Re: blacklists

[Christian Storch]

On Sa, 11.12.2004, 01:18, Michael Loftis wrote:
...
 Actually as it turns out I can't send mail directly to you, something
 about
 my @modwest.com address is apprently offensive to your mailserver... 550
 Sender access denied for [EMAIL PROTECTED] -- I sent a second one from
 my
 home address but it won't get delivered or bounced for a while since I'm
 not likely being blocked at your firewall ;)


JAMM (I think it's much too agressive to use it) said:
Result for 216.220.25.60:  Sent a notice to the ISP that owns the block
containing this IP. They have not yet provided the information requested.

Christian


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: blacklists

[Craig Sanders]

On Thu, Dec 09, 2004 at 11:18:16PM -0700, Michael Loftis wrote:
 --On Friday, December 10, 2004 16:43 +1100 Craig Sanders
 [EMAIL PROTECTED] wrote:

 DoS is a huge exaggeration. a few smtpd processes waiting to timeout
 does not constitute a DoS. neither does a few dozen.

 I had about 800 waiting around in just a few minutes on the one server
 I began testing it on, but this is a large installation. And this
 isn't peak time...It's holding at around 1000 blocked hosts, most of
 them for blacklist infractions.

i certainly wouldn't recommend running it on a large installation. i'm
surprised you even tried.

i run it on my home system at the moment. i wouldn't run it at work.

i experiment with lots of things on my home system that i wouldn't even
think of doing at work. some of them, very few, actually turn out to be
worthwhile and safe enough to use at work.


try dropping only SYN smtp packets if you still want to experiment with
it, adding --syn to the end of the iptables args in the scripts. that
should stop the hanging processes.

 But when you've got a lot of mail (and a number of customer domains
 that just tend to attract junk) it's easy to get a lot of processes
 hanging around.

unfortunately, my domain seems to attract a lot of junk. i've had my
domain for over 10 years, and kept the same email address all along.
and i've been joe-jobbed many times over the last decade by spammers
who don't like me (or my anti-spam methods, or the fact that i share
them openly), and i've had thousands of bogus, non-existant addresses in
my domain added to spam lists also by spammers who don't like me. the
current crop of spammers probably don't even notice or care, but in the
early days of spam it was different. spammers got very offended and took
it personally...which, of course, was excellent incentive to keep on
blocking them :)

i pissed off quite a few in the very early days, when spammers didn't
hide their identities and hadn't yet learned not to use their own
address. one of the things i wrote was a script which i could bounce
spam to. it would then parse the sender addresses and add it to a
database of spammersand sent copies of each spam to a random subset
of the database. that infuriated them and amused me no end. my intention
was to annoy them at least as much as their MMF or green card or
whatever spam had annoyed me. unfortunately that stopped being a viable
tactic fairly quickly, and it certainly wouldn't scale to anything like
the spam load of today (back then 1 or 2 spams every few days was a lot.
now i wouldn't even notice it).

craig

ps: anyone know if MMF spams still happen? i haven't seen one for years.  could
be my body checks rules block them all, or maybe they've just given up since
419 scams are more lucrative.

-- 
craig sanders [EMAIL PROTECTED]   (part time cyborg)


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: EHLO/HELO [was blacklists]

[Russell Coker]

On Friday 10 December 2004 00:39, Mark Bucciarelli [EMAIL PROTECTED] 
wrote:
 I've recently turned on EHLO/HELO validation and am encouraged by how
 effective it is.  WIth RBL's (spamcop and dnsbl) and SpamAssassin 3, only
 88% of spam was stopped.  So far, it's 100%.  (This is a _very_ small

What exactly do you mean by EHLO/HELO validation?

In my postfix configuration I have:
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, 
reject_non_fqdn_hostname, reject_unknown_sender_domain

I tried out reject_unknown_hostname but had to turn it off, too many 
machines had unknown hostnames.

For example a zone foo.com has a SMTP server named postfix1 and puts 
postfix1.foo.com in the EHLO command but has an external DNS entry of 
smtp.foo.com.  Such a zone is moderately well configured and there are too 
many such zones to block them all.  The other helo restrictions get enough 
non-spam traffic.

Using reject_unknown_hostname would get close to blocking 100% of spam, but 
that's because it would block huge amounts of non-spam email.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: EHLO/HELO [was blacklists]

[Craig Sanders]

On Fri, Dec 10, 2004 at 11:08:53PM +1100, Russell Coker wrote:
 I tried out reject_unknown_hostname but had to turn it off, too many
 machines had unknown hostnames.

 For example a zone foo.com has a SMTP server named postfix1 and puts
 postfix1.foo.com in the EHLO command but has an external DNS entry of
 smtp.foo.com. Such a zone is moderately well configured and there are
 too many such zones to block them all. The other helo restrictions get
 enough non-spam traffic.

actually, it's not moderately well configured. it's trivial to add a DNS
entry for postfix1.foo.com (preferably an A record and not a CNAME - doesn't
matter for HELO/EHLO but it does matter for $myorigin). it's even more trivial
to make the postfix server announce itself with a real hostname, one that
actually exists in the DNS - smtp.foo.com would be perfect. that's all it
takes to get past reject_unknown_hostname.

it's unusual to see this level of cluelessness with someone running a
unix MTA - i thought it was reserved to Exchange and Groupwise users.

 Using reject_unknown_hostname would get close to blocking 100% of
 spam,

nowhere near that much. it helps a little, but it's not even remotely close to
the final solution to spam.

 but that's because it would block huge amounts of non-spam email.

that's not the case in my experience (but that depends on exactly what kind of
mail traffic is received).

but it's your server, you get to choose what rules are on it.

craig

ps: yes, this is another rule i use at home but not at work. there are
lots of windows MTAs out there run by the clueless. fortunately, at home
i don't need or have to communicate with them, but at work there are
many people who might.

-- 
craig sanders [EMAIL PROTECTED]   (part time cyborg)


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: EHLO/HELO [was blacklists]

[Mark Bucciarelli]

[CC'ing Bill Taroli who has been helping me with this on courier-user]

On Friday 10 December 2004 07:08, Russell Coker wrote:
 On Friday 10 December 2004 00:39, Mark Bucciarelli
 [EMAIL PROTECTED]

 wrote:
  I've recently turned on EHLO/HELO validation and am encouraged by how
  effective it is.  WIth RBL's (spamcop and dnsbl) and SpamAssassin 3,
  only 88% of spam was stopped.  So far, it's 100%.  (This is a _very_
  small

 What exactly do you mean by EHLO/HELO validation?

The courier man page just says verify the hostname provided in the ESTMP 
EHLO/HELO statement.

From reading the code, here's what it does:

(0) If connecting IP addresses is in the checkhelo whitelist
 -- PASS

(1) If SPF HELO checking is on and lookup matches connecting IP
 -- PASS

(2) If HELO host name is a numeric IP and it matches connecting IP
 -- PASS

(3) Lookup MX records for HELO hostname.  If one matches connecting IP
 -- PASS

(4) Lookup A records for hostname.  If one matches connecting IP
 -- PASS

Otherwise, return 517 HELO $hostname does not match $remote-ip

If there is an RFC1035_MX_HARDERR or RFC1035_MX_BADDNS when looking up the 
MX record, return a 517.

If the MX or A DNS lookup fails, return a 417.

 In my postfix configuration I have:
 smtpd_helo_restrictions = permit_mynetworks, 
 reject_non_fqdn_hostname, reject_unknown_sender_domain

 I tried out reject_unknown_hostname but had to turn it off, too many
 machines had unknown hostnames.

I find it interesting that postfix defaults the response code to 450 
instead of a 5XX for this failure.  This is along the lines that I have 
been thinking.

 For example a zone foo.com has a SMTP server named postfix1 and puts
 postfix1.foo.com in the EHLO command but has an external DNS entry of
 smtp.foo.com.  Such a zone is moderately well configured and there are
 too many such zones to block them all.  The other helo restrictions get
 enough non-spam traffic.

 Using reject_unknown_hostname would get close to blocking 100% of spam,
 but that's because it would block huge amounts of non-spam email.

So I guess the questions are:

(1) Given a log entry (hostname and connecting IP) of an EHLO reject, can I 
reliably figure out if the host was valid?

(2) Can I do this quickly enough that my whitelist will be updated before 
their MTA stops retrying and customers start complaining?

(3) Will the whitelist stabilize enough over time to make this worth it.

(4) Would it be possible to build a secure data pool where a group of 
like-minded and trusted admins could share whitelisted connecting IP's.

Regards,

Mark

Re: blacklists

[Michael Loftis]

--On Friday, December 10, 2004 22:48 +1100 Craig Sanders [EMAIL PROTECTED] 
wrote:

On Thu, Dec 09, 2004 at 11:18:16PM -0700, Michael Loftis wrote:
--On Friday, December 10, 2004 16:43 +1100 Craig Sanders
[EMAIL PROTECTED] wrote:
 DoS is a huge exaggeration. a few smtpd processes waiting to timeout
 does not constitute a DoS. neither does a few dozen.
I had about 800 waiting around in just a few minutes on the one server
I began testing it on, but this is a large installation. And this
isn't peak time...It's holding at around 1000 blocked hosts, most of
them for blacklist infractions.
i certainly wouldn't recommend running it on a large installation. i'm
surprised you even tried.
Well, we're very anti-spam, and willing ot try anything to help...I had to 
disable it after we got around ~8K rules in the tables on that box, that 
ended up causing the system CPU time to go through the roof.  Though it was 
very effective. :)

i run it on my home system at the moment. i wouldn't run it at work.
I've made a few modifications already, including making everything 
persistent and making it purge SEEN entries after not seeing a host for 
24hrs (this also effectively caps any block time to being 24hrs).  I might 
just set it so that it only watches our MailScanner and blocks the IPs it 
reports as sending virii.  That would probably help to shrink the number of 
reports a lot, and help with my virus load.  That'd be a good site-wide 
table to share (we use central mysql maps a lot).


i experiment with lots of things on my home system that i wouldn't even
think of doing at work. some of them, very few, actually turn out to be
worthwhile and safe enough to use at work.
Same here.
try dropping only SYN smtp packets if you still want to experiment with
it, adding --syn to the end of the iptables args in the scripts. that
should stop the hanging processes.
Yeah.  Last night when I wrote back my brain was a bit mushy, couldn't 
think of the right option so I just said it should probably be changed :)

unfortunately, my domain seems to attract a lot of junk. i've had my
domain for over 10 years, and kept the same email address all along.
and i've been joe-jobbed many times over the last decade by spammers
who don't like me (or my anti-spam methods, or the fact that i share
them openly), and i've had thousands of bogus, non-existant addresses in
my domain added to spam lists also by spammers who don't like me. the
current crop of spammers probably don't even notice or care, but in the
early days of spam it was different. spammers got very offended and took
it personally...which, of course, was excellent incentive to keep on
blocking them :)
I'm glad you share them.  Spammers are criminals, pure and simple, they're 
stealing our time, resources, and our users time and resources and money. 
They have no place in the world.  Heck, I'm all for capitol(or is it al?  I 
can't remember) punishment for spammers.  (see short disclaimer.h at the 
bottom of this message)

i pissed off quite a few in the very early days, when spammers didn't
hide their identities and hadn't yet learned not to use their own
address. one of the things i wrote was a script which i could bounce
spam to. it would then parse the sender addresses and add it to a
database of spammersand sent copies of each spam to a random subset
of the database. that infuriated them and amused me no end. my intention
was to annoy them at least as much as their MMF or green card or
whatever spam had annoyed me. unfortunately that stopped being a viable
tactic fairly quickly, and it certainly wouldn't scale to anything like
the spam load of today (back then 1 or 2 spams every few days was a lot.
now i wouldn't even notice it).
Now that's a heck of a tactic LOL :)  too bad I didn't' think of it back 
then...although I had a firewall setup for the longest time at home that 
automatically did counter-recon of offenders, and if it determined common 
open holes would get in and attempt shut the system off.  It was always 
satisfying to watch a zombie get halfway through a portscan, then just 
disappear.


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: blacklists

[Craig Sanders]

On Fri, Dec 10, 2004 at 11:20:28AM -0700, Michael Loftis wrote:
 i certainly wouldn't recommend running it on a large installation.
 i'm surprised you even tried.

 Well, we're very anti-spam, and willing ot try anything to help...I
 had to disable it after we got around ~8K rules in the tables on that
 box, that ended up causing the system CPU time to go through the roof.
 Though it was very effective. :)

i guess what it needs is something that can merge addresses into a CIDR range.

e.g. if it sees x.y.z.1 through to .8, it should merge them all into a /29.
delete the individual /32 rules and replace them with the /29.

managing that would get fairly complicated, especially when it has to later
merge a few /29s and /32s into larger blocks. but it should be doable.  if i
get time, i'll think about how that might be implemented.

the simpler thing is to just uncomment the /24 stuff that's already in there,
and block the entire /24 rather than just the offending host.  heavy-handed
but it should reduce the number of entries in iptables.

hmmm. one useful optimisation here would be to use Net::DNS to find out whether
the IP is in a DUL - and if it is, then block the entire /24. i reject all mail
direct from dynamic/dialups anyway so it wouldn't hurt anything.  (and remember
to add your own dialup pools to @whitelist :)




another thing it should do is add the rules to a SPAMMERS table, rather than to
the main INPUT table.  that would be a trivial change, only a few minutes work.

...done.

new version now published:

# v1.8  - changed to use SPAMMERS table rather than INPUT.
# use --syn when adding iptables rules, to avoid hanging smtpd processes
#
# the SPAMMERS table should be set up like this (BEFORE this script is run):
#
# # create SPAMMERS table
# iptables -F SPAMMERS
# iptables -X SPAMMERS
# iptables -N SPAMMERS
#
# # send all INPUT  FORWARD packets to the SPAMMERS table
# iptables -I INPUT -j SPAMMERS
# iptables -I FORWARD -j SPAMMERS
# 
# FORWARD rule needed only on gateway/router boxes, not normal hosts.
#
# you could optionally create a SPAMDROP table too, which logged the packet
# with a SPAMMERS prefix before dropping itbut that kind of defeats the
# purpose of this script which is to remove spammer noise from the logs.



 I've made a few modifications already, including making everything
 persistent and making it purge SEEN entries after not seeing a host
 for 24hrs (this also effectively caps any block time to being 24hrs).
 I might just set it so that it only watches our MailScanner and blocks
 the IPs it reports as sending virii. That would probably help to
 shrink the number of reports a lot, and help with my virus load.
 That'd be a good site-wide table to share (we use central mysql maps a
 lot).

diff -u ???


 one of the things i wrote was a script which i could bounce spam to.
 it would then parse the sender addresses and add it to a database of
 spammersand sent copies of each spam to a random subset of the
 database. that infuriated them and amused me no end. my intention

 Now that's a heck of a tactic LOL :)

oh yes, i forgot the most amusing thing about it.  it not only sent it to a
subset of the spammer database, it also used random addresses out of that db as
the envelope and header sender addresses, so that they'd complain at each
other.

craig

-- 
craig sanders [EMAIL PROTECTED]   (part time cyborg)


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: blacklists

[Michael Loftis]

--On Friday, December 10, 2004 17:01 -0700 Michael Loftis 
[EMAIL PROTECTED] wrote:


--On Saturday, December 11, 2004 10:50 +1100 Craig Sanders
[EMAIL PROTECTED] wrote:
diff -u ???
I'll attach privately the diff's from your version ( CVS)
Actually as it turns out I can't send mail directly to you, something about 
my @modwest.com address is apprently offensive to your mailserver... 550 
Sender access denied for [EMAIL PROTECTED] -- I sent a second one from my 
home address but it won't get delivered or bounced for a while since I'm 
not likely being blocked at your firewall ;)


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: blacklists

[Michael Loftis]

--On Saturday, December 11, 2004 10:50 +1100 Craig Sanders [EMAIL PROTECTED] 
wrote:

diff -u ???
I'll attach privately the diff's from your version ( CVS)
Now that's a heck of a tactic LOL :)
oh yes, i forgot the most amusing thing about it.  it not only sent it to
a subset of the spammer database, it also used random addresses out of
that db as the envelope and header sender addresses, so that they'd
complain at each other.
So it's your fault they figured out the forged MAIL FROM trick!  Bad craig, 
no donut! ;)

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: EHLO/HELO [was blacklists]

[Mark Bucciarelli]

On Friday 10 December 2004 09:36, Mark Bucciarelli wrote:

 (1) If SPF HELO checking is on and lookup matches connecting IP
  -- PASS
[..]
 Otherwise, return 517 HELO $hostname does not match $remote-ip

Sorry to reply to myself, but this sequence is more complicated if SPF 
checking is turned on and the SPF lookup fails.  You can choose to 
softfail (417) or hardfail (517).  I wanted to set the record straight.

Regards,

Mark


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: blacklists

[Michelle Konzack]

Am 2004-12-09 19:04:49, schrieb Richard Zuidhof:
 Michelle Konzack wrote:

 cbl.abuseat.org is included in xbl.spamhaus.org so it is not needed to
 use both. If you use sbl.spamhaus.org I do not see why not to use 

sbl-xbl.spamhaus.org had never FP

 bl.spamcop.net as well. Both have some collateral damage and false 

I had used spamcop.net but gotten to much FP.

 Richard

Greetings
Michelle

-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/ 
Michelle Konzack   Apt. 917  ICQ #328449886
   50, rue de Soultz MSM LinuxMichi
0033/3/8845235667100 Strasbourg/France   IRC #Debian (irc.icq.com)


signature.pgp
Description: Digital signature

Re: blacklists

[Craig Sanders]

On Fri, Dec 10, 2004 at 05:01:33PM -0700, Michael Loftis wrote:
 So it's your fault they figured out the forged MAIL FROM trick! Bad
 craig, no donut! ;)

no, many of them already knew that.  it was obvious anyway.

craig

-- 
craig sanders [EMAIL PROTECTED]   (part time cyborg)


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: blacklists

[Ian Forbes]

On Thursday 09 December 2004 00:42, Michael Loftis wrote:

 See my just prior response on this thread, most people don't
 understand bounces.  Yes it could be argued a bounce needs to be
 reformatted so the humans can read it easier, but it's not my system
 generating the bounce message, I'm just telling the attempter. 
 Whether it's permanent or temporary doesn't matter.

We reject a huge amount of mail with RBL's. A very small percentage of 
it is false positive. A very small percentage of those false positives 
end up as complaints with our help desk. 

However a significant portion of those who complain are business people, 
company directors, IT support staff etc, and if they are complaining to 
us they are either one of our customers or they are transacting with 
one of our customers. (This does not mean they understand the bounce 
message). 

By treating these complaints with a little care we have managed to swing 
(or keep) a number of large business clients, or at least establish a 
relationship with them which will ensure they remain our clients for a 
long while.

We have a simple policy for handling RBL related complaints. 

- If the rejecting list was Spamcop, we whitelist the IP and e-mail the 
sender to say their mail will be accepted. Spamcop is not an exact 
science, whitelisting a few bona-fida mail servers is quicker than 
explaining our motivation for using it in the first place.

- For any other list we send a standard messages to the sender and copy 
to the original intended recipient explaining that their mail is being 
sent from an open relay. The message has some technical info and links 
and a suggestion to forward the message to a technically competent 
administrator. (This involves copy and pasting two e-mail addresses and 
the IP of listed server into a pre-formated e-mail.)

 Answer: find their spammers, and squash them.  This puts the support
 load on the offender, not on me.  Which is where it should be.  If
 they user sender gets frustrated enough and finally calls us, emails
 us via alternate channels (maybe via the recipient) or whatever,

People who conduct business with e-mail notice very quickly when their 
mail disappears into a black hole. They get very frustrated very 
quickly and are not shy to change ISP's, even if they never understand 
the problem nor have any idea who is at fault. We have found that a 
little informed feedback in this situation is very cost effective 
marketing. 

But back to the subject. I prefer a 5xx permanent error or that results 
in an immediate bounce message.


Regards

Ian




-- 
Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 21 683-1388  Fax: +27 21 674-1106
Snail Mail: P. O. Box 46827, Glosderry, 7702, South Africa


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

EHLO/HELO [was blacklists]

[Mark Bucciarelli]

On Tuesday 07 December 2004 17:55, Michael Loftis wrote:
 --On Wednesday, December 08, 2004 08:47 +1100 Craig Sanders

 [EMAIL PROTECTED] wrote:
  Now I reject by 554 code...  should I change to 4xx?
 
  if it suits your needs.  i wouldn't.

 I have to agree with that statement.  For us it suits our needs very
 well. I don't mind handling the extra retry traffic if it means
 legitimate mail on a 'grey/pink' host is just temporarily rejected or
 delayed while they clean up, in fact this is far more desireable for us.
  Complaints of 'lost' mail went up when we were using permanent fatal
 codes as an experiment. Yes legitimate hosts get blacklisted, but
 legitimate hosts will retry, and if they don't well, it's their problem,
 not ours.  We're telling them 454 listed on spamciop see URL of whatever
 (I'm obviously paraphrasing)

I've been following this thread with great interest.

I'm wondering if the same 4XX technique could apply to EHLO/HELO 
checks--with automatic whitelisting thrown in.

If spammers never retry, couldn't you watch the logs and when you see a 
retry, add that IP to EHLO/HELO whitelist?  (And generate a report so you 
can check up on this later.)  Folks on the courier-user list have reported 
that the EHLO/HELO whitelist becomes quite stable after a while.

I've recently turned on EHLO/HELO validation and am encouraged by how 
effective it is.  WIth RBL's (spamcop and dnsbl) and SpamAssassin 3, only 
88% of spam was stopped.  So far, it's 100%.  (This is a _very_ small 
sample--one email account for one day, but the change is dramatic from my 
perspective.)

And what's to stop spammers from starting to retry?  Does it double their 
cost of doing business?  If I then require a second retry, does it triple 
their cost?

If I want to hack the courier backport package to force an invalid EHLO to 
get a 4XX instead of the hardcoded 517, are these the correct steps (taken 
from Debian Quick Reference, Ch. 3):

apt-get source courier
dpkg-source courier.dsc
cd courier-0.47
... edit source
dpkg-buildpackage -rfakeroot -us -uc
su -c dpkg -i courier-mta.deb

Is that correct?

How do I change the newly-built package name, and what do I change it to so 
apt-get update/upgrade will find a new release uploaded to backports.org?

Regards,

Mark


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: blacklists

[Richard Zuidhof]

Michelle Konzack wrote:
I have tested in sequenz:
sbl-xbl.spamhaus.org cbl.abuseat.org relays.ordb.org opm.blitzed.org 
list.dsbl.org dul.dnsbl.sorbs.org blackholes.mail-abuse.org 
dialups.mail-abuse.org

But now I have removed all exept the first two.  spamhaus catchs
more then 50% of my spams and abuseat around 10%. The rest is done
by Blacklists and spamassassin.
cbl.abuseat.org is included in xbl.spamhaus.org so it is not needed to
use both. If you use sbl.spamhaus.org I do not see why not to use 
bl.spamcop.net as well. Both have some collateral damage and false 
positives but still prove to be very useful. I can also advise to use 
list.dsbl.org.

To see some statistics on the hit rate of various blacklists see:
http://cgi.monitor.nl/popstats.html
http://www.sdsc.edu/~jeff/spam/cbc.html
I you use Spamassassin be sure to use SURBL. That is a very effective 
blacklist with virtually no false positives.

Richard
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: blacklists

[Craig Sanders]

On Thu, Dec 09, 2004 at 07:04:49PM +0100, Richard Zuidhof wrote:
 To see some statistics on the hit rate of various blacklists see:
 http://cgi.monitor.nl/popstats.html
 http://www.sdsc.edu/~jeff/spam/cbc.html

or if you run postfix and want to compare RBLs against the client IPs in your
mail.log, then download http://taz.net.au/postfix/scripts/compare-rbls.pl

notes: 

1. you will also need to download openlogfile.pl from the same place
and put it in the same directory as compare-rbls.pl

2. i wrote it several years ago, so it has several very old and now defunct
RBLs listed in it.  change the @dnsrbls array to list only the ones you
want to check.

for example, change this:

my @dnsrbls = qw(blackholes.mail-abuse.org relays.mail-abuse.org
 dialups.mail-abuse.org
 relays.osirusoft.com 
 inputs.orbz.org outputs.orbz.org
 or.orbl.org
 relays.ordb.org);

to this:

my @dnsrbls = qw(cn-kr.blackholes.us
 taiwan.blackholes.us
 brazil.blackholes.us
 hongkong.blackholes.us
 list.dsbl.org
 sbl-xbl.spamhaus.org
 dul.dnsbl.sorbs.net
 dnsbl.sorbs.net
 Dynablock.njabl.org
 relays.ordb.org 
);

BTW, except for dnsbl.sorbs.net (which i don't use because i don't like their
de-listing policy - but i do use their DUL list), these are the RBLs i am
currently using.

3. i just updated the script to use the @dnsrbls array as shown abovebut
it's still useful to know how to configure it.

4. it is very slow.  it has do to one DNS lookup per RBL per IP address seen.
this is fairly slow, anyway, and it uses Net::DNS, which is not noted for it's
speed.

if you want to trial it on a small subset, do something like this:

tail -1000 /var/log/mail.log /tmp/small.log
compare-rbls.pl /tmp/small.log | less

craig

-- 
craig sanders [EMAIL PROTECTED]   (part time cyborg)


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: blacklists

[Michael Loftis]

--On Thursday, December 09, 2004 12:22 +1100 Craig Sanders [EMAIL PROTECTED] 
wrote:

On Thu, Dec 09, 2004 at 11:27:27AM +1100, Russell Coker wrote:
On Thursday 09 December 2004 01:12, Craig Sanders [EMAIL PROTECTED] wrote:
 the log file noise issue is important to me - i've recently started
 monitoring mail.log and adding iptables rules to block smtp connections
 from client IPs that commit various spammish-looking crimes against my
 system.
Interesting.  Do you plan to package it for Debian?
nope, it's just a trivial script - and one that's probably dangerous to
use if you don't understand what it's doing, and i don't plan on
documenting it beyond comments in the script itself.  in short, it's a
toy for me.
if you want to see it, look in http://taz.net.au/postfix/scripts/
it's called watch-maillog.pl
there's a bunch of other postfix related scripts in there.

One little note about that script, the DROP needs to be changed since 
basically you're DoSing yourself by hanging a bunch of connections because 
you suddenly start dropping their inbound packets while still 'in-flight' 
as it were.  postfix's default timeouts are about 300s, so you'll want to 
turn those down (300s seems too generous to me for most of them anyway)

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: blacklists

[Craig Sanders]

On Thu, Dec 09, 2004 at 10:22:24PM -0700, Michael Loftis wrote:
 if you want to see it, look in http://taz.net.au/postfix/scripts/
 
 it's called watch-maillog.pl

 One little note about that script, the DROP needs to be changed since
 basically you're DoSing yourself by hanging a bunch of connections

DoS is a huge exaggeration.  a few smtpd processes waiting to timeout does not
constitute a DoS.  neither does a few dozen. 

 because you suddenly start dropping their inbound packets while still
 'in-flight' as it were. postfix's default timeouts are about 300s, so
 you'll want to turn those down (300s seems too generous to me for most
 of them anyway)

aside from the DoS exaggeration, that is true, but i don't careor more
accurately, i care more about spammer noise in my logs and the bandwidth that
spammers waste.  i have more than enough smtpd processes, ram, and cpu power
available to cope with a few (or even several dozen) smtpds waiting to time
out.  

i can also cope with the eventual dropped connection messages in the logs -
instead of vaguely annoying me like the spam rejects do, they give me a feeling
of satisfaction that i have in some small way slowed down the spamware by
silently dropping their packets.




the first workable fix i can think of is to DROP only smtp packets with SYN
set, rather than all smtp packets.

alternatively, i could extract the PID of the smtpd process and send it a HUP
at the same time as i created the iptables rule.

if it ever bothered me, i'd do one or the otherbut, as i said, it's not
something i care much about.

craig

ps: watch-maillog.pl is a toy that i wrote for my own amusement.  if you like
it, run it or adapt it for your own needs.  if you don't, then ignore it.  i
don't claim that it's good software or even that it's useful.  i wrote it more
as a proof of concept than anything else.

pps: it also monitors TLS connection failures and adds them to
/etc/postfix/tls_per_site (which doesn't seem to be really necessary now, but
they were quite common a few years ago, mainly due to a particularly broken
version of communigate) and it does basic pop-before-smtp (dovecot only because
that's what i run).  these two features are actually useful :)

-- 
craig sanders [EMAIL PROTECTED]   (part time cyborg)


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: blacklists

[Michael Loftis]

--On Friday, December 10, 2004 16:43 +1100 Craig Sanders [EMAIL PROTECTED] 
wrote:

DoS is a huge exaggeration.  a few smtpd processes waiting to timeout
does not constitute a DoS.  neither does a few dozen.
I had about 800 waiting around in just a few minutes on the one server I 
began testing it on, but this is a large installation.  And this isn't peak 
time...It's holding at around 1000 blocked hosts, most of them for 
blacklist infractions.

because you suddenly start dropping their inbound packets while still
'in-flight' as it were. postfix's default timeouts are about 300s, so
you'll want to turn those down (300s seems too generous to me for most
of them anyway)
aside from the DoS exaggeration, that is true, but i don't careor more
accurately, i care more about spammer noise in my logs and the bandwidth
that spammers waste.  i have more than enough smtpd processes, ram, and
cpu power available to cope with a few (or even several dozen) smtpds
waiting to time out.
I suppose my advisory is more for larger sites, on my home system I'd have 
never noticed it nor even thought about it.  But when you've got a lot of 
mail (and a number of customer domains that just tend to attract junk) it's 
easy to get a lot of processes hanging around.

i can also cope with the eventual dropped connection messages in the logs
- instead of vaguely annoying me like the spam rejects do, they give me a
feeling of satisfaction that i have in some small way slowed down the
spamware by silently dropping their packets.

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: blacklists

[Russell Coker]

On Wednesday 08 December 2004 09:55, Michael Loftis [EMAIL PROTECTED] 
wrote:
 I have to agree with that statement.  For us it suits our needs very well.
 I don't mind handling the extra retry traffic if it means legitimate mail
 on a 'grey/pink' host is just temporarily rejected or delayed while they
 clean up, in fact this is far more desireable for us.  Complaints of 'lost'
 mail went up when we were using permanent fatal codes as an experiment.
 Yes legitimate hosts get blacklisted, but legitimate hosts will retry, and
 if they don't well, it's their problem, not ours.  We're telling them 454
 listed on spamciop see URL of whatever (I'm obviously paraphrasing)

How would I configure Postfix to do this?

Craig, why do you think it's undesirable to do so?

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: blacklists

[Craig Sanders]

On Wed, Dec 08, 2004 at 07:51:13PM +1100, Russell Coker wrote:
 On Wednesday 08 December 2004 09:55, Michael Loftis [EMAIL PROTECTED] 
 wrote:
  I have to agree with that statement. For us it suits our needs very
  well. I don't mind handling the extra retry traffic if it means
  legitimate mail on a 'grey/pink' host is just temporarily rejected
  or delayed while they clean up, in fact this is far more desireable
  for us.

 How would I configure Postfix to do this?

probably maps_rbl_reject_code = 450

 Craig, why do you think it's undesirable to do so?

because i dont want the extra retry traffic.  i want spammers to take FOAD as
an answer, and i dont want to welcome them with a pleasant please try again
later message.  i think it is a sin to be polite or pleasant to a spammer :)

even on my little home system, at the end of an adsl line, i reject nearly
10,000 spams per day (and climbing all the time).  i would expect that to at
least double or triple if i 4xx-ed them rather than 5xx, depending on how much
came from open relays or spamhaus rather than dynamic/DUL.


i can see why some might want to do this, but not me.

craig

-- 
craig sanders [EMAIL PROTECTED]   (part time cyborg)


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: blacklists

[daniele becchi]

Michael Loftis wrote:

--On Monday, December 06, 2004 09:34 +0100 Adrian 'Dagurashibanipal' 
von Bidder [EMAIL PROTECTED] wrote:


Various AOL mailservers, the Debian mailservers, and other servers
sending  out lots of regular mail get listed in spamcop regularly, so my
recommendation (and that of spamcop.net themselves, btw) is not to use
bl.spamcop.net for blacklisting.  Use it in spamassassin to score 
points.

Odd, since we don't see this.  And when it does happen to 'big' mail 
senders it's never AOL for one (they're on the whitelist).  And it's 
totally automatic so if they do end up on it's usually for less than a 
day.
And how to deal with legitimate email sent via webmail (eg. yahoo) where 
the IP of the sender is inside a RBL, typicall for dsl or dialup ip-classes?
This is part of the headers from a mail i received:

Mon, 29 Nov 2004 19:12:38 +0100 (CET)
Received: from web60309.mail.yahoo.com (web60309.mail.yahoo.com 
[216.109.118.120])
by -snip- (Postfix) with SMTP id 474D8249E74
for snip; Mon, 29 Nov 2004 19:12:38 +0100 (CET)
Received: (qmail 47653 invoked by uid 60001); 29 Nov 2004 18:12:36 -
Message-ID: [EMAIL PROTECTED]
Received: from [217.226.195.183] by web60309.mail.yahoo.com via HTTP; Mon, 29 
Nov 2004 19:12:36 CET
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, hits=4.2 tagged_above=0.0 required=4.5 tests=BAYES_50,
RCVD_IN_DSBL, RCVD_IN_NJABL, RCVD_IN_SORBS,
RCVD_IN_SORBS_HTTP, RCVD_IN_SORBS_SOCKS
if i would have used rbl checks in postfix instead of spamassim i would 
never receive that mail, right?
the tracked ip is of course 217.226.195.186 and not the yahoo ip 
216.109.118.120.
Or i didn't understand? :(

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: blacklists

[Michael Loftis]

--On Wednesday, December 08, 2004 10:32 +0100 daniele becchi 
[EMAIL PROTECTED] wrote:


if i would have used rbl checks in postfix instead of spamassim i would
never receive that mail, right?
the tracked ip is of course 217.226.195.186 and not the yahoo ip
216.109.118.120.
Or i didn't understand? :(
First RBL checks inside of postfix *ONLY* operate ont he host connecting to 
you, NOT on anything else.  Second, I recommend using a 4xx (temprorary 
failure) code too, third, I'm implying that you use the up-front to augment 
SpamAssassin, not replace it.  It GREATLY reduces the amount of load on 
mailservers handilg large quantities of email to use reliable, well 
maintained, and well run lists aligning closely to your sites policies for 
SPAM as early as possible to save you the CPU, Disk and associated costs of 
carrying the crap.

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: blacklists

[Russell Coker]

On Wednesday 08 December 2004 20:32, daniele becchi 
[EMAIL PROTECTED] wrote:
  Odd, since we don't see this.  And when it does happen to 'big' mail
  senders it's never AOL for one (they're on the whitelist).  And it's
  totally automatic so if they do end up on it's usually for less than a
  day.

 And how to deal with legitimate email sent via webmail (eg. yahoo) where
 the IP of the sender is inside a RBL, typicall for dsl or dialup
 ip-classes? This is part of the headers from a mail i received:

Yahoo server IP address space should not be in a dialup class.  If that 
happens then notify the person maintaining the dialup-list that you use that 
they have an inaccuracy.

  Mon, 29 Nov 2004 19:12:38 +0100 (CET)
 Received: from web60309.mail.yahoo.com (web60309.mail.yahoo.com
 [216.109.118.120]) by -snip- (Postfix) with SMTP id 474D8249E74
  for snip; Mon, 29 Nov 2004 19:12:38 +0100 (CET)
 Received: (qmail 47653 invoked by uid 60001); 29 Nov 2004 18:12:36 -
 Message-ID: [EMAIL PROTECTED]
 Received: from [217.226.195.183] by web60309.mail.yahoo.com via HTTP; Mon,
 29 Nov 2004 19:12:36 CET Content-Type: text/plain; charset=iso-8859-1
 Content-Transfer-Encoding: 8bit
 X-Spam-Status: No, hits=4.2 tagged_above=0.0 required=4.5 tests=BAYES_50,
  RCVD_IN_DSBL, RCVD_IN_NJABL, RCVD_IN_SORBS,
  RCVD_IN_SORBS_HTTP, RCVD_IN_SORBS_SOCKS

 if i would have used rbl checks in postfix instead of spamassim i would
 never receive that mail, right?
 the tracked ip is of course 217.226.195.186 and not the yahoo ip
 216.109.118.120.
 Or i didn't understand? :(

Most people use DNSBLs for the IP address that's the source of the port 25 
connection and don't use them on the addresses in the Received headers.  Such 
use won't have a problem with this.

Yahoo don't seem to police their TOS well so they tend to get on black-lists 
(among other things they don't even have a functional abuse address).  So if 
you want email from yahoo you probably have to white-list them anyway.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: blacklists

[Russell Coker]

On Wednesday 08 December 2004 20:16, Craig Sanders [EMAIL PROTECTED] wrote:
  Craig, why do you think it's undesirable to do so?

 because i dont want the extra retry traffic.  i want spammers to take FOAD
 as an answer, and i dont want to welcome them with a pleasant please try
 again later message.  i think it is a sin to be polite or pleasant to a
 spammer :)

I agree that we don't want to be nice to spammers.  But there is also the 
issue of being nice in the case of false-positives.

The extra traffic shouldn't be that great (the message body and headers are 
not being transmitted).  When a legit user accidentally gets into a 
black-list their request to get the black-list adjusted can often be 
processed within the time that their mail server is re-trying the message.

 even on my little home system, at the end of an adsl line, i reject nearly
 10,000 spams per day (and climbing all the time).  i would expect that to
 at least double or triple if i 4xx-ed them rather than 5xx, depending on
 how much came from open relays or spamhaus rather than dynamic/DUL.

30,000 rejections per day is only one every three seconds.  Not a huge load.

I am not trying to convince you to change your system (I'm not entirely 
convinced to change mine at this time).

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: blacklists

[Craig Sanders]

On Thu, Dec 09, 2004 at 12:00:42AM +1100, Russell Coker wrote:
 On Wednesday 08 December 2004 20:16, Craig Sanders [EMAIL PROTECTED] wrote:
   Craig, why do you think it's undesirable to do so?
 
  because i dont want the extra retry traffic.  i want spammers to take FOAD
  as an answer, and i dont want to welcome them with a pleasant please try
  again later message.  i think it is a sin to be polite or pleasant to a
  spammer :)
 
 I agree that we don't want to be nice to spammers.  But there is also the 
 issue of being nice in the case of false-positives.

if it's a false positive, the sender will get a bounce from their MTA and they
can fix the problem or route around it.  IMO, that's far nicer to legit senders
than them not knowing that their mail isn't being delivered because it's stuck
in their MTA's queue rather than bouncing back to them - the former means it's
probably 5 days before they know there is a problem, while the latter gives
them instant feedback.

 The extra traffic shouldn't be that great (the message body and headers are 
 not being transmitted).  

it's still MY bandwidth being used by spamming vermin, even if it's not much (i
begrudge those bastards even a single bit) and it still generates huge amounts
of noise in my mail.log files.

the log file noise issue is important to me - i've recently started monitoring
mail.log and adding iptables rules to block smtp connections from client IPs
that commit various spammish-looking crimes against my system.  some crimes get
blocked for 60 seconds, some for 10 minutes, some for an hour.  each time the
same IP address is seen committing a crime, the time is doubled.  i am doing
this not because i'm worried that spammers will get their junk through my
anti-spam rules but because a) i don't want their noise in my mail.log, and b)
it was an interesting programming project that amused me for a few days of part
time perl hacking.

 When a legit user accidentally gets into a black-list their request
 to get the black-list adjusted can often be processed within the time
 that their mail server is re-trying the message.

similarly, they can resend the message themselves when they know the problem
has been fixed, WITHOUT flooding my logs with crap i don't want to see AND
they'll have had immediate feedback about the problem with their mail system.
everyone wins.

if it's important, they'll resend it.  if the sender doesn't think it's
important enough to bother resending, then why should i care?


  even on my little home system, at the end of an adsl line, i reject
  nearly 10,000 spams per day (and climbing all the time). i would
  expect that to at least double or triple if i 4xx-ed them rather
  than 5xx, depending on how much came from open relays or spamhaus
  rather than dynamic/DUL.

 30,000 rejections per day is only one every three seconds. Not a huge
 load.

the important factor here is that it's one every 3 seconds that I DON'T WANT.
i don't want the ~10,000 per day that i currently get and i see no reason to
take any action that will increase that number.

craig

-- 
craig sanders [EMAIL PROTECTED]   (part time cyborg)


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: blacklists

[Ian Forbes]

On Wednesday 08 December 2004 15:00, Russell Coker wrote:

 I agree that we don't want to be nice to spammers.  But there is also
 the issue of being nice in the case of false-positives.

I think, that a permanent error is the best response for a 
false-positive.

The sender will then receive a bounce message and he will know that his 
communication has not been received by the other party. He can then 
make another plan - like sending a fax or changing ISP.

If you give a temporary error, it will depend on the rules in the mail 
server one-hop before the one generating the false positive on when the 
sender will get a bounce or a warning - this could take hours or even 
days. 

The server where the mail gets queued is likely to be an outgoing relay 
server for a large ISP. The sender would have no access to such a 
server and little opportunity to talk to the persons responsible for 
managing it so he would have a tricky job establishing what happened to 
the mail.

Support staff's nightmare:

I sent an e-mail but it just never arrived ...(long story about how 
important that particular message was)... 
Did you get a bounce or an error message?
No, the mail just vanished - what are you going to do to fix your 
servers!


Regards

Ian

-- 
Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 21 683-1388  Fax: +27 21 674-1106
Snail Mail: P. O. Box 46827, Glosderry, 7702, South Africa


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: blacklists

[Philipp Kern]

On Wed, 2004-12-08 at 15:30 +0100, Michelle Konzack wrote:
 sbl-xbl.spamhaus.org
 opm.blitzed.org
 But now I have removed all exept the first two.  spamhaus
 catchs more then 50% of my spams and abuseat around 10%.
 The rest is done by Blacklists and spamassassin.

Spamhaus XBL incorporates e.g. Blitzed OPM and others. That's why the
composite blocking list catches so much. But with the size the
possiblity of false positives increases.

Regards,
Philipp Kern


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: blacklists

[Philipp Kern]

On Wed, 2004-12-08 at 23:56 +1100, Russell Coker wrote:
 Yahoo server IP address space should not be in a dialup class.  If that 
 happens then notify the person maintaining the dialup-list that you use that 
 they have an inaccuracy.

This is incorrect when you look at the headers.

  Received: from [217.226.195.183] by web60309.mail.yahoo.com via HTTP; Mon,
  29 Nov 2004 19:12:36 CET Content-Type: text/plain; charset=iso-8859-1

SpamAssassin looks at all the headers. If this is a good choice or not
is debatable. The MTA would only judge by the IP that connects to him
which was in fact a Yahoo IP.

This IP [217.226.195.183] is a valid dialup out of Germany which Yahoo
adds as a trace from where the webmail request came.

Regards,
Philipp Kern


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: blacklists

[Michael Loftis]

--On Thursday, December 09, 2004 01:12 +1100 Craig Sanders [EMAIL PROTECTED] 
wrote:

if it's a false positive, the sender will get a bounce from their MTA and
they can fix the problem or route around it.  IMO, that's far nicer to
legit senders than them not knowing that their mail isn't being delivered
because it's stuck in their MTA's queue rather than bouncing back to them
- the former means it's probably 5 days before they know there is a
problem, while the latter gives them instant feedback.
You massively over estimate the intelligence of email users.  Far far 
over-estimate it.  When we were doing 5xx returns, about a dozen bounces a 
day were reported as SPAM to my abuse address.  Further more, most people 
do not understand bounce messages, at all.  For us it's far cheaper to let 
the mailservers deal with it, and delay and bounce later, than involve a 
human for all the people who just don't get it, but get unlisted before 
they even READ the bounce.

When a legit user accidentally gets into a black-list their request
to get the black-list adjusted can often be processed within the time
that their mail server is re-trying the message.
similarly, they can resend the message themselves when they know the
problem has been fixed, WITHOUT flooding my logs with crap i don't want
to see AND they'll have had immediate feedback about the problem with
their mail system. everyone wins.
If they ever get the bounce message, increasingly I'm seeing the owrrying 
trend that bounce messages from MTAs end up as SPAM or just /dev/null-ed.

if it's important, they'll resend it.  if the sender doesn't think it's
important enough to bother resending, then why should i care?
If the sender even understands that it wasn't sent at all.  Many, if not 
most, don't.  Your average @aol.com-er doesn't.  For a busines it might be 
acceeptable, for an ISP doing 5xx is hard to justify, atleast in our case.

Anyway there certainly ARE merits to both sides, and I can and do 
understand and see your point.  I don't like the log chatter but that's 
easy to deal with compared to our L1 support time when we 5xx.  People get 
stupidly angry sometimes too 'you have no right to bounce my mail!'  that's 
like saying the post office has to deliver all bombs, but logic has nothing 
to do with most people :)


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: blacklists

[Michael Loftis]

--On Wednesday, December 08, 2004 16:04 +0200 Ian Forbes 
[EMAIL PROTECTED] wrote:

On Wednesday 08 December 2004 15:00, Russell Coker wrote:
I agree that we don't want to be nice to spammers.  But there is also
the issue of being nice in the case of false-positives.
I think, that a permanent error is the best response for a
false-positive.
The sender will then receive a bounce message and he will know that his
communication has not been received by the other party. He can then
make another plan - like sending a fax or changing ISP.
See my just prior response on this thread, most people don't understand 
bounces.  Yes it could be argued a bounce needs to be reformatted so the 
humans can read it easier, but it's not my system generating the bounce 
message, I'm just telling the attempter.  Whether it's permanent or 
temporary doesn't matter.

...
I sent an e-mail but it just never arrived ...(long story about how
important that particular message was)...
Did you get a bounce or an error message?
No, the mail just vanished - what are you going to do to fix your
servers!
Answer: find their spammers, and squash them.  This puts the support load 
on the offender, not on me.  Which is where it should be.  If they user 
sender gets frustrated enough and finally calls us, emails us via alternate 
channels (maybe via the recipient) or whatever, we'll gladly explain the 
problem, and helpfully suggest they contact their ISP, if that's not 
working we suggest they switch ISPs, if they're local we also take the time 
to offer our own ISP service ;)


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: blacklists

[Craig Sanders]

On Wed, Dec 08, 2004 at 07:41:12PM +0100, Philipp Kern wrote:
   Received: from [217.226.195.183] by web60309.mail.yahoo.com via HTTP; Mon,
   29 Nov 2004 19:12:36 CET Content-Type: text/plain; charset=iso-8859-1
 
 SpamAssassin looks at all the headers. If this is a good choice or not
 is debatable. The MTA would only judge by the IP that connects to him
 which was in fact a Yahoo IP.

i turn off DUL checking in SpamAssassin.  i use DULs in postfix RBL checks, but
it makes no sense to do DUL checking in SA on mail received from a real MTA -
almost all mail will originate from a dialup/dynamic IP.

in local.cf, that looks like this:

# ignore DUL
score RCVD_IN_DYNABLOCK 0.0

craig

-- 
craig sanders [EMAIL PROTECTED]   (part time cyborg)


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: blacklists

[Craig Sanders]

On Wed, Dec 08, 2004 at 03:38:36PM -0700, Michael Loftis wrote:
 --On Thursday, December 09, 2004 01:12 +1100 Craig Sanders [EMAIL 
 PROTECTED] 
 wrote:
 
 if it's a false positive, the sender will get a bounce from their MTA and
 they can fix the problem or route around it.  IMO, that's far nicer to
 legit senders than them not knowing that their mail isn't being delivered
 because it's stuck in their MTA's queue rather than bouncing back to them
 - the former means it's probably 5 days before they know there is a
 problem, while the latter gives them instant feedback.
 
 You massively over estimate the intelligence of email users.  Far far 
 over-estimate it.  

no, it's just that i don't give a damn about the dumb ones.  if they're too
dumb to figure it out, then they're too dumb to be using the net.

i'd rather provide help  useful information to the smart ones than spoonfeed
dumb users.  no matter how much you spoonfeed dumb users, they'll still cause
you problems and cost you time  money.  best of all, providing useful
information also gives a potentially educational experience to all, with a
small but real chance of starting them on the path towards being a smart user.

(in short, my unshakably firm belief about tech support has always been that
education is far better than spoonfeeding.  education works in the long run,
spoonfeeding is just begging for an eternal problem)


 When we were doing 5xx returns, about a dozen bounces a day were  
 reported as SPAM to my abuse address. 

never happened to me.  if it ever did, i'd probably just ignore it.  at most,
i'd reply this is not spam, it's a bounce, and include a URL to a page with
information about how mail works.  i certainly wouldn't waste much time on it.


 Further more, most people do not understand bounce messages, at all.  

yes, i've seen that thousands of times.  the common occurence is some idiot
user forwarding you the bounce message that clearly states user unknown or
similar and asking you why did this bounce?

if i'm in a bad mood, i'll reply and say something like 'User unknown' means
that the user is unknown.  

or if i'm feeling particularly helpful, i may expand on that and give them some
suggestions on what to do or try.

either way, in any reply i'll *always* point out that the answer to their
question was right there in front of them - all they had to do was make the
trivial effort to read it.

 If they ever get the bounce message, increasingly I'm seeing the owrrying 
 trend that bounce messages from MTAs end up as SPAM or just /dev/null-ed.

you're not responsible for the stupid things that other people do.

 Anyway there certainly ARE merits to both sides, and I can and do 
 understand and see your point.  I don't like the log chatter but that's 
 easy to deal with compared to our L1 support time when we 5xx.  People get 
 stupidly angry sometimes too 'you have no right to bounce my mail!'  that's 
 like saying the post office has to deliver all bombs, but logic has nothing 
 to do with most people :)

yes, i've seen that too.  the obvious response is that the post office can't
deliver misaddressed mail either.  if you send a snail-mail letter with the
wrong address on it, the post office can't magically correct it.  if you're
lucky, you'll get it returned back to you.  most likely, it will just sit on
the hall-stand of the wrong address along with all the other misaddressed mail
and mail for people who used to live there that they receive.

just because they're angry doesn't make them right.  if they won't listen to
reason, then ignore them.  you've done your best, that's all that can be asked
of you.


craig

-- 
craig sanders [EMAIL PROTECTED]   (part time cyborg)


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: blacklists

[Russell Coker]

On Thursday 09 December 2004 01:12, Craig Sanders [EMAIL PROTECTED] wrote:
 the log file noise issue is important to me - i've recently started
 monitoring mail.log and adding iptables rules to block smtp connections
 from client IPs that commit various spammish-looking crimes against my
 system.  some crimes get blocked for 60 seconds, some for 10 minutes, some
 for an hour.  each time the same IP address is seen committing a crime, the
 time is doubled.  i am doing this not because i'm worried that spammers
 will get their junk through my anti-spam rules but because a) i don't want
 their noise in my mail.log, and b) it was an interesting programming
 project that amused me for a few days of part time perl hacking.

Interesting.  Do you plan to package it for Debian?

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: blacklists

[Craig Sanders]

On Thu, Dec 09, 2004 at 11:27:27AM +1100, Russell Coker wrote:
 On Thursday 09 December 2004 01:12, Craig Sanders [EMAIL PROTECTED] wrote:
  the log file noise issue is important to me - i've recently started
  monitoring mail.log and adding iptables rules to block smtp connections
  from client IPs that commit various spammish-looking crimes against my
  system.  
 
 Interesting.  Do you plan to package it for Debian?

nope, it's just a trivial script - and one that's probably dangerous to use if
you don't understand what it's doing, and i don't plan on documenting it beyond
comments in the script itself.  in short, it's a toy for me.

if you want to see it, look in http://taz.net.au/postfix/scripts/

it's called watch-maillog.pl

there's a bunch of other postfix related scripts in there.

you may also like qvmenu.pl, a curses-based postfix queue browser that i wrote.
it allows you to pipe queued messages into less or urlview, select multiple
messages and delete, hold, unhold or re-queue them (i.e. a wrapper around
postsuper).  pretty simple to add new features...as with most of my scripts, i
write for readability rather than optimised speed.

i work on this occasionally, and add new stuff as i need ite.g. there's a
half-implemented bounce to sa-spam/sa-ham alias featurethat's because i
have a header_checks rule to HOLD all mail with an SA score over 10.  this is
the reason i wrote qvmenu.pl in the first place.  false-positives i just
unhold.  spam, i usually view  urlview them to get fodder for my SA 
body_checks rules, then delete them.  i also want to be able to bounce them to
sa-spam or sa-ham (sa-learn aliases on my system).   i'll finish that off when
i get time.

because it calls mailq to get the queue listing, it's probably too slow to use
on any system with thousands of messages in the queue.  i've used it on systems
with hundreds, and found it to be OK.  actually, i doubt if it would be much
faster even if it trawled the queue directories itself - mailq isn't exactly
inefficient and bloated.

craig

-- 
craig sanders [EMAIL PROTECTED]   (part time cyborg)


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: blacklists

[Craig Sanders]

On Thu, Dec 09, 2004 at 11:27:27AM +1100, Russell Coker wrote:
 On Thursday 09 December 2004 01:12, Craig Sanders [EMAIL PROTECTED] wrote:
  the log file noise issue is important to me - i've recently started
  monitoring mail.log and adding iptables rules to block smtp connections

i also wrote another trivial script which fetches a named blackholes.us text
file and creates iptables rules to match.  not sure if this is a worthwhile
experiment - if for no other reason than the fact that iptables doesn't seem to
cope well with thousands of rules in a chain (could probably work around that
with a chain per country...but i'm probably not going to bother since i'm
pretty sure that this is NOT a good thing to do).

i'm currently running with korea.blackholes.us completely filtered out as a
test.  (korea is where most of my spam attempts come from).  so far it has
blocked over 16000 packets from korea.  since all *I* ever get from there is
spam and probes from script-kiddies and viruses, that's a Good Thingtm.  it
probably wouldn't be a good thing anywhere other than on my home gateway.

craig

-- 
craig sanders [EMAIL PROTECTED]   (part time cyborg)


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: blacklists

[Michael Loftis]

--On Monday, December 06, 2004 09:34 +0100 Adrian 'Dagurashibanipal' von 
Bidder [EMAIL PROTECTED] wrote:


Various AOL mailservers, the Debian mailservers, and other servers
sending  out lots of regular mail get listed in spamcop regularly, so my
recommendation (and that of spamcop.net themselves, btw) is not to use
bl.spamcop.net for blacklisting.  Use it in spamassassin to score points.
Odd, since we don't see this.  And when it does happen to 'big' mail 
senders it's never AOL for one (they're on the whitelist).  And it's 
totally automatic so if they do end up on it's usually for less than a day.

We don't (obviously) use a 5xx response because the failure isn't 
permanent.  In any event we watch pretty carefully for problems, and aren't 
seeing any in the year (or more) that we've been using bl.spamcop.net.

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: blacklists

[Michael Loftis]

--On Monday, December 06, 2004 09:34 +0100 Adrian 'Dagurashibanipal' von 
Bidder [EMAIL PROTECTED] wrote:


Various AOL mailservers, the Debian mailservers, and other servers
sending  out lots of regular mail get listed in spamcop regularly, so my
recommendation (and that of spamcop.net themselves, btw) is not to use
bl.spamcop.net for blacklisting.  Use it in spamassassin to score points.
Sorry about double replies, but also, you have to remember we're an ISP, 
not a small shop.  By doing this we cut our incoming mail in *HALF* or 
less.  That's because there is that much spam out there.  Spamcop is fair, 
well run, and FULLY dynamic.  Not subjet to human policies, or delay in 
listing, or unlisting.  They are also not subject to arbitrary policy 
decisions that many of the other lists are subject to because they are 
automated.  And because it is based on submitted spam, seen email, and 
honeypots or traps it is very accurate, far more so than many of the 
others, with far less collateral damage.

When you're handling LOTS of email every day, we're in excess of about 3/4 
a million envelopes a day, and far more recipients than that -- and that's 
just the main mail servers, doesn't include the Mailman server, you're 
going to do everything you can to not have to handle total junk, and to 
keep SA, and virus scanning, two VERY expensive processes, from hitting the 
email.  We estimate we'd roughly have to double the amount of mail servers 
just in order to handle the SPAM that nobody wants.

I'm sorry, but for us the tiny amount of collateral damage, is perfectly 
acceptable.  Metrics have it at, and probably far below, 1%.  If a false 
positive is encountered the 4xx code will cause the legitimate mailservers 
to just retry later, and usually the length of time that they're retry is 
more than adequate to get them unlisted IF the administrators are 
responsive to their SPAM problem.

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: blacklists

[Marek Podmaka]

Hello Michael,

  You mean you reject spam only temporarily? By setting
  maps_rbl_reject_code in postfix to 4xx? What value exactly?

  My question is - does the spam software (or whatever is used for
  sending majority of spams) try to re-send it? How often and for how
  long? Now I reject by 554 code... should I change to 4xx?

  thanks

Tuesday, December 7, 2004, 21:56:43, you wrote:

ML I'm sorry, but for us the tiny amount of collateral damage, is
ML perfectly acceptable. Metrics have it at, and probably far below,
ML 1%. If a false positive is encountered the 4xx code will cause the
ML legitimate mailservers to just retry later, and usually the length
ML of time that they're retry is more than adequate to get them
ML unlisted IF the administrators are responsive to their SPAM
ML problem.

-- 
  bYE, Marki


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: blacklists

[Craig Sanders]

On Tue, Dec 07, 2004 at 10:18:28PM +0100, Marek Podmaka wrote:
   My question is - does the spam software (or whatever is used for
   sending majority of spams) try to re-send it? 

most (if not all) spamware and viruses won't.  open relays and spamhaus sites
and other real MTAs will.

 How often 

impossible to say, depends on many factors on the sending host - how it is
configured, what software it is running, how busy it is, how many items in the
queue, etc etc.could be every few seconds, could be several hours between
delivery attempts.

many mail servers implement an exponential backoff strategy.  they will try
again very quickly to start with and, on each failure, increase the delay (e.g.
doubling the time) between attempts until it reaches a maximum delay.

 and for how long? 

until the queue lifetime expires (usually 5 days, although it could be 
anything).

 Now I reject by 554 code...  should I change to 4xx?

if it suits your needs.  i wouldn't.

craig

-- 
craig sanders [EMAIL PROTECTED]   (part time cyborg)


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: blacklists

[Michael Loftis]

--On Tuesday, December 07, 2004 22:18 +0100 Marek Podmaka [EMAIL PROTECTED] 
wrote:

Hello Michael,
  You mean you reject spam only temporarily? By setting
  maps_rbl_reject_code in postfix to 4xx? What value exactly?
We use either 450 or 454, don't remember the value exactly.  And I'm not 
sure what the 'Correct' RFC value would be since there's no obvious choice.

  My question is - does the spam software (or whatever is used for
  sending majority of spams) try to re-send it? How often and for how
  long? Now I reject by 554 code... should I change to 4xx?
Rarely, if ever, does the spam ratware retry, and even if it does it's FAR 
less resource intensive to just keep saying 4xx to RCPT commands rather 
than taking the mail, reading it, sending it through Virus Scanning and/or 
Spam Assassin/spam scanning.  Far, far, far faster.


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: blacklists

[Michael Loftis]

--On Wednesday, December 08, 2004 08:47 +1100 Craig Sanders 
[EMAIL PROTECTED] wrote:


Now I reject by 554 code...  should I change to 4xx?
if it suits your needs.  i wouldn't.
I have to agree with that statement.  For us it suits our needs very well. 
I don't mind handling the extra retry traffic if it means legitimate mail 
on a 'grey/pink' host is just temporarily rejected or delayed while they 
clean up, in fact this is far more desireable for us.  Complaints of 'lost' 
mail went up when we were using permanent fatal codes as an experiment. 
Yes legitimate hosts get blacklisted, but legitimate hosts will retry, and 
if they don't well, it's their problem, not ours.  We're telling them 454 
listed on spamciop see URL of whatever (I'm obviously paraphrasing)

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: blacklists

[Adrian 'Dagurashibanipal' von Bidder]

On Sunday 05 December 2004 11.31, Michael Loftis wrote:
 we use bl.spamcop.net up front at the SMTP level before taking any
 messages from a site.

Hmm.

Various AOL mailservers, the Debian mailservers, and other servers sending 
out lots of regular mail get listed in spamcop regularly, so my 
recommendation (and that of spamcop.net themselves, btw) is not to use 
bl.spamcop.net for blacklisting.  Use it in spamassassin to score points.

-- vbi

-- 
featured product: vim - http://vim.org


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: blacklists

[Russell Coker]

On Monday 06 December 2004 19:34, Adrian 'Dagurashibanipal' von Bidder 
[EMAIL PROTECTED] wrote:
 Various AOL mailservers, the Debian mailservers, and other servers sending
 out lots of regular mail get listed in spamcop regularly, so my
 recommendation (and that of spamcop.net themselves, btw) is not to use
 bl.spamcop.net for blacklisting.  Use it in spamassassin to score points.


Received: from johnny.adanco.com (151.adsl.as8758.net [212.25.16.151])
 by murphy.debian.org (Postfix) with ESMTP id B42442DED6
 for [EMAIL PROTECTED]; Mon,  6 Dec 2004 02:34:01 -0600 (CST)
Received: from humphrey.adanco.local (humphrey.adanco.local [172.18.10.16])
 by johnny.adanco.com (Postfix) with ESMTP id 24E4B2C6D
 for [EMAIL PROTECTED]; Mon,  6 Dec 2004 09:34:01 +0100 (CET)

The Debian servers correctly preserve the Received: path.  This is used by 
Spamcop to assign blame to the correct server.  Above are the original 
Received: headers from your message to the list, if your message was reported 
to Spamcop then it would send a complaint to [EMAIL PROTECTED] about IP 
address 212.25.16.151.

If your message was reported to spamcop it would not list a Debian server, it 
would list 212.25.16.151.

I doubt that Debian servers get listed regularly.  I use the spamcop DNSBL and 
it doesn't get in the way of Debian mailing lists.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: blacklists

[Kadmos]

Marek Podmaka wrote:
  which blacklists do you use to block spam emails on production
  boxes? I use relays.ordb.org and list.dsbl.org and now I have read
  about Spamhaus SBL and XBL on their website. What are your
  experiences with it?
From what I understand XBL is a *private* list not for public use, I 
have heard that it cuts a rather wide path through uunet for example.

Spamhaus is about as upstanding as they come. IIRC think they even 
provide corporate support if your needs are that significant.

You might want to try plugging those addresses (spamhaus.org, 
relays.ordb.org and XBL into google groups news.admin.net-abuse.email 
(http://groups.google.com.au/groups?hl=enlr=client=firefox-aq=XBLbtnG=Searchmeta=group%3Dnews.admin.net-abuse.email) 
and see what comes out.

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: blacklists

[Christian Storch]

On So, 5.12.2004, 10:54, Marek Podmaka sagte:
 Hello debian-isp,

   which blacklists do you use to block spam emails on production
   boxes? I use relays.ordb.org and list.dsbl.org and now I have read
   about Spamhaus SBL and XBL on their website. What are your
   experiences with it?


Have a look at http://www.dnsstuff.com/tools/ip4r.ch?ip=1.2.3.4
and check it.

Christian


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]