RE: My Newly Expanded DNS Blacklist - Who wants to try it?

2007-06-20 Thread Robert - eLists


> 
> This is a personal mail server, so I know exactly who sends mail on
> it, and "we" don't have a spam problem (unless you mean all the spam
> we're fighting to keep out).  Of course, since it's a dynamic address,
> I can't be certain that other users of this address haven't sent spam,
> but as others have pointed out, the only other blacklists 70.112.27.10
> is listed on are dynamic or dialup lists only, so there's no
> indication that it's been a previous spam source.
> 
> So, unless you're intending to block dynamic IPs as part of your
> method, I'd say this is a false-positive situation.
> 
> --
> Public key #7BBC68D9 at| Shane Williams
> http://pgp.mit.edu/|  System Admin - UT iSchool

Shane,

I realize this is a few days old...

dig -x 70.112.27.10

;; QUESTION SECTION:
;10.27.112.70.in-addr.arpa. IN  PTR

;; ANSWER SECTION:
10.27.112.70.in-addr.arpa. 3600 IN  PTR cpe-70-112-27-10.austin.res.rr.com.

For a mail server, why don't you migrate from an RBL listed dynamic ip to a
non-RBL listed static ip (or another transit solution) and if you cannot
afford it, I'll bet you could afford some hosting.

Unless you are relaying that email from this server to your upstream, I
think this implementation is flawed for real world work in general

 - rh



Re: My Newly Expanded DNS Blacklist - Who wants to try it?

2007-06-19 Thread Marc Perkel



John Rudd wrote:


If you're going to do this, I would suggest that instead of counting 
to X hits on your low priority MX's and then blacklisting the IP, do 
this:


Count on all of your MX's, and look for a ratio between "hits on low 
priority MX's and hits on high priority MX's".


IFF the high priority MX hit rate is 0, then just do a simple count on 
the hits against the low priority MX's.


IF the higher priority MX hit rate is > 0, then do (low priority hit 
rate) / (high priority hit rate), and look for a number >= something 
like 10.



That way, senders that might sequentially try your servers, due to 
problems, or even just because they roll through the servers over 
time, won't get tagged.





OK - I've implemented an interesting trick that solves the problem. I'm 
using the Exim RateLimit logic that only allows 1 hit per 20 seconds to 
be counted. Thus if a high priority MX is hit then that creates a 20 
second window where hitting my fake MX records doesn't count. I've noticed 
in my logs that most servers will zip through all MX records (now 10) in 
less than a second or two. This trick also prevents multiple hits on 
fake MX records from being counted multiple times.


With this new trick along with a few others I no longer get any bot spam 
at all. I'm still tweaking and testing but this is looking really good.
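
The counting rules discussed in this thread (John Rudd's ratio test and the 20-second window described in the message above), as an added example that is not part of the original posts and is not Marc Perkel's Exim configuration. The event format, the "real"/"decoy" labels, the sample addresses and the threshold of 3 hits are assumptions; the third sender shows the false-positive case raised elsewhere in the thread, where a sender that cannot reach the real MX hosts is only ever seen on the decoys.

```python
from collections import defaultdict

WINDOW_SECONDS = 20   # from the thread: only one hit per 20 seconds is counted
RATIO_THRESHOLD = 10  # from the thread: decoy/real ratio >= "something like 10"
COUNT_THRESHOLD = 3   # assumption: the thread only says "X hits"

# Constructed sample log: (seconds, client IP, MX class contacted).
# "real"  = the working, low-numbered MX hosts
# "decoy" = the fake, high-numbered MX hosts
EVENTS = [
    # Sender that walks the whole MX list within two seconds, on two occasions.
    (0, "192.0.2.10", "real"), (1, "192.0.2.10", "decoy"),
    (1, "192.0.2.10", "decoy"), (2, "192.0.2.10", "decoy"),
    (600, "192.0.2.10", "real"), (601, "192.0.2.10", "decoy"),
    (601, "192.0.2.10", "decoy"), (602, "192.0.2.10", "decoy"),
    # Client that only ever contacts the decoys.
    (0, "198.51.100.7", "decoy"), (30, "198.51.100.7", "decoy"),
    (60, "198.51.100.7", "decoy"), (90, "198.51.100.7", "decoy"),
    # Legitimate sender whose attempts at the real MX hosts failed in transit,
    # so the receiver never logged them; only the fallback to the decoys is seen.
    (100, "203.0.113.5", "decoy"), (101, "203.0.113.5", "decoy"),
    (102, "203.0.113.5", "decoy"),
    (1900, "203.0.113.5", "decoy"), (1901, "203.0.113.5", "decoy"),
    (3700, "203.0.113.5", "decoy"), (3701, "203.0.113.5", "decoy"),
]


def count_hits(events, window=WINDOW_SECONDS):
    """Count hits per IP, letting at most one hit per `window` seconds count.

    A counted hit on a real MX therefore hides the decoy hits that follow it
    inside the window, and a burst across several decoys counts once.
    window=0 disables the suppression and counts every event.
    """
    counts = defaultdict(lambda: {"real": 0, "decoy": 0})
    last_counted = {}
    for ts, ip, kind in sorted(events, key=lambda e: e[0]):
        prev = last_counted.get(ip)
        if prev is not None and ts - prev < window:
            continue  # inside the window opened by the last counted hit
        last_counted[ip] = ts
        counts[ip][kind] += 1
    return dict(counts)


def is_listed(real, decoy):
    """Ratio rule from the thread: plain count if no real hits, else a ratio."""
    if real == 0:
        return decoy >= COUNT_THRESHOLD
    return decoy / real >= RATIO_THRESHOLD


def evaluate(events, window=WINDOW_SECONDS):
    """Return {ip: True if the rules above would list the address}."""
    return {ip: is_listed(c["real"], c["decoy"])
            for ip, c in count_hits(events, window).items()}


if __name__ == "__main__":
    for ip, c in count_hits(EVENTS).items():
        print(ip, c, "LISTED" if is_listed(c["real"], c["decoy"]) else "ok")
```

The address 203.0.113.5 is listed even though it behaves correctly, because the receiving side has no record of the failed attempts against the real MX hosts; tagging instead of rejecting, as suggested in the thread, is how such cases become visible.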




Re: My Newly Expanded DNS Blacklist - Who wants to try it?

2007-06-18 Thread Jerry Durand

At 06:18 AM 6/18/2007, Shane Williams wrote:

So, unless you're intending to block dynamic IPs as part of your
method, I'd say this is a false-positive situation.


Our mail and web server is on a business dynamic address, has been 
for years and serves several domains.  We block (554 error) dynamic 
servers trying to connect to us and would expect the same from anyone 
we tried to directly connect to.  ALL our outgoing mail is relayed 
through our ISP's mail server using AUTH.  Each domain has an SPF 
record that lists our ISP as the only valid source of mail from us.


Works fine except for the short time Internic started deep-scanning 
headers and message bodies with Zen, then they blocked lots of people 
they shouldn't have.


We used to use several RBLs, but Zen seems pretty good and saves 
time.  The few dynamic addresses that get by Zen seem to be caught by 
SA.  Good work guys!



--
Jerry Durand, Durand Interstellar, Inc.  www.interstellar.com
tel: +1 408 356-3886, USA toll free: 1 866 356-3886
Skype:  jerrydurand



Re: My Newly Expanded DNS Blacklist - Who wants to try it?

2007-06-18 Thread Marc Perkel



Rick Cooper wrote:
 
I am probably over sensitive to blacklists of this nature because of past

problems. I had an issue where someone could not deliver a reply to a
customer once and when I investigated I found the (actually two) server was
on a blacklist I had never heard of. I let our ISP know that apparently
their entire address space was on the list and the owner (someone I have
known since the early eighties) investigated and found the entire att
address space (their carrier) was on this black list and att knew all about
it. Apparently this person wanted them to pay him $50,000 to be removed in
less than one year. Granted few people probably use the list but it still
worries me when someone uses a list maintained by "a guy" and even more so
if it's fully automated.

Personally a relatively few mails on our servers make it to RBL portion (I
also use exim) and get dumped for other reasons, right now the biggest is
probably non FQDN (or bracketed dotted quad) helo. I would say number two is
attempting to send mail heloing as part of our domain space when the host is
not part of our network, and three is attempting to send mail to our
addresses from a host not allowed to send mail from our addresses. I also
seem to see a lot of localhost/localhost.localdomain and 127.0.0.1. I would
like to see a lot more hardfail SPF hits and less SPF none.

I still believe there are too many people who (subconsciously or otherwise)
get a thrill out of "fighting spam" and the world would be much better off
to move to taking responsibility for the mails they send. DKIM is about the
closest thing to what I would like. You can have all the anti-spam laws in
the world but proving responsibility is always the biggest problem. I would
like to see a light weight service similar to DNS used to validate emails,
quick and simple. It could be distributed like DNS and do you approve this
mail, yes or no, like sender verification only without the smtp overhead.
Last one that touches it is responsible, through the chain. The current,
base, smtp spec simply wasn't developed in a time where anyone considered
today's environment.

There has to be a better way than trying to catch spam as that does nothing
toward trying to stop it.

Rick

  


Rick - I totally understand where you are coming from.  I've had similar 
problems with people blacklisting my servers. But what I'm trying to do 
here is develop new tricks for fighting spam. I've found my most 
accurate methods of detecting spam are based on differences in the 
behaviour of spammers as compared to normal email. When I see something 
that's a clear difference I try to find a way to use it. That's what I'm 
doing here.




RE: My Newly Expanded DNS Blacklist - Who wants to try it?

2007-06-18 Thread Rick Cooper
 

 > -Original Message-
 > From: Marc Perkel [mailto:[EMAIL PROTECTED] 
 > Sent: Monday, June 18, 2007 10:00 AM
 > To: Rick Cooper
 > Cc: users@spamassassin.apache.org
 > Subject: Re: My Newly Expanded DNS Blacklist - Who wants to try it?
 > 
 > 
 > 
 > Rick Cooper wrote:
 > > I don't know what his reason is but had I attempted to send mail to your
 > > server last Friday I could easily have ended up hitting one of your higher
 > > MXs. I had a problem with Verizon where I would lose my connection for
 > > seconds to a min and everything would be fine for seconds to a min or two.
 > > This went on for hours, it was like someone flicking a light switch. If exim
 > > couldn't connect to your lower mx servers during one of these episodes it
 > > would have rolled up the list as it should since Verizon has yet to inform
 > > my mail server they are having transient network problems and to consider
 > > any connection issues to be temporary and please try again.
 > >
 > > Rick
 > >
 > 
 > Rick, it does take multiple hits to get listed and I did add code that 
 > if you hit all the high ones in succession that it only counts as one. 
 > However, having said that, this is experimental and there's a 
 > possibility that it's just not going to work. I do believe that there's 
 > information to be had by looking at hosts who hit high numbered MX 
 > records when low numbered MX servers are available. I'm just trying to 
 > figure out how to extract this information.
 > 
 > So - I ask the question - I think we can all agree that there's 
 > information to be had. How do we extract this in a useful form and avoid 
 > false positives?
 > 

I am probably over sensitive to blacklists of this nature because of past
problems. I had an issue where someone could not deliver a reply to a
customer once and when I investigated I found the (actually two) server was
on a blacklist I had never heard of. I let our ISP know that apparently
their entire address space was on the list and the owner (someone I have
known since the early eighties) investigated and found the entire att
address space (their carrier) was on this black list and att knew all about
it. Apparently this person wanted them to pay him $50,000 to be removed in
less than one year. Granted few people probably use the list but it still
worries me when someone uses a list maintained by "a guy" and even more so
if it's fully automated.

Personally a relatively few mails on our servers make it to RBL portion (I
also use exim) and get dumped for other reasons, right now the biggest is
probably non FQDN (or bracketed dotted quad) helo. I would say number two is
attempting to send mail heloing as part of our domain space when the host is
not part of our network, and three is attempting to send mail to our
addresses from a host not allowed to send mail from our addresses. I also
seem to see a lot of localhost/localhost.localdomain and 127.0.0.1. I would
like to see a lot more hardfail SPF hits and less SPF none.

I still believe there are too many people who (subconsciously or otherwise)
get a thrill out of "fighting spam" and the world would be much better off
to move to taking responsibility for the mails they send. DKIM is about the
closest thing to what I would like. You can have all the anti-spam laws in
the world but proving responsibility is always the biggest problem. I would
like to see a light weight service similar to DNS used to validate emails,
quick and simple. It could be distributed like DNS and do you approve this
mail, yes or no, like sender verification only without the smtp overhead.
Last one that touches it is responsible, through the chain. The current,
base, smtp spec simply wasn't developed in a time where anyone considered
today's environment.

There has to be a better way than trying to catch spam as that does nothing
toward trying to stop it.

Rick


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.




Re: My Newly Expanded DNS Blacklist - Who wants to try it?

2007-06-18 Thread Marc Perkel



John Rudd wrote:


If you're going to do this, I would suggest that instead of counting 
to X hits on your low priority MX's and then blacklisting the IP, do 
this:


Count on all of your MX's, and look for a ratio between "hits on low 
priority MX's and hits on high priority MX's".


IF the high priority MX hit rate is 0, then just do a simple count on 
the hits against the low priority MX's.


IF the higher priority MX hit rate is > 0, then do (low priority hit 
rate) / (high priority hit rate), and look for a number >= something 
like 10.



That way, senders that might sequentially try your servers, due to 
problems, or even just because they roll through the servers over 
time, won't get tagged.




That's a good suggestion. You have me thinking. I'm using Exim and it 
has the RateLimit logic. Rather than a ratio I could maybe create a time 
window where if they hit the proper MX then it bypasses the improper MX 
tests for a fixed number of seconds.




Re: My Newly Expanded DNS Blacklist - Who wants to try it?

2007-06-18 Thread John Rudd

Marc Perkel wrote:



Rick Cooper wrote:

I don't know what his reason is but had I attempted to send mail to your
server last Friday I could easily have ended up hitting one of your higher
MXs. I had a problem with Verizon where I would lose my connection for
seconds to a min and everything would be fine for seconds to a min or two.
This went on for hours, it was like someone flicking a light switch. If exim
couldn't connect to your lower mx servers during one of these episodes it
would have rolled up the list as it should since Verizon has yet to inform
my mail server they are having transient network problems and to consider
any connection issues to be temporary and please try again.

Rick

  


Rick, it does take multiple hits to get listed and I did add code that 
if you hit all the high ones in succession that it only counts as one. 
However, having said that, this is experimental and there's a 
possibility that it's just not going to work. I do believe that there's 
information to be had by looking at hosts who hit high numbered MX 
records when low numbered MX servers are available. I'm just trying to 
figure out how to extract this information.


So - I ask the question - I think we can all agree that there's 
information to be had. How do we extract this in a useful form and avoid 
false positives?




If you're going to do this, I would suggest that instead of counting to 
X hits on your low priority MX's and then blacklisting the IP, do this:


Count on all of your MX's, and look for a ratio between "hits on low 
priority MX's and hits on high priority MX's".


IFF the high priority MX hit rate is 0, then just do a simple count on 
the hits against the low priority MX's.


IF the higher priority MX hit rate is > 0, then do (low priority hit 
rate) / (high priority hit rate), and look for a number >= something 
like 10.



That way, senders that might sequentially try your servers, due to 
problems, or even just because they roll through the servers over time, 
won't get tagged.





Re: My Newly Expanded DNS Blacklist - Who wants to try it?

2007-06-18 Thread Marc Perkel



Rick Cooper wrote:

I don't know what his reason is but had I attempted to send mail to your
server last Friday I could easily have ended up hitting one of your higher
MXs. I had a problem with Verizon where I would lose my connection for
seconds to a min and everything would be fine for seconds to a min or two.
This went on for hours, it was like someone flicking a light switch. If exim
couldn't connect to your lower mx servers during one of these episodes it
would have rolled up the list as it should since Verizon has yet to inform
my mail server they are having transient network problems and to consider
any connection issues to be temporary and please try again.

Rick

  


Rick, it does take multiple hits to get listed and I did add code that 
if you hit all the high ones in succession that it only counts as one. 
However, having said that, this is experimental and there's a 
possibility that it's just not going to work. I do believe that there's 
information to be had by looking at hosts who hit high numbered MX 
records when low numbered MX servers are available. I'm just trying to 
figure out how to extract this information.


So - I ask the question - I think we can all agree that there's 
information to be had. How do we extract this in a useful form and avoid 
false positives?




Re: My Newly Expanded DNS Blacklist - Who wants to try it?

2007-06-18 Thread Marc Perkel



Shane Williams wrote:


This is a personal mail server, so I know exactly who sends mail on
it, and "we" don't have a spam problem (unless you mean all the spam
we're fighting to keep out).  Of course, since it's a dynamic address,
I can't be certain that other users of this address haven't sent spam,
but as others have pointed out, the only other blacklists 70.112.27.10
is listed on are dynamic or dialup lists only, so there's no
indication that it's been a previous spam source.

So, unless you're intending to block dynamic IPs as part of your
method, I'd say this is a false-positive situation.



Shane, I found the bug and fixed it. It was dynamic IP related where I 
was returning temp errors in certain cases. Your IP has been removed 
also and sorry about that but this is still something I'm testing.


RE: My Newly Expanded DNS Blacklist - Who wants to try it?

2007-06-18 Thread Rick Cooper
 

 > -Original Message-
 > From: Marc Perkel [mailto:[EMAIL PROTECTED] 
 > Sent: Monday, June 18, 2007 9:31 AM
 > To: Shane Williams
 > Cc: Daryl C. W. O'Shea; users@spamassassin.apache.org
 > Subject: Re: My Newly Expanded DNS Blacklist - Who wants to try it?
 > 
 > 
 > 
 > Shane Williams wrote:
 > > On Sun, 17 Jun 2007, Marc Perkel wrote:
 > >
 > >> Shane Williams wrote:
 > >>>
[...]
 > 
 > Shane - your listing has nothing to do with dynamic IPs. The way you got 
 > listed is that your server hit my high MX records when all of my lower 
 > MX records were working. What I'm still investigating is why that 
 > happened. And it's a problem I intend to fix because I don't want any 
 > false positives in the list. Is there any reason your server would try 
 > MX records in an unusual order?
 > 

I don't know what his reason is but had I attempted to send mail to your
server last Friday I could easily have ended up hitting one of your higher
MXs. I had a problem with Verizon where I would lose my connection for
seconds to a min and everything would be fine for seconds to a min or two.
This went on for hours, it was like someone flicking a light switch. If exim
couldn't connect to your lower mx servers during one of these episodes it
would have rolled up the list as it should since Verizon has yet to inform
my mail server they are having transient network problems and to consider
any connection issues to be temporary and please try again.

Rick






Re: My Newly Expanded DNS Blacklist - Who wants to try it?

2007-06-18 Thread Shane Williams

On Mon, 18 Jun 2007, Marc Perkel wrote:

Shane - your listing has nothing to do with dynamic IPs. The way you got 
listed is that your server hit my high MX records when all of my lower MX 
records were working. What I'm still investigating is why that happened. And 
it's a problem I intend to fix because I don't want any false positives in 
the list. Is there any reason your server would try MX records in an unusual 
order?


As others have mentioned, there are reasons (internet congestion, for
instance), but I gather what you really want to know is whether
there's something unusual about my configuration that would cause this
to happen.  The answer to that is no.  I'm running sendmail on a
gentoo server.  No crazy configs, I don't run my own DNS, and frankly
I don't know why my sendmail would try high MXs before low ones, but
apparently it does.

I'd say any system that requires you to investigate to this extent
with blocked senders on a one-on-one basis has problems, and I would
once again recommend that you test any system by tagging mails before
actually rejecting them so that you learn about false-positives rather
than assuming there aren't any unless someone reports it (which would
be hard to do, since you're blocking them).

Since this is now way OT for the SA list, I'm not going to respond on
the list anymore, and since your blacklist rejects my emails, I'm
guessing this is the end of the conversation for me.  Good luck.

--
Public key #7BBC68D9 at| Shane Williams
http://pgp.mit.edu/|  System Admin - UT iSchool
=--+---
All syllogisms contain three lines |  [EMAIL PROTECTED]
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew


Re: My Newly Expanded DNS Blacklist - Who wants to try it?

2007-06-18 Thread Marc Perkel



Shane Williams wrote:

On Sun, 17 Jun 2007, Marc Perkel wrote:


Shane Williams wrote:


 Here's the "failed for the last 4 hours" message...

- Transcript of session follows -
 ... while talking to mx.junkemailfilter.com.:
 <<< 550-REJECTED - 70.112.27.10 is blacklisted at
 hostkarma.junkemailfilter.com
 <<< 550 (127.0.0.2); 70.112.27.10
 ... while talking to mx.junkemailfilter.net.:
 <<< 550-REJECTED - 70.112.27.10 is blacklisted at
 hostkarma.junkemailfilter.com
 <<< 550 (127.0.0.2); 70.112.27.10
 ... while talking to mx.junkemailfilter.org.:
 <<< 451 Temporary local problem - please try later
 ... while talking to dummy1.junkemailfilter.com.:
 <<< 451 Temporary local problem - please try later
 ... while talking to dummy2.junkemailfilter.com.:
 <<< 451 Temporary local problem - please try later
 ... while talking to dummy3.junkemailfilter.com.:
 <<< 451 Temporary local problem - please try later
 ... while talking to dummy4.junkemailfilter.com.:
 <<< 451 Temporary local problem - please try later
 <[EMAIL PROTECTED]>... Deferred: 451 Temporary local problem - please
 try later


ok - that's a different IP and that IP is blocked on my list and 4 
other lists. Based on your logs it doesn't look like it gives up after 
a 550 error. I think you have a spam problem.


This is a personal mail server, so I know exactly who sends mail on
it, and "we" don't have a spam problem (unless you mean all the spam
we're fighting to keep out).  Of course, since it's a dynamic address,
I can't be certain that other users of this address haven't sent spam,
but as others have pointed out, the only other blacklists 70.112.27.10
is listed on are dynamic or dialup lists only, so there's no
indication that it's been a previous spam source.

So, unless you're intending to block dynamic IPs as part of your
method, I'd say this is a false-positive situation.



Shane - your listing has nothing to do with dynamic IPs. The way you got 
listed is that your server hit my high MX records when all of my lower 
MX records were working. What I'm still investigating is why that 
happened. And it's a problem I intend to fix because I don't want any 
false positives in the list. Is there any reason your server would try 
MX records in an unusual order?


Re: My Newly Expanded DNS Blacklist - Who wants to try it?

2007-06-18 Thread Shane Williams

On Sun, 17 Jun 2007, Marc Perkel wrote:


Shane Williams wrote:


 Here's the "failed for the last 4 hours" message...

- Transcript of session follows -
 ... while talking to mx.junkemailfilter.com.:
 <<< 550-REJECTED - 70.112.27.10 is blacklisted at
 hostkarma.junkemailfilter.com
 <<< 550 (127.0.0.2); 70.112.27.10
 ... while talking to mx.junkemailfilter.net.:
 <<< 550-REJECTED - 70.112.27.10 is blacklisted at
 hostkarma.junkemailfilter.com
 <<< 550 (127.0.0.2); 70.112.27.10
 ... while talking to mx.junkemailfilter.org.:
 <<< 451 Temporary local problem - please try later
 ... while talking to dummy1.junkemailfilter.com.:
 <<< 451 Temporary local problem - please try later
 ... while talking to dummy2.junkemailfilter.com.:
 <<< 451 Temporary local problem - please try later
 ... while talking to dummy3.junkemailfilter.com.:
 <<< 451 Temporary local problem - please try later
 ... while talking to dummy4.junkemailfilter.com.:
 <<< 451 Temporary local problem - please try later
 <[EMAIL PROTECTED]>... Deferred: 451 Temporary local problem - please
 try later


ok - that's a different IP and that IP is blocked on my list and 4 other 
lists. Based on your logs it doesn't look like it gives up after a 550 error. 
I think you have a spam problem.


This is a personal mail server, so I know exactly who sends mail on
it, and "we" don't have a spam problem (unless you mean all the spam
we're fighting to keep out).  Of course, since it's a dynamic address,
I can't be certain that other users of this address haven't sent spam,
but as others have pointed out, the only other blacklists 70.112.27.10
is listed on are dynamic or dialup lists only, so there's no
indication that it's been a previous spam source.

So, unless you're intending to block dynamic IPs as part of your
method, I'd say this is a false-positive situation.

--
Public key #7BBC68D9 at| Shane Williams
http://pgp.mit.edu/|  System Admin - UT iSchool
=--+---
All syllogisms contain three lines |  [EMAIL PROTECTED]
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew


Re: My Newly Expanded DNS Blacklist - Who wants to try it?

2007-06-18 Thread Raymond Dijkxhoorn

Hi!


... while talking to mx.junkemailfilter.com.:
<<< 550-REJECTED - 70.112.27.10 is blacklisted at
hostkarma.junkemailfilter.com
<<< 550 (127.0.0.2); 70.112.27.10
... while talking to mx.junkemailfilter.net.:
<<< 550-REJECTED - 70.112.27.10 is blacklisted at
hostkarma.junkemailfilter.com
<<< 550 (127.0.0.2); 70.112.27.10
... while talking to mx.junkemailfilter.org.:
<<< 451 Temporary local problem - please try later
... while talking to dummy1.junkemailfilter.com.:
<<< 451 Temporary local problem - please try later
... while talking to dummy2.junkemailfilter.com.:
<<< 451 Temporary local problem - please try later
... while talking to dummy3.junkemailfilter.com.:
<<< 451 Temporary local problem - please try later
... while talking to dummy4.junkemailfilter.com.:
<<< 451 Temporary local problem - please try later
<[EMAIL PROTECTED]>... Deferred: 451 Temporary local problem - please
try later


http://openrbl.org/client/#70.112.27.10

ok - that's a different IP and that IP is blocked on my list and 4 other 
lists. Based on your logs it doesn't look like it gives up after a 550 error. 
I think you have a spam problem.


You also had a look WHY they were listed?

ASPEWS = crap, I don't even count that one. Wonder why they even still list 
ASPEWS at all
Spamhaus = ZEN = Dynamic space, correct.
SORBS = Dynamic space, correct
NJABL = Dynamic space, correct

I think it would be wise to check your OWN list and let us know why it 
ended up there, I didn't see any good reason yet in the information 
provided why YOU would list it. It's your list, you offered to let people 
test it so you tell us what's wrong please. And not say 'you have a spam 
problem'. Marc, YOU have a problem with this list. And I truly hope 
people will not start blocking mail with this, like someone else stated 
already.


OTOH, this is not really a topic for the spamassassin list is it ?

Bye,
Raymond.


RE: My Newly Expanded DNS Blacklist - Who wants to try it?

2007-06-17 Thread Michael Scheidell

> -Original Message-
> From: Marc Perkel [mailto:[EMAIL PROTECTED] 
> Sent: Monday, June 18, 2007 12:21 AM
> To: Shane Williams
> Cc: Daryl C. W. O'Shea; users@spamassassin.apache.org
> Subject: Re: My Newly Expanded DNS Blacklist - Who wants to try it?
> ok - that's a different IP and that IP is blocked on my list and 4 other 
> lists. Based on your logs it doesn't look like it gives up after a 550 
> error. I think you have a spam problem.
> 

Aside from yours, 2 other 'dynamic ip' lists and one sorbs list marked
'don't use this list', there are no entries

I think you have a problem with your list and you should stop before
someone actually tries to use it.

_
This email has been scanned and certified safe by SpammerTrap(tm).
For Information please see http://www.spammertrap.com
_


RE: My Newly Expanded DNS Blacklist - Who wants to try it?

2007-06-17 Thread Michael Scheidell


> -Original Message-
> From: Marc Perkel [mailto:[EMAIL PROTECTED] 
> Sent: Monday, June 18, 2007 12:55 AM
> To: Michael Scheidell
> Cc: users@spamassassin.apache.org
> Subject: Re: My Newly Expanded DNS Blacklist - Who wants to try it?
> 
> 
> 
> 
> Michael Scheidell wrote:
> > But, before you use it, I suggest you google for 
> 'blocked.secnap.net' 
> > (you will see a 2003 set of posts announcing this list).
> >
> >   
> 
> Odd - I only get 15 list when I google it.
> 

What has that got to do with anything?  Did you misread me to say there
were QUANTITY2003 ?
Should I be more specific and give you a DATE in 2003 when I started it?

And what about this:

http://search.cpan.org/src/LUISMUNOZ/Mail-Abuse-1.025/bin/scan

Someone decided to put 'blocked.secnap.net' in their 'mail abuse'
scanner, without ever reading what it was about.
> 

(I guess I should have said 2003 AD, or more correctly, now that I
google myself, it was 2002AD)

Here is a post to the amavisd-new list last year which might explain why
I am opposed to people starting up unregulated blacklists:

http://archive.netbsd.se/?ml=amavis-user&a=2006-04&t=1952182



RE: My Newly Expanded DNS Blacklist - Who wants to try it?

2007-06-17 Thread Michael Scheidell

> -Original Message-
> From: Robert - eLists [mailto:[EMAIL PROTECTED] 
> Sent: Monday, June 18, 2007 12:24 AM
> To: users@spamassassin.apache.org
> Subject: RE: My Newly Expanded DNS Blacklist - Who wants to try it?
> 
> Michael,
> 
> Them's scrappin words partner.:-|
> 
> Maybe you could specifically tell us why it is such a bad 
> idea instead of just slamming Perkel based on a few other 
> slam Perkel posts to the list.
> 
> Are you drunk or what?
> 

Noop, but stupid ideas deserve to be shot down.

> I went to your website http://www.secnap.com/aboutus.php?pg=8 
> and it says that you are Chairman of the Board, President, & 
> CTO and tells how great and wonderful you have been for the 
> last 25 years.
> 
> Based upon your reply to the list... I think if you have half 
> a clue, please make sure to purchase the other half to go with it.

In the real world, things don't work like Marc wants them to.
In the real world, legitimate email servers WILL contact his secondary mx
records.

The reasons are as varied as traffic on the internet and include
congestion at HIS site, congestion at the ORIGINATING site, congestion
at any point in the path between the sender and him which would make
the very documented failover of the connection to the primary try the
secondary.

The proof is the sites who he has already blacklisted.  

How long have I been doing this?  You google far back enough and you
will see that in the early days of commercialization of the internet, I
was already tracking back and stopping international spammers and
hackers.

I was in charge of the local (fl.*) Usenet groups before netcom's and
globals helped ruin Usenet.

I am mentioned in at least one FAQ dealing with Usenet spam.

Better than that, there are at least 10 'I hate scheidell for blocking
my spam' web sites.

Yes, I have been involved in discussions like this one before, where
someone drags out a tired stupid idea, something that has been hashed to
death years ago, and thinks he is the first one to think about it.

The next thing that happens is some overzealous email admin uses that
list and legitimate traffic is blocked.

You google for 'blocked.secnap.net' yet?  You see the discussions about
abusing blacklists? Unregulated blacklists, whose only use is to screw
up the internet?

Now you have another one.

> 
> ;-)
> 
> The general *idea* or *ideas* does/do have some basic promise 
> in the fight against spam.
> 

Not in the real world.

Sure, the RFC's say that this is the way things work, but they don't.
The RFC's also say you must send an 'ndr' if you don't deliver the
email.  We know that doesn't work.

We also know that several sites still set up their anti-virus to
'bounce' the virus back to the sender.
(which is perfectly legal and mandated by RFC's)

But, the real world doesn't work like that.


Re: My Newly Expanded DNS Blacklist - Who wants to try it?

2007-06-17 Thread Marc Perkel



Michael Scheidell wrote:

But, before you use it, I suggest you google for 'blocked.secnap.net'
(you will see a 2003 set of posts announcing this list).

  


Odd - I only get 15 list when I google it.



RE: My Newly Expanded DNS Blacklist - Who wants to try it?

2007-06-17 Thread Robert - eLists
> on 6/17/2007 Michael Scheidell of SECNAP.NET babbled:
> 
> And you were told, in original thread, what a stupid idea this is, and
> why it's a stupid idea, and why using this blacklist is a stupid idea,
> but I suppose if you want to block all the spam, I have a better list,
> 100% guaranteed to block spam:  the DNS blacklist is
> 'blocked.secnap.net'.  It is as accurate as yours is.
> 
> But, before you use it, I suggest you google for 'blocked.secnap.net'
> (you will see a 2003 set of posts announcing this list).
> 
> You will also see why it is way more accurate than yours for blocking
> spam.
> 
> If you had half a clue as to how email works you would know why your
> blacklist is a stupid idea, so this is not being cc'd to you since
> several people already told you how stupid your idea is and why.
> 
> This is a warning to anyone who knows even less than you about how email
> works and might be fooled into trying your list (and start bouncing
> legitimate email).
> 

Michael,

Them's scrappin words partner.:-|

Maybe you could specifically tell us why it is such a bad idea instead of
just slamming Perkel based on a few other slam Perkel posts to the list.

Are you drunk or what?

I went to your website http://www.secnap.com/aboutus.php?pg=8 and it says
that you are Chairman of the Board, President, & CTO and tells how great and
wonderful you have been for the last 25 years.

Based upon your reply to the list... I think if you have half a clue, please
make sure to purchase the other half to go with it.

;-)

The general *idea* or *ideas* does/do have some basic promise in the fight
against spam.

Notice I said the *idea* or *ideas* and not any specific
implementation(s)...

I can think of several possible real world implementations...

 - rh





Re: My Newly Expanded DNS Blacklist - Who wants to try it?

2007-06-17 Thread Marc Perkel



Shane Williams wrote:

On Sun, 17 Jun 2007, Marc Perkel wrote:


Daryl C. W. O'Shea wrote:

 Shane Williams wrote:
>  On Sat, 16 Jun 2007, Marc Perkel wrote:
> 
> >  Using my new ideas here's my raw blacklist file. It has about 80k IP
> >  addresses and is updated every 10 minutes.
> > 
> >  http://iplist.junkemailfilter.com/black.txt
> > 
> >  Here's instructions on how to use it with SpamAssassin and Exim.
> > 
> >  http://wiki.ctyme.com/index.php/Spam_DNS_Lists#Spam_Assassin_Examples
> > 
> >  I'd like to get some feedback on how well it's working.
> 
>  This filter blocked my last response to you, as I suspect it will
>  for this one.  As such, I looked at your wiki to determine why I was
>  listed, but couldn't find a clear reason.  The documentation says that
>  only known spam sources are blocked, but if I had to guess, I'd say
>  it's because I'm on a dynamic cable IP address (which I didn't see
>  any text about when I looked on Friday).
> 
>  Mind you, I've gotten used to the idea that places are going to block
>  me because I'm on a Cablemodem, so that doesn't really bother me much.
>  It's just that your documentation didn't mention this as a possible
>  reason for listing, and gave me no real idea as to why I was listed.

 You're relaying through an MSA (fiat.ischool.utexas.edu [128.83.248.27])
 that isn't on a cable connection, though, right?


That's true when I send to an apache.org list, because at some point
it blocked me.  By and large I send direct-to-MX from cable-modem,
adding exceptions to my mailertable entry as necessary (Nor will yours
when I reply to this, so we'll see what happens).


 Blocking because someone uses a cable modem, but isn't delivering
 direct-to-MX from that cable connection, is asinine.


True, but I don't think that's what Marc is doing, since his server
doesn't have a mailertable entry on my end.

I definitely want to figure out what the problem is. Any false 
positive isn't acceptable. However that IP isn't blocked. If you can 
post the error you got I'd like to see it.


Here's the "failed for the last 4 hours" message...

   - Transcript of session follows -
... while talking to mx.junkemailfilter.com.:
<<< 550-REJECTED - 70.112.27.10 is blacklisted at
hostkarma.junkemailfilter.com
<<< 550 (127.0.0.2); 70.112.27.10
... while talking to mx.junkemailfilter.net.:
<<< 550-REJECTED - 70.112.27.10 is blacklisted at
hostkarma.junkemailfilter.com
<<< 550 (127.0.0.2); 70.112.27.10
... while talking to mx.junkemailfilter.org.:
<<< 451 Temporary local problem - please try later
... while talking to dummy1.junkemailfilter.com.:
<<< 451 Temporary local problem - please try later
... while talking to dummy2.junkemailfilter.com.:
<<< 451 Temporary local problem - please try later
... while talking to dummy3.junkemailfilter.com.:
<<< 451 Temporary local problem - please try later
... while talking to dummy4.junkemailfilter.com.:
<<< 451 Temporary local problem - please try later
<[EMAIL PROTECTED]>... Deferred: 451 Temporary local problem - please
try later



ok - that's a different IP and that IP is blocked on my list and 4 other 
lists. Based on your logs it doesn't look like it gives up after a 550 
error. I think you have a spam problem.


Re: My Newly Expanded DNS Blacklist - Who wants to try it?

2007-06-17 Thread Shane Williams

On Sun, 17 Jun 2007, Marc Perkel wrote:


Daryl C. W. O'Shea wrote:

 Shane Williams wrote:
>  On Sat, 16 Jun 2007, Marc Perkel wrote:
> 
> >  Using my new ideas here's my raw blacklist file. It has about 80k IP 
> >  addresses and is updated every 10 minutes.
> > 
> >  http://iplist.junkemailfilter.com/black.txt
> > 
> >  Here's instructions on how to use it with SpamAssassin and Exim.
> > 
> >  http://wiki.ctyme.com/index.php/Spam_DNS_Lists#Spam_Assassin_Examples
> > 
> >  I'd like to get some feedback on how well it's working.
> 
>  This filter blocked my last response to you, as I suspect it will
>  for this one.  As such, I looked at your wiki to determine why I was
>  listed, but couldn't find a clear reason.  The documentation says that
>  only known spam sources are blocked, but if I had to guess, I'd say
>  it's because I'm on a dynamic cable IP address (which I didn't see
>  any text about when I looked on Friday).
> 
>  Mind you, I've gotten used to the idea that places are going to block
>  me because I'm on a Cablemodem, so that doesn't really bother me much.
>  It's just that your documentation didn't mention this as a possible
>  reason for listing, and gave me no real idea as to why I was listed.

 You're relaying through an MSA (fiat.ischool.utexas.edu [128.83.248.27])
 that isn't on a cable connection, though, right?


That's true when I send to an apache.org list, because at some point
it blocked me.  By and large I send direct-to-MX from cable-modem,
adding exceptions to my mailertable entry as necessary (Nor will yours
when I reply to this, so we'll see what happens).


 Blocking because someone uses a cable modem, but isn't delivering
 direct-to-MX from that cable connection, is asinine.


True, but I don't think that's what Marc is doing, since his server
doesn't have a mailertable entry on my end.

I definitely want to figure out what the problem is. Any false positive isn't 
acceptable. However that IP isn't blocked. If you can post the error you got 
I'd like to see it.


Here's the "failed for the last 4 hours" message...

   - Transcript of session follows -
... while talking to mx.junkemailfilter.com.:
<<< 550-REJECTED - 70.112.27.10 is blacklisted at
hostkarma.junkemailfilter.com
<<< 550 (127.0.0.2); 70.112.27.10
... while talking to mx.junkemailfilter.net.:
<<< 550-REJECTED - 70.112.27.10 is blacklisted at
hostkarma.junkemailfilter.com
<<< 550 (127.0.0.2); 70.112.27.10
... while talking to mx.junkemailfilter.org.:
<<< 451 Temporary local problem - please try later
... while talking to dummy1.junkemailfilter.com.:
<<< 451 Temporary local problem - please try later
... while talking to dummy2.junkemailfilter.com.:
<<< 451 Temporary local problem - please try later
... while talking to dummy3.junkemailfilter.com.:
<<< 451 Temporary local problem - please try later
... while talking to dummy4.junkemailfilter.com.:
<<< 451 Temporary local problem - please try later
<[EMAIL PROTECTED]>... Deferred: 451 Temporary local problem - please
try later


--
Public key #7BBC68D9 at| Shane Williams
http://pgp.mit.edu/|  System Admin - UT iSchool
=--+---
All syllogisms contain three lines |  [EMAIL PROTECTED]
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew


RE: My Newly Expanded DNS Blacklist - Who wants to try it?

2007-06-17 Thread Michael Scheidell
> -Original Message-
> From: Marc Perkel [mailto:[EMAIL PROTECTED] 
> Sent: Sunday, June 17, 2007 8:27 PM
> To: Shane Williams; Spamass
> Subject: Re: My Newly Expanded DNS Blacklist - Who wants to try it?
> 
> As to what I'm doing I talked about it in a different thread. The idea
> is that I have 3 working servers on low numbered MX records. I have a
> number of high numbered MX IPs that should never be hit. However
> spammers don't follow the rules and try the high numbered MX looking to
> get in the back door. So in theory only spammers will hit the high
> numbered MX.
> 
> The idea is that after about 10 hits on the high numbered MX I add them
> to the blacklist. It seems to be working but I'm still testing this
> idea. I'm convinced that this method or something similar might be an
> effective way to catch spammers and I'm testing it out. But - it has to
> actually work in the real world and when it does, maybe someone who is a
> better programmer than me will really do it right.
> 

And you were told, in original thread, what a stupid idea this is, and
why it's a stupid idea, and why using this blacklist is a stupid idea,
but I suppose if you want to block all the spam, I have a better list,
100% guaranteed to block spam:  the DNS blacklist is
'blocked.secnap.net'.  It is as accurate as yours is.

But, before you use it, I suggest you google for 'blocked.secnap.net'
(you will see a 2003 set of posts announcing this list).

You will also see why it is way more accurate than yours for blocking
spam.

If you had half a clue as to how email works you would know why your
blacklist is a stupid idea, so this is not being cc'd to you since
several people already told you how stupid your idea is and why.

This is a warning to anyone who knows even less than you about how email
works and might be fooled into trying your list (and start bouncing
legitimate email).



Re: My Newly Expanded DNS Blacklist - Who wants to try it?

2007-06-17 Thread Marc Perkel



Shane Williams wrote:

On Sat, 16 Jun 2007, Marc Perkel wrote:

Using my new ideas here's my raw blacklist file. It has about 80k IP 
addresses and is updated every 10 minutes.


http://iplist.junkemailfilter.com/black.txt

Here's instructions on how to use it with SpamAssassin and Exim.

http://wiki.ctyme.com/index.php/Spam_DNS_Lists#Spam_Assassin_Examples

I'd like to get some feedback on how well it's working.


This filter blocked my last response to you, as I suspect it will
for this one.  As such, I looked at your wiki to determine why I was
listed, but couldn't find a clear reason.  The documentation says that
only known spam sources are blocked, but if I had to guess, I'd say
it's because I'm on a dynamic cable IP address (which I didn't see
any text about when I looked on Friday).

Mind you, I've gotten used to the idea that places are going to block
me because I'm on a Cablemodem, so that doesn't really bother me much.
It's just that your documentation didn't mention this as a possible
reason for listing, and gave me no real idea as to why I was listed.

I would suggest that if you really want to know how well it's working
you should, for some time, accept mail that it would drop, filter it
to a special place, and then visually inspect for ham/spam ratio.  I
don't see any better method for gathering hard data on its success
rate.



Shane, post the error you got to this list in case I don't get it 
direct. I haven't documented my new trick in the wiki yet because I'm 
still testing it to see if it works. If it doesn't work then I'll have 
to give up on it. The wiki gives instructions on how to use the black list.


As to what I'm doing I talked about it in a different thread. The idea 
is that I have 3 working servers on low numbered MX records. I have a 
number of high numbered MX IPs that should never be hit. However 
spammers don't follow the rules and try the high numbered MX looking to 
get in the back door. So in theory only spammers will hit the high 
numbered MX.


The idea is that after about 10 hits on the high numbered MX I add them 
to the blacklist. It seems to be working but I'm still testing this 
idea. I'm convinced that this method or something similar might be an 
effective way to catch spammers and I'm testing it out. But - it has to 
actually work in the real world and when it does, maybe someone who is a 
better programmer than me will really do it right.




Re: My Newly Expanded DNS Blacklist - Who wants to try it?

2007-06-17 Thread Marc Perkel



Daryl C. W. O'Shea wrote:

Shane Williams wrote:

On Sat, 16 Jun 2007, Marc Perkel wrote:

Using my new ideas here's my raw blacklist file. It has about 80k IP 
addresses and is updated every 10 minutes.


http://iplist.junkemailfilter.com/black.txt

Here's instructions on how to use it with SpamAssassin and Exim.

http://wiki.ctyme.com/index.php/Spam_DNS_Lists#Spam_Assassin_Examples

I'd like to get some feedback on how well it's working.


This filter blocked my last response to you, as I suspect it will
for this one.  As such, I looked at your wiki to determine why I was
listed, but couldn't find a clear reason.  The documentation says that
only known spam sources are blocked, but if I had to guess, I'd say
it's because I'm on a dynamic cable IP address (which I didn't see
any text about when I looked on Friday).

Mind you, I've gotten used to the idea that places are going to block
me because I'm on a Cablemodem, so that doesn't really bother me much.
It's just that your documentation didn't mention this as a possible
reason for listing, and gave me no real idea as to why I was listed.


You're relaying through an MSA (fiat.ischool.utexas.edu 
[128.83.248.27]) that isn't on a cable connection, though, right?


Blocking because someone uses a cable modem, but isn't delivering 
direct-to-MX from that cable connection, is asinine.





I definitely want to figure out what the problem is. Any false positive 
isn't acceptable. However that IP isn't blocked. If you can post the 
error you got I'd like to see it.




Re: My Newly Expanded DNS Blacklist - Who wants to try it?

2007-06-17 Thread Daryl C. W. O'Shea

Shane Williams wrote:

On Sat, 16 Jun 2007, Marc Perkel wrote:

Using my new ideas here's my raw blacklist file. It has about 80k IP 
addresses and is updated every 10 minutes.


http://iplist.junkemailfilter.com/black.txt

Here's instructions on how to use it with SpamAssassin and Exim.

http://wiki.ctyme.com/index.php/Spam_DNS_Lists#Spam_Assassin_Examples

I'd like to get some feedback on how well it's working.


This filter blocked my last response to you, as I suspect it will
for this one.  As such, I looked at your wiki to determine why I was
listed, but couldn't find a clear reason.  The documentation says that
only known spam sources are blocked, but if I had to guess, I'd say
it's because I'm on a dynamic cable IP address (which I didn't see
any text about when I looked on Friday).

Mind you, I've gotten used to the idea that places are going to block
me because I'm on a Cablemodem, so that doesn't really bother me much.
It's just that your documentation didn't mention this as a possible
reason for listing, and gave me no real idea as to why I was listed.


You're relaying through an MSA (fiat.ischool.utexas.edu [128.83.248.27]) 
that isn't on a cable connection, though, right?


Blocking because someone uses a cable modem, but isn't delivering 
direct-to-MX from that cable connection, is asinine.



Daryl


Re: My Newly Expanded DNS Blacklist - Who wants to try it?

2007-06-17 Thread Shane Williams

On Sat, 16 Jun 2007, Marc Perkel wrote:

Using my new ideas here's my raw blacklist file. It has about 80k IP 
addresses and is updated every 10 minutes.


http://iplist.junkemailfilter.com/black.txt

Here's instructions on how to use it with SpamAssassin and Exim.

http://wiki.ctyme.com/index.php/Spam_DNS_Lists#Spam_Assassin_Examples

I'd like to get some feedback on how well it's working.


This filter blocked my last response to you, as I suspect it will
for this one.  As such, I looked at your wiki to determine why I was
listed, but couldn't find a clear reason.  The documentation says that
only known spam sources are blocked, but if I had to guess, I'd say
it's because I'm on a dynamic cable IP address (which I didn't see
any text about when I looked on Friday).

Mind you, I've gotten used to the idea that places are going to block
me because I'm on a Cablemodem, so that doesn't really bother me much.
It's just that your documentation didn't mention this as a possible
reason for listing, and gave me no real idea as to why I was listed.

I would suggest that if you really want to know how well it's working
you should, for some time, accept mail that it would drop, filter it
to a special place, and then visually inspect for ham/spam ratio.  I
don't see any better method for gathering hard data on its success
rate.

--
Public key #7BBC68D9 at| Shane Williams
http://pgp.mit.edu/|  System Admin - UT iSchool
=--+---
All syllogisms contain three lines |  [EMAIL PROTECTED]
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew


Re: My Newly Expanded DNS Blacklist - Who wants to try it?

2007-06-16 Thread Marc Perkel



Bart Schaefer wrote:

On 6/16/07, Marc Perkel <[EMAIL PROTECTED]> wrote:

Using my new ideas here's my raw blacklist file. It has about 80k IP
addresses and is updated every 10 minutes.

http://iplist.junkemailfilter.com/black.txt


Just glancing through the list and reversing an IP address whose first
two quads I recognize, I see you've blacklisted Red Condor
(redcondor.com), a network security and anti-phishing service provider
(64.84.16.173).

So either they've got a problem they ought to be made aware of, or you 
do ...




OK - I'll have to look into that.


Re: My Newly Expanded DNS Blacklist - Who wants to try it?

2007-06-16 Thread Bart Schaefer

On 6/16/07, Marc Perkel <[EMAIL PROTECTED]> wrote:

Using my new ideas here's my raw blacklist file. It has about 80k IP
addresses and is updated every 10 minutes.

http://iplist.junkemailfilter.com/black.txt


Just glancing through the list and reversing an IP address whose first
two quads I recognize, I see you've blacklisted Red Condor
(redcondor.com), a network security and anti-phishing service provider
(64.84.16.173).

So either they've got a problem they ought to be made aware of, or you do ...


Re: My Newly Expanded DNS Blacklist - Who wants to try it?

2007-06-16 Thread Marc Perkel



Jari Fredriksson wrote:

Marc Perkel wrote:
  

Using my new ideas here's my raw blacklist file. It has about 80k IP
addresses and is updated every 10 minutes.

http://iplist.junkemailfilter.com/black.txt

Here's instructions on how to use it with SpamAssassin and Exim.

http://wiki.ctyme.com/index.php/Spam_DNS_Lists#Spam_Assassin_Examples

I'd like to get some feedback on how well it's working.




Hmm, how about documenting how is it supposed to work? How does an IP address 
end up on your list?

  

The wiki link has it somewhat documented but I'm trying something new and I'm 
still testing it so I'm not going to document it for a while till I know it 
works. But - the simple explanation is this.

On the lower numbered MX records I have 3 mail servers any one of which can 
carry the whole load in an emergency. I have on higher numbered MX about 10 
dummy IP addresses that normal email should never hit. Spammers however, 
especially spam bots have been hitting random MX records instead of figuring 
out the proper order. The idea is that the backup servers might have less spam 
filtering than the main server.

So any hits on these fake MX records are counted as spam hits. Every 10 minutes 
I count up the spam and ham hits per IP and generate my black, white, and 
yellow lists. To make the black list there has to be enough hits to be worth 
counting and has to be 99% spam. The high MX records always return a 421 error 
but counts as a spam hit.

Some of the details are a little more complex. I process SA determined spam 
hits differently than spammer trick spam not only in scoring but in the time 
that I keep the data. Fake MX data lives 1 day. Spam lives 3 days, and ham 
lives 7 days. Every 6 hours I shift the log data down creating a new file and 
deleting the oldest file.

If this works out it could be done on a more massive community scale and it 
could totally wipe out all spambot spam. Right now I have no spambot spam at 
all making it through the system using this and other tricks. Most of my 
filtering is done using Exim rules but I still use SA for the remaining 1% or 
so. I'm also feeding spam to several block list services who are using my data 
to add to blocking spam everywhere.
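
A sketch of the counting scheme described in the post above, as an added example that is not Marc Perkel's code. The 1/3/7-day retention and the 99% spam threshold come from the post; the 10-hit minimum, the white and yellow rules, the equal weighting of every hit and all sample addresses are assumptions. The constructed data includes a legitimate MTA that walks the whole MX list, the false-positive case argued over in this thread.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Retention per event kind, as stated in the post.
RETENTION = {
    "fake_mx": timedelta(days=1),   # hit on a dummy high-numbered MX
    "spam": timedelta(days=3),      # message SpamAssassin scored as spam
    "ham": timedelta(days=7),       # message accepted as legitimate
}
MIN_HITS = 10      # assumption: the thread only says "about 10 hits"
SPAM_RATIO = 0.99  # from the post: "has to be 99% spam"


def build_lists(events, now):
    """Classify each IP from (timestamp, ip, kind) events still in retention."""
    counts = defaultdict(lambda: {"bad": 0, "ham": 0})
    for ts, ip, kind in events:
        if now - ts > RETENTION[kind]:
            continue  # older than its retention window, ignored
        counts[ip]["ham" if kind == "ham" else "bad"] += 1

    lists = {}
    for ip, c in counts.items():
        total = c["bad"] + c["ham"]
        if total < MIN_HITS:
            continue  # not enough hits to be worth counting
        if c["bad"] / total >= SPAM_RATIO:
            lists[ip] = "black"
        elif c["bad"] == 0:
            lists[ip] = "white"   # assumption: only ham seen
        else:
            lists[ip] = "yellow"  # assumption: mixed sender
    return lists


def sample_events(now):
    """Constructed sample data using documentation-range addresses."""
    ev = []
    # Spambot probing the dummy MX hosts directly.
    ev += [(now - timedelta(minutes=5 * i), "192.0.2.10", "fake_mx") for i in range(12)]
    # Established sender: 40 ham messages spread over five days.
    ev += [(now - timedelta(hours=3 * i), "198.51.100.7", "ham") for i in range(40)]
    # Mixed sender: 15 spam and 5 ham.
    ev += [(now - timedelta(hours=i), "203.0.113.5", "spam") for i in range(15)]
    ev += [(now - timedelta(hours=i), "203.0.113.5", "ham") for i in range(5)]
    # Legitimate MTA that walks every MX after a temporary failure on the
    # real servers: 3 queued messages x 4 dummy hosts, and no ham recorded.
    ev += [(now - timedelta(minutes=30 * m), "198.51.100.99", "fake_mx")
           for m in range(3) for _ in range(4)]
    # Old fake-MX hits that have aged out of the 1-day window.
    ev += [(now - timedelta(days=2), "192.0.2.77", "fake_mx") for _ in range(20)]
    return ev


if __name__ == "__main__":
    now = datetime(2007, 6, 17, 12, 0)
    for ip, verdict in sorted(build_lists(sample_events(now), now).items()):
        print(ip, verdict)
```

The retrying MTA at 198.51.100.99 ends up on the black list with no spam ever seen from it, because every fake-MX hit counts as spam and no ham offsets it.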




Re: My Newly Expanded DNS Blacklist - Who wants to try it?

2007-06-16 Thread Jari Fredriksson
Marc Perkel wrote:
> Using my new ideas here's my raw blacklist file. It has about 80k IP
> addresses and is updated every 10 minutes.
> 
> http://iplist.junkemailfilter.com/black.txt
> 
> Here's instructions on how to use it with SpamAssassin and Exim.
> 
> http://wiki.ctyme.com/index.php/Spam_DNS_Lists#Spam_Assassin_Examples
> 
> I'd like to get some feedback on how well it's working.


Hmm, how about documenting how is it supposed to work? How does an IP address 
end up on your list?