Re: Declude Hijack Alert
Question asked by Hemen Shah - 1/2/2016 at 6:59 AM
Unanswered
Hi,
 
I am using a Declude setup with Hijack, and all of a sudden the alert mails have stopped. I do see that Declude is running fine based on the logs, but when some user crosses the hijack threshold of 50/100 mails, it is not throwing an alert, while at the same time SM is doing the job based on the events configured.
 
Any advice here?
 
Thanks    

4 Replies

0
Hemen Shah Replied
Anyone using Hijack here who can advise?
0
Martin Schaible Replied
I'm quite familiar with Declude and Hijack. Could you please post what your configuration file for Hijack looks like?
 
0
Hemen Shah Replied
Hi Martin,

Thanks for your response. Below is how it looks by default, no changes. Does this need authentication for sending alert mails?

LOGFILE declude\logs\hi####.log
LOGLEVEL LOW

#Send out notification using HijackNotify.eml when HiJack Threshold 2 reached
HIJNOTIFY ON

#Use individual addresses rather than IP as the counter
HIJADDR ON

# The following options -- RELAYTHRESHOLD1 and RELAYTHRESHOLD2 -- determine the two threshold levels.
# RELAYTHRESHOLD1 determines how many E-mails someone can send out before their mail is held temporarily.
# RELAYTHRESHOLD2 determines how many E-mails someone can send out before their mail is held permanently (a spammer).
#
# The first number indicates the time period in MINUTES, and the second number indicates the number of outgoing E-mails
# that can be sent out in the time period. For example, "RELAYTHRESHOLD1 10 50" would allow the user to send out 50
# E-mails in 10 minutes before his mail was held temporarily.

RELAYTHRESHOLD1 10 50
RELAYTHRESHOLD2 30 100

# An ALLOWIP line will let an IP address send unlimited E-mail.
# An ALLOWADDR line will let an email address send unlimited E-mail.

#EXAMPLE
#ALLOWADDR user@domain.com
ALLOWIP 127.0.0.1
0
Martin Schaible Replied
Hi
 
Your configuration is okay.
Declude sends you an e-mail if the second threshold is reached. Hijack now moves all mails being sent from the affected IP address to the folder spam\hold2. To release the IP address, the Declude service needs to be restarted, which is a bit boring.
 
So you get one e-mail per captured IP address. To be honest, I have never had the case that several IP addresses were captured on one day. Therefore I can't confirm that you get a warning for the following attacks.

Hope this helps.
 
Cheers
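
Added example (not part of the thread and not Declude's own code): a Python model of the two thresholds as the comments in the posted config describe them, showing that a sender who only crosses RELAYTHRESHOLD1 is held without an alert mail and that RELAYTHRESHOLD2 yields one notification per counter key. The sliding-window counting, the "more than N mails" comparison, the function names and the sample traffic are assumptions constructed for this example.

```python
from collections import defaultdict, deque

# Constructed copy of the active directives in the posted hijack config.
CONFIG = """HIJNOTIFY ON
HIJADDR ON
RELAYTHRESHOLD1 10 50
RELAYTHRESHOLD2 30 100
ALLOWIP 127.0.0.1"""

def parse_config(text):
    """Parse 'DIRECTIVE value ...' lines; skip blanks and # comments."""
    cfg = {"ALLOWIP": set(), "ALLOWADDR": set()}
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key = parts[0].upper()
        if key.startswith("RELAYTHRESHOLD"):
            cfg[key] = (int(parts[1]) * 60, int(parts[2]))  # (window s, mails)
        elif key in ("ALLOWIP", "ALLOWADDR"):
            cfg[key].add(parts[1].lower())
        else:
            cfg[key] = parts[1].upper() == "ON"  # HIJNOTIFY / HIJADDR switches
    return cfg

def evaluate(cfg, events):
    """events: time-ordered (epoch_s, sender, client_ip); returns state changes."""
    (w1, n1), (w2, n2) = cfg["RELAYTHRESHOLD1"], cfg["RELAYTHRESHOLD2"]
    seen, state, out = defaultdict(deque), {}, []
    for ts, addr, ip in events:
        if ip in cfg["ALLOWIP"] or addr.lower() in cfg["ALLOWADDR"]:
            continue  # allow-listed senders are never counted
        key = addr.lower() if cfg.get("HIJADDR") else ip
        q = seen[key]
        q.append(ts)
        while q and q[0] <= ts - max(w1, w2):
            q.popleft()  # forget mails older than the longest window
        in_w1, in_w2 = (sum(t > ts - w for t in q) for w in (w1, w2))
        if in_w2 > n2 and state.get(key) != "hold2":
            state[key] = "hold2"  # permanent hold; notification is tied to this level
            out.append((ts, key, "hold2+notify" if cfg.get("HIJNOTIFY") else "hold2"))
        elif in_w1 > n1 and key not in state:
            state[key] = "hold1"  # temporary hold, no notification mail
            out.append((ts, key, "hold1"))
    return out

def demo():
    ev = [(5 * i, "a@example.test", "192.0.2.10") for i in range(60)]    # 60 in 5 min
    ev += [(10 * i, "b@example.test", "192.0.2.20") for i in range(120)]  # 120 in 20 min
    ev += [(i, "app@example.test", "127.0.0.1") for i in range(300)]      # allow-listed
    return evaluate(parse_config(CONFIG), sorted(ev))
```

In the constructed traffic, sender `a` is held at the first threshold but never produces a notification, which is the case to rule out in the Hijack log before suspecting mail delivery of the alert itself.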
 
