[IMGate] Re: How do I whitelist this helo? (Zaep Key: 8c65c8b8.438f79b5.0c420be7)

2005-12-01 Thread William Van Hefner
Cool. Now I have yet another idiot ISP to blacklist and the name of another piece of software to look for in the headers that I can use to REJECT content at the envelope.

New Rules:

/webmail.ki-lin.com/ REJECT ACL 420 WHAT HAS YOUR ADMIN BEEN SMOKING?
/zaep.com/ REJECT ACL 420 WE DO NOT ACCEPT E-MAIL GENERATED BY SOFTWARE THAT SENDS TO FORGED ADDRESSES (Blowback)
/Zaep Antispam/ REJECT ACL 420 SEND ALL COMPLAINTS TO ZAEP.COM ADMIN


William Van Hefner
Network Administrator
Vantek Communications, Inc.


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Zaep AntiSpam
 Sent: Thursday, December 01, 2005 2:31 PM
 To: Christopher Checca
 Subject: [IMGate] Re: How do I whitelist this helo? (Zaep Key: 8c65c8b8.438f79b5.0c420be7)

 Dear Christopher,

 Thanks for your email, but at this point I have NOT actually received your message because I have implemented a challenge-response based anti-spam solution. Before I can receive your message you must respond in ONE of the ways outlined below.

 You will not have to do this again.

 ---
 REPLY TO THIS MESSAGE
 ---
 Simply reply to this email message ensuring the subject of your reply contains the subject of this message. When your reply arrives I will receive your ORIGINAL message and all FUTURE messages.

 Or as an alternate method follow these instructions:

 ---
 CLICK ON THE URL
 ---
 Visit the following URL and follow the simple instructions. When you do this I will receive the message you sent and ALL future messages.

 http://webmail.ki-lin.com:8081/?key=8c65c8b8.438f79b5.0c420be7

 If the above URL does not appear all on one line, copy and paste it into your browser's address bar.

 PLEASE NOTE: If you receive an error message when attempting to visit the above URL, it is very likely that your network is not allowing you to visit my confirmation page. If this is the case, contact your network administrator for help, or contact me by telephone.

 If you do not respond within 7 days, your message will be DELETED and I will not be able to receive messages from you in the future.

 I apologize for this small one-time inconvenience, but I have been forced to implement this challenge-response based anti-spam solution to eliminate 100% of the spam I receive, and it really works!

 To learn more about the software I am using to stop spam, please visit http://www.Zaep.com/. Zaep has stopped 100% of all the spam messages I was receiving every day.

 Thank you,

 [EMAIL PROTECTED]




[IMGate] An e-mail To: x

2005-11-27 Thread William Van Hefner
I did not see this question anywhere in the archives. Hopefully, it isn't
missing because it is too dumb of a question for anyone to have asked
before!

Anyway, I was just wondering if there is ever a legitimate reason to accept
e-mail that has the address x or x in the To: field? I can't say as I
have ever seen a legitimate message with this in the headers. Has anyone
else ever seen this in a legitimate situation? I have the following rule in
my header_checks.regexp file for this:

/^To:.*x/ REJECT ACL 93 Not a valid To: address

I've never received a false-positive report. This stops SOME of these
messages, but not all of them. I don't know enough REGEXP to write a rule
that would simply filter on x (and nothing else) in the To: field. Would
the shortness of such a rule even make it safe, assuming it was possible
to write? Thanks much!


William Van Hefner
Network Administrator
Vantek Communications, Inc.
e-mail: [EMAIL PROTECTED]




[IMGate] Re: reject messages that return 127.0.0.4 code dnsbl.njabl.org

2005-11-04 Thread William Van Hefner
Paul,

If your goal is low false-positives, I recommend the below.

 reject_rhsbl_sender block.rhs.mailpolice.com,
 reject_rhsbl_client dynamic.rhs.mailpolice.com,
 reject_rhsbl_client blackhole.securitysage.com,
 reject_rhsbl_sender blackhole.securitysage.com,
 reject_rhsbl_sender rhsbl.ahbl.org,
 reject_rhsbl_client rhsbl.ahbl.org,
 reject_rbl_client all.rbl.kropka.net,
 reject_rbl_client sbl-xbl.spamhaus.org,
 reject_rbl_client dnsbl.ahbl.org,
 reject_rbl_client psbl.surriel.com,
 reject_rbl_client bl.spamcannibal.com,
 reject_rbl_client pub.mxrate.net=127.0.0.2,


William Van Hefner
Network Administrator
Vantek Communications, Inc.
e-mail: [EMAIL PROTECTED]

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Paul Fuhrmeister
 Sent: Friday, November 04, 2005 1:53 PM
 To: IMGate@mgw2.MEIway.com
 Subject: [IMGate] Re: reject messages that return 127.0.0.4 
 code dnsbl.njabl.org
 
 
 We're giving it a try, I'll let you know how it works.  
 
 What black lists do people on this list use? 
 
 We are now using:
 
  reject_rbl_client relays.ordb.org,
  reject_rbl_client dnsbl.njabl.org=127.0.0.2,
  reject_rbl_client dnsbl.njabl.org=127.0.0.4,
 
 Our objective is no false positives. 
 
 Paul Fuhrmeister
 [EMAIL PROTECTED]
 
  I want to reject messages that return the 127.0.0.4 code from
  dnsbl.njabl.org
  
  (Other return codes from dnsbl.njabl.org would be ignored, message
  goes through.)
 
  I think that it would go something like this:
  
   reject_rbl_client dnsbl.njabl.org=127.0.0.4,
  
  In your main.cf file under smtpd_recipient_restrictions = .
  It should be grouped right along-side your existing DNSBLs.  
  
  
  William Van Hefner
  Network Administrator  
  Vantek Communications, Inc.  
  e-mail: [EMAIL PROTECTED]  
 
 
 
 
 




[IMGate] Re: hotmail being blocked

2005-10-17 Thread William Van Hefner
Omar,

SORBS has never been one of those blacklists that I would trust to outright reject messages. It is probably better used in a weighted system like Spamassassin, Declude, etc. The simple fact is, those servers ARE being used to send spam. So, it isn't like SORBS is reporting bogus information. I've noticed a large increase in spam coming from certain Hotmail servers this past week. Mostly Nigerian 419 scams. If you want to go ahead and completely whitelist all Hotmail servers, be prepared to let a lot of spam get by. If you're going to do that, you might as well let all mail from AOL go through as well, etc. SORBS is a valuable tool, if used correctly. Criticizing them because they are being too accurate just doesn't wash though.

WVH


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Omar K.
 Sent: Monday, October 17, 2005 1:51 AM
 To: IMGate@mgw2.MEIway.com
 Subject: [IMGate] hotmail being blocked

 Anyone else noticed that hotmail mail servers are being blocked by the spam-sorbs list? How unreliable is that! Looks like sorbs is being dropped from my list.




[IMGate] Spam Weasels Bypassing IMGate

2005-10-10 Thread William Van Hefner
All,

I am not sure if this question would be more appropriate on the Imail forum, but here it goes. I have been using IMGate for well over a month now. I have two IMGate boxes on different networks that all of my domain MX records are pointed to. The two IMGate boxes forward legit mail to my one Imail server by IP address. As far as I can tell, there is no MX record of any kind for the Imail box available to the public.

Now, here's the problem. I still have a significant number of spammers sending mail to my Imail box directly, thus bypassing all of IMGate's security. I'm not sure where these spammers are even getting the server info from, unless it is old (cached) information, or perhaps they are targeting the actual FQDN names on my server (I still have A records for mail.thedigest.com)?

I thought about using the SMTP security settings in Imail 8.05 to block all traffic coming from IP addresses besides IMGate, but all of my users are still using mail.thedigest.com for outbound SMTP, and doing that would keep my users from sending outbound mail through IMail, right? Any clues as to how I can close this security loophole? Thanks!


William Van Hefner
Network Administrator
Vantek Communications, Inc.
e-mail: [EMAIL PROTECTED]




[IMGate] Re: Spamware?

2005-09-27 Thread William Van Hefner
Most of these are in Len's list. Any others are ones that have been added from securitysage.com and myself. You will probably have to make a minor tweak to the script spam-stats.pl in order to get these to show up properly in your reports. I have made some rather extensive additions to the ACL list and reject codes, so they do not necessarily match that of the basic IMGate ACLs.

From: header_checks.regexp

# SPAMWARE MAILERS - ACL 85
/^X-Mailer: 0001/                    REJECT ACL 85 MASS MAILER SPAMWARE
/^X-Mailer: Avalanche/               REJECT ACL 85 MASS MAILER SPAMWARE
/^X-Mailer: Crescent Internet Tool/  REJECT ACL 85 MASS MAILER SPAMWARE
/^X-Mailer: DiffondiCool/            REJECT ACL 85 MASS MAILER SPAMWARE
/^X-Mailer: E-Mail Delivery Agent/   REJECT ACL 85 MASS MAILER SPAMWARE
/^X-Mailer: Emailer Platinum/        REJECT ACL 85 MASS MAILER SPAMWARE
/^X-Mailer: Entity/                  REJECT ACL 85 MASS MAILER SPAMWARE
/^X-Mailer: Extractor/               REJECT ACL 85 MASS MAILER SPAMWARE
/^X-Mailer: Floodgate/               REJECT ACL 85 MASS MAILER SPAMWARE
/^X-Mailer: GOTO Software Sarbacane/ REJECT ACL 85 MASS MAILER SPAMWARE
/^X-Mailer: MailWorkz/               REJECT ACL 85 MASS MAILER SPAMWARE
/^X-Mailer: MassE-Mail/              REJECT ACL 85 MASS MAILER SPAMWARE
/^X-Mailer: MaxBulk.Mailer/          REJECT ACL 85 MASS MAILER SPAMWARE
/^X-Mailer: MIME\:\:Lite/            REJECT ACL 85 MASS MAILER SPAMWARE
/^X-Mailer: News Breaker Pro/        REJECT ACL 85 MASS MAILER SPAMWARE
/^X-Mailer: SmartMailer/             REJECT ACL 85 MASS MAILER SPAMWARE
/^X-Mailer: StarfieldSmtp/           REJECT ACL 85 MASS MAILER SPAMWARE
/^X-Mailer: StormPort/               REJECT ACL 85 MASS MAILER SPAMWARE
/^X-Mailer: SuperMail-2/             REJECT ACL 85 MASS MAILER SPAMWARE
/^Bel-Tracking: .*/                  REJECT ACL 85 MASS MAILER SPAMWARE
/^Hel-Tracking: .*/                  REJECT ACL 85 MASS MAILER SPAMWARE
/^Kel-Tracking: .*/                  REJECT ACL 85 MASS MAILER SPAMWARE
/^BIC-Tracking: .*/                  REJECT ACL 85 MASS MAILER SPAMWARE
/^Lid-Tracking: .*/                  REJECT ACL 85 MASS MAILER SPAMWARE


FYI, below is a snapshot from my logs for today. It's not even close to an entire day's logs, but gives a pretty good example of what % of stuff I am catching. The Other in the list is 99% stopped by Greylisting, an incredibly effective tool, if used correctly. Also, notice that I was finally able to get mxrate to work, just by adding the =127.0.0.2 to the main.cf file. It has been a valuable RBL addition. Any other unrecognizable filters are ones that I have written myself. Mostly in CAPS.

  1 SMTP unauthorized pipelining
  1 ACL to_local_recipients unknown recipient
  1 ACL 91 BLACKLISTED FROM ADDRESS
  1 ACL SAV: new verification in progress
  1 ACL 52 SPAMMER MAILING ADDRESS IN BODY
  1 RBL dnsbl.ahbl.org
  2 ACL from_senders_regexp
  2 RBL pub.mxrate.net=127.0.0.2
  3 ACL RAV: unverifiable recipient address
  3 ACL 89 SPAMHAUS NETWORK (Headers)
  3 RBL block.rhs.mailpolice.com
  3 ACL 50 SPAM PHRASE IN BODY
  4 RBL psbl.surriel.com
  4 ACL 92 OBFUSCATED WORD IN SUBJECT
  4 ACL 51 SPAMHAUS NAME IN BODY
  5 ACL 94 TOO MANY BLANK SPACES IN SUBJECT
  5 RBL bl.spamcop.net
  5 ACL 85 MASS MAILER SPAMWARE
  5 ACL 96 SPAM PHRASE IN SUBJECT
  6 ACL header checks
  6 ACL unauthorized relay
  8 RBL rhsbl.ahbl.org
  9 ACL to_relay_recipients unknown recipient
 13 ACL SAV: unverifiable sender address
 16 RBL list.dsbl.org
 18 RBL all.rbl.kropka.net
 22 RBL dynamic.rhs.mailpolice.com
 30 RBL combined.njabl.org
 30 ACL 55 SPAM DOMAIN IN BODY
 30 DNS no A/MX for @sender.domain
 35 ACL helo_hostnames
 58 ACL SAV: undeliverable sender address
 58 DNS nxdomain for MTA PTR hostname (forged @sender.domain)
 79 RBL sbl-xbl.spamhaus.org
318 SMTP Exceeded Hard Error Limit after RCPT
349 SMTP Exceeded Hard Error Limit after DATA
529 ACL RAV: undeliverable recipient address
946 Other

   2614 TOTAL



William Van Hefner
Network Administrator
Vantek Communications, Inc.
e-mail: [EMAIL PROTECTED]

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of List_Mail
 Sent: Tuesday, September 27, 2005 11:53 AM
 To: IMGate@mgw2.MEIway.com
 Subject: [IMGate] Re: Spamware?

 Hello,
 Can you post your list?
 I'd like to do this also.

 Md
 - Original Message -
 From: William Van Hefner [EMAIL PROTECTED]
 To: IMGate@mgw2.MEIway.com
 Sent: Saturday, September 24, 2005 9:22 AM
 Subject: [IMGate] Spamware?

 All,

 I have
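The header_checks rules in this thread (the ACL 85 spamware table above, and the ACL 420 rules against the Zaep challenge-response mail in the later "How do I whitelist this helo?" post) are regexp-table entries, and the only way to know what they will actually reject is to run them against headers. The following is an added example, not code from the page or from IMGate: it emulates how Postfix walks a header_checks table (headers in order, first matching rule wins, body never examined) and then groups the results the way the spam-stats report above does. The sample messages, the example.com/example.net/example.org addresses and 192.0.2.10 are constructed; the function names are the example's own. The patterns are copied as posted, unescaped dots included, so a dot matches any character, which is harmless for these strings but is the first thing to tighten before deploying a table like this.

```python
import re
from collections import Counter

# Rules copied from the posts on this page, as (regexp, action) pairs in
# header_checks table order.  Postfix regexp tables match case-insensitively
# unless the pattern says otherwise, so the evaluator compiles with IGNORECASE.
RULES = [
    # Zaep challenge-response thread (ACL 420)
    (r"webmail.ki-lin.com", "REJECT ACL 420 WHAT HAS YOUR ADMIN BEEN SMOKING?"),
    (r"zaep.com", "REJECT ACL 420 WE DO NOT ACCEPT E-MAIL GENERATED BY SOFTWARE "
                  "THAT SENDS TO FORGED ADDRESSES (Blowback)"),
    (r"Zaep Antispam", "REJECT ACL 420 SEND ALL COMPLAINTS TO ZAEP.COM ADMIN"),
    # a subset of the spamware-mailer table (ACL 85)
    (r"^X-Mailer: Floodgate", "REJECT ACL 85 MASS MAILER SPAMWARE"),
    (r"^X-Mailer: MaxBulk.Mailer", "REJECT ACL 85 MASS MAILER SPAMWARE"),
    (r"^X-Mailer: MIME\:\:Lite", "REJECT ACL 85 MASS MAILER SPAMWARE"),
    (r"^Bel-Tracking: .*", "REJECT ACL 85 MASS MAILER SPAMWARE"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), action) for p, action in RULES]


def logical_headers(raw_message):
    """Split a raw RFC 822 message into its header lines, joining folded
    continuation lines so each logical header is matched as one unit."""
    header_block = raw_message.split("\n\n", 1)[0]
    unfolded = re.sub(r"\n[ \t]+", " ", header_block)
    return [line for line in unfolded.split("\n") if line]


def check_headers(raw_message, rules=COMPILED):
    """Emulate header_checks: walk the headers in order, apply the table to
    each one, and return the action of the first match (None = no match).
    The body is never examined; that is body_checks' job."""
    for header in logical_headers(raw_message):
        for regexp, action in rules:
            if regexp.search(header):
                return action
    return None


def spam_stats(raw_messages):
    """Tally results the way the spam-stats report groups them: by the text
    after REJECT (e.g. 'ACL 85 MASS MAILER SPAMWARE'), with accepted mail
    counted under 'accepted'."""
    counts = Counter()
    for raw in raw_messages:
        action = check_headers(raw)
        counts[action.split(" ", 1)[1] if action else "accepted"] += 1
    return counts


# Constructed sample messages (not from the page); only the headers matter.
SAMPLES = {
    # the C/R challenge: the host name sits in a folded Received: header
    "zaep_challenge": (
        "Received: from webmail.ki-lin.com (webmail.ki-lin.com [192.0.2.10])\n"
        "\tby mx.example.net with ESMTP id 1\n"
        "From: someone@example.org\n"
        "Subject: Re: hello\n"
        "\n"
        "Thanks for your email, but ..."
    ),
    "floodgate": "From: bulk@example.com\nX-Mailer: Floodgate 2.0\nSubject: buy now\n\nbody",
    # MIME::Lite is a general-purpose Perl module, so this rule also hits
    # legitimate application mail; this is the false-positive check to run
    "mime_lite": "From: app@example.com\nX-Mailer: MIME::Lite 3.01\nSubject: report\n\nbody",
    # product name appears only in the body: header_checks does not see it
    "body_mention": "From: alice@example.com\nSubject: hi\n\nI use Zaep Antispam at home.",
    "clean": "From: alice@example.com\nTo: bob@example.net\nSubject: lunch\n\nbody",
}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:15} -> {check_headers(raw)}")
    for reason, n in sorted(spam_stats(SAMPLES.values()).items()):
        print(f"{n:4} {reason}")
```

Running it shows the challenge message rejected on its Received: line before any later header is looked at, the two X-Mailer samples rejected under ACL 85, and the message that only mentions Zaep in its body accepted, which is why a product name in the body needs a body_checks entry rather than a header_checks one.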

[IMGate] pub.mxrate.net

2005-09-12 Thread William Van Hefner
Does anyone out there have any idea how to implement pub.mxrate.net as an
RBL in Postfix? It seems that they do not operate as a regular blacklist,
but instead return hits on bad senders, good senders, and suspicious.
Their website is at http://www.mxrate.com . It says that their RBL should
work with Postfix, but they give no specific instructions on how to get it
to work. When I tried simply using pub.mxrate.net it wound-up bouncing mail
from known good servers.


William Van Hefner
Network Administrator
Vantek Communications, Inc.
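This post and the earlier "reject messages that return 127.0.0.4 code dnsbl.njabl.org" thread both turn on the same Postfix detail: `reject_rbl_client zone` rejects on any A record the list returns, while `reject_rbl_client zone=d.d.d.d` rejects only on that one answer. A list that publishes "good", "bad" and "suspicious" codes under one zone therefore has to be used with the `=` form, which is what the poster eventually found with `pub.mxrate.net=127.0.0.2`. The following is an added example, not code from the page, from IMGate or from either list operator: it builds the reversed-octet query name, parses both restriction forms and evaluates a list of restrictions in order. The zone data is a constructed stand-in for DNS (none of the entries are real listings, and the codes carry no meaning beyond this example), the client addresses are from 192.0.2.0/24, and the function names are the example's own.

```python
import ipaddress
import socket

# Constructed zone data standing in for live DNS (none of these are real
# listings).  It maps a DNSBL query name to the A records the list returns.
FAKE_DNS = {
    "10.2.0.192.dnsbl.njabl.org": ["127.0.0.2"],   # listed with code 2
    "11.2.0.192.dnsbl.njabl.org": ["127.0.0.4"],   # listed with code 4
    "12.2.0.192.dnsbl.njabl.org": ["127.0.0.3"],   # listed with some other code
    "13.2.0.192.pub.mxrate.net":  ["127.0.0.2"],   # the code the poster keys on
    "14.2.0.192.pub.mxrate.net":  ["127.0.0.9"],   # some other answer
}


def fake_resolve(name):
    """Resolver for the constructed zone: [] stands for NXDOMAIN (not listed)."""
    return FAKE_DNS.get(name, [])


def live_resolve(name):
    """Real lookup through the system resolver; NXDOMAIN becomes [] as above."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def query_name(client_ip, zone):
    """Reverse the octets and append the zone: 192.0.2.10 -> 10.2.0.192.<zone>."""
    octets = ipaddress.IPv4Address(client_ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def parse_restriction(spec):
    """'zone=127.0.0.4' -> ('zone', '127.0.0.4'); 'zone' -> ('zone', None),
    where None means any A record at all counts as listed."""
    zone, _, code = spec.partition("=")
    return zone, (code or None)


def rbl_check(client_ip, restrictions, resolve=fake_resolve):
    """Walk reject_rbl_client entries in order and return a reject reason for
    the first one that matches, or None if no list says 'listed'."""
    for spec in restrictions:
        zone, wanted = parse_restriction(spec)
        answers = resolve(query_name(client_ip, zone))
        if not answers:
            continue                      # NXDOMAIN: not on this list
        if wanted is None or wanted in answers:
            # reason text modelled on, not copied from, the Postfix reject line
            return f"Client host [{client_ip}] blocked using {spec}"
    return None


if __name__ == "__main__":
    njabl_code_4_only = ["dnsbl.njabl.org=127.0.0.4"]
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
        print(ip, rbl_check(ip, njabl_code_4_only))
    print("192.0.2.14 bare zone   :", rbl_check("192.0.2.14", ["pub.mxrate.net"]))
    print("192.0.2.14 =127.0.0.2  :", rbl_check("192.0.2.14", ["pub.mxrate.net=127.0.0.2"]))
```

With the bare `pub.mxrate.net` entry the host that gets a non-127.0.0.2 answer is rejected as well, which is the "bouncing mail from known good servers" behaviour described above; with `pub.mxrate.net=127.0.0.2` only the hosts returning that exact code are rejected. Pass `resolve=live_resolve` to run the same logic against real DNS.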

 




[IMGate] Re: IMGate/Postfix under Ubuntu/Debian

2005-09-09 Thread William Van Hefner
Aaron,

First of all, you might want to uninstall any programs that you aren't actually using. That will not only save you some disk space, but keep dependency issues to a minimum.

Secondly, you might also try editing the /etc/apt/sources.list directly and follow the directions in the # comments section in order to upgrade to the unsupported software in Ubuntu. I was able to upgrade to the latest version of Postfix by following the directions in that file. It is very simple. Just comment/uncomment a couple of lines in the text file.

Next, you might try just running apt-get from the command line, rather than Synaptic. Sometimes apt-get seems better at solving dependency problems. After you have modified the above file, just go to the command line and enter apt-get upgrade postfix (no quotes). That will hopefully do the trick.

If that doesn't work, you might consider just ditching Ubuntu altogether and installing the Testing version of Debian. I ended up doing that for what is now my main IMGate box, and it was a lot less of a hassle than I thought it would be. The install CD-ROM is only like 100MB, and although it is called Testing, I have found that version to be rock solid, at least for all of the apps that I am running. The main stuff that I have on the box is Postfix (duh!), BIND 9, Webmin, PERL, SSH, etc. It is very lean and mean, and my average CPU usage is something like .01%. It has blocked over 3,200 messages so far today, running a 2.6 GHz Athlon XP, a single 20GB IDE drive, 1GB of PC133 RAM and Len's scripts, along with my own set of limited rules and domain blacklist, which alone is blocking more traffic than all of the RBLs combined.


William Van Hefner
Network Administrator
Vantek Communications, Inc.

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Clausen
 Sent: Thursday, September 08, 2005 4:11 PM
 To: IMGate@mgw2.MEIway.com
 Subject: [IMGate] Re: IMGate/Postfix under Ubuntu/Debian

 On Thu, September 8, 2005 6:29 am, William Van Hefner wrote:
  A.

  Yes, you can change the directory that is used by Ubuntu (or any distro based upon Debian) to that of a server which has the latest Testing release. By default, I believe that Ubuntu is set up to look to the CD ROM first for new installs and to the Security distro download site in order to download updates. If you go into the settings in the Synaptic package manager, you can manually change the address for updates to the Debian testing version. You can either replace the Security URL, or add a new place to look for software. Just add the path http://ftp.us.debian.org/debian/ . If this doesn't work, I believe that you can manually edit the table that apt-get uses to look for updates by editing the text file /etc/apt/sources.list. You will need to add the following line to that file:

  deb http://ftp.us.debian.org/debian/ testing main contrib

  You can go ahead and # Comment out the Ubuntu directory temporarily. This way Synaptic and apt-get will look online to the latest testing version of Debian for all software you ask it to (don't run the security updates GUI, or it will tell you that you need to update every package on your system!). Be sure to change the settings back, if you do not want to upgrade anything else afterwards. You should at least upgrade to the latest version of Postfix, Postgrey, Spamassassin and any other mail-related programs you might be using. They have all integrated fine into my system. Six weeks ago I couldn't even install Linux by myself. I wish that I'd listened to Len and set up an IMGate box years ago. Hope this helps.

  P.S. Don't forget to back up your original config files. The upgrade should go smoothly, but you never know.

 I tried as you suggested, but there were numerous dependency problems. Synaptic even wanted to uninstall Linux-386! I'm at a bit of a loss on how to proceed.

 --
 Aaron Clausen [EMAIL PROTECTED]




[IMGate] Re: IMGate/Postfix under Ubuntu/Debian

2005-09-08 Thread William Van Hefner
A.

Yes, you can change the directory that is used by Ubuntu (or any distro based upon Debian) to that of a server which has the latest Testing release. By default, I believe that Ubuntu is set up to look to the CD ROM first for new installs and to the Security distro download site in order to download updates. If you go into the settings in the Synaptic package manager, you can manually change the address for updates to the Debian testing version. You can either replace the Security URL, or add a new place to look for software. Just add the path http://ftp.us.debian.org/debian/ . If this doesn't work, I believe that you can manually edit the table that apt-get uses to look for updates by editing the text file /etc/apt/sources.list. You will need to add the following line to that file:

deb http://ftp.us.debian.org/debian/ testing main contrib

You can go ahead and # Comment out the Ubuntu directory temporarily. This way Synaptic and apt-get will look online to the latest testing version of Debian for all software you ask it to (don't run the security updates GUI, or it will tell you that you need to update every package on your system!). Be sure to change the settings back, if you do not want to upgrade anything else afterwards. You should at least upgrade to the latest version of Postfix, Postgrey, Spamassassin and any other mail-related programs you might be using. They have all integrated fine into my system. Six weeks ago I couldn't even install Linux by myself. I wish that I'd listened to Len and set up an IMGate box years ago. Hope this helps.

P.S. Don't forget to back up your original config files. The upgrade should go smoothly, but you never know.


William Van Hefner
Network Administrator
Vantek Communications, Inc.



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Clausen
 Sent: Wednesday, September 07, 2005 2:13 PM
 To: IMGate@mgw2.MEIway.com
 Subject: [IMGate] Re: IMGate/Postfix under Ubuntu/Debian

 Alright, I've got Ubuntu 5.4 installed. I see that it comes with Postfix, but obviously to get stuff like Anvil up and running, I need to install the experimental version. Any notions on how to do this?

 --
 A. Clausen




[IMGate] antivirus engines

2005-09-05 Thread William Van Hefner
I was just wondering if anyone out there has been able to get any other cheap/free/inexpensive Linux command line antivirus scanners to work with IMGate? A copy of the F-Prot scanning engine was included with the Ubuntu distro, but there is really no documentation on how to get it to work. There does seem to be an option to get it to work in MailScanner, which is another add-on to Postfix, but that requires a lot of extra work to install. CLAMAV seems to work just fine on its own. All of the commercial mail server licensed versions of these scanners I have seen are way out of my budget. Thanks.


William Van Hefner
Network Administrator
Vantek Communications, Inc.
e-mail: [EMAIL PROTECTED]