RE: [Declude.JunkMail] What exactly does HOLD do?

2002-03-06 Thread Madscientist

We recommend to our sniffer customers that they hold messages so that they
can recover any false positives that show up. Rather than looking through
the held messages, keep them around for 30 days or so and if a false
positive possibility is reported by a user then you can hunt down the
message based on text or keywords provided in the complaint. If you find the
message, you can report the false positive (or adjust your rules) and put
the message(s) back into the queue.

With the volume of spam that we capture it is unreasonable to expect an SA
to "view" all of it... but keeping it around with HOLD is a good way to play
it safe and improve your filtering - no matter what technologies you are
using.

The periodic cleanup can be automated as well so that you never have to see
any of the held messages unless you are hunting down a false positive
possibility.

Hope this helps,
_M

| -Original Message-
| From: [EMAIL PROTECTED]
| [mailto:[EMAIL PROTECTED]]On Behalf Of Timothy C. Bohen
| Sent: Wednesday, March 06, 2002 9:50 AM
| To: [EMAIL PROTECTED]
| Subject: [Declude.JunkMail] What exactly does HOLD do?
|
|
| I am new to Junkmail and still getting it configured the way I want.
|
| So here is my question:
|
| Why would I want to HOLD messages?
|
| I mean the way I understand it is I would have to manually go through and
| check them, and I REALLY don't want to mess with that.
|
| Thanks
|
| Timothy C. Bohen
| CMSInter.Net LLC / Crystal MicroSystems LLC
| ===
| web   : www.cmsinter.net
| email : [EMAIL PROTECTED]
| phone : 989.235.5100 x222
| fax   : 989.235.5151
|
| ---
| [This E-mail was scanned for viruses by Declude Virus
| (http://www.declude.com)]
|
| ---
|
| This E-mail came from the Declude.JunkMail mailing list.  To
| unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
| type "unsubscribe Declude.JunkMail".  You can E-mail
| [EMAIL PROTECTED] for assistance.  You can visit our web
| site at http://www.declude.com .
|
|

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .
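
The workflow in this post (hold for about 30 days, search held mail by complaint keywords, re-queue false positives, purge automatically), sketched as an added example that is not from the post or from Declude. It assumes one file per held message; the hold and spool directories are supplied by the caller and are hypothetical, and the byte search does not decode base64 or quoted-printable bodies.

```python
import shutil
import time
from pathlib import Path

RETENTION_DAYS = 30  # "30 days or so", per the post above


def find_held(hold_dir, keywords):
    """Return held files that contain every keyword (case-insensitive).

    Searches raw bytes, so headers and plain-text bodies match; encoded
    bodies would need MIME decoding first.
    """
    wanted = [k.lower().encode() for k in keywords]
    hits = []
    for path in sorted(Path(hold_dir).iterdir()):
        if path.is_file():
            data = path.read_bytes().lower()
            if all(k in data for k in wanted):
                hits.append(path)
    return hits


def release(path, spool_dir):
    """Move a confirmed false positive back into the delivery queue."""
    dest = Path(spool_dir) / Path(path).name
    return Path(shutil.move(str(path), str(dest)))


def purge_expired(hold_dir, now=None, days=RETENTION_DAYS):
    """Delete held files older than the retention window; return their names."""
    cutoff = (time.time() if now is None else now) - days * 86400
    removed = []
    for path in sorted(Path(hold_dir).iterdir()):
        if path.is_file() and path.stat().st_mtime < cutoff:
            path.unlink()
            removed.append(path.name)
    return removed
```

Run `purge_expired` from a scheduled task so the hold directory never needs manual attention; `find_held` and `release` are only used when a user reports a missing message.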



BLARS:Re: [Declude.JunkMail] What exactly does HOLD do?

2002-03-06 Thread jcochran

> I am new to Junkmail and still getting it configured the way I want.
> 
> So here is my question:
> 
> Why would I want to HOLD messages?

Speaking as another new Declude user, we set everything to hold 
to check which tests were catching which information.  Over the 
last few weeks I've been tweaking the settings, and am now at 99% 
of the HOLD mail actually being SPAM (though I think some is 
slipping through still...)  I go through the messages and delete the 
ones I don't want, then send the ones that got caught by mistake 
back out. (move to the Spool folder)

I have recently set some actions to delete that proved to be 100% 
successful in our case.

Jeff



Re: [Declude.JunkMail] BADHEADERS and SPAMHEADERS

2002-03-06 Thread Eje Gustafsson

Unfortunately they do.
Not all mail clients and mail scripts that are used are fully RFC
compliant. Just look at Microsoft Passport password reset service.
badheaders & revdns.

Saw a Mac e-mail client the other day that triggered BOTH badheaders and
spamheaders. :(

Wednesday, March 06, 2002, 10:59:59 AM, you wrote:

PCc> Should a legitimate email ever fail both BADHEADERS and SPAMHEADERS?

PCc> [EMAIL PROTECTED]



Re: [Declude.JunkMail] What exactly does HOLD do?

2002-03-06 Thread Eje Gustafsson

Better to have a message held than deleted if an angry, pissed-off
customer is calling that he hasn't gotten this very very VERY
important message.

Also if you use the weight system you could do it in steps. Low weight
just a warning, higher weight holding them and even higher delete.
You will have a minimum to check but keep in mind many systems out
there are broken that are supposed to be valid.

Saw a Mac e-mail client the other day that triggered both badheaders
and spamheaders plus revdns on the sender's host and to top it off
nopostmaster and noabuse (a local school district).

Also seen Microsoft Passport password reset service fail badheaders,
revdns, nopostmaster and noabuse.

At the same time I have seen spammers where the only thing they triggered was
maybe ossrc or spamcop.


Wednesday, March 06, 2002, 08:49:47 AM, you wrote:

TCB> I am new to Junkmail and still getting it configured the way I want.

TCB> So here is my question:

TCB> Why would I want to HOLD messages?

TCB> I mean the way I understand it is I would have to manually go through and
TCB> check them, and I REALLY don't want to mess with that.

TCB> Thanks

TCB> Timothy C. Bohen
TCB> CMSInter.Net LLC / Crystal MicroSystems LLC
TCB> ===
TCB> web   : www.cmsinter.net
TCB> email : [EMAIL PROTECTED]
TCB> phone : 989.235.5100 x222
TCB> fax   : 989.235.5151


Best regards,
 Eje Gustafsson   mailto:[EMAIL PROTECTED]
---
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
eBay UserID : macahan
  - Your fulltime professionals -




Re: H:Re: [Declude.JunkMail] BADHEADERS and SPAMHEADERS

2002-03-06 Thread R. Scott Perry


>What is a "broken mail client"?

A mail client that doesn't work.  For example, if you use Outlook, and your 
E-mail address is "[EMAIL PROTECTED]", but it creates an E-mail header 
"From: [EMAIL PROTECTED]", that would be an example of a broken mail 
client.  There are some older E-mail clients and lots of web server 
applications that are broken.

Most people consider "legitimate mail" to mean any mail that they want, 
even if it comes from a broken mail client.  However, mail sent from a 
broken mail client is very volatile, and may not reach the recipient's mail 
client or may become malformed along the way or just disappear.
 -Scott




H:Re: [Declude.JunkMail] BADHEADERS and SPAMHEADERS

2002-03-06 Thread Elise Lewis

What is a "broken mail client"?

At 3/6/02 12:07 PM, you wrote:

>>Should a legitimate email ever fail both BADHEADERS and SPAMHEADERS?
>
>No.
>
>No legitimate mail should ever fail the BADHEADERS test.  A legitimate 
>mail will only fail that test if it comes from a broken mail client.


Elise Lewis  mailto:[EMAIL PROTECTED]




RE: [Declude.JunkMail] Testing for MIME EOF

2002-03-06 Thread R. Scott Perry


>but you ARE doing it already - that's why I see the log entry.

Yes, but that's from Declude Virus.  Declude Virus can detect that, but 
Declude JunkMail can't.
 -Scott




RE: [Declude.JunkMail] Testing for MIME EOF

2002-03-06 Thread Andy Schmidt

Scott,

but you ARE doing it already - that's why I see the log entry.

>
> >> Warning: EOF in middle of MIME segment [] <<
>


Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of R. Scott Perry
Sent: Wednesday, March 06, 2002 12:52 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Testing for MIME EOF



>Have you ever researched, whether the problem of:
>
> >> Warning: EOF in middle of MIME segment [] <<
>
>would make a good SPAM test?  It sounds like it would be another case of a
>broken mail client - so it would fit well into the "BADHEADER" line of
>thinking: if it doesn't follow RFCs it's probably some freeware SPAM mailer.

It would make a good spam test.  Unfortunately, it's quite complicated to
detect this, as it would require scanning the entire E-mail and processing
all the MIME segments (which can get very tricky when there are embedded
E-mails with the E-mail, and other similar scenarios).
-Scott




Re: [Declude.JunkMail] Testing for MIME EOF

2002-03-06 Thread R. Scott Perry


>Have you ever researched, whether the problem of:
>
> >> Warning: EOF in middle of MIME segment [] <<
>
>would make a good SPAM test?  It sounds like it would be another case of a
>broken mail client - so it would fit well into the "BADHEADER" line of
>thinking: if it doesn't follow RFCs it's probably some freeware SPAM mailer.

It would make a good spam test.  Unfortunately, it's quite complicated to 
detect this, as it would require scanning the entire E-mail and processing 
all the MIME segments (which can get very tricky when there are embedded 
E-mails with the E-mail, and other similar scenarios).
-Scott
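
Why this check means processing every MIME segment, as an added example (not Declude's code): Python's standard `email` parser records a `CloseBoundaryNotFoundDefect` on any multipart whose closing boundary never arrives, and the walk below descends into embedded `message/rfc822` e-mails as well. The sample messages are constructed for the example.

```python
import email
from email import errors

# Parser defects that mean a multipart body is structurally incomplete.
STRUCTURAL_DEFECTS = (
    errors.NoBoundaryInMultipartDefect,
    errors.StartBoundaryNotFoundDefect,
    errors.CloseBoundaryNotFoundDefect,  # EOF before the closing "--boundary--"
)


def mime_structure_defects(raw):
    """Return [(part_path, content_type, defect_name), ...] for every MIME
    part whose boundaries are missing or unterminated."""
    findings = []

    def visit(part, path):
        for defect in part.defects:
            if isinstance(defect, STRUCTURAL_DEFECTS):
                findings.append(
                    (path, part.get_content_type(), type(defect).__name__))
        # is_multipart() is also true for message/rfc822, so embedded
        # e-mails are descended into like any other container.
        if part.is_multipart():
            for i, sub in enumerate(part.get_payload(), 1):
                visit(sub, f"{path}.{i}")

    visit(email.message_from_bytes(raw), "1")
    return findings


# Constructed sample messages (not taken from the thread).
HEAD = (b"From: a@example.test\nMIME-Version: 1.0\n"
        b'Content-Type: multipart/mixed; boundary="outer"\n\n')
PART = b"--outer\nContent-Type: text/plain\n\nhello\n"

WELL_FORMED = HEAD + PART + b"--outer--\n"
TRUNCATED = HEAD + PART  # ends in the middle of a MIME segment
EMBEDDED = (
    HEAD + PART
    + b"--outer\nContent-Type: message/rfc822\n\n"
    + b'Subject: fwd\nContent-Type: multipart/alternative; boundary="inner"\n\n'
    + b"--inner\nContent-Type: text/plain\n\nbody\n"  # "--inner--" never arrives
    + b"--outer--\n"
)

if __name__ == "__main__":
    for name, raw in [("well-formed", WELL_FORMED),
                      ("truncated", TRUNCATED),
                      ("embedded", EMBEDDED)]:
        print(name, mime_structure_defects(raw))
```

The third sample is the embedded-e-mail case: the outer message is complete, and only the forwarded message inside it is cut short.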




RE: [Declude.JunkMail] BADHEADERS and SPAMHEADERS

2002-03-06 Thread R. Scott Perry


> >> Should a legitimate email ever fail both BADHEADERS and SPAMHEADERS? <<
>
>That's pretty common - the two tests "overlap".

It's pretty common for spam, but should never happen with legitimate mail.

The two tests look for different problems, so no one problem will cause 
both the BADHEADERS and SPAMHEADERS tests to fail, but if there are 
multiple problems, both tests may fail.
 -Scott




Re: [Declude.JunkMail] BADHEADERS and SPAMHEADERS

2002-03-06 Thread R. Scott Perry


>Should a legitimate email ever fail both BADHEADERS and SPAMHEADERS?

No.

No legitimate mail should ever fail the BADHEADERS test.  A legitimate mail 
will only fail that test if it comes from a broken mail client.

Legitimate mail may fail the SPAMHEADERS test, if it is sent from a poorly 
designed mail client (usually one where the programmers felt it would be OK 
for some of the mail it sends to be marked as spam, in return for cheaper 
product).

The BADHEADERS and SPAMHEADERS tests look for different problems, so it is 
possible for an E-mail to fail both of them.
-Scott




RE: [Declude.JunkMail] BADHEADERS and SPAMHEADERS

2002-03-06 Thread Andy Schmidt

>> Should a legitimate email ever fail both BADHEADERS and SPAMHEADERS? <<

That's pretty common - the two tests "overlap".




Re: [Declude.JunkMail] BADHEADERS and SPAMHEADERS

2002-03-06 Thread Lee at CybrHost.com

From our experience, they will.

Lee
-- 
Lee Woolman, 805-987-3643
CybrHost Corp. - High Speed Ecommerce Hosting,
a Miva Premier Hosting Partner

> From: <[EMAIL PROTECTED]>
> Organization: Computerized Horizons
> Reply-To: [EMAIL PROTECTED]
> Date: Wed, 6 Mar 2002 10:59:59 -0600
> To: <[EMAIL PROTECTED]>
> Subject: [Declude.JunkMail] BADHEADERS and SPAMHEADERS
> 
> Should a legitimate email ever fail both BADHEADERS and SPAMHEADERS?
> 
> [EMAIL PROTECTED]



[Declude.JunkMail] BADHEADERS and SPAMHEADERS

2002-03-06 Thread Paul

Should a legitimate email ever fail both BADHEADERS and SPAMHEADERS?

[EMAIL PROTECTED]



[Declude.JunkMail] Testing for MIME EOF

2002-03-06 Thread Andy Schmidt

Hi Scott:

Have you ever researched, whether the problem of:

>> Warning: EOF in middle of MIME segment [] <<

would make a good SPAM test?  It sounds like it would be another case of a
broken mail client - so it would fit well into the "BADHEADER" line of
thinking: if it doesn't follow RFCs it's probably some freeware SPAM mailer.

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206




Re: [Declude.JunkMail] Changing weight

2002-03-06 Thread R. Scott Perry


>I am probably just going to use weighting only but I wanted to play around
>with changing it higher and lower to find the right mix. From the docs it
>looks like I have to change it in two places??

There are two ways you can go about it.

One is to change the existing WEIGHT10 test.  That would (technically) only 
require one change to the \IMail\Declude\global.cfg file (changing the 
"WEIGHT10 weight x x 10 0" to "WEIGHT10 x x 15 0" to get it to use a weight 
of 15).  However, that would be quite misleading (the WEIGHT10 test getting 
triggered on a weight of 15), so you would likely want to change it to 
"WEIGHT15 x x 15 0".  That would also require changing the "WEIGHT10 WARN" 
in the \IMail\Declude\$default$.JunkMail file to "WEIGHT15 WARN".

Or, you can add your own test, by leaving the WEIGHT10 test the way it is, 
and adding "WEIGHT15 weight x x 15 0" to the \IMail\Declude\global.cfg 
file, and "WEIGHT15 WARN" to the \IMail\Declude\$default$.JunkMail file.
-Scott




[Declude.JunkMail] Changing weight

2002-03-06 Thread Timothy C. Bohen

I am probably just going to use weighting only but I wanted to play around
with changing it higher and lower to find the right mix. From the docs it
looks like I have to change it in two places??

Thanks



Timothy C. Bohen
CMSInter.Net LLC / Crystal MicroSystems LLC
===
web   : www.cmsinter.net
email : [EMAIL PROTECTED]
phone : 989.235.5100 x222
fax   : 989.235.5151




Re: [Declude.JunkMail] What exactly does HOLD do?

2002-03-06 Thread R. Scott Perry


>So here is my question:
>
>Why would I want to HOLD messages?
>
>I mean the way I understand it is I would have to manually go through and
>check them, and I REALLY don't want to mess with that.

Using HOLD is exactly the same as DELETE, except that there is a copy of 
the E-mail on the hard drive.  Using HOLD instead of DELETE doesn't require 
you to go through them all.  Some customers will go through all the held 
E-mail, but others will hold on to them just in case someone wants a copy 
of an E-mail that was held.  But, depending on your situation (an ISP 
versus a small business, for example), the DELETE action may be fine in 
your situation (it's the action that AOL uses on E-mail that it thinks may 
be spam).
-Scott




[Declude.JunkMail] What exactly does HOLD do?

2002-03-06 Thread Timothy C. Bohen

I am new to Junkmail and still getting it configured the way I want.

So here is my question:

Why would I want to HOLD messages?

I mean the way I understand it is I would have to manually go through and
check them, and I REALLY don't want to mess with that.

Thanks

Timothy C. Bohen
CMSInter.Net LLC / Crystal MicroSystems LLC
===
web   : www.cmsinter.net
email : [EMAIL PROTECTED]
phone : 989.235.5100 x222
fax   : 989.235.5151
