Re: [Declude.JunkMail] Fw: New Multiple Threat Lookup Database test for Declude JunkMail
At 10:39 AM 7/9/2004, Dan Geiser wrote: Is this guy serious when he says The test is available for download. What do we have to download? What version number includes this test? What is the format of the test? Is it just an IP4R test? What host name do we use? I found that kinda strange as well, but in blind faith, I did download and install it. So far it seems to be running very well. Very useful in conjunction with SA and Sniffer. All that I can tell about it is that it added a line to my global.cfg. I'm sure Scott or someone will comment with more information shortly. It is an ip4r test, but I'm not sure what all I'm allowed to share... -Russ --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Fw: New Multiple Threat Lookup Database test for Declude JunkMail
At 10:49 AM 7/9/2004, Jay Calvert wrote: I don't think I have ever had an username and password with Declude. Where do we find this information? All we ever had to provide as verification was our Hostname. I never had one either, so I just clicked new user, and it asked me for an email address/password to use, and it continued on... -Russ
RE: [Declude.JunkMail] Fw: New Multiple Threat Lookup Database test for Declude JunkMail
At 01:38 PM 7/9/2004, Dan Horne wrote: Ah, but you DO recognize that ICMP is a threat, and so you have set access-rules on it. That was my main point. And as Sandy pointed out, Obviously ICMP _CAN_ be a security risk, but so is having your network connected to the Internet. I know a lot of admins that block ICMP for a plethora of reasons. At this point, this is probably getting a little off-topic, but in reality, if you block ICMP, you break IP. That's the bottom line, and nobody can argue that. So, everyone does what he/she needs to do to sleep better at night, and if this includes blocking ICMP, then so be it... But I'm gonna have to agree with Scott when he said I can't ping you, fix that problem first!! -Russ
Re: [Declude.JunkMail] NOW OT: ICMP
At 03:03 PM 7/9/2004, Dan Horne wrote: if you block ICMP, you break IP. That's the bottom line, and nobody can argue that. Sorry, but I can and will argue with that. ICMP relies on IP, not the other way around. IP works with or without ICMP. RFC792, which defines ICMP, states The purpose of these control messages is to provide feedback about problems in the communication environment, not to make IP reliable. Acknowledged!! It also states that ICMP is actually an integral part of IP, and must be implemented by every IP module, but that only means that anything that has an IP address must also understand ICMP. It does NOT mean (IMO) that I must accept ICMP across my firewall. I guess this is open to interpretation. My interpretation is that if my machine is behind an ICMP blocking firewall, ICMP is no longer actually implemented on my machine because ICMP no longer works on my machine. Again, just my personal interpretation. -Russ
Re: [Declude.JunkMail] NOW OT: ICMP
At 03:45 PM 7/9/2004, Doug Anderson wrote: Actually Russ, ICMP still works. Can you ping 127.0.0.1, the local loop back? Can you ping other items on your local network? It comes down to intranet vs internet separated by a firewall. Many corporations kill ICMP externally, but it works fine internally and is used as intended OR they allow outgoing only on the intranet and outgoing/incoming to the DMZ. That is true, but the one case that comes to mind is PMTU. I've seen first hand instances where a corporation blocked all ICMP traffic, and then some of my users couldn't access that company's website. For whatever reason, the remote web server had a smaller than normal MTU size, and the PMTU message was being blocked by their firewall. A very hard problem to troubleshoot considering the company was a bank that was under constant security audits, and they didn't want to send me their log files to look over. I insisted that they have someone qualified look at them, and sure enough that was the problem. This is kind of an uncommon situation, but it is a situation in which disabling ICMP broke the IP communication. Since I deal with security, I get to read firewall logs (real boring). We get a number of ping attacks (DOS attempts) and/or ping scans (up and down the range from same ip) per day...script monkeys looking for a way in. I'm not a security expert, but I do run an IDS, and I see this stuff all the time as well. We also get tons of DOS attempts, and tons of port scans. And really that's just Security through Obscurity, which I'm sure you know all about. I could just as easily map your network using plain old nmap and telling it not to ping thereby circumventing your ICMP blocking. As for DOS attempts, it's just as easy to issue a DOS attack to any open port. But again, everybody has their own way of doing things!! If you ever go through a security audit like we do, you'll understand.
I've never gone through a formal audit, but believe me you, if I do, I will fight tooth and nail against blocking every type of ICMP packet. And I would assume that if you're required to have formal security audits, that you already have a firewall that's robust enough to pick and choose ICMP type/codes. -Russ
RE: [Declude.JunkMail] Fw: New Multiple Threat Lookup Database test for Declude JunkMail
At 03:59 PM 7/9/2004, Andy Schmidt wrote: Hi Scott: As a rule of thumb, when people ask me for assistance regarding troubles reaching a computer and I can't ping it, I tell them that it can't be pinged, and they have to take care of it from there. If you disable a vital networking tool, you need to accept the consequences. That's fine - IF I asked Computerized Horizon to diagnose connectivity to my network, I would support that position. But, since we are NOT talking about that, I really don't see how your comment could remotely apply to the issue at hand. The ONLY entity who has any reason to diagnose my connectivity are my backbone providers - and anyone can ping up to and even across my border routers to the internal interfaces. There is no point, even for THEM, to ping INSIDE my network, because my local Ethernets and its wiring are MY responsibility - not theirs. (The only exception might be if they were managing my border routers for me.) You've never had to request additional IP blocks from an upstream provider have you?? ;) They will rarely grant you the additional blocks if they can't verify that you are efficiently using the blocks that you have. They do this verification with an echo request... But of course, you can open your firewall to only allow them in!! Anyone who successfully pings across my router has done all the diagnostics they need to do. I can handle it from there. If anyone wants to ping inside my network, they'll have to come to my office and then they are more than happy to send ICMP commands all over my Ethernets. I suggest people become familiar with the very long list of various ICMP exploits and DOS attacks, before suggesting that it should be wide open. I Maybe I'm way off base here, but I was (possibly wrongly) under the assumption that the majority of ICMP vulns/sploits were pretty old. If there have been some recent vulns/sploits, I'd love to read more about them.
And remember a DDoS or DoS is just as easy to launch against a TCP/UDP port as it is against ICMP. Thanks, Russ
RE: [Declude.JunkMail] NOW OT: ICMP
At 04:44 PM 7/9/2004, Andy Schmidt wrote: one case that comes to mind is PMTU. I've seen first hand instances where a corporation blocked all ICMP traffic, and then some of my users couldn't access that company's website. For whatever reason, the remote web server had a smaller than normal MTU size Yes - ICMP should be blocked selectively. PING clearly is nice to have for support/diagnostic - it is NOT needed for regular operation. If Declude wants to make sure that the connection to their DNS server works - then they should test the connection to a DNS port. Those ports ARE open. Agreed 100% :-) -Russ
RE: [Declude.JunkMail] ICMP
At 04:49 PM 7/9/2004, Andy Schmidt wrote: You've never had to request additional IP blocks from an upstream provider have you?? Do that occasionally - the last time in May. I fill out the form, and voila, half a day later Quest assigns another C-class for my T3s. Boy, that would be nice. ATT's not quite that easy. Of course it could be that we already had a /21, and I was requesting another /22 within a year. -Russ
RE: [Declude.JunkMail] [Declude.Virus] OT- Anyone know about this latest attack reported by CNN?
At 01:50 PM 6/25/2004, Jeff Maze wrote: Oh darn.. The page didn't open in Opera 7.51 and Norton Antivirus 2004 caught the download.ject worm.. :) I've just recently been turned on to FireFox http://www.mozilla.org/products/firefox/ I love it... Nice, simple, it works, and it's not vulnerable to all those silly IE exploits... -Russ
Re: [Declude.JunkMail] Where is ARIN?
At 11:21 AM 6/2/2004, Rick Davidson wrote: Is it me or did ARIN drop off the face of the Internet today? It appears that they have fallen off the face of the Internet :) If you go to http://ops.sprint-canada.net/ you can use a bunch of different service providers to look at BGP route entries from various route servers, and none of the handful that I checked had a route to ARIN's network. -Russ
Re[2]: [Declude.JunkMail] Where is ARIN?
At 12:43 PM 6/2/2004, Pete McNeil wrote: No problem getting there from here. multi-homed through Savvis and Sprint on a pair of T1s. _M If you take a look at the BGP looking glasses, you can see that the route has been flapping, and therefore being penalized. Usually BGP route flapping is indicative of either bad physical connection, or bad administrator... ;) It appears to be rather sporadic... I would bet that they are aware of the problem, and that they are in the process of fixing it... -Russ
RE: [Declude.JunkMail] Help - Gateway Question
At 10:08 AM 5/27/2004, Bridges, Samantha wrote: I believe you need to add the IP address of the GW server to your hosts file for resolution. You are pulling out an MX record somewhere that is saying send to the Trend server. At least that's how I get to my GW server. I did - In the \\..\\winnt\system32\drivers\etc I changed the hosts file to include the line: 64.88.9.99 lsps.org Gotta be something on their end... but what??? Are you using Imail 8 by chance? I'm not sure of the order of operations when using IMail 8's DNS cache, but is it possible that you need to clear out that cache? Might want to give that a try. -Russ
Re: [Declude.JunkMail] Are these Forged?
At 02:34 PM 5/20/2004, Mike Wiegers wrote: Started getting these lately and needed to find out if they are forged and if Declude site is setup to handle them as forged. Exploit-ObjectData trojan Yep...and Downloader-IU!zip trojan Yep... -Russ
RE: [Declude.JunkMail] DLA Test Downloaded
At 01:28 PM 5/18/2004, Goran Jovanovic wrote: Kevin, I tried the link below and was unable to get there??? Change the b in blabeta to a d -Russ at http://www.ssc-isp.net/blabeta/DLAApp.zip It fixes a few bugs.
Re: [Declude.JunkMail] ALLRECIPS CONTAINS END not ending?
At 11:00 AM 5/13/2004, R. Scott Perry wrote: You are correct -- I'll see if I can get a new interim release online which will take care of this. There is a new interim release 1.79i7 at http://www.declude.com/version/interim . It takes care of the issue of the ALLRECIPS filter not working properly. Thanks Scott... It appears to be doing the trick here!! -Russ
Re: [Declude.JunkMail] Using RHSBL's for reverse DNS entries
At 03:38 PM 5/13/2004, Matt wrote: Scott, I've been thinking about this for a while as a way to increase spam detection and do things that are otherwise more difficult to do, and then the other day I found that MailPolice was actually promoting their RHSBL's for use on both the Mail From and the reverse DNS entry, and now they have a zone that is built to detect DUL users using reverse DNS entries. I think that both additions would be very useful for spam blocking. Here's their current list of zones:
bulk.rhs.mailpolice.com - domains used to send or host spam/bulk-sender/unconfirmed mailing lists/advertising sites
porn.rhs.mailpolice.com - domains used to send or host pornographic sites
block.rhs.mailpolice.com - combined porn.rhs.mailpolice.com and bulk.rhs.mailpolice.com
dynamic.rhs.mailpolice.com - dynamic PPP/DSL/cable reverse DNS hostnames, useful for stopping spam from broadband proxies
fraud.rhs.mailpolice.com - domains and IPs hosting fraudulent content, aka phishing
Maybe I'm missing something obvious here, but I've been using this for some time now...
MAILPOLICE-BULK rhsbl bulk.rhs.mailpolice.com 127.0.0.2 7 0
MAILPOLICE-PORN rhsbl porn.rhs.mailpolice.com 127.0.0.2 10 0
Is this different from what you're trying to do? -Russ
Re: [Declude.JunkMail] Using RHSBL's for reverse DNS entries
At 04:01 PM 5/13/2004, Matt wrote: Currently, to the best of my knowledge, 'rhsbl' tests in Declude only work on the Mail From and not the reverse DNS value. I'm interested in the reverse DNS value to be added. Aha... I figured it was something obvious... -Russ
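The difference between checking only the Mail From domain and also checking the reverse DNS name against an RHSBL, as an added example that is not part of the thread and is not Declude's code. The two test lines are the ones posted above, with the last two numbers read here as the weights for a listed and an unlisted name; the parent-domain walk, the "revdns" source label, the listing table and the .example names are assumptions constructed for the illustration.

```python
import socket

# Test lines as posted in the thread: name, type, zone, listed answer, two weights.
CONFIG = """\
MAILPOLICE-BULK rhsbl bulk.rhs.mailpolice.com 127.0.0.2 7 0
MAILPOLICE-PORN rhsbl porn.rhs.mailpolice.com 127.0.0.2 10 0
"""

# Constructed listing data so the example runs offline (not real zone content).
LISTED = {"bulk-sender.example.bulk.rhs.mailpolice.com": ["127.0.0.2"]}


def fake_resolve(qname):
    """Stand-in resolver: A records from the constructed table, [] for NXDOMAIN."""
    return LISTED.get(qname, [])


def dns_resolve(qname):
    """Live resolver with the same interface; [] when the name does not resolve."""
    try:
        return socket.gethostbyname_ex(qname)[2]
    except OSError:
        return []


def parse_tests(text):
    """Parse rhsbl test definitions into dictionaries, ignoring other lines."""
    tests = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 6 and fields[1] == "rhsbl":
            tests.append({"name": fields[0], "zone": fields[2], "answer": fields[3],
                          "hit": int(fields[4]), "miss": int(fields[5])})
    return tests


def candidates(name):
    """The name itself, then each parent domain down to two labels (assumption)."""
    labels = name.strip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(max(len(labels) - 1, 1))]


def listed_as(name, test, resolve):
    """Return the candidate domain the zone lists with the expected answer, or None."""
    for domain in candidates(name):
        if test["answer"] in resolve(domain + "." + test["zone"]):
            return domain
    return None


def evaluate(tests, mail_from, rdns_name, resolve=dns_resolve):
    """Score a message on its Mail From domain and, if given, its reverse DNS name."""
    sources = [("mailfrom", mail_from.rsplit("@", 1)[-1])]
    if rdns_name:
        sources.append(("revdns", rdns_name))
    total, hits = 0, []
    for test in tests:
        for source, name in sources:
            domain = listed_as(name, test, resolve)
            if domain is None:
                total += test["miss"]
            else:
                total += test["hit"]
                hits.append((test["name"], source, domain))
    return total, hits


if __name__ == "__main__":
    tests = parse_tests(CONFIG)
    # Clean-looking envelope sender, but the connecting host's PTR name is listed.
    print(evaluate(tests, "promo@clean.example", None, fake_resolve))
    print(evaluate(tests, "promo@clean.example", "mail.bulk-sender.example", fake_resolve))
```
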
Re: [Declude.JunkMail] ALLRECIPS CONTAINS END not ending?
At 02:09 PM 5/12/2004, Matt wrote: Scott, I have a filter called FOREIGN that I have been defeating with END statements for certain domains with international traffic like so - Foreign.txt - ALLRECIPS END CONTAINS @clientdomain.com Matt, Are you using an interim version of Declude? I just recently had this problem, and contacted [EMAIL PROTECTED] They told me there was a bug with the ALLRECIPS in the current interim, and that it would be resolved in a future interim. For now, I've had to return back to the latest beta. If you hear something different, please let me know. Thanks, Russ
Re: [Declude.JunkMail] ALLRECIPS CONTAINS END not ending?
At 02:31 PM 5/12/2004, R. Scott Perry wrote: Are you using an interim version of Declude? I just recently had this problem, and contacted [EMAIL PROTECTED] They told me there was a bug with the ALLRECIPS in the current interim, and that it would be resolved in a future interim. For now, I've had to return back to the latest beta. If you hear something different, please let me know. Ah, I like it when customers are able to take care of things that I forget about. :) You are correct -- I'll see if I can get a new interim release online which will take care of this. Not to start a huge long thread about interims and such, but if you can get this interim released, do you know if that little problem with the zip files (zipped but didn't abide by the zipped rules) getting caught by banext ezip will be fixed as well... Thanks, Russ
Re: [Declude.JunkMail] Spamc32 installation
At 04:53 PM 4/19/2004, Markus Gufler wrote: After installing the latest release of cygwin (1.5.9-1) I can open the command prompt but I can't start cpan I've tried: bash-2.05b$ ls egrep egrep Ok, egrep is in the current directory bash-2.05b$ egrep Usage: egrep [OPTION]... PATTERN [FILE]... Try `egrep --help' for more information. Ok, executing this file is working fine. bash-2.05b$ ls cpan cpan So as I can understand cpan is in the current directory in the same manner as egrep. bash-2.05b$ cpan bash: cpan: command not found Maybe I'm off here, but have you tried ./cpan?? -Russ
Re: [Declude.JunkMail] Server Recommendation
At 11:35 AM 3/12/2004, TC Online Support wrote: We are currently looking to upgrade our mail server. Lately the processing of the CPU has been causing the SMTP to be working real slow, causing a lot of timeouts. We are currently running a P3 1.133GHz with 512MB RAM. We are looking to upgrade to a dual processor. I was wondering if anybody was willing to share what type of server hardware they are using and if anybody had any recommendations on the CPU power and RAM to have optimal performance. I had this same problem about 2 months ago, and asked a similar question to this list. The advice I personally liked best, and the advice that I took, was to build an inexpensive gateway box to deny the spam before it got to my mailbox server. We bought 2 fairly inexpensive Compaq rack servers, about $2300 a piece, and we are denying a good portion of mail at those boxes before they ever make it to our mailbox server. None of our servers are taxed at all anymore. Our current mailbox server is a dual 900 MHz machine with 1.5 GB of RAM, the spool partition is on a mirrored 15k rpm hardware raid card with 128MB of on-board cache, separate from our mailbox and app directory. We process about 200,000 emails a day. This machine was badly taxed. We added the two 2.04 GHz with 512 MB of memory in front of this one, and now nobody is working up a sweat!! This set up works great for us. Just as a side note, our gateway servers are running FreeBSD/postfix/spamassassin/clamav, but it could just as easily run win2k/imail/declude/sniffer. -Russ
[Declude.JunkMail] Gateway Mailservers and IPBypass
I've set up a gateway mailserver using postfix and amavisd. I want to make sure that the IP for this gateway server is skipped, but I'm kinda confused since the postfix box hands off the message a few times. Below are the received headers from one of the messages, and also what I put in my global.cfg. Does this all look okay? It seems to be working, but I want to check. Thanks, Russ

Received: from mx2.parallax.ws [12.161.104.8] by mail.parallax.ws with ESMTP (SMTPD32-8.05) id A0D5F731012C; Mon, 01 Mar 2004 08:55:33 -0500
Received: from localhost (localhost.parallax.ws [127.0.0.1]) by mx2.parallax.ws (Postfix) with ESMTP id C12635A21 for [EMAIL PROTECTED]; Mon, 1 Mar 2004 08:55:33 -0500 (EST)
Received: from mx2.parallax.ws ([127.0.0.1]) by localhost (mx2.parallax.ws [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 10949-06 for [EMAIL PROTECTED]; Mon, 1 Mar 2004 08:55:33 -0500 (EST)
Received: from hotmail.com (bay14-f5.bay14.hotmail.com [64.4.49.5]) by mx2.parallax.ws (Postfix) with ESMTP id 3C73F5A1F for [EMAIL PROTECTED]; Mon, 1 Mar 2004 08:55:33 -0500 (EST)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Mon, 1 Mar 2004 05:55:32 -0800
Received: from 12.161.104.23 by by14fd.bay14.hotmail.msn.com with HTTP; Mon, 01 Mar 2004 13:55:32 GMT

IPBYPASS 12.161.104.8
IPBYPASS 127.0.0.1

--- Russ Uhte, CCNA, MCP, A+ Network Administrator Richmond Power Light Parallax Systems Division 2000 US 27 South Richmond, IN 47374 USA Richmond: 765.973.7348 Toll-free: 888.962.3770 Cell: 765.993.3944
Re: [Declude.JunkMail] Gateway Mailservers and IPBypass
At 09:09 AM 3/1/2004, R. Scott Perry wrote: I've setup a gateway mailserver using postfix and amavisd. I want to make sure that the IP for this gateway server is skipped, but I'm kinda confused since the postfix box hands off the message a few times. Below are the received headers from one of the messages, and also what I put in my global.cfg. Does this all look okay? It seems to be working, but I want to check. In this case:

Received: from mx2.parallax.ws [12.161.104.8] by mail.parallax.ws with ESMTP (SMTPD32-8.05) id A0D5F731012C; Mon, 01 Mar 2004 08:55:33 -0500
Received: from localhost (localhost.parallax.ws [127.0.0.1]) by mx2.parallax.ws (Postfix) with ESMTP id C12635A21 for [EMAIL PROTECTED]; Mon, 1 Mar 2004 08:55:33 -0500 (EST)
Received: from mx2.parallax.ws ([127.0.0.1]) by localhost (mx2.parallax.ws [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 10949-06 for [EMAIL PROTECTED]; Mon, 1 Mar 2004 08:55:33 -0500 (EST)
Received: from hotmail.com (bay14-f5.bay14.hotmail.com [64.4.49.5]) by mx2.parallax.ws (Postfix) with ESMTP id 3C73F5A1F for [EMAIL PROTECTED]; Mon, 1 Mar 2004 08:55:33 -0500 (EST)

The actual IP is 64.4.49.5. The IPs in Received: headers before that are 12.161.104.8 and 127.0.0.1. In this case, I would recommend using HOP 0, IPBYPASS 12.161.104.8, and IPBYPASS 127.0.0.1. So:

IPBYPASS 12.161.104.8
IPBYPASS 127.0.0.1

This is exactly what I would use (assuming you are using the default HOP 0). That I am!! Thanks a million. -Russ
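How the two IPBYPASS entries lead to 64.4.49.5 for the headers in this thread, as an added example that is not part of the original posts and is not Declude's code. It assumes HOP counts how many leading Received headers to skip and that the walk stops at the first address not on the bypass list, since headers beyond that point were not written by a trusted host.

```python
import ipaddress
import re

# Received headers from the message in the thread, newest first
# (addresses redacted by the archive are kept as "[EMAIL PROTECTED]").
RECEIVED = [
    "from mx2.parallax.ws [12.161.104.8] by mail.parallax.ws with ESMTP "
    "(SMTPD32-8.05) id A0D5F731012C; Mon, 01 Mar 2004 08:55:33 -0500",
    "from localhost (localhost.parallax.ws [127.0.0.1]) by mx2.parallax.ws "
    "(Postfix) with ESMTP id C12635A21 for [EMAIL PROTECTED]; "
    "Mon, 1 Mar 2004 08:55:33 -0500 (EST)",
    "from mx2.parallax.ws ([127.0.0.1]) by localhost (mx2.parallax.ws "
    "[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 10949-06 for "
    "[EMAIL PROTECTED]; Mon, 1 Mar 2004 08:55:33 -0500 (EST)",
    "from hotmail.com (bay14-f5.bay14.hotmail.com [64.4.49.5]) by "
    "mx2.parallax.ws (Postfix) with ESMTP id 3C73F5A1F for [EMAIL PROTECTED]; "
    "Mon, 1 Mar 2004 08:55:33 -0500 (EST)",
    "from mail pickup service by hotmail.com with Microsoft SMTPSVC; "
    "Mon, 1 Mar 2004 05:55:32 -0800",
    "from 12.161.104.23 by by14fd.bay14.hotmail.msn.com with HTTP; "
    "Mon, 01 Mar 2004 13:55:32 GMT",
]

FROM_CLAUSE = re.compile(r"\s*from\s+(.*?)\s+by\s", re.S)
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BARE_IP = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def from_ip(header):
    """Return the IPv4 address in the 'from' clause of one Received header, or None."""
    clause = FROM_CLAUSE.match(header)
    if not clause:
        return None
    text = clause.group(1)
    hit = BRACKETED_IP.search(text) or BARE_IP.search(text)
    if not hit:
        return None
    try:
        return str(ipaddress.IPv4Address(hit.group(1)))
    except ValueError:  # e.g. an octet above 255
        return None


def source_ip(received, bypass, hop=0):
    """Walk the headers from index `hop`, skipping addresses in `bypass`.

    Returns the first address that is not bypassed, or None when a header in the
    trusted part of the chain carries no address or every address is bypassed.
    """
    trusted = {str(ipaddress.IPv4Address(ip)) for ip in bypass}
    for header in received[hop:]:
        ip = from_ip(header)
        if ip is None:
            return None
        if ip not in trusted:
            return ip  # stop here: anything further down was supplied by this host
    return None


if __name__ == "__main__":
    for bypass in ([], ["12.161.104.8"], ["12.161.104.8", "127.0.0.1"]):
        print(bypass, "->", source_ip(RECEIVED, bypass))
```

With no bypass entries every message would be tested against the gateway's own address, and with only the gateway listed the amavisd loopback hand-off would be tested instead.
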
Re: [Declude.JunkMail] **OT** Intrusion Detection Software
At 10:02 AM 2/4/2004, Sharyn Schmidt wrote: I have been asked to research Intrusion Detection Software. I have done a Google search, but most of what I see is an actual appliance. All I am looking for is software that will notify me when something suspicious attempts to hit our network. Anyone have any suggestions? Sharyn As others have already suggested, Snort. It is by far the best. It will easily run on either *nix or windows. I ran it on windows for about 6 months, and then decided it would be easier to keep updated on a *nix platform. I found FreeBSD to be the best option for me. YMMV. -Russ
Re: [Declude.JunkMail] Manual
At 03:36 PM 1/23/2004, Mike K wrote: Scott: Your abilities as a writer are fine. I have seen many of your explanations on use of features and for most I think they would suffice. They just need to be put in the online manual at the same time you post a message to the list. I agree that beta features should not be in the main manual but could be listed in a separate change.log file or in a beta/interim release file. I agree with this completely. Just a simple change.log file that has the skeleton for the added test, and maybe just a brief definition, would be more than sufficient. I would imagine that Scott and his boys (and possibly girls.. :) probably keep some type of log like this anyways. But definitely keep this stuff out of the main manual. My .02. -Russ
Re: [Declude.JunkMail] OT zip from command prompt
At 08:13 AM 1/15/2004, ISPhuset Nordic AS wrote: Hi a little off topic Anyone knowing of a free or nearly free zip utility which can pack some files to a zip archive. unpacking isn't a problem It is a must that it can run from a command prompt WinRar. Its command line features blow WinZip out of the water. Very full featured, I think it's about $29.00. -Russ
RE: [Declude.JunkMail] OT zip from command prompt
At 08:47 AM 1/15/2004, ISPhuset Nordic AS wrote: Yes I know but I have to distribute this on 150 boxes and that is a lot of licenses :-) so free or nearly free are the keyword here Ohhh... I think WinRar is like $5.40 a license in that case, which is still pretty expensive. I _believe_ the unxutils have this capability, and they are free. http://unxutils.sourceforge.net/. Plus, you don't have to actually install them, you can just copy the directory to the machines. -Russ
Re: [Declude.JunkMail] Does Diskeeper Help on an imail server
At 12:47 PM 1/14/2004, Timothy Bohen wrote: My imail server is obviously hugely fragmented. If I spend the money on diskeeper will it be able to keep up with the fragmentation on a very busy imail server? I know this isn't a diskeeper mailing list but I always get the best/fastest answers on this list. Thanks I generally process about 200,000 messages per day (or roughly 2/sec.) Diskeeper made a world of difference on my server. I schedule it to do smart scheduling on off peak hours, and it has no problem keeping up. Well worth the money in my opinion. -Russ
RE: [Declude.JunkMail] Does Diskeeper Help on an imail server
At 01:54 PM 1/14/2004, Omar K. wrote: This is good stuff, other than the obvious scheduling capability, does diskeeper do a better job than the built-in defrag in windows server? I found that I had to run windows defrag a few times before it would effectively defrag the drive. By the time it was defragged, it was time to defrag again. So I use the scheduling feature in diskeeper, and I don't have to worry about it anymore. -Russ
Re: [Declude.JunkMail] Does Diskeeper Help on an imail server
At 02:29 PM 1/14/2004, Matt wrote: I'm wondering about similar things along these lines. I assume that Diskeeper does a better job and is more efficient and has nice reporting tools, but is this more of a convenience for those with lower volume servers? I'm particularly interested in the effect on RAID 5. I've never really used the reporting tools, and I don't know that they're really all that great. As far as my other servers (web, dns, file...) I just use the built in defrag utility, and that works great on those servers. -Russ
Re[4]: [Declude.JunkMail] SpamD/SpamC for Declude
At 05:05 PM 1/12/2004, Sanford Whiteman wrote: I guess that was a noble try... but it didn't work. Well, it probably worked, just not enough. :) Yeah, I'll buy that! :) I'm going to try to separate the spamd/spamc processes and see how that goes. That will alleviate the utilization issue, for sure. Depending on the age of your server, you should think about adding an additional processor. I find that that's one fun part about running mail on old boxes with new disks: as it gives you ability to scale up processing on the cheap as needed, while still giving peak performance for disk-starved tasks. A lot of people inadvertently err on the side of processor power by buying new boxes and ignoring DASD optimization. Unfortunately, this particular server is out of space for new drives internally. Now realistically, I could rebuild it and do it right, and it would probably last a very long time. When I got the server, it had 4 drives configured for Raid 5 in a single logical drive with 3 partitions. I added two more drives in a mirrored set, and moved the spool to this. That helped drastically. I may look into external scsi drives... I know this server is grossly underpowered for what I'm trying to do, but I inherited it this way, and I don't think I'm gonna get to buy a new one here anytime soon. The person before didn't understand how to spec out a mailserver. Gotcha. One thing you should know about that I'm building into SPAMC32 right now is a SKIPIFWEIGHT option that will return 0 immediately if a (Declude) weight has already been exceeded, thus saving processing for way out-of-range spam. Now that would be awesome. If there's anything I can do to help, let me know. I don't know much about VB (I think that's what it's written in?) but I'd be willing to help in any way I can.
Thanks, Russ
Re: [Declude.JunkMail] SpamD/SpamC for Declude
At 05:52 PM 1/12/2004, Matt wrote: Russ, I'm not sure what actions will result in bypassing Declude Virus, but HOLD and DELETE surely do. Since over 80% of E-mail is spam on the typical system, that should save you a great deal over processing everything with Virus, though JunkMail is where most of the processing goes when you are running custom filters. I'm not sure if you have upgraded to 1.77i7+ yet, but the SKIPIFWEIGHT, MAXWEIGHT and END functionality was a huge savings for my server. Even re-ordering your custom filters to put the bigger hogs with the least impact and rarest hits at the bottom was a big help with SKIPIFWEIGHT. Probably more than 80% of my spam never hits a custom filter, and 97% of my spam never hits every filter file. Yeah, I'm currently running 1.77i15 as of this morning, and I've been using your latest filters. Previously, I had to remove your old filters due to processing limitations, but the new ones are great!! Yeah, I guess it makes sense that if I'm stopping 160,000 of the messages with Junkmail, that I now only have to scan 40,000 messages for virii. I just upgraded to IMail 8 and am using WHITELIST AUTH and PREWHITELIST ON, and that also saves on processing. I'm nowhere near your utilization, but I hate to ever see my processors pegged due to the fact that the machine currently performs many tasks besides E-mail. I haven't yet turned those options on, but I guess I probably should. I hate to see a server this busy as well, but fortunately, all it does is mail. I'm still debating on a gateway mail server (like IMGate)... Still weighing all the Pros and Cons to try and determine if it's worth my time to learn a whole new mail server software package. Only time will tell... -Russ
Re: [Declude.JunkMail] SPAMC32 (SpamAssassin SPAMC for Declude) 0.5.55 released
At 03:57 AM 1/13/2004, Sanford Whiteman wrote: SPAMC32 0.5.55 is available for download at http://www.mailmage.com/download/software/freeutils/spamc32/release Users anticipating the big RegEx rollout will have to wait a little longer, but there are some very powerful new features and performance improvements in this release: - You can add a SKIPIFWEIGHT-type threshold to ensure that no SpamAssassin tests will be run if the message is already over a certain weight: SPAMC32 will pass (0) such messages immediately. See the -cw/-sw combo. Well, this did help considerably... but not quite enough. I moved the SpamD server onto a server that currently does nothing but DNS. It is a dual PIII 1GHz machine that usually runs between 0 and 5 % utilization. With SpamD running on it, it averaged about 70% utilization. Now my mailserver wasn't noticeably affected by the SpamC process. That was using a -sw entry of 20 (my hold weight) So, I think if I want to utilize SA, I'm going to have to do something drastic... I'm open to suggestions if anyone has any!! :) -Russ
Re: [Declude.JunkMail] SPAMC32 (SpamAssassin SPAMC for Declude) 0.5.55 released
At 11:30 AM 1/13/2004, Bill Landry wrote: Russ, a not too drastic option would be to run SA on a linux mail gateway sitting in front of your IMail server and then track the hit=xx.x header counts with Declude. That's what we do here, and it has worked great for us. With this configuration you could also set IMail to gateway all outbound mail to the SA box for all external mail delivery, thus taking this Bill... This is what I would like to do, but there are a couple issues/questions I have. 1. How do I reject messages with an invalid RCPT TO: command? 2. What size machine do I need? Let's say I process 200,000 messages a day, and I want to plan for 20% growth before this box is retired. I understand that fast hard drives and proper partitioning are still extremely important, but what about processor/memory requirements? I'm guessing this would be pretty high need as well. Thanks, Russ
RE: [Declude.JunkMail] 1.77i12 Bug: Aliases Counted in BYPASSMULTIRECP
At 09:23 AM 1/12/2004, R. Scott Perry wrote: The *ONLY* changes that were made were [1] To move the Msg failed logging from LOGLEVEL LOW to LOGLEVEL HIGH, and [2] To add a one-line summary to LOGLEVEL LOW. No other changes were made. LOGLEVEL MID is not involved (except that it will also get the one-line summary, as it incorporates everything from LOGLEVEL LOW). I think I heard mention at one time for there to be a line added to the LOGLEVEL LOW for the total weight of the message. Has any more thought gone into this? -Russ
[Declude.JunkMail] SpamD/SpamC for Declude
I'm trying to get this set up on a couple of test machines. It appears as if I have spamd up and running successfully. I can telnet to the ip address of the spamd server on port 783, and I see the message logged by spamd on the console. However, when I go to run spamc from a machine, it never connects. It just shows Loading... and then nothing. Any ideas. Thanks, Russ
Re: [Declude.JunkMail] SpamD/SpamC for Declude
At 10:02 AM 1/12/2004, Russ Uhte (Lists) wrote: I'm trying to get this set up on a couple of test machines. It appears as if I have spamd up and running successfully. I can telnet to the ip address of the spamd server on port 783, and I see the message logged by spamd on the console. However, when I go to run spamc from a machine, it never connects. It just shows Loading... and then nothing. Any ideas. Okay... forget this question... RTFM... Now the important question... for those of you using this, what percentage of your hold weight are you giving this test? Do most of you install SpamD on your mail server, or do you use the TCP/IP feature of SpamC? Thanks, Russ
Re: [Declude.JunkMail] SpamD/SpamC for Declude
At 11:10 AM 1/12/2004, Nick Hayer wrote: Hi Russ, I have it set for 8. I hold on 10 delete on 30. It runs on my mailserver. Awesome!! When you installed all the CPAN stuff, did you also install the HTML::parser? It told me when I went to make the spamassassin package, that it was missing. I just installed it, and all seems okay... -Russ
Re[2]: [Declude.JunkMail] SpamD/SpamC for Declude
At 12:39 PM 1/12/2004, Sanford Whiteman wrote: Okay... forget this question... RTFM... Wow, and here I thought I was still working on the manual. :) Yeah... not really the manual, but the spamd -? works too!! :) I just installed it on my server which is a pretty busy server. I think someone (you?) were looking for some performance stats, so here ya go. This server normally processes about 200,000 emails a day, running sniffer, most of the MailPure filters, and antivirus. Normally the processor utilization during peak times is right around 40-50% on a 1 minute average. Once I started the SpamD daemon and configured Declude to use SpamC, and disabled my filters, my processor utilization went straight to 100% and stayed there. I'm going to (hopefully) find a box to throw FreeBSD on and install the SpamD engine on it. I'll let you know what I see. Thanks, Russ
Re[3]: [Declude.JunkMail] SpamD/SpamC for Declude
At 01:23 PM 1/12/2004, Sanford Whiteman wrote: This server normally processes about 200,000 emails a day, running sniffer, most of the MailPure filters, and antivirus. Normally the processor utilization during peak times is right around 40-50% on a 1 minute average. That's pretty high to start out. Try lowering the priority of Perl.exe to Low and see if the server stabilizes. I guess that was a noble try... but it didn't work. I'm going to try to separate the spamd/spamc processes and see how that goes. I know this server is grossly underpowered for what I'm trying to do, but I inherited it this way, and I don't think I'm gonna get to buy a new one here anytime soon. The person before didn't understand how to spec out a mailserver. On a related note, does anyone know if there is any performance gain in having Junkmail or Virus running first? We currently scan for JunkMail first just to get an accurate count of the spam we receive. Thanks, Russ
Re: [Declude.JunkMail] Overflow
At 10:34 AM 12/22/2003, John Tolmachoff (Lists) wrote: If any one is experiencing the overflow folder filling up and it is not attributable to server load, please contact me. I am having this problem and am narrowing it down. John, Do you run Sniffer? If so, are you running the wide beta release? If so, make sure you're using the latest version. We saw this with all versions except the latest which I believe is 2-2b6. Which has been running as smooth as silk!! -Russ
[Declude.JunkMail] Log Analysis using unxutils
Greetings, I feel like I've been making progress teaching myself a lot about the log files, and the unix tools. I've created a batch file that will hopefully count the total number of viruses, the total number of vulnerabilities, a few spam tests, and finally the total number of messages. I'm passing this to the list in hopes that it may help someone else, and also in hopes that someone will say, "Hey, you can't do it like that!" or "Hey, here's a better way to do that!" So if I'm missing something, please let me know. Thanks, Russ

REM Virus Section
REM Count INFECTED lines that are not vulnerability reports
grep INFECTED s:\vir10*.log | grep -cv Vulnerability
REM Count unique queue IDs (field 3) that were flagged with a vulnerability
grep Vulnerability s:\vir10*.log | cut -d " " -f 3 | usort | uniq | grep -c Q

REM Spam Section
REM Collect the failed-test lines once into a temp file, then count each test
egrep -i "Msg failed WEIGHT20|Msg failed WEIGHT30|Msg failed SNIFFER" s:\dec10*.log > c:\batch\temp
grep -ic "Msg failed WEIGHT20" c:\batch\temp
grep -ic "Msg failed WEIGHT30" c:\batch\temp
grep -ic "Msg failed SNIFFER" c:\batch\temp

REM Total Message Section
grep -i SMTPD s:\sys10*.log | grep -ci "rcpt to:"
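The same counts as an added example, not part of the original post: a POSIX shell version that counts distinct queue IDs instead of log lines, so a message that fails both WEIGHT20 and WEIGHT30 is counted once in the spam total. The log layout (date, time, queue ID, text), the function names and every sample line are constructed assumptions, not real Declude or IMail output.

```shell
#!/bin/sh
# Added example. Assumed layout of Declude log lines (not confirmed by the post):
#   <date> <time> <queue-id> <text>      queue ids start with "Q"
# Every sample line written below is constructed.

write_samples() {
    dir=$1
    cat > "$dir/vir1001.log" <<'EOF'
10/01/2003 08:00:01 Q1a2b0001 File(s) are INFECTED [constructed virus A]
10/01/2003 08:00:01 Q1a2b0001 File(s) are INFECTED [constructed virus B]
10/01/2003 08:00:05 Q1a2b0002 Found Vulnerability (constructed)
10/01/2003 08:00:05 Q1a2b0002 File(s) are INFECTED [Vulnerability: constructed]
10/01/2003 08:01:10 Q1a2b0003 File(s) are INFECTED [constructed virus A]
10/01/2003 08:02:00 Q1a2b0004 Found Vulnerability (constructed)
EOF
    cat > "$dir/dec1001.log" <<'EOF'
10/01/2003 08:00:02 Q1a2b0010 Msg failed WEIGHT20 (constructed).
10/01/2003 08:00:02 Q1a2b0010 Msg failed SNIFFER (constructed).
10/01/2003 08:00:09 Q1a2b0011 Msg failed WEIGHT20 (constructed).
10/01/2003 08:00:09 Q1a2b0011 Msg failed WEIGHT30 (constructed).
10/01/2003 08:00:15 Q1a2b0012 Msg failed SNIFFER (constructed).
10/01/2003 08:00:20 Q1a2b0013 Msg failed OTHERTEST (constructed).
EOF
    cat > "$dir/sys1001.log" <<'EOF'
10/01/2003 08:00:00 SMTPD(Q1a2b0010) [192.0.2.10] MAIL FROM:<a@example.net>
10/01/2003 08:00:00 SMTPD(Q1a2b0010) [192.0.2.10] RCPT TO:<user1@example.com>
10/01/2003 08:00:00 SMTPD(Q1a2b0010) [192.0.2.10] RCPT TO:<user2@example.com>
10/01/2003 08:00:07 SMTPD(Q1a2b0011) [192.0.2.11] RCPT TO:<user1@example.com>
10/01/2003 08:00:09 SMTP-(Q1a2b0011) delivered (constructed)
EOF
}

# count_ids PATTERN FILE...
# Number of distinct queue ids on lines matching PATTERN (ERE, case-insensitive).
count_ids() {
    pattern=$1; shift
    grep -hiE -- "$pattern" "$@" | cut -d ' ' -f 3 | grep '^Q' |
        sort -u | wc -l | tr -d ' '
}

# Distinct messages with an INFECTED line that is not a vulnerability report.
# Counting ids, not lines, keeps a message with two virus hits from counting twice.
count_viruses() {
    grep -hi 'INFECTED' "$@" | grep -vi 'Vulnerability' |
        cut -d ' ' -f 3 | grep '^Q' | sort -u | wc -l | tr -d ' '
}

# Same measure as the batch file: one "rcpt to:" line per recipient, so this is
# a recipient count, and a two-recipient message adds two.
count_rcpt() {
    grep -hi 'SMTPD' "$@" | grep -ci 'rcpt to:' || true
}

report() {
    dir=$1
    echo "virus messages:          $(count_viruses "$dir"/vir*.log)"
    echo "vulnerability messages:  $(count_ids 'Vulnerability' "$dir"/vir*.log)"
    for t in WEIGHT20 WEIGHT30 SNIFFER; do
        echo "failed $t:         $(count_ids "Msg failed $t" "$dir"/dec*.log)"
    done
    # Per-test counts overlap; the union is the number of distinct spam messages.
    echo "distinct spam messages:  $(count_ids 'Msg failed (WEIGHT20|WEIGHT30|SNIFFER)' "$dir"/dec*.log)"
    echo "recipients accepted:     $(count_rcpt "$dir"/sys*.log)"
}

tmp=$(mktemp -d)
write_samples "$tmp"
report "$tmp"
rm -rf "$tmp"
```

On the constructed data the three per-test counts add up to 5 while only 3 distinct messages failed any of them, which is the overlap a line-based count hides.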
Re: [Declude.JunkMail] Delete based on word filter!
Well, my answer was that Declude can, but the risks of accidentally deleting good mail outweighed the convenience of not having to hit delete. She went over my head and got the bosses on her side. Now I've gotta have a meeting with them and come up with a solution. Any suggestions? I'm by no stretch of the word an expert, and I'm sure you'll get better advice from others on this list, but I would think the best option would be to have a per-user file for her account, and just apply the delete action to her account. That might work... Let us know what you come up with. -Russ
Re: [Declude.JunkMail] [OT] iMail 6.06 behind firewall
At 07:42 AM 10/6/2003, Jeff Maze - Hostmaster wrote: I know this is off-topic, but I've attempted numerous times to put our server behind a firewall, but upon doing so, the queue grows to an enormous proportion and the only way to clear it is to remove it from behind the firewall. Besides the normal ports 25, 110 and 80 (for web mail), do I also have to keep 1024-65525 open as well for iMail to work properly? Seems stupid to do since normal standardized e-mail should only use the above mentioned three ports (sendmail does). Where does your DNS server sit? If it isn't behind the firewall, you're gonna have to open up ports for DNS. I would recommend udp from mail IP src port 1024-65525 to DNS ip dst port 53. And also the opposite of that, udp from DNS IP src port 53 to mail ip dst port 1024-65525. As a side note, you won't need the reverse rule if your firewall can do UDP stateful inspection. Also, a big clue would be in your IMail logs. Post a clip of those, and I'm sure you'll find your answer. -Russ
[Declude.JunkMail] OT: Classless Reverse DNS Delegation and DNSStuff.com
Greetings- I've attempted to setup classless reverse DNS delegation for a customer of mine. I think I have it done correctly, but I don't understand exactly what I'm seeing on www.dnsstuff.com when I do a reverse DNS query. The specific address I'm testing is 12.161.105.129. It appears that if ns2.parallax.ws (my secondary, Windows NT NS server) resolves the request, all is okay. However if ns1.parallax.ws (my primary, Windows 2k NS server) resolves the request, I get the message that says An error occurred: I got a CNAME with no NS record. But both servers are setup identical (I think!!) Note... the error from ns2.parallax.ws is expected at this time!! Any inputs?? Thanks, Russ
RE: [Declude.JunkMail] Report System
If you would like to try it out let me know and I will make it available.. I'll jump on the bandwagon. I'd love to try that out as well. -Russ
Re: [Declude.JunkMail] DNS and MX record question
What is happening here is that the spammer is using their own software (spamware) to send the spam. Knowing that many people don't scan E-mail that comes through their backup mailserver(s), their spamware chooses to try the backup mailservers first. If your Exchange server isn't running any anti-spam or anti-virus, I would recommend removing it from the MX record. Here's my .02. Usually this spamware will do a normal DNS lookup and choose the MX record with the highest priority (which is wrong.) Make a 4th MX record that has the highest priority, and point it at your primary mail server. This will usually trick the spamware into sending to your primary mail server, and still keep your redundancy with real mailservers!! -Russ
[Declude.JunkMail] REDIRECT configuration
Finally getting around to updating my Declude Junkmail config. I would like to use the REDIRECT command, but want to make sure I'm using it correctly before throwing myself to the wolves! :) 1. Using the REDIRECT command, I don't need the domain folders. For example: I'm a mail gateway for example.com. I currently have a x:\imail\declude\example.com folder. Can this folder go away when the REDIRECT command is used properly? 2. In the archives, ( This message specifically http://www.mail-archive.com/[EMAIL PROTECTED]/msg09131.html) it says to put the configuration in the global.cfg file. However, if I'm reading the manual correctly, it says to put the configuration in $default$.junkmail. Just a little guidance please!! Thanks in Advance, Russ
Re: [Declude.JunkMail] REDIRECT configuration
2. In the archives, ( This message specifically http://www.mail-archive.com/[EMAIL PROTECTED]/msg09131.html) it says to put the configuration in the global.cfg file. However, if I'm reading the manual correctly, it says to put the configuration in $default$.junkmail. It should actually be the $default$.JunkMail file (technically, it can go in any file, but it needs to be whichever one Declude JunkMail is going to use to determine the actions to take on the E-mail, which would normally be the $default$.JunkMail file for incoming E-mail). So if it's a domain that is not housed on my server, the proper place for the redirect is in the global.cfg? Because the global.cfg is the file responsible for actions on this type of email!! Thanks, Russ
RE: [Declude.JunkMail] REDIRECT configuration
At 02:39 PM 7/9/2003, you wrote: I had this problem with a domain that was not on my server and wanted to use REDIRECT to point to another junkmail file. But it always used the outbound settings in the global.cfg. You said when I had the issue you were going to have this fixed in a future beta release. Has it been fixed The REDIRECT option was set up that way by design, and I'm not aware of any plans to change the behavior. So if I was only going to use the REDIRECT command with those types of domain, don't worry about it? I should just stay with the tried and true method? I'll agree with Kevin, this would be a nice feature for store-and-forward domains. That way I don't have to maintain a bunch of separate folders and files. Thanks, Russ
[Declude.JunkMail] Domlist or other Log tool
What I'm looking for is a way to monitor store and forward domains. It appears that the domlist tool doesn't count messages for these domains. Am I missing something with domlist, or does anybody know of a tool that will be able to give me stats like the following: Total number of messages (smtpd) for example.com. Total number of messages (smtp-) for example.com. How many viruses were stopped by Declude for example.com. And finally how many messages failed WEIGHT20 test for example.com. Any help would be greatly appreciated!! Thanks, Russ