Re: [Declude.JunkMail] Hijack Not working on internal customers
On 22 Jun 2004 at 7:07, Jeffrey M Donley wrote: Hi Jeff, So in your hijack.cfg file you have ALLOWIP xxx.xxx.xxx.xxx and in the HOLDx dir hijack is retaining emails from the allowip addresses? If that is the case I suggest stopping and restarting declude console to reset hijack; if that doesn't help review your hijack logs and email Scott... -Nick Hayer I have had a continuing problem with Hijack. I have several business customers with 25 plus work stations, these customers are getting caught in hijack on outgoing mails. I have added ALLOWIP entries for all the customers with no success. It seems as though declude reads hijack cfg for a certain number of ALLOWIP entries then gives up on the last few entries. I am using 1.75 with IMail 7.15. Any suggestions? -jeff --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Hijack Not working on internal customers
I have had a continuing problem with Hijack. I have several business customers with 25 plus work stations, these customers are getting caught in hijack on outgoing mails. I have added ALLOWIP entries for all the customers with no success. It seems as though declude reads hijack cfg for a certain number of ALLOWIP entries then gives up on the last few entries. I am using 1.75 with IMail 7.15. Any suggestions? v1.75 only allows you to have a maximum of 20 ALLOWIP lines -- if you upgrade to the latest beta, it allows you to have up to 100. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Hijack Not Working ?
Wait, the DAISYCHAIN option has a big effect on any one hosting lots of users using Web Mail. Anyone thinking about this needs to consider the following: If you have 1000 users using web mail, it is very likely that just normal usage of those users will trigger the hold values. If you are going to do this, you will have to adjust the values upwards significantly so as not to trap normal usage. Correct, or am I off my rocker? John Tolmachoff MCSE, CSSA IT Manager, Network Engineer RelianceSoft, Inc. Fullerton, CA 92835 www.reliancesoft.com --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Hijack Not Working ?
I've made the changes, but did not make the registry change. I'll let you guys know what happens. In regards to the web messaging possible trap, Do I really need to up the limits for hijack? It's always been my understanding that web messaging shouldn't send out as much email as frequently than an email client (Outlook, etc.) Thoughts? Thanks. b -Original Message- From: John Tolmachoff [mailto:[EMAIL PROTECTED] Sent: Thursday, March 27, 2003 10:20 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Hijack Not Working ? Importance: High Wait, the DAISYCHAIN option has a big effect on any one hosting lots of users using Web Mail. Anyone thinking about this needs to consider the following: If you have 1000 users using web mail, it is very likely that just normal usage of those users will trigger the hold values. If you are going to do this, you will have to adjust the values upwards significantly so as not to trap normal usage. Correct, or am I off my rocker? John Tolmachoff MCSE, CSSA IT Manager, Network Engineer RelianceSoft, Inc. Fullerton, CA 92835 www.reliancesoft.com --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for Viruses and Spam by Richmond.com] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Hijack Not Working ?
In regards to the web messaging possible trap, Do I really need to up the limits for hijack? It's always been my understanding that web messaging shouldn't send out as much email as frequently than an email client (Outlook, etc.) It depends on how many Web Mail users you have. If you are an ISP with 5000 Web Mail users, it is quite possible for 100 of those to send 1 message each with a 30 minute time period, there by tripping hold 2 and effectively black listing the server IP address. John Tolmachoff MCSE, CSSA IT Manager, Network Engineer RelianceSoft, Inc. Fullerton, CA 92835 www.reliancesoft.com --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Hijack Not Working ?
Anyone thinking about this needs to consider the following: If you have 1000 users using web mail, it is very likely that just normal usage of those users will trigger the hold values. That is a good point -- I don't know offhand how IMail handles this situation (specifically, what Received: headers it will add to the original E-mail). -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] HiJack Not Working ?
Really dumb questions? Is the syntax of renamed files case sensitive? Does the Daisychain call go within the hijack.cfg file or another config file? Does the Daisychain call need quotes or simply just a call out? Sorry for the dumb questions, but these spammers keep creating new accounts (found another one this morning). We're killing their IP's, but they keep coming in from other systems. I would be awesome if I could get hijack to work with web messaging. Sandy, do you have this config working on your Imail system? If so, what version of Imail are you running? Thanks again. b -Original Message- From: Sanford Whiteman [mailto:[EMAIL PROTECTED] Sent: Thursday, March 27, 2003 2:06 AM To: Brian Cunningham Subject: Re: SPAMCOP:Re: [Declude.JunkMail] HiJack Not Working ? I made these changes and restarted services. But then I stopped receiving emails. Try implementing the DAISYCHAIN function as follows: (a) COPY SMTP32.EXE to SMTP32.EXB (this step just for backup) (b) RENAME SMTP32.EXE to IPSMTP32.EXE (c) COPY DECLUDE.EXE to SMTP32.EXE (d) Add the DAISYCHAIN directive as described earlier In other words, do *not* make the Registry change, nor rename DECLUDE.EXE. I do not believe these steps were part of the standard procedure (and I was the person who originally suggested DAISYCHAIN, so I do have lots of experience implementing it). -Sandy Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for Viruses and Spam by Richmond.com] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] HiJack Not Working ?
Should I be using the SMTP32.exe or the SMTPd32.exe for this process? It *must* be SMTP32.exe (SMTPd32.exe is the SMTP Daemon, the service which accepts incoming E-mail, as opposed to the process that delivers the E-mail). -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] HiJack Not Working ?
Really dumb questions? Is the syntax of renamed files case sensitive? No. Does the Daisychain call go within the hijack.cfg file or another config file? It can go in any of the Declude .cfg files. Does the Daisychain call need quotes or simply just a call out? It should not have any quotes in them. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Hijack Not Working ?
Anyone thinking about this needs to consider the following: If you have 1000 users using web mail, it is very likely that just normal usage of those users will trigger the hold values. That is a good point -- I don't know offhand how IMail handles this situation (specifically, what Received: headers it will add to the original E-mail). Looks like a problem. Imail does not add the IP to the header, even on a outgoing. First is local to local. Second is local to yahoo forwarded to local. Date: Thu, 27 Mar 2003 09:46:08 -0800 Message-Id: [EMAIL PROTECTED] Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii From: Support Reliance.Net [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Test X-Mailer: IMail v7.15 Status: U X-UIDL: 321662842 Received: from mta193.mail.scd.yahoo.com [66.218.86.109] by mail.reliance.net (SMTPD32-7.15) id A97E12D006E; Thu, 27 Mar 2003 09:48:46 -0800 Received: from mta193.mail.scd.yahoo.com for [EMAIL PROTECTED]; Mar 27 09:47:38 2003 -0800 X-Rocket-Track: -40 X-Yahoo-Forwarded: from [EMAIL PROTECTED] to [EMAIL PROTECTED] Received: from 67.94.227.37 (EHLO mail.reliance.net) (67.94.227.37) by mta193.mail.scd.yahoo.com with SMTP; 27 Mar 2003 09:47:38 -0800 (PST) Date: Thu, 27 Mar 2003 09:48:25 -0800 Message-Id: [EMAIL PROTECTED] Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii From: Support Reliance.Net [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Test X-Mailer: IMail v7.15 X-CYBERsitter-SpamManager-In: Passed - Adult: 0 (Req: 18) Spam: 2 (Req: 18) Tot: 2 (Req: 22) X-CYBERsitter-SpoolFile: D397e012d006ec848.SMD X-CYBERsitter-Sender: [EMAIL PROTECTED] [66.218.86.109] X-RBL-Warning: HOSTEDDOMAINS: Message failed HOSTEDDOMAINS test (5) X-Declude-Sender: [EMAIL PROTECTED] [66.218.86.109] X-Declude-Spoolname: D397e012d006ec848.SMD X-RBL-Warning: Total weight: -40 X-Tests-Failed: IPNOTINMX, HOSTEDDOMAINS X-Note: This E-mail was sent from mta193.mail.scd.yahoo.com ([66.218.86.109]). X-Note: This e-mail was scanned by RelianceSoft, Inc for Viruses and SPAM. X-Note: To report any issues, please goto http://support.reliance.net/help.html X-RCPT-TO: [EMAIL PROTECTED] Status: U X-UIDL: 329274612 John Tolmachoff MCSE, CSSA IT Manager, Network Engineer RelianceSoft, Inc. Fullerton, CA 92835 www.reliancesoft.com --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Hijack Not Working ?
I gotcha. That could be a problem. We do have about 5000 + web mail users. Could this explain why when I make the changes email stops being delivered? I've checked the hold(s) and there is nothing being held, but maybe the processing is delaying delivery? b -Original Message- From: John Tolmachoff [mailto:[EMAIL PROTECTED] Sent: Thursday, March 27, 2003 11:23 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] Hijack Not Working ? In regards to the web messaging possible trap, Do I really need to up the limits for hijack? It's always been my understanding that web messaging shouldn't send out as much email as frequently than an email client (Outlook, etc.) It depends on how many Web Mail users you have. If you are an ISP with 5000 Web Mail users, it is quite possible for 100 of those to send 1 message each with a 30 minute time period, there by tripping hold 2 and effectively black listing the server IP address. John Tolmachoff MCSE, CSSA IT Manager, Network Engineer RelianceSoft, Inc. Fullerton, CA 92835 www.reliancesoft.com --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for Viruses and Spam by Richmond.com] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] HiJack Not Working ?
I've been using SMTP32.exe (not the daemon). I just wanted to check because every time I make the change it stops delivery (even after I roll the SMTP service within Imail, which does start up successfully). The key here is that both IMail and Declude must be set up properly: [1] IMail needs to know the delivery mechanism (normally declude.exe, or smtp32.exe if Declude is not being used). This means that the registry key must be set up, and the IMail SMTP service stopped/restarted to recognize the change. [2] Declude must know what program to call after it is finished, which is done through the DAISYCHAIN option. If either one of those isn't set up properly, E-mail delivery could be stopped. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] HiJack Not Working ?
We've got a locked down public Imail server where anyone can register for a free email, but all users have to authenticate before relaying mail. We've also got Declude with HiJack in order to stop spammers from using our system But somehow we've got registered users sending hundreds of messages through us and bypassing HiJack. Why isn't the email being trapped by HiJack? The first thing to do is make sure that Declude Hijack is running (you can type \IMail\Declude -diag, *without* making any changes, and you should see a line Declude Hijack Status: Registered). Next, you would want to check your \IMail\Declude\hijack.cfg file to make sure that the settings are reasonable (the default settings are RELAYTHRESHOLD1 10 20 and RELAYTHRESHOLD230 80, which allow up to 80 E-mails to be sent within 30 minutes). Finally, you would check the Declude Hijack log file to see what it says about the E-mails. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] HiJack Not Working ?
I've checked, and the Hijack is registered. The config is set to: RELAYTHRESHOLD1 10 20 RELAYTHRESHOLD2 30 60 And the log files have not held anything today. Everything went through as OK with juat a couple not local users. But I see that [EMAIL PROTECTED] now has about 300 outgoing spam messages in the queue. Help! Thanks. b -Original Message- From: R. Scott Perry [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 26, 2003 5:58 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] HiJack Not Working ? We've got a locked down public Imail server where anyone can register for a free email, but all users have to authenticate before relaying mail. We've also got Declude with HiJack in order to stop spammers from using our system But somehow we've got registered users sending hundreds of messages through us and bypassing HiJack. Why isn't the email being trapped by HiJack? The first thing to do is make sure that Declude Hijack is running (you can type \IMail\Declude -diag, *without* making any changes, and you should see a line Declude Hijack Status: Registered). Next, you would want to check your \IMail\Declude\hijack.cfg file to make sure that the settings are reasonable (the default settings are RELAYTHRESHOLD1 10 20 and RELAYTHRESHOLD230 80, which allow up to 80 E-mails to be sent within 30 minutes). Finally, you would check the Declude Hijack log file to see what it says about the E-mails. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for Viruses and Spam by Richmond.com] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] HiJack Not Working ?
And the log files have not held anything today. Everything went through as OK with juat a couple not local users. Note that Declude Hijack allows unlimited E-mail to local users, and doesn't count that towards a user's quota. But I see that [EMAIL PROTECTED] now has about 300 outgoing spam messages in the queue. Do you have any ALLOWIP lines in your hijack.cfg file? Is the user sending these E-mails via SMTP, or web messaging (which would not be scanned by default)? Could you E-mail me the log file (off-list to [EMAIL PROTECTED])? -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] HiJack Not Working ?
I checked the W log files and it looks like they are coming in through web messaging (god knows how they are sending that much email through web messaging) under several IP's ranging from Nigeria to Israel. I blocked those IP's within Imail Control Access. Ah, that explains what is going on. That's the first time I've seen serious spammers try to send E-mail through web messaging. How can I make Hijack work with webmessaging? It is possible to do this, by having the declude.exe file act as the smtp32.exe file, so that Declude can intercept the web messaging E-mail. This is done by renaming the smtp32.exe file to ipsmtp.exe, renaming the declude.exe file to smtp32.exe, using a DAISYCHAIN ipsmtp.exe line in the hijack.cfg file. Then, you need to use regedit to change the HKEY_LOCAL_MACHINE\Software\Ipswitch\IMail\Global\SendName value to point to smtp32.exe instead of declude.com, and finally stop/restart the IMail SMTP service so that IMail will recognize the change -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] HiJack Not Working ?
I've got you up until the DAISYCHAIN ipsmtp.exe point. Do you want me to rename the two files and then add the daisychain line above to the config file of hijack? That is correct. Will renaming declude.exe to smtp32.exe cause problems with junkmail or virus? No. Do I need to rename or make a copy of declude.exe as renamed? It's best to rename it, just to make sure there isn't any confusion. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
