Re: [Declude.JunkMail] 'X-Declude-Sender:' Question

2005-01-29 Thread Kim Premuda
Thanks Matt and Darrell.

>I would imagine that you have AUTOWHITELIST ON and that your customer 
>has his own E-mail address in his Web mail address book.

You both were correct...AUTOWHITELIST is ON and the customer's e-mail address 
was listed in his Web mail address book.



--
Kim W. Premuda
FastWave Internet Services
San Diego, CA

--
---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


Re: [Declude.JunkMail] 'X-Declude-Sender:' Question

2005-01-29 Thread Darrell ([EMAIL PROTECTED])
A couple of things could have caused this.  If you are using whitelist auth
and they guess the password of the account.  Also, the user could have their
own email address in their address book which would cause it to be
whitelisted as long as that option is enabled.  Also, is it possible you may
have the domain whitelisted somehow?

Darrell

---
Check out http://www.invariantsystems.com for utilities for Declude And
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG
Integration, and Log Parsers.

- Original Message - 
From: "Kim Premuda" <[EMAIL PROTECTED]>
To: "Declude JunkMail Forum" 
Sent: Saturday, January 29, 2005 6:25 PM
Subject: [Declude.JunkMail] 'X-Declude-Sender:' Question


> Our IMail server trapped a spam message that was whitelisted by Declude
> JunkMail. The header of the message is shown below:
>
>Received: from fastwave.net [210.221.79.126] by ns3.fastwave.net
>  (SMTPD32-8.05) id AB32D5301D8; Sat, 29 Jan 2005
>  10:51:30 -0800
>Message-ID: <[EMAIL PROTECTED]>
>Return-Path: [EMAIL PROTECTED]
>From: "Kevin John" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Subject: I got XP and Office Xp cheap.
>Date: Sun, 30 Jan 2005 03:52:40 +0900
>X-Mailer: Version 1.32
>Content-Type: text/html; charset="ISO-8859-1"
>MIME-Version: 1.0
>X-Priority: 1
>X-Declude-Sender: [EMAIL PROTECTED] [210.221.79.126]
>X-Declude-Spoolname: Ddb320d5301d8d507.SMD
>X-Note:
>
>X-Note: Scanned by Declude JunkMail, Version 1.82
>X-Spam-Tests-Failed: Whitelisted TOTAL [0]
>X-Note: This E-mail was sent from [No Reverse DNS] ([210.221.79.126]).
>X-Note:
>
>From: [EMAIL PROTECTED]
>X-RCPT-TO: <[EMAIL PROTECTED]>
>Status: R
>X-UIDL: 397015868
>
>
> Note that the 'X-Declude-Sender:' line contains a valid e-mail address
> (altered for this list) on our IMail server, yet the originating IP address
> [210.221.79.126] is located in Korea. We are not whitelisting the
> [210.221.79.126] IP address. Is this an indication that our customer's
> e-mail account has been compromised and is being used to propagate spam into
> our network? Or, is there some other explanation?
>
> TIA
>
>
> --
> Kim W. Premuda
> FastWave Internet Services
> San Diego, CA


Re: [Declude.JunkMail] 'X-Declude-Sender:' Question

2005-01-29 Thread Matt
I would imagine that you have AUTOWHITELIST ON and that your customer 
has his own E-mail address in his Web mail address book.  This E-mail 
appears to have forged his address, and this would cause it to be 
whitelisted.  If not, check for other forms of Mail From whitelisting.  
This could also be in the form of "[EMAIL PROTECTED]".

Matt

Kim Premuda wrote:
> Our IMail server trapped a spam message that was whitelisted by Declude
> JunkMail. The header of the message is shown below:
>
>   Received: from fastwave.net [210.221.79.126] by ns3.fastwave.net
>     (SMTPD32-8.05) id AB32D5301D8; Sat, 29 Jan 2005
>     10:51:30 -0800
>   Message-ID: <[EMAIL PROTECTED]>
>   Return-Path: [EMAIL PROTECTED]
>   From: "Kevin John" <[EMAIL PROTECTED]>
>   To: <[EMAIL PROTECTED]>
>   Subject: I got XP and Office Xp cheap.
>   Date: Sun, 30 Jan 2005 03:52:40 +0900
>   X-Mailer: Version 1.32
>   Content-Type: text/html; charset="ISO-8859-1"
>   MIME-Version: 1.0
>   X-Priority: 1
>   X-Declude-Sender: [EMAIL PROTECTED] [210.221.79.126]
>   X-Declude-Spoolname: Ddb320d5301d8d507.SMD
>   X-Note:
>
>   X-Note: Scanned by Declude JunkMail, Version 1.82
>   X-Spam-Tests-Failed: Whitelisted TOTAL [0]
>   X-Note: This E-mail was sent from [No Reverse DNS] ([210.221.79.126]).
>   X-Note:
>
>   From: [EMAIL PROTECTED]
>   X-RCPT-TO: <[EMAIL PROTECTED]>
>   Status: R
>   X-UIDL: 397015868
>
> Note that the 'X-Declude-Sender:' line contains a valid e-mail address
> (altered for this list) on our IMail server, yet the originating IP address
> [210.221.79.126] is located in Korea. We are not whitelisting the
> [210.221.79.126] IP address. Is this an indication that our customer's e-mail
> account has been compromised and is being used to propagate spam into our
> network? Or, is there some other explanation?
>
> TIA
>
> --
> Kim W. Premuda
> FastWave Internet Services
> San Diego, CA

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
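
The situation described in this reply, a message that Declude marks as whitelisted while its sender is a local address and its connecting IP is external, can be checked from the headers Declude adds. The following is an added example, not part of the original thread and not Declude's own code; the sample message, the `example.net` domain, the IP ranges and the function name `audit_whitelisted` are constructed for illustration, and `trusted_nets` is assumed to list the networks from which local users legitimately submit mail.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# Constructed sample modelled on the header layout quoted in the thread;
# the addresses, domain and IPs are placeholders, not values from the list.
SAMPLE = """\
Received: from example.net [203.0.113.45] by mx.example.net
  (SMTPD32-8.05) id AB32D5301D8; Sat, 29 Jan 2005 10:51:30 -0800
From: "Kevin John" <customer@example.net>
To: <customer@example.net>
Subject: I got XP and Office Xp cheap.
X-Declude-Sender: customer@example.net [203.0.113.45]
X-Note: Scanned by Declude JunkMail, Version 1.82
X-Spam-Tests-Failed: Whitelisted TOTAL [0]
X-Note: This E-mail was sent from [No Reverse DNS] ([203.0.113.45]).
"""

# "address [ip]" as it appears in the X-Declude-Sender header
SENDER_RE = re.compile(r"^\s*(\S+@(\S+))\s+\[([0-9a-fA-F.:]+)\]\s*$")

def audit_whitelisted(raw_headers, local_domains, trusted_nets):
    """Return a finding dict when a whitelisted message claims a local
    sender but arrived from an address outside the trusted networks."""
    msg = message_from_string(raw_headers)
    tests = msg.get("X-Spam-Tests-Failed", "")
    m = SENDER_RE.match(msg.get("X-Declude-Sender", ""))
    if not m or not tests.strip().lower().startswith("whitelisted"):
        return None
    sender, domain = m.group(1), m.group(2).lower()
    try:
        ip = ip_address(m.group(3))
    except ValueError:
        return None
    # Local sender from a trusted network is the normal, expected case.
    if domain not in local_domains or any(ip in ip_network(n) for n in trusted_nets):
        return None
    notes = msg.get_all("X-Note") or []
    return {
        "sender": sender,
        "source_ip": str(ip),
        "no_reverse_dns": any("No Reverse DNS" in n for n in notes),
        "reason": "local sender address, external source IP, whitelisted",
    }
```

A finding does not distinguish a forged sender from a guessed password; it marks the messages for which the whitelist settings and the account's authentication logs are worth reviewing.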

[Declude.JunkMail] 'X-Declude-Sender:' Question

2005-01-29 Thread Kim Premuda
Our IMail server trapped a spam message that was whitelisted by Declude 
JunkMail. The header of the message is shown below:

   Received: from fastwave.net [210.221.79.126] by ns3.fastwave.net
 (SMTPD32-8.05) id AB32D5301D8; Sat, 29 Jan 2005
 10:51:30 -0800
   Message-ID: <[EMAIL PROTECTED]>
   Return-Path: [EMAIL PROTECTED]
   From: "Kevin John" <[EMAIL PROTECTED]>
   To: <[EMAIL PROTECTED]>
   Subject: I got XP and Office Xp cheap.
   Date: Sun, 30 Jan 2005 03:52:40 +0900
   X-Mailer: Version 1.32
   Content-Type: text/html; charset="ISO-8859-1"
   MIME-Version: 1.0
   X-Priority: 1
   X-Declude-Sender: [EMAIL PROTECTED] [210.221.79.126]
   X-Declude-Spoolname: Ddb320d5301d8d507.SMD
   X-Note: 

   X-Note: Scanned by Declude JunkMail, Version 1.82
   X-Spam-Tests-Failed: Whitelisted TOTAL [0]
   X-Note: This E-mail was sent from [No Reverse DNS] ([210.221.79.126]).
   X-Note: 

   From: [EMAIL PROTECTED]
   X-RCPT-TO: <[EMAIL PROTECTED]>
   Status: R
   X-UIDL: 397015868


Note that the 'X-Declude-Sender:' line contains a valid e-mail address (altered 
for this list) on our IMail server, yet the originating IP address 
[210.221.79.126] is located in Korea. We are not whitelisting the 
[210.221.79.126] IP address. Is this an indication that our customer's e-mail 
account has been compromised and is being used to propagate spam into our 
network? Or, is there some other explanation?

TIA


--
Kim W. Premuda
FastWave Internet Services
San Diego, CA



Re: [Declude.JunkMail] BONDEDEDSENDER and SNIFFER

2005-01-29 Thread Kim Premuda
Thanks Matt, Scott, and Andrew, for your feedback and your perspectives on this 
matter. It appears BONDEDSENDER isn't as trustworthy as they claim.

Best regards,


--
Kim W. Premuda
FastWave Internet Services
San Diego, CA



RE: [Declude.JunkMail] [OT] Exchange2Alias Question

2005-01-29 Thread Keith Johnson
Scott,
   Works great, thanks for the tip.  Ended up using a program called cpau 
that allows you to specify the password in the batch file since runas requires 
manual entry and Win 2003 scheduler couldn't validate user/pass during job 
setup.  Again, thanks.
 
Keith

-Original Message- 
From: [EMAIL PROTECTED] on behalf of Scott Fosseen 
Sent: Thu 1/27/2005 5:54 PM 
To: Declude.JunkMail@declude.com 
Cc: 
Subject: Re: [Declude.JunkMail] [OT] Exchange2Alias Question



You need to run the script with username/password of a user on the LDAP
server.  If you use the Windows Scheduler it will ask for a
username/password to run the program.  Just create a local user on the box
that runs the script with the same username/password as an account on the
LDAP Server.

To test the script from a command prompt you will need to run this command:

runas /netonly /user:domain\username cmd

The runas program will ask for your password then open up a command window
allowing you to run the script as if you are logged in as that user.
_ 
Scott Fosseen - Systems Engineer -Prairie Lakes AEA 
http://fosseen.us/scott 
_ 
There are 10 types of people in this world, those that understand 
binary, and those that don't. 
_ 

- Original Message - 
From: "Keith Johnson" <[EMAIL PROTECTED]> 
To:  
Sent: Wednesday, January 26, 2005 5:32 PM 
Subject: RE: [Declude.JunkMail] [OT] Exchange2Alias Question 


Sandy, 
Thanks for your reply.  I did use the LDAP Browser from Softerra 
(great tool by the way), it reports the RootDSE correctly during setup. 
What does an error of 0x80005000 indicate?  Is this a permission error? 


When I use the Softerra utility, if I specify anonymous, then I 
do not see the Users container, however, if I specify the domain\user 
and a password, then I can get the full Users container.  Is this by 
design? 

Thanks again for the aid. 

Keith 

-Original Message- 
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Sanford 
Whiteman 
Sent: Wednesday, January 26, 2005 12:25 PM 
To: Keith Johnson 
Subject: Re: [Declude.JunkMail] [OT] Exchange2Alias Question 

> I opened port 389 through a client firewall from our Imail Server 
> (just in testing) and attempted to query their server using the 
> exchange2alias script, however, it is returning the following error: 

> ---Export Started---
> C:\Documents and Settings\Administrator\Desktop\exchange2aliases.vbs(41, 1) (null): A referral was returned from the server.

This indicates a mismatch between your search base and the domain
hosted by that AD server. If you use LDAP Browser (www.softerra.com),
is that search base shown up when you query the LDAP server's RootDSE
while setting up the new profile?

--Sandy 


 
Sanford Whiteman, Chief Technologist 
Broadleaf Systems, a division of 
Cypress Integrated Systems, Inc. 
e-mail: [EMAIL PROTECTED] 

SpamAssassin plugs into Declude!

http://www.mailmage.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail
Aliases!

http://www.mailmage.com/products/software/freeutils/exchange2aliases/download/release/

http://www.mailmage.com/products/software/freeutils/ldap2aliases/download/release/
