Re: [Declude.JunkMail] What Header does Whitelist file use?

2005-09-02 Thread Darin Cox
Title: What Header does Whitelist file use?



Sorry, you're right... Sometimes when I'm under the 
weather I switch things around...

Have you checked the other suggestion... making 
sure the last line has a carriage return afterwards?
Darin.


- Original Message - 
From: Agid, Corby 

To: Declude.JunkMail@declude.com 

Sent: Thursday, September 01, 2005 6:26 PM
Subject: RE: [Declude.JunkMail] What Header does Whitelist file 
use?

Hi Darin,

I just checked the manual regarding the SWITCHRECIP ON. The description
sounds like it affects who the message is addressed to rather than where it
comes from. Am I missing something?

Corby

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
  Sent: Thursday, September 01, 2005 1:02 PM
  To: Declude.JunkMail@declude.com
  Subject: Re: [Declude.JunkMail] What Header does Whitelist file use?
  
  This may be an issue where the FROM listed in the 
  email is different from the MAILFROM address found in the 
  envelope.
  
  If so, putting SWITCHRECIP ON in your Declude Global.cfg should fix it.
  You can read more about this config option in the Declude Junkmail manual.
  Darin.
  
  
  - Original Message - 
  From: Agid, 
  Corby 
  To: Declude.JunkMail@declude.com 
  
  Sent: Thursday, September 01, 2005 12:09 PM
  Subject: [Declude.JunkMail] What Header does Whitelist file 
  use?
  
  Hello,
  I'm still having trouble whitelisting a few incoming messages. Can you
  tell me, what part of incoming mail does the whitelist trigger on? Should
  the reverse DNS domain or the mail header, or the address listed in the
  To: list be used, or perhaps the helo information?
  Below is an example of diagnostic from a message 
  recently received along with my whitelist entry. Do I need to 
  whitelist the reverse DNS (lunarpages.com) instead?
  My current whitelist entry: @tempager.com
  HeaderCode: c020020c
  ReverseDNS: draco.lunarpages.com
  RemoteIP: 216.193.215.150
  Testname: WEIGHT10-29B
  MessageID: [EMAIL PROTECTED]
  Quename: D5b4810be01c401ae.SMD
  Sniffer:
  Headers:
  Received: from draco.lunarpages.com [216.193.215.150] by msx.renoairport.com with ESMTP
    (SMTPD32-8.15) id AB4810BE01C4; Mon, 29 Aug 2005 12:00:24 -0700
  Received: from localhost.int.lunarpages.com ([127.0.0.1] helo=draco.lunarpages.com)
    by draco.lunarpages.com with esmtp (Exim 4.50)
    id 1E9orj-00075B-Vq; Mon, 29 Aug 2005 12:00:19 -0700
  From: [EMAIL PROTECTED]
  Subject: TemPageR_Users Digest, Vol 7, Issue 5
  To: [EMAIL PROTECTED]
  Reply-To: [EMAIL PROTECTED]
  MIME-Version: 1.0
  Content-Type: text/plain; charset="us-ascii"
  Content-Transfer-Encoding: 7bit
  X-BeenThere: [EMAIL PROTECTED]
  X-Mailman-Version: 2.1.5p1
  Precedence: list
  List-Id: TemPageR User Group tempager_users_tempager.com.tempager.com
  List-Unsubscribe: http://tempager.com/mailman/listinfo/tempager_users_tempager.com,
    mailto:[EMAIL PROTECTED]
  List-Archive: /pipermail/tempager_users_tempager.com
  List-Post: mailto:[EMAIL PROTECTED]
  List-Help: mailto:[EMAIL PROTECTED]
  List-Subscribe: http://tempager.com/mailman/listinfo/tempager_users_tempager.com,
    mailto:[EMAIL PROTECTED]
  Sender: [EMAIL PROTECTED]
  Errors-To: [EMAIL PROTECTED]
  X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
  X-AntiAbuse: Primary Hostname - draco.lunarpages.com
  X-AntiAbuse: Original Domain - renoairport.com
  X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
  X-AntiAbuse: Sender Address Domain - tempager.com
  X-Source:
  X-Source-Args:
  X-Source-Dir:
  Message-Id: [EMAIL PROTECTED]
  


RE: [Declude.JunkMail] OT - Removal from SPEWS

2005-09-02 Thread Chuck Schick
As others have noted - don't waste your time.

One of our class C's is part of a class B that a spammer at some time had a
couple of IP blocks in.  As their approach is that any collateral damage is
acceptable, they blocked the entire class B.  

As reputable and competent administrators do not use Spews to block email,
we have had very few problems with customers' mail not getting through.  When
it does come up we offer to move these clients to another mail server but
also explain that it is a misguided guerilla warfare attempt by spews.
Almost every time once the client has understood what is going on they have
informed the person not receiving the email to contact their host so they
are not blocked.

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com


 
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Troy D. Hilton
Sent: Thursday, September 01, 2005 11:00 AM
To: Declude Junkmail Forum
Subject: [Declude.JunkMail] OT - Removal from SPEWS


Hey All,
How does one go about getting their IP address delisted with SPEWS? I
understand how I got listed and that problem has been successfully removed.
But now is the daunting task of getting delisted. While most blacklists do
provide some sort of removal process, SPEWS seems to only tell you you're
listed.
Any suggestions here?
Troy D. Hilton
Serveon, Inc.
[EMAIL PROTECTED]
302-529-8640

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


[Declude.JunkMail] Imail 8.2

2005-09-02 Thread Timothy Bohen
Ok of course I upgraded and never thought to check this mailing list, I'm 
trying to catch up, but what are the issues with Declude and Imail 8.2? Should 
I disable declude?

Big reason I'm asking is I'm getting slow delivery, wondering if this is 
because of 8.2 and declude not getting along?? I'm running Declude 2.0.5 Thanks 

 
__ __ __ __
Sent via the CMS Internet Webmail system at mail1.cmsinter.net


 
   


[Declude.JunkMail] Suggestions on catching a spam message?

2005-09-02 Thread Dave Beckstrom

Hi Everyone,

I just purchased declude two days ago.  I'm running Declude with message
sniffer on a smartermail server.  So far, it is working very well.

The approach that I have been trying to take is to, wherever possible, avoid
creating a custom filter entry to trap a specific email.  Below is an
example of a spam email which slipped through this morning.  I sanitized the
mail headers so any reference to myserver or mydomain or myaddress is where
I replaced our details in the headers.

As you can see from the headers, there was very little wrong with this email
that would enable us to score it high enough for it to be considered spam. 

I tag the subject at a score of 14.

At the bottom of this message is the actual body of the html email.
Obviously I could add a filter entry to look for agnheqe3.com and to
delete or hold the message.  The problem with that approach, in my opinion,
is it never ends. If they have 1000 different domains that means a 1000
filter entries. I hate filtering to block a specific email and I would
rather block based upon a pattern common to all spam.

I am wondering if you have had any success on trapping emails like the one
below?  What would you add or change to have caught this message?  The only
thing I saw, that is common to spam, which I think I could filter on is the
/track? in the URL.  I've seen a lot of spam that triggers various ASP or
PHP or other programs in the IMG SRC tag which enables a spammer to verify
that the email was opened and read.

What do you think?  How can I tighten up my filtering to catch an email such
as the one below?

Do you guys forward spam to spamcop or other places to help with the RBLs?

Thanks!

Dave


 
Return-Path: [EMAIL PROTECTED] Fri Sep 02
07:34:48 2005
Received: from sip.agnheqe3.com [206.131.238.29] by myserver.mydomain.com
with SMTP;
   Fri, 2 Sep 2005 07:34:48 -0500
MIME-Version: 1.0
X-Accept-Language: en
X-Priority: Normal
From: Energy Drink [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Nationwide Energy Drink Survey
Date: Fri, 2 Sep 2005 04:08:28 EST
Message-ID: q8tz5,[EMAIL PROTECTED]
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client
[8008000e].
X-RBL-Warning: SPFUNKNOWN: SPF returned UNKNOWN for this E-mail.
X-RBL-Warning: Filter_Country: Message failed Filter_Country test (line 223,
weight 0)
X-Note: 
X-Note: Spam Score:   [6]
X-Note: Scan Time:  07:35:08 on 02 Sep 2005
X-Note: Spool File: 37143703.EML
X-Note: Server Name:sip.agnheqe3.com
X-Note: SMTP Sender:
[EMAIL PROTECTED]
X-Note: Reverse DNS  IP: sip.agnheqe3.com [206.131.238.29]
X-Note: Recipient(s):   fwd[EMAIL PROTECTED]
X-Note: Country Chain:  UNITED STATES-destination
X-Note: Failed Weights:   BADHEADERS [8], SPFUNKNOWN [1], Filter_Country [0]
X-Note: 




html
bodybr
a
href=http://agnheqe3.com/track?e=3p5seppESTe4spEnBsK4I3YMp1m=6225115l=0;
img 
src=http://agnheqe3.com/t?m=6225115l=3; border=0/abrbr
img 
src=http://agnheqe3.com/t?m=6225115l=2; border=0/abrbr
a 
href=http://agnheqe3.com/t?m=6225115l=4;
img 
src=http://agnheqe3.com/track?e=46UqH66PCSHeq6PD4qbeBnKu6zm=6225115l=1;
border=0/abr
brbrfont color='#ff' face='arial,helvetica'
size='1'5;46UqH66PCSHeq6PD4qbeBnKu6z;6225115/font/body/html

---
[This E-mail scanned for viruses by Declude Virus]




Re: [Declude.JunkMail] Suggestions on catching a spam message?

2005-09-02 Thread Darin Cox
Best recommendation?  Add message sniffer from sortmonster.com.  It is the
single best test on our system.

Darin.




Re: [Declude.JunkMail] Suggestions on catching a spam message?

2005-09-02 Thread Darrell \([EMAIL PROTECTED])
Dave, 

One of the biggest things you can do to help out, since you are already 
running Sniffer, is look at adding URI filtering.  For example that domain is 
currently listed in black.uribl.com. 

If you want to give URI filtering a try check out our site - 
http://www.invariantsystems.com (invURIBL). 

URI filtering is very effective.  Hopefully, others will comment on how well 
URI filtering is working for them as well. 

Darrell 






Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers. 
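
The URI filtering suggested in the message above, together with the
query-string-in-IMG-SRC pattern from the original post, as an added example
(not code from the thread, from Declude or from invURIBL). It assumes a naive
"last two labels" domain reduction, hypothetical weights, and a resolver
passed in by the caller; the 127.0.0.2 answer and the message body are
constructed sample data.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

URIBL_ZONE = "black.uribl.com"  # zone named in the message above

# Constructed sample body, modelled on the spam quoted earlier in the thread.
SAMPLE_BODY = """<html><body>
<a href="http://agnheqe3.com/track?e=CONSTRUCTED-TOKEN&amp;m=1&amp;l=0">
<img src="http://agnheqe3.com/t?m=1&amp;l=3" border="0"></a>
<a href="http://sip.agnheqe3.com/t?m=1&amp;l=4">
<img src="http://agnheqe3.com/track?e=CONSTRUCTED-TOKEN&amp;m=1&amp;l=1" border="0"></a>
<img src="http://www.example.org/logo.gif">
</body></html>"""


class LinkCollector(HTMLParser):
    """Collect (tag, url) pairs from every href and src attribute."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append((tag, value.strip()))


def extract_links(html_body):
    parser = LinkCollector()
    parser.feed(html_body)
    parser.close()
    return parser.links


def split_url(url):
    """urlsplit that returns None instead of raising on malformed input."""
    try:
        return urlsplit(url)
    except ValueError:
        return None


def registered_domain(host):
    """Reduce a host name to the domain a URI list is keyed on.

    Assumption: the last two labels are the registered domain. A real
    filter needs a public-suffix list (co.uk and friends). IP literals
    are skipped here and return None.
    """
    host = host.lower().rstrip(".")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return None
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else None


def uribl_queries(html_body, zone=URIBL_ZONE):
    """Map each distinct linked domain to the DNS name to look up."""
    names = {}
    for _tag, url in extract_links(html_body):
        parts = split_url(url)
        if not parts or parts.scheme not in ("http", "https") or not parts.hostname:
            continue
        domain = registered_domain(parts.hostname)
        if domain:
            names[domain] = f"{domain}.{zone}"
    return names


def tracking_images(html_body):
    """IMG SRC URLs that carry a query string (possible open-tracking beacon)."""
    hits = []
    for tag, url in extract_links(html_body):
        parts = split_url(url)
        if tag == "img" and parts and parts.query:
            hits.append(url)
    return hits


def score_body(html_body, resolver, uri_weight=10, beacon_weight=2):
    """Return (added weight, failed tests). Weights are hypothetical.

    resolver(name) returns an address string when the name is listed and
    None otherwise, e.g. a wrapper around socket.gethostbyname that
    catches socket.gaierror. The beacon test gets a light weight because
    legitimate newsletters track opens the same way.
    """
    total, failed = 0, []
    for domain, qname in sorted(uribl_queries(html_body).items()):
        if resolver(qname):
            total += uri_weight
            failed.append(f"URIBL:{domain}")
    if tracking_images(html_body):
        total += beacon_weight
        failed.append("IMGQUERY")
    return total, failed


# Constructed stand-in for DNS so the example runs offline.
CONSTRUCTED_LISTINGS = {"agnheqe3.com.black.uribl.com": "127.0.0.2"}


def constructed_resolver(name):
    return CONSTRUCTED_LISTINGS.get(name)


if __name__ == "__main__":
    print(uribl_queries(SAMPLE_BODY))
    print(score_body(SAMPLE_BODY, constructed_resolver))
```

One listing covers every URL on the domain, so no per-message filter entry
is needed; a message whose domain is not yet listed gets only the light
beacon weight.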





RE: [Declude.JunkMail] Suggestions on catching a spam message?

2005-09-02 Thread Kevin Bilbee
He said he is running message sniffer?

He should add INVURIBL to check the URI Black lists.


Kevin Bilbee


Re: [Declude.JunkMail] Suggestions on catching a spam message?

2005-09-02 Thread Dave Doherty

Hi Dave:

Welcome!

You'll find that tweaking weights and filters is an ongoing proposition. You 
have BADHEADERS weighted at more than half your tag weight, so that is a 
good start. I do not add any weight for SPFUNKNOWN, and I have found the 
country filter to be of little use.


One suggestion: The message apparently passed Sniffer, so the first thing is 
to forward it to spam @ sortmonster.com. They will have a look and add it to 
their database. They are very, very good, and I find it is the best single 
test I have running.


-Dave Doherty
Skywaves, Inc.





RE: [Declude.JunkMail] Suggestions on catching a spam message?

2005-09-02 Thread Colbeck, Andrew
Welcome to the list, Dave!

Sometimes the bad guys win.  Like virus detection, spam detection is
mostly a matter of reacting to the bad guys and blocking them, so they
do get some in.

If you try to achieve 100% spam blocking, you will devote your life to
it and you'll burn out after spending too much time finding false
positives and dealing with the resultant customer complaints.

A couple of points about this particular message:

1) I got one copy of it in my organization, too.  It scored 15 of 20 so
it passed.  The recipient didn't complain.

2) At the time it came in, the netblock was clean.  SPEWS2 is the only
RBL I know of that listed it at that point, and it still does.  Nobody
who has customers uses SPEWS2 to fight spam.  Most don't use SPEWS1 for
that matter.  There's been a thread about this in the last few days.

3) Sniffer hadn't seen the message yet, so it didn't trigger either.  I
still recommend Sniffer.

4) URI blacklisting hadn't seen the message yet, so it didn't trigger
either.  I still recommend URI blacklisting.

5) Snips of text like -mydomain.com? and myaddress@ in the MAILFROM
can be tested for, but must have a light weight or only be used in
combination with other tests.  VERP is commonly used by legitimate
mailers so that they can scrub their lists when an email account is
cancelled and they receive bounces, or scrub their list when a
legitimate subscriber reports them as spammers because they're too lazy
to unsubscribe.

6) Not that *I* would do such a thing, but if *one* were to strobe the
/24 netblock that the message came from, you would see definite patterns
in the naming conventions and could certainly predict how the spammer is
going to change his domain names for the next spam runs.

I've put them into my IP blacklist text file.

206.131.224.0/19 matched 206.131.224.0/19 SPEWS OffersCentral, see
http://spews.org/html/S1528.html Sep-02-2005

Along with the neighbours which have been there for a long time:

206.128.156.0/24 matched 206.128.156.0/24 SPEWS stubberfield, see
http://spews.org/ask.cgi?S359

206.131.243.0/24 matched 206.131.243.0/24 SPEWS elistmarketers, see
http://spews.org/ask.cgi?S1710


Andrew 8)



RE: [Declude.JunkMail] What Header does Whitelist file use?

2005-09-02 Thread Agid, Corby



I just added a carriage return, but my entry in 
question wasn't at the end. I've tweaked my list to hopefully cover 
all the options, but now it's a waiting game to see if it actually works since 
the senders in question don't send us things very often and what they do 
send is automated (makes troubleshooting that much more 
difficult)

Thanks again for your help.


  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
  Sent: Thursday, September 01, 2005 1:03 PM
  To: Declude.JunkMail@declude.com
  Subject: Re: [Declude.JunkMail] What Header does Whitelist file use?
  
  One other thing...
  
  Make sure you have a carriage return at the end 
  of the file. If there isn't one on the last line, the last line will not 
  be used.
  Darin.
  
  
  - Original Message - 
  From: Darin Cox 
  To: Declude.JunkMail@declude.com 
  
  Sent: Thursday, September 01, 2005 4:01 PM
  Subject: Re: [Declude.JunkMail] What Header does Whitelist file 
  use?
  
  This may be an issue where the FROM listed in the 
  email is different from the MAILFROM address found in the 
  envelope.
  
  If so, putting SWITCHRECIP ON in your 
  Declude Global.cfg should fix it. You can read more about this config 
  option in the Declude Junkmail manual.
  Darin.
  
  
  - Original Message - 
  From: Agid, 
  Corby 
  To: Declude.JunkMail@declude.com 
  
  Sent: Thursday, September 01, 2005 12:09 PM
  Subject: [Declude.JunkMail] What Header does Whitelist file 
  use?
  
  Hello, 
  I'm still having trouble whitelisting a few 
  incoming messages. Can you tell me, what part of incoming mail 
  does the whitelist trigger on? Should the reverse DNS domain or 
  the mail header, or the address listed in the To: list be used, or perhaps the 
  helo information.
  Below is an example of diagnostic from a message 
  recently received along with my whitelist entry. Do I need to 
  whitelist the reverse DNS (lunarpages.com) instead?
  My current whitelist entry: @tempager.com 
  HeaderCode: c020020c
  ReverseDNS: draco.lunarpages.com
  RemoteIP: 216.193.215.150
  Testname: WEIGHT10-29B
  MessageID: [EMAIL PROTECTED]
  Quename: D5b4810be01c401ae.SMD
  Sniffer:
  Headers:
  Received: from draco.lunarpages.com [216.193.215.150] by msx.renoairport.com with ESMTP
    (SMTPD32-8.15) id AB4810BE01C4; Mon, 29 Aug 2005 12:00:24 -0700
  Received: from localhost.int.lunarpages.com ([127.0.0.1] helo=draco.lunarpages.com)
    by draco.lunarpages.com with esmtp (Exim 4.50)
    id 1E9orj-00075B-Vq; Mon, 29 Aug 2005 12:00:19 -0700
  From: [EMAIL PROTECTED]
  Subject: TemPageR_Users Digest, Vol 7, Issue 5
  To: [EMAIL PROTECTED]
  Reply-To: [EMAIL PROTECTED]
  MIME-Version: 1.0
  Content-Type: text/plain; charset="us-ascii"
  Content-Transfer-Encoding: 7bit
  X-BeenThere: [EMAIL PROTECTED]
  X-Mailman-Version: 2.1.5p1
  Precedence: list
  List-Id: TemPageR User Group tempager_users_tempager.com.tempager.com
  List-Unsubscribe: http://tempager.com/mailman/listinfo/tempager_users_tempager.com,
    mailto:[EMAIL PROTECTED]
  List-Archive: /pipermail/tempager_users_tempager.com
  List-Post: mailto:[EMAIL PROTECTED]
  List-Help: mailto:[EMAIL PROTECTED]
  List-Subscribe: http://tempager.com/mailman/listinfo/tempager_users_tempager.com,
    mailto:[EMAIL PROTECTED]
  Sender: [EMAIL PROTECTED]
  Errors-To: [EMAIL PROTECTED]
  X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
  X-AntiAbuse: Primary Hostname - draco.lunarpages.com
  X-AntiAbuse: Original Domain - renoairport.com
  X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
  X-AntiAbuse: Sender Address Domain - tempager.com
  X-Source:
  X-Source-Args:
  X-Source-Dir:
  Message-Id: [EMAIL PROTECTED]
  


RE: [Declude.JunkMail] What Header does Whitelist file use?

2005-09-02 Thread Agid, Corby



Darin,

I'm still confused on what part of the message 
conversation would be compared to the whitelist entry. A message 
often has different values for the From Header and the envelope (not 
sure if I'm using the correct terms). The Reverse DNS is also different 
from the other two. Using the format of .sub.domain.com and 
@sub.domain.com, I would have to make six entries to cover all the bases, when 
probably the correct two would take care of it.

Suggestions?

BTW, are you with Declude or a helpful bystander?

Thanks again for your help and hope you are feeling better.

Corby


  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
  Sent: Thursday, September 01, 2005 7:49 PM
  To: Declude.JunkMail@declude.com
  Subject: Re: [Declude.JunkMail] What Header does Whitelist file use?
  
  Sorry, you're right... Sometimes when I'm under 
  the weather I switch things around...
  
  Have you checked the other suggestion... making 
  sure the last line has a carriage return afterwards?
  Darin.
  
  
  - Original Message - 
  From: Agid, 
  Corby 
  To: Declude.JunkMail@declude.com 
  
  Sent: Thursday, September 01, 2005 6:26 PM
  Subject: RE: [Declude.JunkMail] What Header does Whitelist file 
  use?
  
  Hi Darin,
  
  I just checked the manual regarding 
  the SWITCHRECIP ON. The description sounds like it 
  affects who the message is addressed to rather than where it comes from. 
  Am I missing something?
  
  Corby
  


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Thursday, September 01, 2005 1:02 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] What Header does Whitelist file use?

This may be an issue where the FROM listed in 
the email is different from the MAILFROM address found in the 
envelope.

If so, putting SWITCHRECIP ON in your 
Declude Global.cfg should fix it. You can read more about this config 
option in the Declude Junkmail manual.
Darin.


- Original Message - 
From: Agid, 
Corby 
To: Declude.JunkMail@declude.com 

Sent: Thursday, September 01, 2005 12:09 PM
Subject: [Declude.JunkMail] What Header does Whitelist file 
use?

Hello, 
I'm still having trouble whitelisting a few 
incoming messages. Can you tell me, what part of incoming mail 
does the whitelist trigger on? Should the reverse DNS domain or 
the mail header, or the address listed in the To: list be used, or perhaps 
the helo information.
Below is an example of diagnostic from a message 
recently received along with my whitelist entry. Do I need to 
whitelist the reverse DNS (lunarpages.com) instead?
My current whitelist entry: @tempager.com 
HeaderCode: c020020c
ReverseDNS: draco.lunarpages.com
RemoteIP: 216.193.215.150
Testname: WEIGHT10-29B
MessageID: [EMAIL PROTECTED]
Quename: D5b4810be01c401ae.SMD
Sniffer:
Headers:
Received: from draco.lunarpages.com [216.193.215.150] by msx.renoairport.com with ESMTP
  (SMTPD32-8.15) id AB4810BE01C4; Mon, 29 Aug 2005 12:00:24 -0700
Received: from localhost.int.lunarpages.com ([127.0.0.1] helo=draco.lunarpages.com)
  by draco.lunarpages.com with esmtp (Exim 4.50)
  id 1E9orj-00075B-Vq; Mon, 29 Aug 2005 12:00:19 -0700
From: [EMAIL PROTECTED]
Subject: TemPageR_Users Digest, Vol 7, Issue 5
To: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-BeenThere: [EMAIL PROTECTED]
X-Mailman-Version: 2.1.5p1
Precedence: list
List-Id: TemPageR User Group tempager_users_tempager.com.tempager.com
List-Unsubscribe: http://tempager.com/mailman/listinfo/tempager_users_tempager.com,
  mailto:[EMAIL PROTECTED]
List-Archive: /pipermail/tempager_users_tempager.com
List-Post: mailto:[EMAIL PROTECTED]
List-Help: mailto:[EMAIL PROTECTED]
List-Subscribe: http://tempager.com/mailman/listinfo/tempager_users_tempager.com,
  mailto:[EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]
Errors-To: [EMAIL PROTECTED]
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - draco.lunarpages.com
X-AntiAbuse: Original Domain - renoairport.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - tempager.com
X-Source:
X-Source-Args:
X-Source-Dir:
Message-Id: [EMAIL PROTECTED]



Re: [Declude.JunkMail] Suggestions on catching a spam message?

2005-09-02 Thread Scott Fisher

I agree with Andrew's #6

6) Not that *I* would do such a thing, but if *one* were to strobe the
/24 netblock that the message came from, you would see definite patterns
in the naming conventions and could certainly predict how the spammer is
going to change his domain names for the next spam runs.


- Original Message - 
From: Colbeck, Andrew [EMAIL PROTECTED]

To: Declude.JunkMail@declude.com
Sent: Friday, September 02, 2005 1:16 PM
Subject: RE: [Declude.JunkMail] Suggestions on catching a spam message?


Welcome to the list, Dave!

Sometimes the bad guys win.  Like virus detection, spam detection is
mostly a matter of reacting to the bad guys and blocking them, so they
do get some in.

If you try to achieve 100% spam blocking, you will devote your life to
it and you'll burn out after spending too much time finding false
positives and dealing with the resultant customer complaints.

A couple of points about this particular message:

1) I got one copy of it in my organization, too.  It scored 15 of 20 so
it passed.  The recipient didn't complain.

2) At the time it came in, the netblock was clean.  SPEWS2 is the only
RBL I know of that listed it at that point, and it still does.  Nobody
who has customers uses SPEWS2 to fight spam.  Most don't use SPEWS1 for
that matter.  There's been a thread about this in the last few days.

3) Sniffer hadn't seen the message yet, so it didn't trigger either.  I
still recommend Sniffer.

4) URI blacklisting hadn't seen the message yet, so it didn't trigger
either.  I still recommend URI blacklisting.

5) Snips of text like -mydomain.com? and myaddress@ in the MAILFROM
can be tested for, but must have a light weight or only be used in
combination with other tests.  VERP is commonly used by legitimate
mailers so that they can scrub their lists when an email account is
cancelled and they receive bounces, or scrub their list when a
legitimate subscriber reports them as spammers because they're too lazy
to unsubscribe.

6) Not that *I* would do such a thing, but if *one* were to strobe the
/24 netblock that the message came from, you would see definite patterns
in the naming conventions and could certainly predict how the spammer is
going to change his domain names for the next spam runs.

I've put them into my IP blacklist text file.

206.131.224.0/19 matched 206.131.224.0/19 SPEWS OffersCentral, see
http://spews.org/html/S1528.html Sep-02-2005

Along with the neighbours which have been there for a long time:

206.128.156.0/24 matched 206.128.156.0/24 SPEWS stubberfield, see
http://spews.org/ask.cgi?S359

206.131.243.0/24 matched 206.131.243.0/24 SPEWS elistmarketers, see
http://spews.org/ask.cgi?S1710


Andrew 8)



-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Dave 
Beckstrom

Sent: Friday, September 02, 2005 9:59 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Suggestions on catching a spam message?


Hi Everyone,

I just purchased declude two days ago.  I'm running Declude 
with message sniffer on a smartermail server.  So far, it is 
working very well.


The approach that I have been trying to take is to, wherever 
possible, avoid creating a custom filter entry to trap a 
specific email.  Below is an example of a spam email which 
slipped through this morning.  I sanitized the mail headers 
so any reference to myserver or mydomain or myaddress is 
where I replaced our details in the headers.


As you can see from the headers, there was very little wrong 
with this email that would enable us to score it high enough 
for it to be considered spam. 


I tag the subject at a score of 14.

At the bottom of this message is the actual body of the html email.
Obviously I could add a filter entry to look for 
agnheqe3.com and to delete or hold the message.  The 
problem with that approach, in my opinion, is it never ends. 
If they have 1000 different domains that means a 1000 filter 
entries. I hate filtering to block a specific email and I 
would rather block based upon a pattern common to all spam.


I am wondering if you have had any success on trapping emails 
like the one below?  What would you add or change to have 
caught this message?  The only thing I saw, that is common to 
spam, which I think I could filter on is the /track? in the 
URL.  I've seen a lot of spam that triggers various ASP or 
PHP or other programs in the IMG SRC tag which enables a 
spammer to verify that the email was opened and read.


What do you think?  How can I tighten up my filtering to 
catch an email such as the one below?


Do you guys forward spam to spamcop or other places to help 
with the RBLs?


Thanks!

Dave


 
Return-Path: 
[EMAIL PROTECTED] Fri Sep 02

07:34:48 2005
Received: from sip.agnheqe3.com [206.131.238.29] by 
myserver.mydomain.com with SMTP;

   Fri, 2 Sep 2005 07:34:48 -0500
MIME-Version: 1.0
X-Accept-Language: en
X-Priority: Normal
From: Energy Drink [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: 

RE: [Declude.JunkMail] Suggestions on catching a spam message?

2005-09-02 Thread Erik
I'll comment.  ;-)

invURIBL and Sniffer are very effective.  With these two alone we have
nearly removed ALL body/subject/header/etc... Filtering from Declude.  The
email that you questioned about and as Darrell pointed out, did fail
invURIBL on our system as well.

Erik


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darrell
([EMAIL PROTECTED])
Sent: Friday, September 02, 2005 7:55 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Suggestions on catching a spam message?


Dave, 

One of the biggest things you can do to help out, since you are already
running Sniffer, is look at adding URI filtering.  For example that domain is
currently listed in black.uribl.com. 

If you want to give URI filtering a try check out our site - 
http://www.invariantsystems.com (invURIBL). 

URI filtering is very effective.  Hopefully, others will comment on how well 
URI filtering is working for them as well. 

Darrell 

Dave Beckstrom writes: 

 
 Hi Everyone,
 
 I just purchased declude two days ago.  I'm running Declude with 
 message sniffer on a smartermail server.  So far, it is working very 
 well.
 
 The approach that I have been trying to take is to, wherever possible, 
 avoid creating a custom filter entry to trap a specific email.  Below 
 is an example of a spam email which slipped through this morning.  I 
 sanitized the mail headers so any reference to myserver or mydomain or 
 myaddress is where I replaced our details in the headers.
 
 As you can see from the headers, there was very little wrong with this 
 email that would enable us to score it high enough for it to be considered
spam.
 
 I tag the subject at a score of 14.
 
 At the bottom of this message is the actual body of the html email. 
 Obviously I could add a filter entry to look for agnheqe3.com and to 
 delete or hold the message.  The problem with that approach, in my 
 opinion, is it never ends. If they have 1000 different domains that 
 means a 1000 filter entries. I hate filtering to block a specific 
 email and I would rather block based upon a pattern common to all 
 spam.
 
 I am wondering if you have had any success on trapping emails like the 
 one below?  What would you add or change to have caught this message?  
 The only thing I saw, that is common to spam, which I think I could 
 filter on is the /track? in the URL.  I've seen a lot of spam that 
 triggers various ASP or PHP or other programs in the IMG SRC tag which 
 enables a spammer to verify that the email was opened and read.
 
 What do you think?  How can I tighten up my filtering to catch an 
 email such as the one below?
 
 Do you guys forward spam to spamcop or other places to help with the 
 RBLs?
 
 Thanks!
 
 Dave
 
 
  
 Return-Path: [EMAIL PROTECTED] Fri 
 Sep 02 07:34:48 2005
 Received: from sip.agnheqe3.com [206.131.238.29] by 
 myserver.mydomain.com with SMTP;
Fri, 2 Sep 2005 07:34:48 -0500
 MIME-Version: 1.0
 X-Accept-Language: en
 X-Priority: Normal
 From: Energy Drink [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: Nationwide Energy Drink Survey
 Date: Fri, 2 Sep 2005 04:08:28 EST
 Message-ID: q8tz5,[EMAIL PROTECTED]
 Content-Type: text/html; charset=ISO-8859-1
 Content-Transfer-Encoding: 7bit
 X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail 
 client [8008000e].
 X-RBL-Warning: SPFUNKNOWN: SPF returned UNKNOWN for this E-mail.
 X-RBL-Warning: Filter_Country: Message failed Filter_Country test 
 (line 223, weight 0)
 X-Note: 
 X-Note: Spam Score: [6]
 X-Note: Scan Time:07:35:08 on 02 Sep 2005
 X-Note: Spool File:   37143703.EML
 X-Note: Server Name:  sip.agnheqe3.com
 X-Note: SMTP Sender: [EMAIL PROTECTED]
 X-Note: Reverse DNS  IP: sip.agnheqe3.com [206.131.238.29]
 X-Note: Recipient(s): fwd[EMAIL PROTECTED]
 X-Note: Country Chain:UNITED STATES-destination
 X-Note: Failed Weights:   BADHEADERS [8], SPFUNKNOWN [1], Filter_Country
[0]
 X-Note:  
 
  
 
 
 html
 bodybr
 a 
 href=http://agnheqe3.com/track?e=3p5seppESTe4spEnBsK4I3YMp1m=6225115
 l=0
 img 
 src=http://agnheqe3.com/t?m=6225115l=3; border=0/abrbr
 img 
 src=http://agnheqe3.com/t?m=6225115l=2; border=0/abrbr
 a 
 href=http://agnheqe3.com/t?m=6225115l=4;
 img 
 src=http://agnheqe3.com/track?e=46UqH66PCSHeq6PD4qbeBnKu6zm=6225115l=1;
 border=0/abr
 brbrfont color='#ff' face='arial,helvetica'
 size='1'5;46UqH66PCSHeq6PD4qbeBnKu6z;6225115/font/body/html 
 
 ---
 [This E-mail scanned for viruses by Declude Virus]
 
 
 ---
 This E-mail came from the Declude.JunkMail mailing list.  To 
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type 
 unsubscribe Declude.JunkMail.  The archives can be found at 
 http://www.mail-archive.com.
 


 
Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  
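
An added example (not code from this thread or from Declude) that turns three ideas from the thread into light, combinable tests: the CIDR blocks in Andrew's IP blacklist, his point 5 about the recipient's address appearing in the MAILFROM, and Dave's "/track?" and IMG SRC query-string observation. The weights, the envelope sender and the HTML body are constructed assumptions; the sending IP, the CIDR blocks and the tag threshold of 14 are taken from the messages above.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# CIDR blocks quoted from Andrew's IP blacklist earlier in this thread.
IP_BLACKLIST = ["206.131.224.0/19", "206.128.156.0/24", "206.131.243.0/24"]
# Assumed weights, chosen so that no single light test reaches the threshold.
WEIGHTS = {"IPBLACKLIST": 10, "RCPT_IN_MAILFROM": 2, "TRACKING_URL": 3}
TAG_AT = 14  # Dave tags the subject at a score of 14


class UrlCollector(HTMLParser):
    """Collect (tag, url) pairs from href and src attributes."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.urls.append((tag, value))


def blacklisted_blocks(remote_ip):
    """Return every listed CIDR block that contains remote_ip."""
    ip = ipaddress.ip_address(remote_ip)
    return [b for b in IP_BLACKLIST if ip in ipaddress.ip_network(b)]


def recipient_in_mailfrom(mailfrom, recipient):
    """True when the recipient's local part and domain are both embedded in
    the local part of the envelope sender (a VERP-style return path)."""
    rcpt_local, _, rcpt_domain = recipient.lower().partition("@")
    sender_local = mailfrom.lower().rpartition("@")[0]
    if not rcpt_local or not rcpt_domain:
        return False
    return rcpt_local in sender_local and rcpt_domain in sender_local


def tracking_urls(html_body):
    """Return URLs that look like open/click trackers: a '/track' path with a
    query string, or any <img> whose src carries a query string."""
    collector = UrlCollector()
    collector.feed(html_body)
    collector.close()
    hits = []
    for tag, url in collector.urls:
        parts = urlsplit(url)
        track_path = parts.path.rstrip("/").endswith("/track") and bool(parts.query)
        img_beacon = tag == "img" and bool(parts.query)
        if track_path or img_beacon:
            hits.append(url)
    return hits


def score(remote_ip, mailfrom, recipient, html_body):
    """Return (total, failed_tests, tagged) for one message."""
    failed = {}
    if blacklisted_blocks(remote_ip):
        failed["IPBLACKLIST"] = WEIGHTS["IPBLACKLIST"]
    if recipient_in_mailfrom(mailfrom, recipient):
        failed["RCPT_IN_MAILFROM"] = WEIGHTS["RCPT_IN_MAILFROM"]
    if tracking_urls(html_body):
        failed["TRACKING_URL"] = WEIGHTS["TRACKING_URL"]
    total = sum(failed.values())
    return total, failed, total >= TAG_AT


# Constructed sample shaped like Dave's message; parameter values are made up.
SAMPLE_BODY = (
    '<html><body><a href="http://agnheqe3.com/track?e=CONSTRUCTED&amp;m=1&amp;l=0">'
    '<img src="http://agnheqe3.com/t?m=1&amp;l=3" border="0"></a><br>'
    '<img src="http://agnheqe3.com/logo.gif" border="0"></body></html>'
)
SAMPLE_MAILFROM = "bounce-myaddress-mydomain.com@agnheqe3.com"  # constructed
SAMPLE_RCPT = "myaddress@mydomain.com"                          # placeholder from the thread

if __name__ == "__main__":
    # Same message from the listed netblock and from a clean documentation IP.
    print(score("206.131.238.29", SAMPLE_MAILFROM, SAMPLE_RCPT, SAMPLE_BODY))
    print(score("192.0.2.10", SAMPLE_MAILFROM, SAMPLE_RCPT, SAMPLE_BODY))
```

From a clean address the two content tests alone stay well under the tag threshold, which is the behaviour Andrew asks for because legitimate mailers also use VERP and tracked links.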

Re: [Declude.JunkMail] What Header does Whitelist file use?

2005-09-02 Thread Darin Cox



Hi Corby,

The best way to determine explicitly what it's 
using is to add a custom header to the email. There are several you may find 
useful, but the one I'm referring to can be added by adding a line 
like

XINHEADER X-Note: FROM: %MAILFROM%

to your Global.cfg file. We add several 
headers for diagnostic purposes...

XINHEADER X-Note: Total spam weight of this E-mail is %WEIGHT%.
XINHEADER X-Note: Spam Tests Failed: %TESTSFAILEDWITHWEIGHTS%
XINHEADER X-Note: REMOTEIP: %REMOTEIP%
XINHEADER X-Note: REVDNS: %REVDNS%
XINHEADER X-Note: FROM: %MAILFROM%
XINHEADER X-Note: TO: %RECIPHOST%

The FROM address that will be reported there 
is exactly what Declude would use when checking against your 
whitelists.

REVDNS is almost always a different domain than the 
sending address, since most email domains are hosted on common servers. 
While you may have reason to block or whitelist on REVDNS, which would be a 
different test completely, the FROM whitelist would only need the two entries 
you specify.

BTW, though we've been calling it whitelisting, it 
is generally recommended to use the "whitelists" as negative weights instead of 
true whitelists. That way if something is really bad (i.e. bad enough that 
your negative weight doesn't keep it from being tagged, held, or deleted), then 
it is still detected. True whitelisting would let it through no matter how 
bad it was.

We hold on a weight of 100 and delete on 300, and 
have three FROM "whitelists" defined like

FROMWHITELIST_LOW fromfile C:\IMail\Declude\fromwhitelist_low.txt x -100 0
FROMWHITELIST_MED fromfile C:\IMail\Declude\fromwhitelist_med.txt x -200 0
FROMWHITELIST_HIGH fromfile C:\IMail\Declude\fromwhitelist_high.txt x -500 0

We also have FROM blacklists, IP white and black 
lists, content-based white and black lists, and test-specific counterweights 
that match against MAILFROM and/or REVDNS. We favor adding to 
the counterweight tests first, then FROM whitelists, and finally IP whitelists, 
though you could argue the order of the last two.

Just another list member..been using IMail for 5 years or so, and Declude for 
about 3.5 years now.

Thanks, man.
Darin.


- Original Message - 
From: Agid, Corby 

To: Declude.JunkMail@declude.com 

Sent: Friday, September 02, 2005 3:03 PM
Subject: RE: [Declude.JunkMail] What Header does Whitelist file 
use?

Darin,

I'm still confused on what part of the message 
conversation would be compared to the whitelist entry. A message 
often has different values for the From Header and the envelope (not 
sure if I'm using the correct terms). The Reverse DNS is also different 
from the other two. Using the format of .sub.domain.com and 
@sub.domain.com, I would have to make six entries to cover all the bases, when 
probably the correct two would take care of it.

Suggestions?

BTW, are you with Declude or a helpful bystander?

Thanks again for your help and hope you are feeling better.

Corby


  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
  Sent: Thursday, September 01, 2005 7:49 PM
  To: Declude.JunkMail@declude.com
  Subject: Re: [Declude.JunkMail] What Header does Whitelist file use?
  
  Sorry, you're right... Sometimes when I'm under 
  the weather I switch things around...
  
  Have you checked the other suggestion... making 
  sure the last line has a carriage return afterwards?

  Darin.
  
  
  - Original Message - 
  From: Agid, 
  Corby 
  To: Declude.JunkMail@declude.com 
  
  Sent: Thursday, September 01, 2005 6:26 PM
  Subject: RE: [Declude.JunkMail] What Header does Whitelist file 
  use?
  
  Hi Darin,
  
  I just checked the manual regarding 
  the SWITCHRECIP ON. The description sounds like it 
  affects who the message is addressed to rather than where it comes from. 
  Am I missing something?
  
  Corby
  


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Thursday, September 01, 2005 1:02 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] What Header does Whitelist file use?

This may be an issue where the FROM listed in 
the email is different from the MAILFROM address found in the 
envelope.

If so, putting SWITCHRECIP ON in your 
Declude Global.cfg should fix it. You can read more about this config 
option in the Declude Junkmail manual.
Darin.


- Original Message - 
From: Agid, 
Corby 
To: Declude.JunkMail@declude.com 

Sent: Thursday, September 01, 2005 12:09 PM
Subject: [Declude.JunkMail] What Header does Whitelist file 
use?

Hello, 
I'm still having trouble whitelisting a few 
incoming messages. Can you tell me, what part of incoming mail 
does the whitelist trigger on? Should the reverse DNS domain or 
the mail header, or the address listed in the To: list be used, or perhaps 
the helo information.
Below is an example of 
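
An added example (not code from this thread or from Declude) of the points made in the message above: the list is compared with the envelope MAILFROM, a last line without a line terminator is not used, and a negative weight still lets a very high score be held or deleted where a true whitelist would not. The suffix-matching rule, the -100 counterweight and the sample addresses and scores are assumptions constructed for illustration; the hold-at-100 and delete-at-300 thresholds are the ones Darin states.

```python
"""Model of a FROM "whitelist" used as a negative weight (illustrative only)."""

HOLD_AT = 100          # thresholds stated in Darin's message
DELETE_AT = 300
COUNTERWEIGHT = -100   # assumed weight for a "low" FROM whitelist


def load_entries(raw):
    """Split the text of a list file into (used, ignored) entries.

    Per the thread, a last line with no line terminator is not used, so it
    is reported separately instead of being silently dropped.
    """
    used, ignored = [], []
    for line in raw.splitlines(keepends=True):
        entry = line.strip().lower()
        if not entry:
            continue
        if line.endswith(("\r", "\n")):
            used.append(entry)
        else:
            ignored.append(entry)
    return used, ignored


def matches(entry, address):
    """Assumed rule: case-insensitive suffix match, so '@sub.domain.com'
    covers that exact domain and '.sub.domain.com' covers hosts below it."""
    return address.lower().endswith(entry)


def action(total):
    """Map a final weight to the action taken at Darin's thresholds."""
    if total >= DELETE_AT:
        return "delete"
    if total >= HOLD_AT:
        return "hold"
    return "deliver"


def evaluate(mailfrom, spam_weight, entries, true_whitelist=False):
    """Return (action, final_weight) for one message.

    Only the envelope sender (MAILFROM) is compared with the list; the
    From: header and the reverse DNS name play no part in this test.
    """
    hit = any(matches(e, mailfrom) for e in entries)
    if hit and true_whitelist:
        return "deliver", spam_weight   # delivered however bad the score is
    total = spam_weight + (COUNTERWEIGHT if hit else 0)
    return action(total), total


# Constructed list file: the second entry has no trailing CR/LF.
SAMPLE_FILE = "@tempager.com\r\n.tempager.com"
# Constructed envelope senders (the real ones are redacted on this page).
LIST_SENDER = "users-bounces@tempager.com"
HOST_SENDER = "mailman@draco.lunarpages.com"

if __name__ == "__main__":
    used, ignored = load_entries(SAMPLE_FILE)
    print("used:", used, "ignored:", ignored)
    for sender, weight in [(LIST_SENDER, 150), (LIST_SENDER, 450), (HOST_SENDER, 150)]:
        print(sender, weight,
              "negative weight:", evaluate(sender, weight, used),
              "true whitelist:", evaluate(sender, weight, used, true_whitelist=True))
```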

Re: [Declude.JunkMail] Suggestions on catching a spam message?

2005-09-02 Thread Matt




The first one of these hit my system at about 8:30 a.m. From the first
dozen, two passed and 10 failed a score of 13 (my minimum weight to
block the message for most domains). By 11:30 a.m. messages from this
class C were being picked up by MailPolice, SURBL, Sniffer and SpamCop
and they have been scoring 75 or more ever since (I don't run custom
filters after the score reaches 25 in most cases, so it probably would
have been over 100).

IMO, it's often not worth it to spend time dealing with high volume
sources as they will often be picked up before you can react to them.
This guy is 2 for 29 so far today on what was a clean block, though I
was already giving Minerva's IP space a few points for being a
notorious Spam supporter.

Matt



Colbeck, Andrew wrote:

  Welcome to the list, Dave!

Sometimes the bad guys win.  Like virus detection, spam detection is
mostly a matter of reacting to the bad guys and blocking them, so they
do get some in.

If you try to achieve 100% spam blocking, you will devote your life to
it and you'll burn out after spending too much time finding false
positives and dealing with the resultant customer complaints.

A couple of points about this particular message:

1) I got one copy of it in my organization, too.  It scored 15 of 20 so
it passed.  The recipient didn't complain.

2) At the time it came in, the netblock was clean.  SPEWS2 is the only
RBL I know of that listed it at that point, and it still does.  Nobody
who has customers uses SPEWS2 to fight spam.  Most don't use SPEWS1 for
that matter.  There's been a thread about this in the last few days.

3) Sniffer hadn't seen the message yet, so it didn't trigger either.  I
still recommend Sniffer.

4) URI blacklisting hadn't seen the message yet, so it didn't trigger
either.  I still recommend URI blacklisting.

5) Snips of text like "-mydomain.com?" and "myaddress@" in the MAILFROM
can be tested for, but must have a light weight or only be used in
combination with other tests.  VERP is commonly used by legitimate
mailers so that they can scrub their lists when an email account is
cancelled and they receive bounces, or scrub their list when a
legitimate subscriber reports them as spammers because they're too lazy
to unsubscribe.

6) Not that *I* would do such a thing, but if *one* were to strobe the
/24 netblock that the message came from, you would see definite patterns
in the naming conventions and could certainly predict how the spammer is
going to change his domain names for the next spam runs.

I've put them into my IP blacklist text file.

206.131.224.0/19 matched 206.131.224.0/19 SPEWS OffersCentral, see
http://spews.org/html/S1528.html Sep-02-2005

Along with the neighbours which have been there for a long time:

206.128.156.0/24 matched 206.128.156.0/24 SPEWS stubberfield, see
http://spews.org/ask.cgi?S359

206.131.243.0/24 matched 206.131.243.0/24 SPEWS elistmarketers, see
http://spews.org/ask.cgi?S1710


Andrew 8)


  
  
-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] On Behalf Of Dave 
Beckstrom
Sent: Friday, September 02, 2005 9:59 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Suggestions on catching a spam message?


Hi Everyone,

I just purchased declude two days ago.  I'm running Declude 
with message sniffer on a smartermail server.  So far, it is 
working very well.

The approach that I have been trying to take is to, wherever 
possible, avoid creating a custom filter entry to trap a 
specific email.  Below is an example of a spam email which 
slipped through this morning.  I sanitized the mail headers 
so any reference to myserver or mydomain or myaddress is 
where I replaced our details in the headers.

As you can see from the headers, there was very little wrong 
with this email that would enable us to score it high enough 
for it to be considered spam. 

I tag the subject at a score of 14.

At the bottom of this message is the actual body of the html email.
Obviously I could add a filter entry to look for 
"agnheqe3.com" and to delete or hold the message.  The 
problem with that approach, in my opinion, is it never ends. 
If they have 1000 different domains that means a 1000 filter 
entries. I hate filtering to block a specific email and I 
would rather block based upon a pattern common to all spam.

I am wondering if you have had any success on trapping emails 
like the one below?  What would you add or change to have 
caught this message?  The only thing I saw, that is common to 
spam, which I think I could filter on is the "/track?" in the 
URL.  I've seen a lot of spam that triggers various ASP or 
PHP or other programs in the IMG SRC tag which enables a 
spammer to verify that the email was opened and read.

What do you think?  How can I tighten up my filtering to 
catch an email such as the one below?

Do you guys forward spam to spamcop or other places to help 
with the RBLs?

Thanks!

Dave


 
Return-Path: 
[EMAIL PROTECTED] Fri Sep 02

[Declude.JunkMail] Paradise.net.nz

2005-09-02 Thread John Tolmachoff \(Lists\)
Any comments about this ISP?

It was in my bad mail file and I can not find why it was put in there.

John T
eServices For You




Re: [Declude.JunkMail] Imail 8.2

2005-09-02 Thread Don Brown
We upgraded to 8.21 and experienced an extremely slow smtp.  It got so
bad that connecting MTA's were giving up and retrying, when the message
was actually received but Imail was too slow to acknowledge it.

We rolled back to 8.15. That was on a box running 2003 WEB edition.
We've since tested (o.k.) on 2000 Server (Std) and will be building a 2003
Server (Std) box for test/implementation.

The tech at Ipswitch said they hadn't seen our issue before, but he
didn't think the diff between Web and Std editions would make any
difference, either.


Friday, September 2, 2005, 11:37:47 AM, Timothy Bohen [EMAIL PROTECTED] wrote:
TB Ok of course I upgraded and never thought to check this mailing
TB list, I'm trying to catch up, but what are the issues with Declude
TB and Imail 8.2? Should I disable declude?

TB Big reason I'm asking is I'm getting slow delivery, wondering if
TB this is because of 8.2 and declude not getting along?? I'm running Declude
TB 2.0.5 Thanks

TB  
TB __ __ __ __
TB Sent via the CMS Internet Webmail system at mail1.cmsinter.net


TB  
TB




Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED]   http://www.inetconcepts.net
(972) 788-2364Fax: (972) 788-5049




[Declude.JunkMail] Sniffer Question

2005-09-02 Thread Kevin Rogers
I just setup Sniffer for the first time and I'm wondering what people 
have their external test weight set to.  My global.cfg came with a 
sniffer test already configured (though it was commented out) to have a 
weight of 7, which actually gives it a weight of 8 for some reason I 
couldn't figure out.  If you haven't made up your own weighting system 
(some people have their weights go up to 300 or more), what's a good 
weight for a failed sniffer test?  At 10, I put messages into a bulk 
folder, at 17 I hold them.


Thanks

---
[This E-mail was scanned for viruses.]



RE: [Declude.JunkMail] Sniffer Question

2005-09-02 Thread John Tolmachoff (Lists)
Best thing is to ask on the Sniffer List.

I actually have 17 Sniffer tests based upon exit code, with weights ranging
from 15 to 35. I hold at 25 and delete at 35.

John T
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of Kevin Rogers
 Sent: Friday, September 02, 2005 4:37 PM
 To: Declude.JunkMail@declude.com
 Subject: [Declude.JunkMail] Sniffer Question
 
 I just setup Sniffer for the first time and I'm wondering what people
 have their external test weight set to.  My global.cfg came with a
 sniffer test already configured (though it was commented out) to have a
 weight of 7, which actually gives it a weight of 8 for some reason I
 couldn't figure out.  If you haven't made up your own weighting system
 (some people have their weights go up to 300 or more), what's a good
 weight for a failed sniffer test?  At 10, I put messages into a bulk
 folder, at 17 I hold them.
 
 Thanks
 


Re: [Declude.JunkMail] Sniffer Question

2005-09-02 Thread gbirdsall
Personally, my sniffer is set to 2/3 of my hold weight, that test really
doesn't give me trouble as long as I keep my .snf file updated.

I'm curious as to what other people do as well.

- greg



 I just setup Sniffer for the first time and I'm wondering what people
 have their external test weight set to.  My global.cfg came with a
 sniffer test already configured (though it was commented out) to have a
 weight of 7, which actually gives it a weight of 8 for some reason I
 couldn't figure out.  If you haven't made up your own weighting system
 (some people have their weights go up to 300 or more), what's a good
 weight for a failed sniffer test?  At 10, I put messages into a bulk
 folder, at 17 I hold them.

 Thanks



[Declude.JunkMail] EServices Autowhite?

2005-09-02 Thread Dave Beckstrom
Does anyone happen to know how Eservice's autowhite program validates its
license key against the official host name?  Does it compare to an IMAIL
registry key or does it look somewhere else?

I run smartermail and I'm wondering if I add the IMAIL registry keys that
contain the OHN if it wouldn't fake out Autowhite and allow it to work with
smartermail?

I emailed John a few times but I've not heard back from him and I'd kind of
like to get this going.

Thanks,

Dave




Re: [Declude.JunkMail] Sniffer Question

2005-09-02 Thread Dave Doherty
John, does that mean sniffer runs 17 times on each message, or does it return 
multiple codes?


- Original Message - 
From: John Tolmachoff (Lists) [EMAIL PROTECTED]

To: Declude.JunkMail@declude.com
Sent: Friday, September 02, 2005 8:02 PM
Subject: RE: [Declude.JunkMail] Sniffer Question



Best thing is to ask on the Sniffer List.

I actually have 17 Sniffer tests based upon exit code, with weights ranging
from 15 to 35. I hold at 25 and delete at 35.

John T
eServices For You



-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of Kevin Rogers
Sent: Friday, September 02, 2005 4:37 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Sniffer Question

I just setup Sniffer for the first time and I'm wondering what people
have their external test weight set to.  My global.cfg came with a
sniffer test already configured (though it was commented out) to have a
weight of 7, which actually gives it a weight of 8 for some reason I
couldn't figure out.  If you haven't made up your own weighting system
(some people have their weights go up to 300 or more), what's a good
weight for a failed sniffer test?  At 10, I put messages into a bulk
folder, at 17 I hold them.

Thanks



RE: [Declude.JunkMail] EServices AutoWhite?

2005-09-02 Thread John Tolmachoff (Lists)
I have responded to each e-mail, including the one you sent 15 minutes ago. 

On the phone on Wednesday, I did explain that AutoWhite is not tested in a
SmarterMail configuration.

AutoWhite for Declude does indeed look at the Imail registry for the OHN.

John T
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of Dave Beckstrom
 Sent: Thursday, September 01, 2005 10:32 AM
 To: Declude.JunkMail@declude.com
 Subject: [Declude.JunkMail] EServices Autowhite?
 
 Does anyone happen to know how Eservice's autowhite program validates its
 license key against the official host name?  Does it compare to an IMAIL
 registry key or does it look somewhere else?
 
 I run smartermail and I'm wondering if I add the IMAIL registry keys that
 contain the OHN if it wouldn't fake out Autowhite and allow it to work with
 smartermail?
 
 I emailed John a few times but I've not heard back from him and I'd kind of
 like to get this going.
 
 Thanks,
 
 Dave
 
 


RE: [Declude.JunkMail] Sniffer Question

2005-09-02 Thread John Tolmachoff (Lists)
In the Global.cfg, as long as the Sniffer call line is the same except for
the return code area, Declude will only call Sniffer once and compare the
exit code to those configured.

John T
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of Dave Doherty
 Sent: Friday, September 02, 2005 5:19 PM
 To: Declude.JunkMail@declude.com
 Subject: Re: [Declude.JunkMail] Sniffer Question
 
 John, does that mean sniffer runs 17 times on each message, or does it return
 multiple codes?
 
 - Original Message -
 From: John Tolmachoff (Lists) [EMAIL PROTECTED]
 To: Declude.JunkMail@declude.com
 Sent: Friday, September 02, 2005 8:02 PM
 Subject: RE: [Declude.JunkMail] Sniffer Question
 
 
  Best thing is to ask on the Sniffer List.
 
  I actually have 17 Sniffer tests based upon exit code, with weights
  ranging
  from 15 to 35. I hold at 25 and delete at 35.
 
  John T
  eServices For You
 
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
  [EMAIL PROTECTED] On Behalf Of Kevin Rogers
  Sent: Friday, September 02, 2005 4:37 PM
  To: Declude.JunkMail@declude.com
  Subject: [Declude.JunkMail] Sniffer Question
 
  I just setup Sniffer for the first time and I'm wondering what people
  have their external test weight set to.  My global.cfg came with a
  sniffer test already configured (though it was commented out) to have a
  weight of 7, which actually gives it a weight of 8 for some reason I
  couldn't figure out.  If you haven't made up your own weighting system
  (some people have their weights go up to 300 or more), what's a good
  weight for a failed sniffer test?  At 10, I put messages into a bulk
  folder, at 17 I hold them.
 
  Thanks
 


Re[2]: [Declude.JunkMail] Sniffer Question

2005-09-02 Thread Pete McNeil
Sorry to butt in - can't resist... ;-)

The test will run only once, but it will be evaluated for each
possible result (Declude is smart that way). You might even have more
than one test use SNF and add weight.. for example, SNIFFER ...
nonzero and SNFSPECIFIC ... result.

Many folks and the AI systems we've been experimenting with tend to
put the SNF weight at about 70% of the hold weight.

Hope this helps,

_M

On Friday, September 2, 2005, 8:19:11 PM, Dave wrote:

DD John, does that mean sniffer runs 17 times on each message, or does it return
DD multiple codes?

DD - Original Message - 
DD From: John Tolmachoff (Lists) [EMAIL PROTECTED]
DD To: Declude.JunkMail@declude.com
DD Sent: Friday, September 02, 2005 8:02 PM
DD Subject: RE: [Declude.JunkMail] Sniffer Question


 Best thing is to ask on the Sniffer List.

 I actually have 17 Sniffer tests based upon exit code, with weights
 ranging
 from 15 to 35. I hold at 25 and delete at 35.

 John T
 eServices For You


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of Kevin Rogers
 Sent: Friday, September 02, 2005 4:37 PM
 To: Declude.JunkMail@declude.com
 Subject: [Declude.JunkMail] Sniffer Question

 I just setup Sniffer for the first time and I'm wondering what people
 have their external test weight set to.  My global.cfg came with a
 sniffer test already configured (though it was commented out) to have a
 weight of 7, which actually gives it a weight of 8 for some reason I
 couldn't figure out.  If you haven't made up your own weighting system
 (some people have their weights go up to 300 or more), what's a good
 weight for a failed sniffer test?  At 10, I put messages into a bulk
 folder, at 17 I hold them.

 Thanks

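The behaviour described in the replies above (one external run, the cached exit code compared against every configured test line, weights summed and checked against the action thresholds), modelled as an added Python sketch. It is not Declude or Sniffer code and not from any poster: the class, the function names, the placeholder command line and the weights 12 and 5 are assumptions, while the thresholds (bulk at 10, hold at 17), the test names and exit codes 56 and 87 are taken from the thread.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class ExternalTest:
    name: str      # label of the test line (names follow the thread)
    command: str   # external call; lines with the same command share one run
    match: str     # "nonzero", or one specific exit code such as "56"
    weight: int    # weight added when the exit code matches


def evaluate(tests: List[ExternalTest],
             run: Callable[[str], int],
             actions: List[Tuple[int, str]]) -> dict:
    """Score one message: run each distinct command once, reuse its exit code."""
    exit_codes: Dict[str, int] = {}   # command -> cached exit code
    fired: List[str] = []
    total = 0
    for test in tests:
        if test.command not in exit_codes:
            exit_codes[test.command] = run(test.command)
        code = exit_codes[test.command]
        if test.match == "nonzero":
            hit = code != 0
        else:
            hit = code == int(test.match)
        if hit:
            fired.append(test.name)
            total += test.weight
    # The highest threshold reached decides the action.
    action = "deliver"
    for threshold, name in sorted(actions):
        if total >= threshold:
            action = name
    return {"weight": total, "fired": fired, "action": action}


# Constructed configuration. 12 is roughly 70% of the hold weight of 17,
# so a generic Sniffer hit alone lands in bulk but is not held.
SNF_CALL = "sniffer.exe <authcode>"   # placeholder, not a real command line
TESTS = [
    ExternalTest("SNIFFER", SNF_CALL, "nonzero", 12),
    ExternalTest("SNFSPECIFIC", SNF_CALL, "56", 5),
]
ACTIONS = [(10, "bulk"), (17, "hold")]


def demo(exit_code: int) -> dict:
    """Evaluate TESTS against a fake scanner that returns exit_code."""
    calls: List[str] = []

    def fake_run(command: str) -> int:
        calls.append(command)
        return exit_code

    result = evaluate(TESTS, fake_run, ACTIONS)
    result["calls"] = len(calls)   # how often the scanner was actually run
    return result


if __name__ == "__main__":
    for code in (0, 87, 56):
        print(code, demo(code))
```
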


Re: [Declude.JunkMail] Sniffer Question

2005-09-02 Thread Dave Doherty

Thanks.


- Original Message - 
From: John Tolmachoff (Lists) [EMAIL PROTECTED]

To: Declude.JunkMail@declude.com
Sent: Friday, September 02, 2005 8:49 PM
Subject: RE: [Declude.JunkMail] Sniffer Question


In the Global.cfg, as long as the Sniffer call line is the same except for
the return code area, Declude will only call Sniffer once and compare the
exit code to those configured.

John T
eServices For You



-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of Dave Doherty
Sent: Friday, September 02, 2005 5:19 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Sniffer Question

John, does that mean sniffer runs 17 times on each message, or does it return
multiple codes?

- Original Message -
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Friday, September 02, 2005 8:02 PM
Subject: RE: [Declude.JunkMail] Sniffer Question


 Best thing is to ask on the Sniffer List.

 I actually have 17 Sniffer tests based upon exit code, with weights
 ranging
 from 15 to 35. I hold at 25 and delete at 35.

 John T
 eServices For You


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of Kevin Rogers
 Sent: Friday, September 02, 2005 4:37 PM
 To: Declude.JunkMail@declude.com
 Subject: [Declude.JunkMail] Sniffer Question

 I just setup Sniffer for the first time and I'm wondering what people
 have their external test weight set to.  My global.cfg came with a
 sniffer test already configured (though it was commented out) to have a
 weight of 7, which actually gives it a weight of 8 for some reason I
 couldn't figure out.  If you haven't made up your own weighting system
 (some people have their weights go up to 300 or more), what's a good
 weight for a failed sniffer test?  At 10, I put messages into a bulk
 folder, at 17 I hold them.

 Thanks



Re: [Declude.JunkMail] Sniffer Question

2005-09-02 Thread Darrell ([EMAIL PROTECTED])
It runs Sniffer once and caches the exit code comparing it to the other 
identical sniffer calls with different return codes.


Darrell

---
invURIBL - Intelligent URI Filtering.  Stops 85%+ SPAM with the default
configuration. Download a copy today - http://www.invariantsystems.com

- Original Message - 
From: Dave Doherty [EMAIL PROTECTED]

To: Declude.JunkMail@declude.com
Sent: Friday, September 02, 2005 8:19 PM
Subject: Re: [Declude.JunkMail] Sniffer Question


John, does that mean sniffer runs 17 times on each message, or does it 
return multiple codes?


- Original Message - 
From: John Tolmachoff (Lists) [EMAIL PROTECTED]

To: Declude.JunkMail@declude.com
Sent: Friday, September 02, 2005 8:02 PM
Subject: RE: [Declude.JunkMail] Sniffer Question



Best thing is to ask on the Sniffer List.

I actually have 17 Sniffer tests based upon exit code, with weights ranging
from 15 to 35. I hold at 25 and delete at 35.

John T
eServices For You



-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of Kevin Rogers
Sent: Friday, September 02, 2005 4:37 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Sniffer Question

I just setup Sniffer for the first time and I'm wondering what people
have their external test weight set to.  My global.cfg came with a
sniffer test already configured (though it was commented out) to have a
weight of 7, which actually gives it a weight of 8 for some reason I
couldn't figure out.  If you haven't made up your own weighting system
(some people have their weights go up to 300 or more), what's a good
weight for a failed sniffer test?  At 10, I put messages into a bulk
folder, at 17 I hold them.

Thanks



Re: [Declude.JunkMail] Sniffer Question

2005-09-02 Thread Kevin Rogers
Thanks for all your help.   I'll refer to the Sniffer list in the 
future.  But for the moment - I was wondering what the other Sniffer 
tests would look like in your global.cfg file. 


How do you test for certain return codes?

Also, what criteria are you using for these return codes (in other 
words, how have you figured to add a certain weight to return code 56, 
and a different weight to return code 87 for example)?


Thanks




John Tolmachoff (Lists) wrote:


Best thing is to ask on the Sniffer List.

I actually have 17 Sniffer tests based upon exit code, with weights ranging
from 15 to 35. I hold at 25 and delete at 35.

John T
eServices For You


 


-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of Kevin Rogers
Sent: Friday, September 02, 2005 4:37 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Sniffer Question

I just setup Sniffer for the first time and I'm wondering what people
have their external test weight set to.  My global.cfg came with a
sniffer test already configured (though it was commented out) to have a
weight of 7, which actually gives it a weight of 8 for some reason I
couldn't figure out.  If you haven't made up your own weighting system
(some people have their weights go up to 300 or more), what's a good
weight for a failed sniffer test?  At 10, I put messages into a bulk
folder, at 17 I hold them.

Thanks



[Declude.JunkMail] Declude Temp Folder backing up.

2005-09-02 Thread Dave Beckstrom
Hi everyone,

First I want to thank all of you who responded to my earlier question about
catching the spam that was missed.  I adopted some of the suggestions and I
appreciate all of the good advice that was offered.  You guys know your
stuff!

I wanted to respond to you all but unfortunately I've been swamped.

The reason I'm behind on responding to my email is I've been fighting
problems with email all day.

The first problem I discovered is that Declude is blocking large
attachments.  I have more testing to do yet to figure out why.  I disabled
anti-virus and all of my custom filters in an attempt to narrow down the
cause of the problem.  If I disable Declude the attachments will go through.
With Declude in place, if the attachments are larger, they do not go
through.

However, before I was able to solve the above problem I discovered another
problem which was more urgent and is why I'm emailing you now to see if you
might have some ideas.

Apparently Declude will move email to a spool/proc directory when it gets
behind.  I found 17,000 messages in that directory. I de-installed Declude
and then I moved those messages back into the spool and they processed and
were delivered okay.

Here is what the Declude manual says:

===

Overflow System for SmarterMail - An overflow process (like the IMail
version) has been added. IMail follows the recommendation from Microsoft
that states that a limit of 30 processes should not be exceeded. By default
Smartermail will not be able to run more than 25 processes.

* If Declude runs and finds that there are more processes running than
allowed, it will move the email to a temp storage area and exit.
* If Declude runs and finds that there are less than the allowed
processes running and there are emails in that temp storage, it will process
them.

This means during high volume some email may be temporally delayed but
Declude will process them when it finds itself running during lower volume.

=

Okay, here is my question  -- I currently have 12 emails sitting in the
spool being processed for delivery.  When I look in the PROC directory,
which is what Declude uses for the overflow directory in smartermail, I have
95 messages that are sitting in there.  The PROC directory is growing, too.

With smartermail being fairly idle why would Declude not process those
messages in the PROC directory?  Why are they queueing in there to begin
with?

There must be some setting that needs to be changed.  I assume having to do
with the number of processes.


Thoughts?

Thanks,

Dave




---
[This E-mail scanned for viruses by Declude Virus]




RE: [Declude.JunkMail] EServices AutoWhite?

2005-09-02 Thread Dave Beckstrom
John,

I just found 17,000 messages backed up in my spool/proc directory.  I have
yet to do some research and find out if that is a smartermail directory or
perhaps the declude overflow directory.  I moved them back into the spool
and the 17,000 messages just went through.

There were 26 messages to the declude list that I didn't receive until just
a minute ago.  Your responses were part of what I didn't receive.  

Okay...what I need is for someone to export their imail registry branch with
the key that has the OHN.  What I can do then is put my OHN in that key and
import it into my registry.  I don't use IMAIL but autowhite won't know
that.  If it finds the OHN in the imail key and it matches my license then I
should be able to get past this first hurdle and find out if there is any
other reason it won't work in a smartermail environment.

Can someone send me that branch please?



 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
 Sent: Friday, September 02, 2005 7:33 PM
 To: Declude.JunkMail@declude.com
 Subject: RE: [Declude.JunkMail] EServices AutoWhite?
 
 I have responded to each e-mail, including the one you sent 15 minutes
 ago.
 
 On the phone on Wednesday, I did explain that AutoWhite is not tested in a
 SmarterMail configuration.
 
 AutoWhite for Declude does indeed look at the Imail registry for the OHN.
 
 John T
 eServices For You
 
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
  [EMAIL PROTECTED] On Behalf Of Dave Beckstrom
  Sent: Thursday, September 01, 2005 10:32 AM
  To: Declude.JunkMail@declude.com
  Subject: [Declude.JunkMail] EServices Autowhite?
 
  Does anyone happen to know how Eservice's autowhite program validates its
  license key against the official host name?  Does it compare to an IMAIL
  registry key or does it look somewhere else?
 
  I run smartermail and I'm wondering if I add the IMAIL registry keys that
  contain the OHN if it wouldn't fake out Autowhite and allow it to work with
  smartermail?
 
  I emailed John a few times but I've not heard back from him and I'd kind of
  like to get this going.
 
  Thanks,
 
  Dave
 
 


Re: [Declude.JunkMail] Sniffer Question

2005-09-02 Thread Darrell ([EMAIL PROTECTED])

Kevin,

Here is a post to the archive which has an example:
http://www.mail-archive.com/declude.junkmail@declude.com/msg15084.html

Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail Queue Monitoring, Declude Overflow Queue Monitoring, SURBL/URI 
integration, MRTG Integration, and Log Parsers.


- Original Message - 
From: Kevin Rogers [EMAIL PROTECTED]

To: Declude.JunkMail@declude.com
Sent: Friday, September 02, 2005 9:41 PM
Subject: Re: [Declude.JunkMail] Sniffer Question


Thanks for all your help.   I'll refer to the Sniffer list in the future. 
But for the moment - I was wondering what the other Sniffer tests would 
look like in your global.cfg file.

How do you test for certain return codes?

Also, what criteria are you using for these return codes (in other words, 
how have you figured to add a certain weight to return code 56, and a 
different weight to return code 87 for example)?


Thanks




John Tolmachoff (Lists) wrote:


Best thing is to ask on the Sniffer List.

I actually have 17 Sniffer tests based upon exit code, with weights ranging
from 15 to 35. I hold at 25 and delete at 35.

John T
eServices For You




-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of Kevin Rogers
Sent: Friday, September 02, 2005 4:37 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Sniffer Question

I just setup Sniffer for the first time and I'm wondering what people
have their external test weight set to.  My global.cfg came with a
sniffer test already configured (though it was commented out) to have a
weight of 7, which actually gives it a weight of 8 for some reason I
couldn't figure out.  If you haven't made up your own weighting system
(some people have their weights go up to 300 or more), what's a good
weight for a failed sniffer test?  At 10, I put messages into a bulk
folder, at 17 I hold them.

Thanks



RE: [Declude.JunkMail] Declude Temp Folder backing up.

2005-09-02 Thread Dave Beckstrom
I have a theory.  I found the Declude process counter tool and I ran it.  It
showed an average between 0 - 2 Declude process running.  I shut down as
much other stuff as I could and the PROC folder began clearing out.  As soon
as I reenabled invURIBL and Message Sniffer the PROC queue began to fill.  

I suspect because of the number of processes running with those additional
tests spawning their own processes?

Is there a parameter somewhere that I can set to override this process limit
that Declude is enforcing?  I'd like to test my theory.

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of Dave Beckstrom
 Sent: Friday, September 02, 2005 8:46 PM
 To: Declude.JunkMail@declude.com
 Subject: [Declude.JunkMail] Declude Temp Folder backing up.
 
 Hi everyone,
 
 First I want to thank all of you who responded to my earlier question about
 catching the spam that was missed.  I adopted some of the suggestions and I
 appreciate all of the good advice that was offered.  You guys know your
 stuff!
 
 I wanted to respond to you all but unfortunately I've been swamped.
 
 The reason I'm behind on responding to my email is I've been fighting
 problems with email all day.
 
 The first problem I discovered is that Declude is blocking large
 attachments.  I have more testing to do yet to figure out why.  I disabled
 anti-virus and all of my custom filters in an attempt to narrow down the
 cause of the problem.  If I disable Declude the attachments will go through.
 With Declude in place, if the attachments are larger, they do not go
 through.
 
 However, before I was able to solve the above problem I discovered another
 problem which was more urgent and is why I'm emailing you now to see if you
 might have some ideas.
 
 Apparently Declude will move email to a spool/proc directory when it gets
 behind.  I found 17,000 messages in that directory.  I de-installed Declude
 and then I moved those messages back into the spool and they processed and
 were delivered okay.
 
 Here is what the Declude manual says:
 
 ===
 
 Overflow System for SmarterMail - An overflow process (like the IMail
 version) has been added. IMail follows the recommendation from Microsoft
 that states that a limit of 30 processes should not be exceeded. By default
 Smartermail will not be able to run more than 25 processes.
 
 * If Declude runs and finds that there are more processes running than
   allowed, it will move the email to a temp storage area and exit.
 * If Declude runs and finds that there are less than the allowed
   processes running and there are emails in that temp storage, it will
   process them.
 
 This means during high volume some email may be temporally delayed but
 Declude will process them when it finds itself running during lower volume.
 
 =
 
 Okay, here is my question -- I currently have 12 emails sitting in the
 spool being processed for delivery.  When I look in the PROC directory,
 which is what Declude uses for the overflow directory in smartermail, I have
 95 messages that are sitting in there.  The PROC directory is growing, too.
 
 With smartermail being fairly idle why would Declude not process those
 messages in the PROC directory?  Why are they queueing in there to begin
 with?
 
 There must be some setting that needs to be changed.  I assume having to do
 with the number of processes.
 
 Thoughts?
 
 Thanks,
 
 Dave
 
 
 
 


---
[This E-mail scanned for viruses by Declude Virus]
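
The overflow rules quoted from the manual, and the symptom described in this thread (a near-idle spool while the PROC directory keeps growing), as an added example that is not part of any poster's message and is not Declude's own code. It encodes the two manual rules and flags a stalled overflow queue from periodic message counts; the function names, thresholds and sample readings are assumptions, and the readings are constructed.

```python
"""Added example: flag a stalled Declude-style overflow (PROC) queue."""
import os
from dataclasses import dataclass

PROCESS_LIMIT = 25  # SmarterMail default, from the manual text quoted in the thread


def overflow_action(running: int, overflow_count: int, limit: int = PROCESS_LIMIT) -> str:
    """Apply the two rules from the quoted manual text."""
    if running > limit:
        return "move-to-overflow"       # over the limit: park the message and exit
    if running < limit and overflow_count > 0:
        return "drain-overflow"         # under the limit with a backlog: process it
    return "process-normally"           # assumption: the manual does not cover other cases


@dataclass
class Sample:
    minute: int    # minutes since monitoring started
    spool: int     # messages waiting in the spool
    overflow: int  # messages waiting in the overflow (PROC) directory


def count_messages(directory: str) -> int:
    """Count files directly inside a queue directory; subfolders such as work/ are skipped."""
    with os.scandir(directory) as entries:
        return sum(1 for entry in entries if entry.is_file())


def detect_stall(samples, idle_spool=20, min_growth=10, window=3):
    """Return the first Sample that ends `window` consecutive increases of the
    overflow count (at least `min_growth` in total) while the spool stayed at or
    below `idle_spool`; return None if that never happens."""
    for i in range(window, len(samples)):
        recent = samples[i - window:i + 1]
        growing = all(b.overflow > a.overflow for a, b in zip(recent, recent[1:]))
        idle = all(s.spool <= idle_spool for s in recent)
        if growing and idle and recent[-1].overflow - recent[0].overflow >= min_growth:
            return recent[-1]
    return None


# Constructed readings. The first pair of numbers (12 in the spool, 95 in PROC)
# is the situation described in the thread; the rest are made up.
STALLED = [Sample(0, 12, 95), Sample(5, 10, 110), Sample(10, 14, 131), Sample(15, 11, 150)]
# Constructed readings for a burst that drains on its own once volume drops.
DRAINING = [Sample(0, 300, 95), Sample(5, 250, 60), Sample(10, 120, 20), Sample(15, 15, 0)]

if __name__ == "__main__":
    for name, series in (("stalled", STALLED), ("draining", DRAINING)):
        hit = detect_stall(series)
        print(name, "->", f"stall at minute {hit.minute}" if hit else "no stall")
```

On a live server the readings would come from calling `count_messages` on the spool and PROC directories on a timer, with the thresholds tuned to that server's normal volume.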




Re: [Declude.JunkMail] Declude Temp Folder backing up.

2005-09-02 Thread Darrell \([EMAIL PROTECTED])

Dave,

What is the CPU like of your box with the external tests enabled?  Is your 
CPU at 100%?


Darrell
---
DLAnalyzer - Comprehensive reporting on Declude Junkmail and Virus. Download 
it today - http://www.invariantsystems.com


- Original Message - 
From: Dave Beckstrom [EMAIL PROTECTED]

To: Declude.JunkMail@declude.com
Sent: Friday, September 02, 2005 10:09 PM
Subject: RE: [Declude.JunkMail] Declude Temp Folder backing up.


I have a theory.  I found the Declude process counter tool and I ran it.  It
showed an average between 0 - 2 Declude processes running.  I shut down as
much other stuff as I could and the PROC folder began clearing out.  As soon
as I reenabled invURIBL and Message Sniffer the PROC queue began to fill.

I suspect because of the number of processes running with those additional
tests spawning their own processes?

Is there a parameter somewhere that I can set to override this process limit
that Declude is enforcing?  I'd like to test my theory.




RE: [Declude.JunkMail] Declude Temp Folder backing up.

2005-09-02 Thread Dave Beckstrom
Darrell,

It averages between 25% - 40% with occasional spikes to about 80%.



 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
 Sent: Friday, September 02, 2005 9:20 PM
 To: Declude.JunkMail@declude.com
 Subject: Re: [Declude.JunkMail] Declude Temp Folder backing up.
 
 Dave,
 
 What is the CPU like of your box with the external tests enabled?  Is your
 CPU at 100%?
 
 Darrell
 ---
 DLAnalyzer - Comprehensive reporting on Declude Junkmail and Virus.
 Download it today - http://www.invariantsystems.com
 

[Declude.JunkMail] Declude 3.0.3 update

2005-09-02 Thread Webmaster - GlobalWeb.net
We installed the latest 3.0.3 beta tonight; the decludeproc service shot to 99% 
of CPU and stayed there for 15 minutes.  During this time we accumulated over 
1000 items in the proc folder; nothing was going out.

Anyone else experienced this?

We stopped/re-started the decludeproc service, as well as the SMTPd32 and 
Queuemgr and no change for the better.

We had same experience when trying to load the initial 3.0 beta.

Had to revert back to the 2.0.6.16 again.

Randy Armbrecht
Global Web Solutions, Inc. 


Re: [Declude.JunkMail] Declude 3.0.3 update

2005-09-02 Thread Darrell \([EMAIL PROTECTED])

Randy,

One issue I found with 3.0.3 that has been reported to Declude is that the 
work directory is not created by default or at least it was not on my 
system.  Make sure you have a work directory - if not create it (i.e. 
/spool/proc/work).


Also, they are investigating another issue where the service would go to 
sleep when messages exist in the proc directory instead of continuing to 
process them.  This may be related to a multiprocessor machine, but this is 
not confirmed.


Other than that 3.0.3 went in and installed fine and appears to be working 
well with the exception of the sleep issue I mentioned above.  I am 
confident that the sleep issue will be resolved fairly quickly.


Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail Queue Monitoring, Declude Overflow Queue Monitoring, SURBL/URI 
integration, MRTG Integration, and Log Parsers.


- Original Message - 
From: Webmaster - GlobalWeb.net [EMAIL PROTECTED]

To: Declude.JunkMail@declude.com
Sent: Friday, September 02, 2005 11:11 PM
Subject: [Declude.JunkMail] Declude 3.0.3 update


We installed the latest 3.0.3 beta tonight; the decludeproc service shot 
to 99% of CPU and stayed there for 15 minutes.  During this time we 
accumulated over 1000 items in the proc folder; nothing was going out.


Anyone else experienced this?

We stopped/re-started the decludeproc service, as well as the SMTPd32 and 
Queuemgr and no change for the better.


We had same experience when trying to load the initial 3.0 beta.

Had to revert back to the 2.0.6.16 again.

Randy Armbrecht
Global Web Solutions, Inc.


Re: [Declude.JunkMail] Declude Temp Folder backing up.

2005-09-02 Thread Matt




Dave,

A couple of questions. First off, what is your average daily volume of
E-mail on your server? Secondly, what is your CPU and hard drive
configuration? Thirdly, what version of Declude are you running?
Lastly, when you login as admin and go to Settings  General
Settings, what is your Delivery Delay set to?

To answer your question more directly, there is a way to control the
number of processes that Declude can spawn, but based on what you have
said, this isn't likely the issue, and the default is fine for all but
the busiest installations.

Matt



Dave Beckstrom wrote:

I have a theory.  I found the Declude process counter tool and I ran it.  It
showed an average between 0 - 2 Declude processes running.  I shut down as
much other stuff as I could and the PROC folder began clearing out.  As soon
as I reenabled invURIBL and Message Sniffer the PROC queue began to fill.  

I suspect because of the number of processes running with those additional
tests spawning their own processes?

Is there a parameter somewhere that I can set to override this process limit
that Declude is enforcing?  I'd like to test my theory.

  
  


  





Re: [Declude.JunkMail] EServices Autowhite?

2005-09-02 Thread Sanford Whiteman
 Does anyone happen to know how Eservice's autowhite program
 validates its license key against the official host name? Does it
 compare to an IMAIL registry key or does it look somewhere else?

It uses the IMail top-level hostname from the registry, like old
versions of Declude.

 I run smartermail and I'm wondering if I add the IMAIL registry
 keys that contain the OHN if it wouldn't fake out Autowhite and
 allow it to work with smartermail?

You will probably need to add the virtual host keys as well, but you
certainly will be able to fake it out using the Registry alone. No
IMail EXEs will be necessary to install.

--Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
  http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases!
  http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/
  http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/
