Re: [Declude.JunkMail] SURBL as RHSBL
Markus, if you want to test against all of the SURBLs, since it's only a single query to the multi zone, use:

SURBL_AB rhsbl multi.surbl.org 127.0.0.32 1 0
SURBL_JP rhsbl multi.surbl.org 127.0.0.64 1 0
SURBL_OB rhsbl multi.surbl.org 127.0.0.16 1 0
SURBL_PH rhsbl multi.surbl.org 127.0.0.8 1 0
SURBL_SC rhsbl multi.surbl.org 127.0.0.2 1 0
SURBL_WS rhsbl multi.surbl.org 127.0.0.4 1 0

AB = AbuseButler data
JP = Combination of Prolocation data and Joe Wein's SpamSpy data
OB = OutBlaze data
PH = Combination of MailPolice "Fraud" list data and MailSecurity "Phishing" list data
SC = SpamCop top 200 hits data
WS = William Stearns submitter data

I have been testing this for about an hour, and am getting a few hits. We'll see how it goes over the next 24 hours...

Bill

----- Original Message -----
From: Markus Gufler
To: [EMAIL PROTECTED]
Sent: Monday, November 22, 2004 11:41 PM
Subject: RE: [Declude.JunkMail] SURBL as RHSBL

Is this the correct configuration line for doing this?

SURBLS-RHSBL rhsbl %MAILFROM%.sc.surbl.org 127.0.0.2 5 0

Markus

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SURBL as RHSBL
Modification, since I was not thinking, but Declude JunkMail does not support bitmasked responses. So instead of using the multi zone, you will need to use:

SURBL_AB rhsbl ab.surbl.org 127.0.0.2 1 0
SURBL_JP rhsbl jp.surbl.org 127.0.0.2 1 0
SURBL_OB rhsbl ob.surbl.org 127.0.0.2 1 0
SURBL_PH rhsbl ph.surbl.org 127.0.0.2 1 0
SURBL_SC rhsbl sc.surbl.org 127.0.0.2 1 0
SURBL_WS rhsbl ws.surbl.org 127.0.0.2 1 0

Which will require six different queries if you want to use all SURBL lists.

Bill

----- Original Message -----
From: Bill Landry
To: [EMAIL PROTECTED]
Sent: Tuesday, November 23, 2004 12:47 AM
Subject: Re: [Declude.JunkMail] SURBL as RHSBL
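Added example, not code from the thread or from Declude: it decodes a multi.surbl.org answer with the bit values Bill lists (SC=2, WS=4, PH=8, OB=16, AB=32, JP=64) and shows why an exact-match rhsbl rule such as "SURBL_AB rhsbl multi.surbl.org 127.0.0.32 1 0" misses a combined answer, which is the reason for Bill's fallback to one zone per list. All function names are this example's own; the trailing "1 0" fields are copied from Bill's lines without interpreting them.

```python
"""Decode SURBL multi-zone bitmask answers and compare exact-match vs. bitmask rules."""
import ipaddress

# Bit values as listed in Bill's first set of rules (2004-era multi.surbl.org layout).
SURBL_BITS = {"SC": 2, "WS": 4, "PH": 8, "OB": 16, "AB": 32, "JP": 64}


def answer_bits(addr):
    """Return the bitmask carried in the last octet of a 127.0.0.x DNSBL answer.

    Anything outside 127.0.0.0/8 is not a list answer (e.g. a wildcarded or
    hijacked zone) and is rejected rather than silently treated as a hit."""
    ip = ipaddress.IPv4Address(addr)
    if ip not in ipaddress.IPv4Network("127.0.0.0/8"):
        raise ValueError(f"not a DNSBL answer: {addr}")
    return int(ip) & 0xFF


def lists_hit(addr):
    """Names of every SURBL list whose bit is set in the answer, lowest bit first."""
    bits = answer_bits(addr)
    ordered = sorted(SURBL_BITS.items(), key=lambda kv: kv[1])
    return [name for name, bit in ordered if bits & bit]


def exact_match_rule(addr, expected):
    """How a non-bitmask rule compares: the whole answer must equal the configured
    address, so 127.0.0.34 (SC + AB) does not satisfy a rule expecting 127.0.0.32."""
    return ipaddress.IPv4Address(addr) == ipaddress.IPv4Address(expected)


def bitmask_rule(addr, bit):
    """What the multi zone actually needs: test one bit and ignore the others."""
    return bool(answer_bits(addr) & bit)


def rhsbl_query(mailfrom_domain, zone):
    """Name an rhsbl test looks up: the %MAILFROM% domain prepended to the zone,
    as in Markus's '%MAILFROM%.sc.surbl.org'."""
    return f"{mailfrom_domain.rstrip('.').lower()}.{zone}"


def per_list_rules():
    """Bill's fallback for a scanner without bitmask support: one zone per list,
    each answering 127.0.0.2, in the same field layout as his lines."""
    return [f"SURBL_{n} rhsbl {n.lower()}.surbl.org 127.0.0.2 1 0"
            for n in sorted(SURBL_BITS)]


if __name__ == "__main__":
    combined = "127.0.0.34"  # constructed answer: SC and AB bits both set
    print(combined, "->", lists_hit(combined))
    print("exact match against 127.0.0.32:", exact_match_rule(combined, "127.0.0.32"))
    print("bitmask test for AB:", bitmask_rule(combined, SURBL_BITS["AB"]))
    print(rhsbl_query("example.com", "sc.surbl.org"))
    print("\n".join(per_list_rules()))
```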
[Declude.JunkMail] Blocking Dictionary Attacks
Are there any new strategies for blocking dictionary attacks with Declude? Our log files are growing, mostly due to the following stacking up what seems like a zillion times over...

ERR MAIL.DOMAIN.NET invalid user

We have used BlackIce for years and it helps a lot for those that try X number of SMTP fails in X seconds, but it does not handle all these invalid user attempts. I searched the archives and found a good thread back in March this year, "How do they do it?", and Scott replied that a Declude solution may possibly be forthcoming. We only handle about 15k messages a day and are a small shop. Len's IMgate or another Postfix gateway solution I know would be best - but not affordable for us right now, installing and managing a separate Linux box.

It is difficult for me to keep up-to-date with daily posts, so I am wondering if there are any new strategies I might have missed.

Thanks!

-Don
[Declude.JunkMail] F-Prot Windows 3.16 Update Missing F-Prot.exe
I posted this to Declude.Virus, but apparently I am no longer subscribed, and I wanted to give folks a heads up here. Yesterday I upgraded to the most recent version of F-Prot Windows (fp-win_316_m), and this morning by chance I checked my Declude Virus log and noticed a bunch of "Your virus scanner DOES NOT EXIST ..." entries. Sure enough, the F-Prot.exe file was missing. I rolled back to version fp-win_315b_m and all is back to normal, including the install of F-Prot.exe. Wish the folks at F-Prot had let us know about this! Performing a full scan now to see what may have slipped through the last 36 hours.

-Don
Re: [Declude.JunkMail] Blocking Dictionary Attacks
A gateway is the only solution I know of for distributed dictionary attacks. Since the attacks are coming from all over the place, there's no IP to block. All the gateway does is move the brunt of the attack off of the primary mail server to the gateway server. The gateway server should then become your primary MX record, replacing your existing server, and the real primary should be locked down to only receive SMTP traffic from your gateway. That way attackers who cache your MX records won't be able to continue to hit it.

Darin.

----- Original Message -----
From: Don Schreiner [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 23, 2004 5:20 AM
Subject: [Declude.JunkMail] Blocking Dictionary Attacks
Re: [Declude.JunkMail] SURBL as RHSBL
Hi Bill,

You seem to always be one of the first to share new blacklists. Where do you find this info? Is there another list that would be worth joining?

Thanks, man.

Darin.

----- Original Message -----
From: Bill Landry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 23, 2004 5:04 AM
Subject: Re: [Declude.JunkMail] SURBL as RHSBL
Re: [Declude.JunkMail] F-Prot Windows 3.16 Update Missing F-Prot.exe
Don't you want to be using fpcmd anyway? That's the recommended scanner to use with Declude.

Darin.

----- Original Message -----
From: Don Schreiner [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 23, 2004 8:49 AM
Subject: [Declude.JunkMail] F-Prot Windows 3.16 Update Missing F-Prot.exe
Re: [Declude.JunkMail] F-Prot Windows 3.16 Update Missing F-Prot.exe
They certainly could have made it more noticeable, but from the Release Notes:

    The DOS scanner is now no longer installed on NT/2000/XP/2003. If version 3.16 is installed as an upgrade then the previous DOS version is removed. The DOS scanner is not suitable for use on the NTFS file system, now more popular as the result of increased use of Windows XP. The Command-Line Scanner (fpcmd.exe) should be used instead of the DOS scanner.

----- Original Message -----
From: Don Schreiner [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 23, 2004 8:49 AM
Subject: [Declude.JunkMail] F-Prot Windows 3.16 Update Missing F-Prot.exe
RE: [Declude.JunkMail] Blocking Dictionary Attacks
OK, I am going to jump in here as I would like to know how to tell the server to only accept email from the gateway, but also still allow users to send if they authenticate. I know this might be obvious, but I have not found a way to do this.

Thanks,

Grant Griffith
EI8HT LEGS, A Division of ETC
(877)483-3393
(812)933-5390

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Tuesday, November 23, 2004 8:59 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Blocking Dictionary Attacks
Re: [Declude.JunkMail] F-Prot Windows 3.16 Update Missing F-Prot.exe
The Declude Virus manual states f-prot.exe in its example. I did not know of or see that recommendation.

-Don

----- Original Message -----
From: Darin Cox [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 23, 2004 9:00 AM
Subject: Re: [Declude.JunkMail] F-Prot Windows 3.16 Update Missing F-Prot.exe
Re: [Declude.JunkMail] Blocking Dictionary Attacks
Thanks for the reply. One thing I found this morning in a recent post on the IMail list was BlackIce settings that will auto-block an IP for 3 failed non-existent user attempts within 30 seconds. The BlackIce documentation is poor on this subject and I never figured it out myself over the years we have been using it, but an IMail poster posted good instructions from a fellow who apparently wrote the manual on BlackIce. Anyhoo... I set it up this morning and have been monitoring. It is working well so far, and at least I am only seeing 3 log entries now in the IMail logs on non-existent users vs. hundreds per IP. I am still very concerned that I may end up blocking legitimate IPs via zombies and am going to watch closely for a while. The other trade-off is BlackIce may be working harder now, and I am seeing 4-6% on CPU, but I think this was typical anyway.

BlackIce also does a decent job on other things like infected Zip signatures and attached exe's etc. I feel comfortable with it as another security layer. For example, on our SQL server we use it to block the hundreds probing our port 1433 daily. We handle light email volume in comparison to others here, and I am sure if someone out there floods us hard, the IMail box and BlackIce would not hold up. But on limited volume and budget this may be the ticket for us now. I know the gateway is the best way to go.

Thanks for the feedback - most appreciated and always learning here.

-Don

----- Original Message -----
From: Darin Cox [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 23, 2004 8:59 AM
Subject: Re: [Declude.JunkMail] Blocking Dictionary Attacks
Re: [Declude.JunkMail] F-Prot Windows 3.16 Update Missing F-Prot.exe
I missed that in the release notes - ouch! So... fpcmd.exe should be used, as Darin stated. I did not notice it in the Declude Virus manual when reviewing this morning; I just double checked and it sure is there as one of the 2 choices depending on version. All back to normal, and thanks guys.

-Don

----- Original Message -----
From: Jeff Pereira [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 23, 2004 8:57 AM
Subject: Re: [Declude.JunkMail] F-Prot Windows 3.16 Update Missing F-Prot.exe
Re: [Declude.JunkMail] Blocking Dictionary Attacks
IMail Administrator, SMTP Service, Security tab, Control Access button.

Darin.

----- Original Message -----
From: Grant Griffith [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 23, 2004 9:14 AM
Subject: RE: [Declude.JunkMail] Blocking Dictionary Attacks
Re: [Declude.JunkMail] Blocking Dictionary Attacks
Yep...only problem is it won't help against distributed attacks that send one message per IP, but it sounds like your problem was not as distributed.

Darin.

- Original Message -
From: Don Schreiner [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 23, 2004 9:24 AM
Subject: Re: [Declude.JunkMail] Blocking Dictionary Attacks

Thanks for the reply. One thing I found this morning in a recent post on the IMail list was BlackIce settings which will auto-block an IP for 3 failed non-existent user attempts within 30 seconds. The BlackIce documentation is poor on this subject and I never figured it out myself over the years we have been using it, but an IMail poster posted good instructions from a fellow who wrote the manual on BlackIce apparently. Anyhoo... I set it up this morning and have been monitoring. It is working well so far and at least I am only seeing 3 log entries now in IMail logs on non-existent users vs. hundreds per IP. I am still very concerned that I may end up blocking legitimate IPs via zombies and am going to watch closely for awhile. The other trade off is BlackIce may be working harder now and seeing 4-6% on CPU, but I think this was typical anyway. BlackIce also does a decent job on other things like infected Zip signatures and attached exe's etc. I feel comfortable with it as another security layer. For example on our SQL server, we use it to block the hundreds probing our port 1433 daily. We handle light email volume in comparison to others here and I am sure if someone out there floods us hard, the IMail box and BlackIce would not hold up. But on limited volume and budget this may be the ticket for us now. I know the gateway is the best way to go. Thanks for the feedback - most appreciated and always learning here.

-Don

- Original Message -
From: Darin Cox [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 23, 2004 8:59 AM
Subject: Re: [Declude.JunkMail] Blocking Dictionary Attacks

A gateway is the only solution I know of for distributed dictionary attacks. Since the attacks are coming from all over the place, there's no IP to block. All the gateway does is move the brunt of the attack off of the primary mail server to the gateway server. The gateway server should then become your primary MX record, replacing your existing server, and the real primary should be locked down to only receive SMTP traffic from your gateway. That way attackers who cache your MX records won't be able to continue to hit it.

Darin.

- Original Message -
From: Don Schreiner [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 23, 2004 5:20 AM
Subject: [Declude.JunkMail] Blocking Dictionary Attacks

Are there any new strategies for blocking dictionary attacks with Declude? Our log files are growing, mostly due to the following stacking up, it seems, a zillion times over...

ERR MAIL.DOMAIN.NET invalid user

We have used BlackIce for years and it helps a lot for those that try X number of SMTP fails in X seconds, but it does not handle all these invalid user attempts. I searched the archives and found a good thread back in March this year, "How do they do it?", and Scott replied a Declude solution may be possibly forthcoming. We only handle about 15k messages a day and are a small shop. Len's IMgate or another Postfix gateway solution I know would be best - but not affordable for us right now, installing and managing a separate Linux box. It is difficult for me to keep up-to-date with daily posts, so wondering if there are any new strategies I might have missed.

Thanks!

-Don

--
CompBiz.Net scanned for Virus'
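The per-IP threshold Don describes (3 invalid-user rejections within 30 seconds) is easy to reproduce as a log check, and doing so also shows Darin's caveat: a distributed attack that sends one probe per IP never trips it. This is an added example, not BlackIce, IMail or Declude code; the log layout around the "ERR MAIL.DOMAIN.NET invalid user" fragment from the thread is assumed and the sample lines are constructed.

```python
"""Added example (not from the thread, not BlackIce or IMail code):
flag source IPs that produce N "invalid user" rejections within a
sliding window, the 3-in-30-seconds rule Don describes, and show why a
distributed dictionary attack (one attempt per IP) slips past it.
Log lines are constructed; only the 'ERR MAIL.DOMAIN.NET invalid user'
fragment comes from the thread, the surrounding layout is assumed."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterable, Optional, Tuple

# Assumed layout: "<MM/DD/YYYY HH:MM:SS> <client ip> ERR <host> invalid user"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) ERR \S+ invalid user\b"
)


def parse_line(line: str) -> Optional[Tuple[datetime, str]]:
    """Return (timestamp, client ip) for an invalid-user rejection, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), "%m/%d/%Y %H:%M:%S"), m.group("ip")


def offenders(lines: Iterable[str], threshold: int = 3,
              window_s: int = 30) -> Dict[str, datetime]:
    """Return {ip: time it first crossed the threshold} for every IP with
    at least `threshold` invalid-user rejections inside any `window_s`
    second window. Lines that are not rejections are ignored."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: Dict[str, datetime] = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip = parsed
        q = recent[ip]
        q.append(ts)
        # Drop rejections that fell out of the sliding window.
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


# Constructed sample logs (documentation-range addresses, not real clients).
BURST_LOG = [
    "11/23/2004 05:20:01 192.0.2.10 ERR MAIL.DOMAIN.NET invalid user",
    "11/23/2004 05:20:02 192.0.2.10 ERR MAIL.DOMAIN.NET invalid user",
    "11/23/2004 05:20:04 192.0.2.10 ERR MAIL.DOMAIN.NET invalid user",  # 3rd in 3s
    "11/23/2004 05:20:05 192.0.2.10 ERR MAIL.DOMAIN.NET invalid user",
    "11/23/2004 05:20:06 198.51.100.7 OK MAIL.DOMAIN.NET message accepted",
]
# Three rejections spread over 40 seconds: never 3 inside one 30s window.
SLOW_LOG = [
    "11/23/2004 05:20:00 192.0.2.20 ERR MAIL.DOMAIN.NET invalid user",
    "11/23/2004 05:20:20 192.0.2.20 ERR MAIL.DOMAIN.NET invalid user",
    "11/23/2004 05:20:40 192.0.2.20 ERR MAIL.DOMAIN.NET invalid user",
]
# Darin's case: one probe from each of five sources in the same second.
DISTRIBUTED_LOG = [
    "11/23/2004 05:21:00 203.0.113.%d ERR MAIL.DOMAIN.NET invalid user" % n
    for n in range(1, 6)
]

if __name__ == "__main__":
    for name, log in (("burst", BURST_LOG), ("slow", SLOW_LOG),
                      ("distributed", DISTRIBUTED_LOG)):
        print(name, offenders(log))
```

The distributed case is exactly why the thread falls back to a gateway: per-IP counting has nothing to count, so the only remaining signal is the aggregate invalid-user rate across all sources.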
Re: [Declude.JunkMail] F-Prot Windows 3.16 Update Missing F-Prot.exe
Hmmm...I don't know why that would be there...Scott, can you comment?

Anyway, here's what we use:

SCANFILE C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE /NOBOOT /DUMB /AI /PACKED /SERVER /REPORT=report.txt
VIRUSCODE 3
VIRUSCODE 6
VIRUSCODE 8

Note that we use the /AI, /PACKED, and /SERVER switches, which some might not want to use. Also, we identify suspicious files with VIRUSCODE 8, which some may not want to do.

Darin.

- Original Message -
From: Don Schreiner [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 23, 2004 9:14 AM
Subject: Re: [Declude.JunkMail] F-Prot Windows 3.16 Update Missing F-Prot.exe

The Declude Virus manual states f-prot.exe in their example. I did not know or see that recommendation?

-Don

- Original Message -
From: Darin Cox [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 23, 2004 9:00 AM
Subject: Re: [Declude.JunkMail] F-Prot Windows 3.16 Update Missing F-Prot.exe

Don't you want to be using fpcmd anyway? That's the recommended scanner to use with Declude.

Darin.

- Original Message -
From: Don Schreiner [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 23, 2004 8:49 AM
Subject: [Declude.JunkMail] F-Prot Windows 3.16 Update Missing F-Prot.exe

I posted this to Declude.Virus, but apparently I am no longer subscribed, and wanted to give folks a heads up here. Yesterday I upgraded to the most recent version of F-Prot Windows (fp-win_316_m) and this morning by chance I checked my Declude Virus log and noticed a bunch of "Your virus scanner DOES NOT EXIST ..." entries. Sure enough, the F-Prot.exe file was missing. I rolled back to version fp-win_315b_m and all is back to normal, including the install of F-Prot.exe. Wish the folks at F-Prot let us know about this! Performing a full scan now to see what may have slipped through the last 36 hours.

-Don
Re: [Declude.JunkMail] SURBL as RHSBL
I would rather not add six new tests to my config. Would you recommend a single SURBL test? Which one seems to work better?

Regards,
Jason

- Original Message -
From: Darin Cox [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 23, 2004 8:02 AM
Subject: Re: [Declude.JunkMail] SURBL as RHSBL

Hi Bill,

You seem to always be one of the first to share new blacklists. Where do you find this info? Is there another list that would be worth joining?

Thanks, man.

Darin.

- Original Message -
From: Bill Landry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 23, 2004 5:04 AM
Subject: Re: [Declude.JunkMail] SURBL as RHSBL

Modification, since I was not thinking, but Declude JunkMail does not support bitmasked responses. So instead of using the multi zone, you will need to use:

SURBL_AB rhsbl ab.surbl.org 127.0.0.2 1 0
SURBL_JP rhsbl jp.surbl.org 127.0.0.2 1 0
SURBL_OB rhsbl ob.surbl.org 127.0.0.2 1 0
SURBL_PH rhsbl ph.surbl.org 127.0.0.2 1 0
SURBL_SC rhsbl sc.surbl.org 127.0.0.2 1 0
SURBL_WS rhsbl ws.surbl.org 127.0.0.2 1 0

Which will require six different queries if you want to use all SURBL lists.

Bill

- Original Message -
From: Bill Landry
To: [EMAIL PROTECTED]
Sent: Tuesday, November 23, 2004 12:47 AM
Subject: Re: [Declude.JunkMail] SURBL as RHSBL

Markus, if you want to test against all of the SURBLs, since it's only a single query to the multi zone, use:

SURBL_AB rhsbl multi.surbl.org 127.0.0.32 1 0
SURBL_JP rhsbl multi.surbl.org 127.0.0.64 1 0
SURBL_OB rhsbl multi.surbl.org 127.0.0.16 1 0
SURBL_PH rhsbl multi.surbl.org 127.0.0.8 1 0
SURBL_SC rhsbl multi.surbl.org 127.0.0.2 1 0
SURBL_WS rhsbl multi.surbl.org 127.0.0.4 1 0

AB = AbuseButler data
JP = Combination of Prolocation data and Joe Wein's SpamSpy data
OB = OutBlaze data
PH = Combination of MailPolice "Fraud" list data and MailSecurity "Phishing" list data
SC = SpamCop top 200 hits data
WS = William Stearns submitter data

I have been testing this for about an hour, and am getting a few hits. We'll see how it goes over the next 24 hours...

Bill

- Original Message -
From: Markus Gufler
To: [EMAIL PROTECTED]
Sent: Monday, November 22, 2004 11:41 PM
Subject: RE: [Declude.JunkMail] SURBL as RHSBL

Is this the correct configuration line for doing this?

SURBLS-RHSBL rhsbl %MAILFROM%.sc.surbl.org 127.0.0.2 5 0

Markus
RE: [Declude.JunkMail] SURBL as RHSBL
> I would rather not add six new tests to my config. Would you recommend a single SURBL test? Which one seems to work better?

I've been running it now on my servers and can report the first results after 24 hours. I'll let you know how much and how accurately all 6 tests will perform.

Markus
Re: [Declude.JunkMail] SURBL as RHSBL
> How are the results stacking up against your other RHSBL tests?

Very promising. Near the top of the class for RHSBL tests. Here are my results:

From 11/11/2004 through 11/22:

CatchallMails           53741 total   40835 spam (76%)
AHBL-Domains             4580 total    4188 spam (91.4%)
Mailpolice Bulk         10629 total   10558 spam (99.3%)
Mailpolice Porn            20 total      20 spam (100%)
RFCI badwhois domain     1326 total    1105 spam (83.3%)
RFCI badwhois tld        2228 total    1705 spam (76.5%)
RFCI bogus mx             816 total     752 spam (92.3%)
RFCI DSN                 2312 total    2282 spam (98.7%)
RFCI No abuse            8187 total    6578 spam (80.4%)
RFCI No postmaster       5915 total    5225 spam (88.4%)
SecuritySage             1731 total    1652 spam (95.5%)
Sorbs BadConf             191 total     191 spam (100%)
Sorbs Nomail                0 total
SURBL Multi              7957 total    7921 spam (99.5%)

Looking at the .5% of the SURBL-Multi that fell under my hold category, the bulk of these 36 definitely fall into the grey area of could be spam, might be legit. E-mail promoting training, surveys, compliance seminars and such. None of the .5% looks to be solidly legit.

Starting 11/20 I broke out the tests and was looking at them individually...

From 11/20 Noonish through 11/22:

SURBL Multi              1741 total    1733 spam (99.6%)
SURBL Abuse Butler         11 total      11 spam (100%)
SURBL Bigevil            1585 total    1577 spam (99.5%)
SURBL Spamcop              46 total      46 spam (100%)
SURBL Outblaze            928 total     928 spam (100%)

I don't believe the Jon Wein and the Phish are testable on their own. I haven't received any hits on jp.surbl.org. I did download Jon Wein's domains and Mailfrom's from his website and put them into my DNS for rhsbl and mfbl testing.

Yesterday since 10 AM I had:

Jon Wein Domain           573 total     573 spam (100%)
Jon Wein Mailfrom           1 total       1 spam (100%)

- Original Message -
From: Bill Landry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, November 22, 2004 6:12 PM
Subject: Re: [Declude.JunkMail] SURBL as RHSBL

Hmmm, that could possibly render some decent results if spammers use the same domain in the MAIL FROM: address in the SMTP envelope as they use in the URI listed in the body of the message. How are the results stacking up against your other RHSBL tests?

Bill

- Original Message -
From: Scott Fisher [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, November 22, 2004 2:59 PM
Subject: [Declude.JunkMail] SURBL as RHSBL

I know it is not the intended use of the SURBL list, but is anyone else using the SURBL test as a RHSBL test? I just figured if the URL is used for spam, do I really want to be receiving e-mail from that domain? So far it has been 99.5% effective. I'm just curious to see if anyone else has tried it?
Re: [Declude.JunkMail] SURBL as RHSBL
It's info gleaned from several different lists. I always try to report anything new to this list anyway...

Bill

- Original Message -
From: Darin Cox
To: [EMAIL PROTECTED]
Sent: Tuesday, November 23, 2004 6:02 AM
Subject: Re: [Declude.JunkMail] SURBL as RHSBL

Hi Bill,

You seem to always be one of the first to share new blacklists. Where do you find this info? Is there another list that would be worth joining?

Thanks, man.

Darin.

- Original Message -
From: "Bill Landry" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 23, 2004 5:04 AM
Subject: Re: [Declude.JunkMail] SURBL as RHSBL

Modification, since I was not thinking, but Declude JunkMail does not support bitmasked responses. So instead of using the multi zone, you will need to use:

SURBL_AB rhsbl ab.surbl.org 127.0.0.2 1 0
SURBL_JP rhsbl jp.surbl.org 127.0.0.2 1 0
SURBL_OB rhsbl ob.surbl.org 127.0.0.2 1 0
SURBL_PH rhsbl ph.surbl.org 127.0.0.2 1 0
SURBL_SC rhsbl sc.surbl.org 127.0.0.2 1 0
SURBL_WS rhsbl ws.surbl.org 127.0.0.2 1 0

Which will require six different queries if you want to use all SURBL lists.

Bill

- Original Message -
From: Bill Landry
To: [EMAIL PROTECTED]
Sent: Tuesday, November 23, 2004 12:47 AM
Subject: Re: [Declude.JunkMail] SURBL as RHSBL

Markus, if you want to test against all of the SURBLs, since it's only a single query to the multi zone, use:

SURBL_AB rhsbl multi.surbl.org 127.0.0.32 1 0
SURBL_JP rhsbl multi.surbl.org 127.0.0.64 1 0
SURBL_OB rhsbl multi.surbl.org 127.0.0.16 1 0
SURBL_PH rhsbl multi.surbl.org 127.0.0.8 1 0
SURBL_SC rhsbl multi.surbl.org 127.0.0.2 1 0
SURBL_WS rhsbl multi.surbl.org 127.0.0.4 1 0

AB = AbuseButler data
JP = Combination of Prolocation data and Joe Wein's SpamSpy data
OB = OutBlaze data
PH = Combination of MailPolice "Fraud" list data and MailSecurity "Phishing" list data
SC = SpamCop top 200 hits data
WS = William Stearns submitter data

I have been testing this for about an hour, and am getting a few hits. We'll see how it goes over the next 24 hours...

Bill

- Original Message -
From: Markus Gufler
To: [EMAIL PROTECTED]
Sent: Monday, November 22, 2004 11:41 PM
Subject: RE: [Declude.JunkMail] SURBL as RHSBL

Is this the correct configuration line for doing this?

SURBLS-RHSBL rhsbl %MAILFROM%.sc.surbl.org 127.0.0.2 5 0

Markus
Re: [Declude.JunkMail] SURBL as RHSBL
- Original Message -
From: Scott Fisher

> I don't believe the Jon Wein and the Phish are testable on their own. I haven't received any hits on jp.surbl.org.

Yep, that does appear to be the case for the JP list - it was the last list added to SURBL, and since it was added after the creation of the MULTI bitmasked setup, it was apparently never set up as a separate zone. The PH list has a very low hit rate anyway, since it only contains a few hundred domains.

Bill
Re: [Declude.JunkMail] SURBL as RHSBL
WS is the heaviest hitter. You could add all of these lists as a single test which will hit on any response from any of the lists:

SURBL rhsbl multi.surbl.org * 1 0

Bill

- Original Message -
From: Jason @ AreaTech
To: [EMAIL PROTECTED]
Sent: Tuesday, November 23, 2004 7:15 AM
Subject: Re: [Declude.JunkMail] SURBL as RHSBL

I would rather not add six new tests to my config. Would you recommend a single SURBL test? Which one seems to work better?

Regards,
Jason

- Original Message -
From: "Darin Cox" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 23, 2004 8:02 AM
Subject: Re: [Declude.JunkMail] SURBL as RHSBL

Hi Bill,

You seem to always be one of the first to share new blacklists. Where do you find this info? Is there another list that would be worth joining?

Thanks, man.

Darin.

- Original Message -
From: "Bill Landry" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 23, 2004 5:04 AM
Subject: Re: [Declude.JunkMail] SURBL as RHSBL

Modification, since I was not thinking, but Declude JunkMail does not support bitmasked responses. So instead of using the multi zone, you will need to use:

SURBL_AB rhsbl ab.surbl.org 127.0.0.2 1 0
SURBL_JP rhsbl jp.surbl.org 127.0.0.2 1 0
SURBL_OB rhsbl ob.surbl.org 127.0.0.2 1 0
SURBL_PH rhsbl ph.surbl.org 127.0.0.2 1 0
SURBL_SC rhsbl sc.surbl.org 127.0.0.2 1 0
SURBL_WS rhsbl ws.surbl.org 127.0.0.2 1 0

Which will require six different queries if you want to use all SURBL lists.

Bill

- Original Message -
From: Bill Landry
To: [EMAIL PROTECTED]
Sent: Tuesday, November 23, 2004 12:47 AM
Subject: Re: [Declude.JunkMail] SURBL as RHSBL

Markus, if you want to test against all of the SURBLs, since it's only a single query to the multi zone, use:

SURBL_AB rhsbl multi.surbl.org 127.0.0.32 1 0
SURBL_JP rhsbl multi.surbl.org 127.0.0.64 1 0
SURBL_OB rhsbl multi.surbl.org 127.0.0.16 1 0
SURBL_PH rhsbl multi.surbl.org 127.0.0.8 1 0
SURBL_SC rhsbl multi.surbl.org 127.0.0.2 1 0
SURBL_WS rhsbl multi.surbl.org 127.0.0.4 1 0

AB = AbuseButler data
JP = Combination of Prolocation data and Joe Wein's SpamSpy data
OB = OutBlaze data
PH = Combination of MailPolice "Fraud" list data and MailSecurity "Phishing" list data
SC = SpamCop top 200 hits data
WS = William Stearns submitter data

I have been testing this for about an hour, and am getting a few hits. We'll see how it goes over the next 24 hours...

Bill

- Original Message -
From: Markus Gufler
To: [EMAIL PROTECTED]
Sent: Monday, November 22, 2004 11:41 PM
Subject: RE: [Declude.JunkMail] SURBL as RHSBL

Is this the correct configuration line for doing this?

SURBLS-RHSBL rhsbl %MAILFROM%.sc.surbl.org 127.0.0.2 5 0

Markus
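The three configurations in this thread (per-bit tests against multi.surbl.org, one test per single-list zone, and Bill's wildcard test) behave differently because multi.surbl.org answers with a bitmask. The following added example, which is not code from the list or from Declude, decodes such an answer and models the exact-match versus wildcard comparison; it assumes %MAILFROM% resolves to the sender's domain, and every DNS answer is constructed inline rather than looked up.

```python
"""Added example (not from the thread or from Declude): decode the
bitmasked answer of the multi.surbl.org zone and compare it with the
exact-match and wildcard RHSBL tests quoted above. All DNS answers are
constructed inline, so nothing is looked up on the network."""
from typing import Dict, List, Optional

# Bit values of the multi.surbl.org answer, taken from the SURBL_xx lines
# Bill posted (127.0.0.<bits>).
SURBL_BITS: Dict[str, int] = {
    "SC": 2,   # SpamCop top 200 hits data
    "WS": 4,   # William Stearns submitter data
    "PH": 8,   # MailPolice "Fraud" + MailSecurity "Phishing" data
    "OB": 16,  # OutBlaze data
    "AB": 32,  # AbuseButler data
    "JP": 64,  # Prolocation + Joe Wein's SpamSpy data
}


def rhsbl_query_name(mail_from: str, zone: str) -> str:
    """Build the name an RHSBL test queries for the envelope sender.

    Assumption: Declude's %MAILFROM% substitutes the domain part of the
    MAIL FROM address; here it is extracted by hand from a raw address.
    """
    addr = mail_from.strip().strip("<>")
    if "@" not in addr:
        raise ValueError("MAIL FROM has no domain part: %r" % mail_from)
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    return "%s.%s" % (domain, zone)


def decode_multi_response(answer: Optional[str]) -> List[str]:
    """Turn a 127.0.0.<bits> answer into the SURBL lists it encodes.

    None means NXDOMAIN (not listed). Anything outside 127.0.0.0/24 is
    rejected so a wildcarded or hijacked zone cannot list every sender.
    """
    if answer is None:
        return []
    octets = answer.split(".")
    if len(octets) != 4 or octets[:3] != ["127", "0", "0"]:
        raise ValueError("unexpected RHSBL answer: %r" % answer)
    bits = int(octets[3])
    return [name for name, bit in SURBL_BITS.items() if bits & bit]


def declude_test_matches(answer: Optional[str], expected: str) -> bool:
    """Model a Declude rhsbl test: '*' fires on any answer, otherwise the
    answer must equal the configured IP exactly (no bitmask support,
    which is Bill's point about the multi zone)."""
    if answer is None:
        return False
    return expected == "*" or answer == expected


def evaluate_tests(answer: Optional[str],
                   tests: Dict[str, str]) -> Dict[str, bool]:
    """Run every configured test (name -> expected IP) against one answer."""
    return {name: declude_test_matches(answer, ip) for name, ip in tests.items()}


# Per-bit tests as posted for the multi zone, plus Bill's wildcard test.
PER_BIT_TESTS = {"SURBL_" + n: "127.0.0.%d" % b for n, b in SURBL_BITS.items()}
WILDCARD_TEST = {"SURBL": "*"}

# Constructed answers standing in for DNS lookups (not real SURBL data).
FAKE_ZONE: Dict[str, Optional[str]] = {
    "spammy.example.multi.surbl.org": "127.0.0.6",  # listed by SC and WS
    "phishy.example.multi.surbl.org": "127.0.0.8",  # listed by PH only
    "clean.example.multi.surbl.org": None,          # NXDOMAIN
}


def lookup(mail_from: str) -> Optional[str]:
    """Offline stand-in for the DNS query the rhsbl test would issue."""
    return FAKE_ZONE.get(rhsbl_query_name(mail_from, "multi.surbl.org"))


if __name__ == "__main__":
    for sender in ("<bounce@Spammy.Example>", "<info@phishy.example>",
                   "<bob@clean.example>"):
        ans = lookup(sender)
        print(sender, ans, decode_multi_response(ans))
        print("  per-bit :", evaluate_tests(ans, PER_BIT_TESTS))
        print("  wildcard:", evaluate_tests(ans, WILDCARD_TEST))
```

A domain listed by two lists at once answers 127.0.0.6, which matches neither the SURBL_SC (127.0.0.2) nor the SURBL_WS (127.0.0.4) exact-match test, so without bitmask support only the wildcard test or the separate single-list zones catch it.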
Re: [Declude.JunkMail] SURBL as RHSBL
Folks, apparently the PH and JP lists were never set up as separate SURBL zones, so I would recommend not querying those lists as you will never get a response from them until Declude JunkMail supports bitmasked responses.

Bill

- Original Message -
From: Markus Gufler
To: [EMAIL PROTECTED]
Sent: Tuesday, November 23, 2004 7:32 AM
Subject: RE: [Declude.JunkMail] SURBL as RHSBL

> I would rather not add six new tests to my config. Would you recommend a single SURBL test? Which one seems to work better?

I've been running it now on my servers and can report the first results after 24 hours. I'll let you know how much and how accurately all 6 tests will perform.

Markus
Re: [Declude.JunkMail] More SPAM
Yep...we saw this starting last Tuesday. The extra load seems to have come from zombie PCs, probably due to a recent spate of viruses. We're down from about a tenfold increase on 11/16 and 11/17 to about a 3-fold increase (by 11/20). Upping CMDSPACE and SNIFFER to hold weights, and some other minor tweaks, cut down significantly on the spam that made it through...upping our catch rates from 99% to between 99.5% and 99.9%, depending on the day.

Darin.

- Original Message -
From: Richard Farris [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 23, 2004 11:53 AM
Subject: [Declude.JunkMail] More SPAM

All of a sudden, my spamreview has gone from about 500 messages a day to almost 1500. Is there just that much more coming in? Most of it in spamreview is indeed spam, very few false positives.

Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support
Crossroads to a Cleaner Internet
RE: [Declude.JunkMail] SURBL as RHSBL
Thanks for pointing that out. Looking at the first hourly results from MDLP I can see some hits for WS (around 15 per hour). OB, SC and AB have only one up to 4 hits per hour. The SURBL filter file has between 300 and 400 hits in the same time ranges. There was no SH result (SURBL says it's Spam but final weight says it's Ham). Nearly all messages caught by SURBL_xx already have a final weight above 200% of my hold weight.

So don't expect too much from SURBL - RHSBL lookups.

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Tuesday, November 23, 2004 5:47 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] SURBL as RHSBL

Folks, apparently the PH and JP lists were never set up as separate SURBL zones, so I would recommend not querying those lists as you will never get a response from them until Declude JunkMail supports bitmasked responses.

Bill

- Original Message -
From: Markus Gufler
To: [EMAIL PROTECTED]
Sent: Tuesday, November 23, 2004 7:32 AM
Subject: RE: [Declude.JunkMail] SURBL as RHSBL

> I would rather not add six new tests to my config. Would you recommend a single SURBL test? Which one seems to work better?

I've been running it now on my servers and can report the first results after 24 hours. I'll let you know how much and how accurately all 6 tests will perform.

Markus
RE: [Declude.JunkMail] F-Prot Windows 3.16 Update Missing F-Prot.exe
Hi Darin,

Should you not be using /ARCHIVE=5 to tell it how many levels to scan?

Goran Jovanovic
The LAN Shoppe

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Tuesday, November 23, 2004 9:44 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] F-Prot Windows 3.16 Update Missing F-Prot.exe

Hmmm...I don't know why that would be there...Scott, can you comment?

Anyway, here's what we use:

SCANFILE C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE /NOBOOT /DUMB /AI /PACKED /SERVER /REPORT=report.txt
VIRUSCODE 3
VIRUSCODE 6
VIRUSCODE 8

Note that we use the /AI, /PACKED, and /SERVER switches, which some might not want to use. Also, we identify suspicious files with VIRUSCODE 8, which some may not want to do.

Darin.

- Original Message -
From: Don Schreiner [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 23, 2004 9:14 AM
Subject: Re: [Declude.JunkMail] F-Prot Windows 3.16 Update Missing F-Prot.exe

The Declude Virus manual states f-prot.exe in their example. I did not know or see that recommendation?

-Don

- Original Message -
From: Darin Cox [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 23, 2004 9:00 AM
Subject: Re: [Declude.JunkMail] F-Prot Windows 3.16 Update Missing F-Prot.exe

Don't you want to be using fpcmd anyway? That's the recommended scanner to use with Declude.

Darin.

- Original Message -
From: Don Schreiner [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 23, 2004 8:49 AM
Subject: [Declude.JunkMail] F-Prot Windows 3.16 Update Missing F-Prot.exe

I posted this to Declude.Virus, but apparently I am no longer subscribed, and wanted to give folks a heads up here. Yesterday I upgraded to the most recent version of F-Prot Windows (fp-win_316_m) and this morning by chance I checked my Declude Virus log and noticed a bunch of "Your virus scanner DOES NOT EXIST ..." entries. Sure enough, the F-Prot.exe file was missing. I rolled back to version fp-win_315b_m and all is back to normal, including the install of F-Prot.exe. Wish the folks at F-Prot let us know about this! Performing a full scan now to see what may have slipped through the last 36 hours.

-Don