RE: [Declude.JunkMail] No one at Declude?
Todd It appears that there is no one at Declude The server that handles this apparently is down and has been for a week or so. Go to mail list archive using the link below Go to the spam version of declude and sort the messages by date Go back a week or so and read the threads There is some contact info for getting help You also should go to message sniffer and email them for help on getting message sniffer to run standalone. John -Original Message- From: SM Admin [mailto:imailad...@bcwebhost.net] Sent: Tuesday, April 16, 2013 11:43 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] No one at Declude? Apparently I was too quick on the draw as this line has since been added to the diag file: 04/16/2013 22:24:21.947 [BB86F9-606322-C04138-958B5A-AB7343-94F75B] IS INVALID KEY Did someone say something about new keys? -Original Message- From: SM Admin Sent: Tuesday, April 16, 2013 10:25 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] No one at Declude? I noticed today that Declude wasn't processing. I checked the diag file and it has the usual entries at the top plus an entry at the bottom saying that the Sniffer license is invalid. How is that? So then I restarted the Declud service and now the diag file only shows this: Declude 4.12.02 Diagnostics Compilation Platform: SmarterMail Copyright (c) 2000-2013 Declude, Inc. Host Name mail1.bcwebhost.net Declude Key redacted So I have no idea what's going on. Anyone? -Original Message- From: Brian Baker Sent: Tuesday, April 16, 2013 7:09 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] No one at Declude? Looks like tonight we better figure out a new approach. My declude diag file is now reading declude lic as invalid. Anyone else? - Original Message - From: Todd Richards to...@nnepa.com To: Declude.JunkMail@declude.com Sent: Monday, April 15, 2013 9:34 AM Subject: RE: [Declude.JunkMail] No one at Declude? What system is that? Our users are getting hammered with spam. Reminds me of the days, many years ago, before I happened upon Declude... Todd -Original Message- On Sunday, April 14, 2013 10:24 PM, John Doyle wrote: I have reverted to a system that works. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] ***DECLUDE NO-AUTHENTICATION KEY***
Matt I've been told if you have sniffer running and you block SNF RETURN CODE 049 AND 055 you block most virus's. I ended up putting different weights for the return codes years ago. I score them high enough to delete on weight only and as well delete on the names Here is my setup from global config # NAMETEST CODE FILE LOCATION WEIGHT SNIFFER-SUREexternal020 D:\IMail\declude\Sniffer3.0\SNFClient.exe 30 0 SNIFFER-SUSPECT external040 D:\IMail\declude\Sniffer3.0\SNFClient.exe 8 0 SNIFFER-TRAVEL external047 D:\IMail\declude\Sniffer3.0\SNFClient.exe 18 0 SNIFFER-INSURANCE external 048 D:\IMail\declude\Sniffer3.0\SNFClient.exe 18 0 SNIFFER-AV-PUSH external 049 D:\IMail\declude\Sniffer3.0\SNFClient.exe 40 0 SNIFFER-WAREZ external050 D:\IMail\declude\Sniffer3.0\SNFClient.exe 18 0 SNIFFER-SPAMWARE external 051 D:\IMail\declude\Sniffer3.0\SNFClient.exe 20 0 SNIFFER-SNAKEOIL external 052 D:\IMail\declude\Sniffer3.0\SNFClient.exe 18 0 SNIFFER-SCAMS external053 D:\IMail\declude\Sniffer3.0\SNFClient.exe 20 0 SNIFFER-PORNexternal054 D:\IMail\declude\Sniffer3.0\SNFClient.exe 20 0 SNIFFER-MALWARE external 055 D:\IMail\declude\Sniffer3.0\SNFClient.exe 40 0 SNIFFER-ADVERTISING external056 D:\IMail\declude\Sniffer3.0\SNFClient.exe 18 0 SNIFFER-SCHEME external057 D:\IMail\declude\Sniffer3.0\SNFClient.exe 18 0 SNIFFER-CREDIT external058 D:\IMail\declude\Sniffer3.0\SNFClient.exe 18 0 SNIFFER-GAMBLING external 059 D:\IMail\declude\Sniffer3.0\SNFClient.exe 18 0 SNIFFER-GREYMAIL external 060 D:\IMail\declude\Sniffer3.0\SNFClient.exe 18 0 SNIFFER-EXPERIMENTALexternal061 D:\IMail\declude\Sniffer3.0\SNFClient.exe 18 0 SNIFFER-OBFUSCATION external062 D:\IMail\declude\Sniffer3.0\SNFClient.exe 18 0 SNIFFER-IP-RULES external 063 D:\IMail\declude\Sniffer3.0\SNFClient.exe 18 0 Here is a simple version of the above (it does not address the virus issue) but it's easy to get going FROM PETE MCNEAL ON 3/14/2013 # SNIFFER externalnonzero D:\IMail\declude\Sniffer3.0\SNFClient.exe 20 0 SNFTruncate external20 D:\IMail\declude\Sniffer3.0\SNFClient.exe 5 0 SNFCaution external40 D:\IMail\declude\Sniffer3.0\SNFClient.exe-10 0 I installed clamwin and added this to my virus config file After installing change the file locations to yours and give it a try. There are 2 lines (in case this wraps) the second line begins VIRUSCODE 1 #CLAMSCAM USED BY US SCANFILE1 C:\Progra~1\ClamWin\bin\clamscan.exe --verbose --database=D:\IMail\Declude\Scanners\ClamAV\db --tempdir=D:\IMail\spool\proc\work --no-summary -l report.txt VIRUSCODE 1 I have not had a single hit as I scan after after sniffer using AVAFTERJM ON in virus config. Hope this helps John -Original Message- From: SM Admin [mailto:imailad...@bcwebhost.net] Sent: Wednesday, April 17, 2013 12:05 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] ***DECLUDE NO-AUTHENTICATION KEY*** So what needs to be done with ClamAV? -Original Message- From: Matt Sent: Wednesday, April 17, 2013 11:24 AM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] ***DECLUDE NO-AUTHENTICATION KEY*** It seems clear at this point that the failure of Declude's licensing system is causing widespread havoc for their customers, and they are not responding to support issues, or any issues at all, and that they are in fact out of business. Therefore I am going to share the key that allows Declude to operate without authentication. This key will not allow either AVG nor Commtouch Zero Hour to work, but it will allow Declude to process email with filters and other add-ons. The key goes in your Declude.cfg file and it requires a restart. This is the same key that was shared, but I am changing the subject in order to highlight that the code is in here: CODE28607230-BF21-4CDE-A59B-A451CC7C9CA0 My recommendation is to configure both Sniffer (convert your license with Pete if it was bound to Declude) and ClamAV so that you have virus protection. Matt --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at
[Declude.JunkMail] No one at Declude?
Web site is indeed back up mail list seems to be back too. I was able to log on to my customer account. My account number however in diag.txt returns as not valid. I have reverted to a system that works. I'll try in the morning to see if they have the validation server running. As of now, I'm running w/o AVG, and Comm-touch. I'm running sniffer stand alone. John --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. winmail.dat
RE: [Declude.JunkMail] No one at Declude?
Did the mail list just come alive ??? -Original Message- From: Pete McNeil [mailto:madscient...@microneil.com] Sent: Wednesday, April 10, 2013 3:17 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] No one at Declude? On 2013-04-10 16:21, John Dobbin wrote: With all the discussion recently about Declude going down, my concern is more with what happens if/when the licensing server goes away? I don't recall where, but I heard a rumor that there was a forever license code somewhere for Declude. Anybody know anything about that? If Declude just evaporates without saying another word that would be a good thing to have. _M -- Pete McNeil, President MicroNeil Research Corporation www.microneil.com 703.779.4909 x7010 twitter/codedweller --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] No one at Declude?
Randy the web site is now down. AVG has not been updating since last month. Commtouch will begin to fail soon. Sounds like they went upside down. You may never hear another word from them. once bills don't get taken care things will stop. Search for David's email a few days ago and get the latest interim version and last AVG DB if you still can. I did the update and it fixed the growing diag.txt issue see if you can get CLAM going for virus Call Pete over at ARM Research to have Declude call sniffer directly is you use it. I have now clue if at some point Declude simply stops if there is no one home at Declude. David is a good resource, Pete may have other programs to call his product. Dig out your wallet and call Ipswitch and turn on virus and premium spam. it's a mess From: ra...@globalweb.us [mailto:ra...@globalweb.us] Sent: Wednesday, April 10, 2013 1:34 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] No one at Declude? I would like to get an official notice from Declude on what is going on and how it will affect us, like your example of the license server. Sincerely, Randy A. John Dobbin wrote:So it would seem. With all the discussion recently about Declude going down, my concern is more with what happens if/when the licensing server goes away? What are people looking at to migrate to? Has there been any actual confirmation aside from postings from former employees and people's perceptions? (no offence David) -Original Message- From: Herb Guenther [mailto:h...@lanex.com] Sent: Wednesday, April 10, 2013 3:18 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] No one at Declude? --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] No one at Declude?
Robert look in the declude log file, for CT-BULK or CT-SPAM (depending on how you set it up in your global.cfg file AT 2:18 Pacific time today mine was still working Use the links below and download the data. John From: Robert Grosshandler [mailto:r...@igive.com] Sent: Wednesday, April 10, 2013 2:00 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] No one at Declude? How are you determining that commtouch isn't working? From: Rick [mailto:redbara...@qwest.net] Sent: Wednesday, April 10, 2013 3:53 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] No one at Declude? Well their site has been down for at least 8hr so far and from what I can tell our Commtouch subscription has stopped working since then. SPAM increased 4x since this morning starting around 3AM. Thought it was a config issue after I got a email from Declude that I needed to upgrade to avoid issues after 3/30/2013. This is not looking good. From: ra...@globalweb.us [mailto:ra...@globalweb.us] Sent: Wednesday, April 10, 2013 1:34 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] No one at Declude? I would like to get an official notice from Declude on what is going on and how it will affect us, like your example of the license server. Sincerely, Randy A. John Dobbin wrote:So it would seem. With all the discussion recently about Declude going down, my concern is more with what happens if/when the licensing server goes away? What are people looking at to migrate to? Has there been any actual confirmation aside from postings from former employees and people's perceptions? (no offence David) -Original Message- From: Herb Guenther [mailto:h...@lanex.com] Sent: Wednesday, April 10, 2013 3:18 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] No one at Declude? --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] How to send notices about email held by HiJack
John T I took an old copy from a backup, renamed it, and stuck it in an obscure folder. If I get hacked, and they get to my Declude scripts, I'm screwed, but most likely it'll be the least of my worries. My recollection is that the worry is that that program can be fired off via an Ipswitch issue. My thought is whatever that vulnerability is, it won't be able to find my copy and execute. John D From: John T [mailto:johnl...@eservicesforyou.com] Sent: Saturday, March 26, 2011 9:09 AM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] How to send notices about email held by HiJack With Ipswitches decision to remove imail1.exe from Imail 11.03 the scripts we have been using to check the HiJack hold folders and send emails when email is found hold no longer work. What options are avilable now to be able to send automated email through scripts? John T eServices For You --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] We have opened up truncate.gbudb.net
While we're at it what is the difference between the two results below SNIFIP4R=WARN[5] SNIFIP4R=IGNORE[5] Thanks John --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Question about Declude
Are you running the Declude AVG or other virus scanner and you are getting leakage? Or do you not have any anti-virus running? John From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ferrell Ard Sent: Tuesday, August 19, 2008 11:06 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Question about Declude We are seeing some viruses that are getting thru IMail/Declude and wonder if anyone might have suggestions for a way for Declude to catch/delete them. Trojan Horse Backdoor.Paproxy Trojan.Wsnpoem Backdoor.Trojan Downloader.Diliv Thanks very much Ferrell --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Question on mailbox action...
Chuck I recall for that for Declude to move the message to a spam folder for the user based on weight, You need to use the declude MAILBOX action. So something like WEIGHT20 MAILBOX Spam, as you have below. (this may only work for Imail?) However, I think you need to, for each domain, check the box Create in the Sub mail Box section under Domain Properties. If not done, it will get dropped into the main folder regardless of what Declude does. This is not the same action as ROUTETO. John -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick Sent: Tuesday, April 29, 2008 2:36 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Question on mailbox action... If I institute a mailbox action like WEIGHT10 MAILBOX spam Will Imail automatically create the folder spam for the user if it does not already exist? Thanks Chuck Schick Warp 8, Inc. (303)-421-5140 www.warp8.com --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Attachments
Good morning Our Imail server is behind a Watchguard firebox firewall. It is very good about stripping off nasty attachments. When it does, it blocks the message and creates one sent to the recipient with an attachment, always the same name, and always the same single line of text in the attachment. Most times the body has the same text as the attachment, and we trap those quite well. If however there is nothing put into the body, I can't currently flag them. Does anyone have a means of flagging attachments with the same name, or same attachment contents. thanks John --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] frustration
Uwe If you are running declude alone (without ZEROHOUR) you will find yourself pretty busy tweaking. I've added decludes zerohour, as well as invURIBL, and Sniffer. With basically the stock global config, and those 3 additional tests, we see very little get through. If you are strapped for cash invURIBL is a great value. If you are not an ISP, try ZEROHOUR, it's a simple to start, and affordable email declude to try it out. Sniffer costs a bit more, but works very well, however it takes a bit of setup, but it's pretty easy to do. You are correct about spam, plug one hole, they find another. John -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Uwe Degenhardt Sent: Wednesday, July 18, 2007 2:34 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] frustration Hi everybody on the list, please excuse me, but I would like to share my frustration with you. I am poured with SPAM the last two-to-three weeks. It gets worse every day. Am I the only one who is seeing this ? I am in a good contact with David of Declude. He is doing a fantastic job, but sometimes I loose my faith and my trust, that we can win the SPAM-fight. It appeals to me, as it is like the old principle: If you put water on the fire at one place, you have to run to the next place to delete it there too. And the SPAMMERs will get cleverer everyday. What do you guys think ? Are you frustrated as well ? Uwe --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] AntiVirus Recommendations
Gary A couple more questions does runclamscan.exe call clamd? does clamd run as a service, and if so how do you start it? I tried this weekend with clamd in my virus.cfg file and it flagged all attchments as having an unknown virus, so i turned it back off. I was not aware of runclamscan. John -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Gary Steiner Sent: Saturday, July 14, 2007 3:19 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] AntiVirus Recommendations Following are my virus.cfg lines using runclamscan runclamd for the SOSDG version of ClamAV: SCANFILE1 C:\clamav-devel\thirdparty\runclamscan\runclamscan.exe log=2 C:\clamav-devel\bin\clamdscan.exe --quiet -l report.txt VIRUSCODE1 1 REPORT1 FOUND Original Message From: John Doyle [EMAIL PROTECTED] Sent: Saturday, July 14, 2007 9:31 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] AntiVirus Recommendations Gary Could you post the lines in your virus.cfg file relating to this version of clam. I'm not sure what the entry should look like. The one below slams my cpu. it is not from sosdg, it's from clamwin. my old one is: #SCANFILE1 C:\Progra~1\ClamWin\bin\clamscan.exe --verbose --database=D:\IMail\Declude\Scanners\ClamAV\db --tempdir=D:\IMail\spool\proc\work --no-summary -l report.txt #VIRUSCODE 1 thanks John -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Gary Steiner Sent: Friday, July 13, 2007 10:38 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] AntiVirus Recommendations My situation is similar to yours. I started with F-Prot, then later added ClamAV. After Declude added AVG and F-Prot changed their pricing, I dropped F-Prot. I've been using the SOSDG port of ClamAV together with runclamd and runclamscan to take advantage of Clamd, and I've never had a problem with CPU usage. http://www.sosdg.org/clamav-win32 The latest version of SmarterMail now incorporates ClamAV (much like Declude and AVG), and they are using the SOSDG port. Gary Original Message From: John Doyle [EMAIL PROTECTED] Sent: Friday, July 13, 2007 8:03 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] AntiVirus Recommendations Don I ran F-Prot and Clam for years. Then when Declude added built in AV we turned that on and I dropped F-Prot when the licensing changed,So I ran Declude and Clam for about a year. I noticed at some point ClamAV was slamming the cpu and timing out. I had to turn it off. I'm not sure at what point ClamAV changed and have not had the time to look at running Clamd version to see if it has the same problem. So we are now running only the Declude scanner and I have the same nervousness as you do about only running one scanner John -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Don Schreiner Sent: Thursday, July 05, 2007 6:23 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] AntiVirus Recommendations We have been using F-Prot for several years with great success. Their new mail server licensing change is too expensive. We tried the free Clam AV, but with heavy volume CPU was reaching 100%. I know Declude has built-in Virus Scanner, but we have always run F-Prot in addition. It seems necessary for extra protection, but perhaps now overkill? What are others using or recommend? What is best Virus scanner to keep the CPU cycles reasonable? We are running IMail 8.22, Declude 4.X, Message Sniffer, and invURI. Thanks. -Don Sent via CompBiz.net --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail
RE: [Declude.JunkMail] AntiVirus Recommendations
I found I did not do a full install of all the components, I chose the default. I did a reinstall using all options and can now see the programs and will give it another shot. thank you for your help. John -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Gary Steiner Sent: Monday, July 16, 2007 9:55 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] AntiVirus Recommendations You need to use both runclamscan runclamd. runclamscan.exe calls clamdscan.exe. There should be a file with it called runclamscan_readme.txt that explains this and other things about the program. runclamd.exe runs clamd.exe as a service. Look for a file included with it called runclamd_readme.txt that explains how this program works. Make sure you install ClamAV from the Administrator account, and not from another account with administator priviledge. I experienced some strange problems with permissions after I made this error. Original Message From: John Doyle [EMAIL PROTECTED] Sent: Monday, July 16, 2007 7:39 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] AntiVirus Recommendations Gary A couple more questions does runclamscan.exe call clamd? does clamd run as a service, and if so how do you start it? I tried this weekend with clamd in my virus.cfg file and it flagged all attchments as having an unknown virus, so i turned it back off. I was not aware of runclamscan. John -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Gary Steiner Sent: Saturday, July 14, 2007 3:19 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] AntiVirus Recommendations Following are my virus.cfg lines using runclamscan runclamd for the SOSDG version of ClamAV: SCANFILE1 C:\clamav-devel\thirdparty\runclamscan\runclamscan.exe log=2 C:\clamav-devel\bin\clamdscan.exe --quiet -l report.txt VIRUSCODE1 1 REPORT1 FOUND Original Message From: John Doyle [EMAIL PROTECTED] Sent: Saturday, July 14, 2007 9:31 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] AntiVirus Recommendations Gary Could you post the lines in your virus.cfg file relating to this version of clam. I'm not sure what the entry should look like. The one below slams my cpu. it is not from sosdg, it's from clamwin. my old one is: #SCANFILE1 C:\Progra~1\ClamWin\bin\clamscan.exe --verbose --database=D:\IMail\Declude\Scanners\ClamAV\db --tempdir=D:\IMail\spool\proc\work --no-summary -l report.txt #VIRUSCODE 1 thanks John -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Gary Steiner Sent: Friday, July 13, 2007 10:38 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] AntiVirus Recommendations My situation is similar to yours. I started with F-Prot, then later added ClamAV. After Declude added AVG and F-Prot changed their pricing, I dropped F-Prot. I've been using the SOSDG port of ClamAV together with runclamd and runclamscan to take advantage of Clamd, and I've never had a problem with CPU usage. http://www.sosdg.org/clamav-win32 The latest version of SmarterMail now incorporates ClamAV (much like Declude and AVG), and they are using the SOSDG port. Gary Original Message From: John Doyle [EMAIL PROTECTED] Sent: Friday, July 13, 2007 8:03 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] AntiVirus Recommendations Don I ran F-Prot and Clam for years. Then when Declude added built in AV we turned that on and I dropped F-Prot when the licensing changed,So I ran Declude and Clam for about a year. I noticed at some point ClamAV was slamming the cpu and timing out. I had to turn it off. I'm not sure at what point ClamAV changed and have not had the time to look at running Clamd version to see if it has the same problem. So we are now running only the Declude scanner and I have the same nervousness as you do about only running one scanner John -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Don Schreiner Sent: Thursday, July 05, 2007 6:23 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] AntiVirus Recommendations We have been using F-Prot for several years with great success. Their new mail server licensing change is too expensive. We tried the free Clam AV, but with heavy volume CPU was reaching 100%. I know Declude has built-in Virus Scanner, but we have always run F-Prot in addition. It seems necessary for extra protection, but perhaps now overkill? What are others using or recommend? What is best Virus scanner to keep the CPU cycles reasonable? We are running IMail 8.22
RE: [Declude.JunkMail] AntiVirus Recommendations
Gary Could you post the lines in your virus.cfg file relating to this version of clam. I'm not sure what the entry should look like. The one below slams my cpu. it is not from sosdg, it's from clamwin. my old one is: #SCANFILE1 C:\Progra~1\ClamWin\bin\clamscan.exe --verbose --database=D:\IMail\Declude\Scanners\ClamAV\db --tempdir=D:\IMail\spool\proc\work --no-summary -l report.txt #VIRUSCODE 1 thanks John -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Gary Steiner Sent: Friday, July 13, 2007 10:38 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] AntiVirus Recommendations My situation is similar to yours. I started with F-Prot, then later added ClamAV. After Declude added AVG and F-Prot changed their pricing, I dropped F-Prot. I've been using the SOSDG port of ClamAV together with runclamd and runclamscan to take advantage of Clamd, and I've never had a problem with CPU usage. http://www.sosdg.org/clamav-win32 The latest version of SmarterMail now incorporates ClamAV (much like Declude and AVG), and they are using the SOSDG port. Gary Original Message From: John Doyle [EMAIL PROTECTED] Sent: Friday, July 13, 2007 8:03 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] AntiVirus Recommendations Don I ran F-Prot and Clam for years. Then when Declude added built in AV we turned that on and I dropped F-Prot when the licensing changed,So I ran Declude and Clam for about a year. I noticed at some point ClamAV was slamming the cpu and timing out. I had to turn it off. I'm not sure at what point ClamAV changed and have not had the time to look at running Clamd version to see if it has the same problem. So we are now running only the Declude scanner and I have the same nervousness as you do about only running one scanner John -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Don Schreiner Sent: Thursday, July 05, 2007 6:23 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] AntiVirus Recommendations We have been using F-Prot for several years with great success. Their new mail server licensing change is too expensive. We tried the free Clam AV, but with heavy volume CPU was reaching 100%. I know Declude has built-in Virus Scanner, but we have always run F-Prot in addition. It seems necessary for extra protection, but perhaps now overkill? What are others using or recommend? What is best Virus scanner to keep the CPU cycles reasonable? We are running IMail 8.22, Declude 4.X, Message Sniffer, and invURI. Thanks. -Don Sent via CompBiz.net --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] AntiVirus Recommendations
Don I ran F-Prot and Clam for years. Then when Declude added built in AV we turned that on and I dropped F-Prot when the licensing changed,So I ran Declude and Clam for about a year. I noticed at some point ClamAV was slamming the cpu and timing out. I had to turn it off. I'm not sure at what point ClamAV changed and have not had the time to look at running Clamd version to see if it has the same problem. So we are now running only the Declude scanner and I have the same nervousness as you do about only running one scanner John -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Don Schreiner Sent: Thursday, July 05, 2007 6:23 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] AntiVirus Recommendations We have been using F-Prot for several years with great success. Their new mail server licensing change is too expensive. We tried the free Clam AV, but with heavy volume CPU was reaching 100%. I know Declude has built-in Virus Scanner, but we have always run F-Prot in addition. It seems necessary for extra protection, but perhaps now overkill? What are others using or recommend? What is best Virus scanner to keep the CPU cycles reasonable? We are running IMail 8.22, Declude 4.X, Message Sniffer, and invURI. Thanks. -Don Sent via CompBiz.net --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Version and hardware move
Andy - Mike So I would move the registery entry for the $virtualnnn and the corresponding domain entry under Imail. Then the folder (drives and installation paths are the same) for the domain. Update the persissions, Then run the wgscvt program to update contacts. It seems too simple. Which is fine with me. John -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Andy Schmidt Sent: Tuesday, May 29, 2007 7:50 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Version and hardware move Sensitivity: Personal Hi, I didn't encounter any problems when I upgraded two servers from 8.x to 2006.x just by moving the registry and folders. Mailbox and address book formats have changed. Mailboxes are upgraded on the fly upon first use under the new version, address books have to be manually upgraded. Best Regards, Andy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Doyle Sent: Tuesday, May 29, 2007 6:34 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Version and hardware move Sensitivity: Personal Andy If the old box is 8.22 and the new one is 2006.2, is it safe to move the registery and folders? are the formats the same? and all i have to do is run the conversion on the contact/address book? John -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Andy Schmidt Sent: Tuesday, May 29, 2007 2:51 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Version and hardware move Sensitivity: Personal The user and alias information is in the registry. Mailing lists, address books and mailbox content is in the \Imail\[domain name]\ folder on your server. I would start by updating the DNS MX record(s) to a very low refresh ahead of time. You export the appropriate Registry section for that domain. See if the $virtual... is available on the new server, if not, adjust it by using Notepad in the exported file. Stop the old Imail server (to prevent more mail from piling up). Copy the domain folders from the old to the new server's disk. Import the registry section to the new server. Use the Imail Admin to confirm that you can see the domain and users on the new server. Try logging into webmail to confirm that you can see the mailbox content. Switch the MX record to the new server. Update the TTL to a normal value. Delete (or rename the registry section of) the domain on the OLD server and then start the old Imail again. Confirm on the old Imail that the domain no longer shows. Run the contact/address book conversion tool on the new server. Obviously, it's easier if you do an entire server with all domains (because then you don't have to worry about cleaning up each domain on the old server, you simply don't restart it) - but the other steps are essentially the same. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Doyle Sent: Tuesday, May 29, 2007 12:39 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Version and hardware move Sensitivity: Personal Sorry guys, It was a long weekend and I meant this for the Ipswitch forum. John Morning all I spent the weekend firing up a new W 2003 server and installing Imail 2006.21 on it. I think I've delt with most of the installation issues. I would like to move clients over a domain at a time w/o doing using the technique of upgrading the old 8.22 machine and copying over the registery and Imail folder, as I want to go slow on this process. I've looked in the archives and I havent been able to find a best practices approach. With more history now, does anyone feel there is a best approach to moving a domain with all the clients? And if so what would the steps be. Thanks in advance John --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing
[Declude.JunkMail] Version and hardware move
Morning all I spent the weekend firing up a new W 2003 server and installing Imail 2006.21 on it. I think I've delt with most of the installation issues. I would like to move clients over a domain at a time w/o doing using the technique of upgrading the old 8.22 machine and copying over the registery and Imail folder, as I want to go slow on this process. I've looked in the archives and I havent been able to find a best practices approach. With more history now, does anyone feel there is a best approach to moving a domain with all the clients? And if so what would the steps be. Thanks in advance John --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Version and hardware move
Sorry guys, It was a long weekend and I meant this for the Ipswitch forum. John Morning all I spent the weekend firing up a new W 2003 server and installing Imail 2006.21 on it. I think I've delt with most of the installation issues. I would like to move clients over a domain at a time w/o doing using the technique of upgrading the old 8.22 machine and copying over the registery and Imail folder, as I want to go slow on this process. I've looked in the archives and I havent been able to find a best practices approach. With more history now, does anyone feel there is a best approach to moving a domain with all the clients? And if so what would the steps be. Thanks in advance John --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Version and hardware move
Andy If the old box is 8.22 and the new one is 2006.2, is it safe to move the registery and folders? are the formats the same? and all i have to do is run the conversion on the contact/address book? John -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Andy Schmidt Sent: Tuesday, May 29, 2007 2:51 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Version and hardware move Sensitivity: Personal The user and alias information is in the registry. Mailing lists, address books and mailbox content is in the \Imail\[domain name]\ folder on your server. I would start by updating the DNS MX record(s) to a very low refresh ahead of time. You export the appropriate Registry section for that domain. See if the $virtual... is available on the new server, if not, adjust it by using Notepad in the exported file. Stop the old Imail server (to prevent more mail from piling up). Copy the domain folders from the old to the new server's disk. Import the registry section to the new server. Use the Imail Admin to confirm that you can see the domain and users on the new server. Try logging into webmail to confirm that you can see the mailbox content. Switch the MX record to the new server. Update the TTL to a normal value. Delete (or rename the registry section of) the domain on the OLD server and then start the old Imail again. Confirm on the old Imail that the domain no longer shows. Run the contact/address book conversion tool on the new server. Obviously, it's easier if you do an entire server with all domains (because then you don't have to worry about cleaning up each domain on the old server, you simply don't restart it) - but the other steps are essentially the same. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Doyle Sent: Tuesday, May 29, 2007 12:39 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Version and hardware move Sensitivity: Personal Sorry guys, It was a long weekend and I meant this for the Ipswitch forum. John Morning all I spent the weekend firing up a new W 2003 server and installing Imail 2006.21 on it. I think I've delt with most of the installation issues. I would like to move clients over a domain at a time w/o doing using the technique of upgrading the old 8.22 machine and copying over the registery and Imail folder, as I want to go slow on this process. I've looked in the archives and I havent been able to find a best practices approach. With more history now, does anyone feel there is a best approach to moving a domain with all the clients? And if so what would the steps be. Thanks in advance John --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Imail Anti-spam
Chuck We've been running declude with Sniffer and invURIBL for a couple of years. We recently added ZEROHOUR and have been very happy with the results. I have not done an analysis of how we'd be with only Sniffer or ZEROHOUR or the various combinations of the three. We also run a pretty much delivered version of the stock Declude test sets. With our current setup, spam has been reduced to the point where I rarely even think about it. Not like the old days with tweeking filters and tests at each new outbreak almost every day. John -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Chuck Schick Sent: Wednesday, April 11, 2007 9:33 AM To: Declude. JunkMail Subject: [Declude.JunkMail] Imail Anti-spam We are running IMAIL 8.22 and I am looking at the Anti-spam features. We are also running declude. Which Anti-spam features do people find good to turn on in Imail versus Declude? Chuck Schick Warp 8, Inc. (303)-421-5140 www.warp8.com --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Need hep - mail server sending out stock reports email
Howard What version of Declude? Do you have Hijack? If so turn it on. Do your delcude logs show anything? Are you scanning all outgoing mail as well? If you are behind a firewall, ( you better be) shut down imail and check the firewall logs for outgoing smtp traffic. Perhaps even disallow outgoing smtp to see if you are blocking traffic in the firewall log. Or try to put a port sniffer on to see if somethings still going out. If Imail is off and you are getting traffic, you have to find the bugger and kill it. That can be a chore! John -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Howard Smith (N.O.R.A.D.) Sent: Wednesday, February 07, 2007 2:24 PM To: declude.junkmail@declude.com Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: [Declude.JunkMail] Need hep - mail server sending out stock reports email Running imail 8.15,sniffer and declude - starting on 2/6/7 my mail server start sending out the stock reports email , even when I stop the imail smtp process , nothing is in the Imail logs indicating problems . I have ran full scans with frprot and Symantec . Need help please , I have already made the spamcop blacklist Howard Smith N.O.R.A.D. Inc. P.O. Box 680116 Miami, Florida 33168 www.norad.com [EMAIL PROTECTED] Office - (305) NETWORK (638-9675) Sales - (786) 206-0045 Fax 1 - (305) 359-5144 Confidentiality Notice: This email message, including any Attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact [EMAIL PROTECTED] by email and destroy all copies of the original message. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. image001.gif Description: GIF image
RE: [Declude.JunkMail] On RFC Violation - Declude allows attachments and Virus to pass through untouched and unscanned
Michael Can you share your RFC violations filter with us to block this type of attack? Thanks for the heads up and the testing you did. John -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Michael Thomas - Mathbox Sent: Thursday, October 19, 2006 7:52 PM To: declude.junkmail@declude.com; declude.virus@declude.com Subject: [Declude.JunkMail] On RFC Violation - Declude allows attachments and Virus to pass through untouched and unscanned Hi All, Well, when responding on declude.junkmail@declude.com to Will about RFC violations, I said I would test this and I did. While writing this message, I happened to think about attachments. It would appear to me, that there is an implied possibility for attachments and therefore viruses to pass through undetected. All that should be required is that the lines that make up the entire email, including the attachment section, be terminated with line feeds instead of carriage return/line feed pairs. Under such condition, Declude would see only one line and not find the relevant sections. I will test this possibility. Tested: Declude v3.1.1 for IMail As it happens, my suspicions were accurate. I wrote a script that could be modified to remove either the carriage-returns or the line-feeds from a message file. I then created a message in Outlook Express, added an executable file (uptime.exe) as an attachment and saved it in my Draft folder. I then dragged that message to the same location as the script and renamed it to match the file name in the script (Rfc.eml) I ran the script, which stripped the carriage-returns and produced Rfc2.eml. I renamed Rfc2.eml to RfcNoCr.eml. In the script, I then changed vbCr to vbLf and ran it again, which stripped the line-feeds and produced Rfc2.eml. I renamed Rfc2.eml to RfcNoLf.eml. Now, to get IIS SMTP to actually process the file, you must edit each file and remove the single Cr or Lf and press the Enter Key, producing a CrLf pair after the To field and the From field. I also added the string No Cr to the end of the subject of RfcNoCr.eml and added No Lf to the subject of RfcNoLf.eml. So for example change: From: Michael Thomas - Mathbox [EMAIL PROTECTED][Cr]To: [EMAIL PROTECTED][Cr]Subject: Test Attachment Pass-Through on RFC Violation[Cr]line continues Change To From: Michael Thomas - Mathbox [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Test Attachment Pass-Through on RFC Violation No Cr[Cr]line continues Now it so happens, a long time ago, I wrote a couple of tests to detect these RFC violations, so first I had to disable them in my GLOBAL.CFG, which I did by commenting them out. Note that I also BAN the .EXE extension and I left that enabled. Now copy and paste the two files into the pickup directory of your favorite IIS SMTP pickup directory. Viola, you just passed an executable through Declude and through your mail server. That executable could very well have been a virus. Note that Declude detected RfcNoLf.eml as [Outlook 'CR' Vulnerability]. Ok good. But Declude let RfcNoCr.eml pass straight through without calling the virus scanners, because Declude did NOT see an attachment. Also, because Declude did not see an attachment, Declude did not ban the .EXE extension. Here are the log entries from RfcNoLf.eml 10/19/2006 20:41:23.471 q1b2101b783ba.smd Scanning Time: 218ms [kernel=31 user=187] 10/19/2006 20:41:23.471 q1b2101b783ba.smd Virus scanner 1 reports exit code of 0 10/19/2006 20:41:23.471 q1b2101b783ba.smd Virus detected. Not continuing with remaining scanners. 10/19/2006 20:41:23.471 q1b2101b783ba.smd 0: 10/19/2006 20:41:23.471 q1b2101b783ba.smd Starting EXT check . 10/19/2006 20:41:23.471 q1b2101b783ba.smd C:\IMAIL\spool\proc\work\D1b2101b783ba.vir\*.* 10/19/2006 20:41:23.471 q1b2101b783ba.smd 0 10/19/2006 20:41:23.471 q1b2101b783ba.smd Deleted C:\IMAIL\spool\proc\work\D1b2101b783ba.vir\0. 10/19/2006 20:41:23.471 q1b2101b783ba.smd report.txt 10/19/2006 20:41:23.471 q1b2101b783ba.smd Deleted C:\IMAIL\spool\proc\work\D1b2101b783ba.vir\report.txt. 10/19/2006 20:41:23.471 q1b2101b783ba.smd han=13e9c0 b=False 10/19/2006 20:41:23.471 q1b2101b783ba.smd File(s) are INFECTED [[Outlook 'CR' Vulnerability]: 0] 10/19/2006 20:41:23.471 q1b2101b783ba.smd High code=23. 10/19/2006 20:41:23.471 q1b2101b783ba.smd AV returned 23 10/19/2006 20:41:23.471 q1b2101b783ba.smd Scanned: CONTAINS A VIRUS 10/19/2006 20:41:23.471 q1b2101b783ba.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from XX.XXX.XXX.X] 10/19/2006 20:41:23.471 q1b2101b783ba.smd Subject: Test Attachment Pass-Through on RFC Violation No Lf 10/19/2006 20:41:23.471 q1b2101b783ba.smd Skipping non-AV E-mail BANnotify.eml 10/19/2006 20:41:23.471 q1b2101b783ba.smd
RE: [Declude.JunkMail] Blocking these?
Dave For goodness sake, call sniffer up, they offer a monthy subscription for I think less than 30 dollars. Put it on your credit card and get your company to reimburse you next month and send them a check for the 12 months and it's done. I'd hate to think what's getting though without some sort of added filter like sniffer. John -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dave Beckstrom Sent: Wednesday, October 04, 2006 8:42 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Blocking these? How are you guys blocking something like the spam below? There is no URL to block on. They keep bastardizing words in the body of the email to the point where you can't hardly block based on the content. What do you guys do with these? -Original Message- From: Louis Rubin [mailto:[EMAIL PROTECTED] Sent: Sunday, November 05, 2006 8:48 AM To: Subject: Chavez accused THIS THURS DAY OCTOBER 5 2006 BIG NEWS RELEASED ON CR SVF!!! DON'T MISS THIS INVESTMENT MOMENT, PLACE 'CRSVF' ON THE RA`DAR!!! T r a d e Ale rt: THURSDAY, October 05, 2006 'STOCK': CRSVF.OB Current Pri ce : $0.18 Pr evClose : $0.19 Recommendation: ST RO NG B UY WATCH THIS S TOCK GO HIGHER AND RI SE DON'T M I SS THIS IN VES TMENT MOMENT, PLACE CRSVF ON THE RA DAR!!! About Capital Reserve Canada: CRC is an oil and gas ser vices comp any based in Edmonton, Alberta. Through its wholly owned subsidiary, KCP Innovative Services, Inc., CRC offers technologically tools for use in four areas of the industry. The first aids in testing development of newly found resources; another measure existing wells' productivity; and the third hastens well abandonment, ensuring compliance with regulatory emission guidelines. The fourth, through its pro prie tary hardware and software technologies, is used to determine the profitability of coal bed methane deposits, which may be developed and sold as natural gas. CRC has a second wholly owned subsidiary, Two Hills Environmental, to assist with problem waste from oil gas companies, and provide undergro und storage. ADD THIS GE M TO YOUR PORTFOLIO AND WATCH IT TRADE ON THURSDAY, October 05, 2006 !! TR ADE SM ART AND W I N WITH CRSVF!!! Start to buy at 10:30 AM , October 05 2006 It will blow up --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Gateway question
Good morning Can anyone recommend a program to strip user and password data to assist in loading a gateway. username, domain and password. I know this has come up in the past several times, but I'm looking for a recommendation by someone who has actually used it. Thanks John --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Gateway question
I'm sorry I forgot that. I'm running Imail 8.22 with the users in the registry. John -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of John Dobbin Sent: Wednesday, August 23, 2006 9:49 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Gateway question For what mail server? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Doyle Sent: Wednesday, August 23, 2006 11:07 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Gateway question Good morning Can anyone recommend a program to strip user and password data to assist in loading a gateway. username, domain and password. I know this has come up in the past several times, but I'm looking for a recommendation by someone who has actually used it. Thanks John --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Gateway question
Sandy I'm looking for something to extract to a file, will this do it? John -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Sanford Whiteman Sent: Wednesday, August 23, 2006 12:04 PM To: John Doyle Subject: Re: [Declude.JunkMail] Gateway question I know this has come up in the past several times, but I'm looking for a recommendation by someone who has actually used it. Well, I've used it. Though I did write it. :) The free ldap2aliases script in my sig is designed to sync IMail users and aliases on one server into corresponding aliases on an upstream (IMail) MX. --Sandy Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED] SpamAssassin plugs into Declude! http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release / Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases! http://www.imprimia.com/products/software/freeutils/exchange2aliases/downloa d/release/ http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/re lease/ --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Ping
pong -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of David Barker Sent: Friday, August 11, 2006 8:31 AM To: declude.virus@declude.com; declude.junkmail@declude.com Subject: [Declude.JunkMail] Ping Ping --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Fw: New ClamAV scam database
Bill Thank you for the heads up. In the process of reviewing this, I discovered I'd not updated my download scripts to reflect the .gz extension and my last update had occurred last month. I vaguely recall someone pointing this out some time ago. I rewrote my script to download asnd unzip the phish.ndb.gz and all is once again well. I've had no problems with the phishing db and have come to rely on it. I look forward to the scam results. I'm pretty happy with my setup now. Declude (latest build) Sniffer AGV, f-prot (soon to be gone) and clamAV invURIBL John -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Bill Landry Sent: Monday, August 07, 2006 1:40 PM To: declude.junkmail@declude.com; declude.virus@declude.com Subject: [Declude.JunkMail] Fw: New ClamAV scam database For anyone that is possibly running ClamAV for virus scanning, and is already taking advantage of the added phish detection provided by Steve Basford's phish.ndb, he has put together another database geared to tagging scam e-mails, including those pesky image spams. The new scam database is working great here, lots of catches so far and no FPs yet. If you want to give it a run, please do heed Steve's request at the end of this message about scripting the downloads for the new scam.ndb, at least for now... Thanks, Bill - Original Message - From: Steve Basford [EMAIL PROTECTED] To: Bill Landry [EMAIL PROTECTED] Sent: Monday, August 07, 2006 12:51 PM Subject: Re: scam database Hi Bill, Just to let you know I've done a big update to the scam database, which isn't publicily known about yet but it's working a treat this end, with a lot of those image spams :) If you want to give a manual trial run: http://www.sanesecurity.com/clamav/scam.ndb.gz Cheers, Steve Bill Landry wrote: Wow, Steve, this is working very well! Nice work. Do you mind if I let others know about the availability of this new scam database? That's great! It's working too, for me at work... and two other brave test sites :) Yep, you can let people know but... Please could you ask people to only *manually* download the file for the time being, no scripts, it'll only get updated once a day at the moment, when I see a big new image spam run: Main Site: http://www.sanesecurity.com/clamav/ Scam Database: http://www.sanesecurity.com/clamav/scam.ndb.gz Phishing Database: http://www.sanesecurity.com/clamav/phish.ndb.gz Glad it's helping :) Cheers, Steve --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] 4.3 Upgrade
Mark I upgraded last week. I'd had a leakage issue with 4.2 build 12 and went back to 4.09. I have had no problems since going back upto 4.3. I'm running Imail 8.22 hf2 On an unrelated issue. My AVG virus defs were not getting updated. It took a while to troubleshoot, but I got great support from Linda and David to resolve it. Turns out our firewall was blocking the outgoing/incoming tcp traffic on port 25 to declude servers. We allowed traffic to and fromtheir servers and it started working. We use a watchguard firewall and it is pretty locked down. John -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Mark ReimerSent: Monday, July 24, 2006 9:16 AMTo: Declude JunkMailSubject: [Declude.JunkMail] 4.3 Upgrade Have many people upgraded to 4.3 yet. I was wondering if anyone had experienced any problems with the new version. Mark Reimer IT Project Manager American CareSource 214-596-2464 ---This E-mail came from the Declude.JunkMail mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.JunkMail". The archives can be foundat http://www.mail-archive.com. ---This E-mail came from the Declude.JunkMail mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.JunkMail". The archives can be foundat http://www.mail-archive.com.
RE: [Declude.JunkMail] Hijack: Blocklist feature request
Check the archives for an old solution for hold notification. There is a vbs script that will do what your looking for. I have scheduled every 15 min. If there are any files in hold2, it emails me. I use something similar for the outgoing queue in case of a backup. The issue of outgoing mail has gotten much more serious over the years. It's getting to the point that it almost rates as much scrutiny and incoming mail. I've gotten burned from lists, bulk mailings and hijacked machinges. It takes days to get unlisted. John -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of [EMAIL PROTECTED] Sent: Thursday, July 20, 2006 10:19 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Hijack: Blocklist feature request Also it would be nice for it to optionally send an email to the postmaster (or whoever) when hold1 level reached and especially when hold2 level reached. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Thursday, July 20, 2006 12:49 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Hijack: Blocklist feature request Mike, The operation of Hijack is under review, thank you for your suggestions. David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike N Sent: Thursday, July 20, 2006 12:46 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Hijack: Blocklist feature request Product: Declude Security Suite 4.x Function: Hijack Hijack is critical to ISPs today because viruses can show up at any time and get your server on a blacklist before you can detect and react. Problem #1 - After a customer has cleaned out their PC and removed the virus, there must be a method to allow them to send mail again but keep watching for a new virus infection. Currently the only solution is A to restart the Declude service or B put them in an allow section of the HIJACK.CFG file. Neither method is acceptable because A clears out other Hijack'd customers who you haven't yet been able to contact but are still spewing spam. B Allows them to resume sending real mail, but disables monitoring for future infections. Problem #2 - If the DecludeProc service crashes, or it is necessary to reboot, all Hijack entries are cleared. This is not acceptable because it clears out Hijack'd customer(s) still spewing spam. Some spams can get out before they reblacklist themselves. Suggestions- The Hijack function should periodically save out the blacklist state to a file - on IP address addition / change? Add a method of informing DecludeProc to remove an IP address from the blacklist entry. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Speaking of Decludes AVG scanner
Chris Thanks for swerving back to the subject at hand. I tried this last night and found yes indeed the firewall was blocking the outgoing request. I added the new IP address and it returned the 1.1.1.1. However I neglected to allow incoming traffic and as of this morning it had not updated the db files. This morning I opened up the firewall to incoming traffic and am waiting for something to happen. I now understand it takes 24 hours for the system to fire up the first time. Not sure why. But I'm waiting for this to happen to see if it all works. John -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Chris Asaro Sent: Tuesday, July 18, 2006 5:39 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Speaking of Decludes AVG scanner John Try opening the diags.txt file in your \mailserver\declude directory. Check to see if you are receiving an invalid key code error. If not try this: http://support.declude.com/Customer/KBArticle.aspx?articleid=57 Chris -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Doyle Sent: Monday, July 17, 2006 5:38 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Speaking of Decludes AVG scanner None of the db files have ever updated. Does anyone know what ports, protocols, whatever is used to do the update. Either Declude is not requesting the db update, or our firewall is blocking either the request or the subsequent update file. So far I haven't been able to find anything in the firewall logs. thanks for any help John --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. -- No virus found in this incoming message. Checked by AVG Free Edition. Version: 7.1.394 / Virus Database: 268.10.1/390 - Release Date: 7/17/2006 -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.1.394 / Virus Database: 268.10.1/390 - Release Date: 7/17/2006 --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Speaking of Decludes AVG scanner
Nick Good catch, at the bottom of my diags.txt file I see 2 INVALID KEY entries. My firewall does not allow domain names to be entered as source or destination addresses, only IP addresses. I had an old entry for 63.246.13.84 entered on march 06, doing an nslookup for keys.declude.com I now get 63.246.31.246. I've added the new address and allow incoming and outgoing traffic, but am not sure what to do next. Not sure if I should restart the decludeproc or what. John -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Nick Hayer Sent: Tuesday, July 18, 2006 5:59 AM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] Speaking of Decludes AVG scanner Chris Asaro wrote: Try opening the diags.txt file in your \mailserver\declude directory. Check to see if you are receiving an invalid key code error. When I went to 4.20 I had no such error code however the evidently there was a one hence Declude ceased to function without warning. -Nick --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Speaking of Decludes AVG scanner
None of the db files have ever updated. Does anyone know what ports, protocols, whatever is used to do the update. Either Declude is not requesting the db update, or our firewall is blocking either the request or the subsequent update file. So far I haven't been able to find anything in the firewall logs. thanks for any help John --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Speaking of Declude's AVG scanner
John T Mine are Avi7.avg 2/21/2006 Miniavi.avg 5/22/2006 Microavi.avg 5/18/2006 Icavi.avm5/22/2006 Pretty out of date! I'm running 4.2 build 20 John -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of John T (Lists) Sent: Monday, July 17, 2006 2:49 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Speaking of Declude's AVG scanner The 4 files I have are as such: Avi7.avg02/16/06 Miniavi.avg 07/13/06 Microavi.avg07/14/06 Incavi.avm 07/17/06 John T eServices For You Seek, and ye shall find! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Doyle Sent: Monday, July 17, 2006 2:38 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Speaking of Decludes AVG scanner None of the db files have ever updated. Does anyone know what ports, protocols, whatever is used to do the update. Either Declude is not requesting the db update, or our firewall is blocking either the request or the subsequent update file. So far I haven't been able to find anything in the firewall logs. thanks for any help John --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] 4.2 build 20 Released 6 July 2006
We are running Imail 8.22. I did the upgrade on Saturday, so far no problems. I backed down from 4.2 b12 to 4.09 as I was getting email without declude adding header information, and I was not able to find any record in any declude log of the message being processed. So far I have not seen a similar situation with build 20. John -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of David Barker Sent: Friday, July 07, 2006 7:42 AM To: Declude.Virus@declude.com; Declude.JunkMail@declude.com Subject: [Declude.JunkMail] 4.2 build 20 Released 6 July 2006 EVA ADD New NONSTANDARDHDR vulnerability test. Messages found to have broken headers are moved to the \virus folder EVA FIX ALLOWVULNERABILITIESFROM (for user) EVA FIX BANEXT buffer overflow SM ADD When an error is found in the envelope (.hdr) file the message is moved to the \error folder SM ADD Decludeproc will not start without a valid domainlist.xml SM FIX QUEUEFILE_SAVEFILE the log is showing the correct directory path SM FIX Allows admin to set VIRDIR to any directory path in the virus.cfg David Barker Product Manager Your Email security is our businessT 978.499.2933 office 978.988.1311 fax [EMAIL PROTECTED] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Verizon Issues
Morning all Last week, I found I was unable to send to a Verizon customer. I was getting 550 You are not allowed to send mail:sv5pub.verizon.net I submitted our mail server IP address to see if we were blacklised and got a reply back that we were not. I then switched to using a Charter SMPT server and got a similar response. I next tried using remote access, web mail on the our Imail server so there would be no record of a dynamic IP address in the header, and sent another message. It timed out this morning with 421 SMTP service not available, closing transmission channel and terminating after the Imail max tries timed out. Does anyone have any thoughts, as we speak, none of our customers are now able to email anyone at Verizon. Thanks for any help. John Ive gotten the following from various attempts to send mail 550 You are not allowed to send mail:sv5pub.verizon.net 550 You are not allowed to send mail:sv15pub.verizon.net 550 You are not allowed to send mail:sv22pub.verizon.net 550 You are not allowed to send mail:sv28pub.verizon.netlog entry shown below 550 You are not allowed to send mail:sv1pub.verizon.net 550 You are not allowed to send mail:sv27pub.verizon.net 550 You are not allowed to send mail:sv3pub.verizon.net here is a typical Imail log 999.999.999.999 is our imail server 555.555.555.555 is my Charter Dynamic IP address at my home. 07:04 17:55 SMTPD(0df50189eaa5) [999.999.999.999] connect 555.555.555.555 port 10863 07:04 17:55 SMTPD(0df50189eaa5) [555.555.555.555] EHLO Johnsm480n 07:04 17:55 SMTPD(0df50189eaa5) Authenticated [EMAIL PROTECTED], session treated as local. 07:04 17:55 SMTPD(0df50189eaa5) [555.555.555.555] MAIL FROM: [EMAIL PROTECTED] 07:04 17:55 SMTPD(0df50189eaa5) [555.555.555.555] RCPT TO: [EMAIL PROTECTED] 07:04 17:55 SMTPD(0df50189eaa5) [555.555.555.555] D:\IMail\spool\D0df50189eaa5.SMD 4082 07:04 17:55 SMTP-(0df50189eaa5) processing D:\IMail\spool\q0df50189eaa5.smd 07:04 17:55 SMTP-(0df50189eaa5) Trying verizon.net (0) 07:04 17:55 SMTP-(0df50189eaa5) Connect verizon.net [206.46.232.11:25] (1) 07:04 17:55 SMTP-(0df50189eaa5) 220 sv15pub.verizon.net MailPass SMTP server v1.2.0 - 112105154401JY+PrW ready Tue, 4 Jul 2006 19:58:31 -0500 07:04 17:55 SMTP-(0df50189eaa5) EHLO mail.web-partners.com 07:04 17:55 SMTP-(0df50189eaa5) 250-Requested mail action okay, completed 07:04 17:55 SMTP-(0df50189eaa5) 250-8BITMIME 07:04 17:55 SMTP-(0df50189eaa5) 250 SIZE 2048 07:04 17:55 SMTP-(0df50189eaa5) MAIL FROM:[EMAIL PROTECTED] 07:04 17:55 SMTP-(0df50189eaa5) 550 You are not allowed to send mail:sv15pub.verizon.net 07:04 17:55 SMTP-(0df50189eaa5) ERR undeliverable 550 You are not allowed to send mail:sv15pub.verizon.net 07:04 17:55 SMTP-(0df50189eaa5) SMTP_DELIV_FAILED 07:04 17:55 SMTP-(0df50189eaa5) QUIT 07:04 17:55 SMTP-(0df50189eaa5) 221 sv15pub.verizon.net closing connection 07:04 17:55 SMTP-(0df50189eaa5) Creating message from Postmaster 07:04 17:55 SMTP-(0df50189eaa5) Delivery process now using new file: 0df904484f09 07:04 17:55 SMTP-(0df50189eaa5) finished D:\IMail\spool\q0df50189eaa5.smd status=2 Morning all Last week, I found I was unable to send to a Verizon customer. I was getting 550 You are not allowed to send mail:sv5pub.verizon.net I submitted our mail server IP address to see if we were blacklised and got a reply back that we were not. I then switched to using a Charter SMPT server and got a similar response. I next tried using remote access, web mail on the our Imail server so there would be no record of a dynamic IP address in the header and sent another message. It timed out this morning with 421 SMTP service not available, closing transmission channel and terminating after the Imail max tries timed out. Does anyone have any thoughts, as we speak, none of our customers are now able to email anyone at Verizon. Thanks for any help. John --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] New Version working so far...
David I tried to post a message earler today and I havent seen it yet. Are there some unprocessed posting? Thanks John -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of David Barker Sent: Thursday, July 06, 2006 2:07 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] New Version working so far... I don't want to get too excited just yet. I just want to get it right. Let me know so if there is something else going on with this I can push to get it resolved. Let me know. David -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of IS - Systems Eng. (Karl Drugge) Sent: Thursday, July 06, 2006 5:04 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] New Version working so far... Installed the new version this afternoon (thanks for the heads-up David !). So far, I am doing pretty good. All messages in the error directory are SPAM, and SPAM that would have dropped through. So, good news there ! I will probably script something that will rename the files to something with the senders name-domain to aid in sorting out garbage. Also, after all the beating Declude has taken over the past two months, a well deserved 'Hell Yeah!' . We all would have liked it sooner, but I'll take later. It took a while, but it looks like we're all back on track. I'll know for myself tomorrow morning. I may even turn Hijack back on Karl Drugge --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Verizon Issues
Yes, and the same results. I've run out of ideas. This has been going on for a week. John -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Andy Schmidt Sent: Thursday, July 06, 2006 2:57 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Verizon Issues Hi John, I assume you tried sending FROM a different domain name - just in case they have blacklisted the domain name, but not the IP (however unlikely that might sound.) Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax:+1 201 934-9206 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Doyle Sent: Thursday, July 06, 2006 05:28 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Verizon Issues Morning all Last week, I found I was unable to send to a Verizon customer. I was getting 550 You are not allowed to send mail:sv5pub.verizon.net I submitted our mail server IP address to see if we were blacklised and got a reply back that we were not. I then switched to using a Charter SMPT server and got a similar response. I next tried using remote access, web mail on the our Imail server so there would be no record of a dynamic IP address in the header, and sent another message. It timed out this morning with 421 SMTP service not available, closing transmission channel and terminating after the Imail max tries timed out. Does anyone have any thoughts, as we speak, none of our customers are now able to email anyone at Verizon. Thanks for any help. John Ive gotten the following from various attempts to send mail 550 You are not allowed to send mail:sv5pub.verizon.net 550 You are not allowed to send mail:sv15pub.verizon.net 550 You are not allowed to send mail:sv22pub.verizon.net 550 You are not allowed to send mail:sv28pub.verizon.netlog entry shown below 550 You are not allowed to send mail:sv1pub.verizon.net 550 You are not allowed to send mail:sv27pub.verizon.net 550 You are not allowed to send mail:sv3pub.verizon.net here is a typical Imail log 999.999.999.999 is our imail server 555.555.555.555 is my Charter Dynamic IP address at my home. 07:04 17:55 SMTPD(0df50189eaa5) [999.999.999.999] connect 555.555.555.555 port 10863 07:04 17:55 SMTPD(0df50189eaa5) [555.555.555.555] EHLO Johnsm480n 07:04 17:55 SMTPD(0df50189eaa5) Authenticated [EMAIL PROTECTED], session treated as local. 07:04 17:55 SMTPD(0df50189eaa5) [555.555.555.555] MAIL FROM: [EMAIL PROTECTED] 07:04 17:55 SMTPD(0df50189eaa5) [555.555.555.555] RCPT TO: [EMAIL PROTECTED] 07:04 17:55 SMTPD(0df50189eaa5) [555.555.555.555] D:\IMail\spool\D0df50189eaa5.SMD 4082 07:04 17:55 SMTP-(0df50189eaa5) processing D:\IMail\spool\q0df50189eaa5.smd 07:04 17:55 SMTP-(0df50189eaa5) Trying verizon.net (0) 07:04 17:55 SMTP-(0df50189eaa5) Connect verizon.net [206.46.232.11:25] (1) 07:04 17:55 SMTP-(0df50189eaa5) 220 sv15pub.verizon.net MailPass SMTP server v1.2.0 - 112105154401JY+PrW ready Tue, 4 Jul 2006 19:58:31 -0500 07:04 17:55 SMTP-(0df50189eaa5) EHLO mail.web-partners.com 07:04 17:55 SMTP-(0df50189eaa5) 250-Requested mail action okay, completed 07:04 17:55 SMTP-(0df50189eaa5) 250-8BITMIME 07:04 17:55 SMTP-(0df50189eaa5) 250 SIZE 2048 07:04 17:55 SMTP-(0df50189eaa5) MAIL FROM:[EMAIL PROTECTED] 07:04 17:55 SMTP-(0df50189eaa5) 550 You are not allowed to send mail:sv15pub.verizon.net 07:04 17:55 SMTP-(0df50189eaa5) ERR undeliverable 550 You are not allowed to send mail:sv15pub.verizon.net 07:04 17:55 SMTP-(0df50189eaa5) SMTP_DELIV_FAILED 07:04 17:55 SMTP-(0df50189eaa5) QUIT 07:04 17:55 SMTP-(0df50189eaa5) 221 sv15pub.verizon.net closing connection 07:04 17:55 SMTP-(0df50189eaa5) Creating message from Postmaster 07:04 17:55 SMTP-(0df50189eaa5) Delivery process now using new file: 0df904484f09 07:04 17:55 SMTP-(0df50189eaa5) finished D:\IMail\spool\q0df50189eaa5.smd status=2 Morning all Last week, I found I was unable to send to a Verizon customer. I was getting 550 You are not allowed to send mail:sv5pub.verizon.net I submitted our mail server IP address to see if we were blacklised and got a reply back that we were not. I then switched to using a Charter SMPT server and got a similar response. I next tried using remote access, web mail on the our Imail server so there would be no record of a dynamic IP address in the header and sent another message. It timed out this morning with 421 SMTP service not available, closing transmission channel and terminating after the Imail max tries timed out. Does anyone have any thoughts, as we speak, none of our customers are now able to email anyone at Verizon. Thanks for any help. John --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com
RE: [Declude.JunkMail] compatibility question
Robert I"m running 8.22 hf2 and Declude 4.1. I would not suggest going to 4.2 as I was getting some "leakage" of mail that seemingly had not been scanned by declude. I could not find any record in either the declude, or the virus log files. I found that the headers had no declude entries. That was version 4.2 Build 12. I reverted back to 4.09 and the problem resolved itself, I later moved back to 4.1 and things still are working well. I'd stay away from 4.2 until there is a fix. This was reported as not being an Imail problem, only smartermail, but I had the same thing happen with Ipswitch. (this is my opinion, I could be wrong) I have a firewall blocking "broken" and non compliant addresses, but still got maybe 4 or 5 per day out of 200 for my address. So I'm not sure of the root cause. I was most worried about no record of the email in the virus log. I still can't figure out how they got delivered if Declude didn't process the mail. John -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Robert ShubertSent: Monday, June 19, 2006 8:45 AMTo: declude.junkmail@declude.comSubject: [Declude.JunkMail] compatibility question Sorry if this is waste of time, but I want to be absolutely sure before I do anything to my server. Is Declude 4.2 fully compatible with iMail 8.22? Thanks, Robert---This E-mail came from the Declude.JunkMail mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.JunkMail". The archives can be foundat http://www.mail-archive.com. ---This E-mail came from the Declude.JunkMail mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.JunkMail". The archives can be foundat http://www.mail-archive.com. ---This E-mail came from the Declude.JunkMail mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.JunkMail". The archives can be foundat http://www.mail-archive.com.
RE: [Declude.JunkMail] Mail Backlogging
Will Check your memory useage in Task Manager and be sure you don't have memory creep. I had winsockcleanup on for an issue I had. Once resolved I turned it off. It seem to not allow new messages into the procdirectory untill it empties to allow for the cleanup. So, if you watch cpu usage it'll taper off and if you have onevery largeemailbeing examinedbyanti virus it goes way low andjust sits there until that one message is finished. I use: THREADS 40 WAITFORMAIL 500 WAITFORTHREADS 10 WAITBETWEENTHREADS 50 WINSOCKCLEANUP OFF Slowly run up the threads if your cpu usage is low. Also halt tests if a max weight is reached, that'll save processor time. There is no point in simply running up the score if you hold or delete at say 30 or 40. John -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of WillSent: Wednesday, May 31, 2006 5:46 AMTo: Declude.JunkMail@declude.comSubject: RE: [Declude.JunkMail] Mail Backlogging Matt, Thank you for the suggestions, I will try these settings and keep an eye on it. I had turned winsockcleanup on due to an issue where I was no longer able to perform dns queries until the decludeproc was restarted. Ive turned it off again per your suggestion, which I hope is now fixed. Im still trying to understand the country filter however. I see two methods for this, one is the sample filter already in the global.cfg, which uses the filter-country.txt to add weight based what appears to be domain extension. The other is a command called COUNTRY, which uses the all_list.dat file. The filter-country.txt file doesnt seem like it will be accurate enough. Does anyone have an example of how to use the COUNTRY filter to delete mail from specific countries or at least add an action to like warn? I have only been able to find the following example, but the syntax doesnt make sense as all the other filters have weights. COUNTRY END IS US COUNTRY END IS CA REMOTEIP 5 CONTAINS . If I were to add these three lines to my global.cfg, Im not sure what that would do. Will -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of MattSent: Tuesday, May 30, 2006 7:05 PMTo: Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail] Mail Backlogging Will,You should change the following settings:WAITFORMAIL 1000WAITFORTHREADS 100WINSOCKCLEANUP OFFIf you have two virus scanners configured and external tests like Sniffer, Eradispam, invURIBL, etc. configured, I would recommend dropping the threads down to 40. If you have less than a total of 5 Ghz of physical processors, I would drop that number (either 75 or 40) by another 1/3. This isn't that important though, it's just about not pounding on your server too hard, especially when you are recovering from a big backup of E-mail.The WAITFORTHREDS setting is the most important. Essentially it waits 1.5 seconds between each E-mail with your default settings. A server can only process 57,600 messages a day with that much wait. Declude should change this default setting to something much lower. You would need no more than 500 ms in order to keep up with your 140,000 volume (if that is what Declude processes), and you would likely be backing up during the busier hours. Setting it to 100 ms allows your system to max out at 10 messages per second if it were able to handle that load.WINSOCKCLEANUP likely lowers your ability to process E-mail even further. Unless you had issues and were told to turn this on, you definitely should turn it off on a busy server, otherwise you will be delaying E-mail processing further. Even if you had this on before, you might want to test it with a more recent Declude release and it turned off just to see if it is stable again. My read on this is that it was introduced to clean up a leak of some sort that is no longer happening because either the code is fixed, or the trigger is no longer occurring in the wild.Opinions may vary, but you have mine now, and based on my experience so far, I would say that this should do it.MattWill wrote: Here is my declude.cfg file: #THREADS 15 THREADS 75 #WAITFORMAIL Defined in milliseconds eg. 5000 = 5 seconds this can be changed to set the #wait time that decludeproc will wait before checking the \proc directory once empty for new messages. WAITFORMAIL 5000 #INVITEFIX Some customers had issues related to Outlook meeting requests appearing as text only. INVITEFIX ON #ADVANCED CONFIGURATIONS # #WAITFORTHREADS Defined in milliseconds eg. 1500 = 1.5 seconds this can be changed so that when the maximum #threads are in use this time specifics the wait before
RE: [Declude.JunkMail] Experience with 4.x
Andrew I had this problme last year, decludeproc will suffer memory creep, slowly building over time. You can see if it's happening by opening taskmanager and checking the memory used by decludeproc. For us it would run for about 4 hours before a problem arose. I can't remember what finally fixed the problem for us. I have used the dnsoverride function to direct it to a less used dns server. But I can't recall if that was the fix or not. We might have had a firewall port issue. I'd turn the winsockcleanup off and monitor your memory usage. If it keeps creeping up turn it back on. John -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Colbeck, Andrew Sent: Tuesday, May 23, 2006 3:26 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Experience with 4.x Thanks, David. I've read all of the support forum emails that have been posted on the WINSOCKCLEANUP and even reviewed them again via the mail archive website before my own implementation. What I haven't been able to tell is whether I can diagnose this issue if I have it before it becomes an outage. Can it only be detected by it's side-effect of filling up the proc folder? If I have a mechanism on my IMail server that does DNS queries... Will they fail when the WinSock needs being cleaned up? I think not, as at least one posting specifically mentioned that IMail IP4R tests worked when DecludeProc IP4R tests timed out. Your official description for WINSOCKCLEANUP ON says ...network stack causing loss of functionality for basic network operations; is this deliberately generic so that you don't have to explain what a DNS test is, or does it imply that other IP communications will also fail, e.g. SMTP and (critically for me) RDP? Andrew. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Tuesday, May 23, 2006 3:12 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Experience with 4.x Andrew, In certain cases we found that Imail would stop resolving, it seemed that stop/starting the decludeproc or smtp service fixed the problem by resetting the winsock. So we added WINSOCKCLEANUP to deal with this specific Imail issue. David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Tuesday, May 23, 2006 3:45 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Experience with 4.x David, is there a proactive way to detect if an installation would benefit from the WINSOCKCLEANUP ON directive in declude.cfg? I would rather be able to detect this while it's happening than to react when I find that spam is leaking or that the proc folder is continually growing. Andrew. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Tuesday, May 23, 2006 7:48 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Experience with 4.x Mike, 1. The WINSOCKCLEANUPON activates when the \Proc reaches 0 2. If Decludeproc stops unexpectedly files it is busy with are move to the \review 3. You can use AUTOREVIEW ON to have these move back to the \proc 4. Be aware though if there is a real problem message you may find that the message gets looped 5. Make sure you have the latest version of decludeproc ... There should be a release later today or tommorow. David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike N Sent: Tuesday, May 23, 2006 10:23 AM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Experience with 4.x I found that WINSOCKCLEANUP ON would force a reset if the \proc directory never hits 0. In this case, files build up in the \review subfolder which require manual processing. - Original Message - From: David Barker [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Tuesday, May 23, 2006 7:34 AM Subject: RE: [Declude.JunkMail] Experience with 4.x The purpose of WINSOCKCLEANUPON is to reset the winsock, what happens when using this setting is that when the \proc directory hit 0 decludeproc will finish processing all the messages in the \work before checking the \proc again. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL
RE: [Declude.JunkMail] Experience with 4.x
This sounds like me. I found some notes from my issue back in December. When upgrading to v 3 from v 2x we would loose connectivity every 3 or 4 hours. We finally figured out Decludeproc needs to get out on port 53 for some dns function. We allowed outbound port 53 for dns and the problem went away. This apparently is for the initial authorization of the software. I think this is a one time event. Upgrading from V3 to V4 we had the same problem. It was resolved with a phone call to Declude and the discovery that that the initial authorization had been moved from port 53 to port 25. After making that change to the firewall V4 runs fine. Good luck John -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Colbeck, Andrew Sent: Tuesday, May 23, 2006 3:36 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Experience with 4.x David, that sounds like the case I saw that noted that his firewall wasn't allowing outbound DNS and also noted that implementing WINSOCKCLEANUP ON worked for him. I wasn't at all sure that the winsock fix was relevant for him! I'll keep watching my folders. Perhaps I'll get lucky enough to need to the fix and may offer some further insight here. Andrew. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Tuesday, May 23, 2006 3:30 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Experience with 4.x The only way that we have detected this was with Imail and mail being stuck in the spool. ...network stack causing loss of functionality for basic network operations is generic but if I remember correctly when this happened the admin was not even able to ping an outside server, which would suggest to me other IP communications fail as well. David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Tuesday, May 23, 2006 6:26 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Experience with 4.x Thanks, David. I've read all of the support forum emails that have been posted on the WINSOCKCLEANUP and even reviewed them again via the mail archive website before my own implementation. What I haven't been able to tell is whether I can diagnose this issue if I have it before it becomes an outage. Can it only be detected by it's side-effect of filling up the proc folder? If I have a mechanism on my IMail server that does DNS queries... Will they fail when the WinSock needs being cleaned up? I think not, as at least one posting specifically mentioned that IMail IP4R tests worked when DecludeProc IP4R tests timed out. Your official description for WINSOCKCLEANUP ON says ...network stack causing loss of functionality for basic network operations; is this deliberately generic so that you don't have to explain what a DNS test is, or does it imply that other IP communications will also fail, e.g. SMTP and (critically for me) RDP? Andrew. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Tuesday, May 23, 2006 3:12 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Experience with 4.x Andrew, In certain cases we found that Imail would stop resolving, it seemed that stop/starting the decludeproc or smtp service fixed the problem by resetting the winsock. So we added WINSOCKCLEANUP to deal with this specific Imail issue. David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Tuesday, May 23, 2006 3:45 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Experience with 4.x David, is there a proactive way to detect if an installation would benefit from the WINSOCKCLEANUP ON directive in declude.cfg? I would rather be able to detect this while it's happening than to react when I find that spam is leaking or that the proc folder is continually growing. Andrew. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Tuesday, May 23, 2006 7:48 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Experience with 4.x Mike, 1. The WINSOCKCLEANUPON activates when the \Proc reaches 0 2. If Decludeproc stops unexpectedly files it is busy with are move to the \review 3. You can use AUTOREVIEW ON to have these move back to the \proc 4. Be aware though if there is a real problem message you may find that the message gets looped 5. Make sure you have the latest version of decludeproc ... There should be a release later today or tommorow. David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
[Declude.JunkMail] Filter question
I've just started using Sniffer and am wondering if I can create a test for the following condition and take an action. Say: if the declude score is greater than 20 and Sniffer has not been triggered, copy the message to a spam account. So something like header contains WEIGHT20 and doesn't contain SNIFFER would trigger a COPYTO. But do it with a declude test, not a Imail Domain incoming rule. I'd like to get all spam not caught by Sniffer and forward the messages back to Sniffer. Thanks John --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] invURIBL
Todd I added invURBL a couple of months ago. Other than pointing it to a specific Dns, I did not change the config file. They have a good section in the manual about how to config it for use with declude. I raised my domain weight scores for a bit to be sure we were not adding the new invurlb weight to potential false positives, but found few and set them back down to what they were. I think you could add it, as is, without any tweaking and do pretty well. It has worked well for me and I'm happy with the product. Affordable and works as advertised, can't get much better than that. John -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Friday, April 07, 2006 7:18 AM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] invURIBL Per suggestions from others, I am looking to implement invURIBL on our mail server (Imail 8.2x with Declude 4.0.9). I wanted to give it a trial run first, but because of it's low cost and recommendations from others, I will probably just implement it. I'm not much of a tweaker so I'm curious if anyone has any must tweaks after installation, or any other recommendations for settings. Thanks for any tips. Todd --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Declude 3.1 and 4.1 Release Notes
Love the link in the release notes to the examples in the KB. It makes it easy to evaluate and if desired adopt. Thanks! John Declude 3.1 and 4.1 Release Notes http://www.declude.com/Articles.asp?ID=122 available. David B www.declude.com --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Virus?
Goran Can you give me some information on installing the sane security phishing filters with CLAM. I found and went to the sane web site, and can see how to download, But Im not sure how clamwin is set up to use the file. Any help would be appreciated. Thanks John From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic Sent: Thursday, April 06, 2006 2:20 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Virus? Richard, I implemented CLAM AV with the Sane Security phishing filters. This is from the thread that Andrew included. I run F-Prot then McAfee then CLAM AV with the ExitOnFirstDetect (or whatever that directive is). Clam is the scanner that catches pretty much all phishing attempts. The other two dont do much in that department. Goran Jovanovic Omega Network Solutions From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Thursday, April 06, 2006 2:03 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Virus? Richard, you might want to check this thread from the archives. Goran can clarify, but I'm pretty sure that this is the source of the Sane Security detection string. For what it's worth, Message Sniffer catches the email message body you supplied with the MALWARE category. The hosting provider, 0catch.com are not bad guys but their express hosting model makes them a frequently used hoster of malware and pharmacy sales/scams. The link was still active, so I downloaded and ran it through various antivirus engines out of curiousity. Trend Micro didn't detect it, but F-Prot, McAfee and CLAM-AV all did. Here are the results from VirusTotal.com : Results of a file scan This is a report processed by VirusTotal on 04/06/2006 at 19:19:19 (CET) after scanning the file postcard.gif.exe file. Antivirus Version Update Result AntiVir 6.34.0.24 04.06.2006 TR/Zapchas.F Avast 4.6.695.0 04.03.2006 Win32:Parite AVG 386 04.06.2006 IRC/BackDoor.Flood Avira 6.34.0.56 04.06.2006 TR/Zapchas.F BitDefender 7.2 04.06.2006 Backdoor.IRC.Zapchast.AY CAT-QuickHeal 8.00 04.06.2006 no virus found ClamAV devel-20060202 04.06.2006 W32.Parite.B DrWeb 4.33 04.06.2006 no virus found eTrust-InoculateIT 23.71.121 04.06.2006 no virus found eTrust-Vet 12.4.2151 04.06.2006 no virus found Ewido 3.5 04.06.2006 no virus found Fortinet 2.71.0.0 04.06.2006 BAT/Zapchast.S-tr F-Prot 3.16c 04.06.2006 security risk or a backdoor program Ikarus 0.2.59.0 04.06.2006 no virus found Kaspersky 4.0.2.24 04.06.2006 Backdoor.IRC.Zapchast McAfee 4734 04.05.2006 IRC/Flood.ev NOD32v2 1.1474 04.05.2006 IRC/Zapchast.L Norman 5.90.15 04.06.2006 Smalldrp.IYU Panda 9.0.0.4 04.05.2006 no virus found Sophos 4.04.0 04.06.2006 W32/Parite-B Symantec 8.0 04.06.2006 Trojan.Dropper TheHacker 5.9.7.125 04.05.2006 no virus found UNA 1.83 04.05.2006 no virus found VBA32 3.10.5 04.06.2006 Backdoor.IRC.Zapchast Andrew 8) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Richard Farris Sent: Thursday, April 06, 2006 10:20 AM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Virus? Which virus scanner do you use? Richard Farris Ethixs Online 1.270.247. Office 1.800.548.3877 Tech Support Crossroads to a Cleaner Internet - Original Message - From: Goran Jovanovic To: Declude.JunkMail@declude.com Sent: Thursday, April 06, 2006 10:47 AM Subject: RE: [Declude.JunkMail] Virus? I had to manually release your message from the virus queue because it got tagged as Virus: Html.Phishing.Card.Sanesecurity.06022100 Goran Jovanovic Omega Network Solutions From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Richard Farris Sent: Thursday, April 06, 2006 9:04 AM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] Virus? I just received about 10 of these at 7:30 this morning...any ideas what is going on.. Richard Farris Ethixs Online 1.270.247. Office
RE: [Declude.JunkMail] Hijack Notification
Thank you for the input. I'll give it a try this week. John -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Craig Edmonds Sent: Sunday, April 02, 2006 7:42 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Hijack Notification Importance: High Hi John, Not sure if this is any help but I found a basic way to handle this as I had problems with clients ringing up saying I sent out some mails and they have not gone...etc etc etc, and of course when I check the hold2 directory there are 500 emails in there. What I do is have a basic setup that checks for me every 30 minutes if there are some .smd files in the C:\IMAIL\spool\spam\hold2 folder and if it finds any, it emails me a simple email telling me how many *smd files there are which then goes to my blackberry letting me know. I am pretty sure there is an easier way but this is my 10 minute solution and it works for me. 1) I installed the following object on the mail server http://www.xs4all.nl/~jarit/asp/filefunc/download.html 2) made a .vbs file called check4files.vbs and put it in the C:\IMAIL\spool\spam\hold2 dir. The code in the .vbs file is like this.. === filepath=C:\IMAIL\spool\spam\hold2\*.smd emailfrom=[EMAIL PROTECTED] emailto=[EMAIL PROTECTED] Set FFunc = CreateObject(FileFunctions.files) if FFunc.Exists(filepath) then FFunc.GetFileList(filepath) Set objMessage = CreateObject(CDO.Message) objMessage.Subject = (Alert) FFunc.Count Messages in The Hold Queue objMessage.From = emailfrom objMessage.To = emailto strBody = strBody There are currently FFunc.Count files in the Hold Queue vbCRLF strBody = strBodyvbCRLF strBody = strBody Date:FormatDateTime(Date, 1) - FormatDateTime(Now, 4) objMessage.TextBody = strBody objMessage.Send end if 3) Then I set up a scheduled task in the windows schduled tasks to run the file every 30 minutes. I hope that helps you. Kindest Regards Craig Edmonds 123 Marbella Internet W: www.123marbella.com E : [EMAIL PROTECTED] = -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Doyle Sent: Wednesday, March 29, 2006 9:25 PM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] Hijack Notification Does anyone have a utility to email a notification when hijack holds an ip address permanently? Thanks in advance John --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. [ This E-mail has been scanned for Spam and Viruses by Declude ] [ Thank You For Using 123 Marbella Internet ] [ This E-mail has been scanned for Spam and Viruses by Declude ] [ Thank You For Using 123 Marbella Internet ] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Hijack Notification
this guy suggested this. I'm not sure exactly how. looks like if a count is some value send the mail. john -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Nick Hayer Sent: Sunday, April 02, 2006 7:59 AM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Hijack Notification Hi Craig, Although you may already do this figured I mention it anyway - this technique works well to monitor spool traffic eg when a threshold is reached I get an email - so for example in your code below IF FFunc.Count 100 [altered path for the spool dir] send me an email... -Nick Craig Edmonds wrote: Hi John, Not sure if this is any help but I found a basic way to handle this as I had problems with clients ringing up saying I sent out some mails and they have not gone...etc etc etc, and of course when I check the hold2 directory there are 500 emails in there. What I do is have a basic setup that checks for me every 30 minutes if there are some .smd files in the C:\IMAIL\spool\spam\hold2 folder and if it finds any, it emails me a simple email telling me how many *smd files there are which then goes to my blackberry letting me know. I am pretty sure there is an easier way but this is my 10 minute solution and it works for me. 1) I installed the following object on the mail server http://www.xs4all.nl/~jarit/asp/filefunc/download.html 2) made a .vbs file called check4files.vbs and put it in the C:\IMAIL\spool\spam\hold2 dir. The code in the .vbs file is like this.. === filepath=C:\IMAIL\spool\spam\hold2\*.smd emailfrom=[EMAIL PROTECTED] emailto=[EMAIL PROTECTED] Set FFunc = CreateObject(FileFunctions.files) if FFunc.Exists(filepath) then FFunc.GetFileList(filepath) Set objMessage = CreateObject(CDO.Message) objMessage.Subject = (Alert) FFunc.Count Messages in The Hold Queue objMessage.From = emailfrom objMessage.To = emailto strBody = strBody There are currently FFunc.Count files in the Hold Queue vbCRLF strBody = strBodyvbCRLF strBody = strBody Date:FormatDateTime(Date, 1) - FormatDateTime(Now, 4) objMessage.TextBody = strBody objMessage.Send end if 3) Then I set up a scheduled task in the windows schduled tasks to run the file every 30 minutes. I hope that helps you. Kindest Regards Craig Edmonds 123 Marbella Internet W: www.123marbella.com E : [EMAIL PROTECTED] = -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Doyle Sent: Wednesday, March 29, 2006 9:25 PM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] Hijack Notification Does anyone have a utility to email a notification when hijack holds an ip address permanently? Thanks in advance John --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. [ This E-mail has been scanned for Spam and Viruses by Declude ] [ Thank You For Using 123 Marbella Internet ] [ This E-mail has been scanned for Spam and Viruses by Declude ] [ Thank You For Using 123 Marbella Internet ] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Hijack Notification
I think I understand, Im not a programmer and its semi Greek to me. I like the idea of getting notified if the spool file begins to fill up, I check it now and then and if would be nice To simply be notified if it begins to back up for whatever reason. John . From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick Hayer Sent: Monday, April 03, 2006 11:03 AM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Hijack Notification Hi John, John Doyle wrote: this guy suggested this.I'm not sure exactly how. looks like if a count is some value send themail. I was just suggesting that the number of files in the spool dir exceed some number [100?] then send an email. I got the idea from the hijack vbs code [Thanks!] on the declude website which I kludged to work to notify for the spool overflows.. -Nick # spool_mon.vbs fSpool = e:\imaillogs\spool aMail = e:\imail\imail1.exe mFrom = -u '[EMAIL PROTECTED]' mTo1 = -t '[EMAIL PROTECTED],[EMAIL PROTECTED]' if GetFileCount(fSpool) 100 then MailNotice Spool, GetFileCount(fSpool), mTo1 end if Function GetFileCount(folderspec) Dim fso, f, f1, fc Set fso = CreateObject(Scripting.FileSystemObject) Set f = fso.GetFolder(folderspec) Set fc = f.Files GetFileCount = fc.count End Function Function MailNotice(fname, fcount, mTo) Dim mCmd, mSubj, WshShell set WshShell = WScript.CreateObject(WScript.Shell) mSubj = -s 'Mail held in fname : fcount ' mCmd = aMail mFrom mTo mSubj -f placeholder.txt Return = WshShell.Run(mCmd , 1, TRUE) End Function -Original Message-From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED]]On Behalf Of Nick HayerSent: Sunday, April 02, 2006 7:59 AMTo: Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail] Hijack NotificationHi Craig,Although you may already do this figured I mention it anyway - thistechnique works well to monitor spool traffic eg when a threshold isreached I get an email - so for example in your code below IFFFunc.Count 100 [altered path for the spool dir] send me an email...-NickCraig Edmonds wrote: Hi John,Not sure if this is any help but I found a basic way to handle this as I had problems with clients ringing up saying I sent out some mails and they have not gone...etc etc etc, and of course when I check the hold2 directorythere are 500 emails in there.What I do is have a basic setup that checks for me every 30 minutes if there are some .smd files in the C:\IMAIL\spool\spam\hold2 folder and if it findsany, it emails me a simple email telling me how many *smd files there arewhich then goes to my blackberry letting me know.I am pretty sure there is an easier way but this is my 10 minute solutionand it works for me.1) I installed the following object on the mail serverhttp://www.xs4all.nl/~jarit/asp/filefunc/download.html2) made a .vbs file called check4files.vbs and put it in theC:\IMAIL\spool\spam\hold2 dir.The code in the .vbs file is like this..===filepath=C:\IMAIL\spool\spam\hold2\*.smdemailfrom=[EMAIL PROTECTED]emailto=[EMAIL PROTECTED]Set FFunc = CreateObject(FileFunctions.files)if FFunc.Exists(filepath) thenFFunc.GetFileList(filepath) Set objMessage = CreateObject(CDO.Message) objMessage.Subject = (Alert) FFunc.Count Messages in The HoldQueue objMessage.From = emailfrom objMessage.To = emailto strBody = strBody There are currently FFunc.Count files in the Hold Queue vbCRLF strBody = strBodyvbCRLF strBody = strBody Date: FormatDateTime(Date, 1) - FormatDateTime(Now, 4) objMessage.TextBody = strBody objMessage.Sendend if3) Then I set up a scheduled task in the windows schduled tasks to run thefile every 30 minutes.I hope that helps you.Kindest RegardsCraig Edmonds123 Marbella InternetW: www.123marbella.comE : [EMAIL PROTECTED]=-Original Message-From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED]] On Behalf Of John DoyleSent: Wednesday, March 29, 2006 9:25 PMTo: Declude.JunkMail@declude.comSubject: [Declude.JunkMail] Hijack NotificationDoes anyone have a utility to email a notification when hijack holds an ipaddress permanently?Thanks in advanceJohn---This E-mail came from the Declude.JunkMail mailing list. To unsubscribe,just send an E-mail to [EMAIL PROTECTED], and type unsubscribeDeclude.JunkMail. The archives can be found athttp://www.mail-archive.com.[ This E-mail has been scanned for Spam and Viruses by Declude ] [ Thank You For Using 123 Marbella Internet ][ This E-mail has been scanned for Spam and Viruses by Declude ][ Thank You For Using 123 Marbella Internet ]---This E-mail came from the Declude.JunkMail mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype unsubscribe Declude.JunkMail. The archives can be foundat http://www.mail-archive.com. ---This E-mail came from the Declude.JunkMail mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED
[Declude.JunkMail] Hijack Notification
Does anyone have a utility to email a notification when hijack holds an ip address permanently? Thanks in advance John --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] [OT] Drop Connection On First Invalid User
I have a vague recollection of this being first available on 8.20. A search of the ipswitch imail forum might produce an accurate version number. John -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Craig Edmonds Sent: Monday, March 27, 2006 8:16 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] [OT] Drop Connection On First Invalid User Importance: High Does anyone know if this actually works on IMAIL 8.11? I notice Greg said it didn't work for him but I was just wondering. Kindest Regards Craig Edmonds 123 Marbella Internet W: www.123marbella.com E : [EMAIL PROTECTED] Marbella Guide Web Portal W: www.marbellaguide.com E: [EMAIL PROTECTED] = -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of JR Tatum Sent: Monday, March 27, 2006 5:46 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] [OT] Drop Connection On First Invalid User Marc, You have to add the DWORD key (MaxInvalidRCPTsPerSession) to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMTPD32\Parameters We use a value of 2. JR -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marc Catuogno Sent: Monday, March 27, 2006 10:36 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] [OT] Drop Connection On First Invalid User I don't have the key referred to in the KB article. I even did a search through my reg for MaxInvalid in case I was looking in the wrong place and got nothing. I am running 8.22 with Declude. Does the addition of Declude make a difference? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Greg Evanitsky Sent: Monday, March 27, 2006 9:00 AM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] [OT] Drop Connection On First Invalid User On Mar 26, 2006, at 2:22 PM, Goran Jovanovic wrote: How are you going to drop the SMTP connection on the first or second invalid recipient? In Imail. http://support.ipswitch.com/kb/IM-20050831-DM01.htm BTW, the support page says it works in 8.1+ but didn't for me. Upgraded to 8.22, works perfectly. Thanks, Greg Evanitsky ACS, Inc. (717) 248-2720 ext. 5113 --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail scanned for viruses by Declude Virus] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. [ This E-mail has been scanned for Spam and Viruses by Declude ] [ Thank You For Using 123 Marbella Internet ] [ This E-mail has been scanned for Spam and Viruses by Declude ] [ Thank You For Using 123 Marbella Internet ] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Version 4
Good afternoon. I just resolved an issue with the upgrade from V3 to V4, and thought I'd pass it along. Our mail server is behind a pretty locked down firewall. When upgrading from V2 to V3 we had an issue with the new version firing up and then stopping. It was resolved when we allowed access through port 53 to a declude server. This apparently is for the initial authorization of the software. I think this is a one time event. Upgrading from V3 to V4 we had the same problem. It was resolved with a phone call and the discovery that that the initial authorization had been moved from port 53 to port 25. After making that change to the firewall V4 runs fine. So if upgrading from V2 to V3 behind a firewall check the firewall logs and if blocked allow it access to declude via port 53, and port 25 for version 4 . I allowed both tcp and udp in and out, but only to the single specific ip address. John --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Upgrading to Version 3 and then 4....
Me too. I saw on the lists the topic, and got a email from Declude. I called, got informed, felt well treated and went with the program. Upgraded to V 4. It's nice to be able to talk to real people who listen and are responsive. John -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Wolf TombeSent: Monday, February 27, 2006 4:37 AMTo: Declude.JunkMail@declude.comSubject: [Declude.JunkMail] Upgrading to Version 3 and then 4 As the owner of a small web/email hosting business I own both JunkMail Lite and Virus Lite. Due to a very slow year I had let my SA for both products expire! Given these circumstances, Ive been reading with great interest the various threads regarding Decludes plan for moving from Version 3 to Version 4 and potentially changing the SA model to a subscription model for new customers. There has been much speculation as to how this might affect current Declude customers. Needless to say, any unduly large and unanticipated expense could be very hard for me to handle right now. So, last Friday I decided to take the bull by the horns and sent a message to Declude enquiring what the move from v3 to v4 meant to me in actual dollars and cents (both today and in terms of future year funding). I was happily surprised when Barry called me later that afternoon to discuss the situation. Ive got to say that Barry not only relived me of any fears I had but also reinforced why I like using Declude products! Not only did Declude offer me a VERY fair price for renewing my service agreement but they also offered an excellent deal allowing me to move to version 4 while still maintaining my Service Agreement mode of licensing going forward! Bottom line, I now have upgraded my software to the pro versions of both JunkMail and Virus and added Hijack to my Mail Server (something I have wanted to do for a very long time). I have also renewed my SA and very much look forward to continuing a long business relationship with Declude. In my opinion, the way Declude has handled this change clearly demonstrates to me that Declude is a company that very much respects and values its customer base. And, that I something I feel is worthy of my loyalty as a customer. I wanted to post this for anyone else reading these lists that may still be concerned about what Decludes moving from an SA to Subscription licensing might mean for them as a current customer. My advice, CALL Declude today and ask them for information about your specific situation. My bet is that you will be VERY pleased with the outcome. I certainly was! Wolf Tombe CyberWolves Internet e-Mail hosting
RE: [Declude.JunkMail] decludeproc causing dns queries to fail
Will I had the same problem a month or so ago. My issue turned out to be my firewall was preventing the mail server from going out. I have my DNS servers behind the firewall also. When this happens declude seems to hang on to some memory and it slowly consumes resourses. I allowed the mail server to get out and the problem went away. Check your firewall logs foryour mailservers ip address and see if you're getting blocked. I tried the winsockcleanup and that did not solve the problem. This problem came up with the upgrade to declude 3.X, the mail server and firewall have been running with the same settings for years with no problems. Sadly my logs were deleted before I realized this had solved my problem and I did not get the port blocked nor the destination ip address. John -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of WillSent: Tuesday, January 17, 2006 6:22 AMTo: Declude.JunkMail@declude.comSubject: [Declude.JunkMail] decludeproc causing dns queries to fail For the second time in a month I have come to work to find over 500,000 messages in my proc folder. The cause is decludes inability to perform dns queries, thus mail backlogs. The reason declude cannot perform DNS queries is that no outgoing traffic is being permitted on port 53. The reason no outgoing traffic is being permitted on port 53 is that decludeproc has consumed the resources allocated to my network interface. The fix for this is relatively simple. I stop the decludeproc service and restart it and all is well. After the first occurrence, it was suggested that I enable winsockcleanup documented as the following at declude.com: WINSOCKCLEANUP ONLocated in Declude.cfg. Some customers had issues related to their network stack causing loss of functionality for basic network operations. The default for this directive is OFF Now Ive been fooled twice, so I guess shame on me. Does anyone have a suggestion that would help resolve this? In the meantime I will be writing a script to monitor the number of message in the proc folder and if it reaches a certain threshold, will restart the decludeproc service. I really dont care for workarounds such as this, but Ive gained a bad image over these two occurrences and I cannot allow it to happen again. Declude.cfg: THREADS 100 WAITFORMAIL 5000 WINSOCKCLEANUP ON
RE: [Declude.JunkMail] License Downgraded [was All I wan't for Christmas is not to be paged!)
Darrell I had a similar problem a few months ago. I found our firewall was not allowing our mail server to query (I think) a declude site. For us it resulted in a memory leak as well as periodic declude failure for spam. It would take anywhere from 4 to 18 hours to fail. It was fixed once I allowed the outgoing query throught the firewall. John -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Darrell ([EMAIL PROTECTED]) Sent: Monday, December 26, 2005 8:30 AM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] License Downgraded [was All I wan't for Christmas is not to be paged!) The one thing I want to be careful on is us speculating - we have no idea what happened and I am sure there is a good explanation behind what happened. I can only hope so as I leaked a TON of spam this weekend that I will have to explain why to my customers etc. Just keep an eye on your upgraded 3.0.5.22 - as I only got about 24 hours before mine went south again. Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. - Original Message - From: Don Brown [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Monday, December 26, 2005 11:18 AM Subject: Re: [Declude.JunkMail] License Downgraded [was All I wan't for Christmas is not to be paged!) There was no human intervention here. Perhaps there was on the Declude side of the equation. I have never liked the 'ET call home' method of license validation. It is a security risk on its face - nothing personal to Declude and it is something else that can break. A new license key upon each renewal would be better IMHO. Monday, December 26, 2005, 10:05:20 AM, Andy Schmidt [EMAIL PROTECTED] wrote: AS Hi Darrell: AS I had been assured by the highest authority that it would require HUMAN AS intervention if there was ever going to be a licensing mismatch detected, AS before the remote deactivation of a license. AS We will need to watch for their explanation to see whether that policy has AS now changed for the worse -- with the very obvious result everyone had been AS fearful of (that any automatic process WILL fail at SOME point.) AS I cannot afford to run mission critical applications 24x365, if I have to AS blindly rely on the availability of third party resources that I know AS nothing about. AS Best Regards AS Andy Schmidt AS Phone: +1 201 934-3414 x20 (Business) AS Fax:+1 201 934-9206 AS -Original Message- AS From: [EMAIL PROTECTED] AS [mailto:[EMAIL PROTECTED] On Behalf Of Darrell AS ([EMAIL PROTECTED]) AS Sent: Monday, December 26, 2005 10:49 AM AS To: Declude.JunkMail@declude.com AS Subject: Re: [Declude.JunkMail] License Downgraded [was All I wan't for AS Christmas is not to be paged!) AS I sent an email back into support last night as I started having slow AS processing again. I have reverted back to 2.0.6 and all is running well. From what I can tell (AND I COULD BE WRONG) it appears that the licensing AS process is broke at the Declude end. I *think* one of the name servers they AS run (ns.decludekey.us ) for a domain cphzkey.com is/was down over the AS weekend. I am still waiting for support to respond. AS I am not going to go into speculation about the licensing process, because I AS don't want to feed any bad info because I have no idea how it works. AS However, from what I troubleshoot on my system coupled with reviewing a AS user.dmp/dr. watson from the decludeproc during the issue I feel comfortable AS in saying my problems that I seen on my system over the weekend are caused AS by a failure to validate its license. AS Darrell AS AS Check out http://www.invariantsystems.com for utilities for Declude And AS Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG AS Integration, and Log Parsers. AS - Original Message - AS From: Dave Doherty [EMAIL PROTECTED] AS To: Declude.JunkMail@declude.com AS Sent: Monday, December 26, 2005 10:27 AM AS Subject: Re: [Declude.JunkMail] License Downgraded [was All I wan't for AS Christmas is not to be paged!) FWIW, We are not seeing this problem. -d - Original Message - From: Don Brown [EMAIL PROTECTED] To: Declude.JunkMail@declude.com; [EMAIL PROTECTED] Sent: Monday, December 26, 2005 10:10 AM Subject: Re: [Declude.JunkMail] License Downgraded [was All I wan't for Christmas is not to be paged!) Our install of Junkmail Pro is also running as standard. We've rebooted several times and can't get it to restore to Pro. Saturday, December 24, 2005, 10:36:37 PM, Darrell ([EMAIL PROTECTED]) [EMAIL PROTECTED] wrote: Dsic So here it is the night
RE: [Declude.JunkMail] SPF PASS/FAIL test format
I have quick question re. 3.0 version of Declude. I installed both the .20 and the .21 version on a windows 2003 enterprise server with Imail 8.15 hf2 and discovered a memory leak. I've not heard back from Declude as to a fix. I'd like to go to 8.22 to address a few issues but am worried about 3.0.5.21 having the memory leak. I can only run about 2 to 4 hours before we seem to lose the ability to access dns. and run low on memory. Does 8.22 require 3.0 or can I run my 2.x version? Does anyone have any experiance with this and would share any thoughts. thanks John -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Scott FisherSent: Thursday, December 08, 2005 10:55 AMTo: Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail] SPF PASS/FAIL test format Also make sure you have at least version 3.0.5.20 Previous 3.0.5. versions had an error with SPF Original Message - From: IS - Systems Eng. (Karl Drugge) To: declude.junkmail@declude.com Sent: Thursday, December 08, 2005 12:08 PM Subject: [Declude.JunkMail] SPF PASS/FAIL test format Quick question on the global.cfg file I upgraded to 3.0.5 yesterday. Working great so far. I want to add the SPFPASS and SPFFAIL tests.. what is the format ? I want to subtract 7 points for a pass, and add 7 points for a fail ( if theyre too stupid to have an SPF by now ) I have this, but it is obviously wrong SPFFAIL spffail x x 7 0 SPFPASS spfpass x x -7 0 Karl Drugge B.S.I.T., A.S., M.C.S.E. ( NT 4.0 + 2000 ), C.C.N.A., C.C.D.A., Network+, A+ I dream of the day when I will learn to stop asking questions to which I will regret learning the answers ( Roy Greenhilt, Order of the Stick ) PLEASE NOTE : Florida has a very broad public records law. Most written communications to or from City officials regarding City business are public records available to the public and media upon request. Your E-mail communications may be subject to public disclosure.
RE: [Declude.JunkMail] OT - At wits end
Dave I've tried this, and when I point imail to 127.0.0.1 the spam log shows that I'm not able to connect to the external spam databases. As soon as I point imail back to our dns server, the spam filter begins to work again. I've got our two DNS servers, and one other all set up in the tcp properties on the imail box. Any thoughts? John -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dave Doherty Sent: Tuesday, November 29, 2005 11:03 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] OT - At wits end Hi, Orin- A couple of suggestions First, look at your HOSTS file in c:\winnt\system32\drivers\etc to see if 64.62.134.10 is listed there. Delete the entry if you find it there. Next, add DNS service to your IMail server. Set the DNS servers in Network Properties to known-good upstream DNS resolvers. Set the DNS address in IMail to 127.0.0.1. This has the effect of providing mulitple DNS servers to IMail. -d - Original Message - From: Orin Wells [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Wednesday, November 30, 2005 1:35 AM Subject: [Declude.JunkMail] OT - At wits end We have a bit of a puzzler with one our clients in trying to communicate with another domain. What happens is they get 20 attempts failure to deliver. What is REALLY happening is that the DNS servers that service our environment do not see the target domain for some unknown reason and thus iMail is unable to resolve the domain to an ip address for delivery. And since our imail server is pointing to one of these DNS servers as our primary server I have been unable to find a way around the problem. It seems to have started on or about November 9th when the firewall at the target site received the last message from our server. We think something changed but no one will admit to anything changing. The sending environment is running under iMail 7.07 and is cado-oregon.org (IP 64.85.18.53). There are two dns servers providing our DNS: ns1.dnswizards.com and ns1.dnswizards.com (IP 64.85.13.6 and 64.85.14.6). The first is what iMail has as the designated DNS server. No domain on our server can send email to the domain ucancap.org (ip 64.62.134.10) - this actually ends up going to a domain called altrue.he.net which apparently hosts their website. This is odd, but they are happy with it and it is not the problem. Their mail is hosted on their own exchange server and the mx record at the destination hosting company shows it going to mail.ucancap.org (IP 216.110.199.124). The remote hosting DNS server is ns1.douglasfast.net (IP 216.110.195.3) I thought out of desperation that if I added an outside DNS server to the list used by our mail server that iMail would trip down to it and find the target. I first tried a qwest.net DNS server and I thought it was going to work until I got back a message saying the destination email address was not valid (no relaying). I thought that odd so I replaced the server with the douglasfast.net dns server. I was right back to where I started wondering why anything different happened when the Qwest sever was in place because it appears iMail only knows about a single DNS server. The one entered in iMail itself. I am not about to make the douglasfast.net server our primary dns server to solve this for a single client. Now it appears our DNS servers see every known domain in the world except any behind this service (douglasfast.net - which is an electric company offering network services in Roseburg, OR). And apparently every DNS server in the world can see their domains except ours. The two ISPs are apparently not eager to talk to each other to help resolve the problem so we have the usual the problem has to be on their end finger pointing. And I don't have the experience to try to figure out why the DNS servers at our server farm can not talk to the DNS servers at the destination site or even to spot the real problem. It does not appear to be an issue of IP blocking as such because I can telnet into the destination mail server from within our server (behind the 64.85... ) using their ip address. Both ends have verified that there is no IP blocking going on at fire walls, routers or in the Exchange server - or they have claimed to have checked this. I can also see their domain from my workstation that is connected to qwest.net. Why do the qwest DNS servers work OK and the DNSWizards do not? The folks at our server farm have tried a variety of tests, cache flushes and re-acquisitions along with a lot of other things and have not figured out what is going on nor made any headway. If you use dnsstuff.com on the douglasfast.net DNS servers the results are sometimes odd. There are some FAIL issues indicating there are some timing problems on the server (using DNSReport.com). Checking for the MX records seems to correctly identify the mail server (DNS
[Declude.JunkMail] FW: Memory leak
Hi all I'm suffering with a connectivity issue. After about 4 to 6 hours I lose the ability to query spam databases. If I restart decludeproc I can again connect to the databases. I also have a slow memory creep. It will slowly climb and I don't know if this is the cause of the loss of connectivity or not. I've added winsockcleanup on to my declude.cfg file, but still have the memmory creep. This problem started after upgrading declude from 2.x to 3.0.5.20 Any thoughts. Imail 8.15 hf2 windows server 2003 declude 3.0.5.20 Thanks John --- [This E-mail scanned for viruses by Declude Virus] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
