Re: [Declude.JunkMail] Scoring headers

2003-12-20 Thread Gerald V. Livingston II
On Sat, 20 Dec 2003 20:20:20 -0800 
Bill Landry said something about Re: [Declude.JunkMail] Scoring headers:

> - Original Message - 
> From: "Gerald V. Livingston II" <[EMAIL PROTECTED]>
> 
> > Is it possible to get Declude to insert a score like SpamAssassin in
> > the form of "Spam_Score: ***"?
> >
> > I'm trying to set up a way for users to choose their own weight at
> >
> > X-Spam-Tests-Failed: HELOBOGUS, REVDNS, WEIGHT10 [10], WEIGHT11 [11],
> > WEIGHT12 [12], WEIGHT13 [13], WEIGHT14 [14], WEIGHT15 [15], WEIGHT16
> >
> > I'd like to be able to shorten that to:
> >
> > X-Spam-Tests-Failed: HELOBOGUS, REVDNS, WEIGHT []
> 
> Have you tried using the %WEIGHT% variable, which will display the total
> weight of the e-mail message?
> 
> Bill

That won't work because it only gives the total as a decimal number. That
would place more burden on users that I'm already going to have
trouble explaining the concept of "headers" to. 

Using just the total weight as a decimal number a user who wanted
everything above a score of 10 deleted would have to set up a separate
filter to check for each possible total from 10 through 19 (since *we*
delete at 20). I want a way for them to create a SINGLE filter. A hit with
19 "*" symbols will match a filter looking for 10.

With 6000+ usernames on the server I REALLY don't want to have to try to
set up per-user filtering since there doesn't seem to be any easy way to do
it. And at some point I'd like to start adjusting our filters for finer
control and moving to a 0 - 100 scoring system rather than 0 - 20. Using
the weight headers the way they are now would make for a 20K message size
on one that scored high enough to squeak under the delete line at 99
points.

G

-- 
Gerald V. Livingston II

Configure your Email to send TEXT ONLY -- See the following page:
http://expita.com/nomime.html

'74 Kombi (to be renamed - LifeSaver doesn't 'feel' right)
'69 Type 1 - AirBall the Rolling Basket Case
http://www.phorce1.com
http://www.buskatiers.org

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
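Added example (not part of the thread and not Declude or IMail code): a Python sketch of why the unary "stars" header asked for above lets one filter cover every total at or above a user's threshold, while a decimal total does not. The header name Spam_Score comes from the question; the plain "header contains text" filter behaviour and the cap of 100 are assumptions.

```python
HEADER = "Spam_Score"  # header name taken from the question above


def star_header(weight, cap=100):
    """Unary score header: one '*' per whole point, clamped to 0..cap.

    Clamping keeps the header bounded and turns negative totals into an
    empty star run, so they never match any threshold filter.
    """
    stars = max(0, min(int(weight), cap))
    return f"{HEADER}: " + "*" * stars


def decimal_header(weight):
    """The same total written as a decimal number."""
    return f"{HEADER}: {int(weight)}"


def filter_hits(header_line, needle):
    """Assumed user filter: a plain 'header contains this text' test."""
    return needle in header_line


def mismatches(threshold, max_weight):
    """Totals in 0..max_weight where ONE contains-filter gives the wrong answer.

    'Wrong' means the filter result differs from (total >= threshold).
    Returns the wrong totals for the star encoding and for the decimal one.
    """
    wrong = {"stars": [], "decimal": []}
    for total in range(max_weight + 1):
        want = total >= threshold
        star_hit = filter_hits(star_header(total, cap=max_weight), "*" * threshold)
        if star_hit != want:
            wrong["stars"].append(total)
        if filter_hits(decimal_header(total), str(threshold)) != want:
            wrong["decimal"].append(total)
    return wrong


if __name__ == "__main__":
    print(star_header(19))
    print("0-20 scale, user threshold 10:", mismatches(10, 19))
    wide = mismatches(10, 100)
    print("0-100 scale: stars wrong on", len(wide["stars"]),
          "totals, decimal wrong on", len(wide["decimal"]))
```

On the 0-20 scale the decimal filter for "10" misses exactly the totals 11 through 19, which is the set of extra filters the post describes; the star filter misses none.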


Re: [Declude.JunkMail] Scoring headers

2003-12-20 Thread Bill Landry
- Original Message - 
From: "Gerald V. Livingston II" <[EMAIL PROTECTED]>

> Is it possible to get Declude to insert a score like SpamAssassin in the
> form of "Spam_Score: ***"? Right now I'm having it insert a
> header for every point above 10 that it fails and we delete mail at 20.
>
> I'm trying to set up a way for users to choose their own weight at which to
> delete mail using the IMail filters so I don't have to find an "easy" way
> to do per-user Declude filtering. Right now they can add a filter to delete
> if "WEIGHTx [x]" is in the headers. BUT, I end up with headers like this
>
> X-Spam-Tests-Failed: HELOBOGUS, REVDNS, WEIGHT10 [10], WEIGHT11 [11],
> WEIGHT12 [12], WEIGHT13 [13], WEIGHT14 [14], WEIGHT15 [15], WEIGHT16 [16]
>
> I'd like to be able to shorten that to:
>
> X-Spam-Tests-Failed: HELOBOGUS, REVDNS, WEIGHT []

Have you tried using the %WEIGHT% variable, which will display the total
weight of the e-mail message?

Bill



[Declude.JunkMail] Unclear/truncated warning message in logs

2003-12-20 Thread Bill Landry
Scott, since upgrading from the beta release v1.77 to the interim release I
have been noticing log entries like:
==
12/20/2003 18:10:57 Q011f1f8b00a28d06 Unknown Var: %X-RBL-Warning: %TES
12/20/2003 18:10:57 Q011f1f8b00a28d06 Unknown Var: %: %WARNING%
==

I turned on debug logging and it only added one line to the log in reference
to this warning:
==
12/20/2003 18:14:09 Q01c71fa300a21de2 Unknown Var: %TESTNAMEX-RBL-Warni
12/20/2003 18:14:09 Q01c71fa300a21de2 Unknown Var: %: %WARNING%
12/20/2003 18:14:10.015 Q01c71fa300a21de2 X-RBL-Warning: [Unknown
Var]TESTNAME[Unknown Var]WARNING
==

Most messages do not log any of these warnings, but it seems like about 1 in
50 do.  I have reviewed my global.cfg and $default$.junkmail file and they
look fine to me.  Can you tell me what might be causing this warning
message?

Thanks,

Bill



[Declude.JunkMail] Scoring headers

2003-12-20 Thread Gerald V. Livingston II
Is it possible to get Declude to insert a score like SpamAssassin in the
form of "Spam_Score: ***"? Right now I'm having it insert a
header for every point above 10 that it fails and we delete mail at 20.

I'm trying to set up a way for users to choose their own weight at which to
delete mail using the IMail filters so I don't have to find an "easy" way
to do per-user Declude filtering. Right now they can add a filter to delete
if "WEIGHTx [x]" is in the headers. BUT, I end up with headers like this

X-Spam-Tests-Failed: HELOBOGUS, REVDNS, WEIGHT10 [10], WEIGHT11 [11],
WEIGHT12 [12], WEIGHT13 [13], WEIGHT14 [14], WEIGHT15 [15], WEIGHT16 [16]

I'd like to be able to shorten that to:

X-Spam-Tests-Failed: HELOBOGUS, REVDNS, WEIGHT []

Thanks

G

-- 
Gerald V. Livingston II

Configure your Email to send TEXT ONLY -- See the following page:
http://expita.com/nomime.html

'74 Kombi (to be renamed - LifeSaver doesn't 'feel' right)
'69 Type 1 - AirBall the Rolling Basket Case
http://www.phorce1.com
http://www.buskatiers.org



RE: [Declude.JunkMail] 8.05- Declude not seen..

2003-12-20 Thread Keith Anderson

Are you running Hijack in addition to Junkmail?

We're extremely high volume and have been watching for this problem since it
was first mentioned...  perhaps we're just missing it, but I'm not aware of
it happening here.

> -Original Message-
> From: Linette Casey [mailto:[EMAIL PROTECTED]
> Sent: Saturday, December 20, 2003 10:46 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.JunkMail] 8.05- Declude not seen..
>
>
> We have seen it with Imail 7.07 infrequently (no Declude
> headers and "Could
> not lock" in the log).  We process a low mail volume on this server.




Re: [Declude.JunkMail] 8.05- Declude not seen..

2003-12-20 Thread Bill Landry
- Original Message - 
From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>

> To all: Is there a reason why we need to get multiple copies of each
> message? (i.e. Sending to both Imail and Junkmail lists.)

If the original poster copies both lists, or the issue is relevant to both
lists, or the message is posted to one list, but is relevant to the other
list as well, then the answer is probably yes.  Not everyone on the IMail
list subscribes to the JunkMail list, and possibly vice versa.

Besides, how often do you see this happen?  If it were a major occurrence,
or if irrelevant posts were consistently going to one list or the other, I
could understand your concern.  Finally, a quick press of the "delete" key
makes short shrift of duplicate messages.

Bill



RE: [Declude.JunkMail] 8.05- Declude not seen..

2003-12-20 Thread John Tolmachoff (Lists)
To all: Is there a reason why we need to get multiple copies of each
message? (i.e. Sending to both Imail and Junkmail lists.)

John Tolmachoff
Engineer/Consultant/Owner
eServices For You




Re: [Declude.JunkMail] 8.05 OK?

2003-12-20 Thread Bill Landry
- Original Message - 
From: "Rich" <[EMAIL PROTECTED]>

> I'm assuming that the problem Kami is having isn't globally there and we can
> update to 8.05 safely, or?

This is not an 8.05 issue, in fact, this issue was supposed to be resolved
by the 8.05 release.  Reports have been made that this issue is experienced
with IMail v7.xx, as well, so I would say you are probably safe to update to
8.05.  I have...  ;-)

Bill



Re: [Declude.JunkMail] [IMail Forum] 8.05- Declude not seen..

2003-12-20 Thread Bill Landry
- Original Message - 
From: "Bill Landry" <[EMAIL PROTECTED]>

> Are these possibly headers that were added
> with older versions of IMail, but not with 8.0 versions, which is what I am
> running?
>
> If that's the case, then we still have a problem with Declude not placing
> its headers in certain messages.

Update:  It appears that these headers (Status: and X-UIDL:), are only added
if the messages are delivered to local IMail accounts, which is not the case
for my e-mail, which are relayed to my Exchange server account.  So this is
why you did not see these headers in the sample message headers I have
posted to the JunkMail list in the past.

Also, I am noticing more often situations where Declude headers are missing
from delivered messages, and from several different senders.  So I still
believe this is a Declude issue and not a corrupted or malformed mail issue.

Bill



[Declude.JunkMail] 8.05 OK?

2003-12-20 Thread Rich
I'm assuming that the problem Kami is having isn't globally there and we can
update to 8.05 safely, or?

Rich




Re: [Declude.JunkMail] [IMail Forum] 8.05- Declude not seen..

2003-12-20 Thread Bill Landry
- Original Message - 
From: "R. Scott Perry" <[EMAIL PROTECTED]>

> >Check your logs to see if these messages are actually getting processed or
> >not.  I suspect that they are being processed by Declude and that for some
> >reason Declude cannot place its headers in the message.
>
> FYI, the E-mails that I have seen that do not have the Declude headers but
> were scanned (as evidenced by the log Declude log file entries) also do not
> have IMail delivery headers (Status: and X-UIDL:), indicating that there
> was something causing *both* Declude and IMail not to be able to add the
> headers as expected.  That's why I suspect a malformed E-mail, as it
> affects both IMail and Declude.  Since the E-mails are being scanned, the
> only issue is that some expected headers either aren't present, or (more
> likely) aren't where they are expected to be.

Scott, just check the headers of this message and there are no Status: or
X-UIDL: headers, yet Declude added its headers to this message:
==
Received: from seamail02.pointshare.net ([206.114.137.47]) by
psmail02.pointshare.com with SMTP (Microsoft Exchange Internet Mail Service
Version 5.5.2656.59)
 id Z2PT1PC3; Sat, 20 Dec 2003 13:12:46 -0800
Received: from gw1.pointshare.com [204.189.38.4] by seamail02.pointshare.net
with ESMTP
  (SMTPD32-8.05) id AB36CE60096; Sat, 20 Dec 2003 13:12:22 -0800
Received: from list.ipswitch.com (list.ipswitch.com [156.21.1.21])
 by gw1.pointshare.com (Mail Gateway) with ESMTP id 7E259ADA76
 for <[EMAIL PROTECTED]>; Sat, 20 Dec 2003 13:12:22 -0800 (PST)
Received: from declude.com [24.107.232.14] by list.ipswitch.com with ESMTP
  (SMTPD32-8.04) id AA12CD3002C; Sat, 20 Dec 2003 16:07:30 -0500
Received: from panda.declude.com [192.168.0.4] by declude.com with ESMTP
  (SMTPD32-7.06) id A9945BFB03B2; Sat, 20 Dec 2003 16:05:24 -0500
Message-Id: <[EMAIL PROTECTED]>
X-Sender: [EMAIL PROTECTED]
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Sat, 20 Dec 2003 16:05:20 -0500
To: [EMAIL PROTECTED]
From: "R. Scott Perry" <[EMAIL PROTECTED]>
Subject: Re: [IMail Forum] 8.05- Declude not seen..
In-Reply-To: <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-CYBERsitter-SpoolFile: Db9945bfb03b2f883.SMD
X-CYBERsitter-Sender: [EMAIL PROTECTED] [192.168.0.4]
X-Note: This E-mail was scanned for viruses by Declude Virus
(www.declude.com)
Organization: Computerized Horizons
Precedence: bulk
Sender: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
X-Alligate-In: IGNORED - WhiteListed (declude.com)
X-Alligate-Tracking: 1CA7CEC477622491
X-Alligate-Signature: 0
X-Alligate-SpoolFile: Dbb360ce6009676ce.SMD
X-Alligate-Sender: [EMAIL PROTECTED] [156.21.1.21]
X-RBL-Warning: BLARSBL: This E-mail came from 24.107.232.14, a potential
spam source listed in BLARSBL.
X-RBL-Warning: WEB-O-TRUST: "http://www.declude.com/web-o-trust.txt";
X-RBL-Warning: SNIFFER-WHITERULE: Message failed SNIFFER-WHITERULE: 0.
X-RBL-Warning: SPAMCHECK: Message failed SPAMCHECK: 3.
X-RBL-Warning: REDUCTION-FILTER: Message failed REDUCTION-FILTER test (line
1337, weight -35)
X-RBL-Warning: WOT-WL: WOT Reduction
X-Declude-Sender: [EMAIL PROTECTED] [156.21.1.21]
X-Declude-Spoolname: Dbb360ce6009676ce.SMD
X-Country-Chain: UNITED STATES->destination
X-Note: This e-mail was scanned for viruses & filtered for spam
X-Note: Total spam test weight: -47
==

In fact, I parsed over 25,000 thousand of messages in my hold directory and
none of them had any of these apparent IMail related "Status:" or  "X-UIDL:"
headers (possibly they get added until after Declude hands the messages back
to IMail for delivery).  However, I don't see either of these headers in any
of the messages processed and delivered by IMail version 8.0 that I've
reviewed in my inbox, as well.  Are these possibly headers that were added
with older versions of IMail, but not with 8.0 versions, which is what I am
running?

If that's the case, then we still have a problem with Declude not placing
its headers in certain messages.

Bill



[Declude.JunkMail] COPYTO

2003-12-20 Thread John Tolmachoff (Lists)
Is it possible to use a variable in the copy to command?

Example:

TEST1   COPYTO  %SENDER%

John Tolmachoff
Engineer/Consultant/Owner
eServices For You




Re: [Declude.JunkMail] Weight processing

2003-12-20 Thread Bill Landry
- Original Message - 
From: "R. Scott Perry" <[EMAIL PROTECTED]>

> >Scott, I have setup my filter files with "SKIPIFWEIGHT 36", which is my
> >delete weight.  However, I just noticed that it appears that not all other
> >JM processing happens before the filter files are called
>
> That is by design.  We may make an attempt to get the filter tests to run
> last, but we cannot guarantee the order of the tests.

Okay, I have modified my SKIPIFWEIGHT accordingly.

Bill



Re: [Declude.JunkMail] Weight processing

2003-12-20 Thread R. Scott Perry

> Scott, I have setup my filter files with "SKIPIFWEIGHT 36", which is my
> delete weight.  However, I just noticed that it appears that not all other
> JM processing happens before the filter files are called

That is by design.  We may make an attempt to get the filter tests to run
last, but we cannot guarantee the order of the tests.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.



Re: [Declude.JunkMail] SPF broken with v1.77i4?

2003-12-20 Thread R. Scott Perry

> Any fix on this.

Not yet, most likely it will be taken care of tomorrow.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.



RE: [Declude.JunkMail] [IMail Forum] 8.05- Declude not seen..

2003-12-20 Thread R. Scott Perry

> IMail Log file:
>
> 20031220 075445 127.0.0.1   SMTPD (015F0046) [68.76.191.150]
> S:\\D4695015f0046b39b.SMD 2733
>
> I don't see any entries in the Declude regarding this email.

Assuming that there are no references to "4695015f0046b39b" in the Declude
log files, this appears to be the same issue as before, the one that IMail
v8.05 should have fixed.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.



RE: [Declude.JunkMail] Weight processing

2003-12-20 Thread Kami Razvan
Hi Matt:

I agree but in case of mailing lists .. It seems like one way to help with
the mailing lists that keep changing their providers is to whitelist them by
their address in the Header.

Since Declude looks at the sender email and does not see the FROM address
the best way to handle some mailing lists is by giving negative weight for
the email found in header.

In those cases we have given enough negative weight to them to make sure
they come through regardless of the spam databases they are in.

Regards,
Kami 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble
Sent: Saturday, December 20, 2003 2:58 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Weight processing

Kami Razvan wrote:

>I wish we could also skip the tests for negative weight.. Because right 
>now the emails that we want to be delivered by negative weight actually 
>will go through all tests since none can exit on a negative limit.
>  
>
I believe the idea here is to place the negative weight filters before the
positive weight ones.  Unless you want to totally whitelist something based
on a filter (as opposed to pseudo-whitelisting it by crediting just some
points), it makes sense that you wouldn't have a minimum weight.  I guess
I'm not really very trusting of anything not whitelisted on my system.

I start my order with pseudo-whitelists, and then pseudo-blacklists, then
the highest scoring filters that don't make much use of the body down to the
lowest scoring filters that do heavy body searches.  When I have ANTI files,
I list those before the main tests.  The logic is a little sloppy in the
middle, but it seems to be the right idea.

Naturally, it would also make sense to have absolutely everything else run
before the custom filters.  I suspect the IPNOTINMX thing is a bug instead
of something by design.

Matt



Re: [Declude.JunkMail] [IMail Forum] 8.05- Declude not seen..

2003-12-20 Thread Bill Landry
- Original Message - 
From: "Matthew Bramble" <[EMAIL PROTECTED]>

> This can result in two copies of the file, one passed to Declude, and
> one stolen by the running of the queue.  So it can still appear in the
> Declude logs, and chances are probably 80% that the Declude copy will at
> least be held on one of our systems and therefore we may not know about
> them.  When I caught this on my server, the Declude copy was deleted.

Good point.  However, of the messages I have noticed with missing Declude
headers, they were messages that did not meet a hold or delete weight
requirement and were delivered normally.  If IMail were delivering the
message pre-Declude, as well as copy after being tested by Declude, wouldn't
I get two copies of the message in my inbox, one delivered by IMail
pre-Declude, and one post-Declude?

I can post proof of this, if anyone is interested.  Or, if you check the
list archives, you will find previous posts I have made to this list with
the audit trail to prove my point:

http://www.mail-archive.com/[EMAIL PROTECTED]/msg10996.html
http://www.mail-archive.com/[EMAIL PROTECTED]/msg12246.html

> I'm not sure what the full scope of the errors being experienced are,
> but the queue thing that was suggested to have been fixed is one easily
> identified by a line in your log in the middle of the entries for a
> particular message being received that says the queue is being run.

I'll look into this and see if I can find a correlation.

Bill



Re: [Declude.JunkMail] Weight processing

2003-12-20 Thread Matthew Bramble
Kami Razvan wrote:

> I wish we could also skip the tests for negative weight.. Because right now
> the emails that we want to be delivered by negative weight actually will go
> through all tests since none can exit on a negative limit.
 

I believe the idea here is to place the negative weight filters before 
the positive weight ones.  Unless you want to totally whitelist 
something based on a filter (as opposed to pseudo-whitelisting it by 
crediting just some points), it makes sense that you wouldn't have a 
minimum weight.  I guess I'm not really very trusting of anything not 
whitelisted on my system.

I start my order with pseudo-whitelists, and then pseudo-blacklists, 
then the highest scoring filters that don't make much use of the body 
down to the lowest scoring filters that do heavy body searches.  When I 
have ANTI files, I list those before the main tests.  The logic is a 
little sloppy in the middle, but it seems to be the right idea.

Naturally, it would also make sense to have absolutely everything else 
run before the custom filters.  I suspect the IPNOTINMX thing is a bug 
instead of something by design.

Matt



Re: [Declude.JunkMail] SPF broken with v1.77i4?

2003-12-20 Thread Frederick Samarelli
Any fix on this.

Fred
- Original Message - 
From: "Bill Landry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, December 19, 2003 7:21 PM
Subject: [Declude.JunkMail] SPF broken with v1.77i4?


> Scott, I updated to v1.77i4 for the added logging, however, now SPF appears
> not to be working at all.  Logging shows up in spf.none, but no logging
> shows up in spf.log any longer.  I sent a test message through that failed
> SPF on v1.77i3, but passed right through without notice with v1.77i4.
>
> Bill


Re: [Declude.JunkMail] [IMail Forum] 8.05- Declude not seen..

2003-12-20 Thread Matthew Bramble
Bill,

This can result in two copies of the file, one passed to Declude, and 
one stolen by the running of the queue.  So it can still appear in the 
Declude logs, and chances are probably 80% that the Declude copy will at 
least be held on one of our systems and therefore we may not know about 
them.  When I caught this on my server, the Declude copy was deleted.

I'm not sure what the full scope of the errors being experienced are, 
but the queue thing that was suggested to have been fixed is one easily 
identified by a line in your log in the middle of the entries for a 
particular message being received that says the queue is being run.

Matt



Bill Landry wrote:

Kami, I also periodically see messages without any Declude headers, 
however I find that the messages were processed by Declude because all 
of the normal log entries appear in the log file for the messages.  I 
reported seeing this several months ago, but the explanation from Scott 
was "My guess is that there is something incorrect with the original 
E-mail (perhaps using a CR to end a line rather than CRLF)."
 
Check your logs to see if these messages are actually getting 
processed or not.  I suspect that they are being processed by 
Declude and that for some reason Declude cannot place its headers in 
the message.
 
Bill

- Original Message -
From: Kami Razvan 
To: [EMAIL PROTECTED]

Cc: [EMAIL PROTECTED]

Sent: Saturday, December 20, 2003 7:07 AM
Subject: [IMail Forum] 8.05- Declude not seen..
Hi;

I think the problem still exists..

The following is the header for an email that I received with no
Declude header.
==
Received: from adsl-68-76-191-150.dsl.akrnoh.ameritech.net
[68.76.191.150] by clickandpledge.com
  (SMTPD32-8.05) id A69515F0046; Sat, 20 Dec 2003 07:54:45 -0500
Received: from [236.246.27.25] by
adsl-68-76-191-150.dsl.akrnoh.ameritech.net with ESMTP id
34330738; Sun, 21 Dec 2003 08:51:50 +0600
Message-ID: <[EMAIL PROTECTED]>
From: "Albert Estrada" <[EMAIL PROTECTED]>
Reply-To: "Albert Estrada" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: your
vacation
k qnkgtyhxvodlqbi

Date: Sun, 21 Dec 03 08:51:50 GMT
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="_25AA.AC__.0"
X-Priority: 3
X-MSMail-Priority: Normal
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 362538172
==
So the line about 3rd party software having issues is still
un-resolved.
Regards,
Kami




RE: [Declude.JunkMail] Weight processing

2003-12-20 Thread Kami Razvan
Hi Bill:

I noticed this a while back and what I did was I elevated the skip weight by
10.. & it took care of this..

But I agree with you.. It is hard to know what is happening when tests are
not done in order and one skips the tests only to see a surprise negative
weight being applied..

I wish we could also skip the tests for negative weight.. Because right now
the emails that we want to be delivered by negative weight actually will go
through all tests since none can exit on a negative limit.

Kami 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Saturday, December 20, 2003 2:15 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Weight processing

Scott, I have setup my filter files with "SKIPIFWEIGHT 36", which is my
delete weight.  However, I just noticed that it appears that not all other
JM processing happens before the filter files are called.  You will see from
the log snippet below that most of my filter files were skipped because of a
weight "(>=36)" was met.  However, it appears that the negative weight of -3
from the nIPNOTINMX was applied after the filter file processing, which
reduced the weight to 33, so the message was held instead of deleted.

Would you be willing to change this so that all other Declude JM tests are
run before the filters are called?

Thanks,

Bill
=
Filter HEADERS-FILTER: Skipping E-mail with a current weight of 36 (>=36)
Filter SUBJECT-FILTER: Skipping E-mail with a current weight of 36 (>=36)
Filter DYNAMIC-FILTER: Skipping E-mail with a current weight of 36 (>=36)
Filter HELO-FILTER: Skipping E-mail with a current weight of 36 (>=36)
Filter MAILFROM-FILTER: Skipping E-mail with a current weight of 36 (>=36)
Filter FORGEDHELO-FILTER: Skipping E-mail with a current weight of 36 (>=36)
Filter VERP-FILTER: Skipping E-mail with a current weight of 36 (>=36)
Filter REVDNS-FILTER: Skipping E-mail with a current weight of 36 (>=36)
Filter BODY-FILTER: Skipping E-mail with a current weight of 36 (>=36)
SPEWS:2 MAILPOLICE-BULK:5 nIPNOTINMX:-3 LONGSUBJECT:3 SUBJECTSPACES:5
ALLIGATE-SPAM-L1:1 ALLIGATE-SPAM-L2:2 SNIFFER-PORN:12 SPAMCHECK:6 .  Total
weight = 33.



Re: [Declude.JunkMail] 8.05- Declude not seen..

2003-12-20 Thread Matthew Bramble
Keith,

I would imagine that this affects versions all the way back to 7.0 and 
quite possibly far before then.  The issue is very rare on an IMail 7 
server because the window of opportunity for swiping a message by a 
queue run is so much smaller due to the speed at which something is 
passed on to Declude.  It's even possible to get two copies, one 
scanned, and one not scanned.

I worked out some math figuring 1/5th of a second as the window with 
5,000 messages a day with the queue run 24 times a day and literally got 
a likelihood of 100% at 360 days.  Obviously the steal window is 
something that I've guessed about.

BTW, motivation beyond 7.07 would be primarily in the form of DOS 
patches, though I have found bugs that compelled me along the way :)

Matt

Keith Anderson wrote:

This has never happened while running Imail 7.07, which is the version that
has proven to be stable here.  I see little motivation to upgrade to
anything beyond 7.07
-Original Message-
From: Kami Razvan [mailto:[EMAIL PROTECTED]
Hi;
I think the problem still exists..
The following is the header for an email that I received with no Declude
header.
 





[Declude.JunkMail] Weight processing

2003-12-20 Thread Bill Landry
Scott, I have setup my filter files with "SKIPIFWEIGHT 36", which is my
delete weight.  However, I just noticed that it appears that not all other
JM processing happens before the filter files are called.  You will see from
the log snippet below that most of my filter files were skipped because a
weight of "(>=36)" was met.  However, it appears that the negative weight of -3
from the nIPNOTINMX was applied after the filter file processing, which
reduced the weight to 33, so the message was held instead of deleted.

Would you be willing to change this so that all other Declude JM tests are
run before the filters are called?

Thanks,

Bill
=
Filter HEADERS-FILTER: Skipping E-mail with a current weight of 36 (>=36)
Filter SUBJECT-FILTER: Skipping E-mail with a current weight of 36 (>=36)
Filter DYNAMIC-FILTER: Skipping E-mail with a current weight of 36 (>=36)
Filter HELO-FILTER: Skipping E-mail with a current weight of 36 (>=36)
Filter MAILFROM-FILTER: Skipping E-mail with a current weight of 36 (>=36)
Filter FORGEDHELO-FILTER: Skipping E-mail with a current weight of 36 (>=36)
Filter VERP-FILTER: Skipping E-mail with a current weight of 36 (>=36)
Filter REVDNS-FILTER: Skipping E-mail with a current weight of 36 (>=36)
Filter BODY-FILTER: Skipping E-mail with a current weight of 36 (>=36)
SPEWS:2 MAILPOLICE-BULK:5 nIPNOTINMX:-3 LONGSUBJECT:3 SUBJECTSPACES:5
ALLIGATE-SPAM-L1:1 ALLIGATE-SPAM-L2:2 SNIFFER-PORN:12 SPAMCHECK:6 .  Total
weight = 33.
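
The log snippet above can be checked mechanically. This is an added example, not part of the original message and not Declude code: it parses the quoted lines, recomputes the total, and reports when filters were skipped at a weight that later dropped below the delete weight. The function names, result keys and the "minimum safe skip weight" calculation are assumptions made for the illustration.

```python
import re

# Log snippet quoted in the message above (three of the nine "Filter" lines kept).
SAMPLE_LOG = """\
Filter HEADERS-FILTER: Skipping E-mail with a current weight of 36 (>=36)
Filter SUBJECT-FILTER: Skipping E-mail with a current weight of 36 (>=36)
Filter BODY-FILTER: Skipping E-mail with a current weight of 36 (>=36)
SPEWS:2 MAILPOLICE-BULK:5 nIPNOTINMX:-3 LONGSUBJECT:3 SUBJECTSPACES:5
ALLIGATE-SPAM-L1:1 ALLIGATE-SPAM-L2:2 SNIFFER-PORN:12 SPAMCHECK:6 .  Total
weight = 33.
"""

# CONSTRUCTED: the same test results, but with no filter skipped.
NO_SKIP_LOG = """\
SPEWS:2 MAILPOLICE-BULK:5 nIPNOTINMX:-3 LONGSUBJECT:3 SUBJECTSPACES:5
ALLIGATE-SPAM-L1:1 ALLIGATE-SPAM-L2:2 SNIFFER-PORN:12 SPAMCHECK:6 .  Total
weight = 33.
"""

SKIP_RE = re.compile(
    r"^Filter (\S+): Skipping E-mail with a current weight of (-?\d+) \(>=(-?\d+)\)",
    re.M,
)
TEST_RE = re.compile(r"(?<!\S)([A-Za-z][\w-]*):(-?\d+)(?!\S)")
TOTAL_RE = re.compile(r"Total\s+weight\s*=\s*(-?\d+)")


def parse(text):
    """Return (skipped filters, per-test weights, logged total) for one message."""
    skips = [(m[1], int(m[2]), int(m[3])) for m in SKIP_RE.finditer(text)]
    # The test-result line wraps in the log, so rejoin the non-"Filter" lines first.
    results = " ".join(
        line.strip() for line in text.splitlines() if not line.startswith("Filter ")
    )
    tests = [(m[1], int(m[2])) for m in TEST_RE.finditer(results)]
    m = TOTAL_RE.search(results)
    total = int(m[1]) if m else sum(w for _, w in tests)
    return skips, tests, total


def audit(text, delete_weight):
    """Flag a skip decision that a later negative weight invalidated."""
    skips, tests, total = parse(text)
    negatives = [(name, w) for name, w in tests if w < 0]
    weight_at_skip = max((w for _, w, _ in skips), default=None)
    lost = (weight_at_skip - total) if weight_at_skip is not None else 0
    return {
        "total": total,
        "skipped_filters": [name for name, _, _ in skips],
        "weight_at_skip": weight_at_skip,
        "negative_tests": negatives,
        # Weight that disappeared between the skip decision and the final total.
        "lost_after_skip": max(lost, 0),
        # True when the filters were skipped at or above the delete weight,
        # yet the message finished below it.
        "skip_decision_invalidated": (
            weight_at_skip is not None and weight_at_skip >= delete_weight > total
        ),
        # Assumption: a skip weight this high still leaves the message at the
        # delete weight after every negative test seen on this message applies.
        "min_safe_skip_weight": delete_weight + sum(-w for _, w in negatives),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG, delete_weight=36).items():
        print(f"{key}: {value}")
```

The margin it reports covers only the negative tests that fired on this one message; run it across a day of logs to size the margin for a whole configuration.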



Re: [Declude.JunkMail] [IMail Forum] 8.05- Declude not seen..

2003-12-20 Thread Bill Landry
Thanks for the update, Kami.  Please keep us posted
on the results...

Bill
- Original Message - 
From: Kami Razvan
To: [EMAIL PROTECTED]
Sent: Saturday, December 20, 2003 10:17 AM
Subject: RE: [Declude.JunkMail] [IMail Forum] 8.05- Declude not seen..

Hi Bill:

IMail Log file:

20031220 075444 127.0.0.1   SMTPD (015F0046) [12.5.20.81] connect
68.76.191.150 port 3309
20031220 075444 127.0.0.1   SMTPD (015F0046) [68.76.191.150] HELO
adsl-68-76-191-150.dsl.akrnoh.ameritech.net
20031220 075445 127.0.0.1   SMTPD (015F0046) [68.76.191.150] MAIL FROM:
<[EMAIL PROTECTED]>
20031220 075445 127.0.0.1   SMTPD (015F0046) [68.76.191.150] RCPT TO:
<[EMAIL PROTECTED]>
20031220 075445 127.0.0.1   SMTPD (015F0046) [68.76.191.150]
S:\\D4695015f0046b39b.SMD 2733
20031220 075446 127.0.0.1   SMTPD (015F0046) performing antispam checks

I don't see any entries in the Declude regarding this email.

I searched for: 15F0046 as well as looked at the Declude log file for that
time period and nothing is there.

I might be blind.. I sent the log files to Scott and we soon will find out..

Kami




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Saturday, December 20, 2003 12:58 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] [IMail Forum] 8.05- Declude not seen..


Kami, I also periodically see messages without any Declude headers, however
I find that the messages were processed by Declude because all of the normal
log entries appear in the log file for the messages.  I reported seeing this
several months ago, but the explanation from Scott was "My guess is that
there is something incorrect with the original E-mail (perhaps using a CR to
end a line rather than CRLF)."

Check your logs to see if these messages are actually getting processed or
not.  I suspect that they are being processed by Declude and that for some
reason Declude cannot place its headers in the message.

Bill
- Original Message - 
From: Kami Razvan
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Saturday, December 20, 2003 7:07 AM
Subject: [IMail Forum] 8.05- Declude not seen..


Hi;
I think the problem still exists..
The following is the header for an email that I received with no Declude
header.
==
Received: from adsl-68-76-191-150.dsl.akrnoh.ameritech.net [68.76.191.150]
by clickandpledge.com
  (SMTPD32-8.05) id A69515F0046; Sat, 20 Dec 2003 07:54:45 -0500
Received: from [236.246.27.25] by
adsl-68-76-191-150.dsl.akrnoh.ameritech.net with ESMTP id 34330738; Sun, 21
Dec 2003 08:51:50 +0600
Message-ID: <[EMAIL PROTECTED]>
From: "Albert Estrada" <[EMAIL PROTECTED]>
Reply-To: "Albert Estrada" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: your vacation
k qnkgtyhxvodlqbi
Date: Sun, 21 Dec 03 08:51:50 GMT
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="_25AA.AC__.0"
X-Priority: 3
X-MSMail-Priority: Normal
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 362538172
==
So the line about 3rd party software having issues is still un-resolved.
Regards,
Kami



RE: [Declude.JunkMail] [IMail Forum] 8.05- Declude not seen..

2003-12-20 Thread Kami Razvan



Hi Bill:

IMail Log file:

20031220 075444 127.0.0.1   SMTPD (015F0046) [12.5.20.81] connect 68.76.191.150 port 3309
20031220 075444 127.0.0.1   SMTPD (015F0046) [68.76.191.150] HELO adsl-68-76-191-150.dsl.akrnoh.ameritech.net
20031220 075445 127.0.0.1   SMTPD (015F0046) [68.76.191.150] MAIL FROM: <[EMAIL PROTECTED]>
20031220 075445 127.0.0.1   SMTPD (015F0046) [68.76.191.150] RCPT TO: <[EMAIL PROTECTED]>
20031220 075445 127.0.0.1   SMTPD (015F0046) [68.76.191.150] S:\\D4695015f0046b39b.SMD 2733
20031220 075446 127.0.0.1   SMTPD (015F0046) performing antispam checks

I don't see any entries in the Declude regarding this email.

I searched for: 15F0046 as well as looked at the Declude log file for that
time period and nothing is there.

I might be blind.. I sent the log files to Scott and we soon will find out..

Kami

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Saturday, December 20, 2003 12:58 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] [IMail Forum] 8.05- Declude not seen..

Kami, I also periodically see messages without any Declude headers, however
I find that the messages were processed by Declude because all of the normal
log entries appear in the log file for the messages.  I reported seeing this
several months ago, but the explanation from Scott was "My guess is that
there is something incorrect with the original E-mail (perhaps using a CR to
end a line rather than CRLF)."

Check your logs to see if these messages are actually getting processed or
not.  I suspect that they are being processed by Declude and that for some
reason Declude cannot place its headers in the message.

Bill
- Original Message -
From: Kami Razvan
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Saturday, December 20, 2003 7:07 AM
Subject: [IMail Forum] 8.05- Declude not seen..

Hi;
I think the problem still exists..
The following is the header for an email that I received with no Declude
header.
==
Received: from adsl-68-76-191-150.dsl.akrnoh.ameritech.net [68.76.191.150]
by clickandpledge.com
  (SMTPD32-8.05) id A69515F0046; Sat, 20 Dec 2003 07:54:45 -0500
Received: from [236.246.27.25] by
adsl-68-76-191-150.dsl.akrnoh.ameritech.net with ESMTP id 34330738; Sun, 21
Dec 2003 08:51:50 +0600
Message-ID: <[EMAIL PROTECTED]>
From: "Albert Estrada" <[EMAIL PROTECTED]>
Reply-To: "Albert Estrada" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: your vacation
k qnkgtyhxvodlqbi
Date: Sun, 21 Dec 03 08:51:50 GMT
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="_25AA.AC__.0"
X-Priority: 3
X-MSMail-Priority: Normal
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 362538172
==
So the line about 3rd party software having issues is still un-resolved.
Regards,
Kami
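
The manual check described in the message above (take the session ID from the IMail SMTPD log and search the Declude log for it) can be scripted. This is an added example, not part of the original message and not IMail or Declude code. The IMail lines are the ones quoted above plus one constructed session; the Declude log format does not appear on this page, so the Declude line is constructed and the match is a plain case-insensitive substring search, as in the message.

```python
import re

# IMail SMTPD lines quoted in the message above (archive line wraps kept),
# plus one CONSTRUCTED session (0AB30047) so the scanned case is shown too.
IMAIL_LOG = r"""
20031220 075444 127.0.0.1   SMTPD (015F0046) [12.5.20.81] connect
68.76.191.150 port 3309
20031220 075444 127.0.0.1   SMTPD (015F0046) [68.76.191.150] HELO
adsl-68-76-191-150.dsl.akrnoh.ameritech.net
20031220 075445 127.0.0.1   SMTPD (015F0046) [68.76.191.150]
S:\\D4695015f0046b39b.SMD 2733
20031220 075446 127.0.0.1   SMTPD (015F0046) performing antispam checks
20031220 075450 127.0.0.1   SMTPD (0AB30047) [192.0.2.10] HELO mail.example.net
20031220 075451 127.0.0.1   SMTPD (0AB30047) [192.0.2.10]
S:\\D46960ab30047c11d.SMD 1840
"""

# CONSTRUCTED Declude log line; the real layout is an assumption.
DECLUDE_LOG = """
12/20/2003 07:54:52 Q46960ab30047c11d Tests failed [weight=12]: REVDNS HELOBOGUS
"""

STAMP_RE = re.compile(r"^\d{8} \d{6} ")
ENTRY_RE = re.compile(r"^(\d{8}) (\d{6}) (\S+)\s+(\w+) \(([0-9A-Fa-f]{8})\) (.*)$")
SPOOL_RE = re.compile(r"(\S+\.SMD) (\d+)$", re.IGNORECASE)


def rejoin(log_text):
    """Glue wrapped continuation lines back onto their timestamped entry."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if STAMP_RE.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries


def received_sessions(imail_log):
    """Map SMTPD session ID -> first timestamp, spool file and size (if any)."""
    sessions = {}
    for entry in rejoin(imail_log):
        m = ENTRY_RE.match(entry)
        if not m or m.group(4) != "SMTPD":
            continue
        date, time, _host, _svc, sid, rest = m.groups()
        sid = sid.upper()
        s = sessions.setdefault(
            sid, {"id": sid, "first_seen": f"{date} {time}", "spool": None, "size": None}
        )
        spool = SPOOL_RE.search(rest)
        if spool:
            s["spool"], s["size"] = spool.group(1), int(spool.group(2))
    return sessions


def unscanned(imail_log, declude_log):
    """Sessions that wrote a spool file but never show up in the Declude log."""
    haystack = declude_log.lower()
    missing = []
    for s in received_sessions(imail_log).values():
        if s["spool"] is None:
            continue  # connection never produced a message
        # Search without leading zeros, as the message does ("15F0046").
        key = s["id"].lstrip("0").lower() or s["id"].lower()
        if key not in haystack:
            missing.append(s)
    return missing


if __name__ == "__main__":
    for s in unscanned(IMAIL_LOG, DECLUDE_LOG):
        print(f'{s["first_seen"]} session {s["id"]} spool {s["spool"]} not in Declude log')
```

A session that does appear in the Declude log but whose delivered message still lacks the headers is the other case raised in this thread, so the two outcomes are worth counting separately.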


Re: [Declude.JunkMail] [IMail Forum] 8.05- Declude not seen..

2003-12-20 Thread Bill Landry



Kami, I also periodically see messages without any Declude headers, however
I find that the messages were processed by Declude because all of the normal
log entries appear in the log file for the messages.  I reported seeing this
several months ago, but the explanation from Scott was "My guess is that
there is something incorrect with the original E-mail (perhaps using a CR to
end a line rather than CRLF)."

Check your logs to see if these messages are actually getting processed or
not.  I suspect that they are being processed by Declude and that for some
reason Declude cannot place its headers in the message.

Bill
- Original Message -
From: Kami Razvan
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Saturday, December 20, 2003 7:07 AM
Subject: [IMail Forum] 8.05- Declude not seen..

Hi;
I think the problem still exists..
The following is the header for an email that I received with no Declude
header.
==
Received: from adsl-68-76-191-150.dsl.akrnoh.ameritech.net [68.76.191.150]
by clickandpledge.com
  (SMTPD32-8.05) id A69515F0046; Sat, 20 Dec 2003 07:54:45 -0500
Received: from [236.246.27.25] by
adsl-68-76-191-150.dsl.akrnoh.ameritech.net with ESMTP id 34330738; Sun, 21
Dec 2003 08:51:50 +0600
Message-ID: <[EMAIL PROTECTED]>
From: "Albert Estrada" <[EMAIL PROTECTED]>
Reply-To: "Albert Estrada" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: your vacation
k qnkgtyhxvodlqbi
Date: Sun, 21 Dec 03 08:51:50 GMT
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="_25AA.AC__.0"
X-Priority: 3
X-MSMail-Priority: Normal
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 362538172
==
So the line about 3rd party software having issues is still un-resolved.
Regards,
Kami


RE: [Declude.JunkMail] 8.05- Declude not seen..

2003-12-20 Thread Linette Casey
We have seen it with Imail 7.07 infrequently (no Declude headers and "Could
not lock" in the log).  We process a low mail volume on this server.  


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Keith Anderson
Sent: Saturday, December 20, 2003 9:35 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] 8.05- Declude not seen..



This has never happened while running Imail 7.07, which is the version that
has proven to be stable here.  I see little motivation to upgrade to
anything beyond 7.07

-Original Message-
From: Kami Razvan [mailto:[EMAIL PROTECTED]

Hi;
I think the problem still exists..
The following is the header for an email that I received with no Declude
header.




RE: [Declude.JunkMail] 8.05- Declude not seen..

2003-12-20 Thread John Tolmachoff \(Lists\)
Could this have been in HOLD1 by Hijack?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan
Sent: Saturday, December 20, 2003 7:08 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] 8.05- Declude not seen..

Hi;
I think the problem still exists..
The following is the header for an email that I received with no Declude header.
==
Received: from adsl-68-76-191-150.dsl.akrnoh.ameritech.net [68.76.191.150]
by clickandpledge.com
  (SMTPD32-8.05) id A69515F0046; Sat, 20 Dec 2003 07:54:45 -0500
Received: from [236.246.27.25] by
adsl-68-76-191-150.dsl.akrnoh.ameritech.net with ESMTP id 34330738; Sun, 21
Dec 2003 08:51:50 +0600
Message-ID: <[EMAIL PROTECTED]>
From: "Albert Estrada" <[EMAIL PROTECTED]>
Reply-To: "Albert Estrada" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: your vacation
k qnkgtyhxvodlqbi
Date: Sun, 21 Dec 03 08:51:50 GMT
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="_25AA.AC__.0"
X-Priority: 3
X-MSMail-Priority: Normal
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 362538172
==
So the line about 3rd party software having issues is still un-resolved.
Regards,
Kami


RE: [Declude.JunkMail] Messages not scanned before shutdown...possible solution

2003-12-20 Thread John Tolmachoff \(Lists\)
It has been stated by Scott and others that it is best to stop all Imail
services then shutdown. That is the procedure I now use.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> [EMAIL PROTECTED] On Behalf Of Matthew Bramble
> Sent: Saturday, December 20, 2003 6:48 AM
> To: [EMAIL PROTECTED]
> Subject: [Declude.JunkMail] Messages not scanned before
> shutdown...possible solution
> 
> I was worried when I saw another message come through last night without
> Declude headers in it considering that the queue issue has only been
> fixed in IMail 8.05 and not 7.15H3 which is what I'm using (and I don't
> yet care to upgrade, though I'm starting to get tempted with that fix).
> 
> What happened this time is when my server was in the process of a
> shutdown, and the message that got through had the same exact time stamp
> on it as Event Viewer logged itself being stopped, and 4 seconds before
> the last IMail log entry.  I'm assuming that as a part of shutdown,
> IMail must have executed some process that pushed this stuff out, or
> maybe it never got pushed to Declude and sat in the queue until after
> the server came back up, effectively bypassing Declude.  This is a
> little worrisome considering that there were two other messages received
> in the few seconds after that one was passed, and I only get about 5,000
> a day.  I'm thinking that maybe this needs to be corrected in IMail
> similar to the queue processing behavior.  While I'm still under the
> belief that the queue processing problem should only be seen about once
> a year on average, my server gets rebooted far more frequently than
> that.  I wonder if shutting down IMail before a reboot would resolve
> this issue?  A snippet of the log is below.
> 
> I'm also wondering if maybe I could set something fancy up with IMail
> rules to check for the Declude headers and reprocess the message if
> missing.  I have a feeling that I would need to create a program alias
> to handle something like this, and then redirect it through something
> like MS SMTP with IPBYPASS on for both server addresses?  Or maybe I
> could just call SMTP32.exe or Declude.exe directly from the program
> alias (which gets passed a file name of the received E-mail, though I
> don't know that it's ready to be sent in a single file format.  Anyone
> have any thoughts on this?  This would probably be a good tool for all
> IMail users regardless of the version so that such issues are stopped,
> and it would resolve the queue issue on v7 despite no patch being
> available.
> 
> Matt
> 
> 
> 20031220 044132 127.0.0.1   SMTPD (000A0016) [66.183.6.10] HELO
> d66-183-6-10.bchsia.telus.net  <-- This is the one that got through if
> not others.
> 20031220 044133 127.0.0.1   SMTPD (000A0016) [66.183.6.10] MAIL
> FROM: <[EMAIL PROTECTED]>
> 20031220 044133 127.0.0.1   SMTPD (033B01CA) [67.161.143.190] HELO
> c-67-161-143-190.client.comcast.net
> 20031220 044133 127.0.0.1   SMTPD (033B01CA) [67.161.143.190] MAIL
> FROM: <[EMAIL PROTECTED]>
> 20031220 044133 127.0.0.1   SMTPD (000A0016) [66.183.6.10] RCPT TO:
> <[EMAIL PROTECTED]>
> 20031220 044134 127.0.0.1   SMTPD (033B01CA) [67.161.143.190] RCPT
> TO: <[EMAIL PROTECTED]>
> 20031220 044135 127.0.0.1   SMTP (3316) processing
> E:\spool\Q1936000600161a3b.SMD
> 20031220 044135 127.0.0.1   SMTP (3316) ldeliver **.com
> bpettit-main (1)
> [EMAIL PROTECTED]
> 40545
> 20031220 044135 127.0.0.1   SMTP (3316) finished
> E:\spool\Q1936000600161a3b.SMD status=1
> 20031220 044135 127.0.0.1   SMTPD (033B01CA) [67.161.143.190]
> E:\spool\D194d033b01ca7490.SMD 1805
> 20031220 044136 127.0.0.1   SMTPD (000A0016) [66.183.6.10]
> E:\spool\D194d000a00167396.SMD 1577
> 20031220 044136 127.0.0.1   SMTPD (0002008C) [208.7.179.59] connect
> 204.127.131.126 port 63674
> 20031220 044136 127.0.0.1   SMTPD (0002008C) [204.127.131.126] EHLO
> mtiwgwc16.worldnet.att.net
> 20031220 044136 127.0.0.1   SMTPD (0002008C) [204.127.131.126] MAIL
> FROM:<[EMAIL PROTECTED]>
> 20031220 044136 127.0.0.1   SMTPD (0002008C) [204.127.131.126] RCPT
> TO:<[EMAIL PROTECTED]>
> 20031220 044137 127.0.0.1   SMTPD (0002008C) [204.127.131.126]
> E:\spool\D1952008c81b0.SMD 3383
> SYSLOGD 7.15, Copyright C 1994-2001, Ipswitch, Inc.
> 20031220 044427 0.0.0.0:514 Server ready for action
> 
> 

Re: [Declude.JunkMail] [IMail Forum] 8.05- Declude not seen..

2003-12-20 Thread R. Scott Perry

I think the problem still exists..

The following is the header for an email that I received with no Declude 
header.
What are the Declude and IMail log file entries for this E-mail?

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.



Re: [Declude.JunkMail] Windows Server 2003

2003-12-20 Thread Steve :-)
Hi all
We run Imail on 2k3 with no problems at all. We do not run DNS on it 
2k3, we have a linux server that is just for imail/declude to use.
It seems to run smooth. We process around 100,000 pieces of mail a day.
Steve

DLAnalyzer Support wrote:

John,
I remember you did a survey awhile back on problems with Imail/etc.  
Were the results of that ever posted?
Darrell

Check Out DLAnalyzer a comprehensive reporting tool for
Declude Junkmail Logs - http://www.dlanalyzer.com

John Tolmachoff (Lists) writes:

For the majority, W2K3 is the way to go if you are able to. Ipswitch 
does
support running Imail on W2K3.
There are some possible issues.
1. Running MS DSN service on W2K3 WITH Imail Anti-Spam DNS tests is a
problem.
2. Some issues have been reported on the Imail list when the server
processes a high volume of messages per day. Nothing seems to be 
conclusive
as far as I know to date, and from the posts, I have not seen a definite
pattern.
John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of Jonathan
Sent: Thursday, December 18, 2003 10:44 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Windows Server 2003
So I haven't heard anything else back on this .. are you guys all 
staying
away from Windows 2003 and Imail? I'm having a hard time trying to 
justify
the risk of running new servers on 2k3 when 2k works just fine .. 
but then
again, 2k3 seems more stable over time  but not if Imail doesn't
support it well yet.
g
Thoughts?
Jonathan
At 05:04 PM 12/4/2003, you wrote:
>The issues seem to appear at high volumes.
>
>Besides, I am more than willing to use those licenses for you. ;)
>
>John Tolmachoff
>Engineer/Consultant/Owner
>eServices For You
>
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> > [EMAIL PROTECTED] On Behalf Of Jonathan
> > Sent: Thursday, December 04, 2003 2:43 PM
> > To: [EMAIL PROTECTED]
> > Subject: [Declude.JunkMail] Windows Server 2003
> >
> > So, what's the scoop with current Imail 8, declude, sniffer, etc on
> > Windows
> > 2003 Server? We're thinking about moving it to some new iron
internally,
> > and Ive got some 2k3 licenses just burning a hole in my pocket. :)
> >
> > I heard some stability issues, saw some imail patches/etc .. things
stable
> > (and *robust*) now? Relatively high volumes of email ..
> >
> > Jonathan
> >


RE: [Declude.JunkMail] 8.05- Declude not seen..

2003-12-20 Thread Keith Anderson

This has never happened while running Imail 7.07, which is the version that
has proven to be stable here.  I see little motivation to upgrade to
anything beyond 7.07

-Original Message-
From: Kami Razvan [mailto:[EMAIL PROTECTED]

Hi;
I think the problem still exists..
The following is the header for an email that I received with no Declude
header.




[Declude.JunkMail] 8.05- Declude not seen..

2003-12-20 Thread Kami Razvan
Hi;

I think the problem still exists..

The following is the header for an email that I received with no Declude header.

==
Received: from adsl-68-76-191-150.dsl.akrnoh.ameritech.net [68.76.191.150] by clickandpledge.com
  (SMTPD32-8.05) id A69515F0046; Sat, 20 Dec 2003 07:54:45 -0500
Received: from [236.246.27.25] by adsl-68-76-191-150.dsl.akrnoh.ameritech.net with ESMTP id 34330738; Sun, 21 Dec 2003 08:51:50 +0600
Message-ID: <[EMAIL PROTECTED]>
From: "Albert Estrada" <[EMAIL PROTECTED]>
Reply-To: "Albert Estrada" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: your vacation k qnkgtyhxvodlqbi
Date: Sun, 21 Dec 03 08:51:50 GMT
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="_25AA.AC__.0"
X-Priority: 3
X-MSMail-Priority: Normal
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 362538172
==

So the line about 3rd party software having issues is still un-resolved.

Regards,
Kami





[Declude.JunkMail] Messages not scanned before shutdown...possible solution

2003-12-20 Thread Matthew Bramble
I was worried when I saw another message come through last night without 
Declude headers in it considering that the queue issue has only been 
fixed in IMail 8.05 and not 7.15H3 which is what I'm using (and I don't 
yet care to upgrade, though I'm starting to get tempted with that fix).

What happened this time is when my server was in the process of a 
shutdown, and the message that got through had the same exact time stamp 
on it as Event Viewer logged itself being stopped, and 4 seconds before 
the last IMail log entry.  I'm assuming that as a part of shutdown, 
IMail must have executed some process that pushed this stuff out, or 
maybe it never got pushed to Declude and sat in the queue until after 
the server came back up, effectively bypassing Declude.  This is a 
little worrisome considering that there were two other messages received 
in the few seconds after that one was passed, and I only get about 5,000 
a day.  I'm thinking that maybe this needs to be corrected in IMail 
similar to the queue processing behavior.  While I'm still under the 
belief that the queue processing problem should only be seen about once 
a year on average, my server gets rebooted far more frequently than 
that.  I wonder if shutting down IMail before a reboot would resolve 
this issue?  A snippet of the log is below.

I'm also wondering if maybe I could set something fancy up with IMail 
rules to check for the Declude headers and reprocess the message if 
missing.  I have a feeling that I would need to create a program alias 
to handle something like this, and then redirect it through something 
like MS SMTP with IPBYPASS on for both server addresses?  Or maybe I 
could just call SMTP32.exe or Declude.exe directly from the program 
alias (which gets passed a file name of the received E-mail, though I 
don't know that it's ready to be sent in a single file format.  Anyone 
have any thoughts on this?  This would probably be a good tool for all 
IMail users regardless of the version so that such issues are stopped, 
and it would resolve the queue issue on v7 despite no patch being available.

Matt

20031220 044132 127.0.0.1   SMTPD (000A0016) [66.183.6.10] HELO 
d66-183-6-10.bchsia.telus.net  <-- This is the one that got through if 
not others.
20031220 044133 127.0.0.1   SMTPD (000A0016) [66.183.6.10] MAIL 
FROM: <[EMAIL PROTECTED]>
20031220 044133 127.0.0.1   SMTPD (033B01CA) [67.161.143.190] HELO 
c-67-161-143-190.client.comcast.net
20031220 044133 127.0.0.1   SMTPD (033B01CA) [67.161.143.190] MAIL 
FROM: <[EMAIL PROTECTED]>
20031220 044133 127.0.0.1   SMTPD (000A0016) [66.183.6.10] RCPT TO: 
<[EMAIL PROTECTED]>
20031220 044134 127.0.0.1   SMTPD (033B01CA) [67.161.143.190] RCPT 
TO: <[EMAIL PROTECTED]>
20031220 044135 127.0.0.1   SMTP (3316) processing 
E:\spool\Q1936000600161a3b.SMD
20031220 044135 127.0.0.1   SMTP (3316) ldeliver **.com 
bpettit-main (1) 
[EMAIL PROTECTED] 
40545
20031220 044135 127.0.0.1   SMTP (3316) finished 
E:\spool\Q1936000600161a3b.SMD status=1
20031220 044135 127.0.0.1   SMTPD (033B01CA) [67.161.143.190] 
E:\spool\D194d033b01ca7490.SMD 1805
20031220 044136 127.0.0.1   SMTPD (000A0016) [66.183.6.10] 
E:\spool\D194d000a00167396.SMD 1577
20031220 044136 127.0.0.1   SMTPD (0002008C) [208.7.179.59] connect 
204.127.131.126 port 63674
20031220 044136 127.0.0.1   SMTPD (0002008C) [204.127.131.126] EHLO 
mtiwgwc16.worldnet.att.net
20031220 044136 127.0.0.1   SMTPD (0002008C) [204.127.131.126] MAIL 
FROM:<[EMAIL PROTECTED]>
20031220 044136 127.0.0.1   SMTPD (0002008C) [204.127.131.126] RCPT 
TO:<[EMAIL PROTECTED]>
20031220 044137 127.0.0.1   SMTPD (0002008C) [204.127.131.126] 
E:\spool\D1952008c81b0.SMD 3383
SYSLOGD 7.15, Copyright © 1994-2001, Ipswitch, Inc.
20031220 044427 0.0.0.0:514 Server ready for action

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


Re: [Declude.JunkMail] OT: DNS Issue (HELP)

2003-12-20 Thread Darrell LaRock
Matt,

I think you are right.  My guess is that for some reason they dropped the domain out 
of the root servers for a period of time and the major ISPs grabbed the worldnic 
servers as being authoritative.

Not much we can do, other than wait...

Darrell
-- Original Message --
From: Matthew Bramble <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date:  Sat, 20 Dec 2003 00:02:14 -0500

>Darrell,
>
>It looks like your name server records were maybe munged for a period of 
>time from a root update that is now fixed.  Those munged records though 
>are being cached and they should get a good copy once they expire.  This 
>might explain why all of us seem to be able to resolve your domain, 
>being that we aren't likely to have it cached being smaller providers, 
>however the larger providers seem to have bad records for it because 
>they hit your domain while the data was bad.  Just guessing of course.
>
>If you have some local ISP's which are likely to have cached an earlier 
>copy of the records, try querying their servers to see what it returns.  
>I suspect that they will have a bad copy also, at least for a short 
>period of time.  I don't believe there is anything you can do about this 
>if I am correct.
>
>Matt
>
>
>
>Darrell LaRock wrote:
>
>>Scott,
>>
>>On the DNSSTUFF, I used the cached ISP report looking at the NS record.  What does 
>>it mean when an ISP has the name server set to ns92.worldnic.com?  Does this mean at 
>>one time when the domain was looked up it was not resolved from the root servers?
>>
>>AT&T Worldnet #1  NS=ns1.infi.net. [TTL=1d 9h 38m 50s]  NS=ns2.infi.net. [TTL=1d 9h 38m 50s]
>>AT&T Worldnet #2  NS=ns1.infi.net. [TTL=1d 4h 18m 50s]  NS=ns2.infi.net. [TTL=1d 4h 18m 50s]
>>AT&T Worldnet #1  NS=ns1.infi.net. [TTL=1d 2h 53m 53s]  NS=ns2.infi.net. [TTL=1d 2h 53m 53s]
>>AT&T Worldnet #2  NS=ns91.worldnic.com. [TTL=10h 45m 11s]  NS=ns92.worldnic.com. [TTL=10h 45m 11s]
>>
>>Taking wild stabs in the dark :)
>>Darrell
>>
>>-- Original Message --
>>From: "R. Scott Perry" <[EMAIL PROTECTED]>
>>Reply-To: [EMAIL PROTECTED]
>>Date:  Fri, 19 Dec 2003 22:56:28 -0500
>>
>>
>>>>However, something is seriously wrong as the major ISP's can't resolve it 
>>>>(Earthlink, Charter, Some AOL Users, Road Runner).  This occurred right 
>>>>after the whois info was updated to the new authoritative servers.
>>>
>>>That's probably the problem.
>>>
>>>Once the first .com parent server gets the new NS records, it takes up to 
>>>about 6 hours for all the other .com parent servers to get updated, and 
>>>another 48 hours before TTL values expire on DNS servers throughout the 
>>>world.  Earthlink, Charter, and some other larger ISPs almost certainly 
>>>have the old values cached, which will take up to 48 hours to expire after 
>>>the change.  During that time, they will be using the old NS records.
>>>
>>>   -Scott
>>>
>>>


Re: [Declude.JunkMail] OT: DNS Issue (HELP)

2003-12-20 Thread R. Scott Perry

> Check this out
> 1.) Do a direct query against ns1.loudcloud.com for wltx.com - Returns 
> 66.54.32.202.
>
> 2.) Do a direct query against ns1.infi.net for wltx.com - Returns 
> 66.54.32.202.
>
> 3.) Do a direct query against ns1.mindspring.net or ns2. or ns3 and the 
> query will in general 9 out of 10 times timeout.  We can also duplicate 
> this behavior on Charter and Road Runner.
>
> I can't even come up with a possible explanation...  The zone files are 
> the same

That is odd.  At first I thought that it was just a generic problem with 
their DNS servers, but they handle declude.com fine.

Note that they are reporting a SERVER FAILURE response, which technically 
should only happen if their DNS servers fail for some reason.  However, 
there are cases where BIND will return the SERVER FAILURE if it gets that 
message from the remote DNS server -- which could in theory have caused the 
problem.  They may have 10 DNS servers at each IP, 9 of which have a cached 
SERVER FAILURE response, and 1 does not.  Unfortunately, this bit of 
information doesn't offer a solution.

> On the DNSSTUFF, I used the cached ISP report looking at the NS record.  What
> does it mean when an ISP has the name server set to ns92.worldnic.com?  Does
> this mean at one time when the domain was looked up it was not resolved from
> the root servers?
>
> AT&T Worldnet #1  NS=ns1.infi.net. [TTL=1d 9h 38m 50s]  NS=ns2.infi.net. [TTL=1d 9h 38m 50s]
> AT&T Worldnet #2  NS=ns1.infi.net. [TTL=1d 4h 18m 50s]  NS=ns2.infi.net. [TTL=1d 4h 18m 50s]
> AT&T Worldnet #1  NS=ns1.infi.net. [TTL=1d 2h 53m 53s]  NS=ns2.infi.net. [TTL=1d 2h 53m 53s]
> AT&T Worldnet #2  NS=ns91.worldnic.com. [TTL=10h 45m 11s]  NS=ns92.worldnic.com. [TTL=10h 45m 11s]

It means that one of AT&T's DNS servers thinks that ns91.worldnic.com and 
ns92.worldnic.com are your DNS servers.  If their servers are working 
properly, it means that about 38 hours earlier (the 48 hour TTL for .com NS 
records minus the 10+ hours left on their TTL) they connected to the .com 
parent servers and were told that ns91.worldnic.com and ns92.worldnic.com 
are the NS records for wltx.com.

If you read Matt's response, I think he figured it out -- his explanation 
(corrupt information at the .com parent servers) sounds like it would fit 
what happened.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.

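
The TTL arithmetic in the reply above (full TTL minus remaining TTL gives how long ago a cache was filled), as an added example that is not part of the original thread. It assumes the 48-hour .com NS TTL stated in the message and treats the infi.net pair as the delegation the domain should have; the report rows are reconstructed from the quoted text.

```python
import re
from datetime import timedelta

# Constructed input: the four cached-NS rows quoted in the thread, one per line.
REPORT = """\
AT&T Worldnet #1  NS=ns1.infi.net. [TTL=1d 9h 38m 50s]  NS=ns2.infi.net. [TTL=1d 9h 38m 50s]
AT&T Worldnet #2  NS=ns1.infi.net. [TTL=1d 4h 18m 50s]  NS=ns2.infi.net. [TTL=1d 4h 18m 50s]
AT&T Worldnet #1  NS=ns1.infi.net. [TTL=1d 2h 53m 53s]  NS=ns2.infi.net. [TTL=1d 2h 53m 53s]
AT&T Worldnet #2  NS=ns91.worldnic.com. [TTL=10h 45m 11s]  NS=ns92.worldnic.com. [TTL=10h 45m 11s]
"""

FULL_TTL = timedelta(hours=48)  # TTL the message gives for .com NS records
# Assumption: the infi.net pair is the delegation the domain should have.
EXPECTED_NS = frozenset({"ns1.infi.net", "ns2.infi.net"})

NS_RE = re.compile(r"NS=(\S+?)\.?\s*\[TTL=([^\]]+)\]")
UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_ttl(text):
    """Turn '1d 9h 38m 50s' into a timedelta; reject anything else."""
    parts = re.findall(r"(\d+)([dhms])", text)
    if not parts or "".join(n + u for n, u in parts) != text.replace(" ", ""):
        raise ValueError(f"unrecognised TTL: {text!r}")
    return timedelta(seconds=sum(int(n) * UNIT_SECONDS[u] for n, u in parts))


def parse_report(report):
    """Yield (resolver label, {nameserver: remaining TTL}) per report row."""
    for line in report.splitlines():
        records = NS_RE.findall(line)
        if not records:
            continue
        label = line[: line.index("NS=")].strip()
        yield label, {ns.lower(): parse_ttl(ttl) for ns, ttl in records}


def audit(report, expected=EXPECTED_NS, full_ttl=FULL_TTL):
    """For each cache: how long ago it was filled, and whether it is stale."""
    rows = []
    for label, records in parse_report(report):
        remaining = min(records.values())
        if remaining > full_ttl:
            raise ValueError(f"{label}: TTL exceeds the assumed full TTL")
        rows.append({
            "resolver": label,
            "nameservers": sorted(records),
            "cached_ago": full_ttl - remaining,
            "expires_in": remaining,
            "stale": set(records) != set(expected),
        })
    return rows


if __name__ == "__main__":
    for row in audit(REPORT):
        state = "STALE" if row["stale"] else "ok"
        print(f'{row["resolver"]:<18} {state:<5} cached {row["cached_ago"]} ago, '
              f'expires in {row["expires_in"]}  {", ".join(row["nameservers"])}')
```

The worldnic row comes out as cached a little over 37 hours before the report, which is the "about 38 hours earlier" figure in the message, and it is the only row flagged stale.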


Re: [Declude.JunkMail] FOOTER action

2003-12-20 Thread R. Scott Perry

> I assume the FOOTER action only works for the "plain-text" version of an 
> email?  Since most SPAM is using HTML, the footer will never be visible to 
> the viewer?

That is up to your mail client.  Unfortunately, most mail clients will not 
display a header or footer in a MIME-encoded E-mail, so with most mail 
clients, the header/footer is not visible in MIME-encoded E-mail (such as 
HTML E-mail).

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.



[Declude.JunkMail] Christmas Card- redirects..

2003-12-20 Thread Kami Razvan
Hi;


Quite interesting indeed.


We have caught several spam appearing as Christmas cards - click here to view your card.. Then the link goes to some gambling or porn site.

The trick I guess is if we hold and review the email before releasing it - we may think it is a legitimate card.


Regards,

Kami


Example:




Date: Fri, 19 Dec 2003 16:35:57 +1600
From: [EMAIL PROTECTED]
Subject: [43~]Adv:You Received Virtual X-mas Card
To: ***
Precedence: list
UID: QkFSQkBTSUxWRVItQ09NLkNPTQ==
Message-Id: <[EMAIL PROTECTED]>
X-IMAIL-SPAM-DNSBL: (SPAMCOP,37355852,127.0.0.2)
X-RBL-Warning: HEUR: Heuristic spam detection level 9 [0.999897]
X-RBL-Warning: IP-BLACKLIST: 
X-RBL-Warning: FILTER-HEADER-XMAIL: Message failed FILTER-HEADER-XMAIL test (line 36, weight 18)
X-RBL-Warning: FILTER-BODY-GIBBERISH: Message failed FILTER-BODY-GIBBERISH test (line 84, weight 10)
X-RBL-Warning: FILTER-SUBJECT: Message failed FILTER-SUBJECT test (line 31, weight 10)
X-Declude-Sender: [EMAIL PROTECTED] [66.154.111.2]
X-Declude-Spoolname: D9b0d023a014cad0e.SMD


Hello,

You received a Christmas scratch card from Linda Nelson.
To see it, please click here
http://www.bestbonuses.net/webtracer/bin/redirect.pl?refer=1017&cd=bb&ec=QkFSQkBTSUxWRVItQ09NLkNPTQ==

Thank you!

Virtual Cards Service

Remove Instructions:

(c) 2003 Sonic Media, LLC, 211 South Street, #353, Philadelphia,
PA. 19147 Toll Free: 1-877-571-8411
You have received the Best Bonuses newsletter by subscribing
to our affiliate partners. If you wish to be removed from our database
please respond to this newsletter and type "REMOVE" in the subject line.

Please allow 48-72 hours for your request to be processed.
If you continue to receive our newsletter please contact our
abuse department at [EMAIL PROTECTED]






RE: [Declude.JunkMail] Windows Server 2003

2003-12-20 Thread John Tolmachoff \(Lists\)
IMHO, go with W2K3. There are some issues, but not widespread, and IMHO
may not be the fault of the OS.

I gave my opinion. You want to research more, read the Imail archives.

BTW, traffic size is not the most important factor. Number of messages is
what matters along with how users connect. 

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> [EMAIL PROTECTED] On Behalf Of Jonathan
> Sent: Friday, December 19, 2003 3:39 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.JunkMail] Windows Server 2003
> 
> That's kind of conflicting, isn't it? Saying it's the way to go, but then it
> has weird, unidentifiable problems with large volumes of mail. :)
> 
> I'm not sure how you define large volumes, the Imail server in question
> will move over 2Mbps sustained of mail at some points of the day. That's
> quite a bit, considering it's mostly text.
> 
> Is there a compelling reason to go with win2k3?
> 
> Jonathan
> 
> At 12:12 PM 12/19/2003, you wrote:
> >For the majority, W2K3 is the way to go if you are able to. Ipswitch does
> >support running Imail on W2K3.
> >
> >There are some possible issues.
> >
> >1. Running MS DSN service on W2K3 WITH Imail Anti-Spam DNS tests is a
> >problem.
> >
> >2. Some issues have been reported on the Imail list when the server
> >processes a high volume of messages per day. Nothing seems to be conclusive
> >as far as I know to date, and from the posts, I have not seen a definite
> >pattern.
> >
> >John Tolmachoff
> >Engineer/Consultant/Owner
> >eServices For You
> >
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> > > [EMAIL PROTECTED] On Behalf Of Jonathan
> > > Sent: Thursday, December 18, 2003 10:44 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [Declude.JunkMail] Windows Server 2003
> > >
> > > So I haven't heard anything else back on this .. are you guys all staying
> > > away from Windows 2003 and Imail? I'm having a hard time trying to justify
> > > the risk of running new servers on 2k3 when 2k works just fine .. but then
> > > again, 2k3 seems more stable over time  but not if Imail doesn't
> > > support it well yet.
> > >
> > > g
> > >
> > > Thoughts?
> > >
> > > Jonathan
> > >
> > > At 05:04 PM 12/4/2003, you wrote:
> > > >The issues seem to appear at high volumes.
> > > >
> > > >Besides, I am more than willing to use those licenses for you. ;)
> > > >
> > > >John Tolmachoff
> > > >Engineer/Consultant/Owner
> > > >eServices For You
> > > >
> > > >
> > > > > -Original Message-
> > > > > From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> > > > > [EMAIL PROTECTED] On Behalf Of Jonathan
> > > > > Sent: Thursday, December 04, 2003 2:43 PM
> > > > > To: [EMAIL PROTECTED]
> > > > > Subject: [Declude.JunkMail] Windows Server 2003
> > > > >
> > > > > So, what's the scoop with current Imail 8, declude, sniffer, etc on Windows
> > > > > 2003 Server? We're thinking about moving it to some new iron internally,
> > > > > and I've got some 2k3 licenses just burning a hole in my pocket. :)
> > > > >
> > > > > I heard some stability issues, saw some imail patches/etc .. things stable
> > > > > (and *robust*) now? Relatively high volumes of email ..
> > > > > Jonathan

RE: [Declude.JunkMail] Windows Server 2003

2003-12-20 Thread Jonathan
That's kind of conflicting, isn't it? Saying it's the way to go, but then it 
has weird, unidentifiable problems with large volumes of mail. :)

I'm not sure how you define large volumes, the Imail server in question 
will move over 2Mbps sustained of mail at some points of the day. That's 
quite a bit, considering it's mostly text.

Is there a compelling reason to go with win2k3?

Jonathan

At 12:12 PM 12/19/2003, you wrote:
>For the majority, W2K3 is the way to go if you are able to. Ipswitch does
>support running Imail on W2K3.
>
>There are some possible issues.
>
>1. Running MS DSN service on W2K3 WITH Imail Anti-Spam DNS tests is a
>problem.
>
>2. Some issues have been reported on the Imail list when the server
>processes a high volume of messages per day. Nothing seems to be conclusive
>as far as I know to date, and from the posts, I have not seen a definite
>pattern.
>
>John Tolmachoff
>Engineer/Consultant/Owner
>eServices For You
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> [EMAIL PROTECTED] On Behalf Of Jonathan
> Sent: Thursday, December 18, 2003 10:44 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.JunkMail] Windows Server 2003
>
> So I haven't heard anything else back on this .. are you guys all staying
> away from Windows 2003 and Imail? I'm having a hard time trying to justify
> the risk of running new servers on 2k3 when 2k works just fine .. but then
> again, 2k3 seems more stable over time  but not if Imail doesn't
> support it well yet.
>
> g
>
> Thoughts?
>
> Jonathan
>
> At 05:04 PM 12/4/2003, you wrote:
> >The issues seem to appear at high volumes.
> >
> >Besides, I am more than willing to use those licenses for you. ;)
> >
> >John Tolmachoff
> >Engineer/Consultant/Owner
> >eServices For You
> >
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> > > [EMAIL PROTECTED] On Behalf Of Jonathan
> > > Sent: Thursday, December 04, 2003 2:43 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: [Declude.JunkMail] Windows Server 2003
> > >
> > > > So, what's the scoop with current Imail 8, declude, sniffer, etc on Windows
> > > > 2003 Server? We're thinking about moving it to some new iron internally,
> > > > and I've got some 2k3 licenses just burning a hole in my pocket. :)
> > > >
> > > > I heard some stability issues, saw some imail patches/etc .. things stable
> > > > (and *robust*) now? Relatively high volumes of email ..
> > >
> > > Jonathan
> > >
> > > ---
> > > [This E-mail was scanned for viruses by Declude Virus
> > > (http://www.declude.com)]
> > >
> > > ---
> > > This E-mail came from the Declude.JunkMail mailing list.  To
> > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > > type "unsubscribe Declude.JunkMail".  The archives can be found
> > > at http://www.mail-archive.com.
> >
> >---
> >[This E-mail was scanned for viruses by Declude Virus
> >(http://www.declude.com)]
> >
> >---
> >This E-mail came from the Declude.JunkMail mailing list.  To
> >unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> >type "unsubscribe Declude.JunkMail".  The archives can be found
> >at http://www.mail-archive.com.
>
> ---
> [This E-mail was scanned for viruses by Declude Virus
> (http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.JunkMail mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail".  The archives can be found
> at http://www.mail-archive.com.
---
[This E-mail was scanned for viruses by Declude Virus 
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.