Re: What countries to block ? and detectng Trojan attachments?

2005-11-14 Thread Menno van Bennekom
> Currently I am blocking all mails from = *.nl *.br *.ch etc..
That's fun, we're blocking each other! Most spam here in the Netherlands
comes from the US..
We block almost everything from China, Korea and Taiwan in postfix based
on domain-name and on ip-range (mostly complete B-classes).
But also a lot of other domains/IPs are blocked like comcast, rr, verizon,
Brazilian IPs, dynamic*, dialup*, indeed some .jp domains, etcetera.
And all dynamic/dialup addresses in dynablock.njabl.org and
dul.dnsbl.sorbs.net are blocked.
The spamstats from spamcop.net shows the popular spam ip-ranges:
http://www.spamcop.net/w3m?action=map;net=bmaxcnt;mask=16777215;sort=spamcnt

Regards
Menno van Bennekom




Re: What countries to block ? and detectng Trojan attachments?

2005-11-14 Thread Dave Pooser
> That's fun, we're blocking each other! Most spam here in the Netherlands
> comes from the US.

Most spam in the US comes from the US too; it's a matter of blocking
countries that rarely or never send us legitimate email. After all, if my
only purpose were to never receive spam I'd just unplug my mail server.

I don't block *.nl, or any of western Europe, based on country, but they do
get a +2 on the SA score. It seems to work in my specific situation, which
is all I can ask for.
-- 
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
A computer lets you make more mistakes faster than any invention in
human history with the possible exceptions of handguns and tequila.




RE: What countries to block ? and detectng Trojan attachments?

2005-11-11 Thread Matthew.van.Eerde
Jerry wrote:
> Anyone have a list of what country domain extensions are fairly Ok to
> block?

There's a politically charged question.
FWIW, most spam still comes from the US.

-- 
Matthew.van.Eerde (at) hbinc.com   805.964.4554 x902
Hispanic Business Inc./HireDiversity.com   Software Engineer


Re: What countries to block ? and detectng Trojan attachments?

2005-11-11 Thread OpenMacNews

hi,

> > Anyone have a list of what country domain extensions are fairly Ok to
> > block?
> >
> There's a politically charged question.
> FWIW, most spam still comes from the US.
>

imho, it's not an issue of where most spam comes from, nor is it a politically 
charged question.

rather it's a pragmatic one: what % of email you rec'v/expect from any given 
country is spam?

e.g., as one of my clients (a) does no business with CN/KR, and (b) noted that
~100% of email rec'd from servers there was spam, adding:

cn-kr.blackholes.us,

before their usual RBL list of:

sbl-xbl.spamhaus.org,
relays.ordb.org,
relays.mail-abuse.org,
list.dsbl.org

has had a huge effect on reducing spam ...

even though the total volume orig'ing in the US may be higher, the % of legit
email is much higher, and the 'other' RBL do well enuf ...

so, to your question: ... fairly OK ... ?  is simply an operational issue.

cheers,

richard
--

/\
\ /  ASCII Ribbon Campaign
 X   against HTML email, vCards
/ \   micro$oft attachments

[GPG] OpenMacNews at gmail dot com
fingerprint: 780A 5C81 D446 C616 B113  AA3A 9BF4 3736 88A5 678E



Re: What countries to block ? and detectng Trojan attachments?

2005-11-11 Thread Matt Kettler
Jerry wrote:
> We are getting a lot of spam mail from countries outside of the US.
> Anyone have a list of what country domain extensions are fairly Ok to
> block?  We don't have a lot of users who receive mail from outside the
> US.  We'd like to cut down on spam/spoof/virus messages.
>
> Currently I am blocking all mails from = *.nl *.br *.ch etc..

Personally, I find it unreasonable to outright block any country.

The problem being if you post on a list like say, users@spamassassin.apache.org
an off-list reply can come to you with help from *anywhere* in the world.

For example you might think it safe to block Ireland, not knowing anyone from
there. However, if Justin Mason emailed you off-list about a SA problem you'd be
blocking him.

Unless you can prove you strictly don't ever communicate with anyone from a
given country (including mailing lists), and never want to use any OSS with any
developers in that country, you're pretty much not-safe blocking it.

That said, I do use ACLs in milter-greylist to greylist all of apnic and lacnic,
as well as a variety of DUL networks in the US and EU, as well as any host with
no RDNS.

The greylist takes care of a lot of the spam without blocking legitimate mail,
although there are a couple of legitimate messages hit each week, they only get
delayed not dropped.

Thus far this week 10,181 messages were greylisted by my setup. Of those 376
retried and were delivered. Of those, 316 were tagged as spam by SA, and 51 were
not. A few of the 51 were SA FNs, but none of the 316 appear to be SA FPs.




> Also, Is there a special rule to detect messages like the one below?

Yeah, it's called a virus scanner. That's a mytob variant virus message.





Re: What countries to block ? and detectng Trojan attachments?

2005-11-11 Thread Jerry



> Also, Is there a special rule to detect messages like the one below?


> Yeah, it's called a virus scanner. That's a mytob variant virus message.



My virus scanner cleans the attachment, but I still get people emailing and
calling about their accounts when they receive these messages.





Re: What countries to block ? and detectng Trojan attachments?

2005-11-11 Thread hamann . w
> We are getting a lot of spam mail from countries outside of the US.  Anyone
> have a list of what country domain extensions are fairly Ok to block?  We
> don't have a lot of users who receive mail from outside the US.  We'd like to
> cut down on spam/spoof/virus messages.
>
> Currently I am blocking all mails from = *.nl *.br *.ch etc..
>

Living in a country outside the US (realistically, all countries in the world,
with just one exception, are outside the US) I must say that I get spam from
many places ... including said United States.

Why wouldn't just everybody - in every country - block mails from anywhere else?

Wolfgang Hamann



Re: What countries to block ? and detectng Trojan attachments?

2005-11-11 Thread Matt Kettler
Jerry wrote:
 
> > Also, Is there a special rule to detect messages like the one below?
>
> > Yeah, it's called a virus scanner. That's a mytob variant virus message.
>
> My virus scanner cleans the attachment, but still get people emailing
> and calling about their accounts when they receive these messages.

Well, then that's a problem with your virus scanner setup.. Mine tags the
subject line with {VIRUS} so my users never bother me about them...




RE: What countries to block ? and detectng Trojan attachments?

2005-11-11 Thread Matthew.van.Eerde
[EMAIL PROTECTED] wrote:
> Living in a country outside the US (realistically, all countries
> in the world, with just one exception, are outside the US) I must say
> that I get spam from many places ... including said United States.
>
> Why wouldn't just everybody - in every country - block mails from
> anywhere else?

I live in the US, and I'm philosophically opposed to blocking emails from a 
particular country.

Gr(a|e)ylisting I'm fine with.

But even if (say) Ptomania was barred by the UN from ever doing business with 
any other country; if logs going back ten years conclusively showed that every 
email ever received from Ptomania was demonstrably spam or viral; if there 
was evidence that a team of virus writers was developing new viruses every day 
and seeding them from Ptomanian mail servers; if ICANN dedicated a class A IP 
network solely for Ptomanian use in perpetuity; yes, even if all these things 
were true, I would /still/ refuse to block mail from that IP network.

Why?

Because it's wrong.

I cannot prove this... but it /is/... in the same sense that Mt. Everest /is/, 
or that Elmer Kogan /isn't/.

-- 
Matthew.van.Eerde (at) hbinc.com   805.964.4554 x902
Hispanic Business Inc./HireDiversity.com   Software Engineer


RE: What countries to block ? and detectng Trojan attachments?

2005-11-11 Thread Matthew.van.Eerde
Matthew.van.Eerde wrote:
> Elmer Kogan /isn't/

s/Elmer Kogan/Alma Cogan/ (sorry)

-- 
Matthew.van.Eerde (at) hbinc.com   805.964.4554 x902
Hispanic Business Inc./HireDiversity.com   Software Engineer



RE: What countries to block ? and detectng Trojan attachments?

2005-11-11 Thread Dan Hollis

On Fri, 11 Nov 2005, [EMAIL PROTECTED] wrote:

> But even if (say) Ptomania was barred by the UN from ever doing business with
> any other country; if logs going back ten years conclusively showed that every
> email ever received from Ptomania was demonstrably spam or viral; if there
> was evidence that a team of virus writers was developing new viruses every day
> and seeding them from Ptomanian mail servers; if ICANN dedicated a class A IP
> network solely for Ptomanian use in perpetuity; yes, even if all these things
> were true, I would /still/ refuse to block mail from that IP network.
> Why?
> Because it's wrong.


Who are you to dictate to an end user what mail they _must_ receive?

Their hardware. Their network. Their equipment. Their property. Not yours.

What's next, mandating people _must_ answer all phone calls, any time of 
the day or night, telemarketer or not, because one of them _might_ be a 
legitimate call?


FWIW it's simpler for me to block on encodings. I don't read Chinese or 
Korean or Russian, there is no reason for me to ever receive Chinese or 
Korean or Russian language emails, so anything BIG5 or EUC-KR or KOI8 
encoding with high-ascii chars in the body is instantly binned.


-Dan


Re: What countries to block ? and detectng Trojan attachments?

2005-11-11 Thread William Stearns

Good afternoon, all,

On Fri, 11 Nov 2005, OpenMacNews wrote:


> > > Anyone have a list of what country domain extensions are fairly Ok to
> > > block?
> >
> > There's a politically charged question.
> > FWIW, most spam still comes from the US.
>
> imho, it's not an issue of where most spam comes from, nor is it a politically
> charged question.
>
> rather it's a pragmatic one: what % of email you rec'v/expect from any given
> country is spam?
>
> e.g., as one of my clients (a) does no business with CN/KR, and (b) noted that
> ~100% of email rec'd from servers there was spam, adding:


	I heard that same argument from a respected coworker; he asked the 
company owner whether we could _possibly_ do business with Country S now 
or in the future.  Given an answer of no and the fact that we were 
receiving sustained attacks from Country S, he blocked the entire country.


	A few years later I found myself teaching a perimeter security 
course _in the capital of Country S_, explaining to a classroom full of 
paying students that we banned the entire country for a number of months 
because - *gulp* - there was no possible way we'd ever do business with 
that country.


	Here's another way to look at the issue.  Let's say that you knew 
that a state/county/province in your own country had an inordinately low 
signal/attack ratio.  Would you ban that region?


	Can you ever be sure enough that you'll _never_ get a legitimate 
mail from that region?  I've got one counter-example above.
	If you really do believe you've got some political area with a 
sufficiently low signal/noise ratio, I'd suggest making an SA rule to 
_raise the score_, instead of an unconditional block.


	One last note, Jerry.  If you unconditionally blocked mail from 
.nl and .br, you'd have respectively blocked 688 and 258 (out of 56,910) 
posts from this list alone.  One of which might someday have an answer you 
need.  :-)

Cheers,
- Bill

---
Boucher's Observation:
He who blows his own horn always plays the music several octaves
higher than originally written.
(Courtesy of Brett W. McCoy [EMAIL PROTECTED])
--
William Stearns ([EMAIL PROTECTED]).  Mason, Buildkernel, freedups, p0f,
rsync-backup, ssh-keyinstall, dns-check, more at:   http://www.stearns.org
--
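The score-raising approach Dave Pooser and Bill describe (a few points per country, no outright block) and Dan Hollis's encoding check (BIG5/EUC-KR/KOI8 declared and high-bit bytes actually present) combined in one small scorer. This is an added example, not code from the thread or from SpamAssassin; the TLD weights, the 4.0 charset score and the two sample messages are constructed for illustration.

```python
import base64
import email
import email.utils
from email import policy

# Constructed score adjustments (cf. "+2 on the SA score" in the thread);
# nothing is rejected outright, a message is only tagged when it crosses
# SpamAssassin's default required_score of 5.0.
TLD_SCORES = {"nl": 2.0, "br": 2.0, "ch": 2.0}
# Encodings the operator cannot read (Dan Hollis's check), counted only when
# the body really contains high-bit (non-ASCII) bytes.
UNREADABLE_CHARSETS = {"big5", "euc-kr", "koi8-r", "koi8-u"}
CHARSET_SCORE = 4.0
REQUIRED_SCORE = 5.0

def sender_tld(msg):
    """Last label of the From: domain, e.g. 'nl'; '' when absent."""
    addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    return addr.rpartition("@")[2].lower().rpartition(".")[2]

def has_high_bit_bytes(payload):
    return any(b > 0x7F for b in payload)

def score_message(raw):
    """Return (total, hits, is_spam) for a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {}
    tld = sender_tld(msg)
    if tld in TLD_SCORES:
        hits["FROM_TLD_" + tld.upper()] = TLD_SCORES[tld]
    for part in msg.walk():  # every text part, also inside multipart/*
        if part.get_content_maintype() != "text":
            continue
        charset = (part.get_content_charset() or "").lower()
        body = part.get_payload(decode=True) or b""  # undoes base64/QP
        if charset in UNREADABLE_CHARSETS and has_high_bit_bytes(body):
            hits["UNREADABLE_CHARSET"] = CHARSET_SCORE
            break
    total = sum(hits.values())
    return total, hits, total >= REQUIRED_SCORE

# Constructed sample messages, not real mail.
BIG5_FROM_BR = (b"From: <sender@example.com.br>\r\n"
                b"Content-Type: text/plain; charset=big5\r\n"
                b"Content-Transfer-Encoding: base64\r\n\r\n"
                + base64.b64encode(b"\xa4\xa4\xa4\xe5") + b"\r\n")
ASCII_FROM_NL = (b"From: <dev@example.nl>\r\n"
                 b"Content-Type: text/plain; charset=us-ascii\r\n\r\n"
                 b"Off-list reply about your SA rule.\r\n")
```

The .nl message scores 2.0 and is delivered untagged, which is exactly the off-list reply an unconditional block would have lost.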


Re: What countries to block ? and detectng Trojan attachments?

2005-11-11 Thread OpenMacNews


> Here's another way to look at the issue.  Let's say that you knew
> that a state/county/province in your own country had an inordinately low
> signal/attack ratio.  Would you ban that region?

1st, afaik, there are no IP block lists by state/county/province in your own 
country.

2nd, it would not meet stated business criteria.  client does business in the 
US .. all of it.  not in CN-KR.  in ~10 years, not a single email to/from CN-KR. 
any/all clients that HAVE been in/through CN-KR have communicated via legit 
providers in the US.  problem solved for them.

3rd, entire IP block bans ARE in place for known, seriously offending blocks, 
due specifically to inordinately low signal/attack ratio.

> Can you ever be sure enough that you'll _never_ get a legitimate
> mail from that region?

NOTHING is ever for certain.  especially managing business risk.

> If you unconditionally blocked mail from .nl
> and .br, you'd have respectively blocked 688 and 258 (out of 56,910)
> posts from this list alone.

hence, searchable mailing list archives are a 'good thing' ...