Re: Detecting very recently registered domain names

2013-12-19 Thread Robert Schetterer
Am 19.12.2013 19:49, schrieb Matus UHLAR - fantomas:
 Sender Policy Framework (SPF) - SPF is an anti-spam approach in which
>>> the Internet domain ...
> 
>> Am 19.12.2013 19:28, schrieb Kevin A. McGrail:
>>> Will clarify but I wouldn't be shocked if that was the description on
>>> wikipedia from a year or so ago.  This compendium has been written over
>>> many years.
> 
> On 19.12.13 19:39, Robert Schetterer wrote:
>> not a big problem at all ,in your case, but some "marketing people"
>> promote spf/dkim/dmarc as some jedi wonder tool against spam, which
>> simply isnt true
> 
> ... and so we see other marketing people telling
> 
> "we don't use SPF, becausei t's useless - there are spammers using SPF"
> 
> ohh f...

i think their main message will be ever "trust in me and gimme your
money" *g


Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein


Re: Detecting very recently registered domain names

2013-12-19 Thread Benny Pedersen

Kevin A. McGrail skrev den 2013-12-19 20:14:

On 12/19/2013 1:47 PM, Matus UHLAR - fantomas wrote:
ok, so this is again one site that should be corrected... spf is NOT 
an
anti-spam tool - it is anti-forgery tool. Yes, much of spam is forged 
but

the info above is still wrong...

Kevin, please fix that info...

Definitely will mark it as anti-forgery not anti-spam.


if marketing begin to say we dont use ip since spammers are using ips, 
then i will have respect for there knowledge, maybe there money contains 
forged ips ? :)


adsp and ip-blacklist is more or less not usefull anymore

domain blacklist is, since a ham domain can still send from a ip that is 
blacklisted


antispam should know this, hoppefully marketing learns


Re: Detecting very recently registered domain names

2013-12-19 Thread Kevin A. McGrail

On 12/19/2013 1:47 PM, Matus UHLAR - fantomas wrote:

ok, so this is again one site that should be corrected... spf is NOT an
anti-spam tool - it is anti-forgery tool. Yes, much of spam is forged but
the info above is still wrong...

Kevin, please fix that info...

Definitely will mark it as anti-forgery not anti-spam.

Regards,
KAM


Re: Detecting very recently registered domain names

2013-12-19 Thread Matus UHLAR - fantomas

Sender Policy Framework (SPF) - SPF is an anti-spam approach in which

the Internet domain ...



Am 19.12.2013 19:28, schrieb Kevin A. McGrail:

Will clarify but I wouldn't be shocked if that was the description on
wikipedia from a year or so ago.  This compendium has been written over
many years.


On 19.12.13 19:39, Robert Schetterer wrote:

not a big problem at all ,in your case, but some "marketing people"
promote spf/dkim/dmarc as some jedi wonder tool against spam, which
simply isnt true


... and so we see other marketing people telling

"we don't use SPF, becausei t's useless - there are spammers using SPF"

ohh f...
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
(R)etry, (A)bort, (C)ancer


Re: Detecting very recently registered domain names

2013-12-19 Thread Matus UHLAR - fantomas

On 12/19/2013 1:17 PM, Robert Schetterer wrote:

couldnt read that all ,but looks nice
spf. dkim, dmarc are not antispam mechs, however they may help sometimes
in "some" spam cases, so do not mix it up with antispam and confuse users



Am 19.12.2013 19:21, schrieb Kevin A. McGrail:

Good point.  I'll add a caveat because mail administrators need to know
about these topics but this is an email and anti-spam compendium not
just an anti-spam.


On 19.12.13 19:26, Robert Schetterer wrote:

see

https://raptor.pccc.com/raptor.cgim?template=email_spam_compendium

...
Sender Policy Framework (SPF) - SPF is an anti-spam approach in which
the Internet domain


ok, so this is again one site that should be corrected... spf is NOT an
anti-spam tool - it is anti-forgery tool. Yes, much of spam is forged but
the info above is still wrong...

Kevin, please fix that info...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Silvester Stallone: Father of the RISC concept.


Re: Detecting very recently registered domain names

2013-12-19 Thread Benny Pedersen

Robert Schetterer skrev den 2013-12-19 19:39:


not a big problem at all ,in your case, but some "marketing people"
promote spf/dkim/dmarc as some jedi wonder tool against spam, which
simply isnt true


so what is true ?

i really hate ignorants




Re: Detecting very recently registered domain names

2013-12-19 Thread Robert Schetterer
Am 19.12.2013 19:28, schrieb Kevin A. McGrail:
>> Sender Policy Framework (SPF) - SPF is an anti-spam approach in which
> the Internet domain ...
> 
> Will clarify but I wouldn't be shocked if that was the description on
> wikipedia from a year or so ago.  This compendium has been written over
> many years.
> 
> Regards,
> KAM

not a big problem at all ,in your case, but some "marketing people"
promote spf/dkim/dmarc as some jedi wonder tool against spam, which
simply isnt true

> 
> -- 
> *Kevin A. McGrail*
> President
> 
> Peregrine Computer Consultants Corporation
> 3927 Old Lee Highway, Suite 102-C
> Fairfax, VA 22030-2422
> 
> http://www.pccc.com/
> 
> 703-359-9700 x50 / 800-823-8402 (Toll-Free)
> 703-359-8451 (fax)
> kmcgr...@pccc.com 
> 



Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein


Re: Detecting very recently registered domain names

2013-12-19 Thread Kevin A. McGrail

  
  
> Sender Policy Framework (SPF) - SPF is an anti-spam approach in
which
the Internet domain
...


Will clarify but I wouldn't be shocked if that was the description
on wikipedia from a year or so ago.  This compendium has been
written over many years.

Regards,
KAM

-- 
  Kevin A. McGrail
  President
  
Peregrine Computer Consultants Corporation
3927 Old Lee Highway, Suite 102-C
Fairfax, VA 22030-2422
  
http://www.pccc.com/
  
703-359-9700 x50 / 800-823-8402 (Toll-Free)
703-359-8451 (fax)
kmcgr...@pccc.com
  
  
  

  



Re: Detecting very recently registered domain names

2013-12-19 Thread Benny Pedersen

Kevin A. McGrail skrev den 2013-12-19 19:21:

On 12/19/2013 1:17 PM, Robert Schetterer wrote:

couldnt read that all ,but looks nice

Thanks.
spf. dkim, dmarc are not antispam mechs, however they may help 
sometimes
in "some" spam cases, so do not mix it up with antispam and confuse 
users


Good point.  I'll add a caveat because mail administrators need to
know about these topics but this is an email and anti-spam compendium
not just an anti-spam.


spf/dkim/dmarc help sort out who to complain to, it can still be spam or 
not spam


rule i self follow is if spf/dkim/dmarc pass, report spam to auth 
domains that its sent from, if possitive feed back then its done, if 
negative feedback i can safely blacklist sender domain local


but maybe its just me :(



Re: Detecting very recently registered domain names

2013-12-19 Thread Robert Schetterer
Am 19.12.2013 19:21, schrieb Kevin A. McGrail:
> On 12/19/2013 1:17 PM, Robert Schetterer wrote:
>> couldnt read that all ,but looks nice
> Thanks.
>> spf. dkim, dmarc are not antispam mechs, however they may help sometimes
>> in "some" spam cases, so do not mix it up with antispam and confuse users
> 
> Good point.  I'll add a caveat because mail administrators need to know
> about these topics but this is an email and anti-spam compendium not
> just an anti-spam.
> 
> Regards,
> KAM

see

https://raptor.pccc.com/raptor.cgim?template=email_spam_compendium

...
Sender Policy Framework (SPF) - SPF is an anti-spam approach in which
the Internet domain
...

Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein


Re: Detecting very recently registered domain names

2013-12-19 Thread Kevin A. McGrail

On 12/19/2013 1:17 PM, Robert Schetterer wrote:

couldnt read that all ,but looks nice

Thanks.

spf. dkim, dmarc are not antispam mechs, however they may help sometimes
in "some" spam cases, so do not mix it up with antispam and confuse users


Good point.  I'll add a caveat because mail administrators need to know 
about these topics but this is an email and anti-spam compendium not 
just an anti-spam.


Regards,
KAM


Re: Detecting very recently registered domain names

2013-12-19 Thread Robert Schetterer
Am 19.12.2013 18:48, schrieb Kevin A. McGrail:
> On 12/19/2013 10:13 AM, Alex wrote:
>> Isn't that where Kevin works too? Couldn't you just walk down the hall
>> and ask him? lol
> :-) I'm trying to get more people involved in the project.
> 
> Speaking of which, I published the crash course on email / spam at
> https://raptor.pccc.com/raptor.cgim?template=email_spam_compendium 

couldnt read that all ,but looks nice

if
> anyone has any comments.  I know I need to add some about DMARC but a
> lot of people have contributed to this.  I'm going to get the ability to
> comment, etc. soon but I want it to be a general resource for new system
> admins or people coming up to speed on the spam battle to use as a crash
> course.

spf. dkim, dmarc are not antispam mechs, however they may help sometimes
in "some" spam cases, so do not mix it up with antispam and confuse users

see

http://en.wikipedia.org/wiki/DomainKeys_Identified_Mail
...
DomainKeys Identified Mail (DKIM) is a method for associating a domain
name with an email message
...

see

http://en.wikipedia.org/wiki/Sender_Policy_Framework
..
Sender Policy Framework (SPF) is an email validation system designed to
prevent email spam by detecting email spoofing
..

Dmarc goes on top of DKIM and SPF

Anyone may have right spf,dkim,dmarc stuff

i got tons of spam passing spf, dkim, dmarc checks, mostly from hacked
big freemailer accounts, "at the end" its always the content which makes
a mail spammy

> 
> You can also see all the framework I'm working on for an RBL for the SA
> Project.
> 
> Regards,
> KAM
> 
> 



Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein


Re: Detecting very recently registered domain names

2013-12-19 Thread Kevin A. McGrail

On 12/19/2013 10:13 AM, Alex wrote:

Isn't that where Kevin works too? Couldn't you just walk down the hall
and ask him? lol

:-) I'm trying to get more people involved in the project.

Speaking of which, I published the crash course on email / spam at 
https://raptor.pccc.com/raptor.cgim?template=email_spam_compendium if 
anyone has any comments.  I know I need to add some about DMARC but a 
lot of people have contributed to this.  I'm going to get the ability to 
comment, etc. soon but I want it to be a general resource for new system 
admins or people coming up to speed on the spam battle to use as a crash 
course.


You can also see all the framework I'm working on for an RBL for the SA 
Project.


Regards,
KAM




Re: Detecting very recently registered domain names

2013-12-19 Thread Benny Pedersen

John Hardin skrev den 2013-12-19 18:31:


You shouldn't have to do that.


one should not complain either :)

hard to be right :(






Re: Detecting very recently registered domain names

2013-12-19 Thread John Hardin

On Thu, 19 Dec 2013, Benny Pedersen wrote:


Marcin Mirosław skrev den 2013-12-19 17:47:

 I've noticed false positives in last days in this rule.

   1.5 URIBL_RHS_DOB  Contains an URI of a new domain (Day Old
 Bread)
  [URIs: imageshack.us]


add this domain to uribl_skip_domains


You shouldn't have to do that.

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
   -- Peter da Silva in a.s.r
---
 6 days until Christmas

Re: Detecting very recently registered domain names

2013-12-19 Thread Benny Pedersen

Marcin Mirosław skrev den 2013-12-19 17:47:

I've noticed false positives in last days in this rule.

  1.5 URIBL_RHS_DOB  Contains an URI of a new domain (Day Old 
Bread)

 [URIs: imageshack.us]


add this domain to uribl_skip_domains

dont be fool :)




Re: Detecting very recently registered domain names

2013-12-19 Thread Benny Pedersen

Joe Quinn skrev den 2013-12-19 16:02:

We are noticing a lot of spam coming from domains that are less than
two months old. Is there a good way to detect this automatically?

We've thought about whois, but do not want to get blocked for looking
like we are harvesting information.


maybe make a rule that match any domain, then use uribl_skip_domains to 
whitelist the ones that does not spam ?


spammers know there domain will be blacklisted if seen in spam, thats 
why thay got new problems each day :=)


but if thay need to get whitelisted for not spamming thay would try to 
keep there problem


uribl_skip_domains example.org example.net
uri ANY_DOMAIN /./
describe ANY_DOMAIN domain not skipped
score ANY_DOMAIN 0.1

then uri rule will not hit on example.org and example.net

untested, but i think its the way to solve it



Re: Detecting very recently registered domain names

2013-12-19 Thread Marcin Mirosław
W dniu 19.12.2013 16:13, Alex pisze:
> Hi,

Hi,

> On Thu, Dec 19, 2013 at 10:02 AM, Joe Quinn  wrote:
> 
> Isn't that where Kevin works too? Couldn't you just walk down the hall
> and ask him? lol
> 
>> We are noticing a lot of spam coming from domains that are less than two
>> months old. Is there a good way to detect this automatically?
> 
> Two months? That's already ancient.
> 
> Check out the URIBL_RHS_DOB (day old bread) rule. Your domains should
> be hitting that.

I've noticed false positives in last days in this rule.

  1.5 URIBL_RHS_DOB  Contains an URI of a new domain (Day Old Bread)
 [URIs: imageshack.us]




Re: Detecting very recently registered domain names

2013-12-19 Thread Steve Freegard

On 19/12/13 15:50, Joe Quinn wrote:

According to this thread of five years ago, that RBL is not very well
maintained. I wonder if that's still the case?
(http://spamassassin.1065346.n5.nabble.com/New-Day-old-Bread-list-trick-td52989.html)


There also don't appear to be any alternative RBLs that provide a
similar list. I might have to chalk this one up as "not worth the
effort". :(



See SEM-FRESH: http://spameatingmonkey.com/lists.html

Regards,
Steve.




Re: Detecting very recently registered domain names

2013-12-19 Thread Joe Quinn
According to this thread of five years ago, that RBL is not very well 
maintained. I wonder if that's still the case?

(http://spamassassin.1065346.n5.nabble.com/New-Day-old-Bread-list-trick-td52989.html)

There also don't appear to be any alternative RBLs that provide a 
similar list. I might have to chalk this one up as "not worth the 
effort". :(


On 12/19/2013 10:13 AM, Alex wrote:

Hi,

On Thu, Dec 19, 2013 at 10:02 AM, Joe Quinn  wrote:

Isn't that where Kevin works too? Couldn't you just walk down the hall
and ask him? lol


We are noticing a lot of spam coming from domains that are less than two
months old. Is there a good way to detect this automatically?

Two months? That's already ancient.

Check out the URIBL_RHS_DOB (day old bread) rule. Your domains should
be hitting that.

Best,
Alex




Re: Detecting very recently registered domain names

2013-12-19 Thread Alex
Hi,

On Thu, Dec 19, 2013 at 10:02 AM, Joe Quinn  wrote:

Isn't that where Kevin works too? Couldn't you just walk down the hall
and ask him? lol

> We are noticing a lot of spam coming from domains that are less than two
> months old. Is there a good way to detect this automatically?

Two months? That's already ancient.

Check out the URIBL_RHS_DOB (day old bread) rule. Your domains should
be hitting that.

Best,
Alex


Detecting very recently registered domain names

2013-12-19 Thread Joe Quinn
We are noticing a lot of spam coming from domains that are less than two 
months old. Is there a good way to detect this automatically?


We've thought about whois, but do not want to get blocked for looking 
like we are harvesting information.


Regards,
JMQ