[Declude.JunkMail] Somewhat OT: HiJack and mailing lists
I work for an ISP and we have a few users who like to send out weekly menu updates, inspirational messages, forwarded jokes, etc. Occasionally these users are getting caught by Hijack. Since the stuff they are usually sending is simply crap and not SPAM I'd like to figure out a way for them not to get trapped by Hijack. I don't want to increase the threshold settings because they are already fairly liberal. And I'd rather not give these users static IPs and then add an ALLOWIP line for each of them. Could I offer to set up a mailing list for them? How does Hijack behave with lists set up in Imail? --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Message getting through
I've got a strange situation with one of our users. He keeps getting mail from a porn spammer even though I've set up a specific test just for him to attempt to get rid of all mail from 3 specific domains. I've defined a test in the global.cfg file called PERMBLACKLIST with a weight of 10. The $default$.junkmail file is set to WARN on all defined tests, except for the WEIGHT10 test which is set to DELETE. This particular user is still getting mail from the domains listed in PERMBLACKLIST txt file. The headers show that the mail is indeed failing the PERMBLACKLIST test, but for some reason the WEIGHT10 test is not being triggered. Here is a copy of the header info from one of these messages (with redactions to protect both the guilty and the innocent):

Received: from pmail23.impulsive.com by mail.qsl.net (8.11.6/8.11.6) with ESMTP id g7L7HrC04636 for [EMAIL PROTECTED]; Wed, 21 Aug 2002 03:17:54 -0400
Received: from absolutefreesmt.com (localhost [127.0.0.1]) by pmail23.impulsive.com (Postfix) with ESMTP id 4A45C7DB59 for [EMAIL PROTECTED]; Wed, 21 Aug 2002 03:15:33 -0400 (EDT)
To: [EMAIL PROTECTED]
From: Nikki [EMAIL PROTECTED]
Subject: ANAL BLISS
X-Priority: 3 (Normal)
Importance: Normal
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Reply-To: [EMAIL PROTECTED]
Errors-To: [EMAIL PROTECTED]
Content-type: text/html
Message-Id: [EMAIL PROTECTED]
Date: Wed, 21 Aug 2002 03:15:33 -0400 (EDT)
X-RBL-Warning: PERMBLACKLIST: hardcore porn spammer
X-Declude-Sender: [EMAIL PROTECTED] [63.238.179.181]
X-Declude-Spoolname: D3dc994a6008694a5.SMD
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: PERMBLACKLIST
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 326893399

This email is originally hitting his account at qsl.net which forwards to his account here at stic.net. Is that somehow creating a problem? I've double-checked to see if his account is using a .junkmail file other than the default, but it isn't.

I suppose I can create a separate .junkmail for his mailbox that associates the PERMBLACKLIST test with the DELETE action, but I'd like to first figure out why these messages are not failing the WEIGHT10 test.

Thank you,
Bart Lackorn
[Declude.JunkMail] console question (yet again)
In the last two days I have added several ip4r tests to my global.cfg and def.jm files, added 2 fromfile blacklist tests, and bumped up the weight of a few tests that were already there. This seems to have significantly cut down on the amount of spam getting through without catching much more legit mail. So I'm happy, but I have noticed something a bit strange. The percentage of mail that is showing up in the console as SPAM has fallen to the 55-60% range, whereas before I made the recent changes it usually hovered around 75-80%. Logic dictates that since there are more tests for a message to fail that there should be a higher percentage of messages showing up as SPAM now than there was before. I can only come up with 2 theories.

Theory 1 - Some spammers now realize their SPAM is not getting through and have since stopped sending to our mailserver. I consider this HIGHLY unlikely since we don't send out bounces, just delete messages (and also since I doubt this would alter spammer behavior anyway.)

Theory 2 - Do messages that fail any test associated with the DELETE action not appear in the console? I doubt this is the case either, but it would help to explain the drastic drop in the percentage of mail that the console is listing as SPAM.

Anyone have any ideas/theories?

Thanks
Bart Lackorn
STIC.NET
[Declude.JunkMail] Declude Console question
I've been curious about how messages show up in the Declude Console as they stream through. In the top third of the console window messages are labeled as I, O, IS, OS, IV, or OV (I assume these stand for incoming/outgoing, SPAM, and Virus). Here's my question: If a message shows up as IS or OS does this mean it has failed *any* SPAM test, or has it failed enough tests to be deleted (or held or bounced)? I work for a medium-sized ISP and about 75-80% of the 200,000 messages going through every day are showing up as IS or OS. I've set up fairly aggressive filtering and all mail that fails the WEIGHT10 test gets deleted. I'm considering easing the tests if indeed 75-80% of our users' mail is getting deleted. However, if this only means that 75-80% of the mail is failing one of the tests (but not necessarily getting deleted) then I think I'll keep the test settings the same.
[Declude.JunkMail]
Messages originating from a mailto script from one of our webservers are failing the spamheaders and badheaders tests. Here's what I get from Declude's site:

Code: c020020c. The E-mail failed the BADHEADERS and SPAMHEADERS tests. This E-mail has a bogus Date: header.

Here's the full header info from the message (with the email address changed):

Received: from computer [204.57.118.20] by imail.stic.net (SMTPD32-7.12) id A6E4AB2028E; Mon, 12 Aug 2002 14:05:08 -0500
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: SARA Relocation
Message-Id: 200208121405609.SM02260@computer
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [c020020c].
X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam [c020020c].
X-RBL-Warning: WEIGHT10: Weight of 15 reaches or exceeds the limit of 10.
X-Declude-Spoolname: D06e40ab2028e3d43.SMD
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: BADHEADERS, SPAMHEADERS, WEIGHT10, WEIGHT5
Date: Mon, 12 Aug 2002 14:05:20 -0500
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 326891288

Can someone explain to me why the Date: header is faulty (or send me a link that would explain it)? Sorry if this is a dumb question, but I'm kinda new to this.

Thanks.
Bart Lackorn
STIC.NET
Re: [Declude.JunkMail]
Note that there is no Date: or Message-ID: header (I removed the headers that were added by Declude and IMail). The lack of a Date: header breaks RFC-compliancy (and causes much of the E-mail to get lost). The missing Message-ID: header is legal, but only allowed under certain circumstances.

So I just need to get the webserver to stamp a date and a message-ID on it before it hits Imail?

Thanks (and sorry for forgetting to put a subject on this thread)
Bart
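An added example for the exchange above (not code from either poster or from Declude): a Python check that a web-form script could run before handing a message to the mail server, reporting a missing or unparseable Date: header and a missing Message-ID: header and stamping both. The sample message, the addresses and the `example.net` domain are constructed placeholders.

```python
from email import message_from_string
from email.utils import formatdate, make_msgid, parsedate_to_datetime

# Constructed sample: a form-to-mail message with no Date: or Message-ID: header.
SAMPLE = (
    "From: webform@example.net\n"
    "To: user@example.net\n"
    "Subject: SARA Relocation\n"
    "\n"
    "Form contents here.\n"
)

def header_problems(msg):
    """List the header defects discussed in the thread for one parsed message."""
    problems = []
    date = msg["Date"]
    if date is None:
        problems.append("Date: missing")        # Date: is a required header
    else:
        try:
            parsedate_to_datetime(date)         # raises if the value is not a date
        except (TypeError, ValueError):
            problems.append("Date: unparseable")
    if msg["Message-ID"] is None:               # header lookup is case-insensitive
        problems.append("Message-ID: missing")
    return problems

def stamp(raw, domain):
    """Return the message text with a valid Date: and a Message-ID: present."""
    msg = message_from_string(raw)
    problems = header_problems(msg)
    if any(p.startswith("Date:") for p in problems):
        del msg["Date"]                         # drop a bogus value, if any
        msg["Date"] = formatdate(localtime=True)
    if "Message-ID: missing" in problems:
        msg["Message-ID"] = make_msgid(domain=domain)
    return msg.as_string()

if __name__ == "__main__":
    print(header_problems(message_from_string(SAMPLE)))
    print(stamp(SAMPLE, "example.net"))
```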
[Declude.JunkMail] Hijack Question (somewhat OT)
Sorry if this is a bit off-topic, but I was wondering if you can use the ALLOWIP line in the Hijack.cfg file to allow unlimited SMTP traffic for an entire class C subnet. Occasionally machines in our office send out a lot of internal messages, enough to go over Hijack's second threshold so I'm trying to figure out a work-around without having to add an ALLOWIP line for every machine. For example, would ALLOWIP 2.2.2 allow anyone with a 2.2.2.xx IP address unlimited SMTP traffic?

Thanks
Bart Lackorn
STIC.NET

--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
RE: [Declude.JunkMail] Hijack Question (somewhat OT)
-- Original Message --
From: John Tolmachoff [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Mon, 29 Jul 2002 16:36:11 -0700

But wouldn't that defeat the purpose of protecting against someone in the office sending out bulk junk e-mail, which is the primary purpose of Hijack?

Point taken. But working for a small Internet provider, all of the employees here are well aware of the severe beatings they will receive (from customer and co-worker alike) if they try anything cute like that.