[Declude.JunkMail] BADHEADERS fix in 2.x too aggressive?

2005-02-27 Thread Colbeck, Andrew

I've noticed quite a few spams, possibly from the same outfit, that are including an old date in the header, which is possibly static:

Received: from minusplus.com [83.195.193.238] by mail.bentall.com (SMTPD32-8.14) id A3013C2E00CE; Sat, 26 Feb 2005 15:15:13 -0800
Date: 1 Dec 2004 10:42:52 -0500
Content-type: text/plain
From: Lisa Stuart [EMAIL PROTECTED]
To: munged
Message-ID: [EMAIL PROTECTED]
Subject: R0lex for $200

I'm pretty sure that the old versions of Declude triggered BADHEADERS if the date was too far out of alignment with the current date. I checked the Release Notes web page to get the right version of Declude for my subject line, but that page makes no mention of the fix that was released just after the new year when a fix for a hardcoded "2004" was causing a false positive in BADHEADERS.

Andrew 8(

  
  -----Original Message-----
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Scott Fisher
  Sent: Friday, February 25, 2005 6:41 PM
  To: Declude.JunkMail@declude.com
  Subject: Re: [Declude.JunkMail] Spammed on port 2525

  I'd picked 2525 before I really knew about 25.

  What really irks me is that Imail has made no provisions to accommodate a port 587. It can't be too hard to accommodate another SMTP port... most of the code is the same as the port 25 code... This has been an issue for over a year and no word from Ipswitch.

  I was very surprised to see spam coming in on the port 2525. It looked to be from Zombie proxies, at least 15 different. So somebody out there is trying different port numbers.
  
----- Original Message -----
From: Matt
To: Declude.JunkMail@declude.com
Sent: Friday, February 25, 2005 7:22 PM
Subject: Re: [Declude.JunkMail] Spammed on port 2525

SMTP AUTH on port 587 isn't required by the RFC... it just simply makes a whole ton of sense in most setups. Considering that this is a standard port, and it will most likely find its way through broadband providers' blocks since it is reserved for this use and likely to be restricted to authenticated E-mail in most cases in the near future, it is advisable to use it, all other things being equal. Considering that Scott is already promoting port 2525 and having configured some of his clients for that, there is no harm in continuing the practice in lieu of support for SMTP AUTH-only connections on this port in his mail server. I am guessing that in the future we will also see E-mail clients fail over from port 25 to 587 automatically, making support for this transparent and hands-free. That is not likely at all to happen with port 2525, and it would seem that port 2525 is more likely to be blocked as a security measure.

The choice is really about what you already have and how far into the future you wish to plan for/speculate about.

Matt

John Tolmachoff (Lists) wrote:

  
  

  
  See my thoughts on the Imail forum on 587.

  John Tolmachoff
  Engineer/Consultant/Owner
  eServices For You

  -----Original Message-----
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
  Sent: Friday, February 25, 2005 4:50 PM
  To: Declude.JunkMail@declude.com
  Subject: Re: [Declude.JunkMail] Spammed on port 2525
  
  Here's what I am using for a mail server located at 192.168.1.1 for this example. IMail is configured to listen on port 587, but to the outside world it appears as both port 25 and 587. Even though one would think that you didn't have to NAT 587 to 587, in this case you do because of the other rules for that IP (or so I was told). I assume that you are configured differently and that does matter, so you might want to share that before making the edits yourself.

  ip nat inside source static tcp 192.168.1.1 25 192.168.1.1 25 extendable no-alias
  ip nat inside source static tcp 192.168.1.1 587 192.168.1.1 25 extendable no-alias
  ip nat inside source static tcp 192.168.1.1 587 192.168.1.1 587 extendable no-alias

  I assume that you know how to config term your router. If not, it won't be straightforward without a crib sheet or experienced help to guide you through it rather than risk messing it up.

  Matt

  Scott Fisher wrote:

  I use port 2525 to bypass port 25 blocking for my employees.

  I was just checking my logs and I've been receiving spam on port 2525

  Can anyone share the necessary Cisco IOS commands to let the Cisco router do port translation?

  P.S. IOS isn't my primary language...
  -- =MailPure custom filters for Declude JunkMail 
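
Added example, not part of the original thread and not Declude's own code: the check discussed in Andrew's message at the top of this thread (a Date: header far out of line with the time the message arrived), run against the headers he quoted. The 2-day tolerance and the function names are assumptions; the thread does not say what window BADHEADERS used.

```python
from datetime import timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Assumed tolerance: the thread does not say what window Declude applies.
MAX_SKEW = timedelta(days=2)

# Headers quoted in Andrew's message (addresses are munged on the page).
SAMPLE = (
    "Received: from minusplus.com [83.195.193.238] by mail.bentall.com "
    "(SMTPD32-8.14) id A3013C2E00CE; Sat, 26 Feb 2005 15:15:13 -0800\n"
    "Date: 1 Dec 2004 10:42:52 -0500\n"
    "Content-type: text/plain\n"
    "From: Lisa Stuart [EMAIL PROTECTED]\n"
    "To: munged\n"
    "Subject: R0lex for $200\n"
    "\n"
    "body\n"
)

def parse_utc(value):
    """Return an aware UTC datetime, or None if value is not a date."""
    try:
        dt = parsedate_to_datetime(str(value).strip())
    except (TypeError, ValueError):
        return None
    if dt.tzinfo is None:  # "-0000" zone: no offset known, treat as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)

def date_skew(raw_message):
    """Compare the sender's Date: with the receiving server's own stamp."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    # The topmost Received: line is the one added by the receiving server,
    # so its timestamp (after the last ';') is the only trusted clock here.
    arrived = parse_utc(received[0].rpartition(";")[2]) if received else None
    if arrived is None:
        return "no-trusted-time", None
    claimed = parse_utc(msg.get("Date", ""))
    if claimed is None:
        return "bad-date", None
    skew = arrived - claimed
    if skew > MAX_SKEW:
        return "stale-date", skew
    if skew < -MAX_SKEW:
        return "future-date", skew
    return "ok", skew
```

On the quoted headers the Date: value is 87 days older than the server's own Received: stamp, so the message is reported as stale-date.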

RE: [Declude.JunkMail] casino spam

2005-02-27 Thread Colbeck, Andrew

True, dat.

Most of the high-tech business is in Vancouver and Victoria, which are the biggest cities in BC.

The Vancouver Stock Exchange was scrapped after a decade of scams perpetrated on it; in a nutshell, investors were not protected and disclosure rules were far more lax than they are now. Most stocks that were listed were venture and speculative, so folks should have known better. The VSE was succeeded by the Canadian Venture Exchange, which hasn't had any scandals in, oh, the 5 years or so that it's been around.

Bandwidth is relatively cheap in Vancouver, and there was an explosion of dot-com activity in the boom years, particularly with colo-hosting. It was a very attractive market and competition was fierce, but the margins were too thin for many companies.

I'm disappointed when I find that spammers are so easily hosted at some of these "desperate" colo firms in my own backyard, but it's the market conditions. They value the spammers' dollars more than the dollars of their more traditional clients. At least one in Kelowna (about a 2 hour drive from Vancouver).

Telus and Shaw are the big DSL and Cable providers, respectively, and both do a lame job of preventing security issues on those networks and their own email servers. Sympatico is Telus in the west, and Bell in Eastern Canada. Rogers was consumed by Shaw, but you still find Rogers Cable subscribers, which are mostly business customers.

When I started to get spam that was from overseas but spamvertised porn at my own corporate provider, I complained to my sales guy and went up the chain. They rapped the other customer on the knuckles, he changed his IP addresses and the text of his message but not his modus operandi; in less than a week or ten days, they "fired that customer". SpamHaus and others had briefly blacklisted large chunks of that provider (was Group Telecom (and 360 Networks before that) which is now owned by Bell).

As far as strip clubs and triple X webhosting goes, we're pretty liberal. Not as liberal as Nevada mind you, but the government would rather make tax dollars from those businesses than make them illegal. And folks from Amsterdam would laugh themselves silly at the three or four blocks of downtown that constitute our "naughty district".

Andrew 8)

  
  -----Original Message-----
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
  Sent: Friday, February 25, 2005 4:56 PM
  To: Declude.JunkMail@declude.com
  Subject: Re: [Declude.JunkMail] casino spam

  You can solve this problem by simply blacklisting British Columbia.

  Seriously though, it's strange how much of this stuff comes from there. In the penny stock world, this province also gained quite the reputation for fraud in the past. I won't mention the strip clubs. Andrew might be able to shed some light on that one...or maybe even all of those things :)

  Matt

  Paul Navarre wrote:
  




I've actually noticed an increase specifically in gambling site spam myself.

Paul Navarre

  
  
  Has anyone noticed in the past week an increase in casino, or party poker, etc. spam?

  Kyle
--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=