Re: [Declude.JunkMail] Minimum weight of a filter
Nigeria filtering

Have a look at the spam assassin files. They have a very good Nigerian spam filter so you should be able to find the search strings in there. Search for Nigerian and you will find it in these files:

20_head_tests.cf
20_meta_tests.cf
20_phrases.cf
50_scores.cf

Good Luck

Cheers
Adrian

----- Original Message -----
From: "Goran Jovanovic" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, April 23, 2004 1:45 PM
Subject: RE: [Declude.JunkMail] Minimum weight of a filter

Scott,

> > I'm working on trapping more Nigerian Scams.
> What would you do in a filter?

Search the body for phrases that are found in these types of e-mails?

Goran

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Dangerous img dynsrc tag in body
Just for your information:

We received a couple of Spam emails (fake ebay notifications) with the following dangerous tag in the body:

http://68.192.132.122_:8067/')>

(I added the _ at the end so it doesn't harm anyone)

As soon as you open the email, the window will open the url. The website hosts a dangerous ActiveX script that gets executed as soon as you open the website. The Antivirus (F-prot, AVG, McAfee) did not find a virus in the email and let it through because it's just a html tag.

I added a body filter that searches for "
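A check for the kind of tag this message describes, as an added example that is not part of the original post: it parses the HTML parts of a message and reports any tag carrying a dynsrc attribute, so differences in case, quoting or spacing do not hide the attribute from the filter. The sample messages are constructed (192.0.2.10 is a documentation address), and the names find_dynsrc and DynsrcFinder are made up for this example.

```python
from email import message_from_string
from html.parser import HTMLParser


class DynsrcFinder(HTMLParser):
    """Collect (tag, url) for every start tag that has a dynsrc attribute."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names, so DYNSRC,
        # DynSrc and dynsrc all arrive here as "dynsrc".
        for name, value in attrs:
            if name == "dynsrc":
                self.hits.append((tag, value or ""))


def find_dynsrc(raw_message):
    """Return a list of (tag, url) found in the text/html parts of a message."""
    msg = message_from_string(raw_message)
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        payload = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "latin-1"
        try:
            html = payload.decode(charset, errors="replace")
        except LookupError:
            # Unknown charset label: fall back to a byte-preserving decode.
            html = payload.decode("latin-1")
        finder = DynsrcFinder()
        finder.feed(html)
        finder.close()
        hits.extend(finder.hits)
    return hits


# Constructed sample: multipart message whose HTML part carries the attribute
# in mixed case, which a case-sensitive literal string match would miss.
SAMPLE = "\n".join([
    "From: sender@example.com",
    "Subject: constructed sample",
    "MIME-Version: 1.0",
    'Content-Type: multipart/alternative; boundary="b1"',
    "",
    "--b1",
    "Content-Type: text/plain; charset=us-ascii",
    "",
    "Please verify your account.",
    "--b1",
    "Content-Type: text/html; charset=us-ascii",
    "",
    "<html><body><p>Please verify your account.</p>",
    '<IMG DynSrc="http://192.0.2.10:8067/" width=1 height=1></body></html>',
    "--b1--",
    "",
])

# Constructed sample: ordinary HTML mail with a normal image tag.
CLEAN = "\n".join([
    "From: sender@example.com",
    "Subject: constructed clean sample",
    "MIME-Version: 1.0",
    "Content-Type: text/html; charset=us-ascii",
    "",
    '<html><body><img src="http://192.0.2.20/logo.png"></body></html>',
    "",
])

if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE), ("clean", CLEAN)):
        print(label, find_dynsrc(raw))
```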
Re: [Declude.JunkMail] OT: Scripting batch files
Try blat as a win32 command line mailer. It supports attachments and runs very stable:
http://sourceforge.net/projects/blat

Adrian

----- Original Message -----
From: "Jason" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, April 19, 2004 5:05 PM
Subject: [Declude.JunkMail] OT: Scripting batch files

Hello everyone. I have created a batch file that runs Bill's log analyzer that was made available last week. What I would like to do is have the DOS batch file e-mail this each night at midnight using the previous day's declude log file. I do not know much about date scripting in DOS batch files so any help would be appreciated. Here is the batch I have (very basic):

wamlog c:\imail\spool\dec0418.log > Stats.txt
imail1 -s Daily Spam Stats -t [EMAIL PROTECTED] -u Spam -h domain.com -f Stats.txt

Thanks,
Jason
RE: *****spam*****[11]RE: [Declude.JunkMail] Off topic - iis, web servers and txt files
Run asp and load the text file into a stream object and send it to the browser. See: http://www.psacake.com/web/if.asp

The example has a small code error:

Response.AddHeader "Content-Disposition", "attachment; filename= strFileName

should be

Response.AddHeader "Content-Disposition", "attachment; filename=" & strFileName

Add the following line:

Case ".txt"
ContentType = "text/plain"

I hope this helps.

Cheers
Adrian

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Omar K.
Sent: Thursday, February 05, 2004 6:22 AM
To: [EMAIL PROTECTED]
Subject: *spam*[11]RE: [Declude.JunkMail] Off topic - iis, web servers and txt files

Mess around with the mime maps for your IIS server, define that file extension as anything other than clear-text, I think that will tell the browser to treat it as an attachment and not open it up in the browser.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Doug Anderson
Sent: Wednesday, February 04, 2004 9:25 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Off topic - iis, web servers and txt files

That's what I'm trying to get away from. Actually have it pop up to open or download. My users have problems understanding right click. Plus I'm rewriting it so that have to enter username and password to get to the link.

----- Original Message -----
From: Kevin Bilbee
To: [EMAIL PROTECTED]
Sent: Wednesday, February 04, 2004 1:16 PM
Subject: RE: [Declude.JunkMail] Off topic - iis, web servers and txt files

In internet explorer right click your link and choose "Save Target As"

Kevin Bilbee

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Doug Anderson
Sent: Wednesday, February 04, 2004 11:06 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Off topic - iis, web servers and txt files

Ok, I'm running IIS 5.0 on my imail server. I've written a program to read the ldap and create a ldif file.
I put the ldif file (xxx.ldif) in a sub directory on the web server and when I put a link to it, it displays it directly in the browser. I want it to download, not display as text. Any ideas on how to config IIS to make it download? P.S. Once I get this program fully functional I'll put it out on my personal web site for download if anyone wants it. It's a console app made with .net that will create: csv, ldif, alias, or list-lst/txt files from the ldap.
Re: [Declude.JunkMail] FW: %RND_SUBJECTS (This worries me!)
Here is also a list of rbl's that we trust and directly bounce:
(most of them are spam traps, open relay lists or filters by country so you should be safe)

dul.dnsbl.sorbs.net, list.dsbl.org, xbl.spamhaus.org, sbl.spamhaus.org, KR.rbl.cluecentral.net, RU.rbl.cluecentral.net, CN.rbl.cluecentral.net, JP.rbl.cluecentral.net, BR.rbl.cluecentral.net, TW.rbl.cluecentral.net, GE.rbl.cluecentral.net, HU.rbl.cluecentral.net, relays.ordb.org, zombie.dnsbl.sorbs.net, socks.dnsbl.sorbs.net, http.dnsbl.sorbs.net, BG.rbl.cluecentral.net, cbl.abuseat.org, VE.rbl.cluecentral.net, PL.rbl.cluecentral.net, PH.rbl.cluecentral.net, relays.visi.com, UA.rbl.cluecentral.net, CL.rbl.cluecentral.net, TR.rbl.cluecentral.net, AZ.rbl.cluecentral.net, MY.rbl.cluecentral.net, TH.rbl.cluecentral.net

Adrian

----- Original Message -----
From: "marc catuogno" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, March 29, 2004 12:47 PM
Subject: RE: [Declude.JunkMail] FW: %RND_SUBJECTS (This worries me!)

This could work for me. I have Whitelist Auth on so my users coming in from RR and so on should get through. If I block these (or at least weight them heavily) I can get spam - and even new viruses - coming in through zombies, blocked or deleted. It may block a few hobbyists running smtp on their home servers, but I basically only have to worry about my agents, I'm not hosting anyone else really..

Thanks - this may make my life a bit less spammy~

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adrian Hauri
Sent: Sunday, March 28, 2004 9:30 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] FW: %RND_SUBJECTS (This worries me!)
Our company blocks everything with reverse DNS entry from *.client.comcast.net, *.rr.com, *.du.shawcable.net, *.eastlink.ca, *.client.attbi.com, *client2.attbi.com, *cable.wanadoo.nl, *.de.comcast.net, *.md.comcast.net, *.tn.comcast.net, *.va.comcast.net, *.ipt.aol.com, *.east.verizon.net, *.vie.surfer.at, *.sprint-hsd.net, *cable.wanadoo.nl etc.

Additionally we block everything with *-number-* (like -26-), *.number.*, *.cable.*, *.pp.*, *.ip.*, *modem*, *async*, *rback*, *dyn*, *dhcp*, *ppp*, *dial*, *dsl* in the reverse DNS.

This blocks a lot of unwanted emails. It is rare that a reverse DNS entry of a legal mailserver has dsl in the name. We just had one reverse DNS entry that we had to whitelist: mailservers for swiftdsl.com.au. But it helped us to minimize the rbl lookup and speed up the mail processing.

There were some people who rang us up because they got the bounce message but all of them didn't have a proper reverse DNS entry for their mailserver.

It's up to you how strict you are with blocking emails. But because we do not run a mail service for a lot of clients we can apply strict rules.

Adrian

ToadShow Pty Ltd
phone: 07 3004 7900
fax: 07 3846 1220
email: [EMAIL PROTECTED]
http://www.toadshow.com.au

----- Original Message -----
From: marc catuogno
To: [EMAIL PROTECTED]
Sent: Monday, March 29, 2004 9:32 AM
Subject: [Declude.JunkMail] FW: %RND_SUBJECTS (This worries me!)

I just got this e-mail and I just feel like someone is targeting my domain for a spam campaign. When I hit view source, it only said "test". Any suggestions on how to block this?? I'm surprised that DUL or DYNA didn't catch this at all, looks like it came in through a dynamic Comcast IP not one of their SMTP servers. I put "prod-infinitum.com" into the declude header filter with enough weight to hold it, but I don't think that would be enough.

Thanks - Marc

-----Original Message-----
From: Shella Arrington [mailto:[EMAIL PROTECTED]
Sent: Sunday, March 28, 2004 5:10 AM
To: [EMAIL PROTECTED]
Subject: %RND_SUBJECTS

test

Headers:
Received: from c-24-13-168-241.client.comcast.net [24.13.168.241] by mail.prudentialrand.com (SMTPD32-8.05) id AED14440132; Sun, 28 Mar 2004 17:16:49 -0500
Received: from 18.104.180.255 by 24.13.168.241; Sun, 28 Mar 2004 11:13:22 +0100
Message-ID: <[EMAIL PROTECTED]>
From: "Shella Arrington" <[EMAIL PROTECTED]>
Reply-To: "Shella Arrington" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: %RND_SUBJECTS
Date: Sun, 28 Mar 2004 13:10:22 +0300
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="--0825904990538747225"
X-Mailer: PIPEX NetMail 2.2.0-pre13
X-IP: 221.134.57.232
X-IMAIL-SPAM-VALFROM: (71565618)
X-RBL-Warning: NOABUSE: "Not supporting [EMAIL PROTECTED]" [2-18-9000]
X-RBL-Warning: NOPOSTMASTER: "Not supporting [EMAIL PROTECTED]" [2-19-9800]
X-RBL-Warning: IPNOTINMX: [2-25-c800]
X-RBL-Warning: CMDSPACE
Re: [Declude.JunkMail] FW: %RND_SUBJECTS (This worries me!)
Our company blocks everything with reverse DNS entry from *.client.comcast.net, *.rr.com, *.du.shawcable.net, *.eastlink.ca, *.client.attbi.com, *client2.attbi.com, *cable.wanadoo.nl, *.de.comcast.net, *.md.comcast.net, *.tn.comcast.net, *.va.comcast.net, *.ipt.aol.com, *.east.verizon.net, *.vie.surfer.at, *.sprint-hsd.net, *cable.wanadoo.nl etc.

Additionally we block everything with *-number-* (like -26-), *.number.*, *.cable.*, *.pp.*, *.ip.*, *modem*, *async*, *rback*, *dyn*, *dhcp*, *ppp*, *dial*, *dsl* in the reverse DNS.

This blocks a lot of unwanted emails. It is rare that a reverse DNS entry of a legal mailserver has dsl in the name. We just had one reverse DNS entry that we had to whitelist: mailservers for swiftdsl.com.au. But it helped us to minimize the rbl lookup and speed up the mail processing.

There were some people who rang us up because they got the bounce message but all of them didn't have a proper reverse DNS entry for their mailserver.

It's up to you how strict you are with blocking emails. But because we do not run a mail service for a lot of clients we can apply strict rules.

Adrian

ToadShow Pty Ltd
phone: 07 3004 7900
fax: 07 3846 1220
email: [EMAIL PROTECTED]
http://www.toadshow.com.au

----- Original Message -----
From: marc catuogno
To: [EMAIL PROTECTED]
Sent: Monday, March 29, 2004 9:32 AM
Subject: [Declude.JunkMail] FW: %RND_SUBJECTS (This worries me!)

I just got this e-mail and I just feel like someone is targeting my domain for a spam campaign. When I hit view source, it only said "test". Any suggestions on how to block this?? I'm surprised that DUL or DYNA didn't catch this at all, looks like it came in through a dynamic Comcast IP not one of their SMTP servers. I put "prod-infinitum.com" into the declude header filter with enough weight to hold it, but I don't think that would be enough.

Thanks - Marc

-----Original Message-----
From: Shella Arrington [mailto:[EMAIL PROTECTED]
Sent: Sunday, March 28, 2004 5:10 AM
To: [EMAIL PROTECTED]
Subject: %RND_SUBJECTS

test

Headers:
Received: from c-24-13-168-241.client.comcast.net [24.13.168.241] by mail.prudentialrand.com (SMTPD32-8.05) id AED14440132; Sun, 28 Mar 2004 17:16:49 -0500
Received: from 18.104.180.255 by 24.13.168.241; Sun, 28 Mar 2004 11:13:22 +0100
Message-ID: <[EMAIL PROTECTED]>
From: "Shella Arrington" <[EMAIL PROTECTED]>
Reply-To: "Shella Arrington" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: %RND_SUBJECTS
Date: Sun, 28 Mar 2004 13:10:22 +0300
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="--0825904990538747225"
X-Mailer: PIPEX NetMail 2.2.0-pre13
X-IP: 221.134.57.232
X-IMAIL-SPAM-VALFROM: (71565618)
X-RBL-Warning: NOABUSE: "Not supporting [EMAIL PROTECTED]" [2-18-9000]
X-RBL-Warning: NOPOSTMASTER: "Not supporting [EMAIL PROTECTED]" [2-19-9800]
X-RBL-Warning: IPNOTINMX: [2-25-c800]
X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command . [2-32-1]
X-Declude-Sender: [EMAIL PROTECTED] [24.13.168.241]
X-Declude-Spoolname: D4ed1044401323a46.SMD
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: NOABUSE, NOPOSTMASTER, IPNOTINMX, NOLEGITCONTENT, CMDSPACE [9]
X-Country-Chain:
X-Note: This E-mail was sent from c-24-13-168-241.client.comcast.net ([24.13.168.241]).
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 380366455
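The reverse DNS rules listed in the message above, written out as a classifier so they can be tried against PTR names before going into a filter. This is an added example, not code from the original post or from Declude: classify_rdns is a made-up name, "number" is read as a run of digits, the whitelist is assumed to cover swiftdsl.com.au and its subdomains, and every sample hostname except the two taken from the quoted Received header is constructed.

```python
import fnmatch
import re

# Provider patterns exactly as listed in the message (the repeated
# *cable.wanadoo.nl entry is kept once).
PROVIDER_PATTERNS = [
    "*.client.comcast.net", "*.rr.com", "*.du.shawcable.net", "*.eastlink.ca",
    "*.client.attbi.com", "*client2.attbi.com", "*cable.wanadoo.nl",
    "*.de.comcast.net", "*.md.comcast.net", "*.tn.comcast.net",
    "*.va.comcast.net", "*.ipt.aol.com", "*.east.verizon.net",
    "*.vie.surfer.at", "*.sprint-hsd.net",
]

# "number" is interpreted as one or more digits (assumption based on the
# "-26-" example given in the post).
NUMBER_RULES = [
    ("*-number-*", re.compile(r"-\d+-")),
    ("*.number.*", re.compile(r"\.\d+\.")),
]

# Generic label and substring patterns from the message.
GENERIC_PATTERNS = [
    "*.cable.*", "*.pp.*", "*.ip.*", "*modem*", "*async*", "*rback*",
    "*dyn*", "*dhcp*", "*ppp*", "*dial*", "*dsl*",
]

# The one exception the message mentions. Covering the domain and all of its
# subdomains is an assumption; the post only names "swiftdsl.com.au".
WHITELIST_DOMAINS = ["swiftdsl.com.au"]


def classify_rdns(hostname):
    """Return (verdict, rule) for a PTR name: allow, block or whitelist."""
    host = hostname.strip().rstrip(".").lower()
    # Whitelist is checked first, otherwise *dsl* would block it.
    for domain in WHITELIST_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return ("whitelist", domain)
    for pattern in PROVIDER_PATTERNS:
        if fnmatch.fnmatchcase(host, pattern):
            return ("block", pattern)
    for label, regex in NUMBER_RULES:
        if regex.search(host):
            return ("block", label)
    for pattern in GENERIC_PATTERNS:
        if fnmatch.fnmatchcase(host, pattern):
            return ("block", pattern)
    return ("allow", None)


# The first two names come from the Received header quoted in the thread;
# the others are constructed for illustration.
SAMPLES = [
    "c-24-13-168-241.client.comcast.net",
    "mail.prudentialrand.com",
    "mail.swiftdsl.com.au",
    "adsl-68-20-1-5.example.net",
    "smtp.dynamics.example.com",  # ordinary-looking name caught by *dyn*
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(name, classify_rdns(name))
```

The last sample shows the cost the message alludes to: substring rules such as *dyn* also match names that are not dynamic address pools, so each new rule is worth running against a list of known-good senders first.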
Re: [Declude.JunkMail] Raid Controller
Just for those who plan to run a high-speed Raid:

Today's bottleneck is not only the Raid-Controller, it's more about shared PCI-bus (LAN and RAID Controller) which is normally a PCI-33 Bus:

PCI-33
133MB/s burst rate on 32bit/33MHz PCI bus (32bit x 33Mhz=105600bit/s, divided by 8 = 132'000'000B/s)

PCI-66
266MB/s burst rate on 32bit/66MHz PCI bus (32bit x 66Mhz=211200bits/s)

PCI 64bit 33Mhz
266MB/s burst rate on 64bit/33MHz PCI bus (64bit x 33Mhz=105600bits/s)
Requires 64bit OS and expensive chipset (systemworks/special ram because of the chipset etc.) as far as I know.

PCI 64bit 66Mhz
266MB/s burst rate on 64bit/33MHz PCI bus (64bit x 33Mhz=105600bits/s)
Requires 64bit OS.

PCI-X 1.0 (66,100,133Mhz)
speed from 133MB-1066MB/s or more
A motherboard with pci-x slots downgrades all pci-x slots to the slowest pci card used in one of the pci-x slots.

PCI-X 2.0
2132MB/s or 4264MB/s

PCI Express
512MB/s - 16GB/s

Read more about PCI-X here: http://www.connecttech.com/KnowledgeDatabase/kdb290.htm
You can find more pci info's here: http://www.tomshardware.com/motherboard/20040301/alderwood-11.html
If you would like to know which intel chipset is supporting which pci bus, look here: http://www.intel.com/design/chipsets/embedded/

Adrian

ToadShow Pty Ltd
phone: 07 3004 7900
fax: 07 3846 1220
email: [EMAIL PROTECTED]
http://www.toadshow.com.au

----- Original Message -----
From: John Tolmachoff (Lists)
To: [EMAIL PROTECTED]
Sent: Friday, March 26, 2004 10:01 AM
Subject: RE: [Declude.JunkMail] Raid Controller

Matt, I agree with you. I am now confused, as I thought it was better to separate physical Spans/Sets/groups by task, not logical partitions on one span/set/group by task.
John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Thursday, March 25, 2004 3:34 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Raid Controller

Ok, I'll bury this for the sake of everyone else on this list (though I thought the full discussion wouldn't hurt since the topic comes up in brief often so I kept it here).

Basically you are saying throw 4 disks into a span and mirror the span (8 drives total, one disk seen by the system, and partitioned into logical drives only for personal preference and not performance). I was under the assumption that the logic was to separate spans for different tasks, in other words have multiple RAID 10 arrays instead of dedicating everything to just one. I can see how redundancy isn't really an issue and performance is better than RAID 50 in this case with the only drawback being wasted space, but that is of no consequence here.

Please feel free to correct me if I'm wrong, otherwise thanks for the discussion :)

Matt

Keith Anderson wrote:

The horse ain't dead yet.

Well, first thing is all RAID levels create one single volume that combines the total available drive space. No matter what RAID level you use, all 10 drives become one big volume, just like the 24-drive RAID 10 that I've got here. You can partition it through Windows only if you want to have more than one volume.

Raid 10 will always be the fastest redundant RAID. Again, let's examine the process for a 4-disk system:

WRITE RAID 10:
Write to primary stripe (half of the drives, high-priority CPU cycles)
Copy to backup stripe (half of the drives, delayed, idle-time CPU cycles)

WRITE RAID 5:
Write to primary stripe (high-priority CPU cycles to all drives)

READ RAID 10:
Read from primary stripe (half the drives)

READ RAID 5:
Read from the whole stripe (all of the drives)

There's also a calculative processor delay in RAID5 that RAID 10 doesn't have to worry about. RAID 10 always knows where the data needs to go, RAID 5 has to figure it out, then create a parity block for every stripe.

You need to examine why you are asking this question-- what is your real storage need, performance vs. volume size vs. security? Do you need the extra usable space with RAID 5 more than you need the 30-40% boost in performance that you get with RAID 10? Do you need RAID 10's extra security of surviving a double-drive failure?

Keith

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Thursday, March 25, 2004 3:06 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Raid Controller

Not to beat a dead horse, but...

Am I mistaken about one RAID 5 array with 4 disks out performing one RAID 10 array with 4 disks? RAID 10 will do double RAID 0 plus a slight hit for mirroring. I thought RAID 5 with 4 disks would out perform two striped drives despite the overhead.

There is another issue though. I can only get 10 drives in a packed 3U chassis, so I could only do two RAID 10 arrays, but with RAID 50, drive partitions wouldn't matter if I'm not mistaken
Re: [Declude.JunkMail] Raid Controller
IDE/SATA or SCSI ?

From my experience it seems that the lifespan of IDE/SATA hard drives in Servers that run 24h/day is between 2 to 5 years, SCSI runs for 3-12 years. So if you plan to do a HD server refresh every 2-3 years, you should be fine with IDE/SATA drives.

I am personally a big fan of Promise raid controllers as Raid1 (mirror). They are rock stable. I never had a faulty controller and I worked once for a promise distributor for 2 years.

Please do not use raid5 if you don't have to. I had several problems including data loss. It was always a HD fault but it wouldn't have happened in Raid1. Today's HD's are big enough to run them as a mirrored raid1.

Here is my configuration (2 years old):
Promise Fasttrak66 with 2x30GB HD. Every month I shut down the mailserver, replace 1 HD with the spare and reboot. Within 45 minutes the server is synchronized and I have a working copy on the removed HD in case of a virus/hacking/complete crash disaster. So in case of a total breakdown or fire you will have your system restored and back online with the spare HD and the latest backup from tape within 2 hours !

Also the good thing about promise and RAID1 is that you can have it all hot-swappable with the proper enclosures. I even know a big hosting company who does just HD hotswap as backup. So they can achieve an uptime of nearly 100%.

Adrian

----- Original Message -----
From: "Matt" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, March 25, 2004 2:21 PM
Subject: Re: [Declude.JunkMail] Raid Controller

> Has anyone thought about serial ATA? I don't see any reason why someone can't build a high quality RAID controller to use these drives, and it appears that they are building high quality drives for serial ATA. A friend told me there was at least one such card on the market already, though I forget what it was.
>
> If you ask me, SCSI is an overpriced racket.
>
> Matt
>
> Kevin Bilbee wrote:
>
> >Recommendations
> >
> >I have the opportunity to add some spindles to our mail server and want to know what people are using and recommend I have been looking at LSI and my boss wants me to look at Adaptec.
> >
> >Kevin Bilbee
>
> --
> =
> MailPure custom filters for Declude JunkMail Pro.
> http://www.mailpure.com/software/
> =
RE: [Declude.JunkMail] Cheap router to limit by IP
Another solution would be Snapgear Firewalls. They run a mini-linux as OS, have VPN built in, no user on LAN limit and run stable as hell. We had a Snapgear-Firewall with an uptime of more than 1 year !!!

The more expensive ones have 2 Serial-connectors for Dial-in modems or backup internet connection. A great product for a great price.

Adrian

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Kevin Bilbee
Sent: Sunday, March 14, 2004 10:47 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Cheap router to limit by IP

30 minute setup Sonicwall TZ170 which also supports VPN

Kevin Bilbee

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Matt
> Sent: Saturday, March 13, 2004 3:59 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] Cheap router to limit by IP
>
> Darrell,
>
> That's not a bad suggestion. They have only one public server, the SMTP gateway, but they're using a Linksys for VPN. They could just replace the Linksys with a real firewall.
>
> I was initially trying to come up with a 2-hour solution that could also be integrated just as quickly since they are doing ok with their current setup, however they had other IP's and we just simply moved the server. I identified his open relay and gave him instructions on how to close it when they came on board a month and a half ago, but that was left open. I'm sure that I sounded a tad alarmist at the time. From what happened to another customer running a closed 5.5.5 installation, it doesn't seem that this spammer cares if it relays or not.
>
> I'll give him the firewall suggestion since we bought ourselves a bit more time and he's going to be watching the server closely until it gets completely resolved.
>
> Thanks,
>
> Matt
>
> DLAnalyzer Support wrote:
>
> > Matt,
> > I used to put routers in these types of situations, but now I don't.
> > I would suggest you/your customer look at some of the low end Netscreen firewalls like a 5GT. You can get these under $500 and they have way more value than a router..
> > One of the best things about the netscreen devices is they can be installed in "transparent" mode. Which means no ip configuration required. You just basically put it inline of the server and configure the rules on it.
> > http://www.netscreen.com/products/at_a_glance/ds_5xt.jsp
> > Darrell
> >
> > Check Out DLAnalyzer a comprehensive reporting tool for Declude Junkmail Logs - http://www.dlanalyzer.com
> >
> > Matt writes:
> >
> >> I have yet another customer that is running GroupWise 5x that is getting attacked by some asian spammer trying to dictionary attack Yahoo.co.jp and other regional sites. Until they can get onto GroupWise 6 (which will reject at the SMTP envelope), my recommendation was for them to install a new router capable of limiting port 25 to just my server's IP, the only problem is that he needs something fast and cheap.
> >> Does anyone know of any cheap, chain store stocked routers that are capable of limiting a particular port to a particular IP on inbound only (it still has to deliver by SMTP, just only receive from my IP)? I figure that the following are the best candidates based on the fact that they are readily available.
> >> http://www.compusa.com/products/products.asp?N=200158&CusaNe=200139
> >> Note that he only needs to firewall one port.
> >> BTW, if you are running GroupWise 5.x (including 5.5.5), this asian spammer will stick a group of zombies on your machine for weeks on end even if in fact your server is not actually relaying the messages. This is the same spammer that is responsible for the majority of the Job-Jobs that my locally hosted domains see right now.
> >> Thanks,
> >> Matt
[Declude.JunkMail] Unix services for windows from Microsoft
Has anyone heard about the new Unix services for windows from Microsoft? (posted 15.Jan.04)

Interix technology provides a UNIX environment that runs on top the Windows kernel, enabling UNIX application and scripts to run natively on the Windows platform alongside Windows applications

http://www.microsoft.com/windows/sfu/productinfo/overview/default.asp

I would like to run SPAMD on W2k/XP/2003 instead of Linux in the long run

Cheers
Adrian
[Declude.JunkMail] EASYNET discontinued starting Dec 1 2003
See the statement here: http://abuse.easynet.nl/proxies.html

Adrian
[Declude.JunkMail] High Traffic Windows tweaks
For those out there who run a high traffic mailserver I just found this article:
http://www.stalker.com/CommuniGatePro/Scalability.html#TimeWait

Summary:
- It is recommended to change the TCP TIME_WAIT time in the windows registry from 180 seconds to 20-30 seconds.
- The Windows system limits the maximum port number assigned to outgoing connections. By default this value is 5000. You may want to increase that value to 20,000 or more, by adding the MaxUserPort DWORD-type value to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters key.

Please let me (and the list) know if you experience a performance increase.

Cheers
Adrian
Re: [Declude.JunkMail] What is this test?
Do you really authenticate with a username and pwd when sending emails ? Please check your smtp server settings in your emails program. Do you use IMail V8.X ? It works with IMail V8.X and Declude >= V1.75.

(Your email fails the EASYNET-DYNA test because you are on a dialup-line or Cable/Adsl with a dynamic IP. But with WHITELIST AUTH it should bypass all tests)

Adrian

----- Original Message -----
From: "Michael Graveen" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, October 20, 2003 10:55 AM
Subject: Re: [Declude.JunkMail] What is this test?

> I have enabled WHITELIST AUTH and stopped and started the SMTP service, but I still can't send mail to internal clients or myself. I fail the following SPAM tests:
> X-Spam-Tests-Failed: EASYNET-DYNA, IPNOTINMX [3]
> I've never had this problem in the past. I had recently upgraded to Declude 1.75. Any ideas?
>
> Mike
>
> At 09:37 PM 10/17/2003 -0700, you wrote:
> >----- Original Message -----
> >From: "Michael Graveen" <[EMAIL PROTECTED]>
> >
> > > I have Imail8. What does WHITELIST AUTH do? I don't see it in the JunkMail manual.
> >
> >It allows you to automatically whitelist any message that has been sent by an e-mail client that has authenticated via SMTP Authentication, thereby bypassing all spam tests.
> >
> >Bill
Re: [Declude.JunkMail] What is this test?
Hi Michael,

EASYNET-DYNA is the blacklist of dynablock.easynet.nl; see: http://www.declude.com/Junkmail/support/ip4r.htm .

Use WHITELIST AUTH in your GLOBAL.CFG file if you have IMail V8.X and Declude V1.75 so authenticated users will be whitelisted, or do not check outgoing emails.

Cheers
Adrian

----- Original Message -----
From: "Michael Graveen" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, October 17, 2003 12:14 PM
Subject: [Declude.JunkMail] What is this test?

> I have a client that has a domain that we host. They sent an email through
> the mail server and it failed the following tests:
>
> X-Spam-Tests-Failed: EASYNET-DYNA, IPNOTINMX [3]
>
> My question is, what is EASYNET-DYNA? I don't see it in the JunkMail manual.
>
> Thanks,
>
> Mike
[Declude.JunkMail] Spam assassin .exe as external filter
I was just wondering if anyone has implemented SpamAssassin with Declude (as an external filter)? There is an easy-to-use .exe version available from http://www.drbig.co.uk/modules/mydownloads/ .

At the moment I use SAproxy, which filters a lot with its Bayesian classifier etc. But I would like to implement it directly on the server with Declude because some filters are really great. If someone has done the implementation already, please let me know.

Cheers
Adrian
Re: [Declude.JunkMail] [OT] - Subject: URGENT URGENT URGENT
This is just a virus hoax: http://www.trendmicro.com/vinfo/hoaxes/hoax5.asp?HName=Got+You+Worm+Hoax

Cheers
Adrian

From: Jeff Maze - Hostmaster
To: [EMAIL PROTECTED]
Sent: Thursday, September 11, 2003 11:03 AM
Subject: [Declude.JunkMail] [OT] - Subject: URGENT URGENT URGENT

Anyone else getting messages such as this? I'm getting them delivered into a number of different e-mail accounts. Could this be the next thing thanks to SoBig?

-----Original Message-----
From: Aron [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 11, 2003 8:45 AM
Subject: URGENT URGENT URGENT
Importance: High

"GOT YOU"

If you were dumb enough to open this email then you will find a WORM has executed itself through your mailbox and by the time you read this into your hard-drive. This is PAYBACK for the Virus you disguised in the email you sent to us recently which destroyed our hard-drive and back-up system. This costs us thousands of dollars and we lost a lot of irreplaceable files on our system. Now it's your turn to have your computer infected. This WORM it is undetectable by AntiVirus software and it will drive your computer crazy because it's always hiding and causing havoc in your system. Using your computer recovery disks will not remove the problem cause it still stays on your computers Motherboard. This will probably cost you a new computer and I sincerely hope this teaches you a lesson not to send people nasty viruses again.

Evocash Administration Inc.
Phone: +1 767 4499922
Fax: +1 767 4499922

^+Start^=Auto^Execute+^WORM^-^+Start^=Auto^Execute+^WORM^-^+Start^=Auto^Execute+^WORM^-^+Start^=Auto^Execute+^WORM^-^+Start^=Auto^Execute+^WORM^-
Re: [Declude.JunkMail] Help New Install
Probably your registration does not match your server name. If Declude was registered for web17.icsandiego.com, it works only on a machine with this hostname in the IMail config.

Open the DOS command prompt and type in the following:

>cd c:\imail (if you run IMail in this directory)
>declude.exe -diag

It should show something similar to this:

Diagnostics ON (Declude v1.69i17).
Declude JunkMail: Config file found (D:\IMail\Declude\global.CFG).
Declude Virus: Config file found (D:\IMail\Declude\Virus.CFG).
Declude Hijack:Not installed (no D:\IMail\Declude\Hijack.CFG file).
Declude Confirm: Config file found (D:\IMail\Declude\Confirm.CFG).
34 spam tests defined: DSBL MONKEYFORMMAIL MONKEYPROXIES ORDB OSDIPS OSFORM OSLIST OSPROXY OSRELAY OSSMART OSSOFT SPAMCOP WIREHUB-DNSBL DSN NOPOSTMASTER BONDEDSENDER BADHEADERS BASE64 HELOBOGUS MAILFROM PERCENT ROUTING SPAMHEADERS FILTER1 FILTER2 WEIGHT10 WEIGHT12 WEIGHT12a WEIGHT20 WEIGHT20a WEIGHT20b CATCHALLMAILS NOABUSE REVDNS
IMail reports Official Host Name as: "xxx..xxx".
IMail's SendName registry seems OK: "D:\IMail\Declude.exe".
Declude JunkMail Status: PRO version registered.
Declude Virus Status:Pro Version Registered.
Declude Hijack Status: Registered.
End of diagnostics.

--
Cheers
Adrian

----- Original Message -----
From: "Mike Barnett" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, August 26, 2003 6:02 PM
Subject: [Declude.JunkMail] Help New Install

> Good morning...
>
> This was just sent to Scott...
>
> If someone can help me before he wakes up I would appreciate it...
>
> Scott, hello again. We (InternetCruade) migrated from our old mail
> service, and we think it is running - but we don't see anything
> in the header. We initially had the host name the same as the machine
> (web17.icsandiego.com) but changed it to match the old machine
> (web5.icsandiego.com)
>
> We've disabled spam notification - is there any way to tell if Declude
> is actually running?
>
> Thx
> Curt
Re: [Declude.JunkMail] Spam Attack
These IP addresses are blacklisted as an open relay in ORDB etc. Check http://www.dnsstuff.com/tools/ip4r.ch?ip=217.16.118.12

Cheers
Adrian

----- Original Message -----
From: "Jeff Kratka " <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, July 10, 2003 12:43 PM
Subject: RE: [Declude.JunkMail] Spam Attack

> I first thought that but there are different messages, just bad jokes each message.
>
> There were also some viruses attached which were caught.
>
> Jeff
>
> ----- Original Message -----
> From: "Kevin Bilbee" <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> Date: Wed, 9 Jul 2003 17:39:39 -0700
>
> >> -----Original Message-----
> >> From: [EMAIL PROTECTED]
> >> [mailto:[EMAIL PROTECTED] Behalf Of Jeff Kratka
> >> Sent: Wednesday, July 09, 2003 5:29 PM
> >> To: [EMAIL PROTECTED]
> >> Subject: [Declude.JunkMail] Spam Attack
> >>
> >> Just to let everyone know so others don't get hit with it, I just
> >> had a Spam
> >> attack/Bomb from one particular location. As soon as I found out I blocked
> >> everything possible and things are working. It was so bad that it
> >> killed the
> >> server. It came from:
> >>
> >> [217.16.118.12] MAIL From:<[EMAIL PROTECTED]>
> >>
> >> Every single e-mail was to the same address and from the same address and
> >> IP, there were a couple of thousand that attempted this.
> >
> >My guess is their spam software is stuck in a loop and sending to the same
> >address over and over?
> >
> >> Just thought some others would like to know.
> >>
> >> Jeff Kratka
> >>
> >> *
> >> TymeWyse Internet
> >> P.O.Box 84 - 583 N. Main St., Canyonville, OR 97417
> >> tel/fax: (541) 839-6027 - [EMAIL PROTECTED]
> >> *
>
> --
> **
> TymeWyse Internet
> P.O.Box 84 - 583 N. Main St., Canyonville, OR 97417
> tel/fax: (541) 839-6027 - [EMAIL PROTECTED]
> **
> --
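How ip4r tests such as the EASYNET-DYNA and ORDB tests discussed in the "What is this test?" and "Spam Attack" threads look up an address, as an added Python example that is not part of the original posts. The DNS answers are constructed so it runs offline, `ordb.example` and `wildcard.example` are placeholder zones (the posts do not give ORDB's zone name), and the RFC 5782 control-entry check goes beyond what the posts describe.

```python
import ipaddress
import socket


def query_name(ip, zone):
    """ip4r lookups reverse the IPv4 octets and append the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def listed(ip, zone, resolve):
    """True if the zone returns a 127.0.0.0/8 answer for this address."""
    try:
        return resolve(query_name(ip, zone)).startswith("127.")
    except socket.gaierror:  # NXDOMAIN means "not listed"
        return False


def ip4r_test(ip, zone, resolve=socket.gethostbyname):
    """Return 'listed', 'clean' or 'zone-unusable' for one ip4r test."""
    # RFC 5782 control entries: 127.0.0.2 must be listed, 127.0.0.1 must not.
    # A dead or wildcarded zone fails this and should not add any weight.
    if not listed("127.0.0.2", zone, resolve) or listed("127.0.0.1", zone, resolve):
        return "zone-unusable"
    return "listed" if listed(ip, zone, resolve) else "clean"


# Constructed DNS data: which names resolve is made up for this example.
FAKE_DNS = {
    "2.0.0.127.dynablock.easynet.nl": "127.0.0.2",
    "2.0.0.127.ordb.example": "127.0.0.2",
    "12.118.16.217.ordb.example": "127.0.0.2",
}


def fake_resolve(name):
    """Stand-in for a resolver, backed by the constructed records above."""
    if name.endswith(".wildcard.example"):
        return "127.0.0.2"  # a zone that answers every query
    if name in FAKE_DNS:
        return FAKE_DNS[name]
    raise socket.gaierror("NXDOMAIN (constructed)")


# Test names from the thread mapped to zones; DEAD is a hypothetical test.
TESTS = {
    "EASYNET-DYNA": "dynablock.easynet.nl",
    "ORDB": "ordb.example",
    "DEAD": "wildcard.example",
}


def run_tests(ip, tests=TESTS, resolve=fake_resolve):
    return {name: ip4r_test(ip, zone, resolve) for name, zone in tests.items()}
```

Against the constructed data, `run_tests("217.16.118.12")` reports the address as listed in the ORDB placeholder zone, clean in EASYNET-DYNA, and flags the wildcarded zone as unusable instead of counting it as a hit.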