RE: [Declude.JunkMail] Block on HELO

2004-03-17 Thread Lyndon Eaton
I've seen a few spams that use the IP address of my server (the
receiving server) as their HELO:

Received: from 194.164.103.70 [219.128.180.36] by mail.uksubnet.net
  (SMTPD32-6.06) id AB451525028C; Wed, 17 Mar 2004 04:59:49 +

194.164.103.70 is my IP address, they use it, but are really in this
case 219.128.180.36.

Is there any way I can use Declude to block this?

Thanks!
Lyndon.



Email checked by UKsubnet anti-virus service
To prevent email abuse  block spam
contact [EMAIL PROTECTED]
Tel: +44(0)8712360301 Web: www.uksubnet.net
Fax: +44(0)8712360300

Powered by UKsubnet Internet Service Provider
Business to Business Internet (ISP)


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


Re: [Declude.JunkMail] Block on HELO

2004-03-17 Thread Heinrich Richter
Hi Lyndon,

I have set up a test for this in my global.cfg and give them a high weight:

HELOTEST filter E:\DECLUDE\helotest.txt x 0 0


HELO 35 IS my.ip.ad.dr

Heinrich




RE: [Declude.JunkMail] Block on HELO

2004-03-17 Thread Kevin Bilbee
While you are at it you will also see many spoofs of your domain name

I would also suggest adding

HELO xx IS mydomainname

Kevin Bilbee



[Declude.JunkMail] Force resend and rescan of a message that was held?

2004-03-17 Thread McCool, Scott

We made a mistake with our junkmail configuration that resulted in too
many false positives.  We don't delete anything, but HOLD at weight15.

What we'd like to do is take everything from the past few days in the
spam/ folder, drop it back into the imail queue, and have it rescanned
according to our corrected rules, then resent if it passes (and re-held
if it fails).

From testing so far, it appears Declude won't rescan a message.  I've
tried deleting the headers from the D* file before putting it back in
the queue to no avail.  If I set the declude log level to HIGH I see
Passing to SMTP1 for that message ID, so it at least appears that
declude sees the message again.

How can I have messages rescanned?



--
Scott McCool
Systems Administrator
Darden Information Services
--




Re: [Declude.JunkMail] Force resend and rescan of a message that was held?

2004-03-17 Thread R. Scott Perry

 From testing so far, it appears Declude won't rescan a message.  I've
 tried deleting the headers from the D* file before putting it back in
 the queue to no avail.  If I set the declude log level to HIGH I see
 Passing to SMTP1 for that message ID, so it at least appears that
 declude sees the message again.

 How can I have messages rescanned?

Declude JunkMail will automatically skip over E-mails that are in the
spool, since they have already been scanned.

If you want to have Declude scan them again, it would get a bit 
tricky.  You would need to call Declude for each E-mail, but do so before 
IMail delivered it.  So you might try copying batches of perhaps 10-20 
E-mails back to the spool, call Declude for each one (C:\IMail\Declude.exe 
C:\IMail\spool\Q1234567.SMD), wait until they are processed, and 
repeat.  I'm not sure of an easy automated way to do this.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.



RE: [Declude.JunkMail] Block on HELO

2004-03-17 Thread Lyndon Eaton
 While you are at it you will also see many spoofs of your domain name
 
 I would also suggest adding
 
 HELO xx IS mydomainname
 
 Kevin Bilbee

Good thinking, thanks.





RE: [Declude.JunkMail] Force resend and rescan of a message that was held?

2004-03-17 Thread McCool, Scott

Scott (and anyone else who might have to do this in the future),

Thank you for the quick response.  What we ended up doing was the
following:

-Move the last couple days of possibly affected messages back to
d:\imail\spool from d:\imail\spool\spam
-Create a short batch script, whose main line was:
@for %%? in (d:\imail\spool\q*.smd) do call d:\imail\declude.exe %%?  rescan_spam.txt
-Run this script, observe that messages which no longer fail WEIGHT15
are sent out properly and messages which fail WEIGHT15 still are moved
back to d:\imail\spool\spam.

This has seemed to work well on a small batch of test messages, so we'll
likely rescan the bulk of the mail shortly (I want to do a little more
testing)

Thank you again for the prompt & helpful response!

-Scott






Re: [Declude.JunkMail] Comcast Update

2004-03-17 Thread Matt




Dave Doherty wrote:

  
  
  
  
  Hi Matt-

  click... click... click...

  So here we go again. The old broken record.

  If Comcast and RoadRunner blocked port 25, they would be down many
  millions of messages per day.


I've said this before, and I'll say it again. Blocking port 25 will
not stop zombies.
1) There are hundreds of thousands of zombies out there that
can be used at any time, some of them servers. Blocking port 25 will
only limit the number of potential relays, but there are more than
enough to go around. I would much rather prefer to score a DUL hit on
a Comcast zombie than face a legitimate mail server that had been
compromised.
  
2) Spammers are now increasingly relaying from zombies through their
ISP's mail server in order to avoid DNSBL hits. The net result is that
legitimate servers are now getting SpamCopped all over the place, and
this spam is scoring much lower or even getting through many filtering
systems. If you block port 25, you will only compel the rate of
relaying through legitimate mail servers to increase. In order for
this to go undetected, they will also relay in smaller numbers, making
them less likely to be found out by the ISP, and tagged by a DNSBL.


I truly believe that not only would blocking port 25 be limiting to
third-party mail providers like myself, and in effect trying to hit a
nail with a sledgehammer, it also has the potential of making the
problem much worse.

These are valid points that I have brought up about three times now and
I think you should consider them just like I have considered your
stance on this issue.

Matt






-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=




Re: [Declude.JunkMail] Block on HELO

2004-03-17 Thread Matt




If you do this, you must exclude Netscape/Mozilla clients from this
check. Those clients will use the domain name of the sender as the
HELO.

Matt







RE: [Declude.JunkMail] Block on HELO

2004-03-17 Thread Kevin Bilbee



Use WHITELIST AUTH on IMail 8.x but you are correct if you are on an
earlier IMail version.


Kevin Bilbee



Re: [Declude.JunkMail] Comcast Update

2004-03-17 Thread Gerald V. Livingston II
On Wed, 17 Mar 2004 14:09:56 -0500 
Matt said something about Re: [Declude.JunkMail] Comcast Update:

 Dave Doherty wrote:
 
  Hi Matt-
   
  click... click... click...
   
  So here we go again. The old broken record.
   
  If Comcast and RoadRunner blocked port 25, they would be down many 
  millions of messages per day.
 
 
 I've said this before, and I'll say it again.  Blocking port 25 will not 
 stop zombies.
 
 1) There are hundreds of thousands of zombies out there that can be
 used at any time, some of them servers.  Blocking port 25 will only
 limit the number of potential relays, but there are more than enough
 to go around.  I would much rather prefer to score a DUL hit on a
 Comcast zombie than face a legitimate mail server that had been
 compromised.
 
 2) Spammers are now increasingly relaying from zombies through their
 ISP's mail server in order to avoid DNSBL hits.  The net result is
 that legitimate servers are now getting SpamCopped all over the
 place, and this spam is scoring much lower or even getting through
 many filtering systems.  If you block port 25, you will only compel
 the rate of relaying through legitimate mail servers to increase. 
 In order for this to go undetected, they will also relay in smaller
 numbers, making them less likely to be found out by the ISP, and
 tagged by a DNSBL.
 
 
 I truly believe that not only would blocking port 25 be limiting to 
 third-party mail providers like myself, and in effect trying to hit a 
 nail with a sledgehammer, it also has the potential of making the 
 problem much worse.
 
 These are valid points that I have brought up about three times now and 
 I think you should consider them just like I have considered your stance 
 on this issue.
 
 Matt

Block port 25 *AND* *REQUIRE* SMTP AUTH. Zombies using their own SMTP
engines won't have the AUTH credentials to successfully relay through the
ISP SMTP server. Those that use the client's SMTP delivery agent to relay
will allow very fast tracking of the infected machine based on AUTH entries.

That's the way we're set up and the only problem is that our customers can
spread viruses to other users in our domain because IMail doesn't require
AUTH to deliver from one local address to another.

My logs are full of "auth error" ... "- not in database" errors. Worms and
zombies using their own SMTP engines trying to send outside our domain with
no AUTH info. As soon as our radius geek cleans up the reports I'll be able
to start tracking by IP/login time and informing those customers (after
setting up some non-official sounding address to do it with because the
latest Bagle outbreak has jaded my customers to the "standard" support
addresses). Right now I have to dig in the database by hand and as the
resident mail geek I have too much on my plate to be trying to generate
clean SQL Queries to figure out who IP xx.xx.xx.xx at 17:23 two Sundays ago.

And we HAVE cut service to zombie infected users when we get reports on
them. We turn them off to prompt them to call in. We tell them their
account has been flagged as having sent spam and if they aren't doing it
intentionally they are probably zombie infected and should have their
machine checked out. When they assure us they've had that done we turn them
back on -- and watch them for a few days. If it starts again we close the
account permanently and explain that they need to find a local user-group
or computer professional to assist them with protecting their system -- and
they need to find another ISP.

Yes, for third party mail providers it's going to be a pain in the rear. If
there's some reason your customers absolutely must be able to send mail out
through your SMTP server rather than through that of their ISP then you'll
have to set up a gateway SMTP daemon for them using an unprivileged port.
I'd suggest using something other than the ever popular 2525 because worm
writers are gonna catch on to that some day. A very low end machine (old
pentium with a small drive) should be able to handle thousands of users if
it's only doing accept and forward work.

Yes, it's a lot of work. But we, as mail administrators, can stop most of
the virus/worm proliferation if we institute policies that require
TRACKABLE authentication for every smtp transaction from an end user. It
has to be done at the ISP---USER point to allow continued free flow of
SMTP traffic from ISP---ISP. If all legitimate ISP's were to institute
such policies then the only spam/worms being proliferated would be from
those who wanted to allow such activity. Pretty easy to block that using
DNSBL.

Gerald

-- 
Gerald V. Livingston II

Configure your Email to send TEXT ONLY -- See the following page:
http://expita.com/nomime.html
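
One way to answer the "who had IP xx.xx.xx.xx at 17:23" question described above, as an added Python example that is not from the original post: it attributes SMTP auth failures to accounts by matching each failure's IP and time against RADIUS accounting sessions. The log layout, session rows, account names and addresses are all constructed for illustration.

```python
import bisect
import re
from collections import Counter, defaultdict
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed log layout: "<date> <time> <client IP> <message>"
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r".*auth error.*not in database"
)

# Constructed RADIUS accounting rows:
# (login, assigned IP, session start, session stop or None if still online)
RADIUS_SESSIONS = [
    ("cust-alpha", "198.51.100.23", "2004-03-07 16:02:11", "2004-03-07 18:40:00"),
    ("cust-bravo", "198.51.100.23", "2004-03-07 19:05:30", "2004-03-08 01:12:09"),
    ("cust-charlie", "198.51.100.77", "2004-03-07 09:00:00", None),
]

# Constructed mail log excerpt
MAIL_LOG = """\
2004-03-07 17:23:05 198.51.100.23 auth error (constructed-user) - not in database
2004-03-07 17:23:09 198.51.100.23 auth error (constructed-user) - not in database
2004-03-07 18:55:00 198.51.100.23 auth error (constructed-user) - not in database
2004-03-07 20:10:44 198.51.100.23 auth error (constructed-user) - not in database
2004-03-07 20:11:02 198.51.100.77 auth error (constructed-user) - not in database
2004-03-07 20:12:00 198.51.100.77 message accepted for delivery
"""


def build_index(sessions):
    """Group sessions by IP, sorted by start time, so lookups can bisect."""
    index = defaultdict(list)
    for login, ip, start, stop in sessions:
        index[ip].append((
            datetime.strptime(start, FMT),
            datetime.strptime(stop, FMT) if stop else None,
            login,
        ))
    for rows in index.values():
        rows.sort(key=lambda row: row[0])
    return index


def who_had_ip(index, ip, when):
    """Return the login holding `ip` at `when`, or None if no session covers it."""
    rows = index.get(ip, [])
    starts = [row[0] for row in rows]
    pos = bisect.bisect_right(starts, when) - 1   # last session started <= when
    if pos < 0:
        return None
    _start, stop, login = rows[pos]
    if stop is None or when <= stop:              # open session or still inside it
        return login
    return None                                   # IP was unassigned at that moment


def attribute_failures(log_text, index):
    """Count auth failures per account; failures with no session are 'unattributed'."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AUTH_FAIL_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group("ts"), FMT)
        counts[who_had_ip(index, m.group("ip"), when) or "unattributed"] += 1
    return counts


if __name__ == "__main__":
    report = attribute_failures(MAIL_LOG, build_index(RADIUS_SESSIONS))
    for login, n in report.most_common():
        print(f"{login:<14} {n}")
```

The same dynamic address maps to two different accounts within one evening here, which is why the lookup has to use the session interval and not the IP alone.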



Re: [Declude.JunkMail] Block on HELO

2004-03-17 Thread Matt




That doesn't cover it all.

If you have a client that say for instance is being blocked on port 25,
they may have Netscape configured with their E-mail address from your
server, but they would be using the SMTP server of their ISP. The HELO
is often passed intact from the client to the destination.

Search the archives for FORGEDHELO-FQDN for this filter.

http://www.mail-archive.com/cgi-bin/htsearch?config=declude_junkmail_declude_comrestrict=exclude=words=FORGEDHELO-FQDN

Matt







RE: [Declude.JunkMail] Block on HELO

2004-03-17 Thread Lyndon Eaton
 If you have a client that say for instance is being blocked 
 on port 25, they may have Netscape configured with their 
 E-mail address from your server, but they would be using the 
 SMTP server of their ISP.  The HELO is often passed intact 
 from the client to the destination.

Really? I didn't know that. I thought the HELO represented the FQDN of
the sending server - didn't think it was passed along the chain from the
client. What a pain!





RE: [Declude.JunkMail] Block on HELO

2004-03-17 Thread Kevin Bilbee



If an ISP SMTP server is dynamically changing their HELO to what it
receives from the client then the ISP has the issue. The hello from an
ISP should be a valid host name with an IP address or the ISP's domain
name with an MX record.

I have been running the HELO test since DECLUDE started supporting IMail
auth and have 0 reported incidents of a false positive.

All the articles I read all say the same thing: use SMTP auth when
filtering the HELO on local domain names.


Kevin Bilbee



Re: [Declude.JunkMail] Comcast Update

2004-03-17 Thread Matt




Gerald,

I don't think you read or maybe understood my points. You are
reiterating much of the same that has been said time after time again.
I don't mean to suggest that your points aren't valid, especially
concerning virus proliferation, but you have to understand that there
is more than one way to skin a cat, and if you raise the bar on
spammers, they will seek out new methods of getting over it. I prefer
where the bar is set now because it's easy to catch those who exploit
it. I consider broadband ISP's to be honeypots, and I would prefer
that as much zombie spam be kept to their networks rather than have
these guys increase SMTP AUTH hacking activities and the like.

I reiterate with confidence...ISP's blocking port 25 will not stop spam
from zombies, it may in fact make it harder to catch.

Matt




RE: [Declude.JunkMail] Block on HELO

2004-03-17 Thread Lyndon Eaton
Yes Kevin I think you would be right. A Netscape/Mozilla user sending
mail through another ISP for a domain on my server may pass the
'sending' domain in its HELO to the server, but that server should then
not pass the same onto my server - if it did I guess that ISP would have
big problems.

And if a local user was using Netscape, there would be no reason for
them not to SMTP AUTH, meaning they'd be whitelisted. 

Matt, would you agree?

Kevin, as I whitelist my IP range anyway, would I need the WHITELIST
AUTH? If the 'Netscape/Mozilla' user were in that range?



-Original Message-
From: Kevin Bilbee [mailto:[EMAIL PROTECTED]
Sent: 17 March 2004 20:55
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Block on HELO


If an ISP SMTP server is dynamically changing their HELO to what it
receives from the client then the ISP has the issue. The hello from an
ISP should be a valid host name with an IP address or the ISP's domain
name with an MX record. 
 
I have been running the HELO test since DECLUDE started supporting IMail
auth and have 0 reported incidents of a false positive.
 
All the articles I read say the same thing: use SMTP auth when
filtering the HELO on local domain names.
 
 
Kevin Bilbee





Re: [Declude.JunkMail] Block on HELO

2004-03-17 Thread Matt




Netscape mail clients are somewhat rare. I believe that I caught a
false positive from one of my customers relayed through an Adelphia
mail server early on in testing. A discussion about that might be
archived on this list also. I could of course be mistaken too since I
haven't had need to monitor this for a very long time. Maybe someone
else could verify if they have knowledge of this.

Matt



Kevin Bilbee wrote:

  
  
  
  If an ISP SMTP server is dynamically changing
their HELO to what it receives from the client then the ISP has the
issue. The hello from an ISP should be a valid host name with an IP
address or the ISP's domain name with an MX record. 
  
  I have been running the HELO test since
DECLUDE started supporting IMail auth and have 0 reported incidents of
a false positive.
  
  All the articles I read say the same
thing: use SMTP auth when filtering the HELO on local domain names.
  
  
  Kevin Bilbee
  
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Matt
Sent: Wednesday, March 17, 2004 12:31 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Block on HELO


That doesn't cover it all.

If you have a client that say for instance is being blocked on port 25,
they may have Netscape configured with their E-mail address from your
server, but they would be using the SMTP server of their ISP. The HELO
is often passed intact from the client to the destination.

Search the archives for FORGEDHELO-FQDN for this filter.

http://www.mail-archive.com/cgi-bin/htsearch?config=declude_junkmail_declude_comrestrict=exclude=words=FORGEDHELO-FQDN

Matt



Kevin Bilbee wrote:

  
  Use WHITELIST AUTH on IMail 8.x but you are
correct if you are on an earlier IMail version.
  
  
  Kevin Bilbee
  
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On
Behalf Of Matt
Sent: Wednesday, March 17, 2004 11:12 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Block on HELO


If you do this, you must exclude Netscape/Mozilla clients from this
check. Those clients will use the domain name of the sender as the
HELO.

Matt



Lyndon Eaton wrote:

  
While you are at it you will also see many spoofs of your domain name

I would also suggest adding

HELO xx IS mydomainname

Kevin Bilbee

  
  
Good thinking, thanks.





  


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
  






Re: [Declude.JunkMail] Block on HELO

2004-03-17 Thread Matt
Who is to blame is moot when I'm the one blocking the E-mail :)

This may or may not be the case though, this was something from back in 
September that was first prompted by John and Bill, and I coded it up 
before I had access to WHITELIST AUTH.

I think the important lesson is to understand that there are often 
exceptions.  This filter has hit some of my customers who have boxes 
doing automated notifications with their own SMTP engine (such as 
Windows 2003), and if you gateway for customers, you either need to 
whitelist their server or exclude them from this list.  I use an IS 
match to limit the potential of false positives.

Matt



Lyndon Eaton wrote:

Yes Kevin I think you would be right. A Netscape/Mozilla user sending
mail through another ISP for a domain on my server may pass the
'sending' domain in its HELO to the server, but that server should then
not pass the same onto my server - if it did I guess that ISP would have
big problems.
And if a local user was using Netscape, there would be no reason for
them not to SMTP AUTH, meaning they'd be whitelisted. 

Matt, would you agree?

Kevin, as I whitelist my IP range anyway, would I need the WHITELIST
AUTH? If the 'Netscape/Mozilla' user were in that range?


-Original Message-
From: Kevin Bilbee [mailto:[EMAIL PROTECTED]
Sent: 17 March 2004 20:55
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Block on HELO
If an ISP SMTP server is dynamically changing their HELO to what it
receives from the client then the ISP has the issue. The hello from an
ISP should be a valid host name with an IP address or the ISP's domain
name with an MX record. 

I have been running the HELO test since DECLUDE started supporting IMail
auth and have 0 reported incidents of a false positive.
All the articles I read say the same thing: use SMTP auth when
filtering the HELO on local domain names.
Kevin Bilbee




RE: [Declude.JunkMail] Block on HELO

2004-03-17 Thread Lyndon Eaton
 -Original Message-
 From: Matt [mailto:[EMAIL PROTECTED]

 I think the important lesson is to understand that there are often 
 exceptions.  This filter has hit some of my customers who have boxes 
 doing automated notifications with their own SMTP engine (such as 
 Windows 2003), and if you gateway for customers, you either need to 
 whitelist their server or exclude them from this list.  I use an IS 
 match to limit the potential of false positives.
 

So would the WHITELIST for my IP range (that my clients use) do the
trick or would I explicitly need WHITELIST AUTH and have my clients use
SASL?

Cheers





Re: [Declude.JunkMail] Fprot

2004-03-17 Thread R. Scott Perry
 If you switch to fpcmd.exe (changing F-Prot.exe to fpcmd.exe in the
 SCANFILE line in your \IMail\Declude\virus.cfg file, and removing
 /NOFLOPPY from that line), it will take care of the problem.  F-Prot.exe
 is a 16-bit process, which needs to use NTVDM, whereas fpcmd.exe is a
 32-bit process that doesn't require NTVDM.  Plus, some servers have a hard
 time dealing with 16-bit processes, so the switch to fpcmd.exe may also
 show a noticeable performance improvement.

I have been having this problem as well ... if I make the change do I have
to reboot or stop and start anything ???

No -- just making the changes in the virus.cfg file is all you need to do.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.



RE: [Declude.JunkMail] Block on HELO

2004-03-17 Thread Kevin Bilbee
Yes, it would do the trick. As long as they never travel, dial another ISP,
and use your server.

Kevin Bilbee

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Lyndon Eaton
 Sent: Wednesday, March 17, 2004 1:41 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.JunkMail] Block on HELO


  -Original Message-
  From: Matt [mailto:[EMAIL PROTECTED]
 
  I think the important lesson is to understand that there are often
  exceptions.  This filter has hit some of my customers who have boxes
  doing automated notifications with their own SMTP engine (such as
  Windows 2003), and if you gateway for customers, you either need to
  whitelist their server or exclude them from this list.  I use an IS
  match to limit the potential of false positives.
 

 So would the WHITELIST for my IP range (that my clients use) do the
 trick or would I explicitly need WHITELIST AUTH and have my clients use
 SASL?

 Cheers


 


Re: [Declude.JunkMail] Fprot

2004-03-17 Thread Doris Dean
I have been having this problem as well ... if I make the change do I have
to reboot or stop and start anything ???

TIA
Doris
- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, March 15, 2004 1:22 PM
Subject: Re: [Declude.JunkMail] Fprot



 I get this error very frequently. Any Help on how to fix it. Fprot site
 had no information I could find.
 Running windows 2000 server
 Application popup: 16 bit MS-DOS Subsystem :
C:\scanner\FSI\F-prot\F-Prot.exe
 X#=0D, CS=01CF IP=5703. The NTVDM CPU has encountered an unhandled
 exception. Choose 'Close' to terminate the application.

 If you switch to fpcmd.exe (changing F-Prot.exe to fpcmd.exe in the
 SCANFILE line in your \IMail\Declude\virus.cfg file, and removing
 /NOFLOPPY from that line), it will take care of the problem.  F-Prot.exe
 is a 16-bit process, which needs to use NTVDM, whereas fpcmd.exe is a
 32-bit process that doesn't require NTVDM.  Plus, some servers have a hard
 time dealing with 16-bit processes, so the switch to fpcmd.exe may also
 show a noticeable performance improvement.

 -Scott
 ---
 Declude JunkMail: The advanced anti-spam solution for IMail mailservers
 since 2000.
 Declude Virus: Catches known viruses and is the leader in mailserver
 vulnerability detection.
 Find out what you've been missing: Ask for a free 30-day evaluation.



RE: [Declude.JunkMail] Force resend and rescan of a message that was held?

2004-03-17 Thread McCool, Scott

So we've run into one big problem with this process:

It takes a long time to process one message.  The process doesn't seem
to work from any directory except the imail spool directory (held spam
gets moved to a spam/ subdirectory of wherever the message was
originally, but legitimate email that passes WEIGHT15 (where we'd hold)
doesn't end up getting sent; Imail bounces it with a status of 2.  If I
run the script from the imail\spool directory, all is well and legit
mail goes out and spam gets held in spool\spam.  

The problem is that anything in imail\spool is susceptible to being sent
out by the queue manager whenever it re-processes the spool... So I had
to abort the process after a few hundred messages to keep the queue
manager from just delivering all the mail (some largish percentage of
which is legitimate spam and shouldn't go out).

Any ideas about why the process takes so long (~20-30 seconds per
message)?  Obviously in the normal course of things we don't see any
huge delay, but we only process a few thousand messages per day (I tried
to move ~2000 Q* and D* files, presumably ~1000 messages back to
imail\spool and process them with the batch file).

Any insight?  Anyone else tried to rescan messages this way?

-Scott




 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of McCool, Scott
 Sent: Wednesday, March 17, 2004 2:05 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.JunkMail] Force resend and rescan of a 
 message that was held?
 
 
 
 Scott (and anyone else who might have to do this in the future),
 
 Thank you for the quick response.  What we ended up doing was the
 following:
 
 -Move the last couple days of possibly affected messages back
  to d:\imail\spool from d:\imail\spool\spam
 -Create a short batch script, whose main line was:
   @for %%? in (d:\imail\spool\q*.smd) do call d:\imail\declude.exe %%?  rescan_spam.txt
 -Run this script, observe that messages which no longer fail WEIGHT15
  are sent out properly and messages which fail WEIGHT15 still are moved
  back to d:\imail\spool\spam.
 
 This has seemed to work well on a small batch of test 
 messages, so we'll likely rescan the bulk of the mail shortly 
 (I want to do a little more
 testing)
 
 Thank you again for the prompt & helpful response!
 
 -Scott
 
 
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of R. 
  Scott Perry
  Sent: Wednesday, March 17, 2004 12:29 PM
  To: [EMAIL PROTECTED]
  Subject: Re: [Declude.JunkMail] Force resend and rescan of a 
  message that was held?
  
  
  
   From testing so far, it appears Declude won't rescan a message.  I've
  tried deleting the headers from the D* file before putting it back in
  the queue to no avail.  If I set the declude log level to HIGH I see
  Passing to SMTP1 for that message ID, so it at least appears that
  declude sees the message again.
  
  How can I have messages rescanned?
  
  Declude JunkMail will automatically skip over E-mails that are in the
  spool, since they have already been scanned.
  
  If you want to have Declude scan them again, it would get a bit
  tricky.  You would need to call Declude for each E-mail, but do so
  before IMail delivered it.  So you might try copying batches of
  perhaps 10-20 E-mails back to the spool, call Declude for each one
  (C:\IMail\Declude.exe C:\IMail\spool\Q1234567.SMD), wait until they
  are processed, and repeat.  I'm not sure of an easy automated way to
  do this.
  
  -Scott


RE: [Declude.JunkMail] Block on HELO

2004-03-17 Thread Kevin Bilbee
 I think the important lesson is to understand that there are often
 exceptions.  This filter has hit some of my customers who have boxes
 doing automated notifications with their own SMTP engine (such as
 Windows 2003), and if you gateway for customers, you either need to
 whitelist their server or exclude them from this list.

Agreed, restated,
In the case of an exception you adjust your whitelist/filter to accommodate.

 I use an IS match to limit the potential of false positives.

And I agree with using IS. I mostly use IS. But there are a few cases I use
ENDSWITH and I would never use CONTAINS with this test.


Kevin Bilbee
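
The match-type and whitelisting trade-offs discussed in this thread, as an added Python sketch that is not Declude code and not any poster's filter: it models a HELO test using IS, ENDSWITH or CONTAINS matching behind an IP-range whitelist and an SMTP AUTH whitelist. The addresses, domain, session names and function names are constructed for illustration, and case-insensitive matching is an assumption of the sketch.

```python
"""Model of the thread's HELO test (illustrative sketch, not Declude itself)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed values (documentation ranges and domain), not taken from the thread.
MY_IP = "192.0.2.10"
MY_DOMAIN = "example.net"
LOCAL_RANGE = ip_network("192.0.2.0/24")
WEIGHT = 35  # same weight as the "HELO 35 IS my.ip.ad.dr" line quoted earlier


@dataclass
class Session:
    remote_ip: str
    helo: str
    authenticated: bool = False


def matches(helo, op, value):
    """IS / ENDSWITH / CONTAINS comparison (case-insensitive by assumption)."""
    helo, value = helo.strip().lower(), value.lower()
    if op == "IS":
        return helo == value
    if op == "ENDSWITH":
        return helo.endswith(value)
    if op == "CONTAINS":
        return value in helo
    raise ValueError(f"unknown match type: {op}")


def helo_weight(session, op, whitelist_ip=True, whitelist_auth=True):
    """Weight the HELO test adds for one session, using match type `op`."""
    if whitelist_auth and session.authenticated:
        return 0  # authenticated senders are whitelisted before the test runs
    if whitelist_ip and ip_address(session.remote_ip) in LOCAL_RANGE:
        return 0  # so are clients connecting from the local IP range
    hits = [v for v in (MY_IP, MY_DOMAIN) if matches(session.helo, op, v)]
    return WEIGHT * len(hits)


# Constructed sessions covering the cases raised in the thread.
SESSIONS = {
    "forged_ip":      Session("203.0.113.36", MY_IP),       # our IP as HELO
    "forged_domain":  Session("203.0.113.36", MY_DOMAIN),   # our domain as HELO
    "neighbour_ip":   Session("198.51.100.9", "192.0.2.100"),
    "lookalike_host": Session("198.51.100.7", "mail.example.net.partner.test"),
    "other_domain":   Session("198.51.100.8", "mx.notexample.net"),
    "office_client":  Session("192.0.2.77", MY_DOMAIN),     # inside local range
    "roaming_auth":   Session("198.51.100.50", MY_DOMAIN, authenticated=True),
    "roaming_noauth": Session("198.51.100.50", MY_DOMAIN),  # other ISP, no AUTH
}


def compare():
    """Map each sample session to its weight under IS, ENDSWITH and CONTAINS."""
    return {name: tuple(helo_weight(s, op) for op in ("IS", "ENDSWITH", "CONTAINS"))
            for name, s in SESSIONS.items()}


if __name__ == "__main__":
    for name, w in compare().items():
        print(f"{name:15} IS={w[0]:3} ENDSWITH={w[1]:3} CONTAINS={w[2]:3}")
```

In the output, only CONTAINS flags the neighbouring address and the lookalike host name, ENDSWITH also flags the unrelated domain that shares a suffix, and the roaming customer is spared only when authenticated.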



RE: [Declude.JunkMail] Force resend and rescan of a message that was held?

2004-03-17 Thread R. Scott Perry

Any ideas about why the process takes so long (~20-30 seconds per
message)?

Is your DNS server (the first one listed in the IMail SMTP settings) 
working properly?  That would be the normal cause of delays (assuming the 
CPU isn't maxed out).

   -Scott
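
The batch approach suggested earlier in this thread (copy a small batch back to the spool, call Declude on each message, wait until they are processed, repeat), as an added Python sketch that is not from any poster or from Declude. It assumes each message is a Q<id>.SMD / D<id>.SMD pair and treats a message as processed once its Q file has left the spool; the function names, timeout and polling interval are hypothetical.

```python
"""Batch driver for rescanning held mail (added example; layout is assumed)."""
import shutil
import subprocess
import time
from pathlib import Path

DECLUDE = r"C:\IMail\Declude.exe"  # path as quoted in the thread


def held_pairs(held_dir):
    """(Q name, D name) for every held message that has both files."""
    pairs = []
    for f in sorted(Path(held_dir).iterdir()):
        if f.name[:1].upper() == "Q" and f.name.upper().endswith(".SMD"):
            d_name = ("D" if f.name[0] == "Q" else "d") + f.name[1:]
            if (Path(held_dir) / d_name).is_file():
                pairs.append((f.name, d_name))
    return pairs


def run_declude(q_file):
    """Scan one message the way the thread does: Declude.exe <path to Q file>."""
    subprocess.run([DECLUDE, str(q_file)], check=False)


def rescan_in_batches(held_dir, spool_dir, scan=run_declude,
                      batch_size=10, timeout=300.0, poll=1.0):
    """Move held messages to the spool one batch at a time and scan each.

    The next batch is moved only after every Q file of the current batch has
    left the spool, so at most `batch_size` unscanned messages are ever
    exposed to the queue manager. Returns the Q file names that were scanned.
    """
    held_dir, spool_dir = Path(held_dir), Path(spool_dir)
    pairs = held_pairs(held_dir)  # snapshot: mail that is re-held is not retried
    scanned = []
    for start in range(0, len(pairs), batch_size):
        in_flight = []
        for q_name, d_name in pairs[start:start + batch_size]:
            # Data file first, so a control file never sits in the spool alone.
            shutil.move(str(held_dir / d_name), str(spool_dir / d_name))
            shutil.move(str(held_dir / q_name), str(spool_dir / q_name))
            in_flight.append(spool_dir / q_name)
        for q_file in in_flight:
            if q_file.exists():  # skip anything already taken from the spool
                scan(q_file)
                scanned.append(q_file.name)
        deadline = time.monotonic() + timeout
        while any(q.exists() for q in in_flight):
            if time.monotonic() > deadline:
                raise TimeoutError(f"batch starting at index {start} is still in the spool")
            time.sleep(poll)
    return scanned
```

The `scan` parameter lets the driver be exercised against a test directory with a stand-in scanner before it is pointed at a live spool.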


[Declude.JunkMail] OT: Windows 2000 Performance Monitor

2004-03-17 Thread Matt
I've never bothered to run monitoring before, but I need to do so now so 
that I can make more informed decisions.  Does anyone have a good 
config/setup that they want to share which is most effective at tracking 
usage primarily related to an IMail/Declude/Sniffer setup?  Should I be 
storing this data in SQL Server?  Etc.

Thanks,

Matt



Re: [Declude.JunkMail] OT: Windows 2000 Performance Monitor

2004-03-17 Thread DLAnalyzer Support
Matt, 

I monitor a bunch of counters (memory, cpu, process, disk, network, etc) on 
our servers.  I roll the perf logs on a daily basis.  The hard thing in 
tracking this stuff is that when you add process counters there is no way to 
track all of the individual processes for declude/imail/sniffer.  What you 
will see is each Declude process will show like Declude#1, Declude#2, etc, 
etc.  What I ended up doing is setting the process counters up at a busy 
time on my server to capture as many of the ...#1 processes. 

Darrell 

Matt writes: 

I've never bothered to run monitoring before, but I need to do so now so 
that I can make more informed decisions.  Does anyone have a good 
config/setup that they want to share which is most effective at tracking 
usage primarily related to an IMail/Declude/Sniffer setup?  Should I be 
storing this data in SQL Server?  Etc. 

Thanks, 

Matt 




Check Out DLAnalyzer a comprehensive reporting tool for
Declude Junkmail Logs - http://www.dlanalyzer.com 
