[IMGate] Re: need list of RBL
reject_rbl_client cbl.abuseat.org,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client list.dsbl.org,
reject_rbl_client spamsources.fabel.dk,
reject_rbl_client dnsbl.ahbl.org,
reject_rbl_client dnsbl.njabl.org,
reject_rbl_client zombie.dnsbl.sorbs.net,
reject_rhsbl_sender dsn.rfc-ignorant.org,
reject_rhsbl_client rhsbl.sorbs.net,
reject_rhsbl_sender rhsbl.sorbs.net,

Christopher Checca Packard Transport, Inc. 24021 South Municipal Dr PO Box 380 Channahon, IL. 60410 815 467 9260 815 467 6939 Fax [EMAIL PROTECTED] www.packardtransport.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andrew Kaplan
Sent: Wednesday, April 09, 2008 8:56 PM
To: IMGate
Subject: [IMGate] need list of RBL

Can someone please share their current RBL list, think it's time to update. TIA

--
Andrew P. Kaplan
www.cshore.com

The fishermen know that the sea is dangerous and the storm terrible, but they have never found these dangers sufficient reason for remaining ashore. Vincent Van Gogh
[IMGate] Re: Restrict a accepting SMTP connections
Have postfix(clam) run under a different port ... something really different. Christopher Checca Packard Transport, Inc. 24021 South Municipal Dr PO Box 380 Channahon, IL. 60410 815 467 9260 815 467 6939 Fax [EMAIL PROTECTED] www.packardtransport.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Coveney Sent: Wednesday, January 09, 2008 11:44 AM To: IMGate@mgw2.MEIway.com Subject: [IMGate] Restrict a accepting SMTP connections Does anyone know of a setting where Postfix will only accept SMTP delivery from a specific set of IPs? My Configuration is: [IMGATE(Spam)] -- [POSTFIX(Clam)] -- [Firewall] -- [IMail Server] I would only like the [POSTFIX(Clam)] to accept mail from [IMGATE(Spam)] and not from the rest of the Internet otherwise spam can bypass the [IMGATE(Spam)] and be accepted for delivery. We have Postfix mynetworks is restricted for relaying but since our domains are in the transport of the [POSTFIX(Clam)] server and it is happy to accept and deliver to [IMail Server]. Thanks, Kevin
[IMGate] Re: postgrey_exceptions.map
Nobody willing to post their map? Christopher Checca Packard Transport, Inc. 24021 South Municipal Dr PO Box 380 Channahon, IL. 60410 815 467 9260 815 467 6939 Fax [EMAIL PROTECTED] www.packardtransport.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Len Conrad Sent: Monday, October 01, 2007 4:33 PM To: IMGate@mgw2.MEIway.com Subject: [IMGate] Re: postgrey_exceptions.map Any have a newer postgrey_exceptions.map? Mine is from 12/2005 ... I'm sure there have been updates since then. sure, but each admin adds his own items. People can post their .map here and we can consolidate them. Len
[IMGate] Re: postgrey_exceptions.map
I'm seeing a lot of the airlines (southwest as of yesterday), getting stopped by the greylisting ... I think it's their automatic reservation system. Christopher Checca Packard Transport, Inc. 24021 South Municipal Dr PO Box 380 Channahon, IL. 60410 815 467 9260 815 467 6939 Fax [EMAIL PROTECTED] www.packardtransport.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Len Conrad Sent: Tuesday, October 02, 2007 8:40 AM To: IMGate@mgw2.MEIway.com Subject: [IMGate] Re: postgrey_exceptions.map Nobody willing to post their map? Excepting from greylisting is usually not necessary because legit MTAs retry often within 10 minutes, and their IPs (and if big sender with multiple sending IPs, Class C is excepted) get automatically excepted/accepted within a very short time, and stay excepted. Len
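Added example, not part of any list message and not postgrey's code: a simplified greylisting model showing why a retrying MTA (or a sender pool inside one Class C) passes, while a sender whose retries come from different networks, as an automated mailing system might, stays deferred. The 300-second delay, the threshold of 5 and all addresses are assumptions constructed for the illustration.

```python
import ipaddress

DELAY = 300          # assumed: seconds a new triplet must wait before acceptance
AWL_THRESHOLD = 5    # assumed: accepted deliveries before a network is excepted


class Greylist:
    """Simplified greylisting model keyed on (/24 network, sender, recipient)."""

    def __init__(self, delay=DELAY, awl_threshold=AWL_THRESHOLD):
        self.delay = delay
        self.awl_threshold = awl_threshold
        self.first_seen = {}   # triplet -> time of first attempt
        self.passes = {}       # network -> accepted deliveries so far
        self.excepted = set()  # networks that skip greylisting from now on

    @staticmethod
    def network(ip):
        # Key on the /24 ("Class C") so a pool of sending IPs shares one entry.
        return str(ipaddress.ip_network(f"{ip}/24", strict=False))

    def check(self, now, ip, sender, rcpt):
        net = self.network(ip)
        if net in self.excepted:
            return "ACCEPT"
        triplet = (net, sender.lower(), rcpt.lower())
        first = self.first_seen.setdefault(triplet, now)
        if now - first < self.delay:
            return "DEFER"     # temporary 4xx reply: a real MTA queues and retries
        self.passes[net] = self.passes.get(net, 0) + 1
        if self.passes[net] >= self.awl_threshold:
            self.excepted.add(net)
        return "ACCEPT"


def run(attempts):
    """Feed (time, ip, sender, rcpt) attempts to a fresh greylist."""
    gl = Greylist()
    return [gl.check(*a) for a in attempts]


# Constructed sample traffic (documentation address ranges, made-up mailboxes).
S, R = "booking@sender.example", "user@example.org"


def same_ip_retry():
    # Ordinary MTA: an early retry is still deferred, a later one is accepted.
    return run([(0, "192.0.2.10", S, R), (120, "192.0.2.10", S, R),
                (600, "192.0.2.10", S, R)])


def pool_within_one_network():
    # Retry comes from a sibling IP in the same /24: the triplet still matches.
    return run([(0, "192.0.2.10", S, R), (600, "192.0.2.77", S, R)])


def pool_across_networks():
    # Every retry arrives from a different /24: each one looks brand new.
    return run([(0, "192.0.2.10", S, R), (600, "198.51.100.10", S, R),
                (1200, "203.0.113.10", S, R)])


def auto_exception():
    # After enough accepted deliveries the network is accepted without delay.
    gl = Greylist()
    for i in range(AWL_THRESHOLD):
        sender = f"user{i}@sender.example"
        gl.check(0, "192.0.2.10", sender, R)
        gl.check(600, "192.0.2.10", sender, R)
    return gl.check(700, "192.0.2.99", "new@sender.example", R)


if __name__ == "__main__":
    print("same IP retry:      ", same_ip_retry())
    print("pool within /24:    ", pool_within_one_network())
    print("pool across networks:", pool_across_networks())
    print("after auto-exception:", auto_exception())
```

The third scenario is the case where a manual exception entry is worth adding; the first, second and fourth need none.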
[IMGate] postgrey_exceptions.map
Any have a newer postgrey_exceptions.map? Mine is from 12/2005 ... I'm sure there have been updates since then. Christopher Checca Packard Transport, Inc. 24021 South Municipal Dr PO Box 380 Channahon, IL. 60410 815 467 9260 815 467 6939 Fax [EMAIL PROTECTED] www.packardtransport.com
[IMGate] Re: Serious Flaw Kills Bind 8 Domain Server Software
Do you really think this would affect the IMGate setup?

Christopher Checca Packard Transport, Inc. 24021 South Municipal Dr PO Box 380 Channahon, IL. 60410 815 467 9260 815 467 6939 Fax [EMAIL PROTECTED] www.packardtransport.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Len Conrad
Sent: Wednesday, September 05, 2007 1:53 PM
To: IMGate@mgw2.MEIway.com
Subject: [IMGate] Serious Flaw Kills Bind 8 Domain Server Software

Users of the widely-used addressing system software are urged to update to Bind 9.2.

http://www.pcworld.com/article/id,136832/article.html?tk=nl_dnxnws

End of Life has been announced for BIND8.

A strange urging!?!?! ... because current version is here ftp://ftp.isc.org/isc/bind9/9.4.1-P1

BIND8 named.conf needs a little tweaking for BIND9, and you have to set up the rndc.conf and TSIG keys. I'm available if anybody needs consulting help, fbsd, linux, or windows.

Len
[IMGate] Re: OT: Looking for a good Howto on integrating Antivirus with IMGate
Try http://memberwebs.com/stef/software/clamsmtp/

Easy, quick, and it works.

Christopher Checca Checca.net 815 603 3182 435 608 3182 fax [EMAIL PROTECTED] www.checca.net

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Coveney
Sent: Monday, June 11, 2007 3:59 PM
To: IMGate@mgw2.MEIway.com
Subject: [IMGate] OT: Looking for a good Howto on integrating Antivirus with IMGate

If any one has any recommendations on integrating Anti-virus on an IMGate or standalone Postfix box please drop me a link.

My old anti-virus server is starting to show its age and I would like to replace it with a Postfix based AV Scanner (current is a vendors qmail and Kaspersky setup). I feel I have a better understanding of the Postfix system over the qmail system and logs. (please no flames)

After Googling around I am only looking for some additional tried-and-tested Howtos. I would really like benefit from others experimenting and testing.

I would be willing (and prefer) to run this on a separate box and under FreeBSD. I am considering ClamAV and/or Kaspersky as the engines - and would be willing to hear other considerations and input on these.

If this is too far off-topic, please feel free to drop me a line off-list otherwise on-list is fine for me.

Thanks all for your input,
Kevin
[IMGate] Re: strange virus stats
Been very quiet here ... like you only 3 to 5 a day without seeing an increase in months. Christopher Checca Packard Transport, Inc. IT Department 24021 South Municipal Dr PO Box 380 Channahon, IL. 60410 815 467 9260 815 467 6939 Fax [EMAIL PROTECTED] www.packardtransport.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Len Conrad Sent: Thursday, January 04, 2007 11:26 PM To: IMGate@mgw2.MEIway.com Subject: [IMGate] strange virus stats We used to see a small variety of viruses caught, only 3 -5 /day after we started SAV and greylisting, both of which combined to greatly reduce the number of viruses caught. But, for many weeks now, we've been seeing almost exclusively what Kaspersky calls: Email-Worm.Win32.Bagle.gt and in the last couple weeks a few of: Email-Worm.Win32.Bagle.gen Since we run SAV and greylisting, the senders are verified and the sending IPs are re-trying, meaning they are probably legit MTAs. Is anybody else seeing a lot of Bagle.?? and almost nothing of anything else? Len
[IMGate] Re: Fwd: FYI: ordb.org is dead
Thanks for the update.

Christopher Checca Packard Transport, Inc. IT Department 24021 South Municipal Dr PO Box 380 Channahon, IL. 60410 815 467 9260 815 467 6939 Fax [EMAIL PROTECTED] www.packardtransport.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Len Conrad
Sent: Monday, December 18, 2006 10:50 AM
To: IMGate@mgw2.MEIway.com
Subject: [IMGate] Fwd: FYI: ordb.org is dead

Delivered-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Date: Mon, 18 Dec 2006 11:34:23 -0500
From: Victor Duchovni [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: FYI: ordb.org is dead
Reply-To: [EMAIL PROTECTED]
X-RCPT-TO: [EMAIL PROTECTED]

http://www.ordb.org/news/?id=38

ORDB.org is shutting down
2006-12-18 11:34

We regret to inform you that ORDB.org, at the ripe age of five and a half, is shutting down.

It's been a case of a long goodbye as very little work has gone into maintaining ORDB for a while. Our volunteer staff has been pre-occupied with other aspects of their lives. In addition, the general consensus within the team is that open relay RBLs are no longer the most effective way of preventing spam from entering your network as spammers have changed tactics in recent years, as have the anti-spam community.

We encourage system owners to remove ORDB checks from their mailers immediately and start investigating alternative methods of spam filtering. We recommend a combination involving greylisting and content-based analysis (such as the dspam project, bmf or Spam Assassin).

DNS and the mailing lists will vanish today, December 18, 2006. This website will vanish by December 31, 2006.

-- Viktor.
[IMGate] Re: gif image spam dropped off?
Hmmm ... the number of total spam messages on my systems is up 22.4% over last week. But most seem to be stopped by greylisting, Sender address rejected undeliverable address and Sender address rejected unverified address.

Christopher Checca Packard Transport, Inc. IT Department 24021 South Municipal Dr PO Box 380 Channahon, IL. 60410 815 467 9260 815 467 6939 Fax [EMAIL PROTECTED] www.packardtransport.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Len Conrad
Sent: Tuesday, November 07, 2006 6:56 AM
To: IMGate@mgw2.MEIway.com
Subject: [IMGate] gif image spam dropped off?

Here's the number WARNings/day for previous 8 days at one high-volume site I admin:

mx1# zegrep -ic "suspected image" /var/log/maillog.[0-9].gz
/var/log/maillog.0.gz:1567
/var/log/maillog.1.gz:29057
/var/log/maillog.2.gz:24178
/var/log/maillog.3.gz:61723
/var/log/maillog.4.gz:52861
/var/log/maillog.5.gz:38923
/var/log/maillog.6.gz:35728
/var/log/maillog.7.gz:45805

and Tuesday is looking like Monday. Extremely weird.
[IMGate] Re: periodic update: show us your RBL servers
The one that stood out was dul.dnsbl.sorbs.net as one I hadn't seen mentioned recently. I tried it on one high-volume site in WARN mode and got tons of hits in one hour. Put it in WARN mode for a few days at the end of your restriction list and then see catches any legit. You could whitelist them and then switch to reject mode for the rest. You may not see much help from dul RBL if you're running greylist before the dul. Len thanks Christopher Checca Packard Transport, Inc. IT Department 24021 South Municipal Dr PO Box 380 Channahon, IL. 60410 815 467 9260 815 467 6939 Fax [EMAIL PROTECTED] www.packardtransport.com
[IMGate] Re: imail real name vulnerabilty filter
Did this work for you?

Christopher Checca Packard Transport, Inc. IT Department 24021 South Municipal Dr PO Box 380 Channahon, IL. 60410 815 467 9260 815 467 6939 Fax [EMAIL PROTECTED] www.packardtransport.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Len Conrad
Sent: Friday, October 27, 2006 11:23 AM
To: IMGate@mgw2.MEIway.com
Subject: [IMGate] imail real name vulnerabilty filter

I'm testing this at one of my big clients

/^subject: =.Windows/ HOLD Imail vulnerability

in pcre:header_checks.regexp.

The following is more restrictive, but I fear the number may change:

/^subject: =.Windows-1251/ HOLD Imail vulnerability

maybe this is better:

/^subject: =.Windows\-/ HOLD Imail vulnerability

Len
[IMGate] Re: Clearing databases...
any errors in maillog?

if the SAV .db file is type hash: and hits 1.1 GB, postfix almost dies.

-rw-r--r-- 1 root wheel 10567680 Sep 22 08:32 address_verify.map.db

doesn't look that bad. as a lot of spam is getting by IMGate in the last two days. Any other files I should remove and let rebuild?

The only file that used to need zeroing was the SAV hash: .db file because it blew up at about 1.1 GB physical size, but now everyone should use the btree: file type for SAV .db file, which is good to about 4 GB.

Also, the negative cache time should be a couple of hours to avoid too much accumulation of random forged senders.

Where is that time limit set?

see the postfix README for ADDRESS_VERIFY

apart from the slowness, if you're receiving a big increase in spam, you should look at the maillog to figure out where it's coming from. SAV and postgrey are very good at blocking

thanks for your help

Christopher Checca Packard Transport, Inc. IT Department 24021 South Municipal Dr PO Box 380 Channahon, IL. 60410 815 467 9260 815 467 6939 Fax [EMAIL PROTECTED] www.packardtransport.com
[IMGate] Question: Deleting emails with blank subject lines...
Question:

I've started deleting email with blank subject lines within my IMail system to help stem the tide of spam (over the last two months the amount of spam getting by my IMGate is up) ... I now would like to switch this over to our IMGate. Any comments on if this is good or bad. Also where would you go about making this change?

Thanks,

Christopher Checca Packard Transport, Inc. IT Department 24021 South Municipal Dr PO Box 380 Channahon, IL. 60410 815 467 9260 815 467 6939 Fax [EMAIL PROTECTED] www.packardtransport.com
[IMGate] Re: Question: Deleting emails with blank subject lines...
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Len Conrad
Sent: Monday, June 26, 2006 12:18 PM
To: IMGate@mgw2.MEIway.com
Subject: [IMGate] Re: Question: Deleting emails with blank subject lines...

I've started deleting email with blank subject lines within my IMail system to help stem the tide of spam (over the last two months the amount of spam getting by my IMGate is up) ... I now would like to switch this over to our IMGate. Any comments on if this is good or bad.

if you are doing it on Imail acceptably, you can do it on IMGate acceptably.

In header_checks, I would REJECT rather than DISCARD, and perhaps run WARN for a couple days to see how it goes, as always.

/^subject: $/ REJECT Rejected because Subject: is empty.

... so legit senders will understand clearly.

Len

Thanks,

Christopher Checca Packard Transport, Inc. IT Department 24021 South Municipal Dr PO Box 380 Channahon, IL. 60410 815 467 9260 815 467 6939 Fax [EMAIL PROTECTED] www.packardtransport.com
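Added example, not part of any list message: a WARN-style dry run of the header_checks patterns quoted in this thread and in the "imail real name vulnerabilty filter" thread, showing which header lines each pattern catches. Python's re module stands in for the Postfix pcre table here, the headers are constructed samples, and the "empty_ws" rule is an added variant that does not come from the list.

```python
import re

# (pattern, action, text). The first four are the rules quoted on this page.
# Postfix regexp/pcre tables match case-insensitively by default, which is
# modelled below with re.IGNORECASE.
RULES = {
    "broad": (r"^subject: =.Windows", "HOLD", "Imail vulnerability"),
    "exact": (r"^subject: =.Windows-1251", "HOLD", "Imail vulnerability"),
    "dash": (r"^subject: =.Windows\-", "HOLD", "Imail vulnerability"),
    "empty": (r"^subject: $", "REJECT", "Rejected because Subject: is empty."),
    # Added variant (assumption, not from the thread): any amount of
    # whitespace, including none, after the colon.
    "empty_ws": (r"^subject:\s*$", "REJECT", "Rejected because Subject: is empty."),
}

# Constructed header lines; the encoded words carry placeholder payloads.
SAMPLE = [
    "Subject: =?Windows-1251?B?8uXx8g==?=",          # 0 encoded-word, 1251
    "Subject: =?windows-1252?Q?Invoice_4711?=",      # 1 encoded-word, 1252
    "Subject: Re: =?Windows-1251?B?8uXx8g==?=",      # 2 encoded-word after "Re:"
    "Subject: Windows update schedule",              # 3 plain text
    "Subject: ",                                     # 4 colon plus one space
    "Subject:",                                      # 5 colon, nothing after it
    "Subject:   ",                                   # 6 colon plus three spaces
    "From: =?Windows-1251?B?8uXx8g==?= <a@sender.example>",  # 7 not a Subject
]


def matching(rule, headers):
    """Indexes of the header lines that the named rule matches."""
    pattern, _action, _text = RULES[rule]
    rx = re.compile(pattern, re.IGNORECASE)
    return [i for i, line in enumerate(headers) if rx.search(line)]


def warn_run(rule_names, headers):
    """Dry run: the first matching rule per header is reported, nothing is blocked.

    A message without any Subject: header produces no line for these
    patterns to look at, so it never shows up here.
    """
    report = []
    for line in headers:
        for name in rule_names:
            pattern, action, text = RULES[name]
            if re.search(pattern, line, re.IGNORECASE):
                report.append(f"WARN would {action}: {line!r} ({text})")
                break
    return report


if __name__ == "__main__":
    for name in RULES:
        print(f"{name:9s} matches sample lines {matching(name, SAMPLE)}")
    for entry in warn_run(["exact", "empty"], SAMPLE):
        print(entry)
```

The difference between the "broad"/"dash" results and the "exact" result is the set of mail a few days in WARN mode would surface before switching to HOLD or REJECT.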
[IMGate] Re: looking for a rule...
Thanks!

Christopher Checca Packard Transport, Inc. IT Department 24021 South Municipal Dr PO Box 380 Channahon, IL. 60410 815 467 9260 815 467 6939 Fax [EMAIL PROTECTED] www.packardtransport.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Len Conrad
Sent: Friday, May 12, 2006 10:48 PM
To: IMGate@mgw2.MEIway.com
Subject: [IMGate] Re: looking for a rule...

I need to block all windows video formats at the IMGate ... any ideas on what file to use and the format?

you've already got the rules for blocking by extensions in the original, basic IMGate header_checks.regexp.

the following should cover most of the windows multimedia formats and extensions;

http://support.microsoft.com/?scid=kb;en-us;q316992

Len
[IMGate] looking for a rule...
I need to block all windows video formats at the IMGate ... any ideas on what file to use and the format? Christopher Checca Packard Transport, Inc. IT Department 24021 South Municipal Dr PO Box 380 Channahon, IL. 60410 815 467 9260 815 467 6939 Fax [EMAIL PROTECTED] www.packardtransport.com
[IMGate] Re: Exporting users from Imail or SmarterMail and putting them to the Imgate box
Is relays.visi.com down? Christopher Checca Packard Transport, Inc. IT Department 24021 South Municipal Dr PO Box 380 Channahon, IL. 60410 815 467 9260 815 467 6939 Fax [EMAIL PROTECTED] www.packardtransport.com
[IMGate] Re: Suggestions
I run IMGate (Len's Advanced version) on FreeBSD 5 (DELL server with a 3.0Gz P4, 1Gb RAM, dual hard drives nonRAID) with ClamAV via ClamSMTP http://memberwebs.com/nielsen/software/clamsmtp/ ... My Imail server now stops about 4 to 10 spams a day via the Imail premium filter and 1 to 3 viruses a month with the Imail antivirus. I'm very happy :)

230 Users on the web interface
5 Users via POP3 and SMTP
200 Users on the IM client
50 forwarders to outside email systems

Last few days stats:
eMails blocked with .xx attachment 115
Rejected 6840
Scanned by ClamAVSMTPd 11196

PS: It's been very quiet over the past few weeks for my mail server ... knocking on wood.

Christopher Checca Packard Transport, Inc. IT Department 24021 South Municipal Dr PO Box 380 Channahon, IL. 60410 815 467 9260 815 467 6939 Fax [EMAIL PROTECTED] www.packardtransport.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Cobb
Sent: Thursday, February 02, 2006 9:46 AM
To: IMGate@mgw2.MEIway.com
Subject: [IMGate] Suggestions

I stopped using my IMgate box about 2 years ago because I wanted something that would do weighted tests. I am using Declude on my Imail box along with Declude virus and F-Prot. The declude virus no longer catches zip viruses which are a large majority. I'm thinking of putting an IMgate back in front of my Imail server to catch the most obvious SPAM and catch viruses. Is anyone here doing something like this? What virus programs are you using. Any suggestions would be great along with IMgate configs.

Thanks,
Steve Cobb, A+, MCSE
Computer Geeks
[EMAIL PROTECTED]

*** Do you know that if you died right now, you would go to Heaven? Find out how you can know! http://www.kingscrossroads.org/heaven1.htm
[IMGate] Re: What are you throughputs of amavis/spamassassin/clamav ?
I went with: http://memberwebs.com/nielsen/software/clamsmtp/ on the IMGate machine and it's the last rule in the IMGate config. From the last five days... Scanned by ClamAVSMTPd 11664 Since it's the last rule ... there's not much mail left to scan. Christopher Checca Packard Transport, Inc. IT Department 24021 South Municipal Dr PO Box 380 Channahon, IL. 60410 815 467 9260 815 467 6939 Fax [EMAIL PROTECTED] www.packardtransport.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Len Conrad Sent: Friday, January 27, 2006 11:29 AM To: IMGate@mgw2.MEIway.com Subject: [IMGate] What are you throughputs of amavis/spamassassin/clamav ? A lot of you IMgate admins are running this combination, or something very similar, usually on a separate machine behind IMGate, or perhaps on IMGate. Could you let us know how about many messages/hour your machine is handling comfortably? 1. amavis/SA/Clam on a dedicated machine or on the IMGate MX machine? 2. MHz / RAM / disk ? 3. For spamassassin, which rulesets have you found to be best, or worst? 4. Any tuning advice? Thanks Len
[IMGate] Re: Virus getting past IMGate?
there's no way to reduce bandwidth. header/body checks and AV scanning don't work until the DATA command, entire msg, is received.

Len

Thanks Len, I was just wondering if anyone has found some other pattern for this virus that we could use to block this before the DATA command. I haven't yet but was putting it out there to see if anyone else has ... I have a bad feeling that this virus will be the next big one, my guess is next week when people return to the office I will see a lot more of these.

Christopher Checca Packard Transport, Inc. IT Department 24021 South Municipal Dr PO Box 380 Channahon, IL. 60410 815 467 9260 815 467 6939 Fax [EMAIL PROTECTED] www.packardtransport.com
[IMGate] Question...
Since adding IMGate in front of my IMail server, I kept both MX's listed with IMGate as primary and IMail as secondary ... but at the firewall blocked port 25 to IMail. My reason was on failure of IMGate I can just unblock the IMail server and mail will continue to flow without waiting for the DNS to update new records.

BUT ... as a ?side effect? I've been seeing reduced mail traffic ... no complaints of missing 'real' mail ... just over all reduced mail traffic.

Could spammers just be trying my (blocked) secondary mail server and leaving the primary alone? Or since IMGate has done such a good job at blocking spam they are just leaving me alone overall?? Or am I having wishful thinking and the tidal wave is just round the corner?

Christopher Checca Packard Transport, Inc. IT Department 24021 South Municipal Dr PO Box 380 Channahon, IL. 60410 815 467 9260 815 467 6939 Fax [EMAIL PROTECTED] www.packardtransport.com
[IMGate] Re: hotmail, again
Yes, I've too seen increased timeouts when connecting to hotmail MX's. I too increased timeout to 300 seconds for testing, but still seeing quite a few timeouts vs email sent.

PFDAILY.SH from today:

smtp delivery failures
--
connection refused
    5 mx2.hotmail.com
operation timed out
    5 mx3.hotmail.com
    2 mx1.hotmail.com
    2 mx2.hotmail.com
    2 mx4.hotmail.com
read timeout
    1 mx1.hotmail.com
server dropped connection without sending the initial smtp greeting (total: 3)
    1 mx3.hotmail.com
    1 mx4.hotmail.com
    1 mailgw.qvcmail.com

total sent:
    54 7474k 1.2 m 10.5 m hotmail.com

Christopher Checca Packard Transport, Inc. IT Department 24021 South Municipal Dr PO Box 380 Channahon, IL. 60410 815 467 9260 815 467 6939 Fax [EMAIL PROTECTED] www.packardtransport.com
[IMGate] How do I whitelist this helo?
554 banana2.grizella.com[65.125.145.225]: Client host rejected: The sending IP is not authorized to send MAIL FROM: @sender.domain, PTR = banana2.grizella.com (in reply to RCPT TO command) How should I white list this server? Christopher Checca Packard Transport, Inc. IT Department 24021 South Municipal Dr PO Box 380 Channahon, IL. 60410 815 467 9260 815 467 6939 Fax [EMAIL PROTECTED] www.packardtransport.com
[IMGate] Re: How do I whitelist this helo? (Zaep Key: 8c65c8b8.438f79b5.0c420be7)
How about removing this guy from the list?? Christopher Checca Packard Transport, Inc. IT Department 24021 South Municipal Dr PO Box 380 Channahon, IL. 60410 815 467 9260 815 467 6939 Fax [EMAIL PROTECTED] www.packardtransport.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Zaep AntiSpam Sent: Thursday, December 01, 2005 4:31 PM To: Christopher Checca Subject: [IMGate] Re: How do I whitelist this helo? (Zaep Key: 8c65c8b8.438f79b5.0c420be7) Dear Christopher, Thanks for your email, but at this point I have NOT actually received your message because I have implemented a challenge-response based anti-spam solution. Before I can receive your message you must respond in ONE of the ways outlined below. You will not have to do this again. --- REPLY TO THIS MESSAGE --- Simply reply to this email message ensuring the subject of your reply contains the subject of this message. When your reply arrives I will receive your ORIGINAL message and all FUTURE messages. Or as an alternate method follow these instructions: --- CLICK ON THE URL --- Visit the following URL and follow the simple instructions. When you do this I will receive the message you sent and ALL future messages. http://webmail.ki-lin.com:8081/?key=8c65c8b8.438f79b5.0c420be7 If the above URL does not appear all on one line, copy and paste it into your browser's address bar. PLEASE NOTE: If you receive an error message when attempting to visit the above URL, it is very likely that your network is not allowing you to visit my confirmation page. If this is the case, contact your network administrator for help, or contact me by telephone. If you do not respond within 7 days, your message will be DELETED and I will not be able to receive messages from you in the future. I apologize for this small one-time inconvenience, but I have been forced to implement this challenge-response based anti-spam solution to eliminate 100% of the spam I receive, and it really works! 
To learn more about the software I am using to stop spam, please visit http://www.Zaep.com/. Zaep has stopped 100% of all the spam messages I was receiving every day. Thank you, [EMAIL PROTECTED]
[IMGate] Re: How do I whitelist this helo?
How should I white list this server?

this filter is an anti-forgery filter for frequently forged domains.

ie, [EMAIL PROTECTED] must come from IPs with PTR under a group of bigISP domain

ie, [EMAIL PROTECTED] must come from a PTR of hotmail, msn, yahoo, etc. but not from ipt.aol.com, or IP with no PTR.

This filter pre-dates SPF which attempts the same kind of anti-forgery.

would you accept [EMAIL PROTECTED] or @yahoo.com or @hotmail.com from an IP with no PTR (all those big ISP have PTR), or on customer.rr.com (a subscriber network)?

Len

This is from a service that will email your order data to a bunch of email addresses, ftp sites, etc. from one online service. One of our clients uses them to get us orders ... good or bad they show the clients return email address as the from address and trips this filter (by the way I don't want to disable it for hotmail as it's forged way too much). I've talked to them about this issue and how they need to fix it ... in the mean time I need to white list this one IP/MTA so we can get their orders.

Christopher Checca Packard Transport, Inc. IT Department 24021 South Municipal Dr PO Box 380 Channahon, IL. 60410 815 467 9260 815 467 6939 Fax [EMAIL PROTECTED] www.packardtransport.com
[IMGate] starting amavisd getting this error ... what am i doing wrong?
ERROR: MISSING REQUIRED BASIC MODULES:
IO::Wrap IO::Stringy Mail::Field Mail::Address Mail::Header Mail::Internet Compress::Zlib MIME::Words MIME::Head MIME::Body MIME::Entity MIME::Parser MIME::Decoder MIME::Decoder::Base64 MIME::Decoder::Binary MIME::Decoder::QuotedPrint MIME::Decoder::NBit MIME::Decoder::UU MIME::Decoder::Gzip64 Net::Cmd Net::SMTP
BEGIN failed--compilation aborted at /usr/local/sbin/amavisd line 148.

Installed CLAMAV 0.87.1 and working fine ... about having problems with amavisd-new ... doesn't want to start.

Christopher Checca Packard Transport, Inc. IT Department 24021 South Municipal Dr PO Box 380 Channahon, IL. 60410 815 467 9260 815 467 6939 Fax [EMAIL PROTECTED] www.packardtransport.com
[IMGate] Re: CLAM AV on IMGate?
Thanks everyone Christopher Checca Packard Transport, Inc. IT Department 24021 South Municipal Dr PO Box 380 Channahon, IL. 60410 815 467 9260 815 467 6939 Fax [EMAIL PROTECTED] www.packardtransport.com
[IMGate] CLAM AV on IMGate?
How many people think it's helped them by adding CLAM AV to their IMGate setup? Or does this just add too much processing to the IMGate server and better to catch them down stream after the IMGate?

Christopher Checca Packard Transport, Inc. IT Department 24021 South Municipal Dr PO Box 380 Channahon, IL. 60410 815 467 9260 815 467 6939 Fax [EMAIL PROTECTED] www.packardtransport.com
[IMGate] Re: getting tarpitted and killed
Sounds like we need some time of SAV timeout /or auto black list for these subnets.

Christopher Checca Packard Transport, Inc. IT Department 24021 South Municipal Dr PO Box 380 Channahon, IL. 60410 815 467 9260 815 467 6939 Fax [EMAIL PROTECTED] www.packardtransport.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kent Ogletree
Sent: Friday, September 30, 2005 4:23 PM
To: IMGate@mgw2.MEIway.com
Subject: [IMGate] Re: getting tarpitted and killed

Maybe this is a new tactic of the spammers, they know that SAV is going to kill them. So they think maybe if they start tar pitting SAV, maybe some admins will decide SAV is not worth the trouble and abandon it.

Kent

- Original Message -
From: Len Conrad [EMAIL PROTECTED]
To: IMGate@mgw2.MEIway.com
Sent: Friday, September 30, 2005 2:00 PM
Subject: [IMGate] getting tarpitted and killed

I guess what happened last Monday was this:

1. We got some msgs where SAV tried to verify [EMAIL PROTECTED]

2. Postfix smtpd spawned an SAV smtp session. That smtp session connected to the MX for senderdomain.com and got tarpitted. As a result, both the smtp session and the smtpd session waiting the SAV response got hung in memory (or at least the SAV smtp session did).

3. master.cf was set to 200 smtp max. When 200 of our smtp sessions got tarpitted, postfix couldn't SAV, nor could postfix send any mail. All mail delivery slowed to almost nothing, and it was taking 12+ hours for a msg to get through IMGate.

4. after several hours of trying to see where the problem was, I just increased the master.cf from smtp max from 200 to 500, and the logjam was broken.
[IMGate] Re: getting tarpitted and killed
H ... will need to take some time to think about this. My first reaction is to set an maximum SMTP session timer, but they may have other side effects.

Christopher Checca Packard Transport, Inc. IT Department 24021 South Municipal Dr PO Box 380 Channahon, IL. 60410 815 467 9260 815 467 6939 Fax [EMAIL PROTECTED] www.packardtransport.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Len Conrad
Sent: Friday, September 30, 2005 5:00 PM
To: IMGate@mgw2.MEIway.com
Subject: [IMGate] Re: getting tarpitted and killed

Sounds like we need some time of SAV timeout /or auto black list for these subnets.

There is about a 9-second timeout on SAV. If SAV doesn't finish in 9 seconds, the msg is rejected with 450 an sender unverifiable.

But if the SAV smtp session is held by a tarpit connection, I don't what would happen. The tarpitting isn't total silence, because postfix smtp will timeout in the face of total silence.

But if the remote tarpitting SMTPD keeps sending some kind of keep alive response that holds the postfix smtp session from timing out...

Len
[IMGate] Len ... has anyone heard from him?
Lenyou out there? Christopher Checca Packard Transport, Inc. IT Department 24021 South Municipal Dr PO Box 380 Channahon, IL. 60410 815 467 9260 815 467 6939 Fax [EMAIL PROTECTED] www.packardtransport.com
[IMGate] Re: (No In-Reply-To: 001501c555a1$ce30fde0$4501a8c0@MARK
Could be either...

Christopher Checca Packard Transport, Inc. IT Department 24021 South Municipal Dr PO Box 380 Channahon, IL. 60410 815 467 9260 815 467 6939 Fax [EMAIL PROTECTED] www.packardtransport.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of List_Mail
Sent: Wednesday, May 11, 2005 6:56 AM
To: IMGate@mgw2.MEIway.com
Subject: [IMGate] Re: (No In-Reply-To: [EMAIL PROTECTED]

okay. but is that due to someone on my end sending to a non existing account or someone forging my mx stuff. ?

thanks
Mark

- Original Message -
From: Len Conrad [EMAIL PROTECTED]
To: IMGate@mgw2.MEIway.com
Sent: Tuesday, May 10, 2005 7:58 PM
Subject: [IMGate] Re: (No In-Reply-To: [EMAIL PROTECTED]

am i right in assuming this jackass is testing to see if he can relay thru me

[EMAIL PROTECTED]: host mx02.mindspring.com[207.69.200.66] said: 550 [EMAIL PROTECTED] unknown (in reply to RCPT TO command

no, that's yr postfix being bounced because the user doesn't exist at that MX.

Len
[IMGate] FYI... CLAMAV 0.84 released...
Just a note to those that are running CLAM AV; CLAM anti-virus has release 0.84 ... I've updated my IMGate server last week and its running fine.

Christopher Checca Packard Transport, Inc. IT Department 24021 South Municipal Dr PO Box 380 Channahon, IL. 60410 815 467 9260 815 467 6939 Fax [EMAIL PROTECTED] www.packardtransport.com
[IMGate] Re: Signed up for the spf stuff
So, is SPF a whitelist feature? a blacklist feature? Since most of us have solved 98+% of our SPAM problems, SPF will at very best be tiny increment of help, and we are a long way from very best SPF implementation.

Len

I see SPF records adding a low weight in the entire anti-spam system, but I see SPF as a whitelist feature. IMO SPF is dead as they hijacked a DNS record, spammers are adding SPF records faster than anyone, and not many admins can setup the mail server correctly as RFC's provide already.

IMO the overall problem is the IT profession, IT went from professionals to anyone that could pass the M$ tests and could get cheap highspeed access for cheap. There aren't many true professionals in the IT field anymore ... again IMO ... it's really sad.

---off the soap box---

Christopher Checca Packard Transport, Inc. IT Department 24021 South Municipal Dr PO Box 380 Channahon, IL. 60410 815 467 9260 815 467 6939 Fax [EMAIL PROTECTED] www.packardtransport.com
[IMGate] Re: Greylisting
Thanks, Christopher Checca Packard Transport, Inc. IT Department 24021 South Municipal Dr PO Box 380 Channahon, IL. 60410 815 467 9260 815 467 6939 Fax [EMAIL PROTECTED] www.packardtransport.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Len Conrad Sent: Thursday, March 03, 2005 12:42 PM To: IMGate@mgw2.MEIway.com Subject: [IMGate] Re: Greylisting Len, IYO is grey listing already starting to lose most of its effectiveness? no, because a tiny %age of subscriber network operators block port 25. I'm comparing the mail server overhead delay in email delivery vs. not running grey listing. greylisting will reject a lot of stuff earlier in the restrictions than everything else, probably reject stuff you don't reject now, and since rejects are cheap, your box could run better with greylisting, handling less messages. I don't have a general rule but I've seen only 20% - 30% of postgrey-rejected msgs be retried. eg, 130K greylist rejects, and only 30K were re-tried. Len
[IMGate] Re: Stop email alerts from IMGate...
Thanks ... I looked at that, but wasn't sure it was what I needed. Christopher Checca Packard Transport, Inc. IT Department 24021 South Municipal Dr PO Box 380 Channahon, IL. 60410 815 467 9260 815 467 6939 Fax [EMAIL PROTECTED] www.packardtransport.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of NeoBlu Sent: Monday, February 28, 2005 11:20 AM To: IMGate@mgw2.meiway.com Subject: [IMGate] Re: Stop email alerts from IMGate... My IMGate is running great! But I'd like to turn off all the email alerts that it sends ... ?help? I'm not sure where to start ... looking for direction. Edit your notify_classes. I personally use: notify_classes = resource, software http://www.postfix.org/postconf.5.html#notify_classes -NB
[IMGate] Re: OT: CLAM AV FYI...
I hope everyone notes that this post is IMO... and you can run your ship your way ... this makes me feel better about my environment, to which I have to live and be accountable. We reboot all servers at least every 30 days (AIX UNIX, FreeBSD, and Windows), we also take servers offline that are part of redundant systems during working hours to confirm, under load that they will perform as expected. We do the same with our backup UPS's, generators, A/C units, fire suppression, wireless building to building links, N*T1 and phone system. I don't want an outage, not to go as expected. We do warn our users that Wednesday is maintenance day ... and systems may go offline at any time. Everyone understands (at least at the supervisor level) this is for the best and any minor interruptions are well worth the pain, over having a BIG outage that we were under the impression wouldn't happen. We can't account for everything ... but we test for business operations to continue even if we had failures in our key redundant systems. At my current position it's taken a few years to gain the trust that our IT systems wouldn't fail and we have no backup plan ... Packard's previous IT manager had outages so often that many departments opted for paper ... vs ... computer. Our continuing testing and written backup plans have turned this around. I also like the knowledge that our systems have been tested and rebooted regularly ... again this is just my comfort level. Again sorry Len for the WAYOT. Christopher Checca Packard Transport, Inc. IT Department 24021 South Municipal Dr PO Box 380 Channahon, IL. 60410 815 467 9260 815 467 6939 Fax [EMAIL PROTECTED] www.packardtransport.com
[IMGate] CLAM AV FYI...
CLAM AV is now on 0.83; anyone still running versions before 0.80 should think about updating. You can check to see if you are at 0.80 or better by typing freshclam ... you will get an error about your current level if you're not at 0.80 or better. Christopher Checca Packard Transport, Inc. IT Department 24021 South Municipal Dr PO Box 380 Channahon, IL. 60410 815 467 9260 815 467 6939 Fax [EMAIL PROTECTED] www.packardtransport.com
[IMGate] OT: CLAM AV FYI...
I like to download and install the latest stable version, when I update. There are very good instructions on the CLAM av web site. My simple instructions (you must have CLAM av running now): Download stable version, Ungzip, Untar, Change dir to untarred version, ./configure, make, make install, reboot. But check their web site, I'm not the greatest FreeBSD admin. Christopher Checca Packard Transport, Inc. IT Department 24021 South Municipal Dr PO Box 380 Channahon, IL. 60410 815 467 9260 815 467 6939 Fax [EMAIL PROTECTED] www.packardtransport.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adolfo Justiniano Sent: Tuesday, February 15, 2005 4:44 PM To: IMGate@mgw2.MEIway.com Subject: [IMGate] Re: CLAM AV FYI... I'm using 0.80, any tips on how to upgrade it on a FreeBSD 4.7 box, I'm a novice in this particular OS. BTW CLAM AV was installed using pkg_add, I suppose that I should use pkg_update... Thanks, Adolfo Justiniano Santa Cruz BBS e-mail: [EMAIL PROTECTED] http://www.scbbs.net -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christopher Checca Sent: Tuesday, February 15, 2005 11:04 AM To: IMGate@mgw2.MEIway.com Subject: [IMGate] CLAM AV FYI... CLAM AV is now on 0.83; anyone still running versions before 0.80 should think about updating. You can check to see if you are at 0.80 or better by typing freshclam ... you will get an error about your current level if you're not at 0.80 or better. Christopher Checca Packard Transport, Inc. IT Department 24021 South Municipal Dr PO Box 380 Channahon, IL. 60410 815 467 9260 815 467 6939 Fax [EMAIL PROTECTED] www.packardtransport.com --- [This E-mail was scanned for viruses by the Santa Cruz BBS anti-virus system]
[IMGate] Re: OT: CLAM AV FYI...
Just because it's unix is no reason not to reboot and it doesn't hurt. Now we are wayyy OT ... sorry Len :) Christopher Checca Packard Transport, Inc. IT Department 24021 South Municipal Dr PO Box 380 Channahon, IL. 60410 815 467 9260 815 467 6939 Fax [EMAIL PROTECTED] www.packardtransport.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry Sent: Tuesday, February 15, 2005 6:30 PM To: IMGate@mgw2.MEIway.com Subject: [IMGate] Re: OT: CLAM AV FYI... - Original Message - From: Christopher Checca [EMAIL PROTECTED] I like to download and install the latest stable version, when I update. There are very good instructions on the CLAM av web site. My simple instructions (you must have CLAM av running now): Download stable version, Ungzip, Untar, Change dir to untarred version, ./configure, make, make install, reboot. These aren't windows machines, a reboot is not necessary. Simply stop the clamd service (if you are running clam daemonized) before doing the make install, and then restart it after the install completes. Bill
[IMGate] Re: Just in case you felt like relaxing....
and 4 percent of the recipients have bought something advertised through spam within the past year. That's just great :/ really helps the cause. Christopher Checca Packard Transport, Inc. IT Department 24021 South Municipal Dr PO Box 380 Channahon, IL. 60410 815 467 9260 815 467 6939 Fax [EMAIL PROTECTED] www.packardtransport.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Len Conrad Sent: Thursday, February 03, 2005 11:23 AM To: IMGate@mgw2.MEIway.com Subject: [IMGate] Just in case you felt like relaxing There were some reports about spam decreasing, but ====================================== Feb 2, 9:23 PM EST Deleting spam costs billions, study finds By ANICK JESDANUN AP Internet Writer NEW YORK (AP) -- Time wasted deleting junk e-mail costs American businesses nearly $22 billion a year, according to a new study from the University of Maryland. A telephone-based survey of adults who use the Internet found that more than three-quarters receive spam daily. The average spam messages per day is 18.5 and the average time spent per day deleting them is 2.8 minutes. The loss in productivity is equivalent to $21.6 billion per year at average U.S. wages, according to the National Technology Readiness Survey produced by Rockbridge Associates, Inc., and the Center for Excellence in Service at Maryland's business school. The study, to be released Thursday, also found that 14 percent of spam recipients actually read messages to see what they say, and 4 percent of the recipients have bought something advertised through spam within the past year.
[IMGate] Re: Just in case you felt like relaxing....
I would love to see that ... but I think the only way it will get done is if someone releases a virus or series of viruses that would cause the disruption. IMO an attack from legitimate MX's would cause a reverse attack from their zombies. Something I can't afford to take on. Christopher Checca Packard Transport, Inc. IT Department 24021 South Municipal Dr PO Box 380 Channahon, IL. 60410 815 467 9260 815 467 6939 Fax [EMAIL PROTECTED] www.packardtransport.com
[IMGate] Re: New Virus Attack Technique Bypasses Filters
I've been blocking .rar files for about two years, as I've seen no true need in our office for that file type. Also I can't ever remember getting a request to receive an override for this file type either. Christopher Checca Packard Transport, Inc. IT Department 24021 South Municipal Dr PO Box 380 Channahon, IL. 60410 815 467 9260 815 467 6939 Fax [EMAIL PROTECTED] www.packardtransport.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andrew P. Kaplan Sent: Wednesday, February 02, 2005 8:57 AM To: IMGate Subject: [IMGate] New Virus Attack Technique Bypasses Filters Perhaps it's time to block .rar extensions. Does anyone ever email a .rar file ? http://www.eweek.com/article2/0,1759,1756636,00.asp?kc=ewnws013105dtx1k= 5 99 -- Andrew P. Kaplan www.cshore.com A New Year's resolution is something that goes in one year and out the other author unknown -- No virus found in this outgoing message. Checked by AVG Anti-Virus. Version: 7.0.300 / Virus Database: 265.8.2 - Release Date: 1/28/2005
[IMGate] Question new virus... sober
Has anyone figured out how to stop this at the IMGate? I'm running CLAM AV and it hasn't stopped one of these yet :( I got 196 (the highest number yet) sober stopped at my IMail server antivirus just yesterday. Christopher Checca Packard Transport, Inc. IT Department 24021 South Municipal Dr PO Box 380 Channahon, IL. 60410 815 467 9260 815 467 6939 Fax [EMAIL PROTECTED] www.packardtransport.com
[IMGate] Re: Question new virus... sober
I ran the update manually just to check and it was ok ... the log also showed the updates were coming in ok. I ran the update script on CLAM and it was ok. It's stopping a lot of the new SomeFool and Beagle, so I can see it's scanning ok. Really it's doing a very good job, I've only seen Sober hitting my IMail server's antivirus, all other viruses are stopped at the IMGate. Christopher Checca Packard Transport, Inc. IT Department 24021 South Municipal Dr PO Box 380 Channahon, IL. 60410 815 467 9260 815 467 6939 Fax [EMAIL PROTECTED] www.packardtransport.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Russ Uhte Sent: Wednesday, November 24, 2004 10:55 AM To: [EMAIL PROTECTED] Subject: [IMGate] Re: Question new virus... sober Christopher Checca wrote: Has anyone figured out how to stop this at the IMGate? I'm running CLAM AV and it hasn't stopped one of these yet :( I got 196 (the highest number yet) sober stopped at my IMail server antivirus just yesterday. Are you running ClamAV on the postfix box? Are you sure you're using the latest version, and that your defs are updating properly and notify Clamd? My ClamAV on postfix is stopping a bunch of these... -Russ --- [This E-mail scanned for viruses by Declude Virus]
[IMGate] Re: Question new virus... sober
ClamAV devel-20041102/605/Wed Nov 24 08:09:47 2004 Christopher Checca Packard Transport, Inc. IT Department 24021 South Municipal Dr PO Box 380 Channahon, IL. 60410 815 467 9260 815 467 6939 Fax [EMAIL PROTECTED] www.packardtransport.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Russ Uhte Sent: Wednesday, November 24, 2004 11:38 AM To: [EMAIL PROTECTED] Subject: [IMGate] Re: Question new virus... sober Christopher Checca wrote: I ran the update manually just to check and it was ok ... the log also showed the updates were coming in ok. I ran the update script on CLAM and it was ok. It's stopping a lot of the new SomeFool and Beagle, so I can see it's scanning ok. Really it's doing a very good job, I've only seen Sober hitting my IMail server's antivirus, all other viruses are stopped at the IMGate. What version are you running clamd -V? -Russ --- [This E-mail scanned for viruses by Declude Virus]
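Added example, not part of the original thread: the question of whether the definitions are updating can be answered from the version banner itself. This Python sketch parses the `clamd -V` line quoted above (engine / database version / database build time) and reports a stale or missing signature database; the function names, the two-day threshold and the second sample banner are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Layout seen in the thread: "ClamAV <engine>/<db version>/<db build time>".
# Assumption: with no signature database loaded, only "ClamAV <engine>" appears.
VERSION_RE = re.compile(
    r"^ClamAV\s+(?P<engine>[^/\s]+)(?:/(?P<db>\d+)/(?P<built>.+))?$"
)
DB_TIME_FORMAT = "%a %b %d %H:%M:%S %Y"  # e.g. Wed Nov 24 08:09:47 2004


def parse_clam_version(line):
    """Split a version banner into engine, database version and build time."""
    match = VERSION_RE.match(line.strip())
    if match is None:
        raise ValueError("not a ClamAV version line: %r" % line)
    built = match.group("built")
    return {
        "engine": match.group("engine"),
        "db_version": int(match.group("db")) if match.group("db") else None,
        "db_built": datetime.strptime(built.strip(), DB_TIME_FORMAT) if built else None,
    }


def definition_findings(line, now, max_age=timedelta(days=2)):
    """Return a list of findings about the signature database (empty = fine)."""
    info = parse_clam_version(line)
    findings = []
    if info["db_built"] is None:
        findings.append("no signature database reported")
    else:
        age = now - info["db_built"]
        if age > max_age:
            findings.append("signatures are %d days old" % age.days)
    if info["engine"].startswith("devel-"):
        findings.append("engine is a development snapshot (%s)" % info["engine"])
    return findings


if __name__ == "__main__":
    from_thread = "ClamAV devel-20041102/605/Wed Nov 24 08:09:47 2004"
    constructed = "ClamAV 0.80"  # constructed sample: no database fields
    for banner, when in [
        (from_thread, datetime(2004, 11, 24, 12, 0)),
        (from_thread, datetime(2004, 12, 1, 12, 0)),
        (constructed, datetime(2004, 11, 24, 12, 0)),
    ]:
        print(banner, "->", definition_findings(banner, when) or "ok")
```

A check like this only confirms that signatures are fresh; it says nothing about whether a given sample is covered by them.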
[IMGate] Re: Question new virus... sober
I've been emailing the log to myself, since Len sent out a message about IMGate not stopping these with the default settings. No errors in the CLAM log FRESHCLAM log or MAILLOG. They get picked up by my Norton Antivirus on the IMail server so I'm happy about that. Not really sure why they aren't stopped by CLAM. But at this time, I don't have a lot of time to test out any new settings or track down the problem ... I have to get ready for the end of year fun as our company closes all 2004 business on Dec 31 and I have to stay until it's all done and in the computer :( (we have one bad program that doesn't know how to keep two years open at the same time, so we really have to close 2004 before anyone can do 2005 business, it SUCKS!) Christopher Checca Packard Transport, Inc. IT Department 24021 South Municipal Dr PO Box 380 Channahon, IL. 60410 815 467 9260 815 467 6939 Fax [EMAIL PROTECTED] www.packardtransport.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Russ Uhte Sent: Wednesday, November 24, 2004 12:08 PM To: [EMAIL PROTECTED] Subject: [IMGate] Re: Question new virus... sober Christopher Checca wrote: ClamAV devel-20041102/605/Wed Nov 24 08:09:47 2004 Do you have any logging turned on for clam or have you checked your maillog? I just wonder if maybe one of clam's dependencies is failing, and therefore can't decode the file to scan it. Just a guess... Also, looking at symantec's website, it appears that this new strand has a habit of corrupting itself. Could these possibly be corrupted versions of the virus that clam won't detect? -Russ --- [This E-mail scanned for viruses by Declude Virus]