RE: [Declude.JunkMail] Does anyone know of a tool that does this....
Hi Chuck

Look at the attached message. Is something like this what you want? It's in German, and at the moment it works in a mode where the user can request his report by entering his recipient address on our website. The report for the selected day will then be sent to his email address, and the user can also click on the subject to requeue the message and deliver it to his mailbox. By having a list of all recipients who want these daily reports it could also be automated. Unfortunately this is not a ready click-and-play solution.

Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick
Sent: Friday, November 07, 2008 9:51 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Does anyone know of a tool that does this

I would like to route spam that people receive to a spam folder on the server. It would be great if there was a program that could periodically (daily) scan the spam folder and send an email to the mailbox owner to tell them what was caught in the spam folder. We are running Imail 8.22. Anyone know of something like this?

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.

---BeginMessage---
Limitis OHG
Am 22.07.2008 wurden die folgenden Nachrichten für [EMAIL PROTECTED] als Spam blockiert:

Absender: | Betreff: | Uhrzeit:

[EMAIL PROTECTED] | Les programmes sont necessaires ? Appuie ici. | 01:04:07
http://logfiles.mf.zcom.it:41380/spamcontrol/send.asp?id=460-20080722-15d1008e6ef5

[EMAIL PROTECTED] | Ho Pillole per EuroFarmacia, in modo Rapido e Sicuro | 01:54:04
http://logfiles.mf.zcom.it:41380/spamcontrol/send.asp?id=497-20080722-218100a077f7

[EMAIL PROTECTED] | Offerta imperdibile: iscrivendoti a Casino Online riceverai 300 euro in regalo! | 02:37:08
http://logfiles.mf.zcom.it:41380/spamcontrol/send.asp?id=683-20080722-2ba100947f0a

[EMAIL PROTECTED] | Healthy life is not a myth anymore! | 05:15:49
http://logfiles.mf.zcom.it:41380/spamcontrol/send.asp?id=552-20080722-50c001709352

[EMAIL PROTECTED] | ID:78626 Get all your meds without the need for a prescription | 05:23:09
http://logfiles.mf.zcom.it:41380/spamcontrol/send.asp?id=436-20080722-5283017094ac

[EMAIL PROTECTED] | Salut, freine Soft? Le remplacement qualitatif est necessaire ? | 06:01:01
http://logfiles.mf.zcom.it:41380/spamcontrol/send.asp?id=312-20080722-5b67008e99f0

[EMAIL PROTECTED] | $119.95 50mg x 60 pills price | 06:47:07
http://logfiles.mf.zcom.it:41380/spamcontrol/send.asp?id=706-20080722-662f0094a089

[EMAIL PROTECTED] | prestige galery | 07:26:46
http://logfiles.mf.zcom.it:41380/spamcontrol/send.asp?id=560-20080722-6f810097a6a1

[EMAIL PROTECTED] | Before Mel Gibsonn This Guy Harry Gave 'Em Hell | 08:37:14
http://logfiles.mf.zcom.it:41380/spamcontrol/send.asp?id=326-20080722-7fe1018400ae
---End Message---
RE: [Declude.JunkMail] DKIM
Interesting, but yes, PREWHITELIST is also set to on in my configurations.

I just wonder if nobody else expects something like the implementation of such new* functionality when it gets time to renew the SAs?

Markus

*new in reference to Declude, not as a generally new spam-fighting technique, as you can see in the link for the deployment notes.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T
Sent: Saturday, July 19, 2008 12:01 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] DKIM

Having WHITELIST AUTH on will not stop externals from running UNLESS you also have PREWHITELIST on.

John T
eServices For You

-Original Message-
From: Gufler Markus | Limitis [EMAIL PROTECTED]
Sent 7/15/2008 12:11:31 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] DKIM

Hi all,

Have you noted that Google's spam filter only lets PayPal and eBay messages with a legit DKIM header pass? If there is no legit DKIM line in the header the message is not moved to the spam folder, it's deleted immediately. PayPal and eBay seem to have done some hard work in order to finally ensure that every legit message with such a sender address has a valid DKIM header.

See http://www.heise-online.co.uk/news/Google-Mail-automatically-discards-eBay-and-PayPal-phishing-emails--/111083

Deployment notes about DKIM: http://www.dkim.org/deploy/index.htm

What I wonder: Could some of our SA fees be used to integrate DKIM support into Declude? My idea was to write an external test for DKIM headers. But in fact this should be a task for Declude, especially because I can't use the external test to write my own DKIM headers for outgoing messages as long as I have WHITELISTAUTH set to ON.

Gufler Markus
[Declude.JunkMail] DKIM
Hi all,

Have you noted that Google's spam filter only lets PayPal and eBay messages with a legit DKIM header pass? If there is no legit DKIM line in the header the message is not moved to the spam folder, it's deleted immediately. PayPal and eBay seem to have done some hard work in order to finally ensure that every legit message with such a sender address has a valid DKIM header.

See http://www.heise-online.co.uk/news/Google-Mail-automatically-discards-eBay-and-PayPal-phishing-emails--/111083

Deployment notes about DKIM: http://www.dkim.org/deploy/index.htm

What I wonder: Could some of our SA fees be used to integrate DKIM support into Declude? My idea was to write an external test for DKIM headers. But in fact this should be a task for Declude, especially because I can't use the external test to write my own DKIM headers for outgoing messages as long as I have WHITELISTAUTH set to ON.

Gufler Markus
RE: [Declude.JunkMail] form spam filter
Matt, Darin, could it be possible that you both forget that 99,9+% of all incoming formmail spam is sent from millions of webservers all around the world, and you have no control of it?

Darin: It wouldn't be virtually impossible to keep a list of all these webservers. Some IP blacklists have tried to do this for years now. Also don't forget that a great part of websites are hosted on shared web hosting servers, and even if you would catch some spammy messages by flagging some IP you could never be sure that some legit message from the same server isn't caught as an FP.

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, April 09, 2008 4:24 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] form spam filter

Darin,

I think you missed what I was saying exactly. If the form spammer fills out the fields that are hidden by DIV's, the E-mail wouldn't be sent by the mailer script and it would pretend to have been successful. Spammers use programs to do this stuff, and although they are intelligent programs, they almost definitely will target fields named Name and E-mail, and if on their first try they fill these fields in and they get a positive response from the script, their program will stop trying to fix issues.

I won't claim that this method is 100% effective, but I have used it in some cases and no one ever said that it didn't do the trick for them. If they got through that trick, I would ban URL's with a JavaScript alert and then silently with the mailer script (figuring that no real people would get a URL to the mailer script).

This is the easiest of all methods to implement. It takes 5 to 10 minutes to fix a form and you don't hinder your visitors with CAPTCHAs. It's not like there isn't code being used by spammers elsewhere that read CAPTCHA's anyway, though I suspect that the current form spammers are not doing that right now.

Matt

Darin Cox wrote:

Hi Matt,

Some do, some don't. I've seen both methods used on some customer sites.

Setting session variables on the form page definitely wouldn't work, as a spammer that hits the form would receive the same session information anyone else would.

Certainly checking data against constraints is _always_ important, whether to prevent hacking, avoid data exceptions, enforce business rules, etc. The method you outline seems like it would only work if the spammer doesn't submit to all fields. Some of the attempts we've seen populated all fields, so this wouldn't work on those.

I'd stick with CAPTCHA as the best and most foolproof method to avoid these problems. It's fairly easy to implement (there are a number of free examples in public domain), is familiar to most people filling out the forms, and works well.

Darin.

- Original Message -
From: Matt mailto:[EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Wednesday, April 09, 2008 8:55 AM
Subject: Re: [Declude.JunkMail] form spam filter

The form spammers are smarter than to go directly to the mail script. They will hit for the form submission page with what appears to be IE and submit the form. They even handle cookies correctly.

The trick for form spam is to take fields like your Name and E-mail and rename the variables to something like ignore-old-data1 and ignore-old-data2 and adjust your mailer script for the new names. Then you insert new form fields in the form page that are hidden with a DIV and call them Name and E-mail. Your mailer script should pretend that the E-mail was successful if these fields have data in them, but you should simply 86 the actual message. This will trick their testing software into thinking that they were successful, and the DIV's with visibility hidden will not be seen by normal visitors.

You might also want to put some JavaScript in the form submission page that looks for a URL in the form and warns the submitter that they can't send URL's, and then also have the mailer script silently reject a submission that has a URL in it. RegEx would be required in both JavaScript and the ASP or whatever code to do the URL checking.

As far as I know, this seems to work perfectly, but setting session variables on the form page doesn't do a damn thing.

Matt

Darin Cox wrote:

Since forms all use different emailers, and the form content is different as well, your only hope is content filtering based on what the spammer submitted... like SURBL filtering or REGEX on the spammer submission.

These days, web-based form processing pages should minimally check that the referring page is what it is supposed to be (i.e. the form page submit button was clicked as opposed to a spammer submitting directly to the form action URL), and better yet implement CAPTCHA, require a login, or some other similar security measure.

Darin.

- Original Message -
From: Craig Edmonds mailto:[EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Wednesday, April 09, 2008 3:16 AM
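The hidden decoy fields and the silent URL rejection that Matt describes in this thread, as an added example that is not code from any poster. Python stands in for the ASP mailer script; the `Message` field name, the success text, the in-memory outbox and audit log, and the sample submissions are assumptions constructed for illustration.

```python
import re

# Field names from Matt's description: the real inputs carry the renamed
# variables, and the obvious names are decoys hidden from people by a DIV.
REAL_NAME_FIELD = "ignore-old-data1"
REAL_EMAIL_FIELD = "ignore-old-data2"
DECOY_FIELDS = ("Name", "E-mail")
MESSAGE_FIELD = "Message"  # assumed name, the thread does not give one
SUCCESS_PAGE = "Thank you, your message has been sent."  # assumed text

URL_PATTERN = re.compile(r"(?i)(?:https?://|ftp://|\bwww\.)\S+")
# Constraint check on the sender: one "@", a dotted domain, no whitespace
# (so no CR/LF can reach the mail headers).
ADDRESS_PATTERN = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def classify(form):
    """Return (deliver, reason) for one submission (dict of field -> text)."""
    for field in DECOY_FIELDS:
        if form.get(field, "").strip():
            return False, "decoy field filled: " + field
    for field, value in form.items():
        # The address field is checked separately; its domain may contain "www.".
        if field != REAL_EMAIL_FIELD and URL_PATTERN.search(value):
            return False, "URL in field: " + field
    if not ADDRESS_PATTERN.fullmatch(form.get(REAL_EMAIL_FIELD, "")):
        return False, "sender address fails constraints"
    return True, "ok"


def handle_submission(form, outbox, audit_log):
    """Mail real submissions, drop the rest, and answer both the same way."""
    deliver, reason = classify(form)
    audit_log.append(reason)  # only the operator sees why a message was dropped
    if deliver:
        outbox.append({
            "from_name": form.get(REAL_NAME_FIELD, ""),
            "from_addr": form[REAL_EMAIL_FIELD],
            "body": form.get(MESSAGE_FIELD, ""),
        })
    # Identical response either way, so a submitting program gets no signal.
    return SUCCESS_PAGE


# Constructed sample submissions.
HUMAN = {
    "Name": "", "E-mail": "",
    REAL_NAME_FIELD: "Anna Example",
    REAL_EMAIL_FIELD: "anna@www.example.org",
    MESSAGE_FIELD: "Please call me about the offer.",
}
BOT_FILLS_EVERYTHING = {
    "Name": "John", "E-mail": "john@example.net",
    REAL_NAME_FIELD: "John",
    REAL_EMAIL_FIELD: "john@example.net",
    MESSAGE_FIELD: "Best prices at http://pills.example/",
}
BOT_WITH_URL = {
    "Name": "", "E-mail": "",
    REAL_NAME_FIELD: "John",
    REAL_EMAIL_FIELD: "john@example.net",
    MESSAGE_FIELD: "Best prices at www.pills.example",
}

if __name__ == "__main__":
    outbox, audit_log = [], []
    for form in (HUMAN, BOT_FILLS_EVERYTHING, BOT_WITH_URL):
        print(handle_submission(form, outbox, audit_log))
    print(audit_log)
    print(len(outbox), "message(s) actually mailed")
```

A submission that populates every field, the case Darin raises, is caught by the decoy check because the decoys are among the fields it fills.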
RE: [Declude.JunkMail] 4.4.00 Released
Well, actually the MOST sense would be mmdd, since it would result in SORT order.

I agree, and hope that 4.5.00 or 5.0.01 would finally support MMDDHH. It would be a great innovation (at least comparable to the 4.4 enhancements).

Markus
[Declude.JunkMail] David, Linda...
..can you please look in your spam hold folder for my request from yesterday (around 24 hours ago)? Up to now I haven't received any response to my request.

Messages are stored in the folder /spool/spam/hold2, but I have no such custom hold folder in my config file and all message file pairs have file names like 80.19.35.130IP.23a4a715.D4ad402465607.smd

So I believe it's an issue with Declude. Please contact me, it's urgent!

Markus
[Declude.JunkMail] RE: David, Linda...
found a hijack.cfg file even if I hadn't used it anytime before. Could it be that with completely equal config files after upgrading from v3 to v4 hijack functionality was enabled? How could I completely disable this functionality?
Re: [Declude.JunkMail] CMDSPACE Percent of Weight based on your (DELETE) action
If you're able to whitelist (by IP or AUTH-ed users) all users who connect from inbound to outbound to your server then you can use a very high weight for this test.

I give 50% of my hold weight for the test and add additional points if there is a combination with certain other tests. For example one of the reliable IP4R tests.

---
Gufler Markus

-- Original Message --
From: Erik [EMAIL PROTECTED]
Reply-To: Declude.JunkMail@declude.com
Date: Mon, 9 Jan 2006 10:01:41 +0100

I would like to ask those that have been using CMDSPACE: what percentage of your weight do you assign to this?

TIA, Erik
[Declude.JunkMail] FW: Spam in tables
I don't know if it's something new. Today I've seen the attached spam message using table cells to split up suspicious keywords but keep them still readable in the HTML view.

I think it's not a really big problem as it's still a spam message containing a link. The URIBLs should catch them soon.

Markus

---BeginMessage---
Sa p To80 OF Reta ilPri ces With ED-D ve U % F rugs! VI RA, CI S, LE RA, UL AM ,SO AG ALI VIT TR MA $1. $1. $1. $1. $1. 38 65 26 18 74 To Spe :Via 30x100m ls on ly$59. day cial gra g pil 99 C7lick her1e for our pi5ll of the day s3pecial! take out of it, and burning with curiosity, she ran across theline by line, but by the entire page; I tried to lay hold of them;Mr. James took quite uncommonly to the young woman; and was more
---End Message---
RE: [Declude.JunkMail] Imail crashes after declude 2.0.6
I haven't upgraded yet to v2 but can see the same problems with Imail since I installed Win2003 SP1. I haven't seen any crash since removing SP1, but this is not 100% sure at the moment. I will report it later this week.

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of scott_powner
Sent: Tuesday, April 19, 2005 1:48 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Imail crashes after declude 2.0.6

Last Friday I finally upgraded from 1.81 to 2.0.6. We use Declude Pro Anti-Spam and Anti-Virus. On Friday after the install Imail web messaging crashed several times. We let the problem go until Monday. On Monday the problems got worse with numerous crashes of web messaging. I finally recopied 1.81 and have been crash free for 2 hours. What is going on with 2.0.6? Do I need to reconfigure something?

Win2003 on a xeon processor with 2gb memory.

Thank you,
Scott Powner
MIU4
[EMAIL PROTECTED]
RE: [Declude.JunkMail] Error 183 in Declude Virus and double processing in Declude JunkMail during heavy load
FYI: I'm running v1.82 on a Win2003 server, and since SP1 was installed I've had problems multiple times with the queue manager and also popup messages for declude.exe. One problem could be the new SP1 application execution protection. This problem appears only on some days but can also happen multiple times a day.

I've removed SP1 and will watch now if it will solve the problem.

Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Monday, April 18, 2005 11:12 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Error 183 in Declude Virus and double processing in Declude JunkMail during heavy load

I submitted a support ticket this morning about problems I saw under 2.0.6 with high load. This weekend while doing some maintenance I ran into some load issues when I brought down one of the servers I maintain. When I bring one of the servers offline I know the other server will start dropping messages into the overflow directory, and it did this. However, after a short period of time I started to see application pop up messages: Declude.exe - Application error: The application failed to initialize properly (0xc142). I ended up having to reboot the box.

I thought this was a fluke, but when I did the maintenance on the other server I saw the same problem again on the other mail server. The odd thing about both situations is that I saw hundreds of declude.exe processes when the max under 2.0.6 by default is 25. Again this could be something unique to my servers.

Darrell
--
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

Andy Schmidt writes:

Hi Matt:

While I was beta testing 2.0.6, I was also suffering from some distributed dictionary attacks - and I was scrutinizing the log files much more closely (to look for possible beta errors). I don't know WHICH of these three factors were critical (2.x vs. load vs. level of attention) - but I had detected what sounds like your situation.

I noticed Spam and Virus log entries that referred to file i/o errors, and upon closer examination of individual cases, I noticed that apparently the same Q/D files were processed more than once. The developers added log information that tracked the process-id to determine if the problem was a loop in one process or the launching of multiple processes (they were indeed different.) About the same time, they also introduced the new Declude.cfg file that allowed me to manage/limit the number of concurrent Declude processes.

After installing new builds AND limiting the number of Declude processes I no longer noticed these errors in the log files. So - I can state that this problem was worked on and even that some code changes were made. But I can't promise with certainty that the problem was fixed with the code changes, or due to the new Declude.cfg option - or if my workload mix simply was sufficiently different.

Since then I have been able to block those distributed dictionary attacks in my IIS gateways, so that this factor has been eliminated altogether.

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Monday, April 18, 2005 04:10 PM
To: Declude.JunkMail@declude.com
Cc: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Error 183 in Declude Virus and double processing in Declude JunkMail during heavy load

This is primarily meant for Declude's support, but I am sending it to the list in the event that the broader scrutiny might be beneficial.

I'm currently running Declude 1.82 and Windows 2003 SP1. It appears that under heavy load I am seeing errors from both Declude Virus and Declude JunkMail, and it seems possible that while the errors are triggered by the heavy load, the conditions created might be avoidable. It seems likely that either IMail or Declude is producing the problem.

I have a client that has a Web server that pumps out about 350 E-mails every night in rapid succession from their Web server. This has been causing issues pretty much every night. Declude Virus throws about a half dozen or so errors during this blast saying Error 183 creating temp directory [path], and when this happens, it seems to always do this multiple times for the same file name. Declude JunkMail seems to also double, triple, quadruple, etc., process the same files when this happens, which is noted in both the logs as well as the headers
RE: [Declude.JunkMail] Campaign for spamheaders filter variable (continues)
If there was a variable to filter on SPAMHEADERS, this would make one effective filter.

Sounds easy to implement.

At the moment I have 27000 spams in our hold folder. 32 of them have failed the spamheaders test with c040120e. 27 of these 32 have reached a weight between 400 and 500% of our hold weight; 5 have reached only between 105 and 120% of our hold weight.

Can't say how many legit messages have failed SPAMHEADERS with this result code. How do you count them?

Markus
Re: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails
Hopefully it's not because my email address is an info domain. Over 2 years ago (March 2002) there were already over 80 info domains registered around the world. As far as I know, on the IPSwitch website you can't subscribe to the newsletter because .info is not a valid top level domain. Looks like the internet is old enough now to also have some conservative people inside ;-)

I assume that most of my messages will be filtered because the dynamic IP addresses of our DSL connection are listed in more or less IP blacklists. This is not because we're an open relay but because these are dynamic IPs and the entire class B range seems to be blacklisted (at least temporarily).

I can understand that most people overseas can see more spam than legit messages coming from these IPs. And I can understand if someone decides to punish them. We also assign a small weight to any message coming from the USA, because of the 26% of all messages coming from the USA only 3% are legit messages. This should not be a punishment for a country, it's simply mathematical logic to improve our spam filter's detection rate.

Maybe you can see this message only because I send it - for this time - through the webmail interface and so from a clean IP address.

What I would suggest is that anyone reading messages in this list should try to whitelist Declude list messages. There are several cases where Declude list messages contain suspicious content: spam examples, filter definitions, or a simple help request from an admin that has an IP-blacklisted mailserver. If you don't whitelist Declude list messages, very probably you're missing some important information.

As far as I can understand, the best way to whitelist Declude messages is to whitelist the IP of the Declude list server: Simply put WHITELIST IP 68.162.218.198 in your global.cfg line.

Hope this helps, and you can understand my English

---
Gufler Markus
[Declude.JunkMail] spamtrap
If anyone knows a good and fast way to publish a spamtrap address please let me know (off-list)

Thanks
Markus
RE: [Declude.JunkMail] Decoding encoded subject lines
How can you decode the encoded subject lines so as to see what it is and then create a filter?

http://david.carter-tod.com/base64/

Markus
RE: [Declude.JunkMail] Decoding encoded subject lines (note)
=?ISO-8859-1?b?RUVOVCBjaGVjayBzdG9jayBjaGFydA==?=
=?ISO-8859-1?b?RUVOVCBQcm9kdWN0aW9uIFByb2dyZXNz?=
=?ISO-8859-1?B?SGk=?=

The b? in the encoded string means base64-encoded. To decode the string just use everything after the b?

It's not a good idea to filter anything (or to assign a high weight) that is ISO/Base64 encoded. Many internationally formatted legit messages can have such subject lines.

Markus
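Decoding the subject first and then weighting the decoded text, rather than the fact that it was encoded, can be sketched as follows. This is an added example, not code from the list or from Declude; it goes beyond the base64 case in the message by also handling the "Q" form of the same header syntax, and the keyword list, the weight value and the last two sample subjects are constructed for illustration.

```python
import base64
import quopri
import re

# Encoded-word syntax used in the subjects above: =?charset?encoding?text?=
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([bBqQ])\?([^?\s]*)\?=")
# Whitespace that only separates two encoded-words is not part of the text.
BETWEEN_WORDS = re.compile(r"(\?=)\s+(=\?)")


def _decode_word(match):
    charset, encoding, payload = match.groups()
    try:
        if encoding.lower() == "b":
            # "b" / "B": the payload is base64.
            raw = base64.b64decode(payload, validate=True)
        else:
            # "q" / "Q": "_" is a space and "=XX" is one byte in hex.
            raw = quopri.decodestring(payload.encode("ascii"), header=True)
        return raw.decode(charset, errors="replace")
    except (ValueError, LookupError):
        # Malformed payload or unknown charset: leave the raw word visible.
        return match.group(0)


def decode_subject(subject):
    """Return the human-readable form of a Subject header value."""
    joined = BETWEEN_WORDS.sub(r"\1\2", subject)
    return ENCODED_WORD.sub(_decode_word, joined)


def score_subject(subject, keywords, weight_per_hit=5):
    """Weight the decoded text; being encoded adds nothing by itself."""
    decoded = decode_subject(subject)
    lowered = decoded.lower()
    hits = [word for word in keywords if word.lower() in lowered]
    return decoded, weight_per_hit * len(hits)


# The first three subjects are the ones quoted in the message above; the
# last two and the keyword list are constructed for this example.
SUBJECTS = [
    "=?ISO-8859-1?b?RUVOVCBjaGVjayBzdG9jayBjaGFydA==?=",
    "=?ISO-8859-1?b?RUVOVCBQcm9kdWN0aW9uIFByb2dyZXNz?=",
    "=?ISO-8859-1?B?SGk=?=",
    "=?ISO-8859-1?Q?Gr=FC=DFe_aus_M=FCnchen?=",
    "=?ISO-8859-1?b?@@@?=",
]
KEYWORDS = ["stock chart", "production progress"]

if __name__ == "__main__":
    for subject in SUBJECTS:
        decoded, weight = score_subject(subject, KEYWORDS)
        print(f"{weight:3d}  {decoded}")
```

The constructed German greeting decodes to ordinary text and scores 0, which is the legit international case the message warns about.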
RE: [Declude.JunkMail] Server Gone Wild
A friend of mine at Safe-t.net in Mt. Vernon Ohio just called me and said his spool in Imail is loading up and holding all messages..He thinks the Declude has stopped working...Imail tech support not available..

hmmm... very strange. The same thing happened on my server yesterday evening at 11:30 pm (GMT+1).

All D*.SMD spool files ended up in the spool folder. There was no Q file but a lot of files beginning with _ (instead of Q). When I tried to resend the messages from the IMail queue viewer these _ files disappeared, but then I found all Q files in Declude's overflow folder.

I restarted the SMTP service without a result. All incoming messages that should be delivered to local users remained in the spool folder.

Then I tried to stop the SMTP service again and move all D files from the spool and all Q files from the overflow folder into a temporary folder. I noticed that even with the stopped SMTP service most of the D files were locked by the OS and could not be changed or moved.

Another observation: There were a lot of new (recently created) .vir folders in the spool folder. And also both the junkmail and virus logfiles showed no new entries.

After rebooting the machine everything returned to work. I moved the D and Q files from the temporary folder back to the queue and nearly all messages were delivered. (Some D files remained without any corresponding Q file.)

The only thing I changed that I can remember at around 11:30 pm was to add the list of BANNAMES posted by Jeff Kratka. (Nothing against him or his posting! :) I removed these entries before I rebooted the server.

Markus
RE: [Declude.JunkMail] Server Gone Wild
hmmm... very strange. The same thing happened on my server yesterday evening at 11:30 pm (GMT+1)

are you running Imail 7.x or 8.x?

IMail v7.15

Besides Declude's whitelisting for authenticated users working only with v8.x I haven't found any reason to upgrade.

Markus
RE: [Declude.JunkMail] Spamchk fine tuning?
I just set up spamchk and was wondering if anyone can share some fine-tuning info with me? Updated keyword lists and such? I tried subscribing to their list but all I get back is an Invalid Syntax email from their mail server.

hmm... I've tried to un- and then subscribe without any problem. Try to go to www.spamchk.com and click on the subscribe link in the center of the page.

Markus
RE: [Declude.JunkMail] IPBYPASS limitations
It is not very difficult. But it is difficult (costly, to be more precise, in terms of making very careful changes to the code and determining performance changes) to change it to an unlimited number of entries. So we need to decide how important such a change is, the maximum value we can see our customers using in the near future, and the effect of any extra memory allocation.

Ok, I can understand this.

What happens here is that if we say OK, this is a good use of the IPBYPASS feature, there are going to be people who use it like whitelisting, and want to enter hundreds or thousands of IPs.

What's wrong with it? It's their decision. Or not?

Then if you do not use the IPBYPASS option, and an E-mail comes from one of those IPs, Declude JunkMail will still scan the next hop (which is what you are getting with IPBYPASS).

? Doesn't HOPHIGH=1 mean that Declude should scan two IPs? The first (connecting) one and - if present - the IP before. So I will accumulate in any case the (in my eyes false positive) points for these two IP blocks.

Perhaps a filter that checks the reverse DNS entry, such as REVDNS -10 CONTAINS .example.com?

For sure: This will work. But as I understand it, this will have the same result as with IP counterweights: The counterweight is static and I have to adapt manually to the changing listings of IP blacklists. Today these IP blocks (or REVDNS names) are listed in only two blacklists. Tomorrow they can be listed in 8 or 10 blacklists and my static counterweight is far too low.

This is also the reason why I asked some weeks ago if it would be possible to query http://www.dnsstuff.com/tools/ip4r.ch by specifying my own filter list of IP blacklists (that I currently use in my cfg file). So it would be much, much easier to check manually what the actual situation is and what counterweight I have to assign. Better would be if I could post the ip4r and rhbl part of my filter file and the spam database lookup script would calculate and return my personal result.

Amazing would be if I'm able to BYPASS certain IP ranges. That would give me the possibility to use any external IP blacklist, and if I have the opinion that certain IP ranges in their list are wrong then I can simply bypass them.

I know: The problem is the ISPs that are not able to get permanently out of the blacklists. But what should I do? Call them and explain what they should do? I think we all are using Declude because we have decided to go into a defensive position and fight spam. If I really want to persuade ignorant mailserver admins (and maybe also spammers) then it would be better to become a preacher... ;-)

Markus
[Declude.JunkMail] IPBYPASS limitations
Hi Scott

According to the manual we can have up to 20 IPBYPASS entries. At the moment I'm already over this limit:

    IPBYPASS 194.242.192.2      # local providers
    IPBYPASS 194.242.192.3
    IPBYPASS 194.242.196.14
    IPBYPASS 213.21.176.244
    IPBYPASS 213.21.176.246
    IPBYPASS 195.254.224.4
    IPBYPASS 193.70.192.33      # Virgilio
    IPBYPASS 193.70.192.38
    IPBYPASS 193.70.192.46
    IPBYPASS 193.70.192.51
    IPBYPASS 193.70.192.52
    IPBYPASS 193.70.192.62
    IPBYPASS 193.70.192.127
    IPBYPASS 212.216.176.58     # Tin
    IPBYPASS 212.216.176.185
    IPBYPASS 212.216.176.187
    IPBYPASS 212.216.176.206
    IPBYPASS 212.216.176.221
    IPBYPASS 212.216.176.222
    IPBYPASS 212.216.176.223
    IPBYPASS 212.216.176.224

The first block are MTAs from other local ISPs where we have set up numerous mail forwardings. So we can search for open relays also on these forwarded messages. The second and third blocks are groups of MTAs of two large Italian ISPs. All these IPs have now been listed for over 3 months in more or less IP blacklists.

The problem is that we receive much more legit messages than spam from these IPs (usually over 95% is legit). More than 75% of our FPs are FPs because they triggered these IP blacklist tests.

Until yesterday I tried to counterweight these points with an IP filter list that gives some negative points. The problem is that numerous IP blacklist providers are adding and removing parts of these IP ranges daily/weekly. So it's nearly impossible to define an accurate counterweight for the IP filter file. If I subtract too much, this will let more spam messages pass. Otherwise I will have many more FPs.

The problem can be solved by adding these IPs to the IPBYPASS list, because then all these IPs are ignored and we can try to catch spam with the remaining tests.

Would it be possible to specify IPBYPASS ranges or to use an external IP file?

Markus
[Declude.JunkMail] improved performance using ramdrive?
Hi all,

Does anyone have experience using a ramdrive for all Declude exe, config and filter files?

Markus
RE: [Declude.JunkMail] OT unixtools help
Thanks to Bernd and Bill

The awk-script works fine.

Markus
RE: [Declude.JunkMail] Declude Updater
> I've uninstalled and reinstalled the updater. It updates the files in c:\program files\decludeupdater, but it does not update the Declude.exe file under c:\imail. Any ideas?

What is in the declude.ini file in the updater program directory? I haven't heard about such a problem since the updater has been available.

Keep in mind that it will download and replace the declude.exe file only if it was not already downloaded. For example, if you have already downloaded ver 1.75beta then this file will be saved under /beta/175/declude.exe. If this file is already there then it will not be downloaded and replaced in the Imail folder.

To redownload the file simply delete the /beta/175 folder and run the updater manually.

Markus

PS: I'm out of office for the next 24 hours.
RE: [Declude.JunkMail] Pexicom - was one more try...
Great work Matthew!

I have seen this type of message from the IP block 207.251.96.201 ... 204 in the last 10 days. So I've added

    207.251.96.200/29 [207.251.96.200] - [207.251.96.207] # mckinseyquarterly.com

to your pexicom-ipfile.

Does anyone know www.mckinseyquarterly.com? Looks legit...?

Looks like this guy has invested a lot to create a big spam engine. Maybe some Declude Pro users should set up a filter file to identify the X-JLH. So we could gradually create a more complete picture of this distributed spam processing technique.

    PEXICOM-HEADER filter C:\IMail\Declude\filters\pexicom_header.txt x 5 0

And in the pexicom_header.txt file:

    HEADERS 0 CONTAINS X-JLH

---
Gufler Markus
AW: [Declude.JunkMail] More encoded spam
[X] I agree.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Helpdesk
Sent: Wednesday, 11 September 2002 18:54
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] More encoded spam

on 9/5/02 9:23 PM, Madscientist wrote:

> All this is good I guess. Until we come up with some good examples of legitimate messages with text/html base64 then we won't completely settle the issue. It does seem that the evidence so far is strongly in favor of a spam/no-spam test for base64 encoded html.

Any news on this front? My subscribers and I are receiving more and more of this type of spam. Even if there are some legitimate messages of this type going around, I'd like a Declude test to identify this type of message. I plan on giving messages that fail this future test a weight of 5 in hopes that when combined with my other tests/weights it will cause these messages to exceed my automatic delete weight. If no one finds any legitimate messages of this type, I would obviously increase the weight of the test but until then I could at least stop some of these messages.

Later,
Greg
[Declude.JunkMail] Timed weight?
Hi Scott,

Only a suggestion, maybe I'm wrong: Could it be useful to give a few points to messages delivered in a certain time range (for example between 10.00 pm and 05.00 am)? A great part of the messages delivered in this time range are spam. The problem is that there are also newsletters and other auto-generated mails. But the important thing is that this test should be very easy to implement, it is very resource friendly and it covers only messages that are not hand written (not important).

Markus
[Declude.JunkMail] Different HOLD locations
My question: Is it possible to configure different directories for different HOLD actions?

Markus
AW: [Declude.JunkMail] More to check
The first one is an Italian university. I'm not sure about this university but normally any professor and any student can use a mailbox on the uni-mailserver.

Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom
Sent: Wednesday, 19 June 2002 01:55
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] More to check

These sites are in a different language or just very questionable, I'd appreciate any help as to what they are or if we should place them on the kill list.

    uniud.it
    mailerstobulkit.com.co.uk.co
    uol.com.co
    i-france.com
    mailclub.net
    telkom.net

Regards,
Tom
Image`fx

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
[Declude.JunkMail] Spam from open relay
Hi,

I have a question about the mail header below:

Following the mailservers that passed this mail, I can see that the first one was a hotmail mailserver. The second server (exchsrvr55.nardeen.com.sa) is very strange, because it has absolutely nothing to do with the recipient's mailserver (but it's obviously an OR).

So, why does a hotmail server send a mail to an OR that has nothing to do here? The content of this mail was spam, so I assume that the first hop (hotmail) is a fake and was just added before sending it, to hide the OR.

Question: Will this action have any consequence for the tests in JunkMail?

Markus

Received: from relay.seq.it [194.242.192.7] by mail.zcom.it with ESMTP
    (SMTPD32-6.06) id A4524E900C2; Fri, 14 Jun 2002 03:18:10 +0200
Received: from mbox.seq.it (ns.dnet.it [194.242.192.2]) by relay.seq.it
    (8.11.2/8.11.2) with ESMTP id g5E0EC528200 for [EMAIL PROTECTED];
    Fri, 14 Jun 2002 02:14:12 +0200
Received: from smtp.seq.it (lyskamm.dnet.it [194.242.196.14]) by mbox.seq.it
    (8.11.0/8.11.0) with ESMTP id g5E1OC104889;
    Fri, 14 Jun 2002 03:24:12 +0200 (MET DST)
Received: from exchsrvr55.nardeen.com.sa ([212.93.162.195]) by smtp.seq.it
    (8.11.0/8.11.0) with ESMTP id g5E1Yhr15353;
    Fri, 14 Jun 2002 03:34:44 +0200 (MET DST)
Received: from mx14.hotmail.com (209.248.175.2.nw.nuvox.net [209.248.175.2])
    by exchsrvr55.nardeen.com.sa with SMTP (Microsoft Exchange Internet Mail
    Service Version 5.5. 2653.13) id MZCDTKRV; Wed, 12 Jun 2002 19:39:04 -0700
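The hop question in this message and the IPBYPASS ranges asked for in the earlier message, as an added illustration (not Declude's code and not part of the original posts): walk the Received chain newest first, skip trusted forwarders, and report the first external IP, which is the one worth testing; everything below it was supplied by that external host. The trusted ranges and function names are assumptions made up for this example.

```python
import ipaddress
import re

# Received lines exactly as quoted in the message above, newest hop first.
RECEIVED = [
    "from relay.seq.it [194.242.192.7] by mail.zcom.it with ESMTP (SMTPD32-6.06) "
    "id A4524E900C2; Fri, 14 Jun 2002 03:18:10 +0200",
    "from mbox.seq.it (ns.dnet.it [194.242.192.2]) by relay.seq.it (8.11.2/8.11.2) "
    "with ESMTP id g5E0EC528200 for [EMAIL PROTECTED]; Fri, 14 Jun 2002 02:14:12 +0200",
    "from smtp.seq.it (lyskamm.dnet.it [194.242.196.14]) by mbox.seq.it (8.11.0/8.11.0) "
    "with ESMTP id g5E1OC104889; Fri, 14 Jun 2002 03:24:12 +0200 (MET DST)",
    "from exchsrvr55.nardeen.com.sa ([212.93.162.195]) by smtp.seq.it (8.11.0/8.11.0) "
    "with ESMTP id g5E1Yhr15353; Fri, 14 Jun 2002 03:34:44 +0200 (MET DST)",
    "from mx14.hotmail.com (209.248.175.2.nw.nuvox.net [209.248.175.2]) "
    "by exchsrvr55.nardeen.com.sa with SMTP (Microsoft Exchange Internet Mail Service "
    "Version 5.5. 2653.13) id MZCDTKRV; Wed, 12 Jun 2002 19:39:04 -0700",
]

# Assumption: forwarders we trust, written as ranges (constructed for this example).
TRUSTED = [ipaddress.ip_network(n) for n in ("194.242.192.0/24", "194.242.196.14/32")]
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hop(header):
    """Return (helo, peer_ip, recorded_by); peer_ip is None if no valid IP was logged."""
    head, _, rest = header.partition(" by ")
    words = head.split()
    helo = words[1] if len(words) > 1 and words[0] == "from" else None
    m = IP_RE.search(head)
    try:
        ip = ipaddress.ip_address(m.group(1)) if m else None
    except ValueError:  # bracketed text that is not a real address
        ip = None
    return helo, ip, (rest.split() or [None])[0]


def first_external_hop(headers, trusted):
    """Stop at the first peer IP outside the trusted ranges. That IP was logged by
    our server or a trusted forwarder; headers below it may be forged."""
    for i, header in enumerate(headers):
        helo, ip, by = parse_hop(header)
        if ip is None or not any(ip in net for net in trusted):
            return {"index": i, "test_ip": ip, "helo": helo, "recorded_by": by,
                    "unverified": [parse_hop(h) for h in headers[i + 1:]]}
    return None  # every hop was a trusted forwarder


if __name__ == "__main__":
    r = first_external_hop(RECEIVED, TRUSTED)
    print("IP to test:", r["test_ip"], "recorded by", r["recorded_by"])
    for helo, ip, _ in r["unverified"]:
        print("unverified hop claims", helo, ip)
```

With these assumed ranges the walk stops at 212.93.162.195, logged by smtp.seq.it; the mx14.hotmail.com line beneath it is only what that host wrote.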
[Declude.JunkMail] HTML-Test?
Hi,

I'm currently implementing JunkMail. My question: Is there a test for whether the mail is in HTML or in TEXT format? When I check the spam mails received in the past days, over 90% of these mails are HTML-formatted. So I think HTML-formatted mails should receive 2-3 points in the weighting system.

Any suggestions, arguments, info...?

Thanks
Markus
AW: [Declude.JunkMail] HTML-Test?
I'm not sure, but as far as I know, neither are Imail WebMail messages HTML-formatted nor are these messages scanned by Declude (on the WebMail server side).

Scott: Yes, I know that Outlook has standard settings to write HTML mails. But on the other side a great part of the false positives with my current settings are server-generated messages (reports, status notifications ...) and 100% of these mails are in standard text format. So HTML mails can collect some points that alone do not trigger any action but help to raise the recognition rate. But when you say to me that this doesn't make any sense, I will believe it.

Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Smith
Sent: Wednesday, 12 June 2002 14:39
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] HTML-Test?

Not to mention that all iMail Web mail is HTML. :)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Wednesday, June 12, 2002 8:34 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] HTML-Test?

> I'm currently implementing JunkMail. My question: Is there a test for whether the mail is in HTML or in TEXT format? When I check the spam mails received in the past days, over 90% of these mails are HTML-formatted. So I think HTML-formatted mails should receive 2-3 points in the weighting system. Any suggestions, arguments, info...?

The problem with this is that most personal E-mail is sent in HTML (you can give a BIG thanks to Microsoft for that one). I believe that the default settings in Outlook will send both text and HTML, even if there is no difference between the text and HTML segments (so even though the E-mail appears to be a plain text E-mail, it has an HTML copy of it).

-Scott
[Declude.JunkMail] DecludeUpdater
Hi all

On the Declude Free Tools page you can find a download link to the new DecludeUpdater.

This tool can be easily configured and run as a scheduled task on your Imail server. It gets a small file from the Declude homepage where information about the latest Declude beta and release is stored. If there is a new version it will be downloaded automatically and replaced in the Imail directory.

The tool is completely free. Please read the readme.txt in the downloaded zip file (and send me a corrected file if you find some grammar errors :)

Markus