Re: [Declude.JunkMail] Spammers Dumping Porn for Financial Services

2004-05-27 Thread System Administrator
on 5/26/04 3:49 PM, Kami Razvan wrote:

> http://internetweek.com/e-business/showArticle.jhtml?articleID=21100229
>
> Time to add new filters..

I believe a minweighttofail type command in a filter would catch these
easily. In the following example, if 4 or more filter lines matched the
contents of the message, the message would get 100 added to the message
weight. If 3 or fewer lines matched, no weight would be added to the message.

Different filters using the same minweighttofail command could be used for
catching drug, porn and Nigerian type messages.

Stocks -

SKIPIFWEIGHT60
MINWEIGHTTOFAIL  4  100
BODY 1 CONTAINS attention investors
BODY 1 CONTAINS begin making money today
BODY 1 CONTAINS big upside potential
BODY 1 CONTAINS bonus stock pick
BODY 1 CONTAINS explosive stock pick
BODY 1 CONTAINS huge gains
BODY 1 CONTAINS huge profits
BODY 1 CONTAINS for immediate release
BODY 1 CONTAINS hot investors weekly
BODY 1 CONTAINS hot trading alert
BODY 1 CONTAINS investment alert
BODY 1 CONTAINS investment opportunity
BODY 1 CONTAINS market news alerts
BODY 1 CONTAINS microcap analyst newsletter
BODY 1 CONTAINS next hot pick
BODY 1 CONTAINS stock alert
BODY 1 CONTAINS stock buyer's alert
BODY 1 CONTAINS stock market watcher
BODY 1 CONTAINS strong buy recommendation
BODY 1 CONTAINS target price
BODY 1 CONTAINS trading alert
BODY 1 CONTAINS microcap stock review
BODY 1 CONTAINS speculative near term
BODY 1 CONTAINS speculative long term
BODY 1 CONTAINS Securities Act of 1933
BODY 1 CONTAINS Securities Exchange Act of 1934
BODY 1 CONTAINS hot stocks tip
BODY 1 CONTAINS urgent stock alert
BODY 1 CONTAINS undervalued
BODY 1 CONTAINS statements are based on expectations
SUBJECT 1  CONTAINS investment news
SUBJECT 1  CONTAINS investors
SUBJECT 1  CONTAINS stock alert
SUBJECT 1  CONTAINS stock pick
SUBJECT 1  CONTAINS stock watch
SUBJECT 1  CONTAINS strong buy
SUBJECT 1  CONTAINS huge profits
SUBJECT 1  CONTAINS trader alert

Later,
Greg

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.
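
The threshold behaviour proposed in the message above (4 or more matching lines add 100, 3 or fewer add nothing), as an added example that is not part of the original post and not Declude's code. The names `parse_filter` and `evaluate` are hypothetical, the phrase list is a subset of the post's, the per-line "1" is parsed but not used, and treating SKIPIFWEIGHT as "skip when the current weight is at or above the value" is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Filter text in the layout of the post above (subset of its phrase list).
STOCKS_FILTER = """\
SKIPIFWEIGHT60
MINWEIGHTTOFAIL  4  100
BODY 1 CONTAINS attention investors
BODY 1 CONTAINS huge gains
BODY 1 CONTAINS investment opportunity
BODY 1 CONTAINS strong buy recommendation
BODY 1 CONTAINS target price
BODY 1 CONTAINS undervalued
SUBJECT 1  CONTAINS stock alert
SUBJECT 1  CONTAINS investors
"""

SKIP_RE = re.compile(r"^SKIPIFWEIGHT\s*(\d+)$", re.I)
MIN_RE = re.compile(r"^MINWEIGHTTOFAIL\s+(\d+)\s+(\d+)$", re.I)
RULE_RE = re.compile(r"^(BODY|SUBJECT)\s+\d+\s+CONTAINS\s+(.+)$", re.I)


def normalize(text: str) -> str:
    """Lowercase and collapse whitespace so a phrase wrapped across lines still matches."""
    return " ".join(text.lower().split())


@dataclass
class ThresholdFilter:
    skip_if_weight: Optional[int] = None   # assumption: skip when weight >= this value
    min_hits: int = 1                      # matching lines needed before any weight is added
    weight: int = 0                        # weight added once the threshold is reached
    rules: List[Tuple[str, str]] = field(default_factory=list)  # (field, phrase)


def parse_filter(text: str) -> ThresholdFilter:
    flt = ThresholdFilter()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := SKIP_RE.match(line)):
            flt.skip_if_weight = int(m.group(1))
        elif (m := MIN_RE.match(line)):
            flt.min_hits, flt.weight = int(m.group(1)), int(m.group(2))
        elif (m := RULE_RE.match(line)):
            flt.rules.append((m.group(1).upper(), normalize(m.group(2))))
        else:
            raise ValueError(f"unrecognised filter line: {line!r}")
    return flt


def evaluate(flt: ThresholdFilter, subject: str, body: str, current_weight: int = 0):
    """Return (matching rules, weight added). Each filter line counts once,
    however often its phrase occurs in the message."""
    if flt.skip_if_weight is not None and current_weight >= flt.skip_if_weight:
        return [], 0
    fields = {"SUBJECT": normalize(subject), "BODY": normalize(body)}
    hits = [(name, phrase) for name, phrase in flt.rules if phrase in fields[name]]
    added = flt.weight if len(hits) >= flt.min_hits else 0
    return hits, added


# Constructed sample messages (not real mail).
SPAM = ("Stock Alert for investors",
        "ATTENTION INVESTORS: huge\ngains ahead. Strong buy recommendation, "
        "target price $4.")
LEGIT = ("Quarterly portfolio review",
         "Our analysts consider the fund undervalued against its target price.")

if __name__ == "__main__":
    flt = parse_filter(STOCKS_FILTER)
    for label, (subj, body) in (("spam", SPAM), ("legit", LEGIT)):
        hits, added = evaluate(flt, subj, body)
        print(f"{label}: {len(hits)} matching lines, weight +{added}")
```

The legitimate sample shows why the threshold matters: two phrases from the list appear in it, yet nothing is added to its weight.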


[Declude.JunkMail] Junkmail manual

2004-05-27 Thread Larry Craddock
Has the link to the manual changed? 
http://www.declude.com/junkmail/manual.htm no longer works.

Larry Craddock 



Re: [Declude.JunkMail] Junkmail manual

2004-05-27 Thread R. Scott Perry

> Has the link to the manual changed?
> http://www.declude.com/junkmail/manual.htm no longer works.

I just checked, and it worked for me (with a redirect to the articles 
URL, but I still use the URL you listed).

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.



Re: [Declude.JunkMail] Junkmail manual

2004-05-27 Thread Jeff Pereira
The link in your email worked for me although the final destination was:

http://www.declude.com/Articles.asp?ID=116

jeff



Re: [Declude.JunkMail] Junkmail manual

2004-05-27 Thread Larry Craddock
Thanks ... it started working for me too even though I had tried it several 
times before asking. Who knows; sometimes cache is the devil :)

Larry


[Declude.JunkMail] Spamdomains test

2004-05-27 Thread Larry Craddock
I think I need a little more detail on the spamdomains test. Here's the 
entire explanation from the manual:

[This test will catch E-mail that is not coming from a mailserver that it 
should be coming from. This test will only work if you set up a file listing 
domains that you wish to be included in this test. Specifically, it will 
check the return address of the E-mail, and then check to see if the reverse 
DNS entry of the IP that the E-mail was sent from contains the domain name. 
If not, the E-mail fails the test. For example, if hotmail.com is listed 
in the \IMail\Declude\spamdomains.txt file, then an E-mail coming from 
law2.hotmail.com would not fail the test, but an E-mail from 
mail.example.ru would fail the test.]

But I'm sure I've seen discussion someplace with reference to lines 
containing more than just a domain name in the spamdomains.txt file ... or 
is that all that's needed besides enabling the test?

Larry Craddock 



Re: [Declude.JunkMail] Spamdomains test

2004-05-27 Thread R. Scott Perry

> But I'm sure I've seen discussion someplace with reference to lines
> containing more than just a domain name in the spamdomains.txt file ... or
> is that all that's needed besides enabling the test?

That's a new feature, that allows you to have an alias (for lack of a 
better word) that can be used in conjunction with the domain name.

So a line "example.com" would require that any E-mail address from 
@example.com must have a reverse DNS entry containing 
"example.com".  However, if legitimate @example.com E-mail can also be sent 
from @example.net, then you could have a line "example.com example.net".  
With that line, an E-mail from @example.com could have a 
reverse DNS entry containing "example.com" or "example.net" (but it would 
not apply to users with an @example.net return address).

   -Scott
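
The spamdomains check as described in the manual excerpt and in the reply above, including the alias form of a line, as an added example that is not part of the original posts and not Declude's code. The function names and the `strict` option are hypothetical, and treating a missing reverse DNS entry as a failure is an assumption.

```python
# Constructed spamdomains.txt content using the two line forms discussed above:
# a bare domain, and a domain followed by an alias.
SPAMDOMAINS_TXT = """\
hotmail.com
example.com example.net
"""


def parse_spamdomains(text):
    """Map each listed sender domain to the set of strings, any one of which
    must appear in the reverse DNS name of the connecting IP."""
    table = {}
    for raw in text.splitlines():
        parts = raw.lower().split()
        if parts:
            # The first token is the sender domain; it and every alias are acceptable.
            table.setdefault(parts[0], set()).update(parts)
    return table


def _matches(rdns, domain, strict):
    if strict:
        # Hypothetical tighter variant: the name must be the domain or end in ".domain".
        return rdns == domain or rdns.endswith("." + domain)
    # The manual's wording: the reverse DNS entry "contains" the domain name.
    return domain in rdns


def spamdomains_check(return_address, reverse_dns, table, strict=False):
    """Return 'not-listed', 'pass' or 'fail' for one message."""
    domain = return_address.strip("<> ").rsplit("@", 1)[-1].lower()
    allowed = table.get(domain)
    if allowed is None:
        return "not-listed"          # the test only applies to listed domains
    rdns = (reverse_dns or "").lower().rstrip(".")   # assumption: no rDNS fails
    if any(_matches(rdns, d, strict) for d in allowed):
        return "pass"
    return "fail"


if __name__ == "__main__":
    table = parse_spamdomains(SPAMDOMAINS_TXT)
    # Constructed cases; the first two are the manual's own example hosts.
    cases = [
        ("user@hotmail.com", "law2.hotmail.com"),
        ("user@hotmail.com", "mail.example.ru"),
        ("bob@example.com", "mx1.example.net"),
        ("bob@example.net", "mail.example.ru"),
        ("user@hotmail.com", "hotmail.com.example.ru"),
    ]
    for addr, rdns in cases:
        print(addr, rdns, spamdomains_check(addr, rdns, table),
              spamdomains_check(addr, rdns, table, strict=True))
```

The last case differs between the two modes: a plain substring match accepts any host name that merely embeds the listed domain, while the stricter suffix match does not.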


RE: [Declude.JunkMail] Spammers Dumping Porn for Financial Services

2004-05-27 Thread Markus Gufler

> SKIPIFWEIGHT60
> MINWEIGHTTOFAIL  4  100
> BODY 1 CONTAINS attention investors

This looks very good and very useful for me!

Markus




RE: [Declude.JunkMail] Help - Gateway Question

2004-05-27 Thread Bridges, Samantha
Thanks for the replies.

Below are lines from the SMTP log.  The new gateway customer is the
@lsps.org.  They use GroupWise.  I can see a message coming in from
xxx-solutions.com.  It then is received by IMail...spooled

The next part of the log is where I need help.  Why is the IMail server
(apollo.misd.net) connecting to Trend?  This customer used to use Trend
IMSS but now wants to use IMail/Declude for spam and virus filtering. 

Did they not properly configure their GroupWise server to accept mail
from IMail/Declude?  Why is Trend jumping into the mix? I am not real
familiar with GroupWise (I run Exchange here) or Trend for that matter
(I run Declude).  

Has anyone seen this before?  What can I do or is this normal behavior?

Thanks for any help.

Samantha 




05:26 23:56 SMTPD(6709060702908a12) [64.88.0.98] connect 216.157.193.231 port 2290
05:26 23:56 SMTPD(6709060702908a12) [216.157.193.231] EHLO ARTEMIS-PORTAL.portal.artemis-solutions.com
05:26 23:56 SMTPD(6709060702908a12) [216.157.193.231] MAIL FROM:[EMAIL PROTECTED]
05:26 23:56 SMTPD(6709060702908a12) [216.157.193.231] RCPT TO:[EMAIL PROTECTED]
05:26 23:56 SMTPD(6709060702908a12) [216.157.193.231] D:\IMAIL\spool\D6709060702908a12.SMD 3561
05:26 23:57 SMTP-(6709060702908a12) processing D:\IMAIL\spool\Q6709060702908a12.SMD
05:26 23:57 SMTP-(6709060702908a12) Trying lsps.org (0)
05:26 23:57 SMTP-(6709060702908a12) Connect lsps.org [64.88.9.99:25] (1)
05:26 23:57 SMTP-(6709060702908a12) 220 mailscan Trend Micro InterScan Messaging Security Suite, Version: 5.5 ready at Wed, 26 May 2004 23:46:43 -0400
05:26 23:57 SMTP-(6709060702908a12) EHLO apollo.misd.net
05:26 23:57 SMTP-(6709060702908a12) 250-mailscan supports the following ESMTP extensions:
05:26 23:57 SMTPD(670f097b01728a1d) [64.88.0.98] connect 24.110.62.129 port 1258
05:26 23:57 SMTP-(6709060702908a12) 250-SIZE
05:26 23:57 SMTP-(6709060702908a12) 250-DSN
05:26 23:57 SMTP-(6709060702908a12) 250-8bitmime
05:26 23:57 SMTP-(6709060702908a12) 250 OK
05:26 23:57 SMTP-(6709060702908a12) MAIL FROM:[EMAIL PROTECTED]
05:26 23:57 SMTP-(6709060702908a12) 250 [EMAIL PROTECTED]: Sender Ok
05:26 23:57 SMTP-(6709060702908a12) RCPT To:[EMAIL PROTECTED]
05:26 23:57 SMTP-(6709060702908a12) 250 [EMAIL PROTECTED]: Recipient Ok
05:26 23:57 SMTP-(6709060702908a12) DATA
05:26 23:57 SMTP-(6709060702908a12) 354 mailscan: Send data now. Terminate with .
05:26 23:57 SMTP-(6709060702908a12) .
05:26 23:57 SMTP-(6709060702908a12) 250 mailscan: Message accepted for delivery
05:26 23:57 SMTP-(6709060702908a12) rdeliver lsps.org [EMAIL PROTECTED] (1) [EMAIL PROTECTED] 3784
05:26 23:57 SMTP-(6709060702908a12) QUIT
05:26 23:57 SMTP-(6709060702908a12) 221 mailscan closing connection. Goodbye!
05:26 23:57 SMTP-(6709060702908a12) finished D:\IMAIL\spool\Q6709060702908a12.SMD status=1



-Original Message-
From: Rick Davidson [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 26, 2004 1:49 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Help - Gateway Question


Make sure the system you are gatewaying for allows relay from the
gateway host.

Rick Davidson
National Systems Manager
North American Title Group
-
- Original Message - 
From: Bridges, Samantha [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, May 26, 2004 1:27 PM
Subject: [Declude.JunkMail] Help - Gateway Question


Hello All -

I have started providing gateway services to a new host.  I see the
messages reach the spool and start to be processed.  However the SMTP
log says that the message keeps requeuing and giving me a status of 3.

Please help.  Any ideas of what to look at would be appreciated.

Samantha

Samantha Bridges
Communications Technician
Macomb Intermediate School District
44001 Garfield Road
Clinton Township  MI  48038-1100
(586) 228-3300

[EMAIL PROTECTED]
http://www.misd.net



RE: [Declude.JunkMail] Help - Gateway Question

2004-05-27 Thread Colbeck, Andrew
Samantha, part of the answer that you're looking for is that when your
misd.net server is connecting to their server to deliver the mail, you're
not connecting to Trend Micro, the company, you're connecting to their
mail server, which has a Trend Micro product in front of their other mail
host, which you say is GroupWise.

That Trend Micro product is an SMTP gateway which calls itself mailscan
and it is accepting your relayed mail (status=1).

Your original message asked about status=3, which indicates that the message
is re-queued.  Here is an Ipswitch Knowledge Base article on the status
codes:

http://support.ipswitch.com/kb/IM-19990715-DM01.htm

Andrew 8)


RE: [Declude.JunkMail] Help - Gateway Question

2004-05-27 Thread Bridges, Samantha
I don't want to connect to Trend (whether on the box or not).  I want to
connect directly to their GroupWise SMTP (64.88.9.99).  How do I get
around the Trend SMTP and connect directly to the GroupWise SMTP?

In other words, I don't want the mail to pass through Trend at all.  Is
the setting on their GroupWise server?  


RE: [Declude.JunkMail] Help - Gateway Question

2004-05-27 Thread Scott Fisher
I believe you need to add the IP address of the GW server to your hosts file for 
resolution.
You are pulling out an MX record somewhere that is saying send to the Trend server. At 
least that's how I get to my GW server.

hosts:
192.0.0.1 domain.com

Scott Fisher
Director of IT
Farm Progress Companies


[Declude.JunkMail] Can you do WHITELISTING in the $default$.JunkMail.txt file?

2004-05-27 Thread Brent Brashear
I'm wanting to give AntiSpam customers the ability to 'tweak' their spam
settings by giving them FTP access to the $default$.JunkMail.txt file.

I'm hoping they'll also be able to manage their WHITELISTING (because not
everyone wants the same WHITELIST).

How could this be done?

-Brent


RE: [Declude.JunkMail] Help - Gateway Question

2004-05-27 Thread Bridges, Samantha


> I believe you need to add the IP address of the GW server to your hosts
> file for resolution. You are pulling out an MX record somewhere that is
> saying send to the Trend server. At least that's how I get to my GW
> server.

I did - In the \\..\\winnt\system32\drivers\etc I changed the hosts file
to include the line:

64.88.9.99  lsps.org

Gotta be something on their end but what???

Hhhhmmm

> hosts:
> 192.0.0.1 domain.com
>
> Scott Fisher
> Director of IT
> Farm Progress Companies

 [EMAIL PROTECTED] 05/27/04 09:37AM 
I don't want to connect to Trend (whether on the box or not).  I want to
connect directly to their GroupWise SMTP (64.88.9.99).  How do I get
around the Trend SMTP and connect directly to the GroupWise SMTP.  

In other words, I don't want the mail to pass through Trend at all.  Is
the setting on their GroupWise server?  

-Original Message-
From: Colbeck, Andrew [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 27, 2004 10:24 AM
To: '[EMAIL PROTECTED]' 
Subject: RE: [Declude.JunkMail] Help - Gateway Question


Samantha, part of the answer that you're looking for is that when your
misd.net server is connecting to their server to deliver the mail,
you're not connecting to Trend Micro, the company, you're connecting
to their mail server, which has a Trend Micro product in front of their
other mail host, which you say is GroupWise.

That Trend Micro product is an SMTP gateway which calls itself
mailscan and it is accepting your relayed mail (status=1).

Your original message asked about status=3, which indicates that the
message is re-queued.  Here is an Ipswitch Knowledge Base article on the
status
codes:

http://support.ipswitch.com/kb/IM-19990715-DM01.htm 

Andrew 8)

-Original Message-
From: Bridges, Samantha [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 27, 2004 6:37 AM
To: [EMAIL PROTECTED] 
Subject: RE: [Declude.JunkMail] Help - Gateway Question


Thanks for the replies.

Below are lines from the SMTP log.  The new gateway customer is the
@lsps.org.  They use GroupWise.  I can see a message coming in from
xxx-solutions.com.  It then is received by IMail...spooled

The next part of the log is where I need help.  Why is the Imail server
(apollo.misd.net) connecting to Trend?  This customer used to use Trend
IMSS but now wants to use IMail/Declude for spam and virus filtering. 

Did they not properly configure their GroupWise server to accept mail
from IMail/Declude?  Why is Trend jumping into the mix? I am not real
familiar with Groupwise (I run Exchange here) or Trend for that matter
(I run Declude).  

Has anyone seen this before?  What can I do or is this normal behavior?

Thanks for any help.

Samantha 




05:26 23:56 SMTPD(6709060702908a12) [64.88.0.98] connect 216.157.193.231 port 2290
05:26 23:56 SMTPD(6709060702908a12) [216.157.193.231] EHLO ARTEMIS-PORTAL.portal.artemis-solutions.com
05:26 23:56 SMTPD(6709060702908a12) [216.157.193.231] MAIL FROM:[EMAIL PROTECTED]
05:26 23:56 SMTPD(6709060702908a12) [216.157.193.231] RCPT TO:[EMAIL PROTECTED]
05:26 23:56 SMTPD(6709060702908a12) [216.157.193.231] D:\IMAIL\spool\D6709060702908a12.SMD 3561
05:26 23:57 SMTP-(6709060702908a12) processing D:\IMAIL\spool\Q6709060702908a12.SMD
05:26 23:57 SMTP-(6709060702908a12) Trying lsps.org (0)
05:26 23:57 SMTP-(6709060702908a12) Connect lsps.org [64.88.9.99:25] (1)
05:26 23:57 SMTP-(6709060702908a12) 220 mailscan Trend Micro InterScan Messaging Security Suite, Version: 5.5 ready at Wed, 26 May 2004 23:46:43 -0400
05:26 23:57 SMTP-(6709060702908a12) EHLO apollo.misd.net
05:26 23:57 SMTP-(6709060702908a12) 250-mailscan supports the following ESMTP extensions:
05:26 23:57 SMTPD(670f097b01728a1d) [64.88.0.98] connect 24.110.62.129 port 1258
05:26 23:57 SMTP-(6709060702908a12) 250-SIZE
05:26 23:57 SMTP-(6709060702908a12) 250-DSN
05:26 23:57 SMTP-(6709060702908a12) 250-8bitmime
05:26 23:57 SMTP-(6709060702908a12) 250 OK
05:26 23:57 SMTP-(6709060702908a12) MAIL FROM:[EMAIL PROTECTED]
05:26 23:57 SMTP-(6709060702908a12) 250 [EMAIL PROTECTED]: Sender Ok
05:26 23:57 SMTP-(6709060702908a12) RCPT To:[EMAIL PROTECTED]
05:26 23:57 SMTP-(6709060702908a12) 250 [EMAIL PROTECTED]: Recipient Ok
05:26 23:57 SMTP-(6709060702908a12) DATA
05:26 23:57 SMTP-(6709060702908a12) 354 mailscan: Send data now. Terminate with .
05:26 23:57 SMTP-(6709060702908a12) .
05:26 23:57 SMTP-(6709060702908a12) 250 mailscan: Message accepted for delivery
05:26 23:57 SMTP-(6709060702908a12) rdeliver lsps.org [EMAIL PROTECTED] (1) [EMAIL PROTECTED] 3784
05:26 23:57 SMTP-(6709060702908a12) QUIT
05:26 23:57 SMTP-(6709060702908a12) 221 mailscan closing connection. Goodbye!
05:26 23:57 SMTP-(6709060702908a12) finished D:\IMAIL\spool\Q6709060702908a12.SMD status=1



-Original Message-
From: Rick Davidson [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 26, 2004 1:49 PM
To: [EMAIL PROTECTED] 
Subject: Re: [Declude.JunkMail] Help - Gateway Question


Make sure the system you are gatewaying for allows relay from the

RE: [Declude.JunkMail] Help - Gateway Question

2004-05-27 Thread Russ Uhte \(Lists\)
At 10:08 AM 5/27/2004, Bridges, Samantha wrote:

I believe you need to add the IP address of the GW server to your hosts
file for resolution. You are pulling out an MX record somewhere that is
saying send to the Trend server. At least that's how I get to my GW
server.
I did - In the \\..\\winnt\system32\drivers\etc I changed the hosts file
to include the line:
64.88.9.99  lsps.org
Gotta be something on their end...but what???

Are you using Imail 8 by chance?  I'm not sure of the order of operations 
when using IMail 8's DNS cache, but is it possible that you need to clear 
out that cache?  Might want to give that a try.

-Russ
---
[This E-mail scanned for viruses by Declude Virus]
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] Can you do WHITELISTING in the $default$.JunkMail.txt file?

2004-05-27 Thread Jeff Maze
Do the per-domain setup..

1.  Create a folder for each domain or domains that you want this per-domain
whitelisting for, within the X:\iMail\Declude folder.  E.g.  example.com (I
did all of our domains that we host just because the default
$default$.junkmail file was getting huge with all the whitelisted e-mail
addresses).

2.  Copy $default$.junkmail and the *.eml files to this directory.

3.  Edit the $default$.junkmail file and add the following line (I put mine
after the SPAMDOMAINS test):
WHITELISTFILE   %location of whitelist text file%
e.g. WHITELISTFILE   X:\imail\declude\example.com\%ftp access
folder%\whitelist.txt
I wouldn't give them full access to all the *.eml files as well as
the $default$.junkmail file, so this is why I added the %ftp access folder%
listing.

4.  Also, you can edit the $default$.junkmail file if you want certain
things to happen with messages that fail certain tests.  E.g.  If this
example.com boss only wants messages routed, deleted, etc. for messages that
fail the WEIGHT10 test, then you can.  This $default$.junkmail file
overrides the default $default$.junkmail file within the X:\imail\Declude
folder.

5.  Create the whitelist.txt file and add e-mail addresses that you wish to
have whitelisted for certain domains.
whitelist.txt
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
@example.com
.morebeforethisdomain.com

Hope this helps you out..

 _ 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]  On Behalf Of Brent Brashear
 Sent: Thursday, May 27, 2004 9:53 AM
 To:   Declude
 Subject:  [Declude.JunkMail] Can you do WHITELISTING in the
 $default$.JunkMail.txt file?
 
 I'm wanting to give AntiSpam customers the ability to 'tweek' their spam
 settings by giving them FTP access to the $default$.JunkMail.txt file.
 
 I'm hoping they'll also be able to manage their WHITELISTING (because not
 everyone wants the same WHITELIST)
 
 How could this be done?
 
 -Brent
 

Re: [Declude.JunkMail] Massive CPU usage

2004-05-27 Thread Matt
James Nelson wrote:
I'll try implementing these here in the next day or so after read up 
on the documentation for them.  Care to explain what the size.vbs file 
is?

There's a lengthy discussion in the archives about that external test.  
Note that this requires a more recent interim release in order to run as 
designed, and there are also some bugs in that version that affect 
whether or not it will run when it's supposed to.  I'll probably update 
that file soon, so maybe holding off would be a better idea.


We do not have any nobody aliases (I can guess the problems that 
could cause) on any of our domains.  However, our major domains are 
provided to dial-up users and have been around for close to 8 years, 
so I'm sure many of them are probably on spam lists.  I'd guess that 
the most of the 5-8K outgoing messages from postmaster are spam 
and/or virus related. 

If you are using the BOUNCE action on blocked messages (now renamed to 
discourage use), you should turn that off because that creates a problem 
for those that have had their addresses forged in spam, and those of us 
that try to block bounce messages from forged spam coming to our users.  
Regarding virus bounces, you really shouldn't bounce anything but banned 
extensions for similar reasons.  You should read up on the newer 
capabilities in Declude virus to recognize forging viruses, and I 
encourage you to turn off (remove) the otherpostmaster.eml and 
sender.eml files.  That seems like that number is way too high for your 
traffic.

Matt
--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


RE: [Declude.JunkMail] Help - Gateway Question

2004-05-27 Thread Scott Fisher
2 thoughts.

Are you positive they gave you the correct IP address of the GroupWise server? They 
may be accustomed to handing out the IP address of the Trend server.

Their firewall could be redirecting all port 25 traffic to the Trend Micro machine.

Scott Fisher
Director of IT
Farm Progress Companies


Re: [Declude.JunkMail] Can you do WHITELISTING in the $default$.JunkMail.txt file?

2004-05-27 Thread Ryan Carmelo Briones
Brent Brashear wrote:
I'm wanting to give AntiSpam customers the ability to 'tweek' their spam
settings by giving them FTP access to the $default$.JunkMail.txt file.
I'm hoping they'll also be able to manage their WHITELISTING (because not
everyone wants the same WHITELIST)
How could this be done?
-Brent
 

I would think this could be done better, or at least the whitelisting 
part, using AUTOWHITELIST ON. Then users would just log in via web 
messaging, add an address to their address book, and it's whitelisted. 
Or maybe I missed something important...Btw, allowing end users to edit 
your $default$.junkmail file sounds like a pretty bad idea to me.

Ryan


[Declude.JunkMail] Question about quoted-printable encoding and filtering

2004-05-27 Thread Matt




Scott,

I'm finding this difficult to test and thought that I would ask it
instead. I've found some heavy obfuscation in some Nigerian stuff that
has me scratching my head about how to filter it. One such message
contains the following:
THE OWNER OF THIS ACCOUNT LATE MR.DENNIS BR=
OWN ,HE DIED SINCE 1997

I'm wondering to what extent Declude clears up such encoding for the
filters. For instance, would the following work in this instance:
BODY  3  CONTAINS  MR.DENNIS BROWN

or maybe with a space for the line return:
BODY  3  CONTAINS  MR.DENNIS BR= OWN

or rather without the space:
BODY  3  CONTAINS  MR.DENNIS BR=OWN

Thanks,

Matt
-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=




Re: [Declude.JunkMail] Question about quoted-printable encoding and filtering

2004-05-27 Thread R. Scott Perry

I'm finding this difficult to test and thought that I would ask it 
instead.  I've found some heavy obfuscation in some Nigerian stuff that 
has me scratching my head about how to filter it.  One such message 
contains the following:
THE OWNER OF THIS ACCOUNT LATE MR.DENNIS BR=
OWN ,HE DIED SINCE 1997

I'm wondering to what extent Declude clears up such encoding for the 
filters.  For instance, would the following work in this instance:
BODY  3  CONTAINS  MR.DENNIS BROWN

or maybe with a space for the line return:
BODY  3  CONTAINS  MR.DENNIS BR= OWN
or rather without the space:
BODY  3  CONTAINS  MR.DENNIS BR=OWN

Declude JunkMail should translate the CRLF (linefeed) into a space, so 
the second line (MR.DENNIS BR= OWN) should catch it.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.



Re: [Declude.JunkMail] Question about quoted-printable encoding and filtering

2004-05-27 Thread Matt
Thanks.

I'm sure it goes without saying that MIME decoding would be a nice 
addition whenever that pops to the top of your to-do list.  This one 
message was clearly obfuscated using that technique, and the sender was 
careful to find a free mail provider that would send quoted-printable 
encoding headers on plain text messages.  This is most problematic on 
Nigerian scams because it almost always comes from legitimate mail 
providers and you have to rely exclusively on content filters to block 
it, although I'm now starting to populate a %MAILFROMBL% test for such 
addresses, and I should soon see how useful that may be.

Matt

R. Scott Perry wrote:

I'm finding this difficult to test and thought that I would ask it 
instead.  I've found some heavy obfuscation in some Nigerian stuff 
that has me scratching my head about how to filter it.  One such 
message contains the following:
THE OWNER OF THIS ACCOUNT LATE MR.DENNIS BR=
OWN ,HE DIED SINCE 1997

I'm wondering to what extent Declude clears up such encoding for the 
filters.  For instance, would the following work in this instance:
BODY  3  CONTAINS  MR.DENNIS BROWN

or maybe with a space for the line return:
BODY  3  CONTAINS  MR.DENNIS BR= OWN
or rather without the space:
BODY  3  CONTAINS  MR.DENNIS BR=OWN

Declude JunkMail should translate the CRLF (linefeed) into a space, so 
the second line (MR.DENNIS BR= OWN) should catch it.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail 
mailservers since 2000.
Declude Virus: Ultra reliable virus detection and the leader in 
mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.


--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
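Added example, not part of any post in this thread: it compares phrase matching on the raw body with line breaks turned into spaces (the behaviour described in the reply above) against matching after MIME decoding (the addition wished for here). The message is constructed around the fragment quoted in the thread; the headers, the `B=41NK` line and all function names are assumptions, and matching is case-insensitive as a simplification.

```python
import email
from email import policy

# Constructed sample: headers and the last body line are invented for this
# example; the first two body lines are the fragment quoted in the thread.
SAMPLE = (
    b"From: sender@example.com\r\n"
    b"Subject: URGENT\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b"\r\n"
    b"THE OWNER OF THIS ACCOUNT LATE MR.DENNIS BR=\r\n"
    b"OWN ,HE DIED SINCE 1997\r\n"
    b"PLEASE CONTACT THE B=41NK MANAGER\r\n"
)

# The three candidate phrases from the thread, plus one for the hex escape.
PHRASES = [
    "MR.DENNIS BROWN",
    "MR.DENNIS BR= OWN",
    "MR.DENNIS BR=OWN",
    "BANK MANAGER",
]


def raw_view(msg_bytes: bytes) -> str:
    """Body as seen when CRLF becomes a space and nothing is decoded."""
    body = msg_bytes.split(b"\r\n\r\n", 1)[1]
    return body.decode("latin-1").replace("\r\n", " ")


def decoded_view(msg_bytes: bytes) -> str:
    """Body after honouring Content-Transfer-Encoding on every text part."""
    msg = email.message_from_bytes(msg_bytes, policy=policy.default)
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and attachments
        payload = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "latin-1"
        try:
            text = payload.decode(charset, "replace")
        except LookupError:  # unknown charset label in the header
            text = payload.decode("latin-1")
        chunks.append(text)
    # Real line breaks become single spaces so phrases can span lines.
    return " ".join(" ".join(chunks).split())


def contains(view: str, phrase: str) -> bool:
    return phrase.casefold() in view.casefold()


def compare(msg_bytes: bytes, phrases):
    """Return (phrase, hit_on_raw_view, hit_on_decoded_view) per phrase."""
    raw, dec = raw_view(msg_bytes), decoded_view(msg_bytes)
    return [(p, contains(raw, p), contains(dec, p)) for p in phrases]


if __name__ == "__main__":
    for phrase, raw_hit, dec_hit in compare(SAMPLE, PHRASES):
        print(f"{phrase!r:24} raw={raw_hit!s:5} decoded={dec_hit}")
```

On the raw view only the `BR= OWN` spelling matches, and a hex escape such as `=41` needs its own filter line; on the decoded view the plain phrase matches in both cases.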


Re: [Declude.JunkMail] Massive CPU usage

2004-05-27 Thread James Nelson
Matt wrote:
James Nelson wrote:
I'll try implementing these here in the next day or so after read up 
on the documentation for them.  Care to explain what the size.vbs file 
is?

There's a lengthy discussion in the archives about that external test.  
Note that this requires a more recent interim release in order to run as 
designed, and there are also some bugs in that version that affect 
whether or not it will run when it's supposed to.  I'll probably update 
that file soon, so maybe holding off would be a better idea.

If that's still not ready for use, I'll just leave it alone then.

If you are using the BOUNCE action on blocked messages (now renamed to 
discourage use), you should turn that off because that creates a problem 
for those that have had their addresses forged in spam, and those of us 
that try to block bounce messages from forged spam coming to our users.  
Regarding virus bounces, you really shouldn't bounce anything but banned 
extensions for similar reasons.  You should read up on the newer 
capabilities in Declude virus to recognize forging viruses, and I 
encourage you to turn off (remove) the otherpostmaster.eml and 
sender.eml files.  That seems like that number is way too high for your 
traffic.

Currently, we just write a header message in messages that get to a 
certain weight, redirect that to a special folder in the users' mailbox, 
and delete it after 14 days.  So no bouncing of spam messages, and I've 
also disabled (a while ago) virus messages to sender (too many viruses 
forge this for it to make it useful in my opinion).  Unfortunately, due 
to decisions beyond my control, the antivirus & spam filtering are sold 
as separate services and are enabled per-user and not server wide.

Thanks for all the assistance,
::James Nelson


Re[2]: [Declude.JunkMail] Spamdomains test

2004-05-27 Thread Sanford Whiteman
 So a line "example.com" would require that any E-mail address from
 @example.com must have a reverse DNS entry containing "example.com".
 However, if legitimate @example.com E-mail can also be sent from
 @example.net, then you could have a line "example.com example.net".

Scott, any thoughts on my suggestion of an extended SPFDOMAINS test
type with which you could manually maintain SPF-formatted policies for
given domains, running the data through the existing SPF parser?

--Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
  http://www.mailmage.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange Addresses into IMail Aliases!
  
http://www.mailmage.com/products/software/freeutils/exchange2aliases/download/release/



Re: [Declude.JunkMail] Spamdomains test

2004-05-27 Thread Matt




Using the dnsbl type of test and a custom zone, you could extend this
through DNS. For instance:

MPBL-SPAMDOMAINS  dnsbl  %REVDNS%.%RHSBL%.spamdomains.example.com  127.0.0.2  4  0

In your custom zone, you could construct records like so:

*.aol.com.aol.com    A    127.0.0.1
                     TXT  ( "Good Entry" )
*.aol.com            A    127.0.0.2
                     TXT  ( "Bad Entry" )

I haven't yet tested this, but I believe that the wildcarding will work
to give you the proper result. Essentially you define a single bad
entry, and then one good entry for every set of reverse DNS with Mail
From domain. Unlike SPAMDOMAINS, this could accommodate more than two
different reverse DNS domains. The downside is that I don't know what
it will do if Declude can't resolve a reverse DNS entry, or more
accurately, what value will Declude use in place of the reverse DNS
entry (this might be something to provide as an exception for each
entry). Alternatively, you could also use the %HELO% in combination
with %RHSBL% since those don't need to do lookups. Same thing goes for
%IP4R% as well if you wish to do it in a fashion similar to SPF.

Matt



Sanford Whiteman wrote:

  
So  a  line "example.com" would require that any E-mail address from
@example.com must have a reverse DNS entry containing "example.com".
However,  if  legitimate  @example.com  E-mail can also be sent from
@example.net,  then you could have a line "example.com example.net".

  
  
Scott,  any  thoughts  on my suggestion of an extended SPFDOMAINS test
type with which you could manually maintain SPF-formatted policies for
given domains, running the data through the existing SPF parser?

--Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
  http://www.mailmage.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange Addresses into IMail Aliases!
  http://www.mailmage.com/products/software/freeutils/exchange2aliases/download/release/



  


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
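Added example, not from the post or from Declude: a small simulation of DNS wildcard matching (RFC 4592) over the two records sketched above, for checking the design before loading a real zone. It also shows a case those records do not cover: once `*.aol.com.aol.com` exists, `com.aol.com` is an empty non-terminal, so a reverse DNS name ending in `.com` gets no answer unless `*.com.aol.com` is added. Assumptions: %RHSBL% expands to the MAIL FROM domain, as the post implies; host names and function names are constructed.

```python
# Records from the post, owner names relative to spamdomains.example.com.
RECORDS = {
    "*.aol.com.aol.com": "127.0.0.1",  # "Good Entry"
    "*.aol.com": "127.0.0.2",          # "Bad Entry"
}

# Same zone with an explicit wildcard under the empty non-terminal.
FIXED = dict(RECORDS, **{"*.com.aol.com": "127.0.0.2"})


def existing_names(records):
    """Owner names plus the empty non-terminals implied above them."""
    names = {""}  # zone apex
    for owner in records:
        labels = owner.split(".")
        for i in range(len(labels)):
            names.add(".".join(labels[i:]))
    return names


def resolve(qname, records=RECORDS):
    """A-record value for qname (relative to the zone), None if no answer."""
    qname = qname.lower().rstrip(".")
    if qname in records:
        return records[qname]  # exact match wins over any wildcard
    names = existing_names(records)
    if qname in names:
        return None  # name exists but holds no data (empty non-terminal)
    labels = qname.split(".")
    # The closest encloser is the longest ancestor that exists in the zone.
    # Only the wildcard directly below it may synthesise an answer.
    for i in range(1, len(labels) + 1):
        ancestor = ".".join(labels[i:])
        if ancestor in names:
            wildcard = "*." + ancestor if ancestor else "*"
            return records.get(wildcard)
    return None


def query_name(revdns, mailfrom_domain):
    """The %REVDNS%.%RHSBL% part of the lookup (assumed expansion)."""
    return f"{revdns}.{mailfrom_domain}"


if __name__ == "__main__":
    cases = [  # constructed reverse DNS names, MAIL FROM domain aol.com
        "imo-m01.mx.aol.com",
        "host.example.net",
        "dsl.example.com",
    ]
    for revdns in cases:
        q = query_name(revdns, "aol.com")
        print(f"{q:32} original={resolve(q)} fixed={resolve(q, FIXED)}")
```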




Re[2]: [Declude.JunkMail] Spamdomains test

2004-05-27 Thread Sanford Whiteman
 Using the dnsbl type of test and a custom zone, you could extend this 
 through DNS.  For instance:

 MPBL-SPAMDOMAINS  dnsbl  %REVDNS%.%RHSBL%.spamdomains.example.com  127.0.0.2  4  0

Interesting idea, Matt. Still way too much management compared to
SPF-compatible formatting, though. The ability to append
._spf.example.com to SPF queries, or use the SPFDOMAINS text list,
would be a lot easier.

--Sandy




Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
  http://www.mailmage.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange Addresses into IMail Aliases!
  
http://www.mailmage.com/products/software/freeutils/exchange2aliases/download/release/



Re: [Declude.JunkMail] Spamdomains test

2004-05-27 Thread Matt




I've been planning on trying this for about a week now, and I'm still
not convinced that it will work. From my standpoint though, this
represents a good way to remove a tad bit more processing and maintain
a system to be shared on multiple servers without having to update text
files.

This idea originally came from my desire to qualify two pieces of
information when whitelisting. Using this technique, you could
effectively whitelist without fear of forging, though of course the
possibility would still exist. You could credit messages that pass
such a test such as from amazon.com, coming from an amazon.com reverse
DNS entry, and that would be much stronger than systems like
BondedSender which relies only on the IP, where servers can still be
hijacked or infected. This is also a much more efficient way to credit
messages than to maintain long lists of whitelist address and as above,
it's a good format for a distributed system with multiple scanning
servers that can be updated in real-time.

My biggest wish though is that both the To: address and the Reply-To:
address were exposed through variables and filters, because that would
allow me to apply credit to things that use VERP and also put it in DNS
instead of using body or header filters to do the dirty work.

Matt



Sanford Whiteman wrote:

  
Using the dnsbl type of test and a custom zone, you could extend this 
through DNS.  For instance:

  
  
  
  
MPBL-SPAMDOMAINS  dnsbl  %REVDNS%.%RHSBL%.spamdomains.example.com  127.0.0.2  4  0

Interesting idea, Matt. Still way too much management compared to
SPF-compatible formatting, though. The ability to append
._spf.example.com to SPF queries, or use the SPFDOMAINS text list,
would be a lot easier.

--Sandy




Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
  http://www.mailmage.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange Addresses into IMail Aliases!
  http://www.mailmage.com/products/software/freeutils/exchange2aliases/download/release/



  


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=




Re: [Declude.JunkMail] Spamdomains test

2004-05-27 Thread Larry Craddock



Thanks everyone. Now that I understand how to use the test, does anyone
have a spamdomains.txt file that includes the entries for the domains
most commonly used that they could share?

Larry Craddock


Re: [Declude.JunkMail] Spamdomains test

2004-05-27 Thread Bill Landry
- Original Message - 
From: Larry Craddock [EMAIL PROTECTED]


Thanks everyone. Now that I understand how to use the test, does anyone
have a spamdomains.txt file that includes the entries for the domains
most commonly used that they could share?

Check the archives, Larry.  I have posted mine to the list several times.
If you cannot locate it, send me an e-mail off-list and I will send it to
you.

Bill
