[Declude.JunkMail] ***DECLUDE NO-AUTHENTICATION KEY***

2013-04-17 Thread Matt
It seems clear at this point that the failure of Declude's licensing
system is causing widespread havoc for their customers, and they are not
responding to support issues, or any issues at all, and that they are in
fact out of business.  Therefore I am going to share the key that allows
Declude to operate without authentication.  This key will not allow
either AVG or Commtouch Zero Hour to work, but it will allow Declude to
process email with filters and other add-ons.

The key goes in your Declude.cfg file and it requires a restart. This is
the same key that was shared, but I am changing the subject in order to
highlight that the code is in here:

 CODE28607230-BF21-4CDE-A59B-A451CC7C9CA0

My recommendation is to configure both Sniffer (convert your license
with Pete if it was bound to Declude) and ClamAV so that you have virus
protection.

Matt



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.



[Declude.JunkMail] ClamAV with Declude

2013-04-17 Thread Matt
I'm going to share some old information from 2009 that I put together
for integrating ClamAV.  Note that I cannot confirm at this moment
whether these directions are perfectly accurate for the most recent code
available, so please update this if you find issues. _Please also pay
close attention to any reference to directory paths and adjust
accordingly_.  Do not run a file system scanner on the ClamAV directory.

Although Sniffer does a good job on viruses, there is nothing out there
that is perfect, and every system will benefit from having a virus
scanner, or several as a matter of fact.  There are just too many
viruses out there, and they change so rapidly, that you need to cover as
many angles as possible.  There are additional add-ons for ClamAV that
will do this internally which are updated by individuals and companies
to cover things that the stock virus scanner won't. The instructions for
doing this are not included here, and I am not an expert in their
integration.

Matt



Abridged directions for a standard install.

 1) You need 7zip installed (http://www.7-zip.org/), and to open
files in 7zip, you open the file manager and double click the 7z or ZIP
files.

 2) Download the Current Stable code from
http://oss.netfarm.it/clamav/.  For Windows 32bit, it would be
clamav-win32-0.94.2.7z.

 3) Create a directory structure with C:\ClamAV and also create a
sub-directory of C:\ClamAV\DB.  Put the files from the above 7z file into
C:\ClamAV.

 4) Run C:\ClamAV\clamav.reg to put some directory entries into the
registry.  These are by default pointing to the directory structure that
I am using.

 5) From a command prompt run:

 C:\ClamAV\clamd --install

This will install the ClamWin Free Antivirus Scanner Service.  You then
want to edit the service properties to start automatically, and set your
recovery options to restart the service.

 6) From a command prompt run:

 C:\ClamAV\freshclam.exe --datadir=C:\ClamAV\DB --daemon-notify

This will download the latest definitions and let the service know to
reload them if new ones are found.  You want to schedule a task to run
this every 15 minutes (there is virtually no load if no updates are
available).  There is no need to install freshclam as a service.

 7) Download the ClamAV GUI Wrapper from
http://oss.netfarm.it/clamav/.  You only need one file from this zip,
ClamAV-GUI.exe, and you want to place that in C:\ClamAV.  This is a
simple GUI for scanning files and directories and can be useful. You can
create a short-cut for it if you want.

 8) Configure Declude for ClamAV with the following (it is probably
best to have this as the first scanner since it is the fastest):

 SCANFILE1  C:\ClamAV\ClamDScan.exe --quiet --no-summary -l report.txt
 VIRUSCODE1 1
 REPORT1.

 9) Check your virus logs for Virus scanner 1 reports in order to
verify that it is running.


Note, if you want to use a non-default location, you will need to change
the location in the following three things (don't quote me on this)

 1) clamav.reg
 2) clamd.conf
 3) The freshclam.exe --datadir argument




Re: [Declude.JunkMail] No one at Declude?

2013-04-13 Thread Matt
Pete,

There is such a thing.  I lobbied Dave for this back when they went to a
subscription model.  It was for select users that had the lifetime
licenses that were concerned about the authentication servers.  I can't
say for sure that this doesn't deal with their servers at all (I hope
not).  Maybe Dave can verify this.  I'm willing to share the details of
this once I am more certain that Declude is completely done.  This
license will not allow for AVG or Commtouch updates, but it will allow
Declude to operate without validation as far as I know.

Matt



On 4/10/2013 6:16 PM, Pete McNeil wrote:
 On 2013-04-10 16:21, John Dobbin wrote:
 With all the discussion recently about Declude going down, my concern is 
 more with what happens if/when the licensing server goes away?
 I don't recall where, but I heard a rumor that there was a forever
 license code somewhere for Declude.
 Anybody know anything about that? If Declude just evaporates without
 saying another word that would be a good thing to have.

 _M








Re: [Declude.JunkMail] Android Yahoo Mail app spam

2012-07-06 Thread Matt
Spammers know how to vary their headers, some more than others, and it
appears that they are also using the signature merely to take advantage
of Bayesian filtering weaknesses.  As a Declude user, if you had no
issues before this campaign, you probably will continue to have no
issues, and if you had issues before, you will still have them.  Surely
whatever you see as repeating will surely change in a matter of hours or
days.  The only reason why this made news is because someone mistakenly
suggested that the messages were coming from Androids when in fact they
are not.

 Google says spam emails not coming from Android botnets
http://www.networkworld.com/news/2012/070512-spammers-have-started-using-android-260693.html?hpg1=bn

Move on, there's nothing to see here
(http://www.youtube.com/watch?v=5NNOrp_83RU).

Matt



On 7/6/2012 1:55 PM, John Dobbin wrote:

 After review of my samples, the message ID is not consistent so it
 would be a poor criteria.  I’ve added a body filter to add weight for
 the yahoo via android text at the end of each message, but not enough
 to block by itself and let the rest of the rules add weight to
 quarantine.  This seems to be working well enough at the moment.
 Andrew’s assessment questioning the author of the article appears to
 be dead on.

 Thanks

 John Dobbin
 Pen Publishing Interactive - http://www.penpublishing.com


 *From:*David Barker [mailto:dbar...@declude.com]
 *Sent:* Friday, July 06, 2012 11:51 AM
 *To:* Declude.JunkMail@declude.com
 *Subject:* RE: [Declude.JunkMail] Android Yahoo Mail app spam

 To clarify the message ID is always exactly the same or is similar too ?

 Message-ID: 1341147286.19774.androidmob...@web140302.mail.bf1.yahoo.com

 *From:* John Dobbin [mailto:jo...@penpublishing.com]
 *Sent:* Thursday, July 05, 2012 4:28 PM
 *To:* Declude.JunkMail@declude.com
 *Subject:* [Declude.JunkMail] Android Yahoo Mail app spam

 http://www.networkworld.com/community/blog/android-botnet-army-spouting-spam-yahoo-mail-app?source=NWWNLE_nlt_daily_pm_2012-07-05

 The spam messages share two similarities, Zink, who discovered the
 botnet, explained in a blog post
 http://blogs.msdn.com/b/tzink/archive/2012/07/03/spam-from-an-android-botnet.aspx.
 First, each message closes with the signature *Sent from Yahoo! Mail
 on Android.* Secondly, they all share a message ID that reads:

 Message-ID: 1341147286.19774.androidmob...@web140302.mail.bf1.yahoo.com

 Is there a preferred way to look for the message header?  This way,
 these can be scored high enough to delete.  We’re seeing large amounts
 of these the last week.

 Thanks

 John Dobbin
 Pen Publishing Interactive - http://www.penpublishing.com









Re: [Declude.JunkMail] Performance issues with SM 8.2 w Declude

2011-09-27 Thread Matt
I'm not sure why everyone just wants to throw RAM at the thing.  Using
10 GB of memory with an unspecified number of active webmail users could
be reasonable in some cases, and totally unreasonable in others.
Certainly SmarterMail may have some leaking issues in IIS/.Net that
memory won't do much to fix.

I would suggest at least offering how many logged in users you have at
peak times, and how many accounts there are.  I would also use something
like Process Explorer to verify what process is hogging all of the
memory.  I would guess it is IIS and that there is some sort of .Net
issue that exposes itself mostly under heavier load.

I do have a client that has about 2,000 mostly webmail users who are
pretty active with hundreds of GB's of mail in the accounts, and I have
heard of no such issues with SM 8.x.  They are Windows 2003 with 4 GB of
memory and I think 4 cores, but they have a pretty fast RAID array.

Regarding VMware, never short the server on disk I/O.  You will see all
sorts of CPU issues once the server gets backed up on disk and it falls
apart pretty quickly after that.  In Process Explorer running on the
guest, if you see regular spikes in Hardware Interrupts CPU utilization,
that says you don't have enough disk I/O.  Regularly seeing more than
10% for that would indicate an issue that needs attention.

Matt



On 9/26/2011 3:14 PM, Nick Hayer wrote:
 I have it on a VM - vmware 4.1 - no issues at all.  Why not just PTV
 it now - give it more ram and processors in the migration and see what
 happens?

 -Nick

 *MadRiverAccess.com**|**Skywaves.com Tech Support*
 US/Canada 877-873-6482 or International +1-802-229-6574
 Emergency Support 24/7: supp...@skywaves.net
 General and Non-Emergency support ticket:
 https://www.skywaves.com/content/secure/support_ticket.htm



 
 *From*: Scott Fosseen [Prairie Lakes AEA] sfoss...@aea8.k12.ia.us
 *Sent*: Monday, September 26, 2011 3:08 PM
 *To*: Declude.JunkMail@declude.com
 *Subject*: Re: [Declude.JunkMail] Performance issues with SM 8.2 w Declude


 Running Win 2003 Standard on 32 bit hardware. I am going to bump the RAM up
 to 4 Gb tonight to see if that helps. I should say what I am seeing is that
 the SM Web interface becomes unresponsive at times. I have been unable to
 correlate the unresponsive interface with specific high CPU or Memory use
 though.

 I have been planning on installing a new Win 2K8 64 bit OS to migrate SM to.
 Is there any issues or suggestions on setting this up as a Virtual machine
 in a VMware environment?

 --
 From: Randy A ra...@globalweb.us
 Sent: Monday, September 26, 2011 1:47 PM
 To: Declude.JunkMail@declude.com
 Subject: RE: [Declude.JunkMail] Performance issues with SM 8.2 w Declude

  Which version of Windows server are you running? That will be important
  also as, for example, WIN Server 2003 Standard only allows a max of 4GB
  RAM, while WIN Server 2003 Enterprise has a 64GB limit
  -Original Message-
  From: Scott Fosseen [Prairie Lakes AEA] [mailto:sfoss...@aea8.k12.ia.us]
  Sent: Monday, September 26, 2011 11:44 AM
  To: Declude.JunkMail@declude.com
  Subject: [Declude.JunkMail] Performance issues with SM 8.2 w Declude
 
  I am starting to have some serious performance issues since I upgraded to
  SM 8.2. Although I can not be for sure that it is due to the upgrade as
  usage has also increased with added clients and the start of school. The
  big issue is that the web interface becomes unresponsive for up to about 5
  minutes. The machine has 2 Gig of RAM, and a swap file of 5.5 Gig. In
  Windows task manager I see my peak memory usage is now 10 gig.

  Right now I am not sure if the performance issues are being caused by RAM,
  too much traffic, Smartermail, or Declude.







[Declude.JunkMail]

2011-06-21 Thread Matt Robertson
http://danjacoby.de/modules/Search/life.html




[Declude.JunkMail] SmarterMail's webmail blocked by Microsoft's Smartscreen filter.

2010-11-04 Thread Matt
Just an FYI, Microsoft generically blocked at least version 5 and 6 of 
SmarterMail's webmail.  This isn't domain based, but path based.  Don't 
bother reporting it or trying to fix this yourself as this affects a ton 
of people.


Matt



---
[This E-mail was scanned by Declude]





Re: [Declude.JunkMail] Regex to block this?

2010-07-23 Thread Matt
I strongly suggest not doing this exact test.  Scott's is more refined, 
however it's still not refined enough to not have false positives.


This spammer is better caught by his boundary, for example:

Content-type: multipart/alternative; 
boundary=_NextPart_Njg3YmQ3N2JiYzdlZGU3YzZlZmFhY2NhNGQwOWU2MTY_


You need to target the _NextPart_ along with a long string of letters 
and numbers (and without underscores in between).  For instance, you 
would search the headers for the following:


(?i:boundary=_NextPart_[a-z0-9]{20,}_)

The bad news is that this particular spammer has changed their pattern 
twice in the last two months after being fixed for over a year, so this 
detection will likely be short-lived as the spammer is figuring out how 
to randomize.  This spammer accounts for about 7% of all E-mail that 
makes it to my deep scanning layer.  Sniffer seems to miss a good deal 
of their spam, so there isn't much protection from it otherwise.


Matt



On 7/20/2010 11:42 AM, Dave Beckstrom wrote:

Thanks.   David's regex worked well.  I'll give the fine tuning a try.

Also, all of this spammer's domains are in DNS servers ns1.domainsite.com -
ns4.domainsite.com.



   

I might fine tune it a bit.
I've only seen length 37 and 38 characters after the tld
It is only lower case hex codes so you can exclude (g-z)
I've seen lots of .info and a few .nets as additional tld.
Very active spammer here

(?i:href=.+\.(com|info|net)/[a-f0-9]{37,38})

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave
Beckstrom
Sent: Tuesday, July 20, 2010 8:00 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Regex to block this?


I'm getting hit by one spammer who manages to get through most of my
filters.  His spam consistently uses the format of:

a href=http://gcc128.blinksroads.com/5768cbbeb6bba86c3157116a6de8e54b31dab5;

img src=http://gcc128.blinksroads.com/images/157286c08.jpg;

How would I write a regex that would look for .com/  followed by a string of
garbage with no .htm or other web extension on the end?
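
The two tests discussed in this thread, run against the sample lines quoted above plus a few constructed legitimate lines, to show where each one fires (an added example, not code from any poster). `HREF_STRICT_RE`, the optional quote in `BOUNDARY_RE`, and every `example.com` line are assumptions introduced here.

```python
import re

# David's tuned body pattern, copied unchanged from the thread.
HREF_RE = re.compile(r"(?i:href=.+\.(com|info|net)/[a-f0-9]{37,38})")

# Added variant (not from the thread): the hex run must be the whole path,
# so a longer token, or a token followed by an extension, is not a hit.
HREF_STRICT_RE = re.compile(
    r'(?i:href="?https?://[^/\s"]+\.(?:com|info|net)/'
    r"[a-f0-9]{37,38}(?![a-z0-9._/-]))"
)

# Matt's header test with the character class in brackets. A group such as
# (a-z0-9) would only match the literal text "a-z0-9". The optional quote is
# an assumption: the archived header is shown without quotes.
BOUNDARY_RE = re.compile(r'(?i:boundary="?_NextPart_[a-z0-9]{20,}_)')

TESTS = {"HREF": HREF_RE, "HREF_STRICT": HREF_STRICT_RE, "BOUNDARY": BOUNDARY_RE}

# Lines as they appear in the archived thread.
SPAM_SAMPLES = [
    "href=http://gcc128.blinksroads.com/5768cbbeb6bba86c3157116a6de8e54b31dab5;",
    "img src=http://gcc128.blinksroads.com/images/157286c08.jpg;",
    "Content-type: multipart/alternative; "
    "boundary=_NextPart_Njg3YmQ3N2JiYzdlZGU3YzZlZmFhY2NhNGQwOWU2MTY_",
]

# Constructed lines standing in for legitimate mail (not from the thread).
BENIGN_SAMPLES = [
    # 40-character hex file name directly under the host
    'href="http://downloads.example.com/'
    'da39a3ee5e6b4b0d3255bfef95601890afd80709.zip"',
    "href=http://www.example.com/index.htm",
    # boundary with underscores between short tokens
    'Content-Type: multipart/alternative; '
    'boundary="----=_NextPart_000_0012_01CB2A3B.4C5D6E70"',
    'Content-Type: multipart/mixed; boundary="_NextPart_000_0012_01CB2A3B"',
]


def hits(line):
    """Names of the tests that fire on one header or body line."""
    return sorted(name for name, rx in TESTS.items() if rx.search(line))


def false_positives(test_name):
    """Constructed benign samples that the named test would add weight to."""
    return [s for s in BENIGN_SAMPLES if test_name in hits(s)]


if __name__ == "__main__":
    for sample in SPAM_SAMPLES + BENIGN_SAMPLES:
        print(hits(sample) or ["-"], sample[:72])
    for name in TESTS:
        print(name, "false positives:", len(false_positives(name)))
```

Because `{37,38}` in the original body pattern is not anchored at the end of the path, any longer hex file name also matches, which is one reason to weight the test rather than block on it alone.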











Re: [Declude.JunkMail] Regex to block this?

2010-07-23 Thread Matt

Pete,

Will do.  I call this spammer Whitestone, but there is another very 
prolific spammer that also has the same volume named BlooSky Interactive 
(real company name) that is also frequently missed.  I'm guessing that 
they aren't landing in spam traps to the same degree as some others, or 
your rules trail far enough behind that their constant supply of domains 
and IP's are avoiding detection early on in campaigns.


I have a personal account that is hardly used which gets hit by both.  
This account is sent around 350 spams per day, probably around 50 to 75 
of which come from the two named above.  The problem with Whitestone is 
that they recently started changing their construction.  Here is the 
former linking pattern which you will probably recognize:


http://igw197.adtranslate.com/25_2_6966868_7B3431155618.htm
http://fy238.employedreas.com/934_2_338710_649866459330.htm
http://hbo5.personnelcha.com/32_2_7700225_5D5C3538530.htm

The new linking pattern is like so:


http://mail.latrecultradatabase.net/5767cb88bdaeba8b31221108277c5693307034

http://mail.eqxosuperiorweb.net/4656ba77ac9da9c7314012dd52c007874f85f5

http://mail.eqxoexpertsolutions.net/5767cb88bdaeba6d313518f54ac7ba8f750287


I believe they may actually have two different header patterns now, one 
randomized, and the other one with that NextPart boundary, though I 
can't say for sure if they are the same spammer or not.


BlooSky Interactive has the following linking pattern (though it is 
obfuscated and therefore not reliable to track):


http://bnqjy.fumblingmetal.info/pfjc/jnmqn/fjr/
http://smhg.thelincolnfield.com/yhdmy/nywcvpchyt/
http://dmyjyo.jollyevent.info/fjrhz/mqstjr/

Matt




On 7/23/2010 3:05 PM, Pete McNeil wrote:


On 7/23/2010 2:29 PM, Matt wrote:
This spammer accounts for about 7% of all E-mail that makes it to my 
deep scanning layer.  Sniffer seems to miss a good deal of their 
spam, so there isn't much protection from it otherwise. 


Matt -- Is it possible for you to zip up some samples from this guy 
and send them to me? I would like to do a deeper analysis of the 
things we've missed from them to see how we can improve our capture 
rate and understand how the normal process might be improved.


Thanks!

_M






Re: [Declude.JunkMail] Regex to block this?

2010-07-23 Thread Matt
I guess my point here is that they are both very high volume spammers, 
and they both randomize sufficiently so that blocking them requires 
blocking their domains and having the samples available, but putting in 
proactive rules will only last a short time.  What Sniffer may need is a 
better source of this spam.  Between the two, I believe I am getting 
about 15,000 each day.


Matt



On 7/23/2010 8:00 PM, Pete McNeil wrote:


On 7/23/2010 6:37 PM, Matt wrote:

Pete,

Will do.  I call this spammer Whitestone,


Much appreciated. I'll take a closer look with the team to see what we 
can do to close these guys down better.


Thanks!

_M






Re: [Declude.JunkMail] We have opened up truncate.gbudb.net

2010-04-30 Thread Matt
Is the result code really 127.0.0.1?  That is totally non-standard.  It 
should be 127.0.0.2 or higher.


Matt


On 4/30/2010 11:31 AM, Nick Hayer wrote:
you can test the bl directly with nslookup, to see what Declude is 
doing turn on debug log level.



*MadRiverAccess.com**|**Skywaves.com Tech Support*
US/Canada 877-873-6482 or International +1-802-229-6574
Emergency Support 24/7: supp...@skywaves.net
General and Non-Emergency support ticket:
https://www.skywaves.com/content/secure/support_ticket.htm




*From*: Michael Cummins mich...@i-magery.com
*Sent*: Friday, April 30, 2010 11:20 AM
*To*: declude.junkmail@declude.com
*Subject*: RE: [Declude.JunkMail] We have opened up truncate.gbudb.net

That's odd.  This is what I already configured it for on my first guess:

TRUNCATE-GBUDB  IP4Rtruncate.gbudb.net
127.0.0.120


But I haven't gotten any hits yet.

Is there any way to test this from a command prompt, like you can with 
the invaluement RBLs and nslookup?


- Michael Cummins

*From:* supp...@declude.com [mailto:supp...@declude.com] *On Behalf Of 
*Nick Hayer

*Sent:* Friday, April 30, 2010 11:00 AM
*To:* declude.junkmail@declude.com
*Subject:* RE: [Declude.JunkMail] We have opened up truncate.gbudb.net

here ya go

IP4R.GBUBD   ip4r   truncate.gbudb.net   127.0.0.1   9   0

Above scores a 9 on a hit..

-Nick

*MadRiverAccess.com**|**Skywaves.com Tech Support*
US/Canada 877-873-6482 or International +1-802-229-6574
Emergency Support 24/7: supp...@skywaves.net
General and Non-Emergency support ticket:
https://www.skywaves.com/content/secure/support_ticket.htm



*From*: Michael Cummins mich...@i-magery.com
*Sent*: Friday, April 30, 2010 9:36 AM
*To*: declude.junkmail@declude.com
*Subject*: RE: [Declude.JunkMail] We have opened up truncate.gbudb.net


I don't think I set it up properly as an ip4r test in Declude.

What would the line look like, if written properly?

Thanks for your time and effort.

-- Michael Cummins



-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Thursday, April 29, 2010 5:06 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] We have opened up truncate.gbudb.net

Hi Declude folks,

We have been testing a blacklist based on real-time GBUdb data
(generated from Message Sniffer).

We have decided to experiment with opening up the blacklist for a wider
audience and so as of now you can use truncate.gbudb.net as an ip4r test.

You should get a result of 127.0.0.1 if the IP is well into the truncate
range -- That is: truncate.gbudb.net is designed to be
ultra-conservative so that it should be safe to reject connections based
on the test in most cases. This also means that it won't block
everything -- only the worst of the worst. That said, the folks who have
been testing it have reported that it did drop a significant amount of
traffic from their systems on average.

Please keep us all posted about how it's working for you.

Thanks,

_M




Re: [Declude.JunkMail] We have opened up truncate.gbudb.net

2010-04-30 Thread Matt

Pete,

Now would be the best time to change this one as there are clearly only 
a handful using it.  I'm not sure that I am aware of any other 
blacklist, and certainly no blacklist that I use, which employs the 
127.0.0.1 result code.  I'm not 100% sure of the reason for stepping up 
to 127.0.0.2, but I'm sure it has something to do with localhost, and 
maybe there would be compatibility issues somewhere.


Matt




On 4/30/2010 1:17 PM, Andy Schmidt wrote:


It is -- and I agree with you!

*From:* supp...@declude.com [mailto:supp...@declude.com] *On Behalf Of 
*Matt

*Sent:* Friday, April 30, 2010 12:53 PM
*To:* declude.junkmail@declude.com
*Subject:* Re: [Declude.JunkMail] We have opened up truncate.gbudb.net

Is the result code really 127.0.0.1?  That is totally non-standard.  
It should be 127.0.0.2 or higher.


Matt



Re: [Declude.JunkMail] We have opened up truncate.gbudb.net

2010-04-30 Thread Matt

There aren't that many RFC hawks around here these days :)

Matt



On 4/30/2010 1:48 PM, Pete McNeil wrote:
So it is by convention that the result code would be 127.0.0.2 -- not 
a rule.
I have no problem with this... I will make the change... better to do 
it now than later.

Odd that nobody complained about it before.

I will post another note when the change is made.
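
How an ip4r test like the one in this thread resolves, and what happens to a test line pinned to 127.0.0.1 once the zone answers 127.0.0.2 (an added example, not code from Declude or Message Sniffer). The field meanings of the test line are assumed from the thread, and the listed address and zone answers are constructed so the example runs without DNS.

```python
import ipaddress
import socket

# Test line as posted in the thread. Field meanings are assumed from the
# discussion: name, type, zone, expected result code, weight on a hit.
DECLUDE_LINE = "IP4R.GBUBD   ip4r   truncate.gbudb.net   127.0.0.1   9   0"

LISTED_IP = "192.0.2.25"  # constructed: documentation address range


def parse_ip4r_line(line):
    """Pull zone, expected code and weight out of an ip4r test line."""
    name, kind, zone, code, weight = line.split()[:5]
    if kind.lower() != "ip4r":
        raise ValueError("not an ip4r test line")
    ipaddress.IPv4Address(code)  # raises ValueError on a malformed code
    return {"name": name, "zone": zone, "code": code, "weight": int(weight)}


def dnsbl_query_name(ip, zone):
    """192.0.2.25 in zone z becomes 25.2.0.192.z (octets reversed)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def system_resolver(name):
    """Real lookup: the A record as text, or None when the name is absent."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def evaluate(test, ip, resolver=system_resolver):
    """Return (status, weight added) for one connecting IP."""
    answer = resolver(dnsbl_query_name(ip, test["zone"]))
    if answer is None:
        return ("not listed", 0)
    # An answer outside 127.0.0.0/8 is not a list result; it usually means
    # the resolver rewrites failed lookups or the zone is wildcarded.
    if ipaddress.IPv4Address(answer) not in ipaddress.IPv4Network("127.0.0.0/8"):
        return ("invalid answer", 0)
    if answer == test["code"]:
        return ("hit", test["weight"])
    # Listed, but the configured code no longer matches: the test is silent.
    return ("listed, code mismatch", 0)


def constructed_zone(zone, listed_ip, code):
    """Offline stand-in for the zone: one listed IP answering with `code`."""
    records = {dnsbl_query_name(listed_ip, zone): code}
    return records.get


if __name__ == "__main__":
    test = parse_ip4r_line(DECLUDE_LINE)
    before = constructed_zone(test["zone"], LISTED_IP, "127.0.0.1")
    after = constructed_zone(test["zone"], LISTED_IP, "127.0.0.2")
    print(dnsbl_query_name(LISTED_IP, test["zone"]))
    print("before change:", evaluate(test, LISTED_IP, before))
    print("after change: ", evaluate(test, LISTED_IP, after))
```

Calling `evaluate(test, ip)` without a resolver argument performs a real lookup, which is the scripted equivalent of the nslookup check mentioned in the thread.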







Re: [Declude.JunkMail] multistage filtering [OT]

2010-02-10 Thread Matt

It's definitely Alligate for this purpose.

Instead of using something like Postfix or IMgate which will mostly 
replicate functionality found in Declude, Alligate will end up blocking 
things using unique functionality and it runs on Windows and uses very 
little CPU.


The two main features of Alligate as a pre-scanning gateway are the 
selective greylisting functionality, where it will greylist senders only 
if they appear that they might be zombies (since greylisting is really 
only effective against zombie spam), and the other is the internal 
MXRate blacklist.


I rarely block messages with permanent errors with Alligate, but by 
greylisting effectively, you can avoid having 95% of your E-mail traffic 
hit your second layer of scanning.  It also does so selectively so that 
your legitimate E-mail will rarely hit it and cause any issues.


Matt



Bonno Bloksma wrote:

Hi,
 
With the amount of spam I have to throw away each day now reaching 
consistent levels of over 90%... I can of course get an even faster 
mailserver but I think I would be better off with an extra smtp server 
in front of my mailserver which filters the most blatant spam mail 
purely based on session info. What passes that server can go on to my 
IMail server and have more content-based filtering using Declude, 
Sniffer, InvURIBL etc.
 
What would be a good first step server? I have experience with 
(Debian) Linux so a Linux based solution is no problem.
 
Kind regards,

Bonno Bloksma
senior system administrator

tio
hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
b.blok...@tio.nl / www.tio.nl




Re: [Declude.JunkMail] PowerMTA

2010-01-13 Thread Matt

Dave,

A lot of the largest static spammer organizations use this software, but 
unfortunately a good number of fully legitimate companies use it also.  
PowerMTA also allows for full customization of the header formatting and 
many spammers edit this to be nondescript as well.  I would guess that 
maybe 30% of static spam (where the spammer uses leased/owned IP space) 
utilizes PowerMTA.


I personally use some extensive filtering to categorize E-mail into bulk 
(anything sent in volume or automated) and personal E-mail (stuff sent 
by an E-mail/webmail client), and then I set my weighting tolerances 
differently as obviously stuff that isn't clearly non-forged personal 
E-mail is where the spam is.  Weighting PowerMTA more aggressively, 
though not blocking it outright is a start in that direction, but only 
part of the solution unless you wish to block some legitimate stuff as well.


Matt



Dave Beckstrom wrote:

I'm seeing a lot of spam with this in the headers:

PowerMTA(TM) v3.0c2


Is powerMTA mainly a spam tool or do legitimate mailers use it too? Just
trying to decide if I can add some weight if that header exists.

Also of late I'm seeing a lot of spam containing ssl in part of the domain
name:

Return-Path: nore...@realnightlywork.com Wed Jan 13 15:03:22 2010
Received: from ssl.realnightlywork.com [173.45.68.45] by

Anyone adding weight if the domain contains ssl?








Re: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes

2009-11-05 Thread Matt

Andy,

One important thing of note here is that the first 5 examples you gave 
are in fact forged headers, and the information contained within them is 
fake and not at all useful.  While I don't expect Declude to figure out 
that these are forged Received headers, one shouldn't worry about how 
they are parsed as they can be malformed anyway (as was the case in 
several examples shown).


As a good rule of thumb, you de-fold the entire Received header and then 
take the data in between the FROM and the BY/WITH/FOR or the end of the 
header, whichever appears first, and then take the last bracketed IP 
value.  If you can't find a bracketed IP value, you should take the last 
IP shown (which won't be perfect, but this would not be RFC compliant 
anyway).


I would guess that this would take a programmer maybe an hour to code up 
and test.


Matt




Andy Schmidt wrote:


Hi Dave, just sent you a zip file - hope it made it past your virus check.

 

It has a few interesting cases to see if your new code picks up the 
CORRECT IP address. Always picking the first or the last IP 
address is not at all necessarily reliable.


 


Received: from unknown (HELO 192.168.10.1) (72.167.113.99)

  by k2smtpout02-01.prod.mesa1.secureserver.net (64.202.189.90) with 
ESMTP; 04 Nov 2009 08:29:08 -


 

Received: from 58.92.178.208 ([208.178.92.58]) by 
smtp.webhost.hm-software.com with Microsoft SMTPSVC(5.0.2195.6713);


 Mon, 2 Nov 2009 10:43:37 -0500

 


Received: from admd.net ([:::187.3.43.120])

  (AUTH: LOGIN audito...@vazemaia.com.br)

  by mail4.task.com.br with esmtp; Wed, 04 Nov 2009 01:53:07 -0200

  id 006788A4.4AF0FAA3.242C

 


Received: from  (])

  by mx1.businessprocessware.com [66.232.102.164] 
(8.13.8/8.13.8) STMP id mzqbrzhqqbq;


  for jul...@websterwatch.com; Wed, 04 Nov 2009 14:40:40 -0500

 

Received: from 105.188.233.220.static.exetel.com.au [220.233.188.105] 
by Mail.Webhost.HM-Software.com with ESMTP


  (SMTPD-11.0) id 0afd0fb0197a; Thu, 5 Nov 2009 06:45:55 -0500

 


Received: from mail.headquarters.qts.local ([192.168.0.103]) by

 mail.headquarters.qts.local ([70.99.176.211]) with mapi; Thu, 5 Nov 2009

 09:40:05 -0600

 


Received: from [*195.248.173.117*] (HELO 192.168.1.75)

  by mail.alkar.net (CommuniGate Pro SMTP 5.2.16)

  with SMTP id 2124311918 for abus...@ultirisk.com; Tue, 03 Nov 2009 
14:58:19 +0200


 


Best Regards,

Andy

 

 


-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of 
David Barker

Sent: Thursday, November 05, 2009 10:57 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes

 


Hi Andy,

 


Great suggestion. Can you send some full header examples to me directly so

we can review this, if you have the matching pair files even better as we

can use them to test specifically.

 


Thanks

 


David Barker

VP Operations Declude

Your Email security is our business

978.499.2933 office

978.988.1311 fax

dbar...@declude.com

 

 

 


-Original Message-

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy

Schmidt

Sent: Thursday, November 05, 2009 10:50 AM

To: declude.junkmail@declude.com

Subject: RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes

 


Hi Dave,

 


You might want to test this new option very carefully!

 


 You could be right, the original Declude code may have had an issue

parsing the second IP. I do not know if this was by design or just bad 
code.


 

 


I think the explanation/reason was, that Scott was having issues with

RECEIVED Headers where the sender's reverse DNS was set up to point to an

apparent IP address or where the HELO/EHLO string was using an IP address.

He might have encountered RECEIVED headers like this:

 


Received: from 192.168.0.1 [10.1.20.1] (helo=192.168.0.1)

   by mx-out-manc2.simplymailsolutions.com with esmtp (Exim 4.63)

   (envelope-from fredrik.karlb...@jameslist.com)

   id 1N5zih-0005FR-15

   for andy_schm...@hm-software.com; Thu, 05 Nov 2009 10:37:35 +

 

And eventually decided to ignore the first IP address and go for the 
last


IP address in the first line - or something like that.

 

 

This parsing problem is rather old and reported occasionally. I even 
recall


this being an issue with spamrouting causing false positives if the 
header


had more than one IP address - because it would pick up wrong IP addresses

and think the routing was suspicious.

 

 


If I can make a (VERY important) suggestion. Since this clearly is NOT at

all a Postini issue and certainly NOT LIMITED to Postini - how about NOT

giving that feature/directive a totally misleading/inappropriate name:

 


   POSTINIFIXON

 


Example - out of 10 emails in my current inbox, I instantly found THIS

(non-Postini) sample:

 


   Received: from sha-exch9.shared.ifeltd.com ([10.1.20.9

Re: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes

2009-11-05 Thread Matt
You are right that I messed up on three of these.  The following ones 
were definitely entirely forged:


   Received: from admd.net ([:::187.3.43.120])
 (AUTH: LOGIN audito...@vazemaia.com.br)
 by mail4.task.com.br with esmtp; Wed, 04 Nov 2009 01:53:07 -0200
 id 006788A4.4AF0FAA3.242C

   Received: from  (])
 by mx1.businessprocessware.com [66.232.102.164]
   (8.13.8/8.13.8) STMP id mzqbrzhqqbq;
 for jul...@websterwatch.com; Wed, 04 Nov 2009 14:40:40 -0500


All but one of the connecting servers in the other 5 examples forged the 
HELO value (which is where my brain farted), which some servers don't 
properly bracket.


Regardless, my recommendation on how to parse the proper IP would work 
in every example except for the forged Received headers above (which is 
fake data anyway and should be ignored if at all possible, so that is 
better).  The problem is that not all servers properly bracket and order 
the actual IP, which means that HELO's that come as IP's can be 
misleading.  This is why you have to start off with the best method, and 
if that doesn't produce results, fall back to another method that is 
just simply guessing (which is what Declude actually does now).


So you first throw out all data before the FROM up till the next 
descriptor BY/WITH/FOR or end of the header, then you search for square 
brackets with an IP inside and nothing else, and take the last value 
that appears in that format in the trimmed piece of the Received 
header.  If you don't get any result from that, you search for all IP's 
that are either surrounded by spaces or parentheses, and you take the 
last such value found.  Note that the delimiters are very important in 
getting the correct IP.  Also note that legitimate headers are rare 
where the IP is neither bracketed nor enclosed at the boundary with 
parentheses, but it does happen.


Matt



Andy Schmidt wrote:


Hi Matt,

 

Sorry -- but some of these are actually headers inserted by my OWN 
server. So they are NOT forged.


 


Most of them are spam, but some of them were even false positives.

 


Best Regards,

Andy

 

 

 

*From:* supp...@declude.com [mailto:supp...@declude.com] *On Behalf Of 
*Matt

*Sent:* Thursday, November 05, 2009 4:14 PM
*To:* declude.junkmail@declude.com
*Subject:* Re: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes

 


Andy,

One important thing of note here is that the first 5 examples you gave 
are in fact forged headers, and the information contained within them 
is fake and not at all useful.  While I don't expect Declude to figure 
out that these are forged Received headers, one shouldn't worry about 
how they are parsed as they can be malformed anyway (as was the case 
in several examples shown).


As a good rule of thumb, you de-fold the entire Received header and 
then take the data in between the FROM and the BY/WITH/FOR or the end 
of the header, whichever appears first, and then take the last 
bracketed IP value.  If you can't find a bracketed IP value, you should 
take the last IP shown (which won't be perfect, but this would not be 
RFC compliant anyway).


I would guess that this would take a programmer maybe an hour to code 
up and test.


Matt




Andy Schmidt wrote:

Hi Dave, just sent you a zip file - hope it made it past your virus check.

 

It has a few interesting cases to see if your new code picks up the 
CORRECT IP address. Always picking the first or the last IP 
address is not at all necessarily reliable.


 


Received: from unknown (HELO 192.168.10.1) (72.167.113.99)

  by k2smtpout02-01.prod.mesa1.secureserver.net (64.202.189.90) with 
ESMTP; 04 Nov 2009 08:29:08 -


 

Received: from 58.92.178.208 ([208.178.92.58]) by 
smtp.webhost.hm-software.com with Microsoft SMTPSVC(5.0.2195.6713);


 Mon, 2 Nov 2009 10:43:37 -0500

 


Received: from admd.net ([:::187.3.43.120])

  (AUTH: LOGIN audito...@vazemaia.com.br 
mailto:audito...@vazemaia.com.br)


  by mail4.task.com.br with esmtp; Wed, 04 Nov 2009 01:53:07 -0200

  id 006788A4.4AF0FAA3.242C

 


Received: from  (])

  by mx1.businessprocessware.com [66.232.102.164] 
(8.13.8/8.13.8) STMP id mzqbrzhqqbq;


  for jul...@websterwatch.com 
mailto:jul...@websterwatch.com; Wed, 04 Nov 2009 14:40:40 -0500


 

Received: from 105.188.233.220.static.exetel.com.au [220.233.188.105] 
by Mail.Webhost.HM-Software.com with ESMTP


  (SMTPD-11.0) id 0afd0fb0197a; Thu, 5 Nov 2009 06:45:55 -0500

 


Received: from mail.headquarters.qts.local ([192.168.0.103]) by

 mail.headquarters.qts.local ([70.99.176.211]) with mapi; Thu, 5 Nov 2009

 09:40:05 -0600

 


Received: from [*195.248.173.117*] (HELO 192.168.1.75)

  by mail.alkar.net (CommuniGate Pro SMTP 5.2.16)

  with SMTP id 2124311918 for abus...@ultirisk.com 
mailto:abus...@ultirisk.com; Tue, 03 Nov 2009 14:58:19 +0200


 


Best Regards,

Andy

 

 


-Original Message-
From
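
Matt's two-step rule from this thread (trim to the FROM clause, take the last bracketed IPv4 literal there, otherwise the last one bounded by spaces or parentheses), written out in Python as an added example; it is not Declude's code and not code posted by anyone on the list. Function names and sample labels are made up here, and the sample headers are abridged from those quoted in the thread.

```python
import ipaddress
import re

OCTETS = r"\d{1,3}(?:\.\d{1,3}){3}"
# Preferred form: an IPv4 literal alone inside square brackets.
BRACKETED = re.compile(r"\[(" + OCTETS + r")\]")
# Fallback form: an IPv4 literal bounded by whitespace or parentheses.
DELIMITED = re.compile(r"(?<=[\s(])(" + OCTETS + r")(?=[\s)]|$)")
FROM_WORD = re.compile(r"^\s*(?:Received:\s*)?from(?=\s)", re.IGNORECASE)
NEXT_CLAUSE = re.compile(r"\s(?:by|with|for)(?=\s|$)", re.IGNORECASE)


def unfold(header):
    """Join folded continuation lines (line break followed by whitespace)."""
    return re.sub(r"\r?\n[ \t]+", " ", header).strip()


def from_clause(header):
    """Return the text after FROM up to the first BY/WITH/FOR, or to the end."""
    text = unfold(header)
    start = FROM_WORD.search(text)
    if start is None:
        return None
    rest = text[start.end():]
    stop = NEXT_CLAUSE.search(rest)
    return rest[:stop.start()] if stop else rest


def valid_ipv4(candidates):
    """Keep only strings that parse as IPv4 (drops octets above 255)."""
    good = []
    for text in candidates:
        try:
            ipaddress.IPv4Address(text)
        except ValueError:
            continue
        good.append(text)
    return good


def connecting_ip(header):
    """Return (ip, method); method is 'bracketed', 'delimited' or 'none'."""
    clause = from_clause(header)
    if clause is None:
        return None, "none"
    for method, pattern in (("bracketed", BRACKETED), ("delimited", DELIMITED)):
        hits = valid_ipv4(pattern.findall(clause))
        if hits:
            return hits[-1], method
    return None, "none"


def last_ip_anywhere(header):
    """Contrast case: last IPv4 literal in the whole header, clauses ignored."""
    hits = valid_ipv4(re.findall(OCTETS, unfold(header)))
    return hits[-1] if hits else None


# Headers quoted in the thread, abridged after the BY clause, with folding
# whitespace normalised. The dictionary keys are labels made up for this example.
SAMPLES = {
    "postini": "Received: from source ([209.85.221.110]) by exprod5mx260.postini.com\n"
               " ([64.18.4.10]) with SMTP;\n Wed, 25 Mar 2009 14:45:20 CDT",
    "helo_then_ip": "Received: from unknown (HELO 192.168.10.1) (72.167.113.99)\n"
                    "  by k2smtpout02-01.prod.mesa1.secureserver.net (64.202.189.90) with ESMTP",
    "ptr_looks_like_ip": "Received: from 105.188.233.220.static.exetel.com.au [220.233.188.105]\n"
                         " by Mail.Webhost.HM-Software.com with ESMTP",
    "helo_is_ip": "Received: from 192.168.0.1 [10.1.20.1] (helo=192.168.0.1)\n"
                  "   by mx-out-manc2.simplymailsolutions.com with esmtp (Exim 4.63)",
    "by_folded": "Received: from mail.headquarters.qts.local ([192.168.0.103]) by\n"
                 " mail.headquarters.qts.local ([70.99.176.211]) with mapi",
    "empty_from": "Received: from  (])\n  by mx1.businessprocessware.com [66.232.102.164]",
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        ip, method = connecting_ip(header)
        print(f"{label:18} clause-aware={ip} ({method})  "
              f"last-anywhere={last_ip_anywhere(header)}")
```

In the `empty_from` sample the clause-aware rule returns nothing, while the whole-header rule returns the receiving server's own address from the BY clause.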

Re: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes

2009-11-04 Thread Matt

Dave,

That's not an RFC violation, it's a problem with the code used to 
extract the IP from the Received headers.


Matt



David Barker wrote:

Here is a message going through a Postini server.

--- EXAMPLE 1 ---
Received: from .x.local ([127.0.0.1]) by xx.xom with Microsoft
SMTPSVC(6.0.3790.1830);
 Wed, 30 Sep 2009 12:18:03 -0400
Return-Path: dbar...@declude.com
Received: from exprod5mx277.postini.com [64.18.0.101] by mail3.xx.net
with SMTP;
   Wed, 30 Sep 2009 12:12:56 -0400
Received: from source ([216.144.195.81]) by exprod5mx277.postini.com
([64.18.4.10]) with SMTP;
Wed, 30 Sep 2009 11:16:38 CDT
Received: from 65.newburyport.dnsstuff.com [173.9.86.65] by smtp.declude.com
with SMTP;
   Wed, 30 Sep 2009 11:16:11 -0500
Reply-To: dbar...@declude.com
From: David Barker dbar...@declude.com
To: xxx ' x...@x.com

---

This line is good.

Received: from exprod5mx277.postini.com [64.18.0.101] by mail3.xx.net
with SMTP;

However this line is a problem.

Received: from source ([216.144.195.81]) by exprod5mx277.postini.com
([64.18.4.10]) with SMTP;

This IP exprod5mx277.postini.com ([64.18.4.10]) should be on its own line.
The problem occurs when there are two IP addresses on the same line. The
first IP is considered as BOGUS and Declude picks up the second IP address
on this line. 


For more information please review RFC 5321: [4.4]


David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com




From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Wednesday, November 04, 2009 3:11 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes

Hi David:

I’m interested to better understand this feature. The line you posted looks
like a legit received header that Postini indeed should add to the top of
the headers when it receives the message from the source?

Received: from source ([209.85.221.110]) by exprod5mx260.postini.com
([64.18.4.10]) with SMTP;
Wed, 25 Mar 2009 14:45:20 CDT

Isn’t the MX of the recipient domain pointed to Postini’s server? So Postini
would be the first “received” header to be inserted before relaying the
message to the client’s internal mail server?

It might help if you actually posted what a header looked like before
Postini mangled it and what it looked like after Postini mangled it? I
guess, what I’m not grasping is, who inserted the “original” header that
Postini has tampered with – if Postini is the domain’s MX?

Best Regards,
Andy

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Wednesday, November 04, 2009 2:54 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes

Hi Scott,

Postini is violating RFC 5321: [4.4]

 An Internet mail program MUST NOT change or delete a Received: line that
was previously added to the message header section. SMTP servers MUST
prepend Received lines to messages; they MUST NOT change the order of
existing lines or insert Received lines in any other location. 

Postini is changing the headers received line by adding the additional IP as
the example below.

Received: from source ([209.85.221.110]) by exprod5mx260.postini.com
([64.18.4.10]) with SMTP;
Wed, 25 Mar 2009 14:45:20 CDT

The problem is that a changed received line is an indication of a forged
header and is a flag for a bogus received line (a technique often used by
spammers).  Because of this, the actual IP of the sender is not where it
should be, so we are giving our customers the option:

POSTINIFIXON

Will identify the sending IP as 209.85.221.110

By Default if not present POSTINIFIXOFF 


Will identify the sending IP as 64.18.4.10

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com






Re: [Declude.JunkMail] Help with Regex

2008-10-29 Thread Matt

Todd,

There are 600,426,974,379,824,381,952 ways to spell Viagra 
(http://www.americanscientist.org/issues/pub/how-many-ways-can-you-spell-v1gra/3) 
and likewise a similar number of ways to obfuscate other words with 6 
letters.


It is better to target other aspects of the message and even the 
obfuscation techniques themselves than to attempt to go after the actual 
text.


Matt



Todd Richards wrote:

Hi Everyone -

I'm seeing this come through a lot - CH!l.D P.ORN and P!rate S0ftware.  So
far, the spam filters are catching it ok based on all of the other filters
there.  However, some of them are barely being caught and I'd like to make
sure they don't make it through.  I threw a basic CONTAINS filter in for
an exact match, but I can already see them doing different things to make it
through.

Any suggestions on a regular expression?

Todd







Re: [Declude.JunkMail] Re:Declude vs Perry (ES)

2008-09-09 Thread Matt

#2 was certainly the scenario.

So what's the deal.  Was or is Scott being bullied out of both of his 
businesses?  Didn't Scott maintain an equity stake in both companies?


That write up on the case just sounds like thievery.

Matt



Andy Schmidt wrote:


Well, Darin -- it may be relevant to look at the timeline.

 


Example:

 


1.   Declude is developed

2.   Declude is purchased

3.   Developer keeps source code and NOW starts to reuse it to 
develop DNSstuff.com


 


vs.

 


1.   Declude is developed

2.   DNSstuff is developed

3.   Declude is purchased from Developer

4.   DNSstuff is also purchased from Developer

 

I would see how concerns may be raised in the FIRST case. But in the 
SECOND case, there are no hidden surprises. Over time, they purchased 
two different applications that had previously been developed by the 
same developer, and obviously would share some common generic functions.


 

If I sold you a one of a kind car and then sold you a one of a 
kind motorcycle -- you can't act surprised years later when you find 
out that I was using the same hex-nuts and headlight bulbs, where 
appropriate.


 

*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of 
*Darin Cox

*Sent:* Tuesday, September 09, 2008 2:03 PM
*To:* declude.junkmail@declude.com
*Subject:* Re: [Declude.JunkMail] Re:Declude vs Perry (ES)

 

Did he keep a copy of the code, or did he just use libraries he 
developed through the years, as all programmers do, that he used for 
all of his programming?  It's not possible to tell that without an 
in-depth review of source code for both products.


 

Also, bear in mind that programmers tend to do the same tasks the same 
way, so two completely separate development projects can have very 
similar looking code just due to the way a particular programmer 
solves problems and writes his/her code.


 

Also, as someone on another list pointed out, you typically aren't 
buying the source code, per se, when you buy all rights to a product.  
What you typically buy are the rights to all marketing for the product 
(names/trademarks, domain names, etc.), the customer base and any 
other data specific to the product, and a non-compete from the 
seller.  While source code is necessary to continue development of the 
product, and is included in the sale, copyrights on the source code 
are often meaningless due to the above points.  In this case, the 
additional product is not a competing product.  I don't know the terms 
of the sale, however, so it is possible that the source code was 
central to the purchase.  However, the above two points still apply.



Darin.

 

 


- Original Message -

*From:* Craig Edmonds mailto:[EMAIL PROTECTED]

*To:* declude.junkmail@declude.com mailto:declude.junkmail@declude.com

*Sent:* Tuesday, September 09, 2008 1:42 PM

*Subject:* RE: [Declude.JunkMail] Re:Declude vs Perry (ES)

 


I am not a lawyer so don't understand 100%.

So Scott Perry agreed to sell the code but kept a copy anyway and when 
the new owners of Declude went to raise capital they found out that 
Scott Perry had already developed an additional product with the code 
they had bought.


I don't see the problem myself?

The new owners of declude are just protecting their interests no?

 


Kindest Regards
Craig Edmonds
123 Marbella Internet Services
W: www.123marbella.com http://www.123marbella.net/
E : [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]



 

*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of 
*Nick Hayer

*Sent:* 09 September 2008 16:16
*To:* declude.junkmail@declude.com
*Subject:* [Declude.JunkMail] Re:Declude vs Perry

 


Hi David -

Below was forwarded to me - as a long time Decluder I am very 
disappointed in seeing something like this -


-Nick

 


http://dozierinternetlawpc.cybertriallawyer.com/computer-lawyer

 

DECLUDE, INC. AND DNSSTUFF, LLC. v. R. SCOTT PERRY DISTRICT OF 
MASSACHUSETTS (BOSTON) 1:08-cv-11072


FILED: 06/25/08

*The ownership of source code and the ownership of the code in general 
used to build a website is often an overlooked issue. Make sure that 
you have spelled out not only the ownership of the code but also the 
requirements relating to what code can be retrieved from the public 
domain. If you are using a web developer who retains ownership of 
source code then you risk having that developer use the code with 
future competitors at much lower costs and with the benefit of your 
intellectual capital in developing the architecture, engineering, and 
business processes. *


Declude purchased the Defendant's anti-virus, anti-spam and 
anti-hijacking software in September, 2000, and sold the products as 
Declude Virus, Declude Junkmail, and Declude Hijack. The 
Defendant, R. Scott Perry, allegedly used the same source code in 
developing an additional product, and when the Plaintiff went to 
venture capitalists to raise capital, the detailed due diligence 
revealed that Defendant

Re: [Declude.JunkMail] Declude Crashing

2008-08-02 Thread Matt

Mark,

Sounds like a 'killer message'.  It would help to post the contents of 
the HDR file associated with that log line as Declude may be dying on 
parsing a value in that HDR file.


I've noted more common crashes of DecludeProc recently myself, but we 
are behind an Alligate gateway so much of the badly formatted E-mail dies 
there.  That certainly adds to the stability of Declude and also the 
mail server in some cases.  Anything that looks at E-mail must have the 
ability to survive something unexpected.


Matt



Mark Strother wrote:


For the past few hours we've had a real problem with Declude crashing 
and I can't figure it out. We're using SmarterMail 4.1 and Declude 
4.1.14A. I've disabled all external plugins and filters and disabled 
the viruschecking so it's not related to that. I've cleared out all 
the queued messages, restarted everything and it crashes again within 
minutes. I've done that several times. Once I managed to get Declude 
running for about 10 minutes but then it crashed again. I'm not sure 
what else to do. For now I've had to disable Declude. I've turned up 
all logging to the highest level and don't see anything of note except 
'Error in envelope file'.


 

Can anyone provide some help or point in the right direction? We've 
been running Declude for 2 or so years and we do see the occasional 
crash but typically Windows restarts the service and everything is 
fine. In the case it just crashes over and over.


 


 Mark



Re: [Declude.JunkMail] can't deinstall 3.1.0

2008-07-02 Thread Matt

Uwe,

I think the install has been broken for a couple of years.  It always 
seems to drop the files in the wrong directories.  I have found myself 
having to go into the registry to fix things every time I install it.  
If you look in the registry for where the services are defined, you 
should be able to fix everything up.


Matt



Uwe Degenhardt wrote:

Hello list,
I can't deinstall Declude 3.1.0
on a Win2003 Server engine.
(although deinstalled, it is still reappearing
after the 4.4.0 install).
Also the installation of Declude 4.4.0
doesn't run into the right directory.
(instead of d:\smartermail it goes to: d:\kunden)
Any clues on that ?

Uwe









Re: [Declude.JunkMail] can't deinstall 3.1.0

2008-07-02 Thread Matt

David,

On every install that I do, the spool location is always changed on both 
IMail and SmarterMail from the default prior to the Declude install.  
Maybe the latest version is now working, but at least the prior versions 
of 4.x were putting Declude's executables under the spool instead of 
back in the mail server's main directory.  This would also cause 
failures to start as things weren't mapped correctly in the registry.  I 
would always have to move the files around and edit the registry to get 
them to work.  I thought you were aware of these issues.


Matt



David Barker wrote:

The install is not broken and has never been broken. Declude installs to the
correct directory based on your mail server installation and configuration.

David B

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, July 02, 2008 2:40 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] can't deinstall 3.1.0

Uwe,

I think the install has been broken for a couple of years.  It always 
seems to drop the files in the wrong directories.  I have found myself 
having to go into the registry to fix things every time I install it.  
If you look in the registry for where the services are defined, you 
should be able to fix everything up.


Matt



Uwe Degenhardt wrote:
  

Hello list,
I can't deinstall Declude 3.1.0
on a Win2003 Server engine.
(although deinstalled, it is still reappearing
after the 4.4.0 install).
Also the installation of Declude 4.4.0
doesn't run into the right directory.
(instead of d:\smartermail it goes to: d:\kunden)
Any clues on that ?

Uwe







Re: [Declude.JunkMail] SORBS

2008-06-23 Thread Matt

Anymore???  When were they trusted?

People that run a blacklist without a financial incentive generally are 
aggressive individuals that have lost their will for tolerance, and 
don't want to be bothered by things like false positives.  Those with 
easy to maintain systems (primarily automated ones based on good 
technique, such as CBL) deal less with problems and complaints and 
experience better goodwill and results.  Those with harder to maintain 
systems and/or bad technique likely have less tolerance for being wrong 
and point the finger at others much more often for their own shortcomings.


I do not believe in collateral damage because it mostly hurts innocent 
parties and costs them lots of time and lost business and personal 
communications, but most blacklists use this as a tool.  I believe that 
purposeful/practiced collateral damage also carries with it civil 
liability, though we have yet to see such a case go to judgment.  I have 
however seen many instances where blacklist maintainers wise up right 
before it is about to cost them legal fees.


These blacklists are free for all to use, so I don't complain too much, 
but I do wish that SORBS would change technique, be more receptive to 
reports of problems, make problems easier to report, and stop blaming 
those that are falsely blocked.  You can't make all of the people happy 
all of the time when maintaining a blacklist, but they could do better.  
Being a Declude user, you should weight them according to not just their 
accuracy, but also how it mixes with other tests that you use.


Matt



David Dodell wrote:


Is SORBS not a trusted spam database anymore ... multiple stories 
being sent to me that they are not legitimate.


ie

http://www.iadl.org/sorbs/sorbs-story.html
http://www.natesimpson.com/blog/archives/2004/10/07/sorbs-sucks/





Re: [Declude.JunkMail] Mail Pre-Processor recommendations

2008-05-28 Thread Matt

Scott,

Alligate is a good gateway to use when you have something like Declude 
behind it.


The only reason that I can think of that your Barracuda box is seeing 
that many messages would be because you might not be validating 
addresses.  Like Andrew said, you can cut your _connection_ traffic by 
95% with ease, but a large number of those connections are to bad 
addresses (backscatter and 'dictionary' attacks).  You must validate 
addresses at your gateway.


You can run Alligate on a single core box with 1 GB of memory and a 
single hard drive.  Just make sure to dedicate the box to Alligate in 
order to avoid issues when resources are that sparse.


Matt



Scott Fosseen wrote:
I believe I have seen some replies to this already, but I thought I would put 
this out again.   I am hosting about 30 domains worth of email and filtering 
for an additional 10 domains.  My current configuration is all mail is 
pre-filtered through a Barracuda 400 box, then forwarded to a Smartermail 
4.x server running Declude with Sniffer, Zero Hour, invURIBL.  The 
Smartermail/Declude box is a Dual Quad Core HP server with 2 Gig of RAM.  I 
am currently receiving about 600k email messages a day on the Barracuda box, 
and it is seeing performance issues.  Before I purchase a 2nd Barracuda box 
I thought I would check to see if anyone has a better solution.  Declude 
still catches 40-60% SPAM after the Barracuda box.


Thanks
_
Scott Fosseen - Systems Engineer - Prairie Lakes AEA - 
http://www.aea8.k12.ia.us/tech

_
We live in a world today where lemonade is made from artificial
flavors and furniture polish is made from real lemons.  - Alfred
E.Neumann MAD magazine
_
 





Re: [Declude.JunkMail] form spam filter

2008-04-09 Thread Matt
The form spammers are smarter than to go directly to the mail script.  
They will hit for the form submission page with what appears to be IE 
and submit the form.  They even handle cookies correctly.


The trick for form spam is to take fields like your Name and E-mail and 
rename the variables to something like ignore-old-data1 and 
ignore-old-data2 and adjust your mailer script for the new names.  
Then you insert new form fields in the form page that are hidden with a 
DIV and call them Name and E-mail.  Your mailer script should pretend 
that the E-mail was successful if these fields have data in them, but 
you should simply 86 the actual message.  This will trick their testing 
software into thinking that they were successful, and the DIV's with 
visibility hidden will not be seen by normal visitors.  You might also 
want to put some JavaScript in the form submission page that looks for a 
URL in the form and warn the submitter that they can't send URL's, and 
then also have the mailer script silently reject a submission that has a 
URL in it.  RegEx would be required in both JavaScript and the ASP or 
whatever code to do the URL checking.


As far as I know, this seems to work perfectly, but setting session 
variables on the form page doesn't do a damn thing.


Matt



Darin Cox wrote:
Since forms all use different emailers, and the form content is 
different as well, your only hope is content filtering based on what 
the spammer submitted... like SURBL filtering or REGEX on the spammer 
submission.
 
These days, web-based form processing pages should minimally check 
that the referring page is what it is supposed to be (i.e. the form 
page submit button was clicked as opposed to a spammer submitting 
directly to the form action URL), and better yet implement CAPTCHA, 
require a login, or some other similar security measure.


Darin.
 
 
- Original Message -

*From:* Craig Edmonds mailto:[EMAIL PROTECTED]
*To:* declude.junkmail@declude.com mailto:declude.junkmail@declude.com
*Sent:* Wednesday, April 09, 2008 3:16 AM
*Subject:* [Declude.JunkMail] form spam filter

Hi All,

Is there a filter for form spam?

Some clients complain that they get form spammers sending in junk via 
their web forms.

Some clients have captchas on their forms some don't, but I would like 
to be able to filter out the junk at declude level.

Any ideas?

Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.com http://www.123marbella.com
E : [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]

 


Re: [Declude.JunkMail] form spam filter

2008-04-09 Thread Matt

Darin,

I think you missed what I was saying exactly.  If the form spammer fills 
out the fields that are hidden by DIV's, the E-mail wouldn't be sent by 
the mailer script and it would pretend to have been successful.


Spammers use programs to do this stuff, and although they are 
intelligent programs, they almost definitely will target fields named 
Name and E-mail, and if on their first try they fill these fields in 
and they get a positive response from the script, their program will 
stop trying to fix issues.


I won't claim that this method is 100% effective, but I have used it in 
some cases and no one ever said that it didn't do the trick for them.  
If they got through that trick, I would ban URL's with a JavaScript 
alert and then silently with the mailer script (figuring that no real 
people would get a URL to the mailer script).


This is the easiest of all methods to implement.  It takes 5 to 10 
minutes to fix a form and you don't hinder your visitors with CAPTCHAs.  
It's not like there isn't code being used by spammers elsewhere that 
read CAPTCHA's anyway, though I suspect that the current form spammers 
are not doing that right now.


Matt



Darin Cox wrote:

Hi Matt,
 
Some do, some don't.  I've seen both methods used on some customer sites.
 
Setting session variables on the form page definitely wouldn't work, 
as a spammer that hits the form would receive the same session 
information anyone else would.
 
Certainly checking data against constraints is _always_ important, 
whether to prevent hacking, avoid data exceptions, enforce business 
rules, etc.
 
The method you outline seems like it would only work if the spammer 
doesn't submit to all fields.  Some of the attempts we've seen 
populated all fields, so this wouldn't work on those.
 
I'd stick with CAPTCHA as the best and most foolproof method to avoid 
these problems.  It's fairly easy to implement (there are a number of 
free examples in public domain), is familiar to most people filling 
out the forms, and works well.


Darin.
 
 
- Original Message -

*From:* Matt mailto:[EMAIL PROTECTED]
*To:* declude.junkmail@declude.com mailto:declude.junkmail@declude.com
*Sent:* Wednesday, April 09, 2008 8:55 AM
*Subject:* Re: [Declude.JunkMail] form spam filter

The form spammers are smarter than to go directly to the mail script.  
They will hit for the form submission page with what appears to be IE 
and submit the form.  They even handle cookies correctly.


The trick for form spam is to take fields like your Name and E-mail 
and rename the variables to something like ignore-old-data1 and 
ignore-old-data2 and adjust your mailer script for the new names.  
Then you insert new form fields in the form page that are hidden with 
a DIV and call them Name and E-mail.  Your mailer script should 
pretend that the E-mail was successful if these fields have data in 
them, but you should simply 86 the actual message.  This will trick 
their testing software into thinking that they were successful, and 
the DIV's with visibility hidden will not be seen by normal visitors.  
You might also want to put some JavaScript in the form submission page 
that looks for a URL in the form and warn the submitter that they 
can't send URL's, and then also have the mailer script silently reject 
a submission that has a URL in it.  RegEx would be required in both 
JavaScript and the ASP or whatever code to do the URL checking.


As far as I know, this seems to work perfectly, but setting session 
variables on the form page doesn't do a damn thing.


Matt



Darin Cox wrote:
Since forms all use different emailers, and the form content is 
different as well, your only hope is content filtering based on what 
the spammer submitted... like SURBL filtering or REGEX on the spammer 
submission.
 
These days, web-based form processing pages should minimally check 
that the referring page is what it is supposed to be (i.e. the form 
page submit button was clicked as opposed to a spammer submitting 
directly to the form action URL), and better yet implement CAPTCHA, 
require a login, or some other similar security measure.


Darin.
 
 
- Original Message -

*From:* Craig Edmonds mailto:[EMAIL PROTECTED]
*To:* declude.junkmail@declude.com mailto:declude.junkmail@declude.com
*Sent:* Wednesday, April 09, 2008 3:16 AM
*Subject:* [Declude.JunkMail] form spam filter

Hi All,

Is there a filter for form spam?

Some clients complain that they get form spammers sending in junk via 
their web forms.


Some clients have captchas on their forms some don't, but I would 
like to be able to filter out the junk at declude level.


Any ideas?

Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.com http://www.123marbella.com
E : [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]


Re: [Declude.JunkMail] form spam filter

2008-04-09 Thread Matt
Note that I'm not claiming that I have the absolute best way to go about 
doing this, but I do have my opinions.


If a form mail spamming software is going to go through the process of 
parsing JavaScript and CSS, it wouldn't be a leap at all to see them 
parsing CAPTCHA's.  There is open source CAPTCHA parsing code, and it 
has been around for a long time, and spammers are known to use this code 
for at least cracking accounts at places like Hotmail and Yahoo for 
some time.

If I was a spammer, I would start cracking CAPTCHA's before I bothered 
with JavaScript and CSS.  While there may very well be code out there 
that mimics keystrokes and the like, spammers are not trying to hit 
100%, and that's why adding DIV visibility hidden fields fools these guys.


I do consider CAPTCHA's a barrier for legitimate users, and I personally 
feel they are a pain, especially if they are messed up enough to not be 
easily broken with CAPTCHA parsing code.  Since this is the most common 
automation blocking method, it is also the most likely to fail to 
protect things down the line.


My take is to do something custom/non-standard, and essentially reverse 
engineer their methods.  They test forms for success, so you fool them 
by pretending there is success.  If a simple solution like DIV 
visibility hidden used on extra fields that will cause the mail not to 
be sent, but nevertheless verified, stops working, then I would jump to 
other methods.  They have to have a payload, so blocking URL's with 
JavaScript is appropriate for many contact forms, and you check for 
URL's in the mail sending script and pretend success if found.  Again, 
spammers won't know the difference, and they aren't going to great 
lengths to obfuscate URL's currently, so that would be 100% effective, 
but an occasional pain for visitors who for some reason desire to send 
URL's.


I also like some of Marc's designer's tricks, and there are tons of 
tricks out there that can be effective.  For instance, you could use 
JavaScript to read the screen sizes, and if they are too small, or 
non-existent, you pretend success, but do not send the E-mail.


The pretend success is a major component of all of these tricks, and it 
is easy enough to create some sort of multi-factor hurdle that is just 
too custom for a generic form submission program to get right.  
CAPTCHA's on the other hand are a burden for legitimate users, and their 
utility will likely disappear in time, whereas these other methods are 
neither a burden, nor are they likely to cease being effective.


That's my take on it.

Matt



Darin Cox wrote:
Hmmm... good idea.  Though the testing/form filler tools I've seen 
aren't using pasting.  They are generating keystrokes and targeting 
them into the appropriate fields.
 
With the tools I've seen, the ability exists to put pauses in, but 
that would effectively restrict volume submissions for a spammer, and 
therefore cut down significantly on traffic.  The only drawback is for 
forms that a user accesses multiple times and may use previously 
submitted data.  In those cases, they might resubmit the form as-is, 
thus invalidating the timer.  Also, note that the confirmation page is 
CAPTCHA.


Darin.
 
 
- Original Message -

*From:* Marc Catuogno mailto:[EMAIL PROTECTED]
*To:* declude.junkmail@declude.com mailto:declude.junkmail@declude.com
*Sent:* Wednesday, April 09, 2008 12:22 PM
*Subject:* RE: [Declude.JunkMail] form spam filter

One thing we did on our domain is to ban pasting so that the scripts 
couldn't paste their info into our fields.  Also I just had an idea 
and asked the webmaster if he could program the form to perform a 
different action if the form page was opened for too short of a time 
period.  Like shoot to a second page that would ask for a confirmation 
click or word to be typed in. This assumes that a person would take 
significantly more time to fill a form than a program, even if it is a 
keystroke generator


 

*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of 
*Darin Cox

*Sent:* Wednesday, April 09, 2008 11:54 AM
*To:* declude.junkmail@declude.com
*Subject:* Re: [Declude.JunkMail] form spam filter

 


Matt,

 

I did understand.  What I'm saying is that it doesn't always work.  To 
clarify, in addition to less sophisticated automated form fillers that 
would fill out all fields, there are also more sophisticated ones that 
use keystroke generators to fill out forms.  I just saw one in the 
public domain last month.  CAPTCHA doesn't have this problem, would 
defeat those automated form fillers, and is therefore more reliable 
with similarly very little effort to implement.



Darin.

 

 


- Original Message -

*From:* Matt mailto:[EMAIL PROTECTED]

*To:* declude.junkmail@declude.com mailto:declude.junkmail@declude.com

*Sent:* Wednesday, April 09, 2008 11:45 AM

*Subject:* Re: [Declude.JunkMail] form spam filter

 




No, I understood completely.  I've seen forms
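
The decoy-field trick, the silent URL rejection, and Marc's too-fast confirmation step from the form spam messages above, combined into one mailer-script decision function. This is an added example, not code from any poster in the thread; only the decoy names `Name` and `E-mail` and the renamed fields `ignore-old-data1` and `ignore-old-data2` come from the posts, while the `comments` field, the 3-second threshold, the CR/LF check and all function names are assumptions.

```javascript
// Added example (constructed): decision logic for a contact-form mailer script.
// "Name" and "E-mail" are the decoy names from the thread; other names are hypothetical.
const DECOYS = ['Name', 'E-mail'];
const REAL = { name: 'ignore-old-data1', email: 'ignore-old-data2', message: 'comments' };
const MIN_FILL_MS = 3000; // assumed threshold for "filled in too fast"; tune on real traffic
const THANKS = 'Thank you, your message has been sent.';

// Explicit schemes and www. hosts only; the thread notes URLs were not being obfuscated.
const URL_RE = /(?:\b(?:https?|ftp):\/\/|\bwww\.)\S+/i;

function escapeAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };
  return String(s).replace(/[&<>"]/g, c => map[c]);
}

// Form page: the decoys sit in a DIV that visitors never see. tabindex and
// autocomplete keep keyboard users and browser autofill out of them.
function renderForm(action) {
  const decoys = DECOYS.map(n =>
    `    <input type="text" name="${escapeAttr(n)}" tabindex="-1" autocomplete="off">`);
  return [
    `<form method="post" action="${escapeAttr(action)}">`,
    '  <div style="visibility:hidden;position:absolute" aria-hidden="true">',
    ...decoys,
    '  </div>',
    `  <label>Your name <input type="text" name="${REAL.name}"></label>`,
    `  <label>Your e-mail <input type="email" name="${REAL.email}"></label>`,
    `  <label>Message <textarea name="${REAL.message}"></textarea></label>`,
    '  <button type="submit">Send</button>',
    '</form>',
  ].join('\n');
}

// fields: parsed POST body. elapsedMs: time between serving the form and the POST
// as measured by the server, or null when it is not measured.
function classifySubmission(fields, elapsedMs = null) {
  const raw = k => (typeof fields[k] === 'string' ? fields[k] : '');
  for (const d of DECOYS) {
    if (raw(d).trim() !== '') return { action: 'discard', reason: `decoy:${d}` };
  }
  // Assumption beyond the thread: values that end up in mail headers must not
  // contain line breaks.
  for (const k of [REAL.name, REAL.email]) {
    if (/[\r\n]/.test(raw(k))) return { action: 'discard', reason: `crlf:${k}` };
  }
  for (const k of [REAL.name, REAL.message]) {
    if (URL_RE.test(raw(k))) return { action: 'discard', reason: `url:${k}` };
  }
  if (elapsedMs !== null && elapsedMs < MIN_FILL_MS) {
    return { action: 'confirm', reason: 'too-fast' };
  }
  return { action: 'deliver', reason: 'clean' };
}

// Delivered and discarded submissions get the same status and body, so an
// automated submitter sees success either way. Only status and body go to the
// client; verdict is for the server's own logging.
function handlePost(fields, elapsedMs, sendMail, log = () => {}) {
  const verdict = classifySubmission(fields, elapsedMs);
  if (verdict.action === 'confirm') {
    return { status: 200, body: 'Please confirm that you want to send this message.', verdict };
  }
  if (verdict.action === 'deliver') {
    sendMail({
      replyTo: fields[REAL.email].trim(),
      name: fields[REAL.name].trim(),
      text: fields[REAL.message],
    });
  } else {
    log(verdict.reason); // count trapped submissions to see which trap is doing the work
  }
  return { status: 200, body: THANKS, verdict };
}
```

The client-side JavaScript URL warning from the thread is a courtesy for real visitors only; the server-side check above is the one that decides.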

Re: [Declude.JunkMail] ORDB RBL operations

2008-03-27 Thread Matt
This is without a doubt a very important thing to check out.  It stung 
our system, and I'm sure there are others around here that have yet to 
check theirs for any ORDB tests.  The hits for all IP's began yesterday 
morning for us.


Thanks,

Matt





Michael Hardrick wrote:


Everyone here should already know about this so it’s just a FYI.

In December of ’06 ORDB ceased operations, but now they are replying 
to RBL requests.


 

“As of yesterday, owners of the domain have begun sending replies that 
will cause the MailFoundry and other anti-spam appliances to believe 
all requests sent to it are returned as existing causing the 
MailFoundry to act in whatever manner it is configured to act in the 
case of a positive response such as delete, quarantine, etc.”

It’s probably a good idea to remove them from your config if you 
haven’t already.


 


Regards,

Michael Hardrick

TNWEB LLC

931-359-7960

[EMAIL PROTECTED]

 



This electronic message transmission contains information from TNWEB 
LLC which may be confidential or privileged. Recipients should not 
file copies of this e-mail with publicly accessible records. The 
information is intended to be for the use of the individual(s) named 
above. If you are not the intended recipient, please be aware that any 
disclosure, copying, distribution or use of the contents of this 
message is prohibited.


If you have received this electronic transmission in error, please 
notify us by electronic mail immediately, before we get in really big 
trouble. If you fail to be intimidated by this notice, we will get 
angry, stamp our feet, and hold our breath until we turn blue.


Thank you.

(Official-Copied Notice V1.7fc3)

 



No virus found in this outgoing message.
Checked by AVG.
Version: 7.5.519 / Virus Database: 269.22.0/1342 - Release Date: 
3/25/2008 10:26 AM






---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.
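
A check for the failure described in the ORDB message above, where a retired blacklist zone starts answering every query as listed. This is an added example, not from the original posts; the zone `dnsbl.example` and all function names are hypothetical, and the two probe addresses are the test points RFC 5782 defines for IPv4 DNS blacklists.

```javascript
// Added example (constructed): decide whether a DNS blacklist zone can still be trusted.
const TEST_LISTED = '127.0.0.2';     // RFC 5782: an IPv4 DNSBL must list this address
const TEST_NOT_LISTED = '127.0.0.1'; // RFC 5782: an IPv4 DNSBL must not list this one

// Build the name a mail filter looks up: reversed octets followed by the zone.
function queryName(ip, zone) {
  const octets = ip.split('.');
  if (octets.length !== 4 || octets.some(o => !/^\d{1,3}$/.test(o) || Number(o) > 255)) {
    throw new Error(`not an IPv4 address: ${ip}`);
  }
  return `${octets.reverse().join('.')}.${zone.replace(/\.$/, '')}`;
}

// Real listings are returned as 127.0.0.0/8 codes; anything else is not a listing.
const isListingCode = a => /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(a);

// answers maps each query name to the A records returned ([] for NXDOMAIN).
function assessZone(zone, answers) {
  const neg = answers[queryName(TEST_NOT_LISTED, zone)] || [];
  const pos = answers[queryName(TEST_LISTED, zone)] || [];
  if (neg.length > 0) {
    // The must-not-list address came back listed: every sender will score as a hit.
    return { zone, usable: false, state: 'lists-everything', detail: neg.join(',') };
  }
  if (pos.length === 0) {
    return { zone, usable: false, state: 'no-test-entry', detail: 'zone dead or not verifiable' };
  }
  if (!pos.every(isListingCode)) {
    return { zone, usable: false, state: 'bogus-answers', detail: pos.join(',') };
  }
  return { zone, usable: true, state: 'healthy', detail: pos.join(',') };
}

// Live probe. resolve4 is injected; in Node pass require('dns').promises.resolve4.
// Timeouts and server failures are rethrown: they are not a verdict on the zone.
async function probeZone(zone, resolve4) {
  const answers = {};
  for (const ip of [TEST_NOT_LISTED, TEST_LISTED]) {
    const name = queryName(ip, zone);
    try {
      answers[name] = await resolve4(name);
    } catch (err) {
      if (err.code !== 'ENOTFOUND' && err.code !== 'ENODATA') throw err;
      answers[name] = [];
    }
  }
  return assessZone(zone, answers);
}
```

Run the probe on a schedule for every IP-based test in the configuration and disable or zero-weight any zone that stops reporting `healthy`.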

Re: [Declude.JunkMail] SORBS

2008-03-27 Thread Matt

Increase from a lot of FP's to exactly how many more?

:)

Matt



David Barker wrote:

Any increase on False Positives with SORBS being experienced ?

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 x 7007 office
978.988.1311 fax
[EMAIL PROTECTED]

 









Re: AW: AW: [Declude.JunkMail] Hardware upgrade -Software Crossgrade?

2008-03-11 Thread Matt

Todd,

My response really had nothing to do with you, but was my reaction to 
SmarterTools and how they have gone past the limit of what the bulk of 
the market is willing to pay.  They could still increase revenues in 
other ways, such as pushing software upgrade agreements at lower prices, 
pushing out new fantastic functionality that everyone will want to have, 
and actually marketing the availability of these things instead of 
expecting their customers to always come to them.  They could make up in 
volume that they would be losing in gross profit.


So because they are boneheads, we are paying more and more.  My 
upgrade this year will cost nearly as much as my full version did 
before.  Those are sharp increases in price, and need I not remind 
everyone what happened to Ipswitch's business when they pulled this stunt?


Matt



Todd Richards wrote:


Matt --

 


I'm not arguing, but simply asking as I'm looking at moving to SM.

 

Our license with Ipswitch is 3x that of the same version of SM.  The 
service agreement that we purchased -- but never used (because I never 
had enough faith in the new version of IMail) is almost twice the cost 
of purchasing SM new.  From what I've heard from everyone I've talked 
to, SM actually works, so the support calls are minimal anyway.  You 
do get free updates within the version.  So if once a year I have to 
buy the newest version at 65% of the retail, which is still much 
cheaper than Imail, I'm not sure what the difference is?


 

My SA with Imail actually just expired as I haven't had a chance to 
test SM yet.  So my dilemma is do I renew my Imail SA at almost 
$1000, so I can continue running 8.22, or purchase a brand new version 
of SM for half that through Declude, and have the features that work 
that we've been waiting for?


 

As for the software protection, I was working with a rep from 
SmarterMail at the start of February.  He informed me right then and 
there that they were planning a release at the end of Q1, and that I 
would get the new update.  Doing the math, that is almost 45 days on 
the bat.  So either they actually keep their promises (unlike 
Ipswitch) or they would have stretched that time to take care of me.


 

Again, maybe I'm missing something so this wasn't to start an 
argument.  And I apologize for continuing the OT email.


 


Todd

 

 

*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of 
*Matt

*Sent:* Monday, March 10, 2008 5:17 PM
*To:* declude.junkmail@declude.com
*Subject:* Re: AW: AW: [Declude.JunkMail] Hardware upgrade -Software 
Crossgrade?


 

Wow.  One thing immediately pops into my head...these people are 
greedy as hell!


Prices continue to rise with each successive version, and they 
continue this odd behavior of not selling software subscriptions, but 
instead charging 65% of the original price for upgrades.  This might 
be all fine and dandy except for the fact that they are on a one-year 
upgrade cycle, they stop updating previous versions, and you don't get 
a support contract with your purchase.  Of course this flies in the 
face of the reality of the market where hosting is heavily 
commoditized and only getting worse.


SmarterMail works well, but it's a shame that they don't understand 
the economies of their customers, and that works against them.  I 
would definitely argue that by not offering a software subscription at 
a reasonable and standard market rate of 30% of full retail price, 
they fail to capture a good deal of upgrade potential and therefore 
upgrade revenue, and they lose goodwill by having fewer customers due 
to this pricing.  They also lose customers by only offering 45 days 
(formerly 30 days) of protection for new purchases, so anyone thinking 
about buying it now would be better off waiting for the release just 
to guarantee that they weren't stuck on an unsupported version of the 
product.  That's hugely boneheaded of them.  So it would be close to a 
wash in revenue to do something as typical and expected as to have a 
software subscription for a standard market rate.


Matt



Re: AW: AW: [Declude.JunkMail] Hardware upgrade -Software Crossgrade?

2008-03-10 Thread Matt
Wow.  One thing immediately pops into my head...these people are greedy 
as hell!


Prices continue to rise with each successive version, and they continue 
this odd behavior of not selling software subscriptions, but instead 
charging 65% of the original price for upgrades.  This might be all fine 
and dandy except for the fact that they are on a one-year upgrade cycle, 
they stop updating previous versions, and you don't get a support 
contract with your purchase.  Of course this flies in the face of the 
reality of the market where hosting is heavily commoditized and only 
getting worse.


SmarterMail works well, but it's a shame that they don't understand the 
economies of their customers, and that works against them.  I would 
definitely argue that by not offering a software subscription at a 
reasonable and standard market rate of 30% of full retail price, they 
fail to capture a good deal of upgrade potential and therefore upgrade 
revenue, and they lose goodwill by having fewer customers due to this 
pricing.  They also lose customers by only offering 45 days (formerly 30 
days) of protection for new purchases, so anyone thinking about buying 
it now would be better off waiting for the release just to guarantee 
that they weren't stuck on an unsupported version of the product.  
That's hugely boneheaded of them.  So it would be close to a wash in 
revenue to do something as typical and expected as to have a software 
subscription for a standard market rate.


Matt




Hirthe, Alexander wrote:

or maybe not? :-)
http://www.smartertools.com/forums/t/17365.aspx

Thanks for the info, I'll give it a try.


From: [EMAIL PROTECTED] [EMAIL PROTECTED] on behalf of Gary Steiner [EMAIL PROTECTED]
Sent: Monday, March 10, 2008 21:00
To: declude.junkmail@declude.com
Subject: re: AW: [Declude.JunkMail] Hardware upgrade -Software Crossgrade?

If you are going to purchase SmarterMail, you may want to wait a little as they 
are about to release a new version.  5.x is currently in beta.

http://www.smartertools.com/forums/38.aspx



 Original Message 
  

From: Hirthe, Alexander [EMAIL PROTECTED]
Sent: Monday, March 10, 2008 10:59 AM
To: declude.junkmail@declude.com declude.junkmail@declude.com
Subject: AW: [Declude.JunkMail] Hardware upgrade -Software Crossgrade?

Hi,


Ø  Alexander, you are really citing two problems with your scale and 
performance.
That's true, and I'm sure I will install IMail 8 on the new server to get an 
easier migration. (and to be sure, to work on just one case)
That's the thing I must do, exchange the hardware. Too small disks, too slow CPU. 
RAM would be ok.
The second part (Update the Software) would be nice, even if there will be more 
support calls after upgrading.


Ø  My suggestion is that both problems would be relieved by introducing a mail 
gateway in front of your mailboxes. In the Windows world, Alligate and XWall 
are popular with Declude/Sniffer users on this list and the Sniffer support 
list. With either one, I think you will find that the gateway will take the 
brunt of the antispam effort, leaving the back-end server to service mailbox 
connections and requests.
We use NoSpamToday as a front end server, and this lowers the incoming spam 
very well.

The problem is, we are getting more and more customers :-) and they all want 
a good working email system.


Ø  If your existing hardware is old, you could replace the fans and disks and 
have it become your new gateway, while you purchase some new hardware for your 
back-end, which will scale much higher than before once the back-end has to do 
less antispam processing.
We bought a new piece of hardware for the frontend Antispamserver.


Ø  p.s. Did you have a third problem? Were you implying that the feature-set of 
IMail is no longer to your liking?
Is there anyone really using IMail 9? Especially if you had Imail 8 before?

I'm paying about 1000$ every year, and I haven't seen a really good working 
version of IMail since 8.22.
I tried it on my testserver, put some domains on it, and it didn't work like 
it should.
I called support, mailed support and it was not getting better.
So I put it away and tried it some months later again. IMail 9 was (is) getting 
better and better, but still it's not as stable as I want it.

Today I installed Smartermail and it's nice, easy to handle, has a nice 
webinterface, and it's *cheap*.
I thought about dumping the IMail SA and buy Smartermail for that price :)

That's the reason for the Mail. IMail 8 is working, but it's old.
And I think, there could be a better software than IMail 8 :-)

Alex







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hirthe, Alexander
Sent: Monday, March 10, 2008 1:44 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Hardware upgrade -Software Crossgrade?
Hello,

we are going to move to an new hardware.

At the moment we are running

Re: [Declude.JunkMail] OT: Yahoo Blocking Email

2008-02-25 Thread Matt
That's not the correct page, that page is primarily for bulk E-mail 
senders so that they can keep their lists clean.


Use this page instead.  At the bottom is a link to the form that starts 
the process:


   http://help.yahoo.com/l/us/yahoo/mail/postmaster/basics-55.html

I would guess that it is going to be the Yahoo! Mail Unblock Request 
Form.  This is the same form that I filled out previously for a client.


Matt



Robert Grosshandler wrote:

http://help.yahoo.com/l/us/yahoo/mail/postmaster/

Third bullet down.  


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Thursday, February 21, 2008 12:59 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] OT: Yahoo Blocking Email

Rob,

We are using domain keys and reverse DNS as well as SPF records.  Do you
have a link to where I would request the whitelisting?

Dave

  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert
Grosshandler
Sent: Thursday, February 21, 2008 12:21 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] OT: Yahoo Blocking Email

More.  Yahoo has whitelisting, and really cares about reverse DNS pointers
and Domain Keys.  You might want to resubmit, they were fast for us way back
when.

Rob

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck,
Andrew
Sent: Thursday, February 21, 2008 12:01 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] OT: Yahoo Blocking Email

And as a further best practice to what Matt is advising, I'll mention
that ideally you want to send all outbound mail from an IP that is
different from your inbound gateways. And that your outbound bulk mail
would be separate from both.


Andrew.





-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Matt
Sent: Thursday, February 21, 2008 9:41 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] OT: Yahoo Blocking Email


I did this once about a year and a half ago for a client and they
responded fairly quickly, but the full process took about a month before
they whitelisted it.

If you are bulk mailing from your hosted mail server, you need to stop.
Never send bulk E-mail from a hosted mail server, and it is also good to
use a different domain for bulk mailing.  I'm not saying that is the
case here, but bulk mailing can trip Yahoo.

In the meantime, you might want to see if you can just switch your IP
address to see if that will work.

Matt



Dave Beckstrom wrote:
  

Hi All,

Has anyone figured out how to stop Yahoo from blocking email?  They've
blocked all email from our servers for about 3 weeks.  I've submitted their
forms but it hasn't done any good.

Dave




---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] OT: Yahoo Blocking Email

2008-02-21 Thread Matt
I did this once about a year and a half ago for a client and they 
responded fairly quickly, but the full process took about a month before 
they whitelisted it.


If you are bulk mailing from your hosted mail server, you need to stop.  
Never send bulk E-mail from a hosted mail server, and it is also good to 
use a different domain for bulk mailing.  I'm not saying that is the 
case here, but bulk mailing can trip Yahoo.


In the meantime, you might want to see if you can just switch your IP 
address to see if that will work.


Matt



Dave Beckstrom wrote:

Hi All,

Has anyone figured out how to stop Yahoo from blocking email?  They've
blocked all email from our servers for about 3 weeks.  I've submitted their
forms but it hasn't done any good.

Dave




---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.



Re: [Declude.JunkMail] OT: Yahoo Blocking Email

2008-02-21 Thread Matt

Oh, and one more thing...

If you allow non-mail server port 25 traffic to be sent from within your 
network, you either want to block that entirely, or ensure that it 
doesn't go out from the same IP address as your mail server.  I have 
seen many of my clients end up on lists like XBL because of an infected 
desktop that was NAT'ed to be sent from the same IP as their mail server.


Matt



Dave Beckstrom wrote:

Hi All,

Has anyone figured out how to stop Yahoo from blocking email?  They've
blocked all email from our servers for about 3 weeks.  I've submitted their
forms but it hasn't done any good.

Dave




---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.



Re: [Declude.JunkMail] OT: Yahoo Blocking Email

2008-02-21 Thread Matt
Note that even though they ask if you are using DomainKey, this does 
nothing to get you whitelisted, it's only them promoting their sender 
verification scheme.


I've said this for 4 years now.  Sender verification is useless, and it 
is likely to only cause problems.  The vast majority of senders that 
have either SPF or DomainKey are spammers.  Those that fail SPF or 
DomainKey are often enough forwarded or coming from something like a 
contact app on a website that inserts the sender.  It's not worth the 
trouble, and you or someone else is much more likely to block legitimate 
E-mail.   Yahoo won't whitelist you if you are using them.


Matt



Robert Grosshandler wrote:

More.  Yahoo has whitelisting, and really cares about reverse DNS pointers
and Domain Keys.  You might want to resubmit, they were fast for us way back
when.

Rob

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck,
Andrew
Sent: Thursday, February 21, 2008 12:01 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] OT: Yahoo Blocking Email

And as a further best practice to what Matt is advising, I'll mention
that ideally you want to send all outbound mail from an IP that is
different from your inbound gateways. And that your outbound bulk mail
would be separate from both.


Andrew.

 

  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
Behalf Of Matt

Sent: Thursday, February 21, 2008 9:41 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] OT: Yahoo Blocking Email


I did this once about a year and a half ago for a client and they 
responded fairly quickly, but the full process took about a month before 
they whitelisted it.

If you are bulk mailing from your hosted mail server, you need to stop.  
Never send bulk E-mail from a hosted mail server, and it is also good to 
use a different domain for bulk mailing.  I'm not saying that is the 
case here, but bulk mailing can trip Yahoo.

In the meantime, you might want to see if you can just switch your IP 
address to see if that will work.


Matt



Dave Beckstrom wrote:


Hi All,

Has anyone figured out how to stop Yahoo from blocking email?  They've
blocked all email from our servers for about 3 weeks.  I've submitted their
forms but it hasn't done any good.

Dave




---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] How can I filter this...?

2008-02-08 Thread Matt
There are 1,300,925,111,156,286,160,896 ways to spell Viagra (see the 
update at the bottom).


   http://cockeyed.com/lessons/viagra/viagra.html

Going after the word is not the way to target the spam.

Matt



Chuck Schick wrote:

Here is the From line.

 From: viagra [EMAIL PROTECTED]

The X-declude Sender line is:

X-Declude-Sender: [EMAIL PROTECTED] [190.172.162.107]

Sorry, I was not clearer.

We are getting tons of these with varying spellings of the viagra and the
email address is always different.

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Friday, February 08, 2008 1:56 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] How can I filter this...?

How so, can you show the X-Declude-Sender line that it did not work on ?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck
Schick
Sent: Friday, February 08, 2008 3:50 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] How can I filter this...?

David:

The first one does not work.

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Wednesday, February 06, 2008 12:25 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] How can I filter this...?

Chuck you have several options:


MAILFROM    5    STARTSWITH    Viagra
MAILFROM    5    CONTAINS      Viagra
MAILFROM    5    PCRE          (?i:.*viagra.*@)


David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 x 7007 office
978.988.1311 fax
[EMAIL PROTECTED]

 
-Original Message-

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck
Schick
Sent: Wednesday, February 06, 2008 2:17 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] How can I filter this...?

Spam email is sent and the from line is

vigara [EMAIL PROTECTED]

Now the declude sender is [EMAIL PROTECTED] but I want to filter the sender name
of vigara.  Seems like it should be simple but it is eluding me.

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.
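
Why a sender test can miss this spam while the word is plainly visible in the From line, as an added Python example (not code from the thread or from Declude). It assumes the filter is handed only the envelope address; the names and addresses are constructed, and case-insensitive matching for the first two comparisons is also an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# The PCRE quoted in the thread; (?i:...) is also valid Python regex syntax.
THREAD_PCRE = re.compile(r"(?i:.*viagra.*@)")


def run_tests(value):
    """Apply the thread's three comparisons to a single string."""
    lowered = value.lower()  # assumption: comparisons ignore case
    return {
        "STARTSWITH": lowered.startswith("viagra"),
        "CONTAINS": "viagra" in lowered,
        "PCRE": THREAD_PCRE.search(value) is not None,
    }


def make_message(display_name, addr):
    """Build a minimal constructed message with the given From header."""
    return (
        f"From: {display_name} <{addr}>\n"
        "To: user@example.org\n"
        "Subject: hello\n"
        "\n"
        "body\n"
    )


def compare_views(raw_message, envelope_sender):
    """Run the same tests on the envelope sender and on the header From."""
    msg = message_from_string(raw_message)
    header_from = msg["From"] or ""
    display_name, header_addr = parseaddr(header_from)
    return {
        "display_name": display_name,
        "header_addr": header_addr,
        "envelope": run_tests(envelope_sender),
        "header_from": run_tests(header_from),
    }


# Constructed cases: (display name, address used for both header and envelope).
CASES = [
    ("viagra", "x9q@bulk.example"),           # word only in the display name
    ("vigara", "p0z@bulk.example"),           # misspelled display name
    ("Offers", "viagra-deals@bulk.example"),  # word in the address itself
]

if __name__ == "__main__":
    for name, addr in CASES:
        view = compare_views(make_message(name, addr), addr)
        print(f"{name!r:10} {addr:28} envelope={view['envelope']} "
              f"header={view['header_from']}")
```

Only the third case fires on the envelope address; the first fires only when the whole From header is examined, and the misspelled one fires on neither.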



Re: [Declude.JunkMail] re: [384-0F3A4F35-96D8] You do not have permission to post to the declude.junkmail@declude.com list

2008-02-05 Thread Matt

Rick,

I don't know why Declude hasn't fixed this bug yet... but 
these are being sent to the entire listserv and not just you.  I noted 
that you keep responding to them thinking they are directed at you, but 
they are just auto-replies from their support ticketing system which 
seem to get kicked back when someone that is not a member tries to post, 
or possibly tries to forge as the list owner.


Matt



Rick Klinge wrote:


Will you morons please remove me from your spam list?

 

 


*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
*Sent:* Monday, February 04, 2008 10:33 PM
*To:* declude.junkmail@declude.com
*Subject:* [Declude.JunkMail] re: [384-0F3A4F35-96D8] You do not have 
permission to post to the declude.junkmail@declude.com list


 

Thank you for submitting a ticket to support. Your ticket number is 
[384-0F3A4F35-96D8].


Please keep this ticket number for your records and include it in the 
subject (including brackets) of all future emails regarding this issue.


The response time during business hours is usually within 24 hours, if 
you have had no response in this time please do not hesitate to call 
our support number 1-866-332-5833


Thank You.

Declude Technical Support



view this ticket online 
http://support.declude.com/customer/viewticket.aspx?email=declude.junkmail%40declude.comticketnum=384-0F3A4F35-96D8 



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] Blackice Server Settings

2008-01-04 Thread Matt

In relation to spam or in relation to security?

My answers would be Alligate (on a separate server) and a firewall, 
respectively.


Matt



Howard Smith (N.O.R.A.D.) wrote:

ISS no longer supports blackice and it is no longer in production, what
are users replacing it with?

 
Howard Smith
. 
 
 
-Original Message-

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Wednesday, September 27, 2006 5:58 PM
To: declude.junkmail@declude.com
Cc: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Blackice Server Settings

I've gotten some requests to post the information on how to use Blackice
Server to block email harvesting attacks.  So here it is!


Before you install Blackice Server you must turn Data Execution Prevention
OFF on your server.  Blackice and DEP will not coexist.  On your server
right click on MY COMPUTER then go to properties and then go to advanced.
Under performance, select the SETTINGS button and then click on the Data
Execution Prevention tab.  If DEP is listed as enabled for anything, remove
it for the listed services.

Next, you can install Blackice.

When you install Blackice server you should install it with the trusting
mode enabled to allow all inbound traffic.  I believe it asks you what you
want when you install Blackice.  I don't recall for sure if it does or not
because it has been several years since I installed it.   If it doesn't ask
you the protection level that you want, after you install blackice you can
go into the GUI and go to the firewall tab and under protection level you
can select trusting: allow all inbound traffic

Blackice should run without causing you any trouble so you should have time
to complete the other configuration items.  The whole install and
configuration only took me about 15 minutes.  I installed it on a dedicated
email server.  I don't have any experience with Blackice on a server running
other stuff besides email and webmail.

Also, you can always stop the Blackice service if you hit a problem.
Blackice does its thing by watching traffic across the network card.  If you
stop Blackice then its effectively as if Blackice isn't installed on the
server.  When the service is stopped Blackice is gone and all is back as it
was before. 


Attached is the issuelist.csv file which comes with Blackice server.
Blackice uses this file as a database of different types of attacks.  Line
227 had to be modified to indicate an action of IP|RST.  The IP|RST tells
Blackice to block the IP of the attacker as the action to take.  Ignore the
comments to the far right of line 227.  The comments say to block the
attacker if they attempt to send email to 10 non-existent email addresses
within 120 seconds.  The QTY/Timeframe is actually specified elsewhere.  All
you need to change in this file is to add IP|RST to line 227.  The attached
file already has the change.  It is from the most current version of
Blackice so if you just bought Blackice you can move the attached file into
the Blackice directory and you're good to go.

Next, in the Blackice GUI you'll want to go to the firewall tab and put a
checkmark in front of Enable Auto Blocking.  The GUI updates the
firewall.ini file to tell Blackice that auto-blocking is enabled.  The line
in my firewall.ini is the following:

auto-blocking = enabled, 2000, BIgui

Next, go to the blackice.ini file and manually edit it to add the following
4 lines:


smtp.error.count=6   
smtp.error.interval=30
pam.smtp.error.count=6 
pam.error.interval=30



The above settings in blackice.ini tell Blackice that if it detects an
attempt to send to 6 non-existent email addresses within 30 seconds then it
should activate the Email_Error action in line 227 of issuelist.csv.  We set
the action to be IP|RST (in issuelist.csv) which specifies that the IP
should be blocked.  So if the QTY/Timeframe is met, the IP is blocked.  The
block of the IP will automatically go away after a specified time.  This is
good because an IP is never permanently blocked forever.  


I believe the IP is removed from the blocklist after 24 hours.  I have to
find where you specify the length of time that the IP should remain blocked.
I'll post that when I find it.  


Also, on those 4 config lines above you can obviously choose how aggressive
you want to be at blocking email harvesting by setting a different
error.count and error.interval.  I figured 6 attempts at bad addresses in 30
seconds was most certainly someone trying to guess email addresses on our
servers.


Another thing that you will want to do is go into the Blackice GUI and go to
the intrusion detection tab.  Here you will want to add your internal and
external IP addresses as ranges of IP addresses that you want to trust.  


If Blackice ever blocks an IP that shouldn't be blocked (say some customer
who isn't well-behaved but who is still a customer), through the GUI you can
right click on your customer's  info in the EVENTS tab and then select the
option
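
The threshold logic the post configures (6 failed recipients within 30 seconds, then a temporary block of the source IP), as an added Python example that is not BlackICE's code or part of the original post. The log format, the sample addresses, the trusted range and the 24-hour expiry (which the post only recalls) are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

ERROR_COUNT = 6                          # smtp.error.count in the post
ERROR_INTERVAL = timedelta(seconds=30)   # smtp.error.interval in the post
BLOCK_TTL = timedelta(hours=24)          # assumption: expiry the post recalls
TRUSTED_NETS = [ip_network("192.0.2.0/24")]  # constructed "trusted" range


class HarvestDetector:
    """Sliding-window counter of rejected recipients per source IP."""

    def __init__(self, count=ERROR_COUNT, interval=ERROR_INTERVAL,
                 ttl=BLOCK_TTL, trusted=TRUSTED_NETS):
        self.count, self.interval, self.ttl = count, interval, ttl
        self.trusted = list(trusted)
        self.errors = defaultdict(deque)   # ip -> timestamps of recent errors
        self.blocked = {}                  # ip -> time the block expires

    def is_blocked(self, ip, now):
        expiry = self.blocked.get(ip)
        if expiry is not None and now >= expiry:
            del self.blocked[ip]           # blocks are temporary
            expiry = None
        return expiry is not None

    def observe(self, when, ip, status):
        """Feed one RCPT result; returns trusted, dropped, block or ok."""
        if any(ip_address(ip) in net for net in self.trusted):
            return "trusted"               # never count or block trusted hosts
        if self.is_blocked(ip, when):
            return "dropped"
        if status // 100 != 5:             # assumption: any 5xx is an error
            return "ok"
        window = self.errors[ip]
        window.append(when)
        while when - window[0] > self.interval:
            window.popleft()               # forget errors outside the interval
        if len(window) >= self.count:
            self.blocked[ip] = when + self.ttl
            window.clear()
            return "block"
        return "ok"


def parse_line(line):
    """Parse 'YYYY-MM-DD HH:MM:SS ip RCPT <addr> status' (constructed format)."""
    date, time, ip, _verb, _rcpt, status = line.split()
    when = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return when, ip, int(status)


def replay(lines, detector=None):
    """Run log lines through a detector; return (block events, detector)."""
    detector = detector or HarvestDetector()
    blocks = []
    for line in lines:
        when, ip, status = parse_line(line)
        if detector.observe(when, ip, status) == "block":
            blocks.append((when, ip))
    return blocks, detector


def make_burst(ip, start, step, n, status=550):
    """Constructed log lines: n rejected recipients, step seconds apart."""
    t0 = datetime.strptime(start, "%Y-%m-%d %H:%M:%S")
    return [f"{t0 + timedelta(seconds=i * step):%Y-%m-%d %H:%M:%S} {ip} RCPT "
            f"<guess{i}@example.org> {status}" for i in range(n)]


# Constructed sample: a fast guesser, a slow sender with a stale list,
# a trusted internal host, and the guesser returning after the block expired.
SAMPLE_LOG = sorted(
    make_burst("203.0.113.7", "2006-09-27 17:58:00", 3, 8)
    + make_burst("198.51.100.9", "2006-09-27 17:58:00", 10, 8)
    + make_burst("192.0.2.10", "2006-09-27 17:58:00", 1, 8)
    + make_burst("203.0.113.7", "2006-09-28 18:30:00", 3, 2)
)

if __name__ == "__main__":
    events, _ = replay(SAMPLE_LOG)
    for when, ip in events:
        print(f"{when} block {ip} until {when + BLOCK_TTL}")
```

The slow sender never trips the rule because no 30-second window ever holds six errors, which is the trade-off the post describes when choosing the count and interval.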

Re: [Declude.JunkMail] Blackice Server EndOfLife - need replacement

2008-01-04 Thread Matt
I'm sure that there are many opinions around here, but I don't think 
that servers should be the place where you enforce security with a 
software firewall.  Although you might like some of what it tells you, I 
would think that a firewall and AV software would do the trick perfectly 
fine.  Of course you can tune your firewall to your heart's content, and 
do things like limit outgoing ports, run IDS, etc.  If you have enough 
servers, you might also want to set up off-site vulnerability scanning 
on a scheduled basis.  If you are worried about inside your network you 
should set up VLANs.


As we saw a couple of years ago with Blackice, and then again last year 
with Symantec Corporate, software that intercepts packets from the 
network is itself vulnerable to exploitation, and this is a good 
reason to use a hardware firewall as at least a first level of defense, 
and only allow in what is necessary.


Matt



Howard Smith (N.O.R.A.D.) wrote:

To replace blackice functions as to load on a server and monitor and block
what applications send out on individual ports. I have an offending app or
task that is trying to send out on random ports, I am trying to find it and
block it

 
Howard Smith

N.O.R.A.D. Inc.
P.O. Box 680116
Miami, Florida 33168  
www.norad.com 
www.securetrek.com

www.siteshuttle.com
www.audiovideotrek.com
[EMAIL PROTECTED]
Office - (305) NETWORK (638-9675)
Sales - (786) 206-0045
Fax 1 - (305) 359-5144
 


Confidentiality Notice: This email message, including any Attachments, is
for the sole use of the intended recipient(s) and may contain confidential
and privileged information. Any unauthorized review, use, disclosure or
distribution is prohibited. If you are not the intended recipient, please
contact  [EMAIL PROTECTED] by email and destroy all copies of the original
message. 
 
 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Friday, January 04, 2008 2:25 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Blackice Server Settings

In relation to spam or in relation to security?

My answers would be Alligate (on a separate server) and a firewall, 
respectively.


Matt



Howard Smith (N.O.R.A.D.) wrote:
  

ISS no longer supports blackice and it is no longer in production, what
are users replacing it with?

 
Howard Smith
. 
 
 
-Original Message-

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Wednesday, September 27, 2006 5:58 PM
To: declude.junkmail@declude.com
Cc: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Blackice Server Settings

I've gotten some requests to post the information on how to use Blackice
Server to block email harvesting attacks.  So here it is!


Before you install Blackice Server you must turn Data Execution Prevention
OFF on your server.  Blackice and DEP will not coexist.  On your server
right click on MY COMPUTER then go to properties and then go to advanced.
Under performance, select the SETTINGS button and then click on the Data
Execution Prevention tab.  If DEP is listed as enabled for anything, remove
it for the listed services.

Next, you can install Blackice.

When you install Blackice server you should install it with the trusting
mode enabled to allow all inbound traffic.  I believe it asks you what you
want when you install Blackice.  I don't recall for sure if it does or not
because it has been several years since I installed it.   If it doesn't ask
you the protection level that you want, after you install blackice you can
go into the GUI and go to the firewall tab and under protection level you
can select trusting: allow all inbound traffic

Blackice should run without causing you any trouble so you should have time
to complete the other configuration items.  The whole install and
configuration only took me about 15 minutes.  I installed it on a dedicated
email server.  I don't have any experience with Blackice on a server running
other stuff besides email and webmail.

Also, you can always stop the Blackice service if you hit a problem.
Blackice does its thing by watching traffic across the network card.  If you
stop Blackice then it's effectively as if Blackice isn't installed on the
server.  When the service is stopped Blackice is gone and all is back as it
was before.


Attached is the issuelist.csv file which comes with Blackice server.
Blackice uses this file as a database of different types of attacks.  Line
227 had to be modified to indicate an action of IP|RST.  The IP|RST tells
Blackice to block the IP of the attacker as the action to take.  Ignore the
comments to the far right of line 227.  The comments say to block the
attacker if they attempt to send email to 10 non-existent email addresses
within 120 seconds.  The QTY/Timeframe is actually specified elsewhere.  All
you need to change

Re: [Declude.JunkMail] Hardware Upgrade

2007-12-21 Thread Matt

I mostly concur with Andrew here, but let me add some specifics.

1) *Memory* - for the 5000 series of chips using FB-DIMMs you need 4 
total sticks to max out the memory bandwidth.  4 gets you twice the 
memory bandwidth of 2, though you can use just 2.  The real-world 
benchmarks show maybe a 5% improvement, though this depends largely on 
what you are doing.  I'm not aware of any advantage to getting faster 
memory as I believe these systems will run the memory at the speed 
dictated by the processors.  The amount of memory for this particular 
application will depend on how many cores you have.  I would do 2GB with 
4 cores, and 4GB with 8 cores, but only if you are going to be pushing 
hard on them (and you probably won't be).


2) *CPU* - You should be fine with just 4 cores, in fact Windows will 
not likely be able to max out 8 cores with Declude due to heap issues 
(limitations in memory allocations).  I run 8 x 1.86 GHz cores and I 
start getting a lot of errors if I press the system to 100% from 
Declude, which with my config is somewhere between 150 and 200 messages 
being scanned concurrently.  How much load per message will depend on 
what you are running in your Declude config.  Mine is rather heavy, 
though I still couldn't get more out of the server in terms of total 
utilization due to the heap issues, though the messages would process 
more quickly with a lighter config.  So I would guess that with 4 x 2.33 
GHz cores, you could do about 100 concurrent messages.  Also take note 
that there are lower wattage quad-core Xeons out now that begin with 
"L".  These run about 50 Watts instead of 80 Watts for the standard 
quads.  This does add up, especially when you consider that cooling and 
other supportive processes will at least 1 to 2 times that amount of 
power for what the server actually uses.  If you pay your own power 
bills, the L series processors should pay for themselves.


3) *Disk and RAID* - SATA is the way to go.  Try to stay away from the 
2.5" drives if you can.  Modern SATA controllers can handle RAID 5 
without a bottleneck, and on a 4 drive system with a modern RAID 
controller, RAID 5 will definitely outperform RAID 10.  I recommend 
3Ware 9550sx controllers, but you should be safe with any SATA II 
controller that supports a battery backup for the cache.  I would stay 
away from zero-channel RAID cards, and definitely anything that is host 
RAID or software RAID because they are much more likely to require 
physical intervention in the event of a drive failure.  There is no need 
to separate the OS onto a different drive system for this purpose.  I 
would get 250 GB drives since they will initialize faster and the extra 
space likely isn't needed.  I run my 8 core system on a 4 drive RAID 5 
array with SATA II drives and it works great.


4) *Pre-scanning Gateway* - Most Declude servers will save between 30% 
and 50% CPU utilization by adding an Alligate server in front of it 
(much more if you have catch-alls or aren't doing address verification 
at all).  You will also block significantly more spam that way, 
especially the zombie stuff.  I have helped many set up Alligate, and we 
can even host a backup server or set something up as a test if you were 
interested.  Alligate doesn't require a lot of processing power, though 
the system needs to be a stand-alone system.  Even a single-core server 
with a single drive would handle this great, though it makes sense to 
have a backup.  Note that out of the box Alligate won't do near what it 
can when configured by an experienced administrator, and you can block a 
ton of spam and other attacks with virtually no false positives 
(definitely +99.99% accuracy is possible while rejecting over 80% of all 
connection traffic).  There is another hidden benefit to using Alligate; 
many of the killer messages that can affect both Declude and IMail are 
stopped by a properly configured Alligate pre-scanning gateway, and 
virtually all of the automatically-spreading viruses too.


Matt


Colbeck, Andrew wrote:

Hello, Serge.

I'm happy to chime in here, but let me start off with saying that you
will get divergent opinions here, and that nobody will be absolutely
right, as our answers are coloured by our own experiences, and each
implementation is unique.

I'll also start off with asking you for your current and your intended
message volumes, general architecture and software mix. Answering these
details will help you keep the arguments comparing apples to apples
because what is true for one respondent with low volume will not be true
for another respondent with crushingly high volumes!


My answers:

1- Memory

I used to agonize over making the exact right decision regarding
slots, interleaving and multipliers; my truth *now* is that these are
tweaks that make 2% to 6% of the raw memory speed in benchmarks and that
it makes precious little difference in the real world for, say, an email
server.

Memory is relatively cheap; buy

Re: [Declude.JunkMail] upgrade/migrate from Imail 8.15 to Smartermail

2007-12-11 Thread Matt

Andy,

I have found the migration tool to be lacking in refinement.  For 
instance, it won't set the admin account for each domain.  It also will 
import the root accounts from IMail, even if disabled, and it will pull 
over their default passwords of passwords and enable those accounts 
(these will likely be hacked and used if given enough time).  
Essentially you will want to either go in and change the settings for 
every account and every domain to what it should be, or just fix up one 
domain and its users, and then source that domain's config settings as 
a template and use a search and replace tool to fix up all of your other 
domains and accounts.  It will work without doing all of this, but it 
does create a mess to deal with.  Also note that it will not import 
calendars.


Don't mess with SmarterMail's greylisting or spam blocking unless you 
have less than 100 users.  It won't keep up, and it's rather basic 
compared to Declude.


I find SmarterMail to be pretty stable overall, and the interface is 
fairly nice, though people will get confused by the location of the 
submit buttons, so be prepared for these calls by webmail users if you 
have them.  Unfortunately you can't turn off some of the menus for 
webmail users, so they will see things like spam filtering dialogs even 
though they won't necessarily do anything.  You will need to determine 
how to integrate Declude, I believe that it can work within this system, 
though sometimes that isn't wise since people would then have the tools 
to cause themselves trouble.


Matt


Craig Edmonds wrote:


Thanks Andrew, you are a star!

Great advice and much appreciated.

Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.com http://www.123marbella.com
E : [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]

*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of 
[EMAIL PROTECTED]

*Sent:* 11 December 2007 13:46
*To:* Craig Edmonds
*Subject:* Re: [Declude.JunkMail] upgrade/migrate from Imail 8.15 to 
Smartermail


 


Hi,

 


Just got through doing the upgrade, a few things you should do/know.

 

1) cleanup imail email boxes before you run the migration 
utility... it takes a lot longer if you don't.


2) smartermail requires using the full email address 
([EMAIL PROTECTED]) for logging in (pop3).  By default, it's that 
way with the web interface also.


3) get smartermail setup on IIS ASAP as opposed to the built in 
smartermail web interface... you'll have performance issues otherwise


4) the default password rules in smartermail are for at least 5 
character password and different username/pw (you can't use username 
for the password for the account username).   If you have users with 
shorter passwords, they'll have issues so you may want to change that 
from the start.


5) declude is more tightly integrated with smartermail than 
Imail...you're gonna like that :)  Give declude a call and they'll 
help you get that setup.


6) make sure you read the install/migration instructions carefully.  

7) If you have dialup customers, they're not going to like you in the 
beginning... smartermail web interface is more graphical/slower


8) there is a management learning curve...smartermail is different from 
Imail.   You'll like smartermail better after you learn to navigate. 
 The key here is to login as the admin first and learn to get around 
from there.


 

 


Thanks,

Andrew Baldwin

 


[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]

http://www.thumpernet.com 


315-282-0020

 


Tuesday, December 11, 2007, 3:25:04 AM, you wrote:

 

 




The time has come to dump Imail 8.15 which has been pretty solid but 
due to CBL.ABUSE picking on me for using Imail 8.15 I need to get rid 
of imail and I can't upgrade to Imail 2006 so Smartermail is looking 
like the best option for now. (basically cbl said you have to upgrade 
your imail... we don't care if it costs you money)


 


I have two dedicated mail servers on windows I need to upgrade.

 

Has anyone been through the migration process of Imail to smartermail 
and is there much involved?


 

Also, I run declude, do I have to make many changes to that also and 
does anyone know if there is a cost for that?


 


Any advice on this would be appreciated.

 


Kindest Regards

Craig Edmonds

123 Marbella Internet

W: www.123marbella.com http://www.123marbella.com

E : [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]

 

 



Re: [Declude.JunkMail] COPYTO Oddity

2007-12-04 Thread Matt
This appears to be an IMail behavior and not caused by Declude.  There 
are double IMail headers in there, and they have different spool names too.


This may be due to domains being configured for different IP's in 
IMail.  This might require some registry hacking to straighten out.  You 
should check and make sure that the branch with the intended IP is also 
associated with the domain branch in question.  I could reference my own 
system for how this is configured if you want to share an export of this 
with me off-line.  My system does something similar and it isn't double 
scanning, so it must like the way that things appear in my registry.


Matt





Scott Fisher wrote:

I've changed the IP number of my server and I've noticed this oddity.
 
Emails that score between 100 and 199, I send a copy to a spam 
mailbox to scan:


WEIGHT100COPY COPYTO [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
 
After my IP address change, the copyto message is being scanned again 
by Declude.

I would have thought the message shouldn't be scanned again by Declude.
 
Any ideas?
 
Here are some headers:
 
Extra received header:
*Received: from imail.Farmprogress.com [192.168.191.6] by 
imail.Farmprogress.com with ESMTP

  (SMTPD-9.22) id A7BD01FC; Tue, 04 Dec 2007 15:33:49 -0600*
Received: from mx1.farmprogress.com [192.168.191.14] by 
imail.Farmprogress.com with ESMTP

  (SMTPD-9.22) id A7A70330; Tue, 04 Dec 2007 15:33:27 -0600
Received: from forever21.com [12.129.230.91]
 by mx1.farmprogress.com (Alligate(TM) SMTP Gateway v3.7.10.21)
 with ESMPT id [EMAIL PROTECTED] 
mailto:[EMAIL PROTECTED]
 for [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]; 
Tue, 04 Dec 2007 15:33:23 -0600

X-VirtualServerGroup: Default
X-Destination-ID: [EMAIL PROTECTED] 
mailto:[EMAIL PROTECTED]

X-MailingID: 0::0::0::030884
X-SMFBL: YXNjaGFyZmVuQGZhcm1wcm9ncmVzcy5jb20=
X-Mailer: StrongMail Enterprise 3.2.1(3.00.215)
Received: from mail04
 by forever21.com (StrongMail Enterprise 3.2.1(3.00.215)); Tue, 04 Dec 
2007 13:33:38 -0800

X-SMHeaderMap: mid=X-MailingID
DomainKey-Signature: a=rsa-sha1;
 c=nofws;
 s=onlinepromo;
 d=forever21.com;
 q=dns;
 
b=ncw9REjUL4WsRgooMtB40+CfmDvpeiUhlzJIn3WP9jYCBAUgkOs+Acw70VZSuGXfywj5yvy1p9vhtFKtCNMP/a7WvVwE/ozcEbUZ87FkTa6Pld5ssUiV1k1ORcLF0V9Ks0ygEf8sNHRTe9f9XcM7U6/BbOI6EY7XEoRz75PA0Ok=
Message-ID: [EMAIL PROTECTED] 
mailto:[EMAIL PROTECTED]
return-path: [EMAIL PROTECTED] 
mailto:[EMAIL PROTECTED]

mime-version: 1.0
from: Twelvebytwelve [EMAIL PROTECTED] 
mailto:[EMAIL PROTECTED]

to: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
date: 4 Dec 2007 13:34:01 -0800
Subject: [Possible SPAM]Button Up!! Coats With A French Accent
content-type: text/html; charset=us-ascii
content-transfer-encoding: quoted-printable
X-MXRate-Prob: -1
X-MXRate-Country: US
X-MXRate-Action: ALLOW
X-Alligate-ReceivingIP: [192.168.191.14]
X-Alligate-Grey: Skipped
X-Alligate-REVDNS: mx11.forever21.com
X-Alligate-Spam: NOSUBD;
X-Alligate-ID: 30642
X-RBL-Warning: MXRATE-WHITE-LAST: GOOD SENDER
X-RBL-Warning: IPNOTINMX:
X-RBL-Warning: MPPT-SIZE-XS: Message failed MPPT-SIZE-XS: 4
X-RBL-Warning: MPPT-MXQUALIFIER: Message failed MPPT-MXQUALIFIER: 512
X-RBL-Warning: MPM-STATICSPAMMER: Message failed MPM-STATICSPAMMER: 
1048576

X-RBL-Warning: SNIFFER-NOTFOUND: Message failed SNIFFER-NOTFOUND: 0.
X-RBL-Warning: COUNTRY-0POINT: Message failed COUNTRY-0POINT test 
(line 6, weight 0)

X-Declude-RefID:
X-FarmProgress: = Inbound Header (incoming) 
=

X-FarmProgress: Spam weight: 165.
X-FarmProgress: Tests Failed: MXRATE-WHITE-LAST, IPNOTINMX, SPFPASS, 
MPPT-SIZE-XS, MPPT-MXQUALIFIER, MPM-STATICSPAMMER, SNIFFER-NOTFOUND, 
COUNTRY-0POINT, WEIGHT100, WEIGHT100COPY.
X-FarmProgress: Tests Failed: MXRATE-WHITE-LAST [-15], IPNOTINMX [0], 
SPFPASS [0], MPPT-SIZE-XS [10], MPPT-MXQUALIFIER [0], 
MPM-STATICSPAMMER [180], SNIFFER-NOTFOUND [0], COUNTRY-0POINT [0], 
WEIGHT100 [100], WEIGHT100COPY [100]

X-FarmProgress: Scan Time: 04 Dec 2007 at 15:33:49
X-FarmProgress: Spool Name: Dc7a7021d148d.smd
X-FarmProgress: Server Name: forever21.com
X-FarmProgress: SMTP Sender: [EMAIL PROTECTED] 
mailto:[EMAIL PROTECTED]

X-FarmProgress: Received From: mx11.forever21.com [12.129.230.91]
X-FarmProgress: Country Chain: UNITED STATES-destination
X-FarmProgress: Header code: e
X-FarmProgress: 
==
X-FarmProgress: This E-mail was scanned by Farm Progress Companies 
using Declude 4.3.64
X-FarmProgress: 
==

X-Declude-RefID:
 
Second pass on the email:
*X-FarmProgress: = Inbound Header (incoming) 
=

X-FarmProgress: Spam weight: 0.
X-FarmProgress: Tests Failed: Whitelisted.
X-FarmProgress: Tests Failed: Whitelisted
X-FarmProgress: Scan Time: 04 Dec 2007 at 15:33:56
X-FarmProgress: Spool Name: Dc7bd02171491.smd
X-FarmProgress: Server Name

Re: [Declude.JunkMail] OT: Adding a non-authoritative DNS A record and associated PTR record

2007-12-03 Thread Matt

You seem to have failed to ask the actual question here.

If you create the domain locally, you must create all records on the 
public domain for full DNS functionality to be maintained.  Just 
creating one record will result in lookup failures for all other records 
on that domain.


Matt



Michael Hoyt wrote:

Sorry for the off topic post but I know someone here will have an easy answer
to this question.

I currently host DNS records for our Active Directory domain on our domain
controller (Win 2003 with local domain COMMARTS.LAN) and want to create a
local only NON-AUTHORITATIVE A and associated PTR record for
image.commarts.com while the AUTHORITATIVE commarts.com DNS records are
hosted by our ISP.  I need to do this temporarily while we are developing
the website and want the record to be  available to my Active Directory
members without having to mess with local hosts files.

Thank you in advance,
  







Re: [Declude.JunkMail] OT: DNS Failover advice

2007-12-03 Thread Matt

Rob,

As far as DNS goes, the best way to do this is to use Simple DNS Plus 
with a server in a second location.  Simple DNS does full server 
replication instead of individual secondaries, and if you have a lot of 
domains, it is nice to just manage one installation.  If you have a 
smaller number of zones, it is easy to just set up secondaries with any 
software.  I don't generally recommend large DNS services because they 
have been attacked and brought down, and that would be a single point of 
failure even though the providers claim to be immune from such attacks.  
Look up the Blue Security for one such example.  This attack also 
brought down some of Tucow's systems for over 12 hours, including their 
E-mail hosting/filtering service.


My company just started with VMware's hosting provider program to 
provide legitimate hosting on VMware ESX (virtual servers).  VMware is 
an enterprise solution unlike most of the others on the market, and they 
have a lot of very nice features and add-ons for fail-over and 
replication.  If you have multiple servers that could be placed on a big 
VMware server, you could save a lot of money by going with this approach 
since the hardware costs are greatly reduced.  Administration is also 
simplified, and restoration or moving of the guest operating systems is 
a breeze.  VMware is the future.


As far as regional redundancy goes, you would be best off by moving way 
outside of Chicago.  You likely won't get much more in terms of 
redundancy by going to Milwaukee than you would by going to another colo 
in Chicago.  You want to be on a different power grid, and you want to 
be on a completely separate provider's network.  If something is big 
enough to affect all of Chicago, it is big enough to affect Milwaukee too.


If you are in need of some assistance, feel free to give me a call at 
(888) 862-9042 x3.  My company does do colocation and many other custom 
solutions for those that prefer choosing experience, knowledge and 
capabilities over branding and value.  In the very least, advice is 
always free, and it sounds like there are many avenues for you to explore.


Matt







Robert Grosshandler wrote:

Gents and the occasional lady:

You all are the smartest network folks I interact with.  If you'd be so kind
as to give me your opinion / suggestions on the following, I'd be forever
grateful.

We're trying to increase the level of uptime and redundancy for our service.
To that end, we're looking to establish a hot failover site in a location
remote from our current colocation facility.  We're in Chicago, we're
thinking a driveable city on a completely different grid (Milwaukee,
probably.)  If the entire Midwest gets nuked, nobody is going to be buying
much online.

We're looking at approaches to achieve that failover automatically.  Our
budget and technical expertise aren't large (we now can handle BGP
internally if we have to, but we don't have any of the necessary
infrastructure to do that, and would very much prefer not to invest in that
infrastructure.)  We rely on our colo facility to provide bandwidth,
routing, internal DNS, etc.  (they have great bandwidth, routing, seven
providers, etc.) but since there are humans involved, they could screw up,
too.  We rely on Ultradns for external DNS.

Once our users actually reach our firewall, we have great redundancy inside
our rack.

The most promising approach at this time seems to be to use somebody like
ultradns or dnsmadeeasy to provide dns failover.  That is, they're watching
our site, and if we go down, they switch out A records and point traffic to
the backup site.

If it matters, we run ms sql, mirroring and log shipping.  We'd have the
mirror db and the witness in the remote location.  


Thanks for whatever thoughts you can add to this challenge. DNS failover a
workable solution?  We'll be looking for a colo facility in Milwaukee or
Indianapolis with 4U available if somebody wants to point us there.

Yours,

Rob


=
www.iGive.com
[EMAIL PROTECTED]








Re: [Declude.JunkMail] OT: DNS Failover advice

2007-12-03 Thread Matt
Forgot to add the most important part regarding Simple DNS.  They have 
an add-on monitoring piece that will switch DNS records automatically, 
and this can be used to automatically switch over to the backup.


Matt



Matt wrote:


Rob,

As far as DNS goes, the best way to do this is to use Simple DNS Plus 
with a server in a second location.  Simple DNS does full server 
replication instead of individual secondaries, and if you have a lot 
of domains, it is nice to just manage one installation.  If you have a 
smaller number of zones, it is easy to just set up secondaries with 
any software.  I don't generally recommend large DNS services because 
they have been attacked and brought down, and that would be a single 
point of failure even though the providers claim to be immune from 
such attacks.  Look up the Blue Security for one such example.  This 
attack also brought down some of Tucow's systems for over 12 hours, 
including their E-mail hosting/filtering service.


My company just started with VMware's hosting provider program to 
provide legitimate hosting on VMware ESX (virtual servers).  VMware is 
an enterprise solution unlike most of the others on the market, and 
they have a lot of very nice features and add-ons for fail-over and 
replication.  If you have multiple servers that could be placed on a 
big VMware server, you could save a lot of money by going with this 
approach since the hardware costs are greatly reduced.  Administration 
is also simplified, and restoration or moving of the guest operating 
systems is a breeze.  VMware is the future.


As far as regional redundancy goes, you would be best off by moving 
way outside of Chicago.  You likely won't get much more in terms of 
redundancy by going to Milwaukee than you would by going to another 
colo in Chicago.  You want to be on a different power grid, and you 
want to be on a completely separate provider's network.  If something 
is big enough to affect all of Chicago, it is big enough to affect 
Milwaukee too.


If you are in need of some assistance, feel free to give me a call at 
(888) 862-9042 x3.  My company does do colocation and many other 
custom solutions for those that prefer choosing experience, knowledge 
and capabilities over branding and value.  In the very least, advice 
is always free, and it sounds like there are many avenues for you to 
explore.


Matt







Robert Grosshandler wrote:

Gents and the occasional lady:

You all are the smartest network folks I interact with.  If you'd be 
so kind
as to give me your opinion / suggestions on the following, I'd be 
forever

grateful.

We're trying to increase the level of uptime and redundancy for our 
service.
To that end, we're looking to establish a hot failover site in a 
location

remote from our current colocation facility.  We're in Chicago, we're
thinking a driveable city on a completely different grid (Milwaukee,
probably.)  If the entire Midwest gets nuked, nobody is going to be 
buying

much online.

We're looking at approaches to achieve that failover automatically.  Our
budget and technical expertise aren't large (we now can handle BGP
internally if we have to, but we don't have any of the necessary
infrastructure to do that, and would very much prefer not to invest 
in that

infrastructure.)  We rely on our colo facility to provide bandwidth,
routing, internal DNS, etc.  (they have great bandwidth, routing, seven
providers, etc.) but since there are humans involved, they could 
screw up,

too.  We rely on Ultradns for external DNS.

Once our users actually reach our firewall, we have great redundancy 
inside

our rack.

The most promising approach at this time seems to be to use somebody 
like
ultradns or dnsmadeeasy to provide dns failover.  That is, they're 
watching
our site, and if we go down, they switch out A records and point 
traffic to

the backup site.

If it matters, we run ms sql, mirroring and log shipping.  We'd have the
mirror db and the witness in the remote location. 
Thanks for whatever thoughts you can add to this challenge. DNS 
failover a

workable solution?  We'll be looking for a colo facility in Milwaukee or
Indianapolis with 4U available if somebody wants to point us there.

Yours,

Rob


=
www.iGive.com
[EMAIL PROTECTED]








Re: [Declude.JunkMail] Test or filtering option for authenticated messages

2007-10-27 Thread Matt
Check that you don't have PREWHITELIST ON turned on, or rather set it to 
OFF.  This will cause other tests to run whereas with it on, it will 
stop processing on many of the Global.cfg triggers for whitelisting.


If that doesn't work, then it is by design.

Matt



David Barker wrote:

Adolfo,

I have it on the to do list for engineering to see which version and if it
indeed works correctly.

David

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adolfo
Justiniano
Sent: Friday, October 26, 2007 3:28 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Test or filtering option for authenticated
messages

Any news about this David? I tried with the latest interim (4.3.64) with the
same result: any WHITELIST disables the CATCHALLMAILS test or any other test
and its defined action.

Best,


Adolfo Justiniano
Santa Cruz BBS
e-mail: [EMAIL PROTECTED]
http://www.scbbs.net 




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Monday, October 15, 2007 9:53 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Test or filtering option for authenticated
messages

I thought we had added this I will check with our engineers and get back to
you.

David

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adolfo
Justiniano
Sent: Saturday, October 13, 2007 1:04 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Test or filtering option for authenticated
messages

Hello David,

Bad news, as soon as I enable the WHITELIST AUTH the COPYTO action is
ignored.

Best,


Adolfo Justiniano
Santa Cruz BBS
e-mail: [EMAIL PROTECTED]
http://www.scbbs.net 




-Original Message-
From: Adolfo Justiniano [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 12, 2007 7:27 PM

To: 'declude.junkmail@declude.com'
Subject: RE: [Declude.JunkMail] Test or filtering option for authenticated
messages

Hmmm nice tip David, I'm going to try it and I'll let you know if it works.

I'm using actually version 4.3.46

Best,


Adolfo Justiniano
Santa Cruz BBS
e-mail: [EMAIL PROTECTED]
http://www.scbbs.net 




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Friday, October 12, 2007 4:04 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Test or filtering option for authenticated
messages

To archive certain addresses you would use per-domain/per-user setting where
the .junkmail file or .sender file action is

CATCHALLMAILS COPYTO [EMAIL PROTECTED]

I think if you are running the latest version of Declude the CATCHALLMAILS
is triggered regardless of the WHITELIST status.

David

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adolfo
Justiniano
Sent: Friday, October 12, 2007 3:46 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Test or filtering option for authenticated
messages

I think that it wouldn't work.

First because I just need to archive some addresses not all and second
because probably the WHITELIST AUTH if triggered will also ignore any action
like the COPYTO.

Am I wrong?


Adolfo Justiniano
Santa Cruz BBS
e-mail: [EMAIL PROTECTED]
http://www.scbbs.net 




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Friday, October 12, 2007 3:10 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Test or filtering option for authenticated
messages

Have you tried using 


CATCHALLMAILS   catchallmails   x   x   0   0

David

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adolfo
Justiniano
Sent: Friday, October 12, 2007 2:57 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Test or filtering option for authenticated
messages

Thank you David for the suggestion, but it doesn't work in my case.

I'll explain what I'm doing: instead of using IMail's copyall function for
archival, which BTW is very resource intensive, I use Declude's COPYTO
action using a filter that triggers only the accounts that I want to archive
their incoming and outgoing mail, so I can't use the WHITELIST AUTH because
if I do the COPYTO action is ignored. The BYPASSWHITELIST test will do the
same, ignoring the COPYTO action for those messages that are below the
weight or number of recipients and I need to archive all the messages of
those users that are in the filter.

As I'm not using the WHITELIST AUTH I need to counterbalance some weight for
those users that are authenticated, thus why I need a test or a filtering
option.

Thank you for considering adding it, I'm certain that it could be of some
use to others as well and a good weapon to be added to Declude's great
arsenal.

Best,


Adolfo Justiniano
Santa Cruz BBS
e-mail: [EMAIL PROTECTED]
http://www.scbbs.net 





-Original Message-
From: [EMAIL

Re: [Declude.JunkMail] SMTP_DELIV_FAILED

2007-10-08 Thread Matt

Kevin,

I haven't followed this thread much, but it seems fairly obvious what 
the problem is related to.


When your server is connecting to the recipient's server, it fails to 
establish a connection with that server.  This log line indicates the 
likely source of the problem:


   10:08 20:18 SMTP-(f30001890106) [x] using source IP for 
Rogersbenefit.com [192.168.0.4]


While you might be doing NAT on your network, it doesn't appear that 
this is the case here, and the failure is probably being caused by your 
server thinking that it needs to send E-mail for rogersbenefit.com from 
a private IP, and it is unable to make a connection since that IP isn't 
routable across the Internet, and you are either not NATing and IMail is 
misconfigured for this domain, or your NATing is not set up properly.


You need to check the configuration for this domain and make sure that 
it is bound to a public IP or if a virtual domain, that the server's 
primary domain is bound to a public IP address...or if you are NATing, 
you need to check this configuration in your router.  I suppose that 
IMail might be screwy, but you should start with those choices.


Note that your first log sample shows that you were properly resolving 
the recipient's MX records, and at least in my test from a second ago, 
their primary MX server is answering just fine.


Matt




Kevin Rogers wrote:


OK - I turned that off and restarted the SMTP and QManager services.  
I then tried to send an email to healthnet.com again (one of about 15 
domains that I've noticed this problem with) and it still did not go 
through.  (By the way, why is it displaying the AUTH three times like 
that?)


My SMTP settings are:
Default Mail Host: localhost
Domain Name Server address: 207.47.4.2 207.47.2.178 (these are 2 
provided by my connection provider - I am not attempting to use my 
local DNS yet)

Enable TLS is checked (nothing else is on the main screen)

Security Tab:
No mail relay
Allow remote mail to local groups  Allow remote view of local groups 
 Auto-deny possible hack attempts are all checked - nothing else


Advanced Tab:
Delivery App: d:\imail\Declude.exe
Enable SMTP TO Listen On All IPs is checked.  the rest is pretty 
standard.


QManager settings:
DNS Cache is now disabled.
I have enabled Failed Domain Skipping (Max entries 500 - skip time 30)

Log snippet

10:08 20:18 SMTPD(f30001890106) [192.168.0.4] connect 64.121.33.15 
port 6609

10:08 20:18 SMTPD(f30001890106) [64.121.33.15] EHLO [192.168.1.110]
10:08 20:18 SMTPD(f30001890106) [64.121.33.15] AUTH
10:08 20:18 SMTPD(f30001890106) [64.121.33.15] AUTH
10:08 20:18 SMTPD(f30001890106) [64.121.33.15] AUTH
10:08 20:18 SMTPD(f30001890106) Authenticated 
[EMAIL PROTECTED], session treated as local.
10:08 20:18 SMTPD(f30001890106) [64.121.33.15] MAIL 
FROM:[EMAIL PROTECTED]
10:08 20:18 SMTPD(f30001890106) [64.121.33.15] RCPT 
TO:[EMAIL PROTECTED]

10:08 20:18 SMTPD(f30001890106) [x] looking up healthnet.com in HOSTS
10:08 20:18 SMTPD(f30001890106) [64.121.33.15] DATA
10:08 20:18 SMTPD(f30001890106) [64.121.33.15] 
d:\imail\spool\Df30001890106.SMD 759
10:08 20:18 SMTP-(f30001890106) processing 
d:\imail\spool\qf30001890106.smd
10:08 20:18 SMTP-(f30001890106) [x] looking up healthnet.com in 
HOSTS and MX
10:08 20:18 SMTP-(f30001890106) [Att-Blk] Got Attachment Blocking 
Host Info for Rogersbenefit.com

10:08 20:18 SMTP-(f30001890106) Trying healthnet.com (0)
10:08 20:18 SMTP-(f30001890106) [x] Connecting socket to service 
SMTP on host healthnet.com using protocol tcp
10:08 20:18 SMTP-(f30001890106) [x] using source IP for 
Rogersbenefit.com [192.168.0.4]
10:08 20:18 SMTP-(f30001890106) Connect healthnet.com 
[204.107.47.187:25] (1)
10:08 20:18 SMTP-(f30001890106) 421 Service not available, closing 
transmission channel

10:08 20:18 SMTP-(f30001890106) SMTP_DELIV_FAILED
10:08 20:18 SMTP-(f30001890106) QUIT
10:08 20:18 SMTP-(f30001890106)
10:08 20:18 SMTP-(f30001890106) [u] closing socket (u)
10:08 20:18 SMTP-(f30001890106) requeuing 
d:\imail\spool\qf30001890106.smd R0 T1
10:08 20:18 SMTP-(f30001890106) finished 
d:\imail\spool\qf30001890106.smd status=3


Thanks for your help.



John T (lists) wrote:
Are you using DNS caching, turn that off. It is on the QueueManger 
service

properties.

John T
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
Kevin


Rogers
 

Sent: Monday, October 08, 2007 4:37 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] SMTP_DELIV_FAILED

I can ping yahoo.com.  These errors are happening all the time.  They
are occurring only with specific recipient domains - not all domains.
Incoming traffic appears normal even from these domains.


Richard Lyon wrote:
   

As a test, try ping something on the Internet when you see this
delivery message. Like Yahoo.com.


On Oct 8, 2007, at 6:52 PM
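The check Matt describes in the SMTP_DELIV_FAILED thread above (a delivery that fails while IMail binds the outbound connection to a private source IP), as an added example that is not part of the original posts. It assumes the log line shapes quoted in the thread with the archive's line wrapping rejoined; the second session and all function names are constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass

# RFC 1918 ranges are checked explicitly so that the documentation address
# used in the constructed session below is treated as a public address.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Outbound delivery lines carry "SMTP-(<spool id>)"; inbound "SMTPD(" lines are skipped.
LINE = re.compile(r"^\d\d:\d\d \d\d:\d\d SMTP-\((\w+)\) (.*)$")
SOURCE = re.compile(r"using source IP for (\S+) \[([0-9.]+)\]")
CONNECT = re.compile(r"^Connect (\S+) \[([0-9.]+):(\d+)\]")
REPLY = re.compile(r"^[45]\d\d ")

# First session: lines quoted in the thread, unwrapped.
# Second session (f30001890107, example.net/example.org, 203.0.113.10,
# 198.51.100.25): constructed, reusing the same line shapes.
SAMPLE_LOG = """\
10:08 20:18 SMTPD(f30001890106) [64.121.33.15] DATA
10:08 20:18 SMTP-(f30001890106) [x] looking up healthnet.com in HOSTS and MX
10:08 20:18 SMTP-(f30001890106) Trying healthnet.com (0)
10:08 20:18 SMTP-(f30001890106) [x] using source IP for Rogersbenefit.com [192.168.0.4]
10:08 20:18 SMTP-(f30001890106) Connect healthnet.com [204.107.47.187:25] (1)
10:08 20:18 SMTP-(f30001890106) 421 Service not available, closing transmission channel
10:08 20:18 SMTP-(f30001890106) SMTP_DELIV_FAILED
10:08 20:18 SMTP-(f30001890106) QUIT
10:08 20:19 SMTP-(f30001890107) Trying example.net (0)
10:08 20:19 SMTP-(f30001890107) [x] using source IP for example.org [203.0.113.10]
10:08 20:19 SMTP-(f30001890107) Connect example.net [198.51.100.25:25] (1)
10:08 20:19 SMTP-(f30001890107) 421 Service not available, closing transmission channel
10:08 20:19 SMTP-(f30001890107) SMTP_DELIV_FAILED
"""


@dataclass
class Session:
    session: str            # spool id from the log line
    source_domain: str = "" # local domain whose IP binding was used
    source_ip: str = ""     # address the outbound socket was bound to
    remote: str = ""        # host the server connected to
    remote_ip: str = ""
    reply: str = ""         # last 4xx/5xx reply logged for the session
    failed: bool = False    # SMTP_DELIV_FAILED was logged


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_sessions(log_text):
    """Group outbound delivery lines by spool id and extract the key fields."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        sid, msg = m.groups()
        s = sessions.setdefault(sid, Session(sid))
        if (src := SOURCE.search(msg)):
            s.source_domain, s.source_ip = src.groups()
        elif (con := CONNECT.match(msg)):
            s.remote, s.remote_ip = con.group(1), con.group(2)
        elif REPLY.match(msg):
            s.reply = msg
        elif msg == "SMTP_DELIV_FAILED":
            s.failed = True
    return sessions


def private_source_failures(log_text):
    """Failed deliveries whose outbound socket was bound to an RFC 1918 address."""
    return [s for s in parse_sessions(log_text).values()
            if s.failed and s.source_ip and is_rfc1918(s.source_ip)]


if __name__ == "__main__":
    for s in private_source_failures(SAMPLE_LOG):
        print(f"{s.session}: {s.source_domain} bound to {s.source_ip}, "
              f"delivery to {s.remote} [{s.remote_ip}] failed ({s.reply}); "
              "check the domain's IP binding or the NAT configuration")
```

A private source address is only a lead: behind a working NAT the same binding delivers normally, which is why the function reports it only together with a failed delivery.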

Re: [Declude.JunkMail] HELP, Declude stoped functioning

2007-09-29 Thread Matt

Darrell,

The Web server at fluidhosting.com that dlanalyzer.com is hosted on is 
listed in CBL currently and has been before.


   http://cbl.abuseat.org/lookup.cgi?ip=204.14.91.21

Matt



Darrell ([EMAIL PROTECTED]) wrote:


You will need to contact Declude at this point.  There is nothing we 
can do to help you out since the key is showing as expired thus it 
will not process messages.


Darrell
--
Check out http://www.invariantsystems.com for utilities for Declude, 
Imail, mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, 
SURBL/URI integration, MRTG Integration, and Log Parsers.



Randy Armbrecht wrote:

Darrell,

thanks for the quick response...

process is running; but only at 3 threads and 0% CPU.

do have a diags.txt file; looking into that it shows at bottom:
[81CDE419-BDA4-44DB-9090-89C4A7492A98] IS EXPIRED KEY

but we just renewed this yesterday..


---

Randy A.
Technical Support Director
Global Web Solutions, Inc.
804-442-5300
globalweb.net


- Original Message - From: Darrell 
([EMAIL PROTECTED]) [EMAIL PROTECTED]

To: declude.junkmail@declude.com
Sent: Saturday, September 29, 2007 10:10 AM
Subject: Re: [Declude.JunkMail] HELP, Declude stoped functioning



Randy,

Is the decludeproc service started?

Also, in the declude folder do you have a diags text file?

Darrell
--
Check out http://www.invariantsystems.com for utilities for Declude, 
Imail, mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, 
SURBL/URI integration, MRTG Integration, and Log Parsers.



Randy Armbrecht wrote:
apologize for false alarm; after re-install of earlier version 
(4.3.46) I saw messages going into proc folder, so assumption was 
made it was working; but apparently my mistake for assuming.  No 
declude logs being generated so it still appears to be not functioning




---

Randy A.
Technical Support Director
Global Web Solutions, Inc.
804-442-5300
globalweb.net


- Original Message - From: Randy Armbrecht 
[EMAIL PROTECTED]

To: declude.junkmail@declude.com
Sent: Saturday, September 29, 2007 9:24 AM
Subject: Re: [Declude.JunkMail] HELP, Declude stoped functioning


We have experienced the same issue - as of 1.30pm friday our 
declude just stopped working; all attempts to restart it are not 
working - we've rebooted, re-installed, etc.


We did just renew our SA with declude at 12.30pm yesterday; I'm 
wondering if that has anything to do with it.


Declude - please contact me! I've emailed urgent at declude and 
left a voice mail on your support line


Randy A.
Global Web Solutions Inc
804-442-56300


- Original Message - From: Serge [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, September 26, 2007 3:02 PM
Subject: [Declude.JunkMail] HELP, Declude stoped functioning



Dear Support,

Today my declude stopped functioning
Nothing being written to the logs since 14:00 local time (GMT)
Imail smtp delivery  still pointing to declude.exe Rebooting did 
not help


what is going on ?
Please help, very urgent

Serge Dergham
Cefib Internet
Av de la Nation
B.P. E1172
Bamako, Mali




---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


Re: [Declude.JunkMail] Spam Increase?

2007-08-03 Thread Matt




Darin,

The CPU increase was due to the high volume of ZIP and XLS viruses,
something that has been pretty rare until recently. The Storm botnet
started sending these out on Saturday in numbers that average about one
attached virus per day per user on our system (which was a change from
sending out the fake greeting cards which did not attach the viruses).
That's a lot of virus scanning going on, and it is also more bandwidth
than before. There's nothing worse for CPU on the average Declude
system than to do virus scanning, especially with multiple scanners.
The good news is that the virus traffic should drop back down soon, but
the bad news is that the Storm botnet is generating now about 4 times
the number of messages (spam and viruses) as it did just one month ago
on my system, and it accounts for about 40% of all spam and virus
traffic that survives greylisting, and the overall percentage increase
in traffic that you are seeing is exclusively coming from the Storm
botnet.

If you aren't doing this already, you might try running Declude Virus
after Declude JunkMail, that way if you run DELETE or HOLD on a
message, it will avoid having Declude Virus run on it, and that can
save significantly on CPU during times like this. Any other action
will still result in virus scanning, so don't worry about things being
skipped if you do COPYTO, ROUTETO, SUBJECT or WARN. This might well be
old news to you, but it's worth mentioning.

Despite the change in volume and in using attachments, I have not seen
a large uptick in CPU on my system because I use the above method, and
on a weekly basis, 99.4% of the Storm botnet messages are reaching our
DELETE weight and not needing to be virus scanned. I attribute the
relative 10% increase over last week to the change in volume. The
following chart shows the effect on an 8 core server:




Matt




Darin Cox wrote:

  We've seen about a 15% increase a few days ago, and it has stayed there. 
Bandwidth increase was significantly more than that, though.  Took our 
primary mail server from 20-40% cpu to 50-80%.  We just upgraded last night 
to deal with it.

Darin.


- Original Message - 
From: "Pete McNeil" [EMAIL PROTECTED]
To: "John T (lists)" declude.junkmail@declude.com
Sent: Friday, August 03, 2007 8:54 PM
Subject: Re[2]: [Declude.JunkMail] Spam Increase?


Spam has significantly increased in the past 7 days due to new bot
nets (from old friends) and a number of new tactics for generating pdf
and related spam and their mutations.

I've attached a new-spam/leakage analysis from our primary spamtraps-
you can see that new traffic quite literally more than doubled (like a
vertical wall) 7 days ago.

Hope this helps,

_M

On Friday, August 3, 2007, 6:19:30 PM, John wrote:

JTl I actually saw it ramping up since last weekend and every day there have
JTl been a change or 2 in the spam to keep it from being caught.

JTl John T
  
  

  -Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Todd Richards
Sent: Friday, August 03, 2007 2:35 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Spam Increase?

Anyone else noticing an increase in spam today?  It seems like stuff that
was normally being caught before is showing up in my Inbox.

Todd




Re: [Declude.JunkMail] Excel files in zip files spreading

2007-07-28 Thread Matt

John,

It's just another one of the viruses from the Storm botnet.  Same guys 
as the ones sending fake greeting card viruses and PDF stock spam among 
other things.


Matt



John T (lists) wrote:


I am not sure what is the purpose yet, but I am catching a lot of 
emails this morning with a blank subject, Thunderbird in the header, 
attached zip file and the zip file contains a single xls file.


 


THESE ARE NOT LEGIT EMAILS.

 


Anybody else seeing this and know what they are, virus or spam?

 


*John T*

 




Re: [Declude.JunkMail] Country code

2007-07-05 Thread Matt
I believe that AFRINIC is a newer RR, an off-shoot of RIPE.  Maybe the 
original data format that Declude uses didn't expect this, or maybe they 
are applying *F simply for anything from AFRINIC.


Matt



Gary Steiner wrote:

According to the whois at www.arin.net, 41.0.0.0/8 belongs to AFRINIC, and if 
you go to www.afrinic.net and use the whois there, the numbers break down like 
this:

41.223.109.25   KE   (Kenya)
41.207.19.204   CI   (Cote d'Ivoire)
41.207.9.101    CI   (Cote d'Ivoire)
41.207.2.163    CI   (Cote d'Ivoire)
41.207.1.44     CI   (Cote d'Ivoire)
41.221.17.90    DZ   (Algeria)
etc.

So maybe this is just an error in the all_list.dat file.



 Original Message 
  

From: Scott Fisher [EMAIL PROTECTED]
Sent: Thursday, July 05, 2007 11:11 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Country code

Date       Time        Test            FromDomain          IP             CountryCode

6/18/2007  6:38:50 AM  COUNTRY-UNUSED  goodvibesvideo.com  41.223.109.25  *F
6/18/2007  4:00:28 AM  COUNTRY-UNUSED  reefreef.com        41.223.109.25  *F
6/27/2007  6:52:38 AM  COUNTRY-UNUSED  yunishop.com        41.207.19.204  *F
6/15/2007  5:29:54 AM  COUNTRY-UNUSED  farmprogress.com    41.207.9.101   *F
6/23/2007  1:07:05 AM  COUNTRY-UNUSED  yahoo.fr            41.207.2.163   *F
6/23/2007  1:07:03 AM  COUNTRY-UNUSED  yahoo.fr            41.207.2.163   *F
6/23/2007  1:07:05 AM  COUNTRY-UNUSED  yahoo.fr            41.207.2.163   *F
6/23/2007  1:07:02 AM  COUNTRY-UNUSED  yahoo.fr            41.207.2.163   *F
6/23/2007  1:07:02 AM  COUNTRY-UNUSED  yahoo.fr            41.207.2.163   *F
6/23/2007  1:07:06 AM  COUNTRY-UNUSED  yahoo.fr            41.207.2.163   *F
6/23/2007  1:07:00 AM  COUNTRY-UNUSED  yahoo.fr            41.207.2.163   *F
6/23/2007  1:07:01 AM  COUNTRY-UNUSED  yahoo.fr            41.207.2.163   *F
6/23/2007  1:07:08 AM  COUNTRY-UNUSED  yahoo.fr            41.207.2.163   *F
6/23/2007  1:06:54 AM  COUNTRY-UNUSED  yahoo.fr            41.207.2.163   *F
6/23/2007  1:07:22 AM  COUNTRY-UNUSED  yahoo.fr            41.207.2.163   *F
6/23/2007  1:06:53 AM  COUNTRY-UNUSED  yahoo.fr            41.207.2.163   *F
6/23/2007  1:06:54 AM  COUNTRY-UNUSED  yahoo.fr            41.207.2.163   *F
6/23/2007  1:06:54 AM  COUNTRY-UNUSED  yahoo.fr            41.207.2.163   *F
6/23/2007  1:06:45 AM  COUNTRY-UNUSED  yahoo.fr            41.207.2.163   *F
6/23/2007  1:06:53 AM  COUNTRY-UNUSED  yahoo.fr            41.207.2.163   *F
6/23/2007  1:07:00 AM  COUNTRY-UNUSED  yahoo.fr            41.207.2.163   *F
6/23/2007  1:07:08 AM  COUNTRY-UNUSED  yahoo.fr            41.207.2.163   *F
6/23/2007  1:07:02 AM  COUNTRY-UNUSED  yahoo.fr            41.207.2.163   *F
6/23/2007  1:06:54 AM  COUNTRY-UNUSED  yahoo.fr            41.207.2.163   *F
6/23/2007  1:07:13 AM  COUNTRY-UNUSED  yahoo.fr            41.207.2.163   *F
6/23/2007  1:07:25 AM  COUNTRY-UNUSED  yahoo.fr            41.207.2.163   *F
6/23/2007  1:07:22 AM  COUNTRY-UNUSED  yahoo.fr            41.207.2.163   *F
6/23/2007  1:07:22 AM  COUNTRY-UNUSED  yahoo.fr            41.207.2.163   *F
6/23/2007  1:07:08 AM  COUNTRY-UNUSED  yahoo.fr            41.207.2.163   *F
6/23/2007  1:07:08 AM  COUNTRY-UNUSED  yahoo.fr            41.207.2.163   *F
6/23/2007  1:07:05 AM  COUNTRY-UNUSED  yahoo.fr            41.207.2.163   *F
6/23/2007  1:07:21 AM  COUNTRY-UNUSED  yahoo.fr            41.207.2.163   *F
6/23/2007  1:07:23 AM  COUNTRY-UNUSED  yahoo.fr            41.207.2.163   *F
6/24/2007  1:52:32 PM  COUNTRY-UNUSED  farmprogress.com    41.207.1.44    *F
6/18/2007  4:35:46 PM  COUNTRY-UNUSED  yahoo.fr            41.207.2.162   *F
6/10/2007  2:28:58 PM  COUNTRY-UNUSED  nospammail.net      41.221.17.90   *F
6/2/2007   3:31:37 AM  COUNTRY-UNUSED  yahoo.fr            41.207.4.221   *F
6/2/2007   2:56:14 AM  COUNTRY-UNUSED  yahoo.fr            41.207.4.221   *F
6/2/2007   2:56:13 AM  COUNTRY-UNUSED  yahoo.fr            41.207.4.221   *F
6/2/2007   2:56:14 AM  COUNTRY-UNUSED  yahoo.fr            41.207.4.221   *F
6/2/2007   2:56:14 AM  COUNTRY-UNUSED  yahoo.fr            41.207.4.221   *F
6/2/2007   2:56:14 AM  COUNTRY-UNUSED  yahoo.fr            41.207.4.221   *F
6/2/2007   2:56:31 AM  COUNTRY-UNUSED  yahoo.fr            41.207.4.221   *F
6/2/2007   3:02:02 AM  COUNTRY-UNUSED  yahoo.fr            41.207.4.221   *F
6/2/2007   3:02:07 AM  COUNTRY-UNUSED  yahoo.fr            41.207.4.221   *F
6/2/2007   2:56:14 AM  COUNTRY-UNUSED  yahoo.fr            41.207.4.221   *F

6/2/2007

Re: [Declude.JunkMail] phone regex/pcre help

2007-07-03 Thread Matt

Scott,

The following should do the same.  Note that I do not know if Declude 
requires the whole match to be placed in parenthesis.


   2[0Oo]6[\s\r\n\-\.]*888[\s\r\n\-\.]*2[0Oo]83

Matt



Scott Fisher wrote:


I'm looking to replace these lines with a pcre but it doesn't seem to 
be working. Any suggestions?


 


BODY 175 CONTAINS 206 888-2083

BODY 175 CONTAINS 206.8882083

BODY 175 CONTAINS 2068882083

BODY 175 CONTAINS 206-8882083

BODY 175 CONTAINS 206 8882083

 

BODY   175   PCRE   
(?i:[\(\{]?2[0o]6[\)\}]?{\-\_\.\s}?888{\-\_\.\s}?2[0o]83)


 


Scott Fisher

Dir of IT

Farm Progress Companies

191 S Gary Ave

Carol Stream, IL 60188

Tel: 630-462-2323

 

/This email message, including any attachments, is for the sole use of 
the intended recipient(s) and may contain confidential and privileged 
information. Any unauthorized review, use, disclosure or distribution 
is prohibited. If you are not the intended recipient, please contact 
the sender by reply email and destroy all copies of the original 
message. Although Farm Progress Companies has taken reasonable 
precautions to ensure no viruses are present in this email, the 
company cannot accept responsibility for any loss or damage arising 
from the use of this email or attachments./


 




Re: [Declude.JunkMail] phone regex/pcre help

2007-07-03 Thread Matt

Dave,

{0,1} = ?
{0,} = *
{1,} = +

Also note that beginning a sub-match with a (? improves PCRE's 
performance because it tells it not to track the sub-matches, and the 
engine likely has a hard limit in order to prevent an expression from 
causing itself to become overly complicated with sub-matches that don't 
need to be tracked (which can result in missing matches).  So never 
start a sub-match with just a parenthesis, always use a (?, or other 
more specific argument (or whatever they call it).


A good thing to remember when dealing with regex and E-mail is that 
there can be both code breaks, <CODE>888</CODE>, line breaks, and also 
quoted printable encoding.  For instance, between every two characters 
that display immediately together and that you are attempting to match 
without normalizing, you would need to test for:


   (?=\r\n|(?[^]+)+)

It gets a lot worse when you start trying to apply spaces because of all 
the ways that this can appear.  If Declude wants to get serious about 
applying regular expressions to the bodies of E-mail, you would need to 
normalize the data otherwise you would end up with too many 
permutations.  When I do this programmatically, I produce a range of 
variables, for instance one that is the full original source, one that 
strips out all line breaks, removes quoted-printable encoding, removes 
HTML, and combinations thereof.  If you are going to try to use regular 
expressions for finding phrases, it is the only way to do this without 
leaving a huge gaping hole that even standard E-mail clients will 
produce source that would be missed.  If you are going after E-mail 
format and not the content, then what you have is perfect.


Matt




David Barker wrote:
This would match on all you have provided, the . meaning any character 
including a space {0,1} means min of 0 max of 1


(206.{0,1}888.{0,1}2083)

If you wanted to detect O as well as the 0 [o0] also you could use 
the ?i: meaning case insensitive:


(?i:2[o0]6.{0,1}888.{0,1}2[o0]83)

David B


*From*: Matt [EMAIL PROTECTED]
*Sent*: Tuesday, July 03, 2007 4:08 PM
*To*: declude.junkmail@declude.com
*Subject*: Re: [Declude.JunkMail] phone regex/pcre help

Scott,

The following should do the same.  Note that I do not know if Declude 
requires the whole match to be placed in parenthesis.


2[0Oo]6[\s\r\n\-\.]*888[\s\r\n\-\.]*2[0Oo]83

Matt



Scott Fisher wrote:


I'm looking to replace these lines with a pcre but it doesn't seem to 
be working. Any suggestions?


 


BODY 175 CONTAINS 206 888-2083

BODY 175 CONTAINS 206.8882083

BODY 175 CONTAINS 2068882083

BODY 175 CONTAINS 206-8882083

BODY 175 CONTAINS 206 8882083

 

BODY   175   PCRE   
(?i:[\(\{]?2[0o]6[\)\}]?{\-\_\.\s}?888{\-\_\.\s}?2[0o]83)


 


Scott Fisher

Dir of IT

Farm Progress Companies

191 S Gary Ave

Carol Stream, IL 60188

Tel: 630-462-2323

 

/This email message, including any attachments, is for the sole use 
of the intended recipient(s) and may contain confidential and 
privileged information. Any unauthorized review, use, disclosure or 
distribution is prohibited. If you are not the intended recipient, 
please contact the sender by reply email and destroy all copies of 
the original message. Although Farm Progress Companies has taken 
reasonable precautions to ensure no viruses are present in this 
email, the company cannot accept responsibility for any loss or 
damage arising from the use of this email or attachments./
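
The normalization described in the post above, as an added example that is not part of the thread: it builds raw, quoted-printable-decoded and HTML-stripped views of a body and reports the first view in which the phone pattern posted in this thread matches. The function names, the transfer-encoding parameter and the sample bodies are constructed for illustration, entity decoding is an addition beyond what the post lists, and Python's `re` stands in for Declude's PCRE engine.

```python
import html
import quopri
import re

# Pattern posted in this thread, wrapped in a non-capturing group.
PHONE = re.compile(r"(?:2[0Oo]6[\s\r\n\-\.]*888[\s\r\n\-\.]*2[0Oo]83)")
TAG = re.compile(r"<[^>]+>")


def decode_qp(text):
    """Undo quoted-printable: drop '=CRLF' soft breaks, decode '=XX' escapes."""
    return quopri.decodestring(text.encode("latin-1")).decode("latin-1")


def strip_html(text):
    """Remove tags, then resolve character entities such as '&#45;'."""
    return html.unescape(TAG.sub("", text))


def build_views(body, transfer_encoding="7bit"):
    """Return progressively normalized copies of one message body.

    Quoted-printable decoding is applied only when the part declares it,
    because '=XX' sequences in other content must be left alone.
    """
    qp = decode_qp(body) if transfer_encoding.lower() == "quoted-printable" else body
    return {
        "raw": body,             # full original source
        "qp": qp,                # quoted-printable removed
        "qp+html": strip_html(qp),  # quoted-printable and HTML removed
    }


def first_matching_view(body, transfer_encoding="7bit", pattern=PHONE):
    """Name of the least-normalized view the pattern hits, or None."""
    for name, text in build_views(body, transfer_encoding).items():
        if pattern.search(text):
            return name
    return None


# Constructed sample bodies: (label, body, Content-Transfer-Encoding).
SAMPLES = [
    ("plain text", "Call 206 888-2083 today", "7bit"),
    ("soft line break", "Call now: 206-88=\r\n8-2083 for details", "quoted-printable"),
    ("escaped hyphens", "Order line 206=2D888=2D2083", "quoted-printable"),
    ("tags between digits", "206 <CODE>888</CODE> 2083", "7bit"),
    ("entities", "206&#45;888&#45;2083", "7bit"),
    ("qp and tags", "2=\r\n06 <CODE>888</CODE>=2D2083", "quoted-printable"),
    ("unrelated", "Invoice 2068 attached, ref 888", "7bit"),
]

if __name__ == "__main__":
    for label, body, cte in SAMPLES:
        print(f"{label:20} -> {first_matching_view(body, cte)}")
```

Only the first sample is caught on the raw source; every other match depends on one of the normalized views.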


 




Re: [Declude.JunkMail] Re: PDF spam detection

2007-06-28 Thread Matt
Here's a piece of RegEx code that should work for blank bodies with a 
PDF and this particular spammer so long as he is forging Thunderbird:


-+[0-9]+\r\n(?:[a-zA-Z\-]+: 
[^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+: 
[^\r]+\r\n)*Content-Type: application/pdf;


Note that I have not tested this, but the code is in fact fairly simple 
and it should work.


Matt




Darin Cox wrote:

So far all that I've seen have a blank body with the pdf attachment.
 
Anyone have any ideas as to how to test for a blank body, or one with 
only whitespace characters?  The new PCRE function can do it, but 
we're still on 2.0.6 at the moment, waiting until IMail 2006.21 comes 
out and passes testing.
 
I'm thinking a blank body test with PDF attachment detection should 
result in very few FPs.  Still possible, but hopefully enough to hold 
on until a better detection method can be found.


Darin.
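
A check of the regex posted above against constructed MIME source, as an added example that is not part of the thread. The boundary string, the message builder and the whitespace-tolerant variant are assumptions made here, and Python's `re` stands in for the PCRE engine; the first pattern is the posted one joined back onto a single line.

```python
import re

# Regex from the post above, joined back onto one line.
BLANK_BODY_PDF = re.compile(
    r"-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)+(?:\r\n){1,}"
    r"-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)*Content-Type: application/pdf;"
)

# Variant added here (not from the thread): also accept body lines that
# contain only spaces or tabs, which the posted pattern does not cover.
BLANK_OR_WHITESPACE_PDF = re.compile(
    r"-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)+(?:[ \t]*\r\n)+"
    r"-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)*Content-Type: application/pdf;"
)

# Constructed boundary in the all-digits style the pattern expects.
BOUNDARY = "------------010203040506070809010203"


def mime_source(body_text, attachment_type="application/pdf"):
    """Build a constructed two-part message body: text part plus attachment."""
    lines = [
        "This is a multi-part message in MIME format.",
        "--" + BOUNDARY,
        "Content-Type: text/plain; charset=ISO-8859-1; format=flowed",
        "Content-Transfer-Encoding: 7bit",
        "",
        body_text,
        "--" + BOUNDARY,
        "Content-Type: " + attachment_type + ";",
        ' name="report.pdf"',
        "Content-Transfer-Encoding: base64",
        "",
        "JVBERi0xLjQK",  # constructed placeholder payload
        "--" + BOUNDARY + "--",
        "",
    ]
    return "\r\n".join(lines)


def is_blank_body_pdf(source, pattern=BLANK_BODY_PDF):
    """True when the text part is empty and the next part is a PDF."""
    return pattern.search(source) is not None


if __name__ == "__main__":
    cases = [
        ("empty body + pdf", mime_source("")),
        ("blank lines + pdf", mime_source("\r\n")),
        ("spaces only + pdf", mime_source("   ")),
        ("text body + pdf", mime_source("See attached.")),
        ("empty body + gif", mime_source("", "image/gif")),
    ]
    for label, source in cases:
        print(f"{label:20} posted={is_blank_body_pdf(source)} "
              f"variant={is_blank_body_pdf(source, BLANK_OR_WHITESPACE_PDF)}")
```

The posted pattern matches empty and blank-line bodies but not a body of spaces only, which is the whitespace case raised in the question; the variant covers it.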
 




Re: [Declude.JunkMail] Winsock Cleanup

2007-05-30 Thread Matt

Andy,

I found that this causes big spikes and valleys because Declude will 
batch process E-mails.  i.e. it moves in x number of message pairs to 
work and doesn't keep moving in newer files while it waits for that 
batch to finish processing fully, and your CPU goes to zero, then it 
resets the Winsock and moves another batch into Work and the CPU spikes 
back up to 100% (if you have a moderate amount of volume).


I would only use this if you are having an issue.  I too turned it on 
just to be safe, but it has some bad effects.  I am not aware of any 
Winsock issues since upgrading to 4.x.


Matt



Andy Schmidt wrote:


Thanks Dave.

 


So:

 

a)   Does the scenario that I described (which was not specific to 
IMAIL or Declude but also affected other TCP/IP applications on that 
machine) still fit the bill?


b)   What if I were to turn on WinSockCleanUp just to be safe? 
What risk do I take? What is the negative impact? What will resetting 
the winsock cause with respect to other TCP/IP applications? 
Performance impact? Stability impact? (After all, if there IS no 
impact, why would it not be ON by default)?


c)   Imail Bug: Has Ipswitch acknowledged that bug, e.g., they are 
fixing it? Or is that something that we still need to take up with 
them? That option is quite old and IMail has seen several new versions 
since then... So I wonder!


 

*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of 
*David Barker

*Sent:* Wednesday, May 30, 2007 10:11 AM
*To:* declude.junkmail@declude.com
*Subject:* RE: [Declude.JunkMail] Winsock Cleanup
*Sensitivity:* Personal

 

Some installs of IMail had an issue where their winsock would cause 
problems for network functionality, this was a bug in Imail, it seemed 
by stopping smtp32 service of Imail resolved the issue. Declude uses 
the  winsockcleanup to reset the winsock to deal with this. 
winsockcleanup kicks in when the \proc directory is empty or reaches 0 
files Decludeproc will reset the winsock.


 


David Barker
Director of Product Management
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]

 

 

*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of 
*Andy Schmidt

*Sent:* Wednesday, May 30, 2007 9:34 AM
*To:* declude.junkmail@declude.com
*Subject:* RE: [Declude.JunkMail] Winsock Cleanup
*Sensitivity:* Personal

 


Hi,

 

Does anyone have any comment on the attached email (possibly even 
Declude personnel)?  I checked the mailing list archive -- and it 
seems to imply as if the WinsockCleanup is specific to DNS problems 
and results in queues filling up. In my example, Imail and Declude 
didn't seem to be filling up queues. They couldn't because TCP/IP would 
not let any inbound connections go through...


 

*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of 
*Andy Schmidt

*Sent:* Friday, May 25, 2007 4:03 PM
*To:* declude.junkmail@declude.com
*Subject:* [Declude.JunkMail] Winsock Cleanup
*Sensitivity:* Personal

 


Hi,

 


What are the symptoms related to Winsock Cleanup?

 

After running fine for 2 months or so (except for occasional reboots 
for Hotfixes), the mail server stopped working on the TCP/IP level. It 
didn't respond to Ping from the outside. You could log into the 
console and Ping to itself.


 

There was also some notice about a Browser Election during the outage 
-- so it seems as if there was still communication on the Ethernet 
layer (such as LAN segment broadcasts). A reboot resolved the issue.


 


Does this sound like the situation that this option is intended to fix:

 

*#WINSOCKCLEANUP some customers had issues related to their network 
stack causing loss of functionality for basic *


*#network operations.The default for this directive is OFF*

* *

*#WINSOCKCLEANUP  OFF*

 

Is it consistent with this problem, that the server might have worked 
fine for a few months and had been rebooted just a few days prior -- 
and to suddenly display this behavior?


 


What's the impact if that is set to ON unnecessarily?

 


Best Regards,

Andy



Re: [Declude.JunkMail] More accidental whitelisting

2007-05-28 Thread Matt

Ben,

This was covered early in the thread.  You have AUTOWHITELIST ON in 
your global.cfg, and that causes Declude to whitelist whatever is in the 
recipient's address book (aliases.txt in all IMail versions prior to 
2006).  You have your own E-mail address listed in your address book, 
and a spammer forged your address as the Mail From.  This is commonly 
seen by those that use AUTOWHITELIST.


There is no way to stop this unless you remove your address from your 
address book, and this is also likely happening to your other users 
where they have themselves listed in their address book, as well as 
others on your hosted domains in the event that there are multiple 
recipient forging spam.


There is a limited workaround for some of this using a test called 
BYPASSWHITELIST.  You can search the archives or manual about this.


The best solution if you want to keep the ability to whitelist from the 
address book would be for Declude to make a change to automatically 
exclude any recipient of the E-mail from triggering AUTOWHITELIST.  This 
has been requested repeatedly for over 3 years and even came up again in 
this thread.  The fact that people were quick to point out that this was 
likely the reason for your issue is testament to the fact that it 
affects a lot of people that use this functionality.


Matt



Imail Admin wrote:

Hi All,
 
Last week I was struggling with this mysterious accidental 
whitelisting.  Emails addressed to me were whitelisted, even though I 
had (to the best of my knowledge) no whitelisting turned on for my own 
address.  After setting the JM logging to high, I came up with the 
following lines:
 
05/28/2007 17:39:47.568 q764101a664c1.smd Past whitelisting
05/28/2007 17:39:47.568 q764101a664c1.smd Looping #0 [flags=1]
05/28/2007 17:39:47.568 q764101a664c1.smd [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] [EMAIL PROTECTED]@mail2.bcwebhost.net] *local*
05/28/2007 17:39:47.568 q764101a664c1.smd Opening HKEY_LOCAL_MACHINE\software\Ipswitch\IMail\Domains for [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] [0]
05/28/2007 17:39:47.568 q764101a664c1.smd D:\IMail\Users\ben\aliases.txt
05/28/2007 17:39:47.568 q764101a664c1.smd Doing whitelist file D:\IMail\Users\ben\aliases.txt
05/28/2007 17:39:47.568 q764101a664c1.smd Using whitelist file D:\IMail\Users\ben\aliases.txt.
05/28/2007 17:39:47.568 q764101a664c1.smd Skipping4 E-mail from [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]   ; whitelisted [EMAIL PROTECTED]   ].
05/28/2007 17:39:47.568 q764101a664c1.smd Domain name = mail2.bcwebhost.net,  User name = ben.

So, for reasons I don't understand, Declude is looking at my 
aliases.txt file for whitelisting.  I couldn't find anywhere in the 
configuration files for this to happen, but there it is.  I don't even 
know how aliases.txt is created, but when I looked inside it, I found 
the email addresses for various random people, and also my own address. 
 
My question is: why is Declude using this file for whitelisting?  And 
why do I have this file anyway?
 
Thanks,
 
Ben
 


- Original Message -
*From:* Imail Admin mailto:[EMAIL PROTECTED]
*To:* declude.junkmail@declude.com
mailto:declude.junkmail@declude.com
*Sent:* Friday, May 25, 2007 6:01 AM
*Subject:* Re: [Declude.JunkMail] accidental whitelisting

Hi David,
 
Yup, that was my first check.  The address book in question is the
web address book, which you access from the web interface, right? 
I checked it and it was empty -- not surprising because I mainly
use Outlook Express in IMAP mode.  I did try turning it off
briefly anyway, but then decided it couldn't be the cause of the
problem and turned it back on.
 
Someone else suggested putting Declude in Debug mode, and I could
try that next.  Thing is, I'm not getting a lot of these types of
spam, just a handful in the last couple of days.  So I'm concerned
about how big the log files will grow while I wait for another
occurrence.
 
Thanks,
 
Ben
 


- Original Message -
*From:* David Barker mailto:[EMAIL PROTECTED]
*To:* declude.junkmail@declude.com
mailto:declude.junkmail@declude.com
*Sent:* Friday, May 25, 2007 5:46 AM
*Subject:* RE: [Declude.JunkMail] accidental whitelisting

AUTOWHITELIST  ON checks your user address book make sure you
don’t have your own address in your address book.

 

 


David Barker
Director of Product Management
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]

 


*From:* [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] *On Behalf Of *Imail Admin
*Sent:* Thursday, May 24, 2007 8:42 PM
*To:* declude.junkmail@declude.com
*Subject

Re: [Declude.JunkMail] More accidental whitelisting

2007-05-28 Thread Matt

Ben,

After you run the task that converts the address books into 2006 format 
(Access database), then you can delete all of the alias.txt files.  
There are also other files that aren't used after the conversion.  If 
you move everything over, convert the address books, and then you can 
delete everything in the user's directory except for the MBX files and 
possibly IMA files.  The summaries are kept in a different format in 2006.


Matt



Imail Admin wrote:

Hi Matt,
 
I understood the discussion about AUTOWHITELIST ON and the web address 
book issue.  Where I got caught was that this server doesn't use 
aliases.txt, but the file is just there by accidental legacy.
 
We're in the process of replacing our old 7.15 server with a new 
2006.2 server by moving to a new machine.  So far, the only domain 
we've moved over (until we get the bugs like this worked out) is our 
own domain.  As part of that process, I copied over our old user 
folders (just for our domain) to the new server.  The aliases.txt file 
must have been in the old users folder on the old server.
 
Where I got fooled was because apparently 2006.2 doesn't use that file 
any more, so when I logged into the web interface, it told me the 
address book was empty.  And, truthfully, I (and most of our users) 
used IMAP access via Outlook or something similar, rather than the web 
interface, so I wasn't even familiar with the file.
 
I do agree with the discussion on this point: first, the whitelisting 
should never apply to your own address, and, I think the whole idea of 
whitelisting the address book should be an option that can be turned 
on/off from the config file.
 
Anyway, thank you very much for clearing up this mystery for me. 
 
Thanks!
 
Ben
 


- Original Message -
*From:* Matt mailto:[EMAIL PROTECTED]
*To:* declude.junkmail@declude.com
mailto:declude.junkmail@declude.com
*Sent:* Monday, May 28, 2007 8:50 PM
*Subject:* Re: [Declude.JunkMail] More accidental whitelisting

Ben,

This was covered early in the thread.  You have AUTOWHITELIST ON
in your global.cfg, and that causes Declude to whitelist whatever
is in the recipient's address book (aliases.txt in all IMail
versions prior to 2006).  You have your own E-mail address listed
in your address book, and a spammer forged your address as the
Mail From.  This is commonly seen by those that use AUTOWHITELIST.

There is no way to stop this unless you remove your address from
your address book, and this is also likely happening to your other
users where they have themselves listed in their address book, as
well as others on your hosted domains in the event that there are
multiple recipient forging spam.

There is a limited workaround for some of this using a test called
BYPASSWHITELIST.  You can search the archives or manual about this.

The best solution if you want to keep the ability to whitelist
from the address book would be for Declude to make a change to
automatically exclude any recipient of the E-mail from triggering
AUTOWHITELIST.  This has been requested repeatedly for over 3
years and even came up again in this thread.  The fact that people
were quick to point out that this was likely the reason for your
issue is testament to the fact that it affects a lot of people
that use this functionality.

Matt



Imail Admin wrote:

Hi All,
 
Last week I was struggling with this mysterious accidental
whitelisting.  Emails addressed to me were whitelisted, even
though I had (to the best of my knowledge) no whitelisting turned
on for my own address.  After setting the JM logging to high, I
came up with the following lines:
 
05/28/2007 17:39:47.568 q764101a664c1.smd Past whitelisting
05/28/2007 17:39:47.568 q764101a664c1.smd Looping #0 [flags=1]
05/28/2007 17:39:47.568 q764101a664c1.smd [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] [EMAIL PROTECTED]@mail2.bcwebhost.net] *local*
05/28/2007 17:39:47.568 q764101a664c1.smd Opening HKEY_LOCAL_MACHINE\software\Ipswitch\IMail\Domains for [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] [0]
05/28/2007 17:39:47.568 q764101a664c1.smd D:\IMail\Users\ben\aliases.txt
05/28/2007 17:39:47.568 q764101a664c1.smd Doing whitelist file D:\IMail\Users\ben\aliases.txt
05/28/2007 17:39:47.568 q764101a664c1.smd Using whitelist file D:\IMail\Users\ben\aliases.txt.
05/28/2007 17:39:47.568 q764101a664c1.smd Skipping4 E-mail from [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]   ; whitelisted [EMAIL PROTECTED]   ].
05/28/2007 17:39:47.568 q764101a664c1.smd Domain name = mail2.bcwebhost.net,  User name = ben.

So, for reasons I don't understand, Declude is looking at my
aliases.txt file for whitelisting.  I couldn't find anywhere in
the configuration files for this to happen, but there it is.  I
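
The AUTOWHITELIST behaviour described in this thread, and the change Matt asks for (a sender that is also a recipient of the message never triggers the whitelist), modelled as an added example. It is not part of the original posts and is not Declude's code; the function names, the address-book layout and all addresses are constructed assumptions.

```python
"""Address-book whitelisting and sender forgery, modelled for illustration.

Not Declude code. The address-book layout, function names and all
addresses below are constructed assumptions.
"""


def normalize(addr):
    """Lower-case and strip angle brackets so comparisons are stable."""
    return addr.strip().strip("<>").lower()


def autowhitelist_hits(mail_from, recipients, address_books,
                       exclude_recipients=False):
    """Return the recipients whose address book would whitelist the message.

    address_books maps each local user to the addresses in that user's
    address book (aliases.txt in the thread). With exclude_recipients=True,
    an envelope sender that is also a recipient of the same message never
    triggers the whitelist, which is the change requested in the thread.
    """
    sender = normalize(mail_from)
    rcpts = [normalize(r) for r in recipients]
    if exclude_recipients and sender in rcpts:
        return []
    books = {normalize(user): {normalize(a) for a in book}
             for user, book in address_books.items()}
    return [rcpt for rcpt in rcpts if sender in books.get(rcpt, set())]


def self_listed_users(address_books):
    """Audit helper: users who list their own address in their address book.

    These are the mailboxes for which a forged Mail From equal to the
    recipient is whitelisted today.
    """
    return sorted(
        normalize(user)
        for user, book in address_books.items()
        if normalize(user) in {normalize(a) for a in book}
    )


# Constructed sample data: ben lists himself and a colleague on the same
# hosted domain; alice lists only an outside contact.
ADDRESS_BOOKS = {
    "ben@example.test": {"ben@example.test", "alice@example.test"},
    "alice@example.test": {"carol@example.net"},
}

if __name__ == "__main__":
    cases = [
        ("forged self", "ben@example.test", ["ben@example.test"]),
        ("forged co-recipient", "alice@example.test",
         ["ben@example.test", "alice@example.test"]),
        ("outside contact", "carol@example.net", ["alice@example.test"]),
    ]
    for label, sender, rcpts in cases:
        today = autowhitelist_hits(sender, rcpts, ADDRESS_BOOKS)
        changed = autowhitelist_hits(sender, rcpts, ADDRESS_BOOKS,
                                     exclude_recipients=True)
        print(f"{label:20} today={today} with exclusion={changed}")
    print("self-listed users:", self_listed_users(ADDRESS_BOOKS))
```
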

Re: [Declude.JunkMail] all_list.dat ?

2007-05-17 Thread Matt
Look at the headers, this isn't Declude's issue.  The message is somehow 
looping through Pete's account and back to the list.  It's the AppRiver 
servers that are having issues.


Matt



John T (lists) wrote:

OK, would some one at Declude give a good swift kick to your list server?

John T


  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
John T (lists)
Sent: Thursday, May 17, 2007 12:31 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] all_list.dat ?

I think we all fully understand that now Andrew.

John T


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Colbeck, Andrew
Sent: Thursday, May 17, 2007 9:54 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] all_list.dat ?

Thanks, David.

It's working fine here!


Andrew 8)






  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of David Barker
Sent: Thursday, May 17, 2007 9:29 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] all_list.dat ?

New all_list.dat available from the My Account page on
Declude website.

David Barker
VP Operations  |  Declude
Your Email Security is our business
O: 978.499.2933  x7007
F: 978.988.1311
E: [EMAIL PROTECTED]



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of David Barker
Sent: Thursday, May 17, 2007 9:52 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] all_list.dat ?

Sure, I will see what I can do for early next week.

David Barker
VP Operations  |  Declude
Your Email Security is our business
O: 978.499.2933  x7007
F: 978.988.1311
E: [EMAIL PROTECTED]



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Colbeck, Andrew
Sent: Wednesday, May 16, 2007 7:42 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] all_list.dat ?

Hey, David.

Any chance of seeing a refresh of all_list.dat ... It's been just about
4 months since the last one.  Three or four times a year doesn't sound bad.

Andrew 8)





-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Colbeck, Andrew
Sent: Thursday, January 18, 2007 9:08 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] all_list.dat ?

Thanks, David.

The early report is that it's working for me.

Andrew 8)






  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
David Barker
Sent: Thursday, January 18, 2007 7:37 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] all_list.dat ?

New all_list.dat available on the My Account home page of Declude. 18
Jan 07 344kB

David Barker
Director of Product Management
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Gary Steiner
Sent: Tuesday, January 09, 2007 4:30 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] all_list.dat ?

David (or any Declude people that may be reading),

Any chance of seeing a new all_list.dat any time soon, considering the
current one has a date of 6 Jul 06, and considering the additional
input from this recent thread?

I'm starting to see false positives caused by weights I previously
gave to IANA Reserved and RIPE Unlisted.

Gary



 Original Message 
From: Jay Sudowski - Handy Networks LLC [EMAIL PROTECTED]
Sent: Thursday, January 04, 2007 5:57 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] [IANA Reserved] ?

Indeed.  When we obtained our own IP space from ARIN, it was from
72/8, which had been released only about 6 months prior to it being
assigned to us.  You wouldn't believe the number of networks that were
running with 72/8 in their bogons list and were entirely blocking
traffic from our network...


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Darrell ([EMAIL PROTECTED])
Sent: Thursday, January 04, 2007 3:47 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] [IANA Reserved] ?


I would be very careful with this.  IANA just released (I believe in
October) 96/8, 97/8, 98/8, 99/8.  With the all_list.dat not being
updated frequently I would tread very lightly in this area.  Part of
96/8 has been handed out.

Darrell

Re: [Declude.JunkMail] Warning re: DECLUDE - CRITICAL VIRUS SCANNING UPDATE

2007-04-17 Thread Matt

David,

I'm pretty much with Andrew on this, but I generally appreciate the 
speed of your response and the fact that you are willing to own up to 
your mistakes.


I don't ever expect anything to be mistake free, but I have a suggestion 
that would seem to make sense and help you to avoid confusion and ire in 
the future.  Just simply reevaluate how you do versioning of your code.


For instance, you currently are distributing version 4.3.46 where  4 
is the major version, 3 is the minor version, and 46 is generally 
thought of as the interim or patch level.  My recommendation would be 
for you to only introduce new functionality or significant changes in 
minor or major versions.  Before any minor or major version release, you 
should have both betas and release candidates, i.e. 4.4.1b then 4.4.1rc, 
and then when you release it, it would be 4.4.0.  New functionality 
would start appearing in the betas.  The release candidates are 
optional, and might be reserved only for major version changes where 
significant changes have been made, and it would give you a way to ramp 
up your experience with dealing with support and unforeseen 
circumstances.  Since the AV signatures changed in this latest version, 
you should have moved up to a new minor version number in order to alert 
people to the importance of the release.  I would have also incremented 
when you introduced regex functionality.


I would recommend that only bugs be patched within the interim or patch 
levels, and that you let customers know that these interims have not 
been through a release candidate testing, may contain errors, and should 
only be used if someone is looking for resolution of an issue.


So if you followed this more normalized versioning methodology, you 
would have released 4.4.1b yesterday morning, and then 4.4.2b when you 
found the issue with the DLL omission.  Then in a few more days when you 
are confident that things are stable, release 4.4.0.


Matt






David Barker wrote:

- Pulled out the bad package

Did this.

- Rolled a new package (with an incremented version number) with the
missing DLL, tested the package successfully and posted it to the website
for downloaded

Did this although no need for an incremented version number as it was not
related to declude but rather the installer and it affected only Imail users
who had not upgraded to the last declude build

- Checked my shopping cart or web logs and found out which customers had
downloaded the bad version of the package

Ok I could have done this.

- Contacted only those customers by phone and email; when there is an
email problem, email is a lousy communications channel

So far it's only John and Dave

I would have updated the Whats New web page.

We had updated the Release notes. Where is the what's new page ?

I *may* then also notify both support mailing lists.

Anyone who was the JM list only should not have been affected as they were
not notified of a release.

I think Matt made a good point that Declude should start without the .dll
and write an error message to the log, I have added this to the dev list.

David

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck,
Andrew
Sent: Tuesday, April 17, 2007 1:01 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Warning re: DECLUDE - CRITICAL VIRUS
SCANNING UPDATE

My only two cents on this:

If I were David Barker I would have:

- Pulled out the bad package

- Rolled a new package (with an incremented version number) with the missing
DLL, tested the package successfully and posted it to the website for
downloaded

- Checked my shopping cart or web logs and found out which customers had
downloaded the bad version of the package

- Contacted only those customers by phone and email; when there is an email
problem, email is a lousy communications channel

I would have updated the Whats New web page.

I *may* then also notify both support mailing lists.

The rest is so much sturm und drang.


Andrew.



  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
David Barker

Sent: Tuesday, April 17, 2007 9:02 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Warning re: DECLUDE - CRITICAL VIRUS 
SCANNING UPDATE


So far this issue has affected 2 people. John and Dave. If there were 
10's of others I can see your point however I am not emailing 4500 
users when this is no longer an issue. It is because of people on 
these lists that provide us with good feedback, input and their 2 
cents, that helps us provide a better service to the majority of 
users. In short thanks to John we did not have to send a second 
email.
 
David




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
Randy Armbrecht

Sent: Tuesday, April 17, 2007 11:48 AM
To: declude.junkmail@declude.com
Subject: RE

Re: [Declude.JunkMail] Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution

2007-04-13 Thread Matt


However, for ISP's that use MS DNS servers and do remote management 
from the inside - their customers could potentially exploit them.
I have worked with folks who run services other than mail on their DNS 
servers.  One example is FTP.  With passive ftp high ports 1024+ need 
to be open both ways.  So if they are using standard ACL's and not a 
firewall this could lead to some trouble as well.
Stateful firewalls don't need to open these ports for passive FTP.  The 
FTP connection is established on the standard port after which the 
passive port is shared with the client and the firewall tracks this and 
allows the connection.


As a rule of thumb, RPC should never be exposed to untrusted IP space.  
It is also odd and possibly grossly incompetent of Microsoft to choose 
to use ports 1024+ for such purposes, but I'm thinking that they have 
some weakly justifiable reason to do this as a feature.


Matt





Re: [Declude.JunkMail] Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution

2007-04-13 Thread Matt
Sounds then like it should be more specific.  It would seem to make 
sense not to expose services such as DNS, which run as SYSTEM and has 
full rights, to RPC traffic on variably assigned ports higher than 
1024.  Maybe that makes more sense.


We're awfully lucky that stateful firewalls evolved and became generally 
available before worms became prolific.


Based on what SANS says, they recommend option #1 of the recommendations 
that says "Disable remote management over RPC for the DNS server via a 
registry key setting." at https://isc.sans.org/diary.html?storyid=2627  
It would also seem that if one is not running Windows DNS, then you are 
not at risk from this particular threat.  Note that this bug has the 
potential of becoming another Code Red/Nimda/SQL Slammer if it is 
worm-ified and pushed out before the eventual Windows Update is widely 
implemented.  Seems that spammers are more interested in owning boxes 
rather than wreaking widespread havoc with worms these days though.


Matt


Sanford Whiteman wrote:

It  is  also  odd  and  possibly grossly incompetent of Microsoft to
choose  to  use ports 1024+ for such purposes, but I'm thinking that
they have some weakly justifiable reason to do this as a feature.



RPC  endpoints  always choose dynamic ports in the customary ephemeral
range, not the reserved range. This is by definition and common sense.

RPC  is not a Microsoft invention. It was pioneered by Xerox & Sun and
was implemented using the same basic model across many OSs.

--Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
  http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases!
  
http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/
  
http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/




Re: [Declude.JunkMail] Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution

2007-04-13 Thread Matt
Just curious...wouldn't it make sense to apply the patch unless one's 
DNS server is firewalled both internally and externally?  We have seen 
botnet owners launch high volume trojan campaigns at the drop of a hat, 
and if it is in fact the botnet owners that are going to exploit this, 
it would seem that they could attack from clients within one's network.  
It's a much less likely scenario than the worm or direct Internet attack 
approaches, but it certainly would still seem to be a vulnerability.  I 
suppose that it may depend on how ultimately important security is for 
one's organization, after all, we don't all use retinal scanners to 
unlock our doors :)


Keep in mind that this was detected in the wild 7 days before Microsoft 
even released the advisory.  The original posts say that the traffic 
looks similar to Blaster worm traffic.  Here's what happened back in 
2003 with that one...note that it hit one month after the advisory and 
that one was using ports 1024, though fixed ports that are easier to 
target if open:


   http://isc.sans.org/diary.html?date=2003-08-11

Matt



Colbeck, Andrew wrote:
The Administrators who should be applying the workaround are precisely 
the same Administrators that have accidentally allowed inbound 
connections on arbitrary ephemeral ports, i.e. if they clumsily opened 
connections as per Darryl's suggestion of how/why this lack of 
firewalling might happen.
 
If you /are not sure/, then apply the workaround.
 
If you /are sure/, but like a belt and suspenders approach and can 
live without using the MMC snap-in to remotely manage your DNS server, 
apply the workaround.
 
Normal DNS traffic, including zone transfers, are not affected.
 
I've provided the requisite registry entries as text file 
attachments.  Rename from .txt to .reg and apply the disable registry 
file, then stop and start the DNS service.  Then test your DNS with a 
query or two, and test if the MMC snap-in can truly not manage from a 
remote machine if you are so inclined.
 
It worked for me.
 
Andrew.
 
 



*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On
Behalf Of *Matt
*Sent:* Friday, April 13, 2007 11:53 AM
*To:* [EMAIL PROTECTED]
*Subject:* Re: [Declude.JunkMail] Vulnerability in RPC on Windows
DNS Server Could Allow Remote Code Execution

Sounds then like it should be more specific.  It would seem to
make sense not to expose services such as DNS, which run as SYSTEM
and has full rights, to RPC traffic on variably assigned ports
higher than 1024.  Maybe that makes more sense.

We're awfully lucky that stateful firewalls evolved and became
generally available before worms became prolific.

Based on what SANS says, they recommend option #1 of the
recommendations that says "Disable remote management over RPC for
the DNS server via a registry key setting." at
https://isc.sans.org/diary.html?storyid=2627  It would also seem
that if one is not running Windows DNS, then you are not at risk
from this particular threat.  Note that this bug has the potential
of becoming another Code Red/Nimda/SQL Slammer if it is worm-ified
and pushed out before the eventual Windows Update is widely
implemented.  Seems that spammers are more interested in owning
boxes rather than wreaking widespread havoc with worms these days
though.

Matt


Sanford Whiteman wrote:

It  is  also  odd  and  possibly grossly incompetent of Microsoft to
choose  to  use ports 1024+ for such purposes, but I'm thinking that
they have some weakly justifiable reason to do this as a feature.



RPC  endpoints  always choose dynamic ports in the customary ephemeral
range, not the reserved range. This is by definition and common sense.

RPC  is not a Microsoft invention. It was pioneered by Xerox & Sun and
was implemented using the same basic model across many OSs.

--Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
  
http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail 
Aliases!
  
http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/
  
http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/




Re: [Declude.JunkMail] Imail Anti-spam

2007-04-11 Thread Matt
It can be unsafe to mix, plus IMail's default spam blocking won't do 
anything for you that Declude can't if tuned properly.


Matt



Chuck Schick wrote:

We are running IMAIL 8.22 and I am looking at the Anti-spam features.  We
are also running declude.  Which Anti-spam features do people find good to
turn on in Imail versus Declude?  


Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com






Re: [Declude.JunkMail] Increase in CPU usage since upgrade

2007-04-11 Thread Matt

Mike,

Your graphs strongly suggest that there is an application that is hung 
and using a lot of CPU.  Some apps will take an entire CPU, which would 
give ~50% utilization on a 2 processor system (hyperthreaded or otherwise).


The first thing to check for though is the size of your Declude logs 
before and after the upgrade.  If they are measurably larger, something 
else is happening.  If they are roughly the same, then you will want to 
use Process Explorer 
(http://www.microsoft.com/technet/sysinternals/utilities/ProcessExplorer.mspx) 
to see what is going on.  Look for things like Dr. Watson errors and 
other things that could be indications of errors.  Also check your Event 
Viewer for odd errors that didn't exist before.


Matt



Mike Hardrick wrote:

I've not added any filters and the message count is within the mean average.
Here's a pic from the cpu usage.
http://www.tnweb.com/declude/mailbox-04-11-07.jpg

To get the cpu usage where it is now, I have a cron running to stop
and start the decludeproc process every hour.

Mike
TNWEB  


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, April 10, 2007 11:09 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Increase in CPU usage since upgrade

Mike, have you added any filters as they tend to be more cpu intensive.
Secondly is it decludeproc that uses more CPU or is it something else ?

David Barker
Director of Product Management
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]
 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike
Hardrick
Sent: Tuesday, April 10, 2007 11:37 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Increase in CPU usage since upgrade

From version 4.3.14 to 4.3.40.
Prior to the upgrade the cpu usage was:
Current:32/Average:23/Maximum:49
After the upgrade to 4.3.40:
Current:66/Average:49/Maximum:100
(With spikes at 100% cpu usage sometimes lasting an 3 hours.)

Mike
TNWEB

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell
([EMAIL PROTECTED])
Sent: Tuesday, April 10, 2007 7:40 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Increase in CPU usage since upgrade

What version did you upgrade from?

Darrell

Check out http://www.invariantsystems.com for utilities for Declude And
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG
Integration, and Log Parsers.

- Original Message -
From: Mike Hardrick [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Tuesday, April 10, 2007 1:50 AM
Subject: [Declude.JunkMail] Increase in CPU usage since upgrade


Greetings All,
Since upgrading to v4.3.40 the CPU usage has doubled on my mail server.
There have been no configuration changes in Declude or Imail in this time
frame.
Are there any known issues with 4.3.40 that might cause the increase in CPU
usage?

Michael Hardrick
TNWEB LLC
Middle Tennessee ISP





Re: [Declude.JunkMail] Spam gateway/proxy...

2007-04-11 Thread Matt

Chuck,

For ease of use and limited gateway functionality, you might want to try 
Alligate (www.getalligate.com or www.alligate.com).  Alligate will apply 
greylisting 'selectively' if you want it to, and that will result in far 
fewer issues than full-on greylisting.  Selective greylisting is at 
least 99.9% effective as full on greylisting as it is triggered by the 
behaviors that are associated with the type of spam that is vulnerable 
to it.


I would recommend not using SAV.  That will create some issues for you, 
and it is not appropriate to use other's servers to validate massive 
amounts of forged addresses.  Greylisting will take care of the same 
problem anyway.


Alligate supports either real-time querying of valid addresses from your 
server, or you can load it with a list of addresses just like IMGate 
using the same export tools.


I run 4 MX records, and I reject about 80% of the connections to my MX1, 
while my MX2, MX3 and MX4 servers reject over 99% of the connections.  
Note that many of these connections would never reach Declude anyway as 
many are the result of dictionary attacks or backscatter which both 
often result in sending to bad addresses.  You will however see a 50% or 
larger reduction in volume going to IMail/Declude as a result of just 
selective greylisting (which approximates the effect on legitimate 
addresses).


Matt



Chuck Schick wrote:

Anyone using a spam gateway (Like IMGATE) or proxy (like ASSP) in front of
declude.

I am intrigued by the idea of using something that will reject the messages
before accepting it for delivery and then scanning it.  I would only want to
use the gateway/proxy to perform graylisting, Sender Validation, tar
pitting.  According to Len Conrad this could result in a 70 to 90 percent
reduction in spam.

Ultimately I would like our spam filtering to be where we reject the message
before the data command and messages that we do accept for delivery we scan
with declude and if it is identified as spam it will be delivered to a
junkmail folder in the users mailbox - which they can check via webmail or
configure their mail clients to download it.  I want to get out of the
business of holding or deleting spam.

Any thoughts, comments, ...? what have others done.

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com






Re: [Declude.JunkMail] PCRE FILTERING

2007-03-14 Thread Matt

Dave,

This was an old, old feature request/bug fix from back in the Scott 
days, where it was desired not to include encoded base64 content on BODY 
searches (decoded content was desired).  The workaround for this is to 
add a separator to the end of the filter such as a period, comma, space, 
tab, or left HTML bracket.


It would also help to specify what format the BODY data would come in, 
for instance is a line break in the original processed by the regular 
expression as a line break?  It would be hugely beneficial to regular 
expressions to take the BODY content and strip out all line breaks, 
replacing them with spaces for the purpose of filtering with regex.  
Maybe it is time to create another variable for body content that is 
more regex friendly?  That should be easy enough to do.


Matt



David Barker wrote:

We can certainly look at doing something like that, currently I am using
this line:

BODYEND CONTAINSContent-Transfer-Encoding: base64

David 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott
Fisher
Sent: Wednesday, March 14, 2007 10:15 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] PCRE FILTERING

I'm seeing hits in the attachments too.
Triggered ANYWHERE PCRE filter REGEX-KEYWORDS : vHXAH51eG1ujzM   (valium)

It would be real nice to be able to search the body without the attachments
like this.
BODYONLY 25  PCRE (?i:v.{0,[EMAIL PROTECTED],2}[\|li1í\!].{0,2}[\|i1í\!].{0,2}[vu].{0,2}m)

Being able to search the body without the attachments would also be a time
saver on those BODY filters.



- Original Message - 
From: David Barker [EMAIL PROTECTED]

To: declude.junkmail@declude.com
Sent: Tuesday, March 13, 2007 11:24 AM
Subject: [Declude.JunkMail] PCRE FILTERING


Wanted to give a sample of how the new Regular Expressions are identifying
patterns, here is a log snip on a few patterns for Drugs:

ANYWHERE PCRE filter FILTER-DRUGS : C1al.is [weight - 5]
ANYWHERE PCRE filter FILTER-DRUGS : C1alis is [weight - 5]
ANYWHERE PCRE filter FILTER-DRUGS : [EMAIL PROTECTED] [weight - 5]
ANYWHERE PCRE filter FILTER-DRUGS : Cia1is s [weight - 5]
ANYWHERE PCRE filter FILTER-DRUGS : Cial1s S [weight - 5]
ANYWHERE PCRE filter FILTER-DRUGS : Cialiis [weight - 5]
ANYWHERE PCRE filter FILTER-DRUGS : CIALIS [weight - 5]
ANYWHERE PCRE filter FILTER-DRUGS : Cialis S [weight - 5]
ANYWHERE PCRE filter FILTER-DRUGS : H,G,H [weight - 5]
ANYWHERE PCRE filter FILTER-DRUGS : HGH [weight - 5]
ANYWHERE PCRE filter FILTER-DRUGS : Human Growth Hormone [weight - 5]
ANYWHERE PCRE filter FILTER-DRUGS : HxGxH [weight - 5]
ANYWHERE PCRE filter FILTER-DRUGS : [EMAIL PROTECTED] [weight - 5]
ANYWHERE PCRE filter FILTER-DRUGS : Leviitra [weight - 5]
ANYWHERE PCRE filter FILTER-DRUGS : Levitra [weight - 5]
ANYWHERE PCRE filter FILTER-DRUGS : Levitra a [weight - 5]
ANYWHERE PCRE filter FILTER-DRUGS : Levltra [weight - 5]
ANYWHERE PCRE filter FILTER-DRUGS : v!Agr@ a [weight - 5]
ANYWHERE PCRE filter FILTER-DRUGS : V_I_A_G_R_A [weight - 5]
ANYWHERE PCRE filter FILTER-DRUGS : v|aGR@ [weight - 5]
ANYWHERE PCRE filter FILTER-DRUGS : V1agr@ [weight - 5]
ANYWHERE PCRE filter FILTER-DRUGS : V1agra [weight - 5]
ANYWHERE PCRE filter FILTER-DRUGS : Val1um [weight - 1]
ANYWHERE PCRE filter FILTER-DRUGS : [EMAIL PROTECTED]@ [weight - 5]
ANYWHERE PCRE filter FILTER-DRUGS : Vi[agra [weight - 5]
ANYWHERE PCRE filter FILTER-DRUGS : Via gra [weight - 5]
ANYWHERE PCRE filter FILTER-DRUGS : Viagr@ a [weight - 5]
ANYWHERE PCRE filter FILTER-DRUGS : Viagra [weight - 5]
ANYWHERE PCRE filter FILTER-DRUGS : Viagra a [weight - 5]
ANYWHERE PCRE filter FILTER-DRUGS : Viagraa [weight - 5]
ANYWHERE PCRE filter FILTER-DRUGS : VlAGR@ [weight - 5]
ANYWHERE PCRE filter FILTER-DRUGS : VlAGRA [weight - 5]
ANYWHERE PCRE filter FILTER-DRUGS : Xanax [weight - 5]
ANYWHERE PCRE filter FILTER-DRUGS : Xanaxx [weight - 5]

These are the expressions I am using - as I am still on a learning curve
these expressions may be improved and become more accurate. While testing I
score relatively low just in case of FP's. I use a tool called baregrep
http://www.baremetalsoft.com/baregrep/ which speeds through huge DEBUG logs
pulling out entries I am looking for. Hope this helps get you started with
PCRE, I think the Declude community can receive great value from sharing
this type of info.

#CIALIS
ANYWHERE 3 PCRE
(?i:\bc.{0,2}[\|li1í\!].{0,[EMAIL PROTECTED],2}[\|li1í\!].{0,2}[\|i1í\!].{0,2}s)

#HGH
ANYWHERE 5 PCRE (?i:\b(?:human growth hormone|(?-i:HGH)|H.G.H)\b)

#LEVITRA
ANYWHERE 5 PCRE
(?i:\bl.{0,2}e.{0,2}v.{0,2}[\|li1í\!].{0,2}t.{0,2}r.{0,[EMAIL PROTECTED])

#VIAGRA
ANYWHERE 5 PCRE
(?i:v.{0,2}[\|li1í\!].{0,[EMAIL PROTECTED],2}g.{0,2}r.{0,[EMAIL PROTECTED])

#XANAX
ANYWHERE 5 PCRE (?i:x.{0,[EMAIL PROTECTED],2}n.{0,[EMAIL PROTECTED],2}x)

David Barker
Director of Product Management
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]




Re: [Declude.JunkMail] PCRE FILTERING

2007-03-14 Thread Matt
Just to clarify a bit on this, there is the conundrum regarding text or 
HTML base64 encoded attachments and other types of attachments where you 
want to search the text and HTML stuff in decoded format, but not the 
image, application and other MIME types.  It is however less common to 
obfuscate with base64 encoding these days, so even without supporting 
encoded text or HTML it would still be of benefit.  It certainly could be 
done to support them though with a little extra work to look at the MIME 
types.


Matt



John T (lists) wrote:

This was an old, old feature request/bug fix from back in the
Scott days, where it was desired not include encoded base64
  

I requested this as a change long ago for two reasons:

1) To avoid false positives where search text matches the MIME or UUENCODE
formatting

2) To provide an instant speed up in BODY and ANYWHERE processing because
Declude has less text to match, in particular when MIME encoding text is
being searched for, say, an encoded PDF, DOC or JPG.

It may also have the additional benefit of being more accurate:

3) To provide for fewer false negatives, because the string size is more
complete with the body text.



Giving a third to what Andrew and Matt have said, I have a client that deals
in electronic parts. Electronic part numbers take on all forms of sequences
and not being able to limit body searches to non-base64 encoding which is
primarily attachments has caused a lot of extra work on my part constantly
having to make adjustments to counter this problem.

Being able to have BODY not include attachments is coming to the point where
it is no longer a feature but a requirement.

John T




---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.
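The two failure modes discussed in this thread, side by side in an added example (not code from Declude or from any poster): the HGH expression posted above is run once over the raw message and once over decoded text/* parts only. Both messages are constructed samples, and the function names are this example's own.

```python
import base64
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# The HGH expression from the post above, unchanged.
HGH = re.compile(r"(?i:\b(?:human growth hormone|(?-i:HGH)|H.G.H)\b)")


def raw_scan(raw: bytes, pattern=HGH) -> bool:
    """Match against the message exactly as stored, transfer encoding and all."""
    return bool(pattern.search(raw.decode("ascii", errors="replace")))


def decoded_text_parts(raw: bytes):
    """Yield the decoded text of every text/* leaf part; skip all other types."""
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart() or part.get_content_maintype() != "text":
            continue  # images, applications, etc. are never searched
        try:
            yield part.get_content()
        except (LookupError, UnicodeDecodeError):
            # Unknown or wrong charset: undo the transfer encoding only.
            payload = part.get_payload(decode=True) or b""
            yield payload.decode("latin-1")


def mime_aware_scan(raw: bytes, pattern=HGH) -> bool:
    """Match only against decoded text and HTML bodies."""
    return any(pattern.search(text) for text in decoded_text_parts(raw))


def sample_parts_quote() -> bytes:
    """Constructed: clean text plus a binary attachment whose base64 begins 'HGH/'."""
    msg = EmailMessage()
    msg["Subject"] = "RFQ 1047"
    msg.set_content("Quote for the listed part numbers is attached.\n")
    blob = base64.b64decode("HGH/" + "A" * 20)  # 18 arbitrary bytes
    msg.add_attachment(blob, maintype="application",
                       subtype="octet-stream", filename="quote.bin")
    return msg.as_bytes()


def sample_encoded_text() -> bytes:
    """Constructed: a text/plain body sent base64-encoded."""
    msg = EmailMessage()
    msg["Subject"] = "Special offer"
    msg.set_content("Order human growth hormone today.\n", cte="base64")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("binary attachment", sample_parts_quote()),
                       ("base64 text body", sample_encoded_text())):
        print(f"{label:18} raw={raw_scan(raw)!s:5} "
              f"mime-aware={mime_aware_scan(raw)}")
```

The raw scan fires on the attachment's encoding and misses the encoded text body; the MIME-aware scan does the opposite on both.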

Re: [Declude.JunkMail] Decludeproc.ex Faulting Applicaction

2007-02-19 Thread Matt
Just a little warning about DEP.  I found someone's server was having 
Declude caught with DEP.  I recommend that DEP either be turned off or 
limited to just Windows services.


Matt



Luis Alberto Arango E. wrote:

Now with version 4.13.30 everything is working fine..
 
I don't know why version 4.1 didn't work even with DEP deactivated..
 
thank you very much for your help.
 
regards
 
Luis Arango



*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On
Behalf Of *Luis Alberto Arango E.
*Sent:* lunes, 19 de febrero de 2007 12:42
*To:* declude.junkmail@declude.com
*Subject:* RE: [Declude.JunkMail] Decludeproc.ex Faulting Applicaction

I found that I installed a very old version. I have the installer
for 4.1 version.. I will uninstall and reinstall.. I will let you know


*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On
Behalf Of *Darrell ([EMAIL PROTECTED])
*Sent:* lunes, 19 de febrero de 2007 12:12
*To:* declude.junkmail@declude.com
*Subject:* Re: [Declude.JunkMail] Decludeproc.ex Faulting
Applicaction

I know you mentioned that you have tried a reinstall - but
have you tried an uninstall and made sure after that the
decludeproc and declude.exe files are gone from the Imail
directory?  Once you know they are gone try to reinstall again. 
 
Darrell
 


Check out http://www.invariantsystems.com for utilities for
Declude And Imail.  IMail/Declude Overflow Queue Monitoring,
SURBL/URI integration, MRTG Integration, and Log Parsers.

- Original Message -
*From:* Luis Alberto Arango E. mailto:[EMAIL PROTECTED]
*To:* declude.junkmail@declude.com
mailto:declude.junkmail@declude.com
*Sent:* Monday, February 19, 2007 10:50 AM
*Subject:* RE: [Declude.JunkMail] Decludeproc.ex Faulting
Applicaction

By the way, Declude stopped scanning since the errors
started. My proc is holding thousands of messages now. I
have reinstalled Declude, installed older versions, and the
error keeps showing up in the event log.
 
 
Luis Arango




*From:* [EMAIL PROTECTED]
mailto:[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] *On Behalf Of *Luis
Alberto Arango E.
*Sent:* lunes, 19 de febrero de 2007 10:23
*To:* declude.junkmail@declude.com
*Subject:* [Declude.JunkMail] Decludeproc.ex Faulting
Applicaction

Starting yesterday, Feb 18 at 3:33 am (ET), I get errors
from decludeproc.exe every 10 to 15 seconds. The
error is as follows:
 


Faulting application decludeproc.exe, version 0.0.0.0,
faulting module unknown, version 0.0.0.0, fault
address 0x20202020

 


I am running Imail and decludeproc version 3.13 under
windows 2003

 


Any ideas..

 


Luis Arango



Re: [Declude.JunkMail] Declude/Sniffer Issues

2007-02-19 Thread Matt

Pete McNeil wrote:


You will need to adjust the amount of time that SNF is allowed to run 
and extend it. I've heard of this setting but I don't know precisely 
where it is. Someone here probably does.


I believe that way back when I was asking Scott about this on the list 
that the timeout is fixed to a value like 5 minutes.  It was fixed to an 
hour or more before that point.


It sounds more like something else is going on like DEP interfering or 
some other issue.


Matt



Re: [Declude.JunkMail] Declude/Sniffer Issues

2007-02-19 Thread Matt
Definitely!  AUTOREVIEW ON is very dangerous.  It was intended as a fix 
for messages that land in Review from a restart or crash, however if 
there is a killer message it will get moved back to Proc immediately and 
cause crashes over and over again.  Declude could do this much better by 
detecting what caused the GPF and only moving those files to 
Review...but they don't.


The workaround for both issues is to script a task that runs every 30 
minutes which will move all files from Review back to Proc.  This way if 
there is a killer message, it will only affect you once every 30 
minutes, and a declude system can easily survive that.  One can do a 
better job with the scripting to even detect repeated crashes on the 
same file so as to avoid them, but this works well enough in most cases 
since most messages that cause crashes will go through on a second try.  
Here's the code that you want to package up in a CMD file and run under 
Task Scheduler once every 30 minutes (customize for your paths):


   MOVE /Y F:\proc\review\*.* F:\proc

Matt



Colbeck, Andrew wrote:

In my declude.cfg I have set the:
 
AUTOREVIEW OFF
 
which is the default for this directive.  I've seen a poison email 
that makes Declude crash or stop quietly, and AUTOREVIEW ON just puts 
the poison email back in the queue again.  You may find that there are 
c:\declude.gp1 and c:\declude.gp2 files on your crashed system, with 
corresponding decMMDD.log entries.
 
I'm not entirely sure if the cause is actually the same, but I've also 
seen two Declude systems that were hosed by too much traffic; there 
were literally over a hundred CSCRIPT.EXE and SNIFFER.EXE child 
processes orphaned with each orphan allocated only 48KB in Task 
Manager.  I've only ever seen that particular orphan behaviour on 
Declude based systems.
 
Andrew.
 



*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On
Behalf Of *Chris Patterson
*Sent:* Monday, February 19, 2007 11:20 AM
*To:* declude.junkmail@declude.com
*Subject:* RE: [Declude.JunkMail] Declude/Sniffer Issues

When this issue happens which seems more frequent, I do clear out
the thousands of left behind files.  I am more trying to find a
way to prevent it or reason that is happening.

 


And yes, Sniffer does have a hard time operating when it hoses up
that bad.

 




*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On
Behalf Of *Darrell ([EMAIL PROTECTED])
*Sent:* Monday, February 19, 2007 1:40 PM
*To:* declude.junkmail@declude.com
*Subject:* Re: [Declude.JunkMail] Declude/Sniffer Issues

 


Chris,

 


I am gathering that you are running Sniffer in persistent mode?  I
would stop your Declude and Sniffer services.  Then go into the
sniffer directory and remove all of the *.fin, *.svr files.  I am
not sure what the .xxx files are.  I have yet to see those.  Then
I would check your Sniffer log for any errors.  After making sure
there are no errors I would restart the Sniffer persistent service
and Declude and see if the issue is resolved.  It's possible
Sniffer could be stepping on itself trying to weed through all
those files. 

 


Darrell


Check out http://www.invariantsystems.com for utilities for
Declude And Imail.  IMail/Declude Overflow Queue Monitoring,
SURBL/URI integration, MRTG Integration, and Log Parsers.

- Original Message -

*From:* Chris Patterson mailto:[EMAIL PROTECTED]

*To:* declude.junkmail@declude.com
mailto:declude.junkmail@declude.com

*Sent:* Monday, February 19, 2007 1:03 PM

*Subject:* RE: [Declude.JunkMail] Declude/Sniffer Issues

 


I get this in logs:

 


02/19/2007 05:16:12.213 23859386 ERROR: External program
SNIFFER didn't finish quick enough; terminating.

02/19/2007 05:16:12.213 23859386 Couldn't get external program
exit code

 


At this point I see thousands of .xxx and .fin files built up
in the sniffer directory.  Usually forcing a sniffer update
(normally done every hour automatically).

 

 

 




*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On
Behalf Of *Darrell ([EMAIL PROTECTED])
*Sent:* Monday, February 19, 2007 9:32 AM
*To:* declude.junkmail@declude.com
*Subject:* Re: [Declude.JunkMail] Declude/Sniffer Issues

 


What are you seeing in the logs that indicates this?  Declude
will terminate long running external processes and log that it
terminated it.   Are you
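The "better job with the scripting" mentioned above could look like this added example, which is not Matt's script or part of Declude: it requeues Review files like the MOVE command does, but holds back any file that keeps returning. The hold directory, the state file, the limit of two requeues and the sample file names are assumptions of this example.

```python
import json
import os
import tempfile
from pathlib import Path

MAX_REQUEUES = 2  # assumption: hold a file the third time it shows up in Review


def requeue(review: Path, proc: Path, hold: Path, state_file: Path,
            max_requeues: int = MAX_REQUEUES):
    """One scheduled pass. Returns (requeued, held) lists of file names."""
    try:
        counts = json.loads(state_file.read_text())
    except (FileNotFoundError, json.JSONDecodeError):
        counts = {}
    present = {p.name for p in review.iterdir() if p.is_file()}
    # A file that did not come back went through on a retry: forget it.
    counts = {name: n for name, n in counts.items() if name in present}
    hold.mkdir(parents=True, exist_ok=True)
    requeued, held = [], []
    for name in sorted(present):
        if counts.get(name, 0) >= max_requeues:
            # Repeat offender: park it for manual inspection instead of
            # feeding it to the scanner again.
            os.replace(review / name, hold / name)
            held.append(name)
            counts.pop(name)
        else:
            # os.replace overwrites like MOVE /Y; same volume required.
            os.replace(review / name, proc / name)
            counts[name] = counts.get(name, 0) + 1
            requeued.append(name)
    state_file.write_text(json.dumps(counts))
    return requeued, held


def demo():
    """Constructed run in a temp dir: 'poison.msg' crashes the scanner each time."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        proc, hold = root / "proc", root / "hold"
        review = proc / "review"
        review.mkdir(parents=True)
        state = root / "requeue_state.json"
        for name in ("good.msg", "poison.msg"):
            (review / name).write_text("constructed sample\n")
        history = []
        for _ in range(3):
            history.append(requeue(review, proc, hold, state))
            # Simulated scanner: good.msg is delivered, poison.msg crashes
            # it, and the restart puts the crashing file back into Review.
            (proc / "good.msg").unlink(missing_ok=True)
            if (proc / "poison.msg").exists():
                os.replace(proc / "poison.msg", review / "poison.msg")
        return history, sorted(p.name for p in hold.iterdir())


if __name__ == "__main__":
    passes, parked = demo()
    for number, (requeued, held) in enumerate(passes, start=1):
        print(f"pass {number}: requeued={requeued} held={held}")
    print("in hold directory:", parked)
```

Files are tracked by name, so a message stored as several files is counted once per file and all of them reach the limit on the same pass.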

Re: [Declude.JunkMail] Declude/Sniffer Issues

2007-02-19 Thread Matt

Chris,

There are desktop heap issues when you start to reach around 50 
non-service processes on a Windows box.  Windows just doesn't enable 
such things, and there isn't a whole lot of tweaking that you can do to 
increase this.  I run at 50 threads and I occasionally get heap errors.  
This of course depends on how many processes that Declude is launching 
and how long they take.  Note that each thread in Declude will only be 
launching one external app at a time, but when these apps are slower, 
you can have a good number of them running concurrently.


If you want to run a gateway for this type of volume, use something like 
Alligate or IMgate.  You can run these stand-alone on a much less 
capable box and handle many more connections.


Matt



Chris Patterson wrote:


This really is a front end gateway to a front end also running 
declude.  Even though the thread count sounds high even at 500 
threads being used in Task Manager, we never hit 100% CPU.


 

2 -- dual-core opterons.  3 -- 15K SCSI's in Raid 5, 3 gigs Ram on a 
DL385.


 

When this happens all 500 threads are being used and the CPU is doing 
nothing, like 2%.


 

Get a new sniffer update, clean up the directory and it will not give 
a problem for days and days.


 




*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of 
*Matt

*Sent:* Monday, February 19, 2007 4:08 PM
*To:* declude.junkmail@declude.com
*Subject:* Re: [Declude.JunkMail] Declude/Sniffer Issues

 


Chris,

Reduce your threads setting to a more reasonable number and you should 
be fine.  A number around 50 should suffice, but you can set it, 
restart Declude and then see if you are redlining.  Once you get to 
redlining when there is a backup, that is pretty much where threads 
should be set.  By going to 500 you are definitely overdoing it and 
causing other issues.


Matt



Chris Patterson wrote:

Threads = 500

 

3 days (approx): 1420731   [Spam: 1392289   Virus: 114]   Relay High: 0


 

 

 




*From:* [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]] *On Behalf 
Of *Darrell ([EMAIL PROTECTED] 
mailto:[EMAIL PROTECTED])

*Sent:* Monday, February 19, 2007 2:53 PM
*To:* declude.junkmail@declude.com mailto:declude.junkmail@declude.com
*Subject:* Re: [Declude.JunkMail] Declude/Sniffer Issues

 

What is your mail volume and how many threads do you have declude 
configured for?



Darrell


Check out http://www.invariantsystems.com for utilities for Declude 
And Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
integration, MRTG Integration, and Log Parsers.


- Original Message -

*From:* Chris Patterson mailto:[EMAIL PROTECTED]

*To:* declude.junkmail@declude.com
mailto:declude.junkmail@declude.com

*Sent:* Monday, February 19, 2007 2:20 PM

*Subject:* RE: [Declude.JunkMail] Declude/Sniffer Issues

 


When this issue happens which seems more frequent, I do clear out
the thousands of left behind files.  I am more trying to find a
way to prevent it or reason that is happening.

 


And yes, Sniffer does have a hard time operating when it hoses up
that bad.

 




*From:* [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]] *On
Behalf Of *Darrell ([EMAIL PROTECTED]
mailto:[EMAIL PROTECTED])
*Sent:* Monday, February 19, 2007 1:40 PM
*To:* declude.junkmail@declude.com
mailto:declude.junkmail@declude.com
*Subject:* Re: [Declude.JunkMail] Declude/Sniffer Issues

 


Chris,

 


I am gathering that you are running Sniffer in persistent mode?  I
would stop your Declude and Sniffer services.  Then go into the
sniffer directory and remove all of the *.fin, *.svr files.  I am
not sure what the .xxx files are.  I have yet to see those.  Then
I would check your Sniffer log for any errors.  After making sure
there are no errors I would restart the Sniffer persistent service
and Declude and see if the issue is resolved.  It's possible
Sniffer could be stepping on itself trying to weed through all
those files. 

 


Darrell


Check out http://www.invariantsystems.com for utilities for
Declude And Imail.  IMail/Declude Overflow Queue Monitoring,
SURBL/URI integration, MRTG Integration, and Log Parsers.

- Original Message -

*From:* Chris Patterson mailto:[EMAIL PROTECTED]

*To:* declude.junkmail@declude.com
mailto:declude.junkmail@declude.com

*Sent:* Monday, February 19

Re: [Declude.JunkMail] [Declude.JunkMail] IMail 2006.2

2007-02-12 Thread Matt
It's good practice to not release details of a vulnerability until the 
vulnerability is patched.  Because IMail has been around for so long and 
has a large installed base, they are a frequent target.  It would also 
appear that there are some security people that like to focus on IMail 
and are uncovering such things (people contributing to iDefense in this 
case).  The attack vector appears quite minimal as the notes indicate 
that you have to browse to a site with the exploit from the server that 
has IMail installed on it.


Matt



John T (lists) wrote:

Interesting. I guess those were not previously publicly disclosed.

John T


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike N
Sent: Monday, February 12, 2007 11:43 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] [Declude.JunkMail] IMail 2006.2

From the release notes -

Addressed the following security vulnerabilities (identified by iDefense 
Labs):

[IDEF2159] IMailServer.WebConnect Buffer Overflow Vulnerability
[IDEF2160] IMail Server 2006 IMailLDAPService.Sync3 Heap Overflow 
Vulnerability
[IDEF2161] IMail Server 2006 IMailLDAPService.Init3 Heap Overflow 
Vulnerability

[IDEF2162] IMail Server 2006 IMailServer.Connect Buffer
[IDEF2163] IMail Server 2006 IMailUserCollection.SetReplyTo Buffer Overflow 
Vulnerability


Remote exploitation of an ActiveX control buffer overflow vulnerability in 
IMail Server 2006 could allow attackers to execute arbitrary code with the 
credentials of the user visiting a malicious website. To exploit this issue, 
a user would have to visit a malicious website from a computer with IMail 
Server installed on it. The vulnerable component is also likely installed 
with any IPSwitch product that includes the IMail Server. This includes 
products such as its Collaboration Suite packages.


- Original Message - 
From: John T (lists) [EMAIL PROTECTED]

To: declude.junkmail@declude.com
Sent: Monday, February 12, 2007 2:16 PM
Subject: RE: [Declude.JunkMail] [Declude.JunkMail] IMail 2006.2


What vulnerability in 2006.1 are you referring to? AFAIK, there is none.

John T

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike N
Sent: Monday, February 12, 2007 9:44 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] [Declude.JunkMail] Imail 2006.2

Especially since 2006.2 fixes a vulnerability in 2006.1 - we'll have to roll
it out quickly.

- Original Message - 
From: Scott Fisher [EMAIL PROTECTED]

To: declude.junkmail@declude.com
Sent: Monday, February 12, 2007 12:28 PM
Subject: Re: [Declude.JunkMail] [Declude.JunkMail] Imail 2006.2


  

It would be nice to know.

- Original Message - 
From: David Barker [EMAIL PROTECTED]

To: declude.junkmail@declude.com
Sent: Monday, February 12, 2007 11:05 AM
Subject: RE: [Declude.JunkMail] [Declude.JunkMail] Imail 2006.2




We have not tested against IMail 2006.2
  





Re: [Declude.JunkMail] Need hep - mail server sending out stock reports email

2007-02-07 Thread Matt




Howard,

These are always blended threats. You were hacked through another
mechanism and through that mechanism this file was placed on your
system. There's a 99.9% chance that your server is still hacked and
that this program can be placed there again, or might even appear
automatically at your next reboot.

You are running an insecure version of IMail, and this is the most
likely way that you were hacked. You need to be on 8.22 with the
latest hotfix or 9.1 and above.

In the meantime, you should firewall your server so that only the
minimum necessary ports are open. This can inhibit the botnet owners
from controlling you and it will most likely stop what is going on
since they use automation to control their zombies, but that certainly
wouldn't mean that you are safe.

Once hacked, the best advice is always to reformat and reinstall, plus
immediately change all administrator passwords everywhere on your
network and break all network shares from the hacked box to others.
Keep a unique password on the hacked box until you have rebuilt it.

While it is possible that one could fully remove all elements of a
hack, it is neither likely nor safe to assume that you could, and it
generally takes more hours to fiddle with things rather than format and
rebuild it. Also, until you upgrade to a non-hackable version, you are
at risk of being re-hacked, so there is no sense in rebuilding until
then. The only way to protect an older version of IMail from these
exploits is to firewall it and place the SMTP service behind a proxy
that won't forward the exploitable commands. It is of course easier
just to upgrade, and at least 8.22 with the latest hotfix is very solid
and not that much different from 8.15 on the surface, however Declude
will need to be upgraded to version 3 or 4.

Sorry for the grim outlook, but it is all good advice.

Matt



Howard Smith (N.O.R.A.D.) wrote:

  
  

  
  
  
  

  
  
  
The file location is C:\WINNT\system32\ssm.exe
118kb date 02/05/7 2:45

Howard Smith
N.O.R.A.D. Inc.
P.O. Box 680116
Miami, Florida 33168
www.norad.com
[EMAIL PROTECTED]
Office - (305) NETWORK (638-9675)
Sales - (786) 206-0045
Fax1 - (305) 359-5144

Confidentiality Notice: This email message, including any
Attachments, is for the sole use of the intended recipient(s) and may
contain confidential and privileged information. Any unauthorized
review, use, disclosure or distribution is prohibited. If you are not
the intended recipient, please contact [EMAIL PROTECTED] by email and
destroy all copies of the original message.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John T (lists)
Sent: Wednesday, February 07, 2007 8:57 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Need hep - mail server sending out stock reports email

Going aGoogling found that the Intel LANDesk uses a file called ssm.exe
and there are a couple of programs listed as monitors using it, so be
careful before just deleting that file.

Exactly where was the file?

Since Howard is running IMail 8.15 this means that his server has been
compromised ala the SMTP vulnerability that is fixed only in 8.22
(patched) and 9.1. So, it is not a virus that would be found by F-prot
or Symantec, but a server hijack or compromise.

John T

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Justin Moose
Sent: Wednesday, February 07, 2007 3:11 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Need hep - mail server sending out stock reports email

I called Howard on this, but for everyone else's info, if you are seeing
this, look for ssm.exe to be a running process. I found this on an
Imail server that I administer for another company this morning. The
file was showing processing time in the task manager and showed up on
the Services list at Security Systems Manager, but the file had a
modified date of 2/5/07 and no updates had been done on that server for
over a week. Stopping this service stopped the junk messages from going
out.

Neither F-prot or Symantec showed this file as a virus; however I did
submit it to Symantec for analysis.

Justin Moose
Information Technology Manager
Sioux Valley Energy
DID: (605) 256-1644
Fax: (605) 256-1690
Toll Free: (800) 234 1960

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Howard Smith (N.O.R.A.D.)
Sent: Wednesday, February 07, 2007 4:24 PM
To: declude.junkmail@declude.com
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Need hep - mail server sending out stock reports email

Running imail 8.15, sniffer and declude - starting on 2/6/7 my mail
server started sending out the stock reports email, even when I stop the
imail smtp process, nothing is in the Imail logs indicating problems. I
have ran full scans with frprot

Re: [Declude.JunkMail] SPAM reductions ?

2007-01-31 Thread Matt

Karl,

It would be wise to fix your name servers in any event.

Regarding spam reductions, we protect a fair number of domains, and 
nothing notable has happened.  Things can vary widely on servers with 
only a few domains though.


Matt



IS - Systems Eng. (Karl Drugge) wrote:


Haven't used them in years. The SPAM reduction is a lot more recent.

 

 


Karl Drugge

 

 

 

 

 

 


-Original Message-
*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of 
*Colbeck, Andrew

*Sent:* Wednesday, January 31, 2007 11:55 AM
*To:* declude.junkmail@declude.com
*Subject:* RE: [Declude.JunkMail] SPAM reductions ?

 

Karl, maybe your spam slowdown is because of the lame delegation of 
two out of three of your DNS servers listed in your WHOIS.


 


http://www.dnsreport.com/tools/dnsreport.ch?domain=casselberry.org

 


How long have you not been using the DNS servers at twtelecom.net ?

 


Andrew.

 

 




*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On
Behalf Of *IS - Systems Eng. (Karl Drugge)
*Sent:* Wednesday, January 31, 2007 5:23 AM
*To:* declude.junkmail@declude.com
*Subject:* [Declude.JunkMail] SPAM reductions ?

Anyone seeing a reduction in incoming SPAM ? I've been looking at
my morning reports, and my incoming mail is off by 30 percent or
so for the past two weeks.

 


Typically, I'll see 12-15k messages a day, but lately it's been
9-12k. I can't believe I'm the only lucky one...

 

 


Karl Drugge

 




Re: [Declude.JunkMail] SmarterMail Experiences

2007-01-29 Thread Matt
I know that cost is a big thing with many, but if you really work it 
out, upgrades for both can be comparable if you buy your IMail SA from a 
supplier that doesn't mark it up that much.  SmarterMail is on a one-year 
upgrade cycle, and they have no upgrade protection, and they don't 
include support in their license beyond one credit per purchase.  
Personally I'm not happy with the support that I did receive as they 
took my bug report and were verbally dismissive of it and they never got 
back to me.  Their CEO participates on the message board, but he doesn't 
like anyone saying anything negative and gets defensive and dismissive.  
This isn't universal, though I tend not to ask for support on everyday 
stuff and that may be where they do a good job.


There are six main things that I don't like about SmarterMail:

   1) Very little control over the domain-admin and user interfaces.
   This includes hacking the layout, and especially hiding buttons.
   They have a sub-mailbox functionality for instance that can't be
   hidden from domain admins, and also things like spam blocking tools
   which I don't use and can be confusing.  Essentially most features
   that you would want to hide can't be hidden without some very
   convoluted hacking with DHTML (JavaScript and CSS).

   2) Their spooling will retry only 4 times, after which the message
   will be bounced.  You can set the delay for each retry, but there is
   no setting for retrying until a certain point of tries or time.
   This might have changed in 4.x.

   3) They store E-mail in a binary encoded format which makes them
   uneditable beyond changing the content of a message.  You can't
   manually remove messages from a mailbox file or do things like merge
   two mail box files together.  The interface seems to be the only way
   to go about doing this stuff.

   4) Size limitations can only be controlled by the administrator as a
   total for a domain.  Domain admins can change their default mail box
   sizes and the sizes of established mailboxes through the interface
   with no way to stop them that I am aware of.

   5) They have an issue with their service locking mailboxes
   occasionally that requires me to reboot to free up the lock.  Others
   have also experienced this so it is real.  I don't know if this has
   been fixed in 4.x, but this is also the issue that I reported to
   them and they blew off.

   6) Sometimes they don't listen to reasonable things without an
   uproar.  We saw this happen on this very list when there was a group
   of us that was unhappy about their lack of AUTH enforcement on port
   587.  The Declude folk helped push that issue with them, and they
   only then said that they would change it.  Of course, this is a
   common occurrence everywhere from a lowly user perspective, and some
   companies never listen.

Those are the things that I didn't catch in doing my initial review that 
I really wish were different.  There are some real nice things about it 
too, and when you change providers you also lose the years of baggage 
from the other one and start fresh.  I've been on the fence about 
migrating back to IMail; for a while I was definitely going back and 
then I saw version 4 of SmarterMail, and then last week the CEO made me 
unhappy and took a real odd stance on providing some form of upgrade 
protection (pretty much indicated that if we didn't like it, we should 
go and find something else...and best wishes too).  If I go to 4.x, it 
will be the third time in 1 1/2 years that I will have been paying them 
for their software, or around $1,000 a year at the current clip.  That 
will average out over time, but it's less of a bargain for me than it 
appears.  When you purchase, what size and version, and how often you 
upgrade will all have an effect, and this is not universal.


The new car is never as nice as it is on the first day you drive it, so 
pay careful attention when you are reviewing.  SmarterMail is no doubt 
the best when it comes to third-party automation through things like 
control panels.


Regarding your Declude issues, if you run 3.x or 4.x that should fix the 
issue.  I have no big issues with Declude and IMail 8.22, though I am 
also behind Alligate which keeps a lot of the trash out that can cause 
exceptions in things like Declude or Queue Manager.


Matt


Bill Green dfn Systems wrote:


Well now that we have moved from IMail 8.15 to 8.22, we are now 
experiencing the problem where Declude needs to be restarted regularly 
to correct an apparent memory leak. I remember following threads about 
this problem and how the upgrade to IMail 2006.1 generally solved the 
problem.


Since we are going to have to change to the new IMail platform anyway 
and our support agreement is up for renewal, I have been reviewing 
SmarterMail. The apparent benefits I've seen so far are lower cost, 
lower resource utilization (especially WebMail), and support beyond 
IMail's 8X5 hours.


The only

Re: [Declude.JunkMail] Weird email problem

2007-01-25 Thread Matt

Sharyn,

I'm not the 'list police', but it is proper etiquette not to post the 
same thing in multiple lists at the same time, especially when many from 
one list are on the other.  This has in fact caused confusion in the 
past with your posts because one conversation starts in one place and is 
simultaneously being discussed in another, and in part by the same people.


I would suggest that you post it in the most appropriate list, and only 
post it elsewhere if you can't find resolution there.


Regarding your issue, it would be best to share the headers from the 
E-mail with the Received lines intact.


Good luck,

Matt



Sharyn Schmidt wrote:


I'm having a REALLY WEIRD email problem, makes me feel like I'm in the 
twilight zone...


One of my users reported that she did not receive an email from 
[EMAIL PROTECTED] until TODAY, but the email was sent on 
Tuesday, 1/23, at 10:28am. She forwarded me a copy of the email. The 
following is from my Imail log from 1/23...



01:23 10:31 SMTPD(2a4b22aaf903) [24.73.160.163] connect 64.168.89.133 port 23634
01:23 10:31 SMTPD(2a4b22aaf903) [64.168.89.133] EHLO WDL.wilsondaniels.com
01:23 10:31 SMTPD(2a4b22aaf903) [64.168.89.133] MAIL FROM:[EMAIL PROTECTED]
01:23 10:31 SMTPD(2a4b22aaf903) [64.168.89.133] RCPT TO:[EMAIL PROTECTED]


After this line, there is NOTHING else. The whole process for this 
email just seems to stop. In the IMAIL log for that day, I did a 
search for the d2a4b22aaf903.smd and the q2a4b22aaf903.smd, 
but turned up absolutely nothing.


I did searches in both my Declude Junkmail and virus logs for the q 
and d files as well, nothing. I did searches in my logs on 1/24 and 
still turned up nothing. In the 1/23 Junkmail log, I even used the 
email address, [EMAIL PROTECTED], and came up with nothing.


Then, I looked in today's log, at the time that the user finally 
received the message. Here is the log entry from Imail:



01:25 08:10 SMTPD(ac2c2766c9d4) [64.168.89.133] EHLO WDL.wilsondaniels.com
01:25 08:10 SMTPD(ac2c2766c9d4) [64.168.89.133] MAIL FROM:[EMAIL PROTECTED]
01:25 08:10 SMTPD(ac2c2766c9d4) [64.168.89.133] RCPT TO:[EMAIL PROTECTED]
01:25 08:10 SMTPD(ac2c2766c9d4) [64.168.89.133] D:\IMAIL\spool\Dac2c2766c9d4.SMD 958
01:25 08:10 SMTPD(ac2c2766c9d4) performing antispam checks

That's it for the log entry in Imail. I checked the Declude Junkmail 
log, and found the following, below. Please note that the entire 
@wilsondaniels.com domain is whitelisted. Also, my user DID indeed 
receive this message, today, 2 days later. Going by the subject line 
(Good morning), it looks like the message that was sent on Tues, even 
though the spool file names are different. Can anyone clue me in on 
what is going on here? This isn't the only message from wilsondaniels 
that was sent on Tues and received today. I just haven't gotten the log 
entries for the other ones yet.




Rec'd the message on 1/25, log entry in Declude Junkmail log:
01/25/2007 08:10:10.125 qac2c2766c9d4.smd IP 64.168.89.133 not in whitelist (63.246.13.90).  nm=
01/25/2007 08:10:10.125 qac2c2766c9d4.smd IP 64.168.89.133 not in whitelist (192.168.100.0/24).  nm=ff00
01/25/2007 08:10:10.125 qac2c2766c9d4.smd IP 64.168.89.133 not in whitelist (192.168.110.0/24).  nm=ff00
01/25/2007 08:10:10.125 qac2c2766c9d4.smd IP 64.168.89.133 not in whitelist (192.168.120.0/24).  nm=ff00
01/25/2007 08:10:10.125 qac2c2766c9d4.smd IP 64.168.89.133 not in whitelist (192.168.130.0/24).  nm=ff00
01/25/2007 08:10:10.125 qac2c2766c9d4.smd IP 64.168.89.133 not in whitelist (192.168.140.0/24).  nm=ff00
01/25/2007 08:10:10.125 qac2c2766c9d4.smd IP 64.168.89.133 not in whitelist (192.168.150.0/24).  nm=ff00
01/25/2007 08:10:10.125 qac2c2766c9d4.smd IP 64.168.89.133 not in whitelist (10.10.100.0/24).  nm=ff00
01/25/2007 08:10:10.125 qac2c2766c9d4.smd IP 64.168.89.133 not in whitelist (24.73.160.164).  nm=
01/25/2007 08:10:18.125 qac2c2766c9d4.smd Filter URLfilter: Not skipping E-mail due to current weight  of 20.
01/25/2007 08:10:18.156 qac2c2766c9d4.smd Filter InBodyFilter: Not skipping E-mail due to current  weight of 20.
01/25/2007 08:10:18.171 qac2c2766c9d4.smd Filter InHeadersFilter: Not skipping E-mail due to current  weight of 20.
01/25/2007 08:10:18.187 qac2c2766c9d4.smd Filter FILTER-ADULT: Not skipping E-mail due to current  weight of 20.
01/25/2007 08:10:18.203 qac2c2766c9d4.smd Filter FILTER-MEDICAL: Not skipping E-mail due to current  weight of 20.
01/25/2007 08:10:18.218 qac2c2766c9d4.smd FROMNOMATCH:3 HELOBOGUS:5 MAILFROM:12 .  Total weight = 20.
01/25/2007 08:10:18.218 qac2c2766c9d4.smd Tests failed [weight=20]: CATCHALLMAILS=IGNORE[0]  NOLEGITCONTENT=IGNORE[0] IPNOTINMX=IGNORE[0] FROMNOMATCH=IGNORE[3] HELOBOGUS=IGNORE[5]  MAILFROM=IGNORE[12] WEIGHT10=IGNORE[10] WEIGHT12=IGNORE[12]


01/25/2007 08:10

Re: [Declude.JunkMail] Weird email problem

2007-01-25 Thread Matt
The headers show conclusively that your server didn't receive this 
message until almost two days after it was sent.  It was stuck on the 
sender's own server and not yours.


Matt



Sharyn Schmidt wrote:
Regarding your issue, it would be best to share the headers from the 
E-mail with the Received lines intact.


 
Here are the headers from the original email:
 
Received: from WDL.wilsondaniels.com [64.168.89.133] by cruzaninc.com 
with ESMTP

  (SMTPD-9.10) id A2950324; Thu, 25 Jan 2007 00:39:33 -0500
Received: from WilsonDaniels-DOM-MTA by WDL.wilsondaniels.com
 with Novell_GroupWise; Tue, 23 Jan 2007 07:28:54 -0800
Message-Id: [EMAIL PROTECTED] 
mailto:[EMAIL PROTECTED]

X-Mailer: Novell GroupWise Internet Agent 7.0.1
Date: Tue, 23 Jan 2007 07:28:28 -0800
From: Johnna Cooledge [EMAIL PROTECTED] 
mailto:[EMAIL PROTECTED]
To: 'Judith Taylor' [EMAIL PROTECTED] 
mailto:[EMAIL PROTECTED]

Subject: Good Morning
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
X-Declude-Sender: [EMAIL PROTECTED] 
mailto:[EMAIL PROTECTED] [64.168.89.133]

X-Declude-Spoolname: D429526d4aecd.smd
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.3.23 for spam. 
http://www.declude.com/x-note.htm;

X-Declude-Scan: Incoming Score [0] at 00:39:45 on 25 Jan 2007
X-Declude-Fail: Whitelisted
X-Country-Chain:
X-RCPT-TO: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
Status: 
X-UIDL: 465367379

X-IMail-ThreadID: 429526d4aecd
 


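The hop-by-hop reading of the Received lines that this reply relies on, as an added example that is not part of the original thread: it walks the headers from oldest to newest and reports which host held the message between two timestamps. The function names, the one-hour threshold and the placeholder From/To addresses are assumptions made for the example.

```python
"""Locate where a delayed message sat by walking its Received headers."""
import re
from datetime import timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the Received and Date values are those quoted in the
# thread; the From/To addresses are placeholders (the archive redacted them).
SAMPLE_HEADERS = """\
Received: from WDL.wilsondaniels.com [64.168.89.133] by cruzaninc.com
  with ESMTP (SMTPD-9.10) id A2950324; Thu, 25 Jan 2007 00:39:33 -0500
Received: from WilsonDaniels-DOM-MTA by WDL.wilsondaniels.com
  with Novell_GroupWise; Tue, 23 Jan 2007 07:28:54 -0800
Date: Tue, 23 Jan 2007 07:28:28 -0800
From: sender@example.invalid
To: recipient@example.invalid
Subject: Good Morning

"""

BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)


def _parse_stamp(text):
    """Return an aware datetime for an RFC 5322 date string, or None."""
    try:
        when = parsedate_to_datetime(text.strip())
    except (TypeError, ValueError):
        return None
    if when.tzinfo is None:  # "-0000" or missing zone: treat as UTC
        when = when.replace(tzinfo=timezone.utc)
    return when


def parse_hops(raw):
    """Return (message, hops) with hops ordered oldest first.

    Each hop is {"by": receiving host, "time": aware datetime}.
    Received headers are prepended by each server, so the list is reversed.
    """
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        unfolded = " ".join(value.split())        # undo header folding
        info, sep, stamp = unfolded.rpartition(";")
        when = _parse_stamp(stamp) if sep else None
        if when is None:
            continue                               # no usable timestamp
        by = BY_RE.search(info)
        hops.append({"by": by.group(1) if by else "?", "time": when})
    return msg, hops


def find_delays(raw, threshold=timedelta(hours=1)):
    """Return [(held_by, next_hop, gap)] for every gap >= threshold.

    The host that stamped the earlier Received line is the one that held
    the message until the next host accepted it. Negative gaps (clock
    skew between servers) are ignored rather than reported as delays.
    """
    msg, hops = parse_hops(raw)
    prev_time = _parse_stamp(msg.get("Date") or "")
    prev_holder = "origin (Date header)"
    findings = []
    for hop in hops:
        if prev_time is not None:
            gap = hop["time"] - prev_time
            if gap >= threshold:
                findings.append((prev_holder, hop["by"], gap))
        prev_time, prev_holder = hop["time"], hop["by"]
    return findings


if __name__ == "__main__":
    for held_by, next_hop, gap in find_delays(SAMPLE_HEADERS):
        print(f"{gap} between {held_by} and {next_hop}: held by {held_by}")
```

Only the Received line stamped by your own server is under your control; lines below it are written by other hosts and can carry skewed clocks or be forged, so treat earlier hops as the sender's claim.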

Re: [Declude.JunkMail] Stopping Unwanted Virus Notifications

2007-01-03 Thread Matt

Don,

More than 99% of viruses forge the sender, so therefore there is no 
utility in notifying anyone since 99% of it would be misplaced.  The 
only non-forging viruses that you are likely to see are macro viruses 
and they are quite rare these days.


The only notifications that I send out are from bannotify.eml which is 
for banned extensions.  These will only be triggered when a banned 
extension is seen and a virus is not detected.  I also skip sending 
these for encrypted archives using the following in my bannotify.eml file:


   SKIPIFEXT ZIP-EXE
   SKIPIFEXT ZIP-SCR
   SKIPIFEXT ZIP-PIF
   SKIPIFEXT ZIP-COM
   SKIPIFEXT RAR-EXE
   SKIPIFEXT RAR-SCR
   SKIPIFEXT RAR-PIF
   SKIPIFEXT RAR-COM

You should also add a SKIPIFEXT line for every BANNAME entry in your 
virus.cfg file.


Still with this config, during an outbreak like the one last week where 
my scanners lagged detection by one to two days, I was creating a ton of 
backscatter.  This can be improved by running JunkMail before Virus and 
applying an action of either HOLD or DELETE on certain weights so that 
such messages if scored high enough, will not need to be bounced.  If 
you use ROUTETO and have only one domain that you capture spam in, then 
you should also add to your bannotify.eml file a line that has 
SKIPIFRECIP @your-capture-domain.com so that things that are captured 
as spam, but not deleted, will not generate bannotify.eml bounces.


During any given time my system receives between 5% and 10% of all 
connection traffic from backscatter, virtually all of it to invalid 
addresses on the domains that I protect.  This volume is so tremendous 
that it outpaces legitimate E-mail by as much as three times.  I would 
implore everyone here to stop using postmaster.eml, sender.eml and 
recipient.eml bounces entirely even if they take care to try to keep up 
with forging virus names.  When over 99% of it is forging, it makes no 
sense to be bouncing any of it when it is detected as a virus.


Matt



Don Schreiner wrote:


I am looking for the best approach to stop notifications to both 
sender and recipients of virus detection (to reduce what I call back 
scatter). However, if one of our own customers sends an e-mail and 
whereas a virus is detected, I certainly want them to receive a 
notification about same so they can check their computer. What is the 
best way to set this up in Declude 4.0+?


 

Reviewing the Declude Manual for 4.08 (while it does not specifically 
state this), if you remove the Recipient.eml and the Postmaster.eml, 
this would be one method to stop the notifications, but I am unsure 
what other wanted notification functions this would break?


 

Another approach I used prior to upgrade was to modify the EML files 
with the following. I am not sure this is still the best approach? Is 
there a more up-to-date list of Virus' that forge the sender address?


 


SKIPIFVIRUSNAMEHAS Magistr

SKIPIFVIRUSNAMEHAS Vulnerability

SKIPIFVIRUSNAMEHAS Klez

SKIPIFVIRUSNAMEHAS Bugbear

SKIPIFVIRUSNAMEHAS W32/[EMAIL PROTECTED]

SKIPIFVIRUSNAMEHAS W32/[EMAIL PROTECTED] mailto:W32/[EMAIL PROTECTED]

 


Thanks.

 


-Don

 




Re: [Declude.JunkMail] Valid Senders - Best Declude Practices

2006-12-28 Thread Matt

Mike,

You are making your life more difficult by approaching it this way.  
Since you gateway, you need recipient validation, and that alone will 
drop your utilization by at least half if not much more.  You would also 
benefit from pre-scanning.  Alligate does both things painlessly.  Just 
ask them for a trial license and read their manual pages.  It's not that 
expensive either.


Matt



Michael Cummins wrote:
I can strongly consider Alligate in front of Declude. 



So let's say I build a dedicated Alligate box to live in front of my two
Declude enabled servers.  How much of a load would it be able to handle?  I
would need it to handle close to 250k messages per day (current combined
load) with room to grow, and it looks like Alligate is
yet-another-thousand-dollar-thing-that-will-need-yearly-subscriptions-of-hundreds-of-dollars.

I'd be happier if I could just send my money to one company.  So would
Declude, I'm sure.  But hey.  If that's what you gotta do.

I was thinking of using a home built postfix gateway to go in front of the
boxen, and if I need more I was just going to add more identical postfix
boxen a la round robin DNS.

Bad idea?  Good idea?

But my customers could use some help today, which is why I was thinking of
using Declude to do some recipient verification.  Conceptually, that would
cut down the work load considerably, right?  I've been having trouble with
my Message Sniffer (in persistent mode) going into a cascading failure
during peak periods because of the volume; so I leave it off most of the
time, which is a huge waste.  


I'm just wondering how to go about using Declude to do this.

Thanks for all the feedback!  I've got an open mind.

-- Michael Cummins




Re: [Declude.JunkMail] 2006 Upgrade Webmail Problem

2006-12-26 Thread Matt

In the IMAP service, turn off force subscribe and it should be fine.

Matt



Chris Anton wrote:
Hi all.  Glad that Ipswitch has the day off... too bad I don't.  We 
upgraded to 2006.1 from 8.22 this weekend.  I am now getting a problem 
with sub mail boxes in web mail... they don't show new messages, and I 
can't view the messages.  Tried removing the .xml, .srt and .uid files 
to no avail.  Checked the perms, and everything seems to be fine 
there... This isn't affecting main mail boxes, just subs.  Found a 
Object reference not set to an instance of an object. when 
attempting to reply to these sub mail box emails.  The mail boxes 
don't even show the number of new messages.  Any thoughts Please help


Best Regards,

Chris Anton
Web Solutions, Inc.
Tel: 203-235- x25
[EMAIL PROTECTED]
www.websolutions.net





Re: [Declude.JunkMail] How to condition on attained weight

2006-12-20 Thread Matt
You can do this with two filters, but not one.  In the first filter you 
would have the following:


SKIPIFWEIGHT   10
REMOTEIP   0   CONTAINS   .

In the second filter you would add at the top:

TESTSFAILED   END   CONTAINS   NAME-OF-THE-FIRST-FILTER

Matt



Don Brown wrote:

Can anyone tell me how to condition a filter on the attained weight of
the e-mail?  Much the same as the following statement, I want to end
the test unless the message has a score of 10 or more.  Is there a way
to do that?

BODYEND NOTCONTAINS Content-Type: image/

Thanks,


Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED]   http://www.inetconcepts.net
(972) 788-2364Fax: (972) 788-5049







Re: [Declude.JunkMail] OT: Message Storage

2006-12-18 Thread Matt

Karl,

We were specifically talking about SOX (Sarbanes-Oxley) compliance, 
which has no legal applicability to your own needs.  Your needs are 
governed by Florida's Government-in-the-Sunshine laws which allow for 
public inspection of most records.


Matt



IS - Systems Eng. (Karl Drugge) wrote:

EXACTLY why we have the city attorney and another legal specialist
helping to formulate our own new policy. Best to invest some real $$$
now, before we get sued for our ignorance ( and  )
later.


Karl Drugge
 
 
 
 
 
 
-Original Message-

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Sanford Whiteman
Sent: Sunday, December 17, 2006 1:46 PM
To: Matt
Subject: Re[2]: [Declude.JunkMail] OT: Message Storage

/snip

In  summary: you still don't know about e-mail archival for compliance
purposes.

Thanks for sharing.

--Sandy






Re: [Declude.JunkMail] OT: Message Storage

2006-12-18 Thread Matt
chiving scheme
using some form of copy-all functionality.

One should look for guidance from all applicable sources, but one
should also understand that others may be in an extreme risk-averse
mindset, may be in a position to profit from certain solutions, or may
not understand what is really required. As consultants, service
providers, and direct staff, we all must keep in mind that we don't
want to become part of the problem.




Matt




IS - Systems Eng. (Karl Drugge) wrote:

  True, I'm covered by different laws..

But in regards to keeping 'legal', in all senses of the word, especially
when you are discussing 'home grown' versus 'off the shelf' solutions,
it would be best to consult legal advisors before implementing anything.
If you aren't sure, get advice. If you are sure, get it in writing.

I was private sector long before I converted to government, and still
keep some of those clients. Most of my clients would much rather have a
lawyer's sign-off, especially if it's going to help them avoid a lawsuit
later.

Karl Drugge
 
 
 
 
 
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Monday, December 18, 2006 12:48 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] OT: "Message" Storage

Karl,

We were specifically talking about SOX (Sarbanes-Oxley) compliance, 
which has no legal applicability to your own needs.  Your needs are 
governed by Florida's "Government-in-the-Sunshine" laws which allow for 
public inspection of most records.

Matt



IS - Systems Eng. (Karl Drugge) wrote:
  
  
EXACTLY why we have the city attorney and another legal specialist
helping to formulate our own new policy. Best to invest some real $$$
now, before we get sued for our ignorance ( and  )
later.


Karl Drugge
 
 
 
 
 
 
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Sanford Whiteman
Sent: Sunday, December 17, 2006 1:46 PM
To: Matt
Subject: Re[2]: [Declude.JunkMail] OT: "Message" Storage

/snip

In  summary: you still don't know about e-mail archival for compliance
purposes.

Thanks for sharing.

--Sandy




Re: [Declude.JunkMail] OT: Message Storage

2006-12-18 Thread Matt

Karl,

If you want to buy the poster, you might try this link:

   http://www.thinkgeek.com/homeoffice/posters/58fc/

BTW, I wasn't suggesting that you hijacked the thread, rather I and 
others did from William Stillwell when he asked about E-mail archiving 
that doesn't cost an arm and a leg.


Your point about keeping baby pictures is a valid one.  Technically you 
are not required to keep such things under SOX...only business 
communications and more specifically, ones that pertain to the finances 
and operation of the business, are covered.  There are even solutions 
that do filtering to determine if a message should or shouldn't be 
archived, though being somewhat risk-averse, and knowing that such 
filtering isn't perfect, I would not recommend such a solution.  At the 
same time though, keeping unnecessary messages can be a detriment to a 
company as these things can come out and burn you years in the future.  
How many times have we heard side comments from Microsoft execs that 
their competition or detractors used against them?  Here's one such 
example where a MS executive told others that he would be using a Mac if 
he didn't work for Microsoft.  Here's the blog that tries to explain 
what he meant...


   
http://windowsvistablog.com/blogs/windowsvista/archive/2006/12/12/title.aspx


People are caught having affairs with others in the office, partying, 
and other things that represent private comments.  The fact is that none 
of that stuff is required to be kept and it shouldn't be archived if one 
can help it.  The SEC doesn't care about such things and they are the 
ones requiring retention, but having a massive stash of E-mail covering 
anything and everything actually increases the possibility of needing to 
spend money fulfilling a court order to produce such things.  You can 
likely blanket exclude certain classes of employees since they never 
deal with anything the SEC is concerned with, and that is wise.  
Retaining all such E-mails is another example of risk-aversion as well 
as complication, but the retention itself should be approached with some 
degree of risk-aversion as well.


Matt




IS - Systems Eng. (Karl Drugge) wrote:


Gotta love that picture Keeping it for my personal laptop back ground.

 

I'll agree with you 99%.. I hate lawyers with a passion, and excepting 
the miniature French poodle and HR personnel, they are loathed beyond 
all else.


 

But, in doing a risk assessment, factors like the possible cost of a 
possible law suit is something that should be considered. A hospital 
is a good example. Regardless of what the I.T. team is doing ( for 
good or ill ), it's a good idea to get the advice of a legal 
professional. Just one suit will offset the cost of hundreds of 
consultations. It's not always possible, especially in the smaller 
firms, to CYA in this fashion, but a sign off from above works just as 
well.


 

As IT management, I stress that we offer the company technical 
solutions. What we CAN do is very different in most cases, from what 
we SHOULD do. The SHOULD do part comes from written company policy. 
 Written company policy needs impartial review, from as many 
perspectives as possible. Medical/Legal/Financial records all have 
different retention requirements. This includes emails which pertain 
to these records ( or even have them imbedded ). So, how do you handle 
your archives then ? Keeping ALL the emails will get you fried if you 
have expunged records in your archives ( if you're an attorney ). Who 
sorts these emails for relevant information to determine if they even 
should be stored ? SOX doesn't require I keep emailed pictures of my 5 
year old nieces B'day party.. So do you check each one individually ?! 
Yargh ! Leave it up to the end users ? Oh boy...


 

So, why do ( or don't ) you have these records ? Company policy will 
be the only thing that keeps you as the email admin from getting 
thrown under the bus. Easy, company policy dictates it. You're off the 
hook. Remember, when the witch hunt ends, you don't want to be the one 
wearing the pointy hat.


 


Apologies for the hijacked thread...

 


Karl Drugge

 

 

 

 

 

 


-Original Message-
*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of 
*Matt

*Sent:* Monday, December 18, 2006 2:36 PM
*To:* declude.junkmail@declude.com
*Subject:* Re: [Declude.JunkMail] OT: Message Storage

 


Karl,

The problem is assuming that keeping it 'legal' involves lawyers for 
instance.  The Sarbanes-Oxley Act of 2002 was enacted by Congress and 
the responsibility for clarifying the law into workable practices was 
assigned to PCAOB (The Public Company Accounting Oversight Board, 
created by Sarbanes-Oxley), and signed off on by the SEC.  It is the 
responsibility of independent auditors to verify compliance and report 
its findings to the board of directors, who are ultimately 
responsible for the companies in question.

.

.

 Lots of good stuff

Re: [Declude.JunkMail] OT: Message Storage

2006-12-15 Thread Matt
 are readily 
available for whatever legal need applies.


I still believe that a smaller public company can be fully compliant by 
merely archiving all incoming, outgoing and internal E-mail into capture 
accounts, and archiving those capture accounts in a way that they can 
reasonably pull any data required of them as a result of an official action.


Matt



Sanford Whiteman wrote:

Unlike...  um,  anyone  on  this list, it seems... I know firsthand
what SEC and NASD think of homegrown compliance solutions.
  


  

That's why you pay someone else to do it and insist that they slap on a
fancy name like Perfect Super Uber E-mail Compliance Archive System.



If  it's  hosted  in-house,  it's  easy  to  tell  that it's homegrown
(because  the fact that it's in-house alone is often illegal). Really,
I  get  the  feeling you don't really know what passes muster and what
doesn't,  but  you're  frustrated  that a big (biggish, they're really
quite  small  in  personnel) company like GlobalRelay might be getting
some props.

I  know  you're  healthily  skeptical  of big shops hosting ostensibly
premium  software,  because  of  your  hosting  business  and boutique
approach.  But  that  doesn't  let  you blindly extend your dismissive
brush  to  other  lines  of business. Some other people know much more
about  compliance,  and  they  sure  ain't using VBScript to do it. 10
hours? You must be smokin' that good-good!

  

...no one should invest in something that doesn't meet regulations.



Yeah!

  

I  do  have  some  experience  with  the  feds, and I did work for a
multi-billion  dollar  corporation  where  my  immediate boss was in
charge  of  E-mail  for the entire company, and we were always being
sued  by  someone.



Well,  if  you  haven't  been  a  primary  participant in a compliance
audit/investigation  *specifically*  of  e-mail  archives,  you aren't
speaking  from experience. I have been part of several such processes.
That experience is where I've always been coming from on this issue: I
wouldn't  raise  a peep if I hadn't been much more intimately involved
than anyone else here.

  

That  was  pre-SOX though, but we all knew it was coming and that it
mostly just clarified retention policies by better defining what was
classified  as  a  covered  communication.



If   everyone's   best   guesses  were  accurate,  there  wouldn't  be
million-dollar fines handed out for inadequate archiving.

  

I  also have a good friend who deals with bank audits on a regular basis
as  well  as  SOX compliance. When audited, they will always point a
list  of things out, and they can find fault with anything that they
choose  to  find  fault  with.  The  real trick is ensuring that you
aren't grossly negligent.



The  real  trick  is  not  trying to do compliance on the cheap, but
understanding  why  it  exists. Know your history. If one can't handle
the  budgetary  heat  of  being  in a regulated business, but one is a
somewhat  honest person, get out of the kitchen. On the other hand, if
one  is  dishonest  --  if  one  doesn't think late trading and market
timing  are  as immoral as non-violent business gets, and if you don't
think  it's  worth  fighting for fair business practices, even if that
means you make some sacrifices because of others' evils -- do everyone
a favor and just walk off a cliff.

  

Also note that congress didn't even specify retention periods within
SOX or methods of retention, this was all inferred after the fact by
combining   aspects  of  various  laws  and  regulations,  and  they
certainly  didn't  endorse  a  particular  product  for  providing a
solution.



Yeah, that's why my involvement in ACTUAL audits -- the law as applied
-- is what I draw on in my responses.

  

With  all  of  that  said,  I  believe  that what one does should be
compatible  with  the  dynamics  of  one's  business.  For  a single
location  entity with less than 200 employees, clearly a less robust
solution  could  manage  the task, and it could be home grown.



You  seem  to think that # of locations or # of employees is relevant.
That's  a  joke! Look at the mutual fund scandals of a couple of a few
years ago, which led to many e-mail audits. Do you understand how many
single  locations  with  50 heads were involved? Didn't think so. And
have  you pieced together why late trading was worth every penny spent
on   its   investigation   and  prosecution,  and  subsequent  tighter
regulation?  Here's one way of looking at it: Ever see the show Early
Edition?  Now,  imagine if the everyday hero of that show had instead
been the Eye of Sauron.

--Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
  http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange or IMail

Re: [Declude.JunkMail] Why are these being whitelisted?

2006-12-14 Thread Matt
I'm afraid that your reading of SOX compliance is not widely practiced.  
If you block an E-mail, and it is never received by a person covered by 
SOX, then there is no reason to archive it.  SOX in fact essentially 
requires that spam and virus blocking services be utilized in order to 
help secure sensitive information by preventing such messages and their 
exploitable code and/or social engineering techniques from reaching 
end-users.


If you think of this in the same light as paper documents (which also of 
course need to be kept on hand when governed by SOX and many other 
regulations), it would be absurd to keep copies of junk postal mail 
along with legitimate business communications.  Unsolicited bulk 
commercial E-mail, viruses and scams that never reach an end-user are 
surely not the equivalent of a business communication under any regulation.


Matt




Sharyn Schmidt wrote:
We are required to archive ALL incoming mail. The Sarbanes-Oxley Act 
does not differentiate between legitimate mail and spam :)
 
I did remove the whitelist to.
 
I went back to using the masterbkup.junkmail file and just setting all 
actions to ignore.
 
I just wanted to know what had caused this, so in the future it 
doesn't happen again.
 
Thanks!
 
 


-Original Message-
*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On
Behalf Of *Darin Cox
*Sent:* Thursday, December 14, 2006 12:20 PM
*To:* declude.junkmail@declude.com
*Subject:* Re: [Declude.JunkMail] Why are these being whitelisted?

You're required to archive spam?  I can't imagine that.  I
would remove the WHITELIST TO.

Note that if any of the recipients are whitelisted, then all will
effectively be whitelisted for that message.

Darin.
 
 




Re: [Declude.JunkMail] 8.22 to 2006 Upgrade

2006-12-14 Thread Matt

Chris,

3.x or 4.x will work with IMail 8.2+.  Some have said that 1.x and 2.x 
works with the newer IMail, but there have also been many reports of 
issues, and it would make sense to upgrade both at the same time.


I have been running a 4.x version for over 6 months, and after you tune 
the Declude.cfg properly and address the 'review' issue, it is very 
solid and likely performs slightly better on my system than the 2.x 
version.  Note that there have been bugs that crop up in the newer 
releases, so I don't recommend chasing after the latest code whenever it 
is released unless you believe it will fix an issue that you are 
having.  If it matters, I have not seen any reports here about bugs in 
the latest 4.x release, though there were bugs in the release before that.


Another note, make sure that you get the new CODE from Declude's site 
and place it in your Declude.cfg.  The old CODE's that were in the 
JunkMail.cfg and Virus.cfg are no longer used and are not compatible 
with the new code, though it will run with a time bomb if you don't have 
the correct code in the correct place.


Matt



Chris Anton wrote:

Hi... Checked the archives, but didn't find anything definitive.  What version 
should / need we be running to upgrade to 2006.  Any special considerations?  
We are running Declude 2.0.6 Junkmail Pro (with sniffer), Virus Standard.  
Thanks
-Chris





Re: [Declude.JunkMail] OT: Message Storage

2006-12-14 Thread Matt
Brand it with a fancy name and they should be happy.  IMail stores 
messages in an open format, and as long as you catch all of it, and 
archive it as required, that should be all that counts.  Naturally I'm 
simplifying, but in reality, all of these other products are programmed 
by people too.


Matt



Sanford Whiteman wrote:

... and it should be acceptable to the feds.



Which feds?

The regulatory agencies I know would scoff at such a solution. But the
OP didn't mention this being done for external regulatory reasons,
anyway.

--Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
  http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases!
  
http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/
  
http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/




Re: [Declude.JunkMail] Why are these being whitelisted?

2006-12-14 Thread Matt

Sharyn,

You might want to walk into his office, pick a discarded piece of junk 
postal mail out of his garbage and ask him why he doesn't have to keep 
his junk and you do :)


Of course that might get you fired, but maybe there's some middle ground 
with an alternative approach that would allow you to better explain it.  
Printing off a stack of hundreds of junk messages and showing him that 
the legitimate ones are less than 10% of that stack might be rather 
compelling.


Matt



Sharyn Schmidt wrote:

shrug
 
IF it is a mistake, then my boss is the one that is making it
 
I just do what I'm told!
 
:)


-Original Message-
*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On
Behalf Of *Darin Cox
*Sent:* Thursday, December 14, 2006 1:31 PM
*To:* declude.junkmail@declude.com
*Subject:* Re: [Declude.JunkMail] Why are these being whitelisted?

That has to be a mistake.  For example, if a company were to use
an external filtering service, they would have no means of
archiving spam that had been filtered out.
 
Also, with spam currently at 90% of all incoming email, it's
ludicrous to have to archive 10x the actual legitimate email
volume in order to be compliant.

Darin.
 
 
- Original Message -

*From:* Sharyn Schmidt mailto:[EMAIL PROTECTED]
*To:* declude.junkmail@declude.com
mailto:declude.junkmail@declude.com
*Sent:* Thursday, December 14, 2006 12:47 PM
*Subject:* RE: [Declude.JunkMail] Why are these being whitelisted?

We are required to archive ALL incoming mail. The Sarbanes-Oxley
Act does not differentiate between legitimate mail and spam :)
 
I did remove the whitelist to.
 
I went back to using the masterbkup.junkmail file and just setting
all actions to ignore.

I just wanted to know what had caused this, so in the future it
doesn't happen again.
 
Thanks!
 
 


-Original Message-
*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On
Behalf Of *Darin Cox
*Sent:* Thursday, December 14, 2006 12:20 PM
*To:* declude.junkmail@declude.com
*Subject:* Re: [Declude.JunkMail] Why are these being whitelisted?

You're required to archive spam?  I can't imagine that.  I
would remove the WHITELIST TO.
 
Note that if any of the recipients are whitelisted, then all
will effectively be whitelisted for that message.

Darin.
 
 




Re: [Declude.JunkMail] OT: Message Storage

2006-12-14 Thread Matt

Sanford Whiteman wrote:

Unlike... um, anyone on this list, it seems... I know firsthand what
SEC and NASD think of homegrown compliance solutions.

That's why you pay someone else to do it and insist that they slap on a 
fancy name like Perfect Super Uber E-mail Compliance Archive System.


But seriously, the baseline test is whether or not it works, and no one 
should invest in something that doesn't meet regulations.


I do have some experience with the feds, and I did work for a 
multi-billion dollar corporation where my immediate boss was in charge 
of E-mail for the entire company, and we were always being sued by 
someone.  That was pre-SOX though, but we all knew it was coming and 
that it mostly just clarified retention policies by better defining what 
was classified as a covered communication.  I also have a good friend 
who deals with bank audits on a regular basis as well as SOX compliance.  
When audited, they will always point a list of things out, and they can 
find fault with anything that they choose to find fault with.  The real 
trick is ensuring that you aren't grossly negligent.


Also note that congress didn't even specify retention periods within SOX 
or methods of retention, this was all inferred after the fact by 
combining aspects of various laws and regulations, and they certainly 
didn't endorse a particular product for providing a solution.


With all of that said, I believe that what one does should be compatible 
with the dynamics of one's business.  For a single location entity with 
less than 200 employees, clearly a less robust solution could manage the 
task, and it could be home grown.  Those that have many more employees 
and multiple locations would likely find a commercial solution more 
beneficial overall.  There are even situations with multi-national 
companies where it is pretty much impossible to be in compliance with 
every regulation that applies to them.  For instance, some countries 
require removing certain records for privacy, while others require 
retaining all such records for oversight and legal reasons.


Matt





Re: [Declude.JunkMail] SmarterTools offline

2006-12-04 Thread Matt

Nice point about the activation issue.

Matt



Gary Steiner wrote:

For those SmarterMail owners who may have noticed that SmarterTools has been 
offline for over 24 hours, you can read about it here:

http://www.crystaltech.com/forum/topic.asp?TOPIC_ID=16305


Gary








Re: [Declude.JunkMail] Undocumented Directive 4.x

2006-12-04 Thread Matt

NICKGOBACKTOSLEEPON

:)



Nick Hayer wrote:


Any other undocumented's that you can share?  :)

-Nick

David Barker wrote:

Just an FYI you may find it useful, in the global.cfg:

BLKLSTON

Writes a text file to the \spool\blklst.txt containing the IP and weight of
emails, e.g.

1.1.1.123
2.2.2.27

David Barker
Director of Product Management
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]






Re: [Declude.JunkMail] method for reducing CPU load

2006-11-28 Thread Matt

Scott,

This is _exactly_ what I have wanted Declude to do for over two years 
now all the way down to the spec.  This would add low and high skip 
weight functionality to all filters, external apps and anything else 
that might be skippable, and do so by using the config in such a way 
that could easily be backwards compatible when not specified (you would 
assume null null to be 0 0 and consider that disabled).


This would save tremendously in loading filter files and launching 
external apps.  I for instance have this functionality in one of my 
external apps, but it still has to be run in order for the weight 
skipping mechanism to operate.  Other external apps have no weight 
skipping built into them and this would add the much needed 
functionality to save resources.


Matt



Scott Fisher wrote:
I've been mulling this one over as I watch my spam filtering CPU time 
slowly taking over the email server. And I don't expect the number of 
emails to go down.
 
For external programs and filters I think it would be a good idea to 
add two optional fields to the global.cfg definition line: a minweight 
and a maxweight. These would be the last two arguments and optional so 
existing configs would not need to be changed.
 
For an external program:

INV-URIBL external  25 D:\INVURIBL.exe %WEIGHT% %REMOTEIP%  25 0
would become
INV-URIBL external  25 D:\INVURIBL.exe %WEIGHT% %REMOTEIP%  25 0  -50  300
in this case invuribl would only get run if the current weight was 
between -50 and 300.

For a filter:
ATTACHMENT-GIF  filter  D:\ATTACHMENT-GIF.txt   x   0   0
would become
ATTACHMENT-GIF  filter  D:\ATTACHMENT-GIF.txt   x   0   0   -50  300
in this case the attachment-gif filter would only get processed if the 
current weight was between -50 and 300


Here's why I think this is a good idea:
Declude could check the weights before launching the external program. 
If it is over/under weight the external program would not be launched.
2 if statements to avoid launching a program. That seems like a CPU 
time saver. Especially when multiplied by 10,000s of emails per day.
I use 6 external programs. I believe over half of the program launches 
would be avoided because of stuff that has already been declared 
obvious ham or obvious spam.

My final of the 6 programs, gets weight skipped over 90% of the time.
At 10,000 emails a day, avoiding 50% of the external programs would 
save 30,000 program launches a day. I believe my 50% to be a 
conservative number and I think that the percentage would average out 
to be even higher.
 
Now I have about one hundred filters. The vast majority of them get 
triggered with the skipweight since the email is already at a high 
spam weight by the time it reaches the filters.
But still every one of these filter files needs to be opened, read and 
closed for every email.
Again 2 IF statements per filter could avoid opening 100 files. That 
seems to me to be a CPU time saver.
By the time, email reaches the filters, I think 75% of it is bypassing 
filters by being over the skipweight. At 10,000 emails a day (small to 
many of us). That would mean 750,000 filter files a day would not need 
to be open, read and closed.
 
From the programming side, I don't believe the coding changes to be 
too difficult. Weight verification/processing code already exists in 
the Declude program. It would just need to be relocated.
 
I'm a pretty small user here, getting about 14,000 spams on a weekday. 
Imagine the potential CPU savings for scaling this up to an ISP with 
100,000 emails per day.
 
I don't know if this would have an impact on saving my CPU or not, but 
it has to help even if it is a little.

Please consider this.

-
Scott Fisher
Director of IT
Farm Progress Companies
191 S Gary Ave
Carol Stream, IL 60188
630-462-2323
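
The weight-range check proposed in this thread, sketched as an added example; it is not Declude's code and not part of the original posts. It parses the definition lines quoted above with and without the trailing minweight/maxweight pair, applies the "0 0 means disabled" rule from Matt's reply, and counts how many launches the check avoids. The parser, the inclusive range bounds and the sample message weights are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

_INT = re.compile(r"^[+-]?\d+$")

# Definition lines as quoted in the thread, plus one with the range set to 0 0.
LEGACY_EXTERNAL = r"INV-URIBL external  25 D:\INVURIBL.exe %WEIGHT% %REMOTEIP%  25 0"
RANGED_EXTERNAL = r"INV-URIBL external  25 D:\INVURIBL.exe %WEIGHT% %REMOTEIP%  25 0  -50  300"
RANGED_FILTER = r"ATTACHMENT-GIF  filter  D:\ATTACHMENT-GIF.txt   x   0   0   -50  300"
DISABLED_FILTER = r"ATTACHMENT-GIF  filter  D:\ATTACHMENT-GIF.txt   x   0   0   0   0"


@dataclass
class CfgEntry:
    name: str
    kind: str                                # "external", "filter", ...
    fail_weight: int
    pass_weight: int
    weight_range: Optional[Tuple[int, int]]  # None = never skipped


def parse_test_line(line: str) -> CfgEntry:
    """Parse one test definition, with or without the proposed trailing
    <minweight> <maxweight> pair (assumed layout: the last integers on the line)."""
    tokens = line.split()
    if len(tokens) < 5:
        raise ValueError(f"not a test definition: {line!r}")
    name, kind, rest = tokens[0], tokens[1], tokens[2:]

    # Count the integer tokens that end the line. Caveat: an external command
    # whose own last arguments are integers would be ambiguous in this layout.
    trailing = 0
    for tok in reversed(rest):
        if not _INT.match(tok):
            break
        trailing += 1

    if trailing >= 4:
        fail_w, pass_w, lo, hi = (int(t) for t in rest[-4:])
        # Backward-compatibility rule from the reply: "0 0" means disabled.
        rng = None if (lo, hi) == (0, 0) else (lo, hi)
    elif trailing >= 2:
        fail_w, pass_w = int(rest[-2]), int(rest[-1])
        rng = None
    else:
        raise ValueError(f"missing weights: {line!r}")

    if rng is not None and rng[0] > rng[1]:
        raise ValueError(f"minweight above maxweight: {line!r}")
    return CfgEntry(name, kind, fail_w, pass_w, rng)


def should_run(entry: CfgEntry, current_weight: int) -> bool:
    """The two comparisons made before a program launch or a filter file open."""
    if entry.weight_range is None:
        return True
    lo, hi = entry.weight_range
    return lo <= current_weight <= hi  # inclusive bounds are an assumption


def launch_counts(entries: List[CfgEntry], weights: Iterable[int]) -> Tuple[int, int]:
    """Return (launched, skipped) over a batch of messages. Each message weight
    is the weight accumulated before these entries are reached (simplification)."""
    launched = skipped = 0
    for weight in weights:
        for entry in entries:
            if should_run(entry, weight):
                launched += 1
            else:
                skipped += 1
    return launched, skipped


# Constructed sample: weights of six messages at the point these tests are reached.
SAMPLE_WEIGHTS = [-120, 0, 15, 45, 310, 900]

if __name__ == "__main__":
    entries = [parse_test_line(l) for l in (LEGACY_EXTERNAL, RANGED_EXTERNAL, RANGED_FILTER)]
    print(launch_counts(entries, SAMPLE_WEIGHTS))
```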
 

Re: [Declude.JunkMail] Declude v2.06 and Imail 2006.1

2006-11-28 Thread Matt

Sharyn,

You should specify what version of Declude you are asking about.  FYI, 
IMail 8.2+ requires Declude 3+.  Some claim that older versions of 
Declude will work, however there are also widely reported problems with 
IMail 8.2+ and it is no doubt safest to run Declude 3+.


Matt



Sharyn Schmidt wrote:


Will my old version of Declude work with the new version of Imail?

TIA,
Sharyn



Re: [Declude.JunkMail] MXRate-Allow

2006-11-18 Thread Matt

Andy,

That result code is neither a whitelist nor a blacklist, it is merely an 
indication that legitimate E-mail has been received in quantity from 
that IP.  Due to the fact that spam levels are approaching 99% of 
connection traffic these days (not the same as message volume), it is 
not uncommon to find that places that send a lot of good E-mail also 
send a lot of spam from time to time.


This particular result code is most useful in the context of Alligate, 
but it has little value when used simply as an IP4R test within 
Declude.  You can however assume with a high degree of confidence that 
you won't be receiving zombie generated spam from this result code 
unless it was forwarded or in a very rare occasion, the server itself is 
hacked.  You can also fairly safely assume that this will not be a 
static spammer.  It can however be a bulk-mail provider that leaks some 
spam, or a real E-mail service that has Advance Fee Fraud users (Hotmail 
for instance), or service providers that are forwarding E-mail, or 
possibly forwarding phishing on behalf of hacked servers in their network.


Matt



Andy Schmidt wrote:

Is it me - or should MXRate-Allow be treated as a spam source list?
 
I don't know how many times I've looked at Spam that made it through 
and the IP is on their whitelist, such as campaigner.


Best Regards
*/Andy Schmidt/*/
/
Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206

-Original Message- 
Received: from mta8br.cmpgnr.com [69.28.223.132] by hm-software.com
  (SMTPD-9.10) id A0C01D47C; Sat, 18 Nov 2006 11:11:44 -0500
Return-Path: [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
Date: Sat, 18 Nov 2006 11:11:48 -0500 (EST)
From: Purplus Inc. [EMAIL PROTECTED]
Reply-To: Purplus Inc. [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Great New Deals From Purplus Software
Errors-To: [EMAIL PROTECTED]
Mime-Version: 1.0
Content-Type: multipart/alternative;
 boundary==_Part_220171_25603728.1163866308151
X-Campaign: 829605.828864.667296.793699032
Bounces-To: [EMAIL PROTECTED]
X-RBL-Warning: Suspected SPAM. Spam Received Recently See: 
http://www.sorbs.net/lookup.shtml?69.28.223.132;
X-Declude-RefID:
X-Declude: Version 4.3.14; Code 0xe from mta8br.cmpgnr.com [69.28.223.132]
X-Declude: Triggered [4] SENDERDB-ALLOW, SPFPASS, SNIFFER
X-Countries: UNITED STATES-destination
Return-Path: [EMAIL PROTECTED]
X-RCPT-TO: [EMAIL PROTECTED]
Status: 
X-UIDL: 463610395
X-IMail-ThreadID: 30c001bc5152
 
*From:* Purplus Inc. [mailto:[EMAIL PROTECTED]

*Sent:* Saturday, November 18, 2006 11:12 AM
*To:* [EMAIL PROTECTED]
*Subject:* Great New Deals From Purplus Software
 
- SPAM DELETED 
--
 
You are subscribed as [EMAIL PROTECTED] To unsubscribe please click 
here 
http://cmpgnr.com/r.html?c=829605r=828864t=793699032l=6[EMAIL PROTECTED]la=1o=-40.


http://www.campaigner.com/?testdrive_1




Re: [Declude.JunkMail] MXRate-Allow

2006-11-18 Thread Matt

Andy,

I both assumed and created a group of different definitions of things 
for classifying spammers and things related to them.  I don't claim that 
this list is universal, nor complete, but when I refer to something with 
one of these terms, this is generally what I mean.  I am a believer in 
targeting specific types of spam with specific methods.  For instance, 
AFF Spam is not usefully targeted primarily with IP4R tests since it 
mostly comes from legitimate mail servers, however you will often get a 
zombie-type hit on the IP from the first hop.  Likewise I also believe 
in not lumping everything under very generalized terms to describe them, 
i.e. spam or spammer.


   * *Zombie Spammer* - A spammer that hijacks other's computers where
 the spam is sent directly from the hijacked computer to one's server.
   * *Zombie *- A computer that has been hijacked and is a member of a
 bot-net.
   * *Bot-net* - A group of zombies under one group's control,
 typically used for spamming and for DDoS attacks, but also
 sometimes used to relay through legitimate servers using either
 AUTH hacking or trusted IP space.
   * *Open Relay* - A mail server that allows un-authenticated E-mail
 to be sent through it.
   * *AUTH Relay* - A mail server that has accounts where either AUTH
 has been hacked to send spam, or allows trusted IP space to relay
 spam.
   * *Relay Spammer* - A spammer that uses either Open Relays or AUTH
 Relays to send spam.
   * *Static Spammer* - A group dedicated to spamming that uses their
 own servers (contracted or owned).
   * *AFF Spam* (Advance Fee Fraud) - Consists of scams where the
 object is to get the recipient to hand over cash in expectation of
 a return.  This typically consists of Nigerian spam, Lottery spam,
 buy from your store spam, and representatives wanted spam.
   * *Phishing Spam* - Scams designed to trick the recipients into
 handing over valuable information.  These messages are typically
 sent through sites using content management tools (Wiki's, message
 boards, blogging software, and PHPNuke-type content management
 tools).  The content is also often hosted on the same.
   * *Bulk Mailers* - Companies that are not committed exclusively to
 spamming, but most of which will leak spam from time to time. 
 Some are better than others at preventing spam, and some have
 service designs that lend themselves to abuse.
   * *Niche Spam* - Small-time spammers that generally target a very
 specific demographic such as a region or a type of business.  They
 often use either their own official E-mail server or that of their
 ISP, and they can be hard to catch without manual blacklisting.
   * *Backscatter *- Messages that result from automated responses to
 forged addresses, typically resulting from gateways that don't
 validate recipient addresses, but also caused by auto-responders,
 vacation messages, open relays, AUTH relays and AV blocking
 mechanisms.
   * *Form Spam* - Spammers that target contact forms to send their
 spam to the hard coded recipients, or in some cases attempt to
 recode the recipients if that value is specified within the form.
   * *Spim *- Instant messaging spam.  Typically sent by zombies.
   * *Blog Spam* - Also affects things like guestbooks, comment
 mechanisms and message boards.  Used either for spamdexing or to
 directly advertise one's products.  Primarily done by zombies.
   * *Spamdexing *- The act of spreading links to a site by posting
 them in blogs, guestbooks and message boards with the goal of
 improving search ranking of the sites listed.

Matt


Andy Schmidt wrote:

Hi Matt:
 
What is a static spammer?
 
I've looked into a few in the past week and they all obviously 
were marketing mail companies (such as in this case, mta8br.cmpgnr.com 
[69.28.223.132]) - and, of course, the mail account that was receiving 
the spam was never subscribed there.


Best Regards
*/Andy Schmidt/*/
/
Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206

-Original Message-
*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On
Behalf Of *Matt
*Sent:* Saturday, November 18, 2006 07:54 PM
*To:* declude.junkmail@declude.com
*Subject:* Re: [Declude.JunkMail] MXRate-Allow

Andy,

That result code is neither a whitelist nor a blacklist, it is
merely an indication that legitimate E-mail has been received in
quantity from that IP.  Due to the fact that spam levels are
approaching 99% of connection traffic these days (not the same as
message volume), it is not uncommon to find that places that send
a lot of good E-mail also send a lot of spam from time to time.

This particular result code is most useful in the context of
Alligate, but it has little value when used simply as an IP4R test
within Declude.  You can however assume with a high degree

Re: [Declude.JunkMail] Filter 'END' statement in 4.3.14 flushes WEIGHT?

2006-11-17 Thread Matt

Andy,

Using 'combo' filters is the way to go here.  It does work, and while 
extra functionality would ease such things, I have always been required 
to work within the framework and as a result I use many sets of combo 
filters to do exactly what you were trying to do here in one file.


It is good that END results in no hit for the filter.  If this changed, 
it would screw up my system in a big way, and probably result in me 
blocking virtually all legitimate E-mail.  There is a definite need for 
a function that aborts a filter entirely, and this is what Scott 
provided with END.


A STOP function would not be a bad idea, and to create ABORT in the 
place of END (same thing, different name), and depricating END as Andrew 
suggested in 2004 would make sense as far as confusion goes and also to 
add extra functionality, but that is in fact a feature request.


Matt



Andy Schmidt wrote:

 Why the requirement of single filter? 
 
Clarity? It's easier for me to follow a logic, if it's enclosed in a 
SINGLE source document (= filter).
 
If the logic is spread over multiple source documents, I have to 
first scour the Global.CFG to see which filters are active, 
then inspect each one to see if by chance any one of them might have 
any effect.


Best Regards
*/Andy Schmidt/*/
/
Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206

 



*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of 
*John T (Lists)

*Sent:* Friday, November 17, 2006 12:57 PM
*To:* declude.junkmail@declude.com
*Subject:* RE: [Declude.JunkMail] Filter 'END' statement in 4.3.14 
flushes WEIGHT?


Why the requirement of single filter?

 


I have different combo filters created like this:

 


ComboFilterA
REM If testa and testb fail, and if testc or testd fail, add 10
ENDONFIRSTHIT
TESTSFAILED END NOTCONTAINS testa
TESTSFAILED END NOTCONTAINS testb
TESTSFAILED 10 CONTAINS testc
TESTSFAILED 10 CONTAINS testd

ComboFilterB
REM If testc and testd fail, and if teste or testf fail, add 20
ENDONFIRSTHIT
TESTSFAILED END NOTCONTAINS testc
TESTSFAILED END NOTCONTAINS testd
TESTSFAILED 10 CONTAINS teste
TESTSFAILED 10 CONTAINS testf

 

IMHO, that is a much cleaner and neater way to do it. You could also 
use MAXWEIGHT instead of ENDONFIRSTHIT and then assign different 
weights to different test.


 


**John T**

**eServices For You**

 


*Life is a succession of lessons which must be lived to be understood.*

*Ralph Waldo Emerson (1802-1882)*

** 

 


-Original Message-
*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of 
*Andy Schmidt

*Sent:* Friday, November 17, 2006 9:29 AM
*To:* declude.junkmail@declude.com
*Subject:* RE: [Declude.JunkMail] Filter 'END' statement in 4.3.14 
flushes WEIGHT?


 


Hi John,

 


 Was never changed. 

 


Please read the URL I posted:

http://www.mail-archive.com/declude.junkmail@declude.com/msg14009.html

 

As you can tell, ORIGINALLY it did return the weight. He was thinking 
of it even FAILING the test (if there was a weight).


 

 What you should have been using is MAXWEIGHT at the top, or 
STOPATFIRSTHIT. 


 

Kindly, please read the sample I had posted (bottom of this message). 
Your reply doesn't address the issue of trying to make some sections 
of a test conditional. Example, the goal is to return either 1 or 2 or 
3 if test1 or test2 occur with test3 - and to only add test4 and 
test5, if test3 is not true.


 


SKIPIFWEIGHT 20
MAXWEIGHT 3

TESTSFAILED 1 CONTAINS test1
TESTSFAILED 1 CONTAINS test2

TESTSFAILED END CONTAINS test3

TESTSFAILED 1 CONTAINS test4
TESTSFAILED 1 CONTAINS test5
etc etc

 

Please demonstrate how MAXWEIGHT or STOPATFIRSTHIT would do this in a 
single filter?


Best Regards
*/Andy Schmidt/*/
/
Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206
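
The END behaviour discussed in this message (an END hit aborts the filter and it scores nothing), modelled as an added example; it is not Declude's code and not part of the original posts. It runs the single-file filter quoted above, ComboFilterA, and a two-file split of the single filter, so the difference in returned weight is visible. The directive semantics are a simplified model taken from this thread, and the split with its filter names COMBO-BASE and COMBO-EXTRA is hypothetical.

```python
from typing import Iterable, List, Tuple

# The single-file filter and ComboFilterA as quoted in the thread.
SINGLE_FILTER = """
SKIPIFWEIGHT 20
MAXWEIGHT 3
TESTSFAILED 1 CONTAINS test1
TESTSFAILED 1 CONTAINS test2
TESTSFAILED END CONTAINS test3
TESTSFAILED 1 CONTAINS test4
TESTSFAILED 1 CONTAINS test5
"""

COMBO_FILTER_A = """
REM If testa and testb fail, and if testc or testd fail, add 10
ENDONFIRSTHIT
TESTSFAILED END NOTCONTAINS testa
TESTSFAILED END NOTCONTAINS testb
TESTSFAILED 10 CONTAINS testc
TESTSFAILED 10 CONTAINS testd
"""

# Hypothetical split of SINGLE_FILTER into two files: the unconditional part
# and the part that must not score when test3 has failed.
COMBO_BASE = """
MAXWEIGHT 3
TESTSFAILED 1 CONTAINS test1
TESTSFAILED 1 CONTAINS test2
"""

COMBO_EXTRA = """
TESTSFAILED END CONTAINS test3
TESTSFAILED 1 CONTAINS test4
TESTSFAILED 1 CONTAINS test5
"""


def run_filter(text: str, failed: Iterable[str], current_weight: int = 0) -> int:
    """Weight one filter file contributes; 0 means the filter did not hit."""
    haystack = " ".join(failed)  # CONTAINS modelled as a substring match (assumption)
    total = 0
    max_weight = None
    stop_on_first_hit = False
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("#") or tok[0].upper() == "REM":
            continue
        key = tok[0].upper()
        if key == "SKIPIFWEIGHT":
            # Assumed meaning: skip the file if the message already weighs this much.
            if current_weight >= int(tok[1]):
                return 0
        elif key == "MAXWEIGHT":
            max_weight = int(tok[1])
        elif key in ("ENDONFIRSTHIT", "STOPATFIRSTHIT"):  # both spellings occur in the thread
            stop_on_first_hit = True
        elif key == "TESTSFAILED":
            action, op, needle = tok[1].upper(), tok[2].upper(), tok[3]
            if op not in ("CONTAINS", "NOTCONTAINS"):
                raise ValueError(f"unsupported operator: {raw!r}")
            matched = (needle in haystack) == (op == "CONTAINS")
            if not matched:
                continue
            if action == "END":
                return 0  # abort: weight collected so far in this file is discarded
            total += int(action)
            if max_weight is not None and total >= max_weight:
                return max_weight
            if stop_on_first_hit:
                break
        else:
            raise ValueError(f"unsupported line: {raw!r}")
    return total


def run_chain(filters: List[Tuple[str, str]], failed: Iterable[str],
              current_weight: int = 0) -> Tuple[int, List[str]]:
    """Run filter files in Global.cfg order. A file that scores is added to the
    failed-test list, so a later file can test for it by name."""
    failed = list(failed)
    for name, text in filters:
        weight = run_filter(text, failed, current_weight)
        if weight:
            failed.append(name)
            current_weight += weight
    return current_weight, failed


if __name__ == "__main__":
    hits = ["test1", "test2", "test3"]  # constructed sample of failed tests
    print("single file:", run_filter(SINGLE_FILTER, hits))
    print("two files:  ", run_chain([("COMBO-BASE", COMBO_BASE),
                                     ("COMBO-EXTRA", COMBO_EXTRA)], hits))
```

With test1, test2 and test3 failed, the single file returns 0 because the END line discards the 2 points already counted, while the split keeps them. The split cannot share one MAXWEIGHT across both files, so a message failing test1, test2, test4 and test5 scores 4 there instead of 3.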

 



Re: [Declude.JunkMail] Filter 'END' statement in 4.3.14 flushes WEIGHT?

2006-11-17 Thread Matt

Andy,

Taking your original filter, this is what you would do (note the 
NOTCONTAINS line in the second filter):


   # ADD-WEIGHT
   TESTSFAILED 7 CONTAINS SNIFFER
   TESTSFAILED 1 CONTAINS SNIFFER-SCAMS
   TESTSFAILED 1 CONTAINS SNIFFER-PORN
   TESTSFAILED 2 CONTAINS SNIFFER-MALWARE
   TESTSFAILED 1 CONTAINS SNIFFER-OBFUSC
   TESTSFAILED -2 CONTAINS SNIFFER-IP

   TESTSFAILED 4 CONTAINS INV-URIBL-WT1

   TESTSFAILED 5 CONTAINS INV-URIBL-WT2
   TESTSFAILED 6 CONTAINS INV-URIBL-WT3
   TESTSFAILED 7 CONTAINS INV-URIBL-WT4

   -


   # EXTRA-WEIGHT
   TESTSFAILED END NOTCONTAINS ADD-WEIGHT

   TESTSFAILED END CONTAINS SPAMCOP
   TESTSFAILED END CONTAINS NJABLSOURCES
   TESTSFAILED END CONTAINS AHBLSOURCES
   TESTSFAILED END CONTAINS AHBLPSSL
   TESTSFAILED END CONTAINS SORBS-SPAM
   TESTSFAILED END CONTAINS SENDERDB-BLOCK
   TESTSFAILED END CONTAINS SBL

   TESTSFAILED 2 CONTAINS SNIFFER-IP


In your Global.cfg, you would only need to make sure that ADD-WEIGHT 
appears before EXTRA-WEIGHT.


Matt





Andy Schmidt wrote:

I'm familiar with MAXWEIGHT and I'm using it.
 
It doesn't address this particular application.
 
Best Regards

Andy Schmidt
Phone:  +1 201 934-3414 x20 (Business)
Fax:    +1 201 934-9206

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Friday, November 17, 2006 05:52 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Filter 'END' statement in 4.3.14
flushes WEIGHT?

OK, I understand that better but you will always be better off
grouping each intent into a different combo filter. Then, you can
even have a combo filter dependent upon another combo filter by
way of order of list and including the name of the combo filter as
an IF statement in the next one.

Combo filters need to be viewed as a different type of test rather
than a normal filter test. If you write down in groups what you
want to do, it will be easy to then create them.

 


Say if you want to add 12 if 4 or more rbl tests failed. You would
create a combo filter like this:

MINWEIGHTTOFAIL 12
MAXWEIGHT 12

TESTSFAILED 3 CONTAINS rbl1
TESTSFAILED 3 CONTAINS rbl2
TESTSFAILED 3 CONTAINS rbl3
TESTSFAILED 3 CONTAINS rbl4
TESTSFAILED 3 CONTAINS rbl5
TESTSFAILED 3 CONTAINS rbl6
TESTSFAILED 3 CONTAINS rbl7
TESTSFAILED 3 CONTAINS rbl8

 


That way, at least 4 have to hit to equal 12 before it will see
this test as failing, but it will only add 12 and not more.

 


John T
eServices For You

Life is a succession of lessons which must be lived to be
understood.
Ralph Waldo Emerson (1802-1882)

 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt
Sent: Friday, November 17, 2006 2:13 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Filter 'END' statement in 4.3.14
flushes WEIGHT?

 


Hi John:

 


 What is the logic of the second part anyways, to add weight for
test4 and test5 IF test1 and test2 failed? 

 


If you have several blacklists of the same family (e.g., multiple
open-relay filters, or multiple open-proxy filters) I like to
group them together.  I give a big weight to the entire group (the
filter itself) and then may add an increment for blacklists with
few false positives (each contains clause).

 


Similarly with Sniffer or invURIBL.  There is some overlap between
those two, and there is a potential overlap between Sniffer-IP and
blacklists of recent spam sources (e.g., SpamCop, MXRate-Block).

 


I have a filter that processes my various Sniffer types and
invURIBL returns. At some point, I'd like to stop and first look
if certain other Blacklist Tests had fired. If so, I'm done.  If
not, I want to add a little extra for Sniffer-IP.

 

 


Best Regards
Andy Schmidt
Phone:  +1 201 934-3414 x20 (Business)
Fax:    +1 201 934-9206

 

 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Friday, November 17, 2006 02:41 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Filter 'END' statement in 4.3.14
flushes WEIGHT?

Any filter that I do not have as active is moved to
\declude\filters\notused from \declude\filters so that my filters
folder only contains filters that I am currently using.

 


In your example, you are putting the IF statement after the THEN
statement. I am not a programmer
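
A small Python model of the two filters Matt posts in this message and of John T's MINWEIGHTTOFAIL/MAXWEIGHT filter, added here as an illustration; it is not code from the thread or from Declude. The matching and failure rules stated in the comments are assumptions. Every END line in EXTRA-WEIGHT comes before its only weight line, so the result does not depend on whether END keeps or flushes accumulated weight.

```python
# Toy model of the combo-filter logic discussed in this thread (not Declude code).
# Assumptions: rules run top to bottom; CONTAINS is a substring match against the
# space-joined list of failed test names; a filter is added to that list when its
# weight reaches MINWEIGHTTOFAIL (or exceeds 0 if unset); a matching END rule
# stops the filter with weight 0.

def run_filter(rules, failed, maxweight=None, minweight=None):
    """rules: (action, op, name) tuples; action is an int weight or 'END'."""
    haystack = " ".join(failed)
    weight = 0
    for action, op, name in rules:
        if (name in haystack) != (op == "CONTAINS"):
            continue                      # rule did not match
        if action == "END":
            return 0
        weight += action
    if maxweight is not None:
        weight = min(weight, maxweight)
    return weight if weight >= (minweight or 1) else 0

ADD_WEIGHT = [(7, "CONTAINS", "SNIFFER"), (1, "CONTAINS", "SNIFFER-SCAMS"),
              (1, "CONTAINS", "SNIFFER-PORN"), (2, "CONTAINS", "SNIFFER-MALWARE"),
              (1, "CONTAINS", "SNIFFER-OBFUSC"), (-2, "CONTAINS", "SNIFFER-IP"),
              (4, "CONTAINS", "INV-URIBL-WT1"), (5, "CONTAINS", "INV-URIBL-WT2"),
              (6, "CONTAINS", "INV-URIBL-WT3"), (7, "CONTAINS", "INV-URIBL-WT4")]

BLACKLISTS = ["SPAMCOP", "NJABLSOURCES", "AHBLSOURCES", "AHBLPSSL",
              "SORBS-SPAM", "SENDERDB-BLOCK", "SBL"]
EXTRA_WEIGHT = ([("END", "NOTCONTAINS", "ADD-WEIGHT")]
                + [("END", "CONTAINS", b) for b in BLACKLISTS]
                + [(2, "CONTAINS", "SNIFFER-IP")])

def score_chain(failed):
    """Run ADD-WEIGHT, then EXTRA-WEIGHT (the Global.cfg order Matt gives)."""
    failed = list(failed)
    first = run_filter(ADD_WEIGHT, failed)
    if first:
        failed.append("ADD-WEIGHT")       # filter name joins the failed list
    return first + run_filter(EXTRA_WEIGHT, failed)

RBL_COMBO = [(3, "CONTAINS", f"rbl{i}") for i in range(1, 9)]

def score_rbl_combo(failed):
    """John T's filter: MINWEIGHTTOFAIL 12, MAXWEIGHT 12, eight tests at 3."""
    return run_filter(RBL_COMBO, failed, maxweight=12, minweight=12)
```
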

Re: [Declude.JunkMail] IPBYPASS with multiple domains

2006-11-15 Thread Matt

Bill,

IPBYPASS applies to everyone that comes from Postini, and they do leak 
spam.  To make matters worse, Postini strips some of the original 
Received headers.  You can use HOPHIGH to get back to the first one 
which should be the source that connected to Postini, but I would not 
score prior hops the same as the last hop.


Why don't you just whitelist this customer by setting up a blank 
per-domain config for them?  If they want Postini, why not let them have it?


Matt



Bill Green dfn Systems wrote:


I have a customer whose email domain we are hosting who recently began 
using Postini. This is the first time I've had to deal with a gateway. 
The documentation is pretty clear, but I do have one question. Since 
the gateway is only for one domain, will IPBYPASS work without 
interfering with the other domains? Or will I have to use HOPHIGH to 
catch them all?


Bill Green
dfn Systems
[EMAIL PROTECTED]





