Hello all,
I may be beating a dead horse, but I can't seem to
find any threads that talk about this.
Back when I first got declude and was using it with
my imail system I set up the following in Imail.
1) Made a user mailbox: test made all mail forward
to: nul
2) Set up an Aliases: nobody
Incorrect 1024-65535 are the random TCP ACK ports.
Just do a netstat -an and you'll see TCP 0.0.0.0:{GT 5000) LISTENING
Also, only a state based firewall will allow the TCP back channel ports by
default.
An access list in a router will need to have GT 1024 explicitly told to pass
the back channel
all mail that was not sent to a valid user name will be passed to
the alias nobody. Which will resolve to test. As the mail
arrives in test it is deleted.
Do you think that it's helping your server's performance to spool mail
that will never be delivered to a human?
The 'nobody'
I may be beating a dead horse, but I can't seem to find any threads that
talk about this.
Back when I first got declude and was using it with my imail system I
set up the following in Imail.
1) Made a user mailbox: test
made all mail forward to: nul
2) Set up an Aliases: nobody
made it
I've never tried it, but couldn't you just have the
nobody alias resolve to NUL?
It's an interesting concept that would present at
least one solution to the dictionary attacks.
I might give that a try on one of my stable domains
(no deleted users in years) just to see what it does to
Try setting it to go to username-NUL rather than
just NUL. Note that you don't need the mailbox for this, just put in the
nobody alias to direct to username-NUL.
Darin.
- Original Message -
From: Joe Wolf
To: [EMAIL PROTECTED]
Sent: Thursday, February 26, 2004 9:16 AM
Subject:
Why would the following email fail the
HELOBOGUS test?:
Received: from mail.tmlp.net
[69.64.96.3] by mail.tmlp.com with ESMTP (SMTPD32-7.07) id
AFC55F880106; Tue, 24 Feb 2004 16:19:01 -0500
Received: from [69.64.96.6] by
mail.tmlp.net (SMTPD32-8.00) id AF07226F0152; Tue, 24 Feb 2004
Let me re-state the point:
If the recipient's domain name is in the left hand side of the sender's
address (to the left of the @) then it's probably from a list server. You
could also look for the word bounce in the sender address.
I don't see how sending through an ISP SMTP server is relevant.
When you're hit with a dictionary attack we all know they send to
thousands of addresses at the domain. If the final delivery address
is invalid the server creates an Unknown User (or whatever it's
called) message that it tries to send back to the sender. If you
have high queue
Ok, bad terminology, but that's what I thought. Thanks for the
confirmation, Sandy.
Darin.
- Original Message -
From: Sanford Whiteman [EMAIL PROTECTED]
To: Darin Cox [EMAIL PROTECTED]
Sent: Thursday, February 26, 2004 1:18 PM
Subject: Re[2]: [Declude.JunkMail] Imail nul
Does
Sandy,
69.64.96.6 is my workstation. Correct me if I'm wrong, but wouldn't host
mail.tmlp.com only be interested in host mail.tmlp.net as far as the
HELOBOGUS test is concerned?
Received: from mail.tmlp.net [69.64.96.3] by mail.tmlp.com with ESMTP
(SMTPD32-7.07) id AFC55F880106; Tue, 24 Feb
Oops -- misread on my part. Looked at recipient and read sender sigh.
Sorry.
G
On Thu, 26 Feb 2004 11:44:49 -0600
Paul Fuhrmeister said something about RE: [Declude.JunkMail] test if recipient's
domain name in the sender address:
Let me re-state the point:
If the recipient's domain name
The issue is this line:
Received: from [69.64.96.6] by mail.tmlp.net
There should be a host name before the IP address. The server at
69.64.96.6 has no host name configured. When you configure a host name,
make sure to create an A record in DNS that points to it by the same
name.
Matt
OK, I'm convinced. Whoever posted it made me
think it might be a method to try. I yield to those with superior
knowledge.
-Joe
- Original Message -
From: Matt
To: [EMAIL PROTECTED]
Sent: Thursday, February 26, 2004 2:39 PM
Subject: Re: [Declude.JunkMail] Imail
Hey Matt,
Maybe I'm missing something, but
69.64.96.6 is my workstation, which is just simply running the mail client
Outlook Express. Sending thru mail.tmlp.net to mail.tmlp.com. So, my question,
dumb as it may seem: Why would my workstation need an official host
name?
Thanks,
Steve
Let me correct something here.
The issue is that you are scanning internal E-mail, though the previous
advice is accurate. There are many issues that can happen with this.
You might want to whitelist your internal IP space in your Global.cfg.
Matt
Matt wrote:
The issue is this
Matt -
hop testing (I test the last 4 hops since my server can handle it
currently and that helps with forwarding). I've only seen a few FP's
Does this mean you have a HOPHIGH 4 setting in your global.cfg?
Or (3) considering HOP 0 or none of this applies..?
Thanks!
HOP 0
HOPHIGH 3
I believe the only real harm in this is the extra lookups, but your
volume shouldn't present problems as it is very similar to my own and I
have seen no issues. Most E-mail of course only has 1 or 2 hops. I
did this because of a relay chain for forwarding at one particular
In diagnosing why some messages are slipping through, I manually analyzed
the headers using spamcop and noticed that spamcop reported a blacklist
that wasn't getting scored by declude.
I'm assuming the problem is a DNS timeout when declude is trying to
perform the lookup test.
Either that, or
What is the syntax to tell Declude to use a DNS server in the Global.cfg
Fred
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, February 26, 2004 6:24 PM
Subject: Re: [Declude.JunkMail] DNS timeout and DNS configuration - does it
get
What is the syntax to tell Declude to use a DNS server in the Global.cfg
DNS 192.0.2.25 (without the quotes).
-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers
since 2000.
Declude Virus: Catches known viruses
On Thu, 26 Feb 2004 20:35:01 -0500
DLAnalyzer Support said something about Re: [Declude.JunkMail] DNS timeout and DNS
configuration - does it get logged?:
DNS line in the \IMail\Declude\global.cfg file). Note that it is
recommended (with or without Declude) that you only use 1 DNS server
DNS line in the \IMail\Declude\global.cfg file). Note that it is
recommended (with or without Declude) that you only use 1 DNS server in
the IMail SMTP settings.
What types of problems tend to crop up with multiple DNS servers listed in
Imail?
Darrell
---
[This E-mail was scanned for viruses
Hi,
In diagnosing why some messages are slipping through, I manually analyzed the headers
using spamcop and noticed that spamcop reported a blacklist that wasn't getting scored
by declude.
I'm assuming the problem is a DNS timeout when declude is trying to perform the lookup
test.
I'm
Someone recently experienced a situation where a spammer distributed a
list of nonexistent addresses and totally hammered a domain with them.
It seems that not all spammers care about the purity of their data and
an accepted message may get that address on their list, even if you
accepted
Only problem I see with that is valid business email where a user mistyped
the email address of the recipient. Without getting the Unknown User
response, they assume the recipient got the message. My business customers
would hate a change like this as their customers continually make up their
Sandy,
I'm not going to claim to be an email server expert, but here's what I
see... I could be wrong.
When you're hit with a dictionary attack we all know they send to thousands
of addresses at the domain. If the final delivery address is invalid the
server creates an Unknown User (or whatever
From: Life Quotes [EMAIL PROTECTED]
I want to filter out the word Life Quotes, I have tried this by
HEADERS 8 CONTAINS Life Quotes
I have this in my global.cfg
FILTER_HEADER filter C:\imail\Declude\filter_HEADERS.txt x 0 0
That should work fine.
Is
Received: from SMTP32-FWD by mail.compworldnet.com
(SMTP32) id A07B4; Thu, 26 Feb 2004 09:47:55 -0600
Received: from Primary_Imail [65.66.8.5] by mail.compworldnet.com with ESMTP
(SMTPD32-7.15) id A52ACD0272; Thu, 26 Feb 2004 09:47:54 -0600
Received: from vqkjazda.crazystart.com
Not a good test. With port 25 blocking becoming more common to force ISP
subscribers to route all email out through the ISP SMTP server the sender
address is likely to show the ISP email address while the From: line will
show whatever email address they normally use depending on the SMTP Auth
Why would the following email fail the HELOBOGUS test?:
Received: from [69.64.96.6] by mail.tmlp.net
(SMTPD32-8.00) id AF07226F0152; Tue, 24 Feb 2004 16:15:51 -0500
blank is not a valid hostname.
--Sandy
Sanford Whiteman, Chief Technologist
Broadleaf
Is there a test that tells me if the recipient's domain name is in the
sender address? It seems this would be a good tip-off that it's bulk mail,
AND IF from a DUL OR listed in SpamCop, MailPolice, etc., THEN it's
probably spam.
X-RBL-Warning: AHBL: 1067376393 bruns - Spam Source -
Scott,
I came up with this filter to trigger on emails with attachments with a
.zip extension. I created a file called ziptest and added it into the
global.cfg file as a filter named zipper.
Ziptest.txt
# Zip test
HEADERS 0 CONTAINS Content-Type: application/x-zip
BODY
33 matches