RE: [Declude.JunkMail] Clam Antivirus

[Michael Cummins]

Working good.  I see a virus in my /virus/ directory that Message Sniffer put 
there:

X-MessageSniffer-Identifier: \Spool\proc\work\778871245675.eml
X-GBUdb-Analysis: 0, XXX.XXX.XXX.XXX, Ugly c=1 p=0.0736094 Source Normal
X-MessageSniffer-Scan-Result: 55
X-MessageSniffer-Rules:
55-5553430-0-32767-f

...and now I see in report.txt and in the declude virus log that ClamD is 
looking at things, too.

I feel better about not having AVG, but I wish there was a way to get the 
COmmTouch I already paid for.

Anyone reach out to CommTouch yet?


- Michael Cummins



-Original Message-
From: Michael Cummins [mailto:mich...@i-magery.com]
Sent: Thursday, April 18, 2013 8:26 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Clam Antivirus


Sorry, I just saw Matt's e-mail from yesterday.  Thanks, Matt!  I'll give it a 
whirl.

Very Respectfully,

Michael E. Cummins






-Original Message-----
From: Michael Cummins [mailto:mich...@i-magery.com]
Sent: Thursday, April 18, 2013 8:21 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Clam Antivirus


So AVG and CommTouch can't be used anymore, right?  I have Message Sniffer 
configured to run externally, and I've been told that it catches viruses, but I 
don't know the particulars and don't have full conifence that I'm protecting my 
customers as well as I used to.

I went to download ClamAV, but the only thing I can find on their website is 
that Immunet 3.0 product.

Anyone recently download and configure ClamAV for use with Declude?

- Michael Cummins





---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] Clam Antivirus

[Michael Cummins]

Sorry, I just saw Matt's e-mail from yesterday.  Thanks, Matt!  I'll give it a 
whirl.

Very Respectfully,

Michael E. Cummins



-Original Message-----
From: Michael Cummins [mailto:mich...@i-magery.com]
Sent: Thursday, April 18, 2013 8:21 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Clam Antivirus


So AVG and CommTouch can't be used anymore, right?  I have Message Sniffer 
configured to run externally, and I've been told that it catches viruses, but I 
don't know the particulars and don't have full conifence that I'm protecting my 
customers as well as I used to.

I went to download ClamAV, but the only thing I can find on their website is 
that Immunet 3.0 product.

Anyone recently download and configure ClamAV for use with Declude?

- Michael Cummins




---
This E-mail came from the Declude.JunkMail mailing list.  To unsubscribe, just 
send an E-mail to imail...@declude.com, and type "unsubscribe 
Declude.JunkMail".  The archives can be found at http://www.mail-archive.com.




---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

[Declude.JunkMail] Clam Antivirus

[Michael Cummins]

So AVG and CommTouch can't be used anymore, right?  I have Message Sniffer 
configured to run externally, and I've been told that it catches viruses, but I 
don't know the particulars and don't have full conifence that I'm protecting my 
customers as well as I used to.

I went to download ClamAV, but the only thing I can find on their website is 
that Immunet 3.0 product.

Anyone recently download and configure ClamAV for use with Declude?

- Michael Cummins




---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] No one at Declude?

[Michael Cummins]

Thanks for that.  Mine is now down too, and I am paid up until the end of the 
year with CommTouch, etc.

Very Respectfully,

Michael E. Cummins


-Original Message-
From: Stephan Chayer [mailto:scha...@intrasoft.net]
Sent: Wednesday, April 17, 2013 5:37 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?


Use this key: CODE 28607230-BF21-4CDE-A59B-A451CC7C9CA0





---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] No one at Declude?

[Michael Cummins]

David and Linda have always provided outstanding service.

- Michael Cummins




-Original Message-
From: Katie La Salle-Lowery [mailto:ka...@centric.net]
Sent: Tuesday, April 09, 2013 11:15 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?


David has helped me with a Declude issue quite recently as well.  I have always 
received good support from David and Linda and look forward to continuing to do 
business with them and wish them the best of luck in their new venture!


Katie LaSalle-Lowery
ka...@centric.net
1120 S. Russell; Ste B
Missoula, MT 59801
ph (406)549-3337
fax (406)541-9338


-Original Message-
From: declude [mailto:decl...@mail.net1media.com]
Sent: Monday, April 08, 2013 5:59 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] No one at Declude?

Sadly, no one from Declude has ever gotten back to me.  On the plus side, my 
credit card was never charged.

In a very gracious move, David Barker reached out to me.  He and Linda spent 
their own time and got my problem resolved!  They have started a new business, 
Mails Best Friend.  It is new and they are still working out the details.  He 
can be contacted at  david.bar...@mailsbestfriend.com.  With this kind of 
service, I expect to see great things from them.

Don


-- Original Message --
From: "SM Admin" 
Reply-To: Declude.JunkMail@declude.com
Date:  Mon, 8 Apr 2013 16:10:57 -0700

>So, has no one still heard nothing from Declude? This is my favorite anti-spam 
>service and I would hate to lose them.
>
>Ben
>  - Original Message -
>  From: declude
>  To: Declude.JunkMail@declude.com
>  Sent: Wednesday, April 03, 2013 10:21 AM
>  Subject: [Declude.JunkMail] No one at Declude?
>
>
>  Last Wednesday (3/27/2013), I renewed my Declude and Messaage Sniffer 
> service agreements.  A full week later, they both still come up as expired.  
> All phone calls and emails have gone unanswered.  I left voice mails for Tech 
> support, Sales and the phone number previously listed on this list for John.  
> I emailed both support at declude and jprovost at declude.com.
>
>  I don't know where to go from here.
>
>  A very sad time for Declude.
>
>  Don
>
>
>
>
>  
>  Sent via the WebMail system at net1media.com
>
>
>
>
>
>
>  ---
>  This E-mail came from the Declude.JunkMail mailing list.  To
>  unsubscribe, just send an E-mail to imail...@declude.com, and
>  type "unsubscribe Declude.JunkMail".  The archives can be found
>  at http://www.mail-archive.com.
>
>
>
>---
>This E-mail came from the Declude.JunkMail mailing list.  To
>unsubscribe, just send an E-mail to imail...@declude.com, and
>type "unsubscribe Declude.JunkMail".  The archives can be found
>at http://www.mail-archive.com.
>
>






Sent via the WebMail system at net1media.com






---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.





---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.




---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] OT: Web analytics

[Michael Cummins]

I use them together:



Log Based Analytics == SmarterStats

Code Based Analytics == Google Analytics



Both offer different views of the clickstream and have complementary strengths 
and weaknesses.



Pricing for SmarterStats:

http://www.smartertools.com/smarterstats/pricing.aspx



Google Analytics is free.

http://www.google.com/analytics/







Very Respectfully,



Michael E. Cummins



From: Robert Grosshandler [mailto:r...@igive.com]
Sent: Monday, April 11, 2011 3:53 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] OT: Web analytics



We count as an old-timer.



Smarterstats from smartertools for log reading.  They have a cheap / free 
version, I think.  We don’t use them.



Or



Google analytics for javascript-based analytics.  Definitely free and powerful. 
 Basically, it requires an include on every web page to make it easy to deploy. 
 Only real downside I can think of is that things that are served from your 
site that don’t result in a page view (think images, downloads) are not easily 
tracked.



We use goog analytics.







Rob



From: IMail Admin [mailto:imailad...@bcwebhost.net]
Sent: Monday, April 11, 2011 2:43 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] OT: Web analytics



I know this is way off topic, but I’d love to hear if anybody wants to throw 
out an opinion.



We’ve been using HitList Commerce 4.0 since, I don’t know, maybe 2000? to 
generate web statics reports for our clients’ domains.  It was a simple system 
that produced decent reports emails in a single .RTF file.  Recently, however, 
it broke and I can’t seem to repair it.  The makers of HitList, Marketwave, 
have undergone many changes of ownership over the years and focus now only on 
very expensive products and services (it was a few hundred dollars when we 
bought it).  So I’m looking at getting something modern.



The truth is that I only have a handful of domains who care about this, so I’m 
looking for something free or very cheap.  I’d prefer it to read our IIS logs 
and then send out emails, but I guess we could adapt to something that just 
displays a web page.  The question is: what’s cheap or free, suitable for 
hosters (as opposed to end-users) and simple?



I’m looking right now at something called JawStats (open source) and also 
Google Analytics, but I don’t know what’s involved.  Any old-timers here with 
suggestions?



Thanks,



Ben




--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, 
just send an E-mail to imail...@declude.com, and type "unsubscribe 
Declude.JunkMail". The archives can be found at http://www.mail-archive.com.


--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, 
just send an E-mail to imail...@declude.com, and type "unsubscribe 
Declude.JunkMail". The archives can be found at http://www.mail-archive.com.


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] Imail vs. Smartermail

[Michael Cummins]

I was about to upgrade my SmarterMail server this evening.  What kind of
issues are they having with 7?

 

- MEC

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Robert
Grosshandler
Sent: Saturday, August 28, 2010 1:39 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Imail vs. Smartermail

 

Yup, sub folders, but not really.  We accept mail to
blah-xxx...@member.igive.com as valid, and then process it, without actually
putting it into sub-folders (basically, it's bounces from our newsletters to
our members).  Smartermail would reject that address.

 

We ended up going the iMail route, as it was by far the easiest solution in
the short run.  Plus, it looks like Smartertools is having their own bad
experience with version 7 of Smartermail right now.

 

We do run Smartertrack and we're quite happy with it, so I'm sure
Smartertools come through the issues just fine.

 

We're looking forward to rejecting at the connection level, that would be so
efficient.  

 

Thanks again,

 

Rob

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Saturday, August 28, 2010 8:48 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Imail vs. Smartermail

 

What is blah- vs. blah+ for incoming mails?

 

Are you referring to subfolders/submailboxes that Imail automatically
generates?

 

If Imail does DomainKeys and has the mailbox handling you need, why drop it?

The next update to Imail will allow dropping connections for certain spam
checks (we'll see which ones they are starting with.)  I've been asking for
that for 10 years - so hopefully I'll be able to reject (some) spam outright
during the SMTP conversation.


Best Regards
Andy Schmidt

 

Tel. +1 201-934-9411, x20
Fax +1 201-934-9206

 

From: Eddie   

Sent: Saturday, August 28, 2010 7:00 AM

To: declude.junkmail@declude.com 

Subject: RE: [Declude.JunkMail] Imail vs. Smartermail

 

I am not sure about this.  So I am opening this up for discussion..

 

What would happen if you just ran Smartermail as an Outbound email gateway.
Wouldn't Domainkeys/Dkim still work without needing to change everyone's
email address?

 

Cheers,

Eddie

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Robert
Grosshandler
Sent: Friday, August 27, 2010 9:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Imail vs. Smartermail

 

Hi All -

 

We're currently using Imail v2006.  We had no need to upgrade and the iMail
versions until this year didn't support some features we needed (primariy
DomainKey / DKIM signing of outbound mail. )  We'd considered moving to
Smartermail, but it didn't (and doesn't) support a feature we needed
(blah-x...@igive.com) formatting of incoming mail.  Smartermail does
(blah+x...@igive.com) and we'd have to get 250,000 folks to change the
e-mail address we assigned them.

 

Pricing between the two for our needs is almost the same (Smartermail would
be slightly cheaper in the long run).

 

I know that people left iMail in droves over the past several years.  Any
current info on Ipswitch that should make me go through the pain of a switch
to Smartermail?

 

Thanks ahead of time.

 

Rob

--- [This E-mail was checked by Declude] 
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 

--- [This E-mail was checked by Declude] 
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 

--- [This E-mail was checked by Declude] 
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 

--- [This E-mail was checked by Declude] 
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] Outbound Mail

[Michael Cummins]

In this case, the outbound Smartermail gateway whitelists the IP addresses
of numerous exchange servers that relay through it.  The virus problem we
had a couple weeks ago was one of our client's local users was infected on
one of the networks that hosts the exchange server.  It pumped the mail out
through the exchange server (which is locked down to only communicate with
our smtp server) but that didn't matter here.  It was an authorized local
user, so the path was clear.

 

The overall problem though is that, since mail programs, as far as I know
for the most part, bind themselves to a single IP, then all of your
customers on that box are dependent on that IP's reputation.  If it sours at
all, then everyone else is also affected.  Sure, you can change that IP
pretty quick, but we work hard to keep the regular relationship with AOL
Postmaster, Yahoo Postmaster, etc, which I think is desirable, yes?  I don't
want to be a fly by night relay operator.

 

How do you compete with people like Google's Postini, who will let you relay
through them, thus limiting the risk/reward to a single customer?

 

I'm feeling a little pressure to abandon the whole SmarterMail / Declude /
INVURIBL / MessageSniffer / INVALUEMENT model I currently use (soon, with
Alligate!) and just go with Postini, etc.

 

I'm a long, long way from seriously considering it, because I can react to
problems much much faster and more surgically than a big service, but when I
face problems like this outbound list thing (I ended up on Symantec's
Brightmail list for about 8 hours and I can't get anyone to tell me why) I
simply don't know what to do to protect my customers.

 

Which is why I thought I'd ask about what other people do J

 

 

 

Very Respectfully, 

 

Michael Cummins

http://www.cummins.us | mich...@cummins.us

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Chuck
Schick
Sent: Wednesday, June 16, 2010 3:11 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Outbound Mail

 

Do you require SMTP authentication?  We enforce SMTP authentication and port
587 for SMTP outbound.  So far, I have not seen a virus or worm that uses
SMTP authentication.  

 

 

Chuck

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Michael
Cummins
Sent: Wednesday, June 16, 2010 11:54 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Outbound Mail

 

This is off topic for the list, but I thought this group might be able to
give me some direction.

 

How do you handle outbound mail?

 

I really try to keep a lid on spam and my clients aren't shady, but  if
something happens to 1 client, then all the clients are affected when
something goes wrong.

 

.I had one a few weeks back that got infected by a virus; we clamped down on
it pretty quickly, but it's amazing how fast those things get the mail out.
I'm still seeing fresh complaints, weeks later.  

 

.I can't put hijack on my customers, because almost all of them have their
own private mailing lists, etc.

 

Is outbound mail an issue for you?  

 

How do you address it?

 

Thanks for your patience and kind direction!

 

-- Michael Cummins


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

[Declude.JunkMail] Outbound Mail

[Michael Cummins]

This is off topic for the list, but I thought this group might be able to
give me some direction.

 

How do you handle outbound mail?

 

I really try to keep a lid on spam and my clients aren't shady, but  if
something happens to 1 client, then all the clients are affected when
something goes wrong.

 

.I had one a few weeks back that got infected by a virus; we clamped down on
it pretty quickly, but it's amazing how fast those things get the mail out.
I'm still seeing fresh complaints, weeks later.  

 

.I can't put hijack on my customers, because almost all of them have their
own private mailing lists, etc.

 

Is outbound mail an issue for you?  

 

How do you address it?

 

Thanks for your patience and kind direction!

 

-- Michael Cummins



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] Fine tuning Declude

[Michael Cummins]

It's good all around discussion, too.  I imagine it's quite topical for
anyone that uses Declude ; these things affect our environment.

 

Thanks lots!

 

I guess I'll review my Alligate history and give Brian a shout.

 

 

Very Respectfully, 

 

Michael Cummins

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Wednesday, May 12, 2010 4:51 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Fine tuning Declude

 

Hi Darin,

 

I have been fortunate that my customers (or their network consultants) were
able to open the LDAP port and add a user without trouble. Either they were
big enough to have their own IT staff, or small enough to have an external
IT consultant. But I understand that this might be different for everyone
else. 

 

As far as adding/deleting accounts - this script is designed to add/delete
records in the live database (that is actively used by ORF) - instead of
deleting and then "refreshing" the entire list. This way, there is no
downtime.  Of course, if your gateway does not support ODBC lookups (ORF
supports ODBC, LDAP and AD lookups), then you're out of luck.

 

Anyway - I'm just sharing the code in case it helps Michael.

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Darin
Cox
Sent: Wednesday, May 12, 2010 4:32 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Fine tuning Declude

 

This is about 1/3 of the process to sync the servers.  Then there's the
processing of the file on the gateway to add/delete accounts as needed, and
the minor Exchange config changes to accept mail from a subdomain.

 

In our implementations, and due to often insufficient access/knowledge on
the part of most customers, it's a two-part batch sync.  I like the
all-in-one process you have by connecting through the firewall, Andy, but
it's been hard enough getting access to customer servers to place the
extraction script. Trying to get access to LDAP through firewalls for an
external process would take a lot longer to coordinate on a per-customer
basis.


Darin.

 

 

- Original Message - 

From: Andy Schmidt <mailto:andy_schm...@hm-software.com>  

To: declude.junkmail@declude.com 

Sent: Wednesday, May 12, 2010 4:05 PM

Subject: RE: [Declude.JunkMail] Fine tuning Declude

 

Not sure that this list supports attachments - but here it is.

 

Here's how I launch it every half hour:

 

cscript //Nologo ExtractLDAP.wsf 70.255.255.84 "ou=Their
Staff,dc=TheirCompany,dc=local" logon.u...@theircompany.local mypassword
"domainalias1.com domainalias2.com domainalias3.com" TheirCompany

 

I usually use the LDAP Explorer tool to make sure I can connect to their
LDAP port through their firewall, that they have set up a valid
user/password for me, etc. Then I navigate through their LDAP hierarchy to
determine the correct OU/DC/DC, CN/DC/DC, etc path to their email users.
Once that succeeds I can simply take that info and use it as the parameters
to my script.

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Michael
Cummins
Sent: Wednesday, May 12, 2010 3:25 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Fine tuning Declude

 

That sounds like it would be fun to review, regardless.  I can dig up my old
script and post it, too.  Mine is pretty primitive: spew and parse.

 

Does it reach out to LDAP from the internet side of things, through a
properly configured firewall, I imagine?  Mine was a local script that
uploaded.  I like your idea better, if I am reading it right.  With your
idea, I provide minimum requirements instead of installation steps.

 

 

Very Respectfully, 

 

Michael Cummins 


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] Fine tuning Declude

[Michael Cummins]

That sounds like it would be fun to review, regardless.  I can dig up my old
script and post it, too.  Mine is pretty primitive: spew and parse.

 

Does it reach out to LDAP from the internet side of things, through a
properly configured firewall, I imagine?  Mine was a local script that
uploaded.  I like your idea better, if I am reading it right.  With your
idea, I provide minimum requirements instead of installation steps.

 

 

Very Respectfully, 

 

Michael Cummins

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Wednesday, May 12, 2010 3:07 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Fine tuning Declude

 

Hi Michael:

 

I have a Windows script that I use with a whole bunch of different Exchange
customers to pull their email addresses from their servers and dump them
into a small JET (.mdb = Access) Database.  It does have a few input
parameters where you configure the LDAP path to the mail domain (because
many Exchange customers have different schemes), the LDAP user/pwd, and
which alias domain names to generate.

 

I uses that list in a SQL query that my ORF gateway uses to block invalid
email address and outright terminate connections that have too many invalid
email addresses. If you have any use for it, I'll be happy to let you have
it. Instead of outputting database rows, you could certainly expand the
script to output a flat file instead or add "alias" items to the IMAIL
registry, etc.

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Michael
Cummins
Sent: Wednesday, May 12, 2010 2:14 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Fine tuning Declude

 

I wrote a batch file once on a number of the exchange servers that used VBS
and LDAP to generate a list of valid exchange recipients and then FTP them
to the server where a CF script parsed it clean.  I didn't quite know what
to do with them when they got there though (I was originally going to use
them in Alligate, but never got that up and going) and I don't have the full
"granular" cooperation of all the Exchange network peeps, only most of them,
so it was difficult to implement a one-size-fits-all policy regardless.

 

I'll put my thinking cap on.  

 

Another one of the problems is that most all of my clients don't want to
disable NDRs with whatever solution I come up with, which makes it fairly
impossible to avoid backscatter.  It goes in me one way, and out another :p

 

 

Very Respectfully, 

 

Michael Cummins 


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] Fine tuning Declude

[Michael Cummins]

I wrote a batch file once on a number of the exchange servers that used VBS
and LDAP to generate a list of valid exchange recipients and then FTP them
to the server where a CF script parsed it clean.  I didn't quite know what
to do with them when they got there though (I was originally going to use
them in Alligate, but never got that up and going) and I don't have the full
"granular" cooperation of all the Exchange network peeps, only most of them,
so it was difficult to implement a one-size-fits-all policy regardless.

 

I'll put my thinking cap on.  

 

Another one of the problems is that most all of my clients don't want to
disable NDRs with whatever solution I come up with, which makes it fairly
impossible to avoid backscatter.  It goes in me one way, and out another :p

 

 

Very Respectfully, 

 

Michael Cummins

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Darin
Cox
Sent: Wednesday, May 12, 2010 10:55 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Fine tuning Declude

 

Hi Michael,

 

I may be able to help with this.  You mention doing gateway filtering for
Exchange servers.  We also do that, but instead of accepting any address
with the domain, we have accounts set up on our server and refuse
connections that don't go to one of those accounts.

 

Now your next comment is probably that you don't want the extra management
of setting up accounts on both servers.  Well we've handled that by using a
sync process we developed to extract the list of accounts from the Exchange
server, ship that up to the gateway server, and check to see what accounts
need to be added or deleted.  We've been using this process for a couple of
years with perfect success.

 

Since it is a batch process, it is scheduled to run every few minutes, so
there could be a few minute delay when new accounts are added, but it has
worked flawlessly for a couple of years.  There are checks in place to make
sure incomplete transfers don't result in accounts being deleted or
incorrect accounts getting added to the gateway, and notifications are sent
every time accounts are added or deleted.

 

Currently it runs as a script on the destination Exchange or IMail server,
and a scheduled process on a SQL database on our mail gateway server. Also,
our gateway is an IMail server, but we could easily adapt it to use the
account creation command line utilities I assume SmarterMail has.

 

One other comment about the implementation.  We maintain a hosts file for
forwarding to the destination mail server, and use a subdomain to forward
the mail for routing purposes, so the destination mail server is configured
to accept mail for the subdomain.  That's a simple change in Exchange to add
an SMTP alias, and can be added to the default policy in Exchange so it is
automatically added when an account is created.

 

Anyway, if you have any interest, let me know.  I know we wouldn't be able
to survive if we were accepting email for any address in a domain, so I feel
your pain.

 

Best,


Darin Cox
4C Web
A division of 4C Design Technology Corp.
(813) 413-4883  Tampa Bay, FL
(919) 533-5000  Research Triangle, NC

 

 

 

 

- Original Message - 

From: Michael Cummins <mailto:mich...@i-magery.com>  

To: declude.junkmail@declude.com 

Sent: Wednesday, May 12, 2010 9:25 AM

Subject: [Declude.JunkMail] Fine tuning Declude

 

So this past week has been fairly hellish for me, buried in the thick of
Botnet Spam storms.  (Quite a number of people seem to be experiencing them,
at least as reported over on the [SNIFFER] list)

 

My implementation of Declude seems to be pressed to its limits to handle the
volume.

 

1)  Dedicated SmarterMail 6.8

2)  Declude, Invaluement RBLs added, running off a SimpleDNSPlus install
on another local machine

3)  INVURIBL with Invaluement and SpamEatingMonkey added

4)  SNIFFER, integrated with Declude

 

This is the root of my volume issues: this box is a dedicated Incoming
Gateway for several dozen Exchange servers for SMBs, which means it accepts
ALL mail for those domains.  It's not like my other mail server that rejects
bad addresses right off the bat.  When the spam storms hit, it's like a
hurricane.  My usual Sniffer-measured rate of about 150-200k messages per
day kick up as high as 850k.  I don't really handle that much mail, but
that's the rate when it storms.  My regular SmarterMail server that dishes
out POP/IMAP handles a more appropriate level of 50k messages per day.

 

1)  If I keep WAITBETWEENTHREADS too low, DecludeProc will race up to
the top of THREADS and crash when the storms hit.  I currently find that 45
is the bleeding edge of sanity (for my config) with INVURIBL and SNIFFER
running, but in a bad storm, even that is too low, and sometimes I have to
drop it back to 60 or 65; but then it's just keeping up with th

RE: [Declude.JunkMail] Fine tuning Declude

[Michael Cummins]

I actually paid for Alligate a couple of years ago, but then had to
repurpose the hardware for a casualty before I could install it and trial
it.  I never got around to putting it together after that (I'm not a big
company, and I don't have a huge budget).  It expired, and now every year
Alligate contacts me asking me if I want to renew, and I write them back
asking them if I simply lost my money, and they never respond again until
the following year.  It's like a bad game now.

 

I don't have a lot of confidence in them.  Which is sad.  I hear it's a fine
product.

 

-- Michael Cummins

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Scott
Fisher
Sent: Wednesday, May 12, 2010 9:54 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Fine tuning Declude

 

I put an alligate server in front of Declude. It kills about 95% of incoming
connections.
Declude Intercepter incorporates this

Sent via BlackBerry by AT&T

  _____  

From: "Michael Cummins"  

Date: Wed, 12 May 2010 09:25:57 -0400

To: 

Subject: [Declude.JunkMail] Fine tuning Declude

 

So this past week has been fairly hellish for me, buried in the thick of
Botnet Spam storms.  (Quite a number of people seem to be experiencing them,
at least as reported over on the [SNIFFER] list)

 

My implementation of Declude seems to be pressed to its limits to handle the
volume.

 

1)  Dedicated SmarterMail 6.8

2)  Declude, Invaluement RBLs added, running off a SimpleDNSPlus install
on another local machine

3)  INVURIBL with Invaluement and SpamEatingMonkey added

4)  SNIFFER, integrated with Declude

 

This is the root of my volume issues: this box is a dedicated Incoming
Gateway for several dozen Exchange servers for SMBs, which means it accepts
ALL mail for those domains.  It's not like my other mail server that rejects
bad addresses right off the bat.  When the spam storms hit, it's like a
hurricane.  My usual Sniffer-measured rate of about 150-200k messages per
day kick up as high as 850k.  I don't really handle that much mail, but
that's the rate when it storms.  My regular SmarterMail server that dishes
out POP/IMAP handles a more appropriate level of 50k messages per day.

 

1)  If I keep WAITBETWEENTHREADS too low, DecludeProc will race up to
the top of THREADS and crash when the storms hit.  I currently find that 45
is the bleeding edge of sanity (for my config) with INVURIBL and SNIFFER
running, but in a bad storm, even that is too low, and sometimes I have to
drop it back to 60 or 65; but then it's just keeping up with things, and
it's difficult to reduce the backlog that swelled during the crash.

2)  If I keep WAITBETWEENTHREADS too high, like around 100, Declude is
stable as a rock, but can't keep up with the mail load when times get tough.

3)  When things get bad, I go into GLOBAL.CFG and comment out INVURIBL
and/or the many SNIFFER tests.  

 

Does anyone have any useful advice for beefing up or streamlining this
process? 

 

What hardware choices have the biggest impact on Declude?

 

As an aside, I imagine that you could prevent a lot of Declude crashes if
WAITBETWEENTRHEADS was a dynamic setting, derived from the mail rate.  Yes?
No?

 

On a related note, I've been building a Declude Management interface in
ColdFusion that makes excellent use of Mark Russinovich's Sysinternals suite
of tools, most specifically PsList and PsKill, so I can keep a careful eye
on DecludeProc on my two machines, and using the Microsoft FSO to keep an
eye on file counts.

 

Sysinternals

http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx

 

FSO

http://msdn.microsoft.com/en-us/library/z9ty6h50(VS.85).aspx

 

I really recommend those tools.  FSO is really responsive when inspecting
large file counts, for keeping an eye on /spool/  /proc/ and /review/.  You
can write a parse the results of PsList to keep an eye on the number of
Threads that Declude is spawning, and even detect a crash.

 

Oh, and I have to compliment Linda and David for their relentless and
professional service.  They are a fantastic and responsive team.  BZ!

 

-- Michael Cummins

 


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

[Declude.JunkMail] Fine tuning Declude

[Michael Cummins]

So this past week has been fairly hellish for me, buried in the thick of
Botnet Spam storms.  (Quite a number of people seem to be experiencing them,
at least as reported over on the [SNIFFER] list)

 

My implementation of Declude seems to be pressed to its limits to handle the
volume.

 

1)  Dedicated SmarterMail 6.8

2)  Declude, Invaluement RBLs added, running off a SimpleDNSPlus install
on another local machine

3)  INVURIBL with Invaluement and SpamEatingMonkey added

4)  SNIFFER, integrated with Declude

 

This is the root of my volume issues: this box is a dedicated Incoming
Gateway for several dozen Exchange servers for SMBs, which means it accepts
ALL mail for those domains.  It's not like my other mail server that rejects
bad addresses right off the bat.  When the spam storms hit, it's like a
hurricane.  My usual Sniffer-measured rate of about 150-200k messages per
day kick up as high as 850k.  I don't really handle that much mail, but
that's the rate when it storms.  My regular SmarterMail server that dishes
out POP/IMAP handles a more appropriate level of 50k messages per day.

 

1)  If I keep WAITBETWEENTHREADS too low, DecludeProc will race up to
the top of THREADS and crash when the storms hit.  I currently find that 45
is the bleeding edge of sanity (for my config) with INVURIBL and SNIFFER
running, but in a bad storm, even that is too low, and sometimes I have to
drop it back to 60 or 65; but then it's just keeping up with things, and
it's difficult to reduce the backlog that swelled during the crash.

2)  If I keep WAITBETWEENTHREADS too high, like around 100, Declude is
stable as a rock, but can't keep up with the mail load when times get tough.

3)  When things get bad, I go into GLOBAL.CFG and comment out INVURIBL
and/or the many SNIFFER tests.  

 

Does anyone have any useful advice for beefing up or streamlining this
process? 

 

What hardware choices have the biggest impact on Declude?

 

As an aside, I imagine that you could prevent a lot of Declude crashes if
WAITBETWEENTRHEADS was a dynamic setting, derived from the mail rate.  Yes?
No?

 

On a related note, I've been building a Declude Management interface in
ColdFusion that makes excellent use of Mark Russinovich's Sysinternals suite
of tools, most specifically PsList and PsKill, so I can keep a careful eye
on DecludeProc on my two machines, and using the Microsoft FSO to keep an
eye on file counts.

 

Sysinternals

http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx

 

FSO

http://msdn.microsoft.com/en-us/library/z9ty6h50(VS.85).aspx

 

I really recommend those tools.  FSO is really responsive when inspecting
large file counts, for keeping an eye on /spool/  /proc/ and /review/.  You
can write a parse the results of PsList to keep an eye on the number of
Threads that Declude is spawning, and even detect a crash.

 

Oh, and I have to compliment Linda and David for their relentless and
professional service.  They are a fantastic and responsive team.  BZ!

 

-- Michael Cummins

 



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] We have opened up truncate.gbudb.net

[Michael Cummins]

That's odd.  This is what I already configured it for on my first guess:

 

TRUNCATE-GBUDB  IP4Rtruncate.gbudb.net
127.0.0.120

 

But I haven't gotten any hits yet.

 

Is there any way to test this from a command prompt, like you can with the
invaluement RBLs and nslookup?

 

- Michael Cummins

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick
Hayer
Sent: Friday, April 30, 2010 11:00 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] We have opened up truncate.gbudb.net

 

here ya go

IP4R.GBUBD   ip4r   truncate.gbudb.net   127.0.0.1   9   0

Above scores a 9 on a hit..

-Nick

MadRiverAccess.com|Skywaves.com Tech Support 
US/Canada 877-873-6482 or International +1-802-229-6574 
Emergency Support 24/7: supp...@skywaves.net 
General and Non-Emergency support ticket: 
https://www.skywaves.com/content/secure/support_ticket.htm

 

  _  

From: "Michael Cummins" 
Sent: Friday, April 30, 2010 9:36 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] We have opened up truncate.gbudb.net


I don't think I set it up properly as an ip4r test in Declude.

What would the line look like, if written properly?

Thanks for your time and effort.

-- Michael Cummins



-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Thursday, April 29, 2010 5:06 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] We have opened up truncate.gbudb.net

Hi Declude folks,

We have been testing a blacklist based on real-time GBUdb data 
(generated from Message Sniffer).

We have decided to experiment with opening up the blacklist for a wider 
audience and so as of now you can use truncate.gbudb.net as an ip4r test.

You should get a result of 127.0.0.1 if the IP is well into the truncate 
range -- That is: truncate.gbudb.net is designed to be 
ultra-conservative so that it should be safe to reject connections based 
on the test in most cases. This also means that it won't block 
everything -- only the worst of the worst. That said, the folks who have 
been testing it have reported that it did drop a significant amount of 
traffic from their systems on average.

Please keep us all posted about how it's working for you.

Thanks,

_M



---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.




---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.



---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] We have opened up truncate.gbudb.net

[Michael Cummins]

I don't think I set it up properly as an ip4r test in Declude.

What would the line look like, if written properly?

Thanks for your time and effort.

-- Michael Cummins



-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Thursday, April 29, 2010 5:06 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] We have opened up truncate.gbudb.net

Hi Declude folks,

We have been testing a blacklist based on real-time GBUdb data 
(generated from Message Sniffer).

We have decided to experiment with opening up the blacklist for a wider 
audience and so as of now you can use truncate.gbudb.net as an ip4r test.

You should get a result of 127.0.0.1 if the IP is well into the truncate 
range -- That is: truncate.gbudb.net is designed to be 
ultra-conservative so that it should be safe to reject connections based 
on the test in most cases. This also means that it won't block 
everything -- only the worst of the worst. That said, the folks who have 
been testing it have reported that it did drop a significant amount of 
traffic from their systems on average.

Please keep us all posted about how it's working for you.

Thanks,

_M



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.




---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

[Declude.JunkMail] Examining Test Effectiveness

[Michael Cummins]

Here is yesterday's (4/29/10) report, after adding the Spam Eating Monkey
into the mix.  

 

How much does this vary, amongst Declude users?   Do you get similar results
from these tests, or different ones?

 

 

Overall Server Test Summary Report

 

Total Messages Processed: 183,417

Messages That Failed Defined Test(s): 171,145

Percentage That Failed Defined Test(s): 93.31%

Average Message Weight: 56

Average Message Weight/Failed: 61

 

TEST   # FAILED   Percentage

WEIGHT10144,929...79.02%

WEIGHT15143,843...78.42%

WEIGHT20142,891...77.90%

WEIGHT25142,021...77.43%

 

BARRACUDA...103,943...56.67%

ZEN..97,021...52.90%

HOSTKARMA-BLACK..94,109...51.31%

SNIFFER-SNAKEOIL.87,631...47.78%

UCEPROTECT-2.83,627...45.59%

SNFIPCAUTION.83,418...45.48%

DYNHELO..80,473...43.87%

UCEPROTECT-3.77,550...42.28%

FILTER-SPAM..58,435...31.86%

UCEPROTECT-1.50,103...27.32%

HELOBOGUS46,577...25.39%

CBL..44,887...24.47%

SPFPASS..44,730...24.39%

NOABUSE..44,589...24.31%

SPAMMONKEY-BLACK.43,204...23.56%

CMDSPACE.41,066...22.39%

INV-URIBL38,354...20.91%

NOPOSTMASTER.36,258...19.77%

FROMNOMATCH..35,509...19.36%

FILTER-MEDICAL...33,097...18.04%

SENDERSCORE..30,081...16.40%

SUBCHARS-55..28,317...15.44%

SUBCHARS-60..23,145...12.62%

SIP-INVALUEMENT..22,885...12.48%

MAILPOLICE-DYNAMIC...22,758...12.41%

BADHEADERS...21,894...11.94%

HAM-INDICATOR21,795...11.88%

SNIFFER-GENERAL..21,724...11.84%

SORBS-RECENT.19,768...10.78%

SUBCHARS-65..19,644...10.71%

SNFIPTRUNCATE19,585...10.68%

SIP24-INVALUEMENT19,355...10.55%

URIBL-BLACK..18,388...10.03%

SURBL16,9669.25%

FILTER-DRUGS.16,4198.95%

SPAMCOP..16,3668.92%

SORBS16,1198.79%

REVDNS...15,6738.55%

WDDX-FILTER..15,3828.39%

WPBL.14,8748.11%

SUBSPACE-12..13,5017.36%

SNFTRUNCATE..12,3576.74%

SPAMMONKEY-FRESH15...11,9586.52%

FILTER-NOSENDER..10,2295.58%

FILTER-BACKSCATTER8,8214.81%

SPAMCANNIBAL..8,4414.60%

MAILPOLICE-REVWEBMAIL.7,9914.36%

FILTER-ADULT..7,6994.20%

SPFFAIL...7,5854.14%

SUBSPACE-15...6,7683.69%

IMP-SPAM..6,6723.64%

SORBS-DUL.6,1423.35%

GOOD-REVDNS...6,1403.35%

ROUTING...5,9543.25%

MAILFROM..5,4592.98%

UBL...5,0842.77%

BADWHOIS..4,5092.46%

DSN...4,3622.38%

SUBSPACE-17...4,1072.24%

SPAMMONKEY-NETBLACK...4,0892.23%

SPAMRATS..3,5451.93%

SIZE-300K.3,4411.88%

SORBS-NEW.3,0671.67%

SNIFFER-CREDIT2,6131.42%

SPAMHEADERS...2,4351.33%

SNIFFER-SCHEME2,3811.30%

NONENGLISH2,3511.28%

SNIFFER-SPAM..1,9101.04%

NJABL.1,7770.97%

SNIFFER-SCAMS.1,7260.94%

BASE641,6280.89%

BASURA1,5540.85%

SNIFFER-INSURANCE.1,5470.84%

SIZE-500K.1,4650.80%

DNSBL.1,3570.74%

BONDEDSENDER..1,0670.58%

SNIFFER-PORN..1,0670.58%

SNIFFER-TRAVEL1,0360.56%

BOGUSMX...1,0030.55%

SNIFFER-WAREZ...9650.53%

SIZE-1MB9020.49%

SNFIPBLACK..8890.48%

IPREPUTATION8890.48%

SNIFFER-OBFUSCATION.8080.44%

SNIFFER-ADVERTISING.4600.25%

SNIFFER-GAMBLING3710.20%

AHBL-DOMAINS2370.13%

MAILPOLICE-DOMAIN...2190.12%

MAILPOLICE-BLOCK2190.12%

SNIFFER-MALWARE.2160.12%

MAILPOLICE-HELO..970.05%

MAILPOLICE-REVDNS970.05%

COMMENTS.630.03%

SNIFFER-IP-RULES.32...

RE: [Declude.JunkMail] We have opened up truncate.gbudb.net

[Michael Cummins]

Thanks!

I'll add this and then watch it over the weekend, let you know how it did
compared to the others early next week.  :)

-- Michael Cummins


-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Thursday, April 29, 2010 5:06 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] We have opened up truncate.gbudb.net

Hi Declude folks,

We have been testing a blacklist based on real-time GBUdb data 
(generated from Message Sniffer).

We have decided to experiment with opening up the blacklist for a wider 
audience and so as of now you can use truncate.gbudb.net as an ip4r test.

You should get a result of 127.0.0.1 if the IP is well into the truncate 
range -- That is: truncate.gbudb.net is designed to be 
ultra-conservative so that it should be safe to reject connections based 
on the test in most cases. This also means that it won't block 
everything -- only the worst of the worst. That said, the folks who have 
been testing it have reported that it did drop a significant amount of 
traffic from their systems on average.

Please keep us all posted about how it's working for you.

Thanks,

_M



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.




---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] Enumerating and Weighting IP4R/RHSBL/DNSBL tests

[Michael Cummins]

I'll give those a try and see how they rate in the spam reports over the
weekend.  Thanks!

-- Michael Cummins



-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Scott
Fisher
Sent: Wednesday, April 28, 2010 2:28 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Enumerating and Weighting IP4R/RHSBL/DNSBL
tests

SPAMMONKEY-BLACKip4rbl.spameatingmonkey.net *
10  0
SPAMMONKEY-FRESH15  rhsbl   fresh15.spameatingmonkey.net*
50  0
SPAMMONKEY-NETBLACK ip4rnetbl.spameatingmonkey.net  *
50  0

Subject tag at 100/hold at 200/ delete at 300


I also use fresh15.spameatingmonkey.net and urired.spameatingmonkey.net in
my invuribl config



-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Michael
Cummins
Sent: Wednesday, April 28, 2010 12:31 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Enumerating and Weighting IP4R/RHSBL/DNSBL
tests


Do you implement any of the spameatingmonkey tests with your declude?

Which ones have impressed you?

Thanks for the feedback and discussion!

-- Michael Cummins


-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Scott
Fisher
Sent: Monday, April 26, 2010 11:53 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Enumerating and Weighting IP4R/RHSBL/DNSBL
tests

I like some of the ideas coming out of:
http://spameatingmonkey.com/lists.html







---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.





---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.




---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] Enumerating and Weighting IP4R/RHSBL/DNSBL tests

[Michael Cummins]

Do you implement any of the spameatingmonkey tests with your declude?

Which ones have impressed you?

Thanks for the feedback and discussion!

-- Michael Cummins


-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Scott
Fisher
Sent: Monday, April 26, 2010 11:53 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Enumerating and Weighting IP4R/RHSBL/DNSBL
tests

I like some of the ideas coming out of:
http://spameatingmonkey.com/lists.html







---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

[Declude.JunkMail] Enumerating and Weighting IP4R/RHSBL/DNSBL tests

[Michael Cummins]

I recently audited my list of Declude IP4R/RHSBL/DNSBL tests and thought it
might be productive to bounce it off the list.  (I took out some of the
private tests I use)

Because I made so many changes, I'll audit this list again in about a week
to review the effectiveness of each test and then comment some of them out,
or adjust their respective weights.  I'll be happy to post the results if
anyone is interested.  In my configuration, I rewrite subject lines at
WEIGHT 10 and delete mail at WEIGHT 25.

In the mean time, I was curious:  

What tests do you configure your Declude Junkmail to use?

Have you omitted any of these tests yourself?

Have you found some of them to be far more effective than others?

I'd love to hear your feedback.  Thanks!

-- Michael Cummins



#===
===#
# RBL IP4R TESTS
#
#===
===#

AHBL-DULIP4Rdnsbl.ahbl.org
127.0.0.920
BARRACUDA   IP4Rb.barracudacentral.org
127.0.0.230
BASURA  IP4Rbl.emailbasura.org*
40
CBL IP4Rcbl.abuseat.org
127.0.0.260
FIVETEN-DUL IP4Rblackholes.five-ten-sg.com
127.0.0.320
HABEAS-VIOLATOR IP4Rsa-hil.habeas.com *
50
HIL IP4Rhil.habeas.com
127.0.0.250
HOSTKARMA-BLACK IP4Rhostkarma.junkemailfilter.com
127.0.0.250
IMP-SPAMIP4Rspamrbl.imp.ch
127.0.0.550
MSRBL   IP4Rcombined.rbl.msrbl.net
127.0.0.260
MXRATE-BLOCKIP4Rsub.mxrate.net
127.0.0.270
MXRATE-SUSPICIOUS   IP4Rsub.mxrate.net
127.0.0.420
NJABL   IP4Rdnsbl.njabl.org   *
30
NJABL-DUL   IP4Rdnsbl.njabl.org
127.0.0.320
RU-DUL  IP4Rdul.ru
127.0.0.250
SENDERSCORE IP4Rbl.score.senderscore.com
127.0.0.670
SIP-INVALUEMENT IP4Rsip.invaluement.local *
10   0
SIP24-INVALUEMENT   IP4Rsip24.invaluement.local   *
70
SORBS   IP4Rdnsbl.sorbs.net   *
70
SORBS-DUL   IP4Rdnsbl.sorbs.net
127.0.0.10   30
SORBS-NEW   IP4Rnew.spam.dnsbl.sorbs.net
127.0.0.630
SORBS-NOMAILIP4Rnomail.rhsbl.sorbs.net
127.0.0.12   10   0
SORBS-RECENTIP4Rrecent.spam.dnsbl.sorbs.net
127.0.0.630
SPAMCANNIBALIP4Rbl.spamcannibal.org
127.0.0.220
SPAMCOP IP4Rbl.spamcop.net
127.0.0.270
SPAMRATSIP4Rspam.spamrats.com *
40
TQMCUBE-TRAPIP4Rspam.tqmcube.com
127.0.0.340
UBL IP4Rubl.unsubscore.com
127.0.0.240
UCEPROTECT-1IP4Rdnsbl-1.uceprotect.net
127.0.0.240
UCEPROTECT-2IP4Rdnsbl-2.uceprotect.net
127.0.0.220
UCEPROTECT-3IP4Rdnsbl-3.uceprotect.net
127.0.0.220
WPBLIP4Rdb.wpbl.info
127.0.0.220
ZEN IP4Rzen.spamhaus.org  *
70


#===
===#
# IP4R HAM TESTS
#
#===
===#

BONDEDSENDERIP4Rquery.bondedsender.org
127.0.0.10   -3   0
MXRATE-ALLOWIP4Rsub.mxrate.net
127.0.0.3-3   0
IADBIP4Riadb.isipp.com
127.0.0.1-3   0


#===
===#
# RHSBL TESTS
#
#===
===#

AHBL-DOMAINSRHSBL   RHSBL.ahbl.org
127.0.0.210   0
BADWHOISRHSBL   whois.rfc-ignorant.org
127.0.0.530
BOGUSMX RHSBL   bogusmx.rfc-ignorant.org
127.0.0.810
DNSBL   RHSBL   in.dnsbl.org  *
20  
DSN RHSBL   dsn.rfc-ignorant.org
127.0.0.230
MAILPOLICE-BLOCKRHSBL   block.rhs.mailpolice.com
127.0.0.250
MAILPOLICE-FRAUDRHSBL   fraud.rhs.mailpolice.com
127.0.0.250
NOABUSE RHSBL   abuse.rfc-ignorant.org
127.0.0.420
NOPOSTMASTERRHSBL   postmaster.rfc-ignorant.org
127.0.0.310
SURBL   RHSBL   multi.surbl.org   *
70
URIBL-BLACK RHSBL   black.uribl.com
127.0.0.210   0


#===
===#
# 

[Declude.JunkMail] Prioritizing Tests

[Michael Cummins]

I seem to recall that somewhere in Declude, in a custom filter if I remember
correctly (and do not profess to) that you can tell Declude to not process
any further if it has already accumulated a certain weight.

Can you do that with RBLs and the like?

That would cut down on the DNS traffic, wouldn't it?  If I could process my
third party tests like Sniffer and INVURIBL and decide whether or not it is
even necessary to even make scores of RBL checks, for example...

-- Michael





---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: Re[2]: [Declude.JunkMail] Cutting down on DNS

[Michael Cummins]

Actually, I was reading this when I thought of it, and thinking of how
INVURIBL reads the links

inside of an e-mail and then compares them to a configured RBL, like the
recommended Invaluement paid subscription.

 

http://www.blue-quartz.com/rbl/

 

It would be much more efficient to store large numbers of IPs in DNS than it
would a plain text blacklist, wouldn't it - or am I wrong about that?

 

This is the relevant quote from this page:

 

If a blacklisted IP address is in your rbl database it will "exist" in the
DNS system.

 

For example:

 

if you blacklisted IP 89.40.1.32

 

then doing a regular DNS lookup like this:

 

nslookup test.rbl.mydomain.com

nslookup 32.1.40.89.rbl.mydomain.com

 

should result in a match of 127.0.0.2

 

I haven't figured out how to get the e-mail harvesting IP blocks out of
SmarterMail yet, but if I could, then if I could script-insert them into DNS
and then use that as a local RBL, do you think that would be an effective
tool?  Those are the spammers that are banging on my door, right?

 

-- Michael Cummins

 

 

 

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Sanford
Whiteman
Sent: Saturday, July 11, 2009 3:09 AM
To: Michael Cummins
Subject: Re[2]: [Declude.JunkMail] Cutting down on DNS

 

> Probably a crazy question, but if I wrote a script to harvest the current

> blocks (for e-mail harvesting) out of SmarterMail (if such a thing could
be

> done) would that make a good or a bad local URI?

 

Are  you  talking  about  turning  a  list  of  IPs  into  a  list  of

dotted-decimal URIs like http://1.2.3.4 ? That doesn't make sense.

 

--Sandy

 

 



Sanford Whiteman, Chief Technologist

Broadleaf Systems, a division of

Cypress Integrated Systems, Inc.

e-mail: sa...@cypressintegrated.com

 

SpamAssassin plugs into Declude!

 
http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release
/

 

Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail
Aliases!

 
http://www.imprimia.com/products/software/freeutils/exchange2aliases/downloa
d/release/

 
http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/re
lease/

 

 

 

---

This E-mail came from the Declude.JunkMail mailing list.  To

unsubscribe, just send an E-mail to imail...@declude.com, and

type "unsubscribe Declude.JunkMail".  The archives can be found

at http://www.mail-archive.com.



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] Cutting down on DNS

[Michael Cummins]

> The product is basically the conduit from the URI in the email to the 
> list.  In fact if you wanted to you could host your own URI list 
> internally and add domains as you see fit.  We have many customers that 
> do this.

I understand now.  

What does a record for URI look like in DNS?  How do you add IP addresses?
rDNS?  Is there a sample somewhere I could use as a guide?



Probably a crazy question, but if I wrote a script to harvest the current
blocks (for e-mail harvesting) out of SmarterMail (if such a thing could be
done) would that make a good or a bad local URI?

Good people don't ever end up on that list, do they?


Thanks again for the discussion!

-- Michael Cummins





---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: Re[6]: [Declude.JunkMail] Cutting down on DNS

[Michael Cummins]

> There are some advantages to Simple DNS when it comes to 
> integration and replication of an entire server, but I've made up those 
> deficiencies with scripting around the DNSCMD utility in the Windows
Server 
> Resource Kit..

Thanks, Darin!  

I've written scripts using DNSCMD before; I guess I should see what is
involved in RNSYNCing that UCEPROTECT zone for starters.

SimpleDNS seems to come with a handy HTTP interface though; I could write
some custom Cold Fusion Components to manage the whole process.  I already
use a bunch of Cold Fusion scripts to parse DLAnalyzer reports every night
and drop them into SQL.  (DLAnalyzer is fantastic; just thought that should
be said again)

Should I post my notes here, or is this old hat for everyone on this list?

-- Michael Cummins




---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] Cutting down on DNS

[Michael Cummins]

> invURIBL is extremely effective for me even more so now that 
> (personally) I am using the invaluement lists which haven been 
> absolutely terrific.

Wow.  That blindsided me.  I was completely ignorant of how the product
worked.  I thought that Invariant Systems maintained their own list, and
that's what I was paying for.

I look to the bottom of the config file, and I see:





















I had no idea that's how it worked, shame on me!  I'll have to look into
those invalument lists; I Googled them up and found this website:

http://dnsbl.invaluement.com/


Just glancing around their website, I see that they recommend RSYNC to
RBLDNSD formatted files.  The Invaluement people here recommend Simple DNS
Plus as a replacement for Windows DNS.  Would most people here make the same
recommendation?

It looks like it would cost me about $300 a year to subscribe to this.  This
stuff really adds up quick!

Thanks for the discussion :)

-- Michael Cummins





---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: Re[6]: [Declude.JunkMail] Cutting down on DNS

[Michael Cummins]

> Note  that  the  resulting  downoaded file is in RBLDNS format. So you
> would convert it to a standard zone file. What DNS server do you use?

I'm using The MS DNS that comes on 2003 Server.  I have it installed on both
of the SmarterMail/Declude/Sniffer/INVURIBL boxes.

Is that a bad, or a good idea?

> UCEPROTECT is free to replicate locally (HTTP or RSYNC)
> http://www.uceprotect.net/en/index.php?m=6&s=0

Thanks, I'll look into that!

It seems a few people here already do this.  What DNS servers do you use to
do this?  Do you use separate dedicated servers to do this, or do you do it
on your Declude server? 

Thanks for the discussion!

-- Michael Cummins




---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: Re[4]: [Declude.JunkMail] Cutting down on DNS

[Michael Cummins]

How does this work then, if you don't mind me asking stupid questions...?

...Declude just does a DNS lookup on the defined server and checks to see if
it returns an authoritative or non-authoritative response for the host name
of the e-mail address, and then pass/fails on that?

I Googled a few of the more useful RBLs on my list.  So far, they all want
you to contact them for pricing.  That sounds scary.  Does anyone know how
much this kind of thing usually runs?  

-- Michael Cummins



-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Sanford
Whiteman
Sent: Friday, July 10, 2009 3:20 PM
To: Michael Cummins
Subject: Re[4]: [Declude.JunkMail] Cutting down on DNS

*unsticks Ctrl key*

> How does one go about replicating a zone locally to begin with?

2  ways, depending on the BL. They could let you use standard DNS zone
transfer, or they could make you do an "out-of-band" HTTP/FTP download
of the zone.

--Sandy





---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: Re[2]: [Declude.JunkMail] Cutting down on DNS

[Michael Cummins]

> And my other recommendation stands -- look into which BLs will let you
> replicate their zone/s locally.

Thank you for your advice.

Among other things, I've been reviewing the spam tests I've enabled.  I
thought I might share my observations with the list here, as a sounding
board.  Perhaps I will help someone, perhaps I will expose a poor decision.

I deactivated the following tests, because my DLAnalyzer told me that they
fetched less than 3% positives over the last 9 days (an arbitrary
selection):

AHBL 
AHBL-DOMAINS
DNSBL
IADB
LNG
MAILPOLICE-BLOCK
MAILPOLICE-DOMAIN
MAILPOLICE-FRAUD
MAILPOLICE-HELO
MAILPOLICE-REVDNS
MAILPOLICE-REVWEBMAIL
MXRATE-SUSPICIOUS
NJABL
VIRBL

I noticed that these tests had returned the largest number of hits (for this
type of test), so I thought I'd mention them:

BARRACUDA
HOSTKARMA-BLACK
ZEN
UCEPROTECT-2
UCEPROTECT-3
CBL 
SORBS 
UCEPROTECT-1
SPAMCOP
MXRATE-BLOCK

How does one go about replicating a zone locally to begin with?  Can you
replicate multiple zones locally?  Should you do this on the machine that is
hosting SmarterMail/Declude, or on another?

Sniffer is my best test.  INVURIBL used to be fantastic, but it doesn't fare
quite as well these days.  Does anyone recommend anything else?


Thanks for the discussion!

-- Michael Cummins





---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] Cutting down on DNS

[Michael Cummins]

Humans notice, because the traffic runs through a perimeter firewall that
checks port 53 traffic against its Intrusion Protection profiles (amongst
other things).  Lately, during periods of heavy activity it's been ramping
up the CPU and memory of the perimeter firewall.  I've noticed moments of
sluggishness as a result.

My two declude servers probably handle about 250k messgaes per day, but
around 90% of that is eliminated as waste. This waste still consumes
bandwidth and DNS connections.

During those periods of heavy activity, there are about 30k connections
through the firewall, and it seems that half of them, I'm guessing, are
wasted DNS lookups.  I'm guessing this because filtering the connections
reveals heavy port 53 activity on the Declude servers.

Yes, I run local DNS on the Declude Machines, but I've notcied that the
caching isn't all that effective.  To the perimeter firewall, a lookup is a
lookup, not matter what resource asked for it.

...unless I just don't understand, in which case I welcome being tapped into
place.

-- Michael



-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Sanford
Whiteman
Sent: Monday, July 06, 2009 8:49 PM
To: Michael Cummins
Subject: Re: [Declude.JunkMail] Cutting down on DNS

> My declude boxes are really driving DNS traffic up, loads.

As  in  "humans  notice" or as in "my SNMP monitors notice"... is this
actually negatively impacting performance of DNS or any other service?

Do you run local caching DNS (I hope so)? The other thing to look into
is zone transfers for eligible BLs.

--Sandy





---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

[Declude.JunkMail] Cutting down on DNS

[Michael Cummins]

My declude boxes are really driving DNS traffic up, loads.

Is there any general advice on improving the efficiency of the various
declude checks to reduce the number of DNS hits?

Thanks!  

-- Michael Cummins




---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

[Declude.JunkMail] SNMP / Smarter Mail 4

[Michael Cummins]

I'll probably get ridiculed but I recently discovered the joys of SNMP and I
found myself thinking "wouldn't it be cool if I could use SNMP to keep track
Declude performance?"

You know: queue sizes, number of threads, memory used, all that.

I already steal and parse the handy information out of the persistent
sniffer text file every few minutes, but doing an SNMP GET on a Declude OID
would be really handy.

...or am I just a greedy kid in a candy store?

-- Michael Cummins



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] Valid Senders - Best Declude Practices

[Michael Cummins]

> 5XXSink  is  a  connection-time  event  sink  for  MS SMTP

This sounds like an interesting tool.  What if I can only apply it to some
domains though?  If I set this up on the same box as SmarterMail, and used
the MS SMTP to forward to SmarterMail (what, on a different port I guess?)
then am I correct in guessing that I have to have a comprehensive list of
all recipients?  I don't think I'll be able to get all the Exchange Servers
I service to play nice right away.

> OTOH, if you  were  using  IMail  as  the  MTA wrapper for Declude, it
> would be possible  to do all this stuff natively within IMail by using
> a "smart store-and-forward"  setup  and some sync scripts for your 
> S&F domains.
> 
> The same logic seems possible for SM, and would certainly be the "best
> way"  in  theory;  but if you've already probed their forums, I assume
> there's no established "cookbook" from that side.

I'm pretty sure that Declude processes the traffic before the IMail product,
so I need to nab it before it gets to Declude if I'm going to trim my
resources.  I'm not sure about SmarterMail, but I suspect the same.  MSG
gets handed to Declude, which calls up Sniffer and invURIBL, and then tosses
it back into the MTA queue for mail handling.

Unless I'm wrong, in which case I'll get tapped back in line.  :)  

In iMail you set up Store and Forward by entering the IP in the SMTP
security, and then making an entry in the Windows Host file.  In SmarterMail
you just enter the IP/domain name in "Domain Forwarding" - no place to
really put any e-mail addresses for either product, that I know of anyway.
:(

You know, Declude Pro handles a whitelist.txt and a blacklist.txt on a per
domain config.  It might be nice to have a validRecipients.txt file too.
Yeah, it's sort of useless for POP/IMAP domains but it would sure be handy
for store and forward relay.  It would really cut down on my resource load
if that could be one of the first tests processed, so all the other little
engines don't have to waste their time.

> --Sandy

Thanks for your input, Sandy!  You too, Markus, Mark and Herb. Alligate
looks like an impressive gateway product, I'll keep it in mind - and I'm
thinking of upgrading the hardware on that box now as well.  It wasn't all
that shabby to begin with though.  

-- Michael Cummins



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
 
http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release
/

Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail
Aliases!
 
http://www.imprimia.com/products/software/freeutils/exchange2aliases/downloa
d/release/
 
http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/re
lease/



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.




---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] Valid Senders - Best Declude Practices

[Michael Cummins]

> I can strongly consider Alligate in front of Declude. 

So let's say I build a dedicated Alligate box to live in front of my two
Declude enabled servers.  How much of a load would it be able to handle?  I
would need it to handle close to 250k messages per day (current combined
load) with room to grow, and it looks like Alligate is
yet-another-thousand-dollar-thing-that-will-need-yearly-subscriptions-of-hun
dreds-of-dollars.

I'd be happier if I could just send my money to one company.  So would
Declude, I'm sure.  But hey.  If that's what you gotta do.

I was thinking of using a home built postfix gateway to go in front of the
boxen, and if I need more I was just going to add more identical postfix
boxen a la round robin DNS.

Bad idea?  Good idea?

But my customers could use some help today, which is why I was thinking of
using Declude to do some recipient verification.  Conceptually, that would
cut down the work load considerably, right?  I've been having trouble with
my Message Sniffer (in persistent mode) going into a cascading failure
during peak periods because of the volume; so I leave it off most of the
time, which is a huge waste.  

I'm just wondering how to go about using Declude to do this.

Thanks for all the feedback!  I've got an open mind.

-- Michael Cummins



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] Valid Senders - Best Declude Practices

[Michael Cummins]

In this case, all of the domains are simply listed in the "Domain
Forwarding" portion of the SmarterMail config, and Declude operates with
Outbound Scanning on.  

The SmarterMail server is not actually the hosting server, it is just
forwarding the mail to the Exchange servers, so no domains or e-mail
addresses are set up there.

I run an IMail 2006.1 server for my POP/IMAP needs, but I am taking a closer
and closer look at SmarterMail for that, too.

Since I haven't used SmarterMail for POP/IMAP, I can only guess that it
handles Aliases like any other POP/IMAP server.

-- Michael Cummins




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T
(Lists)
Sent: Thursday, December 28, 2006 5:27 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Valid Senders - Best Declude Practices

Does SmarterMail allow you to create aliases for a domain, such as
[EMAIL PROTECTED] is an alias for [EMAIL PROTECTED]

John T
eServices For You

"Life is a succession of lessons which must be lived to be understood."
Ralph Waldo Emerson (1802-1882)




---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

[Declude.JunkMail] Valid Senders - Best Declude Practices

[Michael Cummins]

OK.

I have a box that I use as an incoming relay for about 30 or so Exchange
servers that all live out in the wild.  I run Smarter Mail, Declude, Message
Sniffer, INVURIBL, F-Prot and all kinds of good stuff before I pass it along
to the Exchange server with SmarterMail domain forwarding.

I am getting my ass kicked by volume because the mail server accepts any
address and forwards it along; most of which of course are addresses that
don't exist.

I'm building a gateway box in the near future, which will help keep the
incoming fluff down a bit, I'm sure, but what I really need to do is to
implement some kind of valid recipient list.  I doubt that I'll be able to
LDAP all over God's green earth with any kind of reliability or speed.

Since the gateway won't be implemented for a few weeks, I'm been playing
with things to get ready for it, namely, how to get valid sender lists from
such a disparate group of Exchange servers.

So.

I patched together this VBscript that exports a list of exchange addresses
using LDAP into a text file.

It runs as a WinCron job.

I created a batch file that uploads it to one of my Cold Fusion servers.

That runs as a WinCron job, too.

I wrote a Cold Fusion script that looks for these silly text files every so
many minutes and then parses the crappy, cluttered thing into a nice clean
CSV for me, and now I can do anything I want with it.  I imagine that
someday I'll use it in conjunction with the gateway, but hey, I have this
information right now.  

What would be the best way to use this information with Declude?

Ideally, it should be implemented on a per domain basis, in case I can't get
some Exchange servers to play nice with me.  Eventually I suppose it will be
mandatory, I'm sure, but not right now when I am coming up with best
practices, eh?

So do I set up each text file for each domain as a separate filter?  And
then only use it in the applicable per domain junkmail file?

Is that the best way to do it?

Or am I making Declude work too hard?

I would really love any suggestions you might have.  Thanks!

-- Michael Cummins



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

[Declude.JunkMail] SOX

[Michael Cummins]

SOX only affects publicly traded companies, right?

Rumors abound right now about changes in the rules.

-- Michael Cummins


> We are required to archive ALL incoming mail. 
> The Sarbanes-Oxley Act does not differentiate 
> between legitimate mail and spam :)



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] method for reducing CPU load

[Michael Cummins]

I think this would be fantastic.  Twice now this week I've had to comment
out sniffer and invuribl because the proc folder was swelling.  Some of my
customers are grumbling because the service I've provided for years isn't as
good anymore.  Right now I'm thinking of putting a PirateFish type postfix
server in front of my two declude powered mail servers to try and lessen the
work they do.

Anyone here use PirateFish?

Anyway, this idea would probably help out a great deal.

-- Michael Cummins


> Matt:
> This is exactly what I have wanted Declude to do for over two 
> years now all the way down to the spec. 

>> Scott Fisher wrote: 
>> I've been mulling this one over as I watch my spam filtering CPU 
>> time slowly taking over the email server. And I don't expect the 
>> number of emails to go down.
>>  
>> For external programs and filters I think it would be a good idea to 
>> add two optional fields to the global.cfg definition line: a 
>> minweight and a maxweight. 



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] Declude and Bayesian Filtering

[Michael Cummins]

Sadly, no.  I think that I would be considered an ISP, I manage about 250
domains or so.  I saw a warning on the DECLUDE site about that, so I never
really looked any further.

-- Michael Cummins



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin
Bilbee
Sent: Friday, November 17, 2006 12:09 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Declude and Bayesian Filtering

Have you looked at the Commtouch ZEROHOUR add in. It has done wonders for
us.


Kevin Bilbee





---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

[Declude.JunkMail] Declude and Bayesian Filtering

[Michael Cummins]

I'd really like to get into Bayesian filtering.  Declude / Message Sniffer /
invURIBL just aren't catching enough for me.

...are there any plans to include it in the Declude product?  

...any third-party products available?

I suppose I could do it with a gateway concept like PirateFish or IMGate,
and I know that SmarterMail and iMail both offer options (I have a mix of
both kinds in my network) but I'd really like to see something offered at
the Declude level so I can have more uniform / better control over the whole
process.

Any ideas?  Feel free to hit me with a clue bat.  :)

-- Michael Cummins



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

[Declude.JunkMail] What works for me so far; how can I improve?

[Michael Cummins]

Greetings all,

I thought I would put this out here as an offering, both to show what is
working for me and to leave myself open for feedback on how to improve
things.  I still hear complaints about receiving spam, but I imagine that
will always be the case no matter how I tweak the system.

These statistics are for two of my servers (thank you DLAnalyzer): one does
only relay mail (via Smarter Mail 3.x) for MS Exchange servers (inbound and
outbound) and the other does only POP mail (I-Mail 2006.1)

I delete at a weight of 20, and rewrite the subject at 10.  If I read the
statistics correctly, then out of 433,849 messages inspected, 327,466 were
immediately discarded, 47,981 remaining messages had the subject line
rewritten leaving 58,402 messages delivered to my users unmolested.


Total Messages Processed:433,849
Messages That Failed Defined Test(s):422,264
Percentage That Failed Defined Test(s):  97.33%
Average Message Weight:  37
Average Message Weight/Failed:   38

TEST  WEIGHT  # FAILED  PERCENTAGE 
WEIGHT10   375,44786.54% 
WEIGHT15   350,00280.67% 
WEIGHT20   327,46675.48% 
INV-URIBL   8  197,05345.42% 
FIVETEN-SRC 7  181,61141.86% 
CBL 6  168,30338.79% 
SNIFFER 10 157,71936.35% 
SORBS-DUHL  6  143,89433.17% 
SPAMCOP 8  133,21430.71% 
DYNHELO 5  124,06828.60% 
MXRATE-BLOCK7  123,99328.58% 
HELOBOGUS   5  120,92327.87% 
FROMNOMATCH 3  106,31024.50% 
UCEPROTECT-18   89,49620.63% 
REVDNS  10  80,40918.53% 
UCEPROTECT-32   77,76217.92% 
UCEPROTECT-27   64,08014.77% 
NOABUSE 2   57,17713.18% 
NOPOSTMASTER1   46,74010.77% 
SUBCHARS-50 3   43,190 9.96% 
CMDSPACE8   35,655 8.22% 
DSBL-CONFIRMED  6   29,369 6.77% 
SUBCHARS-55 3   27,404 6.32%

I do a lot more tests (83 total) but those were the top hitters.

Thanks for your time and feedback.


Michael Cummins




---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.