[Declude.JunkMail] Interesting Spamming Technique
Hello, All,

In addition to doing spam filtering for some of our IMail hosting customers we also do Store and Forward filtering for a few domains. In the past day or so I've had complaints from Store and Forward customers about an increase in spam. When I check the headers of the e-mail they are sending to me I don't see any indication that the e-mail was routed through us and NOT picked up as spam. Instead it looks like the mail was delivered directly to their e-mail servers and did the end around our Store and Forward.

The thing is I have no idea how the spammer even knew the direct IP addresses of our customers because those don't show up anywhere in their DNS records. Although I guess they could just be running port scans and checking for responses on port 25 and attempting delivery of spam that way without using DNS lookups.

But part of the IMail Store and Forward documentation involves locking down the SMTP server to only accept e-mail from the relaying IP address. I'm 99% sure that we had the customers lock down their incoming e-mail to only accept connections from us but I need to confirm that.

In the meantime has anyone noticed an increase in this direct delivery method which basically ignores the current DNS system?

Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED]

---
Sign up for virus-free and spam-free e-mail with Nexus Technology Group
http://www.nexustechgroup.com/mailscan

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
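The header check Dan describes (does the message carry a hop from the Store and Forward relay, or did it land on the customer's MTA directly?) can be automated. The Python below is an added example, not code from this thread or from Declude or IMail; the gateway address 203.0.113.10, the host names and the two sample messages are constructed for illustration.

```python
"""Flag mail that reached a customer's MTA without passing through the
Store and Forward gateway (the "end around" described in the thread).

Added example; not code from the thread, Declude or IMail. The gateway
address, host names and sample messages below are constructed.
"""
import email
import re

# Addresses the filtering relay connects from (constructed for this example).
GATEWAY_IPS = {"203.0.113.10"}

# A receiving MTA records the peer address in square brackets, e.g.
# "from foo.example (foo.example [198.51.100.7])". That bracketed value is
# what the MTA observed on the socket; the rest of the header text is
# supplied by whoever connected and is not evidence of anything.
_PEER_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(raw_message: str) -> list:
    """Peer IP of every Received: header, most recent hop first.

    Hops whose header carries no bracketed address yield None.
    """
    msg = email.message_from_string(raw_message)
    ips = []
    for header in msg.get_all("Received", []):
        match = _PEER_IP.search(header)
        ips.append(match.group(1) if match else None)
    return ips


def bypassed_gateway(raw_message: str) -> bool:
    """True when the final hop into the customer MTA was not the gateway.

    Only the topmost Received: header is consulted. It was written by the
    customer's own MTA, so its peer address is trustworthy; a lower header
    naming the gateway proves nothing, because it arrived with the message.
    """
    ips = received_ips(raw_message)
    return not ips or ips[0] not in GATEWAY_IPS


def triage(messages: dict) -> list:
    """Labels of the messages that did not arrive via the gateway, sorted."""
    return sorted(label for label, raw in messages.items() if bypassed_gateway(raw))


# --- constructed samples -------------------------------------------------
VIA_GATEWAY = """\
Received: from gw.filter.example (gw.filter.example [203.0.113.10])
 by mail.customer.example (IMail) with SMTP; Thu, 18 Nov 2004 07:32:00 -0500
Received: from sender.example.org (sender.example.org [198.51.100.7])
 by gw.filter.example with SMTP; Thu, 18 Nov 2004 07:31:58 -0500
From: someone@example.org
To: user@customer.example
Subject: constructed sample that went through the relay

hello
"""

# Delivered straight to the customer's IP. The lower Received: line claims
# the relay handled it, but that line came with the message rather than
# from the customer MTA, so the check above does not consult it.
DIRECT = """\
Received: from zombie.example.net ([192.0.2.44])
 by mail.customer.example (IMail) with SMTP; Thu, 18 Nov 2004 07:40:00 -0500
Received: from gw.filter.example (gw.filter.example [203.0.113.10])
 by zombie.example.net with SMTP; Thu, 18 Nov 2004 07:39:59 -0500
From: someone@example.org
To: user@customer.example
Subject: constructed sample that skipped the relay

hello
"""

SAMPLES = {"via_gateway": VIA_GATEWAY, "direct": DIRECT}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        verdict = "BYPASS" if bypassed_gateway(raw) else "ok"
        print(label, received_ips(raw), verdict)
```

Run against a customer's stored mail, a non-empty `triage` result is the signal that the port 25 lockdown discussed in the replies is missing or incomplete.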
RE: [Declude.JunkMail] Interesting Spamming Technique
Absolutely!

Once we installed a Postfix gateway and updated the MX records for a particular domain under constant dictionary attacks we dramatically cut down the network flood of unknown users. However that domain is still getting a smaller flood of unknown user spam at the old location. We suspect they are doing a port scan and/or just trying mail.domainname.tld which was the original.

Our next step is to get all our customers for that domain to move to a different domain name SMTP and POP addresses. Would love to bypass the process of elimination and go to the heart of the spammer bypass.

Michael Jaworski
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan Geiser
Sent: Thursday, November 18, 2004 7:32 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Interesting Spamming Technique
Re: [Declude.JunkMail] Interesting Spamming Technique
I've seen about 4 different spammers, 3 zombie spammers/gangs and one static porn spammer, cache old MX records for indefinite periods of time. It appears that they load their machines with a table containing the IP of the domain in question, and they don't often refresh such records, and maybe not at all.

Locking down port 25 on the router or the MTA software on the customer's end to only accept non-AUTHed E-mail has worked so far as I can tell. There's no reason that this shouldn't work if done properly. Try a telnet connection to test send E-mail from your PC and that should verify if they are in fact locked down.

Matt

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
Re: [Declude.JunkMail] Interesting Spamming Technique
Michael,

If you can't lock down the mail server, just change the IP once all of the MX records no longer point to that box. As far as I can tell, they don't cache the MX records, they only cache the IP that the old MX records resolved to. I was concerned about the possibility of spammers guessing mail.domain.tld, but I have found only evidence of old IP's being cached so far.

Matt
RE: [Declude.JunkMail] Interesting Spamming Technique
Hi Dan,

What we do for our store and forward customers is to lock down their firewall to only accept port 25 traffic from our IPs. Instant end to the end-around problem.

I moved an MX record about a week ago for a domain and I am still seeing about 1000 messages per day still hitting the old IP address and 98% of them are WEIGHT10+.

Goran Jovanovic
The LAN Shoppe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED]] On Behalf Of Dan Geiser
Sent: Thursday, November 18, 2004 10:32 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Interesting Spamming Technique
[Declude.JunkMail] Erroneous whitelisting
We're having a problem with some spam being whitelisted when it shouldn't be. Here's the situation:

[EMAIL PROTECTED] is an alias that redirects to account@domain2.com

domain1.com is whitelisted, domain2.com isn't.

For all other domains this is working fine (whitelisted or not), and mail is filtered since domain2.com is not whitelisted. However, for this one domain the forwarded email is suddenly being whitelisted. I've checked and rechecked the whitelist and it is specified properly (domain1 whitelisted/domain2 not whitelisted)... just don't know why we're suddenly not getting filtering on domain2.com.

Any ideas?

Darin.
Re: [Declude.JunkMail] Erroneous whitelisting
Message header and logs both show whitelisted:

X-Note: Spam Tests Failed: Whitelisted

Log (loglevel high) shows

11/18/2004 15:19:18 Q03614e0103e09e9d SNIFFER:125 AHBL:42 CSMA-SBL:35 PSBL:14 SBL:49 SPAMCOP:100 UCEPROTECTL2:21 MAILPOLICE-BULK:105 AHBLPROXIES:35 NJABLPROXIES:35 SPAMHEADERS:21 . Total weight = 582.
11/18/2004 15:19:18 Q03614e0103e09e9d E-mail whitelisted - automatically passing all spam tests [EMAIL PROTECTED]
11/18/2004 15:19:18 Q03614e0103e09e9d L1 Message OK
11/18/2004 15:19:18 Q03614e0103e09e9d Subject: Re: You'll be so excited you won't be able to sleep
11/18/2004 15:19:18 Q03614e0103e09e9d From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 66.63.173.35 ID: hoi9de050u4e
11/18/2004 15:19:18 Q03614e0103e09e9d Tests failed [weight=0]: CATCHALLMAILS=IGNORE
11/18/2004 15:19:18 Q03614e0103e09e9d Last action = IGNORE.

Again, [EMAIL PROTECTED] is an alias forwarding to [EMAIL PROTECTED]. domain2.com is NOT whitelisted, as is verified by other mail to that domain. So, we see this should have been toast, but for some reason filtering wasn't enforced on domain2.com. We delete at 250, so this one should have been deleted and never reached [EMAIL PROTECTED].

Thoughts?

Darin.

----- Original Message -----
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, November 18, 2004 4:31 PM
Subject: Re: [Declude.JunkMail] Erroneous whitelisting

> We're having a problem with some spam being whitelisted when it shouldn't be. Here's the situation:

What does the X-Spam-Tests-Failed: header show? What does the Declude JunkMail log file show?

-Scott

---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com.
Re: [Declude.JunkMail] Erroneous whitelisting
> Log (loglevel high) shows
>
> 11/18/2004 15:19:18 Q03614e0103e09e9d E-mail whitelisted - automatically passing all spam tests [EMAIL PROTECTED]
> 11/18/2004 15:19:18 Q03614e0103e09e9d From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 66.63.173.35 ID: hoi9de050u4e
>
> Again, [EMAIL PROTECTED] is an alias forwarding to [EMAIL PROTECTED]. domain2.com is NOT whitelisted, as is verified by other mail to that domain. So, we see this should have been toast, but for some reason filtering wasn't enforced on domain2.com. We delete at 250, so this one should have been deleted and never reached [EMAIL PROTECTED].

Are you using SWITCHRECIPS ON? Declude is seeing the recipient as domain1.com, per the To: log file entry.

-Scott
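The condition Scott points at, a message that scored past the delete threshold yet was passed because the recipient Declude applied its config to was whitelisted, can be pulled out of a loglevel-high log mechanically. This Python is an added example, not code from the thread or from Declude; the line shapes follow the excerpt Darin posted, while the second queue ID, the addresses and the HOLD line in the sample log are constructed.

```python
"""Find Declude JunkMail log entries where a whitelist overrode a spam
score above the delete threshold (the case in the thread above).

Added example, not code from the thread or from Declude. Line shapes
follow the loglevel-high excerpt Darin posted; the second queue ID, the
addresses and the HOLD line are constructed.
"""
import re

# "11/18/2004 15:19:18 Q03614e0103e09e9d <rest of line>"
_LINE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (Q[0-9a-fA-F]+) (.*)$")
_TEST = re.compile(r"([A-Z][A-Z0-9-]*):(\d+)")   # e.g. CSMA-SBL:35
_TOTAL = re.compile(r"Total weight = (\d+)")
_RECIP = re.compile(r"To: (\S+) IP: (\S+)")
_ACTION = re.compile(r"Last action = (\w+)")


def parse_declude_log(text: str) -> dict:
    """Group loglevel-high lines by queue ID into one record per message."""
    records = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        when, qid, rest = m.groups()
        rec = records.setdefault(qid, {
            "qid": qid, "time": when, "tests": {}, "total_weight": None,
            "whitelisted": False, "to": None, "ip": None, "last_action": None,
        })
        total = _TOTAL.search(rest)
        if total:
            # Per-test weights precede "Total weight"; Declude's own sum follows.
            rec["tests"] = {n: int(w) for n, w in _TEST.findall(rest[:total.start()])}
            rec["total_weight"] = int(total.group(1))
        elif rest.startswith("E-mail whitelisted"):
            rec["whitelisted"] = True
        else:
            r = _RECIP.search(rest)
            if r:
                rec["to"], rec["ip"] = r.groups()
            a = _ACTION.search(rest)
            if a:
                rec["last_action"] = a.group(1)
    return records


def weights_consistent(rec: dict) -> bool:
    """Sanity check: the per-test weights add up to Declude's total."""
    return (rec["total_weight"] is not None
            and sum(rec["tests"].values()) == rec["total_weight"])


def whitelist_overrides(text: str, delete_at: int = 250) -> list:
    """Messages passed as whitelisted although they scored >= delete_at.

    The "To:" recorded in the log is the recipient Declude applied its
    config to (with SWITCHRECIP ON, the alias address), which is how a
    whitelist for that domain ends up covering mail delivered elsewhere.
    """
    return [rec for rec in parse_declude_log(text).values()
            if rec["whitelisted"] and rec["total_weight"] is not None
            and rec["total_weight"] >= delete_at]


# Constructed sample log: the first message is the one from the thread.
SAMPLE_LOG = """\
11/18/2004 15:19:18 Q03614e0103e09e9d SNIFFER:125 AHBL:42 CSMA-SBL:35 PSBL:14 SBL:49 SPAMCOP:100 UCEPROTECTL2:21 MAILPOLICE-BULK:105 AHBLPROXIES:35 NJABLPROXIES:35 SPAMHEADERS:21 . Total weight = 582.
11/18/2004 15:19:18 Q03614e0103e09e9d E-mail whitelisted - automatically passing all spam tests postmaster@domain1.com
11/18/2004 15:19:18 Q03614e0103e09e9d L1 Message OK
11/18/2004 15:19:18 Q03614e0103e09e9d Subject: Re: You'll be so excited you won't be able to sleep
11/18/2004 15:19:18 Q03614e0103e09e9d From: sender@example.net To: postmaster@domain1.com IP: 66.63.173.35 ID: hoi9de050u4e
11/18/2004 15:19:18 Q03614e0103e09e9d Tests failed [weight=0]: CATCHALLMAILS=IGNORE
11/18/2004 15:19:18 Q03614e0103e09e9d Last action = IGNORE.
11/18/2004 15:20:02 Q0361500103e09f1a SNIFFER:125 SPAMCOP:100 . Total weight = 225.
11/18/2004 15:20:02 Q0361500103e09f1a From: other@example.org To: user@domain2.com IP: 198.51.100.9 ID: k2j4h6
11/18/2004 15:20:02 Q0361500103e09f1a Tests failed [weight=225]: SNIFFER SPAMCOP
11/18/2004 15:20:02 Q0361500103e09f1a Last action = HOLD.
"""

if __name__ == "__main__":
    for rec in whitelist_overrides(SAMPLE_LOG):
        print(f"{rec['qid']}: weight {rec['total_weight']} passed to {rec['to']} (whitelisted)")
```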
Re: [Declude.JunkMail] 10-fold increase in spam today
Looks like it settled down to only a 6x increase over 24 hours. Seems to be sustained, though... across all domains.

Good thing is with some simple tweaks we're not seeing any more than normal slip through, so our catch rate looks to be 99.5% or better... and no more false positives than normal, so that % goes down correspondingly... to well under 0.5% of held or deleted potential spam... but it's still a lot more to review manually... we'll probably quit that if it keeps up much longer.

I see the spike never really materialized on your end. Anyone else see a spike in zombie spam?

Darin.

----- Original Message -----
From: Pete McNeil [EMAIL PROTECTED]
To: Darin Cox [EMAIL PROTECTED]
Sent: Wednesday, November 17, 2004 4:27 PM
Subject: Re: [Declude.JunkMail] 10-fold increase in spam today

On Wednesday, November 17, 2004, 3:22:00 PM, Darin wrote:

DC> We're seeing a 10-fold increase in zombie spam today.
DC>
DC> ~90% of what slips through triggers either CMDSPACE or
DC> SNIFFER, so we've upped both of those to hold weights.
DC>
DC> Anyone else seeing this?

We're seeing what could be a spike in the making.

http://www.sortmonster.com/MessageSniffer/Performance/ChangeRates.jsp

0 504 * Not done with today yet.
1 729 *
2 543
3 532
4 581
5 467

_M
RE: [Declude.JunkMail] [OT] exchange2aliases for dummies
We have a few customers with multiple OU's that contain employees (i.e. by Departments). Is there a way to include all the OU's on a single LDAP:// parameter line, or do I need to just run it several times for each OU and not use the -nc flag except on the very first run?

Thanks again,
Keith
Re: [Declude.JunkMail] Erroneous whitelisting
Ahh... you mean SWITCHRECIP ON (grin)

Yes, we are... have been for quite a while. I see where you're going with this... but then I'm curious as to why it would suddenly start whitelisting this when it didn't previously. We have a number of other domains that don't have filtering, but use alias forwarding from the postmaster account, and don't receive anything from them.

In any case, will Declude still use domain1.com if we set up an account in domain1 that forwards to domain2? In other words, would Declude see [EMAIL PROTECTED], [EMAIL PROTECTED], or [EMAIL PROTECTED] as the recipient with SWITCHRECIP ON?

Thanks, Scott.

Darin.

----- Original Message -----
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, November 18, 2004 4:59 PM
Subject: Re: [Declude.JunkMail] Erroneous whitelisting
Re[2]: [Declude.JunkMail] 10-fold increase in spam today
We are definitely seeing something... 10 fold - no, but something is definitely there.

0 464
1 654
2 728
3 543
4 532

3,4: 537.5
1,2: 691

~ 22% --- that's something.

_M
Re: [Declude.JunkMail] Erroneous whitelisting
> Ahh... you mean SWITCHRECIP ON (grin)

That would do it -- that tells Declude JunkMail to use the intended recipient (the one the E-mail was sent to) rather than the actual recipient (the one the alias points to) for the config file.

> Yes, we are... have been for quite a while. I see where you're going with this... but then I'm curious as to why it would suddenly start whitelisting this when it didn't previously.

Unfortunately, I can't explain why it would have worked before -- but what you are seeing is the intended behavior, with SWITCHRECIP ON.

> In any case, will Declude still use domain1.com if we set up an account in domain1 that forwards to domain2? In other words, would Declude see [EMAIL PROTECTED], [EMAIL PROTECTED], or [EMAIL PROTECTED] as the recipient with SWITCHRECIP ON?

With forwarding (regardless of your Declude settings), Declude will look at the actual user (the one with the mailbox on the server), not the E-mail address that it gets forwarded to.

-Scott
[Declude.JunkMail] Is it smart to do this
Hi all,

I am not sure if I really want to do this but: I have a BYPASS filter that looks at headers and if there is an attached PDF, XLS etc it will make my expensive BODY filters be bypassed. So should I add:

BODY 0 CONTAINS Content-Type: image/jpeg

I see a lot of SPAM that has links to JPGs but I have not seen SPAM with JPGs in it. So is it a good idea to BYPASS on this? I suspect not but wanted to check.

Goran Jovanovic
The LAN Shoppe
Re: [Declude.JunkMail] Erroneous whitelisting
Hmmm...

> With forwarding (regardless of your Declude settings), Declude will look at the actual user (the one with the mailbox on the server), not the E-mail address that it gets forwarded to.

It actually comes in to an alias (postmaster), and I'm proposing alias forwarding to an account in that domain, then account forwarding from there to an account in a filtered domain. Would Declude always see the original recipient with SWITCHRECIP, no matter what forwarding or account routing is used on a single mail server?

Push comes to shove we could do the forwarding with a gateway server, resulting in scanning at the appropriate domain, but I'd like to handle it at the main server if possible, leaving SWITCHRECIP ON.

Thanks Scott.

Darin.

----- Original Message -----
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, November 18, 2004 5:45 PM
Subject: Re: [Declude.JunkMail] Erroneous whitelisting
Re: [Declude.JunkMail] Erroneous whitelisting
>> With forwarding (regardless of your Declude settings), Declude will look at the actual user (the one with the mailbox on the server), not the E-mail address that it gets forwarded to.
>
> It actually comes in to an alias (postmaster), and I'm proposing alias forwarding to an account in that domain, then account forwarding from there to an account in a filtered domain.

To avoid confusion, it's best to use "account" to refer to a user account that has a password (as opposed to an alias), "forward" to refer to an E-mail going from a user account to another account (again, as opposed to an alias), and "points to" to refer to an E-mail going from an alias to a user account.

In this case, Declude should scan based on the settings for domain1, regardless of the SWITCHRECIP option.

-Scott
Re: [Declude.JunkMail] Erroneous whitelisting
> To avoid confusion, it's best to use "account" to refer to a user account that has a password (as opposed to an alias), "forward" to refer to an E-mail going from a user account to another account (again, as opposed to an alias), and "points to" to refer to an E-mail going from an alias to a user account.

Right. That's exactly how I was using it. Thanks for the clarification on when the scanning occurs for Declude, and the fact that it never reoccurs during the email routing process within a single server. Can't figure out why it's working the way we'd like for all other domains that don't have filtering, though. I'll do some testing and let you know.

Thanks, Scott.

Darin.

- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, November 18, 2004 7:55 PM
Subject: Re: [Declude.JunkMail] Erroneous whitelisting
Re: [Declude.JunkMail] 2003 Server DNS Declude
You will be able to get this hotfix for free. They do not charge for issues like this.

Darrell

---
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, MRTG Integration, and Log Parsers.

- Original Message -
From: Kyle Fisher
To: [EMAIL PROTECTED] ; [EMAIL PROTECTED]
Sent: Thursday, November 18, 2004 11:19 PM
Subject: [Declude.JunkMail] 2003 Server DNS Declude
RE: [Declude.JunkMail] 2003 Server DNS Declude
Ok thanks. I will try and find one of the millions of phone numbers to contact them and get the fix.

Kyle

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Thursday, November 18, 2004 10:23 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] 2003 Server DNS Declude
Re: [Declude.JunkMail] Interesting Spamming Technique
Hi, Dan-

Is the IP of the POP server nowhere to be found in DNS? It seems to me that would be unlikely unless the end users are entering IP addresses into their mail client software - a very bad idea from a system management perspective. It is a simple matter to port scan all addresses in a DNS record looking for a response on port 25.

Goran's suggestion should be the cure. Block port 25 at the client's firewall for all IPs except the store-and-forward server(s), then the only way for someone outside the system to deliver mail is through your store/forward server(s). Matt's suggestion to change the IP of the POP server should also work unless you publish the IP somewhere in DNS, which you probably do as a convenience to the end users.

-d

- Original Message -
From: Dan Geiser [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, November 18, 2004 10:31 AM
Subject: [Declude.JunkMail] Interesting Spamming Technique
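The direct-delivery bypass discussed in this thread can be confirmed from the Received: trail rather than by eyeballing headers. The script below is an added example, not code from the thread or from Declude/IMail; the relay address 192.0.2.10, the host names and the three sample messages are constructed. It trusts only the Received: line written by the customer's own server, because a sender can forge any earlier hops, including one that names the relay.

```python
"""Detect mail that reached a customer's server without passing through the
store-and-forward relay, using the Received: trail.

Added example, not from the thread. RELAY_IPS and every address, host name
and message below are constructed; substitute the real relay address.
"""
import re
from email import message_from_string

# Assumed (constructed) address of the filtering store-and-forward relay.
RELAY_IPS = {"192.0.2.10"}

# Pulls the bracketed literal IP from a Received: clause such as
# "from relay.filter.example (relay.filter.example [192.0.2.10]) by ..."
_SOURCE_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw_message):
    """Source IP of each Received: header, in header order (newest hop first).

    Each MTA prepends its own Received: line, so index 0 is the hop written by
    the final server, the customer's own, and is the only one it can trust.
    """
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        match = _SOURCE_IP.search(value)
        hops.append(match.group(1) if match else None)
    return hops


def delivered_via_relay(raw_message, relay_ips=RELAY_IPS):
    """True only if the customer's server received the message from the relay.

    Deliberately ignores older hops: a sender can write any Received: lines it
    likes before handing the message over, so a relay address deeper in the
    trail proves nothing.
    """
    hops = received_hops(raw_message)
    return bool(hops) and hops[0] in relay_ips


# Constructed samples. Header order mirrors real mail: the first Received:
# line is the one the customer's server (mail.customer.example) added.
RELAYED = (
    "Received: from relay.filter.example (relay.filter.example [192.0.2.10])\n"
    "\tby mail.customer.example with SMTP; Thu, 18 Nov 2004 10:31:00 -0500\n"
    "Received: from sender.example.net (sender.example.net [198.51.100.7])\n"
    "\tby relay.filter.example with SMTP; Thu, 18 Nov 2004 10:30:58 -0500\n"
    "From: someone@example.net\nTo: user@customer.example\nSubject: hello\n\n"
    "body\n"
)

DIRECT = (
    "Received: from unknown (HELO mx) ([203.0.113.55])\n"
    "\tby mail.customer.example with SMTP; Thu, 18 Nov 2004 11:02:13 -0500\n"
    "From: someone@example.net\nTo: user@customer.example\nSubject: hello\n\n"
    "body\n"
)

# Direct delivery that forges an earlier hop naming the relay; the topmost
# (trusted) hop still shows the true source, so it is still flagged.
FORGED = (
    "Received: from unknown (HELO mx) ([203.0.113.55])\n"
    "\tby mail.customer.example with SMTP; Thu, 18 Nov 2004 11:05:40 -0500\n"
    "Received: from relay.filter.example (relay.filter.example [192.0.2.10])\n"
    "\tby mx with SMTP; Thu, 18 Nov 2004 11:05:39 -0500\n"
    "From: someone@example.net\nTo: user@customer.example\nSubject: hello\n\n"
    "body\n"
)


def bypass_report(samples):
    """Map each sample name to True when it bypassed the relay."""
    return {name: not delivered_via_relay(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    report = bypass_report({"relayed": RELAYED, "direct": DIRECT, "forged": FORGED})
    for name, bypassed in report.items():
        print(f"{name:8s} bypassed relay: {bypassed}")
```

Run against a mailbox export, a rising share of "bypassed" results is the symptom Dan describes; the fix remains the port 25 restriction at the customer's firewall, since this check only reports what has already been delivered.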
RE: [Declude.JunkMail] Is it smart to do this
> I see a lot of SPAM that has links to JPGs but I have not seen SPAM with JPGs in it.

There have been both spam and viruses that use picture files. I have seen spam with a picture file, which is the message. Of course, that is not the smartest thing as whatever link is there is not clickable, but it could be porn also. Viruses, even corrupted ones, are known to have a picture attached which is the password.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
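For the picture-is-the-message pattern John describes, one simple defender-side check is to flag mail that carries an image part but no text part with any real content. This is an added example, not code from the thread or from Declude; the sample messages and the placeholder JPEG bytes are constructed, and it deliberately does not flag mail that merely links to a JPG, since that mail still has a text body.

```python
"""Flag messages whose only content is an image attachment, the
"picture file which is the message" pattern mentioned in the thread.

Added example, not from the thread. All sample messages are constructed;
the image bytes are a placeholder, not a real JPEG.
"""
from email import message_from_bytes
from email.mime.image import MIMEImage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText


def image_only(raw_message):
    """True when the message has at least one image/* part and no text/*
    part with non-blank content. A message that only links to a JPG still
    has text, so it is not flagged here."""
    msg = message_from_bytes(raw_message)
    has_image = False
    has_text = False
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            has_image = True
        elif ctype.startswith("text/"):
            body = part.get_payload(decode=True) or b""
            if body.strip():
                has_text = True
    return has_image and not has_text


def build_sample(text, image_bytes=None):
    """Construct a multipart/mixed message for the demo (constructed data)."""
    msg = MIMEMultipart("mixed")
    msg["From"] = "sender@example.net"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.attach(MIMEText(text, "plain"))
    if image_bytes is not None:
        # Explicit subtype: the bytes are a placeholder, not a parseable JPEG.
        msg.attach(MIMEImage(image_bytes, "jpeg", name="pic.jpg"))
    return msg.as_bytes()


FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 32  # placeholder, not a real image

# Picture is the whole message: empty text part plus an image.
IMAGE_SPAM = build_sample("", FAKE_JPEG)
# Ordinary text mail that merely links to a picture.
LINK_ONLY = build_sample("See http://example.invalid/pic.jpg")
# Legitimate mail with a note and an attached photo.
TEXT_WITH_PHOTO = build_sample("Here is the photo from Thursday.", FAKE_JPEG)


def classify(samples):
    """Return {name: True} for the samples that are image-only."""
    return {name: image_only(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, flagged in classify({"spam": IMAGE_SPAM, "link": LINK_ONLY,
                                   "photo": TEXT_WITH_PHOTO}).items():
        print(f"{name:6s} image-only: {flagged}")
```

Treat the result as one weight in a scoring filter rather than a verdict on its own: a photo sent with an empty body is legitimate mail that trips the same test.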
RE: [Declude.JunkMail] 2003 Server DNS Declude
Hi,

Phone MS Tech Adv (WinNT) 800-936-4900. Tell them the KB article number and tell them to e-mail you the link. You will not be charged.

One of two things will happen. Most probably you will spend a bunch of time answering questions and then they will e-mail you the link. Sometimes the dispatch people do not have access to the hotfix and they will put you through to tech support. In both cases you will get an SRX number etc.

Now if you are a bit persistent and you say that you want to talk to the tech before you apply the hotfix you can usually be put through to a tech support person and they will discuss the patch with you and what it may or may not do. You can review your symptoms with them and query them if this is really going to fix it or not. The techs are quite willing to talk to you once you get to them. You cannot branch out and try to cover some other topic.

Good Luck

Goran Jovanovic
The LAN Shoppe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kyle Fisher
Sent: Thursday, November 18, 2004 11:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] 2003 Server DNS Declude
[Declude.JunkMail] 2003 Server DNS Declude
I am having a problem with 2003 Std. DNS and Declude's queries. It is not Declude but actually MS DNS. I finally found two articles from Microsoft saying it is a memory leak due to excessive queries and to contact them for the hot fix, but there is nowhere to download it without contacting MS. I was wondering if anyone else has had this problem and maybe you already have the hot fix. There are actually two. If I do have to contact MS do you have to pay for the hot fix even though it is their problem? I probably will be switching to BIND but I have to learn it first and I need a quick fix. Right now I have a batch file restarting the DNS Service every hour.

"Server Responsiveness Degrades and Queries Time Out When You Run the DNS Server Service" http://support.microsoft.com/?kbid=830381
"DNS Intermittently Stops Resolving Some Host Names" http://support.microsoft.com/?kbid=830905

Thanks
Kyle