Re: [Declude.JunkMail] PowerMTA

2010-01-13 Thread Matt

Dave,

A lot of the largest static spammer organizations use this software, but 
unfortunately a good number of fully legitimate companies use it also.  
PowerMTA also allows for full customization of the header formatting and 
many spammers edit this to be nondescript as well.  I would guess that 
maybe 30% of static spam (where the spammer uses leased/owned IP space) 
utilizes PowerMTA.


I personally use some extensive filtering to categorize E-mail into bulk 
(anything sent in volume or automated) and personal E-mail (stuff sent 
by an E-mail/webmail client), and then I set my weighting tolerances 
differently as obviously stuff that isn't clearly non-forged personal 
E-mail is where the spam is.  Weighting PowerMTA more aggressively, 
though not blocking it outright is a start in that direction, but only 
part of the solution unless you wish to block some legitimate stuff as well.


Matt



Dave Beckstrom wrote:

I'm seeing a lot of spam with this in the headers:

PowerMTA(TM) v3.0c2


Is powerMTA mainly a spam tool or do legitimate mailers use it too? Just
trying to decide if I can add some weight if that header exists.

Also of late I'm seeing a lot of spam containing ssl in part of the domain
name:

Return-Path:  Wed Jan 13 15:03:22 2010
Received: from ssl.realnightlywork.com [173.45.68.45] by

Anyone adding weight if the domain contains ssl?





---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
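
The approach Matt describes (add weight for the PowerMTA header rather than block on it, and hold bulk mail at a lower total than personal mail) can be sketched as follows. This is an added example, not code from the thread or from Declude; the weight, the two thresholds, the header heuristics and the sample messages are all assumptions made for illustration.

```python
from email import message_from_string

# Assumed values for illustration only; not Declude settings.
POWERMTA_WEIGHT = 3
HOLD_AT = {"bulk": 5, "personal": 10}   # bulk mail is held at a lower total

def has_powermta(msg):
    # The banner may sit in any header and can be edited out by the sender,
    # so its absence proves nothing; its presence only adds weight.
    return any("PowerMTA" in str(value) for value in msg.values())

def classify(msg):
    """'bulk' = sent in volume or automated, 'personal' = sent from a mail client."""
    if has_powermta(msg) or msg.get("List-Unsubscribe") or msg.get("List-Id"):
        return "bulk"
    if msg.get("Precedence", "").strip().lower() in ("bulk", "list", "junk"):
        return "bulk"
    # Assumption: a client fingerprint stands in for "clearly personal" mail.
    if msg.get("X-Mailer") or msg.get("User-Agent"):
        return "personal"
    return "bulk"

def evaluate(raw, base_weight):
    """base_weight is the total from all other tests (hypothetical input)."""
    msg = message_from_string(raw)
    category = classify(msg)
    weight = base_weight + (POWERMTA_WEIGHT if has_powermta(msg) else 0)
    action = "hold" if weight >= HOLD_AT[category] else "deliver"
    return category, weight, action

# Constructed sample messages.
BULK_SAMPLE = (
    "Received: by mta1.bulk.example (PowerMTA(TM) v3.0c2) id h1;"
    " Wed, 13 Jan 2010 15:03:22 -0600\n"
    "From: offers@bulk.example\n"
    "Subject: January offers\n\nbody\n"
)
PERSONAL_SAMPLE = (
    "Received: from client.example ([192.0.2.10]) by mail.example;"
    " Wed, 13 Jan 2010 15:10:00 -0600\n"
    "From: alice@example.org\n"
    "X-Mailer: Microsoft Outlook Express 6.00.2900.5931\n"
    "Subject: lunch\n\nbody\n"
)

if __name__ == "__main__":
    print(evaluate(BULK_SAMPLE, 0))      # clean PowerMTA sender: weighted, delivered
    print(evaluate(BULK_SAMPLE, 3))      # same header plus other hits: held
    print(evaluate(PERSONAL_SAMPLE, 6))  # personal mail tolerates more weight
```
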


  







[Declude.JunkMail] PowerMTA

2010-01-13 Thread Dave Beckstrom
I'm seeing a lot of spam with this in the headers:

PowerMTA(TM) v3.0c2


Is powerMTA mainly a spam tool or do legitimate mailers use it too? Just
trying to decide if I can add some weight if that header exists.

Also of late I'm seeing a lot of spam containing ssl in part of the domain
name:

Return-Path:  Wed Jan 13 15:03:22 2010
Received: from ssl.realnightlywork.com [173.45.68.45] by

Anyone adding weight if the domain contains ssl?








Re: [Declude.JunkMail] Declude Hijack

2010-01-13 Thread Mon Mariola - Rubén
Sorry, another question:

Is there any problem with incoming and outgoing emails if I restart 
decludeproc?

What problems can I find if I restart decludeproc?

I worry about this.

Thank you.
Ruben Marti.
  - Original Message - 
  From: David Barker
  To: declude.junkmail@declude.com
  Sent: Wednesday, January 13, 2010 4:50 PM
  Subject: RE: [Declude.JunkMail] Declude Hijack


  You cannot unblock a single IP. Restarting the decludeproc will reset the
  counter.



  David Barker
  VP Operations Declude
  Your Email security is our business
  978.499.2933 office
  978.988.1311 fax
  dbar...@declude.com







  From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Mon 
Mariola - Rubén
  Sent: Wednesday, January 13, 2010 10:45 AM
  To: declude.junkmail@declude.com
  Subject: Re: [Declude.JunkMail] Declude Hijack



  How do I unblock an IP that is banned for exceeding the 2nd threshold?



  Thank you.
  Ruben Marti.

- Original Message - 

From: David Barker

To: declude.junkmail@declude.com

Sent: Wednesday, January 13, 2010 3:27 PM

Subject: RE: [Declude.JunkMail] Declude Hijack



Hijack is the solution to your problem. As we count the number of emails
from a specific IP or address with the latest release. When the hold2
threshold is reached these messages are quarantined, regardless of whether
they are whitelisted or authenticated.

We will be updating the Hijack manual with this latest release of 4.10.42

The console is no longer used as this information has been replaced by the
\Declude\console.txt file. The ALLOWIP and ALLOWADDR are used if you want to
exempt users or IP's from triggering hijack.

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com





-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Mon
Mariola - Rubén
Sent: Tuesday, January 12, 2010 9:42 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Declude Hijack

Some time ago I'm declude user, initially with imail and in recent years
with SmarterMail. Now with SmarterMail 5.5 and Declude 4.10.42.

Now I have a problem not solved. Some adware, or viruses, steal the account
settings of outlook express to my customers. So my server sends mail without
checking because they are authenticated. Every time this happens I have to
block the email account of my client, I contact him to remove the adware
from your computer and when I confirmed that your computer is disinfected to
reactivate your account. This is being increasingly common and this week has
come to me SenderBase rate of poor reputation.

Does anyone else have this problem? How do you solve?

I have tried using Declude Hijack, but I can not figure out how to unblock
an IP that is blocked for exceeding the limit 2.


From Hijack manual:
"Since the spammer has passed the 2nd threshold, he is banned, and all his
Email gets held permanently in \ spool \ spam \ HOLD2. He will only be able
to send mail again if the Declude Console is closed ... In which case he
will get banned again as soon as he passed the 2nd threshold again. "

What is "Declude Console"?

Declude Hijack seems like a good option in theory but in my case I have
clients that send emails via Outlook Express and CCO. I think I can solve
this problem by creating a list of users to avoid them with ALLOWIP or
ALLOWADDR.

Thank you.
Ruben Marti.





RE: [Declude.JunkMail] Declude Hijack

2010-01-13 Thread David Barker
You cannot unblock a single IP. Restarting the decludeproc will reset the
counter.

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
  dbar...@declude.com

 

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Mon
Mariola - Rubén
Sent: Wednesday, January 13, 2010 10:45 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Declude Hijack

 

How do I unblock an IP that is banned for exceeding the 2nd threshold?

 

Thank you.
Ruben Marti.

- Original Message - 

From: David Barker   

To: declude.junkmail@declude.com 

Sent: Wednesday, January 13, 2010 3:27 PM

Subject: RE: [Declude.JunkMail] Declude Hijack

 

Hijack is the solution to your problem. As we count the number of emails
from a specific IP or address with the latest release. When the hold2
threshold is reached these messages are quarantined, regardless of whether
they are whitelisted or authenticated.

We will be updating the Hijack manual with this latest release of 4.10.42

The console is no longer used as this information has been replaced by the
\Declude\console.txt file. The ALLOWIP and ALLOWADDR are used if you want to
exempt users or IP's from triggering hijack.

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

 



-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Mon
Mariola - Rubén
Sent: Tuesday, January 12, 2010 9:42 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Declude Hijack

Some time ago I'm declude user, initially with imail and in recent years 
with SmarterMail. Now with SmarterMail 5.5 and Declude 4.10.42.

Now I have a problem not solved. Some adware, or viruses, steal the account 
settings of outlook express to my customers. So my server sends mail without
checking because they are authenticated. Every time this happens I have to 
block the email account of my client, I contact him to remove the adware 
from your computer and when I confirmed that your computer is disinfected to
reactivate your account. This is being increasingly common and this week has
come to me SenderBase rate of poor reputation.

Does anyone else have this problem? How do you solve?

I have tried using Declude Hijack, but I can not figure out how to unblock 
an IP that is blocked for exceeding the limit 2.


From Hijack manual:
"Since the spammer has passed the 2nd threshold, he is banned, and all his 
Email gets held permanently in \ spool \ spam \ HOLD2. He will only be able 
to send mail again if the Declude Console is closed ... In which case he 
will get banned again as soon as he passed the 2nd threshold again. "

What is "Declude Console"?

Declude Hijack seems like a good option in theory but in my case I have 
clients that send emails via Outlook Express and CCO. I think I can solve 
this problem by creating a list of users to avoid them with ALLOWIP or 
ALLOWADDR.

Thank you.
Ruben Marti. 






Re: [Declude.JunkMail] Declude Hijack

2010-01-13 Thread Mon Mariola - Rubén
How do I unblock an IP that is banned for exceeding the 2nd threshold?

Thank you.
Ruben Marti.
  - Original Message - 
  From: David Barker
  To: declude.junkmail@declude.com
  Sent: Wednesday, January 13, 2010 3:27 PM
  Subject: RE: [Declude.JunkMail] Declude Hijack


  Hijack is the solution to your problem. As we count the number of emails
  from a specific IP or address with the latest release. When the hold2
  threshold is reached these messages are quarantined, regardless of whether
  they are whitelisted or authenticated.

  We will be updating the Hijack manual with this latest release of 4.10.42

  The console is no longer used as this information has been replaced by the
  \Declude\console.txt file. The ALLOWIP and ALLOWADDR are used if you want to
  exempt users or IP's from triggering hijack.

  David Barker
  VP Operations Declude
  Your Email security is our business
  978.499.2933 office
  978.988.1311 fax
  dbar...@declude.com





  -Original Message-
  From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Mon
  Mariola - Rubén
  Sent: Tuesday, January 12, 2010 9:42 PM
  To: declude.junkmail@declude.com
  Subject: [Declude.JunkMail] Declude Hijack

  Some time ago I'm declude user, initially with imail and in recent years
  with SmarterMail. Now with SmarterMail 5.5 and Declude 4.10.42.

  Now I have a problem not solved. Some adware, or viruses, steal the account
  settings of outlook express to my customers. So my server sends mail without
  checking because they are authenticated. Every time this happens I have to
  block the email account of my client, I contact him to remove the adware
  from your computer and when I confirmed that your computer is disinfected to
  reactivate your account. This is being increasingly common and this week has
  come to me SenderBase rate of poor reputation.

  Does anyone else have this problem? How do you solve?

  I have tried using Declude Hijack, but I can not figure out how to unblock
  an IP that is blocked for exceeding the limit 2.


  From Hijack manual:
  "Since the spammer has passed the 2nd threshold, he is banned, and all his
  Email gets held permanently in \ spool \ spam \ HOLD2. He will only be able
  to send mail again if the Declude Console is closed ... In which case he
  will get banned again as soon as he passed the 2nd threshold again. "

  What is "Declude Console"?

  Declude Hijack seems like a good option in theory but in my case I have
  clients that send emails via Outlook Express and CCO. I think I can solve
  this problem by creating a list of users to avoid them with ALLOWIP or
  ALLOWADDR.

  Thank you.
  Ruben Marti.





RE: [Declude.JunkMail] Declude Hijack

2010-01-13 Thread David Barker
Hijack is the solution to your problem. As we count the number of emails
from a specific IP or address with the latest release. When the hold2
threshold is reached these messages are quarantined, regardless of whether
they are whitelisted or authenticated.

We will be updating the Hijack manual with this latest release of 4.10.42

The console is no longer used as this information has been replaced by the
\Declude\console.txt file. The ALLOWIP and ALLOWADDR are used if you want to
exempt users or IP's from triggering hijack.

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

 



-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Mon
Mariola - Rubén
Sent: Tuesday, January 12, 2010 9:42 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Declude Hijack

Some time ago I'm declude user, initially with imail and in recent years 
with SmarterMail. Now with SmarterMail 5.5 and Declude 4.10.42.

Now I have a problem not solved. Some adware, or viruses, steal the account 
settings of outlook express to my customers. So my server sends mail without
checking because they are authenticated. Every time this happens I have to 
block the email account of my client, I contact him to remove the adware 
from your computer and when I confirmed that your computer is disinfected to
reactivate your account. This is being increasingly common and this week has
come to me SenderBase rate of poor reputation.

Does anyone else have this problem? How do you solve?

I have tried using Declude Hijack, but I can not figure out how to unblock 
an IP that is blocked for exceeding the limit 2.


From Hijack manual:
"Since the spammer has passed the 2nd threshold, he is banned, and all his 
Email gets held permanently in \ spool \ spam \ HOLD2. He will only be able 
to send mail again if the Declude Console is closed ... In which case he 
will get banned again as soon as he passed the 2nd threshold again. "

What is "Declude Console"?

Declude Hijack seems like a good option in theory but in my case I have 
clients that send emails via Outlook Express and CCO. I think I can solve 
this problem by creating a list of users to avoid them with ALLOWIP or 
ALLOWADDR.

Thank you.
Ruben Marti. 
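
The behaviour discussed in this thread (per-IP and per-address counting, a second threshold that holds mail even when the sender is authenticated, ALLOWIP/ALLOWADDR exemptions, and a counter that only a restart clears) can be modelled as below. This is an added conceptual sketch, not Declude's code or configuration syntax; the class and method names, the counting window and the behaviour at the first threshold are assumptions.

```python
class VolumeGuard:
    """Toy model of outbound volume limiting with two thresholds (hypothetical)."""

    def __init__(self, hold1, hold2, window, allow_ips=(), allow_addrs=()):
        self.hold1, self.hold2, self.window = hold1, hold2, window
        self.allow_ips = set(allow_ips)
        self.allow_addrs = {a.lower() for a in allow_addrs}
        self.sent = {}       # ("ip"|"addr", value) -> timestamps inside the window
        self.banned = set()  # keys that passed the 2nd threshold

    def check(self, ip, addr, now, authenticated=True):
        # 'authenticated' is deliberately ignored: stolen credentials make the
        # sender look legitimate, so only volume decides the verdict.
        addr = addr.lower()
        if ip in self.allow_ips or addr in self.allow_addrs:
            return "deliver"           # exempt senders never trigger a hold
        verdict = "deliver"
        for key in (("ip", ip), ("addr", addr)):
            if key in self.banned:
                verdict = "hold2"
                continue
            stamps = [t for t in self.sent.get(key, []) if now - t < self.window]
            stamps.append(now)
            self.sent[key] = stamps
            if len(stamps) > self.hold2:
                self.banned.add(key)   # stays banned after the window expires
                verdict = "hold2"
            elif len(stamps) > self.hold1 and verdict != "hold2":
                verdict = "hold1"
        return verdict

    def restart(self):
        # Models a process restart: every counter and ban is lost at once,
        # which is why a single sender cannot be released selectively.
        self.sent.clear()
        self.banned.clear()


def simulate():
    # Constructed scenario: one compromised account sends 12 messages in 12 s.
    guard = VolumeGuard(hold1=5, hold2=10, window=600,
                        allow_addrs={"news@example.test"})
    burst = [guard.check("203.0.113.7", "bob@example.test", t) for t in range(12)]
    later = guard.check("203.0.113.7", "bob@example.test", 100000)
    exempt = {guard.check("198.51.100.9", "news@example.test", t) for t in range(50)}
    guard.restart()
    after_restart = guard.check("203.0.113.7", "bob@example.test", 100001)
    return burst, later, exempt, after_restart


if __name__ == "__main__":
    print(simulate())
```
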



