RE: [Declude.JunkMail] OT SPF poll

2004-03-11 Thread Lyndon Eaton
After reading up on SPF, Caller-ID and Domain Keys, I'm backing SPF!

I prefer SPF over caller-id because is looks like SPF is being pushed by
the internet community in general, making it easy to adopt by all.
Caller-id on the other hand is being developed and pushed my Microsoft
(trying to take over the world! lol). Caller-id seems to be
unnecessarily longer txt fields compared to SPF, and also unnecessarily
using XML (language written by MS!)

I also prefer SPF over Domain Keys because Domain Keys seem slightly
more unnecessarily complex, with a greater overhead and harder to
implement. Does not have the same issues with mail forwarding as SPF
does, but I believe those issues can still be overcome with SPF.

Regards,
Lyndon 



Email checked by UKsubnet anti-virus service
To prevent email abuse & block spam
contact [EMAIL PROTECTED]
Tel: +44(0)8712360301 Web: www.uksubnet.net
Fax: +44(0)8712360300

Powered by UKsubnet Internet Service Provider
Business to Business Internet (ISP)


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] SPF

2004-03-11 Thread Lyndon Eaton
> There is also nothing stopping a static bulk mailer from 
> implementing SPF on their own system, and to my knowledge, 
> there is no way to stop that from happening.  

That is correct. As somebody else has said passing the SPF does not mean
the email isn't spam, and as SPF states it is aimed to work in line with
existing black lists. In that scenario it would prevent the spammer from
hijacking somebody else's domain. And as you said, if static bulk
mailers implemented SPF on their own domains, they'd be somewhat easier
to blacklist. 

> To each their own of course.  I'm just trying to document 
> some of the issues that people should look out for when 
> implementing SPF for their domains, and scoring it on their systems.

I'm sure your input is appreciated, the replies you have generated from
other members of the list have helped me see more pros in SPF in the
number of ways it is beneficial. You have certainly prompted more of a
discussion which may have helped other people on the list understand, or
made aware of SPF. 

Regards,
Lyndon.



Email checked by UKsubnet anti-virus service
To prevent email abuse & block spam
contact [EMAIL PROTECTED]
Tel: +44(0)8712360301 Web: www.uksubnet.net
Fax: +44(0)8712360300

Powered by UKsubnet Internet Service Provider
Business to Business Internet (ISP)


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


Re[2]: [Declude.JunkMail] SPF

2004-03-11 Thread Sanford Whiteman
> Example,  I  host  hundreds of domains that have no associated email
> accounts  and are not using for outbound messages. I would only HOPE
> that   you   would   NOT   deliver  spam  or  viruses  generated  as
> [EMAIL PROTECTED]

Word  to  that! You own the domain, you set the policy. Anyone who has
the  technical  ability  to interpret the policy but chooses not to is
"going rogue" or just doesn't get it.

--Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
http://www.mailmage.com/download/software/freeutils/SPAMC32/Release/

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


Re[2]: [Declude.JunkMail] SPF

2004-03-11 Thread Sanford Whiteman
> To each their own of course. I'm just trying to document some of the
> issues  that  people  should  look out for when implementing SPF for
> their domains, and scoring it on their systems.

You  still  don't  seem  to  get  the  nuances  of "my system" vs. "my
domain." Scoring SPF FAIL at anything less than immediate HOLD--unless
you  are  in  a  _purely_  experimental  phase--shows  that  you don't
understand SPF.

I  never  said  anything  about  giving  any credit to SPF PASS: it is
accepted  in  the  SPF  world  that neither PASS nor UNKNOWN will have
utility in giving "points" to mail, so that's a strawman.

Look,  if you still refuse to give the spec (or its competitors, which
basically   have  the  same  known  issues  you  mention)  a  diligent
review...well,  have  fun accepting those PayPal phishing scams in the
future, while the rest of us enjoy immunity from several kinds (though
not all kinds, certainly) of mail abuse.

--Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
http://www.mailmage.com/download/software/freeutils/SPAMC32/Release/

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] SPF

2004-03-11 Thread Andy Schmidt
Title: Message



Matt,
 
I 
think the point is, that there are TWO different decisions:
 
    a) can you implement SPF for your own domain - you say 
"No" - then don't.
    b) can you follow the SPF policies that OTHER 
administrators set for THEIR domains - apparently they want you 
to.
 
IF 
someone created an SPF policy (even if you can NOT for YOUR domains) and IS able 
of using "-all" and your server gets an email that violates the stated policy, 
then you are doing YOUR customers a favor in not delivering that 
message.
 
Example, I host hundreds of domains that have no associated email 
accounts and are not using for outbound messages. I would only HOPE that you 
would NOT deliver spam or viruses generated as [EMAIL PROTECTED]!
 
Because then YOUR costumers will try to send me (as the hoster) SPAM by 
complaining about viruses and/or advertisements that used a fake domain of 
@Gameware.com.  
Best 
RegardsAndy SchmidtH&M Systems Software, Inc.600 East Crescent 
Avenue, Suite 203Upper Saddle River, NJ 07458-1846Phone:  +1 201 934-3414 x20 
(Business)Fax:    +1 201 934-9206http://www.HM-Software.com/ 


RE: [Declude.JunkMail] SPF

2004-03-11 Thread Kevin Bilbee

> >You could setup port forwarding for the users that are blocked
> so their mail
> >goes out your server. So instead of using port 25 to send mail they could
> >use port 925 for example. The ISP probably is not blocking this.
> >
> >
> I could if I had a router capable of this, but I don't right now.
> Sounds like a good way to solve that issue of being blocked.
> Regardless, some of my customers will set up their E-mail with their ISP
> for SMTP even when it is not blocked, especially when they have multiple
> accounts configured in Outlook and it uses a master account for SMTP.  I
> can't stop this from happening.  I have actually argued with customers
> telling them to set it up this way, and if they don't, then I advise
> them to not call me (anymore) for issues relating to mail delivery.
> They still call though of course :)

You do not need a router capable of the port forwarding. There are programs
you can run on your mail server or another server to do this for you.

Check th archives it has beed discussed many times.


Kevin Bilbee

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


Re: [Declude.JunkMail] SPF

2004-03-11 Thread Matt




This is why I am not implementing SPF on my system.  As a blacklist, it
would punish some of my customers, so I would be forced to list them as
unknown which is in effect as effective as not listing them as all.  I
certainly wouldn't want to assume that since 95% of them would pass a
strict test, I should list them as known and then allow another
administrator to reject the other 5% at the SMTP envelop as has been
suggested.

As a method of crediting users, I see an increasing amount of zombie
spam being sent from legit mail servers and I don't have issues with
rejecting legitimate E-mail unless it comes from a known zombie or open
relay, and then it still generally passes.  I see no reason to give
credit for such cases, and under that form of thought, I would also not
recommend that others credit my users simply because they passed SPF
since they are certainly capable of spamming at any point in time (and
some have asked to do so in the past).  There is also nothing stopping
a static bulk mailer from implementing SPF on their own system, and to
my knowledge, there is no way to stop that from happening.  It's niche
bulk E-mail sent in low volume that has the greatest likelihood of
getting past my filters.

To each their own of course.  I'm just trying to document some of the
issues that people should look out for when implementing SPF for their
domains, and scoring it on their systems.

Matt




Sanford Whiteman wrote:

  
I  get  a lot of E-mail that would fail SPF that is in fact valid. A
lot  of  mail scripts and E-commerce sites are set up to send E-mail
notifications  with  the  Mail From generated from a user submission
(since one can just simply press reply in order to respond).

  
  
While that may imapct the willingness of the owners of some domains to
publish SPF policies, that's irrelevant to the legitimacy of mail that
does not conform to already published SPF policies.

  
  
Also, some of my own customers are blocked by their ISP's from using my 
mail server for SMTP, which means that if I configured SPF strictly for 
their domains, they would fail this test wherever implemented.

  
  
That's  right:  if you want to prevent people from forging your domain
whenever  and  wherever  they  want,  you  have to prevent people from
forging  your domain whenever and wherever you want--Q.E.D. Your "own"
users need to conform to your policies.

You're  confusing  the  _obligations_ of those who want to publish SPF
records,  and  the  related  customer  relationship  management, for a
problem in published SPF records.

  
  
If  you  opt  to  use  SPF  on  your  system,  take advantage of the
weighting capabilities of Declude, and I would suggest at most being
very cautious about how much weight you give it.

  
  
Sorry,  Matt,  but  that's a bit of FUD. If a domain owner publishes a
strict  sender  policy for mail using their registered domain, if I do
anything  but follow that policy, I am defying the wishes of the legal
owner  of the domain. To accept and deliver mail as legitimate that is
known  to be illegitimate--the SPF policy, not my subjective notion of
message  content,  dictates  legitimacy--is  putting your faith in the
wrong  place.  I  d**n  sure  hope  that nobody is testing for SPF and
delivering  mail  for the domains for which I have published policies,
especially without contacting us--I'd have very strong words for them.

Of  course,  it's  incumbent  upon  the domain owner to make sure that
their SPF policies, their AUP, and their customer relationships are in
order.  But  I  _must_  trust  that  they  are,  or I am behaving most
illogically. We HOLD on SPF FAIL.

--Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
http://www.mailmage.com/download/software/freeutils/SPAMC32/Release/

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


  


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=




RE: [Declude.JunkMail] SPF

2004-03-11 Thread Lyndon Eaton
> Also to add to Matt's comments a lot of problems also come up 
> with web forms.  This is one reason we have not yet 
> implemented SPF for our server.. Have not taken the time to 
> figure out ..

Wouldn't this be similar to a mail forwarder? Whereby implementing an
SRS system would get round the issue? (http://spf.pobox.com/srs.html)

Regards,
Lyndon.



Email checked by UKsubnet anti-virus service
To prevent email abuse & block spam
contact [EMAIL PROTECTED]
Tel: +44(0)8712360301 Web: www.uksubnet.net
Fax: +44(0)8712360300

Powered by UKsubnet Internet Service Provider
Business to Business Internet (ISP)


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


Re[2]: [Declude.JunkMail] SPF

2004-03-11 Thread Sanford Whiteman
> I  get  a lot of E-mail that would fail SPF that is in fact valid. A
> lot  of  mail scripts and E-commerce sites are set up to send E-mail
> notifications  with  the  Mail From generated from a user submission
> (since one can just simply press reply in order to respond).

While that may imapct the willingness of the owners of some domains to
publish SPF policies, that's irrelevant to the legitimacy of mail that
does not conform to already published SPF policies.

> Also, some of my own customers are blocked by their ISP's from using my 
> mail server for SMTP, which means that if I configured SPF strictly for 
> their domains, they would fail this test wherever implemented.

That's  right:  if you want to prevent people from forging your domain
whenever  and  wherever  they  want,  you  have to prevent people from
forging  your domain whenever and wherever you want--Q.E.D. Your "own"
users need to conform to your policies.

You're  confusing  the  _obligations_ of those who want to publish SPF
records,  and  the  related  customer  relationship  management, for a
problem in published SPF records.

> If  you  opt  to  use  SPF  on  your  system,  take advantage of the
> weighting capabilities of Declude, and I would suggest at most being
> very cautious about how much weight you give it.

Sorry,  Matt,  but  that's a bit of FUD. If a domain owner publishes a
strict  sender  policy for mail using their registered domain, if I do
anything  but follow that policy, I am defying the wishes of the legal
owner  of the domain. To accept and deliver mail as legitimate that is
known  to be illegitimate--the SPF policy, not my subjective notion of
message  content,  dictates  legitimacy--is  putting your faith in the
wrong  place.  I  d**n  sure  hope  that nobody is testing for SPF and
delivering  mail  for the domains for which I have published policies,
especially without contacting us--I'd have very strong words for them.

Of  course,  it's  incumbent  upon  the domain owner to make sure that
their SPF policies, their AUP, and their customer relationships are in
order.  But  I  _must_  trust  that  they  are,  or I am behaving most
illogically. We HOLD on SPF FAIL.

--Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
http://www.mailmage.com/download/software/freeutils/SPAMC32/Release/

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] SPF

2004-03-11 Thread Lyndon Eaton
> > I get a lot of E-mail that would fail SPF that is in fact valid.  A 
> > lot of mail scripts and E-commerce sites are set up to send E-mail 
> > notifications with the Mail From generated from a user submission 
> > (since one can just simply press reply in order to respond).
> 
> Many e-commerce sites do this type of stuff improperly. They 
> should use an address from their site as the from with the 
> reply-to header for where you ar to reply to.

I'd agree. Admittedly that's not how our own sites are set to work right
now but I'd change them to confirm to new standards aimed at improving
email authenticity and reducing spam. The internet community has to be
proactive and cooperative if things are to improve.

> > Also, some of my own customers are blocked by their ISP's 
> from using 
> > my mail server for SMTP, which means that if I configured 
> SPF strictly 
> > for their domains, they would fail this test wherever implemented.
> 
> You could setup port forwarding for the users that are 
> blocked so their mail goes out your server. So instead of 
> using port 25 to send mail they could use port 925 for 
> example. The ISP probably is not blocking this.

I'd accept this as an issue, but I'd say this one is down to the client.
The client should be advised to choose an ISP who supports pro-active
measures for reducing spam and improving email authenticity, or accept
the fact that their emails may not be delivered to some companies/ISPs.
This would be similar to clients who use ISPs that are black listed for
whatever reason, or their own server is open relay, and then whinge when
their emails don't get through. Alternatively you could add the IP range
of their ISP to their domain records that you host - better than
nothing. 

> > If you opt to use SPF on your system, take advantage of the 
> weighting 
> > capabilities of Declude, and I would suggest at most being very 
> > cautious about how much weight you give it.

If a domain is using SPF, and an email is received from an invalid
client IP, you should have the option to reject before receiving.
However in the case with some of your domains, you'd probably use the
neutral or pass all mechanism, allowing others to accept the email but
apply a weighting to it. Wouldn't you agree? It's a two way thing, 1) up
to the receive to decide how stringent they want to be 2) up to the
hostmaster/postmaster to decide what other people should do with emails
received from their domain not passing the SPF test.

Regards,
Lyndon.




Email checked by UKsubnet anti-virus service
To prevent email abuse & block spam
contact [EMAIL PROTECTED]
Tel: +44(0)8712360301 Web: www.uksubnet.net
Fax: +44(0)8712360300

Powered by UKsubnet Internet Service Provider
Business to Business Internet (ISP)


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


Re: [Declude.JunkMail] SPF

2004-03-11 Thread Matt
Kevin Bilbee wrote:

Many e-commerce sites do this type of stuff improperly. They should use an
address from their site as the from with the reply-to header for where you
ar to reply to.
 

They should only because of spam blocking, but in practice, many don't.  
The bigger ones have of course mostly figured this out, but for 
instance, I host a lot of car dealers, and every third-party lead 
generation system out there displays this behavior, including those 
maintained by the automakers themselves.  Contact forms on the majority 
of Web sites will also normally display this behavior.  Although I now 
use Reply-To addresses to circumvent this issue myself, I have many 
forms that still do this that I have coded over the years, and trying to 
explain to developers why this is necessary is hit or miss.

You could setup port forwarding for the users that are blocked so their mail
goes out your server. So instead of using port 25 to send mail they could
use port 925 for example. The ISP probably is not blocking this.
 

I could if I had a router capable of this, but I don't right now.  
Sounds like a good way to solve that issue of being blocked.  
Regardless, some of my customers will set up their E-mail with their ISP 
for SMTP even when it is not blocked, especially when they have multiple 
accounts configured in Outlook and it uses a master account for SMTP.  I 
can't stop this from happening.  I have actually argued with customers 
telling them to set it up this way, and if they don't, then I advise 
them to not call me (anymore) for issues relating to mail delivery.  
They still call though of course :)

Matt

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] SPF

2004-03-11 Thread Kami Razvan
Lyndon:

Also to add to Matt's comments a lot of problems also come up with web
forms.  This is one reason we have not yet implemented SPF for our server..
Have not taken the time to figure out ..

Imagine someone on CNN's site using the eMail friend - to show you this I
went to CNN and sent myself an email using the email feature.  Look at the
header:

X-Note: Spool File: Db7d90d5d018a63fd.SMD
X-Note: Server Name: relay.clickability.com
X-Note: SMTP Sender: [EMAIL PROTECTED]
X-Note: Reverse DNS & IP: relay.clickability.com [208.184.224.73]
X-Note: Recipient(s):  [EMAIL PROTECTED]
X-Note: Country Chain: UNITED STATES->destination

If we delete an email base on SPF of ClickandPledge it would be deleted.

Hope this helps.

Kami

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Thursday, March 11, 2004 1:48 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] SPF

Lyndon,

I get a lot of E-mail that would fail SPF that is in fact valid.  A lot of
mail scripts and E-commerce sites are set up to send E-mail notifications
with the Mail From generated from a user submission (since one can just
simply press reply in order to respond).

Also, some of my own customers are blocked by their ISP's from using my mail
server for SMTP, which means that if I configured SPF strictly for their
domains, they would fail this test wherever implemented.

If you opt to use SPF on your system, take advantage of the weighting
capabilities of Declude, and I would suggest at most being very cautious
about how much weight you give it.

Matt



Lyndon Eaton wrote:

>That's a real shame! If you received a negative response from an SPF 
>participating domain, you should be able to reject the message straight 
>off. That way you aren't left 'carrying the can' so to speak, and the 
>email gets stuck with the HiJacked server or the spammer. Similar to 
>how AOL reject connected if the rev DNS lookup fails.
>
>
>
>Email checked by UKsubnet anti-virus service  
>To prevent email abuse & block spam   
>contact [EMAIL PROTECTED]
>Tel: +44(0)8712360301 Web: www.uksubnet.net
>Fax: +44(0)8712360300
>
>Powered by UKsubnet Internet Service Provider Business to Business 
>Internet (ISP)
>
>
>---
>[This E-mail was scanned for viruses by Declude Virus 
>(http://www.declude.com)]
>
>---
>This E-mail came from the Declude.JunkMail mailing list.  To 
>unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type 
>"unsubscribe Declude.JunkMail".  The archives can be found at 
>http://www.mail-archive.com.
>
>
>  
>

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] SPF

2004-03-11 Thread Kevin Bilbee


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Matt
> Sent: Thursday, March 11, 2004 10:48 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] SPF
>
>
> Lyndon,
>
> I get a lot of E-mail that would fail SPF that is in fact valid.  A lot
> of mail scripts and E-commerce sites are set up to send E-mail
> notifications with the Mail From generated from a user submission (since
> one can just simply press reply in order to respond).

Many e-commerce sites do this type of stuff improperly. They should use an
address from their site as the from with the reply-to header for where you
ar to reply to.

>
> Also, some of my own customers are blocked by their ISP's from using my
> mail server for SMTP, which means that if I configured SPF strictly for
> their domains, they would fail this test wherever implemented.

You could setup port forwarding for the users that are blocked so their mail
goes out your server. So instead of using port 25 to send mail they could
use port 925 for example. The ISP probably is not blocking this.

>
> If you opt to use SPF on your system, take advantage of the weighting
> capabilities of Declude, and I would suggest at most being very cautious
> about how much weight you give it.
>
> Matt
>
>
>
> Lyndon Eaton wrote:
>
> >That's a real shame! If you received a negative response from an SPF
> >participating domain, you should be able to reject the message straight
> >off. That way you aren't left 'carrying the can' so to speak, and the
> >email gets stuck with the HiJacked server or the spammer. Similar to how
> >AOL reject connected if the rev DNS lookup fails.
> >
> >
> >
> >Email checked by UKsubnet anti-virus service
> >To prevent email abuse & block spam
> >contact [EMAIL PROTECTED]
> >Tel: +44(0)8712360301 Web: www.uksubnet.net
> >Fax: +44(0)8712360300
> >
> >Powered by UKsubnet Internet Service Provider
> >Business to Business Internet (ISP)
> >
> >
> >---
> >[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]
>
>---
>This E-mail came from the Declude.JunkMail mailing list.  To
>unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
>type "unsubscribe Declude.JunkMail".  The archives can be found
>at http://www.mail-archive.com.
>
>
>
>

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] SPF

2004-03-11 Thread R. Scott Perry

There are four, - fail, ~ softfail, + pass & ? Neutral.

There are also:
error (if the DNS fails)
unknown (if the syntax is unrecognised)
none (if there is no SPF info)
How do these difference responses work? Apologies if these have already
been covered...
Those have apparently changed since the original frozen RFC proposal, but 
are really implementation specific.  I'll look into those.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] SPF

2004-03-11 Thread Lyndon Eaton
There are four, - fail, ~ softfail, + pass & ? Neutral.

There are also:
error (if the DNS fails)
unknown (if the syntax is unrecognised)
none (if there is no SPF info)

How do these difference responses work? Apologies if these have already
been covered...


-Original Message-
From: Kevin Bilbee [mailto:[EMAIL PROTECTED] 
Sent: 11 March 2004 18:37
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] SPF


Scott I remember an issue with SPF that does not fall into pass or fail
but if they use the ? in the spf record the email may be a maby.

Has this been resoved? Or am I understanding it improperly?

I do not want to negative weight a maby if it falls into the pass
category. I know I do not have to negative weight and can use the fail
only.


Kevin Bilbee




> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
> Sent: Thursday, March 11, 2004 10:03 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.JunkMail] SPF
>
>
>
> >First I'd heard about SPF. Sounds like a way forward!
> >
> >On the SPF site is says SPF is supported by Declude, how can I begin 
> >to check inbound emails for SPF?
>
> Here's a copy of my original post.  The latest beta version (1.78) and

> recent interims have the SPF support.
>
> ---
> For those that are interested, we now have an interim release with SPF

> support in it.  [interim information removed] To use the new SPF test,

> you can add lines such as:
>
> SPFPASS spf passx   -5  0
> SPFFAIL spf failx   8   0
>
> to your global.cfg file.  SPF returns "PASS" for E-mail that passes 
> SPF (that comes from an IP that is acceptable to the owner of the 
> domani that it claims to be coming from), "FAIL" for E-mail that fails

> SPF (that does not come from an acceptable IP for the domain), or 
> "UNKNOWN" (for E-mail from domains that do not use SPF yet, or for 
> some other reason should return UNKNOWN).
>
> This will help reduce false positives (for domains that have SPF 
> support), and help capture more spam (as spam comes in from domains 
> that have SPF support, but the spammer isn't using an acceptable IP).
> ---
>
> -Scott
> ---
> Declude JunkMail: The advanced anti-spam solution for IMail 
> mailservers since 2000. Declude Virus: Catches known viruses and is 
> the leader in mailserver vulnerability detection.
> Find out what you've been missing: Ask for a free 30-day evaluation.
>
> ---
> [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
"unsubscribe Declude.JunkMail".  The archives can be found at
http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
"unsubscribe Declude.JunkMail".  The archives can be found at
http://www.mail-archive.com.



Email checked by UKsubnet anti-virus service  
To prevent email abuse & block spam   
contact [EMAIL PROTECTED]
Tel: +44(0)8712360301 Web: www.uksubnet.net
Fax: +44(0)8712360300 

Powered by UKsubnet Internet Service Provider
Business to Business Internet (ISP)





Email checked by UKsubnet anti-virus service
To prevent email abuse & block spam
contact [EMAIL PROTECTED]
Tel: +44(0)8712360301 Web: www.uksubnet.net
Fax: +44(0)8712360300

Powered by UKsubnet Internet Service Provider
Business to Business Internet (ISP)


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


Re: [Declude.JunkMail] SPF

2004-03-11 Thread Matt
Lyndon,

I get a lot of E-mail that would fail SPF that is in fact valid.  A lot 
of mail scripts and E-commerce sites are set up to send E-mail 
notifications with the Mail From generated from a user submission (since 
one can just simply press reply in order to respond).

Also, some of my own customers are blocked by their ISP's from using my 
mail server for SMTP, which means that if I configured SPF strictly for 
their domains, they would fail this test wherever implemented.

If you opt to use SPF on your system, take advantage of the weighting 
capabilities of Declude, and I would suggest at most being very cautious 
about how much weight you give it.

Matt



Lyndon Eaton wrote:

That's a real shame! If you received a negative response from an SPF
participating domain, you should be able to reject the message straight
off. That way you aren't left 'carrying the can' so to speak, and the
email gets stuck with the HiJacked server or the spammer. Similar to how
AOL reject connected if the rev DNS lookup fails. 


Email checked by UKsubnet anti-virus service  
To prevent email abuse & block spam   
contact [EMAIL PROTECTED]
Tel: +44(0)8712360301 Web: www.uksubnet.net
Fax: +44(0)8712360300 

Powered by UKsubnet Internet Service Provider
Business to Business Internet (ISP)

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
 

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] SPF

2004-03-11 Thread R. Scott Perry

Scott I remember an issue with SPF that does not fall into pass or fail but
if they use the ? in the spf record the email may be a maby.
Has this been resoved? Or am I understanding it improperly?
That isn't an issue -- it's just how SPF works.  The "?" means 
"Unknown".  For example, "v=spf1 +mx ?all" means "Anyone sending from an IP 
in our MX record is OK, anyone else should go through standard spam filtering".

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] SPF

2004-03-11 Thread Kevin Bilbee
Scott I remember an issue with SPF that does not fall into pass or fail but
if they use the ? in the spf record the email may be a maby.

Has this been resoved? Or am I understanding it improperly?

I do not want to negative weight a maby if it falls into the pass category.
I know I do not have to negative weight and can use the fail only.


Kevin Bilbee




> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
> Sent: Thursday, March 11, 2004 10:03 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.JunkMail] SPF
>
>
>
> >First I'd heard about SPF. Sounds like a way forward!
> >
> >On the SPF site is says SPF is supported by Declude, how can I begin to
> >check inbound emails for SPF?
>
> Here's a copy of my original post.  The latest beta version (1.78) and
> recent interims have the SPF support.
>
> ---
> For those that are interested, we now have an interim release with SPF
> support in it.  [interim information removed] To use the new SPF
> test, you
> can add lines such as:
>
> SPFPASS spf passx   -5  0
> SPFFAIL spf failx   8   0
>
> to your global.cfg file.  SPF returns "PASS" for E-mail that passes SPF
> (that comes from an IP that is acceptable to the owner of the domani that
> it claims to be coming from), "FAIL" for E-mail that fails SPF (that does
> not come from an acceptable IP for the domain), or "UNKNOWN" (for E-mail
> from domains that do not use SPF yet, or for some other reason should
> return UNKNOWN).
>
> This will help reduce false positives (for domains that have SPF
> support),
> and help capture more spam (as spam comes in from domains that have SPF
> support, but the spammer isn't using an acceptable IP).
> ---
>
> -Scott
> ---
> Declude JunkMail: The advanced anti-spam solution for IMail mailservers
> since 2000.
> Declude Virus: Catches known viruses and is the leader in mailserver
> vulnerability detection.
> Find out what you've been missing: Ask for a free 30-day evaluation.
>
> ---
> [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] SPF

2004-03-11 Thread Lyndon Eaton
That's a real shame! If you received a negative response from an SPF
participating domain, you should be able to reject the message straight
off. That way you aren't left 'carrying the can' so to speak, and the
email gets stuck with the HiJacked server or the spammer. Similar to how
AOL reject connected if the rev DNS lookup fails. 



Email checked by UKsubnet anti-virus service
To prevent email abuse & block spam
contact [EMAIL PROTECTED]
Tel: +44(0)8712360301 Web: www.uksubnet.net
Fax: +44(0)8712360300

Powered by UKsubnet Internet Service Provider
Business to Business Internet (ISP)


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] SPF

2004-03-11 Thread R. Scott Perry

One more question, In the event we want to reject an email that fails
the SPF test for a SPF participating domain, is Declude able to reject
incoming emails before receiving the message body? IE terminate the SMTP
connection?
No.  IMail doesn't have the ability to do that, either with or without 
third party programs (not even IMail v8's anti-spam can do that).

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] SPF

2004-03-11 Thread Lyndon Eaton
You can use SPF to just check. But it would work best when you do both.
Otherwise if nobody implemented, nobody would have anything to check
against - catch 22. 

By implementing you also protect your own domain(s) from being spoofed
(providing the recipient checks against SPF). The more publicity SPF
gets and the more IT bods that implement it, the better everything will
get (in my opinion).



-Original Message-
From: John Carter [mailto:[EMAIL PROTECTED] 
Sent: 11 March 2004 18:28
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] SPF


Forgive the ignorance.  To use the SPF test, do we have to have
implemented SPF ourselves or can it be used to check against those who
have?

Thanks,
John


---
For those that are interested, we now have an interim release with SPF 
support in it.  [interim information removed] To use the new SPF test,
you 
can add lines such as:

SPFPASS spf passx   -5  0
SPFFAIL spf failx   8   0

to your global.cfg file.  SPF returns "PASS" for E-mail that passes SPF 
(that comes from an IP that is acceptable to the owner of the domani
that 
it claims to be coming from), "FAIL" for E-mail that fails SPF (that
does 
not come from an acceptable IP for the domain), or "UNKNOWN" (for E-mail

from domains that do not use SPF yet, or for some other reason should 
return UNKNOWN).

This will help reduce false positives (for domains that have SPF
support), 
and help capture more spam (as spam comes in from domains that have SPF 
support, but the spammer isn't using an acceptable IP).
---

-Scott

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
"unsubscribe Declude.JunkMail".  The archives can be found at
http://www.mail-archive.com.



Email checked by UKsubnet anti-virus service  
To prevent email abuse & block spam   
contact [EMAIL PROTECTED]
Tel: +44(0)8712360301 Web: www.uksubnet.net
Fax: +44(0)8712360300 

Powered by UKsubnet Internet Service Provider
Business to Business Internet (ISP)





Email checked by UKsubnet anti-virus service
To prevent email abuse & block spam
contact [EMAIL PROTECTED]
Tel: +44(0)8712360301 Web: www.uksubnet.net
Fax: +44(0)8712360300

Powered by UKsubnet Internet Service Provider
Business to Business Internet (ISP)


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] SPF

2004-03-11 Thread John Carter
Forgive the ignorance.  To use the SPF test, do we have to have
implemented SPF ourselves or can it be used to check against those who
have?

Thanks,
John


---
For those that are interested, we now have an interim release with SPF 
support in it.  [interim information removed] To use the new SPF test,
you 
can add lines such as:

SPFPASS spf passx   -5  0
SPFFAIL spf failx   8   0

to your global.cfg file.  SPF returns "PASS" for E-mail that passes SPF 
(that comes from an IP that is acceptable to the owner of the domani
that 
it claims to be coming from), "FAIL" for E-mail that fails SPF (that
does 
not come from an acceptable IP for the domain), or "UNKNOWN" (for E-mail

from domains that do not use SPF yet, or for some other reason should 
return UNKNOWN).

This will help reduce false positives (for domains that have SPF
support), 
and help capture more spam (as spam comes in from domains that have SPF 
support, but the spammer isn't using an acceptable IP).
---

-Scott

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] OT SPF SRS

2004-03-11 Thread Lyndon Eaton
What is the best way to implement SRS in Imail? Maybe one for the Imail
list (or SRS somewhere).

Regards,
Lyndon.



Email checked by UKsubnet anti-virus service
To prevent email abuse & block spam
contact [EMAIL PROTECTED]
Tel: +44(0)8712360301 Web: www.uksubnet.net
Fax: +44(0)8712360300

Powered by UKsubnet Internet Service Provider
Business to Business Internet (ISP)


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] SPF

2004-03-11 Thread Lyndon Eaton
Thanks for that Scott!

One more question, In the event we want to reject an email that fails
the SPF test for a SPF participating domain, is Declude able to reject
incoming emails before receiving the message body? IE terminate the SMTP
connection?

Regards,
Lyndon.



-Original Message-
From: R. Scott Perry [mailto:[EMAIL PROTECTED] 
Sent: 11 March 2004 18:03
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] SPF



>First I'd heard about SPF. Sounds like a way forward!
>
>On the SPF site is says SPF is supported by Declude, how can I begin to

>check inbound emails for SPF?

Here's a copy of my original post.  The latest beta version (1.78) and 
recent interims have the SPF support.

---
For those that are interested, we now have an interim release with SPF 
support in it.  [interim information removed] To use the new SPF test,
you 
can add lines such as:

SPFPASS spf passx   -5  0
SPFFAIL spf failx   8   0

to your global.cfg file.  SPF returns "PASS" for E-mail that passes SPF 
(that comes from an IP that is acceptable to the owner of the domani
that 
it claims to be coming from), "FAIL" for E-mail that fails SPF (that
does 
not come from an acceptable IP for the domain), or "UNKNOWN" (for E-mail

from domains that do not use SPF yet, or for some other reason should 
return UNKNOWN).

This will help reduce false positives (for domains that have SPF
support), 
and help capture more spam (as spam comes in from domains that have SPF 
support, but the spammer isn't using an acceptable IP).
---

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
"unsubscribe Declude.JunkMail".  The archives can be found at
http://www.mail-archive.com.



Email checked by UKsubnet anti-virus service  
To prevent email abuse & block spam   
contact [EMAIL PROTECTED]
Tel: +44(0)8712360301 Web: www.uksubnet.net
Fax: +44(0)8712360300 

Powered by UKsubnet Internet Service Provider
Business to Business Internet (ISP)





Email checked by UKsubnet anti-virus service
To prevent email abuse & block spam
contact [EMAIL PROTECTED]
Tel: +44(0)8712360301 Web: www.uksubnet.net
Fax: +44(0)8712360300

Powered by UKsubnet Internet Service Provider
Business to Business Internet (ISP)


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] SPF

2004-03-11 Thread R. Scott Perry

First I'd heard about SPF. Sounds like a way forward!

On the SPF site is says SPF is supported by Declude, how can I begin to
check inbound emails for SPF?
Here's a copy of my original post.  The latest beta version (1.78) and 
recent interims have the SPF support.

---
For those that are interested, we now have an interim release with SPF 
support in it.  [interim information removed] To use the new SPF test, you 
can add lines such as:

SPFPASS spf passx   -5  0
SPFFAIL spf failx   8   0
to your global.cfg file.  SPF returns "PASS" for E-mail that passes SPF 
(that comes from an IP that is acceptable to the owner of the domani that 
it claims to be coming from), "FAIL" for E-mail that fails SPF (that does 
not come from an acceptable IP for the domain), or "UNKNOWN" (for E-mail 
from domains that do not use SPF yet, or for some other reason should 
return UNKNOWN).

This will help reduce false positives (for domains that have SPF support), 
and help capture more spam (as spam comes in from domains that have SPF 
support, but the spammer isn't using an acceptable IP).
---

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


RE: SPF [Declude.JunkMail]

2004-03-11 Thread Lyndon Eaton
First I'd heard about SPF. Sounds like a way forward!

On the SPF site is says SPF is supported by Declude, how can I begin to
check inbound emails for SPF?

Regards,
Lyndon.



Email checked by UKsubnet anti-virus service
To prevent email abuse & block spam
contact [EMAIL PROTECTED]
Tel: +44(0)8712360301 Web: www.uksubnet.net
Fax: +44(0)8712360300

Powered by UKsubnet Internet Service Provider
Business to Business Internet (ISP)


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


[Declude.JunkMail] SPF poll

2004-03-11 Thread R. Scott Perry
FYI, there is a poll about SPF, DomainKeys and Caller-ID on the 
winnetmag.com website.  For those who support SPF, you may want to vote at 
http://www.winnetmag.com/windowssecurity (the "Instant Poll" section on the 
right side of the screen).  Note that it is (unfortunately) listed as 
"Sender Policy Framework" rather than SPF, but it's still SPF.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


Re: [Declude.JunkMail] 2,000,000 + emails today

2004-03-11 Thread Darin Cox
Sounds like you have a sales "opportunity" to get them on filtering, but
also sounds like filtering won't help with the flood.  Is this flood with or
without the nobody alias?

I would definitely be contacting the authorities as this amounts to a DOS
attack.  Maybe others who have dealt with this before can offer advice on
who to contact and how to work with them...?

Darin.


- Original Message - 
From: "Darryl Koster" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, March 11, 2004 10:06 AM
Subject: RE: [Declude.JunkMail] 2,000,000 + emails today




The problem with it is we give clients the choice if they want to be on the
filters or not, they have made the choice not to be on the filters. We put
them on it anyway and then we ended having to remove the mx records for
them. The qmail server (our spool server) had no problems keep up, it kept
on accepting mail etc. The problem came in though when we had 100,000 plus
in the queue and it kept sending all these e-mails over to the imail server
ever x minutes and it would flood the server, after 12 hours the servers
just could not keep up anymore with the amount of incoming and outgoing
mails.

Darryl

PS. As I think I stated earlier, knowing me I have something wrong on some
shi**y little setting I have not looked at in years and its causing a
problem now.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Wednesday, March 10, 2004 10:45 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] 2,000,000 + emails today

Hmmm...so no chance of an envelope rejection when it's destined for valid
email addresses.  Anyone heard of envelope rejection by subject word/phrase?
That could be useful in the future as they get more nimble.  Perhaps even
Bayesian filtering on it...

Darryl, it looks like there's no choice but to process the messages (I'm
sure most will get junked by your filters), and gather evidence in hope that
authorities can use it to track down and shut down the spammer.

Darin.


- Original Message - 
From: "Matt" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, March 10, 2004 9:16 PM
Subject: Re: [Declude.JunkMail] 2,000,000 + emails today


In this case, headers don't provide any benefit because this stuff all
comes from zombies with forged info.  It's the payload links, where they
might be redirected to and/or is hosted , where their DNS is hosted, and
where their names were registered.  Chances are that everything can be
tracked back to the same spam gang.

I searched the newsgroups for one of the subjects, and found a bunch of
zero day domains, one of which was still active and hosting images for
this spam, turwy33.info.  I then looked up the IP and found it listed in
SBL fresh as of today:

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL14807

This has been attributed to ROKSO spammer MailTrain, who's evidence file
can be found at the following:

http://www.spamhaus.org/rokso/listing.lasso?-op=cn&spammer=MailTrain

Here's the full list of their current SBL listings...lots from China, as
all good pill spammers who need dishonest hosts go (unless they can get
a good rate at Exodus):


http://www.spamhaus.org/rokso/sbl_listings.lasso?spammer=MailTrain&rokso_id=
ROK

One of the contacts listed in SBL shows that at least one of these guys
is Scott's neighbor (figuratively).

I would be curious about whether or not this was the same spammer
causing issues with Darin.  Nevertheless, everyone should turn off the
Nobody alias for fear that they might get harvested from not rejecting a
dictionary attack during the SMTP envelope.

Matt



Darryl Koster wrote:

>We generally do not have nobody alias's set on the domains we have, this
was
>set up to capture some of the emails that were being held by the server so
>we could look at the headers. Once we knew we had enough of them to work
>with we removed the nobody alias. Basically those 10 Megs worth of emails
>span about 10 minutes worth of time.
>
>
>Here are a couple sample headers. The IP range found within some of the
>(207.164.190.***) is our IP Range.
>
>
>Take a look, there are two of them I have not been able to find any
>similarities between them. There are hundreds like this.
>
>
>
>Darryl Koster
>
>
>
>---HEADER ONE --
>>From <[EMAIL PROTECTED]> Wed Mar 10 15:30:58 2004
>Received: from mx2.statusconcepts.com [207.164.190.21] by
>mail.statustechnologies.com
>  (SMTPD32-7.07) id AAF069B8010C; Wed, 10 Mar 2004 15:30:40 -0500
>Received: (qmail 32104 invoked from network); 10 Mar 2004 16:44:32 -
>Received: from spr1-brig5-3-0-cust133.lond.broadband.ntl.com (80.3.72.133)
>  by mx2.statusconcepts.com with SMTP; 10 Mar 2004 16:44:32 -
>Received: from (HELO idif) [126.202.95.91] by
>spr1-brig5-3-0-cust133.lond.broadband.ntl.com SMTP id T5WrKU8YPux1cX; Sat,
>13 Mar 2004 15:38:00 -0600
>Message-ID: <[EMAIL PROTECTED]>
>From: "Lakisha Woody" <[EMAIL PROTECTED]>
>Reply

RE: [Declude.JunkMail] 2,000,000 + emails today

2004-03-11 Thread Darryl Koster


The problem with it is we give clients the choice if they want to be on the
filters or not, they have made the choice not to be on the filters. We put
them on it anyway and then we ended having to remove the mx records for
them. The qmail server (our spool server) had no problems keep up, it kept
on accepting mail etc. The problem came in though when we had 100,000 plus
in the queue and it kept sending all these e-mails over to the imail server
ever x minutes and it would flood the server, after 12 hours the servers
just could not keep up anymore with the amount of incoming and outgoing
mails. 

Darryl

PS. As I think I stated earlier, knowing me I have something wrong on some
shi**y little setting I have not looked at in years and its causing a
problem now.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Wednesday, March 10, 2004 10:45 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] 2,000,000 + emails today

Hmmm...so no chance of an envelope rejection when it's destined for valid
email addresses.  Anyone heard of envelope rejection by subject word/phrase?
That could be useful in the future as they get more nimble.  Perhaps even
Bayesian filtering on it...

Darryl, it looks like there's no choice but to process the messages (I'm
sure most will get junked by your filters), and gather evidence in hope that
authorities can use it to track down and shut down the spammer.

Darin.


- Original Message - 
From: "Matt" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, March 10, 2004 9:16 PM
Subject: Re: [Declude.JunkMail] 2,000,000 + emails today


In this case, headers don't provide any benefit because this stuff all
comes from zombies with forged info.  It's the payload links, where they
might be redirected to and/or is hosted , where their DNS is hosted, and
where their names were registered.  Chances are that everything can be
tracked back to the same spam gang.

I searched the newsgroups for one of the subjects, and found a bunch of
zero day domains, one of which was still active and hosting images for
this spam, turwy33.info.  I then looked up the IP and found it listed in
SBL fresh as of today:

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL14807

This has been attributed to ROKSO spammer MailTrain, who's evidence file
can be found at the following:

http://www.spamhaus.org/rokso/listing.lasso?-op=cn&spammer=MailTrain

Here's the full list of their current SBL listings...lots from China, as
all good pill spammers who need dishonest hosts go (unless they can get
a good rate at Exodus):


http://www.spamhaus.org/rokso/sbl_listings.lasso?spammer=MailTrain&rokso_id=
ROK

One of the contacts listed in SBL shows that at least one of these guys
is Scott's neighbor (figuratively).

I would be curious about whether or not this was the same spammer
causing issues with Darin.  Nevertheless, everyone should turn off the
Nobody alias for fear that they might get harvested from not rejecting a
dictionary attack during the SMTP envelope.

Matt



Darryl Koster wrote:

>We generally do not have nobody alias's set on the domains we have, this
was
>set up to capture some of the emails that were being held by the server so
>we could look at the headers. Once we knew we had enough of them to work
>with we removed the nobody alias. Basically those 10 Megs worth of emails
>span about 10 minutes worth of time.
>
>
>Here are a couple sample headers. The IP range found within some of the
>(207.164.190.***) is our IP Range.
>
>
>Take a look, there are two of them I have not been able to find any
>similarities between them. There are hundreds like this.
>
>
>
>Darryl Koster
>
>
>
>---HEADER ONE --
>>From <[EMAIL PROTECTED]> Wed Mar 10 15:30:58 2004
>Received: from mx2.statusconcepts.com [207.164.190.21] by
>mail.statustechnologies.com
>  (SMTPD32-7.07) id AAF069B8010C; Wed, 10 Mar 2004 15:30:40 -0500
>Received: (qmail 32104 invoked from network); 10 Mar 2004 16:44:32 -
>Received: from spr1-brig5-3-0-cust133.lond.broadband.ntl.com (80.3.72.133)
>  by mx2.statusconcepts.com with SMTP; 10 Mar 2004 16:44:32 -
>Received: from (HELO idif) [126.202.95.91] by
>spr1-brig5-3-0-cust133.lond.broadband.ntl.com SMTP id T5WrKU8YPux1cX; Sat,
>13 Mar 2004 15:38:00 -0600
>Message-ID: <[EMAIL PROTECTED]>
>From: "Lakisha Woody" <[EMAIL PROTECTED]>
>Reply-To: "Lakisha Woody" <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Cc: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>,
><[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>,
><[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>,
><[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>,
<[EMAIL PROTECTED]>,
><[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
>Subject: turn your Spud into a stud!! m
>Date: Sat, 13 Mar 04 15:38:00 GMT
>X-Mailer: Microsoft Outlook Express 6.00.2462.
>MIME-Version: 1.0
>Content-Type: multipart/alternative;
> boundary="B0DD5_.B3._

RE: [Declude.JunkMail] Declude, Outlook 2003 and Spamheadersfailed?

2004-03-11 Thread Lyndon Eaton
Amazing!

-Original Message-
Yes. Apparently, a small percentage of their customers complained that
the 
Message-ID: header included information they did not want others to 
see.  Instead of adding an option to either disable the Message-ID:
header 
or alter the content used in it, they opted to remove it completely,
with 
the understanding that all Outlook 2003 customers are more likely to
have 
their E-mail tagged as spam than they otherwise would.

-Scott



Email checked by UKsubnet anti-virus service
To prevent email abuse & block spam
contact [EMAIL PROTECTED]
Tel: +44(0)8712360301 Web: www.uksubnet.net
Fax: +44(0)8712360300

Powered by UKsubnet Internet Service Provider
Business to Business Internet (ISP)


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


Re: [Declude.JunkMail] Declude, Outlook 2003 and Spamheaders failed?

2004-03-11 Thread R. Scott Perry

a customer uses Outlook 2003 and his mail fails the Spamheaders Test
421e.
Correct.

is this an known feature? ;)
Yes. Apparently, a small percentage of their customers complained that the 
Message-ID: header included information they did not want others to 
see.  Instead of adding an option to either disable the Message-ID: header 
or alter the content used in it, they opted to remove it completely, with 
the understanding that all Outlook 2003 customers are more likely to have 
their E-mail tagged as spam than they otherwise would.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


[Declude.JunkMail] Declude, Outlook 2003 and Spamheaders failed?

2004-03-11 Thread Hirthe, Alexander
Hello,

a customer uses Outlook 2003 and his mail fails the Spamheaders Test
421e. 

this is:
-
This E-mail is missing a Message-ID: header. Although it is legal not to
have one, the RFCs say that E-mails SHOULD have this (which, in RFC terms,
means that you must have the Message-ID: header or accept the consequences
-- in this case, the E-mail may be treated as spam). Note that you may see a
Message-ID: header; if so, it was one that IMail added later.
-
is this an known feature? ;)

I lowered the weight for Spamheaders, is this the solution? ;)

Alex 
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] OT: Imail Queue manager and gateway

2004-03-11 Thread Mark Smith
So should I just disable the DNS Cache and skip list then?

Mark

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of John
> Tolmachoff (Lists)
> Sent: Wednesday, March 10, 2004 5:45 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.JunkMail] OT: Imail Queue manager and gateway
>
> You can not disable the Queue Manager. That is the delivery
> process, to where ever the message is to be delivered. DNS
> cache can be disabled if desired, irregardless of Imail
> configuration or use.
>
> John Tolmachoff
> Engineer/Consultant/Owner
> eServices For You
>
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> > [EMAIL PROTECTED] On Behalf Of Mark Smith
> > Sent: Wednesday, March 10, 2004 10:27 AM
> > To: [EMAIL PROTECTED]
> > Subject: [Declude.JunkMail] OT: Imail Queue manager and gateway
> >
> > If I'm only using imail as a gateway for Exchange and only
> one domain
> > is being forwarded to, wouldn't it make sense to disable
> the DNS cache
> > and Queue manager.
> > In the remote case the receiving Exchange server is put on the skip
> > list that would mean that all email would stop.
> >
> > Right?
> >
> >
> > ---
> > [This E-mail was scanned for viruses by Declude Virus
> > (http://www.declude.com)]
> >
> > ---
> > This E-mail came from the Declude.JunkMail mailing list.  To
> > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
> > "unsubscribe Declude.JunkMail".  The archives can be found at
> > http://www.mail-archive.com.
>
> ---
> [This E-mail was scanned for viruses by Declude Virus
> (http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.JunkMail mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail".  The archives can be
> found at http://www.mail-archive.com.
>


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.