Re: [Declude.JunkMail] Gateways and CMDSPACE conundrum
Sandy et al.,

Regarding how peering is handled, that sucks! It was a bit of a kludge anyway, more than most at least.

I just got mail bombed on both servers by three different ISP relays. The recipient address was invalid (sent to and from itself), and if I had MS SMTP/ORF configured on both machines to blacklist invalid addresses (instead of just the domain on the backup as is done currently), this would have stopped that attack cold without me lifting a finger. Instead I was stuck scanning as many as 15 incoming messages per second, or at least trying to do so, but not succeeding. Worse yet, the destination server was bouncing NDRs back through our server and each of those was being virus scanned despite the original being in plain text.

I've also noticed that there are a couple hundred E-mails a day in the backup's BadMail directory for locally hosted domains with non-existent accounts. I'm only hosting about 300 accounts in total, and this is all to just those addresses and not the gatewayed domains. Address validation would stop these needless bounces to forged addresses from my servers and help to clean up the Internet.

I have a feeling that the need for CMDSPACE detection falls far short of the need for address validation for gatewayed domains. ORF seems to be a great tool for this because I can do things like configure a local RBL for instance to block virus sending machines on the gateway by maintaining a single zone, along with sender and recipient blacklisting. ORF of course is a very limited spam blocking tool at the moment and not appropriate for such needs.

I'm still thinking about approaching IMail for a solution to recipient blacklisting on gatewayed domains using an 'everything but' methodology. How unrealistic do you think that would be??? It might just be easier to ask VAMSoft for CMDSPACE header logging and dealing with the two separate pieces of technology.
Matt

Sanford Whiteman wrote:

> > With a recent IMail release, you can now set up peering to use RCPT TO to test incoming messages for valid senders.
>
> Right, but the resulting envelope behavior is not different from the old VRFY scenario, AFAIK.
>
> > As long as IMail does envelope rejection for peered domains that fail validation, this setup should work.
>
> There's never been real-time validation and rejection with peering. With just IMail servers, the idea is that a message can enter a "farm" of peers and will only be bounced (not rejected) after the message has been spooled and delivery attempted at every peer. Once you add an MS SMTP server into the mix, you only have one-way peering.
>
> Maybe I'm not clear on what you're suggesting, but I don't see it shedding any light on your issue.
>
> --Sandy
>
> Sanford Whiteman, Chief Technologist
> Broadleaf Systems, a division of Cypress Integrated Systems, Inc.
> e-mail: [EMAIL PROTECTED]
>
> SpamAssassin plugs into Declude!
> http://www.mailmage.com/download/software/freeutils/SPAMC32/Release/
>
> ---
> [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
Re: [Declude.JunkMail] Gateways and CMDSPACE conundrum
Sandy,

Am I correct in assuming that you attempted something similar to the following script on the VAMSoft site?

Envelope header information
http://www.vamsoft.com/orf/tools.asp#smtpenvl

This is how they add headers to the messages containing the MAIL FROM and RCPT To data. I get the feeling from reading the code that they are using some sort of pre-normalized data that MS SMTP spits out, though I'm not at all sure about that. If this data isn't normalized, then this would seem to do the trick with a little bit of modification.

Thanks,

Matt

Sanford Whiteman wrote:

> > I'm eagerly awaiting the results of your research :)
>
> Well, I wish I had better news, but the problem (they'd call it a feature, and for once I think I'd agree) is that MS SMTP "normalizes" the envelope fields as part of normal message flow. Thus, even though the IIS and ORF logs will show extra spaces, they're the only place where the actual protocol commands are preserved.
>
> ORF doesn't do anything special to change this data; it just automatically changes after the message is submitted, and subsequent message inspection during MS SMTP transport will not show any of the original formatting errors.
>
> The only way you could retain the protocol-level data is by plugging in another protocol event sink alongside ORF, but running more than one custom PES on the same system is pretty un-heard-of (I believe it's possible using different priorities, but I've never seen it in practice).
>
> So you are pretty much stuck with (a) giving up, or (b) trying the log inspection option. I really wouldn't trust the latter, since you might actually have to throttle _down_ processing to make sure that the logs can be parsed in time to intercept the message...not good.
>
> Sorry I don't have a fix.
>
> --Sandy
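Added example, not part of the thread and not code from ORF, Declude, IMail or MS SMTP: an illustration of the log-inspection option discussed in the message above, flagging envelope commands that carry whitespace after the colon and showing that the signal disappears once the field is normalized. It assumes CMDSPACE refers to a space between `MAIL FROM:` / `RCPT TO:` and the address; the log layout and the names `inspect_command`, `normalize` and `flag_sessions` are hypothetical.

```python
import re

# Envelope command with optional whitespace after the colon. RFC 5321 syntax
# allows no space between "MAIL FROM:" / "RCPT TO:" and the path.
ENVELOPE_RE = re.compile(
    r"^(?P<verb>MAIL FROM|RCPT TO):(?P<gap>[ \t]*)(?P<path><[^>]*>|\S+)",
    re.IGNORECASE,
)

def inspect_command(raw):
    """Return (verb, address, has_cmdspace) for an envelope command, else None."""
    m = ENVELOPE_RE.match(raw.strip("\r\n"))
    if not m:
        return None
    verb = m.group("verb").upper()
    address = m.group("path").strip("<>")
    return verb, address, bool(m.group("gap"))

def normalize(raw):
    """Mimic a server that keeps only the cleaned-up envelope field (assumption)."""
    parsed = inspect_command(raw)
    if parsed is None:
        return raw.strip()
    verb, address, _ = parsed
    return f"{verb}:<{address}>"

def flag_sessions(log_lines):
    """Map session id -> raw envelope commands that carried the extra space."""
    flagged = {}
    for line in log_lines:
        session, _, raw = line.partition(" ")
        parsed = inspect_command(raw)
        if parsed and parsed[2]:
            flagged.setdefault(session, []).append(raw)
    return flagged

# Constructed sample in a hypothetical layout: "<session-id> <raw command>".
SAMPLE_LOG = [
    "s1 EHLO relay.example.net",
    "s1 MAIL FROM:<alice@example.org>",
    "s1 RCPT TO:<bob@example.com>",
    "s2 HELO mailer",
    "s2 MAIL FROM: <forged@example.com>",
    "s2 RCPT TO:  <forged@example.com>",
]

if __name__ == "__main__":
    for session, commands in flag_sessions(SAMPLE_LOG).items():
        print(session, commands)
    # After normalization both senders have the same form: the signal is lost.
    print([normalize(l.partition(" ")[2]) for l in SAMPLE_LOG if "FROM" in l])
```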
Re: [Declude.JunkMail] Gateways and CMDSPACE conundrum
Sandy,

Well, I haven't yet given up. For one, I could ask VAMSoft if they could allow for header tagging of this type. There is another kludge though that I am thinking might be of use here...

With a recent IMail release, you can now set up peering to use RCPT TO to test incoming messages for valid senders. You could set up each gateway domain to peer off of the ORF enabled instance of MS SMTP for validation with RCPT TO, and then it would handle delivery according to your host file settings (MS SMTP has better queue settings anyway). As long as IMail does envelope rejection for peered domains that fail validation, this setup should work.

I do understand of course that this would be somewhat limiting in terms of capacity due to the delay while checking the RCPT TO, however if installed on the same box or network, this should be very quick. I'm hoping that down the line IMail will have the ability to do envelope rejection for gatewayed domains, and if that comes, you could just strip out the MS SMTP/ORF part without needing to totally retool your environment.

What do you think?

Matt

Sanford Whiteman wrote:

> > Am I correct in assuming that you attempted something similar to the following script on the VAMSoft site?
>
> In the same vein, yes (though actually part of an existing compiled sink that we wrote).
>
> > This is how they add headers to the messages containing the MAIL FROM and RCPT To data. I get the feeling from reading the code that they are using some sort of pre-normalized data that MS SMTP spits out, though I'm not at all sure about that.
>
> Yes, MS SMTP's envelopefields collection is all normalized, and that's all that's available after submission. That's what I was double-checking,
>
> --Sandy
Re: [Declude.JunkMail] Gateways and CMDSPACE conundrum
Matt,

Let me do some research tonight; it's possible that I will have something tomorrow that will let you forward through the incoming envelope stuff in an x- header. (I shudder to think about the log parsing alternative.)

--Sandy
Re: [Declude.JunkMail] Gateways and CMDSPACE conundrum
Sandy,

I'm eagerly awaiting the results of your research :)

Thanks,

Matt

Sanford Whiteman wrote:

> Matt,
>
> Let me do some research tonight; it's possible that I will have something tomorrow that will let you forward through the incoming envelope stuff in an x- header. (I shudder to think about the log parsing alternative.)
>
> --Sandy