RE: [Declude.JunkMail] Alligate vs. Message Sniffer...opinions?

2003-08-21 Thread John Tolmachoff (Lists)
 I don't want to knock Alligate, it has some nice functionality,
 especially when used without Declude (auto whitelisting and digest
 notification), and it does what it says, but it has a relatively high
 false positive rate in the default configuration and therefore it can't
 be scored higher than it is on my scale.  If they could get the auto
 whitelisting and digest notification to work with Declude, that might
 make me a buyer.  I'm still looking for more information on Message
 Sniffer within this context.

As Brian stated, and I alluded to, there is more functionality in the full
version, as opposed to the Declude-only version. The Declude-only version
costs less, but requires more hands-on work to get it to fit your situation.

On that same note, I will help as much as I can on the list. If you feel you
could use more hands-on help, at least to help with the learning curve, I and
others are available on a time basis.

 I've looked at AutoWhite and will probably give it a try, but I can't
 find any information on Match.  Would you care to share a link?

Match never made it out of the beta stage, primarily due to time and the loss of the
programmer working on it. It is scheduled to be rebuilt in the future.

Basically what it does is look for 2 matches. It first checks the from
file to see if the from address is listed. It then checks the to file to see
if the recipient is listed. If it finds a match in both files, it returns a
fail to Declude. You can then weight or take action based on that.

It was developed for a major client I have that gets a lot of e-mail that
tends to fail a good number of tests, but is legit. What I do is list the
from domains in the from file and the client's specific addresses in the to
file. This way, I can whitelist e-mail from a specific domain or user to a
specific domain or user. Yes, there is some overlap with functions in other
programs, but it fits a need.

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.
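A small Python sketch of the two-file matching John describes above, added here as an illustration; it is not his Match program. The list-file format (one domain or address per line, `#` comments), the domain-or-exact-address matching, the function names and the sample list contents are all assumptions constructed for the example.

```python
from email.utils import parseaddr

# Constructed sample "from" file: a bare domain matches any sender at that
# domain, a full address matches only that sender.  The format is an assumption.
FROM_FILE = """\
# partner domains whose mail trips technical tests but is legit
example-partner.test
news@bulletin.example
"""

# Constructed sample "to" file: the client's specific recipient addresses.
TO_FILE = """\
ceo@client.example
sales@client.example
"""


def load_entries(text):
    """Parse a list file: skip blanks and '#' comments, normalise to lower case."""
    entries = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            entries.add(line.lower())
    return entries


def address_matches(address, entries):
    """True when the exact address, or the address's domain, is listed."""
    _, addr = parseaddr(address)          # strips display names: "Bob <b@x>" -> "b@x"
    addr = addr.lower()
    if addr in entries:
        return True
    domain = addr.rpartition("@")[2]
    return bool(domain) and domain in entries


def match_test(sender, recipients, from_entries, to_entries):
    """The Match idea: 'fail' (True) only when BOTH the from list and the to list hit.

    A sender-only hit is deliberately not enough: whitelisting a whole domain
    for every recipient would be a much wider hole than the from->to pairing.
    """
    if not address_matches(sender, from_entries):
        return False
    return any(address_matches(r, to_entries) for r in recipients)


def adjusted_weight(weight, matched, credit=-20):
    """Apply the result as a negative weight, which is one way to use the 'fail'
    John says you can weight on; the -20 credit is a constructed value."""
    return weight + credit if matched else weight


if __name__ == "__main__":
    from_entries = load_entries(FROM_FILE)
    to_entries = load_entries(TO_FILE)
    hit = match_test("Bob <bob@example-partner.test>", ["ceo@client.example"],
                     from_entries, to_entries)
    print("match:", hit, "weight 25 ->", adjusted_weight(25, hit))
```

The pairing is the point: a partner domain only earns the credit when it writes to the specific client addresses it legitimately corresponds with, so a forged sender at that domain aimed at anyone else on the server gains nothing.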


RE : [Declude.JunkMail] Alligate vs. Message Sniffer...opinions?

2003-08-21 Thread mail-list
Hi,

Message Sniffer is not so bad as I tested it, but it has a big problem with
newsletters: it has a big false positive rate with them.

Regards
Mehdi Blagui

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matthew
Bramble
Sent: Thursday, 21 August 2003 03:32
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Alligate vs. Message Sniffer...opinions?


John,

I just joined the list today, but I found your configuration file from
back in June and it was very helpful in understanding how to fine tune
Alligate.  I'm going to study its logs more closely before I start that
phase though, looking for false positives.  I've turned that test down
to 3/10 of failure and reduced several other tests by 1/10 to 2/10 of
failure in order to accommodate it (BADHEADERS for instance).  It seems
to get most of its scoring from technical-type stuff instead of the
heuristics, and if this is the case, I don't think that a scaled test
would be that much more useful to me.  If I could score the content and
obfuscation, and just those things, I wouldn't be double counting the
technicals, and that should reduce some false positives.

I don't want to knock Alligate, it has some nice functionality, 
especially when used without Declude (auto whitelisting and digest 
notification), and it does what it says, but it has a relatively high 
false positive rate in the default configuration and therefore it can't 
be scored higher than it is on my scale.  If they could get the auto 
whitelisting and digest notification to work with Declude, that might 
make me a buyer.  I'm still looking for more information on Message 
Sniffer within this context.

I've looked at AutoWhite and will probably give it a try, but I can't 
find any information on Match.  Would you care to share a link?

Thanks,

Matt




John Tolmachoff (Lists) wrote:

As one of the earlier testers who helped develop the variable scale of
Alligate, I can understand your position. I have a client that gets a
lot of e-mail from the Far East and a lot of bcc broadcasts and lists.
Many of these show elements of spam, but are legit. That is what makes
it hard.

There are a number of adjustments available in Alligate. You might want
to look over my config file I posted earlier today.

One thing I do for this specific issue is I use 2 programs. One is
Match, which is very simple but does need to be revised. The other is
AutoWhite. A 30 demo of AutoWhite is available at
www.eservicesforyou.com/products/autowhite.html. Match is free.

While everyone can have a unique setup, please let me know if you would
like to spend some time going over the possible configurations in
Alligate.

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com



[Declude.JunkMail] Multi Server Configs

2003-08-21 Thread Dan Patnode
I'm running twin dual Xeon 2.4s and was nearly wiped out today by all the extra
virus/worm activity.  It's midnight and I'm still clearing out the overflow, to the
tune of 2 dozen Declude processes.

Rather than running them in parallel as we had before (setting them up with the same
MX weight), we are running these in series (every message hits the first server until
it says uncle, then the second server gets some).  Trouble is, the 1st server didn't
refuse incoming mail, it just kept piling up in overflow - to the tune of about 10,000
messages in the course of a single morning.

Is there a way to configure Imail/Declude so as not to use overflow, instead refusing 
additional connections so they are passed to secondary servers?

Thanks
Dan


PS, more on CPU load itself later



[Declude.JunkMail] Does this exist in junkmail

2003-08-21 Thread mail-list
Hi,

I'm actually trying to trigger some action on a combination of failed
tests, not only on Weight.

For example, if Weight > 15 and the message fails the Filter.txt test, which is
done against keywords, or a test like Sniffer, we want then to delete the
email or hold it! In other cases the delete action should not be done
below Weight 25 because there is an important risk of false positives!

It's far more interesting to react to a specific combination because
this helps reduce false positives. Imagine a message failed some Declude
test and has a blacklisted keyword; even with a Weight of 3 you may
delete it or reject it in 99.99% of cases without having to worry.

Any idea, or could this be integrated? It may be interesting to have
combinations with logical tests (AND, OR, AND NOT, OR NOT).

Regards
Mehdi Blagui



RE: [Declude.JunkMail] Multi Server Configs

2003-08-21 Thread Tom Baker | Netsmith Inc
Dan,

Declude does not have that kind of power, as it is the IMail SMTP daemon
which accepts the mail and places it into the spool.
After it is in the spool, the Declude queue moves it to the overflow for faster
processing if there are more messages in the spool than IMail can run
smtp-delivery processes for (MaxQueProc). See http://www.declude.com/dq.htm
for more information on how exactly the overflow works.

If you want to reject messages before the SMTP envelope is over, let me
suggest you take a look at 'IMGate' (http://imgate.meiway.com/).  IMGate is
basically a set of configurations for a free Unix OS (Linux or FreeBSD,
www.freebsd.org) with the (free) Postfix MTA (www.postfix.org). Postfix does
have the ability for its SMTP daemon to reject messages during the first
SMTP session based on header and body rules.

Many of the people running Declude also have one of these servers running in
front of their IMail/Declude server to reject such floods. During the start of
the SoBig flood I modified my body checks to reject any message with a .pif
attachment, and modified my header checks to reject any message containing
subject lines of those that the SoBig worm uses.
Yesterday I rejected over 10,000 messages based on these rules.
That's 10,000 messages Declude never had to process because they were
rejected with a 550 code at the SMTP level.

There may be some other suggestions on this list, but I think this is
something worth at least taking a look at.

-Tom

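The kind of end-of-DATA policy Tom describes, refusing a message with a 550 before the backend ever sees it, written in Python as an added example for this page; it is not Postfix, IMGate or any Declude code. The banned extension set is the one Matthew lists later in the thread (scr, bat, pif, com, vbs); the blocked-subject list, the sample message and all function names are constructed placeholders. It also applies the ordering point Matthew makes later: the cheap extension and subject checks run before any antivirus engine would.

```python
import os
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Extensions Matthew lists later in this thread as blocked outright.
BANNED_EXTENSIONS = {".scr", ".bat", ".pif", ".com", ".vbs"}

# Placeholder subject lines (constructed): a real list would hold the subjects
# the current worm is known to use, which this thread does not reproduce.
BLOCKED_SUBJECTS = {"placeholder worm subject 1", "placeholder worm subject 2"}


def attachment_names(msg):
    """Yield every file name a MIME part carries (Content-Disposition or Content-Type name)."""
    for part in msg.walk():
        name = part.get_filename()
        if name:
            yield name


def smtp_policy(raw_message):
    """Decide the reply to give at the end of DATA.

    Returns a 550 line when the message must be refused, else a 250 line.  The
    subject and attachment-extension checks are cheap string work, so they run
    first; a flood of worm mail is rejected before any scanner or the backend
    server spends time on it.
    """
    msg = message_from_bytes(raw_message, policy=default)
    subject = str(msg["subject"] or "").strip().lower()
    if subject in BLOCKED_SUBJECTS:
        return "550 5.7.1 Message refused: blocked subject"
    for name in attachment_names(msg):
        ext = os.path.splitext(name)[1].lower()   # case-insensitive: "SETUP.COM" is still .com
        if ext in BANNED_EXTENSIONS:
            return f"550 5.7.1 Message refused: attachment type {ext} not accepted"
    return "250 2.0.0 Ok: queued"


def build_sample(attachment_name, subject):
    """Construct a test message with one attachment, as raw bytes (what an
    SMTP server holds after DATA).  Payload and addresses are made up."""
    msg = EmailMessage()
    msg["From"] = "someone@example.test"
    msg["To"] = "user@client.example"
    msg["Subject"] = subject
    msg.set_content("Please see the attached file.")
    msg.add_attachment(b"\x00\x01constructed payload", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, subj in [("details.pif", "Re: Details"), ("report.pdf", "Re: Details")]:
        print(name, "->", smtp_policy(build_sample(name, subj)))
```

A 550 at this point leaves the sending host responsible for the message, which is exactly why the overflow folder Dan describes never fills: nothing was accepted.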


RE: [Declude.JunkMail] Does this exist in junkmail

2003-08-21 Thread John Tolmachoff (Lists)
That is not possible at this time with Declude, and has been discussed. Some
other tests may be looking at the ability to do that.

However, while the concept is interesting, your example has the potential to
delete legits.

The reason is that taking action based on blacklisted keywords can be dangerous.
Many keywords that we would like to blacklist can be found in other words.
Another example is the owner of your client sends a message to his brother
explaining that he finally told his son about the birds and the bees. The
body contains a blacklisted word, and the message failed BASE64 because it
came through OWA and had no subject line. You just deleted the owner's
legit message.

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com

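The combination logic Mehdi asks for (AND/OR/NOT over failed tests plus a weight threshold) and John's false-positive scenario, worked through in Python as an added example; Declude has no such feature, as John says, and nothing here is Declude code. Test names such as FILTER, SNIFFER, BASE64 and BADHEADERS are taken from the thread; the rule-tuple format, the weights of the sample messages and the `decide` function are constructed.

```python
# A rule is a nested tuple.  Leaves:  ("TEST", name)   ("WEIGHT_ATLEAST", n)
# Operators:  ("AND", r1, r2, ...)   ("OR", r1, r2, ...)   ("NOT", r)
def evaluate(rule, failed_tests, weight):
    """Evaluate one rule against the set of failed test names and the total weight."""
    op = rule[0]
    if op == "TEST":
        return rule[1] in failed_tests
    if op == "WEIGHT_ATLEAST":
        return weight >= rule[1]
    if op == "AND":
        return all(evaluate(r, failed_tests, weight) for r in rule[1:])
    if op == "OR":
        return any(evaluate(r, failed_tests, weight) for r in rule[1:])
    if op == "NOT":
        return not evaluate(rule[1], failed_tests, weight)
    raise ValueError(f"unknown operator {op!r}")


def decide(rules, failed_tests, weight):
    """Rules are (action, rule) pairs tried in order; the first hit wins."""
    for action, rule in rules:
        if evaluate(rule, failed_tests, weight):
            return action
    return "DELIVER"


# Mehdi's proposal as stated: delete a keyword (FILTER) hit that also failed any
# other test even at a weight of 3, delete on a FILTER or SNIFFER hit once the
# weight is above 15 (integer weights assumed), and delete anything at 25 or more.
PROPOSED = [
    ("DELETE", ("AND", ("TEST", "FILTER"),
                       ("OR", ("TEST", "BASE64"), ("TEST", "BADHEADERS"), ("TEST", "SNIFFER")),
                       ("WEIGHT_ATLEAST", 3))),
    ("DELETE", ("AND", ("WEIGHT_ATLEAST", 16),
                       ("OR", ("TEST", "FILTER"), ("TEST", "SNIFFER")))),
    ("DELETE", ("WEIGHT_ATLEAST", 25)),
    ("HOLD", ("WEIGHT_ATLEAST", 10)),
]

# A more cautious version: the same combinations may HOLD, but DELETE keeps the
# weight floor of 25, because a keyword hit alone is too easy to trigger on legit mail.
CAUTIOUS = [
    ("DELETE", ("WEIGHT_ATLEAST", 25)),
    ("HOLD", ("AND", ("TEST", "FILTER"),
                     ("OR", ("TEST", "BASE64"), ("TEST", "BADHEADERS"), ("TEST", "SNIFFER")))),
    ("HOLD", ("WEIGHT_ATLEAST", 10)),
]

# John's scenario (weight constructed): the owner's legit message contains a
# blacklisted word and failed BASE64 because it came through OWA with no subject.
OWNERS_MESSAGE = ({"FILTER", "BASE64"}, 8)
# Obvious spam (constructed): keyword, Sniffer and header failures, heavy weight.
SPAM = ({"FILTER", "SNIFFER", "BADHEADERS"}, 32)

if __name__ == "__main__":
    for label, (tests, weight) in [("owner", OWNERS_MESSAGE), ("spam", SPAM)]:
        print(label, "proposed:", decide(PROPOSED, tests, weight),
              "cautious:", decide(CAUTIOUS, tests, weight))
```

Run against the two sample messages, the proposed rule set deletes the owner's message while the cautious one only holds it, and both still delete the spam; a hold that a human can reverse is the safer action for any rule whose only evidence is a keyword match.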


[Declude.JunkMail] Daily humor...

2003-08-21 Thread Bill Landry
Check-out this obfuscation technique:  ;-)

-E---y---P---G
-n---o---e---u
-l---u---n---a
-a---r---i---r
-r---s---a
-g---n
-e---t
-e
-e
-d


Bill


Re: [Declude.JunkMail] Multi Server Configs

2003-08-21 Thread Webmaster Oilfield Directory
LOL!  That's peanuts.. try 70,000 ...yes 70,000 per hour and then tell
me about being nailed ... and I didn't have a powerhouse like you...only a
400 MHz P2   in other words 2.5 million in 24 hours.


Sheldon




RE: RE : [Declude.JunkMail] Alligate vs. Message Sniffer...opinions?

2003-08-21 Thread Colbeck, Andrew
 Message sniffer is not so bad as I tested it but have a big problem
 with News letter it has a bif False positive rate with them.

On the home page for MessageSniffer you'll find a Help (QA) section which
is worth your time to read if it's worth your time to implement.

Submit false positives to: [EMAIL PROTECTED]
Submit novel spam to: [EMAIL PROTECTED]

Andrew 8)


RE: RE : [Declude.JunkMail] Alligate vs. Message Sniffer...opinions?

2003-08-21 Thread Pete (Madscientist)
Please forward a copy of the newsletter to me
([EMAIL PROTECTED]) as an attachment and I will adjust the rule
base (if appropriate). This is a service we provide by default to each
subscriber, but we also - in general - code the core rule base to avoid
false positives whenever we hear about them and the choice is widely
applicable.

Your assistance is greatly appreciated.

Thanks,
_M



RE: [Declude.JunkMail] Multi Server Configs

2003-08-21 Thread Colbeck, Andrew
Wow, I thought my increase in messages from 5,800 messages inbound to 10,000
was a lot.

BTW, my old mail server (PII @ 333 MHz, data on a SCSI2 mirror) with the
same volume would regularly run mid-morning (my peak volume) with 30 to
100 messages in the overflow folder.

The new server (PIII @ 1.266, data on a SCSI3 mirror) had zero messages in
the overflow with exactly the same configuration (well, not true; I also put
in a body text filter to hold some of those annoying but misguided
messages from mailservers that are warning us of a virus we didn't send -
caught 1,300 of them by 10pm).

So last night I updated the Declude config to bring up our configuration
from 1.65 to 1.75i2 with most of the tests like PREWHITELIST ON,
SPAMDOMAINS, COMMENTS, SUBJECTSPACES, LONGSUBJECT, NONENGLISH.

I used as my guide, advice on the list and the page:

http://www.declude.com/relnotes.htm

Andrew 8)

p.s. Of everything that was new and/or discussed since the previous release,
SPAMDOMAINS was certainly the toughest nut.


[Declude.JunkMail] Sobig Assault

2003-08-21 Thread Malcolm Kynoch
Hi,

Many of our users are getting plowed by Sobig. Declude and F-Prot do
their job well, but the users' mailboxes are getting clogged with the
notices of detection.  Is there a way to turn off notices for a
particular virus?  For now I've removed the mail templates.

Any ideas?




Re: [Declude.JunkMail] Sobig Assault

2003-08-21 Thread R. Scott Perry

 Many of our users are getting plowed by Sobig. Declude and F-Prot do
 their job well, but the users' mailboxes are getting clogged with the
 notices of detection.  Is there a way to turn off notices for a
 particular virus?  For now I've removed the mail templates.

Add a line SKIPIFVIRUSNAMEHAS Sobig to the \IMail\Declude\*.eml files,
and the notifications will not get sent out for the Sobig virus.  Just make
sure to add *just* that line (don't add any blank lines, and make sure
there is only one space (or tab) in there).

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.



RE: [Declude.JunkMail] Sobig Assault

2003-08-21 Thread Greg Foulks
I've removed my notice .eml template to users... I've found that they really
don't want to see them at all. As far as they are concerned, if it's been
blocked, why should they care?

Greg



Re: [Declude.JunkMail] Multi Server Configs

2003-08-21 Thread Matthew Bramble
We have a little less volume than you do, but it's amazing how
concentrated the messages can be. My personal account which has many
domains pointed at it has not received a single copy of the virus, but
one account on our server has been hit over 500 times in the last 48
hours. We run Declude Virus, but it's only available to about half of
the accounts, JunkMail though has caught everything that gets there.

Here's an important suggestion, although this is virus related (I'm not
on that list). I use the FProt engine, which is nice because most
clients use McAfee or Norton on the desktop, however this virus was
getting blocked by extension exceptions (scr, bat, pif, com and vbs)
for over 36 hours before the virus definitions were updated (checked
every 6 hours). This isn't the first time that has happened either.
The antivirus companies are too slow IMO in getting their updates out
as this has happened repeatedly in the last year. I would therefore
refuse a customer's request to allow any of these extensions
through...but never has a customer refused such a thing, so I even
turned notifications off for banned extensions.

This does tie back into processor utilization though, because before
the definitions were available, the banned extension test was placing
those E-mails in a hold (wish you could have them deleted). The system
seems though to scan the attachments first and then look for
attachments to ban by extension, and that order could be reversed to
save processing power. I assume this because the virus detection is
now catching these files subsequent to the definitions update instead
of the banned extension test doing the dirty work. Any file intensive
operations though benefit greatly from a spanned array, and RAID 5 can
be a better investment than processing power in my experience, and a
simple mirror actually steals a good deal of processing from your
server. We run about 80 Web sites, 50 E-mail domains with virus and
spam blocking, a SQL server with many connected sites, and DNS, but
dual PIII 1 GHz processors, a gig of memory and a 5 disk array keeps
the average processor utilization at around 2% even during this
outbreak, with peaks lower than 50% utilization. I think I overbuilt
the box :)

Matt


Colbeck, Andrew wrote:

  Wow, I thought my increase in messages from 5,800 messages inbound to 10,000
was a lot.

BTW, my old mail server (PII @ 333 MHz, data on a SCSI2 mirror) with the
same volume would regularly run mid-morning (my peak volume) with 30 to
100 messages in the overflow folder.

The new server (PIII @ 1.266, data on a SCSI3 mirror) had zero messages in
the overflow with exactly the same configuration (well, not true; I also put
in a body text filter to hold some of those annoying but misguided
messages from mailservers that are warning us of a virus we didn't send -
caught 1,300 of them by 10pm).

So last night I updated the Declude config to bring up our configuration
from 1.65 to 1.75i2 with most of the tests like PREWHITELIST ON,
SPAMDOMAINS, COMMENTS, SUBJECTSPACES, LONGSUBJECT, NONENGLISH.

I used as my guide, advice on the list and the page:

http://www.declude.com/relnotes.htm

Andrew 8)

p.s. Of everything that was new and/or discussed since the previous release,
SPAMDOMAINS was certainly the toughest nut.

-Original Message-
From: Webmaster Oilfield Directory [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, August 21, 2003 10:10 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Multi Server Configs


LOL!  That's peanuts.. try 70,000 ...yes 70,000 per hour and then tell
me about being nailed ... and I didn't have a powerhouse like you...only a
400 MHz P2.  In other words, 2.5 million in 24 hours.


Sheldon


- Original Message - 
From: "Tom Baker|Netsmith Inc" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, August 21, 2003 6:15 AM
Subject: RE: [Declude.JunkMail] Multi Server Configs


  
  
Dan,

Declude does not have that kind of power as it is the IMAIL SMTP Daemon
which accepts the mail and places it into the spool.
After it is in the spool declude queue moves it to the overflow for faster
processing if there are more messages in the spool than imail can run
smtp-delivery processes for (MaxQueProc). See

http://www.declude.com/dq.htm

for more information on how exactly the overflow works.

If you want to reject messages before the SMTP envelope is over let me
suggest you take a look at 'IMGate' http://imgate.meiway.com/  IMGate is
basically a set of configurations for a free Unix OS (Linux or FreeBSD
www.freebsd.org) with the (free) Postfix MTA (www.postfix.org). Postfix does
have the ability for its SMTP Daemon to reject messages during the first
SMTP session based on header and body rules.

Many of the people running declude also have one of these servers running in
front of our Imail/Declude server to reject such floods. During the start of
the 

Re: [Declude.JunkMail] Multi Server Configs

2003-08-21 Thread R. Scott Perry

We have a little less volume than you do, but it's amazing how 
concentrated the messages can be.  My personal account which has many 
domains pointed at it has not received a single copy of the virus, but one 
account on our server has been hit over 500 times in the last 48 
hours.  We run Declude Virus, but it's only available to about half of the 
accounts, JunkMail though has caught everything that gets there.

FWIW, we see the most hits on E-mail addresses that appear on web
sites.  It seems that is the primary source of E-mail addresses for 
Sobig.  It also explains why msnbc.com's mailservers were down for about 12 
hours yesterday (tons of people go there, and have E-mail addresses in 
their caches).

And, Sobig.F seems to send out many copies of itself to the same addresses 
(I'm sure there are people that are smart enough not to open that wicked 
cool screensaver the first 20 times, but figure it must be safe the 21st 
time...).  We've seen 100s or 1000s of copies sent from one computer to one 
E-mail address.

   -Scott


[Declude.JunkMail] Delete based on specified content

2003-08-21 Thread Peter Lent
Hi All,

Can I use Junkmail to delete incoming emails that are bounces from
Postmaster, etc?

THANKS

Peter


RE: [Declude.JunkMail] Delete based on specified content

2003-08-21 Thread Colbeck, Andrew
Well, you shouldn't... here is a cleaned up version of the JunkMail Pro
filter file I started using last night.

My global.cfg has:

BADNOTIFY filter D:\IMail\Declude\BadNotify.txt x 0 0

and

BADNOTIFY HOLD

If you want BADNOTIFY to show up in your Total weight = lines in your
decMMDD.log file, don't make the triggered weight equal zero.

Andrew 8)

-Original Message-
From: Peter Lent [mailto:[EMAIL PROTECTED] 
Sent: Thursday, August 21, 2003 11:25 AM
To: '[EMAIL PROTECTED]'
Subject: [Declude.JunkMail] Delete based on specified content


Hi All,

Can I use Junkmail to delete incoming emails that are bounces from
Postmaster, etc?

THANKS

Peter

#Use this file to hold any messages that contain VIRAL text you know you want to
#filter on regardless of the other tests or weights.  The weight is 0
#because our action is going to be HOLD, not WARN.
#
#Each line begins with a comment like this or is in the format:
#
#location weight filtertype filtertext
#
#location can be: BODY HEADERS HELO MAILFROM REMOTEIP REVDNS or SUBJECT
#
#weight can be a positive or negative number to add to the total weight
#
#filtertype can be: CONTAINS STARTSWITH ENDSWITH or IS
#
#filtertext is the case insensitive text you want to match
#
#e.g.
#
#HELO 8 CONTAINS $domain
#SUBJECT 3 CONTAINS enlarge
#MAILFROM 3 STARTSWITH $success$@

#Aug-20-2003 AC Dumb ass Internet virus scanners that believe the spoofed sender
#   in viral e-mails.  We don't need their bogus warnings.
SUBJECT 0 STARTSWITH Antigen found VIRUS= 
SUBJECT 0 STARTSWITH ScanMail Message: To 
SUBJECT 0 STARTSWITH Disallowed attachment type found in sent message
SUBJECT 0 IS Mail status report

BODY 0 CONTAINS destination server said: Message rejected due to possible virus
BODY 0 CONTAINS Our virus detector has just been triggered by a message you sent:
BODY 0 CONTAINS The virus detector said this about the message:
BODY 0 CONTAINS Antigen for Exchange removed
BODY 0 CONTAINS was found to match the FILE FILTER= *.pif file filter
BODY 0 CONTAINS was found to match the FILE FILTER= *.exe file filter



RE: [Declude.JunkMail] Sobig Assault

2003-08-21 Thread Matt Robertson
Greg wrote:
I've found that they really don't want to see them at all. 

I get that a lot myself.  However the notices also tell them my
value-added service is diligently doing its job.  If I don't remind them
why they're paying me, they might forget :D

With that said, enough is enough.  Skipifvirusnamehas went in for sobig
midday yesterday.


 Matt Robertson   [EMAIL PROTECTED] 
 MSB Designs, Inc.  http://mysecretbase.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Greg Foulks
Sent: Thursday, August 21, 2003 10:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Sobig Assault


I've removed my notice .eml template to users... 

Greg

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Malcolm Kynoch
Sent: Thursday, August 21, 2003 1:12 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Sobig Assault


Hi,

Many of our users are getting plowed by Sobig. Declude and Fprot do
their job well, but the users' mailboxes are getting clogged with the
notices of detection.  Is there a way to turn off notices for a
particular virus?  For now I've removed the mail templates.

Any ideas?




Re: [Declude.JunkMail] Delete based on specified content

2003-08-21 Thread R. Scott Perry

Can I use Junkmail to delete incoming emails that are bounces from
Postmaster, etc?

Actually, to do that, you can use the IMail SMTP Refuse NULL Senders 
option (which has the added benefit that it will not use up bandwidth for 
the bounce message).  But it is not recommended -- doing so will make your 
mailserver non-RFC-compliant, and will prevent you from receiving any 
bounce messages, delivery status notifications, etc.

   -Scott


Re: [Declude.JunkMail] Delete based on specified content

2003-08-21 Thread Matthew Bramble
Here's what I do.  I send outside notifications by way of 
[EMAIL PROTECTED], and then I use IMail rules to delete any 
replies.  The text of the message says to reply to our postmaster 
address and that replies to bouncer will be automatically deleted.  The 
rule.ima file takes care of it with the following line:

   [EMAIL PROTECTED]:NUL

E-mail administrators seem to figure this out, and it keeps me honest to 
the RFC.

Peter Lent wrote:

Hi All,

Can I use Junkmail to delete incoming emails that are bounces from
Postmaster, etc?
THANKS

Peter

--
===
Matthew S. Bramble
President and Technical Coordinator
iGaia Incorporated, Operator of NYcars.com
---
Office Phone: (518) 862-9042
Cellular: (518) 229-3375
Fax: (518) 862-9044
E-mail: [EMAIL PROTECTED] or [EMAIL PROTECTED]
===


RE: [Declude.JunkMail] Daily humor.../ obfuscation techniques

2003-08-21 Thread George Kulman
Rusty,

Since they're all trying to get your money, they always have a URL or phone
number, possibly obfuscated, which you can block with a filter if you have
the PRO Version.  I think that this is my fastest growing filter file.

George

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Rusty
 Sent: Thursday, August 21, 2003 7:29 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.JunkMail] Daily humor.../ obfuscation techniques
 
 
 How about this:
 
 W<!--9355qlucdaaj1r-->e ca<!--f82i0s3gi8-->n he<!--bq9mouyeg00-->lp!
 W<!--xw2caw20blq-->e c<!--ayad78v6wy622-->an
 conso<!--n9yzt03rfbczu-->lidate
 
 The entire message was coded like this as HTML, so when the user
 received it, all the comment tags were not shown.
 
 rusty
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
 Sent: Thursday, August 21, 2003 11:46 AM
 To: [EMAIL PROTECTED]
 Subject: [Declude.JunkMail] Daily humor...
 
 Check-out this obfuscation technique:  ;-)
 
 -E---y---P---G
 -n---o---e---u
 -l---u---n---a
 -a---r---i---r
 -r---s---a
 -g---n
 -e---t
 -e
 -e
 -d
 
 
 Bill
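The filter-file grammar Andrew documents at the top of his BadNotify.txt (location weight filtertype filtertext) and the HTML-comment trick Rusty quotes call for the same piece of code, so here is one added example that is neither Declude's code nor anything posted in the thread: a small evaluator for such filter lines that strips HTML comments before matching, so the filter sees the text the recipient sees. The rule lines and both sample messages are constructed, and the comment-stripping step is this example's own normalisation; the thread does not say how Declude itself treats HTML.

```python
"""Declude JunkMail-style filter-file evaluator.  Added example, not Declude's code:
grammar from Andrew Colbeck's BadNotify.txt header in this thread ('location weight
filtertype filtertext', case-insensitive); HTML-comment stripping is this example's own."""
import re
LOCATIONS = {"BODY", "HEADERS", "HELO", "MAILFROM", "REMOTEIP", "REVDNS", "SUBJECT"}
FILTER_TYPES = {"CONTAINS", "STARTSWITH", "ENDSWITH", "IS"}
HTML_COMMENT = re.compile(r"<!--.*?-->", re.DOTALL)


def parse_filter_file(text: str) -> list:
    """Parse '# comment' and 'location weight filtertype filtertext' lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)  # filtertext itself may contain spaces
        if len(parts) != 4 or parts[0] not in LOCATIONS or parts[2] not in FILTER_TYPES:
            raise ValueError(f"malformed filter line: {raw!r}")
        rules.append((parts[0], int(parts[1]), parts[2], parts[3]))
    return rules


def strip_html_comments(text: str) -> str:
    """'W<!--x-->e ca<!--y-->n' renders as 'We can'; match what the reader sees."""
    return HTML_COMMENT.sub("", text)


def field_matches(ftype: str, field: str, needle: str) -> bool:
    f, n = field.lower(), needle.lower()
    return {"CONTAINS": n in f, "STARTSWITH": f.startswith(n),
            "ENDSWITH": f.endswith(n), "IS": f == n}[ftype]


def evaluate(rules: list, message: dict, normalise_html: bool = True) -> tuple:
    """Return (weight added, rule lines hit); a zero-weight hit still fires the test."""
    total, hits = 0, []
    for location, weight, ftype, ftext in rules:
        field = message.get(location, "")
        if normalise_html:
            field = strip_html_comments(field)
        if field_matches(ftype, field, ftext):
            total += weight
            hits.append(f"{location} {weight} {ftype} {ftext}")
    return total, hits


# Two rule lines taken from Andrew's BadNotify.txt plus one constructed spam rule.
RULES = parse_filter_file("""
#comment lines are ignored, as in Andrew's file
SUBJECT 0 STARTSWITH Antigen found VIRUS=
BODY 0 CONTAINS Antigen for Exchange removed
BODY 5 CONTAINS we can help
""")
# Constructed samples: a spoofed-sender virus notice, and Rusty's obfuscated
# HTML with the angle brackets the archive stripped put back.
BOGUS_WARNING = {"SUBJECT": "Antigen found VIRUS= Sobig.F", "BODY": "Antigen for Exchange removed the attachment."}
OBFUSCATED = {"SUBJECT": "Daily humor", "BODY": "W<!--9355qlucdaaj1r-->e ca<!--f82i0s3gi8-->n he<!--bq9mouyeg00-->lp!"}
```

With zero weights the bogus warning still produces two hits, which is why Andrew's HOLD action works without adding weight; the obfuscated body matches only after the comments are stripped.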