[Declude.JunkMail] Reject Msg based on Size
Scott,

I just had an MIT engineer/user suggest a feature to reject messages based on their size. I found this fascinating personally. You could look at the size and bounce, e.g.

    SIZE 10MB BOUNCE

Might be a server saver also... especially if it bounced a partial response smaller message.

--
Roger Heath
[EMAIL PROTECTED]
www.rleeheath.com

--
ActivatorMail(tm) ver.122102
Scanned for all viruses by www.activatormail.com intelligent anti-virus anti-spam service

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] IP Black List
> I have been trying to get the IP Black list file to function properly. Below are the settings I am using..
>
> GLOBAL.CFG
> IPFILE fromfile d:\imail\declude\ipblacklist.txt x 20 0

The "fromfile" test type is only for return addresses (E-mail addresses), not IP addresses. If you change it to:

    IPFILE ipfile d:\imail\declude\ipblacklist.txt x 20 0

then it should work.

> One last thing once it's working. If I lookup a class of IP's and it seems to be owned by a clearing house for SP*AM would it be advisable to add 209.50.0.1/8 to the list ?

*If* it appears as though all the IPs in the range belong to the spammer, yes. But, there are often cases where an IP of a known spammer gets listed, but there are legitimate mailers in the same Class C range, so you do have to be careful.

If you aren't very familiar with CIDR ranges, you can use the tool at http://www.DNSstuff.com -- for example, you can enter "209.50.0.1/8", and it will show that it covers 209.0.0.0 through 209.255.255.255.

-Scott
[Declude.JunkMail] IP Black List
I have been trying to get the IP Black list file to function properly. Below are the settings I am using..

GLOBAL.CFG

    IPFILE fromfile d:\imail\declude\ipblacklist.txt x 20 0

DEFAULT.JUNKMAIL

    IPFILE HOLD

I added my IP address to the IPFile and sent a test message with no luck except my service provider failed RDNS. Any thoughts ?

One last thing once it's working. If I lookup a class of IP's and it seems to be owned by a clearing house for SP*AM would it be advisable to add 209.50.0.1/8 to the list ?

David Barrett
Maine Connect, Inc

"I'd rather be a failure at something I enjoy than be a success at something I hate" -- George Burns
RE: [Declude.JunkMail] Filter Question
Scott,

OK. I'll leave you alone for the rest of today.

BTW, HiJack has trapped over 500 pieces of SPAM this weekend for 2 domains whose Primary MX's have been up and running the entire time. JunkMail got another 400+ for 1 of those domains. Just shows how the spammers are going after the secondary MX's.

George

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Sunday, February 02, 2003 11:59 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Filter Question

>I would like to be able to filter on the domain names of mailservers in
>the chain. In this case I would like to have an entry such as
>
>WHATEVER CONTAINS .aebolts.com (Where WHATEVER is a valid filter
>screening criteria for the mailservers in the chain). I know I can use
>HEADER for this but is there a parameter I've missed that would let me
>have these checked as JunkMail is parsing to do its thing on each of
>the hops. I have HOPHIGH 6 in my GLOBAL.CFG.

No, there isn't any other parameter aside from HEADERS that you could filter on in this case. Although Declude JunkMail does look at the server names, the only one it cares about is one corresponding to the remote mailserver (the HELO parameter in filtering).

In this case, I would recommend using something like:

    HEADERS 5 CONTAINS .aebolts.com (

Adding the "(" there should prevent virtually all other headers from triggering the filter (for example, you could have "Subject: We have to do something about these .aebolts.com E-mails!" that wouldn't get caught). It's not quite as accurate as it would be if there was a parameter that just searched the server names, but it's pretty close.

-Scott
Re: [Declude.JunkMail] Filter Question
> I would like to be able to filter on the domain names of mailservers in the chain. In this case I would like to have an entry such as
>
> WHATEVER CONTAINS .aebolts.com (Where WHATEVER is a valid filter screening criteria for the mailservers in the chain). I know I can use HEADER for this but is there a parameter I've missed that would let me have these checked as JunkMail is parsing to do its thing on each of the hops. I have HOPHIGH 6 in my GLOBAL.CFG.

No, there isn't any other parameter aside from HEADERS that you could filter on in this case. Although Declude JunkMail does look at the server names, the only one it cares about is one corresponding to the remote mailserver (the HELO parameter in filtering).

In this case, I would recommend using something like:

    HEADERS 5 CONTAINS .aebolts.com (

Adding the "(" there should prevent virtually all other headers from triggering the filter (for example, you could have "Subject: We have to do something about these .aebolts.com E-mails!" that wouldn't get caught). It's not quite as accurate as it would be if there was a parameter that just searched the server names, but it's pretty close.

-Scott
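Added example, not part of the original message and not Declude's code: a plain-substring model of the CONTAINS test, run over header lines from this thread, next to a parser that reads server names only from the from/by clauses of Received lines. The function names, the substring model and the last sample line (a constructed Received line in the bracket-only style, with the placeholder host mail.example.net) are assumptions.

```python
import re

# Lines 0 and 1 are shortened from the header posted in this thread, line 2 is
# the Subject example from the reply, line 3 is constructed for illustration.
HEADERS = [
    "Received: from mtiwmhc14.worldnet.att.net [204.127.131.114] "
    "by mail.ridge-systems.com with ESMTP (SMTPD32-7.13) id A1E0250252",
    "Received: from data.aebolts.com ([216.171.211.31]) "
    "by mtiwmhc14.worldnet.att.net (mtiwmhc14) with ESMTP",
    "Subject: We have to do something about these .aebolts.com E-mails!",
    "Received: from data.aebolts.com [216.171.211.31] "
    "by mail.example.net with ESMTP",
]

def substring_hits(headers, needle):
    """Indexes of header lines that contain needle (plain substring model)."""
    return [i for i, line in enumerate(headers) if needle in line]

# Host name that follows "from" or "by" inside a Received value.
HOP = re.compile(r"\b(?:from|by)\s+([A-Za-z0-9.-]+)")

def relay_hosts(headers):
    """Server names taken only from the from/by clauses of Received lines."""
    hosts = []
    for line in headers:
        name, _, value = line.partition(":")
        if name.strip().lower() == "received":
            hosts.extend(h.lower().rstrip(".") for h in HOP.findall(value))
    return hosts

def chain_has_domain(headers, domain):
    """True if any relay in the Received chain is in domain (suffix match)."""
    domain = domain.lower().lstrip(".")
    return any(h == domain or h.endswith("." + domain)
               for h in relay_hosts(headers))

if __name__ == "__main__":
    print("'.aebolts.com'   hits lines", substring_hits(HEADERS, ".aebolts.com"))
    print("'.aebolts.com (' hits lines", substring_hits(HEADERS, ".aebolts.com ("))
    print("relay names:", relay_hosts(HEADERS))
    print("domain in chain:", chain_has_domain(HEADERS, ".aebolts.com"))
```

The trailing "(" drops the Subject line but also the bracket-only Received line, which is the accuracy gap the reply mentions; matching on parsed relay names catches both Received forms and ignores the Subject.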
[Declude.JunkMail] Filter Question
Hi Scott,

Nothing like a quiet Sunday morning to get the questions going. I have a filter question and will use the following header to explain. The e-mail is being handled correctly by JunkMail according to the GLOBAL.CFG settings.

I would like to be able to filter on the domain names of mailservers in the chain. In this case I would like to have an entry such as

    WHATEVER CONTAINS .aebolts.com

(Where WHATEVER is a valid filter screening criteria for the mailservers in the chain). I know I can use HEADER for this but is there a parameter I've missed that would let me have these checked as JunkMail is parsing to do its thing on each of the hops. I have HOPHIGH 6 in my GLOBAL.CFG.

I realize that this particular piece of SPAM has been identified as such by many other tests, but that's not the question here.

As always, thanks for the time.

George Kulman
Partner
Ridge Systems, L.L.C.

Example Header follows:
***
Received: from mtiwmhc14.worldnet.att.net [204.127.131.114] by mail.ridge-systems.com with ESMTP
    (SMTPD32-7.13) id A1E0250252; Sun, 02 Feb 2003 09:57:36 -0500
Received: from mtiwmhc14.worldnet.att.net ([127.0.0.1])
    by mtiwmhc14.worldnet.att.net
    (InterMail vM.5.01.05.12 201-253-122-126-112-20020820) with ESMTP
    id <[EMAIL PROTECTED] net>
    for <[EMAIL PROTECTED]>; Sun, 2 Feb 2003 14:56:07 +
Received: from data.aebolts.com ([216.171.211.31])
    by mtiwmhc14.worldnet.att.net (mtiwmhc14) with ESMTP
    id <2003020214560611400kmvlje>; Sun, 2 Feb 2003 14:56:06 +
Received: from data.aebolts.com (data.aebolts.com [216.171.211.31] (may be forged))
    by data.aebolts.com (8.12.6/8.12.6) with ESMTP id h12FSook018111
    for <[EMAIL PROTECTED]>; Sun, 2 Feb 2003 07:28:50 -0800
Received: (from root@localhost)
    by data.aebolts.com (8.12.6/8.12.6/Submit) id h12FSo64018109;
    Sun, 2 Feb 2003 07:28:50 -0800
Message-Id: <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Reply-To: <[EMAIL PROTECTED]>
From: "Rick Wagner" <[EMAIL PROTECTED]>
Subject:
Date: Sun Feb 2 01:05:00 PST 2003
MIME-Version: 1.0
Content-Type: text/html;
Content-Transfer-Encoding: 7bit
X-RBL-Warning: SPAMCOP: Blocked - see http://spamcop.net/bl.shtml?216.171.211.31
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [801e].
X-Declude-Sender: [EMAIL PROTECTED] [127.0.0.1]
X-Declude-Spoolname: D31e0002502523542.SMD
X-Spam-Tests-Failed: 15 SPAMCOP, BADHEADERS, IPNOTINMX, WEIGHT10
X-Note: This E-mail was sent from (Private IP) ([127.0.0.1]).
X-Country-Chain: UNITED STATES->destination
X-ALLRECIPS: [EMAIL PROTECTED]
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 341851603
RE: [Declude.JunkMail] HiJack Enhancement
Thanks again Scott.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Sunday, February 02, 2003 9:28 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] HiJack Enhancement

>I find that HiJack catches a meaningful amount of SPAM for the store
>and forward domains and probably also helps out on Dictionary Attacks
>as well. It seems like some spammers deliberately target secondary MX's
>with the thought that they can sneak stuff through more easily.

Yes, many spammers have caught on that sending to secondary MX's makes it more likely that the E-mail will not get caught.

>It appears that HiJack keeps its records in memory and, if there's a
>restart on Declude.exe the statistics are reset.

Correct.

>If this is a correct interpretation, would it be possible to maintain
>this data in an editable file which would be loaded by HiJack on a
>restart? Also to add a "persistence parameter" that would enable us to
>set a time period for retention of entries in the file, 10 days for
>example. That would keep the list from growing infinitely.

That's a very good idea -- I'll see if we can incorporate that into Declude Hijack.

-Scott
Re: [Declude.JunkMail] HiJack Enhancement
> I find that HiJack catches a meaningful amount of SPAM for the store and forward domains and probably also helps out on Dictionary Attacks as well. It seems like some spammers deliberately target secondary MX's with the thought that they can sneak stuff through more easily.

Yes, many spammers have caught on that sending to secondary MX's makes it more likely that the E-mail will not get caught.

> It appears that HiJack keeps its records in memory and, if there's a restart on Declude.exe the statistics are reset.

Correct.

> If this is a correct interpretation, would it be possible to maintain this data in an editable file which would be loaded by HiJack on a restart? Also to add a "persistence parameter" that would enable us to set a time period for retention of entries in the file, 10 days for example. That would keep the list from growing infinitely.

That's a very good idea -- I'll see if we can incorporate that into Declude Hijack.

-Scott
RE: [Declude.JunkMail] IPBlacklist CIDR Question
Thanks

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Sunday, February 02, 2003 9:12 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] IPBlacklist CIDR Question

>When JunkMail does a CIDR calculation from an entry in ipblacklist.txt
>file does it use the actual value of the IP address that is listed or
>does it calculate what it believes to be the correct range of
>addresses?

It calculates the full range of addresses. So:

>For example, how would the following entry be interpreted?
>
>216.162.101.110/27
>
>A. from 216.162.101.110 to 216.162.101.141 or
>
>B. from 216.192.101.96 to 216.162.101.127

This would be treated as B. That way, if you have an IP, you can enter it and the CIDR range without having to make sure that it is set up properly (so you can enter "192.0.2.25/24" and get the whole 192.0.2.0-192.0.2.255 range without having to change it to "192.0.2.0/24").

-Scott
Re: [Declude.JunkMail] IPBlacklist CIDR Question
> When JunkMail does a CIDR calculation from an entry in ipblacklist.txt file does it use the actual value of the IP address that is listed or does it calculate what it believes to be the correct range of addresses?

It calculates the full range of addresses. So:

> For example, how would the following entry be interpreted?
>
> 216.162.101.110/27
>
> A. from 216.162.101.110 to 216.162.101.141 or
>
> B. from 216.192.101.96 to 216.162.101.127

This would be treated as B. That way, if you have an IP, you can enter it and the CIDR range without having to make sure that it is set up properly (so you can enter "192.0.2.25/24" and get the whole 192.0.2.0-192.0.2.255 range without having to change it to "192.0.2.0/24").

-Scott
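Added example, not part of the original message and not Declude's code: the range calculation described above, and the /8 caution from the "IP Black List" thread, modelled with Python's ipaddress module, which masks off host bits when strict=False. The function names and the min_prefix review threshold are assumptions.

```python
import ipaddress

# Entries quoted in the threads; each has host bits set below the prefix length.
ENTRIES = ["216.162.101.110/27", "192.0.2.25/24", "209.50.0.1/8"]

def covered_range(entry):
    """Return (first, last, address_count) after masking off the host bits."""
    net = ipaddress.ip_network(entry.strip(), strict=False)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses

def is_listed(ip, entries):
    """True if ip falls inside the masked range of any entry."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e.strip(), strict=False)
               for e in entries)

def too_broad(entries, min_prefix=16):
    """Entries whose prefix is shorter than min_prefix (assumed threshold)."""
    return [e for e in entries
            if ipaddress.ip_network(e.strip(), strict=False).prefixlen < min_prefix]

if __name__ == "__main__":
    for e in ENTRIES:
        first, last, count = covered_range(e)
        print(f"{e:<20} {first} - {last} ({count} addresses)")
    # .100 is below the listed .110 but inside the block; .141 is outside it.
    print(is_listed("216.162.101.100", ENTRIES[:1]),
          is_listed("216.162.101.141", ENTRIES[:1]))
    print("review before adding:", too_broad(ENTRIES))
```

Running a candidate entry through covered_range before adding it shows how many addresses a single line will block; the /8 entry covers 16,777,216 of them.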
[Declude.JunkMail] HiJack Enhancement
Scott,

I find that HiJack catches a meaningful amount of SPAM for the store and forward domains and probably also helps out on Dictionary Attacks as well. It seems like some spammers deliberately target secondary MX's with the thought that they can sneak stuff through more easily.

It appears that HiJack keeps its records in memory and, if there's a restart on Declude.exe the statistics are reset.

If this is a correct interpretation, would it be possible to maintain this data in an editable file which would be loaded by HiJack on a restart? Also to add a "persistence parameter" that would enable us to set a time period for retention of entries in the file, 10 days for example. That would keep the list from growing infinitely.

George Kulman
Partner
Ridge Systems, L.L.C.
[Declude.JunkMail] IPBlacklist CIDR Question
Scott,

When JunkMail does a CIDR calculation from an entry in ipblacklist.txt file does it use the actual value of the IP address that is listed or does it calculate what it believes to be the correct range of addresses?

For example, how would the following entry be interpreted?

    216.162.101.110/27

A. from 216.162.101.110 to 216.162.101.141 or

B. from 216.192.101.96 to 216.162.101.127

TIA,

George Kulman
Partner
Ridge Systems, L.L.C.