John,

I think you misunderstood my suggestion.  I was suggesting that you run MS SMTP as well as IMail/JunkMail on the gateway.

Actually, I can tell you that running IMail/JunkMail as the actual gateway is a pretty bad idea at the moment.  You really need some other product to do the address validation for the recipients on the gateway and drop the bad stuff before scanning it.  You could be going along just fine for months and then all of a sudden get blasted out of nowhere with a distributed dictionary attack.  I have found from researching the worst of the worst of these guys that his zombie network is so large that he doesn't hit you twice in the same day with the same IP, he uses an IP for about 30 seconds and then moves on to another one and continues (sometimes simultaneously).  It is 100% impossible to block this guy with anything but address validation or some sort of real-time dictionary attack detection system.

I would strongly recommend that on your gateway, you consider first how to do address validation and then piece together the rest.  If this is just a single domain, you might chance it and have a backup strategy in place to switch to the primary server for scanning in the event that address validation is necessary.  These attacks can create over 200,000 bogus messages a day.  I also have a feeling that they aren't even dictionary attacks, I think that this one spammer is just so lazy and has so many machines available to him that he figures that he can spam 200,000 messages and only hit 2 real addresses and it will be worth his time, and his sociopathic nature will get the stimulation it needs.  There is no good reason for doing what this guy does.

Matt
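
The point made in the message above, that per-IP blocking never trips when every source sends only a few guesses while recipient validation and a domain-wide counter still work, as an added Python sketch (not part of the original post and not code from any product named in the thread). The recipient list, addresses, window and limits are constructed assumptions.

```python
from collections import deque

# Constructed recipient list for a hypothetical domain.
VALID = {"john@example.com", "sales@example.com"}

def validate_rcpt(rcpt):
    """Address validation at the gateway: reject unknown recipients at RCPT TO."""
    return "250 OK" if rcpt.lower() in VALID else "550 unknown user"

class DictionaryAttackDetector:
    """Counts rejected recipients across ALL source IPs in a sliding window."""

    def __init__(self, window=60, limit=20):
        self.window, self.limit = window, limit
        self.events = deque()  # (timestamp, source_ip) of each rejected RCPT

    def observe(self, ts, ip, rcpt):
        """Record one RCPT TO; True when rejects in the window exceed the limit."""
        if validate_rcpt(rcpt).startswith("250"):
            return False
        self.events.append((ts, ip))
        while self.events[0][0] <= ts - self.window:
            self.events.popleft()
        return len(self.events) > self.limit

def simulate(n_ips=40, per_ip=3, per_ip_limit=5):
    """Constructed traffic: each source sends a few guesses, then never returns."""
    det = DictionaryAttackDetector()
    rejects_by_ip, first_alert, accepted = {}, None, 0
    for i in range(n_ips):
        ip = f"198.51.100.{i + 1}"  # documentation range (RFC 5737)
        for j in range(per_ip):
            ts = i * per_ip + j  # one attempt per second
            # Exactly one guess happens to be a real mailbox.
            rcpt = "john@example.com" if (i, j) == (7, 0) else f"guess{i}-{j}@example.com"
            if validate_rcpt(rcpt).startswith("250"):
                accepted += 1
            else:
                rejects_by_ip[ip] = rejects_by_ip.get(ip, 0) + 1
            if det.observe(ts, ip, rcpt) and first_alert is None:
                first_alert = ts
    return {
        "ips_over_per_ip_limit": sum(c > per_ip_limit for c in rejects_by_ip.values()),
        "first_window_alert": first_alert,
        "accepted_for_scanning": accepted,
        "rejected_at_rcpt": sum(rejects_by_ip.values()),
    }

if __name__ == "__main__":
    print(simulate())
```

In this constructed run no single IP ever crosses the per-IP limit, yet the domain-wide window alerts after 21 rejects and only the one real recipient reaches content scanning.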



John Tolmachoff (Lists) wrote:

The gateway server will be Imail/Declude as that will be doing all the Junkmail scanning.

 

John Tolmachoff

Engineer/Consultant/Owner

eServices For You

 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Thursday, July 08, 2004 7:30 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] IPBYPASS and WHITELIST IP

 

John,

In this case, you would actually want to whitelist the primary and not use IPBYPASS.

Another suggestion would be to put MS SMTP on some different port on the gateway and configure IMail on the primary to send all E-mail through MS SMTP and that special port.  MS SMTP is leaner and more configurable than IMail when it comes to delivering E-mail, and Declude won't need to be called.  I believe that all locally addressed E-mail should remain on the primary despite the gateway configuration so don't worry about that.  I think you have to modify a registry setting to get IMail to hand off to a different port like this, and that can be found in the IMail KB.  If you configure MS SMTP to listen on, say, 2525, you can restrict the IPs that can connect quite easily, and it will deliver E-mail on port 25 unless you specify differently.

Matt



John Tolmachoff (Lists) wrote:

Thanks Scott and Andrew for the responses.
 
What I am doing is configuring a gateway server for a primary IMail server.
The Primary will be doing all mailboxes, Declude Virus, Declude Hijack, Web
mail, POP3 and so forth.
 
The gateway server will be doing all Junkmail filtering and receive and send
all to the Internet.
 
So, on the Gateway server, I want to use IPBYPASS then, listing the IPs on
the main server.
 
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
 
 
  
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED]] On Behalf Of Colbeck, Andrew
Sent: Thursday, July 08, 2004 6:19 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [Declude.JunkMail] IPBYPASS and WHITELIST IP
 
John, let's say that you have a Postfix gateway in front of your
IMail+Declude server.
 
If you whitelist the gateway, then all mail from that server or passed
through that server will be whitelisted.  That would be *bad*.  You would
instead use IPBYPASS, so that all the IP based tests are not against your
gateway, but rather against the host that sent the message to your gateway.

Now let's say that there is no server in front of your IMail+Declude server,
but you do have one customer whose mail is being redirected to you by their
old server.

You would still want to IPBYPASS that server if all it ever sends is from
the one domain.  If you WHITELIST it instead, then once again, you get all
the spam that comes from it or through it.

If you try to WHITELIST and IPBYPASS, the IPBYPASS will win, and no IP based
tests will run against that host.  Messages that passed through that host
will have IP based tests run on the hop before that host.  Messages directly
from that host will have no IP based tests run against it.
 
If you WHITELIST an internal server, then following the logic from the
previous example, you would then run IP based tests against your internal
workstations.  If it's a private IP address space, probably none of the IP
tests would trigger (unless you test for Bogons).  If it's not a private
space, or you NAT-hide what would be a public space, you would expect that
DUHL tests would trigger on all of the internal mail clients.  This is why
my ancient global.cfg has a note in it to tell you to whitelist your own
client space or don't use the DUHL tests!
 
Does that help?
 
Andrew 8)
 
-----Original Message-----
From: John Tolmachoff (Lists) [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 08, 2004 4:11 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] IPBYPASS and WHITELIST IP
 
 
If you have a WHITELIST IP line for an IP address, does it make sense or is
it redundant to have a IPBYPASS line for that IP?
 
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
 
 
 
---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]
 
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.



-- 
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
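
The WHITELIST versus IPBYPASS behaviour Andrew describes in the thread above, as a small Python model. This is an added example, not part of the thread and not Declude's code; the function names, the Received header layout, the addresses (RFC 5737 documentation ranges) and the blocklist standing in for any IP-based test are assumptions, as is checking the whitelist against the hop that remains after bypassing.

```python
import re

# Constructed sample data; all addresses are documentation ranges.
GATEWAY = "192.0.2.10"        # our own gateway in front of the mail server
SPAM_SOURCE = "203.0.113.66"  # host that handed the message to the gateway
BLOCKLIST = {SPAM_SOURCE}     # stand-in for any IP-based test (DNSBL, DUHL, ...)
HEADERS = [
    "Received: from mail.example.net [203.0.113.66] by gw.example.com; "
    "Thu, 8 Jul 2004 18:19:00 -0700",
]

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def hops_from_headers(connecting_ip, received_headers):
    """Relay IPs, nearest hop first: the connecting host, then the bracketed
    IP from each Received header (top header is the most recent hop)."""
    hops = [connecting_ip]
    for header in received_headers:
        match = RECEIVED_IP.search(header)
        if match:
            hops.append(match.group(1))
    return hops

def ip_under_test(hops, ipbypass):
    """Skip bypassed hosts; None means the mail originated on a bypassed host."""
    for ip in hops:
        if ip not in ipbypass:
            return ip
    return None

def classify(hops, whitelist=frozenset(), ipbypass=frozenset()):
    """Return (tested_ip, outcome) for one message under the given policy."""
    ip = ip_under_test(hops, ipbypass)
    if ip is None:
        return (None, "no IP tests run")
    if ip in whitelist:
        return (ip, "whitelisted")
    return (ip, "fails IP test" if ip in BLOCKLIST else "passes IP test")

if __name__ == "__main__":
    hops = hops_from_headers(GATEWAY, HEADERS)
    print(classify(hops, whitelist={GATEWAY}))                      # spam passes
    print(classify(hops, ipbypass={GATEWAY}))                       # source tested
    print(classify(hops, whitelist={GATEWAY}, ipbypass={GATEWAY}))  # bypass wins
    print(classify([GATEWAY], ipbypass={GATEWAY}))                  # direct mail
```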
