RE: [Declude.Virus] Declude using CBL to block users sending mail?????
Here ya go Matt. The Headers as they come out of the email. It's like the pitcher covering his mouth with his glove when talking on the mound. Old habits die hard G Thank you for the detailed info. It is appreciated. This is the IP that had been in CBL 216.74.167.74. And you will see in my later reply that this IP was listed incorrectly. IE no virus was ever on that machine and the mail it detected and determined was a virus smtp engine was in fact a valid mail verifier program. (But can you really say that Is there such a thing as a VALID Mail verifier? I think not now) Return-Path: [EMAIL PROTECTED] Sun Jun 12 19:02:39 2005 Received: from photoadmin1.photograsupport.com [64.15.255.100] by photoimail1.photogra.com with SMTP; Sun, 12 Jun 2005 19:02:39 -0400 Received: from mail.inetservers.com [64.15.252.17] by photoadmin1.photograsupport.com with SMTP; Sun, 12 Jun 2005 19:02:06 -0400 Received: from UnknownHost [216.74.167.74] by mail.inetservers.com with SMTP; Sun, 12 Jun 2005 16:00:38 -0400 From: douglas cohn [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Test inetservers Date: Sun, 12 Jun 2005 16:00:32 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook, Build 11.0.6353 Thread-Index: AcVviWNwVbHTbsZpSuy0Fh8yTDTA0w== X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 X-Declude-Sender: [EMAIL PROTECTED] [216.74.167.74] X-Declude-Spoolname: 37291275.EML X-Declude-Scan: Score [10] at 16:00:47 on 12 Jun 2005 X-Declude-Fail: CBL, WEIGHT10 X-Country-Chain: UNITED STATES-destination X-SmarterMail-Spam: SPF_None X-Rcpt-To: [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Monday, June 13, 2005 9:14 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] Declude using CBL to block users sending mail? Andrew, Just to clear up any confusion, this message was sent by Doug through his own SmarterMail/Declude server, so his IP was the connecting hop and the DYNA/hop limiting tricks won't have an effect here. I think it might be valuable if people resisted the temptation of removing IP's from headers when shared because those that might help out would often benefit from this information. Sometimes it doesn't really matter of course, and Doug did give enough information to figure this out, but the three received headers were confusing without a careful read. Matt Colbeck, Andrew wrote: Doug, you're probably scoring on multiple hops by setting your HOPHIGH in global.cfg ... If you don't want RBLs to score on multiple hops, just comment out that HOPHIGH line. Alternatively, rename your CBL test to CBL-DYNA (don't forget to change the global.cfg definition plus the action line wherever it appears in your configuration files (e.g. CBL WARN to CBL-DYNA WARN). Andrew 8) p.s. Is your own machine's address on the Internet, or was CBL listing an internal, non-routable IP address like 192.168.1.1 ? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas Cohn Sent: Monday, June 13, 2005 5:03 PM To: Declude.Virus@declude.com Subject: [Declude.Virus] Declude using CBL to block users sending mail? My desktop IP was erroneously listed on CBL. It seems that declude is checking autheticated users sending mail for CBL and according to CBL this is wrong. SEE below Here is the header showing what went on with the actual Ips removed to proect the innocent (ME). But it sure seems that my desktop machine is the one being checked and shown as on CBL. Had 10 points been enough I would not have been able to send mail. The ONLY address within the below HEADER that was actually listed in the CBL is the HOST machine sending the email. NOT the MAIL servers but MY DESKTOP of which I am an authenticated sender. Why would declude check an authenticated sender on the CBL list? This all started because Smartermails SPAM does NOT check the authenticated senders and this is what confused me intially. IE I thought Smartermails SPAM was not working properly on another server where I do NOT have declude ANTISPAM installed. BUT as you see according to CBL it should NOT detect CBL on an autheticated senders IP. According to CBL this is not how the list is designed. Return-Path: [EMAIL PROTECTED] Sun Jun 12 18:35:56 2005 Received: from forwardeddestinationmailserver [123.123.123.123] by forwardeddestinationmailserver with SMTP; Sun, 12 Jun 2005 18:35:56 -0400 Received: from decludesmtpserver [456.456.456.456] by destinationmailserver with SMTP; Sun, 12 Jun 2005 18:35:20 -0400 Received: from UnknownHost [IP-in-CBL=MY DESKTOP] by decludesmtpserver with SMTP; Sun, 12 Jun 2005 18:34:59 -0400 From: douglas cohn [EMAIL PROTECTED] To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Test cbl Date: Sun, 12 Jun 2005 18:34:52 -0400 MIME-Version: 1.0 Content-Type:
RE: [Declude.Virus] Declude using CBL to block users sending mail?????
I read all the replies and do understand. Now to explain how my IP got in the CBL and from a completely different reason in SPEWS, the most useless list on the planet. I have a public IP on my home office desktop which I work from extensively. I am behind a Netscreen firewall running in transparent mode. I need a public ip because of the management chores I have. Not every machine I use has a public IP of course. This one is and it is quite secure. I run Mcafee Enterprice AV 8.0 and always keep it current and run a nightly full scan. I ran Adaware Professional and AD-Watch. I run the Nvidia Firewall as well which is a hardware firewall sort off as it is based within the Nvidia chipset. So the chances of me getting a virus or even spyware on this machine are extremely slim. There I practically no way a mass mailing worm could run since Mcafee is set to disallow outbound mail on port 25. EXCEPT --- I did run a utility the other day as a test called Advanced maillist verify and I added it to the whitelist on Mcafee. This tool ran against our list of opted in users. That list has over 250,000 email addresses. I let it run overnight as a test before running it at the data center where our public servers reside. I figured if anything would occur let it happen to my machine (and it did). So after several emails with the CBL people they agree that I am probably one of the very few false positives. That is I was running a legit process and they added me to their list. Now what is scary is the fact that SPEWS has my Ips on their list as well but completely erroneously. To the point if you do a Rwhois on my block it returns a completely different response than the listing they show. Basically because they show their list as a /24 when the list they should be blocking is a /25. I have a /28 for my T1. So SPEWS and CBL had me listed at the same time for a few days. Hard to work when they do that G As you stated CBL is easy to remove but being super anal about the stability and security of my personal management stations (since I get on peoples corporate networks all the time) I had to make sure. I used Barts PE CD (booted directly from it) to run a full Mcafee scan first. It was clean. Then while back on my machine logged on normally I ran rootkitrevealer and several other sysinternals utils along with process explorer for a few days just to be sure. I then checked my Mcafee logs and got nervous cause I found that they showed I had a trojan. UH OH I thought. But then I learned that Mcafee sigs DAT 4511 had some issue with INNO installer. (Generic BackDoor.dr(Trojan)). This deleted about six programs from my system. Quite annoying to say the least. https://knowledgemap.nai.com/phpclient/viewKDoc.aspx?externalID=VIL_103069s essionID=Anonymous1775561400sliceID=docID=KC.VIL_103069url=vil/vil_103069 .xmldialogID=14262402docType=DOC_VILiterationID=1docName=Virus%20Name:%2 0Generic%20BackDoor.dr This was scary. Here I am hassling the CBL people and then I see a backdoor trojan on my system. What really got me was the warning on the CBL site but I see now what is happening and I am testing against the Smartermail responses anyway not decludes. And it is working satisfactorily combined with Spam Bayes in Outlook. See my next email for my real issue. And thanks Doug -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Monday, June 13, 2005 8:26 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] Declude using CBL to block users sending mail? Doug, IP's should not be in CBL unless they were found sending E-mail to a spam trap, and seemed to be residential in nature or lacked reverse DNS entries. So the primary issue that I see is that your IP was found to have sent E-mail to a spam trap. CBL allows for removal without confirmation, so if this problem is no longer there, removal should fix it. SmarterMail does not presently allow a method for Declude to verify what has successfully authenticated. This is probably the biggest shortcoming of a SmarterMail/Declude setup at this time. SmarterMail has indicated that they will likely provide a method for Declude to verify AUTH in their 3.0 release due in Q4. If your user's IP's aren't exclusive to your company, and aren't in a fixed range, then there is little that can be done about whitelisting authenticated users for the time being. CBL was correct in saying that you don't want to be looking up authenticated E-mail on such lists, but it is a common enough practice, and that fact alone didn't create the condition where your IP became listed. To work around this in the mean time, you might want drop the scores of tests that are fed from spamtraps like CBL and SpamCop. While CBL is very accurate, you don't want a such tests to be trapping your own users on legitimate E-mail, so being a little more conservative might help. Adding Sniffer would be a great way to allow you to
RE: [Declude.Virus] Declude using CBL to block users sending mail?????
Now to my final question and the reason all of this happened. Imagine you work for developers that have an opted in mailing list with close to a million email addresses. Valid opted in users. When someone opts out they are removed. They can email opt out, they can even call the office and opt out, all legit. BUT over the years none of the bunk email addresses were ever cleaned from the list. (As I said opt outs are removed). Additionally in the early days email formation validity was not even checked so there may be addresses without an @ sign or addresses with @@@ etc etc etc. So the goal was two fold. 1. Correct the process so future newsletters that are sent process the bounces properly and remove any email addresses associated with hard bounces. 2. Run the current list through some kind of email verification program to avoid sending 1,000,00 extra emails over the course of the next few months as additional newsletters go out. They do NOT go out often, maybe 6 or 8 per year which helps the list remain valid. They are not spammers. Hence the issue. How do you clean such a list? I tried Advanced maillist verifier AMV). Advanced Email verifier (AEV) and BulkVerifier. Now all of these programs seem like they may work but they get your ips in trouble. Furthermore what struck me as very odd is all of them are at least 2 years old at a minimum and no further dev has been done on them since. This led me to believe the obvious. You simply cannot use these programs anymore in today's environment. That said I would like something that could at least look at the address and verify that it indeed created correctly and then verify that the domain is a valid mail domain. I played with DIG and DIG does return the info for you to determine if the domain is valid but it requires a lot of work to write a routine that would correctly validate the domains. I was using Dig domainame MX The problem is the return codes are not very easy to work with. It's not like I get a different errorlevel returned based on whether the domain has a valid MX record or not (which would be nice). Any ideas are appreciated. Regards Doug -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry Sent: Monday, June 13, 2005 11:34 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] Declude using CBL to block users sending mail? - Original Message - From: Matt So it would be possibly useful in this case, but again, solving the issue that created the CBL listing is the most direct route, and less dependencyon any particular test by adding something like Sniffer and reducing weights on such things I think is still the best overall solution. Not to mention that anything done to reduce the weight of messages into you own system does nothing to control how others may be using CBL to weight or block spam coming into their systems. So as Matt said, the best thing to do is correct whatever issue got you listed in the first place, and then focus your efforts on getting the listing removed. Bill --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail scanned for viruses by Declude Virus] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.