David,
It should have. Do you also have an entry in the $default$.junkmail
file as well? I would bump your logs up to debug for a quick couple of
seconds to verify indeed the test is being called.
The other thing is if 66.135.209.210 did not resolve on your system you
would not get a hit
Are being caught as spam ... I have in file I call REVDNSFILE
REVDNS -99 ENDSWITH .ebay.com
In addition to what Darrell suggested about putting the log into debug, make
sure there is no space after .com in your filter.
John T
---
This E-mail came from the Declude.JunkMail mailing list.
, September 06, 2007 6:41 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Interesting Spam
Well, the easy part is answering your question about the domains.
Each of the payload domains was registered today, so whatever service
you're using to look up the registrations is probably
Only SPFFAIL is recommended, as spammers may have SPF records. Also, since
many organizations are not using SPF, SPFUNKNOWN is not useful.
Here's how you declare it in your GLOBAL.CFG
SPFFAIL spffail x put your test weight here 0
I find that SPF is very useful, if for no other
PROTECTED] On Behalf Of Darin
Cox
Sent: Thursday, September 06, 2007 6:58 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Interesting Spam
I use a command line tool from www.whoisview.com that works well for both
domains and IP blocks.
Occasionally I run into a domain
Fixed. Tools are now located at http://tools.declude.com
David
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy
Schmidt
Sent: Thursday, September 06, 2007 12:30 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Knowledgebase Article has broken link
Well, the easy part is answering your question about the domains.
Each of the payload domains was registered today, so whatever service
you're using to look up the registrations is probably using a database
at least a day behind.
I use (for example) this site to my satisfaction:
.
- Original Message -
From: Colbeck, Andrew [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Thursday, September 06, 2007 7:40 PM
Subject: RE: [Declude.JunkMail] Interesting Spam
Well, the easy part is answering your question about the domains.
Each of the payload domains
Rename the hijack.cfg to hijack.cfg.txt. You will then need to stop and
restart the decludeproc service.
John T
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Gufler Markus
Sent: Tuesday, September 04, 2007 6:50 AM
To: declude.junkmail@declude.com
FYI, both SORBS and UCEPROTECT stopped mirroring APEWS due to the low
quality of the list.
Also, the SANS ISC recently diarized an issue with the APEWS using one
of their sources in a manner they do not recommend:
http://isc.sans.org/diary.html?storyid=3189
Andrew.
I'm interested in finding this out too - we had a few legit emails get caught
the last 2 days primarily due to the SPAMDOMAINS test coming from a
bellsouth.net address that went thru an ATT server
Randy A.
From: John T (lists) [EMAIL PROTECTED]
Sent:
1. The test in the global.cfg are ALWAYS run. The $default$.junkmail is just
the ACTION. WARN means to write additional information to the headers.
2. No.
3. The test will run but no specific action will take place as it will use
the per domain $default$.junkmail if the email recipient is of
Hi David,
Thanks for the quick reply. So basically, unless an action is
specified; either on a global, per domain, or per user basis; a test
will be run and whatever weight it has will be applied to the overall
weight of the email. Then, the only way that this test will have any
bearing is if I
7007 office
978.988.1311 fax
[EMAIL PROTECTED]
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean
Lawrence
Sent: Monday, August 27, 2007 11:01 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Process Flow
Hi David,
Thanks
:01 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Process Flow
Hi David,
Thanks for the quick reply. So basically, unless an action is
specified; either on a global, per domain, or per user basis; a test
will be run and whatever weight it has will be applied
@declude.com
Subject: Re: [Declude.JunkMail] Process Flow
Hi David,
Thanks for the quick reply. So basically, unless an action is
specified; either on a global, per domain, or per user basis; a test
will be run and whatever weight it has will be applied to the overall
weight of the email
Yes, it would be logged; the minimum setting for the logging would be LOW.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean
Lawrence
Sent: Monday, August 27, 2007 12:43 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Process Flow
Hi
PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean
Lawrence
Sent: Monday, August 27, 2007 12:43 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Process Flow
Hi Dave,
One last question regarding this; if no action is specified and an
email fails that particular test
Of John
Olden
Sent: Tuesday, August 21, 2007 3:39 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] ED Spam
My bad. When I pasted the expression into a tester I have, it failed because
of the line wrap after the d. Putting it all on one line works. Duh.
Thanks again,
John
$500? That's a steal. Website answered my questions.
--SJ
_
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marc
Catuogno
Sent: Wednesday, August 22, 2007 10:29 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] F-Prot 6?
Don't know
5000-5999
US$ 4499
Marc Catuogno
MIS Director
Prudential Rand Realty
845-825-8025
-Original Message-
From: SJ.Stanaitis <[EMAIL PROTECTED]>
Sent 8/23/2007 9:04:42 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] F-Prot 6?
v
Your powers of observation boggle the mind.
--SJ
_
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marc
Catuogno
Sent: Thursday, August 23, 2007 9:37 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] F-Prot 6?
So you have 100 users?
http
Apologies, long morning, no coffee yet.
Actually have about half that, but I like to keep things scalable.
Cheers,
--SJ
_
From: SJ.Stanaitis [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 23, 2007 9:53 AM
To: 'declude.junkmail@declude.com'
Subject: RE: [Declude.JunkMail] F
] On Behalf Of
SJ.Stanaitis
Sent: Thursday, August 23, 2007 9:53 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] F-Prot 6?
Your powers of observation boggle the mind.
--SJ
_
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marc
Catuogno
Sent
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] F-Prot 6?
$500? That’s a steal. Website answered my questions.
--SJ
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Marc
])
Sent: Thursday, August 23, 2007 10:29 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] F-Prot 6?
SJ,
Marc was only trying to help by pointing out that F-Prot has a different
licensing scheme for mail servers than client machines. At one time
F-Prot did not differentiate the two
Don't know - but it has a hefty price for legit use on a mail server unless
they have changed with the new version
_
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
SJ.Stanaitis
Sent: Wednesday, August 22, 2007 8:39 AM
To: declude.junkmail@declude.com
Subject:
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New Spam
Thanks :) Much appreciated.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
SJ.Stanaitis
Sent: Tuesday, August 21, 2007 9:57 AM
To: declude.junkmail@declude.com
Subject: RE
: [EMAIL PROTECTED] [ mailto:[EMAIL PROTECTED]
mailto:[EMAIL PROTECTED] On
Behalf Of David Barker
Sent: Wednesday, August 22, 2007 8:54 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New Spam
Updated filter line to:
(?i:(Click|login|link).{0,50} http://((?:25
http
Thanks :) Much appreciated.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
SJ.Stanaitis
Sent: Tuesday, August 21, 2007 9:57 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New Spam
Just something I've been meaning to say for a bit
Version 4.x has built-in AVG, which is an additional virus scanner; depending
on your previous virus configuration, this would be a good place to start.
David
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin
Stanford
Sent: Tuesday, August 21, 2007
What are your settings in your declude.cfg file. Are you still using
the same setting in that file from Version 3? Has your mail volume
increased?
Darrell
Kevin Stanford wrote:
Hi all,
Since upgrading to Declude Version 4 (from version 3) my processor has
really taken a hit (runs about
Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell
([EMAIL PROTECTED])
Sent: Tuesday, August 21, 2007 10:30 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Upgrade to version 4 causes processor to
skyrocket
What are your settings in your
Try this ...
(?i:\b(?!dick?)(m(\W?|_){0,3}e(\W?|_){0,3}g(\W?|_){0,[EMAIL PROTECTED])?(\W?|_){0,3}d(\W?|_){0,3}[|li1í!](\W?|_){0,3}[ck]{1,2}\b)
Will match on obfuscated dick (ie. D!ck) but NOT dick, can include mega
obfuscated.
David
-Original Message-
From: [EMAIL PROTECTED]
-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John
Olden
Sent: Tuesday, August 21, 2007 2:34 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] ED Spam
Better but it didn't take long for me to get another that won't pass
this test:
M eg ad ik
John Olden
David Ba
Which tester do you use?
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John
Olden
Sent: Tuesday, August 21, 2007 3:39 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] ED Spam
My bad. When I pasted the expression into a tester I have, it failed because
Expresso by Ultrapico.
http://www.ultrapico.com/Expresso.htm
I found an old copy of version 1 online and it's kind of old and a
little clunky but it does what I need it to do. Maybe I'll try v3
someday.
Another online tester I found today is located at
http://www.fileformat.info/tool/regex.htm
Looks right to me -
I use
WEIGHT-TAG-RVW1 COPYFILE X:\Review\
WEIGHT-TAG-RVW2 COPYFILE X:\Review\Low
Darrell
--
Check out http://www.invariantsystems.com for utilities for Declude,
Imail, mxGuard, and ORF. IMail/Declude Overflow Queue
: 1-866.332.5833 x7008
Fax: 978.334.0700
Email: [EMAIL PROTECTED]
- Original Message -
From: David Barker [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Friday, August 17, 2007 11:48 AM
Subject: RE: [Declude.JunkMail] Activate Declude
Email your smartermail key and host name so
Thanks for your kind compliment, Ruben!
If you have any further questions, please do not hesitate to contact me
either by email or call Toll free 1-866-332-5833 Ext.7008
Linda Pagillo
Technical Support Engineer | Declude
Your Email Security is our business
Office: 978.499.2933 x7008
Toll
Email your smartermail key and host name so [EMAIL PROTECTED] and we will
get you activated.
David Barker
VP Operations | Declude
Your Email Security is our business
O: 978.499.2933 x7007
F: 978.988.1311
E: [EMAIL PROTECTED]
-Original Message-
From: [EMAIL PROTECTED]
Hi Michael. To answer your questions...
If my BlackFilter.txt file is composed of lines like:
SUBJECT STOPALLTESTS CONTAINS China Business Directory
BODY STOPALLTESTS CONTAINS Evil Spammer
will the test return 500 points on a match and HOLD the email without
further processing of filters or
That's good news, David.
Thank you for supplying updates proactively.
Andrew.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of David Barker
Sent: Thursday, August 16, 2007 11:52 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail]
: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck,
Andrew
Sent: Thursday, August 16, 2007 3:14 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New All_list.dat 16 Aug 07
That's good news, David.
Thank you for supplying updates proactively.
Andrew.
-Original
Any more revisions to this filter?
Tuesday, August 7, 2007, 9:34:43 PM, David Barker [EMAIL PROTECTED] wrote:
1. Can you send the one that did not trigger?
2. If it did trigger the idea is to give the filter a base value ie.
SPAM-PDF filter path\SPAM-PDF.txt x 8
: Monday, July 02, 2007 12:35 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?
Create a filter eg FILTER-PDF.txt and use the following lines. Adjust your
weights accordingly. Also ensure you are running Declude 4.3.46
BODY 3 PCRE
Of David
Barker
Sent: Monday, July 02, 2007 12:35 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?
Create a filter eg FILTER-PDF.txt and use the following lines. Adjust your
weights accordingly. Also ensure you are running Declude 4.3.46
BODY 3
Sent: Tuesday, August 07, 2007 4:03 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?
From reports today looks like the filter needs to be updated. Can you send
me some examples as attachments.
David B
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED
David -
I sent you about 10 off-list.
Todd
_
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 4:03 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?
From reports today looks like the filter
This is not an easy one I will see what I can get done before I leave today.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 5:25 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?
David,
I just
Ok this should hold it over till I can look at it some more tomorrow.
David
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 6:45 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm
Thanks. I'll give it a try.
_
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 6:23 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?
Ok this should hold it over till I can look at it some
Thanks David. We'll (ok, I'll) give it a whirl!
Todd
_
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 6:23 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?
Ok this should hold it over
It didn't work.
_
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd
Richards
Sent: Tuesday, August 07, 2007 6:39 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?
Thanks David. We'll (ok, I'll) give it a whirl!
Todd
PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 8:02 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?
It didn't work.
_
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd
Richards
Sent: Tuesday, August 07, 2007 6:39 PM
this.
There are liable to be FPs, so I would weight this enough to hold, but not to
delete.
Darin.
- Original Message -
From: Todd Richards
To: declude.junkmail@declude.com
Sent: Tuesday, August 07, 2007 9:39 PM
Subject: RE: [Declude.JunkMail] New PDF worm?
I received one right away too. It did
: Tuesday, August 07, 2007 9:39 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?
I received one right away too. It did trigger, but with a weight of 5 it
wasn't enough to stop it from making it through. On the flip side, you have
to be careful that you don't stop
Did it trigger at all?
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 9:02 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?
It didn't work.
_
From: [EMAIL PROTECTED] [mailto:[EMAIL
No, didn't trigger at all.
_
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 9:33 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?
Did it trigger at all?
From: [EMAIL PROTECTED] [mailto
Thanks Darin. I have adjusted for me, and will see what happens.
Todd
_
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin
Cox
Sent: Tuesday, August 07, 2007 9:02 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] New PDF worm?
I whipped this up
Post a log snippet showing the errors or send off list.
John T
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Todd Richards
Sent: Sunday, August 05, 2007 2:19 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] FW: Problems
I
Todd,
If this is not resolved yet please contact [EMAIL PROTECTED]
Thanks
David
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd
Richards
Sent: Sunday, August 05, 2007 5:19 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] FW: Problems
: 978.499.2933 x7008
Toll Free: 1-866.332.5833 x7008
Fax: 978.334.0700
Email: [EMAIL PROTECTED]
- Original Message -
From: David Barker [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Monday, August 06, 2007 11:28 AM
Subject: RE: [Declude.JunkMail] FW: Problems
Todd
OK, please ignore. This strange message was the result of our issues that
we had over the weekend.
Thanks to Linda at Declude, we are pretty much back to normal (or as close
as we can get)!
Todd
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd
Kevin, I received your ticket and I will get to it ASAP. :-)
If you have any further questions, please do not hesitate to contact me
either by email or call Toll free 1-866-332-5833 Ext.7008
Linda Pagillo
Technical Support Engineer | Declude
Your Email Security is our business
Office:
Content Filters
which must be some of the PCRE that David Barker has been posting.
Gary
Original Message
From: Dave Beckstrom [EMAIL PROTECTED]
Sent: Saturday, August 04, 2007 8:45 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Spam Increase?
Sorry guys
PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin
Cox
Sent: Friday, August 03, 2007 10:25 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Spam Increase?
I think we started seeing it last Saturday... pretty constant since then.
Fortunately it's almost entirely being
My apologies for being rude, fat fingers hit SEND before the
pay for the service.
Thanks in advance
Andres
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ing.
Andrés E. Gallo
Sent: Friday, August 03, 2007 16:27
To:
I actually saw it ramping up since last weekend and every day there has
been a change or 2 in the spam to keep it from being caught.
John T
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Todd Richards
Sent: Friday, August 03, 2007 2:35 PM
To:
, 2007 6:19 PM
Subject: RE: [Declude.JunkMail] Spam Increase?
I actually saw it ramping up since last weekend and every day there has
been a change or 2 in the spam to keep it from being caught.
John T
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Todd
Darin,
The CPU increase was due to the high volume of ZIP and XLS viruses,
something that has been pretty rare until recently. The Storm botnet
started sending these out on Saturday in numbers that average about one
attached virus per day per user on our system (which was a change from
To: declude.junkmail@declude.com
Sent: Saturday, August 04, 2007 12:09 AM
Subject: Re: [Declude.JunkMail] Spam Increase?
Darin,
The CPU increase was due to the high volume of ZIP and XLS viruses, something
that has been pretty rare until recently. The Storm botnet started sending
these out on Saturday
])
To: declude.junkmail@declude.com
Sent: Wednesday, August 01, 2007 4:48 PM
Subject: Re: [Declude.JunkMail] ZEN test
Bonno,
Due to your HOP setting you are checking multiple hops. Since you use a
multihop setting you should score the hops differently or run into
problems like you
Hop 0 is the MTA delivering to your MTA - Hop 0 is NOT your MTA, i.e.
(sender-MUA)--(sender MTA)--(Your MTA)--(Your MUA)
(Hop 1)---(Hop 0)---(No HOP)(No Hop)
The reason to use Hop 0 and HopHigh 1 is to pick up a spammer MUA or MTA which is sending
or relaying through a clean MTA.
Sure. You could create a Declude combo filter like that. Put a size test
before the custom filter in your global.cfg, add the tests the message fails
to incoming message headers, and in the custom combo filter look for the
size test failure warning in the headers, and look for the zip file in
Bonno,
Due to your HOP setting you are checking multiple hops. Since you use a
multihop setting you should score the hops differently or run into
problems like you identified. I would suggest reducing it to 1. This
will score the last two hops.
Then you can modify your tests like the
Hi,
After consolidating servers I have an Imail Unlimited User License (normal
cost $2,995) available. One would have to upgrade it from 8.2 to 2006.21 -
for $995 to make it current.
If anyone's interested, feel free to contact me off-list.
Best Regards,
Andy
Chuck, it probably only means that your Declude configuration is
effectively blocking the major spammers, and that the cases you are
chasing are fresh zombies on networks whose registrations are handled by
RIPE or APNIC, and that you need to refer to them for the specific
information.
If a zombie
I run my logs at high and they are 400 MB.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bonno
Bloksma
Sent: Tuesday, July 31, 2007 5:18 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] logsize
Hi,
Lately more spam is
-UNSPEC-HIGH IP4Rlist.dnswl.org 127.0.10.3
-10 0
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott
Fisher
Sent: Saturday, July 28, 2007 11:57 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] whitelisting
/(there is another one too I think) in the test name.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Monday, July 30, 2007 7:53 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] whitelisting/negative weights
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] whitelisting/negative weights with DNSWL.org
-David
I think you messed up on all the ones with a 0 in the third octet.
I also chose to run it only on the last header. I wouldn't whitelist/credit
on any information on any previous headers
Ewww. Look at all the return codes!
I'd be interested in seeing some rates. Does it hit enough to work?
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary
Steiner
Sent: Friday, July 27, 2007 6:42 PM
To: declude.junkmail@declude.com
Subject:
I'll give it a try. Here's what I will use/
DNSWL-FINANCIAL-NONE dnsbl %IP4R%.list.dnswl.org 127.0.2.0 0 0
DNSWL-FINANCIAL-LOW dnsbl %IP4R%.list.dnswl.org 127.0.2.1 0 0
DNSWL-FINANCIAL-MEDIUM dnsbl %IP4R%.list.dnswl.org 127.0.2.2
John,
It's just another one of the viruses from the Storm botnet. Same guys
as the ones sending fake greeting card viruses and PDF stock spam among
other things.
Matt
John T (lists) wrote:
I am not sure what is the purpose yet, but I am catching a lot of
emails this morning with a
@declude.com
Subject: Re: [Declude.JunkMail] Excel files in zip files spreading
John,
It's just another one of the viruses from the Storm botnet. Same guys as
the ones sending fake greeting card viruses and PDF stock spam among other
things.
Matt
John T (lists) wrote:
I am not sure what
Yeah, I started seeing these today too. Anyone have anything set up to
catch them?
Todd
_
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T
(lists)
Sent: Saturday, July 28, 2007 11:59 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Excel files
Why not just base it on a REVDNS test for .fedex.com and assign a large
negative weight?
--
Check out http://www.invariantsystems.com for utilities for Declude,
Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring,
SURBL/URI integration, MRTG
, July 27, 2007 1:31 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] How to whitelist this
Why not just base it on a REVDNS test for .fedex.com and assign a large
negative weight?
--
Check out http://www.invariantsystems.com for utilities
.
Thanks,
Dermot
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Wednesday, July 25, 2007 2:41 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] BADHEADER lookup tool
http://tools.declude.com/ Declude Header Code
Thanks for pointing this out. This has been updated.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dermot
Keenan
Sent: Thursday, July 26, 2007 11:48 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] BADHEADER lookup tool
So, that's
http://tools.declude.com/ Declude Header Code Test
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Troy D.
Hilton
Sent: Wednesday, July 25, 2007 2:19 PM
To: Declude Junkmail Forum
Subject: [Declude.JunkMail] BADHEADER lookup tool
Does Declude still support their BADHEADER
percent gets through to mailboxes.
Kevin Bilbee
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Uwe
Degenhardt
Sent: Wednesday, July 18, 2007 10:46 PM
To: Craig Edmonds (123marbella.com)
Subject: Re: [Declude.JunkMail] frustration
Hi Craig
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin
Bilbee
Sent: Thursday, July 19, 2007 1:31 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] frustration
We are on SmarterMail 3.x and run invURIBL and Commtouch ZEROHOUR. We do not
run
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] frustration
We are running Declude, invURIBL, and Sniffer. We are not using Commtouch.
For those of you running the first three, how much impact did you see by
adding Commtouch? Our management is very happy with the current set up,
esp
Check your tests in the global for negative weights which bring the value
down, the negative weights are defined in the last column of your tests.
Most common are IPNOTINMX or NOLEGITCONTENT or FROMNOMATCH which are hidden
from the headers. The last column either adds or subtracts weight if the
PROTECTED] On Behalf Of David
Barker
Sent: Thursday, July 19, 2007 12:41
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] why not adding to X-Declude-Scan?
Check your tests in the global for negative weights which bring the value
down, the negative weights are defined
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ing.
Andrés E. Gallo
Sent: Thursday, July 19, 2007 2:04 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] why not adding to X-Declude-Scan?
Hi David, I have:
From global.cfg
Gnabasik
Sent: Thursday, July 19, 2007 9:15 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] frustration
I'm going to third (or fourth) everyone's comments related to Declude, the
company, their people (David Barker in particular) and the product.
We're running Imail v8.22 (tried 2006
We're running pretty well... catching somewhere between 99.7% and 99.9% of
incoming spam. Declude 2.0.6 (waiting on Imail 2006 to stabilize before
upgrading to the latest version) on IMail 8.22, along with Sniffer and
invURIBL.
Darin.
- Original Message -
From: Uwe Degenhardt