Re: [Declude.JunkMail] Tests turned up

2003-07-02 Thread Bill Landry



The settings of the tests are really a personal 
preference, and you will need to tune them over time to meet your specific needs 
and requirements.  The default settings are conservative and safe, so you 
can certainly start using Declude with these settings.  You should only 
enable the Sniffer test if you actually have the application.  You can find 
out more about the Sniffer plug-in for Declude at www.sortmonster.com.
 
Bill

  - Original Message - 
  From: News
  To: [EMAIL PROTECTED]
  Sent: Wednesday, July 02, 2003 8:54 PM
  Subject: [Declude.JunkMail] Tests turned up

  Does anyone have advice on their favorite settings for the standard tests?:
  I am using the PRO version, should sniffer be turned on?

  DSBL          HOLD
  ORDB          WARN
  OSDUL         WARN
  OSFORM        WARN
  OSLIST        WARN
  OSRELAY       WARN
  OSSMART       WARN
  OSSOFT        HOLD
  OSSRC         HOLD
  SPAMCOP       HOLD

  DSN           WARN
  NOABUSE       WARN
  NOPOSTMASTER  WARN

  BADHEADERS    WARN
  HELOBOGUS     HOLD
  MAILFROM      WARN
  PERCENT       HOLD
  REVDNS        WARN
  ROUTING       WARN
  SPAMHEADERS   HOLD

  #SNIFFER      WARN

  WEIGHT10      WARN
  WEIGHT20      HOLD


[Declude.JunkMail] Tests turned up

2003-07-02 Thread News








Does anyone have advice on their favorite settings for the standard tests?:
I am using the PRO version, should sniffer be turned on?

DSBL          HOLD
ORDB          WARN
OSDUL         WARN
OSFORM        WARN
OSLIST        WARN
OSRELAY       WARN
OSSMART       WARN
OSSOFT        HOLD
OSSRC         HOLD
SPAMCOP       HOLD

DSN           WARN
NOABUSE       WARN
NOPOSTMASTER  WARN

BADHEADERS    WARN
HELOBOGUS     HOLD
MAILFROM      WARN
PERCENT       HOLD
REVDNS        WARN
ROUTING       WARN
SPAMHEADERS   HOLD

#SNIFFER      WARN

WEIGHT10      WARN
WEIGHT20      HOLD

 








RE: [Declude.JunkMail] Multiple actions and Weight

2003-07-02 Thread John Tolmachoff (Lists)
> I send the TESTSFAILED in the spamattach message body with the attached
> mail. It looks like it failed an incredible number of tests but it
> really only failed the HELOBOGUS, IPNOTINMX, FROMFILE, SNIFFER

Although I do not use spamattach, I only use TESTSFAILED in the headers.

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] Multiple actions and Weight

2003-07-02 Thread David Stavert
Scott
> The weight and weightrange test types don't add to the weight of the 
> E-mail, so that won't be an issue.

I did a very poor job of explaining my problem. Very poor. Extremely
poor. This is really about reporting. If I have a WEIGHT10 test and a
WEIGHT20 test, %TESTSFAILED% will show WEIGHT10, WEIGHT20 plus all the
tests that failed assuming the weight hits 20. Because I use duplicate
tests WEIGHT10 and WEIGHT10a, WEIGHT20 and WEIGHT20a etc. I have all the
weight tests show in with TESTSFAILED. In reality I have WEIGHT10,
WEIGHT12, WEIGHT15, and 20 plus some of them duplicated, to handle some
odd situations so TESTSFAILED shows all of them as well as the actual
tests. I have had to explain more than once why Grandma's email failed so
many tests. I also have a couple of WEIGHTRANGES so that adds to the
problem as well. It isn't unusual to have a string as an example
HELOBOGUS, IPNOTINMX, FROMFILE, SNIFFER, WEIGHT0, WEIGHT9, WEIGHT9a,
WEIGHT10, WEIGHT10a, WEIGHT12, WEIGHT12a, WEIGHT15, WEIGHT15a, WEIGHT20,
WEIGHT20a, WEIGHT21_200, WEIGHT21_200a

I send the TESTSFAILED in the spamattach message body with the attached
mail. It looks like it failed an incredible number of tests but it
really only failed the HELOBOGUS, IPNOTINMX, FROMFILE, SNIFFER



Thanks
David Stavert
 



RE: [Declude.JunkMail] AUTH emails can be flagged

2003-07-02 Thread Kevin Bilbee
I second that. That is one of my biggest issues when people travel and
connect with dialup or dsl or the likes.


Kevin Bilbee

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Bill B.
Sent: Wednesday, July 02, 2003 7:00 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] AUTH emails can be flagged


Scott,

I noticed that IMail 8.0 HF1 now includes the anticipated "A" lines in the
Q*.SMD files when a user is authenticated via SMTP AUTH.  The format is:

[EMAIL PROTECTED]

Can you incorporate this into a new test so that we can reduce the weight on
emails that are sent using SMTP Authentication?

Thanks,
Bill




[Declude.JunkMail] AUTH emails can be flagged

2003-07-02 Thread Bill B.
Scott,

I noticed that IMail 8.0 HF1 now includes the anticipated "A" lines in the Q*.SMD 
files when a user is authenticated via SMTP AUTH.  The format is:

[EMAIL PROTECTED]

Can you incorporate this into a new test so that we can reduce the weight on emails 
that are sent using SMTP Authentication?

Thanks,
Bill




[Declude.JunkMail] re: Strange logging

2003-07-02 Thread Kevin Bilbee
Note some of the log lines in the attached log snip are merged together. I
caught this when my log analyser told me that I have a test called
SPAM07/02/2003

LOGLEVELHIGH
Declude version 1.70i14

Look at the time slice of 09:24:32 - 09:24:33; it looks like 6 processes were
trying to write to the log at the same time.


Kevin Bilbee
Network Administrator
Standard Abrasives, Inc.
[EMAIL PROTECTED]
(805) 520-5800 x7332

Changing the way industry works.
07/02/2003 09:24:31 Q072801b4d40e REVDNS:8 ROUTING:4 .  Total weight = 12
07/02/2003 09:24:31 Q072801b4d40e Msg failed REVDNS (This E-mail was sent from a 
MUA/MTA 203.194.209.177 with no reverse DNS entry.). Action=IGNORE.
07/02/2003 09:24:31 Q072801b4d40e Msg failed ROUTING (This E-mail was routed in a 
poor manner consistent with spam [210f].). Action=IGNORE.
07/02/2003 09:24:31 Q072801b4d40e Msg failed WEIGHT5 (Weight of 12 reaches or 
exceeds the limit of 5.). Action=IGNORE.
07/02/2003 09:24:31 Q072801b4d40e Msg failed SPAM-LOW (Total weight between 11 and 
12.). Action=IGNORE.
07/02/2003 09:24:31 Q072801b4d40e R1 Message OK
07/02/2003 09:24:31 Q072801b4d40e Using [incoming] CFG file 
D:\IMAIL\Declude\$default$.junkmail.
07/02/2003 09:24:31 Q072803890036d440 REVDNS:8 ROUTING:4 .  Total weight = 12
07/02/2003 09:24:31 Q072803890036d440 Msg failed REVDNS (This E-mail was sent from a 
MUA/MTA 203.194.209.177 with no reverse DNS entry.). Action=IGNORE.
07/02/2003 09:24:31 Q072803890036d440 Msg failed ROUTING (This E-mail was routed in a 
poor manner consistent with spam [210f].). Action=IGNORE.
07/02/2003 09:24:31 Q072803890036d440 Msg failed WEIGHT5 (Weight of 12 reaches or 
exceeds the limit of 5.). Action=IGNORE.
07/02/2003 09:24:31 Q072803890036d440 Msg failed SPAM-LOW (Total weight between 11 and 
12.). Action=IGNORE.
07/02/2003 09:24:31 Q072803890036d440 R1 Message OK
07/02/2003 09:24:31 Q072803890036d440 Using [incoming] CFG file 
D:\IMAIL\Declude\$default$.junkmail.
07/02/2003 09:24:32 Q0728012a00b0d4a4 REVDNS:8 ROUTING:4 .  Total weight = 12
07/02/2003 09:24:32 Q0728012a00b0d4a4 Msg failed REVDNS (This E-mail was sent from a 
MUA/MTA 203.194.209.177 with no reverse DNS entry.). Action=IGNORE.
07/02/2003 09:24:32 Q0728012a00b0d4a4 Msg failed ROUTING (This E-mail was routed in a 
poor manner consistent with spam [210f].). Action=IGNORE.
07/02/2003 09:24:32 Q0728012a00b0d4a4 Msg failed WEIGHT5 (Weight of 12 reaches or 
exceeds the limit of 5.). Action=IGNORE.
07/02/2003 09:24:32 Q0728012a00b0d4a4 Msg failed SPAM-LOW (Total weight between 11 and 
12.). Action=IGNORE.
07/02/2003 09:24:32 Q0728012a00b0d4a4 R1 Message OK
07/02/2003 09:24:32 Q0728012a00b0d4a4 Using [incoming] CFG file 
D:\IMAIL\Declude\$default$.junkmail.
07/02/2003 09:24:32 Q0728012a00b0d4a4 Msg failed REVDNS (This E-mail was sent from a 
MUA/MTA 203.194.209.177 with no reverse DNS entry.). Action=WARN.
07/02/2003 09:24:32 Q0728012a00b0d4a4 Msg failed ROUTING (This E-mail was routed in a 
poor manner consistent with spam [210f].). Action=WARN.
07/02/2003 09:24:32 Q072803890036d440 Msg failed REVDNS (This E-mail was sent from a 
MUA/MTA 203.194.209.177 with no reverse07/02/2003 09:24:32 Q07297/02/2003 09:24:32 
Q072801b4d40e Msg failed REVDNS (This E-mail was sent from a MUA/MTA 
203.194.209.177 with no reverse DNS entry.). Action=WARN.
07/02/2003 09:24:33 Q072801b4d40e Msg failed ROUTING (This E-mail was routed in a 
poor manner consistent with spam [210f].). Action=WARN.
07/02/2003 09:24:33 Q072801b4d40e Msg failed WEIGHT5 (Weight of 12 reaches or 
exceeds the limit of 5.). Action=IGNORE.
07/02/2003 09:24:32 Q0729000e00e2d923 REVDNS:8 ROUTING:4 .  Total weight = 12
 11 and 12.). Action=SUBJECT.
07/02/2003 09:24:33 Q0729001300ead7ed REVDNS:8 ROUTING:4 .  Total weight = 12
rom a MUA/MTA 203.194.209.177 with no reverse DNS entry.). Action=IG07/02/2003 
09:24:33 Q0729000e00e6d85b REVDNS:8 ROUTING:4 .  Total weight = 12
07/02/2003 09:24:33 Q0729000f00d2d5d0 REVDNS:8 ROUTING:4 .  Total weight = 12
07/02/2003 09:24:33 Q0729001200bed685 REVDNS:8 ROUTING:4 .  Total weight = 12
07/02/2003 09:24:33 Q0728012a00b0d4a4 L2 Message OK
07/02/2003 09:24:33 Q072803890036d440 Msg failed WEIGHT5 (Weight of 12 reaches or 
exceeds the limit of 5.). Action=IGNORE.
 DNS entry.). Action=IGNORE.
07/02/2003 09:24:33 Q0729000f00e8d7f7 Msg failed ROUTING (This E-mail was routed in a 
poor manner consistent with spam [210f].). Action=IGNORE.
RE.
07/02/2003 09:24:33 Q0729000e00e4d883 Msg failed REVDNS (This E-mail was sent from a 
MUA/MTA 203.194.209.177 with no reverse DNS entry.). Action=IGNORE.
07/02/2003 09:24:33 Q0729001400ecd707 Msg failed REVDNS (This E-mail was sent from a 
MUA/MTA 203.194.209.177 with no reverse DNS entry.). Action=IGNORE.
07/02/2003 09:24:33 Q0729001200bed685 Msg failed REVDNS (This E-mail was sent from a 
MUA/MTA 203.194.209.177 with no reverse DNS entry.). Action=IGNORE.
07/02/2003 09:
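
An added example, not part of the original post or of Declude: a strict line validator that flags records damaged by interleaved writes before a log analyser counts them, so a merged line cannot produce a phantom test name such as SPAM07/02/2003. The sample lines are constructed in the style of the log above (one record per line, as on disk), and the function names are hypothetical.

```python
import re

STAMP = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"
# A well-formed record: timestamp, queue id, then the message text.
RECORD = re.compile(rf"^({STAMP}) (Q[0-9a-f]+) (.*)$")
# A complete test-failure record ends with "Action=<NAME>."
FAILED = re.compile(r"^Msg failed ([A-Z0-9_-]+) \((.*)\)\. Action=([A-Z]+)\.$")

# Constructed sample. Lines 3 to 5 imitate several processes writing at once.
SAMPLE_LOG = "\n".join([
    "07/02/2003 09:24:31 Q072801b4d40e REVDNS:8 ROUTING:4 .  Total weight = 12",
    "07/02/2003 09:24:31 Q072801b4d40e Msg failed REVDNS (This E-mail was sent "
    "from a MUA/MTA 203.194.209.177 with no reverse DNS entry.). Action=IGNORE.",
    "07/02/2003 09:24:32 Q072803890036d440 Msg failed SPAM07/02/2003 09:24:32 "
    "Q072801b4d40e Msg failed REVDNS (This E-mail was sent from a MUA/MTA "
    "203.194.209.177 with no reverse DNS entry.). Action=WARN.",
    " DNS entry.). Action=IGNORE.",
    "rom a MUA/MTA 203.194.209.177 with no reverse DNS entry.). Action=IG"
    "07/02/2003 09:24:33 Q0729000e00e6d85b REVDNS:8 ROUTING:4 .  Total weight = 12",
    "07/02/2003 09:24:33 Q0729000f00e8d7f7 Msg failed ROUTING (This E-mail was "
    "routed in a poor manner consistent with spam [210f].). Action=IGNORE.",
    "07/02/2003 09:24:33 Q072801b4d40e R1 Message OK",
])


def classify(line):
    """Return None for a well-formed record, else a short reason string."""
    record = RECORD.match(line)
    if record is None:
        return "fragment"                 # tail of a record split by another writer
    body = record.group(3)
    if re.search(STAMP, body):
        return "embedded-timestamp"       # a second record starts mid-line
    if body.startswith("Msg failed") and FAILED.match(body) is None:
        return "truncated-failure"        # failure record cut short
    return None


def naive_test_name(line):
    """What a lenient analyser extracts: the first token after 'Msg failed'."""
    found = re.search(r"Msg failed (\S+)", line)
    return found.group(1) if found else None


def audit(log_text):
    """Return (damaged, tests): damaged line numbers with reasons, and the
    test names taken only from records that passed validation."""
    damaged, tests = [], set()
    for number, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        reason = classify(line)
        if reason:
            damaged.append((number, reason))
            continue
        failure = FAILED.match(RECORD.match(line).group(3))
        if failure:
            tests.add(failure.group(1))
    return damaged, tests


if __name__ == "__main__":
    damaged, tests = audit(SAMPLE_LOG)
    print("damaged records:", damaged)
    print("tests from clean records:", sorted(tests))
    print("lenient parse of line 3:", naive_test_name(SAMPLE_LOG.splitlines()[2]))
```

Counting damaged records per second also gives a quick measure of how often concurrent writers collide.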

Re: [Declude.JunkMail] Any ideas about Dartmail.net?

2003-07-02 Thread Mike Nice
Ironically, HELO dell.com is a 100% reliable indicator of spam.  Do you
think Dell has outgoing mail servers that run SMTP instead of ESMTP?   A
real server would say EHLO dell.com.  Be careful of this one before you
apply it willy nilly.  Yahoo uses the older SMTP for some of its outgoing
E-mail so REVDNS helps out there.

- Original Message - 
One word of caution.. We found real fast when a number of spam got through
that HELO is not reliable at all.  Spammers were faking helo for Dell, IBM,
and Microsoft.



[Declude.JunkMail] SPAMDOMAINS sd.txt file

2003-07-02 Thread Bill Newberg
Is there a site available where I can download the latest sd.txt file that
people are using for the SPAMDOMAINS test?

Thank you,

Bill



re: [Declude.JunkMail] Attachments & JM

2003-07-02 Thread Colbeck, Andrew
KR> SPAM hardly comes with PDF attachments or Word or even less likely
KR> with Excel.  Perhaps one easy way to combat this is to figure out
KR> the attachment (don't know how) & may be we can assign a negative
KR> weight to emails with such attachments.

.. another 2 cents to echo Scott's reply regarding full MIME decoding.
I've recently seen a few bounces that look like a deliberate* method of
delivering a spam message from a trusted server/method.  Specifically,
I've received undeliverable messages to me that originated from
spammer X, who sent the message to innocent party A, who then bounced
the message to me from postmaster.

What I received is a MIME message with another MIME message as an
attachment, which was pure spam.

So, full MIME decoding would also have to incorporate some recursiveness
to decode messages within messages.

Andrew 8)

* Deliberate?  Maybe yes, maybe no.  I also got "Joe jobbed" at a
different e-mail address where the spammer must have gotten annoyed with
me, and for about a month was sending spam as "random name" 
so I was receiving a lot of postmaster bounces and the odd cease and desist
request from an antispam newbie.
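
An added example, not part of the original post or of Declude: recursive MIME decoding of the bounce shape described above, where a content filter must open a message/rfc822 attachment to see the spam body. The sample bounce, its addresses and the function names are constructed for illustration, and the depth cap is an assumption added so that deeply nested messages cannot exhaust the scanner.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

MAX_DEPTH = 5  # nested message/rfc822 levels to open before giving up


def build_sample_bounce():
    """Constructed bounce: a delivery notice with the original message attached."""
    inner = EmailMessage()
    inner["From"] = "sender@spam.example"
    inner["To"] = "user@innocent.example"
    inner["Subject"] = "Limited offer"
    inner.set_content("Buy cheap pills now")
    inner.add_alternative("<p>Buy cheap pills now</p>", subtype="html")

    bounce = EmailMessage()
    bounce["From"] = "postmaster@innocent.example"
    bounce["To"] = "me@recipient.example"
    bounce["Subject"] = "Undeliverable: Limited offer"
    bounce.set_content("Your message could not be delivered.")
    bounce.add_attachment(inner)  # stored as a message/rfc822 part
    return bounce.as_bytes()


def decode_text(part):
    """Decode a text/* leaf; fall back to latin-1 when the charset is unknown."""
    try:
        return part.get_content()
    except (LookupError, UnicodeError):
        return (part.get_payload(decode=True) or b"").decode("latin-1")


def iter_text_parts(msg, depth=0, max_depth=MAX_DEPTH):
    """Yield (depth, content_type, text) for every text leaf.

    depth counts how many attached messages were opened to reach the part;
    text is None where max_depth stopped the descent.
    """
    ctype = msg.get_content_type()
    payload = msg.get_payload()
    if ctype == "message/rfc822" and isinstance(payload, list):
        if depth >= max_depth:
            yield depth, ctype, None
            return
        for attached in payload:
            yield from iter_text_parts(attached, depth + 1, max_depth)
    elif isinstance(payload, list):          # multipart/*: same message, same depth
        for part in payload:
            yield from iter_text_parts(part, depth, max_depth)
    elif msg.get_content_maintype() == "text":
        yield depth, ctype, decode_text(msg)


def scan(raw, phrase, max_depth=MAX_DEPTH):
    """Search every decoded text part for phrase, case-insensitively."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits, skipped = [], 0
    for depth, ctype, text in iter_text_parts(msg, max_depth=max_depth):
        if text is None:
            skipped += 1                     # attachment left unopened: treat as unscanned
        elif phrase.lower() in text.lower():
            hits.append((depth, ctype))
    return {"hits": hits, "skipped": skipped}


if __name__ == "__main__":
    raw = build_sample_bounce()
    print(scan(raw, "cheap pills"))               # found only inside the attachment
    print(scan(raw, "cheap pills", max_depth=0))  # outer message only: nothing found
```

A non-zero `skipped` count means part of the message was never inspected, which a filter should report rather than treat as clean.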


RE: [Declude.JunkMail] Console Problem

2003-07-02 Thread John Tolmachoff (Lists)
> >OK Further investigation shows deccon.exe IS running (so says the task
> >manager) however, there is nothing showing up on the desktop. Weird eh?
> 
> Are you using Terminal Services (which doesn't seem to have any way to
> display the default desktop)?

Speaking of this, is anyone running Imail with Declude on Windows Server
2003?

If so, have you tried making a Remote Desktop connection (not a normal TS
connection) from a XP machine to check this function? 

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com



Re: [Declude.JunkMail] Console Problem

2003-07-02 Thread R. Scott Perry

> OK Further investigation shows deccon.exe IS running (so says the task
> manager) however, there is nothing showing up on the desktop. Weird eh?

Are you using Terminal Services (which doesn't seem to have any way to 
display the default desktop)?

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.



Re: [Declude.JunkMail] Console Problem

2003-07-02 Thread Timm Jasper
> >Nope, just shut down the services, ran the patch and restarted the server.
> >(It didn't say it had to, but it IS a Windows machine)
>
> Do the Declude log files show any errors?
>
> -Scott

OK Further investigation shows deccon.exe IS running (so says the task
manager) however, there is nothing showing up on the desktop. Weird eh?

Any ideas?

---
[This E-mail was scanned for viruses at tqci.net]



RE: [Declude.JunkMail] Any ideas about Dartmail.net?

2003-07-02 Thread Kami Razvan
Hi Andrew:

Thanks for your note...

One word of caution.. We found real fast when a number of spam got through
that HELO is not reliable at all.  Spammers were faking helo for Dell, IBM,
and Microsoft.

After a couple of spams came through one after another we stopped using
HELO.

Scott actually mentioned that a while back & I thought spammers are not that
smart.. Guess what?

We are now getting a lot of spam with emails that use ... @dell.com or
@ibm.com

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Wednesday, July 02, 2003 4:31 PM
To: '[EMAIL PROTECTED]'
Subject: re: [Declude.JunkMail] Any ideas about Dartmail.net?


Kami, I found that mail from dartmail.net was all legitimate newsletters,
but mail from "maildart" was spam.  I let the RBLs do their usual job, but
then I counterweight with:

HELO -50 ENDSWITH dartmail.net

although I prefer REVDNS, I find this a reliable middleground (WHITELIST
being on the other end).

Andrew 8)


Re: [Declude.JunkMail] Console Problem

2003-07-02 Thread R. Scott Perry

> > Do the Declude log files show any errors?
>
> None that I can see. Would the error be obvious?

It should be -- I was expecting something like lines of "Could not start 
console" or "Invalid activation code" for each E-mail that is received.

Is the \IMail\Deccon.exe file there?

   -Scott


Re: [Declude.JunkMail] Console Problem

2003-07-02 Thread Timm Jasper
> Do the Declude log files show any errors?
> 
> -Scott
> ---
None that I can see. Would the error be obvious?




re: [Declude.JunkMail] Any ideas about Dartmail.net?

2003-07-02 Thread Colbeck, Andrew
Kami, I found that mail from dartmail.net was all legitimate newsletters,
but mail from "maildart" was spam.  I let the RBLs do their usual job, but
then I counterweight with:

HELO -50 ENDSWITH dartmail.net

although I prefer REVDNS, I find this a reliable middleground (WHITELIST
being on the other end).

Andrew 8)


RE: [Declude.JunkMail] Multiple actions and Weight

2003-07-02 Thread R. Scott Perry
The weight and weightrange test types don't add to the weight of the 
E-mail, so that won't be an issue.
   -Scott

At 02:39 PM 7/2/2003, David Stavert wrote:
> There actually is an easy way around this.  Instead of:
>
>  BADHEADERS1 badheaders  x   x   8   0
>  BADHEADERS2 badheaders  x   x   8   0
>
> you can use:
>
>  BADHEADERS1 badheaders  x   x   8   0
>  BADHEADERS2 badheaders  x   x   0   0
> I use weight or weightrange.
>
> Thanks
> David Stavert


RE: [Declude.JunkMail] Multiple actions and Weight

2003-07-02 Thread David Stavert
> There actually is an easy way around this.  Instead of:
> 
>  BADHEADERS1 badheaders  x   x   8   0
>  BADHEADERS2 badheaders  x   x   8   0
> 
> you can use:
> 
>  BADHEADERS1 badheaders  x   x   8   0
>  BADHEADERS2 badheaders  x   x   0   0

I use weight or weightrange.

Thanks
David Stavert
 



Re: [Declude.JunkMail] Console Problem

2003-07-02 Thread R. Scott Perry

> Nope, just shut down the services, ran the patch and restarted the server.
> (It didn't say it had to, but it IS a Windows machine)

Do the Declude log files show any errors?

   -Scott


Re: [Declude.JunkMail] Console Problem

2003-07-02 Thread Timm Jasper
>Did the Imail directory change?


Nope, just shut down the services, ran the patch and restarted the server.
(It didn't say it had to, but it IS a Windows machine)




RE: [Declude.JunkMail] Console Problem

2003-07-02 Thread John Tolmachoff (Lists)
> Declude Console stopped working after the 8.01 Imail Upgrade (Pro). The mail
> is getting through the server and is being commented by Declude. I did not
> change anything else. I even tried bumping up to 1.70 beta, still no
> console. The line in the global and virus .cfg files should read 'Console
> On' correct?

Did the Imail directory change?

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com




AW: [Declude.JunkMail] Misunderstanding something?

2003-07-02 Thread interactiveaustria
Hi,

> Please post the JunkMail log for this message.

07/02/2003 16:45:06 Qefee01b302f619ae Msg failed NOABUSE (Not supporting
[EMAIL PROTECTED]). Action=WARN.
07/02/2003 16:45:06 Qefee01b302f619ae Msg failed NOPOSTMASTER (Not
supporting [EMAIL PROTECTED]). Action=WARN.
07/02/2003 16:45:06 Qefee01b302f619ae Msg failed BADHEADERS (This E-mail was
sent from a broken mail client [801e].). Action=WARN.
07/02/2003 16:45:07 Qefee01b302f619ae Msg failed HELOBOGUS (Domain
213.229.61.98 has no MX or A records.). Action=WARN.
07/02/2003 16:45:07 Qefee01b302f619ae Msg failed REVDNS (This E-mail was
sent from a MUA/MTA 24.69.232.164 with no reverse DNS entry.). Action=WARN.
07/02/2003 16:45:07 Qefee01b302f619ae Msg failed WEIGHT10 (Weight of 21
reaches or exceeds the limit of 10.). Action=WARN.
07/02/2003 16:45:07 Qefee01b302f619ae Msg failed WEIGHT20 (Weight of 21
reaches or exceeds the limit of 20.). Action=WARN.

>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> > [EMAIL PROTECTED] On Behalf Of interactiveaustria
> > Sent: Wednesday, July 02, 2003 8:44 AM
> > To: [EMAIL PROTECTED]
> > Subject: [Declude.JunkMail] Misunderstanding something?
> >
> > Hi,
> >
> > I changed the line in my Global.cfg file to not deliver Mail with a weight
> > of 20 (or more):
> >
> > WEIGHT20 HOLD
> >
> > Why does an E-Mail with a weight of 21 come through?
> >
> > ...
> > X-RBL-Warning: NOABUSE: Not supporting [EMAIL PROTECTED]
> > X-RBL-Warning: NOPOSTMASTER: Not supporting [EMAIL PROTECTED]
> > X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client
> > [801e].
> > X-RBL-Warning: HELOBOGUS: Domain 213.229.61.98 has no MX or A records.
> > X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 24.69.232.164
> > with no reverse DNS entry.
> > X-RBL-Warning: WEIGHT10: Weight of 21 reaches or exceeds the limit of 10.
> > X-RBL-Warning: WEIGHT20: Weight of 21 reaches or exceeds the limit of 20.
> > ...
> > X-Spam-Tests-Failed: NOABUSE, NOPOSTMASTER, BADHEADERS,
> > HELOBOGUS,
> > IPNOTINMX, REVDNS, WEIGHT10, WEIGHT20 [21]
> >
> > Am I misunderstanding something?
> >
> > Michael
> > +--+
> > | interactiveaustria   |
> > | Michael Tobisch EDV-Dienstleistungen |
> > | Wiesengasse 12, A-8160 Weiz  |
> > | Tel +43 3172 4930|
> > | GSM +43 664 2126941  |
> > | EMail [EMAIL PROTECTED]|
> > | Web http://www.iaa.at|
> > +--+
> > | Kundeninformationen per E-Mail:  |
> > | http://www.iaa.at/kundeninfo.asp |
> > +--+
> >
> >
---
This e-mail was checked by Declude.Virus and found free of viruses
A service of interactiveaustria, http://www.iaa.at
---






[Declude.JunkMail] Console Problem

2003-07-02 Thread Timm Jasper
Declude Console stopped working after the 8.01 Imail Upgrade (Pro). The mail
is getting through the server and is being commented by declude. I did not
change anything else. I even tried bumping up to 1.70 beta, still no
console. The line in the global and virus .cfg files should read 'Console
On' correct?

Any Ideas? I don't really use it for anything other than monitoring, but it
was kinda nice.

Thanks in advance..






Re: [Declude.JunkMail] Multiple actions and Weight

2003-07-02 Thread R. Scott Perry

> I use duplicated tests to perform multiple actions. In one I do an
> ATTACH with one and a ROUTETO to forward the mail to a central mailbox
> for the domain. The problem with this (or any duplicated test to
> accomplish multiple actions) is that the weight is cumulative so the
> failure is double. This is especially a problem with weight based
> actions but also in reporting using TESTSFAILED. Anyone figured a way
> around this.

There actually is an easy way around this.  Instead of:

BADHEADERS1 badheaders  x   x   8   0
BADHEADERS2 badheaders  x   x   8   0

you can use:

BADHEADERS1 badheaders  x   x   8   0
BADHEADERS2 badheaders  x   x   0   0

This way, Declude JunkMail will only apply a weight of 8 to E-mails failing 
the BADHEADERS test, rather than a weight of 16.

   -Scott
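
An added example, not Declude's code: a simplified model of the weighting described in this thread, showing how a duplicated test double-counts and trips weight thresholds, and how a report can list only the content tests. The `WEIGHT10`/`WEIGHT15` definition lines and the reading of their fifth column as the threshold are assumptions, as are the function names.

```python
# Test types that react to the total instead of adding to it, as stated in
# the thread ("weight and weightrange test types don't add to the weight").
WEIGHT_TYPES = {"weight", "weightrange"}

# Constructed definitions in the column layout quoted above:
#   NAME  type  x  x  weight-if-failed  weight-if-passed
# For type "weight" the fifth column is treated as the threshold (assumption).
DEFS_DOUBLE = """\
BADHEADERS1 badheaders  x   x   8   0
BADHEADERS2 badheaders  x   x   8   0
WEIGHT10    weight      x   x   10  0
WEIGHT15    weight      x   x   15  0
"""

# The variant suggested in the reply: the duplicate carries no weight.
DEFS_SINGLE = """\
BADHEADERS1 badheaders  x   x   8   0
BADHEADERS2 badheaders  x   x   0   0
WEIGHT10    weight      x   x   10  0
WEIGHT15    weight      x   x   15  0
"""


def parse_defs(text):
    """Return [(name, type, value)] for each six-column definition line."""
    tests = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[0].startswith("#"):
            continue
        name, kind, _, _, on_fail, _on_pass = fields
        tests.append((name, kind.lower(), int(on_fail)))
    return tests


def evaluate(defs_text, failed_kinds):
    """Return (total_weight, failed_test_names) for a message that failed
    every test whose type is in failed_kinds."""
    tests = parse_defs(defs_text)
    total, failed = 0, []
    # Pass 1: content tests add their weight; a zero-weight duplicate still
    # fails, so an action tied to it would still run.
    for name, kind, value in tests:
        if kind not in WEIGHT_TYPES and kind in failed_kinds:
            total += value
            failed.append(name)
    # Pass 2: threshold tests compare against the finished total, add nothing.
    for name, kind, value in tests:
        if kind == "weight" and total >= value:
            failed.append(name)
    return total, failed


def content_tests(defs_text, failed_names):
    """Names worth showing a user: no weight tests, one name per test type."""
    kinds = {name: kind for name, kind, _ in parse_defs(defs_text)}
    seen, report = set(), []
    for name in failed_names:
        kind = kinds.get(name)
        if kind is None or kind in WEIGHT_TYPES or kind in seen:
            continue
        seen.add(kind)
        report.append(name)
    return report


if __name__ == "__main__":
    for label, defs in (("duplicate at 8", DEFS_DOUBLE), ("duplicate at 0", DEFS_SINGLE)):
        total, failed = evaluate(defs, {"badheaders"})
        print(label, total, failed, content_tests(defs, failed))
```

With the duplicate at weight 8, one broken header alone crosses both thresholds in this model; at weight 0 it crosses neither.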


[Declude.JunkMail] Imail 8 and antispam

2003-07-02 Thread Mark Smith
Just installed Imail 8 and was wondering what the consensus about the
default DNS blacklists are?

Are most junkmail/sniffer users leaving these enabled or disabling them?



[Declude.JunkMail] Multiple actions and Weight

2003-07-02 Thread David Stavert
I use duplicated tests to perform multiple actions. In one I do an
ATTACH with one and a ROUTETO to forward the mail to a central mailbox
for the domain. The problem with this (or any duplicated test to
accomplish multiple actions) is that the weight is cumulative so the
failure is double. This is especially a problem with weight based
actions but also in reporting using TESTSFAILED. Anyone figured a way
around this. 

I would still like to see a combo ATTACH / ROUTETO action (ATTACHTO?).
It is so sucessful. Mail is routed to a domain based junkmail folder as
an attachment. Most domain administrators love it because it takes the
mail away from users but still leaves it intact. Company principals love
it because sensitive mail is at least semi-concealed from mail
administrators when they forward an FP message.

Thanks
David Stavert



Re: [Declude.JunkMail] Misunderstanding something?

2003-07-02 Thread R. Scott Perry

> I changed the line in my Global.cfg file to not deliver Mail with a weight
> of 20 (or more):
> WEIGHT20 HOLD
>
> Why does an E-Mail with a weight of 21 come through?

That is because:

> X-RBL-Warning: WEIGHT20: Weight of 21 reaches or exceeds the limit of 20.

The X-RBL-Warning: headers only appear if you use the WARN 
action.  Therefore, the configuration file used to determine the actions to 
take on this E-mail has "WEIGHT20 WARN" in it.

Note that the global.cfg file is used for outgoing mail; for incoming 
E-mail, you would use the $default$.JunkMail file.

   -Scott
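
The diagnosis in the reply above, as an added example that is not part of the original post: it reads a delivered message's headers and reports which tests ran with the WARN action. The sample message is constructed from the headers quoted in the thread, with redacted addresses replaced by example.invalid; the function names are hypothetical.

```python
import re
from email import message_from_string

# Constructed sample modelled on the headers quoted in the thread; long
# headers are folded with leading whitespace as RFC 5322 requires.
SAMPLE = """\
X-RBL-Warning: NOABUSE: Not supporting abuse@example.invalid
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client
 [801e].
X-RBL-Warning: WEIGHT10: Weight of 21 reaches or exceeds the limit of 10.
X-RBL-Warning: WEIGHT20: Weight of 21 reaches or exceeds the limit of 20.
X-Spam-Tests-Failed: NOABUSE, BADHEADERS,
 IPNOTINMX, WEIGHT10, WEIGHT20 [21]

(body)
"""

def warn_tests(msg):
    """Tests that produced an X-RBL-Warning header, i.e. ran with WARN."""
    names = []
    for value in msg.get_all("X-RBL-Warning", []):
        m = re.match(r"\s*([A-Z0-9_-]+):", value)
        if m:
            names.append(m.group(1))
    return names

def failed_tests(msg):
    """Parse 'NAME, NAME, ... [weight]' from X-Spam-Tests-Failed."""
    value = " ".join(msg.get("X-Spam-Tests-Failed", "").split())  # unfold
    m = re.match(r"(.*?)\s*\[(-?\d+)\]$", value)
    if not m:
        return [], None
    names = [n.strip() for n in m.group(1).split(",") if n.strip()]
    return names, int(m.group(2))

def diagnose(raw, expected_hold=("WEIGHT20",)):
    """Flag tests expected to HOLD that left a WARN header instead."""
    msg = message_from_string(raw)
    warned = set(warn_tests(msg))
    failed, weight = failed_tests(msg)
    return {
        "weight": weight,
        # The effective config file has WARN for these, not HOLD.
        "warn_instead_of_hold": [t for t in expected_hold if t in warned],
        # Failed, but no warning header: the action was not WARN.
        "failed_without_warning": [t for t in failed if t not in warned],
    }

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

A non-empty `warn_instead_of_hold` list means the file that was edited is not the one that decided the action for this message.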


RE: [Declude.JunkMail] Misunderstanding something?

2003-07-02 Thread John Tolmachoff \(Lists\)
Please post the JunkMail log for this message.

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> [EMAIL PROTECTED] On Behalf Of interactiveaustria
> Sent: Wednesday, July 02, 2003 8:44 AM
> To: [EMAIL PROTECTED]
> Subject: [Declude.JunkMail] Misunderstanding something?
> 
> Hi,
> 
> I changed the line in my Global.cfg file to not deliver Mail with a weight
> of 20 (or more):
> 
> WEIGHT20  HOLD
> 
> Why does an E-Mail with a weight of 21 come through?
> 
> ...
> X-RBL-Warning: NOABUSE: Not supporting [EMAIL PROTECTED]
> X-RBL-Warning: NOPOSTMASTER: Not supporting [EMAIL PROTECTED]
> X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client
> [801e].
> X-RBL-Warning: HELOBOGUS: Domain 213.229.61.98 has no MX or A records.
> X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 24.69.232.164
> with no reverse DNS entry.
> X-RBL-Warning: WEIGHT10: Weight of 21 reaches or exceeds the limit of 10.
> X-RBL-Warning: WEIGHT20: Weight of 21 reaches or exceeds the limit of 20.
> ...
> X-Spam-Tests-Failed: NOABUSE, NOPOSTMASTER, BADHEADERS,
> HELOBOGUS,
> IPNOTINMX, REVDNS, WEIGHT10, WEIGHT20 [21]
> 
> Am I misunderstanding something?
> 
> Michael
> +--+
> | interactiveaustria   |
> | Michael Tobisch EDV-Dienstleistungen |
> | Wiesengasse 12, A-8160 Weiz  |
> | Tel +43 3172 4930|
> | GSM +43 664 2126941  |
> | EMail [EMAIL PROTECTED]|
> | Web http://www.iaa.at|
> +--+
> | Customer information by e-mail:  |
> | http://www.iaa.at/kundeninfo.asp |
> +--+
> 
> 


[Declude.JunkMail] opinion about buongiorno.com

2003-07-02 Thread Markus Gufler
We've seen more and more "spam" coming from buongiorno.com.
Their IP is also listed on OSSRC and SPAMBAG, but when you go to their
website

http://www.buongiorno.com/uk/ 

it looks like they offer a lot of newsletters following the opt-in
principle.
In addition it's also possible to send your own (legit) newsletter over
their system if you have at least 5000 subscribers.
A recipient can unsubscribe whenever he wants. Buongiorno's customers are,
among others, the Italian and the Austrian government, Warner Bros, top
European mobile providers, ...
They earn by adding some advertisement between the newsletter content.

What's your opinion: Should I/we whitelist, or give at least a negative
weight to messages from buongiorno.com?

Markus






[Declude.JunkMail] Misunderstanding something?

2003-07-02 Thread interactiveaustria
Hi,

I changed the line in my Global.cfg file to not deliver Mail with a weight
of 20 (or more):

WEIGHT20 HOLD

Why does an E-Mail with a weight of 21 come through?

...
X-RBL-Warning: NOABUSE: Not supporting [EMAIL PROTECTED]
X-RBL-Warning: NOPOSTMASTER: Not supporting [EMAIL PROTECTED]
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client
[801e].
X-RBL-Warning: HELOBOGUS: Domain 213.229.61.98 has no MX or A records.
X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 24.69.232.164
with no reverse DNS entry.
X-RBL-Warning: WEIGHT10: Weight of 21 reaches or exceeds the limit of 10.
X-RBL-Warning: WEIGHT20: Weight of 21 reaches or exceeds the limit of 20.
...
X-Spam-Tests-Failed: NOABUSE, NOPOSTMASTER, BADHEADERS, HELOBOGUS,
IPNOTINMX, REVDNS, WEIGHT10, WEIGHT20 [21]

Am I misunderstanding something?

Michael
+--+
| interactiveaustria   |
| Michael Tobisch EDV-Dienstleistungen |
| Wiesengasse 12, A-8160 Weiz  |
| Tel +43 3172 4930|
| GSM +43 664 2126941  |
| EMail [EMAIL PROTECTED]|
| Web http://www.iaa.at|
+--+
| Customer information by e-mail:  |
| http://www.iaa.at/kundeninfo.asp |
+--+




Re: [Declude.JunkMail] bad country code?

2003-07-02 Thread R. Scott Perry

> I never saw any comment on the country code problem I was having.  Is there
> an updated list that would have properly identified this email?  Is there a
> way to detect "reserved" countries?

You can download the latest IP->Country database from 
http://www.declude.com/release/170/all_list.dat .

Note that there are no known instances of spammers forging IPs, so there 
aren't any IP designations that you should always block mail from.  While 
there are some that spammers should never send from -- such as private IPs 
-- those IPs could possibly be used internally to send mail.

   -Scott


[Declude.JunkMail] bad country code?

2003-07-02 Thread Karen D. Oland
Scott,

I never saw any comment on the country code problem I was having.  Is there
an updated list that would have properly identified this email?  Is there a
way to detect "reserved" countries?

Karen

-- original msg --

I just received a junk mail (coffee offer) with the following header
snippet:

X-Declude-Sender:
[EMAIL PROTECTED] [69.24.239.48]
X-Declude: Failed FIVETEN-SRC, IPNOTINMX, NOLEGITCONTENT [2]
X-Note: This E-mail was sent from out028.tpcper.com ([69.24.239.48]).
X-Countries: [IANA Reserved]->destination

Is there a way to detect countries that have not been assigned (or an
updated configuration list)?



RE: [Declude.JunkMail] Spam domains

2003-07-02 Thread Markus Gufler

> you would need to have "gmx.at" in the sd.txt file.

As far as I know, GMX, a European freemailer, also uses other TLDs.
For example gmx.de, gmx.net, gmx.it, 

So I've set the following line in my sd-file:

@gmx.   .gmx.


Most spam with a gmx-domain we can see here is from gmx.at.

Markus

