Re: [Declude.JunkMail] OT: How to define spam and ham
Hi, Amazon I happen to know first hand so if it's *realy* from amazone I would have a quick look why it was held but. all the other domain names I don't know them. Neither do I have the time to investigate these things. It's like you wrote, if I see then held... There's probably a reason for it. Being the postmaster overhere is a part-time job, this is primarily a mailserver for us internaly. We are a "school"with about 2000 students and staff. I'm processing about 4K messages a day. As to "rules", I don't have specific rules, I just want to make sure we keep our mail as clean as possible. It is primarily for internal use. If that means some automated messages from some sources don't get through, to bad. I'll look into it when someone complains. So far,except for some individual cases, no onehas complained certain messages did not get to them, which to me means I'm doing not to bad. Groetjes, Bonno Bloksma Back up my hard drive? How do I put it in reverse? - Original Message - From: Matt To: Declude.JunkMail@declude.com Sent: Tuesday, December 21, 2004 3:30 AM Subject: Re: [Declude.JunkMail] OT: How to define "spam" and "ham" Bonno,Unfortunately 'knowing' is rarely the result of first hand experience in this case, at least without a good deal of focus and research over time. Personally, I have found that E-mail coming from the the better bulk-mail providers rarely breaks my rules. Generally if you have heard of the company represented in the E-mail and it comes from a first rate bulk-mail provider, they do in fact not violate the rules very often if at all. Some companies also perform their own bulk-mailing such as Amazon, and they should be especially aware of the potential of being blacklisted. There are others of course that don't really care, and the primary violation is typically some form of harvesting where they purchase addresses or re-use them from other resources. It's rare that a company that you have heard of not honoring opt-outs, though sometimes due to multiple internal working groups and not having a central repository for managing such subscriptions, a company might unsubscribe you to one list only to introduce another one that you are default-opted-into.I guess what I was really after was what people like yourself do when you find that an ad for Amazon, J.Crew, Office Max, or even Orbitz is blocked by your system. Do you block them purposefully? Do you just go with the flow figuring that if they are blacklisted there is a reason? Do you research the sender and take corrective action? Or do you just simply wait for users to complain about something being blocked? And regardless of the action that you take, what are your 'rules', or are there any specific rules that you or others use?Thanks,MattBonno Bloksma wrote: Matt, Although I agree with your reasoning, my problem would then be how do I determine who belongs to what catagorie? Overhere I see stuff getting caught which is definitely a newsletter of some sorts but I don't know whether the user requested it or not. Nor whether the user might want it or not. As we have a lot of students with a very divers interest area it's impossible to know what is normal. Also being the mail admin is only a (small) part-time job overhere, as long as it's running. ;-) I keep telling my students "don't unsubscribe as it will only increase your spam". Now maybe *I* can make a exeption by reading a list of companies that honor opt-out but I know most of our students and staff would not. They'd either unsubscribe or not, without reading such a list, "it's too much work". ;-( Groetjes, Bonno Bloksma - Original Message - From: Matt To: Declude.JunkMail@declude.com Sent: Monday, December 20, 2004 2:01 PM Subject: [Declude.JunkMail] OT: How to define "spam" and "ham" This was the subject of a recent off-list discussion between myself and Pete where there was a perception that my definition of spam was too conservative or rather my definition of ham was too liberal. While I readily admit that in practice, I do personally wish to block many fewer things that I consider to be legitimate first-party advertising than most do, I don't necessarily get the impression that the definitions that I use are all that much off the mark. I have also found that the folks at BondedSender think that I am some sort of anti-advertising zealot for reporting what is near universally what we would consider to be spam, so it does go both ways :) So I wanted to throw this topic out for some feedback and other presentations of one's own
RE: [Declude.JunkMail] OT: How to define spam and ham
First of allspam is anything comming from nonexistant, or forged senders having "hidden" content But what you're asking for is the difference between our human brain and stupid computers (Pete, your comment please ;-) Generaly Isimply try to keep our customers mailbox as clean as possible from all this automatic generated stuff. Human brains are so intelligent but computers are much faster to send out billions of messages in a very short time. Our life is short enough to not spend it on handling all this stuff manualy. For sure: There is also legit automatic stuff. In this case the challenge is not to identify spam but to identify and let pass computer-generated ham. One good qualification for "bad content" is the weighting system and combo tests. If many different tests fail on the same message we all know it's a good indicator of spam. If there is someone sending out legit messages failing many different tests then he definitively does something wrong and has to rethink what he does in order to do it successfull. Consider the numerous "spam-filters" out there, blocking messages based on single indicators of spam. (for example if failing on one single IP-blacklist) or this pure text filter solutions catching only arround 60% of spam. As long as there are such services I and my customers can live with the knowledge that nobody is 100% perfect. At the moment I'm working on a new system that will clasify messages in the follwing 4 categories: 80 - 120% of our current hold weight = Subject: [spam low] 120% - 170%of our current hold weight = send out a notifcation to the recipient The notifications are a little bit problematic: As there are many customers using our server as gateway we doesn't know if the recipients adress is real existing. So at the moment I try to look if this recipient has received legit messages (50% of the hold weight) in the previous - let's say - two weeks. This should prevent us to send out a big number of unneccessary messages (for example after dictionary attacks to gateway domains) I want to send out as few notifications as possible. SoI plan to generate them two times each day: the first time at around 9:00am of local time. The second at around 05:00 pm. With this strategy I hope to notify each recipient the same day as the false positive was hold on our system, but not more then two times each day, even if I have enough data to send notifications each hour. (if not recipients with a big spam volume would receive a notification each hour)The notifiaction contains only a link (containing a long random string as access security) to a dynamic website. This website will show him a list (datetime /sender / subject) of all messages between 120 and 170% of our current hold weight. I believe we can't send out notifactions containing recipient addresses and subject lines in the body, as spam filters like them included in MS Outlook will block them another time.With the dynamic website I can track the visits and so prevent any further notification until the customer has visited the website. This should reduce our notifications another time. All this work with the notifiactions has the following benefits: not we but our customers can decide what's ham and whats spam (at least in the mentioned grey zone) customers can see our service we have a copy of each "false positive" and can concentrate our work on preventing this in the future beside the work of keeping the 120-170 zone as clean as possible from messages in order to reduce the review work of our customers (for example with my AVFILTER-COMBO test) At the moment I'm working on this and so many ideas are still theory, but I'm happy for any feedback. Markus From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of MattSent: Tuesday, December 21, 2004 3:48 AMTo: Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail] OT: How to define "spam" and "ham" Markus,I have found that my users miss about 99% of the false positives using a system where I set up review accounts in Web-mail for each domain and only capture less than 2% of their blocked volume for them to review. Reprocessing and reporting the message is done with a single click using a link that I added to the interface for this purpose. I know that they miss this much because we also do review for the hold range across our entire user base, however we don't guarantee in any way that we will find every false positive or review this with specific regularity. Obviously as volume increases, so does the work required for us to do this, but it is quite easy for all but a couple of our domains to be reviewed because the number of held messages are generally below 20 a day, and only 7 days are kept.I too am looking to move to a 'push' format, figuring that if you
RE: [Declude.JunkMail] Whitelisting Issue
Hi Chris: No- that statement goes into Global.cfg. In our global statement all Whitelist issues are at the top so in ours it is one of the first few lines.. Regards, Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Patterson Sent: Monday, December 20, 2004 6:17 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Whitelisting Issue Very Nice, Should I add anything to the default.junkmail file? EMERGENCYBYPASS WARN ?? Thanks, Chris Patterson, CCNA Network Engineer Rapid Systems -Original Message- From: Kami Razvan [mailto:[EMAIL PROTECTED] Sent: Monday, December 20, 2004 5:57 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Whitelisting Issue Chris: We were having a similar issue- Scott suggested the following: EMERGENCYBYPASS bypasswhitelist 40 2 0 0 So now if the weight passes 40 the whitelist will not work if 2 more people are in the list. You can adjust the settings per your environment. Regards, Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Patterson Sent: Monday, December 20, 2004 5:50 PM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] Whitelisting Issue Hi all, I am having trouble with an issue where spam is getting by showing whitelisted in the header. Neither the domain or e-mail address that it is coming from is whitelisted in the global config, nor are they showing as Auth-user. However, one of the recipients (local user) is Whitelisted; which you can't see because they are apparently in the BCC field . Apparently it is causing all recipients on this e-mail to receive it as Whitelisted. Has anyone else ran into this issue? Thanks, Chris Patterson, CCNA Network Engineer Rapid Systems --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] tweaking
Greetings: We are new users of junkman man and was looking for friendly advise on how to manage this beast. In running of only one day we have seen a large drop in spam (40%). But I would like to use blacklists and and others features unknown to me. Would people like to post there cfg file for viewing?? Any suggestions? Thanks. ## Roger Schmeits Sr. Network Engineer Clarkson College http://www.clarksoncollege.edu (402) 552-2542 ## Disclaimer: The information contained in this e-mail is privileged and confidential and is intended only for the use of the addressee(s) indicated above. Use or disclosure of information e-mailed in error is respectfully prohibited. If you have received this e-mail in error, please contact the sender and immediately delete the original message. Thank you.
[Declude.JunkMail] tools/weights
http://www.declude.com/Articles.asp?ID=100 There are numerous tools on this page. Are there favorites? Dogs? Question: In the manual it talks about assigning weights for blacklists. Example Testname fromfile c:\imail\declude\badpeople.txt x 5 0 Would some explain the purpose of the placeholder and the two weights? Is this a standard format through declude files? I am the learning mode... ## Roger Schmeits Sr. Network Engineer Clarkson College http://www.clarksoncollege.edu (402) 552-2542 ## Disclaimer: The information contained in this e-mail is privileged and confidential and is intended only for the use of the addressee(s) indicated above. Use or disclosure of information e-mailed in error is respectfully prohibited. If you have received this e-mail in error, please contact the sender and immediately delete the original message. Thank you.
Re: [Declude.JunkMail] tools/weights
6.10 Test Definitions Tests are defined in the \IMail\Declude\global.cfg file. The format of a test definition is the name of the testfollowed by the test type, followed by two test-specific pieces of information (an x placeholder if only one piece is needed)followed by two weights: The weight that will be assigned to the test if an E-mail fails the test, and the weight that will be assigned if the E-mail does not fail the test (normally 0). Tests: I'd highly recommend Message Sniffer from Sort Monster. It's a paid test, less than a $1 per day and it is my most effective test. - Original Message - From: Schmeits, Roger To: Declude.JunkMail@declude.com Sent: Tuesday, December 21, 2004 8:43 AM Subject: [Declude.JunkMail] tools/weights http://www.declude.com/Articles.asp?ID=100 There are numerous tools on this page. Are there favorites? Dogs? Question: In the manual it talks about assigning weights for blacklists. Example Testname fromfile c:\imail\declude\badpeople.txt x 5 0 Would some explain the purpose of the placeholder and the two weights? Is this a standard format through declude files? I am the learning mode... ##Roger SchmeitsSr. Network EngineerClarkson Collegehttp://www.clarksoncollege.edu(402) 552-2542##Disclaimer:The information contained in this e-mail is privileged and confidential and is intended only for the use of the addressee(s) indicated above. Use or disclosure of information e-mailed in error is respectfully prohibited. If you have received this e-mail in error, please contact the sender and immediately delete the original message. Thank you.
RE: [Declude.JunkMail] tools/weights
I would have to agree with Matt. After installing Sniffer about4 months ago it's already more then paid for itself when you consider thetime we spent constantly tweaking our filter files. It's a great add-on. Steve From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of MattSent: Tuesday, December 21, 2004 10:06 AMTo: Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail] tools/weights Buy Sniffer. It is the optimal add-on for Declude (and other systems). It will tag over 95% of your spam with ~99.8% accuracy (depending on your definitions). For the time that you would invest in getting your system even close to what the combination would provide, you will have easily paid for Sniffer. Most of those that participate on this list use it, and it might well provide you with the level of results that you seek without doing anything else. It might be a little difficult to understand from skimming the site, but there is plenty of help available in this group to get you up and running.MattSchmeits, Roger wrote: http://www.declude.com/Articles.asp?ID=100 There are numerous tools on this page. Are there favorites? Dogs? Question: In the manual it talks about assigning weights for blacklists. Example Testname fromfile c:\imail\declude\badpeople.txt x 5 0 Would some explain the purpose of the placeholder and the two weights? Is this a standard format through declude files? I am the learning mode... ##Roger SchmeitsSr. Network EngineerClarkson Collegehttp://www.clarksoncollege.edu(402) 552-2542##Disclaimer:The information contained in this e-mail is privileged and confidential and is intended only for the use of the addressee(s) indicated above. Use or disclosure of information e-mailed in error is respectfully prohibited. If you have received this e-mail in error, please contact the sender and immediately delete the original message. Thank you. -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =
Re: [Declude.JunkMail] tools/weights
Buy Sniffer. It is the optimal add-on for Declude (and other systems). It will tag over 95% of your spam with ~99.8% accuracy (depending on your definitions). For the time that you would invest in getting your system even close to what the combination would provide, you will have easily paid for Sniffer. Most of those that participate on this list use it, and it might well provide you with the level of results that you seek without doing anything else. It might be a little difficult to understand from skimming the site, but there is plenty of help available in this group to get you up and running. Matt Schmeits, Roger wrote: http://www.declude.com/Articles.asp?ID=100 There are numerous tools on this page. Are there favorites? Dogs? Question: In the manual it talks about assigning weights for blacklists. Example Testname fromfile c:\imail\declude\badpeople.txt x 5 0 Would some explain the purpose of the placeholder and the two weights? Is this a standard format through declude files? I am the learning mode... ## Roger Schmeits Sr. Network Engineer Clarkson College http://www.clarksoncollege.edu (402) 552-2542 ## Disclaimer: The information contained in this e-mail is privileged and confidential and is intended only for the use of the addressee(s) indicated above. Use or disclosure of information e-mailed in error is respectfully prohibited. If you have received this e-mail in error, please contact the sender and immediately delete the original message. Thank you. -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =
Re: [Declude.JunkMail] tools/weights
I've been thinking about the Sniffer, but i had a few questions: Do i have to have Pro to run it, i.e. external tests? and How effective is it against Phishing? or would it be better to add Mcafee and Clam for this problem? We currently are limited to phrase filtering in Imail for the Phishing part. Thanks ! Steve Flook wrote: I would have to agree with Matt. After installing Sniffer about 4 months ago it's already more then paid for itself when you consider the time we spent constantly tweaking our filter files. It's a great add-on. Steve *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Matt *Sent:* Tuesday, December 21, 2004 10:06 AM *To:* Declude.JunkMail@declude.com *Subject:* Re: [Declude.JunkMail] tools/weights Buy Sniffer. It is the optimal add-on for Declude (and other systems). It will tag over 95% of your spam with ~99.8% accuracy (depending on your definitions). For the time that you would invest in getting your system even close to what the combination would provide, you will have easily paid for Sniffer. Most of those that participate on this list use it, and it might well provide you with the level of results that you seek without doing anything else. It might be a little difficult to understand from skimming the site, but there is plenty of help available in this group to get you up and running. Matt Schmeits, Roger wrote: http://www.declude.com/Articles.asp?ID=100 There are numerous tools on this page. Are there favorites? Dogs? Question: In the manual it talks about assigning weights for blacklists. Example Testname fromfile c:\imail\declude\badpeople.txt x 5 0 Would some explain the purpose of the placeholder and the two weights? Is this a standard format through declude files? I am the learning mode... ## Roger Schmeits Sr. Network Engineer Clarkson College http://www.clarksoncollege.edu (402) 552-2542 ## Disclaimer: The information contained in this e-mail is privileged and confidential and is intended only for the use of the addressee(s) indicated above. Use or disclosure of information e-mailed in error is respectfully prohibited. If you have received this e-mail in error, please contact the sender and immediately delete the original message. Thank you. -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ = Richard Lanard Information Technology Support University of Georgia Business Outreach Services /SBDC --- [This E-mail was scanned for viruses by the University of Georgia SBDC Email System.] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] tools/weights
In addition to (or possibly instead of) Sniffer, SpamC32/Spamassassin gets great results. Jerry - Original Message - From: Schmeits, Roger To: Declude.JunkMail@declude.com Sent: Tuesday, December 21, 2004 9:43 AM Subject: [Declude.JunkMail] tools/weights http://www.declude.com/Articles.asp?ID=100 There are numerous tools on this page. Are there favorites? Dogs? Question: In the manual it talks about assigning weights for blacklists. Example Testname fromfile c:\imail\declude\badpeople.txt x 5 0 Would some explain the purpose of the placeholder and the two weights? Is this a standard format through declude files? I am the learning mode... ##Roger SchmeitsSr. Network EngineerClarkson Collegehttp://www.clarksoncollege.edu(402) 552-2542##Disclaimer:The information contained in this e-mail is privileged and confidential and is intended only for the use of the addressee(s) indicated above. Use or disclosure of information e-mailed in error is respectfully prohibited. If you have received this e-mail in error, please contact the sender and immediately delete the original message. Thank you.
Re: [Declude.JunkMail] tools/weights
Richard Lanard wrote: I've been thinking about the Sniffer, but i had a few questions: Do i have to have Pro to run it, i.e. external tests? Any Declude version works with external tests. and How effective is it against Phishing? or would it be better to add Mcafee and Clam for this problem? Very good, though not as good as with standard spam, probably because the phishers are a step above the typical zombie spammer and they use more tricks and clean addresses. We currently are limited to phrase filtering in Imail for the Phishing part. If you have custom filtering capabilities, there is a host of opportunities for improvement, or as a supplement to things like Sniffer. One of my more recent tricks to to create a 'combo' filter where one filter checks for the URL or name of a bank that is being used, and another filter checks for a link containing an IP address (IPLINKED). The combination of hits is near perfect, though there are other linking mechanisms that they use. Between the two of these things, phishing is mostly weighted very high on my system. Take note that the biggest weakness of my system remains the Advance Fee Fraud (Nigerian) stuff. These messages almost always come from legitimate hosts (Web-mail accounts), and the content is so variable that the only possible improvement might be bayesian filtering, which I think only SpamAssassin could provide. I have one customer that is hammered by this stuff for some reason (many each day), and he always lets me know when one gets through. The increase in it's volume makes us look like we're going backwards on the issue :( Still, if this was about whether or not to choose Sniffer, I think you would be hard pressed to find any single product that came close to their detection rates and accuracy. Paired with Declude, you get the best of both worlds, and you can become damn near perfect. Matt Steve Flook wrote: I would have to agree with Matt. After installing Sniffer about 4 months ago it's already more then paid for itself when you consider the time we spent constantly tweaking our filter files. It's a great add-on. Steve *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Matt *Sent:* Tuesday, December 21, 2004 10:06 AM *To:* Declude.JunkMail@declude.com *Subject:* Re: [Declude.JunkMail] tools/weights Buy Sniffer. It is the optimal add-on for Declude (and other systems). It will tag over 95% of your spam with ~99.8% accuracy (depending on your definitions). For the time that you would invest in getting your system even close to what the combination would provide, you will have easily paid for Sniffer. Most of those that participate on this list use it, and it might well provide you with the level of results that you seek without doing anything else. It might be a little difficult to understand from skimming the site, but there is plenty of help available in this group to get you up and running. Matt Schmeits, Roger wrote: http://www.declude.com/Articles.asp?ID=100 There are numerous tools on this page. Are there favorites? Dogs? Question: In the manual it talks about assigning weights for blacklists. Example Testname fromfile c:\imail\declude\badpeople.txt x 5 0 Would some explain the purpose of the placeholder and the two weights? Is this a standard format through declude files? I am the learning mode... ## Roger Schmeits Sr. Network Engineer Clarkson College http://www.clarksoncollege.edu (402) 552-2542 ## Disclaimer: The information contained in this e-mail is privileged and confidential and is intended only for the use of the addressee(s) indicated above. Use or disclosure of information e-mailed in error is respectfully prohibited. If you have received this e-mail in error, please contact the sender and immediately delete the original message. Thank you. -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ = Richard Lanard Information Technology Support University of Georgia Business Outreach Services /SBDC --- [This E-mail was scanned for viruses by the University of Georgia SBDC Email System.] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ = --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from
Re: [Declude.JunkMail] tools/weights
I second that, SpamAssassin does a wicked good job of picking off the spam via Declude. That, and its uber easy to train it on what is and is not spam. Sam Jerry Murdock wrote: In addition to (or possibly instead of) Sniffer, SpamC32/Spamassassin gets great results. Jerry - Original Message - From: Schmeits, Roger To: Declude.JunkMail@declude.com Sent: Tuesday, December 21, 2004 9:43 AM Subject: [Declude.JunkMail] tools/weights http://www.declude.com/Articles.asp?ID=100 There are numerous tools on this page. Are there favorites? Dogs? Question: In the manual it talks about assigning weights for blacklists. Example Testname fromfile c:\imail\declude\badpeople.txt x 5 0 Would some explain the purpose of the placeholder and the two weights? Is this a standard format through declude files? I am the learning mode... ## Roger Schmeits Sr. Network Engineer Clarkson College http://www.clarksoncollege.edu (402) 552-2542 ## Disclaimer: The information contained in this e-mail is privileged and confidential and is intended only for the use of the addressee(s) indicated above. Use or disclosure of information e-mailed in error is respectfully prohibited. If you have received this e-mail in error, please contact the sender and immediately delete the original message. Thank you. -- S.J.Stanaitis Network Administrator, Decorative Product Source http://www.dpsource.com/ [EMAIL PROTECTED] (877)-650-8054 x160 --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] tools/weights
- Original Message - From: Richard Lanard [EMAIL PROTECTED] I've been thinking about the Sniffer, but i had a few questions: Do i have to have Pro to run it, i.e. external tests? and How effective is it against Phishing? or would it be better to add Mcafee and Clam for this problem? We currently are limited to phrase filtering in Imail for the Phishing part. Sniffer does well at tagging phishing messages. However, adding ClamAV (clamd) is also a very good addition, both for detecting phish and virus laden messages. You can also use the MailPolice fraud list, which includes phish domains. Bill --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] [OT] Exchange2aliases Proper switch for LDAP Query
Now that I have a handle on ldap2aliases I am trying to setup Exchange2aliases. I am having problems getting the exchange server to give up it's users. I can get the script to the exporting users section, but it never gets any users. The AD name is east-undershirt.k12.ia.us so I use dc=east-undershirt,dc=k12,dc=ia,dc=us I am pretty sure this part is correct because if I change it in anyway the script fails before the exporting users section. Because LDAP is not my strong point here are the questions Are there any special settings on the exchange server that have to be set to allow me to query it across the Internet? I know my client has LDAP working because their Barracuda filter is also using LDAP. The Barracuda does have to have a username and password to access though. Do I need to specify a user and password on the command line of Exchange2Aliases then to query LDAP The AD on the exchange server has users in several OU's such as Staff and Admin Building. How does that change the command line? _ Scott Fosseen - Systems Engineer -Prairie Lakes AEA http://fosseen.us/scott _ If at first you don't succeed, skydiving is not for you. _ --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] $default$.JunkMail file mods
I'm trying to add a header to failed mail in the $default$.JunkMail file. The lines I've added are: WEIGHT20 HEADER FAILED WEIGHT TEST WEIGHT20 ROUTETO [EMAIL PROTECTED] The messages are being routed but without the header. What am I doing wrong? I'm using Declude 1.81 --- [This E-mail scanned for viruses by Surfside Internet] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re[2]: [Declude.JunkMail] OT: How to define spam and ham
On Tuesday, December 21, 2004, 4:49:33 AM, Markus wrote: MG First of all spam is anything MG comming from nonexistant, or forged senders MG having hidden content MG But what you're asking for is the difference between our MG human brain and stupid computers (Pete, your comment please ;-) Well... I'm having fun lurking and I don't want to spoil that. I'm anxious to learn what folks are thinking about all of this (without my nudging). The current implementation of Sniffer is a kind of broad spectrum hybrid learning system. We use statistical models to try and keep the core rulebase targeting what our users _seem_ to want filtered then we customize individual rulebases to match specific preferences. The learning model isn't perfect, but it has shown that by and large there is a strong agreement for most folks about what should be filtered - even if that definition cannot be clearly and consistently stated. (Note I did not say what is spam because that is getting to be more precise and more contentious these days.) What I find (and it really stands out when working with Matt) is that the definition indicated by the standing rules in our core rulebase is a mixed bag of features and that the definition is highly fluid around the edges. For example, in large part Matt's rules would indicate traffic from chtah is not spam but even he admits it's not acceptable to make that definition hard (not ok to white-list chtah). One more liberal definition of ham holds that if the recipient has a first party relationship with the sender then any content from that sender should not be filtered... Clearly from the volume of direct advertising that is submitted to us as spam (even as recurring spam problems) this definition does not hold for most of our users. This edge definition problem was predicted and so far our model is doing a reasonably good job of dealing with it - though improvements are clearly needed and are on their way (albeit slowly). In the mean time, end-user specific bayesian classification can often solve the edge problem -- thus reinforcing that the fluidity at the edge is largely due to differences in the filtering preferences of the end users and the variability thereof. Add to that the problem of data collection and the problem becomes not only difficult to solve, but difficult to measure --- Imagine piloting a supersonic fighter jet through a narrow winding canyon with your eyes shut and you've just about got the picture. As for the stupidity of machines... I personally believe that strong intelligence can be built artificially (and in fact I do that for fun and profit)... The big challenge with using AI for spam is the same as for many AI systems where people's expectations are concerned: The AI cannot and does not have a human frame of reference and so even if it did match or exceed the innate intelligence of a human counterpart, it would not be in a position to predict or model human behaviors precisely. Said another way (partly tongue in cheek) - since computers don't have sex, they don't grok porn and (ahem) organ enhancement spam. Without a social frame of reference they are reduced to guessing at otherwise meaningless patterns. You or I could do no better in that world. So, what we do with the design of Sniffer is to build a highly integrated hybrid with both human and machine components. Each gives the other strong leverage where it's needed. The machines remember better than we do, find and learn patterns well, and manage large datasets without too much effort. The humans understand the social contexts, predict and decode the strategies that are used by spammers, and interpret the needs and desires of our customers. I think I might be rambling... Were these the kinds of comments you were looking for? _M --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] [OT] Exchange2aliases Proper switch for LDAP Query
TheADnameis east-undershirt.k12.ia.us so I use dc=east-undershirt,dc=k12,dc=ia,dc=us I am pretty sure this part is correct. . . Yes, that looks okay. Are there any special settings on the exchange server that have to be set to allow me to query it across the Internet? You need to be running the script using credentials that are valid on the remote server. You can create a dummy local account to match the remote account name, and the passwords must match. The AD on the exchange server has users in several OU's such as Staff and Admin Building. How does that change the command line? You'd just loop through each OU and run ex2a against each: ou=ou_name, dc=east-undershirt, dc=k12. . . --Sandy Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED] SpamAssassin plugs into Declude! http://www.mailmage.com/products/software/freeutils/SPAMC32/download/release/ Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases! http://www.mailmage.com/products/software/freeutils/exchange2aliases/download/release/ http://www.mailmage.com/products/software/freeutils/ldap2aliases/download/release/ --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] $default$.JunkMail file mods
You can only have one action per test. You need to define another test like Weight20 (perhaps WEIGHT20_Header) with the action being to add the header. Darin. - Original Message - From: Terry Parks [EMAIL PROTECTED] To: Declude. JunkMail Declude.JunkMail@declude.com Sent: Tuesday, December 21, 2004 12:13 PM Subject: [Declude.JunkMail] $default$.JunkMail file mods I'm trying to add a header to failed mail in the $default$.JunkMail file. The lines I've added are: WEIGHT20 HEADER FAILED WEIGHT TEST WEIGHT20 ROUTETO [EMAIL PROTECTED] The messages are being routed but without the header. What am I doing wrong? I'm using Declude 1.81 --- [This E-mail scanned for viruses by Surfside Internet] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] OT: How to define spam and ham
Pete, I'm still exploring this topic, or at least trying to...hoping for some others to share their own definitions or practices (nudge, nudge, wink, wink) so the sample would be slightly more scientific. I am certainly not at all looking to convince anyone to change their own definitions. Instead my goal is to try to further the awareness of the differences that may or may not exist and hopefully apply this programatically and maybe in policy to the way that either Sniffer works, or I work with Sniffer...or both. I might also find that I need to change my own implementation of the definition that I use because as Marcus stated, life is short enough to not spend it on handling all this stuff manually. Fixing FP's on ads is a thankless job most of the time. I do understand the balance that works for Sniffer in handling such matters, but I don't want to be the guy that reports FP's for the things that another user reports as spam. One of us would be wasting our time and pissing off the other. The other day for instance, someone manually reported the HarryandDavid first-party ad, and then I manually reported it as a false positive. Who is right? Because of this, and regardless of the present system for handling such things, I do think that Sniffer should have a definition for this type of E-mail and a generalized set of rules to follow (soft edges of course). Today for instance you decided to bring backscatter into your definition of spam/unwanted E-mail, a fully conscious choice, and one that needed to be done with purpose and qualification. I believe that when it comes to first-party advertising, this should be done similarly when it comes to qualifying manual reports of both false positives and false negatives, and also in qualifying some tertiary links that can land in spamtraps assigning guilt to an innocent source (maybe the association is guilt enough). Although you allow for customizations among your individual clients to handle such differences, this is not the best use of any of our time to feel our way through this unless it is a part of a process of finding a larger consensus. I am not of course so bold as to suggest that my preference would be the best choice for anyone but myself, and hence the query to the list for feedback. I also think that the discussion could be fruitful in many other regards...if people would be willing to share their opinions. Matt Pete McNeil wrote: On Tuesday, December 21, 2004, 4:49:33 AM, Markus wrote: MG First of all spam is anything MG comming from nonexistant, or forged senders MG having hidden content MG But what you're asking for is the difference between our MG human brain and stupid computers (Pete, your comment please ;-) Well... I'm having fun lurking and I don't want to spoil that. I'm anxious to learn what folks are thinking about all of this (without my nudging). The current implementation of Sniffer is a kind of broad spectrum hybrid learning system. We use statistical models to try and keep the core rulebase targeting what our users _seem_ to want filtered then we customize individual rulebases to match specific preferences. The learning model isn't perfect, but it has shown that by and large there is a strong agreement for most folks about what should be filtered - even if that definition cannot be clearly and consistently stated. (Note I did not say what is spam because that is getting to be more precise and more contentious these days.) What I find (and it really stands out when working with Matt) is that the definition indicated by the standing rules in our core rulebase is a mixed bag of features and that the definition is highly fluid around the edges. For example, in large part Matt's rules would indicate traffic from chtah is not spam but even he admits it's not acceptable to make that definition hard (not ok to white-list chtah). One more liberal definition of ham holds that if the recipient has a first party relationship with the sender then any content from that sender should not be filtered... Clearly from the volume of direct advertising that is submitted to us as spam (even as recurring spam problems) this definition does not hold for most of our users. This edge definition problem was predicted and so far our model is doing a reasonably good job of dealing with it - though improvements are clearly needed and are on their way (albeit slowly). In the mean time, end-user specific bayesian classification can often solve the edge problem -- thus reinforcing that the fluidity at the edge is largely due to differences in the filtering preferences of the end users and the variability thereof. Add to that the problem of data collection and the problem becomes not only difficult to solve, but difficult to measure --- Imagine piloting a supersonic fighter jet through a narrow winding canyon with your eyes shut and you've just about got the picture. As for the stupidity of machines... I
Re[2]: [Declude.JunkMail] OT: How to define spam and ham
On Tuesday, December 21, 2004, 1:06:58 PM, Matt wrote: M Pete, M I'm still exploring this topic, or at least trying to...hoping for some M others to share their own definitions or practices (nudge, nudge, wink, M wink) so the sample would be slightly more scientific. Me too. It might be hard to get scientific about it though --- My suspicion / experience is that most folks are not scientific about it really. I think it is common to take an I know it when I see it approach to defining spam. It's good to get some more data on this though. M I am certainly not at all looking to convince anyone to change their own M definitions. Instead my goal is to try to further the awareness of the M differences that may or may not exist and hopefully apply this M programatically and maybe in policy to the way that either Sniffer M works, or I work with Sniffer...or both. I might also find that I need M to change my own implementation of the definition that I use because as M Marcus stated, life is short enough to not spend it on handling all M this stuff manually. Fixing FP's on ads is a thankless job most of the M time. In a way I've taken an open ended approach to this - as a matter of design I've stated that we do not know, nor can we know with any certainty what the policies and definitions of our customers are going to be, so the goal is to continuously learn and approximate this knowledge in a core rulebase and then drive any needed specificity into the user's ruelbases. It could be (I think it is) that in a world where there is no hard definition - or at least no such definition that satisfies all users - this open ended approach is better able to cope than one which is attempts to be more rigid at it's core. Perhaps the extreme effort that I know you put into your system is evidence of the stress between a fuzzy reality and a rigid concept - you are filling in the gaps with personal effort. M I do understand the balance that works for Sniffer in handling such M matters, but I don't want to be the guy that reports FP's for the things M that another user reports as spam. One of us would be wasting our time M and pissing off the other. The other day for instance, someone manually M reported the HarryandDavid first-party ad, and then I manually reported M it as a false positive. Who is right? Because of this, and regardless In SNF you both are. Sometimes when this conflict arises the core will define the content as spam (filtered) and sometimes ham (not filtered). This decision depends upon the available statistics. After that - one or the other specific rulebase will be changed to accommodate the difference - either blocking the rule, or whitelisting the content, or adding a specific black rule, etc... Here in the boundaries there is always some additional effort (cost) required. One of the key elements to the system is the diversity of opinions that drive it. As a matter of practice, yours tends to be off center - so you get more of these conflicts than most of our users. It would be a real shame if the costs (time, effort, etc...) caused you to go silent. In the end the system is only going to be as good as the effort we all put in. M of the present system for handling such things, I do think that Sniffer M should have a definition for this type of E-mail and a generalized set M of rules to follow (soft edges of course). Today for instance you M decided to bring backscatter into your definition of spam/unwanted M E-mail, a fully conscious choice, and one that needed to be done with M purpose and qualification. I believe that when it comes to first-party M advertising, this should be done similarly when it comes to qualifying M manual reports of both false positives and false negatives, and also in M qualifying some tertiary links that can land in spamtraps assigning M guilt to an innocent source (maybe the association is guilt enough). Many of the elements involved are difficult to measure and predict - so I'll respond by comparing the two proposed mechanisms and hope that this keeps us on topic: One is relatively easy (cost/benefit) while the other is relatively hard. When attempting to filter backscatter we can formulate a process that has a high probability of success with the resources at hand - and in addition the statistics show that we would have almost no conflict with our customers if we did this. (Many have expressed an interest in this and none have expressed a desire to protect these messages.) When considering first party advertising things are very different. It is difficult to formulate a process that can capture the required data in real-time or even near real-time - and our data shows that we already have a high degree of conflict in this area. Some customers aggressively submit messages that they want filtered which others do not. Where the system meets your edge the data is very clear. The vast majority of rules that you have removed for your system have been
[Declude.JunkMail] Declude incorrectly detecting subject.
I am noticing some emails with this in the header. The problem is Declude is analyzing it as the subject when is should be using the one later in the email. See below. Any thoughts. DomainKey-Signature: a=rsa-sha1; q=dns; c=simple; s=test1; d=earthlink.net; h=Message-ID:From:To:References:Subject:Date:MIME-Version:Content-Type:Content-Transfer-Encoding:X-Priority:X-MSMail-Priority:X-Mailer:Disposition-Notification-To:X-MimeOLE; b=H9fY2Cru32tHwdaPFHrSFBzeyUyQqtUytw+BMgWWUP1/ysmDK1csSmzr9OiVFC3B; Subject:Re: [infogurumarketing] Credit Card Processing --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Declude incorrectly detecting subject.
I am noticing some emails with this in the header. The problem is Declude is analyzing it as the subject when is should be using the one later in the email. See below. Any thoughts. This is fixed in v2.0b. :) -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Declude incorrectly detecting subject.
Where do I download the version. - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Tuesday, December 21, 2004 5:30 PM Subject: Re: [Declude.JunkMail] Declude incorrectly detecting subject. I am noticing some emails with this in the header. The problem is Declude is analyzing it as the subject when is should be using the one later in the email. See below. Any thoughts. This is fixed in v2.0b. :) -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Declude incorrectly detecting subject.
I upgraded to 2.0b and now get Failed to get temporary file name: 267 in the log file. - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Tuesday, December 21, 2004 5:30 PM Subject: Re: [Declude.JunkMail] Declude incorrectly detecting subject. I am noticing some emails with this in the header. The problem is Declude is analyzing it as the subject when is should be using the one later in the email. See below. Any thoughts. This is fixed in v2.0b. :) -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Declude incorrectly detecting subject.
Scott, Where can I download version 2.0? Thanks, Frances Tong Information Technology Manager Naperville Public Library NAPERVILLE'S NEIGHBORHOOD OF KNOWLEDGE 3015 Cedar Glade Drive Naperville, IL 60564 (630) 961-4100 Ext. 4980 [EMAIL PROTECTED] -- Original Message -- From: R. Scott Perry [EMAIL PROTECTED] Reply-To: Declude.JunkMail@declude.com Date: Tue, 21 Dec 2004 17:30:04 -0500 I am noticing some emails with this in the header. The problem is Declude is analyzing it as the subject when is should be using the one later in the email. See below. Any thoughts. This is fixed in v2.0b. :) -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Fw: Declude 2.0b Install
Nice to know that Declude is listening to our requests. Thanks Ralph! Bill - Original Message - From: Ralph Krausse To: [EMAIL PROTECTED] Sent: Tuesday, December 21, 2004 10:57 AM Subject: Declude 2.0b Install Hello Bill, I wanted to let you know that I was monitoring the email thread on the Declude forums. I will add an option to the install (and all future installs) to be able to do a manual install where it will prompt you for a folder where the install will just copy the files into that folder and exit. Then you will be able to do the upgrades you are used to. We are trying to make installs and upgrades easier for users but I realize that some customers do like the hand on approach. I will try to accommodate everyone. Thank you, Ralph Krausse
