Re: [Declude.JunkMail] Declude Gone Wild

2003-01-23 Thread R. Scott Perry


Today I had an instance where all my mail started being held as SPAM.  99% 
of it was legit mail.

Fortunately, this is usually easy to diagnose.


I am running Declude 1.63


FYI, 1.63 is an old beta version, so I would recommend upgrading to 1.65.


01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed OSRELAY (This entry was 
last confirmed open on 1/4/2003). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SPAMCOP (Blocked - see 
http://spamcop.net/bl.shtml?202.105.130.36). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed DSBL 
(http://dsbl.org/listing.php?202.105.130.36). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed NJABL (relay tested -- 
1007947419). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed BADHEADERS (This E-mail 
was sent from a broken mail client [804f].). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed REVDNS (This E-mail was 
sent from a MUA/MTA 202.105.130.36 with no reverse DNS entry.). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SNIFFER (Message failed 
SNIFFER: 63.). Action=HOLD.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed WEIGHT10 (Weight of 32 
reaches or exceeds the limit of 10.). Action=BOUNCE.

This shows that the E-mail failed a *lot* of tests.  This E-mail will be 
treated as spam by most servers running anti-spam software.  202.105.130.36 
is apparently a serious source of spam.  It's also an IP address in China, 
so I'm guessing this probably isn't legitimate mail.

So the question here would just be whether or not the E-mail actually came 
from that IP.  If it did, this is just a standard false positive, and would 
need to be handled appropriately (perhaps whitelisting it).  If it did not, 
then there is a serious problem somewhere along the line -- but I'll bet 
that the E-mail really did come from that IP.

//Later On During Day
01/22/2003 20:28:12 Q4527514f0150ab35 Msg failed HELOBOGUS (Domain 
scanner2 has no MX or A records.). Action=WARN.

This, too, is a case of Declude JunkMail working properly (again, with the 
assumption that it is finding the correct information, and that the 
computer that sent the mail to IMail claimed to be "scanner2").  "scanner2" 
isn't a valid host name (and I'd guess it is coming from an open relay 
scanner, which wouldn't be legitimate mail either).

What you need to do here is find some log file entries for legitimate mail 
that is getting caught -- from those, we can figure out if it should be 
getting caught (in which case tweaking your settings would likely be 
necessary, if such a high rate of legitimate mail is caught), or if it 
should not due to some problem.
-Scott
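
The triage described in this reply (group the "Msg failed" entries per message, see which tests fired, from which IP, at what weight, and whether the same message was tested more than once) can be scripted. This is an added example, not part of the thread and not Declude's own tooling; the function names are hypothetical and the line format is assumed from the entries quoted in the thread.

```python
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) (Q\w+) Msg failed (\S+) "
    r"\((.*)\)\. Action=(\w+)\.$"
)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
WEIGHT_RE = re.compile(r"Weight of (\d+) reaches or exceeds the limit of (\d+)")

# Entries copied from the thread with the e-mail line wrapping undone (format assumed).
ONE_PASS = """\
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SPAMCOP (Blocked - see http://spamcop.net/bl.shtml?202.105.130.36). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed REVDNS (This E-mail was sent from a MUA/MTA 202.105.130.36 with no reverse DNS entry.). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SNIFFER (Message failed SNIFFER: 63.). Action=HOLD.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed WEIGHT10 (Weight of 32 reaches or exceeds the limit of 10.). Action=BOUNCE.
"""
# The same pass twice, as in the posted log, plus the later HELOBOGUS entry.
SAMPLE_LOG = ONE_PASS * 2 + (
    "01/22/2003 20:28:12 Q4527514f0150ab35 Msg failed HELOBOGUS "
    "(Domain scanner2 has no MX or A records.). Action=WARN.\n"
)

def summarize(log_text):
    """Group 'Msg failed' entries by queue ID."""
    msgs = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a test-failure entry
        _, qid, test, reason, action = m.groups()
        s = msgs.setdefault(
            qid, {"tests": Counter(), "ips": set(), "actions": set(), "weight": None})
        s["tests"][test] += 1                    # how often each test was logged
        s["ips"].update(IP_RE.findall(reason))   # sending IP quoted in the reason
        s["actions"].add(action)
        w = WEIGHT_RE.search(reason)
        if w:
            s["weight"] = (int(w.group(1)), int(w.group(2)))  # (weight, limit)
    return msgs

def repeated_passes(msgs):
    """Queue IDs whose tests were logged more than once, with the pass count."""
    return {q: max(s["tests"].values()) for q, s in msgs.items()
            if max(s["tests"].values()) > 1}

if __name__ == "__main__":
    for qid, s in summarize(SAMPLE_LOG).items():
        print(qid, dict(s["tests"]), sorted(s["ips"]), s["weight"], sorted(s["actions"]))
```

Run against a full day's log, the per-message summary separates mail that fails many independent tests from mail held by a single test, and `repeated_passes` lists the queue IDs that were tested more than once.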



[Declude.JunkMail] Declude Gone Wild

2003-01-22 Thread Darrell LaRock

Today I had an instance where all my mail started being held as SPAM.  99% of it was 
legit mail.  At first I thought it may be a sniffer problem as that was installed 
within the last week.

Attached is a snippet of logs that shows declude over and over testing a piece of mail

I disabled Sniffer at approximately 2:30pm today.  Reviewing the logs now seems to show 
that declude is still repeating the behavior below *substantially* less though.

I am running Declude 1.63

Any thoughts?

//INITIAL PROBLEM
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed OSRELAY (This entry was last 
confirmed open on 1/4/2003). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SPAMCOP (Blocked - see 
http://spamcop.net/bl.shtml?202.105.130.36). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed DSBL 
(http://dsbl.org/listing.php?202.105.130.36). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed NJABL (relay tested -- 1007947419). 
Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed BADHEADERS (This E-mail was sent from 
a broken mail client [804f].). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed REVDNS (This E-mail was sent from a 
MUA/MTA 202.105.130.36 with no reverse DNS entry.). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SNIFFER (Message failed SNIFFER: 
63.). Action=HOLD.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed WEIGHT10 (Weight of 32 reaches or 
exceeds the limit of 10.). Action=BOUNCE.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed OSRELAY (This entry was last 
confirmed open on 1/4/2003). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SPAMCOP (Blocked - see 
http://spamcop.net/bl.shtml?202.105.130.36). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed DSBL 
(http://dsbl.org/listing.php?202.105.130.36). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed NJABL (relay tested -- 1007947419). 
Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed BADHEADERS (This E-mail was sent from 
a broken mail client [804f].). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed REVDNS (This E-mail was sent from a 
MUA/MTA 202.105.130.36 with no reverse DNS entry.). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SNIFFER (Message failed SNIFFER: 
63.). Action=HOLD.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed WEIGHT10 (Weight of 32 reaches or 
exceeds the limit of 10.). Action=BOUNCE.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed OSRELAY (This entry was last 
confirmed open on 1/4/2003). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SPAMCOP (Blocked - see 
http://spamcop.net/bl.shtml?202.105.130.36). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed DSBL 
(http://dsbl.org/listing.php?202.105.130.36). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed NJABL (relay tested -- 1007947419). 
Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed BADHEADERS (This E-mail was sent from 
a broken mail client [804f].). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed REVDNS (This E-mail was sent from a 
MUA/MTA 202.105.130.36 with no reverse DNS entry.). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SNIFFER (Message failed SNIFFER: 
63.). Action=HOLD.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed WEIGHT10 (Weight of 32 reaches or 
exceeds the limit of 10.). Action=BOUNCE.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed OSRELAY (This entry was last 
confirmed open on 1/4/2003). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SPAMCOP (Blocked - see 
http://spamcop.net/bl.shtml?202.105.130.36). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed DSBL 
(http://dsbl.org/listing.php?202.105.130.36). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed NJABL (relay tested -- 1007947419). 
Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed BADHEADERS (This E-mail was sent from 
a broken mail client [804f].). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed REVDNS (This E-mail was sent from a 
MUA/MTA 202.105.130.36 with no reverse DNS entry.). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SNIFFER (Message failed SNIFFER: 
63.). Action=HOLD.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed WEIGHT10 (Weight of 32 reaches or 
exceeds the limit of 10.). Action=BOUNCE.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed OSRELAY (This entry was last 
confirmed open on 1/4/2003). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SPAMCOP (Blocked - see 
http://spamcop.net/bl.shtml?202.105.130.36). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed DSBL 
(http://dsbl.org/listing.php?202.105.130.36). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed NJABL (relay tested -- 1007947419). 
Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed BADHEADERS (This E-mail was sent from 
a broken mail cli