RE: [Declude.JunkMail] SURBL issue

2004-09-08 Thread Darrell LaRock
Scott,

What version of the script are you using?  I just checked mine and it is
giving me the same thing on both of my servers.  I have surbl_filter.cmd
version 1.1

Tue 09/07/2004  1:23a Update successful [976 entries]
Tue 09/07/2004  1:53a Update failed [conversion error]

Darrell

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Tuesday, September 07, 2004 5:46 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] SURBL issue

It's working ok here just tried 2 minutes ago:
Tue 09/07/2004  4:41p Update successful [983 entries]

If it was a one time only thing, maybe you caught a bad download or there
was something bad in the zone.

A conversion error implies something wrong here:
rem --- Convert line breaks from LF to CRLF (or exit if conversion failed): ---
if exist todos.exe todos surbl.rbldns.tmp
rem findstr's $ anchor only matches just before a CR, so a hit means CRLF line ends are present
for /f "tokens=*" %%c in ('findstr /r "$" surbl.rbldns.tmp') do set v_result=ok
if not "%v_result%"=="ok" (set v_result=conversion error) & (goto :s_end)


Scott Fisher
Director of IT
Farm Progress Companies

 [EMAIL PROTECTED] 09/07/04 04:35PM 
My surbl setup has been running fine up till 1:00 am this morning
 
my setup is:
 
SURBL   filter   d:\IMail\Declude\surbl\surbl.txt  x  20 0
 
In the log file I now get:
 
Tue 09/07/2004  5:15p Update failed [conversion error]
 
Nothing has changed in my setup and the log file has successful entries for
a very long time until now
 
Anyone have any ideas?
 
thank you
 

Harry Vanderzand 
inTown Internet  Computer Services 
11 Belmont Ave. W.
Kitchener, ON
N2M 1L2
519-741-1222
Did you know we offer: 
- Province wide dial-up and high speed internet access 
- Web accessible email with anti-spam\antivirus protection
- Computer hardware sales and service
- Experienced website developers 




---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.



RE: [Declude.JunkMail] SURBL issue

2004-09-08 Thread Darrell LaRock
OK, after some digging I found this

--09:46:15--  http://www.surbl.org/sc.surbl.org.rbldns
   = `surbl.rbldns.tmp'
Resolving www.surbl.org... done.
Connecting to www.surbl.org[66.170.2.60]:80... connected.
HTTP request sent, awaiting response... 404 Not Found
09:46:15 ERROR 404: Not Found.

After checking the SURBL site I found this under the news section
*.rbldns - going away when no traffic, use *.rbldnsd instead

In the script find the line 
set v_url=http://www.surbl.org/sc.surbl.org.rbldns

and change it to 
set v_url=http://www.surbl.org/sc.surbl.org.rbldnsd

It now works again.

Darrell



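In the exchange above, an HTTP 404 from the retired .rbldns URL reached the log only as "conversion error". The following is an added example (Python, not part of surbl_filter.cmd or any poster's code) of a pre-install check that reports the real cause and refuses to replace the live list with an empty, HTML or badly shrunken download; the thresholds, the entry-counting rule and the sample zone are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

MIN_ENTRIES = 100   # assumed floor; the good runs in the thread logged ~980 entries
MAX_SHRINK = 0.5    # assumed: reject a list under half the size of the previous one


@dataclass
class UpdateResult:
    ok: bool
    log: str                # text in the style of the script's log lines
    data: Optional[bytes]   # CRLF-normalised payload when ok, otherwise None


def count_entries(text: str) -> int:
    """Count data lines; blanks, '#' comments and '$' / ':' control lines are skipped (assumed rule)."""
    count = 0
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#$:":
            count += 1
    return count


def to_crlf(raw: bytes) -> bytes:
    """Convert LF to CRLF without doubling line ends that are already CRLF."""
    return raw.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")


def validate_update(status: int, body: bytes, previous_entries: int = 0) -> UpdateResult:
    """Decide whether a downloaded list may replace the live copy, and say why not."""
    if status != 200:
        return UpdateResult(False, f"Update failed [HTTP {status}]", None)
    if not body.strip():
        return UpdateResult(False, "Update failed [empty download]", None)
    try:
        text = body.decode("ascii")
    except UnicodeDecodeError:
        return UpdateResult(False, "Update failed [non-ASCII data]", None)
    if text.lstrip().lower().startswith(("<!doctype", "<html")):
        return UpdateResult(False, "Update failed [HTML instead of zone data]", None)
    entries = count_entries(text)
    if entries < MIN_ENTRIES:
        return UpdateResult(False, f"Update failed [only {entries} entries]", None)
    if previous_entries and entries < previous_entries * MAX_SHRINK:
        return UpdateResult(
            False, f"Update failed [shrank {previous_entries} -> {entries}]", None
        )
    return UpdateResult(True, f"Update successful [{entries} entries]", to_crlf(body))


def make_sample(n: int) -> bytes:
    """Constructed sample zone with n entries (not real SURBL data)."""
    head = (
        b"# constructed sample zone\n"
        b"$SOA 600 ns.example. admin.example. 0 600 300 86400 300\n"
        b":127.0.0.2:Blocked\n"
    )
    return head + b"".join(b"spam%d.example\n" % i for i in range(n))


if __name__ == "__main__":
    print(validate_update(404, b"<html>404 Not Found</html>").log)
    print(validate_update(200, make_sample(976)).log)
    print(validate_update(200, make_sample(200), previous_entries=976).log)
```

Only a result with ok set should be written over the existing filter file; on any failure the previous list stays in place and the log line names the cause.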

RE: [Declude.JunkMail] DUL skipping was ISBLANK is blank

2004-05-17 Thread Darrell LaRock
Matt,

But if you rename the tests to DYN
then how are you configuring non-DUL tests twice?

Darrell

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Saturday, May 15, 2004 6:42 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] DUL skipping was ISBLANK is blank

Andy,

I think there might be some confusion here. If you change the test names
and use the %IP4R%/dnsbl trick, it will always test the first hop regardless of
what the Mail From is, unless of course you are whitelisting the sender.

You don't have to remove the tests, you just have to rename them. I
renamed mine with DYN, that way Declude doesn't see them as matching
DUL/DYNA/DUHL and therefore will not skip them when the Mail From matches a
local address.

The only drawback that I have found with this work around is when you try
configuring non-DUL tests twice, once only for the first hop, and once for all
hops, in which case the work around will cause some extra lookups, but that's
minor, and I'm only aware of a few people besides myself that are doing this.
Nothing else appears to be a problem in any way whatsoever.

Matt



Andy Schmidt wrote:

Then, in either cases, scanning the first hop is a simple matter of
changing the test name to eliminate the reserved string of DUL, DYNA or DUHL
and using the hack which Matt found.

NO - removing DUL/DYNA/DUHL is NOT an option. Because MUCH of the private
emails originate from some address that is on that list - but only on the
FIRST hop. Thus, the DUL/DYNA/DUHL skip tests on the FIRST hop! They
can't be omitted - otherwise we'd block most private mail relayed
through other providers SMTP servers.

Best Regards
Andy Schmidt

Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Don Brown
Sent: Saturday, May 15, 2004 04:19 PM
To: Matt
Cc: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] DUL skipping was ISBLANK is blank

This wasn't a bug or a larger issue of Declude trust based upon the 'from
Address.' There was no choice but to skip DUL/DYNA/DUHL tests (which were
the only ones skipped) when the 'from address' was spoofed as a local
address. Imail 8 and WHITELIST AUTH help, but they don't solve this issue,
either.

Imail 8 can still be configured where the Client is NOT required to Auth in
order to send. One example of that is 'Relay for Addresses.'

So, if we have IPs on a DUL/DYNA/DUHL list, are using anything but 'No Mail
Relay' in Imail 8 and we run a DYNA/DUL/DUHL test on the first hop, we will
definitely tag our own customers.

So, the way I see it, running DYNA/DUL/DUHL tests on the first hop of ALL
mail, is only safe for those folks who: (1) are sure that none of their IP
addresses are on any DYNA/DUL/DUHL list (and will never be on
one) -OR- (2) run Imail 8, have it configured for 'No Mail Relay' and have
WHITELIST AUTH specified in the Declude's Global.cfg. Then, in either cases,
scanning the first hop is a simple matter of changing the test name to
eliminate the reserved string of DUL, DYNA or DUHL and using the hack which
Matt found.

For instance:

Change this: NJABL-DUL ip4r dnsbl.njabl.org 127.0.0.3 10 0
To this: NJABL-HOP1 dnsbl %IP4R%.dnsbl.njabl.org 127.0.0.3 10 0

I don't think a switch in Declude is really needed.

Thanks,

Saturday, May 15, 2004, 10:01:11 AM, Matt [EMAIL PROTECTED] wrote:

M Andy,

M It's only been a matter of months since a realistic work around was
M available for most users (using WHITELIST AUTH). To the best of my
M knowledge, I'm the only one of us that has said anything about it on
M this list (first time in March, but of course I could be wrong). Like
M I indicated though, there is a way to fix the problem using the dnsbl
M trick, and it works immediately. I would however like to see a switch
M given also, but this seems more like a convenience if you use
M DUL/DYNA/DUHL the way that they were meant to be used in the first
M place (which I was not), but still, it only means some extra lookups.

M Matt

M Andy Schmidt wrote:

M Thanks - ouch.

M I'd say that's a bug in design.

M Since AUTH is supported in Imail 8 and since others may not allow
M local users to send through their Imail server (my outbound is going
M through IIS SMTP with SMTP AUTH), there should be AT LEAST a config
M option to turn this spam me by faking sender feature off!

M Best Regards
M Andy Schmidt

M Phone: +1 201 934-3414 x20 (Business)
M Fax: +1 201 934-9206

M -Original Message-
M From: [EMAIL PROTECTED]:Declude.JunkMail-owner@declude.com]
M On Behalf Of Matt
M Sent: Saturday, May 15, 2004 01:49 AM
M To: [EMAIL PROTECTED]
M Subject: Re: [Declude.JunkMail] DUL skipping was ISBLANK is blank

M In absentia...

M http://www.mail-archive.com/[EMAIL PROTECTED]/msg17162.html

M This made a lot of sense before, and it was the only way to disable
M DUL tests for local users prior to IMail 8 and JunkMail ~1.76.
M Declude won't disable the tests for gatewayed domains, only where an
M address matches

[Declude.JunkMail] Hotmail Sending Mail From IP's with No Reverse DNS

2004-04-22 Thread Darrell LaRock
Has anyone else noticed over the last day or so that some of the hotmail
messages are coming from servers without revdns..  This is a snag cause they
are failing both revdns and spamdomains..  Any thoughts?

Received: from hotmail.com [207.68.164.107] by mail2.gannett-tv.com with
ESMTP
  (SMTPD32-8.05) id A6657F0180; Wed, 21 Apr 2004 18:32:05 -0400
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
 Wed, 21 Apr 2004 15:30:14 -0700
Received: from 134.84.102.157 by sea2-dav3.sea2.hotmail.com with DAV;
Wed, 21 Apr 2004 22:30:14 +
X-Originating-IP: [134.84.102.157]
X-Originating-Email: [EMAIL PROTECTED]
X-Sender: [EMAIL PROTECTED]
From: x [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [POTENTIAL SPAM]Assignment Desk
Date: Wed, 21 Apr 2004 17:27:30 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary==_NextPart_000_0009_01C427C5.ECC21740
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1409
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
Message-ID: [EMAIL PROTECTED]
X-OriginalArrivalTime: 21 Apr 2004 22:30:14.0967 (UTC)
FILETIME=[377B2C70:01C427F0]
X-RBL-Warning: SPAMDOMAINS: Spamdomain 'hotmail.com' found: Address of
[EMAIL PROTECTED] sent from invalid [No Reverse DNS]. [2-10-5000]
X-RBL-Warning: NOPOSTMASTER: Not supporting [EMAIL PROTECTED] [2-48-18000]
X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 207.68.164.107
with no reverse DNS entry. [2-53-1a800]
X-Declude-Sender: [EMAIL PROTECTED] [207.68.164.107]
X-Declude-Spoolname: Df665007f01804541.SMD
X-Declude-Sender: [EMAIL PROTECTED] [12.25.87.100]
X-Declude-Spoolname: Df66c3910081cb3c8.SMD
X-Spam-Tests-Failed: Whitelisted
X-Spam-Weight: 0
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 377609636




[Declude.JunkMail] SPAMCOP

2004-04-01 Thread Darrell LaRock
I noticed that several RBL's have not been triggered off one of our backup
mail servers over the last 24 hours.  For example SPAMCOP hasn't.  I turned
on DEBUG mode and noticed that it was reporting this

04/01/2004 10:56:53.296 Q3bbb215802381bda Test #18 [ORDB] is same as Test
#18 [ORDB=*]. Answer=root.loopback.?
04/01/2004 10:56:53.296 Q3bbb215802381bda Test #19 [SPAMCOP] is same as Test
#19 [SPAMCOP=127.0.0.2]. Answer=root.loopback.?
04/01/2004 10:56:53.296 Q3bbb215802381bda Test #20 [DSBL] is same as Test
#20 [DSBL=*]. Answer=root.loopback.?

Is this a normal answer?
Darrell



RE: [Declude.JunkMail] SPAMCOP

2004-04-01 Thread Darrell LaRock
Scott,

It's ATT's DNS servers.  I wonder if they are doing something to block
those kinds of lookup's.

Darrell

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Thursday, April 01, 2004 11:02 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] SPAMCOP


I noticed that several RBL's have not been triggered off one of our backup
mail servers over the last 24 hours.  For example SPAMCOP hasn't.  I turned
on DEBUG mode and noticed that it was reporting this

04/01/2004 10:56:53.296 Q3bbb215802381bda Test #18 [ORDB] is same as Test
#18 [ORDB=*]. Answer=root.loopback.?
04/01/2004 10:56:53.296 Q3bbb215802381bda Test #19 [SPAMCOP] is same as
Test
#19 [SPAMCOP=127.0.0.2]. Answer=root.loopback.?
04/01/2004 10:56:53.296 Q3bbb215802381bda Test #20 [DSBL] is same as Test
#20 [DSBL=*]. Answer=root.loopback.?

Is this a normal answer?

No, that is not a normal answer -- the Answer=root.loopback.? indicates 
that the DNS server is responding, but reporting an answer of 
root.loopback which isn't correct.  It sounds like your DNS server is 
having problems.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.


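Two points from the threads above, the %IP4R% first-hop lookup from the DUL discussion and the Answer=root.loopback diagnosis in this one, combined in an added example (Python, not Declude code and not written by any poster): it builds the reversed-octet query name, classifies each DNSBL answer, and flags the resolver when every test returns something outside 127.0.0.0/8. The resolver interface, the .example zones and the sample answers are assumptions constructed for illustration; only dnsbl.njabl.org and the result codes come from the messages.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Assumed interface: resolver(name) returns the A-record strings, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[List[str]]]

DNSBL_CODES = ipaddress.IPv4Network("127.0.0.0/8")  # valid DNSBL result codes live here


def ip4r(ip: str) -> str:
    """Reverse the octets of an IPv4 address, the form a DNSBL query name starts with."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split(".")))


def classify(answers: Optional[List[str]], expected: str = "*") -> str:
    """Return 'listed', 'clean' or 'bogus' for one DNSBL response."""
    if not answers:
        return "clean"  # NXDOMAIN or empty answer: the address is not listed
    codes = []
    for answer in answers:
        try:
            addr = ipaddress.IPv4Address(answer)
        except ValueError:
            return "bogus"  # a hostname such as root.loopback is not a result code
        if addr not in DNSBL_CODES:
            return "bogus"  # wildcarded or rewritten answer from the resolver
        codes.append(str(addr))
    if expected == "*" or expected in codes:
        return "listed"
    return "clean"  # listed under a code this particular test does not score


def run_tests(ip: str, tests: Dict[str, Tuple[str, str]], resolver: Resolver) -> Dict[str, str]:
    """Query every configured zone for ip and classify each answer."""
    return {
        name: classify(resolver(f"{ip4r(ip)}.{zone}"), expected)
        for name, (zone, expected) in tests.items()
    }


def resolver_suspect(results: Dict[str, str]) -> bool:
    """All tests bogus at the same time points at the DNS server, not at the lists."""
    return bool(results) and all(state == "bogus" for state in results.values())


# Test table: NJABL-HOP1 is the renamed test from the thread; the other zones are placeholders.
TESTS = {
    "SPAMCOP": ("spamcop.example", "127.0.0.2"),
    "NJABL-HOP1": ("dnsbl.njabl.org", "127.0.0.3"),
    "DSBL": ("dsbl.example", "*"),
}

# Constructed answers for 192.0.2.10 (documentation address) from a healthy resolver.
_HEALTHY = {
    "10.2.0.192.spamcop.example": ["127.0.0.2"],
    "10.2.0.192.dnsbl.njabl.org": ["127.0.0.9"],  # listed, but not under 127.0.0.3
}


def healthy_resolver(name: str) -> Optional[List[str]]:
    return _HEALTHY.get(name)


def broken_resolver(name: str) -> Optional[List[str]]:
    """Mimics the debug log in the thread: the same junk answer for every lookup."""
    return ["root.loopback"]


if __name__ == "__main__":
    for label, resolver in (("healthy", healthy_resolver), ("broken", broken_resolver)):
        results = run_tests("192.0.2.10", TESTS, resolver)
        print(label, results, "resolver suspect:", resolver_suspect(results))
```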

RE: [Declude.JunkMail] Atriks - Pt.2

2004-01-06 Thread Darrell LaRock
How aggressive is SBL compared to SPEWS?  I know with SPEWS they list a lot
of adjacent net blocks of the spammers...  Does SBL employ the same tactics?

Darrell

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble
Sent: Tuesday, January 06, 2004 6:59 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Atriks - Pt.2

Forgive me for repeating myself on this one, but I'm a proponent of 
blocking outright on SBL.  There's a good reason for spammers to be in 
their list, and it's not some community project where anyone and 
everyone makes nominations, so it's practically flawless.

Another trick for Green Horse is the following lines in a custom filter 
somewhere:

# Green Horse Corporation (SBL12495)
BODY 28 CONTAINS /img/c.0/
BODY 28 CONTAINS /img/o.0/
BODY 28 CONTAINS /img/v.0/

This is just in case they break out into new address space.  28 is my 
delete weight plus Declude's negative weight tests (because they tend to 
get added in after custom filters and I use SKIPIFWEIGHT functionality).

Matt


Fritz Squib wrote:

Amazing, I knew that I saw a lot more spam coming from individual cable/dsl
modems, but I had no idea...

http://www.spamhaus.org/SBL/sbl.lasso?query=SBL12495

http://groups.google.com/groups?scoring=dq=atriks.com+group:*abuse*

Fritz

Frederick P. Squib, Jr.
Network Operations/Mail Administrator
Citizens Telephone Company of Kecksburg
http://www.wpa.net

()  ascii ribbon campaign - against html mail 
/\- against microsoft attachments

  





Re: [Declude.JunkMail] OT: DNS Issue (HELP)

2003-12-20 Thread Darrell LaRock
Matt,

I think you are right.  My guess is that for some reason they dropped the domain out 
of the root servers for a period of time and the major isps grabbed the worldnic 
servers as being authoritative.

Not much we can do, other than wait...

Darrell
-- Original Message --
From: Matthew Bramble [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Sat, 20 Dec 2003 00:02:14 -0500

Darrell,

It looks like your name server records were maybe munged for a period of 
time from a root update that is now fixed.  Those munged records though 
are being cached and they should get a good copy once they expire.  This 
might explain why all of us seem to be able to resolve your domain, 
being that we aren't likely to have it cached being smaller providers, 
however the larger providers seem to have bad records for it because 
they hit your domain while the data was bad.  Just guessing of course.

If you have some local ISP's which are likely to have cached an earlier 
copy of the records, try querying their servers to see what it returns.  
I suspect that they will have a bad copy also, at least for a short 
period of time.  I don't believe there is anything you can do about this 
if I am correct.

Matt



Darrell LaRock wrote:

Scott,

On the DNSSTUFF, I used the cached ISP report looking at the NS record.  What does 
it mean when an ISP has the name server set to ns92.worldnic.com?  Does this mean at 
one time when the domain was looked up it was not resolved from the root servers?

ATT Worldnet #1  NS=ns1.infi.net. [TTL=1d 9h 38m 50s]  NS=ns2.infi.net. [TTL=1d 9h 38m 50s]
ATT Worldnet #2  NS=ns1.infi.net. [TTL=1d 4h 18m 50s]  NS=ns2.infi.net. [TTL=1d 4h 18m 50s]
ATT Worldnet #1  NS=ns1.infi.net. [TTL=1d 2h 53m 53s]  NS=ns2.infi.net. [TTL=1d 2h 53m 53s]
ATT Worldnet #2  NS=ns91.worldnic.com. [TTL=10h 45m 11s]  NS=ns92.worldnic.com. [TTL=10h 45m 11s]

Taking wild stabs in the dark :)
Darrell

-- Original Message --
From: R. Scott Perry [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Fri, 19 Dec 2003 22:56:28 -0500

  

However, something is seriously wrong as the major ISP's can't resolve it 
(Earthlink, Charter, Some AOL Users, Road Runner).  This occurred right 
after the whois info was updated to the new authoritative servers.
  

That's probably the problem.

Once the first .com parent server gets the new NS records, it takes up to 
about 6 hours for all the other .com parent servers to get updated, and 
another 48 hours before TTL values expire on DNS servers throughout the 
world.  Earthlink, Charter, and some other larger ISPs almost certainly 
have the old values cached, which will take up to 48 hours to expire after 
the change.  During that time, they will be using the old NS records.

   -Scott






[Declude.JunkMail] OT: DNS Issue (HELP)

2003-12-19 Thread Darrell LaRock
This is off topic, but I need some help in a bad way to figure out a DNS problem I am 
having that is preventing one of our sites from receiving mail and their web site from 
loading.

We recently (this week) switched the name servers from our current provider to another 
provider.   The zone files are duplicate between providers.

However, something is seriously wrong as the major ISP's can't resolve it (Earthlink, 
Charter, Some AOL Users, Road Runner).  This occurred right after the whois info was 
updated to the new authoritative servers.

Now the crazy thing is I can resolve the site using the auth. servers, but not off one 
of Earthlink's or charters.  

The site is wltx.com.

Can you resolve it?

How can I verify that the site did not fall out of the root servers? Anyone else have 
any input?

Darrell


Re: [Declude.JunkMail] OT: DNS Issue (HELP)

2003-12-19 Thread Darrell LaRock
I am absolutely baffled.

Earthlink Dial-up - Does not work
Charter Cable Connection - Does not work
ATT T1 using local bind server - Works
Roadrunner Cable - Does not work
AOL - Intermittent.
Several users who replied - Works

Darrell


-- Original Message --
From: Scott Winberg [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Fri, 19 Dec 2003 19:13:55 -0700

Hello Darrell,

Working from here. Denver, CO area.


Scott

Friday, December 19, 2003, 6:59:06 PM, you wrote:

Darrell This is off topic, but I need some help in a bad way to figure out a DNS 
problem I am having that is preventing one of our sites from receiving mail and their 
web site from loading.

Darrell We recently (this week) switched the name servers from our current provider 
to another provider.   The zone files are duplicate between providers.

Darrell However, something is seriously wrong as the major ISP's can't resolve it 
(Earthlink, Charter, Some AOL Users, Road Runner).  This occurred right after the 
whois info was updated to the new
Darrell authoritative servers.

Darrell Now the crazy thing is I can resolve the site using the auth. servers, but 
not off one of Earthlink's or charters.  

Darrell The site is wltx.com.

Darrell Can you resolve it?

Darrell How can I verify that the site did not fall out of the root servers? Anyone 
else have any input?

Darrell Darrell



-- 

 Scott  mailto:[EMAIL PROTECTED]



RE: [Declude.JunkMail] OT: DNS Issue (HELP)

2003-12-19 Thread Darrell LaRock
Andrew,

One question that I have is the TTL stuff shouldn't matter since the zone files that 
were moved over are the same.  All we are doing is switching DNS providers right now.

Darrell

-- Original Message --
From: Colbeck, Andrew [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Fri, 19 Dec 2003 18:45:00 -0800

I'd say that the domain is fine at its new home; the question is what was
the TTL on the domain before it was moved?

I would go very little out on a limb and say that the folks with trouble to
wltx.com were caching the DNS for longer than the TTL on the domain, or it
was really high before the change, and they're respecting that.

If you didn't already know it, this site, courtesy of declude.com, is a
wonderful resource:

http://www.dnsreport.com/

Andrew 8)

-Original Message-
From: Darrell LaRock [mailto:[EMAIL PROTECTED] 
Sent: Friday, December 19, 2003 5:59 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] OT: DNS Issue (HELP)


This is off topic, but I need some help in a bad way to figure out a DNS
problem I am having that is preventing one of our sites from receiving mail
and their web site from loading.

We recently (this week) switched the name servers from our current provider
to another provider.   The zone files are duplicate between providers.

However, something is seriously wrong as the major ISP's can't resolve it
(Earthlink, Charter, Some AOL Users, Road Runner).  This occurred right after
the whois info was updated to the new authoritative servers.

Now the crazy thing is I can resolve the site using the auth. servers, but
not off one of Earthlink's or charters.  

The site is wltx.com.

Can you resolve it?

How can I verify that the site did not fall out of the root servers? Anyone
else have any input?

Darrell


Re: [Declude.JunkMail] OT: DNS Issue (HELP)

2003-12-19 Thread Darrell LaRock
Scott,

We duplicated the zone files between both providers.  So all records are identical.  
If the zone files are the same then all of the timeouts should not matter.

Check this out
1.) Do a direct query against ns1.loudcloud.com for wltx.com - Returns 66.54.32.202.

2.) Do a direct query against ns1.infi.net for wltx.com - Returns 66.54.32.202.

3.) Do a direct query against ns1.mindspring.net or ns2. or ns3 and the query will in 
general 9 out of 10 times timeout.  We can also duplicate this behavior on Charter and 
Road Runner.

I can't even come up with a possible explanation...  The zone files are the same

Thanks
Darrell


-- Original Message --
From: R. Scott Perry [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Fri, 19 Dec 2003 22:56:28 -0500


However, something is seriously wrong as the major ISP's can't resolve it 
(Earthlink, Charter, Some AOL Users, Road Runner).  This occurred right 
after the whois info was updated to the new authoritative servers.

That's probably the problem.

Once the first .com parent server gets the new NS records, it takes up to 
about 6 hours for all the other .com parent servers to get updated, and 
another 48 hours before TTL values expire on DNS servers throughout the 
world.  Earthlink, Charter, and some other larger ISPs almost certainly 
have the old values cached, which will take up to 48 hours to expire after 
the change.  During that time, they will be using the old NS records.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.



Re: [Declude.JunkMail] OT: DNS Issue (HELP)

2003-12-19 Thread Darrell LaRock
Scott,

On the DNSSTUFF, I used the cached ISP report looking at the NS record.  What does it 
mean when an ISP has the name server set to ns92.worldnic.com?  Does this mean at one 
time when the domain was looked up it was not resolved from the root servers?

ATT Worldnet #1  NS=ns1.infi.net. [TTL=1d 9h 38m 50s]  NS=ns2.infi.net. [TTL=1d 9h 38m 50s]
ATT Worldnet #2  NS=ns1.infi.net. [TTL=1d 4h 18m 50s]  NS=ns2.infi.net. [TTL=1d 4h 18m 50s]
ATT Worldnet #1  NS=ns1.infi.net. [TTL=1d 2h 53m 53s]  NS=ns2.infi.net. [TTL=1d 2h 53m 53s]
ATT Worldnet #2  NS=ns91.worldnic.com. [TTL=10h 45m 11s]  NS=ns92.worldnic.com. [TTL=10h 45m 11s]

Taking wild stabs in the dark :)
Darrell

-- Original Message --
From: R. Scott Perry [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Fri, 19 Dec 2003 22:56:28 -0500


However, something is seriously wrong as the major ISP's can't resolve it 
(Earthlink, Charter, Some AOL Users, Road Runner).  This occurred right 
after the whois info was updated to the new authoritative servers.

That's probably the problem.

Once the first .com parent server gets the new NS records, it takes up to 
about 6 hours for all the other .com parent servers to get updated, and 
another 48 hours before TTL values expire on DNS servers throughout the 
world.  Earthlink, Charter, and some other larger ISPs almost certainly 
have the old values cached, which will take up to 48 hours to expire after 
the change.  During that time, they will be using the old NS records.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.



RE: [Declude.JunkMail] November 2003 Spam Statistics

2003-12-05 Thread Darrell LaRock

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, December 05, 2003 2:18 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] November 2003 Spam Statistics

snip
our gateway now handles all incoming mail and there is no spam coming into
our mail servers to test. The new test platforms will allow us to move some
domains 
/snip

So are you saying your product when used as a gateway is 100% effective at
removing spam?  Nothing slips through

Darrell



[Declude.JunkMail] Filter Entry Not Being Triggered

2003-11-10 Thread Darrell LaRock
BODY5   CONTAINS href=#104;#116;#116;#112;

Should there be any reason why the above filter entry wouldn't be triggered
on an email that contains that string in the html source?

What am I doing wrong?

Darrell



[Declude.JunkMail] Filter question On Short Keywords

2003-10-16 Thread Darrell LaRock
We make extensive use of filters based on keywords.  With short keywords
like S_e_x we sometimes run into problems with keyword being triggered
based on base64 encoding of an attachment.

Example:
10/13/2003 00:00:36 Q236256fe026ef9a4 Triggered CONTAINS filter WORDFILTER
on sex [weight-2; SExQlAnjsABzk

My Questions:
1.) Is it possible to have a test created that detects attachments?
2.) Is there some kind of general text that is inserted into the headers or
body that indicates that an attachment is present?

Thanks
Darrell



[Declude.JunkMail] SPAM DOMAINS

2003-10-16 Thread Darrell LaRock
We have a listing in our spam domains file 
mac.com apple.com

this line seems to be tripping off on the following
X-RBL-Warning: SPAMDOMAINS: Spamdomain 'mac.com' found: Address of
[EMAIL PROTECTED] sent from invalid [No Reverse DNS].

How do I prevent the mac.com spam domain entry from picking up on for
example freediemac.com?

Thanks
Darrell




[Declude.JunkMail] Filters And Attachments

2003-10-14 Thread Darrell LaRock


Darrell LaRock
Systems Analyst
Gannett Television
716-849-2272
How do most folks deal with word filters being triggered on attachments?
See below for an example.

10/13/2003 00:00:36 Q236256fe026ef9a4 Triggered CONTAINS filter WORDFILTER
on sex [weight-2; SExQlAnjsABzk

Is there something that is put in the body of a message that indicates there
is an attachment so that potentially reverse weight can be applied?

Darrell
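
The false positive in this post and in the 2003-10-16 "Filter question On Short Keywords" post, as an added example that is not part of the original messages and not Declude code: a raw substring scan hits the keyword inside a base64 attachment, while a MIME-aware scan decodes text parts first and skips attachments. The sample messages, addresses and function names are constructed for illustration; only the base64 fragment comes from the log line above.

```python
import base64
from email import message_from_string
from email.message import EmailMessage

KEYWORDS = ["sex"]  # the short keyword from the log line quoted in the post


def build_sample(text, attachment=None, text_cte="7bit"):
    """Build a constructed test message (sample data, not real mail)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content(text, cte=text_cte)
    if attachment is not None:
        msg.add_attachment(attachment, maintype="application",
                           subtype="octet-stream", filename="photo.bin")
    return msg.as_string()


def naive_body_hits(raw, keywords=KEYWORDS):
    """Substring match over the raw body, base64 attachment lines included."""
    body = raw.split("\n\n", 1)[1].lower()
    return [kw for kw in keywords if kw.lower() in body]


def has_attachment(raw):
    """True when any MIME part is marked as an attachment or carries a filename."""
    return any(
        part.get_content_disposition() == "attachment" or part.get_filename()
        for part in message_from_string(raw).walk()
    )


def mime_aware_hits(raw, keywords=KEYWORDS):
    """Match keywords only in decoded text parts; skip attachments and binaries."""
    hits = []
    for part in message_from_string(raw).walk():
        if part.is_multipart() or part.get_content_maintype() != "text":
            continue
        if part.get_content_disposition() == "attachment":
            continue
        # decode=True undoes base64 / quoted-printable before matching, so an
        # encoded text body is still inspected in its readable form.
        payload = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "utf-8"
        try:
            text = payload.decode(charset, errors="replace")
        except LookupError:  # unknown charset label in the message
            text = payload.decode("utf-8", errors="replace")
        text = text.lower()
        hits += [(kw, part.get_content_type())
                 for kw in keywords if kw.lower() in text]
    return hits


# "SExQlAnjsABz" is the start of the base64 fragment shown in the log line.
ATTACHMENT_BYTES = base64.b64decode("SExQlAnjsABz")
# Constructed sample 1: harmless text plus a binary attachment.
SAMPLE_ATTACHMENT = build_sample("Photos from the weekend are attached.",
                                 ATTACHMENT_BYTES)
# Constructed sample 2: keyword hidden in a base64-encoded text body.
SAMPLE_ENCODED_TEXT = build_sample("sex pills here", text_cte="base64")

if __name__ == "__main__":
    for name, raw in [("attachment", SAMPLE_ATTACHMENT),
                      ("encoded text", SAMPLE_ENCODED_TEXT)]:
        print(name, "| naive:", naive_body_hits(raw),
              "| mime-aware:", mime_aware_hits(raw),
              "| attachment:", has_attachment(raw))
```

The same decode-first step that removes the attachment false positive also catches a keyword in a base64-encoded text body, which the raw scan misses.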



[Declude.JunkMail] Starting Declude to Force a Queue Run

2003-08-20 Thread Darrell LaRock
Scott,

I have a backup mail server that is a bit under-speed of our primary mail
server. Right now the backup mail server is being pounded with SoBig which
has forced the box to 100% cpu and the queue is growing slowly.

I am going to stop the smtp service in imail on this backup server while I
swap a faster server into its place. How can I manually force declude to
start processing the messages in the overflow directory once I stop the
smtp service..

Darrell

-Original Message-
From: Keith Johnson [mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson
Sent: Wednesday, August 20, 2003 10:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Alligate

John,

We have it as a Declude only test

Keith

-Original Message-
From: John Tolmachoff (Lists) [mailto:[EMAIL PROTECTED]
Sent: Wed 8/20/2003 1:05 AM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [Declude.JunkMail] Alligate

Do you mean as a Declude ONLY test?

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of Keith Johnson
 Sent: Tuesday, August 19, 2003 7:18 PM
 To: [EMAIL PROTECTED]
 Subject: [Declude.JunkMail] Alligate

 Does anyone have any configs they are willing to share that they are using
 in production for Alligate with Declude? Thanks for the aid.

 Keith


RE: [Declude.JunkMail] Starting Declude to Force a Queue Run

2003-08-20 Thread Darrell LaRock
Scott,

I am going to stop the smtp service so no mail will be coming in.
Essentially, at that point I need to clear out that overflow queue..

Darrell


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Wednesday, August 20, 2003 2:40 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Starting Declude to Force a Queue Run


I have a backup mail server that is a bit under-speed of our primary mail 
server.  Right now the backup mail server is being pounded with SoBig 
which has forced the box to 100% cpu and the queue is growing slowly.



I am going to stop the smtp service in imail on this backup server while I 
swap a faster server into its place.  How can I manually force declude to 
start processing the messages in the overflow directory once I stop the 
smtp service..

Declude will automatically start processing E-mails from the overflow 
directory as soon as the next E-mail arrives.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.



RE: [Declude.JunkMail] Redux: Test Like SPAMDOMAINS But Subtracts Points Instead of Adding

2003-08-05 Thread Darrell LaRock
We use the following...

REVDNS  -10 ENDSWITH .thisdomain.com

Darrell

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
Sent: Tuesday, August 05, 2003 4:16 PM
To: Declude JunkMail
Subject: [Declude.JunkMail] Redux: Test Like SPAMDOMAINS But Subtracts
Points Instead of Adding

Hello, All,
I had posted this message a couple of weeks ago and didn't hear anything so
I thought I'd give it another shot.

Is there anyway that the SPAMDOMAINS test can be setup so that if a message
passes the SPAMDOMAINS test then points are subtracted from the total
weight?  I think of this as the opposite of points being added to the
total weight if a message fails the SPAMDOMAINS test but my thinking might
be wrong.

Thanks In Advance,
Dan Geiser [EMAIL PROTECTED]

- Original Message - 
From: Dan Geiser [EMAIL PROTECTED]
To: Declude JunkMail [EMAIL PROTECTED]
Sent: Tuesday, July 22, 2003 7:41 PM
Subject: [Declude.JunkMail] Test Like SPAMDOMAINS But Subtracts Points
Instead of Adding


 Hello, All,
 I don't know if this would require a separate test or of there is some way
 you can twist SPAMDOMAINS to have the desired result...

 But as SPAMDOMAINS can be configured to add points on to the weight of a
 message if the message fails the test I would also like to be able to have
a
 test which subtracts points from the total weight if the Reverse DNS of
the
 IP address matches the Sender's domain name.  Does that make sense?  If
so,
 does anyone know how to implement this?

 Thanks In Advance,
 Dan Geiser [EMAIL PROTECTED]

 


[Declude.JunkMail] dlanalyzer reporting system

2003-08-01 Thread Darrell LaRock
There has been an overwhelming request for this, much more than I have
anticipated.

I am setting up a webpage for this.  I have to get the documentation
together, because there are a lot of options that need to be documented so
that you will actually be able to use.

I am hoping I will have everything together before the weekend's over.

Darrell

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Terry Parks
Sent: Friday, August 01, 2003 12:30 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Report System

It's become blatantly apparent that there is a VERY STRONG NEED for an
application such as this. Are the Declude people listening?

Terry

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of i360 Support
Sent: Friday, August 01, 2003 9:14 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Report System

Please add me too.

Would like to see it.

Thanks
Heimir


- Original Message -
From: James James [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, August 01, 2003 10:53 AM
Subject: Re: [Declude.JunkMail] Report System


 I hate filling the list with another of these, but I would like a copy too.
 This sounds like the utility I've always wanted but could never find.

 Thanks
 James James
 Help Desk/Systems Administration
 Lile International

 - Original Message -
 From: Dave Jordan [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Friday, August 01, 2003 8:44 AM
 Subject: Re: [Declude.JunkMail] Report System


  Hey, Don't leave me out!  It looks like it's just what the Dr. ordered.
 
  Dave Jordan
 
  - Original Message -
  From: GlobalWeb.net Webmaster [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Sent: Friday, August 01, 2003 11:23 AM
  Subject: RE: [Declude.JunkMail] Report System
 
 
   Add me to the list too - a donation will be in order...
  
  
   Sincerely,
  
   Randy Armbrecht
   Global Web SolutionsR, Inc.
   804-346-5300 ext. 1
   877-800-GLOBAL (4562) ext. 1
   http://globalweb.net
  
  
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of Shayne Embry
   Sent: Friday, August 01, 2003 11:07 AM
   To: [EMAIL PROTECTED]
   Subject: RE: [Declude.JunkMail] Report System
  
  
   Darrel,
  
   Maybe you should start charging for it. As long as you're not...please
   include me. (Actually, I'd consider a donation if it works as well as
   you claim.)
  
   Thanks,
   Shayne Embry
   [EMAIL PROTECTED]
  
  
  
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Glenn
Brooks
Sent: Friday, August 01, 2003 9:48 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Report System
   
   
add me, also
   
At 12:17 PM 8/1/2003 +0200, you wrote:
Hi Darrel,

Please add me to your list, I'd love to try it out

Best regards
Lachezar
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of VanTech.Net
Sent: Thursday, July 31, 2003 11:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Report System


Darrel,

I would be interested in trying it out.  I like Delog, but I
would like
to have some format options such as .html.

Thank you,
Aaron Caviglia
[EMAIL PROTECTED]


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Darrell LaRock
Sent: Thursday, July 31, 2003 2:06 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Report System


Terry,

I used delog for awhile, but I needed several other features
that did
not come with delog.  So I developed an application that had
all of the
features that I needed.  Below is a sample report that I
generated(tab
format).  The reports can be in tab, csv, or html format and
you have
the ability to email them as well.

There are many other things that dlanalyzer can report on.
You can get
reports on domains, users, tests, and different reporting
periods.  The
combinations are endless.

Right now I am finishing up database support and a few other
miscellaneous features I wanted to add in..

If you would like to try it out let me know and I will make it
available..

Darrell


Start Time: 6/1/2003 12:00:00 AM
End Time: 6/2/2003 12:00:00 AM
Total Messages: 25935
Messages That Failed: 18252
Spam Percentage: 70.38%

TEST                # FAILED  Percentage
BADHEADERS          3735      14.40%
BASE64              1203      4.64%
BLACKLIST           1325      5.11%
COMMENTS            668       2.58%
DECREASEIPWGHT      40        0.15%
DECREASEWEIGHT      557       2.15%
DECREASEWEIGHTLOW   313

RE: [Declude.JunkMail] Report System

2003-07-31 Thread Darrell LaRock
Terry,

I used delog for awhile, but I needed several other features that did not
come with delog.  So I developed an application that had all of the features
that I needed.  Below is a sample report that I generated (tab format).  The
reports can be in tab, csv, or html format and you have the ability to email
them as well.

There are many other things that dlanalyzer can report on.  You can get
reports on domains, users, tests, and different reporting periods.  The
combinations are endless.

Right now I am finishing up database support and a few other miscellaneous
features I wanted to add in..

If you would like to try it out let me know and I will make it available..

Darrell


Start Time: 6/1/2003 12:00:00 AM
End Time: 6/2/2003 12:00:00 AM
Total Messages: 25935
Messages That Failed: 18252
Spam Percentage: 70.38%

TEST                # FAILED  Percentage
BADHEADERS          3735      14.40%
BASE64              1203      4.64%
BLACKLIST           1325      5.11%
COMMENTS            668       2.58%
DECREASEIPWGHT      40        0.15%
DECREASEWEIGHT      557       2.15%
DECREASEWEIGHTLOW   313       1.21%
DSBL                3807      14.68%
DSN                 1215      4.68%
EASYNET-DNSBL       7418      28.60%
FXBLACKLIST         2574      9.92%
HELOBOGUS           4776      18.42%
HEUR10              2899      11.18%
IPBLACKLIST         5         0.02%
MAILFROM            385       1.48%
NJABL               408       1.57%
NOABUSE             3341      12.88%
NONENGLISH          214       0.83%
NOPOSTMASTER        4020      15.50%
OLDEMPLOYEE         29        0.11%
ORDB                261       1.01%
OSDUL               113       0.44%
OSLIST              2         0.01%
OSRELAY             343       1.32%
OSSOFT              3265      12.59%
OSSRC               3308      12.75%
POSTMASTER          12        0.05%
REVDNS              4231      16.31%
ROUTING             1487      5.73%
SNIFFER             3285      12.67%
SNIFFERAV           12        0.05%
SNIFFERCASINO       159       0.61%
SNIFFERDEBT         815       3.14%
SNIFFEREXP          269       1.04%
SNIFFERGETRICH      630       2.43%
SNIFFERGREY         421       1.62%
SNIFFERINK          196       0.76%
SNIFFERINSURAN      58        0.22%
SNIFFEROBFUS        350       1.35%
SNIFFERPHARM        1727      6.66%
SNIFFERPORN         1630      6.28%
SNIFFERSCAM         1         0.00%
SNIFFERSPAMWAR      127       0.49%
SNIFFERTHEFT        138       0.53%
SNIFFERTRAVEL       438       1.69%
SPAMCOP             4172      16.09%
SPAMHEADERS         4160      16.04%
WEIGHT10            10482     40.42%
WEIGHT5             769       2.97%
WORDFILTER          7826      30.18%

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Terry Parks
Sent: Thursday, July 31, 2003 2:26 PM
To: Declude. JunkMail
Subject: [Declude.JunkMail] Report System

While it's quiet I'd like to know which system is best at reporting status
of the email system in terms of most messages sent from/delivered to
address, etc. I need a good summary reporting system that will email me
these results. I've tried delog but the email feature doesn't work.

Terry




[Declude.JunkMail] Kodak picture CD and Spam Domains

2003-06-23 Thread Darrell LaRock
I have been seeing a lot of mail failing the spam domains test with kodak's
picture cd.  It allows users to use their own email address when sending
pictures, but it comes from Kodak's servers.

Is there any other way around this?  Right now I setup a filter to subtract
the spam domains weight if picturecd.kodak.com is found in the headers.

Also, not to mention their mail fails the BADHEADERS test for a bogus time
zone.

Darrell

 **COPY OF THE MESSAGES HEADERS - THESE ARE IMPORTANT FOR US TO SEE IF 
 YOU FEEL THIS MESSAGE IS IN ERROR**
 Received: from picturecd2.kodak.com [192.232.121.246] by
mail1.gannett-tv.com with ESMTP
   (SMTPD32-7.15) id AE6BDC3601D6; Mon, 23 Jun 2003 00:13:31 -0400
 Received: from picturecd.kodak.com
(dialup-67.31.149.71.Dial1.Denver1.Level3.net [67.31.149.71])
 by picturecd2.kodak.com (8.11.6/8.11.6) with SMTP id h5N3gPU02484
 for [EMAIL PROTECTED]; Sun, 22 Jun 2003 23:42:25 -0400 (EDT)
 Message-Id: [EMAIL PROTECTED]
 From: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: clouds 2nd try
 Date: 22 Jun 2003 21:42:44 Mountain Standard Time
 Content_Description:
 Content_Description:
 Content_Description:
 MIME-Version: 1.0
 Content-Type: multipart/mixed; boundary=3_boundary



RE: [Declude.JunkMail] Kodak picture CD and Spam Domains

2003-06-23 Thread Darrell LaRock
Kami,

Great idea!!!  This is much better than using contains on the header (since header 
forging is easy).

Darrell

-- Original Message --
From: Kami Razvan [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Mon, 23 Jun 2003 18:15:06 -0400

Hi;

Do you know what the REVDNS is?  We are finding good results for adding
negative weight to domains that are like this.  We simply have a negative
REVDNS list.

REVDNS  -20  CONTAINS  .yahoo.com
REVDNS  -20  CONTAINS  .aol.com

The above are two entries in our list.

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darrell LaRock
Sent: Monday, June 23, 2003 5:55 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Kodak picture CD and Spam Domains


I have been seeing a lot of mail failing the spam domains test with kodak's
picture cd.  It allows users to use their own email address when sending
pictures, but it comes from Kodak's servers.

Is there any other way around this?  Right now I setup a filter to subtract
the spam domains weight if picturecd.kodak.com is found in the headers.

Also, not to mention their mail fails the BADHEADERS test for a bogus time
zone.

Darrell

 **COPY OF THE MESSAGES HEADERS - THESE ARE IMPORTANT FOR US TO SEE IF
 YOU FEEL THIS MESSAGE IS IN ERROR**
 Received: from picturecd2.kodak.com [192.232.121.246] by
mail1.gannett-tv.com with ESMTP
   (SMTPD32-7.15) id AE6BDC3601D6; Mon, 23 Jun 2003 00:13:31 -0400
 Received: from picturecd.kodak.com
(dialup-67.31.149.71.Dial1.Denver1.Level3.net [67.31.149.71])
 by picturecd2.kodak.com (8.11.6/8.11.6) with SMTP id h5N3gPU02484
 for [EMAIL PROTECTED]; Sun, 22 Jun 2003 23:42:25 -0400 (EDT)
 Message-Id: [EMAIL PROTECTED]
 From: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: clouds 2nd try
 Date: 22 Jun 2003 21:42:44 Mountain Standard Time
 Content_Description:
 Content_Description:
 Content_Description:
 MIME-Version: 1.0
 Content-Type: multipart/mixed; boundary=3_boundary
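
The domain-matching question raised by the REVDNS entries in this thread (CONTAINS .yahoo.com), by the earlier REVDNS ENDSWITH .thisdomain.com entry, and by the 'mac.com' SPAMDOMAINS entry matching freediemac.com, as an added example that is not part of the original messages and not Declude code: it compares plain string operators with matching on DNS label boundaries. The hostnames, the "EXAMPLE" rule and all function names are constructed for illustration, and only the four-field line shape shown on this page is parsed.

```python
# Two rule lines are quoted from this page; the third is a constructed stand-in
# for the behaviour reported for the 'mac.com' entry (hypothetical test name).
RULES = [
    "REVDNS  -20  CONTAINS  .yahoo.com",
    "REVDNS  -10 ENDSWITH .thisdomain.com",
    "EXAMPLE  5  ENDSWITH  mac.com",
]

# Constructed hostnames, chosen to exercise each rule.
HOSTNAMES = [
    "mx1.mail.yahoo.com",
    "mail.yahoo.com.example.net",   # ".yahoo.com" appears mid-name, other zone
    "host.thisdomain.com",
    "notthisdomain.com",
    "freediemac.com",
    "smtp.mac.com",
]


def normalize(name):
    """Lower-case a hostname and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")


def parse_rule(line):
    """Parse the four-field shape quoted on this page: TEST WEIGHT OP VALUE."""
    test, weight, op, value = line.split()
    return {"test": test, "weight": int(weight),
            "op": op.upper(), "value": value.lower()}


def string_match(host, op, value):
    """Plain string comparison, as the operator names suggest."""
    host = normalize(host)
    if op == "CONTAINS":
        return value in host
    if op == "ENDSWITH":
        return host.endswith(value)
    raise ValueError("unsupported operator: " + op)


def label_match(host, value):
    """True only if host is the domain itself or a subdomain of it."""
    host = normalize(host)
    domain = normalize(value).lstrip(".")
    return host == domain or host.endswith("." + domain)


def over_matches(rule_lines, hostnames):
    """List (op, value, host) where the string operator matches a name that is
    not inside the listed domain."""
    found = []
    for line in rule_lines:
        rule = parse_rule(line)
        for host in hostnames:
            if (string_match(host, rule["op"], rule["value"])
                    and not label_match(host, rule["value"])):
                found.append((rule["op"], rule["value"], host))
    return found


def total_weight(host, rule_lines, strict=False):
    """Sum the weights of matching rules; strict=True uses label boundaries."""
    total = 0
    for line in rule_lines:
        rule = parse_rule(line)
        if strict:
            hit = label_match(host, rule["value"])
        else:
            hit = string_match(host, rule["op"], rule["value"])
        if hit:
            total += rule["weight"]
    return total


if __name__ == "__main__":
    for op, value, host in over_matches(RULES, HOSTNAMES):
        print(op, value, "also matches", host)
```

ENDSWITH with a leading dot in the value behaves like the label-boundary check for subdomains, which is why the .thisdomain.com rule produces no over-match here.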



RE: [Declude.JunkMail] From File Filter Not Being Triggered With Messages That Have Many Recipients

2003-06-12 Thread Darrell LaRock
Scott,

I will attempt to reproduce the original problem with the large amount of
recipients with debug on.  

However, while going through the logs with debug on, I noticed other
fromfilters not triggering with valid addresses.  In this case there is a
reverseweightlow fromfilter that has the @aol.com address in the file.
The sender is from @aol.com but there was no match from the filter.

Here is a snippet of the log in the attached text file.

Darrell


Darrell LaRock
Systems Analyst
Gannett Television
716-849-2272


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Wednesday, June 11, 2003 2:58 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] From File Filter Not Being Triggered With
Messages That Have Many Recipients


I have a from filter that contains email addresses.  When this filter is
triggered it will routeto another email address.

When I test this with one recipient it works.  However, I am having an
issue
when mail that comes in that has many recipients (30+) the email addresses
from the filter is not being detected.

I am using version 1.70 of declude.  Scott I am emailing directly to you
snippets of the log and config files for a gander.

Would there be any chance of trying to reproduce this with the debug mode 
on (LOGLEVEL DEBUG in the \IMail\Declude\global.cfg file temporarily)?

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.



filterlog.zip
Description: Zip compressed data


RE: [Declude.JunkMail] From File Filter Not Being Triggered With Messages That Have Many Recipients

2003-06-12 Thread Darrell LaRock
The config files were sent to your [EMAIL PROTECTED] account.

Darrell




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Thursday, June 12, 2003 9:28 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] From File Filter Not Being Triggered With
Messages That Have Many Recipients


However, while going through the logs with debug on, I noticed other
fromfilters not triggering with valid addresses.  In this case there is a
reverseweightlow fromfilter that has the @aol.com address in the file.
The sender is from @aol.com but there was no match from the filter.

Isn't that the same user and same test that was having the problem before 
(when there were lots of recipients)?

Could you E-mail me your \IMail\Declude\global.cfg file and the file used 
with the reverseweightlow test, so I can try to reproduce the problem here?

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.



RE: [Declude.JunkMail] From File Filter Not Being Triggered With Messages That Have Many Recipients

2003-06-12 Thread Darrell LaRock
Scott,

Looks like it fixed it.

Darrell

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Thursday, June 12, 2003 10:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] From File Filter Not Being Triggered With
Messages That Have Many Recipients


The config files were sent to your [EMAIL PROTECTED] account.

Wow, this was a tricky one.

It turns out that there was a problem where the first line of a fromfile 
blacklist might not work properly if multiple fromfile blacklists were used.

There is an interim release v1.70i11 at 
http://www.declude.com/release/170i/declude.exe that fixes this issue.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.



RE: [Declude.JunkMail] whitelist and mult rcpt

2003-05-30 Thread Darrell LaRock
Karen,

This is something that I brought up on the list awhile back with how to
avoid this.  As we were getting hammered with spam getting to the end user
cause they were tagging the whitelisted postmaster account to it.

We do not whitelist the postmaster account, instead you setup a filter
test that contains an allrecips for the postmaster's email address and
assign this test a really high negative value to prevent the message from
being bounced.  Then you set the action up for the test as a routeto back
to the postmaster's account.

What this does is the following

[1] Allows all messages regardless of how many spam tests they fail to
always be routed to the postmaster
[2] If the message contains a user account other than the postmaster the
mail will be delivered to the user if the message is under your spam
threshold and if it is over your spam threshold whatever action you have
specified will then be enacted on that message.

Darrell

Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Karen Oland
Sent: Thursday, May 29, 2003 12:57 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] whitelist and mult rcpt

We've been getting a lot of spam in the last week or so that bypasses all
our spam filters -- they are all copied to the postmaster@ account for our
domain.  Apparently, they are taking advantage of the common practice of
whitelisting the postmaster and the inability of spam filtering programs to
separate actions on messages sent to multiple users.  No doubt, it won't be
long before most messages do the same, rendering both your postmaster
account and spam filters useless.

I know it has been asked for before and said to be impossible (programmer
speak, for don't want to do it -- I know, being one), but PLEASE consider
creating multiple copies of messages that arrive for multiple recipients, so
that the spam filters can operate (yes, this means some complications, but a
little trickery could reduce problems -- for example, only making a copy for
the recipient(s) that are whitelisted).



[Declude.JunkMail] IPNOTINMX

2003-04-02 Thread Darrell LaRock
Why didn't negative weight get added for this piece of mail I received
from the IPNOTINMX Test?

Global.cfg
IPNOTINMX   ipnotinmx   x   x   0   -3

Default.junkmail file
IPNOTINMX   IGNORE


DNS Lookup
 set q=mx
 netaff.com.
Server:  wgrz-lclci01.us.ad.gannett.com
Address:  10.4.41.134

netaff.com  MX preference = 20, mail exchanger = mail.crosspoint.com
netaff.com  MX preference = 10, mail exchanger = mail.netaff.com
netaff.com  nameserver = ns2.crosspoint.com
netaff.com  nameserver = ns1.crosspoint.com
mail.netaff.com internet address = 63.136.220.30
mail.crosspoint.com internet address = 63.136.220.20
ns1.crosspoint.com  internet address = 63.136.220.20
ns2.crosspoint.com  internet address = 63.136.220.30

Received: from mail.netaff.com [63.136.220.30] by mail1.gannett-tv.com
with ESMTP
  (SMTPD32-7.12) id AE102A4F0086; Mon, 31 Mar 2003 18:24:00 -0500
Received: by mail.netaff.com
with MailBeamer v3.32 ;
Mon, 31 Mar 2003 16:23:58 -0700
From: Tammy Kehe [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Subject: FW: Wildfire practice
Date: Mon, 31 Mar 2003 16:23:00 -0700
X-Mailer: MailBeamer v3.32
Message-ID: [EMAIL PROTECTED]
X-Priority: 3
Mime-Version: 1.0
Content-Type: multipart/mixed;
boundary=_NextPart_0_vIFomJIuuVmGbDWQZXMDQyuCaiU

Dce102a4f0086c057.SMD

03/31/2003 18:24:33 Qce102a4f0086c057 Msg failed BASE64 (A binary
encoded text or HTML section was found in this E-mail.). Action=WARN.
03/31/2003 18:24:33 Qce102a4f0086c057 Msg failed SNIFFER (Message failed
SNIFFER: 63.). Action=WARN.
03/31/2003 18:24:33 Qce102a4f0086c057 Msg failed WEIGHT10 (Weight of 13
reaches or exceeds the limit of 10.). Action=BOUNCE.
03/31/2003 18:24:33 Qce102a4f0086c057 Subject: FW: Wildfire practice
03/31/2003 18:24:33 Qce102a4f0086c057 From: [EMAIL PROTECTED] To:
[EMAIL PROTECTED]  IP: 63.136.220.30 ID:





RE: [Declude.JunkMail] IPNOTINMX

2003-04-02 Thread Darrell LaRock
Are you sure about that?

03/31/2003 18:24:22 Qce246c0a00a00dbb WORDFILTER:4 nIPNOTINMX:-3 .
Total weight = 1
03/31/2003 18:24:22 Qce246c0a00a00dbb L1 Message OK

It seems to get triggered for other pieces of mail.

Darrell


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Patrick
Childers
Sent: Wednesday, April 02, 2003 9:26 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] IPNOTINMX

 Why didn't negative weight get added for this piece of mail I 
 received from the IPNOTINMX Test.
 
 Global.cfg
 IPNOTINMX   ipnotinmx   x   x   0   -3
 
 Default.junkmail file
 IPNOTINMX IGNORE


Because you set the action to IGNORE. Change it to WARN and it should
work. :)
~Patrick



RE: [Declude.JunkMail] IPNOTINMX

2003-04-02 Thread Darrell LaRock
Scott,

My expected behavior would be that this piece of mail *SHOULD* have had
-3 subtracted from it.  This is the behavior that I am shooting for.

Now you asked
So, I would need to ask, why do you think that the weight of 3 was not
subtracted from the total weight of the E-mail?

The log files for Declude show that it wasn't subtracted

03/31/2003 18:24:33 Qce102a4f0086c057 BASE64:5 SNIFFER:8 .  Total weight
= 13
03/31/2003 18:24:33 Qce102a4f0086c057 Msg failed BASE64 (A binary
encoded text or HTML section was found in this E-mail.). Action=WARN.
03/31/2003 18:24:33 Qce102a4f0086c057 Msg failed SNIFFER (Message failed
SNIFFER: 63.). Action=COPYTO.
03/31/2003 18:24:33 Qce102a4f0086c057 Msg failed WEIGHT10 (Weight of 13
reaches or exceeds the limit of 10.). Action=BOUNCE.
03/31/2003 18:24:33 Qce102a4f0086c057 Subject: FW: Wildfire practice
03/31/2003 18:24:33 Qce102a4f0086c057 From: [EMAIL PROTECTED] To:
[EMAIL PROTECTED]  IP: 63.136.220.30 ID:

Am I missing something?

Darrell


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Wednesday, April 02, 2003 9:56 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] IPNOTINMX


Why didn't negative weight get added for this piece of mail I received
from the IPNOTINMX Test.

The E-mail definitely should not fail the IPNOTINMX test, as the IP it
came from is in the MX record for the domain in the return address.  The
log file snippet confirms that the E-mail did not fail the IPNOTINMX test.

So the question is whether or not the negative weight was used.

Global.cfg
IPNOTINMX   ipnotinmx   x   x   0   -3

Given this, the E-mail should have had a weight of 3 subtracted from its
total weight, since it did not fail the IPNOTINMX test.

So, I would need to ask, why do you think that the weight of 3 was not
subtracted from the total weight of the E-mail?
  -Scott



RE: [Declude.JunkMail] IMail v8.0 and Declude Jinkmail??

2003-03-27 Thread Darrell LaRock
Scott,

A couple of notes...

1.) We started with IMail Antivirus and next week it looks like we will
be adding another imail server purchasing Declude AntiVirus for it and
another license for our existing server.  My main problem is that to
continue to run Imail AV it costs about $6,500 for a 1 year
subscription (unlimited users).  To me that price is ridiculous.  Also,
it lacks many features like suppress virus notifications for certain
viruses and the ability to block certain file attachments.

2.) Potentially is it possible for Imail to wean the ability for your
add on products to work.

I'll hang up now and listen. (man, I have been listening way too much to
sports radio.)

Darrell

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Thursday, March 27, 2003 9:55 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] IMail v8.0 and Declude Jinkmail??


Have you tested IMail v8.0 yet with Declude?

No -- as far as I know, the beta testing hasn't begun yet (although 
Ipswitch does have it running on their own mailservers now).

It has built-in anti-spam functionality from what I hear.
Is this going to have an adverse effect on your product.

Well, hear is the key word here.  Does hear mean full featured
anti-spam product bundled with IMail at no cost, very basic anti-spam
functionality at high cost, etc?  Right now, I'm looking at a box for
IMail v6.0 that has a quote on the side Stopped the spam dead cold.  :)

A year and a half ago, Ipswitch came out with IMail AntiVirus, and Declude
has fared quite well.  We even have some people who pay for a year with
IMail AntiVirus, and switch to Declude before their year is up, because of
problems where the mail delivery stops occasionally.  As you know, that
isn't an issue with Declude -- mail delivery won't stop with Declude.  For
mission critical mailservers, that's a big issue.

Also, it's important to remember that (aside from filtering/rules) Ipswitch
doesn't have much anti-spam experience.  We started selling anti-spam
software over 5 years ago.  It takes a lot of time to develop anti-spam
software that works well.  For example, does the DNS engine that Ipswitch
uses with IMail handle TXT records?

If you are correct that v8 will have built-in anti-spam functionality, it
most likely won't be very full featured (if they aren't going to be making
money off of it, it may end up like the built-in mailing list
functionality), so people will still need Declude JunkMail, whether or not
they upgrade to v8.  If it is a separate add-on, it is likely that it will
be similar to the situation now with AV software (a product with fewer
features at a high cost).

In any case, we've been through this before, and can do it again.  :)
 -Scott



RE: [Declude.JunkMail] Year 2020

2003-03-27 Thread Darrell LaRock
I have seen random date changes when the battery that powers the RTC
(Real Time Clock) on the MB goes bad..  However, I have only seen this
in really old computers.

Darrell


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Karl Hentschel
Sent: Thursday, March 27, 2003 11:46 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Year 2020

I don't know if this is the right place for this question, but I'm looking
for some feedback. The date has randomly changed to the year 2020 on our
mail server. This has happened twice now. Has anybody ever heard of this
happening before and what might cause it?




RE: [Declude.JunkMail] Question On behavior

2003-03-26 Thread Darrell LaRock
Scott,

To get around this problem do you think this is possible?

Add a lot of negative weight to the message that has a recipient as
postmaster so it won't get bounced.  Then create a test that will route
the message back to the postmaster's account?  This would then route the
message to the postmaster and not the other recipients?  I am only
pursuing this because some really offensive email has been getting
through where they are including the postmaster@ address in the mail.

Is it possible to accomplish something like that?

Darrell


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Tuesday, March 25, 2003 10:04 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Question On behavior


We have our domains postmaster addresses whitelisted.  I noticed that a
message coming in that has multiple recipients will be delivered to all
the recipients mailboxes as long as it has a whitelisted postmaster
address.

This is not exactly the desired behavior I am looking for.

Unfortunately, that is the behavior that is required.  The problem is that
you are dealing with a single E-mail with multiple recipients, not multiple
E-mails.  We are working on some creative ways to get around this, but
there would still be some definite limitations.
 -Scott



[Declude.JunkMail] Not Failing the comments test

2003-03-26 Thread Darrell LaRock
I assume this didn't fail the comments test because it is actually not
formatted like a true html comment !--some comment

If you would like to unsub 
  !pNcTpTxGpDsYxVNtNsvMbEBbWbhHmKgDm
  scribe your e-m 
  !kEnTFsDduWqCeYyOiUqQUxLmDpIeAsPkKtphUnPsFkWo
  ail addr 
  !yvnfYpXnLmThFsDoNmCnGorA
  ess from our new 
  !tQmOsQiJpQmKRpNmiPcQDnFjyUoVWbUfkBtWVpChaNhQ
  sletterBR
  we will do this for you at any time. Please A
HREF=http://rd.yahoo.com/iQbVsWtWwCqLPrFsqKwBoTwMaRa/*http://iQbVsWtWwC
qLPrFsqKwBoTwMaRa.shopping-station.com/unsubscribe/Cli 
  !pNcTpTxGpDsYxVNtNsvMbEBbWbhHmKgDm
  ck He 
  !T21W
  re/Anbsp; and sub 
  !yvnfYpXnLmThFsDoNmCnGorA
  mit yourBR
  em 
  !iQbVsWtWwCqLPrFsqKwBoTwMaRa
  ail addre 
  !xHxKqCcEqJwBgPfXFjPsnVdJd
  ss on the form given to you

Any thoughts (declude 1.68i2)

Darrell



RE: [Declude.JunkMail] Question On behavior

2003-03-26 Thread Darrell LaRock
Scott,

We have achieved the desired behavior with that setup.  I sent a test
message tripping off one of the filters and the mail was delivered to
the postmaster and was not delivered to the other recipients.

This is just a testament on how flexible this product is..

Thanks for the help
Darrell

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Wednesday, March 26, 2003 9:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Question On behavior


To get around this problem do you think this is possible?

Add a lot of negative weight to the message that has a recipient as
postmaster so it won't get bounced.  Then create a test that will route
the message back to the postmaster's account?

It might be possible to do something like that.  An action ROUTETO
[EMAIL PROTECTED] would prevent the other users from seeing the
E-mail.  Perhaps adding a filter that includes a line ALLRECIPS 0 CONTAINS
[EMAIL PROTECTED], and then having the action for that filter set to
ROUTETO [EMAIL PROTECTED]?  That way, any E-mail that was addressed
to [EMAIL PROTECTED] would get sent only to [EMAIL PROTECTED]
-Scott



RE: [Declude.JunkMail] Question On behavior

2003-03-26 Thread Darrell LaRock
John,

You are absolutely right on this should be implemented instead of
whitelisting the postmaster or abuse account.  This week I can't tell
you how many messages got through because postmaster@ was listed as a
recipient.

That shouldn't happen anymore...

Darrell 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
Sent: Wednesday, March 26, 2003 11:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Question On behavior

 We have achieved the desired behavior with that setup.  I sent a test
 message tripping off one of the filters and the mail was delivered to
 the postmaster and was not delivered to the other recipients.

Thanks for that update Darrell.

Sounds like something that should be implemented by any one whitelisting
postmaster or root or abuse.

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA  92835
www.reliancesoft.com






RE: [Declude.JunkMail] What does this mean: internet.e-mail

2003-03-26 Thread Darrell LaRock
Kami,

I have seen several messages today that had that listed right at the top of
the message source.

Darrell

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan
Sent: Wednesday, March 26, 2003 12:16 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] What does this mean: internet.e-mail

Hi;

We have a watch words file that if with an entry in the default file - simply
to know if these words appear and how often.

One such entry in the spam emails is:

!-- saved from url="" --

more importantly the last part: http://internet.e-mail

Does anyone know if this is an output generated by a special software -- I
hardly see this in any other emails.

So far 100% of all the emails reported with this entry are spam.

Regards,

Kami

[Declude.JunkMail] Question On behavior

2003-03-25 Thread Darrell LaRock
We have our domains postmaster addresses whitelisted.  I noticed that a
message coming in that has multiple recipients will be delivered to all
the recipients mailboxes as long as it has a whitelisted postmaster
address.

This is not exactly the desired behavior I am looking for.

It should have blocked this mail from all recipients except the
postmaster.

03/24/2003 22:08:17 Qc816661e001c6824 WORDFILTER:13 DSBL:5
WIREHUB-DNSBL:3 NOPOSTMASTER:1 BASE64:5 SNIFFER:8 .  Total weight = 35
03/24/2003 22:08:17 Qc816661e001c6824 E-mail whitelisted - automatically
passing all spam tests [EMAIL PROTECTED]
03/24/2003 22:08:17 Qc816661e001c6824 L1 Message OK
03/24/2003 22:08:17 Qc816661e001c6824 Subject: Pe**nis Enlargement Pills
- Order today!
03/24/2003 22:08:17 Qc816661e001c6824 From: [EMAIL PROTECTED] To:
[EMAIL PROTECTED]  IP: 12.233.204.136 ID: 
03/24/2003 22:08:17 Qc816661e001c6824 L2 Message OK
03/24/2003 22:08:17 Qc816661e001c6824 Subject: Pe**nis Enlargement Pills
- Order today!
03/24/2003 22:08:17 Qc816661e001c6824 From: [EMAIL PROTECTED] To:
[EMAIL PROTECTED] [EMAIL PROTECTED]  IP: 12.233.204.136 ID: 
03/24/2003 22:08:17 Qc816661e001c6824 L3 Message OK
03/24/2003 22:08:17 Qc816661e001c6824 Subject: Penis Enlargement Pills -
Order today!
03/24/2003 22:08:17 Qc816661e001c6824 From: [EMAIL PROTECTED] To:
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]  IP:
12.233.204.136 ID:

20030324 220817 127.0.0.1   SMTP (1812) processing
e:\imail\spool\Qc816661e001c6824.SMD
20030324 220817 127.0.0.1   SMTP (1812) ldeliver
mail1.gannett-tv.com dlarock-main (1) [EMAIL PROTECTED] 4166
20030324 220817 127.0.0.1   SMTP (1812) ldeliver wfmy.com
2wantstoknow-main (1) [EMAIL PROTECTED] 4166
20030324 220817 127.0.0.1   SMTP (1812) forwarded message to
[EMAIL PROTECTED],[EMAIL PROTECTED]
20030324 220817 127.0.0.1   SMTP (1812) finished
e:\imail\spool\Qc816661e001c6824.SMD status=1 


Any thoughts?
Darrell
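
Both log-reading questions in these threads (did the IPNOTINMX entry contribute its negative weight, and did a whitelisted postmaster recipient carry a high-weight message to the other recipients) can be checked mechanically. The Python below is an added example, not part of the original posts and not Declude code; the sample log is constructed from the line formats quoted above with placeholder addresses, the function names are hypothetical, and it assumes the token after "passing all spam tests" is the whitelisted address.

```python
import re

# Constructed sample, modelled on the Declude JunkMail log lines quoted in
# these threads; addresses and the IP are placeholders, not real log data.
SAMPLE_LOG = """\
03/24/2003 22:08:17 Qc816661e001c6824 WORDFILTER:13 DSBL:5 WIREHUB-DNSBL:3 NOPOSTMASTER:1 BASE64:5 SNIFFER:8 .  Total weight = 35
03/24/2003 22:08:17 Qc816661e001c6824 E-mail whitelisted - automatically passing all spam tests postmaster@example.com
03/24/2003 22:08:17 Qc816661e001c6824 L1 Message OK
03/24/2003 22:08:17 Qc816661e001c6824 From: sender@example.net To: postmaster@example.com user1@example.com user2@example.com  IP: 192.0.2.10 ID:
03/31/2003 18:24:22 Qce246c0a00a00dbb WORDFILTER:4 nIPNOTINMX:-3 .  Total weight = 1
03/31/2003 18:24:22 Qce246c0a00a00dbb L1 Message OK
03/31/2003 18:24:33 Qce102a4f0086c057 BASE64:5 SNIFFER:8 .  Total weight = 13
03/31/2003 18:24:33 Qce102a4f0086c057 Msg failed WEIGHT10 (Weight of 13 reaches or exceeds the limit of 10.). Action=BOUNCE.
"""

LINE = re.compile(r"^\d\d/\d\d/\d{4} \d\d:\d\d:\d\d (Q[0-9a-f]+) (.*)$")
TOTAL = re.compile(r"^(.*?)\s*\.\s+Total weight = (-?\d+)$")
ENTRY = re.compile(r"(\S+):(-?\d+)")
FAILED = re.compile(r"^Msg failed (\S+) \(.*\)\. Action=(\w+)\.$")
RCPTS = re.compile(r"^From: (\S+) To: (.*?)\s+IP: (\S+) ID:")
WHITELISTED = "E-mail whitelisted - automatically passing all spam tests"


def parse_log(text):
    """Group log lines by spool ID and pull out weights, actions, recipients."""
    records = {}
    for raw in text.splitlines():
        m = LINE.match(raw.rstrip())
        if not m:
            continue  # wrapped continuation or unrelated line
        qid, body = m.groups()
        rec = records.setdefault(qid, {
            "weights": {}, "total": None, "whitelist_match": None,
            "recipients": [], "actions": {},
        })
        if (t := TOTAL.match(body)):
            # e.g. "BASE64:5 SNIFFER:8 .  Total weight = 13"
            rec["weights"] = {n: int(w) for n, w in ENTRY.findall(t.group(1))}
            rec["total"] = int(t.group(2))
        elif body.startswith(WHITELISTED):
            # Assumption: the trailing token is the whitelisted address.
            rec["whitelist_match"] = body[len(WHITELISTED):].strip() or "(unknown)"
        elif (f := FAILED.match(body)):
            rec["actions"][f.group(1)] = f.group(2)
        elif (r := RCPTS.match(body)):
            for addr in r.group(2).split():
                if addr not in rec["recipients"]:
                    rec["recipients"].append(addr)
    return records


def whitelist_bypasses(records, threshold):
    """Messages at or over `threshold` that were passed because one recipient
    was whitelisted while other recipients were on the same message."""
    hits = []
    for qid, rec in records.items():
        if rec["whitelist_match"] is None or rec["total"] is None:
            continue
        others = [a for a in rec["recipients"]
                  if a.lower() != rec["whitelist_match"].lower()]
        if rec["total"] >= threshold and others:
            hits.append((qid, rec["total"], others))
    return hits


def missing_credit(records, entry_name):
    """Spool IDs whose weight summary has no entry named `entry_name`
    (e.g. "nIPNOTINMX", as it appears in the log line quoted in the thread)."""
    return [qid for qid, rec in records.items()
            if rec["total"] is not None and entry_name not in rec["weights"]]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for qid, total, others in whitelist_bypasses(recs, threshold=10):
        print(f"{qid}: weight {total} delivered past whitelist to {others}")
    print("no nIPNOTINMX entry:", missing_credit(recs, "nIPNOTINMX"))
```

Feed it an unwrapped log file; lines that do not start with a timestamp and spool ID are skipped, so e-mail-wrapped excerpts need rejoining first.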



[Declude.JunkMail] How can I do this?

2003-03-25 Thread Darrell LaRock
I am sure many people have noticed a lot of spam that is like this.
Consider a users email address like this [EMAIL PROTECTED]

Then the subject of the email is

bsmith, have you seen this blah blah

Any thoughts on how to check to see if the right hand side of the email
address is contained in the subject?

Darrell
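
The check asked about above, written as stand-alone Python: an added example, not part of the original post and not a Declude filter. The function names, the role-account list and the minimum-length cutoff are assumptions chosen to limit false positives on legitimate mail.

```python
import re

# Assumed list of shared role mailboxes whose names are ordinary words and
# would match legitimate subjects ("Sales figures ...").
ROLE_ACCOUNTS = {"postmaster", "abuse", "root", "info", "sales",
                 "support", "admin", "webmaster"}
TOKEN = re.compile(r"[a-z0-9._-]+")


def local_part(address):
    """Lower-cased text before the @, with any +tag suffix removed."""
    local = address.strip().strip("<>").rpartition("@")[0].lower()
    return local.split("+", 1)[0]


def subject_names_recipient(subject, recipients, min_len=4):
    """Return the recipient local parts that appear as whole tokens in the
    subject, e.g. 'bsmith' for 'bsmith, have you seen this'.

    Whole-token matching avoids hits such as 'al' inside 'already';
    min_len and ROLE_ACCOUNTS skip names too short or too generic to score.
    """
    tokens = {t.strip("._-") for t in TOKEN.findall(subject.lower())}
    hits = set()
    for addr in recipients:
        local = local_part(addr)
        if len(local) < min_len or local in ROLE_ACCOUNTS:
            continue
        if local in tokens:
            hits.add(local)
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample messages (subject, envelope recipients).
    samples = [
        ("bsmith, have you seen this blah blah", ["bsmith@example.com"]),
        ("Sales figures for Q3", ["sales@example.com"]),
        ("Already sent the invoice", ["al@example.com"]),
    ]
    for subject, rcpts in samples:
        print(subject_names_recipient(subject, rcpts), "<-", subject)
```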



[Declude.JunkMail] Headers Changing On Outbound Attached Message

2003-03-21 Thread Darrell LaRock
I am using the copyto function to route a copy of any message that fails
the sniffer test to my email box.

If the message is a false positive I then insert the false positive
message into another email and send it off to the folks at sniffer.
What we found today is that for some reason headers are being inserted
into the false positive attached message from Outlook? Also, it is
inserting several other headers like altering the message id.

Example of headers in message before forwarding it out as attached
message

Received: from sender0012.lodo.exactis.com [64.208.135.32] by
mail1.gannett-tv.com with ESMTP
  (SMTPD32-7.12) id A91A577000EA; Fri, 21 Mar 2003 13:25:30 -0500
Received: by sender0012.lodo.exactis.com
  (queueup version 6.2: Copyright 2000 Experian, Inc. All rights
reserved.)
  with stdio id KARE11_AAAJL29299; Fri, 21 Mar 2003 11:23:50 MST
Date: Fri, 21 Mar 2003 18:17:12 UT
From: Tribune Alerts
[EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Reply-To: Tribune Alerts
[EMAIL PROTECTED]
Errors-To:
[EMAIL PROTECTED]
Message-Id: [EMAIL PROTECTED]
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=ISO-8859-1
MIME-Version: 1.0
Subject: [POTENTIAL SPAM]'Shock and awe'
X-Mailer: Experian ContactMail Build v1.89  (Using MIME::Lite v2.117 )
X-RBL-Warning: OSSRC: Experian GBX-REQ6714-1 Spammed
[EMAIL PROTECTED] Was: 64.208.135.177 from
bog0007.lodo.exactis.com (bog0007.lodo.exactis.com [64.208.135.177]) by
relays.osirusoft.com
X-Declude-Sender:
[EMAIL PROTECTED]
[64.208.135.32]
X-Declude-Spoolname: D591a577000eadda1.SMD
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 348193479

Example of headers When they receive it and view the attached message

Reply-To: Tribune Alerts
[EMAIL PROTECTED]
From: Tribune Alerts
[EMAIL PROTECTED]
To: Daly, Mark [EMAIL PROTECTED]
Subject: [POTENTIAL SPAM]'Shock and awe'
Date: Fri, 21 Mar 2003 13:17:12 -0500
Message-ID:
[EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary==_NextPart_000_016D_01C2EFD4.31C710F0
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2627
X-Declude-Sender:
[EMAIL PROTECTED]
[64.208.135.32]
X-Declude-Spoolname: D591a577000eadda1.SMD
X-RCPT-TO: [EMAIL PROTECTED]
X-UIDL: 348193479
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-RBL-Warning: OSSRC: Experian GBX-REQ6714-1 Spammed
[EMAIL PROTECTED] Was: 64.208.135.177 from
bog0007.lodo.exactis.com (bog0007.lodo.exactis.com
[64.208.135.177]) by relays.osirusoft.com
Importance: Normal

Why would Outlook be altering an attached message?

Darrell




[Declude.JunkMail] Declude Gone Wild

2003-01-22 Thread Darrell LaRock
Today I had an instance where all my mail started being held as SPAM.  99% of it was
legit mail.  At first I thought it may be a sniffer problem as that was installed
within the last week.

Attached is a snippet of logs that shows declude over and over testing a piece of mail

I disabled Sniffer at approximately 2:30pm today.  Reviewing the logs now seems to show
that declude is still repeating the behavior below *substantially* less though.

I am running Declude 1.63

Any thoughts?

//INITIAL PROBLEM
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed OSRELAY (This entry was last 
confirmed open on 1/4/2003). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SPAMCOP (Blocked - see 
http://spamcop.net/bl.shtml?202.105.130.36). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed DSBL 
(http://dsbl.org/listing.php?202.105.130.36). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed NJABL (relay tested -- 1007947419). 
Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed BADHEADERS (This E-mail was sent from 
a broken mail client [804f].). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed REVDNS (This E-mail was sent from a 
MUA/MTA 202.105.130.36 with no reverse DNS entry.). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SNIFFER (Message failed SNIFFER: 
63.). Action=HOLD.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed WEIGHT10 (Weight of 32 reaches or 
exceeds the limit of 10.). Action=BOUNCE.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed OSRELAY (This entry was last 
confirmed open on 1/4/2003). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SPAMCOP (Blocked - see 
http://spamcop.net/bl.shtml?202.105.130.36). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed DSBL 
(http://dsbl.org/listing.php?202.105.130.36). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed NJABL (relay tested -- 1007947419). 
Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed BADHEADERS (This E-mail was sent from 
a broken mail client [804f].). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed REVDNS (This E-mail was sent from a 
MUA/MTA 202.105.130.36 with no reverse DNS entry.). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SNIFFER (Message failed SNIFFER: 
63.). Action=HOLD.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed WEIGHT10 (Weight of 32 reaches or 
exceeds the limit of 10.). Action=BOUNCE.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed OSRELAY (This entry was last 
confirmed open on 1/4/2003). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SPAMCOP (Blocked - see 
http://spamcop.net/bl.shtml?202.105.130.36). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed DSBL 
(http://dsbl.org/listing.php?202.105.130.36). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed NJABL (relay tested -- 1007947419). 
Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed BADHEADERS (This E-mail was sent from 
a broken mail client [804f].). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed REVDNS (This E-mail was sent from a 
MUA/MTA 202.105.130.36 with no reverse DNS entry.). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SNIFFER (Message failed SNIFFER: 
63.). Action=HOLD.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed WEIGHT10 (Weight of 32 reaches or 
exceeds the limit of 10.). Action=BOUNCE.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed OSRELAY (This entry was last 
confirmed open on 1/4/2003). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SPAMCOP (Blocked - see 
http://spamcop.net/bl.shtml?202.105.130.36). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed DSBL 
(http://dsbl.org/listing.php?202.105.130.36). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed NJABL (relay tested -- 1007947419). 
Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed BADHEADERS (This E-mail was sent from 
a broken mail client [804f].). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed REVDNS (This E-mail was sent from a 
MUA/MTA 202.105.130.36 with no reverse DNS entry.). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SNIFFER (Message failed SNIFFER: 
63.). Action=HOLD.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed WEIGHT10 (Weight of 32 reaches or 
exceeds the limit of 10.). Action=BOUNCE.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed OSRELAY (This entry was last 
confirmed open on 1/4/2003). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SPAMCOP (Blocked - see 
http://spamcop.net/bl.shtml?202.105.130.36). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed DSBL 
(http://dsbl.org/listing.php?202.105.130.36). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed NJABL (relay tested -- 1007947419). 
Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed BADHEADERS (This E-mail was sent from 
a broken mail 

RE: KITHRUP:RE: [Declude.JunkMail] Declude and Sniffer

2002-07-29 Thread Darrell LaRock

I find that interesting that the major ISPs fail those kinds of tests.
Anyone have any ideas on why they wouldn't have those addresses setup?

Dl

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Tom Baker |
Netsmith Inc
Sent: Friday, July 26, 2002 4:27 PM
To: '[EMAIL PROTECTED]'
Subject: RE: KITHRUP:RE: [Declude.JunkMail] Declude and Sniffer

That is about average, over 50% of our inbound mail fails at least one
test (more like 70%)...
This is where the weighing system comes into play.
Tests like no postmaster and no abuse fail every message from systems
like aol.com, msn.com, earthlink.net, etc,etc... So they will appear as
SPAM in your logfiles.

You need to use the weighing system / edit your $default$.junkmail and
your global.cfg to meet your needs.

There is no cut/dry solution to spam, I have definitely learned monitoring
this list that everybody has a different solution that fits their setup.

The great thing about declude/sniffer is their flexibility, great mailing
lists and frequent updates.

(ex: we completely disabled the no postmaster/no abuse tests in our
system, they are just too inefficient for our setup, but in other setups
they are very useful )


-Original Message-
From: Jim Rooth [mailto:[EMAIL PROTECTED]] 
Sent: Friday, July 26, 2002 3:18 PM
To: [EMAIL PROTECTED]
Subject: KITHRUP:RE: [Declude.JunkMail] Declude and Sniffer


I must be doing something wrong!  I looked at the confirm log and I have
caught almost half of the 20,000 emails as spam.  I have pored through the
logs though and have only found four obviously legitimate emails that should
not have been caught.  I fixed that with the myfilter file. Either I am
doing it wrong or the program is great.  I suspect the latter...


Jim Rooth
Klotron, Inc.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Jeff Kratka
Sent: Friday, July 26, 2002 3:08 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Declude and Sniffer

Just curious. How many people are using both Declude Junk Mail and the
sniffer add-on and has it made a difference if yes. I have been completely
pummeled with Spam and am looking for more options.

Thanks.

Jeff

*
TymeWyse Internet
P.O.Box 84 - 583 N. Main St., Canyonville, OR 97417
tel/fax: (541) 839-6027  -  [EMAIL PROTECTED]
*
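
The weighting point made in the reply above, worked through as an added example (not part of any message in this thread, and not Declude configuration syntax): it compares flagging mail that fails any test with flagging mail whose summed test weights reach a threshold, and shows what disabling the two low-value tests costs. The test names, weights, threshold and sample messages are constructed assumptions.

```python
"""Added example: 'fails at least one test' versus a weighted threshold.
Test names, weights, threshold and messages are constructed for illustration;
this is not Declude configuration syntax."""

# Constructed weights: tests that large legitimate providers also fail get
# a small weight, blacklist-style tests a large one.
WEIGHTS = {"NOPOSTMASTER": 2, "NOABUSE": 2, "BLACKLIST_A": 8,
           "BLACKLIST_B": 7, "BADHEADERS": 5}
THRESHOLD = 10  # constructed: total weight at which mail is treated as spam

# Constructed sample: (sender domain, failed tests, really spam?)
MESSAGES = [
    ("aol.com", ["NOPOSTMASTER", "NOABUSE"], False),
    ("msn.com", ["NOABUSE"], False),
    ("earthlink.net", ["NOPOSTMASTER"], False),
    ("example.org", [], False),
    ("bulk.example", ["BLACKLIST_A", "BADHEADERS"], True),
    ("promo.example", ["BLACKLIST_B", "NOABUSE", "NOPOSTMASTER"], True),
    ("relay.example", ["BADHEADERS", "NOABUSE"], True),
]

def score(failed, weights=WEIGHTS):
    """Sum the weights of the failed tests; disabled or unknown tests add 0."""
    return sum(weights.get(t, 0) for t in failed)

def evaluate(messages, weights=WEIGHTS, threshold=THRESHOLD):
    """Count hits, false positives and misses for both policies."""
    out = {"any_test": 0, "weighted": 0, "fp_any": 0, "fp_weighted": 0, "missed": 0}
    for _domain, failed, is_spam in messages:
        any_hit = any(t in weights for t in failed)   # fails >= 1 enabled test
        weighted_hit = score(failed, weights) >= threshold
        out["any_test"] += any_hit
        out["weighted"] += weighted_hit
        out["fp_any"] += any_hit and not is_spam
        out["fp_weighted"] += weighted_hit and not is_spam
        out["missed"] += is_spam and not weighted_hit
    return out

def without(tests, weights=WEIGHTS):
    """Weights with some tests disabled entirely."""
    return {t: w for t, w in weights.items() if t not in tests}

if __name__ == "__main__":
    print("all tests enabled:", evaluate(MESSAGES))
    print("two tests disabled:",
          evaluate(MESSAGES, without({"NOPOSTMASTER", "NOABUSE"})))
```

In this constructed sample the low-weight tests never flag the large providers on their own, but they are what pushes promo.example over the threshold, so disabling them trades one more missed spam for a quieter log.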




[Declude.JunkMail] 1.56 Stablility

2002-07-24 Thread Darrell LaRock

Any idea when 1.56 will move from the beta state?  We are bringing up a
new mail server and I wanted to know if it is stable enough to go live
with it.  I know a couple weeks back there were some posts about
problems that were corrected with an interim release.

Thanks In Advance
dl


RE: [Declude.JunkMail] 1.56 Stablility

2002-07-24 Thread Darrell LaRock

Not to beat a dead horse, are we thinking anytime in the next 2 weeks or
should I plan on just moving with 1.55?

Darrell


Darrell LaRock
Information Systems Analyst
Gannett Television
716-849-2272

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Wednesday, July 24, 2002 5:13 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] 1.56 Stablility


> Any idea when 1.56 will move from the beta state?  We are bringing up a
> new mail server and I wanted to know if it is stable enough to go live
> with it.  I know a couple weeks back there were some posts about
> problems that were corrected with an interim release.

We should have a 1.57 shortly that addresses the issues from 1.56.  We 
expect that 1.57 should be quite stable.
 -Scott


[Declude.JunkMail] Console

2002-07-12 Thread Darrell LaRock


Someone mentioned earlier that there was a way to invoke declude to
spawn a console in order to see what's happening in real time.  Is this
correct and how do you invoke this?

Darrell



RE: BLARSBL:RE: [Declude.JunkMail] Get a load of this . . .

2002-07-03 Thread Darrell LaRock

Anyone wonder if they intended to send that message thinking that everyone
would automatically block those sites? Nice little tactic.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kami Razvan
Sent: Wednesday, July 03, 2002 4:07 PM
To: [EMAIL PROTECTED]
Subject: RE: BLARSBL:RE: [Declude.JunkMail] Get a load of this . . .

Hi;

I also randomly checked the domains and I have a hard time believing some
of those sites are in any sort of mass e-marketing.

216.234.252.98 home.faithmail.com
216.234.252.91 home.brownsmail.net
216.234.252.92 home.bazaar.com
216.234.252.97 home.esife.org

are some that just don't appear to be e-spammers.

this is the most peculiar message.

Kami

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chuck Schick
Sent: Wednesday, July 03, 2002 2:50 PM
To: [EMAIL PROTECTED]
Subject: BLARSBL:RE: [Declude.JunkMail] Get a load of this . . .

I randomly checked some of those IPs and none of them showed up on any
blacklist. Right now his mail would get through to us since he would not
fail any tests. I wonder what his concern is. He should send the message
to AOL and Earthlink to see if he gets any response.

Chuck Schick
Warp 8, Inc.
303-421-5140
www.warp8.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Glenn \ WCNet
Sent: Wednesday, July 03, 2002 12:24 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Get a load of this . . .

Here are some to add to your Kill file or BlackList!

--

Hello Administrators for wcnet.net,

Please check to verify that messages being sent to our Opt-in customers that
are using your services are not being blocked by any of wcnet.net's
servers. If there currently are blocks on any of our IP's, please contact
me directly so that we may find a resolution to this.

Relevant Marketing Technologies is a leading permission marketing and affinity-based
email marketing company. The current client roster is primarily made up of four
industries: Music, Sports, Broadcast, and Entertainment. Relevant Marketing
Technologies is the leading online opt-in permission based newsletter services
provider in each of these industries. Relevant Marketing Technologies has
attained this leadership position primarily through the growth and evolution of
ENewsNotifier (ENN).

The ENN system is opt-in, and permission based, and provides direct live links
to the URL to deactivate the user's individual account automatically imbedded
into each and every message sent through our servers. We have modified all of
our servers to prohibit open relay access, and have been cleared by MAPS
through www.mail-abuse.org on all of our IP addresses. We are not spam.

Currently, the servers we use to distribute email messages are:

Our DNS Lookup information is as follows:

Administrative Contact, Technical Contact:
 Host (HO9039-ORG) [EMAIL PROTECTED]
 Relevant Marketing Technologies Inc.
 Relevant Marketing Technologies, Inc.
 6688 N. Central Expressway, Suite 150
 Dallas, Tx 75026
 US
 469-385-2000 Fax- 469-385-2001 Fax- - 469-385-2001

If I can be of any assistance in the expeditious modification of our records
with you, please do not hesitate contacting me.


Sincerely,

Bethann Lesnick
Senior Client Consultant
Strategic Development  Marketing

Relevant Marketing Technologies
6688 N. Central Expressway, Suite 150
Dallas, TX 75206

Main - 469.385.2000
Direct - 469.385.2022
Fax - 469.385.2001

[EMAIL PROTECTED]
www.RelevantMarketingTechnologies.com

email marketing and communication solutions


RE: [Declude.JunkMail] maybe a dumb question

2002-07-01 Thread Darrell LaRock

The WARN action only generates a line in the header of the message.
Are you trying to send an alert to the user that sent it?  

Darrell
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Stanley Lyzak
Sent: Monday, July 01, 2002 12:34 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] maybe a dumb question

Ok,

If this is too easy a question, cut me a break...we have been using
declude for 4 days (and are LOVING it!) (hitting about 65% - 75% catch
rate- trying to improve).

We have an IMail 6.x mailbag server (no actual mailboxes or domains
exist). It uses relay for IP and a hosts file per IMail recommendation.


Using declude, we are seeing two odd behaviors:

1) No setting for inbound mail in $default$.junkmail can be made to
generate a warning (we are testing with a piece of software that can be
made to violate the rules enough to cause a warning). Outbound warnings
in the global.cfg work like a champ. Is this because we have no actual
domains/mailboxes hosted on this server???

2) (Possibly related to above?): Although we are running the Pro version
of Declude, we cannot get a per-domain variation in the rule set. The
only warnings that are effective, are from the global.cfg file in the
imail/declude folder. We have tried creating a subfolder under declude
with the same name as our domain name, but it ignores any global.cfg or
$default$.junkmail file setting in that folder (yes I restarted the
IMail SMTP service after the changes).


Any ideas?


Thanks

BTW, the manual doesn't seem to be very inclusive in how everything can
be set. I have done some searches on the Internet and found a few nice
tools (and this forum has been helping a lot). But is there a good
repository of hints and specs (settings) that I could get my hands on???
I am very technically literate.

Thanks again!

Stan Lyzak, BSEE, CISSP, MCSE², CCNA, A+
Network Security Engineer
ASysTech, Inc.
