[Declude.JunkMail] blacklist file
Newbie question here

Using Declude 3.05 on IMAIL.

I want to blacklist email addresses so that when a spammer sends an email to my server, the email does not go through to my end users.

My global.cfg file has the following line:

BLACKLIST fromfile C:\IMAIL\Declude\Filters\blacklist.txt x 20 0

My blacklist.txt file has the following entry:

BLACKLIST FROM @mastercardconfirm.com

Is the above syntax correct for blocking email addresses/domains?

Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.com
E: [EMAIL PROTECTED]
RE: [Declude.JunkMail] blacklist file
Craig:

I am not aware of BLACKLIST filter name. In Declude filtering is done in 2 steps. First test definition and then the action on the test.

In general:

Global statement is where you define the tests
$default$.junkmail is where you take actions

For example in a case like yours:

Test definition in the global statement:

BLACKLIST filter C:\IMAIL\Declude\Filters\blacklist.txt x 20 0

Then blacklist.txt entry: Add the following to your blacklist.txt file.

MAILFROM 0 ENDSWITH @mastercardconfirm.com

Then an entry in your $default$.junkmail

BLACKLIST DELETE

If you want to delete an email without any other considerations and you are sure that email is to be killed then why not add it to IMail's kill list? You can simply add that to the kill.lst file and it will do the same before it even hits Declude.

The good thing about Declude is its flexibility - you can do this a number of different ways and this is one of those ways.

Regards,
- Kami

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Edmonds
Sent: Tuesday, February 21, 2006 5:44 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] blacklist file
Importance: High
Sensitivity: Confidential
RE: [Declude.JunkMail] Banks (and Ebay) Phising Filters
Kami,

Thank you for the files; this is great! We can use this and customize for us.

Thank you,
Erik

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan
Sent: Monday, February 20, 2006 10:40 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Banks (and Ebay) Phising Filters

Erik:

We have a set of filters as follows:

- Phish_Body_bankName.txt
- Phish_Body_words.txt
- Phish_Header_Bankname.txt
- Phish_TestsFailed.txt

Hope it is not a problem to send zip files (3k) to the list.

[PHISH.EXCEPTION.PAYPAL] filter C:\IMail\Declude\Filters\Phish_Exception_PayPal.txt x 0 0
[PHISH.HEADER.BANKNAME] filter C:\IMail\Declude\Filters\Phish_HEADER_BankName.txt x 0 0
[PHISH.BODY.BANKNAME] filter C:\IMail\Declude\Filters\Phish_Body_BankName.txt x 0 0
[PHISH.BODY.WORDS] filter C:\IMail\Declude\Filters\Phish_Body_Words.txt x 0 0
[PHISH.ATTEMPT] filter C:\IMail\Declude\Filters\Phish_TestsFailed.txt x 1000 0

I reroute any weight of 1000 and more to the admin account for review with PHISH in the subject.

WEIGHT-REDIRECT-FRAUD-S SUBJECT [PHISH: %WEIGHT%]
WEIGHT-REDIRECT-FRAUD-R ROUTETO [EMAIL PROTECTED]

So far we have not had any false positives. A few happened when people were using ebay response to ask seller options. So we wrote an exception filter. It works like a charm.

We are seeing now clean IP's and new tactics, like using:

@secure-chase.com

Our filters were looking for @chase.com - so this is a new set of changes I am making as I am seeing them.

Hope this helps.

Regards,
- Kami

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Erik
Sent: Friday, February 17, 2006 6:32 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Banks (and Ebay) Phising Filters

Help from you all:

We've set up the following individual filters for major banks that are phishing scams (and ebay.com).

Do you see any problems with using the following (we mark as SPAM at weight 70):

HEADERS END NOTCONTAINS wellsfargo.com
BODY 0 CONTAINS .wellsfargo.com
SUBJECT 30 CONTAINS account
REVDNS 50 NOTENDSWITH .wellsfargo.com
#Give weight back for users that forward or use reply for REAL email from wellsfargo.com
SUBJECT -40 STARTSWITH re:
SUBJECT -40 STARTSWITH fwd:
SUBJECT -40 STARTSWITH fw:

Citibank uses different REVDNS from what we've noticed. The envelope from is generally @citibank.com and the REVDNS is .ssmb.com OR .citibank.com or .citicorp.com

How do you all deal with this? Same with SearsCard.com... they are also Citibank and coming from ssmb.com

---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
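The two matching problems raised in this thread, the @secure-chase.com lookalike that a filter looking for @chase.com misses and Citibank mail legitimately arriving from several reverse-DNS domains, worked through in Python as an added example. This is not Declude code or anything posted to the list; the function names, the chase.com reverse-DNS entry and the lookalike weight are assumptions, and the sample messages are constructed.

```python
import re

# Constructed brand table. The sender and reverse-DNS domains are those named
# in the thread; the chase.com reverse-DNS entry is an assumption.
BRANDS = {
    "chase": {"sender": ["chase.com"], "revdns": ["chase.com"]},
    "citibank": {"sender": ["citibank.com"],
                 "revdns": ["ssmb.com", "citibank.com", "citicorp.com"]},
    "wellsfargo": {"sender": ["wellsfargo.com"], "revdns": ["wellsfargo.com"]},
}

SPAM_THRESHOLD = 70    # "we mark as SPAM at weight 70"
REVDNS_WEIGHT = 50     # weight of the REVDNS line in the posted filter
SUBJECT_WEIGHT = 30    # weight of the SUBJECT "account" line in the posted filter
LOOKALIKE_WEIGHT = 50  # assumed weight, not taken from the thread


def under(host, domain):
    """True if host is the domain itself or a subdomain of it.

    Matching on a label boundary is why list entries are prefaced with
    "." or "@": a bare suffix test would also accept evilssmb.com.
    """
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def sender_domain(address):
    """Domain part of an envelope sender address."""
    return address.rsplit("@", 1)[-1].lower().rstrip(".")


def classify_sender(address):
    """Return ("brand" | "lookalike" | "unrelated", brand_name_or_None)."""
    domain = sender_domain(address)
    for brand, cfg in BRANDS.items():
        if any(under(domain, d) for d in cfg["sender"]):
            return ("brand", brand)
    # Split labels on anything that is not a letter, so secure-chase.com
    # yields the token "chase" while purchase.com does not.
    tokens = set(re.split(r"[^a-z]+", domain))
    for brand in BRANDS:
        if brand in tokens:
            return ("lookalike", brand)
    return ("unrelated", None)


def score(envelope_from, revdns, subject):
    """Weight for one message, modelled on the weighted tests in the thread."""
    verdict, brand = classify_sender(envelope_from)
    if brand is None:
        return 0
    weight = 0
    if verdict == "lookalike":
        weight += LOOKALIKE_WEIGHT
    # One brand may send from several reverse-DNS domains (Citibank via ssmb.com).
    if not any(under(revdns, d) for d in BRANDS[brand]["revdns"]):
        weight += REVDNS_WEIGHT
    if "account" in subject.lower():
        weight += SUBJECT_WEIGHT
    return weight


def is_spam(envelope_from, revdns, subject):
    return score(envelope_from, revdns, subject) >= SPAM_THRESHOLD


# Constructed sample messages: (envelope from, reverse DNS, subject).
SAMPLES = [
    ("billing@citibank.com", "smtp2.ssmb.com", "Your account statement"),
    ("billing@citibank.com", "dsl-10-2-3.example.net", "Verify your account"),
    ("alerts@secure-chase.com", "host.example.net", "Account notice"),
    ("news@purchase.com", "host.example.net", "Account offers"),
]

if __name__ == "__main__":
    for sender, rdns, subject in SAMPLES:
        print(sender, rdns, score(sender, rdns, subject),
              is_spam(sender, rdns, subject))
```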
RE: [Declude.JunkMail] Banks (and Ebay) Phising Filters
Scott,

So Clam AV detects these? We do have Declude AV but not the PRO version, and I think only this version can use multiple AV programs? We use the standard with F-PROT.

Erik

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Sunday, February 19, 2006 8:18 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Banks (and Ebay) Phising Filters

If you have Declude Virus, and can afford the CPU time... The best phish beater I have is Clam AV and PRESCAN ON.

With bank consolidations, using the reverse dns can be dicey.
Re: [Declude.JunkMail] SKIPIFWEIGHT - RUNIFWEIGHT?
I do not think this would work - WEIGHT and WEIGHTRANGE tests run last. [I think!]

As Scott suggested the only way I believe is to use the SKIPIFWEIGHT directive. For me it would sure be nice if we could use variables in the filter files eg IF %WEIGHT% xx ELSE END sort of thingy..

-Nick

Chris Haycox wrote:

Kami,

You should be able to say something like:

TESTSFAILED END NOTCONTAINS WEIGHT50
TESTSFAILED END CONTAINS WEIGHT65
...rest of filter, etc.

Also, make sure that WEIGHT50 and WEIGHT65, or whatever weight value range you want to "RUNIFWEIGHT" at are real tests themselves, as defined in global.cfg as a standard weight test.

-Chris

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kami Razvan
Sent: Monday, February 20, 2006 11:39 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] SKIPIFWEIGHT - RUNIFWEIGHT?

Hi;

Is there any way one can run a test if the weight, at the time the filter is run, is above a certain point and below a certain point?

I know we can skip tests if a certain weight is reached but it seems like we can not run a test only if the weight is above a certain level.

This can be handy as a final test/review to push an email to delete in cases of extreme violation of all rules..

Regards,
- Kami
AW: [Declude.JunkMail] blacklist file
hi,

according to the manual (http://www.declude.com/Version/Manuals/JunkMail/JM_3.0.5.asp) "6.9 Your own sender blacklists" you need some file (blacklist.txt) with the addresses you want to block. this file needs lines like:

@mastercardconfirm.com bad adress
[EMAIL PROTECTED] spams my folders
badserver.com spamsending server

please note that you need an address AND a reason in every line.

the next thing is a line in your global cfg like:

BLACKLIST fromfile C:\IMAIL\Declude\Filters\blacklist.txt x 20 0

this would punish every mail that was sent by an address that is in your blacklist.txt with a weight of 20 points (so this would only block the mail if you hold mails with a weight of 20 or more).

if you want to block the mail right away you need a line in your $default$.junkmail like

BLACKLIST HOLD

or

BLACKLIST DELETE

another way to block mails by the sender address is imail itself. there should be something like a "SMTP inbound kill list" (i have something like that in my imail 7.14).

hope it helps

best regards from germany

mfg
i.a.
gez. markus guhl
***
lds nrw
ref. 241
tel.: 0211 9449 6947
fax.: 0211 9449 8344
mailto:[EMAIL PROTECTED]
***

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Edmonds
Sent: Tuesday, February 21, 2006 11:44
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] blacklist file
Importance: High
Sensitivity: Confidential
Re: [Declude.JunkMail] blacklist file
Did the reason become a requirement in 2.0 or 3.0? It isn't required in versions prior to 2.0.

Darin.

----- Original Message -----
From: Guhl, Markus (LDS)
To: Declude.JunkMail@declude.com
Sent: Tuesday, February 21, 2006 9:08 AM
Subject: AW: [Declude.JunkMail] blacklist file
Re: [Declude.JunkMail] blacklist file
Remove the "BLACKLIST FROM " text from the blacklist.txt file and it should work fine.

Darin.

----- Original Message -----
From: Craig Edmonds
To: Declude.JunkMail@declude.com
Sent: Tuesday, February 21, 2006 5:44 AM
Subject: [Declude.JunkMail] blacklist file
RE: [Declude.JunkMail] blacklist file
There's a manual for Declude? Where? hahaha joking...

I don't think the "manual" has been updated since the 14th Century. Every time we've needed to look up a statement in Declude from searching on the list that others are using, it's not in the "manual".

A product should have a manual. Declude lacks in this. A manual needs to go with "a working" product.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guhl, Markus (LDS)
Sent: Tuesday, February 21, 2006 3:09 PM
To: Declude.JunkMail@declude.com
Subject: AW: [Declude.JunkMail] blacklist file
Sensitivity: Confidential
AW: [Declude.JunkMail] blacklist file
hi darin,

maybe my english isn't good enough. by reading it again it looks like a blank-reason is possible (all versions). it's a german habit to follow the written word.

mfg
i.a.
gez. markus guhl
***
lds nrw
ref. 241
tel.: 0211 9449 6947
fax.: 0211 9449 8344
mailto:[EMAIL PROTECTED]
***

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Tuesday, February 21, 2006 15:26
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] blacklist file
Re: [Declude.JunkMail] blacklist file
Gotcha. Just making sure it wasn't a new requirement. We're hoping to hear 3.0 is stable enough in the near future to upgrade. From what I hear IMail 2006.03 may be stable enough to upgrade.

Darin.

----- Original Message -----
From: Guhl, Markus (LDS)
To: Declude.JunkMail@declude.com
Sent: Tuesday, February 21, 2006 9:39 AM
Subject: AW: [Declude.JunkMail] blacklist file
Re: [Declude.JunkMail] blacklist file
No. The fromfile format is:

@mastercardconfirm.com

This will also not catch [EMAIL PROTECTED], so sometimes you'll need .mastercardconfirm.com. I always preface with a period or @.

----- Original Message -----
From: Craig Edmonds
To: Declude.JunkMail@declude.com
Sent: Tuesday, February 21, 2006 4:44 AM
Subject: [Declude.JunkMail] blacklist file
Re: [Declude.JunkMail] Banks (and Ebay) Phising Filters
You do need the Pro version to run more than one scanner. It's the best thing about Virus Pro... Also nice if you get a set of bad definitions or a scanner stops working, the other scanners will cover.

With PRESCAN ON, Mcafee Virusscan catches some phish. Clamav catches most phish.

----- Original Message -----
From: Erik [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Tuesday, February 21, 2006 7:27 AM
Subject: RE: [Declude.JunkMail] Banks (and Ebay) Phising Filters
Re: [Declude.JunkMail] Banks (and Ebay) Phising Filters
----- Original Message -----
From: Scott Fisher [EMAIL PROTECTED]

> You do need the Pro version to run more than one scanner. It's the best thing about Virus Pro... Also nice if you get a set of bad definitions or a scanner stops working, the other scanners will cover.
>
> With PRESCAN ON, Mcafee Virusscan catches some phish. Clamav catches most phish.

Actually, you would need to have PRESCAN OFF in order to catch most phish e-mails with Declude. Otherwise, Declude Virus PRESCANs all messages and finds that most phish messages contain nothing worth scanning and thus bypasses the virus scanners.

Bill
Re: [Declude.JunkMail] Banks (and Ebay) Phising Filters
Aaarrgg. Good catch Bill.

----- Original Message -----
From: Bill Landry [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Tuesday, February 21, 2006 12:03 PM
Subject: Re: [Declude.JunkMail] Banks (and Ebay) Phising Filters
RE: [Declude.JunkMail] imail to smartermail migration
I moved some of the domains I host in Imail to Smartermail. I run 17 domains and 230 users in Smartermail running Declude Antivirus and Junkmail. I took me half day to figure out how the migration tool works and how to migrate domains from time to time and not all at once. The migration worked almost fine. I don't use IMAP. I don't recall exactly but I remember having problems with some alias since I did rename a couple of domains prior to the migration and then rename them back in smartermail. Nothing to worry about.. But I don't recall what it was exactly. I followed instructions to install declude under smartermail and it was pretty easy to setup. I used same configuration I used in Imail (copy paste files), making sure I changed paths to reflect new smartermail paths in the declude necessary config files. Some Declude actions doesn't work in Smartermail. Declude can give you details about it, or you can read their product manuals. They will tell you what features or actions don't work in smartermail. My opinion. 1. I am very happy with the webmail interface and webmail administration. My users are more than happy with it. 2. Domain administrators have said that they feel they have a powerful administration tool (webmail interface) 3. To understand how it works is not that hard. But it nees time and dedication to get hold of all the important details within the server in order to administer Smartermail properly. 4. I am not exactly thrill about their logs. They use 3 logs (POP, SMTP and Delivery -probably they have Imap log, but I don't use it-). In my personal opinion, Imail delivered far better and deeper information in their logs. Declude logs are fully compatible with smartermail logs in order to track down a message. Very useful. 5. Smartermail version 3 has now more new and innovative features than Imail. Obviously there are some that only Imail has, but for me Smartermail now does the job. 6. 
Smartermail support team is very open to suggestions and to help you out with problems. I am still hesitating on moving the remaining base of users and domains, primaraly because of some administration features I require to better administer my domains and userbase, something I am asking Smartermail to consider. Secondly because I am afraid Smartermail cannot handle the load I require, which seems to be pretty small, but I haven't had the chance to read or talk to any one using Smartermail with the load I use to confirm how stable it is. Imail has been very trustable and stable since the time I first installed it 4 years ago, I process 40K messages per day (About 4000 users and 300 plus domains). If you have specific questions just shoot. I will be more than happy to answer them. Regards -Luis Arango -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Timothy C. Bohen Sent: Lunes, 20 de Febrero de 2006 11:46 a.m. To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] imail to smartermail migration I figure this is one of the better places to get real 3rd party opinions on this topic. I'm getting more and more fedup with Imail, I was hoping 2006 would improve things but from the sounds of it, it may be worse then 8.x. Who has made the move from imail/declude to smartermail/declude? How did it go? Whats your opinion post move? I can go into my problems with imail, but I have so many I'm not sure where to start. But here are some of the big ones. - Slow performance - Real bad webmail performance -Weird behavior, SMTP stops randomly, queue pileups occur randomly - Bugginess of new versions is scary.. Thanks --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. 
Re: [Declude.JunkMail] Banks (and Ebay) Phising Filters
BTW, if you are running ClamAV, and want to take full advantage of its phish catching capabilities, you might want to take a look at adding the phish signature file that Steve Basford put together (see the attached e-mail for details). I have been running them for a few weeks, and they are quite awesome. Steve periodically updates the phish signatures, as well, so check regularly for an updated file.

Bill

----- Original Message -----
From: Scott Fisher [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Tuesday, February 21, 2006 10:14 AM
Subject: Re: [Declude.JunkMail] Banks (and Ebay) Phising Filters

Aaarrgg. Good catch Bill.

----- Original Message -----
From: Bill Landry [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Tuesday, February 21, 2006 12:03 PM
Subject: Re: [Declude.JunkMail] Banks (and Ebay) Phising Filters

----- Original Message -----
From: Scott Fisher [EMAIL PROTECTED]

You do need the Pro version to run more than one scanner. It's the best thing about Virus Pro... Also nice if you get a set of bad definitions or a scanner stops working, the other scanners will cover. With PRESCAN ON, McAfee VirusScan catches some phish. ClamAV catches most phish.

Actually, you would need to have PRESCAN OFF in order to catch most phish e-mails with Declude. Otherwise, Declude Virus PRESCANs all messages and finds that most phish messages contain nothing worth scanning and thus bypasses the virus scanners.

Bill

---BeginMessage---

Can someone please tell me how ClamAV goes about phishing detection? I presume it has something to do with libcurl going out to a web site and some checks being performed on whatever is returned.

Not normally... most phishing detection is done by matching text/html that is common, looks odd or bad spelling in the email.

We have had several phishes get through -- most appear to be Google, About, or eBay redirects, such as: href=http://www.google.com/url?sa=Uq=http://81.196.204.130:82/webscr/index.php; (A PayPal phish.)

Well, the above is just using Google to re-direct to the phishing site. I think they count on the people hovering the mouse over the link, seeing Google and then trusting the site, which you normally wouldn't do.

Sites were hot at the time the messages were received, so either my concept of how ClamAV blocks phishing is wrong or the detection method is not as generic as I would have thought.

Generic phishing signatures can be done... but... they are very difficult to get right, without any false positives.

Also, I would add that I have submitted a few of these phishes to ClamAV's virus submission and they all seem to get discarded without comment.

Basically, ClamAV is there to protect you from viruses, Trojans and then phishing attempts (roughly in that order). Signature makers are very busy doing virus signatures... after all, I'd much prefer to have a virus stopped than a phishing attempt.

Having said that, I've come up with my own un-official signatures, designed to catch phishing attempts that ClamAV official signatures let through. Not everyone will want to use them... after all, do you trust me to do signatures? (Just in case this helps... I've been part of the Windows SpamPal Anti-Spam support team for the last two or three years, see: http://www.spampal.org/credits.html)

Anyway, to grab the un-official signatures, go to the site here and download the phish.ndb file and place it in the same directory as your daily.cvd file: http://www.sanesecurity.com/clamav/

There's also a pdf file there, showing how I put a signature together.

For what it's worth, I would certainly still submit your phishing emails to the ClamAV team and I would also suggest submitting the emails to this phishing tracker site: http://www.dslreports.com/phishtrack

Cheers,
Steve

___
http://lurker.clamav.net/list/clamav-users.html

---End Message---
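The redirect trick discussed in the message above (a link whose visible host is a search engine but whose query string carries the real destination) can be flagged mechanically. The Python sketch below is an added example, not code from the thread, from ClamAV or from the phish.ndb signatures; the function names, the two risk rules and the sample body (which uses a documentation-range IP address) are assumptions constructed for illustration.

```python
import html
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample body: one link wrapped in a redirector that lands on a
# raw IP address (documentation range), and one ordinary link.
SAMPLE_BODY = (
    '<a href="http://www.google.com/url?sa=U&amp;q='
    'http://192.0.2.10:82/webscr/index.php">Confirm your account</a> '
    '<a href="https://www.example.com/help?topic=billing">Help</a>'
)
HREF_RE = re.compile(r'href\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)

def nested_targets(url, depth=0, max_depth=3):
    """Yield URLs carried in the query parameters of url, following nesting."""
    if depth >= max_depth:
        return
    for _name, value in parse_qsl(urlsplit(url).query):
        if value.lower().startswith(("http://", "https://")):
            yield value
            yield from nested_targets(value, depth + 1, max_depth)

def risk_reasons(url):
    """Reasons the hidden destination looks unlike a normal branded site."""
    parts = urlsplit(url)
    reasons = []
    try:
        ipaddress.ip_address(parts.hostname or "")
        reasons.append("ip-literal-host")
    except ValueError:
        pass  # host is a DNS name (or missing)
    try:
        if parts.port not in (None, 80, 443):
            reasons.append("non-standard-port")
    except ValueError:
        reasons.append("invalid-port")
    return reasons

def find_suspicious_links(body):
    """Return (visible_host, hidden_target, reasons) for each risky redirect."""
    findings = []
    for raw in HREF_RE.findall(body):
        href = html.unescape(raw)  # mail HTML usually encodes & as &amp;
        for target in nested_targets(href):
            reasons = risk_reasons(target)
            if reasons:
                findings.append((urlsplit(href).hostname, target, reasons))
    return findings
```

Redirects that land on an ordinary DNS name over a standard port are deliberately not reported, since legitimate mail uses such wrappers too.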