RE: [Declude.JunkMail] Ever legit?
Thanks all!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Bilbee
Sent: Thursday, April 26, 2007 6:09 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Ever legit?

Do not accept mail with your own HELO; set up a HELO filter:

HELO 15 IS igive.com

Set it at your hold weight. Your actual server(s) IP addresses should already be whitelisted so it will not affect your internal mail routing.

Kevin Bilbee

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Robert Grosshandler
> Sent: Thursday, April 26, 2007 1:45 PM
> To: declude.junkmail@declude.com
> Subject: [Declude.JunkMail] Ever legit?
>
> Hi
>
> We get e-mails that contain the following header (or something
> similar):
>
> Received: from igive.com [71.250.241.101] by smtp.igive.com with ESMTP
> (SMTPD-9.20)
>
> The 71.xxx.xxx.xxx isn't ours. That IP can vary, but it is never ours.
>
> Are there any legit mailers that would send something in this form?
>
> If not, what's the best way to score this over my delete weight?
>
> Thanks,
>
> Rob

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Ever legit?
Do not accept mail with your own HELO; set up a HELO filter:

HELO 15 IS igive.com

Set it at your hold weight. Your actual server(s) IP addresses should already be whitelisted so it will not affect your internal mail routing.

Kevin Bilbee

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Robert Grosshandler
> Sent: Thursday, April 26, 2007 1:45 PM
> To: declude.junkmail@declude.com
> Subject: [Declude.JunkMail] Ever legit?
>
> Hi
>
> We get e-mails that contain the following header (or something
> similar):
>
> Received: from igive.com [71.250.241.101] by smtp.igive.com with ESMTP
> (SMTPD-9.20)
>
> The 71.xxx.xxx.xxx isn't ours. That IP can vary, but it is never ours.
>
> Are there any legit mailers that would send something in this form?
>
> If not, what's the best way to score this over my delete weight?
>
> Thanks,
>
> Rob
Re: [Declude.JunkMail] Ever legit?
It looks like you have SPF set up on your DNS. I would think that enabling the "SPFFail" test or adjusting the action/weight would correct your problem.

An email comes in, Declude looks up your SPF record from DNS and compares the IP with the list of trusted senders. It should fail the test with the email coming from addresses not in your SPF record.

----- Original Message -----
From: "Robert Grosshandler" <[EMAIL PROTECTED]>
To:
Sent: Thursday, April 26, 2007 3:45 PM
Subject: [Declude.JunkMail] Ever legit?

| Hi
|
| We get e-mails that contain the following header (or something similar):
|
| Received: from igive.com [71.250.241.101] by smtp.igive.com with ESMTP
| (SMTPD-9.20)
|
| The 71.xxx.xxx.xxx isn't ours. That IP can vary, but it is never ours.
|
| Are there any legit mailers that would send something in this form?
|
| If not, what's the best way to score this over my delete weight?
|
| Thanks,
|
| Rob
RE: [Declude.JunkMail] Ever legit?
Robert, you would use a filter file for this, e.g.

#First, escape this file if the source is on your own network
REMOTEIP END CIDR 208.100.26.0/24
REMOTEIP END CIDR 192.168.0.0/24

#Skip this whole test if we are already above a hold weight of 20
SKIPIFWEIGHT 25

#Apply a maximum total weight of 20 points
MAXWEIGHT 20

#These three penalty weights were constructed to prevent
#false positives where you are penalizing a hypothetical
#legitimate host, e.g. outbound.forgive.com

#Apply a penalty if the forged HELO is your exact domain name
HELO 20 IS igive.com

#Apply a penalty if the forged HELO contains a host in your domain name
HELO 20 ENDSWITH .igive.com

#Apply a tiny penalty if the HELO, forged or not, contains your domain
HELO 3 ENDSWITH give.com

I suggest that you always make the weights heavy enough to hold the message, because if you delete it and it was a false positive, you can't recover it.

A variation of this would be to get rid of the third test, and only keep the first two. Then set the weight to say, a single point instead of 20. Then in your global.cfg or your domain specific file, specify an action of HOLD.

Declude gives you a lot of flexibility to design the test you want, but this scratches the surface.

I hope that helps,

Andrew.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Robert Grosshandler
> Sent: Thursday, April 26, 2007 1:45 PM
> To: declude.junkmail@declude.com
> Subject: [Declude.JunkMail] Ever legit?
>
> Hi
>
> We get e-mails that contain the following header (or
> something similar):
>
> Received: from igive.com [71.250.241.101] by smtp.igive.com with ESMTP
> (SMTPD-9.20)
>
> The 71.xxx.xxx.xxx isn't ours. That IP can vary, but it is
> never ours.
>
> Are there any legit mailers that would send something in this form?
>
> If not, what's the best way to score this over my delete weight?
>
> Thanks,
>
> Rob
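The scoring logic of the filter file in the message above, sketched in Python as an added example (not part of the thread and not Declude's own code). It parses Received lines in the form Rob quoted and applies the same exemptions and weights; the function names, the reading of MAXWEIGHT as a cap on the total, and every sample line except Rob's header are assumptions constructed for illustration.

```python
import ipaddress
import re

# Values copied from the filter file in the thread.
OWN_NETWORKS = [ipaddress.ip_network(n) for n in ("208.100.26.0/24", "192.168.0.0/24")]
OWN_DOMAIN = "igive.com"
MAX_WEIGHT = 20  # assumed reading of MAXWEIGHT: cap on this filter's total

# "Received: from <helo> [<ip>] by <server> ..." as in the quoted header.
RECEIVED_RE = re.compile(r"^Received:\s+from\s+(\S+)\s+\[([0-9A-Fa-f.:]+)\]\s+by\s+\S+", re.I)

def parse_received(line):
    """Return (helo, remote_ip), or None when the line has another shape."""
    m = RECEIVED_RE.match(line.strip())
    if not m:
        return None
    try:
        return m.group(1).lower().rstrip("."), ipaddress.ip_address(m.group(2))
    except ValueError:  # bracketed text was not a valid IP address
        return None

def helo_weight(line):
    """Weight the filter would add for one Received line (0 = no penalty)."""
    parsed = parse_received(line)
    if parsed is None:
        return 0
    helo, ip = parsed
    if any(ip in net for net in OWN_NETWORKS):  # the REMOTEIP END CIDR lines
        return 0
    weight = 0
    if helo == OWN_DOMAIN:                 # HELO 20 IS igive.com
        weight += 20
    if helo.endswith("." + OWN_DOMAIN):    # HELO 20 ENDSWITH .igive.com
        weight += 20
    if helo.endswith("give.com"):          # HELO 3 ENDSWITH give.com
        weight += 3
    return min(weight, MAX_WEIGHT)

# First line is the header from the thread; the rest are constructed samples.
SAMPLES = [
    "Received: from igive.com [71.250.241.101] by smtp.igive.com with ESMTP",
    "Received: from igive.com [208.100.26.91] by smtp.igive.com with ESMTP",
    "Received: from outbound.forgive.com [203.0.113.7] by smtp.igive.com with ESMTP",
    "Received: from mail.example.net [198.51.100.9] by smtp.igive.com with ESMTP",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(helo_weight(s), s)
```

The third sample is the hypothetical outbound.forgive.com host from the filter comments: it only picks up the 3-point rule, which is why that rule is kept far below the hold weight.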
Re: [Declude.JunkMail] Ever legit?
A little more of the headers would be helpful.

It's a zombie of some flavor.
71.250.241.101 = static-71-250-241-101.nwrknj.east.verizon.net.

You could use a filter with

HELO 10 IS IGIVE.COM

----- Original Message -----
From: "Robert Grosshandler" <[EMAIL PROTECTED]>
To:
Sent: Thursday, April 26, 2007 3:45 PM
Subject: [Declude.JunkMail] Ever legit?

Hi

We get e-mails that contain the following header (or something similar):

Received: from igive.com [71.250.241.101] by smtp.igive.com with ESMTP (SMTPD-9.20)

The 71.xxx.xxx.xxx isn't ours. That IP can vary, but it is never ours.

Are there any legit mailers that would send something in this form?

If not, what's the best way to score this over my delete weight?

Thanks,

Rob
RE: [Declude.JunkMail] Ever legit?
You could try using a filter like this:

#Remote mail hosts connecting and announcing your IP addresses
HELO 10 CONTAINS 208.100.26.91

#Remote mail hosts connecting and announcing your hostnames
HELO 10 ENDSWITH igive.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Grosshandler
Sent: Thursday, April 26, 2007 4:45 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Ever legit?

Hi

We get e-mails that contain the following header (or something similar):

Received: from igive.com [71.250.241.101] by smtp.igive.com with ESMTP (SMTPD-9.20)

The 71.xxx.xxx.xxx isn't ours. That IP can vary, but it is never ours.

Are there any legit mailers that would send something in this form?

If not, what's the best way to score this over my delete weight?

Thanks,

Rob
[Declude.JunkMail] Ever legit?
Hi

We get e-mails that contain the following header (or something similar):

Received: from igive.com [71.250.241.101] by smtp.igive.com with ESMTP (SMTPD-9.20)

The 71.xxx.xxx.xxx isn't ours. That IP can vary, but it is never ours.

Are there any legit mailers that would send something in this form?

If not, what's the best way to score this over my delete weight?

Thanks,

Rob