RE: [Declude.JunkMail] IPBYPASS not working
Thomas,

I just implemented VirusWall, but in a different configuration than you have.

I think you should start by turning off the "Disable insertion of InterScan Received: header when processing messages" option. This is on the Advanced Options of the GUI, or in the intscan.ini in the [EMail-Scan] section by setting DisabledReceivedHeader=no.

Then put in an IPBYPASS for that IP, which you say is 10.0.0.14.

I'll have to leave it to others to comment on how this will affect your SPAMDOMAINS test.

And FWIW, the Trend Micro InterScan VirusWall SMTP module does not gateway the TCP connection. It is a normal mail relay. It behaves as a normal MTA, receiving the entire message and committing it to disk before it scans the message for a virus. The confusing bit is that it happens to have a feature that it can happily forward mail to any port you specify (instead of just tcp/25), which is a convenience for many who want to run the VirusWall on the same box as their usual MTA.

More implementation notes (off topic):

- Trend doesn't do a sterling job of organizing the updates to this product. I found it necessary to make several tickets with their support desk and as a result applied:
  - the latest VSAPI engine 6.510-1002
  - isnt3.53_servicepack_au1.32_b1000.zip to get the latest ActiveUpdate software
  - ISNTHotFix_B1563.zip to fix the logging of the inbound message action

- And the following change to the intscan.ini to turn on silently quarantining the whole message if a virus is found in an inbound message (this is documented in the readme.txt):

    [EMail-Scan]
    HoldInfectedInboundMsgs=Yes

- I advise turning off this restrictive behaviour to prevent the false positives described in Trend Micro Solution ID 13509:

    [EMail-Scan]
    AllowMultiContentType=yes    (default is no)

- VirusWall has the default behaviour of throttling the mail if there are more than 20 bad attempts to address mail through it. You'll want to set it to whatever number you feel comfortable with (note, these entries must be created):

    [EMail-Scan]
    MaxInServerTryCount=0     (default is 20)
    MaxOutServerTryCount=0    (default is 20)

Andrew 8)

-----Original Message-----
From: Thomas Kishel [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 06, 2003 7:05 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] IPBYPASS not working

> Scott,
>
>> The question here is "What do you want IPBYPASS to do?"
>
> We are using TrendMicro's VirusWall in front of our IMail server. Its SMTP service appears to gateway a TCP connection between the sending and receiving mail servers. Therefore, IMail sees incoming connections with the sending server representing itself with its configured host name but with the IP address of the gateway.
>
> I have configured Declude (1.75) to IPBYPASS that address, but the SPAMDOMAINS test always fails.
>
> Are my expectations unrealistic considering my environment, or is SPAMDOMAINS not honoring IPBYPASS?
>
> -- Topology:
>
> Internet - Firewall [(NAT) 208.20.231.2 - 10.0.0.2] - TrendMicro VirusWall [10.0.0.14] - Declude-IMail [10.0.0.4]
>
> -- Headers:
>
> Received: from web80703.mail.yahoo.com [10.0.0.14] by email.meridiancg.com (SMTPD32-8.00) id AD711A3011C; Wed, 06 Aug 2003 09:06:57 -0400
> Message-ID: [EMAIL PROTECTED]
> Received: from [208.20.231.2] by web80703.mail.yahoo.com via HTTP; Wed, 06 Aug 2003 06:09:53 PDT
> Date: Wed, 6 Aug 2003 06:09:53 -0700 (PDT)
> From: Thomas Kishel [EMAIL PROTECTED]
> Subject: Test
>
> -- Declude Log:
>
> 08/06/2003 09:06:59 Qfd7101a3011ca7cd Msg failed SPAMDOMAINS (Spamdomain 'yahoo.com' found: Address of [EMAIL PROTECTED] sent from invalid .). Action=LOG.
> 08/06/2003 09:06:59 Qfd7101a3011ca7cd Subject: Test
> 08/06/2003 09:06:59 Qfd7101a3011ca7cd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 10.0.0.14 ID:
>
> -- IMail Log:
>
> SMTPD (01A3011C) [10.0.0.4] connect 10.0.0.14 port 42167
> SMTPD (01A3011C) [10.0.0.14] HELO web80703.mail.yahoo.com
> SMTPD (01A3011C) [10.0.0.14] MAIL FROM:[EMAIL PROTECTED]
> SMTPD (01A3011C) [10.0.0.14] RCPT TO:[EMAIL PROTECTED]
>
> --
> Thomas Kishel, Department Head - Systems
> Larson Texts, Inc.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] IPBYPASS not working
Andrew,

> I think you should start by turning off the "Disable insertion of InterScan Received: header when processing messages" option. This is on the Advanced Options of the GUI, or in the intscan.ini in the [EMail-Scan] section by setting DisabledReceivedHeader=no.

That is not available in the Unix version of VirusWall that we are using.

InterScan v3.8 for UNIX
Version Information:
  Scan Engine: 5.600-1011
  Pattern Number: 600
  SMTP version: 3.8-Build_1080
  FTP version: 3.8-Build_1080
  HTTP version: 3.8-Build_1080

> Then put in an IPBYPASS for that IP, which you say is 10.0.0.14.

That is already configured as such.

> And FWIW, the Trend Micro InterScan VirusWall SMTP module does not gateway the TCP connection. It is a normal mail relay. It behaves as a normal MTA, receiving the entire message and committing it to disk before it scans the message for a virus. The confusing bit is that it happens to have a feature that it can happily forward mail to any port you specify (instead of just tcp/25), which is a convenience for many who want to run the VirusWall on the same box as their usual MTA.

That is true of VirusWall NT (which we used to implement), but is not true of VirusWall Linux. When you telnet to VirusWall Linux, you receive the SMTP greeting from IMail. If IMail is not running, you cannot establish a connection to VirusWall Unix.

--
Thomas Kishel, Department Head - Systems
Larson Texts, Inc.
Re: [Declude.JunkMail] IPBYPASS not working
> I am using the HOP 1 setting and recently tried to use the IPBYPASS and found it did not work for me either. Declude was still using the servers I had listed as bypass for its tests. I have two separate internet connections with a NAV SMTP Gateway on each forwarding to IMail. I entered an ipbypass for each of the servers. HOP 1 had been working so when I saw IPBYPASS was messing up my tests I just went back to HOP 1 and didn't think much about it.

Normally, we recommend using HOP 0 (the default setting), and using IPBYPASS lines for each backup/gateway. The HOP setting should only be used in cases where there will *always* be one or more hops before the IMail server (for example, if you have 2 gateways, and the MX record points to those 2 gateways, and not the IMail server, *and* nobody will connect directly to the IMail server to send outgoing E-mail). The HOP setting will often cause confusion.

-Scott

---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.
Re: [Declude.JunkMail] IPBYPASS not working
Scott,

> The question here is "What do you want IPBYPASS to do?"

We are using TrendMicro's VirusWall in front of our IMail server. Its SMTP service appears to gateway a TCP connection between the sending and receiving mail servers. Therefore, IMail sees incoming connections with the sending server representing itself with its configured host name but with the IP address of the gateway.

I have configured Declude (1.75) to IPBYPASS that address, but the SPAMDOMAINS test always fails.

Are my expectations unrealistic considering my environment, or is SPAMDOMAINS not honoring IPBYPASS?

-- Topology:

Internet - Firewall [(NAT) 208.20.231.2 - 10.0.0.2] - TrendMicro VirusWall [10.0.0.14] - Declude-IMail [10.0.0.4]

-- Headers:

Received: from web80703.mail.yahoo.com [10.0.0.14] by email.meridiancg.com (SMTPD32-8.00) id AD711A3011C; Wed, 06 Aug 2003 09:06:57 -0400
Message-ID: [EMAIL PROTECTED]
Received: from [208.20.231.2] by web80703.mail.yahoo.com via HTTP; Wed, 06 Aug 2003 06:09:53 PDT
Date: Wed, 6 Aug 2003 06:09:53 -0700 (PDT)
From: Thomas Kishel [EMAIL PROTECTED]
Subject: Test

-- Declude Log:

08/06/2003 09:06:59 Qfd7101a3011ca7cd Msg failed SPAMDOMAINS (Spamdomain 'yahoo.com' found: Address of [EMAIL PROTECTED] sent from invalid .). Action=LOG.
08/06/2003 09:06:59 Qfd7101a3011ca7cd Subject: Test
08/06/2003 09:06:59 Qfd7101a3011ca7cd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 10.0.0.14 ID:

-- IMail Log:

SMTPD (01A3011C) [10.0.0.4] connect 10.0.0.14 port 42167
SMTPD (01A3011C) [10.0.0.14] HELO web80703.mail.yahoo.com
SMTPD (01A3011C) [10.0.0.14] MAIL FROM:[EMAIL PROTECTED]
SMTPD (01A3011C) [10.0.0.14] RCPT TO:[EMAIL PROTECTED]

--
Thomas Kishel, Department Head - Systems
Larson Texts, Inc.
Re: [Declude.JunkMail] IPBYPASS not working
I am using the HOP 1 setting and recently tried to use the IPBYPASS and found it did not work for me either. Declude was still using the servers I had listed as bypass for its tests. I have two separate internet connections with a NAV SMTP Gateway on each forwarding to IMail. I entered an ipbypass for each of the servers. HOP 1 had been working so when I saw IPBYPASS was messing up my tests I just went back to HOP 1 and didn't think much about it. I have used IPBYPASS successfully in the past but went back to HOP 1 because I was moving some things around, and HOP was simpler.

Todd

----- Original Message -----
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, August 06, 2003 9:20 AM
Subject: Re: [Declude.JunkMail] IPBYPASS not working

>> We are using TrendMicro's VirusWall in front of our IMail server. Its SMTP service appears to gateway a TCP connection between the sending and receiving mail servers. Therefore, IMail sees incoming connections with the sending server representing itself with its configured host name but with the IP address of the gateway. I have configured Declude (1.75) to IPBYPASS that address, but the SPAMDOMAINS test always fails.
>
> Unfortunately, it seems that VirusWall is broken (not RFC-compliant), and will need to be fixed. Most likely, upgrading it will take care of the problem.
>
>> Are my expectations unrealistic considering my environment, or is SPAMDOMAINS not honoring IPBYPASS?
>
> The problem is that VirusWall is spammer friendly (it anonymizes the IP address of the sender of the E-mail, so it is impossible to track down the sender, except perhaps by looking at the VirusWall log file). Since VirusWall doesn't record the IP that connected to it in the headers of the E-mail, it's impossible to know the true source.
>
> -Scott
RE: [Declude.JunkMail] IPBYPASS not working
> It appears that IP bypass is not working.

The question here is "What do you want IPBYPASS to do?" Normally, it will skip over a backup/gateway mailserver, so that Declude JunkMail scans the IP that connected to the backup/gateway (instead of the IP address of the backup/gateway).

> IPBYPASS 196.26.86.133

In this case, Declude JunkMail will skip over 196.26.86.133. However:

> Received: from compuserve.com [196.26.86.133] by realnet.co.sz (SMTPD32-7.07) id A083B795013E; Wed, 06 Aug 2003 07:22:11 +0200
> Date: Wed, 06 Aug 2003 14:25:46 +
> ...

There's a problem here. Whose IP is 196.26.86.133? Is that your IP? I'm guessing this is spam, because no legitimate mailserver is going to identify itself as "compuserve.com". But, this E-mail came directly to you from 196.26.86.133 without passing through any other mailservers! According to the headers, the source of the spam IS 196.26.86.133.

The reason the IPBYPASS option isn't working is because there are no IP addresses after 196.26.86.133. The source of this E-mail definitely, positively is 196.26.86.133. There are no gateways/backups involved.

-Scott
Re: [Declude.JunkMail] IPBYPASS not working
Now I'm confused, hopefully it's a simple clarification ... the difference between HOP and HOPHIGH???

In my global.cfg the configuration is as below. Is this wrong or right, because we DO have 2 imgate machines and the MX records for mail do point to them.

Thanks for the insight.

LOGFILE spool\dec.log
LOGLEVEL HIGH
HOP 0
#HOP HIGH 3 IS THE ORIGINAL FILE BY JOHN
#HOPHIGH 3
HOPHIGH 1
CONSOLE ON
#LOG_OK NONE

----- Original Message -----
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, August 06, 2003 10:13 AM
Subject: Re: [Declude.JunkMail] IPBYPASS not working

>> I am using the HOP 1 setting and recently tried to use the IPBYPASS and found it did not work for me either. Declude was still using the servers I had listed as bypass for its tests. I have two separate internet connections with a NAV SMTP Gateway on each forwarding to IMail. I entered an ipbypass for each of the servers. HOP 1 had been working so when I saw IPBYPASS was messing up my tests I just went back to HOP 1 and didn't think much about it.
>
> Normally, we recommend using HOP 0 (the default setting), and using IPBYPASS lines for each backup/gateway. The HOP setting should only be used in cases where there will *always* be one or more hops before the IMail server (for example, if you have 2 gateways, and the MX record points to those 2 gateways, and not the IMail server, *and* nobody will connect directly to the IMail server to send outgoing E-mail). The HOP setting will often cause confusion.
>
> -Scott
RE: [Declude.JunkMail] IPBYPASS not working
Please help,

It appears that IP bypass is not working. Below is the extract from my GLOBAL.CFG and the full headers of a sample spam message.

LOGFILE spool\dec.log
LOGLEVEL LOW
HOP 0
HOPHIGH 4
#
# Below are some advanced options
#
XINHEADER X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
XINHEADER X-Spam-Tests-Failed: %TESTSFAILED% [%WEIGHT%]
#XINHEADER X-Country-Chain: %COUNTRYCHAIN%
XOUTHEADER X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
XSENDER ON
XSPOOLNAME OFF
#XINHEADER X-Note: This E-mail was sent from %REVDNS% ([%REMOTEIP%]).
#XOUTHEADER Organization: Your Name Here
IPBYPASS 196.26.86.133
WHITELIST HABEAS

Headers of a sample spam message:

Received: from compuserve.com [196.26.86.133] by realnet.co.sz (SMTPD32-7.07) id A083B795013E; Wed, 06 Aug 2003 07:22:11 +0200
Date: Wed, 06 Aug 2003 14:25:46 +
From: [EMAIL PROTECTED]
Subject: Re: aaiiua fa
To: Realimage [EMAIL PROTECTED]
References: [EMAIL PROTECTED]
In-Reply-To: [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: text/html; charset=Windows-1251
Content-Transfer-Encoding: 8bit
X-RBL-Warning: IPNOTINMX:
X-RBL-Warning: NONENGLISH: Non-English characters found in E-mail.
X-Declude-Sender: [EMAIL PROTECTED] [196.26.86.133]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: IPNOTINMX, NONENGLISH [-3]
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 329056252

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Tolmachoff (Lists)
Sent: Wednesday, August 06, 2003 3:36 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] FW: quick question

> 1. If you want no e-mail going out, configure Imail SMTP to send all via a smart host, then point it at 127.0.0.1.
>
> 2. My program match can be used along with catchallmails in JM.
>
> John Tolmachoff
> MCSE CSSA
> Engineer/Consultant
> eServices For You
> www.eservicesforyou.com
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED]] On Behalf Of Tyler Jensen
> Sent: Tuesday, August 05, 2003 4:41 PM
> To: Declude.[EMAIL PROTECTED]com
> Subject: [Declude.JunkMail] FW: quick question
>
>> Hello,
>>
>> I asked Scott about this and he suggested I post to the list. Please see below. I am trying to prevent some users from being able to email outside the company or domain. Any ideas would be greatly appreciated.
>>
>> Thanks!!
>> Tyler
>>
>>>> Hi Scott, quick question for you. Is there a way, through Junkmail I guess, to prevent certain email accounts/users from being able to email outside of our network or domain but just allow them to email to other users on the same network and domain? Blacklist these email accounts from going out somehow??
>>>
>>> Although this is something Declude JunkMail wasn't designed to do, it might be possible. You could set up a filter test that would get triggered if an E-mail was sent to at least one local domain (by using a line such as "ALLRECIPS 0 CONTAINS sports-section.com" in the filter file). The hard part, though, would be to find a way to block E-mail that does *not* fail that test. It might be possible by using weights.
>>>
>>> You might want to ask this on the Declude JunkMail mailing list, as there are some people there who are very creative about things like this. :)
>>>
>>> -Scott
Re: [Declude.JunkMail] IPBYPASS not working
> Now I'm confused, hopefully it's a simple clarification ... the difference between HOP and HOPHIGH???

HOP determines how many hops to skip (and RARELY should be used); HOPHIGH determines the last hop to scan (and also is not normally used -- it might be used if you have a lot of spam forwarded to your mailserver from a legitimate mailserver).

> In my global.cfg the configuration is as below. Is this wrong or right, because we DO have 2 imgate machines and the MX records for mail do point to them. Thanks for the insight.

The best thing to do in this case is use the default HOP 0 and no HOPHIGH option. Then, you IPBYPASS 192.0.2.26 and IPBYPASS 192.0.2.27 for the 2 IMGate servers.

-Scott
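The hop-selection rules Scott describes in his two replies above (IPBYPASS skipping a gateway only when a further hop exists behind it; HOP skipping a fixed number of hops; HOPHIGH bounding the last hop looked at), written out as a runnable model in Python. This is example code added for this page, not Declude's code, and it is a reading of the descriptions in this thread rather than Declude's actual parser: how Declude recognises a Received: line and numbers hops is not stated here, so the hop numbering, the RFC 1918 check and the names received_chain, select_source_ip and RFC1918 are assumptions. The REALNET sample copies the single Received: line posted in this thread, VIRUSWALL copies the IMail Received: line from Thomas's test message (the webmail line is left out because it is not an SMTP hop), and TWO_GATEWAYS is constructed from the 192.0.2.26 placeholder Scott used plus a made-up upstream sender at 203.0.113.5.

```python
import re
from ipaddress import ip_address, ip_network

# Bracketed address in a "Received: from host [a.b.c.d] by host ..." line.
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Private ranges; a hop in one of these cannot be the Internet-side origin.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def received_chain(headers):
    """Addresses taken from the Received: lines, topmost first.
    Hop 0 is the host that connected to our own server, hop 1 the host that
    connected to that one, and so on (assumed numbering)."""
    chain = []
    for line in headers.splitlines():
        if line.lower().startswith("received:"):
            match = RECEIVED_IP.search(line)
            if match:
                chain.append(match.group(1))
    return chain


def select_source_ip(headers, ipbypass=(), hop=0, hophigh=None):
    """Pick the hop that an IP-based spam test should examine.

    Assumed model of the three options as described in the thread:
      HOP n      skip the first n hops unconditionally
      HOPHIGH n  ignore every hop past hop n
      IPBYPASS   skip a listed gateway, but only while a further hop exists
    Returns (ip, note). ip is None when no Received: line carried an address.
    """
    chain = received_chain(headers)
    if hophigh is not None:
        chain = chain[:hophigh + 1]
    if not chain:
        return None, "no Received: line carried an IP address"
    bypass = set(ipbypass)
    idx = min(hop, len(chain) - 1)
    while chain[idx] in bypass:
        if idx + 1 == len(chain):
            # Nothing beyond the gateway: the gateway is all the headers show.
            return chain[idx], "bypassed gateway is the last hop; nothing to skip to"
        idx += 1
    ip = chain[idx]
    if any(ip_address(ip) in net for net in RFC1918):
        # A private address here means the relay in front of us did not
        # record who connected to it, so the true origin is not in the headers.
        return ip, "RFC 1918 address: the gateway recorded no upstream hop"
    return ip, "hop %d" % idx


# Constructed samples. REALNET repeats the Received: line posted in this thread,
# VIRUSWALL the IMail Received: line from Thomas's test message, and TWO_GATEWAYS
# is made up: gateway 192.0.2.26 relaying a message that arrived from 203.0.113.5.
REALNET = """Received: from compuserve.com [196.26.86.133] by realnet.co.sz (SMTPD32-7.07) id A083B795013E;
\tWed, 06 Aug 2003 07:22:11 +0200
Subject: Re: aaiiua fa
"""

VIRUSWALL = """Received: from web80703.mail.yahoo.com [10.0.0.14] by email.meridiancg.com (SMTPD32-8.00) id AD711A3011C;
\tWed, 06 Aug 2003 09:06:57 -0400
Subject: Test
"""

TWO_GATEWAYS = """Received: from imgate1.example.com [192.0.2.26] by mail.example.com (SMTPD32-8.00) id A0000000001;
\tWed, 06 Aug 2003 09:06:57 -0400
Received: from mx.sender.example [203.0.113.5] by imgate1.example.com;
\tWed, 06 Aug 2003 09:06:55 -0400
Subject: Test
"""

if __name__ == "__main__":
    print("realnet, IPBYPASS 196.26.86.133:",
          select_source_ip(REALNET, ipbypass={"196.26.86.133"}))
    print("VirusWall, no bypass:", select_source_ip(VIRUSWALL))
    print("VirusWall, IPBYPASS 10.0.0.14:",
          select_source_ip(VIRUSWALL, ipbypass={"10.0.0.14"}))
    print("two gateways, IPBYPASS both:",
          select_source_ip(TWO_GATEWAYS, ipbypass={"192.0.2.26", "192.0.2.27"}))
    print("two gateways, HOP 1:", select_source_ip(TWO_GATEWAYS, hop=1))
    print("two gateways, HOPHIGH 0 with bypass:",
          select_source_ip(TWO_GATEWAYS, ipbypass={"192.0.2.26"}, hophigh=0))
```

Run as a script it walks the three samples. The realnet case reproduces Scott's diagnosis: with only one Received: line, bypassing 196.26.86.133 leaves nothing to skip to, so that address is the source. The VirusWall case reproduces the log Thomas posted (IP: 10.0.0.14) and flags why: the only hop visible is the gateway's own private address, so the relay did not record who connected to it. The two-gateway case shows why Scott prefers IPBYPASS over HOP 1: both pick the upstream 203.0.113.5 when the mail came through the gateway, but HOP 1 would also skip a hop on mail that reached the IMail server directly.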
Re: [Declude.JunkMail] IPBYPASS not working
Okay, thanks, I'll try that, because my imgate mail reports ALWAYS get flagged (and held in spam review) no matter what I do. Hopefully this will fix it.

Thanks,
Sheldon

----- Original Message -----
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, August 06, 2003 2:34 PM
Subject: Re: [Declude.JunkMail] IPBYPASS not working

>> Now I'm confused, hopefully it's a simple clarification ... the difference between HOP and HOPHIGH???
>
> HOP determines how many hops to skip (and RARELY should be used); HOPHIGH determines the last hop to scan (and also is not normally used -- it might be used if you have a lot of spam forwarded to your mailserver from a legitimate mailserver).
>
>> In my global.cfg the configuration is as below. Is this wrong or right, because we DO have 2 imgate machines and the MX records for mail do point to them. Thanks for the insight.
>
> The best thing to do in this case is use the default HOP 0 and no HOPHIGH option. Then, you IPBYPASS 192.0.2.26 and IPBYPASS 192.0.2.27 for the 2 IMGate servers.
>
> -Scott