Re: [Mimedefang] Block .js extension was Fwd: G Suite Update Alerts
DFS wrote on 01/26/2017 09:12:51 AM:

> A blanket block of .js would really annoy web developers who seem to mail
> around zip files of projects (yeah, yeah, this "git" nonsense will never
> catch on...)

Git outta here!! (Sorry, couldn't resist!)

Even Google recommends using a file sharing site, pushing their own obviously.

Confidentiality Notice: This electronic message and any attachments may contain confidential or privileged information, and is intended only for the individual or entity identified above as the addressee. If you are not the addressee (or the employee or agent responsible to deliver it to the addressee), or if this message has been addressed to you in error, you are hereby notified that you may not copy, forward, disclose or use any part of this message or any attachments. Please notify the sender immediately by return e-mail or telephone and delete this message from your system.
___
NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang

Re: [Mimedefang] Process SPF checking for certain recipient domains
> From: "Jon Rowlan"
> I want to selectively use SPF for some domains and not others for the
> purposes of the functionality that SPF offers. I want to tune this
> depending on the client domain.

Then test for the domain name and if they want SPF test, run them. If not, skip them. You might want to stream by domain in case a message is sent to multiple domains.

You might want to look into Roaring Penguin's CanIt Pro, which is based on MIMEDefang. It handles this easily and lets you define SPF (and other) rules for each stream.

Bill (Just a happy CanIt Pro user)

Re: [Mimedefang] ADMINISTRIVIA: Yahoo users may not post to this mailing list
Les wrote on 04/23/2014 12:29:40 PM:

> That's ummm, interesting, that you can't see their example format
> without a login. But it looks like they want to rewrite the
> Reply-To: as the original sender which seems very wrong, at least for
> technical lists where most posters would never want to request a
> private reply. And doing anything 'selectively' also seems wrong if
> you ever expect users to catch on to how a system works.

Sorry about that login to unmask issue... Here is the full text of that post on the LISTSERV List Owner's Forum:

**
This is posted from my yahoo.com account to illustrate L-Soft's solution to the From: address re-write issue. We think it is superior because it works as follows:

-LISTSERV does a DNS lookup on the From: address to see if a re-write for DMARC Reject reasons is needed. We are already handling *@aol.com addresses automatically and immediately.
-If From: address re-write is necessary, you can see the format: [token]-dmarc-requ...@listserv.xyz.com. The numerical [token] is unique to each LISTSERV instance.
-Reply-To: field is populated with non-rewritten address so private reply-to-sender will actually go to sender as expected and not be accidentally posted to the list.
-Return-Path: field is also populated with PROBE format non-rewritten address so that true bad-addresses bounces can be handled correctly.
-List mail should still filter into the correct mail folder so users will not complain about 'lost' mail.

This is a fix server admins can install and forget, and everything just works like before. No need for everyone to change their habits and their folder rules for incoming mail. No need for special configuration settings. No need to monitor the trade press for daily updates.
**

The sender's Yahoo address was rewritten to be "Ben Parker <0007fbf933af-dmarc-requ...@peach.ease.lsoft.com>" where peach.ease.lsoft.com is the list host.

The reply-to field is only set on lists configured to reply to sender. It is not set on lists configured to reply to the list. I am on several technical lists (bind-users and dns-operations) that reply by default to the sender.

Yeah, the whole thing sucks. But unless we come up with a 1,000lb gorilla to take on the 800lb gorillas, we'll have to resort to this sort of guerrilla warfare.

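
The rewrite steps listed in the quoted L-Soft post, as an added Python example that is neither LISTSERV's code nor part of the original message. The sample DNS data, the `.example` domains, the function names and the `-rewritten` local part are assumptions; the post shows the real local-part format only in truncated form, and the PROBE-format Return-Path is not modelled.

```python
"""Added example: DMARC-triggered From: rewrite on a mailing-list host."""
from email import message_from_string
from email.utils import formataddr, parseaddr

# Constructed TXT records standing in for live DNS so the example runs offline.
SAMPLE_DNS = {
    "_dmarc.strict.example": ["v=DMARC1; p=reject; pct=100"],
    "_dmarc.relaxed.example": ["v=spf1 -all", "v=DMARC1; p=none"],
}

# Constructed list postings.
POST_STRICT = ("From: Ben Example <ben@strict.example>\n"
               "To: list@lists.example.org\nSubject: test\n\nhello\n")
POST_RELAXED = ("From: Ann Example <ann@relaxed.example>\n"
                "To: list@lists.example.org\nSubject: test\n\nhello\n")


def lookup_txt(name):
    """Stand-in resolver: return the TXT strings published at `name`."""
    return SAMPLE_DNS.get(name.lower().rstrip("."), [])


def parse_dmarc(record):
    """Parse one TXT string into a tag dict; None if it is not a DMARC record."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None  # the v= tag must come first
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_policy(domain, resolver=lookup_txt):
    """Return the p= value for `domain`, or None when no record is published.

    Simplification: only the exact From: domain is queried; the fallback to
    the organizational domain is left out.
    """
    for record in resolver("_dmarc." + domain):
        tags = parse_dmarc(record)
        if tags and "p" in tags:
            return tags["p"].lower()
    return None


def rewrite_for_list(msg, list_host, token, reply_to_sender, resolver=lookup_txt):
    """Rewrite From: in place when the author's domain publishes p=reject."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2]
    if not domain or dmarc_policy(domain, resolver) != "reject":
        return False  # selective: other senders pass through untouched
    # Placeholder local part (assumption); only the token prefix is from the post.
    rewritten = f"{token}-rewritten@{list_host}"
    msg.replace_header("From", formataddr((name, rewritten)))
    # Only reply-to-sender lists get the original address back in Reply-To;
    # keeping an existing Reply-To is a choice made for this example.
    if reply_to_sender and msg.get("Reply-To") is None:
        msg["Reply-To"] = formataddr((name, addr))
    return True


def rewrite_raw(raw, list_host, token, reply_to_sender=True):
    """Parse a raw message, apply the rewrite, return (changed, message)."""
    msg = message_from_string(raw)
    changed = rewrite_for_list(msg, list_host, token, reply_to_sender)
    return changed, msg


if __name__ == "__main__":
    for raw in (POST_STRICT, POST_RELAXED):
        changed, msg = rewrite_raw(raw, "lists.example.org", "0007")
        print(changed, msg["From"], msg["Reply-To"])
```
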
Re: [Mimedefang] ADMINISTRIVIA: Yahoo users may not post to this mailing list
Les wrote on 04/23/2014 11:01:22 AM:

> So, is it time for mailing lists to rewrite the From: header? I've
> always preferred ones that supply a Reply-To: back to the list so
> people don't accidentally answer off-list anyway, but I know there are
> arguments on the other side.

That seems to be the consensus on the Listserv(TM) mailing lists. They are doing it selectively after doing a DNS Query and detecting the broken setting.

See http://peach.ease.lsoft.com/scripts/wa-peach.exe?A2=ind1404&L=LSTOWN-L&F=&S=&P=61953

Re: [Mimedefang] What AV scanners do you use? (was Re: Any Sophie users out there?)
DFS wrote on 03/20/2014 03:04:07 PM:

> Post-Cisco, ClamAV seems to have greatly declined in usefulness.
> It catches hardly anything anymore... anyone else experiencing this?
>
> In my experience, most of the commercial AV scanners for Linux are horrible.
> They often use undocumented wire protocols making it difficult/impossible
> to use them efficiently from MIMEDefang. The "MIMEDefang-friendliest" one
> I know of is F-PROTD version 6.
>
> On our hosted anti-spam offering, we simply block outright *.EXE, *.SCR etc
> whether directly attached or within zip files, RAR files, etc. So far
> no-one has complained.

We haven't seen an increase in virii detected by McAfee or Symantec on servers downstream from our CanIt system. Maybe that's because blocking the unsafe extensions kills them before we even call ClamAV. Or are there fewer infections being sent by mail, rather focusing more on phishing emails?

Re: [Mimedefang] Can I get MimeDefang to email alert me when a customer server is on an RBL
Jon wrote on 02/25/2014 04:15:31 AM:

> I use sendmail/md/sa/clam to test for inbound, I actually don't know
> whether any checks are performed on the outgoing by this combination of
> systems, I would have thought that some checks are made on mail going out
> as well as in.
> The systems relaying are a disparate bunch of customer servers. Windows
> mainly.
>
> Occasionally we find a compromise and have to clean up but I am looking
> for ways to clean up far sooner and if possible to fix and block an
> impending flood before or as it happens.
>
> What I realised is that an entry in my Access table that allows relay
> through my servers does not check RBL.

If the spam is being relayed out through your filter, your IP address is likely to be the one that will get blacklisted. It will be seen as the source of the spam.

You might want to look into rate limiting your customers as well as scanning the messages.

Re: [Mimedefang] Bad Extensions in suggested example filter
Better list at http://office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx

--
William Brown
Core Hosted Application Technical Team and Messaging Team
Technology Services, WNYRIC, Erie 1 BOCES
(716) 821-7285

Re: [Mimedefang] Bad Extensions in suggested example filter
Kevin wrote on 11/05/2013 01:30:17 PM:

> 3 - Has anyone written description of all the extensions and a short
> what/why description? If not, I'll take a pass at it. (example below).

Microsoft has a partial list at http://support.microsoft.com/kb/291369

Re: [Mimedefang] ClamAV effectiveness
DFS wrote on 10/10/2013 12:08:04 PM:

> Has anyone noticed that ClamAV does a pretty poor job lately of
> catching viruses? Here are a few days' worth of statistics from a
> reasonably-busy mail server cluster:

Not seeing it being caught by Symantec or McAfee on mail servers behind our CanIt system either, so it's not just ClamAV.

Re: [Mimedefang] What about DKIM
From: Renaud Pascal

> well, after all wasn't SPF an idea from Microsoft, a gang of squares
> thinking they're geeks...

No, that was CallerID, later SenderID. SPF was from Meng Wong at POBOX.com, based on the work of others. The MARID working group tried to merge SenderID with SPF, but that effort failed.

SenderID was a bloated mess of XML jammed into DNS TXT records. Sometimes EDNS0 (if it was even available) wouldn't keep it from failing over to TCP for the DNS query.

Re: [Mimedefang] Reject pre greeting traffic with mimedefang?
Franz wrote on 01/11/2013 02:49:54 PM:

> ok, so let's rephrase the question... ;-)
>
> Is there a way to prevent SMTP slamming with mimedefang?

Why reinvent the wheel? Sendmail does it very nicely as documented w/ GreetPause. What would be gained by moving it to MimeDefang?

Re: [Mimedefang] Help needed to block all attachments
DFS wrote on 12/17/2012 03:00:33 PM:

> (I'm tempted to go further and
> say that such a policy-maker exemplifies the Peter Principle but I
> won't... darn! Too late!)

Or maybe s/he hasn't quite reached their ultimate level according to the Dilbert Principle.

Re: [Mimedefang] The .local TLD
DFS wrote on 08/18/2012 04:34:20 PM:

> Sure, x.y.z.10.in-addr.arpa probably does hit the root name servers pretty
> often.

Yes it does. http://public.as112.net/node/6

Re: [Mimedefang] Mail Admin Question
Ben wrote on 08/17/2012 02:58:05 PM:

> I had an official internet email address in 1989 when I was on GEnie
> Information Services. I was bka...@genie.geis.com

According to the grasshopper book, RFCs 882 and 883 were released in 1984, which defined DNS, which replaced a centrally managed hosts.txt file.

Re: [Mimedefang] Mail Admin Question
Jon wrote on 08/17/2012 01:41:15 PM:

> As I run exchange and sendmail/MD systems I thought I would see why the
> exchange bods were being bashed again ...

Running exchange is not proof you don't know what you're doing, but not knowing how to run a mail system seems to correlate closely with running exchange.

> Someone has obviously had a pretty bad time with an Exchange dodo ...

Seems more than one someone.

> This seems to have come from nowhere (at least as far as I can see in
> this thread)

It would be interesting if Nate would post what mail system is used at the domain he raised the question about. Does it even respond to "telnet $HOST 25"?

Re: [Mimedefang] Mail Admin Question
Ben wrote on 08/17/2012 01:07:46 PM:

> And I've run into those types...
>
> They're scary.

And they tend to resent when you point out their problems.

Re: [Mimedefang] Mail Admin Question
Ben wrote on 08/17/2012 12:39:45 PM:

> Not a whole lot you can do for them.

Lately, my attitude runs towards "Just because you can install Exchange doesn't mean you know what you're doing."

Re: [Mimedefang] Mail Admin Question
Nate wrote on 08/17/2012 05:29:51 AM:

> Is it generally accepted as being ok to directly contact the other
> servers email administrator in order to try to resolve an undelivered
> email? I am finding myself being berated by the other systems admin for
> my "unconventional" methods in trying to resolve the matter because I
> sent him an email asking him to look into the "connection reset by mail"
> message. I am a total newbie in this arena.

If you have done everything you can on your end and have network dumps or some other evidence that it is at their end, then you will need their help.

I get emails and phone calls routed through our service desk from outsiders (usually end users) about delivery issues. Frequently, they are not even my fault (borked SPF, etc.)

That being said, the call I hate the most is "I didn't get an email from someone!" It's so much easier to track from the sending side. If a cursory look doesn't find it I tell them to call sender to have it tracked from that end.

[Mimedefang] Passphrase - was:Re: FYI: LinkedIn MIMEDefang group is gone
Kevin wrote on 06/06/2012 03:06:16 PM:

> After that, my general guideline is to use passphrases not passwords.
> Things like My_Birthday_is_on_January_1st! are better than randomly
> generated passwords.

Sorry for reviving an old thread, I was on vacation and I'm just getting back to some of the non-critical messages from them.

How do we get system designers to start prompting for passphrases instead of passwords? That alone should clue the user into using something longer than "link" as their password.

I use correcthorsebatterystaple everywhere. (NOT!)

Re: [Mimedefang] [OT?] Random Word Spam
Mike wrote on 02/10/2012 12:23:52 PM:

> > On Thu, 9 Feb 2012 14:49:39 -0500
> > "David F. Skoll" wrote:
> >
> >> Do they all have message IDs starting "CHILKAT-MID"?
> >
> > That appears to be the format of a Message-ID inserted by legitimate
> > software, so it was probably a coincidence.
>
> Yes, but every message I have checked contains that type of message-id.

Just for giggles, I grepped for that string in my logs. None of the hits looked like they would be missed if they were blocked - Dynamic IP, salesy-sounding domains, etc.

Re: [Mimedefang] [OT?] Random Word Spam
Michael wrote on 02/09/2012 12:20:46 PM:

> We had a compromised account doing this last weekend! CanIt caught a
> few of the outgoing messages, and I soon blocked the account. The email
> were initially all going to a single gmail and a single ebay account.
> Later messages (all blocked) branched out to hotmail, and a few others.
>
> No idea what is up with this? I am curious, is there a reason the
> customer might be harassed in this way?

I suspect that the customer wasn't being harassed per se. My experience as recipient from several hacked accounts has been that some compromised accounts are only used to send to contacts in the address book. Perhaps this user only had the two entries. Of course they can also send to external lists of addresses as you've seen.

Having the user change their password is usually enough to shut down the abuse.

Re: [Mimedefang] Mailman Footer in MS Outlook Link
servings...@gmail.com wrote on 10/24/2011 12:23:14 PM:

> By the way, the footer now is not an attachment but the unsubscribe
> link in the footer is not clickable.
>
> _I wonder if there is a solution for the link?_

This is likely to be a feature/function of your mail client to take URLs and turn them into clickable links. You may have it turned off for security or other reasons, or your client doesn't support it.

Re: [Mimedefang] OT: I am a sick man...
DFS wrote on 09/08/2011 02:07:17 PM:

> I just had to do the phishing song:
> http://www.youtube.com/watch?v=ccIzZS_wD6U

Now I need a new keyboard after spewing Mt Dew on it. I should have known better than to drink and watch an RPSTV production.

Re: [Mimedefang] More than one From address
Todd wrote on 08/25/2011 09:42:19 AM:

> Thanks also for the information about multiple From addresses... in the
> 15+ years I've been in IT and managing email, I'd never seen messages with
> multiple From addresses before.

I recall discussions either here or on some other list where spammers were using multiple From: header entries to try to get past. One would have your address, or at least your domain, which they hoped would be the one to show up in your mail client so you would trust it, and hopefully, the filter would look at the other one so it wouldn't block the email because it was from your domain.

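A filter can refuse to guess which From: a mail client will display by flagging the ambiguity itself. The sketch below is an added example, not code from the thread or from MIMEDefang; the function name, the result keys and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses


def analyze_from(raw_message, local_domains):
    """Report every From: header field and mailbox in a raw message.

    RFC 5322 allows at most one From: field; it may list several
    mailboxes, but then a Sender: field is required.
    """
    # The default (compat32) parser keeps duplicate header fields as sent.
    msg = message_from_string(raw_message)
    from_fields = msg.get_all("From") or []
    addresses = [addr.lower() for _, addr in getaddresses(from_fields) if "@" in addr]
    domains = [addr.rsplit("@", 1)[1] for addr in addresses]

    reasons = []
    if not from_fields:
        reasons.append("no From: header field")
    if len(from_fields) > 1:
        reasons.append("multiple From: header fields")
    if len(from_fields) == 1 and len(addresses) > 1 and msg.get("Sender") is None:
        reasons.append("several mailboxes in From: without Sender:")
    # The trick described above: one address in our own domain for the
    # reader to trust, another one for the filter to evaluate.
    if len(set(domains)) > 1 and any(d in local_domains for d in domains):
        reasons.append("local domain mixed with foreign domain in From:")

    return {
        "from_header_count": len(from_fields),
        "addresses": addresses,
        "reasons": reasons,
    }


# Constructed sample messages (not taken from real mail).
SPOOFED = (
    "From: Your Colleague <boss@example.org>\n"
    "From: promo@bulk.example.net\n"
    "To: todd@example.org\n"
    "Subject: quarterly numbers\n"
    "\n"
    "body\n"
)
CLEAN = (
    "From: Your Colleague <boss@example.org>\n"
    "To: todd@example.org\n"
    "Subject: quarterly numbers\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("clean", CLEAN)):
        print(name, analyze_from(raw, {"example.org"}))
```

Treating any non-empty `reasons` list as grounds to reject or quarantine removes the dependence on which of the two headers a given client or filter happens to pick.
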
Re: [Mimedefang] MIMEDefang 2.68 panic: top_env problems
DFS wrote on 02/25/2010 09:06:56 AM:

> Oh, dear. It's probably a Perl bug that's triggered by some peculiarity
> of your filter or one of your Perl modules.
>
> Googling for "panic: top_env" yields little enlightenment other than
> "It's probably a Perl bug." :(

Mastering Regular Expressions (O'Reilly) has this to say:

"If you're working with embedded code or a dynamic regex, and your program suddenly ends with an unceremonial panic: top_env it is likely due to a syntax error in the code part of the regex. Perl currently doesn't handle certain kinds of broken syntax well, and the panic is the result. The solution, of course, is to correct the syntax."

Re: [Mimedefang] problem from MIMEDefang
Hadi wrote on 02/22/2010 12:10:29 PM:

> Here is the permission
>
> bash-2.05$ ls -ld /var/spool/MIMEDefang/mimedefang.sock
> srwxr-x--- 1 defang nobody 0 Feb 22 09:46 /var/spool/
> MIMEDefang/mimedefang.sock
>
> It's right or wrong

>> Did it work before? If so what changed? Does the socket exist? What do
>> you get if you try "ls -l /var/spool/MIMEDefang/mimedefang.sock"? Are the
>> permissions correct?

The permissions are the same as my CanIt installation, but the group is not the same. Mine has defang as both owner and group.

Please answer the other questions above for further assistance.

Re: [Mimedefang] problem from MIMEDefang
Hadi wrote on 02/22/2010 11:04:46 AM:

> before upgrade there's any fix for this meanwhile?

Did it work before? If so what changed? Does the socket exist? What do you get if you try "ls -l /var/spool/MIMEDefang/mimedefang.sock"? Are the permissions correct?

Re: [Mimedefang] OT: Choice of desktop OS (was Re: watch-mimedefang)
DFS wrote on 02/12/2010 06:54:27 PM:

> I must confess, I've never understood people who administer Linux servers,
> yet don't run a Linux desktop. Heck, run Linux in VMWare if you must,
> but at least use proper desktop tools to administer a Linux server.

When I first started using Linux for production servers (Roaring Penguin's CanIt Pro), I wasn't as comfortable w/ Linux as I knew I should be. I switched my day to day laptop to Linux and for the Windows apps I have to run, I use VMWare Workstation. VMWare player was not available back then, and I've kept to the pay version for the extra features.

> The frustration of having to run a Windows desktop would drive me insane.

Making the switch caused some grief, but I think it was worth it in the long run. If nothing else, patches don't eventually bog the system down like they do in Windows.

If you don't believe me, take a fresh machine and install Windows 2000 on it. Time how long it takes to boot. Then do nothing but patch it. A lot. Reboot repeatedly. Burn most of a day doing so. Time how long it takes to boot after all current patches are applied. Last time I did this, it took about 3 times longer to boot.

Now when my laptop takes longer to boot, it's because I added something.

Re: [Mimedefang] HOW TO install clamd on Fedora 11forusebymimedefang
Cool! Now just set the text of the message to tell you that clam failed and it is time to panic. :)

--
William Brown
Web Development & Messaging Services
Technology Services, WNYRIC, Erie 1 BOCES

"Cliff Hayes" wrote on 01/25/2010 03:24:34 PM:

> From: "Cliff Hayes"
> To:
> Date: 01/25/2010 03:39 PM
> Subject: Re: [Mimedefang] HOW TO install clamd on Fedora 11 forusebymimedefang
> Sent by: mimedefang-boun...@lists.roaringpenguin.com
>
> Figured it out.
> I had the eicar string in the body and not in an attachment.
> Once I put it in an attachment, it worked.
>

Re: [Mimedefang] HOW TO install clamd on Fedora 11 for usebymimedefang
Cliff wrote on 01/22/2010 05:42:34 PM:

> I sent an internal test and it got blocked by clamd as expected.
> I sent an external test and it sailed right through undetected. So now I'm
> confused :(

Is your external address whitelisted or otherwise not being processed w/ the same rules as the internal sender?

Re: [Mimedefang] HOW TO install clamd on Fedora 11 for use by mimedefang
Cliff wrote on 01/22/2010 03:14:19 PM:

> One thing I would like to add to this list is a way to verify clamd is still
> checking emails.

How about automatically sending an email with the EICAR test virus through the system on a regular schedule. If it ever shows up in your inbox, you would know clamd (or something else equally panic inducing) failed.

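A sketch of that scheduled canary, added here as an example and not taken from the thread: it carries the EICAR string as an attachment (the later message in this thread reports that the string in the body was not caught) and counts a canary as leaked only if the test payload itself survived delivery. The header name, canary IDs, addresses and relay host are assumptions.

```python
import email
import smtplib
from email import policy
from email.message import EmailMessage

# Standard 68-byte EICAR test string, written in two pieces so that a
# scanner does not quarantine this script itself.
EICAR = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-"
         r"STANDARD-ANTIVIRUS-TEST-FILE!$H+H*").encode("ascii")

CANARY_HEADER = "X-AV-Canary-ID"  # hypothetical header name


def build_canary(sender, recipient, canary_id):
    """Build a test message with the EICAR string as an attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = f"AV canary {canary_id}"
    msg[CANARY_HEADER] = canary_id
    msg.set_content("Scheduled scanner self-test. This should never be delivered intact.")
    msg.add_attachment(EICAR, maintype="application",
                       subtype="octet-stream", filename="eicar.com")
    return msg


def send_canary(msg, relay_host, port=25):
    """Submit the canary from outside, so it takes the inbound filter path."""
    with smtplib.SMTP(relay_host, port) as smtp:
        smtp.send_message(msg)


def leaked_canaries(delivered_raw_messages, expected_ids):
    """Return IDs of canaries that arrived with the EICAR payload intact.

    A filter that strips the attachment and delivers the remainder is
    working, so the header alone does not count as a leak.
    """
    leaked = set()
    for raw in delivered_raw_messages:
        msg = email.message_from_bytes(raw, policy=policy.default)
        canary_id = str(msg.get(CANARY_HEADER, "")).strip()
        if canary_id not in expected_ids:
            continue
        for part in msg.walk():
            payload = part.get_payload(decode=True)  # None for containers
            if payload and EICAR in payload:
                leaked.add(canary_id)
                break
    return sorted(leaked)


if __name__ == "__main__":
    # Constructed mailbox contents: one canary delivered untouched.
    canary = build_canary("canary@probe.example.net", "postmaster@example.org", "c-001")
    print(leaked_canaries([canary.as_bytes()], {"c-001"}))
```

Run the check over the monitoring mailbox some minutes after each send and alert on any non-empty result.
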
Re: [Mimedefang] Spam ethics question
Kelson wrote on 01/14/2010 02:43:35 PM:

> It's not the effect that's at issue, it's the process.
>
> The whole point of a honeypot is that you have a guarantee that no one
> has ever requested that mail go to that address, so any mail sent there
> is unsolicited by definition.
>
> If you subscribe an address to a list, then *you* have solicited mail
> for that address. As a result, your data is no longer reliable, because
> at least some of that mail coming into that address is mail that you
> requested.

This is the best argument against what I asked about. Thanks

> OTOH, if you actively *unsubscribe* an address, then you have
> specifically requested that mail *not* go there. If they turn around and
> use that information to put the address on one of their lists, then
> you've caught them violating your request. It's still unsolicited, so
> it's valid data.

Other option is to raise hell with the mail outsourcing company but does that really work?

Re: [Mimedefang] Spam ethics question
Andrzej Adam Filip wrote on 01/14/2010 01:05:49 PM:

> But actively un-subscribing not subscribed email addresses is OK
> => as far as I have heard the effect is almost identical :-)

In many cases that's probably true.

Upon further review of the headers, they are passing through mail outsourcer Magnet Mail. How likely is it that complaining to them about their customer will do any good?

Our abuse address does not ever send email, and as far as I know it only appears on the domain records of any domain hosted on our DNS servers, and our ARIN records.

[Mimedefang] Spam ethics question
I just got spammed by a company that claims on their website "We hate SPAM as much as you do." So why did they repeatedly send it to our abuse address? They also sent it to almost every school district we filter email for. To the best of my knowledge, none of them requested the email either.

Needless to say, they got a block in our global rules and submitted to SURBL.

As I was checking their web site, I found the statement above right below the box to sign up for their newsletter, which was at the very top of the page.

My dilemma is this: Why shouldn't I find some honey-pot addresses and submit them to subscribe?

--
William Brown
Web Development & Messaging Services
Technology Services, WNYRIC, Erie 1 BOCES
(716) 821-7285

Re: [Mimedefang] Sendmail::Milter
Joseph Brennan wrote on 11/24/2009 03:58:08 PM:

> There are mailing list products that send to 1 recipient per message
> and close the connection after each one. They don't pipeline when
> running a queue either. I think the products run their own queue
> instead of handing it off to a sane MTA.

LSoft's Listserv can be configured to use one recipient per message, but it is not the default configuration. Using this setting can help with tracking mail delivery errors.

Listserv requires the use of a mail relay, but I don't know if it closes the connection between each message or uses RSET when delivering to the relay. After that, behavior is up to the MTA being used.

[Mimedefang] Odd messages
I've seen a few messages recently, mostly from Google mail, that are unusual in that there is no obvious reason for them. No sales pitch, link or malware attached. The headers indicate it was a legit gmail message.

This is the latest received:

Hi Sir/Madam,
Have a nice Day.
Regards
Hook

Could they just be probing to see if an address is valid (or at least doesn't bounce)?

Other possibility is that the developing region slave-bot manually typing it for a pittance forgot the money shot part of the message.

Anyone else seeing these? Any idea what is behind them?

--
William Brown
Web Development & Messaging Services
Technology Services, WNYRIC, Erie 1 BOCES

[Mimedefang] Obscuring email addresses on the web
A colleague quoted in an email "email spam from web crawlers is a problem for you and your IT department, obfuscating email addresses on your website turns your problem into a problem for your users". Has anyone seen this or something similar?

The original question posed to him was about making it more difficult for crawlers to harvest addresses, not make it difficult for users. I know about and have shared with the web developers the usual JavaScript techniques for breaking down, then reassembling addresses at the browser.

I was told he found this twaddle "on the web." Anyone know where this quote might have come from?

--
William Brown
Web Development & Messaging Services
Technology Services, WNYRIC, Erie 1 BOCES

Re: [Mimedefang] Message header madness - was Re: SPF Usefulness(was Re: SNARE spam detection)
- wrote on 07/31/2009 06:39:21 PM:

> Whether the URL appears in a signature (i.e. after a line that has
> DASH-DASH-SPACE) or not should be a scoring factor. Legitimate
> personal mail often have signatures. Spam often doesn't.

People don't have a clue about the tear line before the signature. I've seen just about anything used as a separator, from a row of all the same characters to repeating patterns of 2 to 5 characters.

Try finding all of those to test if the URL is part of a signature.

Re: [Mimedefang] Blocking Dictionary Attacks
Les wrote on 06/09/2009 01:59:38 PM:

> And unless you expect messages with a large number of recipients you can
> refuse to accept them without running any perl code:
> define(`confMAX_RCPTS_PER_MESSAGE',`5')dnl
> 'Real' senders are supposed to figure this out and resend but I don't
> know how it works out in practice.

This can cause long delays in processing messages with a lot of recipients. After the 5 allowed RCPT TO's, the rest are tempfailed. The sender has to queue the message again for the remaining recipients and it waits for the next queue run before trying them. Lather - rinse - repeat.

For 100 recipients, it will take 19*interval minutes to deliver the message. Even if the queue interval is 5 minutes, that's still more than an hour and a half.

Re: [Mimedefang] crappy message format standards (the RFCs suck)
Kenneth Porter wrote on 03/28/2009 02:41:35 PM:

> Is it feasible to write a new message standard to replace 2822, with all
> MUSTS, and something like HTML's doctype strict to declare that the message
> either meets the standard or is rejectable?

I'm sure it could be written. Getting it adopted and in widespread use? That be a lot harder.

Re: [Mimedefang] duplicate subject headers {Scanned by vsl mailsafe}
Kenneth Porter wrote on 03/27/2009 02:19:30 PM:

> Does such a thing as an "RFC 2822 validator" exist? Something that checks a
> message for conformance?

Would rejecting for non-conformance of a message be any different than using rfc-ignorant.org which will blacklist you if you don't have working postmaster and abuse addresses?

Re: [Mimedefang] PDF vulnerability
Looks like ClamAV has added definitions for some PDF vulnerabilities today: http://lurker.clamav.net/message/20090224.162205.44ab94c8.en.html

--
May you solve interesting problems
William Brown
Web Development & Messaging Services
Technology Services, WNYRIC, Erie 1 BOCES
(716)821-7285

Re: [Mimedefang] PDF vulnerability
Kevin wrote on 02/24/2009 02:16:38 PM:

> Recommending that people disable JavaScript in Adobe I believe is the only
> current course of action other than blocking PDFs which will likely cause
> people with pitchforks and torches to storm the IT Castle.

Blocking PDF's is not going to be popular. Can/will the AV definitions be able to detect malicious files?

> Other than that, unfortunately I'm hoping March 11th when Adobe is supposed
> to patch comes quickly without other issues. Other than that, we'll likely
> start sacrificing IT interns as a blood offering.

March 11 is only for version 9 of Acrobat. Earlier versions will come out after that.

Re: [Mimedefang] Verifying that a server has seen a message (was Re: Unique identifier)
DFS wrote on 02/20/2009 03:08:06 PM:

> > So, if I substitute a period for the "@" do a DNS query for
> > C71C5F34D3FD4A82861FD18EEF700959.peregrinehw.com, their nameserver could
> > return a coded response that message did indeed originate from that server.
> > The Message-ID values would need to be kept for some minimum time period
> > before being flushed, perhaps seven to ten days.
>
> I'm not sure that Message-IDs can always be converted to legitimate
> DNS names with that transformation. But anyway, that's a minor problem.

True, might have to insert a pseudo-sub-domain and query something like C71C5F34D3FD4A82861FD18EEF700959.verify.peregrinehw.com

>
> > 1. Unlike Domain Keys and other crypto-signature systems, requires no
> > central authority.
>
> Yes, but it's also vulnerable to a trivial replay attack. Fixing that
> is really hard.

OK, so I'm not going to get rich on my anti-spam inventions... At least I'm not claiming "Two years from now, spam will be solved." But just watch, someone will try to market this in the near future and patent it, and then someone else will implement it and get sued by the patent holder :)

> I would be much more interested in a good way to determine that a DSN
> is in response to a message you've sent (rather than being backscatter from
> someone faking your address.) Unfortunately, the information preserved
> in a DSN is unreliable. :-( You're at the whim of the MTA authors.
>
> (The only foolproof way to do this is to manipulate the envelope
> sender address, and that has all kinds of other down-sides.)

Yeah, tell me about it. Try whitelisting a mailing list hosted on Lyris. They use unique senders for each message. I hate whitelisting domains if I can avoid it.

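The objection that not every Message-ID maps to a legal DNS name can be made concrete. The sketch below is an added example, not code from the thread: it builds the `<id>.verify.<domain>` query name discussed above and reports why a given Message-ID cannot be converted. The function name and all sample IDs except the one quoted in the message are constructed, and hostname-style (letters, digits, hyphen) labels are an assumption about what the lookup would accept.

```python
import re

# Hostname label: 1-63 characters, letters/digits/hyphen, no hyphen at either end.
LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")
VERIFY_LABEL = "verify"   # the pseudo-sub-domain suggested in the thread
MAX_NAME_LENGTH = 253     # longest DNS name in dotted text form


def message_id_to_qname(message_id):
    """Map a Message-ID to a DNS query name.

    Returns (qname, None) on success or (None, reason) when the ID
    cannot be expressed as a DNS name with this transformation.
    """
    mid = message_id.strip()
    if mid.startswith("<") and mid.endswith(">"):
        mid = mid[1:-1]
    if mid.count("@") != 1:
        return None, "expected exactly one '@'"
    left, domain = mid.split("@")
    if not left or not domain:
        return None, "empty left-hand side or domain"
    # Dots in the left-hand side simply become label boundaries.
    for label in left.split(".") + domain.split("."):
        if not LABEL_RE.fullmatch(label):
            return None, f"{label!r} is not a valid DNS label"
    # Caveat: DNS compares names case-insensitively, while Message-IDs are
    # case-sensitive, so IDs differing only in case share one query name.
    qname = f"{left}.{VERIFY_LABEL}.{domain}"
    if len(qname) > MAX_NAME_LENGTH:
        return None, "query name longer than 253 characters"
    return qname, None


# First ID is the one quoted in the message; the rest are constructed.
SAMPLES = [
    "<C71C5F34D3FD4A82861FD18EEF700959@peregrinehw.com>",
    "<20090220.150806.1234@mail.example.com>",
    "<4f2a$9c1e$tmp@mail.example.com>",
    "<" + "a" * 64 + "@mail.example.com>",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[:40], "->", message_id_to_qname(sample))
```
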
Re: [Mimedefang] Re : HTML Boilerplates Disclaimers and image files e.g. jpeg/tiff
DFS wrote on 02/05/2009 11:30:59 AM:

> I wonder if the ZA government anticipated silliness like this?
> http://www.pioneerfoods.co.za/downloads/pdf/email_disclaimer.pdf
> Or how the folks at
> http://www.hsrc.ac.za/Corporate_Information-10.phtml (who claim "This
> e-mail legal notice shall at all times take precedence over any other
> e-mail disclaimer(s) received by employees or contractors utilising
> the communications facilities of HSRC.") will react to the disclaimer
> the MIMEDefang list adds? The mind boggles at the jurisdictional bickering...

Holy crap Batman, Those are just evil! And I thought the 25 lines of disclaimer where my wife works (a law firm) were bad

Re: [Mimedefang] Re : HTML Boilerplates Disclaimers and image files e.g. jpeg/tiff
"Ernst" wrote on 02/05/2009 04:45:19 AM:

> I can't agree more. It is absolutely ridiculous to add disclaimers to
> e-mail. I however understand Gibson's problem since he is from South
> Africa. The South African government requires by law that all e-mail
> messages originating from South African companies MUST contain a disclaimer.
> I have had many arguments with "so called" IT lawyers in this regard, and
> even if you convince them about the stupidity of it all, it's still enforced
> by SA law. There is nothing an e-mail administrator can do about it. Very
> sad but true :(

Apparently, the State of New York is going to require disclaimers on email at all public offices and agencies. On top of archiving requirements, I wonder if anyone has done the math on how much storing the extra text on every single message is going to cost. Fun? WOW!
[Mimedefang] Nolisting
Volume 50 of jgc's spam and antispam newsletter had a link for Nolisting, Poor Man's Greylisting at http://www.joreybump.com/code/howto/nolisting.html .

Basically, the premise is to set an MX with a high preference pointing to a system that does not listen on port 25. Broken mailers would attempt to connect to it, fail, and not try a lower preference mail exchanger. A real mailer would fall back to a lower pref MX.

When I was first starting with spam filtering, I had 2 servers with unequal preferences and it seemed that more garbage would head to the lower preference exchanger, possibly thinking it was an offsite backup MX that wouldn't have as stringent a filter, or none at all.

What you would end up with is three classes of MX records:

1. One high priority record which points to an address that doesn't answer on SMTP.
2. Medium priority records that point to real mail servers that accept your mail.
3. One or more low priority records that point to addresses that do not answer on SMTP.

What does the collective wisdom of the list think about Nolisting, and the idea of a low preference MX record as well?

---
The Vista Content Protection specification could very well constitute the longest suicide note in history -- Peter Gutmann
http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.html

William Brown
Web Development & Messaging Services
Technology Services, WNYRIC, Erie 1 BOCES
(716)821-7285
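The three-class MX layout proposed in the message above, modelled as an added example (not part of the original post): it simulates which kinds of sender still reach a live server and audits a zone for the two decoy positions. The host names, preference numbers and the three sender models are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class MX:
    preference: int   # lower number = tried first
    host: str
    listens: bool     # True if an SMTP server answers on port 25


# Constructed zone for example.org with the three classes from the post.
NOLISTING_ZONE = [
    MX(5, "decoy-high.example.org", False),
    MX(10, "mx1.example.org", True),
    MX(10, "mx2.example.org", True),
    MX(90, "decoy-low.example.org", False),
]

# Sender models (assumptions for this simulation):
#   rfc          walks every MX in preference order until one answers
#   first_only   tries the most-preferred MX once and gives up
#   lowest_only  goes straight to the least-preferred MX, expecting a
#                weakly filtered backup
STRATEGIES = ("rfc", "first_only", "lowest_only")


def attempt_order(records, strategy):
    """Return the MX records a sender of this type will try, in order."""
    ordered = sorted(records, key=lambda r: (r.preference, r.host))
    if strategy == "rfc":
        return ordered
    if strategy == "first_only":
        return ordered[:1]
    if strategy == "lowest_only":
        return ordered[-1:]
    raise ValueError(f"unknown strategy: {strategy}")


def deliver(records, strategy):
    """Return the host that accepted the message, or None if none did."""
    for mx in attempt_order(records, strategy):
        if mx.listens:
            return mx.host
    return None


def audit(records):
    """List reasons a zone fails to give the effect described in the post."""
    if not records:
        return ["zone has no MX records"]
    ordered = sorted(records, key=lambda r: r.preference)
    problems = []
    if not any(r.listens for r in ordered):
        problems.append("no MX accepts mail")
    if ordered[0].listens:
        problems.append("most-preferred MX is live")
    if ordered[-1].listens:
        problems.append("least-preferred MX is live")
    return problems


if __name__ == "__main__":
    for strategy in STRATEGIES:
        print(f"{strategy:12} -> {deliver(NOLISTING_ZONE, strategy)}")
    print("audit:", audit(NOLISTING_ZONE) or "ok")
```

A decoy that silently drops packets instead of refusing the connection makes compliant senders wait out a TCP timeout before they fall back to the next MX.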
Re: [Mimedefang] Re: On pinheaded ISP's (sort of OT)
Les wrote on 01/31/2007 03:52:58 PM:

> Is 'your' queue better than everyone else's? Why not do a 4xx tmpfail
> if your address check temporarily fails? Any real MTA should be
> prepared to queue and retry.

Why bother even having a backup MX if all it will do is return a 4xx? Why not let the sending server just fail to connect to your server and it will retry just as long before failing?
Re: [Mimedefang] On pinheaded ISP's (sort of OT)
Sven Willenberger <[EMAIL PROTECTED]> wrote on 01/31/2007 01:04:26 PM:

> While the AOL feedback loop can be useful occasionally to track down a
> spammer on our end, I find that most of the submissions are completely
> unwarranted. I constantly see things like "Hi jim, just lettin you know
> betty recovered fine from her operation", or holiday photos, or even
> confirmation of orders the aol user placed being reported. There is no
> accountability placed on the AOL users (i.e. a weighting system that
> says that what user A reports as spam is generally very much spam while
> User B tends to report almost everything as spam regardless of content).
> It only becomes an issue when there are enough User B's there to cause
> temporary blacklisting of our outbound mailservers . . .

On a Listserv list, it was mentioned that the delete button and the report as spam buttons are very close together in the AOL client, leading to a lot of false reporting. Too bad they don't require confirmation when you click the report as spam button. If their spam filters are as effective as they claim, this shouldn't be a big deal.
Re: [Mimedefang] Re: On pinheaded ISP's (sort of OT)
Scott Silva <[EMAIL PROTECTED]> wrote on 01/31/2007 11:37:04 AM:

> David F. Skoll spake the following on 1/31/2007 8:07 AM:
> > Philip Prindeville wrote:
> >
> >> What interest would the victim of the spam have in forging
> >> log files? What does he have to cover up?
> >
> > The alleged victim may not be a victim at all, but might be trying
> > to get the person he's complaining about in trouble.
> >
> > We've had a few unfounded accusations that we've been sending
> > spam over the last few years; I'm sure it's happened to many others on
> > this list.
> >
> You evil spammers always say that you don't send spam! ;-)
> (Please notice the smiley, I don't want to start a war!)
> And people will report stuff that they actually "subscribed" to as spam when
> they tire of it.

Which is why the end recipient of the message suspected/accused of being spam must submit the entire message, or at least enough to substantiate the claim that it is spam, to their ISP and/or the sender's ISP, and/or the abuse address for the sender's domain. Any other claim doesn't have sufficient evidence on its own to prove spamming.
Re: [Mimedefang] OT: Blocking Port 25
[EMAIL PROTECTED] wrote on 01/29/2007 05:53:01 PM:

> I'm not even that sure it would help the spam problem. The majority
> of the spam I receive these days come via ISP mail servers or open
> relays. This may of course simply mean that I'm not receiving a
> "normal" pattern of spam...

I don't think you're seeing anything unusual. I see a lot coming through the local cable internet company's mail servers. Probably zombied winboxes picking up the relay setting from Outlook.
Re: [Mimedefang] OT: Blocking Port 25
[EMAIL PROTECTED] wrote on 01/29/2007 04:14:36 PM:

> Reminds me of when I had Footguy (http://www.waste.org/footguy/)
> running on port 25 of my firewall and I received a call from a rather
> befuddled Comcast technician wondering just what that was...

Sounds like a fun thing to do to spammers... For known spam IPs, redirect them to a footguy server! Footguy for president!!

Or for David: Footguy for Prime Minister! Can't be any stiffer than Steven Harper!
Re: [Mimedefang] On pinheaded ISP's that insist on a copy of Spam
Since the receiving end user is the one initiating the complaint (to their ISP), they are the one that should provide the offending email, including all headers. Without it, their ISP should decline to proceed any further. No one need violate anyone's privacy.

---
The Vista Content Protection specification could very well constitute the longest suicide note in history -- Peter Gutmann
http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.html

William Brown
Web Development & Messaging Services
Technology Services, WNYRIC, Erie 1 BOCES
Re: [Mimedefang] regex filter unwanted words
> You can probably think of more examples.

I always liked the example of the town of Scunthorpe in the UK. See http://en.wikipedia.org/wiki/Scunthorpe_Problem

My wife used to have problems with "Hiscock" being part of her employer's domain name.
Re: [Mimedefang] regex filter unwanted words
John Rudd wrote on 01/22/2007 06:17:48 PM:

> As many as you can fit. But I would be very careful about it. Plus, I
> would make sure to use "\b" around the words, so that you're not getting
> sub-string matches. For example:
>
> \bsex\b will match "sex" but not match "Wesex".

I can't second this strongly enough! I had a very *IRATE* user complaining about not receiving email from his boss. Turns out he had created a rule in his mail client to block a certain four letter word and forgot about it. The problem started when he added his title "Programmer Analyst" to his signature block and he stopped getting replies to his messages.
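The "\b" advice quoted above, run over a few subject lines as an added example (not code from the thread or from MIMEDefang): the same word list is compiled once as a substring match and once with word boundaries, and the false positives of each are compared. The word list and the sample subjects are constructed.

```python
import re

# Constructed block list for the demonstration.
BLOCKLIST = ["sex", "cialis"]

# Constructed subject lines: (text, is_spam).
SAMPLES = [
    ("Meet our heart specialist in Wesex", False),
    ("Minutes from the Sussex and Essex offices", False),
    ("Cheap CIALIS, no prescription needed", True),
    ("Sex sells: buy now", True),
]


def compile_filter(words, whole_words):
    """Build one case-insensitive regex from the word list."""
    # Escape each word so list entries are never treated as regex syntax.
    alternation = "|".join(re.escape(w) for w in words)
    if whole_words:
        pattern = rf"\b(?:{alternation})\b"
    else:
        pattern = rf"(?:{alternation})"
    return re.compile(pattern, re.IGNORECASE)


def hits(regex, text):
    """Return every listed word the regex finds in text, lower-cased."""
    return [m.group(0).lower() for m in regex.finditer(text)]


def evaluate(words, samples, whole_words):
    """Return (false_positives, false_negatives) for the given samples."""
    regex = compile_filter(words, whole_words)
    false_pos, false_neg = [], []
    for text, is_spam in samples:
        matched = regex.search(text) is not None
        if matched and not is_spam:
            false_pos.append(text)
        elif not matched and is_spam:
            false_neg.append(text)
    return false_pos, false_neg


if __name__ == "__main__":
    for whole in (False, True):
        fp, fn = evaluate(BLOCKLIST, SAMPLES, whole)
        label = "word-boundary" if whole else "substring"
        print(f"{label:14} false positives={fp} false negatives={fn}")
```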
Re: [Mimedefang] Re: compare mimedefang to mailscanner
DFS wrote on 01/18/2007 09:21:32 AM:

> (My marketing people will kill me for mentioning competitors...)

No doubt, but your openness is appreciated!

> Two big ones come to mind: Brightmail and PureMessage. Also, some
> outsourced solutions like Postini and MessageLabs seem to do at least
> some rejection during the SMTP conversation.

I looked at Brightmail, but did not do an eval. Price and level of customization were the big factors. Given our end users are teachers who would not want their own trap to review, CanIt streamed by domain (school district) works very well for us.

> There's definitely a tradeoff. Doing your filtering during SMTP imposes
> very aggressive time constraints. It's quite a challenge to scale a
> MIMEDefang/CanIt installation up to the several-million-messages/day level.
> Doing filtering after-the-fact lets you breathe a bit easier and smooth
> out peak loads over the day.

Yeah, tell me about it. We're up to 71 school districts we're filtering and I'm in my second round of adding servers. But I remain convinced that filtering during SMTP is the correct way to go.
Re: [Mimedefang] Re: compare mimedefang to mailscanner
John Rudd <[EMAIL PROTECTED]> wrote on 01/17/2007 07:11:51 PM:

> Dropping without notifying _anyone_ is "an even worse practice". You
> don't have to notify the sender, as long as you notify the recipient
> (and vice versa).

Which is just another piece of annoying email in the inbox. Why bother removing the spam if you're just going to deliver a "message held" email in its place?
Re: [Mimedefang] Re: compare mimedefang to mailscanner
Les Mikesell <[EMAIL PROTECTED]> wrote on 01/17/2007 06:25:29 PM:

> Which is why the scanner should run as a milter so it can inform the MTA
> what to do at the appropriate time.

Does anyone know of other commercial spam filters besides CanIt that are milter based or at least operate during the SMTP conversation? When I selected CanIt 3 years ago, it was the only one I came across that operated in this manner. Everything else I looked at closed the connection and then scanned the message. I liked the milter approach, which made the selection a simple choice.
Re: [Mimedefang] Re: Problem on attachment name
"Ing. Andrea Vettori" <[EMAIL PROTECTED]> wrote on 01/17/2007 09:13:03 AM:

> if this is an acceptable solution to the company where the mimedefang/
> f-secure installation is, how can I check the condition and how can I
> send the email to the sender ?
> Does exist in mimedefang a standard way to send a report back to the
> sender ? And how can I check for the "unquoted content-type filename"
> condition before mimedefang runs the antivirus on the message ?

I should have been more explicit. This is my response to internal users that contact me complaining about mail problems, and I have determined the issue is at the remote end.
Re: [Mimedefang] Re: Problem on attachment name
"Ing. Andrea Vettori" <[EMAIL PROTECTED]> wrote on 01/17/2007 02:30:09 AM:

> Apple confirmed the bug and says they are working on it. Now I really
> need a temporary workaround. Any hint ?

"The sending server is broken. There is nothing I can do about it as it is not under my control. Please advise the sender to fix their mail server or find an alternative method of sending the information/file."

Substitute "receiving server" as appropriate, depending on which direction the message is flowing. This statement or some variation of it is my standard response when the other end is the cause of the problem.
Re: [Mimedefang] Re: OT: New Attack/Poor SPAMming programming?
Jan-Pieter Cornet <[EMAIL PROTECTED]> wrote on 01/16/2007 05:20:44 PM:

> > >http://www.acme.com/mail_filtering/sendmail_config_frameset.html
>
> The information is a bit outdated. Also I don't agree with the "DNSBLs
> are bad" recommendation (we're blocking over 50% of the mail using
> DNSBLs here).

A more accurate statement would be "Some DNSBLs are bad." Not all are as evil as he makes them out to be. Some are truly horrendous. One in particular sticks in my mind, but I went looking for it the other day and

[I] Ding dong BlarsBL is dead! [/I]

In fact, it seems his domain has been sucked up by a squatter.
Re: [Mimedefang] Re: compare mimedefang to mailscanner
John Rudd <[EMAIL PROTECTED]> wrote on 01/16/2007 03:10:29 PM:

> But the other side of that coin is: if you need that kind of
> hand-holding, you might be better off paying for canit-pro. It uses
> MIMEDefang at its core (right? I didn't misinterpret that?), and wraps
> around that a support/etc. package. I'm willing to bet that it ends up
> doing a lot of that kind of "softened learning curve" stuff for you.

Yes, CanIt uses MIMEDefang as its core, wrapped with a web GUI and a database backend for clustering. I'm using CanIt Pro to filter email for 71 school districts in Western NY with great success. I have had very few problems, and Roaring Penguin provides great support. I did set up a MIMEDefang box before investigating CanIt Pro and liked the way it works (see previous messages about milter operation). CanIt Pro has also proved to be very cost effective for our organization in addition to doing a great job filtering mail.

Disclaimer: This has been an unsolicited testimonial from a satisfied user. Even though I use CanIt, I read the MD list because I find it fascinating, and I learn a lot, but I don't touch any of the code samples, even though I could since CanIt comes with full source code.

--
William Brown
Web Development & Messaging Services
Technology Services, WNYRIC, Erie 1 BOCES
Re: [Mimedefang] DoD finally bans HTML e-mail
DFS wrote on 01/08/2007 10:11:53 AM:

> I think you'd be better off filtering the HTML part through lynx -dump.
> You can even do it with some fairly simple MIMEDefang code in filter:

[code snipped]

> Be aware that this will consume quite a bit of CPU power, and very likely
> annoy the h*ll out of your users. :-)

Oh, I have no doubt that it will p!ss off the users, and that's why no one wants to do it. But if the ban spreads beyond the military and to other parts of the US government, it might be possible to push for it here. Guess I would just have to place an order for more hardware.

On my original suggestion, would it be worth blocking messages where there is either no plain text or it differs significantly from the HTML in terms of blocking spam?
Re: [Mimedefang] DoD finally bans HTML e-mail
Kenneth Porter <[EMAIL PROTECTED]> wrote on 01/07/2007 04:50:11 AM:

> Some of the replies have some good points.
>
> This one is interesting:
>
> > won't do what you think it does
> > Hey folks, this isn't going to do anything for security. There's
> > going to be a button that allows them to simply click and turn this back
> > into an html email. It's NOT stripped text, it's just hidden the html
> > code behaviors. Push the button and you're back to HTML!

OK, so that's just a stupid implementation. I would like to ban HTML here, and sending all sorts of articles and links to Gartner reports etc. doesn't seem to get the message through.

If I were implementing it, I would simply strip any tags, possibly replacing some of them with their intended action, i.e. spaces and line breaks. Maybe HREF tags would get everything but the URL stripped so users could still get the link being sent. What would be left might be a little ugly, but at least readable, and they couldn't hide stupid text with white on white or small fonts. At least the message gets through.

A different way to do it would be to see if there are text and HTML sections that are nearly the same and strip the HTML portion. If there isn't a text portion, or they aren't similar, then reject the message.

Or just say "screwit" and reject anything with HTML.
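The two ideas in the message above (strip the tags but keep line breaks and link targets, then compare the result with the plain-text part), sketched as an added example that is not code from the thread or from MIMEDefang. The sample messages, the 0.8 similarity threshold and the decision names are assumptions, and a link's URL is shown only when it differs from the visible link text.

```python
import difflib
import re
from html.parser import HTMLParser

BLOCK_TAGS = {"br", "p", "div", "tr", "li", "h1", "h2", "h3"}  # become line breaks
SKIP_TAGS = {"script", "style", "head"}                        # never shown as text


class _TextExtractor(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts, self.link_text = [], []
        self.skip_depth = 0
        self.href = None

    def handle_starttag(self, tag, attrs):
        if tag in SKIP_TAGS:
            self.skip_depth += 1
        elif tag in BLOCK_TAGS:
            self.parts.append("\n")
        elif tag == "a":
            self.href = dict(attrs).get("href")
            self.link_text = []

    def handle_endtag(self, tag):
        if tag in SKIP_TAGS and self.skip_depth:
            self.skip_depth -= 1
        elif tag in BLOCK_TAGS:
            self.parts.append("\n")
        elif tag == "a" and self.href is not None:
            # Expose the real target when the visible text does not show it.
            if self.href.strip() != "".join(self.link_text).strip():
                self.parts.append(f" <{self.href}>")
            self.href = None

    def handle_data(self, data):
        if self.skip_depth:
            return
        self.parts.append(data)
        if self.href is not None:
            self.link_text.append(data)


def html_to_text(html):
    """Strip markup; text hidden by colour or font size becomes visible."""
    parser = _TextExtractor()
    parser.feed(html)
    parser.close()
    lines = "".join(parser.parts).splitlines()
    lines = [re.sub(r"[ \t\xa0]+", " ", ln).strip() for ln in lines]
    return "\n".join(ln for ln in lines if ln)


def _words(text):
    return re.findall(r"[a-z0-9']+", text.lower())


def part_similarity(plain, html):
    """Word-level similarity (0.0 to 1.0) of the plain part and stripped HTML."""
    matcher = difflib.SequenceMatcher(
        None, _words(plain), _words(html_to_text(html)), autojunk=False)
    return matcher.ratio()


def decide(plain, html, threshold=0.8):
    """Return 'deliver', 'strip-html' or 'reject' as outlined in the post."""
    if html is None:
        return "deliver"
    if not plain or not plain.strip():
        return "reject"            # HTML with no text alternative
    if part_similarity(plain, html) >= threshold:
        return "strip-html"        # parts agree: keep only the text part
    return "reject"


# Constructed sample messages.
HONEST_PLAIN = "Hi Bill,\nThe report is at http://intranet.example.org/report\nThanks, Pat\n"
HONEST_HTML = ('<html><head><style>p{color:red}</style></head><body><p>Hi Bill,</p>'
               '<p>The report is at <a href="http://intranet.example.org/report">'
               'http://intranet.example.org/report</a></p><p>Thanks, Pat</p></body></html>')
MISMATCH_PLAIN = "Quarterly newsletter attached.\n"
MISMATCH_HTML = ('<body><p>Special offer, click <a href="http://offers.example.net/x">here</a></p>'
                 '<font color="#ffffff" size="1">quarterly newsletter meeting agenda '
                 'minutes budget</font></body>')
```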
Re: [Mimedefang] Sendmail 8.14.0 Beta available
Joseph Brennan <[EMAIL PROTECTED]> wrote on 01/04/2007 12:29:03 PM:

> CONFIG: New FEATURE(`require_rdns') to reject messages from SMTP
> clients whose IP address does not have proper reverse DNS.

Do they define "proper reverse DNS"?

> CONFIG: New FEATURE(`block_bad_helo') to reject messages from SMTP
> clients which provide a HELO/EHLO argument which is either
> unqualified, or is one of our own names (i.e., the server
> name instead of the client name).
> CONFIG: New FEATURE(`badmx') to reject envelope sender addresses
> (MAIL) whose domain part resolves to a "bad" MX record.
> Based on contribution from William Dell Wisner.
>
>
> All of these are a little dangerous. Notably, an smtp server should
> accept mail with bad HELO strings from clients.

Yes, anything that blocks any email could be considered a little dangerous because some email some (L)user wants was blocked. Just like ORDB blocking open relays blocked legitimate mail from misconfigured mail servers. But it forced people to clean up their server configs. I think these new options will do the same. And that's a good thing.
Re: [Mimedefang] Filtering usernames
Kenneth Porter <[EMAIL PROTECTED]> wrote on 12/15/2006 07:43:46 AM:

> One rule that comes to mind is to reject all usernames with no vowels in
> them. The names I choose always have vowels. Does anyone see any obvious
> problems with that? I can't do that with a sendmail table, but it's easy to
> do with MD.

I'm not sure how much you would catch with that. Why not always include a special string in all email addresses you use, such as "KP-SW", and test for that? Reject any message that does not include it in the recipient address.
Re: [Mimedefang] $RelayHostname not matching sendmail's Received header?
Jeff wrote on 12/09/2006 04:57:51 PM:

> So, when my server sends e-mail, it uses "saber.nabs.net" as its
> "EHLO", and the connection comes from 71.246.216.107. "host
> saber.nabs.net" returns 71.246.216.107, which is the same IP that the
> connection comes from. So far, so good.
>
> But, "host 71.246.216.107" returns:
> static-71-246-216-107.washdc.fios.verizon.net.
>
> This hits on just about every "is this a generic rDNS" regex. But, as
> you can see by the name, it's not likely to be a dialup/dynamic, etc.
>
> So, I vote for any change to the Botnet code that ends up with my type
> of situation (which is pretty much what Jan-Pieter was also describing)
> not getting rejected.

Since many home dialup/DSL/Cable users that want to connect to their AUP-violating servers at home use free dynamic DNS services, I have a proposal to help separate them from the legit servers like Jeff describes. The free dynamic DNS servers usually have very short TTL values, and presumably, a legitimate server like saber.nabs.net has a more reasonable (greater than 2 hour) value. By checking the TTL, you can help weed out the bogus servers without blocking small business mail servers on DSL/etc connections.

Another test might be to see who hosts their DNS, but that might be more problematic. If it is a known free, dynamic DNS server, regardless of TTL, would that be a spam indicator?
Re: [Mimedefang] bounce check with sendmail and md_check_against
DFS wrote on 11/30/2006 02:10:27 PM:

> What's your internal server running? Some versions of MS Exchange and qmail
> don't reject invalid recipients at RCPT time, so md_check_against_smtp_server
> is useless. With other versions of Exchange, you need to explicitly
> enable RCPT-time checks; google for "Exchange Recipient Filter"

Early versions of Lotus Domino servers did not reject invalid recipients at RCPT time either. It became an option in 6.0 or 6.5. If the original poster needs help finding the option, contact me off list, I'd be glad to help.
Re: [Mimedefang] When to do Virus checks
Joseph Brennan <[EMAIL PROTECTED]> wrote on 11/30/2006 08:56:14 AM:

> If you reject messages with executable attachments first, let us know
> whether the virus check catches anything at all.

Out of curiosity, I looked at the statistics report from my CanIt Pro installation. More virii than executables. I hadn't really paid attention to that before. I checked the documentation and it indicates that it checks for infection before executable. Now I'm curious why. I agree that it would seem to make sense to check for extension before virus scanning.
Re: [Mimedefang] Question about mimedefang-filter
> Not to mention legit words that contain blacklisted words. Looking for
> "cialis" will trigger on "specialist", for instance.

Best one I ran into was someone who no longer got replies when emailing his boss after he added his title of "Analyst" to his sig block and started hitting the existing simple rule in his client to delete emails with a certain 4 letter word in it.
Re: OT: Re: [Mimedefang] Gary McLean/UK/INSTINET is out of the office.
DFS wrote on 10/20/2006 12:54:28 PM:

> Does Lotus Notes/Domino respect the "Precedence: list" header and not
> send auto-replies?

Apparently not.

> Does it avoid sending auto-replies if the
> sender matches *-request, *-relay, *-owner, owner-*,
> postmaster, mailer and mailer-daemon?

Probably not, and it doesn't seem to avoid replies to *-bounces either.

> Does it add an
> Auto-Submitted: auto-replied header?

I didn't see one in the OoO that sparked this thread.

> Sendmail's "vacation" does all of those things. Very few
> other auto-responders do, alas.

Most other auto-responders will bring a list to its knees with message loops. Sendmail and Domino won't, even if the user misses some of the configuration options available to prevent sending to lists.
OT: Re: [Mimedefang] Gary McLean/UK/INSTINET is out of the office.
renaud pascal <[EMAIL PROTECTED]> wrote on 10/20/2006 08:54:57 AM:

> On Friday 20 October 2006 14:47, Gary McLean wrote:
> > I will be out of the office starting 20/10/2006 and will not return until
> > 23/10/2006.
>
> that's funny, now let's test if this 'vacation' program has got the
> second thoughts bug too ?-)

As much as people complain about the oddities of Lotus Notes/Domino, the Out of Office agent will not cause a message storm on mailing lists. It only replies once to each recipient.
Re: [Mimedefang] [PATCH] Have real load sharing between milters
Martin Blapp <[EMAIL PROTECTED]> wrote on 09/05/2006 06:56:48 PM:

> But after one of the milters have been shut down, we found out
> that DNS round robin with bind sucks.

Does it still do this if, instead of round robin on the A records, you use round robin on the MX records? i.e.:

mail    IN MX 10 milter1.domain.com
mail    IN MX 10 milter2.domain.com
mail    IN MX 10 milter3.domain.com

(assume unique A record for each milter)

Right now, I only have two servers running in parallel, but hope to add a third soon.
Re: [Mimedefang] Allowing only certain sender/recipient pairs
[EMAIL PROTECTED] wrote on 08/09/2006 08:43:19 AM: > List, > > I have been asked to investigate setting up a solution to allow only certain > senders... to email only certain recipients, with any non-approved > sender/recipient messages being rejected. It sounds like the company wants > to look into a "deny-all except that which is specifically allowed" > framework for email. That sounds like a nightmare to manage!! > Has anyone ever set up something like this? What database types were used > to contain the lookup tables for valid sender/recipient pairs? What kind of > performance hits were encountered? And I assume "stream by recipient" was > needed to allow a message to be passed to an allowed user, yet not passed to > a disallowed recipient. What kinds of problems did that create (aside from > the obvious "one message cc'd to 10 people in becomes 10 messages out" kind > of scenario)? > > David - Is this a feature available in the Can-It products? As a CanIt Pro user, it would be possible, at least for the recipients that you want to control being internal users. Set up a stream for each internal user. >From the manual: 5.1.1 Holding Unlisted Senders CanIt-PRO can allow you to decide to only accept mail from a specific list of sender addresses, and to hold mail from all others. This essentially gives you the benefits of a challenge-response or sender opt-in system without requiring that senders perform any extra additional actions before sending you a message. To use this feature: 1. Go to Rules : Senders and add the addresses of people you wish to receive mail from as Always allow. 2. Enable the Hold mail from any sender not listed in Senders Table setting under Preferences : Stream Settings. Messages from the addresses you whitelisted will be allowed, and all messages from senders not specifically listed in the Sender Action Table will be held in your Pending trap, even if they score below your spam threshold. 
Re: [Mimedefang] SPF and really stupid mailers
DFS wrote on 07/12/2006 11:22:37 AM:

> > Anyways, my question is how do you all handle stupid mailers like Hallmark
> > when users complain about them getting blocked for poor email practices.
>
> I don't handle them particularly.

That's my preference!

> I would petition Hallmark to use
> something like [EMAIL PROTECTED] as the envelope
> sender and the entered e-mail address as the From: header. You might
> want to try that.

I'll add that to my comments in the future when asked about similar situations. If the end user wants to pursue it, I'll leave it up to them. I try to avoid taking responsibility for mail servers beyond my control.
[Mimedefang] SPF and really stupid mailers
This morning, I had an issue come up with a customer involving Hallmark.com trying to send a greeting card through our filters. Apparently Hallmark uses the email address of the sender as entered on the web form as the SMTP Mail From: data. That's all well and good until someone uses a domain like Adelphia.net who has an SPF record that says "-all". General practice is to add 5 points for SPF hard failures like this, so the message eventually bounces.

I explained what happened to the customer, and he accepted it, but I'm not sure about the end user. (She was sending the card to herself.) Those e-cards always struck me as a bit lame anyways...

Anyways, my question is how do you all handle stupid mailers like Hallmark when users complain about them getting blocked for poor email practices.

---
SPAM(tm) Ingredients: Pork with Ham, Salt, Water, Modified Potato Starch, Sugar, Sodium Nitrate

William Brown
Web Development & Messaging Services
Technology Services, WNYRIC, Erie 1 BOCES
(716)821-7285
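The hard failure described in this message, and the envelope-sender change suggested in the reply to it, as an added example (not code from the thread or from MIMEDefang). The domains, addresses and SPF records are constructed, and the evaluator handles only the `ip4` and `all` mechanisms, which is all these records use.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed SPF records: isp.example stands in for the card sender's own
# mail domain (published with "-all"), cards.example for the card site.
SPF_RECORDS = {
    "isp.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "cards.example": "v=spf1 ip4:203.0.113.0/24 -all",
}
CARD_SERVER_IP = "203.0.113.25"  # constructed address of the card site's mailer


def check_spf(client_ip, mail_from, records=SPF_RECORDS):
    """Evaluate the envelope sender's SPF record against the connecting IP."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    terms = records.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            return QUALIFIERS[qualifier]
        if term.lower().startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
            continue
        raise ValueError("mechanism not handled in this example: " + term)
    return "neutral"  # nothing matched and the record has no "all" term


def spf_points(result, hard_fail_points=5):
    """Score contribution: 5 points for a hard failure, as in the message."""
    return hard_fail_points if result == "fail" else 0


def evaluate(message):
    result = check_spf(message["client_ip"], message["mail_from"])
    return result, spf_points(result)


# The same card sent two ways. SPF only looks at the envelope sender
# (MAIL FROM); the From: header is what the recipient's mail client shows.
AS_SENT = {
    "client_ip": CARD_SERVER_IP,
    "mail_from": "user@isp.example",       # address typed into the web form
    "header_from": "user@isp.example",
}
AS_SUGGESTED = {
    "client_ip": CARD_SERVER_IP,
    "mail_from": "bounces@cards.example",  # the card site's own domain
    "header_from": "user@isp.example",
}

if __name__ == "__main__":
    for label, msg in (("as sent", AS_SENT), ("as suggested", AS_SUGGESTED)):
        print(label, evaluate(msg))
```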
Re: [Mimedefang] Starting all over to kill invalid users
Steve Campbell wrote on 07/06/2006 05:11:25 PM:

> 2). It would be nice to be able to do the md_check_against_smtp_server
> using an IP address as opposed to a hostname for the variable $rcpt_host.
> Looking at my logs, I see where it checks the IP defined by my DNS for the
> $rcpt_host, even though I have a different internal address defined in my
> host file (much like sendmail does if you don't put square brackets around
> the IP), so I guess it is working correctly. Is there any way to force the
> function to use an alternately-defined IP for a hostname?

GAH!!! Hard coding IP addresses whenever not absolutely necessary is one of my pet peeves. What happens when that server gets moved to a different VLAN and the address changes? Odds are that someone will forget the numeric address was hard coded into your filter and the whole thing stops working. Remembering to update it once in the DNS is a no brainer.

Why would you want to use IP instead of name? Don't your users resolve the mail server's name via DNS anyways? I know that in most POP/IMAP clients you do, as well as Lotus Notes. Can't speak for M$ Exchange though. DNS was invented to do away with having to maintain hosts files.

Can you explain the scenario better, we might understand why you might need to use IP address, but I'm sceptical of the need
[Mimedefang] OT Happy Birthday SPAM
http://en.wikipedia.org/wiki/Spam_%28food%29

---
SPAM(tm) Ingredients: Pork with Ham, Salt, Water, Modified Potato Starch, Sugar, Sodium Nitrate

William Brown
Web Development & Messaging Services
Technology Services, WNYRIC, Erie 1 BOCES
(716)821-7285
RE: [Mimedefang] Sendmail 8.13.7 released
[EMAIL PROTECTED] wrote on 06/15/2006 08:35:56 AM:

> You just reminded me of a quote...
> "It's not black magic, but there are legitimate technical reasons why
> sendmail configuration requires the sacrificing of a live chicken."
>
> -unknown-

I have the same quote posted prominently on my wall...
Re: [Mimedefang] OT: www. and "lazy users" (was Re: DNS and MX records)
Kelson <[EMAIL PROTECTED]> wrote on 05/15/2006 01:41:17 PM:

> The only real use for the www. prefix is as a visual cue indicating that
> the address refers to a website. It's shorter and more aesthetically
> pleasing than http:// It's certainly not easy in speech. "double-u
> double-u double-u dot example dot com" takes a lot longer to say than
> just "example dot com." And let's not even start with "H T T P colon
> double-slash..."

I gotta say the www. is more pleasing than HTTP:// and it's shorter too. Four keystrokes (three of them on the same key) vs. seven.
RE: [Mimedefang] DNS and MX records
[EMAIL PROTECTED] wrote on 05/10/2006 08:57:53 AM:

> That is known as the implicit MX and is held over from before the MX
> resource record existed. However, in my opinion, it has long outlived
> its usefulness and now poses issues when a domain really doesn't want
> to have mail exchanged in their name. I've resorted to using an MX
> record of "0 ." for my domains that do not send or receive mail. This
> at least causes an immediate bounce and saves mail servers from connecting
> to a web server for 5 days.

I've taken several approaches to blocking mail. On some domains, I set up an MX record that points to a server where the access file rejects everything for the domain. I usually do this where the domain used to accept mail and real humans may still try sending to it.

The other thing is to put the server the A record points to behind a firewall that drops all traffic except that which is expected. Usually, domain.tld would be the same as www.domain.tld, registered for those too lazy to type "www." as part of the address. Of course marketing types like to say "Visit us online at sony.com!!"

The latter ties up the sending host a little because it has to wait for the packet to time out because of the drop rule. And who cares if they keep trying for 5 days.
Re: [Mimedefang] Another silly idea
Martin Blapp wrote on 05/03/2006 05:27:55 PM:

> Do you mean something like:
>
> http://antispam.imp.ch/03-wormlist.html?lng=1

Exactly. I saw the comments in your other message about it being regional. How are you collecting the data? Is it only systems that have sent to your server(s)? Do you age systems out of the RBL after three days? Do you think it blocks much spam (the UCE type), or just repeat virus senders?
RE: [ot] rant about changing ISPs being ludicrous Re: [Mimedefang]Another silly idea
[EMAIL PROTECTED] wrote on 05/03/2006 11:48:16 AM:

> You guys in the States need to embrace the world of technology ;-)

But if you listen to our politicians, we're leading the world when it comes to technology. Hell, even China has better penetration of high speed internet than the US does in rural areas.
Re: [Mimedefang] Another silly idea
[EMAIL PROTECTED] wrote on 05/03/2006 04:08:05 AM:

> adsl.$a.$b.$c.$d.someisp.net is not what I expect to be the email
> server of any decent organization ... whether it's a company or a home
> mail server (btw: I am in that latter category). If you are an
> end-user, then you should go through your ISP's mail server. No if's
> and's nor but's. If you're a server, whether it's corporate, so-ho, or
> home enthusiast, then set up your service and system to look like one.
> If you don't, I don't see why I should accept email from you. So I
> don't.

[snip]

> I don't see how that's my problem. For one, I do pay a slightly higher
> fee in order to have a static IP address through an ISP that lets me
> set my PTR record to match my forward DNS. That's the price _I_ pay
> for having my own mail service instead of doing email through services
> whose processes I don't like.

Congratulations. You have an ISP that will configure that for you. Not all will for any amount of money.
RE: [Mimedefang] Another silly idea
[EMAIL PROTECTED] wrote on 05/03/2006 05:19:31 AM:

> Effectively, a certificate system would be the same as a whitelist - the
> owner of the system has to take action to have it recognised as a valid mail
> server.

Sounds like SPF... "Owner taking action..." to register SPF record. Some now consider that to be a sign of spam.

> The problem with a certificate system is that I have to be able to
> check the validity of the certificate. 99.99% of home users would have no
> idea of how to register their system as a mail server, which is fine, as they
> also have no idea of how to run a mail server anyway, and wouldn't want to
> even if they had it explained to them, since their ISP does the job for them
> and they are already paying for this service.

...and don't run a mail server and don't send direct to my MX unless they are infected and if their PC ends up on a virus blacklist, who cares?

My proposal was not to tackle the differences between Dynamic vs. static mail senders. I was just thinking that the sending of viruses was a precursor to the same system sending spam, which might sneak in just below your spam threshold. Detect the virus, block the subsequent spam. Also, save CPU detecting the future viruses from the same machine. And as an added benefit, ISPs would start running AV software on their mail servers and start blocking the malware closer to the source.
Re: [Mimedefang] Another silly idea
[EMAIL PROTECTED] wrote on 05/03/2006 02:56:40 AM:

> Well, there is yet another possibility:
>
> The AV software the ISP is running did simply not detect that particular
> malware.

Granted. Perhaps detecting when they first send that virus and allowing them 2 hours to get new defs before actually adding them to the blacklist. Of course, clear explanation and a good link on the "550 rejected because your server sent a virus. See http://virusblocklist.org for info" message would help. Of course, those poor saps running Exchange which hides such useful info would be SOL.

At that link, an easy link for timely removal would help get things flowing again. Tag the address so that if they send another virus within a week, they cannot request removal.
Re: [Mimedefang] Another silly idea
[EMAIL PROTECTED] wrote on 05/02/2006 12:11:00 PM:

> I tried this. Turns out a shocking number of ISPs and businesses don't
> bother running AV software on their outbound servers and just blindly
> relay their users' mail.

If you run the BL locally and no one knows about it. If it's a publicly available RBL that shows up on some of the RBL lookup tools like DNSStuff.com, etc. then the mail server owner wouldn't take the heat. All you would have to do is point to the RBL and say "Your server has sent viruses, and is therefore blocked for security reasons. Please address the situation with the RBL. And by the way, you might want to install some antivirus software on your server." Maybe that way more ISPs could be encouraged to run AV software and prevent the spread.

> If you blacklist IPs based simply on if they've sent you a worm, then
> you'll likely be blocking a lot of legit mail as well. I was just doing
> this as an input to a greylisting system (send me a worm and get
> greylisted for an hour, send mail to too many bad addresses and get
> greylisted, etc.) and I *still* had a whole pile of complaints from my
> users. :-( I tried maintaining a whitelist, but eventually gave it up
> as a bad job.

Blocking open relays used to block a lot of legitimate mail too until owners started closing them down. There is no reason to relay a virus either. By shaming owners and punishing them for poor behavior, maybe we can have the same effect and get them to clean up their act.

> Sticking with SBL-XBL, at least I can be fairly certain that if an ISP
> or business gets themselves blacklisted, they'll find out in short order
> and get themselves removed. The same isn't really true if you're
> running a local blacklist--I shudder to think what would have happened
> if I'd blacklisted and bounced the mail, rather than just delaying it

I use SBL-XBL. I'm looking to enhance it by listing anything that sends a virus and another sign of poor server management.

I am not talking about this being a local blacklist, but a public one where anyone can query 1.2.3.4.virusrbl.org and find out whether that address is a known virus source, and www.virusrbl.org will provide information about why the address is blocked. I'm fairly sure that if an ISP or business gets listed for passing a virus, they'll find out in short order and get themselves removed.
Re: [Mimedefang] Another silly idea
[EMAIL PROTECTED] wrote on 05/02/2006 09:09:08 AM:

> Probably not. Such a blacklist is probably a good idea, but doesn't it
> overlap somewhat with XBL?
>
> http://www.spamhaus.org/xbl/index.lasso

Yes, to a certain degree it will overlap with CBL (one of the lists aggregated into XBL). XBL's description says it detects open relays and open proxies. My thinking is to try to detect the zombies that are closed except to their master (or those renting capacity from the controller). Most of them will eventually end up on RBLs once they start sending spam, but why wait until then if they propagate the infection first?
[Mimedefang] Another silly idea
Since my last idea got shot down pretty thoroughly, I thought I'd float another idea past the list. :)

Since a large volume of spam is sent by machines that have been compromised, frequently by virii, is there any reason to trust a sender that has been seen sending virii in the recent past? My thinking is why not add them to an RBL if they have sent a virus in the past week or two, automatically aging them out after that time (or not, requiring them to request removal).

Even if it is a "legitimate" mail server, I cannot think of any reason to trust it if it does not have functioning antivirus software running. Well, perhaps if it is a very new strain of virus and their provider hasn't updated definitions...

---
"Solving the spam problem is like curing cancer. It's not one disease but 100 diseases, each with their own issues."
-- John Levine co-chairman of the independent Antispam Research Group, part of the Internet Engineering Task Force.

William Brown
Web Development & Messaging Services
Technology Services, WNYRIC, Erie 1 BOCES
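The listing policy floated in this message, together with the two-hour grace period and the removal lock-out proposed in the replies to it, as an added example (not code from the thread). It assumes that a host is listed only if it is still sending viruses after the grace period and that entries age out two weeks after the last virus seen; the zone name virusrbl.example and the sample address are constructed, and the query name uses the reversed-octet form that DNSBLs conventionally use.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

HOUR, DAY = 3600, 86400
GRACE = 2 * HOUR           # time to pick up new definitions before listing
LISTING_TTL = 14 * DAY     # aged out this long after the last virus seen
REPEAT_WINDOW = 7 * DAY    # a virus this soon after delisting locks the entry
ZONE = "virusrbl.example"  # hypothetical zone name


@dataclass
class Entry:
    first_seen: int
    last_seen: int
    listed: bool = False
    removed_at: Optional[int] = None
    locked: bool = False   # True: removal requests are refused


class VirusSenderList:
    def __init__(self):
        self.entries: Dict[str, Entry] = {}

    def record_virus(self, ip, now):
        """Call when the scanner finds a virus in mail relayed by ip."""
        entry = self.entries.get(ip)
        if entry is None or now - entry.last_seen >= LISTING_TTL:
            # First sighting, or the old record has aged out: start the grace period.
            self.entries[ip] = Entry(first_seen=now, last_seen=now)
            return "grace"
        entry.last_seen = now
        if entry.removed_at is not None and now - entry.removed_at <= REPEAT_WINDOW:
            # Delisted on request, then sent another virus within a week.
            entry.listed = entry.locked = True
            return "relisted-locked"
        if not entry.listed and now - entry.first_seen >= GRACE:
            entry.listed = True
        return "listed" if entry.listed else "grace"

    def is_listed(self, ip, now):
        entry = self.entries.get(ip)
        return bool(entry and entry.listed and now - entry.last_seen < LISTING_TTL)

    def request_removal(self, ip, now):
        """Self-service delisting; refused for locked (repeat) entries."""
        entry = self.entries.get(ip)
        if entry is None or not self.is_listed(ip, now) or entry.locked:
            return False
        entry.listed = False
        entry.removed_at = now
        return True


def dnsbl_name(ip, zone=ZONE):
    """Query name for an IPv4 address: octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def replay():
    """Constructed timeline for one sending host."""
    rbl, ip, t0 = VirusSenderList(), "192.0.2.10", 1_000_000
    return [
        rbl.record_virus(ip, t0),                       # first virus
        rbl.record_virus(ip, t0 + 1 * HOUR),            # still inside the grace period
        rbl.record_virus(ip, t0 + 3 * HOUR),            # still infected after 2 hours
        rbl.request_removal(ip, t0 + 4 * HOUR),         # owner asks to be delisted
        rbl.record_virus(ip, t0 + 2 * DAY),             # another virus within a week
        rbl.request_removal(ip, t0 + 3 * DAY),          # second request
        rbl.is_listed(ip, t0 + 2 * DAY + LISTING_TTL),  # two weeks of silence
    ]


if __name__ == "__main__":
    print(replay())
    print(dnsbl_name("192.0.2.10"))
```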
RE: [Mimedefang] Greylist-busting ratware?
[EMAIL PROTECTED] wrote on 04/21/2006 02:05:52 PM:

> I see this as a good thing. You can tie the spam back to a
> particular user. They change their password, and the ratware is blocked.

Are the credentials really stolen, or is the ratware actually using the credentials that belong on the zombied computer? I would bet the latter. User changes password without cleaning off the infection and goes right back to sending spam.
Re: [Mimedefang] Image blocking idea
DFS wrote on 04/20/2006 09:02:24 AM:

> This is a good idea until spammers start mutating their images.

The same can be said for any spam blocking technique: It's effective until they work around it. Grey listing worked until they started honoring 450 responses. Bayes worked until they started poisoning it. Subtracting points for valid SPF was considered a good idea until spammers started registering SPF records.

How long would it take for spammers to start generating a new graphic for each message? How much would it slow down the sending for them to do so?
[Mimedefang] Image blocking idea
Here's an idea for blocking image spam: What about taking the idea of SURBL and DNSRBLs and extending it to images. My proposal is to hash the image and do a DNS query using the hash value and domain hosting the image RBL. This eliminates the need to OCR the graphic, and if they obscure the text, it doesn't matter. If they send the same image to many recipients, it'll get detected and blocked. Maybe combine this with OCR, doing the hash/lookup first since it should be low cpu cost (but slow on network lookup unless it's already cached).

Odds of a false positive would depend on hash length which would really only be limited by the RFCs for DNS. How long can any element of a DNS name be? Total length of a fully qualified name?

A colleague suggested calling such a system Gerbil, taking the sound of the last 5 letters of "image RBL".

---
"Solving the spam problem is like curing cancer. It's not one disease but 100 diseases, each with their own issues."
-- John Levine co-chairman of the independent Antispam Research Group, part of the Internet Engineering Task Force.

William Brown
Web Development & Messaging Services
Technology Services, WNYRIC, Erie 1 BOCES
(716)821-7285
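The hash-then-query lookup proposed in this message, as an added example (not code from the thread or from any existing list). It works through the length question: RFC 1035 limits one label to 63 octets and a whole name to 255 octets on the wire (253 characters as a dotted name), so a SHA-256 digest written in hex (64 characters) does not fit in a single label while its base32 form (52 characters) does. The zone gerbil.example, the sample image bytes and the 127.0.0.2 answer are constructed.

```python
import base64
import hashlib
import socket

MAX_LABEL = 63           # RFC 1035: one label is at most 63 octets
MAX_NAME = 253           # a full dotted name, without the trailing dot
ZONE = "gerbil.example"  # hypothetical zone for the image list

# Constructed stand-in for the bytes of an image attachment.
SAMPLE_IMAGE = b"GIF89a" + bytes(range(64))


def encode_digest(digest, encoding):
    """Text form of a digest. DNS compares names case-insensitively, so
    only hex and base32 are safe; base64 would lose information."""
    if encoding == "hex":
        return digest.hex()
    if encoding == "base32":
        return base64.b32encode(digest).decode("ascii").rstrip("=").lower()
    raise ValueError("unsupported encoding: " + encoding)


def split_labels(text):
    """Cut an encoded digest into labels of at most 63 characters."""
    return [text[i:i + MAX_LABEL] for i in range(0, len(text), MAX_LABEL)]


def label_plan(algo, encoding):
    """Label lengths needed to carry one digest of the given algorithm."""
    digest = hashlib.new(algo, b"").digest()
    return [len(label) for label in split_labels(encode_digest(digest, encoding))]


def query_name(image_bytes, algo="sha256", encoding="base32", zone=ZONE):
    """DNS name to look up for an image: <digest labels>.<zone>."""
    digest = hashlib.new(algo, image_bytes).digest()
    name = ".".join(split_labels(encode_digest(digest, encoding)) + [zone])
    if len(name) > MAX_NAME:
        raise ValueError("query name exceeds %d characters" % MAX_NAME)
    return name


def system_resolver(name):
    """A records for name via the system resolver; [] if it does not exist."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def is_listed(image_bytes, resolver=system_resolver):
    """True if the list answers with a 127.x.y.z address, as DNSBLs do."""
    return any(a.startswith("127.") for a in resolver(query_name(image_bytes)))


if __name__ == "__main__":
    for algo, enc in (("sha1", "hex"), ("sha256", "hex"),
                      ("sha256", "base32"), ("sha512", "base32")):
        print(algo, enc, label_plan(algo, enc))
    print(query_name(SAMPLE_IMAGE))
```

Because the lookup is an exact match on the digest, changing a single byte of the image produces an unrelated query name, which is the mutation problem raised in the reply.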
Re: [Mimedefang] OT: sendmail dnsbl
[EMAIL PROTECTED] wrote on 04/07/2006 11:34:19 AM:

> No it will be logged. I have a script that runs through the maillog and
> makes some rrdtool graphs, and i want stats on the number of hits for
> each rbl. So i need sendmail to log a different entry for each rbl.

You might research how combined lists such as Spamhaus' XBL do this.

http://www.spamhaus.org/faq/answers.lasso?section=Spamhaus%20XBL#136

You can then log the returned address and parse it to determine which RBL(s) it was listed on.
Re: [Mimedefang] OT: sendmail dnsbl
[EMAIL PROTECTED] wrote on 04/07/2006 11:13:12 AM:

> All,
>
> Is there a way to change the port number that sendmail's dnsbl and endnsbl
> features use? I run a local rbldnsd server and rsync some blacklists. I
> want to know which list rejected an IP, so can't just have one
> FEATURE(`dnsbl') in sendmail.mc.
>
> Rather than having to bind a separate IP address to the rbldnsd server for
> every list, I'd rather just have rbldnsd listen on a different port for
> each list. Anyone doing this? thanks for any ideas...

Are you going to log and/or add to each message's header or will you be checking it manually if there is a question? If the latter, use something like the spam database lookup at http://dnsstuff.com
Re: [Mimedefang] Phishing Question
[EMAIL PROTECTED] wrote on 04/06/2006 10:45:39 AM:

> Not that I would necessarily condone this type of activity, but with the
> amount of spam/spyware/adware/phishing attempts I see in a day, wouldn't
> be a really interesting project to do something like this? Set up a
> database somewhere that had all of the current phishing websites
> locations and the form fields asking for input. Then, create a network
> of computers like SETI, where nice home users run a program on their
> computer that will take idle cycles and put false usernames and
> passwords to these sites. If enough people participated, the data
> collected by the phishers would be so bad, no one would ever buy it.
> No one could possibly verify every entry, either.

You'd probably be taking out (somewhat) innocent third parties. Most of the phishing web sites are on legit servers that have been compromised. I guess you could argue that they deserve it for not securing their servers, but I doubt the owner would feel that way when their business just dies. That would bring in the lawyers, and once that happens nobody wins (except those that bill by the hour).
Re: [Mimedefang] Attention Yahoo subscribers
[EMAIL PROTECTED] wrote on 03/30/2006 12:12:44 PM:

> As I understand it, Yahoo is only using GoodMail to certify
> transactional mails -- i.e. to identify real mail from your bank vs.
> phishing mail, or order confirmations, shipping notices, etc. So the
> lack of a GoodMail seal isn't likely to cause this list any problems.

hhmmm yeah. I wonder how many online retailers are signing up for Goodmail, just so their customers get their order confirmations.

On a related note it seems Avon can't seem to get SPF right. I found several mails from them confirming orders and then corresponding shipment notifications in my trap. Only score was a hard fail for SPF.
Re: [Mimedefang] Attention Yahoo subscribers
[EMAIL PROTECTED] wrote on 03/30/2006 10:47:59 AM:

> Is it just me or is everyone feeling sense of impending doom as well?

Let's just say I'm not optimistic about this.

> Wouldn't it be funny if everyone simply blocked GoodMail users for 1 week?
>
> in access:
> yahoo.com REJECT Please send a check for $0.01US to deliver your email
> aol.com REJECT Please send a check for $0.01US to deliver your email

My inclination is to wait until they reject something. Then tell AOL/Yahoo that you'll accept their for a flat rate of $20 per month. (Simpler bookkeeping)

> Let AOL and Yahoo email each other. ;)

You've got to wonder whether it will come to that. Has anyone heard how many have actually bought into this extortion scheme?
Re: [Mimedefang] Re: [SURBL-Discuss] Fw: Interesting Phishing Trick
DFS wrote on 03/09/2006 11:11:05 AM:

> Probably not... too difficult to implement and too little demand, alas...

OK, but it does sound like a nice feature.

> If I worked at a place like that, my e-mails would all look like this:
>
> PHB-decreed HTML mail

[snip]

Guess that's why you started your own company. ;) The HTML is generated by the mail server (Domino in the case of IBM, but I'm sure Exchange works the same way), so the end user wouldn't have much control over it.
Re: [Mimedefang] Re: [SURBL-Discuss] Fw: Interesting Phishing Trick
DFS wrote on 03/08/2006 10:12:51 PM:

> Ooh! You're onto something! Allowing only strictly-validated HTML
> would have the same effect as disallowing HTML altogether, but would
> be far easier to justify to the PHBs as a
> security/compliance/standards/pick_your_buzzword issue...

I like it! Can I place a request to have it added to CanIt? Perhaps as a per stream option in Pro?

I am still kicking myself for not starting to block all incoming HTML messages as a "security/compliance/standards/pick_your_buzzword issue..." when I first started filtering. This would be a nice compromise that should make it past management.

I was told at an IBM/Lotus presentation that it is corporate policy that all email must be sent as HTML. Hope they format it correctly.
Re: [Mimedefang] OT: Better file transfer system?
Les Mikesell <[EMAIL PROTECTED]> wrote on 02/27/2006 12:02:51 PM:

> Email at least makes a token effort to maintain privacy with
> file level permissions that is hard to duplicate with other
> ad-hoc file exchanges. And, you've probably gone to some trouble
> to screen viruses that would pass other methods. What was the
> problem with email again?

It was over the 10MB limit we have in place.