Re: Backscatter.org used as RBL??

2009-08-08 Thread d . hill

Quoting LuKreme :


On 5-Aug-2009, at 10:53, d.h...@yournetplus.com wrote:


Quoting LuKreme :


On Aug 4, 2009, at 6:35, d.h...@yournetplus.com wrote:


Quoting LuKreme :


On 3-Aug-2009, at 18:36, Dennis G German wrote:

Is Backscatter.org used by any rules?


Pretty sure not. The way to use that RBL is as an RBL. Don't  
accept the backscatter in the first place.


If you use the lists as an RBL to reject at SMTP, you will end up  
rejecting legitimate email. Here, I have the zones rsync to  
rbldnsd locally and have SA rules test the last external IP.


If you do it right, you are very unlikely to lose legitimate bounces.


I wasn't referring to legitimate bounces. I was referring to  
legitimate messages (non bounce). If I started using the  
backscatterer.org RBL's at SMTP time, guarantee I will get calls
and several email messages asking why a message was rejected.


No, not if you do it right. I've posted here before, but you only  
check backscatter.org's RBL to check bounce messages.


I stand corrected. After reviewing my configuration, I am doing it the  
very same way you are with your latter Postfix example. I just haven't  
touched the configuration in a while and had forgotten.




Re: Backscatter.org used as RBL??

2009-08-08 Thread Ralf Hildebrandt
* LuKreme :
> On 5-Aug-2009, at 11:33, spamassas...@nro.ca wrote:
> >If anyone has an example config for sendmail to use the backscatter
> >rbl at
> >smtp time please send it. I take a beating from backscatterers.
> 
> This is what I do in postfix. Perhaps you can adapt it?
> 
> main.cf:
> smtpd_data_restrictions =
>     reject_unauth_pipelining,
>     reject_multi_recipient_bounce,
>     check_sender_access hash:$config_directory/backscatter
>     permit
> 
> backscatter:
> <>  reject_rbl_client ips.backscatterer.org, reject_rbl_client bl.spamcannibal.org
> 
> This checks both backscatter and spamcannibal, but only for null
> senders (Bounces)

Nice one!

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: Backscatter.org used as RBL??

2009-08-08 Thread Mike Cardwell

Matus UHLAR - fantomas wrote:


I've read the "sender callouts" page and I don't see any evidence that it
mentions the SAV problem.


On 07.08.09 15:33, Mike Cardwell wrote:
I went to the front page, and then clicked "Sender Callouts" ... The  
very first line says:


"Sendercallouts (Sender Verify / SAV) - Why it is abusive"

The second line says:

"This is for all persons who think SENDER CALLOUTS are viable."

The third line says:

"We will explain why we consider sender callouts abusive."

The rest of the page describes in detail the problems with SAV.

Yet you can't see that it even mentions the SAV problem?


the title (not ) is the only place it mentions SAV. all the rest
mentions "sender callouts" which is imho not clear.


"Sendercallouts (Sender Verify / SAV) - Why it is abusive" says that in 
the context of the page, the 3 names are being used in an 
interchangeable manner.


If it said "Why they are abusive" instead of "Why it is abusive" you 
might be forgiven for thinking that it was providing a list of three 
separate things.



Especially the part that mentions bidirectional verify, expecting that the
provided rcpt will be used for SAV sender (many SAV implementations use mail
from:<>)


I think it mentions the mailing back, not the SAV,
and I'm interested if the backscatterer.org blacklists IPs with SAV or only
those that send real mails...
It does both. The minimal amount of text on the front page couldn't be  
clearer about that ...


I think it could


I think this must be a language barrier thing. "Every IP which 
backscatters or does sender callouts" is a quite clear statement that 
the list contains two things:


1.) IPs which originate backscatter
2.) IPs which perform sender callouts

--
Mike Cardwell - IT Consultant and LAMP developer
Cardwell IT Ltd. (UK Reg'd Company #06920226) http://cardwellit.com/


Re: Backscatter.org used as RBL??

2009-08-08 Thread LuKreme

On 5-Aug-2009, at 11:33, spamassas...@nro.ca wrote:
If anyone has an example config for sendmail to use the backscatter
rbl at smtp time please send it. I take a beating from backscatterers.


This is what I do in postfix. Perhaps you can adapt it?

main.cf:
smtpd_data_restrictions =
    reject_unauth_pipelining,
    reject_multi_recipient_bounce,
    check_sender_access hash:$config_directory/backscatter
    permit

backscatter:
<>  reject_rbl_client ips.backscatterer.org, reject_rbl_client bl.spamcannibal.org


This checks both backscatter and spamcannibal, but only for null  
senders (Bounces)



--
Well, I've wrestled with reality for 35 years, Doctor, and I'm happy  
to state I finally won out over it.
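
The decision logic of the configuration in the post above, as an added example that is not part of the original thread and is not Postfix code: the two DNSBL zones are consulted only when the envelope sender is null, so ordinary mail from a listed client is never looked up. The function names, the injectable `lookup` callable and the listed name are constructed for illustration; `reject_unauth_pipelining` is not modelled.

```python
import ipaddress
import socket

# Zones named in the access map of the post above.
ZONES = ("ips.backscatterer.org", "bl.spamcannibal.org")

# Constructed sample data: pretend this one name is listed (documentation IP range).
CONSTRUCTED_LISTED = {"25.2.0.192.ips.backscatterer.org"}


def dnsbl_query_name(client_ip, zone):
    """Reverse the client address the way DNSBL lookups expect and append the zone."""
    addr = ipaddress.ip_address(client_ip)
    # reverse_pointer gives e.g. '25.2.0.192.in-addr.arpa'; drop the last two labels.
    reversed_labels = addr.reverse_pointer.rsplit(".", 2)[0]
    return f"{reversed_labels}.{zone}"


def dns_lookup(name):
    """Live lookup: the client counts as listed when the name resolves to 127.x."""
    try:
        return socket.gethostbyname(name).startswith("127.")
    except socket.gaierror:
        return False


def is_null_sender(mail_from):
    """True for the empty envelope sender used by bounces (MAIL FROM:<>)."""
    return mail_from.strip() in ("", "<>")


def data_stage_decision(mail_from, client_ip, rcpt_count, lookup=dns_lookup):
    """Return (action, reason) for one message at the DATA stage."""
    if not is_null_sender(mail_from):
        # The access map only has a '<>' key, so other senders fall through to permit.
        return ("PERMIT", "non-null sender, DNSBL not consulted")
    if rcpt_count > 1:
        # Counterpart of reject_multi_recipient_bounce.
        return ("REJECT", "multi-recipient bounce")
    for zone in ZONES:
        if lookup(dnsbl_query_name(client_ip, zone)):
            return ("REJECT", f"bounce from client listed in {zone}")
    return ("PERMIT", "bounce from unlisted client")


def make_recording_lookup(listed):
    """Offline stand-in for DNS that also records which names were queried."""
    queried = []

    def lookup(name):
        queried.append(name)
        return name in listed

    return lookup, queried


def demo():
    """Run four constructed messages through the policy."""
    lookup, queried = make_recording_lookup(CONSTRUCTED_LISTED)
    cases = [
        ("<>", "192.0.2.25", 1),                # bounce from a listed client
        ("user@example.com", "192.0.2.25", 1),  # normal mail from the same client
        ("<>", "198.51.100.7", 1),              # bounce from an unlisted client
        ("<>", "198.51.100.7", 3),              # bounce addressed to several recipients
    ]
    results = [data_stage_decision(s, ip, n, lookup) for s, ip, n in cases]
    return results, queried


if __name__ == "__main__":
    results, queried = demo()
    for action, reason in results:
        print(action, "-", reason)
    print("DNSBL names queried:", queried)
```
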




Re: Backscatter.org used as RBL??

2009-08-08 Thread LuKreme

On 5-Aug-2009, at 10:53, d.h...@yournetplus.com wrote:


Quoting LuKreme :


On Aug 4, 2009, at 6:35, d.h...@yournetplus.com wrote:


Quoting LuKreme :


On 3-Aug-2009, at 18:36, Dennis G German wrote:
Is Backscatter.org used by any rules?


Pretty sure not. The way to use that RBL is as an RBL. Don't  
accept the backscatter in the first place.


If you use the lists as an RBL to reject at SMTP, you will end up  
rejecting legitimate email. Here, I have the zones rsync to  
rbldnsd locally and have SA rules test the last external IP.


If you do it right, you are very unlikely to lose legitimate bounces.


I wasn't referring to legitimate bounces. I was referring to  
legitimate messages (non bounce). If I started using the  
backscatterer.org RBL's at SMTP time, guarantee I will get calls and
several email messages asking why a message was rejected.


No, not if you do it right. I've posted here before, but you only  
check backscatter.org's RBL to check bounce messages.


--
The other cats just think he's a tosser. --Neil Gaiman



Re: Backscatter.org used as RBL??

2009-08-08 Thread Michelle Konzack
Good Morning Marc,

On 2009-08-06 15:37:46, Marc Perkel wrote:
> This might be an advanced concept for you but what I meant was -  
> deliberately send spam. Everyone doing sender verification is someone  
> who is trying to BLOCK spam, and therefore are the good guys. I also  
> track SAV calls and I use it as a WHITE list.

Good Guys?  --  Maybe from their point of view, but I get several 100 per
day from E-Mails I do not know and 99.9% are unknown. I know this,
because I am running statistics over my incoming mails including the 125
mailinglists where I am subscribed.

My database has now over 340.000 E-Mails captured from business contacts
and mailinglists and they have never spammed.

The second database contains currently around 180.000.000 E-Mails which
were used to spam my systems.

I have captured the stuff in the last 9 years...

ANY backscatter sender is considered a spammer here.

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant

-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
 Michelle Konzack
   c/o Vertriebsp. KabelBW
   Blumenstrasse 2
Jabber linux4miche...@jabber.ccc.de   77694 Kehl/Germany
IRC #Debian (irc.icq.com) Tel. DE: +49 177 9351947
ICQ #328449886Tel. FR: +33  6  61925193




Re: Backscatter.org used as RBL??

2009-08-07 Thread Matus UHLAR - fantomas
> Matus UHLAR - fantomas wrote:
>> I've read the "sender callouts" page and I don't see any evidence that it
>> mentions the SAV problem.

On 07.08.09 15:33, Mike Cardwell wrote:
> I went to the front page, and then clicked "Sender Callouts" ... The  
> very first line says:
>
> "Sendercallouts (Sender Verify / SAV) - Why it is abusive"
>
> The second line says:
>
> "This is for all persons who think SENDER CALLOUTS are viable."
>
> The third line says:
>
> "We will explain why we consider sender callouts abusive."
>
> The rest of the page describes in detail the problems with SAV.
>
> Yet you can't see that it even mentions the SAV problem?

the title (not ) is the only place it mentions SAV. all the rest
mentions "sender callouts" which is imho not clear.

Especially the part that mentions bidirectional verify, expecting that the
provided rcpt will be used for SAV sender (many SAV implementations use mail
from:<>)

>> I think it mentions the mailing back, not the SAV,
>> and I'm interested if the backscatterer.org blacklists IPs with SAV or only
>> those that send real mails...
>
> It does both. The minimal amount of text on the front page couldn't be  
> clearer about that ...

I think it could
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Eagles may soar, but weasels don't get sucked into jet engines. 


Re: [sa] Re: Backscatter.org used as RBL??

2009-08-07 Thread Charles Gregory

On Fri, 7 Aug 2009, Matus UHLAR - fantomas wrote:

I hope those "good" SAV users are also using some good filtering policy
(reject machines w/o DNS, machines in blacklists, SPF fails) before they are
doing SAV, otherwise they just DoS the victims...


(nod) These arguments (on this list :) convinced me to STOP using SAV on
my mail server. Yes, a tiny bit more spam gets through, but really,
not enough to justify the performance cost on all our legitimate mail.
:)

- C


Re: Backscatter.org used as RBL??

2009-08-07 Thread Mike Cardwell

Matus UHLAR - fantomas wrote:


Do you say that backscatterer list contains IPs of servers that do _not_
send backscatter but are doing SAV? Do you have any proofs about that?


The proof is on the front page of http://www.backscatterer.org/ in big  
red letters: "Every IP which backscatters or does sender callouts"



I've read the "sender callouts" page and I don't see any evidence that it
mentions the SAV problem.


I went to the front page, and then clicked "Sender Callouts" ... The 
very first line says:


"Sendercallouts (Sender Verify / SAV) - Why it is abusive"

The second line says:

"This is for all persons who think SENDER CALLOUTS are viable."

The third line says:

"We will explain why we consider sender callouts abusive."

The rest of the page describes in detail the problems with SAV.

Yet you can't see that it even mentions the SAV problem?


I think it mentions the mailing back, not the SAV,
and I'm interested if the backscatterer.org blacklists IPs with SAV or only
those that send real mails...


It does both. The minimal amount of text on the front page couldn't be 
clearer about that ...


--
Mike Cardwell - IT Consultant and LAMP developer
Cardwell IT Ltd. (UK Reg'd Company #06920226) http://cardwellit.com/


Re: Backscatter.org used as RBL??

2009-08-07 Thread Matus UHLAR - fantomas
On 07.08.09 06:55, Marc Perkel wrote:

Oh, please, why html only?

>> On 06.08.09 15:37, Marc Perkel wrote:
>>> This might be an advanced concept for you but what I meant was -
>>> deliberately send spam. Everyone doing sender verification is someone
>>> who is trying to BLOCK spam, and therefore are the good guys. I also
>>> track SAV calls and I use it as a WHITE list.

>Matus UHLAR - fantomas wrote:
>>  How do you differ between people doing SAV and people sending backscatter?

> The backscatter list mixes these so it mixes SAV with people who have
> poorly configured rejection system. SAV doesn't go into the DATA phase so
> if they do QUIT without DATA then it's SAV. And if they are doing SAV then
> they are one of the good guys and get, in my system, NOBL listed. NOBL
> means don't blacklist.

Yes, but the others on list are those who accept-then-bounce, who should
be blocked asap.

>>  Do you say that backscatterer list contains IPs of servers that do _not_
>>  send backscatter but are doing SAV? Do you have any proofs about that?

> Actually the history of the backscatter list is that UCEprotect had them
> in their regular black list and due to pressure and complaints and false
> positives they separated them out. Their UCEProtect lists are better but
> still have a lot of false positives. But separating them was a move
> forward.
> 
> What they should do is return different codes to indicate what got them on
> the list. SAV is not backscatter. So if it is from <> and there is DATA
> then it's someone who is sending bad bounce messages to faked sender
> addresses. But if there is no DATA then it's SAV. These should be
> processed separately.

While I think that SAV is bad thing, I agree that it should be separated,
potionally to different list too...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
He who laughs last thinks slowest. 


Re: Backscatter.org used as RBL??

2009-08-07 Thread Matus UHLAR - fantomas
> * Matus UHLAR - fantomas :
> > On 06.08.09 15:37, Marc Perkel wrote:
> > > This might be an advanced concept for you but what I meant was -  
> > > deliberately send spam. Everyone doing sender verification is someone  
> > > who is trying to BLOCK spam, and therefore are the good guys. I also  
> > > track SAV calls and I use it as a WHITE list.
> > 
> > How do you differ between people doing SAV and people sending backscatter?

On 07.08.09 15:35, Ralf Hildebrandt wrote:
> The former never enter the DATA stage, the latter do.

Yes, but this can be done only when we come to the DATA phase, in which case
it's very hard to reject without patched mailserver.

He called backscatterer the worst blacklist, so I'm curious if he does
differ between them somehow, or simply accepts backscatter and whitelists
all IPs on backscatter blacklist because "SAV is good".

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Nothing is fool-proof to a talented fool. 


Re: Backscatter.org used as RBL??

2009-08-07 Thread Rick Macdougall

Marc Perkel wrote:


What they should do is return different codes to indicate what got them 
on the list. SAV is not backscatter. So if it is from <> and there is 
DATA then it's someone who is sending bad bounce messages to faked 
sender addresses. But if there is no DATA then it's SAV. These should
be processed separately.




Errr, if it's an invalid email address it will never get to the DATA 
stage, at least on my servers, it's outright rejected with a 553 -
Invalid user.


How do you tell the difference between SAV and bounce backs in that case ?

Rick


Re: Backscatter.org used as RBL??

2009-08-07 Thread Matus UHLAR - fantomas
> Matus UHLAR - fantomas wrote:
>
>> Do you say that backscatterer list contains IPs of servers that do _not_
>> send backscatter but are doing SAV? Do you have any proofs about that?

On 07.08.09 14:37, Mike Cardwell wrote:
> The proof is on the front page of http://www.backscatterer.org/ in big  
> red letters: "Every IP which backscatters or does sender callouts"

I've read the "sender callouts" page and I don't see any evidence that it
mentions the SAV problem. I think it mentions the mailing back, not the SAV,
and I'm interested if the backscatterer.org blacklists IPs with SAV or only
those that send real mails...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Despite the cost of living, have you noticed how popular it remains? 


Re: Backscatter.org used as RBL??

2009-08-07 Thread Marc Perkel






Matus UHLAR - fantomas wrote:

  On 06.08.09 15:37, Marc Perkel wrote:
  
  
This might be an advanced concept for you but what I meant was -  
deliberately send spam. Everyone doing sender verification is someone  
who is trying to BLOCK spam, and therefore are the good guys. I also  
track SAV calls and I use it as a WHITE list.

  
  
How do you differ between people doing SAV and people sending backscatter?
  

The backscatter list mixes these so it mixes SAV with people who have
poorly configured rejection system. SAV doesn't go into the DATA phase
so if they do QUIT without DATA then it's SAV. And if they are doing
SAV then they are one of the good guys and get, in my system, NOBL
listed. NOBL means don't blacklist.

  
The whole point of using backscatterer BL was to block bounces from machines
that send much of them, e. g. are using accept-then-bounce method.
(well, someone may want to block all mail from such machines)

Do you say that backscatterer list contains IPs of servers that do _not_
send backscatter but are doing SAV? Do you have any proofs about that?

I hope those "good" SAV users are also using some good filtering policy
(reject machines w/o DNS, machines in blacklists, SPF fails) before they are
doing SAV, otherwise they just DoS the victims...

  


Actually the history of the backscatter list is that UCEprotect had
them in their regular black list and due to pressure and complaints and
false positives they separated them out. Their UCEProtect lists are
better but still have a lot of false positives. But separating them was
a move forward.

What they should do is return different codes to indicate what got them
on the list. SAV is not backscatter. So if it is from <> and
there is DATA then it's someone who is sending bad bounce messages to
faked sender addresses. But if there is no DATA then it's SAV. These
should be processed separately.





Re: Backscatter.org used as RBL??

2009-08-07 Thread Mike Cardwell

Matus UHLAR - fantomas wrote:


Do you say that backscatterer list contains IPs of servers that do _not_
send backscatter but are doing SAV? Do you have any proofs about that?


The proof is on the front page of http://www.backscatterer.org/ in big 
red letters: "Every IP which backscatters or does sender callouts"


--
Mike Cardwell - IT Consultant and LAMP developer
Cardwell IT Ltd. (UK Reg'd Company #06920226) http://cardwellit.com/


Re: Backscatter.org used as RBL??

2009-08-07 Thread Ralf Hildebrandt
* Matus UHLAR - fantomas :
> On 06.08.09 15:37, Marc Perkel wrote:
> > This might be an advanced concept for you but what I meant was -  
> > deliberately send spam. Everyone doing sender verification is someone  
> > who is trying to BLOCK spam, and therefore are the good guys. I also  
> > track SAV calls and I use it as a WHITE list.
> 
> How do you differ between people doing SAV and people sending backscatter?

The former never enter the DATA stage, the latter do.

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de
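
The distinction drawn in this part of the thread (a callout never enters the DATA stage, a bounce does), applied to recorded SMTP sessions as an added example that is not part of the original messages. The `(command, reply_code)` event format, the labels and the sample sessions are constructed for illustration; one mail transaction per session is assumed, and callouts that use a non-null sender are not recognised. A null-sender session whose recipient was refused stays "undetermined", since a bounce would have stopped at the same point.

```python
from collections import Counter, defaultdict

# Constructed sample sessions: (client_ip, [(command, reply_code), ...]).
SESSIONS = [
    ("192.0.2.10", [("EHLO probe.example", 250), ("MAIL FROM:<>", 250),
                    ("RCPT TO:<alice@example.org>", 250), ("QUIT", 221)]),
    ("192.0.2.20", [("EHLO mx.example", 250), ("MAIL FROM:<>", 250),
                    ("RCPT TO:<alice@example.org>", 250), ("DATA", 354),
                    ("QUIT", 221)]),
    ("192.0.2.30", [("HELO relay.example", 250), ("MAIL FROM:<>", 250),
                    ("RCPT TO:<nosuchuser@example.org>", 553), ("QUIT", 221)]),
    ("192.0.2.40", [("EHLO mail.example", 250),
                    ("MAIL FROM:<bob@mail.example> SIZE=1024", 250),
                    ("RCPT TO:<alice@example.org>", 250), ("DATA", 354),
                    ("QUIT", 221)]),
    ("192.0.2.10", [("EHLO probe.example", 250), ("MAIL FROM:<>", 250),
                    ("RCPT TO:<carol@example.org>", 250), ("RSET", 250),
                    ("QUIT", 221)]),
]


def envelope_sender(command):
    """Return the address of a MAIL FROM command ('' for <>), or None."""
    verb, sep, rest = command.partition(":")
    if not sep or verb.strip().upper() != "MAIL FROM":
        return None
    parts = rest.split()  # drops ESMTP parameters such as SIZE=...
    addr = parts[0] if parts else ""
    return addr.strip("<>")


def classify_session(events):
    """Label one session using the 'reached DATA or not' test from the thread."""
    sender = None
    rcpt_accepted = False
    data_accepted = False
    for command, code in events:
        verb = command.strip().upper()
        if verb.startswith("MAIL FROM"):
            if 200 <= code < 300:
                sender = envelope_sender(command)
        elif verb.startswith("RCPT TO"):
            rcpt_accepted = rcpt_accepted or 200 <= code < 300
        elif verb == "DATA":
            data_accepted = data_accepted or code == 354
    if sender is None:
        return "no-transaction"
    if sender != "":
        return "non-null-sender"
    if data_accepted:
        return "bounce"       # null sender that went on to send a message body
    if rcpt_accepted:
        return "callout"      # recipient accepted, then the client left without DATA
    return "undetermined"     # recipient refused: bounce and callout look identical


def summarize(sessions):
    """Count labels per client IP so repeat behaviour stands out."""
    per_client = defaultdict(Counter)
    for client_ip, events in sessions:
        per_client[client_ip][classify_session(events)] += 1
    return dict(per_client)


if __name__ == "__main__":
    for ip, counts in sorted(summarize(SESSIONS).items()):
        print(ip, dict(counts))
```
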



Re: Backscatter.org used as RBL??

2009-08-07 Thread Matus UHLAR - fantomas
On 06.08.09 15:37, Marc Perkel wrote:
> This might be an advanced concept for you but what I meant was -  
> deliberately send spam. Everyone doing sender verification is someone  
> who is trying to BLOCK spam, and therefore are the good guys. I also  
> track SAV calls and I use it as a WHITE list.

How do you differ between people doing SAV and people sending backscatter?

The whole point of using backscatterer BL was to block bounces from machines
that send much of them, e. g. are using accept-then-bounce method.
(well, someone may want to block all mail from such machines)

Do you say that backscatterer list contains IPs of servers that do _not_
send backscatter but are doing SAV? Do you have any proofs about that?

I hope those "good" SAV users are also using some good filtering policy
(reject machines w/o DNS, machines in blacklists, SPF fails) before they are
doing SAV, otherwise they just DoS the victims...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Remember half the people you know are below average. 


Re: Backscatter.org used as RBL??

2009-08-06 Thread d . hill

Quoting "McDonald, Dan" :


On Wed, 2009-08-05 at 10:34 -0600, LuKreme wrote:

On Aug 4, 2009, at 6:35, d.h...@yournetplus.com wrote:

> Quoting LuKreme :
>
>> On 3-Aug-2009, at 18:36, Dennis G German wrote:
>
> If you use the lists as an RBL to reject at SMTP, you will end up
> rejecting legitimate email. Here, I have the zones rsync to rbldnsd
> locally and have SA rules test the last external IP.

If you do it right, you are very unlikely to lose legitimate bounces.


I thought I'd test a few rules on it, but I'm having trouble getting
rbldnsd to deal with the zones.  Does anyone have a sample config that
works?  I've gotten other zones to load via rbldnsd, so I'm sure it's
something stupid on my part, or maybe it just doesn't like - in
zonenames...


service rbldnsd restart
Stopping rbldnsd: invaluement   [  OK  ]
Starting rbldnsd: invaluement   [  OK  ]
Stopping rbldnsd: uceprotect[  OK  ]
Starting rbldnsd: uceprotect[  OK  ]
Starting rbldnsd:
dnsbl-2.uceprotect.net:ip4set:uceprotect/dnsbl-2.uceprotect.net rbldnsd:
no zone(s) to service specified (-h for help)
[FAILED]
Starting rbldnsd:
dnsbl-3.uceprotect.net:ip4set:uceprotect/dnsbl-3.uceprotect.net rbldnsd:
no zone(s) to service specified (-h for help)
[FAILED]
Stopping rbldnsd: uceprotect4   [  OK  ]
Starting rbldnsd: uceprotect4   [  OK  ]

The relevant stanza is

uceprotect -r/var/lib/rbldnsd -q -b127.0.0.1/5354 \
dnsbl-1.uceprotect.net:ip4set:uceprotect/dnsbl-1.uceprotect.net \
dnsbl-2.uceprotect.net:ip4set:uceprotect/dnsbl-2.uceprotect.net \
dnsbl-3.uceprotect.net:ip4set:uceprotect/dnsbl-3.uceprotect.net \



Once I get that running I'll try to tackle a meta rule for blank from:
and


It appears you are trying to load the zones from within a directory  
called uceprotect within the chrooted /var/lib/rbldnsd. Perhaps  
/var/lib/rbldnsd/uceprotect doesn't contain any zone files.




Re: Backscatter.org used as RBL??

2009-08-06 Thread Marc Perkel



Mike Cardwell wrote:

Marc Perkel wrote:

Backscatter.org is the worst RBL on the planet. If you use it you 
will get a lot of false positives.


Let's compare backscatterer's recommended usage of their list in your
favourite MTA against your own recommendation for usage of your 
hostkarma RBL in your favourite MTA:


1.) HostKarma:

deny dnslists = hostkarma.junkemailfilter.com=127.0.0.2

2.) BackScatterer:

deny senders = :
 dnslists= ips.backscatterer.org
 log_message = $sender_host_address listed at $dnslist_domain
 message = Backscatter: $dnslist_text

I would argue, and I expect few would disagree, that you're more 
likely to get a false positive from the first than the second.


Or were you ignoring the large bright red warning signs and usage 
information on http://www.backscatterer.org/ ?


I'll disagree with that.


Of course you will. It's your list I was talking about.


A lot of the backscatterer list is sender address verification calls.
If someone is doing sender address verification then they are
filtering spam and those who filter spam are not sending spam.


"Those who filter spam are not sending spam" - I can't remember the 
last time I used this abbreviation... lol ... gmail? hotmail? yahoo?



On my  system people doing SAV get white listed - not black listed.


Is that why your whitelist is much worse than the dnswl.org one? I 
have a user who gets about 2000 spams a day. I keep a copy of that 
spam in a folder for a week. 14 of the emails in there have JMF_W tags 
on them at the moment and none of them have DNSWL tags.


That's pretty poor considering both lists fire on about the same 
number of emails:


r...@haven:~# zgrep JMF_W /var/log/mail.log.[1234567].gz|wc -l
908
r...@haven:~# zgrep DNSWL /var/log/mail.log.[1234567].gz|wc -l
803
r...@haven:~#

One of the emails was from:

122.56.213.81 (122-56-213-81.mobile.telecom.co.nz)

Although that IP has now graduated from your whitelist to the 
yellowlist. Amazing that an IP like that got into the whitelist in the 
first place. You must have some faulty automated system for populating 
the list.



This might be more accurate:

accept !senders = :
  dnslists= ips.backscatterer.org


I see. You think "Host sends backscatter" therefore "Host never sends 
spam". An interesting hypothesis.




This might be an advanced concept for you but what I meant was - 
deliberately send spam. Everyone doing sender verification is someone 
who is trying to BLOCK spam, and therefore are the good guys. I also 
track SAV calls and I use it as a WHITE list.




Re: Backscatter.org used as RBL??

2009-08-06 Thread McDonald, Dan
On Wed, 2009-08-05 at 10:34 -0600, LuKreme wrote:
> On Aug 4, 2009, at 6:35, d.h...@yournetplus.com wrote:
> 
> > Quoting LuKreme :
> >
> >> On 3-Aug-2009, at 18:36, Dennis G German wrote:
> >
> > If you use the lists as an RBL to reject at SMTP, you will end up  
> > rejecting legitimate email. Here, I have the zones rsync to rbldnsd  
> > locally and have SA rules test the last external IP.
> 
> If you do it right, you are very unlikely to lose legitimate bounces.

I thought I'd test a few rules on it, but I'm having trouble getting
rbldnsd to deal with the zones.  Does anyone have a sample config that
works?  I've gotten other zones to load via rbldnsd, so I'm sure it's
something stupid on my part, or maybe it just doesn't like - in
zonenames...


service rbldnsd restart
Stopping rbldnsd: invaluement   [  OK  ]
Starting rbldnsd: invaluement   [  OK  ]
Stopping rbldnsd: uceprotect[  OK  ]
Starting rbldnsd: uceprotect[  OK  ]
Starting rbldnsd:
dnsbl-2.uceprotect.net:ip4set:uceprotect/dnsbl-2.uceprotect.net rbldnsd:
no zone(s) to service specified (-h for help)
[FAILED]
Starting rbldnsd:
dnsbl-3.uceprotect.net:ip4set:uceprotect/dnsbl-3.uceprotect.net rbldnsd:
no zone(s) to service specified (-h for help)
[FAILED]
Stopping rbldnsd: uceprotect4   [  OK  ]
Starting rbldnsd: uceprotect4   [  OK  ]

The relevant stanza is 

uceprotect -r/var/lib/rbldnsd -q -b127.0.0.1/5354 \
dnsbl-1.uceprotect.net:ip4set:uceprotect/dnsbl-1.uceprotect.net \ 
dnsbl-2.uceprotect.net:ip4set:uceprotect/dnsbl-2.uceprotect.net \ 
dnsbl-3.uceprotect.net:ip4set:uceprotect/dnsbl-3.uceprotect.net \ 



Once I get that running I'll try to tackle a meta rule for blank from:
and 

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com




Re: Backscatter.org used as RBL??

2009-08-06 Thread J.D. Falk

Marc Perkel wrote:


If someone is doing sender address
verification then they are filtering spam and those who filter spam are
not sending spam.


Do you have any stats on that?

--
J.D. Falk
Return Path Inc
http://www.returnpath.net/


Re: Backscatter.org used as RBL??

2009-08-06 Thread Mike Cardwell

Marc Perkel wrote:

Backscatter.org is the worst RBL on the planet. If you use it you 
will get a lot of false positives.


Let's compare backscatterer's recommended usage of their list in your
favourite MTA against your own recommendation for usage of your 
hostkarma RBL in your favourite MTA:


1.) HostKarma:

deny dnslists = hostkarma.junkemailfilter.com=127.0.0.2

2.) BackScatterer:

deny senders = :
 dnslists= ips.backscatterer.org
 log_message = $sender_host_address listed at $dnslist_domain
 message = Backscatter: $dnslist_text

I would argue, and I expect few would disagree, that you're more 
likely to get a false positive from the first than the second.


Or were you ignoring the large bright red warning signs and usage 
information on http://www.backscatterer.org/ ?


I'll disagree with that.


Of course you will. It's your list I was talking about.


A lot of the backscatterer list is sender address verification calls.
If someone is doing sender address verification then they are
filtering spam and those who filter spam are not sending spam.


"Those who filter spam are not sending spam" - I can't remember the last 
time I used this abbreviation... lol ... gmail? hotmail? yahoo?



On my  system people doing SAV get white listed - not black listed.


Is that why your whitelist is much worse than the dnswl.org one? I have 
a user who gets about 2000 spams a day. I keep a copy of that spam in a 
folder for a week. 14 of the emails in there have JMF_W tags on them at 
the moment and none of them have DNSWL tags.


That's pretty poor considering both lists fire on about the same number 
of emails:


r...@haven:~# zgrep JMF_W /var/log/mail.log.[1234567].gz|wc -l
908
r...@haven:~# zgrep DNSWL /var/log/mail.log.[1234567].gz|wc -l
803
r...@haven:~#

One of the emails was from:

122.56.213.81 (122-56-213-81.mobile.telecom.co.nz)

Although that IP has now graduated from your whitelist to the 
yellowlist. Amazing that an IP like that got into the whitelist in the 
first place. You must have some faulty automated system for populating 
the list.



This might be more accurate:

accept !senders = :
  dnslists= ips.backscatterer.org


I see. You think "Host sends backscatter" therefore "Host never sends 
spam". An interesting hypothesis.


--
Mike Cardwell - IT Consultant and LAMP developer
Cardwell IT Ltd. (UK Reg'd Company #06920226) http://cardwellit.com/


Re: Backscatter.org used as RBL??

2009-08-06 Thread Marc Perkel



Mike Cardwell wrote:

Marc Perkel wrote:

Backscatter.org is the worst RBL on the planet. If you use it you 
will get a lot of false positives.


Let's compare backscatterer's recommended usage of their list in your
favourite MTA against your own recommendation for usage of your 
hostkarma RBL in your favourite MTA:


1.) HostKarma:

deny dnslists = hostkarma.junkemailfilter.com=127.0.0.2

2.) BackScatterer:

deny senders = :
 dnslists= ips.backscatterer.org
 log_message = $sender_host_address listed at $dnslist_domain
 message = Backscatter: $dnslist_text

I would argue, and I expect few would disagree, that you're more 
likely to get a false positive from the first than the second.


Or were you ignoring the large bright red warning signs and usage 
information on http://www.backscatterer.org/ ?




I'll disagree with that. A lot of the backscatterer list is sender 
address verification calls. If someone is doing sender address 
verification then they are filtering spam and those who filter spam are 
not sending spam. On my system people doing SAV get white listed - not 
black listed.


This might be more accurate:

accept !senders = :
  dnslists= ips.backscatterer.org




Re: Backscatter.org used as RBL??

2009-08-05 Thread Mike Cardwell

Marc Perkel wrote:

Backscatter.org is the worst RBL on the planet. If you use it you will 
get a lot of false positives.


Let's compare backscatterer's recommended usage of their list in your
favourite MTA against your own recommendation for usage of your 
hostkarma RBL in your favourite MTA:


1.) HostKarma:

deny dnslists = hostkarma.junkemailfilter.com=127.0.0.2

2.) BackScatterer:

deny senders = :
 dnslists= ips.backscatterer.org
 log_message = $sender_host_address listed at $dnslist_domain
 message = Backscatter: $dnslist_text

I would argue, and I expect few would disagree, that you're more likely 
to get a false positive from the first than the second.


Or were you ignoring the large bright red warning signs and usage 
information on http://www.backscatterer.org/ ?


--
Mike Cardwell - IT Consultant and LAMP developer
Cardwell IT Ltd. (UK Reg'd Company #06920226) http://cardwellit.com/


Re: Backscatter.org used as RBL??

2009-08-05 Thread Marc Perkel



d.h...@yournetplus.com wrote:

Quoting LuKreme :


On Aug 4, 2009, at 6:35, d.h...@yournetplus.com wrote:


Quoting LuKreme :


On 3-Aug-2009, at 18:36, Dennis G German wrote:
Is Backscatter.org used by any rules?


Pretty sure not. The way to use that RBL is as an RBL. Don't accept 
the backscatter in the first place.


If you use the lists as an RBL to reject at SMTP, you will end up 
rejecting legitimate email. Here, I have the zones rsync to rbldnsd 
locally and have SA rules test the last external IP.


If you do it right, you are very unlikely to lose legitimate bounces.


I wasn't referring to legitimate bounces. I was referring to 
legitimate messages (non bounce). If I started using the 
backscatterer.org RBL's at SMTP time, guarantee I will get calls and 
several email messages asking why a message was rejected.



Backscatter.org is the worst RBL on the planet. If you use it you will 
get a lot of false positives.




Re: Backscatter.org used as RBL??

2009-08-05 Thread SpamAssassin
If anyone has an example config for sendmail to use the backscatter rbl at
smtp time please send it. I take a beating from backscatterers.

I would think you could do this with a macro that checks "mail from" and
triggers an rbl check on the ip. Sounds simple but my cf skills are barely
above trial and error.

Thanks,
Sean



Re: Backscatter.org used as RBL??

2009-08-05 Thread Ralf Hildebrandt
* Chris Owen :

> We've had machines listed in that list that don't even accept email.

Still, these can send out backscatter (send only boxes)

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: Backscatter.org used as RBL??

2009-08-05 Thread Chris Owen

On Aug 5, 2009, at 11:53 AM, d.h...@yournetplus.com wrote:

I wasn't referring to legitimate bounces. I was referring to
legitimate messages (non bounce). If I started using the
backscatterer.org RBL's at SMTP time, guarantee I will get calls and
several email messages asking why a message was rejected.


Yea, no way can backscatterer.org be used at SMTP time without serious  
FPs.  We use it but score it pretty low.


We've had machines listed in that list that don't even accept email.

Chris

-
Chris Owen - Garden City (620) 275-1900 -  Lottery (noun):
President  - Wichita (316) 858-3000 -A stupidity tax
Hubris Communications Inc  www.hubris.net
-






Re: Backscatter.org used as RBL??

2009-08-05 Thread d . hill

Quoting LuKreme :


On Aug 4, 2009, at 6:35, d.h...@yournetplus.com wrote:


Quoting LuKreme :


On 3-Aug-2009, at 18:36, Dennis G German wrote:

Is Backscatter.org used by any rules?


Pretty sure not. The way to use that RBL is as an RBL. Don't  
accept the backscatter in the first place.


If you use the lists as an RBL to reject at SMTP, you will end up  
rejecting legitimate email. Here, I have the zones rsync to rbldnsd  
locally and have SA rules test the last external IP.


If you do it right, you are very unlikely to lose legitimate bounces.


I wasn't referring to legitimate bounces. I was referring to
legitimate messages (non bounce). If I started using the
backscatterer.org RBL's at SMTP time, guarantee I will get calls and
several email messages asking why a message was rejected.




Re: Backscatter.org used as RBL??

2009-08-05 Thread LuKreme

On Aug 4, 2009, at 6:35, d.h...@yournetplus.com wrote:


Quoting LuKreme :


On 3-Aug-2009, at 18:36, Dennis G German wrote:
Is Backscatter.org used by any rules?


Pretty sure not. The way to use that RBL is as an RBL. Don't accept  
the backscatter in the first place.


If you use the lists as an RBL to reject at SMTP, you will end up  
rejecting legitimate email. Here, I have the zones rsync to rbldnsd  
locally and have SA rules test the last external IP.


If you do it right, you are very unlikely to lose legitimate bounces.








Re: Backscatter.org used as RBL??

2009-08-04 Thread d . hill

Quoting LuKreme :


On 3-Aug-2009, at 18:36, Dennis G German wrote:

Is Backscatter.org used by any rules?


Pretty sure not. The way to use that RBL is as an RBL. Don't accept  
the backscatter in the first place.


If you use the lists as an RBL to reject at SMTP, you will end up  
rejecting legitimate email. Here, I have the zones rsync to rbldnsd  
locally and have SA rules test the last external IP.




Re: Backscatter.org used as RBL??

2009-08-03 Thread LuKreme

On 3-Aug-2009, at 18:36, Dennis G German wrote:
Is Backscatter.org used by any rules?


Pretty sure not. The way to use that RBL is as an RBL. Don't accept  
the backscatter in the first place.



--
I got a question. If you guys know so much about women, how come
you're here at like the Gas 'n' Sip on a Saturday night
completely alone drinking beers with no women anywhere?