[Declude.JunkMail] automated response

2011-11-03 Thread Dave Marchette
Effective immediately, please use dave.marche...@connectedindustries.com for 
all business and non-business related correspondence.  The citcomm.com address 
is no longer valid.

Thanks,

Dave Marchette



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.



[Declude.JunkMail] automated response

2011-09-08 Thread Dave Marchette
Effective immediately, please use dave.marche...@connectedindustries.com for 
all business and non-business related correspondence.  The citcomm.com address 
is no longer valid.

Thanks,

Dave Marchette






RE: [Declude.JunkMail] OT: Alligate Problems (ES)

2008-08-29 Thread Dave Marchette
Always copy and paste, and always don't allow a trailing space at the
end of the domain name to also be pasted because if you do, Alligate
will ignore it.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Craig Edmonds
Sent: Friday, August 29, 2008 7:53 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] OT: Alligate Problems (ES)



Yeah. Glad to hear that it all works for you.

ALWAYS copy and paste domain names and email addresses!!!

Kindest Regards
Craig Edmonds
123 Marbella Internet Services
W: www.123marbella.net




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Scott
Fosseen
Sent: 29 August 2008 16:03
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] OT: Alligate Problems


Thanks everyone for your input.  It looks like my install is now working
as it should be.

The slow delivery times were caused by performance problems on a remote
mail server and a MX record that should have been reconfigured.  The
simple story was that 5+ years ago I was running backup smtp servers for
some of my clients.  The problem was that I still had one of these
clients setup with me running a backup to their mailserver.  What looks
to have happened is that the recent increase in mail caused their mail
server beyond capacity which caused an assortment of problems from not
responding, to starting to accept mail and then stall.  So when their
mail server was choking mail started to come into my Alligate server.
When my Alligate tried to verify users it would contact the sick mail
server which for all practical purposes tar-pitted the requests.
Eventually Alligate was using all its resources to establish connections
to a mail server that could not complete requests, and email simply
backed up.  Once AGSupport reconfigured my AG box to not accept mail for
the problem domain the problem went away (after it cleared its backlog).

The 2nd issue was a new domain I added I misspelled the domain name.
Even after I had checked the spelling on not less than 5 occasions I
missed the typo each time.  Once that was corrected AG worked as
expected.


--
From: Scott Fosseen [EMAIL PROTECTED]
Sent: Monday, August 25, 2008 5:19 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] OT: Alligate Problems

| From the recommendations from this list I am currently evaling alligate.  I
| have to say my installation has been plagued with problems.  I installed on
| a fresh HP DL360 G3 with dual 2.8 Ghz Xeon processors, 4 gig of ram, and
| mirrored Ultra320 SCSI 72 Gig drives.
 






RE: [Declude.JunkMail] Declude/Sniffer Issues

2007-02-19 Thread Dave Marchette
Based on these numbers, in addition to everyone else's suggestions you may 
consider adding a prescanning gateway in front of Declude.
 
 
  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Chris Patterson
Sent: Monday, February 19, 2007 12:33 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Declude/Sniffer Issues



Threads = 500

 

3 days (approx): 1420731   [Spam: 1392289   Virus: 114]
Relay High: 0

 

 

 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL 
PROTECTED])
Sent: Monday, February 19, 2007 2:53 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Declude/Sniffer Issues

 

What is your mail volume and how many threads do you have declude configured 
for?


Darrell


Check out http://www.invariantsystems.com for utilities for Declude And Imail.  
IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers.

- Original Message - 

From: Chris Patterson mailto:[EMAIL PROTECTED]  

To: declude.junkmail@declude.com 

Sent: Monday, February 19, 2007 2:20 PM

Subject: RE: [Declude.JunkMail] Declude/Sniffer Issues

 

When this issue happens which seems more frequent, I do clear out the thousands 
of left behind files.  I am more trying to find a way to prevent it or reason 
that is happening.

 

And yes, Sniffer does have a hard time operating when it hoses up that bad.

 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL 
PROTECTED])
Sent: Monday, February 19, 2007 1:40 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Declude/Sniffer Issues

 

Chris,

 

I am gathering that you are running Sniffer in persistent mode?  I would stop 
your declude and Sniffer services.  Then go into the sniffer directory and 
remove all of the *.fin, *.svr files.  I am not sure what the .xxx files are.  
I have yet to see those.  Then I would check your Sniffer log for any errors.  
After making sure there are no errors I would restart the Sniffer persistent 
service and Declude and see if the issue is resolved.  It's possible Sniffer 
could be stepping on itself trying to weed through all those files.  

 

Darrell


Check out http://www.invariantsystems.com for utilities for Declude And Imail.  
IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers.

- Original Message - 

From: Chris Patterson mailto:[EMAIL PROTECTED]  

To: declude.junkmail@declude.com 

Sent: Monday, February 19, 2007 1:03 PM

Subject: RE: [Declude.JunkMail] Declude/Sniffer Issues

 

I get this in logs:

 

02/19/2007 05:16:12.213 23859386 ERROR: External program SNIFFER didn't finish 
quick enough; terminating.

02/19/2007 05:16:12.213 23859386 Couldn't get external program exit code

 

At this point I see thousands of .xxx and .fin files built up in the sniffer 
directory.  Usually forcing a sniffer update (normally done every hour 
automatically).

 

 

 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL 
PROTECTED])
Sent: Monday, February 19, 2007 9:32 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Declude/Sniffer Issues

 

What are you seeing in the logs that indicates this?  Declude will terminate long 
running external processes and log that it terminated it.   Are you seeing 
those entries?  Also, during these times when you look at task manager do you 
see a bunch of idle sniffer processes?

Typically from my experience when you see all the threads being used with very 
little to no CPU usage it tends to be a DNS issue (i.e. slow or not responding 
DNS server).

 

Darrell


Check out http://www.invariantsystems.com for utilities for Declude And Imail.  
IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers.

- Original Message - 

From: Chris Patterson mailto:[EMAIL PROTECTED]  

To: declude.junkmail@declude.com 

Sent: Monday, February 19, 2007 8:47 AM

Subject: [Declude.JunkMail] Declude/Sniffer Issues

 

I am running 2 versions of Smartermail  Declude both running Sniffer and 
InvURIBL.  One is Smartermail4/Declude4.3.3 Other is Smartermail2/Declude3.

 

These servers can run perfectly for weeks but for the past few weeks we have 
been sporadically seeing Declude back up files in the Proc directory.

 

At this time all Declude threads are being used with no processing power being 
used.  It appears Sniffer is not finishing and hogging up all the threads after 
reviewing the logs. 

 

Anyone else experiencing this?

 

Thanks,

 

Chris Patterson, CCNA
Network Engineer/Support Manager
Rapid Systems

RE: [Declude.JunkMail] Paid Subscription Black Lists

2006-11-09 Thread Dave Marchette
MXrate seems relatively competent so far. 

 



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Chris Anton
Sent: Thursday, November 09, 2006 9:18 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Paid Subscription Black Lists


Hi. Any one have any good luck with any paid subscriptions?  We have
been hit hard lately, and are willing to dish out some dough to get our
stats back up.  Please advise.  Thanks! -Chris






[Declude.JunkMail] picture spam

2006-10-11 Thread Dave Marchette








Has anyone figured out a reasonable way to use Declude to
minimize picture spam? Sniffer is missing most. They are sent from fresh
hosts, so RBLs don't catch them, and there is no target, so INVuribl
misses them as well. Associates of ours are using Barracuda to stop most successfully,
so it is at least possible. Ideas are welcomed. 



Dave 



 









RE: [Declude.JunkMail] picture spam

2006-10-11 Thread Dave Marchette








Thanks Chris. CommTouch definitely seems
to have promise. But for now, I'd like to experiment with the filter. Is
this something we can have access to? 



 











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of chris
Sent: Wednesday, October 11, 2006 10:14 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] picture spam





CommTouch catches them all, I have a
filter that can add some weight to image based spam, it may be able to push it
over the threshold and at least quarantine it for you.







Chris Asaro

Technical Support Engineer

Declude

Your Email security is our business

866.332.5833 toll free
978.499.2933 office
978.477.8930 e-fax
[EMAIL PROTECTED]
www.declude.com





















From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Marchette
Sent: Wednesday, October 11, 2006 1:09 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] picture spam





Has anyone figured out a reasonable way to use Declude to
minimize picture spam? Sniffer is missing most. They are sent from
fresh hosts, so RBLs don't catch them, and there is no target, so
INVuribl misses them as well. Associates of ours are using
Barracuda to stop most successfully, so it is at least possible.
Ideas are welcomed. 



Dave 



 








RE: [Declude.JunkMail] picture spam

2006-10-11 Thread Dave Marchette








Thanks all for the various suggestions.
Agreed- combo is the way to use that test, for sure. A bit OT, but what
is the popular and accurate DUL database these days? How accurate is
fiveten at DUL lookups? 



















From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Wednesday, October 11, 2006 12:49 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] picture spam







I combo the graphics hit (jpg, gif or png) with:

1. bad DNS - None or timeout
2. bad language (eastern European iso-8859-2) or Cyrillic (koi8-r or iso-8859-5), etc
3. cmdspace
4. good DUL IP lists/tests
5. having forged your local domain.

I still get 5-10 a day. It is a pain.



















- Original Message -
From: Dave Marchette
To: declude.junkmail@declude.com
Sent: Wednesday, October 11, 2006 12:08 PM
Subject: [Declude.JunkMail] picture spam









Has anyone figured out a reasonable way to use Declude to
minimize picture spam? Sniffer is missing most. They are sent from
fresh hosts, so RBLs don't catch them, and there is no target, so
INVuribl misses them as well. Associates of ours are using
Barracuda to stop most successfully, so it is at least possible.
Ideas are welcomed. 



Dave 



 




RE: [Declude.JunkMail] Loads of ndr's - I think we're failing spam tests

2006-09-27 Thread Dave Marchette








The logs should tell you why other servers
are rejecting you. Based on personal observation, it appears lately that
less experienced admins are actually using SpamCop's RBL list to reject incoming
SMTP at the envelope. This is foolish for a myriad of reasons yet
nevertheless, it is happening. Others, such as Comcast and AOL, employ similar
tactics for equally insidious reasons. For instance- If you are using gatewayed
domains, and then bounce "mailbox full" notifications, or if your
users are utilizing autoresponders (big no no), then if just one of these bounces
hits a Spamcop, AOL or Comcast trap, then your goose is cooked. With AOL
specifically, if just one AOL user complains about your server, then AOL will
place you on a blocking call list, which effectively throttles your mail delivery
to AOL. This is evidenced in the logs by "blocking call canceled".
This is actually far less bad than what others are doing now, which is sending "invalid
user" response which means delivery attempts stop immediately.
For at least AOL, you can request a postmaster feedback loop so
that anytime an AOL user complains, they will automatically send you the email
that caused the complaint. Though I understand AOL's need to filter
vast quantities of spam, their militant behavior will eventually cause them to lose
enough business that they will ultimately become insignificant. Lately,
we have started telling users that we do not support sending email to AOL or Comcast
users, and we cite very specific examples of why. 



Probably too much info, but the point is,
admins of both large and small domains these days are dropping transmission of
valid email at the envelope based in some cases upon inaccurate criteria.

Advice: Make sure you are not erroneously
bouncing email to stay off of their overly sensitive blacklists.



Dave



 



 



 







 



 











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katie LaSalle-Lowery
Sent: Wednesday, September 27, 2006 2:29 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Loads of ndr's - I think we're failing spam tests







Hello, 











We are getting tons of ndr's. When I check logs,
receiving servers are rejecting the messages. I suspect we're failing
spam tests but I can't figure out what has changed in the last few days that
would have caused this problem.











Does anyone see something about my email that would explain
it or can anyone offer any other insight?











Thanks, 





Katie




























RE: [Declude.JunkMail] OT: Monitoring/Auditing a Windows Server

2006-06-01 Thread Dave Marchette








I'll second the recommendation for
Paessler's PRTG product.



 











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert E. Spivack
Sent: Thursday, June 01, 2006 1:16 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] OT: Monitoring/Auditing a Windows Server





MRTG is free but a pain to setup and
reporting is limited. Some swear by Cacti, but setup is also complex.



A reasonable cost effective tool is
Paessler. Windows-specific, but well implemented and supported. http://www.paessler.com/



It has a packet capture mode (aka
sniffer) which will do a lot more than just snmp counting and
exports reports to pdf











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Thursday, June 01, 2006 10:04 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] OT: Monitoring/Auditing a Windows Server





Hi Robert,



All very good questions.



The client is paying for piece work as
opposed to an hourly rate so monitoring time spent against time billed is not a
concern.



Mostly they want to know if the developers
are using the environment that has been provided to them. 2 SQL servers, 2 web
servers, 2 application servers. Comments like did they just upload the new
stuff the day before the deliverable date? Are they using the environment that
was provided for 5 minutes a day or hours per day?



I am thinking of it as more of a
validation of the whole support environment for the developers rather than did
they update/fix that web page.



Monitoring the host machines via SNMP
might be an idea. Any simple (but good) tool leap to mind?



Thanks





Goran Jovanovic

Omega Network Solutions











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert E. Spivack
Sent: Wednesday, May 31, 2006 7:01 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] OT: Monitoring/Auditing a Windows Server





Let's start at the high-level:

What question are you trying to answer?

e.g:

Are the developers spending enough time doing the work they should be doing?

Are the developers doing things they should not be doing?

Are the developers competent and performing their job properly?

Are the developers' hours spent working matching their timesheets/project sheets?

Etc.

There are different solutions depending upon your objectives.

Note: Personally, for outsourcing I
pay based on a project or deliverable so tracking time/usage is of no interest
to me. I pay for a certain result and don't care if it takes an
hour or a week to do it. Also, I audit the quality of the finished
product/code/service, I don't care about the tools/methods used to reach
that goal.

In your case:

Since you have a virtual server
environment, you can also audit at the host level. E.g. you can run SNMP
tools and measure traffic (bps and total bytes in/out) on the virtual network
ports of the virtual machine to see the activity level. You can see the
protocol (http, http, netbios, smb, etc.) to see what type of activity is
flowing through the machine. If you run the tool in a virtual machine on
the same physical host, it can use packet capture to fully analyze the traffic
and not just SNMP/WMI. 

You might consider re-writing your
outsourcing contract. You really shouldn't have to police the
project/micromanage it. After all, management of outsourcing is the hidden
cost that can eat you alive and remove any cost benefits so why allow yourself
to fall into that black hole?











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Wednesday, May 31, 2006 1:09 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] OT: Monitoring/Auditing a Windows Server





It is a dev/staging server running in a
virtual server environment so I have to be a bit careful what I turn on or
don't.



I tried the auditing a file. Wow talk
about generating Security Event Log records. I turned auditing on for two files
bginfo.exe and its corresponding config.bgi file. Then I ran it to generate the
background on file server. That simple little thing created 15 log entries.



If we turn this on we are going to need
something to parse the security log file as I can see that it is going to produce
a HUGE amount traffic in there.





Goran Jovanovic

Omega Network Solutions

















From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shaun Mickey
Sent: Wednesday, May 31, 2006 3:34 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] OT: Monitoring/Auditing a Windows Server





You could also enable auditing in Windows to examine
file level access, just r-click on any file/folder and select properties, click
on the security tab then click advanced then click on the auditing tab. 



WARNING: auditing a lot of high-use files could
strain the server



That being said, you're on a dev server so it should be
alright, though I would keep the number 

[Declude.JunkMail] WMF and MIME blocking

2006-01-10 Thread Dave Marchette
FYI from the Full Disclosure mailing list- re: WMF  

Preliminary testing reveals that emails containing WMF files can be
blocked by filtering for the MIME-encoded WMF header.  This approach
works even if the file is called WORD.DOC.  The string to check for
is:  

183GmgAA

These 8 bytes appear as the first 8 bytes of a MIME-encoded WMF.  
Thus, blocking all emails with those bytes in will block all emails
containing WMFs.  

This technique can be used with common spam filters.  

Regarding web-based WMFs, of the three browsers on this system, only IE
knows what to do with WMFs.
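
The check described in the forwarded note, as an added example that is not part of the original post or of the Full Disclosure message: it confirms which raw bytes `183GmgAA` stands for (the placeable-WMF key `d7 cd c6 9a` plus a zero handle) and compares a raw string match with a check on the decoded MIME part. The sample messages, addresses and function names are constructed for illustration.

```python
import base64
from email import message_from_string
from email.message import EmailMessage

# Placeable WMF files begin with the 32-bit key 0x9AC6CDD7 (stored
# little-endian) followed by a 16-bit handle that is zero.
PLACEABLE_WMF_PREFIX = bytes.fromhex("d7cdc69a0000")

# The string quoted in the post.
BASE64_MARKER = "183GmgAA"


def marker_from_prefix() -> str:
    """Base64 of the six header bytes; should equal the string in the post."""
    return base64.b64encode(PLACEABLE_WMF_PREFIX).decode("ascii")


def raw_string_match(raw_message: str) -> bool:
    """The filter as described: the marker appears anywhere in the message."""
    return BASE64_MARKER in raw_message


def wmf_parts(raw_message: str) -> list[str]:
    """Decode every leaf MIME part and test the decoded bytes.

    The filename and declared content type are ignored, so an attachment
    named WORD.DOC is still recognised, while text that merely mentions
    the marker is not.
    """
    msg = message_from_string(raw_message)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(PLACEABLE_WMF_PREFIX):
            hits.append(part.get_filename() or "(unnamed)")
    return hits


def build_attachment_message() -> str:
    """Constructed sample: attachment with a WMF header but a .DOC name."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "rcpt@example.test"
    msg["Subject"] = "constructed sample with attachment"
    msg.set_content("see attached")
    # Header bytes followed by zero padding; not a renderable image.
    msg.add_attachment(
        PLACEABLE_WMF_PREFIX + bytes(34),
        maintype="application",
        subtype="msword",
        filename="WORD.DOC",
    )
    return msg.as_string()


def build_discussion_message() -> str:
    """Constructed sample: plain text that only talks about the marker."""
    msg = EmailMessage()
    msg["From"] = "admin@example.test"
    msg["To"] = "list@example.test"
    msg["Subject"] = "constructed sample, text only"
    msg.set_content("The string to check for is 183GmgAA.")
    return msg.as_string()


if __name__ == "__main__":
    print("marker:", marker_from_prefix())
    for name, builder in (("attachment", build_attachment_message),
                          ("discussion", build_discussion_message)):
        raw = builder()
        print(name, "| raw match:", raw_string_match(raw),
              "| decoded WMF parts:", wmf_parts(raw))
```

The raw string match also fires on a message that only quotes the marker, such as a forwarded copy of this advisory, so a body filter built on it is best given weight or a quarantine action rather than an outright delete.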





[Declude.JunkMail] PFV-Exploit

2005-12-30 Thread Dave Marchette














Has anyone seen these hit the perimeter yet?





http://www.f-secure.com/weblog/




http://www.kb.cert.org/vuls/id/181038























[Declude.JunkMail] OT: New exploit in the wild

2005-12-28 Thread Dave Marchette


http://sunbeltblog.blogspot.com/2005/12/new-exploit-blows-by-fully-patched.html
 
and  

http://www.securityfocus.com/bid/16074/discuss 





[Declude.JunkMail] OT- APC software JAVA certificate timeout

2005-08-06 Thread Dave Marchette
This is OT(sorry!) but if any of you are running APC PowerChute on your servers 
to enable graceful shutdown on power fail, there is an issue with a certificate 
expiring last week.  This can cause odd RDC\TS\APC\generally bizarre and 
potentially debilitating network issues.  

More info here:  http://msmvps.com/bradley/archive/2005/07/28/59861.aspx  


Dave




[Declude.JunkMail] Potential Imail list issue

2005-08-06 Thread Dave Marchette



Anyone else having trouble sending to the Ipswitch Imail list? I tried a posting
last night and it bounced.

This is what DNS Report returns:

"Getting MX record for list.ipswitch.com (from local DNS server, may be cached)...
There is no MX record for list.ipswitch.com! That's bad.
Checking for an A record... Got it!

Host               Preference  IP(s) [Country]
list.ipswitch.com  0           156.21.1.21 [US]

Step 1: Try connecting to the following mailserver:
list.ipswitch.com - 156.21.1.21
Step 2: If still unsuccessful, queue the E-mail for later delivery.

Trying to connect to all mailservers:
list.ipswitch.com - 156.21.1.21 [Could not connect: Could not connect to mail server (connection refused by remote mailserver)."




RE: [Declude.JunkMail] RBL's becoming worthless...

2005-07-26 Thread Dave Marchette
Agreed.  I had to take my INV URI filtering offline for a few days for
some testing.  Upon looking back at my kill stats I was intrigued by how
much is actually missed by RBL but is caught by INV URI.  

  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darrell
([EMAIL PROTECTED])
Sent: Tuesday, July 26, 2005 11:02 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] RBL's becoming worthless...


Chuck, 

Agreed.  This is why URI filtering is essential now.  From the SURBL
site. 

 [URI Filtering] We feel this is a promising approach since it
addresses the core problem of spam most directly: the sites advertised
in the spams. Spammers have found ways to get around conventional RBLs
by stealing services from multiple open relays or hijacking computers
using viruses or trojan horse programs. Because of this theft of
services and forced entry into unsuspecting victim computers, spammers
are able to exploit multiple new mail sources, sometimes for only a few
minutes at a time, faster than RBLs can identify and block mail from
those addresses. This is a significant weakness in conventional RBLs,
and spammers have devised various ways to exploit it. There are other
problems with conventional RBLs that can make their use potentially
problematic. (This is not meant to be a criticism of RBLs however. Like
most other mail administrators, I use some conventional RBLs on my mail
servers to do things like block open relays, etc. So conventional RBLs
can be used effectively together with SURBL.) 

Darrell
 ---
Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration,
MRTG 
Integration, and Log Parsers. 

 

Chuck Schick writes: 

 In the last several months we have seen large quantity of spam coming 
 from IP blocks that never seem to get listed on any RBL.  Spamcop is 
 about the only one that picks some of them up and once in awhile 
 spamhaus.  There was a block last night that sent several hundred and 
 sendbase.org showed they had detected no email from that block.
 
 The reason I bring this up is because when we first started blocking 
 spam I would say the blacklists would catch almost 90% so we relied 
 heavily on the blacklist.  With the blacklists not being as effective 
 we need to rely on other tests like sniffer but that misses alot also.
 
 Chuck Schick
 Warp 8, Inc.
 (303)-421-5140
 www.warp8.com
 


RE: [Declude.JunkMail] Blacklist effectiveness

2005-06-03 Thread Dave Marchette
Darin,

If you have not yet, you might consider adding SURBL testing as well.  Darrell 
(http://www.invariantsystems.com)  has a product, invURIBL, that is competent 
at interfacing SURBL to Declude(which in reality should and may at some point 
in time do this natively) as an ext. test.  SURBL looks at the target link of 
the spam, and compares it to numerous blacklists(including name server bl).  

Drawbacks:
1  Processor intensive(testing showed a 15% increase in proc usage) 
2  Difficult to fine tune.  'Out of the box' this product returns a weight that 
is a factor of several configurable tests that run inside INV.  You have to 
fine tune each, then observe the end result.  There is likely an easier way to 
tune this but I have not yet delved too far in.  

Upside: 
1  As effective as Sniffer, and utilizes a different mechanism for 
identification.  Low false positives.  
2  Cheap


Sniffer is _amazing_.  However, we were discouraged after it took 8 hours to 
get a Sniffer rulebase for the last wave of German spam.  So, we started 
testing SURBL to give Sniffer some help.  

Side note:  The very instant we initialized testing, we started seeing a 
significant increase in picture spam (just a gif file, nothing else, not even a 
link - therefore undetectable to SURBL)   We attribute this to the fact that we 
did not sufficiently cloak the test name in the headers and body, and the mass 
mailers determined by way of 'mailbox full' bounces from the test domain, that 
we were utilizing SURBL.

Dave

  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Scott Fisher
Sent: Friday, June 03, 2005 7:11 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Blacklist effectiveness


I've posted my spamtest effectiveness from Feb 2004 forward at 
http://it.farmprogress.com/declude/declude.htm

- Original Message - 
From: Darin Cox 
To: Declude.JunkMail@declude.com 
Sent: Friday, June 03, 2005 8:33 AM
Subject: [Declude.JunkMail] Blacklist effectiveness


Anyone else noticing over the past few months that DNSBLs and RHSBLs have 
almost completely lost their effectiveness?

We're seeing only a few (e.g. SBL, MXGATE, MAILPOLICE) that catch more than 5% 
of incoming spam, and they top out at less than 6%.

If it weren't for Sniffer and the specialized tests in Declude we'd be buried.

Just curious as to what others are seeing...

Darin.


RE: [Declude.JunkMail] German political spam

2005-05-15 Thread Dave Marchette
Correct. And along those lines, two thoughts come to mind.  

1  Many of your users may see hundreds (maybe thousands) of 
nondeliverable\unknown user bounces.  'Damage control Monday' should be fun 
this week.

  and

2  For those of you using whitelist from: address or entire @domains in 
Declude (not a best practice but still done often, I'd guess), then your 
spamfilters won't catch a fair chunk of the spam since you might be 
whitelisting your industry specific domains.  Sniffer for instance is catching 
most of these with 060- a fact which rapidly approaches irrelevance if you are 
whitelisting the from: @domain.com of any of your related industries.

Just a few pre-caffeine random thoughts for a Sunday morning. 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Nick
Sent: Sunday, May 15, 2005 8:28 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] German political spam


On 15 May 2005 at 10:50, Marc Catuogno wrote:

 I am seeing randomized addresses, but they seem to be from related
 industries.  We are in real-estate, the addresses are random then @
 other real-estate companies, title companies, etc.
Good observation - all of the ones I have received have come from 
medical - educational targeting a large physician database we host.

Seems to be a very sophisticated campaign - of which at least 90% so 
far are coming from clean domains/clean ip's.  Maybe someone Matt? , 
can figure out some sort of pattern we can target from the spamware?

-Nick
 


[Declude.JunkMail] German political spam

2005-05-14 Thread Dave Marchette
Anyone else getting hit with massive waves of German spam as a byproduct of 
modified Sober code continuing from around 2 pm EDT today, or am I 'unique' in 
this?  





[Declude.JunkMail] OT Microsoft Security Update

2004-07-30 Thread Dave Marchette
This one is specifically interesting because of the .GIF via email
concept.  



-BEGIN PGP SIGNED MESSAGE-

MICROSOFT SECURITY UPDATE ALERT

July 30, 2004

SECURITY UPDATE SUMMARY FOR JULY 2004
   Microsoft has released a cumulative security update for Microsoft(R)
Windows(R) that addresses issues in Internet Explorer, a component of Windows.

LEARN MORE
   To learn about this update and which software is affected, review
this notice on Microsoft.com:
   http://go.microsoft.com/?LinkID=696522

__


BEWARE OF BOGUS BULLETINS
   If you get e-mail that claims to contain a Microsoft software 
update, it is probably a virus trying to trick you into infecting your
computer. Microsoft never widely distributes software in e-mail. Learn
how to spot a bogus bulletin: http://www.microsoft.com/verifymail/

__

ADDITIONAL RESOURCES

SECURITY WEB SITE
   http://www.microsoft.com/security/

HELP PROTECT YOUR PC FROM MASS MAILER WORMS
   http://www.microsoft.com/security/incident/mass_mailer.mspx

SECURITY BULLETIN SEARCH TOOL
   http://www.microsoft.com/technet/security/current.aspx

SECURITY NEWSGROUPS
   http://go.microsoft.com/?LinkID=436862

PROTECT YOUR PC
   http://www.microsoft.com/athome/security/protect/

__
_

ABOUT THE MICROSOFT SECURITY UPDATE
   The Microsoft Security Update is an e-mail alert service designed 
for home users and small businesses that provides information about 
Microsoft security updates and virus alerts. Microsoft also uses this
service to make subscribers aware that they might need to take action to
guard against a circulating security threat.

   You have received this update because you are a subscriber. If you
would like to unsubscribe, follow the instructions at the bottom 
of this page.
__
_

To cancel your subscription to this newsletter, reply to this message
with the word UNSUBSCRIBE in the Subject line. You can also unsubscribe
at the Microsoft.com web site
http://www.microsoft.com/misc/unsubscribe.htm. You can manage all your
Microsoft.com communication preferences at this site.

Legal Information
http://www.microsoft.com/info/legalinfo/default.mspx.

This newsletter was sent by the Microsoft Corporation
1 Microsoft Way
Redmond, Washington, USA
98052


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]



RE: [Declude.JunkMail] bannotify.eml

2004-07-22 Thread Dave Marchette

If we want to block all zips, but we want to only send an 'attachment
blocked' message if the zip is an EZIP, can this be accomplished with
SKIPIFEXT EZIP?  

Problem seems to be that if you have BANEXT ZIP and BANEXT EZIP, Declude
still only sees them as zip and not EZIP, and flags them as such and
therefore never skips the EZIP because it does not see it as an EZIP,
just as a ZIP.  

  




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Thursday, July 22, 2004 3:07 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] bannotify.eml


Is there a line I can add to not send this email message that fail EZIP?

With the latest interim (http://www.declude.com/version/interim), you can 
add a line SKIPIFEXT EZIP to the bannotify.eml file.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in
mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.



RE: [Declude.JunkMail] bannotify.eml

2004-07-22 Thread Dave Marchette
Correction:  

Should read If we want to block all zips, but we want to NOT send an
'attachment blocked' message if the zip is an EZIP, can this be
accomplished with SKIPIFEXT EZIP?

Sorry for the confusion.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Marchette
Sent: Thursday, July 22, 2004 11:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] bannotify.eml


If we want to block all zips, but we want to only send an 'attachment
blocked' message if the zip is an EZIP, can this be accomplished with
SKIPIFEXT EZIP?  

Problem seems to be that if you have BANEXT ZIP and BANEXT EZIP, Declude
still only sees them as zip and not EZIP, and flags them as such and
therefore never skips the EZIP because it does not see it as an EZIP,
just as a ZIP.  

  




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Thursday, July 22, 2004 3:07 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] bannotify.eml


Is there a line I can add to not send this email message that fail EZIP?

With the latest interim (http://www.declude.com/version/interim), you can 
add a line SKIPIFEXT EZIP to the bannotify.eml file.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in
mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.



RE: [Declude.JunkMail] AutoWhite by eServices

2004-06-23 Thread Dave Marchette
John, have you come up with a way to use this on a gateway for gateway'd
domains?



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
(Lists)
Sent: Wednesday, June 23, 2004 10:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] AutoWhite by eServices

 Also keep in mind that this test should be disabled as soon as we hear about
 spam messages using real existing recipient addresses that were already in
 contact with your local customer. Sober.G was close to doing that.

Generally speaking, you should not have to do that. This is because
AutoWhite for Declude is intended for use as a negative weight, not as a
whitelist. However, it is possible, just as it would be if there were JM
whitelisting in place via the Global.cfg or white list files. Also,
AutoWhite for Declude uses the sending e-mail address in the envelope as
Imail receives it, not the from address in the headers.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You




RE: Re[2]: [Declude.JunkMail] AutoWhite by eServices

2004-06-23 Thread Dave Marchette
A client has a pair of generic incoming MX servers.  These then feed
into a Declude server, storing and forwarding to the mailbox server.
The mailbox server does its own outbound mail. 

Question is, due to the fact that AutoWhite works by looking at outgoing
mail (which in this case is done on the mailbox server), will there ever
be any way for an instance of AutoWhite, running on the store and
forward server, to know about the outgoing server's outbound traffic so
that negative weight can be added at the store and forward device?  

This is the same sort of issue with Declude's Whitelist feature which
looks at the address book for web messaging.  Unless you have Declude
installed on the mail box server, it has no way to look at either the
address book entries or the outbound traffic, making all automatic
whitelisting features essentially useless for store and forward.  

I'd like to know if it will ever be possible to do this, perhaps by a
routine that can parse the log on the mail box server (in the case of
AutoWhite) or by remote interrogation of web address lists (in the case
of Declude's whitelist feature).  I fear that not enough people are
using Declude as a store and forward device and therefore demand will
not be high enough to justify the change.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sanford
Whiteman
Sent: Wednesday, June 23, 2004 11:59 AM
To: Dave Marchette
Subject: Re[2]: [Declude.JunkMail] AutoWhite by eServices

 John, have you come up with a way to use this on a gateway for
gateway'd
 domains?

You  mean _between_ gatewayed domains, or from remote wildcard domains
to remote gatewayed domains?

--Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
 
http://www.mailmage.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange Addresses into IMail Aliases!
 
http://www.mailmage.com/products/software/freeutils/exchange2aliases/download/release/



[Declude.JunkMail] Mutant son of MyDoom plans three-pronged attack (PLEXUS-A)

2004-06-04 Thread Dave Marchette









Mutant son of MyDoom plans three-pronged attack


Virus writers have used code from the infamous Mydoom
worm to create a potentially dangerous new Internet worm which uses multiple
methods to spread. 

Plexus-A spreads using three different methods: infected email attachments, file-sharing
networks and Windows vulnerabilities (the LSASS vulnerability used by Sasser
and the RPC DCOM flaw used by Blaster). The as yet unknown virus authors used
MyDoom source code as the basis for creating Plexus, according to an analysis
of the worm by Russian AV firm Kaspersky Labs. 

David Emm, senior technology consultant at Kaspersky Labs,
said that the multiple spreading methods is helping Plexus to infect more
machines. No worm since Nimda has used as many methods to spread, according to
Emm. Kaspersky rates Plexus as a moderate risk. It is spreading - but nothing
like as fast as Sasser or Blaster - and the main concern about the worm stems
from the fact it creates a backdoor for hackers on infected machines. These
compromised machines could be used for spam runs or as a platform for DDoS
attacks. However the motives of the virus authors behind the worm remain
unclear. 

Plexus-A chooses from five different email message headers
in an attempt to bamboozle users. Each message has a different header, body and
attachment name. The only characteristic which does not change is the file
size: 16208 bytes when compressed with FSG and 57856 when uncompressed. Mac and
Linux users are - as usual - immune but Plexus is a menace for Windows users. 

Upon execution Plexus-A copies itself to the Windows system registry under the name
upu.exe, which runs every time a machine is rebooted after infection. Plexus
sends copies of itself to email addresses harvested from the hard drives of
infected machines. 

The worm is among the first to specifically target users
of Kaspersky Labs' AV software. Plexus' payload includes attempts to prevent
downloads of Kaspersky Anti-Virus database updates. Plexus also scans the Net
for systems vulnerable to the flaws it exploits. The worm opens a backdoor onto
infected machines on port 1250, making it possible for files to be remotely
uploaded to and from the victim machine. The open port leaves the victim
machine vulnerable to further attacks, Kaspersky Labs warns. 

Users are advised to patch Windows boxes, update anti-virus
signature files and use firewalls to shelter against Plexus and similar
irritants that are doubtless just around the corner. Is there no end to this
viral madness?








RE: [Declude.JunkMail] OT: Internet Usage Monitoring

2004-03-30 Thread Dave Marchette
PIX connected to WebSense connected to SQL(or MSDE) will accomplish this
goal.  



-Original Message-
From: Doug Anderson [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, March 30, 2004 12:52 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] OT: Internet Usage Monitoring

web trends firewall suite maybe?

- Original Message - 
From: Kevin Bilbee [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, March 30, 2004 2:43 PM
Subject: [Declude.JunkMail] OT: Internet Usage Monitoring


 Management wants to do web usage monitoring. They do not at this time want
 to do blocking. We have a pix firewall that does what Cisco calls URL
 logging but in reality it does not log the url but the ip address of the
 server and the path on the server to the document being viewed.

 What they want is a log of client ip and url including the host name. They
 also do not want to abandon the PIX.


 Anyone have any suggestions?



 Kevin Bilbee



RE: [Declude.JunkMail] Declude not taking action

2003-12-07 Thread Dave Marchette
Apologies if this has already been mentioned, but this may be a quick easy way to find 
out exactly what messages (and quantity of messages) never got scanned by Declude on a 
per server basis:  If you have Declude configured to add anything consistent to the 
headers, like an x-note: or whatever else, you can use the 'copy all mail to a box' 
feature of Imail, then write a processing rule on the copy box to delete all mail in 
the copy box that has the x-note: data from Declude header.  Then, you can 
periodically check that box to see how many are being missed, because the only mail 
that will end up in that box will be mail that Declude never tried to scan.  There are 
perhaps other ways to use domain proc rules to do this as well but this would be my 
preferred method.

  



-Original Message-
From: Kami Razvan [mailto:[EMAIL PROTECTED]
Sent: Sunday, December 07, 2003 1:35 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Declude not taking action


I figure that each individual E-mail on my system has about a 0.6%
chance of being stolen and delivered by the queue.

Matt:

I have spent a lot of my years in the field of mathematics.  A study done a
while back and it is related to data-mining stated.. men buy baby diapers
and orange juice on Tuesdays more than any other day of the week.

While it sounds interesting it is real hard to make any use of it. :)  -- I
am either very lucky or the 0.6% is only concentrating itself to my
mailbox.

On our very small volume server I got 2 last night and that is only me  -
others are probably getting it and not letting us know.

Attached is an email that IMail added its headers but Declude never saw.

I get about 2-3 daily.

Regards,
Kami
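
The copy-box check described at the top of this message, sketched in Python as an added example; it is not code from the list, from Declude or from IMail. The header name follows the "x-note:" mentioned above, while `SITE_TOKEN`, the helper names and the sample messages are constructed assumptions.

```python
"""Audit a 'copy all mail' box for messages that carry no scanner header."""
from email import message_from_string

# Assumptions (not from the post): the filter stamps every message it scans
# with this header, and the value contains a token unique to this server.
SCAN_HEADER = "X-Note"
SITE_TOKEN = "scanned-by=mail.example.com"  # constructed value


def is_scanned(raw: str) -> bool:
    """True if a real header (not body text) carries the site token."""
    msg = message_from_string(raw)
    # get_all() is case-insensitive on the header name and ignores the body.
    return any(SITE_TOKEN in value for value in msg.get_all(SCAN_HEADER, []))


def audit(box):
    """Return totals plus the Message-IDs that the filter never stamped."""
    missed = []
    for raw in box:
        if not is_scanned(raw):
            msg = message_from_string(raw)
            missed.append(msg.get("Message-ID", "<no message-id>"))
    rate = len(missed) / len(box) if box else 0.0
    return {"total": len(box), "missed": missed, "miss_rate": rate}


def _mail(msg_id, extra_headers="", body="hello\n"):
    """Build one constructed sample message."""
    return (
        "Received: from mx.example.org by mail.example.com; "
        "Sun, 7 Dec 2003 01:35:00 -0800\n"
        f"Message-ID: <{msg_id}@example.org>\n"
        "From: sender@example.org\n"
        "To: user@example.com\n"
        "Subject: sample\n"
        f"{extra_headers}\n{body}"
    )


# Constructed contents of the copy box.
SAMPLE_BOX = [
    # Stamped by the filter.
    _mail("1", "X-Note: scanned-by=mail.example.com weight=3\n"),
    # Delivered without ever being scanned.
    _mail("2"),
    # Stamped, header name in lower case.
    _mail("3", "x-note: scanned-by=mail.example.com weight=12\n"),
    # The token appears only in the body, so it must not count.
    _mail("4", body="X-Note: scanned-by=mail.example.com weight=0\n"),
    # A header of the same name that arrived with the message.
    _mail("5", "X-Note: scanned-by=elsewhere.example.net\n"),
]

if __name__ == "__main__":
    report = audit(SAMPLE_BOX)
    print(f"{len(report['missed'])} of {report['total']} never scanned")
    for message_id in report["missed"]:
        print("  ", message_id)
```

Matching on a server-specific token rather than on the bare header name keeps a message that arrived with its own header of that name from being counted as scanned.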


RE: [Declude.JunkMail] Declude not taking action

2003-12-07 Thread Dave Marchette
Gotcha.  But do the headers of the copy that Imail delivered\stole have any Declude 
markings in the header?



-Original Message-
From: Matthew Bramble [mailto:[EMAIL PROTECTED]
Sent: Sunday, December 07, 2003 4:42 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Declude not taking action


Dave,

It appears that the E-mail getting delivered improperly is the result of 
IMail stealing a copy and processing it apart from Declude.  In the 
example that I provided, Declude deleted the copy that it got because it 
scored too high, but IMail delivered a copy before it was scanned by 
Declude.

Matt


Dave Marchette wrote:

Apologies if this has already been mentioned, but this may be a quick easy way to 
find out exactly what messages(and quantity of messages) never got scanned by Declude 
on a per server basis:  If you have Declude configured to add anything consistent to 
the headers, like an x-note: or whatever else, you can use the 'copy all mail to a 
box' feature of Imail, then write a processing rule on the copy box to delete all 
mail in the copy box that has the x-note: data from Declude header.  Then, you can 
periodically check that box to see how many are being missed, because the only mail 
that will end up in that box will be mail that Declude never tried to scan.  There 
are perhaps other ways to use domain proc rules to do this as well but this would be 
my preferred method.

  
  





RE: [Declude.JunkMail] Declude not taking action

2003-12-06 Thread Dave Marchette
In the mean time, until Ipswitch fixes this, is it safe to assume that the chance 
incident of failure can be reduced by some percentage by utilizing a monstrously 
overrated processor for a given volume of mail?  --  Processor power up, chance of 
failure down, perhaps dramatically?





-Original Message-
From: R. Scott Perry [mailto:[EMAIL PROTECTED]
Sent: Saturday, December 06, 2003 8:33 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Declude not taking action



We've already tracked it down about as far as it can go.  IMail's process 
that handles the queue run is processing E-mails between the time that 
they are saved to the hard drive (or unlocked) by the SMTPD process and 
the time that Declude is able to re-lock the files.

We are trying to think of possible workarounds.  However, since this is 
happening at a time that Declude isn't even running, it gets very tricky.

Unfortunately, it looks like there isn't much that we can do here.  There 
are some measures we could take that would help to some extent, but not 
enough to significantly reduce the problem.

In testing here on a server at 100% CPU usage, it could take over a full 
second from the time that SMTPD32.exe unlocked the Q*.SMD file (to be 
technical, renamed the T*.SMD file to Q*.SMD) until the time that 
Declude.exe was fully loaded (versus about 50ms at 0% CPU).  Normally, the 
time to start a process isn't a problem -- almost all of that 1 second of 
time is being used by other processes.  But there is a delay of about 1 
second where there isn't any chance for Declude to lock the Q*.SMD 
file.  During this time, the file is vulnerable to being stolen by queue 
management.

On a server with 86,400 E-mails/day (to make math easier, that's 1 per 
second), a server with 0% CPU and a 30-minute queue timer would have 48 
queue runs in a day, with about a 5% chance that any given queue run would 
steal an unprocessed E-mail.  At that rate, you aren't likely to notice any 
unprocessed E-mails.  But at 100% CPU usage, there's nearly a 100% chance 
that any queue run will steal at least one unprocessed E-mail.

The good news, though, is that this should be very easy for Ipswitch to 
fix.  Specifically, the function that they use to determine if there are 
any Q*.SMD files waiting to be re-tried includes the time that the file was 
created.  They can check to see if it is less than 10 minutes old; if so, 
they can skip that file.  Since 10 minutes is the minimum amount of time 
between queue runs, E-mail that was received in the past 10 minutes does 
not need to be re-tried.  If they are worried that it would take up to 20 
minutes for an E-mail to be re-tried for the first time when the queue 
timer was set to 10 minutes, they could make the check for 1 minute (giving 
Declude ample time to start, and ensuring that first re-tries are done 
within 11 minutes).

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.
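
The numbers and the proposed age check from Scott's explanation above, worked through in Python as an added example; it is not IMail or Declude code. The evenly spaced arrival model, the function names and the directory listing are assumptions made for the illustration.

```python
"""Model of the queue-run race and of the minimum-age guard proposed above."""
from fnmatch import fnmatchcase


def steal_chance_per_run(mails_per_sec, window_s):
    """Chance that a queue run starts while a new Q*.SMD file is unlocked.

    Assumes evenly spaced arrivals (the post's 1-per-second simplification):
    each mail is exposed for window_s seconds after SMTPD renames it.
    """
    return min(1.0, mails_per_sec * window_s)


def expected_stolen_per_day(mails_per_sec, window_s, queue_timer_min):
    """Average number of unprocessed mails picked up by queue runs per day."""
    runs_per_day = 24 * 60 / queue_timer_min
    # On average mails_per_sec * window_s files are exposed at any instant.
    return runs_per_day * mails_per_sec * window_s


def retry_candidates(listing, now, min_age_s=0.0):
    """Files a queue run would pick up.

    listing: iterable of (filename, created_epoch_seconds).
    min_age_s=0 models the behaviour described in the post; a positive value
    models the suggested fix of skipping files that were only just created.
    """
    picked = []
    for name, created in listing:
        if not fnmatchcase(name.upper(), "Q*.SMD"):
            continue  # T*.SMD: SMTPD has not renamed it yet
        if now - created < min_age_s:
            continue  # too new: the filter may not have locked it yet
        picked.append(name)
    return picked


def worst_case_first_retry_min(queue_timer_min, min_age_min):
    """A file just under the age limit at one run waits for the next run."""
    return queue_timer_min + min_age_min


# Constructed spool listing (file names are made up).
NOW = 1_000_000.0
SPOOL = [
    ("Qa1b2c3.SMD", NOW - 0.4),     # renamed 0.4 s ago, filter still loading
    ("Q0099ff.SMD", NOW - 1800.0),  # genuinely waiting for a retry
    ("Tdeadbe.SMD", NOW - 0.1),     # still being written by SMTPD
    ("Q77aa10.SMD", NOW - 59.0),    # just under one minute old
]

if __name__ == "__main__":
    for label, window in (("0% CPU", 0.050), ("100% CPU", 1.0)):
        chance = steal_chance_per_run(1.0, window)
        per_day = expected_stolen_per_day(1.0, window, 30)
        print(f"{label}: {chance:.0%} per run, about {per_day:.1f} mails/day")
    print("no guard   :", retry_candidates(SPOOL, NOW))
    print("1 min guard:", retry_candidates(SPOOL, NOW, min_age_s=60))
    print("first retry within", worst_case_first_retry_min(10, 1), "minutes")
```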



RE: [Declude.JunkMail] Finding reason for white list

2003-12-01 Thread Dave Marchette
I could be on the wrong track here but if you use the 'Whitelist To' function on your 
domain, then if a spammer sends an email to the user that is whitelist to'd, all other 
users that appear on the TO address line of that email will also receive the 
'Whitelist To' behavior. 

Example:  UserB is upset because he feels your anti-spam measures are restrictive and 
asks you to turn them off for just him.  You do this using 'Whitelist To [EMAIL PROTECTED]' 
in global.cfg.  A spammer then sends an email to [EMAIL PROTECTED], [EMAIL PROTECTED] 
and [EMAIL PROTECTED].  Normally, for example's sake, this spam would have 
been caught with a high weight.  
However, because of the 'Whitelist To', all three users (a, b, and c) will get the 
spam, and in the headers, you will see only 
'Whitelisted(0)'

Just a thought.  






-Original Message-
From: Keith Purtell [mailto:[EMAIL PROTECTED]
Sent: Monday, December 01, 2003 2:21 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Finding reason for white list


I've double-checked the logs for something like that; no luck. I'm mystified.

Keith Purtell, Web/Network Administrator
VantageMed Operations (Kansas City)

CONFIDENTIALITY NOTICE: This email message, including any attachments, is for the sole 
use of the
intended recipient(s) and may contain confidential and privileged information. Any 
unauthorized
review, use, disclosure or distribution is prohibited. If you are not the intended 
recipient, please
contact the sender by reply email and destroy all copies of the original message.


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
 Sent: Monday, December 01, 2003 2:07 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.JunkMail] Finding reason for white list



 Recently we got much spam from one source. When I examined the headers to
 find out why, all indicated the items had been white listed. I have three
 methods of white listing: from (full address or domain), to (recipients who
 want everything) and anywhere (about 20 special text strings). So I began
 checking each but couldn't find a match between the spam samples and my
 white lists. I suspected it was one of the white list entries in my
 global.cfg file because the weight was always zero, but that theory didn't
 bear fruit either. If this has been asked before I don't remember seeing
 it: How can I find out exactly what Declude used to white list an email?

 There should be a log file entry that has the text that was used to
 whitelist the E-mail (such as E-mail whitelisted - automatically passing
 all spam tests [EMAIL PROTECTED], where [EMAIL PROTECTED] was the text
 used to whitelist the E-mail).

 -Scott




RE: [Declude.JunkMail] Finding reason for white list

2003-12-01 Thread Dave Marchette
I wonder how that feature reacts with a BCC?



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Keith Purtell
Sent: Monday, December 01, 2003 3:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Finding reason for white list


True. However, in the case of the samples I'm looking at, each was addressed to only 
one user.

Keith Purtell, Web/Network Administrator
VantageMed Operations (Kansas City)

CONFIDENTIALITY NOTICE: This email message, including any attachments, is for the sole 
use of the intended recipient(s) and may contain confidential and privileged 
information. Any unauthorized review, use, disclosure or distribution is prohibited. 
If you are not the intended recipient, please contact the sender by reply email and 
destroy all copies of the original message.


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Dave Marchette
 Sent: Monday, December 01, 2003 5:07 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.JunkMail] Finding reason for white list
 
 
 I could be on the wrong track here but if you use the 
 'Whitelist To' function on your domain, then if a spammer 
 sends an email to the user that is whitelist to'd, all other 
 users that appear on the TO address line of that email will 
 also receive the 'Whitelist To' behavior. 
 
 Example:  UserB is upset because he feels your anti-spam 
 measures are restrictive and asks you to turn them off for 
 just him.  You do this using 'Whitelist To [EMAIL PROTECTED]' 
 in global.cfg.  A spammer then sends an email to 
 [EMAIL PROTECTED], [EMAIL PROTECTED] and [EMAIL PROTECTED]  
 Normally, for example's sake, this spam would have been 
 caught with a high weight.   
 However, because of the 'Whitelist To', all three users (a, b,
 and c) will get the spam, and in the headers, you will see only 
 'Whitelisted(0)'
 
 Just a thought.  
 
 
 
 
 
 
 -Original Message-
 From: Keith Purtell [mailto:[EMAIL PROTECTED]
 Sent: Monday, December 01, 2003 2:21 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.JunkMail] Finding reason for white list
 
 
 I've double-checked the logs for something like that; no 
 luck. I'm mystified.
 
 Keith Purtell, Web/Network Administrator
 VantageMed Operations (Kansas City)
 
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
  Sent: Monday, December 01, 2003 2:07 PM
  To: [EMAIL PROTECTED]
  Subject: Re: [Declude.JunkMail] Finding reason for white list
 
 
 
  Recently we got much spam from one source. When I examined the headers to
  find out why, all indicated the items had been white listed. I have three
  methods of white listing: from (full address or domain), to (recipients who
  want everything) and anywhere (about 20 special text strings). So I began
  checking each but couldn't find a match between the spam samples and my
  white lists. I suspected it was one of the white list entries in my
  global.cfg file because the weight was always zero, but that theory didn't
  bear fruit either. If this has been asked before I don't remember seeing it:
  How can I find out exactly what Declude used to white list an email?
 
  There should be a log file entry that has the text that was used to
  whitelist the E-mail (such as E-mail whitelisted - automatically passing
  all spam tests [EMAIL PROTECTED], where [EMAIL PROTECTED] was the text
  used to whitelist the E-mail).
 
  -Scott
 
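An added example, not part of the thread and not Declude's own code: a small Python model of the three whitelist kinds Keith lists (from, to, anywhere) that reports which entry would whitelist a given message, including the 'Whitelist To' spillover Dave describes. The dict layout, the addresses and the matching rules are assumptions of this sketch, not Declude's global.cfg syntax or matching logic.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed whitelist modelled on the three kinds named in the thread.
# The layout is this example's own, not Declude's configuration syntax.
WHITELIST = {
    "from": ["partner.example"],        # full address or domain
    "to": ["userb@example.com"],        # recipients who want everything
    "anywhere": ["invoice-ref-7731"],   # special text strings
}

def explain_whitelist(raw, whitelist=WHITELIST):
    """Return every (kind, entry, detail) that would whitelist this message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    rcpts = [addr.lower() for _, addr in getaddresses(headers)]
    hits = []
    for entry in whitelist["from"]:
        e = entry.lower()
        if sender == e or sender.endswith("@" + e):
            hits.append(("from", entry, sender))
    for entry in whitelist["to"]:
        e = entry.lower()
        if e in rcpts:
            # Assumed message-level decision: the other recipients ride along.
            hits.append(("to", entry, [r for r in rcpts if r != e]))
    for entry in whitelist["anywhere"]:
        if entry.lower() in raw.lower():
            hits.append(("anywhere", entry, None))
    return hits

# Constructed sample: one spam message addressed to three local users.
SAMPLE = """\
From: promo@bulk.example
To: usera@example.com, userb@example.com, userc@example.com
Subject: Limited offer

Buy now.
"""

if __name__ == "__main__":
    for kind, entry, detail in explain_whitelist(SAMPLE):
        print(kind, entry, detail)
```

The model reads only the To and Cc headers, so it says nothing about BCC recipients, which appear only in the SMTP envelope.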


RE: [Declude.JunkMail] Spam lists

2003-09-25 Thread Dave Marchette
Sawmill seems enthusiastic to make custom changes to their Imail log module, based on 
customers' needs.  They have indicated this on both the Declude and Imail log modules.



-Original Message-
From: John Tolmachoff (Lists) [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 25, 2003 5:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Spam lists


 Everybody's experiences with spam tests, including DNS based tests, are going
 to be different.  Why be so hesitant to try a test to see how it works for
 you?  Simply set up the test in your global.cfg and set the action to IGNORE
 or LOG, that way you can evaluate the test results without impacting your
 customers or your e-mail flow.

That is provided you have the time to review the logs. ;-)

Which brings me to my quest in search of a log analyzer that can be
configured to create a report on AND. Example, Find all that fail test1 AND
test2. Show subject line, from and to.

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com




RE: [Declude.JunkMail] WHITELIST suddenly not working?

2003-07-25 Thread Dave Marchette
Yes.  If you are referring to Global config file WHITELIST entries, if you exceed the 
max number (depends on version) then you will experience inconsistent results.  Use the 
Whitelist file instead, as it is apparently unlimited.


-Original Message-
From: Mike Robbins [mailto:[EMAIL PROTECTED]
Sent: Friday, July 25, 2003 10:44 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] WHITELIST suddenly not working?


Has this happened to anyone where the WHITELIST stops working and your spamtrap 
catches messages from domains or IPs that are listed on the WHITELIST?

Thanks