OT: Re: [Mimedefang] Adding support for learning our addresses
On Tue, Jan 31, 2006 at 05:16:58PM -0600, Sean Ware wrote:
> > They'd have to, or the TCP session would break.
>
> That's what I was thinking. I was just trying to determine How Evil they
> actually were. Or if some other TCP magic was going on in the round-robin.
> -- At least some small shred of my sanity is retained.

That shred of sanity would quickly wash away once you actually use one of those devices and try to troubleshoot problems with it, especially if load-balanced boxes are trying to contact another virtual service that's really serviced by another box on the same network. The silent changes to TCP headers are almost impossible to comprehend. Been there, done that, got the straightjacket.

That said, having a bunch of sendmail/MD/SA boxes behind a load balancer behaves quite well. If one machine accidentally starts eating itself because some poor schmuck uploaded an mp3 file as .procmailrc, which procmail always seems to see as an instruction to start forkbombing and maillooping itself to oblivion, then one box goes down, but nobody suffers because the machine will be taken out of the pool, and the service as a whole just continues to run. (Well, you'd have to remove the erroneous .procmailrc file before this user gets more mail and takes more boxes down.)

-- 
#!perl -wpl # mmfppfmpmmpp mmpffm [EMAIL PROTECTED] $p=3-2*/[^\W\dmpf_]/i;s.[a-z]{$p}.vec($f=join('',$p-1?chr(sub{$_[0]*9+$_[1]*3+ $_[2]}-(map{/p|f/i+/f/i}split//,$)+97):qw(m p f)[map{((ord$)%32-1)/$_%3}(9, 3,1)]),5,1)='`'lt$;$f.eig;# Jan-Pieter Cornet

___
NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
RE: [Mimedefang] Adding support for learning our addresses
-----Original Message-----
From: Philip Prindeville

> On the other hand, if, like me, your local address *is* unroutable, then
> it means that you're behind a firewall, and need to do a gethostbyname()
> on your own name to figure out what your outside address is (i.e. what the
> address of your firewall is that proxies for you).

That wouldn't work on my system, and many others. If you do a gethostbyname() you'll get the local unroutable address back - since the internal and external DNS for my namespace are maintained on separate servers.

If you are using NAT, then in order to accept mail to [EMAIL PROTECTED] (see RFC1123 Section 5.2.17), you'll need to include [ip.add.re.ss] in /etc/mail/local-host-names. Why not read that file?
Re: [Mimedefang] Adding support for learning our addresses
On Mon, 30 Jan 2006, David F. Skoll wrote:
> If I did that, I'd end up blocking Hotmail and MSN's servers more-or-less
> permanently.

Are you having that problem too? I used to never get spam from Hotmail/MSN but a couple of months ago it started and I get several per day. Any idea what's up with that?

Jim McCullars
University of Alabama in Huntsville
Re: [Mimedefang] Adding support for learning our addresses
Jim McCullars wrote:
> Are you having that problem too? I used to never get spam from Hotmail/MSN
> but a couple of months ago it started and I get several per day. Any idea
> what's up with that?

I guess lots of spammers have just decided to abuse Hotmail. See:

http://www.roaringpenguin.com/canit/showtrap.php?f=hotmailfr=cstatus=spam

(Login demo/demo)

Regards,
David.
Why so much Hotmail spam lately (was Re: [Mimedefang] Adding support for learning our addresses)
Replying to myself...

I think the reason lots of spammers are abusing Hotmail is this note in our incident report:

SPF query returned 'pass'

Hotmail publishes SPF records, and I guess spammers hope that a pass will help their mail get through.

I've evolved my thinking on SPF so I use it as follows:

- For domains that I do not control, I add 5 points for fail and 2 for softfail. I never subtract points; I think it's highly dangerous to subtract points unless you control the domain.

- For domains that I do control, I subtract 2 points for pass. I don't add points for fail or softfail, though I guess that wouldn't be dangerous.

Regards,
David.
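An added example (not from the thread, and not CanIt's or MIMEDefang's code) that puts the scoring policy above into code. It carries a minimal SPF evaluator so the scoring can be run end to end; the evaluator only understands ip4:, ip6: and all (no DNS, so no a, mx, include: or redirect= mechanisms), the SPF records, domain names and addresses are constructed, and the function names are this example's own:

```python
"""Added example (not from the thread): a minimal SPF evaluator for
ip4:/ip6: mechanisms plus the scoring policy David describes above.

Only ip4:, ip6: and the terminal 'all' mechanism are handled, with no DNS
lookups, so 'a', 'mx', 'include:' and 'redirect=' are NOT supported; real
deployments should use a full SPF library.  Records and addresses below are
constructed for the example and are not any real domain's published data.
"""
import ipaddress

# Mechanism qualifiers per RFC 4408/7208: + pass, - fail, ~ softfail, ? neutral
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Return 'pass', 'fail', 'softfail', 'neutral' or 'none' for client_ip."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not an SPF record at all
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                continue                   # malformed mechanism: skip it
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        # unsupported mechanisms (a, mx, include, ...) are skipped here
    return "neutral"                       # no mechanism matched, no 'all'


def spf_score(result, domain_is_ours):
    """Score an SPF result the way the post above describes:
    - domains we do not control: +5 for fail, +2 for softfail, never negative
    - domains we control: -2 for pass, nothing else"""
    if domain_is_ours:
        return -2 if result == "pass" else 0
    return {"fail": 5, "softfail": 2}.get(result, 0)


def score_message(sender_domain, record, client_ip, our_domains):
    """Evaluate the record for the connecting IP, then apply the policy."""
    result = evaluate_spf(record, client_ip)
    return result, spf_score(result, sender_domain in our_domains)


if __name__ == "__main__":
    OUR = {"example.org"}
    # constructed records; example.org is 'ours', freemail.example is not
    big_freemail = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 ~all"
    ours = "v=spf1 ip4:198.51.100.0/28 -all"
    print(score_message("freemail.example", big_freemail, "203.0.113.7", OUR))  # ('pass', 0)
    print(score_message("freemail.example", big_freemail, "192.0.2.9", OUR))    # ('softfail', 2)
    print(score_message("example.org", ours, "198.51.100.3", OUR))              # ('pass', -2)
    print(score_message("example.org", ours, "192.0.2.9", OUR))                 # ('fail', 0)
```

The asymmetry is the point: a pass only proves the mail came from a host the sender's domain owner authorised, which is exactly what a freemail account or a throwaway domain gives a spammer, so a pass for a domain you do not control earns nothing while a fail for it still counts against the message.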
Re: Why so much Hotmail spam lately (was Re: [Mimedefang] Adding support for learning our addresses)
DFS wrote on 01/31/2006 09:57:58 AM:
> Replying to myself...
>
> I think the reason lots of spammers are abusing Hotmail is this note in
> our incident report:
>
> SPF query returned 'pass'

But wouldn't it be in Microsoft's best interest to prevent their servers from being used to spam? Even from the economic standpoint of reducing the load/number of servers required. Not to mention protecting their reputation? Run outbound mail through the same tests they use for MSN, or isn't filtering that very good? It would seem that they would see high levels of traffic coming from bots that they could throttle/reject.
Re: Why so much Hotmail spam lately (was Re: [Mimedefang] Adding support for learning our addresses)
[EMAIL PROTECTED] wrote:
> But wouldn't it be in Microsoft's best interest to prevent their servers
> from being used to spam?

Maybe, but how would they do it? Hotmail must have over 60 million subscribers. Their outgoing mail volume has to be on the order of a billion a day. Filtering that volume of e-mail, or even examining it for trends, poses some pretty extreme technical difficulties.

> Even from the economic standpoint of reducing the load/number of servers
> required.

It's a heck of a lot cheaper to relay a billion messages than to filter them.

> It would seem that they would see high levels of traffic coming from bots
> that they could throttle/reject.

I wouldn't be surprised if more sophisticated bots use zombie networks to log on to Hotmail and send mail via their Web interface. I think it would be pretty hard to notice an anomaly against all their regular traffic.

Regards,
David.
Re: Why so much Hotmail spam lately (was Re: [Mimedefang] Adding support for learning our addresses)
On Tue, 2006-01-31 at 09:54, David F. Skoll wrote:
> > It would seem that they would see high levels of traffic coming from
> > bots that they could throttle/reject.
>
> I wouldn't be surprised if more sophisticated bots use zombie networks to
> log on to Hotmail and send mail via their Web interface. I think it would
> be pretty hard to notice an anomaly against all their regular traffic.

They may be learning to distribute the load across a large number of hosts to keep it low enough to stay undetected. I've noticed something similar with ssh dictionary attacks for a while. Any newly exposed address is hit fairly quickly but only gets a few attempts per hour.

-- 
Les Mikesell
[EMAIL PROTECTED]
Re: [Mimedefang] Adding support for learning our addresses
DFS wrote on 01/31/2006 09:53:34 AM:
> http://www.roaringpenguin.com/canit/showtrap.php?f=hotmailfr=cstatus=spam

Interesting to note that most look like scam spam. No enhancement pills, no cheap software, no porno sites coming from hotmail.
Hotmail spam (was Re: [Mimedefang] Adding support for learning our addresses)
[EMAIL PROTECTED] wrote:
> Interesting to note that most look like scam spam. No enhancement pills,
> no cheap software, no porno sites coming from hotmail.

Yes, I've noticed that. I don't know if it's just luck, or perhaps the Nigerian scammers have cheap enough labour that they actually send their stuff out by hand, thereby evading whatever detection tools Hotmail uses. :-)

Regards,
David.
Re: Why so much Hotmail spam lately (was Re: [Mimedefang] Adding support for learning our addresses)
--On Tuesday, January 31, 2006 10:54 -0500 [EMAIL PROTECTED] wrote:
> But wouldn't it be in Microsoft's best interest to prevent their servers
> from being used to spam?

Tangent inspired by the above question: Consider this host, which sends mail from Microsoft employees:

Received: from smtphost1.microsoft.com ([131.107.3.116])
        by mx.gmail.com with ESMTP id 8si3854684wrl.2006.01.27.18.04.33;
        Fri, 27 Jan 2006 18:04:33 -0800 (PST)

No reverse DNS. HELO smtphost1.microsoft.com, but that's the name of 131.107.1.101. So, it looks like scam mail supposedly from Microsoft. But 131.107.3.116 is in their _spf-a.microsoft.com SPF record.

Oh, I get it. We use SPF or our filter misfires. Pretty risky stance for them to take with their own employees' mail.

Joseph Brennan
Columbia University Information Technology
Re: Hotmail spam (was Re: [Mimedefang] Adding support for learning our addresses)
David F. Skoll [EMAIL PROTECTED] wrote:
> the Nigerian scammers have cheap enough labour that they actually send
> their stuff out by hand,

This is exactly what I have thought for a long time. It would explain why you never see two of them exactly alike. If it was automated it would look more like other spam where you get batches of the identical message.

Joseph Brennan
Columbia University Information Technology
Re: [Mimedefang] Adding support for learning our addresses
Damrose, Mark wrote:
> That wouldn't work on my system, and many others. If you do a
> gethostbyname() you'll get the local unroutable address back - since the
> internal and external DNS for my namespace are maintained on separate
> servers.

Not if you query one of the root name servers...

> If you are using NAT, then in order to accept mail to [EMAIL PROTECTED]
> (see RFC1123 Section 5.2.17), you'll need to include [ip.add.re.ss] in
> /etc/mail/local-host-names. Why not read that file?

Gak. Then we're relying on its format staying the same, and second that we need to be able to parse the file.

Or we could arrange to export $=R...

-Philip
Re: [Mimedefang] Adding support for learning our addresses
Philip Prindeville wrote:
> Damrose, Mark wrote:
> > If you are using NAT, then in order to accept mail to [EMAIL PROTECTED]
> > (see RFC1123 Section 5.2.17), you'll need to include [ip.add.re.ss] in
> > /etc/mail/local-host-names. Why not read that file?
>
> Gak. Then we're relying on its format staying the same, and second that
> we need to be able to parse the file.

Or how about parsing the output of:

echo '$=w' | sendmail -bt

At least that format is likely to stay the same, and you can be guaranteed that your filter and Sendmail will both agree on the meaning of local.

Regards,
David.
RE: [Mimedefang] Adding support for learning our addresses
-----Original Message-----
From: Philip Prindeville

> Damrose, Mark wrote:
> > since the internal and external DNS for my namespace are maintained on
> > separate servers.
>
> Not if you query one of the root name servers...

Ignoring for the moment that even if the root name servers would do DNS resolution for you (they won't), that would be an abusive use of them.

If you mean change /etc/resolv.conf to use a DNS resolver that knows about the external name space, my mail server knows about my internal name space for a reason. In fact there are about 2000 reasons - whose name to IP address mapping I am not about to put into a public version of DNS, but my mail server needs to know about.

If you mean use Net::DNS and force it to query a server that knows about the outside name space, I was under the impression that your goal was to be portable across systems with no changes, and to publish it as such for others to use. If you have to do those kinds of customization, I don't see why

my $ipaddress='ip.add.re.ss';

is a huge problem.

> > in /etc/mail/local-host-names. Why not read that file?
>
> Gak. Then we're relying on its format staying the same,

It has for a number of versions of sendmail.

> and second that we need to be able to parse the file.

# starts a comment
domain name or [ip.add.re.ss], one per line.

You'd be hard pressed to find anything simpler to parse. If you accept mail for more than one domain locally, you need to customize this file anyway. RFC (and the STD that incorporates it) state you must accept mail at the domain literal. If you NAT, you must customize this file to do that.
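One way to do both of the things proposed in the last two messages (read /etc/mail/local-host-names, or parse the output of echo '$=w' | sendmail -bt), as an added example that is not part of the thread and not MIMEDefang's code. The file format is the one Mark gives; the banner lines and the echoed "> " prompt in the sample -bt output are what Sendmail's address-test mode prints when its input is piped, but the sample text itself and the addresses in it are constructed, and the function names are this example's own:

```python
"""Added example (not code from the thread or from MIMEDefang): two ways of
learning which names Sendmail considers local, as discussed above.

parse_local_host_names() reads the /etc/mail/local-host-names format Mark
describes: '#' starts a comment, one domain name or [ip.add.re.ss] per line.

parse_class_w() reads the output of  echo '$=w' | sendmail -bt  that David
suggests.  The two banner lines and the '> ' prompt in the sample are what
sendmail -bt prints in address-test mode when stdin is a pipe (assumed
here); the sample text is constructed, not captured from a real host.
"""
import ipaddress
import re

_BANNER = re.compile(r"^(ADDRESS TEST MODE|Enter <ruleset> <address>)")


def parse_local_host_names(text):
    """Return (names, literals): lower-cased host names and the IP addresses
    that appeared as [ip.add.re.ss] domain literals."""
    names, literals = set(), set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # '#' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            try:
                literals.add(str(ipaddress.ip_address(line[1:-1])))
            except ValueError:
                continue                        # not a valid literal; ignore it
        else:
            names.add(line.lower().rstrip("."))
    return names, literals


def parse_class_w(output):
    """Return the members of Sendmail class $=w from 'sendmail -bt' output,
    split into (names, literals) exactly like parse_local_host_names()."""
    members = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or _BANNER.match(line):
            continue                            # skip the -bt banner lines
        if line.startswith(">"):                # prompt echoed when stdin is a pipe
            line = line[1:].strip()
            if not line:
                continue
        members.append(line)
    return parse_local_host_names("\n".join(members))


def is_local_name(name, names, literals):
    """True if a HELO/recipient domain is one of ours, in either spelling."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("[") and name.endswith("]"):
        try:
            return str(ipaddress.ip_address(name[1:-1])) in literals
        except ValueError:
            return False
    return name in names


# constructed sample files (RFC 5737 documentation addresses, not real hosts)
SAMPLE_LOCAL_HOST_NAMES = """\
# local-host-names - include all aliases for your machine here.
mail.example.org
example.org          # primary domain
[203.0.113.10]       # NAT'd public address, RFC 1123 5.2.17 domain literal
"""

SAMPLE_CLASS_W_OUTPUT = """\
ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
Enter <ruleset> <address>
> localhost
mail.example.org
example.org
[203.0.113.10]
[127.0.0.1]
> 
"""

if __name__ == "__main__":
    names, lits = parse_local_host_names(SAMPLE_LOCAL_HOST_NAMES)
    print(sorted(names), sorted(lits))
    wnames, wlits = parse_class_w(SAMPLE_CLASS_W_OUTPUT)
    print(sorted(wnames), sorted(wlits))
    print(is_local_name("[203.0.113.10]", wnames, wlits))   # True
```

Either source gives the same shape of answer, so the filter can compare a HELO name or recipient domain against it with one function; the $=w route also picks up names that come from the .mc configuration rather than the file, which is David's argument for it.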
RE: [Mimedefang] Adding support for learning our addresses
Mark Damrose wrote:
> -----Original Message-----
> From: Philip Prindeville
>
> > On the other hand, if, like me, your local address *is* unroutable,
> > then it means that you're behind a firewall, and need to do a
> > gethostbyname() on your own name to figure out what your outside
> > address is (i.e. what the address of your firewall is that proxies
> > for you).
>
> That wouldn't work on my system, and many others. If you do a
> gethostbyname() you'll get the local unroutable address back - since
> the internal and external DNS for my namespace are maintained on
> separate servers.

Hence services like www.whatismyip.com

What I think would be really nice is a new kind of DNS record... something like WHOAMI... that provides this kind of a service. So for example

dig -t WHOAMI your-friendly-neighborhood-dns-server.example.com

would return (in the ANSWER section) the IP address that your-friendly-neighborhood-dns-server sees the request coming from.

So if I'm on a 10. intranet cloud, and the DNS server is too, then I'll get back my 10. IP address. Or if I ask a DNS server on the other end of an 192.168. IP-mapped VPN connection, I'll get back the 192.168. IP address it was mapped to. Or if I ask my ISP's server on the internet (but beyond my firewall) I'll get my firewall's routable IP address.

-- 
Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
RE: [Mimedefang] Adding support for learning our addresses
-----Original Message-----
From: [EMAIL PROTECTED]

> > the internal and external DNS for my namespace are maintained on
> > separate servers.
>
> Hence services like www.whatismyip.com

http runs through a proxy server, so I would get a different public IP than SMTP sessions use to reach the mail server. Not that I would have any significant filter logic rely on a service whose format, existence, and reachability could change at any time.

There's so much to set up on a new server, that I have a hard time seeing the benefit of jumping through a lot of hoops to have the same filter run unmodified on several at once. I suppose that if you wanted to push out changes to a cluster of mimedefang boxes and have some filter logic that knows your own IP, then put it in /etc/mail/mimedefang-filter-local, and source it as a library.

> What I think would be really nice is a new kind of DNS record...
> something like WHOAMI... that provides this kind of a service. So for
> example
>
> dig -t WHOAMI your-friendly-neighborhood-dns-server.example.com

That has some interesting possibilities. NAT aside, it would be nice to know sometimes - even on a multi-homed server - which address was used for a particular connection. I don't necessarily agree that DNS is the place to fit this, but it's an idea that's worth developing.
Re: [Mimedefang] Adding support for learning our addresses
[EMAIL PROTECTED] ([EMAIL PROTECTED]) @ 2006.01.31 11:21:47 -0800:
> Hence services like www.whatismyip.com
>
> What I think would be really nice is a new kind of DNS record...
> something like WHOAMI... that provides this kind of a service. So for
> example
>
> dig -t WHOAMI your-friendly-neighborhood-dns-server.example.com
>
> would return (in the ANSWER section) the IP address that
> your-friendly-neighborhood-dns-server sees the request coming from.

I think this would probably just yield the public IP address of your DNS resolver, unless you queried the service's own DNS server directly. Because if I just did this:

dig -t WHOAMI your-friendly-neighborhood-dns-server.example.com

One of the following conditions would need to be true:

1) My normal DNS server(s) as listed in /etc/resolv.conf would need to understand the WHOAMI query type and adjust for it when it sent the query up the DNS recursion string.

2) You'd need to replace your DNS server in /etc/resolv.conf with the WHOAMI service provider's DNS servers, and do all of your DNS query types against it.

Otherwise you're probably going to get a response like this:

; <<>> DiG 9.2.1 <<>> whoami your-friendly-neighborhood-dns-server.example.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28667
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 6, ADDITIONAL: 0

;; QUESTION SECTION:
;your-friendly-neighborhood-dns-server.example.com.

;; ANSWER SECTION:
WHOAMI 300 IN A 216.239.32.10

;; Query time: 49 msec
;; SERVER: 216.239.32.10#53(216.239.32.10)
;; WHEN: Tue Jan 31 14:53:30 2006
;; MSG SIZE rcvd: 196

Something like:

dig -t WHOAMI what.is.my.ip.address @whoami.dns.example.com

Might be useful. Still need to modify dig (or some other DNS-related tool) to do WHOAMI queries, although I suppose an A-record query would work just as well in this instance.

Maybe I'm overthinking the idea.

--

Is there a particular reason why you'd prefer this to be a DNS-based service than HTTP?

Sean

-- 
Sean Ware
Midway Amusement Games, LLC
Senior Network Engineer
2727 W. Roscoe Street
Information Technology Department
Chicago, IL 60618-5909
[EMAIL PROTECTED]
(773) 961-2000
RE: [Mimedefang] Adding support for learning our addresses
On Tue, 2006-01-31 at 15:18, [EMAIL PROTECTED] wrote:
> I think this would probably just yield the public IP address of your DNS
> resolver, unless you queried the service's own DNS server directly.

Good point. Still useful if /etc/resolv.conf is

nameserver 127.0.0.1

but less generally useful than I had thought.

If you are behind NAT, especially if you are multi-homed or going through clustered or failover proxies or gateways there may not be any way to find all of the possible public addresses you might use. It's bad enough if you are just multi-homed.

-- 
Les Mikesell
[EMAIL PROTECTED]
Re: [Mimedefang] Adding support for learning our addresses
David F. Skoll ([EMAIL PROTECTED]) @ 2006.01.31 17:59:34 -0500:
> Sean Ware wrote:
> > Oh man! -- I assume such devices at least keep the translations open
> > for the length of a TCP session?
>
> They'd have to, or the TCP session would break.

That's what I was thinking. I was just trying to determine How Evil they actually were. Or if some other TCP magic was going on in the round-robin. -- At least some small shred of my sanity is retained.

Thanks!

-- 
Sean Ware
Midway Amusement Games, LLC
Senior Network Engineer
2727 W. Roscoe Street
Information Technology Department
Chicago, IL 60618-5909
[EMAIL PROTECTED]
(773) 961-2000
Re: [Mimedefang] Adding support for learning our addresses
On Saturday, January 28, 2006 12:18 AM -0500 Kevin A. McGrail [EMAIL PROTECTED] wrote:
> If you would like to use the system, email me your daily mail volume and
> I'll forward your request. If approved, I'll send you the MD code and SA
> rule files.

Why not add it to the wiki?
Re: [Mimedefang] Adding support for learning our addresses
Alexander Dalloz wrote:
> > BTW: my SpamAssassin pukes at use_terse_report 1. What version does
> > that apply to?
>
> Pre SA 3.x
>
> You may now use
>
> remove_header all Report
>
> to remove the verbose report.

Someone want to update the HOWTO installation instructions?

-Philip
Re: [Mimedefang] Adding support for learning our addresses
David F. Skoll wrote:
> > One other thing I thought about: what about detecting spammers, and
> > then looking up the CIDR block that their address belongs to, and
> > adding it to a blacklist automatically in filter_relay()?
>
> Too many false-positives. We own a measly 8 IP addresses where our colo
> box sits. If you block us because someone on our class C was bad, that's
> unfair.

Ok, how about this proposal: Rather than blocking the entire network (CIDR block) automatically, at least blacklisting the individual address for 3-5 days?

I see a lot of cases where I'll reject email from ratware, and then 20 minutes or an hour or a day later, they reconnect and try to send it again (I'm sending them a 5xx and not a 45x response, too).

-Philip
Re: [Mimedefang] Adding support for learning our addresses
Philip Prindeville wrote:
> Rather than blocking the entire network (CIDR block) automatically, at
> least blacklisting the individual address for 3-5 days?

If I did that, I'd end up blocking Hotmail and MSN's servers more-or-less permanently. While I might not think that's a Bad Thing, it's probably not acceptable for most MIMEDefang users.

Unfortunately, the mapping between spammer and IP address is rather tenuous, from the extreme of many spammers per IP address (Hotmail) to many IP addresses per spammer (your average zombie spam-run.)

What I do on my server is ban an IP address for an hour if I detect a dictionary attack (too many invalid recipients). That seems to work pretty well.

Regards,
David.
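The one-hour ban David describes above, as an added example; this is not his server's code and not MIMEDefang's. The post only says "too many invalid recipients" and "an hour", so the threshold (5 bad RCPTs) and the ten-minute counting window are assumptions, the class and function names are this example's own, and the event stream at the bottom is constructed:

```python
"""Added example (not code from the thread or from MIMEDefang): the per-IP
ban David describes above, i.e. temporarily refusing a relay once it has
produced too many invalid recipients, instead of blacklisting it for days.

Thresholds (5 bad RCPTs within 10 minutes -> banned for 1 hour) are assumed
for the example; the post only says 'too many invalid recipients' and 'an
hour'.  The event stream at the bottom is constructed.
"""
from collections import defaultdict, deque

BAN_SECONDS = 3600          # post: "ban an IP address for an hour"
WINDOW_SECONDS = 600        # assumption: count bad RCPTs over 10 minutes
MAX_BAD_RCPTS = 5           # assumption: 5 bad recipients trips the ban


class DictionaryAttackGuard:
    """Call invalid_recipient(ip, now) from the RCPT stage when the user is
    unknown; call is_banned(ip, now) from the connect stage."""

    def __init__(self, max_bad=MAX_BAD_RCPTS, window=WINDOW_SECONDS, ban=BAN_SECONDS):
        self.max_bad, self.window, self.ban = max_bad, window, ban
        self.bad = defaultdict(deque)     # ip -> timestamps of recent bad RCPTs
        self.banned_until = {}            # ip -> unix time when the ban expires

    def is_banned(self, ip, now):
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if now >= until:                  # ban expired: forget it and start clean
            del self.banned_until[ip]
            self.bad.pop(ip, None)
            return False
        return True

    def invalid_recipient(self, ip, now):
        """Record one bad RCPT; return True if this one triggered a ban."""
        q = self.bad[ip]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()                   # drop events outside the window
        if len(q) >= self.max_bad and not self.is_banned(ip, now):
            self.banned_until[ip] = now + self.ban
            return True
        return False


def replay(events, guard=None):
    """events: (time, ip, kind) with kind 'connect' or 'bad_rcpt'.
    Returns the list of (time, ip, decision) the guard makes."""
    guard = guard or DictionaryAttackGuard()
    out = []
    for t, ip, kind in events:
        if kind == "connect":
            out.append((t, ip, "reject" if guard.is_banned(ip, t) else "accept"))
        elif kind == "bad_rcpt":
            out.append((t, ip, "ban" if guard.invalid_recipient(ip, t) else "count"))
    return out


# constructed: one probing relay at 192.0.2.5, one legitimate relay at 198.51.100.8
SAMPLE_EVENTS = [
    (0, "192.0.2.5", "connect"),
    (1, "192.0.2.5", "bad_rcpt"), (2, "192.0.2.5", "bad_rcpt"),
    (3, "192.0.2.5", "bad_rcpt"), (4, "192.0.2.5", "bad_rcpt"),
    (5, "198.51.100.8", "bad_rcpt"),          # one typo from a good relay
    (6, "192.0.2.5", "bad_rcpt"),             # fifth bad RCPT -> ban
    (60, "192.0.2.5", "connect"),             # 1 minute later: refused
    (61, "198.51.100.8", "connect"),          # good relay unaffected
    (3700, "192.0.2.5", "connect"),           # after the hour: accepted again
]

if __name__ == "__main__":
    for row in replay(SAMPLE_EVENTS):
        print(row)
```

In a MIMEDefang filter the is_banned() check belongs in filter_relay() and the invalid_recipient() call in filter_recipient() where the recipient lookup fails. The state here lives in one process; with several slaves, as David mentions elsewhere in the thread, it would have to sit in shared storage so that all of them see the same counts.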
Re: [Mimedefang] Adding support for learning our addresses
This is what I came up with. It's been tested on both 32-bit and 64-bit Linux (amd64).

If you call IfAddrs::get() and you only get a single interface name/address pair, test it via isunroutable(). If the address ISN'T unroutable, then you shouldn't be seeing anyone connecting to you with this address as the helo (i.e. it's yours and unique).

On the other hand, if, like me, your local address *is* unroutable, then it means that you're behind a firewall, and need to do a gethostbyname() on your own name to figure out what your outside address is (i.e. what the address of your firewall is that proxies for you).

-Philip

[Attachment: myips.pm, Description: Perl program]
Re: [Mimedefang] Adding support for learning our addresses
Philip Prindeville wrote:
> > > From Perl?
> >
> > But the whole thing's pretty silly anyway -- unless your server is very
> > unusual, you can hard-code its IP address(es) in your filter.
>
> (1) it makes it turn-key so that neophytes can use it more easily;

Neophytes shouldn't attempt to use MIMEDefang. Anything that pretends to make MIMEDefang usable by neophytes is a bug, not a feature, IMO. :-)

> (2) you can run the same config on a cluster of servers unmodified;

On a server whose IP address does not change, you can extract it in filter_initialize. It's only invoked once per slave, so the performance overhead is negligible.

> (3) mobile users with dynDNS can use it.

Users on dynDNS are likely doing so little e-mail traffic that the performance hit of running ifconfig per message isn't an issue.

Regards,
David.
RE: [Mimedefang] Adding support for learning our addresses
I subscribe to ip2location.com, which provides geolocation services by IP address. The info is downloaded nightly from their web servers and put into a database. I check the IP addresses contained in the message against the database and if it's from a foreign country, I block it. You can allow some foreign countries through if you choose... it just takes a little coding.

-- Dave

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Philip Prindeville
Sent: Friday, January 27, 2006 7:46 PM
To: mimedefang@lists.roaringpenguin.com
Subject: Re: [Mimedefang] Adding support for learning our addresses

David F. Skoll wrote:
> Philip Prindeville wrote:
> > From Perl?
>
> But the whole thing's pretty silly anyway -- unless your server is very
> unusual, you can hard-code its IP address(es) in your filter.

Well, there are a few reasons:

(1) it makes it turn-key so that neophytes can use it more easily;
(2) you can run the same config on a cluster of servers unmodified;
(3) mobile users with dynDNS can use it.

I'm not sure, actually... I never checked. Let's see:

$ whois 206.191.13.82
OrgName:    Magma Communications Ltd.
[...]
NetRange:   206.191.0.0 - 206.191.63.255
CIDR:       206.191.0.0/18

Nope; I guess not. Hmmm. I was hoping to be able to blacklist certain countries, etc. like Romania, China, Thailand, etc. that aren't identifiable by rDNS. I suppose a way to manually reset a blacklisting could be done. Or do apply it per a criteria.

BTW: my SpamAssassin pukes at use_terse_report 1. What version does that apply to?

-Philip
RE: [Mimedefang] Adding support for learning our addresses
Another thing to check out are bogons. Bogons are networks that have not been allocated by IANA, which means you should never see them as they technically constitute a non-routable address space.
http://www.cymru.com/Bogons

-- Dave

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Philip Prindeville
Sent: Saturday, January 28, 2006 12:40 AM
To: mimedefang@lists.roaringpenguin.com
Subject: Re: [Mimedefang] Adding support for learning our addresses

> This is what I came up with. It's been tested on both 32-bit and 64-bit Linux (amd64).
>
> If you call IfAddrs::get() and you only get a single interface name/address pair, test it via isunroutable(). If the address ISN'T unroutable, then you shouldn't be seeing anyone connecting to you with this address as the helo (i.e. it's yours and unique).
>
> On the other hand, if, like me, your local address *is* unroutable, then it means that you're behind a firewall, and need to do a gethostbyname() on your own name to figure out what your outside address is (i.e. what the address of your firewall is that proxies for you).
>
> -Philip
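The own-address and HELO logic that Philip's quoted message describes, written out as an added example; this is not code from the thread or from MIMEDefang. It stands in for the IfAddrs::get() / isunroutable() / gethostbyname() steps: the interface address list and the resolver are injected as parameters so it runs offline, and the sample addresses are the ones quoted elsewhere in this thread (206.191.13.82, 71.36.29.88) plus constructed private ones.

```python
"""Added example: classify our own addresses and vet a HELO argument against
them.  Not code from the thread or from MIMEDefang; the interface list and
resolver are injected so it runs offline.  Sample addresses are the ones
quoted in the thread (206.191.13.82, 71.36.29.88) plus constructed RFC 1918
ones."""
import ipaddress
import re


def is_unroutable(addr):
    """True for addresses that cannot be a real source on the public Internet:
    RFC 1918 space, loopback, link-local, the unspecified address.  Python's
    is_private already covers these plus documentation/reserved ranges; the
    extra flags are spelled out for readability."""
    ip = ipaddress.ip_address(addr)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_unspecified)


def learn_our_addresses(local_addrs, hostname, resolver):
    """local_addrs: interface addresses as strings (the thread gets them via
    IfAddrs::get(), i.e. SIOCGIFCONF).  resolver: callable(hostname) -> list
    of address strings, a stand-in for gethostbyname().  Returns the set of
    addresses that only we could truthfully announce ourselves with."""
    ours = {str(ipaddress.ip_address(a)) for a in local_addrs
            if not is_unroutable(a)}
    if not ours:
        # Every interface is on private space, so we sit behind NAT: ask DNS
        # what the outside world calls us.  Split-horizon DNS may hand the
        # private address back again; drop it rather than trust it.
        ours = {str(ipaddress.ip_address(a)) for a in resolver(hostname)
                if not is_unroutable(a)}
    return ours


# Bare or bracketed IPv4 literal: the only HELO form that makes an address claim.
_HELO_LITERAL = re.compile(r"^\[?(\d{1,3}(?:\.\d{1,3}){3})\]?$")


def check_helo(helo, client_ip, our_addrs):
    """Return (verdict, reason) with verdict in {'ok', 'suspect', 'reject'}.
    A stranger announcing itself with one of our addresses cannot be telling
    the truth.  Clients on our own side (our addresses, private space) are
    exempt, in line with Jim's point about MUAs further down the thread."""
    if client_ip in our_addrs or is_unroutable(client_ip):
        return ("ok", "client is on our side; HELO test skipped")
    m = _HELO_LITERAL.match(helo)
    if not m:
        return ("ok", "hostname HELO; no address claim to test")
    try:
        claimed = str(ipaddress.ip_address(m.group(1)))
    except ValueError:
        return ("reject", "malformed IP literal in HELO")
    if claimed in our_addrs:
        return ("reject", "HELO claims our address " + claimed)
    if is_unroutable(claimed):
        return ("suspect", "HELO uses unroutable literal " + claimed)
    return ("ok", "IP literal HELO that is not ours")


if __name__ == "__main__":
    # Constructed sample: a NATed box whose only public identity comes from DNS.
    ours = learn_our_addresses(["127.0.0.1", "192.168.1.10"],
                               "mail.example.invalid",
                               lambda host: ["206.191.13.82"])
    for helo, client in [("206.191.13.82", "71.36.29.88"),
                         ("71.36.29.88", "71.36.29.88"),
                         ("[10.0.0.1]", "71.36.29.88")]:
        print(helo, client, check_helo(helo, client, ours))
```

The exemption for clients on our own side is deliberate: a filter_helo() hook runs before AUTH, so the only thing known about a submitting MUA at that point is its source address, and an internal relay with a private address would otherwise trip the "unroutable literal" branch.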
Re: [Mimedefang] Adding support for learning our addresses
David Nelson wrote: I subscribe to ip2location.com, which provides geolocation services by IP address. The info is downloaded on nightly from their web servers and put into a database. I check the IP addresses contained in the message against the database and if it's from a foreign country, I block it. Isn't that a little draconian? After all, most spam originates in the US and Canada. (And we couldn't possibly implement such a policy; about 90% of our customers and 95% of our revenue are from a foreign country. :-)) You can also get a free (but probably less accurate) database mapping IP address to country from http://ip-to-country.webhosting.info/ We use it on our Web site; if someone fills in a form claiming to be from Canada, but their IP address says Moldova, we treat the request with a little extra skepticism. Regards, David. ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
RE: [Mimedefang] Adding support for learning our addresses
Draconian? Yeah, probably... I agree there's a lot of spam generated within the US, but I can filter out Canada! ;)

In my instance, I get a ton of foreign (outside the US) mail and 99% of it is spam. This methodology ultimately helps me cut down the noise. Besides, if I do need to allow foreign mail inside, I can either whitelist the address/domain or allow the entire country in.

I guess the moral here is: your mileage may vary.

-- Dave

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David F. Skoll
Sent: Saturday, January 28, 2006 9:31 AM
To: mimedefang@lists.roaringpenguin.com
Subject: Re: [Mimedefang] Adding support for learning our addresses

> David Nelson wrote:
>> I subscribe to ip2location.com, which provides geolocation services by IP address. The info is downloaded nightly from their web servers and put into a database. I check the IP addresses contained in the message against the database and if it's from a foreign country, I block it.
>
> Isn't that a little draconian? After all, most spam originates in the US and Canada. (And we couldn't possibly implement such a policy; about 90% of our customers and 95% of our revenue are from a foreign country. :-))
>
> You can also get a free (but probably less accurate) database mapping IP address to country from http://ip-to-country.webhosting.info/
>
> We use it on our Web site; if someone fills in a form claiming to be from Canada, but their IP address says Moldova, we treat the request with a little extra skepticism.
>
> Regards,
>
> David.
Re: [Mimedefang] Adding support for learning our addresses
David F. Skoll wrote:
> Neophytes shouldn't attempt to use MIMEDefang. Anything that pretends to make MIMEDefang usable by neophytes is a bug, not a feature, IMO. :-)

Well, you can know something about email, even Perl scripting, and not know of a better way to get IP addresses than grepping out ifconfig -a ...

>> (2) you can run the same config on a cluster of servers unmodified;
>
> On a server whose IP address does not change, you can extract it in filter_initialize. It's only invoked once per slave, so the performance overhead is negligible.

We're talking at crossed purposes. I'm saying that embedding the address explicitly into the config means that you can't have an identical config running on a pool of mail servers. You're saying that the overhead of determining the address once at startup is acceptable. Both are true, but unrelated.

>> (3) mobile users with dynDNS can use it.
>
> Users on dynDNS are likely doing so little e-mail traffic that the performance hit of running ifconfig per message isn't an issue.

Probably, but it's still a cooler way of figuring it out. ;-)

-Philip
Re: [Mimedefang] Adding support for learning our addresses
Cool. Too bad no one has written an XML way of retrieving it and parsing it out.

-Philip

David Nelson wrote:
> Another thing to check out are bogons. Bogons are networks that have not been allocated by IANA, which means you should never see them as they technically constitute a non-routable address space.
> http://www.cymru.com/Bogons
>
> -- Dave
RE: [Mimedefang] Adding support for learning our addresses
From: David Nelson
Sent: Saturday, January 28, 2006 9:13 AM
> I subscribe to ip2location.com, which provides geolocation services by IP address. The info is downloaded nightly from their web servers and put into a database. I check the IP addresses contained in the message against the database and if it's from a foreign country, I block it.

We use spfilter to build a large sendmail access list file:
http://sourceforge.net/docman/display_doc.php?docid=14634group_id=49927

We run it nightly to update the access list, and then rebuild access.db. Spfilter can produce the lists in many different formats. Here are the block lists currently available:
http://spfilter.openrbl.org/code/xml-view.php

We run with SPAM_SAFE,COUNTRY,CBL as well as our own local overrides.
Re: [Mimedefang] Adding support for learning our addresses
Ok, so who wants to cooperate on a Perl module to map IP addresses to CIDR blocks, provider names, and country codes?

-Philip
RE: [Mimedefang] Adding support for learning our addresses
From: Philip Prindeville
Sent: Saturday, January 28, 2006 10:43 AM
> Cool. Too bad no one has written an XML way of retrieving it and parsing it out.

They have. See BOGO below:
http://spfilter.openrbl.org/code/xml-view.php

BOGO INTERVAL=7 TYPE=cidr/3 MAZSIZE=2 OPTION=notext
  home    http://www.cymru.com/Documents/bogon-list.html
  url     http://mirror.bliab.com/bogo/BOGO.cidr.aggreg.gz
  url     http://www.cymru.com/Documents/bogon-bn-agg.txt
  url     http://www.cymru.com/Documents/bogon-bn-nonagg.txt
  tag     BOGON ROUTE
  append  - http://openrbl.org/whois?i=
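What the module Philip asks for (IP to CIDR block, provider name and country code) and a bogon check against a list like the BOGO feed above would look like at their core, as an added example; this is not code from the thread, from spfilter or from MIMEDefang. The table format ('cidr tag country [description]') and every row in it are constructed for the example: the /18 is the Magma allocation from the whois output quoted earlier in the thread, the /29 inside it is a made-up customer sub-allocation to show longest-prefix matching, and the two bogon rows stand in for a real bogon feed. IPv4 only, as is the whole thread.

```python
"""Added example: longest-prefix lookup mapping an IP to the CIDR block, tag
and country it falls in, with a bogon/country policy on top.  Not code from
the thread, spfilter or MIMEDefang.  SAMPLE_TABLE is constructed; the /18 is
the Magma block from the thread's whois output, the /29 is made up.  IPv4 only."""
import ipaddress

SAMPLE_TABLE = """\
# constructed sample: cidr  tag    country  description
0.0.0.0/8          BOGON  -        "this" network, never a valid source
224.0.0.0/4        BOGON  -        multicast
206.191.0.0/18     NET    CA       Magma Communications Ltd.
206.191.13.80/29   NET    CA       colo customer sub-allocation (constructed)
"""


def load_table(text):
    """Parse the list into {prefixlen: {network_address_int: record}} so a
    lookup is one dict probe per distinct prefix length."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 3)
        if len(parts) < 3:
            raise ValueError("line %d: expected 'cidr tag country [description]'" % lineno)
        net = ipaddress.ip_network(parts[0], strict=False)
        if net.version != 4:
            raise ValueError("line %d: IPv4 only" % lineno)
        record = {"cidr": str(net), "tag": parts[1], "country": parts[2],
                  "desc": parts[3] if len(parts) == 4 else ""}
        table.setdefault(net.prefixlen, {})[int(net.network_address)] = record
    return table


def lookup(table, addr):
    """Return the record of the most specific block containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("IPv4 only")
    n = int(ip)
    for plen in sorted(table, reverse=True):       # longest prefix wins
        mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
        record = table[plen].get(n & mask)
        if record is not None:
            return record
    return None


def relay_verdict(table, addr, blocked_countries=frozenset()):
    """Policy on top of the lookup: bogons are rejected outright (nothing
    legitimate is sourced from them); country blocking is opt-in, since, as
    the thread notes, it is draconian for anyone with foreign customers."""
    record = lookup(table, addr)
    if record is None:
        return ("ok", "no listing for " + addr)
    if record["tag"] == "BOGON":
        return ("reject", "%s is in bogon block %s" % (addr, record["cidr"]))
    if record["country"] in blocked_countries:
        return ("reject", "%s is in blocked country %s (%s)"
                % (addr, record["country"], record["cidr"]))
    return ("ok", "%s is in %s (%s)"
            % (addr, record["cidr"], record["desc"] or record["tag"]))


if __name__ == "__main__":
    table = load_table(SAMPLE_TABLE)
    for ip in ["206.191.13.82", "206.191.20.1", "0.1.2.3", "71.36.29.88"]:
        print(ip, lookup(table, ip), relay_verdict(table, ip))
```

The per-prefix-length dictionaries keep a lookup to at most one probe per distinct mask length even when the feed has tens of thousands of rows, which is the size of a nightly bogon plus country list; the sub-allocation row is there to show why the lookup must prefer the longest prefix, since a blacklist keyed on the /18 alone would be exactly the collateral damage David objects to further down the thread.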
Re: [Mimedefang] Adding support for learning our addresses
While it is true that a majority of it originates within the US, UK and Canada, it is also true that the majority of open relays and shoddy servers and open networks are overseas... I do not advocate blocking the netblocks of entire countries... but so much comes from Korea, Japan and other Asian countries where broadband is exploding in the homes (and by "comes from" I mean these are the servers that are owned, exploited, etc) that we seriously considered it. Not to mention, have you ever tried to get an administrator in China to cooperate (or even respond) when trying to track back an attack?...

Jim

David F. Skoll wrote:
> Isn't that a little draconian? After all, most spam originates in the US and Canada. (And we couldn't possibly implement such a policy; about 90% of our customers and 95% of our revenue are from a foreign country. :-))
Re: [Mimedefang] Adding support for learning our addresses
Sure you can. I think you are over-complicating it as well; it would cost less to read in an external config file once that contains these 'variables.' It can even be something as simple as a cfg file in /etc/mail/ with one IP per line or some such... we tie to a hashed db config file (ours does more than set IPs) for this type of thing all the time and it does simplify bringing up a new server quite a bit.

Something else unrelated to note... if your server talks to MUAs then you will want to exempt any user from your helo stuff that authenticates (we also exempt based on the sender's IP if we are certain of the IP and it is ours).

Jim

Philip Prindeville wrote:
> We're talking at crossed purposes. I'm saying that embedding the address explicitly into the config means that you can't have an identical config running on a pool of mail servers. You're saying that the overhead of determining the address once at startup is acceptable. Both are true, but unrelated.
>
> -Philip
Re: [Mimedefang] Adding support for learning our addresses
Except that if you're using filter_helo(), you haven't yet seen authentication information at that point... AUTH happens after HELO.

-Philip

James Ebright wrote:
> Something else unrelated to note... if your server talks to MUAs then you will want to exempt any user from your helo stuff that authenticates (we also exempt based on the sender's IP if we are certain of the IP and it is ours).
Re: [Mimedefang] Adding support for learning our addresses
Philip Prindeville wrote:
> Hmmm I was wondering if we might want to call ioctl(..., SIOCGIFCONF...) followed by SIOCGIFADDR to get the list of our IP addresses... So we can do some filtering on people claiming to be us.

http://search.cpan.org/~tpaba/Net-Ifconfig-Wrapper-0.09/

> I.e. if someone connects to me and says helo 71.36.29.88 then I know for a fact that they aren't me...

That is a very popular test: http://www.mimedefang.org/kwiki/index.cgi?UseHeloToCatchSpam2

> One other thing I thought about: what about detecting spammers, and then looking up the CIDR block that their address belongs to, and adding it to a blacklist automatically in filter_relay()?

Too many false-positives. We own a measly 8 IP addresses where our colo box sits. If you block us because someone on our class C was bad, that's unfair.

-- David.
Re: [Mimedefang] Adding support for learning our addresses
David F. Skoll wrote:
> http://search.cpan.org/~tpaba/Net-Ifconfig-Wrapper-0.09/

Too heavyweight. Requires a fork/exec for each iteration. Easier to just do some ioctl()'s.

> Too many false-positives. We own a measly 8 IP addresses where our colo box sits. If you block us because someone on our class C was bad, that's unfair.

And your farm facility doesn't allocate individual CIDR information for clients?

-Philip
Re: [Mimedefang] Adding support for learning our addresses
David F. Skoll wrote:
> Philip Prindeville wrote:
>> From Perl?
> But the whole thing's pretty silly anyway -- unless your server is very unusual, you can hard-code its IP address(es) in your filter.

Well, there are a few reasons:
(1) it makes it turn-key so that neophytes can use it more easily;
(2) you can run the same config on a cluster of servers unmodified;
(3) mobile users with dynDNS can use it.

I'm not sure, actually... I never checked. Let's see:

$ whois 206.191.13.82
OrgName:    Magma Communications Ltd.
[...]
NetRange:   206.191.0.0 - 206.191.63.255
CIDR:       206.191.0.0/18

Nope; I guess not. Hmmm.

I was hoping to be able to blacklist certain countries, etc. like Romania, China, Thailand, etc. that aren't identifiable by rDNS. I suppose a way to manually reset a blacklisting could be done. Or apply it per some criterion.

BTW: my SpamAssassin pukes at use_terse_report 1. What version does that apply to?

-Philip
Re: [Mimedefang] Adding support for learning our addresses
On Sat, 28.01.2006 at 4:46, Philip Prindeville wrote:
> BTW: my SpamAssassin pukes at use_terse_report 1. What version does that apply to?
>
> -Philip

Pre SA 3.x. You may now use "remove_header all Report" to remove the verbose report.

Alexander

--
Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp
Serendipity 05:45:09 up 54 days, 10:22, load average: 0.24, 0.28, 0.24
Re: [Mimedefang] Adding support for learning our addresses
On a bit more sophisticated level (ok, a lot more sophisticated level), a guy named A.J. Fasano has developed a fantastic system, one part of which does the type of lookups you are referring to. He calls it relayregistry.org and it's fantastic. One of the things he focuses very well on doing is helping ham get through, which is something I think is often forgotten in the anti-spam world.

If you would like to use the system, email me your daily mail volume and I'll forward your request. If approved, I'll send you the MD code and SA rule files.

BTW, anyone out there doing any REALLY scary mail volumes like 100 million+ daily emails? I'd really like to discuss whether SA and MD can handle this type of volume and what type of hardware requirements, etc.

Sincerely,
KAM

> One other thing I thought about: what about detecting spammers, and then looking up the CIDR block that their address belongs to, and adding it to a blacklist automatically in filter_relay()? We could set a threshold for the number of offenses before they get added in.