Re: [Declude.JunkMail] More accidental whitelisting

Mon, 28 May 2007 22:55:14 -0700 

Ben,
After you run the task that converts the address books into 2006 format (Access database), then you can delete all of the alias.txt files. There are also other files that aren't used after the conversion. If you move everything over, convert the address books, and then you can delete everything in the user's directory except for the MBX files and possibly IMA files. The summaries are kept in a different format in 2006. 

Matt



Imail Admin wrote:

Hi Matt,

 
I understood the discussion about AUTOWHITELIST ON and the web address 
book issue.  Where I got caught was that this server doesn't use 
aliases.txt, but the file is just there by accidental legacy.
 
We're in the process of replacing our old 7.15 server with a new 
2006.2 server by moving to a new machine.  So far, the only domain 
we've moved over (until we get the bugs like this worked out) is our 
own domain.  As part of that process, I copied over our old user 
folders (just for our domain) to the new server.  The aliases.txt file 
must have been in the old users folder on the old server.
 
Where I got fooled was because apparently 2006.2 doesn't use that file 
any more, so when I logged into the web interface, it told me the 
address book was empty.  And, truthfully, I (and most of our users) 
used IMAP access via Outlook or something similar, rather than the web 
interface, so I wasn't even familiar with the file.
 
I do agree with the discussion on this point: first, the whitelisting 
should never apply to your own address, and, I think the whole idea of 
whitelisting the address book should be an option that can be turned 
on/off from the config file.
 
Anyway, thank you very much for clearing up this mystery for me. 
 
Thanks!
 
Ben
 


    ----- Original Message -----
    *From:* Matt <mailto:[EMAIL PROTECTED]>
    *To:* declude.junkmail@declude.com
    <mailto:declude.junkmail@declude.com>
    *Sent:* Monday, May 28, 2007 8:50 PM
    *Subject:* Re: [Declude.JunkMail] More accidental whitelisting

    Ben,

    This was covered early in the thread.  You have "AUTOWHITELIST ON"
    in your global.cfg, and that causes Declude to whitelist whatever
    is in the recipient's address book (aliases.txt in all IMail
    versions prior to 2006).  You have your own E-mail address listed
    in your address book, and a spammer forged your address as the
    Mail From.  This is commonly seen by those that use AUTOWHITELIST.

    There is no way to stop this unless you remove your address from
    your address book, and this is also likely happening to your other
    users where they have themselves listed in their address book, as
    well as others on your hosted domains in the event that there are
    multiple recipient forging spam.

    There is a limited workaround for some of this using a test called
    BYPASSWHITELIST.  You can search the archives or manual about this.

    The best solution if you want to keep the ability to whitelist
    from the address book would be for Declude to make a change to
    automatically exclude any recipient of the E-mail from triggering
    AUTOWHITELIST.  This has been requested repeatedly for over 3
    years and even came up again in this thread.  The fact that people
    were quick to point out that this was likely the reason for your
    issue is testament to the fact that it affects a lot of people
    that use this functionality.

    Matt



    Imail Admin wrote:

    Hi All,

     
    Last week I was struggling with this mysterious "accidental

    whitelisting."  Emails addressed to me were whitelisted, even
    though I had (to the best of my knowledge) no whitelisting turned
    on for my own address.  After setting the JM logging to high, I
    came up with the following lines:

     
    05/28/2007 17:39:47.568 q764101a6000064c1.smd Past whitelisting

    05/28/2007 17:39:47.568 q764101a6000064c1.smd Looping #0 [flags=1]
    05/28/2007 17:39:47.568 q764101a6000064c1.smd
    [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
    [EMAIL PROTECTED]@mail2.bcwebhost.net] *local*
    05/28/2007 17:39:47.568 q764101a6000064c1.smd Opening
    HKEY_LOCAL_MACHINE\software\Ipswitch\IMail\Domains for
    [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> [0]
    05/28/2007 17:39:47.568 q764101a6000064c1.smd
    D:\IMail\Users\ben\aliases.txt
    05/28/2007 17:39:47.568 q764101a6000064c1.smd Doing whitelist
    file D:\IMail\Users\ben\aliases.txt
    05/28/2007 17:39:47.568 q764101a6000064c1.smd Using whitelist
    file D:\IMail\Users\ben\aliases.txt.
    05/28/2007 17:39:47.568 q764101a6000064c1.smd Skipping4 E-mail
    from [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>   ; whitelisted
    [EMAIL PROTECTED]   ].
    05/28/2007 17:39:47.568 q764101a6000064c1.smd Domain name =
    mail2.bcwebhost.net,  User name = ben.
    So, for reasons I don't understand, Declude is looking at my
    aliases.txt file for whitelisting.  I couldn't find anywhere in
    the configuration files for this to happen, but there it is.  I
    don't even know how aliases.txt is created, but when I looked
    inside it, I found the email addresses for various random people,

    and also my own address. 
     
    My question is: why is Declude using this file for whitelisting? 
    And why do I have this file anyway?
     
    Thanks,
     
    Ben
     


        ----- Original Message -----
        *From:* Imail Admin <mailto:[EMAIL PROTECTED]>
        *To:* declude.junkmail@declude.com
        <mailto:declude.junkmail@declude.com>
        *Sent:* Friday, May 25, 2007 6:01 AM
        *Subject:* Re: [Declude.JunkMail] accidental whitelisting

        Hi David,

         
        Yup, that was my first check.  The address book in question

        is the web address book, which you access from the web
        interface, right?  I checked it and it was empty -- not
        surprising because I mainly use Outlook Express in IMAP
        mode.  I did try turning it off briefly anyway, but then
        decided it couldn't be the cause of the problem and turned it
        back on.

         
        Someone else suggested putting Declude in Debug mode, and I

        could try that next.  Thing is, I'm not getting a lot of
        these types of spam, just a handful in the last couple of
        days.  So I'm concerned about how big the log files will grow
        while I wait for another occurrence.

         
        Thanks,
         
        Ben
         


            ----- Original Message -----
            *From:* David Barker <mailto:[EMAIL PROTECTED]>
            *To:* declude.junkmail@declude.com
            <mailto:declude.junkmail@declude.com>
            *Sent:* Friday, May 25, 2007 5:46 AM
            *Subject:* RE: [Declude.JunkMail] accidental whitelisting

            AUTOWHITELIST  ON checks your user address book make sure
            you don’t have your own address in your address book.

            David Barker
            Director of Product Management
            Your Email security is our business
            978.499.2933 office
            978.988.1311 fax
            [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>

            *From:* [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
            [mailto:[EMAIL PROTECTED] *On Behalf Of *Imail Admin
            *Sent:* Thursday, May 24, 2007 8:42 PM
            *To:* declude.junkmail@declude.com
            *Subject:* [Declude.JunkMail] accidental whitelisting

            Hi All,

            We're in the process of tesing JM 4.x as an upgrade and I
            ran into what I am sure is a minor mis-configuration.

            I find that I occassionally get messages that are clearly
            spam, but are whitelisted.  The common characteristic is
            that they are sent with a from line that is my own email
            address, such as the following:

            X-Declude-Sender: [EMAIL PROTECTED]
            <mailto:[EMAIL PROTECTED]> [77.85.117.187]
            X-Declude-Spoolname: D29db019e00002105.smd
            X-Declude-Note: Scanned by Declude 4.2.20 for spam.
            "http://www.declude.com/x-note.htm";
            X-Declude-Scan: Incoming Score [0] at 17:12:28 on 24 May 2007
            X-Declude-Fail: Whitelisted, ZEROHOUR [0]

            Now, I checked and I don't see why this is being
            whitelisted.  We only whitelist a handful of IP
            addresses, and this isn't one of them.  The whitelist
            settings in the global.cfg file are:


            #=========================================   
            WHITELISTS   =======================================

            #WHITELIST  HABEAS
            #DOMAINWHITELISTS OFF
            PREWHITELIST   ON
            WHITELIST  AUTH
            AUTOWHITELIST  ON

            # ----- Domain Example -----
            #WHITELIST FROM @declude.com

            # ----- User Example -----
            #WHITELIST FROM [EMAIL PROTECTED]
            <mailto:[EMAIL PROTECTED]>

            # ----- IP Example -----
            WHITELIST IP 63.246.31.248

            # ----- REVDNS Example -----
            WHITELIST  REVDNS  .declude.com

            These are pretty much the defaults.  The Autowhitelist ON
            command uses addresses in the web address book, so I

            checked those and found nothing (no addresses at all). 
            I'm sure this is something really obvious, but could

            someone point it out to me?

            Thanks,

            Ben

            BC Web


            ---
            This E-mail came from the Declude.JunkMail mailing list. To
            unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
            type "unsubscribe Declude.JunkMail". The archives can be
            found
            at http://www.mail-archive.com.


            ---
            This E-mail came from the Declude.JunkMail mailing list. To
            unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
            type "unsubscribe Declude.JunkMail". The archives can be
            found

            at http://www.mail-archive.com. 



        ---
        This E-mail came from the Declude.JunkMail mailing list. To
        unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
        type "unsubscribe Declude.JunkMail". The archives can be found

        at http://www.mail-archive.com. 



    ---
    This E-mail came from the Declude.JunkMail mailing list. To
    unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
    type "unsubscribe Declude.JunkMail". The archives can be found

    at http://www.mail-archive.com. 


    ---
    This E-mail came from the Declude.JunkMail mailing list. To
    unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
    type "unsubscribe Declude.JunkMail". The archives can be found
    at http://www.mail-archive.com.


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found

at http://www.mail-archive.com. 



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
























					Reply via email to