I'm still on an older version of f-prot...just before the /archive switch
changed to /archive=5.
Darin.
- Original Message -
From: "Goran Jovanovic" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, November 23, 2004 8:27 PM
Subject: RE: [Declude.JunkMail] F-Prot Windows 3.16
Hi Darin,
Should you not be using the /ARCHIVE=5 to tell it how many levels to
scan?
Goran Jovanovic
The LAN Shoppe
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> [EMAIL PROTECTED] On Behalf Of Darin Cox
> Sent: Tuesday, November 23, 2004 9:44 AM
thanks for pointing that out.
Looking at the first hourly results from MDLP I can see
some hits for WS. (around 15 per hour)
OB, SC and AB have only one up to 4 hits per
hour.
The SURBL filter file has between 300 and 400 hits in the
same time ranges.
There was no SH result (SURBL says it
yep...we saw this starting last Tuesday. The extra load seems to have come
from zombie PCs, probably due to a recent spate of viruses.
We're down from about a tenfold increase on 11/16 and 11/17 to about a
3-fold increase (by 11/20). Upping CMDSPACE and SNIFFER to hold weights,
and some other mi
Yes, but this could be identified and stopped, as it all comes from the same
IP.
Darin.
- Original Message -
From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, November 23, 2004 11:46 AM
Subject: RE: [Declude.JunkMail] Blocking Dictionary Attacks
Anothe
All of a sudden, my spamreview has gone from about 500 messages a day to
almost 1500...is there just that more coming in...most of it in spamreview
is indeed spam...very few false positives
Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support
"Crossroads to a Clea
Another consideration in the "distributed dictionary attack" is that it
may simply be viral behaviour from infectees who have multiple
addressees in your domain in their address book or elsewhere on their
hard drive.
There are several viruses that fake the left hand side of the mailfrom
address, w
Folks, apparently the PH and JP lists were never setup as
separate SURBL zones, so I would recommend not querying those lists as you will
never get a response from them until Declude JunkMail supports bitmasked
responses.
Bill
- Original Message -
From: Markus Gufler
WS is the heaviest hitter. You could add all of these
lists as a single test which will hit on any response from any of the
lists:
SURBL rhsbl multi.surbl.org * 1 0
Bill
- Original Message -
From: Jason @ AreaTech
To: [EMAIL PROTECTED]
Sent: Tuesday, Nove
- Original Message -
From: Scott Fisher
> I don't believe the Jon Wein and the Phish are testable on their own. I
> haven't received any hits on jp.surbl.org.
Yep, that does appear to be the case for the JP list - it was the last list
added to SURBL, and since it was added after the creat
It's info gleaned from several different lists. I always
try to report anything new to this list anyway...
Bill
- Original Message -
From:
Darin Cox
To: [EMAIL PROTECTED]
Sent: Tuesday, November 23, 2004 6:02 AM
Subject: Re: [Declude.JunkMail] SURBL as RHSBL
How are the results stacking up against your other RHSBL tests?
Very promising. Near the top of the class for RHSBL tests.
Here are my results:
From 11/11/2004 through 11/22:
CatchallMails 53741 total 40835 spam (76%)
AHBL-Domains 4580 total 4188 spam (91.4%)
M
> I would rather not add six new tests to my config. Would you
> recommend a single SURBL test? Which one seems to work better?
I'm running it now on my servers and can report the first results after 24
hours. I'll let you know how much and how accurate all 6 tests will perform.
Markus
--
I would rather not add six new tests to my config. Would you recommend a
single SURBL test? Which one seems to work better?
Regards,
Jason
- Original Message -
From: "Darin Cox" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, November 23, 2004 8:02 AM
Subject: Re: [Declude.
Hmmm...I don't know why that would be there...Scott, can you comment?
Anyway, here's what we use:
SCANFILE C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE /NOBOOT /DUMB /AI /PACKED /SERVER /REPORT=report.txt
VIRUSCODE 3
VIRUSCODE 6
VIRUSCODE 8
Note that we use the /AI, /PACKED, an
Yep...only problem is it won't help against distributed attacks that send
one message per IP, but it sounds like your problem was not as distributed.
Darin.
- Original Message -
From: "Don Schreiner" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, November 23, 2004 9:24 AM
Su
IMail Administrator, SMTP Service, Security tab, Control Access button.
Darin.
- Original Message -
From: "Grant Griffith" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, November 23, 2004 9:14 AM
Subject: RE: [Declude.JunkMail] Blocking Dictionary Attacks
OK, I am going to
I missed that in the release notes - ouch! So... the fpcmd.exe should be
used as Darin stated. I did not notice in the Declude Virus manual when
reviewing this morning, just double checked and sure is there as one of the
2 choices depending on version. All back to normal and thanks guys.
-Don
Thanks for reply. One thing I found this morning on IMail list recent post
was BlackIce settings whereas will auto-block IP for 3 failed non-existent
user attempts within 30 seconds. The BlackIce documentation is poor on this
subject and never figured it out myself over the years we have been u
The Declude Virus manual states f-prot.exe in their example. I did
not know or see that recommendation?
-Don
- Original Message -
From: "Darin Cox" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, November 23, 2004 9:00 AM
Subject: Re: [Declude.JunkMail] F-Prot Window
OK, I am going to jump in here as I would like to know how to tell the
server to only accept email from the gateway, but also still allow users to
send if they authenticate. I know this might be obvious, but I have not
found a way to do this.
Thanks,
Grant Griffith
EI8HT LEGS, A Division of ETC
They certainly could have made it more noticeable, but
From the Release Notes:
The DOS scanner is now no longer installed on NT/2000/XP/2003.
If version 3.16 is installed as an upgrade then the previous DOS
version is removed. The DOS scanner is not suitable for use on
the NTFS file system, now
Don't you want to be using fpcmd anyway? That's the recommended scanner to
use with Declude.
Darin.
- Original Message -
From: "Don Schreiner" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, November 23, 2004 8:49 AM
Subject: [Declude.JunkMail] F-Prot Windows 3.16 Update Mis
Hi Bill,
You seem to always be one of the first to share new blacklists. Where do
you find this info? Is there another list that would be worth joining?
Thanks, man.
Darin.
- Original Message -
From: "Bill Landry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, November 2
A gateway is the only solution I know of for distributed dictionary attacks.
Since the attacks are coming from all over the place, there's no IP to
block.
All the gateway does is move the brunt of the attack off of the primary mail
server to the gateway server. The gateway server should then beco
I posted this to Declude.Virus, but apparently no longer subscribed and
wanted to give folks a heads up here.
Yesterday upgraded to most recent version of F-Prot Windows (fp-win_316_m)
and this morning "by chance" I checked my declude virus log and noticed a
bunch of "Your virus scanner DOES NO
Are there any new strategies for blocking dictionary attacks with Declude?
Our log files are growing and mostly due to the following stacking up it
seems a zillion times over...
ERR MAIL.DOMAIN.NET invalid user
We have used BlackIce for years and helps a lot for those that try X number
SMTP fa
Modification, since I was not thinking, but Declude JunkMail does not
support bitmasked responses. So instead of using the multi zone, you will
need to use:
SURBL_AB rhsbl ab.surbl.org 127.0.0.2 1 0
SURBL_JP rhsbl jp.surbl.org 127.0.0.2 1 0
SURBL_OB rhsbl ob.surbl.org 127.0.0.2 1 0
SU
Markus, if you want to test against all of the SURBLs, since
it's only a single query to the multi zone, use:
SURBL_AB rhsbl multi.surbl.org 127.0.0.32 1 0
SURBL_JP rhsbl multi.surbl.org 127.0.0.64 1 0
SURBL_OB rhsbl multi.surbl.org 127.0.0.16 1 0
SURBL_PH rhsbl multi.surbl.org1