Re: The nice thing about standards (was Re: Legit Yahoo mail servers list)
>From: Dianne Skoll >On Mon, 30 Jan 2017 09:06:34 -0500 >Rob McEwen wrote: >> On 1/30/2017 8:54 AM, Matus UHLAR - fantomas wrote: >> > they do and it has been mentioned: >> > https://help.yahoo.com/kb/SLN23997.html >Yahoo Outbound IP addresses | Yahoo Help - SLN23997 >help.yahoo.com >Yahoo Outbound IP addresses. If you're looking for a list of IP addresses that >Yahoo Mail sends emails from, we >have them for you below. Just click a link >below to ... Quick and dirty (I know there are many different ways to do this so I am not saying this is the only way -- no flaming please.): elinks -dump https://help.yahoo.com/kb/SLN23997.html | grep -E '([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?' | awk '{print $1}' >Cool. So Yahoo uses an HTML page that's a pain to process by >computer. Microsoft has >https://support.content.office.net/en-us/static/O365IPAddresses.xml, >which at least is XML. And Google, so far as I can see, can be mined by >recursively expanding _spf.google.com. Everyone else that I have needed to whitelist in postcreen with postwhite will work fine by recursively expanding out their TXT SPF record which is exactly what postwhite does.
The nice thing about standards (was Re: Legit Yahoo mail servers list)
On Mon, 30 Jan 2017 09:06:34 -0500 Rob McEwen wrote: > On 1/30/2017 8:54 AM, Matus UHLAR - fantomas wrote: > > they do and it has been mentioned: > > https://help.yahoo.com/kb/SLN23997.html Cool. So Yahoo uses an HTML page that's a pain to process by computer. Microsoft has https://support.content.office.net/en-us/static/O365IPAddresses.xml, which at least is XML. And Google, so far as I can see, can be mined by recursively expanding _spf.google.com. Yay standards... Regards, Dianne.
Re: Legit Yahoo mail servers list
On Mon, 30 Jan 2017 13:40:26 + David Jones wrote: > My goal in whitelisting Yahoo servers is to make sure these > messages get to MailScanner where they are not whitelisted > and are scores based more on content by Spamassassin rather > than sender reputation (DNSBLs). OK, understood now. I would always err on the side of more flexible filtering rather than conserving server resources, and I'd use a filter flexible enough to a avoid an RBL lookup on an SPF "pass" for yahoo.com. But I understand that others have different optimization goals. Regards, Dianne.
Re: Legit Yahoo mail servers list
On 1/30/2017 8:54 AM, Matus UHLAR - fantomas wrote: they do and it has been mentioned: https://help.yahoo.com/kb/SLN23997.html I wasn't aware of this page. If it was mentioned before in this thread, I missed it. Thanks! -- Rob McEwen
Re: Legit Yahoo mail servers list
On Mon, 30 Jan 2017 04:47:18 +0100 Reindl Harald wrote: > on postscreen level there is no SPF And that's relevant... how? You use a proper filter to do proper filtering. Regards, Dianne.
Re: Legit Yahoo mail servers list
On Sat, 28 Jan 2017 16:33:24 + David Jones wrote: [deleted] Read back through this thread. I never said their SPF record is invalid. All I said is their SPF record is not common and it makes it very hard for anyone to know what the official Yahoo outbound mail servers are. I have read this thread from start. You have said that their list is not good, called that a lazy approach and called yahoo people incompetent, only because others are doing it other way. On 1/29/2017 7:42 PM, Dianne Skoll wrote: [deleted] Can't you just whitelist the domain yahoo.com if and only if it hits SPF "pass"? not at postscreen level. postscreren is lightweight smtpd frontend for postfix, designed to filter out bots/zombies - it can score DNSBL blacklists and whitelists, temporarily blacklist hosts (similar to greylisting, but only at source IP level) and the only way to avoid that is having the local whitelist of cidr ranges. The OP wants to get CIDR ranges of Yahoo to avoid potscreen checks and blames Yahoo for not having the IP ranges in SPF records, because he uses SW named postwhite that extracts such lists from SPF records of given domains, and it can't be used with yahoo.com because of their SPF. On 29.01.17 23:40, Rob McEwen wrote: [deleted] I know you mentioned that Yahoo may want to have the flexibility to change their IPs. But instead of providing a list, they could also provide a link to a web page listing the IPs (like what Comcast does) - and then just update that web page whenever their IPs change. This isn't rocket science. they do and it has been mentioned: https://help.yahoo.com/kb/SLN23997.html -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. I'm not interested in your website anymore. If you need cookies, bake them yourself.
Re: Legit Yahoo mail servers list
>From: Rob McEwen >Sent: Sunday, January 29, 2017 10:40 PM >On 1/29/2017 7:42 PM, Dianne Skoll wrote: >> On Sat, 28 Jan 2017 16:33:24 + >> David Jones wrote: >> >>> Read back through this thread. I never said their SPF record is >>> invalid. All I said is their SPF record is not common and it makes it >>> very hard for anyone to know what the official Yahoo outbound mail >>> servers are. >> >> Why is that important? Can't you just whitelist the domain yahoo.com if >> and only if it hits SPF "pass"? See next response below about the 2 different levels of MailScanner checks. Postfix postscreen is doing the majority of the DNSBL checks and is not integrated with SPF checks. It uses IPs or CIDRs. >> >>> We have to work very hard to get our MTAs to whitelist >>> them. It's in their own best interest to make this information >>> easily available to the Internet since so much spam comes out of >>> their platform. >> >> Then why would you whitelist them? >> Rob is correct below. I do not have a complete whitelist of Yahoo email. Maybe the confusion is due to how MailScanner works. As I also said in this thread previously, MailScanner is not directly tied to the MTA like amavis-new and others. I have to whitelist at the MTA level (Postfix/postscreen) to get past the first level of checks primarily DNSBL related. Then the second level is MailScanner with Spamassassin plus some other unique checks. My goal in whitelisting Yahoo servers is to make sure these messages get to MailScanner where they are not whitelisted and are scores based more on content by Spamassassin rather than sender reputation (DNSBLs). >Dianne, >I can't speak for David, but most or all of your answers don't apply to >my own anti-spam blacklist's attempt to try to avoid blacklisting Yahoo >IPs that are both known for sending much spam, but which also would have >a very high rate of collateral damage if blacklisted. (recognizing that >some very good DNSBLs, which are more aggressive, are more willing to >blacklist Yahoo IPs, and that isn't always a bad thing) Exactly. I would get too much collateral damage if I didn't whitelist Yahoo IPs from DNSBL checks. I have several dozen different DNSBLs combined to do a very good job of blocking the junk before it has to get to SA when you exclude Yahoo and other large hosting providers. The best RBL by far is the Invaluement RBL feed that Rob runs. Well worth the low price. It will save any sysadmin's time easily paying for itself many times over. >Also, when David said "whitelist", I can take an educated guess that he >isn't allowing Yahoo-sent messages free unfiltered access to the inbox - >he is probably just trying to avoid DNSBL checking of those particular >IPs - but then he'll probably STILL do other content filtering of those >messages. That would be my educated guess. And this would be a SMART >strategy. Yes. It does work well. Dave