Re: [Declude.JunkMail] Can someone help?
Thanks to everyone for your input. It is GREATLY appreciated. I was finally able to figure it out. In IIS, the anonymous logon was using a User account and not an Admin account. I changed it and it worked, thank the Lord! I'm off to bed before I drop. Goodnight all and THANK YOU again!

- Original Message -
From: John T (Lists) [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Friday, November 03, 2006 1:36 AM
Subject: RE: [Declude.JunkMail] Can someone help?

To turn on auditing (which I never understand, why it's not turned on by default in Windows) - MS gives you quite a run-around:

First, in the NT 4.0 days, auditing could easily use up resources and create a huge security log file depending upon the configuration of the security log file. Second, auditing can produce a lot of data, even if configured very narrowly, that one then has to wade through.

- Windows Explorer - go to the root directories of each disk, properties, security, Advanced, Auditing, add the Everyone user and mark the failed checkmarks for the complete list of accesses (I personally also audit successful change permissions and take ownership). Apply this and let it propagate to all subfolders.

- Local Security Policy - go to Local Policies, Audit Policies and turn on all failures. (I personally also audit successful account management and audit policy changes).

Actually, what I do for my servers and for client, is in the Default domain policy (local security policy if no domain,) enable those auditing policies that are appropriate (not all are needed for normal business) AND enable both success and failure on object access. NOTE that auditing of object access is the ONLY auditing that requires 2 steps. All other auditing takes effect without further intervention.

Then, only when needed, (or if by company policy they want to track changes to files in a particular folder such as say payroll data sheets) I go to the folders properties that I want to audit and enable auditing again for what is needed only. Once I am done auditing, I disable on that directory.

John T
eServices For You

Life is a succession of lessons which must be lived to be understood.
Ralph Waldo Emerson (1802-1882)

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Can someone help?
Hi,

I only bring this up because I can't tell you how often I have run into power users and server administrators trying to debug some application problem who were convinced they had no permission problems - because their security log showed nothing. Not only did they not understand that auditing had been off - they had no idea how to turn it on to trace a problem to its roots. Auditing is a key aspect of running a secure system. Shipping a secure operating system with failure auditing turned off borders on a security vulnerability in my mind.

create a huge security log file depending upon the configuration of the security log file.

If by default it would only audit failure, then the log file should not be huge at all. I have never set up a machine (server OR workstation) where failure logging was off and never encountered any log size issues. In fact, if there ARE failures, then in most cases you do WANT to know about it. There may be certain folders where you expect logon errors, so you adjust the auditing for those folders. By inspecting the security log I've often identified client site problems (e.g., failed attempts to update web site files by the application) and was able to fix things for them before they even realized that there WAS a problem with their web site.

Second, auditing can produce a lot of data, even if configured very narrowly

Yes, success auditing could.

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Friday, November 03, 2006 02:37 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Can someone help?

To turn on auditing (which I never understand, why it's not turned on by default in Windows) - MS gives you quite a run-around:

First, in the NT 4.0 days, auditing could easily use up resources and create a huge security log file depending upon the configuration of the security log file. Second, auditing can produce a lot of data, even if configured very narrowly, that one then has to wade through.

- Windows Explorer - go to the root directories of each disk, properties, security, Advanced, Auditing, add the Everyone user and mark the failed checkmarks for the complete list of accesses (I personally also audit successful change permissions and take ownership). Apply this and let it propagate to all subfolders.

- Local Security Policy - go to Local Policies, Audit Policies and turn on all failures. (I personally also audit successful account management and audit policy changes).

Actually, what I do for my servers and for client, is in the Default domain policy (local security policy if no domain,) enable those auditing policies that are appropriate (not all are needed for normal business) AND enable both success and failure on object access. NOTE that auditing of object access is the ONLY auditing that requires 2 steps. All other auditing takes effect without further intervention.

Then, only when needed, (or if by company policy they want to track changes to files in a particular folder such as say payroll data sheets) I go to the folders properties that I want to audit and enable auditing again for what is needed only. Once I am done auditing, I disable on that directory.

John T
eServices For You

Life is a succession of lessons which must be lived to be understood.
Ralph Waldo Emerson (1802-1882)
RE: [Declude.JunkMail] One step forward, ten back
Thanks for the feedback everyone. As an update to my other email, I received 38 spam messages in the last 12 hours. From what I was used to, this is a 1000% improvement. Obviously our spam account is filling up so I'm going to sort through them and get a feel for what kind of weights they are hitting, then set something else up accordingly. Again, I appreciate the feedback. This does help a lot!

Todd

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Bilbee
Sent: Friday, November 03, 2006 12:05 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] One step forward, ten back

Yes, they can coexist, but be sure to use weightrange instead of weight.

    SPAM-LOW    weightrange x x 8 13
    SPAM-MED    weightrange x x 14 24
    SPAM-HIGH   weight x x 25 0

    SPAM-LOW    SUBJECT [%WEIGHT%]
    SPAM-MED    HOLD
    SPAM-HIGH   DELETE

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Doherty
Sent: Thursday, November 02, 2006 9:20 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] One step forward, ten back

I wondered if it's possible to set another one higher to do the deleting, as I'm seeing a lot of stuff at 40 or more.

Absolutely. Several action directives can coexist peacefully in your $default$.junkmail file, like this:

    WEIGHT10    SUBJECT [%WEIGHT%]
    WEIGHT20    MAILBOX SPAM
    WEIGHT30    DELETE

Any message scoring at least 10 will have the weight added at the head of the subject in brackets, like: [12] Buy My Stuff! Any message with 20-29 points will be diverted to the spam folder, and anything scoring 30+ will be deleted.

- Original Message -
From: Todd Richards [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Thursday, November 02, 2006 11:55 PM
Subject: RE: [Declude.JunkMail] One step forward, ten back

Thanks Dave. Actually, I do, but with settings of weight20 send to spam mailbox. I was worried about too many false positives. I wondered if it's possible to set another one higher to do the deleting, as I'm seeing a lot of stuff at 40 or more.

As an update, I found that I had a discrepancy in my weights. I corrected that, and my filtering is doing great now. I logged into my spam mailbox a little bit ago and the few hundred messages that are in there are definitely spam. So it's catching things now and keeping them from my mailbox - which was my main goal. However, now I'd like to clean things up just a little more...

Todd

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Doherty
Sent: Thursday, November 02, 2006 9:34 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] One step forward, ten back

It seems like you're detecting things OK, but not taking action on the results. Make sure you have directives like

    WEIGHT14    MAILBOX SPAM
    WEIGHT20    DELETE

in your default.junkmail file

- Original Message -
From: Todd Richards [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Thursday, November 02, 2006 7:38 PM
Subject: [Declude.JunkMail] One step forward, ten back

Hi Everyone -

We are getting completely hammered by spam and I'm about at my wits' end. A few weeks ago I added a 30-day trial of Message Sniffer and it doesn't seem to be doing any good. Today, I upgraded to the newest version of Declude. I think everything went ok. After reading through the documentation (again) I went through my global.cfg file and cleaned up some things that were questionable. For instance, we had several domains in the WHITELIST TO and WHITELIST FROM. From what I've read and heard through the lists, it's not a good idea to whitelist anything. In fact, earlier today I had some spam come through that was from a whitelisted domain so it just let it through. So I commented them out and planned to watch my spam account (instead of deleting I have caught messages sent to another account for review) to see the results.

So... This happened about 5pm tonight. I went through a short spurt but in the last 90 minutes since then I alone have received over 150 spam messages. Before I made my changes tonight, that is about the number I would receive in one day (which is still too many). In one message, this was in the header. To me, it should have failed and been stopped.

    X-Declude-Scan: Incoming Score [39] at 17:59:29 on 02 Nov 2006
    X-Declude-Fail: CBL [6], FIVETEN-SRC [4], SPAMCOP [7], REVDNS [8], ROUTING [2], SNIFFER [12], WEIGHT10 [10], WEIGHT14 [14], WEIGHT20 [20], WEIGHT20a [20]

Does anyone have any suggestions to what I might be doing
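
Added example (not part of any message in this thread, and not Declude's own code): a Python check that parses the two X-Declude headers quoted above, confirms that the listed test weights add up to the reported score, and finds which of the weight bands posted in the thread the message falls into. The function names are hypothetical, and treating the WEIGHTnn entries as thresholds that fired, and `weight x x 25 0` as "25 and above", are assumptions drawn from the thread.

```python
import re

# Header lines copied from the message quoted in the thread.
HEADERS = (
    "X-Declude-Scan: Incoming Score [39] at 17:59:29 on 02 Nov 2006\n"
    "X-Declude-Fail: CBL [6], FIVETEN-SRC [4], SPAMCOP [7], REVDNS [8], "
    "ROUTING [2], SNIFFER [12], WEIGHT10 [10], WEIGHT14 [14], "
    "WEIGHT20 [20], WEIGHT20a [20]\n"
)

# Bands and actions as posted in the thread; upper bound None = open-ended.
# Reading "weight x x 25 0" as "25 and above" is an assumption.
BANDS = [
    ("SPAM-LOW", 8, 13, "SUBJECT [%WEIGHT%]"),
    ("SPAM-MED", 14, 24, "HOLD"),
    ("SPAM-HIGH", 25, None, "DELETE"),
]

def parse_headers(text):
    """Return (reported_score, [(test_name, bracketed_value), ...])."""
    scan = re.search(r"^X-Declude-Scan:.*?Score \[(-?\d+)\]", text, re.M)
    fail = re.search(r"^X-Declude-Fail:[ \t]*(.*)$", text, re.M)
    if not scan or not fail:
        raise ValueError("X-Declude-Scan / X-Declude-Fail header missing")
    tests = re.findall(r"([\w-]+) \[(-?\d+)\]", fail.group(1))
    return int(scan.group(1)), [(name, int(val)) for name, val in tests]

def band_for(score):
    """Return (test_name, action) of the single band containing score."""
    for name, low, high, action in BANDS:
        if score >= low and (high is None or score <= high):
            return name, action
    return None

def review(text):
    """Cross-check the header and report which band should have acted."""
    score, tests = parse_headers(text)
    # Assumption: WEIGHTnn entries are threshold tests that fired; their
    # bracketed number is the threshold, not a contribution to the score.
    is_threshold = lambda name: re.fullmatch(r"WEIGHT\d+\w*", name) is not None
    contributing = [(n, v) for n, v in tests if not is_threshold(n)]
    return {
        "score": score,
        "sum_of_tests": sum(v for _, v in contributing),
        "thresholds_fired": [n for n, _ in tests if is_threshold(n)],
        "band": band_for(score),
    }

if __name__ == "__main__":
    print(review(HEADERS))
```

With the quoted header, the six scoring tests sum to the reported 39 and four weight thresholds fired, so the message was detected; under the non-overlapping bands it lands in SPAM-HIGH only.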
RE: [Declude.JunkMail] orphaned .hdr files
Do you run fprot by any chance?

-Jay

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Dobbin
Sent: Thursday, November 02, 2006 4:46 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] orphaned .hdr files

I see them from time to time too - never been able to figure out what's going on with them.

John

Has anyone else using SmarterMail and Declude 4.3.7
RE: [Declude.JunkMail] orphaned .hdr files
Yes - but real-time protection is disabled.

Thanks
John Dobbin
Pen Publishing Interactive - http://www.penpublishing.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jay Sudowski - Handy Networks LLC
Sent: Friday, November 03, 2006 4:10 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] orphaned .hdr files

Do you run fprot by any chance?

-Jay

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Dobbin
Sent: Thursday, November 02, 2006 4:46 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] orphaned .hdr files

I see them from time to time too - never been able to figure out what's going on with them.

John

Has anyone else using SmarterMail and Declude 4.3.7
RE: [Declude.JunkMail] orphaned .hdr files
Same here. Declude support advised me to disable fprot and turn on the builtin scanner. That was about an hour ago, and I haven't had any screwed up messages. Typically, I was getting 2-3 every 10 minutes.

-Jay

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Dobbin
Sent: Friday, November 03, 2006 5:31 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] orphaned .hdr files

Yes - but real-time protection is disabled.

Thanks
John Dobbin
Pen Publishing Interactive - http://www.penpublishing.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jay Sudowski - Handy Networks LLC
Sent: Friday, November 03, 2006 4:10 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] orphaned .hdr files

Do you run fprot by any chance?

-Jay

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Dobbin
Sent: Thursday, November 02, 2006 4:46 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] orphaned .hdr files

I see them from time to time too - never been able to figure out what's going on with them.

John

Has anyone else using SmarterMail and Declude 4.3.7