MySQL server died. fixed
Len
Another tactic is to put everything from aim.com on postfix HOLD, then check it
every couple hours and manually delete the spam, and release the legit, while
threatening aim.com to block everything until they fix their problem.
postcat to look at the hold/ dir msgs
postsuper -d queue_id to
I have noticed a huge drop in mail to my Imgate box, nothing has
changed. In the week prior to December 5, average number of incoming
messages was 22,000. After December 5 and continuing through today the
average number of incoming mail was 8,000.
Of course I am not complaining, but very very
Spam on rise after brief reprieve
In the world of spam, what goes down must come up.
Two weeks after the shutdown of web hosting firm McColo, which saw a two-thirds
drop in spam worldwide, spam numbers are creeping up again.
Industry experts disagree on the degree to which spam has
http://news.cnet.com/8301-1009_3-10095730-83.html?part=rsssubj=newstag=2547-1_3-0-5
We'll see if this really holds up, or whether others step into the gap.
Len
__
IMGate OpenSource Mail Firewall www.IMGate.net
I hope too :)
Pete McNeil on the sniffer list says there has been some dropoff.
I think we all know that it's whack-a-mole game.
There so much money involved that the spammers and criminals will pop up again.
Len
The servers are owned by McColo Corp, a Web hosting company that has emerged
as a major U.S. base of operations for a host of international cyber-crime
syndicates, involved in everything from the remote management of millions of
compromised PCs to the sale of counterfeit pharmaceuticals and
Spammers are turning a profit despite only getting one response for every 12.5m
e-mails they send
http://news.bbc.co.uk/2/hi/technology/7719281.stm
Len
November 10, 2008
Internet Attacks Grow More Potent and Complex
By
JOHN MARKOFF
http://topics.nytimes.com/top/reference/timestopics/people/m/john_markoff/index.html?inline=nyt-per
SAN FRANCISCO Attackers bent on shutting down large Web sites even the
operators that run the backbone of
October 15, 2008
Authorities Shut Down Spam Ring
By
BRAD STONE
http://topics.nytimes.com/top/reference/timestopics/people/s/brad_stone/index.html?inline=nyt-per
An Illinois
http://topics.nytimes.com/top/news/national/usstatesterritoriesandpossessions/illinois/index.html?inline=nyt-geo
From today, IMGate Advanced 09 adds the content-filtering option of ARM
Research's Message Sniffer.
For details, visit:
http://www.imgate.net/?page_id=101
http://www.imgate.net/?page_id=111
Len
http://www.barracudacentral.org/rbl
An IMGate client has just started using this RBL.
Feedback on your results appreciated
Len
IMGate Background
The emphasis of IMgate has always been envelope rejection, before the
SMTP DATA command and avoiding expensive queuing to disk. This
approach has now become the Postfix designer's own preference, that the
envelope stage is where defensive policies should be
Here's IMGate Advanced 09's RBL hits for Tuesday:
50677 pub.mxrate.net
14447 bl.spamcop.net
5313 dnsbl.sorbs.net
2239 dnsbl.njabl.org
879 dnsbl.ahbl.org
These are RBL hits applied to msgs with non-suspect HELO and PTR. For
the day, 74K msgs of 250K msgs with good PTR + HELO had 2 RBL hits.
Here's IMGate Advanced 09's RBL hits for Tuesday:
50677 pub.mxrate.net
14447 bl.spamcop.net
5313 dnsbl.sorbs.net
2239 dnsbl.njabl.org
879 dnsbl.ahbl.org
for mxrate, that's the query for pub.mxrate.net/127.0.0.2
Len
Hello IMGators,
I've been out of the loop for a while, but I'm back in the saddle again.
I've been developing and testing a major expansion of IMGate
Advanced, for immediate delivery, announced with this email.
IMGate.MEIway.com web site is being totally revised to reflect IMGate
Advanced 09
header_size_limit = 256
years ago, spammers used to put 10s of addresses in the cc: and to: headers,
while 99%+ of legit mail put 1 or a few. 256 helped reject the worst spammers.
I increase this directive to 998 as RFC 2822 says:
header_size_limit = 998
spammers don't play by RFC rules
I changed the reject_unverified_recipient in the main.cf and that cleared
the outgoing queue on our internal mail server
That's not efficient, but whatever
and send an email back to
the sender. That seems to be the key.
OK for a low-volume MX to generate those unnecessary
Does that mean then there is no way to play nicer with my internal mail
server so this particular message could be sent back to the sender on the
1st attempt?
you can comment out reject_unverified_recipient and all
undeliverable msgs will pile up postfix queue, cause postfix to
http://www.pcworld.com/article/id,140420-pg,1/article.html
Spammers Giving Up? Google Thinks So
By Betsy Schiffman 11.28.07 | 7:00 PM
http://www.wired.com/services/feedback/letterstoeditor
Bill Gates was wildly optimistic when he said in 2004 that the
problem of spam would be solved by 2006. The volume of junk e-mail
transmitted worldwide is still
Len
The only problem I see with this is I get a lot of emails from clients
referencing their domain name in the subject. These days the 15+ char
domains are common.
fully qualified domain names contain ., which excludes them from the filter:
postmap -q subject: .*domain.domain.tld
http://www.news.wisc.edu/14380
I sure hope this is something they make available for free.
Len
http://www.news.com/Report-PDF-files-used-to-attack-computers/2100-7349_3-6215656.html?tag=nefd.top
Len
http://blogs.pcworld.com/staffblog/archives/005775.html
Len
http://www.pcmag.com/article2/0,1759,2192520,00.asp?kc=PCRSS05079TX1K992
Let's hope that other large network operators start monitoring and
out-bound-blocking infected
machines on their networks.
Len
verify (SAV) is an abusive technique.
to each his own opinion.
In our imgate server we have reject_unverified_sender directive. Is
it safe deleting this directive?
Count how many SAV rejected yesterday and see if you have other ways
to stop that traffic:
zegrep -ic 'sender address rejected:'
Is there a place that I can list their domains in the Postfix system so that
it ignores the transport map
there's no way to bypass transport.map. It's part of the domain
resolution process of transport.map, hosts, DNS
and relay_recipients restrictions
whitelist the domain before
I would think the next logical
thing would be to try and add the domains I want to the transport map after
its exported from IMail. Or is there another way to do this?
you can have multiple files input to
transport_maps =
hash:/path/to/file1
hash:/path/to/file2
they are searched in
I'm seeing a lot of the airlines (southwest as of yesterday), getting
stopped by the greylisting ... I think it's their automatic reservation
system.
They have at least two sending machines.
The advertising stuff isn't retried, but the electronic ticket emails
are retried.
Len
Any have a newer postgrey_exceptions.map?
Mine is from 12/2005 ... I'm sure there have been updates since then.
sure, but each admin adds his own items. People can post their .map
here and we can consolidate them.
Len
This won't catch a lot, but it could give you IPs or Class C's to
block. I noted some stuff getting through to me where a header was:
x: ZRlJFRUtJVEBCUkVOREFTQ1JJVkVORVIuQ09NZ
probably some kind of spam tracking code.
and FROM: was illegal stuff (carat is illegal in sender field):
Do you really think this would effect the IMGate setup?
The BINDs I set up have queries limited to trusted IPs. If one of
those IPs is compromised and is attacking the vulnerability, then the
cache could be poisoned.
Len
Users of the widely-used addressing system software are urged to
update to Bind 9.2.
http://www.pcworld.com/article/id,136832/article.html?tk=nl_dnxnws
End of Life has been announced for BIND8.
A strange urging!?!?!
... because current version is here ftp://ftp.isc.org/isc/bind9/9.4.1-P1
http://news.com.com/8301-10784_3-9769724-7.html?part=rsssubj=newstag=2547-1_3-0-5
August 31, 2007 9:51 AM PDT
Court tosses $11 million judgment against Spamhaus
Posted by Anne Broache
http://news.com.com/8300-10784_3-7.html?authorId=102
At least for now, Spamhaus, the popular
On Behalf Of Len Conrad
Sent: Tuesday, August 14, 2007 2:36 PM
To: IMGate@mgw2.MEIway.com
Subject: [IMGate] Re: is MSN and ATT one and the same
No sav.
then they must be blocking you for sending the bad content, OR
infected machines are sending large numbers of bad recips (just like SAV
does)
Len
http://www.pcworld.com/article/id,135936/article.html?tk=nl_dnxnws
When we asked why we were told we were sending a large volume of spam.
When I asked to see the complaints I was told that there were none and
that it is a result of their spam filtering software scanning all mail
inbound and rating it as spam. So all of our users forwarding all of
their spam to
I have messages in my postfix queue going to an old server instead
of the new one (forgot to update the transport file before beginning
with the migration.
Is this possible? Here is a log entry:
delivery temporarily suspended: connect to x.75[x.75]
I want to change the .75 to .35 for
Thanks Len.
I actually did that (postsuper -r ALL) but the log still says it's
trying to connect to the old mail server. Any other suggestion?
No, I've done it a few times, and it always worked.
Len
At 11:14 AM 8/8/2007, you wrote:
ATT continues to block me without offering any evidence. I have tried
following some of your commands and they helped. But I am curious how
stuff like these gets through. I can't find the originating IP. Any
suggestions would be appreciated.
imgate1# egrep -c
This is all I get.
imgate1# grep [EMAIL PROTECTED] /var/log/maillog
Aug 8 06:22:53 imgate1 postfix/cleanup[36092]: 87A0818CC7C:
message-id=2007080 [EMAIL PROTECTED]
the smtpd connect from domain.name[ip.ad.re.ss] is logged before
msg-id and queue-id lines.
and I think postfix-originated
http://www.pcworld.com/article/id,135646/article.html?tk=nl_dnxnws
I've been saying this for years. Spamvertize a site, and it gets blocked.
Len
I am still wrestling with ATT. Looks like they are blocking me again.
Below is the email they send. Why can't they send info from THEIR logs.
I can't find a phone number let alone an email address that goes to a
human.
have you looked at all connects to ATT IPs? maybe something on your
side
have you looked at all connects to ATT IPs? maybe something on your
side really is screwing up.
Yikes, how would I do that? Keep running netstat and then grep for ATT
ip's.
well, should block at your edge router all connections from your IPs to
port 25, except for IPs you know are legit
Guys, appears our IMGate is having some issues receiving these Google
Alerts and I am not finding a real reason why.
never heard of it.
As always, what's in the logs?
My guess is that these alerts are entertainment type stuff that
aren't retried after 450 grey-list rejection.
If IMGate is
Looks like that might be what is happening. I thought it was strange
that it never retried at all after seeing this in the logs...
May 30 06:56:54 mx1 postfix/smtpd[5547]: NOQUEUE: reject: RCPT from
wr-out-0708.google.com[64.233.184.243]: 450 4.7.1 [EMAIL PROTECTED]:
Recipient address rejected:
http://reviews.cnet.com/4520-3513_7-6725188-1.html?tag=nl.e404
Has anybody seen this, yet?
Len
PCWorld reports that four antivirus programs had a quick reaction to the new Storm
Worm variant that has recently started spreading:
A huge virus surge of a new Storm Worm variant is flooding email inboxes
and evading many antivirus programs. In my tests of 31 programs, only four
reported a virus.
I already have reject_unlisted_recipient in my smtpd restrictions as the
second restriction, does that mean it's not working properly?
do you have a
relay_recipient_maps =
... main.cf ?
Len
The IP address doing this is not in my relay list, I have very few servers
talking to IMGATE.
I had recently disabled SAV, and maybe forgotten to restart postfix after
that, so maybe this is why we are still seeing this SAV behavior ?
SAV doesn't use MAILER-DAEMON as the SAV sender.
How is
Thank you len for your detailed reply.
So, from what you're saying, I got blocked by hotmail not because of SAV, but
because of postfix sending 'email address does not exist' bounce messages to
non-existent hotmail accounts.
aka, backscatter
So adding reject_unverified_recipient would make postfix
I got an email from hotmail.com saying that my IMGATE machine is being used
to harvest hotmail account, I looked at my queue file and found a ton of
these entries:
7B9E23EB5E*5650 Sat Apr 7 04:58:52 MAILER-DAEMON
[EMAIL PROTECTED]
7FE143EB1B*
timed out while performing the EHLO handshake
Has anyone seen this before
sure, I've seen just timeouts at just about every step of the SMTP dialog
I upgraded my imgate box and with certain
mail servers I keep getting this error and the other side reports they
are getting this message did
Hello,
I am about to implement greylisting on imgate (Postgrey). I
will be using these setups:
http://postgrey.schweikert.ch/
http://portsmon.freebsd.org/portoverview.py?category=mailportname=postgrey
Or is it as straight forward as it seems ?
Yes, it's pretty straightforward
I received a message from IOC Mail Admins [EMAIL PROTECTED]
concerning us blocking mail from shaw.ca. I did find multiple lines in the
mta_clients_b.map (we are using it) that list shawcable.com.
the specific server IP that's being blocked is 64.59.134.9
should I allow this server? This file came
Any updates on modifications to PolicyD? I know a few months ago you
were working with some developers to add some features. Anything new?
no, I'm still negotiating with a couple of developers.
Len
I have finally decided to move to the latest version of SmarterMail from
imail v6. What are some of the things I need to look at or take into
account when doing the switch in regards to imgate setup ?
nothing, except the Windows script for exporting Smartermail users to Imgate.
Len
The serial number of the SOA record - usually in the format MMDDNN
That is an informal convention that conveniently fits into the serial
number, but it is not required by RFC, and, eg, BIND never requires
or verifies that a serial number is in that format.
RFC requires only that the zone
I think it can take up to 48 hours with some registrars. Others like Dotster
update more often (hourly) although I think the root servers only update 1-2
times a day anyway.
Nit: we're not talking about the *.root-servers.net but about the
*.gTLD-servers.net, which are the .com domain parents.
promise
2 days to customers..
Mike
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Len Conrad
Sent: Saturday, March 24, 2007 3:04 PM
To: IMGate@mgw2.MEIway.com
Subject: [IMGate] Re: how long for host records to arrive in TLD-servers?
I think it can
teaching grandmother to suck eggs
Teach not thy parent's mother to extract
The embryo juices of the bird by suction.
The good old lady can that feat enact,
Quite irrespective of your kind instruction.
- Anon
dig @f.tld-servers.net ns1.whatever.com
... enacts the feat precisely and
Sorry for quadruplicate posts.
Our Imail was accepting mail, but was not sending it to our A-V
gateway. Finally something happened to Imail and it released all
the mail, including my 4 attempts.
Len
Queuemgr trouble?
I don't know. the people in Paris rebooted and all was ok. But they
said there was nothing in Imail queue (although no msgs left Imail
for several hours), which might be a symptom of Imail qmgr screwing up.
thanks,
Len
Ping.
Somebody made a config error to the mgw2, killed the list. sorry. fixed.
Len
Hi List!
New viruses, spam, etc. are being smarter than most anti-spam/virus techniques
nowadays.
I am facing some kind of trojans that infect many clients computers with
broadband connection, and start sending a lot of emails to yahoo.com.tw or
tiscali.it for example.
As always, when you increase
January 7, 2007
Attack of the Zombie Computers Is Growing Threat
By JOHN MARKOFF nytimes
In their persistent quest to breach the Internet's defenses, the bad
guys are honing their weapons and increasing their firepower.
With growing sophistication, they are taking advantage of programs
that
As for greylisted IP's resending, we are beginning to see a
significant increase in the number of infected/trojaned subscriber
hosts resending.
I haven't seen this.
Enough so that we have moved greylisting a few notches lower in our
testing order.
I always run greylising high.
Anyone care
A shifting landscape for e-mail security
By Joris Evers
http://news.com.com/A+shifting+landscape+for+e-mail+security/2100-7350_3-6147760.html
Story last modified Mon Jan 08 12:05:01 PST 2007
Cisco
For what it's worth I have been using the barracuda box, along with a
couple of Imgates, it's a nice robust GUI interface alternative to
Imgate but still has shortcomings, reports, hardware expense etc.
In the same way IMGate has succeeded so well the MX front-end for in
tandem with
Agreed in the old days a person would build a Imgate box to offload the
work of their expensive windoze box. Now they can use an Imgate box to
save thousands of dollars and put it in front of a cudda 400 (cost
$4,000) instead of buying a 600 ($9000). That leaves lots of money to
give to Len for
January 7, 2007
Attack of the Zombie Computers Is Growing Threat
By JOHN MARKOFF
http://topics.nytimes.com/top/reference/timestopics/people/m/john_markoff/index.html?inline=nyt-per
In their persistent quest to breach the Internet's defenses, the bad
guys are honing their weapons and
We used to see a small variety of viruses caught, only 3 -5
/day after we started SAV and greylisting, both of which combined to
greatly reduce the number of viruses caught.
But, for many weeks now, we've been seeing almost exclusively what
Kaspersky calls:
Email-Worm.Win32.Bagle.gt
Cyber Crime Hits the Big Time in 2006
Experts Say 2007 Will Be Even More Treacherous
By Brian Krebs
washingtonpost.com Staff Writer
Friday, December 22, 2006; 9:51 AM
Call it the year of computing dangerously.
Computer security experts say 2006 saw an unprecedented spike in junk
e-mail and
Delivered-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Date: Mon, 18 Dec 2006 11:34:23 -0500
From: Victor Duchovni [EMAIL PROTECTED]
x To: [EMAIL PROTECTED]
x Subject: FYI: ordb.org is dead
x Reply-To: [EMAIL PROTECTED]
x X-RCPT-TO: [EMAIL PROTECTED]
http://www.ordb.org/news/?id=38
What are the latest recommended FreeBSD versions for use with IMgate as
Len's imgate.meiway.com page still recommends vs. 4.2/4.3?
6.1-Release
I have one client who is running 2 machines on 6.1-RC1 Patch 2 or something.
As always, IMgate runs on postfix, not the OS, so the OS version
doesn't
IMHO spam will continue to grow out of control in the next few years, I
am like the smart little pig and starting to prepare for the wolf of spam
that's coming soon. I am doubling the current horsepower of all my spam
boxes.
You need very little horsepower on the MXs to reject. And if you
have
December 6, 2006
Spam Doubles, Finding New Ways to Deliver Itself
By BRAD STONE
Hearing from a lot of new friends lately? You know, the ones that
write It's me, Esmeralda, and tip you off to an obscure stock that
is poised to explode or a great deal on prescription drugs.
You're not the
First of all, what's this? see:
http://www.iana.org/faqs/abuse-faq.htm#FAQonBlackholeServers
I admin a high-volume site that runs its IMGate boxes on RFC1918
IPs. postfix, sshd, etc do a PTR query for every connecting
IP. Over the weekend, IANA's blackhole NSs started acting like
For those of you running postgrey, here's a couple commands.
egrep -i ': delayed' /var/log/maillog | awk '{c++; a=substr($7,1); t+=a ; print a,t/c}'
will give the avg postgrey delay for all triplets retried.
==
This command will show you the number of msgs per tranche of 100
Here's the number WARNings/day for previous 8 days at one high-volume
site I admin:
mx1# zegrep -ic 'suspected image' /var/log/maillog.[0-9].gz
What parameters/tests are you using to flag your image spam?
just looking at headers and trying to Whack-a-Mole with strings that
seem to match.
I
http://www.pcworld.com/article/127801-1/article.html?tk=nl_dnxnws
Let us know if those two filter I posted in the previous msg catch any spam.
Len
Here's the number WARNings/day for previous 8 days at one high-volume
site I admin:
mx1# zegrep -ic 'suspected image' /var/log/maillog.[0-9].gz
/var/log/maillog.0.gz:1567
/var/log/maillog.1.gz:29057
/var/log/maillog.2.gz:24178
/var/log/maillog.3.gz:61723
/var/log/maillog.4.gz:52861
What do you think of the list?
The one that stood out was dul.dnsbl.sorbs.net as one I hadn't seen
mentioned recently. I tried it on one high-volume site in WARN mode
and got tons of hits in one hour.
Put it in WARN mode for a few days at the end of your restriction
list and then see
These were posted to the postfix users list today:
reject_rbl_client bl.spamcop.net,
reject_rbl_client sbl-xbl.spamhaus.org,
reject_rbl_client list.dsbl.org,
reject_rhsbl_sender dsn.rfc-ignorant.org
reject_rbl_client spamsources.fabel.dk,
Did this work for you?
yes, I tried it on various high-volume sites and WARNed quite a few,
but I left it with the sites themselves to decide whether
to move it from WARN to REJECT or HOLD.
Len
Len,
which one specifically did you use?
/^subject: =.Windows/ HOLD Imail vulnerability
today:
mx1# egrep -ic 'imail vuln' /var/log/maillog
15
while there were a couple 1000 Friday. my guess is that this
attack didn't work very well (Imail servers weren't vulnerable and/or
the MX blocked
mx1# tail -f -n 10 /var/log/maillog | egrep -i vulnerability
Oct 27 12:13:23 mx1 postfix/cleanup[98940]: 89F4E10325A: hold: header
Subject:
=?windows-1251?B?wMLIwCwgxi3ELCDAwtLOLe/l8OXi7ufq4CDj8PPn7uIu?= from
relay1.macomnet.ru[195.128.64.2]; from= to= proto=ESMTP
mpack is a mailer for converting attached files to MIME, like
mailing a big report as a zip file.
On fbsd 6.1, mpack installed as a fbsd pkg, mpack fails to find the file
to attach to the msg.
mpack -s "this is the subject" /path/to/file.zip [EMAIL PROTECTED]
Either inside a script or on the
anybody using this with IMGate?
http://www.mxrate.com/lookup/dns.htm
comments?
Len
ime, this program has worked flawlessly for years.
Now, I have new IMGate client reporting the program is exporting only
aliases but only on some domains. I suspect something's rotten in
his registry.
Anybody seen this or other problem with imailusers.exe?
In case we can't fix it, is anybody
1) show us your RBL servers
2) Also, anybody find a way, without going all the way to
spamassassin or similar, of blocking stock/drugs image/gif spam?
Len
I would like to clear out our postgrey database
what would that accomplish?
... I think I might have a file
have a what?
as a lot of spam is getting by IMGate in the last two days. Any
other files I should remove and let rebuild?
The only file that used to need zeroing was the SAV hash:
Clear out the postgrey pass list? - I believe this expires after some time
limit, but I'm unsure what that is.
90+% of greylist passed records will be passed again very quickly.
... I think I might have a file
have a what?
I was thinking I had a file with some type of lock, as the server
I am trying an IMgate box in front of my Imail server and when I look in
the headers of email, it shows that the imgate server (named rocket) has
an IP of 127.0.0.1. Where is the setting to change this on the imgate
machine? Here is an example of the headers.
Received: from
http://www.foxnews.com/wires/2006Aug16/0,4670,SpammerapossGold,00.html
My current queue lifetime is 2hours, however, this is too short for ETRN
customers when their box dies.
Is there some way I can create a different transport section in
master.cf and give it a longer queue time just for my etrn domains.
you aren't subbed with the address you posted from.
have