[Declude.JunkMail] ROUTETO and SUBJECT Line Marking
Scott, I think you are going to tell me that I cannot do this but I am going to ask anyway. I have a client who wants me to send all SPAM to a specific e-mail address (gateway scenario) so no problem WEIGHT10 ROUTETO [EMAIL PROTECTED] but it appears that I cannot do an ATTACH nor can I mark the subject line. I really need a way to put something in the subject line. I do the following with the spamattach.eml file ***[SPAM]***[21]***Wild Saturday SuperBonus: Get 2 FREE Cameras & Save 77% A static marker and the weight. Do I have any options for this? Can I use a unique spamattach.eml file per domain? Anything? Thanx Goran Jovanovic The LAN Shoppe --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] What's wrong with this header?
We're still running Imail 7.15 -- I have yet to see any value in upgrading to 8.x -- so is there an easy way to do the whitelisting of local accounts for IMail 7.x?

Also, what would you think about lowering the weight for CMDSPACE from 8 to 4?

Ben

- Original Message -
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, June 18, 2004 9:48 AM
Subject: Re: [Declude.JunkMail] What's wrong with this header?

> >Normally, we expect that all the clients we host on our own mail server
> >would get very low spam weights. However, I just received a message from a
> >client with a weight of 7. I'm trying to understand why the high weight.
> >Here is the message header:
> >
> >Received: from slaptop [65.75.194.49] by paulsoncommodities.com with ESMTP
> >  (SMTPD32-7.15) id AF04C681014A; Thu, 17 Jun 2004 14:37:08 -0700
> >X-Spam-Tests-Failed: CMDSPACE, REVDNS, WEIGHT5, WEIGHT5r [7]
>
> This E-mail failed 2 tests: CMDSPACE and REVDNS. It failed the REVDNS test
> because it was sent from an IP with no reverse DNS entry. That can usually
> be fixed quite easily.
>
> The CMDSPACE test, though, is an odd test -- it is very rare for a
> legitimate E-mail from another mailserver to fail the test (less than 1 in
> 1,000), but it is very common for E-mail from mail clients to fail that
> test. As a result, it may be worth whitelisting your own users (if you use
> IMail v8, you can do this with a line "WHITELIST AUTH" in the
> \IMail\Declude\global.cfg file if your users authenticate, and you are
> running the latest beta of Declude JunkMail).
>
> -Scott
> ---
> Declude JunkMail: The advanced anti-spam solution for IMail mailservers
> since 2000.
> Declude Virus: Ultra reliable virus detection and the leader in mailserver
> vulnerability detection.
> Find out what you've been missing: Ask for a free 30-day evaluation.
[Declude.JunkMail] What's wrong with this header?
Normally, we expect that all the clients we host on our own mail server would get very low spam weights. However, I just received a message from a client with a weight of 7. I'm trying to understand why the high weight. Here is the message header:

Received: from slaptop [65.75.194.49] by paulsoncommodities.com with ESMTP
  (SMTPD32-7.15) id AF04C681014A; Thu, 17 Jun 2004 14:37:08 -0700
Message-ID: <[EMAIL PROTECTED]>
From: "Steve" <[EMAIL PROTECTED]>
To: "Dr Ben Bednarz" <[EMAIL PROTECTED]>
Subject: SPAM [7]Fw: SPAM [13]ngate antelope.ppt
Date: Thu, 17 Jun 2004 14:34:47 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="=_NextPart_000_00BE_01C45478.3D874360"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 65.75.194.49 with no reverse DNS entry.
X-Declude-Sender: [EMAIL PROTECTED] [65.75.194.49]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: CMDSPACE, REVDNS, WEIGHT5, WEIGHT5r [7]
X-Note: This E-mail was sent from [No Reverse DNS] ([65.75.194.49]).
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 387407616

Any thoughts?

Ben Bednarz
BC Web
Re: [Declude.JunkMail] Routing Questions
Received: from 82-44-97-74.cable.ubr05.croy.blueyonder.co.uk [82.44.97.74] by myserver.mydomain.com
  (SMTPD32-8.12) id A2FC109014A; Thu, 17 Jun 2004 03:31:24 -0700
X-Message-Info: M910kloPMXge5x274W205+aumRB668UNfe
Received: from mail98522.juzoq.overture.com ([151.226.174.214]) by hg94-we19.overture.com with Microsoft SMTPSVC(5.0.2195.6824);
  Thu, 17 Jun 2004 01:35:20 +0200
...

What happens in this case where the email is routed through several servers to get to my user? Does Declude check all the paths or just the last one that it received it from? It appears that Declude would know about the other routes because they are mentioned in the headers.

That depends on how you have Declude JunkMail set up. By default, Declude JunkMail will only scan the IP that connected to you (which is what most people historically have done with anti-spam software).

However, Declude JunkMail is very flexible; you can have it bypass gateways/backups of yours, and you can have it scan multiple hops if you want to. Normally this is only necessary if either you have gateways/backups, or if you have people forwarding E-mail from another address that does not scan the E-mail for spam.

-Scott
Re: [Declude.JunkMail] What's wrong with this header?
Normally, we expect that all the clients we host on our own mail server would get very low spam weights. However, I just received a message from a client with a weight of 7. I'm trying to understand why the high weight. Here is the message header:

Received: from slaptop [65.75.194.49] by paulsoncommodities.com with ESMTP
  (SMTPD32-7.15) id AF04C681014A; Thu, 17 Jun 2004 14:37:08 -0700
X-Spam-Tests-Failed: CMDSPACE, REVDNS, WEIGHT5, WEIGHT5r [7]

This E-mail failed 2 tests: CMDSPACE and REVDNS. It failed the REVDNS test because it was sent from an IP with no reverse DNS entry. That can usually be fixed quite easily.

The CMDSPACE test, though, is an odd test -- it is very rare for a legitimate E-mail from another mailserver to fail the test (less than 1 in 1,000), but it is very common for E-mail from mail clients to fail that test. As a result, it may be worth whitelisting your own users (if you use IMail v8, you can do this with a line "WHITELIST AUTH" in the \IMail\Declude\global.cfg file if your users authenticate, and you are running the latest beta of Declude JunkMail).

-Scott
Re: [Declude.JunkMail] Virus Scanners Missing Viruses.
For some reason, even though the definitions are current and each of them reports that they are able to detect the virus, they are all missing "ZAFI.B" virus. They are successfully catching the "Netsky" variants.

What does the Declude Virus log file say? What version of Declude Virus are you running?

-Scott
Re: CBL:RE: Re[2]: [Declude.JunkMail] Content Rules plus/vs. Sniffer?
On Friday, June 18, 2004, 5:13:27 AM, Markus wrote:

MG> Maybe Pete can provide some tips what would be good combinations.
MG> Like IP4R + SNIFFER = good because SNIFFER makes no DNS lookups
MG> But not FILTERX + SNIFFER because SNIFFER checks for this already.

That's a tough one. SNIFFER is intended to be comprehensive and continues to grow in that way every day. Another way to say that is that SNIFFER already has a lot of overlap with the tests that are available in Declude and other packages. ( Our goal is for SNIFFER to be as comprehensive, efficient, and dynamic as possible. )

For example, a recent R&D process that has been added to SNIFFER is cross-referencing with SBL/ROKSO. As a result, when a spam hits our spamtraps and matches SBL/ROKSO then we will encode that IP range rather than the single IP - this gives the rulebase some efficiency because a handful of rules covers many hundreds (or thousands) of IPs.

Note: this does not mean that SNIFFER is any substitute for SBL or any other list - far from it. We use many resources when researching and developing our rulebase and we do not aggregate other services (at least not yet). The best way to look at SNIFFER's overlaps with other resources is as an additional vote of confidence - this is how we add value. A match that overlaps another service indicates that not only did that service's R&D develop that rule, but SNIFFER's R&D did also. The overlaps are therefore a stronger indication than where there are no overlaps.

Another example of an overlap is bogons (IPs that are not usable). There are lists and tests for these. Most of the known bogons are included in SNIFFER.

Another example is the basic IP rule process - each message that hits a spam trap is generally coded for content rules and also its individual source IP. As a result we encode a large volume of zombies in near real-time. (Note that nothing gets coded without review - so in order for an IP rule to be coded it must at least hit a clean spamtrap and be recognized as spam, and in general it will also match one or more DNSBLs.)

There are R&D processes for broken or spamware generated headers such as the recent 9[2 variety.

... I could go on for quite a while, but the point is that there is a lot of overlap with other tests and the overlap is likely to continue to grow over time. After all, people are constantly finding new ways to identify spam... and so are we... so we're going to land on the same ground quite a bit.

A case in point - the recent development of SURBL is based on a premise that has been at the core of SNIFFER since it began many years ago. While SURBL cannot capture variations and URI patterns the way SNIFFER does, there is clearly a lot of overlap. While SNIFFER is able to capture a much broader spectrum of URI than SURBL, there are still many cases where SURBL might detect the URI before we do.

With SURBL and all other lists you should make an effort to determine if the test provides sufficient benefit for your system. In many cases, SNIFFER will be strong enough that the other test is not needed. You should always try things and see how they perform on your system before making a decision.

As you point out - one key piece of the equation will be performance. For example, it has been reported that SNIFFER's accuracy is comparable to SpamAssassin "right out of the box". SNIFFER typically scans a message in 100ms or so. There are frequent reports on the SA list of SA requiring on the order of 10 seconds or more! This is largely due to SA's heavy use of DNSBLs but also the fact that SNIFFER's pattern matching engine is superior to SA's.

If you find that a DNSBL test has a high overlap with SNIFFER then it's probably a good decision to drop the DNSBL test in exchange for better performance.

If you have a number of content rules and you use SNIFFER then you should strongly consider moving those rules into SNIFFER (let us know and we can code them for you). Just keep in mind that in general the current design of SNIFFER is a collection of white/black rules - there's not a lot of room for "fuzzy" rules and there is no internal weighting system. (that's in the next version).

-- so what to recommend?

I think that the best approach seems to be to use SNIFFER as a strongly weighted opinion, and to use other tests to finally tip the balance over. Many of our users tell us that SNIFFER plus any other test = spam on their system.

* Even better, and strongly dependent upon your own system's requirements, you may find that many rule groups in SNIFFER are sufficient to hold or even delete a message while others may require the addition of another test to push a message over the edge. The other test could be a DNSBL or a specialized content filter. Since SNIFFER is very efficient (now scanning messages in under 200ms consistently) and very accurate (most report > 95% accuracy) you might implement parts of SNIFFER so that if a match is found no other tests are run - or a
[Declude.JunkMail] Virus Scanners Missing Viruses.
I have the following config for Virus Scanning:

#McAfee Command Line
SCANFILE1 Z:\IMail\NAI\SCAN.EXE /ALL /NOMEM /NOBEEP /NOBREAK /UNZIP /SILENT /NODDA /REPORT report.txt
VIRUSCODE1 13
REPORT1 Found
#CAI v7
SCANFILE2e:\Progra~1\CA\sHARED~1\ScanEn~1\inocmd32.exe -ARC -VER -LIS:report.txt -ENG VET
VIRUSCODE2 100
VIRUSCODE2 101
REPORT2 infected by virus:
#CAI v7
SCANFILE3 e:\Progra~1\CA\sHARED~1\ScanEn~1\inocmd32.exe -ARC -VER -LIS:report.txt
VIRUSCODE3 100
VIRUSCODE3 101
REPORT3 infected by virus:

For some reason, even though the definitions are current and each of them reports that they are able to detect the virus, they are all missing "ZAFI.B" virus. They are successfully catching the "Netsky" variants.

Anyone have any ideas?
[Declude.JunkMail] Routing Questions
Received: from SMTP32-FWD by myserver.mydomain.com
Received: from 82-44-97-74.cable.ubr05.croy.blueyonder.co.uk [82.44.97.74] by myserver.mydomain.com
  (SMTPD32-8.12) id A2FC109014A; Thu, 17 Jun 2004 03:31:24 -0700
X-Message-Info: M910kloPMXge5x274W205+aumRB668UNfe
Received: from mail98522.juzoq.overture.com ([151.226.174.214]) by hg94-we19.overture.com with Microsoft SMTPSVC(5.0.2195.6824);
  Thu, 17 Jun 2004 01:35:20 +0200
Received: from DT3 (iwa243.204.198.160.noc80.ndq.icq.com [244.232.20.84]) by mail31.gt.icq.com (530.27.92dkj5/8.71.59) with SMTP id qbn6FLD934Xwzm5432;
  Thu, 17 Jun 2004 04:36:20 +0500
Message-ID: <[EMAIL PROTECTED]>
From: "Jennifer Dennis" <[EMAIL PROTECTED]>
To: "Dbaron" [EMAIL PROTECTED]
References: <[EMAIL PROTECTED]>
Subject: all direct octal dissuade keno
Date: Wed, 16 Jun 2004 16:33:20 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative;
  boundary="--518179476306625"
X-RBL-Warning: SORBS-DUHL: "Dynamic IP Address See: http://www.dnsbl.sorbs.net/cgi-bin/lookup?IP=82.44.97.74"; [2-15-7800]
X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command . [2-23-b800]
X-Declude-Sender: [EMAIL PROTECTED] [82.44.97.74]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: SORBS-DUHL, CMDSPACE [8]
X-Note: This E-mail was sent from 82-44-97-74.cable.ubr05.croy.blueyonder.co.uk ([82.44.97.74]).
X-RBL-Warning: SORBS-DUHL: "Dynamic IP Address See: http://www.dnsbl.sorbs.net/cgi-bin/lookup?IP=82.44.97.74"; [2-15-7800]
X-Declude-Sender: [EMAIL PROTECTED] [82.44.97.74]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: SORBS-DUHL [-1]
X-Note: This E-mail was sent from 82-44-97-74.cable.ubr05.croy.blueyonder.co.uk ([82.44.97.74]).
Status: U
X-UIDL: 375168223

What happens in this case where the email is routed through several servers to get to my user? Does Declude check all the paths or just the last one that it received it from? It appears that Declude would know about the other routes because they are mentioned in the headers.
Re: [Declude.JunkMail] Transferring the Relay IP address list.
We have relay setup for a list of class c ip addresses. We are in the process of moving imail to a different machine. This is a fairly large list. Where is this list stored (file/registry) and is it transferable to the other machine without retyping the entire list?

It's in the \IMail\smtpd32.loc file. You should just be able to copy that file over to the new machine, without any problems.

-Scott
Re: [Declude.JunkMail] "Grouping" Syntax
I would love it, but really it's a major change. I requested a feature like this about a month ago.

Darin.

- Original Message -
From: "Andy Schmidt" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, June 18, 2004 10:50 AM
Subject: [Declude.JunkMail] "Grouping" Syntax

Hi Scott:

Just thinking out loud. I currently use filters to "group" multiple test results. It works fine - but it's not very intuitive to your new customers. I also don't like maintaining external files where it doesn't offer any other benefits.

How about the following "GROUP...GROUPEND" syntax in Global.cfg:

OPENRELAY GROUP OR * 5 0
SORBS-SMTP ip4r dnsbl.sorbs.net 127.0.0.5 0 0
AHBLRELAYS ip4r dnsbl.ahbl.org 127.0.0.2 0 0
NJABLRELAYS ip4r qwdnsbl.njabl.org 127.0.0.2 0 0
DSBLSINGLE ip4r list.dsbl.org * 0 0
ORDB ip4r relays.ordb.org * 0 0
KUNDENSERVER ip4r relays.bl.kundenserver.de 127.0.0.2 0 0
* GROUPEND

By definition, each test could only be part of one group. Nested grouping would not be supported. One could define either "OR" or "AND" condition for the group.

This may be a simple way to address some of the frequent requests to "combine" tests with AND and OR without having to introduce a complete "scripting" language.

Best Regards
Andy Schmidt
H&M Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/

-Original Message-
From: Andy Schmidt [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 17, 2004 05:59 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [Declude.JunkMail] IP4R DNS lookup

Hi,

I have used filters to "summarize" categories of ip4r and other tests.

All the open relay tests will fail ONE filter. So whether one or 4 black-lists say it's an open relay - it will only get ONE weight.

All the DUL/DUHL will fail ONE filter. So, whether a dial-up or dynamic port is listed in one or many black-lists - it will only get ONE weight.

This technique allowed me to check against MORE blacklists AND define a higher weight for each "class" of blacklist. I don't have to fear that just because a dial-up port is "widely known" it will suddenly fail JUST on that.

Best Regards
Andy
[Declude.JunkMail] Transferring the Relay IP address list.
We have relay setup for a list of class c ip addresses. We are in the process of moving imail to a different machine. This is a fairly large list. Where is this list stored (file/registry) and is it transferable to the other machine without retyping the entire list?

Thank you,
Joshua
Sunline Team
(941)206-7870
(888)512-6100
http://www.sunline.net/
[Declude.JunkMail] "Grouping" Syntax
Hi Scott:

Just thinking out loud. I currently use filters to "group" multiple test results. It works fine - but it's not very intuitive to your new customers. I also don't like maintaining external files where it doesn't offer any other benefits.

How about the following "GROUP...GROUPEND" syntax in Global.cfg:

OPENRELAY GROUP OR * 5 0
SORBS-SMTP ip4r dnsbl.sorbs.net 127.0.0.5 0 0
AHBLRELAYS ip4r dnsbl.ahbl.org 127.0.0.2 0 0
NJABLRELAYS ip4r qwdnsbl.njabl.org 127.0.0.2 0 0
DSBLSINGLE ip4r list.dsbl.org * 0 0
ORDB ip4r relays.ordb.org * 0 0
KUNDENSERVER ip4r relays.bl.kundenserver.de 127.0.0.2 0 0
* GROUPEND

By definition, each test could only be part of one group. Nested grouping would not be supported. One could define either "OR" or "AND" condition for the group.

This may be a simple way to address some of the frequent requests to "combine" tests with AND and OR without having to introduce a complete "scripting" language.

Best Regards
Andy Schmidt
H&M Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/

-Original Message-
From: Andy Schmidt [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 17, 2004 05:59 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [Declude.JunkMail] IP4R DNS lookup

Hi,

I have used filters to "summarize" categories of ip4r and other tests.

All the open relay tests will fail ONE filter. So whether one or 4 black-lists say it's an open relay - it will only get ONE weight.

All the DUL/DUHL will fail ONE filter. So, whether a dial-up or dynamic port is listed in one or many black-lists - it will only get ONE weight.

This technique allowed me to check against MORE blacklists AND define a higher weight for each "class" of blacklist. I don't have to fear that just because a dial-up port is "widely known" it will suddenly fail JUST on that.

Best Regards
Andy
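
The grouping behaviour proposed above, as an added example (not Declude code; GROUP...GROUPEND is the poster's proposed syntax, not an existing Declude feature): a small parser and scorer in which a group contributes its weight once, however many member blacklists hit. The one-definition-per-line layout and all function names are assumptions.

```python
from dataclasses import dataclass, field

# Constructed input: the block from the post, laid out one definition per line.
PROPOSED_CFG = """\
OPENRELAY GROUP OR * 5 0
SORBS-SMTP ip4r dnsbl.sorbs.net 127.0.0.5 0 0
AHBLRELAYS ip4r dnsbl.ahbl.org 127.0.0.2 0 0
NJABLRELAYS ip4r qwdnsbl.njabl.org 127.0.0.2 0 0
DSBLSINGLE ip4r list.dsbl.org * 0 0
ORDB ip4r relays.ordb.org * 0 0
KUNDENSERVER ip4r relays.bl.kundenserver.de 127.0.0.2 0 0
* GROUPEND
"""


@dataclass
class Group:
    name: str
    mode: str          # "OR": any member fails; "AND": every member fails
    fail_weight: int   # added once when the group condition is met
    pass_weight: int   # added when it is not met
    members: list = field(default_factory=list)


def parse_groups(text):
    """Parse GROUP...GROUPEND blocks, enforcing the two rules in the proposal:
    a test belongs to at most one group, and groups do not nest."""
    groups, current, seen = [], None, set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue
        if len(tok) == 6 and tok[1] == "GROUP":
            if current is not None:
                raise ValueError(f"line {lineno}: nested groups are not supported")
            if tok[2] not in ("OR", "AND"):
                raise ValueError(f"line {lineno}: condition must be OR or AND")
            current = Group(tok[0], tok[2], int(tok[4]), int(tok[5]))
        elif tok[-1] == "GROUPEND":
            if current is None:
                raise ValueError(f"line {lineno}: GROUPEND without GROUP")
            groups.append(current)
            current = None
        elif current is not None:
            if len(tok) != 6:
                raise ValueError(f"line {lineno}: expected 6 fields in a test")
            if tok[0] in seen:
                raise ValueError(f"line {lineno}: {tok[0]} is already in a group")
            seen.add(tok[0])
            current.members.append(tok[0])
        # Test definitions outside any group are not scored by this sketch.
    if current is not None:
        raise ValueError("missing GROUPEND")
    return groups


def group_weight(group, failed_tests):
    """Weight a single group contributes for the set of failed test names."""
    hits = [m for m in group.members if m in failed_tests]
    if group.mode == "OR":
        fired = bool(hits)
    else:
        fired = len(hits) == len(group.members)
    return group.fail_weight if fired else group.pass_weight


def total_weight(groups, failed_tests):
    return sum(group_weight(g, failed_tests) for g in groups)


if __name__ == "__main__":
    groups = parse_groups(PROPOSED_CFG)
    for failed in ({"ORDB"}, {"ORDB", "SORBS-SMTP", "AHBLRELAYS", "DSBLSINGLE"}):
        print(sorted(failed), "->", total_weight(groups, failed))
```
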
Re: [Declude.JunkMail] Error allowed message through
What happened here, this message failed miserably and was still delivered to the user. I hold at 30 this weighed in at 81, it says last action IGNORE but I don't have any ignore lines in my junkmail file.

06/18/2004 09:39:31 Qf08d0038022e15b0 ERROR: Could not open recip file D:\IMail\spool\_f08d0038022e15b0.~MD [2]

The problem here is that something is interfering with Declude. Specifically, after Declude JunkMail "locks" the Q*.SMD file per the IMail specs (by renaming it to _*.~MD), something renamed or deleted it. Since the file is gone, Declude JunkMail can't tell what recipients there may have been, and therefore the actions may not end up being what they otherwise would have been.

-Scott
Re: [Declude.JunkMail] IP4R DNS lookup
I posted my May Ip4R results at this link if you want to compare percents.
http://www.mail-archive.com/[EMAIL PROTECTED]/msg19089.html

I don't fail on any specific tests, although some are at 90% of my tag weight.

Like Andy I also group tests too. I have a DUL-Combo that consists of 4 DUL tests. I have a proxy-combo that has numerous proxy and relay tests.

Scott Fisher
Director of IT
Farm Progress Companies

>>> [EMAIL PROTECTED] 06/17/04 03:57PM >>>
I was wondering how reliable the ip4r lookups are. There seems to be a lot of SPAM that is only failing one of the ip4r tests (SORBS, SBL, AHBL, etc) and no more of the tests, hence delivering the SPAM. Is it safe to increase the weight of all these test to my deletion weight in order to stop them from being delivered or are there some false positives that may be caught?

Isaias Hernandez
TC Online Internet Support
979-775-6239
[EMAIL PROTECTED]
[Declude.JunkMail] Error allowed message through
What happened here, this message failed miserably and was still delivered to the user. I hold at 30 this weighed in at 81, it says last action IGNORE but I don't have any ignore lines in my junkmail file.

06/18/2004 09:39:31 Qf08d0038022e15b0 ERROR: Could not open recip file D:\IMail\spool\_f08d0038022e15b0.~MD [2]
06/18/2004 09:39:31 Qf08d0038022e15b0 Msg failed WEIGHT30 (Weight of 81 reaches or exceeds the limit of 30.). Action=ROUTETO.
06/18/2004 09:39:31 Qf08d0038022e15b0 ERROR: Could not open recip file D:\IMail\spool\_f08d0038022e15b0.~MD [2]
06/18/2004 09:39:31 Qf08d0038022e15b0 L1 Message OK
06/18/2004 09:39:31 Qf08d0038022e15b0 Subject:
06/18/2004 09:39:31 Qf08d0038022e15b0 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 221.124.183.82 ID: mz199JIWbN93D0AF
06/18/2004 09:39:31 Qf08d0038022e15b0 Tests failed [weight=81]: SORBS-HTTP=WARN SORBS-SOCKS=WARN SORBS-MISC=WARN SORBS-SPAM=IGNORE SPAMCOP=WARN SXBL=WARN HELOBOGUS=WARN REVDNS=WARN IPNOTINMX=WARN GRABBER=ROUTETO WEIGHT30=ROUTETO
06/18/2004 09:39:31 Qf08d0038022e15b0 Last action = IGNORE.
06/18/2004 09:39:31 Qf08d0038022e15b0 WARNING: Could not unlock D:\IMail\spool\_f08d0038022e15b0.~MD; it has been deleted.

version 1.79i6

Ideas?

Rick Davidson
National Systems Manager
North American Title Group
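
A log check for the condition discussed in this thread, as an added example (not Declude code and not from either poster): it groups log lines by queue ID and flags messages whose weight threshold fired with one action while the log ends in "Last action = IGNORE". The first sample lines are taken from the post above; the Q0000000000000001 lines, the shape of a normal "Last action" line and all function names are constructed assumptions.

```python
import re

# Lines for Qf08d0038022e15b0 are from the post; the last two are constructed.
SAMPLE_LOG = r"""
06/18/2004 09:39:31 Qf08d0038022e15b0 ERROR: Could not open recip file D:\IMail\spool\_f08d0038022e15b0.~MD [2]
06/18/2004 09:39:31 Qf08d0038022e15b0 Msg failed WEIGHT30 (Weight of 81 reaches or exceeds the limit of 30.). Action=ROUTETO.
06/18/2004 09:39:31 Qf08d0038022e15b0 ERROR: Could not open recip file D:\IMail\spool\_f08d0038022e15b0.~MD [2]
06/18/2004 09:39:31 Qf08d0038022e15b0 L1 Message OK
06/18/2004 09:39:31 Qf08d0038022e15b0 Last action = IGNORE.
06/18/2004 09:39:31 Qf08d0038022e15b0 WARNING: Could not unlock D:\IMail\spool\_f08d0038022e15b0.~MD; it has been deleted.
06/18/2004 09:40:02 Q0000000000000001 Msg failed WEIGHT30 (Weight of 42 reaches or exceeds the limit of 30.). Action=ROUTETO.
06/18/2004 09:40:02 Q0000000000000001 Last action = ROUTETO.
"""

ENTRY = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (Q\w+) (.*)$")
THRESHOLD = re.compile(
    r"Msg failed (WEIGHT\d+) \(Weight of (-?\d+) reaches or exceeds "
    r"the limit of (-?\d+)\.\)\. Action=(\w+)\."
)
LAST_ACTION = re.compile(r"Last action = (\w+)\.")


def summarize(lines):
    """Collect per-message facts from log lines, keyed by spool queue ID."""
    messages = {}
    for line in lines:
        entry = ENTRY.match(line.strip())
        if not entry:
            continue  # blank or unrecognized line
        _, qid, text = entry.groups()
        msg = messages.setdefault(qid, {
            "queue_id": qid, "weight": None, "limit": None,
            "threshold_action": None, "last_action": None,
            "recip_errors": 0, "lock_lost": False,
        })
        hit = THRESHOLD.search(text)
        # If several weight thresholds fired, keep the one with the highest limit.
        if hit and (msg["limit"] is None or int(hit.group(3)) > msg["limit"]):
            msg["weight"] = int(hit.group(2))
            msg["limit"] = int(hit.group(3))
            msg["threshold_action"] = hit.group(4)
        last = LAST_ACTION.search(text)
        if last:
            msg["last_action"] = last.group(1)
        if text.startswith("ERROR: Could not open recip file"):
            msg["recip_errors"] += 1
        if text.startswith("WARNING: Could not unlock"):
            msg["lock_lost"] = True
    return list(messages.values())


def find_fail_open(lines):
    """Messages that crossed a weight threshold configured with an action
    other than IGNORE, but whose final logged action was IGNORE."""
    flagged = []
    for msg in summarize(lines):
        intended = msg["threshold_action"]
        if intended and intended != "IGNORE" and msg["last_action"] == "IGNORE":
            flagged.append(msg)
    return flagged


if __name__ == "__main__":
    for msg in find_fail_open(SAMPLE_LOG.splitlines()):
        print("{queue_id}: weight {weight} >= {limit}, wanted "
              "{threshold_action}, got {last_action}; recip-file errors: "
              "{recip_errors}, lock lost: {lock_lost}".format(**msg))
```

The recip-file error count and the lost-lock flag are reported alongside each hit because, per the reply in this thread, a spool file that disappears after locking is what leaves the configured action unapplied.
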
Re: [Declude.JunkMail] TESTSFAILED END Question
Correct format. It should show up at high level logs.

Scott Fisher
Director of IT
Farm Progress Companies

>>> [EMAIL PROTECTED] 06/17/04 05:12PM >>>
I saw this post below and wanted to implement the "TESTSFAILED" to exit out of one of my body filters based on if another test was already triggered.

Is the below line correct (assuming REVERSEDNSFILTER is one of my filters that occurs before the filter I put the below line in)?

TESTSFAILED END CONTAINS REVERSEDNSFILTER [2]

When that line is matched does it show in the logs?

Darrell
-
Check out http://www.invariantsystems.com for utilities for Declude and Imail.

Scott Fisher writes:

> I haven't found any easy way to tell. The information is in the logs at high level.
>
> But I can chime in that SKIPIFWEIGHT bypasses about 80% of my e-mail that is
> obviously spam. TESTSFAILED ENDS for "friendly domains/revdns" drop off about 8% of
> e-mail that is most likely not spam, leaving about 12% of the e-mail that I run body
> filters on.
>
> Scott Fisher
> Director of IT
> Farm Progress Companies
> [EMAIL PROTECTED] 06/17/04 12:03PM >>>
> Matt-
>
> My body filters only catch about 4% of messages, but I don't know how often
> they are run. Is there a convenient way to tell?
>
> -d
>
> - Original Message -
> From: "Matt" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, June 17, 2004 12:40 PM
> Subject: Re: [Declude.JunkMail] Declude and attachments
>
>> Scott,
>>
>> I've got a lot more BODY filters than Dave has, though I don't feel that
>> they are excessive. I probably have about 1,500 BODY searches, but with
>> SKIPIFWEIGHT they only run about 25% of the time.
>>
>> If Dave is using Declude Virus, I would also look there for the issue.
>> Anything besides F-Prot and ClamAV in daemon mode will chug a server on
>> a large attachment and it will use up far more processing than Declude
>> JunkMail, but it will keep the Declude instance alive for longer. On
>> about 65,000 messages a day currently, we generally see from 2 to 10
>> Declude processes running at one time with both F-Prot and AVG enabled
>> (much less with just F-Prot). Disabling AVG results in our average
>> processor utilization dropping by 1/3 to 1/2 on heavy load hours.
>>
>> Matt
>>
>> R. Scott Perry wrote:
>>
>> >> One instance of Declude, then two, then three, all in the 25%+ range. As
>> >> soon as it dropped to two Decludes, Queue Manager came right in at
>> >> 30-40%,
>> >> then the cycles dropped as QueueManager dropped down.
>> >
>> > It does sound like it is the large files that are causing the problem.
>> >
>> > One option would be to temporarily disable the BODY filter with the
>> > 200 lines in it, to see if that prevents the problem with the high CPU
>> > usage in Declude JunkMail. That could indeed be causing the problem.
>> >
>> > The other would be to use the debug mode ("LOGLEVEL DEBUG" in the
>> > \IMail\Declude\global.cfg file) and waiting for one of these files to
>> > be sent. We can look at the debug log file entries to get a better
>> > idea of where the high CPU usage is occurring.
>> >
>> > -Scott
>>
>> --
>> =
>> MailPure custom filters for Declude JunkMail Pro.
>> http://www.mailpure.com/software/
>> =
RE: [Declude.JunkMail] Weight Ranges
> >Also if I do not want these tests to show up in the %TESTSFAILED%
> >variable then would I add
> >
> >HIDETESTS WEIGHT1019 WEIGHT2029..
> >
> >And would I need to put in the $default$.junkmail file
> >
> >WEIGHT1019 LOG
>
> Correct. Note that you could simply not include the WEIGHT1019 line in the
> $default$.JunkMail file, which would have the same effect.

Personally I like to have it written down in the .junkmail file so that there is no confusion about the test and if it is being employed etc. The KISS principle.

Thanx

Goran
Re: [Declude.JunkMail] Weight Ranges
> How much extra processing to an e-mail does adding a bunch of weight range statements like:
>
> WEIGHT1019 weightrange x x 10 19
> WEIGHT2029 weightrange x x 20 29
> WEIGHT3034 weightrange x x 30 34
> WEIGHT3539 weightrange x x 35 39
>
> I really just want these just to report on from the logs rather than take action on them during e-mail processing. My guess is that it should not take too much CPU.

You are correct; the weightrange tests use only a negligible amount of CPU time.

> Also if I do not want these tests to show up in the %TESTSFAILED% variable then would I add
>
> HIDETESTS WEIGHT1019 WEIGHT2029..
>
> And would I need to put in the $default$.junkmail file
>
> WEIGHT1019 LOG

Correct. Note that you could simply not include the WEIGHT1019 line in the $default$.JunkMail file, which would have the same effect.

-Scott
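Added example, not part of the original messages and not Declude code: the same weight-range reporting done offline from collected X-Spam-Tests-Failed header lines, in the format quoted earlier on this page. It assumes that the bracketed number is the total weight and that the last two weightrange fields are inclusive bounds; the sample headers are constructed.

```python
import re
from collections import Counter

# Range lines as quoted in the thread; LOW/HIGH assumed inclusive.
CONFIG = """\
WEIGHT1019 weightrange x x 10 19
WEIGHT2029 weightrange x x 20 29
WEIGHT3034 weightrange x x 30 34
WEIGHT3539 weightrange x x 35 39
"""

# Constructed samples; "[n]" is assumed to be the message's total weight.
SAMPLE_HEADERS = [
    "X-Spam-Tests-Failed: CMDSPACE, REVDNS, WEIGHT5, WEIGHT5r [7]",
    "X-Spam-Tests-Failed: CMDSPACE, REVDNS [12]",
    "X-Spam-Tests-Failed: REVDNS, SNIFFER [25]",
    "X-Spam-Tests-Failed: CMDSPACE, SNIFFER [34]",
    "X-Spam-Tests-Failed: CMDSPACE, REVDNS, SNIFFER [35]",
    "X-Spam-Tests-Failed: REVDNS",  # weight missing: counted as unparsed
]

def parse_ranges(cfg):
    # Keep only "NAME weightrange x x LOW HIGH" lines, sorted by low bound.
    rows = [line.split() for line in cfg.splitlines()]
    return sorted(((f[0], int(f[4]), int(f[5])) for f in rows
                   if len(f) == 6 and f[1].lower() == "weightrange"),
                  key=lambda r: r[1])

def range_problems(ranges):
    # A gap silently drops weights from the report; an overlap is ambiguous.
    problems = []
    for (a, _, a_hi), (b, b_lo, _) in zip(ranges, ranges[1:]):
        if b_lo > a_hi + 1:
            problems.append(f"gap between {a} and {b}: {a_hi + 1}-{b_lo - 1}")
        elif b_lo <= a_hi:
            problems.append(f"overlap between {a} and {b}")
    return problems

def report(headers, cfg=CONFIG):
    # Count messages per configured range, plus "outside" and "unparsed".
    ranges = parse_ranges(cfg)
    counts = Counter()
    for h in headers:
        m = re.search(r"\[(-?\d+)\]\s*$", h)
        w = int(m.group(1)) if m else None
        name = "unparsed" if w is None else next(
            (n for n, lo, hi in ranges if lo <= w <= hi), "outside")
        counts[name] += 1
    return counts
```

Running range_problems on the parsed ranges before report shows whether a weight could fall between two ranges and go uncounted.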
CBL:RE: Re[2]: [Declude.JunkMail] Content Rules plus/vs. Sniffer?
Maybe Pete can provide some tips what would be good combinations.

Like IP4R + SNIFFER = good because SNIFFER makes no DNS lookups
But not FILTERX + SNIFFER because SNIFFER checks for this already.

Markus