Re: Scoring by registrar?

2019-07-01 Thread Grant Taylor

On 7/1/19 4:32 PM, Sean Lynch wrote:
I think fast flux came up in reference to a speculation I'd made 
regarding why the spammers were using their own nameservers rather than 
Namecheap's.


Ah.

I don't think it's particularly off-base to refer to rapid registration 
of new domains as fast flux.


I can't agree to that.

Fast Flux is a technique used within a given domain name.  Not something 
that is done across domain names.


Infoblox has a good article that refers to changing IPs behind a domain. 
This is decidedly not multiple domain names.


Link - What is a Fast Flux?
 - https://www.infoblox.com/glossary/fast-flux/

As for rapidly registering domains, I'm seeing an average of 106,608 new 
domains registered a day.  So, even if a bad actor registers 1,000 new 
domains, that's only 1% of the overall daily registration.


In fact, I'm pretty sure support for this, and slowness in taking down 
domains (though they do often take them down eventually at least), 
are why Namecheap is so popular.


That may very well be the case.  But I think that "fast flux" is the 
wrong term for it.


As I mentioned, filtering using fresh.fmb.la catches about 1/3 of the 
domains. Fortunately, since they're actually using their own servers and 
not a botnet, blocking their netblock catches the rest, though it's not 
my preference since it will cause collateral damage (even though 
registering with dnswl.org is an easy way around that), it's manual, and 
it only helps my 3 users. Incentivizing Namecheap to move faster on 
these would benefit a lot more people.


ACK



--
Grant. . . .
unix || die





Re: Scoring by registrar?

2019-07-01 Thread Sean Lynch




On 7/1/19 3:13 PM, Grant Taylor wrote:

On 7/1/19 6:44 AM, micah anderson wrote:

This sounds like Fast Flux


How is this fast flux?

I thought fast flux was rapidly updating A records on the DNS server 
(for a given qname) or updating NS records with the registrar for a 
single given domain.


It sounds to me like Sean was talking about wanting to identify which of 
many domains had a common registrar.  This doesn't sound like fast 
flux—as I understand it—to me.



Having such a list would be very helpful for dealing with fast flux.


How is what the OP's talking about related to fast flux?


I think fast flux came up in reference to a speculation I'd made 
regarding why the spammers were using their own nameservers rather than 
Namecheap's. I don't think it's particularly off-base to refer to rapid 
registration of new domains as fast flux. In fact, I'm pretty sure 
support for this, and slowness in taking down domains (though they do 
often take them down eventually at least), are why Namecheap is so popular.


As I mentioned, filtering using fresh.fmb.la catches about 1/3 of the 
domains. Fortunately, since they're actually using their own servers and 
not a botnet, blocking their netblock catches the rest, though it's not 
my preference since it will cause collateral damage (even though 
registering with dnswl.org is an easy way around that), it's manual, and 
it only helps my 3 users. Incentivizing Namecheap to move faster on 
these would benefit a lot more people.


Re: Scoring by registrar?

2019-07-01 Thread Grant Taylor

On 7/1/19 6:44 AM, micah anderson wrote:

This sounds like Fast Flux


How is this fast flux?

I thought fast flux was rapidly updating A records on the DNS server 
(for a given qname) or updating NS records with the registrar for a 
single given domain.


It sounds to me like Sean was talking about wanting to identify which of 
many domains had a common registrar.  This doesn't sound like fast 
flux—as I understand it—to me.



Having such a list would be very helpful for dealing with fast flux.


How is what the OP's talking about related to fast flux?



--
Grant. . . .
unix || die





Re: Scoring by registrar?

2019-07-01 Thread Paul Stead
On Mon, 1 Jul 2019 at 16:17, RW wrote:

>
> On the site they have:
>
> Query   ResponseNameMeaning
> domain  127.2.0.2   fresh   Domain registered in last 7 days
> domain  127.2.0.14  fresh14 Domain registered in last 7-14 days
>
> there's no mention of the 127.2.0.28 result, but from the previous line
> it looks like NEWDOM28 would be 14-28.
>
>
This. I've updated the site to reflect the 127.2.0.28 return (NEWDOM28)

Paul


Re: Scoring by registrar?

2019-07-01 Thread RW
On Mon, 01 Jul 2019 07:45:23 -0700
Sean Lynch wrote:

> On July 1, 2019 7:22:58 AM PDT, micah anderson wrote:
> >Sean Lynch writes:
> >  
> >>>Having such a list would be very helpful for dealing with fast
> >>>flux.  
> >>
> >> SA already has this. It used fresh.fmb.la to detect domains  
> >registered within the past couple of weeks.
> >
> >It does? Do I need to enable something to get that?  
> 
> I got the test via sa-update, and it's a network check so they have
> to be enabled. It's the FROM_FMBLA_NEWDOM, FROM_FMBLA_NEWDOM14, and
> FROM_FMBLA_NEWDOM28 rules. Though since fresh.fmb.la only returns 0-7
> days and 7-14 days and I've only seen NEWDOM and NEWDOM28 fire I
> think NEWDOM28 may actually mean 7-14 days. Or the fresh.fmb.la docs
> are out of date. The maintainer is on this list and can probably
> comment.

On the site they have:

Query   ResponseNameMeaning
domain  127.2.0.2   fresh   Domain registered in last 7 days
domain  127.2.0.14  fresh14 Domain registered in last 7-14 days

there's no mention of the 127.2.0.28 result, but from the previous line
it looks like NEWDOM28 would be 14-28.
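Editor's added example (not code from the thread, from SpamAssassin or from fresh.fmb.la): a small Python decoder for the RHSBL answers tabulated above, including the 127.2.0.28 bucket that Paul confirmed further up as NEWDOM28 (14-28 days). The pairing of the three return codes with the FROM_FMBLA_NEWDOM, FROM_FMBLA_NEWDOM14 and FROM_FMBLA_NEWDOM28 rule names, the score weights and the .icu bump are assumptions for illustration, and the resolver answers are constructed so the example runs offline.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

FRESH_ZONE = "fresh.fmb.la"
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Return codes and meanings as quoted in this thread (127.2.0.2 and 127.2.0.14
# from the site's table, 127.2.0.28 as confirmed by the list maintainer).
# The pairing with SpamAssassin's FROM_FMBLA_NEWDOM* rule names is an
# assumption based on the rule names; check the rules sa-update installed.
FRESH_CODES: Dict[str, tuple] = {
    "127.2.0.2":  ("fresh",    "registered in the last 7 days", "FROM_FMBLA_NEWDOM"),
    "127.2.0.14": ("fresh14",  "registered 7-14 days ago",      "FROM_FMBLA_NEWDOM14"),
    "127.2.0.28": ("NEWDOM28", "registered 14-28 days ago",     "FROM_FMBLA_NEWDOM28"),
}

# A resolver maps a query name to the A records returned (empty list = NXDOMAIN).
Resolver = Callable[[str], List[str]]


def query_name(domain: str) -> str:
    """RHSBL convention: the lower-cased, undotted domain is prepended to the zone."""
    return domain.strip().rstrip(".").lower() + "." + FRESH_ZONE


def classify(domain: str, resolve: Resolver) -> Optional[dict]:
    """Decode the zone's answer for one domain; None means not listed.

    Any answer outside 127.0.0.0/8 is treated as a broken or hijacked resolver
    (ISP NXDOMAIN redirection would otherwise mark every domain as 'fresh'),
    so it raises instead of silently scoring.  Loopback codes we do not know
    are ignored so a new bucket added by the zone operator cannot misfire.
    """
    for answer in resolve(query_name(domain)):
        if ipaddress.ip_address(answer) not in LOOPBACK:
            raise RuntimeError(f"non-loopback RHSBL answer {answer} for {domain}: resolver hijack?")
        if answer in FRESH_CODES:
            name, meaning, rule = FRESH_CODES[answer]
            return {"code": answer, "name": name, "meaning": meaning, "rule": rule}
    return None


# Constructed local weights, not SpamAssassin's shipped scores: a base per rule
# plus a bump for a TLD the operator has seen abused, mirroring the thread's
# "recently registered .icu always goes to junk" policy.
BASE_SCORE = {"FROM_FMBLA_NEWDOM": 1.5, "FROM_FMBLA_NEWDOM14": 1.0, "FROM_FMBLA_NEWDOM28": 0.5}
TLD_BUMP = {"icu": 5.0}


def score(domain: str, resolve: Resolver) -> float:
    """Score contribution for the sender domain (0.0 when not listed)."""
    hit = classify(domain, resolve)
    if hit is None:
        return 0.0
    tld = domain.strip().rstrip(".").rsplit(".", 1)[-1].lower()
    return BASE_SCORE[hit["rule"]] + TLD_BUMP.get(tld, 0.0)


# Constructed sample answers so the example runs offline; no DNS traffic is sent.
SAMPLE_ANSWERS = {
    "newly-minted-shop.icu.fresh.fmb.la": ["127.2.0.2"],
    "twoweeks.example.fresh.fmb.la":      ["127.2.0.14"],
    "lastmonth.example.fresh.fmb.la":     ["127.2.0.28"],
    "established.example.fresh.fmb.la":   [],
}


def sample_resolve(qname: str) -> List[str]:
    return SAMPLE_ANSWERS.get(qname, [])


if __name__ == "__main__":
    for d in ("Newly-Minted-Shop.icu", "twoweeks.example", "lastmonth.example", "established.example"):
        print(f"{d:25} {classify(d, sample_resolve)}  score={score(d, sample_resolve)}")
```

In production the resolver is a real DNS lookup of `<domain>.fresh.fmb.la`; the non-loopback check matters because some ISP resolvers rewrite NXDOMAIN into a search-page address, which an unguarded decoder would read as "listed" for every domain.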







Re: Scoring by registrar?

2019-07-01 Thread John Hardin

On Mon, 1 Jul 2019, micah anderson wrote:


Grant Taylor writes:

As a Namecheap customer, you are making me want to move. That is good,
but it's also something you should consider, before you block the entire
registrar: there are a significant number of non-spamming Namecheap
customers that you would be cutting off if you did this. I understand
you want to put pressure on Namecheap, but the flip side of that is you
will be cutting yourself off from those domains in the process.


Note: I don't think "poison pill" treatment is being advocated here, just 
"another spam sign along with the rest"...



I think there are also lists of domains that have been recently
registered.  Which might help if the single use domains were recently
registered.


Having such a list would be very helpful for dealing with fast flux.


Day Old Bread et al.

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The yardstick you should use when considering whether to support a
  given piece of legislation is "what if my worst enemy is chosen to
  administer this law?"
---
 3 days until the 243rd anniversary of the Declaration of Independence


Re: Scoring by registrar?

2019-07-01 Thread Sean Lynch



On July 1, 2019 7:22:58 AM PDT, micah anderson wrote:
>Sean Lynch writes:
>
>>>Having such a list would be very helpful for dealing with fast flux.
>>
>> SA already has this. It used fresh.fmb.la to detect domains
>registered within the past couple of weeks.
>
>It does? Do I need to enable something to get that?

I got the test via sa-update, and it's a network check so they have to be 
enabled. It's the FROM_FMBLA_NEWDOM, FROM_FMBLA_NEWDOM14, and 
FROM_FMBLA_NEWDOM28 rules. Though since fresh.fmb.la only returns 0-7 days and 
7-14 days and I've only seen NEWDOM and NEWDOM28 fire I think NEWDOM28 may 
actually mean 7-14 days. Or the fresh.fmb.la docs are out of date. The 
maintainer is on this list and can probably comment.
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: Scoring by registrar?

2019-07-01 Thread micah anderson
Sean Lynch writes:

>>Having such a list would be very helpful for dealing with fast flux.
>
> SA already has this. It used fresh.fmb.la to detect domains registered within 
> the past couple of weeks.

It does? Do I need to enable something to get that?
-- 
micah


Re: Scoring by registrar?

2019-07-01 Thread Sean Lynch



On July 1, 2019 5:44:37 AM PDT, micah anderson wrote:
>Grant Taylor writes:
>
>>> A very large number (nearly all, in fact) of the spams I receive
>these 
>>> days involve domains registered with Namecheap. I've received
>hundreds 
>>> of spams involving .icu domains from what appear to be the same
>spammer. 
>>> I also receive a large number of scams impersonating Bitmain, again 
>>> using domains involving Namecheap.
>>
>> Is Namecheap just the registrar?  Or are they also hosting the DNS
>service?
>
>As a Namecheap customer, you are making me want to move. That is good,
>but it's also something you should consider, before you block the entire
>registrar: there are a significant number of non-spamming Namecheap
>customers that you would be cutting off if you did this. I understand
>you want to put pressure on Namecheap, but the flip side of that is you
>will be cutting yourself off from those domains in the process.

Like all SA rules, registrar would be just one of many signals, so Namecheap 
customers would only be cut off if their emails or IPs seem spammy in other 
ways. And there's always the option of registering with dnswl.org.

>>> While Namecheap does suspend at least some domains within days of
>their 
>>> being used in a campaign, it's clear that these are being treated as
>
>>> single-use domains, so this has very little impact on the spammers.
>
>This sounds like Fast Flux - and it is not something that happens only
>on Namecheap.
>
>> I think there are also lists of domains that have been recently 
>> registered.  Which might help if the single use domains were recently
>
>> registered.
>
>Having such a list would be very helpful for dealing with fast flux.

SA already has this. It used fresh.fmb.la to detect domains registered within 
the past couple of weeks.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: Scoring by registrar?

2019-07-01 Thread micah anderson
Grant Taylor writes:

>> A very large number (nearly all, in fact) of the spams I receive these 
>> days involve domains registered with Namecheap. I've received hundreds 
>> of spams involving .icu domains from what appear to be the same spammer. 
>> I also receive a large number of scams impersonating Bitmain, again 
>> using domains involving Namecheap.
>
> Is Namecheap just the registrar?  Or are they also hosting the DNS service?

As a Namecheap customer, you are making me want to move. That is good,
but it's also something you should consider, before you block the entire
registrar: there are a significant number of non-spamming Namecheap
customers that you would be cutting off if you did this. I understand
you want to put pressure on Namecheap, but the flip side of that is you
will be cutting yourself off from those domains in the process.

>> While Namecheap does suspend at least some domains within days of their 
>> being used in a campaign, it's clear that these are being treated as 
>> single-use domains, so this has very little impact on the spammers.

This sounds like Fast Flux - and it is not something that happens only
on Namecheap.

> I think there are also lists of domains that have been recently 
> registered.  Which might help if the single use domains were recently 
> registered.

Having such a list would be very helpful for dealing with fast flux.

-- 
micah


Re: Scoring by registrar?

2019-06-30 Thread Paul Stead
On Mon, 1 Jul 2019 at 06:38, Sean Lynch wrote:

> It's pretty useful already. If you're able to get the name of the
> registrar from that service, I think it might make a useful spam signal
> since some registrars seem to be a lot more popular with spammers than
> others.
>

Not really, essentially it's access to the zonefile, so no more information
available than doing an "NS" DNS lookup


Re: Scoring by registrar?

2019-06-30 Thread Sean Lynch


On 6/30/19 9:41 PM, Paul Stead wrote:
On Sun, 30 Jun 2019 at 19:46, Sean Lynch wrote:



On 6/30/19 11:40 AM, Grant Taylor wrote:
> On 6/30/19 12:05 PM, John Hardin wrote:
>> There's really no infrastructure for it. Somebody would have to
hook
>> into the registrar data feeds to collect it and publish it in a
>> usable form, and nobody has done so that I am aware of.
>
> Whois Domain Search has some information.
>
> Link - Whois Domain Search
>  - http://whoisds.com/
>
> They provide an API and an ability to download copies of their
database.
>
> I'm downloading their free newly registered domain list.  It's
only a
> list of domains registered in the last day and they have 10 (?)
days
> worth available for download.

I wonder if that's the list fresh.fmb.la uses?


fresh.fmb.la uses the CZDS service from ICANN to 
create the fresh list - is there anything I could do to make the BL 
more useful?


It's pretty useful already. If you're able to get the name of the 
registrar from that service, I think it might make a useful spam signal 
since some registrars seem to be a lot more popular with spammers than 
others.




Re: Scoring by registrar?

2019-06-30 Thread Paul Stead
On Sun, 30 Jun 2019 at 19:46, Sean Lynch wrote:

>
> On 6/30/19 11:40 AM, Grant Taylor wrote:
> > On 6/30/19 12:05 PM, John Hardin wrote:
> >> There's really no infrastructure for it. Somebody would have to hook
> >> into the registrar data feeds to collect it and publish it in a
> >> usable form, and nobody has done so that I am aware of.
> >
> > Whois Domain Search has some information.
> >
> > Link - Whois Domain Search
> >  - http://whoisds.com/
> >
> > They provide an API and an ability to download copies of their database.
> >
> > I'm downloading their free newly registered domain list.  It's only a
> > list of domains registered in the last day and they have 10 (?) days
> > worth available for download.
>
> I wonder if that's the list fresh.fmb.la uses?
>

fresh.fmb.la uses the CZDS service from ICANN to create the fresh list - is
there anything I could do to make the BL more useful?

Paul


Re: Scoring by registrar?

2019-06-30 Thread John Hardin

On Sun, 30 Jun 2019, Sean Lynch wrote:


On June 30, 2019 11:20:33 AM PDT, John Hardin wrote:


...and if the same IP address is a regular abuser that never sends any
legitimate traffic, tarpit them:

   http://www.impsec.org/~jhardin/antispam/spammer-firewall


I do like the idea of tarpitting spammers, because I want to drive up 
the cost of spamming. I haven't been able to find even anecdotal 
evidence that it causes them any genuine pain beyond just sleeping 
though since they tend to have very aggressive timeouts.


Anecdotal tarpit evidence from a *very* small MTA:

25/tcp (smtp): 5 host(s), 98 connection(s)
  1 185.16.204.92
  6 193.56.28.33
 10 185.234.219.100
 20 37.72.168.198
 61 193.169.252.171

If enough people were doing this I believe it would have an impact.

postscreen's short sleep during its two-line greeting seems to cause a 
lot of spammers to hang up, or they try saying HELO too early and 
postscreen blocks them.


I do that, too. :)


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Are you a mildly tech-literate politico horrified by the level of
  ignorance demonstrated by lawmakers gearing up to regulate online
  technology they don't even begin to grasp? Cool. Now you have a
  tiny glimpse into a day in the life of a gun owner.   -- Sean Davis
---
 4 days until the 243rd anniversary of the Declaration of Independence


Re: Scoring by registrar?

2019-06-30 Thread John Hardin

On Sun, 30 Jun 2019, Grant Taylor wrote:


On 6/30/19 12:05 PM, John Hardin wrote:
There's really no infrastructure for it. Somebody would have to hook into 
the registrar data feeds to collect it and publish it in a usable form, and 
nobody has done so that I am aware of.


Whois Domain Search has some information.

Link - Whois Domain Search
- http://whoisds.com/

They provide an API and an ability to download copies of their database.

I'm downloading their free newly registered domain list.  It's only a list of 
domains registered in the last day and they have 10 (?) days worth available 
for download.


A decade ago I wrote a plugin that used whois to try to do this as an 
experiment. The big drawback is: actually doing this could easily be 
considered abuse of the whois system and could easily get you blacklisted. 
This is *not* recommended for production use.


   http://www.impsec.org/~jhardin/antispam/registrar_scoring/

This is just for illustration. I *strongly* discourage using this in 
anything other than a limited test environment (assuming it even still 
works).


Interesting.  I'll have to read and assimilate your work.  I'm sure I'll 
learn many things.  Thank you for sharing.  :-)


If I were ever to implement something like this, I would NOT blindly do the 
Whois query directly for each incoming email.  I would query a local service 
that cached information (as in committed to disk) and have that service fetch 
information about domains that it didn't have information on.


Which is what that does.

I might even make such a system periodically check to see if things like DNS 
servers had changed and then refresh the cache on demand as necessary.


I don't remember if I implemented cache expiry.

I agree that blindly and directly doing a Whois query for each and every 
incoming email would cause some people to get upset.  Not to mention the 
performance and latency implications.


Well, for each domain not seen [yet|recently].

If you had access to the registrar feeds you might be able to write 
something that used that data which would not be considered abusive.


I think that's exactly the type of data that Whois Domain Search is selling, 
and why they are selling it.


Right. I neglected to mention above that the data *was* available for $$$, 
as I presumed we were discussing this in the context of a free service.


Is there anybody in the SA user community who does have access to the raw 
registrar feeds?


I don't.  But I think Whois Domain Search offers trial options.

No, I'm not affiliated with Whois Domain Search.  I simply download their 
free list of domains registered yesterday each day.  }:-)  Not that I've 
actually done anything with that data yet.  But that's a different problem.


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Are you a mildly tech-literate politico horrified by the level of
  ignorance demonstrated by lawmakers gearing up to regulate online
  technology they don't even begin to grasp? Cool. Now you have a
  tiny glimpse into a day in the life of a gun owner.   -- Sean Davis
---
 4 days until the 243rd anniversary of the Declaration of Independence

Re: Scoring by registrar?

2019-06-30 Thread Sean Lynch



On June 30, 2019 11:20:33 AM PDT, John Hardin wrote:
>On Sun, 30 Jun 2019, Grant Taylor wrote:
>
>> On 6/30/19 10:51 AM, Martin Gregorie wrote:
>>> If you don't mind a delay in receiving mail from hosts you've never
>seen
>>> before, why not implement a greylister?
>>> 
>>> https://en.wikipedia.org/wiki/Greylisting
>>
>> I see your GreyListing and raise you NoListing:
>>
>> https://en.wikipedia.org/wiki/Nolisting
>>
>> TL;DR:  NoListing works by having an MX record that either does not
>respond 
>> to TCP connections for SMTP, or sends TCP Resets.  Thus causing RFC
>compliant 
>> DNS servers to move on to the next priority MX in short order.

NoListing concerns me for two reasons: first, it causes everyone to have to try 
twice regardless of reputation. Second, Bad Things will happen if I do anything 
punitive on the highest preference MX and my primary and secondary go down. 
With greylisting, I can at least whitelist anyone registered with dnswl.org, 
etc. A greylist server could also whitelist an entire domain once any of its 
servers passes, if SPF is set up.

>
>...and if the same IP address is a regular abuser that never sends any 
>legitimate traffic, tarpit them:
>
>http://www.impsec.org/~jhardin/antispam/spammer-firewall

I do like the idea of tarpitting spammers, because I want to drive up the cost 
of spamming. I haven't been able to find even anecdotal evidence that it causes 
them any genuine pain beyond just sleeping though since they tend to have very 
aggressive timeouts. postscreen's short sleep during its two-line greeting 
seems to cause a lot of spammers to hang up, or they try saying HELO too early 
and postscreen blocks them.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
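Editor's added example, not code from any participant: a Python greylisting decision engine implementing the two shortcuts Sean describes above, an injected per-IP allow hook (standing in for a dnswl.org lookup) and domain-wide acceptance once any SPF-authorized host of a sender domain has passed the greylist. The delay and retry-window values, the addresses and the "known good" set are constructed for the demo.

```python
import time
from typing import Callable, Dict, Set, Tuple

Triplet = Tuple[str, str, str]   # (client IP, envelope sender, envelope recipient)


class Greylister:
    """Greylisting decision engine with the two whitelist paths from the thread.

    decide() returns "accept" or "defer"; the MTA turns "defer" into a 4xx
    temporary failure.  A triplet is deferred until it is retried at least
    `delay` seconds after first sight; a retry arriving later than
    `retry_window` is treated as a brand-new first attempt.  Two shortcuts
    skip the wait: a client IP the injected `is_whitelisted` hook vouches for
    (a dnswl.org lookup in production, a constructed set in the demo), and a
    sender domain that has already passed from an SPF-authorized host, so the
    domain's other SPF-authorized servers are accepted on their first attempt.
    """

    def __init__(self, delay: float = 300, retry_window: float = 4 * 3600,
                 is_whitelisted: Callable[[str], bool] = lambda ip: False,
                 clock: Callable[[], float] = time.time):
        self.delay, self.retry_window = delay, retry_window
        self.is_whitelisted, self.clock = is_whitelisted, clock
        self.first_seen: Dict[Triplet, float] = {}
        self.passed_domains: Set[str] = set()

    @staticmethod
    def _domain(mail_from: str) -> str:
        return mail_from.rsplit("@", 1)[-1].lower()

    def decide(self, client_ip: str, mail_from: str, rcpt_to: str,
               spf_pass: bool = False) -> str:
        now = self.clock()
        if self.is_whitelisted(client_ip):
            return "accept"
        domain = self._domain(mail_from)
        if spf_pass and domain in self.passed_domains:
            return "accept"                     # a sibling server already earned trust
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        first = self.first_seen.get(key)
        if first is None or now - first > self.retry_window:
            self.first_seen[key] = now          # first sight (or stale entry): start the clock
            return "defer"
        if now - first < self.delay:
            return "defer"                      # retried too quickly, keep waiting
        if spf_pass:
            self.passed_domains.add(domain)     # vouch for the whole domain from now on
        return "accept"


# Constructed demo data: documentation-range addresses, nothing real.
KNOWN_GOOD = {"192.0.2.10"}   # stands in for "listed on dnswl.org"

if __name__ == "__main__":
    t = [0.0]
    g = Greylister(delay=300, retry_window=3600,
                   is_whitelisted=lambda ip: ip in KNOWN_GOOD, clock=lambda: t[0])
    print(g.decide("192.0.2.10", "news@vouched.example", "me@local.example"))        # accept
    print(g.decide("198.51.100.5", "hello@new.example", "me@local.example"))         # defer
    t[0] = 400.0
    print(g.decide("198.51.100.5", "hello@new.example", "me@local.example", True))   # accept
    print(g.decide("198.51.100.6", "other@new.example", "me@local.example", True))   # accept
```

The domain-wide shortcut only fires when the MTA has already verified SPF for the connection, which is why `spf_pass` is an input rather than something the greylister derives itself; without that coupling a forged sender domain would inherit the trust its real owner earned.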


Re: Scoring by registrar?

2019-06-30 Thread Sean Lynch



On 6/30/19 11:40 AM, Grant Taylor wrote:

On 6/30/19 12:05 PM, John Hardin wrote:
There's really no infrastructure for it. Somebody would have to hook 
into the registrar data feeds to collect it and publish it in a 
usable form, and nobody has done so that I am aware of.


Whois Domain Search has some information.

Link - Whois Domain Search
 - http://whoisds.com/

They provide an API and an ability to download copies of their database.

I'm downloading their free newly registered domain list.  It's only a 
list of domains registered in the last day and they have 10 (?) days 
worth available for download.


I wonder if that's the list fresh.fmb.la uses?



A decade ago I wrote a plugin that used whois to try to do this as an 
experiment. The big drawback is: actually doing this could easily be 
considered abuse of the whois system and could easily get you 
blacklisted. This is *not* recommended for production use.


   http://www.impsec.org/~jhardin/antispam/registrar_scoring/

This is just for illustration. I *strongly* discourage using this in 
anything other than a limited test environment (assuming it even 
still works).


Interesting.  I'll have to read and assimilate your work.  I'm sure 
I'll learn many things.  Thank you for sharing.  :-)


If I were ever to implement something like this, I would NOT blindly 
do the Whois query directly for each incoming email.  I would query a 
local service that cached information (as in committed to disk) and 
have that service fetch information about domains that it didn't have 
information on.


I might even make such a system periodically check to see if things 
like DNS servers had changed and then refresh the cache on demand as 
necessary.


I agree that blindly and directly doing a Whois query for each and 
every incoming email would cause some people to get upset.  Not to 
mention the performance and latency implications.


If you had access to the registrar feeds you might be able to write 
something that used that data which would not be considered abusive.


I think that's exactly the type of data that Whois Domain Search is 
selling, and why they are selling it.


Is there anybody in the SA user community who does have access to the 
raw registrar feeds?


I don't.  But I think Whois Domain Search offers trial options.

No, I'm not affiliated with Whois Domain Search.  I simply download 
their free list of domains registered yesterday each day.  }:-)  Not 
that I've actually done anything with that data yet.  But that's a 
different problem.


With fresh.fmb.la, the raw data is a little less useful unless you want 
better resolution than a week at a time. It might be useful for finding 
and reporting Bitmain lookalike domains before they get used in spam blasts.


I might find it worth it to sign up for one of their services if I can 
use it to offer some useful service such as a DNSBL to others. I'll need 
to check their subscriber agreement. Thanks for pointing it out!




Re: Scoring by registrar?

2019-06-30 Thread Grant Taylor

On 6/30/19 12:05 PM, John Hardin wrote:
There's really no infrastructure for it. Somebody would have to hook 
into the registrar data feeds to collect it and publish it in a usable 
form, and nobody has done so that I am aware of.


Whois Domain Search has some information.

Link - Whois Domain Search
 - http://whoisds.com/

They provide an API and an ability to download copies of their database.

I'm downloading their free newly registered domain list.  It's only a 
list of domains registered in the last day and they have 10 (?) days 
worth available for download.


A decade ago I wrote a plugin that used whois to try to do this as an 
experiment. The big drawback is: actually doing this could easily be 
considered abuse of the whois system and could easily get you 
blacklisted. This is *not* recommended for production use.


   http://www.impsec.org/~jhardin/antispam/registrar_scoring/

This is just for illustration. I *strongly* discourage using this in 
anything other than a limited test environment (assuming it even still 
works).


Interesting.  I'll have to read and assimilate your work.  I'm sure I'll 
learn many things.  Thank you for sharing.  :-)


If I were ever to implement something like this, I would NOT blindly do 
the Whois query directly for each incoming email.  I would query a local 
service that cached information (as in committed to disk) and have that 
service fetch information about domains that it didn't have information on.


I might even make such a system periodically check to see if things like 
DNS servers had changed and then refresh the cache on demand as necessary.


I agree that blindly and directly doing a Whois query for each and every 
incoming email would cause some people to get upset.  Not to mention the 
performance and latency implications.


If you had access to the registrar feeds you might be able to write 
something that used that data which would not be considered abusive.


I think that's exactly the type of data that Whois Domain Search is 
selling, and why they are selling it.


Is there anybody in the SA user community who does have access to the 
raw registrar feeds?


I don't.  But I think Whois Domain Search offers trial options.

No, I'm not affiliated with Whois Domain Search.  I simply download 
their free list of domains registered yesterday each day.  }:-)  Not 
that I've actually done anything with that data yet.  But that's a 
different problem.




--
Grant. . . .
unix || die



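Editor's added example, neither Grant's design as he would build it nor the impsec.org plugin: a Python sketch of the local caching service described in the exchange above. The lookup backend is injected (whois, or an NS lookup if the signal is the nameserver operator), results are committed to an SQLite file with a TTL so expired entries are refreshed on demand, and a per-minute budget caps backend queries so a burst of incoming mail degrades into "unknown" answers rather than the whois-hammering John warns against. The registrar names and domains are constructed placeholders.

```python
import sqlite3
import time
from typing import Callable, Optional

# Backend lookup: domain -> registrar name (or nameserver operator, if you
# derive the signal from NS records instead); None when the lookup fails.
LookupFn = Callable[[str], Optional[str]]


class RegistrarCache:
    """Disk-backed cache in front of a slow, abuse-sensitive lookup.

    The MTA never calls whois itself; it asks this service, which only goes
    to the backend for domains it has not seen (or whose entry has expired)
    and never more than `budget` times per minute.  When the budget is spent
    the service answers from stale data or says "unknown" (None).
    """

    def __init__(self, path: str, lookup: LookupFn, ttl: float = 7 * 86400,
                 budget: int = 10, clock: Callable[[], float] = time.time):
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS registrar ("
            "domain TEXT PRIMARY KEY, registrar TEXT NOT NULL, fetched_at REAL NOT NULL)")
        self.lookup, self.ttl, self.budget, self.clock = lookup, ttl, budget, clock
        self.window_start, self.window_used = clock(), 0
        self.backend_calls = 0  # instrumentation: how often we really went out

    def _take_token(self) -> bool:
        """Fixed one-minute window rate limiter for backend queries."""
        now = self.clock()
        if now - self.window_start >= 60:
            self.window_start, self.window_used = now, 0
        if self.window_used >= self.budget:
            return False
        self.window_used += 1
        return True

    def get(self, domain: str) -> Optional[str]:
        domain = domain.strip().rstrip(".").lower()
        now = self.clock()
        row = self.db.execute(
            "SELECT registrar, fetched_at FROM registrar WHERE domain = ?", (domain,)).fetchone()
        if row is not None and now - row[1] < self.ttl:
            return row[0]                      # fresh cache hit: no network at all
        if not self._take_token():
            return row[0] if row else None     # over budget: stale answer or unknown
        self.backend_calls += 1
        registrar = self.lookup(domain)
        if registrar is None:
            return row[0] if row else None     # failed lookup: keep whatever we had
        self.db.execute("INSERT OR REPLACE INTO registrar VALUES (?, ?, ?)",
                        (domain, registrar, now))
        self.db.commit()
        return registrar


# Constructed backend standing in for whois / NS lookups: the registrar names
# are placeholders, not real data about any domain.
SAMPLE_REGISTRY = {
    "spamshop.example": "Registrar-A (placeholder)",
    "legit-business.example": "Registrar-B (placeholder)",
}


def sample_lookup(domain: str) -> Optional[str]:
    return SAMPLE_REGISTRY.get(domain)


if __name__ == "__main__":
    cache = RegistrarCache(":memory:", sample_lookup, ttl=3600, budget=2)
    for d in ("SpamShop.example.", "spamshop.example", "legit-business.example", "unknown.example"):
        print(f"{d:25} -> {cache.get(d)}   backend calls so far: {cache.backend_calls}")
```

Failed lookups are deliberately not cached here, so a transient backend outage does not poison the cache for a week; the per-minute budget is what keeps repeated misses for the same domain from turning into a query storm. A production version would use a file path instead of `:memory:` so the cache survives restarts, which is the "committed to disk" property Grant asks for.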


Re: Scoring by registrar?

2019-06-30 Thread Sean Lynch



On 6/30/19 11:05 AM, John Hardin wrote:

On Sun, 30 Jun 2019, Sean Lynch wrote:

A very large number (nearly all, in fact) of the spams I receive 
these days involve domains registered with Namecheap.


I'd like to add a spam score to any message using a domain registered 
with them.


Does such functionality already exist in SpamAssassin? Is there an 
RHSBL or some other simple mechanism I could use to look up the 
registrar for a domain?


There's really no infrastructure for it. Somebody would have to hook 
into the registrar data feeds to collect it and publish it in a usable 
form, and nobody has done so that I am aware of.


A decade ago I wrote a plugin that used whois to try to do this as an 
experiment. The big drawback is: actually doing this could easily be 
considered abuse of the whois system and could easily get you 
blacklisted. This is *not* recommended for production use.


  http://www.impsec.org/~jhardin/antispam/registrar_scoring/

This is just for illustration. I *strongly* discourage using this in 
anything other than a limited test environment (assuming it even still 
works).
I've been wary of just querying whois for precisely this reason. Maybe 
rate-limited queries along with greylisting to give time to do the lookup?


If you had access to the registrar feeds you might be able to write 
something that used that data which would not be considered abusive.


Is there anybody in the SA user community who does have access to the 
raw registrar feeds?


This would be lovely. Turning it into a DNS-based service would be even 
better!


Thanks for the response!



Re: Scoring by registrar?

2019-06-30 Thread Sean Lynch



On 6/30/19 11:00 AM, Grant Taylor wrote:

On 6/30/19 10:08 AM, Sean Lynch wrote:
Hi, everyone! I used to run my own mail servers back in the mid '90s 
and even worked as the postmaster for a regional ISP and worked on 
mail servers for some large corporations and even a small national 
ISP as a consultant. After a hiatus where I drank the hosted email 
kool-aid, I'm back to hosting my own email.


Welcome back to the fray.  :-)

At the moment I'm using a combination of SMTP-time DNSBL and other 
checks and SpamAssassin at delivery time for spam filtering. Very few 
spams are even making it to SpamAssassin, but many that do make it 
all the way through into my inbox.


:-(

A very large number (nearly all, in fact) of the spams I receive 
these days involve domains registered with Namecheap. I've received 
hundreds of spams involving .icu domains from what appear to be the 
same spammer. I also receive a large number of scams impersonating 
Bitmain, again using domains involving Namecheap.


Is Namecheap just the registrar?  Or are they also hosting the DNS 
service?


Ah, I should have mentioned that. Unfortunately, they're just the 
registrar. I suspect the spammers use DNS servers they can update 
quickly, but since it's slower to update NS records and glue records, 
the nameserver IPs and names might make interesting extra signals to 
score on.




While Namecheap does suspend at least some domains within days of 
their being used in a campaign, it's clear that these are being 
treated as single-use domains, so this has very little impact on the 
spammers. Since for whatever reason they're so attractive to spammers 
that they seem to be a nearly universal choice, at least for spams I 
get, I'd like to add a spam score to any message using a domain 
registered with them.


Does such functionality already exist in SpamAssassin? Is there an 
RHSBL or some other simple mechanism I could use to look up the 
registrar for a domain?


I'm not sure how to check for Namecheap as the domain registrar. I 
think it should be relatively easy to check if the Namecheap is being 
used for the DNS service by checking what DNS servers are used.  
Perhaps you could alter the score that way.


I think you could likely take this a step further and use something 
like BIND's features to alter responses to DNS queries based on the 
DNS server the information comes from.  Meaning you could break email 
from domains using specific DNS servers.  }:-) This means that you 
could configure your MTA to require valid DNS (which it should be 
doing anyway).  Thus your email server would not accept email from 
domains that use Namecheap DNS servers. }:-D


I think there are also lists of domains that have been recently 
registered.  Which might help if the single use domains were recently 
registered.


I do plan to set up a DNS server at some point in order to implement my 
own DNSBLs among other things.


About 1/3 of both the .icu and Bitmain spams do hit one of the 
FROM_FMBLA_NEWDOM rules. I've bumped the scores up for those so that any 
recently-registered .icu domain will always go to my junk folder.


One of my goals is to incentivize Namecheap to make themselves less 
attractive to spammers. Having one person use their being the registrar 
as a spam signal doesn't accomplish that, but inspiring many people to 
might.


Even better would be to use signals like that as an SMTP-time test so 
that senders will (hopefully) see a bounce message that says they need 
to register with dnswl.org if they want to be able to send email from a 
Namecheap-registered domain. I should probably investigate mtpolicyd a 
little more closely; right now I just use policyd-spf-python to reject 
any messages that fail SPF, but that catches almost nothing because the 
spammers who are able to get past the DNSBLs I use typically have set up 
all the right records for their throwaway domains, including SPF and DKIM.




Re: Scoring by registrar?

2019-06-30 Thread John Hardin

On Sun, 30 Jun 2019, Grant Taylor wrote:

> On 6/30/19 10:51 AM, Martin Gregorie wrote:
>
> > If you don't mind a delay in receiving mail from hosts you've never seen
> > before, why not implement a greylister?
> >
> > https://en.wikipedia.org/wiki/Greylisting
>
> I see your GreyListing and raise you NoListing:
>
> https://en.wikipedia.org/wiki/Nolisting
>
> TL;DR:  NoListing works by having an MX record that either does not respond 
> to TCP connections for SMTP, or sends TCP Resets.  Thus causing RFC compliant 
> DNS servers to move on to the next priority MX in short order.


...and if the same IP address is a regular abuser that never sends any 
legitimate traffic, tarpit them:


   http://www.impsec.org/~jhardin/antispam/spammer-firewall

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The focus of our education system is
  the transfer of tax dollars between politicians and unions.
  Educating children is its waste product.   -- Frank Fleming
---
 4 days until the 243rd anniversary of the Declaration of Independence


Re: Scoring by registrar?

2019-06-30 Thread Grant Taylor

On 6/30/19 10:51 AM, Martin Gregorie wrote:

> If you don't mind a delay in receiving mail from hosts you've never seen
> before, why not implement a greylister?
>
> https://en.wikipedia.org/wiki/Greylisting


I see your GreyListing and raise you NoListing:

https://en.wikipedia.org/wiki/Nolisting

TL;DR:  NoListing works by having an MX record that either does not 
respond to TCP connections for SMTP, or sends TCP Resets.  Thus causing 
RFC compliant DNS servers to move on to the next priority MX in short order.


I find that this cuts out a LOT of crap without most (if not all) of the 
problems generally associated with GreyListing.


 · It's stateless
 · It doesn't care where the retries come from
 · It's RFC compliant, no grey area
 · It allows fast retries.
   · Nothing prevents the same server from trying the next MX immediately.
 · There aren't issues with "You must wait X number of minutes".
   · There is no mechanism in SMTP to indicate how long to wait.
   · Servers can try the next MX immediately

I also highly recommend something like Junk Email Filter's Project 
Tar(baby) as a high order MX.


Link - Project Tar
 - http://wiki.junkemailfilter.com/index.php/Project_tarbaby

While you're at it, consider using Junk Email Filter's Spam DNS Lists to 
filter bad actors learned via Project Tar.


Link - Spam DNS Lists
 - http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists



--
Grant. . . .
unix || die





Re: Scoring by registrar?

2019-06-30 Thread John Hardin

On Sun, 30 Jun 2019, Sean Lynch wrote:

> A very large number (nearly all, in fact) of the spams I receive these days 
> involve domains registered with Namecheap.
>
> I'd like to add a spam score to any message using a domain registered 
> with them.
>
> Does such functionality already exist in SpamAssassin? Is there an RHSBL or 
> some other simple mechanism I could use to look up the registrar for a 
> domain?


There's really no infrastructure for it. Somebody would have to hook into 
the registrar data feeds to collect it and publish it in a usable form, 
and nobody has done so that I am aware of.


A decade ago I wrote a plugin that used whois to try to do this as an 
experiment. The big drawback is: actually doing this could easily be 
considered abuse of the whois system and could easily get you blacklisted. 
This is *not* recommended for production use.


  http://www.impsec.org/~jhardin/antispam/registrar_scoring/

This is just for illustration. I *strongly* discourage using this in 
anything other than a limited test environment (assuming it even still 
works).


If you had access to the registrar feeds you might be able to write 
something that used that data which would not be considered abusive.


Is there anybody in the SA user community who does have access to the raw 
registrar feeds?



--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  If Microsoft made hammers, everyone would whine about how poorly
  screws were designed and about how they are hard to hammer in, and
  wonder why it takes so long to paint a wall using the hammer.
---
 4 days until the 243rd anniversary of the Declaration of Independence


Re: Scoring by registrar?

2019-06-30 Thread Grant Taylor

On 6/30/19 10:08 AM, Sean Lynch wrote:
> Hi, everyone! I used to run my own mail servers back in the mid '90s and 
> even worked as the postmaster for a regional ISP and worked on mail 
> servers for some large corporations and even a small national ISP as a 
> consultant. After a hiatus where I drank the hosted email kool-aid, I'm 
> back to hosting my own email.

Welcome back to the fray.  :-)

> At the moment I'm using a combination of SMTP-time DNSBL and other 
> checks and SpamAssassin at delivery time for spam filtering. Very 
> few spams are even making it to SpamAssassin, but many that do make 
> it all the way through into my inbox.

:-(

> A very large number (nearly all, in fact) of the spams I receive these 
> days involve domains registered with Namecheap. I've received hundreds 
> of spams involving .icu domains from what appear to be the same spammer. 
> I also receive a large number of scams impersonating Bitmain, again 
> using domains involving Namecheap.

Is Namecheap just the registrar?  Or are they also hosting the DNS service?

> While Namecheap does suspend at least some domains within days of their 
> being used in a campaign, it's clear that these are being treated as 
> single-use domains, so this has very little impact on the spammers. 
> Since for whatever reason they're so attractive to spammers that they 
> seem to be a nearly universal choice, at least for spams I get, I'd like 
> to add a spam score to any message using a domain registered with them.
>
> Does such functionality already exist in SpamAssassin? Is there an RHSBL 
> or some other simple mechanism I could use to look up the registrar for 
> a domain?


I'm not sure how to check for Namecheap as the domain registrar.  I 
think it should be relatively easy to check if Namecheap is being 
used for the DNS service by checking what DNS servers are used.  Perhaps 
you could alter the score that way.


I think you could likely take this a step further and use something like 
BIND's features to alter responses to DNS queries based on the DNS 
server the information comes from.  Meaning you could break email from 
domains using specific DNS servers.  }:-)  This means that you could 
configure your MTA to require valid DNS (which it should be doing 
anyway).  Thus your email server would not accept email from domains 
that use Namecheap DNS servers.  }:-D


I think there are also lists of domains that have been recently 
registered.  Which might help if the single use domains were recently 
registered.




--
Grant. . . .
unix || die





Re: Scoring by registrar?

2019-06-30 Thread Sean Lynch



On 6/30/19 9:51 AM, Martin Gregorie wrote:

> On Sun, 2019-06-30 at 09:08 -0700, Sean Lynch wrote:
>
> > A very large number (nearly all, in fact) of the spams I receive
> > these days involve domains registered with Namecheap. I've received
> > hundreds of spams involving .icu domains from what appear to be the
> > same spammer.
>
> Write a local rule that adds points for mails from .icu

Such a rule already exists. I've bumped up its score already.

> > I also receive a large number of scams impersonating Bitmain, again
> > using domains involving Namecheap.
>
> As above, but for Bitmain.

Thanks. I'm aware I can do this.

> > While Namecheap does suspend at least some domains within days of
> > their being used in a campaign, it's clear that these are being
> > treated as single-use domains, so this has very little impact on the
> > spammers. Since for whatever reason they're so attractive to spammers
> > that they seem to be a nearly universal choice, at least for spams I
> > get, I'd like to add a spam score to any message using a domain
> > registered with them.
>
> If you don't mind a delay in receiving mail from hosts you've never seen
> before, why not implement a greylister?
>
> https://en.wikipedia.org/wiki/Greylisting

Thanks. I'm aware of greylisting already.

> > Does such functionality already exist in SpamAssassin?
>
> Defining local rules has always been possible.

Thanks. I'm aware of this. I was asking what functionality exists, if 
any, for determining who a domain's registrar is.

> Greylisters are used to front end your MTA, so work independently of
> Spamassassin.
>
> I find combinations of rules can be surprisingly specific, e.g. to catch
> sales spam:
>
> - write a rule that contains a list of selling terms with a very small
>   positive score (0.001)
> - write another rule that contains a list of products pushed by
>   spammers, again with a very small positive score
> - write a meta rule that triggers only when both the previous rules
>   are hit and give it a significant score
>
> If you avoid sales terms and product names/descriptions that are in
> common use the meta rule will cause few false positives.

Thanks. As I said, been using SpamAssassin (and generally fighting spam) 
for years, so I'm already aware of this.

> Martin





Re: Scoring by registrar?

2019-06-30 Thread Martin Gregorie
On Sun, 2019-06-30 at 09:08 -0700, Sean Lynch wrote:
> A very large number (nearly all, in fact) of the spams I receive
> these days involve domains registered with Namecheap. I've received
> hundreds of spams involving .icu domains from what appear to be the
> same spammer.
>
Write a local rule that adds points for mails from .icu  

> I also receive a large number of scams impersonating Bitmain, again 
> using domains involving Namecheap.
> 
As above, but for Bitmain.

> While Namecheap does suspend at least some domains within days of
> their being used in a campaign, it's clear that these are being
> treated as single-use domains, so this has very little impact on the
> spammers. Since for whatever reason they're so attractive to spammers
> that they seem to be a nearly universal choice, at least for spams I
> get, I'd like to add a spam score to any message using a domain
> registered with them.
> 
If you don't mind a delay in receiving mail from hosts you've never seen
before, why not implement a greylister?   

https://en.wikipedia.org/wiki/Greylisting

> Does such functionality already exist in SpamAssassin?
>
Defining local rules has always been possible.

Greylisters are used to front end your MTA, so work independently of
Spamassassin.

I find combinations of rules can be surprisingly specific, e.g. to catch
sales spam:

- write a rule that contains a list of selling terms with a very small
  positive score (0.001)
- write another rule that contains a list of products pushed by
  spammers, again with a very small positive score
- write a meta rule that triggers only when both the previous rules
  are hit and give it a significant score
  
If you avoid sales terms and product names/descriptions that are in
common use the meta rule will cause few false positives.
 
Martin
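An added example, not Martin's or the list's own configuration: a SpamAssassin local.cf fragment that implements the three-rule recipe above and also carries out the two tweaks Sean mentions elsewhere in the thread (extra points for .icu senders and a higher FROM_FMBLA_NEWDOM score). The rule names, regexes, scores and file path are assumptions.

```conf
# Constructed local.cf fragment (assumed path: /etc/mail/spamassassin/local.cf).
# Rule names, patterns and scores are illustrative, not the list's own rules.

# Sean's case: extra points for a From address in the .icu TLD.
header   LOCAL_FROM_ICU_TLD     From:addr =~ /\.icu$/i
describe LOCAL_FROM_ICU_TLD     Sender address is in the .icu TLD
score    LOCAL_FROM_ICU_TLD     2.0

# Martin's recipe, step 1: generic selling terms. The score must be non-zero
# for the rule to run at all, but 0.001 makes it worthless on its own.
body     LOCAL_SALES_TERMS      /\b(?:special offer|lowest price|bulk order|wholesale price)\b/i
describe LOCAL_SALES_TERMS      Generic sales language (weak signal by itself)
score    LOCAL_SALES_TERMS      0.001

# Step 2: products pushed by spammers, again near-zero on its own.
body     LOCAL_PUSHED_PRODUCTS  /\b(?:antminer|asic miner|mining rig)\b/i
describe LOCAL_PUSHED_PRODUCTS  Product names pushed by spammers (weak signal by itself)
score    LOCAL_PUSHED_PRODUCTS  0.001

# Step 3: the meta rule fires only when both weak rules hit and carries the
# real weight, so ordinary mail that matches only one list is barely touched.
meta     LOCAL_SALES_SPAM       (LOCAL_SALES_TERMS && LOCAL_PUSHED_PRODUCTS)
describe LOCAL_SALES_SPAM       Sales language combined with a pushed product
score    LOCAL_SALES_SPAM       3.5

# Sean's other tweak: raise the stock recently-registered-domain rule so that
# a fresh sender domain alone is enough to land the message in the junk folder.
score    FROM_FMBLA_NEWDOM      4.0
```

Run `spamassassin --lint` after editing to catch syntax errors, then `spamassassin -t < sample.eml` to see which of the rules hit on a saved message.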




Scoring by registrar?

2019-06-30 Thread Sean Lynch
Hi, everyone! I used to run my own mail servers back in the mid '90s and 
even worked as the postmaster for a regional ISP and worked on mail 
servers for some large corporations and even a small national ISP as a 
consultant. After a hiatus where I drank the hosted email kool-aid, I'm 
back to hosting my own email. At the moment I'm using a combination of 
SMTP-time DNSBL and other checks and SpamAssassin at delivery time for 
spam filtering. Very few spams are even making it to SpamAssassin, but 
many that do make it all the way through into my inbox.


A very large number (nearly all, in fact) of the spams I receive these 
days involve domains registered with Namecheap. I've received hundreds 
of spams involving .icu domains from what appear to be the same spammer. 
I also receive a large number of scams impersonating Bitmain, again 
using domains involving Namecheap.


While Namecheap does suspend at least some domains within days of their 
being used in a campaign, it's clear that these are being treated as 
single-use domains, so this has very little impact on the spammers. 
Since for whatever reason they're so attractive to spammers that they 
seem to be a nearly universal choice, at least for spams I get, I'd like 
to add a spam score to any message using a domain registered with them.


Does such functionality already exist in SpamAssassin? Is there an RHSBL 
or some other simple mechanism I could use to look up the registrar for 
a domain?