Re: New DNS Black list, White List, Yellow List
Chris Santerre wrote:

> Aren't we dealing with a boolean data set? It's either spam or ham.
> Which you train your software to look for doesn't really matter.

Actually not. I look at email differently. I process 4 different grades of spam and 3 grades of ham. As to my Black/White/yellow listing there are 3 kinds of email. Ham, Spam, and yet to be determined. You pass on the ham, block the spam, and send the rest on to the next process to further evaluate it. Ultimately there are emails that end up undetermined and you pass them on to the end user. But in my mind there's a big difference between a message determined to be ham and a message that fails to be determined as spam.
RE: New DNS Black list, White List, Yellow List
> -Original Message-
> From: Ramprasad [mailto:[EMAIL PROTECTED]]
> Sent: Monday, July 24, 2006 7:08 AM
> To: Marc Perkel
> Cc: John Andersen; spamassassin-users
> Subject: Re: New DNS Black list, White List, Yellow List
>
> > An ISP would never be whitelisted anyhow. Whitelisting is for things
> > like banks and other institutions and organizations that produce no
> > spam. Yellowlisting is for ISPs so that they don't accidentally get
> > blacklisted. SPF is useless because few are using it due to the fact
> > that it just doesn't work.
>
> I too agree with your idea that we should start looking for ham in mails
> rather than looking for spam. This approach would help us tackle spam
> much more aggressively.

Aren't we dealing with a boolean data set? It's either spam or ham. Which you train your software to look for doesn't really matter.

Speaking from URIBL work:

1) Yes you need logins to identify users. And you need a group of great people in the project.
2) Certain listings do need expiration times.
3) Delist requests take up FAR more time than listings. Be ready to handle those.
4) The word "White" sends spammers frothing at the mouth. They will attempt to game your setup.
5) You need a whole infrastructure of mirrors if it goes real world live.
6) The hatred of the NY Yankees by Red Sox fans is ever increasing.

I wish you the best of luck in the project.

Chris Santerre
SysAdmin and SARE/URIBL ninja
http://www.uribl.com
http://www.rulesemporium.com
RE: New DNS Black list, White List, Yellow List
> -Original Message-
> From: Graham Murray [mailto:[EMAIL PROTECTED]
> Sent: Monday, July 24, 2006 7:44 AM
> To: users@spamassassin.apache.org
> Subject: Re: New DNS Black list, White List, Yellow List
>
> Ramprasad <[EMAIL PROTECTED]> writes:
>
> > A lot of banks/legitimate bulk email senders change their relay
> > server. Many reasons for that. The most common is that they use a
> > third party to relay their mails and these would keep changing
>
> Especially for banks and other high risk phishing targets, it
> would be much better if they did not do this. If all banks
> etc sent mail from a server whose IP address whose rDNS is
> xxx.bank.com and where xxx.bank.com resolves to the IP
> address from which the mail is sent, then it would be
> considerably easier to detect phishing and greatly improve
> the security for their customers.

Even if the banks used spf hardfail, it would at least stop phishing to ISPs and servers that knew about SPF. (You could bump SPF_HARDFAIL score to 15, or use spf to block offending connection right in postfix!)
Re: New DNS Black list, White List, Yellow List
Ramprasad <[EMAIL PROTECTED]> writes:

> A lot of banks/legitimate bulk email senders change their relay
> server. Many reasons for that. The most common is that they use a third
> party to relay their mails and these would keep changing

Especially for banks and other high risk phishing targets, it would be much better if they did not do this. If all banks etc sent mail from a server whose IP address whose rDNS is xxx.bank.com and where xxx.bank.com resolves to the IP address from which the mail is sent, then it would be considerably easier to detect phishing and greatly improve the security for their customers.
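The check described in the message above (the sending IP's reverse DNS falls under the bank's domain, and that name resolves forward to the same IP), as an added example that is not part of the original post. The `bank.example` names, the addresses and the injected `sample_*` resolvers are constructed so the block runs offline.

```python
import socket

def _ptr_lookup(ip):
    """Live PTR lookup; returns a list of host names (empty on failure)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except OSError:
        return []

def _addr_lookup(host):
    """Live forward lookup; returns the set of addresses for host."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except OSError:
        return set()

def fcrdns_matches(ip, claimed_domain, ptr=_ptr_lookup, fwd=_addr_lookup):
    """True only if some PTR name for ip is inside claimed_domain AND
    that same name resolves forward to ip again."""
    domain = claimed_domain.lower().rstrip(".")
    for name in ptr(ip):
        host = name.lower().rstrip(".")
        # Label-boundary match: "bank.example.evil.test" and
        # "notbank.example" must not pass as "bank.example".
        if host != domain and not host.endswith("." + domain):
            continue
        if ip in fwd(host):
            return True
    return False

# Constructed sample data (documentation address ranges, made-up names).
SAMPLE_PTR = {
    "192.0.2.10": ["mail1.bank.example."],
    "198.51.100.7": ["mail1.bank.example."],     # PTR set by the IP's owner
    "203.0.113.5": ["bank.example.evil.test."],  # look-alike name
}
SAMPLE_A = {
    "mail1.bank.example": {"192.0.2.10"},
    "bank.example.evil.test": {"203.0.113.5"},
}

def sample_ptr(ip):
    return SAMPLE_PTR.get(ip, [])

def sample_fwd(host):
    return SAMPLE_A.get(host, set())

def demo():
    return {ip: fcrdns_matches(ip, "bank.example", sample_ptr, sample_fwd)
            for ip in sorted(SAMPLE_PTR)}
```

The second sample address shows why the forward lookup matters: whoever controls an IP's reverse zone can publish any PTR name, but cannot make the bank's own zone point back at that IP.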
Re: New DNS Black list, White List, Yellow List
> An ISP would never be whitelisted anyhow. Whitelisting is for things
> like banks and other institutions and organizations that produce no
> spam. Yellowlisting is for ISPs so that they don't accidentally get
> blacklisted. SPF is useless because few are using it due to the fact
> that it just doesn't work.

I too agree with your idea that we should start looking for ham in mails rather than looking for spam. This approach would help us tackle spam much more aggressively.

But IMHO SPF works great and is much cleaner.

A lot of banks/legitimate bulk email senders change their relay server. Many reasons for that. The most common is that they use a third party to relay their mails and these would keep changing.

You would have to delist your whitelisted ip before some spammer gets those. And since the whitelist is exposed there is a greater potential for abuse here.

Thanks
Ram
Re: New DNS Black list, White List, Yellow List
On Sunday 23 July 2006 16:53, Marc Perkel wrote:

> . SPF is useless because few are using it due to the fact
> that it just doesn't work.

And how would your project fare under those evaluation rules?

Actually I find SPF starting to be used by some of my banks.

--
John Andersen
Re: New DNS Black list, White List, Yellow List
It *could* be an interesting project, but how long does an IP remain blacklisted?

The other problem is that although you may think the whitelist is where the accuracy is going to be there will be plenty of clueless sysadmins who will blindly block based on the blacklist regardless of how accurate it may or may not be

--
Mr Michele Neylon
Blacknight Solutions
Quality Business Hosting & Colocation
http://www.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 59 9164239
Re: New DNS Black list, White List, Yellow List
John Andersen wrote:

> On Sunday 23 July 2006 07:25, Brent Kennedy wrote:
>
> > But based on its current setup, spammers who probably
> > read this list, will most likely just feed good feedback about their mail
> > servers through those servers and corrupt the data.
>
> And spammers already sign up with every isp they can find and forward a few
> clean messages thru each one, then dump a huge load of spam till they get
> caught, and simply walk away from the account (usually with an unpaid bill).
> Ask any ISP abuse admin.
>
> That will serve to poison the whitelist, leaving it with nothing but a few
> corporate mailers, as every general purpose ISP will fall into the yellow
> list in short order.
>
> Similarly, the blacklist will be fairly useless, because the companies that
> specialize in spam-safe hosting can get a new IP in a heartbeat, and can
> rent IPs all over the world. When they move on, (and they move rather
> quickly) you are left with a list of IPs that "at one time" may have been
> used by a spammer.
>
> Finally, the blacklist does not solve any problem not already handled by
> SURBL, and the other black hole lists. The white list is fairly well handled
> by SPF. The Yellowlist is what you need SA for now, and this is unlikely to
> reduce that need in any significant way.
>
> To the extent there is any merit in it, it should be merged with SURBL.

An ISP would never be whitelisted anyhow. Whitelisting is for things like banks and other institutions and organizations that produce no spam. Yellowlisting is for ISPs so that they don't accidentally get blacklisted. SPF is useless because few are using it due to the fact that it just doesn't work.
Re: New DNS Black list, White List, Yellow List
On Sunday 23 July 2006 07:25, Brent Kennedy wrote:

> But based on its current setup, spammers who probably
> read this list, will most likely just feed good feedback about their mail
> servers through those servers and corrupt the data.

And spammers already sign up with every isp they can find and forward a few clean messages thru each one, then dump a huge load of spam till they get caught, and simply walk away from the account (usually with an unpaid bill). Ask any ISP abuse admin.

That will serve to poison the whitelist, leaving it with nothing but a few corporate mailers, as every general purpose ISP will fall into the yellow list in short order.

Similarly, the blacklist will be fairly useless, because the companies that specialize in spam-safe hosting can get a new IP in a heartbeat, and can rent IPs all over the world. When they move on, (and they move rather quickly) you are left with a list of IPs that "at one time" may have been used by a spammer.

Finally, the blacklist does not solve any problem not already handled by SURBL, and the other black hole lists. The white list is fairly well handled by SPF. The Yellowlist is what you need SA for now, and this is unlikely to reduce that need in any significant way.

To the extent there is any merit in it, it should be merged with SURBL.

--
John Andersen
Re: New DNS Black list, White List, Yellow List
Brent Kennedy wrote:

> I like the idea.. But based on its current setup, spammers who probably
> read this list, will most likely just feed good feedback about their mail
> servers through those servers and corrupt the data. You would need to have
> some sort of login and a way to track what was put in the database so if
> you determined that one of the users was corrupting the data, you could
> reverse what they did. Plus I don't see any method in there for people who
> have been blacklisted by mistake (I know it's rare) to get themselves off.
>
> I also think there should be some way to validate a user that's hard to
> cheat but not as hard on the host to verify. Maybe instead of a login, you
> could give them a hash that they put in their submission script that is
> then input into the mysql db. Just quickly validate the hash and drop that
> in the row next to the entry.
>
> -Brent

Anyone can use the lists but I'm only going to allow selected people to feed data into the database and those people will not include spammers. As to getting off the list, I'm working on that. For now they can email me.

The biggest benefit of this system isn't the black list. It's the white list and yellow list. The white list is what I think is going to be more accurate than the black list. Once a site is whitelisted then you don't have to run it through SA. That saves false positives and processor time. Right now about 1/3 of my incoming good email is whitelisted. With more data it could be 80% or more.

And - the yellow listing reduces false positives in all black lists. Once you see it's yellow listed you skip all blacklist tests. You still have to check it for spam, but it reduces FP on sites who are wrongly blacklisted.

I'm trying to promote a new mindset - not just looking for spam - but also looking for ham. You look for ham, you look for spam - and you run what's left through SA.
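The lookup order described in the message above (white list first, then yellow list, and blacklists only for senders on neither), as an added example that is not part of the original post or the project's code. The zone names and list contents are hypothetical, and `is_listed` stands in for the DNS A lookup a live deployment would make.

```python
import ipaddress

# Hypothetical zone names; the thread does not give the project's real zones.
WHITE_ZONE = "white.dnsl.example"
YELLOW_ZONE = "yellow.dnsl.example"
BLACK_ZONES = ["black.dnsl.example", "other-bl.example"]

def query_name(ip, zone):
    """DNS list convention for IPv4: reversed octets prepended to the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def triage(ip, is_listed):
    """Return (verdict, run_content_filter, names_queried).

    is_listed(name) -> bool stands in for a DNS A lookup of the list name.
    """
    queried = []

    def listed(zone):
        name = query_name(ip, zone)
        queried.append(name)
        return is_listed(name)

    if listed(WHITE_ZONE):
        return ("ham", False, queried)          # deliver, skip SpamAssassin
    if listed(YELLOW_ZONE):
        return ("undetermined", True, queried)  # skip every blacklist test
    if any(listed(z) for z in BLACK_ZONES):
        return ("spam", False, queried)         # reject
    return ("undetermined", True, queried)      # unknown sender: score it

# Constructed list contents for an offline run.
SAMPLE_LISTED = {
    "10.2.0.192.white.dnsl.example",     # 192.0.2.10: known-good sender
    "7.100.51.198.yellow.dnsl.example",  # 198.51.100.7: shared ISP relay
    "7.100.51.198.other-bl.example",     # ...wrongly listed on another list
    "5.113.0.203.black.dnsl.example",    # 203.0.113.5: spam source
}

def demo():
    ips = ("192.0.2.10", "198.51.100.7", "203.0.113.5", "192.0.2.99")
    return {ip: triage(ip, SAMPLE_LISTED.__contains__)[:2] for ip in ips}
```

The yellow-listed relay is also on a blacklist in the sample data, yet it is never rejected because no blacklist name is queried for it; it goes to content scoring instead.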
RE: New DNS Black list, White List, Yellow List
I like the idea.. But based on its current setup, spammers who probably read this list, will most likely just feed good feedback about their mail servers through those servers and corrupt the data. You would need to have some sort of login and a way to track what was put in the database so if you determined that one of the users was corrupting the data, you could reverse what they did. Plus I don't see any method in there for people who have been blacklisted by mistake (I know it's rare) to get themselves off.

I also think there should be some way to validate a user that's hard to cheat but not as hard on the host to verify. Maybe instead of a login, you could give them a hash that they put in their submission script that is then input into the mysql db. Just quickly validate the hash and drop that in the row next to the entry.

-Brent

Quote: "Have you ever sneezed so hard your arms hurt?"

-Original Message-
From: John Andersen [mailto:[EMAIL PROTECTED]
Sent: Saturday, July 22, 2006 9:53 PM
To: users@spamassassin.apache.org
Subject: Re: New DNS Black list, White List, Yellow List

On Saturday 22 July 2006 09:03, Marc Perkel wrote:

> Looking for people to try this out and for people who want to
> participate in this new project. These lists do block spam, but more
> importantly they are used to actively detect nonspam and reduce false
> positives. Here's the details. I'm looking for some partners to help
> feed data into the system as well as people to use it and let me know
> how well it works.
>
> http://wiki.ctyme.com/index.php/Spam_DNS_Lists

Quoting:
Unfortunately EFF can't get beyond listening to themselves echo their own opinion to understand that the concepts behind AOL/Goodmail are at least partially sound. The idea is to get the good email through.
--endquote.

Talk about echoing one's own opinion.

If your system is as well thought out as your championing of AOL it's unlikely to be worth my time.

--
John Andersen
Re: New DNS Black list, White List, Yellow List
John Andersen wrote:

> On Saturday 22 July 2006 09:03, Marc Perkel wrote:
>
> > Looking for people to try this out and for people who want to
> > participate in this new project. These lists do block spam, but more
> > importantly they are used to actively detect nonspam and reduce false
> > positives. Here's the details. I'm looking for some partners to help
> > feed data into the system as well as people to use it and let me know
> > how well it works.
> >
> > http://wiki.ctyme.com/index.php/Spam_DNS_Lists
>
> Quoting:
> Unfortunately EFF can't get beyond listening to themselves echo their own
> opinion to understand that the concepts behind AOL/Goodmail are at least
> partially sound. The idea is to get the good email through.
> --endquote.
>
> Talk about echoing one's own opinion.
>
> If your system is as well thought out as your championing of AOL it's
> unlikely to be worth my time.

I'm not defending AOL. I'm trying to eliminate the need for paid mail. And - I used to be EFF's sysadmin and I still support them and they are usually right on a lot of things but when it comes to spam - they are clueless.
Re: New DNS Black list, White List, Yellow List
On Saturday 22 July 2006 09:03, Marc Perkel wrote:

> Looking for people to try this out and for people who want to
> participate in this new project. These lists do block spam, but more
> importantly they are used to actively detect nonspam and reduce false
> positives. Here's the details. I'm looking for some partners to help
> feed data into the system as well as people to use it and let me know how
> well it works.
>
> http://wiki.ctyme.com/index.php/Spam_DNS_Lists

Quoting:
Unfortunately EFF can't get beyond listening to themselves echo their own opinion to understand that the concepts behind AOL/Goodmail are at least partially sound. The idea is to get the good email through.
--endquote.

Talk about echoing one's own opinion.

If your system is as well thought out as your championing of AOL it's unlikely to be worth my time.

--
John Andersen