RE: [Declude.JunkMail] Hijack Not Working ?
I've made the changes, but did not make the registry change. I'll let you guys know what happens. In regards to the web messaging possible trap, Do I really need to up the limits for hijack? It's always been my understanding that web messaging shouldn't send out as much email as frequently than an email client (Outlook, etc.) Thoughts? Thanks. b -Original Message- From: John Tolmachoff [mailto:[EMAIL PROTECTED] Sent: Thursday, March 27, 2003 10:20 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Hijack Not Working ? Importance: High Wait, the DAISYCHAIN option has a big effect on any one hosting lots of users using Web Mail. Anyone thinking about this needs to consider the following: If you have 1000 users using web mail, it is very likely that just normal usage of those users will trigger the hold values. If you are going to do this, you will have to adjust the values upwards significantly so as not to trap normal usage. Correct, or am I off my rocker? John Tolmachoff MCSE, CSSA IT Manager, Network Engineer RelianceSoft, Inc. Fullerton, CA 92835 www.reliancesoft.com --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for Viruses and Spam by Richmond.com] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: SPAMCOP:Re: [Declude.JunkMail] HiJack Not Working ?
I've made the changes below, but the SMTP service on Imail wouldn't start back up. b -Original Message- From: Sanford Whiteman [mailto:[EMAIL PROTECTED] Sent: Thursday, March 27, 2003 2:06 AM To: Brian Cunningham Subject: Re: SPAMCOP:Re: [Declude.JunkMail] HiJack Not Working ? I made these changes and restarted services. But then I stopped receiving emails. Try implementing the DAISYCHAIN function as follows: (a) COPY SMTP32.EXE to SMTP32.EXB (this step just for backup) (b) RENAME SMTP32.EXE to IPSMTP32.EXE (c) COPY DECLUDE.EXE to SMTP32.EXE (d) Add the DAISYCHAIN directive as described earlier In other words, do *not* make the Registry change, nor rename DECLUDE.EXE. I do not believe these steps were part of the standard procedure (and I was the person who originally suggested DAISYCHAIN, so I do have lots of experience implementing it). -Sandy Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for Viruses and Spam by Richmond.com] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: SPAMCOP:Re: [Declude.JunkMail] HiJack Not Working ?
Should I be using the SMTP32.exe or the SMTPd32.exe for this process? Thanks. b -Original Message- From: Sanford Whiteman [mailto:[EMAIL PROTECTED] Sent: Thursday, March 27, 2003 2:06 AM To: Brian Cunningham Subject: Re: SPAMCOP:Re: [Declude.JunkMail] HiJack Not Working ? I made these changes and restarted services. But then I stopped receiving emails. Try implementing the DAISYCHAIN function as follows: (a) COPY SMTP32.EXE to SMTP32.EXB (this step just for backup) (b) RENAME SMTP32.EXE to IPSMTP32.EXE (c) COPY DECLUDE.EXE to SMTP32.EXE (d) Add the DAISYCHAIN directive as described earlier In other words, do *not* make the Registry change, nor rename DECLUDE.EXE. I do not believe these steps were part of the standard procedure (and I was the person who originally suggested DAISYCHAIN, so I do have lots of experience implementing it). -Sandy Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for Viruses and Spam by Richmond.com] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] HiJack Not Working ?
Really dumb questions? Is the syntax of renamed files case sensitive? Does the Daisychain call go within the hijack.cfg file or another config file? Does the Daisychain call need quotes or simply just a call out? Sorry for the dumb questions, but these spammers keep creating new accounts (found another one this morning). We're killing their IP's, but they keep coming in from other systems. I would be awesome if I could get hijack to work with web messaging. Sandy, do you have this config working on your Imail system? If so, what version of Imail are you running? Thanks again. b -Original Message- From: Sanford Whiteman [mailto:[EMAIL PROTECTED] Sent: Thursday, March 27, 2003 2:06 AM To: Brian Cunningham Subject: Re: SPAMCOP:Re: [Declude.JunkMail] HiJack Not Working ? I made these changes and restarted services. But then I stopped receiving emails. Try implementing the DAISYCHAIN function as follows: (a) COPY SMTP32.EXE to SMTP32.EXB (this step just for backup) (b) RENAME SMTP32.EXE to IPSMTP32.EXE (c) COPY DECLUDE.EXE to SMTP32.EXE (d) Add the DAISYCHAIN directive as described earlier In other words, do *not* make the Registry change, nor rename DECLUDE.EXE. I do not believe these steps were part of the standard procedure (and I was the person who originally suggested DAISYCHAIN, so I do have lots of experience implementing it). -Sandy Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for Viruses and Spam by Richmond.com] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Hijack Not Working ?
I gotcha. That could be a problem. We do have about 5000 + web mail users. Could this explain why when I make the changes email stops being delivered? I've checked the hold(s) and there is nothing being held, but maybe the processing is delaying delivery? b -Original Message- From: John Tolmachoff [mailto:[EMAIL PROTECTED] Sent: Thursday, March 27, 2003 11:23 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] Hijack Not Working ? In regards to the web messaging possible trap, Do I really need to up the limits for hijack? It's always been my understanding that web messaging shouldn't send out as much email as frequently than an email client (Outlook, etc.) It depends on how many Web Mail users you have. If you are an ISP with 5000 Web Mail users, it is quite possible for 100 of those to send 1 message each with a 30 minute time period, there by tripping hold 2 and effectively black listing the server IP address. John Tolmachoff MCSE, CSSA IT Manager, Network Engineer RelianceSoft, Inc. Fullerton, CA 92835 www.reliancesoft.com --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for Viruses and Spam by Richmond.com] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
SPAMCOP:RE: [Declude.JunkMail] HiJack Not Working ?
Gotcha. I've been using SMTP32.exe (not the daemon). I just wanted to check because every time I make the change it stops delivery (even after I roll the SMTP service within Imail, which does start up successfully). b -- Original Message -- From: R. Scott Perry [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Thu, 27 Mar 2003 12:32:39 -0500 Should I be using the SMTP32.exe or the SMTPd32.exe for this process? It *must* be SMTP32.exe (SMTPd32.exe is the SMTP Daemon, the service which accepts incoming E-mail, as opposed to the process that delivers the E-mail). -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for Viruses and Spam by Richmond.com] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] HiJack Not Working ?
I've checked, and the Hijack is registered. The config is set to: RELAYTHRESHOLD1 10 20 RELAYTHRESHOLD2 30 60 And the log files have not held anything today. Everything went through as OK with juat a couple not local users. But I see that [EMAIL PROTECTED] now has about 300 outgoing spam messages in the queue. Help! Thanks. b -Original Message- From: R. Scott Perry [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 26, 2003 5:58 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] HiJack Not Working ? We've got a locked down public Imail server where anyone can register for a free email, but all users have to authenticate before relaying mail. We've also got Declude with HiJack in order to stop spammers from using our system But somehow we've got registered users sending hundreds of messages through us and bypassing HiJack. Why isn't the email being trapped by HiJack? The first thing to do is make sure that Declude Hijack is running (you can type \IMail\Declude -diag, *without* making any changes, and you should see a line Declude Hijack Status: Registered). Next, you would want to check your \IMail\Declude\hijack.cfg file to make sure that the settings are reasonable (the default settings are RELAYTHRESHOLD1 10 20 and RELAYTHRESHOLD230 80, which allow up to 80 E-mails to be sent within 30 minutes). Finally, you would check the Declude Hijack log file to see what it says about the E-mails. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for Viruses and Spam by Richmond.com] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
SPAMCOP:RE: [Declude.JunkMail] HiJack Not Working ?
Thanks Scott. I've emailed you the file. We do have a few ALLOWIP's, but I they are for IP's we own. I checked the W log files and it looks like they are coming in through web messaging (god knows how they are sending that much email through web messaging) under several IP's ranging from Nigeria to Israel. I blocked those IP's within Imail Control Access. How can I make Hijack work with webmessaging? b -- Original Message -- From: R. Scott Perry [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Wed, 26 Mar 2003 18:10:23 -0500 And the log files have not held anything today. Everything went through as OK with juat a couple not local users. Note that Declude Hijack allows unlimited E-mail to local users, and doesn't count that towards a user's quota. But I see that [EMAIL PROTECTED] now has about 300 outgoing spam messages in the queue. Do you have any ALLOWIP lines in your hijack.cfg file? Is the user sending these E-mails via SMTP, or web messaging (which would not be scanned by default)? Could you E-mail me the log file (off-list to [EMAIL PROTECTED])? -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for Viruses and Spam by Richmond.com] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
SPAMCOP:Re: [Declude.JunkMail] HiJack Not Working ?
I've got you up until the DAISYCHAIN ipsmtp.exe point. Do you want me to rename the two files and then add the daisychain line above to the config file of hijack? Thanks. b -- Original Message -- From: R. Scott Perry [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Wed, 26 Mar 2003 19:19:28 -0500 I checked the W log files and it looks like they are coming in through web messaging (god knows how they are sending that much email through web messaging) under several IP's ranging from Nigeria to Israel. I blocked those IP's within Imail Control Access. Ah, that explains what is going on. That's the first time I've seen serious spammers try to send E-mail through web messaging. How can I make Hijack work with webmessaging? It is possible to do this, by having the declude.exe file act as the smtp32.exe file, so that Declude can intercept the web messaging E-mail. This is done by renaming the smtp32.exe file to ipsmtp.exe, renaming the declude.exe file to smtp32.exe, using a DAISYCHAIN ipsmtp.exe line in the hijack.cfg file. Then, you need to use regedit to change the HKEY_LOCAL_MACHINE\Software\Ipswitch\IMail\Global\SendName value to point to smtp32.exe instead of declude.com, and finally stop/restart the IMail SMTP service so that IMail will recognize the change -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for Viruses and Spam by Richmond.com] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
SPAMCOP:Re: [Declude.JunkMail] HiJack Not Working ?
Will renaming declude.exe to smtp32.exe cause problems with junkmail or virus? Do I need to rename or make a copy of declude.exe as renamed? b -- Original Message -- From: R. Scott Perry [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Wed, 26 Mar 2003 19:19:28 -0500 I checked the W log files and it looks like they are coming in through web messaging (god knows how they are sending that much email through web messaging) under several IP's ranging from Nigeria to Israel. I blocked those IP's within Imail Control Access. Ah, that explains what is going on. That's the first time I've seen serious spammers try to send E-mail through web messaging. How can I make Hijack work with webmessaging? It is possible to do this, by having the declude.exe file act as the smtp32.exe file, so that Declude can intercept the web messaging E-mail. This is done by renaming the smtp32.exe file to ipsmtp.exe, renaming the declude.exe file to smtp32.exe, using a DAISYCHAIN ipsmtp.exe line in the hijack.cfg file. Then, you need to use regedit to change the HKEY_LOCAL_MACHINE\Software\Ipswitch\IMail\Global\SendName value to point to smtp32.exe instead of declude.com, and finally stop/restart the IMail SMTP service so that IMail will recognize the change -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for Viruses and Spam by Richmond.com] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
SPAMCOP:Re: [Declude.JunkMail] HiJack Not Working ?
Scott, I made these changes and restarted services. But then I stopped receiving emails. When I reverted back, I'm now receiving emails again. Any thoughts? Thanks. b -- Original Message -- From: R. Scott Perry [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Wed, 26 Mar 2003 19:19:28 -0500 I checked the W log files and it looks like they are coming in through web messaging (god knows how they are sending that much email through web messaging) under several IP's ranging from Nigeria to Israel. I blocked those IP's within Imail Control Access. Ah, that explains what is going on. That's the first time I've seen serious spammers try to send E-mail through web messaging. How can I make Hijack work with webmessaging? It is possible to do this, by having the declude.exe file act as the smtp32.exe file, so that Declude can intercept the web messaging E-mail. This is done by renaming the smtp32.exe file to ipsmtp.exe, renaming the declude.exe file to smtp32.exe, using a DAISYCHAIN ipsmtp.exe line in the hijack.cfg file. Then, you need to use regedit to change the HKEY_LOCAL_MACHINE\Software\Ipswitch\IMail\Global\SendName value to point to smtp32.exe instead of declude.com, and finally stop/restart the IMail SMTP service so that IMail will recognize the change -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for Viruses and Spam by Richmond.com] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: SPAMCOP:Re: [Declude.JunkMail] HiJack Not Working ?
The reverse dns is because of a nat'ing scheme we have behind two firewalls and a load director (posts in the past have already described our config). The freaking SpamCop is because I apparently have Spammers sending an incredible amount of spam through our web messaging (i.e. bypassing hijack and why I'm posting it as an issue). How is that even possible? b -- Original Message -- From: Eje Gustafsson [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Wed, 26 Mar 2003 21:27:20 -0600 Not besides that your listed yourself in spamcop and that you need to take a look at the logs to see what's in them and/or show them to us so we can see what is failing. I see a couple of things right of. 1) no reverse DNS for 208.253.112.168 which is your sending ip for you mailserver. 2) your subnet is listed with numerous spam lists. DELINK, SPAMCOP, XBL, HEUR1, REVDNS, SPAMCHK, IPNOTINMX, Reverse-IP - Eje Wednesday, March 26, 2003, 9:15:11 PM, you wrote: BC Scott, BC I made these changes and restarted services. BC But then I stopped receiving emails. BC When I reverted back, I'm now receiving emails again. BC Any thoughts? BC Thanks. BC b BC -- Original Message -- BC From: R. Scott Perry [EMAIL PROTECTED] BC Reply-To: [EMAIL PROTECTED] BC Date: Wed, 26 Mar 2003 19:19:28 -0500 I checked the W log files and it looks like they are coming in through web messaging (god knows how they are sending that much email through web messaging) under several IP's ranging from Nigeria to Israel. I blocked those IP's within Imail Control Access. Ah, that explains what is going on. That's the first time I've seen serious spammers try to send E-mail through web messaging. How can I make Hijack work with webmessaging? It is possible to do this, by having the declude.exe file act as the smtp32.exe file, so that Declude can intercept the web messaging E-mail. This is done by renaming the smtp32.exe file to ipsmtp.exe, renaming the declude.exe file to smtp32.exe, using a DAISYCHAIN ipsmtp.exe line in the hijack.cfg file. Then, you need to use regedit to change the HKEY_LOCAL_MACHINE\Software\Ipswitch\IMail\Global\SendName value to point to smtp32.exe instead of declude.com, and finally stop/restart the IMail SMTP service so that IMail will recognize the change -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for Viruses and Spam by Richmond.com] BC --- BC [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] BC --- BC This E-mail came from the Declude.JunkMail mailing list. To BC unsubscribe, just send an E-mail to [EMAIL PROTECTED], and BC type unsubscribe Declude.JunkMail. The archives can be found BC at http://www.mail-archive.com. BC --- BC [This E-mail scanned for viruses by Declude Virus] Best regards, Eje Gustafsson mailto:[EMAIL PROTECTED] --- The Family Entertainment Network http://www.fament.com Phone : 620-231- Fax : 620-231-4066 eBay UserID : macahan - Your Full Time Professionals - --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for Viruses and Spam by Richmond.com] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] How did this Spammer get through?
I've got several held emails from a spammer trying to use our system for relay. I've got the box locked down to only accept relay from authenticated users, but somehow this guy got through. Luckily, I've got hijack on the box, which has blocked all of his emails. Here's an example of the email he's trying to relay through: Received: from 208.253.112.160 [169.207.38.237] by richmond.com (SMTPD32-7.07) id A450F9200BE; Wed, 12 Mar 2003 18:35:44 -0500 Received: from 0e.ygr0.net ([143.95.123.108]) by 208.253.112.160 with SMTP; Wed, 12 Mar 2003 22:30:43 -0100 Message-ID: [EMAIL PROTECTED] From: Mervin Crow [EMAIL PROTECTED] To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: re: Increase Your Gas Mileage by up to 27% ohvs eex Date: Wed, 12 Mar 03 22:30:43 GMT X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: The Bat! (v1.52f) Business MIME-Version: 1.0 Content-Type: multipart/alternative; boundary=15978B3_057.85AE_.850_ This is a multi-part message in MIME format. --15978B3_057.85AE_.850_ Content-Type: text/html Content-Transfer-Encoding: quoted-printable htmlbodyPaul athwartship,a href=3Dhttp://[EMAIL PROTECTED] averpro.com img src=3Dhttp://[EMAIL PROTECTED]/the.jpg width=3D536= height=3D505 /asalute beacon stumpweapon gapbr%RA= NDOM_WORDhum implantation party dish/body/html --15978B3_057.85AE_.850_-- How is he successfully getting through? Also, how can I block him from coming through again? Thanks. Brian -Original Message- From: R. Scott Perry [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 12, 2003 6:18 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] HELO contains SOO.. My question is this.. Could I create a wordfilter rule that goes like HELO 10 CONTAINS imail.fament.com or will that shoot myself in the foot for some reason ? That will work fine, just so long as you don't have any other mailservers that identify themselves as imail.fament.com. If your IMail server is the only one that does, the filter will work fine. If it really is the HELO string then I don't see this as a problem since my understanding is that my mail server do NOT connect to itself and should then never send the helo imail.fament.com to itself ?! Correct. There might be odd cases where the IMail server would connect to itself, but if that happens, you've got another problem on your hands (as it would cause a mail loop). -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for Viruses and Spam by Richmond.com] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] How did this Spammer get through?
Here you go: 03:12 18:35 SMTPD(0F9200BE) [169.207.38.237] HELO 208.253.112.160 03:12 18:35 SMTPD(0F9200BE) [169.207.38.237] MAIL FROM: [EMAIL PROTECTED] 03:12 18:35 SMTPD(0F9200BE) [169.207.38.237] RCPT TO: [EMAIL PROTECTED] 03:12 18:35 SMTPD(0F9200BE) [169.207.38.237] RCPT TO: [EMAIL PROTECTED] 03:12 18:35 SMTPD(0F9200BE) [169.207.38.237] ERR richmond.com invalid user [EMAIL PROTECTED] 03:12 18:35 SMTPD(0F9200BE) [169.207.38.237] RCPT TO: [EMAIL PROTECTED] 03:12 18:35 SMTPD(0F9200BE) [169.207.38.237] ERR richmond.com invalid user [EMAIL PROTECTED] 03:12 18:35 SMTPD(0F9200BE) [169.207.38.237] d:\IMail\spool\Dc4500f9200bec554.SMD 1114 So is he authenticating as a real user? b -- Original Message -- From: R. Scott Perry [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Wed, 12 Mar 2003 19:11:04 -0500 Here's an example of the email he's trying to relay through: The key information isn't in the headers in this case -- it's in the IMail SMTP log file. Most importantly are the RCPT TO: lines, which will show who the E-mail was actually addressed to, and whether or not some hack was used to relay the E-mail. If you post the IMail SMTP log file entries, I should be able to let you know what is going on. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for Viruses and Spam by Richmond.com] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] How did this Spammer get through?
What's strange is that the only thing consistent around all of the spam emails is the IP address 169.207.38.237, which is listed with SpamCop. Should declude pick that up? I've got spamcop listed as an automatic hold, but somehow he keeps getting through. Thanks. b -- Original Message -- From: R. Scott Perry [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Wed, 12 Mar 2003 19:11:04 -0500 Here's an example of the email he's trying to relay through: The key information isn't in the headers in this case -- it's in the IMail SMTP log file. Most importantly are the RCPT TO: lines, which will show who the E-mail was actually addressed to, and whether or not some hack was used to relay the E-mail. If you post the IMail SMTP log file entries, I should be able to let you know what is going on. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for Viruses and Spam by Richmond.com] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail]
winmail.dat
[Declude.JunkMail] BlackList Limit ?
Is there a limit on the number of addresses that I can blacklist within a FROMFILE? Thanks. b --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.