Re: [mailop] dnsbl.spam.fail

2023-12-11 Thread Kirill Miazine via mailop



• John Levine via mailop [2023-12-11 22:00]:

> It appears that Gellner, Oliver via mailop said:
>
>> And to add a rant to that: I don’t have much sympathy for operators that are
>> trying to use their control over a MTA or DNSBL as some
>> kind of extortion tool or to put forward their own vendettas.
>
> I also block most mail from Hetzner's network. It's not a vendetta,
> it's not extortion, it's purely practical. My time is not unlimited,
> the vast majority of the mail from that network is spam and if a tiny
> bit of real mail gets lost, so be it. It is not worth my time to make
> exceptions in my filtering rules.

If you're the only user on the system, then sure, fine -- your mail,
your choice, but in my case I have "normal" users, and I don't want to
throw my users' email away, so even OVH can't be blocked, as e.g. Migadu
is/was using OVH. Of course, an option is making individual exceptions,
as Domeneshop does here, but the trigger for the exception is that a
non-spammer is affected by the block.

> If you want people to accept your mail, act like someone who wants
> people to do so, and that starts by not sending it from a network
> that gushes spam.  Believe me, Hetzner's not the only one.


As a matter of fact I moved my mail server to Hetzner only recently, 
until then I was using TransIP for a decade. But also a "test lab" at 
Hetzner, so I decided to just merge everything at Hetzner, as they're 
closer to me geographically, and after considering Hetzner's reputation 
for email: what has been decisive to give it a try is that a number of 
email providers seem to be using them. Initially it was a backup 
dedicated server, there were no issues at all (except one with Fastmail 
responding with 4xx instead of 5xx for a user which no longer existed, 
and reporting re-delivery attempts to senderscore, but that doesn't have 
anything to do with Hetzner).


I am still evaluating Hetzner as email source, though, and have a couple 
of hosts at Mythic Beasts, and have setup ready to let the mail flow 
through them, in case of any issues, but mostly it has been fine-ish.


I'm open for good alternatives in/close to Scandinavia. I had considered 
UpCloud, but comments on the list made me reconsider that option. Also, 
this is a personal setup, so price does indeed matter. :)


But we're getting off-topic, my initial post was triggered by the discovery of 
the "new" dnsbl.spam.fail list, which I never had experienced earlier, 
and that question has been answered.



> R's,
> John

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] Changes to Validity Reputation Data Through DNS

2023-12-11 Thread Tom Bartel via mailop
Very helpful feedback Slavko, thank you, I'm sharing with the team here to
discuss.

Tom

On Mon, Dec 11, 2023 at 11:36 AM Slavko via mailop wrote:

> Hi,
>
> On 11 December 2023 16:52:43 UTC, Tom Bartel via mailop <mailop@mailop.org> wrote:
>
> >Starting March 1, 2024 we will allow up to 10,000 requests per user over a
> >30-day time period. After 10,000 requests, users must create a MyValidity
> >account to continue using this free service.
>
> You asked for feedback, here is my opinion about that limit with some
> real numbers.
>
> I have personal MTA, with <100 (usually not more than 50) incoming mails
> daily, thus 10 000 checks per 30 days seems OK. In last 30 days I see
> ~1 600 accepted mails (not IPs) and ~2 100 rejected mails/IPs and it is
> relatively peaceful 30 days, I will skip MSA's login attempts counts here,
> where DBL can be useful too, but for usual 30 days that limit will be
> enough too.
>
> But from time to time, I am target of extortion (or so) wave, it is about
> 3 000 unique IPs in 1-2 days. I am able to identify almost all of them at first
> attempt and fill IPs to firewall, thus only small percentage of them gets
> chance to repeat (connect multiple times), usually no more than 3 times
> per IP. Thus I will guess about 4 000 DBL requests per one that wave.
>
> That will result with only 2 (extortion) waves + usual connections per 30
> days, and then my server becomes unprotected by this DBL...
>
> IMO if you really want to help with security of small (anonymous) MTAs,
> that limit should be applied only to NXDOMAIN (not listed)/good reputation
> responses, as no one attack's target is able to limit attack volume.
>
> regards
>
>
> --
> Slavko
> https://www.slavino.sk/


-- 
Phone: 303.517.9655
Website: https://bartelphoto.com
Instagram: https://instagram.com/bartel_photo

"Life's most persistent and urgent question is, 'What are you doing for
others?'" - Martin Luther King Jr.


Re: [mailop] dnsbl.spam.fail

2023-12-11 Thread John Levine via mailop
It appears that Gellner, Oliver via mailop  said:
>And to add a rant to that: I don’t have much sympathy for operators that are 
>trying to use their control over a MTA or DNSBL as some
>kind of extortion tool or to put forward their own vendettas. 

I also block most mail from Hetzner's network. It's not a vendetta,
it's not extortion, it's purely practical. My time is not unlimited,
the vast majority of the mail from that network is spam and if a tiny
bit of real mail gets lost, so be it. It is not worth my time to make
exceptions in my filtering rules.

If you want people to accept your mail, act like someone who wants
people to do so, and that starts by not sending it from a network
that gushes spam.  Believe me, Hetzner's not the only one.

R's,
John


Re: [mailop] dnsbl.spam.fail

2023-12-11 Thread Kirill Miazine via mailop

• Gellner, Oliver via mailop [2023-12-11 21:29]:

> Even if there are a lot of addresses in that netblock that are sending
> spam, Domeneshop now officially knows that at least one IP address does
> not (Kirills). It would be trivial to exclude it from their blocking,


Domeneshop shall be given due credit here, as they added an exception 
for my IP very quickly.



Re: [mailop] dnsbl.spam.fail

2023-12-11 Thread Gellner, Oliver via mailop

> On 11.12.2023 at 12:11 Kirill Miazine via mailop wrote:
>
> Also, Domeneshop confirmed they operate spam.fail as internal list and
> that they indeed have blacklisted Hetzner ranges because "lack of abuse
> handling":
>
> 
> The IP belongs to Hetzner which have a full lack of abuse handling.
> A broad range of IP addresses within the block the IP address you are
> requesting about is constantly being abused to spam and scam campaigns,
> and Hetzner does nothing about it.
> 
>
> Their MX, their rules...

While it’s nice that they replied, their answer doesn’t really show any will to 
solve the problem. In this regard it’s comparable to the meaningless 
boilerplates you receive from Microsoft and the likes.

And to add a rant to that: I don’t have much sympathy for operators that are 
trying to use their control over a MTA or DNSBL as some kind of extortion tool 
or to put forward their own vendettas. Even if there are a lot of addresses in 
that netblock that are sending spam, Domeneshop now officially knows that at 
least one IP address does not (Kirill's). It would be trivial to exclude it from 
their blocking, yet they apparently decided to continue to blacklist the 
server, to punish innocent bystanders, to prevent their own users from getting 
legitimate messages which they are waiting for and to generate false positives 
on full purpose. All this to push forward their own agenda in trying to force 
another service provider to act in a way Domeneshop sees as appropriate.
For a private email server, I’m all with “their MX, their rules”, but for a 
company that offers mail services to customers I expect a little more 
professionalism.

—
BR Oliver


dmTECH GmbH
Am dm-Platz 1, 76227 Karlsruhe * P.O. Box 10 02 34, 76232 Karlsruhe
Phone 0721 5592-2500 Fax 0721 5592-2777
dmt...@dm.de * www.dmTECH.de
GmbH: registered office Karlsruhe, registry court Mannheim, HRB 104927
Managing directors: Christoph Werner, Martin Dallmeier, Roman Melcher



Re: [mailop] Changes to Validity Reputation Data Through DNS

2023-12-11 Thread Kirill Miazine via mailop

Hi, Tom

• Tom Bartel via mailop [2023-12-11 17:52]:

> Hello Mailops Community,
>
> I wanted to pass along an update regarding coming changes in 2024 to
> public query access for Validity reputation data in DNS.  We're
> finalizing implementation of necessary response codes (including in Spam
> Assassin) to enable this.  It's similar to the Spamhaus DQS changes a
> while ago.  Any questions and/or feedback, LMK.

Is this correct understanding?

- DNS requests will be counted based on IP address of the client doing 
the lookup (which will mean resolver)
- If more than 10K reqs/month is required, user may create account and 
add IP addresses of their resolvers -- this will remove limits (probably 
some limits still apply?)


The question not answered is what happens with the queries when 10K are 
met and if no account is created. Will NXDOMAIN be returned in such cases?




> Thanks,
>
> Tom
>
> Dear Mailops Community,
>
> Validity provides free access through DNS to our reputation data,
> including Validity Certified Allowlist and Return Path Blocklist to
> allow for use with email filtering. This is commonly accessed through
> rules available in Apache SpamAssassin.
>
> Starting March 1, 2024 we will allow up to 10,000 requests per user over
> a 30-day time period. After 10,000 requests, users must create a
> MyValidity account to continue using this free service. At this level of
> usage, we’d simply like to know who you are – there are no fees or
> purchases required. Upon the creation of a MyValidity account, you will
> receive continued access to queries (directly or through SpamAssassin).
>
> Sign up for an account
>
> If you have any questions, please visit our FAQ here.
>
> Best regards,
>
> Validity Data Services




Re: [mailop] Changes to Validity Reputation Data Through DNS

2023-12-11 Thread Slavko via mailop
Hi,

On 11 December 2023 16:52:43 UTC, Tom Bartel via mailop wrote:

>Starting March 1, 2024 we will allow up to 10,000 requests per user over a
>30-day time period. After 10,000 requests, users must create a MyValidity
>account to continue using this free service. 

You asked for feedback, here is my opinion about that limit with some
real numbers.

I have personal MTA, with <100 (usually not more than 50) incoming mails
daily, thus 10 000 checks per 30 days seems OK. In last 30 days I see
~1 600 accepted mails (not IPs) and ~2 100 rejected mails/IPs and it is
relatively peaceful 30 days, I will skip MSA's login attempts counts here,
where DBL can be useful too, but for usual 30 days that limit will be
enough too.

But from time to time, I am target of extortion (or so) wave, it is about 3 000
unique IPs in 1-2 days. I am able to identify almost all of them at first
attempt and fill IPs to firewall, thus only small percentage of them gets
chance to repeat (connect multiple times), usually no more than 3 times
per IP. Thus I will guess about 4 000 DBL requests per one that wave.

That will result with only 2 (extortion) waves + usual connections per 30
days, and then my server becomes unprotected by this DBL...

IMO if you really want to help with security of small (anonymous) MTAs,
that limit should be applied only to NXDOMAIN (not listed)/good reputation
responses, as no one attack's target is able to limit attack volume.

regards


-- 
Slavko
https://www.slavino.sk/


[mailop] Changes to Validity Reputation Data Through DNS

2023-12-11 Thread Tom Bartel via mailop
Hello Mailops Community,

I wanted to pass along an update regarding coming changes in 2024 to public
query access for Validity reputation data in DNS.  We're finalizing
implementation of necessary response codes (including in Spam Assassin) to
enable this.  It's similar to the Spamhaus DQS changes a while ago.  Any
questions and/or feedback, LMK.

Thanks,

Tom

Dear Mailops Community,



Validity provides free access through DNS to our reputation data, including
Validity Certified Allowlist and Return Path Blocklist to allow for use
with email filtering. This is commonly accessed through rules available in
Apache SpamAssassin.



Starting March 1, 2024 we will allow up to 10,000 requests per user over a
30-day time period. After 10,000 requests, users must create a MyValidity
account to continue using this free service. At this level of usage, we’d
simply like to know who you are – there are no fees or purchases required.
Upon the creation of a MyValidity account, you will receive continued
access to queries (directly or through SpamAssassin).



Sign up for an account 



If you have any questions, please visit our FAQ here.



Best regards,



Validity Data Services


[mailop] Microsoft JMRP not sending ARF?

2023-12-11 Thread Dan Malm via mailop

Hi,

I've just updated my FBL parsing in preparation of using 
https://www.rfc-editor.org/rfc/rfc9477 and while doing that checked if 
Microsoft's JMRP could send reports in ARF format instead of attachments 
so I could remove any special-case parsing just for Microsoft... But to 
my surprise in my settings it was already set to ARF but that's not the 
format I'm getting the reports in...


There are 3 different settings available with the following results when 
I change to them:

ARF - FBL reports are sent as attachments (not ARF)
Attachment - No FBL reports are sent at all
Original Message - The original message is sent to the complaint 
feedback email address


Anyone else have the same experience or am I just special? Anyone have a 
way to wrangle MS to actually send ARF?


--
BR/Mvh. Dan Malm, Systems Engineer, group.one
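Added example (not from the original post, and not Microsoft's or the poster's code): one way for an FBL intake to tell whether an incoming complaint is an RFC 5965 ARF report or only a message with the original mail attached, so the special-case path is taken on what actually arrived rather than on what the portal setting says. `classify_fbl`, its return keys and the sample message are constructed for illustration.

```python
from email import message_from_string, policy

# Constructed sample (not a real report): a minimal RFC 5965 ARF message.
ARF_SAMPLE = """\
From: fbl@example.net
To: abuse@example.com
Subject: complaint
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report; boundary="b1"

--b1
Content-Type: text/plain

This is an abuse report.
--b1
Content-Type: message/feedback-report

Feedback-Type: abuse
User-Agent: ExampleFBL/1.0
Version: 1
Source-IP: 192.0.2.10

--b1
Content-Type: message/rfc822

From: sender@example.com
Subject: hello

body
--b1--
"""

def _report_fields(part):
    """Fields of a message/feedback-report part, keyed by lower-cased name."""
    payload = part.get_payload()
    if isinstance(payload, list) and payload:  # email parses message/* as nested
        inner = payload[0]
    else:
        inner = message_from_string(str(payload), policy=policy.default)
    return {k.lower(): str(v).strip() for k, v in inner.items()}

def classify_fbl(raw):
    """Return format 'arf', 'attachment' or 'other' plus the key ARF fields."""
    msg = message_from_string(raw, policy=policy.default)
    payload = msg.get_payload()
    parts = payload if msg.is_multipart() and isinstance(payload, list) else []
    types = [p.get_content_type() for p in parts]
    result = {"format": "other", "feedback_type": None, "source_ip": None}
    is_report = (msg.get_content_type() == "multipart/report" and
                 str(msg.get_param("report-type", "")).lower() == "feedback-report")
    if is_report and "message/feedback-report" in types:
        fields = _report_fields(parts[types.index("message/feedback-report")])
        result.update(format="arf", feedback_type=fields.get("feedback-type"),
                      source_ip=fields.get("source-ip"))
    elif "message/rfc822" in types:
        # Original mail attached, but no machine-readable report part.
        result["format"] = "attachment"
    return result

if __name__ == "__main__":
    print(classify_fbl(ARF_SAMPLE))
```

Counting the returned `format` per sending provider over a day of reports shows quickly whether a portal setting change took effect.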


Re: [mailop] dnsbl.spam.fail

2023-12-11 Thread Atro Tossavainen via mailop
> The residential address of the operator is a risk, because spamming is
> a criminal activity in most countries and spammers are sometimes
> organized like the mafia. They hate those lists and try to bring them
> down by all kinds of attacks. Not providing them more attack surface
> than necessary isn't a bad idea.

Domeneshop does not have a residential address.

They list their corporate physical address on their website.

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, https://www.koliloks.eu/


Re: [mailop] dnsbl.spam.fail

2023-12-11 Thread Marco Moock via mailop
On 11.12.2023 at 09:26:36, Kirill Miazine wrote:


> • Marco Moock [2023-12-11 09:13]:
> [...]
> > > 
> > > Anyone has any experience with this list or who the operator is?
> > >   
> > 
> > The latter is something they hide because spammers would threaten them
> > otherwise.
> 
> Then does it make sense to reference that list in SMTP responses at
> all?

Yes, because admins of the IP can then check that list and find out why
they were listed.

The residential address of the operator is a risk, because spamming is
a criminal activity in most countries and spammers are sometimes
organized like the mafia. They hate those lists and try to bring them
down by all kinds of attacks. Not providing them more attack surface
than necessary isn't a bad idea.
Providing a residential address means spammers and ISPs hosting them
have an easy way to abuse that address for fraudulent orders, treating
the people living there personally and other nasty stuff.

> > > Inability to do external DNS lookups makes it impossible to
> > > monitor for presence on their list.
> > 
> > Why is that impossible for you?
> 
> Well, I *could*, but then I'd have to deploy something at them to be
> able to do lookups from their network, as the zone does not answer
> external queries. Here trying from my system:
> 
> km@stable ~ $ dig +short 125.153.108.65.dnsbl.spam.fail
> km@stable ~ $ 

Ok, interesting.
It seems the list is not public like others.

The only way to get information is their website, I was able to query
it.


Re: [mailop] dnsbl.spam.fail

2023-12-11 Thread Marco Moock via mailop
On 11.12.2023 at 12:04:44, Kirill Miazine via mailop wrote:

> The IP belongs to Hetzner which have a full lack of abuse handling.
> A broad range of IP addresses within the block the IP address you are
> requesting about is constantly being abused to spam and scam campaigns,
> and Hetzner does nothing about it. 

That is most likely the reason it is listed. Parts of that network are
also regularly listed on uceprotect level2.


Re: [mailop] dnsbl.spam.fail

2023-12-11 Thread Atro Tossavainen via mailop
> Well, yeah, not really _impossible_, but I was referring to doing
> monitoring based on DNS lookups, as is normal for DNS BL.

Of course.

> Also, Domeneshop confirmed they operate spam.fail as internal list

OK. I tried tagging them on LinkedIn; it's an automatically generated
corporate page with no owner. I tried tagging Asgeir Kristofersson, a
person who reports currently working there; the tagging was automatically
removed.

> that they indeed have blacklisted Hetzner ranges because "lack of abuse
> handling":

Bastiaan van den Berg even participates here from time to time. Not
that mailing list participation equals anything with respect to
abuse handling.

> Their MX, their rules...

Indeed, but a little bit of transparency would go a long way.

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, https://www.koliloks.eu/


Re: [mailop] dnsbl.spam.fail

2023-12-11 Thread Kirill Miazine via mailop
• Atro Tossavainen via mailop [2023-12-11 09:54]:
> > Inability to do external DNS lookups makes it impossible to monitor
> > for presence on their list.
> 
> https://spam.fail/search?ip=127.0.0.2

Well, yeah, not really _impossible_, but I was referring to doing
monitoring based on DNS lookups, as is normal for DNS BL.

As they aren't providing an API either, I ended up doing HTTP GET
check and string matching, along the lines of

curl -s 'https://spam.fail/search?ip=foo' | grep -q 'is not blacklisted' || echo foo blacklisted

Also, Domeneshop confirmed they operate spam.fail as internal list and
that they indeed have blacklisted Hetzner ranges because "lack of abuse
handling":


The IP belongs to Hetzner which have a full lack of abuse handling.
A broad range of IP addresses within the block the IP address you are
requesting about is constantly being abused to spam and scam campaigns,
and Hetzner does nothing about it. 


Their MX, their rules...

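Added example (not code from the thread or from Domeneshop): the monitoring approach discussed above, written so that an empty DNS answer is never read as "clean". It builds the reversed-octet query name used in the thread's `dig` test, goes beyond the post by also covering IPv6 nibble format, and falls back to the `is not blacklisted` string match against `https://spam.fail/search?ip=...`. The function names and the three-state result are assumptions made for this illustration.

```python
import ipaddress
import socket
import urllib.parse
import urllib.request

NOT_LISTED_MARKER = "is not blacklisted"  # the string the post greps for

def dnsbl_qname(ip, zone):
    """Reversed IPv4 octets (or IPv6 nibbles) prepended to the DNSBL zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone.strip(".")

def dns_check(ip, zone, resolve=socket.gethostbyname):
    """'listed' on a 127.x answer, else 'no-answer'.

    'no-answer' is not 'clean': a zone that refuses outside queries, as in
    the thread's dig output, looks exactly like an unlisted address."""
    try:
        answer = resolve(dnsbl_qname(ip, zone))
    except OSError:  # includes socket.gaierror (NXDOMAIN, refused, timeout)
        return "no-answer"
    return "listed" if answer.startswith("127.") else "no-answer"

def classify_search_page(body):
    """String match on the lookup page, with a third state for failed fetches."""
    if body is None or not body.strip():
        return "unknown"  # fetch failed or empty page: evidence of nothing
    if NOT_LISTED_MARKER in body:
        return "not-listed"
    return "listed"  # same rule as the one-liner: marker absent

def http_check(ip, base="https://spam.fail/search", timeout=10):
    """Fetch the search page for one address and classify it."""
    url = base + "?" + urllib.parse.urlencode({"ip": ip})
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except OSError:  # URLError, HTTPError and timeouts are OSError subclasses
        body = None
    return classify_search_page(body)

def monitor(ip, zone="dnsbl.spam.fail", resolve=socket.gethostbyname,
            fetch=http_check):
    """DNS first; fall back to the web lookup when DNS proves nothing."""
    if dns_check(ip, zone, resolve) == "listed":
        return "listed"
    return fetch(ip)

if __name__ == "__main__":
    # Offline demo with stubs; constructed page text, not a captured response.
    def refused(_name):
        raise OSError("no answer")
    page = "65.108.153.125 is not blacklisted"
    print(dnsbl_qname("65.108.153.125", "dnsbl.spam.fail"))
    print(monitor("65.108.153.125", resolve=refused,
                  fetch=lambda ip: classify_search_page(page)))
```

An `unknown` result should raise its own alert: a changed page layout or a failed fetch would otherwise be reported as a listing by the marker-absent rule.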


Re: [mailop] dnsbl.spam.fail

2023-12-11 Thread Marco Moock via mailop
On 10.12.2023 at 14:27:35, Kirill Miazine wrote:

> • Marco Moock via mailop [2023-12-10 11:24]:
> > On 10.12.2023 at 10:55:21, Kirill Miazine via mailop wrote:
> >   
> >> The block is quite new, I guess spam.fail operators just took
> >> Hetzner's IP ranges and put in their lists  
> > 
> > https://spam.fail/search?ip=65.108.153.125
> > 
> > It really seems that the entire /15 IPv4 net is on the blacklist.
> > Your IPv6 is not on the list.
> 
> Anyone has any experience with this list or who the operator is?

The latter is something they hide because spammers would threaten them
otherwise.

> Inability to do external DNS lookups makes it impossible to monitor
> for presence on their list.

Why is that impossible for you?


Re: [mailop] dnsbl.spam.fail

2023-12-11 Thread Atro Tossavainen via mailop
> Inability to do external DNS lookups makes it impossible to monitor
> for presence on their list.

https://spam.fail/search?ip=127.0.0.2

-- 
Atro Tossavainen, Chairman of the Board
Infinite Mho Oy, Helsinki, Finland
tel. +358-44-5000 600, http://www.infinitemho.fi/