Hi,
I changed the subject to reflect the actual content of this thread.
I think it's a measure of the vitality of this community that we feel free to share things that are sometimes "off-topic" for the basic purpose, which is, of course, Declude support. Most of us are mail administrators of one sort or another, from employees to business owners, and all mail administrators share certain common concerns and challenges.
These probably fall into the following major categories:
- "Newbie" questions about Declude and/or IMail
- Advanced configuration issues with Declude
- Performance issues with Declude and/or IMail
- Sharing of Declude resources, such as Matt's and Kami's filter scripts
- Sharing of information related to spam sources, such as Kami's phishing notices
- Sharing of information and resources related to email in general, including DNS
- Mutual aid in emergencies
YMMV. There are many other ways to categorize the messages here.
By definition, a community is a bunch of people with a common interest. Each of us comes here with unique things to bring to the table and unique expectations. Those things change with circumstance. You may not think you have a unique talent, but when somebody posts an urgent message that his server has both processors running at 100% and no mail is coming in or going out, and you faced the same situation last week, you may have a lot to offer.
I have read almost 8000 messages from this list over the last couple of years. As a result, I am wiser, better informed, and more grateful to this community than I ever could have been had the subjects of all messages been limited strictly to Declude tech support issues.
Yesterday, I posted a link to a DNS script that makes my life easier because I knew it could help others here. Yes, it is OT and that dilutes the "purity" of a Declude list, but I have had a number of positive responses to that post, and it will probably save a lot of hours for the folks who adopt it. That's my way of "paying forward" for the times I've been helped by others here.
Having said that, I do appreciate the problem stated by Dan. If you want to get into the list, get the latest about Declude, and get out, then OT posts are annoying.
One easy solution would be to prefix any subject not specifically Declude with "OT: ". That way, those who do not want to treat the list as a community and wish to get Declude-only info can filter for that string. Another would be for Declude (or someone else) to offer a different "community" list.
Anyway, that's my nickel's worth...
-Dave Doherty Skywaves, Inc.
----- Original Message -----
From: "Matthew Hiltner: oliveJar Support" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, October 05, 2004 5:40 PM
Subject: RE: [Declude.JunkMail] Citibank - phishing- still live
I would have to agree with Dan. While there is no harm in the occasional off-topic discussion, for someone who reads the list for the purpose of Declude JunkMail related topics, sifting through the many non-Declude related topics can be tiresome at times.
Maybe it's time that Declude makes a move and starts a spam advisory list or
something similar for the mail administrator community.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dan Geiser
Sent: Tuesday, October 05, 2004 3:48 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Citibank - phishing- still live
Hi, Chuck,
I don't consider the non-existence of a common "SpamDomains" text file to be
a problem. As I said in my response to Markus no one "SpamDomains" file is
correct. So if no one "SpamDomains" file can be seen as correct then you
can't have one common "SpamDomains" text file.
With multiple "SpamDomains" source files you could choose to weight some "SpamDomains" such as those legitimate businesses which use outsourced 3rd party mailers but that still shouldn't affect all "SpamDomains" across the board.
My top priority is to deliver all legitimate e-mail as well. Right now our
DJM installation is looking at about 400,000 messages a month 3/4's of which
are spam. That's only for 19 domains. If other customers start using our
spam filtering that number will go up so I am trying to keep the resource
intensive tests to a minimum so I don't have to worry too much about it
scaling up down the road.
But I go back to my original post. The Declude JunkMail discussion list is
a pretty busy list as it is. I see all sorts of news articles and phishing
URLs posted to this list which are mostly meaningless to me. Yes, most of
the news articles are related to spam filtering in general, and in the case
of the phishing URLs some DJM users are choosing to block those URLs with
body filters individually, but I still don't see why the whole group has to
be included on those phishing announcements. I think the "general spam news
articles" would be more appropriate for a list which discusses the problem
of "spam in general". And I think the "phishing URLs" would be more
appropriate for a list which discussed "currently active phishing URLs".
Less noise and more signal on this list means less meaningless (to me)
messages that I have to wade through to get to the real meat of the new
enhancements in Declude JunkMail. As it is I can't keep up with everything
which is discussed on here and I don't think there's anything "wrong" with
inquiring about the purpose of certain postings.
Thanks, Dan Geiser [EMAIL PROTECTED]
----- Original Message -----
From: "Chuck Schick" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, October 05, 2004 3:51 PM
Subject: RE: [Declude.JunkMail] Citibank - phishing- still live
Dan:
I certainly know how to run the spamdomains test but I would like to point
out some of the basic problems with the spam domains test. As I said there
is no central list for the spam domains - you posted yours and Marcus posted
his and they were different. Here are a few other problems with spamdomains
- many legitimate businesses (American Express, Dell) outsource mailings to
third party mailers - this can trigger false positives. People using
their personal email address as a reply to address and send it from a
different server (from work) - more false positives. People forwarding mail
to an account on our server from another mail server - these will trip more
false positives.
Every situation is different, everyone's objectives are a little different.
I could never get away with blocking mail without a reverse dns entry like
aol does. Our top priority is to deliver the mail, our second priority is
block unwanted email, our third priority is to minimize time spent
maintaining the mail system. I find that body filters are very good at
meeting our objectives and actually save us time. We use spam domain tests
but find they are more prone to false positives for the reasons mentioned
above and therefore we have to weigh it lower than some other tests.
Chuck Schick Warp 8, Inc. (303)-421-5140 www.warp8.com
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
Sent: Tuesday, October 05, 2004 10:30 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Citibank - phishing- still live
Chuck, If you are getting lots of false positives with SpamDomains then I don't think you are using it right. My hold weight is 100. My delete weight is 200. I have multiple SpamDomains tests with some weighing 100 points and some weighing 125 points. So almost any failure of SpamDomains is held in my setup. Obviously I wouldn't be holding on SpamDomains if it generated lots of false positives.
BTW, I don't do any filtering on the body of messages, only headers. Body filtering is a big waste of time in my opinion.
Dan
----- Original Message -----
From: "Chuck Schick" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, October 05, 2004 12:07 PM
Subject: RE: [Declude.JunkMail] Citibank - phishing- still live
Unfortunately spamdomains is a test that has a lot of false positives and
there is no real solid list of spamdomains. Because of that we have to
weight spamdomains low, so I could never say that users would not see such
an email because of spam domains alone. On the other hand I can give a very
high weight to urls contained in the body of an email and will have almost
no false positives. Just my thoughts on the matter.
Chuck Schick Warp 8, Inc. (303)-421-5140 www.warp8.com
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
Sent: Tuesday, October 05, 2004 9:14 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Citibank - phishing- still live
Whether I classify them as spam or not, I don't post every spam that I receive to this list.
My point is that if you are blocking phish based on individual URLs I think
you are not doing it in the most efficient way. Simply adding...
@ameritrade.com .ameritrade.com @citi.com .citibank.com @citibank.com .citibank.com @ebay.com .ebay.com @fleet.com .fleet.com .gs.com @paypal.com .paypal.com @suntrust.com .suntrust.com @visa.com .visa.com @wellsfargo.com .wellsfargo.com
to the text file which maps to my Spamdomains test keeps all of the phish away from my users since none of these messages ever originate from the proper domains.
Dan
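The SpamDomains idea described in the message above, together with the false-positive cases raised elsewhere in the thread, as an added example that is not part of the original thread and is not Declude code. It assumes a simplified model in which each entry pairs a sender pattern with the reverse-DNS suffix the connecting host must have; the sender addresses and all hostnames except the dialup one are constructed.

```python
# Simplified model of a sender-domain vs reverse-DNS test (assumed semantics,
# not Declude's implementation). Pairs are a subset of the list quoted above.
SPAMDOMAINS = [
    ("@citi.com", ".citibank.com"),
    ("@citibank.com", ".citibank.com"),
    ("@ebay.com", ".ebay.com"),
    ("@paypal.com", ".paypal.com"),
]
TEST_WEIGHT = 100    # a per-test weight mentioned in the thread
HOLD_WEIGHT = 100    # hold threshold mentioned in the thread
DELETE_WEIGHT = 200  # delete threshold mentioned in the thread

def spamdomains_fails(mail_from, reverse_dns, rules=SPAMDOMAINS):
    """True when the sender claims a listed domain but the connecting
    host's reverse DNS is not inside the required domain."""
    sender = mail_from.strip().lower()
    rdns = (reverse_dns or "").strip().lower().rstrip(".")
    for pattern, suffix in rules:
        if sender.endswith(pattern):
            # Compare on a label boundary so "notpaypal.com" cannot pass
            # as ".paypal.com"; a missing reverse DNS entry also fails.
            return not (rdns == suffix.lstrip(".") or rdns.endswith(suffix))
    return False  # sender domain is not listed, so the test does not apply

def evaluate(mail_from, reverse_dns, other_score=0):
    """Return (total weight, action) for one message."""
    hit = spamdomains_fails(mail_from, reverse_dns)
    score = other_score + (TEST_WEIGHT if hit else 0)
    if score >= DELETE_WEIGHT:
        return score, "delete"
    return score, "hold" if score >= HOLD_WEIGHT else "deliver"

# Constructed samples; only the dialup host name comes from the headers
# quoted further down the thread.
SAMPLES = [
    ("phish from a dialup host", "service@citibank.com",
     "dialup-12-107-246-11.dtccom.net"),
    ("genuine bank mail", "alerts@citibank.com", "mail1.citibank.com"),
    ("outsourced third-party mailer", "offers@ebay.com",
     "mta7.bulkmailer.example"),
    ("lookalike reverse DNS", "service@paypal.com", "mail.notpaypal.com"),
    ("unlisted sender", "bob@example.org", "mx.example.org"),
]

if __name__ == "__main__":
    for label, sender, rdns in SAMPLES:
        print(f"{label:32} {evaluate(sender, rdns)}")
```

The third sample is held even though it models legitimate mail, which is the false-positive case that leads some posters to weight the test below the hold threshold.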
----- Original Message -----
From: "Bill Landry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, October 05, 2004 10:58 AM
Subject: Re: [Declude.JunkMail] Citibank - phishing- still live
Where else would you suggest they be posted, after all, phishing e-mail are spam in my book. However, with that said, more and more virus vendors are starting to add phishing e-mail recognition to their virus definitions. Both uvscan (NAI/McAfee) and the latest release candidates for ClamAV support phishing e-mail detection.
Bill
----- Original Message -----
From: "Dan Geiser" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, October 05, 2004 4:22 AM
Subject: Re: [Declude.JunkMail] Citibank - phishing- still live
Can I ask why you guys post these to the Declude JunkMail discussion list? It doesn't seem to have anything to do with the subject matter of this list.
----- Original Message -----
From: Kami Razvan <mailto:[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Sent: Tuesday, October 05, 2004 6:56 AM
Subject: [Declude.JunkMail] Citibank - phishing- still live
Hi; the following is another phishing attempt- the site still live.
http://211.158.34.250/citifi/
Regards, Kami
Subject: [37~]Dear customer your details have been compromised
MIME-Version: 1.0 (produced by annunciatemarginalia 8.2)
Content-Type: multipart/alternative; boundary="--938071008627732911"
X-RBL-Warning: IPNOTINMX:
X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail detected.
X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command.
X-RBL-Warning: NJABL-DYNA: "Dynamic/Residential IP range listed by NJABL dynablock - http://njabl.org/dynablock.html"
X-RBL-Warning: NJABL-DUL: This E-mail came from 12.107.246.11, a potential spam source listed in NJABL-DUL.
X-RBL-Warning: NOABUSE: "Not supporting [EMAIL PROTECTED]"
X-RBL-Warning: SORBS-DUL: "Dynamic IP Address See: http://www.dnsbl.sorbs.net/lookup.shtml?12.107.246.11"
X-RBL-Warning: IPLINKED: Message failed IPLINKED test (line 198, weight 13)
X-Declude-Sender: [EMAIL PROTECTED] [12.107.246.11]
X-Declude-Spoolname: D26691b0502409fba.SMD
X-Note: ==================================================================
X-Note: Spam Score: 37 [BLOCKED ON 20+ & DELETED ON 40+]
X-Note: Scan Time: 00:43:47 on 05 Oct 2004
X-Note: Spool File: D26691b0502409fba.SMD
X-Note: Server Name: dialup-12-107-246-11.dtccom.net
X-Note: SMTP Sender: [EMAIL PROTECTED]
X-Note: Reverse DNS & IP: dialup-12-107-246-11.dtccom.net [12.107.246.11]
X-Note: Country Chain: UNITED STATES->destination
----938071008627732911
Content-Type: text/plain; charset="iso-2059-6"
Content-Transfer-Encoding: quoted-printable
Content-Description: nicholson salmonberry biblical
Dear Customer:
Recently there have been a large number of cyber attacks pointing our data= base servers. In order to safeguard your account, we require you to sign o= n immediately.
This personal check is requested of you as a precautionary measure and to = ensure yourselves that everything is normal with your balance and personal= information.
This process is mandatory, and if you did not sign on within the nearest t= ime your account may be subject to temporary suspension.
Please make sure you have your Citibank(R) debit card number and your User= ID and Password at hand.
Please use our secure counter server to indicate that you have signed on, = please click the link bellow:
http://211.158.34.250/citifi/
!! Note that we have no particular indications that your details have been= compromised in any way.
Thank you for your prompt attention to this matter and thank you for using= Citibank(R)
Regards,
Citibank(R) Card Department
(C)2004 Citibank. Citibank, N.A., Citibank, F.S.B., Citibank (West), FSB. Member FDIC.Citibank and Arc Design is a registered service mark of Citicorp.
----938071008627732911--
--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. ---------------------------------------------------------------------- - Sign up for virus-free and spam-free e-mail with Nexus Technology Group http://www.nexustechgroup.com/mailscan
