[Declude.JunkMail] Newbie questions:
After reading the archives (thanks all!) for most of the afternoon, I'm still on the fence with what to expect from Declude. I run an ISP that gets over 100k emails inbound a day, and the hardware handles it nicely. SMTP normally never claims more than 20% of available cpus for both in and outbound traffic.

Here are the questions I've made so far:

Given the above info, what can I expect the overall processor 'hit' to be on incoming filtering only?
Does Declude utilize more processing power if I use more checks?
Are checks run simultaneously, or linearly?
I've read that smtp32.exe is replaced by declude.exe. Does Declude utilize multi-processors?
Does declude.exe run as a single process, or in a one-spawned-per-message sort (similar to smtp32.exe)?
Can I use an "allow this message to process, but save a copy for further review" type action?
Does the HOLD action allow for easy respooling of an offending message?
Does an imail serverwide or domainwide filter process the message before or after declude does?
Do you have (or can you suggest) any suggested configs (paid and non-fee) that have a low count of 'real' messages being trapped?
Do you have (or can you suggest) a list of "these hosts must be whitelisted to keep your users from killing you", or similar?
What (if any) are the known issues with integrating with McAfee's SMTP Virus Scan (not on same machine)?

Thanks to all,
John
Re: [Declude.JunkMail] Whitelist for only one domain?
>I have a customer that wants to get mail from a certain Spammer.
>
>How can I whitelist that address just for one domain and not for all
>of our domains/customers?
>
>The Per Domain configuration looks like it continues to use the one
>global.cfg which is where the white list is located, but a change
>there would apply to all domains, not just one certain domain.

You could try "WHITELIST TODOMAIN example.com" or "WHITELIST TO [EMAIL PROTECTED]", which would allow them to get all the spam they want.

The other option would be to have per-user or per-domain settings for your customer, which are set up to allow that spam through somehow, based on the tests that it is failing.

-Scott

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
[Declude.JunkMail] Whitelist for only one domain?
I have a customer that wants to get mail from a certain Spammer.

How can I whitelist that address just for one domain and not for all of our domains/customers?

The Per Domain configuration looks like it continues to use the one global.cfg which is where the white list is located, but a change there would apply to all domains, not just one certain domain.

Thanks,

Don Brown - Dallas, Texas USA
Internet Concepts, Inc.
[EMAIL PROTECTED]
http://www.inetconcepts.net
PGP Key ID: 04C99A55
(972) 788-2364 Fax: (972) 788-5049
Providing Internet Solutions Worldwide - An eDataWeb Affiliate
RE: [Declude.JunkMail] New to the list
http://www.mail-archive.com/declude.junkmail@declude.com/

And welcome.

John Tolmachoff
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA 92835
www.reliancesoft.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Weiner
Sent: Friday, July 12, 2002 9:13 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] New to the list

Is there an archive of earlier lists available for perusal or download?

Thanks,
John
RE: [Declude.JunkMail] New to the list
http://www.mail-archive.com/declude.junkmail@declude.com/maillist.html

Frederick P. Squib, Jr.
Network Administrator
Citizens Internet Services
http://www.wpa.net

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Weiner
Sent: Friday, July 12, 2002 12:13 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] New to the list

Is there an archive of earlier lists available for perusal or download?

Thanks,
John
[Declude.JunkMail] New to the list
Is there an archive of earlier lists available for perusal or download?

Thanks,
John
[Declude.JunkMail] DORKZTL:Interesting article on CNET about Spam blacklists
http://news.com.com/2100-1023-943337.html?tag=fd_lede
Re: [Declude.JunkMail] Console
>Someone mentioned earlier that there was a way to invoke declude to
>spawn a console in order to see what's happening in real time. Is this
>correct and how do you invoke this?

The Declude Console was designed primarily for use with Declude Hijack, but can be used with the other Declude programs as well. You can download it from http://www.declude.com/release/153/deccon.exe , and place it in your \IMail directory. You then need to have a line "CONSOLE ON" in your global.cfg file, and the console will be started automatically as needed.

-Scott
Re: [Declude.JunkMail] Negative Weight
>In assigning negative weight should we assign the domain as it appears
>in the log?

First, I should clarify that there are two meanings of "negative weight". One is the weight that is added to an E-mail when the E-mail does NOT fail a spam test (which is almost always 0). The other is a standard weight, with a negative value (which is what you are talking about).

>Almost all newsletters from Microsoft are assigned a warning for REVDNS.
>So should we assign a negative 5 weight to:
>
>Microsoft.com
>Or:
>Newsletters.Microsoft.com
>Or:
>delivery.pens.microsoft.com

You would use:

>X-Declude-Sender:
>[EMAIL PROTECTED]
>[207.46.239.124]

Newsletters.Microsoft.com -- that's the one used in the return address, which is what Declude (and IMail) use. So in a filter file, you could have "MAILFROM -5 CONTAINS newsletters.microsoft.com".

One important note here is that if the filter test itself has a weight assigned to it, you need to take that into effect. For example, if you have "MYFILTER filter myfilterfile x 8 0", the MYFILTER test would cause the Microsoft E-mail to have a weight 3 higher than when it started (+8 for being listed in the filter, and -5 from the line that it matched).

-Scott
[Declude.JunkMail] Console
Someone mentioned earlier that there was a way to invoke declude to spawn a console in order to see what's happening in real time. Is this correct and how do you invoke this?

Darrell
[Declude.JunkMail] Negative Weight
Hi;

In assigning negative weight should we assign the domain as it appears in the log?

Almost all newsletters from Microsoft are assigned a warning for REVDNS. So should we assign a negative 5 weight to:

Microsoft.com
Or:
Newsletters.Microsoft.com
Or:
delivery.pens.microsoft.com

This is also true for e-Mails coming from AOL.

Thoughts?

Kami

Header Example:
---
Received: from rainer.bnt.com [12.4.218.18] by mail.durability.com with ESMTP
  (SMTPD32-7.11) id A402122001AE; Thu, 11 Jul 2002 02:21:54 -0400
Received: from delivery.pens.microsoft.com ([207.46.239.124])
  by rainer.bnt.com (8.12.3/8.12.3) with ESMTP id g6B6LR4M096110
  for <[EMAIL PROTECTED]>; Thu, 11 Jul 2002 02:21:27 -0400 (EDT)
  (envelope-from [EMAIL PROTECTED] m)
X-Authentication-Warning: rainer.bnt.com: Host [207.46.239.124] claimed to be delivery.pens.microsoft.com
Received: from tkmsftddsq04 ([10.201.232.143]) by delivery.pens.microsoft.com with Microsoft SMTPSVC(5.0.2195.4905);
  Wed, 10 Jul 2002 23:20:31 -0700
Reply-To: <[EMAIL PROTECTED] om>
From: "Microsoft" <[EMAIL PROTECTED] om>
To: <[EMAIL PROTECTED]>
Subject: [SPAM]Microsoft Security Bulletin MS02-035: SQL Server Installation Process May Leave Passwords on System (Q263968)
Date: Wed, 10 Jul 2002 23:20:31 -0700
Message-ID: <10169001c228a3$0ebd4320$8fe8c90a@tkmsftddsq04>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft CDO for Windows 2000
Thread-Index: AcIoowUUrcgBWo70Rq6QFLWjpHSfdA==
Content-Class: urn:content-classes:message
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
X-OriginalArrivalTime: 11 Jul 2002 06:20:31.0675 (UTC) FILETIME=[0F07E0B0:01C228A3]
X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 207.46.239.124 with no reverse DNS entry.
X-RBL-Warning: HEUR10: Heuristic spam detection level 10 [0.75]
X-Declude-Sender: [EMAIL PROTECTED] m [207.46.239.124]
X-Declude-Spoolname: D2402122001ae2ad8.SMD
X-Note: This E-mail was scanned by Declude (www.declude.com) for spam & virus.
X-Spam-Tests-Failed: REVDNS, WEIGHT10, HEUR10
x-Weight: 13
X-Note: This E-mail was sent from [No Reverse DNS] ([207.46.239.124]).
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 326074069
-
RE: [Declude.JunkMail] I spammed myself again!
My profound apologies to one and all. I'm not having a good morning [I had an afternoon of hooky planned for the golf course, and it's not going to happen after all], so I'm making bad decisions.

I could send the headers, but here are two lines from the declude log that are more to the point:

07/11/2002 20:44:50 Q2676128 DSBL:4 SPAMCOP:8 BADHEADERS:8 FOREIGN:3 SNIFFER:11 MYFILTER:15 . Total weight = 49
07/11/2002 20:44:50 Q2676128 This E-mail was whitelisted - automatically passing all spam tests

And of course, I had my own domain whitelisted and the $domain business made it look like my domain.

Now I need to go browse the archives and reread the posts from earlier in the week that I just skimmed that discussed this very issue. I'll shut up now.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of R. Scott Perry
Sent: Friday, July 12, 2002 9:19 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] I spammed myself again!

>I thought I had a handle on all this, but this message from Timothy got
>snagged by my MYFILTER filter test, which is looking for "Saf-E Mail" in the
>body and applying punitive weights

That's one of the major disadvantages to filtering -- you often can't receive E-mail referring to the E-mails that you are trying to block.

>but I received a message in my own
>personal Inbox overnight from Saf-E which didn't trip the word filter, or
>HELOBOGUS, or BADHEADERS, or SPAMHEADERS, or anything else. "X-Note: Tests
>failed: None." How frustrating.

Well a generic spam won't necessarily trigger the BADHEADERS or SPAMHEADERS tests. If you post the full headers of the E-mail, I could give you an idea of what tests it should have failed.

-Scott
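The two log lines quoted in this message show the pattern worth auditing for: a message that scored heavily on the spam tests and was then passed because of a whitelist entry. The following is an added example, not part of the original post and not Declude code; it pairs the weight line and the whitelist line by queue ID and reports whitelisted messages at or above a threshold. The line formats are taken from the two quoted lines only, and the threshold of 20 and all sample lines after the first two are assumptions.

```python
import re

# Line shapes copied from the two Declude log lines quoted in the message above.
WEIGHT_RE = re.compile(
    r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} (?P<qid>Q\w+) "
    r"(?P<tests>(?:[A-Z0-9_-]+:-?\d+ )+)\. Total weight = (?P<total>-?\d+)$"
)
WHITELIST_RE = re.compile(
    r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} (?P<qid>Q\w+) "
    r"This E-mail was whitelisted"
)

# The first two lines come from the post; the remaining lines are constructed.
SAMPLE_LOG = """\
07/11/2002 20:44:50 Q2676128 DSBL:4 SPAMCOP:8 BADHEADERS:8 FOREIGN:3 SNIFFER:11 MYFILTER:15 . Total weight = 49
07/11/2002 20:44:50 Q2676128 This E-mail was whitelisted - automatically passing all spam tests
07/11/2002 20:45:02 Q2676aaa REVDNS:3 . Total weight = 3
07/11/2002 20:45:02 Q2676aaa This E-mail was whitelisted - automatically passing all spam tests
07/11/2002 20:45:10 Q2676bbb SPAMCOP:8 SNIFFER:11 MYFILTER:15 . Total weight = 34
""".splitlines()


def whitelisted_spam(lines, threshold=20):
    """Return [(queue_id, total_weight, {test: weight})] for messages that were
    whitelisted although their total weight reached `threshold` (assumed value)."""
    scores, whitelisted = {}, set()
    for raw in lines:
        line = raw.strip()
        m = WEIGHT_RE.match(line)
        if m:
            tests = {}
            for pair in m.group("tests").split():
                name, _, weight = pair.rpartition(":")
                tests[name] = int(weight)
            scores[m.group("qid")] = (int(m.group("total")), tests)
            continue
        m = WHITELIST_RE.match(line)
        if m:
            whitelisted.add(m.group("qid"))
    # Join after the loop so the order of the two lines does not matter.
    hits = [(qid, total, tests) for qid, (total, tests) in scores.items()
            if qid in whitelisted and total >= threshold]
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    for qid, total, tests in whitelisted_spam(SAMPLE_LOG):
        worst = ", ".join(f"{t}:{w}" for t, w in sorted(tests.items(), key=lambda kv: -kv[1]))
        print(f"{qid} whitelisted with weight {total} ({worst})")
```

Each hit is a candidate for narrowing the whitelist entry that let it through, such as a whitelist on the local domain that a forged sender address can match.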
RE: [Declude.JunkMail] I spammed myself again!
>I thought I had a handle on all this, but this message from Timothy got
>snagged by my MYFILTER filter test, which is looking for "Saf-E Mail" in the
>body and applying punitive weights

That's one of the major disadvantages to filtering -- you often can't receive E-mail referring to the E-mails that you are trying to block.

>but I received a message in my own
>personal Inbox overnight from Saf-E which didn't trip the word filter, or
>HELOBOGUS, or BADHEADERS, or SPAMHEADERS, or anything else. "X-Note: Tests
>failed: None." How frustrating.

Well a generic spam won't necessarily trigger the BADHEADERS or SPAMHEADERS tests. If you post the full headers of the E-mail, I could give you an idea of what tests it should have failed.

-Scott
Re: [Declude.JunkMail] Help!?
>Can someone help me with this please? 205.214.199.131 is a sendmail machine
>I have rigged to help out Imail with deliveries so it has a secondary MX.
>People send mail to xxx from xxx which is obviously forged and the only
>proof is the X-auth warning from my secondary MX. Can anyone see any way of
>stopping this? I thought of using a filter but the filters afaik do not do
>HEADERS.

>X-Declude-Sender: [EMAIL PROTECTED] [205.214.199.131]

Here's the problem -- Declude JunkMail sees the E-mail as coming directly from your sendmail machine. If you add a line "IPBYPASS 205.214.199.131" to the \IMail\Declude\global.cfg file, Declude JunkMail will see the IP that the spam was really sent from.

The new filtering that is in beta doesn't have a way to filter the headers yet, but it will.

-Scott

---
Declude: Anti-virus, Anti-spam and Anti-hijacking solutions for IMail. http://www.declude.com
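The effect described in this reply, seeing past a trusted secondary MX to the host that actually connected, can be illustrated by walking the Received headers from the newest hop down. The following is an added example, not part of the original post and not Declude's implementation; the header-walking logic is an assumption about how such a bypass can work. The two relay IPs come from the thread, while the host name mail.example.com, the ids, and the forged bottom header are constructed.

```python
import re
from email import message_from_string
from ipaddress import ip_address

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed message: hop 1 is the local server receiving from the secondary MX,
# hop 2 is the secondary MX receiving from the real sender, and hop 3 is a forged
# header that the sender supplied in the message itself.
SAMPLE = (
    "Received: from name2.sunbeach.net [205.214.199.131] by mail.example.com\n"
    "\twith ESMTP (SMTPD32-7.11) id CONSTRUCTED1; Thu, 11 Jul 2002 16:14:10 -0500\n"
    "Received: from unknown ([203.193.56.230]) by name2.sunbeach.net\n"
    "\t(8.12.3/8.12.3) with SMTP id CONSTRUCTED2; Thu, 11 Jul 2002 16:14:02 -0500\n"
    "Received: from mail.example.com ([192.0.2.10]) by relay.invalid\n"
    "\twith SMTP id FORGED; Thu, 11 Jul 2002 16:13:58 -0500\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)


def effective_sender_ip(raw_message, bypass=()):
    """Return the connecting IP of the first hop (newest first) that is not a
    bypassed relay. Hops below that point were written by hosts we do not
    control, so they are never consulted."""
    trusted = {ip_address(ip) for ip in bypass}
    msg = message_from_string(raw_message)
    seen = None
    for hop in msg.get_all("Received", []):
        # Only the "from ..." clause names the connecting host.
        from_clause = re.split(r"\sby\s", hop, maxsplit=1)[0]
        m = BRACKETED_IP.search(from_clause)
        if not m:
            break  # unparseable hop: stop rather than guess
        try:
            seen = ip_address(m.group(1))
        except ValueError:
            break
        if seen not in trusted:
            break
    return str(seen) if seen else None


if __name__ == "__main__":
    print("no bypass:  ", effective_sender_ip(SAMPLE))
    print("with bypass:", effective_sender_ip(SAMPLE, ["205.214.199.131"]))
```

Listing an address you do not operate in the bypass set makes the function accept whatever that host wrote, which in the sample means the forged 192.0.2.10 hop.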
[Declude.JunkMail] Help!?
Can someone help me with this please? 205.214.199.131 is a sendmail machine I have rigged to help out Imail with deliveries so it has a secondary MX. People send mail to xxx from xxx which is obviously forged and the only proof is the X-auth warning from my secondary MX. Can anyone see any way of stopping this? I thought of using a filter but the filters afaik do not do HEADERS.

Craig.

From: [EMAIL PROTECTED]
X-Authentication-Warning: name2.sunbeach.net: [203.193.56.230] didn't use HELO protocol
Importance: Normal
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
X-Sender: [EMAIL PROTECTED]
Date: Thu, 11 Jul 2002 16:13:58 -0500
Subject: Beasty Babes!!
X-Encoding: MIME
X-Declude-Sender: [EMAIL PROTECTED] [205.214.199.131]
X-Declude-Spoolname: De62c102.SMD
X-Spam-Tests-Failed: None
X-Note: Total spam weight of this E-mail is 0.
X-RCPT-TO: <[EMAIL PROTECTED]>
RE: [Declude.JunkMail] I spammed myself again!
I thought I had a handle on all this, but this message from Timothy got snagged by my MYFILTER filter test, which is looking for "Saf-E Mail" in the body and applying punitive weights, but I received a message in my own personal Inbox overnight from Saf-E which didn't trip the word filter, or HELOBOGUS, or BADHEADERS, or SPAMHEADERS, or anything else. "X-Note: Tests failed: None." How frustrating.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Timothy C. Bohen
Sent: Thursday, July 11, 2002 4:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] I spammed myself again!

I have the beta installed, can someone give me an idiot's guide to adding the HELO test to hopefully try and stop these?

Thanks

Timothy C. Bohen
CMSInter.Net LLC / Crystal MicroSystems LLC
===
web : www.cmsinter.net
email : [EMAIL PROTECTED]
phone : 989.235.5100 x222
fax : 989.235.5151

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Tom
Sent: Friday, July 05, 2002 6:12 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] I spammed myself again!

Here's another reason why we get spammed from ourselves, read the following footer from acknowledged spam message:

-
This email was sent to you via Saf-E Mail Systems. Your email address was automatically inserted into the To and From addresses to eliminate undeliverables which waste bandwidth and cause internet congestion. Your email or webserver IS NOT being used for the sending of this mail. No-one else is receiving emails from your address. You may utilize the removal link below if you do not wish to receive this mailing.

Please Remove Me

Saf-E Mail Systems, PO Box 116-3015 San Rafael de Heredia, CR 011-506-267-7139
-

Stick this in your filter list! I guess we're all going to have to stick ourselves into the KILL List!

Regards,
Tom