Re: [Declude.JunkMail] SpamDomains

2003-12-03 Thread Jason Newland
I don't know how hard it would be, but what about just adding in a pre filter in the 
spamdomains test that will bypass the test.  Like:


Spamdomains.txt:

[RDNS excluded from check]

ebay.com
greetingcardvendor.com


[includes]
.yahoo.com
@msn.com
etc, etc


This would also allow us to build our list of acceptable excluded addresses together, 
further improving the test's accuracy.


Jason



-- Original Message --
From: Matthew Bramble [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Wed, 03 Dec 2003 19:38:18 -0500

Alejandro,

 From the Declude JunkMail manual page:

This test will catch E-mail that is not coming from a mailserver
that it should be coming from. This test will only work if you set
up a file listing domains that you wish to be included in this test.
Specifically, it will check the return address of the E-mail, and
then check to see if the reverse DNS entry of the IP that the E-mail
was sent from contains the domain name. If not, the E-mail fails the
test. For example, if hotmail.com is listed in the
\IMail\Declude\spamdomains.txt file, then an E-mail coming from
law2.hotmail.com would not fail the test, but an E-mail from
mail.example.ru would fail the test.

You can search the archives for some discussions of this.  It's hardly 
foolproof, things like greeting cards and send-a-link sites will often 
fail the test because they send E-mail with a MAILFROM address of the 
person sending the note and not the service sending the note.  I suggest 
that you always use the @ symbol in the first column, and you should set 
up two different files and score them differently.  One should be for 
ISPs and E-mail providers such as AOL, HotMail, Yahoo, etc., and the 
other should be for businesses that are often spoofed such as Microsoft, 
PayPal, Symantec/Norton, McAfee.  Be careful not to include companies 
that may use third-party mass mailers for newsletters.  The second type 
of test can be scored higher because you are less likely to be getting 
greeting cards from people with real addresses at these companies than 
you are from places like AOL.

You might also be thinking of including your own domains in this test, 
but that again should be in a totally different file, and scored very 
low because even if you are using WHITELIST AUTH functionality, you will 
most definitely get users sending E-mail with your hosted addresses 
configured in their E-mail program but are using someone else's mail 
server, or without WHITELIST AUTH, they will fail when using your own 
mail server.

Matt

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.
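
A model of the check that the quoted manual text describes, extended with the rDNS exclusion section Jason proposes and the separately weighted lists Matt suggests. This is an added example, not Declude's code or file format: the section names follow Jason's sketch, and the suffix matching, the handling of a missing rDNS name, the list contents and the weights 5 and 10 are assumptions.

```python
from dataclasses import dataclass, field

# Constructed list in the layout Jason sketches (section names are his
# proposal, not a real Declude file format); @hotmail.com added for the demo.
SAMPLE_LIST = """\
[RDNS excluded from check]
ebay.com
greetingcardvendor.com

[includes]
@msn.com
@hotmail.com
"""

# Second, separately scored list for often-spoofed businesses (constructed).
BUSINESS_LIST = """\
[includes]
@paypal.com
@microsoft.com
"""


@dataclass
class SpamDomains:
    includes: list = field(default_factory=list)       # return-address suffixes
    rdns_excluded: list = field(default_factory=list)  # sending hosts to skip


def parse_list(text):
    """Parse the sectioned list; lines before any section header are ignored."""
    cfg, target = SpamDomains(), None
    for raw in text.splitlines():
        line = raw.strip().lower()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            target = cfg.rdns_excluded if "excluded" in line else cfg.includes
        elif target is not None:
            target.append(line)
    return cfg


def host_in_domain(host, domain):
    """True if host is the domain or a name under it.

    Assumption: compared on a label boundary, which is stricter than a plain
    substring test, so 'hotmail.com.example.ru' is not inside 'hotmail.com'.
    """
    host = host.lower().rstrip(".")
    domain = domain.lower().strip("@.")
    return host == domain or host.endswith("." + domain)


def check(return_address, rdns_host, cfg):
    """Return (failed, reason) for one message."""
    addr = return_address.strip().lower()
    entry = next((e for e in cfg.includes if addr.endswith(e)), None)
    if entry is None:
        return (False, "return address not listed")
    if not rdns_host:
        # Assumption: a listed domain with no rDNS name cannot pass.
        return (True, f"'{entry}' listed but sender has no reverse DNS")
    if any(host_in_domain(rdns_host, d) for d in cfg.rdns_excluded):
        return (False, f"rDNS {rdns_host} is on the exclusion list")
    if host_in_domain(rdns_host, entry):
        return (False, f"rDNS {rdns_host} belongs to {entry}")
    return (True, f"'{entry}' sent from {rdns_host}")


# (test name, weight, list): weights are constructed; the business list is
# scored higher, as suggested in the message above.
TESTS = [
    ("SPAMDOMAINS-ISP", 5, parse_list(SAMPLE_LIST)),
    ("SPAMDOMAINS-BIZ", 10, parse_list(BUSINESS_LIST)),
]


def total_weight(return_address, rdns_host, tests=TESTS):
    """Sum the weights of every list whose check the message fails."""
    return sum(w for _, w, cfg in tests if check(return_address, rdns_host, cfg)[0])


if __name__ == "__main__":
    cfg = parse_list(SAMPLE_LIST)
    for addr, host in [
        ("someone@hotmail.com", "law2.hotmail.com"),       # manual's passing case
        ("someone@hotmail.com", "mail.example.ru"),        # manual's failing case
        ("friend@msn.com", "out3.greetingcardvendor.com"), # excluded sender
    ]:
        print(addr, host, check(addr, host, cfg), total_weight(addr, host))
```
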


[Declude.JunkMail] Setting up local DNSBL

2003-11-25 Thread Jason Newland
I have been thinking about setting up an in-house DNSBL and would
appreciate it if some kind person here could point me in the right
direction on getting started.  I can pretty much figure out how to
create an e-mail submission for the service when I want to make updates,
but I'm not too sure on the DNS setup.


Thanks in Advance!


Jason




RE: [Declude.JunkMail] Opinions on web interface

2003-11-06 Thread Jason Newland
Would you be interested in sharing this. It looks great!

Thanks!

Jason


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Grotjan
Sent: Thursday, November 06, 2003 4:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Opinions on web interface


Scot,
The web interface looks good.  I created something similar using ASP and
a custom COM object I wrote.  It uses Imail rules instead of the
individual junkmail files to process the mail based on weight test.  I
implemented it about a month ago and so far we have over a thousand
users using it and all of them are thrilled about it.  I don't have a
demo set up, but I have a screenshot of it if you want to see.
http://www.kimbanet.com/junkmail.jpg

Daniel


RE: [Declude.JunkMail] SPAMCOP Account

2003-10-30 Thread Jason Newland
Typically I only send SPAMCOP e-mails that pass through our Declude
filters.  The theory being that now SPAMCOP will know about that
address, list it, and it won't clear Declude again.

I don't see the reasoning behind sending SPAMCOP thousands of e-mails
per day that are already stopped by your system.  The benefit of
manually sending is exactly what Kami noted below.  You won't
inadvertently submit good guys.  Also, if you poke around SPAMCOP's site,
there is a program you can get called SpamSource that plugs into
Outlook.  Once installed/configured, all I have to do to report spam is
click on the SpamSource button, and it submits to SPAMCOP.  


Jason


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan
Sent: Thursday, October 30, 2003 4:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] SPAMCOP Account


Dan..

BE VERY CAREFUL IF YOU DO THIS...

We were doing this and once someone from the list sent me an email with
a bunch of keywords in it.. The system automatically forwarded it to the
SPAMCop account.

If you do this make sure you review every spam that goes into your
account and approve them knowing it is a spam and not someone that just
happened to send you a bunch of words in your filter file.

Regards,
Kami


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
Sent: Thursday, October 30, 2003 4:53 PM
To: Declude JunkMail
Subject: [Declude.JunkMail] SPAMCOP Account

Hello, All,
I signed up for a free Spamcop account a few weeks ago and I've been
using it to submit spam via their web-based form.  In addition to
allowing spam submittal via a web-based form they also give you a unique
e-mail address which you can forward spam to.  I was thinking about
setting up Declude JunkMail to send all the mail which I would normally
just DELETE because of High weight to this unique e-mail address.
Before I do this I had a few questions...

1)  Does anyone else do what I am describing?  If so, does it work well?

2)  If I want to forward all mail above a certain weight, say a weight
of 45, would the ROUTETO action be the correct action to use.  I don't
want to keep a copy of the e-mail in my HOLD directory.

3)  If ROUTETO is the correct action, when the message is sent to
Spamcop what will the FROM address be?  Will it be the original sender's
e-mail address or a special e-mail address which DJM assigns to itself?

I think that's all for now.

Thanks, Much!
Dan Geiser [EMAIL PROTECTED]

---
Sign up for virus-free and spam-free e-mail with Nexus Technology Group
http://www.nexustechgroup.com/mailscan



Re: [Declude.JunkMail] Happy days are here again...

2003-10-03 Thread Jason Newland
So as of Monday are we going to have a new organization running the .com /
.net TLDs?  lol

It's about time

Buh Bye Verislime

Jason

- Original Message -
From: Joshua Levitsky [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, October 03, 2003 2:12 PM
Subject: [Declude.JunkMail] Happy days are here again...


 I could not be happier...

 http://www.icann.org/correspondence/twomey-to-lewis-03oct03.htm


 --
 Joshua Levitsky, CISSP, MCSE
 System Engineer
 AOL Time Warner
 [5957 F27C 9C71 E9A7 274A  0447 C9B9 75A4 9B41 D4D1]



Re: [Declude.JunkMail] OBFUSCATION filter

2003-09-15 Thread Jason Newland
But, Kami just listed the revdns whitelists, wouldn't the spammer have to
have a RDNS listing of something in her whitelist (not likely) to take
advantage of the listing?

Jason

- Original Message -
From: Keith Anderson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, September 15, 2003 10:05 AM
Subject: RE: [Declude.JunkMail] OBFUSCATION filter



 Sorry, my fault for asking.

  Kami, I hope there are no spammers monitoring this list since
  now they know
  how to easily spam your e-mail domains.  It is never a good
  idea to share
  your whitelists in a public forum.




Re: [Declude.JunkMail] autowhitelist wildcard?

2003-09-10 Thread Jason Newland
So the e-mail that Mr. Koehler listed yesterday afternoon about this subject
is incorrect?  Darn, that would be an awesome feature.  His e-mail is listed
below...


Personal Whitelist

A personal whitelist allows you to accept email messages from any email
address you want no matter how many Spam tests the message actually fails.

There are three options currently available in the personal whitelist
feature. You can whitelist individual email addresses, whitelist all
messages from a certain domain and, if you do not want the anti-Spam service
at all, you can whitelist all messages sent to your address.

E-mail Options -

1. [EMAIL PROTECTED] - whitelist a single email address.

2. [EMAIL PROTECTED] - whitelist all messages from a certain domain. To
whitelist all messages from hotmail.com enter [EMAIL PROTECTED] For all
messages from aol.com enter [EMAIL PROTECTED]

3. [EMAIL PROTECTED] - whitelist all messages from everyone (turns off Spam
filtering). Enter [EMAIL PROTECTED] to whitelist all messages sent to your
address.




Jason
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, September 10, 2003 11:39 AM
Subject: Re: [Declude.JunkMail] autowhitelist wildcard?



 Is there any wildcard character that can be used in the address book
 addresses for the autowhitelist feature.  For instance, if I was
 subscribed to a newsletter that was sent from [EMAIL PROTECTED],
 where the numbers after someone are different every time, is there some
 way to put it in the address book without having to whitelist
 [EMAIL PROTECTED]

 No, there are no wildcards.

 -Scott
 ---
 Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
 Declude Virus: Catches known viruses and is the leader in mailserver
 vulnerability detection.
 Find out what you have been missing: Ask for a free 30-day evaluation.



[Declude.JunkMail] Death to Trustic Trustic Service Ending

2003-08-02 Thread Jason Newland


Everyone,

We have decided to close the Trustic service. As has become apparent
recently, there are several issues with the system as it is designed. As
such, we do not believe Trustic will reach the level of accuracy that we
require. The issue of handling large ISPs that, for the most part, deal
with spam complaints is one of the main flaws in the Trustic system for
which we see no apparent solution.

Registrations have been disabled on the site. Within a day the site 
itself will be taken down and replaced with a notice. The DNS blocklist 
will remain for a couple of weeks, but it will be configured to never 
return a match. Please reconfigure your mail servers to not query the 
blocklist.

We remain confident that the problem of spam is a solvable problem. 
Thank you for your help with this great experiment.


Mark

-- 
Mark Fletcher
Trustic, Inc
http://www.trustic.com
http://www.bloglines.com



RE: [Declude.JunkMail] Spamdomains com.

2003-08-01 Thread Jason Newland



I think that while the spamdomains test is wonderful, many people are trying
to overuse it as a test. IMO it is there to protect against forgeries of the
major e-mail services, and it does that task great. Its usefulness declines
when it is used in a greater fashion. For example, we stop a couple hundred
e-mails that use aol, msn, hotmail, yahoo, etc, but we stop only 1-3 on
smaller domains. Using this test for the smaller domains isn't worth the
false positives that it produces. But again in the defense of spamdomains,
this isn't "his" fault. It just wasn't meant for that...


Jason



  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd - Smart Mail
  Sent: Friday, August 01, 2003 6:45 PM
  To: [EMAIL PROTECTED]
  Subject: [Declude.JunkMail] Spamdomains com.

  FYI Spamdomains failed this. Which it should have based on my SP entry of
  com. although it was a valid email. It's an invoice sent by someone to my
  client through Intuit's online invoicing system.

  What is everyone using for "com."

  Received: from mail2.smart-mail.net [65.16.167.134] by net.smart-mail.net (SMTPD32-7.07) id AC92AD90152; Fri, 01 Aug 2003 16:33:06 -0500
  Received: from sdm3.quickbooks.net ([208.240.241.110]) by mail2.smart-mail.net (SAVSMTP 3.0.1.45) with SMTP id M2003080116330213145 for [EMAIL PROTECTED]; Fri, 01 Aug 2003 16:33:02 -0500
  Received: from ipp3.qbn.ie.intuit.com (ipp3.qbn.ie.intuit.com [10.9.2.76]) by sdm3.quickbooks.net (8.11.6/8.11.6) with SMTP id h71LX2V27979 for [EMAIL PROTECTED]; Fri, 1 Aug 2003 14:33:02 -0700 (PDT)
  Message-ID: [EMAIL PROTECTED]
  Date: Fri, 1 Aug 2003 14:33:02 -0700 (PDT)
  From: [EMAIL PROTECTED]

  X-RBL-Warning: SPAMDOMAINS: Spamdomain 'com.' found: Address of [EMAIL PROTECTED] sent from invalid sdm3.quickbooks.net.
  
  
  Thanks,
  
  Todd


Re: [Declude.JunkMail] New spamcop style RBL..

2003-07-28 Thread Jason Newland

- Original Message -
From: Matt Robertson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, July 28, 2003 11:32 AM
Subject: RE: [Declude.JunkMail] New spamcop style RBL..


 2. To send Trustic your (confirmed!) spam (typically only that
which has received very heavy weighting and you are certain
contains no false positives) Use the ROUTETO command in your
$default$.junkmail file.  For example, if ordinarily you
have a WEIGHT30 test that deletes the message, i.e.
   WEIGHT30 DELETE
Change it to
   WEIGHT30 ROUTETO [EMAIL PROTECTED]
Where again you replace the 'X' values with your Trustic account
number



When I set this up, I get the following error in my SMTP log file:


07:28 11:53 SMTP-(0470) processing C:\IMail\spool\Q54b20182006c927c.SMD
07:28 11:53 SMTP-(0470) Trying mx.trustic.com (0)
07:28 11:53 SMTP-(0470) Connect mx.trustic.com [66.151.128.22:25] (1)
07:28 11:53 SMTP-(0470) 220 w02.trustic.com ESMTP
07:28 11:53 SMTP-(0470) EHLO areatech.com
07:28 11:53 SMTP-(0470) 250-w02.trustic.com
07:28 11:53 SMTP-(0470) 250-PIPELINING
07:28 11:53 SMTP-(0470) 250 8BITMIME
07:28 11:53 SMTP-(0470) MAIL FROM:[EMAIL PROTECTED]
07:28 11:53 SMTP-(0470) 250 ok
07:28 11:53 SMTP-(0470) RCPT To:[EMAIL PROTECTED]
07:28 11:53 SMTP-(0470) rl-recv: connection reset
07:28 11:53 SMTP-(0470)
07:28 11:53 SMTP-(0470) QUIT
07:28 11:53 SMTP-(0470) rl-recv: connection reset
07:28 11:53 SMTP-(0470)
07:28 11:53 SMTP-(0470) requeuing C:\IMail\spool\Q54b20182006c927c.SMD R0 T1
07:28 11:53 SMTP-(0470) finished C:\IMail\spool\Q54b20182006c927c.SMD status=3



Thanks for the help


Jason




RE: [Declude.JunkMail] New spamcop style RBL..

2003-07-27 Thread Jason Newland
All tiffs aside  :),

Can I get some clarity on the operation here?  If I personally submit an
e-mail that says 10.10.10.10 is a spammer IP, and that same address has
10 positives and 1 negative (Me).  I understand that the IP will
probably be trusted, but is there something in the background that when
I do a lookup that returns a fail?  Since I, the person asking has
submitted the only negative.  Conversely, a non-submitter would get a
pass on that IP since they are going on what others are saying?

Sorry if that is confusing

Also, there is a TON of things on the documentation side of things that
still need to be filled out on the site (yes I have sent them the
recommendations).  Let's just hope they are responsive.


And finally, this seems like it will get better with user
participation



Jason



RE: [Declude.JunkMail] New spamcop style RBL..

2003-07-26 Thread Jason Newland
Josh,

What is the entry you have put in your config file?   (If you don't mind
sharing)


Thanks

Jason




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joshua Levitsky
Sent: Saturday, July 26, 2003 9:11 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] New spamcop style RBL..


This is kind of cool... I'm using it now as an RBL...

http://www.trustic.com/

Trustic is a new solution to the problem of unsolicited email. By
aggregating recommendations from its large community of members, Trustic
maintains a list of email servers that can't be trusted to prevent
spam. This makes Trustic more reliable, accurate, and up-to-date than
other block lists. In addition, Trustic provides an appeal process for
machines listed as untrusted.




Re: [Declude.JunkMail] Declude using 50% cpu

2003-07-24 Thread Jason Newland



Also, can we ask what hardware / OS this is running on?


Jason


  - Original Message -
  From: John Tolmachoff (Lists)
  To: [EMAIL PROTECTED]
  Sent: Thursday, July 24, 2003 3:03 PM
  Subject: RE: [Declude.JunkMail] Declude using 50% cpu

  Where is your DNS server you are using in Imail?

  John Tolmachoff MCSE CSSA
  Engineer/Consultant
  eServices For You
  www.eservicesforyou.com

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Gordon
  Sent: Thursday, July 24, 2003 12:51 PM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [Declude.JunkMail] Declude using 50% cpu

  On a good day we rev 19000 local deliveries + send 8000 per day.
  It hits the machine hard average cpu time before was around 44% then when
  declude was installed it jumped to over 90% average. The version is 1.75

  -Original Message-
  From: R. Scott Perry [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, July 24, 2003 3:37 PM
  To: [EMAIL PROTECTED]
  Subject: Re: [Declude.JunkMail] Declude using 50% cpu

  We are evaluating declude and have noticed a considerable increase in the
  cpu cycles associated with mail delivery. Is there anyway have it run in
  an isolated cpu instance? since there are multiple instances of
  declude.exe running, I would guess it would be hard to lock it down.

  How many E-mails do you send/receive per day?

  What version of Declude are you running (you can find out by typing
  "\IMail\Declude -diag" from a command prompt)?

  Are you sure that it is Declude using the extra CPU cycles (by sorting the
  processes in the Task Manager by the "CPU" column)?

  -Scott



RE: [Declude.JunkMail] DNS Test?

2003-07-18 Thread Jason Newland
Great letter Kevin, but I recently tried to explain this to a company and their 
engineer said that it was by design.  His explanation was that they did it for 
security/obscurity reasons and we were applying too strong restrictions on mail 
delivery.  Sometimes you just can't win with these people.


Jason


-- Original Message --
From: Kevin Bilbee [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Fri, 18 Jul 2003 15:52:25 -0700

Be careful blocking solely on RDNS and HELOBOGUS. There are many legitimate
mail servers out there with ignorant DNS admins. We are lucky to have Scott,
Len (on the Imail list), and DNS Stuff/Report. I have taken the approach to
attempt to enlighten them with the following email. Because my users recover
their own email it makes doing this easier.


Hi, I am Kevin Bilbee the Network Administrator at Standard Abrasives.

We are having some issues receiving email from your mail server. I would
appreciate it if you could help me out. Your mail server is missing a few
DNS entries that are required to validate that email is coming from your
server and not someone pretending to be you. About 60% of the mail coming
into our server is unsolicited (SPAM) so being able to identify legitimate
email is important to us. These items are outlined below.

X-RBL-Warning: HELOBOGUS: Domain acsmail1.amas.nl has no MX or A records.
X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 194.151.97.18 with no reverse DNS entry.
This is the link to the Internet Engineering Task Force site and the RFC for
Common DNS Operational and Configuration Errors section 2.1. It discusses
DNS and common configuration errors pertaining to mail servers.
http://www.ietf.org/rfc/rfc1912.txt?number=1912

If you could forward this to your IT department or send me contact
information for them, I would appreciate it.

Mail from your server is not lost, it is delayed 1 day while waiting for
review. If it is found to not be spam, the recipient has the option to
recover the message. If they do not recover it in 14 days, it is purged from
the system.

I understand that mail from your server is not spam and is legitimate
business email. But our spam filter cannot make that determination unless
the above so human intervention is involved to complete delivery to the
final recipient.

After my signature is a message with the full headers for you to review.

Thank you for your assistance in this matter,
Kevin Bilbee
Network Administrator
Standard Abrasives, Inc.




I have had great results in getting legitimate admins to fix their setups. My
biggest problem is with admins in China and admins that think it is a
security risk for their firewall to have these entries. I also had our
international department review the email so as not to offend people in other
countries with harsh language.


Kevin Bilbee

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Joshua Levitsky
 Sent: Friday, July 18, 2003 3:29 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.JunkMail] DNS Test?


 Think of the companies that offer spammers a haven. If you could block
 everything hosted by that ISP it would be wicked nice. There's no end to the
 mail servers these bastards can setup, but registered DNS servers is a whole
 other story. I don't take mail if there's no PTR, and the HELO has no A
 record so these people spamming me have to use DNS servers which are harder
 to switch constantly because it takes 24 - 48 hours for that stuff to
 change.

 -Josh

 - Original Message -
 From: Rifat Levis [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Friday, July 18, 2003 6:08 PM
 Subject: Re: [Declude.JunkMail] DNS Test?


  It seems like an interesting test, but it will do more harm to ISP,
  I am just thinking my case, having more than thousands domains.
  If 1 of those domains start doing a spam, thousands of others will have
  problems.
  The isp mail servers also.
 
  Adding a small weight can do the job :)




[Declude.JunkMail] Nolegit test

2003-06-27 Thread Jason Newland



I would like to begin using the NOLEGITCONTENT test, but the mail archives
are down :(. Can someone send me the lines I need in the configs to get this
going?

Thanks

Jason



Re: [Declude.JunkMail] Nolegit test

2003-06-27 Thread Jason Newland
Thanks Scott (and Bill)

We are holding on 20 right now (with very few FPs), so without divulging the
details of the test, is -8 too much or too little a weight?  Or should I
just test test test to see what types of mail are failing/passing the test?

Thanks Gents!

Jason

- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, June 27, 2003 12:16 PM
Subject: Re: [Declude.JunkMail] Nolegit test



 I would like to begin using the NOLEGITCONTENT test, but the mail archives
 are down :(.  Can someone send me the lines I need in the configs to get
 this going?

 You can use:


  NOLEGITCONTENT  nolegitcontent  x  x 0  -8

 this would go in the global.cfg file (you don't need any other lines for
 this test).

 -Scott


Re: [Declude.JunkMail] AOL

2003-06-26 Thread Jason Newland
Isn't that backwards?

Firewall with Fixup -  ESMTP will not work, and mail defaults to
ordinary SMTP transaction

Firewall without Fixup -- ESMTP works fine


Jason


- Original Message -
From: Rick Davidson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, June 26, 2003 1:02 PM
Subject: Re: [Declude.JunkMail] AOL


 Disabling the SMTP Fixup Protocol at the firewall disables ESMTP and allows
 only SMTP

 Anyone using Imail peering will not be able to disable ESMTP

 Rick Davidson
 Buckeye Internet Inc
 www.buckeyeweb.com
 440-953-1900 ext: 222

 - Original Message -
 From: R. Scott Perry [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Thursday, June 26, 2003 1:48 PM
 Subject: RE: [Declude.JunkMail] AOL


 
  According to you guys its not the mail server it is the
 Firewallright?
 
  Correct.
 
  What needs to be changed on the Firewall
 
  I believe someone said it is the SMTP Fixup Protocol that needs to be
  turned off.
 
  and why is the current setup so bad?
 
  Two reasons:
 
  [1] It makes your server non-RFC-compliant
  [2] The security feature is broken (specifically, it is leaking information
  it was designed to hide)
 
  -Scott


Re: [Declude.JunkMail] DSN:Tarpitting and declude firewall integration integration

2003-06-16 Thread Jason Newland
Sorry to burst your bubble, but that's not a tarpit.


You have a dynamic IP blocker.  Tarpitting doesn't block, it slows the
attack down, consuming more of their resources, and making their connection
seem like it is stuck in a pit of tar (hence the name)


Jason

- Original Message -
From: Rifat Levis [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, June 16, 2003 7:51 AM
Subject: Re: [Declude.JunkMail] DSN:Tarpitting and declude firewall
integration integration


 Hi Bill,

 I wrote a small VB program.
 --
 Here are more details about the system.

 I am using the KIWI syslog server software to send the logs to the SQL.
 You can specify in IMAIL the syslog server IP address. (If you run KIWI on
 the same machine, you have to stop IMAIL syslog.)

 I have written a small Visual Basic program which scans the SQL database for

 ERR  INVALID USER  lines every 2 min.

 And my little program opens a telnet connection to the firewall and adds the
 IP address to block.
 Then the program removes the IP address after 1 hour.

 On my firewall I wrote a global policy group to deny access to port 25.
 So the software adds the IP address and specifies that it belongs to that
 group lls.

 I decided also to integrate DECLUDE JUNKMAIL with my firewall.
 For weight over 20 I will block for 1 hour.
 For weight over 30 I will block for 2 hours.
 And so on.

 Rifat





 - Original Message -
 From: Bill B. [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Monday, June 16, 2003 3:11 PM
 Subject: Re: [Declude.JunkMail] DSN:Tarpitting and declude firewall
 integration integration


 Rifat,

 What software are you using to do the tarpitting?  Are you running it on
 the same server as IMail, or on a separate box?

 Bill


 -Original Message-
 From: Rifat Levis
 Sent: Mon, 16 Jun 2003 02:01:45 +0300
 Subject: [Declude.JunkMail] DSN:Tarpitting and declude firewall
integration



 People interested in tarpitting and Declude firewall integration can read
 this.



 I just finished the tarpitting protection for my IMAIL server.
 I am sending logs to the kiwi syslog server and forwarding it to SQL to
 analyse data.

 When in a 2 min period a single IP sends mail to more than 5 unknown
 accounts, I am blocking the IP address on my netscreen firewall for 1 hour.


 The next step of this is to integrate Declude to the firewall.

 I have 3 weights:
 weight 10 warn
 weight 15 warn
 weight 20 delete

 Instead of deleting weight 20 I will forward it to an account to send data
 to SQL, analyse it and then block it for 1 hour.

 NOTE : I am sure that KAMI will be interested :)

 Best Regards
 Rifat Levis

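The block decision described in this thread (more than 5 unknown accounts from one IP inside 2 minutes, then a 1 hour block, with longer blocks at higher JunkMail weights), as an added Python example that is not the Visual Basic program from the post. The log line layout and sample addresses are constructed, and the extension of "and so on" to one extra hour per further 10 points of weight is an assumption. As the reply at the top of the thread points out, this logic blocks the sender outright rather than tarpitting it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=2)    # look-back period from the post
THRESHOLD = 5                    # block when MORE than 5 unknown accounts are hit
BLOCK_FOR = timedelta(hours=1)   # block length from the post

# Assumed log layout (constructed, not IMail's real format):
#   2003-06-16 07:00:00 192.0.2.10 ERR INVALID USER <rcpt@example.com>
LINE_RE = re.compile(r"^(\S+ \S+) (\d+\.\d+\.\d+\.\d+) ERR INVALID USER <([^>]+)>$")

def sample_log():
    """Constructed input: one fast prober, one slow sender that stays under the limit."""
    t0 = datetime(2003, 6, 16, 7, 0, 0)
    fast = [(t0 + timedelta(seconds=10 * i), "192.0.2.10", f"a{i}@example.com") for i in range(7)]
    slow = [(t0 + timedelta(minutes=2 * i, seconds=5), "198.51.100.7", f"b{i}@example.com") for i in range(6)]
    return [f"{t:%Y-%m-%d %H:%M:%S} {ip} ERR INVALID USER <{rcpt}>" for t, ip, rcpt in sorted(fast + slow)]

def decide_blocks(lines):
    """Return [(ip, block_start, block_end)] for IPs that exceed THRESHOLD within WINDOW."""
    recent = defaultdict(deque)      # ip -> (timestamp, recipient) pairs inside the window
    blocked_until = {}               # ip -> expiry of the current block
    blocks = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                 # not an invalid-user line
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ip, rcpt = m.group(2), m.group(3).lower()
        if ip in blocked_until and ts < blocked_until[ip]:
            continue                 # already blocked; do not extend or re-add
        q = recent[ip]
        q.append((ts, rcpt))
        while ts - q[0][0] > WINDOW:
            q.popleft()              # drop events older than the window
        if len({r for _, r in q}) > THRESHOLD:   # count distinct unknown accounts
            blocked_until[ip] = ts + BLOCK_FOR
            blocks.append((ip, ts, ts + BLOCK_FOR))
            q.clear()
    return blocks

def block_hours(weight):
    """Weight over 20 -> 1 hour, over 30 -> 2 hours; +1 hour per further 10 is an assumption."""
    return 0 if weight <= 20 else (weight - 1) // 10 - 1

if __name__ == "__main__":
    for ip, start, end in decide_blocks(sample_log()):
        print(f"block {ip} from {start} until {end}")
```

Counting distinct recipients rather than raw log lines keeps a retried delivery to one mistyped address from tripping the block.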


Re: [Declude.JunkMail] Declude Processes Server Load

2003-06-05 Thread Jason Newland
Kami,

Is your DNS that IMAIL/Declude uses local to you?  Or are you using an
upstream DNS?  That many IPV4 tests may warrant this.  We noticed a large
performance boost by using a DNS on the local LAN.


Just a thought


- Original Message -
From: Kami Razvan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, June 04, 2003 3:58 PM
Subject: RE: [Declude.JunkMail] Declude Processes  Server Load


I truly wish I could explain it..

Maybe I am dreaming.. But what I see is Declude does not get to 100% CPU
since we moved it to IMail to do IP4r.

This morning for example I saw about 10 or so Declude processes.. One at
19%.. A lot at 0% and then jumping to 10% and going away, some hit 100% for 1
second and disappeared.

Before we were seeing 100% CPU staying for several seconds and then each one
of the waiting processes hitting 100%.  We could not even move the mouse..
It would move in steps.. Now we don't have that problem.

Watching this is now my favorite pastime... A cup of coffee and watching
CPU  Declude processes..

Have to try it with beer.. Could be more fun.. But can't imagine anything
being more fun!

:)

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan Patnode
Sent: Wednesday, June 04, 2003 4:19 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Declude Processes  Server Load


Kami,

I'm running ten IP4r tests, referred to in my original email as an external
DB query.  There seems to be a discrepancy between this as a cause and
Scott's answer:

  the Declude process should not show high CPU usage in this case.
  Declude uses the Sleep() command, which gives up CPU cycles to
  other  programs (and will prevent the Task Manager from showing CPU
  usage in  Declude during idle times, such as when Declude JunkMail is
  waiting for an  external or DNS-based test to complete).

Assuming we're all talking about the same thing, Declude continues to run as
a process waiting for replies from IP4r requests but does not consume much
CPU time while doing so.  Does pulling out IP4r tests during an episode show
an immediate decline in CPU use?

Does anyone know how the people hosting the IP4r tests feel about us
slamming them with queries?  Suppose I'm cruising along with 20,000 queries
a day, then jump to 500,000 over a few weeks, surely that makes an
impression somewhere?  Is there a point where we should ask about doing more?

Thanks
Dan



On Wednesday, June 4, 2003 1:33, Kami Razvan [EMAIL PROTECTED]
wrote:
Hi Dan:

We had a similar problem.  I posted a couple of messages regarding this
very issue.  We were having CPU at 100% for minutes..  in one case
when a mail list hit our server with a lot of users receiving the
message at the same time the CPU was at 100% for almost an hour.  We
could not do anything... Finally the Declude processes disappeared and
all was back to normal again.

What I noticed was the cause more than anything else was the IP4r
tests. Declude appears to be fast in filtering and everything that it
does.  The IP4r tests are a different story and naturally out of
Declude hands.  We had a lot of them and by taking them off it brought
things to normal.

I stated this in an earlier posting- we are not doing all of our IP4r
tests in IMail version 8.  It works much faster and since it caches it
seems like it works great.  We have about 60 IP4r tests (majority of
what is listed in Declude/junkmail/manual.htm site).  We will take some
off and add others as we find their effectiveness but for now we are
using a lot of them and no problem.

I am interested to see if this helps you if you try it.

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan Patnode
Sent: Tuesday, June 03, 2003 9:36 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Declude Processes  Server Load


We added about 350 users to our 2000+ user dual server configuration in
the last week and were doing pretty well until this afternoon.
Suddenly the CPU load graph stopped looking like its normal Donkey Kong
video game simulation (up and down) and more resembled a 100% highway
with a few dips.  Declude processes were taking quite a while to clear
before finishing, to be replaced by another.  I pulled out some multi
thousand line tests and it nary made a dent.

Just before bringing our 3rd server into the fold, things quieted down.
While I've already ordered 2 new dual processor 1U's, I want to pare
down (if not eliminate) the variables involved:

1) If an external DB query slowed things down, delaying each Declude
process, would Declude still show high CPU consumption while waiting
and would the graph still be pegged?  If not, is there any situation
external to my server that would?

2) Is it possible for Declude to be consuming CPU cycles while idling
for some other reason?

3) If something else is running in the background, eating cycles, does
Declude 'look' like it's working 

RE: [Declude.JunkMail] updated spamdomains list

2003-05-31 Thread Jason Newland
Rocketmail.com resolves to yahoo.com

So:


Rocketmail.com yahoo.com


Would be a valid entry


What about the following?

Bigfoot.com
Geocities.com
Rocketmail.com

Markus

 
