[IMGate] Re: Moving away from Imail
We are a small service provider with approx 500 domains. We average 400,000 inbound emails per 24 hour cycle weekdays with about 10-12% of that ham. One domain accounts for 80-85% of that volume. Imail w/Declude on a beefy multi-processor server is no longer keeping up as well as we'd like it to. Without our IMGates, we would be dead in the water. So it's time to start migration plans. Cmd line is no problem. We are a FreeBSD house. Linux is okay, but prefer FBSD for servers. A front end GUI would be nice for the staff whose comfort level w/cmd line is low although it's not a must. One item we have been considering is a solution that allows customers to manage or at least have more control over their own spam filters. IMGate type of filtering is great for probably 90% of our customers but we've found it doesn't meet all customers' needs. This has led us to extend/develop additional capabilities for our IMGates. It would be nice to offload some of that management onto the customer. Currently, reporting is a thin area for us. The new system should have good management and reporting capabilities. -NB
[IMGate] Re: Moving away from Imail
Thanks for the feedback and links. We use FreeBSD as well for everything. It's just so solid, stable, etc. I concur completely about Imail which is why we have decided to move away. If the "to-do" list wasn't so long, we would have done it a long time ago. Zimbra looks interesting but I don't see a native version for FBSD. -NB
[IMGate] Moving away from Imail
Has anyone on this list moved away from Imail to a complete end-to-end *nix solution? If so, what were your choices (SMTP, POP, IMAP, Webmail, etc.) and experiences? We have recently decided to do this. The only choice we are firm on is Postfix w/an IMGate type setup for SMTP. We are considering Dovecot for POP/IMAP. Webmail, dunno. Interested in your experiences. Thx. -NB
[IMGate] Re: Imail POP3 brute force attack
SmarterMail accolades aside and returning to my original question, I think I'm going to test the following:

1. Removing Imail's external interface and only utilizing an internal interface thus removing Imail from any direct outside/external connections/attacks.
2. Setting up an external FreeBSD box w/IPFW and a POP3 Proxy (I'm going to try using Courier first)
3. Utilizing IPFW to rate limit by the source IP to something reasonable

My thinking is that this would allow legitimate POP3 requests but slow/frustrate brute force attacks. If this works, I would then add an open source webmail solution like Zimbra or RoundCube that utilizes IMAP calls to Imail via the internal network. I've already eliminated Imail's SMTP from public exposure by utilizing my IMGates. Obviously the proxy would need the external IP address that we use in DNS for our customers for POP3 calls. Diagrammed, it would look something like this:

    External --- [IMGate] [POP3_Proxy] [WebMail_via_IMAP] --- Internal ---> IMail

Thoughts? Ideas? -NB
[IMGate] Imail POP3 brute force attack
Has anyone seen a brute force POP3 attack on their Imail in recent weeks? We have seen 2 in the last month. Each attack originates from a DSL IP address. Once from Mexico and this am from PacBell land, not that geographic location means anything. Only fix seems to be blocking the IP address at border. Imail version is 8.05. Symptoms are open socket count skyrocketing and normal POP3 calls failing for lack of sockets. Not keen on upgrading Imail due to webmail issues and other issues noted on Imail list. I have no desire to be a beta tester for IPSwitch. Been thinking of moving over to a *nix solution. Thoughts? -NB
[IMGate] Re: strange virus stats
> Since we run SAV and greylisting, the senders are verified and the sending IPs are re-trying, meaning they are probably legit MTAs. Is anybody else seeing a lot of Bagle.?? and almost nothing of anything else?

The majority of viruses that we are seeing are a mix of mytob and bagle. Overall our virus numbers are way down over a year or two ago. As for greylisted IP's resending, we are beginning to see a significant increase in the number of infected/trojaned subscriber hosts resending. Enough so that we have moved greylisting a few notches lower in our testing order. Anyone care to share the domains that you SAV? We have kept ours pretty short thus far (hotmail.com and a couple of common national ISPs) but I have been thinking we might get more bang for our buck if we expanded ours. -NB
[IMGate] Re: gif image spam dropped off?
>Let us know if those two filters I posted in the previous msg catch any spam.

Nothing thus far in ~8hrs. Our avg 24 hour (weekdays) Spam/Ham ratio is about 300,000/30,000. Thus far, our most effective method for blocking image spams has been to block by a subscriber IP list that we've been developing in house. -NB
[IMGate] Re: gif image spam dropped off?
>Here's the number WARNings/day for previous 8 days at one high-volume
>site I admin:
>mx1# zegrep -ic "suspected image" /var/log/maillog.[0-9].gz

What parameters/tests are you using to flag your image spam?
[IMGate] Re: help being abused!
Omar, FWIW, I don't run SAV on all email. I only use it on domains that are frequently forged like hotmail.com, yahoo.com, etc. That keeps me from DOS'ing my IMGate and still catches a reasonably high percentage of forgeries. To help reduce SAV queries, I also whitelist VERP lists like returns.groups.yahoo.com. Otherwise, you are querying for every message from yahoogroups, etc. -NB
[IMGate] Re: Exporting users from Imail or SmarterMail and putting them to the Imgate box
I'm sure there is more than one way to do this. FWIW, I use the following:

cat relay_recipients.tmp | tr -d '\015' > relay_recipients.map

For more on tr do a "man tr" -NB

- Original Message -
From: Michael Keen
To: IMGate@mgw2.MEIway.com
Sent: Thursday, May 04, 2006 11:03 AM
Subject: [IMGate] Re: Exporting users from Imail or SmarterMail and putting them to the Imgate box

I haven't posted to this group in a couple of years because IMGATE has been serving me so reliably. Now I need some assistance. I think it's time that I start using check_recipients_maps or reject_unlisted_recipient because I'm having trouble sending email to verizon.net with their latest SAV system. I'm attempting to utilize Dan Horne's batch file on my NT box but I'm having a problem with the sed utility. Here is Dan's command:

sed "s/$/     OK/" imailusers.txt >relay_recipients_unsorted.txt

For some reason, the resulting file has a ^M character on each line immediately after each email address and ahead of the five spaces and the "OK". I've been Googling for hours, but the documentation on sed is pretty hard to grok for my feeble mind. Once I tackle that, I'll still have to figure out what to do with the .map file I've FTP'd to Postfix and I'll also have to figure out how to schedule Dan's script on NT, but I'll cross those bridges when I get to them. Thanks in advance for any help.

Sincerely,
Michael Keen
President
inksite inc.
http://www.inksite.com
973-633-1786 Fax 973-872-8054
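An added example (not code from the list posts) that wraps the CR stripping shown above in a reusable shell function and checks the result. The input is a constructed CRLF-terminated export; the assumed format is one address per line, possibly already carrying the "     OK" suffix from Dan's sed command.

```shell
#!/bin/sh
# Added example, not from the list: build a Postfix relay_recipients map from
# a Windows-exported user list. Windows tools end lines with CRLF, so the ^M
# (\r) lands inside the lookup key and "user@example.com\r" gets indexed
# instead of the real address; strip it before postmap ever sees the file.
# Assumed input: one address per line, CRLF terminated, blank lines allowed,
# possibly already suffixed with "     OK" by Dan's sed command.

# Constructed sample export, written the way an NT tool would (CRLF endings).
SAMPLE_EXPORT=$(printf 'alice@example.com\r\nbob@example.com     OK\r\n\r\nCarol@Example.COM\r\n')

# build_relay_map: read the export on stdin, emit clean "address     OK" lines.
#   tr -d '\015'   drops every carriage return (the ^M from the post)
#   first sed      removes an existing OK suffix and deletes blank lines
#   tr A-Z a-z     normalises case so duplicates collapse in sort -u
#   second sed     appends the five spaces and OK that Postfix expects as value
build_relay_map() {
    tr -d '\015' \
    | sed -e 's/[[:space:]]*OK$//' -e '/^[[:space:]]*$/d' \
    | tr 'A-Z' 'a-z' \
    | sed -e 's/$/     OK/' \
    | sort -u
}

# cr_count: number of carriage returns left in whatever is on stdin. A map
# with a non-zero count here will silently fail every recipient lookup.
cr_count() {
    tr -cd '\015' | wc -c | tr -d ' '
}

# Usage: write the map to a temp location, verify it is CR-free, then index it.
MAP="${TMPDIR:-/tmp}/relay_recipients.map"
printf '%s\n' "$SAMPLE_EXPORT" | build_relay_map > "$MAP"
[ "$(cr_count < "$MAP")" = "0" ] || echo "warning: CRs still present in $MAP" >&2
# postmap hash:"$MAP"    # run on the IMGate box itself; not run here
```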
[IMGate] Recent Zombie Spam
Has anyone found anything to key on with the recent rash of zombie spam that is characterized by random from fields, random (usually one or two word) subject lines, random text and a .gif file that is a "text pic" of a stock market pump-and-dump type of scam? There are no hyperlinks to key on. Everything seems to be random. The zombies are certainly world wide. I haven't found anything yet. For me the storm started about 3-4 days ago. Volume seems to be increasing. Hopefully someone will have a light bulb moment that I have not experienced yet about this spam storm. -NB
[IMGate] Re: href="http://www.google.com/url?
>Is it safe to block on this body content or might legitimate emails (such as
>news bulletins, etc) have a link like this? This one is from a phishing

Why not set a rule in your body checks to WARN? Watch it for a few days to see what you get. -NB
[IMGate] Re: Automatic Black listing
>I get a lot of spam at invalid addresses.

I don't allow email that is sent to invalid recipients. It's very early in my smtpd_recipient_restrictions and is very effective. -NB
[IMGate] WMF
Anyone have a filter that will identify WMF files by their headers?
[IMGate] Re: SAV taking long time
>SAV is taking 15 to 20 minutes, sometimes longer.
>How long should SAV take to verify an address?

A few seconds.

>How big should we let the address_verify.map.db file get? When it gets to
>a couple of gig I usually delete it.

We run a script nightly that will rename the address_verify.map.db file if it gets too large. But in many moons of using it, the db file has never grown large enough to trigger it. I just checked our main MX and the db file is currently about 84 megs. YMMV. I would say our server loads are moderate in volume. 24 hour avg is 100,000 to 120,000 spam and 10,000 to 15,000 ham. Our db file may be smaller than some since our SAV check runs last in the smtpd_recipient_restrictions, just above the permit line. We do the cheap stuff first. Check recipients, etc. -NB
[IMGate] Re: imailusers.exe problems?
We've been using it for about a year. Have yet to see any errors. -NB
[IMGate] Re: postfix equivalent
> that's only an SMTP client, has no SMTP server

That's true. I have only used it to send an occasional email report, etc. from a windows box. It's not an SMTP server. I don't think I read Omar's request very thoroughly. :)
[IMGate] Re: postfix equivalent
If you are looking for a Win32 cmd line SMTP engine, I've used Blat before. http://www.blat.net/

- Original Message -
From: Omar K.
To: IMGate@mgw2.MEIway.com
Sent: Thursday, September 15, 2005 9:29 AM
Subject: [IMGate] postfix equivalent

ok, maybe there really isn't an equivalent, but what would you say is a comparable SMTP engine for the windows platform? I am looking for a lightweight SMTP server, nothing fancy. Any recommendations?
[IMGate] Changing ports
Where would I make the change so postfix will forward/relay to an IMail port other than port 25? Would an entry in transport.map like this work?

domain.com    smtp:[ip.ad.dr.es]:1234

-NB
[IMGate] Re: SAV Whitelist
>sender is the MAIL FROM:, not the IP or PTR, mta_clients

Okay. Makes sense. So back to my original question...where do I place them? Here?

check_client_access hash:/etc/postfix/mta_clients_bw.map
[IMGate] Re: SAV Whitelist
>like any other IP or PTR

Like this?

smtpd_recipient_restrictions =
    ...
    check_sender_access hash:/etc/postfix/from_senders_bw.map
[IMGate] SAV Whitelist
I've been running SAV on my inbound IMGates for several weeks and now have a list of mail servers that I need to whitelist. I've been running with:

/etc/postfix/main.cf:
smtpd_recipient_restrictions =
    ...
    warn_if_reject reject_unverified_sender

I want to remove the warn_if_reject but before I do, where/how do I whitelist the valid mail servers that don't honor my SAV requests? -NB
[IMGate] Re: Blocking Mytob
>/^subject: *(status|error|Notification *)$/ REJECT MYTOB 14

I'm not a regex expert so I could be wrong, but shouldn't there be a dot before the asterisk? Like:

/^Subject: .*(status|error|Notification *)$/ REJECT

or doesn't it matter? -NB
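As an added check (not from the thread), the two patterns quoted above run against a handful of constructed Subject headers with grep -Ei, which approximates the case-insensitive matching of a Postfix regexp: table closely enough to show that the two are not equivalent: " *" only tolerates spaces between "Subject:" and the keyword, while ".*" accepts any leading text and so widens the rule.

```shell
#!/bin/sh
# Added example, not from the thread: compare the two header_checks patterns
# from the post on constructed Subject lines. grep -Ei stands in for Postfix's
# case-insensitive regexp: table matching (an approximation, not Postfix).

# Pattern as posted: " *" allows only spaces between "Subject:" and the keyword.
PATTERN_ORIG='^subject: *(status|error|Notification *)$'
# Variant from the question: ".*" allows any text before the keyword.
PATTERN_DOTSTAR='^Subject: .*(status|error|Notification *)$'

# Constructed Subject headers, one per line.
SUBJECTS='Subject: status
Subject: Error
Subject:Notification
Subject: Your order status
Subject: Notification of delivery'

# subject_matches PATTERN HEADER: exit 0 if the header would hit the rule.
subject_matches() {
    printf '%s\n' "$2" | grep -Eiq "$1"
}

# count_matches PATTERN: how many of the constructed headers hit the rule.
count_matches() {
    printf '%s\n' "$SUBJECTS" | grep -Eic "$1"
}

# show_matches PATTERN: list the headers that hit, for eyeballing a candidate
# rule before it goes into header_checks as REJECT rather than WARN.
show_matches() {
    printf '%s\n' "$SUBJECTS" | grep -Ei "$1"
}

echo "posted pattern matches:";   show_matches "$PATTERN_ORIG"
echo "dot-star pattern matches:"; show_matches "$PATTERN_DOTSTAR"
```

Both patterns hit three of the five samples, but not the same three: the posted one accepts "Subject:Notification" and rejects "Subject: Your order status", the dot-star variant does the reverse.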
[IMGate] Re: Blocking Mytob
>the _mytob filter has really cut down a lot for us.

My results from about 8 hours yesterday:

IMGate03# egrep -Jci "mytob" /var/log/maillog.0.bz2
41

FYI: I found a FP with a subject of:

Subject: IMPORTANT NOTIFICATION ABOUT eBay Item {5004477547, 5004481494, 5004492868, 5004503577, 5004576755, 5004782112, 5004793537, 5004796554, 5005126277, 5005130329}

YMMV -NB
[IMGate] Re: pflogsumm update
>on postfix 2.3, pflogsumm seems out of sync with new postfix logging syntax:

Yep. That's my experience also. -NB
[IMGate] Re: Deleting all blank lines w/sed tip
>sed "/^$/d" file
>... doesn't look valid at all. eg, why double quote the de-limited
>regex's? I never do that.

That would be true on *nix. But when calling a batch file on Win2k (any Win32 OS, I think) you need the quotes. At least I have never been able to get it to work without them. -NB
[IMGate] Deleting all blank lines w/sed tip
I ran into a Win32 sed issue today while trying to use the port of sed from:

http://unxutils.sourceforge.net/

While trying to delete all blank lines in a file with the following cmd:

sed "/^$/d" file

it refused to work. But "super-sed" from:

http://www.student.northpark.edu/pemente/sed/

works perfectly using the above cmd line. -NB
[IMGate] Re: AV scanning
>> Do any of you run more than one AV scanners? Which ones?
>I run uvscan (McAfee) and clamav (via its clamd daemon). On my test server,
>I run uvscan, clamd, AVG (daemon), BitDefender, Sophos (via SAVI),
>TrendMicro (via trophie), and F-Prot. All run very well on linux, and all

Bill, Which version of AVG are you using? The "Email server edition"? I'm always leery of AV "email" products. It seems to me that AV websites often label some kind of proxy product as their "email" version, rather than a command-line version which I'm actually looking for. -NB
[IMGate] AV scanning
I haven't yet implemented AV scanning at the MX level and would like to. Any recommendations? I would assume that given the CPU "cost", a dedicated box might be better long term. Do any of you run more than one AV scanner? Which ones? Thx.
[IMGate] Re: check and remove with this header?
Bob, Seems like in main.cf you could use:

smtpd_recipient_restrictions =
    check_helo_access hash:/etc/postfix/helo_hostnames.map,

where helo_hostnames.map contains something like:

$domain                  554 ACL helo_hostnames
localhost                554 ACL helo_hostnames
localdomain              554 ACL helo_hostnames
localhost.localdomain    554 ACL helo_hostnames
$host.$mydomain          554 ACL helo_hostnames

assuming that in main.cf:

mydomain = YourDomain.com

HTH, -NB
[IMGate] Re: sober header checks
Same here...

IMGate03# egrep -icJ "discard:.*sober" /var/log/maillog.[0-9].bz2
/var/log/maillog.0.bz2:5
/var/log/maillog.1.bz2:171
/var/log/maillog.2.bz2:235
/var/log/maillog.3.bz2:255
/var/log/maillog.4.bz2:6
[IMGate] Sober worm/German spam
AFAICT, thx to greylisting, it would appear my IMGates have had zero problems with the recent sober/spam outbreak that I see many others have had. Bravo! In fact if it wasn't for my reading about the woes of others, I would never have known. Label me another IMGate lover. Just another day on the frontier...

IMGate03# uptime
12:14AM up 7 days, 9:07, 3 users, load averages: 0.06, 0.08, 0.09

     1 ACL to_local_recipients unknown recipient
     1 SMTP Exceeded Hard Error Limit after CONNECT
     3 RBL dynamic.rhs.mailpolice.com
     3 RBL list.dsbl.org
     4 DNS no A/MX for @recipient.domain
     6 SMTP Exceeded Hard Error Limit after ETRN
    11 RBL relays.ordb.org
    13 ETRN Mail theft attempt
    16 SMTP Exceeded Hard Error Limit after HELO
    18 RBL korea.services.net
    22 ACL Cannot find hostname
    23 SMTP Exceeded Hard Error Limit after MAIL
    53 ACL body checks
    54 SMTP Exceeded Hard Error Limit after END-OF-MESSAGE
   145 SMTP unauthorized pipelining
   158 SMTP invalid [EMAIL PROTECTED]
   186 SMTP Exceeded Hard Error Limit after RSET
   267 SMTP bad HELO
   359 ACL unauthorized relay
   503 ACL header checks
   617 DNS no A/MX for @sender.domain
   832 ACL helo_hostnames
   950 MIME mime-error
  2648 RBL block.rhs.mailpolice.com
  2710 RBL sbl-xbl.spamhaus.org
 13031 SMTP Exceeded Hard Error Limit after RCPT
 19125 SMTP Exceeded Hard Error Limit after DATA
 35449 ACL Greylisted
 50436 ACL to_relay_recipients unknown recipient
127644 TOTAL
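An added example, not IMGate's own reporting script, that produces a per-reason reject summary in the shape of the report above from Postfix 2.x smtpd log lines; the classification rules and labels are my own approximation, and the log lines are constructed. It also wraps the egrep -ic "reject:.*PATTERN" idiom used elsewhere on this list.

```shell
#!/bin/sh
# Added example, not from the list: summarise Postfix reject lines by reason.
# Labels mimic the report above but the rules are mine, not IMGate's script.
# Real use: reject_summary < /var/log/maillog, or for the bzip2-rotated logs
# the posts grep with -J: bzcat /var/log/maillog.0.bz2 | reject_summary

# Constructed sample of Postfix 2.x smtpd log lines (one non-reject line mixed in).
SAMPLE_LOG=$(cat <<'EOF'
Nov 12 10:00:01 IMGate03 postfix/smtpd[7011]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 Service unavailable; Client host [192.0.2.10] blocked using sbl-xbl.spamhaus.org; from=<a@example.com> to=<b@example.net> proto=ESMTP helo=<mail>
Nov 12 10:00:02 IMGate03 postfix/smtpd[7011]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.5]: 450 <b@example.net>: Recipient address rejected: Greylisted; from=<c@example.org> to=<b@example.net> proto=ESMTP helo=<mail.example.org>
Nov 12 10:00:03 IMGate03 postfix/smtpd[7012]: connect from unknown[192.0.2.13]
Nov 12 10:00:04 IMGate03 postfix/smtpd[7012]: NOQUEUE: reject: RCPT from unknown[192.0.2.13]: 554 <x@elsewhere.example>: Relay access denied; from=<a@example.com> to=<x@elsewhere.example> proto=SMTP helo=<x>
Nov 12 10:00:05 IMGate03 postfix/smtpd[7013]: NOQUEUE: reject: RCPT from unknown[192.0.2.14]: 550 <nobody@example.net>: Recipient address rejected: User unknown in relay recipient table; from=<a@example.com> to=<nobody@example.net> proto=SMTP helo=<x>
Nov 12 10:00:06 IMGate03 postfix/smtpd[7014]: NOQUEUE: reject: RCPT from unknown[192.0.2.15]: 554 Service unavailable; Client host [192.0.2.15] blocked using sbl-xbl.spamhaus.org; from=<d@example.com> to=<b@example.net> proto=ESMTP helo=<mail>
Nov 12 10:00:07 IMGate03 postfix/smtpd[7015]: NOQUEUE: reject: RCPT from unknown[192.0.2.16]: 450 <b@example.net>: Recipient address rejected: Greylisted; from=<e@example.com> to=<b@example.net> proto=ESMTP helo=<mail>
Nov 12 10:00:08 IMGate03 postfix/smtpd[7016]: NOQUEUE: reject: RCPT from unknown[192.0.2.17]: 450 <f@nosuchdomain.invalid>: Sender address rejected: Domain not found; from=<f@nosuchdomain.invalid> to=<b@example.net> proto=SMTP helo=<x>
Nov 12 10:00:09 IMGate03 postfix/smtpd[7017]: NOQUEUE: reject: RCPT from unknown[192.0.2.18]: 504 <x>: Helo command rejected: need fully-qualified hostname; from=<g@example.com> to=<b@example.net> proto=SMTP helo=<x>
EOF
)

# classify_rejects: keep only reject lines and rewrite each one to a short
# label. Each sed rule replaces the whole line, so later rules cannot fire on
# a line an earlier rule already relabelled; the last rule is the catch-all.
classify_rejects() {
    grep 'reject: ' | sed -E \
        -e 's/.*blocked using ([^ ;]+).*/RBL \1/' \
        -e 's/.*Greylisted.*/ACL Greylisted/' \
        -e 's/.*Relay access denied.*/ACL unauthorized relay/' \
        -e 's/.*User unknown in relay recipient table.*/ACL to_relay_recipients unknown recipient/' \
        -e 's/.*Sender address rejected: Domain not found.*/DNS no A\/MX for @sender.domain/' \
        -e 's/.*reject: [A-Z]+ from [^ ]+: ([0-9]{3}) .*/OTHER \1/'
}

# reject_summary: one "count label" line per reason, ascending, then TOTAL.
reject_summary() {
    classify_rejects | sort | uniq -c \
    | sed -E 's/^ *([0-9]+) /\1 /' | sort -n \
    | awk '{ total += $1; print } END { print total " TOTAL" }'
}

# count_rejects_matching PATTERN: the egrep -ic "reject:.*PATTERN" idiom.
count_rejects_matching() {
    grep -ic "reject:.*$1"
}

printf '%s\n' "$SAMPLE_LOG" | reject_summary
```

Anything the rules do not recognise surfaces as "OTHER nnn" with its SMTP status code, which is the cue to add a rule rather than let a new reject type hide in the total.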
[IMGate] Re: Disk use in /var
Adolfo, While there are many ways of doing it, here's a tip from yesterday's UNIX Guru Universe list:

ls -lR | grep ^- | sort -nr -k 5 | more

Run it in /var and you'll find the file(s) that are using the most space. Drop the R to just do the current dir. Like:

ls -l | grep ^- | sort -nr -k 5 | more

BTW, here is the link to subscribe to UGU. It's one unix tip per day. Well worth your time. http://www.ugu.com/sui/ugu/show?tip.subscribe -NB
[IMGate] Re: Trouble loging into new Box
>If this machine is exposed to the outside world you really should leave
>this as "PasswordAuthentication no" and allow SSH logins only via
>authorized_keys.

Or install a firewall and only allow ssh access from IP's that you control. For several years, I have been locking down all of my FreeBSD servers pretty tightly w/IPFW. It can be a pain, if you are trying to access it from a dynamic IP that changes often, but I sleep better at night. :) -NB
[IMGate] Re: Trouble loging into new Box
Joel,

>"SecureCRT has disconnected from the server. Reason:
>Unable to authenticate using any of the configured authentication methods."

Here's your answer. I ran into this a month ago myself.

echo "PasswordAuthentication=yes" >> /etc/ssh/sshd_config

Run the above line or manually add it to /etc/ssh/sshd_config and SecureCRT will work as it used to w/4.x. Until then, set your primary auth in SecureCRT to "Keyboard Interactive" and you will be able to login using SecureCRT. Oh...after the change either reboot the box or kill and restart the sshd for it to take effect. Note: This fix only affects people running FreeBSD 5.3 with the default SSHd -- not OpenSSHd. -NB
[IMGate] Re: Greylisting is TOO good
>Greylisting is amazing. I can't believe I waited so long to implement.

FWIW, a new version was released yesterday. http://isg.ee.ethz.ch/tools/postgrey/pub/postgrey-1.18.tar.gz
[IMGate] Greylisting
I am finally doing the research to add greylisting (postgrey) to my IMGates and am wondering if it is still effective or have spammers found a way around this technique?
[IMGate] Arrghhhh....
Found this note on my shopping cart @ Amazon.com: "Please note that the price of 'The Book of Postfix: State-of-the-Art Message Transport' has increased from $27.96 to $32.97 since you placed it in your Shopping Cart." Price goes up and the release date drops back to March 25, 2005.
[IMGate] Re: Stop email alerts from IMGate...
>My IMGate is running great! But I'd like to turn off all the email alerts
>that it sends ... ?help?
>I'm not sure where to start ... looking for direction.

Edit your notify_classes. I personally use:

notify_classes = resource, software

http://www.postfix.org/postconf.5.html#notify_classes -NB
[IMGate] Re: map reload question
>smtpd processes check the map.db timestamp and kill themselves if it has
>changed.

Ahh. Thx. That makes sense.
[IMGate] map reload question
When a map file is updated and indexed via postmap, is it REQUIRED to reload postfix for postfix to use the new contents? I thought I remembered reading somewhere that if a map changes all affected daemons commit suicide and restart, but I can't seem to find anything on it. -NB
[IMGate] Re: rr getting smart about PTR reverse domains
I'm also seeing:

Feb 8 15:32:23 IMGate01 postfix/smtpd[79442]: warning: 68.175.192.48: address not listed for hostname cpe-68-175-192-48.stny.res.rr.com

which I suspect means that their DNS is misconfigured where the PTR records have no matching A record? -NB
--- "Problems are only opportunities in work clothes." -- Henry J. Kaiser
[IMGate] Re: rr getting smart about PTR reverse domains
>>I would double check your stats, as this figure counts email from/to
>>"res.rr.com"

Good point although this is an inbound only MX. Len's example below is more refined as the output shows.

>also, smtpd dis/connect's
>This would be more accurate:
>egrep -ic "reject:.*res.rr.com" /var/log/maillog

# egrep -ic "reject:.*res.rr.com" /var/log/maillog
68
# zgrep -ic "reject:.*res.rr.com" /var/log/maillog.[0-9].gz
/var/log/maillog.0.gz:145
/var/log/maillog.1.gz:68
/var/log/maillog.2.gz:88
/var/log/maillog.3.gz:99
/var/log/maillog.4.gz:158
/var/log/maillog.5.gz:109
/var/log/maillog.6.gz:32
/var/log/maillog.7.gz:0
/var/log/maillog.8.gz:0
/var/log/maillog.9.gz:0

-NB
--- "Problems are only opportunities in work clothes." -- Henry J. Kaiser
[IMGate] Re: rr getting smart about PTR reverse domains
Sweet! Already starting to work here:

# egrep -i "res.rr.com" /var/log/maillog | wc -l
727
# zgrep -i "res.rr.com" /var/log/maillog.[0-9].gz | wc -l
4155

-NB
--- "Problems are only opportunities in work clothes." -- Henry J. Kaiser
[IMGate] Re: Exporting Domains
David,

>Just keep in mind that any IMail anti-spam (v8.x) stuff is applied based on
>the IP address that the mail comes in on - whose settings may or may not be
>the same as the one associated with the host.

Thx for the info. I'm not using any of Imail's anti-spam measures, so that should not adversely affect me although I am using Declude/Sniffer. Any idea if this applies to them in the same manner? Sorry for veering slightly off-topic, Len. -NB
[IMGate] Re: Exporting Domains
>>I was unaware of this juicy tidbit. If this is true
>test it. telnet to IP for IMail domain x, and use a

Sure enough. It works. :-)
[IMGate] Re: Exporting Domains
Len,

>We've repeatedly mentioned Terry Fritt's imailusers.exe. The output of
>that is easily adapted to transport.map.

As far as I can see that app does not produce the IP addresses, but rather only the [EMAIL PROTECTED], etc.

>btw, one transport.map simplification is that Imail listens on all IPs for
>all domains, which simplifies transport.map, since you can send all domains
>to one Imail IP (even if you use 30 different IPs in Imail).

I was unaware of this juicy tidbit. If this is true, then Terry's ImailUsers.exe combined with a few sed cmd's will indeed do the trick. Thx.
[IMGate] Exporting Domains
Does anyone have an easy method of exporting Imail's domains? I'm looking for a way to easily maintain my transport.map files. Thx. Happy New year everyone. -NB
[IMGate] Re: issues with aol
> yep, if your mailbox users forward their message to AOL then use the
> "report as spam" feature in their mailbox, they are reporting your server
> since it was the source.

And since it seems that as clueful Internet users go, AOL's customers are several rungs lower than most, this is/will be a frequent event. We've seen AOL users report personal email notes that were one-to-one communications (family member to family member), as spam. -NB
[IMGate] Re: time to update my RBL list
Andrew, My RBL looks like yours. Of note, yesterday I was getting DNS errors for dnsbl.njabl.org, but today it looks like it's back to normal. -NB
--- Money, it turned out, was exactly like sex: you thought of nothing else if you didn't have it, and thought of other things if you did.

- Original Message -
From: Andrew P. Kaplan
To: IMGate
Sent: Saturday, December 18, 2004 2:44 PM
Subject: [IMGate] time to update my RBL list

I am using the following RBL's. Just curious to see what others are using.

reject_rbl_client sbl.spamhaus.org,
reject_rbl_client list.dsbl.org,
reject_rbl_client dnsbl.njabl.org,
reject_rbl_client opm.blitzed.org,
reject_rbl_client bl.spamcop.net,
reject_rbl_client korea.services.net,
reject_rhsbl_client block.rhs.mailpolice.com,

p.s. Len I removed visi and my average delivery time dropped 10 secs. (I realize this is a small sample set but . . . )

Andrew P. Kaplan
www.cshore.com
"To subdue the enemy without fighting is the highest skill" - Gichin Funakoshi
[IMGate] ireject_rhsbl_sender
Len, ireject_rhsbl_sender <-- found this in your basic imgate cfg's (main.cf) but can't seem to find anything about it. Is it a typo? I find reject_rhsbl_sender in man 8 smtpd, but no ireject_rhsbl_sender. Thx. -NB
[IMGate] Re: Need Setup Files Please
Len, I too would like the current cfg files as I'm prepping a new box for a new IMGate. Thx. NB

- Original Message -
From: Grant Stufft
To: [EMAIL PROTECTED]
Sent: Sunday, December 12, 2004 12:28 AM
Subject: [IMGate] Need Setup Files Please

Could I get the current setup files emailed to me or pointed to the proper place to download them? Thanks, Grant [EMAIL PROTECTED]
[IMGate] Postfix ver (official vs. experimental)
Does the latest official release (postfix-2.1.5) meet most people's needs here? Are there good reasons or features that warrant moving to postfix-2.2.x for a production server? Thx. -NB