Re: [Declude.JunkMail] logfile naming

2004-06-30 Thread smb
Having done this (rename, move, zip) with the Declude logfiles, the tricky part is
dealing with the rollover of the logfile at midnight and at the end of each month.

Stu


At 04:10 PM 06/30/2004 -0700, you wrote:
>
>> You could use something like:
>> LOGFILE spool\dec2004.log
>
>I was hoping to avoid a kludge like this.  Coming from a UNIX background
>I don't like to manually do tasks that should be automatic (or
>automagical :-) and easy.
>
>I'm getting pretty good at writing scripts that run from the scheduler
>and do what has to be done.
>
>Thanks to all for the suggestions..
>
>
>Rod
>
>-- 
>Roderick A. Anderson
>Project Manager
>Technology Services Management Group

>Spokane WA, 99202
>
>---
>[This E-mail scanned for viruses by Declude Virus]
>
>---
>[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
>
>---
>This E-mail came from the Declude.JunkMail mailing list.  To
>unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
>type "unsubscribe Declude.JunkMail".  The archives can be found
>at http://www.mail-archive.com.
>
>
-
CSOnline Technical Support Normal hours - Monday thru Saturday 8am - 12pm 

CSOnline Technical Support Numbers 
Seneca 814-677-2447   Clarion   814-227-3638   Cochranton   814-425-1696
Parker 724-399-1158   GremLan   814-337-7060
http://www.csonline.net  http://www.cshowcase.com  http://www.learncenter.com
http://www.gremlan.org  
-



Re: [Declude.JunkMail] logfile naming

2004-06-30 Thread Roderick A. Anderson

> You could use something like:
> LOGFILE spool\dec2004.log

I was hoping to avoid a kludge like this.  Coming from a UNIX background
I don't like to manually do tasks that should be automatic (or
automagical :-) and easy.

I'm getting pretty good at writing scripts that run from the scheduler
and do what has to be done.

Thanks to all for the suggestions..


Rod

-- 
Roderick A. Anderson
Project Manager
Technology Services Management Group 

Spokane WA, 99202



RE: [Declude.JunkMail] logfile naming

2004-06-30 Thread John Tolmachoff (Lists)
> >> The docs say a  in the filename used with LOGFILE will be replaced
> >> with the month and day.  Is there a way to get the year -- four
> >> (preferred) or two digit -- included?
> >
> >
> You could use something like:
>   LOGFILE spool\dec2004.log

But then he would have to remember to change it on January 1 of each year.

;-)>

John Tolmachoff
Engineer/Consultant/Owner
eServices For You




Re: [Declude.JunkMail] logfile naming

2004-06-30 Thread R. Scott Perry

> The docs say a  in the filename used with LOGFILE will be replaced
> with the month and day.  Is there a way to get the year -- four
> (preferred) or two digit -- included?

Unfortunately, there is no way to get the year in there.  Although if you 
are creative, it might be possible to use a batch file to automatically 
rename them each day.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.



Re: [Declude.JunkMail] logfile naming

2004-06-30 Thread Mike Leonard

> The docs say a  in the filename used with LOGFILE will be replaced
> with the month and day.  Is there a way to get the year -- four
> (preferred) or two digit -- included?

You could use something like:
LOGFILE spool\dec2004.log
That way, you'd only have to remember to change it once a year.

Mike


[Declude.JunkMail] logfile naming

2004-06-30 Thread Roderick A. Anderson
The docs say a  in the filename used with LOGFILE will be replaced
with the month and day.  Is there a way to get the year -- four
(preferred) or two digit -- included?


TIA,
Rod

-- 
Roderick A. Anderson
Technology Services Management Group 

Spokane WA, 99202



Re: [Declude.JunkMail] Logging order

2004-06-30 Thread R. Scott Perry

> I'm Sorry if this is a question that's already been answered (I couldn't 
> find anything in the archives).  If an email is tagged as SPAM in Declude 
> Junkmail, is it still entered in IMail's log file (log.txt) as being 
> received? Does IMail get the email and pass it to Declude, or does Declude 
> get it first?

It depends on what Declude does.  If Declude blocks it (with DELETE or 
HOLD, for example), then the IMail SMTP log file will not show it as being 
delivered (it will show the SMTPD entries, but no "processing" or 
"ldeliver" lines).  However, if Declude does something else such as alter 
the headers or subject, it will show up as being delivered.

   -Scott


Re: [Declude.JunkMail] Question on SPF Setup. Was under You **May** etc **May** etc

2004-06-30 Thread Darin Cox
I agree that SPF is not very useful in the situation Matt outlined.  We're
in the same boat with users that may use their ISP or us to send mail from
their domain.  While SPF attempts to handle it through a switch that
references other providers' SPF records, it's just not practical to list all
possible ISPs that an end user could use to send mail.

However, I have seen benefit from specifying domains that do not send mail.
Spam that spoofs the from address as one of these domains is getting
blocked...some of which was not previously getting blocked (sorry don't have
firm numbers yet).

Also, it is useful for corporate customers that can guarantee that all email
will pass through one of a few mail servers.  Only problem there is
travelers who would then need to VPN or otherwise authenticate with one of
those servers in order to pass SPF.

Darin.


----- Original Message -----
From: "Matt" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, June 30, 2004 11:24 AM
Subject: Re: [Declude.JunkMail] Question on SPF Setup. Was under You **May**
etc **May** etc


Grant Griffith - Declude JM wrote:

>If someone sends an email and it shows up on our server as a 64. address.
>What about when the message is delivered to someone at AOL?  Will it also
>see the 64. address, therefore fail the SPF test on their end also?
>
>

Sorry to butt in on this one...Yes, SPF would fail on other systems as
well in that situation.

As far as I can tell, SPF-PASS is not useful because there is nothing
stopping a spammer that owns a server to set SPF up for it.  Setting up
SPF for your domain is also IMO a bad idea unless you can guarantee that
all of your users will only come from certain IP's when they send
E-mail.  For instance, although I prefer to be the outgoing SMTP server
for my clients, some of them are either blocked by their ISP from
sending E-mail through my server (port 25 blocking), or they just simply
chose to set up their computers to use their ISP's mail server instead
of our own.  Therefore, I don't have a single client that I can
guarantee that they will be coming from a particular range of IP's.
While some people around here might only add a few points for such a
failure, some have said that they will automatically hold any such
messages that fail and I'm sure that there are people out there that
will delete on such failures.

You can set up SPF for your domain that states that the domain can be
used from any IP, however I don't see any value in stating that
something can come from anywhere when that in effect is the status quo.

SPF is an interesting idea, but they're missing a step or two that would
really make it useful IMO.  The SPF folks recently agreed to merge their
spec with Microsoft's and that might produce a more accurate test, but I
haven't been following developments closely and can't say for sure.
Practically speaking, it's the openness of E-mail and the fact that it
was never designed or implemented to prevent spoofing that is the cause
of this problem, and the best way to get at the issue might be to simply
re-write SMTP to allow for authentication of non-local E-mail.

I'm sure that Scott, Sandy and others have a different perspective.
They are both fans of SPF and I am not.  Who knows, maybe it is me that
is missing something.  I won't implement SPF on my domains at this time
because of the possibility of some other admin blocking their E-mail in
that 1% that doesn't come through my server, and to list them as
non-specific to address space carries no apparent value.

Matt

-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=




Re: [Declude.JunkMail] Question on SPF Setup. Was under You **May** etc **May** etc

2004-06-30 Thread Matt
R. Scott Perry wrote:

> In this case, what you should do is use "v=spf1 mx ?all".  That says 
> "If the E-mail is coming from an IP in our MX record, we authorize 
> it.  If it is coming from any other IP, we can't say whether or not it 
> is legitimate -- treat it the same as if we have no SPF record."

In theory this works perfectly, but even on this list people have 
suggested adding at least some points for the ?all condition.  You have 
to consider the idiot factor and the problems that this can cause (such 
as blocking on ?all results, and to a lesser extent adding points).  For 
instance, even AOL is using a system that allows for blocking perfectly 
legitimate IP's when messages are forwarded to their servers and someone 
presses their spam submit button.  Challenge/Response is another perfect 
example of mass lunacy, in fact some C|Net figurehead was on CNN just a 
few days ago talking about how all E-mail will eventually move into a 
scenario that requires C/R.  Mass idiocy abounds, and spam protection 
has become the same thing as the Internet circa 1996.

So while the danger is minimal with ?all, it is there and I would prefer 
to not contribute my domains until I can be sure that people can't use 
their systems to punish my users for not coming from my own server.  I 
have no idea what that would take to accomplish unfortunately.  Even 
scoring SPF-FAIL is somewhat problematic because I'm sure that there are 
many administrators that don't list ?all conditions when they should, 
and the potential of false positives aren't worth the benefit currently 
in spam blocking.  The stats that Scott Fisher shared are certainly 
interesting, although anecdotal without my ability to verify them.

> I believe that would be the best answer.  Unfortunately, that is a 
> huge undertaking -- the amount of time it would take to get a good 
> group of people to write it and agree to it, plus the time it would 
> take to implement (all mail clients would need to be re-written), 
> would make it very time consuming.

Well, I'm not holding my breath waiting for that to happen :)   I would 
of course support it if it did.

As far as I can tell, the only things that are worth whitelisting are 
local authenticated users whereas whitelisting (or crediting in a weight 
system) seems to be what all of this SPF/Caller ID stuff was primarily 
designed for early on, yet it is its biggest failure thus far.  I don't 
see any possibility of that working in the foreseeable future.

What I do think would work much better in the near term would be for 
every mail server to support and require SMTP AUTH through port 587 as 
proposed, and then have every ISP out there block port 25 which would be 
used exclusively for non-AUTH'ed E-mail between systems.  That would cut 
the zombie problem down dramatically without interrupting service, but 
this will probably take 5 years or more to widely implement.  I think 
this would have a much larger effect than SPF in terms of blocking 
forging E-mail, the majority of which comes from PC's attached to these 
residential ISP's presently.  AUTH hacking, or even server hacking 
however will become much more predominant when the bar is raised in this 
manner, but there should be many fewer machines to track.  For now, I 
consider broadband ISP's to be honeypots for both the spammer and for my 
system of blocking spammers, and I like it that way :)  Probably 90% of 
what gets through my system is from spammers that have their own IP 
space assigned to them, but haven't yet been tagged.

Matt


[Declude.JunkMail] Logging order

2004-06-30 Thread Michael Graveen
I'm Sorry if this is a question that's already been answered (I couldn't 
find anything in the archives).  If an email is tagged as SPAM in Declude 
Junkmail, is it still entered in IMail's log file (log.txt)as being 
received? Does IMail get the email and pass it to Declude, or does Declude 
get it first?

Thanks,
Mike


Re: [Declude.JunkMail] Question on SPF Setup. Was under You **May** etc **May** etc

2004-06-30 Thread R. Scott Perry

> Sorry to butt in on this one...Yes, SPF would fail on other systems as 
> well in that situation.

If the client connects directly to AOL, SPF would fail.  But if it is sent 
through the mailserver, it should not fail.

> As far as I can tell, SPF-PASS is not useful because there is nothing 
> stopping a spammer that owns a server to set SPF up for it.

True -- but that makes it easier to detect the spammers.  Once they have a 
domain to use, it can be blocked.  People will likely start RHSBLs listing 
domains that have sent out spam that appear to be owned by spammers.

> Setting up SPF for your domain is also IMO a bad idea unless you can 
> guarantee that all of your users will only come from certain IP's when 
> they send E-mail.  For instance, although I prefer to be the outgoing SMTP 
> server for my clients, some of them are either blocked by their ISP from 
> sending E-mail through my server (port 25 blocking), or they just simply 
> chose to set up their computers to use their ISP's mail server instead of 
> our own.  Therefore, I don't have a single client that I can guarantee 
> that they will be coming from a particular range of IP's.

In this case, what you should do is use "v=spf1 mx ?all".  That says "If 
the E-mail is coming from an IP in our MX record, we authorize it.  If it 
is coming from any other IP, we can't say whether or not it is legitimate 
-- treat it the same as if we have no SPF record."

If you don't know all the IPs that users may send mail from, using "-all" 
at the end ("anyone not listed in the SPF record is not authorized to send 
mail from this domain") is bad.  But using "?all" at the end lets users who 
do send mail through your mailserver pass SPF, whereas nobody else will 
fail.  Yes, it provides less protection from joe jobs (spammers using your 
domain may or may not get their mail through, since SPF won't prevent 
them), but it also allows your other users to get their mail through.

> You can set up SPF for your domain that states that the domain can be used 
> from any IP, however I don't see any value in stating that something can 
> come from anywhere when that in effect is the status quo.

Using "+all" is definitely bad (you're giving spammers permission to send 
mail from your domain).  But "?all" is fine.

> Practically speaking, it's the openness of E-mail and the fact that it was 
> never designed or implemented to prevent spoofing that is the cause of 
> this problem, and the best way to get at the issue might be to simply 
> re-write SMTP to allow for authentication of non-local E-mail.

I believe that would be the best answer.  Unfortunately, that is a huge 
undertaking -- the amount of time it would take to get a good group of 
people to write it and agree to it, plus the time it would take to 
implement (all mail clients would need to be re-written), would make it 
very time consuming.

   -Scott
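Added example, not part of the original post and not Declude's code: a simplified SPF evaluator (only the `mx`, `ip4` and `all` mechanisms) run against the addresses mentioned in this thread, to show how the `?all`, `-all` and `+all` endings change the result for the connecting IP. The domain example.com, the MX address 12.177.8.50 and the in-memory MX table are assumptions made so the check runs without DNS.

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline: the MX host of the
# placeholder domain example.com is assumed to resolve to one address inside
# the 12.177.8.48 - 12.177.8.63 server range mentioned in the thread.
MX_ADDRESSES = {"example.com": ["12.177.8.50"]}

# SPF qualifiers and the result each one yields when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, connecting_ip, domain, mx_addresses=None):
    """Evaluate a simplified SPF record against the IP that opened the SMTP
    connection. Only ip4, mx and all are handled; anything else is reported
    as permerror rather than guessed at."""
    if mx_addresses is None:
        mx_addresses = MX_ADDRESSES
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no SPF policy published
    ip = ipaddress.ip_address(connecting_ip)

    # Mechanisms are tested left to right; the first match decides the result.
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a qualifier means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            matched = True
        elif name == "ip4":
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = ip in network
        elif name == "mx":
            hosts = mx_addresses.get(arg or domain, [])
            matched = any(ip == ipaddress.ip_address(a) for a in hosts)
        else:
            return "permerror"  # outside the subset this sketch supports

        if matched:
            return QUALIFIERS[qualifier]

    return "neutral"  # nothing matched and the record has no "all" term


def compare_policies():
    """Return {record: (result via mailserver, result for direct client)}."""
    via_server = "12.177.8.50"      # mail relayed through the domain's server
    direct_client = "64.77.164.248"  # remote client address from the thread
    records = (
        "v=spf1 mx ?all",
        "v=spf1 mx -all",
        "v=spf1 +all",
        "v=spf1 ip4:12.177.8.48/28 ?all",  # the 16-address range as a CIDR
    )
    return {
        r: (check_spf(r, via_server, "example.com"),
            check_spf(r, direct_client, "example.com"))
        for r in records
    }


if __name__ == "__main__":
    for record, (relayed, direct) in compare_policies().items():
        print(f"{record:34} relayed={relayed:8} direct={direct}")
```

With `?all` the directly connecting client gets a neutral result instead of a failure, while `+all` passes every sender, including ones the domain owner never authorized.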


[Declude.JunkMail] DLAnalyzer 3.0 Released (New Free Version Available)

2004-06-30 Thread DLAnalyzer Support
We are pleased to announce that DLAnalyzer 3.0 is now available.  With 
version 3.0 we are introducing a Lite version that is FREE. 

To download DLAnalyzer 3.0, please visit:
http://www.invariantsystems.com/ 

New Features In DLAnalyzer 3.0
* Last Action Summary Report
* Test Breakdown Summary Report
* Weight Range Summary Report
* IP Summary Report
* Easily Work With Multiple Configurations with the "-c" Command Line 
Parameter
* Ability To Exclude Tests In The Overall Server Test Summary
* Domain Summary - Last Action Filter
* Domain Summary - Weight Range Filter
* Domain Summary - Zero Message Domain Suppression
* Customized Advanced Report Output (HTML & TEXT)
* Advanced Report - Last Action Filter
* Advanced Report - Weight Range Filter
* SMTP Auth Support
* SMTP Multiple To: Addresses
* SMTP BCC: Addresses
* SMTP CC: Addresses
* GUI Configuration Utility Supports Multiple Configuration Files
* Plus Many More... 

If you have any questions let us know.
Darrell 

-
Check out http://www.invariantsystems.com for utilities for Declude and 
Imail. 



RE: [Declude.JunkMail] Question on SPF Setup. Was under You **May** etc **May** etc

2004-06-30 Thread R. Scott Perry

> If someone sends an email and it shows up on our server as a 64. address.
> What about when the message is delivered to someone at AOL?  Will it also
> see the 64. address, therefore fail the SPF test on their end also?

No.  AOL will only see the IP address of your server, and use that for 
determining if the E-mail should fail SPF.  Since your mailserver is listed 
as one of the IPs that are allowed to send per your SPF record, AOL will 
pass SPF.

   -Scott


Re: [Declude.JunkMail] Question on SPF Setup. Was under You **May** etc **May** etc

2004-06-30 Thread Matt
Grant Griffith - Declude JM wrote:

> If someone sends an email and it shows up on our server as a 64. address.
> What about when the message is delivered to someone at AOL?  Will it also
> see the 64. address, therefore fail the SPF test on their end also?

Sorry to butt in on this one...Yes, SPF would fail on other systems as 
well in that situation.

As far as I can tell, SPF-PASS is not useful because there is nothing 
stopping a spammer that owns a server to set SPF up for it.  Setting up 
SPF for your domain is also IMO a bad idea unless you can guarantee that 
all of your users will only come from certain IP's when they send 
E-mail.  For instance, although I prefer to be the outgoing SMTP server 
for my clients, some of them are either blocked by their ISP from 
sending E-mail through my server (port 25 blocking), or they just simply 
chose to set up their computers to use their ISP's mail server instead 
of our own.  Therefore, I don't have a single client that I can 
guarantee that they will be coming from a particular range of IP's.  
While some people around here might only add a few points for such a 
failure, some have said that they will automatically hold any such 
messages that fail and I'm sure that there are people out there that 
will delete on such failures.

You can set up SPF for your domain that states that the domain can be 
used from any IP, however I don't see any value in stating that 
something can come from anywhere when that in effect is the status quo.

SPF is an interesting idea, but they're missing a step or two that would 
really make it useful IMO.  The SPF folks recently agreed to merge their 
spec with Microsoft's and that might produce a more accurate test, but I 
haven't been following developments closely and can't say for sure.  
Practically speaking, it's the openness of E-mail and the fact that it 
was never designed or implemented to prevent spoofing that is the cause 
of this problem, and the best way to get at the issue might be to simply 
re-write SMTP to allow for authentication of non-local E-mail.

I'm sure that Scott, Sandy and others have a different perspective.  
They are both fans of SPF and I am not.  Who knows, maybe it is me that 
is missing something.  I won't implement SPF on my domains at this time 
because of the possibility of some other admin blocking their E-mail in 
that 1% that doesn't come through my server, and to list them as 
non-specific to address space carries no apparent value.

Matt


[Declude.JunkMail] Spam Bounty Hunters...?

2004-06-30 Thread Jason @ AreaTech
http://www.msnbc.msn.com/id/5326107/


Re: [Declude.JunkMail] FW: You **MAY** have spam

2004-06-30 Thread Matt
CIDR ranges do work.  I believe the manual contains examples of this.  
For example:

IPBYPASS 24.73.160.162
WHITELISTIP 192.168.0.1/24

Just to be clear on the conditions present, the whitelisting won't work 
if you have users that connect directly (or through your firewall when 
IPBYPASS'ed) from other networks.  For example, a user that is 
connecting from home using their own broadband connection to send E-mail 
directly to your SMTP server will not be whitelisted using this method, 
and this would also result in them failing SPF under this setup, and 
might fail CMDSPACE.  If you have remote users like this, the suggested 
fix won't work as desired and if you are running IMail 7 and not IMail 
8, both SPF and CMDSPACE are probably inappropriate (you can add 
WHITELIST AUTH to your global.cfg with IMail 8 that will take care of 
this problem, but this won't work with IMail 7).

Matt

Sharyn Schmidt wrote:
Chances are that you need to IPBYPASS the firewall's IP in your 
global.cfg and then whitelist your LAN by it's IP space.


Do I have to list each individual address separately (will put it at over
200 addresses so this won't work) or can I use a /24 notation for each
subnet block?
Sharyn
We are the worldwide producer and marketer of the award winning Cruzan
Single Barrel Rum, judged "Best in the World" at the annual
San Francisco Wine and Spirits Championships. For
more information, please click (go to) http://www.cruzanrums.com


RE: [Declude.JunkMail] Question on SPF Setup. Was under You **May** etc **May** etc

2004-06-30 Thread Grant Griffith - Declude JM
Figures we would have to upgrade.  We are at 7.1x as it has been very
stable.  Not sure we want to upgrade to problems.

If someone sends an email and it shows up on our server as a 64. address.
What about when the message is delivered to someone at AOL?  Will it also
see the 64. address, therefore fail the SPF test on their end also?

Sincerely,
Grant Griffith
EI8HT LEGS Enhanced Web Management
A Division of ETC
http://www.getafreewebsite.com
877-483-3393

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
Sent: Wednesday, June 30, 2004 9:44 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Question on SPF Setup. Was under You
**May** etc **May** etc



>This brings up a good point, if a client is located in another part of the
>US and we have no way to know what IP Address they might be using.  How can
>this be setup?  For example, our server has around 16 IP's, 12.177.8.48 to
>12.177.8.63, but we have clients that will not be connected within this
>range.  They might be something like 64.77.164.248 or something.

That is a good question.  The best way to look at this is ask "How does
IMail let this client send mail, while not allowing spammers to send
mail?"  The answer to that is SMTP AUTH.

If you're using a version of IMail before IMail v8, you're stuck there --
previous versions do not record in the information that Declude JunkMail
gets that SMTP AUTH was used.  In that case, you would need to be creative
(perhaps a filter that subtracts points for MAILFROM's that contain your
domain).

>Does the SPF test use the 64. address when doing the test or the mail
>server that the
>message is being sent from which would be in the IP range listed above?

It uses the IP that connects to the IMail server.  So if the user connects
directly, SPF would see the 64. address.

-Scott


Re: [Declude.JunkMail] Question on SPF Setup. Was under You **May** etc

2004-06-30 Thread R. Scott Perry

> This brings up a good point, if a client is located in another part of the
> US and we have no way to know what IP Address they might be using.  How can
> this be setup?  For example, our server has around 16 IP's, 12.177.8.48 to
> 12.177.8.63, but we have clients that will not be connected within this
> range.  They might be something like 64.77.164.248 or something.

That is a good question.  The best way to look at this is ask "How does 
IMail let this client send mail, while not allowing spammers to send 
mail?"  The answer to that is SMTP AUTH.

If you're using a version of IMail before IMail v8, you're stuck there -- 
previous versions do not record in the information that Declude JunkMail 
gets that SMTP AUTH was used.  In that case, you would need to be creative 
(perhaps a filter that subtracts points for MAILFROM's that contain your 
domain).

> Does the SPF test use the 64. address when doing the test or the mail 
> server that the
> message is being sent from which would be in the IP range listed above?

It uses the IP that connects to the IMail server.  So if the user connects 
directly, SPF would see the 64. address.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.



[Declude.JunkMail] Question on SPF Setup. Was under You **May** etc

2004-06-30 Thread Grant Griffith - Declude JM
This brings up a good point, if a client is located in another part of the
US and we have no way to know what IP Address they might be using.  How can
this be set up?  For example, our server has around 16 IP's, 12.177.8.48 to
12.177.8.63, but we have clients that will not be connected within this
range.  They might be something like 64.77.164.248 or something.  Does the
SPF test use the 64. address when doing the test or the mail server that the
message is being sent from which would be in the IP range listed above?

Sincerely,
Grant Griffith
EI8HT LEGS Enhanced Web Management
A Division of ETC
http://www.getafreewebsite.com
877-483-3393

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
Sent: Wednesday, June 30, 2004 7:45 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] FW: You **MAY** have spam



>This is legit, coming from my own mailserver, and it failed the SPF test.
>
>Obviously something is not correct here.
>
>Any suggestions?
>
>I have used the wizard on the pobox site and pasted the text string into a
>text record in my DNS.

The problem is that your SPF record ("v=spf1 a mx ptr -all") doesn't list
IPs that your users may be connecting to your mailserver from.

In this case, you should whitelist your own users ("WHITELIST AUTH" if you
are running IMail v8 and the latest Declude beta).


-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.



RE: [Declude.JunkMail] FW: You **MAY** have spam

2004-06-30 Thread Sharyn Schmidt

>Chances are that you need to IPBYPASS the firewall's IP in your 
>global.cfg and then whitelist your LAN by its IP space.

Do I have to list each individual address separately (will put it at over
200 addresses so this won't work) or can I use a /24 notation for each
subnet block?

Sharyn


We are the worldwide producer and marketer of the award winning Cruzan
Single Barrel Rum, judged "Best in the World" at the annual
San Francisco Wine and Spirits Championships. For
more information, please click (go to) http://www.cruzanrums.com


RE: [Declude.JunkMail] Syntax for spf

2004-06-30 Thread Scott Fisher
To put numbers behind Scott's statement.
For June <1% of all e-mail triggered SPFPASS
and 1.4% of all e-mail triggered SPFFAIL

To confuse the issue somewhat:
26% of the e-mail that triggered SPFPASS was classified as SPAM
3% of the e-mail that triggered SPFFAIL was classified as SPAM

Scott Fisher
Director of IT
Farm Progress Companies

>>> [EMAIL PROTECTED] 06/30/04 07:43AM >>>

>SPFPASS spf pass x -5 0
>SPFFAIL spf fail x 8 0
>
>I've just added the above lines to my global config. After checking the 
>Declude log, I see no indication that Declude is performing this test. 
>What am I missing?

You'll only see E-mails pass or fail if they have SPF records -- for other 
domains, a response of "unknown" is returned (which won't affect the weight 
of the E-mail with the settings above).

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.



RE: [Declude.JunkMail] Global configs (=> SORBS results)

2004-06-30 Thread Scott Fisher
I use sorbs-http with a last hop and an all hop configuration. 
For June, the -ALL hit on 48 non-spam e-mails
the -LAST hit on 27 non-spam e-mails.

SORBS-HTTP-LAST dnsbl   %IP4R%.dnsbl.sorbs.net  127.0.0.2   0   0
SORBS-HTTP-ALL  ip4r    dnsbl.sorbs.net         127.0.0.2   0   0


Scott Fisher
Director of IT
Farm Progress Companies

>>> [EMAIL PROTECTED] 06/30/04 01:41AM >>>
I have some other numbers. For example SORBS-HTTP

Yesterday it has had the correct result for 7% of the processed messages
(776 of 11161 messages)
But it has also had a positive (wrong) result for 17 legit messages. (so one
of these messages was slightly above our hold threshold => false positive)

But SORBS-HTTP catches nearly all spam messages that has already failed
enough other tests to be held. So it's not really useful to have ~ 759
correct votes from SORBS-HTTP for spam messages if they have already reached
a weight above 200 % of the hold weight.

On the other side it's problematic if from the 17 legit messages caught by
SORBS-HTTP 4 are near to or over the hold weight.

My conclusion:
SORBS-HTTP results will have no effect on the detection rate, it increases
only the possibility to have some false positives. (The results will not
change if I look for the last 2 or 4 weeks, and not only yesterday)
Also I can see nearly the same results for SORBS-SPAM (positive result in 8%
/ 23 wrong results for legit messages / 6 legit messages near the hold
weight / all other messages above 200% of the hold weight)

Attached you can see a diagram with the variation of the final weight for
all yesterday messages failing SORBS-HTTP.

A similar diagnosis could be made for several other tests. It's only a
little bit of work and I don't know if someone counts on such reports...

Markus
 
 


  _  

From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Sharyn Schmidt
Sent: Monday, June 28, 2004 7:33 PM
To: [EMAIL PROTECTED] 
Subject: RE: [Declude.JunkMail] Global configs


Yesterday's summary:

 
SORBS ........... 5,061 ... 47.70%
SORBS-BADCONF ...    22 ...  0.21%
SORBS-DUHL ...... 3,273 ... 30.85%
SORBS-HTTP ...... 1,119 ... 10.55%
SORBS-MISC ......   476 ...  4.49%
SORBS-SMTP ......    79 ...  0.74%
SORBS-SOCKS ..... 1,157 ... 10.91%
SORBS-WEB .......    94 ...  0.89%
SORBS-ZOMBIE ....     8 ...  0.08%
 
 
Thanks!
 
I'll take that as a YES!
 
Sharyn 


 




Re: [Declude.JunkMail] external tests

2004-06-30 Thread R. Scott Perry

>Any chance of getting an option to run an external test last after the 
>filters?
>I have some tests that I want to run first.
>Maybe externallast?

It's something we will look into, but I'm guessing that we won't be able to 
add such a feature in the near future.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.



Re: [Declude.JunkMail] external tests

2004-06-30 Thread Scott Fisher
Any chance of getting an option to run an external test last after the filters?
I have some tests that I want to run first.
Maybe externallast?

I was brainstorming that if I had an external test to run the troublemaker e-mails 
that don't score high or low  (<4% of total e-mail) through the dnsbl.net.au rbl. I'd 
be well under the 1000 lookups per day.
But I need filters to run first to get to that low.

Scott Fisher
Director of IT
Farm Progress Companies

>>> [EMAIL PROTECTED] 06/29/04 02:56PM >>>

>Do external tests automatically run before all filters, or do they run 
>where they are located in the global.cfg?

They do run before the filters.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.



Re: [Declude.JunkMail] WAY WAY OT: Attn Greg Foulks

2004-06-30 Thread Greg Foulks
John,
Thanks for the email this helped to find the problem. Your emails were 
being zapped because it was failing a mailfrom test (which right now I 
have no idea why it failed the mailfrom test because your address is not 
even listed in the file.)

06/29/2004 15:17:09 Qc01a098 SPammers:100 SPAMCHK:-25 .  Total weight = 75.
06/29/2004 15:17:09 Qc01a098 Msg failed SPammers (try again later.). 
Action=WARN.
06/29/2004 15:17:09 Qc01a098 Msg failed SPAMCHK (Message failed SPAMCHK: 
-25.). Action=IGNORE.
06/29/2004 15:17:09 Qc01a098 Msg failed WEIGHT10 (Weight of 75 reaches 
or exceeds the limit of 10.). Action=IGNORE.
06/29/2004 15:17:09 Qc01a098 Msg failed WEIGHT14 (Weight of 75 reaches 
or exceeds the limit of 14.). Action=HOLD.
06/29/2004 15:17:09 Qc01a098 Msg failed WEIGHT40 (Weight of 75 reaches 
or exceeds the limit of 40.). Action=DELETE.
06/29/2004 15:17:09 Qc01a098 Deleting spam from [EMAIL PROTECTED] 
to [EMAIL PROTECTED]
06/29/2004 15:17:09 Qc01a098 Subject: RE: Demo Request (RESEND)
06/29/2004 15:17:09 Qc01a098 From: [EMAIL PROTECTED] To: 
[EMAIL PROTECTED]  IP: 67.94.227.39 ID: A00CC68022C

John Tolmachoff (Lists) wrote:
Sent via list since he claims he has not received e-mails directly from me.
It appears you are not receiving e-mail from me, even though your server
accepted it:
29-06-2004  12:16:47Local7.Debug127.0.0.1   SMTP
(c00c0c68022cd4c1) processing F:\Spool\Qc00c0c68022cd4c1.SMD
29-06-2004  12:16:47Local7.Debug127.0.0.1   SMTP
(c00c0c68022cd4c1) [x] looking up nfti.com in HOSTS and MX
29-06-2004  12:16:47Local7.Debug127.0.0.1   SMTP
(c00c0c68022cd4c1) Trying nfti.com (0)
29-06-2004  12:16:47Local7.Debug127.0.0.1   SMTP
(c00c0c68022cd4c1) [x] Connecting socket to service  on host
 using protocol 
29-06-2004  12:16:47Local7.Debug127.0.0.1   SMTP
(c00c0c68022cd4c1) Connect nfti.com [12.32.70.215:25] (1)
29-06-2004  12:16:48Local7.Debug127.0.0.1   SMTP
(c00c0c68022cd4c1) 220 X1 Who is this
29-06-2004  12:16:48Local7.Debug127.0.0.1   SMTP
(c00c0c68022cd4c1) >EHLO mail.eservicesforyou.com
29-06-2004  12:16:48Local7.Debug127.0.0.1   SMTP
(c00c0c68022cd4c1) 250-mail.nfti.com says hello
29-06-2004  12:16:48Local7.Debug127.0.0.1   SMTP
(c00c0c68022cd4c1) 250-SIZE 0
29-06-2004  12:16:48Local7.Debug127.0.0.1   SMTP
(c00c0c68022cd4c1) 250-8BITMIME
29-06-2004  12:16:48Local7.Debug127.0.0.1   SMTP
(c00c0c68022cd4c1) 250-DSN
29-06-2004  12:16:48Local7.Debug127.0.0.1   SMTP
(c00c0c68022cd4c1) 250-ETRN
29-06-2004  12:16:48Local7.Debug127.0.0.1   SMTP
(c00c0c68022cd4c1) 250-AUTH LOGIN
29-06-2004  12:16:48Local7.Debug127.0.0.1   SMTP
(c00c0c68022cd4c1) 250-AUTH=LOGIN
29-06-2004  12:16:48Local7.Debug127.0.0.1   SMTP
(c00c0c68022cd4c1) 250 EXPN
29-06-2004  12:16:48Local7.Debug127.0.0.1   SMTP
(c00c0c68022cd4c1) >MAIL FROM:<[EMAIL PROTECTED]>
29-06-2004  12:16:48Local7.Debug127.0.0.1   SMTP
(c00c0c68022cd4c1) 250 ok
29-06-2004  12:16:48Local7.Debug127.0.0.1   SMTP
(c00c0c68022cd4c1) >RCPT To:<[EMAIL PROTECTED]>
29-06-2004  12:16:48Local7.Debug127.0.0.1   SMTP
(c00c0c68022cd4c1) 250 ok its for <[EMAIL PROTECTED]>
29-06-2004  12:16:48Local7.Debug127.0.0.1   SMTP
(c00c0c68022cd4c1) >DATA
29-06-2004  12:16:48Local7.Debug127.0.0.1   SMTP
(c00c0c68022cd4c1) 354 ok, send it; end with .
29-06-2004  12:16:51Local7.Debug127.0.0.1   SMTP
(c00c0c68022cd4c1) >.
29-06-2004  12:16:51Local7.Debug127.0.0.1   SMTP
(c00c0c68022cd4c1) 250 Message queued
29-06-2004  12:16:51Local7.Debug127.0.0.1   SMTP
(c00c0c68022cd4c1) rdeliver nfti.com [EMAIL PROTECTED] (1)
<[EMAIL PROTECTED]> 235342
29-06-2004  12:16:51Local7.Debug127.0.0.1   SMTP
(c00c0c68022cd4c1) >QUIT
29-06-2004  12:16:51Local7.Debug127.0.0.1   SMTP
(c00c0c68022cd4c1) 221 Goodbye
29-06-2004  12:16:51Local7.Debug127.0.0.1   SMTP
(c00c0c68022cd4c1) [u] closing socket (u)
29-06-2004  12:16:51Local7.Debug127.0.0.1   SMTP
(c00c0c68022cd4c1) finished F:\Spool\Qc00c0c68022cd4c1.SMD status=1
John Tolmachoff
Engineer/Consultant/Owner
eServices For You

Re: [Declude.JunkMail] FW: You **MAY** have spam

2004-06-30 Thread Matt
Sharyn Schmidt wrote:
>I control all the IPS my users are on, it's a local LAN...192.168.x.x (there
>are 5 different subnets) but my mail server is on a DMZ off the firewall,
>and I have an smtp proxy enabled. This would indicate that in reality, it's
>the IP address of the firewall that is actually handling the internal mail,
>as well. So, adding the IP address of the firewall (24.73.160.162) should
>work.

Chances are that you need to IPBYPASS the firewall's IP in your 
global.cfg and then whitelist your LAN by its IP space.  The SPF record 
should reflect the last IP of your network before it hits the receiving 
server.  This will cure your CMDSPACE issue as well.  I say "chances 
are" because I'm not sure that all of the relevant information was shared.

Matt
--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


RE: [Declude.JunkMail] FW: You **MAY** have spam

2004-06-30 Thread Sharyn Schmidt
I lowered the weight of the spf fail weight to 1 (warn in headers) to test
this internally.

My internal IPs are still failing the spf test.

How do I go about whitelisting 5 subnets of internal IP addresses with IMAIL
7.15?

It's probably not a bad idea anyway, if it's possible, as everything
internally is failing the cmdspace test too.

Sharyn




RE: [Declude.JunkMail] FW: You **MAY** have spam

2004-06-30 Thread Sharyn Schmidt
Ok..

Does this mean things are working now?

I just ran the test on Scott's website...

SPF lookup of sender [EMAIL PROTECTED] from IP 24.73.160.162:


SPF string used: v=spf1 ip4:24.73.160.162 a mx ptr -all.
Processing SPF string: v=spf1 ip4:24.73.160.162 a mx ptr -all.
Testing 'ip4:24.73.160.162' on IP=24.73.160.162, target domain
24.73.160.162, CIDR 32, default=PASS.  MATCH!
Testing 'a' on IP=24.73.160.162, target domain example.com, CIDR 32,
default=PASS.  Testing 'mx' on IP=24.73.160.162, target domain example.com,
CIDR 32, default=PASS.  Testing 'ptr' on IP=24.73.160.162, target domain
example.com, CIDR 32, default=PASS.  Testing 'all' on IP=24.73.160.162,
target domain example.com, CIDR 32, default=FAIL.  
Result: PASS


This, however, is no guarantee things are going to work internally though,
is it?

>I believe that both CMDSPACE and SPF are inappropriate tests to score unless
>you can whitelist your own local users that connect directly to your server
>to send E-mail.  If you have IMail 7 and your users are on IP space that you
>don't control, you are out of luck, but if you have either IMail 8 and/or
>all of your users connect by way of a LAN, then there are ways to do this,
>but you should first indicate which of the above applies.


I control all the IPS my users are on, it's a local LAN...192.168.x.x (there
are 5 different subnets) but my mail server is on a DMZ off the firewall,
and I have an smtp proxy enabled. This would indicate that in reality, it's
the IP address of the firewall that is actually handling the internal mail,
as well. So, adding the IP address of the firewall (24.73.160.162) should
work.

I wish there was a way to test this internally. Is there?

Sharyn


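The behaviour discussed in this thread (SPF is checked against the IP that opens the SMTP session, so a record that omits the firewall or a roaming client's address fails) can be reproduced offline with the added example below; it is not Declude's or any poster's code. It evaluates only the `ip4`, `a`, `mx`, `ptr` and `all` mechanisms; the DNS table, the 192.0.2.x addresses and the `/28` form of the 12.177.8.48 to 12.177.8.63 range are constructed assumptions.

```python
import ipaddress

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed DNS data standing in for real lookups (documentation addresses).
DNS = {
    ("A", "example.com"): ["192.0.2.10"],
    ("MX", "example.com"): ["mail.example.com"],
    ("A", "mail.example.com"): ["192.0.2.25"],
}

# Records quoted in the thread, before and after the firewall IP was added.
RECORD_BEFORE = "v=spf1 a mx ptr -all"
RECORD_AFTER = "v=spf1 ip4:24.73.160.162 a mx ptr -all"
# Constructed record covering the 16-address server range mentioned in the thread.
RECORD_RANGE = "v=spf1 ip4:12.177.8.48/28 -all"


def _ptr_match(ip, domain, dns):
    """Forward-confirmed reverse DNS: the PTR name must map back to ip."""
    for name in dns.get(("PTR", ip), []):
        in_domain = name == domain or name.endswith("." + domain)
        if in_domain and ip in dns.get(("A", name), []):
            return True
    return False


def check_spf(record, connecting_ip, domain, dns=DNS):
    """Evaluate a subset of SPF against the IP that opened the SMTP session."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(connecting_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name, target = name.lower(), arg or domain
        if name == "all":
            matched = True
        elif name == "ip4":
            try:
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "a":
            matched = str(ip) in dns.get(("A", target), [])
        elif name == "mx":
            matched = any(str(ip) in dns.get(("A", host), [])
                          for host in dns.get(("MX", target), []))
        elif name == "ptr":
            matched = _ptr_match(str(ip), target, dns)
        else:
            return "permerror"  # mechanism outside this subset
        if matched:
            return RESULT[qualifier]
    return "neutral"  # nothing matched and the record has no "all"


if __name__ == "__main__":
    cases = [
        ("LAN user via firewall, old record", RECORD_BEFORE, "24.73.160.162"),
        ("LAN user via firewall, new record", RECORD_AFTER, "24.73.160.162"),
        ("mail server itself, old record", RECORD_BEFORE, "192.0.2.25"),
        ("client inside server range", RECORD_RANGE, "12.177.8.50"),
        ("roaming client, direct connect", RECORD_RANGE, "64.77.164.248"),
    ]
    for label, record, ip in cases:
        print(f"{label:36} {ip:15} {check_spf(record, ip, 'example.com')}")
```

A "pass" here only says the record covers that connecting IP; it does not show which IP the receiving server will actually see, which is the open question in the message above.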


RE: [Declude.JunkMail] FW: You **MAY** have spam

2004-06-30 Thread Sharyn Schmidt

>The problem is that your SPF record ("v=spf1 a mx ptr -all") doesn't list 
>IPs that your users may be connecting to your mailserver from.

The problem may also be that ID 10 T error and I never listed the IP of my
firewall, which uses an SMTP proxy. (Len is laughing if he is reading this)

>In this case, you should whitelist your own users ("WHITELIST AUTH" if you 
>are running IMail v8 and the latest Declude beta).

I'm only running IMAIL 7.15.



I have made the change in the SPF record in DNS, listing my firewall's IP.
Is there a way to test this before I turn everything back on? I've already
had to send out an email to the entire company explaining that I futzed up,
don't want to have to do this again. LOL

Sharyn




   




RE: [Declude.JunkMail] FW: You **MAY** have spam

2004-06-30 Thread Grant Griffith - Declude JM
This brings up a good point, if a client is located in another part of the
US and we have no way to know what IP Address they might be using.  How can
this be set up?  For example, our server has around 16 IP's, 12.177.8.48 to
12.177.8.63, but we have clients that will not be connected within this
range.  They might be something like 64.77.164.248 or something.  Does the
SPF test use the 64. address when doing the test or the mail server that the
message is being sent from which would be in the IP range listed above?

Sincerely,
Grant Griffith
EI8HT LEGS Enhanced Web Management
A Division of ETC
http://www.getafreewebsite.com
877-483-3393

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
Sent: Wednesday, June 30, 2004 7:45 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] FW: You **MAY** have spam



>This is legit, coming from my own mailserver, and it failed the SPF test.
>
>Obviously something is not correct here.
>
>Any suggestions?
>
>I have used the wizard on the pobox site and pasted the text string into a
>text record in my DNS.

The problem is that your SPF record ("v=spf1 a mx ptr -all") doesn't list
IPs that your users may be connecting to your mailserver from.

In this case, you should whitelist your own users ("WHITELIST AUTH" if you
are running IMail v8 and the latest Declude beta).


-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.



Re: FW: [Declude.JunkMail] FW: You **MAY** have spam

2004-06-30 Thread Matt




I believe that both CMDSPACE and SPF are inappropriate tests to score
unless you can whitelist your own local users that connect directly to
your server to send E-mail.  If you have IMail 7 and your users are on
IP space that you don't control, you are out of luck, but if you have
either IMail 8 and/or all of your users connect by way of a LAN, then
there are ways to do this, but you should first indicate which of the
above applies.

Matt



Sharyn Schmidt wrote:

  UPDATE:

ALL my legit todhunter mail is coming as spam

LOL what else can one do but laugh???

Sharyn

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Sharyn Schmidt
Sent: Wednesday, June 30, 2004 8:33 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] FW: You **MAY** have spam




This is legit, coming from my own mailserver, and it failed the SPF test.

Obviously something is not correct here.

Any suggestions?

I have used the wizard on the pobox site and pasted the text string into a
text record in my DNS.

I've had to disable the test for now as all my legit mail is being flagged
as spam.

Sharyn

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Declude JunkMail
Sent: Wednesday, June 30, 2004 8:17 AM
To: [EMAIL PROTECTED]
Subject: You **MAY** have spam


You **MAY** have spam!

Subject:	New Directory  
From:		[EMAIL PROTECTED]
Tests Failed:	11-CMDSPACE, SPFFAIL, WEIGHT10-Daf1a0221059a2e33.SMD

To view the E-mail, just click the attachment.


  
  
  
  

  

Subject: New Directory
From: "Kay Evanson" <[EMAIL PROTECTED]>
Date: Wed, 30 Jun 2004 08:16:58 -0400
To: <[EMAIL PROTECTED]>

New Directory

Attached is the new company for the Lake Alfred, Winter haven, and Auburndale facilities.

Should any changes need to be made please let me know.

 <<...>>

Thank You

Kay E
Ext 161
  


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=




RE: [Declude.JunkMail] Global configs (=> SORBS results)

2004-06-30 Thread Andy Schmidt



Hi,

Using a filter, I combine the different blacklists from various sources into
distinct groups:

Proxies
Open-Relay
DUL/DUHL

Each group has a weight assigned.  This way, I can use the combined know-how of
multiple sources whether an IP is a Proxy and/or an open-relay and/or a DUL/DUHL
without worrying about multiple positives in ONE group pushing an email beyond
the threshold.  As a result, more IPs are being detected and I can assign a
higher weight to each group - without any one group "controlling" the outcome by
itself.

Best Regards
Andy Schmidt
Phone:  +1 201 934-3414 x20 (Business)
Fax:    +1 201 934-9206

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, June 30, 2004 08:06 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Global configs (=> SORBS results)

Markus,

Their open relay tests, SORBS-HTTP, SORBS-SOCKS and SORBS-SMTP can all hit on
the same message for the same exploit causing a triple hit and therefore it is
best to combo these tests with a custom filter.  Throwing in SORBS-MISC into
this mix might also be a good idea.

The problem isn't that their data is any more unreliable than the others of
this type, rather it is the way that they offer up this data, splitting it into
3 categories that have no practical purpose for a system that applies weights
instead of ACL's.

Matt

Markus Gufler wrote:
  

I have some other numbers. For example SORBS-HTTP

Yesterday it has had the correct result for 7% of the processed messages
(776 of 11161 messages)
But it has also had a positive (wrong) result for 17 legit messages. (so one
of these messages was slightly above our hold threshold => false positive)

But SORBS-HTTP catches nearly all spam messages that has already failed
enough other tests to be held. So it's not really useful to have ~ 759
correct votes from SORBS-HTTP for spam messages if they have already reached
a weight above 200 % of the hold weight.

On the other side it's problematic if from the 17 legit messages caught by
SORBS-HTTP 4 are near to or over the hold weight.

My conclusion:
SORBS-HTTP results will have no effect on the detection rate, it increases
only the possibility to have some false positives. (The results will not
change if I look for the last 2 or 4 weeks, and not only yesterday)
Also I can see nearly the same results for SORBS-SPAM (positive result in 8%
/ 23 wrong results for legit messages / 6 legit messages near the hold
weight / all other messages above 200% of the hold weight)

Attached you can see a diagram with the variation of the final weight for
all yesterday messages failing SORBS-HTTP.

A similar diagnosis could be made for several other tests. It's only a
little bit of work and I don't know if someone counts on such reports...

Markus
 
 

  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sharyn Schmidt
Sent: Monday, June 28, 2004 7:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Global configs

Yesterday's summary:

SORBS ........... 5,061 ... 47.70%
SORBS-BADCONF ...    22 ...  0.21%
SORBS-DUHL ...... 3,273 ... 30.85%
SORBS-HTTP ...... 1,119 ... 10.55%
SORBS-MISC ......   476 ...  4.49%
SORBS-SMTP ......    79 ...  0.74%
SORBS-SOCKS ..... 1,157 ... 10.91%
SORBS-WEB .......    94 ...  0.89%
SORBS-ZOMBIE ....     8 ...  0.08%

Thanks!

I'll take that as a YES!

Sharyn
 -- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
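The two ideas in the message above (scoring correlated blacklists once per group, and checking whether a single test ever changes the hold decision) are worked through in the added example below; it is not code from any poster or from Declude. The weights, the hold threshold of 14, the group membership and the five sample messages are all constructed assumptions; only the test names come from the thread.

```python
HOLD = 14  # assumed hold threshold; a message is held when its weight reaches it

# Constructed per-test weights; the thread does not give any.
FLAT_WEIGHTS = {
    "SORBS-HTTP": 5, "SORBS-SOCKS": 5, "SORBS-SMTP": 5, "SORBS-MISC": 5,
    "SORBS-DUHL": 4, "SORBS-SPAM": 6, "CMDSPACE": 3, "SPFFAIL": 8,
}

# Assumed grouping: a group adds its weight once, however many members hit.
GROUPS = {
    "PROXY-RELAY": (frozenset({"SORBS-HTTP", "SORBS-SOCKS",
                               "SORBS-SMTP", "SORBS-MISC"}), 7),
    "DUL": (frozenset({"SORBS-DUHL"}), 4),
}

# Constructed sample: (message id, is_spam ground truth, tests failed).
MESSAGES = [
    ("m1", True, {"SORBS-HTTP", "SORBS-SOCKS", "SORBS-SMTP", "SORBS-SPAM", "SPFFAIL"}),
    ("m2", True, {"SORBS-HTTP", "SORBS-DUHL", "SORBS-SPAM", "CMDSPACE"}),
    ("m3", False, {"SORBS-HTTP", "SORBS-SOCKS", "SORBS-SMTP"}),
    ("m4", False, {"SORBS-HTTP", "CMDSPACE"}),
    ("m5", True, {"SORBS-SOCKS", "SPFFAIL"}),
]


def flat_score(hits):
    """Every failed test adds its own weight (a triple hit counts three times)."""
    return sum(FLAT_WEIGHTS[test] for test in hits)


def grouped_score(hits):
    """Grouped tests count once per group; ungrouped tests keep their own weight."""
    grouped = frozenset().union(*(members for members, _ in GROUPS.values()))
    total = sum(weight for members, weight in GROUPS.values() if hits & members)
    return total + sum(FLAT_WEIGHTS[test] for test in hits if test not in grouped)


def marginal_effect(messages, test, scorer, hold=HOLD):
    """Classify each message that failed `test` by whether the test changed the verdict."""
    out = {"hits": 0, "redundant": 0, "decisive_spam": 0,
           "decisive_legit": 0, "harmless": 0}
    for _msg_id, is_spam, hits in messages:
        if test not in hits:
            continue
        out["hits"] += 1
        held_with = scorer(hits) >= hold
        held_without = scorer(hits - {test}) >= hold
        if held_without:
            out["redundant"] += 1        # held with or without this test
        elif held_with:
            out["decisive_spam" if is_spam else "decisive_legit"] += 1
        else:
            out["harmless"] += 1         # never reaches the hold weight
    return out


if __name__ == "__main__":
    for name, scorer in (("flat", flat_score), ("grouped", grouped_score)):
        print(name, marginal_effect(MESSAGES, "SORBS-HTTP", scorer))
```

In this sample the legitimate message with the triple hit (m3) is held under flat scoring and released under grouped scoring, while the spam verdicts stay the same.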


Re: [Declude.JunkMail] FW: You **MAY** have spam

2004-06-30 Thread R. Scott Perry

>This is legit, coming from my own mailserver, and it failed the SPF test.
>Obviously something is not correct here.
>Any suggestions?
>I have used the wizard on the pobox site and pasted the text string into a
>text record in my DNS.

The problem is that your SPF record ("v=spf1 a mx ptr -all") doesn't list 
IPs that your users may be connecting to your mailserver from.

In this case, you should whitelist your own users ("WHITELIST AUTH" if you 
are running IMail v8 and the latest Declude beta).

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.



RE: [Declude.JunkMail] Syntax for spf

2004-06-30 Thread R. Scott Perry

>SPFPASS spf pass x -5 0
>SPFFAIL spf fail x 8 0
>
>I've just added the above lines to my global config. After checking the 
>Declude log, I see no indication that Declude is performing this test. 
>What am I missing?

You'll only see E-mails pass or fail if they have SPF records -- for other 
domains, a response of "unknown" is returned (which won't affect the weight 
of the E-mail with the settings above).

   -Scott
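
[Added example, not part of the original thread and not Declude's own code.] The two replies above describe why a record of "v=spf1 a mx ptr -all" fails mail submitted from an address the record does not cover, and why domains without a record return "unknown". The sketch below evaluates that record against constructed DNS data; the hostnames, addresses and the folding of softfail/neutral into "unknown" are assumptions, while the weights are the SPFPASS/SPFFAIL values from the thread.

```python
# Constructed DNS data using documentation address ranges; none of it is from the thread.
ZONE = {
    "example.org": {
        "TXT": "v=spf1 a mx ptr -all",      # the record quoted in the thread
        "A": ["192.0.2.10"],
        "MX": ["mail.example.org"],
    },
    "mail.example.org": {"A": ["192.0.2.25"]},
    "nospf.example": {"A": ["198.51.100.7"]},  # publishes no SPF record
}
PTR = {"192.0.2.25": "mail.example.org", "203.0.113.50": "dsl-50.isp.example"}
WEIGHTS = {"pass": -5, "fail": 8, "unknown": 0}  # SPFPASS / SPFFAIL lines above

def a_records(name):
    return ZONE.get(name, {}).get("A", [])

def ptr_matches(ip, domain):
    """ptr: the reverse name must sit under the domain and resolve back to the IP."""
    host = PTR.get(ip)
    if not host or not (host == domain or host.endswith("." + domain)):
        return False
    return ip in a_records(host)

def mechanism_matches(mech, ip, domain):
    if mech == "all":
        return True
    if mech == "a":
        return ip in a_records(domain)
    if mech == "mx":
        return any(ip in a_records(mx) for mx in ZONE[domain].get("MX", []))
    if mech == "ptr":
        return ptr_matches(ip, domain)
    return False  # mechanisms outside this sketch never match

def check_spf(ip, sender_domain):
    """Return 'pass', 'fail' or 'unknown' for a connecting IP and sender domain."""
    record = ZONE.get(sender_domain, {}).get("TXT", "")
    if not record.startswith("v=spf1"):
        return "unknown"                     # no record published
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        if mechanism_matches(term.lstrip("+-~?"), ip, sender_domain):
            # Assumption: softfail (~) and neutral (?) are reported as 'unknown'.
            return {"+": "pass", "-": "fail"}.get(qualifier, "unknown")
    return "unknown"

def spf_weight(ip, sender_domain):
    return WEIGHTS[check_spf(ip, sender_domain)]

if __name__ == "__main__":
    for ip, dom in [("192.0.2.25", "example.org"), ("203.0.113.50", "example.org"),
                    ("198.51.100.7", "nospf.example")]:
        print(ip, dom, check_spf(ip, dom), spf_weight(ip, dom))
```

The second address stands for a user submitting mail from an ISP connection: no mechanism matches it, so "-all" applies and the SPFFAIL weight is added unless that user is whitelisted.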


FW: [Declude.JunkMail] FW: You **MAY** have spam

2004-06-30 Thread Sharyn Schmidt
UPDATE:

ALL my legit todhunter mail is coming as spam

LOL what else can one do but laugh???

Sharyn

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sharyn Schmidt
Sent: Wednesday, June 30, 2004 8:33 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] FW: You **MAY** have spam




This is legit, coming from my own mailserver, and it failed the SPF test.

Obviously something is not correct here.

Any suggestions?

I have used the wizard on the pobox site and pasted the text string into a
text record in my DNS.

I've had to disable the test for now as all my legit mail is being flagged
as spam.

Sharyn

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Declude JunkMail
Sent: Wednesday, June 30, 2004 8:17 AM
To: [EMAIL PROTECTED]
Subject: You **MAY** have spam


You **MAY** have spam!

Subject:New Directory  
From:   [EMAIL PROTECTED]
Tests Failed:   11-CMDSPACE, SPFFAIL, WEIGHT10-Daf1a0221059a2e33.SMD

To view the E-mail, just click the attachment.


--- Begin Message ---

Attached is the new company for the Lake Alfred, Winter Haven, and Auburndale facilities.

Should any changes need to be made please let me know.

 <<...>>

Thank You

Kay E

Ext 161

--- End Message ---


[Declude.JunkMail] FW: You **MAY** have spam

2004-06-30 Thread Sharyn Schmidt


This is legit, coming from my own mailserver, and it failed the SPF test.

Obviously something is not correct here.

Any suggestions?

I have used the wizard on the pobox site and pasted the text string into a
text record in my DNS.

I've had to disable the test for now as all my legit mail is being flagged
as spam.

Sharyn

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Declude JunkMail
Sent: Wednesday, June 30, 2004 8:17 AM
To: [EMAIL PROTECTED]
Subject: You **MAY** have spam


You **MAY** have spam!

Subject:New Directory  
From:   [EMAIL PROTECTED]
Tests Failed:   11-CMDSPACE, SPFFAIL, WEIGHT10-Daf1a0221059a2e33.SMD

To view the E-mail, just click the attachment.


--- Begin Message ---

Attached is the new company for the Lake Alfred, Winter Haven, and Auburndale facilities.

Should any changes need to be made please let me know.

 <<...>>

Thank You

Kay E

Ext 161

--- End Message ---


Re: [Declude.JunkMail] Global configs (=> SORBS results)

2004-06-30 Thread Matt




Markus,

Their open relay tests, SORBS-HTTP, SORBS-SOCKS and SORBS-SMTP can all
hit on the same message for the same exploit causing a triple hit and
therefore it is best to combo these tests with a custom filter. 
Throwing in SORBS-MISC into this mix might also be a good idea.

The problem isn't that their data is any more unreliable than the
others of this type, rather it is the way that they offer up this data,
splitting it into 3 categories that have no practical purpose for a
system that applies weights instead of ACL's.

Matt



Markus Gufler wrote:

  I have some other numbers. For example SORBS-HTTP:

  Yesterday it has had the correct result for 7% of the processed
  messages (776 of 11161 messages).
  But it has also had a positive (wrong) result for 17 legit messages
  (so one of these messages was slightly above our hold threshold =>
  false positive).

  But SORBS-HTTP catches nearly all spam messages that have already
  failed enough other tests to be held. So it's not really useful to
  have ~ 759 correct votes from SORBS-HTTP for spam messages if they
  have already reached a weight above 200 % of the hold weight.

  On the other side it's problematic if from the 17 legit messages
  caught by SORBS-HTTP 4 are near to or over the hold weight.

  My conclusion:
  SORBS-HTTP results will have no effect on the detection rate, it
  increases only the possibility to have some false positives. (The
  results will not change if I look for the last 2 or 4 weeks, and not
  only yesterday.)
  Also I can see nearly the same results for SORBS-SPAM (positive result
  in 8% / 23 wrong results for legit messages / 6 legit messages near
  the hold weight / all other messages above 200% of the hold weight).

  Attached you can see a diagram with the variation of the final weight
  for all yesterday messages failing SORBS-HTTP.

  A similar diagnosis could be made for several other tests. It's only a
  little bit of work and I don't know if someone counts on such
  reports...

  Markus

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sharyn Schmidt
  Sent: Monday, June 28, 2004 7:33 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [Declude.JunkMail] Global configs

  Yesterday's summary:

  SORBS            5,061   47.70%
  SORBS-BADCONF       22    0.21%
  SORBS-DUHL       3,273   30.85%
  SORBS-HTTP       1,119   10.55%
  SORBS-MISC         476    4.49%
  SORBS-SMTP          79    0.74%
  SORBS-SOCKS      1,157   10.91%
  SORBS-WEB           94    0.89%
  SORBS-ZOMBIE         8    0.08%

  Thanks!

  I'll take that as a YES!

  Sharyn


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
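
[Added example, not part of the original thread.] The message above recommends combining SORBS-HTTP, SORBS-SOCKS, SORBS-SMTP and SORBS-MISC so that one exploit is not counted three times. The Python model below compares plain additive weighting with a combined group; it is not Declude filter syntax, and the weights, hold weight and sample messages are constructed for illustration.

```python
# Hypothetical weights and hold threshold; the thread gives no actual values.
WEIGHTS = {
    "SORBS-HTTP": 5, "SORBS-SOCKS": 5, "SORBS-SMTP": 5, "SORBS-MISC": 5,
    "HELOBOGUS": 4, "BADHEADERS": 6,
}
HOLD_WEIGHT = 15
SORBS_COMBO = {"SORBS-HTTP", "SORBS-SOCKS", "SORBS-SMTP", "SORBS-MISC"}

def additive_weight(failed):
    """Every failed test adds its own weight (one exploit can count three times)."""
    return sum(WEIGHTS[t] for t in failed)

def combined_weight(failed, combo=SORBS_COMBO):
    """Tests in the combo count once, at the highest member weight that hit."""
    combo_hits = [WEIGHTS[t] for t in failed if t in combo]
    rest = sum(WEIGHTS[t] for t in failed if t not in combo)
    return rest + max(combo_hits, default=0)

# Constructed sample: (label, is_spam, failed tests).
MESSAGES = [
    ("legit-relay", False, ["SORBS-HTTP", "SORBS-SOCKS", "SORBS-SMTP"]),
    ("legit-helo", False, ["SORBS-HTTP", "HELOBOGUS"]),
    ("spam-a", True, ["SORBS-HTTP", "SORBS-SOCKS", "SORBS-SMTP",
                      "BADHEADERS", "HELOBOGUS"]),
    ("spam-b", True, ["SORBS-MISC", "BADHEADERS", "HELOBOGUS"]),
]

def held(scorer):
    """Return (spam held, legit held) for a scoring function."""
    spam = sum(1 for _, is_spam, f in MESSAGES
               if is_spam and scorer(f) >= HOLD_WEIGHT)
    legit = sum(1 for _, is_spam, f in MESSAGES
                if not is_spam and scorer(f) >= HOLD_WEIGHT)
    return spam, legit

if __name__ == "__main__":
    for name, scorer in (("additive", additive_weight),
                         ("combined", combined_weight)):
        print(name, "spam held / legit held:", held(scorer))
```

With these constructed numbers both schemes hold the same spam, but only additive weighting holds the legit message that tripped three SORBS lists at once.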




RE: [Declude.JunkMail] Syntax for spf

2004-06-30 Thread Sharyn Schmidt

---

To use the new SPF test, you can add lines such as:

SPFPASS spf pass    x   -5  0

SPFFAIL spf fail    x   8   0


to your global.cfg file. SPF returns "PASS" for E-mail that passes SPF (that comes from an IP that is acceptable to the owner of the domain that it claims to be coming from), "FAIL" for E-mail that fails SPF (that does not come from an acceptable IP for the domain), or "UNKNOWN" (for E-mail from domains that do not use SPF yet, or for some other reason should return UNKNOWN).
---



I've just added the above lines to my global config. After checking the Declude log, I see no indication that Declude is performing this test. What am I missing? 

Log snippet pasted below:

06/30/2004 07:39:55 Qa66c030305e846d1 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]  IP: xxx.xxx.xxx.xxx ID: 

06/30/2004 07:39:55 Qa66c030305e846d1 Tests failed [weight=25]: NOABUSE=WARN NOPOSTMASTER=WARN BADHEADERS=WARN HELOBOGUS=WARN SPAMHEADERS=WARN IPNOTINMX=IGNORE NOLEGITCONTENT=IGNORE WEIGHT10=ATTACH WEIGHT15=HOLD CATCHALLMAILS=IGNORE InHeadersFilter=WARN 

I am running v 1.79 beta. Everything else seems to be working fine.

Thanks,

Sharyn