[Declude.JunkMail] Major Declude/SPF problem... any ideas?

2004-12-01 Thread Joe Wolf



I've been receiving reports of non-delivery of messages between users on our
mail server.  For example if I host abc.com and users between abc.com send to
each other inside the building on the private IP range.

I tracked down the problem and all the messages have SPF FAIL in the headers
and some end up being held for weight issues (short subjects, only an "OK" in
the message, etc.).

The SPF is failing because the private IP range (192.168.1.XXX) is not listed
in our SPF DNS records.  I don't know if it would be wise to put private IP
ranges in the SPF DNS record.

Is there a way to skip SPF testing on internal messages... those that never
hit a public IP?
 
Thanks,
Joe


Re: [Declude.JunkMail] New ALL_LIST.DAT File?

2004-07-30 Thread Joe Wolf
Maybe I'm way behind here, but what is the all_list.dat file?   What does it
do and how do you implement it?  I have no such file in my system.

Thanks,
Joe
- Original Message - 
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, July 30, 2004 8:36 AM
Subject: Re: [Declude.JunkMail] New ALL_LIST.DAT File?


>
> >Has the file been updated?
>
> It has just been updated, and is
> at  http://www.declude.com/version/release/all_list.dat .
>
> -Scott
> ---
> Declude JunkMail: The advanced anti-spam solution for IMail mailservers
> since 2000.
> Declude Virus: Ultra reliable virus detection and the leader in mailserver
> vulnerability detection.
> Find out what you've been missing: Ask for a free 30-day evaluation.
>
> ---
> [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.JunkMail mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail".  The archives can be found
> at http://www.mail-archive.com.
>



Re: [Declude.JunkMail] Declude reporting wrong IP... why?

2004-07-22 Thread Joe Wolf
Scott...

HOP is "0", no HOPHIGH.  IPBYPASS 192.168.1.50 which is my backup spooler.

Complete "Received:" headers below:

Received: from smtp.fidnet.com [216.229.64.74] by mail.csimo.com
  (SMTPD32-8.12) id AD2B20D0070; Thu, 22 Jul 2004 16:10:03 -0500
Received: (qmail 13061 invoked by uid 20954); 22 Jul 2004 21:09:57 -
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 13057 invoked from network); 22 Jul 2004 21:09:57 -
Received: from exprod6mx94.postini.com (HELO psmtp.com) (12.158.36.78)
  by smtp.fidnet.com with SMTP; 22 Jul 2004 21:09:57 -
Received: from source ([216.229.87.4]) by exprod6mx94.postini.com
([12.158.35.251]) with SMTP;
 Thu, 22 Jul 2004 16:09:56 CDT
Received: from office [192.168.1.177] by mail.csimo.com
  (SMTPD32-8.12) id AD281C400BE; Thu, 22 Jul 2004 16:10:00 -0500

I'm not running the current version of Declude (don't have a service
agreement).

Thanks for your help!

-Joe


- Original Message - 
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, July 22, 2004 5:09 PM
Subject: Re: [Declude.JunkMail] Declude reporting wrong IP... why?


>
> >I've had a couple of reports that my messages were failing SPF.  I sent a
> >message to myself via a loop and am totally confused at the message header.
> >
> >The message was actually sent from my computer on private IP 192.168.1.177
> >to my IMail server at 216.229.87.4.  For some reason Declude reports that
> >I sent the message from 216.229.64.74.  That IP is one of our IP's, but
> >not at this location and the message never touched that subnet.
>
> What are your HOP, HOPHIGH, and IPBYPASS settings?
>
> >Top part of message header shows correct information:
> >
> >Received: from source ([216.229.87.4]) by exprod6mx94.postini.com
> >([12.158.35.251]) with SMTP;
> >  Thu, 22 Jul 2004 16:09:56 CDT
> >Received: from office [192.168.1.177] by mail.csimo.com
> >   (SMTPD32-8.12) id AD281C400BE; Thu, 22 Jul 2004 16:10:00 -0500
>
> Are there any further Received: headers?
>
> >  X-Declude-Sender: [EMAIL PROTECTED] [216.229.64.74]
> >X-Note: This message was sent from 216-229-64-74-empty.fidnet.com
> >([216.229.64.74]).
>
> Does the IP 216.229.64.74 appear anywhere in the headers?
>
> What version of Declude JunkMail are you running?
>
> -Scott
>



[Declude.JunkMail] Declude reporting wrong IP... why?

2004-07-22 Thread Joe Wolf




I've had a couple of reports that my messages were failing SPF.  I sent a
message to myself via a loop and am totally confused at the message header.

The message was actually sent from my computer on private IP 192.168.1.177 to
my IMail server at 216.229.87.4.  For some reason Declude reports that I sent
the message from 216.229.64.74.  That IP is one of our IP's, but not at this
location and the message never touched that subnet.

Any ideas?

Top part of message header shows correct information:

Received: from source ([216.229.87.4]) by exprod6mx94.postini.com
([12.158.35.251]) with SMTP;
  Thu, 22 Jul 2004 16:09:56 CDT
Received: from office [192.168.1.177] by mail.csimo.com
  (SMTPD32-8.12) id AD281C400BE; Thu, 22 Jul 2004 16:10:00 -0500

Declude JunkMail reports wrong IP address in bottom section.  This causes SPF
fail:

X-Declude-Sender: [EMAIL PROTECTED] [216.229.64.74]
X-Note: This message was sent from 216-229-64-74-empty.fidnet.com
([216.229.64.74]).
 
-Joe
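
Added example (not code from the thread or from Declude): a Python sketch that parses the complete Received: chain quoted in the reply above, newest hop first, and reports which IP the final receiving server recorded. It also shows one way to decide when an internal-only message, as asked about in the SPF thread, can skip SPF. The function names and the `bypass` set are hypothetical, and the `INTERNAL` sample is constructed.

```python
import ipaddress
import re

# Received: headers quoted in the thread, newest first. Each server prepends
# its own line, so index 0 is the hop recorded by the final receiving server.
LOOPED = [
    "from smtp.fidnet.com [216.229.64.74] by mail.csimo.com"
    " (SMTPD32-8.12) id AD2B20D0070; Thu, 22 Jul 2004 16:10:03 -0500",
    "(qmail 13061 invoked by uid 20954); 22 Jul 2004 21:09:57 -",
    "(qmail 13057 invoked from network); 22 Jul 2004 21:09:57 -",
    "from exprod6mx94.postini.com (HELO psmtp.com) (12.158.36.78)"
    " by smtp.fidnet.com with SMTP; 22 Jul 2004 21:09:57 -",
    "from source ([216.229.87.4]) by exprod6mx94.postini.com"
    " ([12.158.35.251]) with SMTP; Thu, 22 Jul 2004 16:09:56 CDT",
    "from office [192.168.1.177] by mail.csimo.com"
    " (SMTPD32-8.12) id AD281C400BE; Thu, 22 Jul 2004 16:10:00 -0500",
]

# Constructed sample: a message that went straight from a LAN client to the server.
INTERNAL = [
    "from office [192.168.1.177] by mail.csimo.com"
    " (SMTPD32-8.12) id CONSTRUCTED01; Thu, 22 Jul 2004 16:10:00 -0500",
]

# A dotted quad that is not part of a longer run of digits and dots.
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def relay_hops(received):
    """Return [(helo_name, ip)] for every network hop, newest first."""
    hops = []
    for line in received:
        if not line.lower().startswith("from "):
            continue  # local hand-offs such as "(qmail ... invoked by uid ...)"
        # Only the text before " by " describes the sending side of the hop.
        from_part = re.split(r"\s+by\s+", line, maxsplit=1)[0]
        parts = from_part.split()
        match = IPV4.search(from_part)
        if len(parts) < 2 or not match:
            continue
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # looks like an address but is not one, e.g. 999.1.1.1
        hops.append((parts[1], str(ip)))
    return hops


def connecting_ip(received, bypass=frozenset()):
    """IP of the newest hop that is not one of our own trusted relays.

    `bypass` is a simplified stand-in for a trusted-relay list; it is an
    assumption of this sketch, not Declude's HOP/IPBYPASS implementation.
    """
    for _name, ip in relay_hops(received):
        if ip not in bypass:
            return ip
    return None


def should_check_spf(received, bypass=frozenset()):
    """Skip SPF only when the hop our own server recorded is a private address.

    Older headers were written by upstream systems and can be forged, so a
    private address further down the chain never justifies skipping the check.
    """
    ip = connecting_ip(received, bypass)
    if ip is None:
        return True  # nothing trustworthy to go on: evaluate normally
    return not ipaddress.ip_address(ip).is_private


if __name__ == "__main__":
    for name, ip in relay_hops(LOOPED):
        print(f"{ip:15}  {name}")
    print("looped message, evaluate SPF:", should_check_spf(LOOPED, {"192.168.1.50"}))
    print("internal message, evaluate SPF:", should_check_spf(INTERNAL))
```
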
 


Re: [Declude.JunkMail] Fw: New Multiple Threat Lookup Database test for Declude JunkMail

2004-07-10 Thread Joe Wolf
Seems that Computerized Horizons should read their own press releases before 
sending them to Business Wire.  If a current Service Agreement is required 
then the following paragraph from the Computerized Horizons pr is a lie:

"Although immediately available at no charge to current Declude 'JunkMail' 
customers the company is open to discussing licensed access by others 
wishing to eradicate this threat."

The test is NOT free to current Declude 'JunkMail' customers if a current 
Service Agreement is required.

Here's the Press Release by Computerized Horizons if interested:
http://www.tmcnet.com/usubmit/2004/Jul/1055222.htm
Hope they issue a correction!
-Joe
- Original Message - 
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, July 10, 2004 3:08 PM
Subject: Re: [Declude.JunkMail] Fw: New Multiple Threat Lookup Database test 
for Declude JunkMail



does this mean we should stop using the test once our SA expires if we
choose not to renew ?
That is correct.
   -Scott


Re: [Declude.JunkMail] MTLD test -- Relationship between Viruses and Spam

2004-07-10 Thread Joe Wolf

Most reports are that more than 50% of all spam is now coming from
"zombies", which typically are home computers that were infected by a 
virus that installs a trojan horse that the spammer has control over.

   -Scott
---
I don't know if that's an accurate figure or not, but it seems like a lot of 
work for a spammer that can use any of thousands of easier ways to send their 
messages.  Additionally as Microsoft and others continue to lock down their 
products this should not be much of an issue.

This seems like a pet project gone wild or something like that.  Somebody 
came up with an elaborate test for a non-issue.

If Declude would have put as much effort into developing a private, and very 
accurate DNS based SPAM test then I would be singing praises.

Just my opinion.
-Joe


Re: [Declude.JunkMail] MTLD test -- Relationship between Viruses and Spam

2004-07-10 Thread Joe Wolf
Jeff, I for one agree with you.  This test seems worse than useless to me. 
To somehow think that an IP address that was previously infected by a virus 
has anything to do with SPAM is beyond me.

Seems like a dangerous test that I want no part of.
-Joe
- Original Message - 
From: "Jeff Pereira" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, July 10, 2004 6:59 PM
Subject: [Declude.JunkMail] MTLD test -- Relationship between Viruses and 
Spam


Forgive me, but I don't really see the rationale that because an IP
address has been flagged as sending viruses that it is also sending
out SPAM.
Can someone enlighten me on this ?
jeff


Re: [Declude.JunkMail] f-prot

2004-05-18 Thread Joe Wolf
Sure looks like a freebie to me.  http://vil.nai.com/vil/virus-4d.asp

Is scan.exe a 32 bit app?

How do you update the pattern files?

Thanks!

- Original Message - 
From: "Nick Hayer" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, May 18, 2004 4:26 PM
Subject: Re: [Declude.JunkMail] f-prot


> On 18 May 2004 at 13:56, Imail Admin wrote:
>
> > I'd like to second this question.  I remember seeing a couple of
> > discussions here where people couldn't agree on which McAfee product
> > to use as the command line scanner with Declude.  And, of course, the
> > online stores always emphasize the Windows-based products.  So exactly
> > which product is it that's needed?
> scan.exe - Mcafee's commandline scanner.
> Here is a link that I just found that has what appears to be a free
> copy:
> http://vil.nai.com/vil/virus-4d.asp
> DAILYSCAN.ZIP contains the scan.exe file.
> [We purchased ours but now maybe it's a freebie..]
>
> -Nick Hayer
>
>
> > Thanks,
> >
> > Ben
> >
> > - Original Message - 
> > From: "John Carter" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Tuesday, May 18, 2004 12:56 PM
> > Subject: RE: [Declude.JunkMail] f-prot
> >
> >
> > > Do you have a CDW product number on this?  Called and they took
> > > forever to come back with $20+
> > >
> > > Thanks,
> > > John
> > >
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Nick Hayer
> > > Sent: Tuesday, May 18, 2004 9:55 AM To: [EMAIL PROTECTED]
> > > Subject: Re: [Declude.JunkMail] f-prot
> > >
> > > On 17 May 2004 at 20:56, Aaron J. Caviglia wrote:
> > >
> > > > Where can we purchase the command line scanner?
> > > Aaron -
> > >
> > > If you are referring to the Mcafee one for $11 - Scott mentioned "My
> > > 1 year McAfee VirusScan Command Line license was $11 through CDW."
> > >
> > > We paid the same thing off of State contract from Insight.
> > >
> > > -Nick Hayer
> > > >
> > > > Thanks,
> > > >
> > > > Aaron Caviglia
> > > >
> > > > On May 17, 2004, at 8:23 PM, Goran Jovanovic wrote:
> > > >
> > > > >> For the latter there is an outstanding request to Scott to kill
> > > > >> additional scanning once a scanner detects a virus..
> > > > >
> > > > > So right now if you use multiple scanners when you scan with
> > > > > ScannerA and it finds a virus Declude will still call ScannerB
> > > > > and have it scan as well?
> > > > >
> > > > > Scott pointed out that his McAfee was only $11.00 for the year
> > > > > > so the price barrier is "non-existent" and I see from your and
> > > > > Scott's responses that there are indeed reasons to have more
> > > > > than one scanner.
> > > > >
> > > > > Thank you all
> > > > >
> > > > >  Goran Jovanovic
> > > > >  The LAN Shoppe
> > > > >
> > > > >
> > > > >> -Original Message-
> > > > >> From: [EMAIL PROTECTED]
> > > > >> [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Nick
> > > > >> Hayer Sent: Monday, May 17, 2004 10:03 AM To:
> > > > >> [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail]
> > > > >> f-prot
> > > > >>
> > > > >> On 17 May 2004 at 9:13, Goran Jovanovic wrote:
> > > > >>
> > > > >>> For the folks using multiple scanners, do you have any stats
> > > > >>> on how often the secondary scanner found a virus that the
> > > > >>> first one missed?
> > > > >> Hi Goran,
> > > > >>
> > > > >> Here are my latest stats:
> > > > >> Virus Totals:
> > > > >> 441 F-Prot
> > > > >> 412 AVG
> > > > >> 446 McAfee
> > > > >> -
> > > > > >> Vulnerabilities:
> > > > >> 349
> > > > >> -
> > > > >>
> > > > >> I update the defs for all every 4 hrs on a staggered schedule.
> > > > >> Because of possible false positives I have found it hard to
> > > > >> rank one particular scanner over another. For me the advantage
> > > > >> to have more than one is one [varies] company will always come
> > > > >> out with protection for a new outbreak before another. The
> > > > >> downside is cost and cpu overhead. For the latter there is an
> > > > >> outstanding request to Scott to kill additional scanning once a
> > > > >> scanner detects a virus..
> > > > >>
> > > > >> -Nick Hayer
> > > > >>
> > > > >>
> > > > >>
> > > > >>
> > > > >>>
> > > > >>> I realize that the cost of F-Prot (which I am using) is quite
> > > > >>> low
> > > > > and
> > > > >>> others might be as well, so it is not a cost issue but rather
> > > > >>> a "Do
> > > > > I
> > > > >>> really need it?".
> > > > >>>
> > > > >>> Thanx
> > > > >>>
> > > > >>>
> > > > >>>  Goran Jovanovic
> > > > >>>  The LAN Shoppe
> > > > >>>
> > > > >>>
> > > > >>>
> > > >  -Original Message-
> > > >  From: [EMAIL PROTECTED]
> > > >  [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of
> > > >  Scott Fisher Sent: Monday, May 17, 2004 12:49 AM To:
> > > >  [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail]
> > > >  f-prot
> > > > 
> > > >  I find the Mcafee is the best at de

Re: [Declude.JunkMail] Strange MONKEYFORMMAIL problems

2004-03-23 Thread Joe Wolf
I try to look at the config files on a regular basis, but I have to print
both of them out and compare them side by side to see if Declude has made
any changes.  It would be of great help to me if they would just put a
comment at the top of the file giving the revision date.  I think many
others would be able to tell if they need an update much easier.

Just my two cents.

-Joe

- Original Message - 
From: "Troy D. Hilton" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, March 23, 2004 8:31 AM
Subject: RE: [Declude.JunkMail] Strange MONKEYFORMMAIL problems


> Dude, I didn't know it was dead until my Junkmail started catching all these
> legit emails, and I'm not complaining about it as much as trying to avoid
> this problem in the future. Basically, I just need to do a regular update to
> my global.cfg file. I'm sure the information about the list dying was posted
> to the NG but I obviously missed it.
>
> Troy D. Hilton
> SofWerks LLC.
> [EMAIL PROTECTED]
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Don Brown
> Sent: Monday, March 22, 2004 8:48 PM
> To: [EMAIL PROTECTED]; Troy D. Hilton
> Cc: Declude Junkmail Forum
> Subject: Re: [Declude.JunkMail] Strange MONKEYFORMMAIL problems
>
> No offense, but when you know the list is a dead soldier, why are you
> still trying to use it -- and when it doesn't work -- why are you
> complaining about it here?  Let's move on to something constructive
> and challenging.  Dead puppies aren't very much fun.
>
> Thanks,
>
>
> Monday, March 22, 2004, 1:34:46 PM, Troy D. Hilton <[EMAIL PROTECTED]>
> wrote:
> TDH> Hello All,
>
>
>
> TDH> I know that the MONKEYFORMMAIL and MONKEYPROXIES list are dead and
> TDH> apparently has been for a while but we had a problem last Monday in that
> TDH> hundreds of legitimate emails started getting caught with these lists. I've
> TDH> since disabled the tests in Junkmail. I saw that someone else had a problem
> TDH> with these tests and someone mentioned that these lists had been dead for a
> TDH> while. Can someone please explain why all of a sudden my Junkmail started
> TDH> failing emails with these when these lists had been dead? Also, how do I
> TDH> avoid something like this from happening again?
>
>
>
> TDH> Troy D. Hilton
>
> TDH> SofWerks LLC.
>
> TDH> [EMAIL PROTECTED]
>
> TDH> 302-529-1961
>
>
>
>
>
>
> 
> Don Brown - Dallas, Texas USA Internet Concepts, Inc.
> [EMAIL PROTECTED] http://www.inetconcepts.net
> PGP Key ID: 04C99A55  (972) 788-2364  Fax: (972) 788-5049
> Providing Internet Solutions Worldwide - An eDataWeb Affiliate
> 
>
>



Re: [Declude.JunkMail] Imail nul

2004-02-27 Thread Joe Wolf
Why don't you just create a rule for that user that says something like...
if the header contains "date" delete the message?  You could put any phrase
in there that is in every email message.

-Joe

- Original Message - 
From: "Bennie" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, February 27, 2004 5:01 AM
Subject: Re: [Declude.JunkMail] Imail nul


> Hey Scott,
>
> It was filling up the test mailbox, then it started bouncing again when the
> mail box was full.
> I guess what I am looking for is a way to delete E-mails addressed to
> non-existing accounts rather than having them bounce.
>
> Bennie
>
> - Original Message - 
> From: "R. Scott Perry" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, February 26, 2004 7:57 AM
> Subject: Re: [Declude.JunkMail] Imail nul
>
>
> >
> > >I may be beating a dead horse, but I can't seem to find any threads that
> > >talk about this.
> > >
> > >Back when I first got declude and was using it with my imail system I
> > >setup the following in Imail.
> > >
> > >1) Made a user mailbox: test
> > > made all mail forward to: nul
> > >
> > >2) Set up an Aliases: nobody
> > > made it resolve to: test
> > >
> > >all mail that was not sent to a valid user name will be passed to the
> > >alias "nobody". Which will resolve to "test". As the mail arrives in "test"
> > >it is deleted.
> > >
> > >but when I upgraded my Imail.. this test does not seem to work
> > >anymore.  Very confused. Please help
> >
> >  From what you describe, previously E-mail addressed to non-existent
> > accounts would be deleted.  Now, that doesn't work.  So my question would
> > be where is all that mail going?  Is it going to the test account, but not
> > deleted?  Or is it going somewhere else?
> >
> > -Scott
> > ---
> > Declude JunkMail: The advanced anti-spam solution for IMail mailservers
> > since 2000.
> > Declude Virus: Catches known viruses and is the leader in mailserver
> > vulnerability detection.
> > Find out what you've been missing: Ask for a free 30-day evaluation.
> >
> >
> >
>
>
>



Re: [Declude.JunkMail] Imail nul

2004-02-26 Thread Joe Wolf



I've never tried it, but couldn't you just have the nobody alias resolve to
NUL?

It's an interesting concept that would present at least one solution to the
dictionary attacks.

I might give that a try on one of my stable domains (no deleted users in
years) just to see what it does to the dictionary attacks.  They are the
biggest problem I have.
 
-Joe
 

  - Original Message - 
  From: Bennie
  To: [EMAIL PROTECTED]
  Sent: Thursday, February 26, 2004 5:18 AM
  Subject: [Declude.JunkMail] Imail nul

  Hello all,

  I may be beating a dead horse, but I can't seem to find any threads that
  talk about this.

  Back when I first got declude and was using it with my imail system I setup
  the following in Imail.

  1) Made a user mailbox: test
     made all mail forward to: nul

  2) Set up an Aliases: nobody
     made it resolve to: test

  all mail that was not sent to a valid user name will be passed to the
  alias "nobody". Which will resolve to "test". As the mail arrives in "test"
  it is deleted.

  but when I upgraded my Imail.. this test does not seem to work anymore.
  Very confused. Please help

  Bennie


Re: [Declude.JunkMail] Imail nul

2004-02-26 Thread Joe Wolf
Sandy,

I'm not going to claim to be an email server expert, but here's what I
see... I could be wrong.

When you're hit with a dictionary attack we all know they send to thousands
of addresses at the domain.  If the final delivery address is invalid the
server creates an "Unknown User" (or whatever it's called) message that it
tries to send back to the sender.  If you have high queue retries those
messages sit in the queue for a long time being retried over and over again.
At least that's what appears to be happening to me.

Now if I sent all those attempts to NUL then the server doesn't have to
worry about all the unknown user messages, etc. and the queue will actually
be open to valid traffic.  I don't know if Imail will actually queue a
message going to NUL or not.

I've also noticed that on a couple of domains where the customer has a
nobody alias the dictionary attacks cut off pretty quick.  They don't
attempt to go through the entire alphabet like they do on a domain without a
nobody alias.  I'm guessing that they don't want to waste their time either
on a domain that will accept anything for an address?

Like I said... I could be 100% wrong on this entire matter, but it seems
reasonable.

I'm open to the knowledge of those that know a whole lot more than I do.

-Joe

- Original Message - 
From: "Sanford Whiteman" <[EMAIL PROTECTED]>
To: "Bennie" <[EMAIL PROTECTED]>
Sent: Thursday, February 26, 2004 10:51 AM
Subject: Re: [Declude.JunkMail] Imail nul


> > all  mail  that  was not sent to a valid user name will be passed to
> > the  alias  "nobody".  Which  will  resolve  to  "test". As the mail
> > arrives in "test" it is deleted.
>
> Do you think that it's helping your server's performance to spool mail
> that will never be delivered to a human?
>
> The  'nobody'  alias is the enemy of server integrity and performance.
> Please search the archives--they're down now--for lots of info.
>
> --Sandy
>
>
> 
> Sanford Whiteman, Chief Technologist
> Broadleaf Systems, a division of
> Cypress Integrated Systems, Inc.
> e-mail: [EMAIL PROTECTED]
>
> SpamAssassin plugs into Declude!
> http://www.mailmage.com/download/software/freeutils/SPAMC32/Release/
>
>



Re: [Declude.JunkMail] Imail nul

2004-02-26 Thread Joe Wolf



OK, I'm convinced.  Whoever posted it made me think it might be a method to
try.  I yield to those with superior knowledge.
 
-Joe

  - Original Message - 
  From: Matt
  To: [EMAIL PROTECTED]
  Sent: Thursday, February 26, 2004 2:39 PM
  Subject: Re: [Declude.JunkMail] Imail nul

  Someone recently experienced a situation where a spammer distributed a list
  of nonexistent addresses and totally hammered a domain with them.  It seems
  that not all spammers care about the purity of their data and an accepted
  message may get that address on their list, even if you accepted thousands
  of them.  If this wasn't the case, your point would make more sense, and I
  had contemplated this myself.

  I don't use nobody aliases now, I just let the messages bounce back, and
  this way legitimate senders will get their E-mails returned when
  unaddressable.  In the future there will likely be a method of detecting and
  stopping a dictionary attack, but for smaller domains, these attacks seem
  limited to only a list of a few hundred or thousand generic addresses.

  Matt

  Joe Wolf wrote:
  Sandy,

I'm not going to claim to be an email server expert, but here's what I
see... I could be wrong.

When you're hit with a dictionary attack we all know they send to thousands
of addresses at the domain.  If the final delivery address is invalid the
server creates an "Unknown User" (or whatever it's called) message that it
tries to send back to the sender.  If you have high queue retries those
messages sit in the queue for a long time being retried over and over again.
At least that's what appears to be happening to me.

Now if I sent all those attempts to NUL then the server doesn't have to
worry about all the unknown user messages, etc. and the queue will actually
be open to valid traffic.  I don't know if Imail will actually queue a
message going to NUL or not.

I've also noticed that on a couple of domains where the customer has a
nobody alias the dictionary attacks cut off pretty quick.  They don't
attempt to go through the entire alphabet like they do on a domain without a
nobody alias.  I'm guessing that they don't want to waste their time either
on a domain that will accept anything for an address?

Like I said... I could be 100% wrong on this entire matter, but it seems
reasonable.

I'm open to the knowledge of those that know a whole lot more than I do.

-Joe

- Original Message - 
From: "Sanford Whiteman" <[EMAIL PROTECTED]>
To: "Bennie" <[EMAIL PROTECTED]>
Sent: Thursday, February 26, 2004 10:51 AM
Subject: Re: [Declude.JunkMail] Imail nul


  

  all  mail  that  was not sent to a valid user name will be passed to
the  alias  "nobody".  Which  will  resolve  to  "test". As the mail
arrives in "test" it is deleted.
  Do you think that it's helping your server's performance to spool mail
that will never be delivered to a human?

The  'nobody'  alias is the enemy of server integrity and performance.
Please search the archives--they're down now--for lots of info.

--Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
http://www.mailmage.com/download/software/freeutils/SPAMC32/Release/



  -- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


Re: [Declude.JunkMail] JunkMail User Friendly Interface

2004-02-07 Thread Joe Wolf
I second that opinion.  On our production servers we outsource to Postini
and that setup works great.  I only host about 50 domains on my Imail server
and prefer not to run them through Postini for a variety of reasons.  The
idea of having a user control panel would make my life easier.  I'm to the
point of holding all Weight 20's and above, but I have to go digging for a
message or two every week for a customer.

Seems like the back end is already built.  Someone with some skills could
probably come up with a user front end of some kind (biggest problem that
comes to my mind is that there's no real web server on an Imail box.  I
don't know if you could use the Ipswitch features or not.)

-Joe

- Original Message - 
From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, February 07, 2004 10:16 AM
Subject: [Declude.JunkMail] JunkMail User Friendly Interface


> Lately the amount of spam we've been receiving has at least tripled and we'd
> like to update to JunkMail Pro in order to allow the end users to control
> their anti-spam settings.
>
> A while back there was a bunch of talk about user interfaces for JunkMail
> Pro so that users could control their own levels of Spam scanning.  Are there
> any of these available?
>
> Thanks,
>
> Mike Achenbach - HostMaster
> 4BusinessHosting.Com - Powerful Hosting @ Affordable Prices
> 207-247-2316 (Sales & Support)
> 207-247-2716 (Fax)
>
>


Re: Re[4]: [Declude.JunkMail] How do they do it?

2004-02-07 Thread Joe Wolf
Your experience agrees with what the Black Ice tech told me.

Perhaps this will be a duplicate question, but I'll address it to Scott...
why can't JunkMail identify and stop dictionary attacks?  It would seem like
stopping dictionary attacks would be a primary function of anti-spam
software.

Is this planned, or even possible with future versions of JunkMail?

I'm convinced that the Black Ice is not the solution for this problem.

Thanks for all the opinions!

-Joe

- Original Message - 
From: "Terry Fritts" <[EMAIL PROTECTED]>
To: "Joe Wolf" <[EMAIL PROTECTED]>
Sent: Saturday, February 07, 2004 6:00 AM
Subject: Re[4]: [Declude.JunkMail] How do they do it?


> > I do know that his bottom line was that Black Ice wouldn't do what I
> > wanted, but he did try and sell me on the firewall and intrusion
> > detection features.
>
>   I have written on this previously. Black Ice does not stop
>   dictionary attacks per se. It does test errors returned from Imail
>   and if the number exceeds its threshold (maximum errors returned)
>   then it will temporarily blacklist the IP address. This is only
>   slightly better than nothing at all. Imail apparently reports these
>   either after the SMTP session or after some unknown interval or
>   event. I've watched one dictionary attack hit more than 4,000 rcpt
>   to errors without Black Ice being triggered.
>
>   Just for the record I wrote a program which tailed the log file
>   looking for rcpt to errors and would automatically then add the
>   offending IP address to the Imail ACL. However, there were many
>   problems with this. Just as with Black Ice the error information is
>   just not available from Imail rapidly enough, i.e., the log files
>   represent history. So I finally stopped it because it was more
>   trouble than it was help.
>
>   We also began having "0x0008 Double Fault" errors which I
>   believed had something to do with Black Ice.  I turned it off and
>   have never had another error since.
>
>   This should be addressed inside the SMTP dialogue.
>
>
>   Terry Fritts
>
>
>
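
The point made in the message above, that recipient errors should be acted on inside the SMTP dialogue rather than from logs after the fact, sketched as an added example (not code from Declude, IMail or Black Ice). The class name, thresholds, reply texts and all traffic are assumptions constructed for illustration; the per-session limit of 10 echoes the "10 attempts" figure mentioned elsewhere in this thread.

```python
from collections import defaultdict, deque

# All limits below are assumed values for the sketch, not product defaults.
MAX_BAD_PER_SESSION = 10   # rejected RCPT TOs tolerated in one connection
MAX_BAD_PER_IP = 30        # rejected RCPT TOs tolerated per IP inside the window
WINDOW_SECONDS = 600       # look-back window for the per-IP count
BLOCK_SECONDS = 3600       # how long an offending IP is refused


class RcptGuard:
    """Counts unknown-recipient rejections while the SMTP session is live."""

    def __init__(self, valid_recipients):
        self.valid = {r.lower() for r in valid_recipients}
        self.bad_by_ip = defaultdict(deque)   # ip -> timestamps of rejections
        self.blocked_until = {}               # ip -> time the block expires

    def connect(self, ip, now):
        """Return session state, or None while the IP is temporarily blocked."""
        if self.blocked_until.get(ip, 0) > now:
            return None
        return {"ip": ip, "bad": 0}

    def rcpt_to(self, session, address, now):
        """Return the SMTP reply for one RCPT TO command."""
        if address.lower() in self.valid:
            return "250 OK"
        ip = session["ip"]
        session["bad"] += 1
        stamps = self.bad_by_ip[ip]
        stamps.append(now)
        # Forget rejections that have aged out of the window.
        while stamps and stamps[0] <= now - WINDOW_SECONDS:
            stamps.popleft()
        if session["bad"] >= MAX_BAD_PER_SESSION or len(stamps) >= MAX_BAD_PER_IP:
            self.blocked_until[ip] = now + BLOCK_SECONDS
            return "421 Too many unknown recipients, closing connection"
        return "550 Unknown user"


def run_session(guard, ip, recipients, start):
    """Feed one constructed session (one command per second) to the guard."""
    session = guard.connect(ip, start)
    if session is None:
        return ["554 connection refused"]
    replies = []
    for offset, rcpt in enumerate(recipients):
        reply = guard.rcpt_to(session, rcpt, start + offset)
        replies.append(reply)
        if reply.startswith("421"):
            break   # the server drops the connection here
    return replies


def simulate():
    """Constructed traffic: a bulk guesser, a legitimate sender, a slow guesser."""
    guard = RcptGuard(["joe@example.com", "sales@example.com"])
    out = {}

    # One connection trying thousands of guessed local parts.
    guesses = [f"guess{i}@example.com" for i in range(4000)]
    out["bulk"] = run_session(guard, "192.0.2.10", guesses, start=0)
    out["bulk_retry"] = run_session(guard, "192.0.2.10", guesses, start=60)

    # A real sender with one mistyped address is not penalised.
    out["legit"] = run_session(
        guard, "198.51.100.7",
        ["joe@example.com", "jo@example.com", "sales@example.com"], start=10)

    # Five guesses per connection stays under the session limit; the per-IP
    # window is what catches it.
    out["slow_blocked_at_session"] = None
    for k in range(10):
        batch = [f"slow{k}-{j}@example.com" for j in range(5)]
        replies = run_session(guard, "203.0.113.5", batch, start=k * 60)
        if replies[-1].startswith("421"):
            out["slow_blocked_at_session"] = k + 1
            break
    return out


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, value if not isinstance(value, list) else value[-3:])
```

Because the counter is updated as each RCPT TO is answered, the bulk run is cut off at the tenth rejection instead of after thousands, which is the gap the log-tailing approach described above could not close.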



Re: Re[2]: [Declude.JunkMail] How do they do it?

2004-02-06 Thread Joe Wolf
Sandy,

I asked about that exact issue.  He said that it would be pointless to run
Black Ice on the backup spoolers because they will accept all addresses of a
dictionary attack.  No errors are reported.  The errors come in when the
backup spooler forwards the messages to the primary server and those
transactions must be whitelisted.

He seemed to be pretty knowledgeable and knew of Imail.

I'm not the expert on this subject and it's possible I didn't properly
report what he meant.  I do know that his bottom line was that Black Ice
wouldn't do what I wanted, but he did try and sell me on the firewall and
intrusion detection features.  We run pretty good firewalls and lock down
the servers pretty well so I see no reason for a software firewall.

-Joe

- Original Message - 
From: "Sanford Whiteman" <[EMAIL PROTECTED]>
To: "Joe Wolf" <[EMAIL PROTECTED]>
Sent: Friday, February 06, 2004 6:07 PM
Subject: Re[2]: [Declude.JunkMail] How do they do it?


> > He  also had major concerns about backup mail spoolers. He said that
> > you have to whitelist your backup spoolers and that will still allow
> > the spammer to run their dictionary attacks.
>
> Only if the backups don't run BlackIce. :)
>
> But if _they're_ downselling it, that's interesting.
>
> --Sandy
>
>
> 
> Sanford Whiteman, Chief Technologist
> Broadleaf Systems, a division of
> Cypress Integrated Systems, Inc.
> e-mail: [EMAIL PROTECTED]
>
> SpamAssassin plugs into Declude!
> http://www.mailmage.com/download/software/freeutils/SPAMC32/Release/
>


Re: [Declude.JunkMail] How do they do it?

2004-02-06 Thread Joe Wolf
I called the Black Ice tech support people today and discussed this issue.
They told me that Black Ice will not stop a dictionary attack that is in
progress, but it would shut the spammer down for a second attempt.

He also had major concerns about backup mail spoolers.  He said that you
have to whitelist your backup spoolers and that will still allow the spammer
to run their dictionary attacks.

He didn't think Black Ice was a good product for such use.  He seemed like
he knew what he was talking about.

-Joe

- Original Message - 
From: "Jeff Kratka" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, February 06, 2004 5:17 PM
Subject: RE: [Declude.JunkMail] How do they do it?


> Are there other suggestions for firewall software for the server? Does
> Zonealarm have a server version and if so does it work as well as Black Ice?
>
>
> Jeff Kratka
>
> *
> TymeWyse Internet
> P.O.Box 84 - 110 Ecklund St., Canyonville, OR 97417
> tel/fax: (541) 839-6027  -  [EMAIL PROTECTED]
> *
>


Re: [Declude.JunkMail] How do they do it?

2004-02-06 Thread Joe Wolf
I'm glad that I'm not the only one with these problems!  Not that I like
having the problem, but I thought there must be some kind of undetectable
Trojan on my system letting the spammers know when I add a domain or user.
Misery likes company I guess.

I did happen to talk to DigiHost yesterday and was told that they don't have
any real spam filter, but they do have something in place that prevents
dictionary attacks.  I'm NOT an expert in this field but he was saying that
they only allow 10 attempts so the dictionary attacks don't work.  Is there
a way to make JunkMail do such a thing?  (I really don't even know what I'm
asking about here, but hopefully someone else will).

-Joe

- Original Message - 
From: "Richard Farris" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, February 05, 2004 12:27 PM
Subject: Re: [Declude.JunkMail] How do they do it?


> I had the exact same thing happen to me about 5 months ago..we moved our
> servers to a new location and changed IPs on everything...the spam filter
> broke because I needed a new key for it to work..it was only down about 24
> hrs...and I got bombarded during those hours..but I have been fighting spam
> more aggressively ever since...and my customers noticed a big change also..
> My upline provider offered to put their spam filter (Sublinme) in front of
> mine and all that seemed to do is put less work on my server but the spam is
> still worse than before I made the move...and all that changed were the
> IPs..same Declude...same Sortmonster...same everything...I have been racking
> my brain ever since to figure out why?
>
> Richard Farris
> Ethixs Online
> 1.270.247. Office
> 1.800.548.3877 Tech Support
>
> - Original Message - 
> From: "R. Scott Perry" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, February 05, 2004 9:16 AM
> Subject: Re: [Declude.JunkMail] How do they do it?
>
>
> >
> > >I've had two cases recently where I had hosting customers move their email
> > >services to my Imail/Declude box.  Both moved from a national hosting
> > >company and had no spam protection of any kind on their services.  Both
> > >complained within a week of the move that they're getting bombarded by spam.
> > >Both claim that they didn't receive much spam on their old host.  One had a
> > >mail archive that I was able to look at and there really wasn't much in the
> > >way of spam in there.
> >
> > The only thing that I can think of is that the spammers have access to the
> > zone files (which list all the domains in a TLD and their NS records), and
> > are looking for changes in the NS records, and targeting those domains.
> >
> > Are the spams going to valid user accounts?  Is this a dictionary
> > attack?  My guess is that the hosting company was indeed filtering spam.
> >
> > >How is it that these spammers are hitting these domains when they move to my
> > >box?  I have JunkMail pretty well configured (I think) and they still get
> > >more spam than they did before the move.  Doesn't make sense to me.
> >
> > Could you send me the full headers of several spams that are getting
> > through?  I may be able to get a better idea of what is happening.
> > -Scott
> > ---
> > Declude JunkMail: The advanced anti-spam solution for IMail mailservers
> > since 2000.
> > Declude Virus: Catches known viruses and is the leader in mailserver
> > vulnerability detection.
> > Find out what you've been missing: Ask for a free 30-day evaluation.
> >


Re: [Declude.JunkMail] How do they do it?

2004-02-05 Thread Joe Wolf
Thanks for the reply.

No dictionary attacks that I can see in the logs for these domains, but it's
possible that it happened.

The previous host was DigiHost.  There was no sign of spam filtering and
it's not on their list of features or options.

Will ask one of the customers for permission to post a header.  Gotta keep
inside our Privacy Policy.

Thanks for the quick reply!

-Joe

- Original Message - 
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, February 05, 2004 9:16 AM
Subject: Re: [Declude.JunkMail] How do they do it?


>
> >I've had two cases recently where I had hosting customers move their email
> >services to my Imail/Declude box.  Both moved from a national hosting
> >company and had no spam protection of any kind on their services.  Both
> >complained within a week of the move that they're getting bombarded by spam.
> >Both claim that they didn't receive much spam on their old host.  One had a
> >mail archive that I was able to look at and there really wasn't much in the
> >way of spam in there.
>
> The only thing that I can think of is that the spammers have access to the
> zone files (which list all the domains in a TLD and their NS records), and
> are looking for changes in the NS records, and targeting those domains.
>
> Are the spams going to valid user accounts?  Is this a dictionary
> attack?  My guess is that the hosting company was indeed filtering spam.
>
> >How is it that these spammers are hitting these domains when they move to my
> >box?  I have JunkMail pretty well configured (I think) and they still get
> >more spam than they did before the move.  Doesn't make sense to me.
>
> Could you send me the full headers of several spams that are getting
> through?  I may be able to get a better idea of what is happening.
>
> -Scott
> ---
> Declude JunkMail: The advanced anti-spam solution for IMail mailservers
> since 2000.
> Declude Virus: Catches known viruses and is the leader in mailserver
> vulnerability detection.
> Find out what you've been missing: Ask for a free 30-day evaluation.
>


[Declude.JunkMail] How do they do it?

2004-02-05 Thread Joe Wolf
Perhaps someone here might be able to shed some light on my problem.

I've had two cases recently where I had hosting customers move their email
services to my Imail/Declude box.  Both moved from a national hosting
company and had no spam protection of any kind on their services.  Both
complained within a week of the move that they're getting bombarded by spam.
Both claim that they didn't receive much spam on their old host.  One had a
mail archive that I was able to look at and there really wasn't much in the
way of spam in there.

How is it that these spammers are hitting these domains when they move to my
box?  I have JunkMail pretty well configured (I think) and they still get
more spam than they did before the move.  Doesn't make sense to me.

I have checked my mail server for viruses (three different scanners),
spyware, etc.  Nothing found.  No open relays... ever.

I thought they may be getting info off my DNS servers, but I don't allow
zone transfers.  Nothing unusual in the firewall logs that I can see.

Any idea how this happens?  Anyone else have this problem?

Thanks,
Joe



Re: [Declude.JunkMail] JunkMail config files...

2003-12-16 Thread Joe Wolf
Scott,

Here's the header from a legit message to me that failed SORBS-DUHL.

Received: from SMTP32-FWD by csimo.com
  (SMTP32) id A0298; Tue, 16 Dec 2003 07:11:26 -0600
Received: from SMTP32-FWD by csimo.com
  (SMTP32) id A049C; Tue, 16 Dec 2003 07:11:26 -0600
Received: from brothers [64.251.138.48] by brothersmaytag.com
  (SMTPD32-7.15) id A47B5700112; Tue, 16 Dec 2003 07:11:23 -0600
Message-ID: <[EMAIL PROTECTED]>
From: "Jim Miller" <[EMAIL PROTECTED]>
To: "Joe Wolf" <[EMAIL PROTECTED]>
Subject: Enola Gay Exhibit
Date: Tue, 16 Dec 2003 07:10:28 -0600
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="=_NextPart_000_001D_01C3C3A3.AF2F3CE0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
X-RBL-Warning: SORBS-DUHL: Dynamic IP Address See:
http://www.dnsbl.sorbs.net/cgi-bin/lookup?IP=64.251.138.48
X-Declude-Sender: [EMAIL PROTECTED] [64.251.138.48]
X-Note: This E-mail was scanned for spam.
X-Spam-Tests-Failed: SORBS-DUHL, IPNOTINMX, NOLEGITCONTENT [4]
X-Note: This E-mail was sent from 64-251-138-48-dialup-mo.fidnet.com
([64.251.138.48]).
Status: U
X-UIDL: 355029812

- Original Message - 
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, December 16, 2003 10:55 AM
Subject: Re: [Declude.JunkMail] JunkMail config files...


>
> >I don't know anything about "HOPHIGH".  Mine is set at whatever your default
> >is.
>
> OK, then that isn't a problem.
>
> But it still doesn't explain why you have so much legitimate E-mail failing
> the SORBS-DUHL test.  That's a serious problem.  Could you post the full
> headers of a legitimate E-mail that failed the SORBS-DUHL test?
>
> >So it sounds like you're saying I've done the right thing and not much more
> >to do?
>
> Correct, *if* you are configured correctly.  But many people aren't -- the
> two most common reasons are that they have backup/gateway mailservers that
> Declude JunkMail doesn't know about (in which case the E-mail can't be
> scanned properly), or that they use poor whitelists (such as "WHITELIST
> FROM @my_domain.com" (which whitelists lots of spam) or "WHITELIST FROM
> mail.com" (which whitelists mail from @hotmail.com)).
>
> -Scott
> ---
> Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
> Declude Virus: Catches known viruses and is the leader in mailserver
> vulnerability detection.
> Find out what you've been missing: Ask about our free 30-day evaluation.
>
>
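
The "poor whitelists" warning quoted above, turned into a small audit as an added example (not Declude code). It assumes, as the hotmail.com remark implies, that a `WHITELIST FROM` pattern matches anywhere inside the sender address; the function names, the third whitelist entry and the sample senders are constructed for illustration.

```python
def parse_whitelist(lines):
    """Yield the pattern of each 'WHITELIST FROM <pattern>' line, lower-cased."""
    for line in lines:
        parts = line.split()
        if len(parts) == 3 and [p.upper() for p in parts[:2]] == ["WHITELIST", "FROM"]:
            yield parts[2].lower()


def domain_of(address):
    """Return the part after the last '@' (or the whole string if none)."""
    return address.rsplit("@", 1)[-1].lower()


def audit(lines, local_domains, sample_senders):
    """Flag whitelist entries that trust more mail than the admin intended.

    local-domain: the pattern names a domain hosted on this server. The
                  sender address is unauthenticated, so anyone claiming to
                  write from that domain skips the spam tests.
    overbroad:    under substring matching (an assumption, see lead-in) the
                  pattern also matches senders from unrelated domains.
    """
    local = {d.lower() for d in local_domains}
    findings = []
    for pattern in parse_whitelist(lines):
        pat_domain = domain_of(pattern)
        if pat_domain in local:
            findings.append(("local-domain", pattern, []))
        unintended = [
            s for s in sample_senders
            if pattern in s.lower()
            and domain_of(s) != pat_domain
            and not domain_of(s).endswith("." + pat_domain)
        ]
        if unintended:
            findings.append(("overbroad", pattern, unintended))
    return findings


# Constructed configuration and sender sample.
CONFIG = [
    "WHITELIST FROM @my_domain.com",
    "WHITELIST FROM mail.com",
    "WHITELIST FROM @partner.example",
]
SENDERS = [
    "bob@hotmail.com",
    "alice@mail.com",
    "promo@webmail.com.example",
    "carol@partner.example",
]

if __name__ == "__main__":
    for finding in audit(CONFIG, {"my_domain.com"}, SENDERS):
        print(finding)
```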



Re: [Declude.JunkMail] JunkMail config files...

2003-12-16 Thread Joe Wolf
Scott,

I'm not looking at the file right now, but all I do is change the Weight 10
and 20 from Warn to Subject "Spam:" or whatever the correct syntax is.  The
result is that the message is sent on with the subject prefix of SPAM:
added.  That's all I want to do.  Then it's up to the user if they want to
delete it or whatever.

I don't know anything about "HOPHIGH".  Mine is set at whatever your default
is.

So it sounds like you're saying I've done the right thing and not much more
to do?

-Joe

- Original Message - 
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, December 16, 2003 9:40 AM
Subject: Re: [Declude.JunkMail] JunkMail config files...


>
> >I have installed the latest files... I try and keep up with them.  I think
> >the only changes I make are on the Weight 10 and 20 and I change the
> >subject.  I look at the headers on a bunch of the spam messages that come
> >thru and most fail SORBS-DUHL, but then I see that many legit messages do as
> >well.
>
> Are you using a HOPHIGH setting in your global.cfg file?  If so, that would
> account for it.  In that case, you can rename the test to SORBS-DUL, in
> which case Declude JunkMail will bypass it for inappropriate IPs.
>
> >I have to admit that I've never taken the time to look at this very much.  I
> >had hoped that someone had come up with a good config that I could use
> >without making learning about all these spam databases part of my life.
>
> Well, it sounds like you want to make it part of your life.  :)
>
> I would guess that about 80% of our customers are simply using the default
> config files and blocking on WEIGHT20 or WEIGHT10.  If you have everything
> set up correctly, that should capture a significant amount of spam.  If you
> were blocking 60% of spam using an old config file, you should see much
> better results with the latest config file.
>
> So, it's time to determine if the spam capture ratio is good enough.  If it
> is, sit back and let Declude JunkMail do its thing.  If not, you should
> first determine if there is a configuration problem.  If so, it needs to be
> fixed; otherwise, time will need to be spent learning about ways to improve
> the spam detection.
>
> >My goal is to give my mail users the ability to filter out most spam based
> >on the subject line of the message.
>
> Do you mean that you want to filter spam based on the subject line that the
> spammer used (in which case you're choosing to spend a lot of time dealing
> with spam on your own, rather than using existing tools -- and you would
> need to explain *why* you want to do it this way), or do you mean that you
> want to filter spam based on subject modifications that Declude JunkMail
> makes (such as "WEIGHT20 SUBJECT Spam:")?
>
> >The default config files do nothing toward that goal and I have to make
> >changes.
>
> The default config files intentionally do not take any action on spam,
> because everyone's needs are different.  However, changing "WEIGHT20 WARN"
> to "WEIGHT20 SUBJECT Spam:" is very simple, so I'm assuming you are wanting
> to do subject filtering on your own.
>
> So my question becomes, "Why do you want to filter based on the subject?"
>
> >If I change all the warn's, to subject changes then it seems that most
> >every message would be marked as
> >spam.  There has to be a good medium in there, but I sure don't want to make
> >it my life's work to find it.
>
> AH!  I think I understand now.
>
> Our recommendation for several years now has been to use the default
> configuration file, and then block E-mail based on either the WEIGHT20 or
> WEIGHT10 tests.  So in this case, you would just change the "WEIGHT20 WARN"
> to "WEIGHT20 SUBJECT Spam:".
>
> We do NOT recommend blocking on all tests.  For most of our customers, only
> blocking on the weight tests works very well.
>
> -Scott
> ---
> Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
> Declude Virus: Catches known viruses and is the leader in mailserver
> vulnerability detection.
> Find out what you've been missing: Ask about our free 30-day evaluation.
>


Re: [Declude.JunkMail] JunkMail config files...

2003-12-16 Thread Joe Wolf
Scott,

I have installed the latest files... I try and keep up with them.  I think
the only changes I make are on the Weight 10 and 20 and I change the
subject.  I look at the headers on a bunch of the spam messages that come
thru and most fail SORBS-DUHL, but then I see that many legit messages do as
well.  I see many fail SPAMCOP that get thru, but again I don't know how
many legit messages fail that test.  I can't spend hours looking at message
headers.

I have to admit that I've never taken the time to look at this very much.  I
had hoped that someone had come up with a good config that I could use
without making learning about all these spam databases part of my life.

My goal is to give my mail users the ability to filter out most spam based
on the subject line of the message.  The default config files do nothing
toward that goal and I have to make changes.  If I change all the warns to
subject changes then it seems that most every message would be marked as
spam.  There has to be a good medium in there, but I sure don't want to make
it my life's work to find it.

Thanks for your suggestions,
Joe

- Original Message - 
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, December 16, 2003 8:10 AM
Subject: Re: [Declude.JunkMail] JunkMail config files...


>
> >I have been using JunkMail Pro for about a year.  I only make minor changes
> >to the standard config files because I've never had the time to learn about
> >all the ever changing spam tests, etc.  The only action I take on spam is to
> >prefix the subject with "SPAM:" and send it on to the user for their
> >consideration.  Right now I probably only catch 60% of the spam messages due
> >to the poor way my files are configed.
> >
> >Is anyone willing to share with me (or others on the list in my situation) a
> >good set of config files that are effective at catching spam but not too
> >many false positives on legit email?
>
> The first thing you should do is download the latest
> \IMail\Declude\global.cfg file from
> http://www.declude.com/junkmail/manual.htm .  Since August, there have been
> a lot of changes to the spam tests that are likely accounting for the very
> poor capture rate you are seeing (a number of tests were killed off by
> spammers, and there are some new tests).
>
> -Scott
> ---
> Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
> Declude Virus: Catches known viruses and is the leader in mailserver
> vulnerability detection.
> Find out what you've been missing: Ask about our free 30-day evaluation.
>


[Declude.JunkMail] JunkMail config files...

2003-12-16 Thread Joe Wolf
I have been using JunkMail Pro for about a year.  I only make minor changes
to the standard config files because I've never had the time to learn about
all the ever changing spam tests, etc.  The only action I take on spam is to
prefix the subject with "SPAM:" and send it on to the user for their
consideration.  Right now I probably only catch 60% of the spam messages due
to the poor way my files are configed.

Is anyone willing to share with me (or others on the list in my situation) a
good set of config files that are effective at catching spam but not too
many false positives on legit email?

Thanks very much,
-Joe



[Declude.JunkMail] Postini type interface for JunkMail?

2002-11-08 Thread Joe Wolf / CompuService
Has anyone tried to build an interface for JunkMail that allows users or
domains to set their own junk mail settings?  The Postini interface seems
easy enough and there should be a way to translate that to JunkMail.

Just a thought.

-Joe




Re: [Declude.JunkMail] Two JunkMail questions please...

2002-11-04 Thread Joe Wolf / CompuService
Everyone thanks for the replies.  I did take a look at the overflow
directory and it was empty.  I cleaned out the spool directory and offloaded
all outbound to our production servers.  We'll see how this works out before
digging in too far.

This server has a dedicated T1 and is saturated some of the time.  On busy
days it sends 100,000 messages out, but on average only about half of that.
The CPU load stays at about 30 - 35%, but that's all.   It should now send
everything to our production machines and should keep nothing in the queue.
I hope that solves it.

Thanks again,

Joe
- Original Message -
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, November 04, 2002 11:13 AM
Subject: Re: [Declude.JunkMail] Two JunkMail questions please...


>
> >#2  My mail server does quite a bit of list serving.  I've noticed that
> >since I installed JunkMail my server is running further and further behind.
> >I've gone from nearly immediate delivery of messages to nearly an hour
> >behind.  Is the Declude replacement to the Ipswitch mail handler that much
> >more inefficient, or does JunkMail just take a lot more processing?  My CPU
> >utilization chart is not too high, but it takes so long to process messages.
>
> The only thing that I can think of is that you're already close to the
> limits of your server.
>
> Declude JunkMail only scans mailing list messages once (when they come in),
> and can actually improve delivery time.  I'm guessing that the extra
> overhead of spam scanning (which isn't that much, BTW) is pushing you to
> the point where the delays are occurring.
>
> When the mail is slow in being delivered, do you see lots of files in the
> \IMail\spool\overflow directory?
> -Scott
>



[Declude.JunkMail] Two JunkMail questions please...

2002-11-04 Thread Joe Wolf / CompuService
First, I'm still a newbie to JunkMail so forgive my ignorance.  Two issues to
cover:

#1 I am basically using the default settings for JunkMail.  I have had a
few valid messages marked as spam, but I still get quite a bit of spam thru
that I wish to get rid of.  Does anyone have a template, or suggestion on
what settings work the best for JunkMail?  I know that I can customize
anything I want, but at the same time I don't want to make it my life to
investigate which database is best, etc.  Any help would be appreciated.

#2 My mail server does quite a bit of list serving.  I've noticed that
since I installed JunkMail my server is running further and further behind.
I've gone from nearly immediate delivery of messages to nearly an hour
behind.  Is the Declude replacement to the Ipswitch mail handler that much
more inefficient, or does JunkMail just take a lot more processing?  My CPU
utilization chart is not too high, but it takes so long to process messages.

Thanks,
Joe




Re: [Declude.JunkMail] Can I bounce message based on...

2002-10-31 Thread Joe Wolf / CompuService
I can certainly take the whitelist off in the global file, but how would I
implement the search?  I could easily turn off the rest of the tests for
that domain.

-Joe

- Original Message -
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, October 31, 2002 7:40 AM
Subject: Re: [Declude.JunkMail] Can I bounce message based on...


>
> >I have the PRO version, and currently the domain that has the list is
> >whitelisted.  I would like to somehow make a rule in JunkMail that would
> >send a specific bounce message if the incoming list message requests a read
> >receipt.  The bounce message would have to be unique for that domain.
>
> Unfortunately, it can't be done in this case.  Whitelisting E-mail was
> designed to be a last resort to get mail through, and it can't be
> undone.  It will always take priority over everything else.
>
> If the E-mail wasn't whitelisted, you could have a filter that would search
> for the return receipt header, and then would bounce the message.  I kind
> of like that idea.
> -Scott
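The ordering issue discussed in this message, as an added Python sketch (not Declude filter syntax and not code from the list): a check for receipt-request headers only takes effect if it runs before the whitelist short-circuits processing. The domain names, bounce text, and function names are assumptions made for the illustration.

```python
from email import message_from_string

# Headers by which a sender asks for a read or delivery receipt.
RECEIPT_HEADERS = ("Disposition-Notification-To", "Return-Receipt-To",
                   "X-Confirm-Reading-To")

# Assumed, constructed policy data (not from the thread).
WHITELISTED_DOMAINS = {"lists.example.com"}
BOUNCE_TEXT = {
    "lists.example.com": "This list does not accept messages that request "
                         "a read receipt. Turn the option off and resend.",
}

def receipt_headers(raw_message):
    """Return the receipt-request headers present with a non-empty value."""
    msg = message_from_string(raw_message)
    return [h for h in RECEIPT_HEADERS if (msg.get(h) or "").strip()]

def decide(raw_message, recipient, whitelist_first):
    """Return (action, bounce_text) for one message to one recipient."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if whitelist_first and domain in WHITELISTED_DOMAINS:
        return ("deliver", None)  # whitelist wins; the filter never runs
    if domain in BOUNCE_TEXT and receipt_headers(raw_message):
        return ("bounce", BOUNCE_TEXT[domain])
    return ("deliver", None)

# Constructed sample message; the header name match is case-insensitive.
SAMPLE = (
    "From: member@example.org\n"
    "To: list@lists.example.com\n"
    "Subject: hello\n"
    "disposition-notification-to: member@example.org\n"
    "\n"
    "Body text mentioning Return-Receipt-To: is not a header.\n"
)

if __name__ == "__main__":
    print(decide(SAMPLE, "list@lists.example.com", whitelist_first=True))
    print(decide(SAMPLE, "list@lists.example.com", whitelist_first=False))
```

Only real headers are matched, so a body line that mentions a receipt header does not trigger the bounce.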



[Declude.JunkMail] Can I bounce message based on...

2002-10-30 Thread Joe Wolf / CompuService
This is a strange request I'm sure, and I'm a newbie to Declude JunkMail.  I
run a list on Imail 7.13 and I dislike the users who send messages to the
list that request a return or read receipt.  I get hundreds of return
receipts, etc.   Since messages sent to a list on Imail are sent to a
program alias none of the incoming rules work properly, including the "list"
rules.  The alias apparently has a higher priority than the rules.  So now I
think about JunkMail since it is a pre-processor to Imail.

I have the PRO version, and currently the domain that has the list is
whitelisted.  I would like to somehow make a rule in JunkMail that would
send a specific bounce message if the incoming list message requests a read
receipt.  The bounce message would have to be unique for that domain.

Any suggestions?

Thanks,
Joe
