Re: Spam Rats - does anyone know them?
>> On 09/04/09 2:35 PM, Matus UHLAR - fantomas uh...@fantomas.sk wrote:
>>> OK, I don't want to bitch, I'm searching for some valid information, mostly about their best practices.

On Thu, 2009-04-09 at 15:55 -0400, Neil Schwartzman wrote:
>> Well there certainly has been some discussion on the MAAWG senders' list about naming conventions and clarity or rDNS resolution HELO, and so on, and it is something *we* recommend to our certified and safelisted clients (beyond FQ rDNS, which is a requirement), but blocking on something that is far far far from an industry standard? I'd suggest that is silly at best, but do tell us how that works out for you, as the phrase goes.

On 09.04.09 15:06, McDonald, Dan wrote:
> I won't block on it alone, but if someone wants a whitelist entry, they have to have rDNS correct. And preferably an SPF or DKIM policy

seems not just correct but even satisfying some kind of best practices, which means not to mention your ISP, and apparently containing some mail, firewall or gateway prefix. Good to know for companies that host their MX pools by other providers.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
I feel like I'm diagonally parked in a parallel universe.
Re: Spam Rats - does anyone know them?
>> What I am complaining about is that the IP is reported to be dynamic because it does not have a hostname that follows some kind of sick rules.

On 09.04.09 01:28, Mark wrote:
> Their rules DO seem a mite odd:
>
>   Also remember, according to Best Practises, having a reverse DNS that appears to be part of your upstream provider is not good enough for an email server. adsl.23.204.205.upstream.com means that it is an IP address they are responsible for.
>
> 'Having a reverse DNS that appears to be part of your upstream provider' as opposed to what exactly? HELO? That's fixed easily enough. :) What they seem to say, if I read them correctly, is that they'll reject when it looks to be from a dynamic pool belonging to upstream.com.

Well, there's no adsl, no part of the IP, nothing that would indicate the address being dynamic. Generic, maybe. Dynamic, no way.

>> And if I'd send mail from a0.fantomas.cust.gts.sk, would it?
>
> Well, that's the thing, ain't it? As opposed to what? If your PTR were 'a0.fantomas.cust.gts.sk' and you sent mail with HELO 'fantomas.fantomas.sk'? More likely, they'd just reject on the 'cust' part, or the digits.

Their page does not say anything about the HELO string. The IP (of the format above; ok, let's say it's a0.fantomas.ba.cust.gts.sk) is now registered as dynamic and does not follow the reverse hostname naming convention.

>> Even if that record would be listed in SPF?
>
> SPF checks against the envelope-from domain part (or HELO, in certain circumstances). So, with SPF you could authorize 'a0.fantomas.cust.gts.sk' to send mail on behalf of 'fantomas.sk', but that will not prevent Spam Rats from identifying 'a0.fantomas.cust.gts.sk' as appearing to be part of your upstream provider; so they'd probably reject the connection anyway.

That's the question. I do not object to listing a spammer, but dynamic? naming convention? Will they block a host if it spams, if it sends mail from gmail.com and the hostname is qw-out-1920.google.com, which looks like their upstream provider?

OK, I don't want to bitch, I'm searching for some valid information, mostly about their best practices.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
99 percent of lawyers give the rest a bad name.
Re: Spam Rats - does anyone know them?
On Wed, 2009-04-08 at 23:49 +0200, mouss wrote:
> Matus UHLAR - fantomas wrote:
>> Even if that record would be listed in SPF?
>
> SPF again? any spammer can buy a domain and add arbitrary IPs to the SPF record. you know about fast flux, right?

You are thinking of SPF at the wrong layer. It is a non-repudiation tool. When I create an SPF record, I am asserting that anything that matches that policy is my responsibility. Whether you might want to whitelist (or blacklist!) anything matching that policy is a function of my perceived reputation to you. But at least it gives me a clue. There is no reason to send a DSN in response to a message that fails SPF. And there is no reason to accept a message on a whitelist if it fails SPF.

--
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com
Re: Spam Rats - does anyone know them?
On 09/04/09 2:35 PM, Matus UHLAR - fantomas uh...@fantomas.sk wrote:
> That's the question. I do not object to listing a spammer, but dynamic? naming convention? Will they block a host if it spams, if it sends mail from gmail.com and the hostname is qw-out-1920.google.com, which looks like their upstream provider?
>
> OK, I don't want to bitch, I'm searching for some valid information, mostly about their best practices.

Well there certainly has been some discussion on the MAAWG senders' list about naming conventions and clarity or rDNS resolution HELO, and so on, and it is something *we* recommend to our certified and safelisted clients (beyond FQ rDNS, which is a requirement), but blocking on something that is far far far from an industry standard? I'd suggest that is silly at best, but do tell us how that works out for you, as the phrase goes.

--
Neil Schwartzman
Director, Accreditation Security Standards
Certified | Safelist
Return Path Inc.
0142002038
Re: Spam Rats - does anyone know them?
BWA HAHAHAHA

Someone here isn't just using SA. Got a bounce saying I said a bad word. For the record, it wasn't me.

Microsoft Antigen for SMTP found a message matching a filter. The message is currently Purged.
Message: Re_ Spam Rats _ does anyone know them_
Filter name: KEYWORD= profanity: bitch;sexual discrimination: bitch
Sent from: Neil Schwartzman
Folder: SMTP Messages\Inbound
Location: psp/TRACYSV05

On 09/04/09 3:55 PM, Neil Schwartzman neil.schwartz...@returnpath.net wrote:
> On 09/04/09 2:35 PM, Matus UHLAR - fantomas uh...@fantomas.sk wrote:
>> That's the question. I do not object to listing a spammer, but dynamic? naming convention? Will they block a host if it spams, if it sends mail from gmail.com and the hostname is qw-out-1920.google.com, which looks like their upstream provider?
>>
>> OK, I don't want to bitch, I'm searching for some valid information, mostly about their best practices.
>
> Well there certainly has been some discussion on the MAAWG senders' list about naming conventions and clarity or rDNS resolution HELO, and so on, and it is something *we* recommend to our certified and safelisted clients (beyond FQ rDNS, which is a requirement), but blocking on something that is far far far from an industry standard? I'd suggest that is silly at best, but do tell us how that works out for you, as the phrase goes.

--
Neil Schwartzman
Director, Accreditation Security Standards
Certified | Safelist
Return Path Inc.
0142002038
Re: Spam Rats - does anyone know them?
On Thu, 2009-04-09 at 15:55 -0400, Neil Schwartzman wrote:
> On 09/04/09 2:35 PM, Matus UHLAR - fantomas uh...@fantomas.sk wrote:
>> That's the question. I do not object to listing a spammer, but dynamic? naming convention? Will they block a host if it spams, if it sends mail from gmail.com and the hostname is qw-out-1920.google.com, which looks like their upstream provider?
>>
>> OK, I don't want to bitch, I'm searching for some valid information, mostly about their best practices.
>
> Well there certainly has been some discussion on the MAAWG senders' list about naming conventions and clarity or rDNS resolution HELO, and so on, and it is something *we* recommend to our certified and safelisted clients (beyond FQ rDNS, which is a requirement), but blocking on something that is far far far from an industry standard? I'd suggest that is silly at best, but do tell us how that works out for you, as the phrase goes.

I won't block on it alone, but if someone wants a whitelist entry, they have to have rDNS correct. And preferably an SPF or DKIM policy

--
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com
Re: Spam Rats - does anyone know them?
On 09/04/09 4:06 PM, McDonald, Dan dan.mcdon...@austinenergy.com wrote:
> I won't block on it alone, but if someone wants a whitelist entry, they have to have rDNS correct. And preferably an SPF or DKIM policy

Well, a Sender ID-compliant SPF record has long been a requirement for our Certified and Safelist whitelists, and we are rolling out DKIM as a requirement sometime this year.

--
Neil Schwartzman
Director, Accreditation Security Standards
Certified | Safelist
Return Path Inc.
0142002038
Re: Spam Rats - does anyone know them?
McDonald, Dan wrote:
> On Wed, 2009-04-08 at 23:49 +0200, mouss wrote:
>> Matus UHLAR - fantomas wrote:
>>> Even if that record would be listed in SPF?
>>
>> SPF again? any spammer can buy a domain and add arbitrary IPs to the SPF record. you know about fast flux, right?
>
> You are thinking of SPF at the wrong layer.

No, I am not. I was saying that the fact that one sets up an SPF record doesn't mean he can use generic hostnames. maybe I was too concise.

> It is a non-repudiation tool. When I create an SPF record, I am asserting that anything that matches that policy is my responsibility.

Unfortunately, this is not the general case. or more precisely, people claim responsibility too easily. yes, I do use SPF statically (static whitelisting of IPs after I checked their info, or via whitelist_from_* in SA).

> Whether you might want to whitelist (or blacklist!) anything matching that policy is a function of my perceived reputation to you. But at least it gives me a clue. There is no reason to send a DSN in response to a message that fails SPF. And there is no reason to accept a message on a whitelist if it fails SPF.

I don't check SPF at smtp time. so it is theoretically possible that I return a bounce (disk full or so) but this shouldn't happen. and if it does, it will be fixed, without regard to SPF. the rationale is:
- bad bounces shouldn't be sent even if the domain has no SPF record
- if things are done right, bad bounces should rarely occur.
Re: Spam Rats - does anyone know them?
Matus UHLAR - fantomas wrote:
>>> What I am complaining about is that the IP is reported to be dynamic because it does not have a hostname that follows some kind of sick rules.
>
> On 09.04.09 01:28, Mark wrote:
>> Their rules DO seem a mite odd:
>>
>>   Also remember, according to Best Practises, having a reverse DNS that appears to be part of your upstream provider is not good enough for an email server. adsl.23.204.205.upstream.com means that it is an IP address they are responsible for.
>>
>> 'Having a reverse DNS that appears to be part of your upstream provider' as opposed to what exactly? HELO? That's fixed easily enough. :) What they seem to say, if I read them correctly, is that they'll reject when it looks to be from a dynamic pool belonging to upstream.com.
>
> Well, there's no adsl, no part of the IP, nothing that would indicate the address being dynamic. Generic, maybe. Dynamic, no way.
>
>>> And if I'd send mail from a0.fantomas.cust.gts.sk, would it?
>>
>> Well, that's the thing, ain't it? As opposed to what? If your PTR were 'a0.fantomas.cust.gts.sk' and you sent mail with HELO 'fantomas.fantomas.sk'? More likely, they'd just reject on the 'cust' part, or the digits.
>
> Their page does not say anything about the HELO string. The IP (of the format above; ok, let's say it's a0.fantomas.ba.cust.gts.sk) is now registered as dynamic and does not follow the reverse hostname naming convention.
>
>>> Even if that record would be listed in SPF?
>>
>> SPF checks against the envelope-from domain part (or HELO, in certain circumstances). So, with SPF you could authorize 'a0.fantomas.cust.gts.sk' to send mail on behalf of 'fantomas.sk', but that will not prevent Spam Rats from identifying 'a0.fantomas.cust.gts.sk' as appearing to be part of your upstream provider; so they'd probably reject the connection anyway.
>
> That's the question. I do not object to listing a spammer, but dynamic? naming convention? Will they block a host if it spams, if it sends mail from gmail.com and the hostname is qw-out-1920.google.com, which looks like their upstream provider?
>
> OK, I don't want to bitch, I'm searching for some valid information, mostly about their best practices.

the thing is: use your own name. avoid a name that may be used by a spammer. let's take an example. look at:

  mon75-10-82-239-111-76.fbx.proxad.net.

This is a generic IP. such names are used both for static and dynamic IPs. and spam gets out of such hosts, be they static or dynamic (it really doesn't matter). In short, the fact that it is dynamic or not is irrelevant.

now, if you get spam from such hosts, you want to get info about the host. if it is 82.239.111.75, you do

$ host 82.239.111.75
75.111.239.82.in-addr.arpa domain name pointer ouzoud.netoyen.net.

you could either contact me or block my domain. but if you get mail from *.$isp, you can contact the isp (good luck) or block a large part (IP or domain).

BTW google for enemies list. it is used by some sites. (but it should be safer than magiclinux...)
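The distinction mouss draws above (a name that identifies the sender versus a name that merely encodes the ISP's address space, regardless of whether the pool is static or dynamic) is easy to turn into a receiving-side check. The following is an added example written for this page, not code from the thread, from SpamAssassin or from Spam Rats: it classifies a client IP's PTR name as own-name, provider-generic, IP-encoded (octets or hex form in the name), unconfirmed (PTR does not resolve back to the IP) or missing. The DNS data is a constructed in-memory table standing in for real PTR and A lookups; the `POOL_TOKENS` list and the three-of-four-octets threshold are this example's own assumptions, and the hex-encoded case goes beyond the thread's examples.

```python
"""Classify a connecting SMTP client's reverse DNS name: own name, provider-generic,
IP-encoded, unconfirmed, or missing. Constructed DNS data stands in for live lookups."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed stand-in for PTR and A lookups (assumption: not real zone data).
PTR_RECORDS: Dict[str, Optional[str]] = {
    "82.239.111.75": "ouzoud.netoyen.net",                     # own name
    "82.239.111.76": "mon75-10-82-239-111-76.fbx.proxad.net",  # octets in the name
    "82.239.111.77": "ip-52ef6f4d.example.net",                # hex-encoded IP
    "205.204.23.10": "adsl.23.204.205.upstream.com",           # three octets, reversed
    "192.0.2.25": "a0.fantomas.ba.cust.gts.sk",                # provider namespace, no IP
    "192.0.2.26": "fantomas.fantomas.sk",                      # own name
    "192.0.2.27": None,                                        # no PTR at all
    "192.0.2.28": "mail.example.com",                          # PTR whose A record points elsewhere
}
A_RECORDS: Dict[str, Set[str]] = {
    "ouzoud.netoyen.net": {"82.239.111.75"},
    "mon75-10-82-239-111-76.fbx.proxad.net": {"82.239.111.76"},
    "ip-52ef6f4d.example.net": {"82.239.111.77"},
    "adsl.23.204.205.upstream.com": {"205.204.23.10"},
    "a0.fantomas.ba.cust.gts.sk": {"192.0.2.25"},
    "fantomas.fantomas.sk": {"192.0.2.26"},
    "mail.example.com": {"198.51.100.9"},
}

# Labels ISPs commonly use for customer pools (assumed list); one suggests a provider-assigned name.
POOL_TOKENS = {"adsl", "dsl", "dyn", "dynamic", "dhcp", "dial", "dialup", "pool",
               "ppp", "cable", "cust", "customer", "client", "static"}


@dataclass
class RdnsVerdict:
    ip: str
    ptr: Optional[str]
    fcrdns: bool            # forward-confirmed: the PTR name resolves back to the IP
    ip_encoded: bool        # the IP's octets (or its 8-hex-digit form) appear in the name
    pool_token: Optional[str]

    @property
    def label(self) -> str:
        if self.ptr is None:
            return "no-ptr"
        if not self.fcrdns:
            return "ptr-unconfirmed"
        if self.ip_encoded:
            return "ip-encoded"
        if self.pool_token:
            return "provider-generic"
        return "own-name"


def ip_in_name(ptr: str, ip: str) -> bool:
    """True if at least three of the four octets, or the hex form of the IP, appear in the name."""
    octets = ip.split(".")
    runs = {r.lstrip("0") or "0" for r in re.findall(r"\d+", ptr)}   # "082" -> "82"
    if sum(1 for o in octets if o in runs) >= 3:
        return True
    hex_form = "".join(f"{int(o):02x}" for o in octets)             # 82.239.111.77 -> 52ef6f4d
    return hex_form in ptr.lower()


def pool_label(ptr: str) -> Optional[str]:
    """Return the first label that, with trailing digits removed, is a known pool token."""
    for label in re.split(r"[.\-_]", ptr.lower()):
        bare = label.rstrip("0123456789")
        if bare in POOL_TOKENS:
            return bare
    return None


def classify(ip: str) -> RdnsVerdict:
    ptr = PTR_RECORDS.get(ip)
    if ptr is None:
        return RdnsVerdict(ip, None, False, False, None)
    fcrdns = ip in A_RECORDS.get(ptr, set())
    return RdnsVerdict(ip, ptr, fcrdns, ip_in_name(ptr, ip), pool_label(ptr))


def whitelist_eligible(verdict: RdnsVerdict) -> bool:
    """Policy as discussed in the thread: never block on the name alone, but a whitelist
    entry requires a forward-confirmed PTR that names the sender rather than the ISP."""
    return verdict.label == "own-name"


if __name__ == "__main__":
    for client_ip in PTR_RECORDS:
        v = classify(client_ip)
        print(f"{client_ip:15} {v.ptr or '-':42} {v.label:16} whitelist_ok={whitelist_eligible(v)}")
```

Note that the verdict is only a label; turning it into a reject, a score or a whitelist requirement is the receiving site's policy decision, and the thread's own advice is to use it for the last two rather than the first.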
Re: Spam Rats - does anyone know them?
Matus,

Dropping mail outright because you can't reverse-resolve the mail server is bad, of course. And it /will/ drop messages from legitimate mail servers, especially those on private networks behind mail proxies, as many older Exchange installations are configured. And those installations aren't configured wrongly, in the strictest sense.

Unfortunately, determining which messages are spam is a hard problem. What's more unfortunate is that a lot of admins refuse to deal with hard problems and want an easy solution. Dropping messages outright that don't reverse-resolve is one such easy solution.

You are ultimately forced to follow rules like these if you want to mitigate the risks of your mail being classified as spam. Even in the case where SpamAssassin users assign a value to mail that arrives from machines that don't have reverse DNS, you'll want to ensure that your mail is coming from hosts that have proper reverse DNS entries.

Best,
Jesse

Matus UHLAR - fantomas wrote:
> Hello,
> our customer reported being listed in the SpamRats blacklist. I would accept this if they were spamming; however, it means that SpamRats have a braindead method to detect dynamic IP addresses and requirements for removing them.
>
> http://www.linuxmagic.com/best_practices/check_ip_reverse_dns.html
>
> Is anyone familiar with that blacklist?
Re: Spam Rats - does anyone know them?
On 08.04.09 10:45, Jesse Stroik wrote:
> Dropping mail outright because you can't reverse-resolve the mail server is bad, of course. And it /will/ drop messages from legitimate mail servers, especially those on private networks behind mail proxies, as many older Exchange installations are configured. And those installations aren't configured wrongly, in the strictest sense.

Just FYI, the IP _does_ have a _correct_ reverse DNS entry. I wouldn't complain if it did not. Yes, the entry is generic, however _not_ dynamic in any way.

However you know the

What I am complaining about is that the IP is reported to be dynamic because it does not have a hostname that follows some kind of sick rules.

If I send mail from host fantomas.fantomas.sk, does it follow the rules?
If I send mail from fantomas.test.nextra.sk, does it follow the rules?
If I send mail from smtp.nextra.sk, does it?
And if I'd send mail from a0.fantomas.cust.gts.sk, would it?
Even if that record would be listed in SPF?

I guess that marking an address as dynamic just because the hostname does not start with firewall, mail or WTF is braindead.

> Unfortunately, determining which messages are spam is a hard problem.

I know there are problems defining if messages are spam. However, this way spamrats is creating another problem.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
They say when you play that M$ CD backward you can hear satanic messages. That's nothing. If you play it forward it will install Windows.
Re: Spam Rats - does anyone know them?
Matus UHLAR - fantomas wrote:
> our customer reported being listed in the SpamRats blacklist.

What was that IP?

--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
Re: Spam Rats - does anyone know them?
Matus UHLAR - fantomas wrote:
> On 08.04.09 10:45, Jesse Stroik wrote:
>> Dropping mail outright because you can't reverse-resolve the mail server is bad, of course. And it /will/ drop messages from legitimate mail servers, especially those on private networks behind mail proxies, as many older Exchange installations are configured. And those installations aren't configured wrongly, in the strictest sense.
>
> Just FYI, the IP _does_ have a _correct_ reverse DNS entry. I wouldn't complain if it did not. Yes, the entry is generic, however _not_ dynamic in any way.

devil's advocate: and why not set an identifiable name? I mean, I could also send mail that triggers a lot of SA rules and come complain that it gets blocked while it is not spam... /!$1

If I never get ham from ns\d+\.ovh\.net and get a lot of junk from some of such hosts, what do you think I am going to do?

Anyway, can you disclose the IP so that we see if the name is really bad?

> However you know the
>
> What I am complaining about is that the IP is reported to be dynamic because it does not have a hostname that follows some kind of sick rules.
>
> If I send mail from host fantomas.fantomas.sk, does it follow the rules?
> If I send mail from fantomas.test.nextra.sk, does it follow the rules?
> If I send mail from smtp.nextra.sk, does it?
> And if I'd send mail from a0.fantomas.cust.gts.sk, would it?

linuxmagic.com is commercial. so we have no idea how they really do their stuff. just ignore it. complain to the admin who blocked your mail instead.

> Even if that record would be listed in SPF?

SPF again? any spammer can buy a domain and add arbitrary IPs to the SPF record. you know about fast flux, right?

> I guess that marking an address as dynamic just because the hostname does not start with firewall, mail or WTF is braindead.

their terminology is wrong. what they probably mean is generic name, not dynamic.

>> Unfortunately, determining which messages are spam is a hard problem.
>
> I know there are problems defining if messages are spam. However, this way spamrats is creating another problem.
RE: Spam Rats - does anyone know them?
> -----Original Message-----
> From: Matus UHLAR - fantomas [mailto:uh...@fantomas.sk]
> Sent: Wednesday 8 April 2009 18:00
> To: users@spamassassin.apache.org
> Subject: Re: Spam Rats - does anyone know them?
>
> What I am complaining about is that the IP is reported to be dynamic because it does not have a hostname that follows some kind of sick rules.

Their rules DO seem a mite odd:

  Also remember, according to Best Practises, having a reverse DNS that appears to be part of your upstream provider is not good enough for an email server. adsl.23.204.205.upstream.com means that it is an IP address they are responsible for.

'Having a reverse DNS that appears to be part of your upstream provider' as opposed to what exactly? HELO? That's fixed easily enough. :) What they seem to say, if I read them correctly, is that they'll reject when it looks to be from a dynamic pool belonging to upstream.com.

> If I send mail from host fantomas.fantomas.sk, does it follow the rules?

As mouss already said, without knowing what the PTR in question is, it's hard to answer this. Looking at your email, I'd say 'fantomas.fantomas.sk' should be okay. It neatly resolves to your IP address, and back; and it's how you identify yourself in HELO.

> And if I'd send mail from a0.fantomas.cust.gts.sk, would it?

Well, that's the thing, ain't it? As opposed to what? If your PTR were 'a0.fantomas.cust.gts.sk' and you sent mail with HELO 'fantomas.fantomas.sk'? More likely, they'd just reject on the 'cust' part, or the digits.

> Even if that record would be listed in SPF?

SPF checks against the envelope-from domain part (or HELO, in certain circumstances). So, with SPF you could authorize 'a0.fantomas.cust.gts.sk' to send mail on behalf of 'fantomas.sk', but that will not prevent Spam Rats from identifying 'a0.fantomas.cust.gts.sk' as appearing to be part of your upstream provider; so they'd probably reject the connection anyway.

- Mark
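Mark's last paragraph makes the point the whole thread circles around: SPF is evaluated against the envelope-from domain (or the HELO name when the reverse-path is empty), so a record for 'fantomas.sk' can authorize the host behind 'a0.fantomas.cust.gts.sk' without saying anything about how that PTR name looks. The following is an added example, not code from the thread or from any SPF library: a minimal evaluator for the ip4/ip6/a/mx/include/all mechanisms of RFC 7208 run over constructed, in-memory TXT, A and MX data (an assumption standing in for DNS; the records, the 192.0.2.0/28 range and the example.org domain are made up for the demonstration). Modifiers such as redirect= and exp= are deliberately not handled and yield permerror.

```python
"""Minimal SPF (RFC 7208) evaluator over constructed DNS data, to show which identity
SPF checks: the envelope-from domain, or the HELO name for a null reverse-path."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed zone data (assumption: stands in for TXT, A and MX lookups; not real records).
TXT_RECORDS: Dict[str, str] = {
    "fantomas.sk": "v=spf1 ip4:192.0.2.0/28 a:a0.fantomas.cust.gts.sk -all",
    "fantomas.fantomas.sk": "v=spf1 a -all",          # used when MAIL FROM is <> (HELO identity)
    "example.org": "v=spf1 include:fantomas.sk ~all",
    "gts.sk": "v=spf1 mx -all",
}
A_RECORDS: Dict[str, List[str]] = {
    "a0.fantomas.cust.gts.sk": ["192.0.2.25"],        # the host with the "generic" PTR name
    "fantomas.fantomas.sk": ["192.0.2.25"],
    "mx1.gts.sk": ["198.51.100.7"],
}
MX_RECORDS: Dict[str, List[str]] = {"gts.sk": ["mx1.gts.sk"]}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip: str, domain: str, depth: int = 0) -> str:
    """Evaluate the sender IP against domain's policy; returns an RFC 7208 result string."""
    if depth > 10:                                   # RFC 7208 caps recursive lookups
        return "permerror"
    record = TXT_RECORDS.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"                              # mechanisms default to "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # an IPv4 address is never inside an IPv6 network and vice versa
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in A_RECORDS.get(arg or domain, [])
        elif mech == "mx":
            matched = any(ip in A_RECORDS.get(h, []) for h in MX_RECORDS.get(arg or domain, []))
        elif mech == "include":
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:                                        # modifiers and unknown mechanisms
            return "permerror"
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                                 # nothing matched and no explicit "all"


def spf_identity(mail_from: str, helo: str) -> str:
    """RFC 7208 checks the MAIL FROM domain; for a null reverse-path (<>) it falls back to HELO."""
    if mail_from in ("", "<>"):
        return helo.lower()
    return mail_from.strip("<>").rpartition("@")[2].lower()


def evaluate(ip: str, helo: str, mail_from: str) -> Tuple[str, str]:
    """Return (identity checked, SPF result). The client's PTR name plays no part in this."""
    identity = spf_identity(mail_from, helo)
    return identity, check_spf(ip, identity)


if __name__ == "__main__":
    # 192.0.2.25 is the host whose constructed PTR is a0.fantomas.cust.gts.sk; the
    # addresses below are constructed for the demonstration.
    for helo, mail_from in [("fantomas.fantomas.sk", "<user@fantomas.sk>"),
                            ("fantomas.fantomas.sk", "<>"),
                            ("fantomas.fantomas.sk", "<someone@example.org>")]:
        print(helo, mail_from, evaluate("192.0.2.25", helo, mail_from))
```

Running it shows all three cases passing for 192.0.2.25 while the same client from 203.0.113.9 fails, softfails or is rejected by the HELO policy; in none of the cases does the evaluator look at the PTR, which is exactly why an SPF pass does not change how a name-based list such as the one discussed here treats the connection.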