Re: Spamd - whitelisting round robin mail servers?

2008-09-04 Thread Stuart Henderson
On 2008-09-04, Jeff Simmons <[EMAIL PROTECTED]> wrote:
> Yeah, that covers Google, all right. And then somebody called 
> Websitewelcome.com gives me major grief. Is the only way to do this to wait 
> for someone to complain that mail isn't going through?

No, you can also tell from spamdb output.



Re: Spamd - whitelisting round robin mail servers?

2008-09-03 Thread Steve Williams

Daniel Ouellet wrote:

Jeff Simmons wrote:
So I just set up a nice spamd for a client, and then watched Google's 
Postini try to resend a single email message from just about every IP 
they own.


For google, why not get it from the source itself?

Example:

# dig txt _spf.google.com | grep spf
; <<>> DiG 9.3.4 <<>> txt _spf.google.com
;_spf.google.com.   IN  TXT
_spf.google.com.187 IN  TXT "v=spf1 
ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 
ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 
ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ?all"
Here's a script I use.  It handles includes by using recursion, which is 
a bit dangerous if there's an endless loop of includes out in the world, 
but it's worked for me so far.  It will also do DNS lookups for hosts 
that are specified by name instead of an IP address and handles sites 
that don't put in a FQDN in for the hostname.  The output can be fed to 
pfctl such as:

pfctl -t local-white -T replace -f /etc/spamd/whitelist.txt

The output from my script for google is: (I actually have a list of
# ./extract_spf spf_hosts.txt
# google.com
# Additional spf: include:_netblocks.google.com
# ==
# Recursing for additional spf records
# ==
# _netblocks.google.com
216.239.32.0/19
64.233.160.0/19
66.249.80.0/20
72.14.192.0/18
209.85.128.0/17
66.102.0.0/20
74.125.0.0/16
64.18.0.0/20
207.126.144.0/20

For Hotmail...




#!/bin/sh
# extract_spf: for each domain in the list file, print the ip4: netblocks from
# its SPF record (pfctl table format), queue a: hosts for an A lookup and
# include: targets for a recursive pass.
if [ $# -ne 1 ]; then
  echo "Usage: `basename $0` hostlist_file"
  exit 1
fi

if [ ! -f "$1" ]; then
  echo "Unable to locate: $1"
  exit 1
fi

# scratch files: hosts needing an A lookup, and include: targets to recurse into
> /tmp/spf_lookup.$$
> /tmp/more_spf.$$

while read host; do
  echo "# $host"
  dig "$host" TXT +short | sed 's/"//g' | \
  awk '$1 == "v=spf1" {
    num = split($0, stuff, " ")
    for (i = 1; i <= num; i++) {
      if (substr(stuff[i], 1, 4) == "ip4:") {
        print substr(stuff[i], 5)
      } else if (substr(stuff[i], 1, 2) == "a:") {
        _tmp = substr(stuff[i], 3)
        _octet = split(_tmp, _tmpsplit, ".")
        if (_octet == 1) {
          # bare label (no dots): qualify it with the domain being processed
          printf("%s.%s\n", _tmp, host) >> lookup
          printf("# dns lookup %s.%s\n", _tmp, host)
        } else {
          print _tmp >> lookup
          printf("# dns lookup %s\n", _tmp)
        }
      } else if (substr(stuff[i], 1, 8) == "include:") {
        printf("# Additional spf: %s\n", stuff[i])
        print substr(stuff[i], 9) >> spf
      }
    }
  }' host="$host" lookup="/tmp/spf_lookup.$$" spf="/tmp/more_spf.$$"
done < "$1"

if [ -s /tmp/spf_lookup.$$ ]; then
  echo "# ="
  echo "# DNS Lookups"
  echo "# ="
  while read host; do
    echo "# $host"
    dig "$host" A +short | grep -v '^;;'
  done < /tmp/spf_lookup.$$
fi

if [ -s /tmp/more_spf.$$ ]; then
  echo "# =="
  echo "# Recursing for additional spf records"
  echo "# =="
  # no depth limit: a cycle of include: records between domains would never terminate
  $0 /tmp/more_spf.$$
fi

rm -f /tmp/spf_lookup.$$ /tmp/more_spf.$$

exit 0



Re: Spamd - whitelisting round robin mail servers?

2008-09-03 Thread Jeff Simmons
Yeah, that covers Google, all right. And then somebody called 
Websitewelcome.com gives me major grief. Is the only way to do this to wait 
for someone to complain that mail isn't going through?

I know how to query for netblocks and such. What I don't know is how many 
fraking commercial mail servers are doing this, and who they all are. There are 
spam blacklists all over the place, and a lot of people are doing greylisting 
nowadays. Isn't anybody collating these guys?

On Wednesday 03 September 2008 20:57, Marco S Hyman wrote:
> Jeff Simmons writes:
>  > all out of date, and the link to the cvs list is broken. Anyone know of
>  > any uptodate compilations?
>
> $ host -ttxt google.com
> google.com descriptive text "v=spf1 include:_netblocks.google.com ~all"
> $ host -ttxt _netblocks.google.com
> _netblocks.google.com descriptive text "v=spf1 ip4:216.239.32.0/19
> ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18
> ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20
> ip4:207.126.144.0/20 ?all"
>
> That should cover google, no?
>
> // marc

-- 
Jeff Simmons   [EMAIL PROTECTED]
Simmons Consulting - Network Engineering, Administration, Security
"You guys, I don't hear any noise.  Are you sure you're doing it right?"
--  My Life With The Thrill Kill Kult



Re: Spamd - whitelisting round robin mail servers?

2008-09-03 Thread Daniel Ouellet

Jeff Simmons wrote:
So I just set up a nice spamd for a client, and then watched Google's 
Postini try to resend a single email message from just about every IP 
they own.



Here is a little script that would help you to create your own lists. I 
use it and run it in a cronjob once a month. Then it plugs right into pf 
and updates my table for spf records. Just modify it for your own needs 
and add new spf sources as you see fit.


I used this script that I found long ago and it works very well for this 
purpose.


Best,

Daniel


#!/bin/sh
# Collect the ip4: netblocks from each listed domain's SPF record into one
# file, one CIDR per line, ready to load into a pf table.  include: targets
# are not followed; list them here explicitly (as done for google/hotmail).
FILE=spamd-spf.txt

rm -f "$FILE"
touch "$FILE"

for domain in \
aol.com \
apple.com \
amazon.com \
gmx.net \
_spf.google.com \
spf-a.hotmail.com \
spf-b.hotmail.com \
spf-c.hotmail.com \
spf-d.hotmail.com \
_spf-a.microsoft.com \
_spf-b.microsoft.com \
_spf-c.microsoft.com \
mynethost.com \
spf.postini.com
do
  # comment line naming the source, then the ip4: entries of that record
  echo "#$domain" >> "$FILE"
  dig "$domain" TXT +short | tr ' ' '\n' | grep '^ip4:' | cut -d: -f2 >> "$FILE"
done
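Added example (not Steve's extract_spf or Daniel's script): the same SPF
extraction both scripts do, with the include: loop Steve worries about handled
by a seen-set and the RFC 7208 lookup budget. DNS is replaced by two constructed
dicts (google.com taken from the dig/host output in this thread, example.test
made up), so it runs offline; `pf_table_lines` gives the pfctl -T replace input.

```python
import ipaddress
# Constructed stand-in for DNS (a live run would do TXT and A lookups instead):
# the google.com records are copied from the dig/host output quoted in this
# thread; example.test is made up to exercise a:, an include: loop and the budget.
TXT = {
    "google.com": "v=spf1 include:_netblocks.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 "
                             "ip4:66.249.80.0/20 ?all",
    "example.test": "v=spf1 a:mx ip4:192.0.2.0/24 include:loop.example.test -all",
    "loop.example.test": "v=spf1 include:example.test ip4:198.51.100.5 -all",
}
ADDR = {"mx.example.test": ["192.0.2.10", "192.0.2.11"]}
MAX_LOOKUPS = 10  # RFC 7208: at most 10 DNS-querying mechanisms per evaluation

def spf_netblocks(domain, txt=TXT, addr=ADDR, seen=None, budget=None):
    # Set of ip_network objects the domain's SPF record authorises.  `seen` stops
    # include: loops; `budget` (one-element list shared down the recursion)
    # enforces the RFC 7208 limit so a broken or hostile record cannot run forever.
    seen = set() if seen is None else seen
    budget = [MAX_LOOKUPS] if budget is None else budget
    nets = set()
    if domain in seen:
        return nets
    seen.add(domain)
    record = txt.get(domain, "")
    if not record.startswith("v=spf1"):
        return nets                           # no SPF record: nothing to whitelist
    for term in record.split()[1:]:
        mech = term.lstrip("+-~?")            # qualifier is irrelevant for listing
        if mech.startswith("redirect="):      # behaves like include: for our purpose
            name, arg = "include", mech.split("=", 1)[1]
        else:
            name, _, arg = mech.partition(":")
        if name in ("ip4", "ip6"):
            nets.add(ipaddress.ip_network(arg, strict=False))
        elif name in ("a", "include"):        # mx, exists, ptr and all are skipped
            if budget[0] <= 0:
                break                         # SPF permerror: stop, do not guess
            budget[0] -= 1
            if name == "include":
                nets.update(spf_netblocks(arg, txt, addr, seen, budget))
            else:
                host = arg or domain
                if "." not in host:           # bare label, as in a:mx -> mx.<domain>
                    host = f"{host}.{domain}"
                nets.update(ipaddress.ip_network(ip) for ip in addr.get(host, []))
    return nets

def pf_table_lines(domain):
    # Sorted CIDR strings, one per line, for pfctl -t local-white -T replace -f
    key = lambda n: (n.version, int(n.network_address))
    return [str(n) for n in sorted(spf_netblocks(domain), key=key)]
```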



Re: Spamd - whitelisting round robin mail servers?

2008-09-03 Thread Rod Whitworth
On Wed, 3 Sep 2008 20:26:25 -0700, Jeff Simmons wrote:

>So I just set up a nice spamd for a client, and then watched Google's Postini 
>try to resend a single email message from just about every IP they own.
>
>There are some whitelists for commercial servers available, mainly one at  
>http://projects.puremagic.com/greylisting/, but from what I can see they are 
>all out of date, and the link to the cvs list is broken. Anyone know of any 
>uptodate compilations?
>
There are 17 /24s and a /20 for postini listed in dnswl.org's list.

STFA (very recent) for a thread subject= odd greyscanner behaviour
I sent a message dated 31/8 refining a script posted by another Jeff to
use that list to whitelist various levels of dnswl.

I only use the two most reliable levels and that suits my purpose.
Others' MMV.

R/
(Reply on-list or to the reply-to:, others to sender: are tarpitted)
Rod/

A consultant is someone who's called in when someone has painted himself into a 
corner.  He's expected to levitate his client out of that corner.

-The Sayings of Chairman Morrow. 1984.



Re: Spamd - whitelisting round robin mail servers?

2008-09-03 Thread Daniel Ouellet

Jeff Simmons wrote:
So I just set up a nice spamd for a client, and then watched Google's Postini 
try to resend a single email message from just about every IP they own.


And for postini, get it there too:

# dig txt spf.postini.com | grep spf
; <<>> DiG 9.3.4 <<>> txt spf.postini.com
;spf.postini.com.   IN  TXT
spf.postini.com.14400   IN  TXT "v=spf1 ip4:64.18.0.0/20 
ip4:207.126.144.0/20 ip4:204.14.232.0/22 ip4:63.146.199.13/32 
ip4:63.146.199.14/32 ip4:68.123.185.46/32 ip4:67.114.133.222/32 
ip4:63.71.11.123/32 ip4:63.71.11.124/32 ip4:208.111.151.5/32 
ip4:208.74.204.5/32 -all"




Re: Spamd - whitelisting round robin mail servers?

2008-09-03 Thread jared r r spiegel
On Wed, Sep 03, 2008 at 08:26:25PM -0700, Jeff Simmons wrote:
> So I just set up a nice spamd for a client, and then watched Google's Postini 
> try to resend a single email message from just about every IP they own.
> 
> There are some whitelists for commercial servers available, mainly one at  
> http://projects.puremagic.com/greylisting/, but from what I can see they are 
> all out of date, and the link to the cvs list is broken. Anyone know of any 
> uptodate compilations?

  i think one such list (as well as some other alternative methods) was
  mentioned in the longish thread here just super recently ago that shows up
  if you search archives for 'google spamd'

-- 

  jared



Re: Spamd - whitelisting round robin mail servers?

2008-09-03 Thread Daniel Ouellet

Jeff Simmons wrote:
So I just set up a nice spamd for a client, and then watched Google's Postini 
try to resend a single email message from just about every IP they own.


For google, why not get it from the source itself?

Example:

# dig txt _spf.google.com | grep spf
; <<>> DiG 9.3.4 <<>> txt _spf.google.com
;_spf.google.com.   IN  TXT
_spf.google.com.187 IN  TXT "v=spf1 
ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 
ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 
ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ?all"




Re: Spamd - whitelisting round robin mail servers?

2008-09-03 Thread Marco S Hyman
Jeff Simmons writes:
 > all out of date, and the link to the cvs list is broken. Anyone know of any 
 > uptodate compilations?

$ host -ttxt google.com
google.com descriptive text "v=spf1 include:_netblocks.google.com ~all"
$ host -ttxt _netblocks.google.com
_netblocks.google.com descriptive text "v=spf1 ip4:216.239.32.0/19 
ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 
ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ?all"

That should cover google, no?

// marc



Spamd - whitelisting round robin mail servers?

2008-09-03 Thread Jeff Simmons
So I just set up a nice spamd for a client, and then watched Google's Postini 
try to resend a single email message from just about every IP they own.

There are some whitelists for commercial servers available, mainly one at  
http://projects.puremagic.com/greylisting/, but from what I can see they are 
all out of date, and the link to the cvs list is broken. Anyone know of any 
uptodate compilations?

--
Jeff Simmons   [EMAIL PROTECTED]
Simmons Consulting - Network Engineering, Administration, Security
"You guys, I don't hear any noise.  Are you sure you're doing it right?"
--  My Life With The Thrill Kill Kult