RE: [Declude.JunkMail] CBL Blocks
Actually I have been lurking mostly for several years. I jump in from time to time. Most of the junkmail records are set to either warn or dump the suspected spam into a spam folder MAILBOX SPAM The users have been instructed to visit their spam mail box from time to time to verify that no good mail is there and clear it out. Of course some don't bother. I have not set any of the blacklists on weighted tests. Nothing is deleted except in my own account where I feel confident anything that is tagged by certain tests is indeed spam. Like I said all 251 messages held in my spam box were indeed spam. We don't just give the users a heading telling them it is suspected spam. They don't even want to see the stuff. Personally, I don't either. This does not seem to be a problem for them so far. Once in a while something like this IP address causes some concern. But most users are in systems with firewalls with trusted IP addresses and have not been subjected to this sort of thing. Some of the tests are being totally ignored. For example I finally stopped using SORBS-SPAM and SORBS-DUHL because they became so unreliable tagging just about everything that came along. But, we updated the Declude to 2.61 (or whatever version) recently and I have not gone in to read the latest documentation and apply the new features. A problem with time. Don't run for a political office, it is all consuming. At 12:32 AM 8/3/2005, Colbeck, Andrew wrote: That is easy. The CBL failure is set to go to the user Spam mailbox. I just reviewed mine (spam box) and found 251 e-mails there for the past 30 days. Every one of them was spam. Ok Orin, so you're using the SUBJECT action with CBL? I'm sorry to belabour it if you already know this, but I haven't seen many postings from you here... The prevailing wisdom in this birds of a feather mailing list is to use actions with weights and weightranges instead of individual tests. In this way, a single false positive doesn't hurt as much, and you won't have to pre-determine which specific tests are trustworthy; instead, you work out which ranges merit various actions. Do you HOLD or DELETE messages at all, or do you mark up the subject lines for your clients and let them bear the responsibility of deleting their spam? I'm not for or against either method, I'm just curious where you have drawn your lines. Andrew 8) --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] CBL Blocks
That is easy. The CBL failure is set to go to the user Spam mailbox. I just reviewed mine (spam box) and found 251 e-mails there for the past 30 days. Every one of them was spam. Ok Orin, so you're using the SUBJECT action with CBL? I'm sorry to belabour it if you already know this, but I haven't seen many postings from you here... The prevailing wisdom in this birds of a feather mailing list is to use actions with weights and weightranges instead of individual tests. In this way, a single false positive doesn't hurt as much, and you won't have to pre-determine which specific tests are trustworthy; instead, you work out which ranges merit various actions. Do you HOLD or DELETE messages at all, or do you mark up the subject lines for your clients and let them bear the responsibility of deleting their spam? I'm not for or against either method, I'm just curious where you have drawn your lines. Andrew 8) --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] CBL Blocks
At 04:42 PM 8/1/2005, Colbeck, Andrew wrote: So having said that, a good question is why this particular CBL listing on your system ended up HOLDing a message! That is easy. The CBL failure is set to go to the user Spam mailbox. I just reviewed mine (spam box) and found 251 e-mails there for the past 30 days. Every one of them was spam. Of course I received a lot more that were not trapped. Something I have to work on again. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] CBL Blocks
Orin, all three listings are actually the same. The last one you mention, SB-XBL shows that the IP is listed in XBL because XBL is a composite list of blacklists, include CBL. CBL is one of the few blacklists that expire listings (somewhat more say they expire listings, but don't). Blocking mail from servers that connect from a dynamic address is reasonable. Blocking mail from a client is not reasonable; this is why the IMail fans here like the option to whitelist authenticated senders. Also, blocking on one blacklist hit is a setup for a lot of false positives. For example, large email providers like HotMail and Yahoo! have certainly found themselves listed because of a bad customer or by bouncing a virus they didn't detect as such. So having said that, a good question is why this particular CBL listing on your system ended up HOLDing a message! Andrew 8) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Orin WellsSent: Monday, August 01, 2005 3:26 PMTo: Declude.JunkMail@declude.comSubject: [Declude.JunkMail] CBL Blocks I received a contact from one of our customers who discovered an e-mail from within his own domain had been stuck into the spam box. When I investigated I found out that it had been tagged by the CBL test. Looking further if found the email address was on three different black lists. OK, but the problem is this is a dynamic address belonging to T-Mobile I suspect. This implies that some dynamic customer had connected while infected by a piece of spam software and got the IP logged. Now anyone connecting and receiving the address will be blacklisted.How do you handle this sort of thing?The IP address, in case anyone is curious, is 208.54.14.65. The CBL probe says it was de-listed on 6/23/2005 but re-listed on 7/30/2005 (yesterday). There are two other services where it is listed - DNSBLNETAUTI (DNSBLNET Australia pointing back to cbl_abuseat.org) and SBL-XBL pointing back to Spamhaus.org.Is anyone using such services (T-Mobile - may be assigned to Blackberry communications) where dynamic IP assignment is the rule just at the mercy of whoever got it earlier? Is it even worth the effort to attempt to get the addresses de-listed? Should the ISP service be advised when one of their IP addresses is discovered as listed? I suppose it is too much to expect the black lists to be able to recognize dynamic addresses and just not bother to list them or at least set them on some timer to release after a bit.--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] CBL Blocks
T-Mobile forces you to relay through their own SMTP servers, and they leak a lot of spam. CBL will only list things that look like dynamic IP's or have no reverse DNS entry. The T-Mobile servers give a bogus HELO of mailrelay.t-mobile.com but their actual reverse DNS entries show up as something like m6f095e42.tmodns.net. That particular server is currently SpamCopped and has been for a total of 34 full days out of the last 116: http://www.senderbase.org/search?searchString=66.94.9.111 I don't believe that CBL wants to tag their servers as they are generally not in favor of listing real mail servers/relays, but T-Mobile has done a really bad job of managing their network and the spam problem. The end result is that CBL, SpamCop, PSBL and others will regularly tag their servers. I am afraid that the only solution here would be to give credit to the T-Mobile IP's. CBL might consider excluding their IP's if you contacted them, but SpamCop seems to think that it is a good thing to regularly list AOL's own servers for a smattering of spam out of tens of millions of messages a day. In fact I did contact SpamCop about this issue last year and the reply was that AOL's server was listed because it sent spam (almost a quote). PSBL and SENDERDB have terrible issues with this sort of thing as well. Matt Orin Wells wrote: I received a contact from one of our customers who discovered an e-mail from within his own domain had been stuck into the spam box. When I investigated I found out that it had been tagged by the CBL test. Looking further if found the email address was on three different black lists. OK, but the problem is this is a dynamic address belonging to T-Mobile I suspect. This implies that some dynamic customer had connected while infected by a piece of spam software and got the IP logged. Now anyone connecting and receiving the address will be blacklisted. How do you handle this sort of thing? The IP address, in case anyone is curious, is 208.54.14.65. The CBL probe says it was de-listed on 6/23/2005 but re-listed on 7/30/2005 (yesterday). There are two other services where it is listed - DNSBLNETAUTI (DNSBLNET Australia pointing back to cbl_abuseat.org) and SBL-XBL pointing back to Spamhaus.org. Is anyone using such services (T-Mobile - may be assigned to Blackberry communications) where dynamic IP assignment is the rule just at the mercy of whoever got it earlier? Is it even worth the effort to attempt to get the addresses de-listed? Should the ISP service be advised when one of their IP addresses is discovered as listed? I suppose it is too much to expect the black lists to be able to recognize dynamic addresses and just not bother to list them or at least set them on some timer to release after a bit. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =