Re: [Declude.JunkMail] HELO contains
We are seeing a case where the mail server will connect to itself. Check out the DNS for this spammer's domain: hotoptions.net It has no MX record, but an A record pointing to: 127.0.0.1 If an email from this domain is bounced due to a full mailbox, this will cause Imail to attempt to deliver the email to 127.0.0.1 which causes a mail loop. After 5 loops Imail kills it. Is there a Declude test we can use to block these based on the MX/A that the domain name resolves to? If not, perhaps the MAILFROM test could be modified to count this as a bad domain. The MAILFROM test will detect this in the next release. :) -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] HELO contains
Question.. I see more and more spams that is coming where the senders MTA is claiming to be the localhost As for example one of my servers is called imail.fament.com Latest spam that slipped through had following header Received: from imail.fament.com [66.81.201.98] by imail.fament.com (SMTPD32-7.13) id A7F38560150; Wed, 12 Mar 2003 16:42:59 -0600 Note that 66.81.201.98 is the spammers ip and do NOT belong to me. SOO.. My question is this.. Could I create a wordfilter rule that goes like HELO 10 CONTAINS imail.fament.com or will that shoot myself in the foot for some reason ? If it really is the HELO string then I don't see this as a problem since my understanding is that my mail server do NOT connect to itself and should then never send the helo imail.fament.com to itself ?! Best regards, Eje Gustafsson mailto:[EMAIL PROTECTED] --- The Family Entertainment Network http://www.fament.com Phone : 620-231- Fax : 620-231-4066 eBay UserID : macahan - Your Full Time Professionals - --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] HELO contains
SOO.. My question is this.. Could I create a wordfilter rule that goes like HELO 10 CONTAINS imail.fament.com or will that shoot myself in the foot for some reason ? That will work fine, just so long as you don't have any other mailservers that identify themselves as imail.fament.com. If your IMail server is the only one that does, the filter will work fine. If it really is the HELO string then I don't see this as a problem since my understanding is that my mail server do NOT connect to itself and should then never send the helo imail.fament.com to itself ?! Correct. There might be odd cases where the IMail server would connect to itself, but if that happens, you've got another problem on your hands (as it would cause a mail loop). -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re[2]: [Declude.JunkMail] HELO contains
Alright. Great. No the other mailserver identifies itself as backup.fament.com which I don't have declude on. On the other hand there. My backup mx server only forward mail. Do I have to get the Pro version of Declude or would Standard be enough ? I did throw out Webshield because it records the headers so badly that so much junkmail came in that direction. / Eje Wednesday, March 12, 2003, 5:17:33 PM, you wrote: SOO.. My question is this.. Could I create a wordfilter rule that goes like HELO 10 CONTAINS imail.fament.com or will that shoot myself in the foot for some reason ? RSP That will work fine, just so long as you don't have any other mailservers RSP that identify themselves as imail.fament.com. If your IMail server is RSP the only one that does, the filter will work fine. If it really is the HELO string then I don't see this as a problem since my understanding is that my mail server do NOT connect to itself and should then never send the helo imail.fament.com to itself ?! RSP Correct. There might be odd cases where the IMail server would connect to RSP itself, but if that happens, you've got another problem on your hands (as RSP it would cause a mail loop). RSP -Scott RSP --- RSP [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] RSP --- RSP This E-mail came from the Declude.JunkMail mailing list. To RSP unsubscribe, just send an E-mail to [EMAIL PROTECTED], and RSP type unsubscribe Declude.JunkMail. The archives can be found RSP at http://www.mail-archive.com. RSP --- RSP [This E-mail scanned for viruses by Declude Virus] Best regards, Eje Gustafsson mailto:[EMAIL PROTECTED] --- The Family Entertainment Network http://www.fament.com Phone : 620-231- Fax : 620-231-4066 eBay UserID : macahan - Your Full Time Professionals - --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re[2]: [Declude.JunkMail] HELO contains
Alright. Great. No the other mailserver identifies itself as backup.fament.com which I don't have declude on. On the other hand there. My backup mx server only forward mail. Do I have to get the Pro version of Declude or would Standard be enough ? The Standard version will work fine in this case. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] HELO contains
Scott, We are seeing a case where the mail server will connect to itself. Check out the DNS for this spammer's domain: hotoptions.net It has no MX record, but an A record pointing to: 127.0.0.1 If an email from this domain is bounced due to a full mailbox, this will cause Imail to attempt to deliver the email to 127.0.0.1 which causes a mail loop. After 5 loops Imail kills it. Is there a Declude test we can use to block these based on the MX/A that the domain name resolves to? If not, perhaps the MAILFROM test could be modified to count this as a bad domain. Bill -Original Message- From: R. Scott Perry Sent: Wed, 12 Mar 2003 18:17:33 -0500 Subject: Re: [Declude.JunkMail] HELO contains SOO.. My question is this.. Could I create a wordfilter rule that goes like HELO 10 CONTAINS imail.fament.com or will that shoot myself in the foot for some reason ? That will work fine, just so long as you don't have any other mailservers that identify themselves as imail.fament.com. If your IMail server is the only one that does, the filter will work fine. If it really is the HELO string then I don't see this as a problem since my understanding is that my mail server do NOT connect to itself and should then never send the helo imail.fament.com to itself ?! Correct. There might be odd cases where the IMail server would connect to itself, but if that happens, you've got another problem on your hands (as it would cause a mail loop). -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
