RE: [Declude.JunkMail] **OT** Intrusion Detection Software
http://www.snort.org/ Jim -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sharyn Schmidt Subject: [Declude.JunkMail] **OT** Intrusion Detection Software I have been asked to research Intrusion Detection Software. Anyone have any suggestions? Sharyn --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] **OT** Intrusion Detection Software
Snort... darrell Sharyn Schmidt writes: I have been asked to research Intrusion Detection Software. I have done a Google search, but most of what I see is an actual appliance. All I am looking for is software that will notify me when something suspicious attempts to hit our network. Anyone have any suggestions? Sharyn Check Out DLAnalyzer a comprehensive reporting tool for Declude Junkmail Logs - http://www.dlanalyzer.com
RE: [Declude.JunkMail] **OT** Intrusion Detection Software
http://www.snort.org/ Thanks! Checking it out as we speak. Sharyn We are the worldwide producer and marketer of the award winning Cruzan Single Barrel Rum, judged Best in the World at the annual San Francisco Wine and Spirits Championships. For more information, please click (go to) www.cruzanrums.com
Re: [Declude.JunkMail] [IMail Forum] Continuous statistical filter updates?
thread originally from IMail list Scott - others regarding SpamAssassin In your opinion: Correct. That's why for statistical filtering to be effective, you need to have very small groups that receive similar E-mails. Ideally, each user will have their own statistical database. If not, per-domain can sometimes be acceptable. Server-wide statistical databases fare worse. I have Bayesian filtering enabled on Sandy's implementation of SpamAssassin server wide. Am I just wasting cpu cycles/decreasing SA effectiveness by including this? Thanks -Nick Hayer
[Declude.JunkMail] Option Request
Is it possible that in a Store/Forward scenario that when a WEIGHT20 test is reached to insert an X-Note in the Header, much like we take action with RouteTo or Mailbox? Thanks, Keith
RE: [Declude.JunkMail] **OT** Intrusion Detection Software
Anyone rig Win version of Snort to work with Declude for dictionary attacks??? To flag an IP with a dictionary attack profile and let Declude or iMail refuse the traffic for a period of time. We have one domain with just 350 e-mail accounts being pounded daily with dictionary attacks by different sources resulting in about 10k spam messages. Even though they are often listed in Spamcop or ORDB each message still needs to be processed. Michael Jaworski Puget Sound Network, Inc. (206)217-0400 (800)599-9485
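An added example (not part of the original message, and not a Snort rule or a Declude/IMail setting) of the mechanism asked about above: count unknown-recipient rejections per sending IP in a sliding window and refuse that IP for a fixed period once the count fits a dictionary-attack profile. The log format, thresholds, addresses and all names are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a made-up format (not IMail's or Snort's):
# date time client-ip RCPT recipient smtp-reply-code
SAMPLE_LOG = """\
2004-02-04 08:00:01 203.0.113.5 RCPT aaron@example.com 550
2004-02-04 08:00:02 203.0.113.5 RCPT abby@example.com 550
2004-02-04 08:00:02 198.51.100.7 RCPT sales@example.com 250
2004-02-04 08:00:03 203.0.113.5 RCPT adam@example.com 550
2004-02-04 08:00:04 203.0.113.5 RCPT alan@example.com 550
2004-02-04 08:00:05 203.0.113.5 RCPT alex@example.com 550
2004-02-04 08:00:06 203.0.113.5 RCPT alice@example.com 550
2004-02-04 08:00:07 198.51.100.7 RCPT slaes@example.com 550
2004-02-04 08:10:00 203.0.113.5 RCPT amy@example.com 550
2004-02-04 08:45:00 203.0.113.5 RCPT sales@example.com 250
"""


def parse(line):
    """Split one constructed log line into (timestamp, ip, recipient, code)."""
    date, clock, ip, _verb, rcpt, code = line.split()
    ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
    return ts, ip, rcpt.lower(), int(code)


class DictionaryAttackDetector:
    """Flags an IP that hits many distinct unknown recipients in a short window."""

    def __init__(self, max_unknown=5, window=timedelta(seconds=60),
                 block_for=timedelta(minutes=30)):
        self.max_unknown = max_unknown      # distinct unknown recipients tolerated
        self.window = window                # sliding window for counting them
        self.block_for = block_for          # how long the IP is refused
        self.recent = defaultdict(deque)    # ip -> deque of (ts, rcpt) rejections
        self.blocked_until = {}             # ip -> expiry of the current block
        self.blocks = []                    # audit trail of (ip, expiry)

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is not None and now < until:
            return True
        self.blocked_until.pop(ip, None)    # block expired, forget it
        return False

    def observe(self, ts, ip, rcpt, code):
        """Return 'refuse' (already blocked), 'block' (just flagged) or 'ok'."""
        if self.is_blocked(ip, ts):
            return "refuse"
        if code != 550:                     # only unknown-recipient replies count
            return "ok"
        q = self.recent[ip]
        q.append((ts, rcpt))
        while q and ts - q[0][0] > self.window:
            q.popleft()                     # drop rejections outside the window
        if len({r for _, r in q}) >= self.max_unknown:
            until = ts + self.block_for
            self.blocked_until[ip] = until
            self.blocks.append((ip, until))
            q.clear()
            return "block"
        return "ok"


def run(log_text, **kwargs):
    """Replay a log through a fresh detector; return (actions, blocks)."""
    det = DictionaryAttackDetector(**kwargs)
    actions = [det.observe(*parse(line))
               for line in log_text.splitlines() if line.strip()]
    return actions, det.blocks


if __name__ == "__main__":
    actions, blocks = run(SAMPLE_LOG)
    for line, action in zip(SAMPLE_LOG.splitlines(), actions):
        print(f"{action:7s} {line}")
    print(blocks)
```

The sender with a single mistyped recipient stays under the threshold, and the flagged IP is accepted again once its block has expired.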
RE: [Declude.JunkMail] Option Request
Use the action of WARN. John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Keith Johnson Sent: Wednesday, February 04, 2004 8:16 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Option Request Is it possible that in a Store/Forward scenario that when a WEIGHT20 test is reached to insert an X-Note in the Header, much like we take action with RouteTo or Mailbox? Thanks, Keith
[Declude.JunkMail] Is DRCI Inc. a spamhouse?
Anyone know anything about DRCI Inc. (www.drci.us)? I have a hosting customer who signed up with them (without my knowledge) to send out a mailing to a supposedly opt-in list. The test emails looked pretty suspicious with the two-domain pattern (tin*eil*.com and getgre*atstuff*.com ... asterisks added in case of filter triggers) we've seen recently, and the sending address (mail1.mrlchm.com [64.124.100.148]) is listed in SBL and SORBS-SPAM. Also, the initial response I got from them when I mentioned they were in some of the major lists was "tell me which domains were listed...we can switch those". They didn't understand it wasn't the domains in the HTML, but the sender IP, so I didn't bother explaining, but even more red flags went up. Thoughts? Darin.
RE: [Declude.JunkMail] Option Request
John, Can this WARN have a specific custom Header line only applied to this domain? Keith -Original Message- From: John Tolmachoff (Lists) [mailto:[EMAIL PROTECTED] Sent: Wednesday, February 04, 2004 11:45 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] Option Request Use the action of WARN. John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Keith Johnson Sent: Wednesday, February 04, 2004 8:16 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Option Request Is it possible that in a Store/Forward scenario that when a WEIGHT20 test is reached to insert an X-Note in the Header, much like we take action with RouteTo or Mailbox? Thanks, Keith
[Declude.JunkMail] OT? Best Platform?
Hello, what is the better platform for Imail / Declude? Windows 2000 or Windows 2003? Just Imail Declude, Spamcheck, AVG, F-Prot. Alex
RE: [Declude.JunkMail] [IMail Forum] Continuous statistical filter updates?
It is more precise to say that Bayesian filters are best suited to individual mailboxes, and on the opposite scale they are not effective when the message base is random. Bayesian filters need to be trained, and for that you need a corpus of messages that is spam and another that is ham. The better the training, the better the result, and the reverse is true: garbage in, garbage out. Likewise, you need something or someone to keep feeding the algorithm: what were the false positives and what were the false negatives. This makes Bayes ideal for a single user yet makes it poorly suited to an ISP. If you want to implement Bayes for a corporation, you will do better, because more messages will be on topic and more and more we are all receiving similar spam. The catch is in training. You may find that Bayes is not worth using, but that the filters in SpamAssassin are worth keeping. Andrew 8) -Original Message- From: Nick Hayer [mailto:[EMAIL PROTECTED] Sent: Wednesday, February 04, 2004 8:05 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] [IMail Forum] Continuous statistical filter updates? thread originally from IMail list Scott - others regarding SpamAssassin In your opinion: Correct. That's why for statistical filtering to be effective, you need to have very small groups that receive similar E-mails. Ideally, each user will have their own statistical database. If not, per-domain can sometimes be acceptable. Server-wide statistical databases fare worse. I have Bayesian filtering enabled on Sandy's implementation of SpamAssassin server wide. Am I just wasting cpu cycles/decreasing SA effectiveness by including this? Thanks -Nick Hayer
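An added example (not from the thread, and not SpamAssassin's Bayes code) of the per-mailbox versus server-wide point made in the message above: a minimal naive Bayes token filter trained on constructed corpora for two hypothetical mailboxes, then on the pooled mail, and asked to score the same message. The class, the corpora and the test message are assumptions made up for illustration.

```python
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z0-9']+")


def tokens(text):
    return TOKEN.findall(text.lower())


class BayesFilter:
    """Minimal multinomial naive Bayes with add-one smoothing (illustrative only)."""

    def __init__(self):
        self.counts = {True: Counter(), False: Counter()}  # is_spam -> token counts
        self.docs = {True: 0, False: 0}                    # is_spam -> messages seen

    def train(self, text, is_spam):
        self.counts[is_spam].update(tokens(text))
        self.docs[is_spam] += 1

    def spam_probability(self, text):
        vocab = len(set(self.counts[True]) | set(self.counts[False]))
        spam_total = sum(self.counts[True].values()) + vocab
        ham_total = sum(self.counts[False].values()) + vocab
        # Start from the smoothed prior odds, then add each token's evidence.
        log_odds = math.log((self.docs[True] + 1) / (self.docs[False] + 1))
        for tok in tokens(text):
            p_spam = (self.counts[True][tok] + 1) / spam_total
            p_ham = (self.counts[False][tok] + 1) / ham_total
            log_odds += math.log(p_spam / p_ham)
        return 1.0 / (1.0 + math.exp(-log_odds))


# Constructed training mail: (text, is_spam). A mortgage broker's mailbox ...
BROKER = [
    ("mortgage rate lock for the smith closing", False),
    ("refinance application documents attached", False),
    ("updated mortgage rate sheet for monday", False),
    ("cheap pills online no prescription", True),
    ("win casino bonus cash now", True),
    ("cheap watches online cash discount", True),
]
# ... and an engineer's mailbox, where mortgage offers are always spam.
ENGINEER = [
    ("build server patch scheduled for monday", False),
    ("code review notes attached", False),
    ("deploy the patch after the build passes", False),
    ("low mortgage rate refinance now", True),
    ("refinance your mortgage lowest rate", True),
    ("cheap pills online no prescription", True),
]

# Ham for the broker, spam for the engineer.
MESSAGE = "new mortgage rate for your refinance"


def trained(*corpora):
    """Return a filter trained on every message in the given corpora."""
    bayes = BayesFilter()
    for corpus in corpora:
        for text, is_spam in corpus:
            bayes.train(text, is_spam)
    return bayes


def compare():
    """Score MESSAGE with each per-mailbox database and with the pooled one."""
    return {
        "broker": trained(BROKER).spam_probability(MESSAGE),
        "engineer": trained(ENGINEER).spam_probability(MESSAGE),
        "server_wide": trained(BROKER, ENGINEER).spam_probability(MESSAGE),
    }


if __name__ == "__main__":
    for name, p in compare().items():
        print(f"{name:12s} P(spam) = {p:.3f}")
```

Each per-mailbox database gives a confident and opposite verdict on the same text, while the pooled database lands close to 0.5 because one mailbox's ham tokens are the other's spam tokens.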
Re: [Declude.JunkMail] Is DRCI Inc. a spamhouse?
Darin, This company is actually a front for Pexicom which is currently one of the highest volume spammers around. If you reverse DNS query this address and the others around it, you will find the standard Pexicom results where it returns two name servers and then 6 sequentially numbered mail servers. Then there's the fact that SenderBase shows this stuff to belong to Pexicom: http://www.senderbase.org/search?searchString=64.124.100.148 This stuff is worthy of deletion, in fact, it's not even close. While there is often good reason to think twice about what SORBS might list, don't think twice about what SBL lists, and if you feel compelled to do so, at least look at their evidence file. http://www.spamhaus.org/sbl/sbl.lasso?query=SBL13718 Pexicom is definitely ROKSO-bound. They have address blocks all over the place and have been tracked by SenderBase sending volumes of spam that exceed 1 million messages a day from a single IP address. Matt Darin Cox wrote: Anyone know anything about DRCI Inc. (www.drci.us)? I have a hosting customer who signed up with them (without my knowledge) to send out a mailing to a supposedly opt-in list. The test emails looked pretty suspicious with the two-domain pattern (tin*eil*.com and getgre*atstuff*.com ... asterisks added in case of filter triggers) we've seen recently, and the sending address (mail1.mrlchm.com [64.124.100.148]) is listed in SBL and SORBS-SPAM. Also, the initial response I got from them when I mentioned they were in some of the major lists was "tell me which domains were listed...we can switch those". They didn't understand it wasn't the domains in the HTML, but the sender IP, so I didn't bother explaining, but even more red flags went up. Thoughts? Darin. -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =
Re: [Declude.JunkMail] OT? Best Platform?
2000. The newer version is hardly mature, and it appears that just like XP made the 2000 core unstable, 2003 also repeats many of the same mistakes. 2003 is of course fancier, but the apps you are looking to use make little use of what the newer version might provide. Matt Hirthe, Alexander wrote: Hello, what is the better platform for Imail / Declude? Windows 2000 or Windows 2003? Just Imail Declude, Spamcheck, AVG, F-Prot. Alex -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =
RE: [Declude.JunkMail] Option Request
John, Thanks again, found it in the manual. Thanks for your time. Keith -Original Message- From: Keith Johnson Sent: Wednesday, February 04, 2004 12:02 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] Option Request John, Can this WARN have a specific custom Header line only applied to this domain? Keith -Original Message- From: John Tolmachoff (Lists) [mailto:[EMAIL PROTECTED] Sent: Wednesday, February 04, 2004 11:45 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] Option Request Use the action of WARN. John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Keith Johnson Sent: Wednesday, February 04, 2004 8:16 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Option Request Is it possible that in a Store/Forward scenario that when a WEIGHT20 test is reached to insert an X-Note in the Header, much like we take action with RouteTo or Mailbox? Thanks, Keith
[Declude.JunkMail] How to Block overseas domains
Does anyone know how to block overseas domains? Like UK, DE, NL etc Thanks Kyle
RE: [Declude.JunkMail] [IMail Forum] Continuous statistical filter updates?
Thanks Andrew - Nick From: Colbeck, Andrew [EMAIL PROTECTED] To: '[EMAIL PROTECTED]' [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] [IMail Forum] Continuous statistical filter updates? Date sent: Wed, 4 Feb 2004 09:21:04 -0800 Send reply to: [EMAIL PROTECTED] It is more precise to say that Bayesian filters are best suited to individual mailboxes, and on the opposite scale they are not effective when the message base is random. Bayesian filters need to be trained, and for that you need a corpus of messages that is spam and another that is ham. The better the training, the better the result, and the reverse is true: garbage in, garbage out. Likewise, you need something or someone to keep feeding the algorithm: what were the false positives and what were the false negatives. This makes Bayes ideal for a single user yet makes it poorly suited to an ISP. If you want to implement Bayes for a corporation, you will do better, because more messages will be on topic and more and more we are all receiving similar spam. The catch is in training. You may find that Bayes is not worth using, but that the filters in SpamAssassin are worth keeping. Andrew 8) -Original Message- From: Nick Hayer [mailto:[EMAIL PROTECTED] Sent: Wednesday, February 04, 2004 8:05 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] [IMail Forum] Continuous statistical filter updates? thread originally from IMail list Scott - others regarding SpamAssassin In your opinion: Correct. That's why for statistical filtering to be effective, you need to have very small groups that receive similar E-mails. Ideally, each user will have their own statistical database. If not, per-domain can sometimes be acceptable. Server-wide statistical databases fare worse. I have Bayesian filtering enabled on Sandy's implementation of SpamAssassin server wide. Am I just wasting cpu cycles/decreasing SA effectiveness by including this?
Thanks -Nick Hayer
Re: [Declude.JunkMail] Is DRCI Inc. a spamhouse?
Thanks, Matt. I had followed the links to see the link to Pexicom and the large IP blocks. Hadn't checked Senderbase yet, though. Also, thanks for the insight into SBL. I guess a flip side of the question might be...are there any legit, truly opt-in, commercial bulk mailers out there? You might say, almost by definition, that there aren't...the only legit mass senders being companies maintaining their own customer lists for newsletters, etc. Anyone have any other opinions/experiences? Darin. - Original Message - From: Matt To: [EMAIL PROTECTED] Sent: Wednesday, February 04, 2004 12:20 PM Subject: Re: [Declude.JunkMail] Is DRCI Inc. a spamhouse? Darin, This company is actually a front for Pexicom which is currently one of the highest volume spammers around. If you reverse DNS query this address and the others around it, you will find the standard Pexicom results where it returns two name servers and then 6 sequentially numbered mail servers. Then there's the fact that SenderBase shows this stuff to belong to Pexicom: http://www.senderbase.org/search?searchString=64.124.100.148 This stuff is worthy of deletion, in fact, it's not even close. While there is often good reason to think twice about what SORBS might list, don't think twice about what SBL lists, and if you feel compelled to do so, at least look at their evidence file. http://www.spamhaus.org/sbl/sbl.lasso?query=SBL13718 Pexicom is definitely ROKSO-bound. They have address blocks all over the place and have been tracked by SenderBase sending volumes of spam that exceed 1 million messages a day from a single IP address. Matt Darin Cox wrote: Anyone know anything about DRCI Inc. (www.drci.us)? I have a hosting customer who signed up with them (without my knowledge) to send out a mailing to a supposedly opt-in list. The test emails looked pretty suspicious with the two-domain pattern (tin*eil*.com and getgre*atstuff*.com ...
asterisks added in case of filter triggers) we've seen recently, and the sending address (mail1.mrlchm.com [64.124.100.148]) is listed in SBL and SORBS-SPAM. Also, the initial response I got from them when I mentioned they were in some of the major lists was "tell me which domains were listed...we can switch those". They didn't understand it wasn't the domains in the HTML, but the sender IP, so I didn't bother explaining, but even more red flags went up. Thoughts? Darin. -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =
[Declude.JunkMail] Mailfrom?
Hi; Should this not have triggered Mailfrom.. look at the email used: X-Note: SMTP Sender: ben.@aol.com Kami
==
Date: Wed, 4 Feb 2004 07:54:02 +
Message-ID: [EMAIL PROTECTED]
From: Carmelita Hipolito[EMAIL PROTECTED]
To:
Subject: [49~]Good news
Mime-Version: 1.0
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-RBL-Warning: IPNOTINMX:
X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail detected.
X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam [4000100f].
X-RBL-Warning: NOABUSE: Not supporting [EMAIL PROTECTED]
X-RBL-Warning: NOPOSTMASTER: Not supporting [EMAIL PROTECTED]
X-RBL-Warning: FALSE-AOL: Message failed FALSE-AOL test (line 2, weight 3)
X-RBL-Warning: COUNTRY: Message failed COUNTRY test (line 117, weight 5)
X-RBL-Warning: FILTER-SPAM-HTML: Message failed FILTER-SPAM-HTML test (line 130, weight 2)
X-RBL-Warning: FILTER-BODY-GIBBERISH: Message failed FILTER-BODY-GIBBERISH test (line 411, weight 14) (weight capped at 4)
X-RBL-Warning: SPAMDOMAINS: Spamdomain 'aol.com' found: Address of ben.@aol.com sent from invalid host202.cisp.cc.
X-Declude-Sender: ben.@aol.com [65.196.203.202]
X-Declude-Spoolname: Da51e1cac01107186.SMD
X-Note: ==
X-Note: Spam Score: 49 [BLOCKED ON 20+ DELETED ON 50+]
X-Note: Scan Time: 02:54:27 on 02/04/2004
X-Note: Spool File: Da51e1cac01107186.SMD
X-Note: Server Name: nocmailsvc002.allthesites.org
X-Note: SMTP Sender: ben.@aol.com
X-Note: Reverse DNS IP: host202.cisp.cc [65.196.203.202]
X-Note: Recipient(s):
X-Note: Country Chain: KOREA-KR-UNITED STATES-destination
X-Note: ==
X-Note: This E-mail was scanned filtered by Declude [1.77i26] for SPAM virus.
X-Note: Spam and virus blocking services provided by ClickandPledge.com
X-Note: ==
X-Declude-Date: 02/04/2004 07:54:02 [0]
X-RCPT-TO: *
Status: U
X-UIDL: 331475858
==
Re: [Declude.JunkMail] Mailfrom?
> Should this not have triggered Mailfrom..
No.
> look at the email used: X-Note: SMTP Sender: ben.@aol.com
aol.com is a valid domain with an MX record, so it passes the MAILFROM test.
-Scott
--- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation.
Re: [Declude.JunkMail] Is DRCI Inc. a spamhouse?
For every 1 legit company, there are probably 100 illegit ones. DRCI makes no bones about it on their home page: "Data Resource Consulting, (DRC) provides leads, permission based e-mail list rentals and accompanying marketing strategies to both the off-line and online direct marketing communities as well as individual companies seeking such services."

Companies like Dart Mail and Cheetah Mail have much higher standards. Companies like Big Foot Interactive tend to have a mix of legit newsletters and subversive opt-in advertising that most would consider to be spam regardless of how they got the E-mail address. Companies like Experian/exactis.com seem to specialize in this low-quality subversive opt-in stuff, and then of course there's the spam houses that don't really care where the E-mail addresses came from, and they will even "rent" you a list just like the DRCI site says.

I'm in the process of moving to a system where I block first, whitelist later (as recommended by Message Sniffer's Grey rulebase). Since advertising sources tend to have a lot of problems with RBL's regardless of whether or not they are legit, this seems to be a good way to do it. I've built myself a simple Web app that allows me to store information about a problematic sender in a database, and from which I export a pseudo-whitelist file (negatively weighted). This will make administration much easier, and allow me to block the 90% of the garbage that Experian sends, while allowing through the 10% that's legit on the second try.

I'm not really trying to "block first" in reality, I'm just going to raise the scores of some tests like MailPolice, FiveTen Bulk, Sniffer Gray, Sniffer General and some others that I've been dropping due to such issues, but I'm not going to raise them to the point where every message will fail. Dirty sources like Big Foot Interactive and Experian will likely already fail, and the others that do pass, are susceptible to getting SpamCopped on occasion, which means they need some extra protection due to a combination of tests.

I also have set up some rules for inclusion in this list. The sender must be sending relevant information to a direct subscriber, i.e. no third-party trash allowed. They must provide an easily accessible opt-out mechanism with a link and no password required, if they don't, I may consider allowing some sources through based on how I perceive the company as a whole. They must not sell addressees to third parties, and I will also exclude from consideration sources that don't practice good list management, for instance, Sprint PCS sends out a fairly low quality newsletter every month to a bunch of their subscribers, but I just found the other day that one domain was still getting these newsletters over a year after they dropped Sprint for another provider.

My goal here is to not be in the business of making decisions for my customers as to what they do want and what they don't want when it comes to advertising/newsletter content. I would prefer to let them unsubscribe from such sources if they don't want it. There is some real borderline stuff, but after looking at these things for several months, some of it becomes obvious. I will let through Orbitz and Travelocity ads because it's obvious that they only go to their customers and they have a proper opt-out mechanism. Personally I find them annoying and too frequent, however some might not agree and I'd rather give them the choice. Matt

Darin Cox wrote: Thanks, Matt. I had followed the links to see the link to Pexicom and the large IP blocks. Hadn't checked Senderbase yet, though. Also, thanks for the insight into SBL. I guess a flip side of the question might be...are there any legit, truly opt-in, commercial bulk mailers out there? You might say, almost by definition, that there aren't...the only legit mass senders being companies maintaining their own customer lists for newsletters, etc. Anyone have any other opinions/experiences? Darin.

- Original Message - From: Matt To: [EMAIL PROTECTED] Sent: Wednesday, February 04, 2004 12:20 PM Subject: Re: [Declude.JunkMail] Is DRCI Inc. a spamhouse? Darin, This company is actually a front for Pexicom which is currently one of the highest volume spammers around. If you reverse DNS query this address and the others around it, you will find the standard Pexicom results where it returns two name servers and then 6 sequentially numbered mail servers. Then there's the fact that SenderBase shows this stuff to belong to Pexicom: http://www.senderbase.org/search?searchString=64.124.100.148 This stuff is worthy of deletion, in fact, it's not even close. While there is often good reason to think twice about what SORBS might list, don't think twice about what SBL lists, and if you feel compelled to do so, at least look at their evidence file. http://www.spamhaus.org/sbl/sbl.lasso?query=SBL13718 Pexicom is definitely
RE: [Declude.JunkMail] How to Block overseas domains
Please don't forget .it domains. So I can't write or reply anymore to anyone into your education center. My opinion: Never block for a single test result. With Declude Junkmail Pro you can create a filter file and add lines like
COUNTRIES 5 CONTAINS it
This will add 5 points to any message coming or traveling through Italy. If you want to add points for messages having a mailfrom address ending with .it, .uk, ... you can use the same type of filter files and add lines like
MAILFROM 5 ENDSWITH .it
If you want you can set up a "KillerTLD" filter and block everything coming from outside of US. But on my server this will block less than 10% of all incoming spam because the remaining 90% are coming... YES from the US. Markus From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kyle Fisher Sent: Wednesday, February 04, 2004 6:47 PM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] How to Block overseas domains Does anyone know how to block overseas domains? Like UK, DE, NL etc Thanks Kyle
[Declude.JunkMail] Off topic - iis, web servers and txt files
Ok, I'm running IIS 5.0 on my imail server. I've written a program to read the ldap and create a ldif file. I put the ldif file (xxx.ldif) in a sub directory on the web server and when I put a link to it, it displays it directly in the browser. I want it to download, not display as text. Any ideas on how to config IIS to make it download? P.S. Once I get this program fully functional I'll put it out on my personal web site for download if anyone wants it. It's a console app made with .net that will create: csv, ldif, alias, or list-lst/txt files from the ldap.
RE: [Declude.JunkMail] Off topic - iis, web servers and txt files
In internet explorer right click your link and choose "Save Target As" Kevin Bilbee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Doug Anderson Sent: Wednesday, February 04, 2004 11:06 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Off topic - iis, web servers and txt files Ok, I'm running IIS 5.0 on my imail server. I've written a program to read the ldap and create a ldif file. I put the ldif file (xxx.ldif) in a sub directory on the web server and when I put a link to it, it displays it directly in the browser. I want it to download, not display as text. Any ideas on how to config IIS to make it download? P.S. Once I get this program fully functional I'll put it out on my personal web site for download if anyone wants it. It's a console app made with .net that will create: csv, ldif, alias, or list-lst/txt files from the ldap.
Re: [Declude.JunkMail] Off topic - iis, web servers and txt files
That's what I'm trying to get away from. Actually have it pop up to open or download. My users have problems understanding right click. Plus I'm rewriting it so that have to enter username and password to get to the link.
Re: [Declude.JunkMail] Off topic - iis, web servers and txt files
Change the MIME type in IIS to something that isn't text or otherwise displayable in the browser window. I would guess that choosing an application type would be best, and on your own system, make sure that you don't set up something like a text application to automatically open the extension.

http://www.onlineworkshop.net/misc/MIME_Types_in_IIS.htm

Matt

--
MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/
RE: [Declude.JunkMail] Off topic - iis, web servers and txt files
Mess around with the mime maps for your IIS server, define that file extension as anything other than clear-text, I think that will tell the browser to treat it as an attachment and not open it up in the browser.
Re: [Declude.JunkMail] Off topic - iis, web servers and txt files
Doug-

This sounds like it could be solved by setting up a custom MIME type for .ldif files. If a MIME type is not present, the browser resorts to plain text. I don't have a clue what you would change it to, however.

-Dave Doherty
Skywaves, Inc.
RE: [Declude.JunkMail] Mailfrom?
Hi Scott:

Thanks ... A while back I was suggesting a simple test that can at least validate the format of the sender email. This is a perfect example.. This email is not valid and although it failed a lot of other tests but it should also be easy to add more weight to wrong addresses.

Of course if there is an RFC addendum that says ben.@aol.com is a valid email then my argument is totally off base.

Kami

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Wednesday, February 04, 2004 1:29 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Mailfrom?

> Should this not have triggered Mailfrom..

No. look at the email used:

X-Note: SMTP Sender: ben.@aol.com

aol.com is a valid domain with an MX record, so it passes the MAILFROM test.

-Scott

---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation.
RE: [Declude.JunkMail] Off topic - iis, web servers and txt files
That is default behavior for Internet Explorer. To display a text file. You could zip it on the server side so when they click the link it asks them to download the zip file.

Or if I actually answer your original post

You could add your own mime type for your .ldif. If the browser does not recognize it it will ask to download the file. Do it on the HTTP Headers tab. Add the mime type

extension - ldif
Content type (MIME): x-ldif

Kevin Bilbee
RE: [Declude.JunkMail] OT? Best Plattform?
2003. It's MUCH more secure than 2000 because many services are not enabled by default which is the case in 2000.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, February 04, 2004 12:24 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] OT? Best Plattform?

2000. The newer version is hardly mature, and it appears that just like XP made the 2000 core unstable, 2003 also repeats many of the same mistakes. 2003 is of course fancier, but the apps you are looking to use make little use of what the newer version might provide.

Matt

Hirthe, Alexander wrote:

> Hello,
> what is the better Platform for Imail / Declude? Windows 2000 or Windows 2003? Just Imail Declude, Spamcheck, AVG, F-Prot.
> Alex
Re[2]: [Declude.JunkMail] Mailfrom?
> Of course if there is an RFC addendum that says ben.@aol.com is a valid email then my argument is totally off base.

It's valid but extremely uncommon to have quotes in an address (used for escaping by definition), and periods are also allowed. A legitimate address that ends in a period would probably benefit from being escaped to confirm intent. Nonetheless, I wouldn't think that you'd see these two used together in a substantive amount of legit e-mail. But whether it's worth a filter is questionable.

--Sandy

Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude! http://www.mailmage.com/download/software/freeutils/SPAMC32/Release/
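The local-part rules discussed in this thread, as an added example that is not part of any poster's message: a checker for the RFC 5321 Local-part grammar that separates the unquoted dot-string form from the quoted-string form. The function name and the class labels are assumptions of this example; the two aol.com addresses are the forms that appear in the thread, the rest are constructed.

```python
import re

# RFC 5321 section 4.1.2: Local-part = Dot-string / Quoted-string.
# Dot-string is one or more atoms separated by single dots, so it can
# neither start nor end with a dot, nor contain two dots in a row.
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
_DOT_STRING = re.compile(_ATEXT + r"+(?:\." + _ATEXT + r"+)*")

# Quoted-string: inside the double quotes, space and printable ASCII except
# '"' and '\' may appear literally; anything printable may follow a backslash.
_QUOTED_STRING = re.compile(r'"(?:[\x20\x21\x23-\x5b\x5d-\x7e]|\\[\x20-\x7e])*"')


def classify_sender(address):
    """Classify the local part of an SMTP envelope sender address.

    Returns one of:
      "dot-string"        legal without quotes
      "quoted-redundant"  quoted, but the content would be legal unquoted
      "quoted-required"   quoted, and only legal because of the quotes
      "invalid"           matches neither form
    Only the local part is checked; the domain merely has to be non-empty.
    """
    # A domain cannot contain '@', so the last '@' is the separator even
    # when a quoted local part contains one.
    local, at, domain = address.rpartition("@")
    if not at or not local or not domain or len(local) > 64:
        return "invalid"
    if _DOT_STRING.fullmatch(local):
        return "dot-string"
    if _QUOTED_STRING.fullmatch(local):
        # Strip the quotes and undo backslash escapes to see what is inside.
        inner = re.sub(r"\\(.)", r"\1", local[1:-1])
        if _DOT_STRING.fullmatch(inner):
            return "quoted-redundant"
        return "quoted-required"
    return "invalid"


# Constructed samples, apart from the two aol.com forms seen in the thread.
SAMPLES = [
    'ben.@aol.com',        # trailing dot, no quotes
    '"ben."@aol.com',      # same content, quoted
    '"ben"@aol.com',
    'ben@aol.com',
    'a..b@example.com',
    '"a@b"@example.com',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:22} {classify_sender(sample)}")
```

A sender in the "quoted-required" class is syntactically legal, which is why a domain-only MAILFROM check passes it; whether to score that class is a separate policy decision.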
Re: [Declude.JunkMail] Mailfrom?
Kami,

If you start mixing different tests for MAILFROM, then you run the risk of weakening the test. While this was spam, I could see a user making a mistake like this by putting information in the wrong fields. You have Web forms, just take a look at what the typical bonehead AOL user "thinks" their E-mail address is.

Maybe a different test would be better, though, maybe this is just as reliable as the existing MAILFROM tests...but I doubt it.

Matt

Kami Razvan wrote:

> Hi Scott:
>
> Thanks ... A while back I was suggesting a simple test that can at least validate the format of the sender email. This is a perfect example.. This email is not valid and although it failed a lot of other tests but it should also be easy to add more weight to wrong addresses.
>
> Of course if there is an RFC addendum that says "ben."@aol.com is a valid email then my argument is totally off base.
>
> Kami
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
> Sent: Wednesday, February 04, 2004 1:29 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] Mailfrom?
>
>> Should this not have triggered Mailfrom..
>
> No. look at the email used:
>
> X-Note: SMTP Sender: "ben."@aol.com
>
> aol.com is a valid domain with an MX record, so it passes the MAILFROM test.
>
> -Scott
RE: [Declude.JunkMail] OT? Best Plattform?
I don't think that makes it more secure, I think that means the admin is allowed to be more lazy.

With regards to using 2k3 vs 2k as a mail server, I don't really think security is a huge concern. You should be locking down ntfs on either platform, you shouldn't need any services except the bare necessities, etc. You'll never have local users, nor should you ever use the console for anything, so term service/etc security is useless, as is IE security, etc. The stack itself is, of course, more robust in some respects, but you're probably filtering for common attacks upstream anyway.

Nutshell, I'd say there are some performance benefits on 2k3, especially on larger hardware .. but overall, your install *should* be so tweaked, that it really doesn't matter.

Jonathan
[Declude.JunkMail] Log Error
I received the following error in the log file and subsequently the email did not ROUTETO although it was listed on the WEIGHT20 line, it went on to the main mailbox of the customer un-routed. Is there any reason for the Error? I checked the log and only had one other instance of this for the day.

02/04/2004 14:57:17 Q4e8f9b2b005cae1c Msg failed WEIGHT20 (Weight of 61 reaches or exceeds the limit of 20.). Action=ROUTETO.
02/04/2004 14:57:17 Q4e8f9b2b005cae1c ERROR: Could not open recip file F:\IMail\spool\_4e8f9b2b005cae1c.~MD [2]

Thanks,
Keith
Re: [Declude.JunkMail] OT? Best Plattform?
Anyone that runs a server that sits on the Internet should go through the various services and shut them down when unnecessary, regardless of whether or not they might present a security issue. Firewalling the unnecessary ports is also a fabulous idea as well as other security measures like dummifying the administrator account, installing URLScan (for IIS) and even running L0pht against a dump of your encrypted passwords. I'm sure there are a lot of other things that you could do as well. Just because MS doesn't default enable some problematic services doesn't mean that it's more secure, it's just got better default settings. I'm guessing that most of us aren't the people to install things with the default settings anyway.

The real issues with 2003 are the bugs, and it appears that there are real issues with stability at high loads with DNS and/or the TCP/IP stack. I'm sure there are a ton of little issues that are also apparent. Microsoft also always claims better performance with newer versions, but in reality the code is always more bloated and chances are that common tasks will in fact be slower due to the added overhead. There's probably a good chance that NT4 could run IMail more efficiently than a 2000 server despite the lack of support for newer technologies.

I think 2003 will remain bleeding edge for high-reliability production environments for another year or so. I still consider XP Pro to be a step backwards, my 2000 Pro just simply wouldn't crash, and XP can't even handle keeping Windows Explorer functional after cutting and pasting from a mapped drive, and it's been what, two years since it was released?

Matt
[Declude.JunkMail] Distributed Dictionary Attack
Hi, everyone-

I've seen dictionary attacks before, but this one is impressive! I have a customer who has eight email addresses and some aliases on his single domain. We have an ongoing problem with a distributed dictionary attack against this domain, and I'm talking a serious attack here - over half a million messages a day for the last week, seemingly originating from more than 10,000 IP addresses.

The content is random everyday spams, with nothing in particular in common. Of course, there are many dupes, but I can find nothing that looks like a common source for this. Most of the "to" addresses are or could be names, apparently not random sequences of letters and numbers. Examples - aaronj, aaronp, aaronv, ctuck, ctucker, ctuna, etc.

I have placed this domain on a dedicated box that is handling it just fine by rejecting the messages with invalid user errors, and I wrote a quick little utility that parses the logs into SQL Server and tells me how many of these we're getting and where they seem to be coming from. As of 4PM today: 275,000 messages to 42,000 addresses at this domain, from 14,000 IPs.

I've been blocking the worst offenders in the system before they get to the mail server, but it's hardly making a dent since the worst offender in yesterday's log sent about 5,000 messages, and the top ten combined sent only about 25,000.

My hope is that we will figure out a common source that is spoofing all these IPs. So, how can I tell when an IP address has been spoofed? Will a packet sniffer reveal that? And will blocking the "real" IP as opposed to the "spoofed" IP work?

All suggestions are greatly appreciated. I understand that we all have secret stuff we do to protect our systems, so feel free to contact me off-list at [EMAIL PROTECTED] if you think that is more appropriate.

And my thanks to Scott Perry and Pete McNeil, who have been very helpful in combatting this already.

Thanks!

Dave Doherty
Skywaves, Inc.
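An added example, not Dave's utility and not code from the list: a small log summarizer that reports the figures quoted above (messages, distinct recipients, distinct source IPs), shows how little of the volume the top senders account for, and scores whether rejected recipients arrive in wordlist order across different IPs. The log layout, the field names and all sample lines are constructed for this example; a real mail server log would need its own regular expression.

```python
import re
from collections import Counter

# Constructed sample in a hypothetical layout (not a real IMail log format).
# Addresses use documentation IP ranges and example.com.
SAMPLE_LOG = """\
02/04/2004 15:58:01 REJECT ip=192.0.2.10 rcpt=aaronj@example.com reason=unknown-user
02/04/2004 15:58:01 REJECT ip=198.51.100.7 rcpt=aaronp@example.com reason=unknown-user
02/04/2004 15:58:02 REJECT ip=203.0.113.44 rcpt=aaronv@example.com reason=unknown-user
02/04/2004 15:58:02 ACCEPT ip=192.0.2.200 rcpt=sales@example.com
02/04/2004 15:58:03 REJECT ip=192.0.2.10 rcpt=ctuck@example.com reason=unknown-user
02/04/2004 15:58:03 REJECT ip=198.51.100.99 rcpt=ctucker@example.com reason=unknown-user
02/04/2004 15:58:04 REJECT ip=203.0.113.5 rcpt=ctuna@example.com reason=unknown-user
02/04/2004 15:58:04 REJECT ip=192.0.2.10 rcpt=aaronj@example.com reason=unknown-user
"""

LINE_RE = re.compile(
    r"^(\S+ \S+) REJECT ip=(\S+) rcpt=([^@\s]+)@(\S+) reason=unknown-user$"
)


def parse_rejects(text):
    """Return (timestamp, ip, local_part, domain) for each unknown-user reject."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            ts, ip, local, domain = match.groups()
            events.append((ts, ip, local.lower(), domain.lower()))
    return events


def summarize(events, top_n=10):
    """Count messages, distinct recipients and IPs, and the top senders' share."""
    per_ip = Counter(ip for _, ip, _, _ in events)
    recipients = {(local, domain) for _, _, local, domain in events}
    top = per_ip.most_common(top_n)
    top_total = sum(count for _, count in top)
    return {
        "messages": len(events),
        "recipients": len(recipients),
        "ips": len(per_ip),
        "top": top,
        # Fraction of rejects that blocking the top_n IPs would have stopped.
        "top_share": top_total / len(events) if events else 0.0,
    }


def wordlist_order_score(events):
    """Fraction of consecutive rejects whose local part sorts at or after the
    previous one. A value near 1.0 while the source IP keeps changing suggests
    one sorted name list being walked by many senders (a heuristic only).
    """
    locals_in_order = [local for _, _, local, _ in events]
    pairs = list(zip(locals_in_order, locals_in_order[1:]))
    if not pairs:
        return 0.0
    return sum(1 for a, b in pairs if a <= b) / len(pairs)


if __name__ == "__main__":
    rejects = parse_rejects(SAMPLE_LOG)
    stats = summarize(rejects, top_n=1)
    print(stats)
    print("wordlist order score:", round(wordlist_order_score(rejects), 2))
```

With the figures in the message above (top ten senders at about 25,000 messages), the same top-share calculation is what shows per-IP blocking barely reduces the load.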
Re: [Declude.JunkMail] Log Error
Maybe I'm missing something, but why is IMail handing Declude a file named with an underscore and tilde? This is a locked file according to Ipswitch. Naturally this might be standard for IMail and Declude, but I thought the full and unmodified name/file was used???

Matt

Keith Johnson wrote:

> Scott,
> I am running 8.05hf1 and the 1.77beta of Declude (no interims). I just needed to give an explanation to one of our customers on this.
>
> Keith
>
> -----Original Message-----
> From: R. Scott Perry [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, February 04, 2004 5:03 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] Log Error
>
>> 02/04/2004 14:57:17 Q4e8f9b2b005cae1c ERROR: Could not open recip file F:\IMail\spool\_4e8f9b2b005cae1c.~MD [2]
>
> That means that the spool file wasn't there when Declude went to modify it. This usually occurs if IMail "steals" the file from Declude. If you are running IMail v8, you should upgrade to the latest release if you have not yet done so.
>
> -Scott
Re: [Declude.JunkMail] OT: Domain Registrar recommendation
Keith,

I have been working with BulkRegister for over 18 months and have seen no indication that they support spammers.

Dan Geiser
[EMAIL PROTECTED]

----- Original Message -----
From: Keith Anderson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, January 31, 2004 12:33 PM
Subject: RE: [Declude.JunkMail] OT: Domain Registrar recommendation

The following registrars are known to support spammers, either by giving large discounts for mass domain registrations, or they have common financial backing with major spam organizations, or were founded by spam organizations in order to get access to unlimited, free domain registrations.

Bulk Register
Go Daddy
Mad Dog Domains
Secure Server (.Net)
Wild West Domains

I personally don't like to support companies that support spammers. There are plenty of registrars.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Todd
Sent: Friday, January 30, 2004 11:05 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] OT: Domain Registrar recommendation

Anyone using a registrar that they like? I want to get some of my clients accounts off of NetSol. I have some registered at www.dotearth.com but I would like a registrar that I can maintain multiple domains from a central interface like at NetSol.

Thanks,
Todd Hunter

---
Sign up for virus-free and spam-free e-mail with Nexus Technology Group http://www.nexustechgroup.com/mailscan
Re: [Declude.JunkMail] Distributed Dictionary Attack
Dave,

I've noticed that on my box with only about 60 domains, there's several distributed dictionary attacks every day. They seem to be controlled from a central location because the order is roughly the same across the different IP addresses they use. Mine have been spaced out and fairly low in volume, and I've seen them do this to domains with only one account. These attacks use mostly real names, although the Joe-Jobs using our domains and directed at large ISP's seemingly use more of a hacking sort of attack, trying every combination and lasting for weeks at times.

I've found that many of these attacks originate from North Korea and China, and there's a good chance that there's someone on this side of the Ocean that is typing in the commands. #1 ROKSO spammer Alan Ralsky seems to be Asia's largest spam customer, and he enables a lot of this stuff. I wouldn't be surprised if someone connected to him was responsible for the viruses that have been used to create spam zombies. He certainly profits from the use of these machines. This is also the guy that has involvement in the recent Habeas spoofing for that drug site (the payload was hosted on his IP space in China).

This stuff either comes from zombies controlled by IP's in unfriendly countries, or it comes from unfriendly countries. Good luck serving a warrant. It might be a better idea to look at the payloads and figure out what the connections are. SBL probably tracks much of that stuff if you simply resolve the domain name to an IP address and look for patterns.

BTW, was this a large domain that's being attacked, or are these guys just simply stupid abusive idiots (as opposed to smart abusive idiots I guess)?

Matt
Re: [Declude.JunkMail] Distributed Dictionary Attack
I've seen dictionary attacks before, but this one is impressive! I have a customer who has eight email addresses and some aliases on his single domain. We have an ongoing problem with a distributed dictionary attack against this domain, and I'm talking a serious attack here - over half a million messages a day for the last week, seemingly originating from more than 10,000 IP addresses.

Another possibility is that this isn't a dictionary attack -- but instead, the nobody alias was enabled in the past at a time that a dictionary attack occurred, and the spammer was dumb (surprise!) and thought that all the addresses existed. If that is the case, now they are just sending spam to the addresses they think are valid. It would also account for the huge number of IPs sending the spam -- it is quite common for the organized spammers to do that.

My hope is that we will figure out a common source that is spoofing all these IPs. So, how can I tell when an IP address has been spoofed? Will a packet sniffer reveal that? And will blocking the real IP as opposed to the spoofed IP work?

It would be nice if it were that easy. Unfortunately (fortunately?), spoofed IPs are extremely rare. What that means is that these are probably compromised servers sending the spam, and therefore they have the spammer's program on them. The spammer doesn't want you knowing his IP, so it isn't available anywhere. What surprises me is that law enforcement agencies haven't gone after perhaps a few dozen compromised servers, run a packet sniffer, and checked to see what IP(s) are controlling the compromised servers.

-Scott

--- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation.
Re: [Declude.JunkMail] Log Error
Maybe I'm missing something, but why is IMail handing Declude a file named with an underscore and tilde? This is a locked file according to Ipswitch. Naturally this might be standard for IMail and Declude, but I thought the full and unmodified name/file was used???

That is normally the case, but there are cases where IMail will steal the file, even if it is locked.

-Scott
RE: [Declude.JunkMail] Log Error
I am running 8.05hf1 and the 1.77beta of Declude (no interims). I just needed to give an explanation to one of our customers on this.

There isn't an easy explanation. What I can give you is the very technical answer: Declude went to access the (locked) recipient file, but Windows reported that the file was not there. Determining how the file disappeared would be anywhere from difficult to impossible, depending on what happened (unless the problem repeats itself, in which case it could probably be traced).

-Scott
RE: [Declude.JunkMail] Log Error
Scott, Thanks for your aid, it is always appreciated. I passed a similar explanation on to our customer. I'll watch our logs for any patterns. Keith

-Original Message- From: R. Scott Perry [mailto:[EMAIL PROTECTED] Sent: Wednesday, February 04, 2004 6:27 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] Log Error

I am running 8.05hf1 and the 1.77beta of Declude (no interims). I just needed to give an explanation to one of our customers on this.

There isn't an easy explanation. What I can give you is the very technical answer: Declude went to access the (locked) recipient file, but Windows reported that the file was not there. Determining how the file disappeared would be anywhere from difficult to impossible, depending on what happened (unless the problem repeats itself, in which case it could probably be traced).

-Scott
Re: [Declude.JunkMail] Off topic - iis, web servers and txt files
I tried mime types for the "web site" and that wasn't working. One of the emails mentioned the onlineworkshop...I forgot about setting it for all of IIS. Now it downloads. Thanks for all the help! Soon to be published...ldaplst - an ldap reader / file creator. I'll post it here when ready..I'm just fine tuning and error proofing right now.

- Original Message - From: Omar K. To: [EMAIL PROTECTED] Sent: Wednesday, February 04, 2004 2:21 PM Subject: RE: [Declude.JunkMail] Off topic - iis, web servers and txt files

Mess around with the mime maps for your IIS server, define that file extension as anything other than clear-text, I think that will tell the browser to treat it as an attachment and not open it up in the browser.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Doug Anderson Sent: Wednesday, February 04, 2004 9:25 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Off topic - iis, web servers and txt files

That's what I'm trying to get away from. Actually have it pop up to open or download. My users have problems understanding right click. Plus I'm rewriting it so that they have to enter username and password to get to the link.

- Original Message - From: Kevin Bilbee To: [EMAIL PROTECTED] Sent: Wednesday, February 04, 2004 1:16 PM Subject: RE: [Declude.JunkMail] Off topic - iis, web servers and txt files

In internet explorer right click your link and choose "Save Target As"

Kevin Bilbee

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Doug Anderson Sent: Wednesday, February 04, 2004 11:06 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Off topic - iis, web servers and txt files

Ok, I'm running IIS 5.0 on my imail server. I've written a program to read the ldap and create a ldif file. I put the ldif file (xxx.ldif) in a sub directory on the web server and when I put a link to it, it displays it directly in the browser. I want it to download, not display as text. Any ideas on how to config IIS to make it download?

P.S. Once I get this program fully functional I'll put it out on my personal web site for download if anyone wants it. It's a console app made with .net that will create: csv, ldif, alias, or list-lst/txt files from the ldap.
Re: [Declude.JunkMail] Distributed Dictionary Attack
R. Scott Perry wrote:

What surprises me is that law enforcement agencies haven't gone after perhaps a few dozen compromised servers, run a packet sniffer, and checked to see what IP(s) are controlling the compromised servers.

The reason is probably because these machines are generally hijacked from countries where you would have a real hard time serving the IP owners with papers. When I moved to scanning on multiple hops, my SBL hits increased by about 33%, probably because of zombies being controlled from such space and where the zombie is simply relaying instead of being directly hacked (therefore exposing the previous hops). Just guessing of course.

Matt
[Declude.JunkMail] **OT** Intrusion Detection Software
I have been asked to research Intrusion Detection Software. I have done a Google search, but most of what I see is an actual appliance. All I am looking for is software that will notify me when something suspicious attempts to hit our network. Anyone have any suggestions? Sharyn
Re: [Declude.JunkMail] **OT** Intrusion Detection Software
At 10:02 AM 2/4/2004, Sharyn Schmidt wrote:

I have been asked to research Intrusion Detection Software. I have done a Google search, but most of what I see is an actual appliance. All I am looking for is software that will notify me when something suspicious attempts to hit our network. Anyone have any suggestions? Sharyn

As others have already suggested, Snort. It is by far the best. It will easily run on either *nix or windows. I ran it on windows for about 6 months, and then decided it would be easier to keep updated on a *nix platform. I found FreeBSD to be the best option for me. YMMV.

-Russ
RE: [Declude.JunkMail] [Declude.Virus] **OT** Intrusion Detection Software
I can also recommend snort. There is a full windows version put out by Engagesecurity.com. The product is called EagleX and is a single install of all needed components for Snort to operate on a Windows platform.

For those of you running Snort, please give me what you feel are the minimum requirements to adequately run this software on a win2k platform. I have been looking over the documentation and all it says is "lots of ram", "a big harddrive", "a p3 or greater" and "a high performance NIC".

Thanks, Sharyn
Re: [Declude.JunkMail] Slightly OT: calculating bandwidth
Do you have read access to the router's snmp community? If you do, MRTG gives some great stats.

- Original Message - From: Omar K. [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, February 04, 2004 9:26 PM Subject: [Declude.JunkMail] Slightly OT: calculating bandwidth

Hello list, I'm trying to figure out how much bandwidth my imail server sends/receives. I know it's best to do this on the router level, but I don't have access to these. Is this information stored in any log file? Thanks,
Re: [Declude.JunkMail] Distributed Dictionary Attack
The interesting thing about these messages is that the ones I've seen generally don't have multi-hop trails. They look like a zombie connecting directly to the mail server. The blocklists are great, but at that volume, I can't run Declude on the messages without killing the server. So I seem to have two options, both of which I am using: block the IPs before the server, and issue invalid user errors.

One other thing I noticed this evening that points to a coordinated effort: There is very little duplication of the to addresses. The most commonly duplicated address was used only about 150 times in a sample of 275,000 attempts. This is a small domain, one of about 500 on my system, and it has maybe eight or nine mailboxes.

Country sources include a lot of Korea and Taiwan, and I have actually blocked some very large blocks of IP addresses in those places based on the source IPs being well distributed. But there are a lot coming from Canada and the US, also. I've seen a lot of the usual suspects - Comcast, Road Runner, and Rogers.

-Dave
RE: [Declude.JunkMail] Distributed Dictionary Attack
Try running Black ICE on the server. It does a pretty decent job of auto blocking dictionary attacks. We have it set to close and block a connection after 6 invalid users from an ip in 30 seconds.

Jason

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Doherty Sent: Wednesday, February 04, 2004 11:04 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Distributed Dictionary Attack

The interesting thing about these messages is that the ones I've seen generally don't have multi-hop trails. They look like a zombie connecting directly to the mail server. The blocklists are great, but at that volume, I can't run Declude on the messages without killing the server. So I seem to have two options, both of which I am using: block the IPs before the server, and issue invalid user errors.

One other thing I noticed this evening that points to a coordinated effort: There is very little duplication of the to addresses. The most commonly duplicated address was used only about 150 times in a sample of 275,000 attempts. This is a small domain, one of about 500 on my system, and it has maybe eight or nine mailboxes.

Country sources include a lot of Korea and Taiwan, and I have actually blocked some very large blocks of IP addresses in those places based on the source IPs being well distributed. But there are a lot coming from Canada and the US, also. I've seen a lot of the usual suspects - Comcast, Road Runner, and Rogers.

-Dave
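Added example (not part of the thread and not code from any product named in it): a log check that applies the per-IP rule Jason describes, 6 invalid recipients from one IP in 30 seconds, and sets it beside the domain-wide counts Dave reports (rejected attempts, source IPs, distinct addresses, repeats of one address). The log format, addresses and IPs are constructed for illustration and are an assumption, not IMail's real log layout.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified log format (an assumption, NOT IMail's real format):
#   <ISO timestamp> <client IP> RCPT <address> <SMTP reply code>

def build_sample_log():
    """Constructed sample: 40 slow sources, one noisy source, one real delivery."""
    start = datetime(2004, 2, 4, 16, 0, 0)
    lines = []
    # Distributed part: each source tries 3 different names, one per minute.
    for host in range(1, 41):
        for n, name in enumerate(("aaron", "ctuck", "dsmith")):
            ts = start + timedelta(seconds=60 * n + host)
            lines.append(f"{ts.isoformat()} 198.51.100.{host} RCPT {name}{host}@example.com 550")
    # One noisy source: 8 invalid recipients in 8 seconds.
    for n in range(8):
        ts = start + timedelta(seconds=n)
        lines.append(f"{ts.isoformat()} 203.0.113.9 RCPT guess{n}@example.com 550")
    # One accepted recipient, which must not be counted as an attempt.
    lines.append(f"{start.isoformat()} 192.0.2.25 RCPT sales@example.com 250")
    return sorted(lines)  # ISO timestamps sort chronologically as text


def parse_line(line):
    """Split one record into (time, ip, recipient, reply code)."""
    ts, ip, verb, rcpt, code = line.split()
    if verb != "RCPT":
        raise ValueError(f"unexpected record: {line!r}")
    return datetime.fromisoformat(ts), ip, rcpt.lower(), int(code)


def rejected_events(lines):
    """Yield (time, ip, recipient) for recipients refused with a 5xx reply."""
    for line in lines:
        ts, ip, rcpt, code = parse_line(line)
        if 500 <= code <= 599:
            yield ts, ip, rcpt


def per_ip_trips(lines, limit=6, window=30):
    """IPs with `limit` rejected recipients inside `window` seconds.

    Expects records in time order; keeps a sliding window per source IP.
    """
    recent = defaultdict(deque)
    tripped = set()
    span = timedelta(seconds=window)
    for ts, ip, _ in rejected_events(lines):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > span:
            q.popleft()
        if len(q) >= limit:
            tripped.add(ip)
    return tripped


def domain_summary(lines, limit=6, window=30):
    """Domain-wide counts next to what the per-IP rule would have covered."""
    events = list(rejected_events(lines))
    by_ip = Counter(ip for _, ip, _ in events)
    by_rcpt = Counter(rcpt for _, _, rcpt in events)
    tripped = per_ip_trips(lines, limit, window)
    # Upper bound: counts every rejected attempt from an IP that ever tripped.
    caught = sum(by_ip[ip] for ip in tripped)
    return {
        "rejected": len(events),
        "source_ips": len(by_ip),
        "distinct_recipients": len(by_rcpt),
        "max_repeats_of_one_address": max(by_rcpt.values(), default=0),
        "ips_over_threshold": sorted(tripped),
        "share_from_tripped_ips": caught / len(events) if events else 0.0,
    }


if __name__ == "__main__":
    for key, value in domain_summary(build_sample_log()).items():
        print(f"{key}: {value}")
```

On this constructed sample only the single noisy source crosses the per-IP limit, while the 40 slow sources account for the rest of the rejected attempts; many source IPs, many distinct addresses and almost no repeated address is the same shape Dave's numbers show.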
Re[2]: [Declude.JunkMail] Distributed Dictionary Attack
The blocklists are great, but at that volume, I can't run Declude on the messages without killing the server.

Why would you ever run Declude on messages for unknown users? Even considering that as an option makes me cringe.

--Sandy

Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED] SpamAssassin plugs into Declude! http://www.mailmage.com/download/software/freeutils/SPAMC32/Release/
Re: [Declude.JunkMail] Distributed Dictionary Attack
My own experience, and what appears to be David's, is that this stuff doesn't generally come in waves from just one machine. Collecting the IPs might be useful for blacklisting at a router level, but the list would be very long. Like Scott said earlier, this probably is just a spammer using a bad list of addresses that they gathered from attacking a domain with the nobody alias.

Dave, I'm just wondering how much load it is to be rejecting these messages at the HELO, provided that you have the nobody alias turned off. That's definitely a ton of load, but if IMail hangs up on it before the message is sent, I'm thinking that the resource hit won't be that bad.

If you want to save yourself some time, and don't get any legit Chinese or Korean traffic, there's a site that has this data in Cisco ACL format as well as others: http://www.okean.com/asianspamblocks.html Blackholes.us has text files for other countries, Taiwan for instance, but you would need to code this up for your router from what they provide.

Matt

Jason wrote:

Try running Black ICE on the server. It does a pretty decent job of auto blocking dictionary attacks. We have it set to close and block a connection after 6 invalid users from an ip in 30 seconds.

Jason

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Doherty Sent: Wednesday, February 04, 2004 11:04 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Distributed Dictionary Attack

The interesting thing about these messages is that the ones I've seen generally don't have multi-hop trails. They look like a zombie connecting directly to the mail server. The blocklists are great, but at that volume, I can't run Declude on the messages without killing the server. So I seem to have two options, both of which I am using: block the IPs before the server, and issue invalid user errors.

One other thing I noticed this evening that points to a coordinated effort: There is very little duplication of the to addresses. The most commonly duplicated address was used only about 150 times in a sample of 275,000 attempts. This is a small domain, one of about 500 on my system, and it has maybe eight or nine mailboxes.

Country sources include a lot of Korea and Taiwan, and I have actually blocked some very large blocks of IP addresses in those places based on the source IPs being well distributed. But there are a lot coming from Canada and the US, also. I've seen a lot of the usual suspects - Comcast, Road Runner, and Rogers.

-Dave
Re: Re[2]: [Declude.JunkMail] Distributed Dictionary Attack
Hi Sandy- Somebody suggested using SBL or one of the blacklists, I forget which. I'm looking at ways to do that without involving the mail server. -Dave

- Original Message - From: Sanford Whiteman [EMAIL PROTECTED] To: Dave Doherty [EMAIL PROTECTED] Sent: Thursday, February 05, 2004 12:31 AM Subject: Re[2]: [Declude.JunkMail] Distributed Dictionary Attack

The blocklists are great, but at that volume, I can't run Declude on the messages without killing the server.

Why would you ever run Declude on messages for unknown users? Even considering that as an option makes me cringe.

--Sandy

Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED]
Re: [Declude.JunkMail] Distributed Dictionary Attack
That sounds like a great idea, Jason. Do you think it will stand up to this volume? -d

- Original Message - From: Jason [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, February 05, 2004 12:09 AM Subject: RE: [Declude.JunkMail] Distributed Dictionary Attack

Try running Black ICE on the server. It does a pretty decent job of auto blocking dictionary attacks. We have it set to close and block a connection after 6 invalid users from an ip in 30 seconds.

Jason

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Doherty Sent: Wednesday, February 04, 2004 11:04 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Distributed Dictionary Attack

The interesting thing about these messages is that the ones I've seen generally don't have multi-hop trails. They look like a zombie connecting directly to the mail server. The blocklists are great, but at that volume, I can't run Declude on the messages without killing the server. So I seem to have two options, both of which I am using: block the IPs before the server, and issue invalid user errors.

One other thing I noticed this evening that points to a coordinated effort: There is very little duplication of the to addresses. The most commonly duplicated address was used only about 150 times in a sample of 275,000 attempts. This is a small domain, one of about 500 on my system, and it has maybe eight or nine mailboxes.

Country sources include a lot of Korea and Taiwan, and I have actually blocked some very large blocks of IP addresses in those places based on the source IPs being well distributed. But there are a lot coming from Canada and the US, also. I've seen a lot of the usual suspects - Comcast, Road Runner, and Rogers.

-Dave
[Declude.JunkMail] IPNOTINMX, NOLEGITCONTENT
I recently turned on the IPNOTINMX and NOLEGITCONTENT filters to see how they work. They seem to do more harm than good, for instance I weight 10 SPAMCOP since that service works well for me, but these filters lowered the weight so that spamcop (only) spams get through. I do understand that they solve an issue of server generated emails, one email that was getting marked as spam was a system report from a firewalled server, IP 10.1.1.something. This email is now not spam, as it shouldn't be, but I'm not sure about the tradeoff. Are other people using these filters successfully? Is it better to keep them with a low negative weight or disable them altogether and just rely on positive tests? Thanks for your input. Robert