Hello, All,
In addition to doing spam filtering for some of our IMail hosting customers
we also do Store and Forward filtering for a few domains. In the past day
or so I've had complaints from Store and Forward customers about an increase
in spam. When I check the headers of the e-mail they are
Absolutely! Once we installed a Postfix gateway and updated the MX records
for a particular domain under constant dictionary attacks we dramatically
cut down the network flood of unknown users. However that domain is still
getting a smaller flood of unknown user spam at the old location. We suspect
I've seen about 4 different spammers, 3 zombie spammers/gangs and one
static porn spammer, cache old MX records for indefinite periods of
time. It appears that they load their machines with a table containing
the IP of the domain in question, and they don't often refresh such
records, and
Michael,
If you can't lock down the mail server, just change the IP once all of
the MX records no longer point to that box. As far as I can tell, they
don't cache the MX records, they only cache the IP that the old MX
records resolved to. I was concerned about the possibility of spammers
Hi Dan,
What we do for our store and forward customers is to lock down their
firewall to only accept port 25 traffic from our IPs. Instant end to the
end-around problem.
I moved a MX record about a week ago for a domain and I am still seeing
about 1000 messages per day still hitting the old IP
We're having a problem with some spam being
whitelisted when it shouldn't be. Here's the situation:
[EMAIL PROTECTED] is an alias that
redirects to account@domain2.com
domain1.com is whitelisted, domain2.com
isn't.
For all other domains this is working fine
(whitelisted or not), and mail
Message header and logs both show whitelisted:
X-Note: Spam Tests Failed: Whitelisted
Log (loglevel high) shows
11/18/2004 15:19:18 Q03614e0103e09e9d SNIFFER:125 AHBL:42 CSMA-SBL:35
PSBL:14 SBL:49 SPAMCOP:100 UCEPROTECTL2:21 MAILPOLICE-BULK:105
AHBLPROXIES:35 NJABLPROXIES:35 SPAMHEADERS:21 .
Log (loglevel high) shows
11/18/2004 15:19:18 Q03614e0103e09e9d E-mail whitelisted - automatically
passing all spam tests [EMAIL PROTECTED]
11/18/2004 15:19:18 Q03614e0103e09e9d From:
[EMAIL PROTECTED] To: [EMAIL PROTECTED] IP:
66.63.173.35 ID: hoi9de050u4e
Again, [EMAIL PROTECTED] is an alias
Looks like it settled down to only a 6x increase over 24 hours. Seems to be
sustained, though...across all domains.
Good thing is with some simple tweaks we're not seeing any more than normal
slip through, so our catch rate looks to be 99.5% or better and no more
false positives than normal,
We have a few customers with multiple OU's that contain employees (i.e.
by Departments). Is there a way to include all the OU's on a single
LDAP:// parameter line or do I need to just run it several times for
each OU and not use the -nc flag except on the very first run. Thanks
again,
Keith
---
Ahh...you mean SWITCHRECIP ON grin
Yes, we are...have been for quite a while. I see where you're going with
this...but then I'm curious as to why it would suddenly start whitelisting
this when it didn't previously. We have a number of other domains that
don't have filtering, but use alias
We are definitely seeing something... 10 fold - no, but something is
definitely there.
0  464
1  654
2  728
3  543
4  532
34: 537.5
12: 691
~ 22% --- that's something.
_M
On Thursday, November 18, 2004, 5:06:53 PM, Darin wrote:
DC Looks like it settled down to
Ahh...you mean SWITCHRECIP ON grin
That would do it -- that tells Declude JunkMail to use the intended
recipient (the one the E-mail was sent to) rather than the actual recipient
(the one the alias points to) for the config file.
Yes, we are...have been for quite a while. I see where you're
Hi all,
I am not sure if I really want to do this but:
I have a BYPASS filter that looks at headers and if there is an attached
PDF, XLS etc it will make my expensive BODY filters be bypassed. So
should I add:
BODY 0 CONTAINS Content-Type: image/jpeg
I see a lot of SPAM that has links to JPGs
Hmmm...
With forwarding (regardless of your Declude settings), Declude will look at
the actual user (the one with the mailbox on the server), not the E-mail
address that it gets forwarded to.
It actually comes in to an alias (postmaster), and I'm proposing alias
forwarding to an account in that
With forwarding (regardless of your Declude settings), Declude will look at
the actual user (the one with the mailbox on the server), not the E-mail
address that it gets forwarded to.
It actually comes in to an alias (postmaster), and I'm proposing alias
forwarding to an account in that domain,
To avoid confusion, it's best to use "account" to refer to a user account
that has a password (as opposed to an alias), and "forward" to refer to an
E-mail going from a user account to another account (again, as opposed to
an alias), and "points to" to refer to an E-mail going from an alias to a
You will be able to get this hotfix for free.
They do not charge for issues like this.
Darrell
---Check out http://www.invariantsystems.com for
utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring,
MRTG Integration, and Log Parsers.
Ok thanks. I will try and find one of the
millions of phone numbers to contact them and get the fix.
Kyle
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell
([EMAIL PROTECTED])
Sent: Thursday, November 18, 2004
10:23 PM
To: [EMAIL PROTECTED]
Subject: Re:
Hi, Dan-
Is the IP of the POP server nowhere to be found in DNS? It seems to me that
would be unlikely unless the end users are entering IP addresses into their
mail client software - a very bad idea from a system management perspective.
It is a simple matter to port scan all addresses in a DNS
I see a lot of SPAM that has links to JPGs but I have not seen SPAM with
JPGs in it.
There has been both spam and viruses that use picture files.
I have seen spam with a picture file, which is the message. Of course, that
is not the smartest thing as whatever link is there is not clickable,
Hi,
Phone
MS Tech Adv (WinNT)
800-936-4900
Tell them the KB article number and tell
them to e-mail you the link. You will not be charged. One of two things will
happen.
Most probably you will spend a bunch of
time answering questions and then they will e-mail you the link.
I am having a problem with 2003 Std. DNS and Declude's
queries. It is not Declude but actually MS DNS. I finally found two
articles from Microsoft saying it is a memory leak due to excessive queries and
to contact them for the hot fix, but there is nowhere to download it without
contacting