RE: [Declude.JunkMail] .biz Super List

2003-06-16 Thread Kami Razvan
Hi;

The FTP address is not bogus :)

I asked that you replace XYZ with the domain in my email:
ClickandPledge.com

We had this problem before where the search engines picked up our previous
location and our company was getting indexed with some interesting words.
Then we started getting complaint calls from people telling us why we are
sending them v...ra emails.  After about 10 calls we decided to do
something.

These emails are being archived and then picked up by the search engines.
Naturally they follow the links they see.  We tried several different ways
to make the entries not seen by search engines but we were unsuccessful.
So... I do not include the link in this list as a link that works.  

Hope that explains it...

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of J.D. Springer
Sent: Sunday, June 15, 2003 10:35 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] .biz Super List


Kami:

Most of your posts are very helpful. Why put a post with a bogus FTP 
address?

J.D.

Kami Razvan wrote:

Hi Dan:

We have a super list of all URL's found in the body.  It includes .biz 
and any other URL's in the body.

Take a look at it..

ftp://ftp.XYZ/IMail

Replace XYZ with the domain of my email address.

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan Patnode
Sent: Sunday, June 15, 2003 6:18 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] .biz Super List


.biz is getting worse with time.  By and large, these are sent from 
general purpose (dialup and broadband) US based accounts, referencing 
Asian IPs.  To counter this, I've begun harvesting .biz domains from 
the bodies of captured spam - for use in hard tests.  My first day's 
catch:

BODY   0   CONTAINS   mainroute.biz
BODY   0   CONTAINS   ibetterbuy.biz
BODY   0   CONTAINS   health-now.biz
BODY   0   CONTAINS   drugcabinet.biz
BODY   0   CONTAINS   order-this.biz
BODY   0   CONTAINS   mymedicinecabinet.biz
BODY   0   CONTAINS   homerx.biz
BODY   0   CONTAINS   lender-search.biz

If Scott adds a test that looks up the IP of links in the message body, 
we could just block the IPs.  Until then, anyone else building such a 
list?

Dan

---
[This E-mail was scanned for viruses by Declude Virus 
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To 
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type 
unsubscribe Declude.JunkMail.  The archives can be found at 
http://www.mail-archive.com.

---
[This E-mail scanned for viruses by Declude Virus at 
MAILER.DB2Consulting.com]



  





RE: [Declude.JunkMail] SpamDomains Weight

2003-06-16 Thread Kami Razvan
We have monitored the results for this test for a long time.  We have not
seen a single FP.

We now hold on that test.

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich
Sent: Sunday, June 15, 2003 8:51 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] SpamDomains Weight


What's the average weight on the Spamdomains test that people are 
using?  I'm getting good results with Bill's list and thinking about 
increasing the weight to 10 or so...

--
Rich Griebel
[EMAIL PROTECTED]
http://www.kendra.com
Scanned for Viruses using Declude and F-Prot 




RE: [Declude.JunkMail] DSBL Tests - results

2003-06-16 Thread Markus Gufler
Hi all,

Over the weekend I've configured the following ip4r-tests from Bill.B's
config file that we haven't used until now. 
These are the results after 10 hours (4 hours business time). In this time
we've caught around 300 spam messages.


BLITZEDALL ip4r opm.blitzed.org   *  3 0
95 positive test results. No FP. All spam messages failed also other
ip4r-Tests

BONDEDSENDER ip4r query.bondedsender.org  127.0.0.10 -10 0
Only one single positive test. At least no FP.

DEVNULL  ip4r dev.null.dk   *  3 0
No positive test result.

DNSRBL-DUN ip4r dun.dnsrbl.net   *  3 0
3 positive test results. No FP. All spam messages failed also other
ip4r-Tests

DNSRBL-SPAM ip4r spam.dnsrbl.net   *  1 0
No positive test result.

DSBL-MULTI ip4r multihop.dsbl.org  *  2 0
Nearly all of the 38 positive responses are FP's. Bad test

EASYNET-DYNA ip4r dynablock.easynet.nl  *  3 0
Nearly all of the 130 positive responses are FP's. Bad test

EASYNET-PROXIES ip4r proxies.blackholes.easynet.nl *  2 0
165 positive test results. No FP. All spam messages failed also other
ip4r-Tests

EXSILIA-PROXIES ip4r proxies.exsilia.net  *  3 0
No positive test result.

EXSILIA-SPAM ip4r spam.exsilia.net  *  3 0
One single positive response. Was the only ip4r-test catching this spam
message.

FABEL  ip4r spamsources.fabel.dk  *  3 0
22 positive test results. No FP. Most spam messages failed also other
ip4r-Tests

FIVETEN-SRC ip4r blackholes.five-ten-sg.com 127.0.0.2 2 0
129 positive results. Around 20% FP's. Most spam messages failed also
other ip4r-Tests

FIVETEN-DUL ip4r blackholes.five-ten-sg.com 127.0.0.3 1 0
No positive test result.

FIVETEN-OPTIN ip4r blackholes.five-ten-sg.com 127.0.0.4 1 0
Two positive test results. Failed also other ip4r-tests.

FIVETEN-MULTI ip4r blackholes.five-ten-sg.com 127.0.0.5 1 0
3 positive test results. Failed also SPAMCOP.

FIVETEN-SINGLE ip4r blackholes.five-ten-sg.com 127.0.0.6 1 0
No positive test result.

IPWHOIS  ip4r ipwhois.rfc-ignorant.org *  3 0
41 positive test results. No FP. All spam messages failed also other
ip4r-Tests

KITHRUP  ip4r 3y.spam.mrs.kithrup.com  *  2 0
No positive test result.

LEADMON  ip4r spamguard.leadmon.net  *  3 0
51 positive results. Around 50% FP's. Most spam messages failed also
other ip4r-Tests. Bad test!

SORBS  ip4r dnsbl.sorbs.net   *  3 0
179 positive results. Around 5% FP's. All spam messages failed also
other ip4r-Tests

SPAMHAUS ip4r sbl.spamhaus.org  *  3 0
58 positive results. No FP. All spam messages failed also other
ip4r-Tests

SPAMBAG  ip4r blacklist.spambag.org  *  4 0
A few positive test results. No FP. All spam messages failed also other
ip4r-Tests

UCEB  ip4r blackholes.uceb.org  *  3 0
A few positive test results. Around 5% FP's. All spam messages failed
also other ip4r-Tests



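How ip4r test lines like the ones in the results above can be evaluated, as an added example (not code from the list or from Declude): it builds the reversed-octet DNS query for each test, matches the answer against the expected result, and tallies hits, false positives and sole catches per test. The in-memory resolver table, the sample messages and their spam labels are constructed, and reading the fifth column as the weight added on a listing is an assumption.

```python
import ipaddress

# Test definitions in the layout quoted in the thread:
#   NAME ip4r ZONE EXPECTED WEIGHT 0     ("*" = any answer counts as listed)
# Assumption: the fifth column is the weight added when the sender is listed.
TESTS = """\
SPAMHAUS     ip4r sbl.spamhaus.org           *          3 0
FIVETEN-SRC  ip4r blackholes.five-ten-sg.com 127.0.0.2  2 0
FIVETEN-DUL  ip4r blackholes.five-ten-sg.com 127.0.0.3  1 0
BONDEDSENDER ip4r query.bondedsender.org     127.0.0.10 -10 0
"""

# Constructed DNS answers (no network access): query name -> A records.
FAKE_DNS = {
    "10.2.0.192.sbl.spamhaus.org": {"127.0.0.2"},
    "10.2.0.192.blackholes.five-ten-sg.com": {"127.0.0.2"},
    "20.100.51.198.blackholes.five-ten-sg.com": {"127.0.0.3"},
    "30.113.0.203.blackholes.five-ten-sg.com": {"127.0.0.2"},
    "40.2.0.192.blackholes.five-ten-sg.com": {"127.0.0.2"},
    "50.2.0.192.query.bondedsender.org": {"127.0.0.10"},
}

# Constructed sample traffic: (connecting IP, reviewed as spam?)
MESSAGES = [
    ("192.0.2.10", True),
    ("198.51.100.20", True),
    ("203.0.113.30", False),
    ("192.0.2.40", True),
    ("192.0.2.50", False),
]


def parse_tests(text):
    """Parse ip4r lines into dicts; lines of any other shape are skipped."""
    tests = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[1] != "ip4r":
            continue
        name, _, zone, expected, weight, _ = parts
        tests.append({"name": name, "zone": zone,
                      "expected": expected, "weight": int(weight)})
    return tests


def query_name(ip, zone):
    """192.0.2.10 + zone -> 10.2.0.192.zone (octets reversed)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def resolve(name):
    """Stand-in resolver: A records for name, empty set if not listed."""
    return FAKE_DNS.get(name, set())


def failed_tests(ip, tests, resolver=resolve):
    """Tests the IP fails. One zone can back several tests that differ only
    in the expected answer, so the returned address must be compared."""
    failed = []
    for t in tests:
        answers = resolver(query_name(ip, t["zone"]))
        if answers and (t["expected"] == "*" or t["expected"] in answers):
            failed.append(t)
    return failed


def message_weight(ip, tests, resolver=resolve):
    return sum(t["weight"] for t in failed_tests(ip, tests, resolver))


def evaluate(messages, tests, resolver=resolve):
    """Per test: hits, false positives, and spam caught by this test alone."""
    stats = {t["name"]: {"hits": 0, "fp": 0, "only": 0} for t in tests}
    for ip, is_spam in messages:
        failed = failed_tests(ip, tests, resolver)
        spam_tests = [t for t in failed if t["weight"] > 0]
        for t in failed:
            s = stats[t["name"]]
            s["hits"] += 1
            # A hit on a negative-weight (whitelist) test is not an FP.
            if t["weight"] > 0 and not is_spam:
                s["fp"] += 1
            if t["weight"] > 0 and is_spam and len(spam_tests) == 1:
                s["only"] += 1
    return stats


if __name__ == "__main__":
    for name, s in evaluate(MESSAGES, parse_tests(TESTS)).items():
        print(f"{name:13} hits={s['hits']} fp={s['fp']} only={s['only']}")
```

A test with many hits but `only=0` adds weight without catching anything new, which is the "failed also other ip4r-Tests" observation in the results.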


RE: [Declude.JunkMail] SpamDomains Weight

2003-06-16 Thread Markus Gufler
We give for this test a weight of 55 points and hold on 100.

FP's occur if a client uses a sender-domain listed in the
spamdomains-file but uses another smtp-server (from his ISP) to send out
legit messages. 
Another case: A message sent from a web form with the sender-address
inserted by the visitor. For example booking-, information- or
contact-requests. This is very common because the recipient can simply
reply to the request.

Markus









Re: [Declude.JunkMail] DSN:Tarpitting and declude firewall integration

2003-06-16 Thread Bill B.
Rifat,

What software are you using to do the tarpitting?  Are you running it on the same 
server as IMail, or on a separate box? 

Bill


-Original Message-
From: Rifat Levis
Sent: Mon, 16 Jun 2003 02:01:45 +0300
Subject: [Declude.JunkMail] DSN:Tarpitting and declude firewall integration



People interested in tarpitting and Declude firewall integration can read
this.



I just finished the tarpitting protection for my IMAIL server
I am sending logs to the kiwi syslog server and forwarding it to SQL to
analyse data

When in a 2 min period a single ip send mail to more than 5 unknown account
I am blocking the ip address on my netscreen firewall for 1 hour.


The next step of this is to integrate Declude to the firewall

I have 3 weight
weight 10 warn
weight 15 warn
weight 20 delete

Instead of deleting weight 20 i will forward it to an account to send data
to SQL analyse it and then block it for 1 hour .

NOTE : I am sure that KAMI will be interested :)

Best Regards
Rifat Levis



Re: [Declude.JunkMail] DSN:Tarpitting and declude firewall integration

2003-06-16 Thread Rifat Levis
Hi Bill ,

I wrote a small VB program .
--
Here is more details about the system.

I am using the KIWI syslog server software to send the logs to the SQL
You can specify in IMAIL  syslogs server ip address .(IF you run KIWI on the
same machine ,you have to stop IMAIL syslog )

I have written a small Visual Basic Program which scans the SQL database for 
ERR  INVALID USER  lines every 2 min.

And my little program Open a telnet connection to the firewall ADD the ip
address to block .
Then the program remove the ip address after 1 hour.

On my firewall i wrote a global policy group to deny access to port 25
So the software add the ip address and specify that it belong to that group
lls.

I decided also to integrate DECLUDE JUNKMAIL with my firewall.
For weight over 20 i will block for 1 hour
For weight over 30 will block for 2 hour
And so on.

Rifat





- Original Message - 
From: Bill B. [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, June 16, 2003 3:11 PM
Subject: Re: [Declude.JunkMail] DSN:Tarpitting and declude firewall
integration


Rifat,

What software are you using to do the tarpitting?  Are you running it on the
same server as IMail, or on a separate box?

Bill


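The threshold rule described in the message above (more than 5 unknown accounts from one IP within 2 minutes, then a 1 hour block), as an added example that is not the VB program from the post. The log line layout, the sample lines and the choice to count distinct recipients are assumptions; the firewall call is replaced by a returned list of block and unblock actions.

```python
import re
from collections import defaultdict, deque

WINDOW_SECONDS = 120      # "in a 2 min period"
THRESHOLD = 5             # "more than 5 unknown account"
BLOCK_SECONDS = 3600      # "for 1 hour"

# Hypothetical log layout: "<epoch-seconds> <client-ip> ERR INVALID USER <rcpt>"
LOG_RE = re.compile(r"^(?P<ts>\d+) (?P<ip>\S+) ERR INVALID USER (?P<rcpt>\S+)$")


class DynamicBlocker:
    def __init__(self):
        self.recent = defaultdict(deque)   # ip -> deque of (ts, rcpt)
        self.blocked_until = {}            # ip -> epoch second the block ends

    def expire(self, now):
        """Release blocks that have run out; returns the released IPs."""
        released = [ip for ip, until in self.blocked_until.items() if until <= now]
        for ip in released:
            del self.blocked_until[ip]
        return released

    def observe(self, ts, ip, rcpt):
        """Record one invalid-recipient event; True if it triggers a block."""
        if ip in self.blocked_until:
            return False
        events = self.recent[ip]
        events.append((ts, rcpt))
        # Slide the window: drop events older than WINDOW_SECONDS.
        while events and events[0][0] <= ts - WINDOW_SECONDS:
            events.popleft()
        # Assumption: count distinct recipients, so a sender retrying one
        # mistyped address is not treated like a dictionary run.
        if len({r for _, r in events}) > THRESHOLD:
            self.blocked_until[ip] = ts + BLOCK_SECONDS
            del self.recent[ip]
            return True
        return False


def process_log(lines):
    """Replay log lines in time order; returns [(ts, ip, action), ...]."""
    blocker = DynamicBlocker()
    actions = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                       # not an invalid-user line
        ts = int(m["ts"])
        # Here expiry is checked when the next line arrives; a deployment
        # would run it on a timer instead.
        for ip in blocker.expire(ts):
            actions.append((ts, ip, "unblock"))
        if blocker.observe(ts, m["ip"], m["rcpt"]):
            actions.append((ts, m["ip"], "block"))
    return actions


def build_sample_log():
    """Constructed sample input, sorted by timestamp."""
    lines = ["1005 203.0.113.7 OK delivered to postmaster@example.com"]
    # Six different unknown accounts in 50 seconds: over the threshold.
    lines += [f"{1000 + i * 10} 203.0.113.7 ERR INVALID USER user{i}@example.com"
              for i in range(6)]
    # Seven tries at one mistyped address: one distinct recipient.
    lines += [f"{1100 + i * 5} 198.51.100.9 ERR INVALID USER typo@example.com"
              for i in range(7)]
    # Six different accounts, but spread over more than 8 minutes.
    lines += [f"{1200 + i * 100} 192.0.2.33 ERR INVALID USER name{i}@example.com"
              for i in range(6)]
    # The first IP again, after its hour is over.
    lines.append("5000 203.0.113.7 ERR INVALID USER user9@example.com")
    return sorted(lines, key=lambda l: int(l.split()[0]))


if __name__ == "__main__":
    for ts, ip, action in process_log(build_sample_log()):
        print(ts, ip, action)
```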


Re: [Declude.JunkMail] DSBL Tests - results

2003-06-16 Thread Serge
Thanks for the valuable info
are all the test below free and can be used by all of us ?
and, if yes, why weren't they included in the default global.cfg ?

EASYNET-PROXIES ip4r proxies.blackholes.easynet.nl *  2 0
BLITZEDALL ip4r opm.blitzed.org   *  3 0
EXSILIA-SPAM ip4r spam.exsilia.net  *  3 0
IPWHOIS  ip4r ipwhois.rfc-ignorant.org *  3 0
SORBS  ip4r dnsbl.sorbs.net   *  3 0
SPAMHAUS ip4r sbl.spamhaus.org  *  3 0


- Original Message -
From: Markus Gufler [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, June 16, 2003 9:14 AM
Subject: RE: [Declude.JunkMail] DSBL Tests - results


 Hi all,

 Over the weekend I've configured the following ip4r-tests from Bill.B's
 config file that we haven't used until now.
 These are the results after 10 hours (4 hours business time). In this time
 we've caught around 300 spam messages.


 BLITZEDALL ip4r opm.blitzed.org   *  3 0
 95 positive test results. No FP. All spam messages failed also other
 ip4r-Tests

 BONDEDSENDER ip4r query.bondedsender.org  127.0.0.10 -10 0
 Only one single positive test. At least no FP.

 DEVNULL  ip4r dev.null.dk   *  3 0
 No positive test result.

 DNSRBL-DUN ip4r dun.dnsrbl.net   *  3 0
 3 positive test results. No FP. All spam messages failed also other
 ip4r-Tests

 DNSRBL-SPAM ip4r spam.dnsrbl.net   *  1 0
 No positive test result.

 DSBL-MULTI ip4r multihop.dsbl.org  *  2 0
 Nearly all of the 38 positive responses are FP's. Bad test

 EASYNET-DYNA ip4r dynablock.easynet.nl  *  3 0
 Nearly all of the 130 positive responses are FP's. Bad test

 EASYNET-PROXIES ip4r proxies.blackholes.easynet.nl *  2 0
 165 positive test results. No FP. All spam messages failed also other
 ip4r-Tests

 EXSILIA-PROXIES ip4r proxies.exsilia.net  *  3 0
 No positive test result.

 EXSILIA-SPAM ip4r spam.exsilia.net  *  3 0
 One single positive response. Was the only ip4r-test catching this spam
 message.

 FABEL  ip4r spamsources.fabel.dk  *  3 0
 22 positive test results. No FP. Most spam messages failed also other
 ip4r-Tests

 FIVETEN-SRC ip4r blackholes.five-ten-sg.com 127.0.0.2 2 0
 129 positive results. Around 20% FP's. Most spam messages failed also
 other ip4r-Tests

 FIVETEN-DUL ip4r blackholes.five-ten-sg.com 127.0.0.3 1 0
 No positive test result.

 FIVETEN-OPTIN ip4r blackholes.five-ten-sg.com 127.0.0.4 1 0
 Two positive test results. Failed also other ip4r-tests.

 FIVETEN-MULTI ip4r blackholes.five-ten-sg.com 127.0.0.5 1 0
 3 positive test results. Failed also SPAMCOP.

 FIVETEN-SINGLE ip4r blackholes.five-ten-sg.com 127.0.0.6 1 0
 No positive test result.

 IPWHOIS  ip4r ipwhois.rfc-ignorant.org *  3 0
 41 positive test results. No FP. All spam messages failed also other
 ip4r-Tests

 KITHRUP  ip4r 3y.spam.mrs.kithrup.com  *  2 0
 No positive test result.

 LEADMON  ip4r spamguard.leadmon.net  *  3 0
 51 positive results. Around 50% FP's. Most spam messages failed also
 other ip4r-Tests. Bad test!

 SORBS  ip4r dnsbl.sorbs.net   *  3 0
 179 positive results. Around 5% FP's. All spam messages failed also
 other ip4r-Tests

 SPAMHAUS ip4r sbl.spamhaus.org  *  3 0
 58 positive results. No FP. All spam messages failed also other
 ip4r-Tests

 SPAMBAG  ip4r blacklist.spambag.org  *  4 0
 A few positive test results. No FP. All spam messages failed also other
 ip4r-Tests

 UCEB  ip4r blackholes.uceb.org  *  3 0
 A few positive test results. Around 5% FP's. All spam messages failed
 also other ip4r-Tests





Re: [Declude.JunkMail] DSN:Tarpitting and declude firewall integration

2003-06-16 Thread Jason Newland
Sorry to burst your bubble, but that's not a tarpit.


You have a dynamic IP blocker.  Tarpitting doesn't block, it slows the
attack down, consuming more of their resources, and making their connection
seem like it is stuck in a pit of tar (hence the name)


Jason

- Original Message -
From: Rifat Levis [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, June 16, 2003 7:51 AM
Subject: Re: [Declude.JunkMail] DSN:Tarpitting and declude firewall
integration


 Hi Bill ,

 I wrote a small VB program .
 --
 Here is more details about the system.

 I am using the KIWI syslog server software to send the logs to the SQL
 You can specify in IMAIL  syslogs server ip address .(IF you run KIWI on
the
 same machine ,you have to stop IMAIL syslog )

 I have written a small Visual Basic Program which scans the SQL database for

 ERR  INVALID USER  lines every 2 min.

 And my little program Open a telnet connection to the firewall ADD the ip
 address to block .
 Then the program remove the ip address after 1 hour.

 On my firewall i wrote a global policy group to deny access to port 25
 So the software add the ip address and specify that it belong to that
group
 lls.

 I decided also to integrate DECLUDE JUNKMAIL with my firewall.
 For weight over 20 i will block for 1 hour
 For weight over 30 will block for 2 hour
 And so on.

 Rifat







Re: [Declude.JunkMail] DSN:Tarpitting and declude firewall integration

2003-06-16 Thread Bill B.
Cool.  We've been playing around with a few methods of tarpitting.  Check out TarProxy 
by Marty Lamb (http://www.martiansoftware.com/tarproxy/)... this tool seems to have 
a lot of promise.  It allows you to hook into each stage of the SMTP session and apply 
incremental delays or drop the connection based on external tests.

Wouldn't it be great if we could integrate Declude with a tool like this!

Bill



-Original Message-
From: Rifat Levis
Sent: Mon, 16 Jun 2003 15:51:52 +0300
Subject: Re: [Declude.JunkMail] DSN:Tarpitting and declude firewall integration


Hi Bill ,

I wrote a small VB program .
--
Here is more details about the system.

I am using the KIWI syslog server software to send the logs to the SQL
You can specify in IMAIL  syslogs server ip address .(IF you run KIWI on the
same machine ,you have to stop IMAIL syslog )

I have written a small Visual Basic Program which scans the SQL database for 
ERR  INVALID USER  lines every 2 min.

And my little program Open a telnet connection to the firewall ADD the ip
address to block .
Then the program remove the ip address after 1 hour.

On my firewall i wrote a global policy group to deny access to port 25
So the software add the ip address and specify that it belong to that group
lls.

I decided also to integrate DECLUDE JUNKMAIL with my firewall.
For weight over 20 i will block for 1 hour
For weight over 30 will block for 2 hour
And so on.

Rifat







Re: [Declude.JunkMail] DSN:Tarpitting and declude firewall integration

2003-06-16 Thread Bill B.

 (or be run on a mail gateway that sits in front of the IMail/Declude server).

That's what TarProxy sort of does.  TarProxy accepts the inbound SMTP connections and 
relays them to a backend SMTP host (imail's smtpd).  What I'm saying would be great, 
is if TarProxy could call Declude-like tests during the SMTP session... before Imail 
gets its hands on the email.

If Declude could be called as an external test by a 3rd party app, it might even be 
possible.  Declude would just have to return a return value (ie: the weight), instead 
of handing off to smtp32.exe after its done.

Bill



-Original Message-
From: Bill Landry
Sent: Mon, 16 Jun 2003 06:22:04 -0700
Subject: Re: [Declude.JunkMail] DSN:Tarpitting and declude firewall integration


Tarpitting can't be integrated with Declude because Declude does not answer
the client SMTP connection, IMail does (SMTPD).  Only after IMail has
received the message does it get delivered to Declude.  So, any tarpitting
would have to be integrated with IMail, not Declude (or be run on a mail
gateway that sits in front of the IMail/Declude server).

Bill

Re: [Declude.JunkMail] DSN:Tarpitting and declude firewall integration

2003-06-16 Thread Smart Business Lists
Bill,

Monday, June 16, 2003 you wrote:
BB That's what TarProxy sort of does.  TarProxy accepts the
BB inbound SMTP connections and relays them to a backend SMTP
BB host (imail's smtpd).  What I'm saying would be great, is if
BB TarProxy could call Declude-like tests during the SMTP
BB session... before Imail gets its hands on the email.

Well why not just go with IMGATE and Postfix - already does all
that and much, much more.



Terry Fritts




Re: [Declude.JunkMail] DSBL Tests - results

2003-06-16 Thread Bill Landry
I think Scott only included some of the more reliable ip4r tests in the
default JunkMail config file.  You can find a listing of lots of available
tests on the Declude web site (www.declude.com/Junkmail/support/ip4r.htm),
and you will see in the test descriptions that most are freely available to
everyone.

Bill
- Original Message - 
From: Serge [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, June 16, 2003 5:50 AM
Subject: Re: [Declude.JunkMail] DSBL Tests - results


 Thanks for the valuable info
 are all the test below free and can be used by all of us ?
 and, if yes, why weren't they included in the default global.cfg ?

 EASYNET-PROXIES ip4r proxies.blackholes.easynet.nl * 2 0
 BLITZEDALL      ip4r opm.blitzed.org               * 3 0
 EXSILIA-SPAM    ip4r spam.exsilia.net              * 3 0
 IPWHOIS         ip4r ipwhois.rfc-ignorant.org      * 3 0
 SORBS           ip4r dnsbl.sorbs.net               * 3 0
 SPAMHAUS        ip4r sbl.spamhaus.org              * 3 0


 - Original Message -
 From: Markus Gufler [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Monday, June 16, 2003 9:14 AM
 Subject: RE: [Declude.JunkMail] DSBL Tests - results


  Hi all,
 
  Over the weekend I've configured the following ip4r-tests from Bill.B's
  config file that we haven't used until now.
  These are the results after 10 hours (4 hours business time). In this time
  we've caught around 300 spam messages.
 
 
  BLITZEDALL ip4r opm.blitzed.org   *  3 0
  95 positive test results. No FP. All spam messages failed also other
  ip4r-Tests
 
  BONDEDSENDER ip4r query.bondedsender.org  127.0.0.10 -10 0
  Only one single positive test. At least no FP.
 
  DEVNULL  ip4r dev.null.dk   *  3 0
  No positive test result.
 
  DNSRBL-DUN ip4r dun.dnsrbl.net   *  3 0
  3 positive test results. No FP. All spam messages failed also other
  ip4r-Tests
 
  DNSRBL-SPAM ip4r spam.dnsrbl.net   *  1 0
  No positive test result.
 
  DSBL-MULTI ip4r multihop.dsbl.org  *  2 0
  Nearly all of the 38 positive responses are FP's. Bad test
 
  EASYNET-DYNA ip4r dynablock.easynet.nl  *  3 0
  Nearly all of the 130 positive responses are FP's. Bad test
 
  EASYNET-PROXIES ip4r proxies.blackholes.easynet.nl *  2 0
  165 positive test results. No FP. All spam messages failed also other
  ip4r-Tests
 
  EXSILIA-PROXIES ip4r proxies.exsilia.net  *  3 0
  No positive test result.
 
  EXSILIA-SPAM ip4r spam.exsilia.net  *  3 0
  One single positive response. Was the only ip4r-test catching this spam
  message.
 
  FABEL  ip4r spamsources.fabel.dk  *  3 0
  22 positive test results. No FP. Most spam messages failed also other
  ip4r-Tests
 
  FIVETEN-SRC ip4r blackholes.five-ten-sg.com 127.0.0.2 2 0
  129 positive results. Around 20% FP's. Most spam messages failed also
  other ip4r-Tests
 
  FIVETEN-DUL ip4r blackholes.five-ten-sg.com 127.0.0.3 1 0
  No positive test result.
 
  FIVETEN-OPTIN ip4r blackholes.five-ten-sg.com 127.0.0.4 1 0
  Two positive test results. Failed also other ip4r-tests.
 
  FIVETEN-MULTI ip4r blackholes.five-ten-sg.com 127.0.0.5 1 0
  3 positive test results. Failed also SPAMCOP.
 
  FIVETEN-SINGLE ip4r blackholes.five-ten-sg.com 127.0.0.6 1 0
  No positive test result.
 
  IPWHOIS  ip4r ipwhois.rfc-ignorant.org *  3 0
  41 positive test results. No FP. All spam messages failed also other
  ip4r-Tests
 
  KITHRUP  ip4r 3y.spam.mrs.kithrup.com  *  2 0
  No positive test result.
 
  LEADMON  ip4r spamguard.leadmon.net  *  3 0
  51 positive results. Around 50% FP's. Most spam messages failed also
  other ip4r-Tests. Bad test!
 
  SORBS  ip4r dnsbl.sorbs.net   *  3 0
  179 positive results. Around 5% FP's. All spam messages failed also
  other ip4r-Tests
 
  SPAMHAUS ip4r sbl.spamhaus.org  *  3 0
  58 positive results. No FP. All spam messages failed also other
  ip4r-Tests
 
  SPAMBAG  ip4r blacklist.spambag.org  *  4 0
  A few positive test results. No FP. All spam messages failed also other
  ip4r-Tests
 
  UCEB  ip4r blackholes.uceb.org  *  3 0
  A few positive test results. Around 5% FP's. All spam messages failed
  also other ip4r-Tests
 
 
 
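How an ip4r line from the results above turns into a DNS lookup and a weight, as an added example that is not code from the thread or from Declude. It assumes the six fields mean name, type, zone, expected answer (`*` for any), weight when listed, weight when not listed; the DNS answers are constructed so the block runs offline.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def parse_ip4r_tests(config_text):
    """Return (name, zone, expected, weight) for every ip4r line."""
    tests = []
    for raw in config_text.splitlines():
        fields = raw.split()
        # Assumed layout: NAME ip4r ZONE EXPECTED WEIGHT_LISTED WEIGHT_NOT_LISTED
        if len(fields) != 6 or fields[1].lower() != "ip4r":
            continue
        name, _, zone, expected, weight, _ = fields
        try:
            tests.append((name, zone.rstrip("."), expected, int(weight)))
        except ValueError:
            continue  # weight was not a number: skip the malformed line
    return tests


def query_name(ip, zone):
    """Reverse the octets and append the zone: 192.0.2.45 -> 45.2.0.192.zone"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dns_a_records(name):
    """Live resolver; returns [] when the name does not exist."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def score_ip(ip, tests, resolve=dns_a_records):
    """Return (total weight, names of the tests the IP failed)."""
    total, failed = 0, []
    for name, zone, expected, weight in tests:
        answers = []
        for answer in resolve(query_name(ip, zone)):
            # Listings are answered from 127.0.0.0/8. Any other address means
            # a wildcarded or parked zone, not a listing, so it is ignored.
            if ipaddress.IPv4Address(answer) in LOOPBACK:
                answers.append(answer)
        listed = bool(answers) if expected == "*" else expected in answers
        if listed:
            total += weight
            failed.append(name)
    return total, failed


# Test lines as posted in the thread; the DNS answers are constructed.
SAMPLE_CONFIG = """
BLITZEDALL   ip4r opm.blitzed.org            *          3   0
BONDEDSENDER ip4r query.bondedsender.org     127.0.0.10 -10 0
FIVETEN-SRC  ip4r blackholes.five-ten-sg.com 127.0.0.2  2   0
FIVETEN-DUL  ip4r blackholes.five-ten-sg.com 127.0.0.3  1   0
SORBS        ip4r dnsbl.sorbs.net            *          3   0
"""
SAMPLE_DNS = {
    "45.2.0.192.opm.blitzed.org": ["127.0.0.2"],
    "45.2.0.192.blackholes.five-ten-sg.com": ["127.0.0.3"],
    "45.2.0.192.dnsbl.sorbs.net": ["203.0.113.9"],  # not in 127/8: ignored
    "7.100.51.198.query.bondedsender.org": ["127.0.0.10"],
}


def sample_resolve(name):
    return SAMPLE_DNS.get(name, [])


if __name__ == "__main__":
    parsed = parse_ip4r_tests(SAMPLE_CONFIG)
    for sender in ("192.0.2.45", "198.51.100.7", "203.0.113.1"):
        print(sender, score_ip(sender, parsed, sample_resolve))
```

The same zone can back several tests (the FIVETEN lines), each matching one return code, which is why `expected` is compared per test rather than per zone.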

Re: [Declude.JunkMail] DSN:Tarpitting and declude firewall integration

2003-06-16 Thread Rifat Levis
I am trying to explain what I did in a simple way.

In fact, on my firewall I am not really blocking but reducing the bandwidth for the
specified IP address to 33.6 Kb/sec, like a dial-up connection speed.
So my server spends more CPU time on real users than on spammers.

This is tarpitting.

I have also made a more complex setup, but it is useless to describe it here.

In the future I will also reduce the bandwidth for those who have weights
over 10 and 15.

I think that an IDS (intrusion detection system) type approach is a good start
to protect the server.

Declude is the key to deciding what to do with the firewall.

Rifat



- Original Message - 
From: Jason Newland [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, June 16, 2003 4:04 PM
Subject: Re: [Declude.JunkMail] DSN:Tarpitting and declude firewall
integration integration


Sorry to burst your bubble, but that's not a tarpit.


You have a dynamic IP blocker.  Tarpitting doesn't block, it slows the
attack down, consuming more of their resources, and making their connection
seem like it is stuck in a pit of tar (hence the name)


Jason

- Original Message -
From: Rifat Levis [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, June 16, 2003 7:51 AM
Subject: Re: [Declude.JunkMail] DSN:Tarpitting and declude firewall
integration integration


 Hi Bill,

 I wrote a small VB program.
 --
 Here are more details about the system.

 I am using the KIWI syslog server software to send the logs to the SQL.
 You can specify in IMAIL the syslog server IP address. (If you run KIWI on the
 same machine, you have to stop IMAIL syslog.)

 I have written a small Visual Basic program which scans the SQL database for
 ERR  INVALID USER  lines every 2 min.

 My little program opens a telnet connection to the firewall and adds the IP
 address to block.
 Then the program removes the IP address after 1 hour.

 On my firewall I wrote a global policy group to deny access to port 25.
 So the software adds the IP address and specifies that it belongs to that group
 lls.

 I decided also to integrate DECLUDE JUNKMAIL with my firewall.
 For weight over 20 I will block for 1 hour.
 For weight over 30 I will block for 2 hours.
 And so on.

 Rifat





 - Original Message -
 From: Bill B. [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Monday, June 16, 2003 3:11 PM
 Subject: Re: [Declude.JunkMail] DSN:Tarpitting and declude firewall
 integration integration


 Rifat,

 What software are you using to do the tarpitting?  Are you running it on
the
 same server as IMail, or on a separate box?

 Bill


 -Original Message-
 From: Rifat Levis
 Sent: Mon, 16 Jun 2003 02:01:45 +0300
 Subject: [Declude.JunkMail] DSN:Tarpitting and declude firewall
integration



 People interested in tarpitting and Declude firewall integration can read
 this.

 I just finished the tarpitting protection for my IMAIL server.
 I am sending logs to the kiwi syslog server and forwarding them to SQL to
 analyse the data.

 When in a 2 min period a single IP sends mail to more than 5 unknown accounts,
 I am blocking the IP address on my netscreen firewall for 1 hour.

 The next step of this is to integrate Declude with the firewall.

 I have 3 weights:
 weight 10 warn
 weight 15 warn
 weight 20 delete

 Instead of deleting at weight 20 I will forward it to an account to send the data
 to SQL, analyse it and then block it for 1 hour.

 NOTE: I am sure that KAMI will be interested :)

 Best Regards
 Rifat Levis


Re: [Declude.JunkMail] DSN:Tarpitting and declude firewall integration

2003-06-16 Thread Rifat Levis
Markus ,

I already started doing this, but the problem here is that when you have a
dynamic IP list
you cannot change it on IMAIL on the fly.
You have to stop and restart the SMTP services.
That's why I am using a firewall here.

Rifat



- Original Message - 
From: Markus Gufler [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, June 16, 2003 4:37 PM
Subject: RE: [Declude.JunkMail] DSN:Tarpitting and declude firewall
integration integration


At the moment we're running an hourly scheduled vb-script that filters
out any error lines of the imail logfile and sends them via email to the
postmaster.

For example:
==
FROM TO
[EMAIL PROTECTED] [EMAIL PROTECTED]
[EMAIL PROTECTED] [EMAIL PROTECTED]
[EMAIL PROTECTED] [EMAIL PROTECTED]
[EMAIL PROTECTED] [EMAIL PROTECTED]
==

So we can see which of our customers has forgotten to activate the
SMTP-Authentication (if outgoing), or which delivery attempts failed (if
incoming).


But back to the idea of blocking incoming smtp-connections of known
spammer-IP's:

Wouldn't it be great if someone writes a small tool with the following
function:
1.) gathers all Sender-IP's from the declude logfile with a certain
weight. (for example 200% of the hold value)
2.) maintains a list of these IP-Addresses and removes them after a
certain time that no new spam with the same IP was caught
3.) creates an IP-blocklist for Imail so that it can block any further
smtp-connection attempt from these spamming IP's

Markus




 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Rifat Levis
 Sent: Monday, June 16, 2003 2:52 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.JunkMail] DSN:Tarpitting and declude
 firewall integration integration


 Hi Bill,

 I wrote a small VB program.
 --
 Here are more details about the system.

 I am using the KIWI syslog server software to send the logs
 to the SQL. You can specify in IMAIL the syslog server IP
 address. (If you run KIWI on the same machine, you have to
 stop IMAIL syslog.)

 I have written a small Visual Basic program which scans the SQL
 database for  ERR  INVALID USER  lines every 2 min.

 My little program opens a telnet connection to the
 firewall and adds the IP address to block. Then the program
 removes the IP address after 1 hour.

 On my firewall I wrote a global policy group to deny access
 to port 25. So the software adds the IP address and specifies
 that it belongs to that group lls.

 I decided also to integrate DECLUDE JUNKMAIL with my
 firewall. For weight over 20 I will block for 1 hour. For
 weight over 30 I will block for 2 hours. And so on.

 Rifat





 - Original Message - 
 From: Bill B. [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Monday, June 16, 2003 3:11 PM
 Subject: Re: [Declude.JunkMail] DSN:Tarpitting and declude
 firewall integration integration


 Rifat,

 What software are you using to do the tarpitting?  Are you
 running it on the same server as IMail, or on a separate box?

 Bill


 -Original Message-
 From: Rifat Levis
 Sent: Mon, 16 Jun 2003 02:01:45 +0300
 Subject: [Declude.JunkMail] DSN:Tarpitting and declude
 firewall integration



 People interested in tarpitting and Declude firewall
 integration can read this.

 I just finished the tarpitting protection for my IMAIL server.
 I am sending logs to the kiwi syslog server and forwarding them
 to SQL to analyse the data.

 When in a 2 min period a single IP sends mail to more than 5
 unknown accounts, I am blocking the IP address on my netscreen
 firewall for 1 hour.

 The next step of this is to integrate Declude with the firewall.

 I have 3 weights:
 weight 10 warn
 weight 15 warn
 weight 20 delete

 Instead of deleting at weight 20 I will forward it to an account
 to send the data to SQL, analyse it and then block it for 1 hour.

 NOTE: I am sure that KAMI will be interested :)

 Best Regards
 Rifat Levis

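The block logic discussed in this thread (more than 5 unknown recipients from one IP within 2 minutes blocks for 1 hour, weight over 20 blocks for 1 hour, over 30 for 2 hours, and entries expire as in Markus's item 2), as an added example that is not Rifat's VB program. The log format, the `never_block` set and all names are assumptions; the block records firewall actions instead of contacting a firewall.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=2)   # "in a 2 min period"
MAX_UNKNOWN = 5                 # block on MORE than 5 unknown recipients
HOUR = timedelta(hours=1)

# Constructed log format (an assumption, not IMail's or Declude's real one):
#   2003-06-16 14:00:00 192.0.2.10 INVALID_USER a1@example.test
#   2003-06-16 14:10:00 203.0.113.7 WEIGHT 34
LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?:INVALID_USER (\S+)|WEIGHT (-?\d+))$"
)


def weight_block_time(weight):
    """Tiers from the thread: over 20 -> 1 hour, over 30 -> 2 hours."""
    if weight > 30:
        return 2 * HOUR
    if weight > 20:
        return HOUR
    return None


class DynamicBlocklist:
    def __init__(self, never_block=()):
        self.never_block = set(never_block)  # own gateways, monitoring hosts
        self.recent = defaultdict(deque)     # ip -> (time, recipient) in WINDOW
        self.blocked = {}                    # ip -> expiry time
        self.actions = []                    # what would be sent to the firewall

    def _block(self, ip, now, duration):
        if ip in self.never_block:
            return
        expiry = now + duration
        if ip not in self.blocked:
            self.blocked[ip] = expiry
            self.actions.append(("BLOCK", ip, expiry))
        elif expiry > self.blocked[ip]:
            self.blocked[ip] = expiry        # a repeat offence extends the block

    def expire(self, now):
        for ip in [ip for ip, until in self.blocked.items() if until <= now]:
            del self.blocked[ip]
            self.actions.append(("UNBLOCK", ip, now))

    def feed(self, line):
        match = LINE.match(line.strip())
        if not match:
            return                           # ignore lines we cannot parse
        stamp, ip, rcpt, weight = match.groups()
        now = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        self.expire(now)
        if rcpt is not None:
            seen = self.recent[ip]
            seen.append((now, rcpt.lower()))
            while now - seen[0][0] > WINDOW:
                seen.popleft()
            # Count distinct recipients so one retried address is not six hits.
            if len({r for _, r in seen}) > MAX_UNKNOWN:
                self._block(ip, now, HOUR)
        else:
            duration = weight_block_time(int(weight))
            if duration:
                self._block(ip, now, duration)


def replay(log_text, never_block=()):
    blocklist = DynamicBlocklist(never_block)
    for line in log_text.splitlines():
        blocklist.feed(line)
    return blocklist


# Constructed sample log.
SAMPLE_LOG = """\
2003-06-16 14:00:00 192.0.2.10 INVALID_USER a1@example.test
2003-06-16 14:00:10 192.0.2.10 INVALID_USER a2@example.test
2003-06-16 14:00:20 192.0.2.10 INVALID_USER a3@example.test
2003-06-16 14:00:30 192.0.2.10 INVALID_USER a4@example.test
2003-06-16 14:00:40 192.0.2.10 INVALID_USER a5@example.test
2003-06-16 14:00:50 192.0.2.10 INVALID_USER a6@example.test
2003-06-16 14:03:00 198.51.100.5 INVALID_USER b1@example.test
2003-06-16 14:06:00 198.51.100.5 INVALID_USER b2@example.test
2003-06-16 14:10:00 203.0.113.7 WEIGHT 34
2003-06-16 14:11:00 203.0.113.8 WEIGHT 18
2003-06-16 14:12:00 192.0.2.1 WEIGHT 40
2003-06-16 15:05:00 198.51.100.5 INVALID_USER b3@example.test
"""

if __name__ == "__main__":
    for action in replay(SAMPLE_LOG, never_block={"192.0.2.1"}).actions:
        print(action)
```

The slow sender 198.51.100.5 never has more than one unknown recipient inside a window and stays unblocked, and 192.0.2.1 is skipped despite its weight because it is on the `never_block` list.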

[Declude.JunkMail] Ignoring Negative Weights

2003-06-16 Thread Don Schreiner
If I end up with a negative weight, how do I configure to ignore and pass
e-mail along? Is the following correct?

Global.cfg

NEGWEIGHT   weightrange x   x   0   -100

Default.JunkMail

NEGWEIGHT   IGNORE

Thanks.

-Don




Re: [Declude.JunkMail] DSN:Tarpitting and declude firewall integration

2003-06-16 Thread Bill B.
This approach is a bit different than IMGate because it creates a dynamic tarpit, 
based on the spamminess of the email.  The more tests it fails, the slower the 
connection gets...IN REAL TIME!  That's the cool part.  From what I understand, IMGate 
can only drop the connection...it cannot slow the connection down.

With TarProxy, spam tests can be run at each stage of the SMTP session, before the 
next stage begins.  For example...

EVENT: Remote Host Connects - dnsbl tests are executed and incremental delays are 
applied or connection is dropped.

EVENT: Remote Host sends EHLO - HELO-based tests are executed and incremental delays 
are applied or connection is dropped.

EVENT: Remote Host sends MAIL FROM - Domain-based tests are executed and incremental 
delays are applied or connection is dropped.

EVENT: Remote Host sends RCPT TO - Recipient-based tests are executed and incremental 
delays are applied or connection is dropped.

EVENT: Remote Host sends DATA - Content filtering is executed and incremental delays 
are applied or connection is dropped.



-Original Message-
From: Smart Business Lists
Sent: Mon, 16 Jun 2003 08:42:56 -0500
Subject: Re: [Declude.JunkMail] DSN:Tarpitting and declude firewall integration 
integration integration integration integration integration integration integration


Bill,

Monday, June 16, 2003 you wrote:
BB Thats what TarProxy sort of does.  TarProxy accepts the
BB inbound SMTP connections and relays them to a backend SMTP
BB host (imail's smtpd).  What I'm saying would be great, is if
BB TarProxy could call Declude-like tests during the SMTP
BB session... before Imail gets its hands on the email.

Well why not just go with IMGATE and Postfix - already does all
that and much, much more.



Terry Fritts


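The staged behaviour described above, modelled as an added example that is not TarProxy code: tests run at each SMTP event, the accumulated weight sets the delay before the next reply, and the connection is dropped once a limit is reached. The checks, weights, delay factor, cap and drop limit are all hypothetical, and the reference data is constructed.

```python
STAGES = ["CONNECT", "EHLO", "MAIL FROM", "RCPT TO", "DATA"]
SECONDS_PER_POINT = 2.0   # hypothetical: delay added per point of weight
MAX_DELAY = 30.0          # hypothetical cap, kept well under client timeouts
DROP_AT = 10              # hypothetical: drop instead of delaying further

# Constructed data standing in for DNSBL lookups, DNS and the user database.
DNSBL_LISTED = {"192.0.2.45"}
RESOLVABLE_DOMAINS = {"example.org", "example.net"}
LOCAL_USERS = {"alice@example.net", "bob@example.net"}
BODY_DOMAINS = {"cheap-offer.example"}


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


# One list of (test name, weight, predicate) per SMTP event.
STAGE_TESTS = {
    "CONNECT": [("DNSBL", 3, lambda s: s["ip"] in DNSBL_LISTED)],
    "EHLO": [("HELO-NOT-FQDN", 2, lambda s: "." not in s["helo"])],
    "MAIL FROM": [("SENDER-DOMAIN", 3,
                   lambda s: domain_of(s["mail_from"]) not in RESOLVABLE_DOMAINS)],
    "RCPT TO": [("UNKNOWN-RCPT", 2,
                 lambda s: any(r.lower() not in LOCAL_USERS for r in s["rcpt_to"]))],
    "DATA": [("BODY-URL", 4,
              lambda s: any(d in s["body"].lower() for d in BODY_DOMAINS))],
}


def tarpit_session(session, stage_tests=STAGE_TESTS):
    """Return (verdict, timeline); timeline rows are (stage, weight, delay_s)."""
    weight, timeline = 0, []
    for stage in STAGES:
        for _name, points, failed in stage_tests.get(stage, []):
            if failed(session):
                weight += points
        if weight >= DROP_AT:
            timeline.append((stage, weight, None))  # connection dropped here
            return "DROP", timeline
        delay = min(max(weight, 0) * SECONDS_PER_POINT, MAX_DELAY)
        # A real proxy would wait `delay` seconds before relaying this stage.
        timeline.append((stage, weight, delay))
    return "ACCEPT", timeline


def total_delay(timeline):
    return sum(delay for _, _, delay in timeline if delay is not None)


# Constructed sessions.
SPAMMY = {"ip": "192.0.2.45", "helo": "mailer",
          "mail_from": "promo@no-such-domain.example",
          "rcpt_to": ["nobody@example.net"],
          "body": "Visit http://cheap-offer.example/ now"}
MARGINAL = {"ip": "198.51.100.7", "helo": "workstation",
            "mail_from": "carol@example.org",
            "rcpt_to": ["alice@example.net"], "body": "Lunch on Friday?"}
CLEAN = dict(MARGINAL, helo="mail.example.org")

if __name__ == "__main__":
    for label, session in (("spammy", SPAMMY), ("marginal", MARGINAL), ("clean", CLEAN)):
        verdict, timeline = tarpit_session(session)
        print(label, verdict, total_delay(timeline), timeline)
```

The marginal sender is accepted after 16 seconds of accumulated delay, while the spammy one is held for 32 seconds and dropped at RCPT TO before any message data is transferred.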


Re: [Declude.JunkMail] DSN:Tarpitting and declude firewall integration

2003-06-16 Thread Smart Business Lists
Bill,

Monday, June 16, 2003 you wrote:
BB The more tests it fails, the
BB slower the connection gets...IN REAL TIME!  

I see now, thanks for the reply.

XMAIL has a setting like this with its CustMapsList and its
SMTP-RDNSCheck.  I've used both but I didn't find it very useful.

In CustMapsList I can list however many rbl's I want it to check and
then specify whether to drop the connection or delay it -S seconds
between SMTP commands.

Then with SMTP-RDNSCheck I can either drop or set a delay of -S
seconds between commands.

I used the delay when I first established XMAIL but finally decided it
was pointless to make the server work so hard. So now I only put in
CustMapsList the rbl tests I intend to use to drop the connection. I
stopped using the RDNSCheck as I just found it slowed down the SMTP
dialogue too much. Besides even if the message passed I still was
going to check in the Queue for other spam tests and it seems a lot of
spammers actually have RDNS.

Terry Fritts




Re: [Declude.JunkMail] Ignoring Negative Weights

2003-06-16 Thread R. Scott Perry

If I end up with a negative weight, how do I configure to ignore and pass
e-mail along.

You don't need to do anything.

The way the weighting system works, you decide what weight ranges to use to 
detect spam.  For example, some people have it set up to HOLD E-mail based 
on the WEIGHT10 test (a weight of 10 or higher), and DELETE E-mail that 
fails the WEIGHT20 test (with a weight of 20 or higher).

In this case, if you have a test that uses negative weights, the total 
weight of the E-mail will be reduced.  For example, the weight of the 
E-mail may end up being -6.  In this case, the E-mail would not fail the 
WEIGHT10 or WEIGHT20 tests.

Is the following correct?

Global.cfg

NEGWEIGHT   weightrange x   x   0   -100

Default.JunkMail

NEGWEIGHT   IGNORE

There's no need to do this, as the IGNORE action does nothing.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.



Re: [Declude.JunkMail] DSBL Tests - results

2003-06-16 Thread R. Scott Perry
All of those tests are free.  The ones you list have just been added to the 
default configuration files, except for IPWHOIS (which has a lot of false 
positives in our testing) and SORBS (which we do not have enough 
information about yet).
-Scott

At 08:50 AM 6/16/2003, Serge wrote:
Thanks for the valuable info
are all the test below free and can be used by all of us ?
and, if yes, why weren't they included in the default global.cfg ?
EASYNET-PROXIES ip4r proxies.blackholes.easynet.nl * 2 0
BLITZEDALL      ip4r opm.blitzed.org               * 3 0
EXSILIA-SPAM    ip4r spam.exsilia.net              * 3 0
IPWHOIS         ip4r ipwhois.rfc-ignorant.org      * 3 0
SORBS           ip4r dnsbl.sorbs.net               * 3 0
SPAMHAUS        ip4r sbl.spamhaus.org              * 3 0
- Original Message -
From: Markus Gufler [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, June 16, 2003 9:14 AM
Subject: RE: [Declude.JunkMail] DSBL Tests - results
 Hi all,

 Over the weekend I've configured the following ip4r-tests from Bill.B's
 config file that we haven't used until now.
 These are the results after 10 hours (4 hours business time). In this time
 we've caught around 300 spam messages.


 BLITZEDALL ip4r opm.blitzed.org   *  3 0
 95 positive test results. No FP. All spam messages failed also other
 ip4r-Tests

 BONDEDSENDER ip4r query.bondedsender.org  127.0.0.10 -10 0
 Only one single positive test. At least no FP.

 DEVNULL  ip4r dev.null.dk   *  3 0
 No positive test result.

 DNSRBL-DUN ip4r dun.dnsrbl.net   *  3 0
 3 positive test results. No FP. All spam messages failed also other
 ip4r-Tests

 DNSRBL-SPAM ip4r spam.dnsrbl.net   *  1 0
 No positive test result.

 DSBL-MULTI ip4r multihop.dsbl.org  *  2 0
 Nearly all of the 38 positive responses are FP's. Bad test

 EASYNET-DYNA ip4r dynablock.easynet.nl  *  3 0
 Nearly all of the 130 positive responses are FP's. Bad test

 EASYNET-PROXIES ip4r proxies.blackholes.easynet.nl *  2 0
 165 positive test results. No FP. All spam messages failed also other
 ip4r-Tests

 EXSILIA-PROXIES ip4r proxies.exsilia.net  *  3 0
 No positive test result.

 EXSILIA-SPAM ip4r spam.exsilia.net  *  3 0
 One single positive response. Was the only ip4r-test catching this spam
 message.

 FABEL  ip4r spamsources.fabel.dk  *  3 0
 22 positive test results. No FP. Most spam messages failed also other
 ip4r-Tests

 FIVETEN-SRC ip4r blackholes.five-ten-sg.com 127.0.0.2 2 0
 129 positive results. Around 20% FP's. Most spam messages failed also
 other ip4r-Tests

 FIVETEN-DUL ip4r blackholes.five-ten-sg.com 127.0.0.3 1 0
 No positive test result.

 FIVETEN-OPTIN ip4r blackholes.five-ten-sg.com 127.0.0.4 1 0
 Two positive test results. Failed also other ip4r-tests.

 FIVETEN-MULTI ip4r blackholes.five-ten-sg.com 127.0.0.5 1 0
 3 positive test results. Failed also SPAMCOP.

 FIVETEN-SINGLE ip4r blackholes.five-ten-sg.com 127.0.0.6 1 0
 No positive test result.

 IPWHOIS  ip4r ipwhois.rfc-ignorant.org *  3 0
 41 positive test results. No FP. All spam messages failed also other
 ip4r-Tests

 KITHRUP  ip4r 3y.spam.mrs.kithrup.com  *  2 0
 No positive test result.

 LEADMON  ip4r spamguard.leadmon.net  *  3 0
 51 positive results. Around 50% FP's. Most spam messages failed also
 other ip4r-Tests. Bad test!

 SORBS  ip4r dnsbl.sorbs.net   *  3 0
 179 positive results. Around 5% FP's. All spam messages failed also
 other ip4r-Tests

 SPAMHAUS ip4r sbl.spamhaus.org  *  3 0
 58 positive results. No FP. All spam messages failed also other
 ip4r-Tests

 SPAMBAG  ip4r blacklist.spambag.org  *  4 0
 A few positive test results. No FP. All spam messages failed also other
 ip4r-Tests

 UCEB  ip4r blackholes.uceb.org  *  3 0
 A few positive test results. Around 5% FP's. All spam messages failed
 also other ip4r-Tests





Re: [Declude.JunkMail] DSBL Tests - results

2003-06-16 Thread Bill Landry
Scott, FWIW, I have had very good success with the ip4r test:

ipwhois.rfc-ignorant.org

but found lots of FP with the domain based test:

whois.rfc-ignorant.org

So I don't use that whois test any more.  However, this has not been your
experience?

Bill
- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, June 16, 2003 8:38 AM
Subject: Re: [Declude.JunkMail] DSBL Tests - results


 All of those tests are free.  The ones you list have just been added to the
 default configuration files, except for IPWHOIS (which has a lot of false
 positives in our testing) and SORBS (which we do not have enough
 information about yet).
  -Scott

 At 08:50 AM 6/16/2003, Serge wrote:
 Thanks for the valuable info
 are all the test below free and can be used by all of us ?
 and, if yes, why weren't they included in the default global.cfg ?
 
 EASYNET-PROXIES ip4r proxies.blackholes.easynet.nl * 2 0
 BLITZEDALL      ip4r opm.blitzed.org               * 3 0
 EXSILIA-SPAM    ip4r spam.exsilia.net              * 3 0
 IPWHOIS         ip4r ipwhois.rfc-ignorant.org      * 3 0
 SORBS           ip4r dnsbl.sorbs.net               * 3 0
 SPAMHAUS        ip4r sbl.spamhaus.org              * 3 0
 
 
 - Original Message -
 From: Markus Gufler [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Monday, June 16, 2003 9:14 AM
 Subject: RE: [Declude.JunkMail] DSBL Tests - results
 
 
   Hi all,
  
   Over the weekend I've configured the following ip4r-tests from Bill.B's
   config file that we haven't used until now.
   These are the results after 10 hours (4 hours business time). In this time
   we've caught around 300 spam messages.
  
  
   BLITZEDALL ip4r opm.blitzed.org   *  3 0
   95 positive test results. No FP. All spam messages failed also other
   ip4r-Tests
  
   BONDEDSENDER ip4r query.bondedsender.org  127.0.0.10 -10 0
   Only one single positive test. At least no FP.
  
   DEVNULL  ip4r dev.null.dk   *  3 0
   No positive test result.
  
   DNSRBL-DUN ip4r dun.dnsrbl.net   *  3 0
   3 positive test results. No FP. All spam messages failed also other
   ip4r-Tests
  
   DNSRBL-SPAM ip4r spam.dnsrbl.net   *  1 0
   No positive test result.
  
   DSBL-MULTI ip4r multihop.dsbl.org  *  2 0
   Nearly all of the 38 positive responses are FP's. Bad test
  
   EASYNET-DYNA ip4r dynablock.easynet.nl  *  3 0
   Nearly all of the 130 positive responses are FP's. Bad test
  
   EASYNET-PROXIES ip4r proxies.blackholes.easynet.nl *  2 0
   165 positive test results. No FP. All spam messages failed also other
   ip4r-Tests
  
   EXSILIA-PROXIES ip4r proxies.exsilia.net  *  3 0
   No positive test result.
  
   EXSILIA-SPAM ip4r spam.exsilia.net  *  3 0
   One single positive response. Was the only ip4r-test catching this spam
   message.
  
   FABEL  ip4r spamsources.fabel.dk  *  3 0
   22 positive test results. No FP. Most spam messages failed also other
   ip4r-Tests
  
   FIVETEN-SRC ip4r blackholes.five-ten-sg.com 127.0.0.2 2 0
   129 positive results. Around 20% FP's. Most spam messages failed also
   other ip4r-Tests
  
   FIVETEN-DUL ip4r blackholes.five-ten-sg.com 127.0.0.3 1 0
   No positive test result.
  
   FIVETEN-OPTIN ip4r blackholes.five-ten-sg.com 127.0.0.4 1 0
   Two positive test results. Failed also other ip4r-tests.
  
   FIVETEN-MULTI ip4r blackholes.five-ten-sg.com 127.0.0.5 1 0
   3 positive test results. Failed also SPAMCOP.
  
   FIVETEN-SINGLE ip4r blackholes.five-ten-sg.com 127.0.0.6 1 0
   No positive test result.
  
   IPWHOIS  ip4r ipwhois.rfc-ignorant.org *  3 0
   41 positive test results. No FP. All spam messages failed also other
   ip4r-Tests
  
   KITHRUP  ip4r 3y.spam.mrs.kithrup.com  *  2 0
   No positive test result.
  
   LEADMON  ip4r spamguard.leadmon.net  *  3 0
   51 positive results. Around 50% FP's. Most spam messages failed also
   other ip4r-Tests. Bad test!
  
   SORBS  ip4r dnsbl.sorbs.net   *  3 0
   179 positive results. Around 5% FP's. All spam messages failed also
   other ip4r-Tests
  
   SPAMHAUS ip4r sbl.spamhaus.org  *  3 0
   58 positive results. No FP. All spam messages failed also other
   ip4r-Tests
  
   SPAMBAG  ip4r blacklist.spambag.org  *  4 0
   A few positive test results. No FP. All spam messages failed also other
   ip4r-Tests
  
   UCEB  ip4r blackholes.uceb.org  *  3 0
   A few positive test results. Around 5% FP's. All spam messages failed
   also other ip4r-Tests
  
  
  

Re: [Declude.JunkMail] Ignoring Negative Weights

2003-06-16 Thread Don Schreiner
Thanks for reply and yes this is how I use weights, but what I failed to mention is 
that I end up with a negative value often (i.e. -7, -1, etc.) depending on certain 
mail and it gets held. You are saying it should not get held. OK I must have a hold on 
a certain test that is failing even though ends up with negative weight too. For 
example I hold all that fail sniffer and are below weight of 14. Think I figured it 
out. Thanks!

-Don



-- Original Message --
From: R. Scott Perry [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Mon, 16 Jun 2003 10:57:11 -0400


If I end up with a negative weight, how do I configure to ignore and pass
e-mail along.

You don't need to do anything.

The way the weighting system works, you decide what weight ranges to use to 
detect spam.  For example, some people have it set up to HOLD E-mail based 
on the WEIGHT10 test (a weight of 10 or higher), and DELETE E-mail that 
fails the WEIGHT20 test (with a weight of 20 or higher).

In this case, if you have a test that uses negative weights, the total 
weight of the E-mail will be reduced.  For example, the weight of the 
E-mail may end up being -6.  In this case, the E-mail would not fail the 
WEIGHT10 or WEIGHT20 tests.

Is the following correct?

Global.cfg

NEGWEIGHT   weightrange x   x   0   -100

Default.JunkMail

NEGWEIGHT   IGNORE

There's no need to do this, as the IGNORE action does nothing.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.



[Declude.JunkMail] DNSstuff problems

2003-06-16 Thread paul
As the subject states, is DNSstuff still having problems? Seems every time I
try a lookup I get a Page cannot be displayed error. Once in a while it
works, super-fast in fact, but seems more often than not it's down.

Just seeing what's going on.

Paul




Re: [Declude.JunkMail] DSN:Tarpitting and declude firewall integration

2003-06-16 Thread Smart Business Lists
Charles,

Monday, June 16, 2003 you wrote:
CF I can also use XMail to slow down server responses to addresses
CF in response to a RBL

Are you using the RDNS test in XMAIL?
I felt like the time to check delayed the dialogue too long.



Terry Fritts




[Declude.JunkMail] SPAMDOMAINS comcast.net

2003-06-16 Thread Sheldon Koehler
It looks like these headers tell me to add:

attbi..comcomcast.net

to the sd.txt file.

Received: from Hyperion.tenforward.com [65.161.10.61] by tenforward.com with
ESMTP
  (SMTPD32-7.15) id A15AE91F00FC; Mon, 16 Jun 2003 10:41:46 -0700
Received: from sccrmhc13.attbi.com (unknown [204.127.202.64])
 by Hyperion.tenforward.com (Postfix) with ESMTP id 17D683AD90
 for [EMAIL PROTECTED]; Mon, 16 Jun 2003 10:41:45 -0700 (PDT)
Received: from sparelaptop
(12-231-40-5.client.attbi.com[12.231.40.5](untrusted sender))
  by attbi.com (sccrmhc13) with SMTP
  id 20030616174143016001kraje; Mon, 16 Jun 2003 17:41:43 +
Message-ID: [EMAIL PROTECTED]
Reply-To: Amy Fraser [EMAIL PROTECTED]
From: Amy Fraser [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Regarding Delivery Failure
Date: Mon, 16 Jun 2003 10:42:15 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary==_NextPart_000_00CD_01C333F3.F36D4540
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
X-Declude-Sender: [EMAIL PROTECTED] [204.127.202.64]
X-Note: This E-mail was scanned for spam.
X-Spam-Tests-Failed: Whitelisted
X-Note: This E-mail was scanned for Viruses and found clean.
X-Note: This E-mail was sent from sccrmhc13.comcast.net ([204.127.202.64]).
X-Spam-Prob: 0.000430
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 319661753


Sheldon


Sheldon Koehler, Owner/Partner    http://www.tenforward.com
Ten Forward Communications   360-457-9023
Nationwide access, neighborhood support!

Whenever you find yourself on the side of the majority, it's time
to pause and reflect. Mark Twain




[Declude.JunkMail] Filter wuestio

2003-06-16 Thread Harry Vanderzand
Is there a way to put a copy of the string that matched the filter test into
the headers?

thanks

Harry Vanderzand 
inTown Internet  Computer Services 
11 Belmont Ave. W.
Kitchener, ON
N2M 1L2




Re: [Declude.JunkMail] DNSstuff problems

2003-06-16 Thread R. Scott Perry

As the subject states, is DNSstuff still having problems? Seems every time I
try a lookup I get a Page cannot be displayed error. Once in a while it
works, super-fast in fact, but seems more often than not it's down.

If you try re-loading the page it should work.

There is an issue with the new server that we haven't tracked down yet that 
is sometimes causing 100% CPU usage.  This seems to be causing some 
connections not to get established on the first attempt.

   -Scott


[Declude.JunkMail] h:How to use X-Spam-Prob

2003-06-16 Thread niceman
Is there any way for us to be able to use the X-Spam-Prob tag as weighting?  As 
I understand it, the only way to use this field today is to add an IMail rule to 
separate / delete the mail?


Re: [Declude.JunkMail] h:How to use X-Spam-Prob

2003-06-16 Thread R. Scott Perry

Is there any way for us to be able to use the X-Spam-Prob tag as weighting?  As
I understand it, the only way to use this field today is to add an IMail rule to
separate / delete the mail?

That's correct -- we are planning to add a test that will be based on the 
information in that header.

   -Scott


[Declude.JunkMail] Host unreachable when sending to Declude lists

2003-06-16 Thread Bill Landry
I am noticing that often the messages I send to the Declude lists are
pending in our Exchange server queue.  They are easy to spot because they
are the only messages in the queue.  If I force several retries, they will
eventually get delivered, but it can take many attempts at times.

Is anyone else experiencing this when sending to either the Declude JunkMail or
Virus lists?

Bill



[Declude.JunkMail] How to stop this...

2003-06-16 Thread David
Hi all,

Sorry about the subject being so generic but I was not sure how to call the
following.  I have been seeing the following in the headers of some email:

Received: from 216.220.106.24 [218.151.108.224] by mail.heliosfunds.com

The first IP is the IP of the mail server.  I am not sure how to refer to
this but is there a test in JunkMail that tests for this?

Thanks,

David



Re: [Declude.JunkMail] How to stop this...

2003-06-16 Thread Bill B.
You can set up a filter to add a weight for that IP specifically:

HELO  10  CONTAINS  216.220.106.24

Or you could set up a filter to add a weight to any email that uses an IP as its HELO:

HELO  10  ENDSWITH  0
HELO  10  ENDSWITH  1
HELO  10  ENDSWITH  2
HELO  10  ENDSWITH  3
HELO  10  ENDSWITH  4
HELO  10  ENDSWITH  5
HELO  10  ENDSWITH  6
HELO  10  ENDSWITH  7
HELO  10  ENDSWITH  8
HELO  10  ENDSWITH  9


Bill


-Original Message-
From: David
Sent: Mon, 16 Jun 2003 22:57:22 +0300
Subject: [Declude.JunkMail] How to stop this...


Hi all,

Sorry about the subject being so generic but I was not sure how to call the
following.  I have been seeing the following in the headers of some email:

Received: from 216.220.106.24 [218.151.108.224] by mail.heliosfunds.com

The first IP is the IP of the mail server.  I am not sure how to refer to
this but is there a test in JunkMail that tests for this?

Thanks,

David

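An added example (not part of either post above, and not Declude's own code): a small Python check for the header pattern David quotes, where the HELO field is an IP literal, claims to be the receiving server's own address, and differs from the connecting IP. It assumes the IMail trace layout `from <HELO> [<peer IP>] by <host>` seen in the quoted headers; `own_ips` and the third sample line are constructed for illustration, and the last flag mirrors the ENDSWITH-digit filter lines for comparison.

```python
import ipaddress
import re

# IMail-style trace line as quoted in the thread: from <HELO> [<peer IP>] by <host>
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\[(?P<peer>[0-9.]+)\]\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def as_ip(token):
    """Return an ip_address if token is an IP literal (bare or [bracketed]), else None."""
    try:
        return ipaddress.ip_address(token.strip("[]"))
    except ValueError:
        return None


def check_helo(received, own_ips):
    """Classify the HELO of one Received line; own_ips is a hypothetical list
    of the addresses that belong to the receiving mail server."""
    m = RECEIVED_RE.match(received)
    if not m:
        return None
    helo, peer = m["helo"], as_ip(m["peer"])
    if peer is None:
        return None
    helo_ip = as_ip(helo)
    own = {ipaddress.ip_address(a) for a in own_ips}
    return {
        "helo": helo,
        "peer": str(peer),
        # HELO is an address literal rather than a host name
        "helo_is_ip": helo_ip is not None,
        # HELO presents one of our own addresses but the peer is someone else
        "helo_claims_our_ip": helo_ip in own and peer not in own,
        "helo_ip_differs_from_peer": helo_ip is not None and helo_ip != peer,
        # What the ten "HELO 10 ENDSWITH <digit>" filter lines would match
        "ends_with_digit": helo[-1].isdigit(),
    }


# Header lines: the first two are quoted in this digest, the third is constructed.
FORGED = "Received: from 216.220.106.24 [218.151.108.224] by mail.heliosfunds.com"
NORMAL = ("Received: from Hyperion.tenforward.com [65.161.10.61] by tenforward.com with\n"
          "ESMTP")
SHORT_NAME = "Received: from mx2 [192.0.2.25] by mail.example.org"

if __name__ == "__main__":
    for line in (FORGED, NORMAL, SHORT_NAME):
        print(check_helo(line, own_ips=["216.220.106.24"]))
```

The constructed `mx2` line shows that a host name ending in a digit also matches the ENDSWITH lines, so the weight given to that filter should allow for such senders.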


RE: [Declude.JunkMail] DSN:Tarpitting and declude firewall integration integration

2003-06-16 Thread Markus Gufler
 I started already doing this, but the problem here is that 
 when you have a dynamic IP list you cannot change it on 
 IMAIL on the fly. You have to stop and restart the SMTP 
 services. That's why I am using a firewall here.


:-|
Hmmm, I understand.
Far from being realtime-friendly...

Markus






RE: [Declude.JunkMail] Spamdomains: Which IP ?

2003-06-16 Thread Karen D. Oland
Note, that for internal email, the IP address used in SPAMDOMAINS is the
email address of the sender.  So, for us, that gets translated to our ISP's
name, as only the mail server has rDNS set up (we trap on our own mail
server address in spamdomains, as that was being faked by quite a bit of
email and slipping thru (we used to whitelist our own server)).  So, this
am, all email sent inhouse started getting held (I was updating weights)
until I added an alternative domain name to the list.

I assume that outside mail would have used the IP of the transmitting mail
server, not that of the sender (unless they were the same).

Karen

 -Original Message-
 From: R. Scott Perry

 The RDNS test is run against the IP address of the original sending mail
 server, not the IP of the client machine that drafted the message.  I don't
 believe that intermediate hops are considered in this test, just the RDNS of
 the originating mail server.  Scott, can confirm this.

 Declude JunkMail uses the same IP that it uses for getting the reverse DNS
 entry, and that is used for IP-based spam tests.  By default, this is the
 IP address that connected to IMail.  However, depending on the IPBYPASS and
 HOP settings, it may be different (for example, the IP address that
 connected to a backup or gateway mailserver).



RE: [Declude.JunkMail] Using SPAMDOMAINS and negative weights?

2003-06-16 Thread Karen D. Oland
But, this would also subtract weight from emails that didn't fail
spamdomains. FWIW, we ADD a small amount of weight to most of these, rather
than subtract.

Karen

 -Original Message-
 From: Bill Landry

 A better way to do this is to setup a RDNS Filter and add a negative weight
 for any domain that you add that resolves correctly, like yahoo.com.  For
 example:

 Global.cfg:
 REVDNS-FILTER filter M:\IMail\Declude\RevDNS-Filter.txt x 0 0

 REVDNS-FILTER (samples):
 REVDNS -10 ENDSWITH .travelocity.com
 REVDNS -10 ENDSWITH .untd.com
 REVDNS -05 ENDSWITH .verio.com
 REVDNS -05 ENDSWITH .verio.net
 REVDNS -05 ENDSWITH .verizon.com
 REVDNS -05 ENDSWITH .verizon.net
 REVDNS -10 ENDSWITH .yahoo.com
 REVDNS -05 ENDSWITH .lockergnome.com

 Bill
 - Original Message -
 From: R. Scott Perry [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Monday, June 09, 2003 9:20 AM
 Subject: RE: [Declude.JunkMail] Using SPAMDOMAINS and negative weights?


 
  Why not configure it like
  
  SPAMDOMAINS spamdomains C:\IMail\Declude\sd.txt x 5 -5
  
  This will give +5 points to any mail having a sender-domain listed in
  sd.txt and failing this test. On the other side any legit message having
  such a sender-domain that come from the right mailserver will have -5
  points. So this message can also fail other test without creating false
  positives.
  
  I'm not sure about this. Seems like I miss something - it sounds too
  simple.  ;-)
 
  The catch here is that all E-mail from domains that aren't listed in the
  sd.txt file will get a weight of -5 added to them, so that spam from
  domains not listed in the sd.txt file will be more likely to be delivered.
 
  -Scott
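An added example (not from any poster, and not Declude's code): a toy Python scorer that works through Scott's WEIGHT10/WEIGHT20 explanation earlier in this digest and the SPAMDOMAINS pass-weight catch quoted above, next to the REVDNS filter alternative. The sd.txt layout, the message fields and every sample message are assumptions constructed for the illustration.

```python
# Added illustration, not Declude's code: a toy scorer for the configurations
# discussed in this thread. All data below is constructed for the example.
HOLD_AT, DELETE_AT = 10, 20          # WEIGHT10 -> HOLD, WEIGHT20 -> DELETE

# Stand-in for sd.txt (assumed layout): sender domain -> required rDNS suffix.
SD = {"yahoo.com": ".yahoo.com"}
# Stand-in for RevDNS-Filter.txt, using two of the sample lines quoted above.
REVDNS_FILTER = [(-10, ".yahoo.com"), (-5, ".verizon.net")]


def spamdomains(msg, fail_weight, pass_weight):
    """Fail only when the sender domain is listed and the rDNS does not match."""
    domain = msg["from"].rsplit("@", 1)[-1].lower()
    suffix = SD.get(domain)
    failed = suffix is not None and not msg["rdns"].lower().endswith(suffix)
    return fail_weight if failed else pass_weight


def revdns_filter(msg):
    """Negative weight only for rDNS names that match a filter line."""
    rdns = msg["rdns"].lower()
    return sum(w for w, suffix in REVDNS_FILTER if rdns.endswith(suffix))


def action(weight):
    if weight >= DELETE_AT:
        return "DELETE"
    return "HOLD" if weight >= HOLD_AT else "DELIVER"


CONFIGS = {
    # SPAMDOMAINS with weight 5 on failure and 0 otherwise
    "sd 5/0": lambda m: spamdomains(m, 5, 0),
    # SPAMDOMAINS with 5 on failure and -5 otherwise (the "x 5 -5" proposal)
    "sd 5/-5": lambda m: spamdomains(m, 5, -5),
    # SPAMDOMAINS 5/0 plus the REVDNS filter with negative weights
    "sd 5/0 + revdns": lambda m: spamdomains(m, 5, 0) + revdns_filter(m),
}


def evaluate(msg, config):
    """Return (total weight, action); msg['other'] is the weight from other tests."""
    weight = msg["other"] + CONFIGS[config](msg)
    return weight, action(weight)


# Constructed messages: sender, rDNS of the connecting server, other-test weight.
MESSAGES = {
    "forged yahoo": {"from": "a@yahoo.com", "rdns": "dsl-1-2.example.net", "other": 8},
    "real yahoo": {"from": "b@yahoo.com", "rdns": "web1.mail.yahoo.com", "other": 12},
    "unlisted spam": {"from": "c@example.biz", "rdns": "host.example.biz", "other": 12},
    "clean, negative": {"from": "d@example.org", "rdns": "mx.example.org", "other": -6},
}

if __name__ == "__main__":
    for name, msg in MESSAGES.items():
        print(name, {c: evaluate(msg, c) for c in CONFIGS})
```

With the 5/-5 setting the unlisted-domain spam drops from 12 to 7 and is delivered, while the filter variant lowers the weight only for the message whose reverse DNS matches a listed suffix.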


RE: [Declude.JunkMail] SD Lists

2003-06-16 Thread John Tolmachoff \(Lists\)
 I posted both of their lists here.
 
 http://downloads.wpa.net/billb_sd.zip
 http://downloads.wpa.net/sheldons_sd.zip
 
 Both lists current as of 6/13/2003

Of course, I see this after I just responded to the other post. Frederick,
if you are going to maintain this, then I need not bother, correct?

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com




RE: [Declude.JunkMail] SKIPIFVIRUSNAMEHAS

2003-06-16 Thread John Tolmachoff \(Lists\)
 I decided against notifying the recipient for Vulnerabilities. Apparently,
 vulnerabilities are essentially spam - and notifying the recipient would
 mean that they end up getting an unwanted message after all.

In my experience, that is true 98% of the time. That 2% percent though can
cause problems. 

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com




RE: [Declude.JunkMail] Spamdomains: Which IP ?

2003-06-16 Thread R. Scott Perry

Note, that for internal email, the IP address used in SPAMDOMAINS is the
email address of the sender.  So, for us, that gets translated to our ISP's
name, as only the mail server has rDNS set up (we trap on our own mail
server address in spamdomains, as that was being faked by quite a bit of
email and slipping thru (we used to whitelist our own server)).  So, this
am, all email sent inhouse started getting held (I was updating weights)
until I added an alternative domain name to the list.

I assume that outside mail would have used the IP of the transmitting mail
server, not that of the sender (unless they were the same).

In the case of E-mail from your users, the IP of their computer would be 
used.  But, if you only list domains in the spamdomains file that your 
users should not be sending from, you will be fine (IE if your users are 
not allowed to send out E-mail with an @earthlink.com address, you could 
have that listed in the spamdomains file).

   -Scott


RE: [Declude.JunkMail] DSN:Tarpitting and declude firewall integration integration

2003-06-16 Thread Markus Gufler
 ... While I am preparing Declude weights and 
 firewall blocking, I can have a look for information about 
 your device also.

Looks like there is a command line interface. I will ask the support and
you will hear from me.


 I am really sorry for my BAD English,
 This is my 3rd language,

Welcome in the club!  :-)
My mother's language is German, and I live in Italy.

Markus




[Declude.JunkMail] SPAMCOP:OT: Can't Get To SpamCop's Web Site

2003-06-16 Thread Dan Geiser
Hello, All,
One of our techs put in a new server last week running Exchange 2000 and did
not secure it from being an open relay.  Today I discovered about 18,000
messages on our outgoing message queue.  Apparently someone found the relay
on Sunday morning.  I removed the messages and then disabled the ability of the
server to be used as an open relay.  That was earlier today.

Later today someone forwarded me a message in-house and it was held by DJM.
For about 5 minutes I couldn't figure out why the message was being blocked
and then I noticed that one of the tests it failed was SPAMCOP.  I'm
guessing that because of the day or so of open relay we've been reported to
them.  I've been trying to get into the SpamCop web site to see if we are in
their database but I can't seem to get in over the web.  Does anyone know if they
are currently down?  Also, how easy is it to get removed once you are
listed?

I thank you in advance for your feedback.

Take Care,
Dan




[Declude.JunkMail] JunkMail configurable front end

2003-06-16 Thread Erik Hjelholt
Has anyone else built a front end for JM, so the end user (in our case our
ISP customers) can configure certain aspects of Declude JM?

What we have in mind is to charge each subscriber for using JM, and also to
give some control over the actions, i.e. let them choose between IGNORE,
WARN, SUBJECT, MAILBOX and DELETE within the 6 weightranges we set.

Initially we will choose ranges going up to 100 and adjust the test values
accordingly so that we may have a reasonable certainty that anything at 100
or over can be deleted. Perhaps the Spam-Prob test will be helpful here when
it becomes available.

I had hoped that there would be a possibility of per-user filtering, but
perhaps it is for the best that there is not, so we are instead considering
building a half dozen standard filters to choose from, such as Adult/Porn,
Medical/Drugs, Financial/Mortgage/Insurance, and Home/Garden,
Get-Rich-Quick/Franchises/Work-at-Home, etc.

Any thoughts or experiences?

Erik
