RE: [Declude.JunkMail] DNS server returned server failure for
> I have suffered from this also, so much so that I have even explored the use of SimpleDNS without success thinking that this was an external DNS problem. I was hoping that by bringing the DNS (as a DNS cache) locally to the mail server did in fact reduce the frequency of this error, unfortunately it did not solve the occurrence of this error.

Just to clarify why this is happening. When Declude JunkMail is looking up the MX or A record for a hostname (such as for the HELOBOGUS test, or checking the domain of the return address), it will record this message if the local DNS server reports a server failure message.

Technically, this message indicates a problem with the local DNS server. However, it seems that the RFCs do not cover what a caching DNS server is supposed to do if it receives a server failure message from a remote DNS server. When this happens, some DNS servers will pass on the server failure message.

Declude JunkMail treats the server failure as a temporary error, and makes the assumption that the E-mail is not spam. If that was changed, more spam could get caught (as a server failure almost always indicates that the DNS record doesn't exist). But, if there was a real server failure on the local DNS server (if the Internet connection went out, for example, or if there was a DDoS attack on the root servers), then all E-mail would fail the spam tests.

-Scott

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] DNS server returned server failure for
I see server failures on a bunch of obviously fake hostnames:

WARNING: DNS server 216.12.134.208 returned a SERVER FAILURE error for MX or A for Me.
WARNING: DNS server 216.12.134.208 returned a SERVER FAILURE error for MX or A for host3.
WARNING: DNS server 216.12.134.208 returned a SERVER FAILURE error for MX or A for mailer1.
WARNING: DNS server 216.12.134.208 returned a SERVER FAILURE error for MX or A for jinge.

...Anything we can do to add a weight to these? We do also see server failures on some hostnames that do have an A record, so I see the dilemma. But it would be nice to at least add a weighting to the obvious fakes.

Bill
Re: [Declude.JunkMail] DNS server returned server failure for
> I see server failures on a bunch of obviously fake hostnames:
>
> WARNING: DNS server 216.12.134.208 returned a SERVER FAILURE error for MX or A for Me.
> WARNING: DNS server 216.12.134.208 returned a SERVER FAILURE error for MX or A for host3.
> WARNING: DNS server 216.12.134.208 returned a SERVER FAILURE error for MX or A for mailer1.
> WARNING: DNS server 216.12.134.208 returned a SERVER FAILURE error for MX or A for jinge.
>
> ...Anything we can do to add a weight to these? We do also see server failures on some hostnames that do have an A record, so I see the dilemma. But it would be nice to at least add a weighting to the obvious fakes.

That's definitely a problem with the DNS server -- the server failure indicates a problem with the nameserver. For hosts that are not fully qualified (such as Me), the DNS server should be reporting that the host does not exist.

In fact, it's possible for Me to have an MX record someday (unlikely, as there would need to be a country that used the .me ccTLD, and it would need to be set up to accept mail, but it could happen), so your DNS server technically should be contacting the root servers for these. Although it is understandable that your DNS server does not look them up (the root servers get overwhelmed by these bogus lookups, whether caused by a spammer, or someone typing www.microsoft.cmo into their web browser), it should not be returning a server failure message.

For the non-fully-qualified host names, we might be able to automatically check for that, which would get around this problem.

-Scott
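Added example (not part of the thread and not Declude's code): one way to triage the SERVER FAILURE warnings quoted above, separating single-label names, which can be scored without trusting the DNS answer, from fully qualified names, where a server failure stays a temporary error. The function names, the weights and the `mail.example.com` log line are assumptions made for illustration.

```python
import re

# Warning format as quoted in the thread.
WARNING_RE = re.compile(
    r"WARNING: DNS server (?P<server>\S+) returned a SERVER FAILURE error "
    r"for MX or A for (?P<host>\S+)"
)

# Hypothetical weights for illustration; these are not Declude settings.
WEIGHTS = {"unqualified": 5, "nonexistent": 5, "tempfail": 0, "ok": 0}

# First three lines are copied from the thread; the last one is constructed.
SAMPLE_LOG = """\
WARNING: DNS server 216.12.134.208 returned a SERVER FAILURE error for MX or A for Me.
WARNING: DNS server 216.12.134.208 returned a SERVER FAILURE error for MX or A for host3.
WARNING: DNS server 216.12.134.208 returned a SERVER FAILURE error for MX or A for mailer1.
WARNING: DNS server 216.12.134.208 returned a SERVER FAILURE error for MX or A for mail.example.com.
"""


def parse_servfail_warnings(log_text):
    """Return a list of (dns_server, hostname) for each warning found."""
    hits = []
    for m in WARNING_RE.finditer(log_text):
        host = m.group("host")
        # Each log sentence ends with a period; it is not part of the name.
        if host.endswith("."):
            host = host[:-1]
        hits.append((m.group("server"), host))
    return hits


def is_fully_qualified(host):
    """True when the name has at least two non-empty labels."""
    labels = host.split(".")
    return len(labels) >= 2 and all(labels)


def classify_lookup(host, rcode):
    """Classify one MX/A lookup result.

    A single-label name is flagged whatever the resolver said, so a
    resolver that answers SERVFAIL instead of NXDOMAIN for such names
    no longer hides them. For a fully qualified name SERVFAIL remains
    a temporary error, because it may be a real resolver outage.
    """
    if not is_fully_qualified(host):
        return "unqualified"
    if rcode == "NXDOMAIN":
        return "nonexistent"
    if rcode == "SERVFAIL":
        return "tempfail"
    return "ok"


def weight_for(host, rcode):
    """Weight to add to the message for this lookup result."""
    return WEIGHTS[classify_lookup(host, rcode)]


def triage(log_text):
    """Group the hosts named in SERVER FAILURE warnings by verdict."""
    buckets = {"unqualified": [], "tempfail": []}
    for _server, host in parse_servfail_warnings(log_text):
        verdict = classify_lookup(host, "SERVFAIL")
        if host not in buckets[verdict]:
            buckets[verdict].append(host)
    return buckets


if __name__ == "__main__":
    for verdict, hosts in triage(SAMPLE_LOG).items():
        print(verdict, hosts)
```

A single-label name can still be a real top-level domain, as the reply above notes, so the example adds a weight rather than rejecting outright.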
[Declude.JunkMail] JunkMail Kill List
Anybody have any experience of using the Kill List at imagefxonline.net to delete junkmail?

I'm using the excellent SpamReview app from slsoft.com but it's taking up more and more of my time to go through the spam looking for the occasional false positive (especially on a Monday morning!!). I thought that if I could just delete 'known' spam then it would make the whole process quicker and less taxing for me.

Thanks.

Mark Scott
IT Manager
CSC (UK) Ltd
[Declude.JunkMail] HOWTO use the X-RBL-Warning: Possible ADULT Content
Hi guys,

Anybody know how to use the X-RBL-Warning: Possible ADULT Content undocumented feature? Is there a manpage for it (even un-official)?

Thanks in advance,
Adrian

--
Regards,
Adrian Titei
Director of IT
Jumbo Entertainment Inc.
p: 905-634-4244 x 232
f: 905-632-2964
e: [EMAIL PROTECTED]
[Declude.JunkMail] MSN
Hi,

MSN is not accepting email from my mail server, here is what the log file entries look like:

20030312 001347 127.0.0.1 SMTP (259) Trying msn.com (0)
20030312 001347 127.0.0.1 SMTP (259) Connect msn.com [207.46.181.13:25] (1)
20030312 001347 127.0.0.1 SMTP (259)
20030312 001347 127.0.0.1 SMTP (259) SMTP_DELIV_FAILED
20030312 001347 127.0.0.1 SMTP (259) QUIT
20030312 001347 127.0.0.1 SMTP (259)

Could this be I have been listed as a spammer (though I'm not)? How do I find out?

Any other thoughts, or suggestions?

Thanks,
Andy
RE: [Declude.JunkMail] JunkMail Kill List
Hi;

We use Tom's list on an auto update using a script, updating our list twice a day with his list. It is a great list but we do not delete with that list. We simply have a hold weight for it and review the emails prior to deleting them. At times we have noticed that some newsletters are blocked by that list since some of these newsletter broadcasters also send for some spammers...

I think it is a definite plus to use it, at least as a weight list if not more severe action.

We also have a large number of files that you may wish to use if you want. We have several filter files that are used for URL's, phone, text, IP's, and a blacklist as well as blacklists found in the header as well as blacklists found in the body. We update that list twice a day.

Let me know off list and I can gladly point you to where you can download it...

Regards,
Kami
Re: [Declude.JunkMail] MSN
MSN has been having mail troubles for about two weeks. Several of our users have complained. One contacted MSN, and they told her to have us call them. We did, and MSN said they had done some sort of maintenance procedure on their mail system, and something broke. At that point in time they expected to have the fix done within 48 hours. Well, mail started going through again within about 12 hours, but it didn't last for long.

Interesting side note: I had occasion to make a tech call to Microsoft yesterday. Mail from their techie handling my case arrived about three hours late. He needed to send me a little test utility, and it didn't come through at all on his @microsoft.com address. He sent it through @hotmail.com and it did arrive. Several other messages from him arrived AFTER we had finished the case.

Glenn Z.
Re: [Declude.JunkMail] MSN
Thanks,

That's very helpful, it was only happening to MSN email.

andy
Re: [Declude.JunkMail] HOWTO use the X-RBL-Warning: Possible ADULT Content
> Anybody know how to use the X-RBL-Warning: Possible ADULT Content undocumented feature? Is there a manpage for it (even un-official)?

There used to be an undocumented adult test in Declude JunkMail, but it was removed because it was taking too much support time to deal with. However, SpamManager ( http://www.spammanager.com ) has a major emphasis on detecting adult E-mail.

-Scott
[Declude.JunkMail] HELO contains
Question..

I see more and more spam coming in where the sender's MTA is claiming to be the localhost.

As for example one of my servers is called imail.fament.com

Latest spam that slipped through had following header

Received: from imail.fament.com [66.81.201.98] by imail.fament.com (SMTPD32-7.13) id A7F38560150; Wed, 12 Mar 2003 16:42:59 -0600

Note that 66.81.201.98 is the spammer's IP and does NOT belong to me.

SOO.. My question is this.. Could I create a wordfilter rule that goes like

HELO 10 CONTAINS imail.fament.com

or will that shoot myself in the foot for some reason?

If it really is the HELO string then I don't see this as a problem since my understanding is that my mail server does NOT connect to itself and should then never send the helo imail.fament.com to itself?!

Best regards,
Eje Gustafsson
mailto:[EMAIL PROTECTED]
---
The Family Entertainment Network http://www.fament.com
Phone : 620-231-
Fax : 620-231-4066
eBay UserID : macahan
- Your Full Time Professionals -
Re: [Declude.JunkMail] HELO contains
> SOO.. My question is this.. Could I create a wordfilter rule that goes like
>
> HELO 10 CONTAINS imail.fament.com
>
> or will that shoot myself in the foot for some reason?

That will work fine, just so long as you don't have any other mailservers that identify themselves as imail.fament.com. If your IMail server is the only one that does, the filter will work fine.

> If it really is the HELO string then I don't see this as a problem since my understanding is that my mail server does NOT connect to itself and should then never send the helo imail.fament.com to itself?!

Correct. There might be odd cases where the IMail server would connect to itself, but if that happens, you've got another problem on your hands (as it would cause a mail loop).

-Scott
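Added example (not part of the thread, and not how Declude or IMail implement the filter): the check behind the `HELO ... CONTAINS` rule discussed above, written out so the caveat about other servers sharing the name is explicit. It parses the IMail-style `Received:` line quoted in the question and flags a HELO that claims the local server's name from an address outside the operator's own networks. The `own_networks` values and the second and third headers are constructed for the example.

```python
import ipaddress
import re

# IMail-style header as quoted in the thread:
#   Received: from <HELO name> [<peer IP>] by <local name> (SMTPD32-x.y) id ...
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\[(?P<ip>[0-9A-Fa-f.:]+)\]"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_received(header):
    """Return (helo_name, peer_ip, receiving_host), or None if unparseable."""
    m = RECEIVED_RE.match(header.strip())
    if m is None:
        return None
    try:
        peer = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return None
    helo = m.group("helo").lower().rstrip(".")
    by = m.group("by").lower().rstrip(".")
    return helo, peer, by


def helo_forges_local_name(header, own_names, own_networks):
    """True when the peer announced one of our names from a foreign address.

    own_names    -- names our own servers use in HELO (lower case)
    own_networks -- networks our servers really send from; peers inside
                    them are exempt, which covers a second server that
                    legitimately identifies itself with the same name
    """
    parsed = parse_received(header)
    if parsed is None:
        return False
    helo, peer, _by = parsed
    if helo not in own_names:
        return False
    return not any(peer in net for net in own_networks)


OWN_NAMES = {"imail.fament.com"}
# Constructed: the thread does not give the server's real address range.
OWN_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# Header copied from the thread.
FORGED = ("Received: from imail.fament.com [66.81.201.98] by imail.fament.com "
          "(SMTPD32-7.13) id A7F38560150; Wed, 12 Mar 2003 16:42:59 -0600")
# Constructed: same HELO name, but from inside our own network.
SIBLING = ("Received: from imail.fament.com [192.0.2.10] by imail.fament.com "
           "(SMTPD32-7.13) id B000000000A; Wed, 12 Mar 2003 16:50:00 -0600")
# Constructed: unrelated sender with its own HELO name.
OTHER = ("Received: from mail.example.org [198.51.100.7] by imail.fament.com "
         "(SMTPD32-7.13) id C000000000B; Wed, 12 Mar 2003 16:55:00 -0600")

if __name__ == "__main__":
    for hdr in (FORGED, SIBLING, OTHER):
        print(helo_forges_local_name(hdr, OWN_NAMES, OWN_NETWORKS), hdr[:60])
```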
Re: [Declude.JunkMail] Bounce Action and IMail Server Relay
Hi, John,

Or anyone else for that matter. Can someone help fill in some blanks about how we would use our IMail Server as a Gateway to Store and Forward as described below?

I did search the IMail KB as John suggested and found this...

How to use IMail as SMTP Gateway for another e-mail server
http://support.ipswitch.com/kb/IM-19980116-DM01.htm

From what I can tell you want to do the following...

1) Point the MX record of the domain name in question, e.g. ACME.COM, to the IP Address of our IMail Server.
2) Using the steps described in the above link edit the hosts file to point the domain name ACME.COM to the IP Address of the Destination Mail Server.

Which all seems very simple.

How does IMail know to accept incoming SMTP Mail for a domain name that is not defined in its internal database? We use SMTP Authentication for POP3 customers who want to route their outgoing SMTP Mail through us. Does that prevent this Store and Forward scenario from happening?

Any feedback for the above or further tips for doing this as described in the below e-mail are welcome.

Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED]

----- Original Message -----
From: John Tolmachoff [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, February 28, 2003 4:28 PM
Subject: RE: [Declude.JunkMail] Bounce Action and IMail Server Relay

> > Currently we are planning on offering Spam Filtering (once we finish testing) to our current e-mail hosting customers, i.e. those hosted on our IMail server. We also have a few customers who don't host e-mail with us but would probably be interested in spam filtering if we had it available. For those who don't host with us we were thinking we could let them relay their e-mail through our system, filter out their spam, and then send it on the way.
> >
> > I know this question might be better posted to the IMail Server discussion list but I thought I would try here first. Can IMail Server be configured to act as a relay in this manner? I don't have tons of experience with IMail (only enough to be dangerous), so forgive me if that's a silly question. If IMail can be configured as a relay for Incoming Mail as I described, do you know where in the IMail interface I might configure it, or perhaps a piece of documentation that would outline this setup?
>
> This is and can be done quite easily, and I am doing that here. Search the Imail KB for Store and Forward and Gateway. Also search the Declude Junkmail Archives. I can give you a detailed how to but I am swamped right now. If some one else can explain it...
>
> John Tolmachoff MCSE, CSSA
> IT Manager, Network Engineer
> RelianceSoft, Inc.
> Fullerton, CA 92835
> www.reliancesoft.com
Re[2]: [Declude.JunkMail] HELO contains
Alright. Great. No, the other mailserver identifies itself as backup.fament.com which I don't have Declude on.

On the other hand there. My backup mx server only forwards mail. Do I have to get the Pro version of Declude or would Standard be enough? I did throw out Webshield because it records the headers so badly that so much junkmail came in that direction.

/ Eje
Re[2]: [Declude.JunkMail] HELO contains
> Alright. Great. No, the other mailserver identifies itself as backup.fament.com which I don't have Declude on.
>
> On the other hand there. My backup mx server only forwards mail. Do I have to get the Pro version of Declude or would Standard be enough?

The Standard version will work fine in this case.

-Scott
[Declude.JunkMail] How did this Spammer get through?
I've got several held emails from a spammer trying to use our system for relay. I've got the box locked down to only accept relay from authenticated users, but somehow this guy got through. Luckily, I've got hijack on the box, which has blocked all of his emails.

Here's an example of the email he's trying to relay through:

Received: from 208.253.112.160 [169.207.38.237] by richmond.com (SMTPD32-7.07) id A450F9200BE; Wed, 12 Mar 2003 18:35:44 -0500
Received: from 0e.ygr0.net ([143.95.123.108]) by 208.253.112.160 with SMTP; Wed, 12 Mar 2003 22:30:43 -0100
Message-ID: [EMAIL PROTECTED]
From: Mervin Crow [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: re: Increase Your Gas Mileage by up to 27% ohvs eex
Date: Wed, 12 Mar 03 22:30:43 GMT
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: The Bat! (v1.52f) Business
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=15978B3_057.85AE_.850_

This is a multi-part message in MIME format.

--15978B3_057.85AE_.850_
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

htmlbodyPaul athwartship,a href=3Dhttp://[EMAIL PROTECTED] averpro.com img src=3Dhttp://[EMAIL PROTECTED]/the.jpg width=3D536= height=3D505 /asalute beacon stumpweapon gapbr%RA= NDOM_WORDhum implantation party dish/body/html

--15978B3_057.85AE_.850_--

How is he successfully getting through? Also, how can I block him from coming through again?

Thanks.
Brian
Re: [Declude.JunkMail] How did this Spammer get through?
> Here's an example of the email he's trying to relay through:

The key information isn't in the headers in this case -- it's in the IMail SMTP log file. Most importantly are the RCPT TO: lines, which will show who the E-mail was actually addressed to, and whether or not some hack was used to relay the E-mail.

If you post the IMail SMTP log file entries, I should be able to let you know what is going on.

-Scott
[Declude.JunkMail] Whats up with blars.org?
This is from their web page:

"In general, an entire netblock is added rather than just a single IP or customer of a larger ISP. (For example, if hugeisp has a /16 that they allocate a single /24 to spamcustomer, the /16 will be listed rather than just the /24.) An entire ISP may be added if they show a pattern of rejecting valid spam complaints for invalid reasons."

Our local hospital just contacted me (they are not a customer, but I know their IT guy) that they were blocked by blars.org. They could not even get to their web page! It seems they are an innocent victim of the above policy of blocking the whole /16. I would urge anyone using this BL to stop using it as this gives blocking its undeserved bad reputation.

Now to see if I can help our hospital out...

Sheldon

Sheldon Koehler, Owner/Partner http://www.tenforward.com
Ten Forward Communications 360-457-9023
Nationwide access, neighborhood support!

"Whenever you find yourself on the side of the majority, it's time to pause and reflect." Mark Twain
RE: [Declude.JunkMail] Bounce Action and IMail Server Relay
> 1) Point the MX record of the domain name in question, e.g. ACME.COM, to the IP Address of our IMail Server.
> 2) Using the steps described in the above link edit the hosts file to point the domain name ACME.COM to the IP Address of the Destination Mail Server.
>
> Which all seems very simple.

Except left one step out. Must add the IP address of the mail server you are SF for to Relay for Addresses list.

At the bottom of that KB:

In SMTP Security (IMail Administrator | localhost) you must select Relay for Addresses. List the IP address of the other mail server. In version 7.0 find services under IMail Administrator | localhost | Services.

> How does IMail know to accept incoming SMTP Mail for a domain name that is not defined in its internal database? We use SMTP Authentication for POP3 customers who want to route their outgoing SMTP Mail through us. Does that prevent this Store and Forward scenario from happening?

By using the information in the HOSTS file and in the Relay for Addresses file.

> Any feedback for the above or further tips for doing this as described in the below e-mail are welcome.

As you are using Declude, make sure you are using the latest version.

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA 92835
www.reliancesoft.com
Re: [Declude.JunkMail] How did this Spammer get through?
Here you go:

03:12 18:35 SMTPD(0F9200BE) [169.207.38.237] HELO 208.253.112.160
03:12 18:35 SMTPD(0F9200BE) [169.207.38.237] MAIL FROM: [EMAIL PROTECTED]
03:12 18:35 SMTPD(0F9200BE) [169.207.38.237] RCPT TO: [EMAIL PROTECTED]
03:12 18:35 SMTPD(0F9200BE) [169.207.38.237] RCPT TO: [EMAIL PROTECTED]
03:12 18:35 SMTPD(0F9200BE) [169.207.38.237] ERR richmond.com invalid user [EMAIL PROTECTED]
03:12 18:35 SMTPD(0F9200BE) [169.207.38.237] RCPT TO: [EMAIL PROTECTED]
03:12 18:35 SMTPD(0F9200BE) [169.207.38.237] ERR richmond.com invalid user [EMAIL PROTECTED]
03:12 18:35 SMTPD(0F9200BE) [169.207.38.237] d:\IMail\spool\Dc4500f9200bec554.SMD 1114

So is he authenticating as a real user?

b
Re: [Declude.JunkMail] Whats up with blars.org?
SpamCop is just as bad. We run a web server for an associate who lives in another city. One of his customers has some java scripts on a site for free download. A spammer in Taiwan has added one of those scripts into the html on his advertisement. The script includes a reference to the download site and the name of the author of the script. SpamCop picks up on that, traces the IP of that web site to us, and sends a complaint about a "spamvertised" site.

The URL for the so-called "spamvertised" site does not appear anywhere in the viewable content of the html advertisement -- it can only be seen by viewing the source code of the page. The headers of the reported spam indicate quite clearly that the message originated from elsewhere.

Glenn Z.

- Original Message -
From: Sheldon Koehler
To: [EMAIL PROTECTED]
Sent: Wednesday, March 12, 2003 6:12 PM
Subject: [Declude.JunkMail] Whats up with blars.org?

This is from their web page:

"In general, an entire netblock is added rather than just a single IP or customer of a larger ISP. (For example, if hugeisp has a /16 that they allocate a single /24 to spamcustomer, the /16 will be listed rather than just the /24.) An entire ISP may be added if they show a pattern of rejecting valid spam complaints for invalid reasons."

Our local hospital just contacted me (they are not a customer, but I know their IT guy) that they were blocked by blars.org. They could not even get to their web page! It seems they are an innocent victim of the above policy of blocking the whole /16. I would urge anyone using this BL to stop using it as this gives blocking its undeserved bad reputation.

Now to see if I can help our hospital out...

Sheldon

Sheldon Koehler, Owner/Partner http://www.tenforward.com
Ten Forward Communications 360-457-9023
Nationwide access, neighborhood support!

"Whenever you find yourself on the side of the majority, it's time to pause and reflect." Mark Twain
Re: [Declude.JunkMail] How did this Spammer get through?
What's strange is that the only thing consistent around all of the spam emails is the IP address 169.207.38.237, which is listed with SpamCop. Should Declude pick that up? I've got SpamCop listed as an automatic hold, but somehow he keeps getting through.

Thanks.

b

-- Original Message --
From: R. Scott Perry [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Wed, 12 Mar 2003 19:11:04 -0500

Here's an example of the email he's trying to relay through:

The key information isn't in the headers in this case -- it's in the IMail SMTP log file. Most important are the RCPT TO: lines, which will show who the E-mail was actually addressed to, and whether or not some hack was used to relay the E-mail.

If you post the IMail SMTP log file entries, I should be able to let you know what is going on.

-Scott
RE: [Declude.JunkMail] Whats up with blars.org?
What do you mean they can not get to their web page? That has nothing to do with e-mail.

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA 92835
www.reliancesoft.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Sheldon Koehler
Sent: Wednesday, March 12, 2003 4:12 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Whats up with blars.org?

This is from their web page:

In general, an entire netblock is added rather than just a single IP or customer of a larger ISP. (For example, if hugeisp has a /16 that they allocate a single /24 to spamcustomer, the /16 will be listed rather than just the /24.) An entire ISP may be added if they show a pattern of rejecting valid spam complaints for invalid reasons.

Our local hospital just contacted me (they are not a customer, but I know their IT guy) that they were blocked by blars.org. They could not even get to their web page! It seems they are an innocent victim of the above policy of blocking the whole /16. I would urge anyone using this BL to stop using it as this gives blocking its undeserved bad reputation.

Now to see if I can help our hospital out...

Sheldon

Sheldon Koehler, Owner/Partner http://www.tenforward.com
Ten Forward Communications 360-457-9023
Nationwide access, neighborhood support!

Whenever you find yourself on the side of the majority, it's time to pause and reflect. Mark Twain
Re: [Declude.JunkMail] Whats up with blars.org?
What do you mean they can not get to their web page? That has nothing to do with e-mail.

Apparently blars blocks everything at their router, probably a Linux router. From the hospital, they cannot even browse to the web page. I find it rather bizarre myself, but the IT guy is a friend and I have known him for 13 years. So I believe him when he says it...

Sheldon

Sheldon Koehler, Owner/Partner http://www.tenforward.com
Ten Forward Communications 360-457-9023
Nationwide access, neighborhood support!

Whenever you find yourself on the side of the majority, it's time to pause and reflect. Mark Twain
Re: [Declude.JunkMail] HELO contains
Scott,

We are seeing a case where the mail server will connect to itself. Check out the DNS for this spammer's domain:

hotoptions.net

It has no MX record, but an A record pointing to:

127.0.0.1

If an email from this domain is bounced due to a full mailbox, this will cause IMail to attempt to deliver the email to 127.0.0.1 which causes a mail loop. After 5 loops IMail kills it.

Is there a Declude test we can use to block these based on the MX/A that the domain name resolves to? If not, perhaps the MAILFROM test could be modified to count this as a bad domain.

Bill

-Original Message-
From: R. Scott Perry
Sent: Wed, 12 Mar 2003 18:17:33 -0500
Subject: Re: [Declude.JunkMail] HELO contains

SOO.. My question is this.. Could I create a wordfilter rule that goes like HELO 10 CONTAINS imail.fament.com or will that shoot myself in the foot for some reason?

That will work fine, just so long as you don't have any other mailservers that identify themselves as imail.fament.com. If your IMail server is the only one that does, the filter will work fine.

If it really is the HELO string then I don't see this as a problem since my understanding is that my mail server does NOT connect to itself and should then never send the helo imail.fament.com to itself?!

Correct. There might be odd cases where the IMail server would connect to itself, but if that happens, you've got another problem on your hands (as it would cause a mail loop).

-Scott
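The loop Bill describes can be detected from the sender domain's DNS answers before a bounce is generated. This is an added example, not a Declude test or anything from the thread: given already-resolved MX and A answers, it works out where mail for a sender domain would be delivered (MX hosts first, the domain's own A record otherwise) and flags loopback, unspecified or the server's own addresses. The zone data, function names and verdict strings are constructed placeholders.

```python
import ipaddress

# Constructed DNS answers standing in for live lookups (placeholder names and IPs).
ZONE = {
    "loop.example":        {"MX": [], "A": ["127.0.0.1"]},  # the case in the post
    "mxloop.example":      {"MX": [(10, "mail.mxloop.example")], "A": ["203.0.113.5"]},
    "mail.mxloop.example": {"A": ["127.0.0.1"]},
    "self.example":        {"MX": [], "A": ["198.51.100.25"]},
    "lan.example":         {"MX": [], "A": ["10.1.2.3"]},
    "good.example":        {"MX": [(10, "mx.good.example")], "A": []},
    "mx.good.example":     {"A": ["203.0.113.80"]},
    "void.example":        {"MX": [], "A": []},
}

# Explicit RFC 1918 list: ipaddress's is_private also covers the documentation
# ranges used as stand-ins for public addresses in this sample.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def delivery_ips(domain, zone):
    """Addresses a bounce to `domain` would go to: MX hosts, else the domain's A."""
    rec = zone.get(domain, {})
    hosts = [host for _, host in sorted(rec.get("MX", []))] or [domain]
    return [ip for h in hosts for ip in zone.get(h, {}).get("A", [])]

def classify_sender_domain(domain, zone, own_ips):
    """Verdict for a MAIL FROM domain, given this server's own addresses."""
    ips = [ipaddress.ip_address(i) for i in delivery_ips(domain, zone)]
    if not ips:
        return "no-mail-target"
    if any(ip.is_loopback or ip.is_unspecified or str(ip) in own_ips for ip in ips):
        return "loops-to-self"
    if any(ip.is_link_local or any(ip in net for net in RFC1918) for ip in ips):
        return "unroutable"
    return "ok"
```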
Re: [Declude.JunkMail] Sniffer
Ron,

We use Sniffer as a weighted test, giving it a weight of 12 and tagging emails as spam at 15. Some false positives do occur just like with any other spam test... However, using it as a heavily weighted test has been extremely effective for us, while keeping false positives to a minimum. I highly recommend purchasing Sniffer.

Bill

-Original Message-
From: Ron Harris
Sent: Wed, 12 Mar 2003 23:16:34 -0700
Subject: [Declude.JunkMail] Sniffer

We have been testing the evaluation copy of SortMonster's Message Sniffer and I would like some opinions from people in this forum. I am considering purchasing the product if I can set it up per domain (we use JunkMail Pro) and not spend much time sifting through e-mail to make sure it does not catch false positives. Is Message Sniffer reliable at catching only spam and not legitimate e-mail? Our eval copy of Message Sniffer has treated many legitimate e-mails as spam, particularly messages from the Declude forum, the Nanog forum and an Exchange forum. I am very interested in learning your opinions.

Ron