Re: Bogus day old domains from RRPPROXY.NET
On March 13, 2015 7:36:21 PM David B Funk wrote:
> # dig -t ns hardinskinrestore.com.

dig +trace example.com

Spam domains just need NS for their own subdomains, if it's DNS delegated, back to basic if comal is so hard :)
Re: Bogus day old domains from RRPPROXY.NET
On 3/13/15, 2:47 PM, "Kevin A. McGrail" wrote:
> On 3/13/2015 3:16 PM, David B Funk wrote:
>> Your 'been there - got bitten', is that a reference to the temptation
>> or the actual case of no NS records?
> Axb's sister was once bitten by a M00se.

She was Karving her initials on the m00se with the sharpened end of an interspace t00thbrush given her by Svenge

-- 
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
Re: Bogus day old domains from RRPPROXY.NET
On 3/13/2015 3:16 PM, David B Funk wrote:
> Your 'been there - got bitten', is that a reference to the temptation or the actual case of no NS records?

Axb's sister was once bitten by a M00se.
Re: Bogus day old domains from RRPPROXY.NET
On Friday 13/03/2015 at 2:17 pm, David B Funk wrote:
> On Fri, 13 Mar 2015, Axb wrote:
>> On 03/13/2015 07:54 PM, John Hardin wrote:
>>> On Fri, 13 Mar 2015, David B Funk wrote:
>>>> Except that the rrpproxy.net people have figured out a way to circumvent this.
>>>> They now register spammer domains and don't list -any- NS records in the zone.
>>>
>>> Is *that* a useful spam sign? Remember, SA is not an RFC compliance validation tool.
>>> If a few legit admins do that, and lots of spammers do it, then it's useful for detecting spam.
>>
>> Even if it's very tempting, it's not safe to use. (been there - got bitten)
>
> Your 'been there - got bitten', is that a reference to the temptation or the actual case of no NS records?
> Not listing NS records goes against DNS best-practices, I'm not even sure how that kind of zone hosting works.

IIRC, every zone must have two records minimum: an SOA record and 1 NS record.
If a policy can't find an NS record for @sender.domain, I would reject with at least a 4xx.

Len
Re: Bogus day old domains from RRPPROXY.NET
On Fri, 13 Mar 2015, Axb wrote:
> On 03/13/2015 07:54 PM, John Hardin wrote:
>> On Fri, 13 Mar 2015, David B Funk wrote:
>>> Except that the rrpproxy.net people have figured out a way to circumvent this.
>>> They now register spammer domains and don't list -any- NS records in the zone.
>>
>> Is *that* a useful spam sign? Remember, SA is not an RFC compliance validation tool.
>> If a few legit admins do that, and lots of spammers do it, then it's useful for detecting spam.
>
> Even if it's very tempting, it's not safe to use. (been there - got bitten)

Your 'been there - got bitten', is that a reference to the temptation or the actual case of no NS records?
Not listing NS records goes against DNS best-practices, I'm not even sure how that kind of zone hosting works.

-- 
Dave Funk                               University of Iowa
319/335-5751  FAX: 319/384-0549         College of Engineering
Sys_admin/Postmaster/cell_admin         1256 Seamans Center
#include                                Iowa City, IA 52242-1527
Better is not better, 'standard' is better. B{
Re: Bogus day old domains from RRPPROXY.NET
On 03/13/2015 07:54 PM, John Hardin wrote:
> On Fri, 13 Mar 2015, David B Funk wrote:
>> Except that the rrpproxy.net people have figured out a way to circumvent this.
>> They now register spammer domains and don't list -any- NS records in the zone.
>
> Is *that* a useful spam sign? Remember, SA is not an RFC compliance validation tool.
> If a few legit admins do that, and lots of spammers do it, then it's useful for detecting spam.

Even if it's very tempting, it's not safe to use. (been there - got bitten)
Re: Bogus day old domains from RRPPROXY.NET
On Fri, 13 Mar 2015, David B Funk wrote:
> Except that the rrpproxy.net people have figured out a way to circumvent this.
> They now register spammer domains and don't list -any- NS records in the zone.

Is *that* a useful spam sign? Remember, SA is not an RFC compliance validation tool.
If a few legit admins do that, and lots of spammers do it, then it's useful for detecting spam.

-- 
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
There is no better measure of the unthinking contempt of the environmentalist movement for civilization than their call to turn off the lights and sit in the dark. -- Sultan Knish
---
Tomorrow: Albert Einstein's 136th Birthday
Re: Bogus day old domains from RRPPROXY.NET
On Wed, 11 Mar 2015, Axb wrote:
> I don't quite understand your logic/language but yes, that's the point of such a list.
> You list the NS and all domains on that NS get scored.
>
> for example see:
> URIBL's "Extra Datasets via Datafeed Service"
> http://uribl.com/datasets.shtml
>
> black_ns.txt - This file contains nameservers we have identified as bad, and in turn proactively lists all domains registered against them to Gold and lists reactive hits to URIBL Black.
>
> # Example black_ns zone data
> ..
> ns1.gdlpdlvrydirect.net :127.0.0.2:black_ns $ added on 2008-07-13 23:12:53
> ns1.panamans.com :127.0.0.2:black_ns $ added on 2008-07-14 04:16:18
> ns1.easyquickdebts.com :127.0.0.2:black_ns $ added on 2008-07-14 08:01:41
> ns0.holidaynicegood.com :127.0.0.2:black_ns $ added on 2008-07-14 08:02:18
> ..
>
> # Example SpamAssassin Rule usage
> # - urifullnsrhssub is a SpamAssassin 3.3 SVN feature only and will
> #   not work in currently released versions of SpamAssassin!
> # - Change blackns.your-domain.tld to the host you have this data loaded in
> # - Rescore from 0.01 after testing effectiveness on your mail flow
> urifullnsrhssub BLACK_NS  blackns.your-domain.tld. A 2
> body            BLACK_NS  eval:check_uridnsbl('BLACK_NS')
> tflags          BLACK_NS  net
> score           BLACK_NS  0.01
>
> There's also a rather large number of such private lists.
> Trust me, it's highly efficient...

Except that the rrpproxy.net people have figured out a way to circumvent this.
They now register spammer domains and don't list -any- NS records in the zone.

# dig -t ns hardinskinrestore.com.

; <<>> DiG 9.9.6-P1 <<>> -t ns hardinskinrestore.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26749
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1024
;; QUESTION SECTION:
;hardinskinrestore.com.         IN      NS

;; AUTHORITY SECTION:
hardinskinrestore.com.  10800   IN      SOA     ns1.rrpproxy.net. tech.rrpproxy.net. 2015031300 10800 3600 604800 28800

;; Query time: 111 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Mar 13 13:16:18 CDT 2015
;; MSG SIZE  rcvd: 107

May be worth hacking the urifullnsrhssub code to use the NS field from the SOA record if there are no answers to the NS query.

-- 
Dave Funk                               University of Iowa
319/335-5751  FAX: 319/384-0549         College of Engineering
Sys_admin/Postmaster/cell_admin         1256 Seamans Center
#include                                Iowa City, IA 52242-1527
Better is not better, 'standard' is better. B{
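As an added illustration of Dave's suggestion above (this is not code from the thread or from SpamAssassin's urifullnsrhssub), the Python below derives a domain's nameserver hosts from dig-style output, falls back to the SOA MNAME when the NS answer is empty, and matches the result against black_ns data in the rbldnsd dnset layout Axb shows later in the thread. The dig texts and the black_ns entries are constructed samples (example-dns.test is hypothetical, and the rrpproxy.net entry is included only to exercise the fallback path); dropping the trailing "$ ..." annotations is this parser's own behaviour.

```python
import re

# Constructed sample modelled on the dig output quoted in the thread: the NS
# query returns an empty ANSWER and only the zone's SOA in AUTHORITY.
DIG_NO_NS = """\
;; QUESTION SECTION:
;hardinskinrestore.com.     IN  NS
;; AUTHORITY SECTION:
hardinskinrestore.com.  10800  IN  SOA  ns1.rrpproxy.net. tech.rrpproxy.net. 2015031300 10800 3600 604800 28800
"""
# Constructed sample of a normally delegated zone (hypothetical names).
DIG_WITH_NS = """\
;; ANSWER SECTION:
example.test.  3600  IN  NS  ns1.example-dns.test.
example.test.  3600  IN  NS  ns2.example-dns.test.
"""
# Constructed black_ns data in the rbldnsd dnset layout Axb shows later in the
# thread; the rrpproxy.net entry is a sample added only to exercise the fallback.
BLACK_NS = """\
:127.0.0.2:black_ns
$TTL 600
ns1.swimmer-size.biz :127.0.0.2:black_ns $ detected: 2015-02-24 17:39:13
ns1.rrpproxy.net :127.0.0.2:black_ns $ constructed sample entry
"""

def nameservers_for(dig_text):
    """NS hosts from the ANSWER section, else the SOA MNAME from AUTHORITY."""
    section, ns, soa_mname = None, [], []
    for line in dig_text.splitlines():
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            section = m.group(1)
            continue
        if not line.strip() or line.startswith(";"):
            continue  # blank, dig comment, or the ';name IN NS' question line
        fields = line.split()
        if len(fields) < 5:
            continue  # not an RR line
        rtype, host = fields[3], fields[4].rstrip(".").lower()
        if section == "ANSWER" and rtype == "NS":
            ns.append(host)
        elif section == "AUTHORITY" and rtype == "SOA":
            soa_mname.append(host)  # first SOA RDATA field is the MNAME
    return ns or soa_mname

def load_black_ns(text):
    """Listed names from dnset data; skips default response, $TTL, comments, '$ ...' notes."""
    listed = set()
    for line in text.splitlines():
        line = line.split("$", 1)[0].strip()
        if not line or line.startswith((":", "#")):
            continue
        listed.add(line.split(":", 1)[0].strip().rstrip(".").lower())
    return listed

def is_listed(host, listed):
    """dnset semantics: a listed name also matches all of its subdomains."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in listed for i in range(len(labels)))

def listed_nameservers(dig_text, black_ns_text):
    """Hosts an NS-based rule would hit for this domain, SOA fallback included."""
    listed = load_black_ns(black_ns_text)
    return [h for h in nameservers_for(dig_text) if is_listed(h, listed)]
```

Note that a real rule would score the hit (Axb's 0.01 for evaluation) rather than reject on it, since the SOA MNAME identifies the zone host, not necessarily a spammer.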
Re: Bogus day old domains from RRPPROXY.NET
On 03/11/2015 01:49 PM, Gibbs, David wrote:
> On 3/10/2015 5:08 PM, Reindl Harald wrote:
>> for postfix there is "check_sender_ns_access hash:/etc/postfix/blacklist_ns.cf" with the advantage of logging and a proper reject
>>
>> cat /etc/postfix/blacklist_ns.cf
>> ns1.sedoparking.com  REJECT Domain is parked at sedo.com
>> ns2.sedoparking.com  REJECT Domain is parked at sedo.com
>
> Has anyone come up with a SA rule or plugin that does the same thing?
> I'd love to block mail from parked domains, but I use sendmail and can't find a way to block like postfix can.
>
> david

try a urifullnsrhssub rule checking "header" instead of "body" or bend AskDNS to do it.
In any case you'll need to be running a DNS BL to query.
Re: Bogus day old domains from RRPPROXY.NET
On 3/10/2015 5:08 PM, Reindl Harald wrote:
> for postfix there is "check_sender_ns_access hash:/etc/postfix/blacklist_ns.cf" with the advantage of logging and a proper reject
>
> cat /etc/postfix/blacklist_ns.cf
> ns1.sedoparking.com  REJECT Domain is parked at sedo.com
> ns2.sedoparking.com  REJECT Domain is parked at sedo.com

Has anyone come up with a SA rule or plugin that does the same thing?
I'd love to block mail from parked domains, but I use sendmail and can't find a way to block like postfix can.

david

-- 
IBM i on Power Systems: For when you can't afford to be out of business!

I'm riding a metric century (100 km / 62 miles) in the 2015 American Diabetes Association's Tour de Cure to raise money for diabetes research, education, advocacy, and awareness. You can make a tax deductible donation to my ride by visiting http://email.diabetessucks.net. My goal is $5800 but any amount is appreciated.

See where I get my donations from ... visit http://email.diabetessucks.net/mapdonations.php for an interactive map (it's a geeky thing).
Re: Bogus day old domains from RRPPROXY.NET
On 03/11/2015 10:57 AM, Benny Pedersen wrote:
> Axb wrote on 2015-03-11 10:41:
>> RPZ zones are domain lists - NOT nameservers lists
>
> nameservers are domains as well imho :=)
>
>> if anything using rbldnsd :-)
>
> here I just see domain not found if rpz listed, and I don't plan to list my dns hoster for being free and good no matter how many bad domains are using it as nameserver
>
> if the nameserver is rpz listed, all the dns hosted domains are vanished
>
> test:
> dig +trace rpzdomain
>
> where does it stop ? :=)

FTR:
Domain Name Service Response Policy Zones (DNS RPZ) is a method that allows a nameserver administrator to overlay custom information on top of the global DNS to provide alternate responses to queries. It is currently implemented in the ISC BIND nameserver (9.8 or later). Another generic name for the DNS RPZ functionality is "DNS firewall".
https://dnsrpz.info/

this has NOTHING to do with SA's urifullnsrhssub lookups.
Re: Bogus day old domains from RRPPROXY.NET
On 03/11/2015 10:57 AM, Benny Pedersen wrote:
> Axb wrote on 2015-03-11 10:41:
>> RPZ zones are domain lists - NOT nameservers lists
>
> nameservers are domains as well imho :=)
>
>> if anything using rbldnsd :-)
>
> here I just see domain not found if rpz listed, and I don't plan to list my dns hoster for being free and good no matter how many bad domains are using it as nameserver
>
> if the nameserver is rpz listed, all the dns hosted domains are vanished
>
> test:
> dig +trace rpzdomain
>
> where does it stop ? :=)

I don't quite understand your logic/language but yes, that's the point of such a list.
You list the NS and all domains on that NS get scored.

for example see:
URIBL's "Extra Datasets via Datafeed Service"
http://uribl.com/datasets.shtml

black_ns.txt - This file contains nameservers we have identified as bad, and in turn proactively lists all domains registered against them to Gold and lists reactive hits to URIBL Black.

# Example black_ns zone data
..
ns1.gdlpdlvrydirect.net :127.0.0.2:black_ns $ added on 2008-07-13 23:12:53
ns1.panamans.com :127.0.0.2:black_ns $ added on 2008-07-14 04:16:18
ns1.easyquickdebts.com :127.0.0.2:black_ns $ added on 2008-07-14 08:01:41
ns0.holidaynicegood.com :127.0.0.2:black_ns $ added on 2008-07-14 08:02:18
..

# Example SpamAssassin Rule usage
# - urifullnsrhssub is a SpamAssassin 3.3 SVN feature only and will
#   not work in currently released versions of SpamAssassin!
# - Change blackns.your-domain.tld to the host you have this data loaded in
# - Rescore from 0.01 after testing effectiveness on your mail flow
urifullnsrhssub BLACK_NS  blackns.your-domain.tld. A 2
body            BLACK_NS  eval:check_uridnsbl('BLACK_NS')
tflags          BLACK_NS  net
score           BLACK_NS  0.01

There's also a rather large number of such private lists.
Trust me, it's highly efficient...
Re: Bogus day old domains from RRPPROXY.NET
Axb wrote on 2015-03-11 10:41:
> RPZ zones are domain lists - NOT nameservers lists

nameservers are domains as well imho :=)

> if anything using rbldnsd :-)

here I just see domain not found if rpz listed, and I don't plan to list my dns hoster for being free and good no matter how many bad domains are using it as nameserver

if the nameserver is rpz listed, all the dns hosted domains are vanished

test:
dig +trace rpzdomain

where does it stop ? :=)
Re: Bogus day old domains from RRPPROXY.NET
On 03/11/2015 10:20 AM, Benny Pedersen wrote:
> Kevin Miller wrote on 2015-03-10 23:01:
>> FWIW, I put on my BOFH hat, and just blocked those name servers at the firewall.
>> They're based in Germany so it's a pretty safe bet that I'm not going to see legitimate mail from any of the legitimate domains hosted by them. That may not be the case for others.
>
> sure, it's URLs, not client sender addresses, so if you have bind9 rpz it works
>
> google bind9 rpz, spamassassin must check that domain is not rpz listed

RPZ zones are domain lists - NOT nameservers lists

if anything using rbldnsd

In rbldnsd setup:

urinsbl.example.net:dnset:black_ns.txt

black_ns.txt

# Default response...
:127.0.0.2:black_ns
# 10 min TTL
$TTL 600
ns1.swimmer-size.biz :127.0.0.2:black_ns $ detected: 2015-02-24 17:39:13

and create a SA rule like:

urifullnsrhssub YOUR_URI_NS_BL  urinsbl.example.net. A 2
body            YOUR_URI_NS_BL  eval:check_uridnsbl('YOUR_URI_NS_BL')
describe        YOUR_URI_NS_BL  URL NS domain listed in Your NS BL
tflags          YOUR_URI_NS_BL  net
score           YOUR_URI_NS_BL  1.0
RE: Bogus day old domains from RRPPROXY.NET
Kevin Miller wrote on 2015-03-10 23:01:
> FWIW, I put on my BOFH hat, and just blocked those name servers at the firewall.
> They're based in Germany so it's a pretty safe bet that I'm not going to see legitimate mail from any of the legitimate domains hosted by them. That may not be the case for others.

sure, it's URLs, not client sender addresses, so if you have bind9 rpz it works

google bind9 rpz, spamassassin must check that domain is not rpz listed
Re: Bogus day old domains from RRPPROXY.NET
On 03/10/2015 11:01 PM, Kevin Miller wrote:
>> -----Original Message-----
>> From: Kevin A. McGrail [mailto:kmcgr...@pccc.com]
>> Sent: Tuesday, March 10, 2015 1:31 PM
>> To: Kevin Miller; users@spamassassin.apache.org
>> Subject: Re: Bogus day old domains from RRPPROXY.NET
>>
>> On 2/19/2015 2:50 PM, Kevin Miller wrote:
>>> Is there a way to reject or up the score on anything that is served up by that name server or registrar?
>>> I was thinking maybe putting the rrproxy.net nameserver in my dns as 127.0.0.1, on the theory that if it doesn't resolve the message will be rejected at the MTA level.
>>
>> Hi Kevin,
>>
>> I thought there was a feature for this, perhaps AskDNS.
>>
>> From https://bz.apache.org/SpamAssassin/show_bug.cgi?id=6518,
>>
>> askdns L_URI_NXDOMAIN_NS _URIDOMAINS_ NS [NXDOMAIN]
>>
>> But you might need an RBL server to query.
>>
>> Mark, any input on how best to block a URI that ties to a nameserver like these?
>>
>> Name Server: NS1.RRPPROXY.NET
>> Name Server: NS2.RRPPROXY.NET
>> Name Server: NS3.RRPPROXY.NET
>
> FWIW, I put on my BOFH hat, and just blocked those name servers at the firewall.
> They're based in Germany so it's a pretty safe bet that I'm not going to see legitimate mail from any of the legitimate domains hosted by them. That may not be the case for others.
>
> My spam level dropped significantly.

These NS are run by Key-Systems, a German registrar.
If this is a personal server, ok, but if you have more users than your family, I wouldn't hard block using that NS.
Re: Bogus day old domains from RRPPROXY.NET
On 10.03.2015 at 23:01, Kevin Miller wrote:
>> -----Original Message-----
>> From: Kevin A. McGrail [mailto:kmcgr...@pccc.com]
>> Sent: Tuesday, March 10, 2015 1:31 PM
>> To: Kevin Miller; users@spamassassin.apache.org
>> Subject: Re: Bogus day old domains from RRPPROXY.NET
>>
>> On 2/19/2015 2:50 PM, Kevin Miller wrote:
>>> Is there a way to reject or up the score on anything that is served up by that name server or registrar?
>>> I was thinking maybe putting the rrproxy.net nameserver in my dns as 127.0.0.1, on the theory that if it doesn't resolve the message will be rejected at the MTA level.
>>
>> Hi Kevin,
>>
>> I thought there was a feature for this, perhaps AskDNS.
>>
>> From https://bz.apache.org/SpamAssassin/show_bug.cgi?id=6518,
>>
>> askdns L_URI_NXDOMAIN_NS _URIDOMAINS_ NS [NXDOMAIN]
>>
>> But you might need an RBL server to query.
>>
>> Mark, any input on how best to block a URI that ties to a nameserver like these?
>>
>> Name Server: NS1.RRPPROXY.NET
>> Name Server: NS2.RRPPROXY.NET
>> Name Server: NS3.RRPPROXY.NET
>
> FWIW, I put on my BOFH hat, and just blocked those name servers at the firewall.
> They're based in Germany so it's a pretty safe bet that I'm not going to see legitimate mail from any of the legitimate domains hosted by them. That may not be the case for others.
>
> My spam level dropped significantly

for postfix there is "check_sender_ns_access hash:/etc/postfix/blacklist_ns.cf" with the advantage of logging and a proper reject

cat /etc/postfix/blacklist_ns.cf
ns1.sedoparking.com       REJECT Domain is parked at sedo.com
ns2.sedoparking.com       REJECT Domain is parked at sedo.com
ns1.fastpark.net          REJECT Domain is parked at namedrive.com
ns2.fastpark.net          REJECT Domain is parked at namedrive.com
a.ns.ultsearch.com        REJECT Domain is parked at a.ns.ultsearch.com
b.ns.ultsearch.com        REJECT Domain is parked at b.ns.ultsearch.com
buy.internettraffic.com   REJECT Domain is parked at buy.internettraffic.com
sell.internettraffic.com  REJECT Domain is parked at sell.internettraffic.com
RE: Bogus day old domains from RRPPROXY.NET
> -----Original Message-----
> From: Kevin A. McGrail [mailto:kmcgr...@pccc.com]
> Sent: Tuesday, March 10, 2015 1:31 PM
> To: Kevin Miller; users@spamassassin.apache.org
> Subject: Re: Bogus day old domains from RRPPROXY.NET
>
> On 2/19/2015 2:50 PM, Kevin Miller wrote:
> > Is there a way to reject or up the score on anything that is served up
> > by that name server or registrar? I was thinking maybe putting the
> > rrproxy.net nameserver in my dns as 127.0.0.1, on the theory that if it
> > doesn't resolve the message will be rejected at the MTA level.
> Hi Kevin,
>
> I thought there was a feature for this, perhaps AskDNS.
>
> From https://bz.apache.org/SpamAssassin/show_bug.cgi?id=6518,
>
> askdns L_URI_NXDOMAIN_NS _URIDOMAINS_ NS [NXDOMAIN]
>
> But you might need an RBL server to query.
>
> Mark, any input on how best to block a URI that ties to a nameserver like
> these?
>
> Name Server: NS1.RRPPROXY.NET
> Name Server: NS2.RRPPROXY.NET
> Name Server: NS3.RRPPROXY.NET

FWIW, I put on my BOFH hat, and just blocked those name servers at the firewall.
They're based in Germany so it's a pretty safe bet that I'm not going to see legitimate mail from any of the legitimate domains hosted by them. That may not be the case for others.

My spam level dropped significantly.

...Kevin
-- 
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357
Re: Bogus day old domains from RRPPROXY.NET
On 2/19/2015 2:50 PM, Kevin Miller wrote:
> Is there a way to reject or up the score on anything that is served up by that name server or registrar?
> I was thinking maybe putting the rrproxy.net nameserver in my dns as 127.0.0.1, on the theory that if it doesn't resolve the message will be rejected at the MTA level.

Hi Kevin,

I thought there was a feature for this, perhaps AskDNS.

From https://bz.apache.org/SpamAssassin/show_bug.cgi?id=6518,

askdns L_URI_NXDOMAIN_NS _URIDOMAINS_ NS [NXDOMAIN]

But you might need an RBL server to query.

Mark, any input on how best to block a URI that ties to a nameserver like these?

Name Server: NS1.RRPPROXY.NET
Name Server: NS2.RRPPROXY.NET
Name Server: NS3.RRPPROXY.NET

regards,
KAM