Re: [Declude.JunkMail] Off topic - Ldap

2004-01-18 Thread Sanford Whiteman
> The  example  I am following uses LDAP://servername/ou=zzz,o=xxx) If
> Imail  isn't  using a tree structure, what would the ou and o be set
> to?

In your LDAP URL, try using the base

domainName=example.com

using your actual domain in place of example.com, of course.

IMail's LDAP server is extremely...idiosyncratic, shall we say?

--Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
http://www.mailmage.com/download/software/freeutils/SPAMC32/Release/

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


Re: [Declude.JunkMail] BONDEDSENDER, spam hit on Virtumundo

2004-01-18 Thread Cyan Callihan
I am on a RIM device, so I apologize in advance for not being able to address all of 
your issues immediately.

All abuse@ complaints are read by me and are not forwarded to the sender. 

The only case in which I would do this, is if you requested that I do so, or if you 
processed them through spamcop and selected boxes indicating that you wanted the 
message forwarded.

We do not show people detailed complaint information in the dashboard.  I will be 
happy to figure out a way to give you access so that you may see this yourself.

I urge you to send complaints.  This is the best way for us to tell that something is 
wrong with a bonded sender.

Also, I would be happy to provide anyone here my emergency contact information.  Let 
me know if you need it.  

Cyan

 -Original Message-
From:    Matt [mailto:[EMAIL PROTECTED]]
Sent:    Sun Jan 18 13:54:03 2004
To:      [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] BONDEDSENDER, spam hit on Virtumundo

Cyan,

Please forgive me for being brash here.  I will not use your abuse system because of 
the following reason:


http://www.bondedsender.com/commercial.jsp
Get real-time data on deliverability measures. Bonded Sender provides a free 
personalized dashboard to monitor your complaint levels and alert you if you have been 
added to one of the 15 most widely deployed blacklists. 



I do not want to participate in a system that will share my abuse reports with a known 
spam house.  I neither want to give Virtumundo the benefit of this knowledge, nor do I 
want to expose myself any more than I already have because spam houses have been known 
to seek retribution, regardless of how slim that possibility may be.

IronPort has something like 10,000 mail gateways in service from which you collect 
real-time data, much of this data is exposed through your SenderBase site, along with 
Google's newsgroup archives, and even Virtumundo's own site, it shouldn't take but a 
second to confirm the true nature of the company in question.  I will provide a zip of 
the full messages in private only if it is not to be shared with this client, though I 
can't imagine why that would be necessary.  My expectation here is that Bonded Sender 
should have all it needs without my involvement to do the right thing, and in the 
future, be more proactive in signing on clients of this sort.

Again, please excuse my tone, but what I am trying to do here is force a change by 
voicing my honest opinion in a public forum, for whatever effect that may have.  If 
others feel that I am wrong to do so, I would encourage them to voice their opinions 
as well.

Thanks,

Matt



Cyan Callihan wrote:

Please send all of your complaints about virtumundo to [EMAIL PROTECTED]

I will investigate.

Cyan

 -Original Message-
From:    Matt [mailto:[EMAIL PROTECTED]]
Sent:    Sun Jan 18 10:49:12 2004
To:      [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] BONDEDSENDER, spam hit on Virtumundo

Orin,

I found a total of 8 bonded messages from Virtumundo in my capture accounts in the 
last 5 days (all to the same user).  It's likely that some others were passed, or even 
deleted considering, so the total was probably 12-16 messages from this one source to 
this one user in all (passed entries were missed for two days).  Those IP's are as 
follows:

vl208-45.vmlocal.com [216.21.208.45] - Turn the email on your screen into a fax in their hand.
vl208-44.vmlocal.com [216.21.208.44] - Make your windows as pretty as the view.
vl208-52.vmlocal.com [216.21.208.52] - Too many shoes? Never heard of such a thing.
vl208-54.vmlocal.com [216.21.208.54] - Get help, and get out of debt.
vl208-67.vmlocal.com [216.21.208.67] - Answer all questions with a DNA test.
vl208-75.vmlocal.com [216.21.208.75] - When it comes to refinancing, there really is no time like the present.
vm208-78.adknow-net.com [216.21.208.78] - Low interest credit cards to get you back on your feet.
vm208-66.adknow-net.com [216.21.208.66] - Need student loan consolidation?

There's two things to note here; 1) the first 6 were held because I have a filter from 
Kami that tracked the REVDNS entry, but not the last two, 2) these are posted in order 
of being received, and they clearly were moving up their list of IP's in order to 
avoid detection, and then they changed their reverse DNS name as well (which worked in 
totality when bonded on my system).



My point really is that if Bonded Sender really cared about "guaranteed legitimate 
E-mail", they would have done 10 minutes of due diligence and figured out what 
Virtumundo really was before ever listing them in the first place.  The Bonded Sender 
site in fact reads like a brochure for bulk-mailers talking about how many systems 
they are whitelisted on, but they then turn around and protect companies like 
Virtumundo, either by design, or by a lack of quality control.  Either way, they need 
to seriously rethink their business strategy because if the

[Declude.JunkMail] Off topic - Ldap

2004-01-18 Thread Doug Anderson
I tried this on the normal Imail list with no answers, so I figured since
this list is more of the imail power users I'd try here

I'm trying to write a vb.net program to query the ldap and create 3
different files from it. One is a standard csv file, next is an ldif file
for importing into Win Addr Book, and 3rd is a format compatible to the
alias.txt file in users directories. This program runs nightly.

The problem I'm running into is you call Ldap : / / xx.xx.xx.xx /
ou=orgunit, o=org
(space intentional so I don't get a link)

Since Imail's ldap is flat not a tree, I'm not sure what to put for the part
ou=orgunit, o=org

Any ideas?




Re: [Declude.JunkMail] Whitelisted?

2004-01-18 Thread Joshua Levitsky



That's one of those Habeas header emails. Whitelisting them lately has
been a very bad idea. It's nice though that they always seem to mark
their spam with a low priority. I just sort by priority and I can select
all the offenders and forward them to spamcop.

--
Joshua Levitsky, MCSE, CISSP
System Engineer
Time Inc. Information Technology
[5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]

  - Original Message -
  From: Todd
  To: [EMAIL PROTECTED]
  Sent: Sunday, January 18, 2004 5:33 PM
  Subject: [Declude.JunkMail] Whitelisted?

  I have spam that is getting through.  The headers show Whitelisted (0).

  From: "Terrell Vann" <[EMAIL PROTECTED]>
  Reply-To: "Terrell Vann" <[EMAIL PROTECTED]>
  To: [EMAIL PROTECTED]
  Subject: LOw Cost Som@, X(a)[EMAIL PROTECTED], Valï(u)m, Viagr@ Di3t Pills Many M3ds kyrqbxh
  Date: Sun, 18 Jan 2004 10:26:02 +0500
  X-Mailer: PIPEX NetMail 2.2.0-pre13
  X-Declude-Sender: [EMAIL PROTECTED] [67.172.213.160]
  X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
  X-Spam-Tests-Failed: Whitelisted [0]
  X-Note: This E-mail was sent from c-67-172-213-160.client.comcast.net ([67.172.213.160]).

  I only have one Whitelist entry in my Declude config besides the default
  and I generally do not use whitelists.  Since I don't use them I'm not up
  on what may be causing this.

  WHITELIST   HABEAS
  WHITELIST   FROM   @i360.net

  Can anyone shed some light?

  Thanks,
  Todd Hunter


[Declude.JunkMail] Whitelisted?

2004-01-18 Thread Todd


I have spam that is getting through.  The headers show Whitelisted (0).

From: "Terrell Vann" <[EMAIL PROTECTED]>
Reply-To: "Terrell Vann" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: LOw Cost Som@, X(a)[EMAIL PROTECTED], Valï(u)m, Viagr@ Di3t Pills Many M3ds kyrqbxh
Date: Sun, 18 Jan 2004 10:26:02 +0500
X-Mailer: PIPEX NetMail 2.2.0-pre13
X-Declude-Sender: [EMAIL PROTECTED] [67.172.213.160]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: Whitelisted [0]
X-Note: This E-mail was sent from c-67-172-213-160.client.comcast.net ([67.172.213.160]).

I only have one Whitelist entry in my Declude config besides the
default and I generally do not use whitelists.  Since I
don't use them I'm not up on what may be causing this.

WHITELIST   HABEAS
WHITELIST   FROM   @i360.net

Can anyone shed some light?

Thanks,

Todd Hunter








Re: [Declude.JunkMail] BONDEDSENDER, spam hit on Virtumundo

2004-01-18 Thread Matt




Cyan,

Please forgive me for being brash here.  I will not use your abuse
system because of the following reason:
http://www.bondedsender.com/commercial.jsp
  Get real-time data on deliverability measures. Bonded Sender
provides a free personalized dashboard to monitor your complaint levels
and alert you if you have been added to one of the 15 most widely
deployed blacklists. 


I do not want to participate in a system that will share my abuse
reports with a known spam house.  I neither want to give Virtumundo the
benefit of this knowledge, nor do I want to expose myself any more than
I already have because spam houses have been known to seek retribution,
regardless of how slim that possibility may be.

IronPort has something like 10,000 mail gateways in service from which
you collect real-time data, much of this data is exposed through your
SenderBase site, along with Google's newsgroup archives, and even
Virtumundo's own site, it shouldn't take but a second to confirm the
true nature of the company in question.  I will provide a zip of the
full messages in private only if it is not to be shared with this
client, though I can't imagine why that would be necessary.  My
expectation here is that Bonded Sender should have all it needs without
my involvement to do the right thing, and in the future, be more
proactive in signing on clients of this sort.

Again, please excuse my tone, but what I am trying to do here is force
a change by voicing my honest opinion in a public forum, for whatever
effect that may have.  If others feel that I am wrong to do so, I would
encourage them to voice their opinions as well.

Thanks,

Matt



Cyan Callihan wrote:

  Please send all of your complaints about virtumundo to [EMAIL PROTECTED].

I will investigate.

Cyan

 -Original Message-
From: 	Matt [mailto:[EMAIL PROTECTED]]
Sent:	Sun Jan 18 10:49:12 2004
To:	[EMAIL PROTECTED]
Subject:	Re: [Declude.JunkMail] BONDEDSENDER, spam hit on Virtumundo

Orin,

I found a total of 8 bonded messages from Virtumundo in my capture accounts in the last 5 days (all to the same user).  It's likely that some others were passed, or even deleted considering, so the total was probably 12-16 messages from this one source to this one user in all (passed entries were missed for two days).  Those IP's are as follows:


vl208-45.vmlocal.com [216.21.208.45] - Turn the email on your screen into a fax in their hand.
vl208-44.vmlocal.com [216.21.208.44] - Make your windows as pretty as the view.
vl208-52.vmlocal.com [216.21.208.52] - Too many shoes? Never heard of such a thing.
vl208-54.vmlocal.com [216.21.208.54] - Get help, and get out of debt.
vl208-67.vmlocal.com [216.21.208.67] - Answer all questions with a DNA test.
vl208-75.vmlocal.com [216.21.208.75] - When it comes to refinancing, there really is no time like the present.
vm208-78.adknow-net.com [216.21.208.78] - Low interest credit cards to get you back on your feet.
vm208-66.adknow-net.com [216.21.208.66] - Need student loan consolidation?

There's two things to note here; 1) the first 6 were held because I have a filter from Kami that tracked the REVDNS entry, but not the last two, 2) these are posted in order of being received, and they clearly were moving up their list of IP's in order to avoid detection, and then they changed their reverse DNS name as well (which worked in totality when bonded on my system).

My point really is that if Bonded Sender really cared about "guaranteed legitimate E-mail", they would have done 10 minutes of due diligence and figured out what Virtumundo really was before ever listing them in the first place.  The Bonded Sender site in fact reads like a brochure for bulk-mailers talking about how many systems they are whitelisted on, but they then turn around and protect companies like Virtumundo, either by design, or by a lack of quality control.  Either way, they need to seriously rethink their business strategy because if they keep slipping up like this, they won't be able to claim any value to their paying customers.

Personally, I feel like I was scammed.  No big deal, it was easy enough to fix.  I might suggest that some consideration be made to Declude's default inclusion and/or weighting of this test (scored at -20 currently).

Matt



Orin Wells wrote:


Forgive me if this has been addressed before, but I would like to hear
from Cyan what the policy and procedures are for de-listing a Bonded
Sender when it is apparent they have disseminated spam. If I were running
the show I would not only de-list them immediately, but I would bar the
company from ever re-gaining certification under any name.

Of course it has to be investigated to make sure the origin had not been
spoofed to protect the innocent from false spamming charges.


Re: [Declude.JunkMail] BONDEDSENDER, spam hit on Virtumundo

2004-01-18 Thread Cyan Callihan
Please send all of your complaints about virtumundo to [EMAIL PROTECTED]

I will investigate.

Cyan

 -Original Message-
From:    Matt [mailto:[EMAIL PROTECTED]]
Sent:    Sun Jan 18 10:49:12 2004
To:      [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] BONDEDSENDER, spam hit on Virtumundo

Orin,

I found a total of 8 bonded messages from Virtumundo in my capture accounts in the 
last 5 days (all to the same user).  It's likely that some others were passed, or even 
deleted considering, so the total was probably 12-16 messages from this one source to 
this one user in all (passed entries were missed for two days).  Those IP's are as 
follows:


vl208-45.vmlocal.com [216.21.208.45] - Turn the email on your screen into a fax in 
their hand.
vl208-44.vmlocal.com [216.21.208.44] - Make your windows as pretty as the view.
vl208-52.vmlocal.com [216.21.208.52] - Too many shoes? Never heard of such a thing.
vl208-54.vmlocal.com [216.21.208.54] - Get help, and get out of debt.
vl208-67.vmlocal.com [216.21.208.67] - Answer all questions with a DNA test.
vl208-75.vmlocal.com [216.21.208.75] - When it comes to refinancing, there really is 
no time like the present.
vm208-78.adknow-net.com [216.21.208.78] - Low interest credit cards to get you back on 
your feet.
vm208-66.adknow-net.com [216.21.208.66] - Need student loan consolidation?

There's two things to note here; 1) the first 6 were held because I have a filter from 
Kami that tracked the REVDNS entry, but not the last two, 2) these are posted in order 
of being received, and they clearly were moving up their list of IP's in order to 
avoid detection, and then they changed their reverse DNS name as well (which worked in 
totality when bonded on my system).

My point really is that if Bonded Sender really cared about "guaranteed legitimate 
E-mail", they would have done 10 minutes of due diligence and figured out what 
Virtumundo really was before ever listing them in the first place.  The Bonded Sender 
site in fact reads like a brochure for bulk-mailers talking about how many systems 
they are whitelisted on, but they then turn around and protect companies like 
Virtumundo, either by design, or by a lack of quality control.  Either way, they need 
to seriously rethink their business strategy because if they keep slipping up like 
this, they won't be able to claim any value to their paying customers.

Personally, I feel like I was scammed.  No big deal, it was easy enough to fix.  I 
might suggest that some consideration be made to Declude's default inclusion and/or 
weighting of this test (scored at -20 currently).

Matt



Orin Wells wrote:


Forgive me if this has been addressed before, but I would like to hear
from Cyan what the policy and procedures are for de-listing a Bonded
Sender when it is apparent they have disseminated spam. If I were running
the show I would not only de-list them immediately, but I would bar the
company from ever re-gaining certification under any name.

Of course it has to be investigated to make sure the origin had not been
spoofed to protect the innocent from false spamming charges.






  


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=



Re: [Declude.JunkMail] BONDEDSENDER, spam hit on Virtumundo

2004-01-18 Thread Matt




Orin,

I found a total of 8 bonded messages from Virtumundo in my capture
accounts in the last 5 days (all to the same user).  It's likely that
some others were passed, or even deleted considering, so the total was
probably 12-16 messages from this one source to this one user in all
(passed entries were missed for two days).  Those IP's are as follows:

vl208-45.vmlocal.com [216.21.208.45] - Turn the email on your screen into a fax in their hand.
vl208-44.vmlocal.com [216.21.208.44] - Make your windows as pretty as the view.
vl208-52.vmlocal.com [216.21.208.52] - Too many shoes? Never heard of such a thing.
vl208-54.vmlocal.com [216.21.208.54] - Get help, and get out of debt.
vl208-67.vmlocal.com [216.21.208.67] - Answer all questions with a DNA test.
vl208-75.vmlocal.com [216.21.208.75] - When it comes to refinancing, there really is no time like the present.
vm208-78.adknow-net.com [216.21.208.78] - Low interest credit cards to get you back on your feet.
vm208-66.adknow-net.com [216.21.208.66] - Need student loan consolidation?

There's two things to note here; 1) the first 6 were held because I
have a filter from Kami that tracked the REVDNS entry, but not the last
two, 2) these are posted in order of being received, and they clearly
were moving up their list of IP's in order to avoid detection, and then
they changed their reverse DNS name as well (which worked in totality
when bonded on my system).

My point really is that if Bonded Sender really cared about "guaranteed
legitimate E-mail", they would have done 10 minutes of due diligence
and figured out what Virtumundo really was before ever listing them in
the first place.  The Bonded Sender site in fact reads like a brochure
for bulk-mailers talking about how many systems they are whitelisted
on, but they then turn around and protect companies like Virtumundo,
either by design, or by a lack of quality control.  Either way, they
need to seriously rethink their business strategy because if they keep
slipping up like this, they won't be able to claim any value to their
paying customers.

Personally, I feel like I was scammed.  No big deal, it was easy enough
to fix.  I might suggest that some consideration be made to Declude's
default inclusion and/or weighting of this test (scored at -20
currently).

Matt



Orin Wells wrote:

  Forgive me if this has been addressed before, but I would like to hear
from Cyan what the policy and procedures are for de-listing a Bonded
Sender when it is apparent they have disseminated spam. If I were running
the show I would not only de-list them immediately, but I would bar the
company from ever re-gaining certification under any name.

Of course it has to be investigated to make sure the origin had not been
spoofed to protect the innocent from false spamming charges.


  


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
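
The rotation described in the message above, as an added example that is not part of the original post: the eight hosts listed there are grouped by reverse-DNS domain and by enclosing network, showing that a filter keyed on the `vmlocal.com` REVDNS name holds only the first six while the shared network covers all eight. The function names, the /24 grouping and the thresholds are assumptions made for this illustration, not Declude or Kami filter syntax.

```python
import ipaddress
import re
from collections import defaultdict

# Host/IP pairs exactly as listed in the message above, in order received.
SIGHTINGS = """\
vl208-45.vmlocal.com [216.21.208.45]
vl208-44.vmlocal.com [216.21.208.44]
vl208-52.vmlocal.com [216.21.208.52]
vl208-54.vmlocal.com [216.21.208.54]
vl208-67.vmlocal.com [216.21.208.67]
vl208-75.vmlocal.com [216.21.208.75]
vm208-78.adknow-net.com [216.21.208.78]
vm208-66.adknow-net.com [216.21.208.66]
"""

LINE_RE = re.compile(r"^(?P<host>\S+)\s+\[(?P<ip>[0-9.]+)\]")


def parse_sightings(text):
    """Return [(rdns_host, IPv4Address), ...], skipping malformed lines."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            ip = ipaddress.IPv4Address(m.group("ip"))
        except ipaddress.AddressValueError:
            continue
        out.append((m.group("host").lower().rstrip("."), ip))
    return out


def rdns_domain(host):
    """Last two labels of the PTR name (naive; adequate for the .com names here)."""
    return ".".join(host.split(".")[-2:])


def held_by_rdns_filter(sightings, blocked_domain):
    """Sightings that a filter matching on the rDNS suffix would hold."""
    suffix = "." + blocked_domain
    return [s for s in sightings if s[0] == blocked_domain or s[0].endswith(suffix)]


def cluster_by_network(sightings, prefix=24):
    """Map each enclosing network to the sender IPs and PTR domains seen in it."""
    clusters = defaultdict(lambda: {"ips": set(), "domains": set()})
    for host, ip in sightings:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        clusters[net]["ips"].add(ip)
        clusters[net]["domains"].add(rdns_domain(host))
    return dict(clusters)


def rotating_networks(sightings, prefix=24, min_ips=3):
    """Networks with several distinct sender IPs and more than one PTR domain:
    the pattern of a sender walking its address block and renaming hosts."""
    flagged = []
    for net, info in cluster_by_network(sightings, prefix).items():
        if len(info["ips"]) >= min_ips and len(info["domains"]) > 1:
            flagged.append((str(net), len(info["ips"]), sorted(info["domains"])))
    return flagged


if __name__ == "__main__":
    seen = parse_sightings(SIGHTINGS)
    held = held_by_rdns_filter(seen, "vmlocal.com")
    print(f"held by rDNS filter: {len(held)} of {len(seen)}")
    for net, count, domains in rotating_networks(seen):
        print(f"{net}: {count} IPs, PTR domains {domains}")
```

A PTR name is set by whoever controls the address block, so a filter keyed only on it stops matching as soon as the name changes, while the network the mail arrives from stays the same.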




[Declude.JunkMail] Joe-jobs and nobody aliases (again)

2004-01-18 Thread Matt
I made a determination last week that joe-jobs present a much bigger 
problem currently than dictionary attacks on my system, and soon I will 
be gatewaying off of a different machine which should solve the 
dictionary attack problem anyway (by accepting all messages).  Because 
of this, I have been removing all of the nobody aliases for the domains 
that I host, though some of course are taking a little extra time 
because we're not totally sure what advertised addresses might have been 
used in some cases, or what dead accounts were being captured in this 
way as opposed to setting them up as aliases and redirected somewhere.

Last week one client that still had nobody active received about 150 
bounce messages from AOL to addresses that didn't exist on this local 
domain (randomized).  AOL wasn't bouncing any content which could be 
scored, and every last one of these messages landed in the manager's 
account.  Obviously this was a big problem and as soon as we became 
aware of it, we got rid of the nobody alias.  This fixed their immediate 
problem, though it doesn't fix problems where the address is forged to 
be a real account (there's a mix of this going on).

I've also just started building some spamtraps on some unused domains 
that I own.  One account that I created last night is being used 
exclusively to unsubscribe to garbage that I get in a Web mail account 
of mine as well as subscribing to contest sites.  To my astonishment, 
within 12 hours of creating this account, someone joe-jobbed it in a 
piece of spam sent to some account that didn't exist, and it was clearly 
spam that was sent with this from address.  There is no way that this 
account was randomly guessed.

The preventive actions that I'm taking to help protect from such things 
besides removing the nobody alias is to create a filter that checks for 
the null sender.  I'm capturing all hits to this filter and I am also 
scoring it at 50% of my fail weight, though that may rise.  I figure 
that the bounces that contain spam content will have an easier time 
getting held, and for the most part, bounce messages are only failing 
CMDSPACE, so this isn't stopping messages that don't contain spam 
content (so far).

There was a suggestion by someone that a system be made that tracked 
repeated bounces, such as the AOL one described above.  I feel that this 
may be the best way long term to maintain bounce functionality in the 
face of a problem that will likely get much worse over time.  For now at 
least, the issue is mostly mitigated since most such things utilize fake 
users on joe-jobbed domains.

Matt

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
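
One way to build the repeated-bounce tracker suggested in the message above, as an added example that is not part of the original post: it counts null-sender (`<>`) deliveries per relay and local domain inside a sliding window and holds a burst aimed at addresses that do not exist locally, which is the shape of the AOL incident described. The log record layout, account names, thresholds and function names are assumptions for illustration, not Declude or IMail formats.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical local accounts; any other address at the domain is one that a
# "nobody" alias would have caught.
VALID_RCPTS = {"manager@example.com", "sales@example.com"}


def parse_record(line):
    """Parse 'ISO-timestamp relay-host mail-from rcpt-to' (constructed format)."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    return ts, parts[1].lower(), parts[2], parts[3].lower()


class BounceTracker:
    """Sliding-window count of null-sender mail to unknown local recipients."""

    def __init__(self, window=timedelta(minutes=30), threshold=5):
        self.window = window
        self.threshold = threshold
        self.events = defaultdict(deque)   # (relay, rcpt domain) -> timestamps

    def observe(self, ts, relay, mail_from, rcpt):
        """Return 'accept', 'score' or 'hold' for one delivery."""
        if mail_from != "<>":
            return "accept"                # not a bounce; out of scope here
        if rcpt in VALID_RCPTS:
            return "score"                 # real user: add weight, never drop
        key = (relay, rcpt.rsplit("@", 1)[-1])
        q = self.events[key]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()                    # expire events outside the window
        return "hold" if len(q) >= self.threshold else "score"


def replay(lines, tracker):
    """Run log lines through the tracker and return the verdict counts."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            counts["unparsed"] += 1
            continue
        counts[tracker.observe(*rec)] += 1
    return dict(counts)


def constructed_log():
    """Constructed sample: 8 bounces to random users, 1 to a real user,
    1 ordinary message and 1 malformed line."""
    base = datetime(2004, 1, 12, 9, 0, 0)
    lines = []
    for i in range(8):
        ts = (base + timedelta(minutes=i)).strftime("%Y-%m-%dT%H:%M:%S")
        lines.append(f"{ts} relay.isp.example <> xq{i}zt@example.com")
    lines.append("2004-01-12T09:10:00 relay.isp.example <> manager@example.com")
    lines.append("2004-01-12T09:11:00 mx.partner.example bob@partner.example sales@example.com")
    lines.append("garbage line")
    return lines


if __name__ == "__main__":
    print(replay(constructed_log(), BounceTracker()))
```

Bounces to real accounts are only scored here, matching the partial-weight null-sender filter in the message, because a legitimate delivery failure notice looks identical at the envelope level.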