RE: [Declude.JunkMail] Block on HELO
-----Original Message-----
From: Kevin Bilbee [mailto:[EMAIL PROTECTED]
Sent: 17 March 2004 22:03
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Block on HELO

> Yes, it would do the trick. As long as they never travel, dial another ISP, and use your server.
>
> Kevin Bilbee

In that case they would AUTH. I just wanted to make sure that if the whitelist on my IP range didn't work - and it explicitly had to by Auth, then I'd have to get all my clients to re-config.

Email checked by UKsubnet anti-virus service
To prevent email abuse block spam contact [EMAIL PROTECTED]
Tel: +44(0)8712360301 Web: www.uksubnet.net Fax: +44(0)8712360300
Powered by UKsubnet Internet Service Provider Business to Business Internet (ISP)

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] OT: Windows 2000 Performance Monitor
Hi Matt,

As Darrell pointed out, short-lived processes are problematic to monitor as it's difficult to get a continuous aggregate read for a particular type of process.

If you're just looking for more general statistics on processor, IO, storage, RAM, etc. it works quite well to log it to a SQL Server for trending. We use the perfcheck.dll that came with either W2K Resource Kit or Support Tools and call it from a SQL job to loop through defined counters from one table every few minutes and store the sampled value in another. Currently we just clear it out when it gets too big, but have been considering aggregating to report tables for daily, weekly, and/or monthly usage trends.

You can go hog wild with these things, but we've found a few simple counters are enough and give us the necessary info to project hardware needs.

Darin.

----- Original Message -----
From: Matt [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, March 17, 2004 9:49 PM
Subject: [Declude.JunkMail] OT: Windows 2000 Performance Monitor

I've never bothered to run monitoring before, but I need to do so now so that I can make more informed decisions. Does anyone have a good config/setup that they want to share which is most effective at tracking usage primarily related to an IMail/Declude/Sniffer setup? Should I be storing this data in SQL Server? Etc.

Thanks,

Matt

--
= MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =
Re: [Declude.JunkMail] Fprot
Nope.

Darin.

----- Original Message -----
From: Doris Dean [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, March 17, 2004 4:58 PM
Subject: Re: [Declude.JunkMail] Fprot

I have been having this problem as well ... if I make the change do I have to reboot or stop and start anything ???

TIA

Doris

----- Original Message -----
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, March 15, 2004 1:22 PM
Subject: Re: [Declude.JunkMail] Fprot

> I get this error very frequently. Any Help on how to fix it. Fprot site had no information I could find. Running windows 2000 server
>
> Application popup: 16 bit MS-DOS Subsystem : C:\scanner\FSI\F-prot\F-Prot.exe X#=0D, CS=01CF IP=5703. The NTVDM CPU has encountered an unhandled exception. Choose 'Close' to terminate the application.

If you switch to fpcmd.exe (changing F-Prot.exe to fpcmd.exe in the SCANFILE line in your \IMail\Declude\virus.cfg file, and removing /NOFLOPPY from that line), it will take care of the problem.

F-Prot.exe is a 16-bit process, which needs to use NTVDM, whereas fpcmd.exe is a 32-bit process that doesn't require NTVDM. Plus, some servers have a hard time dealing with 16-bit processes, so the switch to fpcmd.exe may also show a noticeable performance improvement.

-Scott

---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.
[Declude.JunkMail] Hour Test
I am trying to test out the new HOUR test, I can't get it to work. Is this the correct format in my global.cfg:

HOUR hour 23 6 5 0

Will this tag everything between 11 PM and 6 AM with a weight of 5 correct? I am using Declude Junkmail Pro 1.78.

Thanks,

Kris

[AUTOMATED NOTE: Your mail server [65.66.8.3] is missing a reverse DNS entry. All Internet hosts are required to have a reverse DNS entry. The missing reverse DNS entry will cause your mail to be treated as spam on some servers, such as AOL.]
Re: [Declude.JunkMail] Hour Test
> I am trying to test out the new HOUR test, I can't get it to work. Is this the correct format in my global.cfg:
>
> HOUR hour 23 6 5 0
>
> Will this tag everything between 11 PM and 6 AM with a weight of 5 correct? I am using Declude Junkmail Pro 1.78.

I believe the problem is the overlap -- what you'll want to do is use two separate tests:

HOUR hour 23 23 5 0
HOUR hour 0 5 5 0

Those would catch anything between 11:00PM and 11:59PM, and anything from 12:00AM to 5:59AM.

-Scott

---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.
Re: [Declude.JunkMail] Subject Missing
I would doubt that it has anything to do with those filters specifically. Could be some really convoluted bug that gets started by the use of a filter and eventually shows up in a process that actually modifies headers, however I would doubt that.

Sounds like the headers are the actual problem. Fix the newsletter's headers and all should be fine. You shouldn't have lines in your headers consisting of only a space and a CRLF. This is definitely not compliant and it might even be something that Declude Virus will block.

Matt

Kevin Shimwell wrote:

> Junk Mail Group
>
> I have been testing a lot of scenarios try to get a handle on a problem where the subject line message just disappears from incoming mail when the message is created from a Cold Fusion online newsletter editor. Here is what I found out and how I fixed it.
>
> #GIBBERISH filter E:\IMail\Declude\Filters\Gibberish.txt x 6 0
> #ANTI-GIBBERISH filter E:\IMail\Declude\Filters\Anti-Gibberish.txt x -6 0
>
> With both of these filter in place there is a intermittent problem with subject summary missing and showing up in the body of the email. According to Imail tech support the reason for this is a space with return line in the header of the email. This put a space in the header above the subject. When occurs the email on delivery its shows the subject matter in the body of the email not the subject line.
>
> When I disable the filters it goes away.
>
> Any Ideas or input.
>
> Kevin Shimwell
> Link Brokers Group, LLC ( Support )
> 1600 Hwy 17 South
> North Myrtle Beach, SC 29582
> Phone: 843-663-1004
> Fax: 843-663-1007
> Email: [EMAIL PROTECTED]
> 24/7 Support http://www.linkbrokers.com/support_ticket.cfm
> Support M-F 1-888-546-5631
Re: [Declude.JunkMail] Subject Missing
> I have been testing a lot of scenarios try to get a handle on a problem where the subject line message just disappears from incoming mail when the message is created from a Cold Fusion online newsletter editor. Here is what I found out and how I fixed it.
>
> #GIBBERISH filter E:\IMail\Declude\Filters\Gibberish.txt x 6 0
> #ANTI-GIBBERISH filter E:\IMail\Declude\Filters\Anti-Gibberish.txt x -6 0
>
> With both of these filter in place there is a intermittent problem with subject summary missing and showing up in the body of the email.

What action are you using on those two tests? I'm guessing that you are using the WARN action with a custom header with no : in it. For example,

GIBBERISH WARN Warning- This E-mail failed the GIBBERISH test

could cause what you describe (since there is no : in the header that would be added).

-Scott
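The failure Scott describes, reproduced with Python's standard e-mail parser as an added example (not part of the original thread, and not Declude or IMail code): a line in the header block with no colon is not a header field, so the parser ends the headers there and the Subject line that follows lands in the body. The sample messages and the `lint_header_block` helper are constructed for illustration; the lint also flags the whitespace-only header line mentioned earlier in the thread.

```python
import email
import re

# RFC 5322 field name: printable ASCII except space and colon, then ":".
FIELD_RE = re.compile(r"^[\x21-\x39\x3b-\x7e]+:")

# Constructed sample: line 2 models a WARN text inserted without a colon.
BROKEN = (
    "From: newsletter@example.com\r\n"
    "Warning- This E-mail failed the GIBBERISH test\r\n"
    "Subject: March newsletter\r\n"
    "\r\n"
    "Hello subscribers.\r\n"
)
# Same message with the inserted text written as a well-formed header field
# (the X-Spam-Warning name is a placeholder chosen for this example).
FIXED = BROKEN.replace("Warning- This", "X-Spam-Warning: This")


def lint_header_block(raw):
    """Return (line_number, problem) for each malformed line before the blank separator."""
    problems = []
    seen_field = False
    for number, line in enumerate(raw.split("\r\n"), start=1):
        if line == "":
            break  # blank line: end of the header block
        if line[0] in " \t":
            if line.strip() == "":
                problems.append((number, "whitespace-only line"))
            elif not seen_field:
                problems.append((number, "continuation before any field"))
            continue  # otherwise a legitimate folded continuation line
        if FIELD_RE.match(line):
            seen_field = True
        else:
            problems.append((number, "no 'name:' prefix"))
    return problems


def subject_location(raw):
    """Parse with the stdlib parser and report where the Subject text ended up."""
    msg = email.message_from_string(raw)
    if msg["Subject"] is not None:
        return "header"
    if "Subject:" in msg.get_payload():
        return "body"
    return "missing"


if __name__ == "__main__":
    for name, raw in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint_header_block(raw), subject_location(raw))
```

Running a lint like this over a message as it leaves the filter shows whether an inserted warning line is what pushed the remaining headers into the body.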
Re: [Declude.JunkMail] JunkMail and Aliases
> Does JunkMail have difficulties performing actions against messages destined for aliases?

No.

> We seem to be experiencing a large amount of Junk getting through to users via Alias/list membership.

Note that if you are using per-domain or per-user settings, the address that the alias points to will be used to determine which config files to use. Also, you should make sure that the aliases do not just point to username, but instead have the actual address ([EMAIL PROTECTED]).

-Scott
RE: [Declude.JunkMail] Hour Test
Scott,

I saw your reply to Kris suggesting two tests. Mine is set up with one test...to subtract 1 for messages between 7 a.m. and 10:59 p.m., and add 6 for messages outside that time range.

HOUR hour 7 22 -1 6

Is this not also correct? It seems to be working.

Couldn't Kris use:

HOUR hour 6 22 0 5

Thanks,

Shayne

>> I am trying to test out the new HOUR test, I can't get it to work. Is this the correct format in my global.cfg:
>>
>> HOUR hour 23 6 5 0
>>
>> Will this tag everything between 11 PM and 6 AM with a weight of 5 correct? I am using Declude Junkmail Pro 1.78.
>
> I believe the problem is the overlap -- what you'll want to do is use two separate tests:
>
> HOUR hour 23 23 5 0
> HOUR hour 0 5 5 0
>
> Those would catch anything between 11:00PM and 11:59PM, and anything from 12:00AM to 5:59AM.
>
> -Scott
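An added sketch (not from the thread and not Declude's code) comparing the three HOUR configurations discussed above hour by hour. It assumes the four fields are start hour, end hour, weight when the hour is in range, and weight otherwise, as Shayne's description implies, and that the range is evaluated as start <= hour <= end; both are assumptions about behaviour the thread only hints at.

```python
from typing import NamedTuple


class HourTest(NamedTuple):
    start: int       # first hour of the range (0-23)
    end: int         # last hour of the range, inclusive (22 means through 22:59)
    in_weight: int   # weight added when the hour is inside the range
    out_weight: int  # weight added when it is outside


def naive_weight(test, hour):
    """Assumed evaluation: a plain start <= hour <= end comparison."""
    return test.in_weight if test.start <= hour <= test.end else test.out_weight


def wrapping_weight(test, hour):
    """Alternative evaluation that lets a range cross midnight."""
    if test.start <= test.end:
        inside = test.start <= hour <= test.end
    else:
        inside = hour >= test.start or hour <= test.end
    return test.in_weight if inside else test.out_weight


def profile(tests, scorer=naive_weight):
    """Total weight contributed by the given tests for each hour 0..23."""
    return [sum(scorer(t, hour) for t in tests) for hour in range(24)]


def weighted_hours(tests, scorer=naive_weight):
    """Hours of the day at which the tests add a non-zero weight."""
    return [hour for hour, w in enumerate(profile(tests, scorer)) if w]


# The three configurations from the thread.
KRIS = [HourTest(23, 6, 5, 0)]                           # single range across midnight
SCOTT = [HourTest(23, 23, 5, 0), HourTest(0, 5, 5, 0)]   # split at midnight
SHAYNE = [HourTest(6, 22, 0, 5)]                         # daytime range, weight on failure

if __name__ == "__main__":
    print("kris   (naive)   :", weighted_hours(KRIS))
    print("scott  (naive)   :", weighted_hours(SCOTT))
    print("shayne (naive)   :", weighted_hours(SHAYNE))
    print("kris   (wrapping):", weighted_hours(KRIS, wrapping_weight))
```

Under these assumptions the split form and the inverted form weight the same seven hours, while the original 23-to-6 line would also cover 6:00 to 6:59 even on an evaluator that handled the wrap.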
RE: [Declude.JunkMail] Subject Missing
Actually I looked at my $default$ and I did not have a line for GIBBERISH WARN or ANTI-GIBBERISH WARN.

Would that have caused the problem and do I need both of them there?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
Sent: Thursday, March 18, 2004 10:51 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Subject Missing

> I have been testing a lot of scenarios try to get a handle on a problem where the subject line message just disappears from incoming mail when the message is created from a Cold Fusion online newsletter editor. Here is what I found out and how I fixed it.
>
> #GIBBERISH filter E:\IMail\Declude\Filters\Gibberish.txt x 6 0
> #ANTI-GIBBERISH filter E:\IMail\Declude\Filters\Anti-Gibberish.txt x -6 0
>
> With both of these filter in place there is a intermittent problem with subject summary missing and showing up in the body of the email.

What action are you using on those two tests? I'm guessing that you are using the WARN action with a custom header with no : in it. For example,

GIBBERISH WARN Warning- This E-mail failed the GIBBERISH test

could cause what you describe (since there is no : in the header that would be added).

-Scott
RE: [Declude.JunkMail] Subject Missing
> I looked at my $default$ and I did not have a line for GIBBERISH WARN or ANTI-GIBBERISH WARN. Would that have caused the problem and do I need both of them there?

What matters is the action that appears in whatever config file that Declude JunkMail is using. That could be the \IMail\Declude\global.cfg file (if the E-mail is outgoing), the \IMail\Declude\$default$.JunKMail file (if the E-mail is incoming), or a per-user/per-domain config file.

Do you have the full headers for one of the E-mails that this happened to? That could help in determining what happened.

-Scott
RE: [Declude.JunkMail] WARN
There are certain domains that we used to use the WARN action for say the BADHEADERS test, and the warning would give you a little code to find out what exactly was wrong with the header.

The WARN action on this test is still there, but another one of the tests uses the ATTACH action.

In the spamattach.eml file, we are displaying the %HEADERS% but these do not include the WARNing with the code, and when I open the email attached and view the internet headers they're blank.

Any way of being able to find out the BADHEADER codes etc?

Thanks,

Lyndon.
RE: [Declude.JunkMail] WARN
> In the spamattach.eml file, we are displaying the %HEADERS% but these do not include the WARNing with the code, and when I open the email attached and view the internet headers they're blank.
>
> Any way of being able to find out the BADHEADER codes etc?

Those should appear in the headers of the actual E-mail that is received (the one containing the spam in the attachment).

-Scott
RE: [Declude.JunkMail] WARN
So they are - apologies. Didn't think they'd be there because that's the email from my server, but I guess it makes sense.

-----Original Message-----
From: R. Scott Perry [mailto:[EMAIL PROTECTED]
Sent: 18 March 2004 17:26
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] WARN

> In the spamattach.eml file, we are displaying the %HEADERS% but these do not include the WARNing with the code, and when I open the email attached and view the internet headers they're blank.
>
> Any way of being able to find out the BADHEADER codes etc?

Those should appear in the headers of the actual E-mail that is received (the one containing the spam in the attachment).

-Scott
[Declude.JunkMail] HOP and HOPHIGH
Scott,

Presently, the HOP and HOPHIGH parameters in my global.cfg are remarked out. When I try to set HOP to 0, the overflow directory begins to fill up. Any thoughts?

Thanks,

Steve
Re: [Declude.JunkMail] HOP and HOPHIGH
> Presently, the HOP and HOPHIGH parameters in my global.cfg are remarked out. When I try to set HOP to 0, the overflow directory begins to fill up. Any thoughts?

That's not good. If the HOP line isn't there, the source IP of E-mails will not be scanned.

The overflow directory will fill up if E-mail can't be scanned and delivered as fast as it comes in. This is normally due to a DNS issue. Is your DNS server (the one listed in the IMail SMTP settings) working properly?

-Scott
[Declude.JunkMail] HOP and HOPHIGH
Scott,

The DNS server appears to be working OK. There are times when our mailserver's CPU utilization is over 90%. It doesn't remain at that level for extended periods, but it does reach this level which concerns me. Is it possible that when I introduce the HOP scan within Declude, that the mailserver can't keep up with the load place on it??

Steve

----- Original Message -----
From: "R. Scott Perry" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, March 18, 2004 2:20 PM
Subject: Re: [Declude.JunkMail] HOP and HOPHIGH

> Presently, the HOP and HOPHIGH parameters in my global.cfg are remarked out. When I try to set HOP to 0, the overflow directory begins to fill up. Any thoughts?

That's not good. If the "HOP" line isn't there, the source IP of E-mails will not be scanned.

The overflow directory will fill up if E-mail can't be scanned and delivered as fast as it comes in. This is normally due to a DNS issue. Is your DNS server (the one listed in the IMail SMTP settings) working properly?

-Scott
Re: [Declude.JunkMail] HOP and HOPHIGH
> The DNS server appears to be working OK. There are times when our mail server's CPU utilization is over 90%. It doesn't remain at that level for extended periods, but it does reach this level which concerns me. Is it possible that when I introduce the HOP scan within Declude, that the mail server can't keep up with the load place on it??

Yes, it is almost definite that the mail server can't keep up with the load. The question, though, is why (too much CPU usage, slow processing of E-mail, etc.).

I would recommend using the debug mode in this case. To use the debug mode, you can change the LOGLEVEL LOW line in \IMail\Declude\global.cfg to LOGLEVEL DEBUG. Then, after about a minute, you can then switch back to LOGLEVEL LOW (the debug mode adds huge amounts of information to the log file). You can then send me (off-list) the \IMail\spool\dec.log file (as an attachment, NOT sent from web messaging), and I can take a look at it to see what is happening.

-Scott
[Declude.JunkMail] More problems with: Whitelist setup problem
My client says they are still have getting email spam filtered by JM when it should be white listed. Here is what I have:

They have a file whitelist.txt which for now has these entries:

[EMAIL PROTECTED]
[EMAIL PROTECTED]

There are two blank lines after the scott listing.

This file is referenced in their $default$.junkmail file as follows:

REVDNS WARN
ROUTING WARN
SPAMHEADERS WARN
WHITELISTFILE D:\IMail\Declude\PaulsonCommodities\whitelist.txt
WEIGHT5 MAILBOX InSpamLow
WEIGHT10 MAILBOX InSpam

(This is a section out of the file, because I figured you would recognize the placement. It's right between the individual tests and the weighted tests.)

This morning they received an email with this header (again, just an excerpt):

From: Thiel, Scott [EMAIL PROTECTED]
To: Nancy [EMAIL PROTECTED], Steve [EMAIL PROTECTED]
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 15 Mar 2004 16:13:17.0345 (UTC) FILETIME=[6D0B3110:01C40AA8]
X-RBL-Warning: HELOBOGUS: Domain CHSCOWA.exch.chsroot has no MX or A records.
X-Declude-Sender: [EMAIL PROTECTED] [205.235.215.4]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: HELOBOGUS, IPNOTINMX, NOLEGITCONTENT, WEIGHT5, WEIGHT5s [5]
X-Note: This E-mail was sent from mailx.chsinc.com ([205.235.215.4]).
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 372121280

This message was caught by the weight5 test, which sends the message to the InSpamLow mailbox. The client wants this sender to be whitelisted, so that his emails always go to the regular Inbox.

So why did JM process this email? It seems the X-Declude-Sender matches the line in the whitelist.txt file (since it's not case-sensitive). What am I missing?

Thanks,

Ben
BC Web

----- Original Message -----
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, March 12, 2004 10:09 AM
Subject: Re: [Declude.JunkMail] Whitelist setup problem

> Did I miss something here? I created a whitelist for a client (we use DJ Pro) by adding this line to their domain-specific $default$.junkmail file:
>
> WHITELISTFILE D:\IMail\Declude\PaulsonCommodities\whitelist.txt
>
> (I put it in right before their list of weighted tests). Inside the white list file, I have an entry:
>
> [EMAIL PROTECTED]
>
> I thought that this would cause email from this person to bypass the spam system. However, messages from him are still being scored and processed. When I checked the declude-x-sender line, the address is:
>
> [EMAIL PROTECTED]
>
> Is the whitelisting system case-sensitive?

It isn't case sensitive.

Is that the last line in the file? If so, can you move the cursor to the line below it? If not, you need to go to the end of the line and hit ENTER (most Windows programs won't be able to see the last line in the file without a CRLF at the end).

-Scott
Re: [Declude.JunkMail] OT: Windows 2000 Performance Monitor
Darin and Darrell,

Thanks to both of you for the pointers. Certainly that saved me some time.

I did manage to capture all of the process information by selecting all instances for the Process % Processor Time. Using System Monitor it was easy to set up graphs from the logs showing this info, including all numbered instances. The graphs though suck. The averages seem to help a bit more.

One piece of data that I seem to be missing is F-Prot's usage though. Any idea what that shows up as? I'm looking to compare that to avgscan.exe.

Also, do you guys (or anyone else) have an idea about how disk load times might be reflected as far as utilization goes? I have over 60 custom filters that get loaded for almost every message, though they only get run about 60%-70% of the time on average. I'm thinking that my excessive filter use might be an important component of my processor peaks, peaks that I need to better control because of my current mixed environment with hosting. Sniffer for instance reports very low utilization as a process, however loading the rulebase according to Pete represents about 90% of the time to process a message, but it doesn't appear to be reflected in my stats as utilization except when tracking the overall processor usage.

Regardless of the pieces that are still lacking, I was definitely able to get a better grasp on some other things.

Thanks,

Matt

Darin Cox wrote:

> Hi Matt,
>
> As Darrell pointed out, short-lived processes are problematic to monitor as it's difficult to get a continuous aggregate read for a particular type of process.
>
> If you're just looking for more general statistics on processor, IO, storage, RAM, etc. it works quite well to log it to a SQL Server for trending. We use the perfcheck.dll that came with either W2K Resource Kit or Support Tools and call it from a SQL job to loop through defined counters from one table every few minutes and store the sampled value in another. Currently we just clear it out when it gets too big, but have been considering aggregating to report tables for daily, weekly, and/or monthly usage trends.
>
> You can go hog wild with these things, but we've found a few simple counters are enough and give us the necessary info to project hardware needs.
>
> Darin.
>
> ----- Original Message -----
> From: Matt [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Wednesday, March 17, 2004 9:49 PM
> Subject: [Declude.JunkMail] OT: Windows 2000 Performance Monitor
>
> I've never bothered to run monitoring before, but I need to do so now so that I can make more informed decisions. Does anyone have a good config/setup that they want to share which is most effective at tracking usage primarily related to an IMail/Declude/Sniffer setup? Should I be storing this data in SQL Server? Etc.
>
> Thanks,
>
> Matt
Re: [Declude.JunkMail] More problems with: Whitelist setup problem
My client says they are still getting email spam filtered by JM when it should be white listed. Here is what I have: I can't see any problems here. I would recommend using the debug mode to track this down. To use the debug mode, you can change the LOGLEVEL LOW line in \IMail\Declude\global.cfg to LOGLEVEL DEBUG. Then, send an E-mail through that just be whitelisted, and then switch back to LOGLEVEL LOW (the debug mode adds huge amounts of information to the log file). You can then send me (off-list) the \IMail\spool\dec.log file (as an attachment, NOT sent from web messaging), and I can see what the problem is. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation.
RE: [Declude.JunkMail] More problems with: Whitelist setup problem
As far as I can tell that is all that needs to be added for the whitelist to work. I don't have any blank lines in front of the entry or after it. As an alternative you can set up a whitelist file just like the black list file and assign a negative weight to it. This is what I have and I haven't had any problems with it.
Global.cfg
WHITELISTADDR fromfile c:\imail\declude\whitelistaddresses.txt x -20 0
Defaultjunkmail
WHITELISTADDR WARN
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of IMail Admin Sent: Thursday, March 18, 2004 3:06 PM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] More problems with: Whitelist setup problem
My client says they are still getting email spam filtered by JM when it should be white listed. Here is what I have: They have a file whitelist.txt which for now has these entries:
[EMAIL PROTECTED]
[EMAIL PROTECTED]
There are two blank lines after the scott listing. This file is referenced in their $default$.junkmail file as follows:
REVDNS WARN
ROUTING WARN
SPAMHEADERS WARN
WHITELISTFILE D:\IMail\Declude\PaulsonCommodities\whitelist.txt
WEIGHT5 MAILBOX InSpamLow
WEIGHT10 MAILBOX InSpam
--- [This E-mail scanned for viruses by Declude Virus] [AUTOMATED NOTE: Your mail server [170.94.138.34] is missing a reverse DNS entry. All Internet hosts are required to have a reverse DNS entry. The missing reverse DNS entry will cause your mail to be treated as spam on some servers, such as AOL.]
Re: [Declude.JunkMail] OT: Windows 2000 Performance Monitor
Hi Matt, Graphs are pretty but not often useful. We use daily/monthly avg and stdev for meaningful info. F-prot should show up as the exe name, fpcmd.exe. Certainly threading with files remaining loaded in memory and checked for changes periodically would be a lot quicker than loading the files every time, but lacking that...shrug. I haven't seen anyone use one in years, but a ramdisk might help. That way the files do remain loaded in ram. I'm sure there's a product somewhere that still does that. I don't know of any way to separate out disk usage by one process or exe, so any performance counters there probably wouldn't do much good. If you're having disk IO problems overall, though, I would suggest running SCSI RAID level 1 with multiple, striped disks so reading can be done from multiple disks at once. Darin.
Re: [Declude.JunkMail] OT: Windows 2000 Performance Monitor
Darin, What I'm trying to do is polish up my config in the expectation of a lot more business over the short term. Things are definitely moving around here. I'm also concerned about storms of viruses and spam attacks. I figure that now is the time to get a handle on what needs to be done in order to improve efficiency instead of when it is biting me in the a**. I figured out the fpcmd.exe thing. Curiously it didn't show up after 15 minutes when polled every second. This speaks to the incredible performance of F-Prot, in fact here are some stats from the last hour comparing fpcmd.exe to avgscan.exe:
avgscan.exe - Average: 1.556 Maximum: 57.813
fpcmd.exe - Average: 0.486 Maximum: 3.125
My server started getting hammered about 30 minutes ago by a NetSky.D virus storm, once every couple of seconds all from the same computer. This has been happening for several days now in fact, but it's hit or miss when it happens. As a result, I have data showing up to 12 Declude processes at once. I assume that the other peak number of processes were also reached during that time, with avgscan.exe recording up to 7 processes, but fpcmd.exe only 2. Sniffer also only made it to 3, probably because the viruses were all blocked. I also looked at DEBUG virus logs a few days ago and found that the scan time was about 4 times longer for avgscan.exe than it was for fpcmd.exe...conclusion: AVG is not a good candidate for higher volumes, even in 32-bit mode. I think I can save myself a lot of processing by finding a more efficient second scanner, one on par with F-Prot. If my box was not doubling as a Web server, I would be willing to push it much harder. It's the peaks that bother me right now, and they're massive. This is one of the reasons why I suggested that the SKIPIFWEIGHT stuff appear in the Global.cfg, thinking that it would save the loading of these files and the minimal parsing necessary to tell Declude the limit has already been reached. Good E-mail and virus scanning takes more processing power by far than spam does because it hits every test. Regarding your suggestion about a RAMDISK, Pete is actually working on a persistent instance of Sniffer with all sorts of fancy words to describe how it works :) My machine is a 4 active drive RAID 5 array on some 10K Cheetahs. It was built for redundancy/reliability and not necessarily for speed. It does great as a Web server, but as a gateway machine, I understand fully the challenges and how that affects your choices. When I move the mail scanning onto a different box, it will be optimized for speed. Still though, I don't want to be throwing something like an inefficient virus scanner at a setup and impacting my ability to scale. It could also be that I chose inefficient switches when I configured AVG, so I'll take a look at that as well. If anyone wants to help test out virus scanners for efficiency, contact me off list and we'll come up with a standard way to test them (probably on my box if folks don't mind). Thanks again, Matt
Re: [Declude.JunkMail] More problems with: Whitelist setup problem
I sent you the JM log file off-line as you requested. However, once I looked at it closer, I found these lines:
03/18/2004 14:26:00.973 Q21f8015800fcaa67 Domain name = paulsoncommodities.com, User name = Steve.
03/18/2004 14:26:00 Q21f8015800fcaa67 Using [incoming] CFG file D:\IMAIL\Declude\paulsoncommodities.com\$default$.junkmail.
03/18/2004 14:26:00.973 Q21f8015800fcaa67 Could not open whitelist file D:\IMail\Declude\PaulsonCommodities\whitelist.txt.
For a while I didn't understand this, and I even ran additional tests. Then I realized the obvious: if you compare the second and third lines of the excerpt, you'll see that one refers to paulsoncommodities.com (correct) and the other to paulsoncommodities (incorrect). My apologies to everyone for wasting time and bandwidth on what was a really trivial mistake. I'm going to go to the local pasta bar and ask for a hundred lashes with a wet noodle. Ben
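The comparison made by eye in the message above can be run over a whole DEBUG log. This is an added example, not part of the original thread and not Declude tooling; the line layout is generalised from the three quoted log lines, and treating the trailing period as punctuation rather than part of the path is an assumption.

```python
import ntpath
import re
from typing import NamedTuple, Optional

# The three DEBUG-level log lines quoted in the message above.
SAMPLE_LOG = r"""
03/18/2004 14:26:00.973 Q21f8015800fcaa67 Domain name = paulsoncommodities.com, User name = Steve.
03/18/2004 14:26:00 Q21f8015800fcaa67 Using [incoming] CFG file D:\IMAIL\Declude\paulsoncommodities.com\$default$.junkmail.
03/18/2004 14:26:00.973 Q21f8015800fcaa67 Could not open whitelist file D:\IMail\Declude\PaulsonCommodities\whitelist.txt.
"""

# Assumed layout: date, time (milliseconds optional, as in the second
# sample line), queue id, message; a trailing period is dropped from paths.
LINE_RE = re.compile(r"^\d\d/\d\d/\d{4} \d\d:\d\d:\d\d(?:\.\d+)? (Q\w+) (.*)$")
CFG_RE = re.compile(r"^Using \[\w+\] CFG file (.+?)\.?$")
MISSING_RE = re.compile(r"^Could not open whitelist file (.+?)\.?$")


class Finding(NamedTuple):
    queue_id: str
    missing: str              # whitelist path that could not be opened
    cfg_dir: Optional[str]    # directory of the config file in use
    same_dir: bool            # True if both sit in the same directory
    candidate: Optional[str]  # same file name under cfg_dir; verify on disk


def check_whitelist_paths(log_text: str) -> list:
    """Report every whitelist file that could not be opened, per queue id."""
    cfg_dirs = {}   # queue id -> directory of the CFG file in use
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        qid, msg = m.groups()
        cfg = CFG_RE.match(msg)
        if cfg:
            cfg_dirs[qid] = ntpath.dirname(cfg.group(1))
            continue
        miss = MISSING_RE.match(msg)
        if not miss:
            continue
        path = miss.group(1)
        cfg_dir = cfg_dirs.get(qid)
        if cfg_dir is None:
            findings.append(Finding(qid, path, None, False, None))
            continue
        # Windows paths are case-insensitive: IMAIL and IMail are the same
        # directory, so compare with normcase before flagging a mismatch.
        same = ntpath.normcase(ntpath.dirname(path)) == ntpath.normcase(cfg_dir)
        cand = None if same else ntpath.join(cfg_dir, ntpath.basename(path))
        findings.append(Finding(qid, path, cfg_dir, same, cand))
    return findings


if __name__ == "__main__":
    for f in check_whitelist_paths(SAMPLE_LOG):
        print(f"{f.queue_id}: cannot open {f.missing}")
        if f.candidate:
            print(f"  config lives in {f.cfg_dir}; check {f.candidate}")
```

A whitelist that cannot be opened does not stop mail flow, so the only sign is wanted mail being filtered; scanning the log for this message after each config change catches it before a client reports it.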
Re: [Declude.JunkMail] OT: Windows 2000 Performance Monitor
At 05:18 PM 3/18/2004, you wrote: Regarding your suggestion about a RAMDISK, Pete is actually working on a persistent instance of Sniffer with all sorts of fancy words to describe how it works :) My Matt, I'm pretty happy with the beta - so far no glitches or gotchas on my test server nor any reported from the list. If you've not yet tried it you might give it a shot. The production version is not likely to change except for cleaning out some debug/monitoring code and adding a few tuning / management features. The last thing we'll need to do is choose an MS Service stub utility to recommend, but in the meantime it's been working ok on my box as a .cmd nailed up and hidden behind a password protected screen saver setting. Just a thought. _M
Re: [Declude.JunkMail] OT: Windows 2000 Performance Monitor
Pete, I've definitely been reading up on the other list and all looks great so far. I can't leave my server logged into, so I'm going to sit back for a little bit longer until you get the service stub thing going (recommendations, et al.). It also appears that defeating Sniffer with a weight qualifier may be of almost no consequence at this point, so I'm giving up on that project. I had run into a roadblock where I couldn't get the code from Sniffer using VBScript and the directions that we found said it would work the way we did it. The funny thing is that we could get other information about the process...just not the code. Anyway, I learned a few new tricks. Thanks again, Matt