RE: [Declude.JunkMail] OT SPF poll
After reading up on SPF, Caller-ID and Domain Keys, I'm backing SPF!

I prefer SPF over caller-id because it looks like SPF is being pushed by the internet community in general, making it easy to adopt by all. Caller-id on the other hand is being developed and pushed by Microsoft (trying to take over the world! lol). Caller-id seems to be unnecessarily longer txt fields compared to SPF, and also unnecessarily using XML (language written by MS!)

I also prefer SPF over Domain Keys because Domain Keys seem slightly more unnecessarily complex, with a greater overhead and harder to implement. Does not have the same issues with mail forwarding as SPF does, but I believe those issues can still be overcome with SPF.

Regards,
Lyndon

Email checked by UKsubnet anti-virus service
To prevent email abuse & block spam contact [EMAIL PROTECTED]
Tel: +44(0)8712360301 Web: www.uksubnet.net Fax: +44(0)8712360300
Powered by UKsubnet Internet Service Provider
Business to Business Internet (ISP)

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] SPF
> There is also nothing stopping a static bulk mailer from
> implementing SPF on their own system, and to my knowledge,
> there is no way to stop that from happening.

That is correct. As somebody else has said passing the SPF does not mean the email isn't spam, and as SPF states it is aimed to work in line with existing black lists. In that scenario it would prevent the spammer from hijacking somebody else's domain. And as you said, if static bulk mailers implemented SPF on their own domains, they'd be somewhat easier to blacklist.

> To each their own of course. I'm just trying to document
> some of the issues that people should look out for when
> implementing SPF for their domains, and scoring it on their systems.

I'm sure your input is appreciated, the replies you have generated from other members of the list have helped me see more pros in SPF in the number of ways it is beneficial. You have certainly prompted more of a discussion which may have helped other people on the list understand, or made aware of SPF.

Regards,
Lyndon.
Re[2]: [Declude.JunkMail] SPF
> Example, I host hundreds of domains that have no associated email
> accounts and are not using for outbound messages. I would only HOPE
> that you would NOT deliver spam or viruses generated as
> [EMAIL PROTECTED]

Word to that! You own the domain, you set the policy. Anyone who has the technical ability to interpret the policy but chooses not to is "going rogue" or just doesn't get it.

--Sandy

Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
http://www.mailmage.com/download/software/freeutils/SPAMC32/Release/
Re[2]: [Declude.JunkMail] SPF
> To each their own of course. I'm just trying to document some of the
> issues that people should look out for when implementing SPF for
> their domains, and scoring it on their systems.

You still don't seem to get the nuances of "my system" vs. "my domain." Scoring SPF FAIL at anything less than immediate HOLD--unless you are in a _purely_ experimental phase--shows that you don't understand SPF.

I never said anything about giving any credit to SPF PASS: it is accepted in the SPF world that neither PASS nor UNKNOWN will have utility in giving "points" to mail, so that's a strawman.

Look, if you still refuse to give the spec (or its competitors, which basically have the same known issues you mention) a diligent review...well, have fun accepting those PayPal phishing scams in the future, while the rest of us enjoy immunity from several kinds (though not all kinds, certainly) of mail abuse.

--Sandy
RE: [Declude.JunkMail] SPF
Matt,

I think the point is, that there are TWO different decisions:

a) can you implement SPF for your own domain - you say "No" - then don't.

b) can you follow the SPF policies that OTHER administrators set for THEIR domains - apparently they want you to.

IF someone created an SPF policy (even if you can NOT for YOUR domains) and IS able of using "-all" and your server gets an email that violates the stated policy, then you are doing YOUR customers a favor in not delivering that message.

Example, I host hundreds of domains that have no associated email accounts and are not using for outbound messages. I would only HOPE that you would NOT deliver spam or viruses generated as [EMAIL PROTECTED]! Because then YOUR customers will try to send me (as the hoster) SPAM by complaining about viruses and/or advertisements that used a fake domain of @Gameware.com.

Best Regards
Andy Schmidt

H&M Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/
RE: [Declude.JunkMail] SPF
> >You could setup port forwarding for the users that are blocked so their mail
> >goes out your server. So instead of using port 25 to send mail they could
> >use port 925 for example. The ISP probably is not blocking this.
>
> I could if I had a router capable of this, but I don't right now.
> Sounds like a good way to solve that issue of being blocked.
> Regardless, some of my customers will set up their E-mail with their ISP
> for SMTP even when it is not blocked, especially when they have multiple
> accounts configured in Outlook and it uses a master account for SMTP. I
> can't stop this from happening. I have actually argued with customers
> telling them to set it up this way, and if they don't, then I advise
> them to not call me (anymore) for issues relating to mail delivery.
> They still call though of course :)

You do not need a router capable of the port forwarding. There are programs you can run on your mail server or another server to do this for you. Check the archives, it has been discussed many times.

Kevin Bilbee
Re: [Declude.JunkMail] SPF
This is why I am not implementing SPF on my system.

As a blacklist, it would punish some of my customers, so I would be forced to list them as unknown which is in effect as effective as not listing them at all. I certainly wouldn't want to assume that since 95% of them would pass a strict test, I should list them as known and then allow another administrator to reject the other 5% at the SMTP envelope as has been suggested.

As a method of crediting users, I see an increasing amount of zombie spam being sent from legit mail servers and I don't have issues with rejecting legitimate E-mail unless it comes from a known zombie or open relay, and then it still generally passes. I see no reason to give credit for such cases, and under that form of thought, I would also not recommend that others credit my users simply because they passed SPF since they are certainly capable of spamming at any point in time (and some have asked to do so in the past).

There is also nothing stopping a static bulk mailer from implementing SPF on their own system, and to my knowledge, there is no way to stop that from happening. It's niche bulk E-mail sent in low volume that has the greatest likelihood of getting past my filters.

To each their own of course. I'm just trying to document some of the issues that people should look out for when implementing SPF for their domains, and scoring it on their systems.

Matt

Sanford Whiteman wrote:

> > I get a lot of E-mail that would fail SPF that is in fact valid. A
> > lot of mail scripts and E-commerce sites are set up to send E-mail
> > notifications with the Mail From generated from a user submission
> > (since one can just simply press reply in order to respond).
>
> While that may impact the willingness of the owners of some domains to publish SPF policies, that's irrelevant to the legitimacy of mail that does not conform to already published SPF policies.
>
> > Also, some of my own customers are blocked by their ISP's from using my
> > mail server for SMTP, which means that if I configured SPF strictly for
> > their domains, they would fail this test wherever implemented.
>
> That's right: if you want to prevent people from forging your domain whenever and wherever they want, you have to prevent people from forging your domain whenever and wherever you want--Q.E.D. Your "own" users need to conform to your policies. You're confusing the _obligations_ of those who want to publish SPF records, and the related customer relationship management, for a problem in published SPF records.
>
> > If you opt to use SPF on your system, take advantage of the
> > weighting capabilities of Declude, and I would suggest at most being
> > very cautious about how much weight you give it.
>
> Sorry, Matt, but that's a bit of FUD. If a domain owner publishes a strict sender policy for mail using their registered domain, if I do anything but follow that policy, I am defying the wishes of the legal owner of the domain. To accept and deliver mail as legitimate that is known to be illegitimate--the SPF policy, not my subjective notion of message content, dictates legitimacy--is putting your faith in the wrong place. I d**n sure hope that nobody is testing for SPF and delivering mail for the domains for which I have published policies, especially without contacting us--I'd have very strong words for them.
>
> Of course, it's incumbent upon the domain owner to make sure that their SPF policies, their AUP, and their customer relationships are in order. But I _must_ trust that they are, or I am behaving most illogically. We HOLD on SPF FAIL.
>
> --Sandy

--
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
RE: [Declude.JunkMail] SPF
> Also to add to Matt's comments a lot of problems also come up
> with web forms. This is one reason we have not yet
> implemented SPF for our server.. Have not taken the time to
> figure out ..

Wouldn't this be similar to a mail forwarder? Whereby implementing an SRS system would get round the issue? (http://spf.pobox.com/srs.html)

Regards,
Lyndon.
Re[2]: [Declude.JunkMail] SPF
> I get a lot of E-mail that would fail SPF that is in fact valid. A
> lot of mail scripts and E-commerce sites are set up to send E-mail
> notifications with the Mail From generated from a user submission
> (since one can just simply press reply in order to respond).

While that may impact the willingness of the owners of some domains to publish SPF policies, that's irrelevant to the legitimacy of mail that does not conform to already published SPF policies.

> Also, some of my own customers are blocked by their ISP's from using my
> mail server for SMTP, which means that if I configured SPF strictly for
> their domains, they would fail this test wherever implemented.

That's right: if you want to prevent people from forging your domain whenever and wherever they want, you have to prevent people from forging your domain whenever and wherever you want--Q.E.D. Your "own" users need to conform to your policies. You're confusing the _obligations_ of those who want to publish SPF records, and the related customer relationship management, for a problem in published SPF records.

> If you opt to use SPF on your system, take advantage of the
> weighting capabilities of Declude, and I would suggest at most being
> very cautious about how much weight you give it.

Sorry, Matt, but that's a bit of FUD. If a domain owner publishes a strict sender policy for mail using their registered domain, if I do anything but follow that policy, I am defying the wishes of the legal owner of the domain. To accept and deliver mail as legitimate that is known to be illegitimate--the SPF policy, not my subjective notion of message content, dictates legitimacy--is putting your faith in the wrong place. I d**n sure hope that nobody is testing for SPF and delivering mail for the domains for which I have published policies, especially without contacting us--I'd have very strong words for them.

Of course, it's incumbent upon the domain owner to make sure that their SPF policies, their AUP, and their customer relationships are in order. But I _must_ trust that they are, or I am behaving most illogically. We HOLD on SPF FAIL.

--Sandy
RE: [Declude.JunkMail] SPF
> > I get a lot of E-mail that would fail SPF that is in fact valid. A
> > lot of mail scripts and E-commerce sites are set up to send E-mail
> > notifications with the Mail From generated from a user submission
> > (since one can just simply press reply in order to respond).
>
> Many e-commerce sites do this type of stuff improperly. They
> should use an address from their site as the from with the
> reply-to header for where you are to reply to.

I'd agree. Admittedly that's not how our own sites are set to work right now but I'd change them to conform to new standards aimed at improving email authenticity and reducing spam. The internet community has to be proactive and cooperative if things are to improve.

> > Also, some of my own customers are blocked by their ISP's from using
> > my mail server for SMTP, which means that if I configured SPF strictly
> > for their domains, they would fail this test wherever implemented.
>
> You could setup port forwarding for the users that are
> blocked so their mail goes out your server. So instead of
> using port 25 to send mail they could use port 925 for
> example. The ISP probably is not blocking this.

I'd accept this as an issue, but I'd say this one is down to the client. The client should be advised to choose an ISP who supports pro-active measures for reducing spam and improving email authenticity, or accept the fact that their emails may not be delivered to some companies/ISPs. This would be similar to clients who use ISPs that are black listed for whatever reason, or their own server is open relay, and then whinge when their emails don't get through. Alternatively you could add the IP range of their ISP to their domain records that you host - better than nothing.

> > If you opt to use SPF on your system, take advantage of the weighting
> > capabilities of Declude, and I would suggest at most being very
> > cautious about how much weight you give it.

If a domain is using SPF, and an email is received from an invalid client IP, you should have the option to reject before receiving. However in the case with some of your domains, you'd probably use the neutral or pass all mechanism, allowing others to accept the email but apply a weighting to it. Wouldn't you agree?

It's a two way thing,
1) up to the receiver to decide how stringent they want to be
2) up to the hostmaster/postmaster to decide what other people should do with emails received from their domain not passing the SPF test.

Regards,
Lyndon.
Re: [Declude.JunkMail] SPF
Kevin Bilbee wrote:

> Many e-commerce sites do this type of stuff improperly. They should use an address from their site as the from with the reply-to header for where you are to reply to.

They should only because of spam blocking, but in practice, many don't. The bigger ones have of course mostly figured this out, but for instance, I host a lot of car dealers, and every third-party lead generation system out there displays this behavior, including those maintained by the automakers themselves. Contact forms on the majority of Web sites will also normally display this behavior. Although I now use Reply-To addresses to circumvent this issue myself, I have many forms that still do this that I have coded over the years, and trying to explain to developers why this is necessary is hit or miss.

> You could setup port forwarding for the users that are blocked so their mail goes out your server. So instead of using port 25 to send mail they could use port 925 for example. The ISP probably is not blocking this.

I could if I had a router capable of this, but I don't right now. Sounds like a good way to solve that issue of being blocked. Regardless, some of my customers will set up their E-mail with their ISP for SMTP even when it is not blocked, especially when they have multiple accounts configured in Outlook and it uses a master account for SMTP. I can't stop this from happening. I have actually argued with customers telling them to set it up this way, and if they don't, then I advise them to not call me (anymore) for issues relating to mail delivery. They still call though of course :)

Matt
RE: [Declude.JunkMail] SPF
Lyndon:

Also to add to Matt's comments a lot of problems also come up with web forms. This is one reason we have not yet implemented SPF for our server.. Have not taken the time to figure out ..

Imagine someone on CNN's site using the eMail friend - to show you this I went to CNN and sent myself an email using the email feature. Look at the header:

X-Note: Spool File: Db7d90d5d018a63fd.SMD
X-Note: Server Name: relay.clickability.com
X-Note: SMTP Sender: [EMAIL PROTECTED]
X-Note: Reverse DNS & IP: relay.clickability.com [208.184.224.73]
X-Note: Recipient(s): [EMAIL PROTECTED]
X-Note: Country Chain: UNITED STATES->destination

If we delete an email based on SPF of ClickandPledge it would be deleted.

Hope this helps.

Kami

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Thursday, March 11, 2004 1:48 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] SPF

Lyndon,

I get a lot of E-mail that would fail SPF that is in fact valid. A lot of mail scripts and E-commerce sites are set up to send E-mail notifications with the Mail From generated from a user submission (since one can just simply press reply in order to respond).

Also, some of my own customers are blocked by their ISP's from using my mail server for SMTP, which means that if I configured SPF strictly for their domains, they would fail this test wherever implemented.

If you opt to use SPF on your system, take advantage of the weighting capabilities of Declude, and I would suggest at most being very cautious about how much weight you give it.

Matt

Lyndon Eaton wrote:

>That's a real shame! If you received a negative response from an SPF
>participating domain, you should be able to reject the message straight
>off. That way you aren't left 'carrying the can' so to speak, and the
>email gets stuck with the HiJacked server or the spammer. Similar to
>how AOL reject connected if the rev DNS lookup fails.
RE: [Declude.JunkMail] SPF
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Matt
> Sent: Thursday, March 11, 2004 10:48 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] SPF
>
> Lyndon,
>
> I get a lot of E-mail that would fail SPF that is in fact valid. A lot
> of mail scripts and E-commerce sites are set up to send E-mail
> notifications with the Mail From generated from a user submission (since
> one can just simply press reply in order to respond).

Many e-commerce sites do this type of stuff improperly. They should use an address from their site as the from with the reply-to header for where you are to reply to.

> Also, some of my own customers are blocked by their ISP's from using my
> mail server for SMTP, which means that if I configured SPF strictly for
> their domains, they would fail this test wherever implemented.

You could setup port forwarding for the users that are blocked so their mail goes out your server. So instead of using port 25 to send mail they could use port 925 for example. The ISP probably is not blocking this.

> If you opt to use SPF on your system, take advantage of the weighting
> capabilities of Declude, and I would suggest at most being very cautious
> about how much weight you give it.
>
> Matt
>
> Lyndon Eaton wrote:
>
> >That's a real shame! If you received a negative response from an SPF
> >participating domain, you should be able to reject the message straight
> >off. That way you aren't left 'carrying the can' so to speak, and the
> >email gets stuck with the HiJacked server or the spammer. Similar to how
> >AOL reject connected if the rev DNS lookup fails.
RE: [Declude.JunkMail] SPF
> There are four, - fail, ~ softfail, + pass & ? Neutral.
> There are also:
> error (if the DNS fails)
> unknown (if the syntax is unrecognised)
> none (if there is no SPF info)
>
> How do these different responses work? Apologies if these have already been covered...

Those have apparently changed since the original frozen RFC proposal, but are really implementation specific. I'll look into those.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.
RE: [Declude.JunkMail] SPF
There are four, - fail, ~ softfail, + pass & ? Neutral.
There are also:
error (if the DNS fails)
unknown (if the syntax is unrecognised)
none (if there is no SPF info)

How do these different responses work? Apologies if these have already been covered...

-----Original Message-----
From: Kevin Bilbee [mailto:[EMAIL PROTECTED]
Sent: 11 March 2004 18:37
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] SPF

Scott

I remember an issue with SPF that does not fall into pass or fail but if they use the ? in the spf record the email may be a maybe. Has this been resolved? Or am I understanding it improperly?

I do not want to negative weight a maybe if it falls into the pass category. I know I do not have to negative weight and can use the fail only.

Kevin Bilbee

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
> Sent: Thursday, March 11, 2004 10:03 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.JunkMail] SPF
>
> >First I'd heard about SPF. Sounds like a way forward!
> >
> >On the SPF site it says SPF is supported by Declude, how can I begin
> >to check inbound emails for SPF?
>
> Here's a copy of my original post. The latest beta version (1.78) and
> recent interims have the SPF support.
>
> ---
> For those that are interested, we now have an interim release with SPF
> support in it. [interim information removed] To use the new SPF test,
> you can add lines such as:
>
> SPFPASS spf passx -5 0
> SPFFAIL spf failx 8 0
>
> to your global.cfg file. SPF returns "PASS" for E-mail that passes
> SPF (that comes from an IP that is acceptable to the owner of the
> domain that it claims to be coming from), "FAIL" for E-mail that fails
> SPF (that does not come from an acceptable IP for the domain), or
> "UNKNOWN" (for E-mail from domains that do not use SPF yet, or for
> some other reason should return UNKNOWN).
>
> This will help reduce false positives (for domains that have SPF
> support), and help capture more spam (as spam comes in from domains
> that have SPF support, but the spammer isn't using an acceptable IP).
> ---
>
> -Scott
Re: [Declude.JunkMail] SPF
Lyndon,

I get a lot of E-mail that would fail SPF that is in fact valid. A lot of mail scripts and E-commerce sites are set up to send E-mail notifications with the Mail From generated from a user submission (since one can just simply press reply in order to respond).

Also, some of my own customers are blocked by their ISP's from using my mail server for SMTP, which means that if I configured SPF strictly for their domains, they would fail this test wherever implemented.

If you opt to use SPF on your system, take advantage of the weighting capabilities of Declude, and I would suggest at most being very cautious about how much weight you give it.

Matt

Lyndon Eaton wrote:

> That's a real shame! If you received a negative response from an SPF participating domain, you should be able to reject the message straight off. That way you aren't left 'carrying the can' so to speak, and the email gets stuck with the HiJacked server or the spammer. Similar to how AOL reject connected if the rev DNS lookup fails.
RE: [Declude.JunkMail] SPF
> Scott I remember an issue with SPF that does not fall into pass or fail but if they use the ? in the spf record the email may be a maybe. Has this been resolved? Or am I understanding it improperly?

That isn't an issue -- it's just how SPF works. The "?" means "Unknown". For example, "v=spf1 +mx ?all" means "Anyone sending from an IP in our MX record is OK, anyone else should go through standard spam filtering".

-Scott
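The qualifier handling described in the reply above, as an added example that is not part of the original thread and is not Declude's code: a small offline SPF evaluator that maps `+`, `-` and `?` to PASS/FAIL/UNKNOWN and applies the -5/8 weights from the sample config lines quoted in this thread. The domains, addresses and DNS tables are constructed; treating `~` and unsupported mechanisms as UNKNOWN is an assumption.

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline (documentation
# address ranges; none of these names or addresses come from the thread).
SPF_TXT = {
    "strict.example": "v=spf1 +mx ip4:198.51.100.0/24 -all",
    "cautious.example": "v=spf1 +mx ?all",   # the record shape quoted above
    "nospf.example": None,                   # domain publishes no SPF record
}
MX_ADDRS = {
    "strict.example": ["192.0.2.10"],
    "cautious.example": ["192.0.2.20", "192.0.2.21"],
}

# Qualifier prefix -> result when its mechanism matches; "+" is the default.
# Folding "~" into UNKNOWN is an assumption; the thread names only three results.
QUALIFIER_RESULT = {"+": "PASS", "-": "FAIL", "?": "UNKNOWN", "~": "UNKNOWN"}

# Weights taken from the sample global.cfg lines in the thread; UNKNOWN adds 0.
WEIGHTS = {"PASS": -5, "FAIL": 8, "UNKNOWN": 0}


def _matches(mechanism, domain, ip):
    """Return True/False for a supported mechanism, None if unsupported."""
    name, _, arg = mechanism.partition(":")
    if name == "all":
        return True
    if name in ("ip4", "ip6"):
        # Membership is False when address and network versions differ.
        return ip in ipaddress.ip_network(arg, strict=False)
    if name == "mx":
        hosts = MX_ADDRS.get(arg or domain, [])
        return any(ip == ipaddress.ip_address(h) for h in hosts)
    return None  # include, a, ptr, exists, redirect= need lookups not modelled


def spf_result(sender_domain, client_ip):
    """Evaluate the sender domain's record left to right; first match wins."""
    record = SPF_TXT.get(sender_domain)
    if not record or not record.lower().startswith("v=spf1"):
        return "UNKNOWN"                     # domain does not use SPF
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIER_RESULT else "+"
        mechanism = term.lstrip("+-?~").lower()
        hit = _matches(mechanism, sender_domain, ip)
        if hit is None:
            return "UNKNOWN"                 # cannot decide without that lookup
        if hit:
            return QUALIFIER_RESULT[qualifier]
    return "UNKNOWN"                         # nothing matched and no "all" term


def spam_weight(sender_domain, client_ip):
    """Weight a scoring filter would add for this envelope sender and IP."""
    return WEIGHTS[spf_result(sender_domain, client_ip)]


if __name__ == "__main__":
    for dom, addr in [("cautious.example", "192.0.2.20"),
                      ("cautious.example", "203.0.113.5"),
                      ("strict.example", "203.0.113.5"),
                      ("nospf.example", "203.0.113.5")]:
        print(dom, addr, spf_result(dom, addr), spam_weight(dom, addr))
```

With `?all`, a sender outside the MX set is scored 0 rather than penalised, which is why a domain that cannot enumerate all of its legitimate senders can still publish a record without causing failures.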
RE: [Declude.JunkMail] SPF
Scott I remember an issue with SPF that does not fall into pass or fail but if they use the ? in the spf record the email may be a maybe. Has this been resolved? Or am I understanding it improperly?

I do not want to negative weight a maybe if it falls into the pass category. I know I do not have to negative weight and can use the fail only.

Kevin Bilbee

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
> Sent: Thursday, March 11, 2004 10:03 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.JunkMail] SPF
>
> >First I'd heard about SPF. Sounds like a way forward!
> >
> >On the SPF site it says SPF is supported by Declude, how can I begin to
> >check inbound emails for SPF?
>
> Here's a copy of my original post. The latest beta version (1.78) and
> recent interims have the SPF support.
>
> ---
> For those that are interested, we now have an interim release with SPF
> support in it. [interim information removed] To use the new SPF test, you
> can add lines such as:
>
> SPFPASS spf passx -5 0
> SPFFAIL spf failx 8 0
>
> to your global.cfg file. SPF returns "PASS" for E-mail that passes SPF
> (that comes from an IP that is acceptable to the owner of the domain that
> it claims to be coming from), "FAIL" for E-mail that fails SPF (that does
> not come from an acceptable IP for the domain), or "UNKNOWN" (for E-mail
> from domains that do not use SPF yet, or for some other reason should
> return UNKNOWN).
>
> This will help reduce false positives (for domains that have SPF support),
> and help capture more spam (as spam comes in from domains that have SPF
> support, but the spammer isn't using an acceptable IP).
> ---
>
> -Scott
RE: [Declude.JunkMail] SPF
That's a real shame! If you received a negative response from an SPF participating domain, you should be able to reject the message straight off. That way you aren't left 'carrying the can' so to speak, and the email gets stuck with the HiJacked server or the spammer. Similar to how AOL reject connected if the rev DNS lookup fails.
RE: [Declude.JunkMail] SPF
> One more question, In the event we want to reject an email that fails the SPF test for a SPF participating domain, is Declude able to reject incoming emails before receiving the message body? IE terminate the SMTP connection?

No. IMail doesn't have the ability to do that, either with or without third party programs (not even IMail v8's anti-spam can do that).

-Scott
RE: [Declude.JunkMail] SPF
You can use SPF to just check. But it would work best when you do both. Otherwise if nobody implemented, nobody would have anything to check against - catch 22. By implementing you also protect your own domain(s) from being spoofed (providing the recipient checks against SPF). The more publicity SPF gets and the more IT bods that implement it, the better everything will get (in my opinion).

-Original Message-
From: John Carter [mailto:[EMAIL PROTECTED]
Sent: 11 March 2004 18:28
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] SPF

Forgive the ignorance. To use the SPF test, do we have to have implemented SPF ourselves or can it be used to check against those who have?

Thanks, John

---
For those that are interested, we now have an interim release with SPF support in it. [interim information removed] To use the new SPF test, you can add lines such as:

SPFPASS spf passx -5 0
SPFFAIL spf failx 8 0

to your global.cfg file. SPF returns "PASS" for E-mail that passes SPF (that comes from an IP that is acceptable to the owner of the domain that it claims to be coming from), "FAIL" for E-mail that fails SPF (that does not come from an acceptable IP for the domain), or "UNKNOWN" (for E-mail from domains that do not use SPF yet, or for some other reason should return UNKNOWN).

This will help reduce false positives (for domains that have SPF support), and help capture more spam (as spam comes in from domains that have SPF support, but the spammer isn't using an acceptable IP).
---
-Scott
RE: [Declude.JunkMail] SPF
Forgive the ignorance. To use the SPF test, do we have to have implemented SPF ourselves or can it be used to check against those who have?

Thanks, John

---
For those that are interested, we now have an interim release with SPF support in it. [interim information removed] To use the new SPF test, you can add lines such as:

SPFPASS spf passx -5 0
SPFFAIL spf failx 8 0

to your global.cfg file. SPF returns "PASS" for E-mail that passes SPF (that comes from an IP that is acceptable to the owner of the domain that it claims to be coming from), "FAIL" for E-mail that fails SPF (that does not come from an acceptable IP for the domain), or "UNKNOWN" (for E-mail from domains that do not use SPF yet, or for some other reason should return UNKNOWN).

This will help reduce false positives (for domains that have SPF support), and help capture more spam (as spam comes in from domains that have SPF support, but the spammer isn't using an acceptable IP).
---
-Scott
RE: [Declude.JunkMail] OT SPF SRS
What is the best way to implement SRS in Imail? Maybe one for the Imail list (or SRS somewhere).

Regards, Lyndon.
RE: [Declude.JunkMail] SPF
Thanks for that Scott!

One more question, In the event we want to reject an email that fails the SPF test for a SPF participating domain, is Declude able to reject incoming emails before receiving the message body? IE terminate the SMTP connection?

Regards, Lyndon.

-Original Message-
From: R. Scott Perry [mailto:[EMAIL PROTECTED]
Sent: 11 March 2004 18:03
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] SPF

>First I'd heard about SPF. Sounds like a way forward!
>
>On the SPF site it says SPF is supported by Declude, how can I begin to
>check inbound emails for SPF?

Here's a copy of my original post. The latest beta version (1.78) and recent interims have the SPF support.

---
For those that are interested, we now have an interim release with SPF support in it. [interim information removed] To use the new SPF test, you can add lines such as:

SPFPASS spf passx -5 0
SPFFAIL spf failx 8 0

to your global.cfg file. SPF returns "PASS" for E-mail that passes SPF (that comes from an IP that is acceptable to the owner of the domain that it claims to be coming from), "FAIL" for E-mail that fails SPF (that does not come from an acceptable IP for the domain), or "UNKNOWN" (for E-mail from domains that do not use SPF yet, or for some other reason should return UNKNOWN).

This will help reduce false positives (for domains that have SPF support), and help capture more spam (as spam comes in from domains that have SPF support, but the spammer isn't using an acceptable IP).
---

-Scott
RE: [Declude.JunkMail] SPF
>First I'd heard about SPF. Sounds like a way forward!
>
>On the SPF site it says SPF is supported by Declude, how can I begin to check inbound emails for SPF?

Here's a copy of my original post. The latest beta version (1.78) and recent interims have the SPF support.

---
For those that are interested, we now have an interim release with SPF support in it. [interim information removed] To use the new SPF test, you can add lines such as:

SPFPASS spf passx -5 0
SPFFAIL spf failx 8 0

to your global.cfg file. SPF returns "PASS" for E-mail that passes SPF (that comes from an IP that is acceptable to the owner of the domain that it claims to be coming from), "FAIL" for E-mail that fails SPF (that does not come from an acceptable IP for the domain), or "UNKNOWN" (for E-mail from domains that do not use SPF yet, or for some other reason should return UNKNOWN).

This will help reduce false positives (for domains that have SPF support), and help capture more spam (as spam comes in from domains that have SPF support, but the spammer isn't using an acceptable IP).
---

-Scott
RE: SPF [Declude.JunkMail]
First I'd heard about SPF. Sounds like a way forward!

On the SPF site it says SPF is supported by Declude, how can I begin to check inbound emails for SPF?

Regards, Lyndon.
[Declude.JunkMail] SPF poll
FYI, there is a poll about SPF, DomainKeys and Caller-ID on the winnetmag.com website. For those who support SPF, you may want to vote at http://www.winnetmag.com/windowssecurity (the "Instant Poll" section on the right side of the screen). Note that it is (unfortunately) listed as "Sender Policy Framework" rather than SPF, but it's still SPF.

-Scott
Re: [Declude.JunkMail] 2,000,000 + emails today
Sounds like you have a sales "opportunity" to get them on filtering, but also sounds like filtering won't help with the flood. Is this flood with or without the nobody alias?

I would definitely be contacting the authorities as this amounts to a DOS attack. Maybe others who have dealt with this before can offer advice on who to contact and how to work with them...?

Darin.

- Original Message -
From: "Darryl Koster" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, March 11, 2004 10:06 AM
Subject: RE: [Declude.JunkMail] 2,000,000 + emails today

The problem with it is we give clients the choice if they want to be on the filters or not, they have made the choice not to be on the filters. We put them on it anyway and then we ended up having to remove the mx records for them.

The qmail server (our spool server) had no problems keeping up, it kept on accepting mail etc. The problem came in though when we had 100,000 plus in the queue and it kept sending all these e-mails over to the imail server every x minutes and it would flood the server, after 12 hours the servers just could not keep up anymore with the amount of incoming and outgoing mails.

Darryl

PS. As I think I stated earlier, knowing me I have something wrong on some shi**y little setting I have not looked at in years and it's causing a problem now.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Wednesday, March 10, 2004 10:45 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] 2,000,000 + emails today

Hmmm...so no chance of an envelope rejection when it's destined for valid email addresses. Anyone heard of envelope rejection by subject word/phrase? That could be useful in the future as they get more nimble. Perhaps even Bayesian filtering on it...

Darryl, it looks like there's no choice but to process the messages (I'm sure most will get junked by your filters), and gather evidence in hope that authorities can use it to track down and shut down the spammer.

Darin.

- Original Message -
From: "Matt" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, March 10, 2004 9:16 PM
Subject: Re: [Declude.JunkMail] 2,000,000 + emails today

In this case, headers don't provide any benefit because this stuff all comes from zombies with forged info. It's the payload links, where they might be redirected to and/or is hosted, where their DNS is hosted, and where their names were registered. Chances are that everything can be tracked back to the same spam gang.

I searched the newsgroups for one of the subjects, and found a bunch of zero day domains, one of which was still active and hosting images for this spam, turwy33.info. I then looked up the IP and found it listed in SBL fresh as of today:

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL14807

This has been attributed to ROKSO spammer MailTrain, whose evidence file can be found at the following:

http://www.spamhaus.org/rokso/listing.lasso?-op=cn&spammer=MailTrain

Here's the full list of their current SBL listings...lots from China, as all good pill spammers who need dishonest hosts go (unless they can get a good rate at Exodus):

http://www.spamhaus.org/rokso/sbl_listings.lasso?spammer=MailTrain&rokso_id= ROK

One of the contacts listed in SBL shows that at least one of these guys is Scott's neighbor (figuratively). I would be curious about whether or not this was the same spammer causing issues with Darin.

Nevertheless, everyone should turn off the Nobody alias for fear that they might get harvested from not rejecting a dictionary attack during the SMTP envelope.

Matt

Darryl Koster wrote:

>We generally do not have nobody aliases set on the domains we have, this was
>set up to capture some of the emails that were being held by the server so
>we could look at the headers. Once we knew we had enough of them to work
>with we removed the nobody alias. Basically those 10 Megs worth of emails
>span about 10 minutes worth of time.
>
>Here are a couple sample headers. The IP range found within some of the
>(207.164.190.***) is our IP Range.
>
>Take a look, there are two of them I have not been able to find any
>similarities between them. There are hundreds like this.
>
>Darryl Koster
>
>---HEADER ONE --
>>From <[EMAIL PROTECTED]> Wed Mar 10 15:30:58 2004
>Received: from mx2.statusconcepts.com [207.164.190.21] by
>mail.statustechnologies.com
> (SMTPD32-7.07) id AAF069B8010C; Wed, 10 Mar 2004 15:30:40 -0500
>Received: (qmail 32104 invoked from network); 10 Mar 2004 16:44:32 -
>Received: from spr1-brig5-3-0-cust133.lond.broadband.ntl.com (80.3.72.133)
> by mx2.statusconcepts.com with SMTP; 10 Mar 2004 16:44:32 -
>Received: from (HELO idif) [126.202.95.91] by
>spr1-brig5-3-0-cust133.lond.broadband.ntl.com SMTP id T5WrKU8YPux1cX; Sat,
>13 Mar 2004 15:38:00 -0600
>Message-ID: <[EMAIL PROTECTED]>
>From: "Lakisha Woody" <[EMAIL PROTECTED]>
>Reply
RE: [Declude.JunkMail] 2,000,000 + emails today
The problem with it is we give clients the choice if they want to be on the filters or not, they have made the choice not to be on the filters. We put them on it anyway and then we ended up having to remove the mx records for them.

The qmail server (our spool server) had no problems keeping up, it kept on accepting mail etc. The problem came in though when we had 100,000 plus in the queue and it kept sending all these e-mails over to the imail server every x minutes and it would flood the server, after 12 hours the servers just could not keep up anymore with the amount of incoming and outgoing mails.

Darryl

PS. As I think I stated earlier, knowing me I have something wrong on some shi**y little setting I have not looked at in years and it's causing a problem now.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Wednesday, March 10, 2004 10:45 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] 2,000,000 + emails today

Hmmm...so no chance of an envelope rejection when it's destined for valid email addresses. Anyone heard of envelope rejection by subject word/phrase? That could be useful in the future as they get more nimble. Perhaps even Bayesian filtering on it...

Darryl, it looks like there's no choice but to process the messages (I'm sure most will get junked by your filters), and gather evidence in hope that authorities can use it to track down and shut down the spammer.

Darin.

- Original Message -
From: "Matt" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, March 10, 2004 9:16 PM
Subject: Re: [Declude.JunkMail] 2,000,000 + emails today

In this case, headers don't provide any benefit because this stuff all comes from zombies with forged info. It's the payload links, where they might be redirected to and/or is hosted, where their DNS is hosted, and where their names were registered. Chances are that everything can be tracked back to the same spam gang.

I searched the newsgroups for one of the subjects, and found a bunch of zero day domains, one of which was still active and hosting images for this spam, turwy33.info. I then looked up the IP and found it listed in SBL fresh as of today:

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL14807

This has been attributed to ROKSO spammer MailTrain, whose evidence file can be found at the following:

http://www.spamhaus.org/rokso/listing.lasso?-op=cn&spammer=MailTrain

Here's the full list of their current SBL listings...lots from China, as all good pill spammers who need dishonest hosts go (unless they can get a good rate at Exodus):

http://www.spamhaus.org/rokso/sbl_listings.lasso?spammer=MailTrain&rokso_id= ROK

One of the contacts listed in SBL shows that at least one of these guys is Scott's neighbor (figuratively). I would be curious about whether or not this was the same spammer causing issues with Darin.

Nevertheless, everyone should turn off the Nobody alias for fear that they might get harvested from not rejecting a dictionary attack during the SMTP envelope.

Matt

Darryl Koster wrote:

>We generally do not have nobody aliases set on the domains we have, this was
>set up to capture some of the emails that were being held by the server so
>we could look at the headers. Once we knew we had enough of them to work
>with we removed the nobody alias. Basically those 10 Megs worth of emails
>span about 10 minutes worth of time.
>
>Here are a couple sample headers. The IP range found within some of the
>(207.164.190.***) is our IP Range.
>
>Take a look, there are two of them I have not been able to find any
>similarities between them. There are hundreds like this.
>
>Darryl Koster
>
>---HEADER ONE --
>>From <[EMAIL PROTECTED]> Wed Mar 10 15:30:58 2004
>Received: from mx2.statusconcepts.com [207.164.190.21] by
>mail.statustechnologies.com
> (SMTPD32-7.07) id AAF069B8010C; Wed, 10 Mar 2004 15:30:40 -0500
>Received: (qmail 32104 invoked from network); 10 Mar 2004 16:44:32 -
>Received: from spr1-brig5-3-0-cust133.lond.broadband.ntl.com (80.3.72.133)
> by mx2.statusconcepts.com with SMTP; 10 Mar 2004 16:44:32 -
>Received: from (HELO idif) [126.202.95.91] by
>spr1-brig5-3-0-cust133.lond.broadband.ntl.com SMTP id T5WrKU8YPux1cX; Sat,
>13 Mar 2004 15:38:00 -0600
>Message-ID: <[EMAIL PROTECTED]>
>From: "Lakisha Woody" <[EMAIL PROTECTED]>
>Reply-To: "Lakisha Woody" <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Cc: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>,
><[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>,
><[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>,
><[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>,
><[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
>Subject: turn your Spud into a stud!! m
>Date: Sat, 13 Mar 04 15:38:00 GMT
>X-Mailer: Microsoft Outlook Express 6.00.2462.
>MIME-Version: 1.0
>Content-Type: multipart/alternative;
> boundary="B0DD5_.B3._
RE: [Declude.JunkMail] Declude, Outlook 2003 and Spamheadersfailed?
Amazing!

-Original Message-
Yes. Apparently, a small percentage of their customers complained that the Message-ID: header included information they did not want others to see. Instead of adding an option to either disable the Message-ID: header or alter the content used in it, they opted to remove it completely, with the understanding that all Outlook 2003 customers are more likely to have their E-mail tagged as spam than they otherwise would.

-Scott
Re: [Declude.JunkMail] Declude, Outlook 2003 and Spamheaders failed?
> a customer uses Outlook 2003 and his mail fails the Spamheaders Test 421e.

Correct.

> is this a known feature? ;)

Yes. Apparently, a small percentage of their customers complained that the Message-ID: header included information they did not want others to see. Instead of adding an option to either disable the Message-ID: header or alter the content used in it, they opted to remove it completely, with the understanding that all Outlook 2003 customers are more likely to have their E-mail tagged as spam than they otherwise would.

-Scott
[Declude.JunkMail] Declude, Outlook 2003 and Spamheaders failed?
Hello,

a customer uses Outlook 2003 and his mail fails the Spamheaders Test 421e. this is:

-
This E-mail is missing a Message-ID: header. Although it is legal not to have one, the RFCs say that E-mails SHOULD have this (which, in RFC terms, means that you must have the Message-ID: header or accept the consequences -- in this case, the E-mail may be treated as spam). Note that you may see a Message-ID: header; if so, it was one that IMail added later.
-

is this a known feature? ;)

I lowered the weight for Spamheaders, is this the solution? ;)

Alex
RE: [Declude.JunkMail] OT: Imail Queue manager and gateway
So should I just disable the DNS Cache and skip list then?

Mark

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of John
> Tolmachoff (Lists)
> Sent: Wednesday, March 10, 2004 5:45 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.JunkMail] OT: Imail Queue manager and gateway
>
> You can not disable the Queue Manager. That is the delivery
> process, to wherever the message is to be delivered. DNS
> cache can be disabled if desired, irregardless of Imail
> configuration or use.
>
> John Tolmachoff
> Engineer/Consultant/Owner
> eServices For You
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> > [EMAIL PROTECTED] On Behalf Of Mark Smith
> > Sent: Wednesday, March 10, 2004 10:27 AM
> > To: [EMAIL PROTECTED]
> > Subject: [Declude.JunkMail] OT: Imail Queue manager and gateway
> >
> > If I'm only using imail as a gateway for Exchange and only one domain
> > is being forwarded to, wouldn't it make sense to disable the DNS cache
> > and Queue manager.
> > In the remote case the receiving Exchange server is put on the skip
> > list that would mean that all email would stop.
> >
> > Right?