RE: [Declude.JunkMail] EasyNet Replacements
Hi, Where can I find this version of DLAnalyzer (v2.0.B.I)? Amazingly enough at: http://www.dlanalyzer.com G Best Regards Andy --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] EasyNet Replacements
Hi, How is your ROUTING test defined in your GLOBAL.CFG? Is that the 'SPAMROUTING' test? If so - yes, 42% seems extremely high.
but how to find more info about route problem
You should look into the headers of some of the emails that fail the ROUTE test. If you can't tell why they failed the ROUTE test, then post one here for us to inspect. One immediate thought is - do you have a BACKUP MX? Did you identify that BACKUP MX to Declude, so that it knows to skip the header for your BACKUP MX? If (by chance) your BACKUP MX uses an IP range assigned to a different country, that alone may account for your high ROUTE failures.
Best Regards Andy Schmidt HM Systems Software, Inc. 600 East Crescent Avenue, Suite 203 Upper Saddle River, NJ 07458-1846 Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206 http://www.HM-Software.com/
RE: [Declude.JunkMail] SPAMROUTING, high failure rate
Hi, If 42% of your mail fails the routing test, then you probably will get such a mail sometime today and you can post the header then? Also - note Scott's response. It appears as if the SPAMROUTING test is hard-wired to the U.S. That alone may be a clue to what's going on. The headers will certainly confirm that. Best Regards Andy
[Declude.JunkMail] EasyNet Replacements
Hi, With the demise of EasyNet (which was my most successful list), I'm investigating replacements? I have seen the following recommendations:
A) SORBS - SORBS will be including dynablock.easynet.nl by importing their zone data
B) NJABL - has a nice DUL
C) http://psbl.surriel.com/
Any comments?
Best Regards Andy Schmidt HM Systems Software, Inc. 600 East Crescent Avenue, Suite 203 Upper Saddle River, NJ 07458-1846 Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206 http://www.HM-Software.com/
RE: [Declude.JunkMail] FIVETENDUL, no hits?
Hi, Looking at my Global.cfg:
    FIVETENDUL ip4r blackholes.five-ten-sg.com 127.0.0.3 5 0
I noticed that it never seems to have any hits?
Scott: General question - if I include a test in Global.cfg (used for weighting only), but do NOT include it in a *.junkmail file, will it still be included in the weight (e.g., is the default action log).
Best Regards Andy Schmidt HM Systems Software, Inc. 600 East Crescent Avenue, Suite 203 Upper Saddle River, NJ 07458-1846 Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206 http://www.HM-Software.com/
RE: [Declude.JunkMail] AHBL Anyone?
Hi, These are probably the useful ones:
    AHBLRELAYS    ip4r   dnsbl.ahbl.org  127.0.0.2  5  0
    AHBLPROXIES   ip4r   dnsbl.ahbl.org  127.0.0.3  8  0
    AHBLSOURCES   ip4r   dnsbl.ahbl.org  127.0.0.4  7  0
    AHBLPSSL      ip4r   dnsbl.ahbl.org  127.0.0.5  5  0
    AHBLFORMMAIL  ip4r   dnsbl.ahbl.org  127.0.0.6  8  0
    AHBLENDUSER   ip4r   dnsbl.ahbl.org  127.0.0.9  5  0
    AHBLDOMAINS   rhsbl  rhsbl.ahbl.org  *          4  0
    # WHITELIST:
    AHBLEXEMPT    ip4r   dnsbl.ahbl.org  *         -8  0
Best Regards Andy Schmidt HM Systems Software, Inc. 600 East Crescent Avenue, Suite 203 Upper Saddle River, NJ 07458-1846 Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206 http://www.HM-Software.com/
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser Sent: Friday, November 21, 2003 10:03 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] AHBL Anyone?
Hello, All, I am interested in knowing if anyone on here uses The Abusive Hosts Blocking List, http://www.ahbl.org/. I had some questions about implementing it. Thanks, Much! Dan Geiser [EMAIL PROTECTED]
RE: [Declude.JunkMail] SpamCop news
Maybe a commercial enterprise will be more open to adding a hands-off reporting system. Manually confirming every spam that I already determined as spam makes the system not practical. What they need is a commercial (for fee) account which includes the (revocable) right to submit directly into their system. Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206
RE: [Declude.JunkMail] Who Is This Spammer?
Hi, Is the reverse DNS valid, e.g., does the Reverse DNS actually point to one of these registered domains? Best Regards Andy
RE: [Declude.JunkMail] Who Is This Spammer?
Here is what I do. I have a script rdnsbl.cmd that builds my own RDNS BL list:
    rem %1 = the spam domain to list (e.g., spamdomain.com)
    dnscmd \\your.dns.server /RecordAdd yourdomain.com. *.%1.rdns.yourdomain.com. A 127.0.0.2
    dnscmd \\your.dns.server /RecordAdd yourdomain.com. %1.rdns.yourdomain.com. A 127.0.0.2
Submit all the spam domain names (e.g., spamdomain.com) with one line per domain like this:
    call rdnsbl spamdomain.com
Add the RDNSBL test to your Declude config file:
    RDNSBL dnsbl %REVDNS%.rdns.yourdomain.com * 8 0
Enclosed is a zone file to get you started - obviously, you need to customize to your OWN domain name where you want to host your RDNS BL.
Best Regards Andy Schmidt HM Systems Software, Inc. 600 East Crescent Avenue, Suite 203 Upper Saddle River, NJ 07458-1846 Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206 http://www.HM-Software.com/
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser Sent: Friday, November 14, 2003 04:29 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Who Is This Spammer?
Yes. The FROM address, the reverse DNS and the HELO all match the same domain. They tend not to trip any tests unless the IPs have been reported to Spamcop or another IP4R provider.
yourdomain.com.dns Description: Binary data
RE: [Declude.JunkMail] Who Is This Spammer?
Hi Tom: The zone file is for YourDomain.com. So:
    *.somename.net.rdns A 127.0.0.2
expands to:
    *.somename.net.rdns.YourDomain.com. A 127.0.0.2
and means that ANY hostname that ends with .somename.net.rdns.Yourdomain.com. will return 127.0.0.2.
The Global.cfg defines:
    RDNSBL dnsbl %REVDNS%.rdns.yourdomain.com * 8 0
That means, take the REVDNS from a message, prepend it to RDNS.YourDomain.com and if you get any valid address (e.g., 127.0.0.2) then assign a weight of 8. So, if an email was sent from ANY host at .somename.net it will look up somehost.somename.net.rdns.yourdomain.com - which will return a 127.0.0.2.
Best Regards Andy Schmidt HM Systems Software, Inc. 600 East Crescent Avenue, Suite 203 Upper Saddle River, NJ 07458-1846 Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206 http://www.HM-Software.com/
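The lookup described in the two messages above, as an added example (not code from the thread): a small model of the zone that rdnsbl.cmd builds and of the name formed from %REVDNS%. It shows why the script adds both a wildcard and a bare-domain record, and that matching happens on label boundaries. The function names and the treatment of a missing reverse DNS are assumptions made for illustration.

```python
"""Model of the RDNSBL lookup from the thread (added example, not the poster's code)."""

ZONE_ORIGIN = "yourdomain.com"   # placeholder domain, as used in the thread
LISTED = "127.0.0.2"             # answer the zone returns for listed names


def _norm(name):
    return name.strip().lower().rstrip(".")


def build_zone(spam_domains, with_apex=True):
    """Mimic rdnsbl.cmd: a wildcard record plus (optionally) the bare-domain record."""
    zone = {}
    for dom in map(_norm, spam_domains):
        zone[f"*.{dom}.rdns.{ZONE_ORIGIN}"] = LISTED
        if with_apex:
            zone[f"{dom}.rdns.{ZONE_ORIGIN}"] = LISTED
    return zone


def _existing_nodes(zone):
    """Every owner name and all of its ancestors (empty non-terminals included)."""
    nodes = set()
    for owner in zone:
        labels = owner.split(".")
        nodes.update(".".join(labels[i:]) for i in range(len(labels)))
    return nodes


def resolve(zone, qname):
    """Return the A record for qname, or None for NXDOMAIN / no data.

    Wildcards follow the closest-encloser rule: '*.x' answers only for names
    below x that have no closer existing ancestor, and never for x itself.
    """
    qname = _norm(qname)
    if qname in zone:
        return zone[qname]
    nodes = _existing_nodes(zone)
    if qname in nodes:                      # name exists but holds no A record
        return None
    labels = qname.split(".")
    for i in range(1, len(labels)):
        encloser = ".".join(labels[i:])
        if encloser in nodes:
            return zone.get("*." + encloser)
    return None


def query_name(revdns):
    """Name built from the config line: %REVDNS%.rdns.yourdomain.com"""
    return f"{_norm(revdns)}.rdns.{ZONE_ORIGIN}"


def rdnsbl_weight(zone, revdns, weight_hit=8, weight_miss=0):
    """Weights taken from 'RDNSBL dnsbl %REVDNS%.rdns.yourdomain.com * 8 0'."""
    if not _norm(revdns):                   # assumption: no PTR means no lookup
        return weight_miss
    return weight_hit if resolve(zone, query_name(revdns)) else weight_miss


if __name__ == "__main__":
    zone = build_zone(["somename.net"])
    for host in ("somehost.somename.net", "a.b.somename.net", "somename.net",
                 "notsomename.net", "somename.net.example.org", ""):
        print(f"{host or '(no reverse DNS)':28} -> weight {rdnsbl_weight(zone, host)}")
```

With only the wildcard record, a sender whose reverse DNS is exactly the listed domain would not be matched, which is what the second dnscmd line covers.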
RE: [Declude.JunkMail] OT: Do you use ColdFusion? - Java?
I question the importance to make the interface "cross platform" - when the tool that you are managing (Imail and Declude) are Windows specific? I'd personally rather use the web server that is already optimized for that environment and offers me plenty of control: IIS.
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil Sent: Thursday, November 06, 2003 05:35 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] OT: Do you use ColdFusion? - Java?
OT - sort of. We do most of our heavy web work in Java/JSP. We've tossed around the idea of building a Java app that would accept HTTP connections (perhaps on an alternate port) and provide an interface to Declude & other spam management tools for users & admins. Our development schedule is _very_ full, but if there is a significant interest in this I could explore shifting some effort in that direction. As a dedicated Java app it would be cross-platform compatible (in theory), relatively secure, lightweight, and could be configured to run along side any web services that might be present (such as KWM). In an IMail environment we could even present a postini-like interface for users to "release" their held spam - and generate accurate false positive reporting in the process, etc... (these are the ideas we have anyway...) Thoughts?
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble Sent: Thursday, November 06, 2003 4:46 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] OT: Do you use ColdFusion?
I've got one, but don't really use it. I much prefer ASP, if just for the integration and stability. Matt
RE: [Declude.JunkMail] Request status %TESTSFAILED%
something like UNREPORTEDTESTS WEIGHT10 WEIGHT20 NOLEGITCONTENT IPNOTINMX
That would be great. Because currently email that fails the WHITELIST is treated as SPAM when my Outlook client is looking at the X-Declude header - just the opposite of what Whitelisting is trying to accomplish. I have to use more complex rules so that positive tests (IPNOTINMX, NOVALIDCONTENT, etc.) and whitelist gets detected by Outlook BEFORE it attempts to recognize the true SPAM tests. That has prevented me from introducing client-side header filtering to my clients - it's just too complex at the moment. Best Regards Andy
RE: [Declude.JunkMail] SPAMCOP Account
I don't see the reasoning behind sending SPAMCOP thousands of e-mails per day that are already stopped by your system.
Presence in SPAMCOP is temporary. To REMAIN listed, you need to keep submitting SPAM so that the senders keep getting listed.
Best Regards Andy Schmidt HM Systems Software, Inc. 600 East Crescent Avenue, Suite 203 Upper Saddle River, NJ 07458-1846 Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206 http://www.HM-Software.com/
[Declude.JunkMail] Bypass Whitelisting Problem?
Hi Scott: Do we STILL have a whitelisting problem? Since 1.76i11, I now get:
    10/27/2003 11:46:22 Q4bdb16ce00f471ae nNOLEGITCONTENT:-3 . Total weight = -3
    10/27/2003 11:46:22 Q4bdb16ce00f471ae NOT bypassing whitelisting of E-mail with weight =20 (-858993460) and at least 1 recipients (1).
    10/27/2003 11:46:22 Q4bdb16ce00f471ae NOT bypassing whitelisting of E-mail with weight =15 (-858993460) and at least 4 recipients (1).
    10/27/2003 11:46:37 Q4beb16d100f4ad5f nNOLEGITCONTENT:-3 . Total weight = -3
    10/27/2003 11:46:37 Q4beb16d100f4ad5f NOT bypassing whitelisting of E-mail with weight =20 (-858993460) and at least 1 recipients (1).
    10/27/2003 11:46:37 Q4beb16d100f4ad5f NOT bypassing whitelisting of E-mail with weight =15 (-858993460) and at least 4 recipients (1).
    10/27/2003 11:46:46 Q4bf10cae010ac7ec nIPNOTINMX:-2 nNOLEGITCONTENT:-3 . Total weight = -5
    10/27/2003 11:46:46 Q4bf10cae010ac7ec NOT bypassing whitelisting of E-mail with weight =20 (-858993460) and at least 1 recipients (1).
    10/27/2003 11:46:46 Q4bf10cae010ac7ec NOT bypassing whitelisting of E-mail with weight =15 (-858993460) and at least 4 recipients (1).
    10/27/2003 11:46:49 Q4bf60cb2010ad99f nNOLEGITCONTENT:-3 WEIGHTFILTER:3 . Total weight = 0
    10/27/2003 11:46:49 Q4bf60cb2010ad99f NOT bypassing whitelisting of E-mail with weight =20 (-858993460) and at least 1 recipients (1).
    10/27/2003 11:46:49 Q4bf60cb2010ad99f NOT bypassing whitelisting of E-mail with weight =15 (-858993460) and at least 4 recipients (1).
Best Regards Andy Schmidt HM Systems Software, Inc. 600 East Crescent Avenue, Suite 203 Upper Saddle River, NJ 07458-1846 Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206 http://www.HM-Software.com/
RE: [Declude.JunkMail] Bypasswhitelisting Not working?
Uh - then the Version Announcement (back in September) and your online Declude Release Notes are both in error:
Release Notes: JM ADD Adds a bypasswhitelisting test type that can be used in rare cases when whitelist bypassing is necessary.
Your Version Announcement: From: R. Scott Perry Subject: RE: [Declude.JunkMail] Declude JunkMail v1.76 (beta) released Date: Fri, 19 Sep 2003 11:11:51 -0700
o Adds a bypasswhitelisting test type that can be used in rare cases when whitelist bypassing is necessary.
Used where and how?
Used only as a last resort. :) It can be defined with a line such as EMERGENCYBYPASS bypasswhitelisting 60 3 0 0. The 60 refers to the weight the E-mail must reach, and the 3 refers to the minimum number of recipients. In this case, it would attempt to bypass the whitelisting for E-mail with 3 or more recipients and a weight of 60 or higher. -Scott
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry Sent: Thursday, October 09, 2003 07:54 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Bypasswhitelisting Not working?
My Global.cfg contains:
    BYPASSWHITELIST bypasswhitelisting 20 1 0 0
    BYPASSMULTIRECP bypasswhitelisting 15 4 0 0
If you change those to:
    BYPASSWHITELIST bypasswhitelist 20 1 0 0
    BYPASSMULTIRECP bypasswhitelist 15 4 0 0
it should fix it. It seems that the test type is bypasswhitelist, not bypasswhitelisting. -Scott
RE: [Declude.JunkMail] Bypasswhitelisting Not working?
Well it DOES work - now I see it full of log entries that actually report the action it takes.
Best Regards Andy Schmidt HM Systems Software, Inc. 600 East Crescent Avenue, Suite 203 Upper Saddle River, NJ 07458-1846 Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206 http://www.HM-Software.com/
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of William Baumbach Sent: Thursday, October 09, 2003 09:29 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Bypasswhitelisting Not working?
interesting, I was using bypasswhitelisting too, I just changed it to bypasswhitelist I found no errors in the logs, let's see if it works now. Sincerely, William J. Baumbach II [EMAIL PROTECTED] 9975 Pennsylvania Ave. Manassas, Va. 20110-2028 Ph: 703-367-7900 ext:1708 Fax: 703-691-0946
RE: [Declude.JunkMail] maybe its just one of AOL's servers???
Fred: The ONLY header info you can trust is the one that your OWN mail server inserted. E.g., if your mail server inserted this first header:
    Received: from scmp-m01.mail.aol.com [163.163.163.163] by mail.fredsserver.com...
then you could trust the following:
- The connection to your mail server was made from IP address 163.163.163.163
- The machine connecting to you used a HELO string of scmp-m01.mail.aol.com
- That the date/time shown is the time used on YOUR machine
You can NOT trust:
- that the machine truly IS scmp-m01.mail.aol.com because that string is controlled by the SENDING machine, thus can be (and frequently is) forged or at least wrong.
However, you can NOT trust any header claimed to have been inserted by any server OTHER than yours, e.g.:
    Received: from scmp-m01.mail.aol.com (scmp-m01.mail.aol.com [172.20.75.169]) by omr-m01.mx.aol.com (v95.1) with ESMTP id
is made to look as if it was inserted by omr-m01.mx.aol.com - but since (I assume) this is not YOUR machine, you can't (and should not) imply that any of this information is valid. Indeed, the IP address used is in the IANA reserved range and I doubt that AOL would/could use those ranges for external mail servers. That particular header line does look like a fake.
Best Regards Andy Schmidt HM Systems Software, Inc. 600 East Crescent Avenue, Suite 203 Upper Saddle River, NJ 07458-1846 Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206 http://www.HM-Software.com/
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frederick Samarelli Sent: Thursday, October 09, 2003 09:58 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] maybe its just one of AOL's servers???
This was taken directly off the header of emails I receive from AOL notifying me that someone from one of my subnets was reported sending un-wanted email. Fred
[Declude.JunkMail] Bypasswhitelisting Not working?
Scott: My Global.cfg contains:
    BYPASSWHITELIST bypasswhitelisting 20 1 0 0
    BYPASSMULTIRECP bypasswhitelisting 15 4 0 0
    PREWHITELIST ON
    AUTOWHITELIST ON
Yet, here's one of many messages with 6 recipients and a weight of 26 that does get whitelisted:
    10/08/2003 23:39:15 Qd81d109f0148f5b6 DSBL:5 SPAMCOP:7 EASYNET-DYNA:5 CBL:7 HEUR8:2 . Total weight = 26
    10/08/2003 23:39:15 Qd81d109f0148f5b6 E-mail whitelisted - automatically passing all spam tests [EMAIL PROTECTED]
    10/08/2003 23:39:15 Qd81d109f0148f5b6 Subject: Andy_schmidt, Fast easy way to get your medication today!zybvblxou jre ghph ztskkm hbavwmwh sh di
    10/08/2003 23:39:15 Qd81d109f0148f5b6 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 24.197.251.74 ID: 22002968
    10/08/2003 23:39:15 Qd81d109f0148f5b6 Subject: Andy_schmidt, Fast easy way to get your medication today!zybvblxou jre ghph ztskkm hbavwmwh sh di
    10/08/2003 23:39:15 Qd81d109f0148f5b6 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [EMAIL PROTECTED] IP: 24.197.251.74 ID: 22002968
    10/08/2003 23:39:15 Qd81d109f0148f5b6 Subject: Andy_schmidt, Fast easy way to get your medication today!zybvblxou jre ghph ztskkm hbavwmwh sh di
    10/08/2003 23:39:15 Qd81d109f0148f5b6 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] IP: 24.197.251.74 ID: 22002968
    10/08/2003 23:39:15 Qd81d109f0148f5b6 Subject: Andy_schmidt, Fast easy way to get your medication today!zybvblxou jre ghph ztskkm hbavwmwh sh di
    10/08/2003 23:39:15 Qd81d109f0148f5b6 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] IP: 24.197.251.74 ID: 22002968
    10/08/2003 23:39:15 Qd81d109f0148f5b6 Subject: Andy_schmidt, Fast easy way to get your medication today!zybvblxou jre ghph ztskkm hbavwmwh sh di
    10/08/2003 23:39:15 Qd81d109f0148f5b6 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] IP: 24.197.251.74 ID: 22002968
    10/08/2003 23:39:15 Qd81d109f0148f5b6 Subject: Andy_schmidt, Fast easy way to get your medication today!zybvblxou jre ghph ztskkm hbavwmwh sh di
    10/08/2003 23:39:15 Qd81d109f0148f5b6 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] IP: 24.197.251.74 ID: 22002968
Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206
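A way to find such messages in bulk, as an added example (not code from the thread or from Declude): it reads the bypass rules from a Global.cfg, flags rules whose test type is not the `bypasswhitelist` spelling that Scott's reply on this page says is the working one, and scans a log for whitelisted mail that met a rule's weight and recipient thresholds. The log lines are constructed in the layout shown above; the recipient count is taken as the longest To: list seen for a queue id, which is an assumption about the log format.

```python
"""Audit a JunkMail-style log for mail that met a bypass rule but was whitelisted.
Added example; CONFIG is the Global.cfg quoted in the thread, LOG is constructed."""
import re
from collections import namedtuple

ACCEPTED_TYPE = "bypasswhitelist"      # the spelling that works, per Scott's reply

CONFIG = """\
BYPASSWHITELIST bypasswhitelisting 20 1 0 0
BYPASSMULTIRECP bypasswhitelisting 15 4 0 0
PREWHITELIST ON
AUTOWHITELIST ON
"""

# Constructed log lines (queue ids, addresses and IPs are made up).
LOG = """\
10/08/2003 23:39:15 Q0000000000000001 DSBL:5 SPAMCOP:7 EASYNET-DYNA:5 CBL:7 HEUR8:2 . Total weight = 26
10/08/2003 23:39:15 Q0000000000000001 E-mail whitelisted - automatically passing all spam tests
10/08/2003 23:39:15 Q0000000000000001 From: s@example.net To: a@example.com IP: 192.0.2.1 ID: 1
10/08/2003 23:39:15 Q0000000000000001 From: s@example.net To: a@example.com b@example.com c@example.com d@example.com e@example.com f@example.com IP: 192.0.2.1 ID: 1
10/08/2003 23:40:02 Q0000000000000002 nNOLEGITCONTENT:-3 . Total weight = -3
10/08/2003 23:40:02 Q0000000000000002 E-mail whitelisted - automatically passing all spam tests
10/08/2003 23:40:02 Q0000000000000002 From: t@example.net To: a@example.com IP: 192.0.2.2 ID: 2
10/08/2003 23:41:10 Q0000000000000003 SPAMCOP:7 CBL:7 HEUR8:3 . Total weight = 17
10/08/2003 23:41:10 Q0000000000000003 E-mail whitelisted - automatically passing all spam tests
10/08/2003 23:41:10 Q0000000000000003 From: u@example.net To: a@example.com b@example.com IP: 192.0.2.3 ID: 3
10/08/2003 23:42:30 Q0000000000000004 DSBL:5 SPAMCOP:7 CBL:7 HEUR8:11 . Total weight = 30
10/08/2003 23:42:30 Q0000000000000004 From: v@example.net To: a@example.com b@example.com c@example.com d@example.com e@example.com IP: 192.0.2.4 ID: 4
"""

Rule = namedtuple("Rule", "name test_type min_weight min_recips")
LINE_RE = re.compile(r"^\d\d/\d\d/\d{4} \d\d:\d\d:\d\d (Q\w+) (.*)$")
WEIGHT_RE = re.compile(r"Total weight = (-?\d+)")
TO_RE = re.compile(r"\bTo: (.*?) IP:")


def parse_rules(config):
    """Collect every line whose test type begins with 'bypasswhitelist'."""
    rules = []
    for line in config.splitlines():
        f = line.split()
        if len(f) >= 4 and not f[0].startswith("#") \
                and f[1].lower().startswith("bypasswhitelist"):
            rules.append(Rule(f[0], f[1].lower(), int(f[2]), int(f[3])))
    return rules


def misspelled(rules):
    """Names of rules whose test type is not the accepted spelling."""
    return [r.name for r in rules if r.test_type != ACCEPTED_TYPE]


def summarise(log):
    """Per queue id: total weight, whitelisted flag, highest recipient count."""
    msgs = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        qid, rest = m.groups()
        rec = msgs.setdefault(qid, {"weight": None, "whitelisted": False, "recips": 0})
        w = WEIGHT_RE.search(rest)
        if w:
            rec["weight"] = int(w.group(1))
        if "E-mail whitelisted" in rest:
            rec["whitelisted"] = True
        to = TO_RE.search(rest)
        if to:
            rec["recips"] = max(rec["recips"], len(to.group(1).split()))
    return msgs


def audit(log, rules):
    """Whitelisted messages that reached the thresholds of at least one rule."""
    findings = []
    for qid, rec in summarise(log).items():
        if not rec["whitelisted"] or rec["weight"] is None:
            continue
        hit = [r.name for r in rules
               if rec["weight"] >= r.min_weight and rec["recips"] >= r.min_recips]
        if hit:
            findings.append((qid, rec["weight"], rec["recips"], hit))
    return findings


if __name__ == "__main__":
    rules = parse_rules(CONFIG)
    print("rules with an unrecognised test type:", misspelled(rules))
    for qid, weight, recips, hit in audit(LOG, rules):
        print(f"{qid}: weight {weight}, {recips} recipients, whitelisted despite {hit}")
```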
[Declude.JunkMail] DNSReport C-Class Warning
Hi Scott: http://www.dnsreport.com/tools/dnsreport.ch?domain=FRENCHRENDEZVOUS.CC
First claims: All of your nameservers (listed at the parent nameservers) are in the same Class C address space... [If the parent servers have no glue for your domain, this could be a false positive.]
And then continues to report (correctly):
    65.119.204.32: No version info available (CHAOS not implemented).
    63.107.174.24: No version info available (CHAOS not implemented).
Now - whether the parent servers do have or don't have any glue - why would THAT affect your ability to compare 65.119.204.32 with 63.107.174.24 and plainly see that they are NOT in the same Class C address space?
Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206
RE: [Declude.JunkMail] eBay - scam..
not to speak of trademark and or copyright infringement (which is NOT a civil matter - stakes are higher). These web sites are made to look exactly as the "real thing", using their logo, etc. I have reported many of these emails with all headers to them - and offered logs etc and never got more than an automated reply. Not worth my time.
Best Regards Andy Schmidt HM Systems Software, Inc. 600 East Crescent Avenue, Suite 203 Upper Saddle River, NJ 07458-1846 Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206 http://www.HM-Software.com/
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry Sent: Thursday, October 02, 2003 09:06 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] eBay - scam..
Yep, been catching this one for quite a while now. It is surprising, however, that E-Bay has not gone after these guys since it is so blatant in its attempt to steal E-Bay user account information. Bill
----- Original Message ----- From: Kami Razvan To: [EMAIL PROTECTED] Sent: Thursday, October 02, 2003 1:06 AM Subject: [Declude.JunkMail] eBay - scam..
Hi; An interesting email was just caught with a barely hold value. It is asking for the recipient to click to update their eBay records. The only URL in the body that is suspicious is: info-update-ebay.com The Whois is anything but eBay. The email has full eBay logo and TRUSTe information - coming with links from eBay. This is the way the email starts.. Your eBay account is in jeopardy! To secure your account please continue by clicking the link below. Secure your eBay account now! = Has anyone else seen this? You may want to filter that URL. Regards, Kami
RE: [Declude.JunkMail] Backup MX / Spam
No I don't think that was the intention. I think the intention is that there is no reason for mail to come through the backup MX server during normal operations. The only ones who intentionally contact the backup MX are likely to be viruses and spammers.
Best Regards Andy Schmidt HM Systems Software, Inc. 600 East Crescent Avenue, Suite 203 Upper Saddle River, NJ 07458-1846 Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206 http://www.HM-Software.com/
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Maze - Hostmaster Sent: Thursday, October 02, 2003 11:58 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] Backup MX / Spam
Use the IPBYPASS %sec mx ip% feature within the GLOBAL.CFG file. It will skip the ip address of your secondary mx record and run the check on the ip address of the originating server.
    IPBYPASS xxx.xxx.xxx.xxx
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Grosshandler Sent: Thursday, October 02, 2003 11:34 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Backup MX / Spam
Hi Some large percentage of the spam we get comes to the backup MX and then is relayed to the primary MX. Using Declude JM Standard, is there some test I can use to add additional weight to any mail routed through my backup MX? Thanks, Rob == Robert N. Grosshandler www.iGive.com Turn shopping into Philanthropy
RE: [Declude.JunkMail] Understanding Return Codes
ISP mail servers that get used by spammers
Uhuh - so? Which ISP is permitting/tolerating/mis-configuring their servers to be abused in that way? I have seen very FEW spammers that MX mail from their "own" mail servers (as they would be shut down and/or blocked too easily). Nearly everyone is using proxies, open relays or otherwise hi-jacked machines - and the smaller ones use consumer broadband accounts.
Best Regards Andy Schmidt HM Systems Software, Inc. 600 East Crescent Avenue, Suite 203 Upper Saddle River, NJ 07458-1846 Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206 http://www.HM-Software.com/
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Wednesday, September 24, 2003 12:47 PM To: '[EMAIL PROTECTED]' Subject: RE: [Declude.JunkMail] Understanding Return Codes
(sigh) Again I'm the voice of dissent... I find that CBL merits no higher than a weight of 5 out of my HOLD weight of 20. I find that it includes a lot of ISP mail servers that get used by spammers. They do seem to work at removing them, but meanwhile, it's throwing the baby out with the bath water. I'm sure glad that Declude gives me a weighted system to work with. Andrew 8)
-----Original Message----- From: Matthew Bramble [mailto:[EMAIL PROTECTED] Sent: Tuesday, September 23, 2003 9:23 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Understanding Return Codes
Maybe it was just down on the day I tested it... I like pure spamtrap RBL's because clean ones have no false positives. CBL is a good one to add if you haven't checked it out, and it produces a lot of hits (with no FP's in a week of monitoring).
Bill Landry wrote:
----- Original Message ----- From: "Matthew Bramble" [EMAIL PROTECTED]
Maybe other "unlisted" entries reflect similar circumstances (not available under normal circumstances)?
All of the DNSBLs (ip4r) and RHSBLs listed on the Declude spam databases site (http://www.declude.com/Junkmail/support/ip4r.htm) are publicly accessible, unless it has been noted otherwise in the comments (e.g., MAPS tests). The "SBBL" spam database can be accessed by using:
    SBBL ip4r sbbl.they.com * 3 0
So far today I have flagged over 900 messages as spam using the SBBL test. Bill
RE: [Declude.JunkMail] OT: VerySinn disrupts LAN traffic
There are reports of people's printers that stopped working. Essentially, TCP/IP connected printers on a local LAN set up by an ignorant network "admin" with an invalid domain name, connected to a local print server. Somehow, the workstations FIRST did a lookup by the (invalid) host/domain name - and would get a negative response from the external DNS. Then they would do internal name resolution and the printer could be found. After VerySinn's move, the external resolution now points to VerySinn - and the result is a printer failure in a local LAN.
The point is, who knows how many things relied on the proper "not found" response to domain lookups - that are now broken and someone will waste time trying to figure out what changed.
Best Regards Andy Schmidt HM Systems Software, Inc. 600 East Crescent Avenue, Suite 203 Upper Saddle River, NJ 07458-1846 Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206 http://www.HM-Software.com/
RE: [Declude.JunkMail] Museum
(632 potential sites with a TLD set up to help increase awareness of museums on the Web in general).
Where is THAT number coming from? There are probably 2 or 3 museums even in smaller towns (I can think of 2 in my home-town of 30,000)
Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206
RE: [Declude.JunkMail] VeriSteal is stealing traffic from your domain.
Can't reproduce here. I get regular Not found in my browser.
Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble
Sent: Monday, September 22, 2003 01:34 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] VeriSteal is stealing traffic from your domain.
I didn't realize this until a second ago, but VeriCorrupt is stealing traffic from every domain name out there on the Internet, regardless of the extension, and regardless of whether or not it is registered. Want to see something else that's quite strange?
http://asfdasdsadfdsf.online.museum
http://asdfaasdfasdf.site.biz
For some reason that brings you to VeriThief's SiteFinder?? If you take out the .online it will take you to the wildcarded MuseDoma site. Seems that VeriSteal has some bleed over. Want to see something even worse?
http://asdasdfasdfa.igaia.com
http://asdfasdfasdf.declude.com
Any lookup, registered or unregistered that doesn't return an A record is being directed at this site. Why the hell are these guys stealing traffic from the domain names that I am paying for? THIS MUST END! Up until now, I only thought this was limited to unregistered domains. VeriHijack can't be allowed to write the rules whatever way they see fit. They quite literally just took over the backbone of the Internet. Matt
RE: [Declude.JunkMail] Declude JunkMail v1.76 (beta) released
o Adds a bypasswhitelisting test type that can be used in rare cases when whitelist bypassing is necessary.
Used where and how?
Best Regards Andy
[Declude.JunkMail] MAILFROM catches too much now?
Hi Scott: Am I mistaken - or did the MAILFROM used to permit EITHER an MX OR an A record? Suddenly, I see LOTS of mail being held, because of mailfrom failures:
X-Declude: Version 1.76; D3f8a026a02001aec.SMD from mailer390.marist.edu [148.100.80.47]
X-Declude: Triggered MAILFROM, IPNOTINMX [-3]
Return-Path: [EMAIL PROTECTED]
But, when I check @VM.MARIST.EDU I get:
vm.marist.edu.
Non-authoritative answer:
Name: vm.marist.edu
Addresses: 148.100.81.40, 148.100.80.40
Best Regards Andy Schmidt HM Systems Software, Inc. 600 East Crescent Avenue, Suite 203 Upper Saddle River, NJ 07458-1846 Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206 http://www.HM-Software.com/
RE: [Declude.JunkMail] Declude JunkMail v1.76 (beta) released
Uh - cool feature. Currently I have a certain receiving Postmaster account whitelisted (so that the occasional false positive can alert us after we sent them a BOUNCE or ALERT) - which means it gets 80% spam. The real false positives are seldom more than a few points over our BOUNCE or ALERT limit. Certainly, if they were up to our KILL limit (for which we've never gotten any complaints), they would not know that we blocked them and therefore, are not likely that they'd ever try to contact our Postmaster account. So, if I use:
BYPASSWHITELIST bypasswhitelisting 20 0 0 0
it will not whitelist any mails if the weight is 20 (our kill weight) or more and the mail has any number of recipients or no recipients? (At 20, the mail must have failed so many tests that I have NEVER seen any false positives.)
Best Regards Andy
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Friday, September 19, 2003 01:56 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Declude JunkMail v1.76 (beta) released
o Adds a bypasswhitelisting test type that can be used in rare cases when whitelist bypassing is necessary.
Used where and how?
Used only as a last resort. :) It can be defined with a line such as EMERGENCYBYPASS bypasswhitelisting 60 3 0 0. The 60 refers to the weight the E-mail must reach, and the 3 refers to the minimum number of recipients. In this case, it would attempt to bypass the whitelisting for E-mail with 3 or more recipients and a weight of 60 or higher. -Scott
--- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation.
RE: [Declude.JunkMail] MAILFROM catches too much now?
Scott:
X-Declude-Note: Domain lists.msnbc.com has no MX or A records.
Sure does:
lists.msnbc.com.
Non-authoritative answer:
lists.msnbc.com internet address = 207.46.169.42
Yet - Declude fails the MAILFROM test!
X-Declude: Version 1.76; D499f047e01827d13.SMD from lists.msnbc.com [207.46.169.42]
X-Declude: Triggered BONDEDSENDER, MAILFROM, HELOBOGUS [-7]
X-Countries: UNITED STATES-destination
Return-Path: [EMAIL PROTECTED]
Best Regards Andy Schmidt HM Systems Software, Inc. 600 East Crescent Avenue, Suite 203 Upper Saddle River, NJ 07458-1846 Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206 http://www.HM-Software.com/
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt
Sent: Friday, September 19, 2003 02:18 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] MAILFROM catches too much now?
Importance: High
Hi Scott: Am I mistaken - or did the MAILFROM used to permit EITHER an MX OR an A record? Suddenly, I see LOTS of mail being held, because of mailfrom failures:
X-Declude: Version 1.76; D3f8a026a02001aec.SMD from mailer390.marist.edu [148.100.80.47]
X-Declude: Triggered MAILFROM, IPNOTINMX [-3]
Return-Path: [EMAIL PROTECTED]
But, when I check @VM.MARIST.EDU I get:
vm.marist.edu.
Non-authoritative answer:
Name: vm.marist.edu
Addresses: 148.100.81.40, 148.100.80.40
Best Regards Andy Schmidt HM Systems Software, Inc. 600 East Crescent Avenue, Suite 203 Upper Saddle River, NJ 07458-1846 Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206 http://www.HM-Software.com/
RE: [Declude.JunkMail] MAILFROM catches too much now?
Hi, I have XSENDER OFF. Instead I use:
XINHEADER Return-Path: %MAILFROM%
I don't have EnvFromStrict.
Best Regards Andy Schmidt HM Systems Software, Inc. 600 East Crescent Avenue, Suite 203 Upper Saddle River, NJ 07458-1846 Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206 http://www.HM-Software.com/
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Friday, September 19, 2003 02:30 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] MAILFROM catches too much now?
Am I mistaken - or did the MAILFROM used to permit EITHER an MX OR an A record? Suddenly, I see LOTS of mail being held, because of mailfrom failures:
X-Declude: Version 1.76; D3f8a026a02001aec.SMD from mailer390.marist.edu [148.100.80.47]
X-Declude: Triggered MAILFROM, IPNOTINMX [-3]
Return-Path: [EMAIL PROTECTED]
What is in the X-Declude-Sender: header (that's the one that Declude looks at)? I just tested here with 1.76, and the MAILFROM test is not triggered on @vm.marist.edu addresses. vm.marist.edu doesn't have an MX record, which is a serious problem (especially now that many people are talking about no longer sending mail to servers with no MX record), but that shouldn't by itself trigger the test (unless you use envfromstrict, but you should know if you are using that). -Scott
--- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation.
RE: [Declude.JunkMail] MAILFROM catches too much now?
:15.631 Q56ec00f1016e71bc [EMAIL PROTECTED] [EMAIL PROTECTED]@optonline.net] *local*
09/19/2003 15:20:15.631 Q56ec00f1016e71bc Opening HKEY_LOCAL_MACHINE\software\Ipswitch\IMail\Domains
09/19/2003 15:20:15.631 Q56ec00f1016e71bc Domain name = pianoartist.com, User name = Scott.
09/19/2003 15:20:15 Q56ec00f1016e71bc Using [incoming] CFG file D:\IMAIL\Declude\$default$.junkmail.
09/19/2003 15:20:15.631 Q56ec00f1016e71bc .X...XX...
09/19/2003 15:20:15.631 Q56ec00f1016e71bc Test #17 [MAILFROM weight=0] triggered; action = 15 [Domain mail.matchevents.com has no MX or A records.]
09/19/2003 15:20:15 Q56ec00f1016e71bc Msg failed MAILFROM (Domain mail.matchevents.com has no MX or A records.). Action=HOLD.
09/19/2003 15:20:15.631 Q56ec00f1016e71bc Test #21 [HELOBOGUS weight=3] triggered; action = 5 [Domain mail.matchevents.com has no MX or A records.]
09/19/2003 15:20:15 Q56ec00f1016e71bc Msg failed HELOBOGUS (Domain mail.matchevents.com has no MX or A records.). Action=WARN.
09/19/2003 15:20:15.631 Q56ec00f1016e71bc X-Declude-Note: Domain mail.matchevents.com has no MX or A records.
09/19/2003 15:20:15.631 Q56ec00f1016e71bc Test #26 [NOLEGITCONTENT weight=0] triggered; action = 0 [No content unique to legitimate E-mail detected.]
09/19/2003 15:20:15 Q56ec00f1016e71bc Subject: Upcoming Nyack Party
09/19/2003 15:20:15 Q56ec00f1016e71bc From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 209.123.232.152 ID:
09/19/2003 15:20:15.647 Q56ec00f1016e71bc Done Looping
09/19/2003 15:20:15.647 Q56ec00f1016e71bc AlterRecip( 5, (null), (null));
09/19/2003 15:20:15.647 Q56ec00f1016e71bc AlterRecip: Saving queuefile
09/19/2003 15:20:15 Q56ec00f1016e71bc Last action = HOLD.
09/19/2003 15:20:15.647 Q56ec00f1016e71bc X-Declude: Version 1.76; D56ec00f1016e71bc.SMD from mail.matchevents.com [209.123.232.152]
X-Declude: Triggered MAILFROM, HELOBOGUS, NOLEGITCONTENT [1]
X-Countries: UNITED STATES-destination
Return-Path: [EMAIL PROTECTED]
09/19/2003 15:20:15.647 Q56ec00f1016e71bc AlterMessage
09/19/2003 15:20:15.647 Q56ec00f1016e71bc Set process priority back to 32.
09/19/2003 15:20:15.647 Q56ec00f1016e71bc Adding warning
09/19/2003 15:20:15.662 Q56ec00f1016e71bc Last Action=HOLD.
09/19/2003 15:20:15.662 Q56ec00f1016e71bc Unlocked D:\IMAIL\spool\Q56ec00f1016e71bc.SMD.
09/19/2003 15:20:15.662 Q56ec00f1016e71bc Moving file to spam hold directory
09/19/2003 15:20:15.662 Q56ec00f1016e71bc Total Time: 1595ms
Best Regards Andy Schmidt HM Systems Software, Inc. 600 East Crescent Avenue, Suite 203 Upper Saddle River, NJ 07458-1846 Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206 http://www.HM-Software.com/
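Added example (not part of the original thread, and not Declude's code): a small audit that pulls "Msg failed MAILFROM" entries out of a log in the format shown above and compares each against an independent DNS snapshot, which is the manual nslookup cross-check from this thread done in bulk. The snapshot, the constructed log lines, the function names and the `strict` flag (a model of the envfromstrict behaviour as described in the thread) are assumptions.

```python
import re

# Constructed resolver snapshot so the example runs offline. The A records for
# vm.marist.edu and lists.msnbc.com are the nslookup answers quoted in the
# thread; the empty MX lists and the .example domain are assumptions.
DNS_SNAPSHOT = {
    "vm.marist.edu": {"A": ["148.100.81.40", "148.100.80.40"], "MX": []},
    "lists.msnbc.com": {"A": ["207.46.169.42"], "MX": []},
    "no-such-host.example": {"A": [], "MX": []},
}

# The first three lines are copied from the debug log in the thread; the last
# two are constructed in the same format.
SAMPLE_LOG = """\
09/19/2003 15:20:15.631 Q56ec00f1016e71bc Test #17 [MAILFROM weight=0] triggered; action = 15 [Domain mail.matchevents.com has no MX or A records.]
09/19/2003 15:20:15 Q56ec00f1016e71bc Msg failed MAILFROM (Domain mail.matchevents.com has no MX or A records.). Action=HOLD.
09/19/2003 15:20:15 Q56ec00f1016e71bc Msg failed HELOBOGUS (Domain mail.matchevents.com has no MX or A records.). Action=WARN.
09/19/2003 15:21:02 Q0000000000000001 Msg failed MAILFROM (Domain lists.msnbc.com has no MX or A records.). Action=HOLD.
09/19/2003 15:21:40 Q0000000000000002 Msg failed MAILFROM (Domain no-such-host.example has no MX or A records.). Action=HOLD.
"""

FAIL_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2})(?:\.\d+)? "
    r"(?P<qid>Q[0-9a-f]+) Msg failed (?P<test>[A-Z0-9]+) "
    r"\(Domain (?P<domain>\S+) has no MX or A records\.\)\. "
    r"Action=(?P<action>[A-Z]+)\.$"
)


def mailfrom_passes(domain, dns, strict=False):
    """Return True if the sender domain is acceptable.

    Default rule, as discussed in the thread: an MX *or* an A record is enough.
    strict=True models the stricter setting mentioned there (assumption: it
    requires an MX record).
    """
    rec = dns.get(domain.lower().rstrip("."), {})
    has_mx = bool(rec.get("MX"))
    has_a = bool(rec.get("A"))
    return has_mx if strict else (has_mx or has_a)


def parse_failures(log_text):
    """Extract 'Msg failed <TEST> (Domain ... has no MX or A records.)' entries."""
    entries = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def audit_mailfrom(log_text, dns, strict=False):
    """Classify each MAILFROM failure against the independent DNS snapshot.

    'contradicted' - the filter said "no MX or A" but the snapshot has records
    'consistent'   - the snapshot agrees that the domain has no usable record
    'no-data'      - the snapshot has nothing on this domain; check it by hand
    """
    results = []
    for e in parse_failures(log_text):
        if e["test"] != "MAILFROM":
            continue
        domain = e["domain"].lower().rstrip(".")
        if domain not in dns:
            verdict = "no-data"
        elif mailfrom_passes(domain, dns, strict):
            verdict = "contradicted"
        else:
            verdict = "consistent"
        results.append((e["qid"], domain, verdict))
    return results


if __name__ == "__main__":
    for qid, domain, verdict in audit_mailfrom(SAMPLE_LOG, DNS_SNAPSHOT):
        print(f"{qid}  {domain:<24} {verdict}")
```

Entries marked "contradicted" are the ones worth posting with full headers, since they point at the resolver the filter uses rather than at the sender's DNS.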
RE: [Declude.JunkMail] Next release
if you are running a version of IMail that supports it, such as 8.x). A line WHITELIST AUTH in the \IMail\Declude\global.cfg file will let that interim release know to whitelist all E-mail from users who have authenticated.
Uhhh, finally a good reason to upgrade to 8.x. Until now it seemed like a waste of good money.
Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206
RE: [Declude.JunkMail] mailbox forwarding no action
Scott: Maybe I misunderstand
The forwarding is actually handled by IMail after the E-mail is processed by Declude, so there is no evidence of forwarding when Declude sees the E-mail.
If the forwarding is handled by Imail AFTER Declude processed it - then would Declude first ACT on the incoming email (e.g., bounce, delete, warn - and Virus checking) and only messages that make it past the Declude filters would eventually be forwarded? If it works that way - then where's the problem? There is no reason to rescan the forwarded copies, if the original was already processed? If it doesn't work that way, e.g., if one can really entirely bypass Declude simply by sending mail to a forwarding email account - then this would be a huge security hole? But I can't imagine that being the case!?
Best Regards Andy Schmidt HM Systems Software, Inc. 600 East Crescent Avenue, Suite 203 Upper Saddle River, NJ 07458-1846 Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206 http://www.HM-Software.com/
RE: [Declude.JunkMail] SMTP Relay Limit
If all you need is a relay server or backup MX, then IIS' built-in SMTP server works just fine for us. We actually think of Imail as a mailbox server and try to offload all outbound or relay functions to the MS SMTP.
Best Regards Andy
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Patnode
Sent: Wednesday, September 10, 2003 03:34 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] SMTP Relay Limit
I'm running Declude as a gateway for various IPs and just hit a limit. Under Addresses specified here are to be considered local addresses for mail gatewaying Adding entries to Access Control under SMTP, the 100th entry produces an error: Maximum table size reached
So now, no more clients can be added because I can't relay their mail. Ipswitch says it's hard coded across all versions and a fix is months away, if they agree to do it. What I'm thinking is sending all mail to a down stream server that doesn't have this limit that would in turn forward to clients. This leaves two questions:
1) What's the best email server software to do this with, providing both unlimited relay IPs and easy text editing of the delivery list (Linux, Windows, Mac)?
2) What's the best way to deliver from Imail to this server? The obvious is to add this same IP to every domain listed in the hosts file, but would it be better to use Gateway Option, Send all remote mail through gateway
Any comments/insights would be appreciated. Thanks! Dan
RE: [Declude.JunkMail] mailbox forwarding no action
But if you use an action that causes the E-mail to be delivered (such as SUBJECT, WARN, MAILBOX), then the forwarded E-mail will be delivered.
I'm a bit dense today - and why would THAT be a problem? Or are you saying the forwarded email would be an entirely new email message and Declude's subject or header inserts would not appear in those forwarded copies? Some of our clients do use forwarding mailboxes - so I just want to be clear about the implications.
Best Regards Andy
RE: [Declude.JunkMail] Article on News.Com
Oh, they are not blocking the servers from spamming to the REST of the world, they are only blacklisting servers from delivering mails into China. E.g., they are targeting servers in Taiwan and elsewhere that are spamming INTO China. Servers that are in China and are spamming into the U.S. don't seem to be included. PS: But I agree, it can only help that they suddenly have some awareness of SPAM and at least some people get the concept of open relays. Best Regards Andy
RE: [Declude.JunkMail] Strange Subject
SUBJECT 40 CONTAINS =?ISO-8859-1?b?
Assuming you don't ever get emails from European countries, Canada or other locations that use accented characters.
Best Regards Andy Schmidt HM Systems Software, Inc. 600 East Crescent Avenue, Suite 203 Upper Saddle River, NJ 07458-1846 Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206 http://www.HM-Software.com/
RE: [Declude.JunkMail] OSRELAY Replacement..
Please review these archives - several people have been posting their replacement config files in the past 2 days.
Best Regards Andy Schmidt HM Systems Software, Inc. 600 East Crescent Avenue, Suite 203 Upper Saddle River, NJ 07458-1846 Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206 http://www.HM-Software.com/
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Maze - Hostmaster
Sent: Thursday, August 28, 2003 08:49 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] OSRELAY Replacement..
So what are y'all beginning to use instead of the OSRELAY tests? I was using this and one of the other OS tests. Even though I still had 350 messages in my spam account this morning, I would like another test to replace these.
RE: [Declude.JunkMail] OSRELAY Replacement question.
Here are the replacements that I'm using (marked up red) with the results for the last few hours:
Best Regards Andy Schmidt
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Smith
Sent: Wednesday, August 27, 2003 09:44 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] OSRELAY question.
Anyone have any recommendations on what to replace:
#OSDUL ip4r relays.osirusoft.com 127.0.0.3 5 0
#OSFORM ip4r relays.osirusoft.com 127.0.0.8 5 0
#OSLIST ip4r relays.osirusoft.com 127.0.0.7 5 0
#OSRELAY ip4r relays.osirusoft.com 127.0.0.2 5 0
#OSSMART ip4r relays.osirusoft.com 127.0.0.5 5 0
#OSSOFT ip4r relays.osirusoft.com 127.0.0.6 5 0
#OSSRC ip4r relays.osirusoft.com 127.0.0.4 5 0
With?
[280K attachment removed]
RE: [Declude.JunkMail] OSRELAY Replacement question.
Hm - maybe this list doesn't support HTML mail (or doesn't support attachments), here is that screen shot again, this time as a BMP file. The replacements that I'm using are marked up red with the results for the last few hours
Best Regards Andy Schmidt HM Systems Software, Inc. 600 East Crescent Avenue, Suite 203 Upper Saddle River, NJ 07458-1846 Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206 http://www.HM-Software.com/
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt
Sent: Wednesday, August 27, 2003 11:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] OSRELAY Replacement question.
Here are the replacements that I'm using (marked up red) with the results for the last few hours:
Best Regards Andy Schmidt
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Smith
Sent: Wednesday, August 27, 2003 09:44 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] OSRELAY question.
Anyone have any recommendations on what to replace:
#OSDUL ip4r relays.osirusoft.com 127.0.0.3 5 0
#OSFORM ip4r relays.osirusoft.com 127.0.0.8 5 0
#OSLIST ip4r relays.osirusoft.com 127.0.0.7 5 0
#OSRELAY ip4r relays.osirusoft.com 127.0.0.2 5 0
#OSSMART ip4r relays.osirusoft.com 127.0.0.5 5 0
#OSSOFT ip4r relays.osirusoft.com 127.0.0.6 5 0
#OSSRC ip4r relays.osirusoft.com 127.0.0.4 5 0
With?
[280K attachment removed]
RE: [Declude.JunkMail] OSRELAY Replacement question.
The replacements that I'm using are marked up red with the results for the last few hours.
Best Regards Andy Schmidt HM Systems Software, Inc. 600 East Crescent Avenue, Suite 203 Upper Saddle River, NJ 07458-1846 Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206 http://www.HM-Software.com/
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Smith
Sent: Wednesday, August 27, 2003 09:44 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] OSRELAY question.
Anyone have any recommendations on what to replace:
#OSDUL ip4r relays.osirusoft.com 127.0.0.3 5 0
#OSFORM ip4r relays.osirusoft.com 127.0.0.8 5 0
#OSLIST ip4r relays.osirusoft.com 127.0.0.7 5 0
#OSRELAY ip4r relays.osirusoft.com 127.0.0.2 5 0
#OSSMART ip4r relays.osirusoft.com 127.0.0.5 5 0
#OSSOFT ip4r relays.osirusoft.com 127.0.0.6 5 0
#OSSRC ip4r relays.osirusoft.com 127.0.0.4 5 0
With?
attachment: Declude.PNG
RE: [Declude.JunkMail] Strange Badheader
Most likely, it's a non-Y2K-compliant header
Seems like an error in the decoder CGI? It should be able to handle this bit mask?
Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Monday, August 25, 2003 06:39 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Strange Badheader
08/25/2003 18:15:51 Q8a94039b0274da59 Msg failed BADHEADERS (This E-mail was sent from a broken mail client [a010010f].). Action=WARN.
But http://www.declude.com/tools/header.php?code=a010010f displays:
Code: a010010f. I can't tell from (code a010010f) what tests it failed. I am not that smart, I am just a computer. Sorry!
Now what?
These odd codes can occur sometimes. In this case, the problem is with the Date: header (the same as the code 8010010f). Most likely, it's a non-Y2K-compliant header (which should only occur in SMTP software written in the 1980s). -Scott
--- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you have been missing: Ask for a free 30-day evaluation.
[Declude.JunkMail] Strange Badheader
Hi Scott:
08/25/2003 18:15:51 Q8a94039b0274da59 Msg failed BADHEADERS (This E-mail was sent from a broken mail client [a010010f].). Action=WARN.
But http://www.declude.com/tools/header.php?code=a010010f displays:
Code: a010010f. I can't tell from (code a010010f) what tests it failed. I am not that smart, I am just a computer. Sorry!
Now what?
Best Regards Andy Schmidt HM Systems Software, Inc. 600 East Crescent Avenue, Suite 203 Upper Saddle River, NJ 07458-1846 Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206 http://www.HM-Software.com/
RE: [Declude.JunkMail] Reverse Lookup Delegation
Hi, Some providers will delegate a classless reverse lookup zone to you. That's what you expected. Some providers will NOT delegate the zone to you - instead they have THEIR name server act as secondary to your master name server for that zone, i.e., they do zone transfers from your master server to their name servers - and then their name servers answer the queries.
The customer's CIDR Block: 65.69.21.192/27
If I nslookup 65.69.201.195
So which is it? 65.69.201.x or 65.69.21.x? http://www.dnsstuff.com/tools/ptr.ch?ip=65.69.21.195 shows that there is a valid Reverse DNS - so why do you want to change it? It also indicates that there is NO delegation from the SWBELL name server to yours.
Best Regards Andy Schmidt HM Systems Software, Inc. 600 East Crescent Avenue, Suite 203 Upper Saddle River, NJ 07458-1846 Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206 http://www.HM-Software.com/
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charles Frolick
Sent: Tuesday, July 29, 2003 01:45 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Reverse Lookup Delegation
Scott, I have a customer who hosts their web and DNS with me and their mail on SWBell DSL. SWBell would not create a custom PTR but will delegate the reverse zone of their IP's to my name server (which is cool). The problem is I do not think they did it correctly or my NS handles it in an odd way.
The customer's CIDR Block: 65.69.21.192/27
Zone in my NS: 192/27.21.69.65.in-addr.arpa (this is from the SimpleDNS Plus reverse zone wizard)
Mail server: smtp.gbltx.com [65.69.201.195]
If I nslookup 65.69.201.195, all is fine, if I nslookup 195.201.69.65.in-addr.arpa, it only lists NS records (mine and swbell.net's). This is my first time dealing with reverse zones for anything other than /24 CIDR blocks.
Thanks, Chuck Frolick ArgoNet, Inc.
RE: [Declude.JunkMail] Reverse Lookup Delegation
It's a bit unconventional - and not fool-proof - but functional for now. They added the following information to their name servers:

A) for each IP address a CNAME to the delegated classless zone, e.g.

In their 69.65.in-addr.arpa.
192.201 CNAME 192.192.201.69.65.in-addr.arpa.
193.201 CNAME 193.192.201.69.65.in-addr.arpa.
194.201 CNAME 194.192.201.69.65.in-addr.arpa.
... Etc
192.201 NS argo21.argohouston.com.
192.201 NS argo22.argohouston.com.

B) To match their entries, you need to create your own zone on your name servers:

Zone 192.201.69.65.in-addr.arpa.
192 PTR Host192.argohouston.com.
193 PTR Host193.argohouston.com.
194 PTR Host194.argohouston.com.
(etc - pick whatever valid host names you desire.)

Best Regards
Andy Schmidt
HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charles Frolick
Sent: Tuesday, July 29, 2003 04:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Reverse Lookup Delegation

I typoed, it is 65.69.201.192/27, and my zone is 192/27.201.69.65.in-addr.arpa.

And lookup of http://www.dnsstuff.com/tools/ptr.ch?ip=65.69.201.192 shows:

Asking d.root-servers.net for 192.201.69.65.in-addr.arpa PTR record:
d.root-servers.net says to go to FIGWORT.arin.net. (zone: 65.in-addr.arpa.)
Asking FIGWORT.arin.net. for 192.201.69.65.in-addr.arpa PTR record:
figwort.arin.net says to go to NS2.SWBELL.NET. (zone: 69.65.in-addr.arpa.)
Asking NS2.SWBELL.NET. for 192.201.69.65.in-addr.arpa PTR record:
ns2.swbell.net says to go to argo21.argohouston.com. (zone: 192.201.69.65.in-addr.arpa.)
Asking argo21.argohouston.com. for 192.201.69.65.in-addr.arpa PTR record:
Got unknown response (rc=0 an=0 type= err=).

But http://www.dnsstuff.com/tools/ptr.ch?ip=65.69.201.195 shows:

Asking b.root-servers.net for 195.201.69.65.in-addr.arpa PTR record:
b.root-servers.net says to go to DILL.arin.net. (zone: 65.in-addr.arpa.)
Asking DILL.arin.net. for 195.201.69.65.in-addr.arpa PTR record:
dill.arin.net says to go to NS1.SWBELL.NET. (zone: 69.65.in-addr.arpa.)
Asking NS1.SWBELL.NET. for 195.201.69.65.in-addr.arpa PTR record:
Got CNAME referral to argo21.argohouston.com. (zone 195.192.201.69.65.in-addr.arpa.)
Asking argo21.argohouston.com. for 195.192.201.69.65.in-addr.arpa. PTR record:
Got unknown response (rc=0 an=0 type= err=).

The CNAME response is weird to me.

Thanks,
Chuck Frolick
ArgoNet, Inc.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Tuesday, July 29, 2003 1:29 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Reverse Lookup Delegation

Actually, http://www.dnsstuff.com/tools/ptr.ch?ip=65.69.21.192 shows that swbell isn't delegating authority for the reverse DNS to your servers -- it is simply reporting an answer of adsl-65-69-21-192.dsl.hstntx.swbell.net. You'll need to contact swbell.net to have them delegate authority for the reverse DNS to your servers.

-Scott
[Declude.JunkMail] Reverse Lookup Filter Not Resolving CNAMEs?
Hi Scott:

This log entry shows that WEIGHTFILTER line 18 was triggered:

07/29/2003 17:29:11 Qe72424c300ae45b3 OSSRC:6 nIPNOTINMX:-2 nNOLEGITCONTENT:-3 WEIGHTFILTER:4 . Total weight = 5
07/29/2003 17:29:11 Qe72424c300ae45b3 Msg failed OSSRC ([1] IMGDirect, see http://spews.org/ask.cgi?S804). Action=WARN.
07/29/2003 17:29:11 Qe72424c300ae45b3 Msg failed WEIGHTFILTER (Message failed WEIGHTFILTER test (18)). Action=IGNORE.
07/29/2003 17:29:11 Qe72424c300ae45b3 Subject: Re: FW: you bounced my email as spam
07/29/2003 17:29:11 Qe72424c300ae45b3 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 208.237.120.134 ID:

My Weightfilter line 18 is:

REVDNS 4 ENDSWITH .in-addr.arpa

However, DNSstuff resolves the DNS correctly to secnap2.secnap.net. It appears as if Declude 1.75 is not resolving PTR CNAMEs correctly? I thought we had fixed that problem in an earlier beta?

http://www.dnsstuff.com/tools/ptr.ch?ip=208.237.120.132

Country: UNITED STATES

Preparation: The reverse DNS entry for an IP is found by reversing the IP, adding it to in-addr.arpa, and looking up the PTR record. So, the reverse DNS entry for 208.237.120.132 is found by looking up the PTR record for 132.120.237.208.in-addr.arpa. All DNS requests start by asking the root servers, and they let us know what to do next. See How Reverse DNS Lookups Work for more information.

How I am searching:

Asking i.root-servers.net for 132.120.237.208.in-addr.arpa PTR record:
i.root-servers.net says to go to EPAZOTE.arin.net. (zone: 208.in-addr.arpa.)
Asking EPAZOTE.arin.net. for 132.120.237.208.in-addr.arpa PTR record:
epazote.arin.net says to go to AUTH00.NS.UU.NET. (zone: 237.208.in-addr.arpa.)
Asking AUTH00.NS.UU.NET. for 132.120.237.208.in-addr.arpa PTR record:
auth00.ns.uu.net says to go to ns2.airface.com. (zone: 120.237.208.in-addr.arpa.)
Asking ns2.airface.com. for 132.120.237.208.in-addr.arpa PTR record:
Got CNAME referral to caerulus.cerintha.com. (zone 208.237.132.secnap.net.)
Asking caerulus.cerintha.com. for 208.237.132.secnap.net. PTR record:
Reports secnap2.secnap.net.

Answer: 208.237.120.132 PTR record: secnap2.secnap.net. [TTL 3600s] [A=208.237.120.132]

Best Regards
Andy Schmidt
HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/
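The per-address CNAME scheme from the Reverse Lookup Delegation thread and the PTR-behind-a-CNAME lookup in this message, modelled as an added Python example (not code from the list, from Declude or from any name server). The block, zone names, name servers and HostNNN names are the ones quoted in the thread; the in-memory record table and all function names are assumptions made for the illustration.

```python
import ipaddress

BLOCK = "65.69.201.192/27"                      # customer's block, from the thread
DELEGATED_ZONE = "192.201.69.65.in-addr.arpa."  # zone the provider's records point at
WIZARD_ZONE = "192/27.201.69.65.in-addr.arpa."  # zone name the poster had created
NAME_SERVERS = ["argo21.argohouston.com.", "argo22.argohouston.com."]


def reverse_name(ip):
    """Return the in-addr.arpa owner name for an IPv4 address."""
    return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."


def provider_records(block, child_zone, name_servers):
    """Provider side: NS for the child zone plus one CNAME per address."""
    records = {(child_zone, "NS"): list(name_servers)}
    for ip in ipaddress.ip_network(block):
        last_octet = str(ip).rsplit(".", 1)[1]
        records[(reverse_name(ip), "CNAME")] = [f"{last_octet}.{child_zone}"]
    return records


def customer_records(block, zone, host_format="Host{}.argohouston.com."):
    """Customer side: one PTR per address inside the zone they host."""
    records = {}
    for ip in ipaddress.ip_network(block):
        last_octet = str(ip).rsplit(".", 1)[1]
        records[(f"{last_octet}.{zone}", "PTR")] = [host_format.format(last_octet)]
    return records


def resolve_ptr(ip, records, follow_cname=True, max_hops=8):
    """Look up the PTR for ip in the record table; None means no answer."""
    name = reverse_name(ip)
    for _ in range(max_hops):
        ptr = records.get((name, "PTR"))
        if ptr:
            return ptr[0]
        cname = records.get((name, "CNAME"))
        if not cname or not follow_cname:
            return None      # nothing at this name, or the resolver stops at the alias
        name = cname[0]      # restart the query at the alias target
    return None              # alias loop or chain longer than max_hops


def build_tables():
    """Return (matching, mismatched) record tables for the same provider setup."""
    provider = provider_records(BLOCK, DELEGATED_ZONE, NAME_SERVERS)
    matching = {**provider, **customer_records(BLOCK, DELEGATED_ZONE)}
    mismatched = {**provider, **customer_records(BLOCK, WIZARD_ZONE)}
    return matching, mismatched


if __name__ == "__main__":
    matching, mismatched = build_tables()
    ip = "65.69.201.195"
    print("zone name matches CNAME target:", resolve_ptr(ip, matching))
    print("zone named 192/27...:          ", resolve_ptr(ip, mismatched))
    print("resolver ignores CNAME:        ", resolve_ptr(ip, matching, follow_cname=False))
```

Only the first case returns a host name: the customer's PTR records must sit exactly at the names the provider's CNAMEs point to, and the resolver doing the reverse lookup must follow the alias.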
RE: [Declude.JunkMail] Yahoo Groups.
Hi,

I'm running WebBoard.

Advantage:
You can 'subscribe' to the list and read/reply as before.
You can open the board using NNTP newsreaders (e.g., Outlook Express)
You can read/reply/post/search on the web - and have attachments.
It's a threaded board - no need to quote entire messages just to add I agree.

Most importantly, one can have multiple sections (e.g., New Beta Features, Sample Configurations, Bug Reports, Enhancements) as well as read-only sections where Scott could post announcements, etc.

Disadvantage - to subscribe you first need to set up a user profile.

Best Regards
Andy Schmidt
HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Tuesday, July 22, 2003 01:36 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [Declude.JunkMail] Yahoo Groups.

No thanks. This is less than ideal, but I like Yahoo Groups even less.

I am also not in favour of a Wiki board, because I mistrust the nature of it, that is, the ability for anyone to modify any post. Declude JunkMail is a small fish in a big ocean, but remember that the spammers won't like us. Giving them the ability to delete our reference work is double plus ungood. Adding security on top of that will make unwanted work for somebody.

There must be other more appropriate message board based products, and I suspect that John T. will implement something along those lines.

Andrew..

-Original Message-
From: Rifat Levis [mailto:[EMAIL PROTECTED]
Sent: Monday, July 21, 2003 5:18 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Yahoo Groups.

Hi,

I don't know if anyone else has made a suggestion like this. Do you think that we can move the declude list to yahoo for the following reasons. People can put their config files and share it with others, we can use the database feature. Using the bookmarks, we can put the link to some interesting web pages, etc.

The final decision belongs to Scott of course.

Regards
Rifat Levis
RE: [Declude.JunkMail] Musical MX Records
Hi Pat:

The fix is for the client to firewall block IPs that aren't mine but this doesn't feel right.

Why not? If INDEED their IP address is not listed on any domain's MX record, then this server should indeed only accept contacts from your IP range. Any other contact is either a SPAM, dictionary, virus or hack attack. Not only does it feel right - but it is recommended practice to block ANY ports (and/or addresses) that are not used for legitimate purposes on a particular machine.

As far as that server still being used..., yes, that is somewhat unusual. However, possible explanations include that the machine is or once was an open proxy, an open relay (and thus is traded between spammers as a known friendly entity), or, that the client has OTHER domain names that may have MX record pointing to this server. Finally, without knowing the domain names, we even have to allow for the fact, that not all authoritative name servers have current and valid zone information.

Best Regards
Andy Schmidt
HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Patnode
Sent: Friday, July 18, 2003 05:36 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Musical MX Records

I run a gateway configuration with clients changing their entire MX record to my servers, which in turn point back to the client's server. In this way, clients don't need to change anything else on their end and everyone is happy. The original email server stays wide open and no one is the wiser, until:

A client changed their MX record away from me, then later back to me (they tried to go it alone). Since then, spammers have been sending some spam directly to their server, ignoring the MX record and bypassing my servers/filters all together. I wasn't too worried about it until it happened again, a different client's ISP accidentally changed the MX record, then switched it back - and spam started going around.

The fix is for the client to firewall block IPs that aren't mine but this doesn't feel right. Is there something about DNS/MX switching that might explain how a spammer was able to target a client's IP address based solely on on/off/on record change?

Thanks
Dan

On Friday, July 18, 2003 10:22, Russ Uhte [EMAIL PROTECTED] wrote:

What is happening here is that the spammer is using their own software (spamware) to send the spam. Knowing that many people don't scan E-mail that comes through their backup mailserver(s), their spamware chooses to try the backup mailservers first. If your Exchange server isn't running any anti-spam or anti-virus, I would recommend removing it from the MX record.

Here's my .02. Usually this spamware will do a normal DNS lookup and choose the MX record with the highest priority (which is wrong.) Make a 4th MX record that has the highest priority, and point it at your primary mail server. This will usually trick the spamware into sending to your primary mail server, and still keep your redundancy with real mailservers!!

-Russ
RE: [Declude.JunkMail] ORDB problem, slightly off topic
What are your Imail settings with respect to relaying? Looks as if you may have defined "permit for local hosts" - which is misleading, because all it requires is that the sender use one of your domain names to be able to relay through your system.

You need to either NOT allow relaying (and have your dial-up users use SMTP AUTH) and/or only allow relaying based on specific IP addresses (your own and any trusted IP blocks).

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Glenn Brooks
Sent: Friday, July 18, 2003 09:01 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] ORDB problem, slightly off topic

We got listed on the ORDB database as a mail relay...everywhere I test mail relay, it says we are not running a relay. When looking at the logs...it appears ORDB can get my mail server to mail to their email address of [EMAIL PROTECTED] from my [EMAIL PROTECTED]

you can see the report at: http://ordb.org/lookup/?host=216.165.193.28

I can not for the life of me block this action for retesting by ORDB

I have had ORDB retest 5 times...and it still goes through.

anyone have any suggestions

Glenn Brooks
WebWize, Inc.
713-688-4382
http://www.webwize.com
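The difference between the two relay settings discussed in this exchange, as an added Python sketch (not IMail's code or configuration): `weak_policy` models "relay if the sender uses one of your domain names" as the reply describes it, `strict_policy` models relaying only for SMTP AUTH users or trusted IP blocks. The domain, address ranges and sessions are constructed for the illustration.

```python
import ipaddress

# Constructed values (documentation domains and address ranges).
LOCAL_DOMAINS = {"example.com"}
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed SMTP envelopes: label, client IP, MAIL FROM, RCPT TO, authenticated
SESSIONS = [
    ("inbound mail",       "198.51.100.7", "someone@example.net",    "user@example.com",   False),
    ("office workstation", "192.0.2.10",   "user@example.com",       "friend@example.net", False),
    ("dial-up, SMTP AUTH", "203.0.113.44", "user@example.com",       "friend@example.net", True),
    ("relay tester",       "198.51.100.7", "postmaster@example.com", "probe@example.org",  False),
]


def domain_of(address):
    """Return the lower-cased domain part of an envelope address."""
    return address.rsplit("@", 1)[-1].lower()


def is_relay(rcpt_to):
    """Mail for a non-local recipient is a relay request."""
    return domain_of(rcpt_to) not in LOCAL_DOMAINS


def weak_policy(client_ip, mail_from, rcpt_to, authenticated):
    """Relay whenever MAIL FROM claims a local domain (trivially forged)."""
    if not is_relay(rcpt_to):
        return True
    return domain_of(mail_from) in LOCAL_DOMAINS


def strict_policy(client_ip, mail_from, rcpt_to, authenticated):
    """Relay only for authenticated clients or clients in a trusted block."""
    if not is_relay(rcpt_to):
        return True
    if authenticated:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in TRUSTED_NETS)


def evaluate(policy):
    """Return {label: accepted} for every constructed session."""
    return {label: policy(ip, sender, rcpt, auth)
            for label, ip, sender, rcpt, auth in SESSIONS}


if __name__ == "__main__":
    weak, strict = evaluate(weak_policy), evaluate(strict_policy)
    for label in weak:
        print(f"{label:20} weak={weak[label]!s:5} strict={strict[label]}")
```

The "relay tester" session, an outside host that merely puts a local domain in MAIL FROM, is the only one the two policies decide differently.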
RE: [Declude.JunkMail] I HATE these......
100124,1011 is a valid CompuServe ID account format and [EMAIL PROTECTED] the valid compuserve email address format - not at all toomanynumbersbeforethe@'.

In Europe, you will often see: [EMAIL PROTECTED] Also a perfectly valid email address for the largest European provider.

Even in the U.S., you can see those kind of email addresses, e.g., for email accounts associated with cell phones, DSL numbers etc.

Best Regards
Andy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of paul
Sent: Monday, June 30, 2003 05:34 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] I HATE these..

Everyone,

As I'm not up-to-date with all the latest beta bits etc., here's a quick question:

[EMAIL PROTECTED] [68.154.27.18]

What is the best way to block these? I've seen so much junk from these types of addresses it makes me sick! Now each address has a different # before the @, and different IP, I could crank up SPAMDOMAINS to be a larger fail if NOT compuserve, but moreso my question is - Is there currently a test, or will there be a test, like TOOMANY NUMBERSINADDRESS to catch this sort of stuff? Just as soon as the SPAMDOMAINS is raised they'll no doubt change the name to something else, but continue to use #s before the @.

Thanks!
Paul
RE: [Declude.JunkMail] Another Spamdomain entry
shaw.ca shawcable.net

Best Regards
Andy
RE: [Declude.JunkMail] SPAMDOMAINS sprintpcs.com
Hi,

Actually, your sprintPCS email did NOT have ANY valid Reverse DNS according to the header you included:

X-Note: This E-mail was sent from [No Reverse DNS] ([63.167.114.16]).

Best Regards
Andy Schmidt
HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sheldon Koehler
Sent: Tuesday, June 24, 2003 11:54 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] SPAMDOMAINS sprintpcs.com

I have two today that I question. First it seems sprintpcs.com is coming from not only sprint.com but sprintip.com:

Received: from Hyperion.tenforward.com [65.161.10.61] by tenforward.com with ESMTP (SMTPD32-7.15) id A859C0A90086; Mon, 23 Jun 2003 18:24:41 -0700
Received: from dedicated59-bos.wh.sprintip.net (unknown [63.167.114.16]) by Hyperion.tenforward.com (Postfix) with ESMTP id A42663AE0B for [EMAIL PROTECTED]; Mon, 23 Jun 2003 18:24:38 -0700 (PDT)
Received: from TRAVELERS (000-116-823.area7.spcsdns.net [68.25.203.238]) by dedicated59-bos.wh.sprintip.net (iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003)) with ESMTPA id [EMAIL PROTECTED] for [EMAIL PROTECTED]; Tue, 24 Jun 2003 01:24:38 + (GMT)
Date: Mon, 23 Jun 2003 18:24:29 -0700
From: traveler [EMAIL PROTECTED]
Subject: delivery problem please help
To: [EMAIL PROTECTED]
Message-id: [EMAIL PROTECTED]
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.
X-Mailer: Microsoft Outlook Express 6.00.2600.
Content-type: multipart/mixed; boundary=Boundary_(ID_CWjq/YnYkzKdW4cfcZlOYw)
X-Priority: 3
X-MSMail-priority: Normal
X-Declude-Sender: [EMAIL PROTECTED] [63.167.114.16]
X-Note: This E-mail was scanned for spam.
X-Spam-Tests-Failed: Whitelisted
X-Note: This E-mail was scanned for Viruses and found clean.
X-Note: This E-mail was sent from [No Reverse DNS] ([63.167.114.16]).
X-Spam-Prob: 0.000430
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 319667998

Would the SD.TXT file work with:

sprintpcs.comsprint

No punctuation or anything? How about:

sprintsprint

And then Prodigy strikes again with:

Received: from Hyperion.tenforward.com [65.161.10.61] by tenforward.com with ESMTP (SMTPD32-7.15) id A57C14C20150; Tue, 24 Jun 2003 05:35:08 -0700
Received: from pimout6-ext.prodigy.net (pimout6-ext.prodigy.net [207.115.63.78]) by Hyperion.tenforward.com (Postfix) with ESMTP id 5094D3ACEB for [EMAIL PROTECTED]; Tue, 24 Jun 2003 05:35:06 -0700 (PDT)
Received: from compaq (adsl-65-43-166-101.dsl.bcvloh.ameritech.net [65.43.166.101]) by pimout6-ext.prodigy.net (8.12.9/8.12.9) with SMTP id h5OCZ46r029590 for [EMAIL PROTECTED]; Tue, 24 Jun 2003 08:35:04 -0400
Message-ID: [EMAIL PROTECTED]
From: Joan Gibbs [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Fw: Undeliverable Mail
Date: Tue, 24 Jun 2003 08:35:27 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.3110.1
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3
X-Declude-Sender: [EMAIL PROTECTED] [207.115.63.78]
X-Note: This E-mail was scanned for spam.
X-Spam-Tests-Failed: Whitelisted
X-Note: This E-mail was scanned for Viruses and found clean.
X-Note: This E-mail was sent from pimout6-ext.prodigy.net ([207.115.63.78]).
X-Spam-Prob: 0.000430
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 319668419

Is Ameritech part of Prodigy/Yahoo? What a mess...

Sheldon

Sheldon Koehler, Owner/Partner
http://www.tenforward.com
Ten Forward Communications 360-457-9023
Nationwide access, neighborhood support!

Whenever you find yourself on the side of the majority, it's time to pause and reflect. Mark Twain
RE: [Declude.JunkMail] Whitelisting problems
Yes, that is a problem.

Ideally, the postmaster should be white listed conditionally - e.g., if it is the ONLY recipient, then it is white listed - however, if the email has multiple recipients, then it is not white listed.

I could then add this to our email policy and any automated notices: if people want to send email to postmaster and bypass any blocks, then it cannot contain any other recipients.

Best Regards
Andy Schmidt
HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sheldon Koehler
Sent: Tuesday, June 24, 2003 11:38 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Whitelisting problems

It seems some spammers are figuring out that postmaster is whitelisted. Therefore they are making sure postmaster is in the CC or BCC field as in the headers below. Then everyone gets the spam email!!! Any ideas on how to keep this from happening?

Received: from Hyperion.tenforward.com [65.161.10.61] by tenforward.com with ESMTP (SMTPD32-7.15) id A16642430150; Tue, 24 Jun 2003 07:34:14 -0700
Received: from 210006095043.ctinets.com (210006095043.ctinets.com [210.6.95.43]) by Hyperion.tenforward.com (Postfix) with SMTP id D4E6B3AD12; Tue, 24 Jun 2003 07:34:09 -0700 (PDT)
Received: from h8ni.wxio.net ([105.164.244.193]) by 210006095043.ctinets.com with ESMTP id 612508-69068 for [EMAIL PROTECTED]; Tue, 24 Jun 2003 14:29:57 -0100
Message-ID: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: are they OK for you?
Date: Tue, 24 Jun 03 14:29:57 GMT
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=.8E11._.7D
X-Priority: 3
X-MSMail-Priority: Normal
X-Declude-Sender: [EMAIL PROTECTED] [210.6.95.43]
X-Note: This E-mail was scanned for spam.
X-Spam-Tests-Failed: Whitelisted
X-Note: This E-mail was scanned for Viruses and found clean.
X-Note: This E-mail was sent from 210006095043.ctinets.com ([210.6.95.43]).
X-Spam-Prob: 0.934722
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 319668496

Sheldon

Sheldon Koehler, Owner/Partner
http://www.tenforward.com
Ten Forward Communications 360-457-9023
Nationwide access, neighborhood support!

Whenever you find yourself on the side of the majority, it's time to pause and reflect. Mark Twain
RE: [Declude.JunkMail] VIAGRA won't die
yes, email from Europe or Quebec may use ISO encoding to include national language characters. Or email where the subject line refers to individuals with foreign names or places, e.g.

SUBJECT: Meeting at 1 PM with Mr. Déjà

Best Regards
Andy Schmidt
HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Gable
Sent: Tuesday, June 24, 2003 01:21 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] VIAGRA won't die

Apparently, this means "Generic Viagra" as revealed in the Declude Log file:

=?iso-8859-1?B?R2VuZXJpYyBWaWFncmE=?=

What can you do about obfuscated subjects using ISO character sets? I was thinking of filtering them based on partial string, like this:

SUBJECT 30 CONTAINS =?iso-8859

Is it safe to filter this? In other words, would a legitimate or casual sender ever use such a method to display a subject? Is there a list of ISO character sets that can be filtered?

Thanks!
Mike
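The trade-off in this exchange, as an added Python example (not Declude functionality and not code from the list): decode the RFC 2047 encoded-word first and match keywords on the decoded text, instead of scoring every subject that contains `=?iso-8859`. The Base64 subject is the one quoted above; the Q-encoded form of the "Mr. Déjà" subject, the plain subject and the function names are constructed for the illustration.

```python
from email.errors import HeaderParseError
from email.header import decode_header

KEYWORDS = ("viagra",)  # term taken from the message; a real list would be longer

# Constructed sample set: one subject from the post, two built for the comparison.
SAMPLES = {
    "spam_b64": "=?iso-8859-1?B?R2VuZXJpYyBWaWFncmE=?=",
    "legit_q": "=?iso-8859-1?Q?Meeting_at_1_PM_with_Mr._D=E9j=E0?=",
    "legit_plain": "Re: FW: you bounced my email as spam",
}


def decode_subject(raw):
    """Decode RFC 2047 encoded-words; fall back to the raw text on bad input."""
    try:
        parts = decode_header(raw)
    except HeaderParseError:
        return raw
    out = []
    for data, charset in parts:
        if isinstance(data, bytes):
            try:
                out.append(data.decode(charset or "ascii", errors="replace"))
            except LookupError:  # unknown charset label
                out.append(data.decode("latin-1"))
        else:
            out.append(data)     # header had no encoded-words at all
    return "".join(out)


def raw_prefix_hit(raw):
    """The proposed rule: any subject carrying an ISO-8859 encoded-word."""
    return "=?iso-8859" in raw.lower()


def keyword_hit(raw):
    """Alternative: keyword match on the decoded subject."""
    text = decode_subject(raw).lower()
    return any(word in text for word in KEYWORDS)


def classify(samples):
    """Return {name: (raw_prefix_hit, keyword_hit)} for each sample subject."""
    return {name: (raw_prefix_hit(s), keyword_hit(s)) for name, s in samples.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:12} {decode_subject(raw)!r:40} "
              f"prefix={raw_prefix_hit(raw)} keyword={keyword_hit(raw)}")
```

The prefix rule scores both encoded subjects, including the legitimate one with accented characters; the decoded match scores only the obfuscated spam subject.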
RE: [Declude.JunkMail] Challenge Response- No way to win
The key is to use Challenge/Response systems ONLY if the sender is questionable, e.g., is an open relay, has no Reverse DNS, has a bogus HELO, etc.

This way, the sending party has the option to properly set up a COMPLIANT mail server and they will NOT have to deal with responding to any challenges. If they want to conduct eCommerce, let's get it right. If they don't, then they deserve that their emails are treated as "questionable" and may never get delivered.

Best Regards
Andy Schmidt
HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan
Sent: Tuesday, June 17, 2003 04:15 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Challenge Response- No way to win

Hi;

Look at the new challenge response we just received. There is no way to fix this problem.

-
*** Attention! ***
In order to complete delivery of your email to [[EMAIL PROTECTED]] please reply on this message by typing the following passcode on the first line. Please reply within 4 day(s) to avoid automatic deletion of your original email. Keep this text in your reply.
-
MailSword_Code: 6482
-- MailSword 1.20 Beta --
MailSword_Verify: [EMAIL PROTECTED]
MailSword_Original_Message_Id: 348618345
MailSword_Local_Message_Id: ###91FD7332###
===

Now there is a code that you have to type before your message is delivered. eCommerce is dead!

Regards,
Kami
RE: [Declude.JunkMail] Spamdomains lookup timeout
Markus,

The idea is, that we don't want to block VALID email. So, if a reverse lookup times out, there is no way to determine if there is no valid match and we can't just assume that it is SPAM.

Time-outs could be temporary problems with a particular DNS server, it could be a routing problem on the Internet - any number of reasons.

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Saturday, June 14, 2003 09:22 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Spamdomains lookup timeout

Hi all,

I'm not sure about this, but I've seen some spam messages coming from domains contained in our sd-file. (hotmail.com) However the messages haven't failed the SPAMDOMAINS test.

For example from the Sender-IP: 218.25.255.18

Can it be, because it's not possible to finish the REVDNS-query?
http://www.dnsstuff.com/tools/ptr.ch?ip=218.25.255.18

Question? If it's so, that a timeout in a REVDNS-query doesn't trigger the test, can we change this, so that a timeout triggers the test? What if a query for a legit sender-IP times out? Why can a REVDNS-query time out? Isn't it so, that any reachable IP is assigned to someone?

Markus
RE: [Declude.JunkMail] SKIPIFVIRUSNAMEHAS
I decided against notifying the recipient for Vulnerabilities. Apparently, vulnerabilities are essentially spam - and notifying the recipient would mean that they end up getting an unwanted message after all.

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Saturday, June 14, 2003 03:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] SKIPIFVIRUSNAMEHAS

I have seen it discussed as something some wanted, but I never saw anything talking about being able to use a vulnerability.eml file in a release of Declude. I tried searching the archives but vulnerability.eml actually shows every email with vulnerability in it which is a lot of mail. Also I didn't see anything on declude.com/Virus/manual.htm about it. Is this in 1.70beta ? Is it new?

It is not new, but included as of about 1.65 I think. I use it quite successfully. Here is my vulnerability.eml file:

___
SKIPIFVIRUSNAMEDOESNOTHAVE Vulnerability
From: [EMAIL PROTECTED]
To: %ALLRECIPS%,[EMAIL PROTECTED]
Subject: We blocked an e-mail sent to you!

Delivery blocked: %ALLRECIPS%

The mail server for %LOCALHOST% scans each e-mail for Viruses, SPAM (Junk Mail) and e-mail vulnerabilities. We caught an e-mail addressed to you that is formatted with %VIRUSNAME%, and have quarantined it for your protection. If you recognize the below information as a valid e-mail that you want or should have received, please let us know. Otherwise, the e-mail will be deleted after 3 days.

FROM: %MAILFROM%
TO: %ALLRECIPS%
SUBJECT: %SUBJECT%
Remote IP: %REMOTEIP%
DATE: %DATE% @ %TIME%
SPOOL FILE: %QUEUENAME%

Headers of the e-mail in question:
%HEADERS%
___

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
[Declude.JunkMail] Declude Garbled Variables
Hi Scott:

I noticed that most email coming from the t-online servers have mangled X-Declude Headers, e.g. the Reverse DNS is always replaced with the trailing end of the first "Received" time-stamp and the beginning of the Message-ID or whichever header happens to follow, e.g. "31:22 +0200 \n Message-ID: 0 " or "53:02 +0200 \n Reply-To: in" etc. Also, the X-Countries has a "null string".

I have:

XINHEADER X-Declude: Version %VERSION%; %QUEUENAME% from %REVDNS% [%REMOTEIP%]
XINHEADER X-Declude: Triggered %TESTSFAILED% [%WEIGHT%]
XINHEADER X-Countries: %COUNTRYCHAIN%
XINHEADER Return-Path: %MAILFROM%

Here are TWO different emails from two different senders using the same provider:

Received: from mailout03.sul.t-online.com [194.25.134.81] by hm-software.com with ESMTP (SMTPD32-7.07) id A88AF4F0076; Fri, 13 Jun 2003 14:31:38 -0400
Received: from fwd07.aul.t-online.de by mailout03.sul.t-online.com with smtp id 19QtKs-0005Fh-04; Fri, 13 Jun 2003 20:31:38 +0200
Received: from harald ([EMAIL PROTECTED]]) by fwd07.sul.t-online.com
 with smtp id 19QtKc-1MKVvM0; Fri, 13 Jun 2003 20:31:22 +0200
Message-ID: [EMAIL PROTECTED]
Reply-To: "Harald_Mergard" [EMAIL PROTECTED]
From: [EMAIL PROTECTED] (Harald_Mergard)
To: "Andy A Schmidt" [EMAIL PROTECTED]
Subject: =?iso-8859-1?Q?Fw:_element_5_Marketing_Agreement_-_Marketingunterst=FCtzu?=
 =?iso-8859-1?Q?ng=2C_die_sich_lohnt!?=
Date: Fri, 13 Jun 2003 20:31:21 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="=_NextPart_000_002A_01C331EA.C01C8A30"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
X-Seen: false
X-ID: [EMAIL PROTECTED]
X-Declude: Version 1.70i11; D188a0f4f0076db0f.SMD from 31:22 +0200
Message-ID: 0 [194.25.134.81]
X-Declude: Triggered Whitelisted [0]
X-Countries:
Return-Path: [EMAIL PROTECTED]
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 353555725

Received: from mailout08.sul.t-online.com [194.25.134.20] by hm-software.com with ESMTP (SMTPD32-7.07) id A1017DAF0072; Fri, 13 Jun 2003 04:53:21 -0400
Received: from fwd04.aul.t-online.de by mailout08.sul.t-online.com with smtp id 19QkJF-0003TD-04; Fri, 13 Jun 2003 10:53:21 +0200
Received: from gerharddell ([EMAIL PROTECTED]]) by fwd04.sul.t-online.com
 with smtp id 19QkIw-0YPJQG0; Fri, 13 Jun 2003 10:53:02 +0200
Reply-To: [EMAIL PROTECTED]
From: [EMAIL PROTECTED] (Gerhard Huss)
To: [EMAIL PROTECTED]
Subject: mechanik-fruehwein.de
Date: Fri, 13 Jun 2003 10:54:27 +0200
Message-ID: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: text/plain;
 charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2910.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.
X-Seen: false
X-ID: [EMAIL PROTECTED]
X-Declude: Version 1.70i11; D91017daf00726e29.SMD from 53:02 +0200
Reply-To: inf [194.25.134.20]
X-Declude: Triggered Whitelisted [0]
X-Countries:
Return-Path: [EMAIL PROTECTED]
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 353555634

Best Regards
Andy Schmidt
HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/
RE: [Declude.JunkMail] Using SPAMDOMAINS and negative weights?
Would it?

In my opinion, yes. What he basically wants is:

A) if domain does not appear in the SPAMDOMAINS file, then the weight should remain unaffected (the outcome is: N/A - Not applicable).
B) if domain DOES appear in SPAMDOMAINS file and matches, then credit is given for good behavior
C) if domain DOES appear in SPAMDOMAINS file and mismatches, then weight is added for bad behavior.

It does make sense to me that these comparative tests against a filtered list (e.g., the SPAMDOMAIN file) could have the "does not apply" outcome where NO weight is modified.

Best Regards
Andy Schmidt
HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Monday, June 09, 2003 04:56 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Using SPAMDOMAINS and negative weights?

The problem here is that instead of having a test with 2 results (pass/fail), you've got a test with 3 results (pass/fail/na). That would require a major change to the Declude architecture to handle.

But it would make sense G.

Would it? The only tests I can think of that can have more than 2 different outcomes would be set up as multiple tests.

In the meantime, couldn't he define the test TWICE, once assigning a positive weight for failure and one with a negative weight for non-failure?

Not the way I am looking at it. This would have the same effect as having the test defined once, with both a weight for failure and a negative weight for non-failure.

What he is talking about is something like having the SPAMDOMAINS test being split into 2 tests, one that says "For E-mail with a return address of yahoo.com or hotmail.com, the E-mail should fail TEST1 if the reverse DNS entry doesn't have yahoo.com or hotmail.com in it", and another that says "All E-mail should fail TEST2 unless it comes from yahoo.com or hotmail.com". I think it might be possible to do this with a filter, but this gets very confusing.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you have been missing: Ask for a free 30-day evaluation.
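The three-outcome test described in this thread, as an added example in Python (not Declude code or configuration): a listed sender domain gets credit or weight depending on reverse DNS, an unlisted one is left alone, and two-outcome scoring is shown beside it for comparison. The rule table, weights and sample connections are constructed, and the reverse-DNS comparison is a label-boundary suffix match, which is stricter than the "has it in it" match the thread describes.

```python
from enum import Enum


class Outcome(Enum):
    NA = "n/a"      # sender domain is not on the list: leave the weight alone
    PASS = "pass"   # listed domain, reverse DNS agrees: give credit
    FAIL = "fail"   # listed domain, reverse DNS disagrees: add weight


# Constructed rule table (an assumption, not Declude's file format):
# return-address domain -> domains the connecting host's reverse DNS may end in.
RULES = {
    "yahoo.com": ("yahoo.com",),
    "hotmail.com": ("hotmail.com",),
    "excite.com": ("excite.com", "excitenetwork.com"),
}


def under(host, domain):
    """True if host is domain or a subdomain of it (label-boundary match)."""
    host = host.rstrip(".").lower()
    return host == domain or host.endswith("." + domain)


def sender_domain(mail_from):
    """Domain of the envelope sender, or None for the null sender or junk."""
    addr = mail_from.strip().strip("<>")
    if addr.count("@") != 1:
        return None
    return addr.rsplit("@", 1)[1].lower() or None


def evaluate(mail_from, rdns):
    """Three-outcome comparison of envelope sender against reverse DNS."""
    domain = sender_domain(mail_from)
    if domain is None:
        return Outcome.NA
    for listed, allowed in RULES.items():
        if under(domain, listed):
            if rdns and any(under(rdns, a) for a in allowed):
                return Outcome.PASS
            return Outcome.FAIL      # also covers "no reverse DNS at all"
    return Outcome.NA


def weight_three_outcome(outcome, fail_weight=5, pass_credit=3):
    """N/A changes nothing; only listed domains are credited or penalised."""
    table = {Outcome.FAIL: fail_weight, Outcome.PASS: -pass_credit, Outcome.NA: 0}
    return table[outcome]


def weight_two_outcome(outcome, fail_weight=5, pass_credit=3):
    """Pass/fail engine: everything that did not fail counts as non-failure,
    so mail from domains that are not on the list collects the credit too."""
    return fail_weight if outcome is Outcome.FAIL else -pass_credit


# Constructed sample connections: (envelope sender, reverse DNS of connecting IP)
SAMPLES = [
    ("alice@yahoo.com", "web1.mail.yahoo.com"),
    ("bob@yahoo.com", "dsl-1-2-3-4.example.net"),
    ("carol@excite.com", "mx.excitenetwork.com"),
    ("dave@yahoo.com", "yahoo.com.example.net"),   # substring match would pass this
    ("erin@smallbiz.example", "mail.smallbiz.example"),
    ("frank@hotmail.com", None),
]


def run(samples=SAMPLES):
    rows = []
    for mail_from, rdns in samples:
        outcome = evaluate(mail_from, rdns)
        rows.append((mail_from, outcome,
                     weight_three_outcome(outcome), weight_two_outcome(outcome)))
    return rows


if __name__ == "__main__":
    for mail_from, outcome, w3, w2 in run():
        print(f"{mail_from:24} {outcome.value:5} three-outcome={w3:+d} two-outcome={w2:+d}")
```
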
RE: [Declude.JunkMail] spamdomains list
Here are two big international ones: t-online.de t-online.com wanadoo.fr

Best Regards
Andy Schmidt
HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Friday, May 30, 2003 01:16 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] spamdomains list

Here is my list thus far: amazon.com aol.com apple.com att. attbi.com bellsouth.net charter.net comcast. compuserve.com cox. earthlink. excite.com gte. hotmail.com juno.com .untd.com lycos.com microsoft.com mindspring. msn.com .hotmail.com netscape. psi. qwest. .rr.com verio. verizon. .bellatlantic. yahoo.com

Bill

- Original Message -
From: Scott MacLean [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, May 30, 2003 9:49 AM
Subject: Re: [Declude.JunkMail] spamdomains list

If someone has a comprehensive spamdomains listing they are happy with, could they post it for others to analyze/use?

At 10:36 AM 5/30/2003, Bill Landry wrote:

One comment. Instead of having: yahoo.com yahoo.ca yahoo.com yahoo.de yahoo.com yahoo.dk yahoo.com yahoo.es yahoo.com yahoo.fr yahoo.com yahoo.it yahoo.com yahoo.no yahoo.com yahoo.se yahoo.com yahoo.co.jp yahoo.com yahoo.co.uk yahoo.com yahoo.com.ar yahoo.com yahoo.com.au yahoo.com yahoo.com.br yahoo.com yahoo.com.cn yahoo.com yahoo.com.hk yahoo.com yahoo.co.kr yahoo.com yahoo.com.mx yahoo.com yahoo.com.tw yahoo.com

Why not just consolidate this down to: yahoo.yahoo.com

Bill

- Original Message -
From: Bill B. [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, May 30, 2003 7:20 AM
Subject: [Declude.JunkMail] spamdomains list

Attached is a list of spamdomains and their corresponding aliases that I've compiled thus far. Anybody want to comment or expand upon this?

Bill

___
Scott MacLean [EMAIL PROTECTED]
ICQ: 9184011
http://www.nerosoft.com
[Declude.JunkMail] More Spam Tests?
Hi Scott:

This tool did some filtering that may be of interest to you?

* 3.5 -- Forged mail pretending to be from MS Outlook
* 0.5 -- Message has X-MSMail-Priority, but no X-MimeOLE

I'm enclosing the header and their entire assessment of this message (it had a fake sender, so the bounce got back to me).

Best Regards
Andy Schmidt
HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/

--- Message which triggered moderation

From [EMAIL PROTECTED] Tue Jun 3 13:58:37 2003
Return-Path: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: from localhost (localhost [127.0.0.1]) by polaris.dazza.org (Postfix) with ESMTP id 33A0425410A for [EMAIL PROTECTED]; Tue, 3 Jun 2003 13:58:37 -0700 (PDT)
Received: by polaris.dazza.org (Postfix, from userid 79) id 2EC3725410B; Tue, 3 Jun 2003 13:58:36 -0700 (PDT)
Received: from localhost [127.0.0.1] by polaris.dazza.org with SpamAssassin (2.55 1.174.2.19-2003-05-19-exp); Tue, 03 Jun 2003 13:58:36 -0700
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: *SPAM* Approved
Date: Tue, 3 Jun 2003 13:56:05 --0700
Message-Id: [EMAIL PROTECTED]
X-Spam-Flag: YES
X-Spam-Status: Yes, hits=8.5 required=5.0 tests=DATE_IN_PAST_06_12,FORGED_MUA_OUTLOOK,INVALID_DATE,
 MIME_MISSING_BOUNDARY,MISSING_MIMEOLE,NO_REAL_NAME,
 RAZOR2_CHECK version=2.55
X-Spam-Level:
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=--=_3EDD0BFC.2FD31CBE
X-Virus-Scanned: by AMaViS snapshot-20020300

This is a multi-part message in MIME format.

=_3EDD0BFC.2FD31CBE
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Start SpamAssassin results
8.50 points, 5 required;
* 0.8 -- From: does not include a real name
* 0.6 -- Invalid Date: header (not RFC 2822)
* 0.2 -- RAW: MIME section missing boundary
* 2.1 -- Listed in Razor2, see http://razor.sf.net/
* 0.8 -- Date: is 6 to 12 hours before Received: date
* 3.5 -- Forged mail pretending to be from MS Outlook
* 0.5 -- Message has X-MSMail-Priority, but no X-MimeOLE
[Declude.JunkMail] Apparent Problem with REVDNS Filter in Version 1.70i2
Hi Scott:

Here are three relevant lines of the WEIGHTFILTER.TXT:

#16:
#17:REVDNS 4 ENDSWITH.in-addr.arpa
#18:

DNSStuff reports a valid REVDNS:

12.29.228.5 PTR record: oldtfw04.pearsontc.com. [TTL 86400s] [A=12.29.228.5]

Yet, the mail failed WEIGHTFILTER at line 17. See the log filter - the ONLY place where I see the string in-addr.arpa is in your ID: field - behind some apparent garbled characters. Is there a problem with the REVDNS ENDSWITH filter, e.g., some buffer overrun?

06/05/2003 17:51:09 Qbb4535320128b6b9 HELOBOGUS:3 HEUR10:4 WEIGHTFILTER:4 . Total weight = 11
06/05/2003 17:51:09 Qbb4535320128b6b9 Msg failed HELOBOGUS (Domain oldtms705.pearsontc.com has no MX or A records.). Action=WARN.
06/05/2003 17:51:09 Qbb4535320128b6b9 Msg failed HEUR10 (Heuristic spam detection level 10 [1.00]). Action=IGNORE.
06/05/2003 17:51:09 Qbb4535320128b6b9 Msg failed WEIGHTFILTER (Message failed WEIGHTFILTER test (17)). Action=IGNORE.
06/05/2003 17:51:09 Qbb4535320128b6b9 Msg failed WEIGHTREPORT (Total weight between 11 and 15.). Action=ALERT.
06/05/2003 17:51:09 Qbb4535320128b6b9 Msg failed WEIGHT10 (Total weight between 10 and 19.). Action=SUBJECT.
06/05/2003 17:51:09 Qbb4535320128b6b9 Subject: Screen shots: Merrill Lynch store
06/05/2003 17:51:09 Qbb4535320128b6b9 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 12.29.228.5 ID: [EMAIL PROTECTED]5.228.29.12.in-addr.arpa

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
[Declude.JunkMail] %HELOHOST% in Virus Recipient Notifications - Suggestion
Hi,

Thanks to the 1.70i4 mishap we finally had the rare opportunity, to actually receive some of these viruses that normally get blocked by Declude. I noticed, that our recipient notifications use the following variables:

%REMOTEHOST%, %SENDERHOST%, %LOCALHOST%, %RECIPHOST%

But none of them list the HELO name used by the infected workstation (which, in case of BugBear.B may show me the name of the Windows Workstation who's spreading the virus.)

Scott, I noticed that the above four variables are 50% redundant - yet, none of them truly inserts the sender host (e.g., the configured name used in the HELO).

Best Regards
Andy Schmidt
HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/

-Original Message-
From: Postmaster [mailto:[EMAIL PROTECTED]
Sent: Friday, June 06, 2003 02:22 PM
To: [EMAIL PROTECTED]
Subject: Virus Firewall has Blocked an Email to You

Argos Networks' Virus Firewall has rejected an incoming message sent to 1 recipient(s). It was using a from address of [Forged]. (Please note, some vira have the ability to forge the email address of the sender.)

The message with the subject of virus bei mir angekommen carried a virus:

File: Old Excel Documents.lnk.zlo
Result: Found the W32/[EMAIL PROTECTED] virus !!!

For more information see http://vil.mcafee.com/.

TRACKING INFORMATION

Their Domain: t-online.de for t-online.de (may be forged!)
IP Address: 194.25.134.80
Message ID: [EMAIL PROTECTED]
Our Domain: hm-software.com for hm-software.com
Queue ID: Ddbd212f50202d9a9.SMD of 06/06/2003 14:22:14
Version: 1.70

TRACKING FORGED SENDERS

If the infected email came from a forged sender, then it is often impractical to track down the actual infected party. The following two links can help identify either the ISP or the organisation, who owns the IP address that the infected party was using:

http://www.dnsstuff.com/tools/whois.ch?ip=194.25.134.80
http://www.dnsstuff.com/tools/ptr.ch?ip=194.25.134.80

IMPORTANT LEGAL NOTICE

As a courtesy to customers, we attempt to block incoming vira before they reach your mailbox. However, Argos Networks cannot warrant that this will always be successful. We do not accept any liability in case a virus passes through. You are solely responsible for taking your own protective measures to avoid any infections of your computers.

Sincerely,
Argos Networks
http://www.ArgosWeb.net/
RE: [Declude.JunkMail] Best use of Header and total Weight
In the Global.cfg have:

WEIGHTHDR weightrange x x 6 7

In your $Default$.Junkmail have:

WEIGHTHDR WARN X-RBL-Warning: Failed %TESTSFAILED% [%WEIGHT%]

Best Regards
Andy Schmidt
HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Keith Purtell
Sent: Friday, June 06, 2003 04:52 PM
To: Declude JunkMail (E-mail)
Subject: [Declude.JunkMail] Best use of Header and total Weight

I'm trying to come up with the best way to insert a header into the body of our incoming corporate email, which will tell the recipient that the sender's message has almost acquired enough weight to be deleted. The header should only appear if the email is within a few points of deletion. I understand how to use the HEADER action as described in the manual. It's making it contingent on the WEIGHT variable that I'm not sure about. Just upgraded to the Pro version. Archive still down.

Keith Purtell, Web/Network Administrator
VantageMed Operations (Kansas City)
Email: [EMAIL PROTECTED]
[Declude.JunkMail] Non-unique MessageID vs. BADHEADERS ?
Hi Scott:

Shouldn't this message ID cause a "BADHEADERS" failure:

Message-ID: [EMAIL PROTECTED]

since "athlon" is not guaranteed to be a unique occurrence (because it's not a FQDN)?

-Original Message-
Received: from athlon [208.169.85.246] by hm-software.com (SMTPD32-7.07) id A2D53DD0246; Tue, 03 Jun 2003 15:11:17 -0400
x-esmtp: 0 0 1
Message-ID: [EMAIL PROTECTED]
Return-Receipt-To: [EMAIL PROTECTED]
Errors-to: [EMAIL PROTECTED]
Return-Path: [EMAIL PROTECTED]
Organization: Ingresos por Internet
Disposition-Notification-To: [EMAIL PROTECTED]
From: "Julio" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: =?iso-8859-15?Q?Gane_$40,000_d=F3lares_en_60_d=EDas,_garantizado?=
Date: Tue, 3 Jun 2003 13:19:10 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_NextPart_20918151083799218191033"
X-Declude-Note: Domain athlon returns a server failure for MX or A records.
X-Declude: Version 1.70i2; Df2d503dd0246cf62.SMD from (timeout) [208.169.85.246]
X-Declude: Triggered HELOBOGUS, IPNOTINMX, HEUR8 [2]
X-Countries: UNITED STATES-destination
Return-Path: [EMAIL PROTECTED]
X-Spam-Prob: 0.203525
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 353553890

From: Julio [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 03, 2003 02:19 PM
To: [EMAIL PROTECTED]
Subject: Earn $40,000 dollars in 60 days, guaranteed
Importance: Low

Earn $40,000 dollars in 60 days, guaranteed! This message is being sent to you only once, so this is your only chance!

Hello, entrepreneurial friend!! We are all in the same boat: trying to generate extra income over the Internet, but did you know that among all the money-making program offers currently circulating on the net, there is one that beats all the others and is all the rage? Why? Because you can easily verify the honesty of the person inviting you to participate and that of the program. You receive your earnings right at your front door, with no intermediaries, and you don't have to read mails for measly cents, you don't have to buy or sell expensive products, you don't have to pay expensive sign-up fees. I didn't believe it at first, but I took the risk and tried it and now I am receiving my gifts (US$) right at home! It's real! And since I really know it works, I dare to invite you; you only need US$ 10 (or 10 euros) to invest. I am talking about earning $40,000 dollars in 60 days, !!! guaranteed !!!. Take part, you won't regret it!

Regards
Julio

For more information, forward this e-mail with "solicito más información" ("I request more information") in the subject.

IMPORTANT: More information will only be sent if you expressly request it. My apologies if this has caused you any inconvenience - NOT SPAM

Your address was obtained from a public site and our intention is only to inform you about our offer; we apologize if it is not of interest to you. For all purposes we adhere to the considerations established by the United States Federal Requirements for Commercial E-mail Bill, Section 301 paragraph (a) C) of S. 1618 title 3, approved by the 105th Congress, based on the international regulations which establish that an email cannot be considered SPAM as long as it includes a way to be REMOVED. If you receive it again it would be by mistake, and should that happen, I ask that you please return it to me asking me to remove you. Your data is not part of any database in my possession. To stop receiving information about this program, please forward this email with the word "Remover" ("Remove") in the subject. Thank you for your attention.
RE: [Declude.JunkMail] Non-unique MessageID vs. BADHEADERS ?
Ouch... So the HELOBOGUS will apply the same logic and NO longer check for BOGUS host names? If not - then why doesn't the same logic apply?

Frankly, I rather prefer to have a test that does what it advertises to do (e.g., check for BAD HEADERS), and then let ME decide via weights, how highly I want to rate this.

Remember: Nobody is forced to use the BADHEADERS test - but those who do should be able to 'rely' on it discovering non-compliancy. E.g., I might choose to use it as a NEGATIVE test, where I give email credit for having valid, compliant headers!

For all other purposes you have the SPAMHEADERS test that is designed/advertised to be flexible and which is expected to adapt based on occurrence of certain issues in the wild - so THERE it would make sense to leave the MessageID FQDN check out of SPAMHEADERS.

Best Regards
Andy Schmidt
HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Tuesday, June 03, 2003 03:34 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Non-unique MessageID vs. BADHEADERS ?

Shouldn't this message ID cause a BADHEADERS failure: Message-ID: [EMAIL PROTECTED] since athlon is not guaranteed to be a unique occurrence (because it's not a FQDN)?

Technically, it should. :) We used to have the BADHEADERS test check for this. However, the problem is that probably at least 1/2 of all mail clients are not RFC-compliant, in that they use a non-fully-qualified hostname (athlon rather than athlon.example.com). I just checked the last 3 personal E-mails I received, and all 3 had Message-ID: headers with a non-fully-qualified hostname. Although we normally like to push people into compliance, this is a war we won't be able to win.

-Scott
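A sketch of the Message-ID check discussed in this thread, added here as an example (it is not Declude's BADHEADERS code): it classifies the right-hand side of a Message-ID and leaves the weight for each class to the administrator, including a negative weight that gives credit for a fully qualified name. The POLICY weights and the sample messages are constructed.

```python
import re
from email import message_from_string

# "<left@right>" with no whitespace, angle brackets or extra "@" inside.
MSGID_RE = re.compile(r"^<([^<>@\s]+)@([^<>@\s]+)>$")
# One DNS label: letters, digits, inner hyphens, at most 63 characters.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def classify_message_id(value):
    """Classify a Message-ID header value by what follows the "@"."""
    if value is None:
        return "missing"
    # Collapse header folding and surrounding whitespace before matching.
    m = MSGID_RE.match(" ".join(value.split()))
    if not m:
        return "malformed"
    right = m.group(2)
    if right.startswith("[") and right.endswith("]"):
        return "domain-literal"       # e.g. <id@[192.0.2.25]>
    labels = right.rstrip(".").split(".")
    if not all(LABEL_RE.match(label) for label in labels):
        return "malformed"
    if len(labels) == 1:
        return "bare-host"            # e.g. <id@athlon>
    if labels[-1].isdigit():
        return "malformed"            # bare IP address without brackets
    return "fqdn"


# Constructed admin policy: weight added to the message score per class.
# A negative value gives credit for a compliant header.
POLICY = {"fqdn": -1, "bare-host": 2, "domain-literal": 0,
          "malformed": 4, "missing": 4}


def message_id_weight(raw_message, policy=POLICY):
    """Parse a raw message and return (class, weight) for its Message-ID."""
    msg = message_from_string(raw_message)
    kind = classify_message_id(msg["Message-ID"])
    return kind, policy[kind]


# Constructed sample messages (headers only, addresses are placeholders).
SAMPLES = {
    "bare": "Message-ID: <000801c329fe$1a2b3c40@athlon>\nSubject: t\n\nbody\n",
    "fqdn": "Message-ID: <20030603.191117.12345@mail.example.com>\n\nbody\n",
    "literal": "Message-ID: <abc123@[192.0.2.25]>\n\nbody\n",
    "missing": "Subject: no id\n\nbody\n",
    "two_at": "Message-ID: <a@b@example.com>\n\nbody\n",
}


def tally(samples=SAMPLES):
    """Count how many sample messages fall into each class."""
    counts = {}
    for raw in samples.values():
        kind, _ = message_id_weight(raw)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, message_id_weight(raw))
    print(tally())
```
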
RE: [Declude.JunkMail] MAILFROM - correct?
Hi Scott:

No - neither was the case - those were normal firstname.lastname email addresses.

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Saturday, May 31, 2003 08:44 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] MAILFROM - correct?

So, why did this fail MAILFROM: Return-Path: [EMAIL PROTECTED]

Were there any non-alphanumeric characters in the ...removed... section? For example, if it was [EMAIL PROTECTED]@skanskausa.com or user:[EMAIL PROTECTED] or [EMAIL PROTECTED], those could cause problems.

-Scott
RE: [Declude.JunkMail] SkanskaUSA.com in disarray
Hi Darin,

No - the domain has been back for a while - but it's a terrible mess. See:

http://www.dnsreport.com/tools/dnsreport.ch?domain=skanskausa.com

for an independent review.

A) their name server list has the following NS records:

dns-sku-par-0.
cbru.br.ns.els-gms.att.net.
dbru.br.ns.els-gms.att.net.
cmtu.mt.ns.els-gms.att.net.
dmtu.mt.ns.els-gms.att.net.

Obviously dns-sku-par-0. is not a valid FQDN - it's missing the domain portion.

B) their registrar's root server includes an NS record for:

cbru.br.ns.els-gms.att.net. [199.191.128.105]

But that server does not respond.

C) their SOA record has a contact of admin, but that's not a valid email address format! It must be something like admin.skanskausa.com.

MOST IMPORTANTLY:

D) their name server has an MX pointer for mail.skanskausa.com - but there is no A record resolving that mail host to an address. No one can send any mail to mail.skanskausa.com !

If it makes a difference - I'm sitting on a TON of bounced email intended for your client (from a client of theirs) - they have been trying to organize a mutual project.

Whoever is assigned to that account at your firm is not doing their job. They should charge them for about 2 minutes of consulting services - that's how little time it takes for someone who is the least bit knowledgeable to straighten out their domain.

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin T. Cox
Sent: Saturday, May 31, 2003 09:19 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] MAILFROM - correct?

Hi Andy,

I believe it should be straightened out now. Skanska is a customer of ours. Someone there forgot to renew their domain, so it expired Friday morning. They quickly re-registered, but the damage was done for a day. I believe that's what caused the MAILFROM and HELOBOGUS errors we were receiving when sending to them.

They've also had periodic problems managing their mail servers, however. Much of it is probably due to major internal IT restructuring (personnel, corporate identity, and merging of several separate infrastructures from mergers) that has been occurring within their organization for the past few months. We talk to their IT personnel periodically to help them straighten out these problems when they occur.

Darin.
[Declude.JunkMail] Enhancement Request: XUNIQUEINHEADER
Hi,

Would be nice if Declude could be told not to insert a header if one already exists, e.g.:

XUNIQUEINHEADER Return-Path: %MAILFROM%

Best Regards
Andy Schmidt
HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/
RE: [Declude.JunkMail] whitelist and mult rcpt
Darrell / Scott:

We do not whitelist the postmaster account, instead you setup a filter test that contains an allrecips for the postmasters email address and assign this test a really high negative value to prevent the message from being bounced. Then you set the action up for the test as a routeto back to the postmasters account.

Hm - I assume your method only works, if I don't use a DELETE and/or BOUNCE action directly on individual tests - or will routeto supersede delete and/or bounce?

Let's assume...

Bounce on: Any OSDUL/OSSOFT Weight = 10
Hold on: Any MailFrom/Percent
I delete on: Weight = 20

If someone needs assistance who gets caught by the MailFrom/Percent or OSDUL/OSSOFT and all your test does is reduce weights - I assume the people's emails would still not get through? So I do need to whitelist the PostMaster?

Best Regards
Andy Schmidt
HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/
RE: [Declude.JunkMail] spamdomains list
Bill,

MX records only tell you where email is SENT to. It doesn't tell you anything about OUTBOUND mail. I have in fact received emails that were signed @excite.com but were sent through the excitenetwork's server.

The only way how you can determine, which other RDNS are used, is by checking your Declude log files, use FILESTR to find the SPAMDOMAINS failures and then filter for excite...

Best Regards
Andy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Friday, May 30, 2003 03:04 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] spamdomains list

From what I see, they look to be mutually exclusive:

==
dig mx excite.com

; DiG 9.2.1 mx excite.com
;; global options: printcmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 15919
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; QUESTION SECTION:
;excite.com. IN MX

;; ANSWER SECTION:
excite.com. 900 IN MX 10 xmxpita.excite.com.

;; AUTHORITY SECTION:
excite.com. 900 IN NS dns5.imgfarm.com.
excite.com. 900 IN NS dns4.imgfarm.com.

;; ADDITIONAL SECTION:
xmxpita.excite.com. 900 IN A 208.45.133.107

;; Query time: 81 msec
;; SERVER: 204.189.38.2#53(204.189.38.2)
;; WHEN: Fri May 30 11:50:28 2003
;; MSG SIZE rcvd: 114

==
dig mx excitenetwork.com

; DiG 9.2.1 mx excitenetwork.com
;; global options: printcmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 2577
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; QUESTION SECTION:
;excitenetwork.com. IN MX

;; ANSWER SECTION:
excitenetwork.com. 300 IN MX 25 mx.excitenetwork.com.

;; AUTHORITY SECTION:
excitenetwork.com. 300 IN NS dns5.imgfarm.com.
excitenetwork.com. 300 IN NS dns4.imgfarm.com.

;; ADDITIONAL SECTION:
mx.excitenetwork.com. 300 IN A 63.108.110.20

;; Query time: 121 msec
;; SERVER: 204.189.38.2#53(204.189.38.2)
;; WHEN: Fri May 30 11:51:56 2003
;; MSG SIZE rcvd: 116
==

Bill

- Original Message -
From: Andy Schmidt [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, May 30, 2003 11:45 AM
Subject: RE: [Declude.JunkMail] spamdomains list

Bill,

You need to update:

excite.com excitenetwork.com

Best Regards
Andy Schmidt
HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Friday, May 30, 2003 01:16 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] spamdomains list

Here is my list thus far:

amazon.com aol.com apple.com att. attbi.com bellsouth.net charter.net comcast. compuserve.com cox. earthlink. excite.com gte. hotmail.com juno.com .untd.com lycos.com microsoft.com mindspring. msn.com .hotmail.com netscape. psi. qwest. .rr.com verio. verizon. .bellatlantic. yahoo.com

Bill

- Original Message -
From: Scott MacLean [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, May 30, 2003 9:49 AM
Subject: Re: [Declude.JunkMail] spamdomains list

If someone has a comprehensive spamdomains listing they are happy with, could they post it for others to analyze/use?

At 10:36 AM 5/30/2003, Bill Landry wrote:

One comment. Instead of having:

yahoo.com yahoo.ca yahoo.com yahoo.de yahoo.com yahoo.dk yahoo.com yahoo.es yahoo.com yahoo.fr yahoo.com yahoo.it yahoo.com yahoo.no yahoo.com yahoo.se yahoo.com yahoo.co.jp yahoo.com yahoo.co.uk yahoo.com yahoo.com.ar yahoo.com yahoo.com.au yahoo.com yahoo.com.br yahoo.com yahoo.com.cn yahoo.com yahoo.com.hk yahoo.com yahoo.co.kr yahoo.com yahoo.com.mx yahoo.com yahoo.com.tw yahoo.com

Why not just consolidate this down to:

yahoo.yahoo.com

Bill

- Original Message -
From: Bill B. [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, May 30, 2003 7:20 AM
Subject: [Declude.JunkMail] spamdomains list

Attached is a list of spamdomains and their corresponding aliases that I've compiled thus far. Anybody want to comment or expand upon this?

Bill

___
Scott MacLean
[EMAIL PROTECTED]
ICQ: 9184011
http://www.nerosoft.com
RE: [Declude.JunkMail] MAILFROM - correct?
Hi Scott:

Granted, based on http://www.dnsreport.com/tools/dnsreport.ch?domain=skanskausa.com this domain is a mess - but, it DOES have a MX record and the lowest priority MX record (5) has an A record and IS even answered.

Most of the cc:'s in this email went to @skanskausa.com and WERE indeed delivered - proving that MAILFROM is valid.

So, why did this fail MAILFROM:

Received: from mlx-sku-par-1.skubi.com [12.3.242.12] by mail.webhost.hm-software.com with ESMTP (SMTPD32-7.07) id AC05147F0162; Fri, 30 May 2003 11:43:01 -0400
Received: from mlx-sku-par-1.skubi.com ([127.0.0.1]) by mlx-sku-par-1.skubi.com with Microsoft SMTPSVC(5.0.2195.5329); Fri, 30 May 2003 11:38:19 -0400
Received: by mlb-sku-par-1.skanskausa.com with Internet Mail Service (5.5.2653.19) id L9132BXP; Fri, 30 May 2003 11:41:00 -0400
Message-ID: [EMAIL PROTECTED]
From: ...removed...
To: ...removed...
Cc: ...removed..., ...removed... ...removed..., ...removed... ...removed..., ...removed... ...removed...
Subject: MDY
Date: Fri, 30 May 2003 11:42:01 -0400
Importance: high
X-Priority: 1
Return-Receipt-To: [EMAIL PROTECTED]
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/html; charset=iso-8859-1
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 30 May 2003 15:38:19.0640 (UTC) FILETIME=[7EEB4F80:01C326C1]
X-Declude-Note: Domain mlx-sku-par-1.skubi.com has no MX or A records.
X-Declude: Version 1.70i1; D7c05147f0162cb7b.SMD from gateway1.skubi.com [12.3.242.12]
X-Declude: Triggered MAILFROM, HELOBOGUS, IPNOTINMX, NOLEGITCONTENT [3]
X-Countries: UNITED STATES-destination
Return-Path: [EMAIL PROTECTED]
X-Spam-Prob: 0.768622

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
RE: [Declude.JunkMail] Autogenerated response
Challenges should probably be handled like vacation notices - they should only be sent ONCE per sender. The sender only has to confirm one challenge, and all held emails for this sender are released. Like vacation notices, there should be a revolving log file of pending challenges with the sender email address. Best Regards Andy Schmidt HM Systems Software, Inc. 600 East Crescent Avenue, Suite 203 Upper Saddle River, NJ 07458-1846 Phone: +1 201 934-3414 x20 (Business) Fax:+1 201 934-9206 http://www.HM-Software.com/
[Declude.JunkMail] DNSreport.com - suggestion
Hi Scott:

The following should issue a 'warning' - two MX records pointing to the SAME IP address offers no benefit (there IS no backup!) but causes unnecessary retries at times when the server at this IP address doesn't or cannot answer.

INFO MX Record
Your 2 MX records are:
10 post-com.mr.outblaze.com. [TTL=86400] IP=205.158.62.23 (No Glue) [TTL=21600]
20 post-com-bk.mr.outblaze.com. [TTL=86400] IP=205.158.62.23 (No Glue) [TTL=21600]

Best Regards
Andy Schmidt
HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/
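The check suggested in the message above, sketched as an added example (not part of the original posting and not DNSreport's code). It works on already-resolved records; the second record set uses hypothetical hosts and documentation addresses.

```python
"""Flag MX records that add no redundancy because every address they
resolve to is already served by a more-preferred MX."""

# MX listing as quoted in the message above; the address lists stand in for
# the A-record lookups a live check would perform.
OUTBLAZE_MX = [
    (10, "post-com.mr.outblaze.com.", ["205.158.62.23"]),
    (20, "post-com-bk.mr.outblaze.com.", ["205.158.62.23"]),
]

# Constructed contrast case: the backup shares one address with the primary
# but also offers an address of its own, so it is a real fallback.
INDEPENDENT_MX = [
    (10, "mx1.example.net.", ["192.0.2.10"]),
    (20, "mx2.example.net.", ["198.51.100.10", "192.0.2.10"]),
]


def redundant_mx(records):
    """Return one finding per MX host that offers no address of its own.

    records: iterable of (preference, hostname, [ip, ...]).
    Hosts are visited in delivery order (lowest preference value first), so
    a finding always names the less-preferred host as the redundant one.
    """
    first_owner = {}   # ip -> hostname of the first MX that offered it
    findings = []
    for pref, host, ips in sorted(records, key=lambda r: (r[0], r[1])):
        unique_ips = sorted(set(ips))
        if not unique_ips:
            findings.append({"severity": "ERROR", "host": host,
                             "preference": pref, "same_as": [],
                             "reason": "MX target has no address"})
            continue
        new_ips = [ip for ip in unique_ips if ip not in first_owner]
        if not new_ips:
            same_as = sorted({first_owner[ip] for ip in unique_ips})
            findings.append({"severity": "WARN", "host": host,
                             "preference": pref, "same_as": same_as,
                             "reason": "no backup: only reaches %s"
                                       % ", ".join(unique_ips)})
        for ip in new_ips:
            first_owner[ip] = host
    return findings


def distinct_endpoints(records):
    """Number of different addresses a sender can actually try."""
    return len({ip for _pref, _host, ips in records for ip in ips})


if __name__ == "__main__":
    for finding in redundant_mx(OUTBLAZE_MX):
        print(finding["severity"], finding["host"], finding["reason"])
```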
RE: [Declude.JunkMail] Autogenerated response
David,

What happens in challenge/response when you have two challenge/response mechanisms talking to each other, each wanting a challenge/response to a challenge/response? Table tennis?

The challenge (or any other alerts/bounce messages) should be sent from a service account (e.g., [EMAIL PROTECTED], [EMAIL PROTECTED], etc.) or even an unattended (non-existing) account - which is set up to NEVER return automated emails.

So - even if the other side were to send an automated email back - at WORST it would end up in the service account but not lead to an endless confirmation request loop.

Best Regards
Andy Schmidt
HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/
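The two "Autogenerated response" messages above describe one challenge per sender, a revolving log of pending challenges, and a service account that never answers. The following is an added sketch of those rules with two sites facing each other (not part of the original postings and not a Declude feature); the account name `challenge-service@...`, the domains and the 7-day expiry are assumptions.

```python
import time


class Site:
    """One mail domain running a challenge/response filter."""

    def __init__(self, domain, ttl=7 * 24 * 3600, clock=time.time):
        self.domain = domain
        self.service = "challenge-service@" + domain  # hypothetical account
        self.ttl = ttl            # how long a pending challenge stays logged
        self.clock = clock
        self.pending = {}         # sender -> {"sent_at": ts, "held": [ids]}
        self.confirmed = set()
        self.service_inbox = []   # automated replies end up here, unanswered

    def expire(self):
        """Revolving log: drop challenges nobody confirmed within ttl.
        What happens to the mail held under them is a policy decision
        outside this sketch."""
        now = self.clock()
        stale = [s for s, e in self.pending.items()
                 if now - e["sent_at"] > self.ttl]
        for sender in stale:
            del self.pending[sender]

    def receive(self, sender, recipient, msg_id):
        """Return (action, outbound); outbound is a list of
        (sender, recipient, msg_id) messages this site generates."""
        self.expire()
        if recipient == self.service:
            # Never answer mail addressed to the service account.
            self.service_inbox.append(msg_id)
            return "filed", []
        if sender in self.confirmed:
            return "delivered", []
        entry = self.pending.get(sender)
        if entry is not None:
            # Already challenged once: hold, but send nothing further.
            entry["held"].append(msg_id)
            return "held", []
        self.pending[sender] = {"sent_at": self.clock(), "held": [msg_id]}
        return "held+challenged", [(self.service, sender, "challenge:" + msg_id)]

    def confirm(self, sender):
        """One confirmation releases everything held for that sender."""
        entry = self.pending.pop(sender, None)
        self.confirmed.add(sender)
        return entry["held"] if entry else []


def deliver_all(sites, first, limit=50):
    """Deliver a message and everything generated in response to it."""
    queue, trace = [first], []
    while queue and len(trace) < limit:
        sender, recipient, msg_id = queue.pop(0)
        site = sites[recipient.rsplit("@", 1)[1]]
        action, outbound = site.receive(sender, recipient, msg_id)
        trace.append((site.domain, action))
        queue.extend(outbound)
    return trace


def demo():
    a, b = Site("a.example"), Site("b.example")
    sites = {"a.example": a, "b.example": b}
    mail = ("alice@a.example", "bob@b.example")
    trace = deliver_all(sites, mail + ("m1",))
    for msg_id in ("m2", "m3"):
        trace += deliver_all(sites, mail + (msg_id,))
    released = b.confirm("alice@a.example")
    after = deliver_all(sites, mail + ("m4",))
    return trace, released, after


if __name__ == "__main__":
    print(demo())
```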
RE: Re: [Declude.JunkMail] observation to share...
Hi:

ORDB had used two GMX addresses for the open relay check that were not configured for SMTP AUTH. In its own open relay definition, however, ORDB is said to describe such a system as a mail server that relays messages for which neither the sender nor the recipient is a local user. In the cases documented by ORDB, though, these are said to have clearly been local users.

Maybe there IS more to the story, but, it is expected and normal, that anyone who gets listed as an open relay will claim that they really were not and that the process was flawed. In reality, ORDB will send a test message to its own server and watch if it gets delivered. If the round-trip was successful, then the result is a pretty convincing case of an open relay.

Bottom line, if ORDB found a way/trick to relay a message - then a spammer will too. Unless they can show an actual flaw on ORDB's testing method, I go by the assumption that as long as GMX's server allowed for that way/trick they rightfully would have been listed. It is interesting to note that they eventually resubmitted the server (presumably after closing that hole) and they were de-listed.

I do agree, that the lack of a real-time operations center of some of the databases (some don't even offer contact forms) does make them somewhat risky to use - but when viewed against the daily benefits, it's a risk worth taking.

Best Regards
Andy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Wednesday, May 28, 2003 02:14 AM
To: [EMAIL PROTECTED]
Subject: RE: Re: [Declude.JunkMail] observation to share...

I agree completely with Scott, and would like to add that deleting mail only with rbl test does not mean anything.

Today I've read an article on a German website (c't computer magazine) http://www.heise.de/newsticker/data/hob-27.05.03-000/

In short there's the information that the big freemailer GMX was listed from Sunday evening to Monday in the ORDB blacklist. GMX some months ago has announced antispam actions since they have the same problem like msn, aol and co. Last Sunday ORDB has tested a GMX mailserver positive as an open relay (even if the method of testing is controversial). GMX was not very happy that ORDB was not reachable over a fast way and GMX admins have had to fill out the standard form on the ORDB website asking to be removed as fast as possible.

The result: On Monday a lot of mails were not deliverable because other mailservers blocked any connection from GMX (based on the ORDB blacklist)

Markus
RE: [Declude.JunkMail] More Selective Whitelist-TO
Hm, Scott:

I may be off-base here, but I would imagine this could work:

A) Declude inspects the D... and Q... File, correct?
B) once Declude decides, that there is a TO whitelist for a particular email, it will determine if the Q file lists more than one R line (Recipient).
C) if there is MORE than one R, it will create a duplicate of the D... and Q... File with a new unique name. In the original Q file the R lines for the whitelisted entry are removed (thus, the other recipients can be blocked/processed as originally intended)
D) the newly created Q file ONLY contains the whitelisted R lines so that the mail can be delivered during the next queue run.

Best Regards
Andy
RE: [Declude.JunkMail] TAIWAN not detected
Uh - okay. I thought there was a file I had downloaded once before - but when I saw no mention in the Junkmail/manual.htm I thought I was remembering wrong. Thanks.

Best Regards
Andy Schmidt
HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Friday, March 28, 2003 04:41 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] TAIWAN not detected

The DNSSTUFF IPWHOIS detects 218.187.138.151 as TAIWAN, and NetGeo as Australia - however, Declude says APNIC Unlisted?

If you download the all_list.dat file from http://www.declude.com/release/165/all_list.dat , it should take care of the problem. The IP/country allocations change occasionally, which can cause this discrepancy to occur.

-Scott
RE: [Declude.JunkMail] Declude in the news
I think it is a good sign that mainstream products are starting to include DNS BL lookups. Symantec's products (and similar big names) are setting somewhat of a de-facto industry standard for the vast majority of less sophisticated part-time mail administrators who are only casually interested in email issues.

I suspect, this will aid in the broader proliferation of SPAM filtering, give more credence to open relay databases - hopefully putting more pressure on innocent open relay servers to get their act together and in the long run allowing us to use them more aggressively.

Currently, the usual defense of ignorant administrators running open relay or RFC non-compliant SMTP servers is that we never had a problem sending to everyone else - putting US on the defensive trying to explain why RFCs must be followed so that the variety of hardware, software, operating system and application brands all can communicate across the one Internet.

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
[Declude.JunkMail] Why BADHEADER for this?
Hi Scott:

This one returned code 802c (This E-mail has a bogus Date: header.) - however, the Date: header does look just fine?

Maybe the problem is the Subject header - as it appears to wrap around into a second line? But, then again, multi-line headers appear to be quite normal, because even the Received and To headers are multiline?

Received: from exthub02.tgt.com [161.225.2.41] by mail.webhost.hm-software.com with ESMTP (SMTPD32-7.07) id A0A3F17006E; Mon, 24 Mar 2003 11:21:55 -0500
Received: from msphub02.tgt.com ([10.104.240.124]) by exthub02.tgt.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2655.55) id FKTDP30V; Mon, 24 Mar 2003 10:27:38 -0600
Received: by msphub02.tgt.com with Internet Mail Service (5.5.2653.19) id FGTAZ922; Mon, 24 Mar 2003 10:21:51 -0600
Message-ID: [EMAIL PROTECTED]
From: Stacey.Riney [EMAIL PROTECTED]
To: 'Boehm-Bezing, Inga' [EMAIL PROTECTED], Stacey.Riney [EMAIL PROTECTED]
Cc: Richard D'Angelo [EMAIL PROTECTED]
Subject: RE: MERVYNS CFM SMPL AD SMPL Style:H-6659F LEA: F/C VOYAGER/ BL K
Date: Mon, 24 Mar 2003 10:23:28 -0600
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: multipart/alternative; boundary=_=_NextPart_001_01C2F221.B3D37EE0
RE: [Declude.JunkMail] Why BADHEADER for this?
Are you sure you matched this up correctly?

Declude Version 1.68i5. Here is the chain of evidence I followed:

A) The snippet of our own, highly informative, bounce message showing the DECLUDE variables:

... (verbose text omitted) ...
Mail Server: 161.225.2.41 for target.com [target.com]
DNS Pointer: [No Reverse DNS]
Host Name: exthub02.tgt.com
Triggers: BADHEADERS, REVDNS, HELOBOGUS, IPNOTINMX, WEIGHTREPORT, WEIGHTHDR, WEIGHT10 (Total weight between 10 and 19.)
More Info:
http://www.dnsstuff.com/tools/ip4r.ch?ip=161.225.2.41 (Your server must not be black-listed!)
http://www.dnsstuff.com/tools/ptr.ch?ip=161.225.2.41 (Your server must be properly registered in DNS with a reverse lookup pointer!)
http://www.dnsstuff.com/tools/lookup.ch?name=exthub02.tgt.comtype=A (Your server must have a valid host name!)
Countries: UNITED STATES-destination (Your email should not be routed back and forth between countries.)
Message ID: [EMAIL PROTECTED]
Queue ID: D30a30f17006e558b.SMD on Maywood-IS-0002.Webhost.HM-Software.com

B) Here a snippet of the matching Declude log: Please note how the subject line is cut off after BL - exactly at the same point where the subject header advances to a new line!

03/24/2003 11:22:05 Q30a30f17006e558b BADHEADERS:5 REVDNS:5 HELOBOGUS:3
11:22:05 Q30a30f17006e558b Msg failed BADHEADERS (This E-mail was sent from a broken mail client [802c].). Action=WARN.
03/24/2003 11:22:05 Q30a30f17006e558b Msg failed REVDNS (This E-mail was sent from a MUA/MTA 161.225.2.41 with no reverse DNS entry.). Action=ALERT.
03/24/2003 11:22:05 Q30a30f17006e558b Msg failed HELOBOGUS (Domain exthub02.tgt.com has no MX or A records.). Action=WARN.
03/24/2003 11:22:05 Q30a30f17006e558b Msg failed WEIGHTREPORT (Weight of 13 reaches or exceeds the limit of 11.). Action=ALERT.
03/24/2003 11:22:05 Q30a30f17006e558b Msg failed WEIGHTHDR (Weight of 13 reaches or exceeds the limit of 1.). Action=WARN.
03/24/2003 11:22:05 Q30a30f17006e558b Msg failed WEIGHT10 (Total weight between 10 and 19.). Action=BOUNCE.
03/24/2003 11:22:05 Q30a30f17006e558b Subject: RE: MERVYNS CFM SMPL AD SMPL Style:H-6659F LEA: F/C VOYAGER/ BL
03/24/2003 11:22:05 Q30a30f17006e558b From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 161.225.2.41 ID:
03/24/2003 11:22:05 Q30a30f17006e558b Msg failed BADHEADERS (This E-mail was sent from a broken mail client [802c].). Action=WARN.
03/24/2003 11:22:05 Q30a30f17006e558b Msg failed REVDNS (This E-mail was sent from a MUA/MTA 161.225.2.41 with no reverse DNS entry.). Action=ALERT.
03/24/2003 11:22:05 Q30a30f17006e558b Msg failed HELOBOGUS (Domain exthub02.tgt.com has no MX or A records.). Action=WARN.
03/24/2003 11:22:05 Q30a30f17006e558b Msg failed WEIGHTREPORT (Weight of 13 reaches or exceeds the limit of 11.). Action=ALERT.
03/24/2003 11:22:05 Q30a30f17006e558b Msg failed WEIGHTHDR (Weight of 13 reaches or exceeds the limit of 1.). Action=WARN.
03/24/2003 11:22:05 Q30a30f17006e558b Msg failed WEIGHT10 (Total weight between 10 and 19.). Action=BOUNCE.
03/24/2003 11:22:05 Q30a30f17006e558b Subject: RE: MERVYNS CFM SMPL AD SMPL Style:H-6659F LEA: F/C VOYAGER/ BL
03/24/2003 11:22:05 Q30a30f17006e558b From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [EMAIL PROTECTED] IP: 161.225.2.41 ID:

C) Here again the message header as appended by Declude to the Bounce message: From/To and Message ID matches the bounce message. Date/time in the Received header matches the beginning of the Declude header within 10 seconds.

Received: from exthub02.tgt.com [161.225.2.41] by mail.webhost.hm-software.com with ESMTP (SMTPD32-7.07) id A0A3F17006E; Mon, 24 Mar 2003 11:21:55 -0500
Received: from msphub02.tgt.com ([10.104.240.124]) by exthub02.tgt.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2655.55) id FKTDP30V; Mon, 24 Mar 2003 10:27:38 -0600
Received: by msphub02.tgt.com with Internet Mail Service (5.5.2653.19) id FGTAZ922; Mon, 24 Mar 2003 10:21:51 -0600
Message-ID: [EMAIL PROTECTED]
From: Stacey.Riney [EMAIL PROTECTED]
To: 'Boehm-Bezing, Inga' [EMAIL PROTECTED], Stacey.Riney [EMAIL PROTECTED]
Cc: Richard D'Angelo [EMAIL PROTECTED]
Subject: RE: MERVYNS CFM SMPL AD SMPL Style:H-6659F LEA: F/C VOYAGER/ BL K
Date: Mon, 24 Mar 2003 10:23:28 -0600
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: multipart/alternative; boundary=_=_NextPart_001_01C2F221.B3D37EE0
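The log-matching step in B) above can be automated. This added example (not part of the original posting and not Declude tooling) groups the quoted log lines by queue ID, removes the repeated entries, and checks that the per-test weights add up to the weight the WEIGHT tests report; the line layout is inferred from the quoted lines only.

```python
import re

# Log lines copied from the message above. The second line has no date
# field in the archive copy, so the parser treats the date as optional.
SAMPLE_LOG = """\
03/24/2003 11:22:05 Q30a30f17006e558b BADHEADERS:5 REVDNS:5 HELOBOGUS:3
11:22:05 Q30a30f17006e558b Msg failed BADHEADERS (This E-mail was sent from a broken mail client [802c].). Action=WARN.
03/24/2003 11:22:05 Q30a30f17006e558b Msg failed REVDNS (This E-mail was sent from a MUA/MTA 161.225.2.41 with no reverse DNS entry.). Action=ALERT.
03/24/2003 11:22:05 Q30a30f17006e558b Msg failed HELOBOGUS (Domain exthub02.tgt.com has no MX or A records.). Action=WARN.
03/24/2003 11:22:05 Q30a30f17006e558b Msg failed WEIGHTREPORT (Weight of 13 reaches or exceeds the limit of 11.). Action=ALERT.
03/24/2003 11:22:05 Q30a30f17006e558b Msg failed WEIGHTHDR (Weight of 13 reaches or exceeds the limit of 1.). Action=WARN.
03/24/2003 11:22:05 Q30a30f17006e558b Msg failed WEIGHT10 (Total weight between 10 and 19.). Action=BOUNCE.
03/24/2003 11:22:05 Q30a30f17006e558b Subject: RE: MERVYNS CFM SMPL AD SMPL Style:H-6659F LEA: F/C VOYAGER/ BL
03/24/2003 11:22:05 Q30a30f17006e558b Msg failed BADHEADERS (This E-mail was sent from a broken mail client [802c].). Action=WARN.
"""

LINE = re.compile(r"^(?:\d{2}/\d{2}/\d{4} )?\d{2}:\d{2}:\d{2} (Q[0-9a-f]+) (.*)$")
FAILED = re.compile(r"^Msg failed (\w+) \((.*)\)\. Action=(\w+)\.$")
WEIGHTS = re.compile(r"^\w+:-?\d+(?: \w+:-?\d+)*$")
PAIR = re.compile(r"(\w+):(-?\d+)")
CODE = re.compile(r"\[([0-9a-f]{4,8})\]")       # e.g. the [802c] result code
REPORTED = re.compile(r"Weight of (\d+) ")


def parse_declude_log(text):
    """Return {queue_id: summary}; repeated entries for a test collapse."""
    messages = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                      # not a per-message log line
        qid, rest = m.groups()
        msg = messages.setdefault(qid, {"weights": {}, "failures": {},
                                        "subject": None,
                                        "reported_weight": None})
        failed = FAILED.match(rest)
        if failed:
            test, detail, action = failed.groups()
            code = CODE.search(detail)
            msg["failures"][test] = {"detail": detail, "action": action,
                                     "code": code.group(1) if code else None}
            reported = REPORTED.search(detail)
            if reported:
                msg["reported_weight"] = int(reported.group(1))
        elif WEIGHTS.match(rest):
            msg["weights"].update((t, int(w)) for t, w in PAIR.findall(rest))
        elif rest.startswith("Subject: "):
            msg["subject"] = rest[len("Subject: "):]
    return messages


def weight_mismatch(msg):
    """None when the listed weights add up to the reported total,
    otherwise (sum_of_listed_weights, reported_weight)."""
    total = sum(msg["weights"].values())
    if msg["reported_weight"] is None or total == msg["reported_weight"]:
        return None
    return total, msg["reported_weight"]


if __name__ == "__main__":
    for qid, msg in parse_declude_log(SAMPLE_LOG).items():
        actions = sorted({f["action"] for f in msg["failures"].values()})
        print(qid, msg["weights"], actions, weight_mismatch(msg))
```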
[Declude.JunkMail] 1.68 - new variables
Hi:

Adds %IP4R%, %RHSBL%, %MAILFROMBL% and %HELO% variables.

Okay, I can guess what IP4R and HELO inserts - but what strings do the two ...BLs insert?

Where are those variables valid?
A) in Declude SMTP headers?
B) in alert/bounce messages templates?
C) in ... ?

Best Regards
Andy Schmidt
HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/
[Declude.JunkMail] Request - TESTSRESULT header variable
Hi Scott:

My clients try to rely on filtering by looking at the header that I insert with declude:

XINHEADER X-Declude: Version %VERSION%; %QUEUENAME% from %REVDNS% [%REMOTEIP%]
XINHEADER X-Declude: Failed %TESTSFAILED% [%WEIGHT%]
XINHEADER X-Countries: %COUNTRYCHAIN%
XINHEADER Return-Path: %MAILFROM%

The problem is with the

XINHEADER X-Declude: Failed %TESTSFAILED% [%WEIGHT%]

They used to be able to use Outlook to trigger on X-Declude: Failed and then flag messages as low importance, reset the new message flag or even sort it to a different order. But unfortunately this line will also be set off by WHITELISTED[0] or NOTINMIX[-3] - where they do NOT indicate SPAM.

So - how about you could distinguish between real FAILURES (e.g., NOT including the whitelist and not include total weights that are equal/less than 0), e.g. a %TESTSRESULT% variable that inserts the string PASSED (if whitelisted or total weight = 0) or the string FAILED in any other case that at least one test failed.

Best Regards
Andy Schmidt
HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/
[Declude.JunkMail] IP WhiteList or PASS Action
Hi Scott:

I'm trying to come up with a scheme that lets me whitelist certain IP addresses PER DOMAIN. Of course, I probably could use something like that in the default Junkmail file of a domain folder:

WHITELIST ipfile C:\IMail\Declude\ipwhitelist.txt x -20 0

However, that will not truly work as a whitelist - because I hold or delete for certain tests (e.g., MAILFROM). Reducing the weight will be ineffective.

Going through the Declude manual I noticed that two features would be helpful:

A) an IP whitelist to match the IP blacklist feature
B) a new PASS action. Then I could (ab)use the ipfile option to define an IP whitelist and define the PASS action (to let mail pass), which hopefully would supersede all other actions based on other tests.

Best Regards
Andy Schmidt
HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/
RE: [Declude.JunkMail] TMDA style test...
Hi Scott:

decided to keep a list of all the E-mail addresses that sent SpamArrest users E-mail, and then started spamming them! Because of that, a lot of people are leery about responding to confirmation requests.

Which of course is not really an issue. By the time the INITIAL email is received at the provider, that provider ALREADY has the email address. If they have malicious intents with their clients' email addresses then they would not need to wait for the confirmations.

Personally, I WISH there was an automated feature in Declude that would allow a person to respond to a challenge and auto-list their sender for that particular user. The list would have columns (for most recently used and denied). The denied column would allow us to override the confirmation, the MRU list would help to eventually expire unused entries.

Any feature where future false positives can be reduced and their management can be totally automated is highly desirable and worth an upgrade charge.

Best Regards
Andy Schmidt
HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/
[Declude.JunkMail] Imail/Declude as Gateway?
Hi,

I'm trying to set up Declude Junkmail and Virus as a gateway for one of my customers. (All my other customers use mailboxes on my Imail server, but this one has their own exchange server).

The Imail gateway function is set up and works fine, e.g., the MX is pointing to MY Imail machine, and the HOSTS file has a line for the domain pointing to their exchange server's IP. Their email is routed properly.

However, Declude is acting unexpectedly:

- Junkmail: Doesn't seem to scan for or block any spam (as far as I can tell from the log files) - Imail simply redelivers every message to their exchange server without ever logging at loglevel mid.
- Virus: Doesn't seem to scan any mails - Declude simply logs Skipping virus scanning for outgoing E-mail.

For Virus I have scanning for outbound messages turned OFF. Shouldn't Declude scan the messages when they are received by Imail?

For JunkMail, I have very little outbound scanning defined in Global.cfg:

MAILFROM SUBJECT [Invalid Sending Domain!]
BADHEADERS WARN
SPAMHEADERS WARN
SPAMROUTING WARN
REVDNS WARN
PERCENT HOLD

But I don't even see a log entry, if I intentionally send an email where the MAILFROM is bogus.

What am I doing wrong?

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
[Declude.JunkMail] Weight Filter - Sample List
Hi,

this list has served me well so far:

HELO 8 CONTAINS $domain
REVDNS 8 ENDSWITH .a83c9d.net
REVDNS 8 ENDSWITH .are.net
REVDNS 8 ENDSWITH .azogle.com
REVDNS 8 ENDSWITH .bestpost.net
REVDNS 8 ENDSWITH .bigtimevalues.com
REVDNS 20 IS casinoandcash.com
REVDNS 8 ENDSWITH .consumerinfo.com
REVDNS 8 ENDSWITH .DailyInBox.com
REVDNS 8 ENDSWITH .dartmail.net
REVDNS 8 ENDSWITH .dealcop.com
REVDNS 8 ENDSWITH .deliverenetworks.com
REVDNS 6 ENDSWITH .dsl-verizon.net
REVDNS 8 ENDSWITH .easymailers.net
REVDNS 8 ENDSWITH .email-specials.net
REVDNS 8 ENDSWITH .emailcourrier.com
REVDNS 8 CONTAINS .emailoffers
REVDNS 8 ENDSWITH .emailsvc.net
REVDNS 8 ENDSWITH .emipsusa.com
REVDNS 8 ENDSWITH .etransmail5.com
REVDNS 8 ENDSWITH .evaluemail.com
REVDNS 8 ENDSWITH .greatofferstoday.com
REVDNS 8 ENDSWITH .hispeedmediaoffers.com
REVDNS 8 ENDSWITH .hot-info.net
REVDNS 8 ENDSWITH .IConNet.net
REVDNS 8 ENDSWITH .ioffersdirect.com
REVDNS 8 ENDSWITH .mail-gw.net
REVDNS 8 ENDSWITH .mailmalls.net
REVDNS 8 IS mediaprint.lt
REVDNS 8 ENDSWITH .my-specials.com
REVDNS 8 ENDSWITH .obdirectmail.com
REVDNS 8 ENDSWITH .offer-exchange.com
REVDNS 8 ENDSWITH .offersonthenet.com
REVDNS 8 ENDSWITH .oneoffer.net
REVDNS 8 ENDSWITH .owe-less.com
REVDNS 8 ENDSWITH .primetimedirect.net
REVDNS 8 ENDSWITH .ramosglobalmarketing.com
REVDNS 8 ENDSWITH .real-net.net
REVDNS 8 ENDSWITH .roving.com
REVDNS 8 ENDSWITH .specialoffers4you.com
REVDNS 8 ENDSWITH .steamyxxxads.com
REVDNS 8 ENDSWITH .superstorespecials.com
REVDNS 8 ENDSWITH .temd.net
REVDNS 8 ENDSWITH .tepmail.com
REVDNS 8 ENDSWITH .tiburondeltigre.com
REVDNS 8 ENDSWITH .truemail.net
REVDNS 8 ENDSWITH .virtual-domain.com
REVDNS 8 ENDSWITH .webmailer.de
REVDNS 8 ENDSWITH .xpwebnet.com
HEADERS 3 CONTAINS charset=euc-kr
HEADERS 3 CONTAINS charset=big5
COUNTRIES 3 CONTAINS cn
COUNTRIES 3 CONTAINS kr
COUNTRIES 2 CONTAINS br
COUNTRIES 2 CONTAINS hk
COUNTRIES 2 CONTAINS ru
COUNTRIES 2 CONTAINS tw
COUNTRIES 2 CONTAINS uy
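To see how entries like those in the list above behave, here is an added example (not part of the original posting and not Declude's implementation) that parses a few of the rules and scores constructed messages. The FIELD WEIGHT OPERATOR VALUE layout follows the list; case-insensitive matching and summing the weights of all matching rules are assumptions.

```python
from collections import namedtuple

Rule = namedtuple("Rule", "lineno field weight op value")

OPERATORS = {
    "IS": lambda text, value: text == value,
    "ENDSWITH": lambda text, value: text.endswith(value),
    "CONTAINS": lambda text, value: value in text,
}

# A few entries from the list above, one rule per line.
SAMPLE_FILTER = """\
REVDNS 8 ENDSWITH .azogle.com
REVDNS 20 IS casinoandcash.com
REVDNS 8 CONTAINS .emailoffers
HEADERS 3 CONTAINS charset=euc-kr
"""


def parse_filter(text):
    """Parse filter lines; reject anything that is not exactly
    FIELD WEIGHT OPERATOR VALUE so a damaged rule cannot slip through."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        parts = line.split(None, 3)
        if len(parts) != 4:
            raise ValueError("line %d: expected FIELD WEIGHT OPERATOR VALUE"
                             % lineno)
        field, weight, op, value = parts
        if op.upper() not in OPERATORS:
            raise ValueError("line %d: unknown operator %r" % (lineno, op))
        try:
            weight = int(weight)
        except ValueError:
            raise ValueError("line %d: weight %r is not a number"
                             % (lineno, weight))
        rules.append(Rule(lineno, field.upper(), weight, op.upper(),
                          value.lower()))
    return rules


def score(rules, message):
    """message maps a field name (REVDNS, HEADERS, ...) to its text.
    Returns (total_weight, [matching rules])."""
    hits = []
    for rule in rules:
        text = message.get(rule.field, "").lower()
        if text and OPERATORS[rule.op](text, rule.value):
            hits.append(rule)
    return sum(rule.weight for rule in hits), hits


if __name__ == "__main__":
    rules = parse_filter(SAMPLE_FILTER)
    # Constructed messages: the leading dot in ".azogle.com" anchors the
    # match at a label boundary, so "notazogle.com" does not match.
    for revdns in ("mail3.azogle.com", "notazogle.com",
                   "casinoandcash.com", "mail.casinoandcash.com"):
        print(revdns, score(rules, {"REVDNS": revdns})[0])
```

The leading dot is what keeps an ENDSWITH rule from matching an unrelated domain that merely ends in the same letters, and IS leaves subdomains unmatched, so a host under a listed domain needs its own ENDSWITH entry.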
RE: [Declude.JunkMail] Comments
Hi,

not one message deleted by Declude was a false positive

John, how would you know - since they were DELETED and you have no way to determine their content after the fact?

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
RE: [Declude.JunkMail] Reject Msg based on Size
Why not control the message size in Imail - you can set it per domain and, I believe, per user. If the message exceeds the max message size, Imail will reject it - and it will result in a bounce from the SENDING server.

In fact, Imail's ESMTP will announce the max message size to the sending server so that it can be rejected BEFORE it is transmitted (at EHLO time!)

Best Regards
Andy
RE: Re[2]: [Declude.JunkMail] Reject Msg based on Size
Sorry - I can't tell whether your old Imail 5 has that feature - or, whether it was added in Version 6 or 7. I would consult IPswitch's web site for historic information going that many years back. I started with Imail 4 and don't recall if/that it WAS added after that - but I may not have paid attention.

Best Regards
Andy
RE: [Declude.JunkMail] Reject Msg based on Size
These are just the defaults for creating new users, The limits themselves are actually set on the userlevel.

No - they are NOT. I went through this with IPSwitch when messages were rejected for an inbound IP address (IP bound domain), even though the VIRTUAL domain and INDIVIDUAL users were defined for HIGHER limits.

The IP bound level is the UPPER limit for ALL virtual domains and users. IPswitch (in EHLO mode) announces the max message size defined for that IP address - causing other ESMTP servers to ABORT the transmission even BEFORE the recipient domain and user are identified! They considered that a documentation problem.

Best Regards
Andy
[Declude.JunkMail] DNSstuff IPWHOIS lookup - constructs bad URL for cache off
Hi Scott: I believe I found a bad link in your IPWHOIS lookup. I had to update my SWIP entry and your site had cached the old answer. When trying to use the get fresh results link - I suddenly ended up on a screen that convinced me that my Backbone Provider had deleted my entry entirely.
http://www.dnsstuff.com/tools/whois.ch?ip=65.119.204.0 lists the correct swip entry.
Following the link to: http://www.dnsstuff.com/tools/whois.ch?ip=!NET-65-119-204-0-1&server=whois.arin.net I had been showing the old/incorrect information (by now it does show the correct info, because I found out the RIGHT way how to refresh your cache - read on)
All the while, I had been following the link to cache off - which constructs THIS URL: http://www.dnsstuff.com/tools/whois.ch?domain=!NET-65-119-204-0-1&cache=off
The resulting display of
NetRange: 0.0.0.0 - 0.255.255.255
CIDR: 0.0.0.0/8
NetName: RESERVED-1
NetHandle: NET-0-0-0-0-1
caused me to think that MY entry !NET-65-119-204-0-1 was bad/deleted. I never even bothered verifying your display with ARIN (shame on me).
Notice how your Query Parameters switched from:
ip=!NET-65-119-204-0-1&server=whois.arin.net
to:
domain=!NET-65-119-204-0-1&cache=off
Clearly, the switch from ip=!NET... to domain=!NET... is the problem. If instead, I manually constructed the URL: http://www.dnsstuff.com/tools/whois.ch?ip=!NET-65-119-204-0-1&server=whois.arin.net&cache=off I started seeing the CORRECT information (and it refreshed your cache). So - I believe in the ip=!NET... detail screen your CACHE OFF link is constructed incorrectly.
Best Regards Andy Schmidt HM Systems Software, Inc. 600 East Crescent Avenue Suite 203 Upper Saddle River, NJ 07458-1846 Phone: +1 201 934-3414 x20 (Business) Fax:+1 201 934-9206 http://www.hm-software.com/
RE: [Declude.JunkMail] Still not using the intended recipient
Scott, would you like for me to download a new interim release to CONFIRM that it has since been fixed (you apparently thought back then, that it had been fixed already)? Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax:+1 201 934-9206
RE: [Declude.JunkMail] Still not using the intended recipient
Hi, then - sorry - but i21 still doesn't appear to work:
01/17/2003 13:41:51 Q4e6d4dac00e4e077 WEIGHTFILTER:-20 . Total weight = -20
01/17/2003 13:41:51 Q4e6d4dac00e4e077 E-mail whitelisted - automatically passing all spam tests [63.107.174.]
01/17/2003 13:41:51 Q4e6d4dac00e4e077 Subject: Test Email - Please Ignore
01/17/2003 13:41:51 Q4e6d4dac00e4e077 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]
even though the email was addressed to my alias domain of: [EMAIL PROTECTED]
Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax:+1 201 934-9206
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of R. Scott Perry
Sent: Friday, January 17, 2003 01:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Still not using the intended recipient
would you like for me to download a new interim release to CONFIRM that it has since been fixed (you apparently thought back then, that it had been fixed already)?
Sure, you can download the latest interim release at http://www.declude.com/release/165i/declude.exe .
-Scott
RE: [Declude.JunkMail] How obscene is Basement?
Oh, this is all sementics. :-)
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Kami Razvan
Sent: Thursday, January 16, 2003 10:31 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] How obscene is Basement?
Scott... Hopefully in one of the future releases we can come up with a filter that works with before and after space.. After all how obscene is the word basement? Drawings were being sent to me for our office that were not reaching me! Why? the filter:
SUBJECT 12 CONTAINS semen
Oh well... its weight was taken down... Lesson learned..
Regards, Kami
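The false positive Kami describes comes from substring matching: the filter text is embedded in "basement". The following Python sketch, added here and not part of the original posts or of Declude, parses a filter line of that shape and reports known-good subjects that a CONTAINS rule hits only inside a longer word. The WHOLEWORD operator is hypothetical, and the sample subjects and case-insensitive matching are assumptions.

```python
import re

# Kami's filter line with whitespace normalised: FIELD WEIGHT OPERATOR TEXT.
FILTER_TEXT = "SUBJECT 12 CONTAINS semen\n"

# Constructed sample of legitimate subject lines to audit the filter against.
KNOWN_GOOD = [
    "Basement drawings for the new office",
    "Easement agreement - signed copy",
    "Horsemen's association newsletter",
    "Quarterly invoice",
]

def parse_filter(text):
    """Parse filter lines into rule dicts, skipping blanks and # comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        field, weight, op, needle = line.split(None, 3)
        rules.append({"field": field.upper(), "weight": int(weight),
                      "op": op.upper(), "text": needle})
    return rules

def rule_hits(rule, value, op=None):
    """Apply one rule; op overrides the rule's own operator for comparison."""
    op = op or rule["op"]
    needle, hay = rule["text"].lower(), value.lower()
    if op == "CONTAINS":   # plain substring match (assumed case-insensitive)
        return needle in hay
    if op == "WHOLEWORD":  # hypothetical operator, not a Declude keyword
        pattern = r"(?<!\w)" + re.escape(needle) + r"(?!\w)"
        return re.search(pattern, hay) is not None
    raise ValueError("unsupported operator: " + op)

def weight_for(rules, message):
    """Total weight a message collects; message maps field name to value."""
    return sum(r["weight"] for r in rules
               if rule_hits(r, message.get(r["field"], "")))

def substring_only_hits(rules, subjects):
    """(filter text, innocent word, weight) for every known-good subject that
    a CONTAINS rule matches only because the text sits inside a longer word."""
    findings = []
    for rule in rules:
        if rule["field"] != "SUBJECT" or rule["op"] != "CONTAINS":
            continue
        for subject in subjects:
            if rule_hits(rule, subject) and not rule_hits(rule, subject, "WHOLEWORD"):
                words = re.findall(r"\w+", subject.lower())
                word = next((w for w in words if rule["text"].lower() in w), None)
                findings.append((rule["text"], word, rule["weight"]))
    return findings

if __name__ == "__main__":
    for text, word, weight in substring_only_hits(parse_filter(FILTER_TEXT), KNOWN_GOOD):
        print("'%s' fires inside '%s' and adds weight %d" % (text, word, weight))
```

Running a candidate filter file through such an audit against a sample of legitimate mail before raising its weight surfaces this class of collision ahead of delivery failures.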
[Declude.JunkMail] Wrong Domain Name Used with 1.65i10
Scott:
01/06/2003 07:48:50 Q7b294a1d00d4e815 SPAMROUTING:3 WEIGHTFILTER:8 . Total weight = 11
01/06/2003 07:48:50 Q7b294a1d00d4e815 Msg failed SPAMROUTING (This E-mail was routed in a poor manner consistent with spam [210f].). Action=WARN.
01/06/2003 07:48:50 Q7b294a1d00d4e815 Msg failed WEIGHTFILTER (Message failed WEIGHTFILTER test (31)). Action=IGNORE.
01/06/2003 07:48:50 Q7b294a1d00d4e815 Msg failed WEIGHTREPORT (Weight of 11 reaches or exceeds the limit of 11.). Action=ALERT.
01/06/2003 07:48:50 Q7b294a1d00d4e815 Msg failed WEIGHT10 (Total weight between 10 and 19.). Action=BOUNCE.
01/06/2003 07:48:50 Q7b294a1d00d4e815 Subject: EUMEL A1-2 B-2
01/06/2003 07:48:50 Q7b294a1d00d4e815 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]
However, the actual recipient domain was NOT [EMAIL PROTECTED], it was [EMAIL PROTECTED]. We have different SPAM settings defined for this domain - so this email should NOT have been BOUNCED. Here is the matching IMail log, showing the REAL domain name:
01:06 07:48 SMTPD(4A1D00D4) [63.107.174.78] connect 192.67.198.73 port 33271
01:06 07:48 SMTPD(4A1D00D4) [192.67.198.73] EHLO mailin.webmailer.de
01:06 07:48 SMTPD(4A1D00D4) [192.67.198.73] MAIL From:[EMAIL PROTECTED]
01:06 07:48 SMTPD(4A1D00D4) [192.67.198.73] RCPT To:[EMAIL PROTECTED]
01:06 07:48 SMTPD(4A1D00D4) [192.67.198.73] D:\IMAIL\spool\D7b294a1d00d4e815.SMD 1913
Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax:+1 201 934-9206
RE: [Declude.JunkMail] Wrong Domain Name Used with 1.65i10
Hi Scott: Yes...
LOGFILE D:\imail\spool\dec.log
LOGLEVEL MID
LOG_OK NONE
HOP 0
CONSOLE OFF
XINHEADER X-Declude: Version %VERSION%; %QUEUENAME% from %REVDNS% [%REMOTEIP%]
XINHEADER X-Declude: Failed %TESTSFAILED% [%WEIGHT%]
XINHEADER X-Countries: %COUNTRYCHAIN%
XINHEADER Return-Path: %MAILFROM%
XOUTHEADER X-Note: Report any abuse to [EMAIL PROTECTED]
XSENDER OFF
XSPOOLNAME OFF
SWITCHRECIP ON
Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax:+1 201 934-9206
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of R. Scott Perry
Sent: Monday, January 06, 2003 04:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Wrong Domain Name Used with 1.65i10
does it change your mind, if I tell you that before my update to 1.65i10, Declude WAS correctly using the intended recipient domain when looking up the Junkmail configuration? Look at the SAME daily email on 12/23 (the last time this email went through) and notice how Declude reports the INTENDED domain, not the FINAL domain:
Are you using the SWITCHRECIP ON option in your \IMail\Declude\global.cfg file?
-Scott
[Declude.JunkMail] SpamRouting Triggered - all German IPs
Hi Scott: The following header tripped SPAMROUTING. However,
http://www.dnsstuff.com/tools/whois.ch?ip=192.67.198.73 is located in Karlsruhe, Germany
http://www.dnsstuff.com/tools/whois.ch?ip=217.72.192.180 is located in Karlsruhe, Germany
http://www.dnsstuff.com/tools/whois.ch?ip=145.254.191.86 is located in Eschborn, Germany.
So there is no funny country ping-pong going on!?
Received: from mailin.webmailer.de [192.67.198.73] by hm-software.com with ESMTP (SMTPD32-7.07) id A55A29A01A0; Tue, 31 Dec 2002 13:43:38 -0500
Received: from smtp.web.de (smtp01.web.de [217.72.192.180]) by mailin.webmailer.de (8.9.3/8.8.7) with ESMTP id TAA02895 for [EMAIL PROTECTED]; Tue, 31 Dec 2002 19:43:05 +0100 (MET)
Received: from [145.254.191.86] (helo=marcus) by smtp.web.de with smtp (WEB.DE(Exim) 4.93 #1) id 18TRMS-0005Rv-00 for [EMAIL PROTECTED]; Tue, 31 Dec 2002 19:43:32 +0100
Message-ID: 007b01c2b0fc$f76a9640$56bffe91@marcus
Reply-To: Marcus Sopicki [EMAIL PROTECTED]
From: Marcus Sopicki [EMAIL PROTECTED]
To: Uli Grepel [EMAIL PROTECTED]
Subject: Frohes neues Jahr
Date: Tue, 31 Dec 2002 19:20:20 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Sender: [EMAIL PROTECTED]
[Declude.JunkMail] DNSREPORT/DNSSTUFF: DNS Lookup is Broken?
http://www.dnsreport.com/tools/dnsreport.ch?domain=grepel.de results in:
[ERROR: The root servers say that the domain grepel.de does not have any NS records (although they may have some other information on that zone). I can not do a DNS report on a hostname (such as mail.example.com) or a domain name that does not have its own zone.]
http://www.dnsstuff.com/tools/dnstime.ch?name=grepel.de&type=SOA results in:
Searching for SOA record for grepel.de at m.root-servers.net: Got referral to DNS.DENIC.de. [took 241 ms]
Searching for SOA record for grepel.de at DNS.DENIC.de.: Reports no SOA records (NODATA type 2). 187ms.
Answer: Does not exist.
I've been retrying for 15 minutes or so. Yet, at the same time, following that same chain MANUALLY:
nslookup
server m.root-servers.net.
Default Server: m.root-servers.net
Address: 202.12.27.33
set type=soa
grepel.de.
Server: m.root-servers.net
Address: 202.12.27.33
de nameserver = AUTH03.NS.DE.UU.NET
de nameserver = DNS.DENIC.de
de nameserver = SUNIC.SUNET.SE
de nameserver = SSS-AT.DENIC.de
de nameserver = SSS-NL.DENIC.de
de nameserver = SSS-DE1.DE.NET
de nameserver = SSS-UK.DE.NET
de nameserver = DNS2.DE.NET
de nameserver = SSS-JP.DENIC.de
de nameserver = SSS-US1.DE.NET
de nameserver = SSS-US2.DENIC.de
AUTH03.NS.DE.UU.NET internet address = 192.76.144.16
DNS.DENIC.de internet address = 194.246.96.79
SUNIC.SUNET.SE internet address = 192.36.125.2
SSS-AT.DENIC.de internet address = 193.171.255.34
SSS-NL.DENIC.de internet address = 193.0.0.237
SSS-DE1.DE.NET internet address = 193.159.170.187
SSS-UK.DE.NET internet address = 62.53.3.68
DNS2.DE.NET internet address = 194.246.96.49
SSS-JP.DENIC.de internet address = 210.81.13.179
SSS-US1.DE.NET internet address = 206.65.170.100
SSS-US2.DENIC.de internet address = 167.216.196.131
server dns.denic.de.
Default Server: dns.denic.de
Address: 194.246.96.79
grepel.de.
Server: dns.denic.de
Address: 194.246.96.79
de
primary name server = dns.denic.de
responsible mail addr = ops.denic.de
serial = 2003010330
refresh = 10800 (3 hours)
retry = 7200 (2 hours)
expire = 360 (41 days 16 hours)
default TTL = 86400 (1 day)
Is your DNSREPORT/DNSSTUFF lookup broken?
Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax:+1 201 934-9206
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of R. Scott Perry
Sent: Friday, January 03, 2003 03:08 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] SpamRouting Triggered - all German IPs
http://www.dnsstuff.com/tools/whois.ch?ip=192.67.198.73 is located in Karlsruhe, Germany
http://www.dnsstuff.com/tools/whois.ch?ip=217.72.192.180 is located in Karlsruhe, Germany
http://www.dnsstuff.com/tools/whois.ch?ip=145.254.191.86 is located in Eschborn, Germany.
So there is no funny country ping-pong going on!?
The problem is that the 145.*.*.* and 192.*.*.* IP ranges aren't designated to a specific region. Hopefully, we'll be able to change the SPAMROUTING test to use the IP-Country database, which would significantly improve upon the test (it would be useful in areas it currently can't be used in, and would be able to detect country hops that couldn't be detected before).
-Scott
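Scott's explanation of the SPAMROUTING hit, worked through on the Received chain posted earlier in the thread. This is an added Python illustration, not Declude's algorithm (which the thread does not describe): it extracts the relay IPs and compares a block-level region table with a per-address country table. Both lookup tables are constructed assumptions built from what the posts state.

```python
import ipaddress
import re

# The three Received headers from the posted message, newest first
# (redacted "for" addresses left as they appear in the archive).
RECEIVED = [
    "from mailin.webmailer.de [192.67.198.73] by hm-software.com with ESMTP (SMTPD32-7.07) id A55A29A01A0; Tue, 31 Dec 2002 13:43:38 -0500",
    "from smtp.web.de (smtp01.web.de [217.72.192.180]) by mailin.webmailer.de (8.9.3/8.8.7) with ESMTP id TAA02895 for [EMAIL PROTECTED]; Tue, 31 Dec 2002 19:43:05 +0100 (MET)",
    "from [145.254.191.86] (helo=marcus) by smtp.web.de with smtp (WEB.DE(Exim) 4.93 #1) id 18TRMS-0005Rv-00 for [EMAIL PROTECTED]; Tue, 31 Dec 2002 19:43:32 +0100",
]

# Constructed lookup tables (assumptions, not Declude data).
# 145.* and 192.* are absent on purpose: per Scott's reply those ranges
# are not designated to a specific region.
REGION_BY_FIRST_OCTET = {217: "Europe"}
# Per-address countries as reported in the post (all three in Germany).
COUNTRY_BY_IP = {"192.67.198.73": "DE", "217.72.192.180": "DE",
                 "145.254.191.86": "DE"}

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def relay_ips(received_headers):
    """Sending IP of each hop, oldest hop first.

    Only the newest header is written by the receiving server itself;
    older ones are supplied by upstream hosts and can be forged.
    """
    ips = []
    for header in reversed(received_headers):
        from_part = header.split(" by ", 1)[0]
        match = IP_IN_BRACKETS.search(from_part)
        if not match:
            continue
        try:
            ips.append(str(ipaddress.IPv4Address(match.group(1))))
        except ipaddress.AddressValueError:
            pass  # bracketed text that is not a valid IPv4 address
    return ips

def coarse_region(ip):
    return REGION_BY_FIRST_OCTET.get(int(ip.split(".")[0]))

def fine_country(ip):
    return COUNTRY_BY_IP.get(ip)

def route_report(received_headers, lookup):
    """Places along the route, unresolved hops, and changes between known places."""
    places = [lookup(ip) for ip in relay_ips(received_headers)]
    known = [p for p in places if p is not None]
    changes = sum(1 for a, b in zip(known, known[1:]) if a != b)
    return {"places": places, "unresolved": places.count(None), "changes": changes}

if __name__ == "__main__":
    print("block-level:", route_report(RECEIVED, coarse_region))
    print("per-address:", route_report(RECEIVED, fine_country))
```
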
RE: [Declude.JunkMail] DNSREPORT/DNSSTUFF: DNS Lookup is Broken?
Hi Scott, sorry - that reply just makes no sense:
a) When a DNS server returns a SOA record in response to a query, it means that the queried resource doesn't exist.
No - in this case it means I specifically INSTRUCTED NSLOOKUP to return the SOA as my sample showed: set type=soa
b) If you go to http://www.dnsstuff.com/tools/lookup.ch?name=www3.grepel.de&type=A
Why would I do that? Why www3? Where do you get that name from?
c) My question was specific to:
http://www.dnsstuff.com/tools/dnstime.ch?name=grepel.de&type=SOA
http://www.dnsreport.com/tools/dnsreport.ch?domain=grepel.de
I expect BOTH of these to look for the SOA records, not for some imaginary www3 records. Why else does DNSSTUFF let me specify name=grepel.de&type=SOA ?
d) But, since I'm a good sport, I also tried to look up www3.grepel.de:
D:\nslookup
server m.root-servers.net.
Default Server: m.root-servers.net
Address: 202.12.27.33
www3.grepel.de.
Server: m.root-servers.net
Address: 202.12.27.33
Name: www3.grepel.de
Served by:
- AUTH03.NS.DE.UU.NET 192.76.144.16 de
- DNS.DENIC.de 194.246.96.79 de
- SUNIC.SUNET.SE 192.36.125.2 de
- SSS-AT.DENIC.de 193.171.255.34 de
- SSS-NL.DENIC.de 193.0.0.237 de
- SSS-DE1.DE.NET 193.159.170.187 de
- SSS-UK.DE.NET 62.53.3.68 de
- DNS2.DE.NET 194.246.96.49 de
- SSS-JP.DENIC.de 210.81.13.179 de
- SSS-US1.DE.NET 206.65.170.100 de
server dns.denic.de.
Default Server: dns.denic.de
Address: 194.246.96.79
set type=a
www3.grepel.de.
Server: dns.denic.de
Address: 194.246.96.79
So again I ask - why can NSLOOKUP find the www3.grepel.de - but DNSSTUFF can't?
Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax:+1 201 934-9206
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of R. Scott Perry
Sent: Friday, January 03, 2003 04:19 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] DNSREPORT/DNSSTUFF: DNS Lookup is Broken?
http://www.dnsreport.com/tools/dnsreport.ch?domain=grepel.de results in:
[ERROR: The root servers say that the domain grepel.de does not have any NS records (although they may have some other information on that zone). I can not do a DNS report on a hostname (such as mail.example.com) or a domain name that does not have its own zone.]
http://www.dnsstuff.com/tools/dnstime.ch?name=grepel.de&type=SOA results in:
Searching for SOA record for grepel.de at m.root-servers.net: Got referral to DNS.DENIC.de. [took 241 ms]
Searching for SOA record for grepel.de at DNS.DENIC.de.: Reports no SOA records (NODATA type 2). 187ms.
Answer: Does not exist.
The problem is with grepel.de. If you go to http://www.dnsstuff.com/tools/lookup.ch?name=www3.grepel.de&type=A , you'll see that the parent (root) servers for .de say that www3.grepel.de doesn't exist -- without ever sending you to NS records for www3.grepel.de.
I've been retrying for 15 minutes or so. Yet, at the same time, following that same chain MANUALLY:
But:
grepel.de.
Server: dns.denic.de
Address: 194.246.96.79
de
primary name server = dns.denic.de
responsible mail addr = ops.denic.de
serial = 2003010330
refresh = 10800 (3 hours)
retry = 7200 (2 hours)
expire = 360 (41 days 16 hours)
default TTL = 86400 (1 day)
That's the SOA record for .de. When a DNS server returns a SOA record in response to a query, it means that the queried resource doesn't exist.
-Scott
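What settles the SOA question in this exchange is which section of the response carries the record and which name owns it. The Python sketch below is an added example, not DNSstuff's or nslookup's code: it classifies a response by the RFC 2308 categories (including the "NODATA type 2" that DNSstuff reported) and computes how long a negative answer may be cached. The response dictionaries are constructed, modelled on the nslookup output and the DNSstuff result above; the SOA record TTL of 3600 is an assumption.

```python
# Records are (owner, type, ttl, rdata) tuples; SOA rdata is a dict.

def _norm(name):
    return name.rstrip(".").lower()

def classify(resp):
    """Classify a DNS response by section contents (RFC 2308, section 2)."""
    qname, qtype = _norm(resp["qname"]), resp["qtype"]
    answered = any(_norm(owner) == qname and rtype in (qtype, "CNAME")
                   for owner, rtype, _, _ in resp["answer"])
    auth_types = {rtype for _, rtype, _, _ in resp["authority"]}
    if resp["rcode"] == "NXDOMAIN":
        return "NXDOMAIN"
    if resp["rcode"] != "NOERROR":
        return "ERROR " + resp["rcode"]
    if answered:
        return "ANSWER"
    if "SOA" in auth_types:  # negative answer; the SOA names the denying zone
        return "NODATA type 1" if "NS" in auth_types else "NODATA type 2"
    return "REFERRAL" if "NS" in auth_types else "NODATA type 3"

def denying_zone(resp):
    """Owner of the authority-section SOA: the zone making the negative statement."""
    for owner, rtype, _, _ in resp["authority"]:
        if rtype == "SOA":
            return _norm(owner)
    return None

def negative_ttl(resp):
    """Seconds a resolver may cache the negative answer (RFC 2308, section 5):
    the smaller of the SOA record's TTL and its MINIMUM field."""
    for _, rtype, ttl, rdata in resp["authority"]:
        if rtype == "SOA":
            return min(ttl, rdata["minimum"])
    return None

# Constructed: root server asked for grepel.de SOA, answers with NS for de.
ROOT_REPLY = {"rcode": "NOERROR", "qname": "grepel.de.", "qtype": "SOA",
              "answer": [],
              "authority": [("de.", "NS", 172800, "dns.denic.de.")]}

# Constructed: dns.denic.de asked for grepel.de SOA, returns only the SOA
# of de (serial and default TTL as in the nslookup output above).
DENIC_REPLY = {"rcode": "NOERROR", "qname": "grepel.de.", "qtype": "SOA",
               "answer": [],
               "authority": [("de.", "SOA", 3600,
                              {"mname": "dns.denic.de.", "serial": 2003010330,
                               "minimum": 86400})]}

# Constructed contrast: what a real SOA answer for the zone would look like.
POSITIVE_REPLY = {"rcode": "NOERROR", "qname": "grepel.de.", "qtype": "SOA",
                  "answer": [("grepel.de.", "SOA", 3600,
                              {"mname": "ns.example.", "serial": 1,
                               "minimum": 3600})],
                  "authority": []}

if __name__ == "__main__":
    for name, resp in (("root", ROOT_REPLY), ("denic", DENIC_REPLY),
                       ("positive", POSITIVE_REPLY)):
        print(name, classify(resp), denying_zone(resp), negative_ttl(resp))
```
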