Re: Spamd - whitelisting round robin mail servers?
On 2008-09-04, Jeff Simmons <[EMAIL PROTECTED]> wrote:
> Yeah, that covers Google, all right. And then somebody called
> Websitewelcome.com gives me major grief. Is the only way to do this to wait
> for someone to complain that mail isn't going through?

No, you can also tell from spamdb output.

Re: Spamd - whitelisting round robin mail servers?
Daniel Ouellet wrote:
> Jeff Simmons wrote:
>> So I just set up a nice spamd for a client, and then watched Google's
>> Postini try to resend a single email message from just about every IP
>> they own.
>
> For google, why not get it from the source itself?
>
> Example:
>
> # dig txt _spf.google.com | grep spf
> ; <<>> DiG 9.3.4 <<>> txt _spf.google.com
> ;_spf.google.com. IN TXT
> _spf.google.com. 187 IN TXT "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ?all"

Here's a script I use. It handles includes by using recursion, which is
a bit dangerous if there's an endless loop of includes out in the world,
but it's worked for me so far. It will also do DNS lookups for hosts that
are specified by name instead of an IP address and handles sites that
don't put in a FQDN for the hostname.

The output can be fed to pfctl such as:

pfctl -t local-white -T replace -f /etc/spamd/whitelist.txt

The output from my script for google is: (I actually have a list of

# ./extract_spf spf_hosts.txt
# google.com
# Additional spf: include:_netblocks.google.com
# ==
# Recursing for additional spf records
# ==
# _netblocks.google.com
216.239.32.0/19
64.233.160.0/19
66.249.80.0/20
72.14.192.0/18
209.85.128.0/17
66.102.0.0/20
74.125.0.0/16
64.18.0.0/20
207.126.144.0/20

For Hotmail...

# ./extract_spf spf_hosts.txt > /tmp/x
vi
# vi /tmp/x
# cat /tmp/x
# microsoft.com
# Additional spf: include:_spf-a.microsoft.com
# Additional spf: include:_spf-b.microsoft.com
# Additional spf: include:_spf-c.microsoft.com
# Additional spf: include:_spf-ssg-a.microsoft.com
# ==
# Recursing for additional spf records
# ==
# _spf-a.microsoft.com
216.99.5.67
216.99.5.68
202.177.148.100
203.122.32.250
202.177.148.110
213.199.128.139
213.199.128.145
207.46.50.72
207.46.50.82
# dns lookup delivery.pens.microsoft.com
# dns lookup mh.microsoft.m0.net
# _spf-b.microsoft.com
# dns lookup delivery2.pens.microsoft.com
# dns lookup delivery.smtp.microsoft.com
131.107.65.22
131.107.65.131
131.107.1.101
131.107.1.102
217.77.141.52
217.77.141.59
# _spf-c.microsoft.com
203.32.4.25
213.199.138.181
213.199.138.191
207.46.52.71
207.46.52.79
131.107.1.18
131.107.1.19
131.107.1.20
131.107.70.12
131.107.70.16
86.61.88.25
# _spf-ssg-a.microsoft.com
207.68.169.173/30
207.68.176.1/26
207.46.132.129/27
207.68.176.97/27
65.55.238.129/26
207.46.222.193/26
207.46.116.135/29
65.55.178.129/27
213.199.161.129/27
65.55.33.70/28
# =
# DNS Lookups
# =
# delivery.pens.microsoft.com
207.46.248.68
207.46.248.69
207.46.248.64
207.46.248.65
207.46.248.66
207.46.248.67
# mh.microsoft.m0.net
209.11.164.116
# delivery2.pens.microsoft.com
207.46.248.41
207.46.248.42
207.46.248.43
207.46.248.40
# delivery.smtp.microsoft.com
207.46.22.98
207.46.22.101
207.46.248.70
207.46.248.71

#!/bin/sh

if [ $# -ne 1 ]; then
    echo "Usage: `basename $0` hostlist_file"
    exit 1
fi

if [ ! -f "$1" ]; then
    echo "Unable to locate: $1"
    exit 1
fi

> /tmp/spf_lookup.$$
> /tmp/more_spf.$$

cat $1 | while read host; do
    echo "# $host"
    dig $host TXT +short | sed 's/"//g' | \
    awk '$1 == "v=spf1" {
        num=split($0,stuff," ")
        for (i=1;i<=num;i++){
            if (substr(stuff[i],1,4)=="ip4:") {
                print substr(stuff[i],5)
            } else {
                if (substr(stuff[i],1,2)=="a:") {
                    _tmp=substr(stuff[i],3)
                    _octet=split(_tmp,_tmpsplit,".")
                    if (_octet==1) {
                        printf("%s.%s\n", substr(stuff[i],3), host) >> lookup
                        printf("# dns lookup %s.%s\n", substr(stuff[i],3), host )
                    } else {
                        print substr(stuff[i],3) >> lookup
                        printf("# dns lookup %s\n", substr(stuff[i],3) )
                    }
                } else {
                    if (substr(stuff[i],1,8)=="include:") {
                        printf("# Additional spf: %s\n", stuff[i],0)
                        print substr(stuff[i],9) >> spf
                    }
                }
            }
        }
    }' host=$host lookup="/tmp/spf_lookup.$$" spf="/tmp/more_spf.$$"
done

if [ -s /tmp/spf_lookup.$$ ]; then
    echo "# ="
    echo "# DNS Lookups"
    echo "# ="
    while read host; do
        echo "# $host"
        dig $host A +short | grep -v '^;;'
    done < /tmp/spf_lookup.$$
fi

if [ -s /tmp/more_spf.$$ ]; then
    echo "# =="
    echo "# Recursing for additional spf records"
    echo "# =="
    $0 /tmp/more_spf.$$
fi

rm -f /tmp/spf_lookup.$$ /tmp/more_spf.$$

exit 0

Re: Spamd - whitelisting round robin mail servers?
Yeah, that covers Google, all right. And then somebody called
Websitewelcome.com gives me major grief. Is the only way to do this to wait
for someone to complain that mail isn't going through? I know how to query
for netblocks and such. What I don't know is how many fraking commercial
mail servers are doing this, and who they all are. There's spam blacklists
all over the place, and a lot of people are doing greylisting nowadays.
Isn't anybody collating these guys?

On Wednesday 03 September 2008 20:57, Marco S Hyman wrote:
> Jeff Simmons writes:
> > all out of date, and the link to the cvs list is broken. Anyone know of
> > any uptodate compilations?
>
> $ host -ttxt google.com
> google.com descriptive text "v=spf1 include:_netblocks.google.com ~all"
> $ host -ttxt _netblocks.google.com
> _netblocks.google.com descriptive text "v=spf1 ip4:216.239.32.0/19
> ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18
> ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20
> ip4:207.126.144.0/20 ?all"
>
> That should cover google, no?
>
> // marc

--
Jeff Simmons [EMAIL PROTECTED]
Simmons Consulting - Network Engineering, Administration, Security

"You guys, I don't hear any noise. Are you sure you're doing it right?"
-- My Life With The Thrill Kill Kult

Re: Spamd - whitelisting round robin mail servers?
Jeff Simmons wrote:
> So I just set up a nice spamd for a client, and then watched Google's
> Postini try to resend a single email message from just about every IP
> they own.

Here is a little script that would help you to create your own lists. I
use it and run it in cronjob once a month. Then it plugs right into pf and
updates my table for spf records.

Just modify it for your own needs and add new spf source as you see fit.

I used this script that I found long ago and it works very well for this
purpose.

Best,

Daniel

#!/bin/sh
FILE=spamd-spf.txt
rm -f $FILE
touch $FILE
for domain in \
    aol.com \
    apple.com \
    amazon.com \
    gmx.net \
    _spf.google.com \
    spf-a.hotmail.com \
    spf-b.hotmail.com \
    spf-c.hotmail.com \
    spf-d.hotmail.com \
    _spf-a.microsoft.com \
    _spf-b.microsoft.com \
    _spf-c.microsoft.com \
    mynethost.com \
    spf.postini.com
do
    echo \#$domain >> $FILE;
    dig $domain TXT +short | tr "\ " "\n" | grep ^ip4: | cut -d: -f2 >> $FILE;
done

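Both scripts posted in this thread copy whatever a TXT record returns into a pf table, and the recursive one has no guard against include loops. The following is an added example, not code from any poster: it follows include: terms with a visited list and a lookup budget, and validates every ip4 entry before printing it. The domains and addresses are constructed samples, and sample_txt, lookup_txt, valid_ip4, spf_ip4 and MAX_LOOKUPS are hypothetical names.

```sh
#!/bin/sh
# Added example, not from the thread. The records below are constructed
# (documentation address ranges); a.example and b.example include each other.
sample_txt() {
    case "$1" in
        mail.example) echo '"v=spf1 ip4:192.0.2.0/24 include:a.example ~all"' ;;
        a.example) echo '"v=spf1 ip4:198.51.100.7 include:b.example ?all"' ;;
        b.example) echo '"v=spf1 ip4:203.0.113.0/25 ip4:999.1.1.1 include:a.example -all"' ;;
    esac
}

# Resolver hook (hypothetical name), offline by default. For live use:
#   lookup_txt() { dig +short TXT "$1"; }
lookup_txt() { sample_txt "$1"; }
# Assumed cap, modelled on RFC 7208's limit of 10 DNS-querying terms.
MAX_LOOKUPS=10

# Succeeds only for a dotted quad (octets 0-255) with an optional /0-32.
valid_ip4() {
    printf '%s\n' "$1" | awk '
        !/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ { exit 1 }
        { n = split($0, p, "[./]")
          for (i = 1; i <= 4; i++) if (p[i] + 0 > 255) exit 1
          if (n == 5 && p[5] + 0 > 32) exit 1 }'
}

# Print validated ip4 entries for a domain and everything it includes.
# Subshell body keeps set -f (no globbing on DNS data) and variables local.
spf_ip4() (
    set -f
    queue=$1 seen=" " lookups=0
    while [ -n "$queue" ]; do
        set -- $queue; dom=$1; shift; queue="$*"
        case "$seen" in *" $dom "*) echo "# loop, skipping $dom" >&2; continue ;; esac
        if [ "$lookups" -ge "$MAX_LOOKUPS" ]; then
            echo "# lookup budget exhausted at $dom" >&2; exit 1
        fi
        seen="$seen$dom " lookups=$((lookups + 1))
        for term in $(lookup_txt "$dom" | tr -d '"' | grep '^v=spf1 '); do
            case "$term" in
                ip4:*) if valid_ip4 "${term#ip4:}"; then echo "${term#ip4:}"
                       else echo "# rejected $term" >&2; fi ;;
                # first character must be alphanumeric, so never a dig option
                include:[A-Za-z0-9_]*) queue="$queue ${term#include:}" ;;
            esac
        done
    done
    exit 0
)

spf_ip4 "${1:-mail.example}"
```

Only validated addresses go to stdout; skipped loops, rejected entries and an exhausted budget are reported on stderr, so stdout can be redirected to the file that pfctl -T replace -f reads.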
Re: Spamd - whitelisting round robin mail servers?
On Wed, 3 Sep 2008 20:26:25 -0700, Jeff Simmons wrote:

>So I just set up a nice spamd for a client, and then watched Google's Postini
>try to resend a single email message from just about every IP they own.
>
>There are some whitelists for commercial servers available, mainly one at
>http://projects.puremagic.com/greylisting/, but from what I can see they are
>all out of date, and the link to the cvs list is broken. Anyone know of any
>uptodate compilations?
>

There are 17 /24s and a /20 for postini listed in dnswl.org's list.

STFA (very recent) for a thread subject= odd greyscanner behaviour

I sent a message dated 31/8 refining a script posted by another Jeff to
use that list to whitelist various levels of dnswl. I only use the two
most reliable levels and that suits my purpose. Others' MMV.

R/

(Reply on-list or to the reply-to:, others to sender: are tarpitted)

Rod/
A consultant is someone who's called in when someone has painted himself
into a corner. He's expected to levitate his client out of that corner.
-The Sayings of Chairman Morrow. 1984.

Re: Spamd - whitelisting round robin mail servers?
Jeff Simmons wrote:
> So I just set up a nice spamd for a client, and then watched Google's
> Postini try to resend a single email message from just about every IP
> they own.

And for postini, get it there too:

# dig txt spf.postini.com | grep spf
; <<>> DiG 9.3.4 <<>> txt spf.postini.com
;spf.postini.com. IN TXT
spf.postini.com. 14400 IN TXT "v=spf1 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:204.14.232.0/22 ip4:63.146.199.13/32 ip4:63.146.199.14/32 ip4:68.123.185.46/32 ip4:67.114.133.222/32 ip4:63.71.11.123/32 ip4:63.71.11.124/32 ip4:208.111.151.5/32 ip4:208.74.204.5/32 -all"

Re: Spamd - whitelisting round robin mail servers?
On Wed, Sep 03, 2008 at 08:26:25PM -0700, Jeff Simmons wrote:
> So I just set up a nice spamd for a client, and then watched Google's Postini
> try to resend a single email message from just about every IP they own.
>
> There are some whitelists for commercial servers available, mainly one at
> http://projects.puremagic.com/greylisting/, but from what I can see they are
> all out of date, and the link to the cvs list is broken. Anyone know of any
> uptodate compilations?

i think one such list (as well as some other alternative methods) was
mentioned in the longish thread here just super recently ago that shows up
if you search archives for 'google spamd'

--
jared

Re: Spamd - whitelisting round robin mail servers?
Jeff Simmons wrote:
> So I just set up a nice spamd for a client, and then watched Google's
> Postini try to resend a single email message from just about every IP
> they own.

For google, why not get it from the source itself?

Example:

# dig txt _spf.google.com | grep spf
; <<>> DiG 9.3.4 <<>> txt _spf.google.com
;_spf.google.com. IN TXT
_spf.google.com. 187 IN TXT "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ?all"

Re: Spamd - whitelisting round robin mail servers?
Jeff Simmons writes:
> all out of date, and the link to the cvs list is broken. Anyone know of any
> uptodate compilations?

$ host -ttxt google.com
google.com descriptive text "v=spf1 include:_netblocks.google.com ~all"
$ host -ttxt _netblocks.google.com
_netblocks.google.com descriptive text "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ?all"

That should cover google, no?

// marc

Spamd - whitelisting round robin mail servers?
So I just set up a nice spamd for a client, and then watched Google's Postini
try to resend a single email message from just about every IP they own.

There are some whitelists for commercial servers available, mainly one at
http://projects.puremagic.com/greylisting/, but from what I can see they are
all out of date, and the link to the cvs list is broken. Anyone know of any
uptodate compilations?

--
Jeff Simmons [EMAIL PROTECTED]
Simmons Consulting - Network Engineering, Administration, Security

"You guys, I don't hear any noise. Are you sure you're doing it right?"
-- My Life With The Thrill Kill Kult