[Declude.JunkMail] request?
How about a test to check if the e-mail address in the subject is the same as the person it was sent to? Or how about a test that checks for the following dupe names: [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] Regards, Tom Image`fx --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Why BADHEADER for this?
>> Are you sure you matched this up correctly? << Declude Version 1.68i5. Here is "the chain of evidence" I followed: You did good. :) It turns out this is a bug in Declude JunkMail, where it would stop processing headers if it encountered a header continuation line that consisted of a single character. In this case, the Subject: line was continued onto a separate line that contained the single character "K". This will be fixed in the next release; if anyone needs it right away, I can get an interim release ready that has the fix. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] SpamManager/Declude Setup!
John, I subscribed to that list when I bought the product, but I do not see anywhere what email address to send to the list with. Sincerely, Grant Griffith, Vice President EI8HT LEGS Web Management Co., Inc. http://www.getafreewebsite.com 877-483-3393 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of John Tolmachoff Sent: Tuesday, March 25, 2003 12:25 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] SpamManager/Declude Setup! > Did you make any changes to the SpamManager config file or just leave it as > default? You want to use the Declude specific configuration options. They are in the pdf. SpamManager also has its own list service. [EMAIL PROTECTED] John Tolmachoff MCSE, CSSA IT Manager, Network Engineer RelianceSoft, Inc. Fullerton, CA 92835 www.reliancesoft.com --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] SpamManager/Declude Setup!
It is [EMAIL PROTECTED] I'll check that. It is supposed to be sending this out in the welcome message. On 03/25/03 4:11pm you wrote... >John, > >I subscribed to that list when I bought the product, but I do not see >anywhere what email address to send to the list with. > >Sincerely, >Grant Griffith, Vice President >EI8HT LEGS Web Management Co., Inc. >http://www.getafreewebsite.com >877-483-3393 > >-Original Message- >From: [EMAIL PROTECTED] >[mailto:[EMAIL PROTECTED] Behalf Of John Tolmachoff >Sent: Tuesday, March 25, 2003 12:25 PM >To: [EMAIL PROTECTED] >Subject: RE: [Declude.JunkMail] SpamManager/Declude Setup! > > >> Did you make any changes to the SpamManager config file or just leave it >as >> default? > >You want to use the Declude specific configuration options. > >They are in the pdf. > >SpamManager also has its own list service. > >[EMAIL PROTECTED] > >John Tolmachoff MCSE, CSSA >IT Manager, Network Engineer >RelianceSoft, Inc. >Fullerton, CA 92835 >www.reliancesoft.com > > > > >--- >[This E-mail was scanned for viruses by Declude Virus >(http://www.declude.com)] > >--- >This E-mail came from the Declude.JunkMail mailing list. To >unsubscribe, just send an E-mail to [EMAIL PROTECTED], and >type "unsubscribe Declude.JunkMail". The archives can be found >at http://www.mail-archive.com. > >--- >[This E-mail was scanned for viruses by Declude Virus >(http://www.declude.com)] > >--- >This E-mail came from the Declude.JunkMail mailing list. To >unsubscribe, just send an E-mail to [EMAIL PROTECTED], and >type "unsubscribe Declude.JunkMail". The archives can be found >at http://www.mail-archive.com. >ve.com. > --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Why Did This Get Through?
Hi Robert, If the message was hold on your server, can you send me the entire message? (as attachment) Even the logfile entries from SpamChk can be usefull to understand why there is such a high result. As I can see on the header data this message is spam and was prcoessed on your server according to the weight20 action. So there should be all right. Markus BTW: The third hop [67.104.187.162] now is listed on SpamCop > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of > Robert Forsyth > Sent: Tuesday, March 25, 2003 6:57 PM > To: [EMAIL PROTECTED] > Subject: [Declude.JunkMail] Why Did This Get Through? > > > I'm see an on-again off-again occurrence of emails getting > through that should of failed. > > Below are the headers...can anyone shed some light? > > Thanks > Robert > > Received: from relay04.valueweb.net [216.219.253.238] by > wjla.com with ESMTP > (SMTPD32-7.06) id A72D1CA50104; Tue, 25 Mar 2003 12:51:41 -0500 > Received: from gaia.valueweb.net ([216.219.253.52]:21995 "EHLO > gaia.valueweb.net") by relay04.valueweb.net with ESMTP > id ; Tue, 25 Mar 2003 12:52:39 -0500 > Received: from [67.104.187.162] ([67.104.187.162]:8219 "HELO > smtp1.valueweb.net") by gaia.valueweb.net with SMTP > id ; Tue, 25 Mar 2003 12:52:23 -0500 > Message-Id: <[EMAIL PROTECTED]> > Date: Tue, 25 Mar 2003 12:52:21 -0500 > To: [EMAIL PROTECTED] > From: "ARCO Computer Products, LLC." <[EMAIL PROTECTED]> > Subject: What If Your Hard Drive Crashed Right Now? > MIME-Version: 1.0 > Content-Type: text/html; charset="iso-8859-1"; format=flowed > X-RBL-Warning: WEIGHT20: Weight of 65 reaches or exceeds the > limit of 20. > X-Declude-Sender: [EMAIL PROTECTED] [216.219.253.238] > X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam. X-Spam-Tests-Failed: SPAMCHK, IPNOTINMX, WEIGHT10, WEIGHT20 [65] X-RCPT-TO: <[EMAIL PROTECTED]> Status: U X-UIDL: 337582254 --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Why BADHEADER for this?
>> Are you sure you matched this up correctly? << Declude Version 1.68i5. Here is "the chain of evidence" I followed: A) The snippet of our own, highly informative, bounce message showing the DECLUDE variables: ... (verbose text omitted) ... Mail Server: 161.225.2.41 for target.com [target.com] DNS Pointer: [No Reverse DNS] Host Name: exthub02.tgt.com Triggers: BADHEADERS, REVDNS, HELOBOGUS, IPNOTINMX, WEIGHTREPORT, WEIGHTHDR, WEIGHT10 (Total weight between 10 and 19.) More Info: http://www.dnsstuff.com/tools/ip4r.ch?ip=161.225.2.41 (Your server must not be black-listed!) http://www.dnsstuff.com/tools/ptr.ch?ip=161.225.2.41 (Your server must be properly registered in DNS with a reverse lookup pointer!) http://www.dnsstuff.com/tools/lookup.ch?name=exthub02.tgt.com&type=A (Your server must have a valid host name!) Countries: UNITED STATES->destination (Your email should not be routed back and forth between countries.) Message ID: <[EMAIL PROTECTED]> Queue ID: D30a30f17006e558b.SMD on Maywood-IS-0002.Webhost.HM-Software.com B) Here a snippet of the matching Declude log: Please note how the "subject" line is cut off after "BL" - exactly at the same point where the subject header advances to a new line! 03/24/2003 11:22:05 Q30a30f17006e558b BADHEADERS:5 REVDNS:5 HELOBOGUS:3 11:22:05 Q30a30f17006e558b Msg failed BADHEADERS (This E-mail was sent from a broken mail client [802c].). Action=WARN. 03/24/2003 11:22:05 Q30a30f17006e558b Msg failed REVDNS (This E-mail was sent from a MUA/MTA 161.225.2.41 with no reverse DNS entry.). Action=ALERT. 03/24/2003 11:22:05 Q30a30f17006e558b Msg failed HELOBOGUS (Domain exthub02.tgt.com has no MX or A records.). Action=WARN. 03/24/2003 11:22:05 Q30a30f17006e558b Msg failed WEIGHTREPORT (Weight of 13 reaches or exceeds the limit of 11.). Action=ALERT. 03/24/2003 11:22:05 Q30a30f17006e558b Msg failed WEIGHTHDR (Weight of 13 reaches or exceeds the limit of 1.). Action=WARN. 03/24/2003 11:22:05 Q30a30f17006e558b Msg failed WEIGHT10 (Total weight between 10 and 19.). Action=BOUNCE. 03/24/2003 11:22:05 Q30a30f17006e558b Subject: RE: MERVYNS CFM SMPL & AD SMPL Style:H-6659F LEA: F/C VOYAGER/ BL 03/24/2003 11:22:05 Q30a30f17006e558b From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 161.225.2.41 ID: 03/24/2003 11:22:05 Q30a30f17006e558b Msg failed BADHEADERS (This E-mail was sent from a broken mail client [802c].). Action=WARN. 03/24/2003 11:22:05 Q30a30f17006e558b Msg failed REVDNS (This E-mail was sent from a MUA/MTA 161.225.2.41 with no reverse DNS entry.). Action=ALERT. 03/24/2003 11:22:05 Q30a30f17006e558b Msg failed HELOBOGUS (Domain exthub02.tgt.com has no MX or A records.). Action=WARN. 03/24/2003 11:22:05 Q30a30f17006e558b Msg failed WEIGHTREPORT (Weight of 13 reaches or exceeds the limit of 11.). Action=ALERT. 03/24/2003 11:22:05 Q30a30f17006e558b Msg failed WEIGHTHDR (Weight of 13 reaches or exceeds the limit of 1.). Action=WARN. 03/24/2003 11:22:05 Q30a30f17006e558b Msg failed WEIGHT10 (Total weight between 10 and 19.). Action=BOUNCE. 03/24/2003 11:22:05 Q30a30f17006e558b Subject: RE: MERVYNS CFM SMPL & AD SMPL Style:H-6659F LEA: F/C VOYAGER/ BL 03/24/2003 11:22:05 Q30a30f17006e558b From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [EMAIL PROTECTED] IP: 161.225.2.41 ID: C) Here again the message header as appended by Declude to the Bounce message: From/To and Message ID matches the bounce message. Date/time in the Received header matches the beginning of the Declude header within 10 seconds. Received: from exthub02.tgt.com [161.225.2.41] by mail.webhost.hm-software.com with ESMTP (SMTPD32-7.07) id A0A3F17006E; Mon, 24 Mar 2003 11:21:55 -0500 Received: from msphub02.tgt.com ([10.104.240.124]) by exthub02.tgt.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2655.55) id FKTDP30V; Mon, 24 Mar 2003 10:27:38 -0600 Received: by msphub02.tgt.com with Internet Mail Service (5.5.2653.19) id ; Mon, 24 Mar 2003 10:21:51 -0600 Message-ID: <[EMAIL PROTECTED]> From: "Stacey.Riney" <[EMAIL PROTECTED]> To: "'Boehm-Bezing, Inga'" <[EMAIL PROTECTED]>, "Stacey.Riney" <[EMAIL PROTECTED]> Cc: Richard D'Angelo <[EMAIL PROTECTED]> Subject: RE: MERVYNS CFM SMPL & AD SMPL Style:H-6659F LEA: F/C VOYAGER/ BL K Date: Mon, 24 Mar 2003 10:23:28 -0600 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: multipart/alternative; boundary="_=_NextPart_001_01C2F221.B3D37EE0" --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Why BADHEADER for this?
This one returned code 802c (This E-mail has a bogus Date: header.) - however, the Date: header does look just fine? Are you sure you matched this up correctly? When I run it through here, it only triggers the SPAMHEADERS test (due to the string of spaces that appear in the subject), but not the BADHEADERS test. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Why BADHEADER for this?
Hi Scott: This one returned code 802c (This E-mail has a bogus Date: header.) - however, the Date: header does look just fine? May be the problem is the "Subject" header - as it appears to "wrap" around into a second line? But, then again, multi-line headers appear to be quite normal, because even the "Received" and "To" headers are multiline? Received: from exthub02.tgt.com [161.225.2.41] by mail.webhost.hm-software.com with ESMTP (SMTPD32-7.07) id A0A3F17006E; Mon, 24 Mar 2003 11:21:55 -0500 Received: from msphub02.tgt.com ([10.104.240.124]) by exthub02.tgt.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2655.55) id FKTDP30V; Mon, 24 Mar 2003 10:27:38 -0600 Received: by msphub02.tgt.com with Internet Mail Service (5.5.2653.19) id ; Mon, 24 Mar 2003 10:21:51 -0600 Message-ID: <[EMAIL PROTECTED]> From: "Stacey.Riney" <[EMAIL PROTECTED]> To: "'Boehm-Bezing, Inga'" <[EMAIL PROTECTED]>, "Stacey.Riney" <[EMAIL PROTECTED]> Cc: Richard D'Angelo <[EMAIL PROTECTED]> Subject: RE: MERVYNS CFM SMPL & AD SMPL Style:H-6659F LEA: F/C VOYAGER/ BL K Date: Mon, 24 Mar 2003 10:23:28 -0600 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: multipart/alternative; boundary="_=_NextPart_001_01C2F221.B3D37EE0" --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] How can I do this?
on 3/25/03 2:41 PM, Darrell LaRock wrote: > I am sure many people have noticed a lot of spam that is like this. > Consider a users email address like this [EMAIL PROTECTED] > > Then the subject of the email is > > bsmith, have you seen this blah blah > > Any thoughts on how to check to see if the right hand side of the email > address is contained in the subject? We use the Pro version of Declude and have setup filter tests for "," and "@" in the subject of messages. We give each test a low weighting but hope that these tests will push a message that fails other tests over the edge so that we can delete them. Greg --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] How can I do this?
I am sure many people have noticed a lot of spam that is like this. Consider a users email address like this [EMAIL PROTECTED] Then the subject of the email is bsmith, have you seen this blah blah Any thoughts on how to check to see if the right hand side of the email address is contained in the subject? Part of the problem here is when the username is likely to appear in the subject, such as "[EMAIL PROTECTED]" ("See you Thursday Joe!") or "[EMAIL PROTECTED]". But it does seem to be occurring much more frequently now, so a test for that could be useful in the weighting system. I'll see if we can add that. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] How can I do this?
I am sure many people have noticed a lot of spam that is like this. Consider a users email address like this [EMAIL PROTECTED] Then the subject of the email is bsmith, have you seen this blah blah Any thoughts on how to check to see if the right hand side of the email address is contained in the subject? Darrell --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Why Did This Get Through?
I'm see an on-again off-again occurrence of emails getting through that should of failed. Well, this one *did* fail: X-Spam-Tests-Failed: SPAMCHK, IPNOTINMX, WEIGHT10, WEIGHT20 [65] It failed the SPAMCHK and IPNOTINMX tests, which ended up giving the E-mail a very high weight (most likely, due to a high value in SPAMCHK). So my questions would be: [1] Should the E-mail have failed other tests? [2] Did Declude take the correct action on the E-mail, given the tests that it failed? -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Why Did This Get Through?
I'm see an on-again off-again occurrence of emails getting through that should of failed. Below are the headers...can anyone shed some light? Thanks Robert Received: from relay04.valueweb.net [216.219.253.238] by wjla.com with ESMTP (SMTPD32-7.06) id A72D1CA50104; Tue, 25 Mar 2003 12:51:41 -0500 Received: from gaia.valueweb.net ([216.219.253.52]:21995 "EHLO gaia.valueweb.net") by relay04.valueweb.net with ESMTP id ; Tue, 25 Mar 2003 12:52:39 -0500 Received: from [67.104.187.162] ([67.104.187.162]:8219 "HELO smtp1.valueweb.net") by gaia.valueweb.net with SMTP id ; Tue, 25 Mar 2003 12:52:23 -0500 Message-Id: <[EMAIL PROTECTED]> Date: Tue, 25 Mar 2003 12:52:21 -0500 To: [EMAIL PROTECTED] From: "ARCO Computer Products, LLC." <[EMAIL PROTECTED]> Subject: What If Your Hard Drive Crashed Right Now? MIME-Version: 1.0 Content-Type: text/html; charset="iso-8859-1"; format=flowed X-RBL-Warning: WEIGHT20: Weight of 65 reaches or exceeds the limit of 20. X-Declude-Sender: [EMAIL PROTECTED] [216.219.253.238] X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam. X-Spam-Tests-Failed: SPAMCHK, IPNOTINMX, WEIGHT10, WEIGHT20 [65] X-RCPT-TO: <[EMAIL PROTECTED]> Status: U X-UIDL: 337582254 --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] SpamManager/Declude Setup!
> Did you make any changes to the SpamManager config file or just leave it as > default? You want to use the Declude specific configuration options. They are in the pdf. SpamManager also has its own list service. [EMAIL PROTECTED] John Tolmachoff MCSE, CSSA IT Manager, Network Engineer RelianceSoft, Inc. Fullerton, CA 92835 www.reliancesoft.com --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Interesting test results
| What we are doing is to track the 2000 (user configurable) | most recent spammer | IP addresses. The list is maintained as an MRU style list | (sorted with the | most recent at the top). If incoming messages reach a user | defined score, the | IP address of the spammer is added to the list. | Here is what we found. After about 3 weeks of data | collection, only about 1 in | 400 incoming spams is identified by a DNS lookup, and NOT on | the list of the | 2000 most recent spammers. Also, of all the spams we receive | on all accounts, | about 43% are on the recent spammer list, meaning that almost | half of the | spams we receive are from senders that have spammed us before. This is one of the capabilities we're buiding into Message Sniffer v3. Our testing has shown similar results, however there are some complexities with these tests particularly where "gray" sources are found. As a result our implementation will resolve the IP address & other "network centric" tests first as "features" of the message. These features then become part of the input stream for the bayesian hinting engine. (It should be noted that the "bayesian hinting engine" is really more a blend of fuzzy logic, neural networks, and naieve baysian learning techniques... it's just easier to use the current buzz-word to describe it...) So far our simulations indicate some profound accuracy imrpovements when "new" spam arrives, and surprisingly also when non-spam from "gray" senders arrives. The early analysis indicates that the learning engine is picking up second and third order patterns associated with these message features... This has the effect of "gating" the effect of some heuristics which are ambiguous under other circumstances so that they only count when they can be accurate. It seems obvious that as a weighted test, the top "n" most used IPs are a good bet - similarly a suggestion for research would be to apply a logarithmic scale to the MRU list position and use that as a weight... This scheme can be particularly useful if the list is dynamically scaled because the relative weights of different list positions can be maintained as the number of entries on the list changes... This is a similar mechanism to our "Rule Strength" analysis which is used to gate out rules that are currently inactive. (See http://www.sortmonster.com/MessageSniffer/Performance/CurrentRuleStrengt h.jsp) Another important factor we have found for these kinds of tests is that there tends to be a periodicity to message rates from some networks... the result of this is that in a linear MRU paradigm some networks will appear and dissappear from the list resulting in "late blocking" on the same period. That is, a batch of unwanted content will come through and cause the IP to go to the top of the list, but then the flow falls off and the IP is dropped. Next time unwanted content comes in from that IP it is let through the filter for a time because the IP is not on the list... shortly it will be blocked again but during that "build up time" a significant amount of the content might be delivered. A counter to this "pulsing" effect is to develop in increasing "persistence" to the more highly listed IPs so that they tend to stay on the list through the "down" period. Another important balance for persistence however is to reduce it's effects based on any ambiguous or false positive hits... in fact it turns out that this "persistence reduction" should have a persistence of it's own so that periodic false-positive indications can be suppressed when there is mixed content from the source. Note that periodicity, gating, and persistence mechanisms are useful on may heuristics - not just IP based tests. I hope these thoughts spark some new ones the prove helpful... :-) _M --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] SpamManager/Declude Setup!
Hey John, Yes, I am using the weighting system. This information will be very useful! Did you make any changes to the SpamManager config file or just leave it as default? Sincerely, Grant Griffith, Vice President EI8HT LEGS Web Management Co., Inc. http://www.getafreewebsite.com 877-483-3393 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of John Tolmachoff Sent: Tuesday, March 25, 2003 11:48 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] SpamManager/Declude Setup! > I have just purchased SpamManager and am working on getting it setup and > running. Anyone have any information on setting this up to work well with > Declude? I am looking for any samples or anything. Are you using the weighting system with Declude? Here is what I do and what is recommended: SPMMGRSPAM1 external>17 "D:\Imail\SpamManager\noxmail.exe" 20 0 SPMMGRSPAM2 external>39 "D:\Imail\SpamManager\noxmail.exe" 10 0 SPMMGRSPAM3 external>99 "D:\Imail\SpamManager\noxmail.exe" 10 0 SPMMGRADULT1external<-17 "D:\Imail\SpamManager\noxmail.exe" 20 0 SPMMGRADULT2external<-39 "D:\Imail\SpamManager\noxmail.exe" 20 0 SPMMGRADULT3external<-74 "D:\Imail\SpamManager\noxmail.exe" 20 0 I am currently holding at 25 and deleting at 35. Let me know if you need a more detailed explanation. John Tolmachoff MCSE, CSSA IT Manager, Network Engineer RelianceSoft, Inc. Fullerton, CA 92835 www.reliancesoft.com --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Habeas headers
on 3/25/03 10:14 AM, John Tolmachoff wrote: > What is the originating IP address? 66.180.244.23 66.180.244.25 66.180.244.28 and I assume others. Greg --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Spamcheck
SpamChk is a free external test designed for declude junkmail. It can be used as "add-on" to make some content based tests. The result of the content based tests are returned as a weight to declude. So this result can make a part of the junkmail weighting system. SpamChk is also able to search for tipical legitimate mail properties and can give them a negative weight. This can help to avoid false positives. I suggest to try it out. The best way to see how it works is to scroll trough the logfile (with debug set to level 9) The setup should be very simple. I recommend to use the ini-file I've posted some days ago in this thread. Markus > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of andyb > Sent: Tuesday, March 25, 2003 6:03 PM > To: [EMAIL PROTECTED] > Subject: Re: [Declude.JunkMail] Spamcheck > > > What's the difference between spamcheck and declude? > --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] SpamManager/Declude Setup!
> I have just purchased SpamManager and am working on getting it setup and > running. Anyone have any information on setting this up to work well with > Declude? I am looking for any samples or anything. Are you using the weighting system with Declude? Here is what I do and what is recommended: SPMMGRSPAM1 external>17 "D:\Imail\SpamManager\noxmail.exe" 20 0 SPMMGRSPAM2 external>39 "D:\Imail\SpamManager\noxmail.exe" 10 0 SPMMGRSPAM3 external>99 "D:\Imail\SpamManager\noxmail.exe" 10 0 SPMMGRADULT1external<-17 "D:\Imail\SpamManager\noxmail.exe" 20 0 SPMMGRADULT2external<-39 "D:\Imail\SpamManager\noxmail.exe" 20 0 SPMMGRADULT3external<-74 "D:\Imail\SpamManager\noxmail.exe" 20 0 I am currently holding at 25 and deleting at 35. Let me know if you need a more detailed explanation. John Tolmachoff MCSE, CSSA IT Manager, Network Engineer RelianceSoft, Inc. Fullerton, CA 92835 www.reliancesoft.com --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] White list question
> >From: "preston whisenant" <[EMAIL PROTECTED]> Save Address > >Received: from lists2.texasstar.net [63.214.164.124] by LandDeals.com > > (SMTPD32-6.06) id AB5E4270284; Tue, 25 Mar 2003 15:53:02 + > >X-Originating-IP: [67.234.71.122] > >X-Originating-Email: [EMAIL PROTECTED] > >To: "CIBList" <[EMAIL PROTECTED]> > > In this case, I would recommend: > > WHITELIST IP 63.214.164.124 Or, if using Pro version and filters: HEADERS -50 CONTAINS [EMAIL PROTECTED] (Sorry, IMO, I reserve WHITELIST for when there is no other option.) John Tolmachoff MCSE, CSSA IT Manager, Network Engineer RelianceSoft, Inc. Fullerton, CA 92835 www.reliancesoft.com --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Spamcheck
What's the difference between spamcheck and declude? Spamcheck is an addon for Declude JunkMail ( http://www.declude.com/tools lists a number of addons for Declude). -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] SpamManager/Declude Setup!
Hello All, I have just purchased SpamManager and am working on getting it setup and running. Anyone have any information on setting this up to work well with Declude? I am looking for any samples or anything. Thanks! Sincerely, Grant Griffith, Vice President EI8HT LEGS Web Management Co., Inc. http://www.getafreewebsite.com 877-483-3393 --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] White list question
How do we white-list list serv messages when they come from the subscribers, not from the list? From: "preston whisenant" <[EMAIL PROTECTED]> Save Address Received: from lists2.texasstar.net [63.214.164.124] by LandDeals.com (SMTPD32-6.06) id AB5E4270284; Tue, 25 Mar 2003 15:53:02 + X-Originating-IP: [67.234.71.122] X-Originating-Email: [EMAIL PROTECTED] To: "CIBList" <[EMAIL PROTECTED]> In this case, I would recommend: WHITELIST IP 63.214.164.124 That will make sure that E-mails from the mailserver users by the list server get whitelisted. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Habeas headers
This should not be an issue since Habeas headers implies they are adhereing to the strict rules put forth by Habeas, and had to pay for the right to use them, if they are in violation, report them to Habeas, who will take legal action against topica.com for violating the agreement. Thanks, Chuck Frolick ArgoNet, Inc. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Helpdesk Sent: Tuesday, March 25, 2003 8:37 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Habeas headers If anyone is using the Habeas headers whitelist option you should be aware that topica.com is sending their messages with habeas headers. We have them blacklisted but since the whitelisting overrides everything, their messages were getting through. Greg --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] White list question
We have a customer who subscribes to a real estate service that sends info via a list serv. The messages are being diverted because they fail a few too many tests. How do we white-list list serv messages when they come from the subscribers, not from the list? Here are some headers: From: "preston whisenant" <[EMAIL PROTECTED]> Save Address Received: from lists2.texasstar.net [63.214.164.124] by LandDeals.com (SMTPD32-6.06) id AB5E4270284; Tue, 25 Mar 2003 15:53:02 + X-Originating-IP: [67.234.71.122] X-Originating-Email: [EMAIL PROTECTED] To: "CIBList" <[EMAIL PROTECTED]> [EMAIL PROTECTED] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Spamcheck
What's the difference between spamcheck and declude? - Original Message - From: "Frederick P. Squib, Jr." <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Saturday, March 22, 2003 7:47 PM Subject: RE: [Declude.JunkMail] Spamcheck > Tom, > http://www.riedmann.it/spamchk/ > > Been using it for a while and it works great. > > Fritz > > Frederick P. Squib, Jr. > Network Operations > Citizens Telephone Company > Citizens Internet Services > http://www.wpa.net > > --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Amazing!!
If this isn't the easiest way to get valid email addresses for spammers! -0- > -Original Message- > From: Hacking Emails > [mailto:ijnijnijnijnijnijnijnijnijnijnijnijnijnijnijnijnijnijn [EMAIL PROTECTED] Sent: Tuesday, March 25, 2003 5:25 AM To: Subject: Just send the email address u want to hack. We'll send u the password. Want to HACK any ones EMAIL ?. Just send 2 emails to [EMAIL PROTECTED] . In the first email write your-email-address in the subject line. Then immediately send the second email writing the-persons-email-address-u want-to-hack in the subject line. (remember, the second email should contain the persons id whom you want to hack. In the subject line). Thats all. If your request is qualified and passed. The password of the person you want to hack will be send to your email address in 48 hrs. But we do not take any respossibilities of non delivery. --- [This E-mail scanned for viruses by NETrends.com Virus Scanner] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Habeas headers
Several porn spammers are also using them. They claim that they are using verified opt-in lists, however we have seen several reports from customers that claim they never opted-in for any adult oriented material, however may have for other things. They are apparently buying their "opt-in" lists from other sources. We have one knowledgable customer that said his wife signed up for some TV shopping network newsletter, and within a week started getting adult messages marked with the Habeas headers. I have had several conversations with the Habeas people. While they claim they will go after violators of the Habeas copyright, I still have not figured out how they will stop spammers that buy what they claim to be legitimate opt-in lists. Here's the biggest problem with Habeas. Once the mark is abused, administrators will stop whitelisting it. They are not going to wait until the legal staff at Habeas is able to stop the use of the mark by a particular spammer. That could take months or longer. This will make Habeas completely ineffective almost overnight. One thing they could do is to add an additional header and force their licensees to use it. It would classify the source as being the original opt-in list owner, or a "business partner", meaning someone who bought or rented the list. At least this would help to identify the sender as being the source that you contacted rather then someone who you didn't. Actually, my opinion is that this concept will flame out long before it is ever determined to be useful. On 03/25/03 9:37am you wrote... >If anyone is using the Habeas headers whitelist option you should be aware >that topica.com is sending their messages with habeas headers. We have them >blacklisted but since the whitelisting overrides everything, their messages >were getting through. > >Greg > >--- >[This E-mail was scanned for viruses by Declude Virus >(http://www.declude.com)] > >--- >This E-mail came from the Declude.JunkMail mailing list. To >unsubscribe, just send an E-mail to [EMAIL PROTECTED], and >type "unsubscribe Declude.JunkMail". The archives can be found >at http://www.mail-archive.com. >ve.com. > --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Habeas headers
Report them. http://www.habeas.com/faq/index.htm#5.1 http://www.habeas.com/report/ What is the originating IP address? http://www.habeas.com/services/infringers.htm John Tolmachoff MCSE, CSSA IT Manager, Network Engineer RelianceSoft, Inc. Fullerton, CA 92835 www.reliancesoft.com > -Original Message- > From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- > [EMAIL PROTECTED] On Behalf Of Helpdesk > Sent: Tuesday, March 25, 2003 6:37 AM > To: [EMAIL PROTECTED] > Subject: [Declude.JunkMail] Habeas headers > > If anyone is using the Habeas headers whitelist option you should be aware > that topica.com is sending their messages with habeas headers. We have them > blacklisted but since the whitelisting overrides everything, their messages > were getting through. > > Greg > > --- > [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Habeas headers
If anyone is using the Habeas headers whitelist option you should be aware that topica.com is sending their messages with habeas headers. We have them blacklisted but since the whitelisting overrides everything, their messages were getting through. One option you can use here is to use the weighting system to subtract X points from the weight when the Habeas headers are encountered. However, I would *strongly* urge you to look at the E-mail that had the Habeas headers, to see whether or not it was sent to someone who requested it. If they requested it, they should get it. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Question On behavior
We have our domains postmaster addresses whitelisted. I noticed that a message coming in that has multiple recipients will be delivered to all the recipients mailboxes as long as it has a whitelisted postmaster address. This is not exactly the desired behavior I am looking for. Unfortunately, that is the behavior that is required. The problem is that you are dealing with a single E-mail with multiple recipients, not multiple E-mails. We are working on some creative ways to get around this, but there would still be some definite limitations. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Habeas headers
If anyone is using the Habeas headers whitelist option you should be aware that topica.com is sending their messages with habeas headers. We have them blacklisted but since the whitelisting overrides everything, their messages were getting through. Greg --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Question On behavior
We have our domains postmaster addresses whitelisted. I noticed that a message coming in that has multiple recipients will be delivered to all the recipients mailboxes as long as it has a whitelisted postmaster address. This is not exactly the desired behavior I am looking for. It should have blocked this mail from all recipients except the postmaster. 03/24/2003 22:08:17 Qc816661e001c6824 WORDFILTER:13 DSBL:5 WIREHUB-DNSBL:3 NOPOSTMASTER:1 BASE64:5 SNIFFER:8 . Total weight = 35 03/24/2003 22:08:17 Qc816661e001c6824 E-mail whitelisted - automatically passing all spam tests [EMAIL PROTECTED] 03/24/2003 22:08:17 Qc816661e001c6824 L1 Message OK 03/24/2003 22:08:17 Qc816661e001c6824 Subject: Pe**nis Enlargement Pills - Order today! 03/24/2003 22:08:17 Qc816661e001c6824 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 12.233.204.136 ID: 03/24/2003 22:08:17 Qc816661e001c6824 L2 Message OK 03/24/2003 22:08:17 Qc816661e001c6824 Subject: Pe**nis Enlargement Pills - Order today! 03/24/2003 22:08:17 Qc816661e001c6824 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [EMAIL PROTECTED] IP: 12.233.204.136 ID: 03/24/2003 22:08:17 Qc816661e001c6824 L3 Message OK 03/24/2003 22:08:17 Qc816661e001c6824 Subject: Penis Enlargement Pills - Order today! 03/24/2003 22:08:17 Qc816661e001c6824 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] IP: 12.233.204.136 ID: 20030324 220817 127.0.0.1 SMTP (1812) processing e:\imail\spool\Qc816661e001c6824.SMD 20030324 220817 127.0.0.1 SMTP (1812) ldeliver mail1.gannett-tv.com dlarock-main (1) [EMAIL PROTECTED] 4166 20030324 220817 127.0.0.1 SMTP (1812) ldeliver wfmy.com 2wantstoknow-main (1) [EMAIL PROTECTED] 4166 20030324 220817 127.0.0.1 SMTP (1812) forwarded message to [EMAIL PROTECTED],[EMAIL PROTECTED] 20030324 220817 127.0.0.1 SMTP (1812) finished e:\imail\spool\Qc816661e001c6824.SMD status=1 Any thoughts? Darrell --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Declude in the news
I think it is a good sign that "mainstream" products are starting to include DNS BL lookups. Symantec's products (and similar big names) are setting somewhat of a de-facto industry standard for the vast majority of less sophisticated "part-time" mail administrators who are only casually interested in email issues. I suspect, this will aid in the broader proliferation of SPAM filtering, give more credence to open relay databases - hopefully putting more pressure on "innocent" open relay servers to get their act together and in the long run allowing us to use them more aggressively. Currently, the usual defense of ignorant administrators running open relay or RFC non-compliant SMTP servers is that "we never had a problem sending to everyone else" - putting US on the defensive trying to explain why RFCs must be followed so that the variety of hardware, software, operating system and application brands all can communicate across the one Internet. Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax:+1 201 934-9206 --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Declude in the news
Get this... Declude.com gets a positive side-mention in this article describing the new version of Symantec's antivirus mail gateway, which includes some spam filtering capabilities. http://www.itworld.com/Net/3241/030324symantecgateway/ Andrew 8) --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.