RE: [Declude.JunkMail] error 0xC0000142 smtp.exe
Hi,

Even though I am running an Imail server for a bachelor-level education with about 2500 active mailboxes and about 15.000 mails per day, I still have Declude set to max 150 THREADS. That is plenty to get the mail delivered in time. Declude itself can handle a lot more, and using the built-in Sniffer helps keep the max heap problem down, but I have never found a good reason to increase the THREAD count. As a matter of fact I have had it even lower in the past and still mail was delivered quickly enough for users never to notice it.

Yours sincerely,
Bonno Bloksma
senior systems administrator
tio university of applied sciences for hospitality and tourism
julianalaan 9 / 7553 ab hengelo netherlands
t +31-74-255 06 10 / f +31-74-255 06 11
b.blok...@tio.nl / www.tio.nl

From: IMail Admin [mailto:imailad...@bcwebhost.net]
Sent: Thursday 5 May 2011 22:10
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] error 0xC142 smtp.exe

That sounds like me. What’s the cure? Drop the number of threads in declude.cfg? I haven’t looked at it yet to see what I have.

From: Andy Schmidt <mailto:andy_schm...@hm-software.com>
Sent: Thursday, May 05, 2011 1:05 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] error 0xC142 smtp.exe

I had encountered the problem when I introduced another Declude add-on to the mix (e.g., another command line program that Declude was launching). Eventually there were too many command line processes using up too much heap… Some of us were using the old command-line sniffer and 2 or 3 anti-virus command line tools, and invURIBL and various others – each one chipping away at the heap.

From: IMail Admin [mailto:imailad...@bcwebhost.net]
Sent: Thursday, May 05, 2011 2:21 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] error 0xC142 smtp.exe

Hi Pete,

Thanks for the links. After reading all of those, and everything they link to, I have a better idea of what’s happening. What Declude originally called the “mystery heap” is apparently the desktop heap, which had a system wide limit of 48 mb (Win2k and Win2k3), allocated between interactive and non-interactive desktops. Presumably, too many processes are launched, exhausting this heap. Setting a smaller value for the per-process allocation (512 kb by default) should allow more processes to run.

So all of this makes sense but doesn’t explain why my server should have this problem. My business is so small any more that I could imagine using my smart phone to run the mail server. If it’s the smtp32.exe process causing the crash, then that would imply to me that I’ve got a lot of outbound messages all at once. I just don’t see how this could happen. I’m guessing that we’ve got no more than a couple hundred mailboxes spread over 30 domains, and no lists larger than 200.

So how do I find out where all this outbound stuff is coming from? And is there a setting I could use to limit the number of outbound messages sent (or processed) at one time? Any suggestions are appreciated.

Thanks,
Ben

P.S. I wonder what would happen if I moved my software (Imail 2006.23) to a Win 7 PC or a Windows 2010 server? Just thinking out loud.

From: Pete McNeil <mailto:madscient...@microneil.com>
Sent: Wednesday, May 04, 2011 8:34 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] error 0xC142 smtp.exe

On 5/4/2011 11:08 PM, Imail Admin wrote:
> Hi,
> I recall a while back about errors where you get Error #0xC142 (The application failed to initialize) for smtp32.exe, somehow related to Declude. We started getting these recently for no particular reason that I can think of.
> Is there a setting in Declude that helps with this?

IIRC, this is the "mystery heap" problem and solving it will mostly have to do with the setting you're using.

http://kb.imailserver.com/cgi-bin/imail.cfg/php/enduser/std_adp.php?p_faqid=686

There is a particular chunk of memory that runs out if too many applications/processes are started at once as children of other processes. In your case, for example, too many concurrent instances of SMTP32.exe along with a number of other factors.

If I'm guessing correctly, you could suddenly experience this problem due to allowing enough SMTP32 processes (usually controlled by the number of processing threads you allow) and also having enough mail running through your system to exhaust the mystery heap.

This search might help you find what you're looking for in
RE: [Declude.JunkMail] email being delivered with blank body. What happened to body?
Hi,

Time to call Declude on the line or (Linda) via Skype and ask them. I am using “regular” Declude on an Imail system, not the interceptor version.

Kind regards,
Bonno Bloksma
senior systems administrator
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
b.blok...@tio.nl / www.tio.nl

From: Rick Davidson [mailto:rdavid...@nat.com]
Sent: Tuesday 5 April 2011 20:52
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] email being delivered with blank body. What happened to body?

So running the 3.4.10.59 (or .49, whatever it is supposed to be) resulted in a bit of chaos for me.

So there were no more blank email bodies, but instead it randomly started mixing up the Q and D files and delivering message bodies to unintended recipients (yea, no kidding).

The headers look normal, exactly like they are supposed to be, however the message is delivered to the wrong recipient.

Received: from nateet1.nat.com (64.143.180.230) by mail.nat.com (10.101.226.10) with Microsoft SMTP Server (TLS) id 8.3.137.0; Tue, 5 Apr 2011 11:53:48 -0500
Received: from mx1.nat.com (64.143.180.231) by nateet1.nat.com (64.143.180.231) with Microsoft SMTP Server id 8.3.137.0; Tue, 5 Apr 2011 11:53:42 -0500
Received: from fnbtc.net [209.149.254.11] by mx1.nat.com (Alligate(TM) SMTP Gateway v3.11.1.27) with ESMPT id for ; Tue, 05 Apr 2011 11:53:23 -0500
Received: from ([192.168.3.1]) by mail.fnbtc.net with ESMTP id J3NF5H1.30523111;Tue, 05 Apr 2011 12:16:50 -0400
Received: by fnb_tc_02.fnb_tc with Internet Mail Service (5.5.2657.72) id <2KAZYZJ7>; Tue, 5 Apr 2011 12:37:54 -0400
Message-ID: <4C6283FBCA6604418688004ED2B8EC6C24ED23EB@fnb_tc_02.fnb_tc>
From: Mrs Someone
To: 'Mr Someone'
Subject: chairs
Date: Tue, 5 Apr 2011 12:37:53 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2657.72)
Content-Type: multipart/alternative; boundary="_=_NextPart_001_01CBF3AF.CF9AC848"
X-MXRate-Prob: 0
X-MXRate-Country: US
X-MXRate-Action: NONE
X-Alligate-ReceivingIP: [64.143.180.230]
X-Alligate-Country-Chain: United States->Destination
X-Alligate-Tarpit: NOSUBD;GREY (20secs)
X-Alligate-Grey: Passed
X-Alligate-REVDNS: mail.fnbtc.net
X-Alligate-HELO: fnbtc.net
X-Alligate-Spam: NOSUBD;TARPIT;
X-Alligate-MsgScan: (10) NOTGOODSNDR[10];
X-Alligate-ID: 245564
X-Originating-IP: 209.149.254.11
X-Alligate-RcptTo:
Return-Path: some...@seacoastnational.com
X-RBL-Warning: WEIGHTER: Message failed WEIGHTER test (line 29, weight 1)
X-Declude-Sender: some...@seacoastnational.com [209.149.254.11]
X-Declude-Spoolname: D005433486.smd
X-Declude-RefID: str=0001.0A020202.4D9B4913.0045:SCFSTAT2058654,ss=1,fgs=0
X-SendingHost: seacoastnational.com
X-Country-Chain: UNITED STATES->destination
X-Recipients: some...@nat.com
X-Declude-Fail: BACKSCATTER [4], COMMENTS [7], WEIGHTER [1]
X-Declude-Score: 12

Alligate
11:53:07.578 - (245564) Cmd recd: MAIL FROM: size=5349
11:53:07.734 - (245564) Cmd recd: RCPT TO:

Declude Junkmail
04/05/2011 11:53:39.156 Q005433486.smd From: some...@seacoastnational.com To: some...@nat.com IP: 209.xxx.xxx.xx ID: J3NF5H1.30523111

Here is where it goes bad, the handoff from Declude to Exchange, there are two new recipients and an additional sender address

2011-04-05T16:53:42.453Z,64.143.180.231,,64.143.180.231,mx1,08CDBFF5751E827C;2011-04-05T16:53:42.296Z;0,mx1\Inbound From Internet,SMTP,RECEIVE,31471,<4C6283FBCA6604418688004ED2B8EC6C24ED23EB@fnb_tc_02.fnb_tc>,someo...@nat.com;someo...@nat.com,,9626,2,,,chairs,some...@seacoastnational.com,some...@msn.com,10I:

the message above was delivered to someo...@nat.com and someo...@nat.com from some...@msn.com instead of what was contained in the headers

Rolled back to previous version…

--
Rick

From: Rick Davidson
Sent: Tuesday, April 05, 2011 8:37 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] email being delivered with blank body. What happened to body?

Log in to the interim area
Go to interceptor
There is a dir called 3.4.10.59
Swap out the decludeproc.exe files

I am running it this morning and indeed that issue does not exist, however the diags.txt says it is 3.4.10.49

--
rick

From: Harry Vanderzand [mailto:ha...@intown.net]
Sent: Tuesday, April 05, 2011 8:05 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] email being delivered with blank body. What happened to body?

Where did you get 4
RE: [Declude.JunkMail] email being delivered with blank body. What happened to body?
Hi,

Which version of Declude are you running? I remember chasing a weird bug that was sometimes truncating a message to 1k, which mostly affected html mail. After Declude found the cause for that issue they released interim version Declude 4.10.59, which is what I am running now.

Kind regards,
Bonno Bloksma
senior systems administrator
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
b.blok...@tio.nl / www.tio.nl

From: Harry Vanderzand [mailto:ha...@intown.net]
Sent: Tuesday 5 April 2011 0:54
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] email being delivered with blank body. What happened to body?

This is occurring to one of my domains. No others that I can figure. I see no pattern as to why the mail gets delivered but the body is missing. Any help is sure appreciated. I run imail with an Alligate front end. And of course Declude. Thank you in advance for your assistance.

Thank you
Harry Vanderzand
Intown internet & Erbsville Internet
740 Erbsville Road
Waterloo, ON, N2J3Z4

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] ipv6 and exchange
Hi,

Somewhere this year, maybe even before the summer, we will switch from using IMail to Exchange. As a school we get a REAL GOOD deal on the licenses and we want to use other software, like a Blackberry server, that does not work together with IMail :-( but does with Exchange.

1) Who has done an IMail to Exchange migration and can give me their migration path? That would save me a lot of searching for "the best way" to do it. Of course we have already thought about it and thought about how to do it, but we probably missed some things. The proper order in which to do things is important of course. Password migration is not a problem as all users are already in our AD.

2) As the ipv4 resource pool nears depletion at the RIR level as well, and as we do a lot of international business with both Africa and Asia, I can start to see ipv6 ONLY machines in the near future that need to connect to our webservers and mailserver. How far is Declude in its ipv6 support? I will enable ipv6 on my Exchange server when we launch it.

3) As I want to have an Alligate/Declude server in front of my Exchange server... It seems I need to switch from separate Alligate / Declude subscriptions to an integrated subscription. Do I need to contact Declude or Alligate for this? I already have combined Declude and Sniffer, and Commtouch is part of my Declude subscription, so letting Declude handle this would seem the proper way.

4) As an alternative to handling my own spam/virus filter I can outsource it to Microsoft or some other company that does handle ipv6 by now. Does anyone know of a list that supports ipv6 as of now or in the next few months?

Kind regards,
Bonno Bloksma
senior systems administrator
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
b.blok...@tio.nl / www.tio.nl
[Declude.JunkMail] 1.8Gig logs dir
Hi,

To those of you never running Hijack and never bothered to look at it: I was looking where some of my disk space had gone to and found 1,8Gig of hijack logs saying nothing but...

07/26/2009 00:00:44.469 q807b03a1f79c.smd Hijack Test is OFF. No Hijack.CFG file found.
07/26/2009 00:00:44.500 q806303d1f789.smd Hijack Test is OFF. No Hijack.CFG file found.

Seems I have 1 year worth of hijack logs and only the fact that hijack uses the hiMMDD format kept it from growing further. :-(

Declude... please fix this, we don't need hijack logs when there is no hijack.

Everybody else, see what you have in the Declude\Logs directory. I never looked at that directory as every other log file is in my IMail\spool directory or in the application directory like the snf log.

Kind regards,
Bonno Bloksma
senior systems administrator
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
b.blok...@tio.nl / www.tio.nl
Re: [Declude.JunkMail] What's wrong with my Declude?
Hi,

I'm running IMail 2006.23 as well and running the latest Declude with built-in sniffer. It is the easiest to set up.

Kind regards,
Bonno Bloksma
senior systems administrator
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
b.blok...@tio.nl / www.tio.nl

- Original Message -
From: Imail Admin
To: declude.junkmail@declude.com
Sent: Sunday, August 01, 2010 8:40 PM
Subject: Re: [Declude.JunkMail] What's wrong with my Declude?

Hi Pete,

Thanks. I think I'll try your installer first. I checked and my Sniffer subscription runs out in late September. I'm considering the possibility of upgrading Declude (first time in many years) and getting the OEM Sniffer with it. If I do that, it'll be in September. My system is so old (Imail 2006.23 running on top of Windows Server 2000) that I worry it won't handle the newest versions of these products.

Thanks,
Ben

---
[This E-mail was checked by Declude]

- Original Message -
From: "Pete McNeil"
To:
Sent: Sunday, August 01, 2010 11:28 AM
Subject: Re: [Declude.JunkMail] What's wrong with my Declude?

> On 8/1/2010 1:36 PM, Imail Admin wrote:
>> Hi Pete,
>>
>> By SNF I assume you mean Sniffer? How do I tell for sure which version
>> is running and whether it is getting the latest downloads? I know it's
>> running at least partially because the report lists it. I checked the
>> cfg file and it says "configuration for v2r3", so I assume that's version
>> 2 and not version 3? Then I checked my old emails and found that my last
>> license renewal was at the end of last August, so I have a valid license.
>> I haven't received any notices since then about newer versions or even
>> renewing my license this year.
>
> That all sounds about right.
> I'm betting (based on the above) that you simply never upgraded to version
> 3.
>
> The best way to do that is to use our installer.
>
> http://www.armresearch.com/products/snfClientServerWinInstaller.jsp
> http://www.armresearch.com/message-sniffer/download/SNF_CS_Installer.exe
>
> Another good way (if you're upgrading Declude also) is to switch to the
> built-in OEM version of SNF in Declude. (contact Declude about that if you
> wish to switch).
>
> _M
>
> ---
> [This E-mail was checked by Declude]
>
> --
> President
> MicroNeil Research Corporation
> www.microneil.com
Re: [Declude.JunkMail] Release 4.10.53 now available
Hi,

Just downloaded the latest global.cfg file to compare mine with and it still has the old ZEROHOUR 12 line.

Kind regards,
Bonno Bloksma
senior systems administrator
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
b.blok...@tio.nl / www.tio.nl

- Original Message -
From: David Barker
To: declude.junkmail@declude.com ; declude.vi...@declude.com ; declude.relea...@declude.com
Sent: Thursday, July 08, 2010 6:18 PM
Subject: [Declude.JunkMail] Release 4.10.53 now available

· Updated AVG SDK to 1.7.9836 to fix the problem with using the SDK on a machine with AVG 9.0.837

· Allow the user to specify HOMEREGION specifically designed for users outside of North America and applies to the ROUTING test. Add one of the following depending on your region to the declude.cfg (North America is the default) More information on your specific country can be found here
  HOMEREGION Afrinic
  HOMEREGION Apnic
  HOMEREGION Anic
  HOMEREGION Lacnic
  HOMEREGION Ripe_ncc

· Changed ZEROHOUR test to work the same as other tests. Remove the old line
  ZEROHOUR 12
  Located in the Global.cfg add the new configuration
  COMMTOUCH ZEROHOUR x x 12 0

· Added "nonzero" option for SNF test. Located in the Global.cfg
  SNIFFER SNF x NONZERO 10 0

· Changed from message id = "TestMessage" to display the spool name

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com
Re: [Declude.JunkMail] dns servers for declude
Hi David,

1) In my case the primary dns server had a failure I was able to repair, but *I* was on vacation and the helpdesk operator did not have the proper permissions/knowledge. For all other operations this was no problem as any of the other 4 dns servers were able to take over and it was a low priority event. That is, until we realised mail was flowing extremely slow. :-(

2) Normal behaviour for a dns resolver is to try the next dns server after a delay of 2 sec. When there are more than two dns servers and the second does not answer as well, the timeout round robin gets a bit more complicated in a full scale situation. For Declude it might be a bit more simple.
First 2sec timeout, just try the next dns server.
Second to (tenth?) failure, same behaviour but keep track.
After that mark the active dns server as the first one to be attempted and every 100? attempts check to see if the first dns server has come back. If the first dns server responds to queries once more, switch back, as there is probably a good reason we marked it as the first dns server.

A simple fail over mechanism might be enough for most of us. I think very few of us have more than two dns servers defined in the setup of any machine.

Kind regards,
Bonno Bloksma
senior systems administrator
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
b.blok...@tio.nl / www.tio.nl

- Original Message -
From: David Barker
To: declude.junkmail@declude.com
Sent: Tuesday, July 06, 2010 5:54 PM
Subject: RE: [Declude.JunkMail] dns servers for declude

Hi Bonno,

We can look at adding a second DNS entry to declude.

1. What was your DNS failure?
2. Under what circumstances would you want Declude to switch to the secondary DNS server?

Does anyone have ideas as to what this should look like so that I can scope the requirement?

Thanks
David

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Bonno Bloksma
Sent: Sunday, July 04, 2010 4:37 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] dns servers for declude

Hi,

I have 5 sites and 5 dns servers. Each is primary for its own site and secondary for another site. I can survive any single dns server failure except when it comes to Declude.

A long time ago we were told Declude does not properly follow the Windows settings for primary, secondary and if necessary tertiary dns server and we needed to provide ONE dns server in the Declude config. After a Declude upgrade a while ago I started with a fresh default config file and noticed the dns settings were commented, so I left them at that and assumed Declude would once again use the same dns servers Windows has configured.

Unfortunately the dns server responsible for the site where the mailserver is failed yesterday for most of the day after a problem during maintenance. The secondary server took over for just about all servers / services except the Declude service. Mail was really slow of course. :-(

Is the problem that prevented us in the past from defining more than one dns server finally resolved? Can I have a secondary dns server in Declude today? If not now, when can I?

I know I can solve the problem for Declude by using a cluster of dns servers with one public ip-number, but I have not done anything with clusters yet and:
- my current dns servers have a load of close to nothing
- my current dns servers are also my Active Directory DCs

Yes, we will have virtual servers pretty soon too, so I can have fast fail over on the dns server. But... What if I want to do a fail over to my backup site? The mail server might still want to use the dns server at my primary site, which will probably have a problem because I have switched to the backup site. Any clustering of dns servers at my primary site would then still be useless.

I simply want Declude to use any of the 5 dns servers I have today.

Kind regards,
Bonno Bloksma
senior systems administrator
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
b.blok...@tio.nl / www.tio.nl
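The failover behaviour proposed in the reply above (2-second timeout, demotion of the first server after repeated failures, a re-check every 100 queries), written out as an added example; this is not Declude's code. The class name, the parameter names and the injected `query` callable are hypothetical, and the simulation uses documentation addresses instead of real resolvers.

```python
class FailoverResolver:
    """Try servers in order; demote a dead primary; probe it periodically."""

    def __init__(self, servers, query, timeout=2.0, demote_after=10, probe_every=100):
        self.servers = list(servers)
        self.query = query              # callable(server, name, timeout); raises TimeoutError
        self.timeout = timeout          # the 2 sec delay from the post
        self.demote_after = demote_after  # "second to (tenth?) failure"
        self.probe_every = probe_every    # "every 100? attempts"
        self.active = 0                 # index tried first; 0 is the configured primary
        self.primary_failures = 0       # consecutive timeouts of the primary
        self.since_probe = 0            # queries answered since the last primary check

    def resolve(self, name):
        n = len(self.servers)
        order = [(self.active + i) % n for i in range(n)]
        if self.active != 0:
            self.since_probe += 1
            if self.since_probe >= self.probe_every:
                # Time to see whether the configured primary has come back.
                self.since_probe = 0
                order = [0] + [i for i in order if i != 0]
        for idx in order:
            try:
                answer = self.query(self.servers[idx], name, self.timeout)
            except TimeoutError:
                if idx == 0 and self.active == 0:
                    self.primary_failures += 1   # keep track, but keep trying it first
                continue
            if idx == 0:
                # Primary answers (again): switch back and forget old failures.
                self.primary_failures, self.active = 0, 0
            elif self.active == 0 and self.primary_failures >= self.demote_after:
                self.active, self.since_probe = idx, 0   # stop paying the timeout
            elif self.active != 0 and idx != self.active:
                self.active = idx        # the stand-in failed too; follow the responder
            return answer
        raise TimeoutError("no configured DNS server answered " + name)


def simulate_outage():
    """Primary down for a while, then repaired; returns what the mail flow would see."""
    down, calls = {"192.0.2.1"}, []

    def fake_query(server, name, timeout):      # stands in for a real DNS lookup
        calls.append(server)
        if server in down:
            raise TimeoutError(server)
        return f"{name} answered by {server}"

    r = FailoverResolver(["192.0.2.1", "192.0.2.2", "192.0.2.3"], fake_query)
    for _ in range(10):                          # each of these waits out one timeout
        r.resolve("bl.example.")
    slow = calls.count("192.0.2.1")
    calls.clear()
    for _ in range(99):                          # demoted: the primary is not touched
        r.resolve("bl.example.")
    skipped = calls.count("192.0.2.1")
    down.clear()                                 # primary repaired
    answer = r.resolve("bl.example.")            # 100th query probes the primary first
    return {"timeouts_before_demotion": slow,
            "primary_hits_while_demoted": skipped,
            "answer_after_recovery": answer,
            "active_after_recovery": r.servers[r.active]}


if __name__ == "__main__":
    print(simulate_outage())
```

With the defaults from the post, an outage costs ten 2-second timeouts before lookups go straight to the second server, instead of one timeout per message for the whole day.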
[Declude.JunkMail] ipv6
Hello,

I am making an inventory right now of all the software that does something with ip-numbers and may not support ipv6 numbers yet. Later this year I will open up our DMZ servers to some ipv6 testing and foremost I will need software that does not have a problem with an ipv6 address coming by.

Does the current version of Declude indeed have no problem if it sees an ipv6 address or will it sort of crash? Does the current version fully support ipv6 yet and if not is there an expected target date for it?

If nothing else at least our mailservers and webservers will fully need to support ipv6.

Kind regards,
Bonno Bloksma
senior systems administrator
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
b.blok...@tio.nl / www.tio.nl
[Declude.JunkMail] stop scanning after x points
Hi,

I use Declude with built-in Sniffer and InvURIbl. Other than that mostly the default tests. Using the new 4.10.42 version.

I would like Declude to examine the points scored so far before launching Sniffer or InvURIbl, as those are body tests and need more cpu. I hold at 20 and delete at 30. I want Sniffer and InvURI not called if standard dns tests have already scored 60+ points. Is that possible? I know I can do something like that in tests I create myself but I have no such tests.

If there is not yet a way to tell Declude to evaluate tests that can score negative weights first, maybe that would be a good idea as well to combine with the conditional calling of more tests.

Kind regards,
Bonno Bloksma
senior systems administrator
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
b.blok...@tio.nl / www.tio.nl
[Declude.JunkMail] multistage filtering [OT]
Hi,

With the amount of spam I have to throw away each day now reaching consistent levels of over 90%... I can of course get an even faster mailserver, but I think I would be better off with an extra smtp server in front of my mailserver which filters the most blatant spam mail purely based on session info. What passes that server can go on to my IMail server and have more content-based filtering using Declude, Sniffer, InvURIBL etc.

What would be a good first step server? I have experience with (Debian) Linux so a Linux based solution is no problem.

Kind regards,
Bonno Bloksma
senior systems administrator
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
b.blok...@tio.nl / www.tio.nl
[Declude.JunkMail] old decludeproc files
Hi,

In my IMail folder I have a number of files with names like decludeproc.exe

Are these old files left over after an upgrade? If so, I can probably delete them, right? Strangely enough I would have expected one of them to have a filedate of today as I did an upgrade today, but that is not the case. Maybe the original timestamp is retained and only the filename has been changed.

Kind regards,
Bonno Bloksma
senior systems administrator
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
b.blok...@tio.nl / www.tio.nl
[Declude.JunkMail] Oops deleted declude.exe
Hi,

Small bug in eye brain keyboard interface made me delete the wrong file, \imail\declude.exe. :-( Had it restored from backup in a few minutes, but in those few minutes I had several lines like:

06:06 17:51 SMTPD(5d0803e2505d) (CP) error 2 executing "C:\IMail\Declude.exe" "C:\IMail\spool\Q5d0803e2505d.SMD"
06:06 17:51 SMTPD(5cf903e55025) (CP) error 2 executing "C:\IMail\Declude.exe" "C:\IMail\spool\Q5cf903e55025.SMD"
06:06 17:51 SMTPD(5cf904585026) (CP) error 2 executing "C:\IMail\Declude.exe" "C:\IMail\spool\Q5cf904585026.SMD"

in my log. I now have several D*.smd A*.smd pairs in my \imail\spool directory. Can I simply rename A to Q and drop the pairs in the \imail\spool\proc directory?

Kind regards,
Bonno Bloksma
head of systems administration
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl
Re: [Declude.JunkMail] INVURIBL WEIGHT?
Hi,

I score it at 25% of my hold weight. A mail may contain a "bad link" for whatever reason. I might increase this in the near future but never more than 50%. I would never hold on any one test, that's the power of Declude. Having said that, I do hold on certain Sniffer results alone, like porn.

Kind regards,
Bonno Bloksma
head of systems administration
tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl

- Original Message -
From: Dave Beckstrom
To: declude.junkmail@declude.com
Sent: Tuesday, April 22, 2008 3:55 PM
Subject: [Declude.JunkMail] INVURIBL WEIGHT?

Hi everyone,

I would appreciate hearing some opinions. How heavy are you weighing INVURIBL? Would half of the hold weight be too much weight? Would you hold on INVURIBL alone?

Thanks,
Dave
[Declude.JunkMail] getting corresponding subjects
Hi,

Probably someone over here has needed to do this before. I have had to look at OLD logfiles where someone claimed to have sent us a mail and is now suing us for not reacting to that mail. Now we all know mail is not guaranteed to be delivered but... she also states that we have replied to that mail.

I want to create a list of all mail from and to her. I have a list of all SMTP and SMTPD loglines for mail to and from that mail address but I want the corresponding subjects as well. Those are in my Declude log.

What I need is a script that can analyse a file full of loglines like this line (but also contains other loglines):

log0520.txt:20060520 235124 127.0.0.1 SMTP (8f560d10de78) rdeliver hotmail.com [EMAIL PROTECTED] (1) <[EMAIL PROTECTED]> 6207

And get the subject line from Declude for that session:

dec0520.log:05/20/2006 23:51:21 Q8F560D10DE78 Subject: Tio aanmelding

I have several standard Unix tools on my Windows XP machine and could install .Net as well if that's needed.

What I would like is:

1) For me to create a file with all lines where her e-mail addresses are in; she has used at least two different addresses. This is the simple step, just a simple grep command.
2) Maybe I now need to generate a list of session IDs for each mail, maybe including the date.
3a) Get complete mail sessions from the logMMDD.txt files for those sessions and the complete mail sessions from the decMMDD.log files.
3b) For a simpler overview in court I want a second file with just the rdeliver/ldeliver lines and the Subject line.

Who can help?

Kind regards,
Bonno Bloksma
head of systems administration
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl
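One way to do the correlation asked for in the message above, as an added example that is not part of the thread: it joins IMail rdeliver/ldeliver lines to Declude Subject lines on the session ID. It assumes the two line layouts quoted in the message; the addresses, the ldeliver line layout and all sample lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# IMail line as quoted in the post, with an optional "file:" prefix left by grep:
#   log0520.txt:20060520 235124 127.0.0.1 SMTP (8f560d10de78) rdeliver ...
IMAIL_RE = re.compile(
    r"^(?:[^:\s]+:)?(?P<date>\d{8}) (?P<time>\d{6}) \S+ SMTPD? ?"
    r"\((?P<sid>[0-9A-Fa-f]+)\) (?P<rest>.*)$")

# Declude line as quoted in the post; the spool name is "Q" + session ID:
#   dec0520.log:05/20/2006 23:51:21 Q8F560D10DE78 Subject: Tio aanmelding
DECLUDE_RE = re.compile(
    r"^(?:[^:\s]+:)?(?P<date>\d{2}/\d{2}/\d{4}) \d{2}:\d{2}:\d{2} "
    r"Q(?P<sid>[0-9A-Fa-f]+) (?P<rest>.*)$")


def subjects_by_session(declude_lines):
    """Map (YYYYMMDD, SESSION-ID) to the first Subject logged for it."""
    subjects = {}
    for line in declude_lines:
        m = DECLUDE_RE.match(line.strip())
        if not m or not m["rest"].startswith("Subject:"):
            continue
        day = datetime.strptime(m["date"], "%m/%d/%Y").strftime("%Y%m%d")
        subject = m["rest"][len("Subject:"):].strip()
        # IMail logs the ID in lower case, Declude in upper case: normalise.
        subjects.setdefault((day, m["sid"].upper()), subject)
    return subjects


def correlate(addresses, imail_lines, declude_lines):
    """Return one record per delivery session that mentions any address."""
    wanted = [a.lower() for a in addresses]
    subjects = subjects_by_session(declude_lines)
    sessions = {}
    for line in imail_lines:
        m = IMAIL_RE.match(line.strip())
        if not m:
            continue                      # other log lines are skipped
        rest = m["rest"]
        if rest.split(" ", 1)[0] not in ("rdeliver", "ldeliver"):
            continue
        if not any(a in rest.lower() for a in wanted):
            continue
        key = (m["date"], m["sid"].upper())
        sessions.setdefault(key, []).append(line.strip())

    report = []
    for (day, sid), deliveries in sorted(sessions.items()):
        # A message scanned just before midnight can be delivered the next
        # day, so fall back to the previous day's Declude log entry.
        prev = (datetime.strptime(day, "%Y%m%d")
                - timedelta(days=1)).strftime("%Y%m%d")
        subject = subjects.get((day, sid), subjects.get((prev, sid)))
        report.append({"date": day, "session": sid,
                       "subject": subject, "deliveries": deliveries})
    return report


# Constructed sample lines in the layout quoted in the post.
SAMPLE_IMAIL = """\
log0520.txt:20060520 235124 127.0.0.1 SMTP (8f560d10de78) rdeliver example.com student@example.com (1) <info@example.org> 6207
log0520.txt:20060520 235130 127.0.0.1 SMTP (8f560d10de79) rdeliver example.net other@example.net (1) <info@example.org> 1200
log0521.txt:20060521 000003 127.0.0.1 SMTP (8f570d10de01) ldeliver example.org info@example.org (1) <student@example.com> 3100
""".splitlines()

SAMPLE_DECLUDE = """\
dec0520.log:05/20/2006 23:51:21 Q8F560D10DE78 Subject: Tio aanmelding
dec0520.log:05/20/2006 23:51:27 Q8F560D10DE79 Subject: Unrelated
dec0520.log:05/20/2006 23:59:58 Q8F570D10DE01 Subject: RE: Tio aanmelding
""".splitlines()

if __name__ == "__main__":
    for rec in correlate(["student@example.com"], SAMPLE_IMAIL, SAMPLE_DECLUDE):
        print(rec["date"], rec["session"], "Subject:", rec["subject"])
        for delivery in rec["deliveries"]:
            print("   ", delivery)
```

Since the output is meant as evidence, run it against copies of the log files and keep the originals untouched.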
Re: [Declude.JunkMail] counting mail
Hi Darrell,

I know about DLAnalyzer but that does too much for me. :-) I just want a few simple numbers.

I've also tried it with
---
grep "Cumulative action(s) on this email" %1 > CumAction.txt
grep -c "LAST ACTION=DELETE" CumAction.Txt >> LastDel.Txt
grep -v -c "LAST ACTION=DELETE" CumAction.Txt >> LastNonDel.Txt
---
But that also produces different numbers. Of course in this case I understand why, as 1 mail can go to lots of users. We sometimes send mails to 1500+ recipients. That's why I was counting all the individual action lines.

Kind regards,
Bonno Bloksma
head of systems administration
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl

- Original Message -
From: Darrell ([EMAIL PROTECTED])
To: declude.junkmail@declude.com
Sent: Friday, February 08, 2008 4:17 PM
Subject: Re: [Declude.JunkMail] counting mail

Bonno,

With emails that have multiple recipients it's not uncommon to see last actions multiple times for the same message. This will skew your results. You're better off using a tool like DLAnalyzer to analyze your logs as it takes all of this into account. Plus it can be scheduled to run automatically and email you the results.

Darrell
--
Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

Bonno Bloksma wrote:
> Hi,
>
> I've got IMail reporting on so I get an e-mail every day telling me how
> many rdelivered and ldelivered.
> I also have my Declude logfiles with action lines for each recipient of
> a mail.
> A lot of mail is within our mailserver as students and staff communicate
> between each other.
>
> On a given day, let's take Feb 1st, I have:
> IMail LocalDeliver 8837 and RemoteDeliver 1240
> Counting from the Declude log using:
> CountAction.cmd decl0201.txt
> ---
> grep "Action(s) taken for" %1 > Action.txt
> grep -c "LAST ACTION=DELETE" Action.Txt >> LastDel.Txt
> grep -v -c "LAST ACTION=DELETE" Action.Txt >> LastNonDel.Txt
> exit
> ---
> I get 23758 for LastDel and 4123 for LastNonDel
>
> I cannot find any match in those numbers, nothing even close.
> I would have expected the LastNonDel to be the total of Local and/or
> Remote delivered.
> What am I missing?
>
> Kind regards,
> Bonno Bloksma
> head of systems administration
>
> tio hogeschool hospitality en toerisme
> begijnenhof 8-12 / 5611 el eindhoven
> t 040 296 28 28 / f 040 237 35 20
> [EMAIL PROTECTED] / www.tio.nl
[Declude.JunkMail] counting mail
Hi,

I've got IMail reporting on so I get an e-mail every day telling me how many rdelivered and ldelivered. I also have my Declude logfiles with action lines for each recipient of a mail. A lot of mail is within our mailserver as students and staff communicate between each other.

On a given day, let's take Feb 1st, I have:
IMail LocalDeliver 8837 and RemoteDeliver 1240

Counting from the Declude log using:
CountAction.cmd decl0201.txt
---
grep "Action(s) taken for" %1 > Action.txt
grep -c "LAST ACTION=DELETE" Action.Txt >> LastDel.Txt
grep -v -c "LAST ACTION=DELETE" Action.Txt >> LastNonDel.Txt
exit
---
I get 23758 for LastDel and 4123 for LastNonDel

I cannot find any match in those numbers, nothing even close. I would have expected the LastNonDel to be the total of Local and/or Remote delivered. What am I missing?

Kind regards,
Bonno Bloksma
head of systems administration
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl
Re: [Declude.JunkMail] AFTERJM
Hi,

Of course I knew it was AVAFTERJM. Seems I made a consistent typo. ;-) And then of course we would want AVAFTERJM NODELETE, we do not need to scan deleted mails anymore. :-)

Kind regards,
Bonno Bloksma
head of systems administration
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl

- Original Message -
From: David Barker
To: declude.junkmail@declude.com
Sent: Wednesday, February 06, 2008 3:39 PM
Subject: RE: [Declude.JunkMail] AFTERJM

The directive is AVAFTERJM

We can look at setting an option for DELETE only.

David B

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bonno Bloksma
Sent: Wednesday, February 06, 2008 9:28 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] AFTERJM

Hi,

For years we have had AFTERJM as a way to first delete all spam mail and then scan the remainder for viruses. Lots of us have not used it because a mail that was held or something like it would not be scanned. If after that it was put back in the queue it would never have been scanned.

A few years ago that wasn't a problem, today it is when 90+% of the mail is spam and less than 1% is virus. Virus scanning uses the most CPU as far as I can see.

With the way Declude works now, with a Decludeproc service keeping track of everything, can we not simply have Declude scan all mail for viruses etc. unless it is deleted first by junkmail? So whatever action junkmail takes, excluding deleting, the mail will be scanned for viruses. That way we don't have to worry anymore when resubmitting FP spam to the queue.

Together with the new Sniffer engine I'd love to use AFTERJM.

Reason for this mail: I just had my mailserver brought to its knees scanning a spamburst for nonexistent viruses. I know there are lots of other ways to catch spam before it hits the IMail server but that's not needed (yet) if I can use AFTERJM.

Kind regards,
Bonno Bloksma
head of systems administration
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl
[Declude.JunkMail] AFTERJM
Hi,

For years we have had AFTERJM as a way to first delete all spam mail and then scan the remainder for viruses. Lots of us have not used it because a mail that was held or something like it would not be scanned. If after that it was put back in the queue it would never have been scanned.

A few years ago that wasn't a problem, today it is when 90+% of the mail is spam and less than 1% is virus. Virus scanning uses the most CPU as far as I can see.

With the way Declude works now, with a Decludeproc service keeping track of everything, can we not simply have Declude scan all mail for viruses etc. unless it is deleted first by junkmail? So whatever action junkmail takes, excluding deleting, the mail will be scanned for viruses. That way we don't have to worry anymore when resubmitting FP spam to the queue.

Together with the new Sniffer engine I'd love to use AFTERJM.

Reason for this mail: I just had my mailserver brought to its knees scanning a spamburst for nonexistent viruses. I know there are lots of other ways to catch spam before it hits the IMail server but that's not needed (yet) if I can use AFTERJM.

Kind regards,
Bonno Bloksma
head of systems administration
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl
[Declude.JunkMail] link to documentation
Hi,

Whenever I got a normal mail with a bug in it like:

> Declude Virus v4.3.46 caught the [Outlook 'MIME segment in MIME Preamble'
> Vulnerability] virus in [No attachment]
> from [EMAIL PROTECTED] to: [EMAIL PROTECTED]

I wanted to send them a warning about it. Of course just the warning would not be enough, I needed to tell them WHAT the error was. I used to be able to simply send a link to the proper part of the manual on the Declude site but... where did it go? Where is the explanation about what each Vulnerability is?

The junkmail manual does not seem to have them, in fact searching for the word vulnerability in that entire manual shows zero hits. Looking for preamble in the knowledgebase does not show one relevant topic.

Where did all that information go? And if it is still there... if I cannot find it, how is someone less determined going to find it? I did spend a fair amount of time going over the site. :-(

p.s. On the page http://www.declude.com/articles.asp?ID=100 I tried to click on BADHEADER Lookup pointing to http://shopping.declude.com/tools/header.php. But that resulted in a 404 error.

Kind regards,
Bonno Bloksma
head of systems administration
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl
[Declude.JunkMail] badheaders
Hi,

IKEA sends a big mailrun, headers for one of the mails are below. If I check the BADHEADERS code 802d at tools.declude.com I get:

SMTP Dialog
MX record Lookup failed (error #0 ().
Trying A record for ...A record Lookup failed (error #0 ().
You need an MX record for in order to send mail to it. Sorry!

but that seems not correct somehow. Who "...needs an MX record for ..."WHAT"... in order to send mail to it? Does 217.150.51.120 need to have an MX record? Is THAT the BAD in the HEADER? Seems to me something with the badheader code 802d isn't right.

---
Received: from mr120.yzmail.nl [217.170.51.120] by student.tio.nl with ESMTP (SMTPD-9.21) id A10B0A28; Thu, 06 Dec 2007 11:38:03 +0100
Message-Id: <[EMAIL PROTECTED]>
Received: from unknown (HELO localhost.localdomain) ([172.16.0.213]) by mr120.yzmail.nl with ESMTP; 06 Dec 2007 09:41:58 +0100
Content-Type: multipart/alternative; boundary="--=_1196930458-27165-74380"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: "IKEA FAMILY" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: [SPAM: 26]Comfortabel slapen - IKEA FAMILY MAIL december 2007
Return-Path: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
X-Mailer: Yourzine.nl
X-IMAIL-SPAM-VALFROM: (d10a064b3ec9)
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [802d].
X-RBL-Warning: FROMNOMATCH: Env sender ([EMAIL PROTECTED]) From: ([EMAIL PROTECTED]) mismatch.
X-RBL-Warning: SUBCHARS-50: Subject with at least 50 characters found.
X-Declude-Sender: [EMAIL PROTECTED] [217.170.51.120]
X-Declude-Spoolname: Dd10a064b3ec9.smd
X-Declude-RefID: str=0001.0A0B0204.4757C53F.0119,ss=3,sh,fgs=0
X-Declude-Note: Scanned by Declude 4.3.46 for spam. "http://www.declude.com/x-note.htm";
X-Declude-Scan: Incoming Score [26] at 11:38:27 on 06 Dec 2007
X-Declude-Fail: BADHEADERS [8], FROMNOMATCH [3], SUBCHARS-50 [1], SPAMSUBJECT [12], SPAMHOLD [20], ZEROHOUR [14]
X-Country-Chain: NETHERLANDS->destination
X-fpReview-Weight: 26
-------

Kind regards,
Bonno Bloksma
head of systems administration
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl
[Declude.JunkMail] filters
Hi,

Every example I see at the Declude site for lines in a filter file seems to indicate that I HAVE to have a weight listed or some other action. What if I want to create a filter file that identifies the specific mails and then assign a weight in the global file?

For instance, we now get some spam with a specific subject, a specific line of text in each mail and a link to geocities. I want mail that has all characteristics to get a certain weight.

Global.cfg
FILTER-VRIEND filter C:\IMail\Declude\Filters\Vriend.txt x 0 0

Vriend.txt
SUBJECT 10 IS zoek een vaste vriend
BODY 2 CONTAINS http://geocities.com/
BODY 5 CONTAINS http://geocities.com/KatieDavenport89
BODY 5 CONTAINS http://geocities.com/ElbertMacias
BODY 5 CONTAINS http://geocities.com/ZachariahBuck33
BODY 5 CONTAINS http://geocities.com/JanHammond97
BODY 5 CONTAINS http://geocities.com/GenaroRogers
BODY 5 CONTAINS Ik zoek een vriend / seks-partner

But this is not quite what I want. I want to assign 15 points if the subject is correct, if the specific line of text is there and if there is a geocities link. And then I could add some weight if a specific geocities link is present.

So... how do I do that?

Kind regards,
Bonno Bloksma
head of systems administration
tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl
Re: [Declude.JunkMail] ZEN test
Hi,

> Due to your HOP setting you are checking multiple hops.

Ok, that was the intent.

> Since you use a multihop setting you should score the hops differently
> or run into problems like you identified.

That's one way of handling it.

> I would suggest reducing it to 1. This will score the last two hops.

And that's what I don't get. As far as I know I'm at hop 0, the machine sending it to me is hop 1. The machine sending it to that machine is hop 2. That's as far as I want to check, but in the case below it seemed as if it was checking hop 3. The

> Received: from hulsbeek.nl (adsl-dc-34529.adsl.wanadoo.nl
> [83.116.227.41])by mwinf6301.orange.nl (SMTP Server) with ESMTP id

line was the third Received line and it was caught by the ZEN test

> X-RBL-Warning: ZEN: "http://www.spamhaus.org/query/bl?ip=83.116.227.41";

So, am I mistaken in the meaning of the Hop count, or is something else going on?

Kind regards,
Bonno Bloksma
head of systems administration
tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl

- Original Message -
From: Darrell ([EMAIL PROTECTED])
To: declude.junkmail@declude.com
Sent: Wednesday, August 01, 2007 4:48 PM
Subject: Re: [Declude.JunkMail] ZEN test

Bonno,

Due to your HOP setting you are checking multiple hops. Since you use a multihop setting you should score the hops differently or run into problems like you identified. I would suggest reducing it to 1. This will score the last two hops. Then you can modify your tests like the following. The first one only checks the last IP received. The second one checks all of them.

One thing to keep in mind: if the LAST test hits, so will the ALL test. So for example if you want the last hop (who connected to you) to have a weight of 3 for the SORBS-SPAM test then you will want to make sure that the sum of the two tests equals that weight.

SORBS-SPAM(LAST) dnsbl %IP4R%.dnsbl.sorbs.net 127.0.0.6 2 0
SORBS-SPAM(ALL) ip4r dnsbl.sorbs.net 127.0.0.6 1 0

So in the case above if the second hop was listed we would only assign a score of "1" from the SORBS-SPAM(ALL) test. If the last hop was listed then we would have a score of "3" since both the (LAST) and (ALL) test would hit.

Let me know if this is not clear,
Darrell
--
Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

Bonno Bloksma wrote:
> Hi,
>
> Maybe using the ZEN test isn't such a good idea. It is catching a DSL
> line that is several hops down.
>
> In Global.cfg I have Hophigh 2, should I maybe reduce that to 1? Is that
> the cause? If so
> As far as I know my server is Hop 0, the smtp-4 should then be Hop 1,
> the me-wanadoo.net should then be Hop 2.
> So the hulsbeek.nl (adsl-dc-34529 line) should be Hop 3 and not be
> checked.
>
> Why was that ip number checked?
>
> --
> Received: from smtp-4.orange.nl [193.252.22.249] by student.tio.nl with
> ESMTP (SMTPD-9.21) id A33707C8;
> Mon, 30 Jul 2007 09:28:55 +0200
> Received: from me-wanadoo.net (localhost [127.0.0.1])by
> mwinf6301.orange.nl (SMTP Server) with ESMTP id E8495784for
> <[EMAIL PROTECTED]>;
> Mon, 30 Jul 2007 09:28:54 +0200 (CEST)
> Received: from hulsbeek.nl (adsl-dc-34529.adsl.wanadoo.nl
> [83.116.227.41])by mwinf6301.orange.nl (SMTP Server) with ESMTP id
> AF5A9782for <[EMAIL PROTECTED]>;
> Mon, 30 Jul 2007 09:28:54 +0200 (CEST)
> X-ME-UUID: [EMAIL PROTECTED]
> Subject: [SPAM: 22]RE: 5 augustus
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> boundary="_=_NextPart_001_01C7D27B.467F4FA9"
> Date: Mon, 30 Jul 2007 09:28:50 +0200
> Content-class: urn:content-classes:message
> X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
> Message-ID: <[EMAIL PROTECTED]>
> X-MS-Has-Attach:
> X-MS-TNEF-Correlator:
> Thread-Topic: 5 augustus
> thread-index: AcfSClRkqB1y6CB4TkymtwIq3Exp3QAZtfQA
> From: "Erve Hulsbeek" <[EMAIL PROTECTED]>
> Sender: "Piet Heuvelmans" <[EMAIL PROTECTED]>
> To: "Nienke Koster" <[EMAIL PROTECTED]>
> X-RBL-Warning: F
[Declude.JunkMail] ZEN test
Hi,

Maybe using the ZEN test isn't such a good idea. It is catching a DSL line that is several hops down.

In Global.cfg I have Hophigh 2, should I maybe reduce that to 1? Is that the cause? If so

As far as I know my server is Hop 0, the smtp-4 should then be Hop 1, the me-wanadoo.net should then be Hop 2. So the hulsbeek.nl (adsl-dc-34529 line) should be Hop 3 and not be checked.

Why was that ip number checked?

--
Received: from smtp-4.orange.nl [193.252.22.249] by student.tio.nl with ESMTP (SMTPD-9.21) id A33707C8; Mon, 30 Jul 2007 09:28:55 +0200
Received: from me-wanadoo.net (localhost [127.0.0.1])by mwinf6301.orange.nl (SMTP Server) with ESMTP id E8495784for <[EMAIL PROTECTED]>; Mon, 30 Jul 2007 09:28:54 +0200 (CEST)
Received: from hulsbeek.nl (adsl-dc-34529.adsl.wanadoo.nl [83.116.227.41])by mwinf6301.orange.nl (SMTP Server) with ESMTP id AF5A9782for <[EMAIL PROTECTED]>; Mon, 30 Jul 2007 09:28:54 +0200 (CEST)
X-ME-UUID: [EMAIL PROTECTED]
Subject: [SPAM: 22]RE: 5 augustus
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="_=_NextPart_001_01C7D27B.467F4FA9"
Date: Mon, 30 Jul 2007 09:28:50 +0200
Content-class: urn:content-classes:message
X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
Message-ID: <[EMAIL PROTECTED]>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: 5 augustus
thread-index: AcfSClRkqB1y6CB4TkymtwIq3Exp3QAZtfQA
From: "Erve Hulsbeek" <[EMAIL PROTECTED]>
Sender: "Piet Heuvelmans" <[EMAIL PROTECTED]>
To: "Nienke Koster" <[EMAIL PROTECTED]>
X-RBL-Warning: FIVETEN-SRC: 41.227.116.83.blackholes.five-ten-sg.com.
X-RBL-Warning: MXRATE-BLOCK: "http://www.mxrate.com/lookup/refused.asp?ipaddress=193.252.22.249";
X-RBL-Warning: ZEN: "http://www.spamhaus.org/query/bl?ip=83.116.227.41";
X-RBL-Warning: SPAMCANNIBAL: "blocked, See: http://www.spamcannibal.org/cannibal.cgi?page=lookup&lookup=193.252.22.249";
X-RBL-Warning: FROMNOMATCH: Env sender ([EMAIL PROTECTED]) From: ([EMAIL PROTECTED]) mismatch.
X-Declude-Sender: [EMAIL PROTECTED] [193.252.22.249]
X-Declude-Spoolname: D933701b3b7de.smd
X-Declude-RefID: str=0001.0A0B0204.46AD933D.0104,ss=1,fgs=0
X-Declude-Note: Scanned by Declude 4.3.46 for spam. "http://www.declude.com/x-note.htm";
X-Declude-Scan: Incoming Score [22] at 09:29:18 on 30 Jul 2007
X-Declude-Fail: FIVETEN-SRC [3], MXRATE-BLOCK [7], ZEN [7], SPAMCANNIBAL [2], FROMNOMATCH [3], SPAMSUBJECT [12], SPAMHOLD [20], ZEROHOUR [0]
X-Country-Chain: NETHERLANDS->FRANCE->destination
X-fpReview-Weight: 22
--

Kind regards,
Bonno Bloksma
head of systems administration
tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl
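The hop numbering and the LAST/ALL weighting discussed in the two messages above, as an added example that is not part of the thread and is not Declude's code. It assumes hops are counted from 0 at the newest Received line, which is what Darrell's "1 will score the last two hops" implies, and it takes the listed IPs as an input set instead of doing DNS lookups; whether Declude skips a 127.0.0.1 hop is not stated in the thread and is not modelled.

```python
import ipaddress
import re

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# The three Received lines from the post, shortened to the relay part.
RECEIVED = [
    "from smtp-4.orange.nl [193.252.22.249] by student.tio.nl with ESMTP",
    "from me-wanadoo.net (localhost [127.0.0.1])by mwinf6301.orange.nl",
    "from hulsbeek.nl (adsl-dc-34529.adsl.wanadoo.nl [83.116.227.41])by "
    "mwinf6301.orange.nl",
]


def hop_ips(received_headers):
    """Relay IP of each Received header, newest first (index = hop number)."""
    ips = []
    for header in received_headers:
        found = None
        for candidate in BRACKETED_IP.findall(header):
            try:
                ipaddress.IPv4Address(candidate)   # reject e.g. 999.1.1.1
            except ValueError:
                continue
            found = candidate
            break
        ips.append(found)
    return ips


def ip4r_name(ip, zone):
    """DNSBL query name: octets reversed, then the zone (the %IP4R% form)."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def hops_in_scope(ips, hophigh):
    """Hops an all-hops test would look at: hop 0 up to and including hophigh."""
    return [(n, ip) for n, ip in enumerate(ips) if n <= hophigh and ip]


def sorbs_style_score(ips, hophigh, listed, last_weight=2, all_weight=1):
    """Score for the (LAST) + (ALL) pair from Darrell's reply.

    (LAST) looks only at hop 0; (ALL) fires once if any in-scope hop is
    listed, so a listed last hop collects both weights.
    """
    total = 0
    if ips and ips[0] in listed:
        total += last_weight
    if any(ip in listed for _, ip in hops_in_scope(ips, hophigh)):
        total += all_weight
    return total


if __name__ == "__main__":
    ips = hop_ips(RECEIVED)
    for hophigh in (1, 2):
        print("HOPHIGH", hophigh, "checks", hops_in_scope(ips, hophigh))
    print(ip4r_name("83.116.227.41", "blackholes.five-ten-sg.com"))
    # Constructed listing sets, standing in for real DNSBL answers.
    print(sorbs_style_score(ips, 2, {"83.116.227.41"}))    # ALL only
    print(sorbs_style_score(ips, 2, {"193.252.22.249"}))   # LAST + ALL
```

Under this numbering the DSL address on the third Received line is hop 2, so it is in scope with HOPHIGH 2 and out of scope with HOPHIGH 1.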
[Declude.JunkMail] logsize
Hi,

Lately more spam is reaching our mailserver, and more is getting deleted. :-) However, my DecMMDD logfile is growing to 30+ MB each day. So far I have not seen any impact but would it be a good idea to start splitting the logfile or can Declude easily handle this? I'd rather not split but if needed

Kind regards,
Bonno Bloksma
head of systems administration
tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl
[Declude.JunkMail] cloudmark
Hi,

Anybody had a look at Cloudmark? http://cloudmark.com/

Seems they have a software solution that will integrate with several different MTAs. Maybe it could be connected to Declude? Anyone at Declude had a look into this yet? Is it something like Commtouch Zerohour?

Kind regards,
Bonno Bloksma
head of systems administration
tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl
Re: [Declude.JunkMail] all_list.dat
Hi,

I understand the dynamic nature of the network assignments. That was why I wrote part 2 of my message. I'd like to have a way to see how many errors I get about corrupt data. If it's just a few per week, no problem. If it gets to be several a day maybe it's time for a new all_list.dat. Right now I don't seem to have a way to detect that. :-(

Kind regards,
Bonno Bloksma
head of systems administration
tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl

- Original Message -
From: Gary Steiner
To: declude.junkmail@declude.com
Sent: Friday, June 29, 2007 7:37 PM
Subject: re: [Declude.JunkMail] all_list.dat

The "corrupt RIPE data" should be referring to 145.53.30.139. Though if you go to www.ripe.net and do a search, 145.53.0.0/16 is listed as belonging to Planet Technologies with an email address of [EMAIL PROTECTED] and being in The Netherlands. Which is essentially the same as the listing for 213.75.0.0/16.

Unfortunately the entries in the RIPE database don't have dates associated with them, so you can't tell if those listings were the same back in May when the all_list.dat was created. The listings change all the time, so essentially the all_list.dat file is outdated as soon as it comes out. And it also doesn't help that RIPE, ARIN, APNIC, LACNIC, etc. are all separate independent entities with separate databases, so when things change Declude has to look in many places to update the all_list.dat.

Gary

---- Original Message
> From: "Bonno Bloksma" <[EMAIL PROTECTED]>
> Sent: Friday, June 29, 2007 4:15 AM
> To: Declude.JunkMail@declude.com
> Subject: [Declude.JunkMail] all_list.dat
>
> Hi,
>
> I'm using the all-list.dat from May 2007. Occasionally I was checking the declude junkmail logs to see if any new problems with unknown networks would arise.
> But today I found out that information is not in the Declude log at level high. In the headers of a mail I found:
> X-Country-Chain: 'EU' [corrupt RIPE data]->NETHERLANDS->destination
>
> The Received lines are:
> Received: from hpsmtp-eml16.kpnxchange.com [213.75.38.116] by student.tio.nl with ESMTP (SMTPD-9.21) id A48204B4;
> Fri, 29 Jun 2007 08:19:46 +0200
> Received: from hpsmtp-eml05.kpnxchange.com ([213.75.38.105]) by hpsmtp-eml16.kpnxchange.com with Microsoft SMTPSVC(6.0.3790.1830);
> Fri, 29 Jun 2007 08:19:46 +0200
> Received: from colligno601a0c ([145.53.30.139]) by hpsmtp-eml05.kpnxchange.com with Microsoft SMTPSVC(6.0.3790.3959);
> Fri, 29 Jun 2007 08:19:45 +0200
>
> In the loglines for this message there is no mention of "corrupt RIPE data" which is what I was looking for all the time. So:
>
> 1) Can we have a new all_list.dat with updated info please. KPN is a large telco which has 4 ISPs covering the Netherlands.
>
> 2) In what way can I detect when the all_list.dat file is getting outdated, when information about networks is missing/corrupt?
>
> Kind regards,
> Bonno Bloksma
> head of systems administration
>
> tio hogeschool hotelmanagement en toerisme
> begijnenhof 8-12 / 5611 el eindhoven
> t 040 296 28 28 / f 040 237 35 20
> [EMAIL PROTECTED] / www.tio.nl
[Declude.JunkMail] all_list.dat
Hi,

I'm using the all-list.dat from May 2007. Occasionally I was checking the declude junkmail logs to see if any new problems with unknown networks would arise. But today I found out that information is not in the Declude log at level high. In the headers of a mail I found:

X-Country-Chain: 'EU' [corrupt RIPE data]->NETHERLANDS->destination

The Received lines are:

Received: from hpsmtp-eml16.kpnxchange.com [213.75.38.116] by student.tio.nl with ESMTP (SMTPD-9.21) id A48204B4; Fri, 29 Jun 2007 08:19:46 +0200
Received: from hpsmtp-eml05.kpnxchange.com ([213.75.38.105]) by hpsmtp-eml16.kpnxchange.com with Microsoft SMTPSVC(6.0.3790.1830); Fri, 29 Jun 2007 08:19:46 +0200
Received: from colligno601a0c ([145.53.30.139]) by hpsmtp-eml05.kpnxchange.com with Microsoft SMTPSVC(6.0.3790.3959); Fri, 29 Jun 2007 08:19:45 +0200

In the loglines for this message there is no mention of "corrupt RIPE data" which is what I was looking for all the time. So:

1) Can we have a new all_list.dat with updated info please. KPN is a large telco which has 4 ISPs covering the Netherlands.

2) In what way can I detect when the all_list.dat file is getting outdated, when information about networks is missing/corrupt?

Kind regards,
Bonno Bloksma
head of systems administration
tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl
[Declude.JunkMail] fiveten-src list
Hi,

I'm using the Fiveten-src test

FIVETEN-SRC ip4r blackholes.five-ten-sg.com 127.0.0.2 7 0

But at the dnsstuff site it says don't use the fivetensrc test. What's right? I've got the FIVETEN-SRC test from the Declude default config file, listed at 7 points. I hold at 20.

Kind regards,
Bonno Bloksma
head of systems administration

tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] OT: server monitoring
Hi,

We use http://www.activexperts-nl.com/ and indeed most reports come by e-mail. But some that have to do with the connections, or the urgent ones, come via SMS. Also reports about the mailserver itself are sent via SMS, I assume one can guess why. ;-)
The monitoring server has its own GSM modem.

Kind regards,
Bonno Bloksma
head of systems administration

tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl

- Original Message -
From: John T (lists)
To: declude.junkmail@declude.com
Sent: Tuesday, May 22, 2007 4:23 PM
Subject: RE: [Declude.JunkMail] OT: server monitoring

That is also why in my monitoring server I have a modem connected to an analog phone line.

John T

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Doherty
Sent: Tuesday, May 22, 2007 5:29 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] OT: server monitoring

One thing to think about... If you set up your own in-house monitoring, you probably will not get an alert if your Internet feed fails or you have a massive power problem. Outsourcing the monitoring function would eliminate these problems.

-d

- Original Message -
From: Kevin Bilbee
To: declude.junkmail@declude.com
Sent: Monday, May 21, 2007 6:05 PM
Subject: [Declude.JunkMail] OT: server monitoring

I am doing research on purchasing/open source server monitoring and would like to know what Declude administrators recommend. Survey says?

Kevin Bilbee
Network Administrator
Standard Abrasives, Inc.
[EMAIL PROTECTED]
Changing the way industry works.

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] lot's of legit mailservsr in spamdatabases
Hi,

Just read the release notes and noticed that you deleted some tests as well. Why were those deleted? Ineffective or deprecated lists?

p.s. Just reduced the weight on UCEPROTECT 1 and 2 to the new level. I'll install the latest version this evening, I'm still running 4.3.23 but I have 2 other virus tests. ;-)

Kind regards,
Bonno Bloksma
head of systems administration

tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl

- Original Message -
From: David Barker
To: declude.junkmail@declude.com
Sent: Thursday, April 19, 2007 3:06 PM
Subject: RE: [Declude.JunkMail] lot's of legit mailservsr in spamdatabases

Also if you check our release notes http://www.declude.com/searchresults.asp?Cat=89 you will see that we had suggested lowering the weights on UCEPROTECT1 and UCEPROTECT2

David Barker
Your Email Security is our business
O: 978.499.2933 x7007
F: 978.988.1311
E: [EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Thursday, April 19, 2007 7:04 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] lot's of legit mailservsr in spamdatabases

Yeah, UCEPROTECT in particular seems to have added a lot of major ISPs recently. We started counterweighting ISPs by REVDNS, but we were spending too much time doing that, so we reduced the weight of the UCEPROTECT1 and UCEPROTECT2 tests.

Darin.

- Original Message -
From: Bonno Bloksma <mailto:[EMAIL PROTECTED]>
To: Declude.JunkMail@declude.com
Sent: Thursday, April 19, 2007 6:57 AM
Subject: [Declude.JunkMail] lot's of legit mailservsr in spamdatabases

Hi,

How do you guys deal with it, LOTS of legit mailservers are listed in what used to be reliable spamsender databases.

X-RBL-Warning: SPAMBAG: 109.176.216.212.blacklist.spambag.org.
X-RBL-Warning: SPAMCANNIBAL: "blocked, See: http://www.spamcannibal.org/cannibal.cgi?page=lookup&lookup=212.216.176.109";
X-RBL-Warning: UCEPROTECT-1: "Sorry 212.216.176.109 is Level 1 listed at UCEPROTECT-NETWORK. See http://www.uceprotect.net/rblcheck.php?ipr=212.216.176.109";
X-RBL-Warning: UCEPROTECT-2: "Sorry 212.216.176.109 is Level 2 listed at UCEPROTECT-NETWORK. See http://www.uceprotect.net/rblcheck.php?ipr=212.216.176.109";

But 212.216.176.109 is a normal mailserver vsmtp21.tin.it and is trying to deliver mail from a "customer" to us.

Have spammers won this race, can we no longer trust these databases? Is there an IP list with "all" legitimate mailservers for most ISPs that I can use to reduce points? For the hotmail mailservers it was easy to reduce the points, it's a lot harder to do for all the other "real" mailservers.

Kind regards,
Bonno Bloksma
head of systems administration

tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> / www.tio.nl <http://www.tio.nl>

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] lot's of legit mailservsr in spamdatabases
Hi,

How do you guys deal with it, LOTS of legit mailservers are listed in what used to be reliable spamsender databases.

X-RBL-Warning: SPAMBAG: 109.176.216.212.blacklist.spambag.org.
X-RBL-Warning: SPAMCANNIBAL: "blocked, See: http://www.spamcannibal.org/cannibal.cgi?page=lookup&lookup=212.216.176.109";
X-RBL-Warning: UCEPROTECT-1: "Sorry 212.216.176.109 is Level 1 listed at UCEPROTECT-NETWORK. See http://www.uceprotect.net/rblcheck.php?ipr=212.216.176.109";
X-RBL-Warning: UCEPROTECT-2: "Sorry 212.216.176.109 is Level 2 listed at UCEPROTECT-NETWORK. See http://www.uceprotect.net/rblcheck.php?ipr=212.216.176.109";

But 212.216.176.109 is a normal mailserver vsmtp21.tin.it and is trying to deliver mail from a "customer" to us.

Have spammers won this race, can we no longer trust these databases? Is there an IP list with "all" legitimate mailservers for most ISPs that I can use to reduce points? For the hotmail mailservers it was easy to reduce the points, it's a lot harder to do for all the other "real" mailservers.

Kind regards,
Bonno Bloksma
head of systems administration

tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] hotmail mailservers in several spamdatabases
Hi,

I had to put an extra ip file in place to reduce the points on the hotmail mailservers. Several hundred ip numbers for hotmail mailservers are listed in several spam databases.

I just added an ipfile with:

65.54.244.0/24 hotmail.com mailservers
65.54.245.0/24 hotmail.com mailservers
65.54.246.0/24 hotmail.com mailservers

Which will subtract 25% of my hold weight to make sure these get through.

How are you guys/gals dealing with this?

Kind regards,
Bonno Bloksma
head of systems administration

tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Turning outbound scanning off
Hi,

In virus.cfg you need

INCOMING ON
OUTGOING OFF

Kind regards,
Bonno Bloksma
head of systems administration

tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl

- Original Message -
From: Robert Grosshandler
To: declude.junkmail@declude.com
Sent: Thursday, December 07, 2006 1:55 AM
Subject: [Declude.JunkMail] Turning outbound scanning off

Hi

Declude is working wonderfully, too wonderfully. It is scanning e-mail we're sending out from our server, and we don't want it to do that, since it adds headers and "stuff" that have no purpose, and might actually cause filter issues on the receiving end. We don't need it to do outbound virus scanning, either.

That is, when I compose and send e-mail from my client (Outlook), send it out via our Imail server, and the Imail server sends it on its merry way to, say Hotmail, it ends up at Hotmail with Declude headers.

Obviously, we've missed something. We've got the following directive in our global.cfg:

OUTBOUNDSCANNINGSPAM OFF
INBOUNDSCANNINGSPAM ON

What else do we need, and where do we need it?

Thanks in advance.

Rob

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] clean up virus folder
Hi,

How about a simple commandline?

C:
cd \imail\spool\virus
del .
Y

should bring you a long way. If you want to break it down a bit do "Del a*.*", "Del b*.*", etc. to be able to let the server "get some air" in between.

For the future... Here is what I use each night:
DTLog is a small program I wrote which prepends each line with a date/time stamp. You need to modify those lines.
The batchfile below is based on what someone else submitted here a while ago.

--
rem @Echo Off
rem BB 10-May-2004
rem Do not delete e-mails with viruses automatically but keep them for X
rem days. We do this by using a number of directories and shifting them
rem along each time by renaming them. The oldest directory is thrown away.
SET LOGFILE=C:\Beheer\Logs\Virrot.log
SET DTLOG=C:\Beheer\DTLog.exe

%DTLOG% %LOGFILE% Rotating virus directories

C:
cd \IMail\Spool\Virus

rem BB 6-dec-2004
rem We now keep 7 days instead of 5 days.

rem Drop the oldest day, then shift every remaining day up by one.
If Exist VirusDay7 RD /S /Q VirusDay7
IF ErrorLevel 1 Goto ErrDel7
Set RotDay=6
If Exist VirusDay6 Ren VirusDay6 VirusDay7
IF ErrorLevel 1 Goto ErrRot
Set RotDay=5
If Exist VirusDay5 Ren VirusDay5 VirusDay6
IF ErrorLevel 1 Goto ErrRot
Set RotDay=4
If Exist VirusDay4 Ren VirusDay4 VirusDay5
IF ErrorLevel 1 Goto ErrRot
Set RotDay=3
If Exist VirusDay3 Ren VirusDay3 VirusDay4
IF ErrorLevel 1 Goto ErrRot
Set RotDay=2
If Exist VirusDay2 Ren VirusDay2 VirusDay3
IF ErrorLevel 1 Goto ErrRot
Set RotDay=1
If Exist VirusDay1 Ren VirusDay1 VirusDay2
IF ErrorLevel 1 Goto ErrRot
rem Move today's held files into a fresh VirusDay1.
MD VirusDay1
IF Exist *.SMD Move *.SMD VirusDay1
IF ErrorLevel 1 Goto ErrMov1s
IF Exist *.GSC Move *.GSC VirusDay1
IF ErrorLevel 1 Goto ErrMov1g
%DTLOG% %LOGFILE% Rotating VirusDay directories OK
rem Log the file count of the new VirusDay1.
Dir VirusDay1 > Temp1
Find "File(s)" < Temp1 >> %LOGFILE%
Del Temp1
Goto Einde

:ErrDel7
%DTLOG% %LOGFILE% Error deleting VirusDay7 directory and/or files
Goto einde

:ErrRot
%DTLOG% %LOGFILE% Error Renaming VirusDay%RotDay% directory
Goto einde

:ErrMov1s
%DTLOG% %LOGFILE% Error moving SMD files to VirusDay1 directory
Dir . /a >> %LogFile%
Goto Einde

:ErrMov1g
%DTLOG% %LOGFILE% Error moving GSC files to VirusDay1 directory
Dir . /a >> %LogFile%
Goto Einde

:Einde
SET LOGFILE=
SET DTLOG=
Exit
--

Kind regards,
Bonno Bloksma
head of systems administration

tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl

- Original Message -
From: netsolution webmaster
To: declude.junkmail@declude.com
Sent: Tuesday, November 14, 2006 10:24 AM
Subject: [Declude.JunkMail] clean up virus folder

I have more than 800'000 files in the spool/virus folder.
I can not delete these files through windows explorer, windows search or whatever because of the huge number of files.
Which tool/method can you recommend to delete all these files?
Thanks

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] One step forward, ten back
Hi,

As a matter of fact he doesn't have to use weightrange in this case. I use:

SPAMSUBJECT weight x x 12 0
SPAMHOLD weightrange x x 20 24
SPAMDELETE weight x x 25 0

SPAMSUBJECT SUBJECT [SPAM: %WEIGHT%]
SPAMHOLD HOLD
SPAMDELETE DELETE

As the delete action overrules the hold action the weightrange is not really necessary but it makes me feel good and is a bit cleaner.
I WANT the spamsubject action in case of held mail (anything over 12 points) as I want to have the ability to sort spam mail by points, this way I can do that by sorting it on the subject.

Kind regards,
Bonno Bloksma
head of systems administration

tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl

- Original Message -
From: Kevin Bilbee
To: declude.junkmail@declude.com
Sent: Friday, November 03, 2006 7:05 AM
Subject: RE: [Declude.JunkMail] One step forward, ten back

Yes they can coexist but be sure to use weightrange instead of weight.

SPAM-LOW weightrange x x 8 13
SPAM-MED weightrange x x 14 24
SPAM-HIGH weight x x 25 0

SPAM-LOW SUBJECT [%WEIGHT%]
SPAM-MED HOLD
SPAM-HIGH DELETE

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Doherty
> Sent: Thursday, November 02, 2006 9:20 PM
> To: declude.junkmail@declude.com
> Subject: Re: [Declude.JunkMail] One step forward, ten back
>
> > I wondered if it's possible to set another one higher to do the deleting, as I'm seeing a lot of stuff at 40 or more.
>
> Absolutely. Several action directives can coexist peacefully in your $default$.junkmail file, like this:
>
> WEIGHT10 SUBJECT [%WEIGHT%]
> WEIGHT20 MAILBOX SPAM
> WEIGHT30 DELETE
>
> Any message scoring at least 10 will have the weight added at the head of the subject in brackets, like:
>
> [12] Buy My Stuff!
>
> Any message with 20-29 points will be diverted to the spam folder, and anything scoring 30+ will be deleted.
>
> - Original Message -
> From: "Todd Richards" <[EMAIL PROTECTED]>
> To:
> Sent: Thursday, November 02, 2006 11:55 PM
> Subject: RE: [Declude.JunkMail] One step forward, ten back
>
> > Thanks Dave. Actually, I do, but with settings of weight20 <spam mailbox>. I was worried about too many false positives. I wondered if it's possible to set another one higher to do the deleting, as I'm seeing a lot of stuff at 40 or more.
> >
> > As an update, I found that I had a discrepancy in my weights. I corrected that, and my filtering is doing great now. I logged into my spam mailbox a little bit ago and the few hundred messages that are in there are definitely spam. So it's catching things now and keeping them from my mailbox - which was my main goal. However, now I'd like to clean things up just a little more...
> >
> > Todd
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Doherty
> > Sent: Thursday, November 02, 2006 9:34 PM
> > To: declude.junkmail@declude.com
> > Subject: Re: [Declude.JunkMail] One step forward, ten back
> >
> > It seems like you're detecting things OK, but not taking action on the results.
> >
> > Make sure you have directives like
> >
> > WEIGHT14 MAILBOX SPAM
> > WEIGHT20 DELETE
> >
> > in your default.junkmail file
> >
> > - Original Message -
> > From: "Todd Richards" <[EMAIL PROTECTED]>
> > To:
> > Sent: Thursday, November 02, 2006 7:38 PM
> > Subject: [Declude.JunkMail] One step forward, ten back
> >
> >> Hi Everyone -
> >>
> >> We are getting completely hammered by spam and I'm about at my wits end. A few weeks ago I added a 30-day trial of Message Sniffer and it doesn't seem to be doing any good. Today, I upgraded to the newest version of Declude. I "think" everything went ok. After reading through the documentation (again) I went through my global.cfg file and cleaned up some things that were questionable. For instance, we had several domains in the WHITELIST TO and WHITELIST FROM. From what I've read and heard through the lists, it's not a good idea to whitelist anything. In fact, earlier today I had some spam come through that was "from" a whitelisted domain so it just let it through. So I commented them out and planned to watch my spam account (instead of deleting I have caught messages sent to another account for review) to see the results.
> >>
> >> So... This happened about 5pm tonight. I went through a short spurt but in the last 90 minutes since then I alone have received over
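The weight/weightrange behaviour discussed in this thread, worked through as an added example (not from the original posts and not Declude's own code). It models only what the posters state: a weight test fires at or above its threshold, a weightrange test fires inside its bounds, SUBJECT puts the tag at the head of the subject, and DELETE overrules HOLD. ALT_CONFIG is a constructed variant used to check the claim that weightrange is not strictly needed for the hold test.

```python
# Test definitions and actions as posted in the thread (weightrange for the hold test).
CONFIG = """\
SPAMSUBJECT weight x x 12 0
SPAMHOLD weightrange x x 20 24
SPAMDELETE weight x x 25 0

SPAMSUBJECT SUBJECT [SPAM: %WEIGHT%]
SPAMHOLD HOLD
SPAMDELETE DELETE
"""

# Constructed variant: the hold test as a plain weight test with no upper bound.
ALT_CONFIG = CONFIG.replace("SPAMHOLD weightrange x x 20 24",
                            "SPAMHOLD weight x x 20 0")

# Final dispositions, weakest to strongest; DELETE overrules HOLD as stated in the thread.
RANK = {"DELIVER": 0, "HOLD": 1, "DELETE": 2}


def parse_config(text):
    """Split config text into test definitions and per-test actions."""
    tests, actions = {}, {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) == 6 and fields[1].lower() in ("weight", "weightrange"):
            # NAME TYPE x x LOW HIGH
            tests[fields[0]] = (fields[1].lower(), int(fields[4]), int(fields[5]))
        else:
            # NAME ACTION [argument...]
            actions[fields[0]] = (fields[1].upper(), " ".join(fields[2:]))
    return tests, actions


def fired_tests(tests, total):
    """Return the names of the tests that fire for a total message weight."""
    names = []
    for name, (kind, low, high) in tests.items():
        if kind == "weight" and total >= low:
            names.append(name)
        elif kind == "weightrange" and low <= total <= high:
            names.append(name)
    return names


def dispose(config_text, total, subject):
    """Return (disposition, subject) for a message with the given total weight."""
    tests, actions = parse_config(config_text)
    verdict = "DELIVER"
    for name in fired_tests(tests, total):
        action, argument = actions.get(name, ("IGNORE", ""))
        if action == "SUBJECT":
            subject = argument.replace("%WEIGHT%", str(total)) + " " + subject
        elif action in RANK and RANK[action] > RANK[verdict]:
            verdict = action
    return verdict, subject


def configs_equivalent(first, second, max_weight=60):
    """True when both configs give the same outcome for every weight up to max_weight."""
    return all(dispose(first, w, "s") == dispose(second, w, "s")
               for w in range(max_weight + 1))


if __name__ == "__main__":
    for weight in (11, 15, 22, 30):
        print(weight, dispose(CONFIG, weight, "Buy My Stuff!"))
    print("same outcome without weightrange:", configs_equivalent(CONFIG, ALT_CONFIG))
```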
Re: [Declude.JunkMail] Declude 4.3
Hi Gary,

What I find particularly amusing is the line "Restrictions apply to service providers." If there is anyone subscribed to this mailing list who is not a service provider, please raise your hand.

Hand !!! We are a school.

Kind regards,
Bonno Bloksma
head of systems administration

tio hogeschool hotelmanagement en toerisme
julianalaan 9 / 7553 ab hengelo netherlands
t +31 74 255 06 10 / f +31 74 255 06 16
[EMAIL PROTECTED] / www.tio.nl

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] OT user profile settings
Hi,

> Serge, basic question here: What is the purpose for moving it in the first
> place?
> several reasons
> first, i am almost out of space on c:,
> but i also find easier to maintain, and i do not like having my files on the
> system partition, in case i need to reformat or something

It is virtually impossible to move the whole C:\D&S\... tree to D:\D&S. I've tried and given up. :-(
This to me seems a major bug in the D&S mechanism but alas, so far no solution.

However, the majority of the problem can be solved by transferring just a few things, the my documents folder and the Outlook Express mail, to the data drive.

What I do:
Select the properties for "my documents" for the selected user. Change C: into D: and let it transfer the files. That creates a branch for the current user on D:
Then go to the D:\D&S\\ folder and create an "Outlook Express" folder. Start Outlook Express, go to extra*, options*, maintenance*, and change the archive folder* to the new location (D:\D&S\\OE). Stop and start OE to transfer all data.

By now you have moved all the "important" stuff to the D: drive. If needed you can do the same for the Outlook *.PST files, relocate them to D:\D&S\\Outlook.

* These are translated from a Dutch version so I hope I have the right names.

Regards,
Bonno Bloksma

---
[E-mail scanned at tio.nl for viruses by Declude Virus]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] OT: Imail queue viewing
Hi John,

To jump in on a tangent... I'm making the jump from Imail 6 on NT4 clear up to Imail 2006.03 on 2kServer.

If you are starting with a new server might I suggest Win2k3 instead of Win2k. As we all know Win2k support will end soon. For a server connected to the internet one would want a server where there will be patches etc for a while.

For me that means I will be replacing the Win2K server with Imail 8.22 in a few months. I'm starting testing with the new setup in a few weeks. I'll load the latest Imail and the latest Declude on the latest Windows platform.

Regards,
Bonno Bloksma

---
[E-mail scanned at tio.nl for viruses by Declude Virus]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Funny RDNS
Hi,

I got a laugh when I saw this RDNS. ip-66-234-163-182.static.dialup.wireweb.net A dedicated IP on a dial up. Are we going backwards?

I still have a few dial-up accounts with a static ip number. I only allow VPN connections from ip-numbers I know so that's a bonus. It's a left over from early days but has its advantages.

Regards,
Bonno Bloksma

---
[E-mail scanned at tio.nl for viruses by Declude Virus]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] large mail to large number op recips
Hi,

Indeed that is what I want, to catch the exceptions.
So WHO has the tool Darin is talking about? Anyone? How can I determine whether recipients * mailsize > threshold
I could indeed simply create a test for it and have those mails put aside.

Kind regards,
Bonno Bloksma
head of systems administration

tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl

- Original Message -
From: Darin Cox
To: Declude.JunkMail@declude.com
Sent: Tuesday, February 14, 2006 4:07 PM
Subject: Re: [Declude.JunkMail] large mail to large number op recips

Certainly not for all mail, just for these circumstances... but I understand you want to avoid situations where this is done accidentally.

I think a couple of people had a size test, and you could key off of the number of recipients in combination with this to perform a custom action like routing or deleting... or route it to a program alias that sends you an alert notification.

Darin.

- Original Message -
From: Bonno Bloksma
To: Declude.JunkMail@declude.com
Sent: Tuesday, February 14, 2006 9:46 AM
Subject: Re: [Declude.JunkMail] large mail to large number op recips

Hi,

Nope, we don't want to go that way for ALL mail. We've got several options to upload files for several purposes within our school. Our website has lots of options for that but.. sometimes we want to send something as an attachment.

In this case it was a newsletter for our staff which was supposed to be about 200-300 KB, we want those newsletters sent as attachment, not as a link. For some reason the newsletter ended up to be a Word document 5MB large and was sent without realising it. After that it was sent once more. This time as a PDF file... which happened to be 33MB large and was created using the Word document as a base. :-(
Both mails went to 250+ recipients. The first mail did not kill the mailserver, the second did. :-(

For exceptions like these I want to have a tool to catch them before it fills up the server.

Kind regards,
Bonno Bloksma
head of systems administration

tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl

- Original Message -
From: Darin Cox
To: Declude.JunkMail@declude.com
Sent: Tuesday, February 14, 2006 3:31 PM
Subject: Re: [Declude.JunkMail] large mail to large number op recips

How about implementing a web-based upload/download site for this. I've done this for a couple of graphic design firms to allow their customers to upload files, which then sends the intended recipient an email notification with a link to download.

Much, much more efficient than SMTP (mail encoding generally runs up the file size about 33% or so), faster, and much less network traffic in a distribution situation since many of the recipients will not download the file. Also doesn't hang the user's mailbox when sending/receiving for several minutes while uploading/downloading.

Darin.

- Original Message -
From: Bonno Bloksma
To: Declude.JunkMail@declude.com
Sent: Tuesday, February 14, 2006 8:51 AM
Subject: [Declude.JunkMail] large mail to large number op recips

Hi,

We are a school and:
- sometimes someone needs to send a large e-mail (20-30 MB) to one of the staff or students.
- several times a day we send e-mails to large groups of students so the BCC field might contain up to 1500 addresses.

Both items are no problem until they are combined like some tried today. :-(
Suddenly I lost around 15GB of diskspace on my mailserver. At least that is what IMail tried because I only had about 10GB left on my mailbox drive. Guess what happened?

Is there a way using Declude Junkmail to flag this situation and stopping the e-mail while still allowing the two items above?

I'm currently using Declude 2.16, Junkmail Std and AV Pro.

Kind regards,
Bonno Bloksma
head of systems administration

tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl
Re: [Declude.JunkMail] large mail to large number op recips
Hi,

I can not do it, I'm not that good with vbscript but we have people who can do it.
How would I attach this script to the mail IMail/Declude chain. Use the undocumented DAISYCHAIN option in Declude? If so, what is the correct keyword and in which file do I put it?

Kind regards,
Bonno Bloksma
head of systems administration

tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl

- Original Message -
From: Matt
To: Declude.JunkMail@declude.com
Sent: Tuesday, February 14, 2006 4:51 PM
Subject: Re: [Declude.JunkMail] large mail to large number op recips

You can write it in vbscript and pass the recipients into the script with the argument %RECIPIENTS%

Once you have the number of recipients (found by counting the @ symbols in that argument), you can then get the message size and do some multiplication.

Here's one big issue though. If you whitelist your own users, as most of us do, this filter won't work, or at least it shouldn't work. There is a bug though introduced in 2.x that causes all tests to run despite the sender being whitelisted, but it will cause messages to still score 0 (just wastes resources). Therefore you might try just deleting or moving the message file with the script instead of filtering it with Declude.

Matt

Darin Cox wrote:

Certainly not for all mail, just for these circumstances... but I understand you want to avoid situations where this is done accidentally.

I think a couple of people had a size test, and you could key off of the number of recipients in combination with this to perform a custom action like routing or deleting... or route it to a program alias that sends you an alert notification.

Darin.

- Original Message -
From: Bonno Bloksma
To: Declude.JunkMail@declude.com
Sent: Tuesday, February 14, 2006 9:46 AM
Subject: Re: [Declude.JunkMail] large mail to large number op recips

Hi,

Nope, we don't want to go that way for ALL mail. We've got several options to upload files for several purposes within our school. Our website has lots of options for that but.. sometimes we want to send something as an attachment.

In this case it was a newsletter for our staff which was supposed to be about 200-300 KB, we want those newsletters sent as attachment, not as a link. For some reason the newsletter ended up to be a Word document 5MB large and was sent without realising it. After that it was sent once more. This time as a PDF file... which happened to be 33MB large and was created using the Word document as a base. :-(
Both mails went to 250+ recipients. The first mail did not kill the mailserver, the second did. :-(

For exceptions like these I want to have a tool to catch them before it fills up the server.

Kind regards,
Bonno Bloksma
head of systems administration

tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl

- Original Message -
From: Darin Cox
To: Declude.JunkMail@declude.com
Sent: Tuesday, February 14, 2006 3:31 PM
Subject: Re: [Declude.JunkMail] large mail to large number op recips

How about implementing a web-based upload/download site for this. I've done this for a couple of graphic design firms to allow their customers to upload files, which then sends the intended recipient an email notification with a link to download.

Much, much more efficient than SMTP (mail encoding generally runs up the file size about 33% or so), faster, and much less network traffic in a distribution situation since many of the recipients will not download the file. Also doesn't hang the user's mailbox when sending/receiving for several minutes while uploading/downloading.

Darin.

- Original Message -
From: Bonno Bloksma
To: Declude.JunkMail@declude.com
Sent: Tuesday, February 14, 2006 8:51 AM
Subject: [Declude.JunkMail] large mail to large number op recips

Hi,

We are a school and:
- sometimes someone needs to send a large e-mail (20-30 MB) to one of the staff or students.
- several times a day we send e-mails to large groups of students so the BCC field might contain up to 1500 addresses.

Both items are no problem until they are combined like some tried today. :-
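The recipients-times-size check suggested in this thread, written out as an added example in Python rather than the VBScript mentioned above (not from the original posts, and not a Declude feature). The separators in the recipient argument, the 1 GB fan-out limit and the 2 GB disk reserve are assumptions, and how the script is hooked into the IMail/Declude chain is not shown because the thread does not settle it.

```python
import os
import re
import shutil
import sys

MB = 1024 * 1024
GB = 1024 * MB


def unique_recipients(recipients_arg):
    """Return the distinct addresses in the recipient argument.

    Assumption: addresses are separated by whitespace, commas or semicolons.
    Counting distinct addresses avoids overcounting a recipient listed twice,
    which a raw count of '@' symbols would do.
    """
    seen = []
    for token in re.split(r"[\s,;]+", recipients_arg.strip()):
        address = token.strip("<>").lower()
        if address.count("@") == 1 and address not in seen:
            seen.append(address)
    return seen


def fanout_check(recipients_arg, message_bytes, free_bytes,
                 max_fanout_bytes=1 * GB, reserve_bytes=2 * GB):
    """Decide whether one message copied to every recipient is safe to deliver.

    Returns (decision, projected_bytes, reason). A large mail to one person and
    a small mail to many people both pass; only the product is limited.
    """
    projected = len(unique_recipients(recipients_arg)) * message_bytes
    if projected > max_fanout_bytes:
        return ("hold", projected, "fan-out above limit")
    if free_bytes - projected < reserve_bytes:
        return ("hold", projected, "would eat into disk reserve")
    return ("allow", projected, "ok")


if __name__ == "__main__":
    # Usage: fanout.py "<recipient list>" <path to spooled message file>
    recipients, message_path = sys.argv[1], sys.argv[2]
    size = os.path.getsize(message_path)
    free = shutil.disk_usage(os.path.dirname(os.path.abspath(message_path))).free
    decision, projected, reason = fanout_check(recipients, size, free)
    print(f"{decision}: {projected / MB:.0f} MB projected ({reason})")
    sys.exit(0 if decision == "allow" else 1)
```

With these limits the 33 MB PDF to 250 recipients from the thread is held, while a 30 MB mail to one person and a small mail to 1500 students both pass.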
Re: [Declude.JunkMail] large mail to large number op recips
Hi,

Nope, we don't want to go that way for ALL mail. We've got several options to upload files for several purposes within our school. Our website has lots of options for that but.. sometimes we want to send something as an attachment.

In this case it was a newsletter for our staff which was supposed to be about 200-300 KB, we want those newsletters sent as attachment, not as a link. For some reason the newsletter ended up to be a Word document 5MB large and was sent without realising it. After that it was sent once more. This time as a PDF file... which happened to be 33MB large and was created using the Word document as a base. :-(
Both mails went to 250+ recipients. The first mail did not kill the mailserver, the second did. :-(

For exceptions like these I want to have a tool to catch them before it fills up the server.

Kind regards,
Bonno Bloksma
head of systems administration

tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl

- Original Message -
From: Darin Cox
To: Declude.JunkMail@declude.com
Sent: Tuesday, February 14, 2006 3:31 PM
Subject: Re: [Declude.JunkMail] large mail to large number op recips

How about implementing a web-based upload/download site for this. I've done this for a couple of graphic design firms to allow their customers to upload files, which then sends the intended recipient an email notification with a link to download.

Much, much more efficient than SMTP (mail encoding generally runs up the file size about 33% or so), faster, and much less network traffic in a distribution situation since many of the recipients will not download the file. Also doesn't hang the user's mailbox when sending/receiving for several minutes while uploading/downloading.

Darin.

- Original Message -
From: Bonno Bloksma
To: Declude.JunkMail@declude.com
Sent: Tuesday, February 14, 2006 8:51 AM
Subject: [Declude.JunkMail] large mail to large number op recips

Hi,

We are a school and:
- sometimes someone needs to send a large e-mail (20-30 MB) to one of the staff or students.
- several times a day we send e-mails to large groups of students so the BCC field might contain up to 1500 addresses.

Both items are no problem until they are combined like some tried today. :-(
Suddenly I lost around 15GB of diskspace on my mailserver. At least that is what IMail tried because I only had about 10GB left on my mailbox drive. Guess what happened?

Is there a way using Declude Junkmail to flag this situation and stopping the e-mail while still allowing the two items above?

I'm currently using Declude 2.16, Junkmail Std and AV Pro.

Kind regards,
Bonno Bloksma
head of systems administration

tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl
[Declude.JunkMail] large mail to large number op recips
Hi,

We are a school and:
- sometimes someone needs to send a large e-mail (20-30 MB) to one of the staff or students.
- several times a day we send e-mails to large groups of students so the BCC field might contain up to 1500 addresses.

Both items are no problem until they are combined like some tried today. :-( Suddenly I lost around 15GB of disk space on my mailserver. At least that is what IMail tried, because I only had about 10GB left on my mailbox drive. Guess what happened?

Is there a way using Declude Junkmail to flag this situation and stop the e-mail while still allowing the two items above?

I'm currently using Declude 2.16, Junkmail Std and AV Pro.

Kind regards,
Bonno Bloksma
head of systems administration
tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl
Re: [Declude.JunkMail] Best Sniffer Weights
Hi,

Sniffer is very reliable. Place it above the weight you use to mark messages as probable spam and below your weight for holding. If you want, you can have different weights for the different categories; see below. I score the travel category lower as we are a travel related school, so what others might consider spam we might see as ham. I score the porn etc. categories at my hold level as I want to always hold those, and the false positives in those categories are virtually zilch.

I mark the subject at 12 points and hold at 20. So I use:

SNIFFER-TRAVEL external 047 "C:\IMail\Declude\Sniffer\sniffer-id.exe sniffer-key" 16 0
SNIFFER-INSURANCE external 048 "C:\IMail\Declude\Sniffer\sniffer-id.exe sniffer-key" 19 0
SNIFFER-AV-PUSH external 049 "C:\IMail\Declude\Sniffer\sniffer-id.exe sniffer-key" 19 0
SNIFFER-WAREZ external 050 "C:\IMail\Declude\Sniffer\sniffer-id.exe sniffer-key" 19 0
SNIFFER-SPAMWARE external 051 "C:\IMail\Declude\Sniffer\sniffer-id.exe sniffer-key" 19 0
SNIFFER-SNAKEOIL external 052 "C:\IMail\Declude\Sniffer\sniffer-id.exe sniffer-key" 19 0
SNIFFER-SCAMS external 053 "C:\IMail\Declude\Sniffer\sniffer-id.exe sniffer-key" 20 0
SNIFFER-PORN external 054 "C:\IMail\Declude\Sniffer\sniffer-id.exe sniffer-key" 20 0
SNIFFER-MALWARE external 055 "C:\IMail\Declude\Sniffer\sniffer-id.exe sniffer-key" 19 0
SNIFFER-ADVERTISING external 056 "C:\IMail\Declude\Sniffer\sniffer-id.exe sniffer-key" 19 0
SNIFFER-SCHEMES external 057 "C:\IMail\Declude\Sniffer\sniffer-id.exe sniffer-key" 20 0
SNIFFER-CREDIT external 058 "C:\IMail\Declude\Sniffer\sniffer-id.exe sniffer-key" 19 0
SNIFFER-GAMBLING external 059 "C:\IMail\Declude\Sniffer\sniffer-id.exe sniffer-key" 19 0
SNIFFER-GENERAL external 060 "C:\IMail\Declude\Sniffer\sniffer-id.exe sniffer-key" 17 0
SNIFFER-EXP-ABSTR external 061 "C:\IMail\Declude\Sniffer\sniffer-id.exe sniffer-key" 17 0
SNIFFER-OBFUSCATION external 062 "C:\IMail\Declude\Sniffer\sniffer-id.exe sniffer-key" 18 0
SNIFFER-IP-RULES external 063 "C:\IMail\Declude\Sniffer\sniffer-id.exe sniffer-key" 17 0

Regards,
Bonno Bloksma

----- Original Message -----
From: "Chris Anton" <[EMAIL PROTECTED]>
To:
Sent: Monday, January 30, 2006 10:56 PM
Subject: [Declude.JunkMail] Best Sniffer Weights

Hi all.

We just installed message sniffer tonight and are working on tweaking it. What are your recommendations for best weights? Also, suggestions on other settings welcomed.

Thanks!
-Anton

---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
---
[E-mail scanned at tio.nl for viruses by Declude Virus]
Re: [Declude.JunkMail] CMDSPACE Percent of Weight based on your (DELETE) action
Hi,

I would like to ask those that have been using CMDSPACE; what percentage of your weight do you assign to this?

Zero. I have backup and anti virus software using Microsoft DLLs which have the same bug. So if I were to use the CMDSPACE it would push some mails to my "subject modification" level. Those senders are on PCs which will also fail several other tests and do not do SMTP auth, so no bypass possible.

Regards,
Bonno Bloksma
Re: [Declude.JunkMail] Decludeproc abend
Hi,

I just missed "the good ol' days" with the cards. We still had them but us new guys were allowed to use a screen editor. Even the line terminals were for the other guys. Funny thing was... the computer we were to use was about two by two by two (yards) and could handle about twelve to fifteen users editing plain text files. It was so busy handling the editing that the programs we were creating were then submitted to the "real" computer, which was either a Dec 1060 or 2060. Later the 1060 was upgraded to 2060 as well. The job, which then ran as a job on the big Dec (and they were big in a physical way), ran as a batch job from a card reader; the input would show "x cards read". :-)

Nice thing about that setup: the jobs we were submitting ran at the operator level so... guess what else we could do. :-) I never found out how to create an account but I was able to copy my files to another existing account and then break in on that account, which was child's play. Breaking in on an account was simply entering the login name and then hitting Ctrl-Y (I think it was Ctrl-Y) rapidly to send a break to the login program. It would then sometimes forget to ask for the password. If it didn't work the first time, just try it again; at least one in ten times would be successful. :-)

Regards,
Bonno Bloksma

----- Original Message -----
From: Dave Beckstrom
To: Declude.JunkMail@declude.com
Sent: Friday, December 23, 2005 6:17 AM
Subject: RE: [Declude.JunkMail] Decludeproc abend

I started off on an IBM 370/168 in 1980. The characters on the console were rendered in green print and looked like they had been hand drawn on the screen. The computer had a CPU meter on it. The needle would go to 100% utilization and stay there most of the night.

I remember just a few days after starting for the Company someone called me up and asked me to turn on their focus. I thought to myself, what an idiot. It's impossible for me to turn on their focus; that must be a knob on their screen. It was only later I found out Focus was some kind of software application that they wanted me to run. LOL!

We used to have to remove the disk platters from the disk drives and swap them with other platters. I think these were 3350 drives. I don't recall for sure; that was 26 years ago. We had fourteen 3420 tape drives that I had to keep fed, and they were hungry buggers! I'd walk around with about 10 reels of tape on my arm and I'd keep those drives loaded with tapes and have to take the old reels off and hang them back on the racks. I believe the racks held something in the neighborhood of 18,000 reels of tape.

The first PC we had was one my dad had bought. It booted off of a tape drive. There was no such thing as a hard drive at that time. He was gone to work one day and I typed into the computer, "what is your name?" The PC responded with some cryptic error message that made no sense to me. I asked a few more questions and finally concluded that the PC was just plain stupid and that it didn't know a thing! It was about 2 years later that I went to school for programming.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert E. Spivack
Sent: Thursday, December 22, 2005 10:37 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Decludeproc abend

Ah, you mean using a magic marker to write a visual stripe on the edge of the cards, right? Bah, we just NEVER dropped our card decks. After all, using columns 72 to 80 for sequence numbers was always for wimps, right?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Doherty
Sent: Thursday, December 22, 2005 7:20 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Decludeproc abend

Thanks for the trip down memory lane, Andy. For me it was a new 360(?) in college in 1968. One of the seniors showed me how to run a thin diagonal stripe down the side of the card deck to aid in sorting, should it ever be necessary...

ABEND was absolutely in the vocabulary at that time. Both as "evening" from my German classes and ABnormalENDing, courtesy of IBM.

Now I have REALLY dated myself.

-d

----- Original Message -----
From: Andy Schmidt
To: Declude.JunkMail@declude.com
Sent: Wednesday, December 21, 2005 11:44 PM
Subject: RE: [Declude.JunkMail] Decludeproc abend

Ha - long before Gates started college, there was a company called International Business Machines. And you had to program sorter/merger machine
[Declude.JunkMail] copy to action
Hi,

We want to keep track of all mail from our students to the staff and vice versa. For all mail where the sender is part of student.tio.nl and any one of the recipients (To, CC or BCC) is in tio.nl, a copy needs to be sent to a special mailbox [EMAIL PROTECTED] The same for mail coming from tio.nl where any recipient is in student.tio.nl: it needs to be sent to another special mailbox, [EMAIL PROTECTED]

Of course the mail copied by the action itself should not be copied to that mailbox, otherwise I'll have a nice loop. :-(
Of course I don't want spam to be copied; define spam as any mail that meets my delete weight (SPAMDELETE tag).
Of course I don't want viruses to be copied (but I'm using Declude Virus and AVAFTERJM is nowhere in my configs).

How do I set this up? I'll probably need JunkmailPro (I've got Junkmail Standard), or can I do this with standard IMail (v8.22) rules?

p.s. Still using Declude 2.06 but I'll switch to 3.x when I upgrade my mailserver to IMail 9 next year. I could upgrade Declude to 3.x if needed.

Kind regards,
Bonno Bloksma
head of systems administration
tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl
Re: [Declude.JunkMail] outgoing mail declude junkmail
Hi,

Travis what you have there is the rule defined
Now you need to have an action
IE
Weight10 hold
Weight20 delete
By the way you make it confusing by saying weight10 is a hold at 16. Why not call it weight16?

I do have them specified as hold/delete in the default.junkmail file, this is working for incoming mail, just doesn't appear to work for outgoing mail.

Right, so define those actions as well in the global.cfg file if you want them applied to outgoing mail.

I have it scored at 16, it makes it easier to change the levels as I improve the ham/spam ratio... easier than renaming tests...

Yes, but it is quite easy to just rename those two tests so as not to include the weight number but the wanted action. That is why my default action names are:
SPAMSUBJECT
SPAMHOLD
SPAMDELETE
At the definition I can then assign any weight or weight range I want, and after that it is clear which action to set. It's a one time thing to change all (2 in global, 1 in default) WEIGHT10 names into SPAMSUBJECT, etc.

Travis

Regards,
Bonno Bloksma
Re: [Declude.JunkMail] CMDSPACE Failures
Hi,

> If MS were to fix it, we wouldn't be detecting a lot of the spam. So, while
> on one hand it would be nice if it were fixed... on the other hand the
> CMDSPACE test wouldn't be catching nearly as much.

It seems this library is broken. Sophos also has this problem as they use this MS lib:
---
The library is called CDO (Collaboration Data Objects).
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncdsys/html/cdo_roadmap.asp
---
If MS were to fix that, lots of software would be fixed.

> WHITELIST AUTH and custom filters to negate specific senders and servers
> that fail this test is how we manage false positives.

But I cannot get this software, and my backup software, and whatever else is using this library, to use SMTP AUTH. :-(

Kind regards,
Bonno Bloksma
Re: [Declude.JunkMail] testing mailserver
Hi David,

What you saw in the message below was all there is, that was the entire message body after my test. First line was the Received: line, last line was the X-IMail-ThreadID: line. As to how to reproduce it, do as I did, I describe exactly what I did.

Regards,
Bonno Bloksma

----- Original Message -----
From: David Franco-Rocha [ Declude ]
To: Declude.JunkMail@declude.com
Sent: Thursday, November 03, 2005 8:24 PM
Subject: Re: [Declude.JunkMail] testing mailserver

Bonno,

The text actually did appear as the body of the email. The problem was that the headers were added after the body, which has been an ongoing problem. Declude was not able to determine where the headers actually ended and the body began, so it only *looks* like the text is not in the body.

Please send the actual message file as an attachment to [EMAIL PROTECTED] so that we can look at the raw data format of the message.

With regard to these broken emails where headers are placed in the wrong location, we are still doing some testing and expect to have a solution very shortly.

David Franco-Rocha
Declude Technical / Engineering

----- Original Message -----
From: Bonno Bloksma
To: Declude.JunkMail@declude.com
Sent: Wednesday, November 02, 2005 6:31 AM
Subject: [Declude.JunkMail] testing mailserver

Hi,

I was testing our mailserver by setting up a telnet session on port 25 and then entering the commands. I must have done something really wrong as my text appears in the headers in a way not even Outlook Express can see. ;-0 It will show a blank message.

This is what was delivered to me:

Received: from TEST [194.109.165.42] by tio.nl (SMTPD-8.21) id AE3902D0; Wed, 02 Nov 2005 12:08:41 +0100
dit is een test
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [8c200041].
X-Declude-Sender: [EMAIL PROTECTED] [194.109.165.42]
X-Declude-Spoolname: D9DFC01B0059C.SMD
X-Declude-Note: Scanned at tio.nl by Declude 2.0.6 (http://www.declude.com/x-note.htm) for spam.
X-Declude-Scan: Score [8] at 12:09:30 on 02 Nov 2005
X-Declude-Tests: BADHEADERS
X-Country-Chain: NETHERLANDS->destination
---[E-mail scanned at tio.nl for viruses by Declude Virus]
From: [EMAIL PROTECTED]
Date: Wed, 2 Nov 2005 12:09:30 +0100
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 383765952
X-IMail-ThreadID: 9dfc01b0059c

See the "dit is een test" below the received from line?

This is what I did:

Start (Windows) telnet
set LOCAL_ECHO
open mail.tio.nl 25
HELO TEST
MAIL FROM:<[EMAIL PROTECTED]>
RCPT TO:<[EMAIL PROTECTED]>
DATA
dit is een test
.
QUIT

Did I make a BIG mistake? I know I should have added a msgid somewhere and a date line to have a proper valid message, but is that necessary in order to have the text after the DATA command appear as the body part of a mail?

I'm using Declude 2.0.6

Kind regards,
Bonno Bloksma
head of systems administration
tio hogeschool toerisme en hospitality
julianalaan 9 / 7553 ab hengelo
t 074 255 06 10 / f 074 255 06 16
[EMAIL PROTECTED] / www.tio.nl
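The header/body boundary discussed in this thread, as an added example (not code from the list, from IMail or from Declude): it splits a stored message at the first empty line, the way a mail client does, and shows why the text typed straight after DATA lands in the header block. The Received line is copied from the quoted message; the "Subject: test" header and the two corrected inputs are constructed for illustration.

```python
import re
from typing import List, NamedTuple, Tuple

CRLF = "\r\n"

# RFC 5322 header field: a name of printable ASCII without colon or space,
# then a colon. Any other line inside the header block is malformed.
FIELD = re.compile(r"^[\x21-\x39\x3b-\x7e]+[ \t]*:")

# Received line copied from the delivered message quoted on this page.
RECEIVED = ("Received: from TEST [194.109.165.42] by tio.nl (SMTPD-8.21) "
            "id AE3902D0; Wed, 02 Nov 2005 12:08:41 +0100")

# Lines entered after DATA. AS_TYPED is the session from the post; the other
# two are constructed variants (the Subject header is an assumption).
AS_TYPED = ["dit is een test", ".", "QUIT"]
WITH_BLANK_LINE = ["", "dit is een test", "."]
WITH_HEADERS = ["Subject: test", "", "dit is een test", "."]


class Parsed(NamedTuple):
    headers: List[str]                # header fields, folded lines rejoined
    body: str                         # text after the first empty line
    separator_found: bool             # was there an empty line at all?
    malformed: List[Tuple[int, str]]  # (line number, text) of non-header lines


def data_payload(typed_lines):
    """Turn the lines typed after DATA into the transmitted message text.

    A line holding only "." ends the data; a leading dot on any other line
    is removed (RFC 5321 dot-unstuffing).
    """
    out = []
    for line in typed_lines:
        if line == ".":
            break
        out.append(line[1:] if line.startswith(".") else line)
    return "".join(line + CRLF for line in out)


def stored_message(payload):
    """Model of the receiving server prepending its Received line."""
    return RECEIVED + CRLF + payload


def split_message(raw):
    """Split a stored message at the first empty line."""
    if raw.endswith(CRLF):
        raw = raw[:-len(CRLF)]        # the final line ending is not a separator
    lines = raw.split(CRLF)
    headers, malformed = [], []
    for number, line in enumerate(lines, start=1):
        if line == "":
            return Parsed(headers, CRLF.join(lines[number:]), True, malformed)
        if line[0] in " \t" and headers:
            headers[-1] += CRLF + line  # continuation of a folded header
        elif FIELD.match(line):
            headers.append(line)
        else:
            malformed.append((number, line))
    # No empty line anywhere: everything sits in the header block, body is empty.
    return Parsed(headers, "", False, malformed)


if __name__ == "__main__":
    cases = [("as typed", AS_TYPED), ("blank line first", WITH_BLANK_LINE),
             ("header + blank line", WITH_HEADERS)]
    for label, typed in cases:
        result = split_message(stored_message(data_payload(typed)))
        print(f"{label}: separator={result.separator_found} "
              f"body={result.body!r} malformed={result.malformed}")
```

Any header a filter appends to the end of the first case's header block ends up after the stray text line, which matches the delivered message quoted above.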
[Declude.JunkMail] testing mailserver
Hi,

I was testing our mailserver by setting up a telnet session on port 25 and then entering the commands. I must have done something really wrong as my text appears in the headers in a way not even Outlook Express can see. ;-0 It will show a blank message.

This is what was delivered to me:

Received: from TEST [194.109.165.42] by tio.nl (SMTPD-8.21) id AE3902D0; Wed, 02 Nov 2005 12:08:41 +0100
dit is een test
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [8c200041].
X-Declude-Sender: [EMAIL PROTECTED] [194.109.165.42]
X-Declude-Spoolname: D9DFC01B0059C.SMD
X-Declude-Note: Scanned at tio.nl by Declude 2.0.6 (http://www.declude.com/x-note.htm) for spam.
X-Declude-Scan: Score [8] at 12:09:30 on 02 Nov 2005
X-Declude-Tests: BADHEADERS
X-Country-Chain: NETHERLANDS->destination
---[E-mail scanned at tio.nl for viruses by Declude Virus]
From: [EMAIL PROTECTED]
Date: Wed, 2 Nov 2005 12:09:30 +0100
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 383765952
X-IMail-ThreadID: 9dfc01b0059c

See the "dit is een test" below the received from line?

This is what I did:

Start (Windows) telnet
set LOCAL_ECHO
open mail.tio.nl 25
HELO TEST
MAIL FROM:<[EMAIL PROTECTED]>
RCPT TO:<[EMAIL PROTECTED]>
DATA
dit is een test
.
QUIT

Did I make a BIG mistake? I know I should have added a msgid somewhere and a date line to have a proper valid message, but is that necessary in order to have the text after the DATA command appear as the body part of a mail?

I'm using Declude 2.0.6

Kind regards,
Bonno Bloksma
head of systems administration
tio hogeschool toerisme en hospitality
julianalaan 9 / 7553 ab hengelo
t 074 255 06 10 / f 074 255 06 16
[EMAIL PROTECTED] / www.tio.nl
[Declude.JunkMail] upgrade to 3.0.5
Hi,

Currently using Declude 2.0.6. Do I just stop the queue service and then perform the upgrade, or do I have to stop more?

Regards,
Bonno Bloksma
[Declude.JunkMail] X-Declude-Sender header
Hi,

What IP number will Declude list in the sender line? Will that always be the connecting IP number, or will it indeed skip numbers listed in an ipbypass line and list the first number after that?

Found this in a mail I was looking at:
X-Declude-Sender: [EMAIL PROTECTED] [217.114.97.6]
It has the IP number of the backup mailserver listed as the sender. I have this IP number in my global.cfg file listed with an IP bypass line:
IPBYPASS 217.114.97.6

This was in a (fake ebay) mail held by Declude because of a CR vulnerability. So maybe the Declude Junkmail processing would have corrected this line if it had gotten that far but... I'd like to know if that's indeed what would have happened or not.

Regards,
Bonno Bloksma
Re: [Declude.JunkMail] VIRUS WARNING
Hi,

A slight addendum to your instructions.

[.]
Then reboot the server. After rebooting, you will now be able to delete the two offending files. They are located in:
c:\winnt\system32\mousebm.exe
c:\winnt\system32\mousesync.exe

Before rebooting my server I always RENAME a dangerous file which I am not able to delete. Renaming has always worked so far in cases where I am not able to delete a file. That way if I miss a reg key, or don't want to go hunting for all keys which launch a virus/trojan/etc., I can still disable it and remove it.

p.s. You wrote no virus scanner found it yet; you did report this virus to your virus vendor, didn't you?

Regards,
Bonno Bloksma
Re: [Declude.JunkMail] SmarterMail shortcomings in a gateway environment
Hi,

Thank you for the detailed analysis - We have been considering SmarterMail as a migration path from IMail but will probably "go slow" until they grow up a bit more. How about open source? I seem to recall there are a few open source mail servers based on decent code (ASP.NET) that run on Windows servers.

The core of Novell netmail has been released to open source http://www.novell.com/news/press/archive/2005/02/pr05014.html and is now being developed as the HULA mail server. However, it's not on a Windows server, it will run on Linux. It's got a decent web interface and also supports calendaring. Synchronisation with PDA etc. is already possible but is being further developed as well.

Development of the HULA mailserver is going much faster than Novell had expected; they have decided to discontinue development of the netmail server as HULA will have overtaken it in just one year. Only the core was released to open source but that did not stop people from developing the bells and whistles around it. :-) They have most things down pat; one problem they were running into a while ago with the user database is that Microsoft had "improved" its version of LDAP in the Active Directory so it would not work in a normal LDAP way.

Right now I'm not thinking about it yet but in the near future...

Also the RedHat Enterprise server, which comes with a price tag, now has its exact freeware copy http://www.centos.org/ (without the RH logos). So a rock stable Linux server platform is now also available for free.

A quote:
At the same time, the new Hula project brings the mail and calendaring technology of the Novell NetMail product to the open source realm. Hula is positioned to be to collaboration what Apache is to Web serving.
Performance: It scales. Hula can scale up to 200,000 registered users on a single properly configured server, with 50,000 users simultaneously accessing the system.

Regards,
Bonno Bloksma
Re: [Declude.JunkMail] Layman's Explanation of E-Mail Spoofing
Hi,

Just ask them "What is preventing your neighbour to drop a letter in the mailbox (as in a city mailbox on the corner of the street where hundreds of people drop mail in) with *your* address as the sender address?" When the mailman opens the box it cannot be known who dropped what in the box and whether the information on the envelope is correct.

Regards,
Bonno Bloksma

----- Original Message -----
From: "Dan Geiser" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, May 17, 2005 4:57 PM
Subject: [Declude.JunkMail] Layman's Explanation of E-Mail Spoofing

> Hello, All,
> I'm having a hard time explaining to some of our customers why there is
> nothing that we can do to stop some unscrupulous spammer or anti-virus
> author from using their e-mail address and spoofing messages to look like
> they are sent "from" them.
>
> It seems that no matter how many times I explain it they just don't get it.
>
> Does anyone know of a good reputable source on the Internet which explains
> how e-mail addresses are spoofed which I can point them to? If it was in
> layman's terms all the better but I think just showing them an outside
> resource might be good enough as they seem to think we should be able to
> control it and are shirking our duties.
>
> Thanks,
> Dan Geiser
> [EMAIL PROTECTED]
>
> ---
> E-mail scanned for viruses by Nexus (http://www.ntgrp.com/mailscan)
[Declude.JunkMail] BCC test
Hi,

I was just looking at the Junkmail manual and noticed the documentation on the BCC test does tell what it does, but it does not tell how it is supposed to be configured. Now as a seasoned Declude user I quickly determined the meaning of the 10 x 5 0 sequence in the default config, but shouldn't the documentation be made for first time users?

Nowhere have I been able to find an explanation of the 4 numbers and/or placeholder x's after a test, nor how a test line is constructed. It's probably somewhere, but shouldn't that info be in the Junkmail manual at http://www.declude.com/Version/Manuals/2.0.6.asp ?

Also in the docs it states for the BCC test: "This test will catch E-mail that has a lot of local recipients that are not listed in the E-mail headers. This test is normally only used in advanced setups, as most mailing list E-mail has many recipients not listed in the headers." However, in the default setup this test is enabled; that's different from "... normally only used in advanced setups".

Regards,
Bonno Bloksma
Re: [Declude.JunkMail] Email not being scanned by Declude.
Hi,

Although the IMail services don't have any dependencies, I was thinking of linking some services in order to prevent stuff like this. I would have Syslog run first, then the Queuemanager and then the other services. This would for instance automatically stop the SMTP service when stop/starting the Queuemanager.

So most services, incl. queue manager, depend on Syslog. SMTP depends on queuemanager (and syslog)?

Any caveats I should know about?

Regards,
Bonno Bloksma

----- Original Message -----
From: "Matt" <[EMAIL PROTECTED]>
To:
Sent: Monday, February 14, 2005 4:47 PM
Subject: Re: [Declude.JunkMail] Email not being scanned by Declude.

> It's actually during the shut down that this happens during a window of
> a few seconds. In order to avoid this, always stop the SMTP service
> before shutting down, and also before stopping the QueueManager service.
>
> Matt
>
> Darrell ([EMAIL PROTECTED]) wrote:
>
> >> No changes have been made to Imail. There is a scheduled task that runs
> >> at 3:00 AM that reboots the Imail server. I suspect that the first
> >> queue run after reboot was when they were delivered.
> >
> > Others will chime in, but this is a known issue that after a reboot
> > that the QueueManager will grab email that has not been scanned by
> > Declude yet and deliver them.
> > Darrell
> >
> > Check out http://www.invariantsystems.com for utilities for Declude
> > And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI
> > integration, MRTG Integration, and Log Parsers.
>
> --
> =
> MailPure custom filters for Declude JunkMail Pro.
> http://www.mailpure.com/software/
> =
Re: [Declude.JunkMail] 2005 SpamHeaders Glitch?
Hi,

I had a couple of false positives this morning caused in part by SPAMHEADERS apparently objecting to 2005 as an invalid year. When I checked my normal mail, everything I checked failed SPAMHEADERS.

Time to disable the "SpamHeaders" test until this gets fixed. I set it to zero weight temporarily.

Just did the same.

I also sent an email direct to Scott and Barry.

To the urgent@ account?

Regards,
Bonno Bloksma

Back up my hard drive? How do I put it in reverse?
Re: [Declude.JunkMail] 2005 SpamHeaders Glitch?
Hi,

I had a couple of false positives this morning caused in part by SPAMHEADERS apparently objecting to 2005 as an invalid year. When I checked my normal mail, everything I checked failed SPAMHEADERS. Using Declude 1.79i7.

Hmmm, running 1.81 over here and same problem. SPAMHEADERS on every mail I have checked.

Were there any warnings on this?

None that I know.

Is anybody else seeing it?

Yup.

Regards,
Bonno Bloksma

Back up my hard drive? How do I put it in reverse?
Re: [Declude.JunkMail] OT: How to define "spam" and "ham"
Hi,

Amazon I happen to know first hand so if it's *really* from Amazon I would have a quick look why it was held but... all the other domain names I don't know them. Neither do I have the time to investigate these things. It's like you wrote, if I see them held... There's probably a reason for it. Being the postmaster over here is a part-time job, this is primarily a mailserver for us internally. We are a "school" with about 2000 students and staff. I'm processing about 4K messages a day.

As to "rules", I don't have specific rules, I just want to make sure we keep our mail as clean as possible. It is primarily for internal use. If that means some automated messages from some sources don't get through, too bad. I'll look into it when someone complains. So far, except for some individual cases, no one has complained certain messages did not get to them, which to me means I'm doing not too bad.

Greetings, Bonno Bloksma
Back up my hard drive? How do I put it in reverse?

- Original Message -
From: Matt
To: Declude.JunkMail@declude.com
Sent: Tuesday, December 21, 2004 3:30 AM
Subject: Re: [Declude.JunkMail] OT: How to define "spam" and "ham"

Bonno,

Unfortunately 'knowing' is rarely the result of first hand experience in this case, at least without a good deal of focus and research over time. Personally, I have found that E-mail coming from the better bulk-mail providers rarely breaks my rules. Generally if you have heard of the company represented in the E-mail and it comes from a first rate bulk-mail provider, they do in fact not violate the rules very often if at all. Some companies also perform their own bulk-mailing such as Amazon, and they should be especially aware of the potential of being blacklisted. There are others of course that don't really care, and the primary violation is typically some form of harvesting where they purchase addresses or re-use them from other resources. It's rare that a company that you have heard of not honoring opt-outs, though sometimes due to multiple internal working groups and not having a central repository for managing such subscriptions, a company might unsubscribe you to one list only to introduce another one that you are default-opted-into.

I guess what I was really after was what people like yourself do when you find that an ad for Amazon, J.Crew, Office Max, or even Orbitz is blocked by your system. Do you block them purposefully? Do you just go with the flow figuring that if they are blacklisted there is a reason? Do you research the sender and take corrective action? Or do you just simply wait for users to complain about something being blocked? And regardless of the action that you take, what are your 'rules', or are there any specific rules that you or others use?

Thanks,
Matt

Bonno Bloksma wrote:

Matt,

Although I agree with your reasoning, my problem would then be how do I determine who belongs to what category? Over here I see stuff getting caught which is definitely a newsletter of some sorts but I don't know whether the user requested it or not. Nor whether the user might want it or not. As we have a lot of students with a very diverse interest area it's impossible to know what is normal. Also being the mail admin is only a (small) part-time job over here, as long as it's running. ;-)

I keep telling my students "don't unsubscribe as it will only increase your spam". Now maybe *I* can make an exception by reading a list of companies that honor opt-out but I know most of our students and staff would not. They'd either unsubscribe or not, without reading such a list, "it's too much work". ;-(

Greetings, Bonno Bloksma

- Original Message -
From: Matt
To: Declude.JunkMail@declude.com
Sent: Monday, December 20, 2004 2:01 PM
Subject: [Declude.JunkMail] OT: How to define "spam" and "ham"

This was the subject of a recent off-list discussion between myself and Pete where there was a perception that my definition of spam was too conservative or rather my definition of ham was too liberal. While I readily admit that in practice, I do personally wish to block many fewer things that I consider to be legitimate first-party advertising than most do, I don't necessarily get the impression that the definitions that I use are all that much off the mark. I have also found that the folks at BondedSender think that I am some sort of anti-advertising zea
Re: [Declude.JunkMail] OT: How to define "spam" and "ham"
Matt,

Although I agree with your reasoning, my problem would then be how do I determine who belongs to what category? Over here I see stuff getting caught which is definitely a newsletter of some sorts but I don't know whether the user requested it or not. Nor whether the user might want it or not. As we have a lot of students with a very diverse interest area it's impossible to know what is normal. Also being the mail admin is only a (small) part-time job over here, as long as it's running. ;-)

I keep telling my students "don't unsubscribe as it will only increase your spam". Now maybe *I* can make an exception by reading a list of companies that honor opt-out but I know most of our students and staff would not. They'd either unsubscribe or not, without reading such a list, "it's too much work". ;-(

Greetings, Bonno Bloksma

- Original Message -
From: Matt
To: [EMAIL PROTECTED]
Sent: Monday, December 20, 2004 2:01 PM
Subject: [Declude.JunkMail] OT: How to define "spam" and "ham"

This was the subject of a recent off-list discussion between myself and Pete where there was a perception that my definition of spam was too conservative or rather my definition of ham was too liberal. While I readily admit that in practice, I do personally wish to block many fewer things that I consider to be legitimate first-party advertising than most do, I don't necessarily get the impression that the definitions that I use are all that much off the mark. I have also found that the folks at BondedSender think that I am some sort of anti-advertising zealot for reporting what is near universally what we would consider to be spam, so it does go both ways :) So I wanted to throw this topic out for some feedback and other presentations of one's own definitions and maybe learn something in the process.

First off, I naturally follow the basic definition of spam that is widely promoted where spam is both unsolicited and bulk. What causes such wide derivation from this common definition however is the sub-definition of what constitutes unsolicited, and the gray area that exists beyond this definition due to abuse.

The definition that I use to qualify advertising or newsletter related ham is as follows: This definition starts with me treating things as ham if it comes from a first-party relationship with the sender, however there are some exceptions as follows: [.]
Re: [Declude.JunkMail] Email being released today - Advance Notice
Hi Darin,

> But my question was on receiving an SA with the purchase of an upgrade.
>
> So, if we purchase a level upgrade, do we get the current version, or are we stuck with the version that was available when our SA ran out?

Talked to someone from Declude about just that a while ago. Their point *then* was you would be allowed to use the version which was current at the moment your SA ran out. My point to them was: a "level upgrade" should include an upgrade to the version current at the time of the upgrade. Of course for any bugfix/update after that one would need a valid SA. I still think this is a "normal" way of doing business. The other way allows me to buy an "old" product at today's price. At that time they did not agree with me but maybe their point has changed.

> Darin.

Greetings, Bonno Bloksma

> - Original Message -
> From: "Don Schreiner" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, December 01, 2004 11:48 AM
> Subject: RE: [Declude.JunkMail] Email being released today - Advance Notice
>
> Barry,
>
> I hate to disagree with you! See below email. I am also working on finding in my archive another email between Scott and self clarifying Service Agreements this same topic.
>
> -Don
>
> -Original Message-
> From: R. Scott Perry [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, January 14, 2003 2:41 PM
> To: [EMAIL PROTECTED]
> Subject: Declude Service Agreement
>
> Thank you for your order for a Service Agreement.
>
> This E-mail confirms the purchase of your 1 Year Service Agreement, which will be good through January 31, 2004.
>
> The Service Agreement entitles you to free upgrades and support during the term of the service agreement. The Service Agreement covers all Declude programs that you have purchased in the past. You do not need a new activation code; your current activation code will continue to work.
>
> Please note that we now have a special E-mail address for urgent support issues ([EMAIL PROTECTED]). Standard support questions can be sent to [EMAIL PROTECTED]
>
> If you have any questions, please let me know. Thanks.
> -Scott
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Barry Simpson
> Sent: Wednesday, December 01, 2004 11:10 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.JunkMail] Email being released today - Advance Notice
>
> Explanation of Service Agreements
>
> 1. Service Agreements have always been "Per Server", that is to say that if you own JunkMail on Two Servers then you should have paid two service agreements. In the past this would have cost you $295 * 2 - $590. Today it will be $132 * 2 = $264. A significant saving.
>
> 2. The rules on upgrades have always been that an upgrade between product levels e.g. Lite to Standard, does NOT include any extension in Service Agreement.
>
> Both these rules have been set by Scott years ago.
>
> - Barry
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Don Schreiner
> Sent: Wednesday, December 01, 2004 10:58 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] Email being released today - Advance Notice
>
> That is how I recall it too, but not sure based on the sites verbiage. We have license for Declude Pro AV/JM on one server and separate license for Declude Standard AV/JM at another server/location. Does the $264 JM/AV Service Agreement option cover both these licenses as in the past?
>
> -Don
>
> - Original Message -
> From: "Darin Cox" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, December 01, 2004 10:34 AM
> Subject: Re: [Declude.JunkMail] Email being released today - Advance Notice
>
> Sounds like some good changes.
>
> How does upgrading one or more products affect service agreements? For example, if we have JM and AV standard, and upgrade one to Pro, what service agreement would we end up with?
>
> I believe in the old model, upgrading one would effectively result in a year support for both, but I may be incorrect.
>
> Darin.
Re: [Declude.JunkMail] IP block
Hi,

[..]

> This E-mail actually came from 68.251.177.107. That IP *may* have received it from 222.126.26.96, but unless you can trust that IP, you have to assume that it really came from 68.251.177.107.
>
> One option here would be to use a line "HOPHIGH 2" in your \IMail\Declude\global.cfg file, which would scan the first two hops, which would also cause the 222.126.26.96 IP to be scanned.

Hold on, maybe I have misunderstood the hophigh feature all this time. Do you mean to say that by using hophigh 2 I test all ip-numbers in the first *and* in the second hop? I could definitely use that feature as I have mail forwarded to me from the ISP that we get some of our (consumer) ADSL connections from. They send any info regarding a connection to the e-mail address corresponding with that connection. Of course I have all those addresses forwarded to me but there is also a lot of spam coming from those addresses. As they have a massive mailserver farm it is impossible for me to list all mailservers in my ipbypass list.

If hophigh is doing what I think you said I can suddenly enable all ip based tests on those forwarded mails by increasing the hophigh count.

Greetings, Bonno Bloksma
Back up my hard drive? How do I put it in reverse?
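The hop question in the message above, as an added example that is not part of the original post and is not Declude's code: it reads the Received chain of a constructed message, takes the first N hops as the quoted reply describes for "HOPHIGH 2", and marks which hop IPs were recorded by a server you trust and which are only claims made by an untrusted relay. The sample headers, the host names, the function names and the trusted-relay rule are assumptions for illustration; only the two IP addresses come from the thread.

```python
import email
import ipaddress
import re

# IMail-style "[a.b.c.d]" literal inside a Received header (assumed format).
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed message. Headers are listed newest first: the top Received
# line was written by our own server, the second by the relay before it.
SAMPLE = (
    "Received: from relay.example.net [68.251.177.107]\n"
    "\tby mx.example.org with ESMTP; Mon, 01 Nov 2004 10:00:02 +0100\n"
    "Received: from unknown [222.126.26.96]\n"
    "\tby relay.example.net with SMTP; Mon, 01 Nov 2004 10:00:00 +0100\n"
    "From: sender@example.com\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)


def hop_ips(raw_message):
    """Return one IP (or None) per Received header, nearest hop first."""
    msg = email.message_from_string(raw_message)
    ips = []
    for value in msg.get_all("Received", []):
        match = IP_IN_BRACKETS.search(value)
        ip = match.group(1) if match else None
        try:
            if ip is not None:
                ipaddress.ip_address(ip)  # rejects e.g. 999.1.1.1
        except ValueError:
            ip = None
        ips.append(ip)
    return ips


def classify_hops(raw_message, hops, trusted_relays=()):
    """List (ip, status) for the first `hops` hops.

    The first hop is the address our own server saw connect, so it is
    always 'reliable'. A later hop is only as good as every relay in
    front of it: if one of those is not in trusted_relays, the header
    it wrote may be forged and the IP is an 'unverified' claim.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_relays]
    result = []
    chain_trusted = True
    for ip in hop_ips(raw_message)[:hops]:
        if ip is None:
            break  # unparsable hop: nothing behind it can be placed
        result.append((ip, "reliable" if chain_trusted else "unverified"))
        addr = ipaddress.ip_address(ip)
        chain_trusted = chain_trusted and any(addr in n for n in nets)
    return result


if __name__ == "__main__":
    print(classify_hops(SAMPLE, 1))
    print(classify_hops(SAMPLE, 2))
    print(classify_hops(SAMPLE, 2, trusted_relays=["68.251.177.107/32"]))
```

For the forwarding case described in the message, the ISP's relay ranges would go into `trusted_relays`, which is what makes the second hop's address worth testing.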
Re: [Declude.JunkMail] OT: expanding beyond one mailhost
Hi Mark,

> Andrew,
> We have 3 equal MX records and 3 A records for "load balancing" and redundancy.
> We also have a 4th MX which is physically off-site that's a lower preference level.
>
> I put load-balancing in quotes because we still see our number 1 server take the brunt of the load.

Yup, a normal round-robin setup on a DNS server will also rotate the list of ip-numbers presented to the "client". Most clients will try the first ip-number given and if that fails try the second etc. As MX records probably don't get the "normal" round-robin treatment it is always the first listed ip-number which is presented first in the list to the client, and which thereby gets used most often.

I might be wrong but I think that's the reason for the observed behaviour.

Greetings, Bonno Bloksma
Back up my hard drive? How do I put it in reverse?
Re: [Declude.JunkMail] IPSwitch ICS
Hi,

> > Perhaps the time has arrived for the folks at Computerized Horizons to release their own full blown MTA...
> Add my vote, too!
>
> WebMail, POP, IMAP and SMTP. No need for the rest of it, IMHO. I have calendaring turned off, and I do not want to get involved with instant messaging and the rest. I could probably live without IMAP, too.

Sorry, the reason we went with IMail was the webmail support at the time. We have completely rewritten the webmail templates to seamlessly integrate it with our website where our students and teachers can read the mail. As it also supports POP and IMAP we can also use it for the "regular" e-mail accounts the staff has, who mostly use Outlook (Express) on their computer (POP) and the "shared" e-mail accounts which are used by the helpdesk etc. (IMAP) and people like me who have 2 to 3 systems where they need to be able to access the mail.

Of course an antivirus and antispam product like Declude only helped to swing the vote in IMail's favor at the time. We will be looking for something new in the future as well. I had not renewed my SA either because I could not see any new developments we "wanted to have" in the latest IMail product. Right now we are at 8.05 and we'll probably stay there for a while.

Kind regards, Bonno Bloksma
Re: [Declude.JunkMail] Best Practices for handing legit email flagged as spam?
Hi,

> Hi all. We've been struggling a bit with this issue. We have a variety of tests in place, and basically have just changed our settings to:
>
> WEIGHT10 WARN
> WEIGHT20 BOUNCEONLYIFYOUMUST
> WEIGHT40 DELETE
>
> The hope is that it will bounce some of the false positives back to the senders so we don't get complaints from people that they are not receiving their emails

Too bad, but no go. If you have the standard weights in place, chances you are becoming a spammer yourself is about 80%. That's the spam hitrate for the weight20 test minus the nonforged headers. About 90% of all spam has a forged header, the remaining being from "advertising senders" having a bounce mechanism. So you are sending a lot of spam to innocent victims whose e-mail address has been used as a from address.

Also, have a look at your postmaster account, it should fill up nicely with bounces to forged addresses that do not exist.

The reason it is called BOUNCEONLYIFYOUMUST is just that. Bounce only if you MUST and be aware of what you are doing.

Greetings, Bonno Bloksma
Re: [Declude.JunkMail] spam review
Hi,

[... sorting on spam weight in spamreview...]

> > I've solved this by marking the subject line of all hold messages with "[spam %weight%]"

Well, I have that too now but... that did not solve the problem because the subject column in the top windows is empty. Strange, as the subject line in the window below that *does* show the subject. Anybody else have this problem too?

Greetings, Bonno Bloksma
[Declude.JunkMail] added test on Declude site
Hi, I'd like an extra test on the Declude site where I can send an email with all three "problems" in them. Reason I'm asking is I sometimes want to test what happens when I'm reaching the weight where I change the subject or something else. Having just one test fail won't get me there. ;-) Of course I can wait until the next virus comes along that does reach my subject weight but does *not* reach my delete weight. However, the point of having a test available is to catch any problem before it is a problem right? ;-) Greetings, Bonno Bloksma
[Declude.JunkMail] spam review
Hi,

Is Spam Review still being maintained? I have been able to retrieve an update in the past few months (now using 1.0.48) but there is still a bug in there which I would have expected to be fixed by now.

1) When I have a look at spam the Junk Mail Warnings window only shows the lines starting with X-RBL-Warning:. Ok however, that does not include several other Declude headers. Not a real bug but a minor point, meaning I have to look at all headers (at the end) to see what Declude added.

2) Maybe related to 1) But the Weight at the top of the Junk Mail Warnings window is always empty.

3) Feature request (if possible) I would like to sort on this weight. That way I could pay more attention to the messages barely failing my review weight and merely glance at those almost reaching my delete weight.

4) Feature request (if possible) If 2) is related to 1) maybe it would be possible to have a list of headers to show in the Junk Mail Warnings window. Something like: X-Note: X-Spam-Tests-Failed: where X-RBL-Warning: and/or X-RBL: are included by default.

I have sent a feature request to the author of spam review a long time ago about the Message Body window. Unfortunately I never got an answer but in case someone who knows more about it reads this

5) Feature request (if possible) It would be nice if the Message Body window had a third option, beside Text and HTML, Stripped HTML where all HTML code, and anything that pretends to be so, would be stripped and only the bare text (in the HTML section) would be shown. That way it is a lot easier to see whether something is Spam without activating any hidden features spammers like to use to identify active e-mail accounts. It seems something which can be very quickly added as most code is already there, all that is needed is stripping any stuff right? Or am I missing something?

Greetings, Bonno Bloksma
Re: [Declude.JunkMail] How do I get a copy of all messages that fail a certain test?
Hi,

> > Read the archives. A message cannot be *both* deleted and sent to someone else. A copy to action is just adding an extra recipient to the smtp envelope. As soon as that has been done the delete action will delete it all, including the just modified smtp envelope.
> >
> > If you want a copyto/delete combination, use the routeto action. That will send the message to another e-mail address instead of to the intended recipient.
>
> Routeto doesn't produce any better results than copyto. If the weight of the incoming message exceeds our delete weight then I don't receive a version of the message.

Like I wrote, routeto is to be used instead of *BOTH* the Copyto *and* the delete action. But...

> I'm using the latest interim, with 2 duplicate tests with different actions.

But you have given them different names right?

> The second test uses the routeto (or copyto) action while the first test uses the warn action. I have an independent .junkmail file for the routeto (or copyto) e-mail address with no delete actions in that file.

Ok, no delete action. So that should be the solution. Now have a look at the logfile for messages which meet the criteria. Just put the loglevel at high for a while if you haven't done so already. Debug isn't necessary here (yet). Have a look what happens, what actions is declude taking on those messages?

> For example, a message is sent to [EMAIL PROTECTED] (which uses a .junkmail file that does contain delete actions) and the message fails SPECIALTEST and fails enough other tests to exceed our delete weight. Instead of the copyto or routeto action happening (to a special e-mail address with its own .junkmail file which contains no delete actions) the incoming message gets deleted.

Right, no delete action.

> 1. Things work perfectly if the message fails the SPECIALTEST and the weight of the incoming message is below the delete weight.
>
> 2. I can't remove the delete action for the delete weight, as over 100,000 messages a day exceed the delete weight.

Ahum, so the message gets deleted same problem, same cause. However... there is also an action called COPYFILE (I think). Read the archives as it is maybe in a beta or in one of the latest interims. The copyfile action makes a copy but does *not* (yet) include all the declude headers as the copy gets made before declude adds all its stuff to the message, although that may have changed by now.

> 3. The [EMAIL PROTECTED] address was just an example. Any message to any subscriber could fail the SPECIALTEST and be over the delete weight.
>
> I simply want a copy of every message that fails the SPECIALTEST. Ideas?

I'm not sure about the action name but it's something like that.

Greetings, Bonno Bloksma
Back up my hard drive? How do I put it in reverse?
Re: [Declude.JunkMail] How do I get a copy of all messages that fail a certain test?
Hi,

Read the archives. A message cannot be *both* deleted and sent to someone else. A copy to action is just adding an extra recipient to the smtp envelope. As soon as that has been done the delete action will delete it all, including the just modified smtp envelope.

If you want a copyto/delete combination, use the routeto action. That will send the message to another e-mail address instead of to the intended recipient.

Greetings, Bonno Bloksma

- Original Message -
From: "System Administrator" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, August 13, 2004 3:35 PM
Subject: Re: [Declude.JunkMail] How do I get a copy of all messages that fail a certain test?

> on 8/13/04 9:18 AM, Bud Durland wrote:
>
> > I believe the remedy is to create a second test, of the same type with the same criteria, and make COPYTO the action for that new test
>
> I'm currently doing that. Apparently, the over the delete weight messages get deleted before the copyto takes place.
>
> Greg
Re: [Declude.JunkMail] logfile naming
Hi,

Get the UnixTools for Windows http://unxutils.sourceforge.net/ and use all the Unix commands you've always wanted in a Windows environment. ;-)

Kind regards, Bonno Bloksma

- Original Message -
From: "Roderick A. Anderson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, July 01, 2004 1:10 AM
Subject: Re: [Declude.JunkMail] logfile naming

> > You could use something like:
> > LOGFILE spool\dec2004.log
>
> I was hoping to avoid a kludge like this. Coming from a UNIX background I don't like to manually do tasks that should be automatic (or automagical :-) and easy.
>
> I'm getting pretty good at writing scripts that run from the scheduler and do what has to be done.
>
> Thanks to all for the suggestions..
>
> Rod
>
> --
> Roderick A. Anderson
> Project Manager
> Technology Services Management Group <http://www.technologyservicesmanagementgroup.com/>
> Spokane WA, 99202
[Declude.JunkMail] spf test
Hi,

Per instructions on http://spf.pobox.com/wizard.html I have set up my SPF record. However, this TXT record now has a ~all in it to signify there may be exceptions to the rule, signifying those would be a softfail instead of a hardfail using the -all rule.

Testing this at http://www.dnsstuff.com/pages/spf.htm will generate an error:

Testing '~all' on IP=80.126.46.32, target domain tio.nl, CIDR 32, default=PASS.
ERROR: unrecognized mechanism '~all'. Returning UNKNOWN per section 3.6.

Scott, is there something still missing in Declude? Should I use the current spf TXT record?

Greetings, Bonno Bloksma
Back up my hard drive? How do I put it in reverse?
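The `~all` versus `-all` distinction from the message above, as an added example that is not part of the original post and is not code from Declude or from either web tool: a small SPF term parser that splits the qualifier (`+`, `-`, `~`, `?`) from the mechanism name before looking the name up, next to a lookup that skips that step and therefore rejects `~all`. The record, the addresses (documentation ranges) and all function names are constructed for illustration; only `ip4`, `ip6` and `all` are evaluated so the block runs without DNS.

```python
import ipaddress
import re

# Qualifier prefix -> result returned when the mechanism matches.
# A term without a prefix behaves as if it had "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
MODIFIER = re.compile(r"^[A-Za-z][A-Za-z0-9_.-]*=")  # e.g. redirect=, exp=

# Constructed record, not the one published for the domain in the post.
RECORD = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 ~all"


class SPFSyntaxError(ValueError):
    pass


def naive_is_known(term):
    """Lookup without qualifier handling: '~all' is not a known name."""
    return term.lower() in MECHANISMS


def parse_term(term):
    """Split one term into (result_if_matched, mechanism, argument)."""
    qualifier = "+"
    if term[0] in QUALIFIERS:
        qualifier, term = term[0], term[1:]
    name, arg = term, ""
    for i, ch in enumerate(term):
        if ch == ":":            # mechanism:argument
            name, arg = term[:i], term[i + 1:]
            break
        if ch == "/":            # mechanism/prefix-length, e.g. a/24
            name, arg = term[:i], term[i:]
            break
    name = name.lower()
    if name not in MECHANISMS:
        raise SPFSyntaxError("unrecognized mechanism %r" % name)
    return QUALIFIERS[qualifier], name, arg


def parse_record(txt):
    """Return the mechanisms of a v=spf1 record in evaluation order."""
    parts = txt.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise SPFSyntaxError("not an SPF version 1 record")
    return [parse_term(p) for p in parts[1:] if not MODIFIER.match(p)]


def check_host(record, client_ip):
    """Evaluate left to right; the first matching mechanism decides."""
    ip = ipaddress.ip_address(client_ip)
    for result, mech, arg in parse_record(record):
        if mech == "all":
            return result
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return result
        else:
            raise NotImplementedError("%s needs DNS lookups" % mech)
    return "neutral"  # nothing matched and the record has no 'all'


if __name__ == "__main__":
    for candidate in (RECORD, RECORD.replace("~all", "-all")):
        print(candidate, "->", check_host(candidate, "203.0.113.7"))
```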
[Declude.JunkMail] Sniffer and Declude
Hi,

I want to score sniffer higher in my Declude points but I don't want to score all sniffer results equal. There is an experimental group as well as a grey group which I would like to score at the level I have it now, where I mark the subject. Do I need to define all sniffer external results, or can I have a few lines like:

SNIFFER-GREYMAIL external 060 ...\ID.exe AuthCode 10 0
SNIFFER-EXPERIMENTAL external 062 ...\ID.exe AuthCode 10 0
SNIFFER external nonzero ...\ID.exe AuthCode 15 0

Where the last line catches all other results of the test?

Greetings, Bonno Bloksma
Re: [Declude.JunkMail] Hijack question
Hi,

> > > > Is it possible to get Hijack to run after DJMP? This would help me to better manage my backup mailserver -
> > >
> > > The only way to do that would be if you are also running Declude Virus, you could use the "AVAFTERJM ON" option to force Declude Virus to run after Declude JunkMail, which also forces Declude Hijack to run last (since Declude Hijack always runs after Declude Virus).
> >
> > Wasn't there something about *no virus scanning* if a held e-mail was returned to the queue using this option?
>
> In the past, that was the case. However, Declude Virus will now always run before Declude Hijack, so this is not an issue anymore.

Even though the poster was talking about HiJack, I forgot to mention I was asking about JunkMail. When using this option will a message held by Junkmail and returned to the queue ever be scanned for viruses? I remember reading JM would move it to the hold before VIR could scan it for viruses. When later returning it to the queue it would never be scanned again, nor for JM nor for viruses.

Greetings, Bonno Bloksma
Re: [Declude.JunkMail] Hijack question
Hi,

> > Is it possible to get Hijack to run after DJMP? This would help me to better manage my backup mailserver -
>
> The only way to do that would be if you are also running Declude Virus, you could use the "AVAFTERJM ON" option to force Declude Virus to run after Declude JunkMail, which also forces Declude Hijack to run last (since Declude Hijack always runs after Declude Virus).

Wasn't there something about *no virus scanning* if a held e-mail was returned to the queue using this option?

Greetings, Bonno Bloksma
Back up my hard drive? How do I put it in reverse?
Re: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails
Hi,

We are Dutch, based in the Netherlands and we have a .nl domain name. So it's at least more than just .de domains that get spammed. It looks like these mails are news reports which are sent to various addresses.

Greetings, Bonno Bloksma

- Original Message -
From: Markus Gufler
To: [EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 2:23 PM
Subject: RE: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails

Same here. I've updated and simplified the initially posted filters several times in the last hours. For best results please download the newest filter files from http://www.zcom.it/decludeupdater/polit_filter.zip

I'm interested if this wave of spam mails is a global phenomenon, or if they are able to restrict delivery to recipients of a certain language/country. Any info's?

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bonno Bloksma
Sent: Thursday, June 10, 2004 1:51 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails

Hi,

Spammers are getting smart. This spam did not fail any of the test we have in place using (near) default Declude tests. It scored 0 points.

Greetings, Bonno Bloksma

- Original Message -
From: Markus Gufler
To: [EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 9:15 AM
Subject: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails

Hi all,

Maybe interesting for german/european email admins: Some hours ago someone/something has started to send german messages through the internet containing politic statements. At the first moment it seems very difficult to filter out this type of messages coming from different IPs. But with the following COMBO filters I can see excellent results

POLIT-CONTENT filter C:\IMail\Declude\lists\filter_polit_content.txt x 0 0
# contains different typical body keywords
# in any case 0 points

POLIT-QMAIL filter C:\IMail\Declude\lists\filter_polit_qmail.txt x 0 0
# all this messages contains ".qmail@" in the header (message-id part)
# in any case 0 points

POLIT-UMLAUT filter C:\IMail\Declude\lists\filter_polit_umlaut.txt x 0 0
# All messages doesn't contain any german "umlaut" and special characters (ä, ö, ü, ß)
# in any case 0 points
# should avoid false positives

POLIT-COMBO filter C:\IMail\Declude\lists\filter_polit_COMBO.txt x 0 0
# The logic behind this filter:
# skip if no POLIT-CONTENT body keyword and no POLIT-QMAIL header string was found
# skip if any special german character (POLIT-UMLAUT) was found
# Add 100 points if HELOBOGUS has failed (all this messages has a random generated helo string)

Filter-files can be downloaded from http://www.zcom.it/decludeupdater/polit_filter.zip

Markus
Re: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails
Hi,

Spammers are getting smart. This spam did not fail any of the tests we have in place using (near) default Declude tests. It scored 0 points.

Groetjes,
Bonno Bloksma

- Original Message -
From: Markus Gufler
To: [EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 9:15 AM
Subject: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails

Hi all,

Maybe interesting for German/European email admins: Some hours ago someone/something has started to send German messages through the internet containing political statements. At the first moment it seems very difficult to filter out this type of messages coming from different IPs. But with the following COMBO filters I can see excellent results:

POLIT-CONTENT filter C:\IMail\Declude\lists\filter_polit_content.txt x 0 0
# contains different typical body keywords
# in any case 0 points

POLIT-QMAIL filter C:\IMail\Declude\lists\filter_polit_qmail.txt x 0 0
# all these messages contain ".qmail@" in the header (message-id part)
# in any case 0 points

POLIT-UMLAUT filter C:\IMail\Declude\lists\filter_polit_umlaut.txt x 0 0
# All messages don't contain any German "umlaut" and special characters (ä, ö, ü, ß)
# in any case 0 points
# should avoid false positives

POLIT-COMBO filter C:\IMail\Declude\lists\filter_polit_COMBO.txt x 0 0
# The logic behind this filter:
# skip if no POLIT-CONTENT body keyword and no POLIT-QMAIL header string was found
# skip if any special German character (POLIT-UMLAUT) was found
# Add 100 points if HELOBOGUS has failed (all these messages have a randomly generated helo string)

Filter-files can be downloaded from http://www.zcom.it/decludeupdater/polit_filter.zip

Markus
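The POLIT-COMBO decision described in the thread above, modelled in Python as an added example (this is not the content of Markus's filter files and not Declude filter syntax). The keyword list, the sample messages and the `helo_bogus_failed` parameter are constructed assumptions; the body is decoded before the umlaut check because a quoted-printable "=FC" would otherwise hide an "ü" from a raw text search.

```python
import re
from email import message_from_string, policy

# Constructed stand-ins: the real keywords are in filter_polit_content.txt,
# which the page does not reproduce.
CONTENT_KEYWORDS = ("beispielwort-eins", "beispielwort-zwei")
UMLAUT_RE = re.compile("[äöüÄÖÜß]")


def body_text(msg):
    """Decode every text part (quoted-printable, base64, 8bit) to str."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        try:
            chunks.append(part.get_content())
        except LookupError:  # unknown charset label: fall back to Latin-1
            chunks.append(part.get_payload(decode=True).decode("latin-1"))
    return "\n".join(chunks)


def combo_score(raw_message, helo_bogus_failed):
    """Return (weight, reason) following the POLIT-COMBO rules.

    helo_bogus_failed is an input here (assumption): Declude derives
    HELOBOGUS from the SMTP session, which is not part of the message.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    body = body_text(msg)
    content_hit = any(k in body.lower() for k in CONTENT_KEYWORDS)
    qmail_hit = ".qmail@" in str(msg.get("Message-ID", ""))
    umlaut_hit = bool(UMLAUT_RE.search(body))

    if not content_hit and not qmail_hit:
        return 0, "skip: neither POLIT-CONTENT nor POLIT-QMAIL matched"
    if umlaut_hit:
        return 0, "skip: POLIT-UMLAUT matched (likely genuine German mail)"
    if helo_bogus_failed:
        return 100, "POLIT-COMBO: add 100"
    return 0, "no weight: HELOBOGUS did not fail"


def build(message_id, body, extra_headers=()):
    """Assemble a minimal RFC 822 style message for the samples below."""
    headers = ["From: sender@example.org", f"Message-ID: {message_id}"]
    headers.extend(extra_headers)
    return "\n".join(headers) + "\n\n" + body + "\n"


QP = ("Content-Type: text/plain; charset=iso-8859-1",
      "Content-Transfer-Encoding: quoted-printable")

# Constructed samples: name -> (raw message, did HELOBOGUS fail?)
SAMPLES = {
    "spam_wave": (build("<20040610071500.4711.qmail@mx.example.net>",
                        "Ein Text mit beispielwort-zwei ohne Sonderzeichen"), True),
    "german_newsletter": (build("<news-1@list.example.de>",
                                "Beispielwort-eins: Gr=FC=DFe aus M=FCnchen", QP), True),
    "qmail_legit": (build("<20040610080000.1234.qmail@shop.example.com>",
                          "Ihre Bestellung wurde versandt"), False),
    "unrelated": (build("<abc@example.com>", "Meeting moved to 3pm"), True),
}


def run_samples():
    return {name: combo_score(raw, helo) for name, (raw, helo) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (weight, reason) in run_samples().items():
        print(f"{name:18} {weight:3}  {reason}")
```
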
Re: [Declude.JunkMail] Upgrade Declude
Hi,

[]
> We normally recommend the latest version (either 1.75 (the latest released version) or 1.80 (the latest beta)). But you need to make sure that your
[]

Hmmm, are you ahead of yourself here? I have not seen a message about 1.80 being released, nor do the junkmail and virus manuals list it. Maybe time for a vacation. ;-)

Groetjes,
Bonno Bloksma
Back up my hard drive? How do I put it in reverse?

---
[E-mail scanned at tio.nl for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Piecing together a Partial Vulnerability
Hi,

> > Copy the D*.SMD and Q*.SMD files back to your IMail spool directory. It will be delivered on the next queue run.
>
> As I suspected, this is only half the battle. Now the user has a two part message and Outlook apparently doesn't know what to do with it.

That is strange. Either the action you took with Declude was something other than standard hold, or maybe did you add a footer? If it was just hold, Outlook, and most other mail clients, should be able to put it back together. If you added a footer edit the D* file or the resulting e-mail source on the client side. Remove the footer and have Outlook handle the attachment.

> > You might try SpamReview for an easy way to inspect and delete/requeue messages.
>
> Would it handle this two-part case? Can you give me a pointer?

Spamreview will not modify the e-mail when Declude simply is told to hold it. With spamreview one can look at the held messages, either via text mode or html, and simply requeue or delete them.

http://www.slsoft.com/spamreview.htm

Met vriendelijke groet,
Bonno Bloksma
[Declude.JunkMail] missing log part and funny mail
Hi,

My question is part Declude JM and part IMail but I assumed this would be the best place.

A student gets a funny mail from a user claiming to be [EMAIL PROTECTED]. This e-mail address does not exist. Having a look at the logs it seems this message was created by IMail1.exe so it probably was a user using the webinterface, which covers about 90% of our userbase. :-(

If it was indeed a user using the webinterface, how was that user able to change the "from" address as there is no field for it in the web interface. As we do not log the webinterface usage, I have just changed that, I don't know who was logged in at that time. Which log do I need to enable to find out which user sent this message, will just enabling the log for the webinterface be enough?

The option "Ignore source address in security check" is enabled, should I disable this? Why is that option in IMail at all, is this a common problem?

What is really puzzling is that at the same time there is a gap in the log for Declude JM. The Imail log and the Declude virus log show this message being parsed but the JM part never saw it. Nor did it see several messages after that. There is a gap of almost 2 minutes in the JM log. Anybody any idea what happened, what would cause something like this?

I'm using IMail 8.03 and Declude 1.75
Declude virus LogLevel MID
Declude JM LogLevel LOW

log1127:
20031127 091726 127.0.0.1 SMTP (03CC01FA) finished C:\IMail\spool\Qb314003e011cf42d.SMD status=1
20031127 091728 127.0.0.1 SMTP (03CC01FB) processing C:\IMail\spool\Q31afc5b0770.GSC
20031127 091728 127.0.0.1 SMTP (03CC01FB) ERR tio.nl not local mondeling from <[EMAIL PROTECTED]>
20031127 091728 127.0.0.1 SMTP (03CC01FB) Creating message from Postmaster
20031127 091728 127.0.0.1 SMTP (03D00049) processing C:\IMail\spool\Q03cc01fb06fa.GSE
20031127 091728 127.0.0.1 SMTP (03CC01FB) finished C:\IMail\spool\Q31afc5b0770.GSC status=2
20031127 091728 127.0.0.1 SMTP (03D00049) ldeliver student.tio.nl r.modderman-main (1) 1234
20031127 091728 127.0.0.1 SMTP (03D00049) finished C:\IMail\spool\Q03cc01fb06fa.GSE status=1
20031127 091732 127.0.0.1 SMTP (03CC01FC) processing C:\IMail\spool\Q31b0d3403c8.GSC
[..]
20031127 091914 127.0.0.1 SMTPD (005C00AC) [212.61.73.64] C:\IMail\spool\Db381005c00aca037.SMD 4402
20031127 091916 127.0.0.1 SMTP (03CC0200) processing C:\IMail\spool\Qb381005c00aca037.SMD

vir1127:
11/27/2003 09:17:25 Qb314003e011cf42d Scanned: Virus Free [MIME: 2 1625]
11/27/2003 09:17:27 Q31afc5b0770 Scanned: Virus Free [MIME: 1 246]
11/27/2003 09:17:31 Q31b0d3403c8 Scanned: Virus Free [MIME: 1 235]

dec1127:
11/27/2003 09:17:26 Qb314003e011cf362 L1 Message OK
11/27/2003 09:17:26 Qb314003e011cf362 L2 Message OK
11/27/2003 09:17:26 Qb314003e011cf42d L1 Message OK
11/27/2003 09:17:26 Qb314003e011cf42d L2 Message OK
11/27/2003 09:19:04 Qb376005200fc75dc L1 Message OK
11/27/2003 09:19:10 Qb37b005900ac8608 L1 Message OK
11/27/2003 09:19:16 Qb381005c00aca037 L1 Message OK

Groetjes,
Bonno Bloksma
Back up my hard drive? How do I put it in reverse?
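The comparison made by hand in the post above (queue IDs the virus log recorded but the JunkMail log never saw, and the size of the silent period) can be scripted. This is an added example, not part of the original post or of Declude; the log lines are the vir1127 and dec1127 excerpts quoted above, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Excerpts copied from the post above (vir1127 = Declude Virus, dec1127 = Declude JunkMail).
VIRUS_LOG = """\
11/27/2003 09:17:25 Qb314003e011cf42d Scanned: Virus Free [MIME: 2 1625]
11/27/2003 09:17:27 Q31afc5b0770 Scanned: Virus Free [MIME: 1 246]
11/27/2003 09:17:31 Q31b0d3403c8 Scanned: Virus Free [MIME: 1 235]
"""

JUNKMAIL_LOG = """\
11/27/2003 09:17:26 Qb314003e011cf362 L1 Message OK
11/27/2003 09:17:26 Qb314003e011cf362 L2 Message OK
11/27/2003 09:17:26 Qb314003e011cf42d L1 Message OK
11/27/2003 09:17:26 Qb314003e011cf42d L2 Message OK
11/27/2003 09:19:04 Qb376005200fc75dc L1 Message OK
11/27/2003 09:19:10 Qb37b005900ac8608 L1 Message OK
11/27/2003 09:19:16 Qb381005c00aca037 L1 Message OK
"""

# Both logs start each line with "MM/DD/YYYY HH:MM:SS <queue id> ".
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (Q[0-9a-f]+) ")


def parse(log_text):
    """Return [(timestamp, queue_id)] for every line that matches the format."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
            entries.append((ts, m.group(2)))
    return entries


def unseen_by_junkmail(virus_entries, junkmail_entries):
    """Messages the virus scanner handled that never show up in the JunkMail log."""
    seen = {qid for _, qid in junkmail_entries}
    return [(ts, qid) for ts, qid in virus_entries if qid not in seen]


def largest_gap(entries):
    """Return (gap, start, end) for the longest silence between consecutive entries."""
    times = sorted(ts for ts, _ in entries)
    if len(times) < 2:
        return None
    return max(((b - a, a, b) for a, b in zip(times, times[1:])), key=lambda g: g[0])


def missing_in_gap(virus_entries, junkmail_entries):
    """Unseen queue IDs whose virus-scan time falls inside the longest silence.

    An ID missing from a truncated excerpt proves little by itself; one that
    is missing and also falls inside the silent window is the stronger signal.
    """
    gap = largest_gap(junkmail_entries)
    if gap is None:
        return []
    _, start, end = gap
    return [qid for ts, qid in unseen_by_junkmail(virus_entries, junkmail_entries)
            if start <= ts <= end]


if __name__ == "__main__":
    virus, junk = parse(VIRUS_LOG), parse(JUNKMAIL_LOG)
    gap, start, end = largest_gap(junk)
    print(f"JunkMail log silent for {int(gap.total_seconds())}s "
          f"({start:%H:%M:%S} to {end:%H:%M:%S})")
    for qid in missing_in_gap(virus, junk):
        print("scanned for viruses but never scored:", qid)
```
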
Re: [Declude.JunkMail] MS Customer Assistance SPAM
Hi Kami,

I have looked at it and probably overlooked it. I want to filter certain messages like the "a virus has been removed, see the attached info for more information" with a VirusWarning.txt attachment about which virus was detected in which file etc. I want a filter server wide, or at least domain wide but where do I set this up? Do you use Declude Junkmail for that or is it a feature in IMail?

Met vriendelijke groet,
Bonno Bloksma

- Original Message -
From: "Kami Razvan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, October 09, 2003 2:34 PM
Subject: RE: [Declude.JunkMail] MS Customer Assistance SPAM

> Samantha:
>
> Our experience shows that the ones that are delivered are not infected.
>
> It appears that the server that the email is sent through has detected the virus and has cleaned the attachment and then sent the email.
>
> We have received many emails stating that the email was detected with a virus and disinfected using ...
>
> Every single email that has been delivered and not caught was not infected in our case. We are now filtering it based on content.
>
> Regards,
> Kami
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Bridges, Samantha
> Sent: Thursday, October 09, 2003 8:28 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.JunkMail] MS Customer Assistance SPAM
>
> I know it is not coming from Microsoft. I know it is a virus. What I don't understand is why Declude is not catching it? Or how to stop it if the system is not recognizing it as a virus or spam.
>
> How did you stop it?
>
> Thanks
>
> Samantha
[Declude.JunkMail] bypassing uplink
Hi,

At my ISP I have a few mailboxes that are forwarded to me. Unfortunately this domain (xs4all.nl) is very popular with spammers as xs4all has tried several times legally to have spammers prosecuted. Hurray but :-( because of the spam. They have already installed spam filters so not a lot is coming through but sometimes a spam mail is delivered to me.

Is there a way to filter this? Problem is, it's a very large ISP with a lot of mailservers so it's not just one server I have to skip but probably a whole ISP.

Here are the headers from one mail.

Received: from mxzilla4.xs4all.nl [194.109.6.48] by mailie.tio.nl with ESMTP (SMTPD32-7.07) id A200593005C; Fri, 11 Jul 2003 01:08:48 +0200
Received: from maildrop8.xs4all.nl (maildrop8.xs4all.nl [194.109.127.18]) by mxzilla4.xs4all.nl (8.12.3/8.12.3) with ESMTP id h6AN6WvS071750; Fri, 11 Jul 2003 01:06:32 +0200 (CEST)
Received: from mxzilla1.xs4all.nl (mxzilla1.xs4all.nl [194.109.6.54]) by maildrop8.xs4all.nl (8.12.6/8.12.6) with ESMTP id h6AN6W3s036473; Fri, 11 Jul 2003 01:06:32 +0200 (CEST)
X-XS4ALL-DNSBL-Checked: mxzilla1.xs4all.nl checked 200.160.248.42 against DNS blacklists
X-XS4ALL-Pad: empty
Received: from srv1.cotacao.com.br (www.dolaronline.com.br [200.160.248.42] (may be forged)) by mxzilla1.xs4all.nl (8.12.3/8.12.3) with ESMTP id h6AN6TiK028786; Fri, 11 Jul 2003 01:06:30 +0200 (CEST)
Received: from doramail-com-bk.mr.outblaze.com ([200.160.248.250]) by srv1.cotacao.com.br (8.9.3p2/8.9.3) with SMTP id UAA07478; Thu, 10 Jul 2003 20:13:34 -0300
Message-Id: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
From: "loving touches" <[EMAIL PROTECTED]>
Subject: Women: Experience Rapid & Intense Orgasms During Intercourse
Date: Thu, 10 Jul 2003 19:01:12 -0400
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Declude-Sender: [EMAIL PROTECTED] [194.109.6.48]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: IPNOTINMX [0]
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 355773255
[..]

Met vriendelijke groet,
Bonno Bloksma
Re: [Declude.JunkMail] [Declude.Virus] Updating Declude Junk Mail
Hi,

> To take advantage of the latest tests, you may occasionally want to upgrade your \IMail\Declude\global.cfg file (and possibly the \IMail\Declude\$default$.JunkMail file as well). Now would be a good time, as we recently added several new DNS-based spam tests that should help the weighting system (WEIGHT10/WEIGHT20 tests) catch more spam.

So I would replace my global.cfg file with yours and then add/replace my stuff? Do I need 1.70 for this or can I use 1.65 as there was a small problem in 1.70 for me? Or should I just get 1.70iXX?

Bonno
Re: [Declude.JunkMail] Declude Processes & Server Load
Hi Scott,

> >I see the same (with a very small domain and very light usage). The mail server is nowhere near the strongest, but is sometimes stressed with 1.70 (and was the same with 1.69b) but not 1.65.
>
> My recommendation for those that are experiencing this is to try adding a line "DECODE OFF" to the \IMail\Declude\global.cfg file, and see if this takes care of the problem. There were some base64 and HTML decoding functions added since 1.65, which use more CPU time than most Declude JunkMail functionality. They can be disabled with the "DECODE OFF" line.

Well as you can read in another mail I went back to 1.65 first. This server has been running normally for several hours however I also went back from daisychaining to normal IpSwitch smtp32. If it all runs stable today then tonight I'll enable daisychaining again to make sure attachments via the webinterface get scanned. If all still runs normal on Tuesday (Monday is a holiday over here) then I'll go back to 1.70 and see if the problem returns. If it does I'll enable the DECODE OFF option to see if that solves the problem.

> I'm also going to investigate the changes to the ip4r tests, to see if that may be the root of the problem. It *shouldn't* be, but then again there isn't anything in Declude JunkMail that *should* cause 100% CPU usage. :)

Right, this setup has been rocksolid for two years so if it really has been Declude which was responsible, then that's a first. ;-)

Met vriendelijke groet,
Bonno Bloksma
Re: [Declude.JunkMail] Declude Processes & Server Load
Hi,

After three days where the server would max out at 100% due to a lot of smtp32 processes but.. also where there were not so many smtp32 processes I have now tried to revert back to 1.65, was using 1.70i1. In the past few days I have reset the server several times but it would max out again after a while. A few minutes ago I reverted Declude, reset the server and so far it is behaving normally. I'll keep track today and will let you know what the end result is at the end of the day. If it does not max out at the end of the day then Scott will have some bug hunting to do. ;-)

Met vriendelijke groet,
Bonno Bloksma

- Original Message -
From: "Dan Patnode" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, June 05, 2003 12:19 AM
Subject: Re: [Declude.JunkMail] Declude Processes & Server Load

That's interesting, I upgraded both of the problem servers to 1.70 two days (about 36 hours) before this hit. I'm going to see if I can switch back to 1.69iX to see if there is a difference.

Dan

On Wednesday, June 4, 2003 14:50, Frederick Samarelli <[EMAIL PROTECTED]> wrote:
>I have noticed that using the v1.65 I never see Declude use more than 45% CPU.
>
>Using 1.70 Beta I see Declude Max the CPU's 100%
>
>Has anyone else seen the same.
>
>Fred
>
>- Original Message -
>From: "R. Scott Perry" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Wednesday, June 04, 2003 4:36 PM
>Subject: Re: [Declude.JunkMail] Declude Processes & Server Load
>
>> >Assuming we're all talking about the same thing, Declude continues to run as a process waiting for replies from IP4r requests but does not consume much CPU time while doing so.
>>
>> That is correct. It should use very, very little CPU time while waiting for the results to come back.
>>
>> >Does pulling out IP4r tests during an episode show an immediate decline in CPU use?
>>
>> It shouldn't cause a noticeable decline in CPU use -- I can't explain Kami's results.
>>
>> >Does anyone know how the people hosting the IP4r tests feel about us slamming them with queries?
>>
>> You're not. Specifically, they will see the same number of queries whether you are running IMail v8's anti-spam, Declude JunkMail's, or some other anti-spam solution.
>>
>> The reason for this is that your local DNS server will cache the results.
>>
>> >Suppose I'm cruising along with 20,000 queries a day, then jump to 500,000 over a few weeks, surely that makes an impression somewhere? Is there a point were we should ask about doing more?
>>
>> There are some spam databases that request that heavy users (typically 100,000+ E-mails/day) do zone transfers (downloading the DNS data a couple times a day).
>>
>> However, if 80% of the lookups are cached, you're talking about 20,000 queries hitting the spam database for every 100,000 E-mails. The root DNS servers are able to handle up to tens of thousands of queries every second; DNS is very efficient.
>>
>> -Scott
Re: [Declude.JunkMail] question on spammer
Hi,

> >I am a brand new user of Junk Mail and have a question.
> >I have received a lot of spam from this sender in the past day:
[..]
> Are you positive that it isn't related to an opt-in list from promotiondaily.com that you may have subscribed to? Those IPs are listed in INTERSIL and XBL, but aren't listed in some of the major spam databases such as SPAMCOP (which means that people receiving the E-mail typically aren't complaining about it).

If it possibly is an opt-in list but I or my users are not interested I usually send a mail to the postmaster of the sending domain asking them to delete all e-mail addresses belonging to our domain from their mailing lists. I'm not giving away any information as
a) They already know our domain exists and
b) The mail is just coming from the postmaster address which anybody "knows" will exist.

Sometimes I get an answer that they removed said addresses, sometimes e-mail stops coming. If they do keep on coming I will start reporting them as spam.

Groetjes,
Bonno Bloksma
Back up my hard drive? How do I put it in reverse?
Re: [Declude.JunkMail] Comments
Hi Scott! Yes you, no not him, the other one. ;-),

If I understood you wrong at first then please read the last line.

> Now that we have the Comments tag, I now find spam with tons of these peppered throughout:
>
> Standard HTML stuff I think.
> Not really comments, as they are functional, but they're put randomly throughout the email. Functional, but pointless. Any ideas?

The whole idea behind the Comments tag was to flag e-mail that has been made unique by inserting lots of comments which usually are identical in one e-mail but different in between mails. That way they don't get caught by pattern recognizers, however, Declude would catch them by simply counting the number of comments, which *should* not be too high.

Let's leave the rest of the stuff alone, in my opinion it would only burden Declude with stuff it is not supposed to handle anyway. What would you do with those mails that change the color, delete them, put them on hold?

Or.. do you think these color statements are used in the same way the comment tags are being used, with several tags after one another and the last having the correct color?

Met vriendelijke groet,
Bonno Bloksma
Re: [Declude.JunkMail] [Declude.Virus] Mozilla email client
Hi Scott,

I read about this Bayesian filtering/scanning at some other forum as well. Is this something that Declude Junkmail does right now or will do in the (near) future? Would be nice if it were a feature of the scanner on the server instead of changing all mail client software? ;-)

Groetjes,
Bonno Bloksma
Back up my hard drive? How do I put it in reverse?

- Original Message -
From: "Leonard Jacobs" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, January 23, 2003 6:40 PM
Subject: [Declude.Virus] Mozilla email client

> Has anyone experimented with the new Mozilla 1.3 alpha email client that does Bayesian filtering? http://www.mozilla.org/mailnews/spam.html
> Please let us know your experiences.
>
> Thanks.
>
> ===
>
> Leonard Jacobs
> Shambhala Publications
> 300 Massachusetts Avenue
> Boston, MA 02115
> http://www.shambhala.com
> (617) 424-6277, ext. 235 voice
> (617) 236-1563 fax
Re: [Declude.JunkMail] An optional web interface for Declude JunkMail?
Hi,

> >That's already there -- the configuration files are plain text files, and can be accessed with ASP, PHP, proprietary interface, etc. :)
> >
> >I'm not sure if the advantages of an API (not having to deal with the text files directly) would outweigh the disadvantages (less flexibility).
> >-Scott
>
> Maybe a simple answer to this problem would be a separate exe (decutil.exe(?)) that you could call via the command line (or perl/php/etc/etc) to edit the config files. Something that worked along the lines of:
> decutil.exe [mail_account][action][data], or for example
> decutil.exe [EMAIL PROTECTED] whitelist [EMAIL PROTECTED]

Although *we* would probably not get the added option for manipulating the spam control, this would let us integrate it in our system quite easily. We are a school (post highschool and bachelors university) and have all our student info in a MS SQL database. However we decided to use the IMail database for all the e-mail box info so we use the commandline tool to create / change / delete new e-mail boxes. A similar tool would let us manipulate the spam control.

However, as a school I would simply enforce the spam control and too bad some legitimate mail gets caught. I will have a look at those mails once or twice a week and forward them if they seem legit. For THAT I would like a simple to use tool, either a small web interface or a gui tool to quickly look at those mails and hit a forward or a delete key.

Groetjes,
Bonno Bloksma
Back up my hard drive? How do I put it in reverse?
Re: Re[2]: [Declude.JunkMail] An optional web interface for Declude JunkMail?
Hi,

> > Many people, including me, have asked IpSwitch to do something like this. Also because declude does NOT get called when e-mail is entered using the web interface.
>
> I have Declude scanning all mail using an undocumented technique. I will post it, if you promise not to ask Scott directly (seriously).

Please pretty please. I have had one virus infection on our PCs already because one test was distributed by e-mail to all teachers containing a virus. It took me a while it was not caught by Declude because the e-mail was entered via the web interface and not via a normal mail client. :-(

I am very glad I have insisted in installing a virusscanner on all clients even though the mailserver and most other servers are already protected. Nothing should have come through but..

> > IpSwitch will simply not include this because it would cost them in their virus version sales. :-(
>
> I believe it was actually a simple oversight on their part in IMAIL1 that hurts them as well, and I have faith that they will fix it the next time they work on that module. :)

Let's hope so. Simply having Declude scan all mail for viruses, and pretty soon probably for spam as well, is simplicity itself and is pretty much an "install and forget" issue. Only once in a while do I check the logs and see that Declude is still doing its work. :-)

Groetjes,
Bonno Bloksma
Back up my hard drive? How do I put it in reverse?
Re: [Declude.JunkMail] An optional web interface for Declude JunkMail?
Hi,

> Say the word and I'm sure that we'll be more than happy to start campaigning Ipswitch to do it! :)

Many people, including me, have asked IpSwitch to do something like this. Also because declude does NOT get called when e-mail is entered using the web interface. IpSwitch will simply not include this because it would cost them in their virus version sales. :-(

So unless we actually pay for those 20 lines I don't think we'll get it unless.. everybody refuses to upgrade until they DO put those few lines in. That's my policy so far. There is no sense for me in upgrading until they add features I WANT and not features IpSwitch thinks I need.

Groetjes,
Bonno Bloksma
Back up my hard drive? How do I put it in reverse?

> > -Original Message-
> >
> > >Is there any hook into the iMail web interface/server?
> >
> > No.
> >
> > With about 10-20 lines of code, IMail could do it, but they don't seem to think there is a need. :(
> >
> > If they had, we likely would have had a web interface within a week or so after they added the interface (yes, it would be very easy if they had a web interface).
> > -Scott
Re: [Declude.JunkMail] IP4R Tests Not Happening AfterRe-Install
Hi,

> >The DNS servers appear to be working fine. NSLOOKUP from a DOS prompt on the mail server to either of the DNS servers specified in IMail's SMTP service settings answers all of my queries, authoritative and recursive. Is there another test I might perform?

There is one problem that I have seen only on my private Windows 2000 Pro machine so far but.. after a while a nslookup hostname will correctly give me the ip number but... any program trying to use the hostname will get a "host not found" from the resolver. Somehow this problem had been on my machine for a long time and only resetting it seems to help.

So if a nslookup works, see if a ping or something else that does a hostname lookup through the resolver still works.

Groetjes,
Bonno Bloksma