RE: [Declude.JunkMail] SKIPIFVIRUSNAMEHAS

[Markus Gufler]

> And I have nothing for the recip.eml file, so I would like 
> suggestions on that one as well. (I screwed up earlier in the 
> week and deleted them all... I should know better than to do 
> work when I have the flu...).

At the moment I can't find any other virusname to skip.

For the recip.eml I've set 
SKIPIFVIRUSNAMEHAS Vulnerability

And I've creted a new vulnerability.eml with
SKIPIFVIRUSNAMEDOESNOTHAVE Vulnerability

So I can send out two different warnings for a real virus and a
vulnerability warning.

Markus

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

[Declude.JunkMail] WHITELISTFILE Logging issue

[Kevin Bilbee]

Scott,

I noticed the following error in my log file today. I am running LOGLEVEL
HIGH

06/13/2003 09:54:56 Q01dd03c7027e1f3c Using [incoming] CFG file
D:\IMAIL\Declude\$default$.junkmail.
06/13/2003 09:54:56 Q01dd03c7027e1f3c Skipping E-mail from [EMAIL PROTECTED];
whitelisted [EMAIL PROTECTED]
06/13/2003 09:54:56 Q01dd03c7027e1f3c Warning: misconfiguration in following
line in configuration file (D:\IMail\Declude\Whitelist.txt is not an
ACTION). May be a duplicate test definition?


This is the line in the $default$.junkmail
WHITELISTFILE D:\IMail\Declude\Whitelist.txt


Looking at this log fragment the whitelist is working but the pass checking
actions does not like the WHITELISTFILE line in the .junkmail file.


Kevin Bilbee

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

[Declude.JunkMail] spamdomains btinternet.com

[Sheldon Koehler]

Added:

btinternet.com


Sheldon


Sheldon Koehler, Owner/Partnerhttp://www.tenforward.com
Ten Forward Communications   360-457-9023
Nationwide access, neighborhood support!

"Whenever you find yourself on the side of the majority, it's time
to pause and reflect." Mark Twain


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

[Declude.JunkMail] Junkmail hiccup

[Karen D. Oland]

Scott,

I received a spam msg tonight that had no declude headers on it at all.  The
message was received last night just before the server was brought down for
maintenance and virus scanned just before that time as well. However, before
Junkmail got a chance to process it, down went the server.  It sat somewhere
(probably the queue) all night and 24 hours later dropped into my email box
(reason I checked headers was to add the new sender to our banned list -- no
headers there at all). Checking the various logs, Junkmail never saw the
message, but the message id was processed last thing last night and this
evening by IMAIL and last night by Virus.

So, just wanted to let you know that you can get messages that skip Junkmail
processing if they come in as you are going down for maint.  Perhaps for
scheduled things, there should be a recommended procedure to shut down the
IMAIL services for a few minutes first, until the queue is all delivered
(not that it will help during random or emergency shutdowns -- power outages
here sometimes result in unscheduled reboots).

Karen

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

[Declude.JunkMail] SKIPIFVIRUSNAMEHAS

[Sheldon Koehler]

OK, I am going through my config files and in the sender.eml file I have:

SKIPIFVIRUSNAMEHAS Yaha
SKIPIFVIRUSNAMEHAS Lentin
SKIPIFVIRUSNAMEHAS Magistr
SKIPIFVIRUSNAMEHAS Klez
SKIPIFVIRUSNAMEHAS Vulnerability
SKIPIFVIRUSNAMEHAS Bugbear
SKIPIFVIRUSNAMEHAS Bridex
SKIPIFVIRUSNAMEHAS Braid
SKIPIFVIRUSNAMEHAS Sobig
SKIPIFVIRUSNAMEHAS Palyh

And want to know if I am missing anything.

And I have nothing for the recip.eml file, so I would like suggestions on
that one as well. (I screwed up earlier in the week and deleted them all...
I should know better than to do work when I have the flu...).

Sheldon


Sheldon Koehler, Owner/Partnerhttp://www.tenforward.com
Ten Forward Communications   360-457-9023
Nationwide access, neighborhood support!

"Whenever you find yourself on the side of the majority, it's time
to pause and reflect." Mark Twain




---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] spam domains shaw.ca?

[Sheldon Koehler]

> First problem I heard about with Bell Canada.

I get a few of these per month from them:

> Reporting-MTA: dns; Hyperion.tenforward.com
> Arrival-Date: Mon,  9 Jun 2003 09:15:34 -0700 (PDT)
>
> Final-Recipient: rfc822; [EMAIL PROTECTED]
> Action: failed
> Status: 4.0.0
> Diagnostic-Code: X-Postfix; connect to
smtp.bellnexxia.net[209.226.175.82]:
> Operation timed out

Customer emails do not get through and they blame me for it... This happens
mostly with hosted domains on their system. This has been going on for about
2 years. Emails have never been responded to. Very frustrating!


Sheldon


Sheldon Koehler, Owner/Partnerhttp://www.tenforward.com
Ten Forward Communications   360-457-9023
Nationwide access, neighborhood support!

"Whenever you find yourself on the side of the majority, it's time
to pause and reflect." Mark Twain





---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] spam domains shaw.ca?

[John Tolmachoff \(Lists\)]

First problem I heard about with Bell Canada. 

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> [EMAIL PROTECTED] On Behalf Of Sheldon Koehler
> Sent: Friday, June 13, 2003 5:25 PM
> To: [EMAIL PROTECTED]
> Subject: [Declude.JunkMail] spam domains shaw.ca?
> 
> How can I look up what are legal rDNS's for shaw.ca? We get a lot of spam
> from them. Or are they like Bell Canada and could care less about being
> setup correctly?
> 
> ---
> [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]
> 
> ---
> This E-mail came from the Declude.JunkMail mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail".  The archives can be found
> at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

[Declude.JunkMail] spam domains shaw.ca?

[Sheldon Koehler]

How can I look up what are legal rDNS's for shaw.ca? We get a lot of spam
from them. Or are they like Bell Canada and could care less about being
setup correctly?

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] Counting

[Bill Landry]

Scott, in this vein, would it be possible to include ALL line numbers that
fail a particular filter test, at least in the logs at MID level logging?
It would be nice to know all lines of the filter file that were flagged.

Thanks,

Bill
- Original Message - 
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, June 13, 2003 7:59 AM
Subject: Re: [Declude.JunkMail] Counting


>
> >How did this get to Weight of 24.
>
> The easiest way to find out is to use LOGLEVEL MID, which will include a
> line in the log file with the weights.
>
> >If it finds the item in the email more then once does it accumulate.
>
> For a filter, it will only look at the first occurrence.  But, if multiple
> lines in the filter match the E-mail, then all of them will be used.  So
if
> you have a filter that starts off at 5 points with:
>
> BODY  1  CONTAINS  Hello
> BODY  2  CONTAINS  Goodbye
>
> and you have an E-mail that says "Hello Goodbye Goodbye", a total of 8
> points will be added to the E-mail (5 for failing the test, 1 for having
> "Hello" in there, and 2 for having "Goodbye" in there).
>
> >X-RBL-Warning: FILTER-BODY: Message failed FILTER-BODY test (936)
>
> Note that the "936" means that the line 936 is one of the lines that the
> E-mail failed.  There may be others.
>
> -Scott
> ---
> Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
> Declude Virus: Catches known viruses and is the leader in mailserver
> vulnerability detection.
> Find out what you have been missing: Ask for a free 30-day evaluation.
>
> ---
> [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.JunkMail mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail".  The archives can be found
> at http://www.mail-archive.com.
>

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] Character Entities

[Keith Johnson]

Title: Message



Are 
these type of emails been seen for awhile or are they new?  
Thanks...
 
Keith

  
  -Original Message-From: Keith Johnson 
  Sent: Friday, June 13, 2003 11:38 AMTo: 
  [EMAIL PROTECTED]Subject: [Declude.JunkMail] Character 
  Entities
  We are starting to see a flood of email that are 
  using character entities for letters and numbers (maybe a newbie question, 
  please forgive) that represent HTML hyperlinks to spam websites.  For 
  example, the number 9 represented with the numeric entity of & # 0 5 7 ; 
  (put together no spaces).  Has others seen this, and how are you 
  detecting it.  Thanks for the info.
  ___ 
  Keith 
  Johnson Network 
  Engineer Network Advocates, Inc. 
  Tel:   
  502.412.1050 Fax:  502.412.1058 Email:  [EMAIL PROTECTED] 
  "Good pings come in small packets" 

RE: [Declude.JunkMail] spam domains

[Karen D. Oland]

most likely, the problem is compuserve mail coming from bellsouth.net
(should be compuserve or aol.com

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Serge
Sent: Friday, June 13, 2003 3:37 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] spam domains


shouldn't this have failed spamdomains ?
Maybe i have a config problem, how to check ?


X-Priority: 3
X-MSMail-Priority: Normal
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client
[8014000e].
X-Declude-Sender: [EMAIL PROTECTED] [67.34.40.127]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for
spam.
X-Spam-Tests-Failed: BADHEADERS
X-weight: 8
X-Note: This E-mail was sent from adsl-34-40-127.mia.bellsouth.net
([67.34.40.127]).
X-RCPT-TO: 
Status: U
X-UIDL: 352738778

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] Declude Garbled Variables

[R. Scott Perry]

I noticed that most email coming from the t-online servers have mangled 
X-Declude Headers, e.g. the Reverse DNS is always replaced with the 
trailing end of the first "Received" time-stamp and the beginning of the 
Message-ID or whichever header happens to follow, e.g.
There is a new interim release v1.70i14 at 
http://www.declude.com/release/170i/declude.exe that takes care of this 
corruption.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] $default.$JunkMail

[Dale McDiarmid]

Thanks! That all makes sense now. Insert  here. ;o)

I'll set the postmasters to resolve to mailhost.etc.

D.



At 04:02 PM 6/13/2003 -0400, you wrote:

Are there any host aliases for "bookmans.com"?  Is 
"[EMAIL PROTECTED]" an alias that points to another user (and if 
so, what user)?
-One host alias for mailhost.bookmans.com, which is bookmans.com.
In this case, IMail will translate user accounts to 
"[EMAIL PROTECTED]" (the directory that Declude JunkMail would 
use), but:

-Postmaster alias resolves to [EMAIL PROTECTED]
For E-mail to the postmaster@ account, Declude JunkMail will use the 
\IMail\Declude\bookmans.com directory.

So in this case, you can either have the alias point to 
[EMAIL PROTECTED], or have 2 separate directories with the config 
files.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus 
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

[Declude.JunkMail] Declude Garbled Variables

[Andy Schmidt]

Title: Message



Hi 
Scott:
 
I noticed that most 
email coming from the t-online servers have mangled X-Declude Headers, e.g. the 
Reverse DNS is always replaced with the trailing end of the first "Received" 
time-stamp and the beginning of the Message-ID or whichever header happens to 
follow, e.g. 
 
    
"31:22 +0200 \n Message-ID: <0 "  or
    
"53:02 +0200 \n Reply-To: 
 
Also, the 
X-Countries has a "null string".
 
I 
have:
XINHEADER X-Declude: Version %VERSION%; 
%QUEUENAME% from %REVDNS% [%REMOTEIP%]XINHEADER X-Declude: Triggered 
%TESTSFAILED% [%WEIGHT%]XINHEADER X-Countries: 
%COUNTRYCHAIN%XINHEADER Return-Path: 
<%MAILFROM%>
 
 
Here are TWO 
different emails from two different senders using the same 
provider:
 
Received: from mailout03.sul.t-online.com 
[194.25.134.81] by hm-software.com with ESMTP  (SMTPD32-7.07) id 
A88AF4F0076; Fri, 13 Jun 2003 14:31:38 -0400Received: from 
fwd07.aul.t-online.de  by mailout03.sul.t-online.com with smtp 
 id 19QtKs-0005Fh-04; Fri, 13 Jun 2003 20:31:38 +0200Received: from 
harald ([EMAIL PROTECTED]]) 
by fwd07.sul.t-online.com with smtp id 19QtKc-1MKVvM0; Fri, 13 Jun 2003 
20:31:22 +0200Message-ID: <[EMAIL PROTECTED]>Reply-To: 
"Harald_Mergard" <[EMAIL PROTECTED]>From: 
[EMAIL PROTECTED] 
(Harald_Mergard)To: "Andy A Schmidt" <[EMAIL PROTECTED]>Subject: 
=?iso-8859-1?Q?Fw:_element_5_Marketing_Agreement_-_Marketingunterst=FCtzu?= =?iso-8859-1?Q?ng=2C_die_sich_lohnt!?=Date: 
Fri, 13 Jun 2003 20:31:21 +0200MIME-Version: 1.0Content-Type: 
multipart/mixed; boundary="=_NextPart_000_002A_01C331EA.C01C8A30"X-Priority: 
3X-MSMail-Priority: NormalX-Mailer: Microsoft Outlook Express 
6.00.2800.1158X-MIMEOLE: Produced By Microsoft MimeOLE 
V6.00.2800.1165X-Seen: falseX-ID: [EMAIL PROTECTED]X-Declude: 
Version 1.70i11; D188a0f4f0076db0f.SMD from 31:22 +0200Message-ID: <0 
[194.25.134.81]X-Declude: Triggered Whitelisted [0]X-Countries: 
Return-Path: <[EMAIL PROTECTED]>X-RCPT-TO: 
<[EMAIL PROTECTED]>Status: 
UX-UIDL: 353555725
 
 
 
Received: from mailout08.sul.t-online.com 
[194.25.134.20] by hm-software.com with ESMTP  (SMTPD32-7.07) id 
A1017DAF0072; Fri, 13 Jun 2003 04:53:21 -0400Received: from 
fwd04.aul.t-online.de  by mailout08.sul.t-online.com with smtp 
 id 19QkJF-0003TD-04; Fri, 13 Jun 2003 10:53:21 +0200Received: from 
gerharddell ([EMAIL PROTECTED]]) 
by fwd04.sul.t-online.com with smtp id 19QkIw-0YPJQG0; Fri, 13 Jun 2003 
10:53:02 +0200Reply-To: <[EMAIL PROTECTED]>From: 
[EMAIL PROTECTED] 
(Gerhard Huss)To: <[EMAIL PROTECTED]>Subject: 
mechanik-fruehwein.deDate: Fri, 13 Jun 2003 10:54:27 +0200Message-ID: 
<[EMAIL PROTECTED]>MIME-Version: 
1.0Content-Type: 
text/plain; charset="iso-8859-1"Content-Transfer-Encoding: 
8bitX-Priority: 3 (Normal)X-MSMail-Priority: NormalX-Mailer: 
Microsoft Outlook CWS, Build 9.0.2416 (9.0.2910.0)Importance: 
NormalX-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.X-Seen: 
falseX-ID: [EMAIL PROTECTED]X-Declude: 
Version 1.70i11; D91017daf00726e29.SMD from 53:02 +0200Reply-To: X-Declude: Triggered Whitelisted [0]X-Countries: 
Return-Path: <[EMAIL PROTECTED]>X-RCPT-TO: 
<[EMAIL PROTECTED]>Status: 
UX-UIDL: 353555634
 
 
Best 
RegardsAndy SchmidtH&M Systems Software, Inc.600 East Crescent 
Avenue, Suite 203Upper Saddle River, NJ 07458-1846Phone:  +1 201 934-3414 x20 
(Business)Fax:    +1 201 934-9206http://www.HM-Software.com/ 
 

Re: [Declude.JunkMail] $default.$JunkMail

[R. Scott Perry]

Are there any host aliases for "bookmans.com"?  Is 
"[EMAIL PROTECTED]" an alias that points to another user (and if 
so, what user)?
-One host alias for mailhost.bookmans.com, which is bookmans.com.
In this case, IMail will translate user accounts to 
"[EMAIL PROTECTED]" (the directory that Declude JunkMail would 
use), but:

-Postmaster alias resolves to [EMAIL PROTECTED]
For E-mail to the postmaster@ account, Declude JunkMail will use the 
\IMail\Declude\bookmans.com directory.

So in this case, you can either have the alias point to 
[EMAIL PROTECTED], or have 2 separate directories with the config 
files.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] spam domains

[R. Scott Perry]

shouldn't this have failed spamdomains ?
Maybe i have a config problem, how to check ?
X-Declude-Sender: 
[EMAIL PROTECTED] [67.34.40.127]
X-Note: This E-mail was sent from adsl-34-40-127.mia.bellsouth.net 
([67.34.40.127]).
This one is up to you to determine -- is there a line in your spamdomains 
text file that  would cause this E-mail to get caught?  You would need 
something like "compuserve.com" in your spamdomains.txt file for this to 
get caught.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] $default.$JunkMail

[Dale McDiarmid]

Are there any host aliases for "bookmans.com"?  Is 
"[EMAIL PROTECTED]" an alias that points to another user (and if so, 
what user)?
-One host alias for mailhost.bookmans.com, which is bookmans.com.
-Postmaster alias resolves to [EMAIL PROTECTED]
[EMAIL PROTECTED] is forwarded to [EMAIL PROTECTED]
[EMAIL PROTECTED] is forwarded to the employee who received the spam.
Sysadmin's the bucket for these and other assorted admin accounts.

For my other two domains:
-Each as one alias, theirdomain.com
-Postmaster resolves to [EMAIL PROTECTED]
[EMAIL PROTECTED] is forwarded to [EMAIL PROTECTED]
If nothing else, this question has me straightening some other admin 
accounts into a more organized setup.

Thx,
D.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

[Declude.JunkMail] spam domains

[Serge]

shouldn't this have failed spamdomains 
?
Maybe i have a config problem, how to check 
?
 
 
X-Priority: 3X-MSMail-Priority: 
NormalX-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail 
client [8014000e].X-Declude-Sender: [EMAIL PROTECTED] 
[67.34.40.127]X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for 
spam.X-Spam-Tests-Failed: BADHEADERSX-weight: 8X-Note: This E-mail 
was sent from adsl-34-40-127.mia.bellsouth.net ([67.34.40.127]).X-RCPT-TO: 
Status: UX-UIDL: 
352738778

Re: [Declude.JunkMail] $default.$JunkMail

[R. Scott Perry]

But, as I said, I'm just curious how this would happen. I didn't think any 
messages used the root's $default.$JunkMail if all my domain's have their own.
That is correct.  But there are some catches.

To: [EMAIL PROTECTED]
Are there any host aliases for "bookmans.com"?  Is 
"[EMAIL PROTECTED]" an alias that points to another user (and if so, 
what user)?

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

[Declude.JunkMail] $default.$JunkMail

[Dale McDiarmid]

I think I've solved this one, but am curious how it could have
happened...
I had an employee receive a spam which should have been labeled as spam
but was not. My setup has a $default.$JunkMail at the root of Declude
which only warns. Then I have a $default.$JunkMail for the domain which
labels spam as [Spam?]. All this has been working fine for
years.
It's as though this message was treated by the root's $default$JunkMail,
not the domain's. Perhaps it has something do with the message addressed
to [EMAIL PROTECTED] with the rest of the recipients as BCCs. But,
the postmaster was for mydomain so it should have been using the domain's
$default.$JunkMail.
Either way, I set the root $default.$JunkMail to label spam instead of
just warning, so this shouldn't happen again.
But, as I said, I'm just curious how this would happen. I didn't think
any messages used the root's $default.$JunkMail if all my domain's have
their own.
Thanks,
D.
Here's the gory details:
Reply-To: "Matthewson Jackson"<[EMAIL PROTECTED]>
From: "Matthewson Jackson"<[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject:
=?ISO-8859-3?B?cG9zdG1hc3RlcixTYW1wbGUgb2Ygd2VpZ2h0IGxvc3MgcHJvZHVjdCEg?=
Date: Fri, 13 Jun 2003 01:38:33 GMT
X-Mailer: Microsoft Outlook Express 6.00.2462.
X-RBL-Warning: ORDB: This mail was handled by an open relay - please
visit

X-RBL-Warning: OSRELAY: This entry was last confirmed open on
6/11/2003
X-RBL-Warning: SPAMCOP: Blocked - see
http://spamcop.net/bl.shtml?211.91.4.14
X-RBL-Warning: NOABUSE: Not supporting [EMAIL PROTECTED]
X-RBL-Warning: NOPOSTMASTER: Not supporting [EMAIL PROTECTED]
X-RBL-Warning: REVDNS: This E-mail was sent from a mail server
211.91.4.14 with no reverse DNS entry.
X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam
[4000120f].
X-RBL-Warning: WEIGHT10: Weight of 37 reaches or exceeds the limit of
10.
X-Declude-Spoolname: Df609128.SMD
X-Spam-Tests-Failed: ORDB, OSRELAY, SPAMCOP, NOABUSE, NOPOSTMASTER,
REVDNS, SPAMHEADERS, WEIGHT10

Re: [Declude.JunkMail] Counting

[R. Scott Perry]

Scott. Do you have any thoughts on how to get a list of all items in a test
that fails.
Yes.  This is something that we plan to add.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] Counting

[Frederick Samarelli]

Scott. Do you have any thoughts on how to get a list of all items in a test
that fails.


- Original Message - 
From: "Paul Navarre" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, June 13, 2003 11:02 AM
Subject: RE: [Declude.JunkMail] Counting


> > How did this get to Weight of 24.
>
> > FILTER-BODY filter c:\IMail\Declude\IMail_Filter_TextinBody.txt x 0 0
> > Item Listed had a weight of  4
>
> I am guessing that it caught more than one line in your filter. From what
I can see, it only lists
> the last item caught in your filter file, although it will give all of the
points for all of the
> lines caught.
>
> Scott, is there a way to have it list all of the lines caught in the
filter? I would find this very
> helpful.
>
> Paul Navarre
>
> ---
> [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.JunkMail mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail".  The archives can be found
> at http://www.mail-archive.com.
>

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] Spamdomains: Altavista

[Bill B.]

No, they don't have any paid email service.  They used to outsource their free mail 
service to critical path, but were paying too much for it with little ROI, so they 
just cut it out all together.

However I'd bet their corporate users still use @altavista.com, so always adding a 
weight may cause problems if your users receive mail from Altavista corportate.  But I 
bet all their employees will be switching to @overture.com email accounts soon anyway, 
so it might not be an issue.

Bill


-Original Message-
From: "Kami Razvan"
Sent: Fri, 13 Jun 2003 11:51:57 -0400
Subject: RE: [Declude.JunkMail] Spamdomains: Altavista


Hi Bill:

This is good to know... 

Do they have any paid service or any email with Altavista is not correct?
If they are not serving it then this email should not exist.

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bill B.
Sent: Friday, June 13, 2003 10:50 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Spamdomains: Altavista


Altavista discontinued their free email service about 2 years ago.  So if
you're still seeing spam using their domain, you could probably just add a
weight to any email from @altavista.com.

Bill


-Original Message-
From: "Kami Razvan"
Sent: Fri, 13 Jun 2003 06:58:41 -0400
Subject: [Declude.JunkMail] Spamdomains: Altavista


Hi;
 
Anyone knows much about Altavista for SPAMDOMAINS.
 
Regards,
Kami


---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe
Declude.JunkMail".  The archives can be found at
http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.



---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] Spamdomains: att.net

[Bill B.]

Here is my latest spamdomains list as well.  I updated the att.net as you mentioned, 
however I'd list it as "@att." in order to prevent false positives w/ something like 
"@matt.com".

Bill


-Original Message-
From: "Sheldon Koehler"
Sent: Fri, 13 Jun 2003 09:09:51 -0700
Subject: Re: [Declude.JunkMail] Spamdomains: att.net


> > I started out with Bill B.'s file and have been following this list with
> > changes. So far SPAMDOMAINS has worked like a dream.
>
> Could you post what you have so far? I was waiting for a good example file
> before I jumped in to using the test.

Attached is my latest version. But if you followed the list starting with
Bill B.'s version it should be pretty much the same. Thanks Bill!!!

Sheldon


Sheldon Koehler, Owner/Partnerhttp://www.tenforward.com
Ten Forward Communications   360-457-9023
Nationwide access, neighborhood support!

"Whenever you find yourself on the side of the majority, it's time
to pause and reflect." Mark Twain






sd.zip
Description: Zip archive

RE: [Declude.JunkMail] Spamdomains: att.net

[John Tolmachoff \(Lists\)]

> I wish we could have a central place that would maintain a list with
> up-to-date information so we all could use.
> 
> How can we do this?

I would be willing to host it. I could set up a specific e-mail address that
everyone could send updates to and I would then review and add it to the
list. It would then be a website text file.

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

[Declude.JunkMail] Spamdomains.. like COUNTRY

[Kami Razvan]

Title: Message



Scott:
 
Any chance of you 
handling spamdomains much like the Country filter?
 
you are perhaps 
best equipped to come up with a central depository that knows the addresses and 
their respective REVDNS info.
 
This is a great 
test and one that if we all can use effectively can all by itself block much 
spam.
 
Regards,
Kami

RE: [Declude.JunkMail] Spamdomains: att.net

[Kami Razvan]

Sheldon:

We have been so impressed with this test and I recently moved it to hold
weight.  No false positives.

I wish we could have a central place that would maintain a list with
up-to-date information so we all could use.

How can we do this?

Regards,
Kami


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sheldon Koehler
Sent: Friday, June 13, 2003 11:48 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Spamdomains: att.net


I had a spam get through that only failed sniffer. It said it came from
att.com and I only had att.net in the sd.txt file. So I changed it to:

att.att.

I started out with Bill B.'s file and have been following this list with
changes. So far SPAMDOMAINS has worked like a dream.

With the exception of the one this morning (to one of my alias's), spam has
only got past if a user is whitelisted. I sure wish there was a way to stop
spam from going to the users that are not whitelisted...

Sheldon


Sheldon Koehler, Owner/Partnerhttp://www.tenforward.com
Ten Forward Communications   360-457-9023
Nationwide access, neighborhood support!

"Whenever you find yourself on the side of the majority, it's time to pause
and reflect." Mark Twain


---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe
Declude.JunkMail".  The archives can be found at
http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] Spamdomains: att.net

[Sheldon Koehler]

> > I started out with Bill B.'s file and have been following this list with
> > changes. So far SPAMDOMAINS has worked like a dream.
>
> Could you post what you have so far? I was waiting for a good example file
> before I jumped in to using the test.

Attached is my latest version. But if you followed the list starting with
Bill B.'s version it should be pretty much the same. Thanks Bill!!!

Sheldon


Sheldon Koehler, Owner/Partnerhttp://www.tenforward.com
Ten Forward Communications   360-457-9023
Nationwide access, neighborhood support!

"Whenever you find yourself on the side of the majority, it's time
to pause and reflect." Mark Twain

amazon.com
aol.com netscape.net
att.att.
attbi.com
bellatlantic.netverizon.net
bellsouth.net
charter.net
china.com
comcast.net
compuserve.com  .aol.com
concentric. .cnchost.com
cox.net
cs.com  .aol.com
earthlink.
email.itwebmessenger.it
excite.com  excitenetwork.com
gte.net verizon.net
hotmail.com msn.com
juno.comuntd.com
lycos.com
lycos.atspray.net
mac.com apple.com
mailcity.comlycos.com
mindspring. earthlink.
msn.com hotmail.com
netscape.netaol.com
netzero.com untd.com
prodigy.prodigy.
qwest.net
.rr.com
sympatico.cabellnexxia.net
usa.net mx.net
@yahoo. .yahoo.
zzn.com mailcentro.com

@2die4.com  outblaze.com
@accountant.com outblaze.com
@adexec.com outblaze.com
@africamail.com outblaze.com
@allergist.com  outblaze.com
@alumnidirector.com outblaze.com
@archaeologist.com  outblaze.com
@arcticmail.com outblaze.com
@artlover.com   outblaze.com
@asia.com   outblaze.com
@australiamail.com  outblaze.com
@berlin.com outblaze.com
@bikerider.com  outblaze.com
@catlover.com   outblaze.com
@cheerful.com   outblaze.com
@chemist.comoutblaze.com
@clerk.com  outblaze.com
@cliffhanger.comoutblaze.com
@columnist.com  outblaze.com
@comic.com  outblaze.com
@consultant.com outblaze.com
@counsellor.com outblaze.com
@cutey.com  outblaze.com
@deliveryman.comoutblaze.com
@diplomats.com  outblaze.com
@doctor.com outblaze.com
@doglover.com   outblaze.com
@dr.com outblaze.com
@dublin.com outblaze.com
@earthling.net  outblaze.com
@email.com  outblaze.com
@engineer.com   outblaze.com
@europe.com outblaze.com
@execs.com  outblaze.com
@financier.com  outblaze.com
@gardener.com   outblaze.com
@geologist.com  outblaze.com
@graphic-designer.com   outblaze.com
@hairdresser.netoutblaze.com
@hot-shot.com   outblaze.com
@iname.com  outblaze.com
@inorbit.comoutblaze.com
@insurer.comoutblaze.com
@japan.com  outblaze.com
@journalist.com outblaze.com
@lawyer.com outblaze.com
@legislator.com outblaze.com
@lobbyist.com   outblaze.com
@london.com outblaze.com
@loveable.com   outblaze.com
@mad.scientist.com  outblaze.com
@madrid.com outblaze.com
@mail.com   outblaze.com
@mindless.com   outblaze.com
@minister.com   outblaze.com
@moscowmail.com outblaze.com
@munich.com outblaze.com
@musician.org   outblaze.com
@myself.com outblaze.com
@nycmail.comoutblaze.com
@optician.com   outblaze.com
@paris.com  outblaze.com
@pediatrician.com   outblaze.com
@playful.comoutblaze.com
@poetic.com outblaze.com
@popstar.comoutblaze.com
@post.com   outblaze.com
@presidency.com outblaze.com
@priest.com outblaze.com
@programmer.net outblaze.com
@publicist.com  outblaze.com
@realtyagent.comoutblaze.com
@registerednurses.com   outblaze.com
@repairman.com  outblaze.com
@representative.com outblaze.com
@rescueteam.com outblaze.com
@rome.com   outblaze.com
@saintly.comoutblaze.com
@samerica.com   outblaze.com
@sanfranmail.comoutblaze.com
@scientist.com  outblaze.com
@seductive.com  outblaze.com
@singapore.com  outblaze.com
@sociologist.comoutblaze.com
@soon.com   outblaze.com
@teacher.comoutblaze.com
@techie.com outblaze.com
@tokyo.com  outblaze.com
@umpire.com outblaze.com
@usa.comoutblaze.com
@whoever.comoutblaze.com
@winning.comoutblaze.com
@witty.com  outblaze.com
@writeme.comoutblaze.com
@yours.com  outblaze.com

RE: [Declude.JunkMail] Counting

[R. Scott Perry]

I am guessing that it caught more than one line in your filter. From what 
I can see, it only lists
the last item caught in your filter file, although it will give all of the 
points for all of the
lines caught.

Scott, is there a way to have it list all of the lines caught in the 
filter? I would find this very
helpful.
That's something we are going to try to add.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] Why did this fail MAILFROM?

[R. Scott Perry]

Can someone help me understand why the below e-mail failed the MAILFROM
test?
The MAILFROM test checks to see if the domain in the return address can 
accept mail (it needs to have either an MX or A record).  In this case:

X-Declude-Sender: [EMAIL PROTECTED] [66.163.168.183]
The return address is [EMAIL PROTECTED], and the "awhitfield.net" 
domain doesn't exist.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] Spamdomains: att.net

[Joshua Levitsky]

> From: "Sheldon Koehler" <[EMAIL PROTECTED]>
> Organization: www.tenforward.com
> Reply-To: [EMAIL PROTECTED]
> Date: Fri, 13 Jun 2003 08:48:07 -0700
> To: <[EMAIL PROTECTED]>
> Subject: [Declude.JunkMail] Spamdomains: att.net
> 
> I had a spam get through that only failed sniffer. It said it came from
> att.com and I only had att.net in the sd.txt file. So I changed it to:
> 
> att.att.
> 
> I started out with Bill B.'s file and have been following this list with
> changes. So far SPAMDOMAINS has worked like a dream.

Could you post what you have so far? I was waiting for a good example file
before I jumped in to using the test.

-Josh

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

[Declude.JunkMail] Why did this fail MAILFROM?

[Dan Geiser]

Hello, All,
Can someone help me understand why the below e-mail failed the MAILFROM
test?

-
Received: from smtp804.mail.sc5.yahoo.com [66.163.168.183] by
communitycenterbanking.com
  (SMTPD32-6.06) id A2B1F6B010E; Thu, 12 Jun 2003 21:02:41 -0400
Received: from adsl-65-43-151-114.dsl.bcvloh.ameritech.net (HELO Toshiba01)
([EMAIL PROTECTED]@65.43.151.114 with login)
  by smtp-sbc-v1.mail.vip.sc5.yahoo.com with SMTP; 13 Jun 2003
01:02:40 -
From: "Anthony R. Whitfield - Personal" <[EMAIL PROTECTED]>
To: "Paul Taylor" <[EMAIL PROTECTED]>
Subject: June
Date: Thu, 12 Jun 2003 21:02:35 -0400
Organization: The Information Technologists
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: multipart/related;
 boundary="=_NextPart_000_0007_01C33125.F3C0B6B0"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.4510
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
X-Declude-Sender: [EMAIL PROTECTED] [66.163.168.183]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for
spam.
X-Spam-Tests-Failed: MAILFROM, IPNOTINMX, WEIGHT07, WEIGHT09, WEIGHT10 [12]
X-Spam-Prob: 0.516189
-

Thanks, Much!
Dan Geiser [EMAIL PROTECTED]


This E-mail is scanned and free from viruses. www.nexustechgroup.com

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] Spamdomains: Altavista

[Kami Razvan]

Hi Bill:

This is good to know... 

Do they have any paid service or any email with Altavista is not correct?
If they are not serving it then this email should not exist.

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bill B.
Sent: Friday, June 13, 2003 10:50 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Spamdomains: Altavista


Altavista discontinued their free email service about 2 years ago.  So if
you're still seeing spam using their domain, you could probably just add a
weight to any email from @altavista.com.

Bill


-Original Message-
From: "Kami Razvan"
Sent: Fri, 13 Jun 2003 06:58:41 -0400
Subject: [Declude.JunkMail] Spamdomains: Altavista


Hi;
 
Anyone knows much about Altavista for SPAMDOMAINS.
 
Regards,
Kami


---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe
Declude.JunkMail".  The archives can be found at
http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

[Declude.JunkMail] Spamdomains: att.net

[Sheldon Koehler]

I had a spam get through that only failed sniffer. It said it came from
att.com and I only had att.net in the sd.txt file. So I changed it to:

att.att.

I started out with Bill B.'s file and have been following this list with
changes. So far SPAMDOMAINS has worked like a dream.

With the exception of the one this morning (to one of my alias's), spam has
only got past if a user is whitelisted. I sure wish there was a way to stop
spam from going to the users that are not whitelisted...

Sheldon


Sheldon Koehler, Owner/Partnerhttp://www.tenforward.com
Ten Forward Communications   360-457-9023
Nationwide access, neighborhood support!

"Whenever you find yourself on the side of the majority, it's time
to pause and reflect." Mark Twain


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

[Declude.JunkMail] Character Entities

[Keith Johnson]

Title: Character Entities






We are starting to see a flood of email that are using character entities for letters and numbers (maybe a newbie question, please forgive) that represent HTML hyperlinks to spam websites.  For example, the number 9 represented with the numeric entity of & # 0 5 7 ; (put together no spaces).  Has others seen this, and how are you detecting it.  Thanks for the info.

___


Keith Johnson

Network Engineer

Network Advocates, Inc.

Tel:   502.412.1050

Fax:  502.412.1058

Email:  [EMAIL PROTECTED]


"Good pings come in small packets"

RE: [Declude.JunkMail] Counting

[Paul Navarre]

> How did this get to Weight of 24.

> FILTER-BODY filter c:\IMail\Declude\IMail_Filter_TextinBody.txt x 0 0
> Item Listed had a weight of  4

I am guessing that it caught more than one line in your filter. From what I can see, 
it only lists
the last item caught in your filter file, although it will give all of the points for 
all of the
lines caught.

Scott, is there a way to have it list all of the lines caught in the filter? I would 
find this very
helpful.

Paul Navarre

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] Counting

[R. Scott Perry]

How did this get to Weight of 24.
The easiest way to find out is to use LOGLEVEL MID, which will include a 
line in the log file with the weights.

If it finds the item in the email more then once does it accumulate.
For a filter, it will only look at the first occurrence.  But, if multiple 
lines in the filter match the E-mail, then all of them will be used.  So if 
you have a filter that starts off at 5 points with:

BODY  1  CONTAINS  Hello
BODY  2  CONTAINS  Goodbye
and you have an E-mail that says "Hello Goodbye Goodbye", a total of 8 
points will be added to the E-mail (5 for failing the test, 1 for having 
"Hello" in there, and 2 for having "Goodbye" in there).

X-RBL-Warning: FILTER-BODY: Message failed FILTER-BODY test (936)
Note that the "936" means that the line 936 is one of the lines that the 
E-mail failed.  There may be others.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] Spamdomains: Altavista

[Bill B.]

Altavista discontinued their free email service about 2 years ago.  So if you're still 
seeing spam using their domain, you could probably just add a weight to any email from 
@altavista.com.

Bill


-Original Message-
From: "Kami Razvan"
Sent: Fri, 13 Jun 2003 06:58:41 -0400
Subject: [Declude.JunkMail] Spamdomains: Altavista


Hi;
 
Anyone knows much about Altavista for SPAMDOMAINS.
 
Regards,
Kami


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

[Declude.JunkMail] Counting

[Frederick Samarelli]

How did this get to Weight of 24.

If it finds the item in the email more then once does it accumulate.

X-RBL-Warning: FILTER-BODY: Message failed FILTER-BODY test (936)
X-RBL-Warning: HELOBOGUS: Domain wdcsun022.usdoj.gov has no MX or A records.
X-Declude-Sender: [EMAIL PROTECTED] [149.101.1.103]
X-Declude-Spoolname: Dbfd2034d02a88998.SMD
X-Note: Total spam weight of this E-mail is 24.


global.cfg
HELOBOGUS helovalid x x 1 0

FILTER-BODY filter c:\IMail\Declude\IMail_Filter_TextinBody.txt x 0 0
Item Listed had a weight of  4

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

[Declude.JunkMail] Spamdomains: Altavista

[Kami Razvan]

Title: Message



Hi;
 
Anyone knows much 
about Altavista for SPAMDOMAINS.
 
Regards,
Kami