RE: [Declude.JunkMail] Originating IP -I'm confused, please don't flame me...

2003-11-12 Thread Marc Catuogno
I guess I never really looked.  I just assumed that when mail came from
my server, even if it was to a local user, that it would have the IP of
my server as the sending IP, as it would if my server was sending mail
to another server.

I wonder if I had them authenticate at a different SMTP or did a store
and forward server and having that IP whitelisted, if that would assuage
this issue.

IMAIL 8 scares me.  80% of my users use the web interface exclusively
and the reported slowness will get me tarred and feathered


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sanford
Whiteman
Sent: Wednesday, November 12, 2003 1:12 AM
To: Marc Catuogno
Subject: Re: [Declude.JunkMail] Originating IP -I'm confused, please
don't flame me...

> Why wouldn't they be getting the IP of my server once they
> authenticate?

Does this happen with other users? Of course not! Since Declude with
IMail 7.x and lower doesn't know whether a connection was AUTHed,
there's no way that this could work. And with 8.x and higher, the
connecting IP remains the same even if WHITELIST AUTH is on--as logic
would predict, no?

-Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]


---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


Re[2]: [Declude.JunkMail] Originating IP -I'm confused, please don't flame me...

2003-11-12 Thread Sanford Whiteman
> I just assumed that when mail came from my server...

From your server = originating IP is your server's IP. This is not
the case when sending from any MUA other than an app running on the
server itself!

You've def'ly been confused about the connecting IP of mail from your
local users, from spammers, from legit remote users...in all cases,
the IP is the IP that connects to your server to send mail, pure and
simple. There's no translation of the IP for anyone.

> I wonder if I had them authenticate at a different SMTP or did a
> store and forward server and having that IP whitelisted, if that
> would assuage this issue.

Well, that's one way to do it, if you don't mind disparate userbases,
unnecessary dedicated servers, et al.

> IMAIL 8 scares me. 80% of my users use the web interface exclusively
> and the reported slowness will get me tarred and feathered...

Why don't you try with IMail Express and see what you think first? You
seem a prime candidate for WHITELIST AUTH, and it's painful to know
you're jumping through hoops to avoid that straightforward solution.

-Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]




Re: [Declude.JunkMail] Junkmail Tests and Configs

2003-11-12 Thread Jonathan
I'm sorry, when I said the help files .. I meant the online manual. Those 
are the files I used as a reference.

Jonathan

At 08:13 PM 11/11/2003, you wrote:

>> In an effort to clean up our junkmail configs, and only use valid tests,
>> we cleaned out our previous tests (old services that were dead etc) and
>> replaced them with the ones currently in the declude help files.  Since
>> then, we've been seeing complaints of increased spam/etc.  Does anyone
>> have some good configs they'd be willing to share? Good RBLs to
>> use/etc.  I'd really appreciate it, it's gettin pretty bad here.
> Don't go by the help files -- go by the default config files at
> http://www.declude.com/junkmail/manual.htm .  They have the tests that we
> currently recommend, which should do a very good (not perfect, though) job
> of catching spam.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.



RE: [Declude.JunkMail] OT: Do you use ColdFusion? - Java?

2003-11-12 Thread Craig Gittens
The neat thing about Postini though is that my delivery load PrePostini was
220,000 emails AFTER Declude sorted. PostPostini it is now 35,000. Postini
stops DHA and SPAM DOS as well. They use Postfix. It really is neat and I
would prefer if I could have the staff and resources to build a redundant
infrastructure like that but I don't so we will do this for now. Perhaps
they will one day integrate it with mail suites like Imail and Brightmail
but that is the only drawback I see ATM. Maybe you should bite the bullet
and offer the service to your customers as well. (The ROI makes sense if you
are inundated with SPAM. BW savings is a factor if your BW is expensive.)

Craig.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Sheldon Koehler
Sent: Thursday, November 06, 2003 10:39 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] OT: Do you use ColdFusion? - Java?


> I'd gladly pay for something that worked.

I did not expect it for free. I have the KWM price in mind as a point I
could get my partners to go for. Any higher than this and it would be a very
hard sell for me. So this means a lot of people need to be interested in it!

Our local competition uses Postini. And I have lost a few customers over to
them as people do seem to like that interface. However, I have thrown out
the security thing to muddy the waters ;-) We do not send their email
out to someone else's servers... I let them draw their own wrong
conclusions...

But if I could lighten my own load and give users an easy to use interface,
I would be extremely happy!

Sheldon


Sheldon Koehler, Owner/Partner    http://www.tenforward.com
Ten Forward Communications        360-457-9023
Nationwide access, neighborhood support!

Whenever you find yourself on the side of the majority, it's time
to pause and reflect. Mark Twain




[Declude.JunkMail] URL Redirectors

2003-11-12 Thread George Kulman
Hi all,

I have an IMail client who doesn't have budget funds available for Declude
where these are easily filterable.  A fair amount of their spam contains a
URL redirection such as:

http://drs.yahoo.com/effloresce/*http://click.com-click.com.ph/click.php?id=
leneyeiID=40gi=hallmark

1.  Is anyone aware of a dnsbl that deals with spamming URL redirectors?
2.  Is anyone aware of legitimate email using this type of URL?
3.  Is the drs.yahoo.com ever used for legitimate email?

TIA,

George
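
An added example, not part of George's post and not Declude code: one way a filter can look past the redirector host and evaluate the destination embedded in URLs of the form quoted above. The function names, the example.* hosts and the one-entry local blocklist are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
SCHEME_RE = re.compile(r"https?://", re.IGNORECASE)


def embedded_targets(url, max_depth=5):
    """Return the URLs nested inside `url`, outermost first.

    Two shapes are handled: a URL appended to the path (the "/*http://..."
    form quoted in this thread) and a URL carried in a query parameter.
    """
    chain, current = [], url
    for _ in range(max_depth):            # bounded: redirectors can be chained
        parts = urlsplit(current)
        path = unquote(parts.path)
        match = SCHEME_RE.search(path)
        if match:
            # Destination appended to the path; the query belongs to it.
            nxt = path[match.start():]
            if parts.query:
                nxt += "?" + parts.query
        else:
            # Destination passed as a (percent-encoded) parameter value.
            nxt = next((value for _key, value in parse_qsl(parts.query)
                        if SCHEME_RE.match(value)), None)
        if nxt is None:
            break
        chain.append(nxt)
        current = nxt
    return chain


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def listed(host, blocked_domains):
    """True if host equals a blocked domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in blocked_domains)


def flag_redirects(body, blocked_domains):
    """Return (visible_host, final_host, final_host_is_listed) for every
    URL in `body` that carries another URL inside it."""
    findings = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;:)!?")       # drop sentence punctuation
        chain = embedded_targets(url)
        if chain:
            final = host_of(chain[-1])
            findings.append((host_of(url), final,
                             listed(final, blocked_domains)))
    return findings


# Constructed message body. The first URL is the one quoted in the post
# above (as archived); the example.* hosts are placeholders.
SAMPLE_BODY = """\
Cards: http://drs.yahoo.com/effloresce/*http://click.com-click.com.ph/click.php?id=leneyeiID=40gi=hallmark
News: http://redir.example.com/r?u=http%3A%2F%2Fnews.example.org%2Fstory&src=mail
Home page: http://www.example.com/index.html.
"""
LOCAL_BLOCKLIST = {"click.com-click.com.ph"}   # constructed local list

if __name__ == "__main__":
    for visible, final, hit in flag_redirects(SAMPLE_BODY, LOCAL_BLOCKLIST):
        print(f"{visible} -> {final} listed={hit}")
```

Scoring on the final host keeps mail that passes through the same redirector to an unlisted destination from being caught by a rule written for the redirector's hostname.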



Re: [Declude.JunkMail] Non-English Emails.

2003-11-12 Thread R. Scott Perry

> I have attached 2 emails that are not English in the subject line and
> still did not fail the Non-English test. I am seeing that the subject is
> encoded in the headers however.

Actually:

Subject: O?eoa Aiaeeeneee o Ian 995-8241 a Iineaa
Subject: AECIAN ­ EO?N II YOOAEOEAIIE ?AAIOA IOENA
Those headers aren't encoded (either that, or they were encoded, and your 
mail client is displaying the decoded version).  Although they look like 
they are encoded, they aren't.

   -Scott


Re: [Declude.JunkMail] Junkmail Tests and Configs

2003-11-12 Thread Nick Hayer
Jonathan,

Here is my setup - hopefully it will help. Anyone feel free to tell 
me what I have messed up...

-Nick


#GLOBAL.CFG edited
#
#SETTINGS

CONSOLE             ON
HOP                 0
#HOPHIGH            1
IPBYPASS            127.0.0.1
LOOSENSPAMHEADERS   OFF
LOGFILE             spool\dec.log
LOGLEVEL            MID
PREWHITELIST        ON
WHITELIST           AUTH
XSENDER             ON
XSPOOLNAME          ON

#HEADERS

XINHEADER   X-Country-Chain: %COUNTRYCHAIN%
XINHEADER   X-Note: Total spam weight of this E-mail is %WEIGHT%. 
XINHEADER   X-Note: Spam tests: %TESTSFAILED%. 
XINHEADER   X-Note: Reverse DNS: %REVDNS%.
XINHEADER   X-Note: Header code: %HEADERCODE%
XINHEADER   X-Note: Queue name: %QUEUENAME%
XOUTHEADER  X-Note: Total spam weight of this e-mail is %WEIGHT%.
XOUTHEADER  X-Note: Reverse DNS %REVDNS% .

#FROMFILE
##
BADSENDERS            fromfile  e:\IMail\Declude\badaddresses.txt  x  5  0
KillListGen           fromfile  e:\IMail\Declude\Destination.txt  x  10  0

#IPFILE
##
ipblacklist           ipfile    e:\IMail\Declude\filters\ipfile.txt  x  5  0

#FILTERS
##
ADULTPHRASE           filter    e:\IMail\Declude\filters\adultphrase.txt  x  3  0
ANTI-GIBBERISHSUB     filter    e:\IMail\Declude\filters\Anti-GibberishSub.txt  x  -4  0
ANTI-Y!DIRECTED       filter    e:\IMail\Declude\filters\Anti-Y!Directed.txt  x  -11  0
BODYCURSE             filter    e:\IMail\Declude\filters\bodycurse.txt  x  3  0
BODYSEX               filter    e:\IMail\Declude\filters\bodysex.txt  x  3  0
COUNTRY               filter    e:\imail\declude\filters\country.txt  x  6  0
DBL                   filter    e:\IMail\Declude\filters\dbl.txt  x  0  0
DNS_TESTS             filter    e:\IMail\Declude\filters\dns_tests.txt  x  0  0
DYNAMIC               filter    e:\IMail\Declude\filters\Dynamic.txt  x  3  0
FOREIGN               filter    e:\IMail\Declude\Filters\Foreign.txt  x  3  0
GIBBERISH             filter    e:\IMail\Declude\filters\Gibberish.txt  x  4  0
GIBBERISHSUB          filter    e:\IMail\Declude\filters\GibberishSub.txt  x  4  0
GMA_SENT              filter    e:\imail\declude\filters\gma.txt  x  0  0
MALICIOUS             filter    e:\IMail\Declude\filters\viri.txt  x  6  0
OBFUSCATION           filter    e:\IMail\Declude\filters\Obfuscation.txt  x  7  0
REVDNSCK              filter    e:\IMail\Declude\filters\revdns.txt  x  0  0
SUBJCURSE             filter    e:\IMail\Declude\filters\subjcurse.txt  x  3  0
SUBJSEX               filter    e:\IMail\Declude\filters\subjsex.txt  x  3  0
TLD-AFRICAN           filter    e:\IMail\Declude\Filters\TLD-African.txt  x  3  0
TLD-ASIAN             filter    e:\IMail\Declude\Filters\TLD-Asian.txt  x  3  0
TLD-CARIBBEAN         filter    e:\IMail\Declude\Filters\TLD-Caribbean.txt  x  3  0
TLD-CENTRALAMERICAN   filter    e:\IMail\Declude\Filters\TLD-CentralAmerican.txt  x  3  0
TLD-EASTERNEUROPEAN   filter    e:\IMail\Declude\Filters\TLD-EasternEuropean.txt  x  3  0
TLD-MIDDLEEASTERN     filter    e:\IMail\Declude\Filters\TLD-MiddleEastern.txt  x  3  0
TLD-OCEANIC           filter    e:\IMail\Declude\Filters\TLD-Oceanic.txt  x  3  0
TLD-SOUTHAMERICAN     filter    e:\IMail\Declude\Filters\TLD-SouthAmerican.txt  x  3  0
TLD-WESTERNEUROPEAN   filter    e:\IMail\Declude\Filters\TLD-WesternEuropean.txt  x  3  0
TLD-TRUSTED-HELO      filter    e:\IMail\Declude\Filters\TLD-Trusted-HELO.txt  x  0  0
TLD-TRUSTED-MAILFROM  filter    e:\IMail\Declude\Filters\TLD-Trusted-MAILFROM.txt  x  0  0
TLD-TRUSTED-REVDNS    filter    e:\IMail\Declude\Filters\TLD-Trusted-REVDNS.txt  x  0  0
VIRUSBLK              filter    e:\IMail\Declude\filters\virusblk.txt  x  50  0
WORDFILTER  filter  

RE: Re[2]: [Declude.JunkMail] Originating IP -I'm confused, please don't flame me...

2003-11-12 Thread Marc Catuogno
Of course I know that you're right.  I will do an express install
somewhere, but I doubt I'd be able to simulate the load and the
processes.  I am backing up my IMAIL reg and all the user mailboxes.
Where my mail is hosted I am due for an upgrade of the server, I may
install 7.15 on the new server, move everything over, upgrade the new box
to 8.04 and keep the old one at 7.15 for as long as the hosting company
will let me.

Please excuse my ignorance again, but since I have updated my Declude to
include the EASYNET-DYNA test someone who is sending from an optimum
online account is getting caught by this test.  Are all of optonline's
servers listed by this test?  Or is something else going on with this
guy's optonline? Maybe I'm just tired...


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sanford
Whiteman
Sent: Wednesday, November 12, 2003 2:18 AM
To: Marc Catuogno
Subject: Re[2]: [Declude.JunkMail] Originating IP -I'm confused, please
don't flame me...

> I just assumed that when mail came from my server...

From your server = originating IP is your server's IP. This is not
the case when sending from any MUA other than an app running on the
server itself!

You've def'ly been confused about the connecting IP of mail from your
local users, from spammers, from legit remote users...in all cases,
the IP is the IP that connects to your server to send mail, pure and
simple. There's no translation of the IP for anyone.

> I wonder if I had them authenticate at a different SMTP or did a
> store and forward server and having that IP whitelisted, if that
> would assuage this issue.

Well, that's one way to do it, if you don't mind disparate userbases,
unnecessary dedicated servers, et al.

> IMAIL 8 scares me. 80% of my users use the web interface exclusively
> and the reported slowness will get me tarred and feathered...

Why don't you try with IMail Express and see what you think first? You
seem a prime candidate for WHITELIST AUTH, and it's painful to know
you're jumping through hoops to avoid that straightforward solution.

-Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]




RE: [Declude.JunkMail] Declude Updater

2003-11-12 Thread Burzin Sumariwalla
Hi Markus,

Declude.ini reads...

[system]
url=http://www.declude.com/version.txt
imailpath=c:\imail\
[EMAIL PROTECTED]
userelease=-1
To test the functionality, I copied a version 165 of declude into the 
c:\imail directory,
and deleted the release/175 folder.  I then ran DU manually and received 
notification of the
download.  I noted that the release/175 folder was recreated.  However, the 
declude 165 version
was still present under c:\imail.  Declude -diag confirmed this.  I even 
tried stopping SMTPd32, but this
didn't correct anything either.

Up until now I've been running DU via script once a month.

My DecludeUpdater folder currently has 2 subfolders under release (165 and 
175) and 6 under beta (165, 167-170, 175-176).
Does a beta/175 prevent release 175 from being copied to the imailpath?

Thanks for replying.  Get back to me whenever it's convenient.

B

At 05:28 PM 11/11/2003, you wrote:

>> I've uninstalled and reinstalled the updater.  It updates the files in
>> c:\program files\decludeupdater, but it does not update the
>> Declude.exe file under c:\imail.  Any ideas?
> What is in the declude.ini file in the updater program directory?
> Haven't heard about such a problem since the updater is available.
> Keep in mind that it will download and replace the declude.exe file only
> if it was not already downloaded.
>
> For example if you have already downloaded ver 1.75beta then this file
> will be saved under /beta/175/declude.exe If this file is already there
> then it will not be downloaded and replaced in the Imail folder.
>
> To redownload the file simply delete the /beta/175 folder and run the
> updater manually.

Markus

PS: I'm out of office for the next 24 hours.




Re: [Declude.JunkMail] Originating IP -I'm confused, please don't flame me...

2003-11-12 Thread Matthew Bramble
Marc Catuogno wrote:

> Please excuse my ignorance again, but since I have updated my Declude to
> include the EASYNET-DYNA test someone who is sending from an optimum
> online account is getting caught by this test.  Are all of optonline's
> servers listed by this test?  Or is something else going on with this
> guy's optonline? Maybe I'm just tired...
 

That would be quite hard to figure out, but it is likely that if they 
have one block, they have many listed.  Again, you can counterbalance 
for that reverse DNS setting or all the local blocks of IP's, even up to 
the B level if it makes it easier to do.  DUL lists shouldn't be scored 
very high anyway because FP's are common enough and if you aren't 
whitelisting AUTH, it will definitely pick up some stuff.  It's 
important to understand which tests have a high likelihood of 
interacting with others when you add them, such as DUL tests, 
foreign-type tests, bulk mail tests, etc.  It's a balancing act where 
too few of one type can let too much in and too many of one type can 
create those FP's.  Scoring of course should be considered as a 
component of all related tests.  At least that's the way I look at it.  
Maybe you should be trimming back on the EASYNET-DYNA and forged from 
address scores.  I might get some of this stuff to 70% of my fail weight 
with those tests, but it's still passing through and it's helpful with 
blocking.  Your userbase might of course be more challenging in other 
respects as well.

Matt



Re: [Declude.JunkMail] Junkmail Tests and Configs

2003-11-12 Thread Matthew Bramble
Nick,

I noticed that you are using the blackholes and a country filter.  FYI, 
this will be almost all caught by the FOREIGN test so keep in mind that 
you will be adding even more points by using the three together and that 
could result in some false positives (i.e. Russian originators will get 
9 points instead of just three by failing three tests).

I personally fail on 10, and my scoring is going to be a lot different 
from yours.  I'm attaching the non-custom part of my config below.  This 
config together with my filters (which the best ones are configured on 
your system) some header stuff from Kami and Message Sniffer are 
blocking minimally 98% on my system with hardly any issues with FP's.  
It seems that you might be mostly failing on a score of 15, in which 
case, you might want to adjust the scores of my filters up by 50% (which 
requires some adjustments inside of the files as well).  One of the 
issues might be the wide range of scores that you fail on.  My system 
will only block about 92% if I failed at a score of 20, so I have only 
three levels set at 10, 13 and 16, and try to keep my scoring tight 
enough so that all FP's will come in below 20.  Getting tighter here 
might be beneficial, however you would really have to readjust a lot of 
things to make that work, though not by much from appearances.  I would 
also recommend moving your whitelist into a filter file and only 
subtracting 10 or less points because spammers will fake reverse DNS 
settings and you have some domains that are likely to be targeted 
there.  That way, something that is spam should still fail, but it will 
protect from FP's on several of the RBL's.  Here's my config:

LOGLEVEL             LOW
HOP                  0
CONSOLE              OFF
LOOSENSPAMHEADERS    ON
DSBL                 ip4r   list.dsbl.org                  *           7  0
ORDB                 ip4r   relays.ordb.org                *           7  0
SPAMCOP              ip4r   bl.spamcop.net                 127.0.0.2   9  0
EASYNET-DYNA         ip4r   dynablock.easynet.nl           127.0.0.2   4  0
EASYNET-DNSBL        ip4r   blackholes.easynet.nl          127.0.0.2   5  0
EASYNET-PROXIES      ip4r   proxies.blackholes.easynet.nl  127.0.0.2   7  0
FIVETEN-SPAM         ip4r   blackholes.five-ten-sg.com     127.0.0.2   4  0
FIVETEN-BULK         ip4r   blackholes.five-ten-sg.com     127.0.0.4   4  0
FIVETEN-MULTISTAGE   ip4r   blackholes.five-ten-sg.com     127.0.0.5   5  0
FIVETEN-SPAMSUPPORT  ip4r   blackholes.five-ten-sg.com     127.0.0.7   4  0
FIVETEN-MISC         ip4r   blackholes.five-ten-sg.com     127.0.0.9   7  0
BLITZEDALL           ip4r   opm.blitzed.org                *           7  0
SBL                  ip4r   sbl.spamhaus.org               127.0.0.2   500
CBL                  ip4r   cbl.abuseat.org                127.0.0.2   8  0
SBBL                 ip4r   sbbl.they.com                  *           4  0

SORBS-DUL            ip4r   dnsbl.sorbs.net                127.0.0.10  6  0
SORBS-HTTP           ip4r   dnsbl.sorbs.net                127.0.0.2   6  0
SORBS-MISC           ip4r   dnsbl.sorbs.net                127.0.0.4   6  0
SORBS-SOCKS          ip4r   dnsbl.sorbs.net                127.0.0.3   6  0
SORBS-SPAM           ip4r   dnsbl.sorbs.net                127.0.0.6   5  0
MAILPOLICE-BULK      rhsbl  bulk.rhs.mailpolice.com        127.0.0.2   9  0
MAILPOLICE-PORN      rhsbl  porn.rhs.mailpolice.com        127.0.0.2   9  0
DSN                  rhsbl  dsn.rfc-ignorant.org           127.0.0.2   1  0
NOABUSE              rhsbl  abuse.rfc-ignorant.org         127.0.0.4   1  0
NOPOSTMASTER         rhsbl  postmaster.rfc-ignorant.org    127.0.0.3   1  0

BONDEDSENDER         ip4r   query.bondedsender.org         127.0.0.10  -500

BADHEADERS           badheaders      x   x  5  0
HELOBOGUS            helovalid       x   x  4  0
MAILFROM             envfrom         x   x  7  0
IPNOTINMX            ipnotinmx       x   x  0  -2
PERCENT              percent         x   x  2  0
#REVDNS              revdnsexists    x   x  0  0
ROUTING              spamrouting     x   x  7  0
SPAMHEADERS          spamheaders     x   x  5  0
NOLEGITCONTENT       nolegitcontent  x   x  0  -1
BASE64               base64          x   x  3  0
COMMMENTS            comments        5   x  7  0
NONENGLISH           nonenglish      x   x  2  0
BCC-3                bcc             3   x  1  0
BCC-5                bcc             5   x  1  0
SUBSPACE-15          subjectspaces   15  x  1  0
SUBSPACE-25          subjectspaces   25  x  2  0
SUBSPACE-40          subjectspaces   40  x  3  0
Matt





Nick Hayer wrote:

Jonathan,

Here is my setup - hopefully it will help. Anyone feel free to tell 
me what I have messed up...

		-Nick

#GLOBAL.CFG edited
#
#SETTINGS

CONSOLE			ON
HOP			0
#HOPHIGH		1
IPBYPASS		127.0.0.1
LOOSENSPAMHEADERS	OFF
LOGFILE			spool\dec.log
LOGLEVEL		MID
PREWHITELIST		ON
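
An added example, not part of Matt's messages and not Declude code: a small model of the scoring points made in his two replies above (related tests stacking on a single fact, DUL hits on authenticated users, and a whitelist expressed as a score credit instead of a bypass). Test names, families and weights are constructed; `skip_tests` is an assumption that stands in for any whitelisting that bypasses scoring.

```python
from collections import defaultdict

FAIL_WEIGHT = 10        # the fail threshold used as an example in the thread
STACK_PERCENT = 70      # flag a family that alone exceeds 70% of the threshold

# Constructed sample: (test name, evidence family, weight added on failure).
# A "family" groups tests that fire on the same underlying fact.
TESTS = [
    ("COUNTRY-RBL", "origin-country", 3),
    ("COUNTRY",     "origin-country", 3),
    ("FOREIGN",     "origin-country", 3),
    ("DUL-A",       "dynamic-ip",     4),
    ("DUL-B",       "dynamic-ip",     6),
    ("BADHEADERS",  "headers",        5),
    ("BASE64",      "body",           3),
]


def stacked_weights(tests):
    """Worst-case weight each family contributes if all its tests fire."""
    totals = defaultdict(int)
    for _name, family, weight in tests:
        if weight > 0:
            totals[family] += weight
    return dict(totals)


def overweight_families(tests, fail_weight=FAIL_WEIGHT, percent=STACK_PERCENT):
    """Families whose tests, firing together, exceed `percent` of the
    fail weight without any other evidence."""
    return sorted(family for family, total in stacked_weights(tests).items()
                  if total * 100 > fail_weight * percent)


def score(failed, tests, skip_tests=False, credit=0):
    """Total weight for a message that failed the named tests.

    skip_tests: the message is whitelisted outright, so nothing is scored.
    credit:     points subtracted instead of bypassing the tests.
    """
    if skip_tests:
        return 0
    weights = {name: weight for name, _family, weight in tests}
    return sum(weights[name] for name in failed) - credit


def verdict(total, fail_weight=FAIL_WEIGHT):
    return "fail" if total >= fail_weight else "pass"


def scenarios(tests=TESTS):
    """Verdicts for four constructed messages."""
    dul_only = ["DUL-A", "DUL-B"]                       # own user, dynamic IP
    spam = ["DUL-A", "DUL-B", "BADHEADERS", "FOREIGN", "COUNTRY"]
    return {
        "authenticated user, no whitelisting":
            verdict(score(dul_only, tests)),
        "authenticated user, tests skipped":
            verdict(score(dul_only, tests, skip_tests=True)),
        "spam faking a trusted name, credit of 10":
            verdict(score(spam, tests, credit=10)),
        "legitimate sender on one list, credit of 10":
            verdict(score(["DUL-B"], tests, credit=10)),
    }


if __name__ == "__main__":
    print("families to rebalance:", overweight_families(TESTS))
    for label, result in scenarios().items():
        print(f"{result:4}  {label}")
```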

Re: [Declude.JunkMail] URL Redirectors

2003-11-12 Thread Matthew Bramble
George,

Spammers will use a variety of Yahoo sub-domains, most of which are 
valid.  I'm not familiar with that one in particular, but it might help 
to search Google for examples of that showing up (that's how I do some 
of my research).

   
http://www.google.com/search?hl=enlr=ie=UTF-8client=googletq=%22drs.yahoo.%2Bcom%22

Blocking that one address though would only be a fraction of the spam 
that actually uses Yahoo's redirection though.  Yahoo does use it 
themselves of course, and they also have it configured for links in 
messages sent by third parties, such as Classmates for instance.

Matt



George Kulman wrote:

Hi all,

I have an IMail client who doesn't have budget funds available for Declude
where these are easily filterable.  A fair amount of their spam contains a
URL redirection such as:
http://drs.yahoo.com/effloresce/*http://click.com-click.com.ph/click.php?id=
leneyeiID=40gi=hallmark
1.  Is anyone aware of a dnsbl that deals with spamming URL redirectors?
2.  Is anyone aware of legitimate email using this type of URL?
3.  Is the drs.yahoo.com ever used for legitimate email?
TIA,

George
 





[Declude.JunkMail] global.cfg outgoing

2003-11-12 Thread Danny Klopfer
How does declude know at what point in the global.cfg is for checking
outgoing mail only?




[Declude.JunkMail] Spammer wanting servers?

2003-11-12 Thread Jeff Kratka
I received this over the weekend and thought others may be interested. This
guy wants to get servers so he can spam.. Below are the headers and the
message.

Jeff Kratka
*
TymeWyse Internet
P.O.Box 84 - 110 Ecklund St., Canyonville, OR 97417
tel/fax: (541) 839-6027  -  [EMAIL PROTECTED]
*

Received: from blackadder.aqhostdns.com [63.247.129.138] by
mail.tymewyse.com with ESMTP
  (SMTPD32-6.06) id AF471FB6010E; Sun, 09 Nov 2003 22:25:11 -0800
Received: from jimer013 by blackadder.aqhostdns.com with local (Exim 4.24)
id 1AJ5Rb-qo-A9
for [EMAIL PROTECTED]; Mon, 10 Nov 2003 01:22:35 -0500
To: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
Subject: Dedicated Servers Needed
Message-Id: [EMAIL PROTECTED]
Date: Mon, 10 Nov 2003 01:22:35 -0500
X-AntiAbuse: This header was added to track abuse, please include it with
any abuse report
X-AntiAbuse: Primary Hostname - blackadder.aqhostdns.com
X-AntiAbuse: Original Domain - tymewyse.com
X-AntiAbuse: Originator/Caller UID/GID - [32157 32157] / [47 12]
X-AntiAbuse: Sender Address Domain - blackadder.aqhostdns.com
X-RBL-Warning: SPAMCHK: Message failed SPAMCHK: 15.
X-RBL-Warning: This E-mail failed the following tests: IPNOTINMX,
NOLEGITCONTENT, SPAMCHK, WEIGHT15.
X-Declude-Sender: [EMAIL PROTECTED] [63.247.129.138]
X-Note: This E-mail was scanned for spam by TymeWyse Internet.
X-Note: This E-mail was scanned for viruses by TymeWyse Internet.
X-Note: This E-mail failed the following tests: IPNOTINMX, NOLEGITCONTENT,
SPAMCHK, WEIGHT15.

Hello,

I need 2 dedicated windows 2000 servers with at least 2,000 ip addresses.
These servers will be used to run my email campaign and send bulk email in
direct mode with my own optin mailing software. If you are in a position,
and have a dedicated network setup to deal with the complaints generated
from my email advertising I would be willing to pay $2,000 a month for the 2
servers. I need a reliable provider to set me up immediately. If you can
offer me such service please call me at: 1617-901-4129, Leave me a message
and I will get back to you right away. Please dont reply back to this email,
only call me.

Thanks
Bob




Re: [Declude.JunkMail] global.cfg outgoing

2003-11-12 Thread R. Scott Perry

> How does declude know at what point in the global.cfg is for checking
> outgoing mail only?

When Declude JunkMail goes through the global.cfg file, it first looks for 
any commands (such as CODE or XINHEADER).

If it sees a line that it does not recognize, it assumes that it is a test 
definition (with the first word on the line being the test name).  Any 
subsequent lines beginning with the name of the test will be used for 
determining the action to take on outgoing mail.

   -Scott
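
An added example, not Declude's code and not part of Scott's reply: a sketch of the line classification he describes, with a lint for its two side effects (a misspelled command is silently read as a test definition, and a repeated test definition is read as an outgoing action). Assumptions: the command set holds only names that appear in this thread, names are matched case-insensitively, a test definition has six fields as in the configs posted here, and the sample file with its `WARN` action line is constructed.

```python
# Directive names seen in this thread only; the real command list is longer.
KNOWN_COMMANDS = {
    "CODE", "CONSOLE", "HOP", "HOPHIGH", "IPBYPASS", "LOGFILE", "LOGLEVEL",
    "LOOSENSPAMHEADERS", "PREWHITELIST", "WHITELIST", "XINHEADER",
    "XOUTHEADER", "XSENDER", "XSPOOLNAME",
}
# name, type, two parameters, two weights: the shape of the test lines
# posted in this thread (assumption, used only by the lint below).
TEST_FIELD_COUNT = 6


def classify_config(text):
    """Split a global.cfg-style file into commands, test definitions and
    outgoing-action lines, following the order of checks described above."""
    commands, tests, outgoing = [], {}, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                  # blank or comment
        parts = line.split(None, 1)
        name = parts[0].upper()                       # case-insensitive (assumption)
        rest = parts[1].strip() if len(parts) > 1 else ""
        if name in KNOWN_COMMANDS:
            commands.append((lineno, name, rest))
        elif name in tests:
            # Test name already defined: this line is an outgoing action.
            outgoing.setdefault(name, []).append((lineno, rest))
        else:
            # Unrecognized first word: treated as a new test definition.
            tests[name] = (lineno, rest.split())
    return commands, tests, outgoing


def lint(text):
    """Warn about lines whose classification is probably not what the
    administrator intended."""
    _commands, tests, outgoing = classify_config(text)
    warnings = []
    for name, (lineno, fields) in tests.items():
        if len(fields) + 1 != TEST_FIELD_COUNT:
            warnings.append(
                f"line {lineno}: '{name}' is not a known command and was "
                f"read as a test definition; misspelled command?")
    for name, lines in outgoing.items():
        for lineno, rest in lines:
            if len(rest.split()) + 1 == TEST_FIELD_COUNT:
                warnings.append(
                    f"line {lineno}: second definition of '{name}' is read "
                    f"as an outgoing action, not as a test")
    return warnings


# Constructed sample file; weights and the WARN line are illustrative.
SAMPLE = """\
#SETTINGS
LOGLEVEL    MID
WHITELST    AUTH
XINHEADER   X-Note: Total spam weight of this E-mail is %WEIGHT%.
SPAMCOP     ip4r   bl.spamcop.net   127.0.0.2   9   0
DSBL        ip4r   list.dsbl.org    *           7   0
SPAMCOP     WARN
DSBL        ip4r   list.dsbl.org    *           5   0
"""

if __name__ == "__main__":
    for warning in lint(SAMPLE):
        print(warning)
```

In the sample, the mistyped `WHITELST AUTH` never enables whitelisting of authenticated senders, which is the kind of silent failure the lint is meant to surface.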


RE: [Declude.JunkMail] URL Redirectors

2003-11-12 Thread George Kulman
Matt,

Thanks for the info.  It's still difficult for me to imagine a legitimate
user having a redirected web site being pointed to as their web site in an
email.

More research I guess.

George

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Matthew Bramble
 Sent: Wednesday, November 12, 2003 2:37 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.JunkMail] URL Redirectors
 
 
 George,
 
 Spammers will use a variety of Yahoo sub-domains, most of which are 
 valid.  I'm not familiar with that one in particular, but it 
 might help 
 to search Google for examples of that showing up (that's how 
 I do some 
 of my research).
 
 
http://www.google.com/search?hl=enlr=ie=UTF-8client=googletq=%22drs.yahoo.%2Bcom%22

Blocking that one address though would only be a fraction of the spam 
that actually uses Yahoo's redirection though.  Yahoo does use it 
themselves of course, and they also have it configured for links in 
messages sent by third parties, such as Classmates for instance.

Matt



George Kulman wrote:

Hi all,

I have an IMail client who doesn't have budget funds available for Declude
where these are easily filterable.  A fair amount of their spam contains a
URL redirection such as:

http://drs.yahoo.com/effloresce/*http://click.com-click.com.ph/click.php?id
=
leneyeiID=40gi=hallmark

1. Is anyone aware of a dnsbl that deals with spamming URL redirectors?
2. Is anyone aware of legitimate email using this type of URL?
3. Is the drs.yahoo.com ever used for legitimate email?

TIA,

George
  





Re: [Declude.JunkMail] Junkmail Tests and Configs

2003-11-12 Thread Nick Hayer
Matt - 

Thank you much for your suggestions. I did not realize about the 
compounded scoring w/the blackholes & country test - fixed!

I wasn't using the FiveTen tests because I thought I read in this 
list they were not that reliable - I've added them & will monitor.

I was using the in.dnsbl.org tests, you had them omitted - as well as 
spamdomains. Any particular reason?
 
Also added the BCC test - missed that one -

Your filters have been very effective not only in catching spam but 
getting me to make my own as well eg: got my thought process going - 

Thanks again! 

-Nick

Date sent:  Wed, 12 Nov 2003 14:23:33 -0500
From:   Matthew Bramble [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject:Re: [Declude.JunkMail] Junkmail Tests and Configs
Send reply to:  [EMAIL PROTECTED]

 Nick,
 
 I noticed that you are using the blackholes and a country filter. 
 FYI, this will be almost all caught by the FOREIGN test so keep in
 mind that you will be adding even more points by using the three
 together and that could result in some false positives (i.e. Russian
 originators will get 9 points instead of just three by failing three
 tests).
 
 I personally fail on 10, and my scoring is going to be a lot different
 from yours.  I'm attaching the non-custom part of my config below. 
 This config together with my filters (which the best ones are
 configured on your system) some header stuff from Kami and Message
 Sniffer are blocking minimally 98% on my system with hardly any issues
 with FP's.  It seems that you might be mostly failing on a score of 15,
 in which case, you might want to adjust the scores of my filters up by
 50% (which requires some adjustments inside of the files as well). 
 One of the issues might be the wide range of scores that you fail on. 
 My system will only block about 92% if I failed at a score of 20, so I
 have only three levels set at 10, 13 and 16, and try to keep my
 scoring tight enough so that all FP's will come in below 20.  Getting
 tighter here might be beneficial, however you would really have to
 readjust a lot of things to make that work, though not by much from
 appearances.  I would also recommend moving your whitelist into a
 filter file and only subtracting 10 or less points because spammers
 will fake reverse DNS settings and you have some domains that are
 likely to be targeted there.  That way, something that is spam should
 still fail, but it will protect from FP's on several of the RBL's. 
 Here's my config:
 
 LOGLEVELLOW
 HOP0
 CONSOLEOFF
 LOOSENSPAMHEADERSON
 
 DSBLip4rlist.dsbl.org*70
 ORDBip4rrelays.ordb.org*70
 SPAMCOPip4rbl.spamcop.net127.0.0.29   
 0 EASYNET-DYNAip4rdynablock.easynet.nl127.0.0.2   
 40 EASYNET-DNSBLip4rblackholes.easynet.nl   
 127.0.0.2 50 EASYNET-PROXIESip4r   
 proxies.blackholes.easynet.nl127.0.0.2 70 FIVETEN-SPAM
ip4rblackholes.five-ten-sg.com127.0.0.240
 FIVETEN-BULKip4rblackholes.five-ten-sg.com127.0.0.4   
 40 FIVETEN-MULTISTAGEip4rblackholes.five-ten-sg.com   
 127.0.0.550 FIVETEN-SPAMSUPPORTip4r   
 blackholes.five-ten-sg.com127.0.0.740 FIVETEN-MISC   
 ip4rblackholes.five-ten-sg.com127.0.0.970 BLITZEDALL  
  ip4ropm.blitzed.org*70 SBL   
 ip4rsbl.spamhaus.org127.0.0.2500 CBL   
 ip4rcbl.abuseat.org127.0.0.280 SBBL   
 ip4rsbbl.they.com*40
 
 SORBS-DULip4rdnsbl.sorbs.net127.0.0.106   
 0 SORBS-HTTPip4rdnsbl.sorbs.net127.0.0.26 
   0 SORBS-MISCip4rdnsbl.sorbs.net127.0.0.4   
 60 SORBS-SOCKSip4rdnsbl.sorbs.net127.0.0.3
60 SORBS-SPAMip4rdnsbl.sorbs.net   
 127.0.0.650
 
 MAILPOLICE-BULKrhsblbulk.rhs.mailpolice.com
 127.0.0.290
 MAILPOLICE-PORNrhsblporn.rhs.mailpolice.com
 127.0.0.290
 DSNrhsbldsn.rfc-ignorant.org127.0.0.21   
 0 NOABUSErhsblabuse.rfc-ignorant.org127.0.0.4 
   10 NOPOSTMASTERrhsblpostmaster.rfc-ignorant.org   
 127.0.0.310
 
 BONDEDSENDERip4rquery.bondedsender.org127.0.0.10  
  -500
 
 BADHEADERSbadheadersxx50
 HELOBOGUShelovalidxx40
 MAILFROMenvfromxx70
 IPNOTINMXipnotinmxxx0-2
 PERCENTpercentxx20
 #REVDNSrevdnsexistsxx00
 ROUTINGspamroutingx 

RE: [Declude.JunkMail] Spammer wanting servers?

2003-11-12 Thread Danny Klopfer
I received the same exact message too.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Jeff Kratka
Sent: Wednesday, November 12, 2003 12:56 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Spammer wanting servers?


I received this over the weekend and thought others may be interested. This
guy wants to get servers so he can spam.. Below is the headers and the
message.

Jeff Kratka
*
TymeWyse Internet
P.O.Box 84 - 110 Ecklund St., Canyonville, OR 97417
tel/fax: (541) 839-6027  -  [EMAIL PROTECTED]
*



[Declude.JunkMail] ldeliver interpretation

2003-11-12 Thread Katie La Salle-Lowery

If, when I run find "ldeliver" sys.txt /c, I get 20,699 is that the
number of messages that Imail is receiving before Declude Junkmail Pro
scans our incoming mail or after?

Thanks, 
Katie



Re: [Declude.JunkMail] ldeliver interpretation

2003-11-12 Thread R. Scott Perry

If, when I run find "ldeliver" sys.txt /c, I get 20,699 is that the
number of messages that Imail is receiving before Declude Junkmail Pro
scans our incoming mail or after?

After.

So if Declude JunkMail deletes/quarantines any E-mail, it will not be 
included in the count.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.



RE: [Declude.JunkMail] Spammer wanting servers?

2003-11-12 Thread John Tolmachoff (Lists)
Number is a Sprint PCS cell phone in Boston.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of Jeff Kratka
 Sent: Wednesday, November 12, 2003 12:56 PM
 To: [EMAIL PROTECTED]
 Subject: [Declude.JunkMail] Spammer wanting servers?
 
 I received this over the weekend and thought others may be interested.
 This
 guy wants to get servers so he can spam.. Below is the headers and the
 message.
 
 Jeff Kratka
 *
 TymeWyse Internet
 P.O.Box 84 - 110 Ecklund St., Canyonville, OR 97417
 tel/fax: (541) 839-6027  -  [EMAIL PROTECTED]
 *
 
 Received: from blackadder.aqhostdns.com [63.247.129.138] by
 mail.tymewyse.com with ESMTP
   (SMTPD32-6.06) id AF471FB6010E; Sun, 09 Nov 2003 22:25:11 -0800
 Received: from jimer013 by blackadder.aqhostdns.com with local (Exim 4.24)
   id 1AJ5Rb-qo-A9
   for [EMAIL PROTECTED]; Mon, 10 Nov 2003 01:22:35 -0500
 To: [EMAIL PROTECTED]
 From: [EMAIL PROTECTED]
 Subject: Dedicated Servers Needed
 Message-Id: [EMAIL PROTECTED]
 Date: Mon, 10 Nov 2003 01:22:35 -0500
 X-AntiAbuse: This header was added to track abuse, please include it with
 any abuse report
 X-AntiAbuse: Primary Hostname - blackadder.aqhostdns.com
 X-AntiAbuse: Original Domain - tymewyse.com
 X-AntiAbuse: Originator/Caller UID/GID - [32157 32157] / [47 12]
 X-AntiAbuse: Sender Address Domain - blackadder.aqhostdns.com
 X-RBL-Warning: SPAMCHK: Message failed SPAMCHK: 15.
 X-RBL-Warning: This E-mail failed the following tests: IPNOTINMX,
 NOLEGITCONTENT, SPAMCHK, WEIGHT15.
 X-Declude-Sender: [EMAIL PROTECTED] [63.247.129.138]
 X-Note: This E-mail was scanned for spam by TymeWyse Internet.
 X-Note: This E-mail was scanned for viruses by TymeWyse Internet.
 X-Note: This E-mail failed the following tests: IPNOTINMX, NOLEGITCONTENT,
 SPAMCHK, WEIGHT15.
 
 Hello,
 
 I need 2 dedicated windows 2000 servers with at least 2,000 ip addresses.
 These servers will be used to run my email campaign and send bulk email in
 direct mode with my own optin mailing software. If you are in a position,
 and have a dedicated network setup to deal with the complaints generated
 from my email advertising I would be willing to pay $2,000 a month for the
 2
 servers. I need a reliable provider to set me up immediately. If you can
 offer me such service please call me at: 1617-901-4129, Leave me a message
 and I will get back to you right away. Please dont reply back to this
 email,
 only call me.
 
 Thanks
 Bob
 
 


Re: [Declude.JunkMail] URL Redirectors

2003-11-12 Thread Matthew Bramble




George,

I did build a test for this exact thing and shared it on my site
(called Y!DIRECTED), but I thought that you might have been more
interested in that URL in particular and replied accordingly. My
Y!DIRECTED filter will stop most of this stuff and it allows for places
like Yahoo and Yahoo's ads (and counterbalances for the chance that a
link might be forwarded or replied to and sent to a local user). It
only works with Declude Pro (like all other custom filters).

 MailPure :: Filter Software :: Declude Filters
 http://www.mailpure.com/software/decludefilters/

Matt



George Kulman wrote:

  Matt,

Thanks for the info.  It's still difficult for me to imagine a "legitimate"
user having a redirected web site being pointed to as "their web site" in an
email.

More research I guess.

George

  
  
-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] On Behalf Of 
Matthew Bramble
Sent: Wednesday, November 12, 2003 2:37 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] URL Redirectors


George,

Spammers will use a variety of Yahoo sub-domains, most of which are 
valid.  I'm not familiar with that one in particular, but it 
might help 
to search Google for examples of that showing up (that's how 
I do some 
of my research).



  
http://www.google.com/search?hl=enlr=ie=UTF-8client=googletq=%22drs.yahoo.%2Bcom%22

Blocking that one address though would only be a fraction of the spam 
that actually uses Yahoo's redirection though.  Yahoo does use it 
themselves of course, and they also have it configured for links in 
messages sent by third parties, such as Classmates for instance.

Matt



George Kulman wrote:

  
  
Hi all,

I have an IMail client who doesn't have budget funds available for Declude
where these are easily filterable.  A fair amount of their spam contains a
URL redirection such as:

http://drs.yahoo.com/effloresce/*http://click.com-click.com.ph/click.php?id=leneyeiID=40gi=hallmark

1.	Is anyone aware of a dnsbl that deals with spamming URL redirectors?
2.	Is anyone aware of legitimate email using this type of URL?
3.	Is the drs.yahoo.com ever used for legitimate email.

TIA,

George
 


  
  





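An added example, not part of the original posts and not the Y!DIRECTED filter itself: a Python sketch of the check the thread discusses, finding links where a Yahoo host wraps another URL after a `*` and flagging those whose embedded target is off an allowlist. The allowlist entries, the `other.yahoo.com` host and the sample body are assumptions constructed for the example.

```python
import re
from typing import List, NamedTuple, Optional
from urllib.parse import unquote, urlsplit

# Assumptions for this example (not taken from any real filter):
WRAPPER_DOMAINS = ("yahoo.com",)                   # redirector operator named in the thread
ALLOWED_TARGETS = ("yahoo.com", "classmates.com")  # hypothetical allowlist of targets

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
TARGET_RE = re.compile(r"\*(https?://.+)$", re.IGNORECASE)


class Finding(NamedTuple):
    wrapper_host: str
    target_host: str
    flagged: bool


def in_domain(host: Optional[str], domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it.

    Matching on a dot boundary keeps yahoo.com.example.net from passing as Yahoo.
    """
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def embedded_target(url: str) -> Optional[str]:
    """Return the URL carried after '*' in a redirector link, if any."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    rest = unquote(parts.path)  # also catches a percent-encoded '*http://'
    if parts.query:
        rest += "?" + parts.query
    match = TARGET_RE.search(rest)
    return match.group(1) if match else None


def scan(body: str) -> List[Finding]:
    """List every wrapped link in a message body, flagging unknown targets."""
    findings = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;:)>")  # drop sentence punctuation glued to the link
        try:
            wrapper = urlsplit(url).hostname
        except ValueError:
            continue
        if not any(in_domain(wrapper, d) for d in WRAPPER_DOMAINS):
            continue
        target = embedded_target(url)
        if target is None:
            continue
        try:
            target_host = urlsplit(target).hostname or ""
        except ValueError:
            target_host = ""  # unparseable target is treated as not allowed
        allowed = any(in_domain(target_host, d) for d in ALLOWED_TARGETS)
        findings.append(Finding(wrapper.lower(), target_host.lower(), not allowed))
    return findings


# Constructed sample body; the first link is the one quoted in the thread,
# cut at click.php. The other hosts are made up.
SAMPLE_BODY = """\
Offer: http://drs.yahoo.com/effloresce/*http://click.com-click.com.ph/click.php
Yahoo's own promo: http://other.yahoo.com/promo/*http://shopping.yahoo.com/deals.
Encoded form: http://drs.yahoo.com/x/%2Ahttp%3A%2F%2Fspam.example/landing
Plain link: http://www.example.org/page
Lookalike wrapper: http://yahoo.com.example.net/x/*http://example.net/
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_BODY):
        print(finding)
```

Matching any `yahoo.com` subdomain rather than `drs.yahoo.com` alone reflects the point made in the thread that blocking the one address covers only a fraction of the redirected spam.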


RE: [Declude.JunkMail] ldeliver interpretation

2003-11-12 Thread Katie La Salle-Lowery
Okay, so is there a way I can get a count before scanning by Declude?  I
want concrete data to take to a meeting where we will evaluate if a new
machine or upgrade is necessary.  CPU usage has been very high with smtp
and Declude being the biggest users.  The machine is 400mhz w/ 384mb
ram.  CPU average this afternoon has been 68% but hangs at 100% for long
periods at a time.  Ldeliver count for yesterday was 20,699 and rdeliver
was 3,725.

As always, I appreciate your help.

Thanks, 
Katie


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Wednesday, November 12, 2003 3:23 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] ldeliver interpretation



If, when I run find "ldeliver" sys.txt /c, I get 20,699 is that the

number of messages that Imail is receiving before Declude Junkmail Pro 
scans our incoming mail or after?

After.

So if Declude JunkMail deletes/quarantines any E-mail, it will not be 
included in the count.

-Scott


Re: [Declude.JunkMail] dns blacklist

2003-11-12 Thread Nick Hayer
Scott,

I have over 5000 ip's that I have blocked with IMail's ACL - now over 
time I am worried that some may need to be removed. Since I cannot 
think of a way to check them all at once I am considering a filter 
file with thousands of lines or is a dns blacklist the better choice? 
Or?

Thanks

-Nick Hayer



RE: [Declude.JunkMail] Spammer wanting servers?

2003-11-12 Thread R. Scott Perry

 offer me such service please call me at: 1617-901-4129, Leave me a message

Number is a Sprint PCS cell phone in Boston.
... or an AT&T wireless phone in Boston, per 
http://www.dnsstuff.com/tools/dophone.ch?name=1617-901-4129 .

   -Scott


[Declude.JunkMail] OT: OE contacts to Outlook

2003-11-12 Thread Todd Holt









Does anyone have a process to move Outlook Express 6.0 contacts and
messages to Outlook 2000?

Todd Holt 
Xidix Technologies, Inc 
Las Vegas, NV USA 
www.xidix.com 
702.319.4349 










Re: [Declude.JunkMail] Junkmail Tests and Configs

2003-11-12 Thread Matthew Bramble




Resending because I think the first one got munged.

Matt

 Original Message 
Subject: Re: [Declude.JunkMail] Junkmail Tests and Configs
Date: Wed, 12 Nov 2003 17:10:05 -0500
From: Matthew Bramble [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
References: [EMAIL PROTECTED] [EMAIL PROTECTED]

  





Nick,

Some of the FIVETEN tests are overzealous in catching newsletters and
other legit membership stuff, but at the same time, they fill in some
holes that other RBL's don't cover. So I've added them, but score them
low, especially since they tend to FP along with some other things
which are prone like MAILPOLICE-BULK (which would still fail my
system). I also have some counterbalances in filters for stuff that I
consider legit but tends to score high or get blocked. Some admins
don't like this stuff getting through, in which case FIVETEN is less
problematic, though FIVETEN is tagging Yahoo and will list some ISP
mailservers, though the latter tends not to not have many problems
elsewhere in my config.

Those additional DNSBL tests look promising so I will give them a try.

With the BCC tests as I have them configured, hardly does a thing on my
system, though it can help with some dictionary type BCC senders. You
could also add in a test for just one BCC, but I wouldn't score that
higher than 1 since it will catch a lot of legit stuff...but it might
help more than it hurts. Take a closer look at how I score the
SUBJECTSPACES test also, that was tried as a result of something I saw
here, and it works more effectively IMO if you step it instead of just
as a single test. Other similar tests like COMMENTS though is probably
better left as a single test because if someone does improperly use
such a thing, it is likely to appear any range of times. Scott said
setting it at 5 hits works for him and I concur.

I left out my filters which is where SPAMDOMAINS is. I do use
SPAMDOMAINS and have it scored currently at 5, but I am also using it
like so:

 @aol.com  aol.com

That helps with false positives from VERP, but it limits it to just one
REVDNS check. I'm still in the process of building my list and will
share it at least privately when it is more complete.

I did also notice some of your own custom filters. Please share if you
have any good tricks up your sleeve :)

Matt




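An added example, not taken from anyone's configuration in this thread: a Python sketch of weighted scoring that shows the two effects discussed here, three overlapping origin tests adding 9 points instead of 3, and a whitelist used as a 10-point counterweight rather than an absolute bypass. The hold levels 10, 13 and 16 come from the thread; the test names other than FOREIGN, the remaining weights, the sample messages and the rebalancing step are constructed assumptions.

```python
from typing import Dict, Iterable, Optional, Sequence

HOLD_TIERS = (16, 13, 10)      # hold levels quoted in the thread; mail fails at 10
FAIL_AT = min(HOLD_TIERS)
WHITELIST = "WHITELIST-REVDNS"  # hypothetical name for a reverse-DNS whitelist test

# Constructed weight table. Only the three 3-point origin tests mirror the
# thread; the other names and weights are made up for the example.
WEIGHTS: Dict[str, int] = {
    "FOREIGN": 3, "BLACKHOLES": 3, "COUNTRY": 3,
    "RBL-A": 4, "RBL-B": 5, "HEURISTIC": 8,
    WHITELIST: -10,             # counterweight of 10 points, per the thread
}

# Tests that fire on the same underlying fact (where the mail originates).
ORIGIN_GROUP = ("FOREIGN", "BLACKHOLES", "COUNTRY")


def score(failed: Iterable[str], weights: Dict[str, int] = WEIGHTS) -> int:
    """Total weight of all tests a message triggered."""
    return sum(weights[name] for name in failed)


def tier(points: int) -> Optional[int]:
    """Highest hold level reached, or None when the message is delivered."""
    for level in HOLD_TIERS:
        if points >= level:
            return level
    return None


def overlap(group: Sequence[str], weights: Dict[str, int] = WEIGHTS,
            fail_at: int = FAIL_AT) -> Dict[str, int]:
    """What one fact costs when every test in the group fires on it."""
    combined = score(group, weights)
    return {
        "combined": combined,
        "single": max(weights[name] for name in group),
        "headroom": fail_at - combined,  # points left before the message fails
    }


def rebalance(group: Sequence[str],
              weights: Dict[str, int] = WEIGHTS) -> Dict[str, int]:
    """One possible adjustment: only the first test in the group keeps its weight."""
    adjusted = dict(weights)
    for name in group[1:]:
        adjusted[name] = 0
    return adjusted


def decide(failed: Iterable[str], weights: Dict[str, int] = WEIGHTS,
           absolute_whitelist: bool = False) -> Optional[int]:
    """Hold level for a message; an absolute whitelist skips scoring entirely."""
    failed = list(failed)
    if absolute_whitelist and WHITELIST in failed:
        return None
    return tier(score(failed, weights))


# Constructed messages, described by the tests they trigger.
FOREIGN_LEGIT = ["FOREIGN", "BLACKHOLES", "COUNTRY", "RBL-A"]
FORGED_RDNS_SPAM = ["RBL-A", "RBL-B", "HEURISTIC", "FOREIGN", WHITELIST]
LISTED_LEGIT = ["RBL-A", "RBL-B", WHITELIST]

if __name__ == "__main__":
    print("origin overlap:", overlap(ORIGIN_GROUP))
    print("foreign legit, stacked:", decide(FOREIGN_LEGIT))
    print("foreign legit, rebalanced:", decide(FOREIGN_LEGIT, rebalance(ORIGIN_GROUP)))
    print("forged rDNS spam, absolute whitelist:", decide(FORGED_RDNS_SPAM, absolute_whitelist=True))
    print("forged rDNS spam, counterweight:", decide(FORGED_RDNS_SPAM))
    print("listed legit sender, counterweight:", decide(LISTED_LEGIT))
```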


RE: [Declude.JunkMail] Spammer wanting servers?

2003-11-12 Thread Mark Brody
Hi Scott-

Where on the tools page is this nifty test located?

:)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Wednesday, November 12, 2003 2:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Spammer wanting servers?



  offer me such service please call me at: 1617-901-4129, Leave me a 
  message

Number is a Sprint PCS cell phone in Boston.

... or an AT&T wireless phone in Boston, per 
http://www.dnsstuff.com/tools/dophone.ch?name=1617-901-4129 .

-Scott


Re: [Declude.JunkMail] dns blacklist

2003-11-12 Thread R. Scott Perry

I have over 5000 ip's that I have blocked with IMail's ACL - now over
time I am worried that some may need to be removed. Since I cannot
think of a way to check them all at once I am considering a filter
file with thousands of lines or is a dns blacklist the better choice?
Or?
The IMail Control Access file is usually the best option, as it will 
prevent those IPs from even sending to the server (minimizing bandwidth).

Otherwise, the IP blacklist in Declude JunkMail would probably be the next 
best option (in terms of speed and resources used).

   -Scott


RE: [Declude.JunkMail] Spammer wanting servers?

2003-11-12 Thread R. Scott Perry

 ... or an AT&T wireless phone in Boston, per
 http://www.dnsstuff.com/tools/dophone.ch?name=1617-901-4129 .

Where on the tools page is this nifty test located?
You can find that one hidden at http://www.declude.com/pages/testbed.htm .  :)

   -Scott


RE: [Declude.JunkMail] URL Redirectors

2003-11-12 Thread George Kulman



Matt,

I'm familiar with the Y!DIRECTED and other tests that you've so kindly made
available. In this case I'm trying to find a way to identify these and
block them with the basic IMail tests.

If I can't, then I'll have to route all of their mail through my Declude Pro
environment.

George

  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Matthew Bramble
Sent: Wednesday, November 12, 2003 5:16 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] URL Redirectors

George,

I did build a test for this exact thing and shared it on my site (called
Y!DIRECTED), but I thought that you might have been more interested in that
URL in particular and replied accordingly. My Y!DIRECTED filter will
stop most of this stuff and it allows for places like Yahoo and Yahoo's ads
(and counterbalances for the chance that a link might be forwarded or replied
to and sent to a local user). It only works with Declude Pro (like all
other custom filters).

MailPure :: Filter Software :: Declude Filters
http://www.mailpure.com/software/decludefilters/

Matt

George Kulman wrote:

Matt,

Thanks for the info.  It's still difficult for me to imagine a "legitimate"
user having a redirected web site being pointed to as "their web site" in an
email.

More research I guess.

George

  
-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] On Behalf Of 
Matthew Bramble
Sent: Wednesday, November 12, 2003 2:37 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] URL Redirectors


George,

Spammers will use a variety of Yahoo sub-domains, most of which are 
valid.  I'm not familiar with that one in particular, but it 
might help 
to search Google for examples of that showing up (that's how 
I do some 
of my research).


http://www.google.com/search?hl=enlr=ie=UTF-8client=googletq=%22drs.yahoo.%2Bcom%22

Blocking that one address though would only be a fraction of the spam 
that actually uses Yahoo's redirection though.  Yahoo does use it 
themselves of course, and they also have it configured for links in 
messages sent by third parties, such as Classmates for instance.

Matt



George Kulman wrote:

  
Hi all,

I have an IMail client who doesn't have budget funds available for Declude
where these are easily filterable.  A fair amount of their spam contains a
URL redirection such as:

http://drs.yahoo.com/effloresce/*http://click.com-click.com.ph/click.php?id=leneyeiID=40gi=hallmark

1.	Is anyone aware of a dnsbl that deals with spamming URL redirectors?
2.	Is anyone aware of legitimate email using this type of URL?
3.	Is the drs.yahoo.com ever used for legitimate email.

TIA,

George
 



RE: [Declude.JunkMail] ldeliver interpretation

2003-11-12 Thread George Kulman
Katie,

If you want the fully loaded mail / recipient count on the incomings try

 find " RCPT TO:" sys.txt /C /I

George

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of R. 
 Scott Perry
 Sent: Wednesday, November 12, 2003 6:39 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.JunkMail] ldeliver interpretation
 
 
 
 Okay, so is there a way I can get a count before scanning by Declude?
 
 One option would be to count HELO and EHLO's, such as:
 
  find " HELO " sys.txt /c
  find " EHLO " sys.txt /c
 
 and add them.  The drawback to this is that it will also include 
 non-delivered E-mail (for example, someone doing a dictionary 
 attack), and 
 groups incoming/outgoing together.
 
 Alternatively, you could add the number of ldeliver/rdelivers 
 to the number 
 of E-mails held/deleted.
 
 -Scott


Re[2]: [Declude.JunkMail] URL Redirectors

2003-11-12 Thread Sanford Whiteman
 Not  sure  why  Scott's  server  hates  me  :) 

Maybe you should try non-HTML. ;)

-Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]




Re: [Declude.JunkMail] OT: Processes

2003-11-12 Thread Serge
sandy, john
look at the graph below for number of .smd files in spool.
notice the difference in pattern between this week and last
what should i investigate  ? what are the possible causes ?
bandwidth saturation ? incoming spam ? outgoing spam ? 




- Original Message -
From: Sanford Whiteman [EMAIL PROTECTED]
To: Serge [EMAIL PROTECTED]
Sent: Wednesday, November 12, 2003 3:01 AM
Subject: Re: [Declude.JunkMail] OT: Processes


  looking  at  the  running processes, there was only one SMTP and one
  SMTPD  process  shouldn't  there  be more smtp/d process running ?

 SMTPD has always been one process per server.

 SMTP  has  a  very short lifespan in 8.x--it's not really performing
 delivery, QUEUEMGR is--so even if you're swamped, you may not see them
 running.

 The question is why you're getting swamped, by what, whether a restart
 helps, etc.

 -Sandy



 
 Sanford Whiteman, Chief Technologist
 Broadleaf Systems, a division of
 Cypress Integrated Systems, Inc.
 e-mail: [EMAIL PROTECTED]
 


spool1-week.gif

RE: [Declude.JunkMail] OT: Processes

2003-11-12 Thread John Tolmachoff (Lists)
You would probably need to analyze the logs for those days to see for sure.

What are the total number of messages for those days?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of Serge
 Sent: Wednesday, November 12, 2003 5:28 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.JunkMail] OT: Processes
 
 sandy, john
 look at the graph below for number of .smd files in spool.
 notice the difference in pattern between this week and last
 what should i investigate  ? what are the possible causes ?
 bandwidth saturation ? incoming spam ? outgoing spam ? 
 
 
 
 
 - Original Message -
 From: Sanford Whiteman [EMAIL PROTECTED]
 To: Serge [EMAIL PROTECTED]
 Sent: Wednesday, November 12, 2003 3:01 AM
 Subject: Re: [Declude.JunkMail] OT: Processes
 
 
   looking  at  the  running processes, there was only one SMTP and one
   SMTPD  process  shouldn't  there  be more smtp/d process running ?
 
  SMTPD has always been one process per server.
 
  SMTP  has  a  very short lifespan in 8.x--it's not really performing
  delivery, QUEUEMGR is--so even if you're swamped, you may not see them
  running.
 
  The question is why you're getting swamped, by what, whether a restart
  helps, etc.
 
  -Sandy
 
 
 
  
  Sanford Whiteman, Chief Technologist
  Broadleaf Systems, a division of
  Cypress Integrated Systems, Inc.
  e-mail: [EMAIL PROTECTED]
  
 