RE: [Declude.JunkMail] Declude Processes & Server Load
I see the same (with a very small domain and very light usage). The mail server is nowhere near the strongest, but is sometmies stressed with 1.70 (and was the same with 1.69b) but not 1.65. > -Original Message- > From: Frederick > I have noticed that using the v1.65 I never see Declude use more the 45% > CPU. > > Using 1.70 Beta I see Declude Max the CPU's 100% --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] imail spam....
some addressed changed to protect the innnocent some addressed changed to protect the innnocent Received: : from newman.ipswitch.com [156.21.1.4] by domain.com with ESMTP (SMTPD32-7.15) id AF85B3800F8; Thu, 29 May 2003 13:12:37 -0400 Received: from CAMPAIGN [156.21.1.4] by newman.ipswitch.com (SMTPD32-8.00) id AED75303016C; Thu, 29 May 2003 13:09:43 -0400 From: "Ipswitch, Inc." <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Subject: IMail Server Training Date: THU, 29 MAY 2003 13:09:43 -0400 Reply-To: [EMAIL PROTECTED] Content-Type: text/plain; charset="ISO-8859-1" Message-Id: <[EMAIL PROTECTED]> X-RBL-Warning: SPAMCOP: Blocked - see http://spamcop.net/bl.shtml?156.21.1.4 X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam [420e]. X-Declude-Sender: [EMAIL PROTECTED] [156.21.1.4] X-Declude-Spoolname: D3f850b3800f81a4f.SMD X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam. X-Declude: Version 1.69i18; D3f850b3800f81a4f.SMD X-Declude: Failed SPAMCOP, SPAMHEADERS, NOLEGITCONTENT, WEIGHTSCAN [15] X-Note: This E-mail was sent from cs.ipswitch.com ([156.21.1.4]). X-Countries: UNITED STATES->destination Return-Path: <[EMAIL PROTECTED]> X-Note: - Total spam weight of this E-mail is 15. X-Spam-Prob: 0.925289 --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] whitelist and mult rcpt
> From: R. Scott Perry > Perhaps the reason spam is so widespread now is because people aren't > bothering to listen to the abuse complaints. :) True. Oddly, we get ZERO emails sent to abuse (other than a flurry of virus attempts a while back). But, postmaster has become one of the most popular email accounts here, along with two business email lists (for sales, etc) that have been grabbed off a company web page (since no-one here can send from those group addresses). Karen --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] whitelist and mult rcpt
YES. This would solve the problem we are having (although not perhaps everyone's problems ). None of these messsages were only to the postmaster. They all came either with two names in the TO line or with a CC that included the postmaster. Karen > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] Behalf Of Madscientist > Sent: Thursday, May 29, 2003 8:49 AM > To: [EMAIL PROTECTED] > Subject: RE: [Declude.JunkMail] whitelist and mult rcpt > > > In the interim, a less complex method might be to have a setting which > will ignore a white list entry for an address if more than one recipient > is specified. This might take the form of a special kind of whitelist > entry. Most valid messages to postmaster, for example, only have > postmaster as the recipient. I know this would be less complicated than > splitting up the messages. > > I wonder if there is a clean way to intercept message retreival or final > delivery (better) with a program like a "second pass" of Declude or > another utility like Message Sniffer. I'm not close enough to the guts > of IMail to know if this is practical, but it might significantly > simplify this problem. > > Any ideas Scott? > > _M > > ]-Original Message- > ]From: [EMAIL PROTECTED] > ][mailto:[EMAIL PROTECTED] Behalf Of Karen Oland > ]Sent: Thursday, May 29, 2003 12:57 AM > ]To: [EMAIL PROTECTED] > ]Subject: [Declude.JunkMail] whitelist and mult rcpt > ] > ] > ]We've been getting a lot of spam in the last week or so that > ]bypasses all > ]our spam filters -- they are all copied to the postmaster@ > ]account for our > ]domain. Apparently, they are taking advantage of the common > ]practice of > ]whitelisting the postmaster and the inability of spam > ]filtering programs to > ]separate actions on messages sent to multiple users. No > ]doubt, it won't be > ]long before most messages do the same, rendering both your postmaster > ]account and spam filters useless. > ] > ]I know it has been asked for before and said to be > ]"impossible" (programmer > ]speak, for don't want to do it -- I know, being one), but > ]PLEASE consider > ]creating multiple copies of messages that arrive for multiple > ]recipients, so > ]that the spam filters can operate (yes, this means some > ]complications, but a > ]little trickery could reduce problems -- for example, only > ]making a copy for > ]the recipient(s) that are whitelisted). > ] > ]--- > ][This E-mail was scanned for viruses by Declude Virus > (http://www.declude.com)] > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. > > --- > [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] whitelist and mult rcpt
True, but these all come to TWO people: one real address and copy to the postmaster. Aproximately 1/2 of all message skipping our filters has done this lately. We've taken postmaster off the whitelist for now. Karen > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] Behalf Of John Tolmachoff > (Lists) > Sent: Thursday, May 29, 2003 3:41 AM > To: [EMAIL PROTECTED] > Subject: RE: [Declude.JunkMail] whitelist and mult rcpt > > > > I know it has been asked for before and said to be "impossible" > (programmer > > speak, for don't want to do it -- I know, being one), but > PLEASE consider > > creating multiple copies of messages that arrive for multiple > recipients, > so > > that the spam filters can operate (yes, this means some > complications, but > a > > little trickery could reduce problems -- for example, only making a copy > for > > the recipient(s) that are whitelisted). > > Some one will surely correct me, but it seems that there is an option some > where in Imail V 8.0 to configure the amount of recipients per message on > incoming. Any one know if this is right or wrong? I will look > into it myself > later. > > John Tolmachoff MCSE CSSA > Engineer/Consultant > eServices For You > www.eservicesforyou.com > > > --- > [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] whitelist and mult rcpt
We've been getting a lot of spam in the last week or so that bypasses all our spam filters -- they are all copied to the postmaster@ account for our domain. Apparently, they are taking advantage of the common practice of whitelisting the postmaster and the inability of spam filtering programs to separate actions on messages sent to multiple users. No doubt, it won't be long before most messages do the same, rendering both your postmaster account and spam filters useless. I know it has been asked for before and said to be "impossible" (programmer speak, for don't want to do it -- I know, being one), but PLEASE consider creating multiple copies of messages that arrive for multiple recipients, so that the spam filters can operate (yes, this means some complications, but a little trickery could reduce problems -- for example, only making a copy for the recipient(s) that are whitelisted). --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: Re[2]: DSN:Re: Re[2]: [Declude.JunkMail] A Question of Ethics
> In a corporate setting a company may or may not have an > Internet/email/conduct policy. If not, it may be very dificult to fire > someone for conduct that they didn't agree to abide by and if it came to > a lawsuit they would probably loose. In fact, in TN, a long-haul trucker won a worker's comp lawsuit against his employer for injuries suffered while having sex in his cab, driving down the road and he was hit by a train (the female "passenger", having no seat belt and not being seated in a passenger seat anyway, was thrown from the truck and killed). The first court ruled against the trucker (holding the belief that such behavior was outside the bounds of reasonable on-the-job behavior and as such, not a compensible accident). Higher courts ruled for the trucker - there was no written policy prohibiting such behavior and this person was used to doing this on a routine basis while performing his job (doesn't this make you feel safe, driving the freeway when it is full of trucks?). So, yes, without a written policy prohibiting certain behavior, you will probably lose in a suit. However, in any case, using porn email as "proof" of violating a written policy would probably also result in losing such a suit -- all it would take is having one person on a jury that has an email account of their own -- eventually, everyone gets porn email, it seems, and once on the list, the amount seems to keep adding up (we even get it on email accounts that were set up as a mailing list for internal distribution, that have never sent any emails out to the world). And much porn email can look as though it was asked for, substituting first names (gathered using many techniques) into long messages, using subject lines that look as tho you asked for the information (lures to get the email opened), etc. A better use of Declude would be to offer porn filtering (delete on detection) and spam forwarding (for retrieval of misclassified messages when necessary). Better proof would be simply browsing someones workstation and web surfing history (few delete such things and one of the worst cases I ever worked on was an attorney several years back that had installed compression onto his drives in order to make room for all the pornographic games, pictures, movies that had been downloaded and stored all over his official company computer). K. Oland --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] EXE files, again!
Unfortunately, failure to run AV programs at the client side (as well as at the mail server) has crippled the legitimate sending of .EXE files through email (which we commonly used to do -- our users are unsophisticated and have trouble extracting updates out of their email if zipped first). We violate absolutely zero licenses in our distributions (licensed zip program for creating self-extracting emails). Instead, we have to resort to posting the exe, sending out an email, then walking the user through the download and execution on the phone (sure, we had to talk to them before, but AFTER they downloaded the EXE across their crappy dial-up connection). Trying to explain ZIP files -- forget it, you have to walk them through finding a freeware ZIP program, installing it, possibly rebooting, then unzipping the download and extracting it -- this is why we started using EXE files long ago. I guess the next step in the progress of email is we'll go back to mailing out diskettes (which had the benefit of not having to explain that the EXE and the unzipped files did not BOTH fit on a diskette). Set up an area that your "old lady" customer can upload her cute EXE files (or document how to use one of the free sites) and set up clear documentation that any 50 year old can follow (not that a kid can follow) on how to link the file in an email. Explain the benefit of not worrying if the receiver's mailbox is full or having to wait when sending the cute file to all her friends for it to be uploaded once per receiver. K Oland > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED]]On Behalf Of Sheldon Koehler > Sent: Wednesday, January 08, 2003 11:44 AM > To: [EMAIL PROTECTED] > Subject: Re: [Declude.JunkMail] EXE files, again! > > > > >Anyone have good links? > > > > >From http://www.sophos.com/virusinfo/whitepapers/prevention.html > > >From http://www.sophos.com/virusinfo/articles/safehex.html > > > Thanks Bill. I plan on making another web page to go along with this one: > http://www.tenforward.com/support/viruspage.php > > > Sheldon > > > Sheldon Koehler, Owner/Partnerhttp://www.tenforward.com > Ten Forward Communications 360-457-9023 > Nationwide access, neighborhood support! > > "Whenever you find yourself on the side of the majority, it's time > to pause and reflect." Mark Twain > > > --- > [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Filter Help
Also, filters only work with the Pro version of Declude, I believe. > -Original Message- > From: R. Scott Perry > > >... that I could do a filter to block all messages using that opt-in > >statement by: > >1. putting "While visiting a partner website, you opted-in to receive > >special online offers." in a text file called optin.txt > > It would need to be set up as a filter, using a line such as "BODY 10 > CONTAINS While visiting a partner website, you opted-in to > receive special > online offers.", rather than just the text by itself. > --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Filter Help
ARRGGHHH spaces after the 6!!! and the same on all but one of the rules. All found and fixed (and several more rules later on with spaces. (but, yes, there was an http://6 in the raw source). Thanks for the help, Karen > -Original Message- > From:R. Scott Perry > >I also cut and pasted the raw html sourc into a program to count > >characters -- a total of 2438, including all spaces. > > Did you check the raw HTML source to see if it had "http://6"; in it? > > Are there any spaces after the "http://6"; in the > c:\imail\declude\spamtext.txt file (which would require the > space(s) in the > E-mail)? > -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Filter Help
Yes, we know. that is why we wanted to use a weighted rule in Declude, rather than an absolute rule in IMAIL. The problem with specific addresses (and we have a few (ok, a lot) of those, is that the spammers simply move every so often, but we keep blocking the old IP addresses forever. And they can get new addresses faster than we can add them to the list. > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED]]On Behalf Of Madscientist > Sent: Wednesday, October 16, 2002 2:55 PM > To: [EMAIL PROTECTED] > Subject: RE: [Declude.JunkMail] Filter Help > > > An Asside - > > Watch out for false positives with this one. > We tried a rule that captured all numeric-only web links as they are a > favorite for porn spammers and mortgage folks. > > Unfortunately we discovered that a number of legitimate news services > also do this sometimes so we were forced to begin entering specific > numbered web links. > --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Filter Help
The test appears to be set up correctly. I checked my declude log - there are entries for the spamtext.txt file (which contains the below) triggering on line 12 (one line below this particular block) and entries for the base64 test being triggered. I pulled a random message out of my delete box that should have been flagged and checked the headers. This is what I got: Received: from mx3.finehost.net [66.205.220.31] by staffingtech.com (SMTPD32-7.13) id AB80F410120; Wed, 16 Oct 2002 01:39:12 -0400 X-Priority: 3 Return-Path: [EMAIL PROTECTED] From: "Cash Online" <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Received: from mx3.finehost.net by 2ER93A05EK4L1M.mx3.finehost.net with SMTP for [EMAIL PROTECTED]; Tue, 15 Oct 2002 13:40:42 -0500 Date: Tue, 15 Oct 2002 13:40:42 -0500 Subject: Get up to $500 today! Message-Id: <5CU72GH.BCTT9X79."Cash Online" <[EMAIL PROTECTED]>> X-Mailer: YDH_optin_v1.2 X-Encoding: MIME MIME-Version: 1.0 X-MSMail-Priority: Normal Content-Type: multipart/alternative; boundary="=_NextPart_24_30472442" X-RBL-Warning: SPAMCOP: Blocked - see http://spamcop.net/bl.shtml?66.205.220.31 X-Declude-Sender: [EMAIL PROTECTED] [66.205.220.31] X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam. X-Spam-Tests-Failed: SPAMCOP X-RCPT-TO: <[EMAIL PROTECTED]> Status: U X-UIDL: 300488074 So, the message does not appear to be base64. It does contain some html code, but in the clear portion at the bottom, there is the usual unsubscribe junk: While visiting a partner website, you opted-in to receive special online offers. To end your membership, click reply and send this email or click http://66.163.246.29/unsubscribe.php?[EMAIL PROTECTED] This is the same as what appears if you open the message (which also then displays their ad in living color). This is the entry in the global.cfg: SPAMTEXTfilter c:\imail\declude\spamtext.txt x 0 0 and the entry for the above msg and one that did fail the spamtext rule in the declog: 10/16/2002 01:39:16 Qfb800f410120c136 Msg failed SPAMCOP (Blocked - see http://spamcop.net/bl.shtml?66.205.220.31). 10/16/2002 14:27:18 Qaf8311c10120f2ab Msg failed SPAMTEXT (Message failed SPAMTEXT test (12)). I also cut and pasted the raw html sourc into a program to count characters -- a total of 2438, including all spaces. Karen > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED]]On Behalf Of R. Scott Perry > Sent: Wednesday, October 16, 2002 2:26 PM > To: [EMAIL PROTECTED] > Subject: Re: [Declude.JunkMail] Filter Help > > > > >I included the rules below, but they never seem to trigger: > > > >BODY 10 CONTAINS http://1 > >BODY 10 CONTAINS http://2 > >BODY 10 CONTAINS http://3 > >BODY 10 CONTAINS http://4 > >BODY 10 CONTAINS http://5 > >BODY 10 CONTAINS http://6 > >BODY 10 CONTAINS http://7 > >BODY 10 CONTAINS http://8 > >BODY 10 CONTAINS http://9 > >BODY 10 CONTAINS http://0 > > Are you sure that the filter is set up properly (are other > filters working > properly)? That's the most likely problem. > > The other possibility would be if the E-mail is base64 encoded, in which > case filtering won't work (but the E-mail will fail the BASE64 test). > -Scott > --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Filter Help
Is there any way to check for references to web sites that only have domain names? I included the rules below, but they never seem to trigger: BODY 10 CONTAINS http://1 BODY 10 CONTAINS http://2 BODY 10 CONTAINS http://3 BODY 10 CONTAINS http://4 BODY 10 CONTAINS http://5 BODY 10 CONTAINS http://6 BODY 10 CONTAINS http://7 BODY 10 CONTAINS http://8 BODY 10 CONTAINS http://9 BODY 10 CONTAINS http://0 I don't want to block using IMAIL, as we have a vendor that sends us email that has a web site with a real name that starts with a "101". However, we do want to have enough weight to this type of a rule, that any other violation will result in the message being sorted into our spam box. Karen Oland --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Kill list criteria- Image`fx
Tom, You should remove .m0.net ID-20021011-000189 from the list. It is used by many legitimate mailing lists, from bookstores (Border's) to computer vendors (Palm to customers, HP to it's vendors) to brokers (Ameritrade to its customers). While you might be getting some junkmail from a list, it would be a specific list, rather than the entire domain that should be blacklisted (another reason I only use your list as a trap, rather than a true blacklist). I've had to remove several others from th list for the same reason, but that one was causing several problems. Kare Oland > -Original Message- > From: Tom > The full list can be downloaded from the following url: > http://www.imagefxonline.net/apps/delog/fromfile.txt > --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.