RE: [Declude.JunkMail] SPEWS problem

2004-05-17 Thread Colbeck, Andrew
Goran, mail.lanshoppe.com is not listed in SPEWS; your provider, HopOne is.
Other than complain to HopOne, there is nothing you can do except switch
your inbound mail server somewhere else, like swapping with your outbound
mail service, for example.

You can read information about SPEWS, and HopOne's listing(s) by using this
excellent web resource, and following the links.

http://openrbl.org/


Andrew 8)

p.s. Nope, never been in SPEWS.

-Original Message-
From: Goran Jovanovic [mailto:[EMAIL PROTECTED] 
Sent: Monday, May 17, 2004 9:10 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] SPEWS problem


Anyone have any experience with SPEWS.ORG? It seems that the IP address
of our server we are using is listed in SPEWS. Has anyone ever got
themselves de-listed?


 
 Goran Jovanovic
 The LAN Shoppe

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


[Declude.JunkMail] Requeue links for junkmail

2004-05-17 Thread serge
The requeue.asp by Markus works great.
Wonder if something similar exists for junkmail where users get an end of
day email listing the senders and subjects of "holded" spam, and they can
click on a link if they recognize a specific message ?
TIA


- Original Message - 
From: "Adolfo Justiniano" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, May 14, 2004 4:44 AM
Subject: RE: [Declude.Virus] .smd files in c:/


> > Care to share ?
>
> I apologize for any errors in my writing, English is not my native
> language.
>
> I'm using this script that Markus was gentle to share to the list:
> http://www.mail-archive.com/[EMAIL PROTECTED]/msg04996.html
>
> And my vulnerability.eml has these lines:
>
> SKIPIFVIRUSNAMEDOESNOTHAVE Vulnerability
> From: [EMAIL PROTECTED]
> To: %ALLRECIPS%
> Subject: We blocked an E-mail sent to you!
>
> NOTE: This is an AUTOMATIC message.
>
> We caught an E-mail addressed to you that explores a vulnerability and
> have
> quarantined it for your protection.
>
> Following is the information about the E-mail:
>
> From: %MAILFROM%
> To: %ALLRECIPS%
> Subject: %SUBJECT%
> Vulnerability: %VIRUSNAME%
> Attachment: %VIRUSFILE%
> Date: %DATE% @ %TIME%
> Spool name: %QUEUENAME%
>
> If you recognize the above information as a valid E-mail that you want
> or
> should have received, request it's automatic unblocking by clicking in
> the
> following link: http://www.mydomain.com/requeue.asp?id=%QUEUENAME%
>
> If the unblocking isn't requested the E-mail will be deleted after 3
> days.
>
> Headers Follow:
>
> %HEADERS%
>
> Adolfo Justiniano
> Santa Cruz BBS
> e-mail: [EMAIL PROTECTED]
> http://www.scbbs.net
>


[Declude.JunkMail] SPEWS problem

2004-05-17 Thread Goran Jovanovic
Anyone have any experience with SPEWS.ORG? It seems that the IP address
of our server we are using is listed in SPEWS. Has anyone ever got
themselves de-listed?


 
 Goran Jovanovic
 The LAN Shoppe



Re: [Declude.JunkMail] f-prot

2004-05-17 Thread Aaron J . Caviglia
Where can we purchase the command line scanner?
Thanks,
Aaron Caviglia
On May 17, 2004, at 8:23 PM, Goran Jovanovic wrote:

> > For the latter there is an outstanding request to Scott to
> > kill additional scanning once a scanner detects a virus..
>
> So right now if you use multiple scanners when you scan with ScannerA
> and it finds a virus Declude will still call ScannerB and have it scan
> as well?
>
> Scott pointed out that his McAfee was only $11.00 for the year so the
> price barrier is "non-existent" and I see from your and Scott's
> responses that there are indeed reasons to have more than one scanner.
>
> Thank you all
>
>  Goran Jovanovic
>  The LAN Shoppe
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> > [EMAIL PROTECTED] On Behalf Of Nick Hayer
> > Sent: Monday, May 17, 2004 10:03 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [Declude.JunkMail] f-prot
> >
> > On 17 May 2004 at 9:13, Goran Jovanovic wrote:
> >
> > > For the folks using multiple scanners, do you have any stats on how
> > > often the secondary scanner found a virus that the first one missed?
> > Hi Goran,
> >
> > Here are my latest stats:
> > Virus Totals:
> > 441   F-Prot
> > 412   AVG
> > 446   McAfee
> > -
> > Vunerabilities:
> > 349
> > -
> >
> > I update the defs for all every 4 hrs on a staggered schedule.
> > Because of possible false positives I have found it hard to rank one
> > particular scanner over another. For me the advantage to have more
> > than one is one [varies] company will always come out with protection
> > for a new outbreak before another. The downside is cost and cpu
> > overhead. For the latter there is an outstanding request to Scott to
> > kill additional scanning once a scanner detects a virus..
> >
> > -Nick Hayer
> >
> > > I realize that the cost of F-Prot (which I am using) is quite low and
> > > others might be as well, so it is not a cost issue but rather a "Do I
> > > really need it?".
> > >
> > > Thanx
> > >
> > >  Goran Jovanovic
> > >  The LAN Shoppe
> > >
> > > > -Original Message-
> > > > From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> > > > [EMAIL PROTECTED] On Behalf Of Scott Fisher
> > > > Sent: Monday, May 17, 2004 12:49 AM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: Re: [Declude.JunkMail] f-prot
> > > >
> > > > I find the Mcafee is the best at detecting viruses within encrypted
> > > > zips.
> > > > Otherwise they are pretty even.
> > > >
> > > > I'd recommend using F-Prot and Mcafee.
> > > > Mcafee for the DOS command line scanner is dirt cheap. I'll see if I
> > > > can find my price tomorrow.
> > > >
> > > > <<< [EMAIL PROTECTED]  5/15 12:29p >>>
> > > > Can anyone tell me how f-prot compares to mcafee or symantec when it
> > > > comes to keeping their database up with new viruses? That just seems
> > > > pretty cheap but hey that's exactly what I'm looking for as long as
> > > > it works well :)
> > > >
> > > > thanks,
> > > >
> > > > Larry Craddock


RE: [Declude.JunkMail] f-prot

2004-05-17 Thread Goran Jovanovic
> For the latter there is an outstanding request to Scott to
> kill additional scanning once a scanner detects a virus..

So right now if you use multiple scanners when you scan with ScannerA
and it finds a virus Declude will still call ScannerB and have it scan
as well?

Scott pointed out that his McAfee was only $11.00 for the year so the
price barrier is "non-existent" and I see from your and Scott's
responses that there are indeed reasons to have more than one scanner.

Thank you all
 
 Goran Jovanovic
 The LAN Shoppe

 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> [EMAIL PROTECTED] On Behalf Of Nick Hayer
> Sent: Monday, May 17, 2004 10:03 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.JunkMail] f-prot
> 
> On 17 May 2004 at 9:13, Goran Jovanovic wrote:
> 
> > For the folks using multiple scanners, do you have any stats on how
> > often the secondary scanner found a virus that the first one missed?
> Hi Goran,
> 
> Here are my latest stats:
> Virus Totals:
> 441   F-Prot
> 412   AVG
> 446   McAfee
> -
> Vunerabilities:
> 349
> -
> 
> I update the defs for all every 4 hrs on a staggered schedule.
> Because of possible false positives I have found it hard to rank one
> particular scanner over another. For me the advantage to have more
> than one is one [varies] company will always come out with protection
> for a new outbreak before another. The downside is cost and cpu
> overhead. For the latter there is an outstanding request to Scott to
> kill additional scanning once a scanner detects a virus..
> 
> -Nick Hayer
> 
> 
> 
> 
> >
> > I realize that the cost of F-Prot (which I am using) is quite low and
> > others might be as well, so it is not a cost issue but rather a "Do I
> > really need it?".
> >
> > Thanx
> >
> >
> >  Goran Jovanovic
> >  The LAN Shoppe
> >
> >
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> > > [EMAIL PROTECTED] On Behalf Of Scott Fisher
> > > Sent: Monday, May 17, 2004 12:49 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: [Declude.JunkMail] f-prot
> > >
> > > I find the Mcafee is the best at detecting viruses within encrypted
> > > zips.
> > > Otherwise they are pretty even.
> > >
> > > I'd recommend using F-Prot and Mcafee.
> > > Mcafee for the DOS command line scanner is dirt cheap. I'll see if I
> > > can find my price tomorrow.
> > >
> > > <<< [EMAIL PROTECTED]  5/15 12:29p >>>
> > > Can anyone tell me how f-prot compares to mcafee or symantec when it
> > > comes to keeping their database up with new viruses? That just seems
> > > pretty cheap but hey that's exactly what I'm looking for as long as
> > > it works well :)
> > >
> > > thanks,
> > >
> > > Larry Craddock
> > >


Re: [Declude.JunkMail] Misunderstood DUL/DYNA

2004-05-17 Thread Bill Landry
- Original Message - 
From: "Don Brown" <[EMAIL PROTECTED]>

> Being able to whitelist "all" users is important. This can be done
> with Imail 8 and by using WHITELISTED AUTH in Declude's Global.cfg.
> However, whether or not "all" users do actually AUTH, still depends
> upon the SMTP SECURITY setting in Imail 8. For instance, if SMTP
> SECURITY is set to relay for addresses, then some users may not AUTH
> and, therefore, not get whitelisted with WHITELIST AUTH.

While this is true, you can also use "WHITELIST IP" in your global.cfg file:

WHITELIST IP xxx.xxx.xxx.0/24

to whitelist the same IP addresses in JunkMail that you have listed in your
"relay for address" in IMail.

Bill



Re: [Declude.JunkMail] Misunderstood DUL/DYNA

2004-05-17 Thread Don Brown
Being able to whitelist "all" users is important. This can be done
with Imail 8 and by using WHITELISTED AUTH in Declude's Global.cfg.
However, whether or not "all" users do actually AUTH, still depends
upon the SMTP SECURITY setting in Imail 8. For instance, if SMTP
SECURITY is set to relay for addresses, then some users may not AUTH
and, therefore, not get whitelisted with WHITELIST AUTH.

Thanks,


Monday, May 17, 2004, 10:48:27 AM, Matt <[EMAIL PROTECTED]> wrote:
M> Andy,

M> I think there is some confusion here on your part.

M> What was discovered and initially discussed in this thread
M> though is that Declude will not test the last hop with such tests
M> when the Mail From matches a local address.  That was also good
M> design, but if you can whitelist all local senders, it is best to
M> turn this off.  A suitable work around for this issue has been
M> provided.  The work around that was discussed will only test the
M> last hop.  When Declude uses the %IP4R% variable, this comes from
M> the connecting IP (unless IPBYPASSed), and there is only one value
M> tested.

M> Matt

M> Andy Schmidt wrote:

M>   >> You don't have to remove the tests, you just have to
M> rename them.  I renamed mine with DYN, that way Declude doesn't see
M> them as matching DUL/DYNA/DUHL and therefore will not skip them when
M> the Mail From matches a local address. <<
M>
M>   But Matt - please correct me if I'm wrong. I believe we manage
M> to talk about two different things. You are focused on the LAST hop
M> - but I believe, you have lost sight of the purpose of DUL/DYNA/DUHL
M> - which is the FIRST hop.
M>
M>   Let's look at a sample to make sure that we're talking apples and apples:
M>
M>   Sender: [EMAIL PROTECTED]
M>   2nd hop:
M>       smtp.cable.com -> mymailserver.andy.com
M>   1st hop:
M>       some-dynamic-ip-host.cable.com -> smtp.cable.com
M>
M>   The "some-dynamic-ip-host.cable.com" is listed in the
M> "DYNA/DUHL" lists - and it should be.
M>
M>   As long as I have "DYNA/DUHL" in the name, Declude will NOT
M> test the first hop - e.g., it will correctly permit the rest of the
M> world to reach me through their providers' SMTP servers. The
M> DYNA/DUHL tests only test the 2nd and subsequent hops - because
M> THOSE should not be on a blacklist. Most importantly, they test the
M> LAST hop (the one to my mail server) - because a DYNA/DUHL IP should
M> never try to relay off me (unless it's using SMTP AUTH).
M>
M>   Now, if I were to follow your example and remove DYNA/DUHL
M> from the name, then these tests will also test the FIRST hop - and
M> thus I'd be swamped with false positives for any dialup/broadband
M> user who CORRECTLY uses his/her provider's smtp server.
M>
M>   It seems that you are focused only on the LAST hop - but by
M> removing DYNA/DUHL from the name, you end up hurting the FIRST hop.
M>
M>   The "conditional" check at the last hop was NOT the reason to
M> introduce DYNA/DUHL, that's just a quirky "quick-fix" which should
M> be optional for those who don't need this backdoor open. The reason
M> for DYNA/DUHL was proper handling of the first hop - and that's why
M> it can't be removed.

M>   Best Regards
M>   Andy Schmidt

M>   H M Systems Software, Inc.
M> 600 East Crescent Avenue, Suite 203
M> Upper Saddle River, NJ 07458-1846

M>   Phone:  +1 201 934-3414 x20 (Business)
M> Fax:    +1 201 934-9206

M>   http://www.HM-Software.com/




Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED]   http://www.inetconcepts.net
(972) 788-2364Fax: (972) 788-5049




RE: [Declude.JunkMail] "SPAMHEADERS"?

2004-05-17 Thread Kevin Bilbee
You can use the tool Scott has setup to look up the reason a message has
failed.

http://www.declude.com/tools/header.php?code=420e


Here is the link to your error code.


Kevin Bilbee

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Dave Doherty
> Sent: Monday, May 17, 2004 11:26 AM
> To: [EMAIL PROTECTED]
> Subject: [Declude.JunkMail] "SPAMHEADERS"?
>
>
> Hi,
>
> Can anyone tell me why this one failed the SPAMHEADERS test?
>
> -Dave Doherty
>  Skywaves, Inc.
>
>
>
> Received: from IlanXP [68.236.177.124] by inettec.com with ESMTP
>   (SMTPD32-8.05) id A69B29201E4; Mon, 17 May 2004 13:30:03 -0400
> From: "Ilan Cyzner" <[EMAIL PROTECTED]>
> To: "'Dave Doherty'" <[EMAIL PROTECTED]>
> Subject: [11]   whitelist
> Date: Mon, 17 May 2004 13:32:41 -0400
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
>  boundary="=_NextPart_000_0066_01C43C13.6E051AD0"
> X-Mailer: Microsoft Office Outlook, Build 11.0.5510
> Thread-Index: AcQ8NPSd4vuOexbQSj+TGJ7Rqs6ypw==
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
> Message-Id: <[EMAIL PROTECTED]>
> X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam
> [420e].
> X-RBL-Warning: MAILPOLICE-DYNA-REVDNS: This E-mail came from a potential
> spam source listed in MAILPOLICE-DYNA-REVDNS.
> X-Spam-Tests-Failed: SPAMHEADERS [3], MAILPOLICE-DYNA-REVDNS [8]
> X-Spam-Total-Weight: [11]
> X-Declude-Sender: [EMAIL PROTECTED] [68.236.177.124]
> X-Declude-Spoolname: Df69b029201e40c72.SMD
> X-Note: This E-mail was sent from
> dpvc-68-236-177-124.ny325.east.verizon.net
> ([68.236.177.124]).
> X-RCPT-TO: <[EMAIL PROTECTED]>
> Status: U
> X-UIDL: 343954817
>
>


Re: [Declude.JunkMail] "SPAMHEADERS"?

2004-05-17 Thread Dan Geiser
http://www.declude.com/tools/header.php?code=420e

- Original Message - 
From: "Dave Doherty" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, May 17, 2004 2:26 PM
Subject: [Declude.JunkMail] "SPAMHEADERS"?


> Hi,
>
> Can anyone tell me why this one failed the SPAMHEADERS test?
>
> -Dave Doherty
>  Skywaves, Inc.
>
>
>
> Received: from IlanXP [68.236.177.124] by inettec.com with ESMTP
>   (SMTPD32-8.05) id A69B29201E4; Mon, 17 May 2004 13:30:03 -0400
> From: "Ilan Cyzner" <[EMAIL PROTECTED]>
> To: "'Dave Doherty'" <[EMAIL PROTECTED]>
> Subject: [11]   whitelist
> Date: Mon, 17 May 2004 13:32:41 -0400
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
>  boundary="=_NextPart_000_0066_01C43C13.6E051AD0"
> X-Mailer: Microsoft Office Outlook, Build 11.0.5510
> Thread-Index: AcQ8NPSd4vuOexbQSj+TGJ7Rqs6ypw==
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
> Message-Id: <[EMAIL PROTECTED]>
> X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam
> [420e].
> X-RBL-Warning: MAILPOLICE-DYNA-REVDNS: This E-mail came from a potential
> spam source listed in MAILPOLICE-DYNA-REVDNS.
> X-Spam-Tests-Failed: SPAMHEADERS [3], MAILPOLICE-DYNA-REVDNS [8]
> X-Spam-Total-Weight: [11]
> X-Declude-Sender: [EMAIL PROTECTED] [68.236.177.124]
> X-Declude-Spoolname: Df69b029201e40c72.SMD
> X-Note: This E-mail was sent from
> dpvc-68-236-177-124.ny325.east.verizon.net
> ([68.236.177.124]).
> X-RCPT-TO: <[EMAIL PROTECTED]>
> Status: U
> X-UIDL: 343954817
>
>


[Declude.JunkMail] "SPAMHEADERS"?

2004-05-17 Thread Dave Doherty
Hi,

Can anyone tell me why this one failed the SPAMHEADERS test?

-Dave Doherty
 Skywaves, Inc.



Received: from IlanXP [68.236.177.124] by inettec.com with ESMTP
  (SMTPD32-8.05) id A69B29201E4; Mon, 17 May 2004 13:30:03 -0400
From: "Ilan Cyzner" <[EMAIL PROTECTED]>
To: "'Dave Doherty'" <[EMAIL PROTECTED]>
Subject: [11]   whitelist
Date: Mon, 17 May 2004 13:32:41 -0400
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="=_NextPart_000_0066_01C43C13.6E051AD0"
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
Thread-Index: AcQ8NPSd4vuOexbQSj+TGJ7Rqs6ypw==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
Message-Id: <[EMAIL PROTECTED]>
X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam
[420e].
X-RBL-Warning: MAILPOLICE-DYNA-REVDNS: This E-mail came from a potential
spam source listed in MAILPOLICE-DYNA-REVDNS.
X-Spam-Tests-Failed: SPAMHEADERS [3], MAILPOLICE-DYNA-REVDNS [8]
X-Spam-Total-Weight: [11]
X-Declude-Sender: [EMAIL PROTECTED] [68.236.177.124]
X-Declude-Spoolname: Df69b029201e40c72.SMD
X-Note: This E-mail was sent from dpvc-68-236-177-124.ny325.east.verizon.net
([68.236.177.124]).
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 343954817




Re: [Declude.JunkMail] DUL skipping was ISBLANK is blank

2004-05-17 Thread Don Brown
Hi Andy,

Look at the example, again and note the %IP4R%.  That tests ONLY the
1st HOP (or for clarity, the IP which delivered the mail to your
server).

"Change this:
  NJABL-DUL  ip4r  dnsbl.njabl.org  127.0.0.3  10  0

To this:
  NJABL-HOP1  dnsbl %IP4R%.dnsbl.njabl.org  127.0.0.3  10  0"
  


Saturday, May 15, 2004, 5:01:47 PM, Andy Schmidt <[EMAIL PROTECTED]> wrote:
>>> Then, in either cases, scanning the first hop is a simple matter of
AS> changing the test name to eliminate the reserved string of DUL, DYNA or DUHL
AS> and using the hack which Matt found. <<

AS> NO - removing DUL/DYNA/DUHL is NOT an option.  Because MUCH of the private
AS> emails originate from some address that is on that list - but only on the
AS> FIRST hop. Thus, the DUL/DYNA/DUHL skip tests on the FIRST hop!

AS> They can't be omitted - otherwise we'd block most private mail relayed
AS> through other providers SMTP servers.


AS> Best Regards
AS> Andy Schmidt

AS> Phone:  +1 201 934-3414 x20 (Business)
AS> Fax:+1 201 934-9206 



AS> -Original Message-
AS> From: [EMAIL PROTECTED]
AS> [mailto:[EMAIL PROTECTED] On Behalf Of Don Brown
AS> Sent: Saturday, May 15, 2004 04:19 PM
AS> To: Matt
AS> Cc: [EMAIL PROTECTED]
AS> Subject: Re: [Declude.JunkMail] DUL skipping was ISBLANK is blank


AS> This wasn't a bug or a larger issue of Declude trust based upon the 'from
AS> Address.' There was no choice but to skip DUL/DYNA/DUHL tests (which were
AS> the only ones skipped) when the 'from address' was spoofed as a local
AS> address. Imail 8 and WHITELIST AUTH help, but they don't solve this issue,
AS> either.

AS> Imail 8 can still be configured where the Client is NOT required to Auth in
AS> order to send. One example of that is 'Relay for Addresses.'

AS> So, if we have IPs on a DUL/DYNA/DUHL list, are using anything but 'No Mail
AS> Relay' in Imail 8 and we run a DYNA/DUL/DUHL test on the first hop, we will
AS> definitely tag our own customers.

AS> So, the way I see it, running DYNA/DUL/DUHL tests on the first hop of ALL
AS> mail, is only safe for those folks who: (1) are sure that none of their IP
AS> addresses are on any DYNA/DUL/DUHL list (and will never be on
AS> one) -OR- (2) run Imail 8, have it configured for 'No Mail Relay' and have
AS> WHITELIST AUTH specified in the Declude's Global.cfg. Then, in either cases,
AS> scanning the first hop is a simple matter of changing the test name to
AS> eliminate the reserved string of DUL, DYNA or DUHL and using the hack which
AS> Matt found. For instance:

AS> Change this:
AS>   NJABL-DUL  ip4r  dnsbl.njabl.org  127.0.0.3  10  0

AS> To this:
AS>   NJABL-HOP1  dnsbl %IP4R%.dnsbl.njabl.org  127.0.0.3  10  0

AS> I don't think a switch in Declude is really needed.

AS> Thanks,


AS> Saturday, May 15, 2004, 10:01:11 AM, Matt <[EMAIL PROTECTED]> wrote:
M>> Andy,

M>> It's only been a matter of months since a realistic work around
M>> was available for most users (using WHITELIST AUTH).  To the best of
M>> my knowledge, I'm the only one of us that has said anything about it
M>> on this list (first time in March, but of course I could be wrong).
M>> Like I indicated though, there is a way to fix the problem using the
M>> dnsbl trick, and it works immediately.  I would however like to see a
M>> switch given also, but this seems more like a convenience if you
M>> use DUL/DYNA/DUHL the way that they were meant to be used in the
M>> first place (which I was not), but still, it only means some extra
M>> lookups.

M>> Matt

M>> Andy Schmidt wrote:

M>>   Thanks - ouch.
M>>
M>>   I'd say that's a bug in design.
M>>
M>>   Since AUTH is supported in Imail 8 and since others may not allow
M>> local users to send through their Imail server (my outbound is going
M>> through IIS SMTP with SMTP AUTH), there should be AT LEAST a config
M>> option to turn this "spam me by faking sender" feature off!

M>>   Best Regards
M>>   Andy Schmidt

M>>   Phone:  +1 201 934-3414 x20 (Business)
M>> Fax:    +1 201 934-9206

M>> -Original Message-
M>> From: [EMAIL PROTECTED]:Declude.JunkMail-owner@declude.com]
M>> On Behalf Of Matt
M>> Sent: Saturday, May 15, 2004 01:49 AM
M>> To: [EMAIL PROTECTED]
M>> Subject: Re: [Declude.JunkMail] DUL skipping was ISBLANK is blank

M>> In absentia...

M>> http://www.mail-archive.com/[EMAIL PROTECTED]/msg17162.html

M>> This made a lot of sense before, and it was the only way to disable
M>> DUL tests for local users prior to IMail 8 and JunkMail ~1.76.
M>> Declude won't disable the tests for gatewayed domains, only where an
M>> address matches a local account.  You can also work around this by
M>> using the dnsbl trick like so:

M>> DNSRBL-DYN        dnsbl    %IP4R%.dun.dnsrbl.net           127.0.0.3    0    0
M>> NJABL-DYN-A       dnsbl    %IP4R%.dnsbl.njabl.org          127.0.0.3    0    0
M>> NJABL-DYN-B       dnsbl    %IP4R%.dynablock.njabl.org      127.0.0.3    0    0
M>> SORBS-DYN         dnsbl    %

Re: [Declude.JunkMail] [OT] Declude Web Site - is it down?

2004-05-17 Thread Darin Cox
If you need it, try backup.dnsstuff.com


Darin.


- Original Message - 
From: "Bruce Loughlin" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, May 17, 2004 11:04 AM
Subject: RE: [Declude.JunkMail] [OT] Declude Web Site - is it down?


I just happened to go to dnsstuff.com and received a 425 error about 15
minutes ago.(same now)

Bruce


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Jeff Maze
Sent: Monday, May 17, 2004 10:31 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] [OT] Declude Web Site - is it down?


Was just wondering if anyone else can bring up the Declude website.  I'm
updating my favorites (gonna giving FireFox a run) and the Declude site
isn't coming up for me.

Anyone else having that same problem?



Re: [Declude.JunkMail] Comments in "SPAMDOMAINS" text file

2004-05-17 Thread Matt




Dan Geiser wrote:

> will those "# Added: 05/17/2004" comments mess up the functioning of
> the file?


I believe they will.  Declude typically sees anything after the final
delimiter (space or tab) as one full string, even if it has another
space or tab in it.

Matt
-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=




Re: [Declude.JunkMail] DUL skipping was ISBLANK is blank

2004-05-17 Thread Matt




Darrell LaRock wrote:

  
  

  
  
  Matt,
   
  But if you
rename the tests to DYN –
than how you are configuring non-DUL tests twice?  
  
  


For DUL-type tests, I am only configuring them once, i.e.

    DNSRBL-DYN        dnsbl    %IP4R%.dun.dnsrbl.net           
127.0.0.3    0    0
    NJABL-DYN-A        dnsbl    %IP4R%.dnsbl.njabl.org           
127.0.0.3    0    0
    NJABL-DYN-B        dnsbl    %IP4R%.dynablock.njabl.org       
127.0.0.3    0    0
    SORBS-DYN        dnsbl    %IP4R%.dnsbl.sorbs.net           
127.0.0.10    0    0

You seem confused about how I was using one of the magic names for a
hack that I was using for non-DUL-type tests.

Matt

-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=




Re: [Declude.JunkMail] DUL skipping was ISBLANK is blank

2004-05-17 Thread Matt




Markus Gufler wrote:

  But there are other tests like FIVETEN-SRC that has had a wrong result
  in the same range for 9100 messages. The question is if FIVETEN-SRC
  allows a %IP4R% lookup.


They are all in fact IP4R lookups (if that is what the test is set
for).  If you set Declude to say HOPHIGH 3 and use the test in standard
fashion, Declude will test as many as 4 IP's against the 'ip4r' test. 
If you use the hack and define it as a 'dnsbl' test with the %IP4R%
variable, regardless of the HOPHIGH setting, it will only test the last
appropriate IP (bypasses IP's that are IPBYPASSed).

I have been scoring last hop and all hops differently for several
months now with good results.  Certainly the last hop is most
important, but a little bit of spam is being relayed through legitimate
servers or from one open relay to another, which is why I test on
multiple hops.  There are noticeably more false positives though on
tests that track open relays because many of those lists don't expire
their listings quickly enough, re-test, or do anything at all to remove
old entries.  Because of this, I score the last hop relatively high
with one test (now using the %IP4R% variable and a dnsbl type test),
and another test that is set up the normal way and scored lower because
it can hit any of the hops where it might hit one of those old entries
in a spamtrap/open relay type test.

I have found that this technique is not measurably useful with tests
that track static sources such as SBL, AHBL-SOURCES, NJABL-SOURCES, and
some others.  The reason is because these are 99.9% IP's belonging to
spammers, delegated to them by their ISP's.  So if you chose to split
up tests with this technique, you only need to use it on spamtrap/open
relay tests like ORDB, XBL, SPAMCOP and other similar resources.

Note that FIVETEN-SRC and SORBS-SPAM are supposedly source tests, but
they do mix IP's from zombies that have sent them spam, and their
removal procedures are almost non-existent.  I also don't like their
way of breaking down data, as FIVETEN for instance can produce a hit
for an open relay on as many as 3 of their tests, and that doesn't work
well with Declude unless you combo the test with a custom filter so
that it only scores once.

Matt
-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
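
How the two test styles described in the message above pick which relay IPs to query, as an added Python sketch (not Declude's code and not something posted to the list). The hop list, weights, placeholder zone and function names are assumptions, `listed` stands in for real DNS answers, and skipping bypassed IPs in the normal ip4r test is assumed rather than stated in the thread.

```python
import ipaddress

# Constructed sample: relay IPs taken from a message's Received headers, ordered
# from the server that connected to us (last hop) back toward the origin.
HOPS = ["203.0.113.25", "198.51.100.7", "192.0.2.44"]
ZONE = "dnsbl.example"  # placeholder zone, not a real list


def ip4r(ip):
    """Reverse the octets of an IPv4 address: 203.0.113.25 -> 25.113.0.203."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split(".")))


def hops_for_ip4r_test(hops, hophigh, bypass=frozenset()):
    """Normal 'ip4r' test: with HOPHIGH n, up to n + 1 hops are checked.
    Skipping bypassed IPs here is an assumption of this sketch."""
    usable = [ip for ip in hops if ip not in bypass]
    return usable[: hophigh + 1]


def hops_for_dnsbl_test(hops, bypass=frozenset()):
    """'dnsbl' test with %IP4R%: only the last hop that is not bypassed."""
    for ip in hops:
        if ip not in bypass:
            return [ip]
    return []


def query_names(ips, zone=ZONE):
    """Build the DNS names that would be looked up for each IP."""
    return [f"{ip4r(ip)}.{zone}" for ip in ips]


def score(hops, listed, last_hop_weight, any_hop_weight, hophigh,
          bypass=frozenset()):
    """Sum the weights of a last-hop-only test and an all-hops test.
    `listed` is a set of query names treated as listed (no DNS is queried)."""
    last = query_names(hops_for_dnsbl_test(hops, bypass))
    every = query_names(hops_for_ip4r_test(hops, hophigh, bypass))
    total = 0
    if any(name in listed for name in last):
        total += last_hop_weight
    if any(name in listed for name in every):
        total += any_hop_weight
    return total


if __name__ == "__main__":
    stale_relay = {"7.100.51.198.dnsbl.example"}    # old listing on a middle hop
    direct_sender = {"25.113.0.203.dnsbl.example"}  # listing on the connecting IP
    print(query_names(hops_for_ip4r_test(HOPS, hophigh=3)))
    print(score(HOPS, stale_relay, 8, 3, hophigh=3))
    print(score(HOPS, direct_sender, 8, 3, hophigh=3))
```

A stale listing on an intermediate relay only earns the lower all-hops weight, while a listing on the connecting IP earns both.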




Re: [Declude.JunkMail] Misunderstood DUL/DYNA

2004-05-17 Thread Matt




Andy,

I think there is some confusion here on your part.

What was discovered and initially discussed in this thread though is
that Declude will not test the last hop with such tests when the Mail
From matches a local address.  That was also good design, but if you
can whitelist all local senders, it is best to turn this off.  A
suitable work around for this issue has been provided.  The work around
that was discussed will only test the last hop.  When Declude
uses the %IP4R% variable, this comes from the connecting IP (unless
IPBYPASSed), and there is only one value tested.

Matt




Andy Schmidt wrote:

  
  >> You don't have
to remove the tests, you just have to rename them.  I renamed mine with
DYN, that way Declude doesn't see them as matching DUL/DYNA/DUHL and
therefore will not skip them when the Mail From matches a local address. <<
   
  But Matt - please correct me if I'm wrong. I
believe we manage to talk about two different things. You are focused
on the LAST hop - but I believe, you have lost sight of the purpose of
DUL/DYNA/DUHL - which is the FIRST hop.
   
  Let's look at a sample to make sure that
we're talking apples and apples:
   
  Sender: [EMAIL PROTECTED]
  
  2nd hop:
      smtp.cable.com -> mymailserver.andy.com
  1st hop:
      some-dynamic-ip-host.cable.com ->
smtp.cable.com
   
  The "some-dynamic-ip-host.cable.com" is
listed in the "DYNA/DUHL" lists - and it should be.
   
  As long as I have "DYNA/DUHL" in the name,
Declude will NOT test the first hop - e.g., it will correctly
permit the rest of the world to reach me through their providers' SMTP
servers. The DYNA/DUHL tests only test the 2nd and subsequent hops
- because THOSE should not be on a blacklist. Most importantly, they
test the LAST hop (the one to my mail server) - because a DYNA/DUHL IP
should never try to relay off me (unless it's using SMTP AUTH).
   
  Now, if I were to follow your example and
remove DYNA/DUHL from the name, then these tests will also test the
FIRST hop - and thus I'd be swamped with false positives for any
dialup/broadband user who CORRECTLY uses his/her provider's smtp server.
   
   
  It seems that you are focused only on the
LAST hop - but by removing DYNA/DUHL from the name, you end up hurting
the FIRST hop.
   
  The "conditional" check at the last
hop was NOT the reason to introduce DYNA/DUHL, that's just a quirky
"quick-fix" which should be optional for those who don't need this
backdoor open. The reason for DYNA/DUHL was proper handling of the first
  hop - and that's why it can't be removed.
  
  
  Best Regards
  Andy Schmidt
  
  H&M Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
  
  Phone:  +1 201 934-3414
x20 (Business)
Fax:    +1 201 934-9206
  
  http://www.HM-Software.com/
  


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=




Re[2]: [Declude.JunkMail] f-prot

2004-05-17 Thread Terry Fritts

>Someone have the link to CLAM-AV ?

 ClamAV home:  http://www.clamav.net/
 ClamAV for Windows: http://www.sosdg.org/clamav-win32/index.php

 See our utility page
   http://www.smartbusiness.com/imail/declude/
   for 2 utilities:
   a) RunClamd - an nt service which keeps clamd running as a service
   b) Runclamscan - returns virus name for Declude


Terry Fritts

   



Re: [Declude.JunkMail] f-prot

2004-05-17 Thread Larry Craddock
Someone have the link to CLAM-AV ?
thanks,
Larry Craddock


RE: [Declude.JunkMail] [OT] Declude Web Site - is it down?

2004-05-17 Thread Bruce Loughlin
I just happened to go to dnsstuff.com and received a 425 error about 15
minutes ago.(same now)

Bruce


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Jeff Maze
Sent: Monday, May 17, 2004 10:31 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] [OT] Declude Web Site - is it down?


Was just wondering if anyone else can bring up the Declude website.  I'm
updating my favorites (gonna give FireFox a run) and the Declude site
isn't coming up for me.

Anyone else having that same problem?



Re: [Declude.JunkMail] [OT] Declude Web Site - is it down?

2004-05-17 Thread Darin Cox
Nope.  It's up.

Darin.


- Original Message - 
From: "Jeff Maze" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, May 17, 2004 10:30 AM
Subject: [Declude.JunkMail] [OT] Declude Web Site - is it down?


Was just wondering if anyone else can bring up the Declude website.  I'm
updating my favorites (gonna give FireFox a run) and the Declude site
isn't coming up for me.

Anyone else having that same problem?



RE: [Declude.JunkMail] Misunderstood DUL/DYNA

2004-05-17 Thread Andy Schmidt
>> You don't have to remove the tests, you just have to rename them.  I
renamed mine with DYN, that way Declude doesn't see them as matching
DUL/DYNA/DUHL and therefore will not skip them when the Mail From matches a
local address. <<

But Matt - please correct me if I'm wrong. I believe we manage to talk about
two different things. You are focused on the LAST hop - but I believe, you
have lost sight of the purpose of DUL/DYNA/DUHL - which is the FIRST hop.

Let's look at a sample to make sure that we're talking apples and apples:

Sender: [EMAIL PROTECTED]

2nd hop:
    smtp.cable.com -> mymailserver.andy.com
1st hop:
    some-dynamic-ip-host.cable.com -> smtp.cable.com

The "some-dynamic-ip-host.cable.com" is listed in the "DYNA/DUHL" lists - and
it should be.

As long as I have "DYNA/DUHL" in the name, Declude will NOT test the first
hop - e.g., it will correctly permit the rest of the world to reach me through
their providers' SMTP servers. The DYNA/DUHL tests only test the 2nd and
subsequent hops - because THOSE should not be on a blacklist. Most
importantly, they test the LAST hop (the one to my mail server) - because a
DYNA/DUHL IP should never try to relay off me (unless it's using SMTP AUTH).

Now, if I were to follow your example and remove DYNA/DUHL from the name, then
these tests will also test the FIRST hop - and thus I'd be swamped with false
positives for any dialup/broadband user who CORRECTLY uses his/her provider's
smtp server.

It seems that you are focused only on the LAST hop - but by removing DYNA/DUHL
from the name, you end up hurting the FIRST hop.

The "conditional" check at the last hop was NOT the reason to introduce
DYNA/DUHL, that's just a quirky "quick-fix" which should be optional for those
who don't need this backdoor open. The reason for DYNA/DUHL was proper
handling of the first hop - and that's why it can't be removed.

Best Regards
Andy Schmidt

H&M Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846

Phone:  +1 201 934-3414 x20 (Business)
Fax:    +1 201 934-9206

http://www.HM-Software.com/


[Declude.JunkMail] [OT] Declude Web Site - is it down?

2004-05-17 Thread Jeff Maze
Was just wondering if anyone else can bring up the Declude website.  I'm
updating my favorites (gonna give FireFox a run) and the Declude site
isn't coming up for me.

Anyone else having that same problem?



RE: [Declude.JunkMail] f-prot

2004-05-17 Thread Scott Fisher
My 1 year McAfee VirusScan Command Line license was $11 through CDW. I think only 
CLAM-AV can beat that price.

On Sunday McAfee caught these that F-Prot did not catch:
1 Exploit MHTRedir
4 Exploit-ObjectData Trojan
2 W32 Bagle pwdzip (typically catches more of these)
3 Netsky P 

F-Prot caught 1 Netsky.P that McAfee did not catch. These are usually corrupt variants.

McAfee 260 caught, F-prot 251.

Scott Fisher
Director of IT
Farm Progress Companies

>>> [EMAIL PROTECTED] 05/17/04 08:13AM >>>
For the folks using multiple scanners, do you have any stats on how
often the secondary scanner found a virus that the first one missed?

I realize that the cost of F-Prot (which I am using) is quite low and
others might be as well, so it is not a cost issue but rather a "Do I
really need it?".

Thanx

 
 Goran Jovanovic
 The LAN Shoppe

 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> [EMAIL PROTECTED] On Behalf Of Scott Fisher
> Sent: Monday, May 17, 2004 12:49 AM
> To: [EMAIL PROTECTED] 
> Subject: Re: [Declude.JunkMail] f-prot
> 
> I find the Mcafee is the best at detecting viruses within encrypted zips.
> Otherwise they are pretty even.
> 
> I'd recommend using F-Prot and Mcafee.
> Mcafee for the DOS command line scanner is dirt cheap. I'll see if I can
> find my price tomorrow.
> 
> <<< [EMAIL PROTECTED]  5/15 12:29p >>>
> Can anyone tell me how f-prot compares to mcafee or symantec when it comes
> to keeping their database up with new viruses? That just seems pretty cheap
> but hey that's exactly what I'm looking for as long as it works well :)
> 
> thanks,
> 
> Larry Craddock
> 
> 


RE: [Declude.JunkMail] Comments in "SPAMDOMAINS" text file

2004-05-17 Thread John Tolmachoff \(Lists\)









To my recollection, you can not have comments on the same lines in
SpamDomains.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
Sent: Monday, May 17, 2004 6:39 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Comments in "SPAMDOMAINS" text file

Hello, All,

Is "spamdomains" one of the tests that permits comments on the same line as
its entries or not?

For example, if I have a "spamdomains" file that looks like...

@adelphia.net  .adelphia.net       # Added: 05/17/2004
@att.net   # Added: 05/17/2004
@attbi.com
@bellsouth.net
@eudoramail.com
@juno.com  .untd.com
@lycos.com
@mindspring.com  blount.mail.mindspring.net
@msn.com  .hotmail.com
@netzero.net  .untd.com

will those "# Added: 05/17/2004" comments mess up the functioning of the
file?

Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED]





 





 












RE: [Declude.JunkMail] f-prot

2004-05-17 Thread Nick Hayer
On 17 May 2004 at 9:13, Goran Jovanovic wrote:

> For the folks using multiple scanners, do you have any stats on how
> often the secondary scanner found a virus that the first one missed?
Hi Goran,

Here are my latest stats:
Virus Totals:  
441 F-Prot
412 AVG
446 McAfee
-  
Vulnerabilities:  
349
- 

I update the defs for all every 4 hrs on a staggered schedule. 
Because of possible false positives I have found it hard to rank one 
particular scanner over another. For me the advantage to have more 
than one is one [varies] company will always come out with protection 
for a new outbreak before another. The downside is cost and cpu 
overhead. For the latter there is an outstanding request to Scott to 
kill additional scanning once a scanner detects a virus..

-Nick Hayer

 


> 
> I realize that the cost of F-Prot (which I am using) is quite low and
> others might be as well, so it is not a cost issue but rather a "Do I
> really need it?".
> 
> Thanx
> 
> 
>  Goran Jovanovic
>  The LAN Shoppe
> 
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> > [EMAIL PROTECTED] On Behalf Of Scott Fisher
> > Sent: Monday, May 17, 2004 12:49 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [Declude.JunkMail] f-prot
> > 
> > I find the Mcafee is the best at detecting viruses within encrypted
> > zips. Otherwise they are pretty even.
> > 
> > I'd recommend using F-Prot and Mcafee.
> > Mcafee for the DOS command line scanner is dirt cheap. I'll see if I
> > can find my price tomorrow.
> > 
> > <<< [EMAIL PROTECTED]  5/15 12:29p >>>
> > Can anyone tell me how f-prot compares to mcafee or symantec when it
> > comes to keeping their database up with new viruses? That just seems
> > pretty cheap but hey that's exactly what I'm looking for as long as
> > it works well :)
> > 
> > thanks,
> > 
> > Larry Craddock
> > 
> > 


Re: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS?

2004-05-17 Thread Dan Geiser
Thank you so much, Kami!  I can definitely understand your concise
explanation and it sounds like a great way to handle what I am trying to do
or at least add another trick in the bag.  I'll have to see how I can
incorporate this into my current setup.

Thanks, Again!
Dan

- Original Message - 
From: "Kami Razvan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, May 14, 2004 4:32 PM
Subject: RE: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS?


> "I don't even know how to mentally parse the below code that you've listed."
>
> REVDNS END ENDSWITH .hotmail.com
> MAILFROM 3 ENDSWITH @hotmail.com
> HELO 5 ENDSWITH .hotmail.com
>
> Hi Dan:
>
> This is what the above means.
>
> REVDNS END ENDSWITH .hotmail.com
>
> -- if reverse dns ends with Hotmail.com end the filter and do not process
> the rest of the filter.  This way it won't even trigger the test as being
> run.  What that means is the reverse DNS is hotmail.com
>
> MAILFROM 3 ENDSWITH @hotmail.com
>
> -- naturally if line 2 is executed it means that reverse DNS is NOT
> hotmail.com and if the mailfrom endswith hotmail.com then add 3 to the
> weight.  As stated this is one of the many filters we have on Good ISP
> filters.  This filter penalizes an email if the sender's email is hotmail
> but the reverse dns and helo are not.
>
> Similarly on line 3-
>
> HELO 5 ENDSWITH .hotmail.com
>
> Add 5 points if HELO ends with hotmail.com
>
> So if someone's email is [EMAIL PROTECTED] and the reverse dns is not
> hotmail.com the email gets 3 and if HELO is hotmail.com then it gets 8
> points.
>
> Hope that explains it..
>
> Kami
>

---
Sign up for virus-free and spam-free e-mail with Nexus Technology Group 
http://www.nexustechgroup.com/mailscan
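
The line-by-line reading Kami gives in the quoted explanation above, as an added Python sketch that evaluates those three filter lines against sample messages (example code, not Declude's implementation and not part of either post). The function names, the sample hostnames and the case-insensitive matching are assumptions; only ENDSWITH and the END action are modelled.

```python
# The three filter lines quoted in the message above.
FILTER_TEXT = """\
REVDNS END ENDSWITH .hotmail.com
MAILFROM 3 ENDSWITH @hotmail.com
HELO 5 ENDSWITH .hotmail.com
"""


def parse_filter(text):
    """Split each line into (field, action, value); action is 'END' or an int."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        parts = raw.split(None, 3)
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(parts)}")
        field, action, comparison, value = parts
        if comparison != "ENDSWITH":
            raise ValueError(f"line {lineno}: only ENDSWITH is modelled here")
        if action != "END":
            action = int(action)  # weight added when the line matches
        rules.append((field, action, value.strip()))
    return rules


def evaluate(rules, message):
    """Walk the rules top to bottom; return (weight, fields_that_matched)."""
    weight, matched = 0, []
    for field, action, value in rules:
        # Case-insensitive comparison is an assumption of this sketch.
        if not message.get(field, "").lower().endswith(value.lower()):
            continue
        matched.append(field)
        if action == "END":
            break  # stop here: no later line is processed
        weight += action
    return weight, matched


RULES = parse_filter(FILTER_TEXT)

# Constructed sample messages (hostnames are made up for illustration).
GENUINE = {"REVDNS": "mail.hotmail.com",
           "MAILFROM": "someone@hotmail.com",
           "HELO": "mail.hotmail.com"}
FORGED_FROM = {"REVDNS": "host.example.net",
               "MAILFROM": "someone@hotmail.com",
               "HELO": "host.example.net"}
FORGED_FROM_AND_HELO = {"REVDNS": "host.example.net",
                        "MAILFROM": "someone@hotmail.com",
                        "HELO": "mail.hotmail.com"}

if __name__ == "__main__":
    for name, msg in [("genuine", GENUINE),
                      ("forged from", FORGED_FROM),
                      ("forged from + helo", FORGED_FROM_AND_HELO)]:
        print(name, evaluate(RULES, msg))
```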



[Declude.JunkMail] Comments in "SPAMDOMAINS" text file

2004-05-17 Thread Dan Geiser



Hello, All,

Is "spamdomains" one of the tests that permits comments on the same line as
its entries or not?

For example, if I have a "spamdomains" file that looks like...

@adelphia.net  .adelphia.net       # Added: 05/17/2004
@att.net   # Added: 05/17/2004
@attbi.com
@bellsouth.net
@eudoramail.com
@juno.com  .untd.com
@lycos.com
@mindspring.com  blount.mail.mindspring.net
@msn.com  .hotmail.com
@netzero.net  .untd.com

will those "# Added: 05/17/2004" comments mess up the functioning of the
file?

Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED]
 
 


Re[2]: [Declude.JunkMail] f-prot

2004-05-17 Thread Terry Fritts

GJ> For the folks using multiple scanners, do you have any stats on how
GJ> often the secondary scanner found a virus that the first one missed?

I run f-prot as #1, NAI as #2, and ClamAV as #3.  I do keep daily
stats for my Imail/Declude server.  I'm not sure what you want to
know but all 3 vary some every day.

The variance is greater when a new outbreak event occurs.  After a
few days the variance becomes less.

Just as an example my report for yesterday appears below.

GJ> I realize that the cost of F-Prot (which I am using) is quite low and
GJ> others might be as well, so it is not a cost issue but rather a "Do I
GJ> really need it?".

I have three running and I've definitely seen occasions where one
of the three worked and the other 2 didn't.  But I've also seen
occasions where none of the three worked.


From: 05/16/2004 00:00:20 Thru 05/16/2004 23:59:58
Log files: vir0516.log

Scanner 1 Virus names
VBS/[EMAIL PROTECTED]  = 2
W32/[EMAIL PROTECTED]  = 1
W32/[EMAIL PROTECTED]  = 3
W32/[EMAIL PROTECTED]  = 2
W32/[EMAIL PROTECTED]  = 1
W32/[EMAIL PROTECTED]  = 1
W32/[EMAIL PROTECTED]  = 19
W32/[EMAIL PROTECTED]  = 48
W32/[EMAIL PROTECTED]  = 10
W32/[EMAIL PROTECTED]  = 62
W32/[EMAIL PROTECTED] (corrupted)  = 1
W32/[EMAIL PROTECTED]  = 11
W32/[EMAIL PROTECTED]  = 26

Scanner 1 Days
05/16/2004 = 187

Scanner 2 Virus names
Exploit-MhtRedir.gen trojan !!!  = 1
Exploit-ObjectData trojan !!!  = 8
W32/[EMAIL PROTECTED]  = 1
W32/[EMAIL PROTECTED]  = 2
W32/[EMAIL PROTECTED]  = 3
W32/[EMAIL PROTECTED]  = 2
W32/[EMAIL PROTECTED]  = 1
W32/Mydoom.f!zip  = 1
W32/[EMAIL PROTECTED]  = 8
W32/[EMAIL PROTECTED]  = 9
W32/[EMAIL PROTECTED]  = 47
W32/[EMAIL PROTECTED]  = 10
W32/[EMAIL PROTECTED]  = 48
W32/[EMAIL PROTECTED]  = 15
W32/Netsky.q.dam  = 3
W32/[EMAIL PROTECTED]  = 7
W32/[EMAIL PROTECTED]  = 1
W32/[EMAIL PROTECTED]  = 26

Scanner 2 Days
05/16/2004 = 193

Scanner 3 Virus names
Exploit.MhtRedir  = 1
Trojan.Dropper.C  = 1
Worm.Bagle.Gen-vbs  = 2
Worm.Bagle.Z  = 1
Worm.Dumaru.A  = 3
Worm.Klez.H  = 2
Worm.Mydoom.F  = 1
Worm.SomeFool.Gen-1  = 65
Worm.SomeFool.I  = 10
Worm.SomeFool.P  = 63
Worm.SomeFool.Q  = 11
Worm.SomeFool.Z  = 26

Scanner 3 Days
05/16/2004 = 186

Scanner Comparison
  Q030a0e560130e7ae = 2: the Exploit-ObjectData trojan !!! Attachment=
  Q09d025bb01485ef4 = 1: W32/[EMAIL PROTECTED] Attachment= [0] I: W32/[EMAIL PROTECTED] Attachment=
  Q2d16263a01142959 = 2: the Exploit-ObjectData trojan !!! Attachment=
  Q32b620500124216d = 2: the Exploit-ObjectData trojan !!! Attachment=
  Q367d26760148e0eb = 2,3: the Exploit-MhtRedir.gen trojan !!! Attachment=
  Q3b422806010a8200 = 1,3: W32/[EMAIL PROTECTED] Attachment=
  Q6d391fe400c2af25 = 2: the Exploit-ObjectData trojan !!! Attachment=
  Q729625c2010aa3ee = 1: W32/[EMAIL PROTECTED] Attachment= [0] I: W32/[EMAIL PROTECTED] Attachment=
  Q81061a8700f008d2 = 2: the Exploit-ObjectData trojan !!! Attachment=
  Q976d2b9300de8a7d = 2: the Exploit-ObjectData trojan !!! Attachment=
  Qaf581bbd00f0f88d = 2: the Exploit-ObjectData trojan !!! Attachment=
  Qbfe31cbb00f097d5 = 2: the Exploit-ObjectData trojan !!! Attachment=




RE: [Declude.JunkMail] DUL skipping was ISBLANK is blank

2004-05-17 Thread Darrell LaRock








Matt,

 

But if you rename the tests to DYN – then how are you configuring non-DUL
tests twice?


Darrell

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Saturday, May 15, 2004 6:42 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] DUL skipping was ISBLANK is blank



 

Andy,

I think there might be some confusion here.  If you change the test names
and use the %IP4R%/dnsbl trick, it will always test the first hop regardless of
what the Mail From is, unless of course you are whitelisting the sender.

You don't have to remove the tests, you just have to rename them.  I
renamed mine with DYN, that way Declude doesn't see them as matching
DUL/DYNA/DUHL and therefore will not skip them when the Mail From matches a
local address.

The only drawback that I have found with this work around is when you try
configuring non-DUL tests twice, once only for the first hop, and once for all
hops, in which case the work around will cause some extra lookups, but that's
minor, and I'm only aware of a few people besides myself that are doing this. 
Nothing else appears to be a problem in anyway whatsoever.

Matt



Andy Schmidt wrote:





Then, in either cases, scanning the first hop is a simple matter of
changing the test name to eliminate the reserved string of DUL, DYNA or DUHL
and using the hack which Matt found. <<

NO - removing DUL/DYNA/DUHL is NOT an option.  Because MUCH of the private
emails originate from some address that is on that list - but only on the
FIRST hop. Thus, the DUL/DYNA/DUHL skip tests on the FIRST hop!

They can't be omitted - otherwise we'd block most private mail relayed
through other providers SMTP servers.

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:    +1 201 934-9206

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Don Brown
Sent: Saturday, May 15, 2004 04:19 PM
To: Matt
Cc: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] DUL skipping was ISBLANK is blank

This wasn't a bug or a larger issue of Declude trust based upon the 'from
Address.' There was no choice but to skip DUL/DYNA/DUHL tests (which were
the only ones skipped) when the 'from address' was spoofed as a local
address. Imail 8 and WHITELIST AUTH help, but they don't solve this issue,
either.

Imail 8 can still be configured where the Client is NOT required to Auth in
order to send. One example of that is 'Relay for Addresses.'

So, if we have IPs on a DUL/DYNA/DUHL list, are using anything but 'No Mail
Relay' in Imail 8 and we run a DYNA/DUL/DUHL test on the first hop, we will
definitely tag our own customers.

So, the way I see it, running DYNA/DUL/DUHL tests on the first hop of ALL
mail, is only safe for those folks who: (1) are sure that none of their IP
addresses are on any DYNA/DUL/DUHL list (and will never be on
one) -OR- (2) run Imail 8, have it configured for 'No Mail Relay' and have
WHITELIST AUTH specified in the Declude's Global.cfg. Then, in either cases,
scanning the first hop is a simple matter of changing the test name to
eliminate the reserved string of DUL, DYNA or DUHL and using the hack which
Matt found.

For instance:

Change this:
  NJABL-DUL  ip4r  dnsbl.njabl.org  127.0.0.3  10  0

To this:
  NJABL-HOP1  dnsbl %IP4R%.dnsbl.njabl.org  127.0.0.3  10  0

I don't think a switch in Declude is really needed.

Thanks,

Saturday, May 15, 2004, 10:01:11 AM, Matt <[EMAIL PROTECTED]> wrote:

M> Andy,

M> It's only been a matter of months since a realistic work around was
M> available for most users (using WHITELIST AUTH).  To the best of my
M> knowledge, I'm the only one of us that has said anything about it on
M> this list (first time in March, but of course I could be wrong).  Like
M> I indicated though, there is a way to fix the problem using the dnsbl
M> trick, and it works immediately.  I would however like to see a switch
M> given also, but this seems more like a convenience if you use
M> DUL/DYNA/DUHL the way that they were meant to be used in the first
M> place (which I was not), but still, it only means some extra lookups.

M> Matt

M> Andy Schmidt wrote:

M>   Thanks - ouch.
M>
M>   I'd say that's a bug in design.
M>
M>   Since AUTH is supported in Imail 8 and since others may not allow
M>   local users to send through their Imail server (my outbound is going
M>   through IIS SMTP with SMTP AUTH), there should be AT LEAST a config
M>   option to turn this "spam me by faking sender" feature off!
M>
M>   Best Regards
M>   Andy Schmidt
M>
M>   Phone:  +1 201 934-3414 x20 (Business)
M>   Fax:    +1 201 934-9206
M>
M> -Original Message-
M> From: [EMAIL PROTECTED]:Declude.JunkMail-owner@declude.com]
M> On Behalf Of Matt
M>   Sent: Saturday, May 15, 2004 01:49 AM
M>   To: [EMAIL PROTECTED]
M>   Subject: Re: [Declude.JunkMail] DUL skipping was ISBLANK is blank
M>
M> In absentia...
M>
M> http://www.mail-archive.com/[EMAIL PROTECTED]/msg17162.html
M>
M> This made a lot of sense before, and it was the only way to disable

RE: [Declude.JunkMail] f-prot

2004-05-17 Thread Goran Jovanovic
For the folks using multiple scanners, do you have any stats on how
often the secondary scanner found a virus that the first one missed?

I realize that the cost of F-Prot (which I am using) is quite low and
others might be as well, so it is not a cost issue but rather a "Do I
really need it?".

Thanx

 
 Goran Jovanovic
 The LAN Shoppe

 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> [EMAIL PROTECTED] On Behalf Of Scott Fisher
> Sent: Monday, May 17, 2004 12:49 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] f-prot
> 
> I find the Mcafee is the best at detecting viruses within encrypted zips.
> Otherwise they are pretty even.
> 
> I'd recommend using F-Prot and Mcafee.
> Mcafee for the DOS command line scanner is dirt cheap. I'll see if I can
> find my price tomorrow.
> 
> <<< [EMAIL PROTECTED]  5/15 12:29p >>>
> Can anyone tell me how f-prot compares to mcafee or symantec when it comes
> to keeping their database up with new viruses? That just seems pretty cheap
> but hey that's exactly what I'm looking for as long as it works well :)
> 
> thanks,
> 
> Larry Craddock
> 
> 


RE: [Declude.JunkMail] ALLRECIPs filter trouble

2004-05-17 Thread Goran Jovanovic
I have some old e-mail addresses like that. Between 3 or 4 of them I can
get up to 500 SPAM mail a day. I assigned all the ids as aliases to a
SPAMTrap id and I use that id to gauge how Declude is doing. It is very
helpful to me. Then I just clean out the messages. Right now there are
5079 messages in that mailbox since last Monday at 6:30 PM.


 
 Goran Jovanovic
 The LAN Shoppe

 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> [EMAIL PROTECTED] On Behalf Of Scott Fisher
> Sent: Monday, May 17, 2004 12:44 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.JunkMail] ALLRECIPs filter trouble
> 
> I'm currently using Imail/Declude as a gateway forwarding the e-mail onto
> my mail server.
> 
> Out of my top 20 recipients, about 8 are employees that are long gone from
> my company or e-mail addresses that have never been. I assign these 20
> points over my delete weight since I don't want the e-mails and what good
> is bouncing the sender with a user not found. If they were going to remove
> from the list, they had years to do it.
> 
> Also by forcing lots of points to these dead accounts earlier in the
> process, they'll trigger the skipifweight and skip the bulk of my filters
> saving some CPU time.
> 
> <<< [EMAIL PROTECTED]  5/16  4:32p >>>
> Scott,
> 
> I am interested in what you are doing with this filter? Obviously you
> are checking if an incoming e-mail is for someone and assigning 20
> points to it, but why?
> 
> 
> 
>  Goran Jovanovic
>  The LAN Shoppe
> 
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> > [EMAIL PROTECTED] On Behalf Of Scott Fisher
> > Sent: Friday, May 14, 2004 10:37 AM
> > To: [EMAIL PROTECTED]
> > Subject: [Declude.JunkMail] ALLRECIPs filter trouble
> >
> > I'm running 179i7.
> >
> > I'm not getting any matches on ALLRECIPS filters with the IS. Anyone have
> > any tips?
> >
> > ALLRECIPS   20  IS  [EMAIL PROTECTED]
> >
> >
> > I am getting matches with the CONTAINS filter.
> >
> > ALLRECIPS   20  CONTAINS  [EMAIL PROTECTED]
> >
> > Scott Fisher
> > Director of IT
> > Farm Progress Companies
> >


RE: [Declude.JunkMail] DUL skipping was ISBLANK is blank

2004-05-17 Thread Markus Gufler



Matt

I understand the logic and I think it can be very useful for certain IP
blacklists having a relatively high FP rate.

From my reports I can see that XBL has had a FP (or "wrong result") in the
last 14 days and 123000 messages only in 54 cases. This is a very low FP-rate.

But there are other tests like FIVETEN-SRC that have had a wrong result in the
same range for 9100 messages. The question is if FIVETEN-SRC allows a %IP4R%
lookup.

Markus

  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Matt
  Sent: Friday, May 14, 2004 10:30 PM
  To: [EMAIL PROTECTED]
  Subject: Re: [Declude.JunkMail] DUL skipping was ISBLANK is blank

  Bill,

  The value is in scoring the last hop hits higher than prior hop hits.  In
  this case, a hit on XBL for the last appropriate hop (not IPBYPASSED) would
  result in 8 points (6 + 2), while a hit on a prior hop would result in just
  2 points.  Note that the number of false positives is much higher with prior
  hops on tests that populate from spamtraps or are designed to detect open
  relays.  Tests like SBL and other static spam source tests have very little
  danger in scoring the same for every hop, though SBL will sometimes list
  spam zombies that are unresolved for periods of time (I wish they didn't do
  that).

  Matt

  Bill Landry wrote:
  - Original Message - 
From: "Matt" <[EMAIL PROTECTED]>

  
XBL(LAST)  dnsbl  %IP4R%.sbl-xbl.spamhaus.org  127.0.0.4  6  0
XBL(ALL)   ip4r   sbl-xbl.spamhaus.org         127.0.0.4  2  0

Scott/Matt, would a configuration like above require multiple DNS queries
since the hostnames defined in the tests are no longer identical?  Or is the
variable (in this case "%IP4R%") ignored in the hostname, so that as far as
Declude is concerned, the hostnames are still identical?

Bill



  -- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
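
The two-test scoring discussed in this thread (6 points for a last-hop hit, 2 for a hit on any hop), as an added Python sketch that is not part of the original messages and not Declude's code. The hop list layout, the rule that the all-hops test counts once per message, the per-name cache and the constructed zone table (documentation-range addresses standing in for real DNS answers) are assumptions of this example; whether Declude itself shares lookups between the two test lines is the open question Bill raises.

```python
import ipaddress

ZONE = "sbl-xbl.spamhaus.org"
LISTED = "127.0.0.4"     # answer both test lines in the thread match on
LAST_HOP_WEIGHT = 6      # XBL(LAST): dnsbl test on %IP4R% (connecting IP only)
ALL_HOPS_WEIGHT = 2      # XBL(ALL): ip4r test across the hops


def ip4r_name(ip, zone=ZONE):
    """DNSBL query name: the IPv4 octets reversed, followed by the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def score(hops, resolve):
    """Return (points, distinct_query_names).

    hops[0] is the last hop; later entries are prior hops from Received
    headers, with bypassed hops already removed (assumption of this sketch).
    resolve(name) returns the A-record text, or None when not listed.
    """
    cache = {}

    def listed(ip):
        name = ip4r_name(ip)
        if name not in cache:          # one lookup per distinct query name
            cache[name] = resolve(name)
        return cache[name] == LISTED

    hits = [listed(ip) for ip in hops]
    points = 0
    if hits and hits[0]:               # last-hop test
        points += LAST_HOP_WEIGHT
    if any(hits):                      # all-hops test, counted once (assumption)
        points += ALL_HOPS_WEIGHT
    return points, len(cache)


# Constructed zone data: only 192.0.2.10 is "listed".
CONSTRUCTED_ZONE = {ip4r_name("192.0.2.10"): LISTED}


def demo():
    resolve = CONSTRUCTED_ZONE.get
    return {
        "listed_last_hop": score(["192.0.2.10", "198.51.100.7"], resolve),
        "listed_prior_hop": score(["198.51.100.7", "192.0.2.10"], resolve),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The last-hop address produces the same query name in both tests, so a resolver that caches by name answers the second test without another lookup.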