[Declude.JunkMail] Authenticated Spammer
What is the best way to check the logs to see if a spammer is authenticating locally?

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
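No reply to this question survives on the page. As an added example that is not from the list, the Python below does the check against IMail's SMTPD log in the format Jeff quotes later in this archive: it ties each "Authenticated ..." line to the connection it belongs to, tallies which source IPs each account authenticated from and how many recipients were pushed through each, and flags authentications from outside the networks the account's real owner uses. The log lines, IPs, thread ids, account names and the trusted network 67.17.218.0/24 are all constructed for the example. IMail logs the "Authenticated" line under a different thread id than the session (the excerpt on this page shows SMTPD(03E0) next to SMTPD(060E0134)), so the join is made to the most recent "connect" line; that is an ordering assumption of this example, not a documented rule.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed IMail SMTPD log excerpt, modelled on the "mm:dd hh:mm SMTPD(thread)
# [peer-ip] event" lines quoted elsewhere on this page.  Every IP, account name,
# thread id and time here is invented for the example.
SAMPLE_LOG = """\
10:21 08:13 SMTPD(060E0134) [67.17.218.5] connect 67.17.218.5 port 1371
10:21 08:13 SMTPD(060E0134) [67.17.218.5] EHLO laptop
10:21 08:13 SMTPD(03E0) Authenticated spam@example.com, session treated as local.
10:21 08:13 SMTPD(060E0134) [67.17.218.5] MAIL FROM: <spam@example.com>
10:21 08:13 SMTPD(060E0134) [67.17.218.5] RCPT TO: <victim@example.net>
10:21 08:20 SMTPD(060E0140) [192.0.2.77] connect 192.0.2.77 port 4021
10:21 08:20 SMTPD(060E0140) [192.0.2.77] EHLO relay
10:21 08:20 SMTPD(03E1) Authenticated spam@example.com, session treated as local.
10:21 08:20 SMTPD(060E0140) [192.0.2.77] MAIL FROM: <bogus@example.org>
10:21 08:20 SMTPD(060E0140) [192.0.2.77] RCPT TO: <a@example.net>
10:21 08:20 SMTPD(060E0140) [192.0.2.77] RCPT TO: <b@example.net>
10:21 09:05 SMTPD(060E0150) [198.51.100.9] connect 198.51.100.9 port 1100
10:21 09:05 SMTPD(060E0150) [198.51.100.9] EHLO mx.example.org
10:21 09:05 SMTPD(060E0150) [198.51.100.9] MAIL FROM: <someone@example.org>
10:21 09:05 SMTPD(060E0150) [198.51.100.9] RCPT TO: <c@example.net>
10:21 09:30 SMTPD(060E0160) [203.0.113.4] connect 203.0.113.4 port 2222
10:21 09:30 SMTPD(060E0160) [203.0.113.4] EHLO other
10:21 09:30 SMTPD(03E2) Authenticated spam@example.com, session treated as local.
10:21 09:30 SMTPD(060E0160) [203.0.113.4] MAIL FROM: <x@example.org>
10:21 09:30 SMTPD(060E0160) [203.0.113.4] RCPT TO: <d@example.net>
"""

LINE_RE = re.compile(
    r"^(?P<date>\d\d:\d\d) (?P<time>\d\d:\d\d) SMTPD\((?P<tid>[0-9A-Fa-f]+)\) (?P<event>.*)$"
)
CONNECT_RE = re.compile(r"^\[(?P<ip>\d+\.\d+\.\d+\.\d+)\] connect ")
AUTH_RE = re.compile(r"^Authenticated (?P<account>[^,\s]+), session treated as local")
RCPT_RE = re.compile(r"^\[(?P<ip>\d+\.\d+\.\d+\.\d+)\] RCPT TO: <(?P<rcpt>[^>]+)>")


def authenticated_sessions(log_text):
    """Return one dict per SMTP session in which somebody authenticated.

    The "Authenticated ..." line carries its own thread id rather than the
    connection's, so it cannot be joined on the id.  This example attributes
    it to the most recent 'connect' line before it (assumption: the log is in
    write order and auth is logged before the session's MAIL FROM).
    """
    sessions = {}          # connection thread id -> session record
    last_connect = None    # thread id of the most recent 'connect' line
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        tid, event = m["tid"], m["event"]
        c = CONNECT_RE.match(event)
        if c:
            sessions[tid] = {"date": m["date"], "time": m["time"], "ip": c["ip"],
                             "account": None, "rcpts": 0}
            last_connect = tid
            continue
        a = AUTH_RE.match(event)
        if a and last_connect in sessions:
            sessions[last_connect]["account"] = a["account"]
            continue
        r = RCPT_RE.match(event)
        if r and tid in sessions:
            sessions[tid]["rcpts"] += 1
    return [s for s in sessions.values() if s["account"]]


def sources_per_account(sessions):
    """account -> {source ip: number of recipients submitted from that ip}."""
    out = defaultdict(lambda: defaultdict(int))
    for s in sessions:
        out[s["account"]][s["ip"]] += s["rcpts"]
    return {acct: dict(ips) for acct, ips in out.items()}


def flag_unexpected_sources(sessions, trusted_nets):
    """Authenticated sessions whose peer IP is outside the CIDR ranges the
    account's legitimate user connects from (the ranges are the admin's input)."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    flagged = []
    for s in sessions:
        ip = ipaddress.ip_address(s["ip"])
        if not any(ip in n for n in nets):
            flagged.append((s["date"], s["time"], s["account"], s["ip"], s["rcpts"]))
    return flagged


if __name__ == "__main__":
    found = authenticated_sessions(SAMPLE_LOG)
    for acct, ips in sources_per_account(found).items():
        print(acct, ips)
    # 67.17.218.0/24 stands in for the network the spam@ account's owner really uses
    for row in flag_unexpected_sources(found, ["67.17.218.0/24"]):
        print("UNEXPECTED AUTH:", row)
```

An account that authenticates from several unrelated networks within minutes, or that submits far more recipients than its owner ever would, is the signature of the stolen-credential relaying Stan describes further down; once the source IPs are known, changing the password and checking the firewall logs for those addresses is the follow-up the thread recommends.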
RE: [Declude.JunkMail] [OT] WEIRD Problem!
Thanks for the suggestions all. I had already changed the password the first time it happened, but I've since turned off the Norton Anti-Spam and will see if anything else happens. Thanks again.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stanley Lyzak
Sent: Tuesday, October 21, 2003 10:23 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] [OT] WEIRD Problem!
RE: [Declude.JunkMail] [OT] WEIRD Problem!
One other thing you can try (I actually think Scott is on the right track if your laptop firewall is showing outbound Outlook access). Try not to save your email password in your Outlook. Have it prompt you. Much easier to stop these things when they cannot authenticate.

Stan Lyzak, BSEE, CISSP, MCSE², CCNA, Security+, A+
Network Security Engineer
ASysTech, Inc.

-----Original Message-----
From: Jeff Maze - Hostmaster [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 21, 2003 9:44 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] [OT] WEIRD Problem!
RE: [Declude.JunkMail] [OT] WEIRD Problem!
> Yes, Norton Anti-Spam is installed (came with NIS 2004; installs automatically) and running on the system. Should I turn this off and see if the problem disappears?

I would recommend that. Something is causing the spam to be forwarded with "Not read" in the subject. I'm guessing an anti-spam program on the client is doing it.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.
RE: [Declude.JunkMail] [OT] WEIRD Problem!
It sounds like the same thing that has been occurring lately, in that spammers are using authenticated SMTP to get into mail servers to forward their trash. It looks like your account authenticated to your mail server and tried sending outbound spam. Then you received the bounce. If it's a spammer who is authenticating on your behalf, your Outlook will never show outbound email. If you look into your firewall logs when these messages come in, you will find the actual IP of the offender (not that there is much you can do about it).

Looking at "Authenticated [EMAIL PROTECTED]", I would seriously change the spam@ account's password. That should clear it up. I have found that many of these incidents source from overseas (esp. China). No offense to any non pig-dog spammers ;)

Stan Lyzak, BSEE, CISSP, MCSE², CCNA, Security+, A+
Network Security Engineer
ASysTech, Inc.

-----Original Message-----
From: Jeff Maze - Hostmaster [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 21, 2003 9:44 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] [OT] WEIRD Problem!
RE: [Declude.JunkMail] [OT] WEIRD Problem!
I have Outlook set up so that any messages received from the separate e-mail accounts (6 work e-mail accounts I look into) get automatically moved to folders other than my Inbox. So the hostmaster account gets forwarded to the hostmaster folder, spam to the spam folder, etc. Also, I have two rules set up so that if certain people e-mail me, their messages are moved to a separate folder as well. There aren't any rules set up to automatically forward messages.

Yes, Norton Anti-Spam is installed (came with NIS 2004; installs automatically) and running on the system. Should I turn this off and see if the problem disappears?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Tuesday, October 21, 2003 10:08 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] [OT] WEIRD Problem!
Re: [Declude.JunkMail] [OT] WEIRD Problem!
> Anyone ever hear of anything like this before?

Do you have any rules in Outlook to try to bounce E-mails? Are you running any anti-spam software on the laptop?

-Scott
[Declude.JunkMail] [OT] WEIRD Problem!
Hello,

I've recently discovered something interesting happening with my laptop. Just a little FYI about it.

I have all spam messages that fail the Declude tests forwarded to a [EMAIL PROTECTED] account, which I download and review on my computer. I have NIS 2004 running on my laptop as well. I'm also running NIS Anti-virus 2004 and it's updated with virus defs dated 10/15/2003, and a full system scan was just completed (attempted LiveUpdate this morning, but it's just sitting there).

Anyway, the other day I received 3 Undeliverable Mail messages in this spam account and upon reviewing the message, saw that it was coming from the WAN IP address of my laptop (cable provider's IP address when at home (2), and the firewall WAN IP when at work (1)). So I set up NIS to inform me whenever Outlook 2002 tried to send out messages; NIS is also configured to only allow Outlook to connect to our mail server to send and receive messages. Well, it happened again this morning; I knew because NIS popped up a window stating such.

I've included the Undeliverable Mail message as well as the IMail log entry. I attempted to look up the D*.SMD and Q*.SMD (to see what the message contained), but IMail has already deleted them, and even though I have Outlook set up to store all sent messages in the Sent Items folder, there is nothing there as well. I got the alert while receiving messages from the spam account.

Anyone ever hear of anything like this before? Thank you for your time and attention.

-Jeff

undeliverable to [EMAIL PROTECTED]
Original message follows.
Received: from %computername% [67.17.218.x] by crescentdigital.com with ESMTP (SMTPD32-6.06) id A30560E0134; Tue, 21 Oct 2003 08:13:57 -0400
From: "DO NOT REPLY TO THIS ACCOUNT - Please reply to original sender" <[EMAIL PROTECTED]>
To: "'Catalina'" <[EMAIL PROTECTED]>
Date: Tue, 21 Oct 2003 08:13:40 -0400
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: application/ms-tnef; name="winmail.dat"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="winmail.dat"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.4510
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
X-MS-TNEF-Correlator: A762BD7065A7A046BC679108E78E7F89447F2800
Subject: Not read: This is not loan j
X-Declude-Sender: [EMAIL PROTECTED] [67.17.218.x]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.

eJ8+Ii4MAQaQCAAEAAABAAEAAQeQBgAI5AQAAADoAAEIgAcAFwAAAFJFUE9S eJ8+VC5J
UE0uTm90ZS5JUE5OUk4AtwYBDYAEAAICAAIAAQqAAQAhQTA2MEZEM0Q4MzEwQUI0MjhB
MjYwNDEyREVBMkYwNjQAEQcBA5AGAIQDAAAaCwAjAAALACkAAEAAMgDgQjiyzJfD
AR4ASQABJgAAAFtOb3J0b24gQW50aVNwYW1dIFRoaXMgaXMgbm90IGxvYW4gIGoCAUwA
AQAAADUAgSsfpL6jEBmdbgDdAQ9UAgAAAQBBbGx5c3NhAFNNVFAAY3B5dXNAeWFob28u
Y29tAEAATgAAvK6jApjDAUAAVQCAuMGTv5fDAR4AcAABJgAAAFtOb3J0b24gQW50aVNw
YW1dIFRoaXMgaXMgbm90IGxvYW4gIGoCAXEAAQAAABYBw5fMsjhj1+r3oAhAD5a+slvd
v2KaAAAeAHIAAQEAHgBzAAEBAB4AdAABDgAAAFN1YnNjcmli
ZXIgMzcLAAgMAAIBHQwBHgAAAFNNVFA6U1BBTUBDUkVTQ0VOVERJR0lUQUwuQ09N
CwABDgEDABQOAB4AKA4BOwAAADAwMDAwMDA1AXNwYW1AY3Jlc2NlbnRkaWdp
dGFsLmNvbQFzcGFtQGNyZXNjZW50ZGlnaXRhbC5jb20AAB4AKQ4BOwAAADAwMDAwMDA1AXNw
YW1AY3Jlc2NlbnRkaWdpdGFsLmNvbQFzcGFtQGNyZXNjZW50ZGlnaXRhbC5jb20AAB4AARAB
GQAAAE1lc3NhZ2Ugd2FzIG5vdCByZWFkIGJ5OgACAfgPAQAAABCnYr1wZaegRrxnkQjn
jn+JAgH6DwEQp2K9cGWnoEa8Z5EI545/iQIB+w8BkgA4obsQBeUQ
jn+GqG7
[message truncated]

IMail Log Entry:

10:21 08:13 SMTPD(060E0134) [67.17.218.5] connect 67.17.218.x port 1371
10:21 08:13 SMTPD(060E0134) [67.17.218.x] EHLO %computername%
10:21 08:13 SMTPD(03E0) Authenticated [EMAIL PROTECTED], session treated as local.
10:21 08:13 SMTPD(060E0134) [67.17.218.x] MAIL FROM: <[EMAIL PROTECTED]>
10:21 08:13 SMTPD(060E0134) [67.17.218.x] RCPT TO: <[EMAIL PROTECTED]>
10:21 08:13 SMTPD(060E0134) [67.17.218.x] MAIL FROM: <[EMAIL PROTECTED]>
10:21 08:13 SMTPD(060E0134) [67.17.218.x] RCPT TO: <[EMAIL PROTECTED]>
10:21 08:13 SMTPD(060E0134) [67.17.218.x] C:\IMAIL\spool\D2305134.SMD 2267
10:21 08:13 SMTP-(0878) processing C:\IMAIL\spool\Q2305134.SMD
10:21 08:13 SMTP-(0878) Trying yahoo.com (0)
10:21 08:13 SMTP-(0878) Connect yahoo.com [64.157.4.78:25] (1)
10:21 08:13 SMTP-(0878) 220 YSmtp mta109.mail.sc5.yahoo.com ESMTP service ready
10:21 08:13 SMTP-(0878) >EHLO crescentdigital.com
10:21 08:13 SMTP-(0878) 250-mta109.mail.sc5.yahoo.com
10:21 08:13 SMTP-(0878) 250-8BITMIME
10:21 08:13 SMTP-(0878) 250-SIZE 10485760
10:21 08:13 SMTP-(0878) 250 PIPELINING
10:21 08:13 SMTP-(0878) >MAIL FROM:<[EMAIL PROTECTED]>
10:21 08:13 SMTP-(0878) 250 sender <[EMAIL PROTECTED]> ok
10:21 08:13 SMTP-(0878) >RCPT To:<[EMAIL PROTECTED]>
10:21 08:13 SMTP-(000
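The bounce above carries the sent message only as a base64 winmail.dat (TNEF) attachment, and Jeff notes that the spool files were already gone, so that attachment is the one surviving copy of what his account actually sent. As an added example that is not part of the thread, the Python below decodes that blob exactly as the archive preserved it. The archived base64 is lossy (re-wrapped, with stray fragments, and cut off at "[message truncated]"), so a strict walk of the TNEF attribute stream fails on the length fields; the example therefore decodes leniently, confirms the TNEF signature, and pulls out the MAPI message class and the printable strings. Run on this blob it reports message class IPM.Note.IPNNRN and the string "Message was not read by:", i.e. a not-read notification, with the original subject prefixed "[Norton AntiSpam]", which fits Scott's suggestion above that a client-side anti-spam program was behind the "Not read" messages. The signature constant and the lenient decoding rule are this example's own.

```python
import base64
import re
import struct

TNEF_SIGNATURE = 0x223E9F78  # little-endian magic at offset 0 of every winmail.dat

# The winmail.dat body as it survives in the archived bounce above.
WINMAIL_B64 = """
eJ8+Ii4MAQaQCAAEAAABAAEAAQeQBgAI5AQAAADoAAEIgAcAFwAAAFJFUE9S eJ8+VC5J
UE0uTm90ZS5JUE5OUk4AtwYBDYAEAAICAAIAAQqAAQAhQTA2MEZEM0Q4MzEwQUI0MjhB
MjYwNDEyREVBMkYwNjQAEQcBA5AGAIQDAAAaCwAjAAALACkAAEAAMgDgQjiyzJfD
AR4ASQABJgAAAFtOb3J0b24gQW50aVNwYW1dIFRoaXMgaXMgbm90IGxvYW4gIGoCAUwA
AQAAADUAgSsfpL6jEBmdbgDdAQ9UAgAAAQBBbGx5c3NhAFNNVFAAY3B5dXNAeWFob28u
Y29tAEAATgAAvK6jApjDAUAAVQCAuMGTv5fDAR4AcAABJgAAAFtOb3J0b24gQW50aVNw
YW1dIFRoaXMgaXMgbm90IGxvYW4gIGoCAXEAAQAAABYBw5fMsjhj1+r3oAhAD5a+slvd
v2KaAAAeAHIAAQEAHgBzAAEBAB4AdAABDgAAAFN1YnNjcmli
ZXIgMzcLAAgMAAIBHQwBHgAAAFNNVFA6U1BBTUBDUkVTQ0VOVERJR0lUQUwuQ09N
CwABDgEDABQOAB4AKA4BOwAAADAwMDAwMDA1AXNwYW1AY3Jlc2NlbnRkaWdp
dGFsLmNvbQFzcGFtQGNyZXNjZW50ZGlnaXRhbC5jb20AAB4AKQ4BOwAAADAwMDAwMDA1AXNw
YW1AY3Jlc2NlbnRkaWdpdGFsLmNvbQFzcGFtQGNyZXNjZW50ZGlnaXRhbC5jb20AAB4AARAB
GQAAAE1lc3NhZ2Ugd2FzIG5vdCByZWFkIGJ5OgACAfgPAQAAABCnYr1wZaegRrxnkQjn
jn+JAgH6DwEQp2K9cGWnoEa8Z5EI545/iQIB+w8BkgA4obsQBeUQ
jn+GqG7
"""


def decode_loose_base64(text):
    """Decode base64 that an archive has re-wrapped or truncated.

    Everything outside the base64 alphabet is dropped, and an incomplete
    trailing quartet (here the cut-off tail) is discarded instead of letting
    b64decode raise on bad padding.  This is this example's own rule.
    """
    clean = re.sub(r"[^A-Za-z0-9+/]", "", text)
    clean = clean[: len(clean) - len(clean) % 4]
    return base64.b64decode(clean)


def is_tnef(data):
    """True when the first DWORD is the TNEF signature."""
    return len(data) >= 4 and struct.unpack("<I", data[:4])[0] == TNEF_SIGNATURE


def printable_strings(data, min_len=6):
    """Runs of printable ASCII, the way `strings` would list them."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def message_class(data):
    """The MAPI message class (IPM.Note..., REPORT.IPM.Note... for receipts)."""
    m = re.search(rb"IPM\.Note(?:\.[A-Za-z]+)+", data)
    return m.group().decode("ascii") if m else None


def triage_winmail(b64_text):
    data = decode_loose_base64(b64_text)
    return {
        "is_tnef": is_tnef(data),
        "message_class": message_class(data),
        "strings": printable_strings(data),
    }


if __name__ == "__main__":
    report = triage_winmail(WINMAIL_B64)
    print("TNEF signature:", report["is_tnef"])
    print("message class:", report["message_class"])
    for s in report["strings"]:
        print("  ", s)
```

The same two functions (lenient decode, then signature check and string extraction) apply to any winmail.dat quoted in a bounce; on an intact attachment a proper TNEF parser would walk the attribute stream instead of string-scanning it.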
Re: [Declude.JunkMail] what's wrong with this REVDNS filter
> I want to give some negative weight for the following mail headers
>
> Received: from mx0.gmx.net [213.165.64.100] by mail.zcom.it (SMTPD32-7.15) id A9F343600D8; Sun, 19 Oct 2003 18:21:07 +0200

It's very hard to tell from these headers where the E-mail may have come from. What you want to look at is all the headers, in the proper order (as they will also include the Declude headers). As far as REVDNS goes, the most useful header is the "XINHEADER X-Note: This E-mail was sent from %REVDNS% ([%REMOTEIP%])" header, if you have one. That shows the reverse DNS entry. Otherwise, we have to guess here (unless we know your HOP/HOPHIGH settings and want to take the time to wade through those spam-like 9 Received: headers). So I'm assuming the E-mail came from 213.165.64.100, and has a reverse DNS entry of mx0.gmx.de or mx0.gmx.net (per http://www.dnsstuff.com/tools/ptr.ch?ip=213.165.64.100 ).

> REVDNS -5 ENDSWITH .grp.scd.yahoo.com

My question would be where you are getting ".grp.scd.yahoo.com" from. Did you look at one of the IPs in the Received: headers and look up the reverse DNS entry?

> The filter was not triggered. I assume because it was forwarded by a GMX-Mailserver and so the grp.scd.yahoo.com is out of my HOPHIGH=1 settings.

Almost correct. The REVDNS test only looks at the IP address that connected to the IMail server (taking HOP/IPBYPASS into account), not any subsequent hops.

> Question: What consequences can I expect if I increase the HOPHIGH-value to 3 or 4.

It won't change the outcome of the REVDNS test. However:

> More false positives from Spam-Databases?

Very unlikely, unless you have dialup-type tests that do not have "DUL" or "DYNA" in them.

> More successful catches from Spam-Databases?

Sometimes. For example, if a spammer uses an open relay that forwards to a smart host, and the open relay is listed in a spam database but the smart host is not, the HOPHIGH could help catch that.

> Longer processing times because the number of NS-lookups are doubled or tripled?

Correct. There will be a slight delay (typically a few seconds) as the extra DNS lookups are done (but, they will all be done as a batch in parallel, rather than one-at-a-time).

-Scott
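As an added illustration of the two points Scott makes (REVDNS is evaluated only against the IP that connected to IMail, and HOPHIGH only widens which earlier hops the spam-database tests query), the Python below is not Declude's code and does no DNS: it parses the Received: chain Markus posted, reads his filter line, scores it against the connecting host, and shows which hop's reverse DNS it would have needed to see for the -5 to apply. The reverse-DNS table is an offline stand-in: the entry for 213.165.64.100 is the PTR Scott cites, the rest are taken from the names the relays announced in the headers and are assumed, not looked up. Hops are numbered top-down as this example's own convention, and hophigh_candidates counts only headers that carry an IP literal; whether Declude counts the IP-less local qmail hops is not stated in the thread.

```python
import re

# The Received: chain from Markus's post, topmost header first, as archived
# (addresses already masked, trailing "-0000" offsets truncated to "-").
RECEIVED = [
    "from mx0.gmx.net [213.165.64.100] by mail.zcom.it (SMTPD32-7.15) id A9F343600D8; Sun, 19 Oct 2003 18:21:07 +0200",
    "(qmail 2815 invoked by alias); 19 Oct 2003 16:21:07 -",
    "(qmail 2767 invoked by uid 65534); 19 Oct 2003 16:21:07 -",
    "from n17.grp.scd.yahoo.com (HELO n17.grp.scd.yahoo.com) (66.218.66.72) by mx0.gmx.net (mx035-rz3) with SMTP; 19 Oct 2003 18:21:07 +0200",
    "from [66.218.67.200] by n17.grp.scd.yahoo.com with NNFMP; 19 Oct 2003 16:21:01 -",
    "(qmail 7332 invoked from network); 19 Oct 2003 16:21:00 -",
    "from unknown (66.218.66.172) by m8.grp.scd.yahoo.com with QMQP; 19 Oct 2003 16:21:00 -",
    "from unknown (HELO mxsf15.cluster1.charter.net) (209.225.28.215) by mta4.grp.scd.yahoo.com with SMTP; 19 Oct 2003 16:21:00 -",
    "from tuscolahnjiiu5 (24.231.210.135.bay.mi.chartermi.net [24.231.210.135] (may be forged)) by mxsf15.cluster1.charter.net (8.12.9/8.12.8) with ESMTP id h9JGKnMp046823 for <[EMAIL PROTECTED]>; Sun, 19 Oct 2003 12:20:57 -0400 (EDT)",
]

# Offline stand-in for PTR lookups.  First entry per Scott's dnsstuff result;
# the others are ASSUMED from the relays' self-announced names.
REVDNS = {
    "213.165.64.100": "mx0.gmx.net",
    "66.218.66.72": "n17.grp.scd.yahoo.com",
    "66.218.67.200": None,
    "66.218.66.172": None,
    "209.225.28.215": "mxsf15.cluster1.charter.net",
    "24.231.210.135": "24.231.210.135.bay.mi.chartermi.net",
}

# Content of filter_special.txt as Markus described it (his ### markers were
# delimiters around the file, not part of it).
FILTER_SPECIAL = "REVDNS -5 ENDSWITH .grp.scd.yahoo.com\n"

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def hop_ips(received):
    """[(hop_number, ip-or-None)], hop 1 being the header our own server added."""
    out = []
    for n, hdr in enumerate(received, start=1):
        m = IPV4_RE.search(hdr)
        out.append((n, m.group(1) if m else None))
    return out


def connecting_ip(received):
    """The IP REVDNS is evaluated against: the peer in the topmost Received:
    header.  Assumes HOP=1 and that no IPBYPASS entry matches that peer."""
    return hop_ips(received)[0][1]


def parse_filter(text):
    """Parse 'REVDNS <weight> ENDSWITH <suffix>' lines into (weight, suffix).
    Only the ENDSWITH comparison used in the thread is modelled; other lines
    (comments, other tests) are skipped."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "REVDNS" and parts[2] == "ENDSWITH":
            rules.append((int(parts[1]), parts[3].lower()))
    return rules


def revdns_weight(ip, rules, revdns=REVDNS):
    """Weight the filter contributes for one IP given its reverse DNS name."""
    name = revdns.get(ip)
    if not name:
        return 0
    return sum(w for w, suffix in rules if name.lower().endswith(suffix))


def hophigh_candidates(received, hophigh):
    """IPs a HOPHIGH=n setting would expose to the spam-database tests, taking
    the first n hops that carry an IP literal (this example's reading)."""
    return [ip for _, ip in hop_ips(received) if ip][:hophigh]


if __name__ == "__main__":
    rules = parse_filter(FILTER_SPECIAL)
    ip = connecting_ip(RECEIVED)
    print(f"connecting IP {ip} rDNS={REVDNS.get(ip)} REVDNS weight={revdns_weight(ip, rules)}")
    for n, hop_ip in hop_ips(RECEIVED):
        if hop_ip:
            print(f"hop {n}: {hop_ip:16} rDNS={REVDNS.get(hop_ip)} would score {revdns_weight(hop_ip, rules)}")
    print("HOPHIGH=3 adds lookups for:", hophigh_candidates(RECEIVED, 3)[1:])
```

The output makes Scott's answer concrete: the only host REVDNS ever sees is mx0.gmx.net, which no ENDSWITH .grp.scd.yahoo.com rule can match, while the Yahoo Groups relay first appears at hop 4; raising HOPHIGH adds 66.218.66.72 and 66.218.67.200 to the addresses the database tests look up, but leaves the REVDNS result unchanged.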
[Declude.JunkMail] what's wrong with this REVDNS filter
I want to give some negative weight for the following mail headers

Received: from mx0.gmx.net [213.165.64.100] by mail.zcom.it (SMTPD32-7.15) id A9F343600D8; Sun, 19 Oct 2003 18:21:07 +0200
Received: (qmail 2815 invoked by alias); 19 Oct 2003 16:21:07 -
Delivered-To: GMX delivery to [EMAIL PROTECTED]
Received: (qmail 2767 invoked by uid 65534); 19 Oct 2003 16:21:07 -
Received: from n17.grp.scd.yahoo.com (HELO n17.grp.scd.yahoo.com) (66.218.66.72) by mx0.gmx.net (mx035-rz3) with SMTP; 19 Oct 2003 18:21:07 +0200
X-eGroups-Return: [EMAIL PROTECTED]
Received: from [66.218.67.200] by n17.grp.scd.yahoo.com with NNFMP; 19 Oct 2003 16:21:01 -
X-Sender: [EMAIL PROTECTED]
X-Apparently-To: [EMAIL PROTECTED]
Received: (qmail 7332 invoked from network); 19 Oct 2003 16:21:00 -
Received: from unknown (66.218.66.172) by m8.grp.scd.yahoo.com with QMQP; 19 Oct 2003 16:21:00 -
Received: from unknown (HELO mxsf15.cluster1.charter.net) (209.225.28.215) by mta4.grp.scd.yahoo.com with SMTP; 19 Oct 2003 16:21:00 -
Received: from tuscolahnjiiu5 (24.231.210.135.bay.mi.chartermi.net [24.231.210.135] (may be forged)) by mxsf15.cluster1.charter.net (8.12.9/8.12.8) with ESMTP id h9JGKnMp046823 for <[EMAIL PROTECTED]>; Sun, 19 Oct 2003 12:20:57 -0400 (EDT)

So I've added in my global.cfg

SFILTER filter C:\IMail\Declude\filter_special.txt x 0 0

The content of the file filter_special.txt is

###
REVDNS -5 ENDSWITH .grp.scd.yahoo.com
###

The filter was not triggered. I assume because it was forwarded by a GMX-Mailserver and so the grp.scd.yahoo.com is out of my HOPHIGH=1 settings.

Question: What consequences can I expect if I increase the HOPHIGH-value to 3 or 4.

More false positives from Spam-Databases?
More successful catches from Spam-Databases?
More false positives because I will often catch the first SMTP-sending host, which usually is a lazily configured SMTP-client (missing REVDNS, DUL-Blacklists, ...)?
Longer processing times because the number of NS-lookups are doubled or tripled?
Thanks in advance

Markus