[Declude.JunkMail] HELOBOGUS MAILFROM warnings on legit server

2003-01-07 Thread Troy Hilton
Hello All,

I've got a problem with Declude catching mail from my web server. The web
server is sending mail from web forms that customers fill out to users
hosted on my email server. I'm getting HELOBOGUS and MAILFROM warnings,
stating that the domain server_name does not have any MX/A records. How
can I resolve this? I don't want to whitelist the server name but I've got
to be able to send the email forms to the respective users.

I look forward to your help.

Troy

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.



[Declude.JunkMail] Overflow directory

2003-01-07 Thread Markus Gufler
Hi Scott,

Can I manually move spooled D and Q-files in the overflow folder?
When they will be respooled?

Markus




Re: [Declude.JunkMail] Outblaze is not happy with our fromfile - Image`fx (part5)

2003-01-07 Thread paul
I've had issues with Outblaze's clients, mail.com, e-mail.com, when I was
blocking them Outblaze contacted me about it. I have to say in their
defense, when I had an issue with a user of theirs they took care of it
right away and terminated the account. In a way it's no big deal, the
spammer has 100 other addresses to use, but at least they did back up the
no spam policy they say they have.

Just my dealing with them, FWIW.

Paul

 In any event outblaze has not been active since 2002/11/24
 so it was not really a problem removing them, however, when
 I viewed their web site I got the impression that they do
 some sort of bulk mailing or campaign.  I don't know what
 to make of them.  They don't describe their services clear
 enough for us simple folk. ;)

 Sorry if this wasted your time, I figured it may be of interest.

 Regards,
 Tom
 Image`fx





RE: [Declude.JunkMail] HELOBOGUS MAILFROM warnings on legit server

2003-01-07 Thread John Tolmachoff
Add the appropriate records in your DNS.

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA  92835
www.reliancesoft.com

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED]] On Behalf Of Troy Hilton
 Sent: Tuesday, January 07, 2003 6:06 AM
 To: Declude Junkmail Forum (E-mail)
 Subject: [Declude.JunkMail] HELOBOGUS  MAILFROM warnings on legit server
 
 Hello All,
 
 I've got a problem with Declude catching mail from my web server. The web
 server is sending mail from web forms that customers fill out to users
 hosted on my email server. I'm getting HELOBOGUS and MAILFROM warnings,
 stating that the domain server_name does not have any MX/A records. How
 can I resolve this? I don't want to whitelist the server name but I've got
 to be able to send the email forms to the respective users.
 
 I look forward to your help.
 
 Troy
 



[Declude.JunkMail] OT a bit..spam databases

2003-01-07 Thread Sharyn Schmidt
Hi,

I'm trying to see if a certain IP address is listed in any of the
Orbz-like spam databases.

What, in everyone's opinion, is the most common one used?

TIA
Sharyn



We are the worldwide producer and marketer of the award winning Cruzan
Single Barrel Rum, judged Best in the World at the annual
San Francisco Wine and Spirits Championships. For
more information, please click (go to) http://www.cruzanrums.com



Re: [Declude.JunkMail] Overflow directory

2003-01-07 Thread R. Scott Perry


Can I manually move spooled D and Q-files in the overflow folder?
When they will be respooled?


You can, but it is not recommended.

If there are any files in the overflow directory (there should only be Q*.* 
files in there), it means that your mailserver is overloaded (not that it 
*was* overloaded, but that it currently *is* overloaded and is sending mail 
at its maximum capacity).  If there are files in there, Declude Queue is 
taking care of feeding them to IMail at a rate that it can handle (so 
that it will send them as soon as it can, overriding the default IMail 
behavior of sending it 1/2 hour or more later).

Although you can move the files back to the spool directory (no harm will 
be done by doing that), it prevents Declude Queue from speeding up the 
message delivery, and will revert back to the IMail method (which can 
often take hours to deliver E-mails that could otherwise go out in a few 
minutes).
   -Scott



Re: [Declude.JunkMail] HELOBOGUS MAILFROM warnings on legit server

2003-01-07 Thread R. Scott Perry


I've got a problem with Declude catching mail from my web server. The web
server is sending mail from web forms that customers fill out to users
hosted on my email server. I'm getting HELOBOGUS and MAILFROM warnings,
stating that the domain server_name does not have any MX/A records. How
can I resolve this? I don't want to whitelist the server name but I've got
to be able to send the email forms to the respective users.


That's because your web server is claiming to be an Internet host named 
server_name (which isn't valid -- an Internet host needs to be in the 
format server_name.example.com), and sending mail from a non-existent 
domain (probably something like webmaster@server_name).

The best way to deal with this is to fix the problem, and have the web 
server send out mail properly, by using server_name.example.com as the 
host name and a return address of [EMAIL PROTECTED] (or 
[EMAIL PROTECTED]).  That way, the E-mail won't be caught as spam on other 
servers.

The quick fix, though, would be to whitelist the IP address of the web 
server (WHITELIST IP 192.0.2.25 in the \IMail\Declude\global.cfg 
file).  That will prevent the E-mail from getting caught by Declude 
JunkMail, but it could still get caught on the receiving server.
-Scott



RE: [Declude.JunkMail] Overflow directory

2003-01-07 Thread Markus Gufler
No there is no file in the overflow directory.

The problem is not that there are too many msgs for the server. The
problem is that there are 600 clients returning from holidays and
everyone begins to download his email. In addition they begin to send
relatively large mails (here the picture where I'm ... made with his new
5 megapixel camera)

Not enough, there is a hoax mail around and thousands of Attention New
virus!!! msgs were sent. (I've set a keyword in our SpamChk to block
this now.)

The problem is now that also other mailservers in our zone here seem to
have the same problem and the delivery to these servers is very slow.

So we have a very large spool folder with many timed out delivery
attempts and I will try to move some large msgs in a temporary folder
until tonight. Another problem is, that spooled files that are in
delivery (_[id].smd) can't be deleted or moved manually.

Where can I read more about the overflow functionality? Can it be useful
to not only move too many msgs in the overflow folder but also if there
is too much data in the spool folder?

Markus



 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED]] On Behalf Of R. 
 Scott Perry
 Sent: Tuesday, January 07, 2003 4:08 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.JunkMail] Overflow directory
 
 
 
 Can I manually move spooled D and Q-files in the overflow folder? When
 they will be respooled?
 
 You can, but it is not recommended.
 
 If there are any files in the overflow directory (there should only be
 Q*.* files in there), it means that your mailserver is overloaded (not
 that it *was* overloaded, but that it currently *is* overloaded and is
 sending mail at its maximum capacity).  If there are files in there,
 Declude Queue is taking care of feeding them to IMail at a rate that it
 can handle (so that it will send them as soon as it can, overriding the
 default IMail behavior of sending it 1/2 hour or more later).
 
 Although you can move the files back to the spool directory (no harm
 will be done by doing that), it prevents Declude Queue from speeding up
 the message delivery, and will revert back to the IMail method (which
 can often take hours to deliver E-mails that could otherwise go out in
 a few minutes).
 -Scott
 



RE: [Declude.JunkMail] Overflow directory

2003-01-07 Thread R. Scott Perry


So we have a very large spool folder with many timed out delivery
attempts and I will try to move some large msgs in a temporary folder
until tonight.


Ah, I see.

The overflow directory won't help here -- if you move the 
\IMail\spool\Q*.SMD files to the \IMail\spool\overflow directory, Declude 
Queue would try sending them immediately.  If the E-mails can't be sent 
because of problems reaching the remote mailservers, Declude Queue won't be 
able to speed up the process.

Another problem is, that spooled files that are in
delivery (_[id].smd) can't be deleted or moved manually.


That's intentional.  If you could delete one of those files, it would 
prevent the E-mail from being delivered.  If you could move it, then IMail 
wouldn't be able to properly process the file.  What would be nice, though, 
is if IMail had a way of listing all the SMTP processes in memory and what 
they were working on, and allowed you to stop them.

Where can I read more about the overflow functionality? Can it be useful
to not only move too many msgs in the overflow folder but also if there
is too much data in the spool folder?


The overflow directory is designed to work automatically, so you shouldn't 
need to move files there.  You can find out more information about it at 
http://www.declude.com/dq.htm .

In this case, you could move some of the Q*.SMD files to a temporary 
directory, and perhaps wait 8 hours or so and then move them back to the 
spool directory.  Or, you could try changing the SMTP settings in IMail to 
retry E-mail every few hours, rather than the default of every 30 minutes.
   -Scott



[Declude.JunkMail] BADHEADERS Code a400010b -- not at /tools/header?

2003-01-07 Thread Sanford Whiteman
Scott/All,

I can't retrieve the extended info for code a400010b. Does anyone have
it on hand?

-Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]





Re: [Declude.JunkMail] BADHEADERS Code a400010b -- not at /tools/header?

2003-01-07 Thread R. Scott Perry


I can't retrieve the extended info for code a400010b. Does anyone have
it on hand?


That one is caused by a missing To: header.
-Scott




Re[2]: [Declude.JunkMail] Overflow directory

2003-01-07 Thread Sanford Whiteman
 So there are a lot of msgs where the remote mailserver after some
 mb's of transferred data terminates the transmission.

Any mail server that terminates the session instead of sending a 5xx
is broken, as it's just inviting more waste on both sides. If the
server terminates the session and blacklists you temporarily or
permanently for future attempts, that's politically draconian, but
at least it's technically wiser about bandwidth. I had a lengthy
argument about this with Len Conrad on the IMail list; you may wish to
look it up.

As you mention, setting an outgoing size limit may help. But it will
not help if you set a (generous, but not crazy) 10 MB limit and users
send to domains with even lower limits. And these domains are the ones
most likely to muck with your retries. It is, essentially, a no-win
situation unless you counsel users to be sure that the destination
domain will accept their attachments--far easier in
corporate-to-corporate situations than in person-to-person.

-Sandy




Re[2]: [Declude.JunkMail] BADHEADERS Code a400010b -- not at /tools/header?

2003-01-07 Thread Sanford Whiteman
I can't retrieve the extended info for code a400010b. Does anyone
have it on hand?

 That one is caused by a missing To: header.

Thanks--I would've caught it if I'd had the original e-mail, but I
just had the alert. Is it indeed not at /tools/badheaders?

-Sandy




RE: [Declude.JunkMail] OT a bit..spam databases

2003-01-07 Thread Sharyn Schmidt

I don't know about popularity, but I'd use the SPAM database lookup tool
at 
http://www.dnsstuff.com/


That's perfect..that's exactly what I was looking for!

Thanks!
Sharyn


We are the worldwide producer and marketer of the award winning Cruzan
Single Barrel Rum, judged Best in the World at the annual
San Francisco Wine and Spirits Championships. For
more information, please click (go to) http://www.cruzanrums.com



RE: [Declude.JunkMail] OT a bit..spam databases

2003-01-07 Thread Colbeck, Andrew
I'm rather fond of this web tool for doing multiple simultaneous lookups:

http://openrbl.org/

Specifically, it returns hyperlinks and text messages if returned by the bl.
It also puts up spam related news and info.

Andrew 8)

-Original Message-
From: Sharyn Schmidt [mailto:[EMAIL PROTECTED]] 

I'm trying to see if a certain IP address is listed in any of the
Orbz-like spam databases.




RE: [Declude.JunkMail] Overflow directory

2003-01-07 Thread Markus Gufler

 Any mail server that terminates the session instead of
 sending a 5xx is broken, as it's just inviting more
 waste on both sides.

Why they don't answer with an 5xx code?
There was one single 531 - Mailbox has exceeded disk quota today but a
lot of

01:07 10:00 SMTP-(07BC) .
01:07 10:00 SMTP-(07BC) rl-recv: connection reset
01:07 10:00 SMTP-(07BC) 
01:07 10:00 SMTP-(07BC) SMTP_DELIV_FAILED
01:07 10:00 SMTP-(07BC) QUIT


 If the server terminates the session
 and blacklists you temporarily or permanently for future
 attempts, that's politically draconian, but at least it's
 technically wiser about bandwidth.

According to our MRTG-Stats and SMTP-Logfiles they neither has done
this.


 I had a lengthy 
 argument about this with Len Conrad on the IMail list; you 
 may wish to look it up.

Do you remember some keyword or the subject line? In this list
Imail-keywords are commonly used ;-)
In any case a tool as mentioned by Scott to watch and control single
smtp transmissions should be very useful in such a situation.


 It is, essentially, a no-win situation unless
 you counsel users to be sure that the destination
 domain will accept their attachments

It's not so easy: Most of the users aren't able to differentiate between
kB and MB...

Thanks
Markus





[Declude.JunkMail] Feature requests: LOOSEN HELOBOGUS ON/OFF, REVNOTHELO

2003-01-07 Thread Sanford Whiteman
Scott/All,

- I've found HELOBOGUS is often counterproductive, even with a low
weight, since legit sites, even (especially?) big guns (Fortune 500,
whatever) often give their servers fully-qualified, RFC-legal--yet
publicly nonexistent--hostnames. What would help a lot, I think, is
the ability to let theoretically publishABLE FQHNs go, but still catch
unqualified hostnames, illegitimate characters, and IP addresses.

- I would never, ever, ever block someone who had non-matching HELO
and PTR. Repeat, I would never hold this against someone, and it
really peeves me when clients (one of our military sites, for example)
suggest it. But I WOULD use a negative test in the style of IPNOTINMX,
rewarding a site slightly for having the ability, experience, and
control to match the two and hopefully combatting some FPs. In
particular, this separates people using consumer DSL providers (who
pre-assign a non-matching PTR reflecting the PPPoE or static IP
address) from companies with a tighter hold on their IT, and--although
we provide hosting services ourselves!--would also give a boost to
those that don't use shared servers. Of course, the more people learn
about this counterweight, the less useful it would be, and there are
some spammers who already would benefit from it. Yet it would
definitely assist when (untreatable) SPAMHEADERS/BADHEADERS/HELOBOGUS
blasts come from legitimate sources. Kind of a toss-up, but I'd like
to discuss it.

Please post your thoughts.

-Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]





Re[2]: [Declude.JunkMail] Overflow directory

2003-01-07 Thread Sanford Whiteman
 Why they don't answer with an 5xx code? There was one single 531 -
 Mailbox has exceeded disk quota today...

Because they're stupid. They don't want to wait, so they just keep it
comin' 1/2 hour later.

 If the server terminates the session and blacklists you temporarily
 or permanently for future attempts...

 According to our MRTG-Stats and SMTP-Logfiles they neither has done
 this.

Even more enraging--they don't even know how to be smart about being
strict.

 Do you remember some keyword or the subject line? In this list
 Imail-keywords are commonly used ;-)

The thread is called Hotmail rejection from Dec 2002.

 It's not so easy: Most of the users aren't able to differentiate between
 kB and MB...

Word to that.

-Sandy




[Declude.JunkMail] EXE files, again!

2003-01-07 Thread Sheldon Koehler
I have a persistent old lady that is very upset by the fact we do not allow
EXE files. She is making greeting cards with MS Home Publisher. I showed her
this link on Microsoft's site
http://office.microsoft.com/assistance/2000/Out2ksecFAQ.aspx , but she is
still adamant that it does not pertain to Home Publisher...

I tried searching Symantec and a couple other sites looking for a generic
page by a major authority that EXE files are a Bad Thing (tm). Anyone
have good links?

Sheldon


Sheldon Koehler, Owner/Partner    http://www.tenforward.com
Ten Forward Communications        360-457-9023
Nationwide access, neighborhood support!

Whenever you find yourself on the side of the majority, it's time
to pause and reflect. Mark Twain





Re: [Declude.JunkMail] Feature requests: LOOSEN HELOBOGUS ON/OFF, REVNOTHELO

2003-01-07 Thread R. Scott Perry


- I've found HELOBOGUS is often counterproductive, even with a low
weight, since legit sites, even (especially?) big guns (Fortune 500,
whatever) often give their servers fully-qualified, RFC-legal--yet
publicly nonexistent--hostnames. What would help a lot, I think, is
the ability to let theoretically publishABLE FQHNs go, but still catch
unqualified hostnames, illegitimate characters, and IP addresses.


It's also important to realize the purpose of the HELOBOGUS test.  It isn't 
designed primarily to catch spammers.  It's designed to help detect poorly 
administered mailservers -- ones that are likely to be abused by 
spammers.  And those Fortune 500 companies that have their mailserver 
advertise itself with a name other than what it really is, well, they are 
running mailservers that are poorly administered.

It's a catch-22:  If you penalize a mailserver for bending the rules too 
far, you risk losing some legitimate mail.  But if you don't penalize them, 
they will definitely continue bending the rules too far, which helps 
increase spam.

As spam gets worse (increasing over 400% last year), legitimate mailers can 
either complain that some of their mail gets caught as spam, or they can 
get their acts together and fix their problems.

That doesn't mean that we won't consider it (I dislike the 
LOOSENSPAMHEADERS option, for example, but it was added because others 
liked it).

- I would never, ever, ever block someone who had non-matching HELO
and PTR. Repeat, I would never hold this against someone, and it
really peeves me when clients (one of our military sites, for example)
suggest it.


Good -- because it would catch mail from this list.  :)


But I WOULD use a negative test in the style of IPNOTINMX,
rewarding a site slightly for having the ability, experience, and
control to match the two and hopefully combatting some FPs.


Aha -- like the IPNOTINMX test.  That's a good idea.

The tricky part is figuring out exactly what makes a match -- it's easy if 
the HELO is example.com and the PTR is mail.example.com.  But, it gets 
a bit more confusing if the HELO is host.example.co.uk and the PTR is 
host2.example.co.uk.  Perhaps two separate tests, so that if they match 
exactly, you could subtract X points from the weight, and if they match 
partially (such as the host/host scenario), you could subtract Y points.
  -Scott
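
Added example (not part of the list posts and not Declude's code): a Python sketch of the two ideas discussed in this thread, a loosened HELO check that lets any syntactically publishable FQDN pass while still flagging unqualified names, illegal characters and IP addresses, and a HELO/PTR comparison that separates exact from partial matches. The function names, the credit values standing in for X and Y, and the four-entry suffix table are assumptions; a real test would use the full Public Suffix List.

```python
import ipaddress
import re

# Assumption: a constructed, deliberately tiny table of multi-label public
# suffixes. Without it, mail.foo.co.uk and mail.bar.co.uk would look related.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}

# One DNS label: letters, digits, inner hyphens, at most 63 characters.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def classify_helo(helo):
    """Classify a HELO/EHLO argument as 'ip', 'unqualified', 'illegal' or 'fqdn'."""
    name = helo.strip().rstrip(".")
    if not name:
        return "illegal"
    # Address literals arrive as [192.0.2.25], [IPv6:...] or a bare address.
    literal = name[1:-1] if name.startswith("[") and name.endswith("]") else name
    if literal.lower().startswith("ipv6:"):
        literal = literal[5:]
    try:
        ipaddress.ip_address(literal)
        return "ip"
    except ValueError:
        pass
    labels = name.split(".")
    if len(labels) < 2:
        return "unqualified"      # e.g. server_name with no domain part
    if not all(LABEL_RE.match(label) for label in labels) or labels[-1].isdigit():
        return "illegal"
    return "fqdn"                 # publishable in DNS, whether or not it resolves


def registrable_domain(host):
    """Return the organisational domain: example.com or example.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def helo_ptr_match(helo, ptr):
    """Compare HELO with the PTR name: 'exact', 'partial' or 'none'."""
    if classify_helo(helo) != "fqdn" or classify_helo(ptr) != "fqdn":
        return "none"
    h = helo.strip().lower().rstrip(".")
    p = ptr.strip().lower().rstrip(".")
    if h == p:
        return "exact"
    if registrable_domain(h) == registrable_domain(p):
        return "partial"          # same organisation, different host name
    return "none"


def helo_ptr_adjustment(helo, ptr, exact_credit=3, partial_credit=1):
    """Weight change for a negative test: a credit on match, never a penalty.

    exact_credit and partial_credit stand in for the X and Y points in the
    post above; the default values are constructed for illustration.
    """
    credits = {"exact": -exact_credit, "partial": -partial_credit, "none": 0}
    return credits[helo_ptr_match(helo, ptr)]


if __name__ == "__main__":
    # Constructed sample pairs of (HELO, PTR).
    samples = [
        ("server_name", "web1.example.com"),
        ("192.0.2.25", "web1.example.com"),
        ("example.com", "mail.example.com"),
        ("host.example.co.uk", "host2.example.co.uk"),
        ("mail.foo.co.uk", "mail.bar.co.uk"),
        ("mail.example.com", "mail.example.com"),
    ]
    for helo, ptr in samples:
        print(helo, ptr, classify_helo(helo), helo_ptr_match(helo, ptr),
              helo_ptr_adjustment(helo, ptr))
```

A non-matching pair returns 0 rather than a penalty, which keeps this a reward-only test in the style of IPNOTINMX as proposed in the thread.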



[Declude.JunkMail] free or popular domains

2003-01-07 Thread John Tolmachoff
Any one have a fairly up to date list?

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA  92835
www.reliancesoft.com






Re: [Declude.JunkMail] osirusoft down?

2003-01-07 Thread R. Scott Perry


Is anyone having problems using relays.osirusoft.com and relays.ordb.org?
Should I comment these out in the global.cfg file to avoid excessive
timeouts?


It's a temporary problem due to the Santa Monica Winds in California, 
which are apparently blowing cars from one lane on highways to another.
-Scott



RE: [Declude.JunkMail] free or popular domains

2003-01-07 Thread Markus Gufler
We've setup the following domains:

@yahoo.com
@yahoo.co.uk
hotmail.com
msn.com
email.com
aol.com
@mail.com
lycos.com
lycos.co.uk
@usa.net
earthling.net
xx.com

I think Len Conrad should have a lot more of them:
He wrote today on the Imail-list:
One of the ways IMGate stops spam is, for 3500 domains that are
frequently forged,...


Markus




 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED]] On Behalf Of John 
 Tolmachoff
 Sent: Tuesday, January 07, 2003 11:38 PM
 To: [EMAIL PROTECTED]
 Subject: [Declude.JunkMail] free or popular domains
 
 
 Any one have a fairly up to date list?
 
 John Tolmachoff MCSE, CSSA
 IT Manager, Network Engineer
 RelianceSoft, Inc.
 Fullerton, CA  92835
 www.reliancesoft.com
 
 
 



RE: [Declude.JunkMail] free or popular domains

2003-01-07 Thread John Tolmachoff
 earthling.net

I am sure that is earthlink.net, correct? Of course, some people claim they
are aliens. :))

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA  92835
www.reliancesoft.com






DSN:Re: [Declude.JunkMail] osirusoft down?

2003-01-07 Thread Brian Milburn


That's Santa _Ana_ winds Scott ;-)

It has been in the 80's here in So Cal. and the winds have knocked out our
electricity twice for a total of about 8 hours, and our backup copper T1 once.
Our big fiber line and batteries have kept us up and running. This morning I
woke up and when I turned on the lights they were all dim. I checked and we
had 60 volts! Things were beeping all over the house. Dang APC UPS's don't
have a bell off button. I guess the electricity was off for 3 hours or so,
and when the power came back up it was a few volts short. I have never seen
anything like this before, especially in January.

Brian
 
On 01/07/03 5:56pm you wrote...

Is anyone having problems using relays.osirusoft.com and relays.ordb.org?
Should I comment these out in the global.cfg file to avoid excessive
timeouts?

It's a temporary problem due to the Santa Monica Winds in California, 
which are apparently blowing cars from one lane on highways to another.
 -Scott

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.
://www.mail-archive.com.
ve.com.
---
[This E-mail scanned for viruses by Solid Oak Software]






Re[2]: [Declude.JunkMail] Feature requests: LOOSEN HELOBOGUS ON/OFF, REVNOTHELO

2003-01-07 Thread Sanford Whiteman
 It's also important to realize the purpose of the HELOBOGUS test. It
 isn't  designed  primarily  to catch spammers. It's designed to help
 detect poorly administered mailservers -- ones that are likely to be
 abused  by spammers.

True,   but   if  you're  using  HELOBOGUS  for  anything  other  than
advertising to your clients' clients--which Declude is definitely good
for  :)--you're  giving  it  a weight, so you are using it not only as
community outreach, but as a spam test.

 And those Fortune 500 companies that have their mailserver advertise
 itself  with  a  name  other  than what it really is, well, they are
 running mailservers that are poorly administered.

I  have  zero  respect for people who think they're too big to change:
CitiGroup  actually has a stated policy that they do not make changes
for  outside  companies  or  suchlike, which they use to avoid fixing
problems   they   don't   really   understand.   But   we  can't  have
zero-tolerance  for HELOBOGUS in practical terms, since we risk losing
clients by losing their clients, and the more hoops it takes to get to
an  IT  group,  the  more  annoyed everyone becomes (even if their own
bureaucracy is at fault).

 But  if  you  don't  penalize  them,  they  will definitely continue
 bending the rules too far, which helps increase spam.

Yes,  something  must  actually break, even if it just means that they
consistently trip the weekly ALERT threshold. But again, speaking from
a   combo   of   experience  and  my  own  grudges,  a  dead  HELO  of
'www03.example.com' is a lot less likely to get fixed than a dead HELO
of  just  'mail.'  Even  the  stupid  mail  admin can see and fix some
problems  with  the  latter,  while  the  former  will  likely involve
contacting  the much-feared DNS group, blah blah blah. And when people
do  ask us how to fix pass a looser test, we will of course continue
to  say  that  a  published  FQHN  is  required,  still  spreading the
tighter word to those admins.

We're  pretty  strict on our own. SPAManager, for example, was not our
idea.  But  clients  dictate  varying  tolerances.  Something that has
surprised  me  is  how  likely  difficult  internal  users are to have
irascible,   irrational   external  contacts/friends--self-evident,  I
suppose,  but  the  parity  is  just uncanny sometimes! At any rate, a
looser  HELOBOGUS option (maybe a separate test completely, now that I
think  about  it, to enable varying weights) would make HELOBOGUS less
of a liability for us.

But  I  WOULD  use  a  negative  test  in  the  style  of IPNOTINMX,
rewarding  a site slightly for having the ability, experience, and
control to match the two and hopefully combatting some FPs.

 Aha -- like the IPNOTINMX test.  That's a good idea.

Glad  you  agree  there!  I  think  the  two  tests  (exact  match and
parent/grandparent domain match) would be perfect.

-Sandy
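
The two match tiers discussed above (exact, and parent/grandparent domain), shown next to a strict HELOBOGUS check, as an added sketch that is not part of the original message and is not Declude's code. The weights, the `RESOLVABLE` table standing in for DNS, the function names and all hostnames are assumptions constructed for illustration.

```python
# Added sketch: hypothetical names and weights; not Declude's implementation.
# Constructed stand-in for DNS: names that have an A or MX record.
RESOLVABLE = {"mail.example.com", "example.com", "mx1.example.net"}
# Constructed weights: positive = more spam-like, negative = small reward.
WEIGHTS = {"HELOBOGUS": 5, "exact": -3, "parent": -2, "grandparent": -1}

def labels(name):
    """Lower-case a hostname, drop a trailing dot, split into labels."""
    return [l for l in name.strip().lower().rstrip(".").split(".") if l]

def helo_bogus(helo, resolvable=RESOLVABLE):
    """Strict check: the HELO name has no MX/A record of its own."""
    return ".".join(labels(helo)) not in resolvable

def rev_helo_match(helo, ptr, min_shared=2):
    """Compare the HELO name with the connecting IP's reverse-DNS name.

    Returns 'exact', 'parent', 'grandparent' or None. min_shared=2 stops
    two hosts matching on a bare TLD; suffixes such as co.uk would need a
    public-suffix list, which this sketch does not carry.
    """
    h, p = labels(helo), labels(ptr)
    if not h or not p:
        return None
    if h == p:
        return "exact"
    shared = 0
    for a, b in zip(reversed(h), reversed(p)):
        if a != b:
            break
        shared += 1
    if shared < min_shared:
        return None
    depth = max(len(h), len(p)) - shared
    return {1: "parent", 2: "grandparent"}.get(depth)

def score(helo, ptr):
    """Combine the penalty and the reward into one weight plus the hits."""
    hits = ["HELOBOGUS"] if helo_bogus(helo) else []
    tier = rev_helo_match(helo, ptr)
    if tier:
        hits.append(tier)
    return sum(WEIGHTS[h] for h in hits), hits
```

With these constructed weights, a dead HELO of `www03.example.com` behind a PTR of `mail.example.com` still scores, but lower than a bare `mail`, which earns no reward at all.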




[Declude.JunkMail] osirusoft down?

2003-01-07 Thread Karl Hentschel
Is anyone having problems using relays.osirusoft.com and relays.ordb.org?
Should I comment these out in the global.cfg file to avoid excessive
timeouts?




RE: Re: [Declude.JunkMail] osirusoft down?

2003-01-07 Thread John Tolmachoff
 That's Santa _Ana_ winds Scott ;-)

Brian, you got it easy up there in Santa Barbara. Try being in the San
Gabriel Valley where I live. Remember the 2 big fires we had a number of
months ago? All that ash is in the air and in eyes and lungs and everywhere.
The area around them looks like a big black cloud.

My eyes have been constantly watering for the last 2 days.

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA  92835
www.reliancesoft.com






RE: [Declude.JunkMail] free or popular domains

2003-01-07 Thread Colbeck, Andrew
My list would be the same as previously cited, and yes, earthling.net is not
a typo.

All of these would make it to my list as the top faked from: domains.  But
of the ones that I've seen make it through to the spamtraps, none.  Which is
why I haven't implemented a small negative weight for these domains; the
spam that pretends to come from these domains is always overwhelmingly
spammy and is caught anyway.

What would be useful is a rigorous test for these domains that can tell the
difference between a bogus MSN.com (or whatever) and the real one.  If it's
definitely bogus, then I could set the action to DELETE instead of getting a
HOLD from the high weight.  That would take a big bite out of the messages I
have to wade through with the excellent SpamReview app.

(gazing at navel...)

I could probably get there anyway by giving these domains a negative weight
and creating a DELETE action at a high enough WEIGHT.  Ah well.  The volume
caught (average of 700 a day) hasn't yet exceeded our ability to deal with
the HOLD messages.

Andrew 8)

-Original Message-
From: John Tolmachoff [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, January 07, 2003 3:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] free or popular domains


 earthling.net

I am sure that is earthlink.net, correct? Of course, some people claim they
are aliens. :))

John Tolmachoff MCSE, CSSA



[Declude.JunkMail] A line in one of my filter text files didn't fire

2003-01-07 Thread Colbeck, Andrew
Is there a gotcha in filter text files when the message is in HTML format?

The following line works if I send myself a message from HotMail, but didn't
on an actual piece of spam I just received, whose relevant bit of text I'll
reproduce here with an underscore inserted to get around my own filter:

#Dec-02-2002 AC Very common in Chinese hosted spamvertisement unsubscribe footers
BODY 0 CONTAINS btamail.net.cn

And the verbatim snippet:

<FONT
face=verdana color=#80 size=3><STRONG>Unsubscribe
at:&nbsp;&nbsp;[EMAIL PROTECTED]</STRONG></FONT>
**</BODY></HTML>

If it makes any difference, the header defines the e-mail format as:

MIME-Version: 1.0
Content-Type: text/html;
    charset=iso-8859-1

I have already checked the Declude log (MED) to make sure there was no error
reported in accessing the filter text file... No problem reported.

Andrew 8)



Re: [Declude.JunkMail] A line in one of my filter text files didn't fire

2003-01-07 Thread R. Scott Perry


Is there a gotcha in filter text files when the message is in HTML format?


No (unless the spammer uses comments to break up text that would otherwise 
be filtered).

<FONT
face=verdana color=#80 size=3><STRONG>Unsubscribe
at:&nbsp;&nbsp;[EMAIL PROTECTED]</STRONG></FONT>
**</BODY></HTML>


If you add a line BODY 0 CONTAINS bta_mail.net.cn, it should work.
   -Scott




RE: [Declude.JunkMail] A line in one of my filter text files didn't fire

2003-01-07 Thread Colbeck, Andrew
(sigh) Keyboard virus... I should have had an underscore in *both* of the
entries.  To recap I'll reproduce here with an underscore inserted to get
around my own filter:

#Dec-02-2002 AC Very common in Chinese hosted spamvertisement
# unsubscribe footers
BODY 0 CONTAINS bta_mail.net.cn

And the verbatim spam snippet with an underscore inserted:

<FONT
face=verdana color=#80 size=3><STRONG>Unsubscribe
at:&nbsp;&nbsp;[EMAIL PROTECTED]</STRONG></FONT>
**</BODY></HTML>

And the symptom was that this line in my filter text didn't fire on an
actual spam but did fire on a follow-up test (and my message to this list
when I neglected to insert *both* underscores).

Andrew 8)



RE: [Declude.JunkMail] A line in one of my filter text files didn't fire

2003-01-07 Thread R. Scott Perry


BODY 0 CONTAINS bta_mail.net.cn

<FONT
face=verdana color=#80 size=3><STRONG>Unsubscribe
at:&nbsp;&nbsp;[EMAIL PROTECTED]</STRONG></FONT>
**</BODY></HTML>


That should get caught.  Does the BODY 0 CONTAINS bta_mail.net.cn line 
contain any spaces/tabs at the end of it?  Could the E-mail that was caught 
have been sent using base64 encoding perhaps?
 -Scott
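
An added example, not from the thread and not Declude's matcher: the three conditions raised in Scott's replies (HTML comments splitting a string, base64 transfer encoding, trailing whitespace in the rule) checked against a verbatim substring match and against a match on decoded, comment-stripped text. The domain, the messages and the function names are constructed for illustration.

```python
import base64
import html
import re
from email import message_from_string

NEEDLE = "unsub.example.invalid"   # constructed stand-in for the filtered domain

def _mime(body, cte="7bit"):
    """Build a constructed single-part text/html message."""
    return ("MIME-Version: 1.0\n"
            "Content-Type: text/html; charset=iso-8859-1\n"
            f"Content-Transfer-Encoding: {cte}\n\n{body}\n")

HTML = "<FONT size=3><STRONG>Unsubscribe at:&nbsp;x@%s</STRONG></FONT>"
PLAIN = _mime(HTML % NEEDLE)
COMMENTED = _mime(HTML % "unsub.exa<!-- zz -->mple.invalid")
B64 = _mime(base64.encodebytes((HTML % NEEDLE).encode("latin-1")).decode("ascii"),
            "base64")

def raw_contains(raw, rule_text):
    """Substring match on the message as received, rule text used verbatim."""
    return rule_text.lower() in raw.lower()

def normalised_text(raw):
    """Decode each text part, drop HTML comments and tags, unescape entities."""
    out = []
    for part in message_from_string(raw).walk():
        if part.get_content_maintype() != "text":
            continue
        data = part.get_payload(decode=True) or b""
        try:
            text = data.decode(part.get_content_charset() or "latin-1", "replace")
        except LookupError:          # unknown charset label in the header
            text = data.decode("latin-1")
        text = re.sub(r"<!--.*?-->", "", text, flags=re.S)  # comments as splitters
        text = re.sub(r"<[^>]+>", " ", text)                 # remaining tags
        out.append(html.unescape(text))
    return "\n".join(out).lower()

def normalised_contains(raw, rule_text):
    """Same rule, trailing whitespace trimmed, matched on the decoded text."""
    return rule_text.strip().lower() in normalised_text(raw)
```

Comments are removed before tags and replaced with nothing, so a string split by a comment is rejoined before the match runs.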



RE: [Declude.JunkMail] A line in one of my filter text files didn't fire

2003-01-07 Thread Colbeck, Andrew
Except for the underscore I inserted, both snippets are verbatim.  No
trailing spaces or hidden control characters.  The message was not in
Base-64.  I just checked my Declude log for today and it did fire off on 7
other messages today.

I'll include the whole spam message in an attachment here.

Andrew 8)

-Original Message-
From: R. Scott Perry [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, January 07, 2003 6:05 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] A line in one of my filter text files didn't fire



BODY 0 CONTAINS bta_mail.net.cn

<FONT
face=verdana color=#80 size=3><STRONG>Unsubscribe
at:&nbsp;&nbsp;[EMAIL PROTECTED]</STRONG></FONT>
**</BODY></HTML>

That should get caught.  Does the BODY 0 CONTAINS bta_mail.net.cn line 
contain any spaces/tabs at the end of it?  Could the E-mail that was caught 
have been sent using base64 encoding perhaps?
  -Scott




SpamSample.zip
Description: Binary data


RE: [Declude.JunkMail] free or popular domains

2003-01-07 Thread Tom

 Any one have a fairly up to date list?

I have a list of servers that are considered ISPs, Mail Services 
and services that may be significant.  Let me know off the list
if this is what you are looking for.

Regards,
Tom
Image`fx




RE: [Declude.JunkMail] OT a bit..spam databases

2003-01-07 Thread John Tolmachoff
I use the Spam Database Lookup tool on Scott's www.dnsstuff.com.


John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA  92835
www.reliancesoft.com


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED]] On Behalf Of Sharyn Schmidt
 Sent: Tuesday, January 07, 2003 6:51 AM
 To: Declude Junkmail List
 Subject: [Declude.JunkMail] OT a bit..spam databases
 
 Hi,
 
 I'm trying to see if a certain IP address is listed in any of the
 Orbz-like spam databases.
 
 What, in everyone's opinion, is the most common one used?
 
 TIA
 Sharyn
 
 
 
 We are the worldwide producer and marketer of the award winning Cruzan
 Single Barrel Rum, judged Best in the World at the annual
 San Francisco Wine and Spirits Championships. For
 more information, please click (go to) http://www.cruzanrums.com




RE: [Declude.JunkMail] Overflow directory

2003-01-07 Thread Markus Gufler

 What would be nice, though, 
 is if IMail had a way of listing all the SMTP processes in 
 memory and what 
 they were working on, and allowed you to stop them.

Can we place another wish list, even if Christmas just passed?
;-)

 In this case, you could move some of the Q*.SMD files to a temporary 
 directory, and perhaps wait 8 hours or so and then move them 
 back to the spool directory.  

Ok, done. The situation is now back to normal.

Our users haven't set (until now) any outgoing msgs size limit. So there
are a lot of msgs where the remote mailserver after some mb's of
transferred data terminates the transmission. The retransmission of these
msgs uses a lot of bandwidth so also other large mails for recipients
able to receive them cannot be delivered because the remote mailserver
terminates the transmission after 1-2 hours of very slow transmission.

I've now 2 questions. I think it's better to place them in the imail
list...

Thanks
Markus







Re[2]: [Declude.JunkMail] BADHEADERS Code a400010b -- not at/tools/header?

2003-01-07 Thread R. Scott Perry


Thanks--I  would've  caught  it  if I'd had the original e-mail, but I
just had the alert. Is it indeed not at /tools/badheaders?


No, it isn't -- the problem is that there were some other flags in there 
that were causing the lookup tool to fail.
-Scott



Re: [Declude.JunkMail] Service Introduced To Help Legitimate Bulk Mailers Evade Spam Filters

2003-01-07 Thread Sanford Whiteman
Horrifying  doublespeak:  they  agree  that  spamtraps  are  foolproof
evidence  of  harvesting,  and  yet  they  may  somehow be found in an
otherwise  verifiable opt-in list? I'm sure their verification process
is really in-depth.

Anyone  thought about how much they could have made by getting $5-15MM
in  VC  a  couple of years ago just to set up spam cannons? God, we're
lucky that kind of go-getting isn't feasible right now.

-Sandy
