OT: Postscreen and scoring/blocking by ISP


OT: Postscreen and scoring/blocking by ISP

Charles Sprickman
Hi all,

I was looking through a few lists of RBLs and I’m not finding quite what I want.

I have quite a bit of my spam blocking working fairly well, but I’m seeing quite a bit of “snowshoe spam” from a few providers. Rather than look up their netblocks and outright block them, I’d like to incorporate them into the postscreen scoring process.  As time goes on, I’m sure I’ll find others, but I do see ColoCrossing and Limestone Networks as pretty consistent sources.

Are there any RBLs that exclusively deal with blocking by netblock/owner that I’m missing? Or am I better off just setting up a local RBL with the things I want to cover?  And while I’m asking, any interesting RBLs you folks use that are based on non-standard criteria (country-based RBLs, lists of RFC-ignorant hosts, etc.)?

Thanks,

Charles

Re: OT: Postscreen and scoring/blocking by ISP

Charles Sprickman
Hi David (and re-adding the list in case we say something interesting),

“Snowshoe spam”, as I understand it, is basically a spammer sending batches from a list of “clean” IPs - not too many emails per IP, but lots of hosts to send from.  By the time an IP is blacklisted, it’s already done spamming.

Another theory I have is these folks work alphabetically, as the client I have the most issues with has a domain starting with “b” and they just see way more spam. Could just be random, or that it’s a very old domain (20+ years).

Anyhow, I have my own list of hosting operations that seem to just keep being used for this and I’d like to start them off at 4-5 points in my postscreen config.

My typical filtering setup is Postscreen with a bunch of RBLs, and generally I need 3-4 of the reliable RBLs to hit a sending IP before it hits the threshold. After that, the mail moves to SpamAssassin. It scores most of the missed emails around 2-3 points, almost exclusively via Bayes.

Thanks,

Charles

> On May 20, 2019, at 8:49 PM, David Mehler <[hidden email]> wrote:
>
> Hello,
>
> I don't know about the netblocks you're looking for, but what is
> snowshoe spam? What does your spam blocking configuration look like? I
> can send you mine if you think it would help.
>
> Dave.
>
>
> On 5/20/19, Charles Sprickman <[hidden email]> wrote:
>> Hi all,
>>
>> I was looking through a few lists of RBLs and I’m not finding quite what I
>> want.
>>
>> I have quite a bit of my spam blocking working fairly well, but I’m seeing
>> quite a bit of “snowshoe spam” from a few providers. Rather than look up
>> their netblocks and outright block them, I’d like to incorporate them into
>> the postscreen scoring process.  As time goes on, I’m sure I’ll find others,
>> but I do see ColoCrossing and Limestone Networks as pretty consistent
>> sources.
>>
>> Are there any RBLs that exclusively deal with blocking by netblock/owner
>> that I’m missing? Or am I better off just setting up a local RBL with the
>> things I want to cover?  And while I’m asking, any interesting RBLs you
>> folks use that are based on non-standard criteria (country-based RBLs, lists
>> of RFC-ignorant hosts, etc.)?
>>
>> Thanks,
>>
>> Charles


Re: OT: Postscreen and scoring/blocking by ISP

allenc

There is an RBL, zz.countries.nerd.dk, which will return a code based on country
of origin - or if you substitute a country code (eg uk.countries.nerd.dk) it
will return 127.0.0.1 if the host "belongs" to that country; it can be used to
load the final RBL score for an individual country.  I don't know how robust
these people are, but they are certainly sufficient for a domestic server.

Currently, I am using a CIDR access-control-list to block (in PostScreen) hosts
from certain "nuisance" countries.  A weekly script derives the netblocks from
the zone lists published by http://www.ipdeny.com

Allen C

On 30/05/2019 21:40, Charles Sprickman wrote:

> Hi David (and re-adding the list in case we say something interesting),
>
> “Snowshoe spam”, as I understand it, is basically a spammer sending batches from a list of “clean” IPs - not too many emails per IP, but lots of hosts to send from.  By the time an IP is blacklisted, it’s already done spamming.
>
> Another theory I have is these folks work alphabetically, as the client I have the most issues with has a domain starting with “b” and they just see way more spam. Could just be random, or that it’s a very old domain (20+ years).
>
> Anyhow, I have my own list of hosting operations that seem to just keep being used for this and I’d like to start them off at 4-5 points in my postscreen config.
>
> My typical filtering setup is Postscreen with a bunch of RBLs, and generally I need 3-4 of the reliable RBLs to hit a sending IP before it hits the threshold. After that, the mail moves to SpamAssassin. It scores most of the missed emails around 2-3 points, almost exclusively via Bayes.
>
> Thanks,
>
> Charles
>
>> On May 20, 2019, at 8:49 PM, David Mehler <[hidden email]> wrote:
>>
>> Hello,
>>
>> I don't know about the netblocks you're looking for, but what is
>> snowshoe spam? What does your spam blocking configuration look like? I
>> can send you mine if you think it would help.
>>
>> Dave.
>>
>>
>> On 5/20/19, Charles Sprickman <[hidden email]> wrote:
>>> Hi all,
>>>
>>> I was looking through a few lists of RBLs and I’m not finding quite what I
>>> want.
>>>
>>> I have quite a bit of my spam blocking working fairly well, but I’m seeing
>>> quite a bit of “snowshoe spam” from a few providers. Rather than look up
>>> their netblocks and outright block them, I’d like to incorporate them into
>>> the postscreen scoring process.  As time goes on, I’m sure I’ll find others,
>>> but I do see ColoCrossing and Limestone Networks as pretty consistent
>>> sources.
>>>
>>> Are there any RBLs that exclusively deal with blocking by netblock/owner
>>> that I’m missing? Or am I better off just setting up a local RBL with the
>>> things I want to cover?  And while I’m asking, any interesting RBLs you
>>> folks use that are based on non-standard criteria (country-based RBLs, lists
>>> of RFC-ignorant hosts, etc.)?
>>>
>>> Thanks,
>>>
>>> Charles
>
>

Re: OT: Postscreen and scoring/blocking by ISP

allenc

On 30/05/2019 22:21, Allen Coates wrote:
> Currently, I am using a CIDR access-control-list to block (in PostScreen) hosts
> from certain "nuisance" countries.  A weekly script derives the netblocks from
> the zone lists published by http://www.ipdeny.com

A similar script could derive a DNS zone file - with varying levels of "badness"
- if you wanted to run your own RBL...

Allen C

Re: OT: Postscreen and scoring/blocking by ISP

Charles Sprickman

> On May 30, 2019, at 5:38 PM, Allen Coates <[hidden email]> wrote:
>
> On 30/05/2019 22:21, Allen Coates wrote:
>> Currently, I am using a CIDR access-control-list to block (in PostScreen) hosts
>> from certain "nuisance" countries.  A weekly script derives the netblocks from
>> the zone lists published by http://www.ipdeny.com
>
> A similar script could derive a DNS zone file - with varying levels of "badness"
> - if you wanted to run your own RBL…

I see the Cymru guys have an IP to ASN DNS lookup:

https://www.team-cymru.com/IP-ASN-mapping.html#dns

That’s part way there. I can easily find the ASNs I care to penalize.  But still have to figure out how to do something with that in postscreen…

Charles

> Allen C
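Allen's suggestion of deriving a zone file for your own RBL and Charles's question of how to feed that into postscreen can be combined. The script below is an added example, not code from the thread, from Postfix or from rbldnsd; it assumes a hypothetical zone local.rbl.example served from an rbldnsd "ip4set" dataset, and the netblocks are constructed from the RFC 5737 documentation ranges.

```python
# Added example (not from the thread): build a local rbldnsd "ip4set" dataset
# from a hand-maintained list of hosting netblocks, encoding the postscreen
# points wanted for each provider in the last octet of the A record, and emit
# the matching postscreen_dnsbl_sites entries.  Zone name and netblocks are
# constructed (RFC 5737 documentation ranges), not real listings.
import ipaddress

ZONE = "local.rbl.example"  # hypothetical zone served by rbldnsd

# Constructed sample: label -> (points to add in postscreen, CIDR blocks).
# Points stay within 2..9 so the answer 127.0.0.<points> maps back to the
# weight without any further translation.
LOCAL_LIST = {
    "hoster-a": (4, ["192.0.2.0/24", "198.51.100.0/25"]),
    "hoster-b": (5, ["203.0.113.0/24"]),
}

def render_ip4set(entries=LOCAL_LIST):
    """rbldnsd ip4set dataset: 'CIDR :A-value:text', one block per line."""
    lines = ["# generated; A record 127.0.0.N means 'add N points in postscreen'"]
    for label, (points, blocks) in sorted(entries.items()):
        if not 2 <= points <= 9:
            raise ValueError(f"{label}: points {points} outside 2..9")
        for cidr in blocks:
            net = ipaddress.ip_network(cidr)  # rejects malformed blocks early
            lines.append(f"{net} :127.0.0.{points}:{label} listed locally")
    return "\n".join(lines) + "\n"

def render_postscreen_sites(entries=LOCAL_LIST, zone=ZONE):
    """One postscreen_dnsbl_sites item per distinct answer: zone=127.0.0.N*N."""
    codes = sorted({points for points, _ in entries.values()})
    return [f"{zone}=127.0.0.{c}*{c}" for c in codes]

def local_code(ip, entries=LOCAL_LIST):
    """Model the zone's answer for a client IP.  Longest matching prefix wins
    (an assumption about how overlapping entries should resolve); returns
    (A record, points) or None when the IP is not listed."""
    addr = ipaddress.ip_address(ip)
    best = None
    for _, (points, blocks) in entries.items():
        for cidr in blocks:
            net = ipaddress.ip_network(cidr)
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, points)
    return None if best is None else (f"127.0.0.{best[1]}", best[1])

if __name__ == "__main__":
    print(render_ip4set())
    print("postscreen_dnsbl_sites =", ", ".join(render_postscreen_sites()))
    print("postscreen_dnsbl_threshold = 3  # tune together with the weights")
```

rbldnsd loads the written file with a zone argument of the form `local.rbl.example:ip4set:/path/to/file`, and the printed postscreen_dnsbl_sites items go into main.cf next to the public lists, with postscreen_dnsbl_threshold kept in step with the weights.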


Re: OT: Postscreen and scoring/blocking by ISP

Wietse Venema
Charles Sprickman:
> https://www.team-cymru.com/IP-ASN-mapping.html#dns <https://www.team-cymru.com/IP-ASN-mapping.html#dns>
>
> That’s part way there. I can easily find the ASNs I care to penalize.  But still have to figure out how to do something with that in postscreen…

There is no need to do everything in postscreen, especially considering
that the purpose is to block spambots, which is not the same thing
as blocking all spam operators.

For the latter, I have used check_{client,helo,sender}_{ns,mx}_access
to trap mail from different 'domains' that share infrastructure.

        Wietse

Re: OT: Postscreen and scoring/blocking by ISP

Charles Sprickman


> On May 31, 2019, at 7:45 PM, Wietse Venema <[hidden email]> wrote:
>
> Charles Sprickman:
>> https://www.team-cymru.com/IP-ASN-mapping.html#dns <https://www.team-cymru.com/IP-ASN-mapping.html#dns>
>>
>> That’s part way there. I can easily find the ASNs I care to penalize.  But still have to figure out how to do something with that in postscreen…
>
> There is no need to do everything in postscreen, especially considering
> that the purpose is to block spambots, which is not the same thing
> as blocking all spam operators.

I really want to weight against some sources, not block them entirely though...

>
> For the latter, I have used check_{client,helo,sender}_{ns,mx}_access
> to trap mail from different 'domains' that share infrastructure.
>
> Wietse


Re: OT: Postscreen and scoring/blocking by ISP

Bill Cole-3
On 31 May 2019, at 22:03 (-0400), Charles Sprickman wrote:

> I really want to weight against some sources, not block them entirely
> though...

Then the ideal tool is SpamAssassin, not postscreen. It's easy to add
and set the scoring of any DNSBLs you find useful and if you want more
complex logic, that's available as well.


--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Available For Hire
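As an added illustration of Bill's point (not from the thread, from Postfix or from the SpamAssassin project), this local.cf fragment scores a hypothetical local zone local.rbl.example per provider, assuming the zone answers 127.0.0.4 and 127.0.0.5 for two listed hosters; the lookup is restricted to the last external relay so internal hops are never queried.

```conf
# Added example: per-provider weighting against a hypothetical zone
# local.rbl.example.  The "-lastexternal" suffix on the set name limits the
# lookup to the last untrusted relay, so trusted_networks must be correct.
header   __RCVD_IN_LOCALRBL  eval:check_rbl('localrbl-lastexternal', 'local.rbl.example.')
tflags   __RCVD_IN_LOCALRBL  net

# Sub-rules pick out individual answers from the same query.
header   RCVD_IN_LOCALRBL_A  eval:check_rbl_sub('localrbl-lastexternal', '127.0.0.4')
describe RCVD_IN_LOCALRBL_A  Last external relay is in the hoster-a netblocks
tflags   RCVD_IN_LOCALRBL_A  net
score    RCVD_IN_LOCALRBL_A  2.0

header   RCVD_IN_LOCALRBL_B  eval:check_rbl_sub('localrbl-lastexternal', '127.0.0.5')
describe RCVD_IN_LOCALRBL_B  Last external relay is in the hoster-b netblocks
tflags   RCVD_IN_LOCALRBL_B  net
score    RCVD_IN_LOCALRBL_B  2.5

# Weight, don't block: a listing only adds a little on its own, and adds more
# when Bayes also leans spammy.
meta     LOCALRBL_AND_BAYES  (RCVD_IN_LOCALRBL_A || RCVD_IN_LOCALRBL_B) && BAYES_80
score    LOCALRBL_AND_BAYES  1.5
```

Run `spamassassin --lint` after adding the rules to catch syntax mistakes before they reach production.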

Re: OT: Postscreen and scoring/blocking by ISP

Wietse Venema
Charles Sprickman:
> > There is no need to do everything in postscreen, especially considering
> > that the purpose is to block spambots, which is not the same thing
> > as blocking all spam operators.
>
> I really want to weight against some sources, not block them entirely though...

Quoting POSTSCREEN_README:

postscreen(8) is part of a multi-layer defense.

  * As the first layer, postscreen(8) blocks connections from zombies and other
    spambots that are responsible for about 90% of all spam. It is implemented
    as a single process to make this defense as inexpensive as possible.

    ....

  * The fourth layer provides heavy-weight content inspection with external
    content filters. Typical examples are Amavisd-new, SpamAssassin, and Milter
    applications.

In the last layer you get to combine different spamminess indicators
into one verdict.

        Wietse