I'm eagerly awaiting the results of your research :)
Well, I wish I had better news, but the problem (they'd call it a
feature, and for once I think I'd agree) is that MS SMTP normalizes
the envelope fields as part of normal message flow. Thus, even
though the IIS and ORF logs
Are there any tests (or any chance to add in the near
future) for the message size and for the number of
recipients?
http://www.mail-archive.com/[EMAIL PROTECTED]/msg16853.html
Markus
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail
I only know the answer to point 1, this would count as 20 messages.
Don't think 2 or 3 are possible.
I also have a question about HiJack... Authenticated users are still
bound to the hijack limits aren't they?
-Original Message-
From: Serge [mailto:[EMAIL PROTECTED]
Sent: 06 April
Hello,
I received the following email... it only got a weight of 6. When I ran
the dnsstuff spam lookup it failed more things than what is listed. I have
my config file at the bottom I also have the log entries
Why did it make it thru.
Bennie
hi scott,
i know it's been discussed before, but isn't there a possibility to add something to declude,
that deals with preceding spaces in filters?
for example:
ANYWHERE 20 CONTAINS badword
catches:
- badword
-anotherwordbadword
etc.
but it's not possible to catch only the "
1- A message with 20 recipients, does it count as 1 message or 20 messages
toward the threshold?
It will count as 20 E-mails (since spammers typically operate that way).
2- If a user exceeds threshold 1, and not 2, is there a way to release his
held messages at a certain hour, rather than after
I see many ways to adjust levels of logging, is there any way to
temporarily turn it off to save processing power?
The best option in this case, if you are sure that you do not want logging,
is to use LOGLEVEL WARN. This will only report warnings and errors to
the log file, which you really
i know it's been discussed before, but isn't there a possibility to add
something to declude, that deals with preceding spaces in filters?
Yes, it has been discussed before, and the answer is that it is much more
difficult to implement than most people realize (it would involve both code
to
i know it's been discussed before, but isn't there a
possibility to add something to declude, that deals
with preceding spaces in filters?
http://www.mail-archive.com/[EMAIL PROTECTED]/msg16885.html
Markus
http://www.newscientist.com/news/news.jsp?id=ns4858
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe
Wondering if a rule in Declude could trap such an email?
This is actually a very old vulnerability in almost all mail
servers.
--
Roger Heath
[EMAIL PROTECTED]
www.rleeheath.com
- Copy of Original Message(s): -
MS http://www.newscientist.com/news/news.jsp?id=ns4858
Getting this error message in logs. Didn't see it last week. It was in the
last interim I was running, and it is in 1.79 beta. Don't find a reference
to it in the archives.
Don't recall making any change to global.cfg recently.
Here's a log snippet (logging set to debug):
04/06/2004
Does Imail have this problem ?
If So, what can we do to fix it ?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Lee Heath
Sent: Tuesday, April 06, 2004 8:59 AM
To: Mark Smith
Subject: Re: [Declude.JunkMail] OT: Email attack could kill servers
Rob, check your spelling of ANYWHERE there is a typo in it.
Andrew 8)
-Original Message-
From: Robert Grosshandler [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 06, 2004 9:07 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Invalid Whitelist Type: Anywhere
Getting this error
It looks to me like this e-mail should have failed SpamRouting, but it
passed. Declude headers show it was routed US---Chile--Destination (US).
Using Pro ver 1.78i31, but upgrading to 1.79 beta momentarily.
Received: from SMTP32-FWD by inetconcepts.net
(SMTP32) id A07AC9635; Tue, 6 Apr 2004
Big Duh!!! Slapped my wrist, sorry for the dumb question.
Rob
Rob, check your spelling of ANYWHERE there is a typo in it.
Andrew 8)
Scott,
I have tried scripting several different things with vbscript for use
as external tests in Declude to no avail. Here for example is a simple
piece of code that can detect if a message is above or below a certain
size:
Dim Args, oFSO, oFile
Set Args = WScript.Arguments
Set oFSO =
Matt,
try using CSCRIPT to execute the script. CScript is the console version of WSH
and it may return your code properly.
Kevin Bilbee
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Tuesday, April 06, 2004 12:53 PM
To: [EMAIL
Probably need to use cscript to call the vbs file
like "cscript filesize.vbs d0smd"
Also, it would probably be much better to compile
this into a C++ or C#/VB.net console app. Interpreted code like this
runs a lot slower than compiled. Haven't done tests for this in
the past couple of
It looks to me like this e-mail should have failed SpamRouting, but it
passed. Declude headers show it was routed US---Chile--Destination (US).
Using Pro ver 1.78i31, but upgrading to 1.79 beta momentarily.
Received: from dutch-courage.com [164.77.48.71] by inetconcepts.net
(SMTPD32-8.05) id
I run my own dns server...
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, April 06, 2004 7:29 AM
Subject: Re: [Declude.JunkMail] Why is this getting thru
I received the following email... it only got a weight of 6.
That's
RSP It went from 216.65.3.237 to 164.77.48.71 to your mailserver. Both those
RSP IPs are from North America, so the ROUTING test does not get triggered.
However, when I just did a ARIN lookup on 164.77.48.71, it says that
IP belongs to LACNIC. A LACNIC lookup says the IP is located in Chile.
So,
I run my own dns server...
Is it listed in the IMail SMTP settings?
I would try running some tests, such as ping 2.0.0.127.bl.spamcop.net
to see if it is functioning properly (you should see [127.0.0.2] in
response to the ping).
-Scott
---
Kevin and Darin,
This is something that would be configured as an external test in
Declude, and it's not calling any other programs so I'm not sure that
cscript is useful here. If I was calling something like Sniffer, I do
understand that the call should be made with cscript though. I also
Sandy,
Am I correct in assuming that you attempted something similar to the
following script on the VAMSoft site?
Envelope header information
http://www.vamsoft.com/orf/tools.asp#smtpenvl
This is how they add headers to the messages containing the MAIL FROM
and RCPT To data. I get the
I just wanted to clarify also that I have been testing with
WScript.Quit(30) instead of a code of 1.
Matt
Matt wrote:
Kevin and Darin,
This is something that would be configured as an external test in
Declude, and it's not calling any other programs so I'm not sure that
cscript
Then, does %countrychain% get its info from a different, more correct
source? It showed Chile in the flow.
Tuesday, April 6, 2004, 3:29:35 PM, R. Scott Perry [EMAIL PROTECTED] wrote:
RSP It went from 216.65.3.237 to 164.77.48.71 to your mailserver. Both those
RSP IPs are from North America,
Scott, is there a reason why Declude isn't accepting the result code from
WScript.Quit? Here's a sample piece of code that I was using to test:
- Global.cfg -
EXTERNALTEST external 30 C:\IMail\Declude\test.vbs 0 0
- test.vbs -
Andrew,
Thanks for taking the time to check things out. I haven't tried
calling the script with another script, just Declude, so there are no
cscript calls being made here. I came across this old post where Scott
provided some background though on the "ExitProcess" method:
Matt,
what is the line in declude for calling the script???
I did not intend for you to change your script. Change the line in declude to call the
script using "cscript.exe nameofscript.vbs".
Leave your script the way you have it.
Kevin Bilbee
-Original Message-
From:
Try this
- Global.cfg -
EXTERNALTEST external 30 cscript C:\IMail\Declude\test.vbs //nologo //T:60 0 0
Kevin Bilbee
Hi Matt,
WScript.Quit(errorlevel) is the correct command
within your script. The problem is that you probably need to explicitly
call cscript and pass it the vbs script name as mentioned before. Cscript
is always used to process WScript or VBScript, but depending on your
environment, you
I would appreciate advice on how to make junkmail (pro) ignore checking spam
for a certain domain name please
Cheers
Peter
I would appreciate advice on how to make junkmail (pro) ignore checking spam
for a certain domain name please
Two options here would include [1] a line WHITELIST TODOMAIN @example.com
in the \IMail\Declude\global.cfg file, or [2] a per-domain file
\IMail\Declude\example.com\$default$.JunkMail
Thanks for your quick response Scott
Cheers
Peter
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Wednesday, 7 April 2004 11:20 a.m.
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Tell junkmail not to scan email to a domain
Hi Matt,
What we're saying is to try this
EXTERNALTEST external 30 "cscript.exe C:\IMail\Declude\test.vbs" 0 0
instead of
EXTERNALTEST external 30 "C:\IMail\Declude\test.vbs" 0 0
Not sure, but you may have to provide a path to
cscript.exe. It should be in the
I am having limited success in using this, as the Declude headers are not
being added to the copied D file. Is there a way that the process can be
changed, whereby the file is copied AFTER all headers are added, not at the
moment the test is run?
John Tolmachoff
Engineer/Consultant/Owner
Matt, try the more verbose:
EXTERNALTEST external 30 "C:\Windows\System32\cscript.exe C:\IMail\Declude\test.vbs //B //NoLogo //T:2" 0 0
I don't know how that will mangle the order of the parameter passing of the message filename, but
sniffer manages to cope with a
I am having limited success in using this, as the Declude headers are not
being added to the copied D file. Is there a way that the process can be
changed, whereby the file is copied AFTER all headers are added, not at the
moment the test is run?
No, there is not (at least not currently), given
Can we specify the holding directory in the Hold action ? or can this be
added in the near future ?
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, April 07, 2004 12:11 AM
Subject: Re: [Declude.JunkMail] COPYFILE
I am having
Continuing my training in declude hijack;
1- Does hijack work on IP basis, or mail from basis? If IP, and a client
gets to a threshold, then disconnects, and another client connects to that
same modem (IP), the second client will be penalised?
2- Threshold 1 = 20, Threshold 2 =50
A client send
Thanks everyone for your help here. The CScript method does in fact
work! Looks like I'll probably be able to get some of those other
things taken care of as well now that I understand what was at issue
here, or at least how to work around it.
Darin, I hear you loud and clear about the
1. Hijack is IP based, so IP is time tracked, irregardless of who is behind
it.
2. All 25 will be released at once.
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of serge
Can we specify the holding directory in the Hold action ? or can this be
added in the near future ?
That is something that we plan on adding.
-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers
since 2000.
Declude
1. Hijack is IP based, so IP is time tracked, irregardless of who is behind
it.
So that makes it unusable for dial up connections.
Still can be useful for our wireless clients, those are assigned fixed IPs.
But we will have to hijack white list all the Dial up IPs, correct ?
- Original
Matt,
I would definitely be interested by the code.
I suppose you are going to pass a size as a
parameter to the script, and have the test pass or fail if the file is
smaller/larger than the parameter?
Also, I am curious about the test environment you
are using, is this documented somewhere?
Am I correct in assuming that you attempted something similar to the
following script on the VAMSoft site?
In the same vein, yes (though actually part of an existing compiled
sink that we wrote).
This is how they add headers to the messages containing the MAIL
FROM and RCPT To data.
Glad it's working now.
There's a significantly different object model in .NET, so you'll have to
rewrite the file access portions to use the new objects... and you
obviously have to have the framework deployed on the server to use it, but I've
been very pleased over the past couple of
Definitely,
I see this as primarily being used in two ways
1. Reduce false positives by negative weighting
larger files maybe...
2. Stopgap for new viruses until new definitions
are released by check for file size ranges (assuming a particular virus always
sends similar file sizes).
Sandy,
Well, I haven't yet given up. For one, I could ask VAMSoft if
they could allow for header tagging of this type. There is another
kludge though that I am thinking might be of use here...
With a recent IMail release, you can now set up peering to use RCPT TO
to test incoming
Serge,
I was actually going to hard code the size parameters in the script
because I believe Declude will end up running it multiple times if the
calls are different, but only once if they are all the same and you are
tracking different result codes.
So far I've thought that I would do one
So that makes it unusable for dial up connections.
Still can be useful for our wireless clients, those are assigned fixed
IPs.
But we will have to hijack white list all the Dial up IPs, correct ?
No, it makes it still usable for dial up connections.
If user A sends out enough messages to
With a recent IMail release, you can now set up peering to use RCPT
TO to test incoming messages for valid senders.
Right, but the resulting envelope behavior is not different from the
old VRFY scenario, AFAIK.
As long as IMail does envelope rejection for peered domains that
fail