[Declude.JunkMail] Move Interceptor Spool dir to RAM drive?
Hi Guys, This is aimed at Interceptor users I am battling some disk latency issues (exceeding max achievable IOPS for system), I am trying to move my spool folder to a RAM disk. I updated the paths in Alligate to point to the RAM drive but Declude doesn't know to look there, any ideas aside from reinstalling Interceptor on the RAM disk? -- Rick CONFIDENTIALITY NOTICE This e-mail message and any attachments contain confidential and/or privileged information for the sole use of the intended recipient. If you are not the intended recipient, you may not read, disseminate, distribute or copy this e-mail message or any attachments. Please notify the sender immediately by reply e-mail if you received this e-mail message by mistake and delete this e-mail message and any attachments from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, delayed, incomplete, or contain viruses. The sender, therefore, does not accept liability for any errors or omissions in the contents of this e-mail message or any attachments, which arise as a result of e-mail transmission. If verification is required, please request a hard-copy version. -. .- - You have received this e-mail due to a past or current transaction or as a result of our efforts to keep you in touch with current developments affecting your industry. If you wish to unsubscribe from any future general information mailings, please click the 'Reply' button and add the word 'UNSUBSCRIBE' to the subject of your response. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Regex Greed Issue
The character limits do work, that is how I originally tested it, looking for
a better solution I consulted our lead programming nerd, he hipped me to the ?,
if it actually does work it will be a great help in other regex rules
do you have an answer on whether the ? should be working?
I will send the log entries and sample messages directly to support
--
Rick
-Original Message-
From: David Barker [mailto:dbar...@declude.com]
Sent: Friday, November 04, 2011 6:33 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Regex Greed Issue
You could try restricting the number of characters for the actual domain. I
would suggest something like this:
http\:\/\/www.+\.com\..{4,15}\.com
Also in many cases the www will not be present and the real domain will not be
a .com so you would need to use something like this:
http\:\/\/.+\.com\..{4,15}\.(net|com|info|biz|co|cn)
There are also many TLD you want to check and I would think in most cases it
would point to some URL add the extra /
http\:\/\/.+\.com\..{4,15}\..{2,4}/
Run this as a test let's see if we get any false positives and we can take a
look at it again to tweak.
David
-Original Message-
From: Rick Davidson [mailto:rdavid...@nat.com]
Sent: Thursday, November 03, 2011 10:38 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Regex Greed Issue
well based on your response I guessed you couldn't reproduce it with the
example I sent, I confirmed that, and I am unable to trick that regex, however
it does catch messages it shouldnt.
here is the log entry for the example message
11/03/2011 15:14:07.489 008080891 Triggered body PCRE filter TEST :
http://www.facebook.com/n/?permalink.phpid=3D1209018066story_fbid=3D2337=
84096686420mid=3D51cf32eG5af347a420ebGae7c0bG52bcode=3Dln1Ayh0an_m=3Dsc=
ollins%40nat.com You can now tag your friends in your status or post. Type @
and then type = the friend's name. For example: Had lunch with @John Smith.
Thanks, The Facebook Team
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D This message was sent to
scoll...@nat.com. If you don't want to receive = these emails from Facebook in
the future, please follow the link below to = unsubscribe.
http://www.facebook.com [weight - 0]
I will try to get a few more examples with the original message
--
Rick
-Original Message-
From: David Barker [mailto:dbar...@declude.com]
Sent: Thursday, November 03, 2011 9:00 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Regex Greed Issue
Hi Rick,
Are you sure your regex catches the long URL how did you test it ?
David
-Original Message-
From: Rick Davidson [mailto:rdavid...@nat.com]
Sent: Thursday, November 03, 2011 6:38 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Regex Greed Issue
I am trying to use the following regex to catch phishing URLs like
http://www.usps.com.scam.com
http\:\/\/www.*?\.com\..*?\.com
The issue is the question marks do not stop the greediness of the *
it will catch
http://www.facebook.com/n/?permalink.phpid=1209018066story_fbid=233784096686420mid=f347a420ebGae7c0bG52bcode=ln1Ayh0an_m=xx%40nat.com
it seems that it is not supported in PCRE is there a work around?
--
Rick
CONFIDENTIALITY NOTICE
This e-mail message and any attachments contain confidential and/or privileged
information for the sole use of the intended recipient. If you are not the
intended recipient, you may not read, disseminate, distribute or copy this
e-mail message or any attachments. Please notify the sender immediately by
reply e-mail if you received this e-mail message by mistake and delete this
e-mail message and any attachments from your system. E-mail transmission
cannot be guaranteed to be secure or error-free as information could be
intercepted, corrupted, lost, destroyed, delayed, incomplete, or contain
viruses. The sender, therefore, does not accept liability for any errors or
omissions in the contents of this e-mail message or any attachments, which
arise as a result of e-mail transmission. If verification is required, please
request a hard-copy version.
-. .- -
You have received this e-mail due to a past or current transaction or as a
result of our efforts to keep you in touch with current developments affecting
your industry. If you wish to unsubscribe from any future general information
mailings, please click the 'Reply' button and add the word 'UNSUBSCRIBE' to the
subject of your response.
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just
send an E-mail to imail...@declude.com, and type unsubscribe
Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail. The archives can
[Declude.JunkMail] Regex Greed Issue
I am trying to use the following regex to catch phishing URLs like http://www.usps.com.scam.com http\:\/\/www.*?\.com\..*?\.com The issue is the question marks do not stop the greediness of the * it will catch http://www.facebook.com/n/?permalink.phpid=1209018066story_fbid=233784096686420mid=f347a420ebGae7c0bG52bcode=ln1Ayh0an_m=xx%40nat.com it seems that it is not supported in PCRE is there a work around? -- Rick CONFIDENTIALITY NOTICE This e-mail message and any attachments contain confidential and/or privileged information for the sole use of the intended recipient. If you are not the intended recipient, you may not read, disseminate, distribute or copy this e-mail message or any attachments. Please notify the sender immediately by reply e-mail if you received this e-mail message by mistake and delete this e-mail message and any attachments from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, delayed, incomplete, or contain viruses. The sender, therefore, does not accept liability for any errors or omissions in the contents of this e-mail message or any attachments, which arise as a result of e-mail transmission. If verification is required, please request a hard-copy version. -. .- - You have received this e-mail due to a past or current transaction or as a result of our efforts to keep you in touch with current developments affecting your industry. If you wish to unsubscribe from any future general information mailings, please click the 'Reply' button and add the word 'UNSUBSCRIBE' to the subject of your response. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Regex Greed Issue
well based on your response I guessed you couldn't reproduce it with the example I sent, I confirmed that, and I am unable to trick that regex, however it does catch messages it shouldnt. here is the log entry for the example message 11/03/2011 15:14:07.489 008080891 Triggered body PCRE filter TEST : http://www.facebook.com/n/?permalink.phpid=3D1209018066story_fbid=3D2337= 84096686420mid=3D51cf32eG5af347a420ebGae7c0bG52bcode=3Dln1Ayh0an_m=3Dsc= ollins%40nat.com You can now tag your friends in your status or post. Type @ and then type = the friend's name. For example: Had lunch with @John Smith. Thanks, The Facebook Team =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D This message was sent to scoll...@nat.com. If you don't want to receive = these emails from Facebook in the future, please follow the link below to = unsubscribe. http://www.facebook.com [weight - 0] I will try to get a few more examples with the original message -- Rick -Original Message- From: David Barker [mailto:dbar...@declude.com] Sent: Thursday, November 03, 2011 9:00 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Regex Greed Issue Hi Rick, Are you sure your regex catches the long URL how did you test it ? David -Original Message- From: Rick Davidson [mailto:rdavid...@nat.com] Sent: Thursday, November 03, 2011 6:38 PM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] Regex Greed Issue I am trying to use the following regex to catch phishing URLs like http://www.usps.com.scam.com http\:\/\/www.*?\.com\..*?\.com The issue is the question marks do not stop the greediness of the * it will catch http://www.facebook.com/n/?permalink.phpid=1209018066story_fbid=233784096686420mid=f347a420ebGae7c0bG52bcode=ln1Ayh0an_m=xx%40nat.com it seems that it is not supported in PCRE is there a work around? -- Rick CONFIDENTIALITY NOTICE This e-mail message and any attachments contain confidential and/or privileged information for the sole use of the intended recipient. If you are not the intended recipient, you may not read, disseminate, distribute or copy this e-mail message or any attachments. Please notify the sender immediately by reply e-mail if you received this e-mail message by mistake and delete this e-mail message and any attachments from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, delayed, incomplete, or contain viruses. The sender, therefore, does not accept liability for any errors or omissions in the contents of this e-mail message or any attachments, which arise as a result of e-mail transmission. If verification is required, please request a hard-copy version. -. .- - You have received this e-mail due to a past or current transaction or as a result of our efforts to keep you in touch with current developments affecting your industry. If you wish to unsubscribe from any future general information mailings, please click the 'Reply' button and add the word 'UNSUBSCRIBE' to the subject of your response. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. You have received this e-mail due to a past or current transaction or as a result of our efforts to keep you in touch with current developments affecting your industry. If you wish to unsubscribe from any future general information mailings, please click the 'Reply' button and add the word 'UNSUBSCRIBE' to the subject of your response. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Filter help
have you tried just adding BALCOMLAWHOLD f:\Balcomlawhold to the default.junkmail file in the declude root? -- Rick -Original Message- From: Heimir Eidskrem [mailto:decl...@i360.net] Sent: Wednesday, October 12, 2011 5:41 PM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] Filter help We wash incoming email for a client and send it to their mail server. The server is down and will be down for some time. I want to filter all incoming email to this domain and send it to a hold directory. Line in global.cfg balcomlawfilter d:\smartermail\declude\filters\balcomlaw.txtx00 filter name: balcomlaw.txt content of the filter: HEADERS CONTAINS @balcomlaw.com also tried ALLRECIPS CONTAINS @balcomlaw.com I created a directory named balcomlaw.com in the declude directory and copied $default$.junkmail default.junkmail has this line: BALCOMLAWHOLD f:\Balcomlawhold I see the test being called but no action taken. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. CONFIDENTIALITY NOTICE This e-mail message and any attachments contain confidential and/or privileged information for the sole use of the intended recipient. If you are not the intended recipient, you may not read, disseminate, distribute or copy this e-mail message or any attachments. Please notify the sender immediately by reply e-mail if you received this e-mail message by mistake and delete this e-mail message and any attachments from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, delayed, incomplete, or contain viruses. The sender, therefore, does not accept liability for any errors or omissions in the contents of this e-mail message or any attachments, which arise as a result of e-mail transmission. If verification is required, please request a hard-copy version. -. .- - You have received this e-mail due to a past or current transaction or as a result of our efforts to keep you in touch with current developments affecting your industry. If you wish to unsubscribe from any future general information mailings, please click the 'Reply' button and add the word 'UNSUBSCRIBE' to the subject of your response. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] whitlist receiving address
in the global.cfg you can use WHITELIST TO some...@domain.com in a filter you can use something like this ALLRECIPS WHITELIST CONTAINS some...@domain.com -- Rick From: Harry Vanderzand [mailto:ha...@intown.net] Sent: Tuesday, September 27, 2011 4:25 PM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] whitlist receiving address A client has asked if I can exclude one of his addresses from being filtered. He wants his whole domain filtered for spam except for one address. How is that done? Excuse me if the question has an obvious answer Thank you harry --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. CONFIDENTIALITY NOTICE This e-mail message and any attachments contain confidential and/or privileged information for the sole use of the intended recipient. If you are not the intended recipient, you may not read, disseminate, distribute or copy this e-mail message or any attachments. Please notify the sender immediately by reply e-mail if you received this e-mail message by mistake and delete this e-mail message and any attachments from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, delayed, incomplete, or contain viruses. The sender, therefore, does not accept liability for any errors or omissions in the contents of this e-mail message or any attachments, which arise as a result of e-mail transmission. If verification is required, please request a hard-copy version. -. .- - You have received this e-mail due to a past or current transaction or as a result of our efforts to keep you in touch with current developments affecting your industry. If you wish to unsubscribe from any future general information mailings, please click heremailto:rdavid...@nat.com?subject=UNSUBSCRIBEbcc=unsubscr...@nat.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Blank TO Test?
How would one go about triggering on a message with a blank or missing TO field? -- Rick CONFIDENTIALITY NOTICE This e-mail message and any attachments contain confidential and/or privileged information for the sole use of the intended recipient. If you are not the intended recipient, you may not read, disseminate, distribute or copy this e-mail message or any attachments. Please notify the sender immediately by reply e-mail if you received this e-mail message by mistake and delete this e-mail message and any attachments from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, delayed, incomplete, or contain viruses. The sender, therefore, does not accept liability for any errors or omissions in the contents of this e-mail message or any attachments, which arise as a result of e-mail transmission. If verification is required, please request a hard-copy version. -. .- - You have received this e-mail due to a past or current transaction or as a result of our efforts to keep you in touch with current developments affecting your industry. If you wish to unsubscribe from any future general information mailings, please click the 'Reply' button and add the word 'UNSUBSCRIBE' to the subject of your response. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] AOL Header Test
You were correct Andrew, I added an additional rule without the space and started hitting them the odd thing is that I copied and pasted that header line to my rule and when looking at it there is a space, weird. -- Rick From: Colbeck, Andrew [mailto:acolb...@bentallkennedy.com] Sent: Tuesday, September 06, 2011 5:42 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] AOL Header Test Rick, you have a space between the colon and the YES and, if I remember correctly, AOL does not put a space there. #Email from AOL which they believe is spam HEADERS 0 CONTAINS X-SPAM-FLAG:YES On the other hand, there is a case-sensitive flavour that comes out of SpamAssassin, and AOL provides this format at their Postmaster FAQ page for mail that people send to AOL accounts: #Email from a SpamAssassin implementation that belives the outbound mail was spam HEADERS 0 CONTAINS X-Spam-Flag: YES http://postmaster.aol.com/Postmaster.FAQ.php Andrew. From: Rick Davidson [mailto:rdavid...@nat.com] Sent: Tuesday, September 06, 2011 3:06 PM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] AOL Header Test Hello, I have a combo test for scrutinizing AOL and the large webmail providers, I am trying to trigger on an AOL X header with this HEADERS 0 CONTAINS X-SPAM-FLAG: YES any idea why this wouldn't hit? -- Rick CONFIDENTIALITY NOTICE This e-mail message and any attachments contain confidential and/or privileged information for the sole use of the intended recipient. If you are not the intended recipient, you may not read, disseminate, distribute or copy this e-mail message or any attachments. Please notify the sender immediately by reply e-mail if you received this e-mail message by mistake and delete this e-mail message and any attachments from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, delayed, incomplete, or contain viruses. The sender, therefore, does not accept liability for any errors or omissions in the contents of this e-mail message or any attachments, which arise as a result of e-mail transmission. If verification is required, please request a hard-copy version. -. .- - You have received this e-mail due to a past or current transaction or as a result of our efforts to keep you in touch with current developments affecting your industry. If you wish to unsubscribe from any future general information mailings, please click heremailto:rdavid...@nat.com?subject=UNSUBSCRIBEbcc=unsubscr...@nat.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. This message (and any associated files) may contain confidential, proprietary and/or privileged material and access to these materials by anyone other than the intended recipient is unauthorized. Unauthorized recipients are required to maintain confidentiality. Any review, retransmission, dissemination or other use of these materials by persons or entities other than the intended recipient is prohibited and may be unlawful. If you have received this message in error, please notify us immediately and destroy the original. Ce message et tout document qui y est éventuellement joint peuvent contenir de l’information confidentielle ou exclusive. L’accès à cette information par quiconque autre que le destinataire désigné en est donc interdit. Les personnes ou les entités non autorisées doivent respecter la confidentialité de cette information. La lecture, la retransmission, la communication ou toute autre utilisation de cette information par une personne ou une entité non autorisée est strictement interdite. Si vous avez reçu ce message par erreur, veuillez nous en aviser immédiatement et le détruire. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. You have received this e-mail due to a past or current transaction or as a result of our efforts to keep you in touch with current developments affecting your industry. If you wish to unsubscribe from any future general information mailings, please click heremailto:rdavid...@nat.com?subject=UNSUBSCRIBEbcc=unsubscr...@nat.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] AOL Header Test
Hello, I have a combo test for scrutinizing AOL and the large webmail providers, I am trying to trigger on an AOL X header with this HEADERS 0 CONTAINS X-SPAM-FLAG: YES any idea why this wouldn't hit? -- Rick CONFIDENTIALITY NOTICE This e-mail message and any attachments contain confidential and/or privileged information for the sole use of the intended recipient. If you are not the intended recipient, you may not read, disseminate, distribute or copy this e-mail message or any attachments. Please notify the sender immediately by reply e-mail if you received this e-mail message by mistake and delete this e-mail message and any attachments from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, delayed, incomplete, or contain viruses. The sender, therefore, does not accept liability for any errors or omissions in the contents of this e-mail message or any attachments, which arise as a result of e-mail transmission. If verification is required, please request a hard-copy version. -. .- - You have received this e-mail due to a past or current transaction or as a result of our efforts to keep you in touch with current developments affecting your industry. If you wish to unsubscribe from any future general information mailings, please click heremailto:rdavid...@nat.com?subject=UNSUBSCRIBEbcc=unsubscr...@nat.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] regular expressions and IS
I am working on a combo filter to catch the aol/hotmail/yahoo url spam is there a way to use a regular expression with IS body 0 IS/PCRE (?i:^http\:\/\/.*\.(html|htm|php)$) any suggestions welcome -- Rick CONFIDENTIALITY NOTICE This e-mail message and any attachments contain confidential and/or privileged information for the sole use of the intended recipient. If you are not the intended recipient, you may not read, disseminate, distribute or copy this e-mail message or any attachments. Please notify the sender immediately by reply e-mail if you received this e-mail message by mistake and delete this e-mail message and any attachments from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, delayed, incomplete, or contain viruses. The sender, therefore, does not accept liability for any errors or omissions in the contents of this e-mail message or any attachments, which arise as a result of e-mail transmission. If verification is required, please request a hard-copy version. -. .- - You have received this e-mail due to a past or current transaction or as a result of our efforts to keep you in touch with current developments affecting your industry. If you wish to unsubscribe from any future general information mailings, please click the 'Reply' button and add the word 'UNSUBSCRIBE' to the subject of your response. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] regular expressions and IS
just looking for text emails with nothing more than a url in the body David answered my question, I was over thinking it, by leading with the ^ and ending with the $ that makes the RegEx an IS statement body 0 PCRE (?i:^http\:\/\/.*\.(html|htm|php)$) its working -- Rick -Original Message- From: Nick Hayer [mailto:n...@madriveraccess.com] Sent: Tuesday, August 09, 2011 6:12 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] regular expressions and IS BODY. CONTAINS. Bla bla Is that what you are looking for? -Nick On Aug 9, 2011, at 3:26 PM, David Barker dbar...@declude.com wrote: The expression is the IS Can you post a few examples of what you trying to catch ? -Original Message- From: Rick Davidson [mailto:rdavid...@nat.com] Sent: Tuesday, August 09, 2011 2:34 PM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] regular expressions and IS I am working on a combo filter to catch the aol/hotmail/yahoo url spam is there a way to use a regular expression with IS body 0 IS/PCRE (?i:^http\:\/\/.*\.(html|htm|php)$) any suggestions welcome -- Rick CONFIDENTIALITY NOTICE This e-mail message and any attachments contain confidential and/or privileged information for the sole use of the intended recipient. If you are not the intended recipient, you may not read, disseminate, distribute or copy this e-mail message or any attachments. Please notify the sender immediately by reply e-mail if you received this e-mail message by mistake and delete this e-mail message and any attachments from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, delayed, incomplete, or contain viruses. The sender, therefore, does not accept liability for any errors or omissions in the contents of this e-mail message or any attachments, which arise as a result of e-mail transmission. If verification is required, please request a hard-copy version. -. .- - You have received this e-mail due to a past or current transaction or as a result of our efforts to keep you in touch with current developments affecting your industry. If you wish to unsubscribe from any future general information mailings, please click the 'Reply' button and add the word 'UNSUBSCRIBE' to the subject of your response. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. You have received this e-mail due to a past or current transaction or as a result of our efforts to keep you in touch with current developments affecting your industry. If you wish to unsubscribe from any future general information mailings, please click the 'Reply' button and add the word 'UNSUBSCRIBE' to the subject of your response. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] white list or positive weight for a specific To address?
Thanks Sandy, interesting response, it got me thinking a bit wouldnt the spammer/attacker need to have delegated authority over the source ip address space and control of DNS infrastructure to forge a PTR record? I have been doing this a while and I dont recall ever seeing a message whitelisted due to forged revdns, I use revdns for whitelisting heavily. Also to the point of Ben's query, your solution is a good one, didnt pick up on that one... I guess I didnt consider the possibility of a targeted attack on an email admin list from the hosting anti-spam/virus vendor's domain when I suggested using the revdns, although it would be kinda funny. lol -- Rick -Original Message- From: Sanford Whiteman [mailto:sa...@cypressintegrated.com] Sent: Sunday, June 19, 2011 2:14 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] white list or positive weight for a specific To address? Why not use the HELO or REVDNS? REVDNS is going to be the safest because of the difficulty in forging it Not always... if the domain has a hard-fail SPF record that isn't *itself* dependent on forgeable records (only uses IPs and forward DNS entries), then the MAILFROM can't successfully impersonate the protected domain (the envelope sender can still be trivially crafted, of course, but the mail will be rejected). However, in the case under discussion, declude.com's SPF record depends on the forgeable PTR, so in this case the SPF isn't any stronger protection than REVDNS itself. I would hesitate to say that there's any difficulty forging the PTR as part of a targeted attack. @ Ben, the MAILFROM for list messages uses the format declude.junkmail-your_verp...@declude.com, so there is a consistent SMTP (RFC 821) emvelope sender to filter on. -- Sandy --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. CONFIDENTIALITY NOTICE This e-mail message and any attachments contain confidential and/or privileged information for the sole use of the intended recipient. If you are not the intended recipient, you may not read, disseminate, distribute or copy this e-mail message or any attachments. Please notify the sender immediately by reply e-mail if you received this e-mail message by mistake and delete this e-mail message and any attachments from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, delayed, incomplete, or contain viruses. The sender, therefore, does not accept liability for any errors or omissions in the contents of this e-mail message or any attachments, which arise as a result of e-mail transmission. If verification is required, please request a hard-copy version. -. .- - You have received this e-mail due to a past or current transaction or as a result of our efforts to keep you in touch with current developments affecting your industry. If you wish to unsubscribe from any future general information mailings, please click the 'Reply' button and add the word 'UNSUBSCRIBE' to the subject of your response.--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] white list or positive weight for a specific To address?
Why not use the HELO or REVDNS? REVDNS is going to be the safest because of the difficulty in forging it HELO -10 CONTAINS smtp.declude.com or HELO WHITELIST CONTAINS smtp.declude.com REVDNS -10 CONTAINS smtp.declude.com or REVDNS WHITELIST CONTAINS smtp.declude.com or even blanket the headers with HEADERS -10 CONTAINS smtp.declude.com or HEADERS WHITELIST CONTAINS smtp.declude.com MAILFROM would be my 4th choice if the helo or revdns was broken -- Rick From: IMail Admin [mailto:imailad...@bcwebhost.net] Sent: Sunday, June 19, 2011 1:02 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] white list or positive weight for a specific To address? “It is just our way.” That has such a Zen sound to it, like you must find your own path to enlightenment. I am still confused by both your suggestion and Randy’s. They both seem to be based on the From line, which would not be declude.com. Here are the first few header lines from one of Randy’s emails in this discussion: Received: from smtp.declude.com [216.144.195.81] by mail2.bcwebhost.net with ESMTP (SMTPD-9.23) id A94001FC; Sat, 18 Jun 2011 11:06:56 -0700 Received: from smail.globalweb.net (smail.globalweb.net [208.74.80.105]) by smtp.declude.com with SMTP; Sat, 18 Jun 2011 13:05:28 -0500 Received: from HRADellDTPC (173-163-199-121-richmond.hfc.comcastbusiness.net [173.163.199.121]) by smail.globalweb.net with SMTP; Sat, 18 Jun 2011 14:05:05 -0400 From: Randy A ra...@globalweb.us To: Declude.JunkMail@declude.com References: -291971859_45532...@smtp.declude.com -170080375_45540...@smtp.declude.com 242286454_45562...@smtp.declude.com 251212219_45563...@smtp.declude.com 258933297_45563...@smtp.declude.com 317249079_45567...@smtp.declude.com 51015843_49160...@smtp.declude.com 82729453_49162...@smtp.declude.com 119798468_49164...@smtp.declude.com In-Reply-To: 119798468_49164...@smtp.declude.com Subject: RE: [Declude.JunkMail] white list or positive weight for a specific To address? Date: Sat, 18 Jun 2011 14:06:08 -0400 I would expect both your whitelist technique and Randy’s counter-weighting to apply to the From line, which shows ra...@globalweb.usmailto:ra...@globalweb.us, not Declude.com. So am I misunderstanding how these tests work? Do they use the In-Reply-To line instead? Or search the whole header? Thanks, Ben From: Nick Hayermailto:n...@madriveraccess.com Sent: Saturday, June 18, 2011 12:12 PM To: Declude.JunkMail@declude.commailto:Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] white list or positive weight for a specific To address? yup there is some sort of cap in global.cfg the around that is with a whitelist file that would contain entries like: MAILFROMWHITELISTCONTAINS@declude.com and clearly implementation technique is a personal thing :) We use compensatory filters to add/subtract weights as needed, and whitelist filters for whitelisting - which I am not suggesting is a better way. Its just our way.. -Nick MadRiverAccess.com|Skywaves.com Tech Support US/Canada 877-873-6482 or International +1-802-229-6574 Emergency Support 24/7: supp...@skywaves.net General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm From: Randy A ra...@globalweb.us Sent: Saturday, June 18, 2011 2:23 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] white list or positive weight for a specific To address? Yes but if I remember correctly there is a limit on the number of whitelist entries you can have in the cfg file (200 I think – please correct me if I am wrong) so depending on the number of domains you are hosting email for, this could fill up at some point. We use the whitelist technique for our company needs, and the text file format for customer needs so everything is in one location for easier management. Sincerely, Randy Armbrecht Global Web Solutions, Inc. Office: 804.442.5300 option 1 Toll Free: 877.800.4562 24 /7 Tech Support! Your Internet Source.Since 1996! NEW GlobalSync Remote-BackUp Solutions! Web Hosting - E-Mail - Spam/Virus Gateway Services Hi-Speed DSL and Wireless Internet - T-1/T-3's PC Support - Networking - Virus/MalWare Removal 25% discount on most services for Non-Profits! Call us today! From: Nick Hayer [mailto:n...@madriveraccess.com] Sent: Saturday, June 18, 2011 2:10 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] white list or positive weight for a specific To address? An easy way to whitelist these in your global.cfg WHITELISTFROM@declude.com -Nick MadRiverAccess.com|Skywaves.com Tech Support US/Canada 877-873-6482 or International +1-802-229-6574 Emergency Support 24/7: supp...@skywaves.netmailto:supp...@skywaves.net General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm From: IMail Admin imailad...@bcwebhost.net Sent:
RE: [Declude.JunkMail] email being delivered with blank body. What happened to body?
Login to the interim area Go to interceptor There is a dir called 3.4.10.59 Swap out the decludeproc.exe files I am running it this morning and indeed that issue does not exist, however the diags.txt says it is 3.4.10.49 -- rick From: Harry Vanderzand [mailto:ha...@intown.net] Sent: Tuesday, April 05, 2011 8:05 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] email being delivered with blank body. What happened to body? Where did you get 4.10.59? I do not see it available for download. I have even turned of spam scanning for the domain yet it still occurs. Thank you Harry Vanderzand Intown internet Erbsville Internet 740 Erbsville Road Waterloo, ON, N2J3Z4 From: Bonno Bloksma [b.blok...@tio.nl] Sent: April-05-11 1:48 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] email being delivered with blank body. What happened to body? Hi, Which version of Declude are you running? I remember chasing a wierd bug that was sometimes truncating a message to 1k, which mostly affected html mail. After declude found the cause for that issue they released interim version Declude 4.10.59 which is what I am running now. Met vriendelijke groet, Bonno Bloksma senior systeembeheerder tio hogeschool hospitality en toerisme begijnenhof 8-12 / 5611 el eindhoven t 040 296 28 28 / f 040 237 35 20 b.blok...@tio.nlmailto:b.blok...@tio.nl / www.tio.nlhttp://www.tio.nl/ Volg ons op Twitterhttp://twitter.com/#!/hogeschooltio / Facebookhttp://www.facebook.com/pages/TIO-Hogeschool-Hospitality-en-Toerisme/103881882987989#!/pages/Hogeschool-Tio/417375345610 / Hyveshttp://cognatio.hyves.nl/ / YouTubehttp://www.youtube.com/user/hogeschooltio Van: Harry Vanderzand [mailto:ha...@intown.net] Verzonden: dinsdag 5 april 2011 0:54 Aan: Declude.JunkMail@declude.com Onderwerp: [Declude.JunkMail] email being delivered with blank body. What happened to body? This is occurring to one of my domains. No others that I can figure. I see no pattern as to why the mail gets delivered but the body is missing. Any help is sure appreciated. I run imail with an Alligate front end. And of course Declude. Thank you in advance for your assistance. Thank you Harry Vanderzand Intown internet Erbsville Internet 740 Erbsville Road Waterloo, ON, N2J3Z4 --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. You have received this e-mail due to a past or current transaction or as a result of our efforts to keep you in touch with current developments affecting your industry. If you wish to unsubscribe from any future general information mailings, please click heremailto:rdavid...@nat.com?subject=UNSUBSCRIBEbcc=unsubscr...@nat.com. CONFIDENTIALITY NOTICE This e-mail message and any attachments contain confidential and/or privileged information for the sole use of the intended recipient. If you are not the intended recipient, you may not read, disseminate, distribute or copy this e-mail message or any attachments. Please notify the sender immediately by reply e-mail if you received this e-mail message by mistake and delete this e-mail message and any attachments from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, delayed, incomplete, or contain viruses. The sender, therefore, does not accept liability for any errors or omissions in the contents of this e-mail message or any attachments, which arise as a result of e-mail transmission. If verification is required, please request a hard-copy version. -. .- - --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] email being delivered with blank body. What happened to body?
So running the 3.4.10.59 (or .49 what ever it is supposed to be) resulted in a bit of chaos for me So there were no more blank email bodies but instead it randomly started mixing up the Q and D files and delivering message bodies to unintended recipients (yea no kidding) The headers look normal, exactly like they are supposed to be, however the message is delivered to the wrong recipient Received: from nateet1.nat.com (64.143.180.230) by mail.nat.com (10.101.226.10) with Microsoft SMTP Server (TLS) id 8.3.137.0; Tue, 5 Apr 2011 11:53:48 -0500 Received: from mx1.nat.com (64.143.180.231) by nateet1.nat.com (64.143.180.231) with Microsoft SMTP Server id 8.3.137.0; Tue, 5 Apr 2011 11:53:42 -0500 Received: from fnbtc.net [209.149.254.11] by mx1.nat.com (Alligate(TM) SMTP Gateway v3.11.1.27) with ESMPT id b5ebbfc2087eab34.8d3a4a8f6d574...@mx1.nat.com for some...@nat.com; Tue, 05 Apr 2011 11:53:23 -0500 Received: from ([192.168.3.1]) by mail.fnbtc.net with ESMTP id J3NF5H1.30523111;Tue, 05 Apr 2011 12:16:50 -0400 Received: by fnb_tc_02.fnb_tc with Internet Mail Service (5.5.2657.72) id 2KAZYZJ7; Tue, 5 Apr 2011 12:37:54 -0400 Message-ID: 4C6283FBCA6604418688004ED2B8EC6C24ED23EB@fnb_tc_02.fnb_tc From: Mrs Someone some...@seacoastnational.com To: 'Mr Someone' some...@nat.com Subject: chairs Date: Tue, 5 Apr 2011 12:37:53 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2657.72) Content-Type: multipart/alternative; boundary=_=_NextPart_001_01CBF3AF.CF9AC848 X-MXRate-Prob: 0 X-MXRate-Country: US X-MXRate-Action: NONE X-Alligate-ReceivingIP: [64.143.180.230] X-Alligate-Country-Chain: United States-Destination X-Alligate-Tarpit: NOSUBD;GREY (20secs) X-Alligate-Grey: Passed X-Alligate-REVDNS: mail.fnbtc.net X-Alligate-HELO: fnbtc.net X-Alligate-Spam: NOSUBD;TARPIT; X-Alligate-MsgScan: (10) NOTGOODSNDR[10]; X-Alligate-ID: 245564 X-Originating-IP: 209.149.254.11 X-Alligate-RcptTo: some...@nat.com Return-Path: some...@seacoastnational.com X-RBL-Warning: WEIGHTER: Message failed WEIGHTER test (line 29, weight 1) X-Declude-Sender: some...@seacoastnational.com [209.149.254.11] X-Declude-Spoolname: D005433486.smd X-Declude-RefID: str=0001.0A020202.4D9B4913.0045:SCFSTAT2058654,ss=1,fgs=0 X-SendingHost: seacoastnational.com X-Country-Chain: UNITED STATES-destination X-Recipients: some...@nat.com X-Declude-Fail: BACKSCATTER [4], COMMENTS [7], WEIGHTER [1] X-Declude-Score: 12 Alligate 11:53:07.578 - (245564) Cmd recd: MAIL FROM:some...@seacoastnational.com size=5349 11:53:07.734 - (245564) Cmd recd: RCPT TO:some...@nat.com Declude Junkmail 04/05/2011 11:53:39.156 Q005433486.smd From: some...@seacoastnational.com To: some...@nat.com IP: 209.xxx.xxx.xx ID: J3NF5H1.30523111 Here is where it goes bad, the handoff from Declude to Exchange, there are two new recipients and an additional sender address 2011-04-05T16:53:42.453Z,64.143.180.231,,64.143.180.231,mx1,08CDBFF5751E827C;2011-04-05T16:53:42.296Z;0,mx1\Inbound From Internet,SMTP,RECEIVE,31471,4C6283FBCA6604418688004ED2B8EC6C24ED23EB@fnb_tc_02.fnb_tc,someo...@nat.com;someo...@nat.com,,9626,2,,,chairs,some...@seacoastnational.com,some...@msn.com,10I: the message above was delivered to someo...@nat.commailto:someo...@nat.com and someo...@nat.commailto:someo...@nat.com from some...@msn.commailto:some...@msn.com instead of what was contained in the headers Rolled back to previous version… -- Rick From: Rick Davidson Sent: Tuesday, April 05, 2011 8:37 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] email being delivered with blank body. What happened to body? Login to the interim area Go to interceptor There is a dir called 3.4.10.59 Swap out the decludeproc.exe files I am running it this morning and indeed that issue does not exist, however the diags.txt says it is 3.4.10.49 -- rick From: Harry Vanderzand [mailto:ha...@intown.net] Sent: Tuesday, April 05, 2011 8:05 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] email being delivered with blank body. What happened to body? Where did you get 4.10.59? I do not see it available for download. I have even turned of spam scanning for the domain yet it still occurs. Thank you Harry Vanderzand Intown internet Erbsville Internet 740 Erbsville Road Waterloo, ON, N2J3Z4 From: Bonno Bloksma [b.blok...@tio.nl] Sent: April-05-11 1:48 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] email being delivered with blank body. What happened to body? Hi, Which version of Declude are you running? I remember chasing a wierd bug that was sometimes truncating a message to 1k, which mostly affected html mail. After declude found the cause for that issue they released interim version Declude 4.10.59 which is what I am running now. Met vriendelijke groet, Bonno Bloksma senior systeembeheerder tio hogeschool hospitality en toerisme begijnenhof 8-12 / 5611 el
[Declude.JunkMail] RE: email being delivered with blank body. What happened to body?
Look for these messages in your log files WARNING: EOF in multipart processing I had that problem when I upgraded to Interceptor 3.4.10.48 back in Feb, I had to roll back to the previous version I was running which is 3.4.42 I have yet to hear back on that one, if anyone has a fix I’d like to hear it -- Rick From: Harry Vanderzand [mailto:ha...@intown.net] Sent: Monday, April 04, 2011 5:54 PM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] email being delivered with blank body. What happened to body? This is occurring to one of my domains. No others that I can figure. I see no pattern as to why the mail gets delivered but the body is missing. Any help is sure appreciated. I run imail with an Alligate front end. And of course Declude. Thank you in advance for your assistance. Thank you Harry Vanderzand Intown internet Erbsville Internet 740 Erbsville Road Waterloo, ON, N2J3Z4 --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. You have received this e-mail due to a past or current transaction or as a result of our efforts to keep you in touch with current developments affecting your industry. If you wish to unsubscribe from any future general information mailings, please click heremailto:rdavid...@nat.com?subject=UNSUBSCRIBEbcc=unsubscr...@nat.com. CONFIDENTIALITY NOTICE This e-mail message and any attachments contain confidential and/or privileged information for the sole use of the intended recipient. If you are not the intended recipient, you may not read, disseminate, distribute or copy this e-mail message or any attachments. Please notify the sender immediately by reply e-mail if you received this e-mail message by mistake and delete this e-mail message and any attachments from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, delayed, incomplete, or contain viruses. The sender, therefore, does not accept liability for any errors or omissions in the contents of this e-mail message or any attachments, which arise as a result of e-mail transmission. If verification is required, please request a hard-copy version. -. .- - --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] RE: email being delivered with blank body. What happened to body?
I was seeing the blank emails in the spam hold queue (which I review with fpReview), the bodies in the D files were indeed blank so they wouldn’t have shown ok in any client. I didn’t realize it was a problem until the helpdesk started opening tickets for blank emails (outlook Exchange 07) It appeared to be an issue with html email only, didn’t take any time to do detective work, I quickly rolled back since it was only day two into an upgrade -- Rick From: Richard Lyon [mailto:rl...@piolaxusa.com] Sent: Monday, April 04, 2011 7:53 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] RE: email being delivered with blank body. What happened to body? I've seen it with lotus notes delivering to an Outlook client. The emails show fine in imails web mail. I've never found a fix. Its related to Lotus Notes replies - not the original email. -Original Message- From: Rick Davidson rdavid...@nat.com Sent 4/4/2011 8:33:10 PM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] RE: email being delivered with blank body. What happened to body? Look for these messages in your log files WARNING: EOF in multipart processing I had that problem when I upgraded to Interceptor 3.4.10.48 back in Feb, I had to roll back to the previous version I was running which is 3.4.42 I have yet to hear back on that one, if anyone has a fix I’d like to hear it -- Rick From: Harry Vanderzand [mailto:ha...@intown.net] Sent: Monday, April 04, 2011 5:54 PM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] email being delivered with blank body. What happened to body? This is occurring to one of my domains. No others that I can figure. I see no pattern as to why the mail gets delivered but the body is missing. Any help is sure appreciated. I run imail with an Alligate front end. And of course Declude. Thank you in advance for your assistance. Thank you Harry Vanderzand Intown internet Erbsville Internet 740 Erbsville Road Waterloo, ON, N2J3Z4 --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. You have received this e-mail due to a past or current transaction or as a result of our efforts to keep you in touch with current developments affecting your industry. If you wish to unsubscribe from any future general information mailings, please click heremailto:rdavid...@nat.com?subject=UNSUBSCRIBEbcc=unsubscr...@nat.com. CONFIDENTIALITY NOTICE This e-mail message and any attachments contain confidential and/or privileged information for the sole use of the intended recipient. If you are not the intended recipient, you may not read, disseminate, distribute or copy this e-mail message or any attachments. Please notify the sender immediately by reply e-mail if you received this e-mail message by mistake and delete this e-mail message and any attachments from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, delayed, incomplete, or contain viruses. The sender, therefore, does not accept liability for any errors or omissions in the contents of this e-mail message or any attachments, which arise as a result of e-mail transmission. If verification is required, please request a hard-copy version. -. .- - --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. You have received this e-mail due to a past or current transaction or as a result of our efforts to keep you in touch with current developments affecting your industry. If you wish to unsubscribe from any future general information mailings, please click heremailto:rdavid...@nat.com?subject=UNSUBSCRIBEbcc=unsubscr...@nat.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Declude as a Gateway
I used Imail and Declude as a gateway and will continue to do so when we convert our users to exchange Rick Davidson North American Title Group National Systems Manager 4667 MacArthur Blvd. Suite 240 Newport Beach, CA 92660 Phone: 951-233-6342 Fax: 949-251-9283 Email: [EMAIL PROTECTED] - - Original Message - From: [EMAIL PROTECTED] [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Tuesday, April 11, 2006 11:55 AM Subject: [Declude.JunkMail] Declude as a Gateway If anyone is using Declude with SmarterMail or IMail as a Gateway could you get in touch with me off the list [EMAIL PROTECTED] Thanks Barry --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] OT: Imail Aliases
Just setup the new domain on your gateways and script them the same way, my company grows through aquisition, I have 5 domains on my gateways and use the aliases trick. Rick DavidsonNational Systems ManagerNorth American Title Group- - Original Message - From: Mark Smith To: Declude.JunkMail@declude.com Sent: Wednesday, January 18, 2006 9:31 AM Subject: [Declude.JunkMail] OT: Imail Aliases Sorry about the Off-Topic question...I use Imail/Declude as a gateway system only for a large Exchange org.To avoid the dictionary attacks, we do some scripting magic to put theExchange SMTP addresses in the Imail Alias setup.Here's the problem. Our Exchange org has two domains associated with it dueto a merger -- let's say @apple.com and @orange.comWe've run into a problem with a generic mailbox for each of these domains --info. There has always been an [EMAIL PROTECTED] and [EMAIL PROTECTED]Since the Imail Alias only contains the mailbox name (info) we have no wayto email directly into both domains through this gateway server.Any ideas on how to get around this?---[This E-mail was scanned for viruses by Declude EVA www.declude.com]---This E-mail came from the Declude.JunkMail mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.JunkMail". The archives can be foundat http://www.mail-archive.com.
Re: [Declude.JunkMail] Paranoia
let me know if you get the BANEXT .snow working, we got 24 inches yesterday and last night, good ol Lake Erie lake effect snow... sigh Rick Davidson National Systems Manager North American Title Group - - Original Message - From: Markus Gufler [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Saturday, December 03, 2005 3:49 AM Subject: RE: [Declude.JunkMail] Paranoia What's even funnier is by the time I am ready to get in bed, Europe is going to work. yawning mmmh, what? ... ... Ah, hi guys, good morning from Europe! We've around 12 inches of snow here over night. Where's the snowshovel? Maybe I will add BANEXT .snow to my config file ;-) /yawning Markus --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] IMail 8.21 Update
I installed the 8.21 patch, the main improvement is the ability to limit the amount of SMTP connections. I opened a case with Ipswitch yesterday due to a problem with SMTPD32 that would cause the RAM usage to skyrocket until the SMTP service failed. It turns out that when a blacklist is unreachable Imail chokes and the SMTP service fails due to being overrun with SMTP connections. The timing of the problem and patch release allowed me to apply the fix and recreate the problem. The patch definately throttled the SMTP connection overrun problem but now a steady overuse of the CPU occurrs, which is far better than the total SMTP service failure. They simply need to timeout the DNS based RBLs more efficiently. I was told that was added to the request database. In my opinion, anyone experiencing the SMTP service failure due to RAM/Buffer overflow issues should apply this patch. Rick Davidson National Systems Manager North American Title Group - Original Message - From: William Stillwell [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Thursday, July 28, 2005 1:10 PM Subject: [Declude.JunkMail] IMail 8.21 Update Anybody install this yet? Any Issues (Besides the known 8.20 Issue) I am currently running Declude 1.82 with iMail 8.20HF1 --- This email has been scanned for possible viruses by Declude Antivirus. For more information on Declude Antivirus, Visit www.declude.com --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Insufficient system resources error
8.2 hf2 Rick Davidson National Systems Manager North American Title Group - - Original Message - From: Chris Patterson [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Friday, June 10, 2005 1:13 PM Subject: RE: [Declude.JunkMail] Insufficient system resources error Hey Rick, What version of IMAIL and Declude are you running? Thanks, Chris Patterson, CCNA Network Engineer/Support Manager -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Davidson Sent: Thursday, June 09, 2005 10:16 AM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Insufficient system resources error That is the same symptom or lack of symptom I see, however I completely disabled declude and restored SMTPD as the delivery app and still had the same problem. I only run declude virus on the box in question, I still have smtp logging disabled and still have not had a failure since Rick Davidson National Systems Manager North American Title Group 440-639-0607 - Office 440-487-7344 - Mobile [EMAIL PROTECTED] - - Original Message - From: Chris Patterson [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Thursday, June 09, 2005 9:50 AM Subject: RE: [Declude.JunkMail] Insufficient system resources error I have been having the same issue or incidents would be better phrasing. I have a busy server, 4000 + boxes plus many off-site scrubbing services. I have had three incidents in the past month, the first two were directly related to smtp crashing and not restarting. I have not had the smtp issue since installing HF2 for 8.2 . Since that point I have had one incident that was very different than the first two. There have been no SMTP warnings in event log, no SMTP error 1455 (out of memory) in logs since the HF2. The only thing I could trace this one to is in the Declude logs. The logs indicated it could not move spam to hold directory. This incident required a hard boot of the server, external access was cut off. Declude support has indicated they are seeing this as a possible issue. Normally, I would not quote tech support on a list and I am not blaming Declude for this issue. But this may be very helpful towards resolution of this issue: Chris, We are currently looking into an issue where the HOLD directive does not work properly. My first suspicion, since you have mentioned HOLD, is that it is related to this same issue. It is possible that the hold directory is not being created correctly or that the name being passed to that routine is invalid. David Franco-Rocha Declude Technical Support Thanks, Chris Patterson, CCNA Network Engineer/Support Manager -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Nice Sent: Wednesday, June 08, 2005 2:16 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Insufficient system resources error This is very interesting - Can you verify in the task manager that when it hangs that the memory in use by SMTPd is 'normal'? (7 to 20 Megabytes) I wouldn't be surprised by some type of logging problem. I occasionally see truncated/incomplete log lines in the file. This would certainly seem to be some sort of bug related to logging. - Original Message - From: Rick Davidson [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Wednesday, June 08, 2005 1:36 PM Subject: Re: [Declude.JunkMail] Insufficient system resources error I have been watching this thread and have been the victim of the SMTP service failures (hangs really) but I do not get a Insufficient system resources error. I believe I have the problem traced to the SMTP logging, if I turn the SMTP logging off (yea I know... :) I no longer have SMTP failures. I installed Kiwi syslogger and still had the same SMTP service failures until I disabled the SMTP logging so it seems to be the SMTPD itself and not the built in logging services. would be interested to see if others could verify this, in the mean time I am opening a ticket with Ipswitch this definately is not a declude issue Rick Davidson National Systems Manager North American Title Group - - Original Message - From: Chris Patterson [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Friday, June 03, 2005 3:13 PM Subject: RE: [Declude.JunkMail] Insufficient system resources error I had the same problem with SMTP not being able to restart due to virtual memory according to the event log. I had to reboot to gain SMTP services. I have had another instance since applying HF2, but the SMTP portion of the issue was not the same. The event log did not indicate SMTP failures. I opened a ticket with Ipswitch but they blamed it on Declude, as usual. Thanks, Chris Patterson, CCNA Network Engineer/Support Manager -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists) Sent: Friday, June 03, 2005 2:13
Re: [Declude.JunkMail] Insufficient system resources error
That is the same symptom or lack of symptom I see, however I completely disabled declude and restored SMTPD as the delivery app and still had the same problem. I only run declude virus on the box in question, I still have smtp logging disabled and still have not had a failure since Rick Davidson National Systems Manager North American Title Group 440-639-0607 - Office 440-487-7344 - Mobile [EMAIL PROTECTED] - - Original Message - From: Chris Patterson [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Thursday, June 09, 2005 9:50 AM Subject: RE: [Declude.JunkMail] Insufficient system resources error I have been having the same issue or incidents would be better phrasing. I have a busy server, 4000 + boxes plus many off-site scrubbing services. I have had three incidents in the past month, the first two were directly related to smtp crashing and not restarting. I have not had the smtp issue since installing HF2 for 8.2 . Since that point I have had one incident that was very different than the first two. There have been no SMTP warnings in event log, no SMTP error 1455 (out of memory) in logs since the HF2. The only thing I could trace this one to is in the Declude logs. The logs indicated it could not move spam to hold directory. This incident required a hard boot of the server, external access was cut off. Declude support has indicated they are seeing this as a possible issue. Normally, I would not quote tech support on a list and I am not blaming Declude for this issue. But this may be very helpful towards resolution of this issue: Chris, We are currently looking into an issue where the HOLD directive does not work properly. My first suspicion, since you have mentioned HOLD, is that it is related to this same issue. It is possible that the hold directory is not being created correctly or that the name being passed to that routine is invalid. David Franco-Rocha Declude Technical Support Thanks, Chris Patterson, CCNA Network Engineer/Support Manager -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Nice Sent: Wednesday, June 08, 2005 2:16 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Insufficient system resources error This is very interesting - Can you verify in the task manager that when it hangs that the memory in use by SMTPd is 'normal'? (7 to 20 Megabytes) I wouldn't be surprised by some type of logging problem. I occasionally see truncated/incomplete log lines in the file. This would certainly seem to be some sort of bug related to logging. - Original Message - From: Rick Davidson [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Wednesday, June 08, 2005 1:36 PM Subject: Re: [Declude.JunkMail] Insufficient system resources error I have been watching this thread and have been the victim of the SMTP service failures (hangs really) but I do not get a Insufficient system resources error. I believe I have the problem traced to the SMTP logging, if I turn the SMTP logging off (yea I know... :) I no longer have SMTP failures. I installed Kiwi syslogger and still had the same SMTP service failures until I disabled the SMTP logging so it seems to be the SMTPD itself and not the built in logging services. would be interested to see if others could verify this, in the mean time I am opening a ticket with Ipswitch this definately is not a declude issue Rick Davidson National Systems Manager North American Title Group - - Original Message - From: Chris Patterson [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Friday, June 03, 2005 3:13 PM Subject: RE: [Declude.JunkMail] Insufficient system resources error I had the same problem with SMTP not being able to restart due to virtual memory according to the event log. I had to reboot to gain SMTP services. I have had another instance since applying HF2, but the SMTP portion of the issue was not the same. The event log did not indicate SMTP failures. I opened a ticket with Ipswitch but they blamed it on Declude, as usual. Thanks, Chris Patterson, CCNA Network Engineer/Support Manager -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists) Sent: Friday, June 03, 2005 2:13 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Insufficient system resources error Update: Since installing Imail 8.20 HF2 last Saturday, the problem so far has not reoccurred. Any one else still having this problem? John T eServices For You --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail
Re: [Declude.JunkMail] Insufficient system resources error
I have been watching this thread and have been the victim of the SMTP service failures (hangs really) but I do not get a Insufficient system resources error. I believe I have the problem traced to the SMTP logging, if I turn the SMTP logging off (yea I know... :) I no longer have SMTP failures. I installed Kiwi syslogger and still had the same SMTP service failures until I disabled the SMTP logging so it seems to be the SMTPD itself and not the built in logging services. would be interested to see if others could verify this, in the mean time I am opening a ticket with Ipswitch this definately is not a declude issue Rick Davidson National Systems Manager North American Title Group - - Original Message - From: Chris Patterson [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Friday, June 03, 2005 3:13 PM Subject: RE: [Declude.JunkMail] Insufficient system resources error I had the same problem with SMTP not being able to restart due to virtual memory according to the event log. I had to reboot to gain SMTP services. I have had another instance since applying HF2, but the SMTP portion of the issue was not the same. The event log did not indicate SMTP failures. I opened a ticket with Ipswitch but they blamed it on Declude, as usual. Thanks, Chris Patterson, CCNA Network Engineer/Support Manager -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists) Sent: Friday, June 03, 2005 2:13 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Insufficient system resources error Update: Since installing Imail 8.20 HF2 last Saturday, the problem so far has not reoccurred. Any one else still having this problem? John T eServices For You --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Insufficient system resources error
yes, indeed the task manager shows normal operation, nothing in the event logs and nothing coincidental in the last lines of the SMTP logs before the service hangs no time consistant time interval between failures, sometimes it was minutes, sometime hours, sometimes days Neither Windows nor the Imail monitor service are able to restart the service after failure detection (does that ever work? :) odd thing is that I have two filtering gateways running the exact software revisions of windows and Imail/Declude and I can run the logging without incident, its just this one host behind the gateways Rick Davidson National Systems Manager North American Title Group - - Original Message - From: Mike Nice [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Wednesday, June 08, 2005 2:15 PM Subject: Re: [Declude.JunkMail] Insufficient system resources error This is very interesting - Can you verify in the task manager that when it hangs that the memory in use by SMTPd is 'normal'? (7 to 20 Megabytes) I wouldn't be surprised by some type of logging problem. I occasionally see truncated/incomplete log lines in the file. This would certainly seem to be some sort of bug related to logging. - Original Message - From: Rick Davidson [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Wednesday, June 08, 2005 1:36 PM Subject: Re: [Declude.JunkMail] Insufficient system resources error I have been watching this thread and have been the victim of the SMTP service failures (hangs really) but I do not get a Insufficient system resources error. I believe I have the problem traced to the SMTP logging, if I turn the SMTP logging off (yea I know... :) I no longer have SMTP failures. I installed Kiwi syslogger and still had the same SMTP service failures until I disabled the SMTP logging so it seems to be the SMTPD itself and not the built in logging services. would be interested to see if others could verify this, in the mean time I am opening a ticket with Ipswitch this definately is not a declude issue Rick Davidson National Systems Manager North American Title Group - - Original Message - From: Chris Patterson [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Friday, June 03, 2005 3:13 PM Subject: RE: [Declude.JunkMail] Insufficient system resources error I had the same problem with SMTP not being able to restart due to virtual memory according to the event log. I had to reboot to gain SMTP services. I have had another instance since applying HF2, but the SMTP portion of the issue was not the same. The event log did not indicate SMTP failures. I opened a ticket with Ipswitch but they blamed it on Declude, as usual. Thanks, Chris Patterson, CCNA Network Engineer/Support Manager -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists) Sent: Friday, June 03, 2005 2:13 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Insufficient system resources error Update: Since installing Imail 8.20 HF2 last Saturday, the problem so far has not reoccurred. Any one else still having this problem? John T eServices For You --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Off Topic.
Have you looked at Plesk? http://www.sw-soft.com/ Rick Davidson National Systems Manager North American Title Group - - Original Message - From: Richard Lanard [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Friday, March 18, 2005 11:53 AM Subject: Re: [Declude.JunkMail] Off Topic. I use http://www.dotnetnuke.com/ for our intranet, not exactly your intended use, but yours is what it was designed for. The forum is at http://asp.net/Forums/ShowForumGroup.aspx?tabindex=1ForumGroupID=2 under DotNetNuke and the related sub-forums... Frederick Samarelli wrote: I am looking for recommendations of software that allows users to manage there own web domain. We host websites for many people and we are looking to give them more control. Some sort of Portal/Control Panel. We are a windows shop. Thanks. Fred Samarelli --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by the University of Georgia SBDC Email System.] -- Richard Lanard Information Technology Support University of Georgia Business Outreach Services /SBDC 1180 East Broad Street - Chicopee Complex Athens, Ga 30602-5412 phone: (706) 542-6774 fax: (706) 542-6776 [EMAIL PROTECTED] --- [This E-mail was scanned for viruses by the University of Georgia SBDC Email System.] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] OT: Internet Usage - Monitoring and Filtering Apps
www.astaro.com has a fantastic solution, firewall, IPS, Content filtering, transparent DNS, HTTP and SMTP proxies, anti-virus and anti-spyware for the HTTP SMTP streams. some of the features are ala carte and can get pricy but it is one very nice all in one solution Rick Davidson National Systems Manager North American Title Group - - Original Message - From: Patrick Childers [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Tuesday, February 15, 2005 2:00 PM Subject: [Declude.JunkMail] OT: Internet Usage - Monitoring and Filtering Apps Sorry for the OT but... It seems we have a lot of goofing off during the work day around here! Therefore, I am looking for recommendations for software (or hardware) based solutions for internet monitoring/filtering in a corporate setting of less than 150 users. Any suggestions? Thanks, ~Patrick --- [This E-mail scanned for viruses by Declude/McAfee] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] IPBYPASS Question
Can a CIDR range be used with the IPBYPASS option We just acquired a company who has Postini in the loop and I need to skip their IPs IPBYPASS 64.18.0.0/20 Rick Davidson National Systems Manager North American Title Group --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] New info in Yahoo HELO string?
I have started to notice alot of headers lately with @x.x.x.x with login included in them from yahoo SMTP servers (including mail from sbcglobal.net customers). Maybe it isn't new but looks like something decent to key in on when looking for legit mail. What is the likeliness of spam coming from an authed account? Coincidentally the header I grabbed for the sample in this post contained a funny HELO :-) Received: from unknown (HELO ASS) ([EMAIL PROTECTED]@4.41.173.154 with login) Rick Davidson National Systems Manager North American Title Group --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Fw: [Declude.JunkMail] New info in Yahoo HELO string?
Hey who ever this is on this list can you turn this off please, its a tad bit inapropriate for a public list don't you think? I started getting these today each time I posted to the junkmail list. From: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; Inc [EMAIL PROTECTED] Rick Davidson National Systems Manager North American Title Group - - Original Message - From: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; Inc [EMAIL PROTECTED] To: Rick Davidson [EMAIL PROTECTED] Sent: Thursday, December 16, 2004 4:30 PM Subject: Re: [Declude.JunkMail] New info in Yahoo HELO string? Rick Davidson, This is Joseph Trimboli, System Administrator, Cyberlink, Inc. I am running Spam Interceptor to get rid of junk email. Please follow this link to verify that the message you sent me isn't junk email. http://si20.com/auth?uid=2600mid=4sid=rdavidson%40nat.com Your email was intercepted because it got a spam rating of 2.9 and I set Spam Interceptor to ask everyone who sends me a message rated over 2 to authenticate. When you authenticate I'll receive your email and you'll never have to authenticate for me again, no matter what spam rating your emails get. Thanks, Joseph Trimboli, System Administrator, Cyberlink, Inc ___ For more information on Spam Interceptor go to http://si20.com --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] IPBYPASS Question
LOL Andrew, thats why I call them Postweenie Here is what I need to bypass: Received: from equal.iaxs.net (localhost [127.0.0.1]) by equal.iaxs.net (8.12.11/8.12.11) with ESMTP id iBGHrg1m020919 for AddressRemoved; Thu, 16 Dec 2004 11:53:42 -0600 (CST) Received: (from [EMAIL PROTECTED]) by equal.iaxs.net (8.12.11/8.12.11/Submit) id iBGHrQfe020609 for AddressRemoved; Thu, 16 Dec 2004 11:53:26 -0600 (CST) Received: from psmtp.com (exprod5mx126.postini.com [64.18.0.40]) by equal.iaxs.net (8.12.11/8.12.11) with SMTP id iBGHrPC5020578 for AddressRemoved; Thu, 16 Dec 2004 11:53:25 -0600 (CST) Received: from source ([210.105.115.179]) by exprod5mx126.postini.com ([64.18.4.10]) with SMTP; Thu, 16 Dec 2004 12:53:23 EST equal.iaxs.net (localhost [127.0.0.1]) is triggering country test for ARIN Resevered Space I added the ip address for equal.iaxs.net but it isnt helping The IPs of the Postini systems keep changing so using the CIDR range is my only option until I can get their email moved entirely. Rick Davidson National Systems Manager North American Title Group - - Original Message - From: Colbeck, Andrew [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, December 16, 2004 12:17 PM Subject: RE: [Declude.JunkMail] IPBYPASS Question But, Rick, Postini does a fabulous job of spam and virus control. Just ask them! You won't need to IPBYPASS them at all. Andrew (tongue firmly in cheek) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Davidson Sent: Thursday, December 16, 2004 7:46 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] IPBYPASS Question Can a CIDR range be used with the IPBYPASS option We just acquired a company who has Postini in the loop and I need to skip their IPs IPBYPASS 64.18.0.0/20 Rick Davidson National Systems Manager North American Title Group --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] WAY OT: Syslog entries from Cisco ACL question
Does anyone know what traffic uses a destination and source port of 0? Or what else I should look for? This is a Novell/windows network I have something odd going on at a large branch office so I added an acl to log the inbound and outbound traffic permit ip any any log permitted tcp 10.10.0.72(0) - 10.10.9.18(0), 1 packet permitted udp 10.10.0.98(0) - 10.10.9.10(0), 1 packet I have ALOT of lines with many source and destination addresses, the IPs are valid for the network Thanks for any help Rick Davidson National Systems Manager North American Title Group - --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Spamhaus
Yes, it nails alot of spam Rick DavidsonNational Systems ManagerNorth American Title Group- - Original Message - From: Doug Anderson To: [EMAIL PROTECTED] Sent: Tuesday, November 30, 2004 3:11 PM Subject: [Declude.JunkMail] Spamhaus Anyone use the xbl db from spamhaus? Good, bad, otherwise?
[Declude.JunkMail] FYI: TESTFAILED Syntax Gotcha
Its not a bug but its definately a gotcha that will bug you if you arent careful :) I recently created a filter test called HEADERS that checks for spoofing of my own systems as well as for defunct domains and a few other header specific tests, it catches alot of junk with little overhead so I run it as the first filter test so of course I went and included TESTSFAILED END CONTAINS HEADERS in all my other filter files... Guess what happened when a message failed BADHEADERS or SPAMHEADERS? yup, the rest of my filters were cancelled because TESTSFAILED END CONTAINS HEADERS sigh. :) Rick Davidson National Systems Manager North American Title Group --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] OT: Using Real E-Mail Address on Web Site
Pull them from a database dynamicly so the page actually has to be visited to display the addys Rick Davidson National Systems Manager North American Title Group - - Original Message - From: Dan Geiser [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, November 10, 2004 11:26 AM Subject: [Declude.JunkMail] OT: Using Real E-Mail Address on Web Site Hello, All, We have a new web site and we would like to put links on the contact page which allow people to click on the links and send us an e-mail but we don't want those addresses to be scanned and added to the latest spammers mailing list. Are there any common practices for obfuscating the links so they are recognizable as valid html mailto links by an e-mail client but they would be less than likely to be picked up by the spammers of the world? Right now our webmaster replaced the e-mail addresses with images of the e-mail addresses and the images look horrible. Thanks In Advance, Dan Geiser [EMAIL PROTECTED] --- Sign up for virus-free and spam-free e-mail with Nexus Technology Group http://www.nexustechgroup.com/mailscan --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] OT: Using Real E-Mail Address on Web Site
hey thats pretty cool! :-) Rick Davidson National Systems Manager North American Title Group - script language=Javascript !-- emailname = EmailRecipient emailserver = server.example.com document.write(font face='Verdana' size=2); document.write(a href='mailto:; + emailname + @ + emailserver + '); document.write(font color='00'); document.write(emailname + @ + emailserver); document.write(/a); document.write(/font); //-- /script -Nick --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] anyone know how to stop this?
I implemented Scott Fishers spamdomains filters yesterday afternoon and caught all the paypal mydoom variants with the SD-PHISH filter Thanks Scott! Rick Davidson National Systems Manager North American Title Group - - Original Message - From: Nick [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, November 09, 2004 10:15 AM Subject: Re: [Declude.JunkMail] anyone know how to stop this? On 8 Nov 2004 at 14:31, Scott Fisher wrote: Scott, If you have the horsepower to spare... Use ClamAv and Turn PreScan off with Declude Virus Pro. 131 Phish detections this month through yesterday (33271 total e-mails). Neat. I was unaware that the virus programs also did some content filtering If you still want to burn even more horsepower up. I have an anti-phish filter that uses lots of body searches posted in the multiline filter part of my Declude website: http://it.farmprogress.com/declude/declude.htm Good stuff - -Nick - Original Message - From: System Administrator [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, November 08, 2004 1:46 PM Subject: [Declude.JunkMail] anyone know how to stop this? A single .gif with the standard phish. Greg --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Question on Dell Poweredge 1750
I use the same systems for my two Imail/Declude mail gateways Don't use the Broadcomm Nics! They will intermittently quit working! Like Dan said, install Imail on the D drive, there is more than enough disk space and horse power to deal with the other things you want to do. Each of mine get around 70K messages a day, I run extensive filtering files and barely push the CPUs Rick Davidson National Systems Manager North American Title Group 440-953-9346 - Office 440-953-0925 - Fax 440-487-7344 - Mobile [EMAIL PROTECTED] - - Original Message - From: Markus Gufler [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, November 09, 2004 10:31 AM Subject: [Declude.JunkMail] Question on Dell Poweredge 1750 I've to set up Imail/Declude on a Dell Poweredge 1750 with Dual 3 GHz Xeon CPUs and 4 Ethernet Ports. 2 x Intel NICs 2 x Broadcom NetXtreme Gbit NICs Now I have two questions: 1.) Anyone has had the known Imail-NIC problems with this Ethernet ports? 2.) The system is preconfigured with Win2003 Server on 2 x 80 GB RAID 1 SCSI drives. There are two preconfigured partitions: C: with 8 GB D: with the resting 69 GB As I can understand this configuration should work fine for the Imail/Declude server. This server should be a SMTP-gateway only, no Pop3, Imap, webmail. So I plan to install Imail and the spool path on C: The second partition will be used to regulary move out fragmented files (hold-folder, virus-folder, logfiles) from the first partition and keep them for further elaboration (requeing, logfile analisis...) Any suggestions about the setup? Markus --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Suggestion: Most stringent test
Try this in your global config file, it will cause an email to be unwhitelisted and go through the testing process BYPASSWHITELIST bypasswhitelist x y 0 0 where x is the weight you want to assign where y is the amount of recipients required to skip the whitelist no setting is required in $default$.junkmail works wonders for me Rick Davidson National Systems Manager North American Title Group - - Original Message - From: marc catuogno [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Saturday, November 06, 2004 5:38 PM Subject: [Declude.JunkMail] Suggestion: Most stringent test Or some other name if it is possible - I'd like to stop e-mails from being whitelisted because my users have their own name in their address book and someone sends to multiple people as one of my users. Also I'd like to stop e-mails being delivered to multiple recipients because one person has the sender in their address book. SO maybe if there are multiple recipients maybe there could be a test in Declude that causes the most restrictive action (hold, delete, etc) instead of the least restrictive (whitelist) action. This way the user can still get e-mails from [EMAIL PROTECTED] if it is sent directly, but if some idiot tries to use this to get around blocks by sending to a list of address it will be deleted. Is this possible? Is there something like this? Thanks - Marc --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] OT: Pete McNiel's Product Proposal
Great discussion here guys, the SOX guidelines for retention are very open ended, bottom line is that if a company is mandated to produce documents they better produce those documents and they better produce them in a reasonable amount of time. Body searching is essential to being able to do a thorough retrieval. Pete, I think you have a good idea there and I would certainly be interested in looking at your product. I have spent the past two weeks looking for a reasonably priced canned solution and have yet to find one. The coolest product I found was made by iLumin but it was $150,000, many out sourced archiving companies are built around this technology and are very high priced as well. There is certainly a market out there for a reasonably priced archiving solution for small to medium sized businesses. Not only would a solution for SEC and SOX compliance be useful but any company that wanted to protect themselves against or help in employee litigation cases would find it useful. Another simple use would be to retrieve lost email or accidentally deleted email in POP3 environments. A basic archive to start with would be great and then maybe in the future add the ability to index and search attachment content :-) Rick Davidson National Systems Manager North American Title Group - - Original Message - From: Pete McNeil [EMAIL PROTECTED] To: Matt [EMAIL PROTECTED] Sent: Thursday, October 28, 2004 11:42 PM Subject: Re[2]: [Declude.JunkMail] Determining a BCC Recipient On Thursday, October 28, 2004, 10:44:32 PM, Matt wrote: M Patrick Childers wrote: Hi Pete, I think your gut is right. I'm pretty sure that I have 2 clients that would be quite interested in SOXsniffer. g M Not to debate the applicability of the technology, but you shouldn't M proceed under the assumption that government regulators are out there M giving IT staff lists of words to be used in full-text search of M E-mail archives. That is not the law, and it is not how subpoenas are M issued. snip/ All really appreciated Matt. I think the point is that the basic requirements can easily be met, and the search capability, which can be very useful in mundane and even positive circumstances, can be provided without a significant additional effort. So, for a very low cost, those who might not otherwise be able to afford the high-end systems you allude to can have the core of a fairly robust capability. I'm sure that core capability can and will be extended as needed if I do the job right. No assumptions here about marketability or suitability - only a raw capability that has a high potential for a low cost... and, based on my own experiences, having this kind of thing in your back pocket can be very powerful. I can recall times when a mechanism like this would not only have saved me days - even weeks of work, but also would have provided a significant competitive advantage. Consider auditing an engineering (or any large) project near completion or after initial deployment. The ability to extract all correspondence on the project in an inexpensive and orderly fashion is mind-bendingly powerful. -- Dump the results into a searchable mail archive system and you have a searchable, threaded reference that you didn't know you would need until now. Or... when the boss comes down and says: I need you to tell me _exactly_ what happened here... in that uncomfortable way that only pointy-haired fellows can really achieve... Been there, done that, got the t-shirt and the bumper sticker. It just makes you shiver. (Where would we be without Dilbert?) Anyway - I recognize your point about setting an appropriate policy. I just make hammers... I'll let other folks drive the nails where they are needed ;-) This is now decidedly off topic for Declude. Sorry for the extra bandwidth. Best all, _M --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Spam getting through
have you looked at the headers and body source to determine why they are getting through and what you need to add to your filters to stop them? There is usually some type of common finger print you can filter on. If it is not failing those other tests its likely they havent seen the messages, its up to you to keep adjusting your filters. Rick Davidson National Systems Manager North American Title Group - - Original Message - From: Sheldon Koehler [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, October 28, 2004 1:29 PM Subject: Re: [Declude.JunkMail] Spam getting through We have been experiencing the same thing. The spammers seem to be getting better at passing filters and probably changing IPs and domains as fast as they can be listed in the spam databases. We have some really hard core coming to a few users and passing all tests including Sniffer. Most of it is porno and they are not failing mailpolice-porn on top of sniffer-porn. John, the logs are fine, they just do not seem to fail ANY tests. They look like a normal email. Sheldon --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Spam getting through
I have seen an increase in volume the past week but have had very little make it to the users Rick Davidson National Systems Manager North American Title Group - - Original Message - From: Colbeck, Andrew [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, October 28, 2004 1:49 PM Subject: RE: [Declude.JunkMail] Spam getting through No, I haven't seen this. But I have meant to ask if others on the list are seeing that their spam volumes are up in the last week. I have, by a 10% increase. What I'm seeing is not more spam getting to mailboxes, just more spam volume. Viral activity has been constant. Andrew 8) -Original Message- From: Sheldon Koehler [mailto:[EMAIL PROTECTED] Sent: Thursday, October 28, 2004 9:45 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Spam getting through Lately we have been seeing a lot of spam getting through passing ALL tests. We are starting to get complaints from customers on this and I wonder if we are alone in this problem or not. These are all coming in with a weight of 0, no whitelisting or any simple tests are failing (i.e. rDNS). Sheldon --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Declude and Ipswitch ICS
Great article! Ipswitch wouldnt be the first company destroyed by an MBA, they seem to be so enamoured with their MBA status that they overlook the reason the company was succesful in the first place... I bet the MBAs and Marketing people at Ipswitch ride to and from work in a short bus Rick Davidson National Systems Manager North American Title Group - Copy of Original Message(s): - sl So... I saw this link on the Ipswitch forums and it's a good read - I sl don't think it's been posted here yet. sl http://www.joelonsoftware.com/items/2004/10/26.html sl -jason --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Best Practices for handing legit email flagged as spam?
That is correct, declude virus processes before junkmail I did look at quite a few zip viruses and didnt see any of them using the Content-Type: application/x-zip-compressed in the mime info Rick Davidson National Systems Manager North American Title Group - - Original Message - From: Mark E. Smith [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, October 27, 2004 1:03 PM Subject: RE: [Declude.JunkMail] Best Practices for handing legit email flagged as spam? Rick, I was looking at your filter -- great idea. One question (which falls under the processing order) If you have: BODY STOPALLTESTS CONTAINS Content-Type: application/x-zip-compressed I think Declude Virus will still grab this correct? Mark -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Davidson Sent: Tuesday, October 26, 2004 10:49 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Best Practices for handing legit email flagged as spam? 1 in 500,000? That's fantastic. I think that qualifies for the anti-spam guru of the week award! heh, that is no exageration either, it is mainly due to spending alot of time in looking at false positives and finding ways to prevent them. For example use filtering to look for legit mail, the attached filter file runs before all other filters, it contains things that I found in false positives. This file is my number one false positive eliminator, my second method is test the hell out of any significant changes first. I do have the luxury of having to only filter for one company and I can be fairly restrictive I will see if I can get my configs somewhere for download, I am willing to share my work because I hate spam and spammers so much... man do i hate them. Rick Davidson National Systems Manager North American Title Group - --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Determining a BCC Recipient
ok thanks Matt, we do have some programmers on staff here but I will sure conscript your help if we brick wall. Regardless of where it is stored its going to be a massive amount of data, my initial samplings show 1.5 to 2GB per day. Yikes! You wouldnt happen to know how to parse mime types and remove attachments would you? :-) Rick Davidson National Systems Manager North American Title Group - - Original Message - From: Matt [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, October 27, 2004 2:58 PM Subject: Re: [Declude.JunkMail] Determining a BCC Recipient That's going to be one massive database :) I've become quite the VBScripter as of late (if that's something to brag about), so let me know if you need any help. Matt Rick Davidson wrote: Thanks Matt, COPYFILE is working perfectly, now its just a matter of writing the program to parse and insert it into the SQL database. Rick Davidson National Systems Manager North American Title Group - - Original Message - From: Matt [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, October 26, 2004 5:15 PM Subject: Re: [Declude.JunkMail] Determining a BCC Recipient Rick, This information is in the Q* file. If you use the COPYFILE action, it will keep both the D* and the Q* file. The only issue is that the Declude headers are lost and each message is kept separately and not viewable without a special application like spamreview. IMO, this is appropriate for archiving due to legal requirement, but not for doing review. If you want to handle this in a different way by just sending to a mailbox, you can use a WARN action with the %ALLRECIPS% variable which will contain the BCC addresses as well. For instance, you could do the following: TESTNAMEWARN X-RECIPIENTS: %ALLRECIPS% This of course exposes the BCC info to all that might view the headers. Matt Rick Davidson wrote: I am looking at creating our own email archiving solution using sql, the main hurdle is how to handle and email sent to a user using BCC. Is there a way to use Declude to include that info in a recipient x-header? If I send myself using only the BCC field the header contains only this From: Rick Davidson [EMAIL PROTECTED] To: Undisclosed-Recipient:; Subject: test I assume the BCC info is lost once the message hits the senders SMTP server correct? Rick Davidson National Systems Manager North American Title Group - --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ = --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ = --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Determining a BCC Recipient
Thanks Sandy, I will look into those, the boss wants me to do this on the cheap, the sql idea was first so we could at least say we were archiving the email. Rick Davidson National Systems Manager North American Title Group - - Original Message - From: Sanford Whiteman [EMAIL PROTECTED] To: Rick Davidson [EMAIL PROTECTED] Sent: Wednesday, October 27, 2004 3:21 PM Subject: Re: [Declude.JunkMail] Determining a BCC Recipient Rick, I am looking at creating our own email archiving solution using sql This, as Matt notes, could be monstrous. It certainly is not best-practice to store this many CLOBs (or BLOBs, if you're decoding MIME) in a generic DB. That's why the only RDBMS message stores worth their salt are Exchange, Notes (sort of), and the archiving vendors' back ends, as they are purpose-built on both client and server ends. If you do go the RDBMS route, you should definitely consider auto-splitting by date into separate tables and/or separate databases to enable scaling out. However, I'd suggest instead that you use a well-known format such as MBOX and an MBOX-aware, high-capacity indexing/search product like dtSearch. We've used dtSearch Web as a message archive-and-search mechanism and have been very happy with the speed (though, admittedly, the display needs a lot of tweaks). --Sandy Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED] SpamAssassin plugs into Declude! http://www.mailmage.com/products/software/freeutils/SPAMC32/download/release/ Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases! http://www.mailmage.com/products/software/freeutils/exchange2aliases/download/release/ http://www.mailmage.com/products/software/freeutils/ldap2aliases/download/release/ --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Determining a BCC Recipient
Essentially the good folks at Enron and WorldComm brought us the Sarbanes-Oxley Act or SOX for short. Public companies have to keep a record of all communications, the details of this are vague but mostly apply to the money people and decision makers. Since we cant selectively catch that specific traffic we have to grab it all. Basicly all mail must be archived including the attachments and all mail must be retrievable in a reasonable amount of time, thats about it. We were considering stripping the attachments and storing them in a directory structure and storing the email text data in the sql database. Separate fields for the date, to, from, subject, the entire D file and the attachment names and their location. We figure we can get decent compression and searchabiltiy with the text info but the biggest hurdle is the attachments and being a Title company we have alot of large attachments to deal with. Rick Davidson National Systems Manager North American Title Group - - Original Message - From: Matt [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, October 27, 2004 3:53 PM Subject: Re: [Declude.JunkMail] Determining a BCC Recipient That's funny that you should ask. I just coded that one up in VBScript this last weekend. I even managed to decode base64 text attachments, remove quoted-printable encoding, and strip out all of the HTML code. If this is for archiving according to legal requirement, the attachments would probably be necessary however. Sandy had some good recommendations on how to archive. Maybe if you shared your requirements with the list, someone would have some recommendations as to how to approach this a better way. Matt Rick Davidson wrote: ok thanks Matt, we do have some programmers on staff here but I will sure conscript your help if we brick wall. Regardless of where it is stored its going to be a massive amount of data, my initial samplings show 1.5 to 2GB per day. Yikes! You wouldnt happen to know how to parse mime types and remove attachments would you? :-) Rick Davidson National Systems Manager North American Title Group - - Original Message - From: Matt [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, October 27, 2004 2:58 PM Subject: Re: [Declude.JunkMail] Determining a BCC Recipient That's going to be one massive database :) I've become quite the VBScripter as of late (if that's something to brag about), so let me know if you need any help. Matt Rick Davidson wrote: Thanks Matt, COPYFILE is working perfectly, now its just a matter of writing the program to parse and insert it into the SQL database. Rick Davidson National Systems Manager North American Title Group - - Original Message - From: Matt [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, October 26, 2004 5:15 PM Subject: Re: [Declude.JunkMail] Determining a BCC Recipient Rick, This information is in the Q* file. If you use the COPYFILE action, it will keep both the D* and the Q* file. The only issue is that the Declude headers are lost and each message is kept separately and not viewable without a special application like spamreview. IMO, this is appropriate for archiving due to legal requirement, but not for doing review. If you want to handle this in a different way by just sending to a mailbox, you can use a WARN action with the %ALLRECIPS% variable which will contain the BCC addresses as well. For instance, you could do the following: TESTNAMEWARN X-RECIPIENTS: %ALLRECIPS% This of course exposes the BCC info to all that might view the headers. Matt Rick Davidson wrote: I am looking at creating our own email archiving solution using sql, the main hurdle is how to handle and email sent to a user using BCC. Is there a way to use Declude to include that info in a recipient x-header? If I send myself using only the BCC field the header contains only this From: Rick Davidson [EMAIL PROTECTED] To: Undisclosed-Recipient:; Subject: test I assume the BCC info is lost once the message hits the senders SMTP server correct? Rick Davidson National Systems Manager North American Title Group - --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ = --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned
Re: Re[2]: [Declude.JunkMail] Determining a BCC Recipient
After all these suggestions I think concatenating the Q and D file and maintaining a text file is a much better way to go, dtsearch definately looks attractive. Thanks again for the suggestions. Rick Davidson National Systems Manager North American Title Group - - Original Message - From: Sanford Whiteman [EMAIL PROTECTED] To: Rick Davidson [EMAIL PROTECTED] Sent: Wednesday, October 27, 2004 4:46 PM Subject: Re[2]: [Declude.JunkMail] Determining a BCC Recipient I will look into those, the boss wants me to do this on the cheap, the sql idea was first so we could at least say we were archiving the email. If you just want archiving for independent audit and to show good faith, concatenate the Q and D into an envelope-preserving MBOX for each day. However, you have to plan for a real investigation, and retrievability and simple envelope and body searching requirements will not be met on the cheap--since maintaining terabyte databases with _any_ data isn't cheap. Full-text indexing of such dbs also not a small project no matter what the driver. FTR, dtSearch web costs, I believe, 1000 bucks ( + server + storage + labor ). --Sandy Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED] SpamAssassin plugs into Declude! http://www.mailmage.com/products/software/freeutils/SPAMC32/download/release/ Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases! http://www.mailmage.com/products/software/freeutils/exchange2aliases/download/release/ http://www.mailmage.com/products/software/freeutils/ldap2aliases/download/release/ --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Solution to death of IMail
I have downloaded and installed the ICS on a test machine and everything installs separately and adds separate menu folders for Imail, IM and Workgroupshare The Imail component is just Imail 8.13 I couldnt find one thing that was different in it. I do not see any component integration aside from a utility to import Imail users into workgroupshare, smells like marketing people to me. Rick Davidson National Systems Manager North American Title Group - - Original Message - From: Mark E. Smith [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, October 26, 2004 4:46 AM Subject: RE: [Declude.JunkMail] Solution to death of IMail What makes everyone think that Declude won't work with Ipswitch ICS? I'll bet that the core MTA in ICS is identical to Imail -- probably 99% of the same SMTP code. Unless the Spool folder, file name structure and ability to call your own SMTP32D transport is removed, I'll bet that it works. Has anyone downloaded a version and tested? If I get a chance I'll DL and test in Virtual PC. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of decjunkmail Sent: Tuesday, October 26, 2004 4:21 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Solution to death of IMail Here's some food for thought for Scott: Several on the list have suggested that Declude adapt to run with other mail servers in addition to Imail. Of course, as Imail servers start getting replaced, it is very unlikely everyone will choose the same replacement MTA. More than likely, the Imail user base will fractionalize and probably choose from among 5 to 10 solutions (or more!). That means the target market only gets smaller and more fragmented. Declude would probably have to support multiple replacement email servers in order to keep most customers and that involves a lot of effort - development, testing, support. Here's a thought - what about a Declude mail server? It might actually be less work and a better solution to simply provide a replacement mail server that all declude customers can use. Afterall, the quality of a declude server, if done right, would be equal to or better than the hodge-podge of other mail servers out there today! I would certainly rather stay with Declude than play the lottery picking another vendor and possibly end-up with another Ipswitch with simply a different name. Webmail could come later or not at all (there's enough pureplay Webmail stuff that grafting something in using imap or pop only would be decent at least for a while). --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Best Practices for handing legit email flagged as spam?
1 in 500,000? That's fantastic. I think that qualifies for the anti-spam guru of the week award! heh, that is no exageration either, it is mainly due to spending alot of time in looking at false positives and finding ways to prevent them. For example use filtering to look for legit mail, the attached filter file runs before all other filters, it contains things that I found in false positives. This file is my number one false positive eliminator, my second method is test the hell out of any significant changes first. I do have the luxury of having to only filter for one company and I can be fairly restrictive I will see if I can get my configs somewhere for download, I am willing to share my work because I hate spam and spammers so much... man do i hate them. Rick Davidson National Systems Manager North American Title Group - # Anti Anti-Spam # # This file is used to identify things in messages that don't # normally appear in spam to stop filtering processes. # TESTSFAILED END CONTAINS SENDERDB TESTSFAILED END CONTAINS ORDB TESTSFAILED END CONTAINS KUNDEN BODY STOPALLTESTS CONTAINS .csv BODY STOPALLTESTS CONTAINS .doc BODY STOPALLTESTS CONTAINS .EDS BODY STOPALLTESTS CONTAINS .PDF HEADERS STOPALLTESTS CONTAINS .PDF BODY STOPALLTESTS CONTAINS .dtx BODY STOPALLTESTS CONTAINS .dwg BODY STOPALLTESTS CONTAINS .GMD BODY STOPALLTESTS CONTAINS .LSD BODY STOPALLTESTS CONTAINS .MRF BODY STOPALLTESTS CONTAINS .rtf BODY STOPALLTESTS CONTAINS .TIF BODY STOPALLTESTS CONTAINS .UP BODY STOPALLTESTS CONTAINS Content-Type: application/applefile BODY STOPALLTESTS CONTAINS Content-Type: application/mol BODY STOPALLTESTS CONTAINS Content-Type: application/msword BODY STOPALLTESTS CONTAINS Content-Type: application/octet-stream; BODY STOPALLTESTS CONTAINS Content-Type: application/pdf BODY STOPALLTESTS CONTAINS Content-Type: application/rtf ANYWHERE STOPALLTESTS CONTAINS Content-Type: image/tiff BODY STOPALLTESTS CONTAINS Content-Type: application/vnd.ms-excel BODY STOPALLTESTS CONTAINS Content-Type: application/vnd.ms-powerpoint BODY STOPALLTESTS CONTAINS Content-Type: application/x-zip-compressed BODY STOPALLTESTS CONTAINS X-MS-Attachment: # SUBJECT STOPALLTESTS CONTAINS [Declude SUBJECT STOPALLTESTS CONTAINS [Imail SUBJECT STOPALLTESTS CONTAINS [ciblist SUBJECT STOPALLTESTS CONTAINS Closing Docu SUBJECT STOPALLTESTS CONTAINS Commence sync data SUBJECT STOPALLTESTS CONTAINS Documents For BODY STOPALLTESTS CONTAINS digitaldocs BODY STOPALLTESTS CONTAINS E-TICKET BODY STOPALLTESTS CONTAINS Note: forwarded message attached BODY STOPALLTESTS CONTAINS Orbitz Travel Document BODY STOPALLTESTS CONTAINS marriott.com/property BODY STOPALLTESTS CONTAINS marriott.com/reservation BODY STOPALLTESTS CONTAINS Your files are attached and ready to send with this message # HEADERS STOPALLTESTS CONTAINS CareerBuilder.com MAILFROM STOPALLTESTS CONTAINS @Dell.com MAILFROM STOPALLTESTS CONTAINS @LENNAR.COM MAILFROM STOPALLTESTS CONTAINS @UAMC.COM BODY STOPALLTESTS CONTAINS www.natreach.com HEADERS STOPALLTESTS CONTAINS KODAK EasyShare HEADERS STOPALLTESTS CONTAINS reacheach1.com # # Psuedo whitelist # ANYWHERE STOPALLTESTS CONTAINS smtp.expedia.com ANYWHERE STOPALLTESTS CONTAINS @aa.globalnotifications.com ANYWHERE STOPALLTESTS CONTAINS datascope.com.ph ANYWHERE STOPALLTESTS CONTAINS DeltaElectronicTicketReceipt HEADERS STOPALLTESTS CONTAINS .homes.com BODY STOPALLTESTS CONTAINS isellfortcollins.biz BODY STOPALLTESTS CONTAINS Travelocity Reservation ANYWHERE STOPALLTESTS CONTAINS .united.com ANYWHERE STOPALLTESTS CONTAINS .us.dell.com ALLRECIPS STOPALLTESTS CONTAINS @iwon.com
[Declude.JunkMail] Determining a BCC Recipient
I am looking at creating our own email archiving solution using sql, the main hurdle is how to handle and email sent to a user using BCC. Is there a way to use Declude to include that info in a recipient x-header? If I send myself using only the BCC field the header contains only this From: Rick Davidson [EMAIL PROTECTED] To: Undisclosed-Recipient:; Subject: test I assume the BCC info is lost once the message hits the senders SMTP server correct? Rick Davidson National Systems Manager North American Title Group - --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Best Practices for handing legit email flagged as spam?
For reviewing held mail I use a win2003 box and outlook express, outlook express allows easy access to the header information unlike Outlook. Win2003 allows you to connect to the console session so you can always leave outlook express open and running so your hold mailboxes dont get over filled. If remote management isnt a requirement then the win2003 remote console doesnt matter... On your filtering server, create a mailbox for each test that holds mail, create accounts and message rules to download and sort the mail by test. As you review the mail you can determine why a false positive occured and then adjust your filtering accordingly. Once you are certain a test is not generating false positives you can safely switch it to delete mail. My false positive rate is near 1 in 500k-700k we do about 115K messages a day, we hold over 100K of those as spam. I am constantly readjusting for better catch rate and fewer false positives This is how I do it. Rick Davidson National Systems Manager North American Title Group - - Original Message - From: Chris Ulrich [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, October 25, 2004 10:37 AM Subject: [Declude.JunkMail] Best Practices for handing legit email flagged as spam? Hi all. We've been struggling a bit with this issue. We have a variety of tests in place, and basically have just changed our settings to: WEIGHT10 WARN WEIGHT20 BOUNCEONLYIFYOUMUST WEIGHT40 DELETE The hope is that it will bounce some of the false positives back to the senders so we don't get complaints from people that they are not receiving their emails (which previously were getting deleted) and that if it is so offending (it hits 40) that we delete it. I know there is a HOLD option where we could review it, but: 1. How time consuming is it to go in and review these messages? Do you waste a lot of time doing it? 2. How exactly do you review these and, if it looks legit, flag it as OK to go? Are there any tools where you can basically browse through the subjects, senders, etc., like you would with Eudora or Outlook? Or do you have to manually look at each? Any thoughts would be appreciated! Thanks Chris --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] IPSwitch ICS
- Original Message - From: Kevin Bilbee We could also use MSSMTP as our gateway and what ever backend we want. That would be a great option! Rick Davidson National Systems Manager North American Title Group - --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] DOW test and Spam on specific days
is it actually necessary to use two tests? Wouldnt DOW dow 6 0 2 0 work? Rick Davidson National Systems Manager North American Title Group - - Original Message - From: Darin Cox [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, October 19, 2004 5:25 PM Subject: Re: [Declude.JunkMail] DOW test and Spam on specific days I believe Sunday is day zero, so you would need two tests. For example... DOW_SUN dow 0 0 2 0 DOW_SAT dow 6 6 2 0 I don't have statistics to show you, but I can say more spam comes in on a weekday than on weekends, and more on Saturday than Sunday. We weight Sunday a little higher due to much less legit mail on Sunday. Darin. - Original Message - From: Mark Smith [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, October 19, 2004 5:02 PM Subject: [Declude.JunkMail] DOW test and Spam on specific days Assuming we wanted to setup a Sat-Sun DOW test with a weight of 2 for the message hitting on the weekend, I guess we would use: DOW dow 6 7 2 0 Correct? Having said that, does anyone have any metrics on what days more spam comes in? --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] *very* much off topic
I live in Cleveland so I am no stranger to baseball heart breaks, but one thing Indians and Red Sox fans agree on is that we hate the Yankees! I heard music to my ears on NPR this morning... The Yankees are the only team in history to lose a 7 game series after winning the first three games LOL! - - Original Message - From: Nick Hayer [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, October 21, 2004 9:46 AM Subject: Re: [Declude.JunkMail] *very* much off topic For those that follow baseball... the RedSox gave the Yankees an 'ATOMIC' WEDGIE' :) -Nick --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] WordFilter BODY
Yes, including the html tags themselves Rick Davidson National Systems Manager North American Title Group - - Original Message - From: Danny K [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, October 19, 2004 5:47 PM Subject: [Declude.JunkMail] WordFilter BODY Will a wordfilter BODY pick up text in an email that is in html format? TIA --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] STOPALLTESTS in Global config?
Can STOPALLTESTS be used in place of the weight in the global config? For example: SENDERDB ip4r pub.senderdb.net 127.0.0.2 STOPALLTESTS 0 Rick Davidson National Systems Manager North American Title Group - --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Stopatfirsthit and stopalltests
A few questions on these new options, the manual states that it will stop processing the filter or remaining filters but it doesnt say whether or not it will fail the test that triggers it. For example if I use BODY STOPALLTESTS CONTAINS spam verbiage does the match fail the test triggering whatever action in the junk.mail file? I tried this and spam started slipping through that would have failed prior to using that keyword If I add STOPATFIRSTHIT to the top of my holding filters will it fail the test on the first hit? Rick Davidson National Systems Manager North American Title Group - --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SENDERDB oddity
not so odd ServPath is large hosting company that would send alot of legit mail but also allows bulk mailing outfits, mostly legit lists but with bad databases. I block their IP assignments outright, nothing but advertisement and junk email comes from these addresses. Have not seen any false positives from blacklisting these ranges but I admin a private company. You would be surprised how much junk comes from these two ranges. REMOTEIP 0 CIDR 64.151.64.0/19 REMOTEIP 0 CIDR 69.59.128.0/18 Rick Davidson National Systems Manager North American Title Group - - Original Message - From: Dave Doherty [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, September 01, 2004 1:05 PM Subject: [Declude.JunkMail] SENDERDB oddity Found on the same message: X-RBL-Warning: SENDERDB-BLOCK: Blocked - Please see http://www.senderdb.com/lookup/lookupResults.asp?ipAddress=69.59.150.150; X-RBL-Warning: SENDERDB-ALLOW: Blocked - Please see http://www.senderdb.com/lookup/lookupResults.asp?ipAddress=69.59.150.150; -d --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Bypassing mime segments revisit
I know this has been discussed before several times but is there any plan to allow body filters to bypass mime segments except if it is text/html? The majority of my false positives are words (mainly porn related) found in the encoding of jpegs and gifs, especially on commonly misspelled variations. I was able to work around the problem with PDFs and MS Office documents by ending the tests based on those content types but obviously that is not an option with images. Aside from helping to limit false positives it would be a good way to reclaim some cpu cycles as well. Anyone have a way to counter this problem? Rick Davidson National Systems Manager North American Title Group - --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Outlook 2003
I pulled this from your header, X-Mailer: Microsoft Office Outlook, Build 11.0.6353 I am not sure what the build number is for Outlook 2003 but that is what you would want to look for, for example: HEADERS -X CONTAINS Outlook, Build 11.0. Rick Davidson National Systems Manager North American Title Group - - Original Message - From: Kris McElroy [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, August 20, 2004 10:51 AM Subject: [Declude.JunkMail] Outlook 2003 Has anyone found a way to add a negative weight to Outlook 2003 clients for the spamheaders test? I am running into a problem where it is failing the spamheaders test which is causing the weight to go over the and hold the emails? Thanks, Kris McElroy [EMAIL PROTECTED] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Increase in porn?
I have seen an increase in graphic porn that only fails minor tests as well hard to stop that stuff with the crazy misspellings they use Rick Davidson National Systems Manager North American Title Group - - Original Message - From: Glenn Brooks [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, July 21, 2004 12:19 PM Subject: Re: [Declude.JunkMail] Increase in porn? yes a large amount...thought it might just be my config... gb At 11:27 AM 7/21/2004 -0400, you wrote: Are any of you seeing an increase in explicit porn getting past Declude and Sniffer in the past few days. We are seeing a disturbing increase that will only fail some minor weighted test such as bad routing and often fail no test. They are almost dynamically changing the spelling of the obvious words we are adding to subject and content filtering. Any suggestions on how to get ahead of these guys and reduce such emails? Woody Fussell Wilbur Smith Associates Columbia SC [EMAIL PROTECTED] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. Glenn Brooks WebWize, Inc. 713-682-7111 http://www.webwize.com --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Types of Filters
Its HEADERS Rick Davidson National Systems Manager North American Title Group - - Original Message - From: Chris Patterson [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, July 19, 2004 12:05 PM Subject: [Declude.JunkMail] Types of Filters I have a myfilter test that has been working quite well but is growing too large. I want to break these down into body, subject and header filters so it narrows down where to look (as opposed to logs). Any ideas which other filter tests are recognized by declude? I tried a HEADERCONTAINS but that didn't work, didn't think it would. Thanks, Chris Patterson, CCNA Network Engineer Rapid Systems --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SPACE character
I messed around with this and found you can do the following HEADERS 0 CONTAINS Subject: -- with two spaces after it The header formating is Subject: with one space after it so theoreticly add a second space in your filter rule and it will do what you want. Rick Davidson National Systems Manager North American Title Group - - Original Message - From: Scott Fisher [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, July 06, 2004 12:11 PM Subject: Re: [Declude.JunkMail] SPACE character I see a small amount of valid e-mail that starts with a space. Perhaps SUBJECT 15 ISSPACE Similiar to the ISBLANK option? Scott Fisher Director of IT Farm Progress Companies [EMAIL PROTECTED] 07/06/04 10:59AM I have been seeing more spam where the subject line is a single space. Feature request, add something like this; SUBJECT 15 STARTSWITHSPACE John Tolmachoff Engineer/Consultant/Owner eServices For You --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SPACE character
yea it works, but I have been running a test with that today and havent caught a single spam message but have caught over 30 legit messages... Rick Davidson National Systems Manager North American Title Group - - Original Message - From: John Tolmachoff (Lists) [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, July 06, 2004 1:52 PM Subject: RE: [Declude.JunkMail] SPACE character AH, interesting work around. Thanks, I will try that. John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Rick Davidson Sent: Tuesday, July 06, 2004 10:11 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] SPACE character I messed around with this and found you can do the following HEADERS 0 CONTAINS Subject: -- with two spaces after it The header formating is Subject: with one space after it so theoreticly add a second space in your filter rule and it will do what you want. Rick Davidson National Systems Manager North American Title Group - - Original Message - From: Scott Fisher [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, July 06, 2004 12:11 PM Subject: Re: [Declude.JunkMail] SPACE character I see a small amount of valid e-mail that starts with a space. Perhaps SUBJECT 15 ISSPACE Similiar to the ISBLANK option? Scott Fisher Director of IT Farm Progress Companies [EMAIL PROTECTED] 07/06/04 10:59AM I have been seeing more spam where the subject line is a single space. Feature request, add something like this; SUBJECT 15 STARTSWITHSPACE John Tolmachoff Engineer/Consultant/Owner eServices For You --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SPACE character
most of them look like web mailers or automated systems that have the subject coded incorrectly with an extra leading space. Rick Davidson National Systems Manager North American Title Group - - Original Message - From: John Tolmachoff (Lists) [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, July 06, 2004 3:46 PM Subject: RE: [Declude.JunkMail] SPACE character I would be interested to know why the legit messages have a subject line that starts with a space. One of the servers I maintain is for a real estate company. John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Rick Davidson Sent: Tuesday, July 06, 2004 11:48 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] SPACE character yea it works, but I have been running a test with that today and havent caught a single spam message but have caught over 30 legit messages... Rick Davidson National Systems Manager North American Title Group - - Original Message - From: John Tolmachoff (Lists) [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, July 06, 2004 1:52 PM Subject: RE: [Declude.JunkMail] SPACE character AH, interesting work around. Thanks, I will try that. John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Rick Davidson Sent: Tuesday, July 06, 2004 10:11 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] SPACE character I messed around with this and found you can do the following HEADERS 0 CONTAINS Subject: -- with two spaces after it The header formating is Subject: with one space after it so theoreticly add a second space in your filter rule and it will do what you want. Rick Davidson National Systems Manager North American Title Group - - Original Message - From: Scott Fisher [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, July 06, 2004 12:11 PM Subject: Re: [Declude.JunkMail] SPACE character I see a small amount of valid e-mail that starts with a space. Perhaps SUBJECT 15 ISSPACE Similiar to the ISBLANK option? Scott Fisher Director of IT Farm Progress Companies [EMAIL PROTECTED] 07/06/04 10:59AM I have been seeing more spam where the subject line is a single space. Feature request, add something like this; SUBJECT 15 STARTSWITHSPACE John Tolmachoff Engineer/Consultant/Owner eServices For You --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Fake IP Test
I hold mail if the HELO matches my servers IP address, is there a situation I am overlooking where this would be a bad idea? Rick Davidson National Systems Manager North American Title Group - - Original Message - From: Kevin Bilbee [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, July 01, 2004 2:42 PM Subject: RE: [Declude.JunkMail] Fake IP Test HELO 4STARTSWITH [ You do not want to apply weight if the HELO string is an IP address the helo string being in the format of [xxx.xxx.xxx.xxx] is a vaild helo as long as it is the ip address of the sending server. HELO 8STARTSWITH 65.16.167. I would definitly suggest doing this one for all of your IP addresses except I would place each one individually and use CONTAINS or IS if you are not allocated the whole /24 block. Kevin Bilbee --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Whitelist to a local user
I got nailed by that to i use BYPASSWHITELIST bypasswhitelist 30 4 0 0 first number is the weight and the second number is the number of recipients, leave the other numbers 0 so if the message reached a weight of 30 and had four or more recipients the whitelist would be bypassed. Rick Davidson National Systems Manager North American Title Group - - Original Message - From: Jay Calvert [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, June 21, 2004 4:38 PM Subject: [Declude.JunkMail] Whitelist to a local user Hi all, I added WHITELIST TO in my Global.cfg but it seems to have backfired on me. I have a couple of users that want all emails to come to them unfiltered. I added them in the Global.cfg as mentioned. However we just had a message that was bcc'd to several others and it got through to all because one of the non-filtered users was in the list. What is the proper way to whitelist for one user but avoid the above situation --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Error allowed message through
What happened here, this message failed miserably and was still delivered to the user. I hold at 30 this weighed in at 81, it says last action IGNORE but I dont have any ignore lines in my junkmail file. 06/18/2004 09:39:31 Qf08d0038022e15b0 ERROR: Could not open recip file D:\IMail\spool\_f08d0038022e15b0.~MD [2] 06/18/2004 09:39:31 Qf08d0038022e15b0 Msg failed WEIGHT30 (Weight of 81 reaches or exceeds the limit of 30.). Action=ROUTETO. 06/18/2004 09:39:31 Qf08d0038022e15b0 ERROR: Could not open recip file D:\IMail\spool\_f08d0038022e15b0.~MD [2] 06/18/2004 09:39:31 Qf08d0038022e15b0 L1 Message OK 06/18/2004 09:39:31 Qf08d0038022e15b0 Subject: snipped 06/18/2004 09:39:31 Qf08d0038022e15b0 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 221.124.183.82 ID: mz199JIWbN93D0AF 06/18/2004 09:39:31 Qf08d0038022e15b0 Tests failed [weight=81]: SORBS-HTTP=WARN SORBS-SOCKS=WARN SORBS-MISC=WARN SORBS-SPAM=IGNORE SPAMCOP=WARN SXBL=WARN HELOBOGUS=WARN REVDNS=WARN IPNOTINMX=WARN GRABBER=ROUTETO WEIGHT30=ROUTETO 06/18/2004 09:39:31 Qf08d0038022e15b0 Last action = IGNORE. 06/18/2004 09:39:31 Qf08d0038022e15b0 WARNING: Could not unlock D:\IMail\spool\_f08d0038022e15b0.~MD; it has been deleted. version 1.79i6 Ideas? Rick Davidson National Systems Manager North American Title Group - --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Declude and attachments
I use a filter that searches for attachments and causes the email to bypass further filter tests. For example my filter is called BYPASS and contains lines like these: BODY 0 CONTAINS .PDF BODY 0 CONTAINS Content-type: application/msword BODY 0 CONTAINS Content-Type: application/pdf BODY 0 CONTAINS Content-Type: application/rtf BODY 0 CONTAINS Content-Type: application/vnd.ms-excel BODY 0 CONTAINS X-MS-Attachment: Then I have this line at the top of all my filters: TESTSFAILED END CONTAINS BYPASS Run the bypass filter before any other filter tests run, this has eliminated alot of false positives for me especially with PDF files. You can recover alot of CPU processing time by running your tests in a logical order, run all your filters that hold or delete mail first and then use the TESTSFAILED END to stop the filtering process on any messages that are already flagged for holding or deletion Rick Davidson National Systems Manager North American Title Group - - Original Message - From: Dave Doherty [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, June 17, 2004 8:18 AM Subject: [Declude.JunkMail] Declude and attachments Hi- Many of my users are personnel agencies that send and receive a lot of resumes as attachments. Some of these attachments are fairly large. I'm having a growing problem with processor usage. Does Declude scan attachments? Is there a way to turn that off? -Dave Doherty Skywaves, Inc. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Declude and attachments
I am not sure which Imail release included the log anylizer, 8.1 I think, if you have that version you can run the anylizer on your declude log files and just select unknown log lines It is a dirty way to do it but it gives you the info you are looking for Rick Davidson National Systems Manager North American Title Group - - Original Message - From: Scott Fisher [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, June 17, 2004 1:19 PM Subject: Re: [Declude.JunkMail] Declude and attachments I haven't found any easy way to tell. The information is in the logs at high level. But I can chime in that SKIPIFWEIGHT bypasses about 80% of my e-mail that is obviously spam. TESTSFAILED ENDS for friendly domains/revdns drop off about 8% of e-mail that is most likely not spam, leaving about 12% of the e-mail that I run body filters on. Scott Fisher Director of IT Farm Progress Companies [EMAIL PROTECTED] 06/17/04 12:03PM Matt- My body filters only catch about 4% of messages, but I don't know how often they are run. Is htere a convenient way to tell? -d - Original Message - From: Matt [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, June 17, 2004 12:40 PM Subject: Re: [Declude.JunkMail] Declude and attachments Scott, I've got a lot more BODY filters than Dave has, though I don't feel that they are excessive. I probably have about 1,500 BODY searches, but with SKIPIFWEIGHT they only run about 25% of the time. If Dave is using Declude Virus, I would also look there for the issue. Anything besides F-Prot and ClamAV in daemon mode will chug a server on a large attachment and it will use up far more processing than Declude JunkMail, but it will keep the Declude instance alive for longer. On about 65,000 messages a day currently, we generally see from 2 to 10 Declude processes running at one time with both F-Prot and AVG enabled (much less with just F-Prot). Disabling AVG results in our average processor utilization dropping by 1/3 to 1/2 on heavy load hours. Matt R. Scott Perry wrote: One instance of Declude, then two, then three, all in the 25%+ range. As soon as it dropped to two Decludes, Queue Manager came right in at 30-40%, then the cycles dropped as QueueManager dropped down. It does sound like it is the large files that are causing the problem. One option would be to temporarily disable the BODY filter with the 200 lines in it, to see if that prevents the problem with the high CPU usage in Declude JunkMail. That could indeed be causing the problem. The other would be to use the debug mode (LOGLEVEL DEBUG in the \IMail\Declude\global.cfg file) and waiting for one of these files to be sent. We can look at the debug log file entries to get a better idea of where the high CPU usage is occurring. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ = --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] American Specialties, Atlantic Continuum, etc.
Why not just create a filter file that searches for those specific strings you listed and use the delete action on them. Trying to gather IPs on those types of spam runs is futile, they are probly using spam zombies and there are probly 100s of thousands of those out there. You can even use Imail message rules to search those strings. You still have to recieve the mail but you can decisively delete it or hold it. Rick Davidson National Systems Manager North American Title Group - - Original Message - From: John Moore (by way of R. Scott Perry [EMAIL PROTECTED]) [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, June 11, 2004 9:53 AM Subject: [Declude.JunkMail] American Specialties, Atlantic Continuum, etc. We keep getting swamped with mail from: American Specialties First Advanced Altantic Continuum Pacific Alternative Gamma Coalition Alliance Advanced American Loan Gateway Crown Specialists Crown Aggregate United Coalition Commonwealth Commercial and so on all from the same source per that mail period. Lots of emails with each mailing.. These are the only Declude tests (that we have setup) that they fail X-Spam-Tests-Failed: SBL, CATCHALLMAILS [7] We ve been adding the IP s to our kill file (Imail 7.x) but of course they change with every mailing. Anybody have success in staying ahead of these varmints? TIA, John --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Blacklist one Country for one Domain
heh i learned the hard way with specialist as well dont forget that declude will honor the space at the end of a filtering string, .czspace should have been used... learned the hard way on that to :-) Rick Davidson National Systems Manager North American Title Group - - Original Message - From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, June 11, 2004 10:40 AM Subject: Re: [Declude.JunkMail] Blacklist one Country for one Domain agreed about the body but chances are that and end user is going to base their filtering request on what they see in the body and in the case of .cz the chances of something matching that other than an email address or url are slim This is concerning order number 213.97.czae.42 Daddy, i learnedto typetheis toy.czyou today Dear Client - We have blocked everything with a country domain of .cz You never can tell what will happen. I didn't realize that the popular male drug name was in the word speCIALISt until we advertised a Security Specialist position. :) Jeff --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails
Hi Markus! Getting your messages now, for me the solution was as simple as allowing email through with [declude in the subject, I don't like blocking by IP unless its a legit email marketing company who doesn't change IP addresses and with the nifty new remoteip 0 cidr filtering capability its easy to bypass the ip blocking. Odd thing is I was nailing some of your email with interbusiness.it and I don't see that anywhere in the headers of your current messages I do punish dot info and dot biz quite severely with weight, aside from your dot info domain the other 799,999 are suspect to me :-) your English is great its alot better than quite a few groups of people here in the US Rick Davidson National Systems Manager North American Title Group 440-953-9346 - Office 440-953-0925 - Fax 440-487-7344 - Mobile [EMAIL PROTECTED] - - Original Message - From: Gufler Markus [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, June 10, 2004 5:45 PM Subject: Re: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails Hopefully it's not because my email-address is an info domain. Over 2 years ago (march 2002) there was registered already over 80 info domains around the world. As I know on the IPSwitch website you can't subscribe to the newsletter because .info is not a valid top level domain Looks like internet is old enough now to have also some conservative people inside ;-) I assume that most of my messages will be filtered because the dynamic IP addresses of our DSL-connection is listed in more or less IP-Blacklists. This not because we're an open relay but because this are dynamic IP's and the entire class B range seems to be blacklisted (at least temporary). I can understand that most people in oversea can see more spam then legit messages comming from this IPs. And I can understand if someone decides to punish them. We also assign a small weight to any message comming from the USA because from the 26% of all messages comming from the USA only 3% are legit messages. This should not be a punishment for a country, but it's simple mathematic logic to improve our spam filters detection rate. Maybe you can see this message only because I send them - for this time - trough the webmail interface and so from a clean IP address. What I would suggest is that anyone reading messages in this list should try to whitelist declude list messages. There are several cases that declude list messages contains suspicious content: spam examples, filter definitions, or simple help request from an admin that has an IP blacklisted mailserver. If you don't whitelist declude list messages very probably you're missing some important information. As I can understand, the best way to whitelist declude messages is to whitelist the IP of the declude list server: Simply put WHITELIST IP 68.162.218.198 in your global.cfg line. Hope this helps, and you can understand my english --- Gufler Markus --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] New Test Idea
Would it be possible for declude to do DNS lookups on the urls in the body of the email message and then run the IP address against an ipfile or a filter file using remoteip? This would defeat the registering of tons of domains that alot of times point back to the same web server. It is easy to find the netblocks that the large discount web hosting companies use so using the remoteip 0 cidr could be used better in the weighting system. For example: Servpath out of San Francisco has these netblocks, alot of legit (i hate using that term here) email marketing spam comes from these netblocks (so much that I block them out right because my users arent allowed to use their email for non business purposes) but for the sake of this example weight could be added to a message if a URL in the body translated to an IP in these ranges. remoteip 10 cidr 64.151.64.0/19 remoteip 10 cidr 69.59.128.0/18 It seems to me that it could be pretty effective, have it run with the DNS tests and before the filters so it could be used in testsfailed end lines My list of URLs is getting huge and I am sure alot of them are obsolete now. What do you think? Doable? Rick Davidson National Systems Manager North American Title Group - --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] New Test Idea
I downloaded the surbl code but have not implemented it yet cause of all the monkey business associated with it, I am working on getting it going thanks for that batch file! Rick Davidson National Systems Manager North American Title Group - - Original Message - From: Scott Fisher [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, June 11, 2004 3:03 PM Subject: Re: [Declude.JunkMail] New Test Idea This was kind of suggested when the SURBL came out. Do you use the SURBL code. I don't know if anyone is interested but I've got a batch file that goes through last month's logs (it works on log level high) and pulls out all matches for a Body URL filter. It can help trim the deadwood. I've attached it renamed as a .txt file. Scott Fisher Director of IT Farm Progress Companies [EMAIL PROTECTED] 06/11/04 01:12PM Would it be possible for declude to do DNS lookups on the urls in the body of the email message and then run the IP address against an ipfile or a filter file using remoteip? This would defeat the registering of tons of domains that alot of times point back to the same web server. It is easy to find the netblocks that the large discount web hosting companies use so using the remoteip 0 cidr could be used better in the weighting system. For example: Servpath out of San Francisco has these netblocks, alot of legit (i hate using that term here) email marketing spam comes from these netblocks (so much that I block them out right because my users arent allowed to use their email for non business purposes) but for the sake of this example weight could be added to a message if a URL in the body translated to an IP in these ranges. remoteip 10 cidr 64.151.64.0/19 remoteip 10 cidr 69.59.128.0/18 It seems to me that it could be pretty effective, have it run with the DNS tests and before the filters so it could be used in testsfailed end lines My list of URLs is getting huge and I am sure alot of them are obsolete now. What do you think? Doable? Rick Davidson National Systems Manager North American Title Group - --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails
Many Thanks! Rick Davidson National Systems Manager North American Title Group - - Original Message - From: Franco Celli [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, June 10, 2004 11:18 AM Subject: Re: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails Rick, I think it's easyer for you to download them from the author Markus Gufler: http://www.zcom.it/decludeupdater/polit_filter.zip I just used his filters. --- Franco Celli [EMAIL PROTECTED] --- [Quipo ISP - Questa E-mail e' stata controllata dal programma Declude Virus] [Quipo ISP - This E-mail was scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails
Thanks again, Can you send me the headers from Markus's email so I can figure out whats grabbing his email, over the years he has been a useful contributor here so I would like to see his posts thanks for your time Rick Davidson National Systems Manager North American Title Group - - Original Message - From: Franco Celli [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, June 10, 2004 12:30 PM Subject: RE: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails I think it's easyer for you to download them from the author Markus Gufler: http://www.zcom.it/decludeupdater/polit_filter.zip Please forward him also the part he need's for the global.cfg file POLIT-CONTENT filter C:\IMail\Declude\filter_polit_content.txt x 0 0 POLIT-QMAIL filter C:\IMail\Declude\filter_polit_qmail.txt x 0 0 POLIT-COMBO filter C:\IMail\Declude\filter_polit_COMBO.txt x 0 0 Markus --- Extract from the first message from Markus (Someone could have missed it) --- POLIT-CONTENT filter C:\IMail\Declude\lists\filter_polit_content.txt x 0 0 # contains different tipical body keywords # in any case 0 points POLIT-QMAIL filter C:\IMail\Declude\lists\filter_polit_qmail.txt x 0 0 # all this messages contains .qmail@ in the header (message-id part) # in any case 0 points POLIT-UMLAUT filter C:\IMail\Declude\lists\filter_polit_umlaut.txt x 0 0 # All messages doesn't contain any german umlaut and special characters (ä, ö, ü, ß) # in any case 0 points # should avoid false positives POLIT-COMBO filter C:\IMail\Declude\lists\filter_polit_COMBO.txt x 0 0 # The logic behind this filter: # skip if no POLIT-CONTENT body keyword and no POLIT-QMAIL header string was found # skip if any special german character (POLIT-UMLAUT) was found # Add 100 points if HELOBOGUS has failed (all this messages has a random generated helo string) -- Franco Celli --- [Quipo ISP - Questa E-mail e' stata controllata dal programma Declude Virus] [Quipo ISP - This E-mail was scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Blacklist one Country for one Domain
I would focus on the mailfrom test, chances are the spam your client is complaining about did actually come from the country cz but definately nail it with the country test if thats what they want. you could even add a filter like anywhere 50 contains .cz (with a space after the .cz) anywhere 50 contains .cz Rick Davidson National Systems Manager North American Title Group - - Original Message - From: Goran Jovanovic [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, June 09, 2004 11:01 AM Subject: [Declude.JunkMail] Blacklist one Country for one Domain Hi, I have a client who sent this to me today Please blacklist anything that has a .cz in the address line So the way that I see doing this is a filter with the following. ALLRECIPS END NOTCONTAINS @domain.com COUNTRIES 50 CONTAINS CZ MAILFROM50ENDSWITH .cz My questions: Is this the best way? COUNTRIES and not COUNTRY will check every mail hop? And the biggest question will this do what the client wants? Thanx Goran Jovanovic The LAN Shoppe --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Verify sender
You can do that in Imail on the SMTP Security tab be careful doing that cause it will affect alot of legit mail where gateways are used for example my mail domian is nat.com but the mx records point to my gateways which use the domain nat-mail.com Rick Davidson National Systems Manager North American Title Group - - Original Message - From: geneh [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, June 09, 2004 1:19 PM Subject: [Declude.JunkMail] Verify sender Is it possible, either through Declude JM or Imail, to verify the return address of an email is valid and came from the mail server that hosts the domain based on the MX record? Gene Sent via the WebMail system at accram.com --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Testfailed in ipfile
Cool, can you specify CIDR ranges like IP 0 IS x.x.x.x/x? Rick Davidson National Systems Manager North American Title Group 440-953-9346 - Office 440-953-0925 - Fax 440-487-7344 - Mobile [EMAIL PROTECTED] - - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, June 08, 2004 3:08 PM Subject: Re: [Declude.JunkMail] Testfailed in ipfile Does TESTSFAILED END CONTIANS work in an ipfile? No, that is a line that goes in filter files. However, you could use that line in a filter file that acts the same as an ipfile (IP 0 IS 192.0.2.25). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Where is ARIN?
Is it me or did ARIN drop of the face of the Internet today? Rick Davidson National Systems Manager North American Title Group - --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Where is ARIN?
That is odd, I am getting destination net unreachable from qwest on a server in Arizona, traceroutes over Alegience in California and Cleveland timeout DNSstuff IPWHOIS returns this Sorry, I could not connect to whois.arin.net (10051). whois.arin.net (192.149.252.43) times out is there anywhere else IP whois info is available? Rick Davidson National Systems Manager North American Title Group - - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, June 02, 2004 12:36 PM Subject: Re: [Declude.JunkMail] Where is ARIN? Is it me or did ARIN drop of the face of the Internet today? It might be you -- http://www.dnsstuff.com/tools/traversal.ch?domain=104.161.233.64.in-addr.arpatype=PTR shows that all their DNS servers are responding, and in a very reasonable time. And http://www.arin.net is reachable from here with no problem. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: Re[2]: [Declude.JunkMail] Where is ARIN?
ARIN is alive again! Rick Davidson National Systems Manager North American Title Group - - Original Message - From: Pete McNeil [EMAIL PROTECTED] To: Glenn \\ WCNet [EMAIL PROTECTED] Sent: Wednesday, June 02, 2004 1:43 PM Subject: Re[2]: [Declude.JunkMail] Where is ARIN? No problem getting there from here. multi-homed through Savvis and Sprint on a pair of T1s. _M On Wednesday, June 2, 2004, 1:03:16 PM, Glenn wrote: GW SBC T3, can't get ARIN. GW - Original Message - GW From: Rick Davidson [EMAIL PROTECTED] GW To: [EMAIL PROTECTED] GW Sent: Wednesday, June 02, 2004 11:54 AM GW Subject: Re: [Declude.JunkMail] Where is ARIN? That is odd, I am getting destination net unreachable from qwest on a GW server in Arizona, traceroutes over Alegience in California and Cleveland timeout DNSstuff IPWHOIS returns this Sorry, I could not connect to whois.arin.net (10051). whois.arin.net (192.149.252.43) times out is there anywhere else IP whois info is available? Rick Davidson National Systems Manager North American Title Group - - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, June 02, 2004 12:36 PM Subject: Re: [Declude.JunkMail] Where is ARIN? Is it me or did ARIN drop of the face of the Internet today? It might be you -- GW http://www.dnsstuff.com/tools/traversal.ch?domain=104.161.233.64.in-addr.arpatype=PTR shows that all their DNS servers are responding, and in a very GW reasonable time. And http://www.arin.net is reachable from here with no problem. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailserve rs since 2000. Declude Virus: Ultra reliable virus detection and the leader in GW mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus GW (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. GW --- GW [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] GW --- GW This E-mail came from the Declude.JunkMail mailing list. To GW unsubscribe, just send an E-mail to [EMAIL PROTECTED], and GW type unsubscribe Declude.JunkMail. The archives can be found GW at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] DNS tests in separate file?
Is it possible to run the DNS RBL tests in a file other than the global config file? For example have them all in separate filter file that I can abort with TESTFAILED END CONTAINS Rick Davidson National Systems Manager North American Title Group 440-953-9346 - Office 440-953-0925 - Fax 440-487-7344 - Mobile [EMAIL PROTECTED] - --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] DNS tests in separate file?
o the simplicity of it all :-) Rick Davidson National Systems Manager North American Title Group - - Original Message - From: Scott Fisher [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, May 28, 2004 11:21 AM Subject: Re: [Declude.JunkMail] DNS tests in separate file? You could have them assigned with a 0 weight in the global.cfg. You can then use your filters to assign weights as described below. Scott Fisher Director of IT Farm Progress Companies [EMAIL PROTECTED] 05/28/04 10:05AM Is it possible to run the DNS RBL tests in a file other than the global config file? For example have them all in separate filter file that I can abort with TESTFAILED END CONTAINS Rick Davidson National Systems Manager North American Title Group 440-953-9346 - Office 440-953-0925 - Fax 440-487-7344 - Mobile [EMAIL PROTECTED] - --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Help - Gateway Question
Make sure the system you are gatewaying for allows relay from the gateway host. Rick Davidson National Systems Manager North American Title Group - - Original Message - From: Bridges, Samantha [EMAIL PROTECTED] To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Wednesday, May 26, 2004 1:27 PM Subject: [Declude.JunkMail] Help - Gateway Question Hello All - I have started providing gateway services to a new host. I see the messages reach the spool and start to be processed. However the SMTP log says that the message keeps requeing and giving me a status of 3 Please help. Any ideas of what to look at would be appreciated. Samantha Samantha Bridges Communications Technician Macomb Intermediate School District 44001 Garfield Road Clinton Township MI 48038-1100 (586) 228-3300 [EMAIL PROTECTED] http://www.misd.net CONFIDENTIALITY NOTICE: This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] PDF counter balance
Can anybody point out reasons why it would be a bad idea for me to use this line to stop filtering messages with file attachments? This is mainly for PDF files which seem to get caught for strange reasons. BODY END CONTAINS Content-Type: application/octet-stream Rick Davidson National Systems Manager North American Title Group --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Spamdomains question
I just had an email fail spamdomains for [EMAIL PROTECTED] X-RBL-Warning: SPAMDOMAINS: Spamdomain 'swbell.net' found: Address of [EMAIL PROTECTED] sent from invalid mta7.pltn13.pbi.net. pbi.net is registered to SBC and is valid (pacific bell internet) In my spam domains file I have this: swbell.net .prodigy.net would I just add another line like this? swbell.net .pbi.net or can they be placed on the same line like this? swbell.net .prodigy.net .pbi.net Question 2: Is there a way to turn the headers off in the mail archive so everyones declude header messages arent the bulk of the search results? Rick Davidson National Systems Manager North American Title Group - --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Hotmail not accept inbound mail?
Yep hotmail is not accepting from us either, I am seeing connection resets from them Rick Davidson National Systems Manager North American Title Group - - Original Message - From: Colbeck, Andrew [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, May 11, 2004 2:44 PM Subject: [Declude.JunkMail] Hotmail not accept inbound mail? Anybody else with this trouble? I've got 300+ messages queued to hotmail.com addresses. Both my cached and a fresh DNS query look fine. I have a ton of: MX connect fail 65.54.190.50 messages in my Imail log (lots of different IP addresses whose reverse DNS ends with hotmail.com) Andrew. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
OT- Re: [Declude.JunkMail] Country Code for Palestine?
Interesting, IANA recognizes them as a country, sure would be nice if Israel and the rest of the non cyber world did to. Rick Davidson National Systems Manager North American Title Group - - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, May 10, 2004 10:33 AM Subject: Re: [Declude.JunkMail] Country Code for Palestine? Does anyone know what the Country Code for Palestine is? I just received an e-mail which Declude's X-COUNTRY-CHAIN identified as Palestine yet the official country code list, http://www.iana.org/cctld/cctld-whois.htmhttp://www.iana.org/cctld/cctld- whois.htm, makes no mention of Palestine. It's ps. Note that there may be some countries that do not have their own ccTLD, but that may have Internet access available to them (so they would not appear at the IANA URL). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Words found in encoded file atachments
Yea I understand that but I am catching words like p*nis and c*nt that should have a heavy weight and for some reason it seems to be only PDF file attachments. Just thought it would be possible to skip that portion of the body due to the formating. Rick Davidson National Systems Manager North American Title Group - - Original Message - From: Colbeck, Andrew [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, April 12, 2004 2:05 PM Subject: RE: [Declude.JunkMail] Words found in encoded file atachments Rick, no, the BODY text filtering searches everywhere, including inside binary attachments. Your best bet is to assign those nasty words with very little weight, don't use very short words, and/or try to match a phrase instead, or use trailing punctuation. For example, I've found that although they are darn common in spam, I can't use these with a weight any higher than 1: tit t1t mlm m1m hgh because of their false positives in binary attachments and BASE64 encodings of attachments. Andrew 8) -Original Message- From: Rick Davidson [mailto:[EMAIL PROTECTED] Sent: Monday, April 12, 2004 10:35 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Words found in encoded file atachments Is it possible to exclude the filters from being triggered when finding words in the file attachment encoding in the message body? I have been getting some false positives on some nasty words that were arbitrarily formed in the encoding segments Rick Davidson National Systems Manager North American Title Group --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Words found in encoded file atachments
Thanks Matt, the trailing space trick will do... I have the luxury of being tough on specific words so I am :-) Rick Davidson National Systems Manager North American Title Group - - Original Message - From: Matt [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, April 12, 2004 2:21 PM Subject: Re: [Declude.JunkMail] Words found in encoded file atachments ...or a trailing space. Base64 encoding doesn't use punctuation or spaces. Your list would never hit base64 if all you did was add a space, and that would probably hit more often than with punctuation. Staying away from words 5 characters or less also helps because for each additional character, you are about 28 times less likely to see that pattern in base64 code. Needlesstosay, I'm not big on word filtering, though I do have several filters, all scored very low. Matt Colbeck, Andrew wrote: Rick, no, the BODY text filtering searches everywhere, including inside binary attachments. Your best bet is to assign those nasty words with very little weight, don't use very short words, and/or try to match a phrase instead, or use trailing punctuation. For example, I've found that although they are darn common in spam, I can't use these with a weight any higher than 1: tit t1t mlm m1m hgh because of their false positives in binary attachments and BASE64 encodings of attachments. Andrew 8) -Original Message- From: Rick Davidson [mailto:[EMAIL PROTECTED] Sent: Monday, April 12, 2004 10:35 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Words found in encoded file atachments Is it possible to exclude the filters from being triggered when finding words in the file attachment encoding in the message body? I have been getting some false positives on some nasty words that were arbitrarily formed in the encoding segments Rick Davidson National Systems Manager North American Title Group --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ = --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Proper Place To Download all_list.dat From?
properly, and doesn't seem to be as widely used was originally expected. Wow! I find the countries test to be extremely effective, not to good for ISP folks but for any company that does localized business this test rocks. I assign half my hold weight for any mail outside the US with a few exceptions and then heavily penalize common relay countries such as korea, china and poland and then assign full hold weight to countries that should never be sending us mail. My spam dropped off significantly once I got it tweaked right. Sure would hate to loose the countries test Rick Davidson National Systems Manager North American Title Group - - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, April 09, 2004 12:02 PM Subject: Re: [Declude.JunkMail] Proper Place To Download all_list.dat From? Now that 1.79 beta has been released are we supposed to download any updates to all_list.dat from http://www.declude.com/release/179/all_list.dathttp://www.declude.com/rel ease/179/all_list.dat This is the correct location. Is the current version in the path always the place to get the new version of all_list.dat? It could change, as this is still considered an experimental feature. How often on average is all_list.dat updated? As needed. Typically every few months. If I come to rely on the experimental functionality which all_list.dat is part of, what are the changes that this functionality is going to go away? It is unlikely that it will go away completely; the biggest risk would be that the all_list.dat file can no longer be updated (this could happen, for example, if one of the IP registrars decides to stop providing the information). What are the changes that this experimental functionality is going to stay permanently, i.e. no longer be experimental? Right now, I can't say for certain. Part of the problem is that while this is definitely a useful feature, is requires extra work to get set up properly, and doesn't seem to be as widely used was originally expected. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Whitelist To problem
sweet! that will work perfectly thanks man! Rick Davidson National Systems Manager North American Title Group - - Original Message - From: System Administrator [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, April 09, 2004 2:17 PM Subject: Re: [Declude.JunkMail] Whitelist To problem on 4/9/04 1:32 PM, Rick Davidson wrote: Is it possible to make it so that if a whitelisted TO address is included with many recipients that only that one particular address is whitelisted and not everyone in the To field? Whitelist To [EMAIL PROTECTED] recieve an email to [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED] Not quite what you want but you can add BYPASSWHITELIST bypasswhitelist xx y 0 0 to your global.cfg file. If a message weight exceeds xx and the message was sent to y or more addresses the assigned action will take place. We use delete and have a line in our $default$.JunkMail file(s) that is BYPASSWHITELIST DELETE Basically, this command lets the administrator have the final word as to what should happen with a message. We use 40 and 2 for the values. If tom wants everything whitelisted but dick, harry and joe don't then tom causes the others to get spam (not good). The bypasswhitelist command, which isn't listed on the junkmail page, but is on the release page, let's the admin overrule tom, and depending upon the settings, causes none of them to get the message. Tom won't miss his spam message and the others will never get to see it. Greg --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Gateway and log file questions
I am using declude junkmail on two mail gateways for 5 domains, shouldnt Declude always see mail as outgoing mail? I am seeing this in my logs. Using [incoming] CFG file D:\IMail\Declude\nat.com\$default$.junkmail. I am having trouble with some tests being skipped, how does declude know what is incoming and what is outgoing in the config and junkmail file? I only have one set of tests defined in each file assuming it will just go with the outgoing, does it look for duplicates or line breaks to determine which is incoming or outgoing? Running current interim 30 and running imail8.05 Rick Davidson National Systems Manager North American Title Group 440-953-9346 - Office 440-953-0925 - Fax 440-487-7344 - Mobile [EMAIL PROTECTED] - --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] [Declude Junkmail] Antispam to block file extensions....
You can use the Imail message rules to do that, search the ipswitch knowledge base for how to Rick Davidson National Systems Manager North American Title Company - - Original Message - From: Brent Brashear [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, March 03, 2004 3:42 PM Subject: [Declude.JunkMail] [Declude Junkmail] Antispam to block file extensions Is there a way for AntiSpam to block e-mails by file attachments? A lot of viruses are going around with the .pif attachment I'd like to set the AntiSpam up to block these from even coming in. Best Regards, Brent --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] AOL
Disabling the SMTP Fixup Protocol at the firewall disables ESMTP and allows only SMTP Anyone using Imail peering will not be able to disable ESMTP Rick Davidson Buckeye Internet Inc www.buckeyeweb.com 440-953-1900 ext: 222 - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, June 26, 2003 1:48 PM Subject: RE: [Declude.JunkMail] AOL According to you guys its not the mail server it is the Firewallright? Correct. What needs to be changed on the Firewall I believe someone said it is the SMTP Fixup Protocol that needs to be turned off. and why is the current setup so bad? Two reasons: [1] It makes your server non-RFC-compliant [2] The security feature is broken (specifically, it is leaking information it was designed to hide) -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you have been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] AOL
Correct. It will disable SMTP AUTH as well The fixup was added to IOS to allow ESMTP its quite a pickle Rick Davidson Buckeye Internet Inc www.buckeyeweb.com 440-953-1900 ext: 222 - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, June 26, 2003 2:14 PM Subject: Re: [Declude.JunkMail] AOL Disabling the SMTP Fixup Protocol at the firewall disables ESMTP and allows only SMTP Anyone using Imail peering will not be able to disable ESMTP Does that mean that Cisco firewalls can't be set up not to interfere with SMTP transactions? If enabling the fixup protocol breaks RFC-compliance and doesn't do all that it is supposed to, and disabling it disables SMTP AUTH, those firewalls need to be thrown out. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you have been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Serveral RBL Tests reading from same database
Here is something I just noticed. This spam message failed 3 blacklist tests however two of them are reading from spamhaus.org so basicly it held the message based on SBLs info alone (each test weighted 5, i hold at 14) X-RBL-Warning: OSSOFT: http://spamhaus.org/SBL/sbl.lasso?query=SBL8887 X-RBL-Warning: EASYNET-DNSBL: Included from Spamhaus SBL: http://spamhaus.org/SBL/sbl.lasso?query=SBL8887 X-RBL-Warning: SBL: Listed on SBL: http://spamhaus.org/SBL/sbl.lasso?query=SBL8887 So I pose the question is SBL accurate enough to allow a message to be held on its info alone? Whats the point of these other DNS tests if they are pulling from a RBL we are already querying? its like repeating the same test. Would it make sense to have Declude check for this situation? Rick Davidson Buckeye Internet Inc www.buckeyeweb.com 440-953-1900 ext: 222 --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
