Re: Heads up for users of spamhaus

2006-10-06 Thread Waitman Gobble
The order was to ICANN regarding the domain name. It is a curious
situation though.



Waitman


James Turnbull wrote:
 Matt Sergeant wrote:
 http://wordtothewise.com/Spamhaus_ICANN_order.html

 If you're using sbl-xbl, consider temporarily switching to cbl until
 this blows over.
 
 The order is essentially meaningless though isn't it?  The associated
 judgement is unenforceable because Spamhaus isn't under the jurisdiction
 of US law - it's a UK entity.  If Linhardt wants to stop them he is
 going to have to file the same case in a UK court and the laws regarding
 spam in the UK are considerably different.
 
 Regards
 
 James Turnbull
 


Re: [Waitman] Re: my plugin - comments requested

2004-06-03 Thread Waitman Gobble


Peter J. Holzer wrote:
There are quite a few people who rent a server in a different country
(bandwidth is still a lot cheaper in the US or Germany than in Austria,
for example) or who have registered domains in different countries
because they look cooler (e.g. the .to top level domain).
 

Good point. But I do like the SPF idea - that should fix this. 
Whitelist if you have SPF set up for your domain, and if your mail is 
coming from where you say it is supposed to be coming from.

The country match thingy is just an attempt to separate the bogus bs 
mail. I don't mind getting email that is genuine, even if it is trying 
to sell something - or otherwise commercial. I really hate email that is 
forged, or otherwise deceptive. I personally don't see a lot of this 
coming out of the better part of Europe, and this issue hadn't occurred 
to me. I honestly don't want to get to whitelisting/blacklisting 
specific geographic locations, that isn't my intention. And 500 before 
DATA is essential. Sticking the scrap mail in a separate folder isn't 
very exciting. Will have to think about it.

2.  Keep track of ips that send multiple from domains. And black-list 
those.
   

This is true for just about any ISP. Even my private server (which has
only one user) sends mail with 3 or 4 different from domains.
hp
 

Exactly. I am in the same boat. I don't necessarily block everything 
that has multiple domains. And automating this would be difficult. But I 
do look at multiple domains per IP and the ones that are obviously _not_ 
legitimate I add to the list. This currently accounts for less than 1% 
of my spam.

Waitman



Re: [Waitman] Re: dnsbl lists Was: my plugin - comments requested

2004-06-03 Thread Waitman Gobble
James Craig Burley wrote:
Isn't SPF dependent on DNS?  If so, it's not really decentralized, is it?
 

Hmmm, well I suppose the root nameservers are centralized. These are the 
master phone books that tell clients where to go to lookup the number, 
etc. However, the DNS record for each domain itself is manageable by 
anyone who has a domain. There are large records spread out over 
multiple networks via delegation, and small records that are handled by 
a primary and secondary host. If one chooses to allow their ISP or some 
other service to manage their DNS record, that is an option.

Before I got my hands dirty with DNS it seemed large and complicated and 
difficult. But it really isn't all that complicated. Especially for just 
a single domain that might have a few records. Absolutely there are 
larger more complicated setups, especially when you have several 
networks under one domain, and perhaps even dislocated subnets on 
non-octet boundaries, and you want to delegate forward and reverse 
authority to various departments, customers, etc.

For SPF: As long as you identify potential mx hosts and publish this 
information in the TXT record then life will be swell. If you have a web 
site on a domain that is not used for email, then you can specify that 
NO hosts are allowed to send email from that domain.

Having mail that relies on DNS isn't worrisome. The thing has to figure 
out where to route it anyhow - it is already dependent on DNS. There are 
already multiple queries performed per processed email. If speed is an 
issue then it is usually wise to run a caching server on the mail host. 
IMHO. One potential bottleneck using DNS has to do with the fact that 
DNS uses UDP. If you stuff a lot of TXT info in your record this can 
cause an issue. But that issue is as old as the hills, perhaps may never 
change.

It is true that SPF use isn't widespread. But ISPs with large consumer 
bases such as AOL and Earthlink have set it up. And thousands of other 
domains have it. Soon they will actually use it to determine if mail 
will pass through. They _may_ be using it now to (partially?) assign a 
spam score; that is not documented anywhere that I currently know about.

To date, I have not seen a more elegant solution to curb domain 
hijacking. - a form of identity theft IMHO. It really doesn't reduce 
SPAM, but it does reduce SPAM from bogus addresses sent from 
unauthorized hosts.

I am not sure how false-positives would be an issue, but I am not 
discounting the potential. When a message comes in, the source ip and 
the from address are known. Or perhaps there is no from address at all 
(i.e. bounce), and the helo domain (would/could) be used. SPF either 
doesn't exist, it exists and the host is valid, or it exists and the 
host is invalid. There are a few other possibilities for status. It is 
up to the receiving mail server to decide whether or not to process the 
mail - or perhaps handle it differently - based on this information.

So, from my point of view, this is a system that gives domain owners a 
choice whether to publish and what to publish, and people with mail 
servers a choice whether or not (and how to) use the information.

Best regards
Waitman
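The SPF outcomes described in this post (no record, a record that allows the host, a record that rejects it, and a web-only domain publishing that no host may send) as an added Python example; it is not code from the thread or from qpsmtpd. DNS is replaced by a constructed in-memory zone, only the mechanisms the zone uses are implemented, and a null sender (bounce) is checked against the HELO domain as the post suggests.

```python
import ipaddress

# Constructed zone data standing in for DNS lookups (assumption: no live DNS).
ZONE = {
    "txt": {
        "example.com": "v=spf1 mx ip4:203.0.113.0/24 -all",
        "web-only.example": "v=spf1 -all",            # domain that never sends mail
        "bulk.example": "v=spf1 include:example.com ~all",
    },
    "mx": {"example.com": ["mx1.example.com", "mx2.example.com"]},
    "a": {"mx1.example.com": "198.51.100.10", "mx2.example.com": "198.51.100.11"},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(ip, mail_from, helo):
    """Return pass/fail/softfail/neutral/none/permerror for one connection.
    An empty mail_from (bounce) is evaluated against the HELO domain instead."""
    domain = mail_from.rsplit("@", 1)[1] if mail_from else helo
    return _evaluate(ipaddress.ip_address(ip), domain.lower(), depth=0)

def _evaluate(ip, domain, depth):
    record = ZONE["txt"].get(domain)
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"                     # no SPF published (or include loop)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:         # optional qualifier in front of a mechanism
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ZONE["a"].get(arg or domain) == str(ip)
        elif name == "mx":
            hosts = ZONE["mx"].get(arg or domain, [])
            matched = any(ZONE["a"].get(h) == str(ip) for h in hosts)
        elif name == "include":
            matched = _evaluate(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"            # unknown mechanism (simplification)
        if matched:
            return QUALIFIERS[qual]       # first matching mechanism decides
    return "neutral"                      # record exists but nothing matched
```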


Re: [Waitman] Re: dnsbl lists Was: my plugin - comments requested

2004-06-03 Thread Waitman Gobble
Waitman Gobble wrote:
SRS doesn't appear to me to be that exciting at the moment. It is an 
attempt to encrypt the return path so that legit bounce-backs get passed 
through. The problem is that it appears to me that the encrypted return 
path doesn't change. So if you know the SRS header is
[EMAIL PROTECTED]

you can send me a whole bunch of pretend bounce backs. And basically 
this header will definitely be available on every newsgroup and message 
board.

From what I understand, they realize this issue and are working it out.
I was wrong about that. I just read over the document regarding SRS. It 
includes the timestamp in the encrypted part, so bounces would only come 
in within a configured time frame. If you set your limit to 8 days, and a 
spammer gets ahold of your SRS address, they could send you fake 
bounce-backs for a maximum of 8 days.

I had mistakenly thought that only the source address was used to 
generate the encrypted part, and further misunderstood a reply I 
received this morning about it.

Waitman
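The point of this correction, as an added Python example that is not Mail::SRS or any code from the thread: in the SRS0 scheme the day-number timestamp sits inside the keyed hash, so the rewritten address changes over time and a bounce to a harvested address is accepted only while the timestamp is within max_age_days. The secret, domains and day numbers are constructed.

```python
import base64, hashlib, hmac

B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"          # SRS timestamp alphabet
SECRET = b"constructed-demo-secret"               # assumption: per-site secret, never published

def _hash(ts, host, local):
    # keyed hash over timestamp + original domain + original local part,
    # truncated to 4 base64 characters as SRS0 does
    mac = hmac.new(SECRET, (ts + host + local).lower().encode(), hashlib.sha1).digest()
    return base64.b64encode(mac)[:4].decode()

def _ts_encode(days):
    days %= 1024                                  # two base32 chars carry 10 bits of day number
    return B32[days >> 5] + B32[days & 31]

def _ts_decode(ts):
    return (B32.index(ts[0].upper()) << 5) | B32.index(ts[1].upper())

def srs_forward(sender, forwarder, today):
    """Rewrite sender (user@host) to SRS0=hash=ts=host=user@forwarder.
    today is a day number, e.g. int(time.time() // 86400)."""
    local, host = sender.rsplit("@", 1)
    ts = _ts_encode(today)
    return f"SRS0={_hash(ts, host, local)}={ts}={host}={local}@{forwarder}"

def srs_reverse(address, today, max_age_days):
    """Validate a bounce sent to an SRS0 address.
    Returns (original_sender, "ok") or (None, reason)."""
    local_part = address.rsplit("@", 1)[0]
    if not local_part.startswith("SRS0="):
        return None, "not an SRS0 address"
    try:
        _, h, ts, host, orig_local = local_part.split("=", 4)
        days_old = (today - _ts_decode(ts)) % 1024   # day counter wraps every 1024 days
    except (ValueError, IndexError):
        return None, "malformed"
    if not hmac.compare_digest(h.lower(), _hash(ts, host, orig_local).lower()):
        return None, "bad hash"                   # forged or tampered address
    if days_old > max_age_days:
        return None, "timestamp expired"          # harvested address past its window
    return f"{orig_local}@{host}", "ok"
```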



Re: [Waitman] Re: my plugin - comments requested

2004-06-02 Thread Waitman Gobble

Hello,
It isn't perfect. And it is just tinkering. I make sure to put my name 
and phone number on the error messages. When I ran the test earlier this 
year, one person called. He said he was trying to send me an 
advertisement ;-) and that the company was located in New Zealand or 
Australia however he was working out of San Diego.

The biggest flaw right now is that it uses the host name (from the email 
address) to determine the IP. It really needs to look up the MX record 
and use that for the domain check. I am pretty sure I had it set that 
way when I built the first version. However it seems I overlooked that 
on this go-around. One example where it doesn't work is prodigy.net - 
they don't have an A record for prodigy.net.

Somebody pointed me to SPF. http://spf.pobox.com - This really looks 
good. I hope people start using it, would be a good solution. I am 
adding SPF check to the plugin, right now it will just collect data. To 
see what kind of results I get.

Here are the latest stats from this test:

Total                      3,187
Country Mismatch (#1)      1,658    52.02 %
Well Known Mismatch (#3)     590    18.51 %
Blacklisted (#2)              18     0.56 %
Total Blocked              2,266    71.10 %


Take care
Waitman
Skaag Argonius wrote:
While I like number 2 and 3, I know for sure that number 1 is absolutely
flawed. You can't run a production mail server with this method without
losing customers for loss of important emails.
   Skaag

 




Re: [Waitman] Re: my plugin - comments requested

2004-06-02 Thread Waitman Gobble
Exactly. My next tinker toy with qpsmtpd will be an SMTP based 
accounting (money) system.

Waitman

Ask Bjørn Hansen wrote:
On Jun 1, 2004, at 12:46 PM, Waitman Gobble wrote:
Yesterday I ran across QPSMTPD and decided that it would be much 
better to implement my ideas in a plugin. The best thing is that I 
don't need three servers to do the work, like my original server.

That's great!  That it makes it easy to experiment with new things is 
exactly what's the most fun about qpsmtpd.

(That all the plugins people have made makes a really good spamkiller 
is merely a useful side effect ;-) )

 - ask



Re: [Waitman] Re: dnsbl lists Was: my plugin - comments requested

2004-06-02 Thread Waitman Gobble
[EMAIL PROTECTED] wrote:
I pretty much agree with you. But please don't discount the importance 
of a thing such as SPF. This thing is a decentralized, self-configured 
way to protect yourself from those nasty f's that blow out a bunch of 
spam using your domain. Every time I get a litterbox full of ndr bounces 
I feel like making my first trip outside north america for some 
heavy-action baseball bat educating. Of course, I always convince myself 
otherwise - but I have from time to time used babelfish to translate 
every foul language word I can think of and email it to the responsible 
sys admins.

Waitman

	My personal philosophy is that spam control should not be
dependent on anyone else. That means no dnsbl lists at all. It also means
that whatever I do, I have to guarantee that legit email can get through.
On top of that, it also means that I don't approve of SPF, DCC,
greylisting, Domain Keys, and everything else that penalizes legitimate
users.
 




my plugin - comments requested

2004-06-01 Thread Waitman Gobble
Hello
Back in February 2004 I had some ideas of blocking SPAM. Not sure if 
other people have had the same ideas, but it seems to work pretty well.

I originally hacked together my own SMTP server in C++, however it 
wasn't exactly production quality. I pointed some domains at it and ran 
a test with about 70,000 emails. It blocked about 70% of the crap 
before allowing DATA.

Yesterday I ran across QPSMTPD and decided that it would be much better 
to implement my ideas in a plugin. The best thing is that I don't need 
three servers to do the work, like my original server.

I am not a super expert at PERL, and QPSMTPD is new stuff for me. So 
please let me know if I have done something terribly wrong. After 1400 
emails it appears to be working properly.

Here are my ideas
1. Compare the country of the originating IP address to the country of 
the domain in the from address. Basically want to dump email that 
claims to be from a US company/domain but originates out of China, 
etc. and vice-versa.

2.  Keep track of ips that send multiple from domains. And black-list 
those.

3.  If the from address is a well-known mail service such as yahoo, 
hotmail, msn, aol, etc. Then the connecting IP has to be on their network.

Right now the black list thingy is somewhat manual, I made a simple PHP 
script that shows me ips that have sent messages with from addresses 
of multiple domains in the past 24 hours. Then I decide whether or not 
to block the ip. But this could be automated down the road I suppose.

My plugin uses MySQL / DBI and GeoIP from maxmind.com
Below is my code, etc.
Best Regards
Waitman Gobble
EMK Design
http://emkdesign.com/
714 522 2528
 SQL table structure
#
# Table structure for table `blocker`
# (ips that have been blacklisted by hand via mailstats.php)
#
CREATE TABLE `blocker` (
 `idx` int(10) unsigned NOT NULL auto_increment,
 `ip` char(32) NOT NULL default '',
 `sequence` datetime NOT NULL default '0000-00-00 00:00:00',
 PRIMARY KEY  (`idx`)
) ENGINE=MyISAM;

#
# Table structure for table `checks`
# (one row per MAIL FROM checked by the plugin)
#
CREATE TABLE `checks` (
 `idx` int(10) unsigned NOT NULL auto_increment,
 `mail_from` char(128) NOT NULL default '',
 `ip` char(32) NOT NULL default '',
 `reverse_dns` char(128) NOT NULL default '',
 `country_from` char(2) NOT NULL default '',
 `country_ip` char(2) NOT NULL default '',
 `approval` tinyint(3) unsigned NOT NULL default '0',
 `bulk_check` tinyint(3) unsigned NOT NULL default '0',
 `blist` tinyint(3) unsigned NOT NULL default '0',
 `sequence` datetime NOT NULL default '0000-00-00 00:00:00',
 PRIMARY KEY  (`idx`)
) ENGINE=MyISAM;

 the plugin plugins/check_country
use strict;
use warnings;
use Socket;    # AF_INET for gethostbyaddr
use DBI;
use Geo::IP;

sub register {
  my ($self, $qp) = @_;
  $self->register_hook("mail", "check_country");
}

sub check_country {
  my ($self, $transaction, $sender) = @_;
  my $host      = lc($sender->host || "");   # domain of the MAIL FROM address
  my $client_ip = $self->qp->connection->remote_ip;

  # reverse DNS name of the connecting IP
  my @numbers   = split(/\./, $client_ip);
  my $ip_number = pack("C4", @numbers);
  my ($hostname) = (gethostbyaddr($ip_number, AF_INET))[0];
  $hostname = "unknown" unless defined $hostname && $hostname ne "";

  # check #3: mail claiming to come from a large provider (aol, msn, yahoo,
  # hotmail) must arrive from a host on that provider's network; the match is
  # anchored so that e.g. "aol.com.example.net" does not count as aol.com
  my $allowed = 1;
  for my $provider (qw(aol.com msn.com yahoo.com hotmail.com)) {
    if ($host =~ /(^|\.)\Q$provider\E$/ && $hostname !~ /(^|\.)\Q$provider\E$/i) {
      $allowed = 0;
    }
  }

  # check #1: country of the connecting IP vs. country of the sender's domain
  my $gi = Geo::IP->open("/usr/local/share/GeoIP/GeoIP.dat", GEOIP_STANDARD);
  my $country      = $gi->country_code_by_addr($client_ip);
  my $checkcountry = $gi->country_code_by_name($host);
  $country      = 'UN' unless defined $country      && $country      ne "";
  $checkcountry = 'XX' unless defined $checkcountry && $checkcountry ne "";
  my $compare = ($country eq $checkcountry) ? 1 : 0;

  # check #2: is the connecting IP on the (manually maintained) blocklist?
  my $dbh = DBI->connect("dbi:mysql:mailer:localhost", "username", "password");
  my $sth = $dbh->prepare(qq/
    SELECT idx FROM blocker WHERE ip=?
  /);
  $sth->execute($client_ip);
  my $rv = $sth->rows;

  # record the result of every check for the mailstats.php report
  $sth = $dbh->prepare(qq/
    INSERT INTO checks
    (mail_from,ip,reverse_dns,country_from,country_ip,approval,bulk_check,blist,sequence)
    VALUES (?,?,?,?,?,?,?,?,NOW())
  /);
  $sth->execute($host, $client_ip, $hostname, $checkcountry, $country,
                $compare, $allowed, $rv);
  $dbh->disconnect();

  # accept only when the countries match, the provider check passed and the
  # IP is not on the blocklist
  if ($compare != 0 && $allowed == 1 && $rv < 1) {
    return (OK);
  } else {
    return (DENY);
  }
}

 NOTE add check_country to config/plugins after check_earlytalker 
and before count_unrecognized_commands

 mailstats.php
<table border=1 cellspacing=0 cellpadding=3>
<?php
$conn=mysql_connect('localhost','username','password');
$db=mysql_select_db('mailer');
if (strlen($_REQUEST['bl'])>0)
{
   $sql = INSERT INTO blocker (idx,ip,sequence) VALUES