RE: [Declude.JunkMail] **OT** Intrusion Detection Software

2004-02-04 Thread Jim Priest
http://www.snort.org/ Jim -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sharyn Schmidt Subject: [Declude.JunkMail] **OT** Intrusion Detection Software I have been asked to research Intrusion Detection Software. Anyone have any suggestions? Sharyn

Re: [Declude.JunkMail] **OT** Intrusion Detection Software

2004-02-04 Thread DLAnalyzer Support
Snort... darrell Sharyn Schmidt writes: I have been asked to research Intrusion Detection Software. I have done a Google search, but most of what I see is an actual appliance. All I am looking for is software that will notify me when something suspicious attempts to hit our network.

RE: [Declude.JunkMail] **OT** Intrusion Detection Software

2004-02-04 Thread Sharyn Schmidt
http://www.snort.org/ Thanks! Checking it out as we speak. Sharyn

Re: [Declude.JunkMail] [IMail Forum] Continuous statistical filter updates?

2004-02-04 Thread Nick Hayer
Thread originally from IMail list. Scott - others regarding SpamAssassin In your opinion: Correct. That's why for statistical filtering to be effective, you need to have very small groups that receive similar E-mails. Ideally, each user will have their own statistical database. If not,

[Declude.JunkMail] Option Request

2004-02-04 Thread Keith Johnson
Is it possible that in a Store/Forward scenario that when a WEIGHT20 test is reached to insert a X-Note in the Header, much like we take action with RouteTo or Mailbox? Thanks, Keith --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from

RE: [Declude.JunkMail] **OT** Intrusion Detection Software

2004-02-04 Thread Michael Jaworski
Anyone rig Win version of Snort to work with Declude for dictionary attacks??? To flag an IP with a dictionary attack profile and let Declude or iMail refuse the traffic for a period of time. We have one domain with just 350 e-mail accounts being pounded daily with

RE: [Declude.JunkMail] Option Request

2004-02-04 Thread John Tolmachoff (Lists)
Use the action of WARN. John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Keith Johnson Sent: Wednesday, February 04, 2004 8:16 AM To: [EMAIL PROTECTED] Subject:

[Declude.JunkMail] Is DRCI Inc. a spamhouse?

2004-02-04 Thread Darin Cox
Anyone know anything about DRCI Inc. (www.drci.us)? I have a hosting customer who signed up with them (without my knowledge) to send out a mailing to a supposedly opt-in list. The test emails looked pretty suspicious with the two-domain pattern (tin*eil*.com and getgre*atstuff*.com ...

RE: [Declude.JunkMail] Option Request

2004-02-04 Thread Keith Johnson
John, Can this WARN have a specific custom Header line only applied to this domain? Keith -Original Message- From: John Tolmachoff (Lists) [mailto:[EMAIL PROTECTED] Sent: Wednesday, February 04, 2004 11:45 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] Option Request

[Declude.JunkMail] OT? Best Plattform?

2004-02-04 Thread Hirthe, Alexander
Hello, what is the better platform for Imail / Declude? Windows 2000 or Windows 2003? Just Imail Declude, Spamcheck, AVG, F-Prot. Alex

RE: [Declude.JunkMail] [IMail Forum] Continuous statistical filter updates?

2004-02-04 Thread Colbeck, Andrew
It is more precise to say that Bayesian filters are best suited to individual mailboxes, and on the opposite scale they are not effective when the message base is random. Bayesian filters need to be trained, and for that you need a corpus of messages that is spam and another that is ham. The

Re: [Declude.JunkMail] Is DRCI Inc. a spamhouse?

2004-02-04 Thread Matt
Darin, This company is actually a front for Pexicom which is currently one of the highest volume spammers around. If you reverse DNS query this address and the others around it, you will find the standard Pexicom results where it returns two name servers and then 6 sequentially numbered mail

Re: [Declude.JunkMail] OT? Best Plattform?

2004-02-04 Thread Matt
2000. The newer version is hardly mature, and it appears that just like XP made the 2000 core unstable, 2003 also repeats many of the same mistakes. 2003 is of course fancier, but the apps you are looking to use make little use of what the newer version might provide. Matt Hirthe, Alexander

RE: [Declude.JunkMail] Option Request

2004-02-04 Thread Keith Johnson
John, Thanks again, found it in the manual. Thanks for your time. Keith -Original Message- From: Keith Johnson Sent: Wednesday, February 04, 2004 12:02 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] Option Request John, Can this WARN have a specific custom

[Declude.JunkMail] How to Block overseas domains

2004-02-04 Thread Kyle Fisher
Does any one know how to block overseas domains? Like UK, DE, NL etc Thanks Kyle

RE: [Declude.JunkMail] [IMail Forum] Continuous statistical filter updates?

2004-02-04 Thread Nick Hayer
Thanks Andrew - Nick From: Colbeck, Andrew [EMAIL PROTECTED] To: '[EMAIL PROTECTED]' [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] [IMail Forum] Continuous statistical filter updates? Date sent: Wed, 4 Feb 2004

Re: [Declude.JunkMail] Is DRCI Inc. a spamhouse?

2004-02-04 Thread Darin Cox
Thanks, Matt. I had followed the links to see the link to Pexicom and the large IP blocks. Hadn't checked Senderbase yet, though. Also, thanks for the insight into SBL. I guess a flip side of the question might be... are there any legit, truly opt-in, commercial bulk mailers out there? You

[Declude.JunkMail] Mailfrom?

2004-02-04 Thread Kami Razvan
Hi; Should this not have triggered Mailfrom.. look at the email used: X-Note: SMTP Sender: ben.@aol.com Kami == Date: Wed, 4 Feb 2004 07:54:02 + Message-ID: [EMAIL PROTECTED] From: Carmelita Hipolito[EMAIL PROTECTED] To:

Re: [Declude.JunkMail] Mailfrom?

2004-02-04 Thread R. Scott Perry
Should this not have triggered Mailfrom.. No. look at the email used: X-Note: SMTP Sender: ben.@aol.com aol.com is a valid domain with an MX record, so it passes the MAILFROM test. -Scott --- Declude JunkMail: The advanced anti-spam solution

Re: [Declude.JunkMail] Is DRCI Inc. a spamhouse?

2004-02-04 Thread Matt
For every 1 legit company, there are probably 100 illegit ones. DRCI makes no bones about it on their home page: "Data Resource Consulting, (DRC) provides leads, permission based e-mail list rentals and accompanying marketing strategies to both the off-line and online direct marketing

RE: [Declude.JunkMail] How to Block overseas domains

2004-02-04 Thread Markus Gufler
Please don't forget .it domains. So I can't write or reply anymore to anyone into your education center. My opinion: Never block for a single test result. With Declude Junkmail Pro you can create a filter file and add lines like COUNTRIES 5 CONTAINS it This will add 5 points to any message

[Declude.JunkMail] Off topic - iis, web servers and txt files

2004-02-04 Thread Doug Anderson
Ok, I'm running IIS 5.0 on my imail server. I've written a program to read the ldap and create a ldif file. I put the ldif file (xxx.ldif) in a sub directory on the web server and when I put a link to it, it displays it directly in the browser. I want it to download, not display as text.

RE: [Declude.JunkMail] Off topic - iis, web servers and txt files

2004-02-04 Thread Kevin Bilbee
In Internet Explorer right click your link and choose "Save Target As" Kevin Bilbee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Doug Anderson Sent: Wednesday, February 04, 2004 11:06 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail]

Re: [Declude.JunkMail] Off topic - iis, web servers and txt files

2004-02-04 Thread Doug Anderson
That's what I'm trying to get away from. Actually have it pop up to open or download. My users have problems understanding right click. Plus I'm rewriting it so that have to enter username and password to get to the link. - Original Message - From: Kevin Bilbee To: [EMAIL

Re: [Declude.JunkMail] Off topic - iis, web servers and txt files

2004-02-04 Thread Matt
Change the MIME type in IIS to something that isn't text or otherwise displayable in the browser window. I would guess that choosing an application type would be best, and on your own system, make sure that you don't set up something like a text application to automatically open the extension.

RE: [Declude.JunkMail] Off topic - iis, web servers and txt files

2004-02-04 Thread Omar K.
Mess around with the mime maps for your IIS server, define that file extension as anything other than clear-text, I think that will tell the browser to treat it as an attachment and not open it up in the browser. -Original Message- From: [EMAIL PROTECTED]

Re: [Declude.JunkMail] Off topic - iis, web servers and txt files

2004-02-04 Thread Dave Doherty
Doug- This sounds like it could be solved by setting up a custom MIME type for .ldif files. If a MIME type is not present, the browser resorts to plain text. I don't have a clue what you would change it to, however. -Dave Doherty Skywaves, Inc. - Original Message - From:

RE: [Declude.JunkMail] Mailfrom?

2004-02-04 Thread Kami Razvan
Hi Scott: Thanks ... A while back I was suggesting a simple test that can at least validate the format of the sender email. This is a perfect example.. This email is not valid and although it failed a lot of other tests but it should also be easy to add more weight to wrong addresses. Of

RE: [Declude.JunkMail] Off topic - iis, web servers and txt files

2004-02-04 Thread Kevin Bilbee
That is default behavior for Internet Explorer. To display a text file. You could zip it on the server side so when they click the link it asks them to download the zip file. Or if I actually answer your original post You could add your own mime type for your .ldif. If the browser

RE: [Declude.JunkMail] OT? Best Plattform?

2004-02-04 Thread Mark Smith
2003. It's MUCH more secure than 2000 because many services are not enabled by default which is the case in 2000. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Wednesday, February 04, 2004 12:24 PM To: [EMAIL PROTECTED] Subject: Re:

Re[2]: [Declude.JunkMail] Mailfrom?

2004-02-04 Thread Sanford Whiteman
Of course if there is an RFC addendum that says ben.@aol.com is a valid email then my argument is totally off base. It's valid but extremely uncommon to have quotes in an address (used for escaping by definition), and periods are also allowed. A legitimate address that ends in a

Re: [Declude.JunkMail] Mailfrom?

2004-02-04 Thread Matt
Kami, If you start mixing different tests for MAILFROM, then you run the risk of weakening the test. While this was spam, I could see a user making a mistake like this by putting information in the wrong fields. You have Web forms, just take a look at what the typical bonehead AOL user

RE: [Declude.JunkMail] OT? Best Plattform?

2004-02-04 Thread Jonathan
I don't think that makes it more secure, I think that means the admin is allowed to be more lazy. With regards to using 2k3 vs 2k as a mail server, I don't really think security is a huge concern. You should be locking down ntfs on either platform, you shouldn't need any services except the

[Declude.JunkMail] Log Error

2004-02-04 Thread Keith Johnson
I received the following error in the log file and subsequently the email did not ROUTETO although it was listed on the WEIGHT20 line, it went on to the main mailbox of the customer un-routed. Is there any reason for the Error? I checked the log and only had one other instance of this for the

Re: [Declude.JunkMail] OT? Best Plattform?

2004-02-04 Thread Matt
Anyone that runs a server that sits on the Internet should go through the various services and shut them down when unnecessary, regardless of whether or not they might present a security issue. Firewalling the unnecessary ports is also a fabulous idea as well as other security measures like

[Declude.JunkMail] Distributed Dictionary Attack

2004-02-04 Thread Dave Doherty
Hi, everyone- I've seen dictionary attacks before, but this one is impressive! I have a customer who has eight email addresses and some aliases on his single domain. We have an ongoing problem with a distributed dictionary attack against this domain, and I'm talking a serious attack here -

Re: [Declude.JunkMail] Log Error

2004-02-04 Thread Matt
Maybe I'm missing something, but why is IMail handing Declude a file named with an underscore and tilde? This is a locked file according to Ipswitch. Naturally this might be standard for IMail and Declude, but I thought the full and unmodified name/file was used??? Matt Keith Johnson

Re: [Declude.JunkMail] OT: Domain Registrar recommendation

2004-02-04 Thread Dan Geiser
Keith, I have been working with BulkRegister for over 18 months and have seen no indication that they support spammers. Dan Geiser [EMAIL PROTECTED] - Original Message - From: Keith Anderson [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Saturday, January 31, 2004 12:33 PM Subject: RE:

Re: [Declude.JunkMail] Distributed Dictionary Attack

2004-02-04 Thread Matt
Dave, I've noticed that on my box with only about 60 domains, there's several distributed dictionary attacks every day. They seem to be controlled from a central location because the order is roughly the same across the different IP addresses they use. Mine have been spaced out and fairly low

Re: [Declude.JunkMail] Distributed Dictionary Attack

2004-02-04 Thread R. Scott Perry
I've seen dictionary attacks before, but this one is impressive! I have a customer who has eight email addresses and some aliases on his single domain. We have an ongoing problem with a distributed dictionary attack against this domain, and I'm talking a serious attack here - over half a

Re: [Declude.JunkMail] Log Error

2004-02-04 Thread R. Scott Perry
Maybe I'm missing something, but why is IMail handing Declude a file named with an underscore and tilde? This is a locked file according to Ipswitch. Naturally this might be standard for IMail and Declude, but I thought the full and unmodified name/file was used??? That is normally the case,

RE: [Declude.JunkMail] Log Error

2004-02-04 Thread R. Scott Perry
I am running 8.05hf1 and the 1.77beta of Declude (no interims). I just needed to give an explanation to one of our customers on this. There isn't an easy explanation. What I can give you is the very technical answer: Declude went to access the (locked) recipient file, but Windows

RE: [Declude.JunkMail] Log Error

2004-02-04 Thread Keith Johnson
Scott, Thanks for your aid, it is always appreciated. I passed a similar explanation on to our customer. I'll watch our logs for any patterns. Keith -Original Message- From: R. Scott Perry [mailto:[EMAIL PROTECTED] Sent: Wednesday, February 04, 2004 6:27 PM To: [EMAIL

Re: [Declude.JunkMail] Off topic - iis, web servers and txt files

2004-02-04 Thread Doug Anderson
I tried mime types for the "web site" and that wasn't working. One of the emails mentioned the onlineworkshop...I forgot about setting it for all of IIS. Now it downloads. Thanks for all the help! Soon to be published...ldaplst - an ldap reader / file creator. I'll post it

Re: [Declude.JunkMail] Distributed Dictionary Attack

2004-02-04 Thread Matt
R. Scott Perry wrote: What surprises me is that law enforcement agencies haven't gone after perhaps a few dozen compromised servers, run a packet sniffer, and checked to see what IP(s) are controlling the compromised servers. The reason is probably because these machines are generally

[Declude.JunkMail] **OT** Intrusion Detection Software

2004-02-04 Thread Sharyn Schmidt
I have been asked to research Intrusion Detection Software. I have done a Google search, but most of what I see is an actual appliance. All I am looking for is software that will notify me when something suspicious attempts to hit our network.

Re: [Declude.JunkMail] **OT** Intrusion Detection Software

2004-02-04 Thread Russ Uhte (Lists)
At 10:02 AM 2/4/2004, Sharyn Schmidt wrote: I have been asked to research Intrusion Detection Software. I have done a Google search, but most of what I see is an actual appliance. All I am looking for is software that will notify me when something suspicious attempts to hit our network.

RE: [Declude.JunkMail] [Declude.Virus] **OT** Intrusion Detection Software

2004-02-04 Thread Sharyn Schmidt
I can also recommend snort. There is a full windows version put out by Engagesecurity.com The product is called EagleX and is a single install of all needed components for Snort to operate on a Windows platform. For those of you running Snort, please give me what

Re: [Declude.JunkMail] Slightly OT: calculating bandwidth

2004-02-04 Thread Doug Anderson
Do you have read access to the router's snmp community? If you do, MRTG gives some great stats - Original Message - From: Omar K. [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, February 04, 2004 9:26 PM Subject: [Declude.JunkMail] Slightly OT: calculating bandwidth Hello

Re: [Declude.JunkMail] Distributed Dictionary Attack

2004-02-04 Thread Dave Doherty
The interesting thing about these messages is that the ones I've seen generally don't have multi-hop trails. They look like a zombie connecting directly to the mail server. The blocklists are great, but at that volume, I can't run Declude on the messages without killing the server. So I seem to

RE: [Declude.JunkMail] Distributed Dictionary Attack

2004-02-04 Thread Jason
Try running Black ICE on the server. It does a pretty decent job of auto blocking dictionary attacks. We have it set to close and block a connection after 6 invalid users from an ip in 30 seconds Jason -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of

Re[2]: [Declude.JunkMail] Distributed Dictionary Attack

2004-02-04 Thread Sanford Whiteman
The blocklists are great, but at that volume, I can't run Declude on the messages without killing the server. Why would you ever run Declude on messages for unknown users? Even considering that as an option makes me cringe. --Sandy Sanford

Re: [Declude.JunkMail] Distributed Dictionary Attack

2004-02-04 Thread Matt
My own experience, and what appears to be David's, is that this stuff doesn't generally come in waves from just one machine. Collecting the IP's might be useful for blacklisting at a router level, but the list would be very long. Like Scott said earlier, this probably is just a spammer using

Re: Re[2]: [Declude.JunkMail] Distributed Dictionary Attack

2004-02-04 Thread Dave Doherty
Hi Sandy- Somebody suggested using SBL or one of the blacklists, I forget which. I'm looking at ways to do that without involving the mail server. -Dave - Original Message - From: Sanford Whiteman [EMAIL PROTECTED] To: Dave Doherty [EMAIL PROTECTED] Sent: Thursday, February 05, 2004

Re: [Declude.JunkMail] Distributed Dictionary Attack

2004-02-04 Thread Dave Doherty
That sounds like a great idea, Jason. Do you think it will stand up to this volume? -d - Original Message - From: Jason [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, February 05, 2004 12:09 AM Subject: RE: [Declude.JunkMail] Distributed Dictionary Attack Try running Black

[Declude.JunkMail] IPNOTINMX, NOLEGITCONTENT

2004-02-04 Thread Robert Shubert
I recently turned on the IPNOTINMX and NOLEGITCONTENT filters to see how they work. They seem to do more harm than good, for instance I weight 10 SPAMCOP since that service works well for me, but these filters lowered the weight so that spamcop (only) spams get through. I do understand that they