[Declude.JunkMail] declude.cfg cleaning

2005-12-29 Thread Scott Fisher
Just cleaning up my declude.cfg file.   Are the PROCESSES and THREADS options still valid for 3.05.x?  

Re: [Declude.JunkMail] blocking IP range

2006-01-05 Thread Scott Fisher
global.cfg: MAILFROM-IP-BLACKLIST ipfile D:\imail\declude\FPFilters\MailFrom-IP.txt x 150 0 Mailfrom-ip.txt: 199.232.98.0/24 199.232.98.0/24 insiderbizclub.com added 05-26-06 199.237.50.179 199.237.50.179 greatlaurel.net added 04-16-05 Either an IP address or an IP and CIDR. anythi

Re: [Declude.JunkMail] Combo Filter

2006-01-16 Thread Scott Fisher
Perhaps this would be better asked on the sniffer forum? - Original Message - From: Markus Gufler To: Declude.JunkMail@declude.com Sent: Monday, January 16, 2006 3:00 AM Subject: RE: [Declude.JunkMail] Combo Filter Hi Goran,   I write

Re: [Declude.JunkMail] Help with filter

2006-01-16 Thread Scott Fisher
There is probably some html coding before that line. - Original Message - From: "Dave Beckstrom" <[EMAIL PROTECTED]> To: Sent: Monday, January 16, 2006 9:02 AM Subject: [Declude.JunkMail] Help with filter I received a spam email, which was an HTML email with only one line. The line

[Declude.JunkMail] ipfile question

2006-01-23 Thread Scott Fisher
Does the IPFILE test check just the last hop or all hops up to your HOPHIGH parameter?   -Scott Fisher, Director of IT, Farm Progress Companies, 191 S Gary Ave, Carol Stream, IL 60188, 630-462-2323   This email message, including any attachments, is fo

Re: [Declude.JunkMail] Filter Syntax

2006-01-23 Thread Scott Fisher
If you wanted to whitelist you could go: MAILFROM WHITELIST IS [EMAIL PROTECTED] MAILFROM WHITELIST ENDSWITH @domain.com   If you wanted to just add negative weight. MAILFROM 0 IS [EMAIL PROTECTED] MAILFROM 0 ENDSWITH @domain.com   The tofile: ALLRECIPS 0 CONTAINS [EMAIL PROTECTED] (You can

Re: [Declude.JunkMail] ipfile question

2006-01-25 Thread Scott Fisher
: <[EMAIL PROTECTED]>Received: from dbzmail.com (bay10-f23.bay10.dbzmail.com [205.158.62.141]] - Original Message - From: Scott Fisher To: Declude.JunkMail@declude.com Sent: Monday, January 23, 2006 9:42 AM Subject: [Declude.JunkMail] ipfile question Do

Re: [Declude.JunkMail] Earthlink/prodigy

2006-01-25 Thread Scott Fisher
A google search yields: "SBC Prodigy" refers to Prodigy Communications L.P., part of the SBC family of Internet Companies. If you are looking at spamdomains... the SBC family just isn't something that works well with spamdomains. not enough spamdomain options. - Original Message -

Re: [Declude.JunkMail] MailPure?

2006-01-28 Thread Scott Fisher
filters that I had listed there if you wish.  They are at least educational in terms of what you can do with Declude's native filtering.  Scott Fisher also has a page up that lists several good resources for filters including some plug-ins.  I can't recall the link though.Ma

Re: [Declude.JunkMail] IPFILE vs REMOTEIP

2006-01-30 Thread Scott Fisher
One difference I know of is that if you use a HOPHIGH parameter, IPFILE will search more hops. Therefore with a HOPHIGH and IPFILE an email with forged headers could trip the test. REMOTEIP only uses the last hop. - Original Message - From: Goran Jovanovic To: Declude.Junk

Re: [Declude.JunkMail] Stock Spam

2006-02-02 Thread Scott Fisher
I use this to catch add weight to the gif stock emails.   STOPATFIRSTHIT   TESTSFAILED END CONTAINS your whitelist filters... BODY END NOTCONTAINS Content-Type: image/gif TESTSFAILED END NOTCONTAINS CMDSPACE BODY  75 CONTAINS img src=""> BODY  75 CONTAINS src=""> BODY  50 CONTA

Re: [Declude.JunkMail] Stock Spam

2006-02-02 Thread Scott Fisher
Here's my geocities filter. It's a little more specific so I can weight foreign geocities more than US geocities.   STOPATFIRSTHIT   BODY  100 CONTAINS ar.geocities.com BODY  100 CONTAINS geocities.com.ar BODY  100 CONTAINS ar.geocities.yahoo.com BODY  100 CONTAINS geocities.yahoo.c

Re: [Declude.JunkMail] Stock Spam

2006-02-02 Thread Scott Fisher
I've been applying a filter to Geocities links since August 2005. It's just too common in spam. Being a business, I don't get a lot of valid email with a geocities link. I think ISPs would have more.   I do TESTSFAILED END CONTAIN on some good whitelist tests. I also skip for s

Re: [Declude.JunkMail] Weight

2006-02-02 Thread Scott Fisher
When I started, I ended up with a comfortable system with the weights subject tag 14, hold 28 delete at 35. I didn't like the oddity of the numbers and sometimes wanted a finer granularity. So I multiplied all of my weight by 7. I ended up with subject tag at 100, hold at 200 and dele

Re: [Declude.JunkMail] Stock Spam

2006-02-03 Thread Scott Fisher
A dk.geocities.com link would trigger on your first line getting 75 points. In my case I would want it to trigger for 100 points. - Original Message - From: Cris Porter To: Declude.JunkMail@declude.com Sent: Friday, February 03, 2006 11:27 AM Su

Re: [Declude.JunkMail] Ping 2-3-06

2006-02-03 Thread Scott Fisher
You didn't get the everyone take this Friday off message? - Original Message - From: "Bill Green dfn Systems" <[EMAIL PROTECTED]> To: Sent: Friday, February 03, 2006 2:41 PM Subject: [Declude.JunkMail] Ping 2-3-06 I haven't received anything from the Declude or Imail lists since earl

Re: [Declude.JunkMail] Comments Test

2006-02-05 Thread Scott Fisher
1 hit of comments with the 10 parameter since 10/1/05... If it matters it was spam. - Original Message - From: Goran Jovanovic To: Declude.JunkMail@declude.com Sent: Saturday, February 04, 2006 10:24 AM Subject: [Declude.JunkMail] Comments Test Back in

Re: [Declude.JunkMail] Whitelisting not working for all items

2006-02-06 Thread Scott Fisher
1. I wouldn't advocate whitelisting on a from address. Too easy to spoof. Can you whitelist regsoft's server IP? or not as good their revdns?   2. Whitelisting @regsoft.com wouldn't whitelist any subdomains of regsoft ie (@orders.regsoft.com).  Yo

Re: [Declude.JunkMail] What are all the NOT comparable statements in Declude?

2006-02-09 Thread Scott Fisher
NOTCONTAINS was introduced in 1.79i7. NOTENDSWITH was introduced in 1.78. Bug with country filters fixed 1.79i6. Pairs nicely with MAILFROM and REVDNS. NOTIS was introduced in 179i16. no NOTSTARTSWITH... - Original Message - From: "Erik" <[EMAIL PROTECTED]> To: Sent: Thursda

[Declude.JunkMail] declude 4 changes ... worried...

2006-02-10 Thread Scott Fisher
So I thought I'd go web browsing on the Declude site and see what is up with Declude 4. I'm a Virus Pro and Junkmail Pro licensee on Imail.   Going forward Declude 4 is the entire suite (Virus Pro, Junkmail Pro and Hijaak). Kevin's post mentions that Declude 3 will be supported. Although lon

Re: [Declude.JunkMail] declude 4 changes ... worried...

2006-02-10 Thread Scott Fisher
e. ~Ché -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Scott Fisher Sent: Friday, February 10, 2006 10:43 AM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] declude 4 changes ... worried... So I thought I'd go web browsing on the Declude site an

[Declude.JunkMail] Stock spammers a shift?

2006-02-10 Thread Scott Fisher
I'm starting to see the stock spammers coming in with base64 encoding and jpeg files.   That'll be interesting to try to block. -Scott Fisher, Director of IT, Farm Progress Companies, 191 S Gary Ave, Carol Stream, IL 60188, 630-462-2323   This email me

Re: [Declude.JunkMail] Combo Filter

2006-02-10 Thread Scott Fisher
I like to run combos with Sniffer. It's very effective to combine two high percentage spam tests.   I have 10 combo filters that include Sniffer:   Sniffer and my internal IP blacklist Sniffer and SBL Sniffer and CBL Sniffer and MailPolice Block Sniffer and Spamcop Sniffer and m

[Declude.JunkMail] 3.0.5.26 release notes desired

2006-02-10 Thread Scott Fisher
Are there any release notes for 3.0.5.26?   I saw it and can't find any mention of the changes anywhere.

Re: [Declude.JunkMail] large mail to large number op recips

2006-02-14 Thread Scott Fisher
too.   http://it.farmprogress.com/declude\declude.htm - Original Message - From: Darin Cox To: Declude.JunkMail@declude.com Sent: Tuesday, February 14, 2006 10:29 AM Subject: Re: [Declude.JunkMail] large mail to large number op recips See Matt's reply. 

Re: [Declude.JunkMail] large mail to large number op recips

2006-02-14 Thread Scott Fisher
One other possible issue:   I've seen problems with external tests and very long command lines. A long (>256) command line could return odd results. I don't know if that was ever fixed. It is definitely safe to use the bitmask test. - Original Message - From: Matt To: Dec

Re: [Declude.JunkMail] large mail to large number op recips

2006-02-14 Thread Scott Fisher
Tuesday, February 14, 2006 10:29 AM Subject: Re: [Declude.JunkMail] large mail to large number op recips See Matt's reply.  IIRC, both he and Scott Fisher had variants on the size test, one was vbscript and the other was an EXE.  You might check

Re: [Declude.JunkMail] large mail to large number op recips

2006-02-14 Thread Scott Fisher
Sent: Tuesday, February 14, 2006 10:29 AM Subject: Re: [Declude.JunkMail] large mail to large number op recips See Matt's reply.  IIRC, both he and Scott Fisher had variants on the size test, one was vbscript and

Re: [Declude.JunkMail] large mail to large number op recips

2006-02-14 Thread Scott Fisher
arge number op recips See Matt's reply.  IIRC, both he and Scott Fisher had variants on the size test, one was vbscript and the other was an EXE.  You might check Scott's website

Re: [Declude.JunkMail] adding weight based on x-country-chain

2006-02-15 Thread Scott Fisher
Darn enter key. Didn't get to finish my email.   Here are the special country codes:
##  Special Codes
#
# *1 Multi-Regional
# *2 Europe
# *3 North America
# *4 Central/South America
# *5 Pacific Rim
# *A ARIN Unlisted (North America/South Africa)
# *B Public Data Network
# *E RIPE Unlisted (Europe, N

Re: [Declude.JunkMail] adding weight based on x-country-chain

2006-02-15 Thread Scott Fisher
The COUNTRY filter is used for searching the last country in the country chain. The COUNTRY filter requires the all_list.dat file. See the end of the document for a link to this file. COUNTRY was introduced in the 1.62.   The COUNTRIES filter is used for searching all countries in the coun

Re: [Declude.JunkMail] adding weight based on x-country-chain

2006-02-15 Thread Scott Fisher
I do score this way. One of the reasons is I can track where the spam is coming from with the log results. I'll score 30 points on a hold of 200. Not too high.   I'll then run those that didn't fail the Filter-country through Matt's MP_Foreign Test ending those that triggered the initial co

Re: [Declude.JunkMail] adding weight based on x-country-chain

2006-02-15 Thread Scott Fisher
all_list.dat should be in your declude folder. Mine is dated 10/29/2005.   If you have JunkMail pro, you can write the filters.   REMOTEIP 5 CONTAINS . is a trick that I learned from Matt that essentially is always true. The sender's ip address (REMOTEIP) should always have a period in it.  

Re: [Declude.JunkMail] Banks (and Ebay) Phising Filters

2006-02-19 Thread Scott Fisher
If you have Declude Virus, and can afford the CPU time... The best phish beater I have is Clam AV and PRESCAN ON. With bank consolidations, using the reverse dns can be dicey. - Original Message - From: "Erik" <[EMAIL PROTECTED]> To: Sent: Friday, February 17, 2006 5:32 PM Subject

Re: [Declude.JunkMail] SKIPIFWEIGHT - RUNIFWEIGHT?

2006-02-20 Thread Scott Fisher
could you chain a few skipifweightfilters?   under10.txt skipifweight 10 remoteip 0 contains .   filter2.txt testsfailed end notcontains under10.txt - Original Message - From: Kami Razvan To: Declude.JunkMail@declude.com Sent: Monday, February 20, 2006 1:39 PM Su

Re: [Declude.JunkMail] SKIPIFWEIGHT - RUNIFWEIGHT?

2006-02-20 Thread Scott Fisher
I've long wanted a SKIPIFWEIGHTLESSTHAN myself.   My thinking is that it would cut down on some CPU time for filters that wouldn't even affect the email's weight because they were scoring low enough.   Maybe with version 4 being PRO across the board, we can expect to see some filter enhancem

Re: [Declude.JunkMail] blacklist file

2006-02-21 Thread Scott Fisher
No. The fromfile format is: @mastercardconfirm.com   This will also not catch [EMAIL PROTECTED], so sometimes you'll need .mastercardconfirm.com.   I always preface with a period or @.     - Original Message - From: Craig Edmonds To: Declude.JunkMail@declude.com Sent

Re: [Declude.JunkMail] Banks (and Ebay) Phising Filters

2006-02-21 Thread Scott Fisher
n can use multiple AV programs? We use the standard with F-PROT. Erik -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Sunday, February 19, 2006 8:18 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Banks (and Ebay)

Re: [Declude.JunkMail] Banks (and Ebay) Phising Filters

2006-02-21 Thread Scott Fisher
Aaarrgg. Good catch Bill. - Original Message - From: "Bill Landry" <[EMAIL PROTECTED]> To: Sent: Tuesday, February 21, 2006 12:03 PM Subject: Re: [Declude.JunkMail] Banks (and Ebay) Phising Filters - Original Message ----- From: "Scott Fisher" <[EMA

Re: [Declude.JunkMail] Banks (and Ebay) Phising Filters

2006-02-22 Thread Scott Fisher
TED]> To: Sent: Tuesday, February 21, 2006 12:03 PM Subject: Re: [Declude.JunkMail] Banks (and Ebay) Phising Filters - Original Message - From: "Scott Fisher" <[EMAIL PROTECTED]> You do need the Pro version to run more than one scanner. It's the best thing ab

Re: [Declude.JunkMail] Spam out of 86.* & 87.*

2006-02-27 Thread Scott Fisher
You've got a lot of European DUL space in 86.* and 87.*. interbusiness.it, chello.pl, chello.fr, versanet.de, wanadoo.fr, ntl.com, btcentralplus.com. So anything that targets Zombies should help. - Original Message - From: "John Carter" <[EMAIL PROTECTED]> To: Sent: Monday, Februa

Re: [Declude.JunkMail] Spam out of 86.* & 87.*

2006-02-28 Thread Scott Fisher
2 other tactics against these: 1. Spamdomain test. A verizon.com from address is unlikely to come from a wanadoo.fr reverse dns. Spamdomains will have some false positive consequences... 2. Reverse DNS Filters. I'd consider a reverse dns with a cable or -dsl- in it to be suspicious and w

Re: [Declude.JunkMail] 3.06

2006-02-28 Thread Scott Fisher
Only after I submitted an issue to Tech Support. No release notes for it either... I am running it. - Original Message - From: "Robert Grosshandler" <[EMAIL PROTECTED]> To: Sent: Tuesday, February 28, 2006 4:14 PM Subject: [Declude.JunkMail] 3.06 I haven't received notification of

Re: [Declude.JunkMail] Checking DUL Space

2006-02-28 Thread Scott Fisher
Here's what I use to target DUL space:
SORBS-DUHL IP4R dnsbl.sorbs.net 127.0.0.10 0 0
NJABL-DYNABLOCK IP4R dynablock.njabl.org 127.0.0.3 0 0
NJABL-DUL IP4R dnsbl.njabl.org 127.0.0.3 0 0
MAILPOLICE-HELO dnsbl %HELO%.dynamic.rhs.mailpolice.com 127.0.0.2 0 0
MAILPOLICE-REVDNS dnsbl %REVDNS%.dynamic

[Declude.JunkMail] MXRATE FYI

2006-03-01 Thread Scott Fisher
FYI:   It looks like around January 26th the pub.mxrate.com IP4R DNS services were made private. Since then I've had no response from the DNS lists.   They have discontinued the public service and made a private service available. If you are interested the URL is here: http://www.mxrate.com/

Re: [Declude.JunkMail] MXRATE FYI

2006-03-01 Thread Scott Fisher
MXRATE-BLACK-LAST  dnsbl %IP4R%.sub.mxrate.net  127.0.0.2 30 0
MXRATE-SUSPICIOUS-LAST dnsbl %IP4R%.sub.mxrate.net  127.0.0.4 10 0
MXRATE-WHITE-LAST dnsbl %IP4R%.sub.mxrate.net  127.0.0.3 -25 0
On a subject tag @ 100, hold @ 200, delete @ 300 scale. I was hoping to revisit the weights, when I n

Re: [Declude.JunkMail] GeoCities

2006-03-06 Thread Scott Fisher
It's rare for me to catch business stuff, but it does happen. I weight it at 75 points for a US link, 100 for a foreign geocities link. (subject tag at 100, hold at 200, delete at 300). - Original Message - From: "John T (Lists)" <[EMAIL PROTECTED]> To: Sent: Monday, March 06, 2006 10

Re: [Declude.JunkMail] How to add extra points to this

2006-03-07 Thread Scott Fisher
One problem with a combo on INVURIBL and SNIFFER is that they may both be detecting on the same thing: the URL links. I find it best to use combos on different elements. - Original Message - From: Goran Jovanovic To: Declude.JunkMail@declude.com Sent: Monday, March 06,

Re: [Declude.JunkMail] How to filter for this?

2006-03-07 Thread Scott Fisher
HELO 1 IS SPAMBAG - Original Message - From: "Chuck Schick" <[EMAIL PROTECTED]> To: "Declude. JunkMail" Sent: Tuesday, March 07, 2006 9:41 AM Subject: [Declude.JunkMail] How to filter for this? In the headers of messages there is this line Received: from spambag [70.69.167.210] by

Re: [Declude.JunkMail] Declude Release

2006-03-13 Thread Scott Fisher
-David, Can you check the download link for the proc only download for 3.0.6.4? I received a page not found error. - Original Message - From: "David Barker" <[EMAIL PROTECTED]> To: ; Sent: Monday, March 13, 2006 8:06 AM Subject: [Declude.JunkMail] Declude Release Declude Release 3.

Re: [Declude.JunkMail] Whitelisted address getting trapped anyway

2006-03-18 Thread Scott Fisher
You might need WHITELIST from .xx.com  (the smtp sender address looks to be in the format [EMAIL PROTECTED]) - Original Message - From: Harry Vanderzand To: Declude.JunkMail@declude.com Sent: Saturday, March 18, 2006 10:17 AM Subject: [Declude.JunkMail] Whi

[Declude.JunkMail] Feature request MINWEIGHTTOFAIL

2006-03-27 Thread Scott Fisher
I'd like to see some kind of sliding scale to expand the MINWEIGHTTOFAIL processing. I currently use a MINWEIGHTTOFAIL 4 to apply weight to 419 scams. For me a MINWEIGHTTOFAIL 4 is the bottom end, and I'd like to not put on an overpowering weight because of false positive potential. I'd certa

Re: [Declude.JunkMail] Feature request MINWEIGHTTOFAIL

2006-03-27 Thread Scott Fisher
Yes. As the filter matches more lines, I want more weight as it is more likely to be a 419 spam.   Now the lines themselves aren't spammy (million dollars) so I can't weight each line much if at all. - Original Message - From: Nick Hayer To: Declude.JunkMail@declude.com

Re: [Declude.JunkMail] External vs ExternalPlus

2006-03-30 Thread Scott Fisher
I think externalplus is used with wamcheck: http://www.wamusa.com/wamtools/wamcheck.htm A note from Scott about it: http://www.mail-archive.com/declude.junkmail@declude.com/msg13703.html I would say externalplus is rarely used. - Original Message - From: "David Sullivan" <[EMAIL PROTEC

Re: [Declude.JunkMail] SPF tests in Declude

2006-03-30 Thread Scott Fisher
Many spammers have an SPF record. So the SPFPASS deserves no negative weight. I have SPFPASS set at zero. Here's my settings:
SPFPASS spf pass x 0 0
SPFUNKNOWN spf unknown x 0 0
SPFFAIL spf fail x 50 0
- Original Message - From: "Gary Steiner" <[EMAIL PROTECTED]>

Re: [Declude.JunkMail] HELP - outlook meeting invitations arell not coming through properly. Please See below - Iam using imail 8.15 - declude 2.0.6

2006-03-31 Thread Scott Fisher
There is a switch in declude.cfg for Declude 3.0.5.21 and up that may help:   # Some customers had issues related to Outlook meeting requests appearing as text only. # The default for this directive is OFF.  INVITEFIX   ON - Original Message - From: Howard Smith (N.O.

Re: [Declude.JunkMail] OT: Problem with base64-encoded text messages

2006-04-04 Thread Scott Fisher
A lazy solution would be to whitelist that company's IP address.   - Original Message - From: Chris To: Declude.JunkMail@declude.com Sent: Tuesday, April 04, 2006 3:54 PM Subject: [Declude.JunkMail] OT: Problem with base64-encoded text messages Sorry but I ha

Re: [Declude.JunkMail] SPAMHEADERS question - more confusion

2006-04-04 Thread Scott Fisher
I doubt yo - Original Message - From: "Dan" <[EMAIL PROTECTED]> To: Sent: Tuesday, April 04, 2006 7:40 PM Subject: Re: [Declude.JunkMail] SPAMHEADERS question - more confusion David, Pardon the delayed reply, but I'm curious, how many possible codes are there and is there a compre

Re: [Declude.JunkMail] SPAMHEADERS question - more confusion

2006-04-04 Thread Scott Fisher
I doubty - Original Message - From: "Dan" <[EMAIL PROTECTED]> To: Sent: Tuesday, April 04, 2006 7:40 PM Subject: Re: [Declude.JunkMail] SPAMHEADERS question - more confusion David, Pardon the delayed reply, but I'm curious, how many possible codes are there and is there a comprehe

Re: [Declude.JunkMail] SPAMHEADERS question - more confusion

2006-04-04 Thread Scott Fisher
I doubt you'll get a list. I imagine this is proprietary information for Declude. - Original Message - From: "Dan" <[EMAIL PROTECTED]> To: Sent: Tuesday, April 04, 2006 7:40 PM Subject: Re: [Declude.JunkMail] SPAMHEADERS question - more confusion David, Pardon the delayed reply, b

Re: [Declude.JunkMail] How to stop these?

2006-04-05 Thread Scott Fisher
You could use something like Message Sniffer or a URI filter like INVURIBL. I also add weight for it the reverse dns from a dsl line. You might also run the reverse dns against the mailpolice dynamic black list: MAILPOLICE-REVDNS dnsbl %REVDNS%.dynamic.rhs.mailpolice.com 127.0.0.2 0 0

Re: [Declude.JunkMail] This doesnt add up

2006-04-05 Thread Scott Fisher
You are assigning 30/40 points for the failure of the gibberish filter. Are you also scoring points within the gibberish filter? A body 15 contains text would score 15 for that line matching plus the 30 for the filter matching. - Original Message - From: "Todd" <[EMAIL PROTECTED]> T

Re: [Declude.JunkMail] This doesnt add up

2006-04-05 Thread Scott Fisher
Anoth - Original Message - From: "IS - Systems Eng. (Karl Drugge)" <[EMAIL PROTECTED]> To: Sent: Wednesday, April 05, 2006 1:02 PM Subject: RE: [Declude.JunkMail] This doesnt add up I've been seeing this for weeks. I reported it, and I believe they are working on a fix. Sometimes Dec

[Declude.JunkMail] msgsize enhancement suggestion

2006-04-06 Thread Scott Fisher
I like seeing the msgsize addition to Junkmail. I've used a size test for years and look forward to potentially removing an external test.   I would like to see the bottom end handled too. A msgsize test that would detect where the message is just a couple of bytes would help combat empty bo

Re: [Declude.JunkMail] credit or punish these lists?

2006-04-10 Thread Scott Fisher
I haven't received anything blatant spammy from biglist/rm##/ed##/roving/constantcontact in March. Certainly chunks of B2B email from known companies. So they are hammy enough that they would be part of my automated ham IP list and get a -50 applied to them. If there were spam complaints, I'd

Re: [Declude.JunkMail] How would you create a filter for this?

2006-04-25 Thread Scott Fisher
I might suggest something to target the links of the emails, like Sniffer or INVURIBL as a good attack vector. Combo that test with a CBL result, since these often come from CBL lists.   Dealing with all of the combinations would result in a painfully long filter. - Original Message --

Re: [Declude.JunkMail] CLAMAV Command Line Parameters

2006-05-02 Thread Scott Fisher
A value of 0 disables that particular test. - Original Message - From: Goran Jovanovic To: Declude.JunkMail@declude.com Sent: Tuesday, May 02, 2006 1:42 PM Subject: [Declude.JunkMail] CLAMAV Command Line Parameters Hi Scott,   I am trying to unde

Re: [Declude.JunkMail] How can I block all the stock spams?

2006-05-03 Thread Scott Fisher
88.247.84.83 should be Turkey. I think an update of the all_list.dat file by Declude may be in order. Mine is dated 10/19/2005. - Original Message - From: "Jonas Fornander" <[EMAIL PROTECTED]> To: Sent: Wednesday, May 03, 2006 11:16 AM Subject: RE: [Declude.JunkMail] How can I bloc

Re: [Declude.JunkMail] No action taken

2006-06-05 Thread Scott Fisher
I have reported a bug where inbound-email does process using the outbound headers. In other words, inbound email is getting the XOUTHEADERs added instead of the XINHEADERs. They are probably the same bug. Ticket#: [1F3-0BB15CAA-04BF]. It started for me with version 3.0.6.4 and continues spora

Re: [Declude.JunkMail] No action taken

2006-06-08 Thread Scott Fisher
They seem to have a lot of C-level execs and VPs though: http://www.declude.com/Articles.asp?ID=156 - Original Message - From: "Erik" <[EMAIL PROTECTED]> To: Sent: Wednesday, June 07, 2006 4:48 PM Subject: RE: [Declude.JunkMail] No action taken I have heard a response from them; bu

Re: [Declude.JunkMail] MAILFROM test

2006-06-14 Thread Scott Fisher
I believe it does a DNS lookup on everything after the @ in the envelope mailfrom. It can false positive for me when the mailfrom uses subdomains. In general I would term it an effective test, though it doesn't trigger on a lot of spam. - Original Message - From: "Stan Buck" <[EMAIL

[Declude.JunkMail] Declude Virus BANNAME question

2006-06-27 Thread Scott Fisher
Does BANNAME work on file names within a zip file? -Scott Fisher, Director of IT, Farm Progress Companies, 191 S Gary Ave, Carol Stream, IL 60188, 630-462-2323   This email message, including any attachments, is for the sole use of the intended recip

Re: [Declude.JunkMail] Has a 3. version been released with the same fixes as 4.2 build 20

2006-07-11 Thread Scott Fisher
Will there be any more 3.x releases? - Original Message - From: David Barker To: declude.junkmail@declude.com Sent: Tuesday, July 11, 2006 3:07 PM Subject: RE: [Declude.JunkMail] Has a 3. version been released with the same fixes as 4.2 build 20 No version

[Declude.JunkMail] Quoted Printable Decoding problems

2006-07-11 Thread Scott Fisher
Will there ever be improvements to the decoding of the message body? I'd really like to see quoted printable improvements.   Example:   email contains quoted-printable encode   declude=2e.com filter contains body 50 contains declude.com   filter does not fire.   I have to manually add body

Re: [Declude.JunkMail] Country tests

2006-07-13 Thread Scott Fisher
Yes, you need the all_list.dat in your Declude folder. You can download it from your Declude Customer page that you log in to. - Original Message - From: "Bruce Loughlin" <[EMAIL PROTECTED]> To: Sent: Thursday, July 13, 2006 2:21 PM Subject: RE: [Declude.JunkMail] Country tests I jus

Re: [Declude.JunkMail] F-Prot Licensing

2006-07-17 Thread Scott Fisher
Clamav with the runclamd service.   Free. Fast. and the Sanesecurity anti-phish signatures. - Original Message - From: Markus Gufler To: declude.junkmail@declude.com Sent: Friday, July 14, 2006 5:33 PM Subject: RE: [Declude.JunkMail] F-Prot Licensing This

Re: [Declude.JunkMail] Declude 4.3

2006-07-18 Thread Scott Fisher
Another hand raised. End User (business) here. Apparently I missed the Exchange memo. - Original Message - From: "Gary Steiner" <[EMAIL PROTECTED]> To: Sent: Tuesday, July 18, 2006 6:20 PM Subject: RE: [Declude.JunkMail] Declude 4.3 Basically you are telling me to ignore the Add Com

Re: [Declude.JunkMail] Declude 4.3 - Commtouch trial ?

2006-07-18 Thread Scott Fisher
-David, Just curious is there a free one-month test drive option for CommTouch or something similar? As one of those pesky non-ISP's the $195 a year is pretty reasonable, but I'd really like to test drive it before I buy it. Not to be offensive, but I have no belief of the "100% no false pos

Re: [Declude.JunkMail] Max whitelists hit

2006-07-28 Thread Scott Fisher
Is it a subdomains problem? Do you need .123-reg.co.uk? - Original Message - From: Craig Edmonds To: declude.junkmail@declude.com Sent: Friday, July 28, 2006 7:28 AM Subject: RE: [Declude.JunkMail] Max whitelists hit Hi David,It kind of works.In C:\IMAIL\De

Re: [Declude.JunkMail] Max whitelists hit

2006-07-28 Thread Scott Fisher
Blacklisting by IP address/IP range using the IPFILE option would be a more preferred way to blacklist. I haven't found an upper limit in the IPFILE, as I have 2050 lines in mine. This might not be the most efficient way, and could be killing CPU cycles. I probably should setup an internal IP

Re: [Declude.JunkMail] Variable request

2006-08-21 Thread Scott Fisher
This global.cfg line works fine for me: XINHEADER X-FarmProgress: Server Name: %HELO% - Original Message - From: "John T (Lists)" <[EMAIL PROTECTED]> To: Sent: Saturday, August 19, 2006 3:52 PM Subject: [Declude.JunkMail] Variable request %HELO% to be able to add this information t

Re: [Declude.JunkMail] SKIPIFWEIGHT question

2006-08-24 Thread Scott Fisher
SKIPIFWEIGHT needs to be in each filter that you want to skip.   - Original Message - From: Sharyn Schmidt To: declude.junkmail@declude.com Sent: Thursday, August 24, 2006 11:06 AM Subject: [Declude.JunkMail] SKIPIFWEIGHT question

Re: [Declude.JunkMail] SKIPIFWEIGHT question

2006-08-25 Thread Scott Fisher
On high level logs you will see this kind of log line: 08/24/2006 13:43:01.192 qf32001b20052.smd Filter COMBO-MP-SPAMCOP: Skipping E-mail with a current weight of 691 (>=315) - Original Message - From: Sharyn Schmidt To: declude.junkmail@declude.com

Re: [Declude.JunkMail] SKIPIFWEIGHT question

2006-08-25 Thread Scott Fisher
I don't know if the message comes in any log level that is under high. It's at the top of your filters, I assume.   SKIPIFWEIGHT 315 - Original Message - From: Sharyn Schmidt To: declude.junkmail@declude.com Sent: Friday, August 25, 2006 9:23 AM S

Re: [Declude.JunkMail] Test idea

2006-09-04 Thread Scott Fisher
I ran a query on this looking at my August email results (228889 emails): Excluding HELOBOGUS Excluding (timeout) and [No Reverse DNS] and (Private IP) Looking at last 4 chars of helo <> last 4 chars of revdns 1487 ham: including gov / us mismatches a fair amount of .com / .org with DSL / CABLE

Re: [Declude.JunkMail] X-Declude-RefID Header

2006-09-08 Thread Scott Fisher
I think it displays the header even if it is not enabled. - Original Message - From: "Darrell ([EMAIL PROTECTED])" <[EMAIL PROTECTED]> To: Sent: Thursday, September 07, 2006 8:09 PM Subject: Re: [Declude.JunkMail] X-Declude-RefID Header If you have CommTouch enabled it will display

Re: [Declude.JunkMail] Newest version

2006-09-11 Thread Scott Fisher
I don't think there are any significant anti-spam advances in the new Declude base product.   Declude added the CommTouch addon. Or look at INVURIBL (cheapest solution) or Message Sniffer. - Original Message - From: Sharyn Schmidt To: declude.junkma

Re: [Declude.JunkMail] OT - Re-Deliver IMail D file

2006-09-18 Thread Scott Fisher
I've forged my own Q files before to force a delivery. - Original Message - From: "Dean Lawrence" <[EMAIL PROTECTED]> To: Sent: Monday, September 18, 2006 2:32 PM Subject: [Declude.JunkMail] OT - Re-Deliver IMail D file I have a message that failed to be delivered due to a server is

Re: [Declude.JunkMail] Spam Spike

2006-09-19 Thread Scott Fisher
I say about 25% more spam yesterday than last Monday (9-11) - Original Message - From: "Chris Anton" <[EMAIL PROTECTED]> To: Sent: Tuesday, September 19, 2006 11:31 AM Subject: [Declude.JunkMail] Spam Spike Hi All, We have recently gone from processing 30,000 emails daily to 85,000

Re: [Declude.JunkMail] Negative weight for local hosts?

2006-09-22 Thread Scott Fisher
Also watch out for: WHITELIST AUTH - Original Message - From: "S.J.Stanaitis" <[EMAIL PROTECTED]> To: Sent: Friday, September 22, 2006 1:03 PM Subject: [Declude.JunkMail] Negative weight for local hosts? I'm trying to add confidentiality footers do outgoing emails. All arguments o

Re: [Declude.JunkMail] Crisis after upgrade to 4.3.14 from 4.3.7

2006-09-29 Thread Scott Fisher
Blocking by character sets seems like a pretty dangerous proposition. The beginning of many of these character sets is ASCII English characters. So you can have an English message composed with the GB2312 character set. I have an employee from Russia who regularly receives Cyrillic (koi8-r) email

[Declude.JunkMail] Combination tests with fiveten-spam

2006-10-04 Thread Scott Fisher
Does anyone use fiveten-spam in a combination test they could share? blackholes.five-ten-sg.com result code 127.0.0.2   For the last 6 months, it's been hitting 60% of the spam emails here which is real good for an IP test. Unfortunately it does false positive above 1.5% of the time here, wh

Re: [Declude.JunkMail] Blocking these?

2006-10-05 Thread Scott Fisher
MAILFROM 1 CONTAINS STOCKNEWS - Original Message - From: "Dave Beckstrom" <[EMAIL PROTECTED]> To: Sent: Wednesday, October 04, 2006 10:42 PM Subject: [Declude.JunkMail] Blocking these? How are you guys blocking something like the spam below? There is no URL to block on. They keep

Re: [Declude.JunkMail] INV-URIBL Scoring?

2006-10-10 Thread Scott Fisher
There is a lot of flexibility in the invuribl scoring. I consider the surbl.org to be a consolidation of separate uribl lists and use the bitmask scoring option. So if somebody is listed on more than one list, they'll get higher weights. I can also score lists such as ws.surbl.org lower because

Re: [Declude.JunkMail] picture spam

2006-10-11 Thread Scott Fisher
I combo the graphics hit (jpg, gif or png) with:   1.  bad DNS - None or timeout   2.  bad language (eastern European iso-8859-2) or Cyrillic (koi8-r or iso-8859-5), etc   3.  cmdspace   4.  good DUL IP lists/tests   5.  having forged your local domain.   I still get 5-10 a day. It is a pain.

Re: [Declude.JunkMail] picture spam

2006-10-11 Thread Scott Fisher
Sorbs-DUL and NJABL Dynablock look to be the best. Although they miss lots.   5-10's has been discontinued.   - Original Message - From: Dave Marchette To: declude.junkmail@declude.com Sent: Wednesday, October 11, 2006 3:53 PM Subject: RE: [Declude.JunkMail] picture

Re: [Declude.JunkMail] From: <>

2006-10-12 Thread Scott Fisher
MAILFROM 0 IS <> I wouldn't do it though. Mailfrom the <> generally signifies delivery failure notices and such. For me mail from <> is 90% ham, 10% spam this month. - Original Message - From: "Frederick Samarelli" <[EMAIL PROTECTED]> To: Sent: Thursday, October 12, 2006 11:25 AM S

Re: [Declude.JunkMail] picture spam

2006-10-12 Thread Scott Fisher
more difficult than it is to manage spam blocking. Scott Fisher posted his method for adding points to image spam, and if implemented properly, this is very effective on a plain vanilla Declude install and won't have a large false positive issue. So if you want an opinion from someone tha

Re: [Declude.JunkMail] How long is each test taking?

2006-10-31 Thread Scott Fisher
You really only need a couple of minutes of debug log to check.
shut down declude.
rename the decmmdd.log
change to log level debug for 5 minutes.
start declude
run for a couple of minutes
shut down declude
change log level to normal
start declude
A couple of other ideas. Virus scanner are CPU ho

Re: [Declude.JunkMail] Spam not being caught

2006-11-06 Thread Scott Fisher
This filter will work for targeting CMDSPACE with a gif attachment. You might want to SKIPIFWEIGHT 315 STOPATFIRSTHIT BODY END NOTCONTAINS Content-Type: image/gif TESTSFAILED END NOTCONTAINS CMDSPACE BODY 100 CONTAINS img src=3Dcid: BODY 100 CONTAINS src=3D"cid: BODY 100 CONTAINS src="cid:
