[sniffer] Re: Help
Stop using the silly WHITELIST TODOMAIN for one thing.

What is the IP address they are coming from? Could be a compromised client?

John T
eServices For You
"Seek, and ye shall find!"

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Filippo Palmili
Sent: Thursday, July 27, 2006 9:11 AM
To: Message Sniffer Community
Subject: [sniffer] Re: Help

These:

#= WHITELISTS ===
#WHITELIST HABEAS
PREWHITELIST ON
WHITELIST AUTH
#WHITELIST LOCAL
#(PRO version only) enables addresses in the web address book to automatically be white listed.
#AUTOWHITELIST ON
# - Domain Example -> WHITELIST FROM @declude.com
# - User Example -> WHITELIST FROM [EMAIL PROTECTED]
# - IP Example -
#WHITELIST IP 63.246.13.90
# - TO Example -
#WHITELIST TO postmaster@
#WHITELIST TO abuse@
WHITELIST TO [EMAIL PROTECTED]
WHITELIST TO [EMAIL PROTECTED]
WHITELIST TODOMAIN @mydomain
WHITELIST TODOMAIN @mydomain
WHITELIST TODOMAIN @mydomain
WHITELIST TODOMAIN @mydomain

Filippo

At 18:06 27/07/2006, you wrote:

*** My mail server has the relay activated only for certain IP addresses and networks. Filippo ***

Sorry, I didn't read your message close enough. What whitelist settings do you have in global.cfg?

Paul Navarre

#
This message is sent to you because you are subscribed to the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to <[EMAIL PROTECTED]>
[sniffer] Re: Help
It sure sounds like a server issue to me and not a spam filtering issue. However, on that issue, wouldn't WHITELIST TODOMAIN @mydomain whitelist all email going to your domain? It's been a while since I've run declude but that seems like it shouldn't be right.

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]

From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Filippo Palmili
Sent: Thursday, July 27, 2006 9:11 AM
To: Message Sniffer Community
Subject: [sniffer] Re: Help

These:

#= WHITELISTS ===
#WHITELIST HABEAS
PREWHITELIST ON
WHITELIST AUTH
#WHITELIST LOCAL
#(PRO version only) enables addresses in the web address book to automatically be white listed.
#AUTOWHITELIST ON
# - Domain Example -> WHITELIST FROM @declude.com
# - User Example -> WHITELIST FROM [EMAIL PROTECTED]
# - IP Example -
#WHITELIST IP 63.246.13.90
# - TO Example -
#WHITELIST TO postmaster@
#WHITELIST TO abuse@
WHITELIST TO [EMAIL PROTECTED]
WHITELIST TO [EMAIL PROTECTED]
WHITELIST TODOMAIN @mydomain
WHITELIST TODOMAIN @mydomain
WHITELIST TODOMAIN @mydomain
WHITELIST TODOMAIN @mydomain

Filippo

At 18:06 27/07/2006, you wrote:

*** My mail server has the relay activated only for certain IP addresses and networks. Filippo ***

Sorry, I didn't read your message close enough. What whitelist settings do you have in global.cfg?

Paul Navarre
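An added example (not part of any post in this thread, and not Declude's own code) of auditing a global.cfg for active whitelist rules that fire on the recipient alone, which is the concern raised about WHITELIST TODOMAIN above. The sample config, the placeholder domain mydomain.example, the function names and the matching semantics are assumptions.

```python
# Constructed sample modelled on the global.cfg excerpt quoted in the thread;
# mydomain.example and the mailbox name are placeholders.
SAMPLE_CFG = """\
#WHITELIST HABEAS
PREWHITELIST ON
WHITELIST AUTH
#WHITELIST LOCAL
#WHITELIST IP 63.246.13.90
#WHITELIST TO postmaster@
WHITELIST TO helpdesk@mydomain.example
WHITELIST TODOMAIN @mydomain.example
"""

def active_whitelists(cfg_text):
    """Return (line_no, kind, value) for each uncommented WHITELIST directive."""
    rules = []
    for no, raw in enumerate(cfg_text.splitlines(), 1):
        parts = raw.strip().split(None, 2)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue  # blank line, comment, or a bare keyword
        if parts[0].upper() == "WHITELIST":
            rules.append((no, parts[1].upper(), parts[2] if len(parts) > 2 else ""))
    return rules

def recipient_rules_hit(rules, rcpt):
    """Rules that whitelist a message on its recipient alone, whoever sent it.
    Assumed matching (not verified against Declude): TO = value contained in
    the address, TODOMAIN = address ends with the value."""
    rcpt = rcpt.lower()
    hits = []
    for no, kind, value in rules:
        v = value.lower()
        if v and ((kind == "TO" and v in rcpt) or (kind == "TODOMAIN" and rcpt.endswith(v))):
            hits.append((no, kind, value))
    return hits

def domain_wide_rules(rules, local_domains):
    """TODOMAIN rules that cover one of our own domains: all inbound mail skips scoring."""
    local = {"@" + d.lower().lstrip("@") for d in local_domains}
    return [r for r in rules if r[1] == "TODOMAIN" and r[2].lower() in local]

if __name__ == "__main__":
    rules = active_whitelists(SAMPLE_CFG)
    for no, kind, value in domain_wide_rules(rules, ["mydomain.example"]):
        print(f"line {no}: WHITELIST {kind} {value} whitelists every message to this domain")
    print(recipient_rules_hit(rules, "anyone@mydomain.example"))
```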
[sniffer] Re: Help
Don't you have your mail server set to require login to send mail? This is not a sniffer/declude issue but a mail server setup issue.

Herb

Filippo Palmili wrote:

Hello Pete,

my Ipswitch IMail Server has been under attack since yesterday. It relays emails coming from an external host. The sender of these mails is a random name @ the ip address of my mail server (for example [EMAIL PROTECTED]) and is automatically whitelisted by the declude server.

Do you know anything about these attacks? Is there a way to stop it? Until now I banned the generating ip address and manually deleted the queue, but the generating address changes.

An example of mail:

Received: from ameillpu-7jat6i [200.127.81.225] by odino.logos.it with ESMTP (SMTPD32-8.05) id AB60DC5500D0; Thu, 27 Jul 2006 17:27:28 +0200
From: "bjsytb" <[EMAIL PROTECTED]>
Subject: =?GB2312?B?usN+zsR+ubJ+yc0=?=
To: [EMAIL PROTECTED]
Content-Type: TEXT/HTML
Date: Thu, 27 Jul 2006 23:27:23 +0800
X-Mailer: AOL 7.0 for Windows US sub 118
Message-Id: <[EMAIL PROTECTED]>
X-Declude-Sender: [EMAIL PROTECTED] [200.127.81.225]
X-Declude-Spoolname: DDB60DC5500D0D472.SMD
X-Declude-Scan: Score [0] at 17:28:19 on 27 Jul 2006
X-Declude-Tests: Whitelisted

Please let me know.

Filippo
Logos S.p.A.

--
Herb Guenther
Lanex, LLC
www.lanex.com
(262)789-0966x102 Office
(262)780-0424 Direct
[sniffer] Re: Help
These:

#= WHITELISTS ===
#WHITELIST HABEAS
PREWHITELIST ON
WHITELIST AUTH
#WHITELIST LOCAL
#(PRO version only) enables addresses in the web address book to automatically be white listed.
#AUTOWHITELIST ON
# - Domain Example -> WHITELIST FROM @declude.com
# - User Example -> WHITELIST FROM [EMAIL PROTECTED]
# - IP Example -
#WHITELIST IP 63.246.13.90
# - TO Example -
#WHITELIST TO postmaster@
#WHITELIST TO abuse@
WHITELIST TO [EMAIL PROTECTED]
WHITELIST TO [EMAIL PROTECTED]
WHITELIST TODOMAIN @mydomain
WHITELIST TODOMAIN @mydomain
WHITELIST TODOMAIN @mydomain
WHITELIST TODOMAIN @mydomain

Filippo

At 18:06 27/07/2006, you wrote:

*** My mail server has the relay activated only for certain IP addresses and networks. Filippo ***

Sorry, I didn't read your message close enough. What whitelist settings do you have in global.cfg?

Paul Navarre
[sniffer] Re: Help
*** My mail server has the relay activated only for certain IP addresses and networks. Filippo ***

Sorry, I didn't read your message close enough. What whitelist settings do you have in global.cfg?

Paul Navarre
[sniffer] Re: Help
My mail server has the relay activated only for certain IP addresses and networks.

Filippo

At 17:44 27/07/2006, you wrote:

*** Do you know anything about these attacks? Is there a way to stop it? Until now I banned the generating ip address and manually deleted the queue, but the generating address changes. ***

You must select No Mail Relay or Relay Mail for Addresses on the SMTP security tab to prevent this type of attack. Any users that are not local will have to select "my server requires authentication" in order to be able to use your servers.

Good luck,
Paul Navarre
[sniffer] Re: Help
*** Do you know anything about these attacks? Is there a way to stop it? Until now I banned the generating ip address and manually deleted the queue, but the generating address changes. ***

You must select No Mail Relay or Relay Mail for Addresses on the SMTP security tab to prevent this type of attack. Any users that are not local will have to select "my server requires authentication" in order to be able to use your servers.

Good luck,
Paul Navarre
[sniffer] Help
Hello Pete,

my Ipswitch IMail Server has been under attack since yesterday. It relays emails coming from an external host. The sender of these mails is a random name @ the ip address of my mail server (for example [EMAIL PROTECTED]) and is automatically whitelisted by the declude server.

Do you know anything about these attacks? Is there a way to stop it? Until now I banned the generating ip address and manually deleted the queue, but the generating address changes.

An example of mail:

Received: from ameillpu-7jat6i [200.127.81.225] by odino.logos.it with ESMTP (SMTPD32-8.05) id AB60DC5500D0; Thu, 27 Jul 2006 17:27:28 +0200
From: "bjsytb" <[EMAIL PROTECTED]>
Subject: =?GB2312?B?usN+zsR+ubJ+yc0=?=
To: [EMAIL PROTECTED]
Content-Type: TEXT/HTML
Date: Thu, 27 Jul 2006 23:27:23 +0800
X-Mailer: AOL 7.0 for Windows US sub 118
Message-Id: <[EMAIL PROTECTED]>
X-Declude-Sender: [EMAIL PROTECTED] [200.127.81.225]
X-Declude-Spoolname: DDB60DC5500D0D472.SMD
X-Declude-Scan: Score [0] at 17:28:19 on 27 Jul 2006
X-Declude-Tests: Whitelisted

Please let me know.

Filippo
Logos S.p.A.