RE: [Declude.JunkMail] How do they do it?
One problem we've recently had is that a mail server we were trying to send messages to would die intermittently.. Came to discover there were filters on their router that when a certain "incident" happened, it blocked everything from that computer IP for 4 hours.. Maybe this is something you'd like to look into..

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Friday, February 06, 2004 7:10 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] How do they do it?

I have no practical solution but you would need something that parses your SMTP logfile in realtime (like unixtool's tail or the new baretail) and track occurrences of "invalid user" messages. If there are more than X connection attempts from one single IP in Y minutes causing an invalid user log entry this IP (or at least port 25 from this IP) should be blocked immediately for Z minutes.

Blocking the IP in Imail is problematic because you have to restart the service every time the IP-list is updated. I don't know if some SW firewalls like BlackIce or ZoneAlarm allow external updates for IP-filter tables. Maybe there is also some HW appliance that can do this. Filtering by IP in declude junkmail is too late because this will not block the connection attempts.

Are you sure these joe jobs are the real reason why the amount of spam seems to increase after you transfer the domain to your own server? What registrar do you use? There was an interesting argument on this list some days ago about certain registrars that seem to be here specially for spammers. Or are you inserting your clients email address in the whois information after during transfer?

Markus

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] How do they do it?
I have no practical solution but you would need something that parses your SMTP logfile in realtime (like unixtool's tail or the new baretail) and track occurrences of "invalid user" messages. If there are more than X connection attempts from one single IP in Y minutes causing an invalid user log entry this IP (or at least port 25 from this IP) should be blocked immediately for Z minutes.

Blocking the IP in Imail is problematic because you have to restart the service every time the IP-list is updated. I don't know if some SW firewalls like BlackIce or ZoneAlarm allow external updates for IP-filter tables. Maybe there is also some HW appliance that can do this. Filtering by IP in declude junkmail is too late because this will not block the connection attempts.

Are you sure these joe jobs are the real reason why the amount of spam seems to increase after you transfer the domain to your own server? What registrar do you use? There was an interesting argument on this list some days ago about certain registrars that seem to be here specially for spammers. Or are you inserting your clients email address in the whois information after during transfer?

Markus

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Joe Wolf
> Sent: Saturday, February 07, 2004 12:39 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] How do they do it?
>
> I called the Black Ice tech support people today and
> discussed this issue.
> They told me that Black Ice will not stop a dictionary attack
> that is in progress, but it would shut the spammer down for a
> second attempt.
>
> He also had major concerns about backup mail spoolers. He
> said that you have to whitelist your backup spoolers and that
> will still allow the spammer to run their dictionary attacks.
>
> He didn't think Black Ice was a good product for such use.
> He seemed like he knew what he was talking about.
>
> -Joe
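The X/Y/Z rule Markus describes above, as an added example (not code from the thread, Declude or IMail): a per-IP sliding-window counter over "invalid user" log entries that yields timed block decisions. The log line layout, the sample addresses and the `scan` helper are constructed for illustration; pushing the decision to a firewall is left to the caller.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log layout (NOT IMail's real format): "<date> <time> <ip> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<msg>.*)$"
)
TS_FMT = "%Y-%m-%d %H:%M:%S"


class DictionaryAttackDetector:
    """Block an IP after more than X invalid-user hits within Y, for Z."""

    def __init__(self, max_invalid, window, block_for, allowlist=()):
        self.max_invalid = max_invalid    # X: tolerated hits inside the window
        self.window = window              # Y: sliding window (timedelta)
        self.block_for = block_for        # Z: block duration (timedelta)
        self.allowlist = set(allowlist)   # e.g. backup mail spoolers
        self.hits = defaultdict(deque)    # ip -> timestamps of recent hits
        self.blocked_until = {}           # ip -> time the block expires

    def is_blocked(self, ip, now):
        expiry = self.blocked_until.get(ip)
        if expiry is None:
            return False
        if now >= expiry:                 # block has run out: forget it
            del self.blocked_until[ip]
            return False
        return True

    def feed(self, line):
        """Process one log line; return (ip, blocked_until) or None."""
        m = LINE_RE.match(line.strip())
        if not m or "invalid user" not in m.group("msg").lower():
            return None
        ip = m.group("ip")
        now = datetime.strptime(m.group("ts"), TS_FMT)
        if ip in self.allowlist or self.is_blocked(ip, now):
            return None
        recent = self.hits[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()              # drop hits older than Y
        if len(recent) > self.max_invalid:
            until = now + self.block_for
            self.blocked_until[ip] = until
            recent.clear()                # start fresh after the block
            return (ip, until)
        return None


# Constructed sample log; all addresses are documentation ranges (RFC 5737).
# 203.0.113.7 = fast guesser, 192.0.2.25 = backup spooler relaying guesses,
# 198.51.100.20 = sender with a few stale addresses spread over time.
SAMPLE_LOG = """\
2004-02-06 19:00:01 203.0.113.7 RCPT TO:<aaron@example.com> rejected: invalid user
2004-02-06 19:00:02 203.0.113.7 RCPT TO:<abby@example.com> rejected: invalid user
2004-02-06 19:00:03 198.51.100.20 RCPT TO:<sales@example.com> accepted
2004-02-06 19:00:04 203.0.113.7 RCPT TO:<adam@example.com> rejected: invalid user
2004-02-06 19:00:05 192.0.2.25 RCPT TO:<aaron@example.com> rejected: invalid user
2004-02-06 19:00:06 192.0.2.25 RCPT TO:<abby@example.com> rejected: invalid user
2004-02-06 19:00:07 192.0.2.25 RCPT TO:<adam@example.com> rejected: invalid user
2004-02-06 19:00:08 192.0.2.25 RCPT TO:<alan@example.com> rejected: invalid user
2004-02-06 19:00:09 203.0.113.7 RCPT TO:<alan@example.com> rejected: invalid user
2004-02-06 19:00:10 203.0.113.7 RCPT TO:<alex@example.com> rejected: invalid user
2004-02-06 19:05:00 198.51.100.20 RCPT TO:<jon@example.com> rejected: invalid user
2004-02-06 19:12:00 198.51.100.20 RCPT TO:<kim@example.com> rejected: invalid user
2004-02-06 19:19:00 198.51.100.20 RCPT TO:<lee@example.com> rejected: invalid user
2004-02-06 19:26:00 198.51.100.20 RCPT TO:<max@example.com> rejected: invalid user
2004-02-06 19:31:00 203.0.113.7 RCPT TO:<amy@example.com> rejected: invalid user
"""


def scan(log_text, max_invalid=3, window_min=5, block_min=30, allowlist=()):
    """Replay a log and return [(ip, blocked_until_string), ...]."""
    det = DictionaryAttackDetector(
        max_invalid,
        timedelta(minutes=window_min),
        timedelta(minutes=block_min),
        allowlist,
    )
    decisions = []
    for line in log_text.splitlines():
        hit = det.feed(line)
        if hit:
            ip, until = hit
            decisions.append((ip, until.strftime(TS_FMT)))
    return decisions


if __name__ == "__main__":
    for ip, until in scan(SAMPLE_LOG, allowlist={"192.0.2.25"}):
        print(f"block {ip} on port 25 until {until}")
```

With the spooler allowlisted, its relayed guesses are never counted, which is the gap the Black Ice support engineer raised in Joe's message; running `scan(SAMPLE_LOG)` without the allowlist shows the spooler crossing the threshold as well.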
RE: [Declude.JunkMail] How do they do it?
It's funny but when I do a search for "dictionary" on their site to see how to configure black ice to guard against dictionary attacks or how it does I get no results. Can any user of Black Ice point me in the right direction here??

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jeff Kratka
Sent: Friday, February 06, 2004 03:01 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] How do they do it?

For a firewall, would the regular version of Blackice work ok or is the Server version needed.

Jeff Kratka

*
TymeWyse Internet
P.O.Box 84 - 110 Ecklund St., Canyonville, OR 97417
tel/fax: (541) 839-6027 - [EMAIL PROTECTED]
*

One product that people have talked highly of has been Blackice for blocking dictionary attacks.

Regards,
Kami
Re: [Declude.JunkMail] How do they do it?
I called the Black Ice tech support people today and discussed this issue. They told me that Black Ice will not stop a dictionary attack that is in progress, but it would shut the spammer down for a second attempt.

He also had major concerns about backup mail spoolers. He said that you have to whitelist your backup spoolers and that will still allow the spammer to run their dictionary attacks.

He didn't think Black Ice was a good product for such use. He seemed like he knew what he was talking about.

-Joe

----- Original Message -----
From: "Jeff Kratka" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, February 06, 2004 5:17 PM
Subject: RE: [Declude.JunkMail] How do they do it?

> Are there other suggestions for firewall software for the server? Does
> Zonealarm have a server version and if so does it work as well as Black Ice?
>
> Jeff Kratka
>
> *
> TymeWyse Internet
> P.O.Box 84 - 110 Ecklund St., Canyonville, OR 97417
> tel/fax: (541) 839-6027 - [EMAIL PROTECTED]
> *
RE: [Declude.JunkMail] How do they do it?
Rick,

I read the "BlackIce" User Guide and various other manuals to see if I want to pursue this software. Which feature/setting blocks Dictionary SMTP attacks? I can't seem to find any setting specific to this?

Best Regards
Andy Schmidt

H&M Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846

Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

http://www.HM-Software.com/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Klinge
Sent: Friday, February 06, 2004 03:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] How do they do it?

Server version: http://blackice.iss.net/product_server_protection.php

~Rick

> For a firewall, would the regular version of Blackice work ok
> or is the Server version needed.

___
Virus Scanned and Filtered by http://www.FamHost.com E-Mail System.
RE: [Declude.JunkMail] How do they do it?
Are there other suggestions for firewall software for the server? Does Zonealarm have a server version and if so does it work as well as Black Ice?

Jeff Kratka

*
TymeWyse Internet
P.O.Box 84 - 110 Ecklund St., Canyonville, OR 97417
tel/fax: (541) 839-6027 - [EMAIL PROTECTED]
*
RE: [Declude.JunkMail] How do they do it?
> For a firewall, would the regular version of Blackice work ok
> or is the Server version needed.

My understanding is that BlackIce Server is the one that is required to help with dictionary attacks (since it deals with malicious inbound mail connections, which normally are not a problem with individual users).

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.
RE: [Declude.JunkMail] How do they do it?
Server version: http://blackice.iss.net/product_server_protection.php

~Rick

> For a firewall, would the regular version of Blackice work ok
> or is the Server version needed.

___
Virus Scanned and Filtered by http://www.FamHost.com E-Mail System.
RE: [Declude.JunkMail] How do they do it?
For a firewall, would the regular version of Blackice work ok or is the Server version needed.

Jeff Kratka

*
TymeWyse Internet
P.O.Box 84 - 110 Ecklund St., Canyonville, OR 97417
tel/fax: (541) 839-6027 - [EMAIL PROTECTED]
*

One product that people have talked highly of has been Blackice for blocking dictionary attacks.

Regards,
Kami
RE: [Declude.JunkMail] How do they do it?
"I did happen to talk to DigiHost yesterday and was told that they don't have any real spam filter, but they do have something in place that prevents dictionary attacks."

Joe..

Check the archives on the topic of Dictionary attacks.. It has been covered in detail many times.

One product that people have talked highly of has been Blackice for blocking dictionary attacks.

Regards,
Kami
Re: [Declude.JunkMail] How do they do it?
I'm glad that I'm not the only one with these problems! Not that I like having the problem, but I thought there must be some kind of undetectable Trojan on my system letting the spammers know when I add a domain or user. Misery likes company I guess.

I did happen to talk to DigiHost yesterday and was told that they don't have any real spam filter, but they do have something in place that prevents dictionary attacks. I'm NOT an expert in this field but he was saying that they only allow 10 attempts so the dictionary attacks don't work.

Is there a way to make JunkMail do such a thing? (I really don't even know what I'm asking about here, but hopefully someone else will).

-Joe

----- Original Message -----
From: "Richard Farris" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, February 05, 2004 12:27 PM
Subject: Re: [Declude.JunkMail] How do they do it?

> I had the exact same thing happen to me about 5 months ago..we moved our
> servers to a new location and changed IPs on everything...the spam filter
> broke because I needed a new key for it to work..it was only down about 24
> hrs...and I got bombarded during those hours..but I have been fighting spam
> more aggressively ever since...and my customers noticed a big change also..
> My upline provider offered to put their spam filter (Sublinme) in front of
> mine and all that seemed to do is put less work on my server but the spam is
> still worse than before I made the move...and all that changed were the
> IPs..same Declude...same Sortmonster...same everything...I have been racking
> my brain ever since to figure out why?
>
> Richard Farris
> Ethixs Online
> 1.270.247. Office
> 1.800.548.3877 Tech Support
Re: [Declude.JunkMail] How do they do it?
I had the exact same thing happen to me about 5 months ago..we moved our servers to a new location and changed IPs on everything...the spam filter broke because I needed a new key for it to work..it was only down about 24 hrs...and I got bombarded during those hours..but I have been fighting spam more aggressively ever since...and my customers noticed a big change also.. My upline provider offered to put their spam filter (Sublinme) in front of mine and all that seemed to do is put less work on my server but the spam is still worse than before I made the move...and all that changed were the IPs..same Declude...same Sortmonster...same everything...I have been racking my brain ever since to figure out why?

Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support

----- Original Message -----
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, February 05, 2004 9:16 AM
Subject: Re: [Declude.JunkMail] How do they do it?

> >I've had two cases recently where I had hosting customers move their email
> >services to my Imail/Declude box. Both moved from a national hosting
> >company and had no spam protection of any kind on their services. Both
> >complained within a week of the move that they're getting bombarded by spam.
> >Both claim that they didn't receive much spam on their old host. One had a
> >mail archive that I was able to look at and there really wasn't much in the
> >way of spam in there.
>
> The only thing that I can think of is that the spammers have access to the
> zone files (which list all the domains in a TLD and their NS records), and
> are looking for changes in the NS records, and targeting those domains.
>
> Are the spams going to valid user accounts? Is this a dictionary
> attack? My guess is that the hosting company was indeed filtering spam.
>
> >How is it that these spammers are hitting these domains when they move to my
> >box? I have JunkMail pretty well configured (I think) and they still get
> >more spam than they did before the move. Doesn't make sense to me.
>
> Could you send me the full headers of several spams that are getting
> through? I may be able to get a better idea of what is happening.
>
> -Scott
RE: [Declude.JunkMail] How do they do it?
I noticed something similar when I added a new user to an existing domain and within 24 hours that account had SPAM traffic. Junkmail was catching it, but I'm not sure how the spammers found the address that quickly. Is this similar to Joe's issue?

Todd Holt
Xidix Technologies, Inc
Las Vegas, NV USA
702.319.4349

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Wolf
Sent: Thursday, February 05, 2004 7:35 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] How do they do it?

Thanks for the reply.

No dictionary attacks that I can see in the logs for these domains, but it's possible that it happened. The previous host was DigiHost. There was no sign of spam filtering and it's not on their list of features or options.

Will ask one of the customers for permission to post a header. Gotta keep inside our Privacy Policy.

Thanks for the quick reply!

-Joe
Re: [Declude.JunkMail] How do they do it?
Thanks for the reply.

No dictionary attacks that I can see in the logs for these domains, but it's possible that it happened. The previous host was DigiHost. There was no sign of spam filtering and it's not on their list of features or options.

Will ask one of the customers for permission to post a header. Gotta keep inside our Privacy Policy.

Thanks for the quick reply!

-Joe

----- Original Message -----
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, February 05, 2004 9:16 AM
Subject: Re: [Declude.JunkMail] How do they do it?

> >I've had two cases recently where I had hosting customers move their email
> >services to my Imail/Declude box. Both moved from a national hosting
> >company and had no spam protection of any kind on their services. Both
> >complained within a week of the move that they're getting bombarded by spam.
> >Both claim that they didn't receive much spam on their old host. One had a
> >mail archive that I was able to look at and there really wasn't much in the
> >way of spam in there.
>
> The only thing that I can think of is that the spammers have access to the
> zone files (which list all the domains in a TLD and their NS records), and
> are looking for changes in the NS records, and targeting those domains.
>
> Are the spams going to valid user accounts? Is this a dictionary
> attack? My guess is that the hosting company was indeed filtering spam.
>
> >How is it that these spammers are hitting these domains when they move to my
> >box? I have JunkMail pretty well configured (I think) and they still get
> >more spam than they did before the move. Doesn't make sense to me.
>
> Could you send me the full headers of several spams that are getting
> through? I may be able to get a better idea of what is happening.
>
> -Scott
Re: [Declude.JunkMail] How do they do it?
>I've had two cases recently where I had hosting customers move their email
>services to my Imail/Declude box. Both moved from a national hosting
>company and had no spam protection of any kind on their services. Both
>complained within a week of the move that they're getting bombarded by spam.
>Both claim that they didn't receive much spam on their old host. One had a
>mail archive that I was able to look at and there really wasn't much in the
>way of spam in there.

The only thing that I can think of is that the spammers have access to the zone files (which list all the domains in a TLD and their NS records), and are looking for changes in the NS records, and targeting those domains.

Are the spams going to valid user accounts? Is this a dictionary attack? My guess is that the hosting company was indeed filtering spam.

>How is it that these spammers are hitting these domains when they move to my
>box? I have JunkMail pretty well configured (I think) and they still get
>more spam than they did before the move. Doesn't make sense to me.

Could you send me the full headers of several spams that are getting through? I may be able to get a better idea of what is happening.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.