RE: [Declude.JunkMail] "free" or "popular" domains
> Any one have a fairly up to date list?

I have a list of servers that are considered ISPs, Mail Services and services that may be significant. Let me know off the list if this is what you are looking for.

Regards,
Tom
Image`fx

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] A line in one of my filter text files didn't fire
Except for the underscore I inserted, both snippets are verbatim. No trailing spaces or hidden control characters. The message was not in Base-64.

I just checked my Declude log for today and it did fire off on 7 other messages today.

I'll include the whole spam message in an attachment here.

Andrew 8)

-Original Message-
From: R. Scott Perry [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 07, 2003 6:05 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] A line in one of my filter text files didn't fire

>BODY 0 CONTAINS bta_mail.net.cn
>
>face=verdana color=#80 size=3>Unsubscribe
>at: [EMAIL PROTECTED]
>**

That should get caught. Does the "BODY 0 CONTAINS bta_mail.net.cn" line contain any spaces/tabs at the end of it? Could the E-mail that was caught have been sent using base64 encoding perhaps?

-Scott

SpamSample.zip
Description: Binary data
RE: [Declude.JunkMail] A line in one of my filter text files didn't fire
>BODY 0 CONTAINS bta_mail.net.cn
>
>Unsubscribe at: [EMAIL PROTECTED]
>**

That should get caught. Does the "BODY 0 CONTAINS bta_mail.net.cn" line contain any spaces/tabs at the end of it? Could the E-mail that was caught have been sent using base64 encoding perhaps?

-Scott
RE: [Declude.JunkMail] A line in one of my filter text files didn't fire
(sigh) Keyboard virus... I should have had an underscore in *both* of the entries.

To recap I'll reproduce here with an underscore inserted to get around my own filter:

#Dec-02-2002 AC Very common in Chinese hosted spamvertisement
# "unsubscribe" footers
BODY 0 CONTAINS bta_mail.net.cn

And the "verbatim" spam snippet with an underscore inserted:

Unsubscribe at: [EMAIL PROTECTED]
**

And the symptom was that this line in my filter text didn't fire on an actual spam but did fire on a follow-up test (and my message to this list when I neglected to insert *both* underscores).

Andrew 8)
Re: [Declude.JunkMail] A line in one of my filter text files didn't fire
>Is there a gotcha in filter text files when the message is in HTML format?

No (unless the spammer uses comments to break up text that would otherwise be filtered).

>Unsubscribe at: [EMAIL PROTECTED]
>**

If you add a line "BODY 0 CONTAINS bta_mail.net.cn", it should work.

-Scott
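
Scott's replies in this thread name three reasons a BODY ... CONTAINS line can miss: whitespace at the end of the filter line, a base64-encoded body, and HTML comments breaking up the text. The following is an added sketch (not Declude's matching code and not from any poster) that checks one rule against a message at each stage; the literal, case-insensitive substring comparison and the three sample messages are assumptions constructed for illustration.

```python
import base64
import re
from email import message_from_string

RULE = re.compile(r"^BODY\s+(-?\d+)\s+CONTAINS\s(.*)$")
HTML_COMMENT = re.compile(r"<!--.*?-->", re.DOTALL)


def parse_rule(line):
    """Parse 'BODY <weight> CONTAINS <text>'. Returns None for comments/blank lines.

    The text is kept exactly as written, so trailing spaces or tabs on the
    filter line become part of the string that must match (assumed behaviour).
    """
    line = line.rstrip("\r\n")
    if not line.strip() or line.lstrip().startswith("#"):
        return None
    m = RULE.match(line)
    if m is None:
        raise ValueError(f"unrecognised filter line: {line!r}")
    needle = m.group(2)
    return {"weight": int(m.group(1)), "needle": needle,
            "trailing_ws": needle != needle.rstrip()}


def decoded_text(raw_message):
    """Undo the Content-Transfer-Encoding (base64, quoted-printable) of text parts."""
    msg = message_from_string(raw_message)
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "latin-1"
        chunks.append(payload.decode(charset, errors="replace"))
    return "\n".join(chunks)


def match_report(rule_line, raw_message):
    """Report where the rule text is found: wire text, decoded body, comments removed."""
    rule = parse_rule(rule_line)
    if rule is None:
        raise ValueError("not a rule line")
    needle = rule["needle"].lower()
    decoded = decoded_text(raw_message).lower()
    return {
        "trailing_ws": rule["trailing_ws"],
        "raw": needle in raw_message.lower(),
        "decoded": needle in decoded,
        "decoded_no_comments": needle in HTML_COMMENT.sub("", decoded),
    }


def build_message(html, transfer_encoding="7bit"):
    """Build a constructed single-part text/html message like the one in the thread."""
    body = html
    if transfer_encoding == "base64":
        body = base64.encodebytes(html.encode("iso-8859-1")).decode("ascii")
    return ("MIME-Version: 1.0\n"
            'Content-Type: text/html; charset="iso-8859-1"\n'
            f"Content-Transfer-Encoding: {transfer_encoding}\n\n" + body)


# Constructed samples; the address is a made-up stand-in for the redacted one.
RULE_LINE = "BODY 0 CONTAINS bta_mail.net.cn"
FOOTER = "<font face=verdana size=3>Unsubscribe at: remove@bta_mail.net.cn</font>"
PLAIN = build_message(FOOTER)
BASE64 = build_message(FOOTER, "base64")
SPLIT = build_message(FOOTER.replace("bta_mail", "bta_<!-- x -->mail"))

if __name__ == "__main__":
    for name, sample in (("plain", PLAIN), ("base64", BASE64), ("split", SPLIT)):
        print(name, match_report(RULE_LINE, sample))
    print("trailing tab", match_report(RULE_LINE + " \t", PLAIN))
```
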
[Declude.JunkMail] A line in one of my filter text files didn't fire
Is there a gotcha in filter text files when the message is in HTML format?

The following line works if I send myself a message from HotMail, but didn't on an actual piece of spam I just received, whose relevant bit of text I'll reproduce here with an underscore inserted to get around my own filter:

#Dec-02-2002 AC Very common in Chinese hosted spamvertisement "unsubscribe" footers
BODY 0 CONTAINS btamail.net.cn

And the verbatim snippet:

Unsubscribe at: [EMAIL PROTECTED]
**

If it makes any difference, the header defines the e-mail format as:

MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"

I have already checked the Declude log (MED) to make sure there was no error reported in accessing the filter text file... No problem reported.

Andrew 8)
DSN:RE: Re: [Declude.JunkMail] osirusoft down?
Don't say "fires". It makes me nervous. Been through 2 here already, lost 1 house, and just bought a big house above a canyon that hasn't burned in 40 years.

On 01/07/03 3:24pm you wrote...
>> That's Santa _Ana_ winds Scott ;-)
>
>Brian, you got it easy up there in Santa Barbara. Try being in the San
>Gabriel Valley where I live. Remember the 2 big fires we had a number of
>months ago? All that ash is in the air and in eyes and lungs and everywhere.
>The area around them looks like a big black cloud.
>
>My eyes have been constantly watering for the last 2 days.
>
>John Tolmachoff MCSE, CSSA
>IT Manager, Network Engineer
>RelianceSoft, Inc.
>Fullerton, CA 92835
>www.reliancesoft.com
>
>---
>[This E-mail scanned for viruses by Solid Oak Software]
RE: [Declude.JunkMail] "free" or "popular" domains
My list would be the same as previously cited, and yes, earthling.net is not a typo. All of these would make it to my list as the "top faked from: domains".

But of the ones that I've seen make it through to the spamtraps, none. Which is why I haven't implemented a small negative weight for these domains; the spam that pretends to come from these domains is always overwhelmingly spammy and is caught anyway.

What would be useful is a rigorous test for these domains that can tell the difference between a bogus MSN.com (or whatever) and the real one. If it's definitely bogus, then I could set the action to DELETE instead of getting a HOLD from the high weight. That would take a big bite out of the messages I have to wade through with the excellent SpamReview app.

(gazing at navel...) I could probably get there anyway by giving these domains a negative weight and creating a DELETE action at a high enough WEIGHT. Ah well. The volume caught (average of 700 a day) hasn't yet exceeded our ability to deal with the HOLD messages.

Andrew 8)

-Original Message-
From: John Tolmachoff [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 07, 2003 3:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] "free" or "popular" domains

> earthling.net

I am sure that is earthlink.net, correct?

Of course, some people claim they are aliens. :))

John Tolmachoff MCSE, CSSA
RE: Re: [Declude.JunkMail] osirusoft down?
> That's Santa _Ana_ winds Scott ;-)

Brian, you got it easy up there in Santa Barbara. Try being in the San Gabriel Valley where I live. Remember the 2 big fires we had a number of months ago? All that ash is in the air and in eyes and lungs and everywhere. The area around them looks like a big black cloud.

My eyes have been constantly watering for the last 2 days.

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA 92835
www.reliancesoft.com
[Declude.JunkMail] osirusoft down?
Is anyone having problems using relays.osirusoft.com and relays.ordb.org? Should I comment these out in the global.cfg file to avoid excessive timeouts?
Re[2]: [Declude.JunkMail] Feature requests: LOOSEN HELOBOGUS ON/OFF, REVNOTHELO
> It's also important to realize the purpose of the HELOBOGUS test. It
> isn't designed primarily to catch spammers. It's designed to help
> detect poorly administered mailservers -- ones that are likely to be
> abused by spammers.

True, but if you're using HELOBOGUS for anything other than advertising to your clients' clients--which Declude is definitely good for :)--you're giving it a weight, so you are using it not only as community outreach, but as a spam test.

> And those Fortune 500 companies that have their mailserver advertise
> itself with a name other than what it really is, well, they are
> running mailservers that are poorly administered.

I have zero respect for people who think they're too big to change: CitiGroup actually has a stated policy that they "do not make changes for outside companies" or suchlike, which they use to avoid fixing problems they don't really understand. But we can't have zero-tolerance for HELOBOGUS in practical terms, since we risk losing clients by losing their clients, and the more hoops it takes to get to an IT group, the more annoyed everyone becomes (even if their own bureaucracy is at fault).

> But if you don't penalize them, they will definitely continue
> bending the rules too far, which helps increase spam.

Yes, something must actually break, even if it just means that they consistently trip the weekly ALERT threshold. But again, speaking from a combo of experience and my own grudges, a dead HELO of 'www03.example.com' is a lot less likely to get fixed than a dead HELO of just 'mail.' Even the stupid mail admin can see and fix some problems with the latter, while the former will likely involve contacting the much-feared DNS group, blah blah blah.

And when people do ask us how to fix pass a "looser" test, we will of course continue to say that a published FQHN is required, still spreading the "tighter" word to those admins.

We're pretty strict on our own. SPAManager, for example, was not our idea.

But clients dictate varying tolerances. Something that has surprised me is how likely difficult internal users are to have irascible, irrational external contacts/friends--self-evident, I suppose, but the parity is just uncanny sometimes!

At any rate, a looser HELOBOGUS option (maybe a separate test completely, now that I think about it, to enable varying weights) would make HELOBOGUS less of a liability for us.

>>But I WOULD use a negative test in the style of IPNOTINMX,
>>"rewarding" a site slightly for having the ability, experience, and
>>control to match the two and hopefully combatting some FPs.

> Aha -- like the IPNOTINMX test. That's a good idea.

Glad you agree there! I think the two tests (exact match and parent/grandparent domain match) would be perfect.

-Sandy
DSN:Re: [Declude.JunkMail] osirusoft down?
That's Santa _Ana_ winds Scott ;-)

It has been in the 80's here in So Cal. and the winds have knocked out our electricity twice for a total of about 8 hours, and our backup copper T1 once. Our big fiber line and batteries have kept us up and running.

This morning I woke up and when I turned on the lights they were all dim. I checked and we had 60 volts! Things were beeping all over the house. Dang APC UPS's don't have a "bell off" button. I guess the electricity was off for 3 hours or so, and when the power came back up it was a few volts short. I have never seen anything like this before, especially in January.

Brian

On 01/07/03 5:56pm you wrote...
>
>>Is anyone having problems using relays.osirusoft.com and relays.ordb.org?
>>Should I comment these out in the global.cfg file to avoid excessive
>>timeouts?
>
>It's a temporary problem due to the "Santa Monica Winds" in California,
>which are apparently blowing cars from one lane on highways to another.
> -Scott
RE: [Declude.JunkMail] "free" or "popular" domains
> earthling.net

I am sure that is earthlink.net, correct?

Of course, some people claim they are aliens. :))

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA 92835
www.reliancesoft.com
RE: [Declude.JunkMail] "free" or "popular" domains
We've set up the following domains:

@yahoo.com @yahoo.co.uk hotmail.com msn.com email.com aol.com @mail.com lycos.com lycos.co.uk @usa.net earthling.net xx.com

I think Len Conrad should have a lot more of them: He wrote today on the Imail-list: "One of the ways IMGate stops spam is, for 3500 domains that are frequently forged,... "

Markus

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of John
> Tolmachoff
> Sent: Tuesday, January 07, 2003 11:38 PM
> To: [EMAIL PROTECTED]
> Subject: [Declude.JunkMail] "free" or "popular" domains
>
>
> Any one have a fairly up to date list?
>
> John Tolmachoff MCSE, CSSA
> IT Manager, Network Engineer
> RelianceSoft, Inc.
> Fullerton, CA 92835
> www.reliancesoft.com
Re: [Declude.JunkMail] osirusoft down?
>Is anyone having problems using relays.osirusoft.com and relays.ordb.org?
>Should I comment these out in the global.cfg file to avoid excessive timeouts?

It's a temporary problem due to the "Santa Monica Winds" in California, which are apparently blowing cars from one lane on highways to another.

-Scott
[Declude.JunkMail] "free" or "popular" domains
Any one have a fairly up to date list?

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA 92835
www.reliancesoft.com
Re: [Declude.JunkMail] Feature requests: LOOSEN HELOBOGUS ON/OFF, REVNOTHELO
>- I've found HELOBOGUS is often counterproductive, even with a low weight, since legit sites, even (especially?) "big guns" (Fortune 500, whatever) often give their servers fully-qualified, RFC-legal--yet publicly nonexistent--hostnames. What would help a lot, I think, is the ability to let theoretically publishABLE FQHNs go, but still catch unqualified hostnames, illegitimate characters, and IP addresses.

It's also important to realize the purpose of the HELOBOGUS test. It isn't designed primarily to catch spammers. It's designed to help detect poorly administered mailservers -- ones that are likely to be abused by spammers.

And those Fortune 500 companies that have their mailserver advertise itself with a name other than what it really is, well, they are running mailservers that are poorly administered.

It's a catch-22: If you penalize a mailserver for bending the rules too far, you risk losing some legitimate mail. But if you don't penalize them, they will definitely continue bending the rules too far, which helps increase spam. As spam gets worse (increasing over 400% last year), legitimate mailers can either complain that some of their mail gets caught as spam, or they can get their acts together and fix their problems.

That doesn't mean that we won't consider it (I dislike the LOOSENSPAMHEADERS option, for example, but it was added because others liked it).

>- I would never, ever, ever block someone who had non-matching HELO and PTR. Repeat, I would never hold this against someone, and it really peeves me when clients (one of our military sites, for example) suggest it.

Good -- because it would catch mail from this list. :)

>But I WOULD use a negative test in the style of IPNOTINMX, "rewarding" a site slightly for having the ability, experience, and control to match the two and hopefully combatting some FPs.

Aha -- like the IPNOTINMX test. That's a good idea.

The tricky part is figuring out exactly what makes a match -- it's easy if the HELO is "example.com" and the PTR is "mail.example.com". But, it gets a bit more confusing if the HELO is "host.example.co.uk" and the PTR is "host2.example.co.uk". Perhaps two separate tests, so that if they match exactly, you could subtract X points from the weight, and if they match partially (such as the host/host scenario), you could subtract Y points.

-Scott
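
The two ideas in this exchange, written out as an added example (not Declude's HELOBOGUS or any shipped test, and not code from either poster): a syntax-only HELO check that passes any well-formed FQHN while still flagging unqualified names, illegal characters and IP addresses, and an exact/partial HELO-to-PTR comparison. The category names and the three-entry suffix set are assumptions; a real deployment would use the full Public Suffix List to handle cases like co.uk.

```python
import ipaddress
import re

# One DNS label: letters, digits, inner hyphens, 1-63 characters.
LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Constructed stand-in for the Public Suffix List (assumption, far from complete).
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}


def _normalise(name):
    return name.strip().rstrip(".").lower()


def classify_helo(helo):
    """Syntax-only HELO check; performs no DNS lookup.

    Returns 'ip-address', 'illegal-chars', 'unqualified' or 'fqhn-syntax-ok'.
    A well-formed name passes even if it is not published in public DNS.
    """
    candidate = helo.strip().strip("[]")
    if candidate.lower().startswith("ipv6:"):
        candidate = candidate[5:]
    try:
        ipaddress.ip_address(candidate)
        return "ip-address"
    except ValueError:
        pass
    labels = _normalise(helo).split(".")
    if not all(LABEL.match(label) for label in labels):
        return "illegal-chars"
    if len(labels) < 2:
        return "unqualified"
    if labels[-1].isdigit():
        return "ip-address"  # dotted numbers that are not a valid address
    return "fqhn-syntax-ok"


def registrable_domain(name):
    """Return the domain one label below the public suffix, or None."""
    labels = _normalise(name).split(".")
    needed = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    if len(labels) < needed:
        return None
    return ".".join(labels[-needed:])


def helo_ptr_match(helo, ptr):
    """Compare HELO and PTR names: 'exact', 'partial' (same registrable domain) or 'none'."""
    h, p = _normalise(helo), _normalise(ptr)
    if h and h == p:
        return "exact"
    rd_h, rd_p = registrable_domain(h), registrable_domain(p)
    if rd_h is not None and rd_h == rd_p:
        return "partial"
    return "none"


if __name__ == "__main__":
    for helo in ("www03.example.com", "mail.", "mail_gw.example.com", "[192.0.2.25]"):
        print(f"{helo!r:24} -> {classify_helo(helo)}")
    pairs = [
        ("mail.example.com", "mail.example.com."),
        ("example.com", "mail.example.com"),
        ("host.example.co.uk", "host2.example.co.uk"),
        ("mail.foo.co.uk", "mail.bar.co.uk"),  # shares only the public suffix
    ]
    for helo, ptr in pairs:
        print(f"{helo} / {ptr} -> {helo_ptr_match(helo, ptr)}")
```

A comparison that simply takes the last two labels would report the fourth pair as a match on "co.uk", which is the confusion the co.uk case in the message points at.
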
[Declude.JunkMail] EXE files, again!
I have a persistent old lady that is very upset by the fact we do not allow EXE files. She is making greeting cards with MS Home Publisher. I showed her this link on Microsoft's site http://office.microsoft.com/assistance/2000/Out2ksecFAQ.aspx , but she is still adamant that it does not pertain to Home Publisher...

I tried searching Symantec and a couple other sites looking for a generic page by a "major authority" that EXE files are a "Bad Thing" (tm). Anyone have good links?

Sheldon

Sheldon Koehler, Owner/Partner
http://www.tenforward.com
Ten Forward Communications
360-457-9023
Nationwide access, neighborhood support!

"Whenever you find yourself on the side of the majority, it's time to pause and reflect." Mark Twain
Re[2]: [Declude.JunkMail] Overflow directory
> Why don't they answer with a 5xx code? There was one single "531 -
> Mailbox has exceeded disk quota" today...

Because they're stupid. They don't want to wait, so they just keep it comin' 1/2 hour later.

>> If the server terminates the session and blacklists you temporarily
>> or permanently for future attempts...

> According to our MRTG-Stats and SMTP-Logfiles they have done
> neither.

Even more enraging--they don't even know how to be smart about being strict.

> Do you remember some keyword or the subject line? In this list
> Imail-keywords are commonly used ;-)

The thread is called "Hotmail rejection" from Dec 2002.

> It's not so easy: Most of the users aren't able to differentiate between
> kB and MB...

Word to that.

-Sandy
[Declude.JunkMail] Feature requests: LOOSEN HELOBOGUS ON/OFF, REVNOTHELO
Scott/All,

- I've found HELOBOGUS is often counterproductive, even with a low weight, since legit sites, even (especially?) "big guns" (Fortune 500, whatever) often give their servers fully-qualified, RFC-legal--yet publicly nonexistent--hostnames. What would help a lot, I think, is the ability to let theoretically publishABLE FQHNs go, but still catch unqualified hostnames, illegitimate characters, and IP addresses.

- I would never, ever, ever block someone who had non-matching HELO and PTR. Repeat, I would never hold this against someone, and it really peeves me when clients (one of our military sites, for example) suggest it.

But I WOULD use a negative test in the style of IPNOTINMX, "rewarding" a site slightly for having the ability, experience, and control to match the two and hopefully combatting some FPs. In particular, this separates people using consumer DSL providers (who pre-assign a non-matching PTR reflecting the PPPoE or static IP address) from companies with a tighter hold on their IT, and--although we provide hosting services ourselves!--would also give a boost to those that don't use shared servers.

Of course, the more people learn about this counterweight, the less useful it would be, and there are some spammers who already would benefit from it. Yet it would definitely assist when (untreatable) SPAMHEADERS/BADHEADERS/HELOBOGUS blasts come from legitimate sources. Kind of a toss-up, but I'd like to discuss it.

Please post your thoughts.

-Sandy

Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]
RE: [Declude.JunkMail] Overflow directory
> Any mail server that terminates the session instead of
> sending a 5xx is broken, as it's just inviting more
> waste on both sides.

Why don't they answer with a 5xx code? There was one single "531 - Mailbox has exceeded disk quota" today but a lot of

01:07 10:00 SMTP-(07BC) >.
01:07 10:00 SMTP-(07BC) rl-recv: connection reset
01:07 10:00 SMTP-(07BC)
01:07 10:00 SMTP-(07BC) SMTP_DELIV_FAILED
01:07 10:00 SMTP-(07BC) >QUIT

> If the server terminates the session
> and blacklists you temporarily or permanently for future
> attempts, that's "politically" draconian, but at least it's
> technically wiser about bandwidth.

According to our MRTG-Stats and SMTP-Logfiles they have done neither.

> I had a lengthy
> argument about this with Len Conrad on the IMail list; you
> may wish to look it up.

Do you remember some keyword or the subject line? In this list Imail-keywords are commonly used ;-)

In any case a tool as mentioned by Scott to watch and control single smtp transmissions should be very useful in such a situation.

> It is, essentially, a no-win situation unless
> you counsel users to be sure that the destination
> domain will accept their attachments

It's not so easy: Most of the users aren't able to differentiate between kB and MB...

Thanks
Markus
RE: [Declude.JunkMail] OT a bit..spam databases
I'm rather fond of this web tool for doing multiple simultaneous lookups:

http://openrbl.org/

Specifically, it returns hyperlinks and text messages if returned by the bl. It also puts up spam related news and info.

Andrew 8)

-Original Message-
From: Sharyn Schmidt [mailto:[EMAIL PROTECTED]]

I'm trying to see if a certain IP address is listed in any of the Orbz-like spam databases.
RE: [Declude.JunkMail] OT a bit..spam databases
>I don't know about popularity, but I'd use the SPAM database lookup tool at http://www.dnsstuff.com/

That's perfect..that's exactly what I was looking for!

Thanks!
Sharyn

We are the worldwide producer and marketer of the award winning Cruzan Single Barrel Rum, judged "Best in the World" at the annual San Francisco Wine and Spirits Championships. For more information, please click (go to) http://www.cruzanrums.com
Re[2]: [Declude.JunkMail] BADHEADERS Code a400010b -- not at /tools/header?
>>I can't retrieve the extended info for code a400010b. Does anyone
>>have it on hand?

> That one is caused by a missing To: header.

Thanks--I would've caught it if I'd had the original e-mail, but I just had the alert. Is it indeed not at /tools/badheaders?

-Sandy
Re[2]: [Declude.JunkMail] Overflow directory
> So there are a lot of msgs where the remote mailserver after some
> mb's of transferred data terminates the transmission.

Any mail server that terminates the session instead of sending a 5xx is broken, as it's just inviting more waste on both sides. If the server terminates the session and blacklists you temporarily or permanently for future attempts, that's "politically" draconian, but at least it's technically wiser about bandwidth. I had a lengthy argument about this with Len Conrad on the IMail list; you may wish to look it up.

As you mention, setting an outgoing size limit may help. But it will not help if you set a (generous, but not crazy) 10 MB limit and users send to domains with even lower limits. And these domains are the ones most likely to muck with your retries. It is, essentially, a no-win situation unless you counsel users to be sure that the destination domain will accept their attachments--far easier in corporate-to-corporate situations than in person-to-person.

-Sandy
Re: [Declude.JunkMail] Service Introduced To Help Legitimate Bulk Mailers Evade Spam Filters
Horrifying doublespeak: they agree that spamtraps are foolproof evidence of harvesting, and yet they may somehow be found in an otherwise verifiable opt-in list? I'm sure their verification process is really in-depth.

Anyone thought about how much they could have made by getting $5-15MM in VC a couple of years ago just to set up spam cannons? God, we're lucky that kind of go-getting isn't feasible right now.

-Sandy
Re[2]: [Declude.JunkMail] BADHEADERS Code a400010b -- not at /tools/header?
>Thanks--I would've caught it if I'd had the original e-mail, but I just had the alert. Is it indeed not at /tools/badheaders?

No, it isn't -- the problem is that there were some other flags in there that were causing the lookup tool to fail.

-Scott
RE: [Declude.JunkMail] Overflow directory
> What would be nice, though,
> is if IMail had a way of listing all the SMTP processes in
> memory and what
> they were working on, and allowed you to stop them.

Can we place another wish list, even if Christmas just passed? ;-)

> In this case, you could move some of the Q*.SMD files to a temporary
> directory, and perhaps wait 8 hours or so and then move them
> back to the spool directory.

Ok, done. The situation is now back to normal.

Our users haven't set (until now) any outgoing msgs size limit. So there are a lot of msgs where the remote mailserver after some mb's of transferred data terminates the transmission. The retransmission of these msgs uses a lot of bandwidth so also other large mails for recipients able to receive them cannot be delivered because the remote mailserver terminates the transmission after 1-2 hours of very slow transmission.

I've now 2 questions. I think it's better to place them in the imail list...

Thanks
Markus
Re: [Declude.JunkMail] OT a bit..spam databases
Hi Sharyn,

I don't know about popularity, but I'd use the SPAM database lookup tool at http://www.dnsstuff.com/

There's also an interesting article posted at http://www.sdsc.edu/~jeff/spam/Blacklists_Compared.html

Burzin

> Hi,
>
> I'm trying to see if a certain IP address is listed in any of the Orbz-like spam databases.
>
> What, in everyone's opinion, is the most common one used?
>
> TIA
> Sharyn

--
Burzin Sumariwalla Phone: (314) 994-9411 x291 [EMAIL PROTECTED] Fax: (314) 997-7602 Pager: (314) 407-3345
Networking and Telecommunications Manager
Information Technology Services
St. Louis County Library District
1640 S. Lindbergh Blvd.
St. Louis, MO 63131
Re: [Declude.JunkMail] BADHEADERS Code a400010b -- not at /tools/header?
> I can't retrieve the extended info for code a400010b. Does anyone have it on hand?

That one is caused by a missing To: header.

-Scott
[Declude.JunkMail] BADHEADERS Code a400010b -- not at /tools/header?
Scott/All, I can't retrieve the extended info for code a400010b. Does anyone have it on hand? -Sandy Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED]
RE: [Declude.JunkMail] Overflow directory
> So we have a very large spool folder with many timed out delivery attempts and I will try to move some large msgs in a temporary folder until tonight.

Ah, I see. The overflow directory won't help here -- if you move the \IMail\spool\Q*.SMD files to the \IMail\spool\overflow directory, Declude Queue would try sending them immediately. If the E-mails can't be sent because of problems reaching the remote mailservers, Declude Queue won't be able to speed up the process.

> Another problem is, that spooled files that are in delivery (_[id].smd) can't be deleted or moved manually.

That's intentional. If you could delete one of those files, it would prevent the E-mail from being delivered. If you could move it, then IMail wouldn't be able to properly process the file. What would be nice, though, is if IMail had a way of listing all the SMTP processes in memory and what they were working on, and allowed you to stop them.

> Where can I read more about the overflow functionality? Can it be useful to not only move too many msgs in the overflow folder but also if there is too much data in the spool folder?

The overflow directory is designed to work automatically, so you shouldn't need to move files there. You can find out more information about it at http://www.declude.com/dq.htm .

In this case, you could move some of the Q*.SMD files to a temporary directory, and perhaps wait 8 hours or so and then move them back to the spool directory. Or, you could try changing the SMTP settings in IMail to retry E-mail every few hours, rather than the default of every 30 minutes.

-Scott
[Declude.JunkMail] Service Introduced To Help Legitimate Bulk Mailers Evade Spam Filters
From InternetWeek at http://www.internetwk.com/breakingNews/INW20030106S0006:

ExactTarget, which provides e-mail marketing services, introduced technology on Monday designed to help legitimate bulk mailers evade spam filters.

The service added two new features: Content Detective identifies words, phrases and patterns that are likely to trigger spam filters, and then recommends alternatives. List Detective scans mailing lists as they are uploaded to the service, and identifies suspicious e-mail addresses -- such as [EMAIL PROTECTED], [EMAIL PROTECTED], and postmaster and abuse addresses -- that are designed to trap spammers.

The List Detective functionality is designed to get around a common technique used by spam fighters to identify spam -- they create e-mail accounts and post the addresses of those accounts to the Internet, using the accounts for no legitimate mail whatsoever. Every piece of e-mail coming in to one of those accounts will be spam, and the spam fighters can then block the same messages from arriving at legitimate mail accounts.

ExactMail provides hosted e-mail services for permission-based marketing; customers upload mailing lists to ExactMail's hosted applications, provide content, and ExactMail manages the mailing.

Legitimate bulk mailers have been collateral damage in the effort to control spam; managers of mailing lists complain that words like "Viagra," used in e-mail, can get legitimate subscription newsletters erroneously tagged as spam and rejected by mail servers.

Chip House, director of marketing at ExactMail, said the service makes a priority out of identifying spammers and blocking them from using ExactMail. If a client uses the service to circumvent spam filters, ExactMail contacts the client to review the source of the names, how the client captures e-mail addresses and how the names were opted in. If the service can't verify the list is opt-in, ExactMail won't mail the list and may terminate the contract.

Clients must agree contractually not to send spam, and ExactMail monitors uploads, deliveries, bounces and other events to ensure lists are legitimate.
RE: [Declude.JunkMail] Overflow directory
No, there is no file in the overflow directory. The problem is not that there are too many msgs for the server. The problem is that there are 600 clients returning from holidays and everyone begins to download his email. In addition, they begin to send relatively large mails ("here the picture where I'm ..." made with his new 5 megapixel camera). Not enough, there is a hoax mail around and thousands of "Attention New virus!!!" msgs were sent. (I've set a keyword in our SpamChk to block this now.) The problem is now that other mailservers in our zone here also seem to have the same problem and the delivery to these servers is very slow.

So we have a very large spool folder with many timed out delivery attempts and I will try to move some large msgs in a temporary folder until tonight. Another problem is, that spooled files that are in delivery (_[id].smd) can't be deleted or moved manually.

Where can I read more about the overflow functionality? Can it be useful to not only move too many msgs in the overflow folder but also if there is too much data in the spool folder?

Markus

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
> Sent: Tuesday, January 07, 2003 4:08 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] Overflow directory
>
> >Can I manually move spooled D and Q-files in the overflow folder? When they will be respooled?
>
> You can, but it is not recommended.
>
> If there are any files in the overflow directory (there should only be Q*.* files in there), it means that your mailserver is overloaded (not that it *was* overloaded, but that it currently *is* overloaded and is sending mail at its maximum capacity). If there are files in there, Declude Queue is taking care of "feeding" them to IMail at a rate that it can handle (so that it will send them as soon as it can, overriding the default IMail behavior of sending it 1/2 hour or more later).
>
> Although you can move the files back to the spool directory (no harm will be done by doing that), it prevents Declude Queue from speeding up the message delivery, and will revert back to the IMail method (which can often take hours to deliver E-mails that could otherwise go out in a few minutes).
> -Scott
RE: [Declude.JunkMail] OT a bit..spam databases
I use the Spam Database Lookup tool on Scott's www.dnsstuff.com.

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA 92835
www.reliancesoft.com

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED]] On Behalf Of Sharyn Schmidt
> Sent: Tuesday, January 07, 2003 6:51 AM
> To: Declude Junkmail List
> Subject: [Declude.JunkMail] OT a bit..spam databases
>
> Hi,
>
> I'm trying to see if a certain IP address is listed in any of the Orbz-like spam databases.
>
> What, in everyone's opinion, is the most common one used?
>
> TIA
> Sharyn
Re: [Declude.JunkMail] HELOBOGUS & MAILFROM warnings on legit server
> I've got a problem with Declude catching mail from my web server. The web server is sending mail from web forms that customers fill out to users hosted on my email server. I'm getting HELOBOGUS and MAILFROM warnings, stating that the domain "server_name" does not have any MX/A records. How can I resolve this? I don't want to whitelist the server name but I've got to be able to send the email forms to the respective users.

That's because your web server is claiming to be an Internet host named "server_name" (which isn't valid -- an Internet host needs to be in the format "server_name.example.com"), and sending mail from a non-existent domain (probably something like "webmaster@server_name").

The best way to deal with this is to fix the problem, and have the web server send out mail properly, by using "server_name.example.com" as the host name and a return address of "[EMAIL PROTECTED]" (or "[EMAIL PROTECTED]"). That way, the E-mail won't be caught as spam on other servers.

The quick fix, though, would be to whitelist the IP address of the web server ("WHITELIST IP 192.0.2.25" in the \IMail\Declude\global.cfg file). That will prevent the E-mail from getting caught by Declude JunkMail, but it could still get caught on the receiving server.

-Scott
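The kind of check Scott describes in the reply above, as an added example that is not part of the original thread and is not Declude's code. The warning labels HELOBOGUS and MAILFROM come from the thread; the function names, the `web01`/`web02` host names and the DNS data are assumptions constructed for this example, so it runs offline.

```python
# Constructed DNS data standing in for real lookups (assumption: example.com
# publishes an MX record, web01.example.com an A record, nothing else exists).
SAMPLE_ZONE = {
    ("example.com", "MX"): ["10 mail.example.com"],
    ("mail.example.com", "A"): ["192.0.2.10"],
    ("web01.example.com", "A"): ["192.0.2.25"],
}


def sample_lookup(name, rtype):
    """Offline resolver: return the constructed records for (name, type)."""
    return SAMPLE_ZONE.get((name.lower().rstrip("."), rtype), [])


def has_mail_dns(domain, lookup):
    """True if the domain has at least one MX or A record."""
    return bool(lookup(domain, "MX") or lookup(domain, "A"))


def is_qualified(name):
    """True if name has at least two non-empty labels (host.example.com)."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(labels)


def check_envelope(helo, mail_from, lookup=sample_lookup):
    """Return the warnings a HELO / MAIL FROM sanity check would raise.

    The logic is this example's own sketch of "the name must be a real
    Internet host or domain with MX/A records".
    """
    warnings = []

    # HELO: an address literal such as [192.0.2.25] is permitted by SMTP and
    # has no DNS name to check; any other value must be qualified and resolve.
    is_literal = helo.startswith("[") and helo.endswith("]")
    if not is_literal and not (is_qualified(helo) and has_mail_dns(helo, lookup)):
        warnings.append("HELOBOGUS")

    # MAIL FROM: the null reverse-path "<>" (used for bounces) has no domain,
    # so this example skips it rather than flagging it.
    sender = mail_from.strip().strip("<>")
    if sender:
        domain = sender.rpartition("@")[2]
        if "@" not in sender or not (
            is_qualified(domain) and has_mail_dns(domain, lookup)
        ):
            warnings.append("MAILFROM")
    return warnings


if __name__ == "__main__":
    # The misconfigured web server from the thread, then the corrected setup.
    print(check_envelope("server_name", "webmaster@server_name"))
    print(check_envelope("web01.example.com", "webmaster@example.com"))
```

Against a live server, `lookup` would be replaced by a real DNS query function with the same `(name, rtype)` signature.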
Re: [Declude.JunkMail] Overflow directory
> Can I manually move spooled D and Q-files in the overflow folder? When they will be respooled?

You can, but it is not recommended.

If there are any files in the overflow directory (there should only be Q*.* files in there), it means that your mailserver is overloaded (not that it *was* overloaded, but that it currently *is* overloaded and is sending mail at its maximum capacity). If there are files in there, Declude Queue is taking care of "feeding" them to IMail at a rate that it can handle (so that it will send them as soon as it can, overriding the default IMail behavior of sending it 1/2 hour or more later).

Although you can move the files back to the spool directory (no harm will be done by doing that), it prevents Declude Queue from speeding up the message delivery, and will revert back to the IMail method (which can often take hours to deliver E-mails that could otherwise go out in a few minutes).

-Scott
[Declude.JunkMail] OT a bit..spam databases
Hi,

I'm trying to see if a certain IP address is listed in any of the Orbz-like spam databases.

What, in everyone's opinion, is the most common one used?

TIA
Sharyn

We are the worldwide producer and marketer of the award winning Cruzan Single Barrel Rum, judged "Best in the World" at the annual San Francisco Wine and Spirits Championships. For more information, please click (go to) http://www.cruzanrums.com
RE: [Declude.JunkMail] HELOBOGUS & MAILFROM warnings on legit server
Add the appropriate records in your DNS.

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA 92835
www.reliancesoft.com

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED]] On Behalf Of Troy Hilton
> Sent: Tuesday, January 07, 2003 6:06 AM
> To: Declude Junkmail Forum (E-mail)
> Subject: [Declude.JunkMail] HELOBOGUS & MAILFROM warnings on legit server
>
> Hello All,
>
> I've got a problem with Declude catching mail from my web server. The web server is sending mail from web forms that customers fill out to users hosted on my email server. I'm getting HELOBOGUS and MAILFROM warnings, stating that the domain "server_name" does not have any MX/A records. How can I resolve this? I don't want to whitelist the server name but I've got to be able to send the email forms to the respective users.
>
> I look forward to your help.
>
> Troy
Re: [Declude.JunkMail] Outblaze is not happy with our fromfile - Image`fx (part5)
I've had issues with Outblaze's clients, mail.com, e-mail.com; when I was blocking them, Outblaze contacted me about it. I have to say in their defense, when I had an issue with a user of theirs they took care of it right away and terminated the account. In a way it's no big deal, the spammer has 100 other addresses to use, but at least they did back up the "no spam" policy they say they have. Just my dealing with them, FWIW.

Paul

> In any event outblaze has not been active since 2002/11/24 so it was not really a problem removing them, however, when I viewed their web site I got the impression that they do some sort of bulk mailing or campaign. I don't know what to make of them. They don't describe their services clear enough for us simple folk. ;)
>
> Sorry if this wasted your time, I figured it may be of interest.
>
> Regards,
> Tom
> Image`fx
[Declude.JunkMail] Overflow directory
Hi Scott, Can I manually move spooled D and Q-files in the overflow folder? When they will be respooled? Markus
[Declude.JunkMail] HELOBOGUS & MAILFROM warnings on legit server
Hello All, I've got a problem with Declude catching mail from my web server. The web server is sending mail from web forms that customers fill out to users hosted on my email server. I'm getting HELOBOGUS and MAILFROM warnings, stating that the domain "server_name" does not have any MX/A records. How can I resolve this? I don't want to whitelist the server name but I've got to be able to send the email forms to the respective users. I look forward to your help. Troy