Here are the headers... How can this be caught with Declude??
12:05 00:32 SMTPD(06E400CC) [0640] mail.fanosa.com VALIDATION: (MAIL
FROM) mail.fanosa.com FAILED to validate MAIL FROM address
[EMAIL PROTECTED]
12:05 00:32 SMTPD(06E400CC) [0640] mail.fanosa.com VALIDATION: (MAIL
FROM)
In a filter file:
HEADERS (weight) CONTAINS X-IMAIL-SPAM-INVALIDFROM
Imail is checking to see if the sender exists and places that into the
header. (If you have Imail configured to add headers.)
HOWEVER, this does not work for @yahoo.com addresses.
John Tolmachoff
BTW,
I forwarded this issue to a colleague, Sue Moser of Slipstick Systems
http://www.slipstick.com and Windows magazine contributor.
Mark
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R.
Scott Perry
Sent: Thursday, December 04, 2003 2:19 PM
To:
I'm assuming that this only happens with Outlook 2003 used with a
non-Exchange (POP3/IMAP/SMTP mode)?
Here are two headers from Outlook 2003 installed by Office 2003 Pro
Microsoft Volume Licensing (not OEM)
From Outlook/MAPI via Exchange 2003
-0-
Received: from us-inboundmx.blank.com
Hi;
I am still a little shaky on what END does.
If we have a filter file and have the following line - lets say on line 1:
HEADERS END CONTAINS X-IMAIL-SPAM-VALREVDNS
If this condition is met then the filter will exit? So anytime an END
condition is satisfied the
Declude MAILFROM test check only the domain on the MAILFROM address
But we receive a lot of SPAM with MAILFROM like this: [EMAIL PROTECTED]
Since hotmail.com is a valid domain, the message passes the test.
Is there a test like the MAILFROM test of IMail that checks that the
user really exists on the
I am still a little shaky on what END does.
If we have a filter file and have the following line - lets say on line 1:
HEADERS END CONTAINS X-IMAIL-SPAM-VALREVDNS
If this condition is met then the filter will exit?
Correct.
So anytime an END condition is satisfied
I installed a full retail copy of Office 2003 Professional and I have the
same issue. Missing headers.
Tyler
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mark Smith
Sent: Friday, December 05, 2003 5:48 AM
To: [EMAIL PROTECTED]
Subject: RE:
- Original Message -
From: Jeff Pereira [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, December 05, 2003 9:26 AM
Subject: Re: [IMail Forum] November 2003 Spam Statistics
Scott -
Is it possible to post the configuration files for Declude Junkmail that
were used to produce the
Hello, All,
Has anyone noticed in the last few days that the IP addresses of a lot of
legitimate e-mailers are showing up on SPAMCOP's blocklists? Specifically
I've seen IP addresses for NYTIMES.COM, MICROSOFT.COM and MACROMEDIA.COM and
a few others. Does anyone think it's possible that
What can we do
when the likes of Amazon don't have reverse DNS?
==
X-Declude-Sender: [EMAIL PROTECTED] [12.32.32.130]
X-Declude-Spoolname: D938c00b8023227dd.SMD
X-Note: This E-mail was scanned filtered by Declude [1.77] for SPAM virus.
X-Weight: 57
X-Note: Sent from
Dan:
We made a decision a long time ago to whitelist REVDNS of all the folks you
had listed.
We now have two REVDNS negative files.
1: Whitelist as entered in the Global.cfg (I only hope one day Scott moves
these entries to their own files).
2: Negative reverseDNS files that adds negative
Kami:
I've been taking a look at your configuration files every few weeks and
based on what I saw there a couple of months ago, I also started
WHITELISTing based on Reverse DNS and HELO a few months back. So there's
probably many I'm not seeing as flagged by SPAMCOP because of the whitelist.
It
Am I correct that you can only add 100 WHITELIST entries to the GLOBAL.CFG
file? Is that 100 each for REVDNS and HELO or 100 total? Is there anyway
to go past that limit and/or else offload those into a separate file?
Actually, it's a limit of 200.
The WHITELIST FROM entries can be offloaded
Yes...
Like a filter file:
REVDNS -20 ENDSWITH .amazon.com
I put the period before Amazon to just make sure no funky domain like
.spamamazon.com can get through.
Regards,
Kami
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
Hi Dan,
I've only seen one FP from SpamCop in the last week. I routinely see email
sent by legitimate firms get tagged as spam, but usually
these firms are using third party mailers to send information.
Burzin
At 09:10 AM 12/5/2003, you wrote:
Hello, All,
Has anyone noticed in the last few
Do what I do. I have
a rule defined that subtracts the points my REVDNS rule adds, and put the
domains I need to get through in that list. Kind of clunky and man-power
intensive, but it works for me. I couldn't imagine doing it for hundreds
of domains
Karl Drugge
Hi, Scott,
If I am using...
WHITELIST REVDNS .ebay.com
or
WHITELIST HELO .mail.yahoo.com
entries in my GLOBAL.CFG can those also be offloaded into a separate file?
Or does it just apply to WHITELIST FROM entries contained in GLOBAL.CFG?
Thanks,
Dan
- Original Message -
From: R.
Ok, I didn't notice how easily spam could pass this test.
Thanks Scott.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Friday, December 05, 2003 6:00 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] MAILFROM like Imail Test..
Yes...
Like a filter file:
REVDNS -20 ENDSWITH .amazon.com
I put the period before Amazon to just make sure no funky
domain like .spamamazon.com can get through.
Hmmpfff
I hoped already that that could be a reason for unlimited IPBYPASS
entries... ;-)
Markus
I want to use Sniffer to whitelist messages that would fail other
Declude tests, not just Sniffer alone AND I want to retain the
original Sniffer failure code if the message did fail Sniffer.
So here's where I'm headed.
Keep my single Sniffer weighted test for spam detection and add this
Hello, All,
I am trying to learn a little bit about the ROUTETO action and I can't seem
to get it to work as expected. I am using DJM Pro.
My current DELETE weight is 40. In the per-domain $default$.junkmail
files for two of my highest spam volume domains I changed the action from
DELETE to
Kami,
What is the name of the filter file that you have entries of those type in?
Thanks,
Dan
- Original Message -
From: Kami Razvan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, December 05, 2003 10:51 AM
Subject: RE: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses
Scott,
Do you have plans to offer offloading for WHITELIST HELO and WHITELIST
REVDNS?
Thanks,
Dan
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, December 05, 2003 11:07 AM
Subject: Re: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses
I'm not sure if everyone has heard, but IronPort bought SpamCop. It's
likely that they're fiddling with it. There's an article on Slashdot from
Wednesday about it.
http://yro.slashdot.org/article.pl?sid=03/12/03/2016218mode=threadtid=111tid=126tid=137tid=187
Personally, After seeing so many
Do you have plans to offer offloading for WHITELIST HELO and WHITELIST
REVDNS?
Not at this time, simply because we can't envision there being a need for
200 such entries. :)
However, the WHITELIST limit is something that comes up frequently, so it
is quite possible that more changes will be
As a test I switched the address listed after the ROUTETO action from
myuser@hotmail.com to one of the e-mail addresses I have on the local
IMail server, [EMAIL PROTECTED], and the ROUTEd spam started showing
up immediately.
What version of Declude JunkMail are you running (\IMail\Declude -diag
Hello, Scott,
We are running Declude v1.75.
Any ideas?
Thanks,
Dan
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, December 05, 2003 12:25 PM
Subject: Re: [Declude.JunkMail] ROUTETO Not Working
As a test I switched the address listed
Dan:
FILTER-REVDNS filter C:\IMail\Declude\Filters\IMail_Filter_REVDNS.txt x 0 0
This is our Global entry for the file.
Regards,
Kami
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
Sent: Friday, December 05, 2003 12:00 PM
To: [EMAIL
I must have missed something along the way. What is externalplus?
Bill
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, December 05, 2003 9:06 AM
Subject: Re: [Declude.JunkMail] Multiple Actions/ExternalPlus/Sniffer
Based on my reading
I must have missed something along the way. What is externalplus?
It's a test type that lets you run an external test that can do more
than a standard test. Instead of returning an exit code that designates
pass/fail or a weight to use, it can return codes to tell Declude JunkMail
to do
Nevermind, guess I should have checked the manual before sending... ;-)
Bill
- Original Message -
From: Bill Landry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, December 05, 2003 9:48 AM
Subject: Re: [Declude.JunkMail] Multiple Actions/ExternalPlus/Sniffer
I must have missed
We are running Declude v1.75.
Any ideas?
The next step would be to check the IMail SMTP log file to see what it says.
If that doesn't provide enough information, the debug mode would be the
next step.
-Scott
---
Declude JunkMail: The advanced
This mystery turned out to be postmaster error. We had white listed our own domain
name (I know some
people don't think that's a good idea), and neglected to include the @ symbol. So
incoming mail
appeared to be white listed because a spammer was sending us garbage from
[EMAIL PROTECTED]. I'm
v1.75
~Brad
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Thursday, December 04, 2003 5:55 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Help with 'fromfile'
And this in junkmail_blockedsendrs.cfg:
sweet-n-sour.com
And this in junkmail_blockedsendrs.cfg:
sweet-n-sour.com
domain (@cooldude.sweet-n-sour.com) sends spam
I do see BLOCKEDSENDERS firing for other things, but not for this. I'm
assuming my error is in junkmail_blockedsenders.cfg, right? Should I
change it to @cooldude.sweet-n-sour.com and
Hello David,
Friday, December 5, 2003, 11:44:41 AM, you wrote:
DS 3. Anyone see any problems with this scenario?
Ok, I'll answer my own question. In thinking about this more, this
isn't going to work.
If I recode my rule base to return a 1 instead of 0 on whitelist, then
the original sniffer
Hello,
Is anyone familiar with a product called Spam Lion. It's too pricey for my
organization, but it seems to do the following:
Upon receipt of incoming email it checks to see if the sender is
authorized. If the sender is authorized, the message is passed along to
the intended
I read through the new Junkmail manual (I know, shocking).
This line in the manual prompted this question:
Note the file you use with the WHITELISTFILE option does NOT use the same
format as the WHITELIST entries in the global.cfg file.
Does the WHITELISTFILE option support subdomains? i.e.
Is anyone familiar with a product called Spam Lion. It's too pricey for
my organization, but it seems to do the following:
Upon receipt of incoming email it checks to see if the sender is
authorized. If the sender is authorized, the message is passed along to
the intended recipients. If
Actually what Chris was *supposed* to say was that the gateway version of
Alligate does a much better job than the Declude version, not Declude itself.
The Declude version is now outdated and had not been updated for several
months. The Declude version was not dumped however it is not currently
Brian wrote -
The new test platforms will allow us to move some domains out of the normal
loop and we will be able to update the
Declude version again (shortly we hope).
For those of us who use the Declude version of Alligate (alongside Sniffer)
we hope that's soon! It is great having two
Upon receipt of incoming email it checks to see if the sender is
authorized. If the sender is authorized, the message is passed along
to the intended recipients.
PLEASE RECONSIDER..
Challenge response systems are killing us ..
Your users will lose a lot of email, especially if they shop
Hi;
We just got the
following: - a Phishing attempt.
Actually quite
interesting.. I clicked on the link to see where it goes. It goes to the
actual Visa site but a small window pops up and asks for your visa and various
other info for verification.
If only they could
use their talents
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, December 05, 2003 2:18 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] November 2003 Spam Statistics
snip
our gateway now handles all incoming mail and there is no
Combined with a weighting scheme it IS a worthwhile option.
Currently, our options are BOUNCE (or now that ridiculous renamed version
of the same action) - which means a FALSE positive will receive a notice and
now has to contact us manually to address the false positive status.
Or we DELETE -
Sorry - I really don't see why this is not a highly desirable feature and
how this would create spam that the WARN or BOUNCE action don't
generate already!?
It doesn't create more spam than BOUNCE -- it creates the exact same
amount. But that's the problem. Instead of 1,000 E-mails to you
I'm not sure I'm following you... but I think what you might need is an
additional license. Suppose you create one rulebase that will contain only
your white rules. Then leave the normal sniffer rulebase alone. The small
rulebase with the white rules will be so small as to require nearly no
Kami,
I noticed that the [EMAIL PROTECTED] filter got tripped without the @LINKED
filter. Please download a more recent copy from my site. This
obviously shouldn't be happening.
Matt
Kami Razvan wrote:
Hi;
We just got the following: - a Phishing attempt.
Actually quite interesting..
I didn't know that concept was patented. It seems pretty old to me-- halt
who goes there?
Anyway I did some research, and here's what I found:
Here are some links... read if you are interested:
http://www.cleanmymailbox.com/mailblocks.html -- links to patent
infringement issue
Patent Number?
Many patents exist and seem to be broad. But often, upon close
examination, the claims may be much narrower than the casual reader
appreciates. Also, one has to look at the patent file wrapper to determine
the outcome of prior art searches to see if subsequent communication
FYI, I have filters set to look for those challenge/response messages and
add a high weight. :)
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of Burzin Sumariwalla
Sent:
Patent Number?
6,199,102. To view it, you can go to
http://patft.uspto.gov/netahtml/srchnum.htm and enter 6,199,102 there.
For a bit of background, you can go to
http://www.bayarea.com/mld/mercurynews/business/columnists/tech_test_drive/5565050.htm
ms may be much narrower) than the casual
This just needs to be tested in court I would imagine. The patent
office has been known to issue patents recently on things such as
swinging on a swing and peanut butter and jelly sandwiches. This
doesn't sound like it is revolutionary in any way shape or form and it
is quite easy to develop
Actually what Chris was *supposed* to say was that the gateway version of
Alligate does a much better job than the Declude version, not Declude
itself.
Thanks for the clarification Brian.
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
---
[This E-mail was scanned for viruses by
This is great news, Brian! Thanks for continuing to support the Declude
version of Alligate.
Bill
- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, December 05, 2003 11:18 AM
Subject: RE: [Declude.JunkMail] November 2003 Spam Statistics
Actually what
Scott,
In my initial post about this issue in the section with the entries from the
Declude log file the last entry is...
12/05/2003 11:21:24 Qb07f13c Last action = IGNORE
Does that have anything to do with the fact that the message is not being
sent over to my Hotmail account? If so, can you
Hi,
I guess it's worthwhile to see how Earthlink's prior art defense (e.g.,
http://news.com.com/2010-1032_3-1003921.html) will hold up. I wouldn't
write off this concept, yet. I've seen these kind of thing pop up and
eventually die more than once (but, certainly, sometimes software patents
turn
Oh forgot to add:
http://www.spamwolf.com/patents/prior_art.html -- prior work on c/r.
Burzin
At 02:29 PM 12/5/2003, you wrote:
But, the ultimate challenge is the patent. That means that it would
require either [1] paying royalties to the guy that bought the patent, or
[2] challenging the
Here are the stats for Tuesday. Wednesday and Thursday we were testing some
things, and the stats were skewed. This was for our main solidoak.com domain mail
server (general business, not tech support). Our tech support server lets more
spam through, however we can only do limited header type spam
In my initial post about this issue in the section with the entries from the
Declude log file the last entry is...
12/05/2003 11:21:24 Qb07f13c Last action = IGNORE
Does that have anything to do with the fact that the message is not being
sent over to my Hotmail account? If so, can you tell why
Scott:
it would require either [1] paying royalties to the guy that bought the
patent, or [2] challenging the patent.
Actually - NO.
The preferred (3rd) option is to obtain a limited, but FREE license (or a
$1.00 or other minimal fee) license to use the patented methods. The terms
of the
Hi Scott:
I understand - no sense getting involved until EarthLink has invalidated
most of the claims.
I think this is a key quote:
Mailblocks' Goldman admits that there were prior publications, but argues
that at least some portions of his patents remain valid. The patents have
very specific
sarcasm
I love challenge-response systems. They create revenue opportunities for
knowledgeable IT professionals, and they make sure there isn't any unused
bandwidth, especially when two challenge-response systems somehow lose track
of each other and send millions of emails back and forth between
Check out these received lines:
Received: from h24-87-101-24.vs.shawcable.net [24.87.101.24] by
mail.bentall.com
(SMTPD32-8.02) id A3A4A8B007C; Thu, 04 Dec 2003 22:20:20 -0800
Received: from ebay.com (lore.ebay.com [66.135.195.181])
by h24-87-101-24.vs.shawcable.net (Postfix) with ESMTP
Your users will lose a lot of email, especially if they shop online.
Again - with a weight-based system, they would not lose any email - as long
as the online shop manages to stay off black-lists, has a valid RDNS, has a
valid Hostname, etc. Assuming it's tied to a weight-based system, I see
Andrew,
I think you have a very good idea, in fact, all negative weight tests
should probably be limited to just the last hop since they are typically
designed to only apply to the last hop.
It might be a good idea for Scott to limit BONDEDSENDER to the last hop
by default, and maybe give us
Didn't think of that one. I guess this goes to the design of the system
though, and the fact that some clearly haven't considered the looping
potential.
Matt
Keith Anderson wrote:
sarcasm
I love challenge-response systems. They create revenue opportunities for
knowledgeable IT professionals,
Aha! Another one hasn't been sent yet, but I think I see it already:
12/05/2003 14:17:34.980 Q03fd3cc fromfile: Starting BLOCKEDSENDERS
12/05/2003 14:17:34.980 Q03fd3cc fromfile: Done with BLOCKEDSENDERS [2 lines
processed]
I had three lines, but only two carriage return line feeds. I think I've
Negative weights on last hop only?
How would that affect a gateway (or e-mail that goes to a backup mail
server)?
Rob
I also think that one needs to examine the purpose of the email system
before using this or any other anti-spam technique.
I think it works well for specific organizations. For example, I found out
about the product because I tried to contact one of
my vendors and was presented with the need
I meant negative weights on last hop for the RBL's. There are only a
few popular ones out there. Gateways should be IPBYPASsed.
Matt
Robert Grosshandler wrote:
Negative weights on last hop only?
How would that affect a gateway (or e-mail that goes to a backup mail
server)?
Rob
---
Rob,
Your backup and gateways should have IPBYPASS entries in the GLOBAL.CFG.
The BONDEDSENDER should be the originating Server and that should be what's
used for this test.
I discontinued use within a few days since it was letting spam through with it
and there were other ways to handle the
I have a client that insists on trying these silly challenge-response tricks
and gets caught into that trap all the time. I don't know why, but he'll
wake up one morning and decide to install one of those utilities on all of
his company's workstations. He forgets that his mail server is set up
-To: [EMAIL PROTECTED]
Subject: At No Cost to you - Let our online advisors help you
X-MimeOLE: Prodigy Compatibility V 4.f416b237 or later
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 363570087
--- IMail Log ---
20031205 184256
George,
The suggestion by Andrew to rename the test BONDEDSENDER-DYNA would
definitely prevent it from scanning prior hops. I find this test to be
useful as it is IP based and helps some very important E-mail that tends
to have issues with several major RBL's. I haven't started to scan on
Matt,
I do scan multiple hops.
George
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Matthew Bramble
Sent: Friday, December 05, 2003 7:14 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] The first time BONDEDSENDER
didn't work for me
Scott:
Would it be possible to indicate why an email is whitelisted in the headers?
Like:
Whitelisted(Auth)
Whitelisted(Auto)
Whitelisted(CFG)
Whitelisted(File)
This would make it easier to determine why an email is whitelisted.
Sincerely,
J.D. Springer
to 1.76i28-30. Unlike
some others that I have noted in the past, I am using IMail 7.15
Hotfix 2, so it doesn't seem related to IMail 8.
This is getting scary. It looks like there is a serious bug in IMail
v7 and v8 that is just starting to be discovered:
--- IMail Log ---
20031205 184256
That's why you should name it BONDEDSENDER-DYNA and why it doesn't
matter on my system.
The trick here is that Declude will skip over the DNS-based tests on
anything beyond the first hop if the name has DUL or DYNA in it.
Someone else is using CBL-DYNA in order to keep that test from throwing