Hi;
The FTP address is not bogus :)
I asked that you replace XYZ with the domain in my email:
ClickandPledge.com
We had this problem before where the search engines picked up our previous
location and our company was getting indexed with some interesting words.
Then we started getting complaint
We have monitored the results for this test for a long time. We have not
seen a single FP.
We now hold on that test.
Regards,
Kami
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich
Sent: Sunday, June 15, 2003 8:51 PM
To: [EMAIL PROTECTED]
Subject:
Hi all,
Over the weekend I've configured the following ip4r-tests from Bill.B's
config file that we haven't used until now.
These are the results after 10 hours (4 hours business time). In this time
we've caught around 300 spam messages.
BLITZEDALL ip4r opm.blitzed.org * 3 0
95 positive test
We give for this test a weight of 55 points and hold on 100.
FP's occur if a client uses a sender-domain listed in the
spamdomains-file but uses another smtp-server (from his ISP) to send out
legit messages.
Another case: A message sent from a web form with the sender-address
inserted by the
Rifat,
What software are you using to do the tarpitting? Are you running it on the same
server as IMail, or on a separate box?
Bill
-Original Message-
From: Rifat Levis
Sent: Mon, 16 Jun 2003 02:01:45 +0300
Subject: [Declude.JunkMail] DSN:Tarpitting and declude firewall integration
Hi Bill ,
I wrote a small VB program.
--
Here are more details about the system.
I am using the KIWI syslog server software to send the logs to the SQL
You can specify in IMAIL the syslog server's IP address. (If you run KIWI on the
same machine, you have to stop
Thanks for the valuable info.
Are all the tests below free and can be used by all of us?
And, if yes, why weren't they included in the default global.cfg?
EASYNET-PROXIES ip4r proxies.blackholes.easynet.nl * 2 0
BLITZEDALL ip4r opm.blitzed.org
Sorry to burst your bubble, but that's not a tarpit.
You have a dynamic IP blocker. Tarpitting doesn't block, it slows the
attack down, consuming more of their resources, and making their connection
seem like it is stuck in a pit of tar (hence the name)
Jason
- Original Message -
Cool. We've been playing around with a few methods of tarpitting. Check out TarProxy
by Marty Lamb (http://www.martiansoftware.com/tarproxy/)... this tool seems to have
a lot of promise. It allows you to hook into each stage of the SMTP session and apply
incremental delays or drop the
(or be run on a mail gateway that sits in front of the IMail/Declude server).
That's what TarProxy sort of does. TarProxy accepts the inbound SMTP connections and
relays them to a backend SMTP host (imail's smtpd). What I'm saying would be great,
is if TarProxy could call Declude-like tests
Bill,
Monday, June 16, 2003 you wrote:
BB That's what TarProxy sort of does. TarProxy accepts the
BB inbound SMTP connections and relays them to a backend SMTP
BB host (imail's smtpd). What I'm saying would be great, is if
BB TarProxy could call Declude-like tests during the SMTP
BB session...
I think Scott only included some of the more reliable ip4r tests in the
default JunkMail config file. You can find a listing of lots of available
tests on the Declude web site (www.declude.com/Junkmail/support/ip4r.htm),
and you will see in the test descriptions that most are freely available to
I am trying to explain what I did in a simple way.
In fact
On my firewall I am not really blocking but reducing the bandwidth for the
specified IP address
to 33.6 Kb /sec like a dial-up connection speed.
So my server spends more CPU time on real users than on spammers.
This is tarpitting.
I have
Markus,
I already started doing this, but the problem here is that when you have a
dynamic IP list
you cannot change it on IMAIL on the fly.
You have to stop and restart the SMTP services.
That's why I am using a firewall here.
Rifat
- Original Message -
From: Markus Gufler [EMAIL
If I end up with a negative weight, how do I configure to ignore and pass
e-mail along? Is the following correct?
Global.cfg
NEGWEIGHT weightrange x x 0 -100
Default.JunkMail
NEGWEIGHT IGNORE
Thanks.
-Don
---
[This E-mail was scanned for viruses by Declude
This approach is a bit different than IMGate because it creates a dynamic tarpit,
based on the spamminess of the email. The more tests it fails, the slower the
connection gets...IN REAL TIME! That's the cool part. From what I understand, IMGate
can only drop the connection...it cannot slow
Bill,
Monday, June 16, 2003 you wrote:
BB The more tests it fails, the
BB slower the connection gets...IN REAL TIME!
I see now, thanks for the reply.
XMAIL has a setting like this with its CustMapsList and its
SMTP-RDNSCheck. I've used both but I didn't find it very useful.
In CustMapsList
If I end up with a negative weight, how do I configure to ignore and pass
e-mail along?
You don't need to do anything.
The way the weighting system works, you decide what weight ranges to use to
detect spam. For example, some people have it set up to HOLD E-mail based
on the WEIGHT10 test (a
All of those tests are free. The ones you list have just been added to the
default configuration files, except for IPWHOIS (which has a lot of false
positives in our testing) and SORBS (which we do not have enough
information about yet).
-Scott
At 08:50 AM
Scott, FWIW, I have had very good success with the ip4r test:
ipwhois.rfc-ignorant.org
but found lots of FP with the domain based test:
whois.rfc-ignorant.org
So I don't use that whois test any more. However, this has not been your
experience?
Bill
- Original Message -
From:
Thanks for reply and yes this is how I use weights, but what I failed to mention is
that I end up with a negative value often (i.e. -7, -1, etc.) depending on certain
mail and it gets held. You are saying it should not get held. OK I must have a hold on
a certain test that is failing even
As the subject states, is DNSstuff still having problems? Seems every time I
try a lookup I get a Page cannot be displayed error. Once in a while it
works, super-fast in fact, but seems more often than not it's down.
Just seeing what's going on.
Paul
Charles,
Monday, June 16, 2003 you wrote:
CF I can also use XMail to slow down server responses to addresses
CF in response to a RBL
Are you using the RDNS test in XMAIL?
I felt like the time to check delayed the dialogue too long.
Terry Fritts
It looks like these headers tell me to add:
attbi..comcomcast.net
to the sd.txt file.
Received: from Hyperion.tenforward.com [65.161.10.61] by tenforward.com with
ESMTP
(SMTPD32-7.15) id A15AE91F00FC; Mon, 16 Jun 2003 10:41:46 -0700
Received: from sccrmhc13.attbi.com (unknown
Is there a way to put a copy of the string that matched the filter test into
the headers?
thanks
Harry Vanderzand
inTown Internet Computer Services
11 Belmont Ave. W.
Kitchener, ON
N2M 1L2
---
This E-mail
As the subject states, is DNSstuff still having problems? Seems every time I
try a lookup I get a Page cannot be displayed error. Once in a while it
works, super-fast in fact, but seems more often than not it's down.
If you try re-loading the page it should work.
There is an issue with the new
Is there any way for us to be able to use the X-Spam-Prob tag as weighting? As
I understand it, the only way to use this field today is to add an IMail rule to
separate / delete the mail?
Is there any way for us to be able to use the X-Spam-Prob tag as
weighting? As
I understand it, the only way to use this field today is to add an IMail rule to
separate / delete the mail?
That's correct -- we are planning to add a test that will be based on the
information in that header.
I am noticing that often the messages I send to the Declude lists are
pending in our Exchange server queue. They are easy to spot because they
are the only messages in the queue. If I force several retries, they will
eventually get delivered, but it can take many attempts at times.
Is anyone
Hi all,
Sorry about the subject being so generic but I was not sure how to call the
following. I have been seeing the following in the headers of some email:
Received: from 216.220.106.24 [218.151.108.224] by mail.heliosfunds.com
The first IP is the IP of the mail server. I am not sure how to
You can set up a filter to add a weight for that IP specifically:
HELO 10 CONTAINS 216.220.106.24
Or you could set up a filter to add a weight to any email that uses an IP as its HELO:
HELO 10 ENDSWITH 0
HELO 10 ENDSWITH 1
HELO 10 ENDSWITH 2
HELO 10 ENDSWITH 3
HELO 10 ENDSWITH
I already started doing this, but the problem here is that
when you have a dynamic IP list you cannot change it on
IMAIL on the fly. You have to stop and restart the SMTP
services. That's why I am using a firewall here.
:-|
Hmmm, I understand.
Far from being realtime-friendly...
Markus
Note, that for internal email, the IP address used in SPAMDOMAINS is the
email address of the sender. So, for us, that gets translated to our ISP's
name, as only the mail server has rDNS set up (we trap on our own mail
server address in spamdomains, as that was being faked by quite a bit of
email
But, this would also subtract weight from emails that didn't fail
spamdomains. FWIW, we ADD a small amount of weight to most of these, rather
than subtract.
Karen
-Original Message-
From: Bill Landry
A better way to do this is to setup a RDNS Filter and add a
negative weight
for
I posted both of their lists here.
http://downloads.wpa.net/billb_sd.zip
http://downloads.wpa.net/sheldons_sd.zip
Both lists current as of 6/13/2003
Of course, I see this after I just responded to the other post. Frederick,
if you are going to maintain this, then I need not bother,
I decided against notifying the recipient for Vulnerabilities.
Apparently,
vulnerabilities are essentially spam - and notifying the recipient would
mean that they end up getting an unwanted message after all.
In my experience, that is true 98% of the time. That 2% percent though can
cause
Note, that for internal email, the IP address used in SPAMDOMAINS is the
email address of the sender. So, for us, that gets translated to our ISP's
name, as only the mail server has rDNS set up (we trap on our own mail
server address in spamdomains, as that was being faked by quite a bit of
... While I am preparing Declude weights and
firewall blocking, I can have a look for information about
your device also.
Looks like there is a command line interface. I will ask the support and
you will hear from me.
I am really sorry for my BAD English,
This is my 3rd language,
Hello, All,
One of our techs put in a new server last week running Exchange 2000 and did
not secure it from being an open relay. Today I discovered about 18,000
messages on our outgoing message queue. Apparently someone found the relay
on Sunday morning. I removed the messages and then disabled
Has anyone else built a front end for JM, so the end user (in our case our
ISP customers) can configure certain aspects of Declude JM?
What we have in mind is to charge each subscriber for using JM, and also to
give some control over the actions, i.e. let them choose between IGNORE,
WARN,