Re: [Declude.JunkMail] Next release

2003-09-16 Thread Bill B.
Awesome Scott! Does this feature work with "PREWHITELIST ON" so that we can conserve some resources for Auth'd users? Thanks, Bill -Original Message- From: "R. Scott Perry" Sent: Tue, 16 Sep 2003 20:05:40 -0400 Subject: Re: [Declude.JunkMail] Next release >Scott could you give us an

Re: [Declude.JunkMail] Next release

2003-09-16 Thread Frederick Samarelli
Same with me. This is from one of my customers:      "Just a quick note to let you know how happy I am with your company's email virus scanning and spam filtering service. It really works awesome! It's not that I'm not capable, but I haven't even opened the McAfee Security software I bought

Re: [Declude.JunkMail] Next release

2003-09-16 Thread Joshua Levitsky
On Sep 16, 2003, at 8:05 PM, R. Scott Perry wrote: We do have an interim release at http://www.declude.com/release/175i/declude.exe that includes this ability (if you are running a version of IMail that supports it, such as 8.x). A line "WHITELIST AUTH" in the \IMail\Declude\global.cfg file will

RE: [Declude.JunkMail] Next release

2003-09-16 Thread Andy Schmidt
>> if you are running a version of IMail that supports it, such as 8.x). A line "WHITELIST AUTH" in the \IMail\Declude\global.cfg file will let that interim release know to whitelist all E-mail from users who have authenticated. << Uhhh, finally a good reason to upgrade to 8.x. Until now it seeme

Re: [Declude.JunkMail] Next release

2003-09-16 Thread R. Scott Perry
Scott could you give us an idea of what new tests and a possible date of the next release of declude junkmail. We do not have an ETA for the next beta release. However: My remote users are constantly on me about the authentication issue when on a dial up. I have those users whitelisted but they

[Declude.JunkMail] Next release

2003-09-16 Thread Kevin Bilbee
Scott could you give us an idea of what new tests and a possible date of the next release of declude junkmail. My remote users are constantly on me about the authentication issue when on a dial up. I have those users whitelisted but they do not like the side effect of receiving spam from their own

Re: [Declude.JunkMail] REMOTEIP as a filter?

2003-09-16 Thread R. Scott Perry
Before trying this .. would this work? BODY 0 CONTAINS %REMOTEIP% No, that would not work. Variables are not processed in the filter files. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Vir

Re: [Declude.JunkMail] REMOTEIP as a filter?

2003-09-16 Thread Bill Landry
Kami, I don't think you can use variables in filter files. This would only flag literal %REMOTE% if found in the message body, not the remote IP address. I'm sure Scott will correct me if I am wrong... Bill - Original Message - From: Kami Razvan To: [

[Declude.JunkMail] REMOTEIP as a filter?

2003-09-16 Thread Kami Razvan
Scott.. Before trying this .. would this work? BODY 0 CONTAINS %REMOTEIP% interesting when someone refers to the IP address that the email is being sent from. I have seen some spam that come from the same IP that the email has in its body for the recipient to

Re: [Declude.JunkMail] Fwd: Verisign's New Change and Outdate RBL's

2003-09-16 Thread Bill Landry
Shouldn't find FPs in any of the examples you posed, since a query should only be done on a mail-from domain name, and VeriScam would only respond to a query with the 64.94.110.11 IP address if the domain name ends in .net or .com.   Bill - Original Message - From: Matthew Br

[Declude.JunkMail] Imail v8 features

2003-09-16 Thread Markus Gufler
As a Declude JM & AV user I try to post this question here. We have Imail v7.1 in use with the latest patches. As I understand it, we can install the KWM templates also on v7.1. Imail Antispam and AV are not of interest to us. So the queue manager remains. I've read about some stability problems... What

Re: [Declude.JunkMail] FW: [IMail Forum] OT Verisign hijack *.net - crosspost

2003-09-16 Thread R. Scott Perry
Well, can't you have a valid mail domain that only has an MX record (and no A record), which points to a server in another domain (with an A record)? Yes. But if the domain exists, Network Solutions won't send back an A record. It only does that for domains that do not exist.

[Declude.JunkMail] Developer Moves to Neutralize Web Helper

2003-09-16 Thread Matthew Bramble
Developer Moves to Neutralize Web Helper: Software Developer Releases Program That Neutralizes Controversial Navigation Service http://biz.yahoo.com/ap/030916/internet_typos_2.html Great! Maybe Microsoft will also release a patch for those that use their DNS server? --- [This E-mail was scanne

Re: [Declude.JunkMail] FW: [IMail Forum] OT Verisign hijack *.net - crosspost

2003-09-16 Thread Roger Eriksson
Well, can't you have a valid mail domain that only has an MX record (and no A record), which points to a server in another domain (with an A record)? /Roger >>If I understand this correctly, the drawback with this work-around, >>compared with the MAILFROM test, is that it only looks up the A rec

[Declude.JunkMail] How to config subjectchars test

2003-09-16 Thread Mike K
Can specific characters be specified? If so how? If not a feature request to look for a specified char and the count, just like the subjectspaces test. Could be useful for "U*n*i*v*e*r*s*i*t*y d*i*p*l*o*m*a" Mike --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com

Re: [Declude.JunkMail] OBFUSCATION filter

2003-09-16 Thread Matthew Bramble
Mike, Good point, however there is a problem.  What you have is HTML encoded UNICODE, and there are thousands upon thousands of these:  http://www.alanwood.net/unicode/unicode_samples_no.html , and there might be a good reason for this in multi-lingual mailings.  I don't think though that mail

Re: [Declude.JunkMail] OBFUSCATION filter

2003-09-16 Thread Matthew Bramble
Mike, The same thing can happen in the body, so it's worth knowing. Naturally the filter can easily be modified for use in the subject, and there is really no reason at all to be HTML encoding subject lines unless it is a non-Western European language, and still they should be base64 encoded I

Re: [Declude.JunkMail] FW: [IMail Forum] OT Verisign hijack *.net - crosspost

2003-09-16 Thread R. Scott Perry
If I understand this correctly, the drawback with this work-around, compared with the MAILFROM test, is that it only looks up the A record and doesn't check for any MX records. True. It's designed to work with the MAILFROM test. The MAILFROM test works properly, and works with most TLDs. The V

Re: [Declude.JunkMail] Auto-unsubscribe

2003-09-16 Thread R. Scott Perry
Curious on how you have your auto-unsubscribe set. I have been unsubscribed twice now and each time I usually figure out when the list seems unusually quiet. You'll get unsubscribed if there are too many bounces. This time is probably because of a filter that was a little too aggressive yesterday

Re: [Declude.JunkMail] FW: [IMail Forum] OT Verisign hijack *.net - crosspost

2003-09-16 Thread Roger Eriksson
Scott, If I understand this correctly, the drawback with this work-around, compared with the MAILFROM test, is that it only looks up the A record and doesn't check for any MX records. Any idea if this will cause a number of false positives? /Roger >>Scott could you explain how this works? >> >>

Re: [Declude.JunkMail] OBFUSCATION filter

2003-09-16 Thread Mike K
Sorry, just noticed, this was in the "subject". Mike - Original Message - From: "Mike K" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, September 16, 2003 3:32 PM Subject: Re: [Declude.JunkMail] OBFUSCATION filter > May want to account for foreign languages also. I just rece

Re: [Declude.JunkMail] OBFUSCATION filter

2003-09-16 Thread Mike K
May want to account for foreign languages also. I just received this spam while I was adding your URL obfuscation filter. Недорогие звонки зарубеж! Mike - Original Message - From: "Matthew Bramble" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Monday, September 15, 2003 12:40 PM Sub

[Declude.JunkMail] Auto-unsubscribe

2003-09-16 Thread Tom Baker | Netsmith Inc
Scott: Curious on how you have your auto-unsubscribe set. I have been unsubscribed twice now and each time I usually figure out when the list seems unusually quiet. This time is probably because of a filter that was a little too aggressive yesterday that I quickly caught and removed... I rejected

Re: [Declude.JunkMail] Fwd: Verisign's New Change and Outdate RBL's

2003-09-16 Thread Matthew Bramble
This is a great find!  I'm just wondering where the potential FP's would come from so that I can determine the proper scoring.  Obviously people that misspell their from domain could be tagged, but what happens when someone uses <> or how about just "John Smith", would that score on this test? 

Re: [Declude.JunkMail] FW: [IMail Forum] OT Verisign hijack *.net - crosspost

2003-09-16 Thread R. Scott Perry
Scott could you explain how this works? > Or, if you have Declude JunkMail, you can just add a line "VERISCAM rhsbl . 64.94.110.11 8 0" That line will add a test of the "rhsbl" type named VERISCAM. That test uses "." as the zone to query, and expects a return IP of 64.94.110.11. RHSBL tests l

Re: [Declude.JunkMail] Disposable Domains

2003-09-16 Thread Matthew Bramble
Dan, That would be a valuable test IMO, however I think there might be issues with load since I am not aware of a standard method of caching whois lookups. Because whois output also comes in many forms (as opposed to DNS) it would be process intensive to grab the registration date. Then last

[Declude.JunkMail] FW: [IMail Forum] OT Verisign hijack *.net - crosspost

2003-09-16 Thread Kevin Bilbee
Scott could you explain how this works? > Or, if you have Declude JunkMail, you can just add a line "VERISCAM rhsbl -Scott I looked through the manual and the only description of RHSBL in the manual is the following line. The "dnsbl" test type is used to support future DNS-based spam d

[Declude.JunkMail] GIBBERISH - 09/16/2003 filter update

2003-09-16 Thread Matthew Bramble
I think that I've stumbled onto a large source of false positives in legitimate bulk mail. Instead of listing individual mailers that offend in many cases, it turns out that these are often customers of one of a few companies, CheetahMail and SilverPOP. Each of these companies uses URL's in t

[Declude.JunkMail] What is going on with OpenRBL.org

2003-09-16 Thread Colbeck, Andrew
For those who like to use http://openrbl.org but found it unavailable for longer than any usual system maintenance, your guess that it was due to a DDOS is right. Meanwhile, Declude's own http://www.dnsstuff.com/ and http://moensted.dk/spam/ can get you the lookup information.

RE: [Declude.JunkMail] Any easy way

2003-09-16 Thread ISPhuset Nordic / Benny Samuelsen
Yes I see that per user but I run it as a per domain service would it work there too ? Was a little wrong in my mail where I typed per user but meant per domain -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sanford Whiteman Sent: 16. september 2003 19

Re: [Declude.JunkMail] Any easy way

2003-09-16 Thread Sanford Whiteman
> ...or make a line in declude.junkmail which goes to a global file > where u change the settings for all of those having this "profile" See the REDIRECT keyword. -Sandy Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integr

[Declude.JunkMail] Any easy way

2003-09-16 Thread ISPhuset Nordic / Benny Samuelsen
We are running a per user setting on our Declude junkmail, as a paid service on mail. But every time there are huge changes there is a lot of work updating the configs. Would it be possible to run this either in a database where u add the domain and just click in for which filters the cus

Re: [Declude.JunkMail] RevDNS

2003-09-16 Thread R. Scott Perry
> I'm guessing that your local DNS server thinks that it is authoritative for > reverse DNS lookups, but doesn't have a reverse DNS entry for 209.7.3.194. > When you say local, you are talking about the internal Private DNS server, right? By "local" I mean the DNS server that IMail uses. Or the d

Re: [Declude.JunkMail] Character set/unicode testing?

2003-09-16 Thread Matthew Bramble
Mark, Such E-mail should be tagged in the message header. Even your message got sent in charset="koi8-r", though I have seen at least one other Cyrillic character set. Here's a page full of them: http://czyborra.com/charsets/cyrillic.html I would imagine that if you have no customers speaking

Re: [Declude.JunkMail] GIBBERISH and GIBBERISHSUB filters updated

2003-09-16 Thread Matthew Bramble
I've seen different results than what you are reporting. Almost all of the hits for GIBBERISH that set off ANTIGIBBERISH are E-mails containing base64 attachments.  When you see a spam trigger both of these, it's likely because it's sent in base64 and it should trip Declude's BASE64 test inste

Re: [Declude.JunkMail] RevDNS

2003-09-16 Thread EN
> Is the IMail server in the DMZ? The IMail server is actually outside of our firewall on the internet side of things. > > I'm guessing that your local DNS server thinks that it is authoritative for > reverse DNS lookups, but doesn't have a reverse DNS entry for 209.7.3.194. > When you say local,

Re: [Declude.JunkMail] GIBBERISH and GIBBERISHSUB filters updated

2003-09-16 Thread Frederick Samarelli
I assume you are using all four of these items at one time. GIBBERISHSUB ANTIGIBBERISHSUB GIBBERISH ANTIGIBBERISH I have noticed that almost all spam that set off GIBBERISHSUB/GIBBERISH will set off the ANTIGIBBERISHSUB/ANTIGIBBERISH making the test nonproductive. Fred - Original Message

RE: [Declude.JunkMail] SKIPIFVIRUSNAMEHAS Fizzer

2003-09-16 Thread R. Scott Perry
I knew I should have done that. Also, I just realized that this is the wrong forum for Declude Virus. My bad. Oh, well. I'm sure others are anxiously anticipating the outcome of this issue at this point. ;) Everything in the file looks fine. Are you sure that it is this file (sender.eml, with the

RE: [Declude.JunkMail] Action vs weight

2003-09-16 Thread mark_smith
IGNORE will Ignore the message but still weight it. I have IGNORE set as the action for all of my tests (except my kill file). Then I apply bounce/delete, etc actions for the weight tests. Mark From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf

RE: [Declude.JunkMail] Action vs weight

2003-09-16 Thread Sharyn Schmidt
Yes, a test will still count towards the weight even if there is no action defined for it. -Scott Great..thanks! Sharyn We are the worldwide producer and marketer of the award winning Cruzan Single Barrel Rum, judged "Best in the World" at

RE: [Declude.JunkMail] SKIPIFVIRUSNAMEHAS Fizzer

2003-09-16 Thread Mike Gable
>Open your sender.eml with notepad, then copy and paste into a new text >document. >Outlook treats this as an attached e-mail and messes with it. >John Tolmachoff MCSE CSSA I knew I should have done that. Also, I just realized that this is the wrong forum for Declude Virus. My bad. Oh, well. I'm

Re: [Declude.JunkMail] Action vs weight

2003-09-16 Thread R. Scott Perry
If I have a test in my global.cfg, say the easynet-proxies, and the weight is 7, but in my default junkmail file, I don't put any action associated with the test (such as WARN), will the weight still be counted in for the test, or will it be totally ignored? The reason I am asking is, I don't

Re: [Declude.JunkMail] How do I block this...what is best way?

2003-09-16 Thread DLAnalyzer Support
Keith, One of the lists I use is Tom's from ImageFx. It's pretty good and always seems to be updated. http://www.imagefxonline.net/apps/delog/fromfile.txt Darrell Check Out DLAnalyzer a comprehensive reporting tool for Declude Junkmail Logs

Re: [Declude.JunkMail] RevDNS

2003-09-16 Thread R. Scott Perry
I've had this problem for a while, and although I found a way around it, I want to get it corrected so that I don't see this warning...anyway... My work is behind a firewall, this firewall, contains 3 zones: Our Private network with a 192.168.x.x IP range Our DMZ and the Internet Zone The fir

Re: [Declude.JunkMail] RevDNS

2003-09-16 Thread Bill Landry
- Original Message - From: "EN" <[EMAIL PROTECTED]> > The firewall does NAT to hide all our machines behind one IP which is > designated on the firewall. > When a user sends email while using the web interface of Imail, all is well. > When a user sends an email using Outlook Express, the

Re: [Declude.JunkMail] JM held mail viewer

2003-09-16 Thread Mike K
Perfect, Thank you. Mike - Original Message - From: "Bill Landry" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, September 16, 2003 10:11 AM Subject: Re: [Declude.JunkMail] JM held mail viewer > Yes, there is a neat little decode app from Funduc Software that supports > deco

[Declude.JunkMail] Action vs weight

2003-09-16 Thread Sharyn Schmidt
If I have a test in my global.cfg, say the easynet-proxies, and the weight is 7, but in my default junkmail file, I don't put any action associated with the test (such as WARN), will the weight still be counted in for the test, or will it be totally ignored? The reaso

[Declude.JunkMail] RevDNS

2003-09-16 Thread EN
Hi all, I've had this problem for a while, and although I found a way around it, I want to get it corrected so that I don't see this warning...anyway... My work is behind a firewall, this firewall, contains 3 zones: Our Private network with a 192.168.x.x IP range Our DMZ and the Internet Zone

Re: [Declude.JunkMail] JM held mail viewer

2003-09-16 Thread Bill Landry
Yes, there is a neat little decode app from Funduc Software that supports decoding of several encoding types, and it integrates nicely into the Windows Explorer right-click feature (so if you right-click on a file, one of your options is "Decode"). You can find it at www.funduc.com under the "Free

[Declude.JunkMail] JM held mail viewer

2003-09-16 Thread Mike K
Is there a util that allows viewing/decoding of base64 encoded D*.SMD spool files that have been held by JM? Mike --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to

RE: [Declude.JunkMail] How do I block this...what is best way?

2003-09-16 Thread Sharyn Schmidt
Not to feed the spammers again by asking this, but is there a repository of blacklists out there somewhere? Anyone willing to share? I use the pre-made blacklist file (Kill List) from ImageFx as I don't have a lot of spare time to do my own configurations. Good job, guys, by the way! :) http

RE: [Declude.JunkMail] How do I block this...what is best way?

2003-09-16 Thread Keith Anderson
Not to feed the spammers again by asking this, but is there a repository of blacklists out there somewhere? Anyone willing to share? > -Original Message- > From: Kami Razvan [mailto:[EMAIL PROTECTED] > Sent: Tuesday, September 16, 2003 6:57 AM > To: [EMAIL PROTECTED] > Subject: RE: [Decl

RE: [Declude.JunkMail] How do I block this...what is best way?

2003-09-16 Thread Bridges, Samantha
Thanks Kim. Can you send me a copy of your kill.lst? I think it would help us out a lot. Samantha -Original Message- From: Kami Razvan [mailto:[EMAIL PROTECTED] Sent: Tuesday, September 16, 2003 8:57 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] How do I block this...what

RE: [Declude.JunkMail] How do I block this...what is best way?

2003-09-16 Thread Kami Razvan
@beefymailer.net has been in our Blacklist since 6/13/2003. We refuse connection if that address is used in the mail- in other words this is in our kill list at Imail level. Regards, Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bridges, Samanth

[Declude.JunkMail] How do I block this...what is best way?

2003-09-16 Thread Bridges, Samantha
I have been seeing more and more Junk Mail in the past few weeks. Here are headers from a junk message I am getting. I am afraid to block anything individually and I don't feel comfortable using the weighting. Declude Junk Mail runs great right out of the box, however I know I am going to have

RE: [Declude.JunkMail] What do I do about this?

2003-09-16 Thread David
Filter the body and header for .naturalherbal.biz -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stanley Lyzak Sent: Tuesday, 16 September, 2003 15:28 To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] What do I do about this? I have to admit, the level

Re: [Declude.JunkMail] What do I do about this?

2003-09-16 Thread Joshua Levitsky
I think Matthew's GIBBERISH test he posted to the list would catch that. Also the address "naturalherbal.biz" you could add to a URL filter using filter file. Make sense? On Sep 16, 2003, at 8:28 AM, Stanley Lyzak wrote: I have to admit, the level of help I get from this forum is great! We

[Declude.JunkMail] What do I do about this?

2003-09-16 Thread Stanley Lyzak
I have to admit, the level of help I get from this forum is great! Well, I have a tough one (for me) Here is an email that I have no clue how to filter for (with the exception of the domain name at the end- but these constantly change). If you ignore what is between the brackets <>, it's an

[Declude.JunkMail] Character set/unicode testing?

2003-09-16 Thread Mark Smith
Is there any way to filter based on character set, code page, etc? I'm getting swamped with tons of Cyrillic spam lately and it's passing my RBL's recently. I can't filter by code word or phrase and the MAILFROM field is random. Any thoughts? Here's a sample -0- ETOpJa8Lj9twl9fIQ Продам или сда

RE: [Declude.JunkMail] Fwd: Verisign's New Change and Outdate RBL's

2003-09-16 Thread Keith Anderson
That could end up being one of the better tests. Thanks. > -Original Message- > From: Bill Landry [mailto:[EMAIL PROTECTED] > Sent: Tuesday, September 16, 2003 1:09 AM > To: [EMAIL PROTECTED] > Subject: Re: [Declude.JunkMail] Fwd: Verisign's New Change and Outdate > RBL's > > > Yep, th

Re: [Declude.JunkMail] Fwd: Verisign's New Change and Outdate RBL's

2003-09-16 Thread Bill Landry
Yep, that's correct, and probably not a good thing. I have been using an rhsbl test, and it appears to be doing what it should--that is, query DNS with the return address and if it comes back with 64.94.110.11, add weight to the message. Here is what I am using: VERISCAMrhsbl.64.

RE: [Declude.JunkMail] Fwd: Verisign's New Change and Outdate RBL's

2003-09-16 Thread Keith Anderson
The result would always be the same: 64.94.110.11 so you would tag every message as spam. Right? -Original Message- From: Joshua Levitsky [mailto:[EMAIL PROTECTED] Sent: Monday, September 15, 2003 10:47 PM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Fwd: Verisign's New Change and