RE: [Declude.JunkMail] Header Information Util...

2007-05-15 Thread IS - Systems Eng. (Karl Drugge)
Andy,

I may take you up on that. I'll fire up my .NET environment tonight and
poke around a bit. 

I wonder if it would be easier to attack if I dropped it all to a PST
file and rummaged around there, rather than pull through Outlook itself?
I could go straight at the file instead of having to use Outlook
commands... avoid the APIs and just build an array. Hmmm.

If I get something accomplished, I'll post it back here. Seems it's a
tool we could all use.

Karl Drugge
 
 
 
 
 
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy
Schmidt
Sent: Tuesday, May 15, 2007 9:17 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Header Information Util...

Hi Karl:

It sounds as if you are looking for a way to read message items in your
Outlook folders. You can accomplish this relatively easily by writing a
small Visual Basic for Applications "Outlook Macro". If you move the suspect
messages (at least temporarily) into some "work" subfolder in Outlook, then
it isn't too hard to iterate through that folder, open each message item and
then process its various properties.

Once you identify specific messages you can easily delete them, move them,
flag them or extract whatever information you need to a regular text file -
just to state a few examples.

I'd be happy to share some basic code snippets if you need a head start.

Best Regards,
Andy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of IS -
Systems Eng. (Karl Drugge)
Sent: Monday, May 14, 2007 10:23 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Header Information Util...

Message tracking won't tell me what specific email in an exchange email
box is the one I am interested in.

Maybe I'm not explaining myself.

After my Declude box filters over 23,000 emails, I have 1245 emails from
Friday night until Monday AM on my exchange server. I manually sort
these emails, winding up with roughly 118 left over verified SPAM
emails. I'd like a tool I can run against these emails, in an Outlook
mailbox, that will pull the info from the individual message headers.

I don't believe the server logs, on either server, are going to do a
thing, since I'd need to know which message I was looking for, one of
the 118 out of 1200 or 23000. Out of the emails that came in during the
time period I am sampling, I'd need the SMTP ID, and I'd have to
basically do what I am doing now, manually open each email header. I
want to bypass this, and pull the data directly.


Karl Drugge
 
 
 
 
 
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Darin Cox
Sent: Monday, May 14, 2007 8:15 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Header Information Util...

Looks to me that if you turn on Message Tracking, you get a log file
with
the info you need all on one line.  I'm not certain about REVDNS, but
you
certainly have from address, to address, and IPs.  You could run a
script
over this to get the REVDNS if it isn't there.  The stats you want could
then be compiled in Excel, a database, etc.

Darin.


- Original Message - 
From: "IS - Systems Eng. (Karl Drugge)" <[EMAIL PROTECTED]>
To: 
Sent: Monday, May 14, 2007 6:13 PM
Subject: RE: [Declude.JunkMail] Header Information Util...


Because the emails I have left are from a range of times/dates, and
they're on an Exchange server.

I'd have to know what SMTP ID's I was looking for in the logs, which I'd
need from the email header information, etc etc...


Karl Drugge







-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Darin Cox
Sent: Monday, May 14, 2007 6:04 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Header Information Util...

Why don't you use the mail server log files instead.  Much easier to
parse,
and tools like Grep and Sawmill can be used to do it.

Darin.


- Original Message - 
From: "IS - Systems Eng. (Karl Drugge)" <[EMAIL PROTECTED]>
To: 
Sent: Monday, May 14, 2007 5:45 PM
Subject: [Declude.JunkMail] Header Information Util...


I am hoping the people here can help me. It's not Declude specific, but
I consider the experts here as the most knowledgeable on SMTP and Email.

I am looking for a script/utility to pull the header information out of
every email in an Outlook/Exchange inbox. I want to be able to pull the
sending IP's, reverse DNS, and sender names out of the headers directly.
I'd like to point the script/util at an inbox, and have it yank this
info out, so I can, for instance, sort it and see that 12 out of the 130
messages came from free2way.com, and the address ranges were all the
same class C.

Every few days, I pull every email that has made its way to my inside
server and ma

RE: [Declude.JunkMail] Header Information Util...

2007-05-14 Thread IS - Systems Eng. (Karl Drugge)
Message tracking won't tell me what specific email in an exchange email
box is the one I am interested in.

Maybe I'm not explaining myself.

After my Declude box filters over 23,000 emails, I have 1245 emails from
Friday night until Monday AM on my exchange server. I manually sort
these emails, winding up with roughly 118 left over verified SPAM
emails. I'd like a tool I can run against these emails, in an Outlook
mailbox, that will pull the info from the individual message headers.

I don't believe the server logs, on either server, are going to do a
thing, since I'd need to know which message I was looking for, one of
the 118 out of 1200 or 23000. Out of the emails that came in during the
time period I am sampling, I'd need the SMTP ID, and I'd have to
basically do what I am doing now, manually open each email header. I
want to bypass this, and pull the data directly.


Karl Drugge
 
 
 
 
 
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Darin Cox
Sent: Monday, May 14, 2007 8:15 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Header Information Util...

Looks to me that if you turn on Message Tracking, you get a log file
with
the info you need all on one line.  I'm not certain about REVDNS, but
you
certainly have from address, to address, and IPs.  You could run a
script
over this to get the REVDNS if it isn't there.  The stats you want could
then be compiled in Excel, a database, etc.

Darin.


- Original Message - 
From: "IS - Systems Eng. (Karl Drugge)" <[EMAIL PROTECTED]>
To: 
Sent: Monday, May 14, 2007 6:13 PM
Subject: RE: [Declude.JunkMail] Header Information Util...


Because the emails I have left are from a range of times/dates, and
they're on an Exchange server.

I'd have to know what SMTP ID's I was looking for in the logs, which I'd
need from the email header information, etc etc...


Karl Drugge







-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Darin Cox
Sent: Monday, May 14, 2007 6:04 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Header Information Util...

Why don't you use the mail server log files instead.  Much easier to
parse,
and tools like Grep and Sawmill can be used to do it.

Darin.


- Original Message - 
From: "IS - Systems Eng. (Karl Drugge)" <[EMAIL PROTECTED]>
To: 
Sent: Monday, May 14, 2007 5:45 PM
Subject: [Declude.JunkMail] Header Information Util...


I am hoping the people here can help me. It's not Declude specific, but
I consider the experts here as the most knowledgeable on SMTP and Email.

I am looking for a script/utility to pull the header information out of
every email in an Outlook/Exchange inbox. I want to be able to pull the
sending IP's, reverse DNS, and sender names out of the headers directly.
I'd like to point the script/util at an inbox, and have it yank this
info out, so I can, for instance, sort it and see that 12 out of the 130
messages came from free2way.com, and the address ranges were all the
same class C.

Every few days, I pull every email that has made its way to my inside
server and manually sort out all legit emails ( we archive all emails on
our Exchange box ). What's left is pure SPAM, but it takes a few good
hours to sort the header information. More often than not, I end up
deleting most of it because I lack the time to properly utilize it.

Does anyone know of anything before I break down and write it myself ?
I'd rather not make a go-cart from scratch if someone has a used chevy
pickup.

PLEASE NOTE : Florida has a very broad public records law. Most written
communications to or from City officials regarding City business are
public
records available to the public and media upon request. Your E-mail
communications may be subject to public disclosure.



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.





RE: [Declude.JunkMail] Header Information Util...

2007-05-14 Thread IS - Systems Eng. (Karl Drugge)
Because the emails I have left are from a range of times/dates, and
they're on an Exchange server. 

I'd have to know what SMTP ID's I was looking for in the logs, which I'd
need from the email header information, etc etc...


Karl Drugge
 
 
 
 
 
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Darin Cox
Sent: Monday, May 14, 2007 6:04 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Header Information Util...

Why don't you use the mail server log files instead.  Much easier to
parse,
and tools like Grep and Sawmill can be used to do it.

Darin.


- Original Message ----- 
From: "IS - Systems Eng. (Karl Drugge)" <[EMAIL PROTECTED]>
To: 
Sent: Monday, May 14, 2007 5:45 PM
Subject: [Declude.JunkMail] Header Information Util...


I am hoping the people here can help me. It's not Declude specific, but
I consider the experts here as the most knowledgeable on SMTP and Email.

I am looking for a script/utility to pull the header information out of
every email in an Outlook/Exchange inbox. I want to be able to pull the
sending IP's, reverse DNS, and sender names out of the headers directly.
I'd like to point the script/util at an inbox, and have it yank this
info out, so I can, for instance, sort it and see that 12 out of the 130
messages came from free2way.com, and the address ranges were all the
same class C.

Every few days, I pull every email that has made its way to my inside
server and manually sort out all legit emails ( we archive all emails on
our Exchange box ). What's left is pure SPAM, but it takes a few good
hours to sort the header information. More often than not, I end up
deleting most of it because I lack the time to properly utilize it.

Does anyone know of anything before I break down and write it myself ?
I'd rather not make a go-cart from scratch if someone has a used chevy
pickup.




[Declude.JunkMail] Header Information Util...

2007-05-14 Thread IS - Systems Eng. (Karl Drugge)
I am hoping the people here can help me. It's not Declude specific, but
I consider the experts here as the most knowledgeable on SMTP and Email.

I am looking for a script/utility to pull the header information out of
every email in an Outlook/Exchange inbox. I want to be able to pull the
sending IP's, reverse DNS, and sender names out of the headers directly.
I'd like to point the script/util at an inbox, and have it yank this
info out, so I can, for instance, sort it and see that 12 out of the 130
messages came from free2way.com, and the address ranges were all the
same class C.

Every few days, I pull every email that has made its way to my inside
server and manually sort out all legit emails ( we archive all emails on
our Exchange box ). What's left is pure SPAM, but it takes a few good
hours to sort the header information. More often than not, I end up
deleting most of it because I lack the time to properly utilize it.

Does anyone know of anything before I break down and write it myself ?
I'd rather not make a go-cart from scratch if someone has a used chevy
pickup.

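
An added example, not code from anyone on the list: one way to do the header tally requested in this post, in Python rather than the VBA or .NET routes discussed in the thread. It assumes the messages have been exported as raw RFC 822 text, that relays in 10.0.0.0/8 are the site's own, and that the reverse-DNS name is the one the receiving gateway wrote into its Received line (no live lookups); all sample hosts and addresses are constructed.

```python
import ipaddress
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

# Assumption: hops from these networks are our own relays and are skipped.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Matches "from HELO (rdns [ip])" and the shorter "from HELO ([ip])" (IPv4 only).
HOP_RE = re.compile(
    r"from\s+\S+\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[0-9.]+)\]\)"
)

# Constructed sample messages; hosts and addresses are invented for the example.
SAMPLE_MESSAGES = [
    # 1: internal relay on top, real sending hop second, sender-supplied hop last
    "Received: from mail.inside.example ([10.0.0.5]) by exch.inside.example;"
    " Mon, 14 May 2007 08:00:03 -0400\n"
    "Received: from mx1.bulk.example (mx1.bulk.example [203.0.113.17])\n"
    "\tby gw.inside.example; Mon, 14 May 2007 08:00:01 -0400\n"
    "Received: from bank.example (bank.example [192.0.2.99]) by mx1.bulk.example;"
    " Mon, 14 May 2007 07:59:00 -0400\n"
    'From: "Deals" <promo@bulk.example>\n'
    "Subject: sample 1\n\nbody\n",
    # 2: same /24 as message 1, gateway recorded no reverse DNS name
    "Received: from mx7 ([203.0.113.44]) by gw.inside.example;"
    " Mon, 14 May 2007 08:05:00 -0400\n"
    "From: news@bulk.example\nSubject: sample 2\n\nbody\n",
    # 3: a different network and sender domain
    "Received: from host.other.example (host.other.example [198.51.100.23])"
    " by gw.inside.example; Mon, 14 May 2007 08:06:00 -0400\n"
    "From: Win Now <win@other.example>\nSubject: sample 3\n\nbody\n",
    # 4: no usable Received line at all
    "Received: by exch.inside.example id 0001; Mon, 14 May 2007 08:07:00 -0400\n"
    "From: nobody@nowhere.example\nSubject: sample 4\n\nbody\n",
]


def sending_hop(msg):
    """Return (ip, rdns) for the first hop, reading top-down, that is not ours.

    Received lines are prepended by each relay, so the topmost external hop is
    the one our own gateway wrote. Everything below it was supplied by the
    sender and is ignored.
    """
    for received in msg.get_all("Received", []):
        match = HOP_RE.search(received)
        if not match:
            continue
        try:
            ip = ipaddress.ip_address(match.group("ip"))
        except ValueError:  # e.g. "999.1.1.1"
            continue
        if any(ip in net for net in INTERNAL_NETS):
            continue
        return ip, (match.group("rdns") or "unknown").lower()
    return None


def summarize(raw_messages):
    """Tally sending /24, recorded reverse DNS name and From: domain."""
    by_net, by_rdns, by_sender = Counter(), Counter(), Counter()
    unparsed = 0
    for raw in raw_messages:
        msg = message_from_string(raw)
        hop = sending_hop(msg)
        if hop is None:
            unparsed += 1
            continue
        ip, rdns = hop
        by_net[str(ipaddress.ip_network(f"{ip}/24", strict=False))] += 1
        by_rdns[rdns] += 1
        domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
        by_sender[domain or "unknown"] += 1
    return {"by_net": by_net, "by_rdns": by_rdns,
            "by_sender": by_sender, "unparsed": unparsed}


if __name__ == "__main__":
    report = summarize(SAMPLE_MESSAGES)
    for name in ("by_net", "by_rdns", "by_sender"):
        print(name, report[name].most_common())
    print("unparsed", report["unparsed"])
```
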



[Declude.JunkMail] Spam reduction ?

2007-05-04 Thread IS - Systems Eng. (Karl Drugge)
Anyone else seeing a major reduction in spam the past week ?

I usually see about 14-15k messages daily, but since Monday have dropped
off to about 8k... Did the recent arrests and lawsuits have a result
this early ?

 

Karl Drugge 
B.S.I.T., A.S., M.C.S.E. ( NT 4.0, 2000, 2003 ), M.C.S.A. ( 2000 + 2003
), C.C.N.A., Network+, A+ 
I dream of the day when I will learn to stop asking questions to which I
will regret learning the answers ( Roy Greenhilt, Order of the Stick  ) 

 





RE: [Declude.JunkMail] Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution

2007-04-13 Thread IS - Systems Eng. (Karl Drugge)
This shouldn't be an issue for most of us. My DMZ boxes are already as
hardened as I can get them, with the firewall ( ingress and egress ),
patches, and IP filtering. I would think that most ISP's and corporate
networks would be using the same techniques. We gave up relying on M$
and other vendor patches keeping us safe.

Our solution is to block all traffic except that which is explicitly
needed by any server. Our DNS/SmarterMail/FTP server only has those
ports exposed to the Internet that are absolutely needed. Management
from inside to our DMZ is limited to a few workstations by the firewall.
If someone needs to work from home, they have to VPN inside, hit a
registered workstation/server, and THEN hit our DMZ boxes. Convoluted,
yes. PITA at times, sure. But it's pretty damn secure.

5 years and we haven't had a break yet ( crossing fingers ).

Karl Drugge
 
 
 
 
 
 
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark
Reimer
Sent: Friday, April 13, 2007 1:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Vulnerability in RPC on Windows DNS
Server Could Allow Remote Code Execution

While we are on the topic of vulnerabilities I just saw 2 new
vulnerabilities found in clamav.

Mark Reimer
IT System Admin
American CareSource
972-308-6887
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark
Reimer
Sent: Friday, April 13, 2007 12:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Vulnerability in RPC on Windows DNS
Server
Could Allow Remote Code Execution

You could do Microsoft's registry workaround if you are not using the
remote
management.

Mark Reimer
IT System Admin
American CareSource
972-308-6887
 
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Friday, April 13, 2007 10:58 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Vulnerability in RPC on Windows DNS
Server
Could Allow Remote Code Execution


> However, for ISP's that use MS DNS servers and do remote management 
> from the inside - their customers could potentially exploit them.
> I have worked with folks who run services other than mail on their DNS
> servers.  One example is FTP.  With passive ftp high ports 1024+ need 
> to be open both ways.  So if they are using standard ACL's and not a 
> firewall this could lead to some trouble as well.
Stateful firewalls don't need to open these ports for passive FTP.  The 
FTP connection is established on the standard port after which the 
passive port is shared with the client and the firewall tracks this and 
allows the connection.

As a rule of thumb, RPC should never be exposed to untrusted IP space.  
It is also odd and possibly grossly incompetent of Microsoft to choose 
to use ports 1024+ for such purposes, but I'm thinking that they have 
some weakly justifiable reason to do this as a "feature".

Matt


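
An added example, not from the thread: a toy Python model of the connection tracking Matt describes in the quoted message above, where the firewall reads the server's 227 reply on the control channel and admits only that one data connection instead of leaving ports 1024+ open. `FtpPinholeTracker` and its methods are hypothetical names, the check that the reply names the server itself is a design choice of this example, and the addresses are constructed.

```python
import re

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" is the server's PASV reply.
PASV_REPLY = re.compile(
    r"^227 [^()]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


class FtpPinholeTracker:
    """Default-deny inbound policy with a passive-FTP helper (hypothetical class)."""

    def __init__(self, server_ip):
        self.server_ip = server_ip
        self.control = set()   # clients with a control connection (simplified: by IP)
        self.expected = set()  # one-shot (client_ip, server_ip, port) pinholes

    def server_reply(self, client_ip, line):
        """Inspect one control-channel reply sent by the server to client_ip.

        Returns the port that was opened for that client, or None.
        """
        match = PASV_REPLY.match(line)
        if not match or client_ip not in self.control:
            return None
        nums = [int(n) for n in match.groups()]
        if any(n > 255 for n in nums):
            return None
        host = ".".join(str(n) for n in nums[:4])
        port = nums[4] * 256 + nums[5]
        # Only open a pinhole to the FTP server itself, and never to a low port.
        if host != self.server_ip or port < 1024:
            return None
        self.expected.add((client_ip, host, port))
        return port

    def allow_inbound(self, client_ip, dst_ip, dst_port):
        """Decide whether a new inbound TCP connection is permitted."""
        if dst_ip == self.server_ip and dst_port == 21:
            self.control.add(client_ip)
            return True
        key = (client_ip, dst_ip, dst_port)
        if key in self.expected:
            self.expected.discard(key)  # the pinhole is used exactly once
            return True
        return False


def demo():
    """Run a constructed session and return each decision in order."""
    fw = FtpPinholeTracker("192.0.2.10")
    client, other = "198.51.100.7", "198.51.100.8"
    return [
        fw.allow_inbound(client, "192.0.2.10", 50000),  # no control session yet
        fw.allow_inbound(client, "192.0.2.10", 21),     # control connection
        fw.server_reply(client, "227 Entering Passive Mode (192,0,2,10,195,80)"),
        fw.allow_inbound(other, "192.0.2.10", 50000),   # different client
        fw.allow_inbound(client, "192.0.2.10", 50000),  # the expected data connection
        fw.allow_inbound(client, "192.0.2.10", 50000),  # pinhole already consumed
        fw.server_reply(client, "227 Entering Passive Mode (192,0,2,10,0,135)"),
    ]


if __name__ == "__main__":
    print(demo())
```
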



RE: [Declude.JunkMail] Filtering question

2007-03-22 Thread IS - Systems Eng. (Karl Drugge)
Yes I did. Nice program, very complete. It did just about anything you
could imagine. 

But I found for what I needed, it did a bit too much. I ended up writing
my own in VB, and then porting it to a web page ( in ASP ) with all the
util's I run against the log files. Pretty much what my PERL scripts do
that I release here occasionally.

I even have a beta web site that allows adjusting the declude configs. 

Send me an email and we can discuss off-line if you want.


Karl Drugge
 
 
 
 
 
 
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary
Steiner
Sent: Wednesday, March 21, 2007 2:27 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Filtering question

Have you tried DLanalyzer?

http://www.invariantsystems.com/dlanalyzer/

There is a free version that you can use for evaluation.



 Original Message 
> From: "IS - Systems Eng. (Karl Drugge)" <[EMAIL PROTECTED]>
> Sent: Wednesday, March 21, 2007 9:35 AM
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] Filtering question
> 
> Oh well, didn't think there was. I just wanted to get a statistical
> sampling of what I was deleting. 
> 
> Karl Drugge
>  
>  
>  
>  
>  
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> David Barker
> Sent: Wednesday, March 21, 2007 9:01 AM
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] Filtering question
> 
> Hi Karl,
> 
> Unfortunately not, we don't count emails other than in the console.txt
> file
> 
> David 
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of IS -
> Systems Eng. (Karl Drugge)
> Sent: Wednesday, March 21, 2007 8:57 AM
> To: declude.junkmail@declude.com
> Subject: [Declude.JunkMail] Filtering question
> 
> I am trying to get some stats off of my Declude. It would help if I
> could
> set Declude to send me every fifth, or tenth, or one hundredth email
> that I
> have set to delete, or route-to.
> 
> Is there a way to do this ?
> 
> Karl Drugge
>  
> 
> 
> 
> 







RE: [Declude.JunkMail] Filtering question

2007-03-21 Thread IS - Systems Eng. (Karl Drugge)
Oh well, didn't think there was. I just wanted to get a statistical
sampling of what I was deleting. 

Karl Drugge
 
 
 
 
 
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
David Barker
Sent: Wednesday, March 21, 2007 9:01 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Filtering question

Hi Karl,

Unfortunately not, we don't count emails other than in the console.txt
file

David 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of IS -
Systems Eng. (Karl Drugge)
Sent: Wednesday, March 21, 2007 8:57 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Filtering question

I am trying to get some stats off of my Declude. It would help if I
could
set Declude to send me every fifth, or tenth, or one hundredth email
that I
have set to delete, or route-to.

Is there a way to do this ?

Karl Drugge
 







[Declude.JunkMail] Filtering question

2007-03-21 Thread IS - Systems Eng. (Karl Drugge)
I am trying to get some stats off of my Declude. It would help if I
could set Declude to send me every fifth, or tenth, or one hundredth
email that I have set to delete, or route-to.

Is there a way to do this ?

Karl Drugge
 







RE: [Declude.JunkMail] dns attacks today

2007-02-07 Thread IS - Systems Eng. (Karl Drugge)
Those are not the only DNS attacks...

TWC had one as well, I believe. One of their servers was knocked off the
net two days ago. I was monitoring my DNS changes at network solutions,
waiting for propagation and I kept getting random packet loss on it.

Karl Drugge
 
 
 
 
 
 
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick
Hayer
Sent: Wednesday, February 07, 2007 5:07 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] dns attacks today

fyi -
http://www.darkreading.com/document.asp?doc_id=116685&WT.svl=news2_1

-Nick





RE: [Declude.JunkMail] SPAM reductions ?

2007-01-31 Thread IS - Systems Eng. (Karl Drugge)
Haven't used them in years. The SPAM reduction is a lot more recent.

 

 

Karl Drugge

 

 

 

 

 

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Colbeck, Andrew
Sent: Wednesday, January 31, 2007 11:55 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] SPAM reductions ?

 

Karl, maybe your spam slowdown is because of the lame delegation of two
out of three of your DNS servers listed in your WHOIS.

 

http://www.dnsreport.com/tools/dnsreport.ch?domain=casselberry.org

 

How long have you not been using the DNS servers at twtelecom.net ?

 

Andrew.

 

 





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of IS - Systems Eng. (Karl Drugge)
Sent: Wednesday, January 31, 2007 5:23 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] SPAM reductions ?

Anyone seeing a reduction in incoming SPAM ? I've been looking
at my morning reports, and my incoming mail is off by 30 percent or so
for the past two weeks.

 

Typically, I'll see 12-15k messages a day, but lately it's been
9-12k. I can't believe I'm the only lucky one...

 

 

Karl Drugge

 




[Declude.JunkMail] SPAM reductions ?

2007-01-31 Thread IS - Systems Eng. (Karl Drugge)
Anyone seeing a reduction in incoming SPAM ? I've been looking at my
morning reports, and my incoming mail is off by 30 percent or so for the
past two weeks.

 

Typically, I'll see 12-15k messages a day, but lately it's been 9-12k. I
can't believe I'm the only lucky one...

 

 

Karl Drugge

 




[Declude.JunkMail] 20+ percent jump in SPAM

2007-01-16 Thread IS - Systems Eng. (Karl Drugge)
Guess they got the issues fixed in Asia that were keeping the spammers
offline

 

Karl Drugge

 

 




[Declude.JunkMail] Anyone know of a tool....

2007-01-10 Thread IS - Systems Eng. (Karl Drugge)
Looking for a tool that works with Outlook/Exchange..

I'd like to be able to pull all the header info out of any messages in a
particular folder.. like last-hop IP, domain name, that kind of stuff.
Once a week, I copy all messages sent/rev'd in the past few days into a
sort folder, and then manually check them all, deleting legit emails, to
see what got through my filters. What I'm left with is 100% SPAM that
made it into my Exchange box. I'd like a quick way to pull out the
header info from all these messages and parse it for reverse DNS,
sending domains, etc... 

Anyone know of something out there before I write my own ?

Karl Drugge
 
 
 
 
 
 
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Chris Asaro
Sent: Tuesday, January 09, 2007 5:13 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] all_list.dat ?

It has been requested of Engineering that a new all_list.dat be built ASAP.
You should have this in your hands soon.

 
Chris A.

 
 
 
 
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary
Steiner
Sent: Tuesday, January 09, 2007 4:30 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] all_list.dat ?

David (or any Declude people that may be reading),

Any chance of seeing a new all_list.dat any time soon, considering the
current one has a date of 6 Jul 06, and considering the additional input
from this recent thread?

I'm starting to see false positives caused by weights I previously gave to
"IANA Reserved" and "RIPE Unlisted".

Gary



 Original Message 
> From: "Jay Sudowski - Handy Networks LLC" <[EMAIL PROTECTED]>
> Sent: Thursday, January 04, 2007 5:57 PM
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] [IANA Reserved] ?
> 
> Indeed.  When we obtained our own IP space from ARIN, it was from 72/8,
> which had been released only about 6 months prior to it being assigned
> to us.  You wouldn't believe the number of networks that were running
> with 72/8 in their bogons list and were entirely blocking traffic from
> our network...
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Darrell ([EMAIL PROTECTED])
> Sent: Thursday, January 04, 2007 3:47 PM
> To: declude.junkmail@declude.com
> Subject: Re: [Declude.JunkMail] [IANA Reserved] ?
> 
> 
> I would be very careful with this.  IANA just released (I believe in
> October) 96/8, 97/8, 98/8, 99/8.  With the all_list.dat not being updated
> frequently I would tread very lightly in this area.  Part of 96/8 has been
> handed out.
> 
> Darrell
>

> Check out http://www.invariantsystems.com for utilities for Declude And
> Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG
> Integration, and Log Parsers.
> 
> - Original Message - 
> From: "S.J.Stanaitis" <[EMAIL PROTECTED]>
> To: 
> Sent: Thursday, January 04, 2007 3:29 PM
> Subject: RE: [Declude.JunkMail] [IANA Reserved] ?
> 
> 
> Nice.
> 
> Thanks,
> Sam
> 
> SJ.Stanaitis - Network Administrator
> Decorative Product Source E-commerce Network
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Scott
> Fisher
> Sent: Thursday, January 04, 2007 3:16 PM
> To: declude.junkmail@declude.com
> Subject: Re: [Declude.JunkMail] [IANA Reserved] ?
> 
> sending hop only: COUNTRY 0 IS *R
> 
> or
> 
> all hops: COUNTRIES 0 CONTAINS *R
> 
> - Original Message - 
> From: "S.J.Stanaitis" <[EMAIL PROTECTED]>
> To: 
> Sent: Thursday, January 04, 2007 1:55 PM
> Subject: RE: [Declude.JunkMail] [IANA Reserved] ?
> 
> 
> > Holy [EMAIL PROTECTED], that answers one question!
> >
> > Any idea how to incorporate the "IANA Reserved" thing into Declude?
> >
> > Thanks,
> > Sam
> >
> > SJ.Stanaitis - Network Administrator
> > Decorative Product Source E-commerce Network
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Scott
> > Fisher
> > Sent: Thursday, January 04, 2007 2:37 PM
> > To: declude.junkmail@declude.com
> > Subject: Re: [Declude.JunkMail] [IANA Reserved] ?
> >
> > Here are my december totals for the odd-balls (COUNTRY IS test)
> >
> >  Country Name            CountOfMessageID  DEL SPAM  HELD SPAM  Poss SPAM    OK
> >  APNIC Unlisted                        97        97          0          0     0
> >  ARIN Unlisted                       1426      1395         12          1    18
> >  Central/South America                 89        89          0          0     0
> >  European Union                      1804      1674          8          1   121
> >  IANA Reserved                      11677     11428         91        118    39
> >  Multi-Regional                        23        19          1          1     2
> >  RIPE Unlisted                       1332      1330          1          1     0
> >  Unknown                             4018      3938         13          3    64
> >
> >
> > #
> > #  Special Codes
> > #
> > #*1 Multi-Regional
> > #*2 Europe
> > #*3 North America
> > #*4 Central/South America
> > #*5 Pacific Rim
> > #*A ARIN Unlisted (North America/South Africa)
> > #*B Public Data Network
> > #*E RIPE Unlisted (Europe, North Africa, Middle East)
> > #*I Priv

RE: [Declude.JunkMail] OT: "Message" Storage

2006-12-18 Thread IS - Systems Eng. \(Karl Drugge\)
Gotta love that picture. Keeping it for my personal laptop background.

 

I'll agree with you 99%.. I hate lawyers with a passion, and excepting
the miniature French poodle and HR personnel, they are loathed beyond
all else. 

 

But, in doing a risk assessment, factors like the possible cost of a
possible lawsuit are something that should be considered. A hospital is
a good example. Regardless of what the I.T. team is doing ( for good or
ill ), it's a good idea to get the advice of a legal professional. Just
one suit will offset the cost of hundreds of consultations. It's not
always possible, especially in the smaller firms, to CYA in this
fashion, but a sign off from above works just as well.

 

As IT management, I stress that we offer the company technical
solutions. What we CAN do is very different in most cases, from what we
SHOULD do. The SHOULD do part comes from written company policy.
Written company policy needs impartial review, from as many perspectives
as possible. Medical/Legal/Financial records all have different
retention requirements. This includes emails which pertain to these
records ( or even have them imbedded ). So, how do you handle your
archives then ? Keeping ALL the emails will get you fried if you have
expunged records in your archives ( if you're an attorney ). Who sorts
these emails for relevant information to determine if they even should
be stored ? SOX doesn't require I keep emailed pictures of my 5 year old
nieces B'day party.. So do you check each one individually ?! Yargh !
Leave it up to the end users ? Oh boy...

 

So, why do ( or don't ) you have these records ? Company policy will be
the only thing that keeps you as the email admin from getting thrown
under the bus. Easy, company policy dictates it. You're off the hook.
Remember, when the witch hunt ends, you don't want to be the one wearing
the pointy hat.

 

Apologies for the hijacked thread...

 

Karl Drugge

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Monday, December 18, 2006 2:36 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] OT: "Message" Storage

 

Karl,

The problem is assuming that keeping it 'legal' involves lawyers for
instance.  The Sarbanes-Oxley Act of 2002 was enacted by Congress and
the responsibility for clarifying the law into workable practices was
assigned to PCAOB (The Public Company Accounting Oversight Board,
created by Sarbanes-Oxley), and signed off on by the SEC.  It is the
responsibility of independent auditors to verify compliance and report
its findings to the board of directors, who are ultimately responsible
for the companies in question.
.

.

        < Lots of good stuff >

.

.

.

Matt




IS - Systems Eng. (Karl Drugge) wrote: 

True, I'm covered by different laws..
 
But in regards to keeping 'legal', in all senses of the word, especially
when you are discussing 'home grown' versus 'off the shelf' solutions,
it would be best to consult legal advisors before implementing anything.
If you aren't sure, get advice. If you are sure, get it in writing.
 
I was private sector long before I converted to government, and still
keep some of those clients. Most of my clients would much rather have a
lawyer's sign off, especially if it's going to help them avoid a lawsuit
later.
 
Karl Drugge
 
 
 
 
 
 
 
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Monday, December 18, 2006 12:48 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] OT: "Message" Storage
 
Karl,
 
We were specifically talking about SOX (Sarbanes-Oxley) compliance,
which has no legal applicability to your own needs.  Your needs are
governed by Florida's "Government-in-the-Sunshine" laws which allow for 
public inspection of most records.
 
Matt
 
 
 
IS - Systems Eng. (Karl Drugge) wrote:
  

EXACTLY why we have the city attorney and another legal specialist
helping to formulate our own new policy. Best to invest some real $$$
now, before we get sued for our ignorance ( and  )
later.
 
 
Karl Drugge
 
 
 
 
 
 
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of
Sanford Whiteman
Sent: Sunday, December 17, 2006 1:46 PM
To: Matt
Subject: Re[2]: [Declude.JunkMail] OT: "Message" Storage
 

 
In  summary: you still don't know about e-mail archival for compliance
purposes.
 
Thanks for sharing.
 
--Sandy
 
 
 
---
This E-mail came from the Declude.JunkMail mailin

RE: [Declude.JunkMail] OT: "Message" Storage

2006-12-18 Thread IS - Systems Eng. \(Karl Drugge\)
True, I'm covered by different laws..

But in regards to keeping 'legal', in all senses of the word, especially
when you are discussing 'home grown' versus 'off the shelf' solutions,
it would be best to consult legal advisors before implementing anything.
If you aren't sure, get advice. If you are sure, get it in writing.

I was private sector long before I converted to government, and still
keep some of those clients. Most of my clients would much rather have a
lawyer's sign off, especially if it's going to help them avoid a lawsuit
later.

Karl Drugge
 
 
 
 
 
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Monday, December 18, 2006 12:48 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] OT: "Message" Storage

Karl,

We were specifically talking about SOX (Sarbanes-Oxley) compliance,
which has no legal applicability to your own needs.  Your needs are
governed by Florida's "Government-in-the-Sunshine" laws which allow for 
public inspection of most records.

Matt



IS - Systems Eng. (Karl Drugge) wrote:
> EXACTLY why we have the city attorney and another legal specialist
> helping to formulate our own new policy. Best to invest some real $$$
> now, before we get sued for our ignorance ( and  )
> later.
>
>
> Karl Drugge
>  
>  
>  
>  
>  
>  
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Sanford Whiteman
> Sent: Sunday, December 17, 2006 1:46 PM
> To: Matt
> Subject: Re[2]: [Declude.JunkMail] OT: "Message" Storage
>
> 
>
> In  summary: you still don't know about e-mail archival for compliance
> purposes.
>
> Thanks for sharing.
>
> --Sandy
>
>
>
> ---
> This E-mail came from the Declude.JunkMail mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail".  The archives can be found
> at http://www.mail-archive.com.
>
>
>
>
>


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.








Re[2]: [Declude.JunkMail] OT: "Message" Storage

2006-12-18 Thread IS - Systems Eng. \(Karl Drugge\)
EXACTLY why we have the city attorney and another legal specialist
helping to formulate our own new policy. Best to invest some real $$$
now, before we get sued for our ignorance ( and  )
later.


Karl Drugge
 
 
 
 
 
 
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Sanford Whiteman
Sent: Sunday, December 17, 2006 1:46 PM
To: Matt
Subject: Re[2]: [Declude.JunkMail] OT: "Message" Storage



In  summary: you still don't know about e-mail archival for compliance
purposes.

Thanks for sharing.

--Sandy






RE: [Declude.JunkMail] Why are these being whitelisted?

2006-12-14 Thread IS - Systems Eng. \(Karl Drugge\)
We currently have the city attorneys looking into this whole issue with
a legal specialist in records law. But, from the discussions so far, it
turns out that we only have to NOT delete stuff in our possession that
is under investigation. That being said, if we drop our backup tape
retention period to 30 days, re-write our policy to state we use those
tapes for disaster recovery purposes only, and the end user is
responsible for archiving all relevant material ( on our servers, that
we keep tapes for 30 days, just in case of a disaster ! ), then
technically, WE don't HAVE to keep anything. The end user is
responsible, and I.T. is NOT a records archiving division. Feel free to
subpoena anything we might have had in the past 30 days  !

 

The only other way around this is to archive EVERYTHING, since you have
no way of knowing what's relevant, and what could be asked for at a
future date. Anything from divorce attorneys, civil litigation, and
personnel witch hunts are fair game. Each has a separate retention date,
so you also have to keep it into perpetuity, which also violates any
laws regarding expunging/deleting records. You're damned if you do,
damned if you don't.

 

If we get the legal nod, I'll be shredding 4 years worth of archived
mail on DVD, along with our backup tapes.

 

 

Karl Drugge

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Chris Asaro
Sent: Thursday, December 14, 2006 1:49 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Why are these being whitelisted?

 

Question Authority

 

 

Chris

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Sharyn Schmidt
Sent: Thursday, December 14, 2006 1:44 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Why are these being whitelisted?

 



 

IF it is a mistake, then my boss is the one that is making it

 

I just do what I'm told!

 

:)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Darin Cox
Sent: Thursday, December 14, 2006 1:31 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Why are these being whitelisted?

That has to be a mistake.  For example, if a company were to use
an external filtering service, they would have no means of archiving
spam that had been filtered out.

 

Also, with spam currently at 90% of all incoming email, it's
ludicrous to have to archive 10x the actual legitimate email volume in
order to be "compliant".


Darin.

 

 

- Original Message - 

From: Sharyn Schmidt   

To: declude.junkmail@declude.com 

Sent: Thursday, December 14, 2006 12:47 PM

Subject: RE: [Declude.JunkMail] Why are these being whitelisted?

 

We are required to archive ALL incoming mail. The Sarbanes-Oxley
Act does not differentiate between legitimate mail and spam :)

 

I did remove the whitelist to.

 

I went back to using the masterbkup.junkmail file and just
setting all actions to ignore.

 

I just wanted to know what had caused this, so in the future it
doesn't happen again.

 

Thanks!

 

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Darin Cox
Sent: Thursday, December 14, 2006 12:20 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Why are these being
whitelisted?

You're required to archive spam?  I can't imagine that.
I would remove the WHITELIST TO.

 

Note that if any of the recipients are whitelisted, then
all will effectively be whitelisted for that message.


Darin.

 

 



[Declude.JunkMail] List up ?

2006-12-13 Thread IS - Systems Eng. \(Karl Drugge\)
List up ? Nothing in a day or so

 

Karl Drugge

 

  




RE: [Declude.JunkMail] New Reporting Tool

2006-12-12 Thread IS - Systems Eng. \(Karl Drugge\)
Try dragging down the script again. Maybe it didn't copy right to your
HD ?

 

 

Karl Drugge

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Lists - Declude JunkMail
Sent: Tuesday, December 12, 2006 3:07 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New Reporting Tool

 

I've got ActiveState Perl 5.8.8 bld 819 installed and working.  I use
perl for all sorts of other scripts with no issues.

 

I'm not sure what Regex is.  I thought it was part of your code.  I
don't see a perl package install called Regex.

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of IS -
Systems Eng. (Karl Drugge)
Posted At: Monday, December 11, 2006 4:33 PM
Posted To: Lists - Declude JunkMail
Conversation: [Declude.JunkMail] New Reporting Tool
Subject: RE: [Declude.JunkMail] New Reporting Tool

What's Regex ? Do you have PERL installed ?

 

A 20 meg log file shouldn't matter...

 

Karl Drugge

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Lists - Declude JunkMail
Sent: Thursday, December 07, 2006 4:29 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New Reporting Tool

 

Thanks so much for this!

 

I tried it out and it errors out as follows:

 

 File path : g:/logarchive/
 Processing a single day

 

 Opening File : g:/logarchive/dec1206.log


.

 

 Sorting arrays and cleaning up data
Unmatched [ in regex; marked by <-- HERE in m/[ <-- HERE weight/ at
f:\tools\distro-declog.pl line 443.

 

My log is 20mb if that matters.

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of IS -
Systems Eng. (Karl Drugge)
Posted At: Thursday, December 07, 2006 1:53 PM
Posted To: Lists - Declude JunkMail
Conversation: New Reporting Tool
Subject: [Declude.JunkMail] New Reporting Tool

 

The newest PERL script. Slices, dices, etc ... Throw it in a directory,
edit a few environment variables at the top of the script, dump in a few
Declude logs, run it, enjoy. Requires PERL, of course.

 

Added two command line switches : 'day' and 'week' . Day does the
previous day, week does the previous week. No command line switch, and
you do all the logs in the directory. This can be memory
intensive... You have been warned ! My own server, with 11-13k log
files, consumes 700+ megs of memory when doing an entire month. Folks
with larger files might want to think about doing this many files at
once.

 

Karl Drugge

 

 




[Declude.JunkMail] blklst ON statistics...

2006-12-12 Thread IS - Systems Eng. \(Karl Drugge\)
Interesting.. I ran some scripts against the blklst.txt file, and it
shows I am already blocking the most active connections. About the only
thing I can really see, is that the SPAM is coming from hundreds of
IP's, with only a few from each one. I was kind of shocked by the extent
of it, figuring that I'd see numerous IP's over 100 in a 12 hour period.
But 8300+ IP's, and only 10 or so above 10 connections. Wow. Talk about
distributed !

Script attached, PERL again, edit the top to fit your environment, as
usual.

Output below.. 

Total IP's : 8381



Karl Drugge 
B.S.I.T., A.S., M.C.S.E. (NT 4, 2k, 2k3), M.C.S.A. (2k + 2k3), C.C.N.A.,
Network+, A+ 
I dream of the day when I will learn to stop asking questions to which I
will regret learning the answers ( Roy Greenhilt, Order of the Stick  ) 





decblklst.pl
Description: decblklst.pl
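
Added example (not Karl's decblklst.pl, which the archive does not reproduce): a Python tally of the kind described in the message above, run over the "IP weight" line layout David Barker gave for blklst.txt. It assumes one line per processed message; the sample data, function names and thresholds are constructed for illustration, and the /24 grouping goes one step beyond the per-IP count to show where many low-volume senders share a network.

```python
"""Tally a Declude blklst.txt: hits per IP, busy senders, and /24 clustering."""
import ipaddress
from collections import Counter, defaultdict

# Constructed sample in the "IP weight" layout (documentation address ranges only).
SAMPLE_BLKLST = """\
192.0.2.10 23
192.0.2.10 31
192.0.2.10 19
198.51.100.7 7
203.0.113.5 40
203.0.113.9 38
203.0.113.77 41
203.0.113.200 12
not-an-ip 5
198.51.100.8
"""


def parse_blklst(text):
    """Return (entries, rejects). Malformed lines are reported, never fatal."""
    entries, rejects = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        try:
            entries.append((ipaddress.IPv4Address(fields[0]), int(fields[1])))
        except (ValueError, IndexError):
            # Bad address, non-numeric weight, or missing weight column.
            rejects.append((lineno, line))
    return entries, rejects


def summarise(entries, busy_threshold=10, min_subnet_ips=3):
    """Count hits per IP and flag /24s made up only of low-volume senders."""
    hits = Counter(ip for ip, _ in entries)
    weight_sum = Counter()
    for ip, weight in entries:
        weight_sum[ip] += weight

    # (ip, hits, mean weight), busiest first, ties broken by address.
    per_ip = sorted(
        ((ip, n, weight_sum[ip] / n) for ip, n in hits.items()),
        key=lambda row: (-row[1], row[0]),
    )

    # Group sending IPs by their /24 to expose distributed sources that
    # never cross the per-IP threshold on their own.
    subnet_members = defaultdict(set)
    for ip in hits:
        subnet_members[ipaddress.ip_network(f"{ip}/24", strict=False)].add(ip)
    spread = sorted(
        (net, len(ips), sum(hits[ip] for ip in ips))
        for net, ips in subnet_members.items()
        if len(ips) >= min_subnet_ips
        and all(hits[ip] <= busy_threshold for ip in ips)
    )

    return {
        "unique_ips": len(hits),
        "messages": len(entries),
        "busy_ips": [row for row in per_ip if row[1] > busy_threshold],
        "per_ip": per_ip,
        "spread_subnets": spread,
    }


if __name__ == "__main__":
    parsed, bad = parse_blklst(SAMPLE_BLKLST)
    report = summarise(parsed, busy_threshold=2)
    print(f"Total IP's : {report['unique_ips']}  ({len(bad)} lines rejected)")
    print(f"{'Hits':>5}  {'IP Address':<16} {'Mean weight':>11}")
    for ip, n, mean_weight in report["per_ip"]:
        print(f"{n:>5}  {str(ip):<16} {mean_weight:>11.1f}")
    for net, members, total in report["spread_subnets"]:
        print(f"{net}: {members} low-volume senders, {total} messages")
```

To run it against a real file, pass the contents of \spool\blklst.txt to parse_blklst() instead of SAMPLE_BLKLST.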


RE: [Declude.JunkMail] New Reporting Tool

2006-12-11 Thread IS - Systems Eng. \(Karl Drugge\)
What's Regex ? Do you have PERL installed ?

 

A 20 meg log file shouldn't matter...

 

Karl Drugge

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Lists - Declude JunkMail
Sent: Thursday, December 07, 2006 4:29 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New Reporting Tool

 

Thanks so much for this!

 

I tried it out and it errors out as follows:

 

 File path : g:/logarchive/
 Processing a single day

 

 Opening File : g:/logarchive/dec1206.log


.

 

 Sorting arrays and cleaning up data
Unmatched [ in regex; marked by <-- HERE in m/[ <-- HERE weight/ at
f:\tools\distro-declog.pl line 443.

 

My log is 20mb if that matters.

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of IS -
Systems Eng. (Karl Drugge)
Posted At: Thursday, December 07, 2006 1:53 PM
Posted To: Lists - Declude JunkMail
Conversation: New Reporting Tool
Subject: [Declude.JunkMail] New Reporting Tool

 

The newest PERL script. Slices, dices, etc ... Throw it in a directory,
edit a few environment variables at the top of the script, dump in a few
Declude logs, run it, enjoy. Requires PERL, of course.

 

Added two command line switches : 'day' and 'week' . Day does the
previous day, week does the previous week. No command line switch, and
you do all the logs in the directory. This can be memory
intensive... You have been warned ! My own server, with 11-13k log
files, consumes 700+ megs of memory when doing an entire month. Folks
with larger files might want to think about doing this many files at
once.

 

Karl Drugge

 

 




RE: [Declude.JunkMail] blklst ON

2006-12-11 Thread IS - Systems Eng. \(Karl Drugge\)
This keeps track of all emails processed ?

Karl Drugge
 
 
 
 
 
 
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
David Barker
Sent: Monday, December 11, 2006 5:12 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] blklst ON

I must have posted the global.cfg sorry, if it is working in the declude.cfg
then that's where it should go. Hey I said it was undocumented ;)

David B
www.declude.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Stephen
King
Sent: Monday, December 11, 2006 4:47 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] blklst ON

I just tried entering blklst on in declude.cfg instead of global.cfg and the
file is now being populated.



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Scott
Fisher
Sent: Monday, December 11, 2006 4:28 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] blklst ON


Yes, I scanned the whole drive for blklst.txt and found none.
 
Declude 4.3.23 on Imail 2006.1

- Original Message - 
From: David Barker   
To: declude.junkmail@declude.com 
Sent: Monday, December 11, 2006 3:03 PM
Subject: RE: [Declude.JunkMail] blklst ON

Did you check your \Spool ?



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of
Scott Fisher
Sent: Monday, December 11, 2006 3:15 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] blklst ON


I tried 'blklst on' in the global.cfg and no file was created

-
Scott Fisher
Director of IT
Farm Progress Companies
191 S Gary Ave
Carol Stream, IL 60188
630-462-2323
 



[Declude.JunkMail] New Reporting Tool

2006-12-07 Thread IS - Systems Eng. \(Karl Drugge\)
 

The newest PERL script. Slices, dices, etc ... Throw it in a directory,
edit a few environment variables at the top of the script, dump in a few
Declude logs, run it, enjoy. Requires PERL, of course.

 

Added two command line switches : 'day' and 'week' . Day does the
previous day, week does the previous week. No command line switch, and
you do all the logs in the directory. This can be memory
intensive... You have been warned ! My own server, with 11-13k log
files, consumes 700+ megs of memory when doing an entire month. Folks
with larger files might want to think about doing this many files at
once.

 

Karl Drugge

 

 

  




Distro-declog.pl
Description: Distro-declog.pl


[Declude.JunkMail] Suggestion for Junkmail....

2006-12-06 Thread IS - Systems Eng. \(Karl Drugge\)
Just a quick suggestion, may even save programming time...


Please leave the log file formats and entries alone.. It REALLY plays
hell with my automated scripts and programs when keywords, field
lengths, and schema are altered ( seemingly at random ) from version to
version. 

I know I can't be alone on this..


Karl Drugge







RE: [Declude.JunkMail] Undocumented Directive 4.x

2006-12-05 Thread IS - Systems Eng. \(Karl Drugge\)
Running the newest, and still nothing... 

Is it in a later, or the current BETA, versions ?

Karl Drugge
 
 
 
 
 
 
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
David Barker
Sent: Monday, December 04, 2006 2:17 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Undocumented Directive 4.x

Mmm maybe I had them put it in a bit later. I think it is definitely in
4.3.14 ... 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of IS -
Systems Eng. (Karl Drugge)
Sent: Monday, December 04, 2006 2:11 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Undocumented Directive 4.x

Running v4.3.7 for SmarterMail, and I don't have any blklst.txt file
anywhere on my disk. Do I need to upgrade to a newer version ?

Karl Drugge
 
 
 
 
 
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
David
Barker
Sent: Monday, December 04, 2006 12:58 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Undocumented Directive 4.x

Just an FYI you may find it useful, in the global.cfg:

BLKLST  ON

Writes a text file to the \spool\blklst.txt containing the IP and weight of
emails eg.

1.1.1.1 23
2.2.2.2 7

David Barker
Director of Product Management
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]






RE: [Declude.JunkMail] Undocumented Directive 4.x

2006-12-04 Thread IS - Systems Eng. \(Karl Drugge\)
Running v4.3.7 for SmarterMail, and I don't have any blklst.txt file
anywhere on my disk. Do I need to upgrade to a newer version ?

Karl Drugge
 
 
 
 
 
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
David Barker
Sent: Monday, December 04, 2006 12:58 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Undocumented Directive 4.x

Just an FYI you may find it useful, in the global.cfg:

BLKLST  ON

Writes a text file to the \spool\blklst.txt containing the IP and weight
of emails eg.

1.1.1.1 23
2.2.2.2 7

David Barker
Director of Product Management
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]
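
One way the blklst.txt output described above could be summarised to spot repeat high-weight sources, as an added example that is not part of the original posts or of Declude. It assumes one whitespace-separated "IP weight" pair per message, as in the two sample lines; the extra sample lines, thresholds and function names are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample. Only the first two lines appear in the post; the rest
# are made up to exercise repeats, neighbours in one /24 and malformed input.
SAMPLE = """\
1.1.1.1 23
2.2.2.2 7
1.1.1.1 31
1.1.1.77 18
not-an-ip 12
2.2.2.2
3.3.3.3 -4
"""


def parse_line(line):
    """Return (ip_string, weight) or None when the line is not 'IPv4 integer'."""
    parts = line.split()
    if len(parts) != 2:
        return None
    try:
        return str(ipaddress.IPv4Address(parts[0])), int(parts[1])
    except ValueError:  # bad address or non-integer weight
        return None


def summarise(text):
    """Aggregate per IP: message count, total weight and highest weight.

    Returns (stats, skipped) where skipped counts non-blank lines that
    did not parse, so a format change between versions is noticed.
    """
    stats = defaultdict(lambda: {"count": 0, "total": 0, "max": None})
    skipped = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        if record is None:
            skipped += 1
            continue
        ip, weight = record
        entry = stats[ip]
        entry["count"] += 1
        entry["total"] += weight
        entry["max"] = weight if entry["max"] is None else max(entry["max"], weight)
    return dict(stats), skipped


def repeat_offenders(stats, min_count=2, min_avg=20):
    """IPs seen at least min_count times with an average weight >= min_avg.

    Both thresholds are constructed defaults; tune them to the hold and
    delete weights used on the server. Sorted by average weight, highest first.
    """
    rows = []
    for ip, entry in stats.items():
        average = entry["total"] / entry["count"]
        if entry["count"] >= min_count and average >= min_avg:
            rows.append((ip, entry["count"], average))
    return sorted(rows, key=lambda row: (-row[2], row[0]))


def by_slash24(stats):
    """Roll total weight up to the enclosing /24 to expose noisy neighbours."""
    totals = defaultdict(int)
    for ip, entry in stats.items():
        network = ipaddress.ip_network(ip + "/24", strict=False)
        totals[str(network)] += entry["total"]
    return dict(totals)


if __name__ == "__main__":
    stats, skipped = summarise(SAMPLE)
    print("skipped lines:", skipped)
    for ip, count, average in repeat_offenders(stats):
        print(f"{ip}: {count} messages, average weight {average:.1f}")
    for network, total in sorted(by_slash24(stats).items()):
        print(f"{network}: total weight {total}")
```
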






FW: [Declude.JunkMail] Results ! 92.9 percent delete rate...

2006-11-09 Thread IS - Systems Eng. \(Karl Drugge\)
 
Hadn't really thought of selling it myself. Give me a few days to get my
Exchange box 100% functional, and we'll see. I'd need to make a few
changes since I hard coded log file locations and a few other things. 


Karl Drugge
 
 
 
 
 
 

-Original Message-
From: Craig Edmonds [mailto:[EMAIL PROTECTED] 
Sent: Thursday, November 02, 2006 3:45 PM
To: IS - Systems Eng. (Karl Drugge)
Subject: RE: [Declude.JunkMail] Results ! 92.9 percent delete rate...
Importance: High

 
Hi Karl,

I have to ask Off List and hope you don't mind.

Would you consider selling me a copy or a license?

Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.com
E : [EMAIL PROTECTED]
 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of IS -
Systems Eng. (Karl Drugge)
Sent: Thursday, November 02, 2006 9:35 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Results ! 92.9 percent delete rate...

Wrote it myself !

Kind a 'swiss army knife' for the logs.. Summary report for rules, and
the old "What happened to Aunt Martha's email she sent me from Tibet".
Typical stuff in the daily life of a Declude admin.

It doesn't do everything some of the others do, but more than enough for
me and my friends. 

Karl Drugge
 
 
 
 
 
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Craig Edmonds
Sent: Thursday, November 02, 2006 1:20 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Results ! 92.9 percent delete rate...
Importance: High

Hi,

Where did you get the declude log reader from? 


Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.com


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of IS -
Systems Eng. (Karl Drugge)
Sent: Thursday, November 02, 2006 7:13 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Results ! 92.9 percent delete rate...

Doing my monthly checkup on how my rules are working, and was blown away
at the actual amount I am getting. 11 thousand a day ? Damn, we only
have 250 employees ! Anyone else seeing this upswing ? Two-three months
ago I was getting 6 thousand a day..

The new version of Declude is rocking..

Check it out: http://www.casselberry.org/results.bmp


Karl Drugge
 








[Declude.JunkMail] SmarterMail Problem...

2006-11-06 Thread IS - Systems Eng. \(Karl Drugge\)
Wow ! FUN weekend ! Internal Exchange server lost two drives
simultaneously on a RAID 5 stripe early Friday... Then on rebuild
started dropping random drives. Needless to say, Dell backplanes are a
little hard to come by on a weekend.

Anyway, after we get the Exchange box back Saturday, it turns out
SmarterMail only mailbags for 2 hours.. anyone know how to fix this
before I attempt a call to smartertools ? I haven't been impressed with
their support line in the past.

Karl Drugge








RE: [Declude.JunkMail] Results ! 92.9 percent delete rate...

2006-11-02 Thread IS - Systems Eng. \(Karl Drugge\)
Wrote it myself !

Kind a 'swiss army knife' for the logs.. Summary report for rules, and
the old "What happened to Aunt Martha's email she sent me from Tibet".
Typical stuff in the daily life of a Declude admin.

It doesn't do everything some of the others do, but more than enough for
me and my friends. 

Karl Drugge
 
 
 
 
 
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Craig Edmonds
Sent: Thursday, November 02, 2006 1:20 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Results ! 92.9 percent delete rate...
Importance: High

Hi,

Where did you get the declude log reader from? 


Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.com


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of IS -
Systems Eng. (Karl Drugge)
Sent: Thursday, November 02, 2006 7:13 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Results ! 92.9 percent delete rate...

Doing my monthly checkup on how my rules are working, and was blown away
at the actual amount I am getting. 11 thousand a day ? Damn, we only
have 250 employees ! Anyone else seeing this upswing ? Two-three months
ago I was getting 6 thousand a day..

The new version of Declude is rocking..

Check it out: http://www.casselberry.org/results.bmp


Karl Drugge
 








RE: [Declude.JunkMail] Analyzing junkmail log files

2006-09-21 Thread IS - Systems Eng. \(Karl Drugge\)
I did DL a copy some time ago, and it didn't really fit my needs, hence
writing my own. Not to say DLAnalyzer isn't a good product, but for the
4 or 5 things I need done on a regular basis, mine works better for me
and my site. If I was running multiple servers, or needed some of the
advanced options you offer, it would be a different story.

Mine basically grew out of a PERL script I wrote way back for declude
1.6x.. 5 or 6 quick buttons for the junior admins ( AKA Monkeys ) to
push when they need some info on why email did/didn't get where it was
supposed to.

Karl Drugge
 
 
 
 
 
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Darrell ([EMAIL PROTECTED])
Sent: Wednesday, September 20, 2006 5:33 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Analyzing junkmail log files

Karl, 

I would recommend DLAnalyzer - (since it's our product).  It can process
both virus and junkmail logs, process multiple days, process multiple
servers, email capability, as well as providing all types of reports.  It
is compatible with past and current versions of Declude.

Here is a link to all the reports.
http://www.invariantsystems.com/dlanalyzer/reportsamples.htm

We also have a "free" version that covers the basic features you were
used to with Delog.

Darrell
 ---
Check out http://www.invariantsystems.com for utilities for Declude,
Imail, mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring,
SURBL/URI integration, MRTG Integration, and Log Parsers.

 

Karl Hentschel writes: 

> Up until upgrading from Declude 2.06 to 3.11 I had been using delog 1.08b
> from imagefxonline for analyzing my junkmail log files. After the upgrade it
> no longer works. Delog was a simple tool that emailed me daily and gave
> statistics for all the tests. From this I could determine which were the
> most effective. Does anybody have a suggestion for a replacement program to
> analyze junkmail log files that can email the results automatically? Which
> program has been the most successful? Or has anyone been successful using
> delog with declude 3.11?
> 
> Thanks 
> 
>  
> 



RE: [Declude.JunkMail] Analyzing junkmail log files

2006-09-20 Thread IS - Systems Eng. \(Karl Drugge\)
I've been using my own, written in VB.net . Quick and dirty, but it gets
the job done.

Been thinking of porting it to run under a web page and selling it for
cheap if there was an interest.

Karl Drugge
 
 
 
 
 
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Karl
Hentschel
Sent: Wednesday, September 20, 2006 4:22 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Analyzing junkmail log files

Up until upgrading from Declude 2.06 to 3.11 I had been using delog 1.08b
from imagefxonline for analyzing my junkmail log files. After the upgrade it
no longer works. Delog was a simple tool that emailed me daily and gave
statistics for all the tests. From this I could determine which were the
most effective. Does anybody have a suggestion for a replacement program to
analyze junkmail log files that can email the results automatically? Which
program has been the most successful? Or has anyone been successful using
delog with declude 3.11?

Thanks






RE: [Declude.JunkMail] Spam Spike

2006-09-19 Thread IS - Systems Eng. \(Karl Drugge\)
Getting pelted here... Mostly from cinci.rr.com...

Karl Drugge
 
 
 
 
 
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Scott Fisher
Sent: Tuesday, September 19, 2006 2:29 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Spam Spike

I say about 25% more spam yesterday than last Monday (9-11)

- Original Message - 
From: "Chris Anton" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, September 19, 2006 11:31 AM
Subject: [Declude.JunkMail] Spam Spike


> Hi All,
> We have recently gone from processing 30,000 emails daily to 85,000 daily.
> 75,000 are getting caught by Declude & Message Sniffer (I love this
> combo). There are a total of 300,000 attempted RCPT TOs daily.
>
> 1) Has anyone experienced recent spikes like this? How can I reasonably
> handle this?
>
> I have run several analytics and found that these emails are not targeting
> a specific user or specific domain.  Additionally, there are no blocks of
> IPs that are responsible.
>
> 2) What are the realistic limits of Imail / Declude / Message Sniffer (I
> KNOW this is platform specific, just looking for ballpark).
>
> 3) What can I do to squeeze out more juice from this server?
>
> Software: IMail 8.22 (because we are still scared of 2006), Declude Virus
> and Junkmail 2.0.6, and Sniffer most recent version
> Hardware: Windows Server 2003 box with a 3 ghz XEON, and 1 Gig ram.
>
> Thanks for the help! -Chris
>
>
>
> --
> Best Regards,
>
> Chris Anton
> Web Solutions, Inc.
> Tel: 203-235- x25
> [EMAIL PROTECTED]
> www.websolutions.net
> --
>
>



RE: [Declude.JunkMail] Way to filter bogus FRMOM domains ?

2006-09-19 Thread IS - Systems Eng. \(Karl Drugge\)
I was using a FROMFILE, subtracting a fairly large amount, and was
getting stuff past it with from the forging domains. Obviously, not the
best way to do it, but it worked well for the past few years.

I've got two new files using the suggestions from yesterday, one for
GOOD-REVDNS adding a negative value, and one for BAD-REVDNS adding a
good amount of points. Makes for better readability in the headers.

Is there another test that compares the REVDNS and Sender's domain to
check for a match ? Like the SPAMDOMAINS test without having to make a
text file ? Not a killer test, but definitely worth a few points.

Karl Drugge
 
 
 
 
 
 
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Darrell ([EMAIL PROTECTED])
Sent: Monday, September 18, 2006 5:18 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Way to filter bogus FRMOM domains ?

You didn't mention exactly on how you are letting in .gov, .us, .edu?
Are you just checking via a fromfile or whitelist?  If so I would shift
that to negative weighting on reverse dns.

REVDNS -x  endswith .edu

If you have to let it in - seems like the revdns might be a better fit.

Darrell
 ---
Check out http://www.invariantsystems.com for utilities for Declude,
Imail, mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring,
SURBL/URI integration, MRTG Integration, and Log Parsers.


IS - Systems Eng. (Karl Drugge) writes: 

> I've been trying to filter some SPAM that is using a false FROM domain.
> Stuff is coming from overseas ( spammachine.spamsite.spammer.pl
> [99.99.99.99] ), but is using a false from domain, such as (
> [EMAIL PROTECTED] ).
>
> This stuff would fail, except DECLUDE shows it as coming from a .edu,
> and clears it ( assigns the appropriate negative value, I should say ).
> Now, for reasons I won't go into here, I HAVE to allow all mail from
> .edu domains, as well as .gov, and .us... I can't bounce it, and I have
> no other way to pre-allow email from some junior college in upper
> southern north Dakota...
>
> Any help on this ?
> 
> Karl Drugge
>  
>  
>  
>  
>  
>  
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Colbeck, Andrew
> Sent: Monday, September 18, 2006 12:33 PM
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] OT: Disk pattern 0xDF in files ->
> Microsoft confirms KB920958 bug! 
> 
> And it made its appearance over at the SANS Internet Storm Center
> handler's log: 
> 
> http://isc.sans.org/diary.php?storyid=1711 
> 
> In short, Microsoft has admitted that there is a problem and updated
> their advisory and also provided a hotfix. 
> 
> Andrew. 
> 
> 
>> -Original Message-
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
>> Behalf Of Heimir Eidskrem
>> Sent: Tuesday, September 12, 2006 7:16 AM
>> To: declude.junkmail@declude.com
>> Subject: Re: [Declude.JunkMail] OT: Disk pattern 0xDF in 
>> files -> Microsoft confirms KB920958 bug! 
>> 
>> Andy, 
>> 
>> Not sure if you saw it but this issue was brought up on 
>> Slashdot yesterday, so it got some exposure. 
>> 
>> Heimir 
>> 
>> 
>> Andy Schmidt wrote:
>> >  
>> > Hi,
>> >
>> > I finally was able to get a confirmation from Microsoft Support 
>> > yesterday afternoon (case: SRZ060911001854)
>> >
>> > "We are aware the issue you are experiencing. A corresponding bugcheck
>> > request is currently open, and the develop team is working on this issue.
>> > However, the hotfix for this issue is not ready.
>> >
>> > 0xDF is the data pattern that NTFS returns when it has problem to
>> > decompress the file (eg. the compression fragments are corrupted and
>> > can't be decompressed). Based on my research, the actual raw data on
>> > the disk is not changed, it shows as 0xDF because the system cannot
>> > decompress the file and display the data correctly. So the corrupt is
>> > not permanent.
>> >
>> > Further more, the issue only occurs on files which containing
>> > Hexadecimal codes."
>> >
>> > Apparently, Microsoft decided not to warn people about this problem -
>> > no comment has been added to KF920958 warning people which system
>> > configurations will cause data loss (who cares if it's not permanent
>> > if you can't use your data for a few months).
>> >
>> > Best Regards
>> > Andy Schmidt
>> >
>&
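
The comparison Karl asks about in the 2006-09-19 message above (does the sender's domain match the connecting host's reverse DNS name?), as an added example that is not part of the thread and not Declude's own test logic. The weights, the FORGED-TRUSTED-FROM and REVDNS-FROM-MISMATCH test names, the sample hosts and the two-label approximation of a registered domain are assumptions.

```python
# Added example: weights, test names and sample values are constructed,
# and this is not how Declude itself implements its tests.

TRUSTED_SUFFIXES = (".edu", ".gov", ".us")  # domains the thread says must be let in
GOOD_REVDNS = -20  # constructed weight: the connecting host itself is in a trusted TLD
FORGED_FROM = 15   # constructed weight: trusted From domain, rDNS outside those TLDs
MISMATCH = 3       # constructed weight: "worth a few points", not a killer test


def normalize(host):
    """Lower-case a host name and drop whitespace and the trailing root dot."""
    return (host or "").strip().rstrip(".").lower()


def sender_domain(address):
    """Domain part of a sender address, or '' for a null or malformed sender."""
    address = (address or "").strip().strip("<>")
    if "@" not in address:
        return ""
    return normalize(address.rsplit("@", 1)[1])


def org_domain(host):
    """Assumption: the last two labels approximate the registered domain.
    A production check would consult the Public Suffix List instead."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def trusted(host):
    """True when the name ends in a trusted suffix on a label boundary."""
    return any(host.endswith(suffix) for suffix in TRUSTED_SUFFIXES)


def score(revdns, mail_from):
    """Return (total_weight, [(test_name, weight), ...]) for one message.

    Credit is tied to the reverse DNS name, which the sender of the message
    cannot choose, rather than to the From domain, which is trivially forged.
    """
    rdns = normalize(revdns)
    domain = sender_domain(mail_from)
    hits = []
    if rdns and trusted(rdns):
        hits.append(("GOOD-REVDNS", GOOD_REVDNS))
    elif domain and trusted(domain):
        # The From address claims .edu/.gov/.us but the connecting host does not.
        hits.append(("FORGED-TRUSTED-FROM", FORGED_FROM))
    if domain and (not rdns or org_domain(rdns) != org_domain(domain)):
        # Legitimate third-party relays also land here, hence the low weight.
        hits.append(("REVDNS-FROM-MISMATCH", MISMATCH))
    return sum(weight for _, weight in hits), hits


if __name__ == "__main__":
    # Constructed samples; the .pl host name is the one used in the thread.
    samples = [
        ("spammachine.spamsite.spammer.pl", "registrar@example.edu"),
        ("mx1.example.edu.", "<Registrar@Example.EDU>"),
        ("out.mailhost.example.net", "user@shop.example.com"),
        ("", "registrar@example.edu"),
    ]
    for revdns, mail_from in samples:
        total, hits = score(revdns, mail_from)
        print(f"{revdns or '(no rDNS)':35} {mail_from:28} {total:4} {hits}")
```

A PTR record is set by whoever controls the IP block, so an rDNS name should be forward-confirmed before it earns the negative weight.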

[Declude.JunkMail] Way to filter bogus FRMOM domains ?

2006-09-18 Thread IS - Systems Eng. \(Karl Drugge\)
I've been trying to filter some SPAM that is using a false FROM domain.
Stuff is coming from overseas ( spammachine.spamsite.spammer.pl
[99.99.99.99] ), but is using a false from domain, such as (
[EMAIL PROTECTED] ). 

This stuff would fail, except DECLUDE shows it as coming from a .edu,
and clears it ( assigns the appropriate negative value, I should say ).
Now, for reasons I won't go into here, I HAVE to allow all mail from
.edu domains, as well as .gov, and .us... I can't bounce it, and I have
no other way to pre-allow email from some junior college in upper
southern north Dakota...

Any help on this ?

Karl Drugge
 
 
 
 
 
 
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Colbeck, Andrew
Sent: Monday, September 18, 2006 12:33 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] OT: Disk pattern 0xDF in files ->
Microsoft confirms KB920958 bug!

And it made its appearance over at the SANS Internet Storm Center
handler's log:

http://isc.sans.org/diary.php?storyid=1711

In short, Microsoft has admitted that there is a problem and updated
their advisory and also provided a hotfix.

Andrew.


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Heimir Eidskrem
> Sent: Tuesday, September 12, 2006 7:16 AM
> To: declude.junkmail@declude.com
> Subject: Re: [Declude.JunkMail] OT: Disk pattern 0xDF in 
> files -> Microsoft confirms KB920958 bug!
> 
> Andy,
> 
> Not sure if you saw it but this issue was brought up on 
> Slashdot yesterday, so it got some exposure.
> 
> Heimir
> 
> 
> Andy Schmidt wrote:
> >  
> > Hi,
> >
> > I finally was able to get a confirmation from Microsoft Support 
> > yesterday afternoon (case: SRZ060911001854)
> >
> > "We are aware the issue you are experiencing. A corresponding bugcheck
> > request is currently open, and the develop team is working on this issue.
> > However, the hotfix for this issue is not ready.
> >
> > 0xDF is the data pattern that NTFS returns when it has problem to
> > decompress the file (eg. the compression fragments are corrupted and
> > can't be decompressed). Based on my research, the actual raw data on
> > the disk is not changed, it shows as 0xDF because the system cannot
> > decompress the file and display the data correctly. So the corrupt is
> > not permanent.
> >
> > Further more, the issue only occurs on files which containing
> > Hexadecimal codes."
> >
> > Apparently, Microsoft decided not to warn people about this problem -
> > no comment has been added to KF920958 warning people which system
> > configurations will cause data loss (who cares if it's not permanent
> > if you can't use your data for a few months).
> >
> > Best Regards
> > Andy Schmidt
> >
> > Phone:  +1 201 934-3414 x20 (Business)
> > Fax:+1 201 934-9206 
> >
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
> > Heimir Eidskrem
> > Sent: Thursday, August 24, 2006 03:21 PM
> > To: declude.junkmail@declude.com
> > Subject: Re: [Declude.JunkMail] OT: Disk pattern 0xDF in files -> 
> > KB920958 may be bad!
> >
> > Answers below.
> >
> > Andy Schmidt wrote:
> >   
> >> Hi Heimir:
> >>
> >> I've been running a number of tests, am in contact with a third
> >> Microsoft customer and some pattern seems to emerge. I also have a
> >> "lead" to a questionable Hotfix, but I'm trying to qualify that first.
> >>
> >> Can we first compare your systems to see what's the same (and may be
> >> relevant) and what's different:
> >>
> >> A) Disks are defined as "dynamic"
> >
> > Dynamic
> >
> >> B) Disks are software mirrored using Win2k Disk Administration
> >
> > no
> >
> >> C) The folders with the "problem" files have the "compression"
> >> attribute set!
> >
> > yes.
> >
> >> D) Did the problem occur at some point after KB920958 was installed?
> >
> > yes, I think so.
> >
> >> E) Do the corrupted files have a content of all 0xDF (it looks a
> >> little like an uppercase "B", the German special "s", or like the
> >> Beta character)
> >
> > Yes
> >
> >> F) Does it appear as if only NEW files are affected?
> >
> > no, old files as well. BUT I think defrag ran this weekend and that
> > would have moved some files - if that matters.
> >
> >> G) Does it appear as if only files are affected that are close to a
> >> multiple of 4K?
> >
> > Yes.
> >
> >> I broke the mirrors on my affected two servers and ran ChkDsk /F. On
> >> one server, ONE disk ChkDsk reported errors (including the files that
> >> I knew were corrupted) - virtually all of them were image file types.
> >> I reran the ChkDsk and it did NOT find errors. I then tried the
> >> second disk of the mirror and it found no errors at all. I then
> >> reestablished the mirrors and my client continues to have probl

RE: [Declude.JunkMail] Max whitelists hit

2006-07-28 Thread IS - Systems Eng. \(Karl Drugge\)









Maybe you don’t really want to whitelist…

What we do here is use a FROMFILE, and assign a large negative point
value to all domains or individuals on that list. We still suffer with
forged return addresses, but that’s fairly minimal.

It tends to work a little bit better than whitelists, IMO. This lets you
pass the mail, but it still runs the tests you have defined in declude to
filter out the really horrendous stuff, or at least explain WHY stuff did
or didn’t get through.



 

Karl Drugge

 

 

 

 

 

 



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Craig Edmonds
Sent: Friday, July 28, 2006 11:15 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Max whitelists hit
Importance: High
Sensitivity: Confidential

Thanks John, but Authentication is not an option right now and I will
suffer the few forged addresses that come through.

I did not realise that there was a limit to the amount of domains I can
put in the whitelist and it's worked until now whilst testing it with a
few domains but with a long list of 500 domains it does not work
properly, when really it should.

Without posting really really confidential information here, I need to be
able to whitelist, the same way that I can blacklist.

I have one guy at domainA.com trying to send to another guy at
domainB.com and both domains are on the same server.

domainB.com is not getting the emails because domainA.com's ip address
where they are located is blacklisted quite badly and the email when sent
through our server is given a score of 48, which means any email that
domainA.com sends to domainB.com gets put in the spam hold queue.

Right now I need to be able to use the whitelisting functionality of
declude.

Kindest Regards
Craig Edmonds
123 Marbella
Internet
W: www.123marbella.com
E : [EMAIL PROTECTED]


 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
John T (Lists)
Sent: Friday, July 28, 2006 4:52 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Max whitelists hit
Sensitivity: Confidential

1. Sorry, your email was not considered confidential and has been
included in a public archive for all to see.

2. As I said before, please stop using the silly white listing of a
domain. Haven’t you heard of forged addresses?

3. Please review your configuration and correct the problem causing your
clients outbound email to be scanned. What you are doing is a workaround,
not fixing the actual problem. You will have to bite the bullet and start
forcing your users to authenticate and in doing so can easily whitelist
based upon the fact that they authenticated.

John T
eServices For You

"Seek, and ye shall find!"



 



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Craig Edmonds
Sent: Friday, July 28, 2006 5:28 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Max whitelists hit
Importance: High
Sensitivity: Confidential

 


Hi David,

It kind of works.

In C:\IMAIL\Declude\$default$.junkmail I have placed the following line:

WHITELISTFILE C:\IMAIL\Declude\Filters\whitelist.txt

The file at C:\IMAIL\Declude\Filters\whitelist.txt contains a list of email
addresses in the following format:

@123-reg.co.uk
@tapiz.com.ar
@redhothomes.co.uk
@cloudninemurcia.com
@cloudninemarbella.com

(there is about 500 domains I am whitelisting at the moment)

I am sitting here watching the log file (btw, I am using a programme called
"BareTail" which absolutely rocks when you want to look at live log files
http://www.baremetalsoft.com) and it seems that it's whitelisting "some"
domains listed in the whitelist.txt file but still passes many of the
domains in the whitelist file through the declude spam filter.

This results in many of my clients emails being held in the spam folder.

Any ideas?

Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.com
E : [EMAIL PROTECTED]


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David
Barker
Sent: Thursday, July 27, 2006 3:40 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Max whitelists hit
Sensitivity: Confidential

Yes, in the global.cfg there is a limit. If you need to have unlimited
whitelist entries, or if you need per-user or per-domain whitelisting, you
may find the WHITELISTFILE option helpful. 

To use this option, you need to add a line in the format "WHITELISTFILE
D:\{MAILSERVER}\Declude\mywhitelist.txt" to the appropriate configuration
file (\{MAILSERVER}\Declude\$default$.JunkMail, or the per-user/per-domain
configuration file you wish to use the whitelists with). The
D:\{MAILSERVER}\Declude\mywhitelist.txt file would then contain either one
E-mail address ("[EMAIL PROTECTED]") or domain ("@example.com") or subdomain
(".example.com") per line. The whitelist files can have unlimited entries
in them.

Note that the file you use 

RE: [Declude.JunkMail] 4.3 Upgrade

2006-07-24 Thread IS - Systems Eng. \(Karl Drugge\)









John,

 

I had some of the same issues, and cured
all leakage by disabling Hi-Jack. Give it a shot.

 



 

Karl Drugge

 

 

 

 

 

 



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
John Doyle
Sent: Monday, July 24, 2006 1:05 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] 4.3 Upgrade

Mark

I upgraded last week. I'd had a leakage issue with 4.2 build 12 and went
back to 4.09.

I have had no problems since going back up to 4.3.

I'm running Imail 8.22 hf2

On an unrelated issue. My AVG virus defs were not getting updated. It
took a while to troubleshoot, but I got great support from Linda and
David to resolve it. Turns out our firewall was blocking the
outgoing/incoming tcp traffic on port 25 to declude servers. We allowed
traffic to and from their servers and it started working. We use a
watchguard firewall and it is pretty locked down.

John





 





-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Mark Reimer
Sent: Monday, July 24, 2006 9:16 AM
To: Declude JunkMail
Subject: [Declude.JunkMail] 4.3 Upgrade

Have many people upgraded to 4.3 yet? I was wondering if anyone had
experienced any problems with the new version.

 

Mark Reimer

IT Project Manager

American CareSource

214-596-2464

 


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 










RE: [Declude.JunkMail] Number of times per test

2006-07-14 Thread IS - Systems Eng. \(Karl Drugge\)
Mine always just counts the one hit, regardless of whether I have 1 or
2.



Karl Drugge
 
 
 
 
 
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary
Steiner
Sent: Friday, July 14, 2006 3:05 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Number of times per test

I don't have STOPATFIRSTHIT in my body filter, and it always stops the
first time it finds something.


 Original Message 
> From: "Michael Thomas - Mathbox" <[EMAIL PROTECTED]>
> Sent: Friday, July 14, 2006 2:31 PM
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] Number of times per test
> 
> If you do not have StopAtFirstHit enabled, then each hit adds the specified
> points to the total. So, set the MinWeightToFail to 10 and apply 2 points for
> each hit like:
> 
> #SKIPIFWEIGHT 10
> MINWEIGHTTOFAIL 10
> #MAXWEIGHT 15
> #STOPATFIRSTHIT
> 
> BODY 2 CONTAINS replikas
> 
> Michael Thomas
> Mathbox
> 978-683-6718
> 1-877-MATHBOX (Toll Free)
>   
> 
> > -Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> > Behalf Of IS - Systems Eng. (Karl Drugge)
> > Sent: Friday, July 14, 2006 1:52 PM
> > To: declude.junkmail@declude.com
> > Subject: [Declude.JunkMail] Number of times per test
> > 
> > I looked through the manual, but didn't see this defined...
> > 
> > I want a test that applies 10 points if a certain string appears in the
> > body of a message a number of times...
> >
> > So if, for example, 'replikas' appears 5 times, and I want to apply ten
> > points only if that string is there 5 times or more, what part of the
> > test definition string do I modify ? Which variable determines that ?
> > Or, could I assign it 2 points each time it appears ? And which variable
> > is that ?
> >
> > Numberoftimes   filter  C:\Declude\sampletest.txt   x   10   0
> > 
> > 
> > Karl Drugge
> >  
> > 
> > 
> > 










---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
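
The two behaviours argued over in this thread, modelled side by side as an added example (not Declude's code and not written by any poster): scoring the quoted filter file per occurrence of the string versus once per matching line. Assumptions: a leading '#' disables a line, CONTAINS is case-insensitive, only BODY ... CONTAINS rules are handled, and the sample bodies are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# The filter file quoted in the thread. Lines starting with '#' are treated
# as disabled, so only MINWEIGHTTOFAIL and the BODY rule are active.
FILTER_TEXT = """\
#SKIPIFWEIGHT 10
MINWEIGHTTOFAIL 10
#MAXWEIGHT 15
#STOPATFIRSTHIT

BODY 2 CONTAINS replikas
"""

# Constructed sample bodies: the string appears five and four times.
BODY_FIVE = "cheap replikas here. " * 5
BODY_FOUR = "cheap replikas here. " * 4


@dataclass
class BodyFilter:
    min_weight_to_fail: int = 0
    max_weight: Optional[int] = None
    stop_at_first_hit: bool = False
    rules: List[Tuple[int, str]] = field(default_factory=list)  # (weight, needle)


def parse_filter(text: str) -> BodyFilter:
    """Parse the directives and BODY rules used in the thread's filter file."""
    flt = BodyFilter()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented-out line
        parts = line.split(None, 3)
        keyword = parts[0].upper()
        if keyword == "MINWEIGHTTOFAIL" and len(parts) >= 2:
            flt.min_weight_to_fail = int(parts[1])
        elif keyword == "MAXWEIGHT" and len(parts) >= 2:
            flt.max_weight = int(parts[1])
        elif keyword == "STOPATFIRSTHIT":
            flt.stop_at_first_hit = True
        elif keyword == "BODY" and len(parts) == 4 and parts[2].upper() == "CONTAINS":
            flt.rules.append((int(parts[1]), parts[3]))
    return flt


def score_body(flt: BodyFilter, body: str, per_occurrence: bool) -> Tuple[int, bool]:
    """Return (total weight, test failed?) under one of the two models.

    per_occurrence=True  : every occurrence of the string adds the rule weight.
    per_occurrence=False : a matching rule line adds its weight once.
    """
    total = 0
    haystack = body.lower()
    for weight, needle in flt.rules:
        count = haystack.count(needle.lower())
        if count == 0:
            continue
        hits = count if per_occurrence and not flt.stop_at_first_hit else 1
        total += weight * hits
        if flt.stop_at_first_hit:
            break  # no further rules are evaluated after the first hit
    if flt.max_weight is not None:
        total = min(total, flt.max_weight)
    return total, total > 0 and total >= flt.min_weight_to_fail


def compare(body: str, filter_text: str = FILTER_TEXT) -> dict:
    """Score one body under both models so the difference is visible."""
    flt = parse_filter(filter_text)
    return {
        "per_occurrence": score_body(flt, body, per_occurrence=True),
        "per_line": score_body(flt, body, per_occurrence=False),
    }


if __name__ == "__main__":
    print("5 occurrences:", compare(BODY_FIVE))
    print("4 occurrences:", compare(BODY_FOUR))
```

Under the one-hit-per-line model the single 2-point rule can never reach a MINWEIGHTTOFAIL of 10, which matches what the posters who see only one hit report.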



[Declude.JunkMail] Number of times per test

2006-07-14 Thread IS - Systems Eng. \(Karl Drugge\)
I looked through the manual, but didn't see this defined...

I want a test that applies 10 points if a certain string appears in the
body of a message a number of times... 

So if, for example, 'replikas' appears 5 times, and I want to apply ten
points only if that string is there 5 times or more, what part of the
test definition string do I modify ? Which variable determines that ?
Or, could I assign it 2 points each time it appears ? And which variable
is that ?

Numberoftimes   filter  C:\Declude\sampletest.txt   x   10   0


Karl Drugge
 






RE: [Declude.JunkMail] Over Hold Weight, but Delivered

2006-07-14 Thread IS - Systems Eng. \(Karl Drugge\)
I've been seeing it too. I finally tracked it down to Hi-Jack. Disable
Hi-Jack, and you should be good ( I just renamed the config file, so I
can restart it as soon as this is fixed ). Somehow, Hi-jack grabs the
message before Declude kills it.


Karl Drugge
 
 
 
 
 
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Linda Pagillo
Sent: Friday, July 14, 2006 8:34 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Over Hold Weight, but Delivered

Don:

We are aware of this issue and it has been escalated to our engineering
department.

Linda Pagillo
Technical Support Engineer
Declude - Your Email security is our business(TM)

- Original Message - 
From: "Don Brown" <[EMAIL PROTECTED]>
To: 
Sent: Friday, July 14, 2006 5:09 AM
Subject: [Declude.JunkMail] Over Hold Weight, but Delivered


> We have been seeing mail being delivered, when it has scored higher
> than our hold weight.
>
> The common denominator with these messages seems to be that it is
> addressed to multiple recipients.  These recipients are sometimes of
> the same domain and other times of different domains.
>
> We are running the latest 4.xx release with Imail 8.xx, but this
> behavior isn't new to this release.  We've noticed it for the last few
> releases, although I'm not sure which release marked the start of it.
>
> Has anyone else been seeing this behavior or are we just lucky?
>
> Thanks,
>
>
> 
> Don Brown - Dallas, Texas USA Internet Concepts, Inc.
> [EMAIL PROTECTED]   http://www.inetconcepts.net
> (972) 788-2364    Fax: (972) 788-5049
> 
>
>
>



[Declude.JunkMail] New Version working so far...

2006-07-06 Thread IS - Systems Eng. \(Karl Drugge\)
Installed the new version this afternoon (thanks for the heads-up David
!).

So far, I am doing pretty good. All messages in the error directory are
SPAM, and SPAM that would have dropped through. So, good news there !

I will probably script something that will rename the files to something
with the senders name-domain to aid in sorting out garbage.

Also, after all the beating Declude has taken over the past two months,
a well deserved 'Hell Yeah!' . We all would have liked it sooner, but
I'll take later.

It took a while, but it looks like we're all back on track. I'll know
for myself tomorrow morning. I may even turn Hijack back on


Karl Drugge
 
 
 







RE: [Declude.JunkMail] Message Syntax...

2006-07-03 Thread IS - Systems Eng. \(Karl Drugge\)
Anyone ?

Karl Drugge
 
 
 
 
 
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of IS -
Systems Eng. (Karl Drugge)
Sent: Friday, June 30, 2006 10:14 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Message Syntax...

I am getting some of the typical messages through... the ones with just
a linked image in the body.. I am wondering how the syntax for the
linked image works .. I have a line :
src=cid:stuffhere$stuffhere$stuffhere

 
What is the syntax, or what do the sections break down into ? Is it
image$directory$domain ?


Karl Drugge 
B.S.I.T., A.S., M.C.S.E. ( NT 4.0, 2000, 2003 ), M.C.S.A. ( 2000 + 2003
), C.C.N.A., Network+, A+ 
I dream of the day when I will learn to stop asking questions to which I
will regret learning the answers ( Roy Greenhilt, Order of the Stick  ) 









[Declude.JunkMail] Message Syntax...

2006-06-30 Thread IS - Systems Eng. \(Karl Drugge\)
I am getting some of the typical messages through... the ones with just
a linked image in the body.. I am wondering how the syntax for the
linked image works .. I have a line :
src=cid:stuffhere$stuffhere$stuffhere

 
What is the syntax, or what do the sections break down into ? Is it
image$directory$domain ?


Karl Drugge 
B.S.I.T., A.S., M.C.S.E. ( NT 4.0, 2000, 2003 ), M.C.S.A. ( 2000 + 2003
), C.C.N.A., Network+, A+ 
I dream of the day when I will learn to stop asking questions to which I
will regret learning the answers ( Roy Greenhilt, Order of the Stick  ) 









RE: [Declude.JunkMail] RE: No action taken -- Broken in Smartermail, too.

2006-06-06 Thread IS - Systems Eng. \(Karl Drugge\)









EXACTLY. For over a month or so now.

Karl Drugge

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan
Sent: Tuesday, June 06, 2006 12:28 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] RE: No action taken -- Broken in Smartermail, too.

Hi;

We are seeing the same behavior in IMail 2006 and Declude [4.2.12]

I submitted sample emails and the log file to Declude yesterday and they are
to get back to me with what they find out.

Exact behavior.. one thing that I found in common is the sender is listed as
<> in all these emails.

Here is the header:

Received: from [193.111.144.162] [193.111.144.162] by foroosh.com with ESMTP
  (SMTPD-9.04) id AA1C03A0; Mon, 05 Jun 2006 07:48:44 -0400
Date: Mon, 5 Jun 2006 11:49:03 -0060
From: "Tamra Finn" [EMAIL PROTECTED]
X-Mailer: The Bat! (2.12.00) UNREG / CD5BF9353B3B7091
Reply-To: [EMAIL PROTECTED]
X-Priority: 3 (Normal)
Message-ID: <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Under the Radar Stock Alert
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Declude-Sender: <> [193.111.144.162]
X-Declude-Spoolname: D1a1c013d9afd.smd
X-Note: ==
X-Note: Virus check by 4 scanners: F-Prot, ClamAV, McAfee, and AVG
X-Note: All 4 scanners report: Clean
X-Note: ==
X-Note: Spam Score: 205
X-Note: Scan Time: 07:49:00 on 05 Jun 2006
X-Note: Spool File: D1a1c013d9afd.smd
X-Note: SMTP Sender: <>



 

 

The issue is this email was to be deleted.  At a weight of 205 it is 150
points above deletion.  In every case the email comes through where it is
supposed to be deleted.

Actions are not showing in the header but the log file shows the actions and
the last action somehow changes to ignore.

Let's see what Declude responds..

Regards,
Kami

- Original Message -
From: Dave Beckstrom
To: declude.junkmail@declude.com
Sent: Tuesday, June 06, 2006 10:37 AM
Subject: [Declude.JunkMail] RE: No action taken -- Broken in Smartermail, too.

It is not an imail problem.  I am running smartermail 2.6 and I am
experiencing the same problem where special characters in the return-path
allow the “stock” spam to pass through Declude with no action taken on it.

 








RE: [Declude.JunkMail] This doesnt add up

2006-04-05 Thread IS - Systems Eng. \(Karl Drugge\)
I've been seeing this for weeks. I reported it, and I believe they are
working on a fix.

Sometimes Declude doesn't put ANYTHING in the headers. Kind of hard to
figure out why something got through in the meantime, though..

Karl Drugge
 
 
 
 
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Wednesday, April 05, 2006 1:44 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] This doesnt add up

Todd,

I do not see them in the headers ?

X-Spam-Tests-Failed: SUBJECTSPACES7, SUBJECTSPACES10, SPFPASS, SPAMCHK,
GIBBERISH, CATCHALLMAILS [30]

David B
www.declude.com

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Todd
Sent: Wednesday, April 05, 2006 12:56 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] This doesnt add up

Thanks David,  both of these tests are not hidden and show up in the
headers.

Todd


- Original Message -
From: "David Barker" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, April 05, 2006 11:47 AM
Subject: RE: [Declude.JunkMail] This doesnt add up


> To reduce false positives NOLEGITCONTENT and IPNOTINMX are hidden tests,
> check your global.cfg you should see the -5
>
> David B
> www.declude.com
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Todd
> Sent: Wednesday, April 05, 2006 12:22 PM
> To: Declude.JunkMail@declude.com
> Subject: [Declude.JunkMail] This doesnt add up
>
>
> A lot of spam has been getting through lately and at first I was thinking
> my Declude needed some tweaking.  I am seeing some funny stuff though.  I
> find emails where emails contain items that should have triggered filters
> but did not.  I am on IMail 8.15 and Declude 2.06.
>
> Here is a header of an email where the numbers don't add to the score.  It
> should have had a score of 5 + 15 + 15 + 30 = 65 but instead shows 30
>
> My global.cfg has the following entries for the tests that were triggered
>
> SUBJECTSPACES7   subjectspaces 7    x 5  0
> SUBJECTSPACES10  subjectspaces 10   x 15 0
> SPFPASS          spf           pass x 0  0
>
>
> X-RBL-Warning: SUBJECTSPACES7: Subject with at least 7 spaces found.
> X-RBL-Warning: SUBJECTSPACES10: Subject with at least 10 spaces found.
> X-RBL-Warning: SPFPASS: SPF returned PASS for this E-mail.
> X-RBL-Warning: SPAMCHK: Message failed SPAMCHK: 15.
> X-RBL-Warning: GIBBERISH: Message failed GIBBERISH test (line 463, weight 30)
> X-Declude-Sender: [EMAIL PROTECTED] [69.89.85.90]
> X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
> X-Spam-Tests-Failed: SUBJECTSPACES7, SUBJECTSPACES10, SPFPASS, SPAMCHK, GIBBERISH, CATCHALLMAILS [30]
> X-Note: Total spam weight of this E-mail is 30 .
> X-Country-Chain: UNITED STATES->destination
> X-Note: This E-mail was sent from eveningtrees.com ([69.89.85.90]).
>
>
>
--
PLEASE NOTE : Florida has a very broad public records law. Most written
communications to or from City officials regarding City business are
public records available to the public and media upon request. Your
E-mail communications may be subject to public disclosure.

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
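
The sum Todd works out by hand in this thread, done as a header audit that can be run over delivered mail (an added example, not Declude's code and not from any poster). Assumptions: the fifth field of a global.cfg test line is the weight added on failure, the headers below are the thread's headers re-folded by hand with the sender header left out, and the function names are hypothetical.

```python
import re
from email import message_from_string

# The three global.cfg lines quoted in the thread.
# Assumption: field 5 is the weight applied when the test fails.
GLOBAL_CFG = """\
SUBJECTSPACES7   subjectspaces 7    x 5  0
SUBJECTSPACES10  subjectspaces 10   x 15 0
SPFPASS          spf           pass x 0  0
"""

# Headers from the thread, re-folded (constructed layout, same values).
SAMPLE_HEADERS = """\
X-RBL-Warning: SUBJECTSPACES7: Subject with at least 7 spaces found.
X-RBL-Warning: SUBJECTSPACES10: Subject with at least 10 spaces found.
X-RBL-Warning: SPFPASS: SPF returned PASS for this E-mail.
X-RBL-Warning: SPAMCHK: Message failed SPAMCHK: 15.
X-RBL-Warning: GIBBERISH: Message failed GIBBERISH test (line 463,
 weight 30)
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for
 spam.
X-Spam-Tests-Failed: SUBJECTSPACES7, SUBJECTSPACES10, SPFPASS, SPAMCHK,
 GIBBERISH, CATCHALLMAILS [30]
X-Note: Total spam weight of this E-mail is 30 .

(body omitted)
"""

# A weight stated at the end of a warning: "... SPAMCHK: 15." or "... weight 30)"
WARNING_WEIGHT = re.compile(r"(?:weight\s+|:\s*)(-?\d+)\s*[.)]?\s*$")
TOTAL_WEIGHT = re.compile(r"Total spam weight of this E-mail is\s+(-?\d+)")


def parse_cfg_weights(cfg_text):
    """Map test name -> fail weight from global.cfg-style test lines."""
    weights = {}
    for line in cfg_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0].startswith("#"):
            continue
        try:
            weights[fields[0].upper()] = int(fields[4])
        except ValueError:
            continue  # not a test definition line
    return weights


def unfold(value):
    """Collapse header folding and runs of whitespace into single spaces."""
    return " ".join((value or "").split())


def audit_weights(raw_headers, cfg_text):
    """Compare the sum of visible test weights with the reported total."""
    msg = message_from_string(raw_headers)
    cfg = parse_cfg_weights(cfg_text)

    # Weights that the warnings themselves state (SPAMCHK, GIBBERISH here).
    stated = {}
    for value in msg.get_all("X-RBL-Warning", []):
        name, _, detail = unfold(value).partition(":")
        match = WARNING_WEIGHT.search(detail)
        if match:
            stated[name.strip().upper()] = int(match.group(1))

    failed_hdr = re.sub(r"\s*\[-?\d+\]\s*$", "", unfold(msg.get("X-Spam-Tests-Failed")))
    failed = [t.strip().upper() for t in failed_hdr.split(",") if t.strip()]

    weights, unknown = {}, []
    for test in failed:
        weight = cfg.get(test, stated.get(test))
        if weight is None:
            unknown.append(test)  # no weight visible in config excerpt or headers
        else:
            weights[test] = weight

    reported = None
    for note in msg.get_all("X-Note", []):
        match = TOTAL_WEIGHT.search(unfold(note))
        if match:
            reported = int(match.group(1))

    expected = sum(weights.values())
    gap = None if reported is None else expected - reported
    # Hidden tests (the thread names NOLEGITCONTENT and IPNOTINMX) never show
    # in headers, so a gap is a reason to read the log, not proof of a bug.
    return {"weights": weights, "unknown": unknown,
            "expected": expected, "reported": reported, "gap": gap}


if __name__ == "__main__":
    print(audit_weights(SAMPLE_HEADERS, GLOBAL_CFG))
```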


RE: [Declude.JunkMail] Combo Filter

2006-02-10 Thread IS - Systems Eng. \(Karl Drugge\)







Where do I put these lines in my config files ?

Karl Drugge

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Grosshandler
Sent: Friday, February 10, 2006 1:45 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Combo Filter

You the Man!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Friday, February 10, 2006 11:39 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Combo Filter

Here you go

TESTSFAILED  END  CONTAINS     BYPASS

# Did it Fail CMDSPACE
TESTSFAILED  END  NOTCONTAINS  CMDSPACE

# It failed CMDSPACE now check Sniffer
TESTSFAILED  10   CONTAINS     SNIFFER

Goran Jovanovic
Omega Network Solutions









RE: [Declude.JunkMail] Whitelisting email address

2006-01-17 Thread IS - Systems Eng. \(Karl Drugge\)







Believe me, I’d love to find a way to do it, but when I HAVE to receive
emails from hideously mis-configured servers, whack-job citizens, and other
municipalities with less than stellar I.T. staff… from any where at any
time, not bouncing becomes the worse of two evils.

As an example, if I DELETE an email from a citizen because it meets my
delete criteria ( let’s say a nut-job, retired, self declared IT samurai
with a shareware SMTP server, on a dial up account to a local home based ISP
run by his best friend ) I can ( and have ) been questioned by the City
Manager on exactly WHY he didn’t get this email, because this nut-job shows
up to a city council meeting and has a foaming at the mouth fit in public.
Technical explanations don’t cut it in the political arena. I have to, at
the very least, send something back to notify the originator that the email
was bounced, unless it’s so horribly mal-formed, or chock full of key words,
that I can absolutely guarantee it’s spam.

But, if someone wants to take a crack at it, I’ll be more than happy to post
my config files.



 

 

Karl Drugge

 

 

 

 

 

 



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Tuesday, January 17, 2006 4:28 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Whitelisting email address

 



Karl,

Getting blacklisted for bouncing spam back to forged addresses would probably
be a lot worse than missing a stray message that shouldn't have been
blocked.  This certainly can happen, especially if you get a lot of zombie
generated spam.

It is also of course a big pain dealing with servers that bounce this stuff
back to forged addresses.  Today I'm under heavy attack from multiple
sources of backscatter.  Backscatter costs others time, money and
frustration.  It's not fair if it is avoidable.  Please reconsider
your choices.  Maybe we can help you figure out a better way to deal with
this.

Matt



IS - Systems Eng. (Karl Drugge) wrote: 



I hold at 20, bounce at 40, and delete at 60.

I realize bouncing is bad, but we’re government, so I have to be careful
about outright deleting email without notifying someone, somewhere.

Karl Drugge

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian
Sent: Tuesday, January 17, 2006 3:38 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Whitelisting email address

What are you using for a hold weight and delete weight?

Brian

- Original Message -----
From: IS - Systems Eng. (Karl Drugge)
To: Declude.JunkMail@declude.com
Sent: Tuesday, January 17, 2006 3:17 PM
Subject: RE: [Declude.JunkMail] Whitelisting email address

I can confirm that.

If a single email address is white listed, then all of them get white listed.

The solution was a line like this : BYPASSWHITELIST  bypasswhitelist  45  6  0  0

If an email was over weight 45, AND it also had 6 or more recipients, then
it bypassed the white-listing and checked it normally.

I never tried to do it with individual config files.. But that might work,
if it didn't affect all the recipients.

Karl Drugge

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian
Sent: Tuesday, January 17, 2006 2:16 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Whitelisting email address

I recall that happening with IMail as well.  That is why I was wondering if
I did something wrong before.

Brian

- Original Message -
From: Shayne Embry
To: Declude.JunkMail@declude.com
Sent: Tuesday, January 17, 2006 1:12 PM
Subject: Re: [Declude.JunkMail] Whitelisting email address

We have found that if one of the addresses is whitelisted, then every
recipient's address gets whitelisted. This may be unique to
SmarterMail/Declude. I don't remember having the problem with IMail, but we
haven't used it in over a year.

Shayne

Hi Brian,

Yes, this can be done with the Pro version. You can have per-user
configurations. You can't not have Declude scan the mail, but you can set
this individual's configuration to ignore all test results and deliver the
mail. As far as I know, this shouldn't have any effect on other recipients
of the email.

Dean

On 1/17/06, Brian <[EMAIL PROTECTED]> wrote:

I have a customer who wants to receive all emails without having declude
check them for spam.

My question, is can this be done?

And then can it be done so that if a message comes in and it is a message
that contains their email address and several other email address on our
domain, that it can only be sent to their address prior to the spam checks?

RE: [Declude.JunkMail] Whitelisting email address

2006-01-17 Thread IS - Systems Eng. \(Karl Drugge\)







I hold at 20, bounce at 40, and delete at 60.

I realize bouncing is bad, but we’re government, so I have to be careful
about outright deleting email without notifying someone, somewhere.

Karl Drugge

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian
Sent: Tuesday, January 17, 2006 3:38 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Whitelisting email address

What are you using for a hold weight and delete weight?

Brian

- Original Message -
From: IS - Systems Eng. (Karl Drugge)
To: Declude.JunkMail@declude.com
Sent: Tuesday, January 17, 2006 3:17 PM
Subject: RE: [Declude.JunkMail] Whitelisting email address

I can confirm that.

If a single email address is white listed, then all of them get white listed.

The solution was a line like this : BYPASSWHITELIST  bypasswhitelist  45  6  0  0

If an email was over weight 45, AND it also had 6 or more recipients, then
it bypassed the white-listing and checked it normally.

I never tried to do it with individual config files.. But that might work,
if it didn't affect all the recipients.

Karl Drugge

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian
Sent: Tuesday, January 17, 2006 2:16 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Whitelisting email address

I recall that happening with IMail as well.  That is why I was wondering if
I did something wrong before.

Brian

- Original Message -
From: Shayne Embry
To: Declude.JunkMail@declude.com
Sent: Tuesday, January 17, 2006 1:12 PM
Subject: Re: [Declude.JunkMail] Whitelisting email address

We have found that if one of the addresses is whitelisted, then every
recipient's address gets whitelisted. This may be unique to
SmarterMail/Declude. I don't remember having the problem with IMail, but we
haven't used it in over a year.

Shayne

Hi Brian,

Yes, this can be done with the Pro version. You can have per-user
configurations. You can't not have Declude scan the mail, but you can set
this individual's configuration to ignore all test results and deliver the
mail. As far as I know, this shouldn't have any effect on other recipients
of the email.

Dean

On 1/17/06, Brian <[EMAIL PROTECTED]> wrote:

I have a customer who wants to receive all emails without having declude
check them for spam.

My question, is can this be done?

And then can it be done so that if a message comes in and it is a message
that contains their email address and several other email address on our
domain, that it can only be sent to their address prior to the spam checks?

I hope this makes sense.

Thanks in advance,

Brian T.




RE: [Declude.JunkMail] Whitelisting email address

2006-01-17 Thread IS - Systems Eng. \(Karl Drugge\)







I can confirm that.

If a single email address is white listed, then all of them get white listed.

The solution was a line like this : BYPASSWHITELIST  bypasswhitelist  45  6  0  0

If an email was over weight 45, AND it also had 6 or more recipients, then
it bypassed the white-listing and checked it normally.

I never tried to do it with individual config files.. But that might work,
if it didn’t affect all the recipients.

Karl Drugge

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian
Sent: Tuesday, January 17, 2006 2:16 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Whitelisting email address

I recall that happening with IMail as well.  That is why I was wondering if
I did something wrong before.

Brian

- Original Message -
From: Shayne Embry
To: Declude.JunkMail@declude.com
Sent: Tuesday, January 17, 2006 1:12 PM
Subject: Re: [Declude.JunkMail] Whitelisting email address

We have found that if one of the addresses is whitelisted, then every
recipient's address gets whitelisted. This may be unique to
SmarterMail/Declude. I don't remember having the problem with IMail, but we
haven't used it in over a year.

Shayne

Hi Brian,

Yes, this can be done with the Pro version. You can have per-user
configurations. You can't not have Declude scan the mail, but you can set
this individual's configuration to ignore all test results and deliver the
mail. As far as I know, this shouldn't have any effect on other recipients
of the email.

Dean

On 1/17/06, Brian <[EMAIL PROTECTED]> wrote:

I have a customer who wants to receive all emails without having declude
check them for spam.

My question, is can this be done?

And then can it be done so that if a message comes in and it is a message
that contains their email address and several other email address on our
domain, that it can only be sent to their address prior to the spam checks?

I hope this makes sense.

Thanks in advance,

Brian T.




[Declude.JunkMail] Speaking of punishment....

2005-12-20 Thread IS - Systems Eng. \(Karl Drugge\)







We’ve been getting a LOT of emails from 9 particular IP’s, I’m talking about
60-70% of incoming. Nothing but 30+ recipient emails, with non-existent
email addresses on our domain. The majority of them don’t even have one
valid address on my domain.

It’s all getting caught in our filters and deleted, but it was getting so
obscene that I just blocked them on the firewall. My logs dropped from 23
meg a day to only 5.

Is anyone else seeing this type of traffic lately ?

 




Karl Drugge
B.S.I.T., A.S., M.C.S.E. ( NT 4.0 + 2000 ), C.C.N.A., C.C.D.A., Network+, A+
I dream of the day when I will learn to stop asking questions to which I
will regret learning the answers ( Roy Greenhilt, Order of the Stick  )

 

 





 








RE: [Declude.JunkMail] does anyone punish email from these folks?

2005-12-20 Thread IS - Systems Eng. \(Karl Drugge\)







I block that entire class A… Nothing but issues with the entire range. If someone gets blocked, they can call a user and have them request an exception.

 



 

Karl Drugge

 

 

 

 

 

 



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike K @ NetDotCom
Sent: Tuesday, December 20, 2005 11:03 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] does anyone punish email from these folks?

We outright reject all their mail.

We started by just holding and found lots of 'suspicious' activity like identical emails with different "from" domains, etc. Normal spam type stuff CC offers, grant money, etc.

Then we started blocking one /24, then they switched to other subnets so we blocked their entire IP space.

No complaints from users.

Mike

- Original Message -
From: Nick Hayer
To: Declude.JunkMail@declude.com
Sent: Tuesday, December 20, 2005 10:36
Subject: [Declude.JunkMail] does anyone punish email from these folks?





 



I sure do get a lot of spam from this ip space - are they legit and are
lacking in their monitoring or ?
Thanks -

-Nick

OrgName:    WholeSale Internet
OrgID:      WHOLE-125
Address:    1102 Grand Ave Suite 905
City:       Kansas City
StateProv:  MO
PostalCode: 64106
Country:    US

NetRange:   69.30.192.0 - 69.30.239.255
CIDR:       69.30.192.0/19, 69.30.224.0/20
NetName:    WHOLESALEINTERNET

 









[Declude.JunkMail] Free SPAM RBL's ?

2005-12-14 Thread IS - Systems Eng. \(Karl Drugge\)







I am currently using SPAMCOP, and pretty happy with it, but wouldn’t mind adding another.

What is everyone else using for an external RBL ?

Karl Drugge
B.S.I.T., A.S., M.C.S.E. ( NT 4.0 + 2000 ), C.C.N.A., C.C.D.A., Network+, A+
I dream of the day when I will learn to stop asking questions to which I will regret learning the answers ( Roy Greenhilt, Order of the Stick )

 






[Declude.JunkMail] SPF PASS/FAIL test format

2005-12-08 Thread IS - Systems Eng. \(Karl Drugge\)







Quick question on the global.cfg file…

I upgraded to 3.0.5 yesterday. Working great so far. I want to add the SPFPASS and SPFFAIL tests.. what is the format ? I want to subtract 7 points for a pass, and add 7 points for a fail…( if they’re too stupid to have an SPF by now… )

I have this, but it is obviously wrong…

SPFFAIL  spffail  x x 7 0
SPFPASS  spfpass  x x -7 0

Karl Drugge
B.S.I.T., A.S., M.C.S.E. ( NT 4.0 + 2000 ), C.C.N.A., C.C.D.A., Network+, A+
I dream of the day when I will learn to stop asking questions to which I will regret learning the answers ( Roy Greenhilt, Order of the Stick )

 






RE: [Declude.JunkMail] Per user tests....

2003-12-11 Thread IS - Systems Eng. (Karl Drugge)
Scott,
I am still having issues with this. I have the REDIRECT
[EMAIL PROTECTED] c:\dir\dir\filename in both the global.cfg and the
$junkmail file. I also have the renamed copy of the $junkmail file with
the custom actions in the Imail directory. It is not processing the
user's settings...

Can you look at the global.cfg and $junkmail files or give me another
thing to test for ?


Karl Drugge
 
 
 
 
 
 

-Original Message-
From: R. Scott Perry [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 09, 2003 6:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Per user tests


>Ahh. OK. I am getting it now. So, to whitelist for that particular users
>fromfile, I would set the test to assign weight 0 in my global.cfg, and
>then in the users config file ( a renamed copy of the $junkmail file ),
>I would use a ROUTETO statement ?
>
>Is this correct ?

That should work fine.  That way, E-mail failing the test that is sent to
the one user to get caught, but if it is sent to other users, it will not
get caught (although it would appear in the X-Spam-Tests-Failed: header).

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] Per user tests....

2003-12-09 Thread IS - Systems Eng. (Karl Drugge)
Ahh. OK. I am getting it now. So, to whitelist for that particular users
fromfile, I would set the test to assign weight 0 in my global.cfg, and
then in the users config file ( a renamed copy of the $junkmail file ),
I would use a ROUTETO statement ?

Is this correct ?


Karl Drugge
 
 
 
 
 
 

-Original Message-
From: R. Scott Perry [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 09, 2003 5:58 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Per user tests


> > Tests in Declude JunkMail are global.  The best you can do for a per-user
> > test is one that runs for everyone, but actions are only taken on the test
> > for specific user(s).

>If I define the tests ( ie: a fromfile ) in the global.cfg, how do I
>make it apply for only one person in the $junkmail file ?

By having the default file not take any action ("TESTNAME IGNORE"), and
having the per-user config file take an action ("TESTNAME HOLD", for
example).

>I thought points were assigned in the global.cfg, and the $junkmail file
>just told declude what to do with the final point value ?

Close.

The weight is determined by the global.cfg file.  The $default$.JunkMail
file is used to determine the actions to take on tests.

I would recommend not assigning any weight to the per-user test, as that
weight would be applied to all users.  Instead, you can have the weight set
to 0, and use "TESTNAME HOLD" (or "TESTNAME DELETE" or whatever).

-Scott


RE: [Declude.JunkMail] Per user tests....

2003-12-09 Thread IS - Systems Eng. (Karl Drugge)
OK, I guess I can deal with that. A bit processor intensive for one PITA
user, but if that's the way it is... 

If I define the tests ( ie: a fromfile ) in the global.cfg, how do I
make it apply for only one person in the $junkmail file ? I thought
points were assigned in the global.cfg, and the $junkmail file just told
declude what to do with the final point value ? Even if I assign the
user their own $junkmail file, I still have to play with the points in
the tests given in the global.cfg, yes ? 

Karl Drugge
 
 
 
 
 
 

-Original Message-
From: R. Scott Perry [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 09, 2003 5:23 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Per user tests


>Where do I define per user tests ?

Tests in Declude JunkMail are global.  The best you can do for a per-user
test is one that runs for everyone, but actions are only taken on the test
for specific user(s).

-Scott


[Declude.JunkMail] Per user tests....

2003-12-09 Thread IS - Systems Eng. (Karl Drugge)
Argh. I know this has been covered but I can't find it in my own
archives from the group..

Where do I define per user tests ? I am trying to use the REDIRECT (
REDIRECT [EMAIL PROTECTED] c:\dir\dir\username.txt ) statement to point at
a username.txt with their own configs in it. Particularly their own word
and fromfile filters. Do I copy and rename the $junkmail file ? Where do
their own tests get defined ? Do I copy and rename the global.cfg ?

I am looking in the dec.log files and not finding any errors or
something that tells me that the user is using their own tests or cfg
file ...


Karl Drugge
 
 
 
 
 



RE: [Declude.JunkMail] Reverse DNS...

2003-12-05 Thread IS - Systems Eng. (Karl Drugge)











Do what I do… I have a rule defined that subtracts the points my REVDNS rule adds, and put the domains I need to get through in that list. Kind of clunky and man-power intensive, but it works for me. I couldn’t imagine doing it for hundreds of domains…

 

Karl Drugge

 

 

 

 

 

 



-Original Message-
From: Kami Razvan [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 05, 2003 10:11 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Reverse DNS...

What can we do when the likes of Amazon don't have reverse DNS?

==

X-Declude-Sender: [EMAIL PROTECTED] [12.32.32.130]
X-Declude-Spoolname: D938c00b8023227dd.SMD
X-Note: This E-mail was scanned & filtered by Declude [1.77] for SPAM & virus.
X-Weight: 57
X-Note: Sent from Reverse DNS:  [No Reverse DNS]
X-Hello: boi1-app-101.amazon.com
X-Spam-Tests-Failed: HELOBOGUS, IPNOTINMX, NOLEGITCONTENT, REVDNS, FILTER-HEADER-XMAIL, FILTER-SPAM-HTML, FILTER-BODY-GIBBERISH, FILTER-BODY-ANTIGIBBERISH, SPAMDOMAINS, WEIGHT20s, WEIGHT20r
X-Note: Recipient(s):  [EMAIL PROTECTED]
X-Country-Chain: UNITED STATES->destination
X-RCPT-TO: <[EMAIL PROTECTED]>

Incredible...

Regards,

Kami










RE: [Declude.JunkMail] How good does it get?

2003-11-20 Thread IS - Systems Eng. (Karl Drugge)
I don't care how much you monitor, you are NOT going to get a 100%
capture rate with no false positives. If there was a way to do that,
Scott would be a millionaire by now, and have twenty or thirty death
threats from spammers. You can get close, like maybe a 90% or 95% if
you're super particular, but that is really pushing it.

Unfortunately, there isn't a perfect template you can use. The default
will get you close, but then you have to tune. It's different for each
site and situation. It took me about 3 or 4 months to get it pretty
close with daily checks. Now I check once a week and make a few tweaks.
I get about a 90%-95% capture rate with very few false positives.

My technique is to delete everything outrageously bad ( 40+ on my scale
with my custom weights). If it's over 40 it is seriously warped. If it's
over 20 but below 40, I route it to a holding bin where I can personally
check it out. Under 20 is good enough to slip through, and a few do now
and then, but my users will forward it to me so I can tune Declude a bit
more. Obviously, if you're getting over half a million messages a month,
this won't work for you. I only get about 18k or so, with maybe 10-20
needing personal attention per day. 

Personally, I'd rather a few got through, rather than having it delete
some of the real stuff, but you can make your own calls.


Karl Drugge
 
 
 
 
 
 

-Original Message-
From: T. Bradley Dean [mailto:[EMAIL PROTECTED] 
Sent: Thursday, November 20, 2003 4:07 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] How good does it get?

I just installed the demo (Tuesday I believe) and I have it set to warn
only. My plan is to move everything with a weight of 20 or above to a
'spam' folder in each users webmail. I may be able to do 15, so far the
highest legitimate mail we've seen was 14.

Looking at what's coming in, I'm getting about 80% of all spam. Another
user I have watching the headers (Outlook rule) is getting about 40%.

I'm going to go through the manual and see how smoothly I can get this
running, but of course management wants 100% of spam captured with no
legitimate mail blocked. How close can I expect to get? What levels of
spam are you guys capturing and what levels of legitimate mail is being
blocked?

Any tips on what default settings I should mess with first? Any good
threads in the archives that I should read through?

Thanks in advance,

~Brad 



[Declude.JunkMail] Comments on this ?

2003-11-07 Thread IS - Systems Eng. (Karl Drugge)









I have a client that is getting HAMMERED by mass SPAM emailings. In excess of 500,000 emails a month are getting deleted on an 80 user network. His Internet connection is totally flooded.  I’ve been working with him over the past 9 months or so and have been trying to track things down to a single spammer or set of spammers.

First, he is the target of the ‘reflected email” attack/delivery system. He was getting loads of these. He still gets these, but only about 100-150,000 a month. The rest are pure garbage items, at a much heavier than normal load of SPAM for a site of his size. What’s curious is that I have been attempting to run MID level logging in order to get the connecting IP’s, reasoning that if I could find the IP ranges, I could blow them off at the firewall and spare DECLUDE from having to process the emails. But, to my surprise, after running a few PERL scripts on the logs, the number of offending IP’s, even listing those with over 50 deletes, is something on the order of over 2,000 ! There are no real ranges that I can find. If I include servers sending 10 emails that DECLUDE deletes, I have over 5 thousand for the month. It’s a massive deluge from thousands of servers sending 4 or 5 emails a day. It’s beginning to look that whoever is sending the mail has hundreds of zombie ‘bots out on the internet and can direct them at will.

Short of telling him he needs to just dump his domain name and get a new one, or co-locate a server upstream at an ISP for Declude, I am out of answers.

Is anyone else seeing this type of attack ? Are Spammers now using zombie ‘bots ?

 



 

Karl Drugge
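
The per-IP and per-range tally described in the message above, as an added example (it is not the Perl script mentioned in the thread, which is not on this page): it counts deleted messages per connecting IP, rolls the offenders up into /24s, and reports how much of the deleted mail a firewall block on the dense ranges would actually stop. The record layout, the thresholds and the sample data are constructed assumptions, not Declude's log format, and only IPv4 is handled.

```python
import ipaddress
from collections import Counter, defaultdict


def build_sample():
    """Constructed records '<date> <connecting-ip> <action>' (not real logs)."""
    lines = []
    # One dense source: 4 hosts in the same /24, 60 deleted messages each.
    for host in (10, 11, 12, 13):
        lines += [f"2003-10-01 203.0.113.{host} DELETE"] * 60
    # Botnet-style spread: 200 hosts, each in its own /24, 5 deletes each.
    for n in range(200):
        lines += [f"2003-10-01 198.18.{n}.{(n * 7) % 250 + 1} DELETE"] * 5
    # Legitimate traffic plus two corrupt lines, which must not abort the run.
    lines += ["2003-10-01 192.0.2.25 PASS"] * 40
    lines += ["garbled ###", "2003-10-01 999.1.1.1 DELETE"]
    return lines


def parse(lines):
    """Return (records, corrupt_count); a record is (ip_address, action)."""
    records, corrupt = [], 0
    for line in lines:
        try:
            _date, ip, action = line.split()
            records.append((ipaddress.ip_address(ip), action.upper()))
        except ValueError:  # wrong field count or invalid address
            corrupt += 1
    return records, corrupt


def deletes_per_ip(records):
    """Count deleted messages per connecting IP."""
    return Counter(ip for ip, action in records if action == "DELETE")


def offenders(counts, min_deletes):
    """IPs with at least min_deletes deleted messages."""
    return {ip: n for ip, n in counts.items() if n >= min_deletes}


def rollup(offending, prefixlen=24):
    """Group offending hosts by enclosing network: net -> [hosts, deletes]."""
    nets = defaultdict(lambda: [0, 0])
    for ip, n in offending.items():
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        nets[net][0] += 1
        nets[net][1] += n
    return dict(nets)


def blockable(nets, min_hosts):
    """Networks with enough distinct offenders to justify a range block."""
    return sorted(net for net, (hosts, _) in nets.items() if hosts >= min_hosts)


def analyse(lines, min_deletes=5, min_hosts=3):
    records, corrupt = parse(lines)
    counts = deletes_per_ip(records)
    bad = offenders(counts, min_deletes)
    nets = rollup(bad)
    chosen = blockable(nets, min_hosts)
    total = sum(counts.values())
    stopped = sum(nets[net][1] for net in chosen)
    return {
        "corrupt": corrupt,
        "offending_ips": len(bad),
        "prefixes": len(nets),
        "blockable": chosen,
        # Share of all deleted mail that blocking the chosen ranges removes.
        "coverage": stopped / total if total else 0.0,
    }


if __name__ == "__main__":
    for key, value in analyse(build_sample()).items():
        print(f"{key:14}: {value}")
```

With the constructed data, one /24 qualifies for a range block but covers under a fifth of the deleted mail; the rest comes from hosts that share no range, which is the pattern the message describes.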

 

 









[Declude.JunkMail] Holy Bandwidth Hog, Batman !

2003-10-08 Thread IS - Systems Eng. (Karl Drugge)
Looking at some logs for a client, and was slightly horrified. This guy
runs DECLUDE on a P-3 333mhz machine with 256 meg of RAM, off of half a
T-1. He WAS running about 2/3's of this level last month. Keep in mind,
he only has 80+/- users. He is getting about 95% kill ratio on his SPAM.

He has been seeing the new 'reflected email DDOS' attack for the last 9
months, and it's getting worse by the week. Email comes in addressed to
bogus internal users with a spoofed return address, which SMTP
faithfully attempts to 'return' when it finds no such person on the
internal network. The emails originate on literally hundreds of remote
boxes, so an IP filter is going to be hard to put together. If it wasn't
for Declude nuking the email, his Exchange box would be dead by now.

Any suggestions I can give him ? About all I have left is to change his
Domain name or co-locate his declude box upstream.









Log file dates from : 09/01/2003 to 09/30/2003
 Lines Processed   : 2856302
 My Mail Server IP : [192.168.254.1]
 Whitelisted from Internal Server: 8257


 CAUTION : You have 3263 WARNINGS/ERRORS in your log file
 CAUTION : You have 2208 corrupt lines in your log file


 Total Messages Logged   : 493894
 Unique SMTP ID's Logged : 237236

* ACTIONS LOGGED  * COUNT  PERCENTAGE **

  White Listed    :  11535     2.3
  2REALLYBADMAIL  :   8074     1.6
  DELETETHEMAIL   : 432363    87.5
  HOLDTHEMAIL     :  18536     3.8
  PASSTHEMAIL     :  21282     4.3
  REALLYBADMAIL   :   8073     1.6

* TESTS LOGGED  *** COUNT  PERCENTAGE **

  2REVDNS         : 169233    34.3
  BADHEADERS      : 311715    63.1
  BADTO           : 167839    34.0
  BADTO2          : 115170    23.3
  BADTO3          : 111045    22.5
  BASE64          :  46344     9.4
  BLACKLIST       :  23354     4.7
  BLACKLIST2      :   2690     0.5
  DELETEWORDS     :  31476     6.4
  DELETEWORDS2    :  11753     2.4
  FILTERWORDS     : 261118    52.9
  IPBLACKLIST     :   1241     0.3
  MAILFROM        :   9903     2.0
  NOABUSE         : 167559    33.9
  NOPOSTMASTER    : 178892    36.2
  PERCENT         :      7     0.0
  REVDNS          : 169253    34.3
  ROUTING         : 168876    34.2
  SPAMCOP         : 360729    73.0
  SPAMHEADERS     :  36439     7.4
  WHITELST        :   4122     0.8


**



RE: [Declude.JunkMail] JM log analyzer

2003-09-09 Thread IS - Systems Eng. (Karl Drugge)









If you need something that is configurable on the fly, the DLAnalyzer is about your best bet. Damn good tool, and it gets the job done.

If you just need to know basic ins-n-outs, you can try my PERL script.. I posted it a few weeks back. Reply and I can email it back to you if you want.

 



 

Karl Drugge

 

 

 

 

 

 



-Original Message-
From: Sharyn Schmidt [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 09, 2003 8:07 AM
To: Declude Junkmail List
Subject: [Declude.JunkMail] JM log analyzer

Good morning,

I know a lot of you use some of the JM log analyzer tools that are listed on the Declude site.

I am unsure which one is best suited to our needs.

I am looking for something which will parse the JM logs, tell me how many emails have been processed and provide me a percentage of how many of those got flagged as spam. At this point, I do not need to know which individual tests they have failed, although that would be nice.

Suggestions? 

Thanks, 
Sharyn









RE: [Declude.JunkMail] More and more email getting past Declude

2003-09-02 Thread IS - Systems Eng. (Karl Drugge)






They’ve cleaned up their acts. I am seeing a lot of stuff come straight through with a single hit. It ALMOST seems like if mail fails a few tests, it’s legit !

 

Karl Drugge

 

 

 

 

 

 



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Greg Foulks
Sent: Tuesday, September 02, 2003 9:21 AM
To: Declude JunkMail (E-mail)
Subject: [Declude.JunkMail] More and more email getting past Declude

Is it just me or have spammers found other ways to get past scanners? I've been getting slammed lately with more and more spam that is getting past declude without a single hit.

Greg Foulks

NewFound Technologies, Inc.

[EMAIL PROTECTED]

http://www.nfti.com

614.318.5036




[Declude.JunkMail] Reporting Software, script attached

2003-08-19 Thread IS - Systems Eng. (Karl Drugge)
For anyone who wants this, here's a new script that will sort your
Declude log files and gives a simple easy to read report. This one's been
cleaned up since the last one, and takes into account garbled and
corrupt log files. Much easier to use, and no file renaming required.
The only thing you have to do is edit your IP for your internal mail
server, if you want.

Written in PERL. Just put it in a directory with the log files you want
checked, and it will do the rest, assuming you have PERL installed. 

Enjoy !


Sample output below :

 Log file dates from : 08/02/2003 to 08/19/2003
 Lines Processed   : 30763
 My Mail Server IP : [X.x.x.x]
 Whitelisted from Internal Server: 2539


 CAUTION : You have 83 WARNINGS/ERRORS in your log file
 CAUTION : You have 2 corrupt lines in your log file


 Total Messages Logged   : 11715
 Unique SMTP ID's Logged : 8

* ACTIONS LOGGED  * COUNT  PERCENTAGE **

  White Listed    :  3390    28.9
  WEIGHT10        :  4734    40.4
  WEIGHT20        :   573     4.9
  WEIGHT202       :   573     4.9
  WEIGHT40        :  2986    25.5

* TESTS LOGGED  *** COUNT  PERCENTAGE **

  BADHEADERS      :  1987    17.0
  BASE64          :   119     1.0
  BLACKLIST       :   493     4.2
  FILTERWORDS     :  3794    32.4
  HELOBOGUS       :  2718    23.2
  IPBlacklist     :   283     2.4
  KILLERWORDS     :   445     3.8
  MAILFROM        :    44     0.4
  NOABUSE         :  1183    10.1
  NOPOSTMASTER    :  1074     9.2
  REVDNS          :   675     5.8
  REVDNSPROBLEM   :  1630    13.9
  ROUTING         :   144     1.2
  SPAMCOP         :   493     4.2
  SPAMHEADERS     :  2214    18.9
  VirusKill       :  1125     9.6


**






declog3.pl
Description: declog3.pl


[Declude.JunkMail] Blocking attachments

2003-08-19 Thread IS - Systems Eng. (Karl Drugge)
Just double checking, but we do NOT have a way to block specific
attachments in Declude JM Pro, correct ?


Karl Drugge, Systems Network Engineer
 
 
 



RE: [Declude.JunkMail] Best Practices question

2003-07-17 Thread IS - Systems Eng. (Karl Drugge)
Not to bash Scott, who is the freaking GOD of SMTP traffic.. but EEWWW..
yuck. FIND will work, but I'd have to wash my hands afterwards. My
computer is supposed to do my work FOR me, on a daily basis, and mail me
my checks at home ! ( I wish ! )...

Just write up a quick PERL/WSH/Shell script to parse the info, then
schedule it with AT to run whenever you want. I wrote mine up a few
weeks ago. If people want I'll post it. It's in PERL, so you'll need
active PERL installed, and you might need to tweak it for your local
settings. It's not as clean as Scott or another professional programmer
might make it, but it's quick, dirty, and gets the job done.

 Here's a sample of what mine does ( on a pretty slow day for SPAM ):


  Total number of messages                 665
  Total Passed, including whitelisted,     523, percentage : 78.6
  Total HELD                                21, percentage : 3.2
  Total BOUNCED                            121, percentage : 18.2

Total of Whitelisted     218
Total of SPAMCOP         25
Total of NOABUSE         66
Total of NOPOSTMASTER    58
Total of BADHEADERS      38
Total of BASE64          1
Total of HELOBOGUS       99
Total of MAILFROM        1
Total of PERCENT         0
Total of REVDNS2         34
Total of ROUTING         13
Total of SPAMHEADERS     40
Total of FILTERWORDS     248
Total of BLACKLIST       34
Total of REVDNSPROBLEM   77
Total of IPBlacklist     31


Karl Drugge, Systems Network Engineer
 
 
 

-Original Message-
From: R. Scott Perry [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 17, 2003 10:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Best Practices question


>How can I determine the amount of caught/received emails with JunkMail?
>It would take me an eternity to go through each log file.

There are several ways that you can do this.  For example, you can do a
directory of the \IMail\spool\spam directory, where the held E-mails
are.  To find out how many are to you, you can use "find" with the /C
switch.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.



RE: [Declude.JunkMail] Spam Attack

2003-07-10 Thread IS - Systems Eng. (Karl Drugge)
While I haven't seen this particular type of attack, I do have one
client that is seeing something very similar. He is getting mail-bombed
from numerous spam sites/IP's.. he is rejecting over 300 an hour, and
this is for a site with only a 512k connection and 50 users... It's been
happening for over 3 months now. 

Karl Drugge, Systems Network Engineer
 
 
 

-Original Message-
From: Adrian Hauri [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, July 09, 2003 11:51 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Spam Attack

These IP addresses are blacklisted as an open relay in ORDB etc.
Check http://www.dnsstuff.com/tools/ip4r.ch?ip=217.16.118.12


Cheers

Adrian


- Original Message -
From: "Jeff Kratka " <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, July 10, 2003 12:43 PM
Subject: RE: [Declude.JunkMail] Spam Attack


> I first thought that but there are different messages, just bad jokes each
> message.
>
>  There were also some viruses attached which were caught.
>
> Jeff
>
> -- Original Message --
> From: "Kevin Bilbee" <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> Date: Wed, 9 Jul 2003 17:39:39 -0700
>
> >
> >
> >> -Original Message-
> >> From: [EMAIL PROTECTED]
> >> [mailto:[EMAIL PROTECTED] Behalf Of Jeff Kratka
> >> Sent: Wednesday, July 09, 2003 5:29 PM
> >> To: [EMAIL PROTECTED]
> >> Subject: [Declude.JunkMail] Spam Attack
> >>
> >>
> >> Just to let everyone know so others don't get hit with it, I just
> >> had a Spam
> >> attack/Bomb from one particular location. As soon as I found out I blocked
> >> everything possible and things are working. It was so bad that it
> >> killed the
> >> server. It came from:
> >>
> >> [217.16.118.12] MAIL From:<[EMAIL PROTECTED]>
> >>
> >> Every single e-mail was to the same address and from the same address and
> >> IP, there were a couple of thousand that attempted this.
> >
> >My guess is their spam software is stuck in a loop and sending the same
> >address over and over?
> >
> >
> >>
> >> Just thought some others would like to know.
> >>
> >> Jeff Kratka
> >>
> >> *
> >> TymeWyse Internet
> >> P.O.Box 84 - 583 N. Main St., Canyonville, OR 97417
> >> tel/fax: (541) 839-6027  -  [EMAIL PROTECTED]
> >> *
> >
>
> --
> **
> TymeWyse Internet
> P.O.Box 84 - 583 N. Main St., Canyonville, OR 97417
> tel/fax: (541) 839-6027  -  [EMAIL PROTECTED]
> **
> --


RE: [Declude.JunkMail] Wish list reminder... :-)

2003-05-29 Thread IS - Systems Eng. (Karl Drugge)
This is precisely what we do, although not to the tune of 150k messages
a day. Imail and Declude make an AWESOME gateway mail server. Only when
external contact is required ( in or out ) do we actually have to touch
the Imail/declude box. Our internal Exchange server isn't bothered with
all the external contact and I don't have to worry about filters on
internal memo's and email. Security is better as well since nothing now
has direct contact to an internal server.

I've set up several business clients ( I should be getting a commission
from Scott ! ) and this works very well. Two clients are running their
systems on Pentium III 450's with 256 megs of RAM ! Also, since nothing
is actually stored on the Imail/Declude box, if it gets burned to the
ground, it only takes an hour or so to reload from our backups and
images. Hell, it even runs on an old license of NT 4.0 !

Karl Drugge, Systems Network Engineer
 
 
 
-Original Message-
From: David Sullivan [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 28, 2003 9:22 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Wish list reminder... :-)

Does anyone that doesn't agree with Bill have any suggestions?

We've got an Imail server on a Dell box (2650 2.2 Xeon, RAID 1/5, etc)
doing about 150,000 messages a day at roughly 45% utilization and
climbing. Looking at all the headaches of managing another box along
with duplicate purchases of Imail Unl., Declude JM Pro/Virus Pro,
Hijack, Sniffer, Win2k Server, etc is just not a prospect we want to
consider.

I believe that the Sniffer guys have now offered an OEM version of their
product that would allow us to load the rulebase in memory and
drastically cut down on the content scanning cycles needed.  Any
thoughts at better optimizing Declude products?

Bill's point is very valid.  He wants to get more productivity out of
his system and knows that he doesn't need to scan all of his internally
generated messages.

Here's my suggestion:

Bill, what if you set up the new free Imail version on another box
somewhere that's not doing much, keep its port 25 closed to the outside
and send all your internal notices, etc to that domain?

-David


