RE: [Declude.JunkMail] Spamcop blocked message but not blocked
Yes, an IP could be delisted within a few hours.

John T
eServices For You
Seek, and ye shall find!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Panda Consulting S.A. Luis Alberto Arango
Sent: Tuesday, September 19, 2006 8:20 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Spamcop blocked message but not blocked

Today I found this in a message (declude logs)

Msg failed SPAMCOP (Blocked - see http://www.spamcop.net/bl.shtml?216.9.248.51;

I verified why this address was blocked and found out that the Spamcop site says

216.9.248.51 not listed in bl.spamcop.net

Verification was done 5 hours after the blocked message was received. IP belongs to one of the Blackberry's smtp servers. Any ideas? Could an address be removed within a few hours? Any ideas? Is Spamcop failing or is this common?

Luis

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Spamcop blocked message but not blocked
Yes, servers can be removed from Spamcop pretty quick depending on various factors. FWIW IMO Spamcop tends to list known legit mailservers fairly often (gmail, aol, earthlink, etc). I use it, but I also counterweight revdns for some of those big providers' mailservers to counter spamcop hits.

Darrell

Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

----- Original Message -----
From: Panda Consulting S.A. Luis Alberto Arango [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Tuesday, September 19, 2006 11:20 PM
Subject: [Declude.JunkMail] Spamcop blocked message but not blocked

Today I found this in a message (declude logs)

Msg failed SPAMCOP (Blocked - see http://www.spamcop.net/bl.shtml?216.9.248.51;

I verified why this address was blocked and found out that the Spamcop site says

216.9.248.51 not listed in bl.spamcop.net

Verification was done 5 hours after the blocked message was received. IP belongs to one of the Blackberry's smtp servers. Any ideas? Could an address be removed within a few hours? Any ideas? Is Spamcop failing or is this common?

Luis
RE: [Declude.JunkMail] ASSP
Darrell,

Because we now have control of the SMTP, we are able to do things like drop the connection on bad IPs instead of processing the entire email. We have a feature called block list which essentially tracks the weights of emails from an IP and then adds them to a block list; this helps reduce a large amount of unwanted traffic to the email server.

E.g.

1. Set the weight for this test 40
2. Set the number of offences 3
3. Set the expire 14

This means that if Declude receives 3 emails over a weight of 40 it will automatically be added to the blocklist (i.e. drop on SMTP connect). If no further emails are received from that IP it will expire in 14 days.

Also the GUI adds the ability to automate the creation of per-user and per-domain configurations, giving the user or domain admin the ability to set their spam thresholds. Another nice feature is that users can view their quarantine and release any false positives to themselves, removing a lot of the burden from the Admin. Together with graphical reporting and the easy to use interface this adds a lot for new customers to Declude. But you are correct, the back end is all of DSS so that experienced users can still continue to use Declude as they always have.

David B
www.declude.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Tuesday, September 19, 2006 5:27 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] ASSP

To the best of my knowledge Declude Interceptor is really no different than the regular version of Declude packaged into a gateway. The real benefit of Interceptor is that you are no longer coupled to Imail/Smartermail in the gateway environment. From my testing you had all of the same files under the Declude folder (global.cfg, virus.cfg, declude.cfg, etc). They have a very nice web interface for managing the product. Having the option to have Declude not bundled with Imail or Smartermail is nice. However, I did not see any real difference with the products.

David - What is new in Interceptor that I may have missed compared to the version of Declude we run under Imail\Smartermail?

Darrell

---
Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

xx-xx- --x--x writes:

Maybe you should run your assp gateway against the Declude interceptor

On 9/19/06, Harry Vanderzand [EMAIL PROTECTED] wrote:

I am interested in this also. Maybe it can be on list?

Harry Vanderzand
inTown Internet Computer Services
519-741-1222

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Don Brown
Sent: Tuesday, September 19, 2006 3:03 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] ASSP

There were a couple of recent posts from folks who had recently implemented ASSP. We have to do the same due to the vulnerability in Imail 8.22. I'd appreciate any comments, suggestions, etc. OFF LIST, from those who have already fallen in the holes, etc.

Thanks,
Don Brown - Dallas, Texas USA
Internet Concepts, Inc.
[EMAIL PROTECTED]
http://www.inetconcepts.net
(972) 788-2364 Fax: (972) 788-5049
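The block-list rule David describes above (weight 40, 3 offences, expire 14), replayed over a constructed message stream. This is an added Python example, not Declude's code; the class and function names, the sample IPs, and the reading that any further connection from a listed IP restarts the 14-day expiry are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    weight: int = 40        # an offence is a message scored over this weight
    offences: int = 3       # offences needed before the IP is listed
    expire_days: int = 14   # idle days after which the IP is forgotten


@dataclass
class Record:
    last_seen: datetime
    offences: int = 0
    blocked: bool = False


class BlockList:
    """Hypothetical model of the rule; only IPs with an offence are tracked."""

    def __init__(self, policy: Policy = Policy()) -> None:
        self.policy = policy
        self.records: Dict[str, Record] = {}

    def _live_record(self, ip: str, now: datetime) -> Optional[Record]:
        # Forget the IP (offence count and listing) once it has been idle
        # for the whole expiry period.
        rec = self.records.get(ip)
        idle_limit = timedelta(days=self.policy.expire_days)
        if rec is not None and now - rec.last_seen >= idle_limit:
            del self.records[ip]
            return None
        return rec

    def on_connect(self, ip: str, now: datetime) -> str:
        """Decision at SMTP connect, before any message data is read."""
        rec = self._live_record(ip, now)
        if rec is None:
            return "ACCEPT"
        rec.last_seen = now  # assumption: traffic restarts the expiry clock
        return "DROP" if rec.blocked else "ACCEPT"

    def on_scored(self, ip: str, weight: int, now: datetime) -> None:
        """Record the final spam weight of a message that was accepted."""
        rec = self._live_record(ip, now)
        if weight > self.policy.weight:  # "over a weight of 40"
            if rec is None:
                rec = self.records[ip] = Record(last_seen=now)
            rec.offences += 1
            rec.blocked = rec.offences >= self.policy.offences
        if rec is not None:
            rec.last_seen = now


Event = Tuple[datetime, str, int]  # (time, connecting IP, message weight)


def replay(events: List[Event], policy: Policy = Policy()) -> List[str]:
    """Run events in order and return the connect-time decision for each."""
    block_list = BlockList(policy)
    decisions = []
    for when, ip, weight in events:
        decision = block_list.on_connect(ip, when)
        if decision == "ACCEPT":  # a dropped connection is never scored
            block_list.on_scored(ip, weight, when)
        decisions.append(decision)
    return decisions


# Constructed sample data (documentation address ranges, made-up weights).
T0 = datetime(2006, 9, 20)
SAMPLE_EVENTS: List[Event] = [
    (T0, "192.0.2.10", 55),                                # offence 1
    (T0 + timedelta(hours=1), "192.0.2.10", 12),           # clean message
    (T0 + timedelta(hours=2), "192.0.2.10", 41),           # offence 2
    (T0 + timedelta(hours=3), "198.51.100.7", 40),         # 40 is not over 40
    (T0 + timedelta(hours=4), "192.0.2.10", 90),           # offence 3, listed
    (T0 + timedelta(hours=5), "192.0.2.10", 90),           # dropped
    (T0 + timedelta(days=13, hours=5), "192.0.2.10", 90),  # still listed
    (T0 + timedelta(days=27, hours=5), "192.0.2.10", 10),  # idle 14 days
]

if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event[0].isoformat(), event[1], event[2], decision)
```
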
[Declude.JunkMail] Help - Best Practices
Hi Everyone -

First of all, I am running iMail 8.22 on a Windows 2000 server, with Declude 4.09 and invURIBL 2.7. I have a new server on order and will be upgrading to Windows 2003 Server, iMail 2006, and Declude 4.xx in about a month.

In the meantime (and probably very much unrelated to the above information)... I'm seeing a lot of spam coming through that I don't think should be making it. I have all the updates that I can find for my current versions of the above. I have not spent much time tweaking so I'm guessing that will be the first place I should start (assuming I figure out exactly what to tweak). When purchased, the above worked fairly well out of the box with some minor adjustments. However, just as times change, so does spam. I have a feeling that is where I am at now.

My questions are:

- are others also seeing an increase in spam, and if so, what are you doing about it?
- is there something else I should be running in addition to the above? We had the trial version of MessageSniffer but did not purchase when it quit updating. I don't know if that was the key to our initial success or not.
- Last night, for instance, I was seeing a lot of a particular email come in that contained obvious spam in the first line (STOCK A LERT). So I added another line to my filter-spam.txt file to basically fail these messages. I have not seen any more like it since. Was that the right move, and is this what it takes to stay on top of it?
- Last night I was on Declude's website and ran a BADHEADERS spam test, which made it to my Inbox. I think I need help.

I guess I am really wanting to get a better understanding of what practices you are using to combat the day-to-day? Like many on the list I'm sure, I'm a one-man team trying to manage several things at once. I don't expect things to just work but they sometimes get pushed aside while they are working. Basically, this is not any more and I want to get back on top of it. I apologize if some of these questions seem obvious but would very much appreciate any feedback or suggestions you have to offer.

Thanks!
Todd

__
Todd Richards
[EMAIL PROTECTED]
402.778.7903
RE: [Declude.JunkMail] Spamcop blocked message but not blocked
John and Darrell. Thank you for your answers. I will be extremely careful then with Spamcop; the revdns is a very good suggestion.

Regards
Luis

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Wednesday, September 20, 2006 07:45 a.m.
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Spamcop blocked message but not blocked

Yes, servers can be removed from Spamcop pretty quick depending on various factors. FWIW IMO Spamcop tends to list known legit mailservers fairly often (gmail, aol, earthlink, etc). I use it, but I also counterweight revdns for some of those big providers' mailservers to counter spamcop hits.

Darrell

--
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

----- Original Message -----
From: Panda Consulting S.A. Luis Alberto Arango [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Tuesday, September 19, 2006 11:20 PM
Subject: [Declude.JunkMail] Spamcop blocked message but not blocked

Today I found this in a message (declude logs)

Msg failed SPAMCOP (Blocked - see http://www.spamcop.net/bl.shtml?216.9.248.51;

I verified why this address was blocked and found out that the Spamcop site says

216.9.248.51 not listed in bl.spamcop.net

Verification was done 5 hours after the blocked message was received. IP belongs to one of the Blackberry's smtp servers. Any ideas? Could an address be removed within a few hours? Any ideas? Is Spamcop failing or is this common?

Luis
RE: [Declude.JunkMail] Spamcop blocked message but not blocked
You can follow the link in the text that the SpamCop RBL returns, and then follow a link there for further information:

http://www.spamcop.net/w3m?action=blcheckip=216.9.248.51

Which shows that this Blackberry server is listed again and will be for the next 16 hours. It also shows the recent history of this IP address with SpamCop:

Listing History
In the past 9.8 days, it has been listed 5 times for a total of 2.7 days

What I've noticed is that service providers like Blackberry run afoul of SpamCop and other lists due to their clients' autoresponders which reply to every virus and forged MAILFROM, so the provider gets listed as sending to spamtraps or listed for sending viruses.

The advice to use REVDNS or other counterweight tests to smooth out blacklists sounds good to me, too.

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Panda Consulting S.A. Luis Alberto Arango
Sent: Tuesday, September 19, 2006 8:20 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Spamcop blocked message but not blocked

Today I found this in a message (declude logs)

Msg failed SPAMCOP (Blocked - see http://www.spamcop.net/bl.shtml?216.9.248.51;

I verified why this address was blocked and found out that the Spamcop site says

216.9.248.51 not listed in bl.spamcop.net

Verification was done 5 hours after the blocked message was received. IP belongs to one of the Blackberry's smtp servers. Any ideas? Could an address be removed within a few hours? Any ideas? Is Spamcop failing or is this common?

Luis
RE: [Declude.JunkMail] Spam Spike
I run Blackice Server on the mail server. It drops the connecting IP if we receive more than a user specified number of attempts for non-existent email addresses within a user specified time limit. It then blocks that IP for a user specified amount of time before removing the block. It prevents email address harvesting from our server. Not bad for a product that cost about $200 if I recall correctly.

A side benefit is that it stores a text file with the hostname/IP address in a folder for every blocked IP. Over time, I can see patterns and permanently block those IP ranges in my firewall if I so desire.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Anton
Sent: Tuesday, September 19, 2006 1:02 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Spam Spike

Darrell,

We are averaging 40 to 50% on the processor. I was just surprised because in 3 years we haven't seen a spike this large. Most of them are dictionary style. But since they aren't from the same IP, I don't think the imail 2006 dictionary feature would help us. Thoughts?
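The per-IP rule described in the message above (more than N attempts for non-existent addresses inside a time limit, then a timed block), replayed over constructed events that also include a probe spread across many addresses, the case Chris raises in the quoted message. This is an added Python example, not Blackice or IMail code; the names, thresholds, event format and the /24 grouping used to show range patterns are assumptions.

```python
import ipaddress
from collections import Counter, defaultdict, deque


class HarvestGuard:
    """Per-IP rule: more than max_invalid unknown recipients inside window_s
    seconds blocks the IP for block_s seconds, then the block is removed."""

    def __init__(self, max_invalid, window_s, block_s):
        self.max_invalid = max_invalid
        self.window_s = window_s
        self.block_s = block_s
        self._hits = defaultdict(deque)  # ip -> times of unknown-user RCPTs
        self._blocked_until = {}         # ip -> time the block is lifted

    def is_blocked(self, ip, now):
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:                 # block has run its course
            del self._blocked_until[ip]
            return False
        return True

    def invalid_rcpt(self, ip, now):
        """Record one RCPT TO for a non-existent mailbox.
        Returns True when this attempt gets the IP blocked."""
        hits = self._hits[ip]
        hits.append(now)
        while now - hits[0] >= self.window_s:  # slide the window forward
            hits.popleft()
        if len(hits) > self.max_invalid:       # "more than" the limit
            self._blocked_until[ip] = now + self.block_s
            hits.clear()
            return True
        return False


def replay(events, guard):
    """events: (time_s, ip, recipient_exists) tuples in time order.
    Returns (decision per event, IPs that were blocked, rejects per /24)."""
    decisions, blocked, per_range = [], set(), Counter()
    for now, ip, exists in events:
        if guard.is_blocked(ip, now):
            decisions.append("DROP")     # refused at connect
            continue
        if exists:
            decisions.append("ACCEPT")
            continue
        decisions.append("REJECT")       # unknown user
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        per_range[str(net)] += 1
        if guard.invalid_rcpt(ip, now):
            blocked.add(ip)
    return decisions, sorted(blocked), dict(per_range)


# Constructed sample data (documentation address ranges).
SAMPLE_EVENTS = (
    # One source guessing 7 mailboxes, 5 seconds apart.
    [(t, "203.0.113.5", False) for t in range(0, 35, 5)]
    # Six sources guessing 2 mailboxes each: no single IP passes the limit.
    + [(40 + 2 * i + j, f"198.51.100.{i}", False)
       for i in range(1, 7) for j in range(2)]
    # The first source returns exactly when its one-hour block ends.
    + [(3625, "203.0.113.5", True)]
)

if __name__ == "__main__":
    guard = HarvestGuard(max_invalid=5, window_s=60, block_s=3600)
    decisions, blocked, per_range = replay(SAMPLE_EVENTS, guard)
    print(Counter(decisions))
    print("blocked:", blocked)
    print("unknown-user rejects per /24:", per_range)
```

On this sample only 203.0.113.5 is blocked, while the spread-out probe shows up only in the per-range totals.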
Re: [Declude.JunkMail] Spam Spike
A large spike hit here Monday. Spool processing lagged about 1.5 hours, then got worse late in the night to over 9,000 files in spool and a 5-hr delay. Had to stop SMTP and clear the spool.

I've noticed numerous D/T pairs that appear in \spool and hang there for a long time (10-15 mins), locked while SMTP is running. Right now it's 2:15 PM and there's a locked 1K T/D pair time-stamped 1:57 PM. Toggling SMTP leaves them as orphans.

A typical D is 1 KB in size and contains something like this

Received: from acce.org [82.250.149.205] by wcnet.net (SMTPD32-7.15) id A7977430256; Wed, 20 Sep 2006 12:17:11 -0500

The T is

QD:\IMAIL\spool\D7797074302566850.SMD Hwcnet.net WD:\IMAIL E0, S[EMAIL PROTECTED] NRCPT TO:[EMAIL PROTECTED]

The NRCPT TO is a valid hosted mail domain but not a valid user. A few may be to one or more valid users, and a few may have message content in the D whether the user is valid or not.

Is this a dictionary probe? What can be done to defend against it?

G.Z.
RE: [Declude.JunkMail] Spam Spike
These harvesting attacks need to be blocked at the smtp level; do not continue to let your server deplete its resources on this bogus mail. If your server doesn't support SMTP blocking, a user on the list recently mentioned that he runs Black Ice Server. Try that.

chris

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Glenn \ WCNet
Sent: Wednesday, September 20, 2006 3:17 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Spam Spike

A large spike hit here Monday. Spool processing lagged about 1.5 hours, then got worse late in the night to over 9,000 files in spool and a 5-hr delay. Had to stop SMTP and clear the spool.

I've noticed numerous D/T pairs that appear in \spool and hang there for a long time (10-15 mins), locked while SMTP is running. Right now it's 2:15 PM and there's a locked 1K T/D pair time-stamped 1:57 PM. Toggling SMTP leaves them as orphans.

A typical D is 1 KB in size and contains something like this

Received: from acce.org [82.250.149.205] by wcnet.net (SMTPD32-7.15) id A7977430256; Wed, 20 Sep 2006 12:17:11 -0500

The T is

QD:\IMAIL\spool\D7797074302566850.SMD Hwcnet.net WD:\IMAIL E0, S[EMAIL PROTECTED] NRCPT TO:[EMAIL PROTECTED]

The NRCPT TO is a valid hosted mail domain but not a valid user. A few may be to one or more valid users, and a few may have message content in the D whether the user is valid or not.

Is this a dictionary probe? What can be done to defend against it?

G.Z.
Re: [Declude.JunkMail] Spam Spike
How tricky is it to configure this? Current price I find is $300.

G.Z.

----- Original Message -----
From: Dave Beckstrom [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Wednesday, September 20, 2006 1:08 PM
Subject: RE: [Declude.JunkMail] Spam Spike

I run Blackice Server on the mail server. It drops the connecting IP if we receive more than a user specified number of attempts for non-existent email addresses within a user specified time limit. It then blocks that IP for a user specified amount of time before removing the block. It prevents email address harvesting from our server. Not bad for a product that cost about $200 if I recall correctly.

A side benefit is that it stores a text file with the hostname/IP address in a folder for every blocked IP. Over time, I can see patterns and permanently block those IP ranges in my firewall if I so desire.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Anton
Sent: Tuesday, September 19, 2006 1:02 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Spam Spike

Darrell,

We are averaging 40 to 50% on the processor. I was just surprised because in 3 years we haven't seen a spike this large. Most of them are dictionary style. But since they aren't from the same IP, I don't think the imail 2006 dictionary feature would help us. Thoughts?
[Declude.JunkMail] Analyzing junkmail log files
Up until upgrading from Declude 2.06 to 3.11 I had been using delog 1.08b from imagefxonline for analyzing my junkmail log files. After the upgrade it no longer works. Delog was a simple tool that emailed me daily and gave statistics for all the tests. From this I could determine which were the most effective.

Does anybody have a suggestion for a replacement program to analyze junkmail log files that can email the results automatically? Which program has been the most successful? Or has anyone been successful using delog with declude 3.11?

Thanks
RE: [Declude.JunkMail] Spam Spike
I just bought it and installed it on one of my mail servers and it's pretty good. Worth 300 bucks. Easy install, easy to configure.

Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.com
E: [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Glenn \ WCNet
Sent: Wednesday, September 20, 2006 10:15 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Spam Spike

How tricky is it to configure this? Current price I find is $300.

G.Z.

----- Original Message -----
From: Dave Beckstrom [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Wednesday, September 20, 2006 1:08 PM
Subject: RE: [Declude.JunkMail] Spam Spike

I run Blackice Server on the mail server. It drops the connecting IP if we receive more than a user specified number of attempts for non-existent email addresses within a user specified time limit. It then blocks that IP for a user specified amount of time before removing the block. It prevents email address harvesting from our server. Not bad for a product that cost about $200 if I recall correctly.

A side benefit is that it stores a text file with the hostname/IP address in a folder for every blocked IP. Over time, I can see patterns and permanently block those IP ranges in my firewall if I so desire.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Anton
Sent: Tuesday, September 19, 2006 1:02 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Spam Spike

Darrell,

We are averaging 40 to 50% on the processor. I was just surprised because in 3 years we haven't seen a spike this large. Most of them are dictionary style. But since they aren't from the same IP, I don't think the imail 2006 dictionary feature would help us. Thoughts?
RE: [Declude.JunkMail] Analyzing junkmail log files
I've been using my own, written in VB.net. Quick and dirty, but it gets the job done. Been thinking of porting it to run under a web page and selling it for cheap if there was an interest.

Karl Drugge

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Karl Hentschel
Sent: Wednesday, September 20, 2006 4:22 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Analyzing junkmail log files

Up until upgrading from Declude 2.06 to 3.11 I had been using delog 1.08b from imagefxonline for analyzing my junkmail log files. After the upgrade it no longer works. Delog was a simple tool that emailed me daily and gave statistics for all the tests. From this I could determine which were the most effective.

Does anybody have a suggestion for a replacement program to analyze junkmail log files that can email the results automatically? Which program has been the most successful? Or has anyone been successful using delog with declude 3.11?

Thanks
[Declude.JunkMail] Blackice Server (was: Spam Spike)
It is a little tricky from the standpoint that it does not automatically block the IPs and Blackice does not document how to enable this feature. I actually got it working some years ago when I found a guy who had written their software manual. He and I corresponded and he helped me get it figured out.

Out-of-the-box it reports on email harvesting but does not block the IPs. There is an Excel document that needs some parameter changes and there is an .INI file that also needs a change added to it. If anyone buys the software and needs help configuring it, I can post the necessary changes to the list.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Glenn \ WCNet
Sent: Wednesday, September 20, 2006 3:15 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Spam Spike

How tricky is it to configure this? Current price I find is $300.

G.Z.

----- Original Message -----
From: Dave Beckstrom [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Wednesday, September 20, 2006 1:08 PM
Subject: RE: [Declude.JunkMail] Spam Spike

I run Blackice Server on the mail server. It drops the connecting IP if we receive more than a user specified number of attempts for non-existent email addresses within a user specified time limit. It then blocks that IP for a user specified amount of time before removing the block. It prevents email address harvesting from our server. Not bad for a product that cost about $200 if I recall correctly.

A side benefit is that it stores a text file with the hostname/IP address in a folder for every blocked IP. Over time, I can see patterns and permanently block those IP ranges in my firewall if I so desire.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Anton
Sent: Tuesday, September 19, 2006 1:02 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Spam Spike

Darrell,

We are averaging 40 to 50% on the processor. I was just surprised because in 3 years we haven't seen a spike this large. Most of them are dictionary style. But since they aren't from the same IP, I don't think the imail 2006 dictionary feature would help us. Thoughts?
Re: [Declude.JunkMail] Analyzing junkmail log files
Karl,

I would recommend DLAnalyzer (since it's our product). It can process both virus and junkmail logs, process multiple days, process multiple servers, email capability, as well as providing all types of reports. It is compatible with past and current versions of Declude.

Here is a link to all the reports.
http://www.invariantsystems.com/dlanalyzer/reportsamples.htm

We also have a free version that covers the basic features you were used to with Delog.

Darrell

---
Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

Karl Hentschel writes:

Up until upgrading from Declude 2.06 to 3.11 I had been using delog 1.08b from imagefxonline for analyzing my junkmail log files. After the upgrade it no longer works. Delog was a simple tool that emailed me daily and gave statistics for all the tests. From this I could determine which were the most effective.

Does anybody have a suggestion for a replacement program to analyze junkmail log files that can email the results automatically? Which program has been the most successful? Or has anyone been successful using delog with declude 3.11?

Thanks
Re: [Declude.JunkMail] Analyzing junkmail log files
Try here: http://www.invariantsystems.com/

Karl Hentschel wrote:

Up until upgrading from Declude 2.06 to 3.11 I had been using delog 1.08b from imagefxonline for analyzing my junkmail log files. After the upgrade it no longer works. Delog was a simple tool that emailed me daily and gave statistics for all the tests. From this I could determine which were the most effective.

Does anybody have a suggestion for a replacement program to analyze junkmail log files that can email the results automatically? Which program has been the most successful? Or has anyone been successful using delog with declude 3.11?

Thanks
RE: [Declude.JunkMail] Analyzing junkmail log files
Yeah, I have the DLAnalyzer on two mail servers and it's also a decent product. It automatically emails me a nice html report each day showing all spam and virus activity for the previous day. Nice one Darrell.

Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.com
E: [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Wednesday, September 20, 2006 11:33 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Analyzing junkmail log files

Karl,

I would recommend DLAnalyzer (since it's our product). It can process both virus and junkmail logs, process multiple days, process multiple servers, email capability, as well as providing all types of reports. It is compatible with past and current versions of Declude.

Here is a link to all the reports.
http://www.invariantsystems.com/dlanalyzer/reportsamples.htm

We also have a free version that covers the basic features you were used to with Delog.

Darrell

---
Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

Karl Hentschel writes:

Up until upgrading from Declude 2.06 to 3.11 I had been using delog 1.08b from imagefxonline for analyzing my junkmail log files. After the upgrade it no longer works. Delog was a simple tool that emailed me daily and gave statistics for all the tests. From this I could determine which were the most effective.

Does anybody have a suggestion for a replacement program to analyze junkmail log files that can email the results automatically? Which program has been the most successful? Or has anyone been successful using delog with declude 3.11?

Thanks
RE: [Declude.JunkMail] Analyzing junkmail log files
I also use baretailpro from baremetalsoft.com to look at log files. When the server is getting peaky it's excellent for looking at logs on the fly because you can tell it to highlight certain keywords. They do a couple of versions: a free version and a pro version. The free version is okay but the paid version is better as you can quickly filter the log files based on keywords, and it's very quick even with my 100MB + log files. Someone on this forum put me onto it. You can analyse any kind of log file with it, btw.

Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.com
E: [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Wednesday, September 20, 2006 11:33 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Analyzing junkmail log files
[Declude.JunkMail] iMail Sys Log Files are growing out of control
I apologize if this is OT, but this is the best support group I know of for emergency situations, and I have one.

Starting one week ago today (Sept 13th), my iMail Sysxxx.txt log files began to grow out of control. Files that for several years have averaged around 4Mb in size suddenly jumped to about 1.5 Gig per day and have remained there. I found out about this when my server reported running out of Volume space on the log file partition (which has 15Gig assigned to it) this morning! These files are so large that I can't even open them! Nothing has changed on the server that I am aware of.

Has anyone seen this behavior before or have any suggestions?

Thanks in advance for any help anyone might be able to provide.

Wolf
RE: [Declude.JunkMail] iMail Sys Log Files are growing out of control
1. Check your logging level. Make sure it is not at a debug level.

M

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wolf Tombe
Sent: Wednesday, September 20, 2006 4:35 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] iMail Sys Log Files are growing out of control
Re: [Declude.JunkMail] iMail Sys Log Files are growing out of control
Yes, happened a month or so ago, for several days. I think during a particularly heavy dictionary attack. Spammers don't make sense, attacking a server so hard as to effectively crash it. They're cutting their own throats.

G.Z.

----- Original Message -----
From: Wolf Tombe
To: declude.junkmail@declude.com
Sent: Wednesday, September 20, 2006 6:34 PM
Subject: [Declude.JunkMail] iMail Sys Log Files are growing out of control
Re: [Declude.JunkMail] iMail Sys Log Files are growing out of control
If you have it set up for the "log server", it is in fact a syslog server and you might have another app that is sending packets to it. If you can't open the logs, then delete the current day's log and then open it after it starts to grow again. It is likely that the data being recorded will expose the issue.

Matt
RE: [Declude.JunkMail] iMail Sys Log Files are growing out of control
Under your domain name (based on your email), I performed several tests to make sure you are not an open relay, and it seems you aren't. With that said, the only thing I can think of is that you are suffering a huge dictionary attack and that info is, of course, being logged. Probably "Verbose Logging" is on, and for sure that increases the amount of logs, but to grow from 4 Mb to 1.5 gig is amazing.

If this is growing by the minute, rename the log file and wait for the log to create itself again for the current day. Wait a few minutes and open the log to see the log and study it. It will surely give you hints about what is causing such growth.

Another possibility is that you have users with viruses and they are using your SMTP server big time. Probably the virus is not going anywhere if you have an internal antivirus (Imail), but the information is logged anyway.

Just my two cents.

-Luis

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wolf Tombe
Sent: Wednesday, September 20, 2006 06:35 p.m.
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] iMail Sys Log Files are growing out of control
RE: [Declude.JunkMail] IMail Sys Log Files are growing out of control
1. You are probably experiencing dictionary attacks, which could account for the sudden jump in log files.
2. Your server may be hijacked and is relaying spam.
3. Possible that one or more computers (man would I like to say users, he he) is infected with a virus and is sending out large amounts of emails.
4. It could be that logging started working right. Log file of 4 MB is extremely small.

Of course, you have not stated how much email passes through your server, so these are only guesses.

Many of us disable the Imail syslog service and use a full-fledged syslog such as Kiwi, which allows for a lot of flexibility including where to log to file.

John T
eServices For You
Seek, and ye shall find!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wolf Tombe
Sent: Wednesday, September 20, 2006 4:35 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] iMail Sys Log Files are growing out of control
RE: [Declude.JunkMail] IMail Sys Log Files are growing out of control
I want to thank everyone who responded so quickly to my post! Following the advice of several of you I was able to get a small logfile (seconds after I restarted the logging) and found that I'm being hammered by a dictionary attack coming from 89.138.31.75. I'm looking to block the IP address right now.

Thanks again everyone!

Wolf

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Wednesday, September 20, 2006 8:12 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] IMail Sys Log Files are growing out of control
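The replies in this thread suggest taking a small sample of the oversized log and studying what is filling it. As an added example (not from the thread, IMail or Declude), the Python below reads only the tail of a file too large to open and ranks the IPv4 addresses that appear on the most lines. The log lines and addresses are constructed, since the thread does not show the real IMail log layout.

```python
import os
import re
import tempfile
from collections import Counter

# Dotted-quad matcher: each octet 0-255, not embedded in a longer dotted number.
_OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
IPV4 = re.compile(rf"(?<![\d.]){_OCTET}(?:\.{_OCTET}){{3}}(?!\d|\.\d)")


def tail_lines(path, max_bytes=4 * 1024 * 1024):
    """Return the complete lines in the last max_bytes of a file of any size."""
    size = os.path.getsize(path)
    start = max(0, size - max_bytes)
    with open(path, "rb") as fh:
        fh.seek(start)
        data = fh.read()
    if start > 0:
        # The read began mid-file; discard everything up to the first newline.
        cut = data.find(b"\n")
        data = data[cut + 1:] if cut != -1 else b""
    return [raw.decode("latin-1") for raw in data.splitlines()]


def top_sources(lines, n=3):
    """Tally lines per IPv4 address; return (line_count, [(ip, hits, share)])."""
    hits = Counter()
    for line in lines:
        # Count each address once per line so repeated mentions do not inflate it.
        hits.update({m.group(0) for m in IPV4.finditer(line)})
    total = len(lines)
    return total, [(ip, c, c / total) for ip, c in hits.most_common(n)]


def demo():
    """Write a constructed log, then analyse only its last 2 KB."""
    noisy = "203.0.113.7"  # constructed address from a documentation range
    rows = [f"13:45:{i % 60:02d} SMTPD [{noisy}] unknown user <u{i}@example.com>"
            for i in range(300)]
    # Sprinkle in constructed lines from other peers (every 25th row).
    rows[::25] = [f"13:46:00 SMTPD [198.51.100.{i}] message accepted"
                  for i in range(12)]
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("\n".join(rows) + "\n")
    try:
        return top_sources(tail_lines(fh.name, max_bytes=2048))
    finally:
        os.remove(fh.name)


if __name__ == "__main__":
    total, ranked = demo()
    for ip, count, share in ranked:
        print(f"{ip:15s} {count:6d} lines  {share:6.1%} of {total} sampled")
```

The mail server's own address will also rank highly if the log records it on every line, so the operator should recognise and ignore it when reading the result.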