[Declude.JunkMail] how to filter NDR's from forged mailfrom addresses in spam mails in the future?

2004-06-11 Thread Markus Gufler



Usually spam messages don't contain forged mailfrom addresses. But theoretically it's possible. Especially spam coming from compromised zombie computers can easily have real existing, forged mailfrom addresses.

The German political spam messages from yesterday are coming from such zombies (sober.g infected computers) and do have forged mailfrom addresses. And finally the spam message usually contains one real and a dozen randomly generated recipient addresses.

So besides the wave of spam messages, we now have to fight against a big wave of useless NDR's.

As far as I can see, NDR's are difficult to handle, because they come from legit mail servers, the mail header has nothing to do with the original mail header (besides the same message id?) and they do not even contain the original message content in the body. Some MTA's attach the original message, some others include only the original headers.

In my opinion it would be a good solution to think about a new test that is able to identify

- original mail headers in the body of the NDR
- eventually also part of the original, but maybe truncated, body below this header
- attachments of the original message in the NDR

If there is any of this content or attachment in the NDR, let all the other spam tests run (IP4R, text-filter, external tests, ...).

Or are there other (simpler) solutions for this?

Markus
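
A sketch of the test proposed above, as an added example that is not part of the original post and is not Declude code: it recovers the original message from an NDR in the three forms mentioned (attached message, attached headers only, headers pasted into the notice text) and hands it to the other tests. The function names, the two stand-in tests and all sample messages are assumptions constructed for illustration.

```python
import email
import re
from email import policy

HEADER_LINE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*:[ \t]+\S")   # "Name: value"
KEY_HEADERS = {"received", "message-id", "from", "subject"}
WS = (" ", "\t")                                                # continuation-line prefixes

def _parse(text):
    return email.message_from_string(text, policy=policy.default)

def _found(kind, headers, body="", attachments=()):
    return {"kind": kind, "headers": headers, "body": body, "attachments": list(attachments)}

def _inline_original(text):
    """Find a pasted header block; return (header_text, text_below) or (None, "")."""
    lines = text.splitlines()
    start = None
    for i, line in enumerate(lines + [""]):      # "" sentinel closes a trailing block
        cont = start is not None and line[:1] in WS and line.strip()
        if HEADER_LINE.match(line) or cont:
            start = i if start is None else start
            continue
        if start is not None:
            block = lines[start:i]
            names = {l.split(":", 1)[0].lower() for l in block if l[:1] not in WS}
            if len(block) >= 3 and names & KEY_HEADERS:   # skip stray "Reason: ..." lines
                return "\n".join(block), "\n".join(lines[i:]).strip()
            start = None
    return None, ""

def extract_original(raw_ndr):
    """Return the original message embedded in an NDR as a dict, or None."""
    parts = list(_parse(raw_ndr).walk())
    for part in parts:                           # 1) original attached as a MIME part
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            orig = part.get_payload(0)
            body = orig.get_body(preferencelist=("plain", "html"))
            text = body.get_content().strip() if body is not None else ""
            files = [a.get_filename() or "(unnamed)" for a in orig.iter_attachments()]
            return _found("attached-message", orig, text, files)
        if ctype == "text/rfc822-headers":
            return _found("attached-headers", _parse(part.get_content()))
    for part in parts:                           # 2) headers pasted into the notice text
        if part.get_content_type() == "text/plain" and isinstance(part.get_payload(), str):
            hdr_text, below = _inline_original(part.get_content())
            if hdr_text:
                return _found("inline-headers", _parse(hdr_text + "\n\n"), below)
    return None

def scan_ndr(raw_ndr, tests):
    """Run each test on the recovered original; return (kind, names of tests that hit)."""
    orig = extract_original(raw_ndr)
    if orig is None:                             # bare notice: nothing to score
        return None, []
    return orig["kind"], [name for name, test in tests.items() if test(orig)]

TESTS = {  # hypothetical stand-ins for "all other spam tests"
    "text-filter": lambda o: "political spam" in f'{o["headers"]["Subject"]} {o["body"]}'.lower(),
    "has-attachment": lambda o: bool(o["attachments"]),
}

# Constructed sample NDRs (example.* names; 192.0.2.10 is a documentation address).
SAMPLE_ATTACHED = """\
Subject: Undeliverable mail
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Your message could not be delivered to qxzv@example.net.
--b1
Content-Type: message/delivery-status

Final-Recipient: rfc822; qxzv@example.net

--b1
Content-Type: message/rfc822

Received: from zombie.example.com ([192.0.2.10]) by mx.example.net
From: real.user@example.org
Subject: Sample political spam subject

Constructed spam body text.
--b1--
"""
NOTICE = "From: postmaster@mail.example.net\nSubject: Delivery failure\n\n"
SAMPLE_INLINE = NOTICE + """\
Delivery to the following recipient failed: jkwq@example.net
----- Original message headers -----
Received: from zombie.example.com ([192.0.2.10]) by mail.example.net
From: real.user@example.org
Subject: Sample political spam subject

Constructed spam body, truncated by the bouncing MTA
"""
SAMPLE_BARE = NOTICE + "User unknown: jkwq@example.net\n"
```

A notice that carries nothing of the original (`SAMPLE_BARE`) yields `(None, [])`, so it has to be handled by some other means than content tests.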




[Declude.JunkMail] NDR's

2004-06-11 Thread declude
Hi,

We are seeing a lot of NDR's coming from legit servers, with a spoofed user name, but 
a correct domain name.

What would be the best way to deal with this ever growing problem?

Regards,

Kevin

__
This email has been Processed using Sorting Office Email Services 
This email and any attachments are confidential to the intended 
recipient and may also be privileged. If you are not the intended 
recipient please delete it from your system and notify the sender. 
You should not copy it or use it for any purpose nor disclose or 
distribute its contents to any other person.

   Sorting Office Email Filter Solution
Anti-Virus | Anti-Spam 
For kad.co.uk
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] NDR's

2004-06-11 Thread declude
Markus

We are seeing 1 in 10 emails which are NDR's and are nothing to do with the 
german-politic spam messages.

Looks like we have a new problem, which is growing quickly.

Scott I hope you can help on this one or anyone else...

Kevin


-- Original Message --
From: Markus Gufler [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Fri, 11 Jun 2004 12:49:55 +0200


 We are seeing a lot of NDR's coming from legit servers, with 
 a spoofed user name, but a correct domain name.
 
 What would be the best way to deal with this ever growing problem.

Yipiieee  :-)
I'm not the only one having this problem.

As I can see these are NDR's from current spam messages having forged but
real existing mailfrom addresses and a lot of random recipient names in
combination with valid domains. (german-politic spam messages sent from
sober.g zombies)

Markus




RE: [Declude.JunkMail] NDR's

2004-06-11 Thread Markus Gufler

 We are seeing a lot of NDR's coming from legit servers, with 
 a spoofed user name, but a correct domain name.
 
 What would be the best way to deal with this ever growing problem.

Yipiieee  :-)
I'm not the only one having this problem.

As I can see these are NDR's from current spam messages having forged but
real existing mailfrom addresses and a lot of random recipient names in
combination with valid domains. (german-politic spam messages sent from
sober.g zombies)

Markus




[Declude.JunkMail] American Specialties, Atlantic Continuum, etc.

2004-06-11 Thread John Moore

We keep getting swamped with mail from:
American Specialties
First Advanced
Altantic Continuum
Pacific Alternative
Gamma Coalition
Alliance Advanced
American Loan Gateway
Crown Specialists
Crown Aggregate
United Coalition
Commonwealth Commercial
and so on all from the same source per that mail period.
Lots of emails with each mailing..

These are the only Declude tests (that we have setup) that they fail
X-Spam-Tests-Failed: SBL, CATCHALLMAILS [7]
We've been adding the IPs to our kill file (Imail 7.x) but of course they 
change with every mailing.

Anybody have success in staying ahead of these varmints?
TIA,
John




Re: [Declude.JunkMail] Blacklist one Country for one Domain

2004-06-11 Thread jeff
 agreed about the body but chances are that an end user is going to
 base their filtering request on what they see in the body and in the
 case of .cz the chances of something matching that other than an email
 address or url are slim

This is concerning order number 213.97.czae.42
Daddy, i learnedto typetheis toy.czyou today
Dear Client -  We have blocked everything with a country domain of 
.cz

You never can tell what will happen.  I didn't realize that the popular 
male drug name was in the word speCIALISt until we advertised a 
Security Specialist position.  :)

Jeff


Re: Possible Spam: RE: [Declude.JunkMail] NDR's

2004-06-11 Thread Rich
We've been getting upwards of 30k messages a day which are NDR's with our
domain name, but with a randomly generated username.  We found that although
our mail server is more than capable of handling the volume, it was creating
a lot of lag with POP3 accounts when the server was being hammered with the
dang things.  Seems this is getting to be the latest craze, spamming with
legit domain names attached to a random username.

So what we did was to set up two BSD/Postfix boxes that filter based on a
list of our valid users which we update as needed.  The incoming NDR's are
then trashed at the BSD/Postfix level and Imail and Declude don't have to
deal with them.  This is kind of like Len Conrad's Imgate, but it only checks
for a valid username before relaying the email into the Imail box.

Rich




RE: Possible Spam: RE: [Declude.JunkMail] NDR's

2004-06-11 Thread Jeff Maze
Was there a HOWTO you found online to do this?  Wouldn't mind attempting
this when I get a chance..
 



Re: Possible Spam: RE: [Declude.JunkMail] NDR's

2004-06-11 Thread Rich
I'm working on creating one, a version of what we have, it's started at
http://www.kendra.com/Support/PerUser_Gateway/index.htm, I'm trying to
finish it today.

Rich




RE: Possible Spam: RE: [Declude.JunkMail] NDR's

2004-06-11 Thread Jeff Maze
Great.. Thanks.. 


Re: [Declude.JunkMail] American Specialties, Atlantic Continuum, etc.

2004-06-11 Thread Rick Davidson
Why not just create a filter file that searches for those specific strings
you listed and use the delete action on them. Trying to gather IPs on those
types of spam runs is futile, they are probably using spam zombies and there
are probably 100s of thousands of those out there. You can even use Imail
message rules to search those strings. You still have to receive the mail
but you can decisively delete it or hold it.

Rick Davidson
National Systems Manager
North American Title Group


[Declude.JunkMail] OT IMail Backup/Restore

2004-06-11 Thread Goran Jovanovic
Hi,

I think this is going to work

I need to backup IMail from the C Drive, reformat the server, create D
drive and then put IMail back on D Drive.

I figure the way to do this is

Old Server

Stop all IMail services
Backup IMail and all directories

Make new server
Install IMail on new server D Drive
Patch it to same level
Restore the IMail directories to D Drive
Check all drive references
Start Services


This should move all the mail and users etc etc

Obviously fix all the Declude filter paths etc.

Will this work?

Thanx


 
 Goran Jovanovic
 The LAN Shoppe



RE: Possible Spam: RE: [Declude.JunkMail] NDR's

2004-06-11 Thread Markus Gufler

 We've been getting upwards of 30k messages a day which are 
 NDR's with our domain name, but with a randomly generated 
 username.  We found that although our mail server is more 
 then capable of handling the volume, it was creating a lot of 
 lag with POP3 accounts when the server was being hammered 
 with the dang things.  Seems this is getting to be the latest 
 craze, spamming with legit domain names attached to a random username.

That's not the current problem.
The problem is NDR's sent back to real existing email addresses because the
original message has had only one (or a few) valid recipient addresses but a
lot of randomly generated name parts of the email address. (In sober.g's case
these are one valid recipient and 39 usually nonexistent, randomly generated
addresses.)

Your gateway would filter out this type of NDRs

Markus





RE: [Declude.JunkMail] OT IMail Backup/Restore

2004-06-11 Thread Tom Baker | Netsmith Inc
When you export the IMail registry hive, look at the resulting file...
If there are hard references to C:, then run a search/replace all to update to D.

If you use SQL for user databases then you'll have to write a small SQL
script to update the mailbox paths for every mailbox. The physical path
is stored in each row.

Other than that, it's exactly what I've done many times.

 



RE: [Declude.JunkMail] OT IMail Backup/Restore

2004-06-11 Thread Mike Hyslip
When you make a backup of Imail's user/domain settings, it might keep the
original drive paths, so check the reg file that is created in case you need
to do a find/replace.



Re: [Declude.JunkMail] Blacklist one Country for one Domain

2004-06-11 Thread Rick Davidson
heh i learned the hard way with specialist as well

don't forget that declude will honor the space at the end of a filtering
string, .cz<space> should have been used... learned the hard way on that too
:-)

Rick Davidson
National Systems Manager
North American Title Group
-
- Original Message - 
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, June 11, 2004 10:40 AM
Subject: Re: [Declude.JunkMail] Blacklist one Country for one Domain


  agreed about the body but chances are that and end user is going to
  base their filtering request on what they see in the body and in the
  case of .cz the chances of something matching that other than an email
  address or url are slim

 This is concerning order number 213.97.czae.42
 Daddy, i learnedto typetheis toy.czyou today
 Dear Client -  We have blocked everything with a country domain of
 .cz

 You never can tell what will happen.  I didn't realize that the popular
 male drug name was in the word speCIALISt until we advertised a
 Security Specialist position.  :)

 Jeff


RE: [Declude.JunkMail] Off Topic? - Complaints from AOL

2004-06-11 Thread John Tolmachoff \(Lists\)
How would you change the JavaScript?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Friday, June 11, 2004 9:15 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Off Topic? - Complaints from AOL

Change it once (either manually or by script) and also change the webmail
interface to use JavaScript to not allow @aol.com addresses in alias or
account forwards.

Darin.

- Original Message -
From: John Tolmachoff (Lists)
To: [EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 1:08 PM
Subject: RE: [Declude.JunkMail] Off Topic? - Complaints from AOL

Is there a good and/or proper and/or easy and/or acceptable way to allow
forwarding to other than AOL without having to go to each user's
configuration and remove the forwarding to AOL, of which would be worthless
as the user would just go back in and change it back?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


RE: Possible Spam: RE: [Declude.JunkMail] NDR's

2004-06-11 Thread declude
Hi Markus,

I know what you mean, just like the list below

I have a customer, nst.ie, and this is what is happening to them.

Kevin



-- Original Message --
From: Markus Gufler [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Fri, 11 Jun 2004 18:06:41 +0200


 We've been getting upwards of 30k messages a day which are 
 NDR's with our domain name, but with a randomly generated 
 username.  We found that although our mail server is more 
 then capable of handling the volume, it was creating a lot of 
 lag with POP3 accounts when the server was being hammered 
 with the dang things.  Seems this is getting to be the latest 
 craze, spamming with legit domain names attached to a random username.

That's not the current problem.
The problem is NDR's sent back to real, existing email addresses because the
original message had only one (or a few) valid recipient addresses but a
lot of randomly generated name parts of the email address. (In the sober.g
case this is one valid recipient and 39 usually nonexistent, randomly
generated addresses.)

Your gateway would filter out this type of NDRs

Markus





Re: [Declude.JunkMail] Off Topic? - Complaints from AOL

2004-06-11 Thread Darin Cox
I don't have a script to give you as we haven't enforced this yet, this is
just a way that you could do it. You would add a JavaScript validation
routine to the page (attached to the form action) to parse the text field
and present an error if the email address ends in @aol.com, otherwise
submit the form.

Darin.

- Original Message -
From: John Tolmachoff (Lists)
To: [EMAIL PROTECTED]
Sent: Friday, June 11, 2004 12:24 PM
Subject: RE: [Declude.JunkMail] Off Topic? - Complaints from AOL

How would you change the JavaScript?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Friday, June 11, 2004 9:15 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Off Topic? - Complaints from AOL

Change it once (either manually or by script) and also change the webmail
interface to use JavaScript to not allow @aol.com addresses in alias or
account forwards.

Darin.

- Original Message -
From: John Tolmachoff (Lists)
To: [EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 1:08 PM
Subject: RE: [Declude.JunkMail] Off Topic? - Complaints from AOL

Is there a good and/or proper and/or easy and/or acceptable way to allow
forwarding to other than AOL without having to go to each user's
configuration and remove the forwarding to AOL, of which would be worthless
as the user would just go back in and change it back?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


Re: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails

2004-06-11 Thread Rick Davidson
Hi Markus!
Getting your messages now, for me the solution was as simple as allowing
email through with [declude in the subject, I don't like blocking by IP
unless it's a legit email marketing company who doesn't change IP addresses
and with the nifty new remoteip 0 cidr filtering capability it's easy to
bypass the ip blocking.

Odd thing is I was nailing some of your email with interbusiness.it and I
don't see that anywhere in the headers of your current messages

I do punish dot info and dot biz quite severely with weight, aside from your
dot info domain the other 799,999 are suspect to me :-)

your English is great, it's a lot better than quite a few groups of people here
in the US

Rick Davidson
National Systems Manager
North American Title Group
440-953-9346 - Office
440-953-0925 - Fax
440-487-7344 - Mobile
[EMAIL PROTECTED]
-
- Original Message - 
From: Gufler Markus [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 5:45 PM
Subject: Re: [Declude.JunkMail] COMBO-Filter solution for todays german
polite emails



 Hopefully it's not because my email-address is an info domain. Over 2
years ago (march 2002) there was registered already over 80 info domains
around the world. As I know on the IPSwitch website you can't subscribe to
the newsletter because .info is not a valid top level domain
 Looks like internet is old enough now to have also some conservative
people inside  ;-)

 I assume that most of my messages will be filtered because the dynamic IP
addresses of our DSL-connection is listed in more or less IP-Blacklists.
This not because we're an open relay but because this are dynamic IP's and
the entire class B range seems to be blacklisted (at least temporary).
 I can understand that most people in oversea can see more spam than legit
messages coming from this IPs. And I can understand if someone decides to
punish them.
 We also assign a small weight to any message coming from the USA because
from the 26% of all messages coming from the USA only 3% are legit
messages.
 This should not be a punishment for a country, but it's simple mathematic
logic to improve our spam filters detection rate.


 Maybe you can see this message only because I send them - for this time -
through the webmail interface and so from a clean IP address.

 What I would suggest is that anyone reading messages in this list should
try to whitelist declude list messages.
 There are several cases that declude list messages contains suspicious
content: spam examples, filter definitions, or simple help request from an
admin that has an IP blacklisted mailserver.

 If you don't whitelist declude list messages very probably you're missing
some important information.

 As I can understand, the best way to whitelist declude messages is to
whitelist the IP of the declude list server:

 Simply put

 WHITELIST  IP  68.162.218.198

 in your global.cfg line.

 Hope this helps, and you can understand my english



[Declude.JunkMail] NDR's

2004-06-11 Thread geneh
What log file are you looking at to see these NDR's?

I don't think I'm having this problem yet, but I want to make sure.

Thanks

Gene 





Sent via the WebMail system at accram.com


 
   


RE: Possible Spam: RE: [Declude.JunkMail] NDR's

2004-06-11 Thread Kevin Bilbee
looks to me that the spammer is just using a dictionary of user names and
sending to them by appending on the domain name in the hopes that they may
get a hit on another mailbox.


Kevin Bilbee




 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of declude
 Sent: Friday, June 11, 2004 9:35 AM
 To: [EMAIL PROTECTED]
 Subject: RE: Possible Spam: RE: [Declude.JunkMail] NDR's


 Hi Markus,

 I know what you mean, just like the list below

 I have a customer, nst.ie, and this is what is happening to them.

 Kevin



 -- Original Message --
 From: Markus Gufler [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 Date:  Fri, 11 Jun 2004 18:06:41 +0200

 
  We've been getting upwards of 30k messages a day which are
  NDR's with our domain name, but with a randomly generated
  username.  We found that although our mail server is more
  then capable of handling the volume, it was creating a lot of
  lag with POP3 accounts when the server was being hammered
  with the dang things.  Seems this is getting to be the latest
  craze, spamming with legit domain names attached to a random username.
 
 That's not the current problem.
 The problem is NDR's sent back to real, existing email addresses because the
 original message had only one (or a few) valid recipient addresses but a
 lot of randomly generated name parts of the email address. (In the sober.g
 case this is one valid recipient and 39 usually nonexistent, randomly
 generated addresses.)
 
 Your gateway would filter out this type of NDRs
 
 Markus
 
 
 

[Declude.JunkMail] New Test Idea

2004-06-11 Thread Rick Davidson
Would it be possible for declude to do DNS lookups on the urls in the body
of the email message and then run the IP address against an ipfile or a
filter file using remoteip? This would defeat the registering of tons of
domains that a lot of times point back to the same web server. It is easy to
find the netblocks that the large discount web hosting companies use so
using the remoteip 0 cidr could be used better in the weighting system. For
example:

Servpath out of San Francisco has these netblocks, a lot of legit (i hate
using that term here) email marketing spam comes from these netblocks (so
much that I block them outright because my users aren't allowed to use their
email for non business purposes) but for the sake of this example weight
could be added to a message if a URL in the body translated to an IP in
these ranges.

remoteip 10 cidr 64.151.64.0/19
remoteip 10 cidr 69.59.128.0/18

It seems to me that it could be pretty effective, have it run with the DNS
tests and before the filters so it could be used in testsfailed end lines

My list of URLs is getting huge and I am sure a lot of them are obsolete now.

What do you think? Doable?

Rick Davidson
National Systems Manager
North American Title Group
-
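
The test proposed in the post above, as an added Python sketch (not part of the original post and not Declude code): pull the hosts out of body URLs, resolve them, and add a netblock's weight once per message when any address lands in it. Reading the second field of the `remoteip` lines as the weight, the once-per-netblock scoring, all function names, and the constructed sample body and DNS table are assumptions.

```python
import ipaddress
import re
import socket

# The two netblock lines from the post. Reading the second field as the
# weight to add is an assumption made for this example.
RULES_TEXT = """\
remoteip 10 cidr 64.151.64.0/19
remoteip 10 cidr 69.59.128.0/18
"""

# Authority part of an http(s) URL: everything up to the first / ? # or space.
URL_RE = re.compile(r"https?://([^\s/?#<>\"']+)", re.IGNORECASE)


def parse_rules(text):
    """Return [(weight, network)] from 'remoteip <weight> cidr <netblock>' lines."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0].lower() == "remoteip" and fields[2].lower() == "cidr":
            rules.append((int(fields[1]), ipaddress.ip_network(fields[3])))
    return rules


def body_hosts(body):
    """Distinct hosts named in body URLs, lower-cased, in order of appearance."""
    hosts = []
    for match in URL_RE.finditer(body):
        # Drop userinfo ("user:pw@") and punctuation that trails the URL in prose.
        authority = match.group(1).rsplit("@", 1)[-1].rstrip(".,;)")
        # Drop the port and the trailing dot of a fully qualified name.
        host = re.sub(r":\d*$", "", authority).rstrip(".").lower()
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def system_resolver(host):
    """IPv4 addresses for host from the system resolver; [] when it does not resolve."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    except (OSError, UnicodeError):
        return []
    return sorted({info[4][0] for info in infos})


def score_body(body, rules, resolve=system_resolver):
    """Return (total_weight, hits); each netblock adds its weight at most once."""
    fired = {}  # network -> (weight, host, address) for the first URL that hit it
    for host in body_hosts(body):
        try:
            addresses = [ipaddress.ip_address(host)]  # URL used a literal IP
        except ValueError:
            addresses = [ipaddress.ip_address(a) for a in resolve(host)]
        for weight, network in rules:
            if network in fired:
                continue
            hit = next((a for a in addresses if a in network), None)
            if hit is not None:
                fired[network] = (weight, host, str(hit))
    total = sum(weight for weight, _, _ in fired.values())
    hits = [(host, addr, str(net)) for net, (_, host, addr) in fired.items()]
    return total, hits


# Constructed sample: reserved example names and a made-up DNS table, so the
# example runs offline. Two different domains point at the same web server.
SAMPLE_BODY = """\
Limited offer: http://cheap-pills.example/buy?id=7 or http://www.best-deals.example:8080/
Mirror at HTTP://Promo.Invalid./x, unsubscribe via http://lists.example.org/u
"""
CONSTRUCTED_DNS = {
    "cheap-pills.example": ["64.151.70.12"],
    "www.best-deals.example": ["64.151.70.12"],
    "promo.invalid": ["69.59.190.5"],
    "lists.example.org": ["192.0.2.10"],
}


def constructed_resolver(host):
    """Stand-in for DNS that answers only from the constructed table above."""
    return CONSTRUCTED_DNS.get(host, [])


if __name__ == "__main__":
    total, hits = score_body(SAMPLE_BODY, parse_rules(RULES_TEXT), constructed_resolver)
    print("weight added:", total)
    for host, address, netblock in hits:
        print(f"  {host} -> {address} in {netblock}")
```

Because the match is on the resolved address, the second domain on the same server adds nothing new to maintain: no per-domain URL list entry is needed for it to be caught.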



Re: [Declude.JunkMail] New Test Idea

2004-06-11 Thread Scott Fisher
This was kind of suggested when the SURBL came out.
Do you use the SURBL code?

I don't know if anyone is interested but I've got a batch file that goes through last 
month's logs (it works on log level high) and pulls out all matches for a Body URL 
filter. It can help trim the deadwood.
I've attached it renamed as a .txt file.

Scott Fisher
Director of IT
Farm Progress Companies

 [EMAIL PROTECTED] 06/11/04 01:12PM 
Would it be possible for declude to do DNS lookups on the urls in the body
of the email message and then run the IP address against an ipfile or a
filter file using remoteip? This would defeat the registering of tons of
domains that alot of times point back to the same web server. It is easy to
find the netblocks that the large discount web hosting companies use so
using the remoteip 0 cidr could be used better in the weighting system. For
example:

Servpath out of San Francisco has these netblocks, alot of legit (i hate
using that term here) email marketing spam comes from these netblocks (so
much that I block them out right because my users arent allowed to use their
email for non business purposes) but for the sake of this example weight
could be added to a message if  a URL in the body translated to an IP in
these ranges.

remoteip 10 cidr 64.151.64.0/19
remoteip 10 cidr 69.59.128.0/18

It seems to me that it could be pretty effective, have it run with the DNS
tests and before the filters so it could be used in testsfailed end lines

My list of URLs is getting huge and I am sure alot of them are obsolete now.

What do you think? Doable?

Rick Davidson
National Systems Manager
North American Title Group
-


@echo off
rem
rem Credit for portions of this code go to [EMAIL PROTECTED]
rem
rem These settings must be done (SETTINGS section below) before the script is used:
rem v_path: path to this folder
rem v_logpath: path to the logs
rem v_maxweight: filter max weight (blank or 0 if no max weight should be used)
rem  and filter entry weight (defaults to 0 if blank)
rem v_skipweight: filter skip weight (blank or 0 if filter never should be skipped)
rem v_filter: name of the Declude Filter as it appears in the log

set v_maxweight=80
set v_skipweight=240
set v_path=d:\imail\declude\fpfilters
set v_logpath=d:\logs\junkmail
set v_filter=BODYURL-KEYWORDS

rem --- Check settings and change current folder (or exit if path is incorrect): ---
set v_result=ok
if "%v_maxweight%"=="" set v_maxweight=0
if "%v_skipweight%"=="" set v_skipweight=0
if not exist %v_path%\nul (set v_result=path error) & (goto :s_end)
if not exist %v_logpath%\nul (set v_result=log path error) & (goto :s_end)
cd /d %v_path%

Rem --- Get the date for the Log
for /f "tokens=*" %%a in ('date /t') do set v_time=%%a
for /f "tokens=*" %%b in ('time /t') do set v_time=%v_time% %%b

Rem --- Get the previous month
for /f "tokens=1-2 delims=/ " %%a in ('date /t') do set v_Current_month=%%b
if %V_current_month%==01 set v_Previous_month=12
if %V_current_month%==02 set v_Previous_month=01
if %V_current_month%==03 set v_Previous_month=02
if %V_current_month%==04 set v_Previous_month=03
if %V_current_month%==05 set v_Previous_month=04
if %V_current_month%==06 set v_Previous_month=05
if %V_current_month%==07 set v_Previous_month=06
if %V_current_month%==08 set v_Previous_month=07
if %V_current_month%==09 set v_Previous_month=08
if %V_current_month%==10 set v_Previous_month=09
if %V_current_month%==11 set v_Previous_month=10
if %V_current_month%==12 set v_Previous_month=11

Rem --- Extract loglines containing Triggered Contains Filter (filter name)
if exist bodyurl.loglines.txt erase bodyurl.loglines.txt

Rem
Rem   Previous Month's logs in the folder code
Rem
findstr /i Triggered.CONTAINS.Filter.%v_filter% %v_logpath%\dec%v_Previous_month%*.log > bodyurl.loglines.txt

Rem
Rem   All logs in the folder code
Rem
Rem findstr /i Triggered.CONTAINS.Filter.%v_filter% %v_logpath%\dec*.log > bodyurl.loglines.txt

Rem --- Extract domain names from filter file
if exist bodyurl.domains.txt erase bodyurl.domains.txt
for /f "tokens=9" %%i in ('findstr /i /r /V FILTER-BYPASS bodyurl.loglines.txt') do echo %%i >> bodyurl.domains.txt

rem --- Sort the domain file
if exist bodyurl.sorted.txt erase bodyurl.sorted.txt
sort bodyurl.domains.txt /o bodyurl.sorted.txt

rem --- Dedup sorted file
if exist bodyurl.dedup.txt erase bodyurl.dedup.txt
setlocal
set infile=bodyurl.sorted.txt
set outfile=bodyurl.dedup.txt
type nul > %outfile%
for /f "tokens=1* delims=:" %%a in (
  'type %infile%
  ^| sort
  ^| findstr /n /v /c:"CoLoRlEsS gReEn IdEaS"'
) do call :dedup %%a %%b
endlocal
goto :Makefilter

:dedup
set curr_rec=%2
if [%curr_rec%]==[] set curr_rec=$$$blankline$$$
set 

Re: [Declude.JunkMail] New Test Idea

2004-06-11 Thread Rick Davidson
I downloaded the surbl code but have not implemented it yet cause of all the
monkey business associated with it, I am working on getting it going

thanks for that batch file!

Rick Davidson
National Systems Manager
North American Title Group
-
- Original Message - 
From: Scott Fisher [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, June 11, 2004 3:03 PM
Subject: Re: [Declude.JunkMail] New Test Idea


This was kind of suggested when the SURBL came out.
Do you use the SURBL code.

I don't know if anyone is interested but I've got a batch file that goes
through last month's logs (it works on log level high) and pulls out all
matches for a Body URL filter. It can help trim the deadwood.
I've attached it renamed as a .txt file.

Scott Fisher
Director of IT
Farm Progress Companies

 [EMAIL PROTECTED] 06/11/04 01:12PM 
Would it be possible for declude to do DNS lookups on the urls in the body
of the email message and then run the IP address against an ipfile or a
filter file using remoteip? This would defeat the registering of tons of
domains that alot of times point back to the same web server. It is easy to
find the netblocks that the large discount web hosting companies use so
using the remoteip 0 cidr could be used better in the weighting system. For
example:

Servpath out of San Francisco has these netblocks, alot of legit (i hate
using that term here) email marketing spam comes from these netblocks (so
much that I block them out right because my users arent allowed to use their
email for non business purposes) but for the sake of this example weight
could be added to a message if  a URL in the body translated to an IP in
these ranges.

remoteip 10 cidr 64.151.64.0/19
remoteip 10 cidr 69.59.128.0/18

It seems to me that it could be pretty effective, have it run with the DNS
tests and before the filters so it could be used in testsfailed end lines

My list of URLs is getting huge and I am sure alot of them are obsolete now.

What do you think? Doable?

Rick Davidson
National Systems Manager
North American Title Group
-



[Declude.JunkMail] WHITELIST TO somebody@myserver.com

2004-06-11 Thread Jay Calvert
If I use this option will it whitelist all incoming to a particular user or
is this for outgoing mail only?





RE: [Declude.JunkMail] OT IMail Backup/Restore

2004-06-11 Thread Goran Jovanovic
Tom,


Is there more in the registry than under

HKLM\Software\Ipswitch\.


 
 Goran Jovanovic
 The LAN Shoppe

 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of Tom Baker | Netsmith Inc
 Sent: Friday, June 11, 2004 12:07 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.JunkMail] OT IMail Backup/Restore
 
 When you export the imail registry hive
 Look at the resulting file...
 If there are hard references to C:
 Then run a search/replace all to update to D
 
 If you use SQL for user databases then you'll have to write a small sql
 script to update the mailbox paths for every mailbox. The physical path
 is stored in each row.
 
 Other than that, it's exactly what I've done many times.
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Goran
Jovanovic
 Sent: Friday, June 11, 2004 11:01 AM
 To: [EMAIL PROTECTED]
 Subject: [Declude.JunkMail] OT IMail Backup/Restore
 
 Hi,
 
 I think this is going to work
 
 I need to backup IMail from the C Drive, reformat the server, create D
 drive and then put IMail back on D Drive.
 
 I figure the way to do this is
 
 Old Server
 
 Stop all IMail services
 Backup IMail and all directories
 
 Make new server
 Install IMail on new server D Drive
 Patch it to same level
 Restore the IMail directories to D Drive Check all drive references
 Start Services
 
 
 This should move all the mail and users etc etc
 
 Obviously fix all the Declude filter paths etc.
 
 Will this work?
 
 Thanx
 
 
 
  Goran Jovanovic
  The LAN Shoppe
 


[Declude.JunkMail] OT: Dedicated web hosting

2004-06-11 Thread Kevin Bilbee
We are looking for a good dedicated web hosting company in France that
speaks English.

Any good recommendations out there?


Kevin Bilbee




RE: [Declude.JunkMail] OT IMail Backup/Restore

2004-06-11 Thread Tom Baker | Netsmith Inc
That's all that you need
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Friday, June 11, 2004 4:21 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] OT IMail Backup/Restore

Tom,


Is there more in the registry than under

HKLM\Software\Ipswitch\.


 
 Goran Jovanovic
 The LAN Shoppe

 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- 
 [EMAIL PROTECTED] On Behalf Of Tom Baker | Netsmith Inc
 Sent: Friday, June 11, 2004 12:07 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.JunkMail] OT IMail Backup/Restore
 
 When you export the imail registry hive, look at the resulting file...
 If there are hard references to C:
 Then run a search/replace all to update to D
 
 If you use SQL for user databases then you'll have to write a small sql
 script to update the mailbox paths for every mailbox. The physical path
 is stored in each row.
 
 Other than that, it's exactly what I've done many times.
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
 Sent: Friday, June 11, 2004 11:01 AM
 To: [EMAIL PROTECTED]
 Subject: [Declude.JunkMail] OT IMail Backup/Restore
 
 Hi,
 
 I think this is going to work
 
 I need to backup IMail from the C Drive, reformat the server, create D
 drive and then put IMail back on D Drive.
 
 I figure the way to do this is
 
 Old Server
 
 Stop all IMail services
 Backup IMail and all directories
 
 Make new server
 Install IMail on new server D Drive
 Patch it to same level
 Restore the IMail directories to D Drive
 Check all drive references
 Start Services
 
 
 This should move all the mail and users etc etc
 
 Obviously fix all the Declude filter paths etc.
 
 Will this work?
 
 Thanx
 
 
 
  Goran Jovanovic
  The LAN Shoppe
 
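The search/replace step described in the message above, as an added example that is not part of the original thread and is not Ipswitch or Declude code. The subkey, value names and sample export are constructed; the sketch also patches `hex(2)`/`hex(7)` values, where paths are stored as UTF-16LE bytes that a plain text search for `C:` never sees.

```python
import re

# Constructed regedit export; the subkey and value names are hypothetical.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Ipswitch\ExampleKey]
"TopDir"="C:\\IMail"
"Note"="see doc:\\chapter 3"
"SpoolDir"=hex(2):43,00,3a,00,5c,00,49,00,4d,00,61,00,69,00,6c,00,5c,00,73,00,\
  70,00,6f,00,6f,00,6c,00,00,00
'''

# hex(2) = REG_EXPAND_SZ, hex(7) = REG_MULTI_SZ: UTF-16LE bytes, comma separated,
# long values continued with a trailing backslash and an indented next line.
HEX_VALUE = re.compile(r"(=hex\([27]\):)((?:[0-9a-fA-F]{2}(?:,(?:\\\r?\n[ \t]*)?)?)*)")


def relocate_reg(text, old="C", new="D"):
    """Return (rewritten_text, hits) with old-drive paths moved to the new drive."""
    hits = 0
    needle = (old.lower() + ":\\").encode("utf-16-le")

    def swap(ch):  # keep the case the export used for the drive letter
        return new.upper() if ch.isupper() else new.lower()

    def fix_string(m):
        nonlocal hits
        hits += 1
        return swap(m.group())

    def fix_hex(m):
        nonlocal hits
        data = list(m.group(2))
        toks = [t.span() for t in re.finditer(r"[0-9a-fA-F]{2}", m.group(2))]
        raw = bytes(int(m.group(2)[a:b], 16) for a, b in toks)
        for i in range(0, len(raw) - 5, 2):  # UTF-16 code units sit on even offsets
            after_letter = i >= 2 and raw[i - 1] == 0 and chr(raw[i - 2]).isalpha()
            if raw[i:i + 6].lower() == needle and not after_letter:
                a, b = toks[i]
                data[a:b] = "%02x" % ord(swap(chr(raw[i])))  # same width, layout kept
                hits += 1
        return m.group(1) + "".join(data)

    text = HEX_VALUE.sub(fix_hex, text)
    # In string values backslashes are doubled, so a path starts with X:\\ ;
    # the lookbehind skips text such as "doc:\\" that merely ends in the letter.
    pattern = r"(?<![A-Za-z])[%s%s](?=:\\\\)" % (old.lower(), old.upper())
    return re.sub(pattern, fix_string, text), hits
```

Regedit's version 5.00 exports are UTF-16 text, so read and write the file with `encoding="utf-16"`, and diff the result against the export before importing it.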


[Declude.JunkMail] Whitelist that in address book

2004-06-11 Thread Mike Wiegers
Starting to get some spoofed from email addresses, and these addresses are in
the user's address book. Because they are in the address book they are
whitelisted and therefore delivered. So far the spoofed from email addresses used
are from the same domain. Is there any way around this problem?

Thanks,
Mike



RE: [Declude.JunkMail] trivial question

2004-06-11 Thread Kevin Bilbee
All the lines.


Kevin Bilbee

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of serge
 Sent: Friday, June 11, 2004 6:29 PM
 To: [EMAIL PROTECTED]
 Subject: [Declude.JunkMail] trivial question
 
 
 but i had a tough week, so bear with me
 
 if a mail matches different lines in a filter, it will get the total weight
 of all matched lines, or the first matched line weight ?
 
 TIA
 


RE: [Declude.JunkMail] trivial question

2004-06-11 Thread John Tolmachoff \(Lists\)
I believe it will get a total of the matched lines.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of serge
 Sent: Friday, June 11, 2004 6:29 PM
 To: [EMAIL PROTECTED]
 Subject: [Declude.JunkMail] trivial question
 
 but i had a tough week, so bear with me
 
 if a mail matches different lines in a filter, it will get the total weight
 of all matched lines, or the first matched line weight ?
 
 TIA
 


[Declude.JunkMail] trivial question

2004-06-11 Thread serge
but i had a tough week, so bear with me

if a mail matches different lines in a filter, it will get the total weight
of all matched lines, or the first matched line weight ?

TIA
