Re: blacklist based on authoritative nameservers of sender domain
On 08/22/2011 04:13 PM, Noah Meyerhans wrote:
> I've recently observed a fair amount of spam from domains that all
> share the same set of authoritative nameservers. It occurred to me
> that it might be nice to be able to blacklist mail from all domains
> sharing these nameservers, or maybe to simply have that trait count
> toward the spam score.

You can't do whois en masse (I'd love that, but ...), so this means an NS host lookup. To determine if they are authoritative, that's another lookup (which I don't believe is necessary). A blocklist would also be another lookup (if using a BL, it could check the authoritativeness), but I don't think that's completely necessary either.

Your plugin should create enough information for bayes and rules to access the data, say through a pseudoheader that can be explicitly added via template tags. Thus, you'd be able to write a rule that checks the pseudoheader for a problematic name server.

Here's a mockup pseudoheader and matching rule for an email that links spamassassin.org and example.net:

X-Spam-Uri-NS: [ dom=spamassassin.org ns=c.auth-ns.sonic.net ns=ns.hyperreal.org ns=b.auth-ns.sonic.net ns=a.auth-ns.sonic.net ] [ dom=example.net ns=b.iana-servers.net. ns=a.iana-servers.net ]

header LOCAL_USES_DNS_EXAMPLE_NET X-Spam-Uri-NS =~ / ns=[ab].iana-servers\.net /

I left out NS server IPs because that's even more DNS lookups. URIs are in order of appearance. NS order is not predictable (though I suppose we could asciibetize).

> I don't believe there's currently a plugin to allow this sort of
> thing. Is that correct? If so, would anybody be interested in one
> if I was to write it? Or am I missing something obvious that makes
> this not worth doing? I realize that the potential for collateral
> damage is high, so I don't think it'd be wise to try and publish any
> sort of data for such a plugin, but it seems like the plugin itself
> might be occasionally useful...

It might be useful, but we'd have to test it to know.
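The pseudoheader-plus-rule design sketched above, worked through as an added example (not code from the thread or from SpamAssassin itself). It assumes a constructed domain-to-NS table standing in for live NS lookups, asciibetizes the NS names as suggested so rules match regardless of resolver order, drops domains on a skip list, and scores SA-style regex rules against the resulting X-Spam-Uri-NS value instead of blocking outright.

```python
import re

# Constructed stand-in for NS lookups (offline). A real plugin would
# resolve each URI domain's NS records with the mail server's resolver.
URI_NS = {
    "spamassassin.org": ["c.auth-ns.sonic.net", "ns.hyperreal.org",
                         "b.auth-ns.sonic.net", "a.auth-ns.sonic.net"],
    "example.net": ["b.iana-servers.net.", "a.iana-servers.net"],
}


def normalize_ns(name):
    """Lower-case and strip the trailing dot so 'x.net.' and 'x.net' compare equal."""
    return name.lower().rstrip(".")


def build_pseudoheader(uri_domains, ns_table, skip=frozenset()):
    """Build the X-Spam-Uri-NS value: one [ dom=... ns=... ] group per URI
    domain, domains in order of appearance, NS names sorted (asciibetized)
    so a rule's regex matches regardless of the order the resolver returned."""
    groups = []
    for dom in uri_domains:
        if dom in skip or dom not in ns_table:
            continue  # skip-listed or unresolvable: nothing to report
        ns_names = sorted(set(normalize_ns(n) for n in ns_table[dom]))
        groups.append("[ dom=%s %s ]" % (dom, " ".join("ns=" + n for n in ns_names)))
    return " ".join(groups)


# Hypothetical local rules in the shape of the mockup header rule above:
# (rule name, regex applied to the pseudoheader, score contribution).
# Scores are small on purpose: NS sharing is a hint, not a verdict.
RULES = [
    ("LOCAL_USES_DNS_EXAMPLE_NET", r" ns=[ab]\.iana-servers\.net ", 0.5),
    ("LOCAL_USES_DNS_SONIC", r" ns=[a-c]\.auth-ns\.sonic\.net ", 0.1),
]


def score_header(header_value, rules=RULES):
    """Return (names of rules that hit, total score) for one pseudoheader."""
    hits = [(name, score) for name, rx, score in rules if re.search(rx, header_value)]
    return [name for name, _ in hits], sum(score for _, score in hits)


if __name__ == "__main__":
    hdr = build_pseudoheader(["spamassassin.org", "example.net"], URI_NS)
    print("X-Spam-Uri-NS:", hdr)
    print(score_header(hdr))
```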
Re: blacklist based on authoritative nameservers of sender domain
On 08/22, Adam Katz wrote:
> > this not worth doing? I realize that the potential for collateral
> > damage is high, so I don't think it'd be wise to try and publish any
> > sort of data for such a plugin, but it seems like the plugin itself
> > might be occasionally useful...
>
> It might be useful, but we'd have to test it to know.

I just wanted to point out we have the infrastructure for testing this, via mass-checks:
http://wiki.apache.org/spamassassin/NightlyMassCheck

You create the plugin and a blacklist, open a bug to get somebody to add it to trunk (the development branch of spamassassin), it gets run with mass-check, not only collecting stats on its effectiveness, but also calculating an optimal score to use for it.

The ASRG (anti-spam research group) may or may not be useful to talk to about new ways to deal with spam.

--
"The most elementary and valuable statement in science, the beginning of wisdom is: 'I do not know'." - Data, ST:TNG 2x2 Where Silence Has Lease
http://www.ChaosReigns.com
Re: blacklist based on authoritative nameservers of sender domain
On 8/22/11 7:13 PM, Noah Meyerhans wrote:
> I've recently observed a fair amount of spam from domains that all
> share the same set of authoritative nameservers.

postfix: check_sender_ns_access

--
Michael Scheidell, CTO
SECNAP Network Security Corporation
Re: blacklist based on authoritative nameservers of sender domain
On 2011-08-23 2:21, dar...@chaosreigns.com wrote:
> On 08/22, Adam Katz wrote:
> > > this not worth doing? I realize that the potential for collateral
> > > damage is high, so I don't think it'd be wise to try and publish any
> > > sort of data for such a plugin, but it seems like the plugin itself
> > > might be occasionally useful...
> >
> > It might be useful, but we'd have to test it to know.
>
> I just wanted to point out we have the infrastructure for testing this, via mass-checks:
> http://wiki.apache.org/spamassassin/NightlyMassCheck
>
> You create the plugin and a blacklist, open a bug to get somebody to add it to trunk (the development branch of spamassassin), it gets run with mass-check, not only collecting stats on its effectiveness, but also calculating an optimal score to use for it.
>
> The ASRG (anti-spam research group) may or may not be useful to talk to about new ways to deal with spam.

Create plugin? It's been in the URIBL plugin for quite a while. URIBL.com makes use of it: "URIBL_BLACK_NS"
http://www.uribl.com/usage.shtml
Re: blacklist based on authoritative nameservers of sender domain
On Mon, 22 Aug 2011 16:13:03 -0700, Noah Meyerhans wrote:
> I've recently observed a fair amount of spam from domains that all
> share the same set of authoritative nameservers.

1: make the plugin
2: add whitelist/skiplist, could ideally be urlbl_skip_domain that are used

commit code to sandbox testing or custom plugins page

for me i just think AS tracking number is more useful, but let's see :)

how would the plugin work compared to freemail ?
Re: blacklist based on authoritative nameservers of sender domain
On Tue, 23 Aug 2011 01:38:08 -0400, Michael Scheidell wrote:
> On 8/22/11 7:13 PM, Noah Meyerhans wrote:
> > I've recently observed a fair amount of spam from domains that all
> > share the same set of authoritative nameservers.
>
> postfix: check_sender_ns_access

if outright blocking is wanted (it's stupid)
Re: blacklist based on authoritative nameservers of sender domain
On 2011-08-23 7:38, Michael Scheidell wrote:
> On 8/22/11 7:13 PM, Noah Meyerhans wrote:
> > I've recently observed a fair amount of spam from domains that all
> > share the same set of authoritative nameservers.
>
> postfix: check_sender_ns_access

SA has this already... and more. Read into URIDNSBL.pm and AskDNS.pm; you can do LOTS of magic with them.
Re: blacklist based on authoritative nameservers of sender domain
At 16:52 22-08-2011, Adam Katz wrote:
> You can't do whois en masse (I'd love that, but ...), so this means an NS host lookup. To determine if they are authoritative, that's another lookup (which I don't believe is necessary). A blocklist would also be another lookup (if using a BL, it could check the authoritativeness), but I don't think that's completely necessary either.

You don't need to use Whois. You already have the data:

;; ANSWER SECTION:
apache.org.             1800    IN      A       140.211.11.131

;; AUTHORITY SECTION:
apache.org.             86398   IN      NS      ns2.no-ip.com.
apache.org.             86398   IN      NS      ns1.eu.bitnames.com.
apache.org.             86398   IN      NS      ns2.surfnet.nl.
apache.org.             86398   IN      NS      ns1.us.bitnames.com.

It's been a while since I tested this. If I recall correctly, it was prone to false positives. You might be able to do some scoring instead of blacklisting.

Regards,
-sm