[Declude.JunkMail] refining the filtering process
We're fairly new at using JunkMail and we want to refine the process beyond the basic tests (typically weight10 or weight20). What strategy or steps would you recommend next? Two obvious ideas are Filtering and the ip4r tests. For filtering, I'm concerned about the system overhead and the effectiveness. I've heard that filtering on message headers is not effective and that filtering on message bodies is hard on the system. For ip4r, I've heard so many horror stories about over-zealous spam databases that I'm not sure which spam databases are worth working with. It would be really cool if someone at Declude wrote an addendum to the manual that talks about how to work with Declude JunkMail, rather than just how to use it. Any guidelines would be much appreciated. Thanks and happy holidays. Ben BC Web --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] refining the filtering process
While I'm hoping that Scott or someone will still reply to my earlier message (quoted below), I have a simpler, more mechanical question: how can I place the weight into the subject line of a message that fails one of the weight tests? It would be handy, for example, to see SPAM [6]: blah blah blah. Thanks, Ben - Original Message - From: IMail Admin [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, December 15, 2003 11:41 AM Subject: [Declude.JunkMail] refining the filtering process We're fairly new at using JunkMail and we want to refine the process beyond the basic tests (typically weight10 or weight20). What strategy or steps would you recommend next? Two obvious ideas are Filtering and the ip4r tests. For filtering, I'm concerned about the system overhead and the effectiveness. I've heard that filtering on message headers is not effective and that filtering on message bodies is hard on the system. For ip4r, I've heard so many horror stories about over-zealous spam databases that I'm not sure which spam databases are worth working with. It would be really cool if someone at Declude wrote an addendum to the manual that talks about how to work with Declude JunkMail, rather than just how to use it. Any guidelines would be much appreciated. Thanks and happy holidays. Ben BC Web --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] refining the filtering process
Thanks for the answer on the subject question. Your answer on the other (refining...) question was a bit shorter than I was hoping for. Do you have an archive for your JunkMail list messages? I've been scanning through the archives of IMail, but it's hard to pinpoint the right information. Thanks, Ben - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, December 15, 2003 1:56 PM Subject: Re: [Declude.JunkMail] refining the filtering process While I'm hoping that Scott or someone will still reply to my earlier message (quoted below), I have a simpler, more mechanical question: how can I place the weight into the subject line of a message that fails one of the weight tests? It would be handy, for example, to see SPAM [6]: blah blah blah. You can use TESTNAME SUBJECT SPAM [%WEIGHT%] to do that. As far as refining the filtering process, that's a *huge* topic, and reading this mailing list is the best thing that you can do. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Whitelist setup problem
Did I miss something here? I created a whitelist for a client (we use DJ Pro) by adding this line to their domain-specific $default$.junkmail file: WHITELISTFILE D:\IMail\Declude\PaulsonCommodities\whitelist.txt (I put it in right before their list of weighted tests). Inside the whilte list file, I have an entry: [EMAIL PROTECTED] I thought that this would cause email from this person to bypass the spam system. However, messages from him are still being scored and processed. When I checked the declude-x-sender line, the address is: [EMAIL PROTECTED] Is the whitelisting system case-sensitive? What am I missing here? Thanks, Ben --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Whitelist setup problem
Thanks Scott. You're saying the whiltelist file needs a blank line at the end? I didn't have one, but I just added one now. Ben - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, March 12, 2004 10:09 AM Subject: Re: [Declude.JunkMail] Whitelist setup problem Did I miss something here? I created a whitelist for a client (we use DJ Pro) by adding this line to their domain-specific $default$.junkmail file: WHITELISTFILE D:\IMail\Declude\PaulsonCommodities\whitelist.txt (I put it in right before their list of weighted tests). Inside the whilte list file, I have an entry: [EMAIL PROTECTED] I thought that this would cause email from this person to bypass the spam system. However, messages from him are still being scored and processed. When I checked the declude-x-sender line, the address is: [EMAIL PROTECTED] Is the whitelisting system case-sensitive? It isn't case sensitive. Is that the last line in the file? If so, can you move the cursor to the line below it? If not, you need to go to the end of the line and hit ENTER (most Windows programs won't be able to see the last line in the file without a CRLF at the end). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] More problems with: Whitelist setup problem
My client says they are still have getting email spam filtered by JM when it should be white listed. Here is what I have: The have a file whitelist.txt which for now has these entries: [EMAIL PROTECTED] [EMAIL PROTECTED] There are two blank lines after the scott listing. This file is referenced in their $default$.junkmail file as follows: REVDNS WARN ROUTING WARN SPAMHEADERS WARN WHITELISTFILE D:\IMail\Declude\PaulsonCommodities\whitelist.txt WEIGHT5 MAILBOX InSpamLow WEIGHT10 MAILBOX InSpam (This is a section out of the file, because I figured you would recognize the placement. It's right between the individual tests and the weighted tests.) This morning they received an email with this header (again, just an excerpt): From: Thiel, Scott [EMAIL PROTECTED] To: Nancy [EMAIL PROTECTED], Steve [EMAIL PROTECTED] Return-Path: [EMAIL PROTECTED] X-OriginalArrivalTime: 15 Mar 2004 16:13:17.0345 (UTC) FILETIME=[6D0B3110:01C40AA8] X-RBL-Warning: HELOBOGUS: Domain CHSCOWA.exch.chsroot has no MX or A records. X-Declude-Sender: [EMAIL PROTECTED] [205.235.215.4] X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam. X-Spam-Tests-Failed: HELOBOGUS, IPNOTINMX, NOLEGITCONTENT, WEIGHT5, WEIGHT5s [5] X-Note: This E-mail was sent from mailx.chsinc.com ([205.235.215.4]). X-RCPT-TO: [EMAIL PROTECTED] Status: U X-UIDL: 372121280 This message was caught by the weight5 test, which sends the message to the InSpamLow mailbox. The client wants this sender to be whitelisted, so that his emails always go to the regular Inbox. So why did JM process this email? It seems the X-Declude-Sender matches the line in the whitelist.txt file (since it's not case-sensitive). What am I missing? Thanks, Ben BC Web - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, March 12, 2004 10:09 AM Subject: Re: [Declude.JunkMail] Whitelist setup problem Did I miss something here? I created a whitelist for a client (we use DJ Pro) by adding this line to their domain-specific $default$.junkmail file: WHITELISTFILE D:\IMail\Declude\PaulsonCommodities\whitelist.txt (I put it in right before their list of weighted tests). Inside the whilte list file, I have an entry: [EMAIL PROTECTED] I thought that this would cause email from this person to bypass the spam system. However, messages from him are still being scored and processed. When I checked the declude-x-sender line, the address is: [EMAIL PROTECTED] Is the whitelisting system case-sensitive? It isn't case sensitive. Is that the last line in the file? If so, can you move the cursor to the line below it? If not, you need to go to the end of the line and hit ENTER (most Windows programs won't be able to see the last line in the file without a CRLF at the end). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] More problems with: Whitelist setup problem
I sent you the JM log file off-line as you request. However, once I looked at it closer, I found these lines: 03/18/2004 14:26:00.973 Q21f8015800fcaa67 Domain name = paulsoncommodities.com, User name = Steve. 03/18/2004 14:26:00 Q21f8015800fcaa67 Using [incoming] CFG file D:\IMAIL\Declude\paulsoncommodities.com\$default$.junkmail. 03/18/2004 14:26:00.973 Q21f8015800fcaa67 Could not open whitelist file D:\IMail\Declude\PaulsonCommodities\whitelist.txt. For a while I didn't understand this, and I even ran additional tests. Then I realized the obvious: if you compare the second and third lines of the excerpt, you'll see that one refers to paulsoncommodities.com (correct) and the other to paulsoncommodities (incorrect). My apologies to everyone for wasting time and bandwidth on what was a really trivial mistake. I'm going to go to the local pasta bar and ask for a hundred lashes with a wet noodle. Ben - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, March 18, 2004 1:25 PM Subject: Re: [Declude.JunkMail] More problems with: Whitelist setup problem My client says they are still have getting email spam filtered by JM when it should be white listed. Here is what I have: I can't see any problems here. I would recommend using the debug mode to track this down. To use the debug mode, you can change the LOGLEVEL LOW line in \IMail\Declude\global.cfg to LOGLEVEL DEBUG. Then, send an E-mail through that just be whitelisted, and then switch back to LOGLEVEL LOW (the debug mode adds huge amounts of information to the log file). You can then send me (off-list) the \IMail\spool\dec.log file (as an attachment, NOT sent from web messaging), and I can see what the problem is. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Countries List
So how do we use this functionality? Per your instructions, I'm trying to study the newsgroup postings to see how to use the extra functionalities included in the Interim releases, but those postings seem to leave me with more questions than answers. Thanks, Ben - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, March 23, 2004 3:22 PM Subject: Re: [Declude.JunkMail] Countries List I don't currently have that file in my IMail\Declude directory. If we are only running DJM Pro v1.75 will having this file do anything for us? Only if you are using the experimental IP-Country functionality. If you are not, there is no need to have that file. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Countries List
And where do you get these? Ben - Original Message - From: Scott Fisher [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, March 24, 2004 6:46 AM Subject: Re: [Declude.JunkMail] Countries List Mailpure's foreign-TLD and badcountrynorevdns are also good examples of country filters that are prebuilt and may be easy to implement with few changes. Scott Fisher Director of IT Farm Progress Companies [EMAIL PROTECTED] 03/23/04 07:12PM So how do we use this functionality? Per your instructions, I'm trying to study the newsgroup postings to see how to use the extra functionalities included in the Interim releases, but those postings seem to leave me with more questions than answers. Thanks, Ben - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, March 23, 2004 3:22 PM Subject: Re: [Declude.JunkMail] Countries List I don't currently have that file in my IMail\Declude directory. If we are only running DJM Pro v1.75 will having this file do anything for us? Only if you are using the experimental IP-Country functionality. If you are not, there is no need to have that file. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Countries List
That's super Joe -- I hope they look at your email when the finally write the manual instructions for this. Would you be willing to share your list of bad countries? It seems to me that would make a good starting point for us. Thanks again. Ben - Original Message - From: J Porter [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, March 23, 2004 10:09 PM Subject: Re: [Declude.JunkMail] Countries List Ben... 1. To get the Countries Test to work, add a line to your global.cfg something like: CTRY2filter c:\imail\declude\ctry2.txt x 5 0 this creates a filter test named CTRY2 with a link to a text file. 2. Create a text file (my example being ctry2.txt) which looks something like: COUNTRIES 5 CONTAINS AR COUNTRIES 5 CONTAINS AT Use this link to get the 2 letter abbrevations for the countries you want to add to your own filter: http://www.iana.org/cctld/cctld-whois.htm . Some folks add the whole list while I've only added the ones I see as a problem. 3. Get this file from Scott and put in it your C:\imail\declude directory. Get his file from: http://www.declude.com/release/178/all_list.dat . Keep this link as this file is apparently updated every so often. 4. Lastly, add an action line to your $default.junkmail file CTRY2WARN(or some other action as you see fit) Change the point values to suit your own requirements. If I got all the instructions correct, you'll see a new line in the header such as: X-Country-Chain: CANADA-UNITED STATES-destination and some points added to the total weight if it finds a country in your text file. In the filter text file, you can use either COUNTRY or COUNTRIES with different meanings. Someone please correct me, but I think COUNTRY only looks at the origin country where COUNTRIES will meet the test if it's anywhere in the pathway shown. This test works pretty well for us to add just enough weight to put some spam over our delete or hold limit. (Thanks Scott!) Y'all feel free to swat me if I missed something or got something wrong... :) ~Joe - Original Message - From: IMail Admin [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, March 23, 2004 7:12 PM Subject: Re: [Declude.JunkMail] Countries List So how do we use this functionality? Per your instructions, I'm trying to study the newsgroup postings to see how to use the extra functionalities included in the Interim releases, but those postings seem to leave me with more questions than answers. Thanks, Ben - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, March 23, 2004 3:22 PM Subject: Re: [Declude.JunkMail] Countries List I don't currently have that file in my IMail\Declude directory. If we are only running DJM Pro v1.75 will having this file do anything for us? Only if you are using the experimental IP-Country functionality. If you are not, there is no need to have that file. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses at HNB.com] --- [This E-mail scanned for viruses at HNB.com] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] per user settings question
We have JM Pro, and have a few per-user settings. Now we have a client with a nobody alias setup to catch all emails that aren't specifically addressed to one of their mailboxes. They want custom JM settings for this nobody alias. Can we just setup a nobody.jumkmail file like we would for any regular account? I guess this really breaks down to two questions: do the per-user settings apply to aliases? And do they apply to the nobody account? If we can't do a per-user setting for a nobody alias, then what's the best way to achieve the customer's goal? Thanks, Ben --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] per user settings question
Hmmm..., that doesn't quite do what they want. They have an mailbox julie, and nobody is an alias that resolves to julie. They want different JM settings for mail specifically addressed to julie versus mail addressed to no legitimate mailbox (which would get handled through the nobody alias). For example, if stephanie used to work for the company but has been gone for two years (and her mailbox closed for two years), they want different settings for stephanie than for julie. I suppose I could suggest that we create a true mailbox called nowhere, make nobody an alias for it, create per-user JM settings for the nowhere mailbox, and then have the nowhere mailbox forward all mail to julie. Will that work? Would the mail get processed by JM twice? Once on its way to nowhere and once on its way to julie? Thanks, Ben - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, April 01, 2004 11:41 AM Subject: Re: [Declude.JunkMail] per user settings question We have JM Pro, and have a few per-user settings. Now we have a client with a nobody alias setup to catch all emails that aren't specifically addressed to one of their mailboxes. They want custom JM settings for this nobody alias. Can we just setup a nobody.jumkmail file like we would for any regular account? With aliases, Declude JunkMail looks at the address that the alias resolves to. So if you have the nobody alias resolve to [EMAIL PROTECTED], then you could set up per-user settings for [EMAIL PROTECTED] (\IMail\Declude\example.com\nosuchaccount.junkmail). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] per user settings question
Thanks, Scott. Actually, we're back at IMail 7.15. I have yet to see any real benefit in the 8.x series. Ben - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, April 01, 2004 2:07 PM Subject: Re: [Declude.JunkMail] per user settings question Hmmm..., that doesn't quite do what they want. They have an mailbox julie, and nobody is an alias that resolves to julie. They want different JM settings for mail specifically addressed to julie versus mail addressed to no legitimate mailbox (which would get handled through the nobody alias). For example, if stephanie used to work for the company but has been gone for two years (and her mailbox closed for two years), they want different settings for stephanie than for julie. I suppose I could suggest that we create a true mailbox called nowhere, make nobody an alias for it, create per-user JM settings for the nowhere mailbox, and then have the nowhere mailbox forward all mail to julie. That is exactly what I would recommend. Will that work? Would the mail get processed by JM twice? Once on its way to nowhere and once on its way to julie? It should work fine. If you're using IMail v8.1, you'll probably be stuck having the mail scanned twice, though. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] f-prot
I'd like to second this question. I remember seeing a couple of discussions here where people couldn't agree on which McAfee product to use as the command line scanner with Declude. And, of course, the online stores always emphasize the Windows-based products. So exactly which product is it that's needed? Thanks, Ben - Original Message - From: John Carter [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, May 18, 2004 12:56 PM Subject: RE: [Declude.JunkMail] f-prot Do you have a CDW product number on this? Called and they took forever to come back with $20+ Thanks, John -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick Hayer Sent: Tuesday, May 18, 2004 9:55 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] f-prot On 17 May 2004 at 20:56, Aaron J. Caviglia wrote: Where can we purchase the command line scanner? Aaron - If you are referring to the Mcafee one for $11 - Scott mentioned My 1 year McAfee VirusScan Command Line license was $11 through CDW. We paid the same thing off of State contract from Insight. -Nick Hayer Thanks, Aaron Caviglia On May 17, 2004, at 8:23 PM, Goran Jovanovic wrote: For the latter there is an outstanding request to Scott to kill additional scanning once a scanner detects a virus.. So right now if you use multiple scanners when you scan with ScannerA and it finds a virus Declude will still call ScannerB and have it scan as well? Scott pointed out that his McAfee was only $11.00 for the year so the price barrier is non-existant and I see from your and Scott's responses that there are indeed reasons to have more than one scanner. Thank you all Goran Jovanovic The LAN Shoppe -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Nick Hayer Sent: Monday, May 17, 2004 10:03 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] f-prot On 17 May 2004 at 9:13, Goran Jovanovic wrote: For the folks using multiple scanners, do you have any stats on how often the secondary scanner found a virus that the first one missed? Hi Goran, Here are my latest stats: Virus Totals: 441 F-Prot 412 AVG 446 McAfee - Vunerabilities: 349 - I update the defs for all every 4 hrs on a staggered schedule. Because of possible false positives I have found it hard to rank one particular scanner over another. For me the advantage to have more than one is one [varies] company will always come out with protection for a new outbreak before another. The downside is cost and cpu overhead. For the latter there is an outstanding request to Scott to kill additional scanning once a scanner detects a virus.. -Nick Hayer I realize that the cost of F-Prot (which I am using) is quite low and others might be as well, so it is not a cost issue but rather a Do I really need it?. Thanx Goran Jovanovic The LAN Shoppe -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Monday, May 17, 2004 12:49 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] f-prot I find the Mcafee is the best at detecting viruses within encrupted zips. Otherwise they are pretty even. I'd recommend using F-Prot and Mcafee. Mcafee for the DOS command line scanner is dirt cheap. I'll see if I can find my price tomorrow. [EMAIL PROTECTED] 5/15 12:29p Can anyone tell me how f-prot compares to mcafee or symantec when it comes to keeping their database up with new viruses? That just seems pretty cheap but hey that's exactly what I'm looking for as long as it works well :) thanks, Larry Craddock --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
[Declude.JunkMail] What's wrong with this header?
Normally, we expect that all the clients we host on our own mail server would get very low spam weights. However, I just recieved a message from a client with a weight of 7. I'm trying to understand why the high weight. Here is the message header: Received: from slaptop [65.75.194.49] by paulsoncommodities.com with ESMTP (SMTPD32-7.15) id AF04C681014A; Thu, 17 Jun 2004 14:37:08 -0700 Message-ID: [EMAIL PROTECTED] From: Steve [EMAIL PROTECTED] To: Dr Ben Bednarz [EMAIL PROTECTED] Subject: SPAM [7]Fw: SPAM [13]ngate antelope.ppt Date: Thu, 17 Jun 2004 14:34:47 -0700 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary==_NextPart_000_00BE_01C45478.3D874360 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1158 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 65.75.194.49 with no reverse DNS entry. X-Declude-Sender: [EMAIL PROTECTED] [65.75.194.49] X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam. X-Spam-Tests-Failed: CMDSPACE, REVDNS, WEIGHT5, WEIGHT5r [7] X-Note: This E-mail was sent from [No Reverse DNS] ([65.75.194.49]). X-RCPT-TO: [EMAIL PROTECTED] Status: U X-UIDL: 387407616 Any thoughts? Ben Bednarz BC Web --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] What's wrong with this header?
We're still running Imail 7.15 -- I have yet to see any value in upgrading to 8.x -- so is there an easy way to do the whitelisting of local accounts for IMail 7.x? Also, what would you think about lowering the weight for CMDSPACE from 8 to 4? Ben - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, June 18, 2004 9:48 AM Subject: Re: [Declude.JunkMail] What's wrong with this header? Normally, we expect that all the clients we host on our own mail server would get very low spam weights. However, I just recieved a message from a client with a weight of 7. I'm trying to understand why the high weight. Here is the message header: Received: from slaptop [65.75.194.49] by paulsoncommodities.com with ESMTP (SMTPD32-7.15) id AF04C681014A; Thu, 17 Jun 2004 14:37:08 -0700 X-Spam-Tests-Failed: CMDSPACE, REVDNS, WEIGHT5, WEIGHT5r [7] This E-mail failed 2 tests: CMDSPACE and REVDNS. It failed the REVDNS test because it was sent from an IP with no reverse DNS entry. That can usually be fixed quite easily. The CMDSPACE test, though, it an odd test -- it is very rare for a legitimate E-mail from another mailserver to fail the test (less than 1 in 1,000), but it is very common for E-mail from mail clients to fail that test. As a result, it may be worth whitelisting your own users (if you use IMail v8, you can do this with a line WHITELIST AUTH in the \IMail\Declude\global.cfg file if your users authenticate, and you are running the latest beta of Declude JunkMail). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Conditional test weighting
Is it possible to make the weight of a test conditional? Here is my thinking: we've been having problems with our own users getting zapped by the CMDSPACE test. We are running IMail 7.15, so we don't have access to the whitelist auth option. We can whitelist our own domains, but that would let a lot of spam through, since spammers often falsely use your own domain name as the from: line. However, it would be nice to have the weight of CMDSPACE be 8 most of the time, but reduce it to, say, 2, when the message comes from our clients' own domain names. So we're not whitelisting our own clients' domain names, just changing the weight of one of the tests. Can this be done? Thanks, Ben BC Web --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] working with filters
I'm a little confused, mainly because I really haven't worked with filters. In reading the manual about filters, it seems you apply weights both inside the filter and in the filter file line in the global.cfg file. In the example given in the manual, weights are assigned to several tests (such as HELO 8 CONTAINSlocalhost), also to the file (C:\IMail\Declude\myfilter.txt x 5 0). Does that mean a message failing this test gets a score of 13? Second question: can you apply a filter file on a per-domain or per-user basis (assuming JM Pro)? The manual only talks about the global.cfg file. Third question: The quoted message below was a response to one of my earlier questions. It appears that the filter was given a name of LOCALCMDSPACE. Is there a way to use this? Or does it just show up in the message header? I'm just trying to understand the purpose. Thanks, Ben - Original Message - From: System Administrator [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, June 25, 2004 4:35 AM Subject: Re: [Declude.JunkMail] Conditional test weighting on 6/24/04 6:07 PM, Imail Admin wrote: Is it possible to make the weight of a test conditional? Here is my thinking: we've been having problems with our own users getting zapped by the CMDSPACE test. We are running IMail 7.15, so we don't have access to the whitelist auth option. We can whitelist our own domains, but that would let a lot of spam through, since spammers often falsely use your own domain name as the from: line. However, it would be nice to have the weight of CMDSPACE be 8 most of the time, but reduce it to, say, 2, when the message comes from our clients' own domain names. So we're not whitelisting our own clients' domain names, just changing the weight of one of the tests. Can this be done? You might want to try a filter like this (you'll need the latest beta and/or interim of declude). The CMDSPACE test must be run before this filter is run and the CMDSPACE test weight in this example is 1. LOCALCMDSPACE - SKIPIFWEIGHT 50 TESTSFAILED END NOTCONTAINS CMDSPACE REMOTEIP -1 CONTAINS 12.4.184. REMOTEIP -1 CONTAINS 12.4.185. REMOTEIP -1 CONTAINS 12.4.186. where 12.4.184., and such, are the IP subnets assigned to your users. If a message fails the cmdspace test and is not from a local ip address, the message would have 1 added to its weight. Messages failing the cmdspace test and connecting from your ip address range would end up with 0 added to their weight. Greg --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] working with filters
Hi Scott, Thanks for the quick reply. What do you mean by apply to certain users? If I add a line to a filter to the global.cfg file, it runs for everyone. So where in the filter file do I apply per-domain settings? For example, in the REMOTEIP code I was looking at, it seems the REMOTEIP test runs for everyone. Perhaps this is connected to my earlier question: in the script I was looking at, the filter was given a name. Is there a use for this name? Here is the filter text I was looking at: LOCALCMDSPACE - SKIPIFWEIGHT 50 TESTSFAILED END NOTCONTAINS CMDSPACE REMOTEIP -1 CONTAINS 12.4.184. REMOTEIP -1 CONTAINS 12.4.185. REMOTEIP -1 CONTAINS 12.4.186. Thanks, Ben - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, June 28, 2004 9:57 AM Subject: Re: [Declude.JunkMail] working with filters I'm a little confused, mainly because I really haven't worked with filters. In reading the manual about filters, it seems you apply weights both inside the filter and in the filter file line in the global.cfg file. In the example given in the manual, weights are assigned to several tests (such as HELO 8 CONTAINSlocalhost), also to the file (C:\IMail\Declude\myfilter.txt x 5 0). Does that mean a message failing this test gets a score of 13? Correct. Second question: can you apply a filter file on a per-domain or per-user basis (assuming JM Pro)? The manual only talks about the global.cfg file. Yes and no. All tests in Declude JunkMail are global. So it is not possible to have a test that will be run for just certain users. However, you can define the filter, and have it only apply to certain users (by having the per-user/per-domain settings take action for specific user(s) but not others). If you do this, the test will still be run for everyone. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] working with filters
Sorry Scott, I just realized I was being Monday-morning befuddled. The inclusion of the filter line in the global.cfg file only defines the test, just as all the other tests are defined there. It's only when I put the reference in the $default$.junkmail file to that test name that the test is actually used. Sorry for being so slow... Ben - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, June 28, 2004 10:46 AM Subject: Re: [Declude.JunkMail] working with filters So where in the filter file do I apply per-domain settings? Per-user/per-domain settings are not handled in the filter file -- check the Per-user settings and Per-domain settings sections of the manual at http://www.declude.com/junkmail/manual.htm for details on per-user/per-domain settings. Perhaps this is connected to my earlier question: in the script I was looking at, the filter was given a name. Is there a use for this name? Yes. Every test must have a name -- that is how Declude JunkMail knows what you want to do. For example, if your per-user config file has two lines DELETE and WARN, Declude JunkMail won't know what you want to do. But if it has lines TEST1 DELETE and TEST2 WARN, then Declude JunkMail will know what to do. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] working with filters
I must really be slow today, so my apologies in advance... Applying actions for different tests for different users/domains is fine. If I put YOURTESTNAME DELETE into a per-domain junkmail file, then messages that fail that test will be deleted. However, what about weighting? If I define a filter that gives a weight, then that's done at the global.cfg level. I can then take action at the per-domain level (mark as spam if weight is greater than 10, and so on). But it seems my filter will effect the weight of all messages. I am trying to apply a filter that will change the weight only for a specific domain. So maybe the filter runs for all domains, but I want it to only affect the weight of a certain domain. What am I missing here? Thanks again, Ben - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, June 28, 2004 10:44 AM Subject: Re: [Declude.JunkMail] working with filters What do you mean by apply to certain users? If the recipient's config file has YOURTESTNAME DELETE, the E-mail will be deleted for that user. If the recipient's config file has no line beginning with YOURTESTNAME, the test will still be run, but no action will be taken (so the test does not apply to that user). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] working with filters
Thanks for your patience Scott. I think I understand now, although my actual test doesn't seem to be working. Perhaps you can tell me where I'm going wrong? 1. I put a reference to the filter in the global.cfg file (e.g., c:\imail\declude\cmdspacefilter.txt x 0 0). Notice that I gave the filter a weight of zero. 2. In the filter file, I have these lines: LOCALCMDSPACE - SKIPIFWEIGHT 20 TESTSFAILED END NOTCONTAINS CMDSPACE REMOTEIP -6 CONTAINS 66.224.41 REMOTEIP -6 CONTAINS 5.75.194.49 This should name the filter LOCALCMDSPACE, should cause it to be skipped if weight is already over 20, should cause it to quit if the TESTSFAILED text does not contain CMDSPACE. If it gets to the last two lines, it should add a weight of -6 if REMOTEIP contains the IP addresses. By the way, notice that in on of the lines, I only use a partial IP address. I wanted to have that line take effect for all IPs inside 66.224.41.*. I didn't do anything else because I just want the weight to be adjusted. The REMOTEIP lines restrict my weighting to those two IP addresses. I ran an in-house test and this filter wasn't applied. I'm not sure why. Here is a sample header from one of the tests: Received: from bc7 [66.224.41.4] by bcw6.bcwebhost.net with ESMTP (SMTPD32-7.15) id A5C7E3E0140; Mon, 28 Jun 2004 12:47:19 -0700 Message-ID: [EMAIL PROTECTED] From: Carol [EMAIL PROTECTED] To: Ben Bednarz [EMAIL PROTECTED] Subject: SPAM [8]test 3 Date: Mon, 28 Jun 2004 12:47:19 -0700 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary==_NextPart_000_001B_01C45D0E.0C5BBAC0 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1409 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409 X-Declude-Sender: [EMAIL PROTECTED] [66.224.41.4] X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam. X-Spam-Tests-Failed: CMDSPACE, WEIGHT5, WEIGHT5r [8] X-Note: This E-mail was sent from bcnetserv.bednarzconsulting.com ([66.224.41.4]). X-RCPT-TO: [EMAIL PROTECTED] Status: U X-UIDL: 387407718 So this email failed the CMDSPACE test and came from the 66.224.41 REMOTEIP, but didn't get the negative weight I expected from LOCALCMDSPACE. What am I missing? Thanks, Ben - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, June 28, 2004 11:22 AM Subject: Re: [Declude.JunkMail] working with filters I must really be slow today, so my apologies in advance... Applying actions for different tests for different users/domains is fine. If I put YOURTESTNAME DELETE into a per-domain junkmail file, then messages that fail that test will be deleted. Correct (but only for E-mail to that one domain). However, what about weighting? The weighting will be applied to all users/domains. If I define a filter that gives a weight, then that's done at the global.cfg level. I can then take action at the per-domain level (mark as spam if weight is greater than 10, and so on). But it seems my filter will effect the weight of all messages. Correct. I am trying to apply a filter that will change the weight only for a specific domain. So maybe the filter runs for all domains, but I want it to only affect the weight of a certain domain. This would require some creativity, if it is possible, starting the filter with a line that would end the filter if the E-mail is not addressed to the specific domain you want it to apply to. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] working with filters
Hi Scott, That's just what I needed. I took the script from someone else's earlier reply to my questions about CMDSPACE. I guess the email message reformatted the text, so the way I read it was to put the filter name inside the filter file instead of inside the global.cfg file. Now that I've fixed that, it works perfect. CMDSPACE counts as 8 for most people, but counts only as 2 for certain clients. I have a second question: we have clients that are getting hit with the REVDNS test. Is this because their ISP has no reverse DNS entry for that IP? If we want to fix this problem, then do we need to have our clients talk to their access ISP about setting up a reverse DNS entry? Thanks, Ben - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, June 28, 2004 1:07 PM Subject: Re: [Declude.JunkMail] working with filters 1. I put a reference to the filter in the global.cfg file (e.g., c:\imail\declude\cmdspacefilter.txt x 0 0). Notice that I gave the filter a weight of zero. Is that MYTESTNAME filter c:\imail\declude\cmdspacefilter.txt x 0 0 (good) or just c:\imail\declude\cmdspacefilter.txt x 0 0 (bad)? 2. In the filter file, I have these lines: LOCALCMDSPACE - FYI, that line won't be recognized by Declude JunkMail. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SPF issue
I've been just begging for motivation to upgrade from 7.15 to 8.x, and so far, the only good reason I've found is the WHITELIST AUTH feature. Otherwise, it's hard to see any reason for upgrading, especially when I've got a stable, trouble-free mail server now, and an upgrade could introduce any number of new problems. Now if someone could just convince Ipswitch to do something significant with IMail (better calendaring, improved list server, support for ASP in web pages, better handling of IMAP, and so on), I'd jump to the upgrade in a snap. In the meanwhile, I'm with David: we sit at 7.15 and just work around the absence of WHITELIST AUTH. Ben Bednarz BC Web - Original Message - From: Kevin Bilbee [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, September 29, 2004 4:42 PM Subject: RE: [Declude.JunkMail] SPF issue No, the probem you are having is with your own mail server catching messages from your subscribers sending mail. If you do not allow mail relay and only auth then you can whitelist your dial up ip address of your users within declude. Now if they are not connecting from one of your dial up ranges then they will be caught with the SPF record. Many features of declude are muted by not using WHITELIST AUTH and not being on the 8.x version of imail. Kevin Bilbee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry Sent: Wednesday, September 29, 2004 4:09 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] SPF issue Unfortunately i'm running imail 7.07 and it doesn't look like we'll be going to 8.x anytime soon. So, if i change my spf record to include the ip pool of my dialup users, i should be ok, correct? That would be fine. or, i could change the -all to ~all, correct? That could work, although it has two drawbacks: many SPF systems don't support softfail yet, and it reduces the effectiveness of your SPF record. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] confusion on SPF and IP addresses
Hi, There is one point about the setup of SPF records in DNS that confuses me: SPF compares the return address of email against the IP of the MX record for that domain. However, the MX record doesn't point to an IP, it points to a host name, which may be in another domain. So the MX record for abc.com may point to mail.xyz.com. So when systems do an SPF lookup, do they just find the IP of mail.xyz.com and use that, and ignore the fact that that mail server really belongs to another domain? Ben BC Web --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] understanding JM scores
Hi, I'm trying to better understand how JM scores weights. I sent a test message from one of our internal accounts to another, and it came out with a spam weight of 5. This was in the header: X-Declude-Sender: [EMAIL PROTECTED] [66.224.41.4] X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam. X-Spam-Tests-Failed: CMDSPACE, SPFFAIL, LOCALCMDSPACE, WEIGHT5, WEIGHT5r [5] X-Note: This E-mail was sent from bcnetserv.bednarzconsulting.com ([66.224.41.4]). X-RCPT-TO: [EMAIL PROTECTED] I then went to the IMail logs, pulled the Q-number, and used that to look up the processing in the Declude log. Here is what Declude has to say: 10/18/2004 13:37:39 Q299209820080b72d L1 Message OK 10/18/2004 13:37:39 Q299209820080b72d Tests failed [weight=5]: CMDSPACE=IGNORE IPNOTINMX=IGNORE NOLEGITCONTENT=IGNORE SPFFAIL=IGNORE LOCALCMDSPACE=IGNORE WEIGHT5=SUBJECT WEIGHT5r=MAILBOX CATCHALLMAILS=IGNORE Here are the relevant lines from global.cfg: BADHEADERS badheaders x x 8 0 BASE64 base64 x x 4 0 CMDSPACE cmdspace x x 8 0 COMMENTS comments x x 7 0 HELOBOGUS helovalid x x 5 0 IPNOTINMX ipnotinmx x x 0 -3 MAILFROMenvfrom x x 12 0 NOLEGITCONTENT nolegitcontent x x 0 -5 PERCENT percent x x 10 0 REVDNS revdnsexists x x 4 0 ROUTING spamrouting x x 2 0 SPAMHEADERS spamheaders x x 3 0 SPFPASS spf passx -3 0 SPFFAIL spf failx 3 0 LOCALCMDSPACE filter D:\IMail\Declude\cmdspace.txt x 0 0 And here is the text of the cmdspace.txt file: SKIPIFWEIGHT 20 TESTSFAILED END NOTCONTAINS CMDSPACE REMOTEIP -6 CONTAINS 66.224.41 REMOTEIP -6 CONTAINS 5.75.194.49 REMOTEIP -6 CONTAINS 65.103.158.62 I should mention that we do have an SPF record for our primary domain name (bcwebhost.net), but not for bednarzconsulting.com, and that we're using IMail 7.15. Can Scott or someone explain to me how the weight on this message was calculated? Thanks, Ben BC Web --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] understanding JM scores
So what does the =IGNORE mean in the logs? Such as this: CMDSPACE=IGNORE IPNOTINMX=IGNORE NOLEGITCONTENT=IGNORE SPFFAIL=IGNORE LOCALCMDSPACE=IGNORE WEIGHT5=SUBJECT WEIGHT5r=MAILBOX CATCHALLMAILS=IGNORE And if this is only a list of tests that failed, then is there no list of tests the passed? Ben - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, October 19, 2004 4:06 AM Subject: Re: [Declude.JunkMail] understanding JM scores Can Scott or someone explain to me how the weight on this message was calculated? The weight is calculated by adding/subtracting every relevant weight for the E-mail. In almost all cases where the weights do not seem to add up, it is because the E-mail did *not* fail a spam test that is set to use a negative weight. For example, E-mails that do not fail the IPNOTINMX or NOLEGITCONTENT tests will normally have points subtracted from their weight (as they are more likely to be legitimate E-mails). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] understanding JM scores
Thanks, Scott. Ok, one more: here is the scoring system I use: BADHEADERS badheaders x x 8 0 BASE64 base64 x x 4 0 CMDSPACE cmdspace x x 8 0 COMMENTS comments x x 7 0 HELOBOGUS helovalid x x 5 0 IPNOTINMX ipnotinmx x x 0 -3 MAILFROMenvfrom x x 12 0 NOLEGITCONTENT nolegitcontent x x 0 -5 PERCENT percent x x 10 0 REVDNS revdnsexists x x 4 0 ROUTING spamrouting x x 2 0 SPAMHEADERS spamheaders x x 3 0 SPFPASS spf passx -3 0 SPFFAIL spf failx 3 0 LOCALCMDSPACE filter D:\IMail\Declude\cmdspace.txt x 0 0 According to the log entry, the message should get 8 for failing CMDSPACE, 0 for failing IPNOTINMX, 0 for failing NOLEGITCONTENT, 3 for failing SPFFAIL, and 0 for failing LOCALCMDSPACE. It gets 0 points for passing all of the remaining tests. So that totals to 11, not 5. So how am I misreading this? Also, how can I find out why it failed the SPFFAIL test? Since this was for an internal message, I expected to pass the SPF tests (we have an SPF record). Thanks again, Ben - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, October 19, 2004 3:25 PM Subject: Re: [Declude.JunkMail] understanding JM scores So what does the =IGNORE mean in the logs? Such as this: CMDSPACE=IGNORE IPNOTINMX=IGNORE NOLEGITCONTENT=IGNORE SPFFAIL=IGNORE LOCALCMDSPACE=IGNORE WEIGHT5=SUBJECT WEIGHT5r=MAILBOX CATCHALLMAILS=IGNORE Those are the actions that are taken. So the subject was modified since the E-mail failed the WEIGHT5 test, and the E-mail was re-routed to another mailbox since it failed the WEIGHT5r test, but no other actions were taken due to the E-mail failing other tests. And if this is only a list of tests that failed, then is there no list of tests the passed? Correct. The E-mail passed any tests that you have defined, but that are not listed. The only other option would be for Declude JunkMail to log every single test for every single E-mail, which could make for large log file entries. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] understanding JM scores
Thanks for your help, Scott. Ben - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, October 20, 2004 4:15 AM Subject: Re: [Declude.JunkMail] understanding JM scores Thanks, Scott. Ok, one more: here is the scoring system I use: CMDSPACE=IGNORE IPNOTINMX=IGNORE NOLEGITCONTENT=IGNORE SPFFAIL=IGNORE LOCALCMDSPACE=IGNORE WEIGHT5=SUBJECT WEIGHT5r=MAILBOX CATCHALLMAILS=IGNORE CMDSPACE cmdspace x x 8 0 IPNOTINMX ipnotinmx x x 0 -3 NOLEGITCONTENT nolegitcontent x x 0 -5 SPFFAIL spf failx 3 0 LOCALCMDSPACE filter D:\IMail\Declude\cmdspace.txt x 0 0 According to the log entry, the message should get 8 for failing CMDSPACE, 0 for failing IPNOTINMX, 0 for failing NOLEGITCONTENT, 3 for failing SPFFAIL, and 0 for failing LOCALCMDSPACE. It gets 0 points for passing all of the remaining tests. So that totals to 11, not 5. So how am I misreading this? That's a difference of -6. So somewhere, Declude JunkMail is subtracting 6 points. Could your filter file be doing that? Also, how can I find out why it failed the SPFFAIL test? Since this was for an internal message, I expected to pass the SPF tests (we have an SPF record). Unfortunately, it is not possible to find out why the E-mail failed the SPF test -- but if you enter the appropriate information into http://www.dnsstuff.com/pages/spf.htm you can find out why it failed. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] SPF question
Hi, I have a question about setting up the SPF string. If I use this string: v=spf1 a mx a:bcw5, a:bcw6 -all as a text record in our domain (bcwebhost.net), then the SPF test checks the sending IP and tries to match it against either bcw5.bcwebhost.net or bcw6.bcwebhost.net. The -all option says that if the sending IP doesn't match one of those two, the test fails. Now when I send out mail, it goes out through an IP (66.224.41.4 -- our firewall) that doesn't belong to that domain. So how do I get the SPF test to pass for email coming from this IP address? Thanks, Ben BC Web --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SPF question
Thanks, Scott. Ben - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, October 21, 2004 2:42 PM Subject: Re: [Declude.JunkMail] SPF question I have a question about setting up the SPF string. If I use this string: v=spf1 a mx a:bcw5, a:bcw6 -all as a text record in our domain (bcwebhost.net), then the SPF test checks the sending IP and tries to match it against either bcw5.bcwebhost.net or bcw6.bcwebhost.net. The -all option says that if the sending IP doesn't match one of those two, the test fails. Now when I send out mail, it goes out through an IP (66.224.41.4 -- our firewall) that doesn't belong to that domain. So how do I get the SPF test to pass for email coming from this IP address? You just need to add ip4:66.224.41.4 to the SPF record, and you should be all set. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] 2005 SpamHeaders Glitch?
I think Jerry has this right. Both our Declude and IMail support agreements are currently lapsed. We were planning on renewing both in early 2005 when Ipswitch had their big fiasco over discontinuing IMail as a stand-alone program. So we plan on dropping IMail and we postponed renewing the Declude support contract. I'm sure that if we switch to SmarterMail that we'll renew the Declude contract, but that could be months out. In the meanwhile, we were happy with our current version of Declude until this bug popped up. Since this is a major bug, I consider Declude responsible. I'll be interested to see what they do. Actually, I could think of one compromise solution: release an update/fixed version, require a support contract for the download, but offer (for a limited time) a substantial discount on the support contract. Or, if you don't like that, then offer a short-term support contract (three months for one quarter of the usual price). I really am a big fan of Declude; I just don't like being forced into an upgrade. Ben BC Web - Original Message - From: Jerry Murdock [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Monday, January 03, 2005 8:22 AM Subject: Re: [Declude.JunkMail] 2005 SpamHeaders Glitch? I don't think that's fair for a bug like this. Declude has never been presented as being a time sensitive licensed product. I know some of my old installs are still probably using older versions without other issues. I've made my successors aware of this and it's up to them now. There are a lot of folks out there that will be looking for an iMail replacement, and may consider Smartermail/Declude, but won't if they feel CPHZ is not doing right. CPHZ should release a 1.82 or a 1.8101 and make it available for all licensed users. They would then get a phone home version out to more users, and generate good will instead of ill will. I'm surprised the conspiracy theorists haven't chimed in already that this is just a way to force an upgrade. I don't believe that, but some will be thinking it. Jerry - Original Message - From: Ncl Admin [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Monday, January 03, 2005 10:51 AM Subject: RE: [Declude.JunkMail] 2005 SpamHeaders Glitch? At 07:59 AM 1/2/2005 +1100, you wrote: Great way to increase sales due to the need to update service agreements. Anyone that runs production software without service agreements gets what they deserve. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] whitelist not configured right?
Hi, We regularly use the whitelist feature with our clients, and it always works. Now, however, when I try to use it with our own domain, it doesn't seem to be operating. When I connect to our mail server from home (using broadband cable) to send messages, the system always gives me a high spam score (specifically failing cmdspace and spffail). So in the whitelist file for our domain name, I put a line IP x.x.x.x, where x.x.x.x is my home IP address. However, the Declude continues to scan messages sent from my home PC for spam, and to act accordingly. What am I missing here? Ben BC Web --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] whitelist not configured right?
Thanks, Scott. I also thought that whitelist files included all of the same options as the whitelist commands that go into a global.cfg file. What about @domain-name? Does that work in a whitelist file? Thanks, Ben - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Monday, January 24, 2005 12:23 PM Subject: Re: [Declude.JunkMail] whitelist not configured right? So in the whitelist file for our domain name, I put a line IP x.x.x.x, where x.x.x.x is my home IP address. However, the Declude continues to scan messages sent from my home PC for spam, and to act accordingly. The problem is that whitelist files don't have an option of IP x.x.x.x. In this case, you could add a line WHITELIST IP x.x.x.x in the \IMail\Declude\global.cfg file. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Anyone with an updated Global.cfg?
Hi, I've noticed in the last couple of weeks a huge upsurge in junk mail getting through our system with lower weights (i.e., ending up in the InBox instead of the spam folder or being deleted). We don't do a lot of tweaking with our configuration files, so we normally expect a certain small percentage to get through. But this big increase makes me wonder if our global.cfg file has become so obsolete that our JM setup is no longer effective. Does anyone have a more current global.cfg file that they would be willing to share? I should mention that we also started a trial of demo version of Sniffer, but so far we've seen only a very marginal effect. Thanks, Ben BC Web --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] question on calculating weights
Hi All, Hope you don't mind another simple question... I have a spam message with a weight of 2: X-Spam-Tests-Failed: SNIFFER [2] The problem with this line was that we have sniffer weighted at 7. So I went to the Declude JM log and came up with this: 03/01/2005 13:17:46 Qdbca042102961063 Tests failed [weight=2]: IPNOTINMX=IGNORE SNIFFER=WARN CATCHALLMAILS=IGNORE The problem here is that IPNOTINMX has a weight of -3 and CATCHALLMAILS has a weight of 0. So that would seem to imply that the total weight should have been 4 (7 - 3), instead of 2. Where did the extra -2 come from? Here are the relevant lines from the global.cfg file: IPNOTINMX ipnotinmx x x 0 -3 SNIFFER external nonzero d:\imail\sniffer\snfrv2r3.exe xnk05x5vmipeaof7 7 0 CATCHALLMAILS catchallmails x x 0 0 So somebody slap me on the side of my head and tell me what I'm missing. Thanks, Ben --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] timeout test on Spam
That's a good question about the DNS server. When I run the response test from dnsstuff.com, my DNS servers get graded as A or A-, which would seem to be OK. Also, the timeouts only seem to occur on spam. Ben - Original Message - From: Darrell ([EMAIL PROTECTED]) [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Tuesday, March 01, 2005 2:36 PM Subject: Re: [Declude.JunkMail] timeout test on Spam That usually indicates your are having DNS issues. Are you sure your DNS server is healthy and responding to queries quickly? Darrell Imail Admin writes: Hi All, We get a fair amount of spam that slips through without triggering anything (including Sniffer). I notice in the headers for these messages a line like the following: X-Note: This E-mail was sent from (timeout) ([213.213.213.56]). Should I be using the timeout as a test for spam? If so, how? Thanks, Ben BC Web --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] timeout test on Spam
Thanks Scott. Question: I'm not familiar with the NOTIS command; is that from Version 2 of JM? Ben - Original Message - From: Scott Fisher [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Tuesday, March 01, 2005 1:38 PM Subject: Re: [Declude.JunkMail] timeout test on Spam I use a variant of Matt's badcountrynorevdns test to punish timeout's from spam haven countries: BadCountryREVDNSTimeout.txt: REVDNS END NOTIS (Timeout) COUNTRY 50 IS CN COUNTRY 50 IS KR COUNTRY 40 IS RU - Original Message - From: Imail Admin [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Tuesday, March 01, 2005 3:18 PM Subject: [Declude.JunkMail] timeout test on Spam Hi All, We get a fair amount of spam that slips through without triggering anything (including Sniffer). I notice in the headers for these messages a line like the following: X-Note: This E-mail was sent from (timeout) ([213.213.213.56]). Should I be using the timeout as a test for spam? If so, how? Thanks, Ben BC Web --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] catchallmails question
Title: Message Hi, I have a strange question, which once against my astounding ignorance. I just tried using DLAnalyzer Lite on our latest Declude JM log. For the sample I tested, I got these results: Total Messages Processed: 11,234Messages That Failed Defined Test(s): 10,153Percentage That Failed Defined Test(s): 90.38%Average Message Weight: 4Average Message Weight/Failed: 5 TEST # FAILED PercentageWEIGHT10...6,308...56.15%CATCHALLMAILS..5,393...48.01%NOLEGITCONTENT.4,361...38.82%IPNOTINMX..4,237...37.72%WEIGHT53,856...34.32%WEIGHT10S..3,564...31.73%WEIGHT20...3,509...31.24%WEIGHT73,465...30.84%SNIFFER3,451...30.72%SPAMCOP3,006...26.76% You can ignore the Weight tests; those are just weight ranges and not real tests. Here's the thing: Catchallmails also is not a real test; it's supposed to catch all emails. So why doesn't the Catchallmails statistic above show 100%? The system is telling me that Catchallmails only caught 48%. I should mention that Catchallmails comes in the global.cfg file after the regular tests, and after the weight ranges, but before a handful of whitelisted IPs. Help, please? Ben BC Web
Re: [Declude.JunkMail] catchallmails question
Title: Message Thanks, Darrell. This at least sets me on the right path. I don't believe "Whitelist AUTH" is something we use because we're running IMail 7.15, which, I believe, doesn't support that option. However, there must be other,similar causes for being skipped. So, does anyone know a list of reasons why messages would be skipped? Obviously, a whitelist of address, domains, and IPs, would be one possibility. For that matter, does anyone have a utility that would analyze messages being skipped? It would seem an obvious thing to review, in case a whitelisted source (AUTH, address, etc.) becomes hijacked. Perhaps this would be a good addition for DLAnalyzer. Ben - Original Message - From: Darrell ([EMAIL PROTECTED]) To: Declude.JunkMail@declude.com Sent: Wednesday, March 02, 2005 6:56 PM Subject: Re: [Declude.JunkMail] catchallmails question Ben, There are various conditions that can account for messages being picked up without being marked with the "CATCHALLMAILS" test. A good bulk of these instances occur because a message under certain conditions will not loga "Test failed" line. One example is "Whitelist AUTH" in this particular example the only line that is logged in the Declude log for that particular message is this. 02/28/2004 00:01:59 Q57371524c9ad Skipping E-mail from authenticated user [EMAIL PROTECTED]; whitelisted. In regards to DLAnalyzer it will count this as a message (as it should), but there will be no tests associated with it like "catchallmails" because the "Tests failed" line is not logged. There are other situations where this also occurs, but that one stuck into my head. Hope that helps. Darrell ---Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. - Original Message - From: Imail Admin To: Declude.JunkMail@declude.com Sent: Wednesday, March 02, 2005 7:54 PM Subject: [Declude.JunkMail] catchallmails question Hi, I have a strange question, which once against my astounding ignorance. I just tried using DLAnalyzer Lite on our latest Declude JM log. For the sample I tested, I got these results: Total Messages Processed: 11,234Messages That Failed Defined Test(s): 10,153Percentage That Failed Defined Test(s): 90.38%Average Message Weight: 4Average Message Weight/Failed: 5 TEST # FAILED PercentageWEIGHT10...6,308...56.15%CATCHALLMAILS..5,393...48.01%NOLEGITCONTENT.4,361...38.82%IPNOTINMX..4,237...37.72%WEIGHT53,856...34.32%WEIGHT10S..3,564...31.73%WEIGHT20...3,509...31.24%WEIGHT73,465...30.84%SNIFFER3,451...30.72%SPAMCOP3,006...26.76% You can ignore the Weight tests; those are just weight ranges and not real tests. Here's the thing: Catchallmails also is not a real test; it's supposed to catch all emails. So why doesn't the Catchallmails statistic above show 100%? The system is telling me that Catchallmails only caught 48%. I should mention that Catchallmails comes in the global.cfg file after the regular tests, and after the weight ranges, but before a handful of whitelisted IPs. Help, please? Ben BC Web
Re: [Declude.JunkMail] catchallmails question
Title: Message Hey Scott, This is really a question for you about JM. The JM log file lists "passed" messages as "L1 Message OK", so it's only the failed messages that list the actual tests failed. However, isn't catchallmails supposed to fail for all messages? So it must be the JM ignores the catchallmails failure when listing a message as "OK." Is this understanding correct? I'm just trying to understand the behavior in the log files. Should all "failed" messages always list catchallmails? If so, does that mean the a count of the number of catchallmails-failed messages in the log should equal the number of messages that failed some (other) test? For example, if I have a log of 10,000 messages, and I know that 7,000 of them list the catchallmails option in their list of failed messages, that should mean there were 7,000 messages (70%) that failed some other test. Thanks, Ben BC Web - Original Message - From: Imail Admin To: Declude.JunkMail@declude.com Sent: Thursday, March 03, 2005 12:15 PM Subject: Re: [Declude.JunkMail] catchallmails question Thanks, Darrell. This at least sets me on the right path. I don't believe "Whitelist AUTH" is something we use because we're running IMail 7.15, which, I believe, doesn't support that option. However, there must be other,similar causes for being skipped. So, does anyone know a list of reasons why messages would be skipped? Obviously, a whitelist of address, domains, and IPs, would be one possibility. For that matter, does anyone have a utility that would analyze messages being skipped? It would seem an obvious thing to review, in case a whitelisted source (AUTH, address, etc.) becomes hijacked. Perhaps this would be a good addition for DLAnalyzer. Ben - Original Message - From: Darrell ([EMAIL PROTECTED]) To: Declude.JunkMail@declude.com Sent: Wednesday, March 02, 2005 6:56 PM Subject: Re: [Declude.JunkMail] catchallmails question Ben, There are various conditions that can account for messages being picked up without being marked with the "CATCHALLMAILS" test. A good bulk of these instances occur because a message under certain conditions will not loga "Test failed" line. One example is "Whitelist AUTH" in this particular example the only line that is logged in the Declude log for that particular message is this. 02/28/2004 00:01:59 Q57371524c9ad Skipping E-mail from authenticated user [EMAIL PROTECTED]; whitelisted. In regards to DLAnalyzer it will count this as a message (as it should), but there will be no tests associated with it like "catchallmails" because the "Tests failed" line is not logged. There are other situations where this also occurs, but that one stuck into my head. Hope that helps. Darrell ---Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. - Original Message - From: Imail Admin To: Declude.JunkMail@declude.com Sent: Wednesday, March 02, 2005 7:54 PM Subject: [Declude.JunkMail] catchallmails question Hi, I have a strange question, which once against my astounding ignorance. I just tried using DLAnalyzer Lite on our latest Declude JM log. For the sample I tested, I got these results: Total Messages Processed: 11,234Messages That Failed Defined Test(s): 10,153Percentage That Failed Defined Test(s): 90.38%Average Message Weight: 4Average Message Weight/Failed: 5 TEST # FAILED PercentageWEIGHT10...6,308...56.15%CATCHALLMAILS..5,393...48.01%NOLEGITCONTENT.4,361...38.82%IPNOTINMX..4,237...37.72%WEIGHT53,856...34.32%WEIGHT10S..3,564...31.73%WEIGHT20...3,509...31.24%WEIGHT73,465...30.84%SNIFFER3,451...30.72%SPAMCOP3,006...26.76% You can ignore the Weight tests; those are just weight ranges and not real tests. Here's the thing: Catchallmails also is not a real test; it's supposed to catch all emails. So why doesn't the Catchallmails statistic above show 100%? The system is telling me that Catchallmails only caught 48%. I should mention that Catchallmails comes in the global.cfg file after the regular tests, and after the weight ranges, but before a handful of whitelisted IPs. Help, please? Ben BC Web
Re: [Declude.JunkMail] Whitelisting our Domain
Just curious: does SmarterMail use SMTP or something similar? Ben - Original Message - From: Darin Cox [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Monday, April 04, 2005 7:39 AM Subject: Re: [Declude.JunkMail] Whitelisting our Domain Yes. If all users send through your server, then use SMTP AUTH on all clients and configure Junkmail to whitelist AUTHing users. If not, but all mail comes in from static IPs, you could use an IP whitelist to bypass for those IPs. Darin. - Original Message - From: Kevin Stanford [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Monday, April 04, 2005 10:25 AM Subject: [Declude.JunkMail] Whitelisting our Domain If we whitelist our domain will Spam that spoofs our email addresses and domain also be whitelisted? If so, how can I circumvent it? Thanks, Kevin --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Whitelisting our Domain
Alright guys, it was only a typo, no need to get in a huff. If you had looked at Darin's message that I quoted, you would see he was talking about SMTP Auth, and that was my question, not just SMTP. My fingers just can't keep up with my thoughts. We use IMail 7.15, which does not support SMTP Auth, and that's just about the only feature I regret missing from 8.x. We plan to look at Smarter Mail at some point, and I was curious if they had a similar feature so that we can whitelist our domains (which was the topic here, remember?) with Declude JM. Feel better? Ben P.S. Actually, we don't use SMTP either. We take each mesasge that is to go out, hand write them on small slips of paper, tie those to the backs of squirrels, and send those out the door. We tried sending the scraps of paper by US Mail, but that was less reliable. - Original Message - From: Dan Horne [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Tuesday, April 05, 2005 8:07 AM Subject: RE: [Declude.JunkMail] Whitelisting our Domain No, it uses MTP, the precursor to SMTP. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser Sent: Tuesday, April 05, 2005 10:35 AM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Whitelisting our Domain I think it uses STP...The Racer's Edge. - Original Message - From: Imail Admin [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Monday, April 04, 2005 6:18 PM Subject: Re: [Declude.JunkMail] Whitelisting our Domain Just curious: does SmarterMail use SMTP or something similar? Ben - Original Message - From: Darin Cox [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Monday, April 04, 2005 7:39 AM Subject: Re: [Declude.JunkMail] Whitelisting our Domain Yes. If all users send through your server, then use SMTP AUTH on all clients and configure Junkmail to whitelist AUTHing users. If not, but all mail comes in from static IPs, you could use an IP whitelist to bypass for those IPs. Darin. - Original Message - From: Kevin Stanford [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Monday, April 04, 2005 10:25 AM Subject: [Declude.JunkMail] Whitelisting our Domain If we whitelist our domain will Spam that spoofs our email addresses and domain also be whitelisted? If so, how can I circumvent it? Thanks, Kevin --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- E-mail scanned for viruses by Nexus (http://www.ntgrp.com/mailscan) --- E-mail scanned for viruses by Nexus (http://www.ntgrp.com/mailscan) --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Imail 8.2 / smartermail
So how about all the hot new features of IMail 8.2? How do those compare with similar features in SmarterMail? Also, we mostly use IMAP, rather than the web interface. How does the IMAP feature in Smartermail compare to Imail? For that matter, is there any change to the IMAP feature in Imail 8.2? I've always considered their IMAP support a little weak, and I'd be interested to know if they've made any improvements. Ben - Original Message - From: Robert Grosshandler [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Thursday, April 28, 2005 3:22 PM Subject: [Declude.JunkMail] Imail 8.2 / smartermail Ok -- time for the question again. Thumbs up or down on the declude / smartermail integration? Comments appreciated. Rob --- [This E-mail scanned for viruses by Declude Virus] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Imail 8.2 / smartermail
We use Declude JM Pro with IMail, and have been thinking about SmarterMail. We often use the ability to direct messages in certain weight ranges (e.g., 10-20) to go to certain mailbox folders (spam). Are you saying this feature isn't supported when using JM with SM? Ben - Original Message - From: David Franco-Rocha [ Declude ] [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Friday, April 29, 2005 5:14 AM Subject: Re: [Declude.JunkMail] Imail 8.2 / smartermail Declude does not currently plug directly into SmarterMail's spam tools. They are completely separate. The MAILBOX directive used by Declude with IMail, whereby an email is moved to a specific user folder, is not available on the SmarterMail platform. When I have discussed this with SmarterMail, they have said that the recipient can move it himself to a particular folder on the basis of headers added to the message by Declude. David Franco-Rocha - Original Message - From: Jonathan [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Thursday, April 28, 2005 10:57 PM Subject: Re: [Declude.JunkMail] Imail 8.2 / smartermail Darrell ([EMAIL PROTECTED]) wrote: Sidenote, I assume SmarterMail can act as a domain filtering gateway with Declude, right? Pretty sure I saw some marketing spam saying it could .. Yes, that is absolutly correct - Declude will work on Smartermail. So I was just playing with the SM web interface -- does Declude plug directly into SM's spam tools? If so, that looks pretty slick compared to hacked up scripts shuffling stuff into the right folders .. :) Darrell --- Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail Queue Monitoring, Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] curious about subject line
Just a curiosity: I received an email from someone at Veritas, and the subject line was: Fw: [WARNING - POSSIBLY NOT VIRUS SCANNED]Re: VERITAS Support: Case ID I'm assuming that this warning was added by their system? Why would they do that? If they knew it wasn't scanned, why wouldn't they go ahead and scan it? Ben Bednarz BC Web --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Declude and IMail 8.2
Hi Barry, and thanks for the explanation. The only thing that concerns me is that we renewed our Declude service agreement this spring, but have never been able to download an upgrade to Declude due to the bug(s). So I'm just a little concerned about how long before we have a stable 2.x version -- I'd hate to have the entire year pass without an upgrade! Thanks, Ben BC Web - Original Message - From: [EMAIL PROTECTED] [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Tuesday, August 23, 2005 10:35 AM Subject: [Declude.JunkMail] Declude and IMail 8.2 Thank you for you posts. We understand your frustration; here are the facts so there is no confusion. 1. This is NOT a bug in Declude. Ipswitch made changes to their IMail architecture, making it incompatible with Declude and this requires a fundamental re-write of Declude not a 10 minute fix. 2. As soon as we were aware of these changes we began development to modify Declude to work with IMail 8.2. 3. It has been our priority and focus since we first identified the problem. 4. In order to deliver a quality product, sufficient testing needs to be done to ensure customer satisfaction. Since identification of the issue additional patches have been released by Ipswitch meaning additional testing and development has been required. 5. This is not an issue of interim releases as Declude product architecture has had to change making it very different from earlier versions of Declude. 6. This is not an issue of having Scott back as the situation would be no different from today. We are in regular consultation with Scott and we all agree as to the product direction and problem resolution. If there was an easier, faster, simpler way in which we could achieve a resolution we would do it. Barry --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Declude and Smartermail?
I think you have this backwards: the hang-up here isn't Declude, it's SmarterMail. I'm very interested in SmarterMail myself, but I'm not even going to try a trial until they add the AUTH feature. Ben BC Web - Original Message - From: Dave Beckstrom [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Wednesday, August 24, 2005 4:18 PM Subject: RE: [Declude.JunkMail] Declude and Smartermail? That is a big gaping hole in my opinion. Guess I'll look for another solution as I don't think I can wait for declude to get around to fixing this oversight. Thanks for your feedback. -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Kevin Bilbee Sent: Wednesday, August 24, 2005 3:13 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Declude and Smartermail? Biggest issues is the lack of WHITELIST AUTH. I confirmed last week with SMarterMail that that functionality will be available in the 3.0 version du out later this year. Kevin Bilbee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dave Beckstrom Sent: Wednesday, August 24, 2005 1:00 PM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] Declude and Smartermail? I'm looking for some feedback on using declude with smartermail. Is anybody running that combination? How is it working and how is the performance? Have you encountered any problems or shortcomings? Would you recommend Declude to smartermail administrators? --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] chronic junkmail -- new account
Hi, For the last few weeks, we've seen an explotion of spam mail with the from line as New Account. The subject and text vary. Some messages get caught by our threshold and dumped, but many do not. Sniffer seems to spot these pretty effectively, but not always and we don't take action on just one test, even one as good as Sniffer. Any suggestions? Ben BC Web Here is the source of one such message: Received: from 52.opnletters.com [65.175.2.52] by bcw4.bcwebhost.net with ESMTP (SMTPD32-7.15) id A25813CE00F4; Sun, 09 Oct 2005 14:57:44 -0700 Received: (from [EMAIL PROTECTED]) by 52.opnletters.com (8.8.8/8.8.8) id OAA44895; Sun, 9 Oct 2005 14:45:45 -0700 (PDT) Date: Sun, 9 Oct 2005 14:59:51 -0700 (PDT) Message-Id: [EMAIL PROTECTED] From: New Account [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Get A Free Ringtone [EMAIL PROTECTED] MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 X-RBL-Warning: SNIFFER: Message failed SNIFFER: 60. X-Declude-Sender: [EMAIL PROTECTED] [65.175.2.52] X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam. X-Spam-Tests-Failed: SNIFFER [4] X-Note: This E-mail was sent from 52.opnletters.com ([65.175.2.52]). X-RCPT-TO: [EMAIL PROTECTED] Status: U X-UIDL: 428897057 Get the Newest Ring Tones! Download Top Hits to your Cell Phone! http://52.opnletters.com/m/l?3xp-e38u-1-aox4-f417 a href=http://52.opnletters.com/m/l?3xp-e38u-2-aox4-f417;Get the latest Ringtones, wallpapers, Screensavers, and more! Top ring tones include, Wait by Ying Yang Twins. First download is FREE!/a You need to visit this link. Take your Pick! http://52.opnletters.com/m/l?3xp-e38u-3-aox4-f417 To unsubscribe, from this Advertisement go to: http://52.opnletters.com/remove?r.NewAccounts.0-6037852-730b.bcwebhost.net.-ben?r or, send a blank message to: mailto:[EMAIL PROTECTED] New Account List 1333 W 120th Ave. Suite 101 Westminster, Colorado 80234 --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] chronic junkmail -- new account
So when you look at the header, the only information you can trust is the last server before it reaches your server. Is his server address real? I mean, really his? Does he hijack open relays or spam zombies, or use servers outside of the US? I'm just curious how reliable this information is in filtering him out. Just for curiousity, I made a list from his latest New Account spam and found these sources. Ben ** 02.mailmx01.com [207.154.32.2] mx05.curb101.com [64.200.217.41] mx17.curb101.com [64.200.217.53] mx20.curb101.com [64.200.217.56] 134.opnletters.com [65.175.2.134] k.opnletters.com [65.175.2.20] 03.opnletters.com [65.175.2.30] 11.opnletters.com [65.175.2.38] 52.opnletters.com [65.175.2.52] 107.opnstuff.com [66.227.68.107] 224.opnstuff.com [66.227.68.224] 227.opnstuff.com [66.227.68.227] 234.opnstuff.com [66.227.68.234] 234.opnstuff.com [66.227.68.234] 32.opnstuff.com [66.227.68.32] 52.opnstuff.com [66.227.68.52] 55.opnstuff.com [66.227.68.55] 59.opnstuff.com [66.227.68.59] mx18139.tt03.com [69.6.18.139] mx18143.ss03.com [69.6.18.143] mx18180.hh02.com [69.6.18.180] mx18193.pp03.com [69.6.18.193] mx18231.ee02.com [69.6.18.231] mx1886.ff02.com [69.6.18.86] mx1927.tt03.com [69.6.19.27] mx1938.ff02.com [69.6.19.38] mx1982.dd03.com [69.6.19.82] mx20173.aa05.com [69.6.20.173] mx2027.tt03.com [69.6.20.27] mx2081.pp03.com [69.6.20.81] mx2081.pp03.com [69.6.20.81] mx4121.gg02.com [69.6.41.21] mx634.dd03.com [69.6.6.34] 16.asp060.com [69.6.64.116] 28.asp070.com [69.6.65.128] 46.asp070.com [69.6.65.146] 60.asp070.com [69.6.65.160] 66.asp070.com [69.6.65.166] 14.asp010.com [69.6.73.114] 46.asp040.com [69.6.76.146] ** - Original Message - From: Matt [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Sunday, October 09, 2005 3:58 PM Subject: Re: [Declude.JunkMail] chronic junkmail -- new account This is spam from Scott Ricter, Spamhaus's #1 listed spammer. This particular block is 65.175.2.0/24. Surprisingly it isn't widely listed, but I did find it in MAILPOLICE, and if you have URIBL support, it is also in SURBL presently. Matt IMail Admin wrote: Hi, For the last few weeks, we've seen an explotion of spam mail with the from line as New Account. The subject and text vary. Some messages get caught by our threshold and dumped, but many do not. Sniffer seems to spot these pretty effectively, but not always and we don't take action on just one test, even one as good as Sniffer. Any suggestions? Ben BC Web Here is the source of one such message: Received: from 52.opnletters.com [65.175.2.52] by bcw4.bcwebhost.net with ESMTP (SMTPD32-7.15) id A25813CE00F4; Sun, 09 Oct 2005 14:57:44 -0700 Received: (from [EMAIL PROTECTED]) by 52.opnletters.com (8.8.8/8.8.8) id OAA44895; Sun, 9 Oct 2005 14:45:45 -0700 (PDT) Date: Sun, 9 Oct 2005 14:59:51 -0700 (PDT) Message-Id: [EMAIL PROTECTED] From: New Account [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Get A Free Ringtone [EMAIL PROTECTED] MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 X-RBL-Warning: SNIFFER: Message failed SNIFFER: 60. X-Declude-Sender: [EMAIL PROTECTED] [65.175.2.52] X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam. X-Spam-Tests-Failed: SNIFFER [4] X-Note: This E-mail was sent from 52.opnletters.com ([65.175.2.52]). X-RCPT-TO: [EMAIL PROTECTED] Status: U X-UIDL: 428897057 Get the Newest Ring Tones! Download Top Hits to your Cell Phone! http://52.opnletters.com/m/l?3xp-e38u-1-aox4-f417 a href=http://52.opnletters.com/m/l?3xp-e38u-2-aox4-f417;Get the latest Ringtones, wallpapers, Screensavers, and more! Top ring tones include, Wait by Ying Yang Twins. First download is FREE!/a You need to visit this link. Take your Pick! http://52.opnletters.com/m/l?3xp-e38u-3-aox4-f417 To unsubscribe, from this Advertisement go to: http://52.opnletters.com/remove?r.NewAccounts.0-6037852-730b.bcwebhost.net.-ben?r or, send a blank message to: mailto:[EMAIL PROTECTED] New Account List 1333 W 120th Ave. Suite 101 Westminster, Colorado 80234 --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Declude with SmarterMail 3.0
yes, but I've been waiting all year for SM 3.0, with no end in site. Ben - Original Message - From: Markus Gufler [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Friday, October 28, 2005 8:02 AM Subject: RE: [Declude.JunkMail] Declude with SmarterMail 3.0 Nice to know! Now it's time to set up the new mailserver ;-) Markus -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Franco-Rocha [ Declude ] Sent: Friday, October 28, 2005 3:32 PM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] Declude with SmarterMail 3.0 The 3.0 version of SmarterMail, yet to be released, will pass authentication information to Declude. For those of you who have been patiently waiting to implement WHITELIST AUTH with SmarterMail, please be advised that Declude will support that functionality with SmarterMail 3.0. David Franco-Rocha Declude Technical / Engineering --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Declude Release 3.0.5.23
Title: Message Hi Barry, Maybe I've just been out of the loop, but that's the first mention I've heard of Declude 4.0. We've been waiting on upgrading to 3.0 pending some confidence in its reliability. Is 4.0 something schedule for this year, or far out in the future? Thanks, Ben BC Web - Original Message - From: [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Thursday, December 29, 2005 11:31 AM Subject: [Declude.JunkMail] Declude Release 3.0.5.23 Declude Release 3.0.5.23 There has been an intermittent bug in Declude that reported certain features in the Pro version were not available. There is no function within Declude to downgrade functionality other than by changing the key in the configuration file which is under the control of our customers. There is no remote capability for anyone at Declude to change the contents of a customer’s configuration file. The latest release posted today 3.0.5.23 contains a fix for this bug. We recognize that some customers had issues with our licensing software over the last weekend. We had thoroughly tested this when we first released this version of the licensing software, including turning off of the server and we were confident that this type of issue would not arise. It seems however that with the communications failure (Verizon) a problem arose for a limited number of our customers. We analyzed the code this week and thanks to customers who worked with us on this and the problem has now been resolved. The fix is in 3.0.5.23 We have designed a new, simplified licensing application that will be released with Declude 4.0 and we will post more details closer to the time. Barry From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin BilbeeSent: Thursday, December 29, 2005 1:28 PMTo: Declude.JunkMail@declude.comSubject: RE: Re: [Declude.JunkMail] So - what happened with the Downgrade Decludes silence, since Scott left, normally means they have not completed their investigation. I think their silence on this and other issues is a definite concern. Declude used to be very up front on issues and much more active on this list. Kevin Bilbee -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]Sent: Thursday, December 29, 2005 9:26 AMTo: Declude.JunkMail@declude.comSubject: CBL:Re: [Declude.JunkMail] So - what happened with the Downgrade I would also like to add myDEEP concern about this issue. I have yet to see an adequate explanation about the problem orany steps that are being taken to prevent it in the future. It would be helpful if Declude would explain how this "phone home" feature works so we can better address issues when it doesn't. Don - Original Message - From: Andy Schmidt To: Declude.JunkMail@declude.com Sent: Thursday, December 29, 2005 10:32 AM Subject: [Declude.JunkMail] So - what happened with the Downgrade Hi, After all this turmail last weekend, where several users suffered a "downgrade" from Pro which strangely coincided with the unavailability of a certain host name at Declude - and which equally strangely seemed to fix itself after Declude fixed that problem on Monday -- I'm wondering what the outcome of all that was? Has that "coincidence" been sufficiently explained so that we ALL can sleep better THIS weekend? What about the apparent resource leakage that seemed to occurat those clientswhile Declude's hardware problem was going on? Has it been investigated to determine if there is a problem in the exception handling that might cause an ever-increasing resource consumptions? I would really like to get an update on what has been accomplished this week to shed some light into this whole matter to put my mind at ease. Best RegardsAndy SchmidtPhone: +1 201 934-3414 x20 (Business)Fax: +1 201 934-9206 --No virus found in this incoming message.Checked by AVG Free Edition.Version: 7.1.371 / Virus Database: 267.14.9/216 - Release Date: 12/29/2005 --No virus found in this outgoing message.Checked by AVG Free Edition.Version: 7.1.371 / Virus Database: 267.14.9/216 - Release Date: 12/29/2005
[Declude.JunkMail] Fw: [Declude.Virus] ? Name Voting Time
First, I vote AGAINST anything with 4 in it. Why 4? You were calling it version 4, but that's a complete misnomer. Currently, it represents the same feature set as the so-called version 3, so there is no reason to call it version 4. In addition, there are three components in it (AVA, JM, HJ), so again there is nothing to indicate four. Am I missing something here? It seems that any name with four in it or indicating a four (such as the cute Quattro) is actually misleading. That's as bad as your current process of naming it version 4. By process of elimination: 1. Quattro is not only inappropriate but a rip-off of the old Borland name. And it leaves no room for future changes to the suite. 2. DEC4 is a waste, but DEC alone is redundant from Declude, not to mention confusing with Digital Equipment. So that's out. 3. Suite4 can be salvaged by shortening to Suite. This is completely unoriginal, but at least it's honest and clear, leaving no room for doubt. 4. R/4 is another rip-off, and really doesn't explain the collective nature of the different products. 5. Total is probably best, because it is just as clear as Suite but a little more original. And it doesn't have a stupid 4 in it. 6. Power Suite4. Again, let's dump the 4. Is Power Suite really any better than just Suite? Only to marketing types who live on tropical islands and worship Donald Trump. 7. Max4 is another rip-off, and it doesn't explain the collective nature of the combined products. 8. ForePlay sounds good to me. What's your problem? 9. ES4 can be shortened to ES, but that's really just another wordplay on Suite and Power Suite. You guys are kind of in a rut, huh? Sounds like #5 is best, since your Puritan hearts won't let you pick #8. Personally, I think you need to start the contest over and get some new names altogether. Is this really all the names you received? Heck, I could think up better names than this... wait, I did send in some names, and none of them made the list. So you guys filtered the choices before presenting for a vote? I thought you already admitted you don't know how to name products? So why would you try to list only your favorites. Time to go back to #8 (wish I had thought of that one, even though it does have a stupid 4 in it). Ben BC Web - Original Message - From: Barry Simpson [EMAIL PROTECTED] To: Declude.JunkMail@declude.com; Declude.Virus@declude.com Sent: Wednesday, February 15, 2006 2:39 PM Subject: [Declude.Virus] ? Name Voting Time Here are the choices: Please send your votes to [EMAIL PROTECTED] no later than 5pm Eastern Time Friday 17th February. - Declude Quattro - DEC4 - Suite4 - R/4 (release four) - Declude Total - Declude Power Suite 4 - Declude Max4 - Declude ForePlay just making sure you're paying attention) - Declude-ES4 (E-mail security 4) Thanks Barry --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] recursion turned off causes higher JM scores?
Hi All, I was testing out our domain name at dnsreport.com, and it complained that we had recursion turn on at the DNS server. So I tried turning it off, and suddenly all our JM scores went through the roof. I've got a sample from some personal mail below. It looks to me like IPs weren't being resolved or something, because the it shows that no A or MX recording found in the sending domain, which is absurd. We use MS DNS with MS Win2k Server. There are two places where recursion is listed: on the forwarders tab and on the Advanced tab. I originally had them both turned on, but had then turned them both off. That's when the JM scores got so high. I'm testing a different config now: allow recursion on the Forwarders tab, but disable it on the Advanced tab. I won't know if this works until I get some messages. In the meanwhile, can anyone explain this to me? Thanks, Ben Here's the sample header: Received: from mx48.smf.ebay.com [66.135.209.221] by bcw6.bcwebhost.net with ESMTP (SMTPD32-7.15) id A3D6124B014A; Fri, 31 Mar 2006 21:47:02 -0800 Received: from qsxbat02.den.ebay.com (qsxbat02.den.ebay.com [10.4.59.12]) by mx48.smf.ebay.com (8.13.5/8.13.5) with ESMTP id k315khXO011994 for [EMAIL PROTECTED]; Fri, 31 Mar 2006 21:47:01 -0800 DomainKey-Signature: a=rsa-sha1; s=dk; d=ebay.com; c=nofws; q=dns; h=x-ebay-mailtracker:to:from:mime-version:content-type:subject:date:message-id; b=GOQb51Mirppc1kbCc7VZ0zjb/JKEjBWm67pXUdsVPwdbg6LsdObHNxCpuuK1lo5aa ZWQdtM/e8OXmGvU6nfAznD3BoCP2Gh2rI3+hPrYVJerePj2O/pH9MuhE0ebfSxUQLaM 84xORpGTDWGmu9gRhchmJl7jCsPv4M5rqinECmg=X-eBay-MailTracker: 10008.0.0.0To: [EMAIL PROTECTED]: [EMAIL PROTECTED]: 1.0Content-Type: multipart/alternative;boundary=8258267.1143870345921.JavaMail.ebba.qsxbat02Subject: SPAM [16]eBay Favorite Search: intel scb2 ataDate: Fri, 31 Mar 2006 21:45:45 PSTMessage-ID: [EMAIL PROTECTED]X-RBL-Warning: HELOBOGUS: Domain mx48.smf.ebay.com has no MX or A records[0001].X-RBL-Warning: MAILFROM: Domain ebay.com has no MX or A records [0001].X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 66.135.209.221with no reverse DNS entry.X-Declude-Sender: [EMAIL PROTECTED] [66.135.209.221]X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) forspam.X-Spam-Tests-Failed: HELOBOGUS, MAILFROM, REVDNS, WEIGHT5, WEIGHT10,WEIG HT15, WEIGHT15r, WEIGHT7 [16]X-Note: This E-mail was sent from [No Reverse DNS] ([66.135.209.221]). --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] recursion turned off causes higher JM scores?
OK, so now I've turned all recursion back on. As it is, I can't see any postings to the group because the SPAM ratings are all too high and they're being deleted. Let's hope things are back to normal. Ben - Original Message - From: IMail Admin [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Friday, March 31, 2006 11:12 PM Subject: SPAM [16][Declude.JunkMail] recursion turned off causes higher JM scores? Hi All, I was testing out our domain name at dnsreport.com, and it complained that we had recursion turn on at the DNS server. So I tried turning it off, and suddenly all our JM scores went through the roof. I've got a sample from some personal mail below. It looks to me like IPs weren't being resolved or something, because the it shows that no A or MX recording found in the sending domain, which is absurd. We use MS DNS with MS Win2k Server. There are two places where recursion is listed: on the forwarders tab and on the Advanced tab. I originally had them both turned on, but had then turned them both off. That's when the JM scores got so high. I'm testing a different config now: allow recursion on the Forwarders tab, but disable it on the Advanced tab. I won't know if this works until I get some messages. In the meanwhile, can anyone explain this to me? Thanks, Ben Here's the sample header: Received: from mx48.smf.ebay.com [66.135.209.221] by bcw6.bcwebhost.net with ESMTP (SMTPD32-7.15) id A3D6124B014A; Fri, 31 Mar 2006 21:47:02 -0800 Received: from qsxbat02.den.ebay.com (qsxbat02.den.ebay.com [10.4.59.12]) by mx48.smf.ebay.com (8.13.5/8.13.5) with ESMTP id k315khXO011994 for [EMAIL PROTECTED]; Fri, 31 Mar 2006 21:47:01 -0800 DomainKey-Signature: a=rsa-sha1; s=dk; d=ebay.com; c=nofws; q=dns; h=x-ebay-mailtracker:to:from:mime-version:content-type:subject:date:message-id; b=GOQb51Mirppc1kbCc7VZ0zjb/JKEjBWm67pXUdsVPwdbg6LsdObHNxCpuuK1lo5aa ZWQdtM/e8OXmGvU6nfAznD3BoCP2Gh2rI3+hPrYVJerePj2O/pH9MuhE0ebfSxUQLaM 84xORpGTDWGmu9gRhchmJl7jCsPv4M5rqinECmg=X-eBay-MailTracker: 10008.0.0.0To: [EMAIL PROTECTED]: [EMAIL PROTECTED]: 1.0Content-Type: multipart/alternative;boundary=8258267.1143870345921.JavaMail.ebba.qsxbat02Subject: SPAM [16]eBay Favorite Search: intel scb2 ataDate: Fri, 31 Mar 2006 21:45:45 PSTMessage-ID: [EMAIL PROTECTED]X-RBL-Warning: HELOBOGUS: Domain mx48.smf.ebay.com has no MX or A records[0001].X-RBL-Warning: MAILFROM: Domain ebay.com has no MX or A records [0001].X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 66.135.209.221with no reverse DNS entry.X-Declude-Sender: [EMAIL PROTECTED] [66.135.209.221]X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) forspam.X-Spam-Tests-Failed: HELOBOGUS, MAILFROM, REVDNS, WEIGHT5, WEIGHT10,WEIG HT15, WEIGHT15r, WEIGHT7 [16]X-Note: This E-mail was sent from [No Reverse DNS] ([66.135.209.221]). --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] recursion turned off causes higher JM scores?
Hi Sandy, OK, I've got recursion back on, so now I get email again. I hate to think how many complaints I'm going to have in the morning. Fortunately, most of our clients aren't as aggressive as I am in deleting spam based on rating. I understand what you're saying, and I thank you for the explanation. I'm not real anxious to get into SimpleDNS (and I've read enough complaints about BIND to be cautious) first, because of cost, and, second, because it's one more complication. However, I was thinking about something else I read here. There was some discussion about running a cache-only DNS server for IMail/Declude. I didn't read most of the thread, and I never saw how to make the DNS serve cache only, but I was thinking that if I had a cache-only server that is only available to the mail server, then I can leave on recursion for it and it won't matter because it wouldn't be available to the public. The public DNS servers I can then turn off their recursion feature. What do you think? Thanks again, Ben - Original Message - From: Sanford Whiteman [EMAIL PROTECTED] To: IMail Admin Declude.JunkMail@declude.com Sent: Saturday, April 01, 2006 12:06 AM Subject: Re: [Declude.JunkMail] recursion turned off causes higher JM scores? That's when the JM scores got so high. I'm testing a different config now: allow recursion on the Forwarders tab, but disable it on the Advanced tab. I won't know if this works until I get some messages. In the meanwhile, can anyone explain this to me? You _must_ allow recursion for the Declude server, or it will not be able to resolve zones for which it is not authoritative (i.e. every domain you do not own). You do not need to allow recursion for the wild Internet, however. But MS DNS has a weakness (not a security weakness exactly, but more of a functional one) in that recursion is either on or off, globally, for the DNS service. This means that if you are hosting authoritative zones on the box, and thus need to expose the box to the outside world, and that same box is providing recursive DNS to internal servers or users, then you are effectively providing recursive DNS to the outside world as well (if someone should choose to abuse you for this purpose). The way around this is to use SimpleDNS or BIND on the server you expose to the outside, which both have means of limiting recursion without completely disabling it. The simplest install, to my mind, without a full migration off MS DNS (a full migration causing soluble, but unfun, issues in AD domains), is to run SimpleDNS and MS DNS on the same box by binding each one to a different IP. Expose SimpleDNS without recursion and make it a secondary for the authoritative zones. Keep MS DNS as your primary and as your internal recursive DNS. Done. --Sandy Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED] SpamAssassin plugs into Declude! http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/ Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases! http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/ http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/ --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] recursion turned off causes higher JM scores?
That's what I was thinking. How do you configure the cache-only? Thanks, Ben - Original Message - From: John T (Lists) [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Saturday, April 01, 2006 1:59 AM Subject: RE: [Declude.JunkMail] recursion turned off causes higher JM scores? What I do is install the MS DNS service on the Imail server, configure it for cache only allowing recursion, and point Imail and Declude to that. Make sure your firewall is configured to not allow the world to make DNS queries against it and you are set. John T eServices For You Seek, and ye shall find! -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of IMail Admin Sent: Saturday, April 01, 2006 12:20 AM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] recursion turned off causes higher JM scores? Hi Sandy, OK, I've got recursion back on, so now I get email again. I hate to think how many complaints I'm going to have in the morning. Fortunately, most of our clients aren't as aggressive as I am in deleting spam based on rating. I understand what you're saying, and I thank you for the explanation. I'm not real anxious to get into SimpleDNS (and I've read enough complaints about BIND to be cautious) first, because of cost, and, second, because it's one more complication. However, I was thinking about something else I read here. There was some discussion about running a cache-only DNS server for IMail/Declude. I didn't read most of the thread, and I never saw how to make the DNS serve cache only, but I was thinking that if I had a cache-only server that is only available to the mail server, then I can leave on recursion for it and it won't matter because it wouldn't be available to the public. The public DNS servers I can then turn off their recursion feature. What do you think? Thanks again, Ben - Original Message - From: Sanford Whiteman [EMAIL PROTECTED] To: IMail Admin Declude.JunkMail@declude.com Sent: Saturday, April 01, 2006 12:06 AM Subject: Re: [Declude.JunkMail] recursion turned off causes higher JM scores? That's when the JM scores got so high. I'm testing a different config now: allow recursion on the Forwarders tab, but disable it on the Advanced tab. I won't know if this works until I get some messages. In the meanwhile, can anyone explain this to me? You _must_ allow recursion for the Declude server, or it will not be able to resolve zones for which it is not authoritative (i.e. every domain you do not own). You do not need to allow recursion for the wild Internet, however. But MS DNS has a weakness (not a security weakness exactly, but more of a functional one) in that recursion is either on or off, globally, for the DNS service. This means that if you are hosting authoritative zones on the box, and thus need to expose the box to the outside world, and that same box is providing recursive DNS to internal servers or users, then you are effectively providing recursive DNS to the outside world as well (if someone should choose to abuse you for this purpose). The way around this is to use SimpleDNS or BIND on the server you expose to the outside, which both have means of limiting recursion without completely disabling it. The simplest install, to my mind, without a full migration off MS DNS (a full migration causing soluble, but unfun, issues in AD domains), is to run SimpleDNS and MS DNS on the same box by binding each one to a different IP. Expose SimpleDNS without recursion and make it a secondary for the authoritative zones. Keep MS DNS as your primary and as your internal recursive DNS. Done. --Sandy Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED] SpamAssassin plugs into Declude! http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release / Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases! http://www.imprimia.com/products/software/freeutils/exchange2aliases/downloa d/rel ease/ http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/re lease/ --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail
Re: [Declude.JunkMail] recursion turned off causes higher JM scores?
I see; so it becomes non-authoritative on everything. Do you know what the difference is between the two recursion settings in MS DNS? There is one on the forwarders tab and one on the advanced tab. This is getting a little off-topic, but I appreciate the help anyway and the list looks quiet today. So why is recursion necessary? If I have forwarders configured, wouldn't they either report the answer, or use recursion, or use forwarders themselves? It would seem that forwarders should achieve the same results as recursion. For that matter, what would happen if you enabled recursion but didn't list forwarders? Thanks, Ben - Original Message - From: John T (Lists) [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Saturday, April 01, 2006 10:10 AM Subject: RE: [Declude.JunkMail] recursion turned off causes higher JM scores? Don't configure any zones but allow recursion. John T eServices For You Seek, and ye shall find! -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of IMail Admin Sent: Saturday, April 01, 2006 9:45 AM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] recursion turned off causes higher JM scores? That's what I was thinking. How do you configure the cache-only? Thanks, Ben - Original Message - From: John T (Lists) [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Saturday, April 01, 2006 1:59 AM Subject: RE: [Declude.JunkMail] recursion turned off causes higher JM scores? What I do is install the MS DNS service on the Imail server, configure it for cache only allowing recursion, and point Imail and Declude to that. Make sure your firewall is configured to not allow the world to make DNS queries against it and you are set. John T eServices For You Seek, and ye shall find! -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of IMail Admin Sent: Saturday, April 01, 2006 12:20 AM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] recursion turned off causes higher JM scores? Hi Sandy, OK, I've got recursion back on, so now I get email again. I hate to think how many complaints I'm going to have in the morning. Fortunately, most of our clients aren't as aggressive as I am in deleting spam based on rating. I understand what you're saying, and I thank you for the explanation. I'm not real anxious to get into SimpleDNS (and I've read enough complaints about BIND to be cautious) first, because of cost, and, second, because it's one more complication. However, I was thinking about something else I read here. There was some discussion about running a cache-only DNS server for IMail/Declude. I didn't read most of the thread, and I never saw how to make the DNS serve cache only, but I was thinking that if I had a cache-only server that is only available to the mail server, then I can leave on recursion for it and it won't matter because it wouldn't be available to the public. The public DNS servers I can then turn off their recursion feature. What do you think? Thanks again, Ben - Original Message - From: Sanford Whiteman [EMAIL PROTECTED] To: IMail Admin Declude.JunkMail@declude.com Sent: Saturday, April 01, 2006 12:06 AM Subject: Re: [Declude.JunkMail] recursion turned off causes higher JM scores? That's when the JM scores got so high. I'm testing a different config now: allow recursion on the Forwarders tab, but disable it on the Advanced tab. I won't know if this works until I get some messages. In the meanwhile, can anyone explain this to me? You _must_ allow recursion for the Declude server, or it will not be able to resolve zones for which it is not authoritative (i.e. every domain you do not own). You do not need to allow recursion for the wild Internet, however. But MS DNS has a weakness (not a security weakness exactly, but more of a functional one) in that recursion is either on or off, globally, for the DNS service. This means that if you are hosting authoritative zones on the box, and thus need to expose the box to the outside world, and that same box is providing recursive DNS to internal servers or users, then you are effectively providing recursive DNS to the outside world as well (if someone should choose to abuse you for this purpose). The way around this is to use SimpleDNS or BIND on the server you expose to the outside, which both have means of limiting recursion without completely disabling it. The simplest install, to my mind, without a full migration off MS DNS (a full migration causing soluble, but unfun, issues in AD domains), is to run SimpleDNS and MS DNS on the same box by binding each one to a different IP. Expose SimpleDNS without recursion and make it a secondary for the authoritative zones. Keep
[Declude.JunkMail] problem with DNSstuff.com web site
Hi All, I've been trying to access www.dnsstuff.com and www.dnsreport.com from my desktop system. I keep getting this reply: Sorry, you have triggered our rate limiting system. If you are reading this in a web browser, we apologize -- we want you to use the site as much as you like. What we do not like is when people use automated programs with our free service. We have the addresses [EMAIL PROTECTED] and [EMAIL PROTECTED] here in case spammers are harvesting addresses from our site. Please go here for more details. Your IP is 66.224.41.4. Thanks! * That IP is our gateway address. I can get to those sites from any of our DMZ servers or from home, but not from inside the network. I am the only person who goes to those sites and I go there very infrequently (2-4 time a month). I've checked and can find no signs of viruses or spyware on our in-house sytems that might trigger this response. So any ideas what is happening? Is there an mail I can contact (since the response page says nothing)? Thanks Ben Bednarz BC Web --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] problem with DNSstuff.com web site
I read the abuse link before, but it is unhelpful, and I couldn't get the 8080 link to work either. That's why I posted here; doesn't Declude own that site? Ben - Original Message - From: Colbeck, Andrew [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Thursday, April 06, 2006 6:41 PM Subject: RE: [Declude.JunkMail] problem with DNSstuff.com web site Ben, based on the info here: http://banned.dnsstuff.com/pages/abuse.htm You might try going to their backup site at: http://www.dnsstuff.com:8080/ As for contacting somebody there, join the forums and make a posting. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Imail Admin Sent: Thursday, April 06, 2006 6:08 PM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] problem with DNSstuff.com web site Hi All, I've been trying to access www.dnsstuff.com and www.dnsreport.com from my desktop system. I keep getting this reply: Sorry, you have triggered our rate limiting system. If you are reading this in a web browser, we apologize -- we want you to use the site as much as you like. What we do not like is when people use automated programs with our free service. We have the addresses [EMAIL PROTECTED] and [EMAIL PROTECTED] here in case spammers are harvesting addresses from our site. Please go here for more details. Your IP is 66.224.41.4. Thanks! * That IP is our gateway address. I can get to those sites from any of our DMZ servers or from home, but not from inside the network. I am the only person who goes to those sites and I go there very infrequently (2-4 time a month). I've checked and can find no signs of viruses or spyware on our in-house sytems that might trigger this response. So any ideas what is happening? Is there an mail I can contact (since the response page says nothing)? Thanks Ben Bednarz BC Web --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] problem with DNSstuff.com web site
So you mean that when Scott sold Declude, he didn't sell this site too? The last email address for Scott that I have is [EMAIL PROTECTED] I wonder if this would still work? Otherwise, where would I contact someone about this? Ben - Original Message - From: John T (Lists) [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Thursday, April 06, 2006 11:10 PM Subject: RE: [Declude.JunkMail] problem with DNSstuff.com web site No, that site is owned and maintained by R. Scott Perry. John T eServices For You Seek, and ye shall find! -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of IMail Admin Sent: Thursday, April 06, 2006 10:46 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] problem with DNSstuff.com web site I read the abuse link before, but it is unhelpful, and I couldn't get the 8080 link to work either. That's why I posted here; doesn't Declude own that site? Ben - Original Message - From: Colbeck, Andrew [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Thursday, April 06, 2006 6:41 PM Subject: RE: [Declude.JunkMail] problem with DNSstuff.com web site Ben, based on the info here: http://banned.dnsstuff.com/pages/abuse.htm You might try going to their backup site at: http://www.dnsstuff.com:8080/ As for contacting somebody there, join the forums and make a posting. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Imail Admin Sent: Thursday, April 06, 2006 6:08 PM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] problem with DNSstuff.com web site Hi All, I've been trying to access www.dnsstuff.com and www.dnsreport.com from my desktop system. I keep getting this reply: Sorry, you have triggered our rate limiting system. If you are reading this in a web browser, we apologize -- we want you to use the site as much as you like. What we do not like is when people use automated programs with our free service. We have the addresses [EMAIL PROTECTED] and [EMAIL PROTECTED] here in case spammers are harvesting addresses from our site. Please go here for more details. Your IP is 66.224.41.4. Thanks! * That IP is our gateway address. I can get to those sites from any of our DMZ servers or from home, but not from inside the network. I am the only person who goes to those sites and I go there very infrequently (2-4 time a month). I've checked and can find no signs of viruses or spyware on our in-house sytems that might trigger this response. So any ideas what is happening? Is there an mail I can contact (since the response page says nothing)? Thanks Ben Bednarz BC Web --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] problem with DNSstuff.com web site
Amazingly, the link to the forums page gives me the same error message. Thanks, Ben - Original Message - From: [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Friday, April 07, 2006 6:42 AM Subject: RE: [Declude.JunkMail] problem with DNSstuff.com web site Contacting Us When we first started this site, we plastered our E-mail address everywhere. As we started getting more questions than we could handle, we removed many references. As we started getting more and more spam, we removed more references. We then added the forums. Now, we find that about 15% to 20% of our outgoing responses bounce due to very poor anti-spam software (ones that bounce on a single criterion, which is bad, but that also use a criterion that is very unreliable). So we don't offer our E-mail address anymore, unfortunately. However, you are welcome to use the DNSstuff.com Forums for any questions or issues you may have. If you have a need to contact us in a non-public way our whois record does have an E-mail address that can be used. http://www.dnsstuff.com/pages/forums.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of IMail Admin Sent: Friday, April 07, 2006 7:57 AM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] problem with DNSstuff.com web site So you mean that when Scott sold Declude, he didn't sell this site too? The last email address for Scott that I have is [EMAIL PROTECTED] I wonder if this would still work? Otherwise, where would I contact someone about this? Ben --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] problem with DNSstuff.com web site
Thanks Scott, and good to hear from you again! Is there anyway to back track this Java program that was browsing your site? I keep a pretty tight lid on viruses and spyware, but it seems to me something must be infected somewhere. Also, do you have any dates? It would help if I knew something like... traffic up until 3/12/06 or some such thing. Thanks again, Ben - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Friday, April 07, 2006 7:47 PM Subject: Re: [Declude.JunkMail] problem with DNSstuff.com web site The problem is ... I forgot to mention, your IP is unblocked now. :) -Scott --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] invURIBL
Based on the discussion under Declude JM, I'm also looking at adding invURIBL. However, I find the weighting system in the invurible.exe.config file very confusing. This is the total weight passed to Declude? I can't figure out what typical weight scores would be or how to adjust them. Just for reference, we mark the subject line at 5, divert the messages into a separate folder at 10, and delete at 15 using Sniffer and Declude JM. Thanks, Ben - Original Message - From: Kevin Bilbee [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Friday, April 07, 2006 9:34 AM Subject: RE: [Declude.JunkMail] invURIBL I adjusted the weights to match my weight ranges INV-URIBL external weight D:\IMail\declude\INVURIBL2.7\INVURIBL.exe %WEIGHT% %REMOTEIP% 0 0 The weights are assigned in the INVURIBL.exe.config not in declude's GLOBAL.CFG Just look at each test and read the web site. Determine what will work for your weigting system. Then adjust based on your false positive rate. Kevin Bilbee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Craig Edmonds Sent: Friday, April 07, 2006 8:46 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] invURIBL Importance: High Kevin, What weight did you give? Kindest Regards Craig Edmonds 123 Marbella Internet W: www.123marbella.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Bilbee Sent: Friday, April 07, 2006 5:35 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] invURIBL We had to change the DNS timeout. Kevin Bilbee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Friday, April 07, 2006 8:18 AM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] invURIBL Per suggestions from others, I am looking to implement invURIBL on our mail server (Imail 8.2x with Declude 4.0.9). I wanted to give it a trial run first, but because of it's low cost and recommendations from others, I will probably just implement it. I'm not much of a tweaker so I'm curious if anyone has any must tweaks after installation, or any other recommendations for settings. Thanks for any tips. Todd --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. [ This E-mail has been scanned for Spam and Viruses by Declude ] [ Thank You For Using 123 Marbella Internet ] [ This E-mail has been scanned for Spam and Viruses by Declude ] [ Thank You For Using 123 Marbella Internet ] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Experience with 4.x
I'd sure like to see some Declude comments on this discussion. Ben BC Web - Original Message - From: Matt [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Monday, May 22, 2006 5:12 PM Subject: Re: [Declude.JunkMail] Experience with 4.x Darrell, I put up two Windows Explorer windows side-by-side under normal volume and the pattern was consistent where the proc folder grows while the work folder shrinks until the work folder hits zero at which point the proc folder empties out and everything lands in work and then the pattern repeats with proc growing while work shrinks. My settings are as follows: THREADS50 WAITFORMAIL100 WAITFORTHREADS10 WAITBETWEENTHREADS50 WINSOCKCLEANUPON AUTOREVIEWON INVITEFIXON Matt Darrell ([EMAIL PROTECTED]) wrote: It's a faulty design that leaves more than half a server's CPU capacity unused due to the mere fact that they wait for all threads to complete before moving in a new batch. I can't speak to what you see on your server, but that is not how it is running on my server. I just double checked again to make sure I am not crazy, but as I watch the thread count on my server (decludeproc) the threads fluctuate between 7 - 30 ( threads currently set to 50). It is not uncommon to see the threads move as follow: 11,8,10,7,15, While I was watching it I never seen a case where it went down low enough for the WAITFORMAIL setting to kick in. Watching the proc/work directory you can see files moving in and out, but never really emptying out. Its possible what I am seeing is an anomaly or maybe I am interpreting it wrong. Maybe David can comment on this. Darrell invURIBL - Intelligent URI filtering plug-in for Declude, mxGuard, and ORF. Stop spam at the source the spamvertised domain. More effective than traditional RBL's. Try it today - http://www.invariantsystems.com --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] accidental whitelisting
Hi All, We're in the process of tesing JM 4.x as an upgrade and I ran into what I am sure is a minor mis-configuration. I find that I occassionally get messages that are clearly spam, but are whitelisted. The common characteristic is that they are sent with a from line that is my own email address, such as the following: X-Declude-Sender: [EMAIL PROTECTED] [77.85.117.187] X-Declude-Spoolname: D29db019e2105.smd X-Declude-Note: Scanned by Declude 4.2.20 for spam. http://www.declude.com/x-note.htm; X-Declude-Scan: Incoming Score [0] at 17:12:28 on 24 May 2007 X-Declude-Fail: Whitelisted, ZEROHOUR [0] Now, I checked and I don't see why this is being whitelisted. We only whitelist a handful of IP addresses, and this isn't one of them. The whitelist settings in the global.cfg file are: #=WHITELISTS === #WHITELIST HABEAS #DOMAINWHITELISTS OFF PREWHITELIST ON WHITELIST AUTH AUTOWHITELIST ON # - Domain Example - #WHITELIST FROM @declude.com # - User Example - #WHITELIST FROM [EMAIL PROTECTED] # - IP Example - WHITELIST IP 63.246.31.248 # - REVDNS Example - WHITELIST REVDNS .declude.com These are pretty much the defaults. The Autowhitelist ON command uses addresses in the web address book, so I checked those and found nothing (no addresses at all). I'm sure this is something really obvious, but could someone point it out to me? Thanks, Ben BC Web --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] accidental whitelisting
Hi David, Yup, that was my first check. The address book in question is the web address book, which you access from the web interface, right? I checked it and it was empty -- not surprising because I mainly use Outlook Express in IMAP mode. I did try turning it off briefly anyway, but then decided it couldn't be the cause of the problem and turned it back on. Someone else suggested putting Declude in Debug mode, and I could try that next. Thing is, I'm not getting a lot of these types of spam, just a handful in the last couple of days. So I'm concerned about how big the log files will grow while I wait for another occurrence. Thanks, Ben - Original Message - From: David Barker To: declude.junkmail@declude.com Sent: Friday, May 25, 2007 5:46 AM Subject: RE: [Declude.JunkMail] accidental whitelisting AUTOWHITELIST ON checks your user address book make sure you don’t have your own address in your address book. David Barker Director of Product Management Your Email security is our business 978.499.2933 office 978.988.1311 fax [EMAIL PROTECTED] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Imail Admin Sent: Thursday, May 24, 2007 8:42 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] accidental whitelisting Hi All, We're in the process of tesing JM 4.x as an upgrade and I ran into what I am sure is a minor mis-configuration. I find that I occassionally get messages that are clearly spam, but are whitelisted. The common characteristic is that they are sent with a from line that is my own email address, such as the following: X-Declude-Sender: [EMAIL PROTECTED] [77.85.117.187] X-Declude-Spoolname: D29db019e2105.smd X-Declude-Note: Scanned by Declude 4.2.20 for spam. http://www.declude.com/x-note.htm; X-Declude-Scan: Incoming Score [0] at 17:12:28 on 24 May 2007 X-Declude-Fail: Whitelisted, ZEROHOUR [0] Now, I checked and I don't see why this is being whitelisted. We only whitelist a handful of IP addresses, and this isn't one of them. The whitelist settings in the global.cfg file are: #=WHITELISTS === #WHITELIST HABEAS #DOMAINWHITELISTS OFF PREWHITELIST ON WHITELIST AUTH AUTOWHITELIST ON # - Domain Example - #WHITELIST FROM @declude.com # - User Example - #WHITELIST FROM [EMAIL PROTECTED] # - IP Example - WHITELIST IP 63.246.31.248 # - REVDNS Example - WHITELIST REVDNS .declude.com These are pretty much the defaults. The Autowhitelist ON command uses addresses in the web address book, so I checked those and found nothing (no addresses at all). I'm sure this is something really obvious, but could someone point it out to me? Thanks, Ben BC Web --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] accidental whitelisting
Well, it's spam from outside, so I'm not sure that I would ever see or know about BCC recipients. The headers just show the message addressed to me, with the from line from me, but with someone else's IP address. It's probably the oldest spam trick in the book to just forge the From line. Ben - Original Message - From: Darin Cox To: declude.junkmail@declude.com Sent: Friday, May 25, 2007 6:32 AM Subject: Re: [Declude.JunkMail] accidental whitelisting Anyone on the BCC line? If there's an address there that is being whitelisted, then the entire email gets whitelisted to all recipients. Darin. - Original Message - From: Imail Admin To: declude.junkmail@declude.com Sent: Friday, May 25, 2007 9:01 AM Subject: Re: [Declude.JunkMail] accidental whitelisting Hi David, Yup, that was my first check. The address book in question is the web address book, which you access from the web interface, right? I checked it and it was empty -- not surprising because I mainly use Outlook Express in IMAP mode. I did try turning it off briefly anyway, but then decided it couldn't be the cause of the problem and turned it back on. Someone else suggested putting Declude in Debug mode, and I could try that next. Thing is, I'm not getting a lot of these types of spam, just a handful in the last couple of days. So I'm concerned about how big the log files will grow while I wait for another occurrence. Thanks, Ben - Original Message - From: David Barker To: declude.junkmail@declude.com Sent: Friday, May 25, 2007 5:46 AM Subject: RE: [Declude.JunkMail] accidental whitelisting AUTOWHITELIST ON checks your user address book make sure you don’t have your own address in your address book. David Barker Director of Product Management Your Email security is our business 978.499.2933 office 978.988.1311 fax [EMAIL PROTECTED] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Imail Admin Sent: Thursday, May 24, 2007 8:42 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] accidental whitelisting Hi All, We're in the process of tesing JM 4.x as an upgrade and I ran into what I am sure is a minor mis-configuration. I find that I occassionally get messages that are clearly spam, but are whitelisted. The common characteristic is that they are sent with a from line that is my own email address, such as the following: X-Declude-Sender: [EMAIL PROTECTED] [77.85.117.187] X-Declude-Spoolname: D29db019e2105.smd X-Declude-Note: Scanned by Declude 4.2.20 for spam. http://www.declude.com/x-note.htm; X-Declude-Scan: Incoming Score [0] at 17:12:28 on 24 May 2007 X-Declude-Fail: Whitelisted, ZEROHOUR [0] Now, I checked and I don't see why this is being whitelisted. We only whitelist a handful of IP addresses, and this isn't one of them. The whitelist settings in the global.cfg file are: #=WHITELISTS === #WHITELIST HABEAS #DOMAINWHITELISTS OFF PREWHITELIST ON WHITELIST AUTH AUTOWHITELIST ON # - Domain Example - #WHITELIST FROM @declude.com # - User Example - #WHITELIST FROM [EMAIL PROTECTED] # - IP Example - WHITELIST IP 63.246.31.248 # - REVDNS Example - WHITELIST REVDNS .declude.com These are pretty much the defaults. The Autowhitelist ON command uses addresses in the web address book, so I checked those and found nothing (no addresses at all). I'm sure this is something really obvious, but could someone point it out to me? Thanks, Ben BC Web --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe
[Declude.JunkMail] More accidental whitelisting
Hi All, Last week I was struggling with this mysterious accidental whitelisting. Emails addressed to me were whitelisted, even though I had (to the best of my knowledge) no whitelisting turned on for my own address. After setting the JM logging to high, I came up with the following lines: 05/28/2007 17:39:47.568 q764101a664c1.smd Past whitelisting 05/28/2007 17:39:47.568 q764101a664c1.smd Looping #0 [flags=1] 05/28/2007 17:39:47.568 q764101a664c1.smd [EMAIL PROTECTED] [EMAIL PROTECTED]@mail2.bcwebhost.net] *local* 05/28/2007 17:39:47.568 q764101a664c1.smd Opening HKEY_LOCAL_MACHINE\software\Ipswitch\IMail\Domains for [EMAIL PROTECTED] [0] 05/28/2007 17:39:47.568 q764101a664c1.smd D:\IMail\Users\ben\aliases.txt 05/28/2007 17:39:47.568 q764101a664c1.smd Doing whitelist file D:\IMail\Users\ben\aliases.txt 05/28/2007 17:39:47.568 q764101a664c1.smd Using whitelist file D:\IMail\Users\ben\aliases.txt. 05/28/2007 17:39:47.568 q764101a664c1.smd Skipping4 E-mail from [EMAIL PROTECTED] ; whitelisted [EMAIL PROTECTED] ]. 05/28/2007 17:39:47.568 q764101a664c1.smd Domain name = mail2.bcwebhost.net, User name = ben. So, for reasons I don't understand, Declude is looking at my aliases.txt file for whitelisting. I couldn't find anywhere in the configuration files for this to happen, but there it is. I don't even know how aliases.txt is created, but when I looked inside it, I found the email addresses for various random people, and also my own address. My question is: why is Declude using this file for whitelisting? And why do I have this file anyway? Thanks, Ben - Original Message - From: Imail Admin To: declude.junkmail@declude.com Sent: Friday, May 25, 2007 6:01 AM Subject: Re: [Declude.JunkMail] accidental whitelisting Hi David, Yup, that was my first check. The address book in question is the web address book, which you access from the web interface, right? I checked it and it was empty -- not surprising because I mainly use Outlook Express in IMAP mode. I did try turning it off briefly anyway, but then decided it couldn't be the cause of the problem and turned it back on. Someone else suggested putting Declude in Debug mode, and I could try that next. Thing is, I'm not getting a lot of these types of spam, just a handful in the last couple of days. So I'm concerned about how big the log files will grow while I wait for another occurrence. Thanks, Ben - Original Message - From: David Barker To: declude.junkmail@declude.com Sent: Friday, May 25, 2007 5:46 AM Subject: RE: [Declude.JunkMail] accidental whitelisting AUTOWHITELIST ON checks your user address book make sure you don’t have your own address in your address book. David Barker Director of Product Management Your Email security is our business 978.499.2933 office 978.988.1311 fax [EMAIL PROTECTED] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Imail Admin Sent: Thursday, May 24, 2007 8:42 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] accidental whitelisting Hi All, We're in the process of tesing JM 4.x as an upgrade and I ran into what I am sure is a minor mis-configuration. I find that I occassionally get messages that are clearly spam, but are whitelisted. The common characteristic is that they are sent with a from line that is my own email address, such as the following: X-Declude-Sender: [EMAIL PROTECTED] [77.85.117.187] X-Declude-Spoolname: D29db019e2105.smd X-Declude-Note: Scanned by Declude 4.2.20 for spam. http://www.declude.com/x-note.htm; X-Declude-Scan: Incoming Score [0] at 17:12:28 on 24 May 2007 X-Declude-Fail: Whitelisted, ZEROHOUR [0] Now, I checked and I don't see why this is being whitelisted. We only whitelist a handful of IP addresses, and this isn't one of them. The whitelist settings in the global.cfg file are: #=WHITELISTS === #WHITELIST HABEAS #DOMAINWHITELISTS OFF PREWHITELIST ON WHITELIST AUTH AUTOWHITELIST ON # - Domain Example - #WHITELIST FROM @declude.com # - User Example - #WHITELIST FROM [EMAIL PROTECTED] # - IP Example - WHITELIST IP 63.246.31.248 # - REVDNS Example - WHITELIST REVDNS .declude.com These are pretty much the defaults. The Autowhitelist ON command uses addresses in the web address book, so I checked those and found nothing (no addresses at all). I'm sure this is something really obvious, but could someone point it out to me? Thanks, Ben BC Web --- This E-mail came from the Declude.JunkMail mailing list
Re: [Declude.JunkMail] More accidental whitelisting
Hi Matt, I understood the discussion about AUTOWHITELIST ON and the web address book issue. Where I got caught was that this server doesn't use aliases.txt, but the file is just there by accidental legacy. We're in the process of replacing our old 7.15 server with a new 2006.2 server by moving to a new machine. So far, the only domain we've moved over (until we get the bugs like this worked out) is our own domain. As part of that process, I copied over our old user folders (just for our domain) to the new server. The aliases.txt file must have been in the old users folder on the old server. Where I got fooled was because apparently 2006.2 doesn't use that file any more, so when I logged into the web interface, it told me the address book was empty. And, truthfully, I (and most of our users) used IMAP access via Outlook or something similar, rather than the web interface, so I wasn't even familiar with the file. I do agree with the discussion on this point: first, the whitelisting should never apply to your own address, and, I think the whole idea of whitelisting the address book should be an option that can be turned on/off from the config file. Anyway, thank you very much for clearing up this mystery for me. Thanks! Ben - Original Message - From: Matt To: declude.junkmail@declude.com Sent: Monday, May 28, 2007 8:50 PM Subject: Re: [Declude.JunkMail] More accidental whitelisting Ben, This was covered early in the thread. You have AUTOWHITELIST ON in your global.cfg, and that causes Declude to whitelist whatever is in the recipient's address book (aliases.txt in all IMail versions prior to 2006). You have your own E-mail address listed in your address book, and a spammer forged your address as the Mail From. This is commonly seen by those that use AUTOWHITELIST. There is no way to stop this unless you remove your address from your address book, and this is also likely happening to your other users where they have themselves listed in their address book, as well as others on your hosted domains in the event that there are multiple recipient forging spam. There is a limited workaround for some of this using a test called BYPASSWHITELIST. You can search the archives or manual about this. The best solution if you want to keep the ability to whitelist from the address book would be for Declude to make a change to automatically exclude any recipient of the E-mail from triggering AUTOWHITELIST. This has been requested repeatedly for over 3 years and even came up again in this thread. The fact that people were quick to point out that this was likely the reason for your issue is testament to the fact that it affects a lot of people that use this functionality. Matt Imail Admin wrote: Hi All, Last week I was struggling with this mysterious accidental whitelisting. Emails addressed to me were whitelisted, even though I had (to the best of my knowledge) no whitelisting turned on for my own address. After setting the JM logging to high, I came up with the following lines: 05/28/2007 17:39:47.568 q764101a664c1.smd Past whitelisting 05/28/2007 17:39:47.568 q764101a664c1.smd Looping #0 [flags=1] 05/28/2007 17:39:47.568 q764101a664c1.smd [EMAIL PROTECTED] [EMAIL PROTECTED]@mail2.bcwebhost.net] *local* 05/28/2007 17:39:47.568 q764101a664c1.smd Opening HKEY_LOCAL_MACHINE\software\Ipswitch\IMail\Domains for [EMAIL PROTECTED] [0] 05/28/2007 17:39:47.568 q764101a664c1.smd D:\IMail\Users\ben\aliases.txt 05/28/2007 17:39:47.568 q764101a664c1.smd Doing whitelist file D:\IMail\Users\ben\aliases.txt 05/28/2007 17:39:47.568 q764101a664c1.smd Using whitelist file D:\IMail\Users\ben\aliases.txt. 05/28/2007 17:39:47.568 q764101a664c1.smd Skipping4 E-mail from [EMAIL PROTECTED] ; whitelisted [EMAIL PROTECTED] ]. 05/28/2007 17:39:47.568 q764101a664c1.smd Domain name = mail2.bcwebhost.net, User name = ben. So, for reasons I don't understand, Declude is looking at my aliases.txt file for whitelisting. I couldn't find anywhere in the configuration files for this to happen, but there it is. I don't even know how aliases.txt is created, but when I looked inside it, I found the email addresses for various random people, and also my own address. My question is: why is Declude using this file for whitelisting? And why do I have this file anyway? Thanks, Ben - Original Message - From: Imail Admin To: declude.junkmail@declude.com Sent: Friday, May 25, 2007 6:01 AM Subject: Re: [Declude.JunkMail] accidental whitelisting Hi David, Yup, that was my first check. The address book in question is the web address book, which you access from the web interface, right? I checked it and it was empty -- not surprising because I mainly use Outlook Express in IMAP mode. I did try
Re: [Declude.JunkMail] More accidental whitelisting
Hi John, You sound grumpy. Yes, it was stupid of me to talk about controlling the feature that uses the web address book for whitelisting when AUTOWHITELIST already does that. I knew about that, since I talked about it in the original thread on this subject. It was late and I was just thinking (or, perhaps, not thinking) that more control over this feature would have been nice. Obviously, the best improvement is the same one everyone else has asked for: don't auto-whitelist your own address. I do disagree with your first statement. I expect Declude to know what version of IMail is running, which would tell it whether to bother processing certain files, such as aliases.txt. Anyway, thanks again to both you and Matt for your help. Ben - Original Message - From: John T (lists) To: declude.junkmail@declude.com Sent: Monday, May 28, 2007 11:11 PM Subject: RE: [Declude.JunkMail] More accidental whitelisting The point you have missed is that just because YOU are using Imail 2006.2 does not mean every one else is. Declude is doing exactly as it should, checking to see if an aliases.txt file exists and if so use it. As for the option of turning whitelisting based on the address book on or off, uh, ah, golly gee, that is what AUTOWHITELIST is for. As for not knowing that 2006.2 no longer uses the aliases.txt files… John T From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Imail Admin Sent: Monday, May 28, 2007 10:22 PM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] More accidental whitelisting Hi Matt, I understood the discussion about AUTOWHITELIST ON and the web address book issue. Where I got caught was that this server doesn't use aliases.txt, but the file is just there by accidental legacy. We're in the process of replacing our old 7.15 server with a new 2006.2 server by moving to a new machine. So far, the only domain we've moved over (until we get the bugs like this worked out) is our own domain. As part of that process, I copied over our old user folders (just for our domain) to the new server. The aliases.txt file must have been in the old users folder on the old server. Where I got fooled was because apparently 2006.2 doesn't use that file any more, so when I logged into the web interface, it told me the address book was empty. And, truthfully, I (and most of our users) used IMAP access via Outlook or something similar, rather than the web interface, so I wasn't even familiar with the file. I do agree with the discussion on this point: first, the whitelisting should never apply to your own address, and, I think the whole idea of whitelisting the address book should be an option that can be turned on/off from the config file. Anyway, thank you very much for clearing up this mystery for me. Thanks! Ben - Original Message - From: Matt To: declude.junkmail@declude.com Sent: Monday, May 28, 2007 8:50 PM Subject: Re: [Declude.JunkMail] More accidental whitelisting Ben, This was covered early in the thread. You have AUTOWHITELIST ON in your global.cfg, and that causes Declude to whitelist whatever is in the recipient's address book (aliases.txt in all IMail versions prior to 2006). You have your own E-mail address listed in your address book, and a spammer forged your address as the Mail From. This is commonly seen by those that use AUTOWHITELIST. There is no way to stop this unless you remove your address from your address book, and this is also likely happening to your other users where they have themselves listed in their address book, as well as others on your hosted domains in the event that there are multiple recipient forging spam. There is a limited workaround for some of this using a test called BYPASSWHITELIST. You can search the archives or manual about this. The best solution if you want to keep the ability to whitelist from the address book would be for Declude to make a change to automatically exclude any recipient of the E-mail from triggering AUTOWHITELIST. This has been requested repeatedly for over 3 years and even came up again in this thread. The fact that people were quick to point out that this was likely the reason for your issue is testament to the fact that it affects a lot of people that use this functionality. Matt Imail Admin wrote: Hi All, Last week I was struggling with this mysterious accidental whitelisting. Emails addressed to me were whitelisted, even though I had (to the best of my knowledge) no whitelisting turned on for my own address. After setting the JM logging to high, I came up with the following lines: 05/28/2007 17:39:47.568 q764101a664c1.smd Past whitelisting 05/28/2007 17:39:47.568 q764101a664c1.smd Looping #0 [flags=1
[Declude.JunkMail] Filtering outbound as a default
Right now, we only use JM on a domain-by-domain basis. We're considering turning on spam filtering on all outbound email. How do we configure that as a default? Thanks, Ben --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Filtering outbound as a default
What about older versions? Thanks, Ben - Original Message - From: Darrell ([EMAIL PROTECTED]) [EMAIL PROTECTED] To: declude.junkmail@declude.com Sent: Monday, July 02, 2007 2:14 PM Subject: Re: [Declude.JunkMail] Filtering outbound as a default Ben, In newer versions of Declude there is a directive for the global.cfg that needs to be turned on OUTBOUNDSCANNINGSPAM ON. I believe in newer versions ON is the default? Than you would need to add your tests and actions like in the $default$.junkmail file into the global.cfg file. Darrell -- Check out http://www.invariantsystems.com for utilities for Declude, Imail, and SmarterMail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. Imail Admin wrote: Right now, we only use JM on a domain-by-domain basis. We're considering turning on spam filtering on all outbound email. How do we configure that as a default? Thanks, Ben --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. -- --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] OT: Possible trojan?
Hi All, This is is off-topic, but the people here seemed to always be ahead of the game with these kinds of problems. I wanted to know if what I'm experiencing is some sort of trojan or virus, or just bad luck. We have had two unrelated systems (one desktop, the other a notebook, on different networks in different states) experiencing the same problem with a week of each other. The short description of the problem is this: The system hive under Windows XP Pro becomes corrupt (when you boot, this leads to a message about \windows\system32\config\system being unreadable). You can replace the system hive (typically, you boot to the Recovery Console and then copy over the system hive from \windows\system32\repair), but that version only works a short while before also becoming corrupt. If you get the System hive to be somewhat stable and boot into Safe Mode, the System Restore Point software works sporadically or not at all. Other services and programs seem to crash randomly or not load at all. Hardware failure has been ruled out. There are no major new software installations. The systems had been operating fine for at least a year previously. Any ideas? The fact that the problems persist (if the System hive just was corrupt from a power failure, for example, then it would stay fixed after being replaced) suggests a software issue. Since there is no new software installation on either system, that makes me suspect a trojan or backdoor or something. Sorry for being off-topic, but I do appreciate your help. Thanks, Ben BC Web --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] why isn't this message deleted
Hi, We have Declude running with IMail 2006.23. One of our clients has their mail box setup to forward to their AOL account. The problem we have is that if they receive a message and mark it as spam, then AOL thinks the spam came from us and we risk being blocked. I thought we were configured to scan and stop outgoing messages, but one of them got through today. When I checked our global.cfg file, I found that all the triggers were set to warn. Is it just a matter of setting one of the triggers to delete? And will this work with forwarded messages? Thanks, Ben --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] why isn't this message deleted
Hi, Thanks, Darin. We were putting the filter on outbound because we charge a little more for filtering on inbound service and they aren't paying for it. Is there a cost in terms of CPU utilization if we filter on outbound? In general, I don't expect to hit legit messages on outbound. We'll set the threshold pretty high and if the messages are coming from our clients (which should be the case except for forwarding), then they should never come close to the threshold. One question: is it possible to change the subject line for forwarded messages? That would give our clients a heads-up where the messages are coming from. Thanks, Ben - Original Message - From: Darin Cox To: declude.junkmail@declude.com Sent: Monday, February 25, 2008 3:34 PM Subject: Re: [Declude.JunkMail] why isn't this message deleted Yes, it will work. However, I think you'll want the delete setting put on inbound messages rather than outbound. In other words, do the scanning and actions on the inbound message to that account, before it is forwarded to the other account. You'll also want to be careful that you're not deleting legit messages, so don't change a filter to delete unless you are sure. Lastly, you'll want to get on AOL's postmaster feedback loop, if you aren't already. Darin. - Original Message - From: Imail Admin To: declude.junkmail@declude.com Sent: Monday, February 25, 2008 6:14 PM Subject: [Declude.JunkMail] why isn't this message deleted Hi, We have Declude running with IMail 2006.23. One of our clients has their mail box setup to forward to their AOL account. The problem we have is that if they receive a message and mark it as spam, then AOL thinks the spam came from us and we risk being blocked. I thought we were configured to scan and stop outgoing messages, but one of them got through today. When I checked our global.cfg file, I found that all the triggers were set to warn. Is it just a matter of setting one of the triggers to delete? And will this work with forwarded messages? Thanks, Ben --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] why isn't this message deleted
So, how do I add a mod to the subject line for all messages for a specific domain? I mean, it would obviously be a setting in the junkmail file for that domain name, but I'm used to using weights to trigger such things, while for this case, I want it on all messages. Thanks, Ben - Original Message - From: Darin Cox To: declude.junkmail@declude.com Sent: Tuesday, February 26, 2008 1:19 PM Subject: Re: [Declude.JunkMail] why isn't this message deleted I don't believe it will work that way for you. Forwarded messages are not scanned twice, so I believe they are only processed as incoming. As for changing the subject, that again would be done on the inbound filter for forwarded messages. As to the CPU question, the cost is the same for the same tests, inbound or outbound doesn't matter. Darin. - Original Message - From: Imail Admin To: declude.junkmail@declude.com Sent: Monday, February 25, 2008 8:59 PM Subject: Re: [Declude.JunkMail] why isn't this message deleted Hi, Thanks, Darin. We were putting the filter on outbound because we charge a little more for filtering on inbound service and they aren't paying for it. Is there a cost in terms of CPU utilization if we filter on outbound? In general, I don't expect to hit legit messages on outbound. We'll set the threshold pretty high and if the messages are coming from our clients (which should be the case except for forwarding), then they should never come close to the threshold. One question: is it possible to change the subject line for forwarded messages? That would give our clients a heads-up where the messages are coming from. Thanks, Ben - Original Message - From: Darin Cox To: declude.junkmail@declude.com Sent: Monday, February 25, 2008 3:34 PM Subject: Re: [Declude.JunkMail] why isn't this message deleted Yes, it will work. However, I think you'll want the delete setting put on inbound messages rather than outbound. In other words, do the scanning and actions on the inbound message to that account, before it is forwarded to the other account. You'll also want to be careful that you're not deleting legit messages, so don't change a filter to delete unless you are sure. Lastly, you'll want to get on AOL's postmaster feedback loop, if you aren't already. Darin. - Original Message - From: Imail Admin To: declude.junkmail@declude.com Sent: Monday, February 25, 2008 6:14 PM Subject: [Declude.JunkMail] why isn't this message deleted Hi, We have Declude running with IMail 2006.23. One of our clients has their mail box setup to forward to their AOL account. The problem we have is that if they receive a message and mark it as spam, then AOL thinks the spam came from us and we risk being blocked. I thought we were configured to scan and stop outgoing messages, but one of them got through today. When I checked our global.cfg file, I found that all the triggers were set to warn. Is it just a matter of setting one of the triggers to delete? And will this work with forwarded messages? Thanks, Ben --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] evaluating foreign spam
Hi, Lately, we've been getting a lot of stuff like this: Received: from mail5.slik.com.ru [194.62.0.249] by mail2.bcwebhost.net with ESMTP (SMTPD-9.20) id ABB40398; Wed, 05 Mar 2008 09:43:16 -0800 Message-ID: [EMAIL PROTECTED] From: =?koi8-r?B?7dXSwdfDxddh?= [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: SPAM [13]=?koi8-r?B?xMzRINDSz8bJzMHL1MnLySDJIMzF3sXOydEgzc7Px8nIINrBws/MxQ==?= =?koi8-r?B?18HOyco=?= Date: Wed, 05 Mar 2008 15:54:03 + MIME-Version: 1.0 Content-Type: multipart/related; type=multipart/alternative; boundary==_NextPart_000_0007_01C87EE8.0451BBC1 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.3138 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198 X-invURIBL-Scan: Scanned by invURIBL 3.1.0 on 3/5/2008 9:47:33 AM X-invURIBL-Weight: 0 X-invURIBL-Range: CLEAN X-RBL-Warning: NOABUSE: Not supporting [EMAIL PROTECTED] X-RBL-Warning: NOPOSTMASTER: Not supporting [EMAIL PROTECTED] X-RBL-Warning: SUBCHARS-50: Subject with at least 50 characters found. X-RBL-Warning: SUBCHARS-55: Subject with at least 55 characters found. X-RBL-Warning: SUBCHARS-60: Subject with at least 60 characters found. X-RBL-Warning: SNIFFER: Message failed SNIFFER: 61. X-Declude-Sender: [EMAIL PROTECTED] [194.62.0.249] X-Declude-Spoolname: Ddbb401e07908.smd X-Declude-Note: Scanned by Declude 4.2.20 for spam. http://www.declude.com/x-note.htm; X-Declude-Scan: Incoming Score [13] at 09:47:34 on 05 Mar 2008 X-Declude-Fail: NOABUSE [2], NOPOSTMASTER [1], SUBCHARS-50 [1], SUBCHARS-55 [1], SUBCHARS-60 [1], SNIFFER [7], WEIGHT5 [5], WEIGHT10 [10], WEIGHT10r [10], WEIGHT7 [7], WEIGHT7r [7], ZEROHOUR [0] X-Country-Chain: [RIPE Unlisted]-destination Where the body of the message is full of Russian. Is the best way to weight this stuff by country of origin? If so, what kind of country tests do people typically use? How severe is the CPU load on these kinds of tests? For this particular message, it get blocked as spam, but some of these messages come through as clean and I'm trying to figure how to filter for them better. Thanks, Ben --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Question on mailbox action...
The answer to your question is yes, the mailbox is created automatically. We use it all the time. Ben - Original Message - From: Chuck Schick [EMAIL PROTECTED] To: declude.junkmail@declude.com Sent: Wednesday, April 30, 2008 7:47 AM Subject: RE: [Declude.JunkMail] Question on mailbox action... I am not trying to re route the messages. What I want to do is place the email in a spam folder for each user if the message exceeds a certain weight. The mailbox action in declude would seem to do this. I just want to know if the folder will be created automatically using the mailbox action if it does not already exist. Chuck Schick Warp 8, Inc. (303)-421-5140 www.warp8.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry vanderzand Sent: Tuesday, April 29, 2008 4:32 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Question on mailbox action... It the mail box is [EMAIL PROTECTED] And you say ROUTETO [EMAIL PROTECTED] THEN THE FOLDER SPAM GETS CREATED AUTOMATICLY Harry Vanderzand NEW ADDRESS Effective Jan 24, 2008 Intown Internet 117 Ruskview Road Kitchener, ON, N2M 4S1 519-741-1222 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick Sent: Tuesday, April 29, 2008 5:36 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Question on mailbox action... If I institute a mailbox action like WEIGHT10 MAILBOX spam Will Imail automatically create the folder spam for the user if it does not already exist? Thanks Chuck Schick Warp 8, Inc. (303)-421-5140 www.warp8.com --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] blocking certain character sets
Hi, I have a question of strategy. Per David's message below, one can setup a filter for a character set (such as Russian). Alternative, one could use BANCHARSET. For a third alternative, one could use rules.ima within IMail itself. So what are the pros and cons of these three approaches? Which would likely have the least CPU impact? Also, is BANCHARSET new? I have a slightly older version of Declude and I don't recall it (of course, I can't find a manual for my version either). Thanks, Ben - Original Message - From: David Barker [EMAIL PROTECTED] To: declude.junkmail@declude.com Sent: Tuesday, May 06, 2008 8:14 AM Subject: RE: [Declude.JunkMail] blocking certain character sets For these char sets it is much easier - use the following: ANYWHERE 10 PCRE (?i:(iso-2022-jp|unicode-1-1-utf-7)) David B From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ferrell Ard Sent: Tuesday, May 06, 2008 11:05 AM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] blocking certain character sets David Thank you for the filter for koi8-r Would you be willing to code me one for unicode-1-1-utf-7 ISO-2022-JP (I deleted my example of unicode-1-1-utf-7) Subject: =?ISO-2022-JP?B?GyRCQXc/LiUoJWkhPBsoSg==?= Subject: X-IMail-SPAM DELIVERY FAILURE: =?ISO-2022-JP?B?GyRCJWYhPCU2ITwbKEIgeG55cnd5ICh4bnlyd3lAc21iYy5jb20uaGs=?= =?ISO-2022-JP?B?KSAbJEIkTxsoQiBEb21pbm8gGyRCJUclIyVsJS8lSCVqJEskTzgrGyhC?= =?ISO-2022-JP?B?GyRCJEQkKyRqJF4kOyRzISMbKEI=?= Thanks very much Ferrell - Original Message - From: David Barker To: declude.junkmail@declude.com Sent: Monday, April 21, 2008 10:21 AM Subject: RE: [Declude.JunkMail] blocking certain character sets I am surprised that they are still coming through, I would think that should have stopped it altogether. However add the following line to a junkmail filter: #CYRILLIC ANYWHERE 10 PCRE (?i:(charset=.{0,2}koi8-[ur].{0,2})|(=\?koi8-[ur]\?b\?)) David From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ferrell Ard Sent: Monday, April 21, 2008 7:55 AM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] blocking certain character sets David Thanks very much. I added to the Declude.cfg BANCHARSET koi8-r after I upgraded to 4.4.0 They are still coming thru. Is there anything else that I need to do? This is what I'm still getting From: =?koi8-r?B?58XOzsHEycog98HTyczYxdfJ3g==?= [EMAIL PROTECTED] Subject: X-IMail-SPAM =?koi8-r?B?58/S0d3JxSDQ1dTF18vJIQ==?= Thanks very much Ferrell Ard - Original Message - From: David Barker To: declude.junkmail@declude.com Sent: Tuesday, April 08, 2008 10:12 AM Subject: RE: [Declude.JunkMail] Need help in setting up filter please You can use the settings in Declude.cfg to stop certain character sets. David B From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ferrell Ard Sent: Tuesday, April 08, 2008 7:41 AM To: Declude Subject: [Declude.JunkMail] Need help in setting up filter please We are getting a lot of email that has the code for character set in the From The from always starts with =?koi8-r? Does anyone have a filter that might help me eliminate these. From: =?koi8-r?B?8dLP08zB1yD30d7F08zB18/Xyd4=?= xqs Thanks very much Ferrell --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] blocking certain character sets
David, Can you tell me when (what version number) the PCRE filter was introduced? Thanks, Ben - Original Message - From: David Barker To: declude.junkmail@declude.com Sent: Friday, May 16, 2008 8:39 AM Subject: RE: [Declude.JunkMail] blocking certain character sets Ferrell, It would be interesting to get a copy of the email line that the filter did not work on - that way we can look at adjusting the expression David From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ferrell Ard Sent: Friday, May 16, 2008 11:34 AM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] blocking certain character sets When I added to my global.cfg BANCHARSETkoi8-r it did not do anything ( emails continued to come in with this character set) Putting it into a Filter DID work. ANYWHERE 30 PCRE (?i:(charset=.{0,2}koi8-[ur].{0,2})|(=\?koi8-[ur]\?b\?)) (most of the time - but not all the time). The advantage - for me - for the Filter is that it applies to all 400 Post Offices that we host on the server. Whereas the rules.ima would have to be set up for each mailbox. Ferrell - Original Message - From: Imail Admin [EMAIL PROTECTED] To: declude.junkmail@declude.com Sent: Thursday, May 15, 2008 3:56 PM Subject: Re: [Declude.JunkMail] blocking certain character sets Hi, I have a question of strategy. Per David's message below, one can setup a filter for a character set (such as Russian). Alternative, one could use BANCHARSET. For a third alternative, one could use rules.ima within IMail itself. So what are the pros and cons of these three approaches? Which would likely have the least CPU impact? Also, is BANCHARSET new? I have a slightly older version of Declude and I don't recall it (of course, I can't find a manual for my version either). Thanks, Ben - Original Message - From: David Barker [EMAIL PROTECTED] To: declude.junkmail@declude.com Sent: Tuesday, May 06, 2008 8:14 AM Subject: RE: [Declude.JunkMail] blocking certain character sets For these char sets it is much easier - use the following: ANYWHERE 10 PCRE (?i:(iso-2022-jp|unicode-1-1-utf-7)) David B From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ferrell Ard Sent: Tuesday, May 06, 2008 11:05 AM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] blocking certain character sets David Thank you for the filter for koi8-r Would you be willing to code me one for unicode-1-1-utf-7 ISO-2022-JP (I deleted my example of unicode-1-1-utf-7) Subject: =?ISO-2022-JP?B?GyRCQXc/LiUoJWkhPBsoSg==?= Subject: X-IMail-SPAM DELIVERY FAILURE: =?ISO-2022-JP?B?GyRCJWYhPCU2ITwbKEIgeG55cnd5ICh4bnlyd3lAc21iYy5jb20uaGs=?= =?ISO-2022-JP?B?KSAbJEIkTxsoQiBEb21pbm8gGyRCJUclIyVsJS8lSCVqJEskTzgrGyhC?= =?ISO-2022-JP?B?GyRCJEQkKyRqJF4kOyRzISMbKEI=?= Thanks very much Ferrell - Original Message - From: David Barker To: declude.junkmail@declude.com Sent: Monday, April 21, 2008 10:21 AM Subject: RE: [Declude.JunkMail] blocking certain character sets I am surprised that they are still coming through, I would think that should have stopped it altogether. However add the following line to a junkmail filter: #CYRILLIC ANYWHERE 10 PCRE (?i:(charset=.{0,2}koi8-[ur].{0,2})|(=\?koi8-[ur]\?b\?)) David From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ferrell Ard Sent: Monday, April 21, 2008 7:55 AM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] blocking certain character sets David Thanks very much. I added to the Declude.cfg BANCHARSET koi8-r after I upgraded to 4.4.0 They are still coming thru. Is there anything else that I need to do? This is what I'm still getting From: =?koi8-r?B?58XOzsHEycog98HTyczYxdfJ3g==?= [EMAIL PROTECTED] Subject: X-IMail-SPAM =?koi8-r?B?58/S0d3JxSDQ1dTF18vJIQ==?= Thanks very much Ferrell Ard - Original Message - From: David Barker To: declude.junkmail@declude.com Sent: Tuesday, April 08, 2008 10:12 AM Subject: RE: [Declude.JunkMail] Need help in setting up filter please You can use the settings in Declude.cfg to stop certain character sets. David B From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ferrell Ard Sent: Tuesday, April 08, 2008 7:41 AM To: Declude Subject: [Declude.JunkMail] Need help in setting up filter please We are getting a lot of email that has the code for character set in the From The from always starts with =?koi8-r? Does anyone have a filter that might help me eliminate these. From: =?koi8-r?B?8dLP08zB1yD30d7F08zB18/Xyd4=?= xqs
Re: [Declude.JunkMail] blocking certain character sets
Oh, well, thanks anyway Dave. I have 4.2.20 and no current SA. - Original Message - From: David Barker To: declude.junkmail@declude.com Sent: Friday, May 16, 2008 10:00 AM Subject: RE: [Declude.JunkMail] blocking certain character sets Declude Security Suite 4.3.40 [12 March 2007] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Imail Admin Sent: Friday, May 16, 2008 12:45 PM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] blocking certain character sets David, Can you tell me when (what version number) the PCRE filter was introduced? Thanks, Ben - Original Message - From: David Barker To: declude.junkmail@declude.com Sent: Friday, May 16, 2008 8:39 AM Subject: RE: [Declude.JunkMail] blocking certain character sets Ferrell, It would be interesting to get a copy of the email line that the filter did not work on - that way we can look at adjusting the expression David From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ferrell Ard Sent: Friday, May 16, 2008 11:34 AM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] blocking certain character sets When I added to my global.cfg BANCHARSETkoi8-r it did not do anything ( emails continued to come in with this character set) Putting it into a Filter DID work. ANYWHERE 30 PCRE (?i:(charset=.{0,2}koi8-[ur].{0,2})|(=\?koi8-[ur]\?b\?)) (most of the time - but not all the time). The advantage - for me - for the Filter is that it applies to all 400 Post Offices that we host on the server. Whereas the rules.ima would have to be set up for each mailbox. Ferrell - Original Message - From: Imail Admin [EMAIL PROTECTED] To: declude.junkmail@declude.com Sent: Thursday, May 15, 2008 3:56 PM Subject: Re: [Declude.JunkMail] blocking certain character sets Hi, I have a question of strategy. Per David's message below, one can setup a filter for a character set (such as Russian). Alternative, one could use BANCHARSET. For a third alternative, one could use rules.ima within IMail itself. So what are the pros and cons of these three approaches? Which would likely have the least CPU impact? Also, is BANCHARSET new? I have a slightly older version of Declude and I don't recall it (of course, I can't find a manual for my version either). Thanks, Ben - Original Message - From: David Barker [EMAIL PROTECTED] To: declude.junkmail@declude.com Sent: Tuesday, May 06, 2008 8:14 AM Subject: RE: [Declude.JunkMail] blocking certain character sets For these char sets it is much easier - use the following: ANYWHERE 10 PCRE (?i:(iso-2022-jp|unicode-1-1-utf-7)) David B From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ferrell Ard Sent: Tuesday, May 06, 2008 11:05 AM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] blocking certain character sets David Thank you for the filter for koi8-r Would you be willing to code me one for unicode-1-1-utf-7 ISO-2022-JP (I deleted my example of unicode-1-1-utf-7) Subject: =?ISO-2022-JP?B?GyRCQXc/LiUoJWkhPBsoSg==?= Subject: X-IMail-SPAM DELIVERY FAILURE: =?ISO-2022-JP?B?GyRCJWYhPCU2ITwbKEIgeG55cnd5ICh4bnlyd3lAc21iYy5jb20uaGs=?= =?ISO-2022-JP?B?KSAbJEIkTxsoQiBEb21pbm8gGyRCJUclIyVsJS8lSCVqJEskTzgrGyhC?= =?ISO-2022-JP?B?GyRCJEQkKyRqJF4kOyRzISMbKEI=?= Thanks very much Ferrell - Original Message - From: David Barker To: declude.junkmail@declude.com Sent: Monday, April 21, 2008 10:21 AM Subject: RE: [Declude.JunkMail] blocking certain character sets I am surprised that they are still coming through, I would think that should have stopped it altogether. However add the following line to a junkmail filter: #CYRILLIC ANYWHERE 10 PCRE (?i:(charset=.{0,2}koi8-[ur].{0,2})|(=\?koi8-[ur]\?b\?)) David From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ferrell Ard Sent: Monday, April 21, 2008 7:55 AM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] blocking certain character sets David Thanks very much. I added to the Declude.cfg BANCHARSET koi8-r after I upgraded to 4.4.0 They are still coming thru. Is there anything else that I need to do? This is what I'm still getting From: =?koi8-r?B?58XOzsHEycog98HTyczYxdfJ3g==?= [EMAIL PROTECTED] Subject: X-IMail-SPAM =?koi8-r?B?58
Re: [Declude.JunkMail] Tip of the day??
I prefer table... tennis - Original Message - From: John T To: declude.junkmail@declude.com Sent: Saturday, May 17, 2008 12:44 AM Subject: Re: [Declude.JunkMail] Tip of the day?? Pong John T eServices For You -Original Message- From: Declude Junkmail [EMAIL PROTECTED] Sent 5/14/2008 12:12:45 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Tip of the day?? Ping. kinda quiet arounf here... Anyone got any tips on blocking the business loan junkmail? ~Joe --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] New Blacklist / Whitelist (Barracuda)
Hi, A couple of months ago I read the discussion about the new Barracuda BRBL. Then I went to the archives to see how people were implementing it into Declude. I have Declude 4.2.x, so I don't have the features of 4.4. I was unable from reviewing the archives to figure out the best way to implement this. Can someone give me the lines for global.cfg? And do you still think it's worth it? Thanks, Ben - Original Message - From: David Dodell [EMAIL PROTECTED] To: declude.junkmail@declude.com Sent: Wednesday, October 15, 2008 9:28 PM Subject: Re: [Declude.JunkMail] New Blacklist / Whitelist b) http://www.barracudacentral.org/rbl Hadn’t seen this one mentioned? Any experiences? Effective? False Positives? I'm giving this one a try ... I know Barracuda is a large manufacturer of hardware spam firewalls ... reputable company --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] What's wrong with my Declude?
Hi, We've been using Declude JM/AV with Imail for a long time. The current versions are Imail 2006.23 and Declude 1.63. I don't spend much time tweaking the system any more -- it's a small server that only handles about 40 domains (none of them heavy users). Anyway, lately (last couple of weeks) I've noticed more spam getting through. A lot more. Everything seems to be working as always, but it's not as effective. I'm looking for advice on how to make this effective without spending either big bucks or investing huge amounts of time. Any advice? Here is my DL Analyzer report: Total Messages Processed: 7,487 Messages That Failed Defined Test(s): 7,404 Percentage That Failed Defined Test(s): 98.89% Average Message Weight: 42 Average Message Weight/Failed: 42 TEST # FAILED PERCENTAGE CATCHALLMAILS 7,404 98.89% IPNOTINMX 7,306 97.58% WEIGHT4 6,791 90.70% WEIGHT5 6,726 89.84% WEIGHT7 6,652 88.85% WEIGHT8 6,554 87.54% WEIGHT10 6,481 86.56% WEIGHT12 6,282 83.91% NOLEGITCONTENT 6,239 83.33% WEIGHT15 6,147 82.10% WEIGHT20 5,930 79.20% WEIGHT20R 5,930 79.20% BARRACUDA 5,917 79.03% WEIGHT30 5,534 73.91% WEIGHT30R 5,534 73.91% INV-URIBL 5,427 72.49% SPFUNKNOWN 5,290 70.66% SNIFFER 4,625 61.77% CBL 4,121 55.04% UCEPROTECT-2 3,840 51.29% UCEPROTECT-3 3,702 49.45% SPAMCOP 3,659 48.87% UCEPROTECT-1 3,355 44.81% REVDNS 2,467 32.95% CMDSPACE 2,290 30.59% SUBCHARS-50 2,227 29.74% SUBCHARS-55 1,787 23.87% SPFPASS 1,664 22.23% SORBS-WEB 1,574 21.02% SUBCHARS-60 1,441 19.25% SORBS-DUHL 1,086 14.51% FIVETEN-SRC 1,085 14.49% FROMNOMATCH 1,072 14.32% NOPOSTMASTER 886 11.83% NOABUSE 728 9.72% SUBSPACE-12 592 7.91% BADHEADERS 583 7.79% SURBL 564 7.53% DYNHELO 541 7.23% WEIGHT7R 505 6.75% NONENGLISH 500 6.68% IMP-SPAM 392 5.24% SPFFAIL 342 4.57% WEIGHT10R 334 4.46% SORBS-SPAM 325 4.34% WEIGHT8R 293 3.91% SUBSPACE-15 286 3.82% WEIGHT4R 269 3.59% WEIGHT5R 245 3.27% WEIGHT15R 217 2.90% SPAMCANNIBAL 217 2.90% HELOBOGUS 217 2.90% SBL 205 2.74% SUBSPACE-17 201 2.68% WEIGHT12R 174 2.32% AHBL 158 2.11% SPAMHEADERS 152 2.03% BADWHOIS 133 1.78% FIVETEN-OPTIN 113 1.51% DSN 57 0.76% BONDEDSENDER 46 0.61% ROUTING 36 0.48% SIZE-300K 33 0.44% BASE64 32 0.43% SIZE-500K 20 0.27% IADB 19 0.25% AHBL-DOMAINS 15 0.20% SIZE-1MB 12 0.16% CONTSPACES 4 0.05% NJABL 4 0.05% BADCTYREVDNSTO 1 0.01% Thanks, Ben --- [This E-mail scanned for viruses by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] What's wrong with my Declude?
Hi, How do I get a current version of global.cfg? My license is long expired and my version is much older. Here's the relevant sections from the global.cfg file I have now: #= RBL IP4R TESTS == # 1. Definitions of the tests to use (do not edit unless you know what you are doing). These must come before the actions. # 2. First is the name of the check, then the type of check (ip4r is a DNS lookup using the reverse of the IP address). # 3. For type ip4r, 'matchstring' is the string to look for, or * for anything. AHBL ip4r dnsbl.ahbl.org* 6 0 ADNSBL ip4r dnsbl.antispam.or.id 127.0.0.2 3 0 BLITZEDALL ip4r opm.blitzed.org* 7 0 CBL ip4r cbl.abuseat.org 127.0.0.2 6 0 CSMA-SBL ip4r sbl.csma.biz 127.0.0.2 2 0 DSBL-CONFIRMED ip4r list.dsbl.org* 6 0 FIVETEN-SRC ip4r blackholes.five-ten-sg.com 127.0.0.2 7 0 JAMMDNSBL ip4r dnsbl.jammconsulting.com 127.0.0.2 3 0 INTERSIL ip4r blackholes.intersil.net 127.0.0.2 5 0 IPWHOIS ip4r ipwhois.rfc-ignorant.org 127.0.0.6 3 0 IMP-SPAM ip4r spamrbl.imp.ch 127.0.0.5 5 0 #ORDB ip4r relays.ordb.org* 5 0 #MTLDB ip4r mtldb.declude.com 127.0.0.2 3 0 #MXRATE is FREE but requires registration http://www.mxrate.com/Subscribe.asp MXRATE-BLOCK ip4r pub.mxrate.net 127.0.0.2 7 0 MXRATE-SUSPICIOUS ip4r pub.mxrate.net 127.0.0.4 2 0 NJABL ip4r dnsbl.njabl.org 127.0.0.2 5 0 SBL ip4r sbl.spamhaus.org * 9 0 SORBS-HTTP ip4r dnsbl.sorbs.net 127.0.0.2 5 0 SORBS-SOCKS ip4r dnsbl.sorbs.net 127.0.0.3 5 0 SORBS-MISC ip4r dnsbl.sorbs.net 127.0.0.4 5 0 SORBS-SMTP ip4r dnsbl.sorbs.net 127.0.0.5 5 0 SORBS-SPAM ip4r dnsbl.sorbs.net 127.0.0.6 4 0 SORBS-WEB ip4r dnsbl.sorbs.net 127.0.0.7 5 0 SORBS-BLOCK ip4r dnsbl.sorbs.net 127.0.0.8 5 0 SORBS-ZOMBIE ip4r dnsbl.sorbs.net 127.0.0.9 5 0 SORBS-DUHL ip4r dnsbl.sorbs.net 127.0.0.10 6 0 SPAMBAG ip4r blacklist.spambag.org 127.0.0.2 2 0 SPAMCANNIBAL ip4r bl.spamcannibal.org 127.0.0.2 2 0 SPAMCOP ip4r bl.spamcop.net 127.0.0.2 8 0 #UCEPROTECT-1 ip4r dnsbl-1.uceprotect.net 127.0.0.2 8 0 #UCEPROTECT-2 ip4r dnsbl-2.uceprotect.net 127.0.0.2 7 0 UCEPROTECT-1 ip4r dnsbl-1.uceprotect.net 127.0.0.2 5 0 UCEPROTECT-2 ip4r dnsbl-2.uceprotect.net 127.0.0.2 4 0 UCEPROTECT-3 ip4r dnsbl-3.uceprotect.net 127.0.0.2 2 0 BARRACUDA IP4Rb.barracudacentral.org 127.0.0.2 3 0 #= GOOD MAIL IP4R TESTS == BONDEDSENDER ip4r query.bondedsender.org 127.0.0.10 -10 0 IADB ip4r iadb.isipp.com 127.0.0.1 -5 0 FIVETEN-OPTIN ip4r blackholes.five-ten-sg.com 127.0.0.4 -3 0 MXRATE-ALLOW ip4r pub.mxrate.net 127.0.0.3 -3 0 #= RHBSL TESTS == AHBL-DOMAINSRHSBL rhsbl.ahbl.org127.0.0.2 10 0 BADWHOIS rhsbl whois.rfc-ignorant.org 127.0.0.5 3 0 DSN rhsbl dsn.rfc-ignorant.org 127.0.0.2 3 0 NOABUSE rhsbl abuse.rfc-ignorant.org 127.0.0.4 2 0 NOPOSTMASTER rhsbl postmaster.rfc-ignorant.org 127.0.0.3 1 0 MAILPOLICE-BLOCK rhsbl block.rhs.mailpolice.com 127.0.0.2 8 0 MAILPOLICE-FRAUD rhsbl fraud.rhs.mailpolice.com 127.0.0.2 8 0 SURBL rhsbl multi.surbl.org* 5 0 Thanks, Ben --- [This E-mail was checked by Declude] - Original Message - From: Scott Fisher sfis...@farmprogress.com To: declude.junkmail@declude.com Sent: Wednesday, July 28, 2010 11:59 AM Subject: RE: [Declude.JunkMail] What's wrong with my Declude? One thing is to add zen.spamhaus.org (removing cbl, sbl and perhaps njabl). It's the newer list from spamhaus ZEN IP4R zen.spamhaus.org * 7 0 You'd probably be best off comparing your global.cfg to Declude's current globabl.cfg. -Original Message- From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Imail Admin Sent: Wednesday, July 28, 2010 1:30 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] What's wrong with my Declude? Hi, We've been using Declude JM/AV with Imail for a long time. The current versions are Imail 2006.23 and Declude 1.63. I don't spend much time tweaking the system any more -- it's a small server that only handles about 40 domains (none of them heavy users). Anyway, lately (last couple of weeks) I've noticed more spam getting through. A lot more. Everything seems to be working as always, but it's not as effective. I'm looking for advice on how to make this effective without spending either big bucks or investing huge amounts of time. Any advice? Here is my DL Analyzer report: Total Messages Processed: 7,487 Messages That Failed Defined Test(s): 7,404 Percentage That Failed Defined Test(s): 98.89% Average Message Weight: 42 Average Message Weight/Failed: 42 TEST # FAILED PERCENTAGE CATCHALLMAILS 7,404 98.89% IPNOTINMX 7,306
Re: [Declude.JunkMail] What's wrong with my Declude?
Hi Pete, By SNF I assume you mean Sniffer? How do I tell for sure which version is running and whether it is getting the latest downloads? I know it's running at least partially because the report lists it. I checked the cfg file and it says configuration for v2r3, so I assume that's version 2 and not version 3? Then I checked my old emails and found that my last license renewal was at the end of last August, so I have a valid license. I haven't received any noticed since then about newer versions or even renewing my license this year. Thanks, Ben --- [This E-mail was checked by Declude] - Original Message - From: Pete McNeil madscient...@microneil.com To: declude.junkmail@declude.com Sent: Wednesday, July 28, 2010 12:18 PM Subject: Re: [Declude.JunkMail] What's wrong with my Declude? On 7/28/2010 2:29 PM, Imail Admin wrote: lately (last couple of weeks) I've noticed more spam getting through. A lot more. Check your SNF installation. I looked up your license ID and checked for your telemetry and did not find it. This usually means that SNF is not currently running on your system or that you have not yet upgraded to version 3. Hope this helps, _M -- President MicroNeil Research Corporation www.microneil.com --- [This E-mail scanned for viruses by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] What's wrong with my Declude?
Hi Pete, Thanks. I think I'll try your installer first. I checked and my Sniffer subscription runs out in late September. I'm considering the possibility of upgrading Declude (first time in many years) and getting the OEM Sniffer with it. If I do that, it'll be in September. My system is so old (Imail 2006.23 running on top of Windows Server 2000) that I worry it won't handle the newest versions of these products. Thanks, Ben --- [This E-mail was checked by Declude] - Original Message - From: Pete McNeil madscient...@microneil.com To: declude.junkmail@declude.com Sent: Sunday, August 01, 2010 11:28 AM Subject: Re: [Declude.JunkMail] What's wrong with my Declude? On 8/1/2010 1:36 PM, Imail Admin wrote: Hi Pete, By SNF I assume you mean Sniffer? How do I tell for sure which version is running and whether it is getting the latest downloads? I know it's running at least partially because the report lists it. I checked the cfg file and it says configuration for v2r3, so I assume that's version 2 and not version 3? Then I checked my old emails and found that my last license renewal was at the end of last August, so I have a valid license. I haven't received any noticed since then about newer versions or even renewing my license this year. That all sounds about right. I'm betting (based on the above) that you simply never upgraded to version 3. The best way to do that is to use our installer. http://www.armresearch.com/products/snfClientServerWinInstaller.jsp http://www.armresearch.com/message-sniffer/download/SNF_CS_Installer.exe Another good way (if you're upgrading Declude also) is to switch to the built-in OEM version of SNF in Declude. (contact Declude about that if you wish to switch). _M --- [This E-mail was checked by Declude] -- President MicroNeil Research Corporation www.microneil.com --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] What's wrong with my Declude?
Hi Pete, OK, I did the upgrade. One thing that was slightly different from the instructions was that even though I directed it to install into the same folder as the prior Sniffer installation (d:\imail\sniffer), it only offered me a choice of a new install and said nothing about an upgrade. Still, it seemed to go through smoothly, so I'll just cross my fingers. Now that that's done, do I need to change my global.cfg setting? The old setting is SNIFFER external nonzero D:\imail\sniffer\liajkovy.exe w91zgqvr4g73s6o5 7 0. Thanks, Ben --- [This E-mail was checked by Declude] - Original Message - From: Pete McNeil madscient...@microneil.com To: declude.junkmail@declude.com Sent: Sunday, August 01, 2010 11:28 AM Subject: Re: [Declude.JunkMail] What's wrong with my Declude? On 8/1/2010 1:36 PM, Imail Admin wrote: Hi Pete, By SNF I assume you mean Sniffer? How do I tell for sure which version is running and whether it is getting the latest downloads? I know it's running at least partially because the report lists it. I checked the cfg file and it says configuration for v2r3, so I assume that's version 2 and not version 3? Then I checked my old emails and found that my last license renewal was at the end of last August, so I have a valid license. I haven't received any noticed since then about newer versions or even renewing my license this year. That all sounds about right. I'm betting (based on the above) that you simply never upgraded to version 3. The best way to do that is to use our installer. http://www.armresearch.com/products/snfClientServerWinInstaller.jsp http://www.armresearch.com/message-sniffer/download/SNF_CS_Installer.exe Another good way (if you're upgrading Declude also) is to switch to the built-in OEM version of SNF in Declude. (contact Declude about that if you wish to switch). _M --- [This E-mail was checked by Declude] -- President MicroNeil Research Corporation www.microneil.com --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] What's wrong with my Declude?
Got it. Thanks! --- [This E-mail was checked by Declude] - Original Message - From: Pete McNeil madscient...@microneil.com To: declude.junkmail@declude.com Sent: Sunday, August 01, 2010 2:34 PM Subject: Re: [Declude.JunkMail] What's wrong with my Declude? On 8/1/2010 3:03 PM, Imail Admin wrote: Hi Pete, OK, I did the upgrade. One thing that was slightly different from the instructions was that even though I directed it to install into the same folder as the prior Sniffer installation (d:\imail\sniffer), it only offered me a choice of a new install and said nothing about an upgrade. Still, it seemed to go through smoothly, so I'll just cross my fingers. Now that that's done, do I need to change my global.cfg setting? The old setting is SNIFFER external nonzero D:\imail\sniffer\liajkovy.exe w91zgqvr4g73s6o5 7 0. I'm guessing the installer didn't understand the old installation -- that happens sometimes because they all tend to be a little different. You should comment out your old SNIFFER line -- the installer should have created a new one for you that calls SNFClient. Note that SNFClient will accept and ignore the authentication string, but it doesn't need to have it... Your new SNIFFER line might look something like: SNIFFER external nonzero D:\sniffer\SNFClient.exe 7 0 Hope this helps, _M --- [This E-mail was checked by Declude] -- President MicroNeil Research Corporation www.microneil.com --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] weird processing of lists
Hi, I've run into a small problem between Declude and lists. I have a domain with a list on it such as listn...@domain.com. You have to be on the posters' list to send messages to that list. One of the posters sends messages to the list and is authorized for the list, but gets this error message: Invalid final delivery userid: listname-spam...@domain.com. SpamLow is the folder into which messages are normally dropped when their score is between 5 and 10. It appears that Declude is assigning this message a score between 5 and 10 and then trying to put the message into the SpamLow folder for this user. Except that it's not a user, it's a list. So why does this happen and how do I handle it? Thanks, Ben P.S. We've been using Declude JM/AV with Imail for a long time. The current versions are Imail 2006.23 and Declude 1.63. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] weird processing of lists
I've got a second user with the same problem, so I'd be interested in help. The only thing I've thought of so far is to create user-specific settings for each list and specify not to create folders, but that's a pain in the neck. Any help would be appreciated. Thanks, Ben -Original Message- From: IMail Admin Sent: Friday, December 24, 2010 11:23 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] weird processing of lists Hi, I've run into a small problem between Declude and lists. I have a domain with a list on it such as listn...@domain.com. You have to be on the posters' list to send messages to that list. One of the posters sends messages to the list and is authorized for the list, but gets this error message: Invalid final delivery userid: listname-spam...@domain.com. SpamLow is the folder into which messages are normally dropped when their score is between 5 and 10. It appears that Declude is assigning this message a score between 5 and 10 and then trying to put the message into the SpamLow folder for this user. Except that it's not a user, it's a list. So why does this happen and how do I handle it? Thanks, Ben P.S. We've been using Declude JM/AV with Imail for a long time. The current versions are Imail 2006.23 and Declude 1.63. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] weird processing of lists
Everyone gone on vacation? -Original Message- From: IMail Admin Sent: Friday, December 24, 2010 11:23 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] weird processing of lists Hi, I've run into a small problem between Declude and lists. I have a domain with a list on it such as listn...@domain.com. You have to be on the posters' list to send messages to that list. One of the posters sends messages to the list and is authorized for the list, but gets this error message: Invalid final delivery userid: listname-spam...@domain.com. SpamLow is the folder into which messages are normally dropped when their score is between 5 and 10. It appears that Declude is assigning this message a score between 5 and 10 and then trying to put the message into the SpamLow folder for this user. Except that it's not a user, it's a list. So why does this happen and how do I handle it? Thanks, Ben P.S. We've been using Declude JM/AV with Imail for a long time. The current versions are Imail 2006.23 and Declude 1.63. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] weird processing of lists
But you're the man who knows everything about Declude. Surely you know the answer to my original question? Ben -Original Message- From: David Barker Sent: Wednesday, December 29, 2010 5:21 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] weird processing of lists Most likely ;) -Original Message- From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of IMail Admin Sent: Tuesday, December 28, 2010 3:24 PM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] weird processing of lists Everyone gone on vacation? -Original Message- From: IMail Admin Sent: Friday, December 24, 2010 11:23 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] weird processing of lists Hi, I've run into a small problem between Declude and lists. I have a domain with a list on it such as listn...@domain.com. You have to be on the posters' list to send messages to that list. One of the posters sends messages to the list and is authorized for the list, but gets this error message: Invalid final delivery userid: listname-spam...@domain.com. SpamLow is the folder into which messages are normally dropped when their score is between 5 and 10. It appears that Declude is assigning this message a score between 5 and 10 and then trying to put the message into the SpamLow folder for this user. Except that it's not a user, it's a list. So why does this happen and how do I handle it? Thanks, Ben P.S. We've been using Declude JM/AV with Imail for a long time. The current versions are Imail 2006.23 and Declude 1.63. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] weird processing of lists
What surprises me is that I haven't found anywhere where this problem has been discussed before. Granted that IMail's list server is primitive and that seriously list services use a separate list server, still a lot of IMail admin use the built-in list service for basic list services. So I would assume that all of these users would have them same problem with JM and the IMail list service. For that matter, I don't really understand why I'm having this problem just now, after using of using both products. Ben - Original Message - From: Dean Lawrence To: declude.junkmail@declude.com Sent: Wednesday, December 29, 2010 12:52 PM Subject: Re: [Declude.JunkMail] weird processing of lists Ben, Maybe you could right a rule that evaluates the sender and originating IP. So that if the email is from listn...@domain.com and the IP matches the server's IP (since it is being generated from your server), that it assigns a negative weight to the message? Dean P.S. This is off the top of my head without looking at the docs, so I may be off base. On Wed, Dec 29, 2010 at 3:07 PM, IMail Admin imailad...@bcwebhost.net wrote: But you're the man who knows everything about Declude. Surely you know the answer to my original question? Ben -Original Message- From: David Barker Sent: Wednesday, December 29, 2010 5:21 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] weird processing of lists Most likely ;) -Original Message- From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of IMail Admin Sent: Tuesday, December 28, 2010 3:24 PM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] weird processing of lists Everyone gone on vacation? -Original Message- From: IMail Admin Sent: Friday, December 24, 2010 11:23 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] weird processing of lists Hi, I've run into a small problem between Declude and lists. I have a domain with a list on it such as listn...@domain.com. You have to be on the posters' list to send messages to that list. One of the posters sends messages to the list and is authorized for the list, but gets this error message: Invalid final delivery userid: listname-spam...@domain.com. SpamLow is the folder into which messages are normally dropped when their score is between 5 and 10. It appears that Declude is assigning this message a score between 5 and 10 and then trying to put the message into the SpamLow folder for this user. Except that it's not a user, it's a list. So why does this happen and how do I handle it? Thanks, Ben P.S. We've been using Declude JM/AV with Imail for a long time. The current versions are Imail 2006.23 and Declude 1.63. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. -- --- Dean M. Lawrence INTERNET DATA TECHNOLOGY p // 888.438.4381 ext. 701 w // www.idatatech.com f // www.facebook.com/idatatech t // www.twitter.com/idatatech Social Marketing | SEO | Design | Internet Development --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] weird processing of lists
Thanks for the offer. In it's simplest sense, however, I think I understand what's going on. Declude is processing messages sent to a list address and then attempting to send some messages to folders within that mailbox. I can't even imagine why Declude would process the list address, rather than the addresses of the individual recipients. I guess that's the real question. Thanks, Ben - Original Message - From: Nick Hayer To: declude.junkmail@declude.com Sent: Wednesday, December 29, 2010 2:49 PM Subject: Re: [Declude.JunkMail] weird processing of lists Ben, No idea how to fix it - all I can suggest though is to run your log in debug mode and duplicate the problem. Then the logs may give you a clue as to what is going on. -Nick MadRiverAccess.com|Skywaves.com Tech Support US/Canada 877-873-6482 or International +1-802-229-6574 Emergency Support 24/7: supp...@skywaves.net General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm -- From: Imail Admin imailad...@bcwebhost.net Sent: Wednesday, December 29, 2010 5:26 PM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] weird processing of lists What surprises me is that I haven't found anywhere where this problem has been discussed before. Granted that IMail's list server is primitive and that seriously list services use a separate list server, still a lot of IMail admin use the built-in list service for basic list services. So I would assume that all of these users would have them same problem with JM and the IMail list service. For that matter, I don't really understand why I'm having this problem just now, after using of using both products. Ben - Original Message - From: Dean Lawrence To: declude.junkmail@declude.com Sent: Wednesday, December 29, 2010 12:52 PM Subject: Re: [Declude.JunkMail] weird processing of lists Ben, Maybe you could right a rule that evaluates the sender and originating IP. So that if the email is from listn...@domain.com and the IP matches the server's IP (since it is being generated from your server), that it assigns a negative weight to the message? Dean P.S. This is off the top of my head without looking at the docs, so I may be off base. On Wed, Dec 29, 2010 at 3:07 PM, IMail Admin imailad...@bcwebhost.net wrote: But you're the man who knows everything about Declude. Surely you know the answer to my original question? Ben -Original Message- From: David Barker Sent: Wednesday, December 29, 2010 5:21 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] weird processing of lists Most likely ;) -Original Message- From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of IMail Admin Sent: Tuesday, December 28, 2010 3:24 PM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] weird processing of lists Everyone gone on vacation? -Original Message- From: IMail Admin Sent: Friday, December 24, 2010 11:23 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] weird processing of lists Hi, I've run into a small problem between Declude and lists. I have a domain with a list on it such as listn...@domain.com. You have to be on the posters' list to send messages to that list. One of the posters sends messages to the list and is authorized for the list, but gets this error message: Invalid final delivery userid: listname-spam...@domain.com. SpamLow is the folder into which messages are normally dropped when their score is between 5 and 10. It appears that Declude is assigning this message a score between 5 and 10 and then trying to put the message into the SpamLow folder for this user. Except that it's not a user, it's a list. So why does this happen and how do I handle it? Thanks, Ben P.S. We've been using Declude JM/AV with Imail for a long time. The current versions are Imail 2006.23 and Declude 1.63. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com
[Declude.JunkMail] How effective should Inv-Uribl be?
I'm still having trouble with more spam seepage, so I've been looking at my various tests. I noticed that in the past, the Inv-uribl test caught 63-70% of messages, but recently it's only catching 56%. When I look at a lot of the low value spam (messages that barely get classified as spam), they always have an Inv-uribl result of score 0 range clean. Is it just that this test is less effective now? Or have I somehow messed up my configuration? As an aside: I use DL Analyzer to check these results. One this it always does is give the average weight/message and average weight/failed message. Typically, these are scores such as 45 and 46. Just lately I started get results like -131,000 and -136,000. I don't know if this is another sign of something broken in my configuration or if the analyzer program has somehow broken. Thanks. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] How effective should Inv-Uribl be?
I’m not quite sure what you mean. In the Declude global.cfg file the only reference to inv-uribl is INV-URIBL external weight D:\imail\INVURIBL\INVURIBL.exe %WEIGHT% %REMOTEIP% 0 0 In the invUribl.exe.config file there is (in part): *** !-- This is the URI Blacklist That The URI Will Be Checked Against -- add key=URIBL_List1 value=multi.surbl.org / !-- Weight added to the result code or custom bitmask total. -- add key=URIBL_Weight_List1 value=0 / !--Allows you to override the normal values for bitmasks for a custom return weight-- add key=Enable_Custom_Bitmask_Values_URIBL_List1 value=true / !--If using multi.surbl.org see http://www.surbl.org/lists.html#multi for which lists correspond -- !--to which bitmask values -- !-- BitValue_2 = comes from sc.surbl.org -- !-- BitValue_4 = comes from ws.surbl.org -- !-- BitValue_8 = comes from phishing data source (labelled as [ph] in multi) -- !-- BitValue_16 = comes from ob.surbl.org -- !-- BitValue_32 = comes from ab.surbl.org -- !-- BitValue_64 = comes from jp data source (labelled as [jp] in multi) -- add key=URI_Bitmask_BitValue_1_Weight_URIBL_List1 value=0 / add key=URI_Bitmask_BitValue_2_Weight_URIBL_List1 value=7 / add key=URI_Bitmask_BitValue_4_Weight_URIBL_List1 value=2 / add key=URI_Bitmask_BitValue_8_Weight_URIBL_List1 value=5 / add key=URI_Bitmask_BitValue_16_Weight_URIBL_List1 value=3 / add key=URI_Bitmask_BitValue_32_Weight_URIBL_List1 value=7 / add key=URI_Bitmask_BitValue_64_Weight_URIBL_List1 value=10 / add key=URI_Bitmask_BitValue_128_Weight_URIBL_List1 value=0 / !--URI LIST 2-- add key=URIBL_List2 value=multi.uribl.com / add key=URIBL_Weight_List2 value=0 / !-- BitValue_2 = comes from black.uribl.org -- !-- BitValue_4 = comes from grey.uribl.org -- !-- BitValue_8 = comes from red.uribl.org -- add key=Enable_Custom_Bitmask_Values_URIBL_List2 value=true / add key=URI_Bitmask_BitValue_1_Weight_URIBL_List2 value=0 / add key=URI_Bitmask_BitValue_2_Weight_URIBL_List2 value=7 / add key=URI_Bitmask_BitValue_4_Weight_URIBL_List2 value=0 / add key=URI_Bitmask_BitValue_8_Weight_URIBL_List2 value=2 / add key=URI_Bitmask_BitValue_16_Weight_URIBL_List2 value=0 / add key=URI_Bitmask_BitValue_32_Weight_URIBL_List2 value=0 / add key=URI_Bitmask_BitValue_64_Weight_URIBL_List2 value=0 / add key=URI_Bitmask_BitValue_128_Weight_URIBL_List2 value=0 / !--Enables the checking of the URI's name servers against an RBL. -- !--If the name servers are listed in the RBL the defined weight will be added-- !--Max_Name_servers_To_Check - Sets the number of name servers to check. -- !--If set to zero all name servers returned from the DNS query will be checked-- !--Bitmask_Skip_Options_Name_Server_RBLx - Bitmask value that allows you to skip -- !--the associated Namerserver check if the URI is listed in the URI list. -- !--Values: 0 - no skipping will occur. 1 - Skip Nameserver check if URI was listed-- !--in a URI list. 2 - Skip if the URI's name server was already found in he given -- !--blacklist. This prevents double scoring. These are bitmask values and would -- !--be added together based on the options you want.-- add key=Enable_URI_Name_Server_Check value=true / add key=Max_Name_Servers_To_Check value=3 / add key=Name_Server_RBL1 value=sbl.spamhaus.org / add key=Bitmask_Skip_Options_Name_Server_RBL1 value=2 / add key=Name_Server_Return_Code_RBL1 value=* / add key=Name_Server_Weight_RBL1 value=5 / *** In the inv-uribl log file I find references to multi.surbl.org, sbl.spamhaus.org, multi.uribl.com, and xx.countries.nerd.dk (where xx is a country code such as ru). All the lines that end in Total Weight = 0 don’t list any tests at all – they just resolve the IP. Thanks. From: Nick Hayer Sent: Friday, March 18, 2011 11:21 AM To: Declude.JunkMail@declude.com Subject: re: [Declude.JunkMail] How effective should Inv-Uribl be? What uribl tests are you using and are you getting hits on them - check your logs.. I'm suggesting you may need different tests - the one you are using may have blacklisted you or are dead even... -Nick MadRiverAccess.com|Skywaves.com Tech Support US/Canada 877-873-6482 or International +1-802-229-6574 Emergency Support 24/7: supp...@skywaves.net General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm From: IMail Admin imailad...@bcwebhost.net Sent: Friday, March 18, 2011 2:13 PM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] How effective should Inv-Uribl be? I'm still having trouble with more spam seepage, so I've been looking at my various tests. I noticed that in the past, the Inv-uribl test caught 63-70% of messages, but recently it's only catching 56
Re: [Declude.JunkMail] How do you read the Inv-Uribl log file?
That’s a good idea, so I looked at what I have in the config file: !--URI LIST 2-- add key=URIBL_List2 value=multi.uribl.com / add key=URIBL_Weight_List2 value=0 / !-- BitValue_2 = comes from black.uribl.org -- !-- BitValue_4 = comes from grey.uribl.org -- !-- BitValue_8 = comes from red.uribl.org -- add key=Enable_Custom_Bitmask_Values_URIBL_List2 value=true / add key=URI_Bitmask_BitValue_1_Weight_URIBL_List2 value=0 / add key=URI_Bitmask_BitValue_2_Weight_URIBL_List2 value=7 / add key=URI_Bitmask_BitValue_4_Weight_URIBL_List2 value=0 / add key=URI_Bitmask_BitValue_8_Weight_URIBL_List2 value=2 / add key=URI_Bitmask_BitValue_16_Weight_URIBL_List2 value=0 / add key=URI_Bitmask_BitValue_32_Weight_URIBL_List2 value=0 / add key=URI_Bitmask_BitValue_64_Weight_URIBL_List2 value=0 / add key=URI_Bitmask_BitValue_128_Weight_URIBL_List2 value=0 / I’m not an expert, but this seems to say that showing up in the black, grey, or red lists gets you scores of 7, 0 2 corresponding to bitmasks results of 127.0.0.2, 127.0.0.4, and 127.0.0.8. So then I went to the uribl.com web site to look up the definitions of these lists: ■black.uribl.com - This lists contains domain names belonging to and used by spammers, including but not restricted to those that appear in URIs found in Unsolicited Bulk and/or Commercial Email (UBE/UCE). This list has a goal of zero False Positives. This zone rebuilds frequently as new data is added. ■grey.uribl.com - This lists contains domains found in UBE/UCE, and possibly honour opt-out requests. It may include ESPs which allow customers to import their recipient lists and may have no control over the subscription methods. This list can and probably will cause False Positives depending on your definition of UBE/UCE. This zone rebuilds several times a day as necessary. ■red.uribl.com - This list contains domains that actively show up in mail flow, are not listed on URIBL black, and are either: being monitored, very young (domain age via whois), or use whois privacy features to protect their identity. This list is automated in nature, so please use at your own risk. From this, I don’t understand why red would rate a score of 2 and grey a score of 0. It seems to me that grey is in between black and red, and should probably have a score of 3 or 4. In my system, that kind of score wouldn’t be enough to cause the message to be treated as spam (my Declude threshold for “ordinary email” is 5), but it would if combined with other failed tests. Any thoughts on this? Thanks, Ben From: Nick Hayer Sent: Tuesday, April 05, 2011 5:52 PM To: Declude.JunkMail@declude.com Subject: re: [Declude.JunkMail] How do you read the Inv-Uribl log file? maybe it scores bitmask results and 127.0.0.4 response is not tagged? -Nick MadRiverAccess.com|Skywaves.com Tech Support US/Canada 877-873-6482 or International +1-802-229-6574 Emergency Support 24/7: supp...@skywaves.net General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm From: Imail Admin imailad...@bcwebhost.net Sent: Tuesday, April 05, 2011 8:36 PM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] How do you read the Inv-Uribl log file? So I'm still looking at ways to make Inv-Uribl more effective. I'm getting a lot of spam that gets through my system with relatively marginal score so I'm looking at the Inv-Uribl log. Here are the lines for a message that I would consider to be obviously spam, yet came through Inv-Uribl as Clean: 2011-03-31 02:53:09.343 2011-03-31 02:53:12.484 D:\IMail\spool\proc\work\D5d0b028c100f.smd netcontentinc.com 127.0.0.4 URI from message body found in multi.uribl.com [4] [Total Weight=0] 2011-03-31 02:53:09.343 2011-03-31 02:53:12.953 D:\IMail\spool\proc\work\D5d0b028c100f.smd Resolved netcontentinc.com to 207.65.119.238 [Total Weight=0] 2011-03-31 02:53:09.343 2011-03-31 02:53:12.953 D:\IMail\spool\proc\work\D5d0b028c100f.smd Resolved avantresources.com to 216.139.251.42 [Total Weight=0] 2011-03-31 02:53:09.343 2011-03-31 02:53:12.953 D:\IMail\spool\proc\work\D5d0b028c100f.smd Resolved bcwebhost.net to 173.164.65.196 [Total Weight=0] Did I miss something here that should have triggered a score (additional spam weight in Declude)? Thanks, Ben --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail
Re: [Declude.JunkMail] How do you read the Inv-Uribl log file?
HI Scott, It looks to me like you only score the black and not the grey or red listings. The config I have, which would have come from someone else or the default because I’ve never tried tweaking inv-uribl, scores black and red but not grey. I’m thinking of scoring grey with a small score but I was waiting to see response on the list such as yours. Thanks, Ben From: Scott Fisher Sent: Wednesday, April 06, 2011 6:50 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] How do you read the Inv-Uribl log file? The 127.0.0.4 is a gray listing for the uribl. I personally don’t score the gray result because of too many false positives. !--URI LIST 2-- add key=URIBL_List2 value=multi.uribl.com / add key=URIBL_Weight_List2 value=0 / !-- BitValue_2 = comes from black.uribl.org -- !-- BitValue_4 = comes from grey.uribl.org -- add key=Enable_Custom_Bitmask_Values_URIBL_List2 value=true / add key=URI_Bitmask_BitValue_1_Weight_URIBL_List2 value=0 / add key=URI_Bitmask_BitValue_2_Weight_URIBL_List2 value=75 / add key=URI_Bitmask_BitValue_4_Weight_URIBL_List2 value=0 / add key=URI_Bitmask_BitValue_8_Weight_URIBL_List2 value=0 / add key=URI_Bitmask_BitValue_16_Weight_URIBL_List2 value=0 / add key=URI_Bitmask_BitValue_32_Weight_URIBL_List2 value=0 / add key=URI_Bitmask_BitValue_64_Weight_URIBL_List2 value=0 / add key=URI_Bitmask_BitValue_128_Weight_URIBL_List2 value=0 / -Original Message- From: Imail Admin [mailto:imailad...@bcwebhost.net] Sent: Tuesday, April 05, 2011 7:34 PM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] How do you read the Inv-Uribl log file? So I'm still looking at ways to make Inv-Uribl more effective. I'm getting a lot of spam that gets through my system with relatively marginal score so I'm looking at the Inv-Uribl log. Here are the lines for a message that I would consider to be obviously spam, yet came through Inv-Uribl as Clean: 2011-03-31 02:53:09.343 2011-03-31 02:53:12.484 D:\IMail\spool\proc\work\D5d0b028c100f.smd netcontentinc.com 127.0.0.4 URI from message body found in multi.uribl.com [4] [Total Weight=0] 2011-03-31 02:53:09.343 2011-03-31 02:53:12.953 D:\IMail\spool\proc\work\D5d0b028c100f.smd Resolved netcontentinc.com to 207.65.119.238 [Total Weight=0] 2011-03-31 02:53:09.343 2011-03-31 02:53:12.953 D:\IMail\spool\proc\work\D5d0b028c100f.smd Resolved avantresources.com to 216.139.251.42 [Total Weight=0] 2011-03-31 02:53:09.343 2011-03-31 02:53:12.953 D:\IMail\spool\proc\work\D5d0b028c100f.smd Resolved bcwebhost.net to 173.164.65.196 [Total Weight=0] Did I miss something here that should have triggered a score (additional spam weight in Declude)? Thanks, Ben --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.