If someone demands they not get listed then they deserve to get
blacklisted because OBVIOUSLY they have something to hide.
.6 is List of hosts that have been noted as sending
spam/UCE/UBE to the admins of SORBS. This
zone also contains netblocks of spam supporting
service
Cox cable I'll bet.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Glen Harvy
Sent: Monday, September 01, 2003 6:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] SORBS-SPAM
Who's Cox?
-Original Message-
From: [EMAIL
Would you post your configuration that works for you? and anyone else
that's willing to do so? I'd like to see some examples of successful
configurations to learn from.
Thanks
Either way with declude there is not reason to directly block anything
just use a weighted system where each test
.8 is one of those F-U blacklists that punishes every user on a system
because a network administrator saw fit to complain. I would think that
most of these organizations are bandwidth providers with some sort of
firewall that got tripped by the testing. Spammers don't rely on open
relays in
Keith wrote:
Would you post your configuration that works for you? and anyone else
that's willing to do so? I'd like to see some examples of successful
configurations to learn from.
Here's mine. Weights 0-12 are OK, weights 13-19 get bounced and 20+
gets deleted. Neither bounces nor deletes
Mathew,
Correction there..
.8 is no longer used and is basically empty.
.6 has a higher # of false positives than the rest. Not many, but if you
want to play it safe, do not use .6.
And that is correct:
Cox = Cox Cable
It is my home connection and since SBC is obviously not an ethical
Don't get me wrong, I will use .6 (and will configure it probably
tonight since I finished some other testing), but I will score it fairly
low because anything that tags something like Cox is problematic. Same
goes for FIVETEN, they are tagging Yahoo/SBC.
It's good to know when a particular
Absolutely agreed.
pbh
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Matthew Bramble
Sent: Monday, September 01, 2003 9:11 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] SORBS-SPAM
Don't get me wrong, I will use .6 (and will
Hello,
I want to have the name of the Test in the Subject of the mails so I can see
which test it failed. (something like [SPAM - ORDB] in the subject).
I know I can see it in the Header, but to tell the users how they can find
it is hard.
And I do not want to modify all tests, something dynamic
and since SBC is obviously not an ethical
alternative,
Whets using SBC as a provider got to do with ethics?
Todd
- Original Message -
From: Phillip B. Holmes [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, September 01, 2003 8:47 PM
Subject: RE: [Declude.JunkMail] SORBS-SPAM
I want to have the name of the Test in the Subject of the mails so I can see
which test it failed. (something like [SPAM - ORDB] in the subject).
I know I can see it in the Header, but to tell the users how they can find
it is hard.
And I do not want to modify all tests, something dynamic would
Spam we caught yesterday was down by about 30% -
40%. Anyone else notice this?
Todd Hunter
Progressive Systems
No, we
recv'd roughly the usual amount. I'm waiting for them to take a longer
holiday in prison preferably.
-Original Message-From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]On Behalf Of Todd - Smart
MailSent: Tuesday, September 02, 2003 7:33 AMTo:
[EMAIL
Is it just me or have spammers found other ways to get past scanners? I've
been getting slammed lately with more and more spam that is getting past
declude without a single hit.
Greg Foulks
NewFound Technologies, Inc.
[EMAIL PROTECTED]
http://www.nfti.com
614.318.5036
attachment: winmail.dat
Two words: pink contracts
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Todd
- Smart Mail
Sent: Tuesday, September 02, 2003 7:17 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] SORBS-SPAM
and since SBC is obviously not an ethical
Title: RE: [Declude.JunkMail] More and more email getting past Declude
Theyve cleaned up their acts. I am seeing a lot of stuff come straight through with a single hit. It ALMOST seems like if mail fails a few tests, its legit !
Karl Drugge
-Original Message-
From:
I had a
funny thing happen over the weekend, I had more items in spool/virus than in
spool/spam at one point. I'm speechless.
-Original Message-From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]On Behalf Of Todd - Smart
MailSent: Tuesday, 02 September 2003 8:33 AMTo:
[EMAIL
think of sobig.f. it generates a large amount of virus mails. some of my
customers think that i spam them with virusnotifications!
mfg
i.a.
gez. guhl
***
lds nrw
dez. 235
tel.: 0211 9449 2578
fax.: 0211 9449 8344
mailto:[EMAIL PROTECTED]
Is it just me or have spammers found other ways to get past scanners? I've
been getting slammed lately with more and more spam that is getting past
declude without a single hit.
The two most common reasons for this are [1] A setup issue (a
gateway/backup that Declude doesn't know about, bad DNS
They're not getting past everything - we show a rejection rate of greater
than 75% almost consistently... not to say that the problem isn't getting
worse though.
http://www.sortmonster.com/MessageSniffer/Performance/FlowRates.jsp
We have seen a significant and apparently consistent rise in the
Scott,
I doubt it's a setup issue because I'm using the same setup that I've used
for a year now. Also I am not the only one receiving more spam.. All of my
users are as well...
Anyway here is a piece of spam recently received (I've already blacklisted
the sender) but it seems as soon as I
I have a customer who only wants to get email to a list of valid
employees, no one else (i.e. ex-employees). However, the list of
ex-employees is too long for him to come up with, thus he gave me the
list of valids. I looked, but I don't think Declude has a HEADER tag
called DOESNOT CONTAIN,
The following ipblacklist entry with a high enough weight to reject will
kill their stuff:
64.119.218.192/27 advertisingbymail.com
George
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Greg Foulks
Sent: Tuesday, September 02, 2003 10:16 AM
Greg,
After checking my ipblacklist, I have the entire Class C blocked due to
multiple spammers. The entry is:
64.119.218.0/24 Assorted SPAM
George
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Greg Foulks
Sent: Tuesday, September 02, 2003
I doubt it's a setup issue because I'm using the same setup that I've used
for a year now. Also I am not the only one receiving more spam.. All of my
users are as well...
So in the past year, you haven't added/removed any gateways or backup
mailservers, haven't changed IPs for DNS servers,
I have a customer who only wants to get email to a list of valid
employees, no one else (i.e. ex-employees). However, the list of
ex-employees is too long for him to come up with, thus he gave me the
list of valids. I looked, but I don't think Declude has a HEADER tag
called DOESNOT CONTAIN,
Scott,
Correct I have not added/removed any gateways or backup mailservers, changed
any IP's for DNS or changed a DNS responsibility.
What I'm seeing in spam lately is that it looks more legit than in the past.
Usually a piece of spam will fail at least one of our tests. like a RFC
problem, a bad
Scott,
The problem with using the CONTAINS is that I would have to have
a list of the ex-employees and the only list he can put together is the
good employees. Thus if I used the CONTAINS I would be hitting good
employee email. Any other suggestions, thanks for your time.
Keith
What
Greg,
Did you add any replacements for OSIRUSOFT? Or just comment them out?
Karen
-Original Message-
From: Greg Foulks
Correct I have not added/removed any gateways or backup
mailservers, changed
any IP's for DNS or changed a DNS responsibility.
---
[This E-mail scanned for
Karen,
My bad, I failed to mention this is a Store and Forward
domain...
Keith
-Original Message-
From: Karen D. Oland [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 02, 2003 12:07 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Need aid on Declude Header rule
Greg,
I doubt it's a setup issue because I'm using the same setup that I've used
for a year now.
This probably goes without saying but you have removed the osirusoft.com
tests and replaced them with something appropriate?
I have email accounts that I monitor that get Huge amounts of spam. We
Delete the nobody alias. Then, only valid email in his domain will be
accepted. Delete all old employees not on the list of valid names you just
received from the domain.
-Original Message-
From: Keith Johnson
The problem with using the CONTAINS is that I would have to have
a
Does anybody know if *.osirusoft.com is back up yet? Anybody have a
solid alternative configuration to be used in the mean time?
James R. Skivers
Network Administrator
Web One Inc.
[EMAIL PROTECTED]
http://astra1.com
---
[This E-mail was scanned for viruses by Declude Virus
Keith,
What about at the client end? Could he not filter at his mail server to
refuse mail for non-local users?
It sounds like you need a to version of MAILFROM -- then you could delete
all those that failed the test. Perhaps a domain rule that tests for each
of his vlalid user names and adds
Scott:
We are having a bit of a problem with the per user whitelist and would like
to confirm the format for setting up the file in the user's user.junkmail
file. Is this the correct format?
WHITELISTFILE E:\IMail\Declude\domain.com\user-whitelist.txt
Also, is there any chance of
I have not replaced any of the asirusfot.com tests but have added a few
others.
Here is my current configuration
DSBLip4r list.dsbl.org * 30
0
MONKEYFORMMAIL ip4rformmail.relays.monkeys.com * 30 0
It just seems like that recently the spam we've been getting is clean. Which
makes it hard for declude to block it when it passes all of the rules.
That's because companies that feel that they are legitimate E-mailers (ones
that technically *do* have your permission to send the mail!) are the
CONTAINS *would* work in this way. For example:
HEADERS -1000 CONTAINS [EMAIL PROTECTED]
HEADERS -1000 CONTAINS [EMAIL PROTECTED]
...
In this case, an E-mail with [EMAIL PROTECTED] in the headers
would always receive a weight less than 0. You can then create a
Phillip wrote:
Two words: pink contracts
9 syllables: what the heck are you talking about?
I've had nightmares setting up PacBell/SBC DSL that would fill a book,
but that was incompetent tech installation and support. Once the
service is up its always been just great; for years running.
And
Scott,
SWEET, that is a great idea, I'll give it a go, you are the man.
Keith Johnson
CONTAINS *would* work in this way. For example:
HEADERS -1000 CONTAINS [EMAIL PROTECTED]
HEADERS -1000 CONTAINS [EMAIL PROTECTED]
...
In this case, an E-mail with
Scott,
What is your opinion of Spamchk? How well does it work with Declude and have
you seen any issues with using?
Greg
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
Sent: Tuesday, September 02, 2003 1:17 PM
To: [EMAIL PROTECTED]
Subject:
We are having a bit of a problem with the per user whitelist and would like
to confirm the format for setting up the file in the user's user.junkmail
file. Is this the correct format?
WHITELISTFILE E:\IMail\Declude\domain.com\user-whitelist.txt
That will work fine.
Also, is there any
I plugged pink contracts into Google and here's the first link that came up...
http://mail.spamcon.org/pipermail/suespammers/2001-February/000837.html
Keith Purtell, Web/Network Administrator
VantageMed Operations (Kansas City)
Email: [EMAIL PROTECTED]
CONFIDENTIALITY NOTICE: This email
Thanks Scott.
I'll chase the problem a bit more.
With respect to the manual: yes, I am aware that the archives are a great
help, but they are occasionally down and, in at least one case, the
declude.junkmail archive has a major hole in it taking out several days
worth of messages and can
Greg,
It looks like you have a good list of tests. You may want to
evaluate the scores for some of your tests. We also use Weight 100 and we
give Spamcop a Much higher score. In addition the tests we had for
oriusoft.com we scored pretty high 35 - 50 so when we added replacements we
Scott:
It would appear that when using the FROM function in the per user
whitelistfile, we cannot use the straight E-mail address, but must copy the
FROM information out of the header of a received E-mail. That would mean
that unless a user has actually already received an e-mail from someone,
It would appear that when using the FROM function in the per user
whitelistfile, we cannot use the straight E-mail address, but must copy the
FROM information out of the header of a received E-mail. That would mean
that unless a user has actually already received an e-mail from someone,
he/she
No.
They're not coming back.
Read the mail archives.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
James R. Skivers
Sent: Tuesday, September 02, 2003 12:25 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] OSRELAY
Does anybody know if
Keith wrote:
I plugged pink contracts into Google and here's the first link that
came up...
Well, doesn't that just suck? Hopefully the 2001 date on that post is
indicative of a changed landscape, otherwise they're pretty much *all*
in league with the devil.
Sandy, can you repost the login information for the Spamanager demo account
you setup? I stumbled across it in the archives a few weeks back, but the
archives replaced the username email address with [EMAIL PROTECTED]
Thanks,
John Weiner
---
[This E-mail was scanned for viruses by Declude
If a test is listed in the Global.cfg file and in the domain file will the
process be run twice?
Thanks,
Doug
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to
If a test is listed in the Global.cfg file and in the domain file will the
process be run twice?
If a test definition appears once in the global.cfg file, it will only be
run once. If it appears two or more times in the global.cfg file, it may
or may not be run more than once, depending on the
Scott:
Well, maybe that is why we are having problems. We are working with the
WHITELISTFILE option, not the global WHITELIST option. Perhaps we are
working under the wrong assumptions but we rather expected that the syntax
in the WHITELISTFILE would be the same as that for the WHITELIST option.
Sorry about the incomplete nature of the question.
If a test is in the global.cfg and listed in BOTH the
declude\$default$.JunkMail file
and in the declude\domain\$default$.JunkMail file as well, will the test be
run twice?
I am just wondering if that would have an effect on the processor time.
Well, maybe that is why we are having problems. We are working with the
WHITELISTFILE option, not the global WHITELIST option. Perhaps we are
working under the wrong assumptions but we rather expected that the syntax
in the WHITELISTFILE would be the same as that for the WHITELIST option.
The
Scott,
I spoke to soon. If I use the weighting method, it hurts my ability to use
the Weight system to guard them against Spam. Your thoughts...
Keith
-Original Message-
From: Keith Johnson
Sent: Tue 9/2/2003 1:27 PM
To: [EMAIL PROTECTED]
If a test is in the global.cfg and listed in BOTH the
declude\$default$.JunkMail file
and in the declude\domain\$default$.JunkMail file as well, will the test be
run twice?
No, it will not. With per-user and per-domain settings, the tests will
only be run once.
I spoke to soon. If I use the weighting method, it hurts my
ability to use the Weight system to guard them against Spam. Your thoughts...
Ah, I see.
In that case, you can have the same filter, but instead of having it
defined as MYFILTER filter C:\IMail\Declude\myfilter.txt x -1000
Hello,
We get a lot of false postives from sites that fail two of three simple
tests such as REVDNS, HELOBOGUS and BADHEADERS which combined have just
enough weight (10 to12 ), to get tagged as spam. I have been whitelisting
as I learn about them, which seems to be approx one to three
We only white list after emailing the user and the mail admin. It is in
their best interest to fix the RDNS and HELO bogus issues.
Attached is the email I send to them.
Why should I slow the processing of email on our server for a few ignorant
admins. I also send an automated email to all users
Matt - Yes. I worked for SBC for 10 years.
Keith-
Plug in sbc pink contracts.
http://groups.google.com/groups?q=sbc+pink+contractsie=UTF-8oe=UTF-8hl=en
Best Regards,
Sr.Consultant /
Phillip B. Holmes
Media Resolutions Inc.
Macromedia Alliance Partner
http://www.mediares.com
[EMAIL PROTECTED]
I reduced the scores of those test's. Messages that fail BAHDEADERS
seem to often fail HELOBOGUS in my experience. It would be good to know
the error code returned by the BADHEADERS test because this shouldn't be
failed by most mailing applications (even automated ones). If you look
in your
Greg,
we have been using SpamCheck for about 1 1/2 months now and have had No
problems with it.
Pros
1. Easy to Install
2. Support has been good
3. Highly flexible
4. Catches a lot of spam that passes DNS and RFC tests
5. Allows you to give emails + or - weights
6. Cost $0
Cons
1. Config
Scott,
Since we house mulitple domains (using spam filtering) and this filter test is
used in the Global file it seems it would fail every other domain email (i.e. 1000
weight) that we house on the same box?! Is there a way to only define it for use in
the default config file for that
I brought this up last
week.Anyone see the benefit beside me? The idea of being able to
stop testing once a given Weight has been reached seems to have multiple
benefits to me.My numbers indicate that about 45% of my spam would
benefitfrom stopping testing at 4X my Hold Weight.
I know
Sandy, can you repost the login information for the Spamanager demo account
you setup? I stumbled across it in the archives a few weeks back, but the
archives replaced the username email address with [EMAIL PROTECTED]
http://webmail.cypressintegrated.com:8383
Username: demo
Password: blue
66 matches
Mail list logo
