Re: Constant .info domain spam
On 2:59 PM, Julian Yap wrote:
> NOTE: I changed the domains below to 'dot info' as the mailing list rejected my initial submission.
>
> I'm pretty sure it's not just me but there is some constant spamming from dot info domains. Perhaps for the past 2 months or so. Often they send hundreds per day and consistently from the same IPs.

dot info domains hadn't crossed my radar, but I decided to look anyway and found that my logs agree with your notion that 99% (100%?) of dot info From: addresses are spam. Roughly 75% of mine are caught at the door by RBLs at the MTA level. Of the ones that get through, another 75% score above my reject threshold. A simple rule to bump the points of any dot info From: address has now pushed everything to the tag level, and even many of the tags to rejects.

For what it's worth, the ones making it past the RBLs in the MTA do not match any stock RCVD_IN_* rules.

-- 
/Jason
Re: Constant .info domain spam
On 10/14/2010 8:26 PM, Julian Yap wrote:
> On Thu, Oct 14, 2010 at 4:24 AM, Jason Bertoch <ja...@i6ix.com> wrote:
>> On 2:59 PM, Julian Yap wrote:
>>> NOTE: I changed the domains below to 'dot info' as the mailing list rejected my initial submission.
>>>
>>> I'm pretty sure it's not just me but there is some constant spamming from dot info domains. Perhaps for the past 2 months or so. Often they send hundreds per day and consistently from the same IPs.
>>
>> dot info domains hadn't crossed my radar, but I decided to look anyway and found that my logs agree with your notion that 99% (100%?) of dot info From: addresses are spam. Roughly 75% of mine are caught at the door by RBLs at the MTA level. Of the ones that get through, another 75% score above my reject threshold. A simple rule to bump the points of any dot info From: address has now pushed everything to the tag level, and even many of the tags to rejects.
>>
>> For what it's worth, the ones making it past the RBLs in the MTA do not match any stock RCVD_IN_* rules.
>
> I think I'm going to write my own logic and block things at the MTA level. Implement my own local RBL based on some algorithms.

For what it's worth, the rule I'm using is:

    # .info domains 99% spam (100%?)
    header   JB_FROM_INFO_TLD  From:addr =~ /\...@*\.info$/i
    describe JB_FROM_INFO_TLD  From: address in .info TLD
    score    JB_FROM_INFO_TLD  .01

Although broad rules such as this are generally discouraged, a score of 3 has proven effective based on my mail flow.

/Jason
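The rule Jason posts above keys on the address part of the From: header, not the display name, and anchors the match on the end of the address. The check below is an added example written for this page, not code from Jason or from SpamAssassin: it mimics SpamAssassin's From:addr selector with email.utils.parseaddr and shows what such an anchored TLD match does and does not catch. All header values in it are constructed.

```python
# Added example (not from the list thread or SpamAssassin): what a rule of the
# form  header X  From:addr =~ /\.info$/i  matches. SpamAssassin's From:addr
# selector tests the address part only, never the display name; that is
# mimicked here with parseaddr. Header samples below are constructed.
import re
from email.utils import parseaddr

# Anchored on the end of the address, like the rule in the thread.
INFO_TLD = re.compile(r"\.info$", re.IGNORECASE)


def from_addr(header_value: str) -> str:
    """Return the bare address from a From: header value (display name dropped)."""
    _name, addr = parseaddr(header_value)
    return addr


def from_addr_in_info_tld(header_value: str) -> bool:
    """True when the From: *address* ends in .info, case-insensitively."""
    addr = from_addr(header_value)
    return "@" in addr and INFO_TLD.search(addr) is not None


# Constructed samples with the expected verdict; example.* domains only.
SAMPLES = {
    "Juice Up My Income <sender@example.info>": True,     # plain .info address
    "sender@example.info": True,                          # no display name at all
    '"news.info" <promo@example.com>': False,             # .info only in the display name
    "Alert <alert@mail.example.INFO>": True,              # case-insensitive, subdomain ok
    "Sales <sales@example.info.example.com>": False,      # $ anchor: .info is not the TLD
    "Offers <promo@info-deals.example>": False,           # "info" inside a label, not a TLD
}


def check_samples() -> dict:
    """Run the rule over every sample; a practitioner compares this with SAMPLES."""
    return {h: from_addr_in_info_tld(h) for h in SAMPLES}


if __name__ == "__main__":
    for header, verdict in check_samples().items():
        print(f"{verdict!s:5}  {header}")
```

The two False cases that still contain the string "info" are the reason the rule is anchored with `$` and applied to From:addr rather than the raw header; without the anchor a display name or a lookalike domain would score as well.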
Re: Constant .info domain spam
Hello Julian Yap,

On 2010-10-12 10:32:39, you wrote:
> NOTE: I changed the domains below to 'dot info' as the mailing list rejected my initial submission.
>
> I'm pretty sure it's not just me but there is some constant spamming from dot info domains. Perhaps for the past 2 months or so. Often they send hundreds per day and consistently from the same IPs.

I get more than 600.000 DOT INFO spams per day...

> Are people using automated IP blacklists or something like that?

NO, I block ANY DOT INFO domains and whitelist only a handful of them.

Thanks, Greetings and nice Day/Evening
Michelle Konzack

-- 
# Debian GNU/Linux Consultant ##
Development of Intranet and Embedded Systems with Debian GNU/Linux
itsyst...@tdnet France EURL / itsyst...@tdnet UG (limited liability)
Owner Michelle Konzack
Apt. 917 (homeoffice), 50, rue de Soultz, 67100 Strasbourg/France
Kinzigstraße 17, 77694 Kehl/Germany
Tel: +33-6-61925193 mobil, +33-9-52705884 fix
Tel: +49-177-9351947 mobil
http://www.itsystems.tamay-dogan.net/  http://www.flexray4linux.org/
http://www.debian.tamay-dogan.net/     http://www.can4linux.org/
Jabber linux4miche...@jabber.ccc.de  ICQ#328449886
Linux-User #280138 with the Linux Counter, http://counter.li.org/
Constant .info domain spam
NOTE: I changed the domains below to 'dot info' as the mailing list rejected my initial submission.

I'm pretty sure it's not just me but there is some constant spamming from dot info domains. Perhaps for the past 2 months or so. Often they send hundreds per day and consistently from the same IPs.

Are people using automated IP blacklists or something like that?

Some examples, today I am being bombed by:

  laura_hurtbis...@treebluff dot info     - 217.23.6.209
  go.longer@peterosey dot info            - 204.45.150.196
  alert@woodghost dot info                - 64.32.6.4
  bankruptcy.upda...@bestetroqu dot info  - 173.234.224.131
  n...@maracaoonline dot info             - 184.107.29.11
  l...@feeloffers dot info                - 72.55.165.139
  b...@briesie dot info                   - 67.159.50.131
  claudia_lau...@redpinesales dot info    - 174.37.134.225

The HELO is usually something like:

  uri225.redpinesales dot info
  rjwi4.woodghost dot info
  lvhi11.maracaoonline dot info
  esi139.feeloffers dot info
  yyi131.bestetroqu dot info

So I'm thinking it's the same spammer/spam network/spam program you buy off the shelf.

Any thoughts on combating this onslaught?

- Julian
Re: Constant .info domain spam
On Tue, 2010-10-12 at 10:32 -1000, Julian Yap wrote:
> NOTE: I changed the domains below to 'dot info' as the mailing list rejected my initial submission.
>
> I'm pretty sure it's not just me but there is some constant spamming from dot info domains. Perhaps for the past 2 months or so. Often they send hundreds per day and consistently from the same IPs.
>
> Are people using automated IP blacklists or something like that?

Yes. SA even uses them by default.

What do your SA rules triggered look like? Check your identified spam. Do you see RCVD_IN_* rules? If not, you are having DNS problems, or deliberately disabled those network checks.

-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
RE: Constant .info domain spam
How are RCVD_IN_* rules implemented Karsten?

I have similar spam being sent from such addresses as bidwars.uy...@trgide.soldiersupplywell.net and I don't see that rule in the matching rules.

Running mailwatch for mailscanner with spamassassin

Thanks
peter

-----Original Message-----
From: Karsten Bräckelmann [mailto:guent...@rudersport.de]
Sent: Wednesday, 13 October 2010 10:05 a.m.
To: users@spamassassin.apache.org
Subject: Re: Constant .info domain spam

On Tue, 2010-10-12 at 10:32 -1000, Julian Yap wrote:
> NOTE: I changed the domains below to 'dot info' as the mailing list rejected my initial submission.
>
> I'm pretty sure it's not just me but there is some constant spamming from dot info domains. Perhaps for the past 2 months or so. Often they send hundreds per day and consistently from the same IPs.
>
> Are people using automated IP blacklists or something like that?

Yes. SA even uses them by default.

What do your SA rules triggered look like? Check your identified spam. Do you see RCVD_IN_* rules? If not, you are having DNS problems, or deliberately disabled those network checks.
Re: Constant .info domain spam
On Wed, 2010-10-13 at 11:16 +1300, Peter Lowish wrote:
> How are RCVD_IN_* rules implemented Karsten?

They are generally DNS BL checks, some of which do (and are safe for) deep header parsing. Most of them are checked against the handing-over relay's IP only, though.

They are enabled (by default) by the skip_rbl_checks option, set to 0. If they have not been disabled deliberately or erroneously, missing of such rule hits indicates a DNS problem. (If you are using your ISP's DNS directly or as a forwarder, a local caching non-forwarding DNS usually solves it.)

Of course, your trusted and internal networks must be correct. SA is good at guessing them in most cases, but a more complicated setup might need tweaking.

I mentioned it specifically, because you stated the reported IPs to send a lot of spam. Thus, they are most likely to be listed with some of the RBLs.

Can't say more, because you didn't include any information regarding your environment.

> I have similar spam being sent from such addresses as bidwars.uy...@trgide.soldiersupplywell.net and I don't see that rule in the matching rules

The sender frequently is forged, or registered for abusive purposes with a freemail provider. The left-hand part after the dot looks suspiciously like a forgery. Anyway, the sender address is irrelevant in the context of relay IP checks. Like the submitting host's IP, as you mentioned.

What I am missing is an answer to my question, if you are seeing *ANY* of such rule hits -- and if so, which, and how frequently.

> Running mailwatch for mailscanner with spamassassin

Please do not top-post, and remove unnecessary parts of the quote. Answering each question right below where it was asked would show you quickly what's missing. Like, the actual answer to my previous question.

> -----Original Message-----
> From: Karsten Bräckelmann [mailto:guent...@rudersport.de]
> Sent: Wednesday, 13 October 2010 10:05 a.m.
> To: users@spamassassin.apache.org
> Subject: Re: Constant .info domain spam
>
> On Tue, 2010-10-12 at 10:32 -1000, Julian Yap wrote:
> > NOTE: I changed the domains below to 'dot info' as the mailing list rejected my initial submission.
> >
> > I'm pretty sure it's not just me but there is some constant spamming from dot info domains. Perhaps for the past 2 months or so. Often they send hundreds per day and consistently from the same IPs.
> >
> > Are people using automated IP blacklists or something like that?
>
> Yes. SA even uses them by default.
>
> What do your SA rules triggered look like? Check your identified spam. Do you see RCVD_IN_* rules? If not, you are having DNS problems, or deliberately disabled those network checks.
RE: Constant .info domain spam
I confirm that on revisiting, RCVD_IN_* rules are implemented - thanks for your help

Peter

-----Original Message-----
From: Karsten Bräckelmann [mailto:guent...@rudersport.de]
Sent: Wednesday, 13 October 2010 11:41 a.m.
To: users@spamassassin.apache.org
Subject: Re: Constant .info domain spam

On Wed, 2010-10-13 at 11:16 +1300, Peter Lowish wrote:
> How are RCVD_IN_* rules implemented Karsten?

They are generally DNS BL checks, some of which do (and are safe for) deep header parsing. Most of them are checked against the handing-over relay's IP only, though.

Stuff removed
Re: Constant .info domain spam
2010/10/12 Karsten Bräckelmann <guent...@rudersport.de>:
> On Tue, 2010-10-12 at 10:32 -1000, Julian Yap wrote:
>> NOTE: I changed the domains below to 'dot info' as the mailing list rejected my initial submission.
>>
>> I'm pretty sure it's not just me but there is some constant spamming from dot info domains. Perhaps for the past 2 months or so. Often they send hundreds per day and consistently from the same IPs.
>>
>> Are people using automated IP blacklists or something like that?
>
> Yes. SA even uses them by default.
>
> What do your SA rules triggered look like? Check your identified spam. Do you see RCVD_IN_* rules? If not, you are having DNS problems, or deliberately disabled those network checks.

Many of the don't trigger the RCVD_IN_* rules. Does anyone implement their own private DNS black list?

Here's a latest one:

From: Juice Up My Income <a...@parkrasive dot info>
Subject: Sometimes timing is everything
Date Received: Oct 12, 2010 13:43 PM

Rules triggered:

 7.9 BAYES_99                BODY: Bayes spam probability is 99 to 100% [score: 1.]
 1.2 HOST_EQ_STATIC          HOST_EQ_STATIC
-0.0 SPF_PASS                SPF: sender matches SPF record
 0.0 HTML_MESSAGE            BODY: HTML included in message
 1.3 MIME_HTML_ONLY          BODY: Message only has text/html MIME parts
 0.5 MY_OBFUX                RAW: X with unusual chars
 0.3 MY_OBFU_MISC            RAW: Misc unusual chars together
 0.3 HOST_MISMATCH_COM       HOST_MISMATCH_COM
 0.3 MIME_8BIT_HEADER        Message header contains 8-bit character
 1.4 HELO_MISMATCH_INFO      HELO_MISMATCH_INFO
 0.0 SUBJECT_NEEDS_ENCODING  SUBJECT_NEEDS_ENCODING
 0.0 T_REMOTE_IMAGE          Message contains an external image
RE: Constant .info domain spam
On Wed, 2010-10-13 at 12:28 +1300, Peter Lowish wrote:
> I confirm that on revisiting, RCVD_IN_* rules are implemented - thanks for your help

*sigh*

> -----Original Message-----
> From: Karsten Bräckelmann [mailto:guent...@rudersport.de]
> Sent: Wednesday, 13 October 2010 11:41 a.m.
> To: users@spamassassin.apache.org
> Subject: Re: Constant .info domain spam
>
> On Wed, 2010-10-13 at 11:16 +1300, Peter Lowish wrote:
> > How are RCVD_IN_* rules implemented Karsten?
>
> They are generally DNS BL checks, some of which do (and are safe for) deep header parsing. Most of them are checked against the handing-over relay's IP only, though.
>
> Stuff removed
  ^ I did *not* write that. What I did write, however, was an explicit request to not top-post.

Moreover, I clearly asked for *which* RCVD_IN_* rules hit, and an estimate frequency number. Take a guess, if I have a reason for that.

Not all of the DNS BLs have a query threshold. Yes, it is possible to get such hits, but still miss some of the most important ones. But hey, you ignored and snipped my questions and the information how to fix it (unless you are a seriously heavy load), so I only can assume it doesn't apply to you. *shrug*

Well, if the above answers all your questions, glad to help. Otherwise, I guess we need the information I asked for.

BTW, since you got my hint to strip the quote (although not limiting to unnecessary parts) -- there's no need to send a copy directly. I do read the list. I wouldn't have answered to your OP otherwise...
Re: Constant .info domain spam
On Tue, 2010-10-12 at 14:03 -1000, Julian Yap wrote:
> 2010/10/12 Karsten Bräckelmann <guent...@rudersport.de>:
>> On Tue, 2010-10-12 at 10:32 -1000, Julian Yap wrote:

Doh! Upon re-reading, I just realized that you are the OP of this thread, not Peter. So, please, Julian, think of most (if not all) my questions being directed at you, too.

>>> Are people using automated IP blacklists or something like that?
>>
>> Yes. SA even uses them by default.
>>
>> What do your SA rules triggered look like? Check your identified spam. Do you see RCVD_IN_* rules? If not, you are having DNS problems, or deliberately disabled those network checks.
>
> Many of the don't trigger the RCVD_IN_* rules. Does anyone implement their own private DNS black list?

Many of what?

Anyway, yes, some *few* people are using private DNS BLs. Some (a lot more) users are using DNS BLs not used by SA by default -- courtesy of the version, of course.

[Added after re-reading: Same request. Which ones do hit, optionally which ones don't?]

> Here's a latest one:
>
> From: Juice Up My Income <a...@parkrasive dot info>
> Subject: Sometimes timing is everything
> Date Received: Oct 12, 2010 13:43 PM
>
> Rules triggered:
>  7.9 BAYES_99 BODY: Bayes spam probability is 99 to 100% [score: 1.]

That is a rather drastic score, and generally not advised. However, overall it passed your spam threshold by far, no!?

>  1.2 HOST_EQ_STATIC HOST_EQ_STATIC
> -0.0 SPF_PASS SPF: sender matches SPF record
>  0.0 HTML_MESSAGE BODY: HTML included in message
>  1.3 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
>  0.5 MY_OBFUX RAW: X with unusual chars
>  0.3 MY_OBFU_MISC RAW: Misc unusual chars together
>  0.3 HOST_MISMATCH_COM HOST_MISMATCH_COM
>  0.3 MIME_8BIT_HEADER Message header contains 8-bit character
>  1.4 HELO_MISMATCH_INFO HELO_MISMATCH_INFO
>  0.0 SUBJECT_NEEDS_ENCODING SUBJECT_NEEDS_ENCODING
>  0.0 T_REMOTE_IMAGE Message contains an external image
Re: Constant .info domain spam
2010/10/12 Karsten Bräckelmann <guent...@rudersport.de>:
> On Tue, 2010-10-12 at 14:03 -1000, Julian Yap wrote:
>> 2010/10/12 Karsten Bräckelmann <guent...@rudersport.de>:
>>> On Tue, 2010-10-12 at 10:32 -1000, Julian Yap wrote:
>>>> Are people using automated IP blacklists or something like that?
>>>
>>> Yes. SA even uses them by default.
>>>
>>> What do your SA rules triggered look like? Check your identified spam. Do you see RCVD_IN_* rules? If not, you are having DNS problems, or deliberately disabled those network checks.
>>
>> Many of the don't trigger the RCVD_IN_* rules. Does anyone implement their own private DNS black list?
>
> Many of what?

Many of the .info emails. I guess because they are not listed on any RDNSBLs.

>> Here's a latest one:
>>
>> From: Juice Up My Income <a...@parkrasive dot info>
>> Subject: Sometimes timing is everything
>> Date Received: Oct 12, 2010 13:43 PM
>>
>> Rules triggered:
>> 7.9 BAYES_99 BODY: Bayes spam probability is 99 to 100% [score: 1.]
>
> That is a rather drastic score, and generally not advised. However, overall it passed your spam threshold by far, no!?

Yes, but my issue I guess is the volume.

Perhaps, this is a more 'general' thread to the overall .info domain issue. Just wanted to see if there were general ideas of how people combat this problem. Perhaps others do not see the volumes of spam that I do to notice the issue.

- Julian
Re: Constant .info domain spam
On Tue, 2010-10-12 at 14:22 -1000, Julian Yap wrote:
> 2010/10/12 Karsten Bräckelmann <guent...@rudersport.de>:
>> On Tue, 2010-10-12 at 14:03 -1000, Julian Yap wrote:
>>> Many of the don't trigger the RCVD_IN_* rules. Does anyone implement their own private DNS black list?
>>
>> Many of what?
>
> Many of the .info emails. I guess because they are not listed on any RDNSBLs.
>
>>> Here's a latest one:
>>>
>>> From: Juice Up My Income <a...@parkrasive dot info>
>>> Subject: Sometimes timing is everything
>>> Date Received: Oct 12, 2010 13:43 PM
>>>
>>> Rules triggered:
>>> 7.9 BAYES_99 BODY: Bayes spam probability is 99 to 100% [score: 1.]
>>
>> That is a rather drastic score, and generally not advised. However, overall it passed your spam threshold by far, no!?
>
> Yes, but my issue I guess is the volume.
>
> Perhaps, this is a more 'general' thread to the overall .info domain issue. Just wanted to see if there were general ideas of how people combat this problem. Perhaps others do not see the volumes of spam that I do to notice the issue.

What I am (again!) missing, is the actual list of RCVD_IN_* rules hit. Or, in other words, the DNS BL list providers that do result in a hit. Absence of a few ones will show if your DNS is blocked.

So, which of these rules do trigger? How often?

And, again, there's no need to send a private copy. On-list only is sufficient. I do read this list, no reason you would want to end up on-list *and* in my Inbox, right?
Re: Constant .info domain spam
On 10/12/2010 8:14 PM, Karsten Bräckelmann wrote:
> [Added after re-reading: Same request. Which ones do hit, optionally which ones don't?]

For the IPs mentioned:

  217.23.6.209
  204.45.150.196
  64.32.6.4
  173.234.224.131
  184.107.29.11
  72.55.165.139
  67.159.50.131
  174.37.134.225

...here is a tally of *which* DNSBLs blacklisted these IPs, and how many of these IPs were blacklisted by each DNSBL: (see analysis below this list)

NOTE: There were 8 different IPs. So the highest possible score was an 8 out of 8.

  # of hits   blacklist name
  7           ivmSIP
  7           FIVETEN
  6           BARRACUDA
  6           Tiopan
  5           PSBL
  4           ivmSIP/24
  3           NIXSPAM
  3           OSPAM
  2           BURNT-TECH
  2           EMAILBASURA
  2           KEMPTBL
  2           SORBS
  2           SWINOG
  2           WPBL
  1           AHBL
  1           RATS-Dyna
  1           SPAMCANNIBAL
  1           SPAMCOP
  1           UCEPROTECT1

I tallied this by checking each of those IPs on the mxtoolbox.com web site (one of the more popular free DNSBL lookup sites), and gave credit for each hit.

Keep in mind that this ranking does NOT take into account the FP rates of each of the lists. For example, ivmSIP and FIVETEN tied for first place. But, of course, ivmSIP is orders of magnitude a higher quality blacklist compared to FiveTen when you factor in a DNSBL's ability to avoid False Positives. Therefore, the BEST lists are the ones which scored high on this list --AND-- which also have low FPs.

(for example, the one IP that ivmSIP missed really is a heavily abused IP... but one that also has MUCH legitimate use because it is used by one of the most popular dating sites for Latinos, which has 8 million subscribers. Therefore, MUCH collateral damage might occur from the blacklisting of this IP. Still, this can be a judgment call because sometimes enough is enough with some heavily abused IPs that have some legit uses!)

Regarding that one IP, the DNSBLs which blacklisted 67.159.50.131 include FiveTen, Ospam, PSBL, and SORBS. Personally, I consider this to be the only False Positive of all the IPs submitted. And, for anyone who agrees with that analysis, this makes ivmSIP the /*only*/ list with a perfect 7 out of 7 score. But, again, considering 67.159.50.131 to be a FP is somewhat of a judgment call.

NOTE: What this list is missing are DNSBLs like Zen. Obviously, the reason Zen is missing is because the person who submitted this list of IPs for missed spams probably ALREADY uses Zen--so those spam /blocked/ by Zen won't show up on his list of /missed/ spams. And other DNSBLs may be in the same situation. For example, I suspect this mail system also uses SpamCop. So why the one SpamCop hit in the tally above? Probably because that one IP may not have been in SpamCop at the time the message arrived. (perhaps the same is true for UCE-1 and SORBS?--and would explain their 1 or 2 hits?)

Along the same lines, some other DNSBLs that this mail system uses are not going to show up on that list at all, even if very good blacklists, like Zen--due to those DNSBLs already being used for outright blocking on that mail server where these spams were missed. That is the reason some lists are missing or under-represented.

-- 
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
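Karsten's description of RCVD_IN_* rules (a DNS lookup of the handing-over relay's IP against each list, with a missing answer pointing at DNS trouble rather than a clean IP) and Rob's per-list hit tally both come down to the same mechanics. The following is an added example, not code from the thread, from SpamAssassin or from mxtoolbox: it builds the reversed-octet DNSBL query name, counts only an answer inside 127.0.0.0/8 as a listing, and tallies hits per list the way Rob's table does. The resolver is injectable, so the sample run uses a constructed lookup table; the zone names and listings in it are hypothetical and the IPs are documentation addresses. Only resolve_with_socket would touch the network, and nothing below calls it.

```python
# Added example (not from the thread, SpamAssassin or mxtoolbox): DNSBL query
# construction and a per-list hit tally. Zone names, listings and IPs in the
# sample data are constructed; real lists publish their own return codes.
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Optional, Tuple

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the IPv4 octets and append the zone: a.b.c.d -> d.c.b.a.zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("only IPv4 DNSBL queries are handled here")
    return ".".join(reversed(ip.split("."))) + "." + zone


def is_listed_answer(answer: Optional[str]) -> bool:
    """A DNSBL signals 'listed' with an A record in 127/8; NXDOMAIN (None) is clean.
    An answer outside 127/8 is not a listing: that is what a wildcarding or
    hijacked resolver returns, and treating it as a hit would flag every IP."""
    if answer is None:
        return False
    return ipaddress.ip_address(answer) in LISTED_RANGE


def resolve_with_socket(name: str) -> Optional[str]:
    """Live resolver for real use: the A record, or None on NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def tally(ips: Iterable[str], zones: Iterable[str],
          resolve: Callable[[str], Optional[str]]) -> Dict[str, List[str]]:
    """Map each zone to the IPs it lists, using the supplied resolver."""
    hits: Dict[str, List[str]] = {zone: [] for zone in zones}
    for ip in ips:
        for zone in hits:
            if is_listed_answer(resolve(dnsbl_query_name(ip, zone))):
                hits[zone].append(ip)
    return hits


def ranked(hits: Dict[str, List[str]]) -> List[Tuple[str, int]]:
    """(zone, hit count) ordered like Rob's table: most hits first, then by name."""
    return sorted(((z, len(v)) for z, v in hits.items()),
                  key=lambda item: (-item[1], item[0]))


# Constructed, hypothetical listing data keyed by full DNSBL query name.
FAKE_ZONE_DATA = {
    "10.2.0.192.bl-one.example": "127.0.0.2",
    "20.100.51.198.bl-one.example": "127.0.0.2",
    "20.100.51.198.bl-two.example": "127.0.0.3",
    "30.113.0.203.bl-two.example": "127.0.0.3",
    # bl-three answers with a public address (a wildcarding resolver): no hit.
    "30.113.0.203.bl-three.example": "198.51.100.7",
}

SAMPLE_IPS = ["192.0.2.10", "198.51.100.20", "203.0.113.30"]
SAMPLE_ZONES = ["bl-one.example", "bl-two.example", "bl-three.example"]


def fake_resolve(name: str) -> Optional[str]:
    """Offline stand-in for resolve_with_socket over FAKE_ZONE_DATA."""
    return FAKE_ZONE_DATA.get(name)


def demo() -> List[Tuple[str, int]]:
    return ranked(tally(SAMPLE_IPS, SAMPLE_ZONES, fake_resolve))


if __name__ == "__main__":
    for zone, count in demo():
        print(f"{count} {zone}")
```

To reproduce Rob's tally against live lists, pass resolve_with_socket and the real zone names in place of the fakes. If every zone comes back with zero hits for IPs that are known to be listed, or every zone answers with a non-127/8 address, the resolver rather than the lists is the problem, which is the DNS failure Karsten points at above.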