[Declude.JunkMail] GLOBAL.BAK No Longer Shared?
Kami, I noticed that your current GLOBAL.BAK file is 0 bytes. Are you no longer sharing the contents of that file with others? Just Curious, Dan Geiser [EMAIL PROTECTED]
[Declude.JunkMail] BLARS Entries
Hello, All, Would anyone who is using the BLARS DNSBL extensively be willing to share their GLOBAL.CFG entries with me? Thanks In Advance, Dan Geiser [EMAIL PROTECTED]
RE: [Declude.JunkMail] GLOBAL.BAK No Longer Shared?
Oh Oh... We are... I just wasn't aware of it.. Let me check.. Check back in a minute.. Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser Sent: Tuesday, February 24, 2004 10:52 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] GLOBAL.BAK No Longer Shared? Kami, I noticed that your current GLOBAL.BAK file is 0 bytes. Are you no longer sharing the contents of that file with others? Just Curious, Dan Geiser [EMAIL PROTECTED]
[Declude.JunkMail] OT Plaxo.com
Anyone have any comments on them, good or bad? A client is asking about it. John Tolmachoff Engineer/Consultant/Owner eServices For You
RE: [Declude.JunkMail] OT Plaxo.com
No problems here. I use it, not extensively. Rob -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists) Sent: Tuesday, February 24, 2004 10:41 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] OT Plaxo.com Anyone have any comments on them, good or bad? A client is asking about it. John Tolmachoff Engineer/Consultant/Owner eServices For You
Re: [Declude.JunkMail] OT Plaxo.com
John, If I knew then (when I first tried Plaxo) what I know now (when I discovered some bothersome issues and have since uninstalled) I would never have installed Plaxo. The 2 things that leap to mind:

1) Plaxo installs a stub program on your computer which constantly runs in the background. It used an excessive amount of system resources and it seemed like poor programming practices to even have the stub program running in the first place.

2) When you sign up for Plaxo they make a copy of all of your Outlook contacts in a web-based account that they set up for you. This is supposed to be a convenience I guess. The thing is once my trial ended and even though I no longer wanted to have my contacts on a web-based account with them I cannot get them to remove that account. Every month or so I come back and try my logon to their web account for me and it's still functioning and they won't delete it even after repeated requests to cancel my trial membership.

I won't say they're Evil but they are at least Chaotic Neutral. Dan

- Original Message - From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, February 24, 2004 11:40 AM Subject: [Declude.JunkMail] OT Plaxo.com
> Anyone have any comments on them, good or bad?
>
> A client is asking about it.
>
> John Tolmachoff
> Engineer/Consultant/Owner
> eServices For You
Re: [Declude.JunkMail] OT Plaxo.com
- Original Message - From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, February 24, 2004 11:40 AM Subject: [Declude.JunkMail] OT Plaxo.com
> Anyone have any comments on them, good or bad?
>
> A client is asking about it.

We ban them at work. Seems to us like a scam to get people to give them tons of contact information, and their TOS says they won't share the info but if they are bought by another company then of course the TOS goes out the window. Which is more reasonable? They are out to be a good company and help the Internet or that they are harvesting data to make themselves attractive to buy in order to obtain that data? -- Joshua Levitsky, MCSE, CISSP System Engineer http://www.foist.org/ [5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]
[Declude.JunkMail] Outlook & Cmdspace
Scott: I just noticed that some Outlook clients are triggering CMDSPACE.

===
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Importance: Normal
X-RBL-Warning: IPNOTINMX:
X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail detected.
X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command .

This is from Outlook 2000. Regards, Kami
Re: [Declude.JunkMail] Outlook & Cmdspace
> I just noticed that some Outlook clients are triggering CMDSPACE.

Yes, it does appear that some mail clients are triggering CMDSPACE. However, if local users are whitelisted, it should take care of the problem. -Scott
Re: [Declude.JunkMail] OT Plaxo.com
- Original Message - From: "Dan Geiser" <[EMAIL PROTECTED]> Sent: Tuesday, February 24, 2004 12:31 PM Subject: Re: [Declude.JunkMail] OT Plaxo.com
> If I knew then (when I first tried Plaxo) what I know now (when I discovered
> some bothersome issues and have since uninstalled) I would never have
> installed Plaxo.
> I won't say they're Evil but they are at least Chaotic Neutral.

Oh I'd call them evil; http://www.plaxo.com/css/support/plaxo_privacy.pdf "In the event Plaxo goes through a business transition, such as a merger, acquisition or the sale of a portion of its assets, The User's Information and his/her membership in the Plaxo Contact Networks™ will, in most instances, be part of the assets transferred. The user will be notified of an ownership change pursuant to Notification of Changes section of the privacy statement." -- Joshua Levitsky, MCSE, CISSP System Engineer http://www.foist.org/ [5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]
[Declude.JunkMail] Is it better to ...
I know it is best to handle mail based on test results, but ... for those FROM addresses we wish to block (the Flowgo's and the like), is it better to:

1 - put in the Imail kill file and return the 501 message, or
2 - accept the message, but then delete before delivery and not send the 501 message.

More crudely put, do I put the dead body on the front porch for the spammer to see or invite it in and throw the body in the backyard. (Do you see what I think of spammers to have me writing in these terms?) My thoughts are no. 2. The bandwidth has already been consumed getting the message - there is no getting it back; why waste more returning the 501; I don't care if they know I'm blocking, but they might change addressing to get around the block. Or does no.2 invite more spam? Thoughts??? John
[Declude.JunkMail] HOP HIGH / Spam Tests
We are set up currently using "HOPHIGH 1". With a HOPHIGH setting of 1, what we are seeing is an increase in messages that are getting caught with XBL, DSBL, SORBS, and other tests along this line on the second HOP even though they were legit messages that were sent through normal ISP servers. How many folks are using HOPHIGH 1? Also, for tests like XBL, DSBL, and others along this line are you changing them to XBL-DUL to only work on the first HOP? Thanks Darrell
Re: [Declude.JunkMail] OT Plaxo.com
What concerns me is how they intend to make money. Consider the fact that they aren't making it directly from their software, hopefully there's a plan there that first requires acceptance and mass, though whether or not that would go over well with those here is a different story. I wouldn't use it for the very fact that their money making plan isn't yet known and that will likely impact all of their users at some point, for better or worse, if they survive. Why commit to leaving your address book in someone else's hands when they don't even charge you? If they charged, I would feel differently, because that would show a legitimate way to make money, and a desire not to piss off paying customers. I'm not at all concerned though about them selling anyone's address, though some 'Partner Spam' delivered by them would be expected. FYI: http://www.plaxo.com/support/it Matt
RE: [Declude.JunkMail] Is it better to ...
Actually with the kill.lst, you don't waste the bandwidth, you do on the envelope rejection, but it is a fraction of what it would be if you just accepted the message. We had them in the kill.lst, but after seeing thousands of these per day, even after they get the reject notice, we ended up putting them in our black ice block file, and now the mail server doesn't even have to reject it. Guess what, black ice still blocks thousands of these a day. Jason -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Carter Sent: Tuesday, February 24, 2004 1:59 PM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Is it better to ... I know it is best to handle mail based on test results, but ... for those FROM addresses we wish to block (the Flowgo's and the like), is it better to: 1 - put in the Imail kill file and return the 501 message, or 2 - accept the message, but then delete before delivery and not send the 501 message. More crudely put, do I put the dead body on the front porch for the spammer to see or invite it in and throw the body in the backyard. (Do you see what I think of spammers to have me writing in these terms?) My thoughts are no. 2. The bandwidth has already been consumed getting the message - there is no getting it back; why waste more returning the 501; I don't care if they know I'm blocking, but they might change addressing to get around the block. Or does no.2 invite more spam? Thoughts??? John
Re: [Declude.JunkMail] HOP HIGH / Spam Tests
You need to segment your tests between Spamtraps/Zombies/Relays and Static Sources. Static sources such as SBL should have no increase in FP's over multiple hops, however XBL, SpamCop, ORDB and others will. What I do is trick Declude into splitting the test scores giving the last hop a higher score than a hit that sits before the last hop, but only for the Spamtraps/Zombies/Relays types of tests. Here's an example:

# Spam Traps (staggered scoring per hop)
SPAMCOP(DYNA) ip4r bl.spamcop.net 127.0.0.2 4 0
SPAMCOP(ALL) ip4r bl.spamcop.net 127.0.0.2 2 0
XBL(DYNA) ip4r sbl-xbl.spamhaus.org 127.0.0.4 6 0
XBL(ALL) ip4r sbl-xbl.spamhaus.org 127.0.0.4 2 0

The (DYNA) part of the name makes Declude only use that test on the last hop, while the (ALL) has no special function and it will hit on any hop that is scanned. Last hop hits will score both, but prior hop hits will only score the (ALL) version for a lower score. This definitely helped my spam capture rates, but I have caught some zombies that were sending legitimate E-mail, though they score very low and many of them pass. I've suggested before that extra columns be added to Declude for such tests so that we can control the score they give according to the hop that they hit on. The full description of this suggestion is in the recent archives. Note that negative weight tests need to be kept exclusively to the last hop because they do get spoofed in forged headers, and also, RHSBL tests are not hop aware since they pull a domain from the MAILFROM instead of the hops, so you don't need to do anything special with these tests. Matt
Re: [Declude.JunkMail] HOP HIGH / Spam Tests
Matt, That's actually a very good idea I am going to incorporate. How did you come up with the scoring balance between first and second hop? Darrell
[Declude.JunkMail] Log question
I've noticed the tests HOUR and IPNOTINMX are preceded by an n in my logs, such as nHOUR and nIPNOTINMX.

02/23/2004 00:00:39 Q97050a10012a50e6 CBL:6 DSBL:6 XBL:7 SORBS-DUHL:5 SPAMCOP:9 NOABUSE:2 NOPOSTMASTER:1 CMDSPACE:8 nHOUR:1 SUBJECTCHARS:1 SNIFFER-SNAKEOIL:13 . Total weight = 59.
02/23/2004 00:01:36 Q973c0a1b012a2741 AHBL:6 SBL:7 SPAMCOP:9 MAILPOLICE-BULK:7 nHOUR:1 nIPNOTINMX:-3 SNIFFER-PORN:13 GIBBERISH:3 RECIPIENT-KEYWORDS:35 . Total weight = 78.

from my global.cfg

HOUR hour 6 20 0 1
IPNOTINMX ipnotinmx x x 0 -3

Scott Fisher Director of IT Farm Progress Companies
Re: [Declude.JunkMail] Log question
> I've noticed the tests HOUR and IPNOTINMX are preceded by an n in my logs, such as nHOUR and nIPNOTINMX.

That means that a weight was applied because an E-mail did *not* fail the test.

> HOUR hour 6 20 0 1
> IPNOTINMX ipnotinmx x x 0 -3

These tell Declude JunkMail to add 1 point to the weight for E-mails that do not fail the HOUR test, and subtract 3 points for E-mails that do not fail the IPNOTINMX test. The IPNOTINMX test is designed to work that way, but for the HOUR test, you most likely want:

HOUR hour 6 20 -1 0

This will subtract 1 point from the weight of E-mail that comes in between 6AM and 8:59PM. -Scott
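An added example, not part of the thread and not Declude code: a parser for the two log lines quoted in the question that separates weights applied for failed tests from nTEST weights, re-adds them against the logged total, and flags tests that add weight to mail that did not fail them (the HOUR case above). The line layout is inferred from those two lines only.

```python
import re
from dataclasses import dataclass

# The two log lines quoted in the question, embedded so this runs offline.
SAMPLE_LOG = """\
02/23/2004 00:00:39 Q97050a10012a50e6 CBL:6 DSBL:6 XBL:7 SORBS-DUHL:5 SPAMCOP:9 NOABUSE:2 NOPOSTMASTER:1 CMDSPACE:8 nHOUR:1 SUBJECTCHARS:1 SNIFFER-SNAKEOIL:13 . Total weight = 59.
02/23/2004 00:01:36 Q973c0a1b012a2741 AHBL:6 SBL:7 SPAMCOP:9 MAILPOLICE-BULK:7 nHOUR:1 nIPNOTINMX:-3 SNIFFER-PORN:13 GIBBERISH:3 RECIPIENT-KEYWORDS:35 . Total weight = 78.
"""

# Layout inferred from those two lines (an assumption, not a Declude spec):
#   date time queue-id TEST:weight ... . Total weight = N.
LINE_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4}) (\d{2}:\d{2}:\d{2}) (\S+) (.*?) "
    r"\. Total weight = (-?\d+)\.$"
)
TOKEN_RE = re.compile(r"^(\S+?):(-?\d+)$")


@dataclass
class Entry:
    queue_id: str
    failed: dict       # test -> weight applied because the message failed it
    not_failed: dict   # test -> weight applied because it did NOT fail (nTEST)
    logged_total: int

    def computed_total(self):
        return sum(self.failed.values()) + sum(self.not_failed.values())


def parse_line(line):
    """Parse one log line; return None for lines in another layout."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    _date, _time, queue_id, tokens, total = m.groups()
    failed, not_failed = {}, {}
    for token in tokens.split():
        t = TOKEN_RE.match(token)
        if t is None:
            raise ValueError(f"unrecognised test token: {token!r}")
        name, weight = t.group(1), int(t.group(2))
        # A lowercase "n" in front of an upper-case test name marks a weight
        # applied because the message did not fail that test.
        if name[0] == "n" and name[1:2].isupper():
            not_failed[name[1:]] = weight
        else:
            failed[name] = weight
    return Entry(queue_id, failed, not_failed, int(total))


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def total_mismatches(entries):
    """Queue ids whose per-test weights do not add up to the logged total."""
    return [e.queue_id for e in entries if e.computed_total() != e.logged_total]


def penalising_pass_weights(entries):
    """Tests that ADD weight to mail that did not fail them (likely misconfigured)."""
    names = {n for e in entries for n, w in e.not_failed.items() if w > 0}
    return sorted(names)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in entries:
        print(e.queue_id, e.computed_total(), e.logged_total, e.not_failed)
    print("positive nTEST weights:", penalising_pass_weights(entries))
```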
[Declude.JunkMail] Yahoo, Sendmail to test antispam system
Anyone have any comments on how effective this will be (or not...)? http://news.com.com/2100-1032_3-5164279.html?tag=nefd_top Sheldon Sheldon Koehler, Owner/Partner http://www.tenforward.com Ten Forward Communications 360-457-9023 Nationwide access, neighborhood support! "Whenever you find yourself on the side of the majority, it's time to pause and reflect." Mark Twain
RE: [Declude.JunkMail] Yahoo, Sendmail to test antispam system
Kinda breaks forwarding doesn't it? Isn't this that SPF stuff? ~Rick
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Sheldon Koehler
> Sent: Tuesday, February 24, 2004 4:31 PM - FamHost
> To: [EMAIL PROTECTED]
> Subject: [Declude.JunkMail] Yahoo, Sendmail to test antispam system
>
> Anyone have any comments on how effective this will be (or not...)?
> http://news.com.com/2100-1032_3-5164279.html?tag=nefd_top
Re: [Declude.JunkMail] HOP HIGH / Spam Tests
As long as DYNA, DUL or DUHL (v1.78) appears anywhere in the name, Declude will only use that test on the last hop scanned. I chose to name my DUL tests with DUL and reserved the DYNA marker for this use so that it was easier for me to understand. Note that if you are using any whitelists, i.e. BONDEDSENDER or AHBL-EXEMPT, you absolutely should add DYNA to their names in order to prevent spammers from forging headers to get credit on prior hops. They have most definitely been doing this. I use neither test, for one, BONDEDSENDER has trusted spammers in the past, and AHBL-EXEMPT includes large ISP mail servers which do get spam relayed through them from zombified clients. Matt

DLAnalyzer Support wrote: Matt, For the dyna/dul tests I thought the test name had to end with either DYNA or DUL. I noticed you use (DYNA) - does it (declude) just look for the word dyna or dul to limit it to one hop? Darrell

Matt writes: I basically came up with a rule where the (DYNA) test gets 3/4 to 2/3 of the points, and the (ALL) test gets 1/4 to 1/3 of the points. To err on the side of caution, I would step the points up on the (DYNA) test until it reached 3/4 and then I would add another point to the (ALL) test, i.e.

3 = 2 & 1
4 = 3 & 1
5 = 4 & 1
6 = 4 & 2
7 = 5 & 2
8 = 6 & 2
9 = 7 & 2
10 = 7 & 3

Here's my current list of split tests, the hardest part is understanding which ones qualify, and that can take some reading:

# Relay Lists (staggered scoring per hop)
AHBL-PROXIES(DYNA) ip4r dnsbl.ahbl.org 127.0.0.3 3 0
AHBL-PROXIES(ALL) ip4r dnsbl.ahbl.org 127.0.0.3 1 0
BLITZEDALL(DYNA) ip4r opm.blitzed.org * 5 0
BLITZEDALL(ALL) ip4r opm.blitzed.org * 2 0
DSBL(DYNA) ip4r list.dsbl.org 127.0.0.2 5 0
DSBL(ALL) ip4r list.dsbl.org 127.0.0.2 2 0
FIVETEN-MISC(DYNA) ip4r blackholes.five-ten-sg.com 127.0.0.9 3 0
FIVETEN-MISC(ALL) ip4r blackholes.five-ten-sg.com 127.0.0.9 1 0
FIVETEN-MULTI(DYNA) ip4r blackholes.five-ten-sg.com 127.0.0.5 3 0
FIVETEN-MULTI(ALL) ip4r blackholes.five-ten-sg.com 127.0.0.5 1 0
NJABL-RELAYS(DYNA) ip4r dnsbl.njabl.org 127.0.0.2 3 0
NJABL-RELAYS(ALL) ip4r dnsbl.njabl.org 127.0.0.2 1 0
ORDB(DYNA) ip4r relays.ordb.org * 5 0
ORDB(ALL) ip4r relays.ordb.org * 2 0
SORBS-HTTP(DYNA) ip4r dnsbl.sorbs.net 127.0.0.2 4 0
SORBS-HTTP(ALL) ip4r dnsbl.sorbs.net 127.0.0.2 2 0
SORBS-MISC(DYNA) ip4r dnsbl.sorbs.net 127.0.0.4 4 0
SORBS-MISC(ALL) ip4r dnsbl.sorbs.net 127.0.0.4 2 0
SORBS-SMTP(DYNA) ip4r dnsbl.sorbs.net 127.0.0.5 4 0
SORBS-SMTP(ALL) ip4r dnsbl.sorbs.net 127.0.0.5 2 0
SORBS-SOCKS(DYNA) ip4r dnsbl.sorbs.net 127.0.0.3 4 0
SORBS-SOCKS(ALL) ip4r dnsbl.sorbs.net 127.0.0.3 2 0
NJABL-PROXIES(DYNA) ip4r dnsbl.njabl.org 127.0.0.9 6 0
NJABL-PROXIES(ALL) ip4r dnsbl.njabl.org 127.0.0.9 2 0
NJABL-MULTI(DYNA) ip4r dnsbl.njabl.org 127.0.0.5 3 0
NJABL-MULTI(ALL) ip4r dnsbl.njabl.org 127.0.0.5 1 0

# Spam Traps (staggered scoring per hop)
SPAMCOP(DYNA) ip4r bl.spamcop.net 127.0.0.2 4 0
SPAMCOP(ALL) ip4r bl.spamcop.net 127.0.0.2 2 0
XBL(DYNA) ip4r sbl-xbl.spamhaus.org 127.0.0.4 6 0
XBL(ALL) ip4r sbl-xbl.spamhaus.org 127.0.0.4 2 0

It's of course ugly, but I believe it makes the most sense to do it this way. I did this at the same time that I moved over to multiple hop testing (I test the last 4 hops since my server can handle it currently and that helps with forwarding). I've only seen a few FP's as a result of tagged zombies sending legit E-mail, maybe a couple a week and always just barely failing. Note that all of these scores are based on a hold weight of 10 or 13. Matt
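A small model of the split scoring described in the message above, added here as an illustration (not code from the thread and not Declude's implementation). The hop addresses and listing data are constructed, the config lines are the thread's SPAMCOP and XBL entries with column spacing restored, and scoring each test at most once per message is an assumption.

```python
from dataclasses import dataclass

# SPAMCOP / XBL entries from the thread; field boundaries are an assumption.
CONFIG = """\
# Spam Traps (staggered scoring per hop)
SPAMCOP(DYNA) ip4r bl.spamcop.net 127.0.0.2 4 0
SPAMCOP(ALL)  ip4r bl.spamcop.net 127.0.0.2 2 0
XBL(DYNA)     ip4r sbl-xbl.spamhaus.org 127.0.0.4 6 0
XBL(ALL)      ip4r sbl-xbl.spamhaus.org 127.0.0.4 2 0
"""

# Per the thread: a test whose name contains one of these is only applied
# to the last hop scanned (the host that connected to the mail server).
LAST_HOP_MARKERS = ("DYNA", "DUL", "DUHL")
HOLD_WEIGHT = 10  # one of the two hold weights mentioned in the thread


@dataclass(frozen=True)
class Rule:
    name: str
    zone: str
    result: str   # expected DNSBL answer, or "*" for any answer
    weight: int   # weight added when the hop is listed

    @property
    def last_hop_only(self):
        return any(marker in self.name.upper() for marker in LAST_HOP_MARKERS)


def parse_config(text):
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, kind, zone, result, w_fail, _w_pass = line.split()
        if kind == "ip4r":  # only IP-based DNSBL tests are hop aware
            rules.append(Rule(name, zone, result, int(w_fail)))
    return rules


def is_listed(rule, ip, listings):
    """listings maps ip -> set of (zone, answer); stands in for DNS lookups."""
    return any(zone == rule.zone and rule.result in ("*", answer)
               for zone, answer in listings.get(ip, set()))


def score(rules, hops, listings):
    """hops are ordered from the connecting (last) hop back toward the origin."""
    total, fired = 0, []
    for rule in rules:
        candidates = hops[:1] if rule.last_hop_only else hops
        if any(is_listed(rule, ip, listings) for ip in candidates):
            total += rule.weight
            fired.append(rule.name)
    return total, fired


RULES = parse_config(CONFIG)

# Constructed data: one infected dial-up host and one clean ISP relay.
ZOMBIE, ISP_RELAY = "198.51.100.23", "192.0.2.10"
LISTINGS = {ZOMBIE: {("bl.spamcop.net", "127.0.0.2"),
                     ("sbl-xbl.spamhaus.org", "127.0.0.4")}}

if __name__ == "__main__":
    # Zombie connects directly: both halves of each split test fire.
    print(score(RULES, [ZOMBIE], LISTINGS))
    # Same host sends through its ISP's server: only the (ALL) halves fire.
    print(score(RULES, [ISP_RELAY, ZOMBIE], LISTINGS))
```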
Re: [Declude.JunkMail] HOP HIGH / Spam Tests
Matt, For the dyna/dul tests I thought the test name had to end with either DYNA or DUL. I noticed you use (DYNA) - does it (declude) just look for the word dyna or dul to limit it to one hop? Darrell
RE: [Declude.JunkMail] Yahoo, Sendmail to test antispam system
Provided you do not turn off the firewall once SP2 is applied. That is correct, turn off. SP2 is purported to turn on the firewall by default.

John Tolmachoff Engineer/Consultant/Owner eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED] On Behalf Of DLAnalyzer Support
> Sent: Tuesday, February 24, 2004 8:43 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] Yahoo, Sendmail to test antispam system
>
> Actually, Bill announced today at the RAS conference that Windows XP SP2 should fix the virus issue.
>
> "Beyond the Windows service release, Gates also showed off ``active protection technologies'' that will gird Windows computers against attacks by sensing changes in the network that indicate virus activity. If a problem is detected, the computer's firewall will dynamically ratchet up defenses."
>
> It's all under control now :)
>
> Darrell
>
> Matt writes:
>
> > Web scripts come to mind as an obvious exception that probably won't be covered by this.
> >
> > I'm not concerned about this though...Bill Gates said that he would solve the spam problem by 2005...right after they figure out how to stop viruses of course...
> >
> > Matt
> >
> > Matt Robertson wrote:
> >
> >>> Anyone have any comments on how effective this will be (or not...)?
> >>
> >> What good is this if *everyone* doesn't use it?
> >>
> >> Matt Robertson [EMAIL PROTECTED] MSB Designs, Inc. http://mysecretbase.com
[Declude.JunkMail] What's up with the logging in v1.78i3?
I thought I would try out Declude v1.78i3 and what a drastic change there is to the logging, at least at the "high" level. It outputs to one long space delimited line. Scott, is that an intentional change? Bill
Re: [Declude.JunkMail] Yahoo, Sendmail to test antispam system
Web scripts come to mind as an obvious exception that probably won't be covered by this.

I'm not concerned about this though...Bill Gates said that he would solve the spam problem by 2005...right after they figure out how to stop viruses of course...

Matt

Matt Robertson wrote:

>> Anyone have any comments on how effective this will be (or not...)?
>
> What good is this if *everyone* doesn't use it?
>
> Matt Robertson [EMAIL PROTECTED] MSB Designs, Inc. http://mysecretbase.com

--
MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/
Re: [Declude.JunkMail] What's up with the logging in v1.78i3?
> I thought I would try out Declude v1.78i3 and what a drastic change there is to the logging, at least at the "high" level. It outputs to one long space delimited line. Scott, is that an intentional change?

Doesn't it look better that way? :) Seriously, though, v1.78i4 at http://www.declude.com/interim fixes this.

-Scott

--- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation.
RE: [Declude.JunkMail] Yahoo, Sendmail to test antispam system
>Anyone have any comments on how effective this will be (or not...)?

What good is this if *everyone* doesn't use it?

Matt Robertson [EMAIL PROTECTED] MSB Designs, Inc. http://mysecretbase.com
Re: [Declude.JunkMail] HOP HIGH / Spam Tests
I basically came up with a rule where the (DYNA) test gets 3/4 to 2/3 of the points, and the (ALL) test gets 1/4 to 1/3 of the points. To err on the side of caution, I would step the points up on the (DYNA) test until it reached 3/4 and then I would add another point to the (ALL) test, i.e.

3 = 2 & 1
4 = 3 & 1
5 = 4 & 1
6 = 4 & 2
7 = 5 & 2
8 = 6 & 2
9 = 7 & 2
10 = 7 & 3

Here's my current list of split tests, the hardest part is understanding which ones qualify, and that can take some reading:

# Relay Lists (staggered scoring per hop)
AHBL-PROXIES(DYNA)    ip4r  dnsbl.ahbl.org               127.0.0.3  3  0
AHBL-PROXIES(ALL)     ip4r  dnsbl.ahbl.org               127.0.0.3  1  0
BLITZEDALL(DYNA)      ip4r  opm.blitzed.org              *          5  0
BLITZEDALL(ALL)       ip4r  opm.blitzed.org              *          2  0
DSBL(DYNA)            ip4r  list.dsbl.org                127.0.0.2  5  0
DSBL(ALL)             ip4r  list.dsbl.org                127.0.0.2  2  0
FIVETEN-MISC(DYNA)    ip4r  blackholes.five-ten-sg.com   127.0.0.9  3  0
FIVETEN-MISC(ALL)     ip4r  blackholes.five-ten-sg.com   127.0.0.9  1  0
FIVETEN-MULTI(DYNA)   ip4r  blackholes.five-ten-sg.com   127.0.0.5  3  0
FIVETEN-MULTI(ALL)    ip4r  blackholes.five-ten-sg.com   127.0.0.5  1  0
NJABL-RELAYS(DYNA)    ip4r  dnsbl.njabl.org              127.0.0.2  3  0
NJABL-RELAYS(ALL)     ip4r  dnsbl.njabl.org              127.0.0.2  1  0
ORDB(DYNA)            ip4r  relays.ordb.org              *          5  0
ORDB(ALL)             ip4r  relays.ordb.org              *          2  0
SORBS-HTTP(DYNA)      ip4r  dnsbl.sorbs.net              127.0.0.2  4  0
SORBS-HTTP(ALL)       ip4r  dnsbl.sorbs.net              127.0.0.2  2  0
SORBS-MISC(DYNA)      ip4r  dnsbl.sorbs.net              127.0.0.4  4  0
SORBS-MISC(ALL)       ip4r  dnsbl.sorbs.net              127.0.0.4  2  0
SORBS-SMTP(DYNA)      ip4r  dnsbl.sorbs.net              127.0.0.5  4  0
SORBS-SMTP(ALL)       ip4r  dnsbl.sorbs.net              127.0.0.5  2  0
SORBS-SOCKS(DYNA)     ip4r  dnsbl.sorbs.net              127.0.0.3  4  0
SORBS-SOCKS(ALL)      ip4r  dnsbl.sorbs.net              127.0.0.3  2  0
NJABL-PROXIES(DYNA)   ip4r  dnsbl.njabl.org              127.0.0.9  6  0
NJABL-PROXIES(ALL)    ip4r  dnsbl.njabl.org              127.0.0.9  2  0
NJABL-MULTI(DYNA)     ip4r  dnsbl.njabl.org              127.0.0.5  3  0
NJABL-MULTI(ALL)      ip4r  dnsbl.njabl.org              127.0.0.5  1  0

# Spam Traps (staggered scoring per hop)
SPAMCOP(DYNA)         ip4r  bl.spamcop.net               127.0.0.2  4  0
SPAMCOP(ALL)          ip4r  bl.spamcop.net               127.0.0.2  2  0
XBL(DYNA)             ip4r  sbl-xbl.spamhaus.org         127.0.0.4  6  0
XBL(ALL)              ip4r  sbl-xbl.spamhaus.org         127.0.0.4  2  0

It's of course ugly, but I believe it makes the most sense to do it this way. I did this at the same time that I moved over to multiple hop testing (I test the last 4 hops since my server can handle it currently and that helps with forwarding). I've only seen a few FP's as a result of tagged zombies sending legit E-mail, maybe a couple a week and always just barely failing. Note that all of these scores are based on a hold weight of 10 or 13.

Matt

DLAnalyzer Support wrote:

Matt, That's actually a very good idea I am going to incorporate. How did you come up with the scoring balance between first and second hop?

Darrell

Matt writes:

You need to segment your tests between Spamtraps/Zombies/Relays and Static Sources. Static sources such as SBL should have no increase in FP's over multiple hops, however XBL, SpamCop, ORDB and others will. What I do is trick Declude into splitting the test scores giving the last hop a higher score than a hit that sits before the last hop, but only for the Spamtraps/Zombies/Relays types of tests. Here's an example:

# Spam Traps (staggered scoring per hop)
SPAMCOP(DYNA)         ip4r  bl.spamcop.net               127.0.0.2  4  0
SPAMCOP(ALL)          ip4r  bl.spamcop.net               127.0.0.2  2  0
XBL(DYNA)             ip4r  sbl-xbl.spamhaus.org         127.0.0.4  6  0
XBL(ALL)              ip4r  sbl-xbl.spamhaus.org         127.0.0.4  2  0

The (DYNA) part of the name makes Declude only use that test on the last hop, while the (ALL) has no special function and it will hit on any hop that is scanned. Last hop hits will score both, but prior hop hits will only score the (ALL) version for a lower score. This definitely helped my spam capture rates, but I have caught some zombies that were sending legitimate E-mail, though they score very low and many of them pass. I've suggested before that extra columns be added to Declude for such tests so that we can control the score they give according to the hop that they hit on. The full description of this suggestion is in the recent archives. Note that negative weight tests need to be kept ex
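The split (DYNA)/(ALL) scoring described in the message above, modelled as an added Python example; it is not code from the thread or from Declude. It compares the split tests with a hypothetical unsplit configuration for the same listed host seen at the last hop and at an earlier hop. Assumptions: the IP addresses and listings are constructed, a test counts once per message, and the unsplit weights (6 and 8) are simply the sums of the split pairs.

```python
# Added example (not from the thread): model of split (DYNA)/(ALL) hop scoring.
# Rows are the four tests from the message's example: name, zone, result, weight.
SPLIT_TESTS = [
    ("SPAMCOP(DYNA)", "bl.spamcop.net", "127.0.0.2", 4),
    ("SPAMCOP(ALL)", "bl.spamcop.net", "127.0.0.2", 2),
    ("XBL(DYNA)", "sbl-xbl.spamhaus.org", "127.0.0.4", 6),
    ("XBL(ALL)", "sbl-xbl.spamhaus.org", "127.0.0.4", 2),
]
# Hypothetical unsplit configuration for comparison: full weight on any hop.
UNSPLIT_TESTS = [
    ("SPAMCOP", "bl.spamcop.net", "127.0.0.2", 6),
    ("XBL", "sbl-xbl.spamhaus.org", "127.0.0.4", 8),
]
HOLD_WEIGHT = 10   # the message cites hold weights of 10 or 13
MAX_HOPS = 4       # the message's author scans the last 4 hops


def score(hops, listings, tests):
    """Return (total weight, names of tests that fired).

    hops     -- relay IPs, last hop (the host that connected to us) first
    listings -- {(ip, zone): result}, standing in for live DNSBL answers
    Assumption of this model: a test counts once per message.
    """
    fired = []
    for name, zone, result, weight in tests:
        # Per the message, "(DYNA)" in the name limits the test to the last hop.
        scanned = hops[:1] if "(DYNA)" in name else hops[:MAX_HOPS]
        if any(listings.get((ip, zone)) == result for ip in scanned):
            fired.append((name, weight))
    return sum(w for _, w in fired), [n for n, _ in fired]


# Constructed data: one infected dial-up host that appears on both lists.
ZOMBIE, SMARTHOST = "203.0.113.7", "192.0.2.25"
LISTINGS = {
    (ZOMBIE, "bl.spamcop.net"): "127.0.0.2",
    (ZOMBIE, "sbl-xbl.spamhaus.org"): "127.0.0.4",
}
DIRECT = [ZOMBIE]              # zombie delivers straight to our server
RELAYED = [SMARTHOST, ZOMBIE]  # same host sends through its ISP's mail server

if __name__ == "__main__":
    for label, hops in (("direct", DIRECT), ("relayed", RELAYED)):
        for cfg, tests in (("split", SPLIT_TESTS), ("unsplit", UNSPLIT_TESTS)):
            total, names = score(hops, LISTINGS, tests)
            verdict = "HOLD" if total >= HOLD_WEIGHT else "pass"
            print(f"{label:8} {cfg:8} weight={total:2} {verdict} {names}")
```

With the split tests the relayed message from the listed host scores only the two (ALL) weights and stays under the hold weight, while the unsplit configuration holds it.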
Re: [Declude.JunkMail] Yahoo, Sendmail to test antispam system
Actually, Bill announced today at the RAS conference that Windows XP SP2 should fix the virus issue.

"Beyond the Windows service release, Gates also showed off ``active protection technologies'' that will gird Windows computers against attacks by sensing changes in the network that indicate virus activity. If a problem is detected, the computer's firewall will dynamically ratchet up defenses."

It's all under control now :)

Darrell

Matt writes:

> Web scripts come to mind as an obvious exception that probably won't be covered by this.
>
> I'm not concerned about this though...Bill Gates said that he would solve the spam problem by 2005...right after they figure out how to stop viruses of course...
>
> Matt
>
> Matt Robertson wrote:
>
>>> Anyone have any comments on how effective this will be (or not...)?
>>
>> What good is this if *everyone* doesn't use it?
>>
>> Matt Robertson [EMAIL PROTECTED] MSB Designs, Inc. http://mysecretbase.com

Check Out DLAnalyzer a comprehensive reporting tool for Declude Junkmail Logs - http://www.dlanalyzer.com
[Declude.JunkMail] Fw: [Full-Disclosure] Scans for IPSwitch IMail LDAP vuilnerability
Please everyone be sure to patch your IMail 8 installations with the hotfix for the LDAP vulnerability.

- Original Message -
From: "3APA3A" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, February 24, 2004 11:19 AM
Subject: [Full-Disclosure] Scans for IPSwitch IMail LDAP vuilnerability

> Information was received from Kaspersky Labs, there is increased activity on TCP/389 (LDAP) port. Analysis of captured packet demonstrates attempt to exploit IPSwitch IMail LDAP vulnerability. Packet contains universal reverse shell shellcode. Trojan is installed on owned host (listens on TCP/21 and pretends to be wu-ftpd).