Ok, I set up a test using SPAMDOMAINS functionality as was described in
this thread. It just caught two E-mails, however both were not
actually forged, but instead the HELO From address included a long
string for list washing of bounced addresses. One of these is in
Bill's list in fact:
Rece
I have seen a COUNTRY test mentioned on the list. It references the
%countrychain% variable.
How is this test implemented? What does it do? How do I get the countrychain
variable to appear in the header (mine appears blank).
Thanks,
Scot
---
[This E-mail was scanned for viruses by Declude Viru
I actually missed a whole bunch of stuff that also would have FP'd on
this. Cox in many cases and Earthlink among others are blocking
outbound port 25, so customers using these services for access which
are mailing to other customers on my server would FP on both the
SPAMDOMAINS and MAILFROM f
Bill,
It depends on your customer makeup. My FP rate with a MAILFROM filter
would be close to 90% if not more because of several sites that are
configured to send form submissions as being an account from the same
domain. SPAMDOMAINS would be a better test because the Web sites and
domain bas
Ditto,
Bill. In my traffic, I see that fakes of my domain name in the mailfrom
are quite common, so a weight towards the message being spam is very useful to
me. In the last week, this mailing list has been consumed by a search for
a perfect test... but there ain't one.
I
We whitelist the IP address of any system we permit
to relay through our IMail server, and all of our customers either use SMTP Auth
or we whitelist their IP address space. So the only time we have seen a
problem is with some mailing lists and e-card services, which we accommodate via
filteri
No problems here..
Jeff Kratka
*
TymeWyse Internet
P.O.Box 84 - 110 Ecklund St., Canyonville, OR 97417
tel/fax: (541) 839-6027 - [EMAIL PROTECTED]
*
-Original Message-
From: [EMAIL P
It's reachable from here...
Darrell
Kevin Bilbee writes:
I am trying to get to the manual.
Is the declude website down?
Kevin Bilbee
Network Administrator
Standard Abrasives, Inc.
[EMAIL PROTECTED]
(805) 520-5800 x7332
Changing the way industry works.
I am trying to get to the manual.
Is the declude website down?
Kevin Bilbee
Network Administrator
Standard Abrasives, Inc.
[EMAIL PROTECTED]
(805) 520-5800 x7332
Changing the way industry works.
---
[This E-mail was scanned for viruses by Declude Virus (http:
Bill,
It's because it is very rare that you see spam faking your address,
0.1% from a recent test, and much more common that false positives will
be created as was noted. I was able to monitor this behavior because
unfortunately the DYNAMIC filter catches but doesn't score intra-server
domain
- Original Message -
From: Matthew Bramble
> I highly recommend not filtering the fake MAILFROM for your local domains.
Why not? I don't actually do this, rather I use SPAMDOMAIN instead. But I
don't see a problem doing it with MAILFROM in a filter file either.
Bill
---
[This E-mail
X-Declude-Note: Domain lists.msnbc.com has no MX or A records.
There is now a new interim release 1.76i1 at
http://www.declude.com/release/176i/declude.exe that takes care of this
issue (which would occur for hosts with no MX record, but that do have an A
record, but that A record is sent with
Scott,
I never ever thought this was a problem with Declude. I assumed it was
something that I honestly had done on my end to cause this. I just want to
know how to fix it as I have a client who is acting like they are maybe 3,
no wait too old, 2.
Thanks Matt,
Darryl
-Original Message--
Does the new Declude poll every time to your box to see what is forging
and what is not or does it keep a cache?
It polls every time a virus is received.
(Just thinking about your bandwidth and also if.. g-d forbid... your
network connection goes down.)
However, if our server can't be reached,
Just to follow-up in case it helps Andy in the event he is unfamiliar
with the setting. I used to get a lot of calls when Microsoft started
blocking all executable attachments by default with Outlook Express 6.
In Microsoft Outlook Express:
Tools > Security > Uncheck: "Do not allow attachments
Hi Scott:
Here is the debug log and the full headers of an affected email. It clearly
shows that the mail fails your "VeriScam" test:
09/19/2003 15:20:15.287 Q56ec00f1016e71bc Test #17: MAILFROM [envfrom] - may
skip
09/19/2003 15:20:15.287 Q56ec00f1016e71bc Doing envfrom type test on
mail.matche
Scott,
Does the new Declude poll every time to your box to see what is
forging and what is not or does it keep a cache? (Just thinking about
your bandwidth and also if.. g-d forbid... your network connection goes
down.)
-Josh
On Sep 19, 2003, at 8:21 AM, System Administrator wrote:
on 9/19/
on 9/19/03 1:55 PM, R. Scott Perry wrote:
o Adds a bypasswhitelisting test type that can be used in rare
>> cases when whitelist bypassing is necessary. <<
>>
>> Used where and how?
>
> Used only as a last resort. :)
Here's how we use it and why.
We're an ISP and we allow users
I have an attachment filter that adds score when something is received
attached but not inline. The problem with this is that it also helps
viruses get through spam blocking (I plan on improving this). The
filter is simple:
BODY -5 CONTAINS content-disposition: attachment
I have occ
I am having a real problem with clients not getting attachments. Is there a
test I can do that will help with this?
There are a lot of reasons for this, but usually it is not caused by
Declude. The first step is to check the log files, to see where the E-mail
was blocked, or whether it was actu
X-Declude-Note: Domain lists.msnbc.com has no MX or A records.
I've reproduced this one here. I'm going to do some research to see why
this is happening.
-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declud
Hi,
I have XSENDER OFF.
Instead I use:
XINHEADER Return-Path: <%MAILFROM%>
I don't have EnvFromStrict.
Best Regards
Andy Schmidt
H&M Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206
Didn't I read here somewhere that whitelisting one's own IP is a bad thing?
Whitelisting your IPs is fine, *if* untrusted mail won't be coming from
them. So you should not whitelist a backup mailserver (unless it does its
own spam control, and you are happy with it), but you can whitelist clien
MAILFROM 20 ENDSWITH wcnet.net
wouldn't prevent my customers from sending mail to each other?
G.Z.
- Original Message -
From: Colbeck, Andrew
To: '[EMAIL PROTECTED]'
Sent: Friday, September 19, 2003 1:09 PM
Subject: RE: [Declude.JunkMail] blo
Didn't I read here somewhere that whitelisting
one's own IP is a bad thing? Is that required in combination with the HELO
filter? And the HELO filters work because my mail server should
never be connecting to itself . . correct?
G.Z.
- Original Message -
Fro
I am having a real problem with clients not getting attachments. Is there a
test I can do that will help with this?
Darryl Koster
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, jus
Am I mistaken - or did the MAILFROM used to permit EITHER an MX OR an A
record?
Suddenly, I see LOTS of mail being held, because of mailfrom failures:
X-Declude: Version 1.76; D3f8a026a02001aec.SMD from mailer390.marist.edu
[148.100.80.47]
X-Declude: Triggered MAILFROM, IPNOTINMX [-3]
Return-Path
Scott:
X-Declude-Note: Domain lists.msnbc.com has no MX or A records.
Sure does:
> lists.msnbc.com.
>Non-authoritative answer:
>lists.msnbc.com internet address = 207.46.169.42
Yet - Declude fails the MAILFROM test!
X-Declude: Version 1.76; D499f047e01827d13.SMD from lists.msnbc.com
[207.
I get more valid E-mails faking the from to look like it's from one of
my users than I get in actual spam that is doing this. In a recent
test of 5,530 unique incoming messages, only 6 spammers tried to look
as if it was coming from my server, that's only 0.1%. It all failed as
well.
I high
So, if I use:
BYPASSWHITELIST bypasswhitelisting 20 0 0 0
it will not whitelist any mails if the weight is 20 (our kill weight) or
more and the mail has any number of recipients or no recipients?
That is correct.
-Scott
---
Declude JunkMail: Th
Uh - cool feature.
Currently I have a certain receiving Postmaster account whitelisted (so that
the occasional false positive can alert us after we sent them a BOUNCE or
ALERT) - which means it gets 80% spam.
The "real" false positives are seldomly more than a few points over our
"BOUNCE" or "ALE
Hi Scott:
Am I mistaken - or did the MAILFROM used to permit EITHER an MX OR an A
record?
Suddenly, I see LOTS of mail being held, because of mailfrom failures:
X-Declude: Version 1.76; D3f8a026a02001aec.SMD from mailer390.marist.edu
[148.100.80.47]
X-Declude: Triggered MAILFROM, IPNOTINMX [-3]
I should add:
If you want to go the extra mile and say:
MAILFROM 20 ENDSWITH wcnet.net
Then you'll find that works great against spammers who fake their mailfrom address so it looks
like your own name (or say, [EMAIL PROTECTED] while trying to send to you!), but:
You'll a
>> o Adds a bypasswhitelisting test type that can be used in rare
cases when whitelist bypassing is necessary. <<
Used where and how?
Used only as a last resort. :)
It can be defined with a line such as "EMERGENCYBYPASS bypasswhitelisting
60 3 0 0". The 60 refers to the weight the E-m
According to external DNS, you only have one mail host.
For starters, you can whitelist your own IP. And if that server is the only machine of yours
that is going to identify itself as wcnet.net,
HELO 20 ENDSWITH wcnet.net
should do nicely until someone called mail.n
>> o Adds a bypasswhitelisting test type that can be used in rare
cases when whitelist bypassing is necessary. <<
Used where and how?
Best Regards
Andy
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail m
How do I reliably block this kind of thing?
Can my own domain be added to the SpamDomains list? I've replaced the
recipient address with [local-user] in the headers below, but it was the
same valid local user account on all parameters. 138.89.104.227 is
not one of my IPs.
Glenn Z.
R
It might be easier to get them to act as a secondary for your reverse
DNS. ISPs don't typically like to delegate control of such things.
It works just as effectively and DNS's auto notification features allow
my changes for instance to be published immediately to the ISP's
authoritative DNS
Filter list for what?
I have 9 different filter lists that are very effective. Each serves a
different function.
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> [EMAIL PROT
We have just released Declude Virus v1.76 (beta). See
http://www.declude.com/junkmail/manual.htm . Notable changes since the
last beta include:
o Adds a bypasswhitelisting test type that can be used in rare
cases when whitelist bypassing is necessary.
o Fixes a rare issue with
I finally got this figured out.
What I needed to do was have my ISP delegate control of my subnet to our
server.
Easy enough but I guess I wasn't fully aware of their settings to see what
was going on in order to
come to this conclusion.
Thanks for the help.
- Original Message -
From: "R
Does anyone have what has proven to be an effective filter list (ie
myfile.txt) that seems to be working? I could really use the help.
Chris Butler
Internal Systems Engineer
Region VI ESC
phone 936.435.8276
fax 936.295.1447
[EMAIL PROTECTED]
---
[This E-mail scanned for viruses by Declude Virus]
I have email coming from sprintpcs that can come from several domains.
I have
sprint.
sprintpcs.com .sprintip.net
So that will take care of sprint matching sprint, and sprintpcs.com
matching mail from .sprintip.net
But need to add a third possible domain of .lightsurf.net
Unfortunately, that i
First of all, I am noticing an increase in the amount of spam getting
through. I blocked weight 10 yesterday but am still receiving spam.
Doesn't seem like blocking weight 10 did much. Here are headers from
one of the many spam messages. How do I go about blocking this? I seem
to be getting a
Question about the spamdomains.txt file
I have email coming from sprintpcs that can come from several domains.
I have
sprint.
sprintpcs.com .sprintip.net
So that will take care of sprint matching sprint, and sprintpcs.com
matching mail from .sprintip.net
But need to add a third possible dom
Will the recipient and postmaster then show the sender as FORGED?
No, but that will likely be added.
Since we had a list of the forged in the virus.cfg.
1: Can we delete all the skipifvirus lines in the .eml files?
2: Can we delete all the forged entries in the virus.cfg?
I would recommend kee
Hello.
First of all, I am noticing an increase in the amount of spam getting
through. I blocked weight 10 yesterday but am still receiving spam.
Doesn't seem like blocking weight 10 did much. Here are headers from
one of the many spam messages. How do I go about blocking this? I seem
to be get
on 9/19/03 7:51 AM, R. Scott Perry wrote:
>> One thing that would be nice is if we could put a DONOTSENDTOFORGINGVIRUS in
>> our config or .eml files and if Declude Virus sees a forging virus it would
>> not send the warning messages automatically. That way we wouldn't have to
>> manually update w
"You can add a line "SKIPIFFORGING" to any of the \IMail\Declude\*.eml"
Scott:
Will the recipient and postmaster then show the sender as FORGED?
Since we had a list of the forged in the virus.cfg.
1: Can we delete all the skipifvirus lines in the .eml files?
2: Can we delete all the forged en
One thing that would be nice is if we could put a DONOTSENDTOFORGINGVIRUS in
our config or .eml files and if Declude Virus sees a forging virus it would
not send the warning messages automatically. That way we wouldn't have to
manually update what is a forging virus in our files.
Already done. :)
on 9/18/03 9:38 PM, R. Scott Perry wrote:
>> Thanks a bunch for both new features. Are you planning on doing anything
>> in the future with the IP's that you are collecting, i.e. new
>> functionality like creating a blacklist? Or is this just being done to
>> facilitate that test?
>
> We haven'
Interesting points,
There's a name for industries where more than one supplier isn't practical: natural
monopoly. I can't recall a single example where a natural monopoly improved after
privatization. In economics terms, systems for maximizing profit (capitalism) don't
work with systems where
Darryl,
You can run Declude on its own server in front of clients' email servers, as a
gateway. Only external email then gets scanned for spam.
Dan
On Thursday, September 18, 2003 8:01, Darryl Koster <[EMAIL PROTECTED]> wrote:
>
>
>The hosting business I run deals mainly with business and I
53 matches