Re: Spamd - whitelist of mis-behaving SMTP server POOLS
Steve Williams wrote:
> [...]
> Bob, if you are listening, what do you do at the U of A to handle these
> mis-behaving server pools? Anyone else??
>
> Thanks,
> Steve Williams

I've found that some servers retry too quickly, such as Yahoo. Spamd ignores retries that come too quickly, so I ended up lowering the passtime parameter from the default of 25 minutes to 5 minutes because I saw Yahoo servers retrying a few times every 7 minutes. I have no idea how wise this is, but it works for me so far.
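To make the effect of that passtime change concrete, here is an added example (my code, not Will's and not spamd's own): a small model of the greylisting rule as spamd(8) documents it, run against one host retrying every 7 minutes under the default 25-minute passtime and under 5 minutes, and against a pool that rotates hosts the way the 205.152.59.x entries in Steve's spamdb output do. The retry schedule, the 192.0.2.10 host and the example.com mailboxes are constructed.

```python
"""Model of spamd's greylisting decision for one sender/recipient tuple.

Added example, not code from the thread or from spamd itself: a simplified
model of the behaviour documented in spamd(8). Times are seconds; the
defaults are spamd's -G passtime:greyexp:whiteexp defaults of 25 minutes
and 4 hours (whiteexp, 36 days, is not modelled).
"""
from dataclasses import dataclass, field

PASSTIME = 25 * 60       # default passtime: a retry must come this long after the first try
GREYEXP = 4 * 60 * 60    # default greyexp: unpassed grey entries are dropped after this


@dataclass
class Greylist:
    passtime: int = PASSTIME
    greyexp: int = GREYEXP
    grey: dict = field(default_factory=dict)   # (ip, from, to) -> [first_seen, bcount]
    white: set = field(default_factory=set)    # source IPs that have passed

    def attempt(self, now, ip, sender, rcpt):
        """Return 'pass' if the delivery attempt would get through, else '451'."""
        if ip in self.white:
            return "pass"
        key = (ip, sender, rcpt)
        entry = self.grey.get(key)
        if entry is not None and now - entry[0] > self.greyexp:
            del self.grey[key]               # never retried in time: entry expired
            entry = None
        if entry is None:
            self.grey[key] = [now, 1]        # first sighting of this tuple: greylist it
            return "451"
        if now - entry[0] < self.passtime:
            entry[1] += 1                    # retried too early: still temp-failed
            return "451"
        del self.grey[key]
        self.white.add(ip)                   # retried after passtime: the host goes white
        return "pass"


def deliver(gl, hosts, retry_every, max_retries,
            sender="list@example.com", rcpt="me@example.net"):
    """Simulate one message retried every retry_every seconds, each attempt
    coming from the next host in hosts (cycling). Returns the minute at which
    the message got through, or None if the sender gave up first."""
    for n in range(max_retries + 1):
        ip = hosts[n % len(hosts)]
        if gl.attempt(n * retry_every, ip, sender, rcpt) == "pass":
            return n * retry_every // 60
    return None


# Constructed pool built from the addresses in the post: a different host
# retries each time, so no single (ip, from, to) tuple ever ages past passtime.
POOL = ["205.152.59.48", "205.152.59.51", "205.152.59.65", "205.152.59.66",
        "205.152.59.67", "205.152.59.68", "205.152.59.72"]


def scenarios():
    """Run the cases discussed in the thread; returns minutes-to-pass per case."""
    return {
        # one host retrying every 7 min, gives up after 3 retries, default passtime: never passes
        "single host, 25 min passtime, 3 retries": deliver(Greylist(), ["192.0.2.10"], 7 * 60, 3),
        # same host, but a 4th retry at 28 min clears the 25 min passtime
        "single host, 25 min passtime, 4 retries": deliver(Greylist(), ["192.0.2.10"], 7 * 60, 4),
        # passtime lowered to 5 min: the first 7 min retry already passes
        "single host, 5 min passtime, 3 retries": deliver(Greylist(passtime=5 * 60), ["192.0.2.10"], 7 * 60, 3),
        # a rotating pool never passes, however short passtime is
        "7-host pool, 5 min passtime, 6 retries": deliver(Greylist(passtime=5 * 60), POOL, 7 * 60, 6),
    }


if __name__ == "__main__":
    for name, minutes in scenarios().items():
        print(f"{name}: {'gave up' if minutes is None else f'passed after {minutes} min'}")
```

The pool case is the one no passtime setting fixes: every attempt creates a fresh GREY tuple, so nothing ever ages past passtime and the only remedy is whitelisting the block.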
Re: Spamd - whitelist of mis-behaving SMTP server POOLS
On Oct 20, 2006, at 8:42 AM, Will H. Backman wrote:
> Steve Williams wrote:
>> Bob, if you are listening, what do you do at the U of A to handle these
>> mis-behaving server pools? Anyone else??

I have been running spamd for several years now, and have found that it works quite well for my company mail server, which receives about 5 emails per day. That said, I have had to maintain a list of misbehaving mailservers which bypass spamd. The following list started as the list from greylisting.org, and contains some additions of my own. For the most part, though, I never have to intervene, and I use the default greylist settings.

Steve

12.4.226.0/28 # console energy
12.5.136.141 # Southwest Airlines (unique sender, no retry)
12.5.136.142 # Southwest Airlines (unique sender, no retry)
12.107.209.244 # kernel.org mailing lists (high traffic, unique sender per mail)
12.107.209.250 # sourceware.org mailing lists (high traffic, unique sender per mail)
12.129.227.0/24 # gibsondunn.com
38.119.108.120 # best places to work survey
38.119.108.121 # best places to work survey
63.82.37.110 # SLmail
63.172.244.133 # kenexa.com
63.251.135.74 #constant contact
63.251.135.75 #constant contact
63.251.135.94 #constant contact
63.251.135.95 #constant contact
63.251.135.96 #constant contact
63.251.135.97 #constant contact
63.251.135.98 #constant contact
63.251.135.103 #constant contact
63.251.135.107 #constant contact
63.251.135.109 #constant contact
63.251.135.114 #constant contact
63.251.135.115 #constant contact
64.7.153.18 # sentex.ca (common pool)
64.12.137.0/24 # AOL (common pool) - http://postmaster.aol.com/servers/imo.html
64.12.138.0/24 # AOL (common pool)
64.95.46.224/27 # sothebys realty
64.95.77.162 # constant contact
64.95.77.163 # constant contact
64.95.77.164 # constant contact
64.95.77.166 # constant contact
64.95.77.167 # constant contact
64.95.77.168 # constant contact
64.124.204.39/32 # moveon.org (unique sender per attempt)
64.125.132.254/32 # collab.net (unique sender per attempt)
64.202.165.0/24 #
66.100.210.82 # Groupwise?
66.135.209.0/24 # Ebay (for time critical alerts)
66.135.197.0/24 # Ebay (common pool)
66.150.191.0/24 # gibsondunn.com
66.151.184.35 # constant contact
66.151.184.36 # constant contact
66.151.184.37 # constant contact
66.151.184.38 # constant contact
66.151.234.150 # constant contact
66.151.234.151 # constant contact
66.151.234.152 # constant contact
66.151.234.153 # constant contact
66.151.234.154 # constant contact
66.249.64.0/19 # Google
66.162.216.166 # Groupwise?
66.206.22.82 # PLEXOR
66.206.22.83 # PLEXOR
66.206.22.84 # PLEXOR
66.206.22.85 # PLEXOR
66.218.66.0/24 # Yahoo Groups servers (common pool, no retry)
66.218.67.0/24 # Yahoo Groups servers (common pool, no retry)
66.218.69.0/24 # Yahoo Groups servers (common pool, no retry)
68.142.192.0/18 # Yahoo
68.160.78.224/28
69.214.162.192/26
74.8.36.5 # arnoldmagnetics
74.8.36.7 # arnoldmagnetics
192.80.128.0/18 # thomson financial
195.224.48.0/24 # thomaspreston.co.uk
203.196.189.112/28 # kenexa
204.139.85.180 # ahss.org
204.139.85.181 # ahss.org
204.139.85.182 # ahss.org
206.16.56.0/24 # gibsondunn.com
207.67.8.0/24 # Milwaukee Bucks
207.170.16.74 # boelter.com
207.170.16.75 # boelter.com
207.241.31.46 # Goldberg Kohn
209.120.244.0/25 # kenexa
216.163.76.80/28 # Neorx.com
Re: Spamd - whitelist of mis-behaving SMTP server POOLS
> GREY|205.152.59.67...
> GREY|205.152.59.68...
> GREY|205.152.59.72...

Unless it's changed since I asked, the policy of the list on greylisting.org is not to list common queue sender pools from a /24 or smaller block, because it's intended to be used with milter-greylist, which masks out the last byte of the address. These addresses aren't on their list.
Re: Spamd - whitelist of mis-behaving SMTP server POOLS
> I am 99% sure that I have seen on the internet SOMEWHERE a whitelist of
> servers that are like this. I thought Bob Beck had forwarded one at one
> point in time, but I can only find his post regarding the tarfile he
> maintains for the zombie hosts.
>
> Bob, if you are listening, what do you do at the U of A to handle these
> mis-behaving server pools? Anyone else??

http://www.greylisting.org/whitelisting.shtml

-Bob
Re: THANKS!! Spamd - whitelist of mis-behaving SMTP server POOLS
Steve Williams wrote:
> [...]
> Bob, if you are listening, what do you do at the U of A to handle these
> mis-behaving server pools? Anyone else??
>
> Thanks,
> Steve Williams

Thank you everyone, quite a wealth of information!

It is interesting that a google for "whitelist" doesn't return greylisting.org within the first 1000 hits, while a google for "whitelistING" returns it in the top 10. I guess I failed miserably on my google incantations last night.

Thanks again everyone!

Cheers,
Steve Williams
Spamd - whitelist of mis-behaving SMTP server POOLS
Hi,

I have been running spamdb greylisting only for several years as my only line of defense at home. At work I have managed to sneak in a Sparc64 Sunfire 120 (OpenBSD 3.9) as a caching web proxy default gateway.

Today, we had a fairly aggressive attack on our email system, 6000+ emails in a relatively short period of time. I took the opportunity to deploy greylisting on the OpenBSD box (which is our first line of defense... first of many). It's performed well, and is up to about 300 email servers whitelisted.

I know from personal experience that Bell in Ontario (at the minimum) and a few other ISPs have server pools that do not cooperate nicely with greylisting. They do not guarantee the same server will retry sending the email when it's blocked by spamdb (451 temporary failure).

On my computer at home, I notice these entries when I do a "spamdb | more" and see something like:

GREY|205.152.59.48|[EMAIL PROTECTED]|[EMAIL PROTECTED]|1161299154|1161313554|1161313554|1|0
GREY|205.152.59.51|[EMAIL PROTECTED]|[EMAIL PROTECTED]|1161296098|1161310498|1161310498|1|0
GREY|205.152.59.65|[EMAIL PROTECTED]|[EMAIL PROTECTED]|1161300604|1161315004|1161315004|1|0
GREY|205.152.59.66|[EMAIL PROTECTED]|[EMAIL PROTECTED]|1161302039|1161316439|1161316439|1|0
GREY|205.152.59.67|[EMAIL PROTECTED]|[EMAIL PROTECTED]|1161294517|1161308917|1161308917|1|0
GREY|205.152.59.68|[EMAIL PROTECTED]|[EMAIL PROTECTED]|1161292315|1161306715|1161306715|1|0
GREY|205.152.59.72|[EMAIL PROTECTED]|[EMAIL PROTECTED]|1161297659|1161312059|1161312059|1|0

On my personal email server, it happens VERY seldom. On our work server, it only took a couple of hours for this to show up. It looks like Yahoo might be the same way.

I am 99% sure that I have seen on the internet SOMEWHERE a whitelist of servers that are like this. I thought Bob Beck had forwarded one at one point in time, but I can only find his post regarding the tarfile he maintains for the zombie hosts.

Bob, if you are listening, what do you do at the U of A to handle these mis-behaving server pools? Anyone else??

Thanks,
Steve Williams
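An added example (mine, not from the post) of picking pools like this out of spamdb output automatically, so the block can be reviewed before it is whitelisted. It parses the spamdb(8) line format, groups greylisted entries by /24, and reports blocks where several distinct hosts sit greylisted for the same sender and recipient with no passes, together with the smallest CIDR covering the hosts seen. The sample data reuses the addresses and timestamps from the post with placeholder mailboxes, and adds one host that retried too early and one whitelisted host for contrast; both of those are constructed.

```python
"""Spot greylisted sender pools in spamdb(8) output.

Added example, not from the post. spamdb prints one entry per line:
GREY|ip|from|to|first|pass|expire|bcount|pcount for greylisted tuples and
WHITE|ip|||first|pass|expire|bcount|pcount for whitelisted hosts. A pool
that retries from a different host each time leaves one GREY entry per host
in the same block, all for the same sender/recipient pair and all with
pcount 0. Grouping GREY entries by /24 surfaces those blocks, and the
smallest network covering the hosts seen is reported as a candidate for
manual review before anything is whitelisted.
"""
import ipaddress
from collections import defaultdict

# Constructed sample modelled on the post's spamdb output: the 205.152.59.x
# addresses and timestamps are the ones shown there, mailboxes are
# placeholders, and the last two lines are made up to show non-pool entries.
SAMPLE = """\
GREY|205.152.59.48|list@example.com|me@example.net|1161299154|1161313554|1161313554|1|0
GREY|205.152.59.51|list@example.com|me@example.net|1161296098|1161310498|1161310498|1|0
GREY|205.152.59.65|list@example.com|me@example.net|1161300604|1161315004|1161315004|1|0
GREY|205.152.59.66|list@example.com|me@example.net|1161302039|1161316439|1161316439|1|0
GREY|205.152.59.67|list@example.com|me@example.net|1161294517|1161308917|1161308917|1|0
GREY|205.152.59.68|list@example.com|me@example.net|1161292315|1161306715|1161306715|1|0
GREY|205.152.59.72|list@example.com|me@example.net|1161297659|1161312059|1161312059|1|0
GREY|198.51.100.7|other@example.org|me@example.net|1161290000|1161304400|1161304400|3|0
WHITE|192.0.2.25|||1161200000|1161201500|1164310000|2|1
"""

FIELDS = ("type", "ip", "from", "to", "first", "pass", "expire", "bcount", "pcount")


def parse_spamdb(text):
    """Parse spamdb output into dicts; lines with a different field count
    (TRAPPED, SPAMTRAP entries) are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.rstrip("\n").split("|")
        if len(fields) != len(FIELDS):
            continue
        entry = dict(zip(FIELDS, fields))
        for name in ("first", "pass", "expire", "bcount", "pcount"):
            entry[name] = int(entry[name])
        entries.append(entry)
    return entries


def covering_network(ips):
    """Smallest CIDR block that contains every address in ips."""
    net = ipaddress.ip_network(str(min(ips)))
    while not all(ip in net for ip in ips):
        net = net.supernet()
    return net


def find_pools(entries, prefix=24, min_hosts=3):
    """Return blocks where >= min_hosts distinct hosts are greylisted for the
    same sender/recipient pair without any of them having passed."""
    groups = defaultdict(lambda: defaultdict(set))   # block -> (from, to) -> hosts
    for e in entries:
        if e["type"] != "GREY" or e["pcount"] != 0:
            continue
        block = ipaddress.ip_network(f"{e['ip']}/{prefix}", strict=False)
        groups[block][(e["from"], e["to"])].add(ipaddress.ip_address(e["ip"]))
    pools = []
    for block, pairs in groups.items():
        for (sender, rcpt), hosts in pairs.items():
            if len(hosts) >= min_hosts:
                pools.append({
                    "block": str(block),
                    "from": sender,
                    "to": rcpt,
                    "hosts": [str(h) for h in sorted(hosts)],
                    "covering": str(covering_network(hosts)),
                })
    return sorted(pools, key=lambda p: p["block"])


if __name__ == "__main__":
    for pool in find_pools(parse_spamdb(SAMPLE)):
        print(f"{pool['block']}: {len(pool['hosts'])} hosts greylisted for "
              f"{pool['from']} -> {pool['to']}, covering {pool['covering']}")
```

The single 198.51.100.7 entry with bcount 3 is the other failure mode from this thread, a host retrying before passtime has elapsed; it is not reported because one host is not a pool. The covering network is only a starting point: the /24 masking that greylisting.org assumes, or the /23 an SPF record reveals, may be the better block to whitelist.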
Re: Spamd - whitelist of mis-behaving SMTP server POOLS
On 10/19/06, Steve Williams [EMAIL PROTECTED] wrote:
> I am 99% sure that I have seen on the internet SOMEWHERE a whitelist of
> servers that are like this. I thought Bob Beck had forwarded one at one
> point in time, but I can only find his post regarding the tarfile he
> maintains for the zombie hosts.

greylisting.org ?

> Bob, if you are listening, what do you do at the U of A to handle these
> mis-behaving server pools? Anyone else??

I whitelist the block manually after someone notices. Sometimes it's obvious (your example was a simple /24), sometimes it takes a few tries because the pool is so large. The list from greylisting.org fixes the well-known mail pools.

-- 
Jon
Re: Spamd - whitelist of mis-behaving SMTP server POOLS
On Thu, Oct 19, 2006 at 06:23:20PM -0600, Steve Williams wrote:
> [...]
> I thought Bob Beck had forwarded one at one point in time, but I can only
> find his post regarding the tarfile he maintains for the zombie hosts.
>
> Bob, if you are listening, what do you do at the U of A to handle these
> mis-behaving server pools? Anyone else??
>
> Thanks,
> Steve Williams

I have the same issue with certain pools. I added a bit to my pf.conf:

--
table <mywhite> persist file "/etc/mail/whitelist.txt"
# place this BEFORE rdr rules for spamd
no rdr inet proto tcp from <mywhite> to any port smtp
--

Then I manually add certain pools to whitelist.txt. Sometimes you get lucky and find SPF entries, like for gmail. Otherwise you have to make a guess. FYI, "host -ttxt bellsouth.net" returns 205.152.58.0/23 for spf.

Oh, I also use whitelist.txt in spamd-setup, though it's not really needed since the no rdr bypasses all that anyway.

-- 
Darrin Chandler            |  Phoenix BSD Users Group
[EMAIL PROTECTED]          |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |
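Since everything in that table skips spamd outright, the file is worth auditing before pfctl loads it. The following added example (mine, not Darrin's) parses a whitelist.txt in the one-entry-per-line, "# comment" format used by the lists in this thread and reports duplicates, entries already covered by a wider block, blocks broader than /24, host bits set in a CIDR, unparsable lines, and entries with no comment saying why they bypass spamd. The sample file is constructed from a few entries in Steve's list plus some deliberately bad lines; the 999.1.1.1 typo and the /27 guess are made up.

```python
"""Audit a spamd bypass whitelist such as /etc/mail/whitelist.txt.

Added example, not from the thread. The file format assumed here is the one
the lists in this thread use: one address or CIDR per line with an optional
'# comment'. Every address in the table skips spamd completely via the
'no rdr' rule, so the audit flags what deserves a second look before the
file is loaded: unparsable lines, entries with host bits set, duplicates,
entries already covered by a broader one, blocks wider than a chosen prefix
length, and entries with no comment saying why they are there.
"""
import ipaddress

# Constructed sample built from entries in the thread's list plus a few
# deliberately bad lines (a duplicate, a host inside a listed /24, a CIDR
# with host bits set, and a typo) to exercise the checks.
SAMPLE = """\
12.5.136.141 # Southwest Airlines (unique sender, no retry)
12.5.136.142 # Southwest Airlines (unique sender, no retry)
63.251.135.74 # constant contact
63.251.135.74 # constant contact
64.12.137.0/24 # AOL (common pool)
64.12.137.25 # AOL (common pool)
64.202.165.0/24 #
66.249.64.0/19 # Google
68.160.78.224/28
205.152.59.48/27 # guessed pool block
999.1.1.1 # typo
"""


def parse_whitelist(text):
    """Return (entries, problems): entries are (network, comment, lineno),
    problems are (lineno, message) for lines that need attention."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        body, _, comment = raw.partition("#")
        body = body.strip()
        if not body:
            continue
        try:
            net = ipaddress.ip_network(body)            # strict: host bits must be zero
        except ValueError:
            try:
                net = ipaddress.ip_network(body, strict=False)
            except ValueError:
                problems.append((lineno, f"not an address or CIDR: {body!r}"))
                continue
            problems.append((lineno, f"host bits set in {body}; masked to {net}"))
        entries.append((net, comment.strip(), lineno))
    return entries, problems


def audit(entries, widest_prefix=24):
    """Return (lineno, message) findings, sorted by line."""
    findings, seen = [], {}
    for net, comment, lineno in entries:
        if net in seen:
            findings.append((lineno, f"duplicate of line {seen[net]}: {net}"))
            continue
        seen[net] = lineno
        if net.prefixlen < widest_prefix:
            findings.append((lineno, f"broad block {net} ({net.num_addresses} addresses bypass spamd)"))
        if not comment:
            findings.append((lineno, f"no comment for {net}: record why it bypasses spamd"))
        for other, _, oline in entries:                 # covered by a wider entry?
            if other != net and other.version == net.version and net.subnet_of(other):
                findings.append((lineno, f"{net} is already covered by {other} (line {oline})"))
                break
    return sorted(findings)


if __name__ == "__main__":
    entries, problems = parse_whitelist(SAMPLE)
    for lineno, message in sorted(problems + audit(entries)):
        print(f"line {lineno}: {message}")
```

The broad-block check is the one to tune: a /18 or /19 for a large provider is sometimes the right answer, but every address in it gets straight to the MTA, so it should carry a comment naming the source (the provider's postmaster page or its SPF record) rather than a guess.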
Re: Spamd - whitelist of mis-behaving SMTP server POOLS
On 10/19/06, Steve Williams [EMAIL PROTECTED] wrote:
> [...]
> Bob, if you are listening, what do you do at the U of A to handle these
> mis-behaving server pools? Anyone else??
>
> Thanks,
> Steve Williams

As seen on undeadly: http://home.xnet.com/~ansible/openbsd_spamd_conf.html contains a tutorial on setting up spamd on OpenBSD. It is helpful as it shows an example script that creates a whitelist by looking at SPF DNS records in a list of domains.

Also, as someone else mentioned, greylisting.org has an excellent whitelist in a CVS repository here: http://cvs.puremagic.com/viewcvs/greylisting/schema/whitelist_ip.txt

Kevin
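The SPF approach Kevin and Darrin mention, as an added example that is not the tutorial's script: it parses one SPF TXT record offline, emits whitelist.txt lines for the ip4:/ip6: mechanisms, and lists the include:, mx, a and redirect= terms that still need DNS resolution instead of silently dropping them. The record is constructed (modelled on the /23 Darrin quotes for bellsouth.net, with placeholder domains and documentation addresses); in use you would pass in the TXT record that "host -t txt <domain>" returns.

```python
"""Turn a domain's SPF record into spamd whitelist entries.

Added example, not the script from the linked tutorial. The record text is
embedded here (constructed, modelled on the 205.152.58.0/23 Darrin reports
for bellsouth.net) so it runs offline. Only ip4:/ip6: mechanisms map to
addresses directly; include:, a, mx, ptr, exists: and redirect= need further
DNS lookups, so they are returned separately for follow-up rather than
dropped. Mechanisms qualified '-', '~' or '?' never become whitelist
entries, since the domain itself does not vouch for them.
"""
import ipaddress

# Constructed record; the domain and the include target are placeholders.
SAMPLE_RECORD = ("v=spf1 ip4:205.152.58.0/23 ip4:203.0.113.5 ip4:198.51.100.0/25 "
                 "ip4:198.51.100.128/25 include:_spf.example.com mx -ip4:192.0.2.0/24 ~all")


def parse_spf(record):
    """Return (networks, unresolved): networks the record vouches for directly,
    and the mechanisms/modifiers that still need DNS resolution."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    networks, unresolved = [], []
    for term in terms[1:]:
        if term[0] in "+-~?":
            if term[0] != "+":
                continue                   # fail, softfail, neutral: no whitelist entry
            term = term[1:]
        mech, _, arg = term.partition(":")
        if "=" in mech:                    # modifier (redirect=, exp=)
            name = mech.split("=", 1)[0].lower()
            if name == "redirect":
                unresolved.append(term)    # redirect= points at another record to fetch
            continue
        name = mech.lower()
        if name in ("ip4", "ip6"):
            try:
                networks.append(ipaddress.ip_network(arg, strict=False))
            except ValueError:
                unresolved.append(term)    # malformed address: keep it visible
        elif name == "all":
            continue
        else:                              # a, mx, ptr, include, exists, a/24, ...
            unresolved.append(term)
    return networks, unresolved


def whitelist_lines(domain, networks):
    """Render networks as whitelist.txt lines, merging adjacent and
    overlapping blocks of the same address family."""
    lines = []
    for version in (4, 6):
        same = [n for n in networks if n.version == version]
        for net in ipaddress.collapse_addresses(same):
            text = str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)
            lines.append(f"{text} # {domain} (spf)")
    return lines


if __name__ == "__main__":
    nets, todo = parse_spf(SAMPLE_RECORD)
    print("\n".join(whitelist_lines("example.com", nets)))
    for term in todo:
        print(f"# needs lookup: {term}")
```

Treat the output as a review list rather than something to append blindly: an SPF record describes who may send as that domain, which is usually but not always the same set of hosts that retries from a pool, and a record ending in +all or built from a chain of include: terms can vouch for far more address space than the domain actually uses.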