RE: [Declude.JunkMail] REVDNS
Well, telling the fake hotmail from the normal hotmail is one thing...

And for this specific task, working around REVDNS is not your best bet. HotMail publishes SPF records that help you by identifying their blocks of outbound CIDR addresses. All you need to do is check for a mailfrom that ends with hotmail.com and for a SPF PASS.

But another cautionary note is that you can *counterweight* hotmail *too* much. I, and others here, regularly see spam from disposable hotmail accounts. The spammers know that they will get the account banned, but they don't care, the payload is either in the HTML, or advertise a contact for phone and fax number (Nigerian or "419" fraud), or pump and dump stock fraud, or a deliberately mangled URL that won't be picked up by URI scanning. In other words, IP4R tests don't work to fight these, and content scanners lag behind at least one wave of this spam.

Andrew 8)

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Serge
> Sent: Monday, December 12, 2005 8:36 AM
> To: Declude.JunkMail@declude.com
> Subject: Re: [Declude.JunkMail] REVDNS
>
> I use tests that were posted long time ago by kami I use them
> for aol, hotmail, yahoo, ...
> i think they are much more flexible than spamdomains, and
> they test mailfrom, revdns and helo (i think spamdomains only
> test mailfrom and revdns)
> there was a long discussion at that time, i do not remember
> all the details, try checking the archives.

---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]

---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
Re: [Declude.JunkMail] REVDNS
I use tests that were posted a long time ago by kami. I use them for aol, hotmail, yahoo, ...
I think they are much more flexible than spamdomains, and they test mailfrom, revdns and helo (I think spamdomains only tests mailfrom and revdns).
There was a long discussion at that time; I do not remember all the details, try checking the archives.

----- Original Message -----
From: "Markus Gufler" <[EMAIL PROTECTED]>
To:
Sent: Monday, December 12, 2005 3:14 PM
Subject: RE: [Declude.JunkMail] REVDNS

> Thank you Scott,
>
> Serge, why do you use such a filter? A SpamDomain-Test should do this even
> better.
>
> Markus
Re: [Declude.JunkMail] REVDNS
Last month I received a REVDNS timeout on 4% of all my email. 85% of that was spam.
It is certainly an obfuscation technique used by some static spammers.

----- Original Message -----
From: "Markus Gufler" <[EMAIL PROTECTED]>
To:
Sent: Monday, December 12, 2005 9:45 AM
Subject: RE: [Declude.JunkMail] REVDNS

Is a REVDNS-timeout such a frequent thing?

Markus
RE: [Declude.JunkMail] REVDNS
Is a REVDNS-timeout such a frequent thing?

Markus

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
> Sent: Monday, December 12, 2005 4:31 PM
> To: Declude.JunkMail@declude.com
> Subject: Re: [Declude.JunkMail] REVDNS
>
> Spamdomains tests do not trigger on a REVDNS Timeout.
Re: [Declude.JunkMail] REVDNS
Spamdomains tests do not trigger on a REVDNS Timeout.

----- Original Message -----
From: "Markus Gufler" <[EMAIL PROTECTED]>
To:
Sent: Monday, December 12, 2005 9:14 AM
Subject: RE: [Declude.JunkMail] REVDNS

Thank you Scott,

Serge, why do you use such a filter? A SpamDomain-Test should do this even better.

Markus
Re: [Declude.JunkMail] REVDNS
It is (Timeout), but Declude isn't case sensitive.

----- Original Message -----
From: "Serge" <[EMAIL PROTECTED]>
To:
Sent: Monday, December 12, 2005 9:14 AM
Subject: Re: [Declude.JunkMail] REVDNS

should this be (Timeout) or (timeout) ?
RE: [Declude.JunkMail] REVDNS
Filter tests are not case sensitive

Goran Jovanovic
Omega Network Solutions

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> [EMAIL PROTECTED] On Behalf Of Serge
> Sent: Monday, December 12, 2005 10:14 AM
> To: Declude.JunkMail@declude.com
> Subject: Re: [Declude.JunkMail] REVDNS
>
> should this be (Timeout) or (timeout) ?
Re: [Declude.JunkMail] REVDNS
Should this be (Timeout) or (timeout)?

----- Original Message -----
From: "Scott Fisher" <[EMAIL PROTECTED]>
To:
Sent: Monday, December 12, 2005 2:58 PM
Subject: Re: [Declude.JunkMail] REVDNS

> REVDNS 10 IS (Timeout)
RE: [Declude.JunkMail] REVDNS
Thank you Scott,

Serge, why do you use such a filter? A SpamDomain-Test should do this even better.

Markus

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
> Sent: Monday, December 12, 2005 3:58 PM
> To: Declude.JunkMail@declude.com
> Subject: Re: [Declude.JunkMail] REVDNS
>
> REVDNS 10 IS (Timeout)
RE: [Declude.JunkMail] REVDNS
> I'm going to try
> REVDNS END CONTAINS (timeout)

Can you send a message from an IP who will timeout for REVDNS? Declude support?

Markus
RE: [Declude.JunkMail] REVDNS
Here is the exact line from one of my logs

D9786103b008853ab.smd:X-Note: Reverse DNS: Sent from (timeout) ([81.215.38.233]).

This is from Version 3.0.5.22

Goran Jovanovic
Omega Network Solutions
Tel: 416 322-0333
New Cell: 416 805-4357 or 416 805-HELP
[EMAIL PROTECTED]

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> [EMAIL PROTECTED] On Behalf Of Serge
> Sent: Monday, December 12, 2005 9:54 AM
> To: Declude.JunkMail@declude.com
> Subject: Re: [Declude.JunkMail] REVDNS
>
> > So it would be interesting know what's exactly in his text filter file
> > "REVDNS-TIMEOUT"
>
> I'm going to try
> REVDNS END CONTAINS (timeout)
>
> if somebody have a better idea, please post
Re: [Declude.JunkMail] REVDNS
> So it would be interesting know what's exactly in his text filter file
> "REVDNS-TIMEOUT"

I'm going to try

REVDNS END CONTAINS (timeout)

If somebody has a better idea, please post.
Re: [Declude.JunkMail] REVDNS
REVDNS 10 IS (Timeout)

----- Original Message -----
From: "Markus Gufler" <[EMAIL PROTECTED]>
To:
Sent: Monday, December 12, 2005 1:42 AM
Subject: RE: [Declude.JunkMail] REVDNS

>> I think it may be (timeout). I know Scott
>> Fisher posted a filter the other day that had the exact text
>> on what it is when rev dns times out.
>
> It was a message from Scott Fisher on the "cbl"-thread and as I can see he
> posted a line
>
> TESTSFAILED 50 CONTAINS REVDNS-TIMEOUT
>
> So it would be interesting know what's exactly in his text filter file
> "REVDNS-TIMEOUT"
>
> Markus
RE: [Declude.JunkMail] REVDNS
> I think it may be (timeout). I know Scott
> Fisher posted a filter the other day that had the exact text
> on what it is when rev dns times out.

It was a message from Scott Fisher on the "cbl"-thread and as I can see he posted a line

TESTSFAILED 50 CONTAINS REVDNS-TIMEOUT

So it would be interesting to know what's exactly in his text filter file "REVDNS-TIMEOUT"

Markus
Re: [Declude.JunkMail] REVDNS
For timeouts I believe the REVDNS string contains text indicating that a timeout occurred. So you need to safeguard against it. I think it may be (timeout). I know Scott Fisher posted a filter the other day that had the exact text on what it is when rev dns times out.

Darrell

Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

----- Original Message -----
From: "Serge" <[EMAIL PROTECTED]>
To:
Sent: Sunday, December 11, 2005 7:15 PM
Subject: [Declude.JunkMail] REVDNS

I have good hotmail messages failing the false hotmail test below
the reason is REVDNS timeouts
the filter should end at the first line, but does not
any workaround?

REVDNS END ENDSWITH .hotmail.com
MAILFROM 3 ENDSWITH @hotmail.com
HELO 5 ENDSWITH hotmail.com
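The false positive discussed in this thread, as an added example that is not part of any poster's message and is not Declude's code: a small Python model of a weighted filter file, showing why the original hotmail filter scores legitimate mail when reverse DNS times out and what the proposed guard line changes. It assumes lines are evaluated top to bottom, END stops the filter, and matching ignores case; the hostnames, addresses and the sample header are constructed.

```python
"""Toy model of a weighted text filter like the one discussed in this thread.

Assumed semantics (taken from the thread, not from vendor documentation):
lines are VARIABLE ACTION OPERATOR VALUE, evaluated top to bottom; ACTION is
either a weight to add or END, which stops the filter; matching ignores case.
"""
import re

OPERATORS = {
    "IS": lambda field, value: field == value,
    "CONTAINS": lambda field, value: value in field,
    "ENDSWITH": lambda field, value: field.endswith(value),
}


def parse_filter(text):
    """Turn filter text into (variable, action, operator, value) tuples."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 3)
        if len(parts) != 4 or parts[2].upper() not in OPERATORS:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        variable, action, operator, value = parts
        # Weight lines must carry an integer; END is kept as a marker.
        action = "END" if action.upper() == "END" else int(action)
        rules.append((variable.upper(), action, operator.upper(), value.lower()))
    return rules


def score(rules, message):
    """Return the weight a message accumulates before the filter ends."""
    total = 0
    for variable, action, operator, value in rules:
        field = message.get(variable, "").lower()
        if not OPERATORS[operator](field, value):
            continue
        if action == "END":
            break  # stop evaluating the remaining lines
        total += action
    return total


# Matches both header shapes quoted in the thread:
#   "... Sent from (timeout) ([a.b.c.d])."
HEADER_RE = re.compile(r"sent from (\S+) \(\[(\d{1,3}(?:\.\d{1,3}){3})\]\)", re.I)


def revdns_from_header(header):
    """Extract (reverse DNS value, IP) from a reverse-DNS note header."""
    match = HEADER_RE.search(header)
    return (match.group(1), match.group(2)) if match else None


# Filter text as posted in the thread.
ORIGINAL = """
REVDNS END ENDSWITH .hotmail.com
MAILFROM 3 ENDSWITH @hotmail.com
HELO 5 ENDSWITH hotmail.com
"""
# Same filter with the guard line proposed in the thread placed first.
GUARDED = "REVDNS END CONTAINS (timeout)\n" + ORIGINAL
# The separate timeout line posted in the thread.
TIMEOUT_ONLY = "REVDNS 10 IS (Timeout)"

# Constructed sample messages (not taken from any real log).
RESOLVED = {"REVDNS": "mail-out.example.hotmail.com",
            "MAILFROM": "alice@hotmail.com",
            "HELO": "mail-out.example.hotmail.com"}
TIMED_OUT = dict(RESOLVED, REVDNS="(timeout)")   # same sender, lookup timed out
FORGED = {"REVDNS": "host-10.dsl.example.net",
          "MAILFROM": "bob@hotmail.com",
          "HELO": "hotmail.com"}
SAMPLE_HEADER = "X-Note: Reverse DNS: Sent from (timeout) ([192.0.2.10])."


def compare():
    """Score each sample under each filter variant."""
    filters = {"original": ORIGINAL, "guarded": GUARDED, "timeout": TIMEOUT_ONLY}
    samples = {"resolved": RESOLVED, "timed_out": TIMED_OUT, "forged": FORGED}
    return {(f, s): score(parse_filter(text), msg)
            for f, text in filters.items() for s, msg in samples.items()}


if __name__ == "__main__":
    for (filt, sample), weight in sorted(compare().items()):
        print(f"{filt:9s} {sample:10s} -> {weight}")
    print(revdns_from_header(SAMPLE_HEADER))
```

The guard line cannot tell a real hotmail sender from a forged one when the lookup times out, so it exempts both; a separate timeout weight such as the posted `REVDNS 10 IS (Timeout)` line is what scores those messages.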
RE: [Declude.JunkMail] REVDNS failures
Look at the DNS server that declude uses

Kevin Bilbee

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd
Sent: Wednesday, August 24, 2005 7:16 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] REVDNS failures

I was looking through my reports and found that around the end of June the number of email that failed the REVDNS test went way up. June and earlier it was common to have 20% - 25% of mail trip this test. July on I am seeing 70% - 90% of all email fail. We had not made any changes that I am aware of to our Declude config. It was a very sudden change.

Anyone else seen this, I am thinking it is something on our end because of the rapid increase but I am not sure what to look at.

Todd
Re: [Declude.JunkMail] REVDNS / ROUTING
Thanks!

-d

----- Original Message -----
From: Scott Fisher
To: Declude.JunkMail@declude.com
Sent: Saturday, March 05, 2005 7:05 PM
Subject: Re: [Declude.JunkMail] REVDNS / ROUTING

The REVDNSEXISTS test won't fail on a timeout. Probably a safety measure in case of a DNS failure.

You could add your own filter:

REVDNS 1 IS (Timeout)

----- Original Message -----
From: Dave Doherty
To: Declude.JunkMail@declude.com
Sent: Saturday, March 05, 2005 5:23 PM
Subject: [Declude.JunkMail] REVDNS / ROUTING

Hi,

In a message I received today:

X-REVDNS: This E-mail was sent from (timeout) ([83.132.120.87]).
X-Country-Chain: UNITED STATES->PORTUGAL->destination

I would think with Declude info like this in the headers, the message would have failed REVDNS and ROUTING, but it didn't trip either one. Sniffer caught it, but I weight Sniffer a little below my hold weight due to very occasional FPs.

From my global.cfg file (I hold at 10):

REVDNS revdnsexists x x 5 0
ROUTING spamrouting x x 6 0

Can anyone think of an explanation for this?

-d
Re: [Declude.JunkMail] REVDNS / ROUTING
The REVDNSEXISTS test won't fail on a timeout. Probably a safety measure in case of a DNS failure.

You could add your own filter:

REVDNS 1 IS (Timeout)

----- Original Message -----
From: Dave Doherty
To: Declude.JunkMail@declude.com
Sent: Saturday, March 05, 2005 5:23 PM
Subject: [Declude.JunkMail] REVDNS / ROUTING

Hi,

In a message I received today:

X-REVDNS: This E-mail was sent from (timeout) ([83.132.120.87]).
X-Country-Chain: UNITED STATES->PORTUGAL->destination

I would think with Declude info like this in the headers, the message would have failed REVDNS and ROUTING, but it didn't trip either one. Sniffer caught it, but I weight Sniffer a little below my hold weight due to very occasional FPs.

From my global.cfg file (I hold at 10):

REVDNS revdnsexists x x 5 0
ROUTING spamrouting x x 6 0

Can anyone think of an explanation for this?

-d
RE: [Declude.JunkMail] REVDNS Failure question
>I've solved this problem, thanks; it was related to a mail server config problem. Now, the IPNOTINMX test is failing for precisionx.net and I'm not sure why since the MX record is pointing to 65.110.77.72 (http://dnsstuff.com/tools/lookup.ch?name=precisionx.net&type=MX)

>X-Declude-Sender: [EMAIL PROTECTED] [65.110.77.72]

You'll see the problem if you go to http://www.dnsreport.com/tools/mail.ch?domain=precisionx.net . Specifically, the MX record for precisionx.net needs to be a hostname like mail.precisionx.net, not an IP.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.
RE: [Declude.JunkMail] REVDNS Failure question
I've solved this problem, thanks; it was related to a mail server config problem. Now, the IPNOTINMX test is failing for precisionx.net and I'm not sure why since the MX record is pointing to 65.110.77.72 (http://dnsstuff.com/tools/lookup.ch?name=precisionx.net&type=MX)

Received: from precisionx.net [65.110.77.72] by fpmamail.com with ESMTP
  (SMTPD32-6.06) id A9088BE0088; Fri, 04 Jun 2004 16:18:16 -0400
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: test
Date: Fri, 4 Jun 2004 13:39:04 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="_NextPart_000_1086356344_CFX_iMSMail_4099010171"
Content-Transfer-Encoding: 7bit
Message-Id: <[EMAIL PROTECTED]>
X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam [420e].
X-Declude-Sender: [EMAIL PROTECTED] [65.110.77.72]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: IPNOTINMX, SPAMHEADERS [3]
X-RCPT-TO: <[EMAIL PROTECTED]>
X-UIDL: 120
Status: U

Thanks once again.

Jose

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jose Gosende
Sent: Friday, June 04, 2004 11:47 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] REVDNS Failure question

OK, thanks.

Jose

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
Sent: Friday, June 04, 2004 11:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] REVDNS Failure question

>I guess I'm confused as to why it's coming from this IP
>216.119.112.51 when I've specified the MX record for precisionx.net
>to point to 65.110.77.72

That I can't explain -- you would need to check with the documents for the "inFusion email Server" that sent the mail to see how to get it to use a different IP. The mailserver normally won't know the IP address that appears in its MX record, it works with the IP address(es) that the server is set up to handle.

-Scott
RE: [Declude.JunkMail] REVDNS Failure question
>I guess I'm confused as to why it's coming from this IP
>216.119.112.51 when I've specified the MX record for precisionx.net
>to point to 65.110.77.72

That I can't explain -- you would need to check with the documents for the "inFusion email Server" that sent the mail to see how to get it to use a different IP. The mailserver normally won't know the IP address that appears in its MX record, it works with the IP address(es) that the server is set up to handle.

-Scott
RE: [Declude.JunkMail] REVDNS Failure question
I guess I'm confused as to why it's coming from this IP 216.119.112.51 when I've specified the MX record for precisionx.net to point to 65.110.77.72

Thanks,
Jose

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
Sent: Friday, June 04, 2004 11:32 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] REVDNS Failure question

>Why did this fail the REVDNS test? If I do a reverse DNS
>lookup for precisionx.net I get a valid PTR record back.

Reverse DNS is different than forward DNS. Reverse DNS takes an IP and returns the host name (using a PTR record); forward DNS usually takes a host name and returns an IP (using an A record).

>Received: from precisionx.net [216.119.112.51] by fpmamail.com with ESMTP
> (SMTPD32-6.06) id A02C4790076; Fri, 04 Jun 2004 11:07:24 -0400

In this case, the E-mail came from the IP 216.119.112.51. That IP does not have a reverse DNS entry (see http://www.dnsstuff.com/tools/ptr.ch?ip=216.119.112.51 ). Since it does not have a reverse DNS entry, it fails the REVDNS test.

-Scott
RE: [Declude.JunkMail] REVDNS Failure question
OK, thanks.

Jose

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
Sent: Friday, June 04, 2004 11:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] REVDNS Failure question

>I guess I'm confused as to why it's coming from this IP
>216.119.112.51 when I've specified the MX record for precisionx.net
>to point to 65.110.77.72

That I can't explain -- you would need to check with the documents for the "inFusion email Server" that sent the mail to see how to get it to use a different IP. The mailserver normally won't know the IP address that appears in its MX record, it works with the IP address(es) that the server is set up to handle.

-Scott
Re: [Declude.JunkMail] REVDNS Failure question
>Why did this fail the REVDNS test? If I do a reverse DNS
>lookup for precisionx.net I get a valid PTR record back.

Reverse DNS is different than forward DNS. Reverse DNS takes an IP and returns the host name (using a PTR record); forward DNS usually takes a host name and returns an IP (using an A record).

>Received: from precisionx.net [216.119.112.51] by fpmamail.com with ESMTP
> (SMTPD32-6.06) id A02C4790076; Fri, 04 Jun 2004 11:07:24 -0400

In this case, the E-mail came from the IP 216.119.112.51. That IP does not have a reverse DNS entry (see http://www.dnsstuff.com/tools/ptr.ch?ip=216.119.112.51 ). Since it does not have a reverse DNS entry, it fails the REVDNS test.

-Scott
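The lookup described in the reply above, as an added example that is not part of the thread and is not Declude's code. The two Received lines are copied from the thread; the PTR table, the host name stored in it and the resolver stub are constructed so the example runs offline, and the placeholder strings are the ones visible in the thread's X-REVDNS and X-Note headers.

```python
"""Which address a reverse-DNS test queries, modelled with constructed DNS data."""
import ipaddress
import re

# Received headers copied from the thread.
RECEIVED_FAIL = ("Received: from precisionx.net [216.119.112.51] by fpmamail.com "
                 "with ESMTP (SMTPD32-6.06) id A02C4790076; "
                 "Fri, 04 Jun 2004 11:07:24 -0400")
RECEIVED_OK = ("Received: from precisionx.net [65.110.77.72] by fpmamail.com "
               "with ESMTP (SMTPD32-6.06) id A9088BE0088; "
               "Fri, 04 Jun 2004 16:18:16 -0400")

# Constructed PTR data: the host name is a placeholder, not a real record.
PTR_RECORDS = {"72.77.110.65.in-addr.arpa": "mail.precisionx.net"}


class LookupTimeout(Exception):
    """Raised by the resolver stub when no answer arrives."""


def connecting_ip(received):
    """Return the bracketed IP the receiving server logged for the peer.

    The name before the brackets is whatever the client sent in HELO and
    plays no part in the reverse lookup.
    """
    match = re.search(r"\bfrom\s+\S+\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]", received)
    if not match:
        raise ValueError("no bracketed IPv4 address in Received header")
    # IPv4Address rejects out-of-range octets such as 999.1.1.1.
    return str(ipaddress.IPv4Address(match.group(1)))


def ptr_name(ip):
    """Build the in-addr.arpa name a PTR query uses (octets reversed)."""
    return ipaddress.ip_address(ip).reverse_pointer


def make_resolver(records, unreachable=False):
    """Resolver stub: answers from `records`, or times out when unreachable."""
    def resolve(qname):
        if unreachable:
            raise LookupTimeout(qname)
        return records.get(qname)
    return resolve


def revdns_value(received, resolve):
    """Host name for the connecting IP, or the placeholder seen in the headers."""
    qname = ptr_name(connecting_ip(received))
    try:
        host = resolve(qname)
    except LookupTimeout:
        return "(timeout)"          # lookup failed, existence unknown
    return host if host else "[No Reverse DNS]"  # authoritative "no PTR"


if __name__ == "__main__":
    online = make_resolver(PTR_RECORDS)
    offline = make_resolver(PTR_RECORDS, unreachable=True)
    for label, header, resolver in (("no PTR", RECEIVED_FAIL, online),
                                    ("has PTR", RECEIVED_OK, online),
                                    ("DNS down", RECEIVED_FAIL, offline)):
        ip = connecting_ip(header)
        print("%-8s %-15s %-28s -> %s" % (label, ip, ptr_name(ip),
                                           revdns_value(header, resolver)))
```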
Re: [Declude.JunkMail] revdns weight question
Greg,

20% of our hold weight on our primary mx
30% of our hold weight on our backup mx

Darrell

Check Out DLAnalyzer a comprehensive reporting tool for Declude Junkmail Logs - http://www.dlanalyzer.com

System Administrator writes:

I'm curious as to what others are doing concerning the weight assigned to the revdns test. How much weight do you assign to your revdns test, as a percentage of your hold or delete limit? Our percentage is currently at 25% (10/40).

Thanks,
Greg
RE: [Declude.JunkMail] revdns weight question
negative rDNS scores 5. No hold or delete. Subject line maker SPAM-VHIGH @ 30+.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of System Administrator
Sent: 11 December 2003 13:01
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] revdns weight question

I'm curious as to what others are doing concerning the weight assigned to the revdns test. How much weight do you assign to your revdns test, as a percentage of your hold or delete limit? Our percentage is currently at 25% (10/40).

Thanks,
Greg
Re: [Declude.JunkMail] REVDNS vs BODY
>Is it accurate to say that a filter in DECLUDE Pro using REVDNS is more efficient and runs faster than a filter using BODY?

Yes, it is (simply because the reverse DNS entry is much shorter than the body of the E-mail, so there is less searching to do).

>My standard procedure was to add a BODY filter that contains the domain of a link found in the spam messages that make it through other tests. This makes sure that they will be caught next time. I've noticed though that a surprising number of these domains that are found in the body of the spam are also the reverse DNS of the message sender. Am I better off filtering the REVDNS instead of the BODY?

The reverse DNS filter would be quite a bit quicker. Choosing which to use, however, would depend a lot on the volume of mail on your system and whether or not you currently are low on resources (or expect to be soon). For example, if you only process 5,000 E-mails/day, a filter with many BODY entries probably wouldn't be a problem.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.
Re: [Declude.JunkMail] revdns
>I've been using this filter with success:
>
>REVDNS -100 ENDSWITH .shawcable.net
>
>But what happens if :
>
>X-Declude-Sender: [EMAIL PROTECTED] [204.209.208.8]
>
>Does that test match the ip address to yahoo.com?

Not in this specific case (since 204.209.208.8 doesn't have a reverse DNS entry, even though the IP belongs to shawcable.net).

>Or if the ip addresses reverses to shawcable.net, it will let it through even if the Sender is yahoo.com?

The REVDNS filter *only* looks at the reverse DNS entry, and checks to see if it matches what you want it to match to. With the line above, any reverse DNS entry with ".shawcable.net" in it will have 100 points subtracted from its weight; any E-mail without ".shawcable.net" in the reverse DNS entry will be unaffected.

-Scott
Re: [Declude.JunkMail] RevDNS
It might be easier to get them to act as a secondary for your reverse DNS. ISPs don't typically like to delegate control of such things. It works just as effectively and DNS's auto notification features allow my changes for instance to be published immediately to the ISP's authoritative DNS server.

Matt

EN wrote:

I finally got this figured out. What I needed to do was have my ISP delegate control of my subnet to our server. Easy enough but I guess I wasn't fully aware of their settings to see what was going on in order to come to this conclusion.

Thanks for the help.

----- Original Message -----
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 16, 2003 11:45 AM
Subject: Re: [Declude.JunkMail] RevDNS

I'm guessing that your local DNS server thinks that it is authoritative for reverse DNS lookups, but doesn't have a reverse DNS entry for 209.7.3.194.

When you say local, you are talking about the internal Private DNS server, right?

By "local" I mean the DNS server that IMail uses.

Or the dns of imail? I just added a reverse zone on my private DNS server for the ip in question, as well as others ( had to be a classless zone too), but I am still getting the same warnings.

That will happen if the DNS server that IMail uses reports that 209.7.3.194 has no reverse DNS entry (which would be incorrect, since it does have a reverse DNS entry).

-Scott
Re: [Declude.JunkMail] RevDNS
I finally got this figured out. What I needed to do was have my ISP delegate control of my subnet to our server. Easy enough but I guess I wasn't fully aware of their settings to see what was going on in order to come to this conclusion.

Thanks for the help.

----- Original Message -----
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 16, 2003 11:45 AM
Subject: Re: [Declude.JunkMail] RevDNS

> > > I'm guessing that your local DNS server thinks that it is authoritative for
> > > reverse DNS lookups, but doesn't have a reverse DNS entry for 209.7.3.194.
> >
> >When you say local, you are talking about the internal Private DNS server,
> >right?
>
> By "local" I mean the DNS server that IMail uses.
>
> >Or the dns of imail? I just added a reverse zone on my private DNS server
> >for the ip in question, as well as others ( had to be a classless zone too),
> >but I am still getting the same warnings.
>
> That will happen if the DNS server that IMail uses reports that 209.7.3.194
> has no reverse DNS entry (which would be incorrect, since it does have a
> reverse DNS entry).
>
> -Scott
Re: [Declude.JunkMail] RevDNS
> > I'm guessing that your local DNS server thinks that it is authoritative for
> > reverse DNS lookups, but doesn't have a reverse DNS entry for 209.7.3.194.

>When you say local, you are talking about the internal Private DNS server,
>right?

By "local" I mean the DNS server that IMail uses.

>Or the dns of imail? I just added a reverse zone on my private DNS server
>for the ip in question, as well as others ( had to be a classless zone too),
>but I am still getting the same warnings.

That will happen if the DNS server that IMail uses reports that 209.7.3.194 has no reverse DNS entry (which would be incorrect, since it does have a reverse DNS entry).

-Scott
Re: [Declude.JunkMail] RevDNS
> Is the IMail server in the DMZ?

The IMail server is actually outside of our firewall on the internet side of things.

> I'm guessing that your local DNS server thinks that it is authoritative for
> reverse DNS lookups, but doesn't have a reverse DNS entry for 209.7.3.194.

When you say local, you are talking about the internal Private DNS server, right? Or the dns of imail? I just added a reverse zone on my private DNS server for the ip in question, as well as others ( had to be a classless zone too), but I am still getting the same warnings.

drats.

----- Original Message -----
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 16, 2003 10:06 AM
Subject: Re: [Declude.JunkMail] RevDNS

> > I've had this problem for a while, and although I found a way around it, I
> >want to get it corrected
> >so that I don't see this warning...anyway...
> >
> > My work is behind a firewall, this firewall, contains 3 zones:
> >Our Private network with a 192.168.x.x IP range
> >Our DMZ
> >and the Internet Zone
> >
> >The firewall does NAT to hide all our machines behind one IP which is
> >designated on the firewall.
>
> Is the IMail server in the DMZ?
>
> >X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 209.7.3.194 with
> >no reverse DNS entry.
>
> >But I would like to know why declude is thinking that 209.7.3.194 is
> >actually the mail server ( or at least, that's how
> >I interpret these warnings to say)
>
> The E-mail was sent from the IP 209.7.3.194 -- it really, really was. :)
>
> I'm guessing that your local DNS server thinks that it is authoritative for
> reverse DNS lookups, but doesn't have a reverse DNS entry for 209.7.3.194.
>
> -Scott
Re: [Declude.JunkMail] RevDNS
>I've had this problem for a while, and although I found a way around it, I
>want to get it corrected
>so that I don't see this warning...anyway...
>
>My work is behind a firewall, this firewall, contains 3 zones:
>Our Private network with a 192.168.x.x IP range
>Our DMZ
>and the Internet Zone
>
>The firewall does NAT to hide all our machines behind one IP which is
>designated on the firewall.

Is the IMail server in the DMZ?

>X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 209.7.3.194 with
>no reverse DNS entry.

>But I would like to know why declude is thinking that 209.7.3.194 is
>actually the mail server ( or at least, that's how
>I interpret these warnings to say)

The E-mail was sent from the IP 209.7.3.194 -- it really, really was. :)

I'm guessing that your local DNS server thinks that it is authoritative for reverse DNS lookups, but doesn't have a reverse DNS entry for 209.7.3.194.

-Scott
Re: [Declude.JunkMail] RevDNS
----- Original Message -----
From: "EN" <[EMAIL PROTECTED]>

> The firewall does NAT to hide all our machines behind one IP which is
> designated on the firewall.
> When a user sends email while using the web interface of Imail, all is well.
> When a user sends an email using Outlook Express, then declude starts to
> give warnings, e.g.
>
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
> X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 209.7.3.194 with
> no reverse DNS entry.
> X-Declude-Sender: [EMAIL PROTECTED] [209.7.3.194]
> X-Declude-Spoolname: D1cda001201d0db47.SMD
> X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for
> spam.
> X-Spam-Tests-Failed: IPNOTINMX, REVDNS [4]
> X-Note: This E-mail was sent from [No Reverse DNS] ([209.7.3.194]).

Easiest thing to do here is whitelist your internal address space. Otherwise, you would need to set up PTR & MX records for all of your IP addresses, which usually doesn't make sense if your users are behind a firewall that is doing address translation anyway.

Bill
RE: [Declude.JunkMail] REVDNS and HELOBOGUS
Thanks for your reply. I was surprised to learn of your success rate with admins. Though I'd never made any attempts to notify admins, I would have expected a lower response rate figuring that most admins that have problems today, are ignorant of how to fix them. Do you find yourself having to talk other admins through the process? Also it seems that a lot of the problem senders are bulk subscriptions and replies would go to non-existent accounts. I'll give it a try on a case by case basis.

Thanks

-----Original Message-----
From: Kevin Bilbee [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 02, 2003 4:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] REVDNS and HELOBOGUS

We only white list after emailing the user and the mail admin. It is in their best interest to fix the RDNS and HELO bogus issues. Attached is the email I send to them.

Why should I slow the processing of email on our server for a few ignorant admins.

I also send an automated email to all users on our server telling them what email has been held and giving them the option to recover the messages. In sending the automated email I no longer have to go through the held emails, the users do it.

I get about 1/3 of the admins thanking me for telling them of their config issues, 1/3 who think they have it configured that way for security reasons, and 1/3 who do not even reply.

Kevin Bilbee

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Agid, Corby
> Sent: Tuesday, September 02, 2003 4:11 PM
> To: 'Declude. Junkmail (E-mail)
> Subject: [Declude.JunkMail] REVDNS and HELOBOGUS
>
>
> Hello,
>
> We get a lot of false positives from sites that fail two of three simple
> tests such as REVDNS, HELOBOGUS and BADHEADERS which combined have just
> enough weight (10 to 12), to get tagged as spam. I have been whitelisting
> as I learn about them, which seems to be approx one to three entries per
> day.
>
> Do most people reduce the weight of these tests or increase the
> threshold of
> what's considered spam, or just whitelist as needed?
>
> Just curious.
>
> Corby
Re: [Declude.JunkMail] REVDNS and HELOBOGUS
I reduced the scores of those tests. Messages that fail BADHEADERS seem to often fail HELOBOGUS in my experience.

It would be good to know the error code returned by the BADHEADERS test because this shouldn't be failed by most mailing applications (even automated ones). If you look in your log for the messages in question, you will find a code for the BADHEADERS failure which can be looked up through the following page:

http://www.declude.com/tools/header.php

One bug was caught last week that dealt with too many characters on the To: line, which Scott promptly fixed in an interim release. Another issue that I was experiencing with BADHEADERS was related to not having a To: address in an E-mail, which IE and Exchange's Web Mail among others were allowing now despite the RFCs clearly saying it was necessary even if not a valid address (Netscape 7 is compliant). This was an issue with mailing lists and other broadcast messages that make use of the CC or BCC lines and no use of the To line. I believe Scott might be thinking about modifying this test as well, but I'll let him speak for himself.

I found these issues on my system when I recently did a capture on the BADHEADERS test. It is a wonderful test though, tagging about half of all spam received, and the false positive rate was an incredibly low 0.5% (10 false positives out of 1,834 test failures in all). 9 of the 10 false positives though were from errors possible from popular (enough) mail clients. Knowing your error codes would help in determining if you were suffering from similar issues, and possibly there is a fix out now.

My only issue with BADHEADERS is that messages that fail it will almost definitely fail at least one other technical test, especially SPAMHEADERS and HELOBOGUS. If your BADHEADERS failures are the responsibility of bad software on the sender's end, I would reduce the test scores so that both BADHEADERS (I score 3) and HELOBOGUS (I score 5) need to fail another small test in order to get blocked. The small tests that I see working in this case are NOPOSTMASTER, NOABUSE and DSN, each of which I score as 1, and BASE64 which I score as 3.

Regarding your REVDNS test, this is one of the tests that I turned off because it has a very high false positive rate and I perceived it as giving no real value as a result, even my server sat without reverse DNS entries until recently because my co-location provider was slow in delegating responsibility for that class C over to my DNS server, and those with smaller blocks tend to not bother at all. There are many valid mail servers without these lookups.

This is of course just my methodology, your mileage may vary.

Matt

Agid, Corby wrote:

Hello,

We get a lot of false positives from sites that fail two of three simple tests such as REVDNS, HELOBOGUS and BADHEADERS which combined have just enough weight (10 to 12), to get tagged as spam. I have been whitelisting as I learn about them, which seems to be approx one to three entries per day.

Do most people reduce the weight of these tests or increase the threshold of what's considered spam, or just whitelist as needed?

Just curious.

Corby
RE: [Declude.JunkMail] REVDNS and HELOBOGUS
We only white list after emailing the user and the mail admin. It is in their best interest to fix the RDNS and HELO bogus issues. Attached is the email I send to them. Why should I slow the processing of email on our server for a few ignorant admins?

I also send an automated email to all users on our server telling them what email has been held and giving them the option to recover the messages. In sending the automated email I no longer have to go through the held emails, the users do it.

I get about 1/3 of the admins thanking me for telling them of their config issues, 1/3 who think they have it configured that way for security reasons, and 1/3 who do not even reply.

Kevin Bilbee

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Agid, Corby
> Sent: Tuesday, September 02, 2003 4:11 PM
> To: 'Declude. Junkmail (E-mail)
> Subject: [Declude.JunkMail] REVDNS and HELOBOGUS
>
> Hello,
>
> We get a lot of false positives from sites that fail two of three simple
> tests such as REVDNS, HELOBOGUS and BADHEADERS which combined have just
> enough weight (10 to 12), to get tagged as spam. I have been whitelisting
> as I learn about them, which seems to be approx one to three entries per
> day.
>
> Do most people reduce the weight of these tests or increase the
> threshold of
> what's considered spam, or just whitelist as needed?
>
> Just curious.
>
> Corby

[Attached message:]

Hi, I am Kevin Bilbee the Network Administrator at Standard Abrasives. We are having some issues receiving email from your mail server. I would appreciate it if you could help me out.

Your mail server is missing a few DNS entries that are required to validate that email is coming from your server and not someone pretending to be you. About 60% of the mail coming into our server is unsolicited (SPAM) so being able to identify legitimate email is important to us. These items are outlined below.

X-RBL-Warning: HELOBOGUS: Domain lwtc_nt_1.linweld.com has no MX or A records.
X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 65.197.31.34 with no reverse DNS entry.

This is the link to the Internet Engineering Task Force site and the RFC for Common DNS Operational and Configuration Errors section 2.1. It discusses DNS and common configuration errors pertaining to mail servers.

http://www.ietf.org/rfc/rfc1912.txt?number=1912

If you could forward this to your IT department or send me contact information for them, I would appreciate it.

Mail from your server is not lost, it is delayed 1 day while waiting for review. If it is found to not be spam, the recipient has the option to recover the message. If they do not recover it in 14 days, it is purged from the system.

I understand that mail from your server is not spam and is legitimate business email. But our spam filter cannot make that determination without the above fixes, so human intervention is involved to complete delivery to the final recipient.

Thank you for your assistance in this matter,

Kevin Bilbee
Network Administrator
Standard Abrasives, Inc.
[EMAIL PROTECTED]
(805) 520-5800 x7332
Changing the way industry works.
Re: [Declude.JunkMail] revdns
>the dns servers are 208.13.150.92 and 208.13.150.91 set in imail...

Those servers seem to be responding properly.

In this case, I would suggest using the debug mode. To use the debug mode, you can change the "LOGLEVEL LOW" line in \IMail\Declude\global.cfg to "LOGLEVEL DEBUG". Then, after an E-mail has been processed that failed the REVDNS test, you can then switch back to "LOGLEVEL LOW" (the debug mode adds huge amounts of information to the log file). You can then send me the \IMail\spool\dec.log file (as an attachment), and I can take a look at it to see what is happening.

-Scott
Re: [Declude.JunkMail] revdns
the dns servers are 208.13.150.92 and 208.13.150.91 set in imail...

On Sat, 2003-01-11 at 11:45, R. Scott Perry wrote:
>
> >perhaps it's too early - but I notice these being tagged as revdns
> >failed ...
> >
> >Received: from IMGate.Mailstop7.com [208.13.150.9] by mailstop7.com with
> >  ESMTP (SMTPD32-7.13) id A93013FE0108; Sun, 05 Jan 2003 18:01:04 -0500
>
> This is the only header that has an IP address, so this should be the one
> with no reverse DNS entry. However, it does have one. Perhaps your local
> DNS server is/was set up to handle the reverse DNS for that IP, but it
> doesn't have an entry for it?
>
> If you let me know the DNS server that you are using with IMail, I can test
> to see if it is properly reporting the reverse DNS for that IP.
> -Scott
Re: [Declude.JunkMail] revdns
>perhaps it's too early - but I notice these being tagged as revdns failed ...
>
>Received: from IMGate.Mailstop7.com [208.13.150.9] by mailstop7.com with ESMTP (SMTPD32-7.13) id A93013FE0108; Sun, 05 Jan 2003 18:01:04 -0500

This is the only header that has an IP address, so this should be the one with no reverse DNS entry. However, it does have one. Perhaps your local DNS server is/was set up to handle the reverse DNS for that IP, but it doesn't have an entry for it?

If you let me know the DNS server that you are using with IMail, I can test to see if it is properly reporting the reverse DNS for that IP.

-Scott
RE: [Declude.JunkMail] REVDNS
>Scott, I've now been running DECLUDE for two days and from a first look,
>I like the product. However, it has been catching a large number of
>valid messages and I'm wondering what actions to take with them. The
>most common failures are on REVDNS,

That one does have a lot of false positives -- between all the lazy admins ("I'll do it tomorrow, I guess it's OK if we lose a bit of mail in the meantime") and the admins that *think* they have a reverse DNS entry but really do not, there are a lot of admins on there. While the first category (the lazy admins) are probably worth blocking (since they are very likely to have their mailserver set up to let spammers use it), the second category probably isn't worth blocking.

> HELOBOGUS

This is from the latest beta version. Reports in the spam community were VERY wrong when they were saying that E-mails failing this test had about a 99.9% chance of being spam.

>and WEIGHT10.

That's bad, very bad. That means that the people sending you legitimate mail have mailservers that are poorly set up. You may want to check to see what the weight is for the HELOBOGUS test -- if it is set to 8, it would cause the WEIGHT10 test to be triggered a bit too quickly (a setting of 3 or 4 might be better; I believe we have it set to 3 now).

>I remember reading about turning off WEIGHT10 and using WEIGHT20 (I
>think), but
>what about the others?

I would strongly recommend reading a bit about them in the manual, or at http://www.declude.com/junkmail/support/ip4r.htm . If you are going to be blocking mail, it's a very good idea to know why you are blocking it.

>Can I send something to the host postmaster to
>let them know that their servers are not properly configured? Or is
>there more to it than that?

One option is to use the BOUNCE action (or the ALERT action, which sends a bounce-like message, but also delivers the original E-mail). By default, these will go to the person who sent the E-mail, which is usually best for two reasons -- first, if the E-mail is spam, it won't end up bothering an innocent postmaster, and second, the sender of the E-mail is more likely to get the problem solved than the postmaster (who may just delete the automated message).

>A couple of other questions. Is there any
>way to set up two actions for a certain failed test? For instance, if I
>want to WARN and then modify the subject line?

Multiple actions per test

Declude JunkMail does not support multiple actions per test. When it was designed, it was assumed that people would only want to use one of the two actions that other anti-spam products use: WARN or BOUNCE. However, since Declude JunkMail allows so many different actions to be taken on E-mail, a number of people have requested the ability to use multiple actions per test.

Although Declude JunkMail does not support this, there is a way to accomplish the same end result. You just need to define two copies of the same test, each with a different name. For example, if you wanted to have the SPAMCOP test use both the WARN and SUBJECT actions, you would add a new test SPAMCOP2. The \IMail\Declude\global.cfg defines the SPAMCOP test as:

    SPAMCOP ip4r...

You would add another entry that is identical except with a different name, so you would now have:

    SPAMCOP ip4r...
    SPAMCOP2 ip4r...

Then, in your $default$.JunkMail file, you could have:

    SPAMCOP SUBJECT Spam:
    SPAMCOP2 WARN

Now, both actions will be used. There are some combinations of actions that will not work together (such as DELETE and HOLD, which logically can't both be used), but most will. Also, if you use the weighting system, you should set the weights of the second test to 0, so that you do not end up with double the weight.

>Can I run my
>server through these same tests to ensure that messages from our servers
>are not flagged as SPAM?

Yes -- you can go to http://www.DNSstuff.com and use the "spam database lookup" tool (it's best to enter the IP address there, not the hostname).

-Scott
RE: [Declude.JunkMail] REVDNS
Scott,

I've now been running DECLUDE for two days and from a first look, I like the product. However, it has been catching a large number of valid messages and I'm wondering what actions to take with them. The most common failures are on REVDNS, HELOBOGUS and WEIGHT10. I remember reading about turning off WEIGHT10 and using WEIGHT20 (I think), but what about the others? Can I send something to the host postmaster to let them know that their servers are not properly configured? Or is there more to it than that?

A couple of other questions. Is there any way to set up two actions for a certain failed test? For instance, if I want to WARN and then modify the subject line?

One more. Can I run my server through these same tests to ensure that messages from our servers are not flagged as SPAM?

Thanks for your help.

David

David Frager
IntelliMark Associates, Inc.
[EMAIL PROTECTED]
Phone: (512) 302-9300
Re: [Declude.JunkMail] REVDNS question
>I have a question about the REVDNS test. We are hosting our customers
>email on a server at one of our POP's and reverse DNS is being done for the
>virtual email server. The reverse DNS states only the domain name and
>does not have 'mail' specified in the reverse DNS.
>
>Email Server IP: 207.227.115.83
>reverse DNS: ducts.com
>
>Should it be 'mail.ducts.com' so the email do not fail the REVDNS test?

No -- just so long as a reverse DNS entry exists, there is no problem with Declude. There are a lot of mailservers that have virtual domains that are all using the same IP address, so often the IP address does not match.

Note that the reverse DNS entry (ducts.com) should also have an A record pointing back to the same IP (which ducts.com does), but Declude does not check for that.

>Here is the error message I get in the declude log file:
>06/21/2002 13:51:09 Q759a4a2a0284d95c Msg failed REVDNS (This E-mail was
>sent from a mail server 209.224.184.153 with no reverse DNS entry.).
>
>The IP shown in the log file is the IP of the T1 router at their location:
>209.224.184.153

And that's your problem. Declude doesn't know (or care) where you *think* the E-mail is coming from, it just cares where it really is coming from. In this case, the E-mail was sent to IMail by 209.224.184.153. Perhaps their router is set up to "fix up" the SMTP connection, and acts as a mailserver. In any case, that is where the E-mail came from.

-Scott
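The behaviour described in the reply above, as an added Python example (not Declude's code and not part of the thread): the check keys on the connecting IP, passes when any PTR exists, and can optionally add the forward A-record comparison that the reply says Declude skips. Reading the connecting IP from the topmost Received header, the resolver tables, the sample headers and all function and result names are assumptions constructed for illustration; a resolver timeout is reported separately from a missing PTR.

```python
import ipaddress
import re

# Constructed resolver data (not live DNS), modelled on the thread:
# 207.227.115.83 has PTR ducts.com with a matching A record, and
# 209.224.184.153 (the T1 router) has no PTR. The example.test entries
# are invented: a PTR whose name does not resolve back to the same IP.
PTR = {
    "83.115.227.207.in-addr.arpa": "ducts.com",
    "10.2.0.192.in-addr.arpa": "mail.example.test",
}
A = {
    "ducts.com": ["207.227.115.83"],
    "mail.example.test": ["192.0.2.99"],
}
TIMEOUTS = {"7.100.51.198.in-addr.arpa"}  # constructed: resolver never answers


class LookupTimeout(Exception):
    """Raised by the stub resolver when no answer arrives in time."""


def lookup_ptr(ip):
    """Stub PTR lookup: hostname, None for no entry, or LookupTimeout."""
    name = ipaddress.ip_address(ip).reverse_pointer
    if name in TIMEOUTS:
        raise LookupTimeout(name)
    return PTR.get(name)


# IMail-style header as quoted in the thread: "from host [a.b.c.d] by ..."
RECEIVED_IP = re.compile(
    r"^Received:\s+from\s+\S+\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.I)


def connecting_ip(headers):
    """IP our own server recorded: taken from the topmost Received header only.

    Lower Received headers were written by other hosts and are not trusted.
    """
    for line in headers:
        if line.lower().startswith("received:"):
            m = RECEIVED_IP.match(line)
            if not m:
                return None
            try:
                return str(ipaddress.ip_address(m.group(1)))
            except ValueError:
                return None
    return None


def revdns(headers, forward_confirm=False):
    """Return (result, ip) where result is PASS, FAIL, UNCONFIRMED, TIMEOUT or NO-IP."""
    ip = connecting_ip(headers)
    if ip is None:
        return ("NO-IP", None)
    try:
        host = lookup_ptr(ip)
    except LookupTimeout:
        return ("TIMEOUT", ip)  # resolver problem, not proof of a missing PTR
    if host is None:
        return ("FAIL", ip)
    if forward_confirm and ip not in A.get(host, []):
        return ("UNCONFIRMED", ip)  # PTR exists but does not resolve back
    return ("PASS", ip)


def sample(ip):
    """Constructed two-hop message; the lower hop names the 'expected' server."""
    return [
        f"Received: from gw.example.test [{ip}] by mail.example.test "
        "(SMTPD32-7.13) id A1; Fri, 21 Jun 2002 13:51:09 -0400",
        "Received: from ducts.com [207.227.115.83] by gw.example.test; "
        "Fri, 21 Jun 2002 13:51:02 -0400",
        "Subject: constructed sample",
    ]


if __name__ == "__main__":
    for addr in ("209.224.184.153", "207.227.115.83", "192.0.2.10", "198.51.100.7"):
        print(addr, revdns(sample(addr)), revdns(sample(addr), forward_confirm=True))
```
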
Re: [Declude.JunkMail] REVDNS test
>Ok, now I'm confused. Are you saying then that even though all the
>machines in my
>network are assigned IP addresses via DHCP, that I have to have each of those
>addresses resolve to something in the reverse DNS? I think most people
>would only
>list servers, not workstations in DNS. I don't even have them listed in the
>primary.

If the IPs are Internet-reachable, they are required to have a reverse DNS entry. If the IPs are internal only (IE 10.x.x.x or 192.168.x.x), they are not required to have a reverse DNS entry.

If they are external IPs, and you don't want reverse DNS entries, you can disable the REVDNS test.

-Scott
Re: [Declude.JunkMail] REVDNS test
Ok, now I'm confused. Are you saying then that even though all the machines in my network are assigned IP addresses via DHCP, that I have to have each of those addresses resolve to something in the reverse DNS? I think most people would only list servers, not workstations in DNS. I don't even have them listed in the primary.

We are getting the error on every piece of internal mail that originates from a user on our network.

"R. Scott Perry" wrote:
> A lot of people seem to think that the REVDNS checks to see if *your* mail
> server has a reverse DNS entry -- but if that were the case, either all
> mail would fail the REVDNS test, or none would.
>
> It checks the IP address of the remote computer (the one connecting to your
> mail server), not the IP address of your mail server. Although it's very
> important to have the reverse DNS entry for your mailserver, you also need
> reverse DNS entries for your other hosts.
> -Scott

--
Susan Duncan ([EMAIL PROTECTED])         TEL:(613) 231-SIRC x225
Director of Computer Operations, SIRC   FAX:(613) 231-3739
http://www.sportquest.com/  http://www.canadiansport.com/
Re: [Declude.JunkMail] REVDNS test
>Can I get more info on how the REVDNS test is done?

It's a standard reverse DNS lookup -- for more details, you'll need to go to the RFCs.

>We have half a class C so our upstream provider does our reverse DNS.

That's fine. They can either handle it, or delegate your half of the class C to your DNS servers.

>I can't tell if they have and I'm still getting all of our internal mail
>coming in with the REVDNS message.

A lot of people seem to think that the REVDNS checks to see if *your* mail server has a reverse DNS entry -- but if that were the case, either all mail would fail the REVDNS test, or none would.

It checks the IP address of the remote computer (the one connecting to your mail server), not the IP address of your mail server. Although it's very important to have the reverse DNS entry for your mailserver, you also need reverse DNS entries for your other hosts.

-Scott
RE: [Declude.JunkMail] REVDNS test
Yep, it's there.

http://www.dnsstuff.com/tools/ptr.ch?ip=206.191.24.151
http://www.dnsstuff.com/tools/dnsreport.ch?domain=sirc.ca

John Tolmachoff
IT Manager, Network Engineer
211 E. Imperial Hwy., Suite 106
Fullerton, CA 92835
714-578-7999, ext. 104
[EMAIL PROTECTED]
www.reliancesoft.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Duncan
Sent: Tuesday, March 12, 2002 9:30 AM
To: Declude List
Subject: [Declude.JunkMail] REVDNS test

Can I get more info on how the REVDNS test is done?

We have half a class C so our upstream provider does our reverse DNS. Apparently somewhere along the line they dropped the config for us and we didn't have reverse dns set up for mail.sirc.ca. After much email back and forth, yesterday they told me that they'd fixed it. I can't tell if they have and I'm still getting all of our internal mail coming in with the REVDNS message.

Are you checking with specific servers and the info just hasn't propagated yet or is there something else?

--
Susan Duncan ([EMAIL PROTECTED])         TEL:(613) 231-SIRC x225
Director of Computer Operations, SIRC   FAX:(613) 231-3739
http://www.sportquest.com/  http://www.canadiansport.com/
RE: [Declude.JunkMail] REVDNS occasionally returns null value instead of IP address!
SP>> That would happen if there was no IP address to test for the remote server. It could happen if, for example, you have Declude bypass your backup mail server, and that mail server doesn't record the IP address. <<

Nope - that's not the case here. Look at the header one more time, please. You'll see that the remote host is "mtlmailrouter.cranesupply.com [207.107.10.2]". My backup SMTP server is not involved. Still, the DECLUDE-NOTE header lists a remote host of "null string".

Received: from mtlmailrouter.cranesupply.com [207.107.10.2] by mail.webhost.hm-software.com (SMTPD32-6.06) id A3F21CB900A8; Sat, 12 May 2001 11:17:06 -0400
Received: from sdbrn.msn.com [24.216.191.15] by mtlmailrouter.cranesupply.com (SMTPD32-4.03) id A0CB1E4A0218; Sat, 12 May 2001 11:03:39 EST
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Subject: Take my hand, and get out of Debt... [hgnvd]
Content-Type: text/plain; charset=us-ascii
Date: Sat, 12 May 101 11:03:43 EST
Message-Id: <[EMAIL PROTECTED]>
X-Declude-Note: SMTP headers violate RFCs - bad headers [c0104202]
X-RBL-Warning: Suspected SPAM. Failed heuristic test - SPAM [1.00]
X-Declude-Sender: [EMAIL PROTECTED] [207.107.10.2]
X-Declude-Spoolname: D53f20a8.SMD
X-Declude-Note: Processed by Declude 1.21a; remote host .

PS: What's the story with your garbled list server subject field. For the last two days, I always see garbled text such as:

"RE: X-RBL-Warning: %WARNING%REVDNS:Re: [Declude.JunkMail] 1.21b Improved - but Headers stillbroken!"

but my subject was just "Re: 1.21b Improved - but Headers stillbroken!"

Best Regards
Andy