RE: [Declude.JunkMail] Something new with v 2.0.6
Title: Message Dear Matt: >> it would be a bug in Declude to behave in this way << You may be right - but I'm not that certain about that being a bug (unless you expect Declude to perform a "syntax check" of these user headers). RFC822 states: 3.1.1. LONG HEADER FIELDS Each header field can be viewed as a single, logical line of ASCII characters, comprising a field-name and a field-body. For convenience, the field-body portion of this conceptual entity can be split into a multiple-line representation; this is called "folding". The general rule is that wherever there may be linear-white-space (NOT simply LWSP-chars), a CRLF immediately followed by AT LEAST one LWSP-char may instead be inserted. In other words, as long as CRLF is followed by a SPACE in the new line, the line X-Spam-Tests-Failed Weight would have to be treated as a conintuation of the PRIOR header field. However, in the absence of: a) a leading space, b) a valid header field name it might actually be PROPER to err on the side of safety and consider this the "end" of the headers. After all, we don't want to create a vulnerability where someone could insert "data" into the header that Outlook might skip... Best RegardsAndy SchmidtPhone: +1 201 934-3414 x20 (Business)Fax: +1 201 934-9206 -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of MattSent: Wednesday, April 13, 2005 04:37 PMTo: Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail] Something new with v 2.0.6Fred,Those are all legit. Andy has keen eyes and I suspect that he may have identified the trigger, though it would be a bug in Declude to behave in this way, but a minor one.The examples that you gave all have no spaces prior to the first colon, and that is compliant. The one that Andy gave was clearly not, and it is the one that is also causing you problems.MattFrederick Samarelli wrote: Good Thought but I have these others without problem. Thanks. XINHEADER X-Note: Total spam weight of this E-mail is %WEIGHT%.XINHEADER X-RBL-Warning: Total weight: %WEIGHT%XINHEADER X-Note: This E-mail was scanned & filtered by TCB [%VERSION%] for SPAM & virus.XINHEADER X-Note: Sent from: %MAILFROM%XINHEADER X-Note: Sent from Reverse DNS: %REVDNS% ([%REMOTEIP%])XINHEADER X-Note: Recipient(s): %REALRECIPS%- Original Message - From: Andy Schmidt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 4:02 PM Subject: RE: [Declude.JunkMail] Something new with v 2.0.6 Hi Frederick: I don't know if this has been asked/suggested already and I don't have time to go back to the RFCs to see if embedded spaces are permitted in the header name. But have you ever tried eliminating that space: XINHEADER X-Spam-Tests-Failed Weight: %TESTSFAILEDWITHWEIGHTS% replace with: XINHEADER X-Spam-Tests-Failed-Weight: %TESTSFAILEDWITHWEIGHTS% May be the problem is that there is a CR/LF followed by a line that contains no header name (due to the embedded space) following by another CR/LF. May be those two CR/LF without valid header information inbetween are interpreted as "start of message body" by some entities? Best RegardsAndy SchmidtPhone: +1 201 934-3414 x20 (Business)Fax: +1 201 934-9206 -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Frederick SamarelliSent: Wednesday, April 13, 2005 03:42 PMTo: Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail] Something new with v 2.0.6 Mike/Matt (thanks for your help) You should be able to duplicated by just forwarding an email to an outside account using the problem line at the bottom. As not to confuse things I simplified the process. Send an email from [EMAIL PROTECTED] =>>> [EMAIL PROTECTED] (forwarded to) =>>> [EMAIL PROTECTED] This run through only one server on my network. Header from My AOL account. Return-Path: <[EMAIL PROTECTED]>Received: from rly-xm04.mx.aol.com (rly-xm04.mail.aol.com [172.20.83.105]) by air-xm03.mail.aol.com (v105.26) with ESMTP id MAILINXM31-606425d743d132; Wed, 13 Apr 2005 15:34:25 -0400Received: from bks.tcbinc.com (bks.tcbinc.com [64.124.117.196]) by rly-xm04.mx.aol.com (v105.26) with ESMTP id MAILRELAYINXM42-606425d743d132; Wed, 13 Apr 2005 15:34:21 -0400Rec
[Declude.JunkMail] Problem with spamc32 to Linux spamd box
Hi all, I’m a Linux newbie, so I think this may have to do with that end of things, since I seem to have a problem there as well. I have Redhat Fedora Core 3. I have spamd running with –d to daemonize, –i to allow all IPs. Even if I leave at the defaults and run it, spamc test on that box just sits at the command line and doesn’t do anything. Running a test with spamassassin from the command line gives the expected output on the 2 test files. I don’t know where to find any helpful info about what is going wrong. Turning on debug with spamc –l doesn’t do anything either. On the IMail end (IMail 8.15, Declude JunkMail Pro v. 1.81 on Windows 2000) when I run spamd as follows: spamc32.exe -d -f C:\Mail-SpamAssassin-3.0.2\sample\sample-spam.txt -$ > c:\results.txt I get results.txt containing: SPAMC32: Max file size 32000 SPAMC32: CHECK option selected SPAMC32: Current weight -1 SPAMC32: Skip-if weight -1 SPAMC32: SPAMD IP 169.204.52.18 SPAMC32: SPAMD port 783 SPAMC32: High threshold -1 SPAMC32: Low threshold -1 SPAMC32: Timeout 10 SPAMC32: Filename C:\Mail-SpamAssassin-3.0.2\sample\sample-spam.txt SPAMC32: Loading C:\Mail-SpamAssassin-3.0.2\sample\sample-spam.txt And the debug output on the DOS console shows: SPAMC32: Message Length = 825 SPAMC32: Connecting to 169.204.52.18:783 SPAMC: Connected to :783 SPAMC: Socket Closed SPAMC32: Retrying connection to 169.204.52.18:783 SPAMC: Connected to :783 SPAMC32: Sending Data to SpamD... SPAMC32: SENT 60 REMAINING 0 SPAMC32: Send Complete SPAMC32: Message Data not sent to SpamD! Is the SPAMC part of this the problem? It appears from the output that it’s connecting to the spamd server, but then closing right away. However, I don’t have a spamc.exe on my drive. Maybe the SPAMC in the output is just generated by SPAMC32 then. I did install a Windows spamd server and it works fine with SPAMC32…. I have looked all over the Web for answers, but I think my lack of familiarity with Linux may be causing me to miss something. SPAMD is running as root on the Linux box. Thanks for any ideas. Maybe there’s just a “duh” sort of solution? Geoff
Re: [Declude.JunkMail] Something new with v 2.0.6
Title: Message Andy, Knowing Scott, I could see him adding a double line break when the header name was invalid so as to not write an invalid header. I suppose that could be seen as a form of error handling, though it's not the way that I would tend to approach the same issue if in fact the case. I also suppose that it is possible that his E-mail client is adding the double line breaks to the interpreted output that he is viewing and it might in fact all appear without line breaks in the uninterpreted source. Either way, I'm sure that this fixed the issue. Matt Andy Schmidt wrote: Dear Matt: >> it would be a bug in Declude to behave in this way << You may be right - but I'm not that certain about that being a bug (unless you expect Declude to perform a "syntax check" of these user headers). RFC822 states: 3.1.1. LONG HEADER FIELDS Each header field can be viewed as a single, logical line of ASCII characters, comprising a field-name and a field-body. For convenience, the field-body portion of this conceptual entity can be split into a multiple-line representation; this is called "folding". The general rule is that wherever there may be linear-white-space (NOT simply LWSP-chars), a CRLF immediately followed by AT LEAST one LWSP-char may instead be inserted. In other words, as long as CRLF is followed by a SPACE in the new line, the line X-Spam-Tests-Failed Weight would have to be treated as a conintuation of the PRIOR header field. However, in the absence of: a) a leading space, b) a valid header field name it might actually be PROPER to err on the side of safety and consider this the "end" of the headers. After all, we don't want to create a vulnerability where someone could insert "data" into the header that Outlook might skip... Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Sent: Wednesday, April 13, 2005 04:37 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 Fred, Those are all legit. Andy has keen eyes and I suspect that he may have identified the trigger, though it would be a bug in Declude to behave in this way, but a minor one. The examples that you gave all have no spaces prior to the first colon, and that is compliant. The one that Andy gave was clearly not, and it is the one that is also causing you problems. Matt Frederick Samarelli wrote: Good Thought but I have these others without problem. Thanks. XINHEADER X-Note: Total spam weight of this E-mail is %WEIGHT%. XINHEADER X-RBL-Warning: Total weight: %WEIGHT% XINHEADER X-Note: This E-mail was scanned & filtered by TCB [%VERSION%] for SPAM & virus. XINHEADER X-Note: Sent from: %MAILFROM% XINHEADER X-Note: Sent from Reverse DNS: %REVDNS% ([%REMOTEIP%]) XINHEADER X-Note: Recipient(s): %REALRECIPS% - Original Message - From: Andy Schmidt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 4:02 PM Subject: RE: [Declude.JunkMail] Something new with v 2.0.6 Hi Frederick: I don't know if this has been asked/suggested already and I don't have time to go back to the RFCs to see if embedded spaces are permitted in the header name. But have you ever tried eliminating that space: XINHEADER X-Spam-Tests-Failed Weight: %TESTSFAILEDWITHWEIGHTS% replace with: XINHEADER X-Spam-Tests-Failed-Weight: %TESTSFAILEDWITHWEIGHTS% May be the problem is that there is a CR/LF followed by a line that contains no header name (due to the embedded space) following by another CR/LF. May be those two CR/LF without valid header information inbetween are interpreted as "start of message body" by some entities? Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Frederick Samarelli Sent: Wednesday, April 13, 2005 03:42 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 Mike/Matt (thanks for your help) You should be able to duplicated by just forwarding an email to an outside account using the problem line at the bottom. As not to confuse things I simplified the process. Send an ema
RE: [Declude.JunkMail] Something new with v 2.0.6
Title: Message Hi Frederick: May be you should also post the relevant lines from the Globa.cfg so that one can see what lines you requested to be inserted. Also, which of these lines specifically are incorrect? Best RegardsAndy SchmidtPhone: +1 201 934-3414 x20 (Business)Fax: +1 201 934-9206 -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frederick SamarelliSent: Wednesday, April 13, 2005 01:08 AMTo: Declude.JunkMail@declude.comSubject: [Declude.JunkMail] Something new with v 2.0.6 Since I upgraded to v 2.0.6 from 2.0.5 I am getting the below header info included in the body of emails that are being forwarded. Any ideas. X-Spam-Tests-Failed Weight: SNIFFERZERO [0], FILTER-MAILFROM [5]X-Spam-Time:00:00:12X-Note: Total spam weight of this E-mail is 5X-Note: This E-mail was scanned & filtered by Declude [2.0.6] for SPAM & virusX-Spam-Tests-Failed: SNIFFERZERO, FILTER-MAILFROMX-Weight: 5X-Mailfrom: <>X-Note: Sent from: <>X-Note: Sent from Reverse DNS: (Private IP) ([127.0.0.1])X-Hello: X-Note: Recipient(s): [EMAIL PROTECTED]X-Country-Chain:
RE: [Declude.JunkMail] Something new with v 2.0.6
Title: Message He said they are included in the BODY of the email, not the headers. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy SchmidtSent: Wednesday, April 13, 2005 10:02 AMTo: Declude.JunkMail@declude.comSubject: RE: [Declude.JunkMail] Something new with v 2.0.6 Hi Frederick: May be you should also post the relevant lines from the Globa.cfg so that one can see what lines you requested to be inserted. Also, which of these lines specifically are incorrect? Best RegardsAndy SchmidtPhone: +1 201 934-3414 x20 (Business)Fax: +1 201 934-9206 -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frederick SamarelliSent: Wednesday, April 13, 2005 01:08 AMTo: Declude.JunkMail@declude.comSubject: [Declude.JunkMail] Something new with v 2.0.6 Since I upgraded to v 2.0.6 from 2.0.5 I am getting the below header info included in the body of emails that are being forwarded. Any ideas. X-Spam-Tests-Failed Weight: SNIFFERZERO [0], FILTER-MAILFROM [5]X-Spam-Time:00:00:12X-Note: Total spam weight of this E-mail is 5X-Note: This E-mail was scanned & filtered by Declude [2.0.6] for SPAM & virusX-Spam-Tests-Failed: SNIFFERZERO, FILTER-MAILFROMX-Weight: 5X-Mailfrom: <>X-Note: Sent from: <>X-Note: Sent from Reverse DNS: (Private IP) ([127.0.0.1])X-Hello: X-Note: Recipient(s): [EMAIL PROTECTED]X-Country-Chain:
[Declude.JunkMail] Which IPs does WHITELIST look at?
I have recently setup a SMTP load balancer, with 3 iMail servers running declude behind it. Previously, I was using WHITELIST IP to whitelist our local IP range. Mail comming from those internal servers (a web-based email front-end) is guarenteed to have been sent by our users. Now, that whitelist rule is causing all mail to get whitelisted, because external mail now also passes through the load balancer. My question is, if I restrict the whitelist to a CIDR range including the web servers but not the load balancer, will the WHITELIST rule look past the last hop to decide whether to let the message through? Example: Webserver 172.16.0.50 originates a messages. Load Balancer 172.16.0.37 relays the message to an iMail server. The hops read 172.16.0.37, then 172.16.0.50 going from the top to the bottom of the header. If I WHITELIST 172.16.0.50, but NOT 172.16.0.37, will the whitelist rule still fire because this IP was somewhere in the header? Or does it only look at last hop? -Chase Chase Seibert | Network and Systems Engineer | Bullhorn Inc. | 617.464.2440 x119 | www.bullhorn.com
Re: [Declude.JunkMail] Something new with v 2.0.6
Title: Message They are all a problem. They show up in the body of the email after it is forwarded. If I pull the email directly from the server it is fine. Noting shows in the body. If I have that email account setup to forward to another address the email shows with all these lines at the top of the body of the message. The lines represent all my XINHEADER references. - Original Message - From: Andy Schmidt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 10:02 AM Subject: RE: [Declude.JunkMail] Something new with v 2.0.6 Hi Frederick: May be you should also post the relevant lines from the Globa.cfg so that one can see what lines you requested to be inserted. Also, which of these lines specifically are incorrect? Best RegardsAndy SchmidtPhone: +1 201 934-3414 x20 (Business)Fax: +1 201 934-9206 -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frederick SamarelliSent: Wednesday, April 13, 2005 01:08 AMTo: Declude.JunkMail@declude.comSubject: [Declude.JunkMail] Something new with v 2.0.6 Since I upgraded to v 2.0.6 from 2.0.5 I am getting the below header info included in the body of emails that are being forwarded. Any ideas. X-Spam-Tests-Failed Weight: SNIFFERZERO [0], FILTER-MAILFROM [5]X-Spam-Time:00:00:12X-Note: Total spam weight of this E-mail is 5X-Note: This E-mail was scanned & filtered by Declude [2.0.6] for SPAM & virusX-Spam-Tests-Failed: SNIFFERZERO, FILTER-MAILFROMX-Weight: 5X-Mailfrom: <>X-Note: Sent from: <>X-Note: Sent from Reverse DNS: (Private IP) ([127.0.0.1])X-Hello: X-Note: Recipient(s): [EMAIL PROTECTED]X-Country-Chain:
Re: [Declude.JunkMail] Something new with v 2.0.6
Title: Message Any chance of a Double CR in one of your XINHEADER lines? That could cause a mail client to think everything below it is part of the body...perhaps even a blank XINHEADER could cause it... Darin. - Original Message - From: Frederick Samarelli To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 10:13 AM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 They are all a problem. They show up in the body of the email after it is forwarded. If I pull the email directly from the server it is fine. Noting shows in the body. If I have that email account setup to forward to another address the email shows with all these lines at the top of the body of the message. The lines represent all my XINHEADER references. - Original Message - From: Andy Schmidt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 10:02 AM Subject: RE: [Declude.JunkMail] Something new with v 2.0.6 Hi Frederick: May be you should also post the relevant lines from the Globa.cfg so that one can see what lines you requested to be inserted. Also, which of these lines specifically are incorrect? Best RegardsAndy SchmidtPhone: +1 201 934-3414 x20 (Business)Fax: +1 201 934-9206 -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frederick SamarelliSent: Wednesday, April 13, 2005 01:08 AMTo: Declude.JunkMail@declude.comSubject: [Declude.JunkMail] Something new with v 2.0.6 Since I upgraded to v 2.0.6 from 2.0.5 I am getting the below header info included in the body of emails that are being forwarded. Any ideas. X-Spam-Tests-Failed Weight: SNIFFERZERO [0], FILTER-MAILFROM [5]X-Spam-Time:00:00:12X-Note: Total spam weight of this E-mail is 5X-Note: This E-mail was scanned & filtered by Declude [2.0.6] for SPAM & virusX-Spam-Tests-Failed: SNIFFERZERO, FILTER-MAILFROMX-Weight: 5X-Mailfrom: <>X-Note: Sent from: <>X-Note: Sent from Reverse DNS: (Private IP) ([127.0.0.1])X-Hello: X-Note: Recipient(s): [EMAIL PROTECTED]X-Country-Chain:
RE: [Declude.JunkMail] Which IPs does WHITELIST look at?
I believe you want to IPBYPASS your load balancer? IPBYPASS 172.16.0.37 In your global.cfg -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chase Seibert Sent: Wednesday, April 13, 2005 10:15 AM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] Which IPs does WHITELIST look at? I have recently setup a SMTP load balancer, with 3 iMail servers running declude behind it. Previously, I was using WHITELIST IP to whitelist our local IP range. Mail comming from those internal servers (a web-based email front-end) is guarenteed to have been sent by our users. Now, that whitelist rule is causing all mail to get whitelisted, because external mail now also passes through the load balancer. My question is, if I restrict the whitelist to a CIDR range including the web servers but not the load balancer, will the WHITELIST rule look past the last hop to decide whether to let the message through? Example: Webserver 172.16.0.50 originates a messages. Load Balancer 172.16.0.37 relays the message to an iMail server. The hops read 172.16.0.37, then 172.16.0.50 going from the top to the bottom of the header. If I WHITELIST 172.16.0.50, but NOT 172.16.0.37, will the whitelist rule still fire because this IP was somewhere in the header? Or does it only look at last hop? -Chase Chase Seibert | Network and Systems Engineer | Bullhorn Inc. | 617.464.2440 x119 | www.bullhorn.com --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Something new with v 2.0.6
Fred, It would help if you could share the entire source of the E-mail including the headers. This sounds like something is inserting an extra line break in the headers and your mail client is interpreting that as the start of the body. Matt Frederick Samarelli wrote: Since I upgraded to v 2.0.6 from 2.0.5 I am getting the below header info included in the body of emails that are being forwarded. Any ideas. X-Spam-Tests-Failed Weight: SNIFFERZERO [0], FILTER-MAILFROM [5] X-Spam-Time:00:00:12 X-Note: Total spam weight of this E-mail is 5 X-Note: This E-mail was scanned & filtered by Declude [2.0.6] for SPAM & virus X-Spam-Tests-Failed: SNIFFERZERO, FILTER-MAILFROM X-Weight: 5 X-Mailfrom: <> X-Note: Sent from: <> X-Note: Sent from Reverse DNS: (Private IP) ([127.0.0.1]) X-Hello: X-Note: Recipient(s): [EMAIL PROTECTED] X-Country-Chain: -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =
[Declude.JunkMail] Something new with v 2.0.6
HEADER Received: from dns2.tcbinc.net [64.124.116.30] by bks.tcbinc.com (SMTPD32-8.15) id A5E13540470; Wed, 13 Apr 2005 03:10:25 -0400Received: from mail.tcbinc.net ([64.124.116.40]) by dns2.tcbinc.net (SMSSMTP 4.1.0.19) with SMTP id M2005041303105928414 for <[EMAIL PROTECTED]>; Wed, 13 Apr 2005 03:10:59 -0400Received: from SMTP32-FWD by mail.tcbinc.net (SMTP32) id AC601002507EA4CF6; Wed, 13 Apr 2005 03:10:59 -0400Received: from ADS [64.124.116.10] by mail.tcbinc.net (SMTPD32-8.15) id A6012507EA; Wed, 13 Apr 2005 03:10:57 -0400SUBJECT: Virus FoundMessage-Id: <[EMAIL PROTECTED]>X-RBL-Warning: SNIFFERZERO: Message failed SNIFFERZERO: 0.X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command.X-RBL-Warning: SPFPASS: SPF returned PASS for this E-mail.X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [8c20].X-RBL-Warning: WEIGHT10: Total weight between 10 and 14.X-Declude-Sender: [EMAIL PROTECTED] [64.124.116.10]X-Declude-Spoolname: DC601002507EA4CF6.SMDX-RBL-Warning: SNIFFERZERO: Message failed SNIFFERZERO: 0.X-RBL-Warning: SPFPASS: SPF returned PASS for this E-mail.X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [8c20].X-RBL-Warning: HELOBOGUS: Domain ADS has no MX or A records [0301].X-Declude-Sender: [EMAIL PROTECTED] [64.124.116.10]X-Declude-Spoolname: DC5E1035404704CAF.SMDX-Note: Total spam weight of this E-mail is 3.X-RBL-Warning: Total weight: 3X-Note: This E-mail was scanned & filtered by TCB [2.0.6] for SPAM & virus.X-Spam-Tests-Failed: SNIFFERZERO, SPFPASS, BADHEADERS, HELOBOGUSX-Spam-Tests-Failed Weight: SNIFFERZERO [0], SPFPASS [0], BADHEADERS [2], HELOBOGUS [1]X-Spam-Time:03:10:29X-Weight: 3X-Mailfrom: fred.tcbinc.netX-Note: Sent from: [EMAIL PROTECTED]X-Note: Sent from Reverse DNS: ads.tcbinc.net ([64.124.116.10])X-Hello: ADSX-Note: Recipient(s): [EMAIL PROTECTED]X-Country-Chain: UNITED STATES->destinationFrom: [EMAIL PROTECTED]Date: Wed, 13 Apr 2005 03:10:29 -0400X-RCPT-TO: <[EMAIL PROTECTED]>Status: UX-UIDL: 411698213 BODY: X-Spam-Tests-Failed Weight: SNIFFERZERO [0], CMDSPACE [8], SPFPASS [0], BADHEADERS [2], WEIGHT10 [10]X-Spam-Time:03:10:59X-Note: Total spam weight of this E-mail is 10X-Note: This E-mail was scanned & filtered by Declude [2.0.6] for SPAM & virusX-Spam-Tests-Failed: SNIFFERZERO, CMDSPACE, SPFPASS, BADHEADERS, WEIGHT10X-Weight: 10X-Mailfrom: fred.tcbinc.netX-Note: Sent from: [EMAIL PROTECTED]X-Note: Sent from Reverse DNS: ads.tcbinc.net ([64.124.116.10])X-Hello: ADSX-Note: Recipient(s): [EMAIL PROTECTED]X-Country-Chain: UNITED STATES->destinationDate: Wed, 13 Apr 2005 03:10:59 -0400 Virus:[EMAIL PROTECTED]Alert: Virus FoundComputer: DNS2Date: 04/13/2005Time: 03:10:54 AMSeverity: CriticalSource: Norton AntiVirus Corporate Edition
Re: [Declude.JunkMail] Something new with v 2.0.6
I think we're going to have to see the Global.CFG to figure out if there's a misconfiguration. I certainly looks like your entire XINHEADER config is duplicated. Darin. - Original Message - From: Frederick Samarelli To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 10:34 AM Subject: [Declude.JunkMail] Something new with v 2.0.6 HEADER Received: from dns2.tcbinc.net [64.124.116.30] by bks.tcbinc.com (SMTPD32-8.15) id A5E13540470; Wed, 13 Apr 2005 03:10:25 -0400Received: from mail.tcbinc.net ([64.124.116.40]) by dns2.tcbinc.net (SMSSMTP 4.1.0.19) with SMTP id M2005041303105928414 for <[EMAIL PROTECTED]>; Wed, 13 Apr 2005 03:10:59 -0400Received: from SMTP32-FWD by mail.tcbinc.net (SMTP32) id AC601002507EA4CF6; Wed, 13 Apr 2005 03:10:59 -0400Received: from ADS [64.124.116.10] by mail.tcbinc.net (SMTPD32-8.15) id A6012507EA; Wed, 13 Apr 2005 03:10:57 -0400SUBJECT: Virus FoundMessage-Id: <[EMAIL PROTECTED]>X-RBL-Warning: SNIFFERZERO: Message failed SNIFFERZERO: 0.X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command.X-RBL-Warning: SPFPASS: SPF returned PASS for this E-mail.X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [8c20].X-RBL-Warning: WEIGHT10: Total weight between 10 and 14.X-Declude-Sender: [EMAIL PROTECTED] [64.124.116.10]X-Declude-Spoolname: DC601002507EA4CF6.SMDX-RBL-Warning: SNIFFERZERO: Message failed SNIFFERZERO: 0.X-RBL-Warning: SPFPASS: SPF returned PASS for this E-mail.X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [8c20].X-RBL-Warning: HELOBOGUS: Domain ADS has no MX or A records [0301].X-Declude-Sender: [EMAIL PROTECTED] [64.124.116.10]X-Declude-Spoolname: DC5E1035404704CAF.SMDX-Note: Total spam weight of this E-mail is 3.X-RBL-Warning: Total weight: 3X-Note: This E-mail was scanned & filtered by TCB [2.0.6] for SPAM & virus.X-Spam-Tests-Failed: SNIFFERZERO, SPFPASS, BADHEADERS, HELOBOGUSX-Spam-Tests-Failed Weight: SNIFFERZERO [0], SPFPASS [0], BADHEADERS [2], HELOBOGUS [1]X-Spam-Time:03:10:29X-Weight: 3X-Mailfrom: fred.tcbinc.netX-Note: Sent from: [EMAIL PROTECTED]X-Note: Sent from Reverse DNS: ads.tcbinc.net ([64.124.116.10])X-Hello: ADSX-Note: Recipient(s): [EMAIL PROTECTED]X-Country-Chain: UNITED STATES->destinationFrom: [EMAIL PROTECTED]Date: Wed, 13 Apr 2005 03:10:29 -0400X-RCPT-TO: <[EMAIL PROTECTED]>Status: UX-UIDL: 411698213 BODY: X-Spam-Tests-Failed Weight: SNIFFERZERO [0], CMDSPACE [8], SPFPASS [0], BADHEADERS [2], WEIGHT10 [10]X-Spam-Time:03:10:59X-Note: Total spam weight of this E-mail is 10X-Note: This E-mail was scanned & filtered by Declude [2.0.6] for SPAM & virusX-Spam-Tests-Failed: SNIFFERZERO, CMDSPACE, SPFPASS, BADHEADERS, WEIGHT10X-Weight: 10X-Mailfrom: fred.tcbinc.netX-Note: Sent from: [EMAIL PROTECTED]X-Note: Sent from Reverse DNS: ads.tcbinc.net ([64.124.116.10])X-Hello: ADSX-Note: Recipient(s): [EMAIL PROTECTED]X-Country-Chain: UNITED STATES->destinationDate: Wed, 13 Apr 2005 03:10:59 -0400 Virus:[EMAIL PROTECTED]Alert: Virus FoundComputer: DNS2Date: 04/13/2005Time: 03:10:54 AMSeverity: CriticalSource: Norton AntiVirus Corporate Edition
Re: [Declude.JunkMail] Something new with v 2.0.6
See attached config. The problem only started after the update from 2.0.5 to 2.0.6 - Original Message - From: Darin Cox To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 10:39 AM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 I think we're going to have to see the Global.CFG to figure out if there's a misconfiguration. I certainly looks like your entire XINHEADER config is duplicated. Darin. - Original Message - From: Frederick Samarelli To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 10:34 AM Subject: [Declude.JunkMail] Something new with v 2.0.6 HEADER Received: from dns2.tcbinc.net [64.124.116.30] by bks.tcbinc.com (SMTPD32-8.15) id A5E13540470; Wed, 13 Apr 2005 03:10:25 -0400Received: from mail.tcbinc.net ([64.124.116.40]) by dns2.tcbinc.net (SMSSMTP 4.1.0.19) with SMTP id M2005041303105928414 for <[EMAIL PROTECTED]>; Wed, 13 Apr 2005 03:10:59 -0400Received: from SMTP32-FWD by mail.tcbinc.net (SMTP32) id AC601002507EA4CF6; Wed, 13 Apr 2005 03:10:59 -0400Received: from ADS [64.124.116.10] by mail.tcbinc.net (SMTPD32-8.15) id A6012507EA; Wed, 13 Apr 2005 03:10:57 -0400SUBJECT: Virus FoundMessage-Id: <[EMAIL PROTECTED]>X-RBL-Warning: SNIFFERZERO: Message failed SNIFFERZERO: 0.X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command.X-RBL-Warning: SPFPASS: SPF returned PASS for this E-mail.X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [8c20].X-RBL-Warning: WEIGHT10: Total weight between 10 and 14.X-Declude-Sender: [EMAIL PROTECTED] [64.124.116.10]X-Declude-Spoolname: DC601002507EA4CF6.SMDX-RBL-Warning: SNIFFERZERO: Message failed SNIFFERZERO: 0.X-RBL-Warning: SPFPASS: SPF returned PASS for this E-mail.X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [8c20].X-RBL-Warning: HELOBOGUS: Domain ADS has no MX or A records [0301].X-Declude-Sender: [EMAIL PROTECTED] [64.124.116.10]X-Declude-Spoolname: DC5E1035404704CAF.SMDX-Note: Total spam weight of this E-mail is 3.X-RBL-Warning: Total weight: 3X-Note: This E-mail was scanned & filtered by TCB [2.0.6] for SPAM & virus.X-Spam-Tests-Failed: SNIFFERZERO, SPFPASS, BADHEADERS, HELOBOGUSX-Spam-Tests-Failed Weight: SNIFFERZERO [0], SPFPASS [0], BADHEADERS [2], HELOBOGUS [1]X-Spam-Time:03:10:29X-Weight: 3X-Mailfrom: fred.tcbinc.netX-Note: Sent from: [EMAIL PROTECTED]X-Note: Sent from Reverse DNS: ads.tcbinc.net ([64.124.116.10])X-Hello: ADSX-Note: Recipient(s): [EMAIL PROTECTED]X-Country-Chain: UNITED STATES->destinationFrom: [EMAIL PROTECTED]Date: Wed, 13 Apr 2005 03:10:29 -0400X-RCPT-TO: <[EMAIL PROTECTED]>Status: UX-UIDL: 411698213 BODY: X-Spam-Tests-Failed Weight: SNIFFERZERO [0], CMDSPACE [8], SPFPASS [0], BADHEADERS [2], WEIGHT10 [10]X-Spam-Time:03:10:59X-Note: Total spam weight of this E-mail is 10X-Note: This E-mail was scanned & filtered by Declude [2.0.6] for SPAM & virusX-Spam-Tests-Failed: SNIFFERZERO, CMDSPACE, SPFPASS, BADHEADERS, WEIGHT10X-Weight: 10X-Mailfrom: fred.tcbinc.netX-Note: Sent from: [EMAIL PROTECTED]X-Note: Sent from Reverse DNS: ads.tcbinc.net ([64.124.116.10])X-Hello: ADSX-Note: Recipient(s): [EMAIL PROTECTED]X-Country-Chain: UNITED STATES->destinationDate: Wed, 13 Apr 2005 03:10:59 -0400 Virus:[EMAIL PROTECTED]Alert: Virus FoundComputer: DNS2Date: 04/13/2005Time: 03:10:54 AMSeverity: CriticalSource: Norton AntiVirus Corporate Edition GLOBAL.CFG Description: Binary data
Re: [Declude.JunkMail] WHITELISTFILE Question
Don't know if you resolved this, but looks like one entry ends in "or" and the other in "er". Neal R. Mathews Network Systems Engineer The Carriage House Co.'s, Inc. 716-673-8321 "Goran Jovanovic" <[EMAIL PROTECTED] op.com>To Sent by: Declude.JunkMail- cc [EMAIL PROTECTED] Subject [Declude.JunkMail] WHITELISTFILE 04/08/2005 09:29 Question AM Please respond to Declude.JunkMail@ declude.com Hi, I have the following entries in a domain specific WHITELISTFILE [EMAIL PROTECTED] . . . @autocontacter.com Now I realize that the second one includes the first one but I got an e-mail From:[EMAIL PROTECTED] And it did not get recognized by the whitelist file. Now I am going to remove the [EMAIL PROTECTED] One but my question is why did the second more general one trigger? Is there perhaps some login in the WHITELIST file processing that stops looking at the file after the first one that sort of matches? Thanx Goran Jovanovic The LAN Shoppe --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. |--| |If you are not the intended addressee indicated in this message (or | |responsible for delivery of the message to such person), you may not copy | |or deliver this message to anyone. In such case, you should destroy this | |message and kindly notify the sender by reply email. Please advise | |immediately if you or your employer do not consent to internet email for | |messages of this kind.| |--| --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] ProcessCounter location
On 12 Apr 2005 at 17:00, Ralph Krausse wrote: Hi Ralph > It is in > > C:\Program Files\Computerized Horizons\Declude Why? The 'wizard' on a manual install does this? Also on my system it ended up on D:\Program Files\Computerized Horizons\Declude -Nick --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Something new with v 2.0.6
Fred, It looks like two full sets of Declude's XINHEADER's, and something caused a double line break in it. I am also having a problem understanding the path that this E-mail took, and maybe that will give you some clues. There is something forwarding the message and that might partially explain why it has two sets of headers, but the double line break shouldn't appear there. Maybe you could explain the path that this took: 64.124.116.10 (IMail) -> SMTP32-FWD (Probably also IMail) -> 64.124.116.40 (SMSSMTP, Symantec???) -> 64.124.116.30 (IMail again). I am going to guess that it is possible that Declude is getting confused based on the body being in a format similar to a header where there is a word followed by a colon, and in the process, it might be inserting the headers in the wrong location when it is adding them the second time. Total guess there of course. I suspect that the path is causing some form of double-processing, possibly the Symantec SMSSMTP piece, and that if you could resolve that, the problem might go away. Also note that the headers show a 30 second difference between the headers, so it's going somewhere. So to summarize, it looks like it's being double-processed due to some mechanism involving SMSSMTP, and Declude is maybe parsing the message incorrectly for where to insert the second set of headers, and if you could get it to only process it once (remove forwarding/looping possible issue), the symptom might go away. If so, Declude might also want to look at the parsing code for where to insert the headers and account for the condition in future releases as I'm sure that isn't intentional. Matt Frederick Samarelli wrote: See attached config. The problem only started after the update from 2.0.5 to 2.0.6 - Original Message - From: Darin Cox To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 10:39 AM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 I think we're going to have to see the Global.CFG to figure out if there's a misconfiguration. I certainly looks like your entire XINHEADER config is duplicated. Darin. - Original Message - From: Frederick Samarelli To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 10:34 AM Subject: [Declude.JunkMail] Something new with v 2.0.6 HEADER Received: from dns2.tcbinc.net [64.124.116.30] by bks.tcbinc.com (SMTPD32-8.15) id A5E13540470; Wed, 13 Apr 2005 03:10:25 -0400 Received: from mail.tcbinc.net ([64.124.116.40]) by dns2.tcbinc.net (SMSSMTP 4.1.0.19) with SMTP id M2005041303105928414 for <[EMAIL PROTECTED]>; Wed, 13 Apr 2005 03:10:59 -0400 Received: from SMTP32-FWD by mail.tcbinc.net (SMTP32) id AC601002507EA4CF6; Wed, 13 Apr 2005 03:10:59 -0400 Received: from ADS [64.124.116.10] by mail.tcbinc.net (SMTPD32-8.15) id A6012507EA; Wed, 13 Apr 2005 03:10:57 -0400 SUBJECT: Virus Found Message-Id: <[EMAIL PROTECTED]> X-RBL-Warning: SNIFFERZERO: Message failed SNIFFERZERO: 0. X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command. X-RBL-Warning: SPFPASS: SPF returned PASS for this E-mail. X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [8c20]. X-RBL-Warning: WEIGHT10: Total weight between 10 and 14. X-Declude-Sender: [EMAIL PROTECTED] [64.124.116.10] X-Declude-Spoolname: DC601002507EA4CF6.SMD X-RBL-Warning: SNIFFERZERO: Message failed SNIFFERZERO: 0. X-RBL-Warning: SPFPASS: SPF returned PASS for this E-mail. X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [8c20]. X-RBL-Warning: HELOBOGUS: Domain ADS has no MX or A records [0301]. X-Declude-Sender: [EMAIL PROTECTED] [64.124.116.10] X-Declude-Spoolname: DC5E1035404704CAF.SMD X-Note: Total spam weight of this E-mail is 3. X-RBL-Warning: Total weight: 3 X-Note: This E-mail was scanned & filtered by TCB [2.0.6] for SPAM & virus. X-Spam-Tests-Failed: SNIFFERZERO, SPFPASS, BADHEADERS, HELOBOGUS X-Spam-Tests-Failed Weight: SNIFFERZERO [0], SPFPASS [0], BADHEADERS [2], HELOBOGUS [1] X-Spam-Time:03:10:29 X-Weight: 3 X-Mailfrom: fred.tcbinc.net X-Note: Sent from: [EMAIL PROTECTED] X-Note: Sent from Reverse DNS: ads.tcbinc.net ([64.124.116.10]) X-Hello: ADS X-Note: Recipient(s): [EMAIL PROTECTED] X-Country-Chain: UNITED STATES->destination From: [EMAIL PROTECTED] Date: Wed, 13 Apr 2005 03:10:29 -0400 X-RCPT-TO: <[EMAIL PROTECTED]> Status: U X-UIDL: 411698213 BODY: X-Spam-Tests-Failed Weight: SNIFFERZERO [0], CMDSPACE [8], SPFPASS [0], BADHEADERS [2], WEIGHT10 [10] X-Spam-Time:03:10:59 X-Note: Total spam weight of this E-mail is 10 X-Note: This E-mail was scanned & filtered by Declude [2.0.6] for SPAM & virus X-Spam-Tests-Failed: SNIFFERZERO, CMDSPACE, SPFPASS, BADHEADERS, WEIGHT10 X-Weight: 10 X-Mailfrom: fred.tcbinc.net X-Note: Sent from: [EMAIL PROTECTED] X-Note: Sent from Reverse DNS: ads.tcbinc.net ([64.124.
RE: [Declude.JunkMail] ProcessCounter location
The installer installs all the files to drive\ Files\Computerized Horizons\Declude and from there, custom DLL copy the files to other folder like your imail or smartermail folders. The manual install doesn't remove the files that the installer copied, something that needs to be changed. As for why ProcessCounter stays there, well applications that fall under Declude in general will be kept there, other files associated with Imail or Smartermail will go to their respective folders. Thanks Rallph -- -Original Message- -- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- -- [EMAIL PROTECTED] On Behalf Of Nick -- Sent: Wednesday, April 13, 2005 11:25 AM -- To: Declude.JunkMail@declude.com -- Subject: Re: [Declude.JunkMail] ProcessCounter location -- -- On 12 Apr 2005 at 17:00, Ralph Krausse wrote: -- -- Hi Ralph -- > It is in -- > -- > C:\Program Files\Computerized Horizons\Declude -- Why? -- -- The 'wizard' on a manual install does this? Also on my system it -- ended up on D:\Program Files\Computerized Horizons\Declude -- -- -Nick -- --- -- This E-mail came from the Declude.JunkMail mailing list. To -- unsubscribe, just send an E-mail to [EMAIL PROTECTED], and -- type "unsubscribe Declude.JunkMail". The archives can be found -- at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] ProcessCounter location
On 13 Apr 2005 at 12:13, Ralph Krausse wrote: Thank you Ralph! I just wanted to better understand the process -Nick > The installer installs all the files to drive\ Files\Computerized > Horizons\Declude and from there, custom DLL copy the files to other > folder like your imail or smartermail folders. The manual install > doesn't remove the files that the installer copied, something that > needs to be changed. As for why ProcessCounter stays there, well > applications that fall under Declude in general will be kept there, > other files associated with Imail or Smartermail will go to their > respective folders. > > > Thanks > Rallph > -- -Original Message- > -- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- > -- [EMAIL PROTECTED] On Behalf Of Nick -- Sent: Wednesday, April 13, > 2005 11:25 AM -- To: Declude.JunkMail@declude.com -- Subject: Re: > [Declude.JunkMail] ProcessCounter location -- -- On 12 Apr 2005 at > 17:00, Ralph Krausse wrote: -- -- Hi Ralph -- > It is in -- > -- > > C:\Program Files\Computerized Horizons\Declude -- Why? -- -- The > 'wizard' on a manual install does this? Also on my system it -- ended > up on D:\Program Files\Computerized Horizons\Declude -- -- -Nick -- > --- -- This E-mail came from the Declude.JunkMail mailing list. To -- > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and -- type > "unsubscribe Declude.JunkMail". The archives can be found -- at > http://www.mail-archive.com. > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. > --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Something new with v 2.0.6
This is not the case. I sent a test from my Yahoo account to my imail account. If I look at it in Imail it is ok. If I do the test again having a forward in on my imail account to an AOL account the header info get placed in the top of the BODY when I received it at my AOL account. See below from the TEXT of the BODY. X-Spam-Tests-Failed Weight: SNIFFERZERO [0]X-Spam-Time:12:53:55X-Note: Total spam weight of this E-mail is 0X-Note: This E-mail was scanned & filtered by Declude [2.0.6] for SPAM & virusX-Spam-Tests-Failed: SNIFFERZEROX-Weight: 0X-Mailfrom: samarelli.yahoo.comX-Note: Sent from: [EMAIL PROTECTED]X-Note: Sent from Reverse DNS: web51803.mail.yahoo.com ([206.190.38.234])X-Hello: web51803.mail.yahoo.comX-Note: Recipient(s): [EMAIL PROTECTED]X-Country-Chain: UNITED STATES->destinationX-AOL-IP: 64.124.116.40X-AOL-SCOLL-SCORE:0:0:0:X-AOL-SCOLL-URL_COUNT:0 - Original Message - From: Matt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 11:49 AM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 Fred,It looks like two full sets of Declude's XINHEADER's, and something caused a double line break in it. I am also having a problem understanding the path that this E-mail took, and maybe that will give you some clues. There is something forwarding the message and that might partially explain why it has two sets of headers, but the double line break shouldn't appear there.Maybe you could explain the path that this took: 64.124.116.10 (IMail) -> SMTP32-FWD (Probably also IMail) -> 64.124.116.40 (SMSSMTP, Symantec???) -> 64.124.116.30 (IMail again).I am going to guess that it is possible that Declude is getting confused based on the body being in a format similar to a header where there is a word followed by a colon, and in the process, it might be inserting the headers in the wrong location when it is adding them the second time. Total guess there of course. I suspect that the path is causing some form of double-processing, possibly the Symantec SMSSMTP piece, and that if you could resolve that, the problem might go away. Also note that the headers show a 30 second difference between the headers, so it's going somewhere.So to summarize, it looks like it's being double-processed due to some mechanism involving SMSSMTP, and Declude is maybe parsing the message incorrectly for where to insert the second set of headers, and if you could get it to only process it once (remove forwarding/looping possible issue), the symptom might go away. If so, Declude might also want to look at the parsing code for where to insert the headers and account for the condition in future releases as I'm sure that isn't intentional.MattFrederick Samarelli wrote: See attached config. The problem only started after the update from 2.0.5 to 2.0.6 - Original Message - From: Darin Cox To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 10:39 AM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 I think we're going to have to see the Global.CFG to figure out if there's a misconfiguration. I certainly looks like your entire XINHEADER config is duplicated. Darin. - Original Message - From: Frederick Samarelli To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 10:34 AM Subject: [Declude.JunkMail] Something new with v 2.0.6 HEADER Received: from dns2.tcbinc.net [64.124.116.30] by bks.tcbinc.com (SMTPD32-8.15) id A5E13540470; Wed, 13 Apr 2005 03:10:25 -0400Received: from mail.tcbinc.net ([64.124.116.40]) by dns2.tcbinc.net (SMSSMTP 4.1.0.19) with SMTP id M2005041303105928414 for <[EMAIL PROTECTED]>; Wed, 13 Apr 2005 03:10:59 -0400Received: from SMTP32-FWD by mail.tcbinc.net (SMTP32) id AC601002507EA4CF6; Wed, 13 Apr 2005 03:10:59 -0400Received: from ADS [64.124.116.10] by mail.tcbinc.net (SMTPD32-8.15) id A6012507EA; Wed, 13 Apr 2005 03:10:57 -0400SUBJECT: Virus FoundMessage-Id: <[EMAIL PROTECTED]>X-RBL-Warning: SNIFFERZERO: Message failed SNIFFERZERO: 0.X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command.X-RBL-Warning: SPFPASS: SPF returned PASS for this E-mail.X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [8c20].X-RBL-Warning: WEIGHT10: Total weight between 10 and 14.X-Declude-Sender: [EMAIL PROTECTED] [64.124.116.10]X-Declude-Spoolname: DC601002507EA4CF6.SMDX-RBL-Warning: SNIFFERZERO: Message failed SNIFFERZERO: 0.X-RBL-Warning: SPFPASS: SPF returned PASS for this E-mail.X-RBL-Warning: BADHEADERS: This E-mail was se
Re: [Declude.JunkMail] Something new with v 2.0.6
Found the problem. It was this line. #XINHEADER X-Spam-Tests-Failed Weight: %TESTSFAILEDWITHWEIGHTS% I removed it and problem went away. Any thoughts.
Re: [Declude.JunkMail] Something new with v 2.0.6
Fred, The example that you sent earlier was being processed twice and it was passing through IMail to Symantec and back to IMail with some other forwarding mechanism as well, and the headers were written 30 seconds apart. I think that understanding what is happening there might be beneficial to uncovering the issue at hand, and maybe there are steps in that chain that are unnecessary or out of place. I don't doubt that 2.0.6 might have introduced a bug that is reacting to this condition, but the path the E-mail is taking doesn't seem normal and that could be affecting it, and probably is why others aren't reporting this. Knowing what is going on within your system might also help Declude diagnose the issue better also. Your config looks just fine, but the path the E-mail is taking looks abnormal to me. Matt Frederick Samarelli wrote: This is not the case. I sent a test from my Yahoo account to my imail account. If I look at it in Imail it is ok. If I do the test again having a forward in on my imail account to an AOL account the header info get placed in the top of the BODY when I received it at my AOL account. See below from the TEXT of the BODY. X-Spam-Tests-Failed Weight: SNIFFERZERO [0] X-Spam-Time:12:53:55 X-Note: Total spam weight of this E-mail is 0 X-Note: This E-mail was scanned & filtered by Declude [2.0.6] for SPAM & virus X-Spam-Tests-Failed: SNIFFERZERO X-Weight: 0 X-Mailfrom: samarelli.yahoo.com X-Note: Sent from: [EMAIL PROTECTED] X-Note: Sent from Reverse DNS: web51803.mail.yahoo.com ([206.190.38.234]) X-Hello: web51803.mail.yahoo.com X-Note: Recipient(s): [EMAIL PROTECTED] X-Country-Chain: UNITED STATES->destination X-AOL-IP: 64.124.116.40 X-AOL-SCOLL-SCORE:0:0:0: X-AOL-SCOLL-URL_COUNT:0 - Original Message - From: Matt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 11:49 AM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 Fred, It looks like two full sets of Declude's XINHEADER's, and something caused a double line break in it. I am also having a problem understanding the path that this E-mail took, and maybe that will give you some clues. There is something forwarding the message and that might partially explain why it has two sets of headers, but the double line break shouldn't appear there. Maybe you could explain the path that this took: 64.124.116.10 (IMail) -> SMTP32-FWD (Probably also IMail) -> 64.124.116.40 (SMSSMTP, Symantec???) -> 64.124.116.30 (IMail again). I am going to guess that it is possible that Declude is getting confused based on the body being in a format similar to a header where there is a word followed by a colon, and in the process, it might be inserting the headers in the wrong location when it is adding them the second time. Total guess there of course. I suspect that the path is causing some form of double-processing, possibly the Symantec SMSSMTP piece, and that if you could resolve that, the problem might go away. Also note that the headers show a 30 second difference between the headers, so it's going somewhere. So to summarize, it looks like it's being double-processed due to some mechanism involving SMSSMTP, and Declude is maybe parsing the message incorrectly for where to insert the second set of headers, and if you could get it to only process it once (remove forwarding/looping possible issue), the symptom might go away. If so, Declude might also want to look at the parsing code for where to insert the headers and account for the condition in future releases as I'm sure that isn't intentional. Matt Frederick Samarelli wrote: See attached config. The problem only started after the update from 2.0.5 to 2.0.6 - Original Message - From: Darin Cox To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 10:39 AM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 I think we're going to have to see the Global.CFG to figure out if there's a misconfiguration. I certainly looks like your entire XINHEADER config is duplicated. Darin. - Original Message - From: Frederick Samarelli To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 10:34 AM Subject: [Declude.JunkMail] Something new with v 2.0.6 HEADER Received: from dns2.tcbinc.net [64.124.116.30] by bks.tcbinc.com (SMTPD32-8.15) id A5E13540470; Wed, 13 Apr 2005 03:10:25 -0400 Received: from mail.tcbinc.net ([64.124.116.40]) by dns2.tcbinc.net (SMSSMTP 4.1.0.19) with SMTP id M2005041303105928414 for <[EMAIL PROTECTED]>; Wed, 13 Apr 2005 03:10:59 -0400 Received: from SMTP32-FWD by mail.tcbinc.net (S
Re: [Declude.JunkMail] Something new with v 2.0.6
We have incoming email scanned by Symantec Gateway Antivirus then have to sent to the imail server. For some of my tests I bypassed the Symantec server and the problem remained. Only removing the line listed fixed the problem. - Original Message - From: Matt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 1:43 PM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 Fred,The example that you sent earlier was being processed twice and it was passing through IMail to Symantec and back to IMail with some other forwarding mechanism as well, and the headers were written 30 seconds apart. I think that understanding what is happening there might be beneficial to uncovering the issue at hand, and maybe there are steps in that chain that are unnecessary or out of place.I don't doubt that 2.0.6 might have introduced a bug that is reacting to this condition, but the path the E-mail is taking doesn't seem normal and that could be affecting it, and probably is why others aren't reporting this. Knowing what is going on within your system might also help Declude diagnose the issue better also.Your config looks just fine, but the path the E-mail is taking looks abnormal to me.MattFrederick Samarelli wrote: This is not the case. I sent a test from my Yahoo account to my imail account. If I look at it in Imail it is ok. If I do the test again having a forward in on my imail account to an AOL account the header info get placed in the top of the BODY when I received it at my AOL account. See below from the TEXT of the BODY. X-Spam-Tests-Failed Weight: SNIFFERZERO [0]X-Spam-Time:12:53:55X-Note: Total spam weight of this E-mail is 0X-Note: This E-mail was scanned & filtered by Declude [2.0.6] for SPAM & virusX-Spam-Tests-Failed: SNIFFERZEROX-Weight: 0X-Mailfrom: samarelli.yahoo.comX-Note: Sent from: [EMAIL PROTECTED]X-Note: Sent from Reverse DNS: web51803.mail.yahoo.com ([206.190.38.234])X-Hello: web51803.mail.yahoo.comX-Note: Recipient(s): [EMAIL PROTECTED]X-Country-Chain: UNITED STATES->destinationX-AOL-IP: 64.124.116.40X-AOL-SCOLL-SCORE:0:0:0:X-AOL-SCOLL-URL_COUNT:0 - Original Message - From: Matt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 11:49 AM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 Fred,It looks like two full sets of Declude's XINHEADER's, and something caused a double line break in it. I am also having a problem understanding the path that this E-mail took, and maybe that will give you some clues. There is something forwarding the message and that might partially explain why it has two sets of headers, but the double line break shouldn't appear there.Maybe you could explain the path that this took: 64.124.116.10 (IMail) -> SMTP32-FWD (Probably also IMail) -> 64.124.116.40 (SMSSMTP, Symantec???) -> 64.124.116.30 (IMail again).I am going to guess that it is possible that Declude is getting confused based on the body being in a format similar to a header where there is a word followed by a colon, and in the process, it might be inserting the headers in the wrong location when it is adding them the second time. Total guess there of course. I suspect that the path is causing some form of double-processing, possibly the Symantec SMSSMTP piece, and that if you could resolve that, the problem might go away. Also note that the headers show a 30 second difference between the headers, so it's going somewhere.So to summarize, it looks like it's being double-processed due to some mechanism involving SMSSMTP, and Declude is maybe parsing the message incorrectly for where to insert the second set of headers, and if you could get it to only process it once (remove forwarding/looping possible issue), the symptom might go away. If so, Declude might also want to look at the parsing code for where to insert the headers and account for the condition in future releases as I'm sure that isn't intentional.MattFrederick Samarelli wrote: See attached config. The problem only started after the update from 2.0.5 to 2.0.6 - Original Message - From: Darin Cox To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 10:39 AM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 I think we're going to have to see the Global.CFG to figure out if there's a mi
Re: [Declude.JunkMail] Something new with v 2.0.6
Which line? Darin. - Original Message - From: Frederick Samarelli To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 1:58 PM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 We have incoming email scanned by Symantec Gateway Antivirus then have to sent to the imail server. For some of my tests I bypassed the Symantec server and the problem remained. Only removing the line listed fixed the problem. - Original Message - From: Matt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 1:43 PM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 Fred,The example that you sent earlier was being processed twice and it was passing through IMail to Symantec and back to IMail with some other forwarding mechanism as well, and the headers were written 30 seconds apart. I think that understanding what is happening there might be beneficial to uncovering the issue at hand, and maybe there are steps in that chain that are unnecessary or out of place.I don't doubt that 2.0.6 might have introduced a bug that is reacting to this condition, but the path the E-mail is taking doesn't seem normal and that could be affecting it, and probably is why others aren't reporting this. Knowing what is going on within your system might also help Declude diagnose the issue better also.Your config looks just fine, but the path the E-mail is taking looks abnormal to me.MattFrederick Samarelli wrote: This is not the case. I sent a test from my Yahoo account to my imail account. If I look at it in Imail it is ok. If I do the test again having a forward in on my imail account to an AOL account the header info get placed in the top of the BODY when I received it at my AOL account. See below from the TEXT of the BODY. X-Spam-Tests-Failed Weight: SNIFFERZERO [0]X-Spam-Time:12:53:55X-Note: Total spam weight of this E-mail is 0X-Note: This E-mail was scanned & filtered by Declude [2.0.6] for SPAM & virusX-Spam-Tests-Failed: SNIFFERZEROX-Weight: 0X-Mailfrom: samarelli.yahoo.comX-Note: Sent from: [EMAIL PROTECTED]X-Note: Sent from Reverse DNS: web51803.mail.yahoo.com ([206.190.38.234])X-Hello: web51803.mail.yahoo.comX-Note: Recipient(s): [EMAIL PROTECTED]X-Country-Chain: UNITED STATES->destinationX-AOL-IP: 64.124.116.40X-AOL-SCOLL-SCORE:0:0:0:X-AOL-SCOLL-URL_COUNT:0 - Original Message - From: Matt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 11:49 AM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 Fred,It looks like two full sets of Declude's XINHEADER's, and something caused a double line break in it. I am also having a problem understanding the path that this E-mail took, and maybe that will give you some clues. There is something forwarding the message and that might partially explain why it has two sets of headers, but the double line break shouldn't appear there.Maybe you could explain the path that this took: 64.124.116.10 (IMail) -> SMTP32-FWD (Probably also IMail) -> 64.124.116.40 (SMSSMTP, Symantec???) -> 64.124.116.30 (IMail again).I am going to guess that it is possible that Declude is getting confused based on the body being in a format similar to a header where there is a word followed by a colon, and in the process, it might be inserting the headers in the wrong location when it is adding them the second time. Total guess there of course. I suspect that the path is causing some form of double-processing, possibly the Symantec SMSSMTP piece, and that if you could resolve that, the problem might go away. Also note that the headers show a 30 second difference between the headers, so it's going somewhere.So to summarize, it looks like it's being double-processed due to some mechanism involving SMSSMTP, and Declude is maybe parsing the message incorrectly for where to insert the second set of headers, and if you could get it to only process it once (remove forwarding/looping possible issue), the symptom might go away. If so, Declude might also want to look at the parsing code for where to insert the headers and account for the condition in future releases as I'm sure that isn't intentional.MattFrederick Samarelli wrote: See attached config. The problem only started after the update from 2.0.5 to 2.0.6 - Original Message - From: Darin Cox To: Declude.JunkMail@declude.com Sent: Wednesday
RE: [Declude.JunkMail] ProcessCounter location
Help me out here. When I extracted the files by manual process, I was given the option to specify the directory (which I did - d:\Declude 2.0.6\) Why did anything end up in C:\program files\declude\? John -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ralph Krausse Sent: Wednesday, April 13, 2005 11:13 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] ProcessCounter location The installer installs all the files to drive\ Files\Computerized Horizons\Declude and from there, custom DLL copy the files to other folder like your imail or smartermail folders. The manual install doesn't remove the files that the installer copied, something that needs to be changed. As for why ProcessCounter stays there, well applications that fall under Declude in general will be kept there, other files associated with Imail or Smartermail will go to their respective folders. Thanks Rallph -- -Original Message- -- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- -- [EMAIL PROTECTED] On Behalf Of Nick -- Sent: Wednesday, April 13, 2005 11:25 AM -- To: Declude.JunkMail@declude.com -- Subject: Re: [Declude.JunkMail] ProcessCounter location -- -- On 12 Apr 2005 at 17:00, Ralph Krausse wrote: -- -- Hi Ralph -- > It is in -- > -- > C:\Program Files\Computerized Horizons\Declude -- Why? -- -- The 'wizard' on a manual install does this? Also on my system it -- ended up on D:\Program Files\Computerized Horizons\Declude -- -- -Nick -- --- -- This E-mail came from the Declude.JunkMail mailing list. To -- unsubscribe, just send an E-mail to [EMAIL PROTECTED], and -- type "unsubscribe Declude.JunkMail". The archives can be found -- at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Something new with v 2.0.6
Fred, The line that you commented out looked fine to me, so that is strange. What concerns me is that the message is being processed twice by Declude. I would hate to see this happen with other things as that is a waste of resources. As long as we're still guessing and thinking out loud, maybe 2.0.5 wasn't double-processing the E-mail and now 2.0.6 is, and that might have uncovered a bug with the XINHEADER insertion that may have existed before...or maybe a new %TESTSFAILEDWITHWEIGHTS% bug. I recall in a more recent version of IMail that the behavior in IMail had changed and Scott had to code a fix into Declude so that it wouldn't double process forwarded messages. Maybe that code is broken or lost due to recent tweaking. I would imagine that over the years there were a lot of small things that Scott programmed into the product that resolved quirks with IMail but could be overlooked or lost in recoding for new features and fixes. Another very strange thing is that the following headers I don't believe get added to an E-mail until it lands in an account, but they appeared before the second set of Declude headers in the message: X-RCPT-TO: <[EMAIL PROTECTED]> Status: U X-UIDL: 411698213 I can't tell however if IMail inserted them after the first time through or after the second time through. If they were added the first time through that might be odd behavior that Declude wasn't expecting to see...but then again it may be equally plausible that space aliens have hijacked your server and are just having their laughs :) I guess that's it for my speculation. Matt Frederick Samarelli wrote: We have incoming email scanned by Symantec Gateway Antivirus then have to sent to the imail server. For some of my tests I bypassed the Symantec server and the problem remained. Only removing the line listed fixed the problem. - Original Message - From: Matt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 1:43 PM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 Fred, The example that you sent earlier was being processed twice and it was passing through IMail to Symantec and back to IMail with some other forwarding mechanism as well, and the headers were written 30 seconds apart. I think that understanding what is happening there might be beneficial to uncovering the issue at hand, and maybe there are steps in that chain that are unnecessary or out of place. I don't doubt that 2.0.6 might have introduced a bug that is reacting to this condition, but the path the E-mail is taking doesn't seem normal and that could be affecting it, and probably is why others aren't reporting this. Knowing what is going on within your system might also help Declude diagnose the issue better also. Your config looks just fine, but the path the E-mail is taking looks abnormal to me. Matt Frederick Samarelli wrote: This is not the case. I sent a test from my Yahoo account to my imail account. If I look at it in Imail it is ok. If I do the test again having a forward in on my imail account to an AOL account the header info get placed in the top of the BODY when I received it at my AOL account. See below from the TEXT of the BODY. X-Spam-Tests-Failed Weight: SNIFFERZERO [0] X-Spam-Time:12:53:55 X-Note: Total spam weight of this E-mail is 0 X-Note: This E-mail was scanned & filtered by Declude [2.0.6] for SPAM & virus X-Spam-Tests-Failed: SNIFFERZERO X-Weight: 0 X-Mailfrom: samarelli.yahoo.com X-Note: Sent from: [EMAIL PROTECTED] X-Note: Sent from Reverse DNS: web51803.mail.yahoo.com ([206.190.38.234]) X-Hello: web51803.mail.yahoo.com X-Note: Recipient(s): [EMAIL PROTECTED] X-Country-Chain: UNITED STATES->destination X-AOL-IP: 64.124.116.40 X-AOL-SCOLL-SCORE:0:0:0: X-AOL-SCOLL-URL_COUNT:0 - Original Message - From: Matt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 11:49 AM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 Fred, It looks like two full sets of Declude's XINHEADER's, and something caused a double line break in it. I am also having a problem understanding the path that this E-mail took, and maybe that will give you some clues. There is something forwarding the message and that might partially explain why it has two sets of headers, but the double line break shouldn't appear there. Maybe you could explain the path that this took: 64.124.116.10 (IMail) -> SMTP32-FWD (Probably also IMail) -> 64.124.116.40 (SMSSMTP, Symantec???) -> 64.124.116.30 (IMail again). I am going to guess that it is possible that Declude is getting confused based on the body being in a format similar to a header where ther
RE: [Declude.JunkMail] Something new with v 2.0.6
Hi Fred and Matt, The received headers showed that the mail went through the following hosts: ads.tcbinc.net mail.tcbinc.net dns2.tcbinc.net bks.tcbinc.com It seems like two of those hosts were running Imail/declude (or one was a multi-homed machine running Imail/declude that was given the email twice). Fred probably isn't explaining his setup because it works well in all other cases and he doesn't think the configuration is relevant to this problem - but it is confusing for the outsider who is analyzing the problem. It also looks to me like the email routing may be relevant to the problem. If the problem is reproducible in an environment without the extra routing, then it should be investigated and fixed. I'm not able to test this at the moment however. Even if it occurs only in a set up with the extra routing it should still be investigated to determine if it is a bug in declude or in something else - but only those with multiple decludes would be able to test that. Sorry I can't help more. Best Regards Mike Higgins H&M Systems Software, Inc. 600 East Crescent Avenue, Suite 203 Upper Saddle River, NJ 07458-1846 Phone: +1 201 934-3414 x14 (Business) Fax: +1 201 934-9206 http://www.HM-Software.com/ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Wednesday, April 13, 2005 2:32 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 Fred, The line that you commented out looked fine to me, so that is strange. What concerns me is that the message is being processed twice by Declude. I would hate to see this happen with other things as that is a waste of resources. As long as we're still guessing and thinking out loud, maybe 2.0.5 wasn't double-processing the E-mail and now 2.0.6 is, and that might have uncovered a bug with the XINHEADER insertion that may have existed before...or maybe a new %TESTSFAILEDWITHWEIGHTS% bug. I recall in a more recent version of IMail that the behavior in IMail had changed and Scott had to code a fix into Declude so that it wouldn't double process forwarded messages. Maybe that code is broken or lost due to recent tweaking. I would imagine that over the years there were a lot of small things that Scott programmed into the product that resolved quirks with IMail but could be overlooked or lost in recoding for new features and fixes. Another very strange thing is that the following headers I don't believe get added to an E-mail until it lands in an account, but they appeared before the second set of Declude headers in the message: X-RCPT-TO: <[EMAIL PROTECTED]> Status: U X-UIDL: 411698213 I can't tell however if IMail inserted them after the first time through or after the second time through. If they were added the first time through that might be odd behavior that Declude wasn't expecting to see...but then again it may be equally plausible that space aliens have hijacked your server and are just having their laughs :) I guess that's it for my speculation. Matt Frederick Samarelli wrote: We have incoming email scanned by Symantec Gateway Antivirus then have to sent to the imail server. For some of my tests I bypassed the Symantec server and the problem remained. Only removing the line listed fixed the problem. - Original Message - From: Matt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 1:43 PM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 Fred, The example that you sent earlier was being processed twice and it was passing through IMail to Symantec and back to IMail with some other forwarding mechanism as well, and the headers were written 30 seconds apart. I think that understanding what is happening there might be beneficial to uncovering the issue at hand, and maybe there are steps in that chain that are unnecessary or out of place. I don't doubt that 2.0.6 might have introduced a bug that is reacting to this condition, but the path the E-mail is taking doesn't seem normal and that could be affecting it, and probably is why others aren't reporting this. Knowing what is going on within your system might also help Declude diagnose the issue better also. Your config looks just fine, but the path the E-mail is taking looks abnormal to me. Matt Frederick Samarelli wrote: This is not the case. I sent a test from my Yahoo account to my imail account. If I look at it in Imail it is ok. If I do the test again having a forward in on my imail account to an AOL account the header info get placed in the top of the BODY when I received it at my AOL account. See below from the TEXT of the BODY. X-Spam-Tests-Failed Weight: SNIFFERZERO [0] X-Spam-Time:12:53:55 X-Note: Total spam weight of this E-mail is 0 X-Note: This E-mail was scanned & filtered by Declude [2.0.6] for SPAM & virus X-Spam-Tests-Failed: SNIFFERZERO X-Weight: 0 X-Mailfrom: samarelli.yahoo.com X-Note: Sent from: [EMAIL
Re: [Declude.JunkMail] Something new with v 2.0.6
Mike/Matt (thanks for your help) You should be able to duplicated by just forwarding an email to an outside account using the problem line at the bottom. As not to confuse things I simplified the process. Send an email from [EMAIL PROTECTED] =>>> [EMAIL PROTECTED] (forwarded to) =>>> [EMAIL PROTECTED] This run through only one server on my network. Header from My AOL account. Return-Path: <[EMAIL PROTECTED]>Received: from rly-xm04.mx.aol.com (rly-xm04.mail.aol.com [172.20.83.105]) by air-xm03.mail.aol.com (v105.26) with ESMTP id MAILINXM31-606425d743d132; Wed, 13 Apr 2005 15:34:25 -0400Received: from bks.tcbinc.com (bks.tcbinc.com [64.124.117.196]) by rly-xm04.mx.aol.com (v105.26) with ESMTP id MAILRELAYINXM42-606425d743d132; Wed, 13 Apr 2005 15:34:21 -0400Received: from SMTP32-FWD by bks.tcbinc.com (SMTP32) id A741100040470EC67; Wed, 13 Apr 2005 15:33:42 Received: from web51806.mail.yahoo.com [206.190.38.237] by bks.tcbinc.com (SMTPD32-8.15) id A41140470; Wed, 13 Apr 2005 15:33:37 -0400Received: (qmail 50369 invoked by uid 60001); 13 Apr 2005 19:34:12 -Comment: DomainKeys? See http://antispam.yahoo.com/domainkeysDomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; b=M12dWrk8x99pS4FhLTVJbfbgIc60YrjkjS/Vi2yiCoare5X2fk5F+zDzAA2XuOKAyAuKoj3EEGBHc6gPlwybZ/TMSShXoJtIypUpKUZZrm7SoU0rx30hedmPe9IecDArBynamRJFf8HjmCsGFKGIwJhKUjwV4wNnw1wLdarF7SE= ;Message-ID: <[EMAIL PROTECTED]>Received: from [64.124.117.139] by web51806.mail.yahoo.com via HTTP; Wed, 13 Apr 2005 12:34:12 PDTDate: Wed, 13 Apr 2005 12:34:12 -0700 (PDT)From: Frederick Samarelli <[EMAIL PROTECTED]>Subject: test10To: [EMAIL PROTECTED]MIME-Version: 1.0Content-Type: text/plain; charset=us-asciiX-RBL-Warning: SNIFFERZERO: Message failed SNIFFERZERO: 0.X-Declude-Sender: [EMAIL PROTECTED] [206.190.38.237]X-Declude-Spoolname: D741100040470EC67.SMDX-Note: Total spam weight of this E-mail is 0.X-RBL-Warning: Total weight: 0X-Note: This E-mail was scanned & filtered by TCB [2.0.6] for SPAM & virus.X-Spam-Tests-Failed: SNIFFERZERO Message Body (should only be the word test10) X-Spam-Tests-Failed Weight: SNIFFERZERO [0]X-Spam-Time:15:33:42X-Weight: 0X-Mailfrom: samarelli.yahoo.comX-Note: Sent from: [EMAIL PROTECTED]X-Note: Sent from Reverse DNS: web51806.mail.yahoo.com ([206.190.38.237])X-Hello: web51806.mail.yahoo.comX-Note: Recipient(s): [EMAIL PROTECTED]X-Country-Chain: UNITED STATES->destinationX-AOL-IP: 64.124.117.196X-AOL-SCOLL-SCORE:0:0:0:X-AOL-SCOLL-URL_COUNT:0test10 Culprit: XINHEADER X-Spam-Tests-Failed Weight: %TESTSFAILEDWITHWEIGHTS%
Re: [Declude.JunkMail] Something new with v 2.0.6
Based on this I would agree then that the %TESTSFAILEDWITHWEIGHTS% variable is inserting a double CRLF instead of a single one, and this would seem to explain everything else that I was commenting on as it would seem to follow that the other things were merely effects of this, and complicated/obfuscated by the double-processing that isn't present in this example. Maybe you could try one thing; retype that line from scratch after deleting it just to make sure there are not garbage non-printing characters showing up at the end of the line. Beyond that, I would imagine that someone at Declude has been listening and will shortly confirm the issue, or maybe someone else that has already installed 2.0.6 could set up an account to forward using this header variable in their config and check to see if the same behavior repeats itself on other systems. Matt Frederick Samarelli wrote: Mike/Matt (thanks for your help) You should be able to duplicated by just forwarding an email to an outside account using the problem line at the bottom. As not to confuse things I simplified the process. Send an email from [EMAIL PROTECTED] =>>> [EMAIL PROTECTED] (forwarded to) =>>> [EMAIL PROTECTED] This run through only one server on my network. Header from My AOL account. Return-Path: <[EMAIL PROTECTED]> Received: from rly-xm04.mx.aol.com (rly-xm04.mail.aol.com [172.20.83.105]) by air-xm03.mail.aol.com (v105.26) with ESMTP id MAILINXM31-606425d743d132; Wed, 13 Apr 2005 15:34:25 -0400 Received: from bks.tcbinc.com (bks.tcbinc.com [64.124.117.196]) by rly-xm04.mx.aol.com (v105.26) with ESMTP id MAILRELAYINXM42-606425d743d132; Wed, 13 Apr 2005 15:34:21 -0400 Received: from SMTP32-FWD by bks.tcbinc.com (SMTP32) id A741100040470EC67; Wed, 13 Apr 2005 15:33:42 Received: from web51806.mail.yahoo.com [206.190.38.237] by bks.tcbinc.com (SMTPD32-8.15) id A41140470; Wed, 13 Apr 2005 15:33:37 -0400 Received: (qmail 50369 invoked by uid 60001); 13 Apr 2005 19:34:12 - Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; b=M12dWrk8x99pS4FhLTVJbfbgIc60YrjkjS/Vi2yiCoare5X2fk5F+zDzAA2XuOKAyAuKoj3EEGBHc6gPlwybZ/TMSShXoJtIypUpKUZZrm7SoU0rx30hedmPe9IecDArBynamRJFf8HjmCsGFKGIwJhKUjwV4wNnw1wLdarF7SE= ; Message-ID: <[EMAIL PROTECTED]> Received: from [64.124.117.139] by web51806.mail.yahoo.com via HTTP; Wed, 13 Apr 2005 12:34:12 PDT Date: Wed, 13 Apr 2005 12:34:12 -0700 (PDT) From: Frederick Samarelli <[EMAIL PROTECTED]> Subject: test10 To: [EMAIL PROTECTED] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-RBL-Warning: SNIFFERZERO: Message failed SNIFFERZERO: 0. X-Declude-Sender: [EMAIL PROTECTED] [206.190.38.237] X-Declude-Spoolname: D741100040470EC67.SMD X-Note: Total spam weight of this E-mail is 0. X-RBL-Warning: Total weight: 0 X-Note: This E-mail was scanned & filtered by TCB [2.0.6] for SPAM & virus. X-Spam-Tests-Failed: SNIFFERZERO Message Body (should only be the word test10) X-Spam-Tests-Failed Weight: SNIFFERZERO [0] X-Spam-Time:15:33:42 X-Weight: 0 X-Mailfrom: samarelli.yahoo.com X-Note: Sent from: [EMAIL PROTECTED] X-Note: Sent from Reverse DNS: web51806.mail.yahoo.com ([206.190.38.237]) X-Hello: web51806.mail.yahoo.com X-Note: Recipient(s): [EMAIL PROTECTED] X-Country-Chain: UNITED STATES->destination X-AOL-IP: 64.124.117.196 X-AOL-SCOLL-SCORE:0:0:0: X-AOL-SCOLL-URL_COUNT:0 test10 Culprit: XINHEADER X-Spam-Tests-Failed Weight: %TESTSFAILEDWITHWEIGHTS% -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =
RE: [Declude.JunkMail] Something new with v 2.0.6
Title: Message Hi Frederick: I don't know if this has been asked/suggested already and I don't have time to go back to the RFCs to see if embedded spaces are permitted in the header name. But have you ever tried eliminating that space: XINHEADER X-Spam-Tests-Failed Weight: %TESTSFAILEDWITHWEIGHTS% replace with: XINHEADER X-Spam-Tests-Failed-Weight: %TESTSFAILEDWITHWEIGHTS% May be the problem is that there is a CR/LF followed by a line that contains no header name (due to the embedded space) following by another CR/LF. May be those two CR/LF without valid header information inbetween are interpreted as "start of message body" by some entities? Best RegardsAndy SchmidtPhone: +1 201 934-3414 x20 (Business)Fax: +1 201 934-9206 -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frederick SamarelliSent: Wednesday, April 13, 2005 03:42 PMTo: Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail] Something new with v 2.0.6 Mike/Matt (thanks for your help) You should be able to duplicated by just forwarding an email to an outside account using the problem line at the bottom. As not to confuse things I simplified the process. Send an email from [EMAIL PROTECTED] =>>> [EMAIL PROTECTED] (forwarded to) =>>> [EMAIL PROTECTED] This run through only one server on my network. Header from My AOL account. Return-Path: <[EMAIL PROTECTED]>Received: from rly-xm04.mx.aol.com (rly-xm04.mail.aol.com [172.20.83.105]) by air-xm03.mail.aol.com (v105.26) with ESMTP id MAILINXM31-606425d743d132; Wed, 13 Apr 2005 15:34:25 -0400Received: from bks.tcbinc.com (bks.tcbinc.com [64.124.117.196]) by rly-xm04.mx.aol.com (v105.26) with ESMTP id MAILRELAYINXM42-606425d743d132; Wed, 13 Apr 2005 15:34:21 -0400Received: from SMTP32-FWD by bks.tcbinc.com (SMTP32) id A741100040470EC67; Wed, 13 Apr 2005 15:33:42 Received: from web51806.mail.yahoo.com [206.190.38.237] by bks.tcbinc.com (SMTPD32-8.15) id A41140470; Wed, 13 Apr 2005 15:33:37 -0400Received: (qmail 50369 invoked by uid 60001); 13 Apr 2005 19:34:12 -Comment: DomainKeys? See http://antispam.yahoo.com/domainkeysDomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; b=M12dWrk8x99pS4FhLTVJbfbgIc60YrjkjS/Vi2yiCoare5X2fk5F+zDzAA2XuOKAyAuKoj3EEGBHc6gPlwybZ/TMSShXoJtIypUpKUZZrm7SoU0rx30hedmPe9IecDArBynamRJFf8HjmCsGFKGIwJhKUjwV4wNnw1wLdarF7SE= ;Message-ID: <[EMAIL PROTECTED]>Received: from [64.124.117.139] by web51806.mail.yahoo.com via HTTP; Wed, 13 Apr 2005 12:34:12 PDTDate: Wed, 13 Apr 2005 12:34:12 -0700 (PDT)From: Frederick Samarelli <[EMAIL PROTECTED]>Subject: test10To: [EMAIL PROTECTED]MIME-Version: 1.0Content-Type: text/plain; charset=us-asciiX-RBL-Warning: SNIFFERZERO: Message failed SNIFFERZERO: 0.X-Declude-Sender: [EMAIL PROTECTED] [206.190.38.237]X-Declude-Spoolname: D741100040470EC67.SMDX-Note: Total spam weight of this E-mail is 0.X-RBL-Warning: Total weight: 0X-Note: This E-mail was scanned & filtered by TCB [2.0.6] for SPAM & virus.X-Spam-Tests-Failed: SNIFFERZERO Message Body (should only be the word test10) X-Spam-Tests-Failed Weight: SNIFFERZERO [0]X-Spam-Time:15:33:42X-Weight: 0X-Mailfrom: samarelli.yahoo.comX-Note: Sent from: [EMAIL PROTECTED]X-Note: Sent from Reverse DNS: web51806.mail.yahoo.com ([206.190.38.237])X-Hello: web51806.mail.yahoo.comX-Note: Recipient(s): [EMAIL PROTECTED]X-Country-Chain: UNITED STATES->destinationX-AOL-IP: 64.124.117.196X-AOL-SCOLL-SCORE:0:0:0:X-AOL-SCOLL-URL_COUNT:0test10 Culprit: XINHEADER X-Spam-Tests-Failed Weight: %TESTSFAILEDWITHWEIGHTS%
Re: [Declude.JunkMail] Something new with v 2.0.6
Title: Message Good Thought but I have these others without problem. Thanks. XINHEADER X-Note: Total spam weight of this E-mail is %WEIGHT%.XINHEADER X-RBL-Warning: Total weight: %WEIGHT%XINHEADER X-Note: This E-mail was scanned & filtered by TCB [%VERSION%] for SPAM & virus.XINHEADER X-Note: Sent from: %MAILFROM%XINHEADER X-Note: Sent from Reverse DNS: %REVDNS% ([%REMOTEIP%])XINHEADER X-Note: Recipient(s): %REALRECIPS%- Original Message - From: Andy Schmidt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 4:02 PM Subject: RE: [Declude.JunkMail] Something new with v 2.0.6 Hi Frederick: I don't know if this has been asked/suggested already and I don't have time to go back to the RFCs to see if embedded spaces are permitted in the header name. But have you ever tried eliminating that space: XINHEADER X-Spam-Tests-Failed Weight: %TESTSFAILEDWITHWEIGHTS% replace with: XINHEADER X-Spam-Tests-Failed-Weight: %TESTSFAILEDWITHWEIGHTS% May be the problem is that there is a CR/LF followed by a line that contains no header name (due to the embedded space) following by another CR/LF. May be those two CR/LF without valid header information inbetween are interpreted as "start of message body" by some entities? Best RegardsAndy SchmidtPhone: +1 201 934-3414 x20 (Business)Fax: +1 201 934-9206 -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frederick SamarelliSent: Wednesday, April 13, 2005 03:42 PMTo: Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail] Something new with v 2.0.6 Mike/Matt (thanks for your help) You should be able to duplicated by just forwarding an email to an outside account using the problem line at the bottom. As not to confuse things I simplified the process. Send an email from [EMAIL PROTECTED] =>>> [EMAIL PROTECTED] (forwarded to) =>>> [EMAIL PROTECTED] This run through only one server on my network. Header from My AOL account. Return-Path: <[EMAIL PROTECTED]>Received: from rly-xm04.mx.aol.com (rly-xm04.mail.aol.com [172.20.83.105]) by air-xm03.mail.aol.com (v105.26) with ESMTP id MAILINXM31-606425d743d132; Wed, 13 Apr 2005 15:34:25 -0400Received: from bks.tcbinc.com (bks.tcbinc.com [64.124.117.196]) by rly-xm04.mx.aol.com (v105.26) with ESMTP id MAILRELAYINXM42-606425d743d132; Wed, 13 Apr 2005 15:34:21 -0400Received: from SMTP32-FWD by bks.tcbinc.com (SMTP32) id A741100040470EC67; Wed, 13 Apr 2005 15:33:42 Received: from web51806.mail.yahoo.com [206.190.38.237] by bks.tcbinc.com (SMTPD32-8.15) id A41140470; Wed, 13 Apr 2005 15:33:37 -0400Received: (qmail 50369 invoked by uid 60001); 13 Apr 2005 19:34:12 -Comment: DomainKeys? See http://antispam.yahoo.com/domainkeysDomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; b=M12dWrk8x99pS4FhLTVJbfbgIc60YrjkjS/Vi2yiCoare5X2fk5F+zDzAA2XuOKAyAuKoj3EEGBHc6gPlwybZ/TMSShXoJtIypUpKUZZrm7SoU0rx30hedmPe9IecDArBynamRJFf8HjmCsGFKGIwJhKUjwV4wNnw1wLdarF7SE= ;Message-ID: <[EMAIL PROTECTED]>Received: from [64.124.117.139] by web51806.mail.yahoo.com via HTTP; Wed, 13 Apr 2005 12:34:12 PDTDate: Wed, 13 Apr 2005 12:34:12 -0700 (PDT)From: Frederick Samarelli <[EMAIL PROTECTED]>Subject: test10To: [EMAIL PROTECTED]MIME-Version: 1.0Content-Type: text/plain; charset=us-asciiX-RBL-Warning: SNIFFERZERO: Message failed SNIFFERZERO: 0.X-Declude-Sender: [EMAIL PROTECTED] [206.190.38.237]X-Declude-Spoolname: D741100040470EC67.SMDX-Note: Total spam weight of this E-mail is 0.X-RBL-Warning: Total weight: 0X-Note: This E-mail was scanned & filtered by TCB [2.0.6] for SPAM & virus.X-Spam-Tests-Failed: SNIFFERZERO Message Body (should only be the word test10) X-Spam-Tests-Failed Weight: SNIFFERZERO [0]X-Spam-Time:15:33:42X-Weight: 0X-Mailfrom: samarelli.yahoo.comX-Note: Sent from: [EMAIL PROTECTED]X-Note: Sent from Reverse DNS: web51806.mail.yahoo.com ([206.190.38.237])X-Hello: web51806.mail.yahoo.comX-Note: Recipient(s): [EMAIL PROTECTED]X-Country-Chain: UNITED STATES->destinationX-AOL-IP: 64.124.117.196X-AOL-SCOLL-SCORE:0:0:0:X-AOL-SCOLL-URL_COUNT:0test10 Culprit: XINHEADER X-Spam-Tests-Failed Weight: %TESTSFAILEDWITHWEIGHTS%
RE: [Declude.JunkMail] Something new with v 2.0.6
Title: Message Well - NONE of those have an embedded space in the Header name!? X-Note: X-RBL-Warning: vs. X-Spam-Tests-Failed Weight: Have you TRIED what I suggested? Best RegardsAndy SchmidtPhone: +1 201 934-3414 x20 (Business)Fax: +1 201 934-9206 -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frederick SamarelliSent: Wednesday, April 13, 2005 04:28 PMTo: Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail] Something new with v 2.0.6 Good Thought but I have these others without problem. Thanks. XINHEADER X-Note: Total spam weight of this E-mail is %WEIGHT%.XINHEADER X-RBL-Warning: Total weight: %WEIGHT%XINHEADER X-Note: This E-mail was scanned & filtered by TCB [%VERSION%] for SPAM & virus.XINHEADER X-Note: Sent from: %MAILFROM%XINHEADER X-Note: Sent from Reverse DNS: %REVDNS% ([%REMOTEIP%])XINHEADER X-Note: Recipient(s): %REALRECIPS%
Re: [Declude.JunkMail] Something new with v 2.0.6
Title: Message It may be an issue with having a space before the first colon. I seem to remember something like that in the past. Worth a try anyway... Darin. - Original Message - From: Frederick Samarelli To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 4:27 PM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 Good Thought but I have these others without problem. Thanks. XINHEADER X-Note: Total spam weight of this E-mail is %WEIGHT%.XINHEADER X-RBL-Warning: Total weight: %WEIGHT%XINHEADER X-Note: This E-mail was scanned & filtered by TCB [%VERSION%] for SPAM & virus.XINHEADER X-Note: Sent from: %MAILFROM%XINHEADER X-Note: Sent from Reverse DNS: %REVDNS% ([%REMOTEIP%])XINHEADER X-Note: Recipient(s): %REALRECIPS%- Original Message - From: Andy Schmidt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 4:02 PM Subject: RE: [Declude.JunkMail] Something new with v 2.0.6 Hi Frederick: I don't know if this has been asked/suggested already and I don't have time to go back to the RFCs to see if embedded spaces are permitted in the header name. But have you ever tried eliminating that space: XINHEADER X-Spam-Tests-Failed Weight: %TESTSFAILEDWITHWEIGHTS% replace with: XINHEADER X-Spam-Tests-Failed-Weight: %TESTSFAILEDWITHWEIGHTS% May be the problem is that there is a CR/LF followed by a line that contains no header name (due to the embedded space) following by another CR/LF. May be those two CR/LF without valid header information inbetween are interpreted as "start of message body" by some entities? Best RegardsAndy SchmidtPhone: +1 201 934-3414 x20 (Business)Fax: +1 201 934-9206 -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frederick SamarelliSent: Wednesday, April 13, 2005 03:42 PMTo: Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail] Something new with v 2.0.6 Mike/Matt (thanks for your help) You should be able to duplicated by just forwarding an email to an outside account using the problem line at the bottom. As not to confuse things I simplified the process. Send an email from [EMAIL PROTECTED] =>>> [EMAIL PROTECTED] (forwarded to) =>>> [EMAIL PROTECTED] This run through only one server on my network. Header from My AOL account. Return-Path: <[EMAIL PROTECTED]>Received: from rly-xm04.mx.aol.com (rly-xm04.mail.aol.com [172.20.83.105]) by air-xm03.mail.aol.com (v105.26) with ESMTP id MAILINXM31-606425d743d132; Wed, 13 Apr 2005 15:34:25 -0400Received: from bks.tcbinc.com (bks.tcbinc.com [64.124.117.196]) by rly-xm04.mx.aol.com (v105.26) with ESMTP id MAILRELAYINXM42-606425d743d132; Wed, 13 Apr 2005 15:34:21 -0400Received: from SMTP32-FWD by bks.tcbinc.com (SMTP32) id A741100040470EC67; Wed, 13 Apr 2005 15:33:42 Received: from web51806.mail.yahoo.com [206.190.38.237] by bks.tcbinc.com (SMTPD32-8.15) id A41140470; Wed, 13 Apr 2005 15:33:37 -0400Received: (qmail 50369 invoked by uid 60001); 13 Apr 2005 19:34:12 -Comment: DomainKeys? See http://antispam.yahoo.com/domainkeysDomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; b=M12dWrk8x99pS4FhLTVJbfbgIc60YrjkjS/Vi2yiCoare5X2fk5F+zDzAA2XuOKAyAuKoj3EEGBHc6gPlwybZ/TMSShXoJtIypUpKUZZrm7SoU0rx30hedmPe9IecDArBynamRJFf8HjmCsGFKGIwJhKUjwV4wNnw1wLdarF7SE= ;Message-ID: <[EMAIL PROTECTED]>Received: from [64.124.117.139] by web51806.mail.yahoo.com via HTTP; Wed, 13 Apr 2005 12:34:12 PDTDate: Wed, 13 Apr 2005 12:34:12 -0700 (PDT)From: Frederick Samarelli <[EMAIL PROTECTED]>Subject: test10To: [EMAIL PROTECTED]MIME-Version: 1.0Content-Type: text/plain; charset=us-asciiX-RBL-Warning: SNIFFERZERO: Message failed SNIFFERZERO: 0.X-Declude-Sender: [EMAIL PROTECTED] [206.190.38.237]X-Declude-Spoolname: D741100040470EC67.SMDX-Note: Total spam weight of this E-mail is 0.X-RBL-Warning: Total weight: 0X-Note: This E-mail was scanned & filtered by TCB [2.0.6] for SPAM & virus.X-Spam-Tests-Failed: SNIFFERZERO Message Body (should only be the word test10) X-Spam-Tests-Failed Weight: SNIFFERZERO [0]X-Spam-Time:15:33:42X-Weight: 0X-Mailfrom: samarelli.yahoo.comX-Note: Sent from: [EMAIL PROTECTED]X-Note: Sent from Reverse DNS: web51806.mail.yahoo.com ([206.190.38.237])X-Hello: web51806.mail.yahoo.comX-Note: Recipient(s): [EMAIL PROTECTED]X-Country-Chain: UNITED STATES->destinationX-AOL-IP: 64.124.117.196X-AOL-SCOLL-SCORE:0:0:0:X-AOL-SCOLL-URL_COUNT:0test10 Culprit: XINHEADER X-Spam-Tests-Failed Weight: %TESTSFAILEDWITHWEIGHTS%
RE: [Declude.JunkMail] Something new with v 2.0.6
Title: Message Fredrick, But with these there are no spaces in the x line: but with this one X-Spam-Tests-Failed<->Weight: there is a space. David B www.declude.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frederick SamarelliSent: Wednesday, April 13, 2005 4:28 PMTo: Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail] Something new with v 2.0.6 Good Thought but I have these others without problem. Thanks. XINHEADER X-Note: Total spam weight of this E-mail is %WEIGHT%.XINHEADER X-RBL-Warning: Total weight: %WEIGHT%XINHEADER X-Note: This E-mail was scanned & filtered by TCB [%VERSION%] for SPAM & virus.XINHEADER X-Note: Sent from: %MAILFROM%XINHEADER X-Note: Sent from Reverse DNS: %REVDNS% ([%REMOTEIP%])XINHEADER X-Note: Recipient(s): %REALRECIPS%- Original Message - From: Andy Schmidt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 4:02 PM Subject: RE: [Declude.JunkMail] Something new with v 2.0.6 Hi Frederick: I don't know if this has been asked/suggested already and I don't have time to go back to the RFCs to see if embedded spaces are permitted in the header name. But have you ever tried eliminating that space: XINHEADER X-Spam-Tests-Failed Weight: %TESTSFAILEDWITHWEIGHTS% replace with: XINHEADER X-Spam-Tests-Failed-Weight: %TESTSFAILEDWITHWEIGHTS% May be the problem is that there is a CR/LF followed by a line that contains no header name (due to the embedded space) following by another CR/LF. May be those two CR/LF without valid header information inbetween are interpreted as "start of message body" by some entities? Best RegardsAndy SchmidtPhone: +1 201 934-3414 x20 (Business)Fax: +1 201 934-9206 -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frederick SamarelliSent: Wednesday, April 13, 2005 03:42 PMTo: Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail] Something new with v 2.0.6 Mike/Matt (thanks for your help) You should be able to duplicated by just forwarding an email to an outside account using the problem line at the bottom. As not to confuse things I simplified the process. Send an email from [EMAIL PROTECTED] =>>> [EMAIL PROTECTED] (forwarded to) =>>> [EMAIL PROTECTED] This run through only one server on my network. Header from My AOL account. Return-Path: <[EMAIL PROTECTED]>Received: from rly-xm04.mx.aol.com (rly-xm04.mail.aol.com [172.20.83.105]) by air-xm03.mail.aol.com (v105.26) with ESMTP id MAILINXM31-606425d743d132; Wed, 13 Apr 2005 15:34:25 -0400Received: from bks.tcbinc.com (bks.tcbinc.com [64.124.117.196]) by rly-xm04.mx.aol.com (v105.26) with ESMTP id MAILRELAYINXM42-606425d743d132; Wed, 13 Apr 2005 15:34:21 -0400Received: from SMTP32-FWD by bks.tcbinc.com (SMTP32) id A741100040470EC67; Wed, 13 Apr 2005 15:33:42 Received: from web51806.mail.yahoo.com [206.190.38.237] by bks.tcbinc.com (SMTPD32-8.15) id A41140470; Wed, 13 Apr 2005 15:33:37 -0400Received: (qmail 50369 invoked by uid 60001); 13 Apr 2005 19:34:12 -Comment: DomainKeys? See http://antispam.yahoo.com/domainkeysDomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; b=M12dWrk8x99pS4FhLTVJbfbgIc60YrjkjS/Vi2yiCoare5X2fk5F+zDzAA2XuOKAyAuKoj3EEGBHc6gPlwybZ/TMSShXoJtIypUpKUZZrm7SoU0rx30hedmPe9IecDArBynamRJFf8HjmCsGFKGIwJhKUjwV4wNnw1wLdarF7SE= ;Message-ID: <[EMAIL PROTECTED]>Received: from [64.124.117.139] by web51806.mail.yahoo.com via HTTP; Wed, 13 Apr 2005 12:34:12 PDTDate: Wed, 13 Apr 2005 12:34:12 -0700 (PDT)From: Frederick Samarelli <[EMAIL PROTECTED]>Subject: test10To: [EMAIL PROTECTED]MIME-Version: 1.0Content-Type: text/plain; charset=us-asciiX-RBL-Warning: SNIFFERZERO: Message failed SNIFFERZERO: 0.X-Declude-Sender: [EMAIL PROTECTED] [206.190.38.237]X-Declude-Spoolname: D741100040470EC67.SMDX-Note: Total spam weight of this E-mail is 0.X-RBL-Warning: Total weight: 0X-Note: This E-mail was scanned & filtered by TCB [2.0.6] for SPAM & virus.X-Spam-Tests-Failed: SNIFFERZERO Message Body (should only be the word test10) X-Spam-Tests-Failed Weight: SNIFFERZERO [0]X-Spam-Time:15:33:42X-Weight: 0X-Mailfrom: samarelli.yahoo.comX-Note: Sent from: [EMAIL PROTECTED]X-Note: Sent from Reverse DNS: web51806.mail.yahoo.com ([206.190.38.237])X-Hello: web51806.mail.yahoo.comX-Note: Recipient(s): [EMAIL PROTECTED]X-Country-Chain: UNITED STATES->destinationX-AOL-IP: 64.124.117.196X-AOL-SCOLL-SCORE:0:0:0:X-AOL-SCOLL-URL_COUNT:0test10 Culprit: XINHEADER X-Spam-Tests-Failed Weight: %TESTSFAILEDWITHWEIGHTS%__ NOD32 1.1059 (20050412) Information __
Re: [Declude.JunkMail] Something new with v 2.0.6
Title: Message Fred, Those are all legit. Andy has keen eyes and I suspect that he may have identified the trigger, though it would be a bug in Declude to behave in this way, but a minor one. The examples that you gave all have no spaces prior to the first colon, and that is compliant. The one that Andy gave was clearly not, and it is the one that is also causing you problems. Matt Frederick Samarelli wrote: Good Thought but I have these others without problem. Thanks. XINHEADER X-Note: Total spam weight of this E-mail is %WEIGHT%. XINHEADER X-RBL-Warning: Total weight: %WEIGHT% XINHEADER X-Note: This E-mail was scanned & filtered by TCB [%VERSION%] for SPAM & virus. XINHEADER X-Note: Sent from: %MAILFROM% XINHEADER X-Note: Sent from Reverse DNS: %REVDNS% ([%REMOTEIP%]) XINHEADER X-Note: Recipient(s): %REALRECIPS% - Original Message - From: Andy Schmidt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 4:02 PM Subject: RE: [Declude.JunkMail] Something new with v 2.0.6 Hi Frederick: I don't know if this has been asked/suggested already and I don't have time to go back to the RFCs to see if embedded spaces are permitted in the header name. But have you ever tried eliminating that space: XINHEADER X-Spam-Tests-Failed Weight: %TESTSFAILEDWITHWEIGHTS% replace with: XINHEADER X-Spam-Tests-Failed-Weight: %TESTSFAILEDWITHWEIGHTS% May be the problem is that there is a CR/LF followed by a line that contains no header name (due to the embedded space) following by another CR/LF. May be those two CR/LF without valid header information inbetween are interpreted as "start of message body" by some entities? Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Frederick Samarelli Sent: Wednesday, April 13, 2005 03:42 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 Mike/Matt (thanks for your help) You should be able to duplicated by just forwarding an email to an outside account using the problem line at the bottom. As not to confuse things I simplified the process. Send an email from [EMAIL PROTECTED] =>>> [EMAIL PROTECTED] (forwarded to) =>>> [EMAIL PROTECTED] This run through only one server on my network. Header from My AOL account. Return-Path: <[EMAIL PROTECTED]> Received: from rly-xm04.mx.aol.com (rly-xm04.mail.aol.com [172.20.83.105]) by air-xm03.mail.aol.com (v105.26) with ESMTP id MAILINXM31-606425d743d132; Wed, 13 Apr 2005 15:34:25 -0400 Received: from bks.tcbinc.com (bks.tcbinc.com [64.124.117.196]) by rly-xm04.mx.aol.com (v105.26) with ESMTP id MAILRELAYINXM42-606425d743d132; Wed, 13 Apr 2005 15:34:21 -0400 Received: from SMTP32-FWD by bks.tcbinc.com (SMTP32) id A741100040470EC67; Wed, 13 Apr 2005 15:33:42 Received: from web51806.mail.yahoo.com [206.190.38.237] by bks.tcbinc.com (SMTPD32-8.15) id A41140470; Wed, 13 Apr 2005 15:33:37 -0400 Received: (qmail 50369 invoked by uid 60001); 13 Apr 2005 19:34:12 - Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; b=M12dWrk8x99pS4FhLTVJbfbgIc60YrjkjS/Vi2yiCoare5X2fk5F+zDzAA2XuOKAyAuKoj3EEGBHc6gPlwybZ/TMSShXoJtIypUpKUZZrm7SoU0rx30hedmPe9IecDArBynamRJFf8HjmCsGFKGIwJhKUjwV4wNnw1wLdarF7SE= ; Message-ID: <[EMAIL PROTECTED]> Received: from [64.124.117.139] by web51806.mail.yahoo.com via HTTP; Wed, 13 Apr 2005 12:34:12 PDT Date: Wed, 13 Apr 2005 12:34:12 -0700 (PDT) From: Frederick Samarelli <[EMAIL PROTECTED]> Subject: test10 To: [EMAIL PROTECTED] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-RBL-Warning: SNIFFERZERO: Message failed SNIFFERZERO: 0. X-Declude-Sender: [EMAIL PROTECTED] [206.190.38.237] X-Declude-Spoolname: D741100040470EC67.SMD X-Note: Total spam weight of this E-mail is 0. X-RBL-Warning: Total weight: 0 X-Note: This E-mail was scanned & filtered by TCB [2.0.6] for SPAM & virus. X-Spam-Tests-Failed: SNIFFERZERO Message Body (should only be the word test10) X-Spam-Tests-Failed Weight: SNIFFERZERO [0] X-Spam-Time:15:33:42 X-Weight: 0 X-Mailfrom: samarelli.yahoo.com X-Note: Sent from: [EMAIL PROTECTED] X-Note: Sent from Reverse DNS: web51806.mail.yahoo.com ([206.190.38.237]) X-Hello: web51806.mail.yahoo.com X-Note: Recipient(s): [EMAIL PROTECTED] X-Country-Chain: UNITED STATES->destination X-AOL-IP: 64.124.117.196 X-AOL-SCOLL-SCORE:0:0:0: X-AOL-SCOLL-URL_COUNT:0 test10 Culprit: XINHEADER X-Spam-Tests-Failed Weight: %TESTSFAILEDWITHWEIGHTS% -- =
RE: [Declude.JunkMail] Something new with v 2.0.6
Title: Message
Okay,
let me try it this way...
RFC
822 states:
3.1.2. STRUCTURE OF HEADER
FIELDS Once a field has been
unfolded, it may be viewed as being
com- posed of a field-name followed by a colon (":"), followed by
a field-body, and
terminated by a
carriage-return/line-feed. The field-name must be composed
of printable ASCII characters
(i.e., characters that have values between 33.
and 126., decimal, except
colon). The field-body may be composed of
any ASCII characters, except CR or
LF. (While CR and/or LF may
be present in the actual
text, they are removed by the action
of unfolding the
field.)
My
reading of the RFC is, that 0x20 (32) is NOT permitted as a header field name!
Thus:
X-Spam-Tests-Failed Weight:
is NOT to be
interpreted as a valid header!
Best
RegardsAndy SchmidtPhone: +1 201 934-3414 x20
(Business)Fax: +1 201 934-9206
-Original Message-From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Frederick SamarelliSent: Wednesday, April 13,
2005 04:28 PMTo: Declude.JunkMail@declude.comSubject:
Re: [Declude.JunkMail] Something new with v 2.0.6
Good Thought but I have these others without
problem. Thanks.
XINHEADER X-Note: Total spam weight
of this E-mail is %WEIGHT%.XINHEADER X-RBL-Warning: Total
weight: %WEIGHT%XINHEADER X-Note: This E-mail was scanned &
filtered by TCB [%VERSION%] for SPAM &
virus.XINHEADER X-Note: Sent from:
%MAILFROM%XINHEADER X-Note: Sent from Reverse DNS:
%REVDNS% ([%REMOTEIP%])XINHEADER X-Note: Recipient(s):
%REALRECIPS%- Original Message -
From:
Andy Schmidt
To: Declude.JunkMail@declude.com
Sent: Wednesday, April 13, 2005 4:02
PM
Subject: RE: [Declude.JunkMail]
Something new with v 2.0.6
Hi
Frederick:
I
don't know if this has been asked/suggested already and I don't have time to
go back to the RFCs to see if embedded spaces are permitted in the header
name. But have you ever tried eliminating that space:
XINHEADER X-Spam-Tests-Failed
Weight: %TESTSFAILEDWITHWEIGHTS%
replace with:
XINHEADER X-Spam-Tests-Failed-Weight:
%TESTSFAILEDWITHWEIGHTS%
May be the problem is that there is a CR/LF followed by a line that
contains no header name (due to the embedded space) following by
another CR/LF. May be those two CR/LF without valid header information
inbetween are interpreted as "start of message body" by some
entities?
Best
RegardsAndy SchmidtPhone: +1 201 934-3414 x20
(Business)Fax: +1 201 934-9206
-Original Message-From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frederick
SamarelliSent: Wednesday, April 13, 2005 03:42 PMTo:
Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail]
Something new with v 2.0.6
Mike/Matt (thanks for your help) You
should be able to duplicated by just forwarding an email to an outside
account using the problem line at the bottom.
As not to confuse things I simplified
the process.
Send an email from [EMAIL PROTECTED] =>>> [EMAIL PROTECTED] (forwarded to)
=>>> [EMAIL PROTECTED]
This run through only one server on
my network.
Header from My AOL
account.
Return-Path: <[EMAIL PROTECTED]>Received:
from rly-xm04.mx.aol.com (rly-xm04.mail.aol.com [172.20.83.105]) by
air-xm03.mail.aol.com (v105.26) with ESMTP id MAILINXM31-606425d743d132;
Wed, 13 Apr 2005 15:34:25 -0400Received: from bks.tcbinc.com
(bks.tcbinc.com [64.124.117.196]) by rly-xm04.mx.aol.com (v105.26) with
ESMTP id MAILRELAYINXM42-606425d743d132; Wed, 13 Apr 2005 15:34:21
-0400Received: from SMTP32-FWD by bks.tcbinc.com (SMTP32) id
A741100040470EC67; Wed, 13 Apr 2005 15:33:42 Received: from
web51806.mail.yahoo.com [206.190.38.237] by bks.tcbinc.com
(SMTPD32-8.15) id A41140470; Wed, 13 Apr 2005 15:33:37 -0400Received:
(qmail 50369 invoked by uid 60001); 13 Apr 2005 19:34:12 -Comment:
DomainKeys? See http://antispam.yahoo.com/domainkeysDomainKey-Signature:
a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com;
b=M12dWrk8x99pS4FhLTVJbfbgIc60YrjkjS/Vi2yiCoare5X2fk5F+zDzAA2XuOKAyAuKoj3EEGBHc6gPlwybZ/TMSShXoJtIypUpKUZZrm7SoU0rx30hedmPe9IecDArBynamRJFf8HjmCsGFKGIwJhKUjwV4wNnw1wLdarF7SE=
;Message-ID: <[EMAIL PROTECTED]>Received:
from [64.124.117.139] by web51806.mail.yahoo.com via HTTP; Wed, 13 Apr
2005 12:34:12 PDTDate: Wed, 13 Apr 2005 12:34:12 -0700 (PDT)From:
Frederick Samarelli <[EMAIL PROTECTED]>Subject:
test10To: [EMAIL PROTECTED]MIME-Version:
1.0Content-Type: text/plain; charset
RE: [Declude.JunkMail] Something new with v 2.0.6
On 13 Apr 2005 at 16:44, Andy Schmidt wrote:
Very well done Andy..
-Nick
>
> Okay, let me try it this way...
>
> RFC 822 states:
>
> 3.1.2. STRUCTURE OF HEADER FIELDS
>
> Once a field has been unfolded, it may be viewed as being com-
> posed of a field-name followed by a colon (":"), followed by a
> field-body, and terminated by a carriage-return/line-feed.
> The field-name must be composed of printable ASCII characters
> (i.e., characters that have values between 33. and 126.,
> decimal, except colon). The field-body may be composed of any
> ASCII characters, except CR or LF. (While CR and/or LF may be
> present in the actual text, they are removed by the action of
> unfolding the field.)
> My reading of the RFC is, that 0x20 (32) is NOT permitted as a header
> field name! Thus:
>
> X-Spam-Tests-Failed Weight:
>
> is NOT to be interpreted as a valid header!
> Best Regards
> Andy Schmidt
>
> Phone: +1 201 934-3414 x20 (Business)
> Fax: +1 201 934-9206
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> [EMAIL PROTECTED] On Behalf Of Frederick Samarelli Sent: Wednesday,
> April 13, 2005 04:28 PM To: Declude.JunkMail@declude.com Subject: Re:
> [Declude.JunkMail] Something new with v 2.0.6
>
> Good Thought but I have these others without problem. Thanks.
>
> XINHEADER X-Note: Total spam weight of this E-mail is %WEIGHT%.
> XINHEADERX-RBL-Warning: Total weight: %WEIGHT%
> XINHEADERX-Note: This E-mail was scanned & filtered by TCB
> [%VERSION%] for SPAM & virus.
> XINHEADERX-Note: Sent from: %MAILFROM%
> XINHEADERX-Note: Sent from Reverse DNS: %REVDNS% ([%REMOTEIP%])
> XINHEADERX-Note: Recipient(s): %REALRECIPS%
> - Original Message -
> From: Andy Schmidt
> To: Declude.JunkMail@declude.com
> Sent: Wednesday, April 13, 2005 4:02 PM
> Subject: RE: [Declude.JunkMail] Something new with v 2.0.6
>
> Hi Frederick:
>
> I don't know if this has been asked/suggested already and I don't have
> time to go back to the RFCs to see if embedded spaces are permitted in
> the header name. But have you ever tried eliminating that space:
>
> XINHEADERX-Spam-Tests-Failed Weight: %TESTSFAILEDWITHWEIGHTS%
>
> replace with:
>
> XINHEADERX-Spam-Tests-Failed-Weight: %TESTSFAILEDWITHWEIGHTS%
>
>
>
> May be the problem is that there is a CR/LF followed by a line that
> contains no header name(due to the embedded space) following by
> another CR/LF. May be those two CR/LF without valid header information
> inbetween are interpreted as "start of message body" by some entities?
> Best Regards Andy Schmidt
>
> Phone: +1 201 934-3414 x20 (Business)
> Fax: +1 201 934-9206
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> [EMAIL PROTECTED] On Behalf Of Frederick Samarelli Sent: Wednesday,
> April 13, 2005 03:42 PM To: Declude.JunkMail@declude.com Subject: Re:
> [Declude.JunkMail] Something new with v 2.0.6
>
> Mike/Matt (thanks for your help) You should be able to duplicated by
> just forwarding an email to an outside account using the problem line
> at the bottom.
>
> As not to confuse things I simplified the process.
>
> Send an email from [EMAIL PROTECTED]>>>
> [EMAIL PROTECTED](forwarded to) =>>> [EMAIL PROTECTED]
>
> This run through only one server on my network.
>
>
> Header from My AOL account.
> Return-Path: <[EMAIL PROTECTED]>
> Received: from rly-xm04.mx.aol.com (rly-xm04.mail.aol.com
> [172.20.83.105]) by air-xm03.mail.aol.com (v105.26) with ESMTP id
> MAILINXM31-606425d743d132; Wed, 13 Apr 2005 15:34:25 -0400 Received:
> from bks.tcbinc.com (bks.tcbinc.com [64.124.117.196]) by
> rly-xm04.mx.aol.com (v105.26) with ESMTP id MAILRELAYINXM42-
> 606425d743d132; Wed, 13 Apr 2005 15:34:21 -0400 Received: from
> SMTP32-FWD by bks.tcbinc.com
> (SMTP32) id A741100040470EC67; Wed, 13 Apr 2005 15:33:42
> Received: from web51806.mail.yahoo.com [206.190.38.237] by
> bks.tcbinc.com
> (SMTPD32-8.15) id A41140470; Wed, 13 Apr 2005 15:33:37 -0400
> Received: (qmail 50369 invoked by uid 60001); 13 Apr 2005 19:34:12 -
> Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys
> DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
> s=s1024; d=yahoo.com;
>
> b=M12dWrk8x99pS4FhLTVJbfbgIc60YrjkjS/Vi2yiCoare5X2fk5F+zDzAA2XuOKAyAuK
> oj3EEGBHc6gPlwybZ/TMSShXoJtIypUpKUZZrm7SoU0rx30hedmPe9IecDArBynamRJFf8
> HjmCsGFKGIwJhKUjwV4wNnw1wLdarF7SE= ; Message-ID:
> <[EMAIL PROTECTED]> Received: from
> [64.124.117.139] by web51806.mail.yahoo.com via HTTP; Wed, 13 Apr 2005
> 12:34:12 PDT Date: Wed, 13 Apr 2005 12:34:12 -0700 (PDT) From:
> Frederick Samarelli <[EMAIL PROTECTED]> Subject: test10 To:
> [EMAIL PROTECTED] MIME-Version: 1.0 Content-Type: text/plain;
> charset=us-ascii X-RBL-Warning: SNIFFERZERO: Message failed
> SNIFFERZERO: 0. X-Declude-Sender: [EMAIL PROTECTED] [206.190.38.237]
> X-Declude-Spoolname: D741100040470EC67.SMD X-Note: Total spam weight
> of this E-mail is 0. X-RBL-Warning: Total weight: 0 X-Note: This
> E-m
