Re: What countries to block ?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Andrzej Adam Filip writes:
> Bowie Bailey wrote:
>> From: Andrzej Adam Filip [mailto:[EMAIL PROTECTED]
>>
>>> Have you tried to use AS scoring instead of (or together with)
>>> country scoring? [AS = Autonomous (Routing) System]
>>>
>>> IMHO it is not a bad idea to give incentives to good ISPs in bad
>>> countries.
>>
>> That's an interesting idea. Is there a plugin for it?
>
> I have not heard.
>
> IMHO the best path will be to
> 1) create a tool for converting RIS project dumps (aggregated BGP router
>    data) into rbldnsd files
> 2) create an SA plugin similar to Mail::SpamAssassin::Plugin::RelayCountry
>    getting IP->AS via TXT DNS query
>
> I am ready to create a working prototype of the point 1 tool if a few people would
> like to use/test it.

FWIW, I would suggest mailing Karsten M. Self -- http://kmself.home.netcom.com/ -- about this, too. He's been working on a form of that idea for quite a while, and would probably be very interested in collaboration...

- --j.

> Comments:
> ris dumps as they are now will not deliver "full coverage" but sufficiently
> high to start with
>
> URL(s):
> http://www.ris.ripe.net/dumps/
>
> --
> [en: Andrew] Andrzej Adam Filip : [EMAIL PROTECTED] : [EMAIL PROTECTED]
> http://anfi.homeunix.net/ Netcraft Site Rank: 469320
> All that is necessary for the triumph of evil is that good men do nothing
> -- Edmund Burke, 18th century

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Exmh CVS

iD8DBQFDeOAzMJF5cimLx9ARAuPMAKCYyYW9Fmk29q66oCPMcqk9iksgowCfRxXp
I/jYPnZ71WnR+s2c4TQN86E=
=DlN2
-----END PGP SIGNATURE-----
Re: What countries to block ?
Bowie Bailey wrote:
> From: Andrzej Adam Filip [mailto:[EMAIL PROTECTED]
>
>> Have you tried to use AS scoring instead of (or together with)
>> country scoring? [AS = Autonomous (Routing) System]
>>
>> IMHO it is not a bad idea to give incentives to good ISPs in bad
>> countries.
>
> That's an interesting idea. Is there a plugin for it?

I have not heard.

IMHO the best path will be to
1) create a tool for converting RIS project dumps (aggregated BGP router
   data) into rbldnsd files
2) create an SA plugin similar to Mail::SpamAssassin::Plugin::RelayCountry
   getting IP->AS via TXT DNS query

I am ready to create a working prototype of the point 1 tool if a few people would
like to use/test it.

Comments:
ris dumps as they are now will not deliver "full coverage" but sufficiently
high to start with

URL(s):
http://www.ris.ripe.net/dumps/

--
[en: Andrew] Andrzej Adam Filip : [EMAIL PROTECTED] : [EMAIL PROTECTED]
http://anfi.homeunix.net/ Netcraft Site Rank: 469320
All that is necessary for the triumph of evil is that good men do nothing
-- Edmund Burke, 18th century
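The two-step design proposed above (prefix-to-AS data in, rbldnsd zone out, then IP-to-AS lookups answered from that zone) can be sketched end to end. The Python below is an added example written for this archive, not Andrzej's prototype or any SpamAssassin code. It assumes the route table has already been decoded into a plain "prefix origin-AS" text table (RIS dumps themselves are binary MRT files), uses constructed RFC 5737 prefixes and private-use AS numbers as input, writes entries in the rbldnsd ip4trie dataset syntax ("prefix :A-value:TXT-value", longest prefix wins), and names the header it would add X-Relay-AS by analogy with RelayCountry's X-Relay-Countries; that header name is hypothetical.

```python
"""Added example: build an rbldnsd ip4trie zone from a prefix -> origin-AS
table and resolve IP -> AS by longest-prefix match, which is the answer a
TXT query against that zone would return."""
import ipaddress

# Constructed sample routes (RFC 5737 documentation prefixes, private-use
# AS numbers), one "prefix origin_as" pair per line. Not RIS data.
SAMPLE_TABLE = """\
# prefix            origin AS
192.0.2.0/24        64496
198.51.100.0/24     64497
198.51.100.128/25   64498
203.0.113.0/24      64496
"""


def parse_table(text):
    """Return a list of (IPv4Network, asn) tuples; malformed lines raise."""
    routes = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        try:
            prefix_s, asn_s = line.split()
            prefix = ipaddress.ip_network(prefix_s, strict=True)
            asn = int(asn_s)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {raw!r}: {exc}") from exc
        if prefix.version == 4:                   # ip4trie holds IPv4 only
            routes.append((prefix, asn))
    return routes


def to_rbldnsd(routes, a_value="127.0.0.2"):
    """Emit one rbldnsd ip4trie entry per route: "prefix :A:TXT".

    ip4trie answers with the longest matching prefix, so a /25 carved out
    of a /24 wins for addresses inside it. The TXT value carries the AS
    number, which is what a RelayCountry-style plugin would read back.
    """
    out = ["# rbldnsd ip4trie dataset (generated example)"]
    ordered = sorted(routes, key=lambda r: (r[0].network_address, r[0].prefixlen))
    for prefix, asn in ordered:
        out.append(f"{prefix} :{a_value}:AS{asn}")
    return "\n".join(out) + "\n"


def origin_as(routes, ip):
    """Longest-prefix match over the table; None when no route covers ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, asn in routes:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, asn)
    return None if best is None else best[1]


def relay_as_header(routes, relay_ips):
    """Build a hypothetical X-Relay-AS value the way RelayCountry builds
    X-Relay-Countries: one token per relay, "XX" when the address is not
    covered by any route (our choice, mirroring RelayCountry's unknown code)."""
    tokens = []
    for ip in relay_ips:
        asn = origin_as(routes, ip)
        tokens.append("XX" if asn is None else str(asn))
    return " ".join(tokens)


if __name__ == "__main__":
    table = parse_table(SAMPLE_TABLE)
    print(to_rbldnsd(table))
    print("X-Relay-AS:", relay_as_header(table, ["198.51.100.200", "10.0.0.1"]))
```

With a header like that in place, scoring an AS is the same one-line header rule the thread already uses for countries, so a well-run ISP inside a heavily-scored country can be given a lower (or zero) score than its neighbours.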
RE: What countries to block ?
From: Andrzej Adam Filip [mailto:[EMAIL PROTECTED]
> Have you tried to use AS scoring instead of (or together with)
> country scoring? [AS = Autonomous (Routing) System]
>
> IMHO it is not a bad idea to give incentives to good ISPs in bad
> countries.

That's an interesting idea. Is there a plugin for it?

Bowie
Re: What countries to block ? and detecting Trojan attachments?
> That's fun, we're blocking each other! Most spam here in the Netherlands
> comes from the US.

Most spam in the US comes from the US too; it's a matter of blocking countries that rarely or never send us legitimate email. After all, if my only purpose were to never receive spam I'd just unplug my mail server.

I don't block *.nl, or any of western Europe, based on country, but they do get a +2 on the SA score. It seems to work in my specific situation, which is all I can ask for.

--
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
A computer lets you make more mistakes faster than any invention in human history with the possible exceptions of handguns and tequila.
Re: What countries to block ? and detecting Trojan attachments?
> Currently I am blocking all mails from = *.nl *.br *.ch etc..

That's fun, we're blocking each other! Most spam here in the Netherlands comes from the US.

We block almost everything from China, Korea and Taiwan in postfix based on domain-name and on ip-range (mostly complete B-classes). But also a lot of other domains/ips are blocked like comcast, rr, verizon, Brazilian ips, dynamic*, dialup*, indeed some .jp domains, etcetera. And all dynamic/dialup addresses in dynablock.njabl.org and dul.dnsbl.sorbs.net are blocked.

The spamstats from spamcop.net show the popular spam ip-ranges:
http://www.spamcop.net/w3m?action=map;net=bmaxcnt;mask=16777215;sort=spamcnt

Regards
Menno van Bennekom
Re: What countries to block ?
Dave Pooser wrote:
> One other caveat: if you're going to be preemptively blocking whole geographic
> swaths, make sure that your blacklist reject message reflects that. In my case
> I changed "your host $HOST is blacklisted" to "your host $HOST is on a network
> from which we do not normally accept email" to avoid adding insult to injury,
> and to minimize confusion.

Also do not send mail to networks that you block. I find it really annoying to get rejected by say verizon.net (not even able to reach their abuse/postmaster/... addresses), but still getting mail from them.
Re: What countries to block ?
Matt Kettler wrote:
> Pierre Thomson wrote:
>> Backing up about a light year here, and ignoring all philosophical arguments,
>> I'll offer my list of _scored_ (not blocked) countries. This is, of course,
>> specific to our situation:
>>
>> CN TW RU UA BR
>>
>> I use the RelayCountry plugin for this, and assign it a rather low score. It
>> DOES help.
>
> I do a lot of that too. I even have a few in there with 0.01 scores just for
> informational purposes. (GB, ES, FR, DE, etc)
>
> Of the rules with scores >0.1, I'm currently seeing the most spam activity from
> CN and KR, followed by IL, PL, JP, RU, RO, and BR, in that order. CN and KR are
> both higher than all the others by a factor of at least 2.
>
> Some quick short term spam/ham counts (these numbers are for my site, YMMV
> greatly depending on userbase):
>
> CN = 240/2
> KR = 155/0
> IL = 61/2
> PL = 56/5
> JP = 46/1
> RU = 43/2
> RO = 42/4
> BR = 30/9
>
> Since I do often see mailing list posts from people in these countries,
> especially BR, I can't be heavy-handed with the scoring. However, a little
> 0.5 to 1.0 nudge is helpful, and RelayCountry is low-overhead (not DNS based)
>
> Here's a handful of rules I'm using atm:
> [...]

Have you tried to use AS scoring instead of (or together with)
country scoring? [AS = Autonomous (Routing) System]

IMHO it is not a bad idea to give incentives to good ISPs in bad
countries.

--
[en: Andrew] Andrzej Adam Filip : [EMAIL PROTECTED] : [EMAIL PROTECTED]
http://anfi.homeunix.net/ Netcraft Site Rank: 466219
All that is necessary for the triumph of evil is that good men do nothing
-- Edmund Burke, 18th century
Re: What countries to block ?
Pierre Thomson wrote:
> Backing up about a light year here, and ignoring all philosophical arguments,
> I'll offer my list of _scored_ (not blocked) countries. This is, of course,
> specific to our situation:
>
> CN TW RU UA BR
>
> I use the RelayCountry plugin for this, and assign it a rather low score. It
> DOES help.

I do a lot of that too. I even have a few in there with 0.01 scores just for informational purposes. (GB, ES, FR, DE, etc)

Of the rules with scores >0.1, I'm currently seeing the most spam activity from CN and KR, followed by IL, PL, JP, RU, RO, and BR, in that order. CN and KR are both higher than all the others by a factor of at least 2.

Some quick short term spam/ham counts (these numbers are for my site, YMMV greatly depending on userbase):

CN = 240/2
KR = 155/0
IL = 61/2
PL = 56/5
JP = 46/1
RU = 43/2
RO = 42/4
BR = 30/9

Since I do often see mailing list posts from people in these countries, especially BR, I can't be heavy-handed with the scoring. However, a little 0.5 to 1.0 nudge is helpful, and RelayCountry is low-overhead (not DNS based)

Here's a handful of rules I'm using atm:

# informational, mostly for statistical purposes
header RELAY_ES X-Relay-Countries =~ /\bES\b/
describe RELAY_ES Relayed through Spain
score RELAY_ES 0.01

header RELAY_UK X-Relay-Countries =~ /\bGB\b/
describe RELAY_UK Relayed through Britain
score RELAY_UK 0.01

header RELAY_FR X-Relay-Countries =~ /\bFR\b/
describe RELAY_FR Relayed through France
score RELAY_FR 0.01

header RELAY_DE X-Relay-Countries =~ /\bDE\b/
describe RELAY_DE Relayed through Germany
score RELAY_DE 0.01

header RELAY_AT X-Relay-Countries =~ /\bAT\b/
describe RELAY_AT Relayed through Austria
score RELAY_AT 0.01

# countries prone to abuse and low legit mail volume
# can't count these as spam outright as there is legitimate mail here
# but a slight bias is in order for countries with high spam:ham ratios
header RELAY_TW X-Relay-Countries =~ /\bTW\b/
describe RELAY_TW Relayed through Taiwan
score RELAY_TW 0.5

header RELAY_JP X-Relay-Countries =~ /\bJP\b/
describe RELAY_JP Relayed through Japan
score RELAY_JP 0.5

header RELAY_AR X-Relay-Countries =~ /\bAR\b/
describe RELAY_AR Relayed through Argentina
score RELAY_AR 0.5

header RELAY_BR X-Relay-Countries =~ /\bBR\b/
describe RELAY_BR Relayed through Brazil
score RELAY_BR 0.5

header RELAY_RU X-Relay-Countries =~ /\bRU\b/
describe RELAY_RU Relayed through Russia
score RELAY_RU 0.5

header RELAY_RO X-Relay-Countries =~ /\bRO\b/
describe RELAY_RO Relayed through Romania
score RELAY_RO 0.5

header RELAY_PL X-Relay-Countries =~ /\bPL\b/
describe RELAY_PL Relayed through Poland
score RELAY_PL 0.5

header RELAY_IL X-Relay-Countries =~ /\bIL\b/
describe RELAY_IL Relayed through Israel
score RELAY_IL 0.5

header RELAY_HU X-Relay-Countries =~ /\bHU\b/
describe RELAY_HU Relayed through Hungary
score RELAY_HU 1.0

header RELAY_NG X-Relay-Countries =~ /\bNG\b/
describe RELAY_NG Relayed through Nigeria
score RELAY_NG 0.5

header RELAY_PK X-Relay-Countries =~ /\bPK\b/
describe RELAY_PK Relayed through Pakistan
score RELAY_PK 0.5

header RELAY_KP X-Relay-Countries =~ /\bKP\b/
describe RELAY_KP Relayed through North Korea
score RELAY_KP 0.5

# more severe cases of the same..
header RELAY_CN X-Relay-Countries =~ /\bCN\b/
describe RELAY_CN Relayed through China
score RELAY_CN 1.0

header RELAY_KR X-Relay-Countries =~ /\bKR\b/
describe RELAY_KR Relayed through Korea
score RELAY_KR 1.0
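To see how rules of this shape combine, here is an added example (not Matt's code and not SpamAssassin's own rule engine): a small Python parser for the header/describe/score triplets above, fed a constructed subset of the rules and a few constructed X-Relay-Countries values. It shows the property the scoring depends on: a message relayed through several listed countries collects every matching rule's score, while RelayCountry's two-letter tokens and the `\b` anchors keep e.g. "DE" from matching inside another token. Rules without a score line default to 1.0, as SpamAssassin does.

```python
"""Added example: parse SpamAssassin-style header rules and compute the
RelayCountry score contribution for a message's X-Relay-Countries header."""
import re

# Constructed subset of the rules posted in the thread (same syntax).
RULES_CF = r"""
# informational
header   RELAY_DE X-Relay-Countries =~ /\bDE\b/
describe RELAY_DE Relayed through Germany
score    RELAY_DE 0.01

# slight bias for high spam:ham ratio
header   RELAY_BR X-Relay-Countries =~ /\bBR\b/
describe RELAY_BR Relayed through Brazil
score    RELAY_BR 0.5

# more severe cases
header   RELAY_CN X-Relay-Countries =~ /\bCN\b/
describe RELAY_CN Relayed through China
score    RELAY_CN 1.0

header   RELAY_KR X-Relay-Countries =~ /\bKR\b/
describe RELAY_KR Relayed through Korea
score    RELAY_KR 1.0
"""

# "<header-name> =~ /<pattern>/<modifiers>"
_HEADER_RE = re.compile(r"^(\S+)\s*=~\s*/(.*)/([a-z]*)$")


def parse_rules(text):
    """Return an ordered dict: rule name -> {header, regex, describe, score}."""
    rules = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, name, rest = line.split(None, 2)
        rule = rules.setdefault(name, {"score": 1.0, "describe": ""})
        if kind == "header":
            m = _HEADER_RE.match(rest)
            if not m:
                raise ValueError(f"line {lineno}: bad header rule: {raw!r}")
            hdr, pattern, mods = m.groups()
            flags = re.IGNORECASE if "i" in mods else 0
            rule["header"] = hdr
            rule["regex"] = re.compile(pattern, flags)
        elif kind == "describe":
            rule["describe"] = rest
        elif kind == "score":
            rule["score"] = float(rest.split()[0])   # first of up to four scores
        else:
            raise ValueError(f"line {lineno}: unsupported directive {kind!r}")
    return rules


def score_message(rules, headers):
    """Apply the rules to a dict of header name -> value.

    Returns (total_score, [names of rules that hit]). Scores add up, so a
    message relayed through both CN and KR picks up both contributions.
    """
    total, hits = 0.0, []
    for name, rule in rules.items():
        value = headers.get(rule["header"])
        if value is not None and rule["regex"].search(value):
            total += rule["score"]
            hits.append(name)
    return total, hits


if __name__ == "__main__":
    rules = parse_rules(RULES_CF)
    # Constructed header values: one country token per relay hop.
    for relays in ("US", "DE BR", "CN KR US"):
        total, hits = score_message(rules, {"X-Relay-Countries": relays})
        print(f"{relays!r:12} -> {total:.2f} {hits}")
```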
Re: What countries to block ?
> We are getting a lot of spam mail from countries outside of the US. Anyone
> have a list of what country domain extensions are fairly Ok to block?

That depends entirely on your business model. For $DAYJOB I have a long list of countries from which we never expect to receive legitimate email; they're rejected with a message that tells them to email a blacklist-admin unfiltered role account. There's another list of countries from which we rarely receive email; they get scored at +2 in SpamAssassin. (Since I'm using a rather limited MTA, SA processes mail after it's been received, and spammy messages are dropped in a bucket for me to sort through as a last line of defense against FPs. Once I upgrade to Exim, sufficiently spammy messages will get the same treatment as blacklisted addresses, i.e.: reject with message pointing to pinhole.) So far, I've had to whitelist one remote server, and that wasn't a business customer but a personal correspondent.

In my case I use a script to download country blacklists from blackholes.us and concatenate them (along with various additions) into a local blacklist and a local yellowlist. It works pretty well, though I've had some problems with DNS lookups recently that I may raise in another post.

One other caveat: if you're going to be preemptively blocking whole geographic swaths, make sure that your blacklist reject message reflects that. In my case I changed "your host $HOST is blacklisted" to "your host $HOST is on a network from which we do not normally accept email" to avoid adding insult to injury, and to minimize confusion.

--
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
"NOTHING says love like a monkey. It's a fuzzy screeching bundle of tenderness!" -- QueenOfWands.net
RE: What countries to block ?
Backing up about a light year here, and ignoring all philosophical arguments, I'll offer my list of _scored_ (not blocked) countries. This is, of course, specific to our situation:

CN TW RU UA BR

I use the RelayCountry plugin for this, and assign it a rather low score. It DOES help.

Pierre

-----Original Message-----
From: Jerry [mailto:[EMAIL PROTECTED]
Sent: Friday, November 11, 2005 12:11 PM
To: spam
Subject: What countries to block ? and detecting Trojan attachments?

We are getting a lot of spam mail from countries outside of the US. Anyone have a list of what country domain extensions are fairly Ok to block? We don't have a lot of users who receive mail from outside the US. We'd like to cut down on spam/spoof/virus messages.

Currently I am blocking all mails from = *.nl *.br *.ch etc..

Also, is there a special rule to detect messages like the one below?

Thanks
Re: What countries to block ? and detecting Trojan attachments?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

> Here's another way to look at the issue. Let's say that you knew
> that a state/county/province in your own country had an inordinately low
> signal/attack ratio. Would you ban that region?

1st, afaik, there are no IP block lists by "state/county/province in your own country".

2nd, it would not meet stated business criteria. client does business in the US .. all of it. not in CN-KR. in ~10 years, not a single email to/from CN-KR. any/all clients that HAVE been in/through CN-KR have communicated via legit providers in the US. problem solved for them.

3rd, entire IP block bans ARE in place for known, seriously offending blocks, due specifically to "inordinately low signal/attack ratio".

> Can you ever be sure enough that you'll _never_ get a legitimate
> mail from that region?

NOTHING is ever for certain. especially managing business risk.

> If you unconditionally blocked mail from .nl
> and .br, you'd have respectively blocked 688 and 258 (out of 56,910)
> posts from this list alone.

hence, searchable mailing list archives are a 'good thing' ...

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (Darwin)

iEYEAREDAAYFAkN08soACgkQm/Q3NoilZ44nHQCfdwxSmqIcawavzy7NAVrveljf
Ic0An2brSl9vAYiEtbRmKwQOXihdrSi2
=hoVD
-----END PGP SIGNATURE-----
Re: What countries to block ? and detecting Trojan attachments?
Good afternoon, all,

On Fri, 11 Nov 2005, OpenMacNews wrote:
>>> Anyone have a list of what country domain extensions are fairly Ok to
>>> block?
>>
>> There's a politically charged question.
>> FWIW, most spam still comes from the US.
>
> imho, it's not an issue of where most spam comes from, nor is it a
> politically charged question. rather it's a pragmatic one: what % of
> email you rec'v/expect from any given country is spam?
>
> e.g., as one of my clients (a) does no business with CN/KR, and (b)
> noted that ~100% of email rec'd from servers there was spam, adding:

I heard that same argument from a respected coworker; he asked the company owner whether we could _possibly_ do business with "Country S" now or in the future. Given an answer of "no" and the fact that we were receiving sustained attacks from Country S, he blocked the entire country.

A few years later I found myself teaching a perimeter security course _in the capital of Country S_, explaining to a classroom full of paying students that we banned the entire country for a number of months because - *gulp* - there was no possible way we'd ever do business with that country.

Here's another way to look at the issue. Let's say that you knew that a state/county/province in your own country had an inordinately low signal/attack ratio. Would you ban that region?

Can you ever be sure enough that you'll _never_ get a legitimate mail from that region? I've got one counter-example above.

If you really do believe you've got some political area with a sufficiently low signal/noise ratio, I'd suggest making an SA rule to _raise the score_, instead of an unconditional block.

One last note, Jerry. If you unconditionally blocked mail from .nl and .br, you'd have respectively blocked 688 and 258 (out of 56,910) posts from this list alone. One of which might someday have an answer you need. :-)

Cheers,
- Bill

---
Boucher's Observation: He who blows his own horn always plays the music several octaves higher than originally written.
(Courtesy of "Brett W. McCoy" <[EMAIL PROTECTED]>)
--
William Stearns ([EMAIL PROTECTED]). Mason, Buildkernel, freedups, p0f,
rsync-backup, ssh-keyinstall, dns-check, more at: http://www.stearns.org
--
RE: What countries to block ? and detecting Trojan attachments?
On Fri, 11 Nov 2005, [EMAIL PROTECTED] wrote:
> But even if (say) Ptomania was barred by the UN from ever doing business
> with any other country; if logs going back ten years conclusively showed
> that every email ever received from Ptomania was demonstrably spam or viral;
> if there was evidence that a team of virus writers was developing new
> viruses every day and seeding them from Ptomanian mail servers; if ICANN
> dedicated a class A IP network solely for Ptomanian use in perpetuity; yes,
> even if all these things were true, I would /still/ refuse to block mail
> from that IP network.
>
> Why? Because it's wrong.

Who are you to dictate to an end user what mail they _must_ receive? Their hardware. Their network. Their equipment. Their property. Not yours.

What's next, mandating people _must_ answer all phone calls, any time of the day or night, telemarketer or not, because one of them _might_ be a legitimate call?

FWIW it's simpler for me to block on encodings. I don't read Chinese or Korean or Russian, there is no reason for me to ever receive Chinese or Korean or Russian language emails, so anything BIG5 or EUC-KR or KOI8 encoding with high-ascii chars in the body is instantly binned.

-Dan
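Dan's encoding rule has two conditions, a declared charset in one of the named families and 8-bit bytes in the body, and the second one is easy to get wrong if the check runs on the raw wire bytes: a quoted-printable or base64 body is pure ASCII on the wire and only shows its high-bit bytes after decoding. The Python below is an added example written for this archive, not Dan's filter or any MTA code; it decodes each text part with the standard library before looking for bytes above 0x7F, matches the charset families as prefixes (so koi8-r and koi8-u both count), and runs against constructed messages whose body bytes are arbitrary values chosen to exercise the check.

```python
"""Added example: the encoding-based rule from the post as a check over a
raw RFC 822 message. A message is binned when a text part declares a BIG5,
EUC-KR or KOI8 charset AND its decoded body contains bytes above 0x7F."""
import email

# Charset families named in the post, matched as prefixes of the
# lower-cased charset parameter.
BINNED_CHARSET_PREFIXES = ("big5", "euc-kr", "koi8")


def has_high_bit(data):
    """True if any byte of the (already decoded) body has the high bit set."""
    return any(b > 0x7F for b in data)


def charset_verdict(raw_message):
    """Return a reason string when the message should be binned, else None.

    Walks every non-multipart part so a multipart/alternative body with one
    offending text part is caught too. get_payload(decode=True) undoes
    quoted-printable / base64 so the 8-bit test sees the real bytes.
    """
    msg = email.message_from_bytes(raw_message)
    for part in msg.walk():
        if part.is_multipart():
            continue
        charset = (part.get_content_charset() or "us-ascii").lower()
        if not charset.startswith(BINNED_CHARSET_PREFIXES):
            continue
        body = part.get_payload(decode=True) or b""
        if has_high_bit(body):
            return f"binned: charset {charset} with 8-bit body"
    return None


# Constructed messages (not real mail); high-bit body bytes are arbitrary.
_HDRS = (b"From: sender@example.invalid\r\n"
         b"To: user@example.invalid\r\n"
         b"Subject: constructed sample\r\n"
         b"MIME-Version: 1.0\r\n")

SAMPLE_EUC_KR_8BIT = (_HDRS +
    b"Content-Type: text/plain; charset=EUC-KR\r\n"
    b"Content-Transfer-Encoding: 8bit\r\n"
    b"\r\n"
    b"\xbe\xc8\xb3\xe7 hello\r\n")

# Same family, but the 8-bit bytes are hidden behind quoted-printable on
# the wire; a raw-byte scan would miss this one, decoding does not.
SAMPLE_BIG5_QP = (_HDRS +
    b"Content-Type: text/plain; charset=big5\r\n"
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b"\r\n"
    b"=A4=A4=A4=E5 hello\r\n")

# Declared charset in the family but a pure-ASCII body: the rule as stated
# does not fire (both conditions are required).
SAMPLE_BIG5_ASCII = (_HDRS +
    b"Content-Type: text/plain; charset=big5\r\n"
    b"\r\n"
    b"plain ascii only\r\n")

# 8-bit body under a Western charset: outside the rule's scope.
SAMPLE_LATIN1 = (_HDRS +
    b"Content-Type: text/plain; charset=iso-8859-1\r\n"
    b"Content-Transfer-Encoding: 8bit\r\n"
    b"\r\n"
    b"caf\xe9\r\n")


if __name__ == "__main__":
    for name in ("SAMPLE_EUC_KR_8BIT", "SAMPLE_BIG5_QP",
                 "SAMPLE_BIG5_ASCII", "SAMPLE_LATIN1"):
        print(f"{name:20} -> {charset_verdict(globals()[name])}")
```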
RE: What countries to block ? and detecting Trojan attachments?
Matthew.van.Eerde wrote:
> Elmer Kogan /isn't/

s/Elmer Kogan/Alma Cogan/ (sorry)

--
Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
RE: What countries to block ? and detecting Trojan attachments?
[EMAIL PROTECTED] wrote:
> Living in a country outside the US (realistically, all countries
> in the world, with just one exception, are outside the US) I must say
> that I get spam from many places ... including said united states.
>
> Why wouldn't just everybody - in every country - block mails from
> anywhere else?

I live in the US, and I'm philosophically opposed to blocking emails from a particular country. Gr(a|e)ylisting I'm fine with.

But even if (say) Ptomania was barred by the UN from ever doing business with any other country; if logs going back ten years conclusively showed that every email ever received from Ptomania was demonstrably spam or viral; if there was evidence that a team of virus writers was developing new viruses every day and seeding them from Ptomanian mail servers; if ICANN dedicated a class A IP network solely for Ptomanian use in perpetuity; yes, even if all these things were true, I would /still/ refuse to block mail from that IP network.

Why? Because it's wrong. I cannot prove this... but it /is/... in the same sense that Mt. Everest /is/, or that Elmer Kogan /isn't/.

--
Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
Re: What countries to block ? and detecting Trojan attachments?
Jerry wrote:
>>> Also, is there a special rule to detect messages like the one below?
>>
>> Yeah, it's called a virus scanner. That's a mytob variant virus message.
>
> My virus scanner cleans the attachment, but I still get people emailing
> and calling about their accounts when they receive these messages.

Well, then that's a problem with your virus scanner setup.. Mine tags the subject line with {VIRUS} so my users never bother me about them...
Re: What countries to block ? and detecting Trojan attachments?
>> We are getting a lot of spam mail from countries outside of the US. Anyone
>> have a list of what country domain extensions are fairly Ok to block? We
>> don't have a lot of users who receive mail from outside the US. We'd like to
>> cut down on spam/spoof/virus messages.
>>
>> Currently I am blocking all mails from = *.nl *.br *.ch etc..

Living in a country outside the US (realistically, all countries in the world, with just one exception, are outside the US) I must say that I get spam from many places ... including said united states.

Why wouldn't just everybody - in every country - block mails from anywhere else?

Wolfgang Hamann
Re: What countries to block ? and detecting Trojan attachments?
>> Also, is there a special rule to detect messages like the one below?
>
> Yeah, it's called a virus scanner. That's a mytob variant virus message.

My virus scanner cleans the attachment, but I still get people emailing and calling about their accounts when they receive these messages.
Re: What countries to block ? and detecting Trojan attachments?
Jerry wrote:
> We are getting a lot of spam mail from countries outside of the US.
> Anyone have a list of what country domain extensions are fairly Ok to
> block? We don't have a lot of users who receive mail from outside the
> US. We'd like to cut down on spam/spoof/virus messages.
>
> Currently I am blocking all mails from = *.nl *.br *.ch etc..

Personally, I find it unreasonable to outright block any country. The problem being if you post on a list like say, users@spamassassin.apache.org an off-list reply can come to you with help from *anywhere* in the world.

For example you might think it safe to block Ireland, not knowing anyone from there. However, if Justin Mason emailed you off-list about a SA problem you'd be blocking him.

Unless you can prove you strictly don't ever communicate with anyone from a given country (including mailing lists), and never want to use any OSS with any developers in that country, you're pretty much not safe blocking it.

That said, I do use ACLs in milter-greylist to greylist all of apnic and lacnic, as well as a variety of DUL networks in the US and EU, as well as any host with no RDNS. The greylist takes care of a lot of the spam without blocking legitimate mail; although there are a couple of legitimate messages hit each week, they only get delayed, not dropped.

Thus far this week 10,181 messages were greylisted by my setup. Of those 376 retried and were delivered. Of those, 316 were tagged as spam by SA, and 51 were not. A few of the 51 were SA FNs, but none of the 316 appear to be SA FPs.

> Also, is there a special rule to detect messages like the one below?

Yeah, it's called a virus scanner. That's a mytob variant virus message.
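The greylisting described above rests on one mechanism: a first delivery attempt from a (client IP, sender, recipient) triplet that matches the ACL is answered with a temporary failure, and only a retry after a minimum delay is accepted, after which the triplet is remembered so later mail flows straight through. The Python below is an added example written for this archive, not milter-greylist's code or configuration; it models that state machine with a constructed ACL of RFC 5737 documentation networks standing in for the APNIC/LACNIC and DUL ranges, a constructed no-reverse-DNS flag in place of a real lookup, and counters that correspond to the "greylisted" and "retried and were delivered" figures in the post. The delay and expiry values are the example's own choices.

```python
"""Added example: a minimal triplet greylist. Clients in the ACL networks
(or with no reverse DNS) get a temporary failure until they retry after
GREYLIST_DELAY seconds; everyone else, and every remembered triplet, is
accepted immediately."""
import ipaddress

GREYLIST_DELAY = 300        # seconds a first attempt must wait before a retry counts
GREYLIST_EXPIRE = 4 * 3600  # pending triplets that never retry are forgotten

# Constructed ACL: documentation prefixes standing in for the regional and
# dial-up ranges named in the post. Not real APNIC/LACNIC allocations.
GREYLIST_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]


class Greylist:
    def __init__(self, delay=GREYLIST_DELAY, expire=GREYLIST_EXPIRE):
        self.delay, self.expire = delay, expire
        self.pending = {}         # triplet -> time of first attempt
        self.whitelisted = set()  # triplets that retried correctly
        self.stats = {"greylisted": 0, "delivered_after_retry": 0, "accepted": 0}

    @staticmethod
    def in_acl(ip, no_rdns=False):
        """Greylist hosts inside the ACL networks or without reverse DNS.
        `no_rdns` is supplied by the caller here; a real milter would look it up."""
        addr = ipaddress.ip_address(ip)
        return no_rdns or any(addr in net for net in GREYLIST_NETS)

    def check(self, ip, sender, rcpt, now, no_rdns=False):
        """Decide one delivery attempt at time `now` (seconds).

        Returns "accept" or "tempfail". Spam engines that never retry stay
        stuck at the first tempfail; legitimate MTAs retry and get through,
        delayed but not dropped, which is the trade-off the post describes.
        """
        triplet = (ip, sender.lower(), rcpt.lower())
        if not self.in_acl(ip, no_rdns) or triplet in self.whitelisted:
            self.stats["accepted"] += 1
            return "accept"
        first = self.pending.get(triplet)
        if first is None or now - first > self.expire:
            self.pending[triplet] = now          # (re)start the clock
            self.stats["greylisted"] += 1
            return "tempfail"
        if now - first < self.delay:
            return "tempfail"                    # retried too soon; keep waiting
        del self.pending[triplet]
        self.whitelisted.add(triplet)
        self.stats["delivered_after_retry"] += 1
        return "accept"


if __name__ == "__main__":
    g = Greylist()
    # Constructed sequence: a proper MTA in the ACL retries after 400 s,
    # a host outside the ACL is accepted at once.
    for ip, snd, rcpt, t in (("192.0.2.10", "a@example.invalid", "b@example.invalid", 0),
                             ("192.0.2.10", "a@example.invalid", "b@example.invalid", 60),
                             ("192.0.2.10", "a@example.invalid", "b@example.invalid", 400),
                             ("203.0.113.5", "c@example.invalid", "b@example.invalid", 0)):
        print(f"t={t:4} {ip:12} -> {g.check(ip, snd, rcpt, t)}")
    print(g.stats)
```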
Re: What countries to block ? and detecting Trojan attachments?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

hi,

>> Anyone have a list of what country domain extensions are fairly Ok to
>> block?
>
> There's a politically charged question.
> FWIW, most spam still comes from the US.

imho, it's not an issue of where most spam comes from, nor is it a politically charged question. rather it's a pragmatic one: what % of email you rec'v/expect from any given country is spam?

e.g., as one of my clients (a) does no business with CN/KR, and (b) noted that ~100% of email rec'd from servers there was spam, adding:

cn-kr.blackholes.us,

before their usual RBL list of:

sbl-xbl.spamhaus.org, relays.ordb.org, relays.mail-abuse.org, list.dsbl.org

has had a huge effect on reducing spam ... even though the total volume orig'ing in the US may be higher, the % of legit email is much higher, and the 'other' RBL do well enuf ...

so, to your question: "... fairly OK ... ?" is simply an operational issue.

cheers,

richard

- --
/"\
\ /  ASCII Ribbon Campaign
 X   against HTML email, vCards
/ \  & micro$oft attachments

[GPG] OpenMacNews at gmail dot com
fingerprint: 780A 5C81 D446 C616 B113 AA3A 9BF4 3736 88A5 678E

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (Darwin)

iEYEAREDAAYFAkN01doACgkQm/Q3NoilZ44jLQCghC3stzCDjPBziZXEPdm9IhSo
MDEAoJQjen+q3e9Dn5kG4T+AtUPiaNAR
=TZp3
-----END PGP SIGNATURE-----
RE: What countries to block ? and detecting Trojan attachments?
Jerry wrote:
> Anyone have a list of what country domain extensions are fairly Ok to
> block?

There's a politically charged question.

FWIW, most spam still comes from the US.

--
Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer