Re: Is there a way to block invalid non delivery notifications?
On Wed, 30 Jun 2010 02:02:51 -0700 (PDT), Daniel Lemke le...@jam-software.com wrote: Are there any special rules that are able to identify this kind of spam? It's not spam, it's misconfigured mailservers. Stupid people and malicious people are two different problems. Don't let bayes learn it as spam. We block them at MTA level using subject matching and http://www.backscatterer.org/ Although we block _all_ NDAs, and only whitelist some that are explicitly requested by $boss. May or may not suit your needs.
Re: ot: problem with .de root servers
On Thu, 13 May 2010 09:49:11 +1200, Jason Haar jason.h...@trimble.co.nz wrote: On 05/13/2010 01:17 AM, Timo Schoeler wrote: and the worst thing was that they sent no SERVFAIL but NXDOMAIN what will cause a lot of bounces... Yeah - I'd like to know what crappy DNS server they are running that does that. BIND. Apparently they loaded an empty zone ( i bet one of the zillion crappy perl scripts that maintain zone reloading failed ) I find it more suspicious that it took two hours to load a backup, ... They _do_ have backups, right? You think bounces are bad? I'll give you my phone for a day when it happens again.
Re: Web Proxy RBL ?
On 12/30/2009 07:18 AM, William Taylor wrote: Looking for an RBL or something to determine if a given IP is coming from a web proxy. Trying to cut down on spam coming from exploited users sites. Would like to do some logging and see if this helps. Thanks, William i like sorbs, despite all the fuss. There is also spamhaus xbl, which is said to be quite good. -- Arvid Asgaard Technologies
nonfactual fact: distrust
J.D. Falk wrote: By the by, I think I posted on this list a while ago on a similar question, as to whether we could really trust *any* whitelists, as they simply made for a *deliberate* target of botnet owners. No one made a fuss about it before, but what about now? Maybe, once again, the flaw is in having a whitelisting system that relies upon third party servers with unknown security. We're EXTREMELY concerned about this as well, and we've got a 24x7 operations staff keeping an eye on things. That's one of the reasons we charge money for the service: it lets us buy hardware and software and hire staff to keep it running smoothly, and securely. I don't trust returnpath, and i have disabled their lists. The reason being that shiny marketing websites don't convince me at all. I don't know if they're good or bad, and i have no data to prove anything, neither do i trust any external data. In my eyes they're simply a commercial entity whose purposes are unclear to my uneducated eyes. Personally i like the simple "hey we're having these policies and here's a list you can use if you agree" kind, most blacklists are about. Also i don't trust people who make up charts. Honestly, if you want to convince people to run your lists, think about the thousands of small scale systems out there, that don't bother to look behind your shiny. I understand why no one is willing to report abusers to your list. I searched 4 minutes, and couldn't find an abuse link at all. I'm a lazy bastard easily scared away by suits and huge colorful creep, and i might not be alone with that. -- Arvid Asgaard Technologies
Re: Good reasons to dont use RBLs
Luis Daniel Lucio Quiroz wrote: Hi all, Again me, Well, in the security scope i use a principle that states that you shouldn't use a lower layer solution to fix a higher one. So SPAM is a Layer 7 problem that is used to fixed with a Layer 3 solution (RBL). I'd like a brainstorm to convince that a RBL solution is not the best stopping SPAM, and we should look for L7 solution such as Bayes. SA has no effect on L3 -- Arvid Asgaard Technologies
Re: SORBS bites the dust
Michael Grant wrote: Unless I've missed a message... this is the 100th reply to this thread. This has to be one of the longest threads I've seen on this list in years. Shows there is much to discuss on this matter. Isn't there a generic spam related mailing list?
Re: SORBS bites the dust
Charles Gregory wrote: There are always exceptions. Those can send me (postmaster@) a mail (without being blocked) asking for whitelisting. The reject message contains a link explaining how to do that.
Re: cas...@snigelpost.org bounces?
John Hardin wrote: Is anybody else getting bounces on mail they send to the list from cas...@snigelpost.org? Yep. I wish backscatter.org had a reporting and educating form. I.e. automatically inform the postmaster of that system of the listing including educational material how to fix it. Btw, someone got a webpage that has information for the most common MTAs? I started blocking some backscattering hosts and would like to inform them how to fix the issue.
Re: SORBS bites the dust
Jack Pepper wrote: How long will this go before Godwin's law finally kicks in? It already did. 1. It's 'You're' a joke - not 'your' a joke Now I'm just watching for the fun of it Try IRC :-P
backscatter (was Re: cas...@snigelpost.org bounces?)
Charles Gregory wrote: On Thu, 25 Jun 2009, Arvid Picciani wrote: I started blocking some backscattering hosts and would like to inform them how to fix the issue. I still welcome suggestions for handling the few remaining cases where my procmail chokes on a mailbox limit. Probably more of a PM question than an SA question, but seeing how the cause for concern is backscatter from 'full mailbox' DSN's I'm figuring the answer is here, if anywhere - C
I didn't exactly understand which of the two possible questions you asked (yeah, not native speaker :/ ) so i'll try both:
1) your MTA bounces, because your users' mailboxes are full. Defer (temporary reject) the message at smtp time, so the sending MTA retries a few times and ultimately gives up informing the REAL sender. (you could also reject permanently, if you want that) If you absolutely can't fix the MTA, at least check the SPF before bouncing. If the SPF doesn't match the sender, don't send a bounce. Same for dkim. Also don't bounce spam. Note that backscatter can actually get you blacklisted if you bounce to traps.
2) You're receiving backscatter and you get mailbox full DSNs. I find it impossible to parse DSNs. There is no standard and it's supposed to be human readable. For now i block mail from postmaster/bounce-*/MAILERDAEMON/... from listed (known misconfigured) hosts. I had to firewall two very aggressive hosts though (normal hosts!) This blocks legitimate DSNs so it might not be the solution for everyone. Backscatter.org is far from complete, so i'm working on a trap. Thanks to one of our domains being joe jobbed (and not receiving legitimate DSN, since we don't use it anymore) i can get around 100 hosts per day listed. Unfortunately i lack the infrastructure to make it useful for the public, and backscatter.org has no report form.
Re: SORBS bites the dust
serious hosting providers - I was thinking more of organisations such as 1and1, hetzner, rackspace etc. etc. what's the issue with hetzner? I'm a customer so i'd be very interested in any spam issue not being processed by them.
Re: SORBS bites the dust
WHAT? Sorbs and Spamhaus are polar opposites. Spamhaus is a great organization while SORBS is a POS that helped give all blacklists a bad name. I don't know if SpamAssassin has ever used it. Jeff Moss All i read is OMG THEY BANNED MY COLORFULL OPT OUT NEWSLETTER111 Sorry i trust sorbs because they shield me from crap. That's all i want.
Re: SORBS bites the dust
It does make you wonder why they never seem to end up on any of the spamhaus lists. Perhaps they are brilliant list washers ?
Same here - I see lots of these and they don't score on many lists.
It might be an uneducated guess, but i also have some very annoying hosts on the radar which i started blocking manually because they are on neither spamhaus nor sorbs.
Yep, that looks familiar...
    # The Solo Networks 8.19.136.0 - 8.19.143.255
    8.19.136.0/21 REJECT
    # The Solo Networks 67.218.160.0 - 67.218.191.255
    # 67.218.164.0/24 Surpass Solutions - cybersonicview.com
    # 67.218.173.0/24 X3 Hosting Systems
    # 67.218.180.0/24 LogiTech Interactive
    67.218.160.0/19 REJECT
My policy, I block the /24 straight away, and hits from 3 separate /24's earns a block for the whole netblock (as illustrated above).
How did you identify these blocks as spammers and why doesn't spamhaus do so? They claim to have the worst spammer organisations on their list. I've got a whole list of IPs from india and korea which are on no list but send spam regularly. Should i care to investigate and maybe reject the entire block? I'm pretty new on hunting down sources. All I know is the whois database which is mostly useless for that purpose. -- Arvid
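
The escalation policy quoted in the post above (block each offending /24 at once, and block the whole netblock after hits from 3 separate /24s inside it), sketched in Python as an added example; it is not code from the thread or from any poster. The two allocations are the ranges quoted in the table, the sample hits are constructed, and the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Allocations as found via whois; these two ranges are the ones quoted in the post.
ALLOCATIONS = [
    ipaddress.ip_network("8.19.136.0/21"),
    ipaddress.ip_network("67.218.160.0/19"),
]
ESCALATE_AT = 3  # distinct /24s inside one allocation before the whole block goes


def build_blocklist(spam_ips, allocations=ALLOCATIONS, threshold=ESCALATE_AT):
    """Return the sorted IPv4 networks to reject for the observed spam sources."""
    per_alloc = defaultdict(set)   # allocation -> offending /24s inside it
    unallocated = set()            # offending /24s with no known allocation
    for raw in spam_ips:
        addr = ipaddress.ip_address(raw.strip())
        if addr.version != 4:      # the /24 rule is IPv4-only; skip anything else
            continue
        net24 = ipaddress.ip_network(f"{addr}/24", strict=False)
        parent = next((a for a in allocations if net24.subnet_of(a)), None)
        if parent is None:
            unallocated.add(net24)
        else:
            per_alloc[parent].add(net24)

    blocked = set(unallocated)
    for parent, nets in per_alloc.items():
        if len(nets) >= threshold:
            blocked.add(parent)    # escalate: one entry replaces all its /24s
        else:
            blocked |= nets        # below threshold: only the /24s seen so far
    return sorted(blocked)


def render(networks):
    """Format entries as 'network REJECT' lines, as in the quoted table."""
    return [f"{net} REJECT" for net in networks]


# Constructed sample hits (not taken from the original post).
SAMPLE_HITS = [
    "67.218.164.10", "67.218.164.77", "67.218.173.5", "67.218.180.200",
    "8.19.137.4", "203.0.113.9",
]

if __name__ == "__main__":
    print("\n".join(render(build_blocklist(SAMPLE_HITS))))
```

Counting distinct /24s rather than individual addresses keeps a single noisy host from triggering the netblock-wide entry.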
spamd crash and backscatter related
Hi, i posted two independent problems, one being a high volume of backscatter from Russian MTAs, the other related to SA crashing a lot recently. Those are related. The mail causing the last crash was a bounce from goof.script.ru. I cannot provide the mail's source since i didn't find any method of storing them at the MTA level yet, but i know it's a simple bounce with arbitrary spam attached. A quick google tells me this host is related to 419 scam, and lots of backscatter. So i'm not the only one being troubled by these hosts. I wonder why they are not on any blocking list.
Re: SORBS bites the dust
rich...@buzzhost.co.uk wrote: It comes with great sadness that I have to announce the imminent closure of SORBS. The University of Queensland have decided not to honor their agreement with myself and SORBS and terminate the hosting contract. crap ... sorbs is the only list I trust enough to have them at SMTP level. For any hosting suggestions/provision, please be aware that the 42RU space is a requirement at the moment, 42?!! way out of my league.. any alternatives? :(
Re: SORBS bites the dust
Jeremy Morton wrote: You then have to pay their tithe money to get people to start receiving your e-mail again. sorbs doesn't charge for delisting. Actually no trustworthy bl does.
anything usefull to do with a joe-jobed domain?
Hi, I'm currently convincing my boss to throw away a domain that receives so much backscatter, it's useless to try filtering the legitimate mail. Could i do anything useful with it? Spamtrap won't work since 99.99% of mails are backscatter from legitimate hosts. Can't block those. Maybe a backscatter list wants them?
spamd crashing alot
Hi, I recently got a lot of crashes, any idea how I could find out why? My mail log doesn't contain anything suspicious. thanks -- Arvid
Re: spamd crashing alot
On Sun, 14 Jun 2009, Arvid Picciani wrote: I recently got a lot of crashes, any idea how I could find out why? What information *do* you have? Umm. It crashed and spamc can't connect to it anymore. So I guess the answer is none. My mail log doesn't contain anything suspicious. Does running a sample message through spamassassin and spamc manually yield any clues? No, but that was a useful hint what to do next time it crashes. Unfortunately I don't have any queue before SA, so I can't reproduce the message, but I'll check my MRA docs (exim) for something that might help. Thanks. -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Individual liberties are always loopholes to absolute authority. --- 4 days until SWMBO's Birthday
Re: backscatter from dnswl
On Mon, 2009-06-08 at 15:41 +0200, Arvid Picciani wrote: Hi, i'm getting _massive_ amounts of backscatter and some of the offenders are listed in dnswl.org Has your domain got an SPF record? yes, and it's valid. the amount of backscatter is getting out of control. I fear our MRA might soon explode. I don't think this is noise anymore.
backscatter from dnswl
Hi, i'm getting _massive_ amounts of backscatter and some of the offenders are listed in dnswl.org. is there anything i can do about that? thanks
Re: backscatter from dnswl
Matus UHLAR - fantomas wrote: On 08.06.09 15:41, Arvid Picciani wrote: i'm getting _massive_ amounts of backscatter and some of the offenders are listed in dnswl.org. is there anything i can do about that? ask for DNSWL delisting, if the backscatters are generated by dnswl hosts (if the hosts in the dnswl are the sources, not victims). Depends on interpretation of victim. I personally don't think misconfigured hosts belong in a whitelist, no matter if the admins are well meaning.
Re: opinions on greylisting and others
thanks for your responses. unfortunately i lost all my local mail when my laptop exploded friday :( does this list have an online archive?