RE: [Declude.JunkMail] Encoded Email... how?

2002-09-04 Thread John Tolmachoff

>Also what we are finding is they are turning the links and addresses
>into binary numbers, therefore making it impossible to detect the links
>and trap them... Such as majority of porn-sites.  We get links like:
>
>http://0111010101010101010101010101010...

FYI: Scott, or rather Declude, has a decimal IP "test" at
www.dnsstuff.com.

John Tolmachoff
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA  92835
www.reliancesoft.com


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.



Re: [Declude.JunkMail] Encoded Email... how?

2002-09-04 Thread R. Scott Perry


>I'm not an expert, but it may be that this started as a way to encode
>languages containing Unicode into RFC-compliant messages.  When I created my
>own text kill filters for this it caught some E-mails that looked legitimate
>to a business that did foreign correspondence (I didn't decode or analyze
>them in detail though).

That *shouldn't* happen, if the E-mail was using a "text/plain" or 
"text/html" MIME segment.  The "text/plain" should only be used for ASCII 
data, and "text/html" should only be used for HTML.

I'm guessing that either [1] They had no clue what they were doing, and 
sent Unicode in a text/plain MIME segment, which isn't supposed to happen, 
or [2] It may have actually been a different MIME type ("text/unicode", 
perhaps -- I don't know).

If you (or anyone else) happens to have one of these, I would be interested 
in seeing it.
 -Scott




Re: [Declude.JunkMail] Encoded Email... how?

2002-09-04 Thread Mike Nice

I'm not an expert, but it may be that this started as a way to encode
languages containing Unicode into RFC-compliant messages.  When I created my
own text kill filters for this it caught some E-mails that looked legitimate
to a business that did foreign correspondence (I didn't decode or analyze
them in detail though).

- Original Message -
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 04, 2002 5:07 PM
Subject: Re: [Declude.JunkMail] Encoded Email... how?


> It's something that we may add a new test for, as HTML (and text) should
> never need to be encoded that way.





RE: [Declude.JunkMail] Encoded Email... how?

2002-09-04 Thread Madscientist

We've seen a lot of this as well, and frankly it works against them.
There are seldom legitimate reasons to obscure a web link - particularly
by coding it as binary or as a long integer. The Message Sniffer rule
base has some aggressive rules built to trap any web link that starts off
with more than 3 digits in a row, and a large number of specific rules
to numbered or otherwise coded web links. (These are very common in porn
spam)

These might make good tests Scott ;-)

If you (anyone) decide to add rules like this to your filters be
cautious not to go too wild with them. There are a number of legitimate
services, internal corporate software, and other legitimate reasons to
use numbered links. You must tune to suit your tastes.

_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of Kami Razvan
| Sent: Wednesday, September 04, 2002 5:10 PM
| To: [EMAIL PROTECTED]
| Subject: RE: [Declude.JunkMail] Encoded Email... how?
| 
| 
| We are actually finding more & more SPAM are coming that way. 
|  We are only catching them when they put interesting words in 
| the subject.
| 
| Also what we are finding is they are turning the links and 
| addresses into binary numbers, therefore making it impossible 
| to detect the links and trap them... Such as majority of 
| porn-sites.  We get links like:
| 
http://0111010101010101010101010101010...

How I have no clue?

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Rick Davidson
Sent: Wednesday, September 04, 2002 4:43 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Encoded Email... how?


Howdy,
This one has me baffled. This email (spam) showed up as what appeared to
be an html formatted message. When I view the raw message it appears as
an encoded attachment making it impossible to filter on any body
content.

How are they doing it and how do we stop it?

Have a great day!
Rick Davidson
Buckeye Internet Services
www.buckeyeweb.com
440-953-1900
-

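The kind of rule described in the message above, sketched in Python as an added example (not code from the thread, Message Sniffer or Declude): it flags links whose host starts with more than 3 digits in a row and, where the host is an IPv4 address written as a decimal, hex or octal number, recovers the dotted-quad form. The function names, the `allow_ips` exemption for known internal numbered links, and the sample body are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.I)
NUM_RE = re.compile(r"0[xX][0-9a-fA-F]+|[0-9]+")

# Constructed sample body (not taken from the thread).
SAMPLE_BODY = (
    "Timesheets: http://10.0.0.5/timesheet\n"
    '<a href="http://3221225985/a">decimal</a>\n'
    "http://0xC0.0.2.1/b and http://0300.0.02.01/c\n"
    "http://www.example.com/2002/09/index.html\n"
    "http://01110101010101010101010101010101/d\n"
)


def _parse_number(token):
    """Parse one host component as inet_aton-style parsers do:
    0x.. is hex, a leading 0 is octal, anything else is decimal."""
    if not NUM_RE.fullmatch(token):
        return None
    try:
        if token[:2].lower() == "0x":
            return int(token[2:], 16)
        if len(token) > 1 and token[0] == "0":
            return int(token, 8)
        return int(token, 10)
    except ValueError:  # e.g. "09" is not valid octal
        return None


def numeric_host_to_ipv4(host):
    """Return the dotted-quad form of a purely numeric host, or None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [_parse_number(p) for p in parts]
    if None in values:
        return None
    *head, last = values
    # Leading components are one byte each; the last fills the remaining bytes.
    if any(v > 0xFF for v in head) or last >= 256 ** (4 - len(head)):
        return None
    addr = last
    for i, v in enumerate(head):
        addr |= v << (8 * (3 - i))
    return ".".join(str((addr >> s) & 0xFF) for s in (24, 16, 8, 0))


def check_links(text, allow_ips=()):
    """Return (host, normalized_ip_or_None, reasons) for each suspicious link."""
    findings = []
    for m in URL_RE.finditer(text):
        try:
            host = urlsplit(m.group(0)).hostname or ""
        except ValueError:
            continue
        ip = numeric_host_to_ipv4(host)
        reasons = []
        if re.match(r"[0-9]{4,}", host):      # more than 3 digits in a row
            reasons.append("digit_run")
        if ip is not None:
            reasons.append("ip_literal" if ip == host else "encoded_ip")
        # allow_ips lets a site exempt its own legitimate numbered links.
        if reasons and ip not in allow_ips:
            findings.append((host, ip, reasons))
    return findings


if __name__ == "__main__":
    for finding in check_links(SAMPLE_BODY, allow_ips={"10.0.0.5"}):
        print(finding)
```

A host that is all digits but too large for a 32-bit address is still reported by the digit-run rule, with no normalized address.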



Re: [Declude.JunkMail] Encoded Email... how?

2002-09-04 Thread Rick Davidson

I C...
I was able to reproduce this quite easily with Outlook Express, I am
surprised it's not used more frequently. I suppose the renegade bulk mailer
programmers haven't added that option yet...

I agree Scott, html/txt should never be sent that way.
I formally request that filter feature be added :-)

As always thanks for your response and effort

Have a great day!
Rick Davidson
Buckeye Internet Services
www.buckeyeweb.com
440-953-1900
-
- Original Message -
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 04, 2002 5:07 PM
Subject: Re: [Declude.JunkMail] Encoded Email... how?


>
> >This one has me baffled. This email (spam) showed up as what appeared to be
> >an html formatted message. When I view the raw message it appears as an
> >encoded attachment making it impossible to filter on any body content.
> >
> >How are they doing it and how do we stop it?
>
> That's getting to be a more common trick of spammers.  They are sending an
> HTML MIME segment that is encoded (using base64 encoding, which is normally
> only used when sending files).  That way, the E-mail can't easily be filtered.
>
> It's something that we may add a new test for, as HTML (and text) should
> never need to be encoded that way.
>  -Scott
>



RE: [Declude.JunkMail] Encoded Email... how?

2002-09-04 Thread Madscientist

We've just added a base64 decoding filter to the Message Sniffer program
for precisely this reason. This makes encoded HTML segments or attached
files look like plain data to the pattern matching engine. There are
other coding tricks in use as well and we are building those filter
modules for later release. Once the current beta of sniffer is a
full-fledged production version we will include this code in the free
demo version.

_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of R. 
| Scott Perry
| Sent: Wednesday, September 04, 2002 5:07 PM
| To: [EMAIL PROTECTED]
| Subject: Re: [Declude.JunkMail] Encoded Email... how?
| 
| 
| 
| >This one has me baffled. This email (spam) showed up as what 
| appeared 
| >to be an html formatted message. When I view the raw message 
| it appears 
| >as an encoded attachment making it impossible to filter on any body 
| >content.
| >
| >How are they doing it and how do we stop it?
| 
| That's getting to be a more common trick of spammers.  They 
| are sending an 
| HTML MIME segment that is encoded (using base64 encoding, 
| which is normally 
| only used when sending files).  That way, the E-mail can't 
| easily be filtered.
| 
| It's something that we may add a new test for, as HTML (and 
| text) should 
| never need to be encoded that way.
|  -Scott
| 
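Decoding before pattern matching, as described in the message above, sketched in Python as an added example (not Message Sniffer's or Declude's code): each text segment is decoded according to its Content-Transfer-Encoding before the body rules run, and base64-encoded text segments are reported separately so they can be weighted rather than rejected outright. The sample message, the rule list and the function names are constructed for illustration.

```python
import base64
import re
from email import message_from_string

# Constructed sample (not from the thread): an HTML segment sent with
# Content-Transfer-Encoding: base64, so the raw body shows no filterable words.
_HTML = ('<html><body>Visit <a href="http://example.invalid/offer">our site</a> '
         'for a FREE OFFER</body></html>')
SAMPLE_MESSAGE = (
    "From: sender@example.invalid\n"
    "To: rcpt@example.invalid\n"
    "Subject: hello\n"
    "MIME-Version: 1.0\n"
    'Content-Type: text/html; charset="us-ascii"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
    + base64.encodebytes(_HTML.encode("ascii")).decode("ascii")
)

# Hypothetical body rules; a real filter would load its own list.
BODY_RULES = [re.compile(r"free offer", re.I), re.compile(r"click here", re.I)]


def decoded_text_parts(raw_message):
    """Yield (content_type, transfer_encoding, decoded_text) for each text/* part."""
    msg = message_from_string(raw_message)
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skips multipart containers and non-text attachments
        cte = (part.get("Content-Transfer-Encoding") or "7bit").strip().lower()
        payload = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        if payload is None:
            continue
        charset = part.get_content_charset() or "us-ascii"
        try:
            text = payload.decode(charset, errors="replace")
        except LookupError:  # unknown charset label
            text = payload.decode("latin-1")
        yield part.get_content_type(), cte, text


def scan(raw_message, rules=BODY_RULES):
    """Compare what the rules match on the raw message and on decoded text parts."""
    result = {
        # What a filter sees if it only matches the message as transmitted.
        "raw_hits": [r.pattern for r in rules if r.search(raw_message)],
        "decoded_hits": [],
        "base64_text_parts": [],
    }
    for ctype, cte, text in decoded_text_parts(raw_message):
        if cte == "base64":
            result["base64_text_parts"].append(ctype)
        for r in rules:
            if r.search(text) and r.pattern not in result["decoded_hits"]:
                result["decoded_hits"].append(r.pattern)
    return result


if __name__ == "__main__":
    print(scan(SAMPLE_MESSAGE))
```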



RE: [Declude.JunkMail] Encoded Email... how?

2002-09-04 Thread Kami Razvan

We are actually finding more & more SPAM are coming that way.  We are
only catching them when they put interesting words in the subject.

Also what we are finding is they are turning the links and addresses
into binary numbers, therefore making it impossible to detect the links
and trap them... Such as majority of porn-sites.  We get links like:

http://0111010101010101010101010101010...

How I have no clue?

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Rick Davidson
Sent: Wednesday, September 04, 2002 4:43 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Encoded Email... how?


Howdy,
This one has me baffled. This email (spam) showed up as what appeared to
be an html formatted message. When I view the raw message it appears as
an encoded attachment making it impossible to filter on any body
content.

How are they doing it and how do we stop it?

Have a great day!
Rick Davidson
Buckeye Internet Services
www.buckeyeweb.com
440-953-1900
-




Re: [Declude.JunkMail] Encoded Email... how?

2002-09-04 Thread R. Scott Perry


>This one has me baffled. This email (spam) showed up as what appeared to be
>an html formatted message. When I view the raw message it appears as an
>encoded attachment making it impossible to filter on any body content.
>
>How are they doing it and how do we stop it?

That's getting to be a more common trick of spammers.  They are sending an 
HTML MIME segment that is encoded (using base64 encoding, which is normally 
only used when sending files).  That way, the E-mail can't easily be filtered.

It's something that we may add a new test for, as HTML (and text) should 
never need to be encoded that way.
 -Scott




[Declude.JunkMail] Encoded Email... how?

2002-09-04 Thread Rick Davidson

Howdy,
This one has me baffled. This email (spam) showed up as what appeared to be
an html formatted message. When I view the raw message it appears as an
encoded attachment making it impossible to filter on any body content.

How are they doing it and how do we stop it?

Have a great day!
Rick Davidson
Buckeye Internet Services
www.buckeyeweb.com
440-953-1900
-



encoded-email.zip
Description: Zip compressed data


RE: FW: [Declude.JunkMail] delivery receipts

2002-09-04 Thread John Tolmachoff

Ah, ok. Got it.

John Tolmachoff
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA  92835
www.reliancesoft.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Bill B.
Sent: Wednesday, September 04, 2002 8:01 AM
To: [EMAIL PROTECTED]
Subject: Re: FW: [Declude.JunkMail] delivery receipts

John, the MAILFROM test I am using is not a "fromfile" test that uses an
external file.  It's the name given to the "envfrom" test, the built-in
Declude test which tests for a valid domain in the Sender's address.

I ran a few tests a bit ago by sending myself some emails using invalid
Sender addresses.  And applying a HOLD action to this test does seem to
stop Imail from sending the delivery receipt.

Bill






Re: FW: [Declude.JunkMail] delivery receipts

2002-09-04 Thread Bill B .

John, the MAILFROM test I am using is not a "fromfile" test that uses an external 
file.  It's the name given to the "envfrom" test, the built-in Declude test which tests 
for a valid domain in the Sender's address.

I ran a few tests a bit ago by sending myself some emails using invalid Sender 
addresses.  And applying a HOLD action to this test does seem to stop Imail from 
sending the delivery receipt.

Bill


-Original Message-
From: "John Tolmachoff"
Sent: Wed, 4 Sep 2002 07:49:56 -0700
Subject: FW: [Declude.JunkMail] delivery receipts


OK, I will help to test.

My thought:

Bill, put this address in the MAILFROM file; [EMAIL PROTECTED]
Send me an address to send to.
I will send an e-mail to that address through [EMAIL PROTECTED]
with requesting return receipts and delivery confirmation and we can see
what happens.

John Tolmachoff 
IT Manager, Network Engineer
211 E. Imperial Hwy., Suite 106
Fullerton, CA  92835
714-578-7999, ext. 104
[EMAIL PROTECTED]
www.reliancesoft.com
 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Bill B.
Sent: Wednesday, September 04, 2002 6:49 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] delivery receipts

Will an action of HOLD keep IMail from attempting to send a delivery
receipt for an email?

We are having a problem with delivery receipts that are addressed to
invalid senders filling up our mail queues.  So I'm hoping that by
putting an action of HOLD on the MAILFROM test this will help reduce the
queue size.

Thanks,
Bill





RE: [Declude.JunkMail] School system needs advice

2002-09-04 Thread John Tolmachoff

>I've come back to work, but boss has me at a site on a project and am
>unable to take time until I get back to the shop.
>
>However, I have him here with me and am talking to him about the fact
>that more time needs to be spent with proper configuration and he seems
>receptive.  He is also very receptive to me trying a demo of Message
>Sniffer.

Persevere and don't give up.

We are standing with you.

John Tolmachoff
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA  92835
www.reliancesoft.com





Re: [Declude.JunkMail] School system needs advice

2002-09-04 Thread Curtis Faulkner

I've come back to work, but boss has me at a site on a project and am unable
to take time until I get back to the shop.

However, I have him here with me and am talking to him about the fact that
more time needs to be spent with proper configuration and he seems
receptive.  He is also very receptive to me trying a demo of Message
Sniffer.

-Curtis

On 9/4/2002 8:37 AM, "Darrell L." <[EMAIL PROTECTED]> wrote:

> When you get back to work post your global.config file so we can see how
> you have it setup.  I am sure a lot of people will be able to offer good
> advice upon seeing your config file.
> 
> Darrell
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Curtis Faulkner
> Sent: Tuesday, September 03, 2002 7:32 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] School system needs advice
> 
> Thanks to all of you for your quick help!
> 
> Darrell, I feel like a bad network admin, as I can't answer the question
> about our current tests right now.  My boss brought this issue up with me
> sick at home and I currently can't get to my server or backups (I tend to
> make my NT's very inaccessible out of an NT security paranoia).
> 
> I've explained to management that no solution will get 100% (I'm familiar
> with this concept and have been trying to explain it for a month to my boss
> for various needs).  So far on this project, he is trusting me, according to
> a recent e-mail, to augment the current solution or to correct the config to
> provide better service.  Hopefully, I will continue to keep us away from the
> corporate-is-better mentality that quite often enters in these type of
> scenarios.  I just want the best product for the job and feel that it will
> include Declude, whether it means a new config or adding Message Sniffer.
> 
> -Curtis
> 
> 
> On 9/3/2002 5:21 PM, "Darrell L." <[EMAIL PROTECTED]> wrote:
> 
>>>> Does anyone have suggestions on how I can quickly tune Declude JunkMail to
>>>> provide a decent-quality result?  I generally like Declude (especially
>>>> Virus), but a flashy corporate package tends to look good to management
>>>> types and failure seems to be more accepted if it comes from a multi-million
>>>> dollar corporation.
>> 
>> 
>> You will never be able to stop 100% of all the porn spam..  You should
>> be able to get a good percentage.  However, if the mindset in place is
>> that "failure seems to be more accepted if it comes from a multi-million
>> dollar corporation." Then you are already behind the 8-ball.
>> 
>> What tests are you using?
>> 
>> Darrell
>> 
>> 
>> 
>> 
>> 



Re: [Declude.JunkMail] delivery receipts

2002-09-04 Thread R. Scott Perry


>Will an action of HOLD keep IMail from attempting to send a delivery 
>receipt for an email?

I actually do not know the answer to that one.

I would expect that IMail would send the delivery receipt upon delivery of 
the E-mail (in which case the HOLD action would prevent the receipt from 
being sent), but I will need to do some testing to see if this really is 
the case.
 -Scott




[Declude.JunkMail] delivery receipts

2002-09-04 Thread Bill B .

Will an action of HOLD keep IMail from attempting to send a delivery receipt for an 
email?

We are having a problem with delivery receipts that are addressed to invalid senders 
filling up our mail queues.  So I'm hoping that by putting an action of HOLD on the 
MAILFROM test this will help reduce the queue size.

Thanks,
Bill





RE: [Declude.JunkMail] Word Filter code?

2002-09-04 Thread R. Scott Perry


>Line number?  I bet it does not count blank lines right?
>
>
>Line 1: SUBJECT 1   CONTAINS$
>Blank spacer
>Line 3: SUBJECT 3   CONTAINS$$$
>
>The Line 3 is actually Line 2!?  So who is on 3rd?  :D

It *should* count blank lines, so it should match the line number used in 
text editors.
 -Scott




RE: [Declude.JunkMail] Word Filter code?

2002-09-04 Thread Kami Razvan

Hi again..

Line number?  I bet it does not count blank lines right?


Line 1: SUBJECT 1   CONTAINS$
Blank spacer
Line 3: SUBJECT 3   CONTAINS$$$

The Line 3 is actually Line 2!?  So who is on 3rd?  :D


Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Wednesday, September 04, 2002 9:31 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Word Filter code?



>What is the meaning of (295)?  I am almost sure it has to do with the
>filter that has failed!
>
>X-RBL-Warning: WORDFILTER: Message failed WORDFILTER test (295)

It is the line number in the filter where the test was triggered.

>How can we setup a code so we can make sure we know which listing is
>triggered?
>
>For example in this line, is there anyway to list a code after $:
>
>SUBJECT  1 CONTAINS $

You can either use the line number to find which filter triggered the test,
or you can use LOGLEVEL HIGH, which will have a "Triggered filter on $
[Weight->1]" line in the log, that shows the filter that caused the test to
be triggered ("$" in this case), as well as the new weight (for people who
aren't good at math ).
-Scott




RE: [Declude.JunkMail] ASP/CF/CGI/etc Web Developers....

2002-09-04 Thread Mark Smith

A.
Gotcha.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
On Behalf Of Tom Baker | Netsmith Inc
Sent: Wednesday, September 04, 2002 8:38 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [Declude.JunkMail] ASP/CF/CGI/etc Web Developers

So do I, but you still have to authenticate twice.

This was just an idea I had I thought I would share where you only
authenticate once (Imail webmail) and can seamlessly integrate your own
application with webmail.

-Original Message-
From: Mark Smith [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 04, 2002 7:31 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] ASP/CF/CGI/etc Web Developers

>but the biggest stump can be there is no easy way to check
>authentication against the IMAIL registry.

This isn't so hard if you write a COM .dll object to read from the
registry.
In any case, I don't store passwords in the registry... I use SQL for the
IMAIL "database"

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Tom Baker | Netsmith Inc
Sent: Tuesday, September 03, 2002 11:55 PM
To: '[EMAIL PROTECTED]'
Subject: [Declude.JunkMail] ASP/CF/CGI/etc Web Developers

The topic has been reached numerous on this list so I thought I would
share an idea I had earlier today that works great with everyone on this
list.

Many of you have the ideas of writing your own parsers/interfaces for
parts of declude or other parts of imail, but the biggest stump can be
there is no easy way to check authentication against the IMAIL registry,
or to integrate the features seamlessly into the imail/webmail interface.

Any developer can easily validate a session using an IMAIL session without
ever needing or knowing the actual password of an account. I have
commented my Cold Fusion authorization page [ cf_imail_login.txt ] so that
no matter what language you code in you should be able to easily port.

For a working example feel free to check my "test" login I make available
to this list.
http://mail.bsc.net/
login = [EMAIL PROTECTED]
pass = declude
( click the "Junkmail" button and you will be sent to an external server,
but the interface is identical )

*Note: my working example builds heavily on the attachments I have
included. I stripped everything down to the bare logic so everyone can use
this to suit their needs.

If anyone else finds this information nearly as useful as I did today
please let me know.
I'm sure this will make using the filters much much simpler for my users.

-Tom


Re: [Declude.JunkMail] Word Filter code?

2002-09-04 Thread R. Scott Perry


>What is the meaning of (295)?  I am almost sure it has to do with the 
>filter that has failed!
>
>X-RBL-Warning: WORDFILTER: Message failed WORDFILTER test (295)

It is the line number in the filter where the test was triggered.

>How can we setup a code so we can make sure we know which listing is 
>triggered?
>
>For example in this line, is there anyway to list a code after $:
>
>SUBJECT  1 CONTAINS $

You can either use the line number to find which filter triggered the test, 
or you can use LOGLEVEL HIGH, which will have a "Triggered filter on $ 
[Weight->1]" line in the log, that shows the filter that caused the test to 
be triggered ("$" in this case), as well as the new weight (for people who 
aren't good at math ).
-Scott




[Declude.JunkMail] Word Filter code?

2002-09-04 Thread Kami Razvan

What is the meaning of (295)?  I am almost sure it has to do with the
filter that has failed!

X-RBL-Warning: WORDFILTER: Message failed WORDFILTER test (295)

How can we setup a code so we can make sure we know which listing is
triggered?

For example in this line, is there anyway to list a code after $:

SUBJECT  1 CONTAINS $

Regards,
Kami


RE: [Declude.JunkMail] RSS Blacklist

2002-09-04 Thread R. Scott Perry


>The domain that is listed is saturnstpaul.com.  They were running their
>mail server on an AS/400 and had us host their mail when their AS/400
>was very busy since it was an open relay.  This is where the problem
>probably originated.  I'll try explaining the situation to MAPS and see
>where I get.  Thanks.

http://work-rss.mail-abuse.org/cgi-bin/nph-rss-sview?64.198.38.249 shows 
that you got listed because spam went through your IMail server, not due to 
the AS/400 server (they list based on the IP address, not the 
hostname).  Have you checked your log files to see how much spam was sent 
at that time?  With Declude Hijack running, most spammers won't get any 
mail out (due to the separate HOLD1/HOLD2 settings, and the fact that they 
typically send about 20 E-mails at a time).  The URL shows headers with the 
exact date/time the spams were sent.
 -Scott




RE: [Declude.JunkMail] School system needs advice

2002-09-04 Thread Darrell L.

When you get back to work post your global.config file so we can see how
you have it setup.  I am sure a lot of people will be able to offer good
advice upon seeing your config file.

Darrell

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Curtis Faulkner
Sent: Tuesday, September 03, 2002 7:32 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] School system needs advice

Thanks to all of you for your quick help!

Darrell, I feel like a bad network admin, as I can't answer the question
about our current tests right now.  My boss brought this issue up with me
sick at home and I currently can't get to my server or backups (I tend to
make my NT's very inaccessible out of an NT security paranoia).

I've explained to management that no solution will get 100% (I'm familiar
with this concept and have been trying to explain it for a month to my boss
for various needs).  So far on this project, he is trusting me, according to
a recent e-mail, to augment the current solution or to correct the config to
provide better service.  Hopefully, I will continue to keep us away from the
corporate-is-better mentality that quite often enters in these type of
scenarios.  I just want the best product for the job and feel that it will
include Declude, whether it means a new config or adding Message Sniffer.

-Curtis


On 9/3/2002 5:21 PM, "Darrell L." <[EMAIL PROTECTED]> wrote:

>>> Does anyone have suggestions on how I can quickly tune Declude JunkMail to
>>> provide a decent-quality result?  I generally like Declude (especially
>>> Virus), but a flashy corporate package tends to look good to management
>>> types and failure seems to be more accepted if it comes from a
>>> multi-million dollar corporation.
> 
> 
> You will never be able to stop 100% of all the porn spam..  You should
> be able to get a good percentage.  However, if the mindset in place is
> that "failure seems to be more accepted if it comes from a multi-million
> dollar corporation." Then you are already behind the 8-ball.
> 
> What tests are you using?
> 
> Darrell



RE: [Declude.JunkMail] ASP/CF/CGI/etc Web Developers....

2002-09-04 Thread Tom Baker | Netsmith Inc



So do I, but you still have to authenticate twice.

This was just an idea I had I thought I would share where you only
authenticate once (Imail webmail) and can seamlessly integrate your own
application with webmail.

-Original Message-
From: Mark Smith [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 04, 2002 7:31 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] ASP/CF/CGI/etc Web Developers

>but the biggest stump can be there is no easy way to check
>authentication against the IMAIL registry.

This isn't so hard if you write a COM .dll object to read from the
registry.
In any case, I don't store passwords in the registry... I use SQL for the
IMAIL "database"

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Baker |
Netsmith Inc
Sent: Tuesday, September 03, 2002 11:55 PM
To: '[EMAIL PROTECTED]'
Subject: [Declude.JunkMail] ASP/CF/CGI/etc Web Developers

The topic has been reached numerous on this list so I thought I would share
an idea I had earlier today that works great with everyone on this list.

Many of you have the ideas of writing your own parsers/interfaces for parts
of declude or other parts of imail, but the biggest stump can be there is no
easy way to check authentication against the IMAIL registry, or to integrate
the features seamlessly into the imail/webmail interface.

Any developer can easily validate a session using an IMAIL session without
ever needing or knowing the actual password of an account. I have commented
my Cold Fusion authorization page [ cf_imail_login.txt ] so that no matter
what language you code in you should be able to easily port.

For a working example feel free to check my "test" login I make available to
this list.
http://mail.bsc.net/
login = [EMAIL PROTECTED]
pass = declude
( click the "Junkmail" button and you will be sent to an external server,
but the interface is identical )

*Note: my working example builds heavily on the attachments I have included.
I stripped everything down to the bare logic so everyone can use this to
suit their needs.

If anyone else finds this information nearly as useful as I did today please
let me know.
I'm sure this will make using the filters much much simpler for my users.

-Tom


RE: [Declude.JunkMail] ASP/CF/CGI/etc Web Developers....

2002-09-04 Thread Mark Smith



>but the biggest stump can be there is no easy way to check
>authentication against the IMAIL registry.

This isn't so hard if you write a COM .dll object to read from the
registry.
In any case, I don't store passwords in the registry... I use SQL for the
IMAIL "database"

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Baker |
Netsmith Inc
Sent: Tuesday, September 03, 2002 11:55 PM
To: '[EMAIL PROTECTED]'
Subject: [Declude.JunkMail] ASP/CF/CGI/etc Web Developers

The topic has been reached numerous on this list so I thought I would share
an idea I had earlier today that works great with everyone on this list.

Many of you have the ideas of writing your own parsers/interfaces for parts
of declude or other parts of imail, but the biggest stump can be there is no
easy way to check authentication against the IMAIL registry, or to integrate
the features seamlessly into the imail/webmail interface.

Any developer can easily validate a session using an IMAIL session without
ever needing or knowing the actual password of an account. I have commented
my Cold Fusion authorization page [ cf_imail_login.txt ] so that no matter
what language you code in you should be able to easily port.

For a working example feel free to check my "test" login I make available to
this list.
http://mail.bsc.net/
login = [EMAIL PROTECTED]
pass = declude
( click the "Junkmail" button and you will be sent to an external server,
but the interface is identical )

*Note: my working example builds heavily on the attachments I have included.
I stripped everything down to the bare logic so everyone can use this to
suit their needs.

If anyone else finds this information nearly as useful as I did today please
let me know.
I'm sure this will make using the filters much much simpler for my users.

-Tom


RE: [Declude.JunkMail] School system needs advice

2002-09-04 Thread Tom Baker | Netsmith Inc

Well everyone's needs are different.

I have sniffer set with weight 20
I have all other tests set with weight 10
Except badheaders/spamheaders are weight 6
And I removed 'nopostmaster' 'noabuse' and 'revdns' altogether.

I "Personally" send to my "spam mailbox" at weight 1 (any test).
Things such as some of my newsletters get caught, so I just built exceptions
for them.

Most of my users send to "spam mailbox" at weight 16 (sniffer alone, OR at
least 2 other tests)

I think I usually send about 1 false positive per month to
sortmonster(sniffer), and they always QUICKLY respond and remove the
offending rule.

Again, different systems receive different JunkMail and have different
needs. For kicks I send anything caught by sniffer to one folder and
everything it missed (but caught by declude) to another, then I reverse that
sometimes. I think it's around 5% of junkmail caught by declude made it
through sniffer altogether ( less than 1% makes it to my inbox).
Something around 30% of my junkmail makes it through declude and is caught
by sniffer however.



-Original Message-
From: Danny Klopfer [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, September 03, 2002 11:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] School system needs advice


I'm curious as to what weight you are setting sniffer at?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Tom Baker | Netsmith
Inc
Sent: Tuesday, September 03, 2002 2:39 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [Declude.JunkMail] School system needs advice


Double that.

Using declude + sniffer I have not seen a piece of porn get through. Only
rarely do I see any spam get through.

I would highly suggest getting sniffer, as much (adult + non-adult) spam
often passes all HEADER checks (which is what declude does alone), so you
must rely on something that checks the message body (sniffer).

Well worth the $$$!

(try their Free Demo to get a glimpse of what it does. Keep in mind you are
using old body definitions with their demo, and they give almost daily
updates once you register).




-Original Message-
From: Sheldon Koehler [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 03, 2002 4:31 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] School system needs advice


> I need good suggestions, both general and specific.

Spam is always going to get through at one time or another.

BUT, we have had success adding Sniffer (www.sortmonster.com) into the
Declude Junkmail mix. Our local competition uses Postini and the amount of
spam that gets by that overpriced service is incredible. I have a friend
whose workplace uses them and he laughs at the amount of spam he does not
have to see our service.

We also have an IMGate box (http://imgate.meiway.com) as our first line of
defense. By doing all of the above, our spam level is very low. I am always
tweaking the settings and spend more time on it than I would like. As an
ISP, I have to be more open to some of the known junk places for our users
that like getting coupons and junk on a daily basis. As a school district,
you will be able to get away with rejecting EVERYTHING Sniffer wants to
reject, newsletters included, as they are not related to school needs. And
Sniffer seems to do a great job at catching porno spam!!!

Sheldon


Sheldon Koehler, Owner/Partner   http://www.tenforward.com
Ten Forward Communications       360-457-9023
Nationwide access, neighborhood support!

"Whenever you find yourself on the side of the majority, it's time to pause
and reflect." Mark Twain



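Added example, not part of the thread and not Declude's own code: the weighting scheme from Tom Baker's message above, modelled in Python to show which combinations of failed tests reach his users' threshold of 16. The names other_a and other_b are hypothetical stand-ins for the unnamed weight-10 tests, and the at-or-above threshold comparison is an assumption.

```python
from itertools import combinations

# Weights as given in the message. other_a/other_b are hypothetical stand-ins
# for the unnamed "all other tests"; they are not real Declude test names.
WEIGHTS = {"sniffer": 20, "other_a": 10, "other_b": 10,
           "badheaders": 6, "spamheaders": 6}
USER_THRESHOLD = 16       # "most of my users"
PERSONAL_THRESHOLD = 1    # "any test"


def total_weight(failed):
    """Sum the weights of the distinct tests a message failed."""
    failed = set(failed)
    unknown = failed - WEIGHTS.keys()
    if unknown:
        raise ValueError(f"unknown test(s): {sorted(unknown)}")
    return sum(WEIGHTS[name] for name in failed)


def is_spam(failed, threshold=USER_THRESHOLD):
    """Assumption: the action fires when the total is at or above threshold."""
    return total_weight(failed) >= threshold


def pairs_below(threshold=USER_THRESHOLD):
    """Pairs of non-sniffer tests whose combined weight stays under threshold."""
    others = sorted(name for name in WEIGHTS if name != "sniffer")
    return [pair for pair in combinations(others, 2)
            if not is_spam(pair, threshold)]


# Constructed sample results (message id -> tests failed), illustration only.
SAMPLES = {
    "msg1": ["sniffer"],
    "msg2": ["other_a"],
    "msg3": ["other_a", "badheaders"],
    "msg4": ["badheaders", "spamheaders"],
}


def route(samples, threshold=USER_THRESHOLD):
    """Map each message id to the folder the threshold would send it to."""
    return {mid: "spam mailbox" if is_spam(failed, threshold) else "inbox"
            for mid, failed in samples.items()}


if __name__ == "__main__":
    print(route(SAMPLES))
    print("pairs under threshold:", pairs_below())
```

With these weights the two header tests together total 12, so that pair on its own stays under the 16 threshold, while a header test plus one weight-10 test lands exactly on it.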