[Declude.JunkMail] junkmail Actions
Is there any plan or possibility to allow for multiple actions for one test? The WEIGHT feature allows great control via multiple tests ... but ;-) ... different Customers (either domain or user) on a mail server will invariably have different requirements. What I'd find particularly useful would be to allow the WEIGHT10 test to be controlled via action in *.junkmail definitions rather than global.cfg. Going even further, I can make a case for multiple instances of WEIGHT10 for one user or domain something like ...

WEIGHT10 DELETE 30
WEIGHT10 WARN 10
Re: [Declude.JunkMail] junkmail Actions
Aha!! That's exactly what I was missing. Thanks!

>If you want, you can have two different tests defined in the global.cfg file:
>
> WEIGHT10 weight x x 10 0
> WEIGHT30 weight x x 30 0

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
[Declude.JunkMail] Filter Processing
Scott,

I have two questions regarding filter processing.

1. If there are multiple filters listed in the global.cfg are they processed in the order they're listed?
2. If there is a match on an item in a filter list does processing continue against that list?

TIA,
George

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Filter Processing
Scott,

For the wish list please - An additional filter type (or flag) that would exit after the first match. I've been pretty successful with filtering MAILFROM and, to speed up processing it would be beneficial if the filter processing could end after a match. The same would apply to an IP that I'm blocking. There's no need to do further processing in this filter since the match has been made and I'm going to treat the item as SPAM. This would also enable me to sequence the list with the most expected matches at the top.

George

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Tuesday, September 17, 2002 10:26 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Filter Processing

>I have two questions regarding filter processing.
>
>1. If there are multiple filters listed in the global.cfg are they
>processed in the order they're listed?

Yes.

>2. If there is a match on an item in a filter list does processing
>continue against that list?

Yes, so if the weight of each entry in the filter is 1, an E-mail could still end up with a weight higher than 1.

-Scott
[Declude.JunkMail] Newbie Question
Being that I am very new to Declude Junkmail what are the steps in order to configure a kill list. I have a kill list so what are the steps in order to activate it. Thanks
Re: [Declude.JunkMail] Newbie Question
Does this BLACKLIST need an entry to both global.cfg & the junk_mail configuration file? Thanks.

----- Original Message -----
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, September 20, 2002 11:10 AM
Subject: Re: [Declude.JunkMail] Newbie Question

> >Being that I am very new to Declude Junkmail what are the steps in order
> >to configure a kill list. I have a kill list so what are the steps in
> >order to activate it.
>
> "Kill List" normally refers to IMail's "kill.lst" file (although some
> people also use it to refer to Declude JunkMail's "Sender Blacklists").
>
> With Declude JunkMail, you would use a Sender Blacklist to handle this --
> the "Your own sender blacklists" section of the manual covers
> it. Basically, you define the test by adding a line such as:
>
> MYBLACKLIST fromfile C:\IMail\Declude\badaddresses.txt x 5 0
>
> This will create a new test MYBLACKLIST, that will work like any other
> Declude test (and will count towards the weighting system). The
> "badaddresses.txt" file would contain any E-mail addresses (or domains,
> such as "@example.com") that you want blacklisted. Note that this only
> checks the "return address" of the E-mail (where bounce messages go), not
> the "From:" or "Reply-To:" E-mail headers.
> -Scott
RE: [Declude.JunkMail] spam rec'd using internal return address
Sharyn,

Do you have the PRO Version of Junkmail? You can use filters to deal with IP's, MAILFROM, etc if you do. It's explained in the manual http://www.declude.com/junkmail/manual.htm Also the subject of many threads here.

George

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sharyn Schmidt
Sent: Tuesday, September 24, 2002 8:27 AM
To: Declude Junkmail List
Subject: [Declude.JunkMail] spam rec'd using internal return address

Good morning :)

One of my users is receiving some really disgusting porn email. The logs show that the sender is actually using HER address as the return address. Here is a snip from the IMAIL log:

09:23 23:13 SMTPD(29B2013E) [200.231.59.131] HELO aleph.inbrac.com.br
09:23 23:13 SMTPD(29B2013E) [200.231.59.131] MAIL FROM:<[EMAIL PROTECTED]> (this is NOT the IP address of my mail server)
09:23 23:13 SMTPD(29B2013E) [200.231.59.131] RCPT TO:<[EMAIL PROTECTED]>
09:23 23:13 SMTPD(29B2013E) [200.231.59.131] D:\IMAIL\spool\Dd85c13e.SMD 1329
09:23 23:13 SMTP-(0A84) processing D:\IMAIL\spool\Qd85c13e.SMD
09:23 23:13 SMTP-(0A84) ldeliver todhunter.com scarbo-main (1) <[EMAIL PROTECTED]> 1598
09:23 23:13 SMTP-(0A84) finished D:\IMAIL\spool\Qd85c13e.SMD status=1

According to the Dec0923.log, the only test this message failed was the reverse DNS and obviously I don't rely solely on that test to block or attach spam.

What is the best way to block this? Does Declude blacklist IP addresses or do I have to do this in IMAIL? Should this post go to the IMAIL users list? If so, my apologies!

TIA,
Sharyn

We are the worldwide producer and marketer of the award winning Cruzan Single Barrel Rum, judged "Best in the World" at the annual San Francisco Wine and Spirits Championships. For more information, please click (go to) http://www.cruzanrums.com
RE: [Declude.JunkMail] spam rec'd using internal return address
Analytically correct

George

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sharyn Schmidt
Sent: Tuesday, September 24, 2002 10:05 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] spam rec'd using internal return address

question on this filtering.. If I add the following line in myfilter.txt..

Body 0 Contains anal

This will cause any email with the word "analysis" in it to receive whatever action I've given the test. Correct?

Sharyn
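The behaviour discussed in the two filter threads above (every matching line in a filter adds its weight, and Contains is a plain substring match, so "anal" hits "analysis"), as an added Python model that is not Declude's code or part of the original posts. Case-insensitive matching, the `stop_on_first_match` flag (George's wish-list item) and the `whole_word` option are assumptions made for illustration; the sample filter and message are constructed.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    field: str   # message part to test, e.g. MAILFROM or BODY
    weight: int  # added to the filter's total on every match
    value: str   # text that CONTAINS looks for


def parse_filter(text):
    """Parse 'FIELD WEIGHT CONTAINS VALUE' lines, the shape quoted in the thread."""
    rules = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 3)
        if len(parts) != 4 or parts[2].upper() != "CONTAINS":
            raise ValueError(f"line {number}: unsupported filter line: {line!r}")
        rules.append(Rule(parts[0].upper(), int(parts[1]), parts[3]))
    return rules


def matches(value, haystack, whole_word=False):
    """Substring match by default; whole_word is a hypothetical stricter mode."""
    if not whole_word:
        return value.lower() in haystack.lower()
    # Require a boundary only on the sides where the value itself begins or
    # ends with a word character, so "@bulk.example" can still match.
    left = r"(?<!\w)" if re.match(r"\w", value) else ""
    right = r"(?!\w)" if re.search(r"\w$", value) else ""
    pattern = left + re.escape(value) + right
    return re.search(pattern, haystack, re.IGNORECASE) is not None


def evaluate(rules, message, stop_on_first_match=False, whole_word=False):
    """Return (total weight, matching rules) for one filter and one message."""
    total, hits = 0, []
    for rule in rules:
        if matches(rule.value, message.get(rule.field, ""), whole_word):
            total += rule.weight
            hits.append(rule)
            if stop_on_first_match:  # assumption: the requested early exit
                break
    return total, hits


# Constructed sample data, not taken from any real configuration or message.
SAMPLE_FILTER = """
MAILFROM 1 CONTAINS @bulk.example
MAILFROM 1 CONTAINS promo
BODY 0 CONTAINS anal
"""
SAMPLE_MESSAGE = {
    "MAILFROM": "promo-17@bulk.example",
    "BODY": "Please find the quarterly analysis attached.",
}

if __name__ == "__main__":
    rules = parse_filter(SAMPLE_FILTER)
    modes = [
        ("all lines processed", {}),
        ("stop on first match", {"stop_on_first_match": True}),
        ("whole-word matching", {"whole_word": True}),
    ]
    for label, options in modes:
        total, hits = evaluate(rules, SAMPLE_MESSAGE, **options)
        matched = ", ".join(f"{r.field}:{r.value}" for r in hits)
        print(f"{label}: weight={total} matched=[{matched}]")
```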
[Declude.JunkMail] New Definition of Spam Cop
I really couldn't help laughing at discovering spam this morning through an open relay at:

mail.kcpd.org
Kansas City, MO Police Department

Where's SPAMCOP when you need them.

George Kulman
Partner
Ridge Systems, L.L.C.
RE: [Declude.JunkMail] HOPHIGH
Bill,

Every situation is different. I use HOPHIGH 4 and I'm very satisfied. My reasons are:

1. I have a client who has mail processing issues and I end up relaying a lot of their inbound and outbound mail. Since they get about 500 pieces of spam a day I want to get maximum protection and eliminate the handling of the bounces, which I end up with when their server rejects them. On the outbound side I get everything after their server gets its three tries which means I handle most of their garbage. I also dump all my outbound retries to another mail server after three attempts to keep that load off of the Imail server and to provide deferred messages to the user which IMail doesn't do (one of my gripes with IMail).

2. I also have 2 mail servers which can relay to my IMail server. I've discovered over time that many e-mail systems do not send to the highest priority MX but seem to randomly select an MX record so a portion of my mail comes through the relays even when everything's working just fine.

These situations could be handled by IPBYPASS but things then get further complicated by mail being forwarded from other e-mail accounts such as att.net. These come from a variety of mail servers and I don't want to have to continually check all of the valid IP's of all of the forwarders and try to keep that list up to date.

One consideration to keep in mind is that you want to use a robust DNS server for IMail in this situation since you're going to pound the s--- out of it. I use a DNS that's dedicated to IMail requests. I also force responses from confirmed authoritative DNS's to avoid spoofing, which means more of a load on my DNS.

George Kulman
Partner
Ridge Systems, L.L.C.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bill B
Sent: Thursday, September 26, 2002 2:20 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] HOPHIGH

How effective is scanning at multiple Hops? I'm not setting HOPHIGH right now...but I'm curious if the people who are using it are seeing its benefits, or if it is causing them any problems. And what is the recommended HOPHIGH setting (assuming HOP is set to "0")?

Bill
[Declude.JunkMail] MAILTO Filter Request
Scott,

There was a question last month (8/28 by Marv Gordon) regarding the availability of a MAILTO filter which you said wasn't an option right now. I'd like to request that you add it to the system as soon as practicable.

My situation is as follows. I provide mail relay services for a client. After their 3 unsuccessful attempts to send undeliverable and bounce messages to a spammer I end up with the message. Due to the need to keep my SMTP retries at a relatively high level of 96 (providing for 48 hr. service outages for store & forward clients) the aforementioned relayed undeliverable and bounces sit in my queue and waste resources and time on each queue run and eventually generate a meaningless undeliverable message back to the client I'm relaying for. (What a run-on sentence that was.) It would be a real benefit to kill this stuff with a MAILTO filter.

TIA for your consideration of this request.

George Kulman
Partner
Ridge Systems, L.L.C.
RE: [Declude.JunkMail] IP Blocking Question? for a NewB
Steve,

From the Junkmail Manual:

To blacklist a range of IPs, you can use CIDR style IP ranges. For example, "127.0.0.0/8" would blacklist all addresses from 127.0.0.0 through 127.255.255.255. "127.0.0.0/24" would blacklist the Class C range from 127.0.0.0 through 127.0.0.255.

George Kulman
Partner
Ridge Systems, L.L.C.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steven Cmajdalka
Sent: Sunday, September 29, 2002 8:31 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] IP Blocking Question? for a NewB

Hello. How do I filter a range of IP addresses. example, this one.

64.49.243.63 mail46.thesuperspecialsales.com
64.49.243.115 mail110.thesuperspecialsales.com

I block one then they start using 115, do I have to make an entry for each ip?

Thanks
Steve.
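The manual's CIDR examples and the two addresses from Steve's question, worked through with Python's standard `ipaddress` module as an added example that is not part of the original posts or of Declude. The helper names are hypothetical; it shows the trade-off between one block that covers both addresses and a list of blocks that covers only the range between them.

```python
import ipaddress


def cidr_range(cidr):
    """Return (first address, last address, address count) for a CIDR block."""
    # strict=True rejects input with host bits set, such as 64.49.243.63/24.
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net[0]), str(net[-1]), net.num_addresses


def smallest_covering_block(addresses):
    """Smallest single CIDR block that contains every listed address."""
    addrs = [ipaddress.ip_address(a) for a in addresses]
    if not addrs:
        raise ValueError("no addresses given")
    if len({a.version for a in addrs}) != 1:
        raise ValueError("mixing IPv4 and IPv6 addresses is not supported")
    net = ipaddress.ip_network(str(addrs[0]))  # host block: /32 or /128
    while not all(a in net for a in addrs):
        net = net.supernet()  # widen the block by one prefix bit
    return net


def exact_range_blocks(first, last):
    """CIDR blocks that cover first..last inclusive and nothing else."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)
    )
    return [str(block) for block in blocks]


if __name__ == "__main__":
    # The two ranges quoted from the manual.
    for cidr in ("127.0.0.0/8", "127.0.0.0/24"):
        first, last, count = cidr_range(cidr)
        print(f"{cidr}: {first} through {last} ({count} addresses)")

    # The two sending addresses quoted in the question.
    seen = ["64.49.243.63", "64.49.243.115"]
    block = smallest_covering_block(seen)
    print(f"one entry covering both: {block} ({block.num_addresses} addresses)")

    # Tighter alternative: only the span between the two observed addresses.
    exact = exact_range_blocks(seen[0], seen[1])
    total = sum(ipaddress.ip_network(b).num_addresses for b in exact)
    print(f"exact span {seen[0]} to {seen[1]}: {exact} ({total} addresses)")
```

A single covering block is one line to maintain but also catches addresses that were never seen sending; whether that is acceptable depends on who else sits in the block.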
RE: [Declude.JunkMail] MAILTO Filter Request
Scott,

Thanks very much.

George

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Sunday, September 29, 2002 9:14 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] MAILTO Filter Request

>There was a question last month (8/28 by Marv Gordon) regarding the
>availability of a MAILTO filter which you said wasn't an option right
>now.

It will be available in the next beta. :)

-Scott
RE: [Declude.JunkMail] STOP testing if Blacklist
Scott,

When you do get to consider this please think about something like STOP to stop testing further in the individual filter or test, and STOPALL to stop all further testing.

Thanks,
George

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Monday, September 30, 2002 8:51 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] STOP testing if Blacklist

>It would also be great if you could consider adding a stop test
>consideration.

This (and stopping when a certain weight is reached) are in the suggestion database. Given that performance is rarely an issue with Declude JunkMail, it isn't a high priority right now, but it is something that we will definitely be considering for future releases (we don't like the idea of wasting resources if it can be avoided).

-Scott
RE: [Declude.JunkMail] h:routeto
Roland,

TESTNAME ROUTETO [EMAIL PROTECTED]

Example

BLACKLIST ROUTETO [EMAIL PROTECTED]

George Kulman
Partner
Ridge Systems, L.L.C.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roland Braun
Sent: Wednesday, October 02, 2002 2:17 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] h:routeto

Hi,

what's the correct syntax for the ROUTETO action in JunkMail Pro?

Thanks in advance,
Roland

---
Dr. Roland Braun
Max-Planck-Institut fuer auslaendisches oeffentliches Recht und Voelkerrecht
Im Neuenheimer Feld 535 ; D-69120 Heidelberg
Phone: ++49-(0)6221-482608; Fax: ++49-(0)6221-482278
RE: [Declude.JunkMail] Help with directing to specific mail box
Change the WEIGHT20 in the $default$.junkmail file to read

WEIGHT16 ROUTETO [EMAIL PROTECTED]

George Kulman
Partner
Ridge Systems, L.L.C.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of grb
Sent: Monday, October 07, 2002 11:33 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Help with directing to specific mail box

I have all mail reaching a weighting of 20 being deleted... instead of deleting the email I want to send it to a specific email account

Any help is greatly appreciated... thanks in advance...

gb
[Declude.JunkMail] Declude Console Wish List Request
Scott,

Could you activate horizontal scroll capability for the window. Even at full screen there's information that's not visible on the right hand side and no scroll capability exists.

Thanks,

George Kulman
Partner
Ridge Systems, L.L.C.
Cell - 201-647-3250 or 516-582-0019
Office - 201-291-0600
Fax - 201-291-8887
[Declude.JunkMail] Hop High Testing
I may be missing something regarding this testing but it doesn't seem to be working as I understand the manual. I'm running 1.62 Junkmail Pro. The applicable settings in my GLOBAL.CFG are:

HOP 0
HOPHIGH 6

I would expect to see much more reporting if I look at the headers in an email such as the example below if every hop were processed. I realize that this example is still being identified as spam but there are others that have slipped through in the past. This is just meant to examine the multi hop question.

Thanks,

George Kulman
Partner
Ridge Systems, L.L.C.

Other germane GLOBAL.CFG Settings are:

IPBYPASS 204.127.131.123

Header follows:

Received: from mtiwgwc13.worldnet.att.net [204.127.131.123] by mail.ridge-systems.com with ESMTP (SMTPD32-7.13) id A20336700EE; Sat, 23 Nov 2002 11:51:15 -0500
Received: from [200.204.145.51] ([203.91.134.163]) by mtiwgwc13.worldnet.att.net (InterMail vM.5.01.05.12 201-253-122-126-112-20020820) with SMTP id <20021123165055.KOTW432.mtiwgwc13.worldnet.att.net@[200.204.145.51]> for <[EMAIL PROTECTED]>; Sat, 23 Nov 2002 16:50:55 +
Received: from 155.89.28.179 ([155.89.28.179]) by rly-xw05.mx.aol.com with smtp; Nov, 23 2002 8:28:06 AM -0800
Received: from 30.215.79.204 ([30.215.79.204]) by m10.grp.snv.yahoo.com with SMTP; Nov, 23 2002 7:50:07 AM +1200
Received: from 34.57.158.148 ([34.57.158.148]) by rly-xr02.mx.aol.com with local; Nov, 23 2002 6:27:17 AM +0600
Received: from 82.49.149.76 ([82.49.149.76]) by hd.regsoft.net with asmtp; Nov, 23 2002 5:49:16 AM +1100
From: qhxvissi <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Cc:
Subject: We got a a little dirty but it was all worth rvx
Sender: qhxvissi <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Date: Sat, 23 Nov 2002 08:52:30 -0800
X-Mailer: Microsoft Outlook Express 5.00.2615.200
Message-Id: <20021123165055.KOTW432.mtiwgwc13.worldnet.att.net@[200.204.145.51]>
X-RBL-Warning: BHOLE-BRAZIL: Brazil blocked by brazil.blackholes.us
X-RBL-Warning: ROUTING: This E-mail was routed in a poor manner consistent with spam [210f].
X-RBL-Warning: WEIGHT10: Weight of 34 reaches or exceeds the limit of 10.
X-Declude-Sender: [EMAIL PROTECTED] [200.204.145.51]
X-Declude-Spoolname: Db203036700eee698.SMD
X-Spam-Tests-Failed: BLACKLIST, BHOLE-BRAZIL, IPNOTINMX, ROUTING, WEIGHT10, WEIGHT16
X-Note: This E-mail was sent from 200-204-145-51.terra.com.br ([200.204.145.51]).
X-Country-Chain: [IANA Reserved]->UNITED STATES->[Unknown]->URUGUAY->UNITED STATES->destination
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 337918260

The declude log entries for this e-mail follow: (LOGLEVEL HIGH)

11/23/2002 11:52:15 Qb203036700eee698 Triggered filter on uy [weight->20].
11/23/2002 11:52:15 Qb203036700eee698 BLACKLIST:25 BHOLE-BRAZIL:5 ROUTING:4 . Total weight = 34
11/23/2002 11:52:15 Qb203036700eee698 Using [incoming] CFG file D:\IMail\Declude\$default$.junkmail.
11/23/2002 11:52:15 Qb203036700eee698 Msg failed BLACKLIST (Message failed BLACKLIST test (23)). Action=ROUTETO.
11/23/2002 11:52:15 Qb203036700eee698 Msg failed BHOLE-BRAZIL (Brazil blocked by brazil.blackholes.us). Action=WARN.
11/23/2002 11:52:15 Qb203036700eee698 Msg failed ROUTING (This E-mail was routed in a poor manner consistent with spam [210f].). Action=WARN.
11/23/2002 11:52:15 Qb203036700eee698 Msg failed WEIGHT10 (Weight of 34 reaches or exceeds the limit of 10.). Action=WARN.
11/23/2002 11:52:15 Qb203036700eee698 Msg failed WEIGHT16 (Weight of 34 reaches or exceeds the limit of 16.). Action=ROUTETO.
11/23/2002 11:52:15 Qb203036700eee698 Subject: We got a a little dirty but it was all worth rvx
11/23/2002 11:52:15 Qb203036700eee698 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]
RE: [Declude.JunkMail] Unable to get filter to work
David,

You'll also have to put a line in your $default$.junkmail (and GLOBAL.CFG for outgoing) if you want to see the test result in the headers.

George

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Lewis-Waller
Sent: Thursday, November 28, 2002 8:42 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Unable to get filter to work

Any help appreciated...

I have in my global.cfg file the line

MYFILTER filter "c:\imail\declude\myfilter.txt" x 0 0

myfilter.txt has the following lines

MAILFROM -10 CONTAINS @talk21.com
MAILFROM -10 CONTAINS @passport.com
MAILFROM -10 CONTAINS @economist.com
MAILFROM -10 CONTAINS .ft.com
MAILFROM -10 CONTAINS .bbc.co.uk

I hold email on a weight of 30. I have a test account with talk21.com which normally fails a number of tests resulting in a total weight of 33. I would have expected the weight to drop to 23 because of myfilter.txt but it doesn't. I tried silly numbers as well e.g. -60 but still end up with a total weight of 33. I'm obviously missing something fundamental.

Sent email headers:

Received: from wmpmta04-app.mail-store.com [194.73.242.6] by mail.nthost.co.uk with ESMTP (SMTPD32-7.13) id ACAC128E00CC; Thu, 28 Nov 2002 13:39:56 +
Received: from wmpmtavirtual ([10.216.84.18]) by wmpmta04-app.mail-store.com with SMTP id <20021128133955.RBKO6682.wmpmta04-app.mail-store.com@wmpmtavirtual> for <[EMAIL PROTECTED]>; Thu, 28 Nov 2002 13:39:55 +
Received: from 62.189.235.109 by t21web08-lrs ([10.216.84.18]); Thu, 28 Nov 02 13:30:20 GMT+00:00
X-Mailer: talk21 v1.26 - http://talk21.btopenworld.com
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
X-Talk21Ref: none
Date: Thu, 28 Nov 2002 13:30:20 GMT+00:00
Subject: SPAM: (No Subject)
Message-Id: <20021128133955.RBKO6682.wmpmta04-app.mail-store.com@wmpmtavirtual>
X-RBL-Warning: NOPOSTMASTER: Not supporting postmaster@domain
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [804f].
X-RBL-Warning: REVDNS: This E-mail was sent from a mail server 194.73.242.6 with no reverse DNS entry.
X-RBL-Warning: SNIFFER: Message failed SNIFFER: 4.
X-RBL-Warning: WEIGHT10: Weight of 33 reaches or exceeds the limit of 10.
X-Declude-Sender: [EMAIL PROTECTED] [194.73.242.6]
X-Note: This E-mail was scanned by Declude JunkMail for evidence of spam.
X-Note: This E-mail was sent from [No Reverse DNS] ([194.73.242.6]).

Thanks in advance.

David

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan Patnode
Sent: 28 November 2002 08:57
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] BASE64 usage

I have John. While Base64 is a great test, a number of newsletters and normal emails have come across using it. I have weakened my system to let these types of messages through and pull my hair out every time a spam gets through because of it.

Dan

On Wednesday, November 27, 2002 8:02, John Tolmachoff <[EMAIL PROTECTED]> wrote:
>Even though it has been determined that there is no legit REASON to
>use BASE64 encoding in the body, I am finding an increasing use of it.
>
>Most of these are junk, but it has caught a number of legit messages.
>
>Therefore, I have downgraded BASE64 from 15 to 12.
>
>Any one experiencing similar?
>
>John Tolmachoff MCSE, CSSA
>IT Manager, Network Engineer
>RelianceSoft, Inc.
>Fullerton, CA 92835
>www.reliancesoft.com
RE: [Declude.JunkMail] Unable to get filter to work
David, It would have been nice if I mentioned that the line to be added is: MYFILTERWARN George -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Lewis-Waller Sent: Thursday, November 28, 2002 8:42 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Unable to get filter to work Any help appreciated... I have in my global.cfg file the line MYFILTER filter "c:\imail\declude\myfilter.txt" x 0 0 myfilter.txt has the following lines MAILFROM -10 CONTAINS @talk21.com MAILFROM -10 CONTAINS @passport.com MAILFROM -10 CONTAINS @economist.com MAILFROM -10 CONTAINS .ft.com MAILFROM -10 CONTAINS .bbc.co.uk I hold email on a weight of 30. I have a test account with talk21.com which normally fails a number of tests resulting in a total weight of 33. I would have expected the weight to drop to 23 because of myfilter.txt but it doesn't. I tried silly numbers as well e.g. -60 but still end up with a total weight o 33. I'm obviously missing something fundamental. Sent email headers: Received: from wmpmta04-app.mail-store.com [194.73.242.6] by mail.nthost.co.uk with ESMTP (SMTPD32-7.13) id ACAC128E00CC; Thu, 28 Nov 2002 13:39:56 + Received: from wmpmtavirtual ([10.216.84.18]) by wmpmta04-app.mail-store.com with SMTP id <20021128133955.RBKO6682.wmpmta04-app.mail-store.com@wmpmtavirtual> for <[EMAIL PROTECTED]>; Thu, 28 Nov 2002 13:39:55 + Received: from 62.189.235.109 by t21web08-lrs ([10.216.84.18]); Thu, 28 Nov 02 13:30:20 GMT+00:00 X-Mailer: talk21 v1.26 - http://talk21.btopenworld.com From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] X-Talk21Ref: none Date: Thu, 28 Nov 2002 13:30:20 GMT+00:00 Subject: SPAM: (No Subject) Message-Id: <20021128133955.RBKO6682.wmpmta04-app.mail-store.com@wmpmtavirtual> X-RBL-Warning: NOPOSTMASTER: Not supporting postmaster@domain X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [804f]. X-RBL-Warning: REVDNS: This E-mail was sent from a mail server 194.73.242.6 with no reverse DNS entry. 
X-RBL-Warning: SNIFFER: Message failed SNIFFER: 4. X-RBL-Warning: WEIGHT10: Weight of 33 reaches or exceeds the limit of 10. X-Declude-Sender: [EMAIL PROTECTED] [194.73.242.6] X-Note: This E-mail was scanned by Declude JunkMail for evidence of spam. X-Note: This E-mail was sent from [No Reverse DNS] ([194.73.242.6]). Thanks in advance. David -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan Patnode Sent: 28 November 2002 08:57 To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] BASE64 usage I have John. While Base64 is a great test, a number of newsletters and normal emails have come across using it. I have weakened my system to let these types of messages through and pull my hair out every time a spam gets through because of it. Dan On Wednesday, November 27, 2002 8:02, John Tolmachoff <[EMAIL PROTECTED]> wrote: >Even thought it has been determined that there is no legit REASON to >use BASE64 encoding in the body, I am finding and increasing use of it. > >Most of these are junk, but it has caught a number of legit messages. > >Therefore, I have downgraded BASE64 from 15 to 12. > >Any one experiencing similar? > >John Tolmachoff MCSE, CSSA >IT Manager, Network Engineer >RelianceSoft, Inc. >Fullerton, CA 92835 >www.reliancesoft.com > > > >--- >[This E-mail was scanned for viruses by Declude Virus >(http://www.declude.com)] > >--- >This E-mail came from the Declude.JunkMail mailing list. To >unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type >"unsubscribe Declude.JunkMail". The archives can be found at >http://www.mail-archive.com. > --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. 
RE: [Declude.JunkMail] Declude JunkMail v1.65 (release)released
Scott,

You said that the existing config files will work but are there any additional options and features available? The biggest issue I have with each release is going through the config, eml, etc. files and looking for additions and changes. Could you possibly put this info in the release notes in the future.

George

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Wednesday, December 11, 2002 2:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Declude JunkMail v1.65 (release)released

> With this in mind, do we just replace the Declude.exe file or
>do we need to execute it from the command line and stop and restart
>SMTP for Imail?

All you need to do is replace the \IMail\Declude.exe file; you don't need to do anything else. If you can't copy the new one in, you can rename the old one to Declude.bak, and then you will be able to copy the new Declude.exe file in.

-Scott
RE: [Declude.JunkMail] OT: Pots & Kettles in the Clair de Lune
They belong on the same list as Citicorp & its subsidiaries.

George

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sanford Whiteman
Sent: Thursday, January 09, 2003 2:54 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] OT: Pots & Kettles in the Clair de Lune

All,

A noteworthy encounter with the officious admin of a combination draconian/broken server. I think my state of mind will be picked up pretty quickly from the following snippet. IPs and hosts changed to protect the not-so-innocent--including us, since I did screw up, too, but STILL...

>> ...our firewall does a reverse lookup. mail.clientco.com resolves
>> as 1.1.1.1...Since these two IP addresses do not match, our
>> firewall rejects the connection...
>
> This strict constraint is certainly not evident from the 421 message
> returned by your server.
>
> Moreover, your own mail servers do not meet this requirement! Your
> mail server at 2.2.2.2 uses EHLO text--
>
> EHLO [3.3.3.3]
>
> --a violation of your own requirement, since the PTR, ptr.draco.com,
> does not even have an A record at all. If ClientCo employed your
> policy, *they* would reject *your* mail!
>
> This EHLO is also a violation of RFC 2821, which states that an
> address literal is only allowed if a host has no name (3.3.3.3 does
> have a PTR record, and therefore does have a name), and a violation
> of the common test to see if EHLO and PTR match (since a PTR cannot,
> by definition, resolve to an address literal).
>
> Though I appreciate the anti-spam utility of deeply verifying EHLO
> arguments, returning a 4xx code rather than a 5xx undermines any
> "educational" utility, wasting everybody's bandwidth and delaying
> issue resolution. And if you should have occasion to review this
> policy in the future, I do hope you consider that your own systems
> violate it. :)
>
> Sincerely yours,
>
> Sandy

-Sandy

Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]
[Declude.JunkMail] Final Action
Scott,

I run Junkmail at a log setting of HIGH. After switching to 166i11 I have noticed that the last log entry for every e-mail reads "Final Action = IGNORE". This is the case even though various tests may show Actions of WARN, COPYTO, or ROUTETO. What's the story?

Thanks,

George Kulman
Partner
Ridge Systems, L.L.C.
[Declude.JunkMail] IPBlacklist CIDR Question
Scott,

When JunkMail does a CIDR calculation from an entry in ipblacklist.txt file does it use the actual value of the IP address that is listed or does it calculate what it believes to be the correct range of addresses?

For example, how would the following entry be interpreted?

216.162.101.110/27

A. from 216.162.101.110 to 216.162.101.141 or

B. from 216.192.101.96 to 216.162.101.127

TIA,

George Kulman
Partner
Ridge Systems, L.L.C.
[Declude.JunkMail] HiJack Enhancement
Scott,

I find that HiJack catches a meaningful amount of SPAM for the store and forward domains and probably also helps out on Dictionary Attacks as well. It seems like some spammers deliberately target secondary MX's with the thought that they can sneak stuff through more easily.

It appears that HiJack keeps its records in memory and, if there's a restart on Declude.exe the statistics are reset.

If this is a correct interpretation, would it be possible to maintain this data in an editable file which would be loaded by HiJack on a restart? Also to add a "persistence parameter" that would enable us to set a time period for retention of entries in the file, 10 days for example. That would keep the list from growing infinitely.

George Kulman
Partner
Ridge Systems, L.L.C.
RE: [Declude.JunkMail] IPBlacklist CIDR Question
Thanks

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Sunday, February 02, 2003 9:12 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] IPBlacklist CIDR Question

>When JunkMail does a CIDR calculation from an entry in ipblacklist.txt
>file does it use the actual value of the IP address that is listed or
>does it calculate what it believes to be the correct range of
>addresses?

It calculates the full range of addresses. So:

>For example, how would the following entry be interpreted?
>
>216.162.101.110/27
>
>A. from 216.162.101.110 to 216.162.101.141 or
>
>B. from 216.192.101.96 to 216.162.101.127

This would be treated as B. That way, if you have an IP, you can enter it and the CIDR range without having to make sure that it is set up properly (so you can enter "192.0.2.25/24" and get the whole 192.0.2.0-192.0.2.255 range without having to change it to "192.0.2.0/24").

-Scott
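The normalisation described in this reply, worked through in Python as an added example (not Declude's code; the function names are assumptions made for illustration). The listed address is masked down to its network address before the range is expanded, which gives interpretation B; `naive_range` computes interpretation A for comparison.

```python
import ipaddress

FULL = 0xFFFFFFFF  # all 32 bits set


def _split(entry):
    """Split 'a.b.c.d/len' into (address as int, prefix length)."""
    addr_text, sep, prefix_text = entry.strip().partition("/")
    prefix = int(prefix_text) if sep else 32  # a bare IP is treated as a /32
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length in {entry!r}")
    return int(ipaddress.IPv4Address(addr_text)), prefix


def cidr_range(entry):
    """Interpretation B: clear the host bits, then span the whole block."""
    addr, prefix = _split(entry)
    mask = (FULL << (32 - prefix)) & FULL   # /27 -> 0xFFFFFFE0
    first = addr & mask                     # network address
    last = first | (~mask & FULL)           # broadcast address
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last))


def naive_range(entry):
    """Interpretation A: start counting at the listed address itself."""
    addr, prefix = _split(entry)
    last = min(addr + (1 << (32 - prefix)) - 1, FULL)
    return str(ipaddress.IPv4Address(addr)), str(ipaddress.IPv4Address(last))


def is_listed(ip, entries):
    """True if ip falls inside any blacklist entry after normalisation."""
    target = int(ipaddress.IPv4Address(ip))
    for entry in entries:
        first, last = cidr_range(entry)
        lo = int(ipaddress.IPv4Address(first))
        hi = int(ipaddress.IPv4Address(last))
        if lo <= target <= hi:
            return True
    return False


def agrees_with_stdlib(entry):
    """Cross-check against ipaddress.ip_network(..., strict=False)."""
    net = ipaddress.ip_network(entry.strip(), strict=False)
    return cidr_range(entry) == (str(net.network_address),
                                 str(net.broadcast_address))


if __name__ == "__main__":
    for entry in ("216.162.101.110/27", "192.0.2.25/24"):
        print(entry, "B:", cidr_range(entry), "A:", naive_range(entry))
    # A strict parser refuses an entry whose host bits are set, which is
    # the hand-correction the lenient behaviour saves the admin from.
    try:
        ipaddress.ip_network("216.162.101.110/27")  # strict=True is the default
    except ValueError as exc:
        print("strict parser:", exc)
```

The practical consequence for a blacklist is that 216.162.101.100 is blocked by the entry even though it is numerically below the listed address, while 216.162.101.130 is not.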
RE: [Declude.JunkMail] HiJack Enhancement
Thanks again Scott.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Sunday, February 02, 2003 9:28 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] HiJack Enhancement

>I find that HiJack catches a meaningful amount of SPAM for the store
>and forward domains and probably also helps out on Dictionary Attacks
>as well. It seems like some spammers deliberately target secondary MX's
>with the thought that they can sneak stuff through more easily.

Yes, many spammers have caught on that sending to secondary MX's makes it more likely that the E-mail will not get caught.

>It appears that HiJack keeps its records in memory and, if there's a
>restart on Declude.exe the statistics are reset.

Correct.

>If this is a correct interpretation, would it be possible to maintain
>this data in an editable file which would be loaded by HiJack on a
>restart? Also to add a "persistence parameter" that would enable us to
>set a time period for retention of entries in the file, 10 days for
>example. That would keep the list from growing infinitely.

That's a very good idea -- I'll see if we can incorporate that into Declude Hijack.

-Scott
[Declude.JunkMail] Filter Question
Hi Scott,

Nothing like a quiet Sunday morning to get the questions going.

I have a filter question and will use the following header to explain. The e-mail is being handled correctly by JunkMail according to the GLOBAL.CFG settings.

I would like to be able to filter on the domain names of mailservers in the chain. In this case I would like to have an entry such as

WHATEVER CONTAINS .aebolts.com (Where WHATEVER is a valid filter screening criteria for the mailservers in the chain).

I know I can use HEADER for this but is there a parameter I've missed that would let me have these checked as JunkMail is parsing to do its thing on each of the hops. I have HOPHIGH 6 in my GLOBAL.CFG.

I realize that this particular piece of SPAM has been identified as such by many other tests, but that's not the question here.

As always, thanks for the time.

George Kulman
Partner
Ridge Systems, L.L.C.

Example Header follows:
***
Received: from mtiwmhc14.worldnet.att.net [204.127.131.114] by mail.ridge-systems.com with ESMTP (SMTPD32-7.13) id A1E0250252; Sun, 02 Feb 2003 09:57:36 -0500
Received: from mtiwmhc14.worldnet.att.net ([127.0.0.1]) by mtiwmhc14.worldnet.att.net (InterMail vM.5.01.05.12 201-253-122-126-112-20020820) with ESMTP id <[EMAIL PROTECTED] net> for <[EMAIL PROTECTED]>; Sun, 2 Feb 2003 14:56:07 +
Received: from data.aebolts.com ([216.171.211.31]) by mtiwmhc14.worldnet.att.net (mtiwmhc14) with ESMTP id <2003020214560611400kmvlje>; Sun, 2 Feb 2003 14:56:06 +
Received: from data.aebolts.com (data.aebolts.com [216.171.211.31] (may be forged)) by data.aebolts.com (8.12.6/8.12.6) with ESMTP id h12FSook018111 for <[EMAIL PROTECTED]>; Sun, 2 Feb 2003 07:28:50 -0800
Received: (from root@localhost) by data.aebolts.com (8.12.6/8.12.6/Submit) id h12FSo64018109; Sun, 2 Feb 2003 07:28:50 -0800
Message-Id: <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Reply-To: <[EMAIL PROTECTED]>
From: "Rick Wagner" <[EMAIL PROTECTED]>
Subject:
Date: Sun Feb 2 01:05:00 PST 2003
MIME-Version: 1.0
Content-Type: text/html;
Content-Transfer-Encoding: 7bit
X-RBL-Warning: SPAMCOP: Blocked - see http://spamcop.net/bl.shtml?216.171.211.31
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [801e].
X-Declude-Sender: [EMAIL PROTECTED] [127.0.0.1]
X-Declude-Spoolname: D31e0002502523542.SMD
X-Spam-Tests-Failed: 15 SPAMCOP, BADHEADERS, IPNOTINMX, WEIGHT10
X-Note: This E-mail was sent from (Private IP) ([127.0.0.1]).
X-Country-Chain: UNITED STATES->destination
X-ALLRECIPS: [EMAIL PROTECTED]
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 341851603
RE: [Declude.JunkMail] Filter Question
Scott,

OK. I'll leave you alone for the rest of today.

BTW, HiJack has trapped over 500 pieces of SPAM this weekend for 2 domains whose Primary MX's have been up and running the entire time. JunkMail got another 400+ for 1 of those domains. Just shows how the spammers are going after the secondary MX's.

George

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Sunday, February 02, 2003 11:59 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Filter Question

>I would like to be able to filter on the domain names of mailservers in
>the chain. In this case I would like to have an entry such as
>
>WHATEVER CONTAINS .aebolts.com (Where WHATEVER is a valid filter
>screening criteria for the mailservers in the chain). I know I can use
>HEADER for this but is there a parameter I've missed that would let me
>have these checked as JunkMail is parsing to do its thing on each of
>the hops. I have HOPHIGH 6 in my GLOBAL.CFG.

No, there isn't any other parameter aside from HEADERS that you could filter on in this case. Although Declude JunkMail does look at the server names, the only one it cares about is one corresponding to the remote mailserver (the HELO parameter in filtering).

In this case, I would recommend using something like:

HEADERS 5 CONTAINS .aebolts.com (

Adding the "(" there should prevent virtually all other headers from triggering the filter (for example, you could have "Subject: We have to do something about these .aebolts.com E-mails!" that wouldn't get caught). It's not quite as accurate as it would be if there was a parameter that just searched the server names, but it's pretty close.

-Scott
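A small model of the substring filter recommended in this reply, as an added example rather than Declude's implementation. It assumes each matching filter line adds its weight once, that matching is case-insensitive, and that folded headers are joined with single spaces before matching; the function names and both sample messages are constructed for illustration.

```python
import re


def parse_filter(text):
    """Parse 'FIELD WEIGHT CONTAINS needle' lines into (field, weight, needle)."""
    rules = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        # maxsplit=3 keeps spaces inside the needle, e.g. ".aebolts.com ("
        parts = raw.strip().split(None, 3)
        if len(parts) != 4 or parts[2].upper() != "CONTAINS":
            raise ValueError(f"unsupported filter line: {raw!r}")
        rules.append((parts[0].upper(), int(parts[1]), parts[3]))
    return rules


def unfold(raw_headers):
    """Join continuation lines and collapse whitespace runs to one space.

    Without this step a Received header folded between the host name and
    the "(" would carry a tab there and the needle would never match.
    """
    lines = []
    for line in raw_headers.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        elif line:
            lines.append(line)
    return [re.sub(r"\s+", " ", item) for item in lines]


def score(rules, raw_headers):
    """Return (total weight, [(needle, matching header lines), ...])."""
    headers = unfold(raw_headers)
    total, hits = 0, []
    for field, weight, needle in rules:
        if field != "HEADERS":
            continue
        matched = [h for h in headers if needle.lower() in h.lower()]
        if matched:
            total += weight
            hits.append((needle, matched))
    return total, hits


# Constructed sample: relayed through the host, header folded before "(".
RELAYED = (
    "Received: from data.aebolts.com\n"
    "\t([216.171.211.31]) by mtiwmhc14.worldnet.att.net with ESMTP;\n"
    "\tSun, 2 Feb 2003 14:56:06 +0000\n"
    "Subject: constructed sample\n"
)
# Constructed sample: only mentions the domain in the Subject.
MENTION = (
    "Received: from mail.example.org ([192.0.2.10]) by mx.example.net;\n"
    "\tSun, 2 Feb 2003 15:00:00 +0000\n"
    "Subject: We have to do something about these .aebolts.com E-mails!\n"
)

LOOSE = parse_filter("HEADERS 5 CONTAINS .aebolts.com")
TIGHT = parse_filter("HEADERS 5 CONTAINS .aebolts.com (")

if __name__ == "__main__":
    for name, rules in (("loose", LOOSE), ("tight", TIGHT)):
        print(name, "relayed:", score(rules, RELAYED)[0],
              "mention:", score(rules, MENTION)[0])
```

Because any Received line below the one written by your own server is supplied by the sender, a match of this kind is better used as a weight than as a sole blocking criterion.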
RE: [Declude.JunkMail] Tuning Declude
Dan,

I feel that this is as much art as science and that there's no simple 'one size fits all' solution. I haven't done any hard statistical testing but here's my setup.

I use the JunkMail default weightings and find that a WEIGHT of 16 gives very few false positives, probably less than 1 in a thousand, so I class all of that as SPAM and HOLD IT. I do a cursory manual review once a day before deleting them.

I COPYTO an analysis address (similar to your jmillionaire) all with a WEIGHT of 10 to 15 for evaluation.

I have an IPBLACKLIST file with approx 330 addresses and ranges that I've developed from the evaluation process. I use the reverse DNS lookup at www.samspade.org as a helpful tool for this.

I also have a number of filters for domains and countries (over 600 entries), mailservers, and content. I treat all of these as SPAM when matched.

I have found that each of the domains I process for has a different group of spammers. It all depends on what their business is, where they go on the web, etc. I'd strongly recommend that you not rely on your single domain for evaluation but that you use a COPYTO for various tests in all of the domains you process to get a more accurate feel for what's being processed. Even if you add a few at a time so that you're not buried in the deluge.

It took me about a month to get to where I was happy with the result and now takes about an hour a day to review & stay on top of it. My volume is a paltry 10K e-mails a day with about 60% SPAM.

There are many tools available as well as filter lists that you can use as a starting point - check the Declude web site for Tools.

George Kulman
Partner
Ridge Systems, L.L.C.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan Geiser
Sent: Thursday, February 13, 2003 12:27 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Tuning Declude

Hello, All,

I've been running Declude.JunkMail for a few days now. We have about 90 domains on our IMail v6.06 Server. I have set up Declude.JunkMail to ignore all of the domains except for one, our in-house domain NEXUSTECHGROUP.COM. My $default$.junkmail for NEXUSTECHGROUP.COM still has all of the default tests enabled. I have set up a bogus e-mail address, [EMAIL PROTECTED], and for each test my action is COPYTO [EMAIL PROTECTED] so I can see all of the e-mails that Declude.JunkMail sees as possible spam.

On my e-mail client I have set up a folder to drop all of the "jmillionaire" mail into. As messages are filtered into this folder I divide them into 2 categories, False Positives and True Positives. For each message I am tracking which Declude.JunkMail tests those messages are failing which has given me a sheet full of data which looks something like this...

False Positives
===
BADHEADERS II
BASE64 I
DSBL I
HELOBOGUS III
IPNOTINMX III
MAILFROM I
MONKEYPROXIES I
NOABUSE
NOPOSTMASTER II
OSSRC
REVDNS I
ROUTING III
SPAMCOP I
SPAMHEADERS
WEIGHT10 I
WEIGHT20 I
WIREHUB-DNSBL II

True Positives
==
BADHEADERS I
DSBL I
HELOBOGUS III
IPNOTINMX III
MONKEYPROXIES I
NOPOSTMASTER I
OSPROXY I
REVDNS
SPAMCOP I
WEIGHT10 III
WEIGHT20 I
WIREHUB-DNSBL I

This data sheet allows me to see which tests are catching a lot of False Positives. (Note: From reading the Manual I'm aware that IPNOTINMX will catch a lot of false positives but that it can be used when weighting comes into play) Has anyone else done it this way?

So in the above example I can see that IPNOTINMX is catching a heck of a lot of FALSE POSITIVES. If I was trying to minimize the amount of FALSE POSITIVES I could switch that to IGNORE and then I could start tracking messages again and see if my True Positive numbers stay up while my False Positive numbers go down.

Anyway, just using the tests themselves without any sort of weighting seems to be a heavy-handed way of doing things so obviously I would like to bring weighting into the picture but I am at sort of an impasse in my knowledge so I'm reaching out to the group.

Quandary #1) How to use Declude.JunkMail to weight messages from a technical standpoint

I understand the concept of weighting the e-mails from an abstract level but it's not clear to me from a technical level how Declude implements it. There are big holes in my understanding of the purpose of the global.cfg vs. the $default$.junkmail files. Is there a step-by-step breakdown of each line of global.cfg somewhere that I can read? I've been reading the JunkMail Manual and it makes mention of different entries as needed but there doesn't seem to be a comprehensive explanation of the cfg as a whole. Once I understand what each line in the cfg does I
RE: [Declude.JunkMail] Can someone help me get this blocked?
Marc,

You can use a filter (well documented as far as how to set them up) with an entry of

HEADERS 10 CONTAINS

which will add a weight of 10.

George

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Marc Catuogno
Sent: Sunday, February 23, 2003 11:26 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Can someone help me get this blocked?

These e-mails have been flooding my hold folder. I’m running Declude pro. I have a delete weight of 40 and a hold weight of 30. All this spam has been right between. Is there something I can add to either bump up this weight by about 7 or is there something unique in here that I can filter upon that I don’t see? It has been coming from random IPs and the sender has been “salestoday(random crap)@lycos”. I was thinking of bouncing anything from @lycos but this will result in many bounced messages that won’t get delivered. And I’m not sure I just want to delete anything from lycos. Any suggestions would be greatly appreciated.

Marc

Received: from lycos.com [200.131.216.16] by mail.prudentialrand.com (SMTPD32-7.13) id AD41C450058; Sat, 22 Feb 2003 16:36:01 -0500
Received: from 169.142.51.247 ([169.142.51.247]) by n1.groups.yahoo.com with QMQP; Sat, 22 Feb 2003 05:45:22 -
Message-ID: <[EMAIL PROTECTED]>
From: "This information will help." <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: [SPAM]ADV:Need help with Marketing your Web Site?
Date: Sat, 22 Feb 2003 01:49:54 +0800
MiME-Version: 1.0
Content-Type: multipart/mixed; boundary="=_NextPart_000_00V8_70Y81A1B.C1122G33"
X-Mailer: Microsoft Outlook, Build 10.0.2627
Importance: Normal
X-RBL-Warning: SPAMCOP: Blocked - see http://spamcop.net/bl.shtml?200.131.216.16
X-RBL-Warning: NOPOSTMASTER: Not supporting [EMAIL PROTECTED]
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [a040010f].
X-RBL-Warning: BASE64: A binary encoded text or HTML section was found in this E-mail.
X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 200.131.216.16 with no reverse DNS entry.
X-RBL-Warning: ROUTING: This E-mail was routed in a poor manner consistent with spam [a040010f].
X-RBL-Warning: WEIGHT25: Weight of 33 reaches or exceeds the limit of 25.
X-Declude-Sender: [EMAIL PROTECTED] [200.131.216.16]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: SPAMCOP, NOPOSTMASTER, BADHEADERS, BASE64, IPNOTINMX, REVDNS, ROUTING, WEIGHT10, WEIGHT20, WEIGHT15, WEIGHT25, WEIGHT30

--=_NextPart_000_00V8_70Y81A1B.C1122G33