Hi;
The FTP address is not bogus :)
I asked that you replace XYZ with the domain in my email:
ClickandPledge.com
We had this problem before where the search engines picked up our previous
location and our company was getting indexed with some interesting words.
Then we started getting complaint
We have monitored the results for this test for a long time. We have not
seen a single FP.
We now hold on that test.
Regards,
Kami
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich
Sent: Sunday, June 15, 2003 8:51 PM
To: [EMAIL PROTECTED]
Subject: [D
Hi all,
Over the weekend I've configured the following ip4r-tests from Bill.B's
config file that we haven't used until now.
These are the results after 10 hours (4 hours business time). In this time
we've caught around 300 spam messages.
BLITZEDALL ip4r opm.blitzed.org * 3 0
95 positive test
We give for this test a weight of 55 points and hold on 100.
FP's occur if a client uses a sender-domain listed in the
spamdomains-file but uses another smtp-server (from his ISP) to send out
legit messages.
Another case: A message sent from a web form with the sender-address
inserted by the visit
Rifat,
What software are you using to do the tarpitting? Are you running it on the same
server as IMail, or on a separate box?
Bill
-Original Message-
From: "Rifat Levis"
Sent: Mon, 16 Jun 2003 02:01:45 +0300
Subject: [Declude.JunkMail] DSN:Tarpitting and declude firewall integration
Hi Bill,
I wrote a small VB program.
--
Here is more details about the system.
I am using the KIWI syslog server software to send the logs to the SQL
You can specify in IMAIL syslogs server ip address .(IF you run KIWI on the
same machine ,you have to stop IMAIL
Thanks for the valuable info
Are all the tests below free and can be used by all of us?
And, if yes, why weren't they included in the default global.cfg?
EASYNET-PROXIES ip4r proxies.blackholes.easynet.nl * 2 0
BLITZEDALL ip4r opm.blitzed.org
Sorry to burst your bubble, but that's not a tarpit.
You have a dynamic IP blocker. Tarpitting doesn't block, it slows the
attack down, consuming more of their resources, and making their connection
seem like it is stuck in a pit of tar (hence the name)
Jason
- Original Message -
From
Cool. We've been playing around with a few methods of tarpitting. Check out TarProxy
by Marty Lamb (http://www.martiansoftware.com/tarproxy/)... this tool seems to have
a lot of promise. It allows you to hook into each stage of the SMTP session and apply
incremental delays or drop the connecti
I got this one in the JM hold batch from over the weekend. I think I'm going
to print it out and post it on my tackboard to remind me that resistance is
futile.
Received: from ms3.hihosting.hinet.net [210.71.181.143] by mail.mydomain.com
with ESMTP
(SMTPD32-6.05) id A2A1570B00FA; Fri, 13 Jun 2
Tarpitting can't be integrated with Declude because Declude does not answer
the client SMTP connection, IMail does (SMTPD). Only after IMail has
received the message does it get delivered to Declude. So, any tarpitting
would have to be integrated with IMail, not Declude (or be run on a mail
gatew
Monday, June 16, 2003 you wrote:
BB> Cool. We've been playing around with a few methods of
BB> tarpitting. Check out TarProxy by Marty Lamb
BB> (http://www.martiansoftware.com/tarproxy/)... this tool seems
BB> to have a lot of promise. It allows you to hook into each
BB> stage of the SMTP session
> (or be run on a mail gateway that sits in front of the IMail/Declude server).
That's what TarProxy sort of does. TarProxy accepts the inbound SMTP connections and
relays them to a backend SMTP host (imail's smtpd). What I'm saying would be great,
is if TarProxy could call "Declude-like" test
At the moment we're running hourly a scheduled vb-script that filters
out any error lines of the imail logfile and sends it via email to the
postmaster
For example:
==
FROM TO
[EMAIL PROTECTED] [EMAIL PROTECTED]
[EMAIL PRO
Bill,
Monday, June 16, 2003 you wrote:
BB> That's what TarProxy sort of does. TarProxy accepts the
BB> inbound SMTP connections and relays them to a backend SMTP
BB> host (imail's smtpd). What I'm saying would be great, is if
BB> TarProxy could call "Declude-like" tests during the SMTP
BB> sessio
I think Scott only included some of the more reliable ip4r tests in the
default JunkMail config file. You can find a listing of lots of available
tests on the Declude web site (www.declude.com/Junkmail/support/ip4r.htm),
and you will see in the test descriptions that most are freely available to
e
I am trying to explain what I did in a simple way.
In fact
On my firewall I am not really blocking but reducing the bandwidth for the
specified IP address
to 33.6 Kb/sec like a dial-up connection speed.
So my server spends more CPU time on real users than spammers.
This is tarpitting.
I have a
Markus,
I already started doing this, but the problem here is that when you have a
dynamic IP list
You cannot change it on IMAIL on the fly
You have to stop and restart the SMTP services
That's why I am using a firewall here.
Rifat
- Original Message -
From: "Markus Gufler" <[EMAIL P
If I end up with a negative wait, how do I configure to ignore and pass
e-mail along. Is the following correct?
Global.cfg
NEGWEIGHT weightrange x x 0 -100
Default.JunkMail
NEGWEIGHT IGNORE
Thanks.
-Don
---
[This E-mail was scanned for viruses by Declude Vi
This approach is a bit different than IMGate because it creates a dynamic tarpit,
based on the "spamminess" of the email. The more tests it fails, the slower the
connection gets...IN REAL TIME! That's the cool part. From what I understand, IMGate
can only drop the connection...it cannot slow
Bill,
Monday, June 16, 2003 you wrote:
BB> The more tests it fails, the
BB> slower the connection gets...IN REAL TIME!
I see now, thanks for the reply.
XMAIL has a setting like this with its CustMapsList and its
SMTP-RDNSCheck. I've used both but I didn't find it very useful.
In CustMapsList
If I end up with a negative wait, how do I configure to ignore and pass
e-mail along.
You don't need to do anything.
The way the weighting system works, you decide what weight ranges to use to
detect spam. For example, some people have it set up to HOLD E-mail based
on the WEIGHT10 test (a wei
All of those tests are free. The ones you list have just been added to the
default configuration files, except for IPWHOIS (which has a lot of false
positives in our testing) and SORBS (which we do not have enough
information about yet).
-Scott
At 08:50 AM 6/16/2003
Scott, FWIW, I have had very good success with the ip4r test:
ipwhois.rfc-ignorant.org
but found lots of FP with the domain based test:
whois.rfc-ignorant.org
So I don't use that whois test any more. However, this has not been your
experience?
Bill
- Original Message -
From:
Thanks for reply and yes this is how I use weights, but what I failed to mention is
that I end up with a negative value often (i.e. -7, -1, etc.) depending on certain
mail and it gets held. You are saying it should not get held. OK I must have a hold on
a certain test that is failing even though
I was thinking of doing something similar to this using a local black
list and a gateway server capable of 550'ing on RBLs (I use XMail as a
gateway). My DNS server can be dynamically updated through several
means. I can also use XMail to slow down server responses to addresses
in response to a RB
As the subject states, is DNSstuff still having problems? Seems every time I
try a lookup I get a "Page cannot be displayed" error. Once in a while it
works, super-fast in fact, but seems more often than not it's down.
Just seeing what's going on.
Paul
---
[This E-mail scanned for viruses by De
Charles,
Monday, June 16, 2003 you wrote:
CF> I can also use XMail to slow down server responses to addresses
CF> in response to a RBL
Are you using the RDNS test in XMAIL?
I felt like the time to check delayed the dialogue too long.
Terry Fritts
---
[This E-mail was scanned for
I'm really not using any of its blocking features right now. I have it
set up as an outgoing gateway to take the delivery woes away from Imail.
But I have been investigating the different features, just been time
crunched lately (still need badly to revisit my Declude settings, getting
way out of d
It looks like these headers tell me to add:
attbi..comcomcast.net
to the sd.txt file.
Received: from Hyperion.tenforward.com [65.161.10.61] by tenforward.com with
ESMTP
(SMTPD32-7.15) id A15AE91F00FC; Mon, 16 Jun 2003 10:41:46 -0700
Received: from sccrmhc13.attbi.com (unknown [204.127.202.
Is there a way to put a copy of the string that matched the filter test into
the headers?
thanks
Harry Vanderzand
inTown Internet & Computer Services
11 Belmont Ave. W.
Kitchener, ON
N2M 1L2
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail c
As the subject states, is DNSstuff still having problems? Seems every time I
try a lookup I get a "Page cannot be displayed" error. Once in a while it
works, super-fast in fact, but seems more often than not it's down.
If you try re-loading the page it should work.
There is an issue with the new
Is there a way to put a copy of the string that matched the filter test into
the headers?
Unfortunately, there isn't right now, but that is something we hope to add
to a future release.
-Scott
---
Declude JunkMail: The advanced anti-spam solutio
Yep, it does indeed look that way. I believe customers are being required to
change their e-mail address from @attbi.com to @comcast.com, but until the
migration is complete, I think you are correct to set it up this way in your
SD file.
Bill
- Original Message -
From: "Sheldon Koehler"
Is there any way for us to be able to use the X-Spam-Prob tag as weighting? As
I understand it, the only way to use this field today is to add an IMail rule to
separate / delete the mail?
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from t
Is there any way for us to be able to use the X-Spam-Prob tag as
weighting? As
I understand it, the only way to use this field today is to add an IMail rule to
separate / delete the mail?
That's correct -- we are planning to add a test that will be based on the
information in that header.
No, the X-Spam-Prob tag is a header added by Declude JunkMail and is an
experimental feature that Declude is working on.
You are probably talking about the statistical content filtering supported
by the latest release of IMail (v8.0), which can add the following header if
spam is detected:
X-
I am noticing that often the messages I send to the Declude lists are
pending in our Exchange server queue. They are easy to spot because they
are the only messages in the queue. If I force several retries, they will
eventually get delivered, but it can take many attempts at times.
Is anyone else
Hi all,
Sorry about the subject being so generic but I was not sure how to call the
following. I have been seeing the following in the headers of some email:
Received: from 216.220.106.24 [218.151.108.224] by mail.heliosfunds.com
The first IP is the IP of the mail server. I am not sure how to
You can set up a filter to add a weight for that IP specifically:
HELO 10 CONTAINS 216.220.106.24
Or you could set up a filter to add a weight to any email that uses an IP as its HELO:
HELO 10 ENDSWITH 0
HELO 10 ENDSWITH 1
HELO 10 ENDSWITH 2
HELO 10 ENDSWITH 3
HELO 10 ENDSWITH
> I already started doing this, but the problem here is that
> when you have a dynamic IP list You cannot change it on
> IMAIL on the fly You have to stop and restart the SMTP
> services That's why I am using a firewall here.
:-|
Hmmm, I understand.
Far from being realtime-friendly...
Markus
Note, that for internal email, the IP address used in SPAMDOMAINS is the
email address of the sender. So, for us, that gets translated to our ISP's
name, as only the mail server has rDNS set up (we trap on our own mail
server address in spamdomains, as that was being faked by quite a bit of
email
Markus,
Do you have a firewall or a similar device in front of your mail server?
While I am preparing Declude weights and firewall blocking, I can have a
look for information
about your device also.
Let me know
I am really sorry for my BAD English ,
This is my 3rd language ,
It can lead to lot
> Mike,
> Bill B. & Sheldon both posted their lists earlier this week (5/13), if
you
> don't have them let me know and I'll post a link so you can download them.
As soon as I have the time, I will be setting up a web page that everyone
could then use. Even use it in a batch file to obtain weekly
Scott, FWIW, I have had very good success with the ip4r test:
ipwhois.rfc-ignorant.org
but found lots of FP with the domain based test:
whois.rfc-ignorant.org
So I don't use that whois test any more. However, this has not been your
experience?
I just ran the calculations here, and the
But, this would also subtract weight from emails that didn't fail
spamdomains. FWIW, we ADD a small amount of weight to most of these, rather
than subtract.
Karen
> -Original Message-
> From: Bill Landry
>
> A better way to do this is to setup a RDNS Filter and add a
> negative weight
> f
> I posted both of their lists here.
>
> http://downloads.wpa.net/billb_sd.zip
> http://downloads.wpa.net/sheldons_sd.zip
>
> Both lists current as of 6/13/2003
Of course, I see this after I just responded to the other post. Frederick,
if you are going to maintain this, then I need not bother, c
> I decided against notifying the recipient for Vulnerabilities.
Apparently,
> vulnerabilities are essentially spam - and notifying the recipient would
> mean that they end up getting an unwanted message after all.
In my experience, that is true 98% of the time. That 2% percent though can
cause pr
Note, that for internal email, the IP address used in SPAMDOMAINS is the
email address of the sender. So, for us, that gets translated to our ISP's
name, as only the mail server has rDNS set up (we trap on our own mail
server address in spamdomains, as that was being faked by quite a bit of
email
> ... While I am preparing Declude weights and
> firewall blocking, I can have a look for information about
> your device also.
Looks like there is a command line interface. I will ask the support and
you will hear from me.
> I am really sorry for my BAD English ,
> This is my 3rd language ,
Hello, All,
One of our techs put in a new server last week running Exchange 2000 and did
not secure it from being an open relay. Today I discovered about 18,000
messages on our outgoing message queue. Apparently someone found the relay
on Sunday morning. I removed the messages and then disabled
What is the IP address?
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> [EMAIL PROTECTED] On Behalf Of Dan Geiser
> Sent: Monday, June 16, 2003 4:57 PM
> To: Declude JunkMai
Has anyone else built a front end for JM, so the end user (in our case our
ISP customers) can configure certain aspects of Declude JM?
What we have in mind is to charge each subscriber for using JM, and also to
give some control over the actions, i.e. let them choose between IGNORE,
WARN, SUBJECT,
There has been some discussion on this issue, both for admin and end user.
There is/are some project(s) under way to address this.
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMa
54 matches