Re: [Declude.JunkMail] IPNOTINMX and NOLEGITCONTENT
> If the IPNOTINMX and NOLEGITCONTENT tests are displayed in the X-Spam-Tests-Failed: header in a message does that mean the message passed or failed the tests in question?

It means that it failed those tests.

> Which is better for a message to have points subtracted off its total score? To pass or fail these tests?

It's better for E-mails to pass those tests (so that they do not appear in the headers).

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.

Re: [Declude.JunkMail] IPNOTINMX, NOLEGITCONTENT
Both filters will fail above 90% of the time on typical traffic patterns. I give 10% of my hold weight in credit for passing IPNOTINMX and 20% of my hold weight in credit for NOLEGITCONTENT. A fair amount of spam will pass IPNOTINMX, however these will only be static spam sources that are much more likely to be perma-listed in multiple RBL's, so it's generally not a big issue, especially with such a low credit. IPNOTINMX on the other hand, uses magic to determine what passes and what doesn't pass :) It's rare that it will give credit to spam.

Many server generated E-mails will also fail both tests (contrary to your suggestion). System notifications are notoriously challenged in a technical sense, especially when coming from Microsoft servers. It's better to fix the server's config instead of adjusting Declude unless it's a special situation and you whitelist the server from private IP space.

Naturally, the effectiveness of using these can't be measured in isolation. If you are still relying very heavily on SpamCop that suggests that you probably want to do some more in-depth monitoring (they have very serious problems with false positives, even tagging large ISP mail servers like AOL and Yahoo Groups). I don't think there's any good way to make informed decisions about weight without monitoring, making adjustments, and monitoring some more. Use lots of RBL's, but be choosey about what you use, and make sure you understand what they are testing, and how their hits, and especially the false positives, correspond to the other tests that you are using. The process should take you at least a month of watching to get the basics down, and of course to some extent, the process will never end because both the spammers and RBL's are in constant flux.

Matt

Robert Shubert wrote:

> I recently turned on the IPNOTINMX and NOLEGITCONTENT filters to see how they work. They seem to do more harm than good, for instance I weight 10 SPAMCOP since that service works well for me, but these filters lowered the weight so that spamcop (only) spams get through. I do understand that they solve an issue of server generated emails, one email that was getting marked as spam was a system report from a firewalled server, IP 10.1.1.something. This email is now not spam, as it shouldn't be, but I'm not sure about the tradeoff.
>
> Are other people using these filters successfully? Is it better to keep them with a low negative weight or disable them altogether and just rely on positive tests?
>
> Thanks for your input.
>
> Robert

--
MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/

Re: [Declude.JunkMail] IPNOTINMX, NOLEGITCONTENT
Hello, Robert,

It sounds like you are not using them as intended. From my readings on this list instead of adding points to an e-mail if a particular e-mail fails this test you are supposed to use these to subtract points from an e-mail if they pass this test.

R. Scott, isn't that correct?

Dan Geiser
[EMAIL PROTECTED]

----- Original Message -----
From: Robert Shubert [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 1:09 AM
Subject: [Declude.JunkMail] IPNOTINMX, NOLEGITCONTENT

I recently turned on the IPNOTINMX and NOLEGITCONTENT filters to see how they work. They seem to do more harm than good, for instance I weight 10 SPAMCOP since that service works well for me, but these filters lowered the weight so that spamcop (only) spams get through. I do understand that they solve an issue of server generated emails, one email that was getting marked as spam was a system report from a firewalled server, IP 10.1.1.something. This email is now not spam, as it shouldn't be, but I'm not sure about the tradeoff.

Are other people using these filters successfully? Is it better to keep them with a low negative weight or disable them altogether and just rely on positive tests?

Thanks for your input.

Robert

---
Sign up for virus-free and spam-free e-mail with Nexus Technology Group http://www.nexustechgroup.com/mailscan

Re: [Declude.JunkMail] IPNOTINMX and REVDNS Questions
> Most of the mail sent by mail clients within my organization fails the IPNOTINMX and REVDNS.

That is quite common.

> Is there a way for me to set up Declude to skip this test if the mail is sent from a range of IP blocks?

No. However:

> Alternatively is there a way for mail to automatically pass the IPNOTINMX and REVDNS if sent from a range of IP blocks?

You could whitelist your IP range if you like. For example, you could add a line "WHITELIST IP 192.0.2.0/24" to the \IMail\Declude\global.cfg file, which would whitelist all E-mail in the 192.0.2.0 Class C range.

-Scott

Re: [Declude.JunkMail] IPNOTINMX
> It will be triggered when an E-mail is sent from an IP address that is not in its MX record
>
> 1-is this the mx record for the domain of the from address ? if the from is empty the test will fail?

Everything in Declude JunkMail uses the return address of the E-mail (MAIL FROM in the SMTP envelope). If it is empty, it will not fail (that would be <>, which is used for bounce messages and the like).

> 2-also, declude never uses the reply to address, correct ?

Correct. It also never uses the address from the From: header.

> is there a variable (declude virus) for the reply to address ?

No.

-Scott

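A sketch of the check as described in the message above, added here as an example; it is not Declude's code and not part of the original post. The DNS tables and function names are constructed for illustration, and the reading of the trailing "0 -3" as fail weight followed by pass weight is inferred from this thread.

```python
import ipaddress

# Constructed DNS data (documentation address ranges); a real check queries DNS.
MX_HOSTS = {"example.org": ["mx1.example.org", "mx2.example.org"]}
A_RECORDS = {"mx1.example.org": ["192.0.2.10"], "mx2.example.org": ["192.0.2.11"]}


def return_domain(mail_from):
    """Domain of the SMTP envelope sender (MAIL FROM); None for the null sender <>."""
    addr = mail_from.strip().strip("<>")
    if not addr or "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def mx_addresses(domain):
    """Every address that the domain's MX hosts resolve to."""
    ips = set()
    for host in MX_HOSTS.get(domain, []):
        ips.update(ipaddress.ip_address(a) for a in A_RECORDS.get(host, []))
    return ips


def ipnotinmx_fails(mail_from, client_ip):
    """True when the connecting IP is not one of the return-address domain's MX IPs."""
    domain = return_domain(mail_from)
    if domain is None:
        return False  # empty return address does not fail, per the thread
    return ipaddress.ip_address(client_ip) not in mx_addresses(domain)


def weight_delta(fails, fail_weight=0, pass_weight=-3):
    """Weight contribution for 'IPNOTINMX ipnotinmx x x 0 -3' (assumed field order)."""
    return fail_weight if fails else pass_weight
```

Mail from a domain that sends through a host not listed in its MX records fails the check and receives no credit, which is why the thread treats the test as a small credit for passing rather than a penalty for failing.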
Re: [Declude.JunkMail] IPNOTINMX
> I get a ton of spam that is marked with the IPNOTINMX. What is the best way to block this?

The best way is NOT to block it. The IPNOTINMX test will indeed catch a lot of spam, but it will also catch a lot of legitimate E-mail. Normally, it should be used to help legitimate E-mail (with the test definition ending in "0 -3" or something similar).

-Scott

RE: [Declude.JunkMail] IPNOTINMX
> Why didn't negative weight get added for this piece of mail I received from the IPNOTINMX Test.
>
> Global.cfg
> IPNOTINMX ipnotinmx x x 0 -3
>
> Default.junkmail file
> IPNOTINMX IGNORE

Because you set the action to IGNORE. Change it to WARN and it should work. :)

~Patrick
---
[This E-mail scanned for viruses by Declude/McAfee]

RE: [Declude.JunkMail] IPNOTINMX
Are you sure about that?

03/31/2003 18:24:22 Qce246c0a00a00dbb WORDFILTER:4 nIPNOTINMX:-3 . Total weight = 1
03/31/2003 18:24:22 Qce246c0a00a00dbb L1 Message OK

It seems to get triggered for other pieces of mail.

Darrell

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Patrick Childers
Sent: Wednesday, April 02, 2003 9:26 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] IPNOTINMX

> Why didn't negative weight get added for this piece of mail I received from the IPNOTINMX Test.
>
> Global.cfg
> IPNOTINMX ipnotinmx x x 0 -3
>
> Default.junkmail file
> IPNOTINMX IGNORE

Because you set the action to IGNORE. Change it to WARN and it should work. :)

~Patrick

Re: [Declude.JunkMail] IPNOTINMX
> Why didn't negative weight get added for this piece of mail I received from the IPNOTINMX Test.

The E-mail definitely should not fail the IPNOTINMX test, as the IP it came from is in the MX record for the domain in the return address. The log file snippet confirms that the E-mail did not fail the IPNOTINMX test. So the question is whether or not the negative weight was used.

> Global.cfg
> IPNOTINMX ipnotinmx x x 0 -3

Given this, the E-mail should have had a weight of 3 subtracted from its total weight, since it did not fail the IPNOTINMX test. So, I would need to ask, why do you think that the weight of 3 was not subtracted from the total weight of the E-mail?

-Scott

RE: [Declude.JunkMail] IPNOTINMX
Scott,

My expected behavior would be that this piece of mail *SHOULD* have had -3 subtracted from it. This is the behavior that I am shooting for.

Now you asked "So, I would need to ask, why do you think that the weight of 3 was not subtracted from the total weight of the E-mail?"

The log files for Declude show that it wasn't subtracted

03/31/2003 18:24:33 Qce102a4f0086c057 BASE64:5 SNIFFER:8 . Total weight = 13
03/31/2003 18:24:33 Qce102a4f0086c057 Msg failed BASE64 (A binary encoded text or HTML section was found in this E-mail.). Action=WARN.
03/31/2003 18:24:33 Qce102a4f0086c057 Msg failed SNIFFER (Message failed SNIFFER: 63.). Action=COPYTO.
03/31/2003 18:24:33 Qce102a4f0086c057 Msg failed WEIGHT10 (Weight of 13 reaches or exceeds the limit of 10.). Action=BOUNCE.
03/31/2003 18:24:33 Qce102a4f0086c057 Subject: FW: Wildfire practice
03/31/2003 18:24:33 Qce102a4f0086c057 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 63.136.220.30 ID:

Am I missing something?

Darrell

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Wednesday, April 02, 2003 9:56 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] IPNOTINMX

> Why didn't negative weight get added for this piece of mail I received from the IPNOTINMX Test.

The E-mail definitely should not fail the IPNOTINMX test, as the IP it came from is in the MX record for the domain in the return address. The log file snippet confirms that the E-mail did not fail the IPNOTINMX test. So the question is whether or not the negative weight was used.

> Global.cfg
> IPNOTINMX ipnotinmx x x 0 -3

Given this, the E-mail should have had a weight of 3 subtracted from its total weight, since it did not fail the IPNOTINMX test. So, I would need to ask, why do you think that the weight of 3 was not subtracted from the total weight of the E-mail?

-Scott

RE: [Declude.JunkMail] IPNOTINMX
> My expected behavior would be that this piece of mail *SHOULD* have had -3 subtracted from it. This is the behavior that I am shooting for.

Correct.

> The log files for Declude show that it wasn't subtracted
>
> 03/31/2003 18:24:33 Qce102a4f0086c057 BASE64:5 SNIFFER:8 . Total weight = 13

Something isn't right. In this case, you should see "nIPNOTINMX:-3" in there. Could you E-mail me your global.cfg file (off-list), so that I can test it here?

-Scott

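An added example, not part of the thread and not Declude code: a small parser for the "Total weight" log lines quoted in these messages. It checks that the listed per-test weights add up to the logged total and reports which messages carry no nIPNOTINMX entry. The log layout is taken from the lines shown on this page; the assumption that the listed weights always sum to the total rests on those two samples only.

```python
import re

# Log lines quoted in this thread.
SAMPLE_LOG = """\
03/31/2003 18:24:22 Qce246c0a00a00dbb WORDFILTER:4 nIPNOTINMX:-3 . Total weight = 1
03/31/2003 18:24:33 Qce102a4f0086c057 BASE64:5 SNIFFER:8 . Total weight = 13
03/31/2003 18:24:33 Qce102a4f0086c057 Msg failed WEIGHT10 (Weight of 13 reaches or exceeds the limit of 10.). Action=BOUNCE.
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<qid>Q\w+) "
    r"(?P<tests>.*?)\s*\. Total weight = (?P<total>-?\d+)\s*$"
)
TEST_RE = re.compile(r"(\S+?):(-?\d+)")


def parse_weight_lines(log_text):
    """Return one record per 'Total weight' line; other log lines are skipped."""
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        tests = {name: int(w) for name, w in TEST_RE.findall(m["tests"])}
        total = int(m["total"])
        results.append({
            "qid": m["qid"],
            "tests": tests,
            "total": total,
            # Assumption: the per-test weights listed on the line sum to the total.
            "sum_ok": sum(tests.values()) == total,
            # Negative entries are credits for tests the message did not fail.
            "credits": sorted(n for n, w in tests.items() if w < 0),
        })
    return results


def missing_credit(results, credit="nIPNOTINMX"):
    """Queue IDs whose weight line has no entry for the given negative-weight test."""
    return [r["qid"] for r in results if credit not in r["tests"]]
```

A queue ID returned by `missing_credit` either failed the test or did not receive the credit; the log line alone does not say which.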
Re: [Declude.JunkMail] IPNOTINMX
> IPNOTINMX can someone tell me what to do with : IPNOTINMX ??? All the incoming messages fail the test ... Can't find the line to edit it in $default$.junkmail . What should I do with it ?

That is part of the beta version. It is normal for legitimate E-mails to fail that test; you can search the archives of this mailing list for more details about the test.

-Scott

Re: [Declude.JunkMail] IPNOTINMX
> Before I do this please confirm my logic. Let's say I wanted to get more aggressive catching spam, and was willing to risk a possible increase in false positives. Could I adjust the IPNOTINMX default setting of -4 in the following way?
>
> IPNOTINMX ipnotinmx x x 0 -3

Yes, that would work fine. By changing it from -4 to -3, it would end up slightly increasing the weight of E-mail where the MX record of the return address matched the IP the E-mail was sent from.

-Scott