Re: [Declude.JunkMail] BADHEADERS code 8400000a

2004-01-22 Thread Matt
Very much appreciated.  Back when I did a review of hits for this, I 
think it was over 95% FP's. Even if that isn't accurate, it's 
problematic enough to allow us to turn it off.

Thanks,

Matt



R. Scott Perry wrote:


I'm using i20 currently. Note that IE and probably Exchange as well, 
will allow a CC field with no To and it would previously produce the 
same results, I mention this because you didn't mention the exception,
only the BCC exception.  People do of course send out to lists 
using the CC field, especially since IE doesn't show the BCC field by 
default.


It does seem odd the way that RFCs allow the lone Bcc: header, but not 
a lone Cc: header.

I definitely got an FP this morning on this using a BCC to multiple 
addresses:


The problem here is that Microsoft forgot to add a Bcc: header.  It's 
one of those weird things, that a Bcc: header is required even though 
one would think that a Bcc: header shouldn't be present (since it 
won't be completely "b" or "blind" if the header is there).  But if 
there is no "To:" header, the "Bcc:" header should be there.

However, it seems that little spam actually has this problem, so we 
will consider removing it from the BADHEADERS test.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus 
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


Re: [Declude.JunkMail] BADHEADERS code 8400000a

2004-01-22 Thread R. Scott Perry

I'm using i20 currently. Note that IE and probably Exchange as well, will 
allow a CC field with no To and it would previously produce the same 
results, I mention this because you didn't mention the exception, only 
the BCC exception.  People do of course send out to lists using the CC 
field, especially since IE doesn't show the BCC field by default.

It does seem odd the way that RFCs allow the lone Bcc: header, but not a 
lone Cc: header.

I definitely got an FP this morning on this using a BCC to multiple addresses:

The problem here is that Microsoft forgot to add a Bcc: header.  It's one 
of those weird things, that a Bcc: header is required even though one would 
think that a Bcc: header shouldn't be present (since it won't be completely 
"b" or "blind" if the header is there).  But if there is no "To:" header, 
the "Bcc:" header should be there.

However, it seems that little spam actually has this problem, so we will 
consider removing it from the BADHEADERS test.

   -Scott


Re: [Declude.JunkMail] BADHEADERS code 8400000a

2004-01-22 Thread Matt
I'm using i20 currently. Note that IE and probably Exchange as well, 
will allow a CC field with no To and it would previously produce the 
same results, I mention this because you didn't mention the exception, 
only the BCC exception.  People do of course send out to lists using the 
CC field, especially since IE doesn't show the BCC field by default.

I definitely got an FP this morning on this using a BCC to multiple 
addresses:

From <[EMAIL PROTECTED]> Thu Jan 22 11:09:35 2004
Received: from *.*.*.org [209.105.181.131] by *.com with 
ESMTP
 (SMTPD32-8.05) id A5BB61017C; Thu, 22 Jan 2004 11:09:31 -0500
X-Exclaimer-OnMessagePostCategorize-{71daf94f-e3fe-4bbf-865a-6309cc88575e}: 
C:\Program Files\eXclaimer\eXclaimer.dll - 2.0.4.67
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Content-Transfer-Encoding: 7bit
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
MIME-Version: 1.0
Content-Type: multipart/alternative;
   boundary="_=_NextPart_001_01C3E102.1D744C46"
Subject: [11] Moms
Date: Thu, 22 Jan 2004 11:09:29 -0500
Message-ID: 
<[EMAIL PROTECTED]>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Moms
thread-index: AcPg93uCfg9mp7t5Qme9dmWnmlCzmgACj/+A
From: "Patti Tripoli" <[EMAIL PROTECTED]>
X-MailPure: 
==
X-MailPure: NOLEGITCONTENT: Failed, no legitimate content detected 
(weight 0).
X-MailPure: HELOBOGUS: Failed, bogus connecting server name (weight 4).
X-MailPure: BASE64: Failed, base64 encoded plain text or HTML (weight 3).
X-MailPure: CONCEALED: Failed, concealed message (weight 1).
X-MailPure: BADHEADERS: Failed, non-RFC compliant headers [840a] 
(weight 4).
X-MailPure: SNIFFER-WHITE: Failed, listed in the White Rules category 
(weight 0).
X-MailPure: WORDFILTER-BODY: Message failed WORDFILTER-BODY test (line 
43, weight 1).
X-MailPure: RECIPIENTS - <[EMAIL PROTECTED]>
X-MailPure: 
==
X-MailPure: Spam Score: 11
X-MailPure: Scan Time: 11:09:35 on 01/22/2004
X-MailPure: Spool File: Df5bb0061017ca15e.SMD
X-MailPure: Server Name: *.*.*.org
X-MailPure: SMTP Sender: [EMAIL PROTECTED]
X-MailPure: Received From: *-*-*-*.*.*.net 
[*.*.*.*]
X-MailPure: 
==
X-MailPure: Spam and virus blocking services provided by MailPure.com
X-MailPure: 
==
X-Declude-Date: 01/22/2004 16:09:29 [0]
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: R
X-UIDL: 372977713





R. Scott Perry wrote:


I've been laying low on this one for a while, but BADHEADERS hits for 
not having a proper To address is commonly producing false positives 
on my system with personal E-mail, some of which will cause the 
messages to be held.  The issue here (just in case it was forgotten) 
is that Microsoft allows seemingly all of their mail clients to send 
without specifying a To address, in which case this test gets 
tripped.  This happens mostly on newsletters or BCC blasts, but it also 
happens on 
personal E-mail on occasion, and it is very highly associated with 
legit E-mail instead of spam (at least on my system). When sending 
from an Exchange Web mail client, the BASE64 test also gets tripped, 
so this can be problematic based on associations as well.

Would you please remove this from hitting, or at least give us an 
entry to turn it off?


What version of Declude JunkMail are you using?  The latest interim 
release will not trigger the BADHEADERS test if there is a Bcc: header 
but no To: header (whereas previous versions would), since it is 
technically OK to have no To: header if there is a Bcc: header.

   -Scott


Re: [Declude.JunkMail] BADHEADERS code 8400000a

2004-01-22 Thread R. Scott Perry

I've been laying low on this one for a while, but BADHEADERS hits for not 
having a proper To address is commonly producing false positives on my 
system with personal E-mail, some of which will cause the messages to be 
held.  The issue here (just in case it was forgotten) is that Microsoft 
allows seemingly all of their mail clients to send without specifying a To 
address, in which case this test gets tripped.  This happens mostly on 
newsletters or BCC blasts, but it also happens on 
personal E-mail on occasion, and it is very highly associated with legit 
E-mail instead of spam (at least on my system). When sending from an 
Exchange Web mail client, the BASE64 test also gets tripped, so this can 
be problematic based on associations as well.

Would you please remove this from hitting, or at least give us an entry to 
turn it off?

What version of Declude JunkMail are you using?  The latest interim release 
will not trigger the BADHEADERS test if there is a Bcc: header but no To: 
header (whereas previous versions would), since it is technically OK to 
have no To: header if there is a Bcc: header.

   -Scott
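
Added example, not part of the original thread and not Declude's code: a Python model of the missing-To: check as the messages above describe it, before and after the interim release, run over constructed header blocks. The function names and the sample messages are assumptions made for illustration.

```python
from email.parser import HeaderParser

# Constructed header blocks for illustration; none is a real message.
SAMPLES = {
    "to_present": "From: a@example.com\nTo: b@example.com\nSubject: hi\n\nbody\n",
    "bcc_only": "From: a@example.com\nBcc:\nSubject: list mail\n\nbody\n",
    "cc_only": "From: a@example.com\nCC: list@example.com\nSubject: hi\n\nbody\n",
    "no_recipient_headers": "From: a@example.com\nSubject: hi\n\nbody\n",
    # A "To:" line in the body is not a header and must not satisfy the check.
    "to_in_body_only": "From: a@example.com\nSubject: hi\n\nTo: b@example.com\n",
}

def recipient_headers(raw):
    """Return which of To/Cc/Bcc appear as headers (names compared case-insensitively)."""
    msg = HeaderParser().parsestr(raw)
    return {name.lower() for name in msg.keys()} & {"to", "cc", "bcc"}

def fires_old(raw):
    """Earlier behaviour as described in the thread: fire whenever To: is absent."""
    return "to" not in recipient_headers(raw)

def fires_interim(raw):
    """Interim-release behaviour as described: a Bcc: header excuses a missing To:."""
    present = recipient_headers(raw)
    return "to" not in present and "bcc" not in present

def compare(samples):
    """Map sample name -> (old verdict, interim verdict)."""
    return {name: (fires_old(raw), fires_interim(raw)) for name, raw in samples.items()}

def newly_cleared(samples):
    """Samples the old rule flagged that the interim rule no longer flags."""
    return sorted(n for n, (old, new) in compare(samples).items() if old and not new)

def still_flagged(samples):
    """Samples that remain flagged under the interim rule."""
    return sorted(n for n, (_, new) in compare(samples).items() if new)

if __name__ == "__main__":
    for name, (old, new) in compare(SAMPLES).items():
        print(f"{name:22} old={old!s:5} interim={new}")
```

Only the lone-Bcc: message changes verdict; the Cc:-only message and the message with no recipient headers, the two cases raised in the thread, are still flagged under the rule as modelled.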


[Declude.JunkMail] BADHEADERS code 8400000a

2004-01-22 Thread Matt
Scott,

I've been laying low on this one for a while, but BADHEADERS hits for 
not having a proper To address is commonly producing false positives on 
my system with personal E-mail, some of which will cause the messages to 
be held.  The issue here (just in case it was forgotten) is that 
Microsoft allows seemingly all of their mail clients to send without 
specifying a To address, in which case this test gets tripped.  This  
happens mostly on newsletters or BCC blasts, but it also happens on 
personal E-mail on occasion, and it is very highly associated with legit 
E-mail instead of spam (at least on my system). When sending from an 
Exchange Web mail client, the BASE64 test also gets tripped, so this can 
be problematic based on associations as well.

Would you please remove this from hitting, or at least give us an entry 
to turn it off?

Thanks,

Matt
