Re: [Declude.JunkMail] No one at Declude?
FYI... I spot-checked some of the domains involved in what we were seeing. Many were two or three years old, so the new domain test would not work on them.

On the report, there are log parsers that will do that for you, including Grep and Sawmill. We don’t use those, but import our logs into SQL Server for processing and reporting.

Darin.

From: Dave Beckstrom
Sent: Wednesday, April 17, 2013 1:37 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] No one at Declude?

I put in a request to Darrell at Invariant to see if he could update URIExtract to produce a report of IPs on top of the domain report that it currently produces.

What I've been doing is if I receive one spam from say 69.22.136.43 and another spam from 69.22.136.48 then I firewall 69.22.136.0/24

I'd like to see a report of IPs extracted from emails and a count of how many emails were found from a given IP -- reports taken from the INVURIBL log files, that is. I've not heard back from Darrell. I don't have any other tool at my disposal for extracting those IPs.

What we really need, is something that would do a whois query and for any domain registered within say the last 24 hours then declude could hold or delete the email. The majority of spam seems to be from spammers who registered a domain using fake credit card and by the time the registrar figures out they didn't get paid then the spammer is on to the next domain.

--------

From: Darin Cox [mailto:dc...@4cweb.com]
Sent: Wednesday, April 17, 2013 12:23 PM
To: Declude.JunkMail@declude.com
Subject: [SPAM]- Score (19)Re: [Declude.JunkMail] No one at Declude?

Not many IPs in that range in use yet according to SenderBase, but those that are are very bad. We’ve been seeing a lot of spam traffic where SenderBase didn’t have any measurements on the IP yet that we were seeing, but had a number of others in the same subnet... all bad.

Darin.

From: Katie La Salle-Lowery
Sent: Wednesday, April 17, 2013 1:06 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

Here are the headers of an example I received.

Received: from pop.mountainmusicmeltdown.com [207.223.191.101] by mail.centric.net with ESMTP (SMTPD-11.01) id 1950001a04b74c7d; Wed, 17 Apr 2013 08:57:09 -0600
From: "credit line increase"
To:
Subject: Magnificent News! TransUnion Gave You a Credit Increase
Date: Wed, 17 Apr 2013 10:50:56 -0400
Message-ID: <34770215301099823782438a696834a88ab99428fd8da700...@pop.mountainmusicmeltdown.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
Content-Disposition: inline
X-MessageSniffer-Identifier: C:\IMail\spool\proc\work\D1950001a04b74c7d.smd
X-GBUdb-Analysis: 0, 207.223.191.101, Ugly c=0.279065 p=1 Source Truncate
X-MessageSniffer-Scan-Result: 20
X-MessageSniffer-Rules: 20-0-0--1-f
X-RBL-Warning: SUBCHARS-55: Subject with at least 55 characters found.
X-Declude-Sender: barbara_watk...@mountainmusicmeltdown.com [207.223.191.101]
X-Declude-Spoolname: D1950001a04b74c7d.smd
X-Declude-RefID:
X-Declude-Note: Scanned by Centric Internet Services using Declude 4.12.01 for spam. "http://www.declude.com/x-note.htm";
X-Declude-Scan: Incoming Score [8] at 08:57:23 on 17 Apr 2013
X-Declude-Fail: SORBS-DUL [5], SORBS [4], SPFPASS [-1], SUBCHARS-55 [1]
X-Country-Chain:
X-RCPT-TO:
Status:
X-UIDL: 651220478
X-IMail-ThreadID: 1950001a04b74c7d

Katie LaSalle-Lowery
ka...@centric.net
1120 S. Russell; Ste B
Missoula, MT 59801
ph (406)549-3337
fax (406)541-9338

From: Pete McNeil [mailto:madscient...@microneil.com]
Sent: Wednesday, April 17, 2013 10:52 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] No one at Declude?

On 2013-04-17 12:37, Katie La Salle-Lowery wrote:

> Our Declude + Message Sniffer appears to be processing, and it is deleting much spam, but we are experiencing much more spam delivery than a couple weeks ago and I’m getting user complaints.

It's possible that your weighting is off due to some parts of Declude not working anymore.

If you're experiencing leakage that SNF is not tagging please let us know and we will work aggressively to resolve the problem.

http://www.armresearch.com/support/articles/procedures/spamSubmissions.jsp

If SNF is tagging the messages that are getting through then be sure to adjust your configuration to weight SNF results more highly.

Hope this helps,

_M

--
Pete McNeil, President
MicroNeil Research Corporation
www.microneil.com
703.779.4909 x7010
twitter/codedweller

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
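The per-IP count and /24 grouping asked for in the thread above can be sketched as follows. This is an added example, not code from any poster or from Declude/URIExtract; it reads the topmost `Received:` header (the format shown in Katie's sample) rather than the INVURIBL logs, whose layout is not shown on the page. Host names and the `ham_headers` check are assumptions; 69.22.136.43 and 69.22.136.48 are the two addresses quoted in the thread.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Connecting host as recorded by the receiving server, in the form seen in the
# thread: "Received: from host.name [a.b.c.d] by mail.example.net with ESMTP"
RECEIVED = re.compile(r"^Received: from \S+ \[(\d{1,3}(?:\.\d{1,3}){3})\]", re.M)


def connecting_ip(headers):
    """Return the IP from the topmost Received header, or None.

    Only the first Received line is used: it is the one written by our own
    server. Lower ones are supplied by the sender and can be forged.
    """
    m = RECEIVED.search(headers)
    if m is None:
        return None
    try:
        return ipaddress.IPv4Address(m.group(1))
    except ipaddress.AddressValueError:  # e.g. an octet above 255
        return None


def _net(ip, prefix):
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def subnet_report(spam_headers, ham_headers=(), min_distinct=2, prefix=24):
    """Count spam per source IP and list subnets with several spamming IPs.

    A subnet is listed once `min_distinct` different IPs in it have sent spam.
    `ham_seen` marks subnets that also delivered wanted mail, so they are not
    firewalled wholesale by mistake.
    """
    per_ip = Counter()
    for hdr in spam_headers:
        ip = connecting_ip(hdr)
        if ip is not None:
            per_ip[ip] += 1

    ham_nets = set()
    for hdr in ham_headers:
        ip = connecting_ip(hdr)
        if ip is not None:
            ham_nets.add(_net(ip, prefix))

    per_net = defaultdict(dict)
    for ip, count in per_ip.items():
        per_net[_net(ip, prefix)][ip] = count

    rows = []
    for net, hosts in per_net.items():
        if len(hosts) < min_distinct:
            continue
        rows.append({
            "net": str(net),
            "distinct_ips": len(hosts),
            "messages": sum(hosts.values()),
            "ham_seen": net in ham_nets,
        })
    rows.sort(key=lambda r: (-r["messages"], r["net"]))
    return per_ip, rows


# Constructed sample input (header blocks of held spam and of one good message).
SPAM_HEADERS = [
    "Received: from a.bulk.test [69.22.136.43] by mail.example.net with ESMTP",
    "Received: from b.bulk.test [69.22.136.48] by mail.example.net with ESMTP",
    "Received: from b.bulk.test [69.22.136.48] by mail.example.net with ESMTP",
    # Second Received line is sender-supplied and must be ignored.
    "Received: from c.bulk.test [198.51.100.20] by mail.example.net with ESMTP\n"
    "Received: from inner.test [69.22.136.99] by c.bulk.test with SMTP",
    "Received: from d.host.test [203.0.113.9] by mail.example.net with ESMTP",
    "Received: from e.host.test [203.0.113.77] by mail.example.net with ESMTP",
]
HAM_HEADERS = [
    "Received: from mx.partner.test [203.0.113.200] by mail.example.net with ESMTP",
]

if __name__ == "__main__":
    counts, rows = subnet_report(SPAM_HEADERS, HAM_HEADERS)
    for ip, n in counts.most_common():
        print(f"{n:4d}  {ip}")
    for r in rows:
        action = "review first" if r["ham_seen"] else "block candidate"
        print(f"{r['net']:18} ips={r['distinct_ips']} msgs={r['messages']}  {action}")
```
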
Re: [Declude.JunkMail] No one at Declude?
We run an older Declude perpetual license, so we weren’t affected by this issue, and don’t use Postini, so it’s just the new spam nets over the past week or so that have affected us.

Darin.

From: Katie La Salle-Lowery
Sent: Wednesday, April 17, 2013 12:56 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

Declude and Postini dying in the same period as the Spamhaus battle (assuming that is ongoing) is putting the hurt on, I think.

Katie LaSalle-Lowery
ka...@centric.net
1120 S. Russell; Ste B
Missoula, MT 59801
ph (406)549-3337
fax (406)541-9338

From: Darin Cox [mailto:dc...@4cweb.com]
Sent: Wednesday, April 17, 2013 10:52 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] No one at Declude?

There are a lot of new spam nets that have just been turned up over the past few days. Volumes more than doubled for us, with a lot slipping through. We’ve added quite a few class Cs to our firewall blocks this week as we see new ones light up that are entirely owned by a spammer. That’s helped cut it down almost to normal levels, and we’ve gotten ahead of them at times by blocking their entire net before they used some of their IPs.

Darin.

From: Katie La Salle-Lowery
Sent: Wednesday, April 17, 2013 12:37 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

Our Declude + Message Sniffer appears to be processing, and it is deleting much spam, but we are experiencing much more spam delivery than a couple weeks ago and I’m getting user complaints.

Katie LaSalle-Lowery
ka...@centric.net
1120 S. Russell; Ste B
Missoula, MT 59801
ph (406)549-3337
fax (406)541-9338
Re: [Declude.JunkMail] why have spam scores jumped?
Ben,

You may be able to run multiple instances of BIND on different IPs on the same server, or a combination of MS DNS and BIND on different IPs on the same server, but you _really_ don't want to. Downsizing redundancy in your nameserver DNS is just plain the wrong thing to do.

The reason you're not finding the answers you want is that you're asking the wrong question. Sorry,

Darin.

-Original Message-
From: SM Admin
Sent: Saturday, March 16, 2013 2:51 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

Ahhh, yes, but that’s the answer I don't want.

Right now, I could take our existing old authoritative DNS server and make it non-recursive, then put a recursive name server on the mail server itself, but listening only to the internal IP and that would seem to follow your suggestion. Although, when I look at the Interface tab in Properties, I don't see a local or 127.0.0.1 IP. Maybe it's that funny IPv6 string I see?

The problem is that we're downsizing and consolidating this stuff, so we'd like to move all the DNS functions over to just the mail server and retire the old DNS server. In that case, of course, we only have one DNS server.

I've been looking online to see how others might handle this. It seems that BIND can do this one way or another. You might be able to tell it to listen for recursive requests only on certain IPs or you can disable all recursion for the server but then override it for each of your authoritative zones. Unfortunately, I have yet to find either of those features as part of MS DNS and I'm not about to launch into the world of BIND.

The second idea was to consolidate the DNS server onto the mail server, enable recursion, but then block recursive requests from the outside world. For example, use a firewall to block recursive requests (but only those that are recursive) from the outside. I found some online discussion of people trying to do this, possibly using port 53, but no indications that anyone actually succeeded.

So for now, I'm still stuck.

-Original Message-
From: Darin Cox
Sent: Friday, March 15, 2013 11:11 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

Hi Ben,

You'll want to set up at least two DNS servers for that. One recursive for mail server lookups, most likely on the mail server. The DNS service on the mail server should not be publicly accessible. The other non-recursive DNS server can be used as your nameserver and, of course, publicly accessible.

Since you need multiple nameservers anyway, this is not likely an issue. And you'll want them on separate subnets, network connections, etc... as much separation as you can get to avoid common points of failure.

Another reason to separate the nameservers from your web and email services is that if you host any websites that process credit cards, PCI-DSS compliance requires any publicly accessible DNS services on the web or email server to have recursion turned off.

Hope this helps,

Darin.

-Original Message-
From: SM Admin
Sent: Saturday, March 16, 2013 1:55 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

Thanks, Sandy. Of course, if I had understood everything perfectly (or even reasonably), I wouldn't have had to post my questions here.

On our old DNS server that ran under Windows 2000 Advanced Server, you could actually toggle Forwarding and Recursion separately. However, under Windows 2008 server this isn't the case. You are correct that it's not symmetric as I claimed, although I really did no better. Turning off recursion from the Advanced properties tab turns off forwarding. Turning off forwarding I assume is done by just not having any forwarders listed. So what I said previously was wrong, although I don't see where it really changes what I was thinking about.

The challenge here is that our DNS server has two purposes: it is the authoritative name server for a bunch of zones and it is also the primary name server used by our mail server. For purposes of being authoritative for our hosted zones we don't need either recursion or forwarding. Requests come to us, get what they need, and then go away.

For purposes of our mail server we need our DNS server to be recursive, at the least. We set up forwarding to the Comcast name servers to offload server and network traffic. They can do all the recursion and then pass back the results to our DNS server, which passes the results back to our mail server. So I gather the recommendation here is to skip the forwarding and do all the work ourselves.

I don't understand your remark about open resolver because you don't explain where I'm wrong in my understanding. What I understand is that if you have a DNS server that does recursion on a public IP, then it is an open
Re: [Declude.JunkMail] why have spam scores jumped?
Hi Ben,

You'll want to set up at least two DNS servers for that. One recursive for mail server lookups, most likely on the mail server. The DNS service on the mail server should not be publicly accessible. The other non-recursive DNS server can be used as your nameserver and, of course, publicly accessible.

Since you need multiple nameservers anyway, this is not likely an issue. And you'll want them on separate subnets, network connections, etc... as much separation as you can get to avoid common points of failure.

Another reason to separate the nameservers from your web and email services is that if you host any websites that process credit cards, PCI-DSS compliance requires any publicly accessible DNS services on the web or email server to have recursion turned off.

Hope this helps,

Darin.

-Original Message-
From: SM Admin
Sent: Saturday, March 16, 2013 1:55 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

Thanks, Sandy. Of course, if I had understood everything perfectly (or even reasonably), I wouldn't have had to post my questions here.

On our old DNS server that ran under Windows 2000 Advanced Server, you could actually toggle Forwarding and Recursion separately. However, under Windows 2008 server this isn't the case. You are correct that it's not symmetric as I claimed, although I really did no better. Turning off recursion from the Advanced properties tab turns off forwarding. Turning off forwarding I assume is done by just not having any forwarders listed. So what I said previously was wrong, although I don't see where it really changes what I was thinking about.

The challenge here is that our DNS server has two purposes: it is the authoritative name server for a bunch of zones and it is also the primary name server used by our mail server. For purposes of being authoritative for our hosted zones we don't need either recursion or forwarding. Requests come to us, get what they need, and then go away.

For purposes of our mail server we need our DNS server to be recursive, at the least. We set up forwarding to the Comcast name servers to offload server and network traffic. They can do all the recursion and then pass back the results to our DNS server, which passes the results back to our mail server. So I gather the recommendation here is to skip the forwarding and do all the work ourselves.

I don't understand your remark about open resolver because you don't explain where I'm wrong in my understanding. What I understand is that if you have a DNS server that does recursion on a public IP, then it is an open resolver and could be attacked. Is that wrong? And if we turn off forwarding but leave on recursion, then won't our name server still be an open resolver? It needs to be that way so that the mail server can resolve its requests against it.

In theory, I only need our name server to be recursive on requests from our mail server and to be non-recursive for everyone else. However, I haven't seen any way to configure that.

Thanks,
Ben

-Original Message-
From: Sanford Whiteman
Sent: Friday, March 15, 2013 6:08 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

> The challenge for me is in not using forwarding. For MS DNS
> servers, forwarding and recursion are tied together; turn off one
> and you lose both.

Incorrect. Turning off recursion turns off forwarders, but not vice versa. You can have a perfectly operating recursive MS DNS server that does not delegate recursion to any other server (forwarding amounts to delegating recursion, but the server as a whole is still recursive, thus the unidirectional relationship between the two settings).

You only MUST use forwarders if you are not allowed to pass DNS requests out past your ISP's border (similar to when you have to use the ISP's outbound SMTP gateway).

> So if I turn off recursion and forwarding, then all my DNS requests
> will have to go to the root servers for resolution.

No, if you turn off recursion completely, you can't get responses for domains that aren't on your box. No one is going to do it for you -- the "root servers" sure won't.

> I do understand the dangers of being an open resolver

You're mixing up a lot of terms here. An open resolver is one that will perform recursive lookups for any address on the open internet.

> but I am also under the impression that resolving only through root
> servers is bad.

It's not "bad," it doesn't exist.

> Since MS seems to recommend forwarding

I doubt that...

> With a stub zone, queries to URIBL.com are resolved directly through
> the URIBL Name servers...

... and there is no reason to go down this road. If you can get DNS requests past your ISP, there's no reason to have forwarders.

-- S.
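Whichever layout is chosen in the thread above, the result can be verified from outside: ask the public nameserver for a name it is not authoritative for, with the RD (recursion desired) bit set, and check whether the reply sets RA (recursion available) or returns REFUSED. The following is an added example, not code from any poster; function names are assumptions, and `make_reply` only builds constructed header-only replies so the classifier can be exercised offline.

```python
import secrets
import socket
import struct

# DNS header flag bits and codes (RFC 1035)
QR = 0x8000       # message is a response
RD = 0x0100       # recursion desired (set by the client)
RA = 0x0080       # recursion available (set by the server)
REFUSED = 5       # RCODE used when policy denies the query


def build_query(name, qid, qtype=1):
    """Build a single-question query (default type A, class IN) with RD set."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def classify_response(resp, qid):
    """Classify a reply to a recursive query for a name outside our zones.

    "refused"           server declined the query (policy restricts recursion)
    "recursion-offered" RA is set: the server will recurse for this client
    "not-offered"       RA is clear: referral, empty answer or failure only
    """
    if len(resp) < 12:
        raise ValueError("short DNS message")
    rid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != qid or not flags & QR:
        raise ValueError("not a reply to our query")
    if flags & 0x000F == REFUSED:
        return "refused"
    if flags & RA:
        return "recursion-offered"
    return "not-offered"


def probe(server, name, timeout=3.0):
    """Send one UDP query to our own nameserver and classify the reply.

    Run it from a host outside the network so the answer reflects what the
    open internet sees, and pick a name the server is not authoritative for.
    """
    qid = secrets.randbelow(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, 53))
        resp, _ = s.recvfrom(4096)
    return classify_response(resp, qid)


def make_reply(qid, flags, ancount=0):
    """Constructed header-only reply for offline checks (not captured traffic)."""
    return struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 0)


if __name__ == "__main__":
    qid = 0x1234
    samples = {
        "recursion restricted": make_reply(qid, QR | RD | REFUSED),
        "open resolver": make_reply(qid, QR | RD | RA, ancount=1),
        "authoritative only": make_reply(qid, QR | RD),
    }
    for label, reply in samples.items():
        print(f"{label:22} -> {classify_response(reply, qid)}")
```

A public nameserver that should not recurse for outsiders is expected to give "refused" or "not-offered"; "recursion-offered" from an outside address means it is acting as an open resolver.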
Re: [Declude.JunkMail] NJABL Shut Down
Appreciate the heads up, Andy!

Darin.

From: Andy Schmidt
Sent: Tuesday, March 05, 2013 11:09 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] NJABL Shut Down

March 1, 2013: NJABL is in the process of being shut down. The DNSBL zones have been emptied. After "the Internet" has had some time to remove NJABL from server configs, the NS's will be pointed off into unallocated space (192.0.2.0/24 TEST-NET-1) to hopefully make the shutdown obvious to those who were slower to notice.
Re: [Declude.JunkMail] Fw: Deciphering Comcast reply on weird DNS stuff
Hi Ben,

Spam only to a server that no longer has MX records pointing to it isn’t really a surprise. Spammers have been known to cache MX records and continue to spam them long after an MX record is changed. The rationale behind that may be to bypass spam filtering gateways that have been placed in front of a mail server.

Darin.

From: SM Admin
Sent: Friday, November 30, 2012 7:52 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Fw: Deciphering Comcast reply on weird DNS stuff

Hi Sandy,

I forwarded your last reply to Comcast but haven't heard from anyone there since that last message where the tech says he can't help me any further. At this point, I'd sure like to fight with them some more just because of the obnoxious replies by Mr. Jones, but I'm not sure it's worth the time.

What I've noticed is that while I continue to get a trickle of messages showing up at the old mail server, since last weekend they've only been spam. I'm not sure how, but it seems that some spammers are still latched on to the wrong (out of date) DNS information. Strange, huh?

Thanks again for all your help and the same for Shaun.

Ben

- Original Message -
From: Sanford Whiteman
To: Declude.JunkMail@declude.com
Sent: Wednesday, November 28, 2012 7:24 PM
Subject: Re: [Declude.JunkMail] Fw: Deciphering Comcast reply on weird DNS stuff

Ben,

Thanks for running your questions by me. Feel free to forward this message to your Comcast rep. Even if he is unwilling to help you further, there is information below that will help him be more accurate in future cases, since he currently lacks sufficient understanding of DNS.

Mr. Jones is seemingly unaware of the difference between a delegated subdomain and a hostname. This gap in understanding does call the other conclusions into question, and I would not consider his to be an expert-level response.

NOTE: I don't know if Comcast is or is not ultimately at fault for your mail delivery problems, but I would advise you to look for more expert testimony.

It's perfectly normal for a hostname to be both the label and the value of an MX record (i.e. to "be its own MX"). In fact, the RFC-specified behavior of SMTP is to connect to the hostname to deliver mail to user@hostname in the absence of an MX record. All you are doing by adding IN MX is specifying that which would already be assumed (and also taking advantage of the MX algorithm).

So normal is this configuration that I was able to quickly dig these examples from large, reputable domains:

mail.beta.army.mil IN MX 10 mail.beta.army.mil
ajax1.rutgers.edu IN MX 10 ajax1.rutgers.edu
web.mail.vt.edu IN MX 0 web.mail.vt.edu
webmail.uic.edu IN MX 0 webmail.uic.edu
mail.messaging.microsoft.com IN MX 10 mail.messaging.microsoft.com
webmail.villanova.edu IN MX 0 webmail.villanova.edu
smtp01in.umuc.edu IN MX 0 smtp01in.umuc.edu
mta4.wiscmail.wisc.edu IN MX 0 mta4.wiscmail.wisc.edu
mail.dotster.com IN MX 0 mail.dotster.com

Good luck with your continued troubleshooting!

-- Sandy
Re: [Declude.JunkMail] Joe Jobs
Hi Dave,

A firm SPF policy generally does help, but it depends on the receiving servers implementing SPF in order to block messages that violate your SPF policy.

Aside from that and filtering that blocks any original included message content, there's nothing I know of that can stop bounces and responses that come from clean systems, unless you want to start writing filters specific to this customer that detect typical bounce messages.

Darin.

-Original Message-
From: Dave Beckstrom
Sent: Wednesday, November 28, 2012 3:16 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Joe Jobs

Hi All,

This isn't specifically a Declude question but I thought I'd ask anyway as it's still of interest to the group, I think.

I have one domain that is being referenced in a Joe Job. Essentially, a spammer sends out thousands of emails using various compromised computers. In the "FROM" field, they put randomaddr...@mydomain.com. My server gets all the backscatter email from the victims' servers. This has been going on for better than 6 months.

My server can handle the volume. The real problem is my customer gets nasty emails from people who think they spammed them and they don't realize it had nothing to do with our server or my customer.

I've not been able to figure out a way to stop the spammers from using my domain in their FROM addresses. Essentially, I was trying to figure out if through SPF records or other means I could do something that would make referencing my domain ineffective for them. That didn't seem to help. Also, since they don't send through my server, there is little I can do.

Have any of you had to deal with this situation? Any clever ideas?

Thanks,

Dave
Re: [Declude.JunkMail] abused whitelist?
Hi Andy,

He sent it to the Declude Junkmail list, of which you are a member. However, the list is pretty much defunct. Declude switched to online forums years ago, which effectively killed the list.

Darin.

-Original Message-
From: andyb@thumpernet
Sent: Monday, October 22, 2012 6:03 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] abused whitelist?

Hi,

I think you're sending this to the wrong place. Who/what company are you looking for?

Thanks,

Andrew Baldwin
an...@thumpernet.com
315-277-0685

Monday, October 22, 2012, 2:54:29 PM, you wrote:

IA> Hi,
IA>
IA> We have a client that is getting bounced spams. When I check
IA> the header, it looks like they’re being whitelisted through
IA> Declude. I checked the whitelisting settings and only have
IA> “whitelist auth” (autowhitelist is off). Does this mean their
IA> account is hacked? How else could the spam get whitelisted?
IA>
IA> Here is the Declude header, although I can’t figure out why the country chain is blank.
IA>
IA> X-Declude-Sender: off...@somedomain.com [190.0.103.59]
IA> X-Declude-Spoolname: D8baa03aac020.smd
IA> X-Declude-Note: Scanned by Declude 4.2.20 for spam.
IA> "http://www.declude.com/x-note.htm";
IA> X-Declude-Scan: Score [0] at 11:09:02 on 22 Oct 2012
IA> X-Declude-Fail: Whitelisted, ZEROHOUR [0]
IA> X-Country-Chain:
IA>
IA> Thanks,
IA>
IA> Ben
Re: [Declude.JunkMail] Dealing with Joe Jobs?
Ahh... so even the forged FROM addresses are invalid. I see. That's good that it's not forging a valid address, which is what we usually see. On our systems we don't even see the ones bounced back to us to invalid addresses. Darin. - Original Message - From: "Dave Beckstrom" To: Sent: Wednesday, December 07, 2011 3:53 PM Subject: RE: [Declude.JunkMail] Dealing with Joe Jobs? Hi Darin, Thanks for the reply. The mail server seems to handle the bounces okay as we don't have a catchall address set up. The smtp server connects, gets a "no such user here" response and disconnects. No mail is actually delivered. At least that is my interpretation (from the log files) as to what's happening. I suspect this has been going on for months with the one domain. -Original Message- From: Darin Cox [mailto:dc...@4cweb.com] Sent: Wednesday, December 07, 2011 12:54 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Dealing with Joe Jobs? Hi Dave, We see this occasionally, and SPF does help a little, but SPF is often not enforced, so it's more valuable for self-addressed spam than anything else... and many senders violate their own SPF policy. Deleting your MX doesn't help since the bounces are coming from all over, not from the spammer. We have occasionally put in additional filtering rules for the domain in question to look for keywords such as "Undeliverable" and hold hits for review, but most of the time our regular filtering does a good enough job that the customer doesn't get most of the bounces. Usually the joe-job lasts for 1-2 weeks and then it's over. Hope this helps, Darin. - Original Message - From: "Dave Beckstrom" To: Sent: Tuesday, December 06, 2011 7:12 PM Subject: [Declude.JunkMail] Dealing with Joe Jobs? Hi All, This isn't a Declude topic but is relevant to dealing with a sort of spam issue. I hope nobody minds discussing this. I would appreciate hearing any advice you might have to offer. I have a customer who's domain is being used for Joe Jobs. 
Someone is randomizing email addresses for this domain and presumably sending out millions of emails. My mail server is dealing with the backscatter. I'm getting probably close to 50 - 100 server connections a minute. My smtp log shows the following type of entries (sanitized for posting here):
17:23:50 [216.127.80.40][30884] connected at 12/6/2011 5:23:50 PM
17:23:51 [216.127.80.40][30884] cmd: EHLO shack.traxel.com
17:23:51 [216.127.80.40][30884] rsp: 250-PERSEUS Hello [216.127.80.40] 250-SIZE 62914560 250-AUTH LOGIN CRAM-MD5 250 OK
17:23:51 [216.127.80.40][30884] cmd: MAIL FROM:<>
17:23:51 [216.127.80.40][30884] rsp: 250 OK <> Sender ok
17:23:51 [216.127.80.40][30884] cmd: RCPT TO:
17:23:51 [216.127.80.40][30884] rsp: 550 No such user here
17:23:51 [216.127.80.40][30884] cmd: RSET
17:23:51 [216.127.80.40][30884] rsp: 250 OK
I had my SPF records set incorrectly and it was instructing other mail servers to accept email even if not from my mail server. I changed the SPF record a few days ago to instruct them to REJECT. I don't know if that change will eventually cause the spammer to move on to another domain or not. I actually deleted the customer's MX and A record for 2 days (over the weekend) to see if that might cause the spammer to find another domain. They aren't sending through my mail server, but I thought perhaps if their spam target recipient's server checked for a valid mx and found none that they would reject the spam. The theory being if the bulk of the spammer's email was rejected they might move on to another domain. Unfortunately, as soon as I added the MX and A record back then the backscatter started again. How do you guys deal with these? Just let it run its course? Thanks, Dave --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Dealing with Joe Jobs?
Hi Dave, We see this occasionally, and SPF does help a little, but SPF is often not enforced, so it's more valuable for self-addressed spam than anything else... and many senders violate their own SPF policy. Deleting your MX doesn't help since the bounces are coming from all over, not from the spammer. We have occasionally put in additional filtering rules for the domain in question to look for keywords such as "Undeliverable" and hold hits for review, but most of the time our regular filtering does a good enough job that the customer doesn't get most of the bounces. Usually the joe-job lasts for 1-2 weeks and then it's over. Hope this helps, Darin. - Original Message - From: "Dave Beckstrom" To: Sent: Tuesday, December 06, 2011 7:12 PM Subject: [Declude.JunkMail] Dealing with Joe Jobs? Hi All, This isn't a Declude topic but is relevant to dealing with a sort of spam issue. I hope nobody minds discussing this. I would appreciate hearing any advice you might have to offer. I have a customer whose domain is being used for Joe Jobs. Someone is randomizing email addresses for this domain and presumably sending out millions of emails. My mail server is dealing with the backscatter. I'm getting probably close to 50 - 100 server connections a minute.
My smtp log shows the following type of entries (sanitized for posting here):
17:23:50 [216.127.80.40][30884] connected at 12/6/2011 5:23:50 PM
17:23:51 [216.127.80.40][30884] cmd: EHLO shack.traxel.com
17:23:51 [216.127.80.40][30884] rsp: 250-PERSEUS Hello [216.127.80.40] 250-SIZE 62914560 250-AUTH LOGIN CRAM-MD5 250 OK
17:23:51 [216.127.80.40][30884] cmd: MAIL FROM:<>
17:23:51 [216.127.80.40][30884] rsp: 250 OK <> Sender ok
17:23:51 [216.127.80.40][30884] cmd: RCPT TO:
17:23:51 [216.127.80.40][30884] rsp: 550 No such user here
17:23:51 [216.127.80.40][30884] cmd: RSET
17:23:51 [216.127.80.40][30884] rsp: 250 OK
I had my SPF records set incorrectly and it was instructing other mail servers to accept email even if not from my mail server. I changed the SPF record a few days ago to instruct them to REJECT. I don't know if that change will eventually cause the spammer to move on to another domain or not. I actually deleted the customer's MX and A record for 2 days (over the weekend) to see if that might cause the spammer to find another domain. They aren't sending through my mail server, but I thought perhaps if their spam target recipient's server checked for a valid mx and found none that they would reject the spam. The theory being if the bulk of the spammer's email was rejected they might move on to another domain. Unfortunately, as soon as I added the MX and A record back then the backscatter started again. How do you guys deal with these? Just let it run its course? Thanks, Dave
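The pattern in the posted log (a null sender, MAIL FROM:<>, followed by a 550 on RCPT TO) can be counted per source and per minute to size a backscatter wave and to separate it from ordinary mistyped-address rejects. The Python below is an added example, not code from any poster on the list; the function names and the sample log (documentation-range IPs and .example domains) are constructed, and only the line layout is taken from the posted excerpt.

```python
import re
from collections import Counter

# Layout taken from the posted excerpt: "HH:MM:SS [ip][session] cmd|rsp: text"
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) \[(?P<ip>[^\]]+)\]\[(?P<sid>\d+)\] "
    r"(?P<kind>cmd|rsp): (?P<text>.*)$"
)
MAIL_FROM_RE = re.compile(r"^MAIL FROM:\s*<(?P<addr>[^>]*)>", re.IGNORECASE)

# Constructed sample input (not from the thread).
SAMPLE_LOG = """\
17:23:50 [192.0.2.10][30884] connected at 12/6/2011 5:23:50 PM
17:23:51 [192.0.2.10][30884] cmd: EHLO mx.example.net
17:23:51 [192.0.2.10][30884] rsp: 250 OK
17:23:51 [192.0.2.10][30884] cmd: MAIL FROM:<>
17:23:51 [192.0.2.10][30884] rsp: 250 OK <> Sender ok
17:23:51 [192.0.2.10][30884] cmd: RCPT TO:<qzxv17@customer.example>
17:23:51 [192.0.2.10][30884] rsp: 550 No such user here
17:23:51 [192.0.2.10][30884] cmd: RSET
17:23:51 [192.0.2.10][30884] rsp: 250 OK
17:23:58 [198.51.100.7][30885] cmd: MAIL FROM:<>
17:23:58 [198.51.100.7][30885] rsp: 250 OK <> Sender ok
17:23:58 [198.51.100.7][30885] cmd: RCPT TO:<k3jd9a@customer.example>
17:23:58 [198.51.100.7][30885] rsp: 550 No such user here
17:24:02 [192.0.2.10][30890] cmd: MAIL FROM:<>
17:24:02 [192.0.2.10][30890] rsp: 250 OK <> Sender ok
17:24:02 [192.0.2.10][30890] cmd: RCPT TO:<mmw0p@customer.example>
17:24:02 [192.0.2.10][30890] rsp: 550 No such user here
17:24:05 [203.0.113.5][30891] cmd: MAIL FROM:<alice@partner.example>
17:24:05 [203.0.113.5][30891] rsp: 250 OK
17:24:05 [203.0.113.5][30891] cmd: RCPT TO:<typo@customer.example>
17:24:05 [203.0.113.5][30891] rsp: 550 No such user here
17:24:09 [203.0.113.5][30892] cmd: MAIL FROM:<>
17:24:09 [203.0.113.5][30892] rsp: 250 OK <> Sender ok
17:24:09 [203.0.113.5][30892] cmd: RCPT TO:<real.user@customer.example>
17:24:09 [203.0.113.5][30892] rsp: 250 OK
"""


def find_rejected_rcpts(lines):
    """Return one event per RCPT TO that drew a 5xx reply.

    Each event records whether the envelope sender was the null sender (<>),
    which is what bounce messages (backscatter) use.
    """
    sessions = {}  # (ip, session id) -> per-connection state
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # "connected at ..." and other non-protocol lines
        state = sessions.setdefault(
            (m["ip"], m["sid"]), {"sender": None, "rcpt_pending": False}
        )
        text = m["text"].strip()
        if m["kind"] == "cmd":
            upper = text.upper()
            state["rcpt_pending"] = False
            if upper.startswith("MAIL FROM:"):
                mf = MAIL_FROM_RE.match(text)
                # "" means null sender; None means the address was unreadable
                state["sender"] = mf["addr"] if mf else None
            elif upper.startswith("RCPT TO:"):
                state["rcpt_pending"] = True
            elif upper.startswith("RSET"):
                state["sender"] = None
        elif state["rcpt_pending"]:
            # First reply after RCPT TO decides the outcome for that recipient
            state["rcpt_pending"] = False
            if text.startswith("5"):
                events.append({
                    "time": m["time"],
                    "ip": m["ip"],
                    "null_sender": state["sender"] == "",
                })
    return events


def summarize(events):
    """Split rejected recipients into bounce traffic and everything else."""
    bounces = [e for e in events if e["null_sender"]]
    return {
        "by_ip": Counter(e["ip"] for e in bounces),
        "by_minute": Counter(e["time"][:5] for e in bounces),
        "non_bounce_rejects": len(events) - len(bounces),
    }


if __name__ == "__main__":
    report = summarize(find_rejected_rcpts(SAMPLE_LOG.splitlines()))
    for ip, count in report["by_ip"].most_common():
        print(f"{ip}\t{count} rejected bounce recipients")
    for minute, count in sorted(report["by_minute"].items()):
        print(f"{minute}\t{count} per minute")
    print("other rejected recipients:", report["non_bounce_rejects"])
```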
Re: [Declude.JunkMail] error 0xC0000142 smtp.exe
No, that's typical. We have a script scheduled to delete them every day. It seems the sniffer script doesn't always delete them... probably Declude still has a lock on the file, so it can be read, but not changed or deleted. We monitor our spool and overflow directories, and when thresholds (by file count) are met we're alerted. Monitoring like this tells you if there is a problem so you can resolve it before your customers notice a problem. Darin. - Original Message - From: Imail Admin To: Declude.JunkMail@declude.com Sent: Thursday, May 05, 2011 8:49 PM Subject: Re: [Declude.JunkMail] error 0xC142 smtp.exe I should add that in looking through my spool folder, I found a *lot* of tmp*.tmp files, all generated by Armresearch for Sniffer and going way back. Does this mean I have something misconfigured that these files are being left over? - Original Message - From: Imail Admin To: Declude.JunkMail@declude.com Sent: Thursday, May 05, 2011 4:41 PM Subject: Re: [Declude.JunkMail] error 0xC142 smtp.exe Hi, I just looked in my declude.cfg and found these as the only non-commented lines: THREADS 15 WAITFORMAIL 5000 INVITEFIXON So it appears I've got 15 threads going. Unless there is some sort of multiplier going? What happens if my thread count is too small? Thanks, Ben - Original Message - From: Bonno Bloksma To: Declude.JunkMail@declude.com Sent: Thursday, May 05, 2011 1:28 PM Subject: RE: [Declude.JunkMail] error 0xC142 smtp.exe Hi, Even though I am running an Imail server for a bachelor level education with about 2500 active mailboxes and about 15.000 mails per day, I still have Declude set to max 150 THREADS. That is plenty to get the mail delivered in time. Declude itself can handle a lot more and using the built-in Sniffer helps keep the max heap problem down, but I have never found a good reason to increase the THREAD count. As a matter of fact I have had it even lower in the past and still mail was delivered quickly enough for users never to notice it.
Yours sincerely, Bonno Bloksma senior system administrator tio university of applied sciences for hospitality and tourism julianalaan 9 / 7553 ab hengelo netherlands t +31-74-255 06 10 / f +31-74-255 06 11 b.blok...@tio.nl / www.tio.nl Follow us at Twitter / Facebook / Hyves / YouTube From: IMail Admin [mailto:imailad...@bcwebhost.net] Sent: Thursday, May 5, 2011 22:10 To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] error 0xC142 smtp.exe That sounds like me. What’s the cure? Drop the number of threads in declude.cfg? I haven’t looked at it yet to see what I have. From: Andy Schmidt Sent: Thursday, May 05, 2011 1:05 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] error 0xC142 smtp.exe I had encountered the problem when I introduced another Declude add-on to the mix (e.g., another command line program that Declude was launching). Eventually there were too many command line processes using up too much heap… Some of us were using the old command-line sniffer and 2 or 3 anti-virus command line tools, and invURIBL and various other – each one chipping away at the heap. From: IMail Admin [mailto:imailad...@bcwebhost.net] Sent: Thursday, May 05, 2011 2:21 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] error 0xC142 smtp.exe HI Pete, Thanks for the links. After reading all of those, and everything they link to, I have a better idea of what’s happening. What Declude originally called the “mystery heap” is apparently the desktop heap, which had a system wide limit of 48 mb (Win2k and Win2k3), allocated between interactive and non-interactive desktops. Presumably, too many processes are launched, exhausting this heap. Setting a smaller value for the per-process allocation (512 kb by default) should allow more processes to run. So all of this makes sense but doesn’t explain why my server should have this problem. My business is so small any more that I could imagine using my smart phone to run the mail server.
If it’s the smtp32.exe process causing the crash, then that would imply to me that I’ve got a lot of outbound messages all at once. I just don’t see how this could happen. I’m guessing that we’ve got no more than a couple hundred mailboxes spread over 30 domains, and no lists larger than 200. So how do I find out where all this outbound stuff is coming from? And is there a setting I could use to limit the number of outbound messages sent (or processed) at one time? Any suggestions are appreciated. Thanks, Ben P.S. I wonder what would happen if I moved my software (Imail 2006.23) to a Win 7 PC or a Windows 2010 server? Just thinking
Re: [Declude.JunkMail] How do you read the Inv-Uribl log file?
We've seen this a lot with Inv-URIBL. You can patch it somewhat by putting in a counterweight for Inv-URIBL when it crashes. There is a small set of scores to adjust for. Darin. - Original Message - From: IMail Admin To: Declude.JunkMail@declude.com Sent: Friday, April 08, 2011 1:35 PM Subject: Re: [Declude.JunkMail] How do you read the Inv-Uribl log file? Makes sense. Thanks. From: Nick Hayer Sent: Friday, April 08, 2011 10:29 AM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] How do you read the Inv-Uribl log file? It crashed - threw an exception and either Declude was unsure of what to do with it or that was the score it returned. I have seen this happen when I was developing my own app. -Nick MadRiverAccess.com|Skywaves.com Tech Support US/Canada 877-873-6482 or International +1-802-229-6574 Emergency Support 24/7: supp...@skywaves.net General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm From: "IMail Admin" Sent: Friday, April 08, 2011 1:23 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] How do you read the Inv-Uribl log file? I added in a weight for the grey listings, but it hasn’t had much impact. A review of the log files shows only a few messages failing due to grey and since I give it a small weight, I’m not worried about false positives. In the meanwhile, something Very Strange happened this morning. An extreme spam (high score under Declude) showed up in my inbox today. It got there thanks to inv-uribl. Here are the relevant lines from the header:
X-RBL-Warning: INV-URIBL: Message failed INV-URIBL: -1066598274.
X-Declude-Sender: neomaanastaci...@keci.com [201.50.140.132]
X-Declude-Spoolname: D1c67025c4807.smd
X-Declude-Note: Scanned by Declude 4.2.20 for spam. "http://www.declude.com/x-note.htm";
X-Declude-Scan: Incoming Score [-1066598201] at 07:33:30 on 08 Apr 2011
X-Declude-Fail-WithWeight: NOLEGITCONTENT [0], IPNOTINMX [0], CBL [6], FIVETEN-SRC [7], ZEN [7], SORBS-DUHL [6], SPAMCOP [8], UCEPROTECT-1 [6], UCEPROTECT-2 [5], UCEPROTECT-3 [2], BARRACUDA [4], CMDSPACE [8], SPFUNKNOWN [1], SUBSPACE-12 [1], SUBSPACE-15 [1], SUBCHARS-50 [1], SUBCHARS-55 [1], SUBCHARS-60 [1], SNIFFER [8], INV-URIBL [-1066598274], ZEROHOUR [0]
This result was also confirmed by the line in the Declude log file:
04/08/2011 07:33:30.046 q1c67025c4807.smd Tests failed [weight=-1066598201]: CATCHALLMAILS=IGNORE[0] NOLEGITCONTENT=WARN[0] IPNOTINMX=WARN[0] CBL=WARN[6] FIVETEN-SRC=WARN[7] ZEN=IGNORE[7] SORBS-DUHL=WARN[6] SPAMCOP=WARN[8] UCEPROTECT-1=WARN[6] UCEPROTECT-2=WARN[5] UCEPROTECT-3=WARN[2] BARRACUDA=IGNORE[4] CMDSPACE=WARN[8] SPFUNKNOWN=WARN[1] SUBSPACE-12=WARN[1] SUBSPACE-15=WARN[1] SUBCHARS-50=WARN[1] SUBCHARS-55=WARN[1] SUBCHARS-60=WARN[1] SNIFFER=WARN[8] INV-URIBL=WARN[-1066598274]
Now how the heck did inv-uribl generate a score of –1 billion??? I checked and there’s nothing like that in the config file. So then I checked the inv-uribl log file and this message does not show up in the log file. Inv-uribl apparently didn’t process this message but did manage to give it an outrageous score. Has anyone seen something like this and is it cause for concern? Thanks, Ben From: IMail Admin Sent: Wednesday, April 06, 2011 10:23 AM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] How do you read the Inv-Uribl log file? HI Scott, It looks to me like you only score the black and not the grey or red listings. The config I have, which would have come from someone else or the default because I’ve never tried tweaking inv-uribl, scores black and red but not grey. I’m thinking of scoring grey with a small score but I was waiting to see response on the list such as yours.
Thanks, Ben From: Scott Fisher Sent: Wednesday, April 06, 2011 6:50 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] How do you read the Inv-Uribl log file? The 127.0.0.4 is a gray listing for the uribl. I personally don’t score the gray result because of too many false positives. -Original Message- From: Imail Admin [mailto:imailad...@bcwebhost.net] Sent: Tuesday, April 05, 2011 7:34 PM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] How do you read the Inv-Uribl log file? So I'm still looking at ways to make Inv-Uribl more effective. I'm getting a lot of spam that gets through my system with relatively marginal score so I'm looking at the Inv-Uribl log. Here are the lines for a message that I would consider to be obviously spam, yet came through Inv-Uribl as "Clean": 2011-03-31 02:53:09.343 2011-03-31 02:53:12.484 D:\IMail\spool\proc\work\D5d0b028c100f.smd netcontentinc.com 127.0.0.4 URI from message body found in multi.uribl.com [4] [Tota
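The weight of -1066598274 reads differently as a 32-bit value: it is the signed form of 0xC06D007E, an error-severity Windows exception code, which fits the reply that the test crashed rather than scored the message. The Python below is an added example, not Declude or Inv-URIBL code; the function names and the plausibility limit of 1000 are assumptions, and it assumes the weight is the crashed process's exit status. Its input is the X-Declude-Fail-WithWeight value posted in the thread.

```python
import re

# Header value as posted in the thread.
FAIL_WITH_WEIGHT = (
    "NOLEGITCONTENT [0], IPNOTINMX [0], CBL [6], FIVETEN-SRC [7], ZEN [7], "
    "SORBS-DUHL [6], SPAMCOP [8], UCEPROTECT-1 [6], UCEPROTECT-2 [5], "
    "UCEPROTECT-3 [2], BARRACUDA [4], CMDSPACE [8], SPFUNKNOWN [1], "
    "SUBSPACE-12 [1], SUBSPACE-15 [1], SUBCHARS-50 [1], SUBCHARS-55 [1], "
    "SUBCHARS-60 [1], SNIFFER [8], INV-URIBL [-1066598274], ZEROHOUR [0]"
)

WEIGHT_RE = re.compile(r"([A-Za-z0-9_.-]+)\s*\[(-?\d+)\]")

# A few well-known Windows codes a crashed process can exit with.
KNOWN_CODES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000135: "STATUS_DLL_NOT_FOUND",
    0xC0000142: "STATUS_DLL_INIT_FAILED",
    0xC06D007E: "MSVC delay-load exception: module not found",
}


def parse_weights(header_value):
    """Split 'NAME [n], NAME [n]' into (name, weight) pairs."""
    return [(name, int(w)) for name, w in WEIGHT_RE.findall(header_value)]


def as_status(weight):
    """Reinterpret a signed 32-bit weight as an unsigned status code.

    Returns None unless the two severity bits are both set (error severity),
    which is how NTSTATUS and exception codes of the 0xC... family look.
    """
    if not -(1 << 31) <= weight < (1 << 31):
        return None
    code = weight & 0xFFFFFFFF
    return code if code >> 30 == 0b11 else None


def audit(header_value, limit=1000):
    """Flag weights no configured test should produce.

    limit is an assumed sanity bound: configured weights in the thread are
    single or double digits, so anything beyond +/-1000 is treated as a
    failed test rather than a verdict.
    """
    weights = parse_weights(header_value)
    suspects = []
    for name, weight in weights:
        if abs(weight) <= limit:
            continue
        code = as_status(weight)
        suspects.append({
            "test": name,
            "weight": weight,
            "hex": f"0x{code:08X}" if code is not None else None,
            "meaning": KNOWN_CODES.get(code, "unrecognised"),
        })
    flagged = {s["test"] for s in suspects}
    return {
        "total": sum(w for _, w in weights),
        "sane_total": sum(w for n, w in weights if n not in flagged),
        "suspects": suspects,
    }


if __name__ == "__main__":
    result = audit(FAIL_WITH_WEIGHT)
    print("score as delivered:", result["total"])
    print("score without failed tests:", result["sane_total"])
    for s in result["suspects"]:
        print(f'{s["test"]}: {s["weight"]} = {s["hex"]} ({s["meaning"]})')
```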
Re: [Declude.JunkMail] Idea for new Declude add-on
I agree. We see forging attacks like this periodically. While not every day, there's usually one every week, and when they hit, they hit hard. If we whitelisted or even negative-weighted addresses people sent to, when these attacks hit we would let through a ton of spam. We would _never_ consider this technique, though admittedly our filters are doing well and our leak rate is less than 0.5%. In fact, one of our biggest problems is people who put their own address in the webmail address book and effectively whitelist their own email address, letting through anything that forges. Every time over the past 8 years a customer has complained about spam, that has been the cause. Darin. - Original Message - From: "Andy Schmidt" To: Sent: Thursday, February 17, 2011 10:03 AM Subject: RE: [Declude.JunkMail] Idea for new Declude add-on >> I couldn't think of any specific instances where you would not want to >> whitelist a recipient's address. Obviously nobody should be emailing a >> spammer. << In general, that's reasonable - but certainly not bullet-proof. Since spammers always use other people's email addresses (especially phishing, trojan and virus emails), these messages will now be white-listed instead of being caught. This is especially true when people's mailboxes or PC have been infiltrated (millions of them are) and the malware will send its infected messages (or links to phishing site) to everyone in THAT person's address book - so that their friends trust the email was being from their friend/acquaintance. All these messages will now be trusted by Imail just because they CLAIM to come from the "friend". So - it does open a potentially big garage door for malware link and infected emails to make it past Declude.
-Original Message- From: Dave Beckstrom [mailto:db...@atving.com] Sent: Thursday, February 17, 2011 9:20 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Idea for new Declude add-on I couldn't think of any specific instances where you would not want to whitelist a recipient's address. Obviously nobody should be emailing a spammer. I was trying to cover the bases for those instances that exist but can't be foreseen yet. Pondering it a little more -- one type of an exclusion that would be needed is if you had a forum where users register and your server sends out a confirmation/activation email. Or you send an email as a result of someone submitting a contact form on your site. In those cases, the "from" address for your forum or "from" address from your submission form would be the excluder so that no recipient of email from those automated systems would be given any credit. -Original Message- From: David Barker [mailto:dbar...@declude.com] Sent: Thursday, February 17, 2011 7:49 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Idea for new Declude add-on Great idea Dave thanks. Question. If a user emails a recipient in what scenario would we not want to whitelist the recipients address ? -Original Message- From: Dave Beckstrom [mailto:db...@atving.com] Sent: Thursday, February 17, 2011 8:45 AM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] Idea for new Declude add-on I have an idea for something I think would be a useful add-on for declude. Every time someone sends an outbound SMTP email to someone, the add-on would add an entry to a filter giving the recipient's "to" address a weight of minus one. Therefore, giving the recipient a credit. Any time the recipient sends an email to my server, minus one gets subtracted from the total score of their email. If a user on my server sends a second email to the same recipient, another minus one credit is added to the filter. Now that recipient has a credit of minus two.
The add-on would be configurable to limit the maximum credit a single address could reach. It would also have an exclusion ability where you could enter a list of email addresses that would never receive any credit. The idea being that the more frequently you email someone, the less likely that email from them would be spam. I know some will argue that "from" addresses can be forged and that perhaps it's not a good idea to give credit based on a "from" address. But it's not very often at all I ever receive a spam that came from a friend's forged "from" address. I think something along the lines of this type of system could be useful. --- [This E-mail was scanned by Declude]
Re: [Declude.JunkMail] Fine tuning Declude
This is about 1/3 of the process to sync the servers. Then there's the processing of the file on the gateway to add/delete accounts as needed, and the minor Exchange config changes to accept mail from a subdomain. In our implementations, and due to often insufficient access/knowledge on the part of most customers, it's a two-part batch sync. I like the all-in-one process you have by connecting through the firewall, Andy, but it's been hard enough getting access to customer servers to place the extraction script. Trying to get access to LDAP through firewalls for an external process would take a lot longer to coordinate on a per-customer basis. Darin. - Original Message - From: Andy Schmidt To: declude.junkmail@declude.com Sent: Wednesday, May 12, 2010 4:05 PM Subject: RE: [Declude.JunkMail] Fine tuning Declude Not sure that this list supports attachments - but here it is. Here's how I launch it every half hour: cscript //Nologo ExtractLDAP.wsf 70.255.255.84 "ou=Their Staff,dc=TheirCompany,dc=local" logon.u...@theircompany.local mypassword "domainalias1.com domainalias2.com domainalias3.com" TheirCompany I usually use the LDAP Explorer tool to make sure I can connect to their LDAP port through their firewall, that they have set up a valid user/password for me, etc. Then I navigate through their LDAP hierarchy to determine the correct OU/DC/DC, CN/DC/DC, etc path to their email users. Once that succeeds I can simply take that info and use it as the parameters to my script. From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Michael Cummins Sent: Wednesday, May 12, 2010 3:25 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Fine tuning Declude That sounds like it would be fun to review, regardless. I can dig up my old script and post it, too. Mine is pretty primitive: spew and parse. Does it reach out to LDAP from the internet side of things, through a properly configured firewall, I imagine? Mine was a local script that uploaded. 
I like your idea better, if I am reading it right. With your idea, I provide minimum requirements instead of installation steps. Very Respectfully, Michael Cummins
Re: [Declude.JunkMail] Fine tuning Declude
Sorry guys, I meant to send this directly to Michael. Got distracted with other email and phone calls, and didn't check the address before sending. My apologies. Darin. - Original Message - From: Darin Cox To: declude.junkmail@declude.com Sent: Wednesday, May 12, 2010 10:55 AM Subject: Re: [Declude.JunkMail] Fine tuning Declude Hi Michael, I may be able to help with this. You mention doing gateway filtering for Exchange servers. We also do that, but instead of accepting any address with the domain, we have accounts set up on our server and refuse connections that don't go to one of those accounts. Now your next comment is probably that you don't want the extra management of setting up accounts on both servers. Well we've handled that by using a sync process we developed to extract the list of accounts from the Exchange server, ship that up to the gateway server, and check to see what accounts need to be added or deleted. We've been using this process for a couple of years with perfect success. Since it is a batch process, it is scheduled to run every few minutes, so there could be a few minute delay when new accounts are added, but it has worked flawlessly for a couple of years. There are checks in place to make sure incomplete transfers don't result in accounts being deleted or incorrect accounts getting added to the gateway, and notifications are sent every time accounts are added or deleted. Currently it runs as a script on the destination Exchange or IMail server, and a scheduled process on a SQL database on our mail gateway server. Also, our gateway is an IMail server, but we could easily adapt it to use the account creation command line utilities I assume SmarterMail has. One other comment about the implementation. We maintain a hosts file for forwarding to the destination mail server, and use a subdomain to forward the mail for routing purposes, so the destination mail server is configured to accept mail for the subdomain. 
That's a simple change in Exchange to add an SMTP alias, and can be added to the default policy in Exchange so it is automatically added when an account is created. Anyway, if you have any interest, let me know. I know we wouldn't be able to survive if we were accepting email for any address in a domain, so I feel your pain. Best, Darin Cox 4C Web A division of 4C Design Technology Corp. (813) 413-4883 Tampa Bay, FL (919) 533-5000 Research Triangle, NC - Original Message - From: Michael Cummins To: declude.junkmail@declude.com Sent: Wednesday, May 12, 2010 9:25 AM Subject: [Declude.JunkMail] Fine tuning Declude So this past week has been fairly hellish for me, buried in the thick of Botnet Spam storms. (Quite a number of people seem to be experiencing them, at least as reported over on the [SNIFFER] list) My implementation of Declude seems to be pressed to its limits to handle the volume. 1) Dedicated SmarterMail 6.8 2) Declude, Invaluement RBLs added, running off a SimpleDNSPlus install on another local machine 3) INVURIBL with Invaluement and SpamEatingMonkey added 4) SNIFFER, integrated with Declude This is the root of my volume issues: this box is a dedicated Incoming Gateway for several dozen Exchange servers for SMBs, which means it accepts ALL mail for those domains. It's not like my other mail server that rejects bad addresses right off the bat. When the spam storms hit, it's like a hurricane. My usual Sniffer-measured rate of about 150-200k messages per day kick up as high as 850k. I don't really handle that much mail, but that's the rate when it storms. My regular SmarterMail server that dishes out POP/IMAP handles a more appropriate level of 50k messages per day. 1) If I keep WAITBETWEENTHREADS too low, DecludeProc will race up to the top of THREADS and crash when the storms hit. 
I currently find that 45 is the bleeding edge of sanity (for my config) with INVURIBL and SNIFFER running, but in a bad storm, even that is too low, and sometimes I have to drop it back to 60 or 65; but then it's just keeping up with things, and it's difficult to reduce the backlog that swelled during the crash. 2) If I keep WAITBETWEENTHREADS too high, like around 100, Declude is stable as a rock, but can't keep up with the mail load when times get tough. 3) When things get bad, I go into GLOBAL.CFG and comment out INVURIBL and/or the many SNIFFER tests. Does anyone have any useful advice for beefing up or streamlining this process? What hardware choices have the biggest impact on Declude? As an aside, I imagine that you could prevent a lot of Declude crashes if WAITBETWEENTHREADS was a dynamic setting, derived from the mail rate. Yes? No? On a related note, I've been building a Declude Management interface in ColdFusion that makes exc
Re: [Declude.JunkMail] Fine tuning Declude
Hi Michael, I may be able to help with this. You mention doing gateway filtering for Exchange servers. We also do that, but instead of accepting any address with the domain, we have accounts set up on our server and refuse connections that don't go to one of those accounts. Now your next comment is probably that you don't want the extra management of setting up accounts on both servers. Well we've handled that by using a sync process we developed to extract the list of accounts from the Exchange server, ship that up to the gateway server, and check to see what accounts need to be added or deleted. We've been using this process for a couple of years with perfect success. Since it is a batch process, it is scheduled to run every few minutes, so there could be a few minute delay when new accounts are added, but it has worked flawlessly for a couple of years. There are checks in place to make sure incomplete transfers don't result in accounts being deleted or incorrect accounts getting added to the gateway, and notifications are sent every time accounts are added or deleted. Currently it runs as a script on the destination Exchange or IMail server, and a scheduled process on a SQL database on our mail gateway server. Also, our gateway is an IMail server, but we could easily adapt it to use the account creation command line utilities I assume SmarterMail has. One other comment about the implementation. We maintain a hosts file for forwarding to the destination mail server, and use a subdomain to forward the mail for routing purposes, so the destination mail server is configured to accept mail for the subdomain. That's a simple change in Exchange to add an SMTP alias, and can be added to the default policy in Exchange so it is automatically added when an account is created. Anyway, if you have any interest, let me know. I know we wouldn't be able to survive if we were accepting email for any address in a domain, so I feel your pain. 
Best, Darin Cox 4C Web A division of 4C Design Technology Corp. (813) 413-4883 Tampa Bay, FL (919) 533-5000 Research Triangle, NC - Original Message - From: Michael Cummins To: declude.junkmail@declude.com Sent: Wednesday, May 12, 2010 9:25 AM Subject: [Declude.JunkMail] Fine tuning Declude So this past week has been fairly hellish for me, buried in the thick of Botnet Spam storms. (Quite a number of people seem to be experiencing them, at least as reported over on the [SNIFFER] list) My implementation of Declude seems to be pressed to its limits to handle the volume. 1) Dedicated SmarterMail 6.8 2) Declude, Invaluement RBLs added, running off a SimpleDNSPlus install on another local machine 3) INVURIBL with Invaluement and SpamEatingMonkey added 4) SNIFFER, integrated with Declude This is the root of my volume issues: this box is a dedicated Incoming Gateway for several dozen Exchange servers for SMBs, which means it accepts ALL mail for those domains. It's not like my other mail server that rejects bad addresses right off the bat. When the spam storms hit, it's like a hurricane. My usual Sniffer-measured rate of about 150-200k messages per day kick up as high as 850k. I don't really handle that much mail, but that's the rate when it storms. My regular SmarterMail server that dishes out POP/IMAP handles a more appropriate level of 50k messages per day. 1) If I keep WAITBETWEENTHREADS too low, DecludeProc will race up to the top of THREADS and crash when the storms hit. I currently find that 45 is the bleeding edge of sanity (for my config) with INVURIBL and SNIFFER running, but in a bad storm, even that is too low, and sometimes I have to drop it back to 60 or 65; but then it's just keeping up with things, and it's difficult to reduce the backlog that swelled during the crash. 2) If I keep WAITBETWEENTHREADS too high, like around 100, Declude is stable as a rock, but can't keep up with the mail load when times get tough. 
3) When things get bad, I go into GLOBAL.CFG and comment out INVURIBL and/or the many SNIFFER tests. Does anyone have any useful advice for beefing up or streamlining this process? What hardware choices have the biggest impact on Declude? As an aside, I imagine that you could prevent a lot of Declude crashes if WAITBETWEENTHREADS was a dynamic setting, derived from the mail rate. Yes? No? On a related note, I've been building a Declude Management interface in ColdFusion that makes excellent use of Mark Russinovich's Sysinternals suite of tools, most specifically PsList and PsKill, so I can keep a careful eye on DecludeProc on my two machines, and using the Microsoft FSO to keep an eye on file counts. Sysinternals http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx FSO http://msdn.microsoft.com/en-us
Re: [Declude.JunkMail] stop scanning after x points
Hi Bonno,

You can alter the InvURIBL and Sniffer test definitions in your config to use Pete McNeil's WeightGate utility to conditionally run those tests. An example InvURIBL line is

INV-URIBL external weight "C:\IMail\Declude\WeightGate\WeightGate.exe -100 %WEIGHT% 500 F:\IMail\Declude\INVURIBL\invURIBL.exe %WEIGHT% %REMOTEIP%" 0 0

It checks to see if the weight of the email is between -100 and 500. If not, it doesn't run InvURIBL.

You can get it from Pete's website: http://www.armresearch.com/tools/arm/weightGate.jsp

Hope this helps,
Darin.

----- Original Message -----
From: Bonno Bloksma
To: Declude.JunkMail@declude.com
Sent: Wednesday, February 10, 2010 7:14 AM
Subject: [Declude.JunkMail] stop scanning after x points

Hi,

I use Declude with built-in Sniffer and InvURIbl. Other than that mostly the default tests. Using the new 4.10.42 version.

I would like Declude to examine the points scored so far before launching Sniffer or InvURIbl as those are body tests and need more cpu. I hold at 20 and delete at 30. I want Sniffer and InvURI not called if standard dns tests have already scored 60+ points. Is that possible? I know I can do something like that in tests I create myself but I have no such tests.

If there is not yet a way to tell Declude to evaluate tests that can score negative weights first maybe that would be a good idea as well to combine with the conditional calling of more tests.

Kind regards,
Bonno Bloksma
senior systems administrator
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
b.blok...@tio.nl / www.tio.nl

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: Re[6]: [Declude.JunkMail] Cutting down on DNS
Hi Michael,

I'm using Windows 2003 DNS server as well, and have had no trouble with it at all. There are some advantages to Simple DNS when it comes to integration and replication of an entire server, but I've made up those deficiencies with scripting around the DNSCMD utility in the Windows Server Resource Kit.

As for what server to use, the mail systems seem to perform better with a local DNS server for lookup, and we do DNSBL replication onto those servers as well.

Darin.

----- Original Message -----
From: "Michael Cummins"
To:
Sent: Friday, July 10, 2009 4:37 PM
Subject: RE: Re[6]: [Declude.JunkMail] Cutting down on DNS

> Note that the resulting downloaded file is in RBLDNS format. So you
> would convert it to a standard zone file. What DNS server do you use?

I'm using The MS DNS that comes on 2003 Server. I have it installed on both of the SmarterMail/Declude/Sniffer/INVURIBL boxes. Is that a bad, or a good idea?

> UCEPROTECT is free to replicate locally (HTTP or RSYNC)
> http://www.uceprotect.net/en/index.php?m=6&s=0

Thanks, I'll look into that! It seems a few people here already do this. What DNS servers do you use to do this? Do you use separate dedicated servers to do this, or do you do it on your Declude server?

Thanks for the discussion!

-- Michael Cummins
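The conversion mentioned in the quoted text above (RBLDNS-format list to standard zone file records), sketched as an added example; it is not code from anyone in this thread. It assumes a subset of the rbldnsd "ip4set" layout (single IPs and CIDR entries, a ":A:TXT" default line, optional per-entry values); the sample data and the origin dnsbl.example.local are constructed.

```python
import ipaddress

# Constructed sample in rbldnsd "ip4set" style (documentation ranges, not real listings).
SAMPLE = """\
# comment line
$SOA 3600 ns.example.local. admin.example.local. 0 600 300 86400 300
:127.0.0.2:Listed, see http://dnsbl.example.local/lookup
203.0.113.7
198.51.100.0/23 :127.0.0.3:Net listed
192.0.2.128/31
!192.0.2.129
192.0.2
"""


def owner_names(entry):
    """Yield zone owner names (relative to the DNSBL origin) covering one IPv4 entry."""
    net = ipaddress.IPv4Network(entry, strict=False)
    # A zone file can only match whole octets, so widen the prefix to the next
    # octet boundary and emit one name (host or wildcard) per resulting block.
    target = max(8, -(-net.prefixlen // 8) * 8)
    for block in net.subnets(new_prefix=target):
        octets = str(block.network_address).split(".")[: target // 8]
        name = ".".join(reversed(octets))
        yield name if target == 32 else "*." + name


def parse_value(value, a, txt):
    """Apply a ':A:TXT' or plain-TXT value on top of the current defaults."""
    if value.startswith(":"):
        new_a, _, new_txt = value[1:].partition(":")
        a, txt = new_a or a, new_txt or txt
    elif value:
        txt = value
    ipaddress.IPv4Address(a)  # raises ValueError if the A value is not an address
    return a, txt


def quote_txt(txt):
    """Quote a TXT string for a zone file (one character-string, max 255 bytes)."""
    return '"' + txt[:255].replace("\\", "\\\\").replace('"', '\\"') + '"'


def rbldns_to_zone(text, origin):
    """Return (zone_lines, skipped_lines). Skipped lines need manual handling."""
    default_a, default_txt = "127.0.0.2", "Listed"
    zone, skipped = ["$ORIGIN " + origin.rstrip(".") + "."], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        try:
            if line[0] == ":":  # new default value for the entries that follow
                default_a, default_txt = parse_value(line, default_a, default_txt)
                continue
            if line[0] in "$!":  # $SOA/$NS directives and exclusions: not converted
                raise ValueError("directive or exclusion")
            parts = line.split(None, 1)
            value = parts[1].strip() if len(parts) > 1 else ""
            a, txt = parse_value(value, default_a, default_txt)
            names = list(owner_names(parts[0]))
        except ValueError:
            skipped.append(line)
            continue
        for name in names:
            # Any "$" placeholder in the TXT is copied as-is, not substituted.
            zone.append(f"{name} IN A {a}")
            zone.append(f"{name} IN TXT {quote_txt(txt)}")
    return zone, skipped


if __name__ == "__main__":
    lines, left_over = rbldns_to_zone(SAMPLE, "dnsbl.example.local")
    print("\n".join(lines))
    print("; not converted:", left_over)
```

Entries that are not octet-aligned are expanded, so a /19 becomes 32 wildcard names; exclusion lines are reported rather than converted and have to be reconciled by hand before the zone is loaded.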
Re: [Declude.JunkMail] Whitelisting Bug?
Hi Mark,

Are you certain the user does not have their own address in their webmail address book? This looks like a typical problem where users have their own email address in the address book. Removing their email address and explaining to them why they should avoid putting in their own address (i.e. forging spam often forges the address being sent to as the FROM address as well) usually fixes it.

Darin.

----- Original Message -----
From: "Mark Strother"
To:
Cc: "Mark Strother"
Sent: Monday, July 06, 2009 7:13 PM
Subject: [Declude.JunkMail] Whitelisting Bug?

In the past week I've seen a lot of mail whitelisted that shouldn't be. We have autowhitelist and whitelist - auth enabled. I understand that should white list mail that is sent using SMTP auth or if the sender is in the user's SmarterMail address book. In every case I've seen SMTP auth was not used and the sender is not listed in the recipient's address book. Can anyone help out?

Below is a sample header. We've had several complaints, all from different domains, and in each case the headers look similar. The from and to address are the same and in every case the emails have a X-Rcpt-To field pointing to another user within the domain.

--
Return-Path:
Received: from 189104007058.user.veloxzone.com.br [189.104.7.58] by mx2.pacificonline.com with SMTP; Sun, 28 Jun 2009 12:06:38 -0700
Message-ID:
From: "Medicines"
Reply-To: "Medicines"
To: k...@domainremoved.com
Subject: Useful potions, approved pilules
Date: Mon, 29 Jun 2009 02:05:33 +0600
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="-=549_9341_6L951C50.68SC114N"
X-Priority: 3
X-MSMail-Priority: Normal
X-RBL-Warning: IPNOTINMX:
X-RBL-Warning: CBL: "Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=189.104.7.58";
X-RBL-Warning: SPAMCOP: "Blocked - see http://www.spamcop.net/bl.shtml?189.104.7.58";
X-RBL-Warning: UCEPROTECT-1: "IP 189.104.7.58 is UCEPROTECT-Level 1 listed. See http://www.uceprotect.net/rblcheck.php?ipr=189.104.7.58";
X-RBL-Warning: UCEPROTECT-2: "Net 189.104.0.0/19 is UCEPROTECT-Level2 listed because 552 abusers are hosted by Telecomunicacoes da Bahia S.A./AS7738 there. See: http://www.uceprotect.net/rblcheck.php?ipr=189.104.7.58";
X-RBL-Warning: UCEPROTECT-3: "Your ISP Telecomunicacoes da Bahia S.A./AS7738 is UCEPROTECT-Level3 listed for hosting a total of 100857 abusers. See: http://www.uceprotect.net/rblcheck.php?ipr=189.104.7.58";
X-RBL-Warning: BCC: 13 Bcc:'s detected.
X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command.
X-Declude-Sender: k...@domainremoved.com [189.104.7.58]
X-Declude-RefID: str=0001.0A010204.4A47BD36.0135,ss=4,sh,fgs=0
X-Declude-Note: Incoming Msg Scanned by Declude 4.6.35
X-Declude-Score: [0]
X-Declude-Fail: Whitelisted
X-Country-Chain: BRAZIL->destination
X-Rcpt-To:
X-SmarterMail-Spam: DK_None, Declude: 0
X-SmarterMail-TotalSpamWeight: 0
Re: [Declude.JunkMail] Enforce spf record for one domain
Setting an SPF policy will do what you want. If you set up the SPF TEXT record in DNS for your domain to specify that mail sent from your domain should only come from your servers, and set the weight of SPFFAIL in Declude to at least your hold weight, then you should be able to filter.

The only exception to this is if you have users with their own address in their webmail address book, and have Declude configured to whitelist addresses in the user's webmail address book. Since most spam that forges your domain forges the email address of the user to which the spam is being sent, and there is really no need for the user to have their own address in their webmail address book, then removing it should not be a problem.

Hope this helps,
Darin.

----- Original Message -----
From: "Richard Lyon"
To:
Sent: Friday, June 26, 2009 8:03 AM
Subject: [Declude.JunkMail] Enforce spf record for one domain

Greetings all,

We are getting lots of spam that has faked our "from" addresses. I would like to move all from "@piolaxusa.com" email that doesn't originate from our mail server to a central account. I'm pretty sure none of employees go through anything else, even when using their laptops from home. I would prefer to do this via spf records, since we will be changing ips soon. I am not, however, figuring out how to do this. Can anyone point me in the right direction?

Thanks!
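The interaction described in the reply above (an SPF fail weighted at the hold weight, and an address-book whitelist that bypasses it when a user lists their own address), as an added example; it is a simplified model, not Declude's code. The domain, addresses, IPs and weights are constructed, sender stands for both the envelope and header sender, and exempt_own_address is a hypothetical switch, not an existing Declude setting.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample data.
SPF_RECORDS = {"example.com": "v=spf1 ip4:192.0.2.0/28 -all"}
ADDRESS_BOOKS = {
    "kim@example.com": {"kim@example.com", "friend@example.org"},  # lists herself
    "lee@example.com": {"friend@example.org"},
}


def spf_result(record, client_ip):
    """Evaluate the ip4/ip6/all mechanisms of an SPF record for one client IP."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        else:
            qualifier, mech = "+", term
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            # a, mx, include and redirect= need DNS lookups; this offline
            # sketch refuses to guess rather than skipping them.
            return "unsupported"
        net = ipaddress.ip_network(arg, strict=False)
        if net.version == ip.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"


def filter_decision(sender, rcpt, client_ip, spffail_weight=20, hold_weight=20,
                    exempt_own_address=False):
    """Model: address-book whitelist first, then SPFFAIL weight against hold weight."""
    sender, rcpt = sender.lower(), rcpt.lower()
    in_book = sender in ADDRESS_BOOKS.get(rcpt, set())
    # Hypothetical exemption: the recipient's own address never whitelists.
    if in_book and not (exempt_own_address and sender == rcpt):
        return {"whitelisted": True, "spf": None, "weight": 0, "action": "deliver"}
    domain = sender.rpartition("@")[2]
    spf = spf_result(SPF_RECORDS.get(domain, ""), client_ip)
    weight = spffail_weight if spf == "fail" else 0
    action = "hold" if weight >= hold_weight else "deliver"
    return {"whitelisted": False, "spf": spf, "weight": weight, "action": action}


if __name__ == "__main__":
    cases = [
        ("kim@example.com", "lee@example.com", "192.0.2.5", False),      # real server
        ("lee@example.com", "lee@example.com", "198.51.100.9", False),   # forged, held
        ("kim@example.com", "kim@example.com", "198.51.100.9", False),   # forged, whitelisted
        ("kim@example.com", "kim@example.com", "198.51.100.9", True),    # forged, exemption on
        ("friend@example.org", "kim@example.com", "198.51.100.9", True), # normal whitelist
    ]
    for sender, rcpt, ip, exempt in cases:
        print(sender, "->", rcpt, ip,
              filter_decision(sender, rcpt, ip, exempt_own_address=exempt))
```

The third case is the failure mode from the thread: the forged message would fail SPF, but the whitelist match means the SPF result is never weighed.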
Re: [Declude.JunkMail] BackScatter
Hi Todd,

No, I was intending to set up a notification process to automatically let us know when our rating/score changed on these sites.

Darin.

----- Original Message -----
From: Todd Richards
To: declude.junkmail@declude.com
Sent: Saturday, May 16, 2009 1:34 PM
Subject: RE: [Declude.JunkMail] BackScatter

Thanks Darin - good suggestions. I checked with SenderBase and we are "good". With SenderScore, on the other hand, I can't tell whether we are good or bad. Our sender score is a 96, but our risk is high.

When you say you are going to monitor them, do you mean just manually checking them?

Todd

Results for 8.7.193.82
Sender Score: 96

IP Address Information
Hostname                       mail.nnepa.com
Other IPs with same hostname   None
Blacklists                     None
Sender Score Certified         No
Safelist                       No

Deliverability
This represents whether email from 8.7.193.82 is being accepted for delivery in the Sender Score reporting network. Return Path offers a variety of detailed reporting tools to monitor delivery performance.
Accepted Rate: 31.79%
Risk: High

Reputation Measures
These are individual measures of the reputation for 8.7.193.82.

Measure               Type            Value
Complaints            Score (0-100)   100
Volume                Score (0-100)   0
External Reputation   Score (0-100)   67
Unknown Users         Score (0-100)   12
Spam Trap Hits        Count           1
Last Spam Trap Date   Date            04/18/2009

Sending Domains
We've seen 8.7.193.82 sending email for these domains.

Domain           Authenticated
mail.nnepa.com   Yes - A Record, Reverse DNS Match

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Darin Cox
Sent: Saturday, May 16, 2009 7:33 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] BackScatter

Todd, you might want to check SenderBase. We had a similar issue a month ago. SenderBase had recorded a number of backscatter messages from a private list we host that often gets attacked by spammers. The unauthorized access notices that were sent back were seen as backscatter by SenderBase and they reduced our rating from Good to Poor. IronPort filtering devices use the SenderBase rating as one of their blocking criteria, so we were blocked from sending to mail servers protected by IronPort. Fortunately there were only a handful of our customers affected, we rerouted mail temporarily, and we were upgraded in SenderBase two days later after adding filtering to that hosting account.

Matt Bramble pointed out to me another site, SenderScore.org, that you might want to watch as well. I'm planning to set up monitoring on these sites as an additional detection of delivery problems.

Darin.

----- Original Message -----
From: Michael Graveen
To: declude.junkmail@declude.com
Sent: Saturday, May 16, 2009 7:54 AM
Subject: re: [Declude.JunkMail] BackScatter

I think Greylisting reduces backscatter. Greylisting stops the majority of the SPAM from ever reaching our mail server, so it never has a chance to get bounced back because of a non existent user, etc.

Mike

Hi Everyone -

We've been having a few issues with mail servers refusing our mail. Today I ran a test on DNSStuff and found that our IP is on BackScatter.org. They are referencing an event on 4/27, and supposedly we will be removed after 4 weeks if they haven't had any other issues. Of course we can pay to have it removed sooner.

I'm not sure if being listed in their DB is the main culprit to the server refusals that I've seen? We switched over to SmarterMail in mid-April. Since 4/27, we have implemented grey listing. Is grey listing a good first line of defense? Is there anything else I should be doing to prevent back scatter?

Thanks for your thoughts on this.

Todd
Re: [Declude.JunkMail] BackScatter
Todd, you might want to check SenderBase. We had a similar issue a month ago. SenderBase had recorded a number of backscatter messages from a private list we host that often gets attacked by spammers. The unauthorized access notices that were sent back were seen as backscatter by SenderBase and they reduced our rating from Good to Poor. IronPort filtering devices use the SenderBase rating as one of their blocking criteria, so we were blocked from sending to mail servers protected by IronPort. Fortunately there were only a handful of our customers affected, we rerouted mail temporarily, and we were upgraded in SenderBase two days later after adding filtering to that hosting account.

Matt Bramble pointed out to me another site, SenderScore.org, that you might want to watch as well. I'm planning to set up monitoring on these sites as an additional detection of delivery problems.

Darin.

----- Original Message -----
From: Michael Graveen
To: declude.junkmail@declude.com
Sent: Saturday, May 16, 2009 7:54 AM
Subject: re: [Declude.JunkMail] BackScatter

I think Greylisting reduces backscatter. Greylisting stops the majority of the SPAM from ever reaching our mail server, so it never has a chance to get bounced back because of a non existent user, etc.

Mike

Hi Everyone -

We've been having a few issues with mail servers refusing our mail. Today I ran a test on DNSStuff and found that our IP is on BackScatter.org. They are referencing an event on 4/27, and supposedly we will be removed after 4 weeks if they haven't had any other issues. Of course we can pay to have it removed sooner.

I'm not sure if being listed in their DB is the main culprit to the server refusals that I've seen? We switched over to SmarterMail in mid-April. Since 4/27, we have implemented grey listing. Is grey listing a good first line of defense? Is there anything else I should be doing to prevent back scatter?

Thanks for your thoughts on this.

Todd
Re: [Declude.JunkMail] website design service spam emails
Sample headers would help in determining a way to filter these. Also, do you use Message Sniffer?

Darin.

----- Original Message -----
From: "Craig Edmonds"
To:
Sent: Thursday, February 19, 2009 3:16 AM
Subject: [Declude.JunkMail] website design service spam emails

Okay. I am starting to get seriously annoyed with the spam email below that keeps hitting my own inbox a couple of times a day.

Does anyone know a simple way for me to pick up on these mails in declude and add weight without affecting normal mails?

Kindest Regards
Craig Edmonds
123 Marbella Internet Services
W: www.123marbella.com
E : cr...@123marbella.com

-----Original Message-----
From: Don [mailto:zhuazhujih2...@msn.com]
Sent: 19 February 2009 08:57
To: webmaster
Subject: **Spam? [WEIGHT: 18]**website design service (CA)

You are receiving this email because we wish you to use our web design service.

We are web design studio from China. We are specialized in web page design, website development, graphics & multi-media design, flash website design and other relevant services. We pride ourselves with our technical strength, professional vision, unique style, and most of all, our highly devoted professional designers. We are in position to offer website solution, graphics design, e-commerce solution, online promotion and other medium and small business oriented services.

Core offerings
Business website design
Business website redesign
Flash website design
Flash website redesign
Ecommerce website design
Ecommerce website redesign
Company website design
Company catalog design
Company logo design
Graphic design
Google search engine optimization
ERP Solutions

Pls check our website to see portfolio.

Best regards,
Don
V.DASK Information Technologies
Website team
Contact: ittechrespo...@gmail.com
Send address to ittechun...@gmail.com for unsubscribe
Re: [Declude.JunkMail] What about a TOFILE
It's possible to accomplish this now using per address configs, though that would be configured in the $default$.junkmail instead of a separate test definition as you would normally do.

To outline this process:

- Add a redirect line to the $default$.junkmail for each address you want to handle like a TOFILE test, perhaps naming the TOFILE config file $tofile$.junkmail
- Configure the $tofile$.junkmail with the test weights as needed
- Add a filter that always hits and adds weight to the Global.CFG, setting the positive or negative weight as desired in the test definition.
- Set the $default$.junkmail to IGNORE for the new test
- Adjust the $tofile$.junkmail to WARN for the new test

While a TOFILE test would be an easier and cleaner way of implementing this, I believe it is functionally equivalent to the above.

Darin.

----- Original Message -----
From: John T
To: declude.junkmail
Sent: Wednesday, December 17, 2008 3:38 AM
Subject: [Declude.JunkMail] What about a TOFILE

The recent discussion about TODOMAIN got me thinking about a issue I have to deal with on one server I maintain. Is it possible to have a TOFILE which would be like FROMFILE except that it would check the recipient address rather than the from address?

John T
eServices For You
Re: [Declude.JunkMail] create a TODOMAIN file
Hi Craig,

While it's not a whitelist, you could use the fromfile test with a high negative weight to achieve your goal. We have a tiered set of tests that work similar to this:

FROMWHITELIST_LOW fromfile \fromwhitelist_low.txt -100 0
FROMWHITELIST_MED fromfile \fromwhitelist_med.txt -200 0
FROMWHITELIST_HIGH fromfile \fromwhitelist_high.txt -500 0

For reference, we have all tests scaled to a hold weight of 100 for granularity and easy calculations.

As for the TODOMAIN test, you might instead simply set up a different .junkmail file for that domain or domains. That way you can effectively turn off filtering for it/them. We have some customers who don't want any filtering, so we have the following lines in our $default$.junkmail file to point to separate configs for those domains:

REDIRECT [EMAIL PROTECTED] \$postmaster$.junkmail
REDIRECT [EMAIL PROTECTED] \$postmaster$.junkmail
REDIRECT @example.com \$nofilter$.junkmail

We monitor the abuse@ and postmaster@ addresses for all domains. Both the $postmaster$.junkmail and $nofilter$.junkmail are set to WARN on all tests, but we separated them in case we made changes in the future.

Hope this helps,
Darin.

----- Original Message -----
From: Craig Edmonds
To: declude.junkmail@declude.com
Sent: Tuesday, December 09, 2008 7:43 AM
Subject: [Declude.JunkMail] create a TODOMAIN file

Hi All,

Currently in the global.cfg file there is a section like this...

# - IP TODOMAIN Example -
WHITELIST TODOMAIN @example.com
WHITELIST TODOMAIN @ adomain.com
WHITELIST TODOMAIN @ hello.com

However I would like to add a skip-spam-filtering.txt file so the above would look something like this...

WHITELIST fromfile C:\IMail\Declude\Filters\skip-spam-filtering.txt

Or

WHITELIST TODOMAIN C:\IMail\Declude\Filters\skip-spam-filtering.txt

Is this possible? And if so what format should the skip-spam-filtering.txt be? Like this?

WHITELIST TODOMAIN @example.com
WHITELIST TODOMAIN @ adomain.com
WHITELIST TODOMAIN @ hello.com

or just a list of addresses or domains like this ?

@example.com
@adomain.com
@hello.com

Kindest Regards
Craig Edmonds
123 Marbella Internet Services
W: www.123marbella.com
E : [EMAIL PROTECTED]

Craig Edmonds - PGP Public Key
To obtain a copy of my PGP Public Key, please go to the following URL: http://www.123marbella.com/pgp/

Craig Edmonds - LinkedIN Information
To view my LinkedIn Profile, please go to the following URL http://www.linkedin.com/in/craigedmonds

Craig Edmonds - BLOG
To view my personal blog go to the url below http://www.craig-edmonds.com

LEGAL DISCLAIMER - This message may contain confidential, proprietary or legally privileged information and is intended only for the use of the addressee named above. If you are not the intended recipient of this message you are hereby informed that you must not use, disseminate, copy it in any form or take any action in reliance on it. If you have received this message in error please delete it and any copies of it and notify it to the sender.

LEGAL NOTICE - This message may contain confidential, proprietary or legally protected information and is intended solely for the use of the addressee. If you are not the addressee of this message, you are hereby notified that you must not use, disseminate, copy it in any form, or take any action in relation to it.
Re: [Declude.JunkMail] Spam
Sorry for mentioning the wrong setting. I'm under the weather this week. I did mean AUTOWHITELIST ON.

I would still request an option to use AUTOWHITELIST ON but exempting the user's own email address if found in their address book. We occasionally experience a problem with using this feature due to forging spam that forges the user's email address.

Darin.

----- Original Message -----
From: "David Barker" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, December 03, 2008 3:17 PM
Subject: RE: [Declude.JunkMail] Spam

AUTOWHITELIST ON is the address book check. WHITELIST AUTH is used for user authentication.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Wednesday, December 03, 2008 2:58 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Spam

WHITELIST AUTH can whitelist such spam if the user has their own address in their webmail address book. This is the one drawback with WHITELIST AUTH. It would be nice to be able to use this but exempt the user's address from the whitelist.

Darin.

----- Original Message -----
From: "Todd Richards" <[EMAIL PROTECTED]>
To:
Sent: Monday, December 01, 2008 9:29 AM
Subject: [Declude.JunkMail] Spam

Hi Everyone -

Over the past few days, I've been seeing spam come in with the "from" and "to" the same address. The address exists on our server only as an alias (an old IT person) and I am the recipient. Today I got an irate email from one of our customers who is getting the same thing (from her, to her). Unfortunately, she went and tried to unsubscribe on the links..

My settings in my global.cfg file are:

PREWHITELIST ON
WHITELIST AUTH

Any thoughts on what we could do differently?

Thanks for any suggestions!

Todd
Re: [Declude.JunkMail] Spam
WHITELIST AUTH can whitelist such spam if the user has their own address in their webmail address book. This is the one drawback with WHITELIST AUTH. It would be nice to be able to use this but exempt the user's address from the whitelist.

Darin.

----- Original Message -----
From: "Todd Richards" <[EMAIL PROTECTED]>
To:
Sent: Monday, December 01, 2008 9:29 AM
Subject: [Declude.JunkMail] Spam

Hi Everyone -

Over the past few days, I've been seeing spam come in with the "from" and "to" the same address. The address exists on our server only as an alias (an old IT person) and I am the recipient. Today I got an irate email from one of our customers who is getting the same thing (from her, to her). Unfortunately, she went and tried to unsubscribe on the links..

My settings in my global.cfg file are:

PREWHITELIST ON
WHITELIST AUTH

Any thoughts on what we could do differently?

Thanks for any suggestions!

Todd
Re: [Declude.JunkMail] Blacklist Based on TO Address?
There are no TO, CC, or BCC variables available, so you have to use ALLRECIPS for that.

In your filter example, x is a placeholder, y is the weight to add if the test triggers/matches, and z is the weight to add if the test does not trigger/match. In most cases, z is set to zero. Also note that y can be a positive or negative number. If positive it adds to the aggregate weight for the message, if negative it subtracts (i.e. counterweight). The latter is what I was recommending to you for your TO/SUBJECT test.

The list of test types for filters is a table in the documentation. There's a section called "Tests" that is dedicated to this.

End means end the test, passing the weight back to be added to the aggregate weight for the message.

Darin.

----- Original Message -----
From: "William Stillwell" <[EMAIL PROTECTED]>
To:
Sent: Thursday, October 30, 2008 9:58 AM
Subject: RE: [Declude.JunkMail] Blacklist Based on TO Address?

I don't see where you can do [TO] in the filters.. I will probably just filter by this header: X-Originating-IP: [98.130.1.155], and add negative weight. I also have to remove whitelist from my gateway mail scanner, and create a rule, as IPBYPASS doesn't support Subnets.

I must have forgotten something, because I can't seem to understand any of the docs on Declude's website.

I.e., in global.cfg:

FILTER-MYFILTER filter d:\imail\declude\filters\myfilter.txt x y z

What does column "x", "y", and "z" signify?

and I assume in "myfilter.txt"

Column #1 is Test Type? Where is a list of available Tests?
Column #2 is Weight to add / delete? So, END = Cancel Test?
Column #3/4 is obvious..

REVDNS END PCRE (?i:\(timeout\))
BODY 10 PCRE (http://.*\.doc\.exe)

William Stillwell
Systems Architect
Professional Staffing-ABTS,Inc d/b/a Able Body Labor
ph. 727.724.2610
fx. 727.724.2680
cl. 727.638.6208

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Thursday, October 30, 2008 9:43 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Blacklist Based on TO Address?

Instead of blacklisting, why not just create a TO/SUBJECT filter that adds a large weight. That would serve the same purpose as blacklisting.

Darin.

----- Original Message -----
From: "David Barker" <[EMAIL PROTECTED]>
To:
Sent: Thursday, October 30, 2008 9:02 AM
Subject: RE: [Declude.JunkMail] Blacklist Based on TO Address?

No there is not. If you want to blacklist I would suggest using your mail server functionality to do this as the earlier you can stop a message the better. Secondly if you really want Declude to do this you can see the section "Your own sender blacklists" in the online manual http://www.declude.com/searchresults.asp?Cat=109

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of William Stillwell
Sent: Thursday, October 30, 2008 8:45 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Blacklist Based on TO Address?

Is there a way to Blacklist based on TO/SUBJECT (Just like WHITELIST)

William Stillwell
Systems Architect
Re: [Declude.JunkMail] Blacklist Based on TO Address?
Instead of blacklisting, why not just create a TO/SUBJECT filter that adds a large weight. That would serve the same purpose as blacklisting.

Darin.

----- Original Message -----
From: "David Barker" <[EMAIL PROTECTED]>
To:
Sent: Thursday, October 30, 2008 9:02 AM
Subject: RE: [Declude.JunkMail] Blacklist Based on TO Address?

No there is not. If you want to blacklist I would suggest using your mail server functionality to do this as the earlier you can stop a message the better. Secondly if you really want Declude to do this you can see the section "Your own sender blacklists" in the online manual http://www.declude.com/searchresults.asp?Cat=109

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of William Stillwell
Sent: Thursday, October 30, 2008 8:45 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Blacklist Based on TO Address?

Is there a way to Blacklist based on TO/SUBJECT (Just like WHITELIST)

William Stillwell
Systems Architect
Re: [Declude.JunkMail] Negative Weight an IP
Any server sending mail should have REVDNS. Darin. - Original Message - From: "Todd Richards" <[EMAIL PROTECTED]> To: Sent: Thursday, October 23, 2008 3:30 PM Subject: RE: [Declude.JunkMail] Negative Weight an IP Sandy, I guess that was a question that was on my mind. We've never had anything set up for the web server before - only the REVDNS for the mail server itself. Todd -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sanford Whiteman Sent: Thursday, October 23, 2008 1:23 PM To: Todd Richards Subject: Re: [Declude.JunkMail] Negative Weight an IP > Thanks for your suggestions! Um, fix the PTR? --Sandy Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED] SpamAssassin plugs into Declude! http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/ Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases! http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/ http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/
Re: [Declude.JunkMail] Negative Weight an IP
You can either fix your DNS so the web server doesn't fail the REVDNS check, or add WHITELIST IP without the <> to your Declude config, or both. Darin. - Original Message - From: "Todd Richards" <[EMAIL PROTECTED]> To: Sent: Thursday, October 23, 2008 1:49 PM Subject: [Declude.JunkMail] Negative Weight an IP Hello - After our move, email from our web server forms (sent via IIS SMTP) and server alerts is being caught. One of the things that it is failing on is the REVDNS. My thought was to counter the REVDNS with a negative weight on the IP address, but I'm not sure of the syntax to add to my "allow" filter. I would probably prefer not to whitelist the server, as bogus emails that come through tend to get caught. Thanks for your suggestions! Todd
Re: Re[6]: [Declude.JunkMail] DNS Changes
I have to say I also agree with Sandy. While recommending a free external DNS solution like OpenDNS is an easy fix for many less technical customers, as Sandy has pointed out it is not the best solution. 1. The customer has no control over its availability. With a free external DNS solution there is no guarantee it will be available in the future. This is why an internal or pay-for solution is generally a better choice, especially for something as critical as business mail services. 2. There is a performance hit from using external DNS for mail processing. So again, while recommending it may be an easy fix, and may get you many thanks, the above points should always be discussed so the customer understands the implications of using a solution like OpenDNS. While there is a full range of customer knowledge levels and desired depth/control of a technical solution, I would have to agree that running mail servers and use of a technical solution like Declude should require a background knowledge in DNS and SMTP. I would think that being halfway up-to-speed with the technical background necessary is a much worse and dangerous place to be in running these services than either outsourcing or having a deep enough understanding to do something as simple as set up multiple internal DNS servers with recursion turned on. My $0.01. (decreased due to inflation and other financial considerations, plus being mostly a reiteration of points already made) Darin. - Original Message - From: "Sanford Whiteman" <[EMAIL PROTECTED]> To: "Linda Pagillo" Sent: Thursday, October 09, 2008 4:52 AM Subject: Re[6]: [Declude.JunkMail] DNS Changes > In a perfect world this would be correct, but as you already know > from working in the IT profession, no server, DNS or otherwise has > an uptime of 100%. A single physical "DNS server" may go down, sure, whatever. 
The DNS config (redundant DNS servers or load-balanced on a virtual IP) used by a mail infrastructure _must_ be 100% as available as the mailservers themselves. I'm certain that everybody on this list who runs a hosting provider or supports a large company completely agrees and has built their infrastructure accordingly. My clients always have DNS resolution -- yes, _100% of the time that they are connected to the internet_ -- as is commonplace in enterprise-class IT (if not in all "enterprise" IT). It is not so in SMB IT, to be sure, but for your (presumably) SMB clients, we are likely talking about making DNS _as available as a single-point-of-failure MX_. That can mean running caching DNS on the same box. If an admin can't keep a modern DNS daemon running on the mailserver, then their mail should be outsourced. Period. > Yes, things may be slowed down a bit by using a DNS server over a > WAN, Will certainly be slowed down, no "may", let's please be clear about this. > but in my experience, it's more reliable to use the OpenDNS servers > with Declude because they are configured properly for use of the RBL > tests. An OpenDNS server is not "more reliable" for RBL lookups than local recursive DNS servers. It is "more reliable" than overloaded ISP DNS servers. That is not the same statement. > You'd be surprised how many people i talk to in a week who have very > little understanding about the role DNS plays in having these tests > work properly. I wouldn't be surprised at all... and I wouldn't be surprised if, nnn months after they magically switch to OpenDNS, they _still_ have very little understanding of DNS and how to troubleshoot SMTP sending and receiving problems. Because you've patched the problem, but you haven't educated them one bit by telling them that DNS -- rather than being the mail-critical, distributed, scalable, high-performance, learnable, fairly brilliant protocol that it is -- is something they should get from a free provider over the WAN. 
By the way, I completely support shops that outsource their anti-spam/anti-virus + their mailboxes (and just about everything else) using OpenDNS for web browsing, since otherwise they would have to support their first reliable, recursive DNS server(s). But if you are capable of supporting your own anti-abuse and mailbox servers, _you are capable of supporting a recursive DNS server_. Or you lied about the first part. > I don't consider the questions that are asked by our customers as > "stupid stuff that is not our fault", especially the questions about > how DNS plays an important role in our product. But you know very well what I mean by "stupid stuff...". These are the issues you have to deal with that cause collateral damage to the reputation of your product or service, even though you have no direct control over the problem area. In my password example, people with bad memories or unstuck post-it notes are not your fault. But you don't
Re: [Declude.JunkMail] Re:Declude vs Perry (ES)
We all know the second example is the timeline... Darin. - Original Message - From: Andy Schmidt To: declude.junkmail@declude.com Sent: Tuesday, September 09, 2008 2:59 PM Subject: RE: [Declude.JunkMail] Re:Declude vs Perry (ES) Well, Darin - it may be relevant to look at the timeline. Example: 1. Declude is developed 2. Declude is purchased 3. Developer keeps source code and NOW starts to reuse it to develop DNSstuff.com vs. 1. Declude is developed 2. DNSstuff is developed 3. Declude is purchased from Developer 4. DNSstuff is also purchased from Developer I would see how concerns may be raised in the FIRST case. But in the SECOND case, there are no hidden surprises. Over time, they purchased two different applications that had previously been developed by the same developer, and obviously would share some common generic functions. If I sold you a "one of a kind" car and then sold you a "one of a kind" motorcycle - you can't act surprised years later when you "find out" that I was using the same hex-nuts and headlight bulbs, where appropriate. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Tuesday, September 09, 2008 2:03 PM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] Re:Declude vs Perry (ES) Did he keep a copy of the code, or did he just use libraries he developed through the years, as all programmers do, that he used for all of his programming? It's not possible to tell that without an in-depth review of source code for both products. Also, bear in mind that programmers tend to do the same tasks the same way, so two completely separate development projects can have very similar looking code just due to the way a particular programmer solves problems and writes his/her code. Also, as someone on another list pointed out, you typically aren't buying the source code, per se, when you buy all rights to a product. 
What you typically buy are the rights to all marketing for the product (names/trademarks, domain names, etc.), the customer base and any other data specific to the product, and a non-compete from the seller. While source code is necessary to continue development of the product, and is included in the sale, copyrights on the source code are often meaningless due to the above points. In this case, the additional product is not a competing product. I don't know the terms of the sale, however, so it is possible that the source code was central to the purchase. However, the above two points still apply. Darin. - Original Message - From: Craig Edmonds To: declude.junkmail@declude.com Sent: Tuesday, September 09, 2008 1:42 PM Subject: RE: [Declude.JunkMail] Re:Declude vs Perry (ES) I am not a lawyer so don't understand 100%. So Scott Perry agreed to sell the code but kept a copy anyway and when the new owners of Declude went to raise capital they found out that Scott Perry had already developed an additional product with the code they had bought. I don't see the problem myself? The new owners of declude are just protecting their interests no? Kindest Regards Craig Edmonds 123 Marbella Internet Services W: www.123marbella.com E : [EMAIL PROTECTED] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick Hayer Sent: 09 September 2008 16:16 To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Re:Declude vs Perry Hi David - Below was forwarded to me - as a long time Decluder I am very disappointed in seeing something like this - -Nick http://dozierinternetlawpc.cybertriallawyer.com/computer-lawyer DECLUDE, INC. AND DNSSTUFF, LLC. v. R. SCOTT PERRY DISTRICT OF MASSACHUSETTS (BOSTON) 1:08-cv-11072 FILED: 06/25/08 The ownership of source code and the ownership of the code in general used to build a website is often an overlooked issue. 
Make sure that you have spelled out not only the ownership of the code but also the requirements relating to what code can be retrieved from the public domain. If you are using a web developer who retains ownership of source code then you risk having that developer use the code with future competitors at much lower costs and with the benefit of your intellectual capital in developing the architecture, engineering, and business processes. Declude purchased the Defendant's anti-virus, anti-spam and anti-hijacking software in September, 2000, and sold the products as "Declude Virus", "Declude Junkmail", and "Declude Hijack". The Defendant, R. Scott Perry, allegedly used the same source code in developing an additional product, and when the Plaintiff went to venture capitalists to raise capital, the detailed due diligence revealed that Defendant had retained a copy of the source code contrary to the provisions of the purchase
Re: [Declude.JunkMail] Re:Declude vs Perry (ES)
Did he keep a copy of the code, or did he just use libraries he developed through the years, as all programmers do, that he used for all of his programming? It's not possible to tell that without an in-depth review of source code for both products. Also, bear in mind that programmers tend to do the same tasks the same way, so two completely separate development projects can have very similar looking code just due to the way a particular programmer solves problems and writes his/her code. Also, as someone on another list pointed out, you typically aren't buying the source code, per se, when you buy all rights to a product. What you typically buy are the rights to all marketing for the product (names/trademarks, domain names, etc.), the customer base and any other data specific to the product, and a non-compete from the seller. While source code is necessary to continue development of the product, and is included in the sale, copyrights on the source code are often meaningless due to the above points. In this case, the additional product is not a competing product. I don't know the terms of the sale, however, so it is possible that the source code was central to the purchase. However, the above two points still apply. Darin. - Original Message - From: Craig Edmonds To: declude.junkmail@declude.com Sent: Tuesday, September 09, 2008 1:42 PM Subject: RE: [Declude.JunkMail] Re:Declude vs Perry (ES) I am not a lawyer so don't understand 100%. So Scott Perry agreed to sell the code but kept a copy anyway and when the new owners of Declude went to raise capital they found out that Scott Perry had already developed an additional product with the code they had bought. I don't see the problem myself? The new owners of declude are just protecting their interests no? 
Kindest Regards Craig Edmonds 123 Marbella Internet Services W: www.123marbella.com E : [EMAIL PROTECTED] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick Hayer Sent: 09 September 2008 16:16 To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Re:Declude vs Perry Hi David - Below was forwarded to me - as a long time Decluder I am very disappointed in seeing something like this - -Nick http://dozierinternetlawpc.cybertriallawyer.com/computer-lawyer DECLUDE, INC. AND DNSSTUFF, LLC. v. R. SCOTT PERRY DISTRICT OF MASSACHUSETTS (BOSTON) 1:08-cv-11072 FILED: 06/25/08 The ownership of source code and the ownership of the code in general used to build a website is often an overlooked issue. Make sure that you have spelled out not only the ownership of the code but also the requirements relating to what code can be retrieved from the public domain. If you are using a web developer who retains ownership of source code then you risk having that developer use the code with future competitors at much lower costs and with the benefit of your intellectual capital in developing the architecture, engineering, and business processes. Declude purchased the Defendant's anti-virus, anti-spam and anti-hijacking software in September, 2000, and sold the products as "Declude Virus", "Declude Junkmail", and "Declude Hijack". The Defendant, R. Scott Perry, allegedly used the same source code in developing an additional product, and when the Plaintiff went to venture capitalists to raise capital, the detailed due diligence revealed that Defendant had retained a copy of the source code contrary to the provisions of the purchase agreement in 2000, and had again sold some of the same code to the Plaintiff in the new product he had launched. The Plaintiff has sued the individual Defendant for copyright infringement, breach of contract, fraud, conversion, unjust enrichment, and unfair and deceptive acts and practices. Dozier Internet Law Cross-Reference Number 1190. 
Re: [Declude.JunkMail] Command Line Scanner - Help!
Hi Kathy, Here is what I posted a week ago. Works for us...with no excessive CPU load. However, it sounds like your problems are a deeper configuration issue since you mention multiple scanners allowing viruses through. Assuming the default location for program installation, here you go.

SCANFILE C:\PROGRA~1\FRISKS~1\F-PROT~1\fpscan.exe /VERBOSE=0 /ARCHIVE=5 /scanlevel=4 /heurlevel=3 /REPORT=report.txt

/VERBOSE=0 corresponds to the old /SILENT switch
/TYPE is assumed now
/ARCHIVE has changed to /ARCHIVE=5
/NOMEM, /NOBOOT, /DUMB, /AI, and /SERVER are defunct
/SCANLEVEL and /HEURLEVEL are new switches. The values above are recommended
See the FProt 6 manual for more info on conversion of switches, and desired settings

Also, while the old VIRUSCODE 3 VIRUSCODE 6 VIRUSCODE 8 is most likely sufficient, we added VIRUSCODE 3 VIRUSCODE 5 VIRUSCODE 6 VIRUSCODE 7 VIRUSCODE 8 VIRUSCODE 9 VIRUSCODE 10 VIRUSCODE 11 VIRUSCODE 13 VIRUSCODE 14 VIRUSCODE 15 VIRUSCODE 17 VIRUSCODE 18 VIRUSCODE 19 VIRUSCODE 21 VIRUSCODE 22 VIRUSCODE 23 VIRUSCODE 25 VIRUSCODE 26 VIRUSCODE 27 VIRUSCODE 29 VIRUSCODE 30 VIRUSCODE 31 VIRUSCODE 33 VIRUSCODE 34 VIRUSCODE 35 VIRUSCODE 37 VIRUSCODE 38 VIRUSCODE 39 VIRUSCODE 41 VIRUSCODE 42 VIRUSCODE 43 VIRUSCODE 45 VIRUSCODE 46 VIRUSCODE 47 VIRUSCODE 49 VIRUSCODE 50 VIRUSCODE 51 VIRUSCODE 53 VIRUSCODE 54 VIRUSCODE 55 VIRUSCODE 57 VIRUSCODE 58 VIRUSCODE 59 VIRUSCODE 61 VIRUSCODE 62 VIRUSCODE 63 for completeness. Hope this helps, Darin. Darin. - Original Message - From: Kathy Leonard To: declude.junkmail@declude.com Sent: Thursday, June 12, 2008 6:03 PM Subject: [Declude.JunkMail] Command Line Scanner - Help! I noticed that F-Prot version 3 was no longer updating virus defs so I upgraded to version 6. The command line scanner fpscan.exe does not appear to work (even with all the parameters posted in another entry on the forum) and chews up 70 to 100% CPU in the process. 
It appears that the Declude "included" scanner is also not working because I have sent myself the eicar virus twice and it was delivered. I am now desperate for a command line virus scanner that will work and will not be such a CPU hog. I know people use AVG and CLAMAV, but are they talking about the paid or free version? Just a little help please to point me in the right direction. I have no anti-virus on my IMAIL 2006 server now. Kathy Leonard
Re: [Declude.JunkMail] form spam filter
gh to create some sort of multi-factor hurdle that is just too custom for a generic form submission program to get right. CAPTCHA's on the other hand are a burden for legitimate users, and their utility will likely disappear in time, whereas these other methods are neither a burden, nor are they likely to cease being effective. That's my take on it. Matt Darin Cox wrote: Hmmm... good idea. Though the testing/form filler tools I've seen aren't using pasting. They are generating keystrokes and targeting them into the appropriate fields. With the tools I've seen, the ability exists to put pauses in, but that would effectively restrict volume submissions for a spammer, and therefore cut down significantly on traffic. The only drawback is for forms that a user accesses multiple times and may use previously submitted data. In those cases, they might resubmit the form as-is, thus invalidating the timer. Also, note that the confirmation page is CAPTCHA. Darin. - Original Message - From: Marc Catuogno To: declude.junkmail@declude.com Sent: Wednesday, April 09, 2008 12:22 PM Subject: RE: [Declude.JunkMail] form spam filter One thing we did on our domain is to ban "pasting" so that the scripts couldn't paste their info into our fields. Also I just had an idea and asked the webmaster if he could program the form to perform a different action if the form page was opened for too short of a time period. Like shoot to a second page that would ask for a confirmation click or word to be typed in. This assumes that a person would take significantly more time to fill a form than a program, even if it is a keystroke generator From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Wednesday, April 09, 2008 11:54 AM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] form spam filter Matt, I did understand. What I'm saying is that it doesn't always work. 
To clarify, in addition to less sophisticated automated form fillers that would fill out all fields, there are also more sophisticated ones that use keystroke generators to fill out forms. I just saw one in the public domain last month. CAPTCHA doesn't have this problem, would defeat those automated form fillers, and is therefore more reliable with similarly very little effort to implement. Darin. - Original Message - From: Matt To: declude.junkmail@declude.com Sent: Wednesday, April 09, 2008 11:45 AM Subject: Re: [Declude.JunkMail] form spam filter No, I understood completely. I've seen forms with fields hidden by DIVs still filled out. Some of the less sophisticated spam form fillers I've seen used simply filled out every field. They were not looking to see what was "visible" and what wasn't. Actually this is the part that you misunderstood. The DIV's with visibility hidden will never be filled out by real people, but they will get filled out by form spam sending robots. So if they get filled out, you pretend the submission was successful, but you don't generate the E-mail. It's a simple trick, and it works. Matt
Re: [Declude.JunkMail] form spam filter
Hmmm... good idea. Though the testing/form filler tools I've seen aren't using pasting. They are generating keystrokes and targeting them into the appropriate fields. With the tools I've seen, the ability exists to put pauses in, but that would effectively restrict volume submissions for a spammer, and therefore cut down significantly on traffic. The only drawback is for forms that a user accesses multiple times and may use previously submitted data. In those cases, they might resubmit the form as-is, thus invalidating the timer. Also, note that the confirmation page is CAPTCHA. Darin. - Original Message - From: Marc Catuogno To: declude.junkmail@declude.com Sent: Wednesday, April 09, 2008 12:22 PM Subject: RE: [Declude.JunkMail] form spam filter One thing we did on our domain is to ban "pasting" so that the scripts couldn't paste their info into our fields. Also I just had an idea and asked the webmaster if he could program the form to perform a different action if the form page was opened for too short of a time period. Like shoot to a second page that would ask for a confirmation click or word to be typed in. This assumes that a person would take significantly more time to fill a form than a program, even if it is a keystroke generator From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Wednesday, April 09, 2008 11:54 AM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] form spam filter Matt, I did understand. What I'm saying is that it doesn't always work. To clarify, in addition to less sophisticated automated form fillers that would fill out all fields, there are also more sophisticated ones that use keystroke generators to fill out forms. I just saw one in the public domain last month. CAPTCHA doesn't have this problem, would defeat those automated form fillers, and is therefore more reliable with similarly very little effort to implement. Darin. 
- Original Message - From: Matt To: declude.junkmail@declude.com Sent: Wednesday, April 09, 2008 11:45 AM Subject: Re: [Declude.JunkMail] form spam filter No, I understood completely. I've seen forms with fields hidden by DIVs still filled out. Some of the less sophisticated spam form fillers I've seen used simply filled out every field. They were not looking to see what was "visible" and what wasn't. Actually this is the part that you misunderstood. The DIV's with visibility hidden will never be filled out by real people, but they will get filled out by form spam sending robots. So if they get filled out, you pretend the submission was successful, but you don't generate the E-mail. It's a simple trick, and it works. Matt
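Added example (not code from any poster in this thread): a server-side check for a form mailer that combines the hidden decoy fields Matt describes with the "form open for too short a time" test Marc suggests, sending fast or unverifiable submissions to a confirmation step instead of discarding them. The signed timestamp field "ts", the thresholds, the "message" field, the page names and the send_mail callback are assumptions made for the example; the field names "Name", "E-mail", "ignore-old-data1" and "ignore-old-data2" follow the thread.

```python
import hashlib
import hmac
import time

# Assumption: a secret known only to the web server (constructed value).
SECRET = b"constructed-example-key"
# Decoy inputs, hidden from people with a DIV; they carry the names bots target.
DECOY_FIELDS = ("Name", "E-mail")
# The real inputs, renamed as suggested in the thread.
REAL_FIELDS = {"ignore-old-data1": "name", "ignore-old-data2": "email"}
MIN_FILL_SECONDS = 5    # assumption: a person needs at least this long
MAX_TOKEN_AGE = 3600    # assumption: older tokens mean a stale or replayed page


def _sign(ts):
    return hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()


def issue_token(now=None):
    """Value for a hidden 'ts' field, generated when the form page is rendered."""
    ts = str(int(time.time() if now is None else now))
    return ts + "." + _sign(ts)


def _token_time(token):
    """Return the render time if the token is authentic, else None."""
    ts, sep, mac = (token or "").partition(".")
    if not sep or not (ts.isascii() and ts.isdigit()):
        return None
    # Compare as bytes so a non-ASCII forged MAC cannot raise TypeError.
    if not hmac.compare_digest(mac.encode(), _sign(ts).encode()):
        return None
    return int(ts)


def classify(form, now=None):
    """Return (action, cleaned); action is 'deliver', 'drop' or 'challenge'."""
    now = time.time() if now is None else now
    # 1. Any decoy field filled in: a person never sees these, so drop silently.
    if any((form.get(name) or "").strip() for name in DECOY_FIELDS):
        return "drop", None
    # 2. Missing or forged timestamp: cannot prove how long the form was open.
    rendered = _token_time(form.get("ts"))
    if rendered is None:
        return "challenge", None
    # 3. Submitted too quickly, or from a very old page (a resubmitted form,
    #    the drawback raised in the thread): ask for confirmation, do not drop.
    age = now - rendered
    if age < MIN_FILL_SECONDS or age > MAX_TOKEN_AGE:
        return "challenge", None
    cleaned = {new: (form.get(old) or "").strip() for old, new in REAL_FIELDS.items()}
    cleaned["message"] = (form.get("message") or "").strip()
    return "deliver", cleaned


def handle(form, send_mail, now=None):
    """Return the page to show; 'drop' and 'deliver' look identical to the client."""
    action, cleaned = classify(form, now)
    if action == "challenge":
        return "confirm-page"
    if action == "deliver":
        send_mail(cleaned)
    return "thank-you-page"
```

Because a dropped submission gets the same page as a delivered one, a form filler that completes every field receives no signal to adapt; a filler that skips hidden fields and paces its keystrokes passes both checks, which is the case Darin raises in favour of CAPTCHA.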
Re: [Declude.JunkMail] form spam filter
Matt, I did understand. What I'm saying is that it doesn't always work. To clarify, in addition to less sophisticated automated form fillers that would fill out all fields, there are also more sophisticated ones that use keystroke generators to fill out forms. I just saw one in the public domain last month. CAPTCHA doesn't have this problem, would defeat those automated form fillers, and is therefore more reliable with similarly very little effort to implement. Darin. - Original Message - From: Matt To: declude.junkmail@declude.com Sent: Wednesday, April 09, 2008 11:45 AM Subject: Re: [Declude.JunkMail] form spam filter No, I understood completely. I've seen forms with fields hidden by DIVs still filled out. Some of the less sophisticated spam form fillers I've seen used simply filled out every field. They were not looking to see what was "visible" and what wasn't. Actually this is the part that you misunderstood. The DIV's with visibility hidden will never be filled out by real people, but they will get filled out by form spam sending robots. So if they get filled out, you pretend the submission was successful, but you don't generate the E-mail. It's a simple trick, and it works. Matt
Re: [Declude.JunkMail] form spam filter
Hi Markus, Good points. However, we haven't had much trouble filtering outside spam from web forms, so I wasn't thinking of it from that perspective. The main trouble we've had is filtering spammy form submissions to customers from their own websites. Those sites are using our internal servers, so they deliver directly, bypassing our filtering. For this CAPTCHA has been the answer, though checking the referring URL has been a 2-second fix that has been good enough in some cases where customers didn't want CAPTCHA or didn't want to pay us the minimal fee to implement it. Darin. - Original Message - From: Gufler Markus | Limitis To: declude.junkmail@declude.com Sent: Wednesday, April 09, 2008 10:53 AM Subject: RE: [Declude.JunkMail] form spam filter Matt, Darin would it be possible that you both forget, that 99,9+% of all incoming formmail spam is sent from millions of webservers all around the world and you have no control of it. Darin: It wouldn't be virtual impossible to keep a list of all this webservers. Some IP-Blacklists try to do this for years now. Also don't forget that great part of websites are hosted on shared web hosting servers and also if you would catch some spammy messages by flagging some IP you could never be sure that some legit message from the same server isn't caught as FP Markus -- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Wednesday, April 09, 2008 4:24 PM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] form spam filter Darin, I think you missed what I was saying exactly. If the form spammer fills out the fields that are hidden by DIV's, the E-mail wouldn't be sent by the mailer script and it would pretend to have been successful. 
Spammers use programs to do this stuff, and although they are intelligent programs, they almost definitely will target fields named "Name" and "E-mail", and if on their first try they fill these fields in and they get a positive response from the script, their program will stop trying to fix issues. I won't claim that this method is 100% effective, but I have used it in some cases and no one ever said that it didn't do the trick for them. If they got through that trick, I would ban URL's with a JavaScript alert and then silently with the mailer script (figuring that no real people would get a URL to the mailer script). This is the easiest of all methods to implement. It takes 5 to 10 minutes to fix a form and you don't hinder your visitors with CAPTCHAs. It's not like there isn't code being used by spammers elsewhere that read CAPTCHA's anyway, though I suspect that the current form spammers are not doing that right now. Matt Darin Cox wrote: Hi Matt, Some do, some don't. I've seen both methods used on some customer sites. Setting session variables on the form page definitely wouldn't work, as a spammer that hits the form would receive the same session information anyone else would. Certainly checking data against constraints is _always_ important, whether to prevent hacking, avoid data exceptions, enforce business rules, etc. The method you outline seems like it would only work if the spammer doesn't submit to all fields. Some of the attempts we've seen populated all fields, so this wouldn't work on those. I'd stick with CAPTCHA as the best and most foolproof method to avoid these problems. It's fairly easy to implement (there are a number of free examples in public domain), is familiar to most people filling out the forms, and works well. Darin. 
- Original Message - From: Matt To: declude.junkmail@declude.com Sent: Wednesday, April 09, 2008 8:55 AM Subject: Re: [Declude.JunkMail] form spam filter The form spammers are smarter than to go directly to the mail script. They will hit for the form submission page with what appears to be IE and submit the form. They even handle cookies correctly. The trick for form spam is to take fields like your Name and E-mail and rename the variables to something like "ignore-old-data1" and "ignore-old-data2" and adjust your mailer script for the new names. Then you insert new form fields in the form page that are hidden with a DIV and call them Name and E-mail. Your mailer script should pretend that the E-mail was successful if these fields have data in them, but you should simply 86 the actual message. This will trick their testing software into thinking that they were successful, and the DIV's with visibility hidden will not be seen by normal visitors. You might also want to put some javascript in the form submission page that looks for a URL
Re: [Declude.JunkMail] form spam filter
Hi Matt, No, I understood completely. I've seen forms with fields hidden by DIVs still filled out. Some of the less sophisticated spam form fillers I've seen used simply filled out every field. They were not looking to see what was "visible" and what wasn't. CAPTCHA is easy as well... takes similarly just a few minutes to add since there is so much code in the public domain... and it is much more difficult to bypass than a hidden DIV is. I'm not saying it's perfect since it is possible that OCR could be developed to be smart enough to bypass CAPTCHA (though it has not to date), and it does require an extra step by the website visitor, but it certainly appears to be the best method currently, and no more difficult to implement than others that I've seen. Darin. - Original Message - From: Matt To: declude.junkmail@declude.com Sent: Wednesday, April 09, 2008 10:24 AM Subject: Re: [Declude.JunkMail] form spam filter Darin, I think you missed what I was saying exactly. If the form spammer fills out the fields that are hidden by DIV's, the E-mail wouldn't be sent by the mailer script and it would pretend to have been successful. Spammers use programs to do this stuff, and although they are intelligent programs, they almost definitely will target fields named "Name" and "E-mail", and if on their first try they fill these fields in and they get a positive response from the script, their program will stop trying to fix issues. I won't claim that this method is 100% effective, but I have used it in some cases and no one ever said that it didn't do the trick for them. If they got through that trick, I would ban URL's with a JavaScript alert and then silently with the mailer script (figuring that no real people would get a URL to the mailer script). This is the easiest of all methods to implement. It takes 5 to 10 minutes to fix a form and you don't hinder your visitors with CAPTCHAs. 
It's not like there isn't code being used by spammers elsewhere that read CAPTCHA's anyway, though I suspect that the current form spammers are not doing that right now. Matt Darin Cox wrote: Hi Matt, Some do, some don't. I've seen both methods used on some customer sites. Setting session variables on the form page definitely wouldn't work, as a spammer that hits the form would receive the same session information anyone else would. Certainly checking data against constraints is _always_ important, whether to prevent hacking, avoid data exceptions, enforce business rules, etc. The method you outline seems like it would only work if the spammer doesn't submit to all fields. Some of the attempts we've seen populated all fields, so this wouldn't work on those. I'd stick with CAPTCHA as the best and most foolproof method to avoid these problems. It's fairly easy to implement (there are a number of free examples in public domain), is familiar to most people filling out the forms, and works well. Darin. - Original Message - From: Matt To: declude.junkmail@declude.com Sent: Wednesday, April 09, 2008 8:55 AM Subject: Re: [Declude.JunkMail] form spam filter The form spammers are smarter than to go directly to the mail script. They will hit for the form submission page with what appears to be IE and submit the form. They even handle cookies correctly. The trick for form spam is to take fields like your Name and E-mail and rename the variables to something like "ignore-old-data1" and "ignore-old-data2" and adjust your mailer script for the new names. Then you insert new form fields in the form page that are hidden with a DIV and call them Name and E-mail. Your mailer script should pretend that the E-mail was successful if these fields have data in them, but you should simply 86 the actual message. This will trick their testing software into thinking that they were successful, and the DIV's with visibility hidden will not be seen by normal visitors. 
You might also want to put some javascript in the form submission page that looks for a URL in the form and warn the submitter that they can't send URL's, and then also have the mailer script silently reject a submission that has a URL in it. RegEx would be required in both JavaScript and the ASP or whatever code to do the URL checking. As far as I know, this seems to work perfectly, but setting session variables on the form page doesn't do a damn thing. Matt Darin Cox wrote: Since forms all use different emailers, and the form content is different as well, your only hope is content filtering based on what the spammer submitted... like SURBL filtering or REGEX on the spammer submission. These days, web-based form processing pages should minimally check that the
Re: [Declude.JunkMail] form spam filter
Hi Craig, There's really nothing Declude can currently do with this. The headers will all be different, and the format and content of the messages are all different, based on what the web form handler does. That only leaves the actual values in the form fields for filtering purposes. To filter that, you need to use SURBL and REGEX phrase filtering. These are not Declude's purview. Declude is an enabler for you to script your own filters, or use those from third parties like SURBL lookups or content filtering engines. It sounds like what you're asking for is for Declude to get into the business of providing an SURBL lookup function, keeping an SURBL database updated, and implementing something like Message Sniffer's content filtering engine. Is that correct? Darin.
- Original Message - From: Craig Edmonds To: declude.junkmail@declude.com Sent: Wednesday, April 09, 2008 9:22 AM Subject: RE: [Declude.JunkMail] form spam filter
Thanks people for the comments. I will stick with captchas for now but it would be great if declude could figure a nice filter to deal with it, at the end of the day it's still incoming spam. Kindest Regards Craig Edmonds 123 Marbella Web Design in Spain W: www.123marbella.net
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: 09 April 2008 15:09 To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] form spam filter
Hi Matt, Some do, some don't. I've seen both methods used on some customer sites. Setting session variables on the form page definitely wouldn't work, as a spammer that hits the form would receive the same session information anyone else would. Certainly checking data against constraints is _always_ important, whether to prevent hacking, avoid data exceptions, enforce business rules, etc. The method you outline seems like it would only work if the spammer doesn't submit to all fields. Some of the attempts we've seen populated all fields, so this wouldn't work on those.
I'd stick with CAPTCHA as the best and most foolproof method to avoid these problems. It's fairly easy to implement (there are a number of free examples in public domain), is familiar to most people filling out the forms, and works well. Darin. - Original Message - From: Matt To: declude.junkmail@declude.com Sent: Wednesday, April 09, 2008 8:55 AM Subject: Re: [Declude.JunkMail] form spam filter The form spammers are smarter than to go directly to the mail script. They will hit for the form submission page with what appears to be IE and submit the form. They even handle cookies correctly. The trick for form spam is to take fields like your Name and E-mail and rename the variables to something like "ignore-old-data1" and "ignore-old-data2" and adjust your mailer script for the new names. Then you insert new form fields in the form page that are hidden with a DIV and call them Name and E-mail. Your mailer script should pretend that the E-mail was successful if these fields have data in them, but you should simply 86 the actual message. This will trick their testing software into thinking that they were successful, and the DIV's with visibility hidden will not be seen by normal visitors. You might also want to put some javascript in the form submission page that looks for a URL in the form and warn the submitter that they can't send URL's, and then also have the mailer script silently reject a submission that has a URL in it. RegEx would be required in both JavaScript and the ASP or whatever code to do the URL checking. As far as I know, this seems to work perfectly, but setting session variables on the form page doesn't do a damn thing. Matt Darin Cox wrote: Since forms all use different emailers, and the form content is different as well, your only hope is content filtering based on what the spammer submitted... like SURBL filtering or REGEX on the spammer submission. 
These days, web-based form processing pages should minimally check that the referring page is what it is supposed to be (i.e. the form page submit button was clicked as opposed to a spammer submitting directly to the form action URL), and better yet implement CAPTCHA, require a login, or some other similar security measure. Darin. - Original Message - From: Craig Edmonds To: declude.junkmail@declude.com Sent: Wednesday, April 09, 2008 3:16 AM Subject: [Declude.JunkMail] form spam filter Hi All, Is there a filter for form spam? Some clients complain that they get form spammers sending in junk via their web forms. Some clients have captchas on their forms some don't, but I would like to be able to filter out the junk at declude level. Any ideas? Kindest Regards Craig Edmonds 123 Marbella Internet W: www.123marbella.com
Re: [Declude.JunkMail] form spam filter
Hi Matt, Some do, some don't. I've seen both methods used on some customer sites. Setting session variables on the form page definitely wouldn't work, as a spammer that hits the form would receive the same session information anyone else would. Certainly checking data against constraints is _always_ important, whether to prevent hacking, avoid data exceptions, enforce business rules, etc. The method you outline seems like it would only work if the spammer doesn't submit to all fields. Some of the attempts we've seen populated all fields, so this wouldn't work on those. I'd stick with CAPTCHA as the best and most foolproof method to avoid these problems. It's fairly easy to implement (there are a number of free examples in public domain), is familiar to most people filling out the forms, and works well. Darin. - Original Message - From: Matt To: declude.junkmail@declude.com Sent: Wednesday, April 09, 2008 8:55 AM Subject: Re: [Declude.JunkMail] form spam filter The form spammers are smarter than to go directly to the mail script. They will hit for the form submission page with what appears to be IE and submit the form. They even handle cookies correctly. The trick for form spam is to take fields like your Name and E-mail and rename the variables to something like "ignore-old-data1" and "ignore-old-data2" and adjust your mailer script for the new names. Then you insert new form fields in the form page that are hidden with a DIV and call them Name and E-mail. Your mailer script should pretend that the E-mail was successful if these fields have data in them, but you should simply 86 the actual message. This will trick their testing software into thinking that they were successful, and the DIV's with visibility hidden will not be seen by normal visitors. 
You might also want to put some javascript in the form submission page that looks for a URL in the form and warn the submitter that they can't send URL's, and then also have the mailer script silently reject a submission that has a URL in it. RegEx would be required in both JavaScript and the ASP or whatever code to do the URL checking. As far as I know, this seems to work perfectly, but setting session variables on the form page doesn't do a damn thing. Matt Darin Cox wrote: Since forms all use different emailers, and the form content is different as well, your only hope is content filtering based on what the spammer submitted... like SURBL filtering or REGEX on the spammer submission. These days, web-based form processing pages should minimally check that the referring page is what it is supposed to be (i.e. the form page submit button was clicked as opposed to a spammer submitting directly to the form action URL), and better yet implement CAPTCHA, require a login, or some other similar security measure. Darin. - Original Message - From: Craig Edmonds To: declude.junkmail@declude.com Sent: Wednesday, April 09, 2008 3:16 AM Subject: [Declude.JunkMail] form spam filter Hi All, Is there a filter for form spam? Some clients complain that they get form spammers sending in junk via their web forms. Some clients have captchas on their forms some don't, but I would like to be able to filter out the junk at declude level. Any ideas? Kindest Regards Craig Edmonds 123 Marbella Internet W: www.123marbella.com E : [EMAIL PROTECTED] LEGAL DISCLAIMER - This message may contain confidential, proprietary or legally privileged information and is intended only for the use of the addressee named above. If you are not the intended recipient of this message you are hereby informed that you must not use, disseminate, copy it in any form or take any action in reliance on it. If you have received this message in error please delete it and any copies of it and notify it to the sender. 
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] form spam filter
Since forms all use different emailers, and the form content is different as well, your only hope is content filtering based on what the spammer submitted... like SURBL filtering or REGEX on the spammer submission. These days, web-based form processing pages should minimally check that the referring page is what it is supposed to be (i.e. the form page submit button was clicked as opposed to a spammer submitting directly to the form action URL), and better yet implement CAPTCHA, require a login, or some other similar security measure. Darin.
- Original Message - From: Craig Edmonds To: declude.junkmail@declude.com Sent: Wednesday, April 09, 2008 3:16 AM Subject: [Declude.JunkMail] form spam filter
Hi All, Is there a filter for form spam? Some clients complain that they get form spammers sending in junk via their web forms. Some clients have captchas on their forms some don't, but I would like to be able to filter out the junk at declude level. Any ideas? Kindest Regards Craig Edmonds 123 Marbella Internet W: www.123marbella.com E : [EMAIL PROTECTED]
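The server-side checks discussed in this thread (referring-page check, decoy fields hidden by a DIV, silent rejection of submissions containing a URL), as an added example that is not code from any poster. The renamed variables "ignore-old-data1" and "ignore-old-data2" and the decoy names "Name" and "E-mail" come from the thread; the form URL, the "Message" field and all function names are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed values for this example.
FORM_PAGE = "https://www.example.com/contact.html"
# Decoy inputs carry the names bots look for; a DIV hides them from people.
DECOY_FIELDS = ("Name", "E-mail")
# The real inputs use the renamed variables suggested in the thread.
REAL_NAME, REAL_EMAIL, REAL_TEXT = "ignore-old-data1", "ignore-old-data2", "Message"

URL_RE = re.compile(r"\b(?:https?://|www\.)\S+", re.IGNORECASE)
THANKS = (200, "Thank you, your message has been sent.")

# Constructed sample submissions.
LEGIT = {"Name": "", "E-mail": "", REAL_NAME: "Ann Example",
         REAL_EMAIL: "ann@example.org", REAL_TEXT: "Please call me back."}
FILL_ALL = {"Name": "x", "E-mail": "x@example.net", REAL_NAME: "x",
            REAL_EMAIL: "x@example.net", REAL_TEXT: "hello"}
WITH_URL = dict(LEGIT, **{REAL_TEXT: "Cheap pills at http://pills.example/buy"})


def same_page(referer, expected=FORM_PAGE):
    """True when the Referer header names the form page itself."""
    if not referer:
        return False
    got, want = urlsplit(referer), urlsplit(expected)
    return (got.scheme, got.netloc.lower(), got.path) == (
        want.scheme, want.netloc.lower(), want.path)


def screen(fields, referer):
    """Classify a submission: 'send', 'reject' (visible error) or 'drop' (silent)."""
    if not same_page(referer):
        return "reject", "referer is not the form page"
    if any(fields.get(name, "").strip() for name in DECOY_FIELDS):
        return "drop", "hidden decoy field was filled in"
    # The e-mail field is skipped: an address is not a link.
    for name in (REAL_NAME, REAL_TEXT):
        if URL_RE.search(fields.get(name, "")):
            return "drop", "URL in " + name
    return "send", "ok"


def handle(fields, referer):
    """Return (status, body, mail); mail is None when nothing is to be sent."""
    action, _reason = screen(fields, referer)
    if action == "reject":
        return 403, "Please use the contact form.", None
    if action == "drop":
        # Same response as a real success, so an automated submitter sees
        # nothing to adapt to; the message itself is discarded.
        return THANKS[0], THANKS[1], None
    mail = {
        "name": fields.get(REAL_NAME, "").strip(),
        "email": fields.get(REAL_EMAIL, "").strip(),
        "message": fields.get(REAL_TEXT, "").strip(),
    }
    return THANKS[0], THANKS[1], mail
```

The Referer header is supplied by the client, so the first check only stops direct posts to the form action URL; the decoy check is the one that catches submitters that populate every field.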
Re: [Declude.JunkMail] Forged-Spam Backscatter
Hi Kevin, This doesn't have anything to do with incoming mail servers, only outgoing. Also, there should be just one SPF record per domain. So assuming you send mail for myriadnetwork.com as well, and either domain can send outbound mail through any of the servers listed in the MX records for both domains, then you would want exactly two SPF DNS TXT records:

SPF record for rogersbenefit.com
rogersbenefit.com. IN TXT "v=spf1 mx:rogersbenefit.com mx:myriadnetwork.com ~all"

SPF record for myriadnetwork.com
myriadnetwork.com. IN TXT "v=spf1 mx:rogersbenefit.com mx:myriadnetwork.com ~all"

Note that if your outbound mail servers are different from your MX records, then the above records are incorrect. You can restrict this further if you have only one server that sends outbound mail, as you mentioned, but this gives you the flexibility to use any of the servers listed as the MX for outbound mail for the two domains. Note that the SPF records are specified as soft fail. If you are certain that no other server will send mail for those domains, then you can change soft fail (~all) to hard fail (-all). Hope this helps, Darin.

- Original Message - From: "Kevin Rogers" <[EMAIL PROTECTED]> To: Sent: Thursday, April 03, 2008 8:51 PM Subject: Re: [Declude.JunkMail] Forged-Spam Backscatter

I'm looking for a little help creating SPF records. I'm trying to use the tools at openspf.org. We only have one server that sends out mail for our domain. We have a secondary server that accepts email sent to our domain if our primary server is down (myriadnetwork.com). After going through the creation tool, it generated:

To be put in our zone file:
rogersbenefit.com. IN TXT "v=spf1 a mx mx:rogersbenefit.com ~all"

To be put in our DNS records:
mail.rogersbenefit.com. IN TXT "v=spf1 a -all"
mx2.myriadnetwork.com. IN TXT "v=spf1 a -all"

We host our DNS records at Network Solutions. If anyone else uses NetSol for the DNS records, how do we go about adding these lines to our DNS records? And also, is it recommended to use the "all" modifier or not? Kevin

Jim Comerford wrote:
> ... but I noticed the domains that we were seeing this with did not have any SPF records in place. So when I saw this sudden increase come through, I added a strict SPF policy for that domain. The backscatter for that domain all but stopped. ...
>
> Good thing to check... the latest domain to get hit did NOT have an SPF record (and this seems to have been the worst so far)... BUT MOST of the ones that did get hit - did have an SPF record and we still get backscatter.
>
> We typically add SPF on all domains.. but in reviewing we had missed a couple of them.
>
> Hopefully the Filter that David is referring to will help.
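A small lint for the points made in the reply above (one SPF record per name, which servers the `mx:` terms authorise, and whether the policy ends in soft fail or hard fail), as an added example that is not code from the thread. The two rogersbenefit.com/myriadnetwork.com records are copied from the reply; the example.org zone lines and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

TXT_LINE = re.compile(r'^\s*(\S+)\s+IN\s+TXT\s+"([^"]*)"\s*$', re.IGNORECASE)
ALL_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# The two records recommended in the reply above.
PAGE_RECORDS = '''
rogersbenefit.com. IN TXT "v=spf1 mx:rogersbenefit.com mx:myriadnetwork.com ~all"
myriadnetwork.com. IN TXT "v=spf1 mx:rogersbenefit.com mx:myriadnetwork.com ~all"
'''

# Constructed: two SPF records published at one name, plus an unrelated TXT.
DUPLICATE_RECORDS = '''
example.org. IN TXT "v=spf1 mx ~all"
example.org. IN TXT "v=spf1 a -all"
example.org. IN TXT "site-verification=constructed"
'''


def spf_records(zone_text):
    """Map each owner name to the list of its v=spf1 TXT strings."""
    found = defaultdict(list)
    for line in zone_text.splitlines():
        m = TXT_LINE.match(line)
        if not m:
            continue
        owner, txt = m.group(1).rstrip(".").lower(), m.group(2)
        if txt.lower() == "v=spf1" or txt.lower().startswith("v=spf1 "):
            found[owner].append(txt)
    return dict(found)


def check_record(owner, record):
    """Summarise one SPF record: result of 'all', mx targets, problems."""
    terms = record.split()[1:]
    mx, all_result, problems = [], None, []
    for pos, term in enumerate(terms):
        # A missing qualifier means '+' (pass).
        qualifier, body = (term[0], term[1:]) if term[0] in ALL_RESULT else ("+", term)
        name, _, value = body.partition(":")
        name = name.lower().split("/")[0]
        if name == "mx":
            # A bare "mx" refers to the owner name's own MX hosts.
            target = value.split("/")[0].rstrip(".").lower() or owner
            if target not in mx:
                mx.append(target)
        elif name == "all":
            all_result = ALL_RESULT[qualifier]
            if any("=" not in t for t in terms[pos + 1:]):
                problems.append("mechanisms after 'all' are never evaluated")
            break
    has_redirect = any(t.lower().startswith("redirect=") for t in terms)
    if all_result is None and not has_redirect:
        problems.append("no 'all' mechanism and no redirect")
    if all_result == "pass":
        problems.append("'+all' authorises every sender")
    return {"all": all_result, "mx": mx, "problems": problems}


def lint_spf(zone_text):
    """Return {owner: summary} for every name that publishes SPF."""
    report = {}
    for owner, records in spf_records(zone_text).items():
        if len(records) > 1:
            report[owner] = {"all": None, "mx": [], "problems": [
                "multiple SPF records (%d): receivers treat this as a "
                "permanent error" % len(records)]}
        else:
            report[owner] = check_record(owner, records[0])
    return report
```

Changing `~all` to `-all` in a record changes the reported result from "softfail" to "fail", which is the soft fail to hard fail switch described in the reply.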
Re: [Declude.JunkMail] why isn't this message deleted
Create a domain-specific config, and set it in there. There are examples of domain-specific configs in the Junkmail manual. Darin. - Original Message - From: Imail Admin To: declude.junkmail@declude.com Sent: Tuesday, February 26, 2008 8:01 PM Subject: Re: [Declude.JunkMail] why isn't this message deleted So, how do I add a mod to the subject line for all messages for a specific domain? I mean, it would obviously be a setting in the junkmail file for that domain name, but I'm used to using weights to trigger such things, while for this case, I want it on all messages. Thanks, Ben - Original Message - From: Darin Cox To: declude.junkmail@declude.com Sent: Tuesday, February 26, 2008 1:19 PM Subject: Re: [Declude.JunkMail] why isn't this message deleted I don't believe it will work that way for you. Forwarded messages are not scanned twice, so I believe they are only processed as incoming. As for changing the subject, that again would be done on the inbound filter for forwarded messages. As to the CPU question, the cost is the same for the same tests, inbound or outbound doesn't matter. Darin. - Original Message - From: Imail Admin To: declude.junkmail@declude.com Sent: Monday, February 25, 2008 8:59 PM Subject: Re: [Declude.JunkMail] why isn't this message deleted Hi, Thanks, Darin. We were putting the filter on outbound because we charge a little more for filtering on inbound service and they aren't paying for it. Is there a cost in terms of CPU utilization if we filter on outbound? In general, I don't expect to hit legit messages on outbound. We'll set the threshold pretty high and if the messages are coming from our clients (which should be the case except for forwarding), then they should never come close to the threshold. One question: is it possible to change the subject line for forwarded messages? That would give our clients a heads-up where the messages are coming from. 
Thanks, Ben
- Original Message - From: Darin Cox To: declude.junkmail@declude.com Sent: Monday, February 25, 2008 3:34 PM Subject: Re: [Declude.JunkMail] why isn't this message deleted
Yes, it will work. However, I think you'll want the delete setting put on inbound messages rather than outbound. In other words, do the scanning and actions on the inbound message to that account, before it is forwarded to the other account. You'll also want to be careful that you're not deleting legit messages, so don't change a filter to delete unless you are sure. Lastly, you'll want to get on AOL's postmaster feedback loop, if you aren't already. Darin.
- Original Message - From: Imail Admin To: declude.junkmail@declude.com Sent: Monday, February 25, 2008 6:14 PM Subject: [Declude.JunkMail] why isn't this message deleted
Hi, We have Declude running with IMail 2006.23. One of our clients has their mail box setup to forward to their AOL account. The problem we have is that if they receive a message and mark it as spam, then AOL thinks the spam came from us and we risk being blocked. I thought we were configured to scan and stop outgoing messages, but one of them got through today. When I checked our global.cfg file, I found that all the triggers were set to "warn." Is it just a matter of setting one of the triggers to "delete"? And will this work with forwarded messages? Thanks, Ben
Re: [Declude.JunkMail] why isn't this message deleted
I don't believe it will work that way for you. Forwarded messages are not scanned twice, so I believe they are only processed as incoming. As for changing the subject, that again would be done on the inbound filter for forwarded messages. As to the CPU question, the cost is the same for the same tests, inbound or outbound doesn't matter. Darin. - Original Message - From: Imail Admin To: declude.junkmail@declude.com Sent: Monday, February 25, 2008 8:59 PM Subject: Re: [Declude.JunkMail] why isn't this message deleted Hi, Thanks, Darin. We were putting the filter on outbound because we charge a little more for filtering on inbound service and they aren't paying for it. Is there a cost in terms of CPU utilization if we filter on outbound? In general, I don't expect to hit legit messages on outbound. We'll set the threshold pretty high and if the messages are coming from our clients (which should be the case except for forwarding), then they should never come close to the threshold. One question: is it possible to change the subject line for forwarded messages? That would give our clients a heads-up where the messages are coming from. Thanks, Ben - Original Message - From: Darin Cox To: declude.junkmail@declude.com Sent: Monday, February 25, 2008 3:34 PM Subject: Re: [Declude.JunkMail] why isn't this message deleted Yes, it will work. However, I think you'll want the delete setting put on inbound messages rather than outbound. In other words, do the scanning and actions on the inbound message to that account, before it is forwarded to the other account. You'll also want to be careful that you're not deleting legit messages, so don't change a filter to delete unless you are sure. Lastly, you'll want to get on AOL's postmaster feedback loop, if you aren't already. Darin. 
- Original Message - From: Imail Admin To: declude.junkmail@declude.com Sent: Monday, February 25, 2008 6:14 PM Subject: [Declude.JunkMail] why isn't this message deleted
Hi, We have Declude running with IMail 2006.23. One of our clients has their mail box setup to forward to their AOL account. The problem we have is that if they receive a message and mark it as spam, then AOL thinks the spam came from us and we risk being blocked. I thought we were configured to scan and stop outgoing messages, but one of them got through today. When I checked our global.cfg file, I found that all the triggers were set to "warn." Is it just a matter of setting one of the triggers to "delete"? And will this work with forwarded messages? Thanks, Ben
Re: [Declude.JunkMail] why isn't this message deleted
Yes, it will work. However, I think you'll want the delete setting put on inbound messages rather than outbound. In other words, do the scanning and actions on the inbound message to that account, before it is forwarded to the other account. You'll also want to be careful that you're not deleting legit messages, so don't change a filter to delete unless you are sure. Lastly, you'll want to get on AOL's postmaster feedback loop, if you aren't already. Darin.
- Original Message - From: Imail Admin To: declude.junkmail@declude.com Sent: Monday, February 25, 2008 6:14 PM Subject: [Declude.JunkMail] why isn't this message deleted
Hi, We have Declude running with IMail 2006.23. One of our clients has their mail box setup to forward to their AOL account. The problem we have is that if they receive a message and mark it as spam, then AOL thinks the spam came from us and we risk being blocked. I thought we were configured to scan and stop outgoing messages, but one of them got through today. When I checked our global.cfg file, I found that all the triggers were set to "warn." Is it just a matter of setting one of the triggers to "delete"? And will this work with forwarded messages? Thanks, Ben
Re: [Declude.JunkMail] Indicate msg size in header on an authenticated whitelisted
Hmmm... well, if externals do run, then a message rewriter (to insert the header line) could be launched as a Declude test. Darin.
- Original Message - From: "John T (lists)" <[EMAIL PROTECTED]> To: Sent: Thursday, January 24, 2008 12:58 PM Subject: RE: [Declude.JunkMail] Indicate msg size in header on an authenticated whitelisted
> If the user authenticates then all tests are bypassed if WHITELIST AUTH is set ON in the global.cfg
Not quite true. This is only true if "PREWHITELIST ON" is set in the global.cfg file. Otherwise, externals do run, but no action is taken by Declude.
> Since Declude's whitelisting bypasses any tests, an external test won't work. So, it appears you would need to write a plug-in that is called by IMail, and then chains to Declude after rewriting the message.
Externals do run as stated above.
> Slammed...
Badumbumb ;-)
Re: [Declude.JunkMail] Indicate msg size in header on an authenticated whitelisted
Slammed... I did have your message saved to reply, just hadn't had time. Since Declude's whitelisting bypasses any tests, an external test won't work. So, it appears you would need to write a plug-in that is called by IMail, and then chains to Declude after rewriting the message. It might also be nice to have a test in Declude that determines whether the user is authenticated, instead of, or in addition to, a whitelist. That way we could assign a large negative weight, and run other tests as desired. Darin. - Original Message - From: John T (lists) To: declude.junkmail@declude.com Sent: Thursday, January 24, 2008 11:35 AM Subject: RE: [Declude.JunkMail] Indicate msg size in header on an authenticated whitelisted 2 years ago, I would have had a dozen replies by now and even possible a nice discussion going on. Where is everybody? John T From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (lists) Sent: Monday, January 21, 2008 1:05 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Indicate msg size in header on an authenticated whitelisted I am trying to figure out how to add a line in the header of a message to indicate it is over xKB in size with that incoming message being whitelisted via authenticated sender. Example, user1 on the local Imail server sends a message to user2 on the local Imail server, hence the email is whitelisted since user1 authenticated. But the message is over 2 MB and user2 is currently traveling and using a slow broadband card. The desired action is to have a test that "fails" on the over 1 MB size and an inbound rule on user2 that will then move that message to a submail box called LargeFiles. This way, user2 when he connects via his Outlook does not try to download that email, instead he will be responsible for checking that folder via webmail and then if he needs it right away he can either download the attachment via webmail or move it to his normal inbox. Thoughts, Ideas, cookies? 
John T --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Per-User Blacklist
Hi Dean, We do limited per domain configs (from a set of choices, so it is not completely custom per domain), but not per user, and have never seen a need to go to the user level. Maintenance of that would be a nightmare as any change to the master list of tests run or weights involved would require you to change every per-user config. In my mind, preset filtering levels is the only way to go for a provider, unless control over the configs is given to the end customer/user. Darin. - Original Message - From: "Dean Lawrence" <[EMAIL PROTECTED]> To: Sent: Wednesday, January 02, 2008 9:55 AM Subject: Re: [Declude.JunkMail] Per-User Blacklist Thanks Darrell, That was what I was afraid of. How are others dealing with per user black lists? Are they using IMail rules to accomplish this? Right now I manage all domain configurations for my clients and typically do not allow per user options. However, I would like to build-out a web based user admin area for them to choose between preset spam levels and to administer their own white/black lists. I don't mind building it myself, but I would be interested in knowing how others deal with this. Thanks again, Dean On Jan 1, 2008 9:21 PM, Darrell ([EMAIL PROTECTED]) <[EMAIL PROTECTED]> wrote: > Dean, > > What you read in the manual is correct. The only way to do this would > be to setup junkmail via per user and have a test for each user as their > own blacklist. For a *small* group of users this could be done, but on > any level of scale it would be impractical not only from a management > aspect but from the resources it would require to run. > > Darrell > -- > Check out http://www.invariantsystems.com for utilities for Declude, > Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, > SURBL/URI integration, MRTG Integration, and Log Parsers. > > > Dean Lawrence wrote: > > Is it possible to create a per-user blacklist? 
From what I have seen > > in the manual and in the knowledge base, I have to define a test in > > the global config file. I could do this for a per domain basis, but to > > do it for every single user would be excruciating. > > > > Thanks > > > > -- > > > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. > > -- __ Dean Lawrence, CIO/Partner Internet Data Technology 888.GET.IDT1 ext. 701 * fax: 888.438.4381 http://www.idatatech.com/ Corporate Internet Development and Marketing Specialists --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Postmaster Spoofed Returns
The filters we have in place usually detect them. If you're not using Sniffer, I highly recommend you add it. Darin. - Original Message - From: "Kevin Stanford" <[EMAIL PROTECTED]> To: Sent: Thursday, September 27, 2007 10:55 AM Subject: RE: [Declude.JunkMail] Postmaster Spoofed Returns I suppose the detection of "any remnants of the original spam" is going to be a manual process...correct? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Thursday, September 27, 2007 9:08 AM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] Postmaster Spoofed Returns SPF can help a bit, if the receiver of the spoofed emails uses SPF for filtering and does not bounce on SPF violation. We've been able to limit the bounces that get through so far to just a few, mostly through detection of any remnants of the original spam in the bounce. Darin. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Postmaster Spoofed Returns
SPF can help a bit, if the receiver of the spoofed emails uses SPF for filtering and does not bounce on SPF violation. We've been able to limit the bounces that get through so far to just a few, mostly through detection of any remnants of the original spam in the bounce. Darin. - Original Message - From: "Kevin Stanford" <[EMAIL PROTECTED]> To: Sent: Thursday, September 27, 2007 9:49 AM Subject: [Declude.JunkMail] Postmaster Spoofed Returns Does anyone have any suggestions on how to stop returned email on spoofed email addresses for our domain. I was going to setup a rule but it would catch good and bad alike... Thanks, Kevin --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Per User config redirecting
Hi Bill, No gotchas that I can think of. We've been using that kind of config for a couple of years now. You can redirect for an email address by specifying the email address on the REDIRECT line. You can redirect for a domain by specifying "@example.com" (replace example.com with your domain name) on the REDIRECT line. We generally have three configs per domain, one for abuse@, postmaster@, and then the rest of the domain. None of our customers need user specific filtering. Darin. - Original Message - From: Bill Green dfn Systems To: declude.junkmail@declude.com Sent: Thursday, September 13, 2007 2:00 PM Subject: [Declude.JunkMail] Per User config redirecting I'm asking for your experience, and any gotchas I may be missing. Our main domain accounts for 95% + of our email clients. On this domain, I have been using Per-User configuration files for clients who need something different from the $default$.config. I set up domain folders, and have a config file for each "special needs" user inside the domain folder. Almost all of these fall into one of three settings groups that are identical. Today, I have been looking into the Redirect command. It would let me set up three config files (say nofilter.config, permissive.config, and aggressive.config), and then have a redirect command in my default.config for each special needs user pointing to the appropriate config file. This way, when I need to make a change, say add a new test, I only need to change three or four config files instead of dozens. This would add substantially to the size of my default config. Any performance hits or other worries I need to know about? Bill Green dfn Systems 505-622-7853 [EMAIL PROTECTED] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SPF (Fail or Pass)
Only SPFFAIL is recommended, as spammers may have SPF records. Also, since many organizations are not using SPF, SPFUNKNOWN is not useful. Here's how you declare it in your GLOBAL.CFG SPFFAILspffailx0 I find that SPF is very useful, if for no other reason than to block spam sent to our customers that forges their domain when sending to them. To create your own SPF records, try http://www.openspf.org/ Darin. - Original Message - From: "Kevin Stanford" <[EMAIL PROTECTED]> To: Sent: Friday, September 07, 2007 9:05 AM Subject: [Declude.JunkMail] SPF (Fail or Pass) I am not really sure how to set this up but I would like to make sure that if a domain has an spf record that it is checked and if it is not legit it is immediately marked as spam. Also, is it possible to do this on my domain as I get a lot of spoofed email to my domain using my domain as a return address. Thanks for any help offered! Kevin --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Interesting Spam
I use a command line tool from www.whoisview.com that works well for both domains and IP blocks. Occasionally I run into a domain that doesn't resolve, but when that happens I also have trouble from registrar sites like netsol and godaddy. www.freewho.com generally works well, though. Darin. - Original Message - From: "Colbeck, Andrew" <[EMAIL PROTECTED]> To: Sent: Thursday, September 06, 2007 7:40 PM Subject: RE: [Declude.JunkMail] Interesting Spam Well, the easy part is answering your question about the domains. Each of the payload domains was registered today, so whatever service you're using to look up the registrations is probably using a database at least a day behind. I use (for example) this site to my satisfaction: http://whois.domaintools.com/sdsdm.com Andrew. > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On > Behalf Of Dave Beckstrom > Sent: Thursday, September 06, 2007 3:07 PM > To: declude.junkmail@declude.com > Subject: [Declude.JunkMail] Interesting Spam > > We're getting a rash of spam that doesn't score high enough > to be blocked. > In the past I've looked up the domain owner of the site > listed in the spam > and been able to identify sometimes dozens of domains owned > by the spammer, > then I've put that list into a filter and blocked the domains > before they > were all used in new spam sent to us. > > I did a whois on some of the domains and they all show as > available and > unregistered. Yet when I go to the domain, it does take me > to the spammers > site. How can these domains be functional and show as available to be > registered at the same time? > > Below is a paste of one of the spams. I added 3 additional > domains that > have appeared in this same asshole's spam so that you can see > the pattern of > domains he is using. > > How do I block these? 
> > Dave > > > > X-Note: > X-Note: Spam Score: [18] > X-Note: Scan Time: 16:47:18 on 06 Sep 2007 > X-Note: Spool File: 35111367.eml > X-Note: Server Name: dsl88-233-31730.ttnet.net.tr > X-Note: SMTP Sender: [EMAIL PROTECTED] > X-Note: Reverse DNS & IP: dsl88-233-31730.ttnet.net.tr > [88.233.123.242] > X-Note: Country Chain: TURKEY->destination > X-Note: Failed Weights: SORBS-WEB [5], FIVETENSRC [4], HELOBOGUS [5], > SPFUNKNOWN [1], Filter_Country [8], WEIGHT10 [10], WEIGHT14 [14] > X-Note: > > > -Original Message- > From: Tam Genois [mailto:[EMAIL PROTECTED] > Sent: Thursday, September 06, 2007 1:15 PM > Subject: [SPAM]- Score (12)tuile > > How it is going Genois > Do you want to have an average to small penis all of your > life? No, you > don't > > dae Hays > http://soltepec.com/ > http://selenan.com/ > http://www.seriia.com/ > http://www.sdsdm.com/ > > > > > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. > > --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] New PDF worm?
I whipped this up mid afternoon, and it's catching them for us. An earlier version this morning didn't catch the entire campaign. - MINWEIGHTTOFAIL 23 SKIPIFWEIGHT 250 REVDNS END ENDSWITH .smarsh.com HEADERS 10 CONTAINS X-Mailer: Microsoft Outlook Express 6.00.2900.3138 BODY 1 CONTAINS BODY 1 CONTAINS BODY 1 CONTAINS BODY 1 CONTAINS BODY 1 CONTAINS BODY 10 CONTAINS Content-Type: application/pdf; - My delete weight is 250, so I skip if it has already reached that weight. Smarsh sends one of our customers a lot of PDFs, so I made sure their emails wouldn't trigger this. There are liable to be FPs, so I would weight this enough to hold, but not to delete. Darin. - Original Message - From: Todd Richards To: declude.junkmail@declude.com Sent: Tuesday, August 07, 2007 9:39 PM Subject: RE: [Declude.JunkMail] New PDF worm? I received one right away too. It did trigger, but with a weight of 5 it wasn't enough to stop it from making it through. On the flip side, you have to be careful that you don't stop legitimate PDF files. Kind of a tough one... Todd From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom Sent: Tuesday, August 07, 2007 8:02 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] New PDF worm? It didn't work. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Tuesday, August 07, 2007 6:39 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] New PDF worm? Thanks David. We'll (ok, I'll) give it a whirl! Todd From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Tuesday, August 07, 2007 6:23 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] New PDF worm? Ok this should hold it over till I can look at it some more tomorrow. David From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Tuesday, August 07, 2007 6:45 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] New PDF worm? 
This is not an easy one I will see what I can get done before I leave today. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom Sent: Tuesday, August 07, 2007 5:25 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] New PDF worm? David, I just sent you a bunch of samples. If you can update the filter before you knock off for the day I'd appreciate it. We've probably had 50 of them get through already today. Thanks, Dave From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Tuesday, August 07, 2007 4:03 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] New PDF worm? >From reports today looks like the filter needs to be updated. Can you send me >some examples as attachments. David B From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom Sent: Tuesday, August 07, 2007 3:15 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] New PDF worm? I installed the filter below and we've had about 50 PDFs that came through today. Does the filter need to be revised or is there some other method I should be looking into using? Thanks! Dave From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Monday, July 02, 2007 12:35 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] New PDF worm? Create a filter eg FILTER-PDF.txt and use the following lines. Adjust your weights accordingly. Also ensure you are running Declude 4.3.46 BODY 3 PCRE (JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo) BODY 5 PCRE (-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)*Content-Type: application/pdf;) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katie LaSalle-Lowery Sent: Monday, July 02, 2007 1:28 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] New PDF worm? We've been suffering .pdf spam getting through the filter. 
What settings are you using that's identifying these as spam? We're seeing an overall increase in spam getting through the filter the last few weeks... Thanks, Katie From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of SJ.Stanaitis Sent: Wednesday, June 27,
Re: [Declude.JunkMail] Spam Increase?
Hi Matt, Yep. I'm afraid we're already running AVAFTERJM. However, since there are some domains we only scan for virus content and not spam, at the customer's request, then we probably have a CPU hit there due to virus scanning that isn't buffered by spam filtering. We definitely see a lot to these domains showing up in the Virus Hold queue. We needed to migrate anyway, this just pushed up the schedule. The hardware was purchased earlier this year for an IMail 2006 upgrade that we're still holding off of. Unfortunately this storm hit in a week with a couple of larger development projects due, and surgery planned for an immediate family member (it was this afternoon and went well). In any case, the load is being handled well by the new hardware for now. Time to get to planning for future increases. Darin. - Original Message - From: Matt To: declude.junkmail@declude.com Sent: Saturday, August 04, 2007 12:09 AM Subject: Re: [Declude.JunkMail] Spam Increase? Darin, The CPU increase was due to the high volume of ZIP and XLS viruses, something that has been pretty rare until recently. The Storm botnet started sending these out on Saturday in numbers that average about one attached virus per day per user on our system (which was a change from sending out the fake greeting cards which did not attach the viruses). That's a lot of virus scanning going on, and it is also more bandwidth than before. There's nothing worse for CPU on the average Declude system than to do virus scanning, especially with multiple scanners. The good news is that the virus traffic should drop back down soon, but the bad news is that the Storm botnet is generating now about 4 times the number of messages (spam and viruses) as it did just one month ago on my system, and it accounts for about 40% of all spam and virus traffic that survives greylisting, and the overall percentage increase in traffic that you are seeing is exclusively coming from the Storm botnet. 
If you aren't doing this already, you might try running Declude Virus after Declude JunkMail, that way if you run DELETE or HOLD on a message, it will avoid having Declude Virus run on it, and that can save significantly on CPU during times like this. Any other action will still result in virus scanning, so don't worry about things being skipped if you do COPYTO, ROUTETO, SUBJECT or WARN. This might well be old news to you, but it's worth mentioning. Despite the change in volume and in using attachments, I have not seen a large uptick in CPU on my system because I use the above method, and on a weekly basis, 99.4% of the Storm botnet messages are reaching our DELETE weight and not needing to be virus scanned. I attribute the relative 10% increase over last week to the change in volume. The following chart shows the effect on an 8 core server: Matt Darin Cox wrote: We've saw about a 15% increase a few days ago, and it has stayed there. Bandwidth increase was significantly more than that, though. Took our primary mail server from 20-40% cpu to 50-80%. We just upgraded last night to deal with it. Darin. - Original Message - From: "Pete McNeil" <[EMAIL PROTECTED]> To: "John T (lists)" Sent: Friday, August 03, 2007 8:54 PM Subject: Re[2]: [Declude.JunkMail] Spam Increase? Spam has significantly increased in the past 7 days due to new bot nets (from old friends) and a number of new tactics for generating pdf and related spam and their mutations. I've attached a new-spam/leakage analysis from our primary spamtraps- you can see that new traffic quite literally more than doubled (like a vertical wall) 7 days ago. Hope this helps, _M On Friday, August 3, 2007, 6:19:30 PM, John wrote: JTl> I actually saw it ramping up since last weekend and every day there have JTl> been a change or 2 in the spam to keep it from being caught. 
JTl> John T -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Friday, August 03, 2007 2:35 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Spam Increase? Anyone else noticing an increase in spam today? It seems like stuff that was normally being caught before is showing up in my Inbox. Todd --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. JTl> --- JTl> This E-mail came from the Declude.JunkMail mailing list. To JTl> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and JTl> type "unsubscribe Declude.JunkMail". The archives can be found JTl> at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send
Re: [Declude.JunkMail] Spam Increase?
I think we started seeing it last Saturday... pretty constant since then. Fortunately it's almost entirely being caught so our customers are not seeing it. Darin. - Original Message - From: "John T (lists)" <[EMAIL PROTECTED]> To: Sent: Friday, August 03, 2007 6:19 PM Subject: RE: [Declude.JunkMail] Spam Increase? I actually saw it ramping up since last weekend and every day there have been a change or 2 in the spam to keep it from being caught. John T > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of > Todd Richards > Sent: Friday, August 03, 2007 2:35 PM > To: declude.junkmail@declude.com > Subject: [Declude.JunkMail] Spam Increase? > > Anyone else noticing an increase in spam today? It seems like stuff > that > was normally being caught before is showing up in my Inbox. > > Todd > > > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: Re[2]: [Declude.JunkMail] Spam Increase?
We've saw about a 15% increase a few days ago, and it has stayed there. Bandwidth increase was significantly more than that, though. Took our primary mail server from 20-40% cpu to 50-80%. We just upgraded last night to deal with it. Darin. - Original Message - From: "Pete McNeil" <[EMAIL PROTECTED]> To: "John T (lists)" Sent: Friday, August 03, 2007 8:54 PM Subject: Re[2]: [Declude.JunkMail] Spam Increase? Spam has significantly increased in the past 7 days due to new bot nets (from old friends) and a number of new tactics for generating pdf and related spam and their mutations. I've attached a new-spam/leakage analysis from our primary spamtraps- you can see that new traffic quite literally more than doubled (like a vertical wall) 7 days ago. Hope this helps, _M On Friday, August 3, 2007, 6:19:30 PM, John wrote: JTl> I actually saw it ramping up since last weekend and every day there have JTl> been a change or 2 in the spam to keep it from being caught. JTl> John T >> -Original Message- >> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of >> Todd Richards >> Sent: Friday, August 03, 2007 2:35 PM >> To: declude.junkmail@declude.com >> Subject: [Declude.JunkMail] Spam Increase? >> >> Anyone else noticing an increase in spam today? It seems like stuff >> that >> was normally being caught before is showing up in my Inbox. >> >> Todd >> >> >> >> --- >> This E-mail came from the Declude.JunkMail mailing list. To >> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and >> type "unsubscribe Declude.JunkMail". The archives can be found >> at http://www.mail-archive.com. JTl> --- JTl> This E-mail came from the Declude.JunkMail mailing list. To JTl> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and JTl> type "unsubscribe Declude.JunkMail". The archives can be found JTl> at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. 
To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Zip files
Sure. You could create a Declude combo filter like that. Put a size test before the custom filter in your global.cfg, add the tests the message fails to incoming message headers, and in the custom combo filter look for the size test failure warning in the headers, and look for the zip file in the body, failing the combo test only if both conditions hit. Darin. - Original Message - From: "Todd Richards" <[EMAIL PROTECTED]> To: Sent: Thursday, August 02, 2007 2:24 PM Subject: [Declude.JunkMail] Zip files Hi Everyone - It's hit and miss, but today I received several of the small zip files. A quick glance and they were either txt files or .exe files. All were between 5-25K in size. How is everyone else handling these? I was almost wondering if there is a way to say (in general terms) "IF file = zip, then -5, and if size < 30K, then minus 10". Some way to deduct for the small zip file if that makes sense. Anyway, if anyone has any suggestions, I'm all ears! Todd --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Fidelity Independent Adviser
We had one that was definitely an FP last week. Submitted and received a response that the rule had already been removed. Darin. - Original Message - From: "John T (lists)" <[EMAIL PROTECTED]> To: Sent: Wednesday, July 18, 2007 9:03 PM Subject: [Declude.JunkMail] Fidelity Independent Adviser First time I am seeing this one, caught by Sniffer. Any one have experience with their newsletters? Legit? Ham? Spam? John T --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] frustration
We're running pretty well... catching somewhere between 99.7% and 99.9% of incoming spam. Declude 2.0.6 (waiting on Imail 2006 to stabilize before upgrading to the latest version) on IMail 8.22, along with Sniffer and invURIBL. Darin. - Original Message - From: "Uwe Degenhardt" <[EMAIL PROTECTED]> To: Sent: Wednesday, July 18, 2007 5:33 PM Subject: [Declude.JunkMail] frustration Hi everybody on the list, please excuse me, but I would like to share my frustration with you. I am poured with SPAM the last two-to-three weeks. It gets worse every day. Am I the only one who is seeing this? I am in a good contact with David of Declude. He is doing a fantastic job, but sometimes I lose my faith and my trust, that we can win the SPAM-fight. It appeals to me, as it is like the old principle: If you put water on the fire at one place, you have to run to the next place to delete it there too. And the SPAMMERs will get cleverer everyday. What do you guys think? Are you frustrated as well? Uwe --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Re: PDF spam detection
I was thinking Regex wasn't available since I'm still using 2.0.6, but forgot I could use an external test and the regex available in the Windows Findstr command.

Darin.

- Original Message -
From: Matt
To: declude.junkmail@declude.com
Sent: Thursday, June 28, 2007 12:37 PM
Subject: Re: [Declude.JunkMail] Re: PDF spam detection

Here's a piece of RegEx code that should work for blank bodies with a PDF and this particular spammer so long as he is forging Thunderbird:

-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)*Content-Type: application/pdf;

Note that I have not tested this, but the code is in fact fairly simple and it should work.

Matt

Darin Cox wrote:

So far all that I've seen have a blank body with the pdf attachment. Anyone have any ideas as to how to test for a blank body, or one with only whitespace characters? The new PCRE function can do it, but we're still on 2.0.6 at the moment, waiting until IMail 2006.21 comes out and passes testing. I'm thinking a blank body test with PDF attachment detection should result in very few FPs. Still possible, but hopefully enough to hold on until a better detection method can be found.

Darin.
[Declude.JunkMail] Re: PDF spam detection
So far all that I've seen have a blank body with the pdf attachment. Anyone have any ideas as to how to test for a blank body, or one with only whitespace characters? The new PCRE function can do it, but we're still on 2.0.6 at the moment, waiting until IMail 2006.21 comes out and passes testing. I'm thinking a blank body test with PDF attachment detection should result in very few FPs. Still possible, but hopefully enough to hold on until a better detection method can be found.

Darin.
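The blank-body-plus-PDF test discussed in the two messages above, run over sample input. This is an added example, not code from the thread: it uses Python's `re` module rather than Declude's PCRE test, the MIME messages are constructed, and `TOLERANT_REGEX` is a hypothetical variant added here to cover the whitespace-only bodies Darin asks about.

```python
import re

# Matt's expression from the thread, unchanged (split only for line length).
MATT_REGEX = re.compile(
    r"-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)+(?:\r\n){1,}"
    r"-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)*Content-Type: application/pdf;"
)

# Hypothetical variant (not from the thread): the run of empty lines is
# widened to lines that hold only spaces or tabs.
TOLERANT_REGEX = re.compile(
    r"-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)+(?:[ \t]*\r\n)+"
    r"-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)*Content-Type: application/pdf;"
)

# Constructed boundary in the dashes-then-digits shape the regex expects.
BOUNDARY = "------------010203040506070809000102"


def build_message(body_text, attachment_type="application/pdf"):
    """Constructed two-part MIME body: one text part, one attachment."""
    lines = [
        "This is a multi-part message in MIME format.",
        "--" + BOUNDARY,
        "Content-Type: text/plain; charset=ISO-8859-1; format=flowed",
        "Content-Transfer-Encoding: 7bit",
        "",                      # blank line that ends the part headers
        body_text,               # the text body under test
        "--" + BOUNDARY,
        "Content-Type: " + attachment_type + ";",
        ' name="report.bin"',
        "Content-Transfer-Encoding: base64",
        "",
        "JVBERi0xLjQK",          # constructed placeholder payload
        "--" + BOUNDARY + "--",
        "",
    ]
    return "\r\n".join(lines)


def scan(raw_message):
    """Return (matt_hit, tolerant_hit) for one raw message body."""
    return (
        MATT_REGEX.search(raw_message) is not None,
        TOLERANT_REGEX.search(raw_message) is not None,
    )


SAMPLES = {
    "empty body + PDF": build_message(""),
    "spaces-only body + PDF": build_message("   "),
    "text body + PDF": build_message("Quarterly figures attached."),
    "empty body + GIF": build_message("", attachment_type="image/gif"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, scan(raw))
```

Both expressions rely on unfolded part headers and a digits-only boundary, so a message whose text part has a folded header line is not matched by either.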
Re: Re[4]: [Declude.JunkMail] Using Footer32 in per domain configuration
Excellent practice. I should have thought to look. Appreciate it, Sandy!

Darin.

- Original Message -
From: "Sanford Whiteman" <[EMAIL PROTECTED]>
To: "Darin Cox"
Sent: Wednesday, June 27, 2007 4:29 PM
Subject: Re[4]: [Declude.JunkMail] Using Footer32 in per domain configuration

> I never thought to check that since it was a Declude external test,
> but thanks for that info. I was referring to your announcement notes
> that detailed the switches.

Gotcha. I always implement command-line help switches for my command-line apps, FTR, even if they are meant to be forked "silently" from another process.

--Sandy

Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases!
http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/
http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/
Re: [Declude.JunkMail] New PDF worm?
Hi David,

What's the CB-ATTACH.txt filter?

Darin.

- Original Message -
From: David Barker
To: declude.junkmail@declude.com
Sent: Wednesday, June 27, 2007 11:24 AM
Subject: RE: [Declude.JunkMail] New PDF worm?

Yes I am seeing the same thing although when I run the pdf through a virus check it comes up clean. I opened one of the files and it was just stock spam. If anyone is running the CB-ATTACH.txt filter I would suggest commenting out this line for now.

#BODY -10 PCRE (?i:Content-Type: application/pdf;)

Or if you are using the older filters

#BODY -10 CONTAINS Content-Type: application/pdf;

See also http://blogs.zdnet.com/security/?p=325

David Barker
Director of Product Management
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of SJ.Stanaitis
Sent: Wednesday, June 27, 2007 11:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?

I'm getting gobs of PDF's snagged in my antispam filter, they're not triggering any AV yet, anyone else seeing this?

SJ.Stanaitis - Network Administrator
Decorative Product Source, Inc.
Re: [Declude.JunkMail] New PDF worm?
Yep.

Darin.

- Original Message -
From: SJ.Stanaitis
To: declude.junkmail@declude.com
Sent: Wednesday, June 27, 2007 11:17 AM
Subject: [Declude.JunkMail] New PDF worm?

I'm getting gobs of PDF's snagged in my antispam filter, they're not triggering any AV yet, anyone else seeing this?

SJ.Stanaitis - Network Administrator
Decorative Product Source, Inc.
Re: Re[2]: [Declude.JunkMail] Using Footer32 in per domain configuration
Hi Sandy,

I never thought to check that since it was a Declude external test, but thanks for that info. I was referring to your announcement notes that detailed the switches. I was hoping you'd chime in

Darin.

- Original Message -
From: "Sanford Whiteman" <[EMAIL PROTECTED]>
To: "Darin Cox"
Sent: Tuesday, June 26, 2007 11:03 PM
Subject: Re[2]: [Declude.JunkMail] Using Footer32 in per domain configuration

> I found the problem. It seems there is an additional undocumented
> command line switch that needs to be added to the end of the line
> for it to work.

I think it's documented -- considering that the /? is the only documentation, and it's in there. :)

--Sandy

Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases!
http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/
http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/
Re: [Declude.JunkMail] Using Footer32 in per domain configuration
I found the problem. It seems there is an additional undocumented command line switch that needs to be added to the end of the line for it to work. So, instead of

ADDFOOTER external nonzero "f:\imail\declude\footer32.exe -oo %INOROUT% -yf f:\imail\declude\footer_%LOCALHOST%.txt" 0 0

use this

ADDFOOTER external nonzero "f:\imail\declude\footer32.exe -oo %INOROUT% -yf f:\imail\declude\footer_%LOCALHOST%.txt -f" 0 0

and it works fine, where footer_example.com.txt is the text file containing the footer for the domain example.com.

Darin.

- Original Message -
From: Darin Cox
To: declude.junkmail@declude.com
Sent: Tuesday, June 26, 2007 5:15 PM
Subject: Re: [Declude.JunkMail] Using Footer32 in per domain configuration

Hi Jay,

We're not using either DOMAINWHITELISTS or PREWHITELIST, so those aren't affecting it. Anyone have any other ideas?

Darin.

- Original Message -
From: System Administrator
To: declude.junkmail@declude.com
Sent: Tuesday, June 26, 2007 4:45 PM
Subject: Re: [Declude.JunkMail] Using Footer32 in per domain configuration

Darin-

I had to

#DOMAINWHITELISTSOFF
# turned off prewhitelist for footer32 5/12/7
#PREWHITELIST ON

Maybe a couple of other Global settings as well I can't quite remember.

Jay

-Original Message-
From: "Darin Cox" <[EMAIL PROTECTED]>
Sent 6/26/2007 1:19:17 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Using Footer32 in per domain configuration

Anyone using Sandy's footer32 in a per domain configuration? I tried a few variations and haven't been able to get it to work. Here's the GLOBAL.CFG line I'm using:

ADDFOOTER external nonzero "f:\imail\declude\footer32.exe -oo %INOROUT% -yf f:\imail\declude\footer_%LOCALHOST%.txt" 0 0

However, I also noticed none of my outgoing custom header lines were being added by Declude 2.0.6, so there may be a deeper problem. Thinking SMTP AUTH whitelisting might be a problem, I tried it without, but no difference. Any ideas?

Darin.
This information is intended only for the use of the individual or entity named above. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or action taken in reliance on the contents of these documents is strictly prohibited. If you have received this information in error, please notify the sender immediately and arrange for the return or destruction of these documents. Warning: All e-mail sent to or from this address will be received or otherwise recorded by the Corporate e-mail system and is subject to archival, monitoring or review by, and/or disclosure to, someone other than the recipient.
Re: [Declude.JunkMail] Using Footer32 in per domain configuration
Hi Jay,

We're not using either DOMAINWHITELISTS or PREWHITELIST, so those aren't affecting it. Anyone have any other ideas?

Darin.

- Original Message -
From: System Administrator
To: declude.junkmail@declude.com
Sent: Tuesday, June 26, 2007 4:45 PM
Subject: Re: [Declude.JunkMail] Using Footer32 in per domain configuration

Darin-

I had to

#DOMAINWHITELISTSOFF
# turned off prewhitelist for footer32 5/12/7
#PREWHITELIST ON

Maybe a couple of other Global settings as well I can't quite remember.

Jay

-Original Message-
From: "Darin Cox" <[EMAIL PROTECTED]>
Sent 6/26/2007 1:19:17 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Using Footer32 in per domain configuration

Anyone using Sandy's footer32 in a per domain configuration? I tried a few variations and haven't been able to get it to work. Here's the GLOBAL.CFG line I'm using:

ADDFOOTER external nonzero "f:\imail\declude\footer32.exe -oo %INOROUT% -yf f:\imail\declude\footer_%LOCALHOST%.txt" 0 0

However, I also noticed none of my outgoing custom header lines were being added by Declude 2.0.6, so there may be a deeper problem. Thinking SMTP AUTH whitelisting might be a problem, I tried it without, but no difference. Any ideas?

Darin.

This information is intended only for the use of the individual or entity named above. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or action taken in reliance on the contents of these documents is strictly prohibited. If you have received this information in error, please notify the sender immediately and arrange for the return or destruction of these documents. Warning: All e-mail sent to or from this address will be received or otherwise recorded by the Corporate e-mail system and is subject to archival, monitoring or review by, and/or disclosure to, someone other than the recipient.
[Declude.JunkMail] Using Footer32 in per domain configuration
Anyone using Sandy's footer32 in a per domain configuration? I tried a few variations and haven't been able to get it to work. Here's the GLOBAL.CFG line I'm using:

ADDFOOTER external nonzero "f:\imail\declude\footer32.exe -oo %INOROUT% -yf f:\imail\declude\footer_%LOCALHOST%.txt" 0 0

However, I also noticed none of my outgoing custom header lines were being added by Declude 2.0.6, so there may be a deeper problem. Thinking SMTP AUTH whitelisting might be a problem, I tried it without, but no difference. Any ideas?

Darin.
Re: [Declude.JunkMail] PCRE and REVDNS
How about adding it to the downloads section? That seems easier than dealing with a lot of individual requests.

Darin.

- Original Message -
From: "David Barker" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, June 19, 2007 10:42 AM
Subject: RE: [Declude.JunkMail] PCRE and REVDNS

Email me directly [EMAIL PROTECTED] as to keep the lists relevant

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Reimer
Sent: Tuesday, June 19, 2007 10:35 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] PCRE and REVDNS

David, I would like a copy.

Mark Reimer
IT System Admin
American CareSource
972-308-6887

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, June 19, 2007 9:15 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] PCRE and REVDNS

I will have to check out the maximum line length and get back to you, I have modified most of the 419 filter if anyone (with a valid sa) would like a copy just let me know.

David Barker
VP Operations | Declude
Your Email Security is our business
O: 978.499.2933 x7007
F: 978.988.1311
E: [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Tuesday, June 19, 2007 10:03 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] PCRE and REVDNS

OK, now you have me thinking could I use PCRE to replace tons of body searches for my 419/Lottery filter... What is the maximum line length for a line in a filter?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Monday, June 18, 2007 12:54 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] PCRE and REVDNS

Just a quick tutorial. As PCRE is much quicker than using regular line matching I use the following when checking against REVDNS within filters:

Regular Filter line:
---
REVDNS -5 ENDSWITH .bigfootinteractive.com
REVDNS -5 ENDSWITH .bluehornet.com
REVDNS -5 ENDSWITH .constantcontact.com

PCRE Filter line:
---
REVDNS -5 PCRE (?i:\.(bigfootinteractive|bluehornet|constantcontact)\.com$)

1. The PCRE expression needs to be in parentheses ( )
2. ?i: indicates case insensitive
3. As . is a special character meaning any character we use the \ to indicate that it should just be a .
4. The | represents or
5. The $ is also a special character which used here indicates the end of a string

The above PCRE will match any of the 3 from the regular filter.

David Barker
VP Operations | Declude
Your Email Security is our business
O: 978.499.2933 x7007
F: 978.988.1311
E: [EMAIL PROTECTED]
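The tutorial's consolidated PCRE line checked against the three ENDSWITH lines it replaces, as an added example that is not Declude's code. It uses Python's `re` in place of Declude's PCRE engine and models ENDSWITH as a case-insensitive suffix compare (an assumption); the hostnames and the two mis-transcribed patterns are constructed to show what tutorial points 3 and 5 protect against on a line that carries a negative weight.

```python
import re

# Suffixes from the three "REVDNS -5 ENDSWITH" lines in the tutorial.
ENDSWITH_SUFFIXES = (
    ".bigfootinteractive.com",
    ".bluehornet.com",
    ".constantcontact.com",
)

# The single PCRE line from the tutorial, unchanged.
TUTORIAL_PCRE = r"(?i:\.(bigfootinteractive|bluehornet|constantcontact)\.com$)"

# Hypothetical mis-transcriptions (not from the thread):
# the trailing $ dropped, and the backslashes before the dots dropped.
NO_END_ANCHOR = r"(?i:\.(bigfootinteractive|bluehornet|constantcontact)\.com)"
UNESCAPED_DOTS = r"(?i:.(bigfootinteractive|bluehornet|constantcontact).com$)"

# Constructed reverse-DNS names, including look-alikes that should get no credit.
SAMPLE_REVDNS = [
    "mta7.bigfootinteractive.com",
    "OUT.BlueHornet.COM",
    "mail12.constantcontact.com",
    "constantcontact.com",
    "notconstantcontact.com",
    "mail.constantcontact.com.example.net",
    "mail.bluehornetXcom",
]


def endswith_hit(revdns):
    """Reference behaviour: any of the ENDSWITH suffixes, ignoring case (assumed)."""
    host = revdns.lower()
    return any(host.endswith(suffix) for suffix in ENDSWITH_SUFFIXES)


def pcre_hit(pattern, revdns):
    """True when the pattern is found anywhere in the reverse-DNS name."""
    return re.search(pattern, revdns) is not None


def disagreements(pattern, hosts=SAMPLE_REVDNS):
    """Hostnames on which the pattern and the ENDSWITH lines give different answers."""
    return [h for h in hosts if pcre_hit(pattern, h) != endswith_hit(h)]


if __name__ == "__main__":
    for name, pattern in (
        ("tutorial", TUTORIAL_PCRE),
        ("no end anchor", NO_END_ANCHOR),
        ("unescaped dots", UNESCAPED_DOTS),
    ):
        print(name, disagreements(pattern))
```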
Re: [Declude.JunkMail] More accidental whitelisting
There is a conversion tool that comes with IMail 2006 to convert address books. The new address books are stored in an access database.

Darin.

- Original Message -
From: J Porter
To: declude.junkmail@declude.com
Sent: Tuesday, June 05, 2007 10:46 AM
Subject: Re: [Declude.JunkMail] More accidental whitelisting

well... I ain't so sure that Declude tries to use an old aliases.txt file. I just made the leap last week from IMail 8.13 to 2006.2 and updated Declude to the latest as well. For whatever reason, the address books did not convert with the IMail upgrade. I had copied the entire mailbox folders to the new server, so the aliases.txt files are there, but Declude isn't using them for whitelisting. I've had to copy the aliases.txt files manually and send them to clients. And like someone else here, it's not worth having a huge, detailed log file just to track down this one issue at this time.

BTW... I don't really mean to hijack this thread, but where is the address book now stored since it's not done with aliases.txt .. main.xml?

- Original Message -
From: John T (lists)
To: declude.junkmail@declude.com
Sent: Tuesday, May 29, 2007 1:11 AM
Subject: RE: [Declude.JunkMail] More accidental whitelisting

The point you have missed is that just because YOU are using Imail 2006.2 does not mean everyone else is. Declude is doing exactly as it should, checking to see if an aliases.txt file exists and if so use it.
Re: [Declude.JunkMail] More accidental whitelisting
Hi Ben,

I agree that Declude should detect the IMail version, but I can imagine an argument for continuing to process the aliases.txt, where a recent conversion has taken place, and address book conversion has not fully been completed. So, I guess I see this as more of an IMail conversion issue, which should have a thorough process to convert and remove the aliases.txt file, than a Declude issue.

Darin.

- Original Message -
From: Imail Admin
To: declude.junkmail@declude.com
Sent: Tuesday, May 29, 2007 9:16 AM
Subject: Re: [Declude.JunkMail] More accidental whitelisting

Hi John,

You sound grumpy. Yes, it was stupid of me to talk about controlling the feature that uses the web address book for whitelisting when AUTOWHITELIST already does that. I knew about that, since I talked about it in the original thread on this subject. It was late and I was just thinking (or, perhaps, not thinking) that more control over this feature would have been nice. Obviously, the best improvement is the same one everyone else has asked for: don't auto-whitelist your own address.

I do disagree with your first statement. I expect Declude to know what version of IMail is running, which would tell it whether to bother processing certain files, such as aliases.txt.

Anyway, thanks again to both you and Matt for your help.

Ben

- Original Message -
From: John T (lists)
To: declude.junkmail@declude.com
Sent: Monday, May 28, 2007 11:11 PM
Subject: RE: [Declude.JunkMail] More accidental whitelisting

The point you have missed is that just because YOU are using Imail 2006.2 does not mean everyone else is. Declude is doing exactly as it should, checking to see if an aliases.txt file exists and if so use it.

As for the option of turning whitelisting based on the address book on or off, uh, ah, golly gee, that is what AUTOWHITELIST is for.

As for not knowing that 2006.2 no longer uses the aliases.txt files…

John T

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Imail Admin
Sent: Monday, May 28, 2007 10:22 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] More accidental whitelisting

Hi Matt,

I understood the discussion about AUTOWHITELIST ON and the web address book issue. Where I got caught was that this server doesn't use aliases.txt, but the file is just there by accidental legacy. We're in the process of replacing our old 7.15 server with a new 2006.2 server by moving to a new machine. So far, the only domain we've moved over (until we get the bugs like this worked out) is our own domain. As part of that process, I copied over our old user folders (just for our domain) to the new server. The aliases.txt file must have been in the old users folder on the old server.

Where I got fooled was because apparently 2006.2 doesn't use that file any more, so when I logged into the web interface, it told me the address book was empty. And, truthfully, I (and most of our users) used IMAP access via Outlook or something similar, rather than the web interface, so I wasn't even familiar with the file.

I do agree with the discussion on this point: first, the whitelisting should never apply to your own address, and, I think the whole idea of whitelisting the address book should be an option that can be turned on/off from the config file.

Anyway, thank you very much for clearing up this mystery for me.

Thanks!

Ben

- Original Message -
From: Matt
To: declude.junkmail@declude.com
Sent: Monday, May 28, 2007 8:50 PM
Subject: Re: [Declude.JunkMail] More accidental whitelisting

Ben,

This was covered early in the thread. You have "AUTOWHITELIST ON" in your global.cfg, and that causes Declude to whitelist whatever is in the recipient's address book (aliases.txt in all IMail versions prior to 2006). You have your own E-mail address listed in your address book, and a spammer forged your address as the Mail From. This is commonly seen by those that use AUTOWHITELIST. There is no way to stop this unless you remove your address from your address book, and this is also likely happening to your other users where they have themselves listed in their address book, as well as others on your hosted domains in the event that there are multiple recipient forging spam.

There is a limited workaround for some of this using a test called BYPASSWHITELIST. You can search the archives or manual about this.

The best solution if you want to keep the ability to whitelist from the address book would be for Declude to make a change to automatically exclude any recipient of the E-mail from triggering AUTOWHITELIST. This has been requested repeatedly for over 3 years and even came up again in this thread. The fact that people were quick to point out that this was likely the reason f
Re: [Declude.JunkMail] accidental whitelisting
You'll need to check the logs then.

Darin.

- Original Message -
From: Imail Admin
To: declude.junkmail@declude.com
Sent: Friday, May 25, 2007 9:54 AM
Subject: Re: [Declude.JunkMail] accidental whitelisting

Well, it's spam from outside, so I'm not sure that I would ever see or know about BCC recipients. The headers just show the message addressed to me, with the from line from me, but with someone else's IP address. It's probably the oldest spam trick in the book to just forge the From line.

Ben

- Original Message -
From: Darin Cox
To: declude.junkmail@declude.com
Sent: Friday, May 25, 2007 6:32 AM
Subject: Re: [Declude.JunkMail] accidental whitelisting

Anyone on the BCC line? If there's an address there that is being whitelisted, then the entire email gets whitelisted to all recipients.

Darin.

- Original Message -
From: Imail Admin
To: declude.junkmail@declude.com
Sent: Friday, May 25, 2007 9:01 AM
Subject: Re: [Declude.JunkMail] accidental whitelisting

Hi David,

Yup, that was my first check. The address book in question is the web address book, which you access from the web interface, right? I checked it and it was empty -- not surprising because I mainly use Outlook Express in IMAP mode. I did try turning it off briefly anyway, but then decided it couldn't be the cause of the problem and turned it back on.

Someone else suggested putting Declude in Debug mode, and I could try that next. Thing is, I'm not getting a lot of these types of spam, just a handful in the last couple of days. So I'm concerned about how big the log files will grow while I wait for another occurrence.

Thanks,

Ben

- Original Message -
From: David Barker
To: declude.junkmail@declude.com
Sent: Friday, May 25, 2007 5:46 AM
Subject: RE: [Declude.JunkMail] accidental whitelisting

AUTOWHITELIST ON checks your user address book. Make sure you don’t have your own address in your address book.

David Barker
Director of Product Management
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Imail Admin
Sent: Thursday, May 24, 2007 8:42 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] accidental whitelisting

Hi All,

We're in the process of testing JM 4.x as an upgrade and I ran into what I am sure is a minor mis-configuration. I find that I occasionally get messages that are clearly spam, but are whitelisted. The common characteristic is that they are sent with a from line that is my own email address, such as the following:

X-Declude-Sender: [EMAIL PROTECTED] [77.85.117.187]
X-Declude-Spoolname: D29db019e2105.smd
X-Declude-Note: Scanned by Declude 4.2.20 for spam. "http://www.declude.com/x-note.htm";
X-Declude-Scan: Incoming Score [0] at 17:12:28 on 24 May 2007
X-Declude-Fail: Whitelisted, ZEROHOUR [0]

Now, I checked and I don't see why this is being whitelisted. We only whitelist a handful of IP addresses, and this isn't one of them. The whitelist settings in the global.cfg file are:

#=WHITELISTS ===
#WHITELIST HABEAS
#DOMAINWHITELISTS OFF
PREWHITELIST ON
WHITELIST AUTH
AUTOWHITELIST ON
# - Domain Example -
#WHITELIST FROM @declude.com
# - User Example -
#WHITELIST FROM [EMAIL PROTECTED]
# - IP Example -
WHITELIST IP 63.246.31.248
# - REVDNS Example -
WHITELIST REVDNS .declude.com

These are pretty much the defaults. The Autowhitelist ON command uses addresses in the web address book, so I checked those and found nothing (no addresses at all). I'm sure this is something really obvious, but could someone point it out to me?

Thanks,

Ben
BC Web
Re: [Declude.JunkMail] accidental whitelisting
Anyone on the BCC line? If there's an address there that is being whitelisted, then the entire email gets whitelisted to all recipients.

Darin.

- Original Message -
From: Imail Admin
To: declude.junkmail@declude.com
Sent: Friday, May 25, 2007 9:01 AM
Subject: Re: [Declude.JunkMail] accidental whitelisting

Hi David,

Yup, that was my first check. The address book in question is the web address book, which you access from the web interface, right? I checked it and it was empty -- not surprising because I mainly use Outlook Express in IMAP mode. I did try turning it off briefly anyway, but then decided it couldn't be the cause of the problem and turned it back on.

Someone else suggested putting Declude in Debug mode, and I could try that next. Thing is, I'm not getting a lot of these types of spam, just a handful in the last couple of days. So I'm concerned about how big the log files will grow while I wait for another occurrence.

Thanks,
Ben

- Original Message -
From: David Barker
To: declude.junkmail@declude.com
Sent: Friday, May 25, 2007 5:46 AM
Subject: RE: [Declude.JunkMail] accidental whitelisting

AUTOWHITELIST ON checks your user address book; make sure you don’t have your own address in your address book.

David Barker
Director of Product Management
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Imail Admin
Sent: Thursday, May 24, 2007 8:42 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] accidental whitelisting

Hi All,

We're in the process of testing JM 4.x as an upgrade and I ran into what I am sure is a minor mis-configuration. I find that I occasionally get messages that are clearly spam, but are whitelisted. The common characteristic is that they are sent with a from line that is my own email address, such as the following:

X-Declude-Sender: [EMAIL PROTECTED] [77.85.117.187]
X-Declude-Spoolname: D29db019e2105.smd
X-Declude-Note: Scanned by Declude 4.2.20 for spam. "http://www.declude.com/x-note.htm";
X-Declude-Scan: Incoming Score [0] at 17:12:28 on 24 May 2007
X-Declude-Fail: Whitelisted, ZEROHOUR [0]

Now, I checked and I don't see why this is being whitelisted. We only whitelist a handful of IP addresses, and this isn't one of them. The whitelist settings in the global.cfg file are:

#=WHITELISTS ===
#WHITELIST HABEAS
#DOMAINWHITELISTS OFF
PREWHITELIST ON
WHITELIST AUTH
AUTOWHITELIST ON
# - Domain Example -
#WHITELIST FROM @declude.com
# - User Example -
#WHITELIST FROM [EMAIL PROTECTED]
# - IP Example -
WHITELIST IP 63.246.31.248
# - REVDNS Example -
WHITELIST REVDNS .declude.com

These are pretty much the defaults. The Autowhitelist ON command uses addresses in the web address book, so I checked those and found nothing (no addresses at all).

I'm sure this is something really obvious, but could someone point it out to me?

Thanks,
Ben
BC Web
Re: [Declude.JunkMail] accidental whitelisting
I've always thought that was silly. I would think your own address should always be excluded from whitelisting. When would email from yourself to yourself be filtered such that it would need whitelisting?

Darin.

- Original Message -
From: Scott Fisher
To: declude.junkmail@declude.com
Sent: Friday, May 25, 2007 9:19 AM
Subject: Re: [Declude.JunkMail] accidental whitelisting

Any thoughts on an option to exclude your own address from the address book whitelisting? It continually comes up here. It's definitely a spam leakage issue.

This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. Although Farm Progress Companies has taken reasonable precautions to ensure no viruses are present in this email, the company cannot accept responsibility for any loss or damage arising from the use of this email or attachments.

-Original Message-
From: "David Barker" <[EMAIL PROTECTED]>
Sent 5/25/2007 7:46:29 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] accidental whitelisting

AUTOWHITELIST ON checks your user address book; make sure you don’t have your own address in your address book.

David Barker
Director of Product Management
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Imail Admin
Sent: Thursday, May 24, 2007 8:42 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] accidental whitelisting

Hi All,

We're in the process of testing JM 4.x as an upgrade and I ran into what I am sure is a minor mis-configuration. I find that I occasionally get messages that are clearly spam, but are whitelisted. The common characteristic is that they are sent with a from line that is my own email address, such as the following:

X-Declude-Sender: [EMAIL PROTECTED] [77.85.117.187]
X-Declude-Spoolname: D29db019e2105.smd
X-Declude-Note: Scanned by Declude 4.2.20 for spam. "http://www.declude.com/x-note.htm";
X-Declude-Scan: Incoming Score [0] at 17:12:28 on 24 May 2007
X-Declude-Fail: Whitelisted, ZEROHOUR [0]

Now, I checked and I don't see why this is being whitelisted. We only whitelist a handful of IP addresses, and this isn't one of them. The whitelist settings in the global.cfg file are:

#=WHITELISTS ===
#WHITELIST HABEAS
#DOMAINWHITELISTS OFF
PREWHITELIST ON
WHITELIST AUTH
AUTOWHITELIST ON
# - Domain Example -
#WHITELIST FROM @declude.com
# - User Example -
#WHITELIST FROM [EMAIL PROTECTED]
# - IP Example -
WHITELIST IP 63.246.31.248
# - REVDNS Example -
WHITELIST REVDNS .declude.com

These are pretty much the defaults. The Autowhitelist ON command uses addresses in the web address book, so I checked those and found nothing (no addresses at all).

I'm sure this is something really obvious, but could someone point it out to me?

Thanks,
Ben
BC Web
Re: [Declude.JunkMail] OT: server monitoring
We monitor from multiple locations... from within the datacenter and from the office. While we get double the notifications in the event of a failure, the complete redundancy avoids any common failure points.

As a side benefit, monitoring from the office tells us when our office internet connection goes down/comes back up, which it does about twice a year.

Darin.

- Original Message -
From: John T (lists)
To: declude.junkmail@declude.com
Sent: Tuesday, May 22, 2007 10:23 AM
Subject: RE: [Declude.JunkMail] OT: server monitoring

That is also why in my monitoring server I have a modem connected to an analog phone line.

John T

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Doherty
Sent: Tuesday, May 22, 2007 5:29 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] OT: server monitoring

One thing to think about... If you set up your own in-house monitoring, you probably will not get an alert if your Internet feed fails or you have a massive power problem. Outsourcing the monitoring function would eliminate these problems.

-d

- Original Message -
From: Kevin Bilbee
To: declude.junkmail@declude.com
Sent: Monday, May 21, 2007 6:05 PM
Subject: [Declude.JunkMail] OT: server monitoring

I am doing research on purchasing/open source server monitoring and would like to know what Declude administrators recommend.

Survey says?

Kevin Bilbee
Network Administrator
Standard Abrasives, Inc.
[EMAIL PROTECTED]
Changing the way industry works.
Re: [Declude.JunkMail] all_list.dat ?
This is too tempting...

Darin.

- Original Message -
From: "John T (lists)" <[EMAIL PROTECTED]>
To:
Sent: Thursday, May 17, 2007 3:31 PM
Subject: RE: [Declude.JunkMail] all_list.dat ?

I think we all fully understand that now Andrew.

John T

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Colbeck, Andrew
> Sent: Thursday, May 17, 2007 9:54 AM
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] all_list.dat ?
>
> Thanks, David.
>
> It's working fine here!
>
> Andrw 8)
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> > Behalf Of David Barker
> > Sent: Thursday, May 17, 2007 9:29 AM
> > To: declude.junkmail@declude.com
> > Subject: RE: [Declude.JunkMail] all_list.dat ?
> >
> > New all_list.dat available from the My Account page on
> > Declude website.
> >
> > David Barker
> > VP Operations | Declude
> > Your Email Security is our business
> > O: 978.499.2933 x7007
> > F: 978.988.1311
> > E: [EMAIL PROTECTED]
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> > Behalf Of David Barker
> > Sent: Thursday, May 17, 2007 9:52 AM
> > To: declude.junkmail@declude.com
> > Subject: RE: [Declude.JunkMail] all_list.dat ?
> >
> > Sure, I will see what I can do for early next week.
> >
> > David Barker
> > VP Operations | Declude
> > Your Email Security is our business
> > O: 978.499.2933 x7007
> > F: 978.988.1311
> > E: [EMAIL PROTECTED]
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> > Behalf Of Colbeck, Andrew
> > Sent: Wednesday, May 16, 2007 7:42 PM
> > To: declude.junkmail@declude.com
> > Subject: RE: [Declude.JunkMail] all_list.dat ?
> >
> > Hey, David.
> >
> > Any chance of seeing a refresh of all_list.dat ... It's been just about
> > 4 months since the last one. Three or four times a year doesn't sound bad.
> >
> > Andrew 8)
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> > > Colbeck, Andrew
> > > Sent: Thursday, January 18, 2007 9:08 AM
> > > To: declude.junkmail@declude.com
> > > Subject: RE: [Declude.JunkMail] all_list.dat ?
> > >
> > > Thanks, David.
> > >
> > > The early report is that it's working for me.
> > >
> > > Andrew 8)
> > >
> > > > -Original Message-
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> > > > David Barker
> > > > Sent: Thursday, January 18, 2007 7:37 AM
> > > > To: declude.junkmail@declude.com
> > > > Subject: RE: [Declude.JunkMail] all_list.dat ?
> > > >
> > > > New all_list.dat available on the My Account home page of
> > > > Declude. 18 Jan 07 344kB
> > > >
> > > > David Barker
> > > > Director of Product Management
> > > > Your Email security is our business
> > > > 978.499.2933 office
> > > > 978.988.1311 fax
> > > > [EMAIL PROTECTED]
> > > >
> > > > -Original Message-
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> > > > Gary Steiner
> > > > Sent: Tuesday, January 09, 2007 4:30 PM
> > > > To: declude.junkmail@declude.com
> > > > Subject: [Declude.JunkMail] all_list.dat ?
> > > >
> > > > David (or any Declude people that may be reading),
> > > >
> > > > Any chance of seeing a new all_list.dat any time soon, considering the
> > > > current one has a date of 6 Jul 06, and considering the additional
> > > > input from this recent thread?
> > > >
> > > > I'm starting to see false positives caused by weights I previously
> > > > gave to "IANA Reserved" and "RIPE Unlisted".
> > > >
> > > > Gary
> > > >
> > > > Original Message
> > > > > From: "Jay Sudowski - Handy Networks LLC" <[EMAIL PROTECTED]>
> > > > > Sent: Thursday, January 04, 2007 5:57 PM
> > > > > To: declude.junkmail@declude.com
> > > > > Subject: RE: [Declude.JunkMail] [IANA Reserved] ?
> > > > >
> > > > > Indeed. When we obtained our own IP space from ARIN, it was from
> > > > > 72/8, which had been released only about 6 months prior to it being
> > > > > assigned to us. You wouldn't believe the number of networks that were
> > > > > running with 72/8 in their bogons list and were entirely blocking
> > > > > traffic from our network...
> > > > >
> > > > > -Original Message-
> > > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> > > > > Darrell ([EMAIL PROTECTED])
> > > > > Sent: Thursday, January 04, 2007 3:47 PM
> > > > > To: declude.junkmail@declude.com
> > > > > Subject: Re: [Declude.JunkMail] [IANA Reserved] ?
> > > > >
> > > > > I would be very careful with this. IANA just released (I believe in
> > > > > October) 96/8, 97/8, 98/8, 99/8. With the all_list.dat not being
> > > > > updated frequently I would tread very lightly in this area
Re: [Declude.JunkMail] Header Information Util...
Ahh, so you only want stats after your manual filtering process. What do you do in your manual filtering process?

Due to the manual process, I understand now why you were saying parsing the individual messages was your only option. To make parsing easier, you might consider adding some Declude custom header lines. That way your parsing process can look for your unique tokens to find the data you want.

Darin.

- Original Message -
From: "IS - Systems Eng. (Karl Drugge)" <[EMAIL PROTECTED]>
To:
Sent: Monday, May 14, 2007 10:22 PM
Subject: RE: [Declude.JunkMail] Header Information Util...

Message tracking won't tell me what specific email in an exchange email box is the one I am interested in. Maybe I'm not explaining myself.

After my Declude box filters over 23,000 emails, I have 1245 emails from Friday night until Monday AM on my exchange server. I manually sort these emails, winding up with roughly 118 left over verified SPAM emails. I'd like a tool I can run against these emails, in an Outlook mailbox, that will pull the info from the individual message headers.

I don't believe the server logs, on either server, are going to do a thing, since I'd need to know which message I was looking for, one of the 118 out of 1200 or 23000. Out of the emails that came in during the time period I am sampling, I'd need the SMTP ID, and I'd have to basically do what I am doing now, manually open each email header. I want to bypass this, and pull the data directly.

Karl Drugge

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Monday, May 14, 2007 8:15 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Header Information Util...

Looks to me that if you turn on Message Tracking, you get a log file with the info you need all on one line. I'm not certain about REVDNS, but you certainly have from address, to address, and IPs. You could run a script over this to get the REVDNS if it isn't there. The stats you want could then be compiled in Excel, a database, etc.

Darin.

- Original Message -
From: "IS - Systems Eng. (Karl Drugge)" <[EMAIL PROTECTED]>
To:
Sent: Monday, May 14, 2007 6:13 PM
Subject: RE: [Declude.JunkMail] Header Information Util...

Because the emails I have left are from a range of times/dates, and they're on an Exchange server. I'd have to know what SMTP ID's I was looking for in the logs, which I'd need from the email header information, etc etc...

Karl Drugge

-----Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Monday, May 14, 2007 6:04 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Header Information Util...

Why don't you use the mail server log files instead. Much easier to parse, and tools like Grep and Sawmill can be used to do it.

Darin.

- Original Message -
From: "IS - Systems Eng. (Karl Drugge)" <[EMAIL PROTECTED]>
To:
Sent: Monday, May 14, 2007 5:45 PM
Subject: [Declude.JunkMail] Header Information Util...

I am hoping the people here can help me. It's not Declude specific, but I consider the experts here as the most knowledgeable on SMTP and Email.

I am looking for a script/utility to pull the header information out of every email in an Outlook/Exchange inbox. I want to be able to pull the sending IP's, reverse DNS, and sender names out of the headers directly. I'd like to point the script/util at an inbox, and have it yank this info out, so I can, for instance, sort it and see that 12 out of the 130 messages came from free2way.com, and the address ranges were all the same class C.

Every few days, I pull every email that has made its way to my inside server and manually sort out all legit emails ( we archive all emails on our Exchange box ). What's left is pure SPAM, but it takes a few good hours to sort the header information. More often than not, I end up deleting most of it because I lack the time to properly utilize it.

Does anyone know of anything before I break down and write it myself ? I'd rather not make a go-cart from scratch if someone has a used chevy pickup.

PLEASE NOTE : Florida has a very broad public records law. Most written communications to or from City officials regarding City business are public records available to the public and media upon request. Your E-mail communications may be subject to public disclosure.
Re: [Declude.JunkMail] Header Information Util...
Looks to me that if you turn on Message Tracking, you get a log file with the info you need all on one line. I'm not certain about REVDNS, but you certainly have from address, to address, and IPs. You could run a script over this to get the REVDNS if it isn't there. The stats you want could then be compiled in Excel, a database, etc.

Darin.

- Original Message -
From: "IS - Systems Eng. (Karl Drugge)" <[EMAIL PROTECTED]>
To:
Sent: Monday, May 14, 2007 6:13 PM
Subject: RE: [Declude.JunkMail] Header Information Util...

Because the emails I have left are from a range of times/dates, and they're on an Exchange server. I'd have to know what SMTP ID's I was looking for in the logs, which I'd need from the email header information, etc etc...

Karl Drugge

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Monday, May 14, 2007 6:04 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Header Information Util...

Why don't you use the mail server log files instead. Much easier to parse, and tools like Grep and Sawmill can be used to do it.

Darin.

- Original Message -
From: "IS - Systems Eng. (Karl Drugge)" <[EMAIL PROTECTED]>
To:
Sent: Monday, May 14, 2007 5:45 PM
Subject: [Declude.JunkMail] Header Information Util...

I am hoping the people here can help me. It's not Declude specific, but I consider the experts here as the most knowledgeable on SMTP and Email.

I am looking for a script/utility to pull the header information out of every email in an Outlook/Exchange inbox. I want to be able to pull the sending IP's, reverse DNS, and sender names out of the headers directly. I'd like to point the script/util at an inbox, and have it yank this info out, so I can, for instance, sort it and see that 12 out of the 130 messages came from free2way.com, and the address ranges were all the same class C.

Every few days, I pull every email that has made its way to my inside server and manually sort out all legit emails ( we archive all emails on our Exchange box ). What's left is pure SPAM, but it takes a few good hours to sort the header information. More often than not, I end up deleting most of it because I lack the time to properly utilize it.

Does anyone know of anything before I break down and write it myself ? I'd rather not make a go-cart from scratch if someone has a used chevy pickup.

PLEASE NOTE : Florida has a very broad public records law. Most written communications to or from City officials regarding City business are public records available to the public and media upon request. Your E-mail communications may be subject to public disclosure.
Re: [Declude.JunkMail] Header Information Util...
Why don't you use the mail server log files instead. Much easier to parse, and tools like Grep and Sawmill can be used to do it.

Darin.

- Original Message -
From: "IS - Systems Eng. (Karl Drugge)" <[EMAIL PROTECTED]>
To:
Sent: Monday, May 14, 2007 5:45 PM
Subject: [Declude.JunkMail] Header Information Util...

I am hoping the people here can help me. It's not Declude specific, but I consider the experts here as the most knowledgeable on SMTP and Email.

I am looking for a script/utility to pull the header information out of every email in an Outlook/Exchange inbox. I want to be able to pull the sending IP's, reverse DNS, and sender names out of the headers directly. I'd like to point the script/util at an inbox, and have it yank this info out, so I can, for instance, sort it and see that 12 out of the 130 messages came from free2way.com, and the address ranges were all the same class C.

Every few days, I pull every email that has made its way to my inside server and manually sort out all legit emails ( we archive all emails on our Exchange box ). What's left is pure SPAM, but it takes a few good hours to sort the header information. More often than not, I end up deleting most of it because I lack the time to properly utilize it.

Does anyone know of anything before I break down and write it myself ? I'd rather not make a go-cart from scratch if someone has a used chevy pickup.

PLEASE NOTE : Florida has a very broad public records law. Most written communications to or from City officials regarding City business are public records available to the public and media upon request. Your E-mail communications may be subject to public disclosure.
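The tally asked for in the original post of this thread, as an added example (not code from the list or from Declude): it reads the `X-Declude-Sender` header, falls back to the topmost `Received` line, and counts messages per IP, per /24 ("class C") and per sender domain. It assumes the messages have been exported from the mailbox as RFC 822 text; the function names and the sample messages are constructed for illustration.

```python
"""Tally sending IPs, /24 networks and sender domains from message headers.

Added example. Input is assumed to be messages exported from the mailbox as
RFC 822 text; SAMPLES below are constructed and use documentation addresses.
"""
import email
import ipaddress
import re
from collections import Counter
from email.utils import parseaddr

# "X-Declude-Sender: user@domain [a.b.c.d]" as it appears in the posted headers.
# Assumption: the filtering server writes this header itself and does not pass
# through a copy supplied by the sender.
DECLUDE_SENDER = re.compile(r"^\s*(\S+)\s+\[([0-9.]+)\]\s*$")
# First bracketed IPv4 literal in a Received header.
BRACKETED_IP = re.compile(r"\[([0-9]{1,3}(?:\.[0-9]{1,3}){3})\]")


def _valid_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def sender_and_ip(raw_message):
    """Return (sender address, connecting IP or None) for one message."""
    msg = email.message_from_string(raw_message)
    declude = msg.get("X-Declude-Sender")
    if declude:
        m = DECLUDE_SENDER.match(declude)
        if m and _valid_ipv4(m.group(2)):
            return m.group(1).lower(), m.group(2)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    # Only the topmost Received line was written by our own server; anything
    # below it was supplied by the sending side and can be forged.
    received = msg.get_all("Received") or []
    if received:
        m = BRACKETED_IP.search(received[0])
        if m and _valid_ipv4(m.group(1)):
            return sender, m.group(1)
    return sender, None


def summarize(raw_messages):
    """Return three Counters: per IP, per /24 network, per sender domain."""
    ips, nets, domains = Counter(), Counter(), Counter()
    for raw in raw_messages:
        sender, ip = sender_and_ip(raw)
        if sender and "@" in sender:
            domains[sender.rsplit("@", 1)[1]] += 1
        if ip:
            ips[ip] += 1
            nets[str(ipaddress.ip_network(ip + "/24", strict=False))] += 1
    return ips, nets, domains


# Constructed sample messages (not taken from the thread).
SAMPLES = [
    "Received: from mail.spam.example [192.0.2.43] by mx.example.org with ESMTP;"
    " Mon, 14 May 2007 08:00:00 -0400\n"
    'From: "offers" <a@spam.example>\n'
    "X-Declude-Sender: a@spam.example [192.0.2.43]\n"
    "Subject: one\n\nbody\n",
    "Received: from mail2.spam.example [192.0.2.48] by mx.example.org with ESMTP;"
    " Mon, 14 May 2007 08:05:00 -0400\n"
    'From: "offers" <b@spam.example>\n'
    "X-Declude-Sender: b@spam.example [192.0.2.48]\n"
    "Subject: two\n\nbody\n",
    # No Declude header: fall back to the topmost Received line and ignore
    # the lower one, which the sender controls.
    "Received: from relay.example.net [198.51.100.7] by mx.example.org with ESMTP;"
    " Mon, 14 May 2007 09:00:00 -0400\n"
    "Received: from forged.example [203.0.113.9] by relay.example.net;"
    " Mon, 14 May 2007 08:59:00 -0400\n"
    'From: "prize desk" <c@other.example>\n'
    "Subject: three\n\nbody\n",
]

if __name__ == "__main__":
    ips, nets, domains = summarize(SAMPLES)
    for title, counter in (("IP", ips), ("/24", nets), ("domain", domains)):
        for key, count in counter.most_common():
            print(f"{title:7} {count:4}  {key}")
```
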
Re: [Declude.JunkMail] PCRE
Don't take it the wrong way. While we're a bit frustrated at having to wait so long for a stable product that doesn't have any loss of functionality, Kevin Gillis has done a very good job of righting the product management ship at Ipswitch, and is treating customers well. If we can get a stable product soon, we'll be very happy despite the wait.

Darin.

- Original Message -
From: "David Barker" <[EMAIL PROTECTED]>
To:
Sent: Thursday, May 10, 2007 3:05 PM
Subject: RE: [Declude.JunkMail] PCRE

Phew! For a moment there I thought Declude was the only software company in the world to have issues and then make customers wait a year and a half for a solution, I guess one consolation is we don't charge you as much to do so :)

David

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Thursday, May 10, 2007 2:59 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] PCRE

For those on IMail, the focus right now is probably on getting a stable and fully functional mail server again. IMail 2006.21 preview 1 was just released to hopefully address most, if not all, of the problems with 2006, but it was just posted that those with virtual domains should wait for preview 2 due to a problem with preview 1.

Still waiting after a year and a half. Hope there's a light at the end of the tunnel soon. But that's probably at least part of what's making it quieter here...

Darin.

- Original Message -
From: "David Barker" <[EMAIL PROTECTED]>
To:
Sent: Thursday, May 10, 2007 2:28 PM
Subject: [Declude.JunkMail] PCRE

Ok, either everyone has left or everyone is very happy because it is kind of quiet. So I thought I would post something:

Using PCRE here is an expression that will only match a valid IP address.

(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)

I guess this is useful for several reasons, currently I am just using it to see if there is an IP in the REVDNS entry. Any thoughts on how this could be effectively used ?

David Barker
VP Operations | Declude
Your Email Security is our business
O: 978.499.2933 x7007
F: 978.988.1311
E: [EMAIL PROTECTED]
Re: [Declude.JunkMail] PCRE
For those on IMail, the focus right now is probably on getting a stable and fully functional mail server again. IMail 2006.21 preview 1 was just released to hopefully address most, if not all, of the problems with 2006, but it was just posted that those with virtual domains should wait for preview 2 due to a problem with preview 1.

Still waiting after a year and a half. Hope there's a light at the end of the tunnel soon. But that's probably at least part of what's making it quieter here...

Darin.

- Original Message -
From: "David Barker" <[EMAIL PROTECTED]>
To:
Sent: Thursday, May 10, 2007 2:28 PM
Subject: [Declude.JunkMail] PCRE

Ok, either everyone has left or everyone is very happy because it is kind of quiet. So I thought I would post something:

Using PCRE here is an expression that will only match a valid IP address.

(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)

I guess this is useful for several reasons, currently I am just using it to see if there is an IP in the REVDNS entry. Any thoughts on how this could be effectively used ?

David Barker
VP Operations | Declude
Your Email Security is our business
O: 978.499.2933 x7007
F: 978.988.1311
E: [EMAIL PROTECTED]
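An added example (not code from the thread or from Declude) that exercises the posted expression in Python's `re`, whose syntax for these constructs matches PCRE. It shows what the unanchored pattern accepts inside longer digit runs, adds lookaround boundaries, and extends the REVDNS idea to names that embed the connecting IP with dashes or in reversed order; the function names and the sample host names are constructed.

```python
import re

# Octet alternative exactly as posted in the thread (line-wrap spaces removed).
OCTET = r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"

# The posted expression: four octets joined by literal dots, no anchors.
POSTED = re.compile(r"\.".join([OCTET] * 4))

# Same octets, but the match may not begin or end inside a longer number
# or a longer dotted run of numbers.
STRICT = re.compile(
    r"(?<![0-9.])" + r"\.".join([OCTET] * 4) + r"(?![0-9]|\.[0-9])"
)

# For reverse-DNS names: octets joined by "." or "-". The outer lookahead
# makes the match zero-width so overlapping candidates are all examined.
EMBEDDED = re.compile(
    r"(?<![0-9])(?=(" + r"[.-]".join([OCTET] * 4) + r")(?![0-9]))"
)


def first_ip(pattern, text):
    """Return the first substring the pattern accepts, or None."""
    m = pattern.search(text)
    return m.group(0) if m else None


def ip_in_revdns(ip, revdns):
    """Say how the connecting IP appears inside its own reverse-DNS name.

    Returns "forward" (a-b-c-d or a.b.c.d), "reversed" (d.c.b.a, the
    in-addr.arpa order) or None. A hit is typical of generic, provider
    assigned names for dial-up, DSL and cable pools.
    """
    want = tuple(int(o) for o in ip.split("."))
    for m in EMBEDDED.finditer(revdns):
        # groups(): (whole candidate, octet1, octet2, octet3, octet4)
        got = tuple(int(o) for o in m.groups()[1:])
        if got == want:
            return "forward"
        if got == want[::-1]:
            return "reversed"
    return None


if __name__ == "__main__":
    # Constructed inputs.
    for text in ("999.1.1.1", "1.2.3.4567", "mail [192.0.2.43] by"):
        print(f"{text!r:26} posted={first_ip(POSTED, text)!r:14}"
              f" strict={first_ip(STRICT, text)!r}")
    for name in ("pool-192-0-2-43.dsl.example.net",
                 "43.2.0.192.dyn.example.net",
                 "ip-10-192-0-2-43.example.net",
                 "mail.example.org"):
        print(f"{name:34} {ip_in_revdns('192.0.2.43', name)}")
```

Without the boundaries, the posted pattern accepts `99.1.1.1` inside `999.1.1.1`, so a filter that needs a whole-address match should use the bounded form.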
Re: [Declude.JunkMail] lot's of legit mailservsr in spamdatabases
Yeah, UCEPROTECT in particular seems to have added a lot of major ISPs recently. We started counterweighting ISPs by REVDNS, but we were spending too much time doing that, so we reduced the weight of the UCEPROTECT1 and UCEPROTECT2 tests.

Darin.

- Original Message -
From: Bonno Bloksma
To: Declude.JunkMail@declude.com
Sent: Thursday, April 19, 2007 6:57 AM
Subject: [Declude.JunkMail] lot's of legit mailservsr in spamdatabases

Hi,

How do you guys deal with it, LOTS of legit mailservers are listed in what used to be reliable spamsender databases.

X-RBL-Warning: SPAMBAG: 109.176.216.212.blacklist.spambag.org.
X-RBL-Warning: SPAMCANNIBAL: "blocked, See: http://www.spamcannibal.org/cannibal.cgi?page=lookup&lookup=212.216.176.109";
X-RBL-Warning: UCEPROTECT-1: "Sorry 212.216.176.109 is Level 1 listed at UCEPROTECT-NETWORK. See http://www.uceprotect.net/rblcheck.php?ipr=212.216.176.109";
X-RBL-Warning: UCEPROTECT-2: "Sorry 212.216.176.109 is Level 2 listed at UCEPROTECT-NETWORK. See http://www.uceprotect.net/rblcheck.php?ipr=212.216.176.109";

But 212.216.176.109 is a normal mailserver vsmtp21.tin.it and is trying to deliver mail from a "customer" to us.

Have spammers won this race, can we no longer trust these databases? Is there an ip list with "all" legitimate mailservers for most ISP that I can use to reduce points? For the hotmail mailservers it was easy to reduce the points, it's a lot harder to do for all the other "real" mailservers.

Kind regards,
Bonno Bloksma
head of systems administration
tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl
Re: [Declude.JunkMail] hotmail mailservers in several spamdatabases
We have counterweight filter files for all of our higher weight tests. For example, if hotmail is failing SORBS-SPAM across the board and we decide to exempt them from that test, then we'll add a REVDNS test to the counterweight file for SORBS-SPAM. This way we can effectively turn tests on or off selectively for certain senders.

We primarily use REVDNS (preferred) and MAILFROM (when REVDNS isn't practical or specific enough) in our counterweight tests.

Darin.

- Original Message -
From: Bonno Bloksma
To: [EMAIL PROTECTED]
Sent: Thursday, April 12, 2007 4:01 AM
Subject: [Declude.JunkMail] hotmail mailservers in several spamdatabases

Hi,

I had to put an extra ip file in place to reduce the points on the hotmail mailservers. Several hundred ip numbers for hotmail mailservers are listed in several spam databases. I just added an ipfile with:

65.54.244.0/24 hotmail.com mailservers
65.54.245.0/24 hotmail.com mailservers
65.54.246.0/24 hotmail.com mailservers

Which will subtract 25% of my hold weight to make sure these get through.

How are you guys/gals dealing with this?

Kind regards,
Bonno Bloksma
head of systems administration
tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl
Re: [Declude.JunkMail] AUTOWHITELIST Question....
Just the individual's account.

One thing that does sometimes happen, though, is that the user puts their own address in their webmail address book. So, anything that forges that person's address when sending to them gets through. Something for the user FAQ...

Darin.

- Original Message -
From: "Chuck Schick" <[EMAIL PROTECTED]>
To: "Declude. JunkMail"
Sent: Tuesday, April 10, 2007 11:35 AM
Subject: [Declude.JunkMail] AUTOWHITELIST Question

I have not turned on autowhitelist but am considering doing so. I have a question regarding this - does declude only look at the web messaging address book? If [EMAIL PROTECTED] has [EMAIL PROTECTED] in his web messaging address book does the whitelisting only apply to joeblow's account or does it apply to everyone's account?

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com
Re: [Declude.JunkMail] Whitelist weirdness
We see that a lot... where the user has their own email address in their webmail contacts, which results in any spam sent to them that forges their email address coming through.

Darin.

- Original Message -
From: "Robert Grosshandler" <[EMAIL PROTECTED]>
To:
Sent: Friday, March 09, 2007 12:22 AM
Subject: [Declude.JunkMail] Whitelist weirdness

Hi

We're getting certain e-mails whitelisted, and I'm not able to find where we've done that to ourselves.

Here's a line from a whitelist entry I CAN find:

Skipping3 E-mail from IP 208.100.26.91; whitelisted [208.100.26.91]

Here's a line from the whitelist entry I CANNOT find:

Skipping4 E-mail from [EMAIL PROTECTED]; whitelisted [EMAIL PROTECTED]

We have the directive AUTOWHITELIST ON -- could that be it?

Thanks

Rob
Re: [Declude.JunkMail] OT: SPF record question
Yes, it does. Message comes in from your mail client and is whitelisted by SMTP AUTH. Now your server sends it to the destination. Receiving server sees the message coming from your server, and that your server is a valid sender for the domain in question according to your SPF policy. The last hop seen by the destination is your server, not your mail client. Your server satisfies your SPF policy, therefore the receiving server checks and records an SPF PASS.

Forget about the client, as long as they send through your server, and you don't filter them out... either because they AUTH and you whitelist on AUTH, or any other way you avoid filtering your connecting users. It's all about your server sending to the destination server.

This has been working for us for the past year and a half or so.

Darin.

- Original Message -
From: "Gary Steiner" <[EMAIL PROTECTED]>
To:
Sent: Saturday, February 17, 2007 11:22 PM
Subject: Re: [Declude.JunkMail] OT: SPF record question

My question still isn't coming across. In setting up SPF, I don't want any outgoing messages from my server to be bounced by others because of a bad SPF string. I can whitelist SMTP auth on my server, but that doesn't help the SPF problem because potentially when one of my users sends a message to someone, say on hotmail.com, it could get bounced because of bad SPF.

For example, say my SPF string for my domain is "v=spf1 mx mx:smtp.mydomain.com -all". This allows any email sent via my SmarterMail webmail to pass SPF. Now, if one of my users connects to the server with Outlook and SMTP Auth, and uses this to send an email, then the IP address that shows up in the last hop is the one he used to connect to my server, not the IP address of my server. So the email message he sends would fail SPF. For it to pass, I would have to change my SPF string to "v=spf1 mx mx:smtp.mydomain.com ip4:67.189.34.6 -all", and additionally add a ip4: entry for every instance that a user might connect to my server with Outlook.

So does this mean that SPF is impractical for anyone not strictly using webmail? To me it implies that to cover all bases you would have to have in your SPF string "?all" and there would be no way to make it stricter than that, other than to force all your users to use webmail and not Outlook.

Gary

Original Message
> From: "Darin Cox" <[EMAIL PROTECTED]>
> Sent: Friday, February 16, 2007 4:33 PM
> To: declude.junkmail@declude.com
> Subject: Re: SPAM-WARN:Re: [Declude.JunkMail] OT: SPF record question
>
> Whitelisting SMTP Auth is the key here. Since you connect with a userID/PW
> to your mail server, Whitelisting connections done through SMTP AUTH
> bypasses Declude filtering.
>
> Darin.
>
>
> - Original Message -
> From: "Gary Steiner" <[EMAIL PROTECTED]>
> To:
> Sent: Friday, February 16, 2007 4:10 PM
> Subject: RE: SPAM-WARN:Re: [Declude.JunkMail] OT: SPF record question
>
>
> Let me give you my case. For this example I used my home Comcast connection
> to send an email using Outlook and authentication. My server uses Declude
> and SmarterMail. The header of the received message shows one IP address in
> a single Received line:
>
> Received: from c-67-189-34-6.hsd1.or.comcast.net [67.189.34.6] by
> mail.plusultraweb.com with SMTP;
>    Fri, 16 Feb 2007 15:43:21 -0500
>
> Michael's message via Declude's mailing list had three Received lines:
>
> Received: from smtp.declude.com [63.246.31.248] by mail.plusultraweb.com
> with SMTP;
>    Fri, 16 Feb 2007 15:46:48 -0500
> Received: from mail.mathbox.com [63.150.236.14] by smtp.declude.com with
> SMTP;
>    Fri, 16 Feb 2007 15:31:18 -0500
> Received: from mikesplace [63.150.236.3] by mail.mathbox.com with ESMTP
> (SMTPD-8.22) id A48F027C; Fri, 16 Feb 2007 15:31:11 -0500
>
> In both messages Declude made checks versus the last hop only (67.189.34.6
> in my test message and 63.246.31.248 in the message from Declude's mailing
> list).
>
> Since my Comcast IP address is not listed in my SPF string, it failed
> Declude's SPF test.
>
> So what is the problem here? Is this a flaw in how SmarterMail lists its
> hops? Should it be showing the Comcast IP address as the final hop, or
> should it be showing my mail server?
>
> Since it is showing the Comcast address, SPF fails. The only way to get
> around this is to end the SPF string with "?all", but if I'm going to do
> that, I might as well not use SPF at all.
>
> Gary
>
>
> Original Message
> > From: "Michael Thomas - Mathbox" <[EMAIL PROTECTED]>
> > Sent: Friday, February 16, 2007 3:47 PM
> > To: declude.junkmail@declude.com
> > Subje
Re: SPAM-WARN:Re: [Declude.JunkMail] OT: SPF record question
Whitelisting SMTP Auth is the key here. Since you connect with a userID/PW to your mail server, Whitelisting connections done through SMTP AUTH bypasses Declude filtering.

Darin.

- Original Message -
From: "Gary Steiner" <[EMAIL PROTECTED]>
To:
Sent: Friday, February 16, 2007 4:10 PM
Subject: RE: SPAM-WARN:Re: [Declude.JunkMail] OT: SPF record question

Let me give you my case. For this example I used my home Comcast connection to send an email using Outlook and authentication. My server uses Declude and SmarterMail. The header of the received message shows one IP address in a single Received line:

Received: from c-67-189-34-6.hsd1.or.comcast.net [67.189.34.6] by mail.plusultraweb.com with SMTP; Fri, 16 Feb 2007 15:43:21 -0500

Michael's message via Declude's mailing list had three Received lines:

Received: from smtp.declude.com [63.246.31.248] by mail.plusultraweb.com with SMTP; Fri, 16 Feb 2007 15:46:48 -0500
Received: from mail.mathbox.com [63.150.236.14] by smtp.declude.com with SMTP; Fri, 16 Feb 2007 15:31:18 -0500
Received: from mikesplace [63.150.236.3] by mail.mathbox.com with ESMTP (SMTPD-8.22) id A48F027C; Fri, 16 Feb 2007 15:31:11 -0500

In both messages Declude made checks versus the last hop only (67.189.34.6 in my test message and 63.246.31.248 in the message from Declude's mailing list).

Since my Comcast IP address is not listed in my SPF string, it failed Declude's SPF test.

So what is the problem here? Is this a flaw in how SmarterMail lists its hops? Should it be showing the Comcast IP address as the final hop, or should it be showing my mail server?

Since it is showing the Comcast address, SPF fails. The only way to get around this is to end the SPF string with "?all", but if I'm going to do that, I might as well not use SPF at all.

Gary

Original Message
> From: "Michael Thomas - Mathbox" <[EMAIL PROTECTED]>
> Sent: Friday, February 16, 2007 3:47 PM
> To: declude.junkmail@declude.com
> Subject: RE: SPAM-WARN:Re: [Declude.JunkMail] OT: SPF record question
>
> Gary,
>
> Your logic is incorrect. SPF is a check made by the destination mail server
> (possibly my mail server) against the sending mail server (your mail
> server). Your users authenticate to your mail server, then submit a message
> to your mail server for delivery by your mail server to the remote mail
> server. So, the remote mail server (possibly my mail server) would check the
> SPF to determine if your mail server was listed as a source for the domain
> of the sending email address.
>
> Michael Thomas
> Mathbox
> 978-683-6718
> 1-877-MATHBOX (Toll Free)
>
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> > Behalf Of Gary Steiner
> > Sent: Friday, February 16, 2007 2:56 PM
> > To: declude.junkmail@declude.com
> > Subject: SPAM-WARN:Re: [Declude.JunkMail] OT: SPF record question
> >
> > I have a question to follow this subject. If users have
> > Outlook and they are sending email from home or wherever
> > using authentication, then the IP that shows up in the header
> > will be their home connection. That being the case, unless
> > your users are strictly using webmail, your SPF record should
> > show no enforcement otherwise all the non-webmail messages
> > will get blocked. To me this indicates that SPF doesn't help
> > you if your users are not using webmail. Is this correct?
> >
> > Gary
> >
> >
> > Original Message
> > > From: "Darin Cox" <[EMAIL PROTECTED]>
> > > Sent: Wednesday, February 07, 2007 4:33 PM
> > > To: declude.junkmail@declude.com
> > > Subject: Re: [Declude.JunkMail] OT: SPF record question
> > >
> > > If your MX and A records are also in the 216.15.92.0/25 network, then you
> > > don't need to specify the "a" and "mx" parameters, so you could simplify to
> > >
> > > No enforcement, other hosts may send mail for the domain
> > > "v=spf1 ip4:216.15.92.0/25 ?all"
> > >
> > > Soft fail if policy violated. Filters may or may not block on soft fail.
> > > "v=spf1 ip4:216.15.92.0/25 ~all"
> > >
> > > Hard fail if policy violated. Filters should block on hard fail.
> > > "v=spf1 ip4:216.15.92.0/25 -all"
> > >
> > > However, if you send from an MX or A record (web server) that is not in the
> > > 216.15.92.0/25 subnet then you may need those.
> > >
> > > If you use a soft or hard fail policy, it's very important &
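The point argued in the SPF threads above is that SPF is evaluated against the IP of whichever host opens the SMTP connection to the server doing the check. The following is an added example, not code from the list or from Declude: a small evaluator limited to the ip4, ip6 and all mechanisms, run over the three policy strings quoted in the thread. The client address is the one from the thread; the server address 216.15.92.10 is a constructed value inside the quoted 216.15.92.0/25 range, and the function names are hypothetical.

```python
import ipaddress

# Qualifier -> result name, as defined for SPF in RFC 7208.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, connecting_ip):
    """Evaluate an SPF record against the IP that opened the SMTP connection.

    Only ip4:, ip6: and all are handled. The a, mx, include and other
    mechanisms need DNS lookups and are rejected here.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(connecting_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            raise ValueError("mechanism %r needs DNS, not supported here" % name)
        try:
            network = ipaddress.ip_network(arg, strict=False)
        except ValueError:
            return "permerror"
        if ip in network:  # False when the address families differ
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all"


def inbound_filter_result(record, connecting_ip, authenticated, whitelist_auth):
    """SPF outcome an inbound filter records for one SMTP connection."""
    if authenticated and whitelist_auth:
        return "skipped"  # authenticated submissions bypass filtering
    return check_spf(record, connecting_ip)


# Policy strings quoted in the thread.
NEUTRAL_POLICY = "v=spf1 ip4:216.15.92.0/25 ?all"
SOFTFAIL_POLICY = "v=spf1 ip4:216.15.92.0/25 ~all"
HARDFAIL_POLICY = "v=spf1 ip4:216.15.92.0/25 -all"

CLIENT_IP = "67.189.34.6"   # home connection shown in the thread
SERVER_IP = "216.15.92.10"  # constructed: the domain's own mail server


def trace_delivery(record, whitelist_auth):
    """Follow one message: client -> own server (AUTH) -> destination."""
    return {
        # Hop 1: the domain's own server sees the client's home IP.
        "submission": inbound_filter_result(record, CLIENT_IP, True, whitelist_auth),
        # Hop 2: the destination sees only the domain's server.
        "relay": inbound_filter_result(record, SERVER_IP, False, False),
    }


if __name__ == "__main__":
    for policy in (NEUTRAL_POLICY, SOFTFAIL_POLICY, HARDFAIL_POLICY):
        for whitelist_auth in (False, True):
            print(policy, "whitelist_auth=%s" % whitelist_auth,
                  trace_delivery(policy, whitelist_auth))
```

The relay hop passes under all three policies; only the submission hop on the domain's own server changes, and only when authenticated connections are not exempted from filtering.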
Re: [Declude.JunkMail] disable subject line warning on one email account
Not a rule, but either a domain-level or user-level config to change the WARN action to IGNORE.

Darin.

- Original Message -
From: Craig Edmonds
To: declude.junkmail@declude.com
Sent: Friday, February 16, 2007 6:33 AM
Subject: [Declude.JunkMail] disable subject line warning on one email account

I would like to disable the subject line warning that gets placed in the subject line for one particular email account on a domain. He is complaining that he sees too many emails with a subject warning.

Kind of like this. "if the email address = [EMAIL PROTECTED] then don't put subject line warning"

Any rule I can place in the config file to do this?

Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.net
Re: [Declude.JunkMail] Re: Documentation
David replied offline, so I thought I would share the links he sent.

http://shopping.declude.com/Version/Manuals/JunkMail/JM_4.0.8.asp
http://shopping.declude.com/Version/Manuals/EVA/EVA_4.0.8.asp

I found that 2.0.6 documentation is also available this way at

http://shopping.declude.com/Version/Manuals/JunkMail/JM_2.0.6.asp
http://shopping.declude.com/Version/Manuals/EVA/EVA_2.0.6.asp

These can be saved offline.

Note that there are errors in the documentation. The bitmask test is not listed in 2.0.6, but it is supported, and the subtests must enclose the master test name in quotes, so instead of this

ESPAM bitmask 0 "[drive]\[path]\execfile.exe" 0 0
ESPAM-URIBL bitmask 1 ESPAM 8 0
ESPAM-PHISH bitmask 2 ESPAM 4 0
ESPAM-BULK bitmask 4 ESPAM 6 0

use this

ESPAM bitmask 0 "[drive]\[path]\execfile.exe" 0 0
ESPAM-URIBL bitmask 1 "ESPAM" 8 0
ESPAM-PHISH bitmask 2 "ESPAM" 4 0
ESPAM-BULK bitmask 4 "ESPAM" 6 0

Darin.

- Original Message -
From: Darin Cox
To: Darin Cox ; [EMAIL PROTECTED] ; Declude.JunkMail@declude.com
Sent: Thursday, February 15, 2007 4:37 PM
Subject: [Declude.JunkMail] Re: Documentation

Hi David,

Any progress on the documentation?

Darin.

- Original Message -
From: Darin Cox
To: [EMAIL PROTECTED] ; Declude.JunkMail@declude.com
Sent: Tuesday, February 13, 2007 2:54 PM
Subject: Re: Documentation

Hi David,

Any progress on revising the documentation? I noticed I still see the incorrect info in the documentation.

Also, any progress on creating PDF for the newer versions so we're not in a bind should the documentation not be on the website, or our office or home network connections be down?

Much appreciated.

Darin.

- Original Message -
From: Darin Cox
To: [EMAIL PROTECTED]
Sent: Friday, December 01, 2006 6:53 PM
Subject: DSS 2.06 and bitmask test docs

Hi David,

I noticed a couple of problems with the online docs. 2.06.16 does not list bitmask as a valid test type, but it is coded into 2.06.16.

Also, the bitmask test type docs for 3.x and 4.x have an error that could cause some trouble with implementation. They do not show that quotes are required around the master test name in the subtest definitions. However, the test does not work without quotes.

Could you make sure these get corrected?

Also, would you consider making PDFs of the documentation available? I'm concerned that 2.06.16 documentation could be removed from the website, leaving us without any documentation on the version. We were in that exact predicament with 1.82, so I was forced to refer to 2.06.16 documentation. If you happen to have 1.82 documentation, I would certainly appreciate it in case we find a need to move back to it.

Thanks, and have a great weekend!

Darin.
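A check for the quoting problem described in the message above, as an added example that is not Declude's own tooling. The field layout (test name, `bitmask`, mask, target, two weights), the rule that a mask of 0 marks the master test, and the `#` comment prefix are assumptions read off the lines quoted in the message; the function name is hypothetical.

```python
import re

# Assumed layout: NAME bitmask MASK TARGET WEIGHT WEIGHT, where TARGET is
# either a double-quoted string (may contain spaces) or a bare word.
LINE_RE = re.compile(
    r'^(?P<name>\S+)\s+bitmask\s+(?P<mask>\d+)\s+'
    r'(?P<target>"[^"]*"|\S+)\s+(?P<w1>-?\d+)\s+(?P<w2>-?\d+)\s*$',
    re.IGNORECASE,
)


def lint_bitmask_tests(config_text):
    """Return (line number, message) pairs for suspect bitmask definitions."""
    masters = set()
    subtests = []
    problems = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2 or fields[1].lower() != "bitmask":
            continue  # some other test type, not checked here
        match = LINE_RE.match(line)
        if match is None:
            problems.append((lineno, "cannot parse bitmask definition"))
            continue
        target = match["target"]
        if int(match["mask"]) == 0:
            # Mask 0: the master test, whose target is the executable.
            masters.add(match["name"])
        else:
            quoted = target.startswith('"')
            subtests.append((lineno, match["name"], target.strip('"'), quoted))
    # Second pass, so a subtest may appear before its master in the file.
    for lineno, name, master, quoted in subtests:
        if not quoted:
            problems.append(
                (lineno, "%s: master test name %s must be in quotes" % (name, master)))
        if master not in masters:
            problems.append(
                (lineno, "%s: master test %s is not defined" % (name, master)))
    return problems


# The two variants quoted in the message above.
DOCUMENTED = r'''
ESPAM bitmask 0 "[drive]\[path]\execfile.exe" 0 0
ESPAM-URIBL bitmask 1 ESPAM 8 0
ESPAM-PHISH bitmask 2 ESPAM 4 0
ESPAM-BULK bitmask 4 ESPAM 6 0
'''.strip()

CORRECTED = r'''
ESPAM bitmask 0 "[drive]\[path]\execfile.exe" 0 0
ESPAM-URIBL bitmask 1 "ESPAM" 8 0
ESPAM-PHISH bitmask 2 "ESPAM" 4 0
ESPAM-BULK bitmask 4 "ESPAM" 6 0
'''.strip()

if __name__ == "__main__":
    for label, text in (("documented", DOCUMENTED), ("corrected", CORRECTED)):
        print(label, lint_bitmask_tests(text))
```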
[Declude.JunkMail] Re: Documentation
Hi David,

Any progress on the documentation?

Darin.

- Original Message -
From: Darin Cox
To: [EMAIL PROTECTED] ; Declude.JunkMail@declude.com
Sent: Tuesday, February 13, 2007 2:54 PM
Subject: Re: Documentation

Hi David,

Any progress on revising the documentation? I noticed I still see the incorrect info in the documentation.

Also, any progress on creating PDF for the newer versions so we're not in a bind should the documentation not be on the website, or our office or home network connections be down?

Much appreciated.

Darin.

- Original Message -
From: Darin Cox
To: [EMAIL PROTECTED]
Sent: Friday, December 01, 2006 6:53 PM
Subject: DSS 2.06 and bitmask test docs

Hi David,

I noticed a couple of problems with the online docs. 2.06.16 does not list bitmask as a valid test type, but it is coded into 2.06.16.

Also, the bitmask test type docs for 3.x and 4.x have an error that could cause some trouble with implementation. They do not show that quotes are required around the master test name in the subtest definitions. However, the test does not work without quotes.

Could you make sure these get corrected?

Also, would you consider making PDFs of the documentation available? I'm concerned that 2.06.16 documentation could be removed from the website, leaving us without any documentation on the version. We were in that exact predicament with 1.82, so I was forced to refer to 2.06.16 documentation. If you happen to have 1.82 documentation, I would certainly appreciate it in case we find a need to move back to it.

Thanks, and have a great weekend!

Darin.
Re: [Declude.JunkMail] dns attacks today
Hmmm.. I thought I remembered Scott saying he was keeping DNSStuff to himself when he sold Declude. I guess he changed his mind.

I would guess it's good news that there's a larger organization behind DNSStuff now... to keep it going should any one person no longer be part of it.

Darin.

- Original Message -
From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
To:
Sent: Monday, February 12, 2007 4:33 PM
Subject: RE: [Declude.JunkMail] dns attacks today

FWIW, Paul Parisi is not only the CTO of DNSStuff.com but is also the CTO of Declude.com ... Which helped me frame David's reply!

http://www.declude.com/site/news1017.htm
http://www.boston.com/business/whoswhat/2006/12/declude_newbury.html

Andrew.

p.s. I ran a whois on a few typo variations on DNSStuff.com out of curiosity and got a few different domain squatters.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of David Barker
> Sent: Thursday, February 08, 2007 5:55 AM
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] dns attacks today
>
> Don't panic Darin, Scott is still involved with DNSStuff,
> just not in a PR role.
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Darin Cox
> Sent: Wednesday, February 07, 2007 5:59 PM
> To: declude.junkmail@declude.com
> Subject: Re: [Declude.JunkMail] dns attacks today
>
> So where's Scott in this picture? And who's Paul Parisi,
> other than CTO of DNSstuff.com? Is Scott selling DNSstuff
> and DNSreport as well?
>
> Darin.
>
>
> - Original Message -
> From: "Nick Hayer" <[EMAIL PROTECTED]>
> To:
> Sent: Wednesday, February 07, 2007 5:06 PM
> Subject: [Declude.JunkMail] dns attacks today
>
>
> fyi -
> http://www.darkreading.com/document.asp?doc_id=116685&WT.svl=news2_1
>
> -Nick
Re: [Declude.JunkMail] Manuals
Thanks, Nick!

David, would it be possible to get similar PDFs for 2.x and 4.x?

Darin.

- Original Message -
From: "Nick Hayer" <[EMAIL PROTECTED]>
To:
Sent: Friday, February 09, 2007 10:02 AM
Subject: Re: [Declude.JunkMail] Manuals

I had these that may suffice for now -

-Nick

Darin Cox wrote:
> Ugh. David B., can we get manuals back ASAP? PDFs that we can download and
> save would be great so we can keep a reference in case something like this
> happens again, our internet connection is down, etc.
>
> Darin.
>
>
> - Original Message -
> From: "Dean Lawrence" <[EMAIL PROTECTED]>
> To:
> Sent: Friday, February 09, 2007 9:25 AM
> Subject: [Declude.JunkMail] Manuals
>
>
> Does anyone know where the manuals went? If you click on the manuals
> link on the Declude support page, you download a PDF for Interceptor
> administration, but not Junkmail, Virus, or Hijack.
Re: [Declude.JunkMail] Manuals
Ugh. David B., can we get manuals back ASAP? PDFs that we can download and save would be great so we can keep a reference in case something like this happens again, our internet connection is down, etc.

Darin.

- Original Message -
From: "Dean Lawrence" <[EMAIL PROTECTED]>
To:
Sent: Friday, February 09, 2007 9:25 AM
Subject: [Declude.JunkMail] Manuals

Does anyone know where the manuals went? If you click on the manuals link on the Declude support page, you download a PDF for Interceptor administration, but not Junkmail, Virus, or Hijack.

--
__
Dean Lawrence, CIO/Partner
Internet Data Technology
888.GET.IDT1 ext. 701 * fax: 888.438.4381
http://www.idatatech.com/
Corporate Internet Development and Marketing Specialists
Re: [Declude.JunkMail] Whitelist questions
I would suggest negative/counter weights instead of whitelists, but yes, you can have several lists for whitelisting or counterweighting purposes.

Here's the general syntax for ip-based or from-address counterweighting. Adjust the file paths from these generic examples

IPBLACKLIST ipfile C:\IMail\Declude\ipblacklist.txt x 100 0
IPWHITELIST ipfile C:\IMail\Declude\ipwhitelist.txt x -100 0
FROMBLACKLIST fromfile C:\IMail\Declude\fromblacklist.txt x 100 0
FROMWHITELIST fromfile C:\IMail\Declude\fromwhitelist.txt x -100 0

Darin.

- Original Message -
From: Sharyn Schmidt
To: declude.junkmail@declude.com
Sent: Friday, February 09, 2007 8:12 AM
Subject: [Declude.JunkMail] Whitelist questions

Hi,

I understand that you can have whitelist entries in your global config file, or you can have a text file with all your whitelist entries.

What happens if you have some entries in your global config and others in a text file? Will Declude look at all of them? Can you have several whitelist text files?

Thanks,

Sharyn
Re: [Declude.JunkMail] dns attacks today
Not panicking... just curious as to what's going on over there...

Darin.

- Original Message -
From: "David Barker" <[EMAIL PROTECTED]>
To:
Sent: Thursday, February 08, 2007 8:54 AM
Subject: RE: [Declude.JunkMail] dns attacks today

Don't panic Darin, Scott is still involved with DNSStuff, just not in a PR role.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Wednesday, February 07, 2007 5:59 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] dns attacks today

So where's Scott in this picture? And who's Paul Parisi, other than CTO of DNSstuff.com? Is Scott selling DNSstuff and DNSreport as well?

Darin.

- Original Message -
From: "Nick Hayer" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, February 07, 2007 5:06 PM
Subject: [Declude.JunkMail] dns attacks today

fyi - http://www.darkreading.com/document.asp?doc_id=116685&WT.svl=news2_1

-Nick