Re: Never ending spam flood www.viaXX.net?
On Fri, 2009-07-10 at 22:42 +0200, Benny Pedersen wrote:
> On Fri, July 10, 2009 18:17, Karsten Bräckelmann wrote:
> > Anyway, as I've told you before with some hastily scribbled logic, you
> > seriously should read up on De Morgan's law. The above meta equals
                                  ^^^
> >   ! ( __URIBL_BLACK && __URIBL_GREY )
>
> are you sure this logic holds in sa ?

Logic holds. No matter where.

Wow. That's basic Boolean logic. You might want to get a pen and paper, and write down a trivial truth table.

What you probably meant is "neither of these", which is "not (any of these)". That's !(A||B), which is NOT the same as (!A||!B), as you used. Yes, that's De Morgan's law. Mind actually reading up on the explicit and glaring hints I provide?

I'll refrain from picking your remaining comments to pieces.

-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Never ending spam flood www.viaXX.net?
Benny Pedersen wrote:
> On Fri, July 10, 2009 18:17, Karsten Bräckelmann wrote:
>> Anyway, as I've told you before with some hastily scribbled logic, you
>> seriously should read up on De Morgan's law. The above meta equals
>>
>>   ! ( __URIBL_BLACK && __URIBL_GREY )
>
> are you sure this logic holds in sa ?
>
> || is imho or not and in my testing it works

This is basic logic, it has nothing to do with SA.

  not A or not B == not ( A and B )

Either way, the condition is true if either A or B is false.

-- 
Bowie
Re: Never ending spam flood www.viaXX.net?
On Fri, July 10, 2009 18:17, Karsten Bräckelmann wrote:
> Anyway, as I've told you before with some hastily scribbled logic, you
> seriously should read up on De Morgan's law. The above meta equals
>
>   ! ( __URIBL_BLACK && __URIBL_GREY )

are you sure this logic holds in sa ?

|| is imho or not and in my testing it works

my example was just very minimal and it can add more || to make a white, but it might be better with a plugin for uridnswl

i just had to think how it would be possible to be in front of spammers heaven, and not always behind with rules, and imho this is not possible with blacklisting rules

-- 
xpoint
Re: Never ending spam flood www.viaXX.net?
On Fri, 10 Jul 2009, Yet Another Ninja wrote:

> On 7/10/2009 6:30 PM, rich...@buzzhost.co.uk wrote:
>> On Fri, 2009-07-10 at 09:11 -0700, John Hardin wrote:
>>> On Fri, 10 Jul 2009, Terry Carmen wrote:
>>>
>>>> All the supplied domain names have a DNS server in China. It might be
>>>> worth it to create a rule to based on the link's DNS server's location
>>>> (Geo IP Lookup).
>>>
>>> *that* might actually be a good test, and one that is safer than
>>> resolving the offending hostname itself. You're not likely to get
>>> poisoned by a TLD server...
>>
>> Which is what the Barracuda Real Time Intent engine does.. Looks up
>> the IP for the AUTH NS, then checks that IP against B/L.
>
> and what's different to the default URIBL_SBL concept ?

From the Spamhaus website:

"Over 60% of spam contains URLs of spammer web sites whose webserver IPs are listed on the Spamhaus SBL."

We're talking about the IP address of the URI domain's DNS server(s), not the IP address of the URI webserver itself.

Checking the URI domain's DNS server(s) for geography (probably a pretty weak test, lots of legitimate sites would have DNS servers in China) or an explicit IP DNSBL (DNS servers that provide data for a lot of hostile/spammy domains might be fairly strong).

-- 
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Win95: Where do you want to go today?
Vista: Where will Microsoft allow you to go today?
---
10 days until the 40th anniversary of Apollo 11 landing on the Moon
Re: Never ending spam flood www.viaXX.net?
On Fri, 2009-07-10 at 18:44 +0200, Yet Another Ninja wrote:
> On 7/10/2009 6:30 PM, rich...@buzzhost.co.uk wrote:
> > On Fri, 2009-07-10 at 09:11 -0700, John Hardin wrote:
> >> On Fri, 10 Jul 2009, Terry Carmen wrote:
> >>
> >>> All the supplied domain names have a DNS server in China. It might be
> >>> worth it to create a rule to based on the link's DNS server's location
> >>> (Geo IP Lookup).
> >> *that* might actually be a good test, and one that is safer than resolving
> >> the offending hostname itself. You're not likely to get poisoned by a TLD
> >> server...
> >>
> > Which is what the Barracuda Real Time Intent engine does.. Looks up
> > the IP for the AUTH NS, then checks that IP against B/L.
>
> and what's different to the default URIBL_SBL concept ?

I agree that the MAN page for Mail::SpamAssassin::Plugin::URIDNSBL says it does this;

"This works by analysing message text and HTML for URLs, extracting the domain names from those, querying their NS records in DNS, resolving the hostnames used therein, and querying various DNS blocklists for those IP addresses. This is quite effective."

I'm not convinced it is resolving the AUTH NS IP's but I want to run some TCP dumps and tests to get a better understanding of what it does.

I think where the Barracuda differs is the 'multi-level'. It will follow the links (up to five redirects is the default) checking each one on the way. In production this works pretty well if you have a half decent DNS server that can keep up. It would be nice to get SA to mimic this in its entirety.
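The lookup chain quoted from the URIDNSBL man page above (URI domain, then its NS records, then the name servers' addresses, then a DNSBL query on those addresses), as an added example that is not part of the thread and not SpamAssassin's code. The DNS data, the zone dnsbl.example, the "last two labels" domain rule and all function names are constructed assumptions so that it runs offline.

```python
import ipaddress
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

# Constructed sample data: documentation names and addresses only.
SAMPLE_DNS = {
    ("shop.example", "NS"): ["ns1.dnshost.example", "ns2.dnshost.example"],
    ("ns1.dnshost.example", "A"): ["192.0.2.53"],
    ("ns2.dnshost.example", "A"): ["198.51.100.53"],
    ("news.example", "NS"): ["ns.clean.example"],
    ("ns.clean.example", "A"): ["203.0.113.10"],
    # A DNSBL answers with a 127.0.0.x code when the address is listed.
    ("53.2.0.192.dnsbl.example", "A"): ["127.0.0.2"],
}
SAMPLE_MESSAGE = (
    "Order at http://www.shop.example/buy?id=1 today, "
    "mirror http://192.0.2.80/x and news http://news.example/today"
)


def sample_lookup(name, rtype):
    """Stand-in for a resolver: returns a list of answers, empty if none."""
    return SAMPLE_DNS.get((name.lower().rstrip("."), rtype), [])


def recording(lookup):
    """Wrap a lookup so every (name, type) query is logged for inspection."""
    log = []

    def wrapped(name, rtype):
        log.append((name, rtype))
        return lookup(name, rtype)

    return wrapped, log


def uri_domains(text):
    """Domains of the URLs in a message body; literal-IP URLs are skipped."""
    found = set()
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname
        if not host:
            continue
        try:
            ipaddress.ip_address(host)
            continue
        except ValueError:
            pass
        labels = host.lower().rstrip(".").split(".")
        if len(labels) >= 2:
            # Assumption: registered domain = last two labels.
            found.add(".".join(labels[-2:]))
    return sorted(found)


def dnsbl_name(ip, zone):
    """DNSBL query name for an IPv4 address: reversed octets + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def check_message(text, zone, lookup):
    """Return (domain, ns_host, ns_ip, dnsbl_code) for each listed NS address.

    Only NS records of the URI domain and A records of the name servers are
    queried; the hostname in the URI itself is never resolved.
    """
    hits = []
    for domain in uri_domains(text):
        for ns_host in lookup(domain, "NS"):
            for ns_ip in lookup(ns_host, "A"):
                codes = lookup(dnsbl_name(ns_ip, zone), "A")
                if codes:
                    hits.append((domain, ns_host, ns_ip, codes[0]))
    return hits


if __name__ == "__main__":
    lookup, queries = recording(sample_lookup)
    for hit in check_message(SAMPLE_MESSAGE, "dnsbl.example", lookup):
        print("listed:", hit)
    print("queries sent:", queries)
```

The query log makes the distinction argued over in the thread visible: no A query is ever sent for www.shop.example or shop.example.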
Re: Never ending spam flood www.viaXX.net?
On 7/10/2009 6:30 PM, rich...@buzzhost.co.uk wrote:
> On Fri, 2009-07-10 at 09:11 -0700, John Hardin wrote:
>> On Fri, 10 Jul 2009, Terry Carmen wrote:
>>
>>> All the supplied domain names have a DNS server in China. It might be
>>> worth it to create a rule to based on the link's DNS server's location
>>> (Geo IP Lookup).
>>
>> *that* might actually be a good test, and one that is safer than
>> resolving the offending hostname itself. You're not likely to get
>> poisoned by a TLD server...
>
> Which is what the Barracuda Real Time Intent engine does.. Looks up
> the IP for the AUTH NS, then checks that IP against B/L.

and what's different to the default URIBL_SBL concept ?
Re: Never ending spam flood www.viaXX.net?
On Fri, 2009-07-10 at 09:11 -0700, John Hardin wrote:
> On Fri, 10 Jul 2009, Terry Carmen wrote:
>
> > All the supplied domain names have a DNS server in China. It might be
> > worth it to create a rule to based on the link's DNS server's location
> > (Geo IP Lookup).
>
> *that* might actually be a good test, and one that is safer than resolving
> the offending hostname itself. You're not likely to get poisoned by a TLD
> server...
>

Which is what the Barracuda Real Time Intent engine does.. Looks up the IP for the AUTH NS, then checks that IP against B/L.
Re: Never ending spam flood www.viaXX.net?
On Fri, 2009-07-10 at 12:40 +0200, Benny Pedersen wrote:
> there is more than one way of make a white ?

Not being blacklisted does not justify any shade of white. The absence of a listing is nothing more than no information. You can't deduct any inverted information.

> meta URI_WHITE (!__URIBL_BLACK || !__URIBL_GREY)
>
> no ?

No. That one is *always* true, since BLACK and GREY are mutually exclusive. For a given, single URI at least. A mail with two different URIs sure can result in multiple listings.

Anyway, as I've told you before with some hastily scribbled logic, you seriously should read up on De Morgan's law. The above meta equals

  ! ( __URIBL_BLACK && __URIBL_GREY )

-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
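The truth table that this message and the two follow-ups about De Morgan's law refer to, worked through in code. This is an added example, not part of any post in the thread; it evaluates only the Boolean subset of meta syntax (!, &&, ||, parentheses), and the single_uri constraint is an assumed encoding of the statement above that BLACK and GREY are mutually exclusive for one URI.

```python
import itertools
import re

# Boolean subset of meta-rule syntax: !, &&, ||, parentheses, rule names.
TOKEN = re.compile(r"\s*(\|\||&&|!|\(|\)|[A-Za-z_][A-Za-z0-9_]*)")
NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

BLACK, GREY = "__URIBL_BLACK", "__URIBL_GREY"
AS_POSTED = "(!__URIBL_BLACK || !__URIBL_GREY)"  # the meta from the thread
DE_MORGAN = "!(__URIBL_BLACK && __URIBL_GREY)"   # what it is said to equal
NEITHER = "!(__URIBL_BLACK || __URIBL_GREY)"     # "neither of these"


def tokenize(expr):
    expr, pos, toks = expr.strip(), 0, []
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}")
        toks.append(m.group(1))
        pos = m.end()
    return toks


def parse(expr):
    """Recursive descent; precedence ! > && > ||. Returns a nested tuple."""
    toks = tokenize(expr)

    def p_or(i):
        node, i = p_and(i)
        while i < len(toks) and toks[i] == "||":
            rhs, i = p_and(i + 1)
            node = ("or", node, rhs)
        return node, i

    def p_and(i):
        node, i = p_not(i)
        while i < len(toks) and toks[i] == "&&":
            rhs, i = p_not(i + 1)
            node = ("and", node, rhs)
        return node, i

    def p_not(i):
        if i >= len(toks):
            raise ValueError("unexpected end of expression")
        if toks[i] == "!":
            node, i = p_not(i + 1)
            return ("not", node), i
        if toks[i] == "(":
            node, i = p_or(i + 1)
            if i >= len(toks) or toks[i] != ")":
                raise ValueError("missing closing parenthesis")
            return node, i + 1
        if not NAME.fullmatch(toks[i]):
            raise ValueError(f"operand expected, got {toks[i]!r}")
        return ("var", toks[i]), i + 1

    node, i = p_or(0)
    if i != len(toks):
        raise ValueError("trailing tokens")
    return node


def evaluate(node, env):
    op = node[0]
    if op == "var":
        return env[node[1]]
    if op == "not":
        return not evaluate(node[1], env)
    if op == "and":
        return evaluate(node[1], env) and evaluate(node[2], env)
    return evaluate(node[1], env) or evaluate(node[2], env)


def truth_table(expr, names=(BLACK, GREY), constraint=None):
    """Rows of (input values, result); rows failing the constraint are skipped."""
    tree, rows = parse(expr), []
    for values in itertools.product((False, True), repeat=len(names)):
        env = dict(zip(names, values))
        if constraint is None or constraint(env):
            rows.append((values, evaluate(tree, env)))
    return rows


def equivalent(a, b):
    return truth_table(a) == truth_table(b)


def always_true(expr, constraint=None):
    return all(result for _, result in truth_table(expr, constraint=constraint))


def single_uri(env):
    """Assumption from the thread: one URI is never BLACK and GREY at once."""
    return not (env[BLACK] and env[GREY])


if __name__ == "__main__":
    for expr in (AS_POSTED, DE_MORGAN, NEITHER):
        print(expr, [int(r) for _, r in truth_table(expr)])
    print("always true for one URI:", always_true(AS_POSTED, single_uri))
```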
Re: Never ending spam flood www.viaXX.net?
On Fri, 10 Jul 2009, Terry Carmen wrote:

> All the supplied domain names have a DNS server in China. It might be
> worth it to create a rule to based on the link's DNS server's location
> (Geo IP Lookup).

*that* might actually be a good test, and one that is safer than resolving the offending hostname itself. You're not likely to get poisoned by a TLD server...

-- 
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
We should endeavour to teach our children to be gun-proof rather than trying to design guns to be child-proof
---
10 days until the 40th anniversary of Apollo 11 landing on the Moon
Re: Never ending spam flood www.viaXX.net?
> On Fri, 10 Jul 2009, Terry Carmen wrote:
>
>>> Because of Apache.org spam filters I can't send here my message about
>>> spammers again:
>> . . .
>>
>>> http://pastebin.com/f6a83e9fb
>>
>> I'm new to this list, and may be missing something obvious, but this
>> looks like a great candidate for a firewall "DROP" rule.
>>
>> Is there any reason you don't just drop the packets instead of wasting
>> time deciding if they're spam?
>
> Those IPs are for the website in the body URI, not the IP sending the
> mail.

OK, thanks. I thought the OP was receiving unwanted mail from a few IPs.

All the supplied domain names have a DNS server in China. It might be worth it to create a rule to based on the link's DNS server's location (Geo IP Lookup).

Terry
Re: Never ending spam flood www.viaXX.net?
On Fri, 10 Jul 2009, Terry Carmen wrote:

>> Because of Apache.org spam filters I can't send here my message about
>> spammers again:
> . . .
>
>> http://pastebin.com/f6a83e9fb
>
> I'm new to this list, and may be missing something obvious, but this
> looks like a great candidate for a firewall "DROP" rule.
>
> Is there any reason you don't just drop the packets instead of wasting
> time deciding if they're spam?

Those IPs are for the website in the body URI, not the IP sending the mail.

-- 
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Pork (n): (political) The manifestation of the principle that it is a felony to bribe a legislator, unless you are also a legislator.
---
10 days until the 40th anniversary of Apollo 11 landing on the Moon
Re: Never ending spam flood www.viaXX.net?
Matt Kettler wrote:
>>> It's no plugin I know of, but it's a feature we intentionally left out
>>> of SA for security reasons. So given that it's a really bad idea I'd
>>> guess barracuda did implement it themselves.
>>>
>> Are you forgetting URIBL_SBL?? That requires the A or NS records of
>> the URI to function.
>>
>
> We do NS only. Not A.
>

Sorry; my bad

Cheers,
Steve.
Re: Never ending spam flood www.viaXX.net?
Terry Carmen wrote:
>> Hi,
>>
>> Because of Apache.org spam filters I can't send here my message about
>> spammers again:
> . . .
>
>> http://pastebin.com/f6a83e9fb
>
> I'm new to this list, and may be missing something obvious, but this looks
> like a great candidate for a firewall "DROP" rule.

Hi Terry,

You are welcome here! :)

> Is there any reason you don't just drop the packets instead of wasting time
> deciding if they're spam?

I pasted a few IP addresses of web "drug store" with viagra and another medicaments for the men with erection issues. The spam flood advertises that "shop", but we receive unsolicited messages from infected Windows machines, compromised or buggy webmails, etc. in all the world.

My best regards,

Pawel
Re: Never ending spam flood www.viaXX.net?
Quoting "Terry Carmen" :

>> Hi,
>>
>> Because of Apache.org spam filters I can't send here my message about
>> spammers again:
> . . .
>> http://pastebin.com/f6a83e9fb
>
> I'm new to this list, and may be missing something obvious, but this
> looks like a great candidate for a firewall "DROP" rule.
>
> Is there any reason you don't just drop the packets instead of wasting
> time deciding if they're spam?
>
> In fact, you can get fail2ban to do this automatically for IPs that
> create a significant number of spammy messages.
>
> Terry

I like that... I'll have to check that out...

I'm starting to think we should just block all PRC, NorthKorea and the continent of Africa at least for some services... ;)

thanks
dm
Re: Never ending spam flood www.viaXX.net?
> Hi,
>
> Because of Apache.org spam filters I can't send here my message about
> spammers again:
. . .
> http://pastebin.com/f6a83e9fb

I'm new to this list, and may be missing something obvious, but this looks like a great candidate for a firewall "DROP" rule.

Is there any reason you don't just drop the packets instead of wasting time deciding if they're spam?

In fact, you can get fail2ban to do this automatically for IPs that create a significant number of spammy messages.

Terry
Re: Never ending spam flood www.viaXX.net?
Steve Freegard wrote:
> Matt Kettler wrote:
>> rich...@buzzhost.co.uk wrote:
>>> On Fri, 2009-07-10 at 21:26 +1200, Jason Haar wrote:
>>>> On 07/10/2009 09:01 PM, Paweł Tęcza wrote:
>>>>> Please see my initial post on Pastebin:
>>>>>
>>>>> http://pastebin.com/f6a83e9fb
>>>>
>>>> If it's true that all those domains resolve to just a handful of IP
>>>> addresses, then why aren't they listed in - oh wait - SURBLs don't cover
>>>> IPs just the DNS names - argh!
>>>>
>>>> Is there a way to do SURBL lookups of the IP instead of the FQDN?
>>>
>>> Is there not some kind of 'intent' plugin for SA?
>>>
>>> Barracuda (which steal everything else) have an intent scanner that
>>> looks at links in mails and resolves the name to IP *AND* the AUTH NS.
>>> Then looking the IP's found up.
>>
>> SA has always avoided resolving forward lookups of potentially spammer
>> controlled domains to IPs. This is extremely foolish to do, as it opens
>> you up to a variety of attacks against your DNS resolver. (resolver
>> cache poisoning, DoS, etc)
>>
>>> I can't believe they wrote it themselves - seriously I can't! What plug
>>> in is it?
>>
>> It's no plugin I know of, but it's a feature we intentionally left out
>> of SA for security reasons. So given that it's a really bad idea I'd
>> guess barracuda did implement it themselves.
>
> Are you forgetting URIBL_SBL?? That requires the A or NS records of
> the URI to function.

We do NS only. Not A.
Re: Never ending spam flood www.viaXX.net?
Matt Kettler wrote:
> rich...@buzzhost.co.uk wrote:
>> On Fri, 2009-07-10 at 21:26 +1200, Jason Haar wrote:
>>> On 07/10/2009 09:01 PM, Paweł Tęcza wrote:
>>>> Please see my initial post on Pastebin:
>>>>
>>>> http://pastebin.com/f6a83e9fb
>>>
>>> If it's true that all those domains resolve to just a handful of IP
>>> addresses, then why aren't they listed in - oh wait - SURBLs don't cover
>>> IPs just the DNS names - argh!
>>>
>>> Is there a way to do SURBL lookups of the IP instead of the FQDN?
>>
>> Is there not some kind of 'intent' plugin for SA?
>>
>> Barracuda (which steal everything else) have an intent scanner that
>> looks at links in mails and resolves the name to IP *AND* the AUTH NS.
>> Then looking the IP's found up.
>
> SA has always avoided resolving forward lookups of potentially spammer
> controlled domains to IPs. This is extremely foolish to do, as it opens
> you up to a variety of attacks against your DNS resolver. (resolver
> cache poisoning, DoS, etc)
>
>> I can't believe they wrote it themselves - seriously I can't! What plug
>> in is it?
>
> It's no plugin I know of, but it's a feature we intentionally left out
> of SA for security reasons. So given that it's a really bad idea I'd
> guess barracuda did implement it themselves.

Are you forgetting URIBL_SBL?? That requires the A or NS records of the URI to function.

Regards,
Steve.
Re: Never ending spam flood www.viaXX.net?
On Fri, 2009-07-10 at 06:15 -0400, Matt Kettler wrote:
> rich...@buzzhost.co.uk wrote:
> > On Fri, 2009-07-10 at 21:26 +1200, Jason Haar wrote:
> >> On 07/10/2009 09:01 PM, Paweł Tęcza wrote:
> >>> Please see my initial post on Pastebin:
> >>>
> >>> http://pastebin.com/f6a83e9fb
> >>
> >> If it's true that all those domains resolve to just a handful of IP
> >> addresses, then why aren't they listed in - oh wait - SURBLs don't cover
> >> IPs just the DNS names - argh!
> >>
> >> Is there a way to do SURBL lookups of the IP instead of the FQDN?
> >
> > Is there not some kind of 'intent' plugin for SA?
> >
> > Barracuda (which steal everything else) have an intent scanner that
> > looks at links in mails and resolves the name to IP *AND* the AUTH NS.
> > Then looking the IP's found up.
>
> SA has always avoided resolving forward lookups of potentially spammer
> controlled domains to IPs. This is extremely foolish to do, as it opens
> you up to a variety of attacks against your DNS resolver. (resolver
> cache poisoning, DoS, etc)

Whilst I can see the security concern, I'm struggling to see how any properly set up resolver would be at any greater risk than clicking on the same link in an email. With SA running on a dedicated appliance any poisoning would be local only to the appliance and the risk to anything else in the network near zero. Of course this is in combination with an appliance only implementation of BIND9 to serve its requests, so it leaves your own DNS servers alone. Sure there is a DOS risk from a nefarious domain and how you manage this will depend on the nature of any attack.

> > I can't believe they wrote it themselves - seriously I can't! What plug
> > in is it?
>
> It's no plugin I know of, but it's a feature we intentionally left out
> of SA for security reasons. So given that it's a really bad idea I'd
> guess barracuda did implement it themselves.

The way they have implemented it may be bad but my understanding is limited and I imagine you know far more than me Matt. In my time with them I was never aware of any resolver cache poisoning issues. That said, looking at the Perl for their 'intent' engine, it seems to be doing a great deal of parsing on flat files (via .idx) some running to nearly a million lines and includes domains, telephone numbers and full uri's. That has got to be seriously inefficient. The DNS based checks come from 'real time intent' as they call it.

In principle it's a good idea to resolve links to IP's and check them out. I don't think it's foolish - but that is my opinion. The safest implementation of it is the key and how far you are prepared to go with it depends on if you want to drop the mail outright or just give it a few fractions of a point.

As an aside, Barracuda have now dropped 'Bayes' by default in their version 4 spam firewall firmware. The view was spam has changed and it is not that useful in fighting it. I don't know if I agree with that or not - but I don't want to digress.
Re: Never ending spam flood www.viaXX.net?
On Fri, July 10, 2009 12:29, Yet Another Ninja wrote:
> 5 minutes later.. idea buried?

a friend one time said to me "anyone can hate, it cost to love"

that's why i believe whitelist is a better route than blacklist is

-- 
xpoint
Re: Never ending spam flood www.viaXX.net?
On Fri, July 10, 2009 12:29, Yet Another Ninja wrote:
> 5 minutes later.. idea buried?

there is more than one way of make a white ?

meta URI_WHITE (!__URIBL_BLACK || !__URIBL_GREY)

no ?

meta URI_NOT_WHITELISTED (__HAS_ANY_URI && URI_WHITE)

how many non spam domains exists really to be a big problem ?

-- 
xpoint
Re: Never ending spam flood www.viaXX.net?
On 7/10/2009 12:20 PM, Benny Pedersen wrote:
> On Fri, July 10, 2009 11:58, Steve Freegard wrote:
>> See 'uridnsbl' in Mail::SpamAssassin::Plugin::URIDNSBL
>
> its more or less a URIDNSWL plugin needed, which can reverse all black into
> white
>
> eg if not found on uribl_black gives -negative scores, and if its still have
> some uri at all give positive score until its known in a bl/wl some where
>
> that way spammers can still get new domains yes, but it will always get
> caught as spam if not known as a good non spamming domain
>
> idea comes from dnswl, lets extend it to uri ?

maybe you should start collecting GLOBAL domain data get a proof of concept URI_WL with enough entries to make it worthwhile, get a plugin out there...

When you reached several tens of GB of zone data, you'll have to find a bunch willing to load their rbldnsds with that amount of data AND hold to the traffic...

5 minutes later.. idea buried?
Re: Never ending spam flood www.viaXX.net?
On Fri, July 10, 2009 11:58, Steve Freegard wrote:
> See 'uridnsbl' in Mail::SpamAssassin::Plugin::URIDNSBL

its more or less a URIDNSWL plugin needed, which can reverse all black into white

eg if not found on uribl_black gives -negative scores, and if its still have some uri at all give positive score until its known in a bl/wl some where

that way spammers can still get new domains yes, but it will always get caught as spam if not known as a good non spamming domain

idea comes from dnswl, lets extend it to uri ?

-- 
xpoint
Re: Never ending spam flood www.viaXX.net?
rich...@buzzhost.co.uk wrote:
> On Fri, 2009-07-10 at 21:26 +1200, Jason Haar wrote:
>> On 07/10/2009 09:01 PM, Paweł Tęcza wrote:
>>> Please see my initial post on Pastebin:
>>>
>>> http://pastebin.com/f6a83e9fb
>>
>> If it's true that all those domains resolve to just a handful of IP
>> addresses, then why aren't they listed in - oh wait - SURBLs don't cover
>> IPs just the DNS names - argh!
>>
>> Is there a way to do SURBL lookups of the IP instead of the FQDN?
>
> Is there not some kind of 'intent' plugin for SA?
>
> Barracuda (which steal everything else) have an intent scanner that
> looks at links in mails and resolves the name to IP *AND* the AUTH NS.
> Then looking the IP's found up.

SA has always avoided resolving forward lookups of potentially spammer controlled domains to IPs. This is extremely foolish to do, as it opens you up to a variety of attacks against your DNS resolver. (resolver cache poisoning, DoS, etc)

> I can't believe they wrote it themselves - seriously I can't! What plug
> in is it?

It's no plugin I know of, but it's a feature we intentionally left out of SA for security reasons. So given that it's a really bad idea I'd guess barracuda did implement it themselves.
Re: Never ending spam flood www.viaXX.net?
On Fri, 2009-07-10 at 10:58 +0100, Steve Freegard wrote:
> rich...@buzzhost.co.uk wrote:
> > On Fri, 2009-07-10 at 21:26 +1200, Jason Haar wrote:
> >> On 07/10/2009 09:01 PM, Paweł Tęcza wrote:
> >>> Please see my initial post on Pastebin:
> >>>
> >>> http://pastebin.com/f6a83e9fb
> >>>
> >> If it's true that all those domains resolve to just a handful of IP
> >> addresses, then why aren't they listed in - oh wait - SURBLs don't cover
> >> IPs just the DNS names - argh!
> >>
> >> Is there a way to do SURBL lookups of the IP instead of the FQDN?
> >>
> > Is there not some kind of 'intent' plugin for SA?
> >
> > Barracuda (which steal everything else) have an intent scanner that
> > looks at links in mails and resolves the name to IP *AND* the AUTH NS.
> > Then looking the IP's found up.
> >
> > I can't believe they wrote it themselves - seriously I can't! What plug
> > in is it?
> >
>
> See 'uridnsbl' in Mail::SpamAssassin::Plugin::URIDNSBL
>
> Regards,
> Steve.

And there was I trawling through their Perl modules, lists of millions of domains and .idx files only to be pointed to:

Mail::SpamAssassin::Plugin::URIDNSBL

R E S U L T ! Looks *very* interesting.
Re: Never ending spam flood www.viaXX.net?
rich...@buzzhost.co.uk wrote:
> On Fri, 2009-07-10 at 21:26 +1200, Jason Haar wrote:
>> On 07/10/2009 09:01 PM, Paweł Tęcza wrote:
>>> Please see my initial post on Pastebin:
>>>
>>> http://pastebin.com/f6a83e9fb
>>>
>> If it's true that all those domains resolve to just a handful of IP
>> addresses, then why aren't they listed in - oh wait - SURBLs don't cover
>> IPs just the DNS names - argh!
>>
>> Is there a way to do SURBL lookups of the IP instead of the FQDN?
>>
> Is there not some kind of 'intent' plugin for SA?
>
> Barracuda (which steal everything else) have an intent scanner that
> looks at links in mails and resolves the name to IP *AND* the AUTH NS.
> Then looking the IP's found up.
>
> I can't believe they wrote it themselves - seriously I can't! What plug
> in is it?
>

See 'uridnsbl' in Mail::SpamAssassin::Plugin::URIDNSBL

Regards,
Steve.
Re: Never ending spam flood www.viaXX.net?
On Fri, 2009-07-10 at 21:26 +1200, Jason Haar wrote:
> On 07/10/2009 09:01 PM, Paweł Tęcza wrote:
> > Please see my initial post on Pastebin:
> >
> > http://pastebin.com/f6a83e9fb
> >
> If it's true that all those domains resolve to just a handful of IP
> addresses, then why aren't they listed in - oh wait - SURBLs don't cover
> IPs just the DNS names - argh!
>
> Is there a way to do SURBL lookups of the IP instead of the FQDN?
>

Is there not some kind of 'intent' plugin for SA?

Barracuda (which steal everything else) have an intent scanner that looks at links in mails and resolves the name to IP *AND* the AUTH NS. Then looking the IP's found up.

I can't believe they wrote it themselves - seriously I can't! What plug in is it?
Re: Never ending spam flood www.viaXX.net?
On Fri, 2009-07-10 at 11:01 +0200, Paweł Tęcza wrote:
> Hi,
>
> Because of Apache.org spam filters I can't send here my message about
> spammers again:
>
> Jul 9 22:32:07 hermes2 courieresmtp:
> id=00174B77.4A5653AA.7F82,from=,addr=:
> 552 spam score (15.4) exceeded threshold
> Jul 9 22:32:07 hermes2 courieresmtp:
> id=00174B77.4A5653AA.7F82,from=,addr=,status:
> failure
> [...]
> Jul 10 10:48:59 hermes1 courieresmtp:
> id=000B43A2.4A57005C.346D,from=,addr=:
> 552 spam score (15.4) exceeded threshold
> Jul 10 10:48:59 hermes1 courieresmtp:
> id=000B43A2.4A57005C.346D,from=,addr=,status:
> failure
>
> Please see my initial post on Pastebin:
>
> http://pastebin.com/f6a83e9fb
>
> My best regards,
>
> Pawel

From your pastebin;

110.52.8.253   110.52.8.253 listed in multi.surbl.org. [SC]
124.42.91.162  124.42.91.162 listed in multi.surbl.org. [SC]
203.93.208.86  203.93.208.86 listed in multi.surbl.org. [AB] [SC]
218.75.144.6   218.75.144.6 listed in multi.surbl.org. [SC]

110.52.8.253 listed in b.barracudacentral.org.
110.52.8.253 listed in XBL NJABL
110.52.8.253 listed in SBL (SPAMHAUS)
110.52.8.253 listed in cbl.abuseat.org.
110.52.8.253 listed in no-more-funn.moensted.dk.
124.42.91.162 listed in SBL (SPAMHAUS)
124.42.91.162 listed in XBL NJABL
124.42.91.162 listed in cbl.abuseat.org.
203.93.208.86 listed in b.barracudacentral.org.
203.93.208.86 listed in SBL (SPAMHAUS)
218.75.144.6 listed in b.barracudacentral.org.
218.75.144.6 listed in PBL (SPAMHAUS)
218.75.144.6 listed in SBL (SPAMHAUS)
218.75.144.6 listed in no-more-funn.moensted.dk.
Re: Never ending spam flood www.viaXX.net?
On Fri, July 10, 2009 11:01, Paweł Tęcza wrote:
> http://pastebin.com/f6a83e9fb

one rule:

meta URI_NOT_WHITELISTED (__HAS_ANY_URI && !__LOCAL_WHITE)

make a __LOCAL_WHITE list in sa either with rbldnsd or direct as rule in sa

will stop such lamers forever :)

-- 
xpoint
Re: Never ending spam flood www.viaXX.net?
On 07/10/2009 09:01 PM, Paweł Tęcza wrote:
> Please see my initial post on Pastebin:
>
> http://pastebin.com/f6a83e9fb
>

If it's true that all those domains resolve to just a handful of IP addresses, then why aren't they listed in - oh wait - SURBLs don't cover IPs just the DNS names - argh!

Is there a way to do SURBL lookups of the IP instead of the FQDN?

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Never ending spam flood www.viaXX.net?
Hi,

Because of Apache.org spam filters I can't send here my message about spammers again:

Jul 9 22:32:07 hermes2 courieresmtp: id=00174B77.4A5653AA.7F82,from=,addr=: 552 spam score (15.4) exceeded threshold
Jul 9 22:32:07 hermes2 courieresmtp: id=00174B77.4A5653AA.7F82,from=,addr=,status: failure
[...]
Jul 10 10:48:59 hermes1 courieresmtp: id=000B43A2.4A57005C.346D,from=,addr=: 552 spam score (15.4) exceeded threshold
Jul 10 10:48:59 hermes1 courieresmtp: id=000B43A2.4A57005C.346D,from=,addr=,status: failure

Please see my initial post on Pastebin:

http://pastebin.com/f6a83e9fb

My best regards,

Pawel