[Declude.JunkMail] DNSReport C-Class Warning

2003-10-07 Thread Andy Schmidt
Hi Scott:

http://www.dnsreport.com/tools/dnsreport.ch?domain=FRENCHRENDEZVOUS.CC

First claims:
All of your nameservers (listed at the parent nameservers) are in the same
Class C address space...
[If the parent servers have no glue for your domain, this could be a false
positive.] 

And then continues to report (correctly):
65.119.204.32: No version info available (CHAOS not implemented).
63.107.174.24: No version info available (CHAOS not implemented).


Now - whether the parent servers do have or don't have any glue - why would
THAT affect your ability to compare 65.119.204.32 with 63.107.174.24 and
plainly see that they are NOT in the same Class C address space?


Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:    +1 201 934-9206

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


Re: [Declude.JunkMail] maybe its just one of AOL's servers???

2003-10-07 Thread Joshua Levitsky

On Oct 7, 2003, at 9:55 PM, Karen D. Oland wrote:

> Then you have to add one for each MX number (the ones I've seen are
> formatted with "mx5.aol.com", etc.)
>
> Most spam I get from *.ptr.aol.com fails so many other tests that they don't
> get thru anyway.

I don't believe "mx5.aol.com" should be any of our mail server zones or servers...



Servers that deliver outbound mail from members using third-party mail clients. For example, Outlook, Eudora.

rly-ip0[3-5].mx.aol.com

Servers that deliver bounced messages

omr-d0[3-7].mx.aol.com
omr-m[01-11].mx.aol.com
omr-r09.mx.aol.com

Servers that deliver members' outbound mail

imo-d[01-10].mx.aol.com
imo-r[01-10].mx.aol.com
imo-m[01-10].mx.aol.com


--
Joshua Levitsky, CISSP, MCSE
System Engineer
AOL Time Warner
[5957 F27C 9C71 E9A7 274A  0447 C9B9 75A4 9B41 D4D1]


RE: [Declude.JunkMail] Obvious spam not failing my tests, suggestions? suggestions?

2003-10-07 Thread Karen D. Oland
We get those too -- they test "clean" and pass thru the A/V portion. We
catch them with rules similar to yours.  Along with the undeliverable mail
reject messages and "you have a virus" messages from other postmasters
(which is why I think it forges addresses quite a bit, since we do not have
any infected machines and have not sent any out from here).  Quite a few,
however, now get caught with other viruses in them (but the same text as
SWEN and same attachment name).

Karen

> -Original Message-
> From: John Tolmachoff
>
> And here, all this time, I thought it was corrupt or uncomplete
> versions of
> Swen.

---
[This E-mail scanned for viruses by Declude Virus]



RE: [Declude.JunkMail] maybe its just one of AOL's servers???

2003-10-07 Thread Karen D. Oland
> I think you mean..
>
> REVDNS -20 ENDSWITH  MX.AOL.COM

Then you have to add one for each MX number (the ones I've seen are
formatted with "mx5.aol.com", etc.)

Most spam I get from *.ptr.aol.com fails so many other tests that they don't
get thru anyway.

Karen



RE: [Declude.JunkMail] maybe its just one of AOL's servers???

2003-10-07 Thread Tom Baker | Netsmith Inc
http://postmaster.info.aol.com/servers.html

-Original Message-
From: Joshua Levitsky [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 07, 2003 7:26 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] maybe its just one of AOL's servers???

The reason for the above is that our customers use "ptr.aol.com" and 
well there's just a bunch of other prefixes before .aol.com and only MX 
is used for our mail servers. (Nobody here has seen actual email from 
aol.com coming from something other than *.mx.aol.com right?)

-Josh

--
Joshua Levitsky, CISSP, MCSE
System Engineer
AOL Time Warner
[5957 F27C 9C71 E9A7 274A  0447 C9B9 75A4 9B41 D4D1]


Re: [Declude.JunkMail] maybe its just one of AOL's servers???

2003-10-07 Thread Joshua Levitsky
On Oct 7, 2003, at 11:25 AM, Karen D. Oland wrote:

> Sorry about the blank post.
>
> Try adding:
>
> REVDNS -20 ENDSWITH .AOL.COM

I think you mean..

REVDNS -20 ENDSWITH  MX.AOL.COM

The reason for the above is that our customers use "ptr.aol.com" and 
well there's just a bunch of other prefixes before .aol.com and only MX 
is used for our mail servers. (Nobody here has seen actual email from 
aol.com coming from something other than *.mx.aol.com right?)

-Josh

--
Joshua Levitsky, CISSP, MCSE
System Engineer
AOL Time Warner
[5957 F27C 9C71 E9A7 274A  0447 C9B9 75A4 9B41 D4D1]
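
Added example, not part of the original posts: the two REVDNS rules from this thread evaluated against the AOL mail hosts listed earlier and a few other names. The non-mail host names, the case-insensitive comparison and the helper names are assumptions made for the illustration, not Declude's own code.

```python
import re

# Host patterns as listed in the thread; [lo-hi] is a numeric range.
AOL_MAIL_PATTERNS = [
    "rly-ip0[3-5].mx.aol.com",
    "omr-d0[3-7].mx.aol.com",
    "omr-m[01-11].mx.aol.com",
    "omr-r09.mx.aol.com",
    "imo-d[01-10].mx.aol.com",
    "imo-r[01-10].mx.aol.com",
    "imo-m[01-10].mx.aol.com",
]

# Constructed names that are NOT on the list of mail servers.
OTHER_HOSTS = ["host-01.ptr.aol.com", "mx5.aol.com", "mail.example.net"]

RANGE_RE = re.compile(r"\[(\d+)-(\d+)\]")


def expand(pattern):
    """Expand one 'name[lo-hi].domain' pattern into concrete host names."""
    m = RANGE_RE.search(pattern)
    if m is None:
        return [pattern]
    lo, hi = m.group(1), m.group(2)
    width = len(lo)  # keep the zero padding used in the pattern ("01" -> 2 digits)
    return [
        pattern[:m.start()] + str(n).zfill(width) + pattern[m.end():]
        for n in range(int(lo), int(hi) + 1)
    ]


def aol_mail_hosts():
    """All concrete host names covered by the listed patterns."""
    return [host for pattern in AOL_MAIL_PATTERNS for host in expand(pattern)]


def parse_rule(line):
    """Parse a 'TEST WEIGHT OPERATOR VALUE' filter line as written in the thread."""
    test, weight, operator, value = line.split(None, 3)
    return {"test": test.upper(), "weight": int(weight),
            "operator": operator.upper(), "value": value.strip()}


def weight_for(rule, rdns):
    """Weight the rule contributes for this reverse-DNS name (0 if no match).

    Assumption: the comparison ignores case, because the rules are written in
    upper case while PTR names are normally lower case.
    """
    name, value = rdns.lower().rstrip("."), rule["value"].lower()
    hit = {
        "ENDSWITH": name.endswith(value),
        "STARTSWITH": name.startswith(value),
        "CONTAINS": value in name,
    }[rule["operator"]]
    return rule["weight"] if hit else 0


BROAD = parse_rule("REVDNS -20 ENDSWITH .AOL.COM")
NARROW = parse_rule("REVDNS -20 ENDSWITH  MX.AOL.COM")


def compare(hosts):
    """Map each host to the (broad, narrow) weights the two rules would add."""
    return {h: (weight_for(BROAD, h), weight_for(NARROW, h)) for h in hosts}


if __name__ == "__main__":
    mail = aol_mail_hosts()
    print(f"{len(mail)} listed mail hosts, all matched by the narrow rule:",
          all(weight_for(NARROW, h) == -20 for h in mail))
    for host, (broad, narrow) in compare(OTHER_HOSTS).items():
        print(f"{host:24} .AOL.COM={broad:4}  MX.AOL.COM={narrow:4}")
```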


[Declude.JunkMail] Mail.com spamdomains

2003-10-07 Thread Kami Razvan
Hi..

Has anyone figured out the spamdomain entry for mail.com?

This is what we have from a recent email from that domain:

X-Note: Sent from Reverse DNS:  205-158-62-67.outblaze.com

Should we just add:

@mail.com   .outblaze.com

Anything else?

Regards,
Kami


RE: [Declude.JunkMail] Strange Email getting past checks

2003-10-07 Thread Karen D. Oland

> Blacklisted meaning I've created a blacklist file of known spamming return
> addresses that if found adds a weight of 50 which would exceed the delete
> action of 40.

Which this email did not fail (since its name was not in the list of failed
tests)
>
> Not sure what you mean by weightrange... My rules are very simple
> ignore up
> to 10 attach between 11-39 and delete everything over 40.

Yet, a msg with weight over 50 is failing every one of your weights.

>
> No spaces at the end of what?

at the end of the line

.pn01.com

Use "end" key to make sure the line stops immediately after the "m" (yes,
you said you could not "see" any white space there, but does that mean you
checked it this way?).

Also, you showed the from/to info from the header -- but the blacklist must
use the "declude sender". Do you have that info?

Either the actual return address (declude sender) is different (not
.pn01.com) or you have some extra whitespace on the line (or, you don't have
the test set up correctly and it never works for any email ... you could
tell by searching for the test name in your DEC*.LOG files -- if it never is
listed, it probably isn't working, in which case you need to check the
global.cfg file setup).

Karen



RE: [Declude.JunkMail] URL? What does it mean?

2003-10-07 Thread Kami Razvan
Thanks to all who responded..

I just could not figure out since the syntax in URL's for passing parameters
is nothing like this... but it seems like it is an open territory on what
they can do.

Regards,
Kami

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Tuesday, October 07, 2003 2:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] URL? What does it mean?

They are, theoretically, an account reference. However they are often used
as parameters for spammers who track connections and they are sometimes only
added as obfuscation (useless but in place to cause you confusion).

The truth is that since URLs are very flexible, if you own the web server
you can interpret this data any way you want.


RE: [Declude.JunkMail] URL? What does it mean?

2003-10-07 Thread Pete McNeil
They are, theoretically, an account reference. However they are often used
as parameters for spammers who track connections and they are sometimes only
added as obfuscation (useless but in place to cause you confusion).

The truth is that since URLs are very flexible, if you own the web server
you can interpret this data any way you want.

Hope this helps,
_M

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan
Sent: Tuesday, October 07, 2003 1:55 PM
To: JunkMail List
Subject: [Declude.JunkMail] URL? What does it mean?

Hi;

Could someone educate me please..

http://[EMAIL PROTECTED]/e.html

What does this URL mean?

All that stuff before the www And the @ sign.

These are not parameters.. How does this work?

Regards,
Kami


Re: [Declude.JunkMail] URL? What does it mean?

2003-10-07 Thread R. Scott Perry

> Could someone educate me please..
>
> http://[EMAIL PROTECTED]/e.html
>
> What does this URL mean?
>
> All that stuff before the www And the @ sign.
>
> These are not parameters.. How does this work?

The URL Deobfuscator at 
http://www.dnsstuff.com/tools/[EMAIL PROTECTED] 
shows that it is really just http://www.accentedcx.com/e.html (using a 
username of www.adgdABqDB2lQavb25K0iVWeFPA1WaleZTvdu6E7THuARZKU4wUnrQD8Tea 
with no password).

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.
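
Added example, not part of the original posts: a scanner that finds URLs carrying a username (and optional password) before the "@" in a message body and reports the host that is actually contacted, as discussed in this thread. The sample body, host names and flag names are constructed for the illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit, urlunsplit

# Rough URL matcher for plain-text mail bodies (stops at whitespace and quotes).
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample body; hosts use reserved example names and addresses.
SAMPLE_BODY = """\
Click http://www.adgdABqDB2lQavb25K0@www.shop.example/e.html today.
Account notice: http://www.bank.example:secure@203.0.113.7/login
Unsubscribe at http://lists.example.org/unsub?u=1@2 .
"""


def split_authority(url):
    """Separate the userinfo a reader sees first from the host that is contacted."""
    parts = urlsplit(url)
    # Everything before the LAST '@' of the authority is userinfo; an '@'
    # that appears later (path or query) is not part of the authority at all.
    userinfo, at, hostport = parts.netloc.rpartition("@")
    username, _, password = userinfo.partition(":")
    host = parts.hostname or ""

    flags = []
    if at:
        flags.append("userinfo-present")
        if "." in username:
            # A username shaped like a host name is what misleads the reader.
            flags.append("hostlike-username")
    try:
        ipaddress.ip_address(host)
        flags.append("ip-literal-host")
    except ValueError:
        pass  # host is a name, not an address

    return {
        "url": url,
        "username": username,
        "password": password,
        "host": host,
        "effective_url": urlunsplit(
            (parts.scheme, hostport, parts.path, parts.query, parts.fragment)
        ),
        "flags": flags,
    }


def scan_body(text):
    """Return one finding per URL in the text that carries userinfo."""
    findings = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:!?)")  # drop sentence punctuation
        try:
            info = split_authority(url)
        except ValueError:
            continue  # malformed authority (for example unbalanced brackets)
        if "userinfo-present" in info["flags"]:
            findings.append(info)
    return findings


if __name__ == "__main__":
    for f in scan_body(SAMPLE_BODY):
        print(f["url"])
        print("  real host :", f["host"])
        print("  username  :", f["username"], "| password:", f["password"] or "(none)")
        print("  flags     :", ", ".join(f["flags"]))
```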



RE: [Declude.JunkMail] URL? What does it mean?

2003-10-07 Thread Colbeck, Andrew
All that stuff in front of any number of @ signs is a way to stuff a username
and password into a URL so that the authentication for a web page can be
encoded in one stroke.

In spam it is usually garbage to throw people off the scent, e.g.

http://[EMAIL PROTECTED]

Andrew 8)

-Original Message-
From: Kami Razvan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 07, 2003 10:55 AM
To: JunkMail List
Subject: [Declude.JunkMail] URL? What does it mean?

Hi;

Could someone educate me please..

http://[EMAIL PROTECTED]/e.html

What does this URL mean?

All that stuff before the www And the @ sign.

These are not parameters.. How does this work?

Regards,
Kami


RE: [Declude.JunkMail] Can a blacklist file have too many entries... entries...

2003-10-07 Thread Chuck Schick
Scott:

I am not sure that it is always the last line, but I will start watching it
more closely and I will make sure there is a return after the last entry.

Chuck Schick
Warp 8, Inc.
303-421-5140
www.warp8.com


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
> Sent: Tuesday, October 07, 2003 11:43 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] Can a blacklist file have too many
> entries... entries...
>
> >I have a blacklist of spammers and in the last week I have seen emails come
> >through that should have failed that test - and these are the entries at the
> >end of the file (the latest entries).  The Declude log files show that the
> >blacklist is working but entries at the end of the file are not triggering a
> >failure.  Could it be the file is now too long and Declude is not processing
> >it to the end??
>
> The blacklist files can contain an unlimited number of entries.
>
> Is it always the last line?  If so, you need to remember that lines in text
> files must end (most programs can't properly process them otherwise).  In
> technical terms, you need a carriage return and linefeed ("ENTER" key on
> the keyboard) at the end of every line; in non-technical terms, you need to
> make sure that if you move the cursor as far down in the file as possible,
> you reach a blank line.
>
> This also holds true with the IMail mailing list files, for example -- if
> you manually add an entry without hitting the ENTER key at the end of the
> line, you'll get a mixed-up entry combining two users.
>
> -Scott


[Declude.JunkMail] URL? What does it mean?

2003-10-07 Thread Kami Razvan
Hi;

Could someone educate me please..

http://[EMAIL PROTECTED]/e.html

What does this URL mean?

All that stuff before the www And the @ sign.

These are not parameters.. How does this work?

Regards,
Kami


Re: [Declude.JunkMail] Can a blacklist file have too many entries... entries...

2003-10-07 Thread R. Scott Perry

> I have a blacklist of spammers and in the last week I have seen emails come
> through that should have failed that test - and these are the entries at the
> end of the file (the latest entries).  The Declude log files show that the
> blacklist is working but entries at the end of the file are not triggering a
> failure.  Could it be the file is now too long and Declude is not processing
> it to the end??

The blacklist files can contain an unlimited number of entries.

Is it always the last line?  If so, you need to remember that lines in text 
files must end (most programs can't properly process them otherwise).  In 
technical terms, you need a carriage return and linefeed ("ENTER" key on 
the keyboard) at the end of every line; in non-technical terms, you need to 
make sure that if you move the cursor as far down in the file as possible, 
you reach a blank line.

This also holds true with the IMail mailing list files, for example -- if 
you manually add an entry without hitting the ENTER key at the end of the 
line, you'll get a mixed-up entry combining two users.

   -Scott
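
Added example, not part of the original posts: a lint for a one-entry-per-line blacklist file that reports the two problems raised on this list, whitespace at the end of an entry and a last line with no line ending, plus a safe way to append an entry. The sample file contents, the sender address and the literal suffix comparison are assumptions for the illustration, not Declude's own matching code.

```python
CRLF = b"\r\n"

# Constructed sample: line 2 has a trailing space, the last line has no CRLF.
SAMPLE = b"@hungermail.com\r\n.pn01.com \r\n@4hermail.com\r\n@mho.net"


def split_lines(raw):
    """Return (lines without CR/LF, whether the final line was terminated)."""
    terminated = raw.endswith(b"\n")
    lines = raw.split(b"\n")
    if terminated:
        lines.pop()  # split() leaves an empty element after the final LF
    return [l[:-1] if l.endswith(b"\r") else l for l in lines], terminated


def lint_blacklist(raw):
    """Return (line_number, problem) tuples for a blacklist file's raw bytes."""
    findings = []
    if not raw:
        return findings
    lines, terminated = split_lines(raw)
    for number, line in enumerate(lines, start=1):
        if not line.strip():
            continue  # blank line, nothing to match
        if line != line.rstrip(b" \t"):
            findings.append((number, "trailing-whitespace"))
        if line != line.lstrip(b" \t"):
            findings.append((number, "leading-whitespace"))
        if line.count(b"@") > 1:
            # Typical result of appending to a file whose last line never ended.
            findings.append((number, "possible-merged-entries"))
    if not terminated:
        findings.append((len(lines), "no-final-line-ending"))
    return findings


def append_entry(raw, entry):
    """Append an entry, first terminating the existing last line if needed."""
    if raw and not raw.endswith(b"\n"):
        raw += CRLF
    return raw + entry.strip() + CRLF


def normalize(raw):
    """Rewrite the file with stripped entries, no blank lines, CRLF endings."""
    lines, _ = split_lines(raw)
    entries = [l.strip(b" \t") for l in lines if l.strip(b" \t")]
    return b"".join(e + CRLF for e in entries)


def literal_suffix_match(sender, entry):
    """Assumed matching model: the entry, byte for byte, must end the sender."""
    return sender.lower().endswith(entry.lower())


if __name__ == "__main__":
    print("as found      :", lint_blacklist(SAMPLE))
    naive = SAMPLE + b"@mynet.com" + CRLF  # what a plain append produces
    print("naive append  :", lint_blacklist(naive))
    fixed = normalize(append_entry(SAMPLE, b"@mynet.com"))
    print("after cleanup :", lint_blacklist(fixed))
    sender = b"bounce@mail.pn01.com"  # constructed sender address
    print("'.pn01.com ' matches:", literal_suffix_match(sender, b".pn01.com "))
    print("'.pn01.com'  matches:", literal_suffix_match(sender, b".pn01.com"))
```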


[Declude.JunkMail] Can a blacklist file have too many entries...

2003-10-07 Thread Chuck Schick
I have a blacklist of spammers and in the last week I have seen emails come
through that should have failed that test - and these are the entries at the
end of the file (the latest entries).  The Declude log files show that the
blacklist is working but entries at the end of the file are not triggering a
failure.  Could it be the file is now too long and Declude is not processing
it to the end??

Chuck Schick
Warp 8, Inc.
303-421-5140
www.warp8.com



RE: [Declude.JunkMail] Obvious spam not failing my tests, suggestions? suggestions?

2003-10-07 Thread Karen D. Oland
Also, make sure you scan ZIP files (many people don't)

> -Original Message-
> From: Robert Grosshandler
> 
> John provided a great filter, since fprot and Norton didn't see 
> the probably corrupt virus.


RE: [Declude.JunkMail] Obvious spam not failing my tests, suggestions? suggestions?

2003-10-07 Thread Robert Grosshandler
John provided a great filter, since fprot and Norton didn't see the probably
corrupt virus.

Thanks.

Rob




RE: [Declude.JunkMail] Obvious spam not failing my tests, suggestions?

2003-10-07 Thread Robert Grosshandler
Karen said:

>Buy a good AV scanner.

And I replied:

We use Frisk on the server, Norton on the desktop, neither flagged it.

Rob




RE: [Declude.JunkMail] Strange Email getting past checks

2003-10-07 Thread Greg Foulks
Karen,
Blacklisted meaning I've created a blacklist file of known spamming return
addresses that if found adds a weight of 50 which would exceed the delete
action of 40.

Not sure what you mean by weightrange... My rules are very simple ignore up
to 10 attach between 11-39 and delete everything over 40.

No spaces at the end of what?

Greg

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Karen D. Oland
Sent: Tuesday, October 07, 2003 11:49 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Strange Email getting past checks


Your logs would be much easier to read (and your rules more clear) if you
used weightrange instead of weight for your tests (unless you are adding
labels and not doing some type of route/hold/delete action).  Even with
labels, the users' rules could get confused trying to deal with mail that
failed all the weight tests, unless they are in the exact order of testing
highest weight first, then each lower weight in order.

If you are deleting on 40, you don't really need a test for a higher weight,
do you?

what exactly do you mean by "blacklisted"?  do you have a rule with delete
action? if so, what is it - in global.cf, $junkmail and the actual line in
the filter file (make sure no spaces at the end of it)?


--
[This E-mail was scanned for viruses by Declude Virus Scanner on
mail.nfti.com]




RE: [Declude.JunkMail] Obvious spam not failing my tests, suggestions? suggestions?

2003-10-07 Thread John Tolmachoff \(Lists\)
And here, all this time, I thought it was corrupt or uncomplete versions of
Swen.

I have a force hold test in JM.

Here is the filter file I have:

HEADERS 0   CONTAINS    @technet.msdn.net
HEADERS 0   CONTAINS    Microsoft Corporation Program Security
HEADERS 0   CONTAINS    @technet.net
HEADERS 0   CONTAINS    Latest Net Critical Upgrade
SUBJECT 0   CONTAINS    Last Net Security Patch
SUBJECT 0   CONTAINS    Current Network Update
SUBJECT 0   CONTAINS    Newest Network Security Pack
SUBJECT 0   CONTAINS    {VIRUS?}
SUBJECT 0   CONTAINS    Current Microsoft Patch
SUBJECT 0   CONTAINS    Microsoft Security Pack
SUBJECT 0   CONTAINS    Net Pack
SUBJECT 0   CONTAINS    New Critical Update
SUBJECT 0   CONTAINS    New Net Upgrade
SUBJECT 0   CONTAINS    Last Internet Critical Update
SUBJECT 0   CONTAINS    Current Security Update
SUBJECT 0   CONTAINS    Internet Update
SUBJECT 0   STARTSWITH  Bug Report
SUBJECT 0   CONTAINS    Last Net Patch
SUBJECT 0   CONTAINS    New Patch
SUBJECT 0   CONTAINS    Latest Critical PacK
SUBJECT 0   CONTAINS    internet critical update
SUBJECT 0   CONTAINS    New Internet Patch
SUBJECT 0   CONTAINS    Abort Advice
SUBJECT 0   CONTAINS    Microsoft Pack
SUBJECT 0   CONTAINS    Abort Message
SUBJECT 0   CONTAINS    Last Net Pack
SUBJECT 0   CONTAINS    Last Internet Update
SUBJECT 0   CONTAINS    bug letter
SUBJECT 0   CONTAINS    New Net Critical Patch
SUBJECT 0   CONTAINS    Latest Network Security Pack
SUBJECT 0   CONTAINS    Last Update
SUBJECT 0   CONTAINS    Microsoft Critical Upgrade

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> [EMAIL PROTECTED] On Behalf Of R. Scott Perry
> Sent: Tuesday, October 07, 2003 7:59 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] Obvious spam not failing my tests,
> suggestions? suggestions?
>
> >The following headers tell the story.  Anything I should be adding to add
> >weight to this?  It didn't trigger Sniffer or Alligate, but that's a
> >different issue. The mailbox it was sent to was harvested from usenet, fwiw.
>
> This is actually a virus:
>
> >FROM: "Microsoft Network Security Section" <[EMAIL PROTECTED]>
> >TO: " " <[EMAIL PROTECTED]>
> >SUBJECT: New Internet Security Pack
> >Mime-Version: 1.0
> >Content-Type: multipart/mixed; boundary="gkxrxour"
> >Message-Id: <[EMAIL PROTECTED]>
> >Date: Mon, 6 Oct 2003 08:33:57 +1300
>
> This appears to be W32/Harmony.A.
>
> -Scott


RE: [Declude.JunkMail] Obvious spam not failing my tests, suggestions?

2003-10-07 Thread Karen D. Oland
> This is actually a virus:
>
> >FROM: "Microsoft Network Security Section" <[EMAIL PROTECTED]>
> >TO: " " <[EMAIL PROTECTED]>
> >SUBJECT: New Internet Security Pack
> >Mime-Version: 1.0
> >Content-Type: multipart/mixed; boundary="gkxrxour"
> >Message-Id: <[EMAIL PROTECTED]>
> >Date: Mon, 6 Oct 2003 08:33:57 +1300
>
> This appears to be W32/Harmony.A.
>
> -Scott

SWEN was such a hit, we've been seeing a number of these messages where
another virus has infected the SWEN attachment and sent itself out. So far,
CIH and FUNLOVE are winning as secondary infections here.

Obviously, you can set up a rule to hold anything with "Microsoft Network
Security" in the subject.

Or, buy a decent A/V program, as you are always far behind with trying to
stop viruses with mail rules (including attachment bans, as the latest,
smarter attempts are using .zip, the only attachment that nearly everyone
allows in and that many people don't scan inside).

K



RE: [Declude.JunkMail] Strange Email getting past checks

2003-10-07 Thread Karen D. Oland
Your logs would be much easier to read (and your rules more clear) if you
used weightrange instead of weight for your tests (unless you are adding
labels and not doing some type of route/hold/delete action).  Even with
labels, the users' rules could get confused trying to deal with mail that
failed all the weight tests, unless they are in the exact order of testing
highest weight first, then each lower weight in order.

If you are deleting on 40, you don't really need a test for a higher weight,
do you?

what exactly do you mean by "blacklisted"?  do you have a rule with delete
action? if so, what is it - in global.cf, $junkmail and the actual line in
the filter file (make sure no spaces at the end of it)?



RE: [Declude.JunkMail] Strange Email getting past checks

2003-10-07 Thread Greg Foulks
I've seen a couple others that are not working and honestly I have just
started to look at it so I don't recall which of the others are not
working.

No I do not see any spaces or tabs at the end of the .pn01.com line.

Greg

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
Sent: Tuesday, October 07, 2003 11:23 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Strange Email getting past checks



>Here are a couple of lines from my blacklist file
>
>@hungermail.com
>[EMAIL PROTECTED]
>[EMAIL PROTECTED]
>.pn01.com
>@4hermail.com
>@mho.net
>@mynet.com

Are other lines from your blacklist file working?  Could there be any
spaces/tabs at the end of the ".pn01.com" line?

-Scott


RE: [Declude.JunkMail] Strange Email getting past checks

2003-10-07 Thread R. Scott Perry

> Here are a couple of lines from my blacklist file
>
> @hungermail.com
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> .pn01.com
> @4hermail.com
> @mho.net
> @mynet.com

Are other lines from your blacklist file working?  Could there be any 
spaces/tabs at the end of the ".pn01.com" line?

   -Scott


RE: [Declude.JunkMail] maybe its just one of AOL's servers???

2003-10-07 Thread Karen D. Oland
Sorry about the blank post.

Try adding:

REVDNS -20 ENDSWITH .AOL.COM


in a filter file (with an appropriate weight to let your legit AOL mail pass,
or to offset what you add for spamcop).

Karen



RE: [Declude.JunkMail] maybe its just one of AOL's servers???

2003-10-07 Thread Karen D. Oland
try adding:




RE: [Declude.JunkMail] Strange Email getting past checks

2003-10-07 Thread Greg Foulks
Scott,
Here are a couple of lines from my blacklist file

@hungermail.com
[EMAIL PROTECTED]
[EMAIL PROTECTED]
.pn01.com
@4hermail.com
@mho.net
@mynet.com

I am currently running 1.75

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
Sent: Tuesday, October 07, 2003 10:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Strange Email getting past checks



>Okay so I checked the logs again and found two emails with the same subject
>for this person. The other email with the weight of 17 should have been
>deleted because I have blacklisted the .pn01.com domain... Why didn't it
>catch it?

Are you blacklisting based on the return address ([EMAIL PROTECTED])? What
does the line in your blacklist file say?  Which version of Declude
JunkMail are you running ("\IMail\Declude -diag" from a command prompt will
show you)?

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.



Re: [Declude.JunkMail] Obvious spam not failing my tests, suggestions?

2003-10-07 Thread R. Scott Perry

>The following headers tell the story.  Anything I should be adding to add
>weight to this?  It didn't trigger Sniffer or Alligate, but that's a
>different issue. The mailbox it was sent to was harvested from usenet, fwiw.

This is actually a virus:

>FROM: "Microsoft Network Security Section" <[EMAIL PROTECTED]>
>TO: " " <[EMAIL PROTECTED]>
>SUBJECT: New Internet Security Pack
>Mime-Version: 1.0
>Content-Type: multipart/mixed; boundary="gkxrxour"
>Message-Id: <[EMAIL PROTECTED]>
>Date: Mon, 6 Oct 2003 08:33:57 +1300

This appears to be W32/Harmony.A.

   -Scott


[Declude.JunkMail] Obvious spam not failing my tests, suggestions?

2003-10-07 Thread Robert Grosshandler
Hi

The following headers tell the story.  Anything I should be adding to add
weight to this?  It didn't trigger Sniffer or Alligate, but that's a
different issue. The mailbox it was sent to was harvested from usenet, fwiw.

Thanks, Rob

Received: from standby2.xtra.co.nz [210.86.15.58] by smtp.igive.com with
ESMTP
  (SMTPD32-8.02) id A1A4AC70246; Tue, 07 Oct 2003 09:45:56 -0500
Received: from mta201-rme.xtra.co.nz ([210.86.15.143])
  by standby2.xtra.co.nz with ESMTP
  id
<[EMAIL PROTECTED]>;
  Wed, 8 Oct 2003 03:45:54 +1300
Received: from ptyzwjc ([210.55.144.85]) by web4-rme.xtra.co.nz with SMTP
  id <[EMAIL PROTECTED]>;
  Mon, 6 Oct 2003 08:33:18 +1300
FROM: "Microsoft Network Security Section" <[EMAIL PROTECTED]>
TO: " " <[EMAIL PROTECTED]>
SUBJECT: New Internet Security Pack
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="gkxrxour"
Message-Id: <[EMAIL PROTECTED]>
Date: Mon, 6 Oct 2003 08:33:57 +1300
X-Alligate-In: Passed - Adult: 0 (Req: 18) Spam: 13 (Req: 18) Tot: 9 (Req:
20)
X-Alligate-Tracking: 9ECF7612DB13F5CF
X-Alligate-Signature: -2102883752
X-Alligate-SpoolFile: Dd1a40ac70246a220.SMD
X-Alligate-Sender: [EMAIL PROTECTED] [210.86.15.58]
X-RBL-Warning: IPNOTINMX: 
X-RBL-Warning: HELOBOGUS: Domain standby2.xtra.co.nz has no MX or A records.
X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail
detected.
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for
spam.
X-Spam-Tests-Failed: IPNOTINMX, HELOBOGUS, NOLEGITCONTENT, GIBBERISH,
ANTIGIBBERISH, SPAM-NONE
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 328950976

--gkxrxour
Content-Type: multipart/related; boundary="cnbqatbhjuzobno";
type="multipart/alternative"

--cnbqatbhjuzobno
Content-Type: multipart/alternative; boundary="tsuapoqqaudzkhe"



RE: [Declude.JunkMail] Strange Email getting past checks

2003-10-07 Thread R. Scott Perry

>Okay so I checked the logs again and found two emails with the same subject
>for this person. The other email with the weight of 17 should have been
>deleted because I have blacklisted the .pn01.com domain... Why didn't it
>catch it?

Are you blacklisting based on the return address
([EMAIL PROTECTED])? What
does the line in your blacklist file say?  Which version of Declude
JunkMail are you running ("\IMail\Declude -diag" from a command prompt will
show you)?

   -Scott


RE: [Declude.JunkMail] Strange Email getting past checks

2003-10-07 Thread Greg Foulks
Scott,
Okay so I checked the logs again and found two emails with the same subject
for this person. The other email with the weight of 17 should have been
deleted because I have blacklisted the .pn01.com domain... Why didn't it
catch it?

Here are the logs for both emails...

10/06/2003 00:27:34 Qef1a1d8 MAILPOLICE-BULK:40 SPAMCHK:17 .  Total weight =
57
10/06/2003 00:27:34 Qef1a1d8 Msg failed MAILPOLICE-BULK (This E-mail came
from 22.pn01.com, a potential spam source listed in MAILPOLICE-BULK.).
Action=WARN.
10/06/2003 00:27:34 Qef1a1d8 Msg failed SPAMCHK (Message failed SPAMCHK:
17.). Action=IGNORE.
10/06/2003 00:27:34 Qef1a1d8 Msg failed WEIGHT10 (Weight of 57 reaches or
exceeds the limit of 10.). Action=IGNORE.
10/06/2003 00:27:34 Qef1a1d8 Msg failed WEIGHT14 (Weight of 57 reaches or
exceeds the limit of 14.). Action=ATTACH.
10/06/2003 00:27:34 Qef1a1d8 Msg failed WEIGHT16 (Weight of 57 reaches or
exceeds the limit of 16.). Action=IGNORE.
10/06/2003 00:27:34 Qef1a1d8 Msg failed WEIGHT20 (Weight of 57 reaches or
exceeds the limit of 20.). Action=IGNORE.
10/06/2003 00:27:34 Qef1a1d8 Msg failed WEIGHT26 (Weight of 57 reaches or
exceeds the limit of 26.). Action=IGNORE.
10/06/2003 00:27:34 Qef1a1d8 Msg failed WEIGHT30 (Weight of 57 reaches or
exceeds the limit of 30.). Action=IGNORE.
10/06/2003 00:27:34 Qef1a1d8 Msg failed WEIGHT40 (Weight of 57 reaches or
exceeds the limit of 40.). Action=DELETE.
10/06/2003 00:27:34 Qef1a1d8 Msg failed WEIGHT50 (Weight of 57 reaches or
exceeds the limit of 50.). Action=IGNORE.
10/06/2003 00:27:34 Qef1a1d8 Deleting spam from
[EMAIL PROTECTED] to
[EMAIL PROTECTED]
10/06/2003 00:27:34 Qef1a1d8 Subject: RE: Christian Single?
10/06/2003 00:27:34 Qef1a1d8 From:
[EMAIL PROTECTED] To:
[EMAIL PROTECTED]  IP: 69.6.28.29 ID: PAA18749


10/06/2003 13:00:11 Q9f791da SPAMCHK:17 .  Total weight = 17
10/06/2003 13:00:11 Q9f791da Msg failed SPAMCHK (Message failed SPAMCHK:
17.). Action=IGNORE.
10/06/2003 13:00:11 Q9f791da Msg failed WEIGHT10 (Weight of 17 reaches or
exceeds the limit of 10.). Action=IGNORE.
10/06/2003 13:00:11 Q9f791da Msg failed WEIGHT14 (Weight of 17 reaches or
exceeds the limit of 14.). Action=ATTACH.
10/06/2003 13:00:11 Q9f791da Msg failed WEIGHT16 (Weight of 17 reaches or
exceeds the limit of 16.). Action=IGNORE.
10/06/2003 13:00:11 Q9f791da L1 Message OK
10/06/2003 13:00:11 Q9f791da Subject: RE: Christian Single?
10/06/2003 13:00:11 Q9f791da From:
[EMAIL PROTECTED] To:
[EMAIL PROTECTED]  IP: 69.6.28.28 ID: CAA09196

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
Sent: Tuesday, October 07, 2003 9:52 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Strange Email getting past checks



>I have this email a user forwarded to me that he received yesterday. By all
>indications in the logs the message should have been deleted because of all
>the tests it failed. I delete emails with a weight of 40 or more.

Are you *positive* that the user received the same E-mail that the log file
entries refer to?

>10/05/2003 12:12:24 Q42df204 Msg failed WEIGHT40 (Weight of 141 reaches or
>exceeds the limit of 40.). Action=DELETE.

This one shows that the DELETE action was going to be used on this E-mail,
unless a WHITELIST entry was there to override it.

>10/05/2003 12:12:24 Q42df204 Deleting spam from
>[EMAIL PROTECTED] to
>[EMAIL PROTECTED]

And this one shows that Declude JunkMail deleted it.

I'm guessing these log file entries were for a different E-mail.

-Scott


Re: [Declude.JunkMail] Strange Email getting past checks

2003-10-07 Thread R. Scott Perry

>I have this email a user forwarded to me that he received yesterday. By all
>indications in the logs the message should have been deleted because of all
>the tests it failed. I delete emails with a weight of 40 or more.

Are you *positive* that the user received the same E-mail that the log file
entries refer to?

>10/05/2003 12:12:24 Q42df204 Msg failed WEIGHT40 (Weight of 141 reaches or
>exceeds the limit of 40.). Action=DELETE.

This one shows that the DELETE action was going to be used on this E-mail,
unless a WHITELIST entry was there to override it.

>10/05/2003 12:12:24 Q42df204 Deleting spam from
>[EMAIL PROTECTED] to
>[EMAIL PROTECTED]

And this one shows that Declude JunkMail deleted it.

I'm guessing these log file entries were for a different E-mail.

   -Scott


Re: [Declude.JunkMail] Knowing why Whitelisted

2003-10-07 Thread R. Scott Perry

>The "[Declude]" in the "E-mail whitelisted" line means that the word
>"Declude" triggered the whitelist.  For example, "WHITELIST ANYWHERE
>Declude" could have generated that log file entry.  If you search your
>filter file, and the E-mail, for "Declude", you should find out why it was
>whitelisted.

Sorry, that shouldn't be "filter file"; it should be the WHITELIST entries
in the global.cfg file, or other whitelist locations (such as the
WHITELISTFILE option, or address books).

   -Scott


Re: [Declude.JunkMail] Knowing why Whitelisted

2003-10-07 Thread R. Scott Perry

>How can I know why this email was whitelisted when it was supposed to be
>deleted:
>
>==
>10/07/2003 07:23:30 Qa216005702005a75 nIPNOTINMX:-8 nNOLEGITCONTENT:-8
>COMMENTS:93 FILTER-BODY:70 FILTER-HEADER-XMAIL:12 COUNTRY:10 .  Total
>weight = 169
>10/07/2003 07:23:30 Qa216005702005a75 E-mail whitelisted - automatically
>passing all spam tests [Declude]
>10/07/2003 07:23:30 Qa216005702005a75 L1 Message OK
>10/07/2003 07:23:30 Qa216005702005a75 Subject: Keep Your Employment
>10/07/2003 07:23:30 Qa216005702005a75 From:
>[EMAIL PROTECTED] To:
>[EMAIL PROTECTED]  IP: 12.35.151.134 ID:
>A0AD1D40017C
>===
>
>The Addressbook in IMail is empty and no emails are listed.  So there is
>no way this email could be in the address book.

The "[Declude]" in the "E-mail whitelisted" line means that the word
"Declude" triggered the whitelist.  For example, "WHITELIST ANYWHERE
Declude" could have generated that log file entry.  If you search your
filter file, and the E-mail, for "Declude", you should find out why it was
whitelisted.

   -Scott
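Both questions in this thread (whether the quoted log entries belong to the message the user actually received, and what triggered a whitelist) can be answered by grouping log lines on the queue ID. The following is an added example, not Declude's or any poster's code: the sample log is constructed in the format quoted in the thread with made-up queue IDs, addresses and IPs, the function names are hypothetical, and it assumes "L1 Message OK" marks a message that JunkMail did not delete.

```python
import re
from collections import defaultdict

# Constructed sample in the log format quoted in this thread; queue IDs,
# addresses and IPs are made up. Wrapped lines mimic e-mail line wrapping.
SAMPLE_LOG = """\
10/06/2003 00:27:34 Qaaaa0001 MAILPOLICE-BULK:40 SPAMCHK:17 .  Total weight =
57
10/06/2003 00:27:34 Qaaaa0001 Msg failed WEIGHT14 (Weight of 57 reaches or
exceeds the limit of 14.). Action=ATTACH.
10/06/2003 00:27:34 Qaaaa0001 Msg failed WEIGHT40 (Weight of 57 reaches or
exceeds the limit of 40.). Action=DELETE.
10/06/2003 00:27:34 Qaaaa0001 Deleting spam from
sender@example.com to
user@example.net
10/06/2003 00:27:34 Qaaaa0001 Subject: RE: Sample offer
10/06/2003 00:27:34 Qaaaa0001 From: sender@example.com To: user@example.net  IP: 192.0.2.29 ID: AAA00001
10/06/2003 13:00:11 Qbbbb0002 SPAMCHK:17 .  Total weight = 17
10/06/2003 13:00:11 Qbbbb0002 Msg failed WEIGHT14 (Weight of 17 reaches or
exceeds the limit of 14.). Action=ATTACH.
10/06/2003 13:00:11 Qbbbb0002 L1 Message OK
10/06/2003 13:00:11 Qbbbb0002 Subject: RE: Sample offer
10/06/2003 13:00:11 Qbbbb0002 From: sender@example.com To: user@example.net  IP: 192.0.2.28 ID: BBB00002
10/07/2003 07:23:30 Qcccc0003 COMMENTS:93 FILTER-BODY:70 .  Total weight = 163
10/07/2003 07:23:30 Qcccc0003 E-mail whitelisted - automatically passing all spam tests [Declude]
10/07/2003 07:23:30 Qcccc0003 L1 Message OK
10/07/2003 07:23:30 Qcccc0003 Subject: Keep Your Employment
10/07/2003 07:23:30 Qcccc0003 From: a@example.org To: b@example.net  IP: 198.51.100.7 ID: CCC00003
"""

ENTRY = re.compile(r"^\d\d/\d\d/\d{4} \d\d:\d\d:\d\d (Q\w+) (.*)$")

def unwrap(text):
    """Join wrapped continuation lines onto their timestamped entry."""
    entries = []
    for line in text.splitlines():
        if ENTRY.match(line):
            entries.append(line.rstrip())
        elif line.strip() and entries:
            entries[-1] += " " + line.strip()
    return entries

def summarize(text):
    """Return {queue_id: weight, non-IGNORE actions, outcome, whitelist trigger}."""
    msgs = defaultdict(lambda: {"weight": None, "actions": [], "outcome": None,
                                "whitelist": None, "subject": None, "ip": None})
    for entry in unwrap(text):
        qid, rest = ENTRY.match(entry).groups()
        m = msgs[qid]
        if rest.startswith("Subject: "):  # sender-controlled text: match it first
            m["subject"] = rest[len("Subject: "):]
        elif w := re.search(r"Total weight = (-?\d+)", rest):
            m["weight"] = int(w.group(1))
        elif a := re.match(r"Msg failed (\S+) .*Action=(\w+)\.", rest):
            if a.group(2) != "IGNORE":
                m["actions"].append((a.group(1), a.group(2)))
        elif wl := re.match(r"E-mail whitelisted .*\[(.*)\]$", rest):
            m["whitelist"] = wl.group(1)  # the text that triggered the whitelist
        elif rest.startswith("Deleting spam"):
            m["outcome"] = "deleted"
        elif rest.startswith("L1 Message OK"):  # assumption: not deleted
            m["outcome"] = "passed"
        elif ip := re.search(r"IP: (\S+)", rest):
            m["ip"] = ip.group(1)
    return dict(msgs)

def same_subject_different_outcome(summary):
    """Subjects whose messages (distinct queue IDs) met different fates."""
    by_subject = defaultdict(dict)
    for qid, m in summary.items():
        by_subject[m["subject"]][qid] = m["outcome"]
    return {s: q for s, q in by_subject.items() if len(set(q.values())) > 1}
```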


RE: [Declude.JunkMail] Knowing why Whitelisted

2003-10-07 Thread Kami Razvan



Hi John:

We do not whitelist IP's.  We only whitelist REVDNS.

This is why I am so confused.

It would be a good idea for the log file to show why something is
whitelisted.  Right now it is so hard to find a mistake.

Regards,
Kami

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Tuesday, October 07, 2003 9:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Knowing why Whitelisted

Could you have base.net whitelisted in the Global.cfg file?
Or how about part of the IP address?
What is the ID?

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan
Sent: Tuesday, October 07, 2003 4:42 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Knowing why Whitelisted

Hi Scott:

How can I know why this email was whitelisted when it was supposed to be deleted:

==
10/07/2003 07:23:30 Qa216005702005a75 nIPNOTINMX:-8 nNOLEGITCONTENT:-8 COMMENTS:93 FILTER-BODY:70 FILTER-HEADER-XMAIL:12 COUNTRY:10 .  Total weight = 169
10/07/2003 07:23:30 Qa216005702005a75 E-mail whitelisted - automatically passing all spam tests [Declude]
10/07/2003 07:23:30 Qa216005702005a75 L1 Message OK
10/07/2003 07:23:30 Qa216005702005a75 Subject: Keep Your Employment
10/07/2003 07:23:30 Qa216005702005a75 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]  IP: 12.35.151.134 ID: A0AD1D40017C
===

The Addressbook in IMail is empty and no emails are listed.  So there is no way this email could be in the address book.

This is strange...

Regards,
Kami


[Declude.JunkMail] Strange Email getting past checks

2003-10-07 Thread Greg Foulks
I have this email a user forwarded to me that he received yesterday. By all
indications in the logs the message should have been deleted because of all
the tests it failed. I delete emails with a weight of 40 or more.

This email had a weight of 141 and was still attached and sent to the user.

Here is the declude log showing what happened to the email. Does anyone have
any ideas why this email was still able to be delivered? (Do I need to
remove the WEIGHT50 action?)

10/05/2003 12:12:23 Q42df204 EASYNET-DNSBL:20 SPAMCOP:40 SECURITYSAGE:20
MAILPOLICE-BULK:40 REVDNS:2 SPAMCHK:19 .  Total weight = 141
10/05/2003 12:12:23 Q42df204 Msg failed EASYNET-DNSBL (Blacklisted by
easynet.nl DNSBL - http://blackholes.easynet.nl/errors.html). Action=WARN.
10/05/2003 12:12:23 Q42df204 Msg failed SPAMCOP (Blocked - see
http://www.spamcop.net/bl.shtml?69.60.142.7). Action=WARN.
10/05/2003 12:12:23 Q42df204 Msg failed SECURITYSAGE
(mail07.emailpls.com.blackhole.securitysage.com.). Action=WARN.
10/05/2003 12:12:23 Q42df204 Msg failed MAILPOLICE-BULK (This E-mail came
from mail07.emailpls.com, a potential spam source listed in
MAILPOLICE-BULK.). Action=WARN.
10/05/2003 12:12:23 Q42df204 Msg failed REVDNS (This E-mail was sent from a
MUA/MTA 69.60.142.7 with no reverse DNS entry.). Action=IGNORE.
10/05/2003 12:12:24 Q42df204 Msg failed SPAMCHK (Message failed SPAMCHK:
19.). Action=IGNORE.
10/05/2003 12:12:24 Q42df204 Msg failed WEIGHT10 (Weight of 141 reaches or
exceeds the limit of 10.). Action=IGNORE.
10/05/2003 12:12:24 Q42df204 Msg failed WEIGHT14 (Weight of 141 reaches or
exceeds the limit of 14.). Action=ATTACH.
10/05/2003 12:12:24 Q42df204 Msg failed WEIGHT16 (Weight of 141 reaches or
exceeds the limit of 16.). Action=IGNORE.
10/05/2003 12:12:24 Q42df204 Msg failed WEIGHT20 (Weight of 141 reaches or
exceeds the limit of 20.). Action=IGNORE.
10/05/2003 12:12:24 Q42df204 Msg failed WEIGHT26 (Weight of 141 reaches or
exceeds the limit of 26.). Action=IGNORE.
10/05/2003 12:12:24 Q42df204 Msg failed WEIGHT30 (Weight of 141 reaches or
exceeds the limit of 30.). Action=IGNORE.
10/05/2003 12:12:24 Q42df204 Msg failed WEIGHT40 (Weight of 141 reaches or
exceeds the limit of 40.). Action=DELETE.
10/05/2003 12:12:24 Q42df204 Msg failed WEIGHT50 (Weight of 141 reaches or
exceeds the limit of 50.). Action=IGNORE.
10/05/2003 12:12:24 Q42df204 Deleting spam from
[EMAIL PROTECTED] to
[EMAIL PROTECTED] 
10/05/2003 12:12:24 Q42df204 Subject: RE: Are you a Christian Single?
10/05/2003 12:12:24 Q42df204 From:
[EMAIL PROTECTED] To:
[EMAIL PROTECTED]  IP: 69.60.142.7 ID: JAA80040

Greg Foulks
NewFound Technologies, Inc.
[EMAIL PROTECTED]
http://www.nfti.com
614.318.5036


RE: [Declude.JunkMail] Knowing why Whitelisted

2003-10-07 Thread John Tolmachoff \(Lists\)









Could you have base.net whitelisted in the Global.cfg file?

Or how about part of the IP address?

What is the ID?

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan
Sent: Tuesday, October 07, 2003 4:42 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Knowing why Whitelisted

Hi Scott:

How can I know why this email was whitelisted when it was supposed to be deleted:

==
10/07/2003 07:23:30 Qa216005702005a75 nIPNOTINMX:-8 nNOLEGITCONTENT:-8 COMMENTS:93 FILTER-BODY:70 FILTER-HEADER-XMAIL:12 COUNTRY:10 .  Total weight = 169
10/07/2003 07:23:30 Qa216005702005a75 E-mail whitelisted - automatically passing all spam tests [Declude]
10/07/2003 07:23:30 Qa216005702005a75 L1 Message OK
10/07/2003 07:23:30 Qa216005702005a75 Subject: Keep Your Employment
10/07/2003 07:23:30 Qa216005702005a75 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]  IP: 12.35.151.134 ID: A0AD1D40017C
===

The Addressbook in IMail is empty and no emails are listed.  So there is no way this email could be in the address book.

This is strange...

Regards,
Kami












RE: [Declude.JunkMail] maybe its just one of AOL's servers???

2003-10-07 Thread Keith Anderson

Okay, sorry about that, somehow I missed that one.

> 
> in the global config file:
> 
> NOLEGITCONTENT  nolegitcontent  x x   0   -4
> 
> If you're asking me what it does I can only paraphrase Scott.  It looks for
> things that are uncommon in spam but common in legitimate e-mails so that it
> can give it some negative weight.
> 
> Marc




[Declude.JunkMail] Knowing why Whitelisted

2003-10-07 Thread Kami Razvan



Hi Scott:

How can I know why this email was whitelisted when it was supposed to be deleted:

==
10/07/2003 07:23:30 Qa216005702005a75 nIPNOTINMX:-8 nNOLEGITCONTENT:-8 COMMENTS:93 FILTER-BODY:70 FILTER-HEADER-XMAIL:12 COUNTRY:10 .  Total weight = 169
10/07/2003 07:23:30 Qa216005702005a75 E-mail whitelisted - automatically passing all spam tests [Declude]
10/07/2003 07:23:30 Qa216005702005a75 L1 Message OK
10/07/2003 07:23:30 Qa216005702005a75 Subject: Keep Your Employment
10/07/2003 07:23:30 Qa216005702005a75 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]  IP: 12.35.151.134 ID: A0AD1D40017C
===

The Addressbook in IMail is empty and no emails are listed.  So there is no way this email could be in the address book.

This is strange...

Regards,
Kami