Re: [Declude.JunkMail] Lost One Account - Help Please

2003-07-11 Thread R. Scott Perry

 If you use LOGLEVEL MID, the log file will show which configuration
 file is used.

 I turned on the mid level and here is one of the entries that failed,
 looks like it is coming through my domain, my domain is the only one that
 is using the blacklist filter:

Sorry, my mistake.  It should have been LOGLEVEL HIGH (which will work on
v1.65 and later).

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] Lost One Account - Help Please

2003-07-11 Thread Christopher Franklin
Another easy thing you can do is use Imail Domain Processing Rules - to
delete all mail from a certain domain.

We use this feature by checking the From or the Sender.
Some junkmail comes from different sources but has a link in the body that's
the same; we check for Body Contains (the link) to catch it.


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Glenn Brooks
 Sent: Thursday, July 10, 2003 5:53 PM
 To: [EMAIL PROTECTED]
 Subject: [Declude.JunkMail] Lost One Account - Help Please


 I hate to continue to ask for assistance for the same problem, but I just
 can not figure it out.
 I lost a 300.00/month hosting account today due to continued spam getting
 through.

 Here is what I have: I have multiple domains. Only a couple run
 with their
 own directory within the Declude directory within the Imail Directory.
 The client that left for another hosting company was running off the same
 global.cfg file as my main domain.

 In the Global.cfg file I have a line of code like this:

 BLACKLISTDOMAIN filter E:\IMail\Declude\domainblacklist.txt x 20 0:

 I do not have any other line of code associated with this test in the
 global.cfg file.

 In the file named domainblacklist.txt I have the following lines of code
 (there are about 100 lines, on sep. lines):

 MAILFROM 20 CONTAINS hollywoodspecials.net
 MAILFROM 20 CONTAINS .hollywoodspecials.net

 Then in my junkmail file I have the following line of code:
 BLACKLISTDOMAIN DELETE


 I do not know if I am missing some code somewhere else or if I
 need to add
 something somewhere...I am just lost...
 and hate to lose another account, which a couple are threatening if I can
 not stop the spam from the same addresses.

 Any help or suggestions is greatly appreciated...I will even pay to have
 the problem solved...it's probably something
 I am not doing correctly.



 Glenn Brooks
 WebWize, Inc.
 713-688-4382
 http://www.webwize.com




RE: [Declude.JunkMail] Lost One Account - Help Please

2003-07-11 Thread Karen D. Oland
Make sure you DO NOT whitelist your own domain, ip address, the postmaster
or abuse email addresses.  Most of our ignore results for spam came when
one or more of these was whitelisted (especially postmaster or abuse -- real
mails never seem to have problems going there, but any spam that cc's the
postmaster or abuse mailboxes ends up getting whitelisted, causing huge
amounts to go thru if you don't remove those settings).

We block on HELO/EHLO with our domain name or IP and we also use the
spamdomains test to look for any email that pretends to be from us (our
domain name) and requires that the sending IP actually be listed with our
name (rather than whitelisting our domain). This also stopped a lot of spam
that used the HELO/EHLO or return address to pretend to be us.

So, in one filter file, we have (we hold at 15, the first two are our
address/name):

#   catch attempt to pretend to be us
HELO 15 CONTAINS staffingtech.com
HELO 15 CONTAINS 216.111.26.34
HELO 15 CONTAINS $domain
HELO  8  STARTSWITH  [
REVDNS 5 ENDSWITH .in-addr.arpa
#   prevent false positives internally (usually due to
#   forwarding false positives to correct person)
REVDNS -100 CONTAINS staffingtech.com
#   mail servers with no real name
HELO  10  ENDSWITH  0
HELO  10  ENDSWITH  1
HELO  10  ENDSWITH  2
HELO  10  ENDSWITH  3
HELO  10  ENDSWITH  4
HELO  10  ENDSWITH  5
HELO  10  ENDSWITH  6
HELO  10  ENDSWITH  7
HELO  10  ENDSWITH  8
HELO  10  ENDSWITH  9
#   many spams with our name in the mailfrom also contain two asterisks,
#   never seen it in legit mail
mailfrom 15 contains **

The spamdomains filter file contains:

staffingtech.com esper.com

amongst others (esper.com is our isp, a small local company). For most
people, you would enter only your own domain name. In the global.cfg,
comment out the two suggested lines:

#WHITELIST TODOMAIN postmaster@
#WHITELIST TODOMAIN abuse@

If you are using AUTOWHITELIST ON, make sure users do not enter
[EMAIL PROTECTED] (for your or their domain) or their own email address in the
address book or all spam comes thru (been there, done that, was hard to
find).

I personally think a whitelist problem is biting you, as we have seen that
when IGNORE was the action.

Karen Oland



RE: [Declude.JunkMail] Lost One Account - Help Please

2003-07-11 Thread Glenn Brooks

Thanks ... good advice
A couple of questions...when testing for an IP address, if I want to
filter a block of addresses what is the correct way to write this:

HELO 20 CONTAINS 216.111.26.

OR CAN

HELO 15 CONTAINS 216.111.26.0/24

Also is there a size limit with declude for the .txt files used to list IP 
addresses or domains, like there is in IMail?

Thanks in advance everyone...looks like our spam has really tightened up 
with all your suggestions...

gb 



RE: [Declude.JunkMail] Lost One Account - Help Please

2003-07-11 Thread R. Scott Perry

 A couple of questions...when testing for an IP address, if I want to
 filter a block of addresses what is the correct way to write this:

 HELO 20 CONTAINS 216.111.26.

 OR CAN

 HELO 15 CONTAINS 216.111.26.0/24

You would need to use HELO 20 CONTAINS 216.111.26. (for the filters,
Declude JunkMail never parses the search string in any way).

 Also is there a size limit with declude for the .txt files used to list IP
 addresses or domains, like there is in IMail?

No.  :)

   -Scott
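The literal-match behaviour described in the reply above, as an added example that is not part of the original thread and not Declude's code: a Python model of `FIELD weight OPERATOR string` filter lines. Assumptions: matching is case-insensitive, the weights of every matching line are summed, and the WARN/DELETE thresholds are illustrative; the sample filter and envelope values are constructed from strings quoted in this thread.

```python
"""Model of filter lines of the form: FIELD WEIGHT OPERATOR STRING.

Added illustration, not Declude's implementation. The search string is
compared as plain text, which is the behaviour the reply above describes.
"""
from dataclasses import dataclass

OPERATORS = {
    "CONTAINS": lambda value, needle: needle in value,
    "STARTSWITH": lambda value, needle: value.startswith(needle),
    "ENDSWITH": lambda value, needle: value.endswith(needle),
    "IS": lambda value, needle: value == needle,
}

# Assumed actions: the highest threshold reached decides what happens.
ACTIONS = [(20, "DELETE"), (10, "WARN")]

# Constructed filter file using the line syntax shown in this thread.
SAMPLE_FILTER = """\
# two ways of writing "a block of addresses"
HELO 20 CONTAINS 216.111.26.
HELO 15 CONTAINS 216.111.26.0/24
HELO 8 STARTSWITH [
# a domain with and without the leading dot
MAILFROM 20 CONTAINS hollywoodspecials.net
MAILFROM 20 CONTAINS .hollywoodspecials.net
"""


@dataclass(frozen=True)
class Rule:
    field: str
    weight: int
    op: str
    needle: str


def parse_filter(text):
    """Parse filter lines; blank lines and '#' comment lines are skipped."""
    rules = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)
        if len(parts) != 4 or parts[2].upper() not in OPERATORS:
            raise ValueError(f"line {number}: cannot parse {raw!r}")
        field, weight, op, needle = parts
        rules.append(Rule(field.upper(), int(weight), op.upper(), needle.lower()))
    return rules


def score(rules, envelope):
    """Return (total weight, list of search strings that matched)."""
    total, hits = 0, []
    for rule in rules:
        value = envelope.get(rule.field, "").lower()
        if OPERATORS[rule.op](value, rule.needle):
            total += rule.weight
            hits.append(rule.needle)
    return total, hits


def action_for(total):
    """Map a total weight to the assumed action."""
    for threshold, action in ACTIONS:
        if total >= threshold:
            return action
    return "DELIVER"


if __name__ == "__main__":
    rules = parse_filter(SAMPLE_FILTER)
    samples = [
        {"HELO": "216.111.26.34"},                       # prefix form matches
        {"HELO": "[216.111.26.34]"},                     # bracketed literal
        {"HELO": "adsl-5.216.111.26.isp.example"},       # unrelated host, still matches
        {"MAILFROM": "offers@hollywoodspecials.net"},    # dotted line does not match
        {"MAILFROM": "offers@mail.hollywoodspecials.net"},  # both lines match
        {"MAILFROM": "offers@nothollywoodspecials.net"},    # undotted line over-matches
    ]
    for envelope in samples:
        total, hits = score(rules, envelope)
        print(envelope, total, hits, action_for(total))
```

The `0/24` line never fires because no HELO string contains that text, and under these assumptions the dotted and undotted domain lines stack for any subdomain sender.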


Re: [Declude.JunkMail] Lost One Account - Help Please

2003-07-11 Thread Bill Landry
- Original Message - 
From: Karen D. Oland [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, July 11, 2003 9:12 AM
Subject: RE: [Declude.JunkMail] Lost One Account - Help Please


 Make sure you DO NOT whitelist your own domain, ip address, the postmaster

I agree with everything you have stated except, whitelisting your own IP
address is fine, since that is not tied to how the HELO is presented by the
connecting mail server.  The IP address of the connecting mail server is not
something that would be trivial to forge (which again has nothing to do with
the HELO string), and if you have set up your border router or firewall to
block spoofing attempts, then it becomes virtually impossible that any other
system could connect using your own IP address (in fact, even if they did
connect to you with your own IP address, your system would think it was
talking to itself and would most likely not send anything back to the
connecting mail server).

 HELO  10  ENDSWITH  0
 HELO  10  ENDSWITH  1
 HELO  10  ENDSWITH  2
 HELO  10  ENDSWITH  3
 HELO  10  ENDSWITH  4
 HELO  10  ENDSWITH  5
 HELO  10  ENDSWITH  6
 HELO  10  ENDSWITH  7
 HELO  10  ENDSWITH  8
 HELO  10  ENDSWITH  9

In addition to the above, since I do not believe that any of these
characters is legal in an e-mail address, hostname, or RDNS, why not also
add the following to your filter files:

HELO -10 CONTAINS `
HELO -10 CONTAINS ~
HELO -10 CONTAINS !
HELO -10 CONTAINS #
HELO -10 CONTAINS $
HELO -10 CONTAINS %
HELO -10 CONTAINS ^
HELO -10 CONTAINS 
HELO -10 CONTAINS *
HELO -10 CONTAINS (
HELO -10 CONTAINS )
HELO -10 CONTAINS =
HELO -10 CONTAINS +
HELO -10 CONTAINS [
HELO -10 CONTAINS ]
HELO -10 CONTAINS {
HELO -10 CONTAINS }
HELO -10 CONTAINS \
HELO -10 CONTAINS |
HELO -10 CONTAINS ;
HELO -10 CONTAINS :
HELO -10 CONTAINS '
HELO -10 CONTAINS 
HELO -10 CONTAINS ,
HELO -10 CONTAINS 
HELO -10 CONTAINS 
HELO -10 CONTAINS /
HELO -10 CONTAINS ?
-
MAILFROM  10  ENDSWITH  0
MAILFROM  10  ENDSWITH  1
MAILFROM  10  ENDSWITH  2
MAILFROM  10  ENDSWITH  3
MAILFROM  10  ENDSWITH  4
MAILFROM  10  ENDSWITH  5
MAILFROM  10  ENDSWITH  6
MAILFROM  10  ENDSWITH  7
MAILFROM  10  ENDSWITH  8
MAILFROM  10  ENDSWITH  9
MAILFROM -10 CONTAINS `
MAILFROM -10 CONTAINS ~
MAILFROM -10 CONTAINS !
MAILFROM -10 CONTAINS #
MAILFROM -10 CONTAINS $
MAILFROM -10 CONTAINS %
MAILFROM -10 CONTAINS ^
MAILFROM -10 CONTAINS 
MAILFROM -10 CONTAINS *
MAILFROM -10 CONTAINS (
MAILFROM -10 CONTAINS )
MAILFROM -10 CONTAINS =
MAILFROM -10 CONTAINS +
MAILFROM -10 CONTAINS [
MAILFROM -10 CONTAINS ]
MAILFROM -10 CONTAINS {
MAILFROM -10 CONTAINS }
MAILFROM -10 CONTAINS \
MAILFROM -10 CONTAINS |
MAILFROM -10 CONTAINS ;
MAILFROM -10 CONTAINS :
MAILFROM -10 CONTAINS '
MAILFROM -10 CONTAINS 
MAILFROM -10 CONTAINS ,
MAILFROM -10 CONTAINS 
MAILFROM -10 CONTAINS 
MAILFROM -10 CONTAINS /
MAILFROM -10 CONTAINS ?
-
REVDNS  10  ENDSWITH  0
REVDNS  10  ENDSWITH  1
REVDNS  10  ENDSWITH  2
REVDNS  10  ENDSWITH  3
REVDNS  10  ENDSWITH  4
REVDNS  10  ENDSWITH  5
REVDNS  10  ENDSWITH  6
REVDNS  10  ENDSWITH  7
REVDNS  10  ENDSWITH  8
REVDNS  10  ENDSWITH  9

REVDNS -10 CONTAINS `
REVDNS -10 CONTAINS ~
REVDNS -10 CONTAINS !
REVDNS -10 CONTAINS #
REVDNS -10 CONTAINS $
REVDNS -10 CONTAINS %
REVDNS -10 CONTAINS ^
REVDNS -10 CONTAINS 
REVDNS -10 CONTAINS *
REVDNS -10 CONTAINS (
REVDNS -10 CONTAINS )
REVDNS -10 CONTAINS =
REVDNS -10 CONTAINS +
REVDNS -10 CONTAINS [
REVDNS -10 CONTAINS ]
REVDNS -10 CONTAINS {
REVDNS -10 CONTAINS }
REVDNS -10 CONTAINS \
REVDNS -10 CONTAINS |
REVDNS -10 CONTAINS ;
REVDNS -10 CONTAINS :
REVDNS -10 CONTAINS '
REVDNS -10 CONTAINS 
REVDNS -10 CONTAINS ,
REVDNS -10 CONTAINS 
REVDNS -10 CONTAINS 
REVDNS -10 CONTAINS /
REVDNS -10 CONTAINS ?

Bill



Re: [Declude.JunkMail] Lost One Account - Help Please

2003-07-11 Thread Bill Landry
Oops, remove the minus - from all of these (that's what happens when you
copy and paste from the wrong line).

Bill


RE: [Declude.JunkMail] Lost One Account - Help Please

2003-07-11 Thread Karen D. Oland
I just hope you don't include either of the below (since that range includes
are very valid email server and probably a few more).

Use the single address of your own server (since the problem is people
pretending to be YOU, not ME (I hope)).

Karen

 -Original Message-
 From: Glenn Brooks

 A couple of questions...when testing for an IP address, if I want to
 filter a block of addresses what is the correct way to write this:

 HELO 20 CONTAINS 216.111.26.

 OR CAN

 HELO 15 CONTAINS 216.111.26.0/24



RE: [Declude.JunkMail] Lost One Account - Help Please

2003-07-11 Thread Karen D. Oland
I've seen connects that used our IP address as their HELO/EHLO strings.
Same for using our domain name (none were able to deliver their mail, most
were relay attempts).

Interesting list. I may add it, after reviewing some of the mailfrom
characters (I see more and more bad mailfroms, most so they can track
bounces, I would assume).

Karen

 -Original Message-
 From: Bill Landry

 I agree with everything you have stated except, whitelisting your own IP
 address is fine, since that is not tied to how the HELO is presented by the
 connecting mail server.  The IP address of the connecting mail server is not
 something that would be trivial to forge (which again has nothing to do with
 the HELO string), and if you have set up your border router or firewall to
 block spoofing attempts, then it becomes virtually impossible that any other
 system could connect using your own IP address (in fact, even if they did
 connect to you with your own IP address, your system would think it was
 talking to itself and would most likely not send anything back to the
 connecting mail server).



RE: [Declude.JunkMail] Lost One Account - Help Please

2003-07-11 Thread Karen D. Oland
Aarrgh.  I meant to say, that includes OUR very valid mail server in that
range.

What Glenn should do is block servers pretending to be HIS domain (so, he
should use HIS ip address in the HELO line), not any type of range. Range
blocking would be more appropriate for blocking blocks of numbers used by
spammers (usually cable or dial-up).

Karen



Re: [Declude.JunkMail] Lost One Account - Help Please

2003-07-11 Thread Bill Landry
- Original Message - 
From: Karen D. Oland [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, July 11, 2003 12:28 PM
Subject: RE: [Declude.JunkMail] Lost One Account - Help Please


 I've seen connects that used our IP address as their HELO/EHLO strings.
 Same for using our domain name (none were able to deliver their mail, most
 were relay attempts).

Yep, we see lots of HELO announcements using our IP addresses, as well,
however, that still has nothing to do with, nor will it have any effect on,
whitelisting your mail server's IP addresses.  Whitelisting the IP address
applies to the real IP that connected to your system, not what is announced in
the HELO/EHLO string.

Bill



RE: [Declude.JunkMail] Lost One Account - Help Please

2003-07-11 Thread Glenn Brooks
OK thanks...will just use mine and very specific addresses...

One other question:

When adding a line to the domain list, what/when is the correct method of 
adding a . before a domain, for example:

HELO 20 CONTAINS .gstassoc.com

The from addresses usually do not show additional aliases, but when looking
at the header information I usually see an alias before the domain.

thanks in advance...the spam is really down since all of you have provided
me with answers...thanks everyone

gb



Glenn Brooks
WebWize, Inc.
713-688-4382
http://www.webwize.com 



RE: [Declude.JunkMail] Lost One Account - Help Please

2003-07-11 Thread Karen D. Oland
Sorry, I didn't mean to imply that whitelisting my IP had anything to do
with the HELO. And, yes, we do block spoofing at the router. At least one or
two people in the past, however, have seemed to have problems with spam
attacks that were resolved by removing their own IP's from whitelists.

There should not be any real reason to whitelist your mail server anyway,
however. Unless you have some type of web service on the same machine that
is sending out malformed emails that the server needs to skip when
processing for spam?

Karen

 -Original Message-
 From: Bill Landry

 Yep, we see lots of HELO announcements using our IP addresses, as well,
 however, that still has nothing to do with, nor will it have any effect on,
 whitelisting your mail server's IP addresses.  Whitelisting the IP address
 applies to the real IP that connected to your system, not what is announced in
 the HELO/EHLO string.



RE: [Declude.JunkMail] Lost One Account - Help Please

2003-07-11 Thread Karen D. Oland
Glenn,

I look up the HELO strings in the LOG*.TXT files. Most of the time you can
match on IS for the IP address, instead of CONTAINS, but it does depend on
the string.  Some of the ones trying to relay thru us recently is
http://monoin.com, another is www.xyz34.uk.co.sg.  So, it depends on what
you see them trying to use. The mailfrom field may or may not be related to
the HELO field. In yesterday's log, I see:

20030710 022238 127.0.0.1   SMTPD (08DE0134) [207.229.190.23] EHLO cliff.bigcitytools.com
20030710 022239 127.0.0.1   SMTPD (08DE0134) [207.229.190.23] MAIL FROM:[EMAIL PROTECTED]

and

20030710 043322 127.0.0.1   SMTPD (0AFA0138) [211.218.205.189] HELO http://monoin.com
20030710 043323 127.0.0.1   SMTPD (0AFA0138) [211.218.205.189] MAIL FROM:[EMAIL PROTECTED]

and

20030710 070555 127.0.0.1   SMTPD (032A0150) [218.70.150.101] EHLO www.xyz34.uk.co.sg
20030710 070556 127.0.0.1   SMTPD (032A0150) [218.70.150.101] MAIL FROM:[EMAIL PROTECTED]

These were just some of the relay attempts yesterday (and monoin.com wins
the persistency race for the day, with the most connects and attempts). For
big spammers, first locate the message ID in the headers or DEC*.TXT log,
then use the LOG*.TXT log to find the HELO (if you don't include it in your
headers).

More than likely, just dropping those whitelist entries will have resolved
most of your problems.

Karen

 -Original Message-
 From: Glenn Brooks

 One other question:

 When adding a line to the domain list, what/when is the correct method of
 adding a . before a domain, for example:

 HELO 20 CONTAINS .gstassoc.com

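The log lookup described in the message above, as an added example that is not part of the original thread: a Python script that pairs the HELO/EHLO and MAIL FROM lines of each session and flags sessions whose HELO claims to be the local server while the bracketed connecting address is someone else's. The line layout is inferred from the excerpts quoted above; `OWN_DOMAIN`, `OWN_IPS`, the session ids and all sample lines are constructed, and session ids are assumed not to repeat within the log being read.

```python
"""Correlate HELO/EHLO and MAIL FROM per SMTP session in an IMail-style log.

Added illustration: the layout is inferred from the excerpts in this thread
and every sample line is constructed (documentation address ranges).
"""
import re
from collections import Counter

LINE = re.compile(
    r"^\d{8} \d{6} \S+\s+SMTPD \((?P<sid>[0-9A-Fa-f]+)\) "
    r"\[(?P<peer>[0-9.]+)\] (?P<verb>EHLO|HELO|MAIL FROM:)\s*(?P<arg>\S*)"
)

OWN_DOMAIN = "example.org"   # assumption: the domain this server hosts
OWN_IPS = {"192.0.2.10"}     # assumption: this mail server's real address

# Constructed log lines in the layout quoted above.
SAMPLE_LOG = """\
20030710 022238 127.0.0.1   SMTPD (0A000001) [198.51.100.23] EHLO relay.example.net
20030710 022239 127.0.0.1   SMTPD (0A000001) [198.51.100.23] MAIL FROM:<news@example.net>
20030710 043322 127.0.0.1   SMTPD (0A000002) [203.0.113.189] HELO 192.0.2.10
20030710 043323 127.0.0.1   SMTPD (0A000002) [203.0.113.189] MAIL FROM:<sales@example.org>
20030710 070555 127.0.0.1   SMTPD (0A000003) [203.0.113.77] EHLO mail.example.org
20030710 070556 127.0.0.1   SMTPD (0A000003) [203.0.113.77] MAIL FROM:<info@example.com>
20030710 081500 127.0.0.1   SMTPD (0A000004) [192.0.2.10] EHLO mail.example.org
20030710 081501 127.0.0.1   SMTPD (0A000004) [192.0.2.10] MAIL FROM:<webform@example.org>
20030710 090000 127.0.0.1   SMTPD (0A000005) [203.0.113.189] HELO [192.0.2.10]
"""


def parse_sessions(log_text):
    """Return {session id: {'peer', 'helo', 'mailfrom'}} in log order."""
    sessions = {}
    for line in log_text.splitlines():
        match = LINE.match(line)
        if not match:
            continue  # other SMTP verbs and unrelated lines are ignored
        entry = sessions.setdefault(
            match["sid"], {"peer": match["peer"], "helo": None, "mailfrom": None}
        )
        if match["verb"] == "MAIL FROM:":
            entry["mailfrom"] = match["arg"].strip("<>")
        else:
            entry["helo"] = match["arg"].lower()
    return sessions


def helo_claims_us(helo):
    """True when the HELO argument names our domain or one of our addresses."""
    name = helo.strip("[]")
    return (
        name in OWN_IPS
        or name == OWN_DOMAIN
        or name.endswith("." + OWN_DOMAIN)
    )


def forged_helo_sessions(sessions):
    """Session ids whose HELO claims to be us while the peer address is not ours."""
    return [
        sid
        for sid, info in sessions.items()
        if info["helo"] and helo_claims_us(info["helo"]) and info["peer"] not in OWN_IPS
    ]


def repeat_offenders(sessions):
    """Count forged sessions per connecting address, most persistent first."""
    forged = forged_helo_sessions(sessions)
    return Counter(sessions[sid]["peer"] for sid in forged).most_common()


if __name__ == "__main__":
    parsed = parse_sessions(SAMPLE_LOG)
    for sid in forged_helo_sessions(parsed):
        print(sid, parsed[sid])
    print(repeat_offenders(parsed))
```

The decision uses the bracketed peer address, not the HELO text, which is why the local server's own session is not flagged even though its HELO names the same host.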


[Declude.JunkMail] Lost One Account - Help Please

2003-07-10 Thread Glenn Brooks
I hate to continue to ask for assistance for the same problem, but I just 
can not figure it out.
I lost a 300.00/month hosting account today due to continued spam getting 
through.

Here is what I have: I have multiple domains. Only a couple run with their 
own directory within the Declude directory within the Imail Directory.
The client that left for another hosting company was running off the same 
global.cfg file as my main domain.

In the Global.cfg file I have a line of code like this:

BLACKLISTDOMAIN filter E:\IMail\Declude\domainblacklist.txt x 20 0:

I do not have any other line of code associated with this test in the
global.cfg file.

In the file named domainblacklist.txt I have the following lines of code
(there are about 100 lines, on sep. lines):

MAILFROM 20 CONTAINS hollywoodspecials.net
MAILFROM 20 CONTAINS .hollywoodspecials.net

Then in my junkmail file I have the following line of code:
BLACKLISTDOMAIN DELETE

I do not know if I am missing some code somewhere else or if I need to add 
something somewhere...I am just lost...
and hate to lose another account, which a couple are threatening if I can 
not stop the spam from the same addresses.

Any help or suggestions is greatly appreciated...I will even pay to have 
the problem solved...it's probably something
I am not doing correctly.



Glenn Brooks
WebWize, Inc.
713-688-4382
http://www.webwize.com 



Re: [Declude.JunkMail] Lost One Account - Help Please

2003-07-10 Thread Rifat Levis
Hello Glenn ,

Here is what I am doing to get rid of this kind of spammer.
In my global.cfg I create
Atlasfilter filter E:\IMail\Declude\atlasfilter.txt x   0   0
I create a file atlasfilter.txt in the declude folder

In the config file i have
WEIGHT10 weight  x x 10 0
WEIGHT15 weight  x x 15 0
WEIGHT20 weight  x x 20 0

Junkmail file
WEIGHT10 WARN
WEIGHT15 WARN
WEIGHT20 DELETE

Now that you can see weight 20 deleting the mail

Write in the atlasfilter.txt
helo 20 contains ommo.net
helo 20 contains 212.64.200.32
etc.
It will delete the mail


I put   == E:\IMail\Declude\atlasfilter.txt x   0   0
zero as weight to filter because later in the txt file I will add some
different weights
example
mailfrom 10 [EMAIL PROTECTED]
Here it will just add weight 10 without deleting.

I have made very few changes to the real global.cfg and junkmail files;
I am adding everything else to my filter file, which makes everything
very easy.

example :  The biggest spammer in my country sells software and a CD with
10 million mail addresses; the guy's software opens a connection
with HELO OMMO.NET
As soon as I found this unchanged field, I added it to my filter text.



Good Luck

Rifat Levis


- Original Message - 
From: Glenn Brooks [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, July 11, 2003 3:53 AM
Subject: [Declude.JunkMail] Lost One Account - Help Please


I hate to continue to ask for assistance for the same problem, but I just
can not figure it out.
I lost a 300.00/month hosting account today due to continued spam getting
through.

Here is what I have: I have multiple domains. Only a couple run with their
own directory within the Declude directory within the Imail Directory.
The client that left for another hosting company was running off the same
global.cfg file as my main domain.

In the Global.cfg file I have a line of code like this:

BLACKLISTDOMAIN filter E:\IMail\Declude\domainblacklist.txt x 20 0:

I do not have any other line of code associated with this test in the
global.cfg file.

In the file named domainblacklist.txt I have the following lines of code
(there are about 100 lines, on sep. lines):

MAILFROM 20 CONTAINS hollywoodspecials.net
MAILFROM 20 CONTAINS .hollywoodspecials.net

Then in my junkmail file I have the following line of code:
BLACKLISTDOMAIN DELETE


I do not know if I am missing some code somewhere else or if I need to add
something somewhere...I am just lost...
and hate to lose another account, which a couple are threatening if I can
not stop the spam from the same addresses.

Any help or suggestions is greatly appreciated...I will even pay to have
the problem solved...it's probably something
I am not doing correctly.



Glenn Brooks
WebWize, Inc.
713-688-4382
http://www.webwize.com




Re: [Declude.JunkMail] Lost One Account - Help Please

2003-07-10 Thread R. Scott Perry

> In the Global.cfg file I have a line of code like this:
>
> BLACKLISTDOMAIN filter E:\IMail\Declude\domainblacklist.txt x 20 0:
>
> I do not have any other line of code associated with this test in the
> global.cfg file.

That will add a weight of 20 to any E-mail that meets the criteria of the 
filter, but will not do anything else.

> In the file named domainblacklist.txt I have the following lines of code
> (there are about 100 lines, on sep. lines):
>
> MAILFROM 20 CONTAINS hollywoodspecials.net
> MAILFROM 20 CONTAINS .hollywoodspecials.net

OK.

> Then in my junkmail file I have the following line of code:
> BLACKLISTDOMAIN DELETE

The questions here include:

[1] Is that junkmail file the one being used for E-mail to the domain in 
question (IE do you have any per-user or per-domain configurations)?
[2] Could the E-mail to the domain in question be considered outgoing 
E-mail (if the E-mail is a gateway domain, that is not stored locally)?
[3] If per-user or per-domain settings are being used, are there any user 
aliases or host aliases involved?
[4] The obvious (to me) question: Do the E-mails that aren't getting 
deleted have hollywoodspecials.net in the return address (the 
X-Declude-Sender: header or the MAIL FROM line in the SMTP log file; 
these are often different than the From:, Reply-To:, Sender: or other 
similar headers)?
[5] What do the log files show for this E-mail (which narrows it down to 
being a problem with the test, or the actions that are being used on it)?

   -Scott


Re: [Declude.JunkMail] Lost One Account - Help Please

2003-07-10 Thread Glenn Brooks



>> Then in my junkmail file I have the following line of code:
>> BLACKLISTDOMAIN DELETE
>
> The questions here include:
>
> [1] Is that junkmail file the one being used for E-mail to the domain in
> question (IE do you have any per-user or per-domain configurations)?

Yes, this file is used for the domain in question and webwize.com, the main 
domain

> [2] Could the E-mail to the domain in question be considered outgoing
> E-mail (if the E-mail is a gateway domain, that is not stored locally)?

All email is stored locally...I do not think the email was outgoing, since 
it was being received by the client, and I received some as well, under the 
webwize.com domain.

> [3] If per-user or per-domain settings are being used, are there any user
> aliases or host aliases involved?

No

> [4] The obvious (to me) question: Do the E-mails that aren't getting
> deleted have hollywoodspecials.net in the return address (the
> X-Declude-Sender: header or the MAIL FROM line in the SMTP log file;
> these are often different than the From:, Reply-To:, Sender: or
> other similar headers)?

The email that was sent to me at this email address, [EMAIL PROTECTED] 
from the hollywoodspecials.net had the email in the from address, it was 
also in the X-Declude-Sender, they were identical for these particular emails.

> [5] What do the log files show for this E-mail (which narrows it down to
> being a problem with the test, or the actions that are being used on it)?

I will have to watch for this... the thing I noticed last night and today 
was the following in the declude log files, but am not sure they were for 
these exact emails, but I have this continually in the declude log files.

07/10/2003 20:11:42 Q0eb9c314012eb215 Msg failed BLACKLISTIP ( This is a 
spam IP address). Action=IGNORE.
07/10/2003 20:11:42 Q0eb9c314012eb215 Msg failed BLACKLISTDOMAIN (Message 
failed BLACKLISTDOMAIN test (120)). Action=IGNORE.

Then a couple of lines down I will have:

07/10/2003 20:12:59 Q0f07c404012ee48a Msg failed BLACKLISTIP ( This is a 
spam IP address). Action=DELETE.
07/10/2003 20:12:59 Q0f07c404012ee48a Msg failed BLACKLISTDOMAIN (Message 
failed BLACKLISTDOMAIN test (132)). Action=DELETE.

This is what has me confused, it seems to catch the tests, sometimes

thanks for the help...

gb







Re: [Declude.JunkMail] Lost One Account - Help Please

2003-07-10 Thread R. Scott Perry

> I will have to watch for this... the thing I noticed last night and today
> was the following in the declude log files, but am not sure they were for
> these exact emails, but I have this continually in the declude log files.
>
> 07/10/2003 20:11:42 Q0eb9c314012eb215 Msg failed BLACKLISTIP ( This is a
> spam IP address). Action=IGNORE.
> 07/10/2003 20:11:42 Q0eb9c314012eb215 Msg failed BLACKLISTDOMAIN (Message
> failed BLACKLISTDOMAIN test (120)). Action=IGNORE.
>
> Then a couple of lines down I will have:
>
> 07/10/2003 20:12:59 Q0f07c404012ee48a Msg failed BLACKLISTIP ( This is a
> spam IP address). Action=DELETE.
> 07/10/2003 20:12:59 Q0f07c404012ee48a Msg failed BLACKLISTDOMAIN (Message
> failed BLACKLISTDOMAIN test (132)). Action=DELETE.
>
> This is what has me confused, it seems to catch the tests, sometimes

That is the normal behavior.  Declude JunkMail doesn't use the same actions 
for all E-mails that fail a given test.  This means that the first E-mail 
used a configuration file that uses the IGNORE action (or those two tests 
weren't listed in the config files), but the second one uses the DELETE 
action.  So some E-mails use one configuration file, sometimes there are 
E-mails that use another configuration file.

If you use LOGLEVEL MID, the log file will show which configuration file 
is used.

   -Scott


Re: [Declude.JunkMail] Lost One Account - Help Please

2003-07-10 Thread Glenn Brooks

> Write in the atlasfilter.txt
> helo 20 contains ommo.net
> helo 20 contains 212.64.200.32

I will adjust mine to match this and give it a try

Can I use the following for IPs

helo 20 contains 212.64.200.0/24

to cover more IP addresses?

Thanks for the suggestions...

gb 



Re: [Declude.JunkMail] Lost One Account - Help Please

2003-07-10 Thread Glenn Brooks
That is a great suggestion.

...looks like your configuration is working so far... and setting the log to 
mid helps sort out the log files... when at low it showed the test 
ignored, while looking at it at MID set, it shows ignore and then further 
down the log it deletes after finishing all tasks

Thanks for all your help...

gb

At 05:05 AM 7/11/2003 +0300, you wrote:
> Glenn,
>
> In fact 212.64.200.32 is my server IP address.
> Many spammers try to fool your mail server by using your mail server's
> IP address as the HELO.
> Every mail server starts talking as follows: HELO(EHLO) myhostname.com
> But many spammers use HELO(EHLO) 212.64.200.32
> 212.64.200.32 is my server IP address.
> The remote mail server name cannot be my IP address :)
> This is a spammer trick which can work with very old mail servers.
> That's why I am deleting every mail which contains HELO(EHLO) 212.64.200.32
> I am catching more than 20% of spam like this.
> And be sure this is 100% spam.
> I have never seen a mail server using the remote mail server name.
> Rifat Levis







- Original Message -
From: Glenn Brooks [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, July 11, 2003 4:50 AM
Subject: Re: [Declude.JunkMail] Lost One Account - Help Please



Write in the atlasfilter.txt
helo 20 contains ommo.net
helo 20 contains 212.64.200.32
I will adjust mine to match this and give it a try

Can I use the following for IPs

helo 20 contains 212.64.200.0/24

to cover more IP addresses?

Thanks for the suggestions...

gb

Glenn Brooks
WebWize, Inc.
713-688-4382
http://www.webwize.com 

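
The weighted filter file and the HELO own-address check discussed in this thread, as an added Python model (not Declude's code and not something posted to the list). It assumes CONTAINS is a plain substring match and that matching weights add up; `OWN_NETS`, the `mailfrom` sample and all function names are constructed for illustration.

```python
import ipaddress

# Constructed filter file in the thread's "<field> <weight> contains <text>" form.
FILTER_LINES = """\
helo 20 contains ommo.net
helo 20 contains 212.64.200.32
mailfrom 10 contains example.invalid
"""
# Thresholds and actions as listed in the thread: WEIGHT10/15 WARN, WEIGHT20 DELETE.
THRESHOLDS = [(20, "DELETE"), (15, "WARN"), (10, "WARN")]
# Assumption: the receiving server's own address range.
OWN_NETS = [ipaddress.ip_network("212.64.200.0/24")]


def parse_filter(text):
    """Return (field, weight, needle) tuples for each well-formed line."""
    rules = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[2].lower() == "contains":
            rules.append((parts[0].lower(), int(parts[1]), parts[3].lower()))
    return rules


def score(msg, rules):
    """Sum the weights of every substring rule that matches the message."""
    return sum(w for field, w, needle in rules
               if needle in msg.get(field, "").lower())


def action(weight):
    """Map a total weight to the first threshold it reaches."""
    for limit, act in THRESHOLDS:
        if weight >= limit:
            return act
    return "IGNORE"


def helo_is_own_ip(helo, nets=OWN_NETS):
    """True when the HELO argument is an IP literal inside our own range."""
    try:
        addr = ipaddress.ip_address(helo.strip("[]"))
    except ValueError:
        return False  # a hostname, not an IP literal
    return any(addr in net for net in nets)
```

Under the substring assumption, a rule text of `212.64.200.0/24` only matches a HELO that literally contains that string, which is why the range test is done with `ipaddress` instead.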