RE: [Declude.JunkMail] SURBL issue

2004-09-08 Thread Darrell LaRock
OK, after some digging I found this

--09:46:15--  http://www.surbl.org/sc.surbl.org.rbldns
   => `surbl.rbldns.tmp'
Resolving www.surbl.org... done.
Connecting to www.surbl.org[66.170.2.60]:80... connected.
HTTP request sent, awaiting response... 404 Not Found
09:46:15 ERROR 404: Not Found.

After checking the SURBL site I found this under the news section
*.rbldns - going away when no traffic, use *.rbldnsd instead

In the script find the line 
set v_url=http://www.surbl.org/sc.surbl.org.rbldns

and change it to 
set v_url=http://www.surbl.org/sc.surbl.org.rbldnsd

It now works again.

Darrell


-Original Message-
From: Darrell LaRock [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, September 08, 2004 9:38 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [Declude.JunkMail] SURBL issue

Scott,

What version of the script are you using?  I just checked mine and it is
giving me the same thing on both of my servers.  I have surbl_filter.cmd
version 1.1

Tue 09/07/2004  1:23a Update successful [976 entries]
Tue 09/07/2004  1:53a Update failed [conversion error]

Darrell

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Tuesday, September 07, 2004 5:46 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] SURBL issue

It's working ok here just tried 2 minutes ago:
Tue 09/07/2004  4:41p Update successful [983 entries]

If it was a one time only thing, maybe you caught a bad download or there
was something bad in the zone.

A conversion error implies something wrong here:
rem --- Convert line breaks from LF to CRLF (or exit if conversion failed): ---
if exist todos.exe todos surbl.rbldns.tmp
for /f "tokens=*" %%c in ('findstr /r "$" surbl.rbldns.tmp') do set v_result=ok
if not "%v_result%"=="ok" (set v_result=conversion error) & (goto :s_end)


Scott Fisher
Director of IT
Farm Progress Companies

>>> [EMAIL PROTECTED] 09/07/04 04:35PM >>>
My surbl setup has been running fine up till 1:00 am this morning
 
my setup is:
 
SURBL   filter   d:\IMail\Declude\surbl\surbl.txt  x  20 0
 
In the log file I now get:
 
Tue 09/07/2004  5:15p Update failed [conversion error]
 
Nothing has changed in my setup and the log file has successful entries for
a very long time until now
 
Anyone have any ideas?
 
thank you
 

Harry Vanderzand 
inTown Internet & Computer Services 
11 Belmont Ave. W.
Kitchener, ON
N2M 1L2
519-741-1222
Did you know we offer: 
- Province wide dial-up and high speed internet access 
- Web accessible email with anti-spam\antivirus protection
- Computer hardware sales and service
- Experienced website developers 




---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.



RE: [Declude.JunkMail] SURBL issue

2004-09-08 Thread Darrell LaRock
Scott,

What version of the script are you using?  I just checked mine and it is
giving me the same thing on both of my servers.  I have surbl_filter.cmd
version 1.1

Tue 09/07/2004  1:23a Update successful [976 entries]
Tue 09/07/2004  1:53a Update failed [conversion error]

Darrell

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Tuesday, September 07, 2004 5:46 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] SURBL issue

It's working ok here just tried 2 minutes ago:
Tue 09/07/2004  4:41p Update successful [983 entries]

If it was a one time only thing, maybe you caught a bad download or there
was something bad in the zone.

A conversion error implies something wrong here:
rem --- Convert line breaks from LF to CRLF (or exit if conversion failed): ---
if exist todos.exe todos surbl.rbldns.tmp
for /f "tokens=*" %%c in ('findstr /r "$" surbl.rbldns.tmp') do set v_result=ok
if not "%v_result%"=="ok" (set v_result=conversion error) & (goto :s_end)


Scott Fisher
Director of IT
Farm Progress Companies

>>> [EMAIL PROTECTED] 09/07/04 04:35PM >>>
My surbl setup has been running fine up till 1:00 am this morning
 
my setup is:
 
SURBL   filter   d:\IMail\Declude\surbl\surbl.txt  x  20 0
 
In the log file I now get:
 
Tue 09/07/2004  5:15p Update failed [conversion error]
 
Nothing has changed in my setup and the log file has successful entries for
a very long time until now
 
Anyone have any ideas?
 
thank you
 

Harry Vanderzand 
inTown Internet & Computer Services 
11 Belmont Ave. W.
Kitchener, ON
N2M 1L2
519-741-1222
Did you know we offer: 
- Province wide dial-up and high speed internet access 
- Web accessible email with anti-spam\antivirus protection
- Computer hardware sales and service
- Experienced website developers 






RE: [Declude.JunkMail] DUL skipping was ISBLANK is blank

2004-05-17 Thread Darrell LaRock
Matt,

But if you rename the tests to DYN –
then how you are configuring non-DUL tests twice?

Darrell

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Saturday, May 15, 2004 6:42 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] DUL skipping was ISBLANK is blank

Andy,

I think there might be some confusion here.  If you change the test names
and use the %IP4R%/dnsbl trick, it will always test the first hop regardless of
what the Mail From is, unless of course you are whitelisting the sender.

You don't have to remove the tests, you just have to rename them.  I
renamed mine with DYN, that way Declude doesn't see them as matching
DUL/DYNA/DUHL and therefore will not skip them when the Mail From matches a
local address.

The only drawback that I have found with this work around is when you try
configuring non-DUL tests twice, once only for the first hop, and once for all
hops, in which case the work around will cause some extra lookups, but that's
minor, and I'm only aware of a few people besides myself that are doing this. 
Nothing else appears to be a problem in anyway whatsoever.

Matt



Andy Schmidt wrote:

Then, in either cases, scanning the first hop is a simple matter of
changing the test name to eliminate the reserved string of DUL, DYNA or DUHL
and using the hack which Matt found. <<

NO - removing DUL/DYNA/DUHL is NOT an option.  Because MUCH of the private
emails originate from some address that is on that list - but only on the
FIRST hop. Thus, the DUL/DYNA/DUHL skip tests on the FIRST hop!

They can't be omitted - otherwise we'd block most private mail relayed
through other providers SMTP servers.

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:    +1 201 934-9206

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Don Brown
Sent: Saturday, May 15, 2004 04:19 PM
To: Matt
Cc: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] DUL skipping was ISBLANK is blank

This wasn't a bug or a larger issue of Declude trust based upon the 'from
Address.' There was no choice but to skip DUL/DYNA/DUHL tests (which were
the only ones skipped) when the 'from address' was spoofed as a local
address. Imail 8 and WHITELIST AUTH help, but they don't solve this issue,
either.

Imail 8 can still be configured where the Client is NOT required to Auth in
order to send. One example of that is 'Relay for Addresses.'

So, if we have IPs on a DUL/DYNA/DUHL list, are using anything but 'No Mail
Relay' in Imail 8 and we run a DYNA/DUL/DUHL test on the first hop, we will
definitely tag our own customers.

So, the way I see it, running DYNA/DUL/DUHL tests on the first hop of ALL
mail, is only safe for those folks who: (1) are sure that none of their IP
addresses are on any DYNA/DUL/DUHL list (and will never be on
one) -OR- (2) run Imail 8, have it configured for 'No Mail Relay' and have
WHITELIST AUTH specified in the Declude's Global.cfg. Then, in either cases,
scanning the first hop is a simple matter of changing the test name to
eliminate the reserved string of DUL, DYNA or DUHL and using the hack which
Matt found.

For instance:

Change this:
  NJABL-DUL  ip4r  dnsbl.njabl.org  127.0.0.3  10  0

To this:
  NJABL-HOP1  dnsbl %IP4R%.dnsbl.njabl.org  127.0.0.3  10  0

I don't think a switch in Declude is really needed.

Thanks,

Saturday, May 15, 2004, 10:01:11 AM, Matt <[EMAIL PROTECTED]> wrote:
M> Andy,
M> It's only been a matter of months since a realistic work around was
M> available for most users (using WHITELIST AUTH).  To the best of my
M> knowledge, I'm the only one of us that has said anything about it on
M> this list (first time in March, but of course I could be wrong). Like
M> I indicated though, there is a way to fix the problem using the dnsbl
M> trick, and it works immediately.  I would however like to see a switch
M> given also, but this seems more like a convenience if you use
M> DUL/DYNA/DUHL the way that they were meant to be used in the first
M> place (which I was not), but still, it only means some extra lookups.
M> Matt
M> Andy Schmidt wrote:
M>   Thanks - ouch.
M>
M>   I'd say that's a bug in design.
M>
M>   Since AUTH is supported in Imail 8 and since others may not allow
M> local users to send through their Imail server (my outbound is going
M> through IIS SMTP with SMTP AUTH), there should be AT LEAST a config
M> option to turn this "spam me by faking sender" feature off!
M>   Best Regards
M>   Andy Schmidt
M>   Phone:  +1 201 934-3414 x20 (Business)
M> Fax:    +1 201 934-9206
M> -Original Message-
M> From: [EMAIL PROTECTED]:Declude.JunkMail-owner@declude.com]
M> On Behalf Of Matt
M>   Sent: Saturday, May 15, 2004 01:49 AM
M>   To: [EMAIL PROTECTED]
M>   Subject: Re: [Declude.JunkMail] DUL skipping was ISBLANK is blank
M> In absentia...
M>
M> http://www.mail-archive.com/[EMAIL PROTECTED]/msg17162.html
M> This made a lot of sense before, and it was the only way to disable 

[Declude.JunkMail] Hotmail Sending Mail From IP's with No Reverse DNS

2004-04-22 Thread Darrell LaRock
Has anyone else noticed over the last day or so that some of the hotmail
messages are coming from servers without revdns..  This is a snag cause they
are failing both revdns and spamdomains..  Any thoughts?

Received: from hotmail.com [207.68.164.107] by mail2.gannett-tv.com with
ESMTP
  (SMTPD32-8.05) id A6657F0180; Wed, 21 Apr 2004 18:32:05 -0400
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
 Wed, 21 Apr 2004 15:30:14 -0700
Received: from 134.84.102.157 by sea2-dav3.sea2.hotmail.com with DAV;
Wed, 21 Apr 2004 22:30:14 +
X-Originating-IP: [134.84.102.157]
X-Originating-Email: [EMAIL PROTECTED]
X-Sender: [EMAIL PROTECTED]
From: "x" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: [POTENTIAL SPAM]Assignment Desk
Date: Wed, 21 Apr 2004 17:27:30 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="=_NextPart_000_0009_01C427C5.ECC21740"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1409
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
Message-ID: <[EMAIL PROTECTED]>
X-OriginalArrivalTime: 21 Apr 2004 22:30:14.0967 (UTC)
FILETIME=[377B2C70:01C427F0]
X-RBL-Warning: SPAMDOMAINS: Spamdomain 'hotmail.com' found: Address of
[EMAIL PROTECTED] sent from invalid [No Reverse DNS]. [2-10-5000]
X-RBL-Warning: NOPOSTMASTER: "Not supporting [EMAIL PROTECTED]" [2-48-18000]
X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 207.68.164.107
with no reverse DNS entry. [2-53-1a800]
X-Declude-Sender: [EMAIL PROTECTED] [207.68.164.107]
X-Declude-Spoolname: Df665007f01804541.SMD
X-Declude-Sender: [EMAIL PROTECTED] [12.25.87.100]
X-Declude-Spoolname: Df66c3910081cb3c8.SMD
X-Spam-Tests-Failed: Whitelisted
X-Spam-Weight: 0
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 377609636




RE: [Declude.JunkMail] SPAMCOP

2004-04-01 Thread Darrell LaRock
Scott,

It's AT&T's DNS servers.  I wonder if they are doing something to block
those kinds of lookups.

Darrell

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Thursday, April 01, 2004 11:02 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] SPAMCOP


>I noticed that several RBL's have not been triggered off one of our backup
>mail servers over the last 24 hours.  For example SPAMCOP hasn't.  I turned
>on "DEBUG" mode and noticed that it was reporting this
>
>04/01/2004 10:56:53.296 Q3bbb215802381bda Test #18 [ORDB] is same as Test
>#18 [ORDB=*]. Answer=root.loopback.?
>04/01/2004 10:56:53.296 Q3bbb215802381bda Test #19 [SPAMCOP] is same as
Test
>#19 [SPAMCOP=127.0.0.2]. Answer=root.loopback.?
>04/01/2004 10:56:53.296 Q3bbb215802381bda Test #20 [DSBL] is same as Test
>#20 [DSBL=*]. Answer=root.loopback.?
>
>Is this a normal answer?

No, that is not a normal answer -- the "Answer=root.loopback.?" indicates 
that the DNS server is responding, but reporting an answer of 
"root.loopback" which isn't correct.  It sounds like your DNS server is 
having problems.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.
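
The check Scott describes above, as an added example (not Declude's code and not part of the thread): a DNSBL listing is always an address in 127.0.0.0/8, so a name such as root.loopback, or any address outside that range, points at the resolver rather than at the lists. The CONSTRUCTED_HIT line, the bl.example.test zone and the resolve callback are assumptions made for the example.

```python
import ipaddress
import re

DNSBL_NET = ipaddress.ip_network("127.0.0.0/8")

# Debug lines quoted in the thread (mail-client line wraps rejoined).
THREAD_LOG = [
    "04/01/2004 10:56:53.296 Q3bbb215802381bda Test #18 [ORDB] is same as "
    "Test #18 [ORDB=*]. Answer=root.loopback.?",
    "04/01/2004 10:56:53.296 Q3bbb215802381bda Test #19 [SPAMCOP] is same as "
    "Test #19 [SPAMCOP=127.0.0.2]. Answer=root.loopback.?",
    "04/01/2004 10:56:53.296 Q3bbb215802381bda Test #20 [DSBL] is same as "
    "Test #20 [DSBL=*]. Answer=root.loopback.?",
]
# Constructed line, not from the thread: assumes a listing answer is logged
# in the same shape as the faulty answers above.
CONSTRUCTED_HIT = (
    "04/01/2004 10:57:02.118 Q0000000000000000 Test #19 [SPAMCOP] is same as "
    "Test #19 [SPAMCOP=127.0.0.2]. Answer=127.0.0.2.?"
)

LINE_RE = re.compile(
    r"Test #\d+ \[(?P<test>[^\]]+)\] is same as Test #\d+ "
    r"\[[^=\]]+=(?P<expect>[^\]]+)\]\. Answer=(?P<answer>\S+)"
)


def classify(answer, expect="*"):
    """Judge one DNSBL answer: only an address in 127.0.0.0/8 is a listing."""
    try:
        addr = ipaddress.IPv4Address(answer)
    except ValueError:
        return "resolver-fault"      # a hostname such as root.loopback
    if addr not in DNSBL_NET:
        return "resolver-fault"      # e.g. a wildcard or redirect address
    return "listed" if expect in ("*", answer) else "listed-other-code"


def audit(lines):
    """Return (test, answer, verdict) for every debug line that parses."""
    results = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            answer = m["answer"].rstrip("?.")   # drop the trailing ".?"
            results.append((m["test"], answer, classify(answer, m["expect"])))
    return results


def resolver_suspect(results):
    """True when no test got a usable answer: look at the resolver first."""
    return bool(results) and all(v == "resolver-fault" for _, _, v in results)


def query_name(ip, zone):
    """Reversed-octet DNSBL query name for an IPv4 address."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")


def zone_self_test(zone, resolve):
    """RFC 5782 test points: 127.0.0.2 must be listed, 127.0.0.1 must not.

    resolve(name) is a caller-supplied lookup (hypothetical interface) that
    returns the A-record text, or None for NXDOMAIN, so this runs offline.
    """
    hit = resolve(query_name("127.0.0.2", zone))
    miss = resolve(query_name("127.0.0.1", zone))
    return hit is not None and classify(hit) == "listed" and miss is None


if __name__ == "__main__":
    for test, answer, verdict in audit(THREAD_LOG + [CONSTRUCTED_HIT]):
        print(f"{test:8} {answer:15} {verdict}")
    print("resolver suspect:", resolver_suspect(audit(THREAD_LOG)))
```

Running zone_self_test against each configured zone from the mail server's own resolver separates a dead list from a resolver that answers every query with the same bogus record.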



[Declude.JunkMail] SPAMCOP

2004-04-01 Thread Darrell LaRock
I noticed that several RBL's have not been triggered off one of our backup
mail servers over the last 24 hours.  For example SPAMCOP hasn't.  I turned
on "DEBUG" mode and noticed that it was reporting this

04/01/2004 10:56:53.296 Q3bbb215802381bda Test #18 [ORDB] is same as Test
#18 [ORDB=*]. Answer=root.loopback.?
04/01/2004 10:56:53.296 Q3bbb215802381bda Test #19 [SPAMCOP] is same as Test
#19 [SPAMCOP=127.0.0.2]. Answer=root.loopback.?
04/01/2004 10:56:53.296 Q3bbb215802381bda Test #20 [DSBL] is same as Test
#20 [DSBL=*]. Answer=root.loopback.?

Is this a normal answer?
Darrell



RE: [Declude.JunkMail] Atriks - Pt.2

2004-01-06 Thread Darrell LaRock
How aggressive is SBL compared to SPEWS?  I know with SPEWS they list a lot
of adjacent net blocks of the spammers...  Does SBL employ the same tactics?

Darrell

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble
Sent: Tuesday, January 06, 2004 6:59 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Atriks - Pt.2

Forgive me for repeating myself on this one, but I'm a proponent of 
blocking outright on SBL.  There's a good reason for spammers to be in 
their list, and it's not some community project where anyone and 
everyone makes nominations, so it's practically flawless.

Another trick for Green Horse is the following lines in a custom filter 
somewhere:

# Green Horse Corporation (SBL12495)
BODY  28  CONTAINS  /img/c.0/
BODY  28  CONTAINS  /img/o.0/
BODY  28  CONTAINS  /img/v.0/

This is just in case they break out into new address space.  28 is my 
delete weight plus Declude's negative weight tests (because they tend to 
get added in after custom filters and I use SKIPIFWEIGHT functionality).

Matt


Fritz Squib wrote:

>Amazing, I knew that I saw a lot more spam coming from individual cable/dsl
>modems, but I had no idea...
>
>http://www.spamhaus.org/SBL/sbl.lasso?query=SBL12495
>
>http://groups.google.com/groups?scoring=d&q=atriks.com+group:*abuse*
>
>Fritz
>
>Frederick P. Squib, Jr.
>Network Operations/Mail Administrator
>Citizens Telephone Company of Kecksburg
>http://www.wpa.net
>
>()  ascii ribbon campaign - against html mail 
>/\- against microsoft attachments
>
>  
>




Re: [Declude.JunkMail] OT: DNS Issue (HELP)

2003-12-20 Thread Darrell LaRock
Matt,

I think you are right.  My guess is that for some reason they dropped the domain out 
of the root servers for a period of time and the major isps grabbed the worldnic 
servers as being authoritative.

Not much we can do, other than wait...

Darrell
-- Original Message --
From: Matthew Bramble <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date:  Sat, 20 Dec 2003 00:02:14 -0500

>Darrell,
>
>It looks like your name server records were maybe munged for a period of 
>time from a root update that is now fixed.  Those munged records though 
>are being cached and they should get a good copy once they expire.  This 
>might explain why all of us seem to be able to resolve your domain, 
>being that we aren't likely to have it cached being smaller providers, 
>however the larger providers seem to have bad records for it because 
>they hit your domain while the data was bad.  Just guessing of course.
>
>If you have some local ISP's which are likely to have cached an earlier 
>copy of the records, try querying their servers to see what it returns.  
>I suspect that they will have a bad copy also, at least for a short 
>period of time.  I don't believe there is anything you can do about this 
>if I am correct.
>
>Matt
>
>
>
>Darrell LaRock wrote:
>
>>Scott,
>>
>>On the DNSSTUFF, I used the cached ISP report looking at the NS record.  What does 
>>it mean when an ISP has the name server set to ns92.worldnic.com?  Does this mean at 
>>one time when the domain was looked up it was not resolved from the root servers?
>>
>>AT&T Worldnet #1  NS=ns1.infi.net. [TTL=1d 9h 38m 50s] NS=ns2.infi.net. [TTL=1d 9h 38m 50s]
>>AT&T Worldnet #2  NS=ns1.infi.net. [TTL=1d 4h 18m 50s] NS=ns2.infi.net. [TTL=1d 4h 18m 50s]
>>AT&T Worldnet #1  NS=ns1.infi.net. [TTL=1d 2h 53m 53s] NS=ns2.infi.net. [TTL=1d 2h 53m 53s]
>>AT&T Worldnet #2  NS=ns91.worldnic.com. [TTL=10h 45m 11s] NS=ns92.worldnic.com. [TTL=10h 45m 11s]
>>
>>Taking wild stabs in the dark :)
>>Darrell
>>
>>-- Original Message --
>>From: "R. Scott Perry" <[EMAIL PROTECTED]>
>>Reply-To: [EMAIL PROTECTED]
>>Date:  Fri, 19 Dec 2003 22:56:28 -0500
>>
>>  
>>
>>>>However, something is seriously wrong as the major ISP's can't resolve it 
>>>>(Earthlink, Charter, Some AOL Users, Road Runner).  This occurred right 
>>>>after the whois info was updated to the new authoritative servers.
>>>>  
>>>>
>>>That's probably the problem.
>>>
>>>Once the first .com parent server gets the new NS records, it takes up to 
>>>about 6 hours for all the other .com parent servers to get updated, and 
>>>another 48 hours before TTL values expire on DNS servers throughout the 
>>>world.  Earthlink, Charter, and some other larger ISPs almost certainly 
>>>have the old values cached, which will take up to 48 hours to expire after 
>>>the change.  During that time, they will be using the old NS records.
>>>
>>>   -Scott
>>>
>>>
>
>


Re: [Declude.JunkMail] OT: DNS Issue (HELP)

2003-12-19 Thread Darrell LaRock
Scott,

On the DNSSTUFF, I used the cached ISP report looking at the NS record.  What does it 
mean when an ISP has the name server set to ns92.worldnic.com?  Does this mean at one 
time when the domain was looked up it was not resolved from the root servers?

AT&T Worldnet #1  NS=ns1.infi.net. [TTL=1d 9h 38m 50s] NS=ns2.infi.net. [TTL=1d 9h 38m 50s]
AT&T Worldnet #2  NS=ns1.infi.net. [TTL=1d 4h 18m 50s] NS=ns2.infi.net. [TTL=1d 4h 18m 50s]
AT&T Worldnet #1  NS=ns1.infi.net. [TTL=1d 2h 53m 53s] NS=ns2.infi.net. [TTL=1d 2h 53m 53s]
AT&T Worldnet #2  NS=ns91.worldnic.com. [TTL=10h 45m 11s] NS=ns92.worldnic.com. [TTL=10h 45m 11s]

Taking wild stabs in the dark :)
Darrell

-- Original Message --
From: "R. Scott Perry" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date:  Fri, 19 Dec 2003 22:56:28 -0500

>
>>However, something is seriously wrong as the major ISP's can't resolve it 
>>(Earthlink, Charter, Some AOL Users, Road Runner).  This occurred right 
>>after the whois info was updated to the new authoritative servers.
>
>That's probably the problem.
>
>Once the first .com parent server gets the new NS records, it takes up to 
>about 6 hours for all the other .com parent servers to get updated, and 
>another 48 hours before TTL values expire on DNS servers throughout the 
>world.  Earthlink, Charter, and some other larger ISPs almost certainly 
>have the old values cached, which will take up to 48 hours to expire after 
>the change.  During that time, they will be using the old NS records.
>
>-Scott
>---
>Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
>Declude Virus: Catches known viruses and is the leader in mailserver 
>vulnerability detection.
>Find out what you've been missing: Ask about our free 30-day evaluation.
>
>
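
The cached-NS report and the TTL explanation above can be checked mechanically. This added example (not code from the thread or from the reporting site) parses the report lines and lists the caches still holding a different NS set, with the seconds left until that cached set expires. The thread does not say which NS pair is the intended delegation, so `delegated` is a parameter and the infi.net pair used in the demo is an assumption.

```python
import re

# Lines from the cached-NS report quoted in the thread (mail-client wraps
# rejoined). In the archive the resolver label runs straight into "NS=".
REPORT = [
    "AT&T Worldnet #1NS=ns1.infi.net. [TTL=1d 9h 38m 50s] NS=ns2.infi.net. [TTL=1d 9h 38m 50s]",
    "AT&T Worldnet #2NS=ns1.infi.net. [TTL=1d 4h 18m 50s] NS=ns2.infi.net. [TTL=1d 4h 18m 50s]",
    "AT&T Worldnet #1NS=ns1.infi.net. [TTL=1d 2h 53m 53s] NS=ns2.infi.net. [TTL=1d 2h 53m 53s]",
    "AT&T Worldnet #2NS=ns91.worldnic.com. [TTL=10h 45m 11s] NS=ns92.worldnic.com. [TTL=10h 45m 11s]",
]

UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}
NS_RE = re.compile(r"NS=(?P<host>\S+?)\.?\s+\[TTL=(?P<ttl>[^\]]+)\]")


def ttl_seconds(text):
    """Convert a report TTL such as '1d 9h 38m 50s' to seconds."""
    return sum(int(n) * UNIT_SECONDS[u]
               for n, u in re.findall(r"(\d+)\s*([dhms])", text))


def parse_line(line):
    """Return (resolver_label, {nameserver: remaining_ttl_seconds})."""
    label = line.split("NS=", 1)[0].strip()
    records = {m["host"].lower(): ttl_seconds(m["ttl"])
               for m in NS_RE.finditer(line)}
    return label, records


def ns_views(lines):
    """Group resolver labels by the NS set each one has cached."""
    views = {}
    for line in lines:
        label, records = parse_line(line)
        if records:
            views.setdefault(frozenset(records), []).append(label)
    return views


def stale_caches(lines, delegated):
    """List caches whose NS set differs from the delegated set.

    Each entry is (label, cached_ns_names, seconds_until_that_set_expires).
    """
    wanted = {host.lower().rstrip(".") for host in delegated}
    stale = []
    for line in lines:
        label, records = parse_line(line)
        if records and set(records) != wanted:
            stale.append((label, sorted(records), max(records.values())))
    return stale


if __name__ == "__main__":
    # Assumption for the demo only: treat the infi.net pair as the delegation.
    for label, names, left in stale_caches(REPORT, {"ns1.infi.net", "ns2.infi.net"}):
        print(f"{label}: still caching {', '.join(names)} for {left} s")
    print("distinct NS views:", len(ns_views(REPORT)))
```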


Re: [Declude.JunkMail] OT: DNS Issue (HELP)

2003-12-19 Thread Darrell LaRock
Scott,

We duplicated the zone files between both providers.  So all records are identical.  
If the zone files are the same then all of the timeouts should not matter.

Check this out
1.) Do a direct query against ns1.loudcloud.com for wltx.com - Returns 66.54.32.202.

2.) Do a direct query against ns1.infi.net for wltx.com - Returns 66.54.32.202.

3.) Do a direct query against ns1.mindspring.net or ns2. or ns3 and the query will in 
general 9 out of 10 times timeout.  We can also duplicate this behavior on Charter and 
Road Runner.

I can't even come up with a possible explanation...  The zone files are the same

Thanks
Darrell


-- Original Message --
From: "R. Scott Perry" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date:  Fri, 19 Dec 2003 22:56:28 -0500

>
>>However, something is seriously wrong as the major ISP's can't resolve it 
>>(Earthlink, Charter, Some AOL Users, Road Runner).  This occurred right 
>>after the whois info was updated to the new authoritative servers.
>
>That's probably the problem.
>
>Once the first .com parent server gets the new NS records, it takes up to 
>about 6 hours for all the other .com parent servers to get updated, and 
>another 48 hours before TTL values expire on DNS servers throughout the 
>world.  Earthlink, Charter, and some other larger ISPs almost certainly 
>have the old values cached, which will take up to 48 hours to expire after 
>the change.  During that time, they will be using the old NS records.
>
>-Scott
>---
>Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
>Declude Virus: Catches known viruses and is the leader in mailserver 
>vulnerability detection.
>Find out what you've been missing: Ask about our free 30-day evaluation.
>


RE: [Declude.JunkMail] OT: DNS Issue (HELP)

2003-12-19 Thread Darrell LaRock
Andrew,

One question that I have is the TTL stuff shouldn't matter since the zone files that 
were moved over are the same.  All we are doing is switching DNS providers right now.

Darrell

-- Original Message --
From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date:  Fri, 19 Dec 2003 18:45:00 -0800

>I'd say that the domain is fine at its new home; the question is what was
>the TTL on the domain before it was moved?
>
>I would go very little out on a limb and say that the folks with trouble to
>wltx.com were caching the DNS for longer than the TTL on the domain, or it
>was really high before the change, and they're respecting that.
>
>If you didn't already know it, this site, courtesy of declude.com, is a
>wonderful resource:
>
>http://www.dnsreport.com/
>
>Andrew 8)
>
>-Original Message-
>From: Darrell LaRock [mailto:[EMAIL PROTECTED] 
>Sent: Friday, December 19, 2003 5:59 PM
>To: [EMAIL PROTECTED]
>Subject: [Declude.JunkMail] OT: DNS Issue (HELP)
>
>
>This is off topic, but I need some help in a bad way to figure out a DNS
>problem I am having that is preventing one of our sites from receiving mail
>and their web site from loading.
>
>We recently (this week) switched the name servers from our current provider
>to another provider.   The zone files are duplicate between providers.
>
>However, something is seriously wrong as the major ISP's can't resolve it
>(Earthlink, Charter, Some AOL Users, Road Runner).  This occurred right after
>the whois info was updated to the new authoritative servers.
>
>Now the crazy thing is I can resolve the site using the auth. servers, but
>not off one of Earthlink's or charters.  
>
>The site is "wltx.com".
>
>Can you resolve it?
>
>How can I verify that the site did not fall out of the root servers? Anyone
>else have any input?
>
>Darrell


Re: [Declude.JunkMail] OT: DNS Issue (HELP)

2003-12-19 Thread Darrell LaRock
I am absolutely baffled.

Earthlink Dial-up - Does not work
Charter Cable Connection - Does not work
AT&T T1 using local bind server - Works
Roadrunner Cable - Does not work
AOL - Intermittent.
Several users who replied - Works

Darrell


-- Original Message --
From: Scott Winberg <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date:  Fri, 19 Dec 2003 19:13:55 -0700

>Hello Darrell,
>
>Working from here. Denver, CO area.
>
>
>Scott
>
>Friday, December 19, 2003, 6:59:06 PM, you wrote:
>
>Darrell> This is off topic, but I need some help in a bad way to figure out a DNS 
>problem I am having that is preventing one of our sites from receiving mail and their 
>web site from loading.
>
>Darrell> We recently (this week) switched the name servers from our current provider 
>to another provider.   The zone files are duplicate between providers.
>
>Darrell> However, something is seriously wrong as the major ISP's can't resolve it 
>(Earthlink, Charter, Some AOL Users, Road Runner).  This occurred right after the 
>whois info was updated to the new
>Darrell> authoritative servers.
>
>Darrell> Now the crazy thing is I can resolve the site using the auth. servers, but 
>not off one of Earthlink's or charters.  
>
>Darrell> The site is "wltx.com".
>
>Darrell> Can you resolve it?
>
>Darrell> How can I verify that the site did not fall out of the root servers? Anyone 
>else have any input?
>
>Darrell> Darrell
>
>
>
>-- 
>
> Scott  mailto:[EMAIL PROTECTED]
>


[Declude.JunkMail] OT: DNS Issue (HELP)

2003-12-19 Thread Darrell LaRock
This is off topic, but I need some help in a bad way to figure out a DNS problem I am 
having that is preventing one of our sites from receiving mail and their web site from 
loading.

We recently (this week) switched the name servers from our current provider to another 
provider.   The zone files are duplicate between providers.

However, something is seriously wrong as the major ISP's can't resolve it (Earthlink, 
Charter, Some AOL Users, Road Runner).  This occurred right after the whois info was 
updated to the new authoritative servers.

Now the crazy thing is I can resolve the site using the auth. servers, but not off one 
of Earthlink's or Charter's.  

The site is "wltx.com".

Can you resolve it?

How can I verify that the site did not fall out of the root servers? Anyone else have 
any input?

Darrell


RE: [Declude.JunkMail] November 2003 Spam Statistics

2003-12-05 Thread Darrell LaRock

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, December 05, 2003 2:18 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] November 2003 Spam Statistics


our gateway now handles all incoming mail and there is no spam coming into
our mail servers to test. The new test platforms will allow us to move some
domains 


So are you saying your product when used as a gateway is 100% effective at
removing spam?  Nothing slips through

Darrell



[Declude.JunkMail] Filter Entry Not Being Triggered

2003-11-10 Thread Darrell LaRock
BODY5   CONTAINS href="http

Should there be any reason why the above filter entry wouldn't be triggered
on an email that contains that string in the html source?

What am I doing wrong?

Darrell



[Declude.JunkMail] SPAM DOMAINS

2003-10-16 Thread Darrell LaRock
We have a listing in our spam domains file 
mac.com apple.com

this line seems to be tripping off on the following
X-RBL-Warning: SPAMDOMAINS: Spamdomain 'mac.com' found: Address of
[EMAIL PROTECTED] sent from invalid [No Reverse DNS].

How do I prevent the "mac.com" spam domain entry from picking up on for
example freediemac.com?

Thanks
Darrell




[Declude.JunkMail] Filter question On Short Keywords

2003-10-16 Thread Darrell LaRock
We make extensive use of filters based on keywords.  With short keywords
like S_e_x we sometimes run into problems with the keyword being triggered
based on base64 encoding of an attachment.

Example:
10/13/2003 00:00:36 Q236256fe026ef9a4 Triggered CONTAINS filter WORDFILTER
on sex [weight->2; SExQlAnjsABzk

My Questions:
1.) Is it possible to have a test created that detects attachments?
2.) Is there some kind of general text that is inserted into the headers or
body that indicates that an attachment is present?

Thanks
Darrell



[Declude.JunkMail] Filters And Attachments

2003-10-14 Thread Darrell LaRock


Darrell LaRock
Systems Analyst
Gannett Television
716-849-2272
How do most folks deal with word filters being triggered on attachments?
See below for example.

10/13/2003 00:00:36 Q236256fe026ef9a4 Triggered CONTAINS filter WORDFILTER
on sex [weight->2; SExQlAnjsABzk

Is there something that is put in the body of a message that indicates there
is an attachment so that potentially reverse weight can be applied?

Darrell

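The false positive in the log line above (and in the "Filter question On Short Keywords" post), as an added example that is not Declude's code and not part of either post: a case-insensitive substring match over the raw message hits the base64 text of an attachment, while a scan over decoded text parts does not and also reports which parts were attachments. That the filter matches against undecoded message text is an assumption drawn from the log line; the addresses, file name and message contents are constructed.

```python
"""Keyword scan over a raw message vs. over its decoded MIME text parts."""
from email import message_from_bytes, policy
from email.message import EmailMessage

KEYWORD = "sex"  # the short keyword from the log line in the post


def sample_with_attachment() -> bytes:
    """Constructed message: harmless text plus a binary attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg["Subject"] = "quarterly report"
    msg.set_content("Please find the report attached.\n")
    # The bytes b"HLP" base64-encode to "SExQ", the start of the logged match.
    msg.add_attachment(b"HLP" * 20, maintype="application",
                       subtype="octet-stream", filename="report.bin")
    return msg.as_bytes()


def sample_with_encoded_text() -> bytes:
    """Constructed message: the keyword sits in a base64-encoded text body."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg["Subject"] = "newsletter"
    msg.set_content("cheap sex pills\n", cte="base64")
    return msg.as_bytes()


def raw_scan(raw: bytes, keyword: str = KEYWORD) -> bool:
    """Substring match over the undecoded message (assumed filter behaviour)."""
    return keyword.lower() in raw.decode("latin-1").lower()


def mime_scan(raw: bytes, keyword: str = KEYWORD):
    """Match only inside decoded text parts; return (hit, attachments seen)."""
    msg = message_from_bytes(raw, policy=policy.default)
    hit = False
    attachments = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.is_attachment() or part.get_content_maintype() != "text":
            # Not body text: record it, never keyword-match its encoding.
            attachments.append(part.get_filename() or part.get_content_type())
            continue
        # get_content() undoes base64/quoted-printable and the charset.
        if keyword.lower() in part.get_content().lower():
            hit = True
    return hit, attachments


if __name__ == "__main__":
    for name, build in (("attachment", sample_with_attachment),
                        ("encoded text", sample_with_encoded_text)):
        raw = build()
        print(name, "raw:", raw_scan(raw), "mime:", mime_scan(raw))
```

The second sample is the reverse failure: the raw scan misses a keyword that is present in the body once the text part is decoded.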


RE: [Declude.JunkMail] Starting Declude to Force a Queue Run

2003-08-20 Thread Darrell LaRock
Scott,

I am going to stop the smtp service so no mail will be coming in.
Essentially, at that point I need to clear out that overflow queue..

Darrell


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Wednesday, August 20, 2003 2:40 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Starting Declude to Force a Queue Run


>I have a backup mail server that is a bit under-speed of our primary mail 
>server.  Right now the backup mail server is being pounded with SoBig 
>which has forced the box to 100% cpu and the queue is growing slowly.
>
>
>
>I am going to stop the smtp service in imail on this backup server while I 
>swap a faster server into its place.  How can I manually force declude to 
>start processing the messages in the overflow directory once I stop the 
>smtp service..

Declude will automatically start processing E-mails from the overflow 
directory as soon as the next E-mail arrives.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.



[Declude.JunkMail] Starting Declude to Force a Queue Run

2003-08-20 Thread Darrell LaRock
Scott,

I have a backup mail server that is a bit
under-speed of our primary mail server.  Right now the backup mail server is
being pounded with SoBig which has forced the box to 100% cpu and the queue is
growing slowly.

I am going to stop the smtp service in
imail on this backup server while I swap a faster server into its place.  How
can I manually force declude to start processing the messages in the overflow
directory once I stop the smtp service..

Darrell

-Original Message-
From: Keith Johnson
[mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson
Sent: Wednesday, August 20, 2003 10:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Alligate

John,

We have it as a Declude only test

Keith

-Original Message-
From: John Tolmachoff (Lists)
[mailto:[EMAIL PROTECTED]
Sent: Wed 8/20/2003 1:05 AM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [Declude.JunkMail] Alligate

Do you mean as a Declude ONLY test?

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> [EMAIL PROTECTED] On Behalf Of Keith Johnson
> Sent: Tuesday, August 19, 2003 7:18 PM
> To: [EMAIL PROTECTED]
> Subject: [Declude.JunkMail] Alligate
>
> Does anyone have any configs they are willing to share that they are using in
> production for Alligate with Declude?  Thanks for the aid.
>
> Keith


RE: [Declude.JunkMail] Redux: Test Like SPAMDOMAINS But Subtracts Points Instead of Adding

2003-08-05 Thread Darrell LaRock
We use the following...

REVDNS  -10 ENDSWITH .thisdomain.com

Darrell

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
Sent: Tuesday, August 05, 2003 4:16 PM
To: Declude JunkMail
Subject: [Declude.JunkMail] Redux: Test Like SPAMDOMAINS But Subtracts
Points Instead of Adding

Hello, All,
I had posted this message a couple of weeks ago and didn't hear anything so
I thought I'd give it another shot.

Is there anyway that the SPAMDOMAINS test can be setup so that if a message
"passes" the SPAMDOMAINS test then points are "subtracted" from the total
weight?  I think of this as the opposite of points being "added" to the
total weight if a message "fails" the SPAMDOMAINS test but my thinking might
be wrong.

Thanks In Advance,
Dan Geiser [EMAIL PROTECTED]

- Original Message - 
From: "Dan Geiser" <[EMAIL PROTECTED]>
To: "Declude JunkMail" <[EMAIL PROTECTED]>
Sent: Tuesday, July 22, 2003 7:41 PM
Subject: [Declude.JunkMail] Test Like SPAMDOMAINS But Subtracts Points
Instead of Adding


> Hello, All,
> I don't know if this would require a separate test or of there is some way
> you can twist SPAMDOMAINS to have the desired result...
>
> But as SPAMDOMAINS can be configured to add points on to the weight of a
> message if the message fails the test I would also like to be able to have
a
> test which subtracts points from the total weight if the Reverse DNS of
the
> IP address matches the Sender's domain name.  Does that make sense?  If
so,
> does anyone know how to implement this?
>
> Thanks In Advance,
> Dan Geiser <[EMAIL PROTECTED]>
>
> 
> This E-mail is scanned and free from viruses. www.nexustechgroup.com
>


[Declude.JunkMail] dlanalyzer reporting system

2003-08-01 Thread Darrell LaRock
There has been an overwhelming request for this, much more than I have
anticipated.

I am setting up a webpage for this.  I have to get the documentation
together, because there are a lot of options that need to be documented so
that you will actually be able to use.

I am hoping I will have everything together before the weekend's over.

Darrell

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Terry Parks
Sent: Friday, August 01, 2003 12:30 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Report System

It's become blatantly apparent that there is a VERY STRONG NEED for an
application such as this. Are the Declude people listening?

Terry

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of i360 Support
Sent: Friday, August 01, 2003 9:14 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Report System

Please add me too.

Would like to see it.

Thanks
Heimir


- Original Message -
From: "James James" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, August 01, 2003 10:53 AM
Subject: Re: [Declude.JunkMail] Report System


> I hate filling the list with another of these, but I would like a copy too.
> This sounds like the utility I've always wanted but could never find.
>
> Thanks
> James James
> Help Desk/Systems Administration
> Lile International
>
> - Original Message -
> From: "Dave Jordan" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, August 01, 2003 8:44 AM
> Subject: Re: [Declude.JunkMail] Report System
>
>
> > Hey, Don't leave me out!  It looks like it's just what the Dr. ordered.
> >
> > Dave Jordan
> >
> > - Original Message -
> > From: "GlobalWeb.net Webmaster" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Friday, August 01, 2003 11:23 AM
> > Subject: RE: [Declude.JunkMail] Report System
> >
> >
> > > Add me to the list too - a donation will be in order...
> > >
> > >
> > > Sincerely,
> > >
> > > Randy Armbrecht
> > > Global Web SolutionsR, Inc.
> > > 804-346-5300 ext. 1
> > > 877-800-GLOBAL (4562) ext. 1
> > > http://globalweb.net
> > >
> > >
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Shayne Embry
> > > Sent: Friday, August 01, 2003 11:07 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [Declude.JunkMail] Report System
> > >
> > >
> > > Darrel,
> > >
> > > Maybe you should start charging for it. As long as you're not...please
> > > include me. (Actually, I'd consider a donation if it works as well as
> > > you claim.)
> > >
> > > Thanks,
> > > Shayne Embry
> > > [EMAIL PROTECTED]
> > >
> > >
> > >
> > > > -Original Message-
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED] On Behalf Of Glenn
Brooks
> > > > Sent: Friday, August 01, 2003 9:48 AM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: RE: [Declude.JunkMail] Report System
> > > >
> > > >
> > > > add me, also
> > > >
> > > > At 12:17 PM 8/1/2003 +0200, you wrote:
> > > > >Hi Darrel,
> > > > >
> > > > >Please add me to your list, I'd love to try it out
> > > > >
> > > > >Best regards
> > > > >Lachezar
> > > > >[EMAIL PROTECTED]
> > > > >
> > > > >-Original Message-
> > > > >From: [EMAIL PROTECTED]
> > > > >[mailto:[EMAIL PROTECTED] Behalf Of VanTech.Net
> > > > >Sent: Thursday, July 31, 2003 11:40 PM
> > > > >To: [EMAIL PROTECTED]
> > > > >Subject: RE: [Declude.JunkMail] Report System
> > > > >
> > > > >
> > > > >Darrel,
> > > > >
> > > > >I would be interested in trying it out.  I like Delog, but I
> > > > would like
> > > > >to have some format options such as .html.
> > > > >
> > > > >Thank you,
> > > > >Aaron Caviglia
> > > > >[EMAIL PROTECTED]
> > > > >
> > > > >
> > > > >-Original Message-
> > > > >From: [EMAIL PROTECTED]
> > > > >[mailto:[EMAIL PROTECTED] On Behalf Of
> > > > Darrell LaRock
> > > > 

RE: [Declude.JunkMail] Report System

2003-07-31 Thread Darrell LaRock
Terry,

I used delog for awhile, but I needed several other features that did not
come with delog.  So I developed an application that had all of the features
that I needed.  Below is a sample report that I generated(tab format).  The
reports can be in tab, csv, or html format and you have the ability to email
them as well.

There are many other things that dlanalyzer can report on.  You can get
reports on domains, users, tests, and different reporting periods.  The
combinations are endless.

Right now I am finishing up database support and a few other miscellaneous
features I wanted to add in..

If you would like to try it out let me know and I will make it available..

Darrell


Start Time: 6/1/2003 12:00:00 AM
End Time: 6/2/2003 12:00:00 AM
Total Messages: 25935
Messages That Failed: 18252
Spam Percentage: 70.38%

TEST               # FAILED  Percentage
BADHEADERS             3735      14.40%
BASE64                 1203       4.64%
BLACKLIST              1325       5.11%
COMMENTS                668       2.58%
DECREASEIPWGHT           40       0.15%
DECREASEWEIGHT          557       2.15%
DECREASEWEIGHTLOW       313       1.21%
DSBL                   3807      14.68%
DSN                    1215       4.68%
EASYNET-DNSBL          7418      28.60%
FXBLACKLIST            2574       9.92%
HELOBOGUS              4776      18.42%
HEUR10                 2899      11.18%
IPBLACKLIST               5       0.02%
MAILFROM                385       1.48%
NJABL                   408       1.57%
NOABUSE                3341      12.88%
NONENGLISH              214       0.83%
NOPOSTMASTER           4020      15.50%
OLDEMPLOYEE              29       0.11%
ORDB                    261       1.01%
OSDUL                   113       0.44%
OSLIST                    2       0.01%
OSRELAY                 343       1.32%
OSSOFT                 3265      12.59%
OSSRC                  3308      12.75%
POSTMASTER               12       0.05%
REVDNS                 4231      16.31%
ROUTING                1487       5.73%
SNIFFER                3285      12.67%
SNIFFERAV                12       0.05%
SNIFFERCASINO           159       0.61%
SNIFFERDEBT             815       3.14%
SNIFFEREXP              269       1.04%
SNIFFERGETRICH          630       2.43%
SNIFFERGREY             421       1.62%
SNIFFERINK              196       0.76%
SNIFFERINSURAN           58       0.22%
SNIFFEROBFUS            350       1.35%
SNIFFERPHARM           1727       6.66%
SNIFFERPORN            1630       6.28%
SNIFFERSCAM               1       0.00%
SNIFFERSPAMWAR          127       0.49%
SNIFFERTHEFT            138       0.53%
SNIFFERTRAVEL           438       1.69%
SPAMCOP                4172      16.09%
SPAMHEADERS            4160      16.04%
WEIGHT10              10482      40.42%
WEIGHT5                 769       2.97%
WORDFILTER             7826      30.18%

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Terry Parks
Sent: Thursday, July 31, 2003 2:26 PM
To: Declude. JunkMail
Subject: [Declude.JunkMail] Report System

While it's quiet I'd like to know which system is best at reporting status
of the email system in terms of most messages sent from/delivered to
address, etc. I need a good summary reporting system that will email me
these results. I've tried delog but the email feature doesn't work.

Terry


---
[This E-mail scanned for viruses by Surfside Internet]



RE: [Declude.JunkMail] Kodak picture CD and Spam Domains

2003-06-23 Thread Darrell LaRock
Kami,

Great idea!!!  This is much better than using contains on the header (since header 
forging is easy).

Darrell

-- Original Message --
From: "Kami Razvan" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date:  Mon, 23 Jun 2003 18:15:06 -0400

>Hi;
>
>Do you know what the REVDNS is?  We are finding good results for adding
>negative weight to domains that are like this.  We simply have a negative
>REVDNS list.
>
>REVDNS  -20  CONTAINS  .yahoo.com
>REVDNS  -20  CONTAINS  .aol.com
>
>The above are two entries in our list.
>
>Regards,
>Kami
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Darrell LaRock
>Sent: Monday, June 23, 2003 5:55 PM
>To: [EMAIL PROTECTED]
>Subject: [Declude.JunkMail] Kodak picture CD and Spam Domains
>
>
>I have been seeing a lot of mail failing the spam domains test with kodak's
>picture cd.  It allows users to use their own email address when sending
>pictures, but it comes from Kodak's servers.
>
>Is there any other way around this?  Right now I set up a filter to subtract
>the spam domains weight if picturecd.kodak.com is found in the headers.
>
>Also, not to mention their mail fails the BADHEADERS test for a bogus time
>zone.
>
>Darrell
>
>> **COPY OF THE MESSAGES HEADERS - THESE ARE IMPORTANT FOR US TO SEE IF
>> YOU FEEL THIS MESSAGE IS IN ERROR**
>> Received: from picturecd2.kodak.com [192.232.121.246] by
>mail1.gannett-tv.com with ESMTP
>>   (SMTPD32-7.15) id AE6BDC3601D6; Mon, 23 Jun 2003 00:13:31 -0400
>> Received: from picturecd.kodak.com
>(dialup-67.31.149.71.Dial1.Denver1.Level3.net [67.31.149.71])
>> by picturecd2.kodak.com (8.11.6/8.11.6) with SMTP id h5N3gPU02484
>> for <[EMAIL PROTECTED]>; Sun, 22 Jun 2003 23:42:25 -0400 (EDT)
>> Message-Id: <[EMAIL PROTECTED]>
>> From: [EMAIL PROTECTED]
>> To: [EMAIL PROTECTED]
>> Subject: clouds 2nd try
>> Date: 22 Jun 2003 21:42:44 Mountain Standard Time
>> Content_Description:
>> Content_Description:
>> Content_Description:
>> MIME-Version: 1.0
>> Content-Type: multipart/mixed; boundary=3_boundary
>
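REVDNS lines in the form quoted in this thread, evaluated against sample reverse-DNS names, as an added example that is not Declude's code or any poster's: it shows where CONTAINS and ENDSWITH disagree, and a whole-label comparison for the `mac.com` / `freediemac.com` question from the SPAM DOMAINS post. The operator semantics (plain substring and plain suffix), the `in_domain` helper and all host names are assumptions constructed for the illustration.

```python
"""CONTAINS vs ENDSWITH vs whole-label matching for domain rules."""
from typing import List, NamedTuple


class Rule(NamedTuple):
    test: str
    weight: int
    op: str
    value: str


# Rule lines in the form quoted in the thread.
CONTAINS_RULES = """\
REVDNS  -20  CONTAINS  .yahoo.com
REVDNS  -20  CONTAINS  .aol.com
"""
# Same entries with the operator from the "REVDNS -10 ENDSWITH" post.
ENDSWITH_RULES = CONTAINS_RULES.replace("CONTAINS", "ENDSWITH")


def parse_rules(text: str) -> List[Rule]:
    """Parse 'TEST WEIGHT OPERATOR VALUE' lines; skip blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        test, weight, op, value = line.split(None, 3)
        rules.append(Rule(test.upper(), int(weight), op.upper(), value.lower()))
    return rules


def normalize(host: str) -> str:
    """Lower-case and drop the trailing root dot a PTR answer may carry."""
    return host.strip().rstrip(".").lower()


def matches(rule: Rule, host: str) -> bool:
    host = normalize(host)
    if rule.op == "CONTAINS":
        return rule.value in host          # matches anywhere in the name
    if rule.op == "ENDSWITH":
        return host.endswith(rule.value)   # matches only at the right edge
    raise ValueError(f"unsupported operator: {rule.op}")


def revdns_weight(rules: List[Rule], host: str) -> int:
    """Total weight contributed by REVDNS rules for one reverse-DNS name."""
    return sum(r.weight for r in rules if r.test == "REVDNS" and matches(r, host))


def in_domain(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain, compared by label."""
    host = normalize(host)
    domain = normalize(domain).lstrip(".")
    return host == domain or host.endswith("." + domain)


if __name__ == "__main__":
    loose, strict = parse_rules(CONTAINS_RULES), parse_rules(ENDSWITH_RULES)
    for host in ("mx1.aol.com.", "mail.aol.com.bulk.example"):  # constructed
        print(host, revdns_weight(loose, host), revdns_weight(strict, host))
    for host in ("freediemac.com", "smtp.mac.com", "mac.com"):  # constructed
        print(host, host.endswith("mac.com"), in_domain(host, "mac.com"))
```

Because the ENDSWITH entries start with a dot, they do not match a host that is exactly `aol.com`; `in_domain` covers both the bare domain and its subdomains.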


[Declude.JunkMail] Kodak picture CD and Spam Domains

2003-06-23 Thread Darrell LaRock
I have been seeing a lot of mail failing the spam domains test with kodak's
picture cd.  It allows users to use their own email address when sending
pictures, but it comes from Kodak's servers.

Is there any other way around this?  Right now I set up a filter to subtract
the spam domains weight if picturecd.kodak.com is found in the headers.

Also, not to mention their mail fails the BADHEADERS test for a bogus time
zone.

Darrell

> **COPY OF THE MESSAGES HEADERS - THESE ARE IMPORTANT FOR US TO SEE IF 
> YOU FEEL THIS MESSAGE IS IN ERROR**
> Received: from picturecd2.kodak.com [192.232.121.246] by
mail1.gannett-tv.com with ESMTP
>   (SMTPD32-7.15) id AE6BDC3601D6; Mon, 23 Jun 2003 00:13:31 -0400
> Received: from picturecd.kodak.com
(dialup-67.31.149.71.Dial1.Denver1.Level3.net [67.31.149.71])
> by picturecd2.kodak.com (8.11.6/8.11.6) with SMTP id h5N3gPU02484
> for <[EMAIL PROTECTED]>; Sun, 22 Jun 2003 23:42:25 -0400 (EDT)
> Message-Id: <[EMAIL PROTECTED]>
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: clouds 2nd try
> Date: 22 Jun 2003 21:42:44 Mountain Standard Time
> Content_Description:
> Content_Description:
> Content_Description:
> MIME-Version: 1.0
> Content-Type: multipart/mixed; boundary=3_boundary



RE: [Declude.JunkMail] From File Filter Not Being Triggered With Messages That Have Many Recipients

2003-06-12 Thread Darrell LaRock
Scott,

Looks like it fixed it.

Darrell

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Thursday, June 12, 2003 10:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] From File Filter Not Being Triggered With
Messages That Have Many Recipients


>The config files were sent to your [EMAIL PROTECTED] account.

Wow, this was a tricky one.

It turns out that there was a problem where the first line of a fromfile 
blacklist might not work properly if multiple fromfile blacklists were used.

There is an interim release v1.70i11 at 
http://www.declude.com/release/170i/declude.exe that fixes this issue.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.



RE: [Declude.JunkMail] From File Filter Not Being Triggered With Messages That Have Many Recipients

2003-06-12 Thread Darrell LaRock
The config files were sent to your [EMAIL PROTECTED] account.

Darrell




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Thursday, June 12, 2003 9:28 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] From File Filter Not Being Triggered With
Messages That Have Many Recipients


>However, while going through the logs with debug on, I noticed other
>fromfilters not triggering with valid addresses.  In this case there is a
>"reverseweightlow" fromfilter that has the @aol.com address in the file.
>The sender is from @aol.com but there was no match from the filter.

Isn't that the same user and same test that was having the problem before 
(when there were lots of recipients)?

Could you E-mail me your \IMail\Declude\global.cfg file and the file used 
with the reverseweightlow test, so I can try to reproduce the problem here?

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.



RE: [Declude.JunkMail] From File Filter Not Being Triggered With Messages That Have Many Recipients

2003-06-12 Thread Darrell LaRock
Scott,

I will attempt to reproduce the original problem with the large amount of
recipients with debug on.  

However, while going through the logs with debug on, I noticed other
fromfilters not triggering with valid addresses.  In this case there is a
"reverseweightlow" fromfilter that has the @aol.com address in the file.
The sender is from @aol.com but there was no match from the filter.

Here is a snippet of the log in the attached text file.

Darrell


Darrell LaRock
Systems Analyst
Gannett Television
716-849-2272


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Wednesday, June 11, 2003 2:58 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] From File Filter Not Being Triggered With
Messages That Have Many Recipients


>I have a from filter that contains email addresses.  When this filter is
>triggered it will "routeto" another email address.
>
>When I test this with one recipient it works.  However, I am having an
issue
>when mail that comes in that has many recipients (>30+) the email addresses
>from the filter is not being detected.
>
>I am using version 1.70 of declude.  Scott I am emailing directly to you
>snippets of the log and config files for a gander.

Would there be any chance of trying to reproduce this with the debug mode 
on ("LOGLEVEL DEBUG" in the \IMail\Declude\global.cfg file temporarily)?

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.



filterlog.zip
Description: Zip compressed data


RE: [Declude.JunkMail] From File Filter Not Being Triggered With Messages That Have Many Recipients

2003-06-11 Thread Darrell LaRock
Scott,

Not to convolute this issue, but I just noticed another fromfilter that is
not getting triggered 100% of the time.

This is a snippet from the debug output.  The fromfilter has the @aol.com
address, so the reverseweightlow filter should have been triggered.

Darrell


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darrell LaRock
Sent: Wednesday, June 11, 2003 1:33 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] From File Filter Not Being Triggered With
Messages That Have Many Recipients

I have a from filter that contains email addresses.  When this filter is
triggered it will "routeto" another email address.

When I test this with one recipient it works.  However, I am having an issue
when mail that comes in that has many recipients (>30+) the email addresses
from the filter is not being detected.

I am using version 1.70 of declude.  Scott I am emailing directly to you
snippets of the log and config files for a gander.

Darrell LaRock


06/11/2003 15:46:23.140 Q870eb6a801ceed64 Setting DNS server to IMail's 12.25.87.98.
06/11/2003 15:46:23.140 Q870eb6a801ceed64 Declude JunkMail Pro Version Registered
06/11/2003 15:46:23.140 Q870eb6a801ceed64 Start
06/11/2003 15:46:23.140 Q870eb6a801ceed64 Locked e:\imail\spool\Q870eb6a801ceed64.SMD.
06/11/2003 15:46:23.140 Q870eb6a801ceed64 Getting message envelope
06/11/2003 15:46:23.140 Q870eb6a801ceed64 Copyall=no_copyall_account.
06/11/2003 15:46:23.140 Q870eb6a801ceed64 Qe:\imail\spool\D870eb6a801ceed64.SMD
06/11/2003 15:46:23.140 Q870eb6a801ceed64 Hmail1.gannett-tv.com
06/11/2003 15:46:23.140 Q870eb6a801ceed64 We:\imail
06/11/2003 15:46:23.140 Q870eb6a801ceed64 E0,
06/11/2003 15:46:23.140 Q870eb6a801ceed64 S<[EMAIL PROTECTED]>
06/11/2003 15:46:23.140 Q870eb6a801ceed64 NRCPT To:<[EMAIL PROTECTED]>
06/11/2003 15:46:23.140 Q870eb6a801ceed64 Recip: NRCPT To:<[EMAIL PROTECTED]>
06/11/2003 15:46:23.140 Q870eb6a801ceed64 R<[EMAIL PROTECTED]>
06/11/2003 15:46:23.140 Q870eb6a801ceed64 Recip: R<[EMAIL PROTECTED]>
06/11/2003 15:46:23.140 Q870eb6a801ceed64 Setting altaddr 0 to [EMAIL PROTECTED] 
[EMAIL PROTECTED]
06/11/2003 15:46:23.140 Q870eb6a801ceed64 Setting reciphost to wkyc.com
06/11/2003 15:46:23.140 Q870eb6a801ceed64 06/11/2003 15:46:23.140 Q870eb6a801ceed64 
nRecips: 1 (1 total)
06/11/2003 15:46:23.140 Q870eb6a801ceed64 Recip 0: [EMAIL PROTECTED] = [EMAIL 
PROTECTED]
06/11/2003 15:46:23.140 Q870eb6a801ceed64 Starting locality check (sender=aol.com; 
nr=1 ca=off).
06/11/2003 15:46:23.140 Q870eb6a801ceed64 CL Opening 
HKEY_LOCAL_MACHINE\software\Ipswitch\IMail\Domains
06/11/2003 15:46:23.140 Q870eb6a801ceed64 [EMAIL PROTECTED] [0] is local domain1
06/11/2003 15:46:23.140 Q870eb6a801ceed64 [EMAIL PROTECTED] [0] is local main domain
06/11/2003 15:46:23.156 Q870eb6a801ceed64 Done getting message envelope 15 i=4
06/11/2003 15:46:23.156 Q870eb6a801ceed64 Getting headers
06/11/2003 15:46:23.156 Q870eb6a801ceed64 Done getting envelope and headers
06/11/2003 15:46:23.156 Q870eb6a801ceed64 Ver=30 verflag=0
06/11/2003 15:46:23.156 Q870eb6a801ceed64 About to run spam tests
06/11/2003 15:46:23.156 Q870eb6a801ceed64 fromfile: Starting BLACKLIST
06/11/2003 15:46:23.171 Q870eb6a801ceed64 fromfile: Done with BLACKLIST [448 lines 
processed]
06/11/2003 15:46:23.171 Q870eb6a801ceed64 fromfile: Starting FXBLACKLIST
06/11/2003 15:46:23.171 Q870eb6a801ceed64 fromfile: Done with FXBLACKLIST [851 lines 
processed]
06/11/2003 15:46:23.171 Q870eb6a801ceed64 fromfile: Starting WUSAOFFENSIVE
06/11/2003 15:46:23.171 Q870eb6a801ceed64 fromfile: Done with WUSAOFFENSIVE [9 lines 
processed]
06/11/2003 15:46:23.171 Q870eb6a801ceed64 fromfile: Starting DECREASEWEIGHT
06/11/2003 15:46:23.171 Q870eb6a801ceed64 fromfile: Done with DECREASEWEIGHT [73 lines 
processed]
06/11/2003 15:46:23.171 Q870eb6a801ceed64 fromfile: Starting DECREASEWEIGHTLOW
06/11/2003 15:46:23.171 Q870eb6a801ceed64 fromfile: Done with DECREASEWEIGHTLOW [5 
lines processed]
06/11/2003 15:46:23.171 Q870eb6a801ceed64 fromfile: Starting DECREASEWEIGHTHIGH
06/11/2003 15:46:23.171 Q870eb6a801ceed64 fromfile: Done with DECREASEWEIGHTHIGH [7 
lines processed]
06/11/2003 15:46:23.171 Q870eb6a801ceed64 Going through datafile
06/11/2003 15:46:23.171 Q870eb6a801ceed64 LOOKING FOR IP: Received: from 
imo-d05.mx.aol.com [205.1
06/11/2003 15:46:23.171 Q870eb6a801ceed64 Setting [IPTEXT] to 205.188.157.37
06/11/2003 15:46:23.171 Q870eb6a801ceed64 iptext now=205.188.157.37
06/11/2003 15:46:23.171 Q870eb6a801ceed64 Testing IP 205.188.157.37
06/11/2003 15:46:23.171 Q870eb6a801ceed64 Handling Received: header
06/11/2003 15:46:23.171 Q870e

[Declude.JunkMail] From File Filter Not Being Triggered With Messages That Have Many Recipients

2003-06-11 Thread Darrell LaRock
I have a from filter that contains email addresses.  When this filter is
triggered it will "routeto" another email address.

When I test this with one recipient it works.  However, I am having an issue
when mail comes in that has many recipients (>30+): the email addresses
from the filter are not being detected.

I am using version 1.70 of declude.  Scott, I am emailing directly to you
snippets of the log and config files for a gander.

Darrell LaRock




RE: [Declude.JunkMail] DSN:Let it all through

2003-06-10 Thread Darrell LaRock
You would use the "whitelist to" command in the global config file.

Darrell

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Link Brokers
Support
Sent: Tuesday, June 10, 2003 2:19 PM
To: Declude Junk Mail
Subject: [Declude.JunkMail] DSN:Let it all through

Question.  I have a customer who just insists on wanting all junk mail.
How do I set up a single email so anything coming to that address passes all
test.  Including test that I have set to delete, such as Spam db's I have
set to delete.

Kevin Shimwell
Link Brokers Group, LLC  ( Support )
401 Ist Ave. North
North Myrtle Beach, SC 29582
Phone: 843-663-1004
Fax: 843-663-1007
Email:  [EMAIL PROTECTED]
24/7 Support   http://www.linkbrokers.com/support_ticket.cfm
Support M-F  1-888-546-5631





RE: [Declude.JunkMail] whitelist and mult rcpt

2003-05-30 Thread Darrell LaRock
Karen,

This is something that I brought up on the list awhile back with how to
avoid this.  As we were getting hammered with spam getting to the end user
cause they were tagging the whitelisted postmaster account to it.

We do not whitelist the postmaster account; instead you set up a "filter"
test that contains an "allrecips" for the postmaster's email address and
assign this test a really high negative value to prevent the message from
being bounced.  Then you set the action up for the test as a "routeto" back
to the postmaster's account.

What this does is the following

[1] Allows all messages regardless of how many spam tests they fail to
always be routed to the postmaster
[2] If the message contains a user account other than the postmaster the
mail will be delivered to the user if the message is under your spam
threshold and if it is over your spam threshold whatever action you have
specified will then be enacted on that message.

Darrell

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Karen Oland
Sent: Thursday, May 29, 2003 12:57 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] whitelist and mult rcpt

We've been getting a lot of spam in the last week or so that bypasses all
our spam filters -- they are all copied to the postmaster@ account for our
domain.  Apparently, they are taking advantage of the common practice of
whitelisting the postmaster and the inability of spam filtering programs to
separate actions on messages sent to multiple users.  No doubt, it won't be
long before most messages do the same, rendering both your postmaster
account and spam filters useless.

I know it has been asked for before and said to be "impossible" (programmer
speak, for don't want to do it -- I know, being one), but PLEASE consider
creating multiple copies of messages that arrive for multiple recipients, so
that the spam filters can operate (yes, this means some complications, but a
little trickery could reduce problems -- for example, only making a copy for
the recipient(s) that are whitelisted).



[Declude.JunkMail] DNS Redundancy

2003-04-03 Thread Darrell LaRock
In regards to Declude, does it use the second DNS IP address specified in
IMAIL if the first is not available?

Darrell



RE: [Declude.JunkMail] IPNOTINMX

2003-04-02 Thread Darrell LaRock
Scott,

My expected behavior would be that this piece of mail *SHOULD* have had
-3 subtracted from it.  This is the behavior that I am shooting for.

Now you asked 
>>So, I would need to ask, why do you think that the weight of 3 was not
>>subtracted from the total weight of the E-mail?

The log files for Declude show that it wasn't subtracted

03/31/2003 18:24:33 Qce102a4f0086c057 BASE64:5 SNIFFER:8 .  Total weight
= 13
03/31/2003 18:24:33 Qce102a4f0086c057 Msg failed BASE64 (A binary
encoded text or HTML section was found in this E-mail.). Action=WARN.
03/31/2003 18:24:33 Qce102a4f0086c057 Msg failed SNIFFER (Message failed
SNIFFER: 63.). Action=COPYTO.
03/31/2003 18:24:33 Qce102a4f0086c057 Msg failed WEIGHT10 (Weight of 13
reaches or exceeds the limit of 10.). Action=BOUNCE.
03/31/2003 18:24:33 Qce102a4f0086c057 Subject: FW: Wildfire practice
03/31/2003 18:24:33 Qce102a4f0086c057 From: [EMAIL PROTECTED] To:
[EMAIL PROTECTED]  IP: 63.136.220.30 ID:

Am I missing something?

Darrell


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Wednesday, April 02, 2003 9:56 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] IPNOTINMX


>Why didn't negative weight get added for this piece of mail I received
>from the IPNOTINMX Test.

The E-mail definitely should not fail the IPNOTINMX test, as the IP it
came from is in the MX record for the domain in the return address.  The
log file snippet confirms that the E-mail did not fail the IPNOTINMX test.

So the question is whether or not the negative weight was used.

>Global.cfg
>IPNOTINMX   ipnotinmx   x   x   0   -3

Given this, the E-mail should have had a weight of 3 subtracted from its
total weight, since it did not fail the IPNOTINMX test.

So, I would need to ask, why do you think that the weight of 3 was not 
subtracted from the total weight of the E-mail?
  -Scott



RE: [Declude.JunkMail] IPNOTINMX

2003-04-02 Thread Darrell LaRock
Are you sure about that?

03/31/2003 18:24:22 Qce246c0a00a00dbb WORDFILTER:4 nIPNOTINMX:-3 .
Total weight = 1
03/31/2003 18:24:22 Qce246c0a00a00dbb L1 Message OK

It seems to get triggered for other pieces of mail.

Darrell


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Patrick
Childers
Sent: Wednesday, April 02, 2003 9:26 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] IPNOTINMX

> Why didn't negative weight get added for this piece of mail I 
> received from the IPNOTINMX Test.
> 
> Global.cfg
> IPNOTINMX   ipnotinmx   x   x   0   -3
> 
> Default.junkmail file
> IPNOTINMX IGNORE


Because you set the action to "IGNORE". Change it to "WARN" and it
should work. :)
~Patrick

---
[This E-mail scanned for viruses by Declude/McAfee]

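The check made by eye in the two replies above (does the IPNOTINMX credit show up in a message's weight line?), as an added Python example rather than anything shipped with Declude. It assumes the log layout seen in the quoted lines, treats `nIPNOTINMX` as the credited form of the test because that is how it appears in the second log, and takes the -3 from the Global.cfg line.

```python
import re

# Constructed sample: weight-summary and WEIGHT10 lines as quoted in this
# thread, keeping the mid-entry line wraps the mail client introduced.
SAMPLE_LOG = """\
03/31/2003 18:24:33 Qce102a4f0086c057 BASE64:5 SNIFFER:8 .  Total weight
= 13
03/31/2003 18:24:33 Qce102a4f0086c057 Msg failed WEIGHT10 (Weight of 13
reaches or exceeds the limit of 10.). Action=BOUNCE.
03/31/2003 18:24:22 Qce246c0a00a00dbb WORDFILTER:4 nIPNOTINMX:-3 .
Total weight = 1
03/31/2003 18:24:22 Qce246c0a00a00dbb L1 Message OK
"""

# A log entry starts with a timestamp and a queue ID; anything else is a wrap.
ENTRY_START = re.compile(
    r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}(?:\.\d+)? (Q[0-9a-f]+) ")
TOKEN = re.compile(r"(?<!\S)([A-Za-z][\w-]*):(-?\d+)(?!\S)")   # e.g. SNIFFER:8
TOTAL = re.compile(r"Total weight\s*=\s*(-?\d+)")
LIMIT = re.compile(r"Weight of -?\d+ reaches or exceeds the limit of (-?\d+)")


def unwrap(text):
    """Rejoin wrapped lines so that each list item is one complete log entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries


def audit(text, test="IPNOTINMX", credit=-3):
    """Per queue ID: was the credit for `test` counted, and would it matter?"""
    entries = unwrap(text)

    # First pass: pick up the weight limit from any WEIGHTnn failure line.
    limits = {}
    for entry in entries:
        start, lim = ENTRY_START.match(entry), LIMIT.search(entry)
        if start and lim:
            limits[start.group(1)] = int(lim.group(1))

    # Second pass: parse each "TEST:weight ... Total weight = N" summary.
    report = {}
    for entry in entries:
        start, tot = ENTRY_START.match(entry), TOTAL.search(entry)
        if not (start and tot):
            continue
        qid, total = start.group(1), int(tot.group(1))
        body = entry[start.end():tot.start()]
        weights = {name: int(w) for name, w in TOKEN.findall(body)}
        credited = test in weights or "n" + test in weights
        adjusted = total if credited else total + credit
        limit = limits.get(qid)
        report[qid] = {
            "weights": weights,
            "total": total,
            "consistent": sum(weights.values()) == total,
            "credited": credited,
            "total_if_credited": adjusted,
            "limit": limit,
            "still_over_limit": limit is not None and adjusted >= limit,
        }
    return report


if __name__ == "__main__":
    for qid, row in audit(SAMPLE_LOG).items():
        print(qid, row)
```
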


[Declude.JunkMail] IPNOTINMX

2003-04-02 Thread Darrell LaRock
Why didn't negative weight get added for this piece of mail I received
from the IPNOTINMX Test?

Global.cfg
IPNOTINMX   ipnotinmx   x   x   0   -3

Default.junkmail file
IPNOTINMX   IGNORE


DNS Lookup
> set q=mx
> netaff.com.
Server:  wgrz-lclci01.us.ad.gannett.com
Address:  10.4.41.134

netaff.com  MX preference = 20, mail exchanger = mail.crosspoint.com
netaff.com  MX preference = 10, mail exchanger = mail.netaff.com
netaff.com  nameserver = ns2.crosspoint.com
netaff.com  nameserver = ns1.crosspoint.com
mail.netaff.com internet address = 63.136.220.30
mail.crosspoint.com internet address = 63.136.220.20
ns1.crosspoint.com  internet address = 63.136.220.20
ns2.crosspoint.com  internet address = 63.136.220.30

Received: from mail.netaff.com [63.136.220.30] by mail1.gannett-tv.com
with ESMTP
  (SMTPD32-7.12) id AE102A4F0086; Mon, 31 Mar 2003 18:24:00 -0500
Received: by mail.netaff.com
with MailBeamer v3.32 ;
Mon, 31 Mar 2003 16:23:58 -0700
From: Tammy Kehe <[EMAIL PROTECTED]>
To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
Subject: FW: Wildfire practice
Date: Mon, 31 Mar 2003 16:23:00 -0700
X-Mailer: MailBeamer v3.32
Message-ID: <[EMAIL PROTECTED]>
X-Priority: 3
Mime-Version: 1.0
Content-Type: multipart/mixed;
boundary="_NextPart_0_vIFomJIuuVmGbDWQZXMDQyuCaiU"

Dce102a4f0086c057.SMD

03/31/2003 18:24:33 Qce102a4f0086c057 Msg failed BASE64 (A binary
encoded text or HTML section was found in this E-mail.). Action=WARN.
03/31/2003 18:24:33 Qce102a4f0086c057 Msg failed SNIFFER (Message failed
SNIFFER: 63.). Action=WARN.
03/31/2003 18:24:33 Qce102a4f0086c057 Msg failed WEIGHT10 (Weight of 13
reaches or exceeds the limit of 10.). Action=BOUNCE.
03/31/2003 18:24:33 Qce102a4f0086c057 Subject: FW: Wildfire practice
03/31/2003 18:24:33 Qce102a4f0086c057 From: [EMAIL PROTECTED] To:
[EMAIL PROTECTED]  IP: 63.136.220.30 ID:





RE: [Declude.JunkMail] Year 2020

2003-03-27 Thread Darrell LaRock
I have seen random date changes when the battery that powers the RTC
(Real Time Clock) on the MB goes bad.  However, I have only seen this
in really old computers.

Darrell


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Karl Hentschel
Sent: Thursday, March 27, 2003 11:46 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Year 2020

I don't know if this is the right place for this question, but I'm
looking for some feedback. The date has randomly changed to the year
2020 on our mail server. This has happened twice now. Has anybody ever
heard of this happening before and what might cause it?




RE: [Declude.JunkMail] IMail v8.0 and Declude Jinkmail??

2003-03-27 Thread Darrell LaRock
Scott,

A couple of notes...

1.) We started with IMail Antivirus and next week it looks like we will
be adding another imail server purchasing Declude AntiVirus for it and
another license for our existing server.  My main problem is that to
continue to run Imail AV it costs about $6,500 for a 1 year
subscription (unlimited users).  To me that price is ridiculous.  Also,
it lacks many features like suppress virus notifications for certain
viruses and the ability to block certain file attachments.

2.) Potentially is it possible for Imail to wean the ability for your
add on products to work.

I'll hang up now and listen. (man, I have been listening way too much to
sports radio.)

Darrell

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Thursday, March 27, 2003 9:55 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] IMail v8.0 and Declude Jinkmail??


>Have you tested IMail v8.0 yet with Declude?

No -- as far as I know, the beta testing hasn't begun yet (although 
Ipswitch does have it running on their own mailservers now).

>It has built-in anti-spam functionality from what I hear.
>Is this going to have an adverse effect on your product.

Well, "hear" is the key word here.  Does "hear" mean "full featured
anti-spam product bundled with IMail at no cost", "very basic anti-spam
functionality at high cost", etc?  Right now, I'm looking at a box for
IMail v6.0 that has a quote on the side "Stopped the spam dead cold."  :)

A year and a half ago, Ipswitch came out with IMail AntiVirus, and
Declude has fared quite well.  We even have some people who pay for a
year with IMail AntiVirus, and switch to Declude before their year is
up, because of problems where the mail delivery stops occasionally.  As
you know, that isn't an issue with Declude -- mail delivery won't stop
with Declude.  For mission critical mailservers, that's a big issue.

Also, it's important to remember that (aside from filtering/rules)
Ipswitch doesn't have much anti-spam experience.  We started selling
anti-spam software over 5 years ago.  It takes a lot of time to develop
anti-spam software that works well.  For example, does the DNS engine
that Ipswitch uses with IMail handle TXT records?

If you are correct that v8 will have built-in anti-spam functionality,
it most likely won't be very full featured (if they aren't going to be
making money off of it, it may end up like the built-in mailing list
functionality), so people will still need Declude JunkMail, whether or
not they upgrade to v8.  If it is a separate add-on, it is likely that
it will be similar to the situation now with AV software (a product with
fewer features at a high cost).

In any case, we've been through this before, and can do it again.  :)
 -Scott



RE: [Declude.JunkMail] What does this mean: internet.e-mail

2003-03-26 Thread Darrell LaRock
Kami,

I have seen several messages today that had
that listed right at the top of the message source.

Darrell

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan
Sent: Wednesday, March 26, 2003 12:16 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] What does this mean: internet.e-mail

Hi;

We have a watch words file that if
with an entry in the default file - simply to know if these words appear and
how often.

One such entry in the spam emails is:

more importantly the last part:  http://internet.e-mail

Does anyone know if this is an output generated by a special software --
I hardly see this in any other emails.

So far 100% of all the emails reported with this entry are spam.

Regards,

Kami


RE: [Declude.JunkMail] Question On behavior

2003-03-26 Thread Darrell LaRock
John,

You are absolutely right on this should be implemented instead of
whitelisting the postmaster or abuse account.  This week I can't tell
you how many messages got through because "postmaster@" was listed as a
recipient.

That shouldn't happen anymore...

Darrell 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
Sent: Wednesday, March 26, 2003 11:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Question On behavior

> We have achieved the desired behavior with that setup.  I sent a test
> message tripping off one of the filters and the mail was delivered to
> the postmaster and was not delivered to the other recipients.

Thanks for that update Darrell.

Sounds like something that should be implemented by any one whitelisting
postmaster or root or abuse.

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA  92835
www.reliancesoft.com






RE: [Declude.JunkMail] Question On behavior

2003-03-26 Thread Darrell LaRock
Scott,

We have achieved the desired behavior with that setup.  I sent a test
message tripping off one of the filters and the mail was delivered to
the postmaster and was not delivered to the other recipients.

This is just a testament on how flexible this product is.

Thanks for the help
Darrell

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Wednesday, March 26, 2003 9:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Question On behavior


>To get around this problem do you think this is possible?
>
>Add a lot of negative weight to the message that has a recipient as
>postmaster so it won't get bounced.  Then create a test that will route
>the message back to the postmaster's account?

It might be possible to do something like that.  An action "ROUTETO
[EMAIL PROTECTED]" would prevent the other users from seeing the
E-mail.  Perhaps adding a filter that includes a line "ALLRECIPS 0
CONTAINS [EMAIL PROTECTED]", and then having the action for that filter
set to "ROUTETO [EMAIL PROTECTED]"?  That way, any E-mail that was
addressed to [EMAIL PROTECTED] would get sent only to [EMAIL PROTECTED]
-Scott



[Declude.JunkMail] Not Failing the comments test

2003-03-26 Thread Darrell LaRock
I assume this didn't fail the comments test because it is actually not
formatted like a true html comment 

RE: [Declude.JunkMail] Question On behavior

2003-03-26 Thread Darrell LaRock
Scott,

To get around this problem do you think this is possible?

Add a lot of negative weight to the message that has a recipient as
postmaster so it won't get bounced.  Then create a test that will route
the message back to the postmaster's account?  This would then route the
message to the postmaster and not the other recipients?  I am only
pursuing this because some really offensive email has been getting
through where they are including the postmaster@ address in the mail.

Is it possible to accomplish something like that?

Darrell


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Tuesday, March 25, 2003 10:04 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Question On behavior


>We have our domains postmaster addresses whitelisted.  I noticed that a
>message coming in that has multiple recipients will be delivered to all
>the recipients mailboxes as long as it has a whitelisted postmaster
>address.
>
>This is not exactly the desired behavior I am looking for.

Unfortunately, that is the behavior that is required.  The problem is
that you are dealing with a single E-mail with multiple recipients, not
multiple E-mails.  We are working on some creative ways to get around
this, but there would still be some definite limitations.
 -Scott



[Declude.JunkMail] How can I do this?

2003-03-25 Thread Darrell LaRock
I am sure many people have noticed a lot of spam that is like this.
Consider a users email address like this [EMAIL PROTECTED]

Then the subject of the email is

bsmith, have you seen this blah blah

Any thoughts on how to check to see if the right hand side of the email
address is contained in the subject?

Darrell



[Declude.JunkMail] Question On behavior

2003-03-25 Thread Darrell LaRock
We have our domains' postmaster addresses whitelisted.  I noticed that a
message coming in that has multiple recipients will be delivered to all
the recipients' mailboxes as long as it has a whitelisted postmaster
address.

This is not exactly the desired behavior I am looking for.

It should have blocked this mail from all recipients except the
postmaster.

03/24/2003 22:08:17 Qc816661e001c6824 WORDFILTER:13 DSBL:5
WIREHUB-DNSBL:3 NOPOSTMASTER:1 BASE64:5 SNIFFER:8 .  Total weight = 35
03/24/2003 22:08:17 Qc816661e001c6824 E-mail whitelisted - automatically
passing all spam tests [EMAIL PROTECTED]
03/24/2003 22:08:17 Qc816661e001c6824 L1 Message OK
03/24/2003 22:08:17 Qc816661e001c6824 Subject: Pe**nis Enlargement Pills
- Order today!
03/24/2003 22:08:17 Qc816661e001c6824 From: [EMAIL PROTECTED] To:
[EMAIL PROTECTED]  IP: 12.233.204.136 ID: 
03/24/2003 22:08:17 Qc816661e001c6824 L2 Message OK
03/24/2003 22:08:17 Qc816661e001c6824 Subject: Pe**nis Enlargement Pills
- Order today!
03/24/2003 22:08:17 Qc816661e001c6824 From: [EMAIL PROTECTED] To:
[EMAIL PROTECTED] [EMAIL PROTECTED]  IP: 12.233.204.136 ID: 
03/24/2003 22:08:17 Qc816661e001c6824 L3 Message OK
03/24/2003 22:08:17 Qc816661e001c6824 Subject: Penis Enlargement Pills -
Order today!
03/24/2003 22:08:17 Qc816661e001c6824 From: [EMAIL PROTECTED] To:
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]  IP:
12.233.204.136 ID:

20030324 220817 127.0.0.1   SMTP (1812) processing
e:\imail\spool\Qc816661e001c6824.SMD
20030324 220817 127.0.0.1   SMTP (1812) ldeliver
mail1.gannett-tv.com dlarock-main (1) [EMAIL PROTECTED] 4166
20030324 220817 127.0.0.1   SMTP (1812) ldeliver wfmy.com
2wantstoknow-main (1) [EMAIL PROTECTED] 4166
20030324 220817 127.0.0.1   SMTP (1812) forwarded message to
[EMAIL PROTECTED],[EMAIL PROTECTED]
20030324 220817 127.0.0.1   SMTP (1812) finished
e:\imail\spool\Qc816661e001c6824.SMD status=1 


Any thoughts?
Darrell

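The whitelisting behaviour in the log above, set beside the ALLRECIPS/ROUTETO workaround from the replies earlier on this page, modelled as an added Python example. This is not Declude's code or configuration: the addresses, the -1000 credit, the POSTMASTER-FILTER test name and the bounce action at the threshold are assumptions; the test weights and the limit of 10 are the ones in the logs on this page.

```python
from typing import Dict, List, NamedTuple

WEIGHT_LIMIT = 10      # WEIGHT10 threshold, as in the logs quoted on this page
ROUTE_CREDIT = -1000   # assumed stand-in for "a really high negative value"
POSTMASTER = "postmaster@example.com"   # constructed; the page's are redacted


class Message(NamedTuple):
    recipients: List[str]
    failed_tests: Dict[str, int]   # test name -> weight


class Verdict(NamedTuple):
    action: str                    # "deliver", "route" or "bounce"
    delivered_to: List[str]
    total_weight: int


def by_weight(msg, weights):
    """One verdict per message: every recipient shares the same outcome."""
    total = sum(weights.values())
    if total >= WEIGHT_LIMIT:
        return Verdict("bounce", [], total)        # assumed WEIGHT10 action
    return Verdict("deliver", list(msg.recipients), total)


def whitelist_policy(msg, whitelist=frozenset({POSTMASTER})):
    """Recipient whitelist: one whitelisted address exempts the whole message."""
    total = sum(msg.failed_tests.values())
    if any(r.lower() in whitelist for r in msg.recipients):
        return Verdict("deliver", list(msg.recipients), total)
    return by_weight(msg, msg.failed_tests)


def routeto_policy(msg, protected=POSTMASTER):
    """Workaround: a filter on all recipients adds a large negative weight so
    the message is never bounced, and its action routes it to one mailbox."""
    weights = dict(msg.failed_tests)
    # Substring match over all recipients, mirroring "ALLRECIPS ... CONTAINS".
    hit = protected in " ".join(msg.recipients).lower()
    if hit:
        weights["POSTMASTER-FILTER"] = ROUTE_CREDIT   # hypothetical test name
    verdict = by_weight(msg, weights)
    if hit and verdict.action == "deliver":
        # ROUTETO replaces the recipient list; other users never see the mail.
        return Verdict("route", [protected], verdict.total_weight)
    return verdict


def exposed_users(msg):
    """Recipients who get the message under the whitelist but not the filter."""
    before = set(whitelist_policy(msg).delivered_to)
    after = set(routeto_policy(msg).delivered_to)
    return sorted(before - after)


# Constructed messages; the weights are the ones from the log above (sum 35).
PAGE_WEIGHTS = {"WORDFILTER": 13, "DSBL": 5, "WIREHUB-DNSBL": 3,
                "NOPOSTMASTER": 1, "BASE64": 5, "SNIFFER": 8}
SPAM_CC_POSTMASTER = Message(
    ["alice@example.com", "bob@example.com", POSTMASTER], PAGE_WEIGHTS)
SPAM_USERS_ONLY = Message(["alice@example.com", "bob@example.com"], PAGE_WEIGHTS)
LEGIT_CC_POSTMASTER = Message(["alice@example.com", POSTMASTER], {})

if __name__ == "__main__":
    for name, msg in [("spam cc postmaster", SPAM_CC_POSTMASTER),
                      ("spam users only", SPAM_USERS_ONLY),
                      ("legit cc postmaster", LEGIT_CC_POSTMASTER)]:
        print(name, whitelist_policy(msg), routeto_policy(msg), sep="\n  ")
```

The last sample shows the cost of the workaround: a legitimate message that includes the postmaster is also routed to the postmaster alone, so the other recipients depend on the postmaster forwarding it.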


[Declude.JunkMail] Headers Changing On Outbound Attached Message

2003-03-21 Thread Darrell LaRock
I am using the copyto function to route a copy of any message that fails
the sniffer test to my email box.

If the message is a false positive I then insert the false positive
message into another email and send it off to the folks at sniffer.
What we found today is that for some reason headers are being inserted
into the false positive attached message from Outlook? Also, it is
inserting several other headers like altering the message id.

Example of headers in message before forwarding it out as attached
message

Received: from sender0012.lodo.exactis.com [64.208.135.32] by
mail1.gannett-tv.com with ESMTP
  (SMTPD32-7.12) id A91A577000EA; Fri, 21 Mar 2003 13:25:30 -0500
Received: by sender0012.lodo.exactis.com
  (queueup version 6.2: Copyright 2000 Experian, Inc. All rights
reserved.)
  with stdio id KARE11_AAAJL29299; Fri, 21 Mar 2003 11:23:50 MST
Date: Fri, 21 Mar 2003 18:17:12 UT
From: "Tribune Alerts"
<[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Reply-To: "Tribune Alerts"
<[EMAIL PROTECTED]>
Errors-To:
[EMAIL PROTECTED]
Message-Id: <[EMAIL PROTECTED]>
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=ISO-8859-1
MIME-Version: 1.0
Subject: [POTENTIAL SPAM]'Shock and awe'
X-Mailer: Experian ContactMail Build v1.89  (Using MIME::Lite v2.117 )
X-RBL-Warning: OSSRC: Experian GBX-REQ6714-1 Spammed
[EMAIL PROTECTED] Was: 64.208.135.177 from
bog0007.lodo.exactis.com (bog0007.lodo.exactis.com [64.208.135.177]) by
relays.osirusoft.com
X-Declude-Sender:
[EMAIL PROTECTED]
[64.208.135.32]
X-Declude-Spoolname: D591a577000eadda1.SMD
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 348193479

Example of headers when they receive it and view the attached message

Reply-To: "Tribune Alerts"
<[EMAIL PROTECTED]>
From: "Tribune Alerts"
<[EMAIL PROTECTED]>
To: "Daly, Mark" <[EMAIL PROTECTED]>
Subject: [POTENTIAL SPAM]'Shock and awe'
Date: Fri, 21 Mar 2003 13:17:12 -0500
Message-ID:
<[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="=_NextPart_000_016D_01C2EFD4.31C710F0"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2627
X-Declude-Sender:
[EMAIL PROTECTED]
[64.208.135.32]
X-Declude-Spoolname: D591a577000eadda1.SMD
X-RCPT-TO: <[EMAIL PROTECTED]>
X-UIDL: 348193479
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-RBL-Warning: OSSRC: Experian GBX-REQ6714-1 Spammed
[EMAIL PROTECTED] Was: 64.208.135.177 from
bog0007.lodo.exactis.com (bog0007.lodo.exactis.com
[64.208.135.177]) by relays.osirusoft.com
Importance: Normal

Why would Outlook be altering an attached message?

Darrell




[Declude.JunkMail] Comments Test

2003-03-20 Thread Darrell LaRock
For the comments test has anyone found an acceptable value that seems to
trap a lot of spam?

Thanks
Darrell



[Declude.JunkMail] Declude Gone Wild

2003-01-22 Thread Darrell LaRock
Today I had an instance where all my mail started being held as SPAM.  99% of it was 
legit mail.  At first I thought it may be a sniffer problem as that was installed 
within the last week.

Attached is a snippet of logs that shows declude over and over testing a piece of mail

I disabled Sniffer at approximately 2:30pm today.  Reviewing the logs now seems to show 
that declude is still repeating the behavior below *substantially* less though.

I am running Declude 1.63

Any thoughts?

//INITIAL PROBLEM
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed OSRELAY (This entry was last 
confirmed open on 1/4/2003). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SPAMCOP (Blocked - see 
http://spamcop.net/bl.shtml?202.105.130.36). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed DSBL 
(http://dsbl.org/listing.php?202.105.130.36). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed NJABL (relay tested -- 1007947419). 
Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed BADHEADERS (This E-mail was sent from 
a broken mail client [804f].). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed REVDNS (This E-mail was sent from a 
MUA/MTA 202.105.130.36 with no reverse DNS entry.). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SNIFFER (Message failed SNIFFER: 
63.). Action=HOLD.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed WEIGHT10 (Weight of 32 reaches or 
exceeds the limit of 10.). Action=BOUNCE.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed OSRELAY (This entry was last 
confirmed open on 1/4/2003). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SPAMCOP (Blocked - see 
http://spamcop.net/bl.shtml?202.105.130.36). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed DSBL 
(http://dsbl.org/listing.php?202.105.130.36). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed NJABL (relay tested -- 1007947419). 
Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed BADHEADERS (This E-mail was sent from 
a broken mail client [804f].). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed REVDNS (This E-mail was sent from a 
MUA/MTA 202.105.130.36 with no reverse DNS entry.). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SNIFFER (Message failed SNIFFER: 
63.). Action=HOLD.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed WEIGHT10 (Weight of 32 reaches or 
exceeds the limit of 10.). Action=BOUNCE.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed OSRELAY (This entry was last 
confirmed open on 1/4/2003). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SPAMCOP (Blocked - see 
http://spamcop.net/bl.shtml?202.105.130.36). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed DSBL 
(http://dsbl.org/listing.php?202.105.130.36). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed NJABL (relay tested -- 1007947419). 
Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed BADHEADERS (This E-mail was sent from 
a broken mail client [804f].). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed REVDNS (This E-mail was sent from a 
MUA/MTA 202.105.130.36 with no reverse DNS entry.). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SNIFFER (Message failed SNIFFER: 
63.). Action=HOLD.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed WEIGHT10 (Weight of 32 reaches or 
exceeds the limit of 10.). Action=BOUNCE.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed OSRELAY (This entry was last 
confirmed open on 1/4/2003). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SPAMCOP (Blocked - see 
http://spamcop.net/bl.shtml?202.105.130.36). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed DSBL 
(http://dsbl.org/listing.php?202.105.130.36). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed NJABL (relay tested -- 1007947419). 
Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed BADHEADERS (This E-mail was sent from 
a broken mail client [804f].). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed REVDNS (This E-mail was sent from a 
MUA/MTA 202.105.130.36 with no reverse DNS entry.). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SNIFFER (Message failed SNIFFER: 
63.). Action=HOLD.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed WEIGHT10 (Weight of 32 reaches or 
exceeds the limit of 10.). Action=BOUNCE.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed OSRELAY (This entry was last 
confirmed open on 1/4/2003). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SPAMCOP (Blocked - see 
http://spamcop.net/bl.shtml?202.105.130.36). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed DSBL 
(http://dsbl.org/listing.php?202.105.130.36). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed NJABL (relay tested -- 1007947419). 
Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed BADHEADERS (This E-mail was sent from 
a broken mail cli
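
Added example (not part of the original post, and not Declude's own tooling): a Python script that rejoins the mail-wrapped log lines shown above, parses each `Msg failed` record, and reports any spool id for which the same test was logged more than once. It assumes a message scanned once logs each test name at most once; the second id and its detail text are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of the log above: mail-client wrapping kept,
# the cut-off last record kept, and one made-up id (Q0000000000000001) added.
SAMPLE_LOG = """\
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SNIFFER (Message failed SNIFFER:
63.). Action=HOLD.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed WEIGHT10 (Weight of 32 reaches or
exceeds the limit of 10.). Action=BOUNCE.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SNIFFER (Message failed SNIFFER:
63.). Action=HOLD.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed WEIGHT10 (Weight of 32 reaches or
exceeds the limit of 10.). Action=BOUNCE.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SNIFFER (Message failed SNIFFER:
63.). Action=HOLD.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed WEIGHT10 (Weight of 32 reaches or
exceeds the limit of 10.). Action=BOUNCE.
01/22/2003 09:57:02 Q0000000000000001 Msg failed REVDNS (constructed detail). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed BADHEADERS (This E-mail was sent from
a broken mail cli
"""

RECORD_START = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} ")
ENTRY = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (Q[0-9a-f]+) Msg failed "
    r"(\S+) \((.*)\)\. Action=([A-Z]+)\.$"
)
FIELDS = ("when", "msgid", "test", "detail", "action")


def unwrap(text):
    """Rejoin wrapped lines: anything not starting with a timestamp continues the previous record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse(records):
    """Split records into parsed entries and the ones that do not fit (e.g. truncated)."""
    entries, unparsed = [], []
    for rec in records:
        m = ENTRY.match(rec)
        if m:
            entries.append(dict(zip(FIELDS, m.groups())))
        else:
            unparsed.append(rec)
    return entries, unparsed


def repeated_passes(entries):
    """Return {msgid: n} where some test was logged n > 1 times for that id."""
    counts = defaultdict(Counter)
    for e in entries:
        counts[e["msgid"]][e["test"]] += 1
    return {mid: max(c.values()) for mid, c in counts.items() if max(c.values()) > 1}


def report(text=SAMPLE_LOG):
    entries, unparsed = parse(unwrap(text))
    return repeated_passes(entries), len(unparsed)


if __name__ == "__main__":
    print(report())
```

Run against a full day's log, the ids it returns are the messages worth pulling from the spool before changing any test weights.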

RE: KITHRUP:RE: [Declude.JunkMail] Declude and Sniffer

2002-07-29 Thread Darrell LaRock

I find that interesting that the major ISPs fail those kinds of tests.
Anyone have any ideas on why they wouldn't have those addresses set up?

Dl

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Tom Baker |
Netsmith Inc
Sent: Friday, July 26, 2002 4:27 PM
To: '[EMAIL PROTECTED]'
Subject: RE: KITHRUP:RE: [Declude.JunkMail] Declude and Sniffer

That is about average, over 50% of our inbound mail fails at least one
test (more like 70%)...
This is where the weighing system comes into play.
Tests like "no postmaster" and "no abuse" fail every message from
systems like aol.com, msn.com, earthlink.net, etc,etc... So they will
appear as SPAM in your logfiles.

You need to use the weighing system / edit your $default$.junkmail and
your global.cfg to meet your needs.

There is no cut/dry solution to spam, I have definitely learned
monitoring this list that everybody has a different solution that fits
their setup.

The great thing about declude/sniffer is their flexibility, great
mailing lists and frequent updates.

(ex: we completely disabled the no postmaster/no abuse tests in our
system, they are just too inefficient for our setup, but in other
setups they are very useful )


-Original Message-
From: Jim Rooth [mailto:[EMAIL PROTECTED]] 
Sent: Friday, July 26, 2002 3:18 PM
To: [EMAIL PROTECTED]
Subject: KITHRUP:RE: [Declude.JunkMail] Declude and Sniffer


I must be doing something wrong!  I looked at the confirm log and I have
caught almost half of the 20,000 emails as spam.  I have pored through
the logs though and have only found four obviously legitimate emails
that should not have been caught.  I fixed that with the myfilter file.
Either I am doing it wrong or the program is great.  I suspect the
latter...


Jim Rooth
Klotron, Inc.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Jeff Kratka
Sent: Friday, July 26, 2002 3:08 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Declude and Sniffer

Just curious. How many people are using both Declude Junk Mail and the
sniffer add-on and has it made a difference if yes. I have been
completely pummeled with Spam and am looking for more options.

Thanks.

Jeff

*
TymeWyse Internet
P.O.Box 84 - 583 N. Main St., Canyonville, OR 97417
tel/fax: (541) 839-6027  -  [EMAIL PROTECTED]
*


---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .
---





RE: [Declude.JunkMail] 1.56 Stablility

2002-07-24 Thread Darrell LaRock

Not to beat a dead horse, are we thinking anytime in the next 2 weeks or
should I plan on just moving with 1.55?

Darrell


Darrell LaRock
Information Systems Analyst
Gannett Television
716-849-2272

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Wednesday, July 24, 2002 5:13 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] 1.56 Stablility


>Any idea when 1.56 will move from the beta state?  We are bringing up a
>new mail server and I wanted to know if it is stable enough to go live
>with it.  I know a couple weeks back there were some posts about
>problems that were corrected with an interim release.

We should have a 1.57 shortly that addresses the issues from 1.56.  We 
expect that 1.57 should be quite stable.
 -Scott




[Declude.JunkMail] 1.56 Stablility

2002-07-24 Thread Darrell LaRock

Any idea when 1.56 will move from the beta state?  We are bringing up a
new mail server and I wanted to know if it is stable enough to go live
with it.  I know a couple weeks back there were some posts about
problems that were corrected with an interim release.

Thanks In Advance
dl




[Declude.JunkMail] Console

2002-07-12 Thread Darrell LaRock


Someone mentioned earlier that there was a way to invoke declude to
spawn a console in order to see what's happening in real time.  Is this
correct and how do you invoke this?

Darrell





RE: BLARSBL:RE: [Declude.JunkMail] Get a load of this . . .

2002-07-03 Thread Darrell LaRock
Anyone wonder if they intended to send that message thinking that
everyone would automatically block those sites?  Nice little tactic….

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kami Razvan
Sent: Wednesday, July 03, 2002 4:07 PM
To: [EMAIL PROTECTED]
Subject: RE: BLARSBL:RE: [Declude.JunkMail] Get a load of this . . .

Hi;

I also randomly checked the domains and I have a hard time believing
some of those sites are in any sort of mass e-marketing.

216.234.252.98 home.faithmail.com
216.234.252.91 home.brownsmail.net
216.234.252.92 home.bazaar.com
216.234.252.97 home.esife.org

are some that just don't appear to be e-spammers.

this is the most peculiar message.

Kami

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chuck Schick
Sent: Wednesday, July 03, 2002 2:50 PM
To: [EMAIL PROTECTED]
Subject: BLARSBL:RE: [Declude.JunkMail] Get a load of this . . .

I randomly checked some of those IPs and none of them showed up on any
blacklist.  Right now his mail would get through to us since he would
not fail any tests.  I wonder what his concern is.  He should send the
message to AOL and Earthlink to see if he gets any response.

Chuck Schick
Warp 8, Inc.
303-421-5140
www.warp8.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Glenn \ WCNet
Sent: Wednesday, July 03, 2002 12:24 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Get a load of this . . .

Here are some to add to your Kill file or BlackList!

--

Hello Administrators for wcnet.net,
 
Please check to verify that messages being sent to our Opt-in customers that
are using your services are not being blocked by any of wcnet.net's
servers.  If there currently are blocks on any of our IP's, please contact
me directly so that we may find a resolution to this.

Relevant Marketing Technologies is a leading permission marketing and affinity-based
email marketing company. The current client roster is primarily made up of four
industries: Music, Sports, Broadcast, and Entertainment. Relevant Marketing
Technologies is the leading online opt-in permission based newsletter services
provider in each of these industries. Relevant Marketing Technologies has
attained this leadership position primarily through the growth and evolution of
ENewsNotifier (ENN).

The ENN system is opt-in, and permission based, and provides direct live links
to the URL to de-activate the user's individual account automatically imbedded
into each and every message sent through our servers. We have modified all of
our servers to prohibit open relay access, and have been cleared by MAPS
through www.mail-abuse.org on all of our IP addresses. We are not spam.

Currently, the servers we use to distribute email messages are:


Our DNS Lookup information is as follows:

Administrative Contact, Technical Contact:
  Host  (HO9039-ORG) [EMAIL PROTECTED]
  Relevant Marketing Technologies Inc.
  Relevant Marketing Technologies, Inc.
  6688 N. Central Expressway, Suite 150
  Dallas, Tx 75026
  US
  469-385-2000 Fax- 469-385-2001 Fax- -
469-385-2001

If I can be of any assistance in the expeditious modification of our records
with you, please do not hesitate contacting me.


Sincerely,

Bethann Lesnick
Senior Client Consultant
Strategic Development & Marketing

Relevant Marketing Technologies
6688 N. Central Expressway, Suite 150
Dallas, TX 75206

Main - 469.385.2000
Direct - 469.385.2022
Fax - 469.385.2001

[EMAIL PROTECTED]
www.RelevantMarketingTechnologies.com

email marketing and communication solutions














RE: [Declude.JunkMail] maybe a dumb question

2002-07-01 Thread Darrell LaRock

The "WARN" action only generates a line in the header of the message.
Are you trying to send an alert to the user that sent it?  

Darrell
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Stanley Lyzak
Sent: Monday, July 01, 2002 12:34 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] maybe a dumb question

Ok,

If this is too easy a question, cut me a break...we have been using
declude for 4 days (and are LOVING it!) (hitting about 65% - 75% catch
rate- trying to improve).

We have an IMail 6.x mailbag server (no actual mailboxes or domains
exist). It uses relay for IP and a hosts file per IMail recommendation.


Using declude, we are seeing two odd behaviors:

1) No setting for inbound mail in $default$.junkmail can be made to
generate a warning (we are testing with a piece of software that can be
made to violate the rules enough to cause a warning). Outbound warnings
in the global.cfg work like a champ. Is this because we have no actual
domains/mailboxes hosted on this server???

2) (Possibly related to above?): Although we are running the Pro version
of Declude, we cannot get a per-domain variation in the rule set. The
only warnings that are effective, are from the global.cfg file in the
imail/declude folder. We have tried creating a subfolder under declude
with the same name as our domain name, but it ignores any global.cfg or
$default$.junkmail file setting in that folder (yes I restarted the
IMail SMTP service after the changes).


Any ideas?


Thanks

BTW, the manual doesn't seem to be very inclusive in how everything can
be set. I have done some searches on the Internet and found a few nice
tools (and this forum has been helping a lot). But is there a good
repository of hints and specs (settings) that I could get my hands on???
I am very technically literate.

Thanks again!

Stan Lyzak, BSEE, CISSP, MCSE², CCNA, A+
Network Security Engineer
ASysTech, Inc.
