*Slightly OT* DNSBL Opinions.

Adam C. Mathews
Presently using the following blacklists...

dul.dnsbl.sorbs.net
psbl.surriel.com
zen.spamhaus.org


These do a good job for me, but I wanted to look for opinions on a
couple additional ones.  Specifically looking for false-positive opinions;
adding additional DNS lookups isn't much of a concern to me.

The two I am looking at are ...

hostkarma.junkemailfilter.com
combined.rbl.msrbl.net

Re: *Slightly OT* DNSBL Opinions.

d.hill
On Tue, 19 Aug 2008, Adam C. Mathews wrote:

> Presently using the following blacklists...
>
> dul.dnsbl.sorbs.net
> psbl.surriel.com
> zen.spamhaus.org
>
>
> These do a good job for me, but I wanted to look for opinions on a
> couple additional ones.  Specifically looking for false-positive opinions;
> adding additional DNS lookups isn't much of a concern to me.
>
> The two I am looking at are ...
>
> hostkarma.junkemailfilter.com

I will give the list developer credit for the fact he/she has done
research. However, the list developer has not provided any evidence as to
the results or validity of using this list (even when asked for).

Not to mention, I have not found anywhere on the site where it lists any
price for mass-querying or any data feed service for its zone files. We
purchase data feed service for SpamHaus and query an average of close to
four (4) million every 24 hours.

> combined.rbl.msrbl.net

Don't know much about this list. Perhaps someone else has feedback.

-d

Re: *Slightly OT* DNSBL Opinions.

Stan Hoeppner
I highly recommend you sub to spam-l and post your question there also.
http://www.claws-and-paws.com/spam-l/spam-l.html

FWIW, here's my dnsbl config:

    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client dul.dnsbl.sorbs.net,
    reject_rbl_client dsn.rfc-ignorant.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client relays.mail-abuse.org,
    reject_rbl_client korea.services.net,
    reject_rbl_client web.dnsbl.sorbs.net,
    reject_rbl_client relays.bl.gweep.ca,
    reject_rbl_client proxy.block.transip.nl,
    reject_rbl_client relays.dnsbl.sorbs.net

The only 2 that catch anything regularly, for me, are spamhaus and
sorbs.  The 2nd of these usually only catches stuff when there's a
transient lookup failure to zen.  The korea one stopped two spam in the
last year AFAICT.  I may as well remove the others...

I have more success today with the standard postfix DNS and hostname
checks and an IP block list than with dnsbls.  Recent partial pflogsumm
output summary:

Client host rejected: Access denied (total: 231)
cannot find your hostname (total: 97)
Helo command rejected: need fully-qualified hostname (total: 37)
blocked using zen.spamhaus.org (total: 57)
blocked using dul.dnsbl.sorbs.net (total: 4)

YMMV.


P.S.  I'd look into uribl and implementing your own ban list before
either of the two dnsbls you mentioned.
http://www.uribl.com/
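
Stan's pflogsumm excerpt above shows a per-reason reject count; the same tally can be produced straight from the smtpd log, which also lets you separate the temporary 450 rejects (Postfix's default code for the unknown-client-hostname check, which legitimate senders retry) from hard 5xx rejects. This is an added example, not code from the thread, Postfix or pflogsumm: the log lines are constructed in the shape of Postfix "NOQUEUE: reject:" entries, and `summarize_rejects` and `format_summary` are names chosen here.

```python
"""Tally Postfix smtpd rejections by reason, pflogsumm-style.

Added example for the postfix-users thread, not code from pflogsumm or
Postfix. SAMPLE_LOG is constructed in the shape of Postfix "NOQUEUE:
reject:" entries; the reason keys are the reject texts Postfix emits for
the restrictions named in the thread's summary.
"""
import re
from collections import Counter
from typing import Iterable, Optional, Tuple

# Constructed sample: four kinds of reject plus one accepted message.
SAMPLE_LOG = """\
Aug 19 23:59:34 mx postfix/smtpd[4711]: NOQUEUE: reject: RCPT from unknown[192.0.2.5]: 450 4.7.1 Client host rejected: cannot find your hostname, [192.0.2.5]; from=<a@example.com> to=<b@example.net> proto=ESMTP helo=<mail>
Aug 19 23:59:35 mx postfix/smtpd[4711]: NOQUEUE: reject: RCPT from host.example.org[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using zen.spamhaus.org; from=<c@example.com> to=<b@example.net> proto=ESMTP helo=<host.example.org>
Aug 19 23:59:36 mx postfix/smtpd[4712]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 504 5.5.2 <pc>: Helo command rejected: need fully-qualified hostname; from=<d@example.com> to=<b@example.net> proto=SMTP helo=<pc>
Aug 19 23:59:37 mx postfix/smtpd[4712]: NOQUEUE: reject: RCPT from unknown[203.0.113.10]: 554 5.7.1 <unknown[203.0.113.10]>: Client host rejected: Access denied; from=<e@example.com> to=<b@example.net> proto=SMTP helo=<x>
Aug 19 23:59:38 mx postfix/smtpd[4713]: NOQUEUE: reject: RCPT from unknown[192.0.2.6]: 450 4.7.1 Client host rejected: cannot find your hostname, [192.0.2.6]; from=<f@example.com> to=<b@example.net> proto=ESMTP helo=<mail>
Aug 19 23:59:39 mx postfix/smtpd[4713]: 8F2C12B905: client=mail.example.com[192.0.2.100]
"""

# One smtpd reject line: client, SMTP status code, and the reject text up
# to the "; from=<" that Postfix appends. The enhanced status (4.7.1) is
# optional because not every restriction emits one.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<client>\S+): "
    r"(?P<code>\d{3}) (?:\d\.\d\.\d )?(?P<text>.*?); from=<"
)

# Reject texts in the form pflogsumm's per-reason summary prints them.
KNOWN_REASONS = (
    "cannot find your hostname",
    "Helo command rejected: need fully-qualified hostname",
    "Client host rejected: Access denied",
)


def reject_reason(text: str) -> str:
    """Reduce a reject text to a short, countable key."""
    m = re.search(r"blocked using ([^\s;]+)", text)
    if m:
        return "blocked using " + m.group(1)   # one key per DNSBL zone
    for key in KNOWN_REASONS:
        if key in text:
            return key
    return "other: " + text


def parse_reject(line: str) -> Optional[dict]:
    """Return client, SMTP code and reason for a reject line, else None."""
    m = REJECT_RE.search(line)
    if m is None:
        return None   # accepted mail, or not an smtpd reject at all
    return {"client": m["client"], "code": int(m["code"]),
            "reason": reject_reason(m["text"])}


def summarize_rejects(lines: Iterable[str]) -> Tuple[Counter, Counter]:
    """Count rejects per reason; the second counter holds the 4xx subset.

    A 450 reject is a temporary failure: a legitimate sender with a broken
    reverse DNS entry retries and shows up again, so those counts overstate
    the number of distinct senders turned away.
    """
    total, temporary = Counter(), Counter()
    for line in lines:
        rej = parse_reject(line)
        if rej is None:
            continue
        total[rej["reason"]] += 1
        if 400 <= rej["code"] < 500:
            temporary[rej["reason"]] += 1
    return total, temporary


def format_summary(total: Counter, temporary: Counter) -> str:
    """Render 'reason (total: N)' lines, flagging temporary rejects."""
    out = []
    for reason, n in total.most_common():
        line = f"{reason} (total: {n})"
        if temporary[reason]:
            line += f"  [{temporary[reason]} temporary 4xx]"
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    print(format_summary(*summarize_rejects(SAMPLE_LOG.splitlines())))
```

Run it against a real maillog with `summarize_rejects(open("/var/log/mail.log"))` to see which restriction is doing the work before deciding which zones to keep.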

Re: *Slightly OT* DNSBL Opinions.

Ralf Hildebrandt
* Stan Hoeppner <[hidden email]>:
> I highly recommend you sub to spam-l and post your question there also.
> http://www.claws-and-paws.com/spam-l/spam-l.html
>
> FWIW, here's my dnsbl config:
>
> reject_rbl_client zen.spamhaus.org,
>          reject_rbl_client dul.dnsbl.sorbs.net,

>          reject_rbl_client dsn.rfc-ignorant.org,
That's wrong.
           reject_rbl_sender dsn.rfc-ignorant.org
           
>          reject_rbl_client bl.spamcop.net,

>          reject_rbl_client relays.mail-abuse.org,
Dead, Jim

>          reject_rbl_client korea.services.net,
>          reject_rbl_client web.dnsbl.sorbs.net,
>          reject_rbl_client relays.bl.gweep.ca,

>          reject_rbl_client proxy.block.transip.nl,
I *think* this one may be dead as well.

>          reject_rbl_client relays.dnsbl.sorbs.net

--
Ralf Hildebrandt ([hidden email])          [hidden email]
Postfix - Einrichtung, Betrieb und Wartung       Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de                              I'm looking for a job
He may look like an idiot and talk like an idiot but don't let that
fool you. He really is an idiot. - Groucho Marx

Re: *Slightly OT* DNSBL Opinions.

Stan Hoeppner
Thanks for the pruning tips Ralf.  I figured some of those were dead,
just hadn't bothered to do any verification recently.

Re: *Slightly OT* DNSBL Opinions.

Ralf Hildebrandt
* Stan Hoeppner <[hidden email]>:
> Thanks for the pruning tips Ralf.  I figured some of those were dead,  
> just hadn't bothered to do any verification recently.

There COULD be something in the logs. It can be dangerous to leave
those old entries in, since the DNS servers could return 127.0.0.1
anytime...

If the admins are pissed off enough.

--
Ralf Hildebrandt ([hidden email])          [hidden email]
Postfix - Einrichtung, Betrieb und Wartung       Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de                              I'm looking for a job
It is impossible to sharpen a pencil with a blunt axe. It is equally
vain to try to do it with ten blunt axes instead.  -- E. W. Dijkstra

Re: *Slightly OT* DNSBL Opinions.

Aaron Wolfe
On Tue, Aug 19, 2008 at 11:41 PM, Duane Hill <[hidden email]> wrote:

> On Tue, 19 Aug 2008, Adam C. Mathews wrote:
>
>> Presently using the following blacklists...
>>
>> dul.dnsbl.sorbs.net
>> psbl.surriel.com
>> zen.spamhaus.org
>>
>>
>> These do a good job for me, but I wanted to look for opinions on a
>> couple additional ones.  Specifically looking for false-positive opinions;
>> adding additional DNS lookups isn't much of a concern to me.
>>
>> The two I am looking at are ...
>>
>> hostkarma.junkemailfilter.com

Evaluated this one about a year ago.  Too many false positives to use
as a block list, but I do include it as a spamassassin check.  Using
the list as the author intends is difficult in postfix without a
policy filter, because the list returns several different values with
different meanings.

>
> I will give the list developer credit for the fact he/she has done research.
> However, the list developer has not provided any evidence as to the results
> or validity of using this list (even when asked for).
>
> Not to mention, I have not found anywhere on the site where it lists any
> price for mass-querying or any data feed service for its zone files. We
> purchase data feed service for SpamHaus and query an average of close to
> four (4) million every 24 hours.
>
>> combined.rbl.msrbl.net
>
> Don't know much about this list. Perhaps someone else has feedback.
>
> -d
>

I would also take a good look at the 'invaluement antispam rbl', see
http://dnsbl.invaluement.com/
This list performs extremely well for us.

-Aaron

Re: *Slightly OT* DNSBL Opinions.

Stan Hoeppner
Aaron Wolfe wrote:
> I would also take a good look at the 'invaluement antispam rbl', see
> http://dnsbl.invaluement.com/
> This list performs extremely well for us.

That's Rob's list, haha!  It's cool to hear folks are using it.  He's
been plugging it on spam-l for a while.  I know he's put much hard work
into it.  He had me test drive his web interface a few weeks ago.  He
was missing quite a few listings I had so I forwarded him the "usable by
others" portion of my block list.  I hope he added them as they are all
venerable, dedicated, annoying snowshoe spammers.

Anyway, glad to hear you're having success with Rob's list.

Spam from hotmail servers - how to kill?

Bugzilla from j@mesrobertson.com
Recently we noticed an increase in junk and discovered that it's coming
from Hotmail (and to a lesser extent Yahoo).

The problem is that these spammers are smarter than the average spammer.

They don't spam flat out all the time (not to us anyway), and since the
mail comes from Hotmail's servers and they use a Hotmail address
<[hidden email]>, they get by Postfix and SpamAssassin
quite easily.

I have not tested it but I would imagine greylisting would fail since
hotmail's servers will do the normal thing and retry later (using same
sender address etc).

Most of what we have been getting is drug-related junk, so I increased
the scores in SpamAssassin accordingly, which has helped, but some still
gets by based on different content in the messages, and obviously if they
change tactics and start doing weight loss etc. then it will probably get in.

We cannot block hotmail due to valid mail coming from there.  Is there a
way in Postfix that could filter out this junk somehow?

Below are some examples:

##########################################################

Microsoft Mail Internet Headers Version 2.0
Received: from mail.icfrith.com.au ([XXX.XXX.XXX.XXX]) by
icfmail1.icfrith.com.au with Microsoft SMTPSVC(5.0.2195.6713);
             Tue, 19 Aug 2008 23:59:42 +1000
Received: from localhost (localhost.localdomain [127.0.0.1])
            by mail.icfrith.com.au (Postfix) with ESMTP id DD64D2B959
            for <[hidden email]>; Tue, 19 Aug 2008 23:59:43 +1000
(EST)
X-Virus-Scanned: Debian amavisd-new at icfrith.com.au
X-Spam-Score: -0.144
X-Spam-Level:
X-Spam-Status: No, score=-0.144 required=5.31 tests=[BAYES_00=-2.599,
            DCC_CHECK=2.17, DRUGS_ERECTILE=0.282, HTML_MESSAGE=0.001,
            ONLINE_PHARMACY=0.001, TVD_VISIT_PHARMA=0.001]
Received: from mail.icfrith.com.au ([127.0.0.1])
            by localhost (icfsydmxg-vm.icfrith.com.au [127.0.0.1])
(amavisd-new, port 10024)
            with ESMTP id JLdoDGWcLqRX for <[hidden email]>;
            Tue, 19 Aug 2008 23:59:40 +1000 (EST)
Received: from blu0-omc3-s29.blu0.hotmail.com
(blu0-omc3-s29.blu0.hotmail.com [65.55.116.104])
            by mail.icfrith.com.au (Postfix) with ESMTP id 00ED62B905
            for <[hidden email]>; Tue, 19 Aug 2008 23:59:34 +1000
(EST)
Received: from BLU135-W36 ([65.55.116.73]) by
blu0-omc3-s29.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
             Tue, 19 Aug 2008 06:59:27 -0700
Message-ID: <[hidden email]>
Content-Type: multipart/alternative;
            boundary="_605a643e-57e1-4566-b4f5-80149ef06c75_"
X-Originating-IP: [68.97.155.25]
From: Nancy Johnson <[hidden email]>
To: <[hidden email]>
Subject: Back into the youth - only with Viagra Professional
Date: Tue, 19 Aug 2008 13:59:26 +0000
Importance: High
MIME-Version: 1.0
X-OriginalArrivalTime: 19 Aug 2008 13:59:27.0695 (UTC)
FILETIME=[CB5F55F0:01C90203]
Return-Path: [hidden email]
 
--_605a643e-57e1-4566-b4f5-80149ef06c75_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
 
--_605a643e-57e1-4566-b4f5-80149ef06c75_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
 
 
--_605a643e-57e1-4566-b4f5-80149ef06c75_--

#################################################################

Microsoft Mail Internet Headers Version 2.0
Received: from mail.icfrith.com.au ([XXX.XXX.XXX.XXX]) by
icfmail1.icfrith.com.au with Microsoft SMTPSVC(5.0.2195.6713);
             Tue, 19 Aug 2008 20:55:59 +1000
Received: from localhost (localhost.localdomain [127.0.0.1])
            by mail.icfrith.com.au (Postfix) with ESMTP id 5A7AC2B961
            for <[hidden email]>; Tue, 19 Aug 2008 20:56:00 +1000
(EST)
X-Virus-Scanned: Debian amavisd-new at icfrith.com.au
X-Spam-Score: 1.728
X-Spam-Level: *
X-Spam-Status: No, score=1.728 required=5.31 tests=[BAYES_50=0.001,
            DRUGS_ERECTILE=0.282, FB_CIALIS_LEO3=1.441, HTML_MESSAGE=0.001,
            SUBJECT_DRUG_GAP_C=0.003]
Received: from mail.icfrith.com.au ([127.0.0.1])
            by localhost (icfsydmxg-vm.icfrith.com.au [127.0.0.1])
(amavisd-new, port 10024)
            with ESMTP id oFVqnG2CBkCi for <[hidden email]>;
            Tue, 19 Aug 2008 20:55:52 +1000 (EST)
Received: from blu0-omc2-s17.blu0.hotmail.com
(blu0-omc2-s17.blu0.hotmail.com [65.55.111.92])
            by mail.icfrith.com.au (Postfix) with ESMTP id 6700E2B905
            for <[hidden email]>; Tue, 19 Aug 2008 20:55:45 +1000
(EST)
Received: from BLU118-W8 ([65.55.111.72]) by
blu0-omc2-s17.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
             Tue, 19 Aug 2008 03:55:42 -0700
Message-ID: <[hidden email]>
Content-Type: multipart/alternative;
            boundary="_de1bbbbe-6bd9-42f3-a8c2-16a3ba887632_"
X-Originating-IP: [119.141.38.224]
From: Nancy Taylor <[hidden email]>
To: <[hidden email]>
Subject: Amplify your sexual power with Soft Cialis.
Date: Tue, 19 Aug 2008 10:55:42 +0000
Importance: High
MIME-Version: 1.0
X-OriginalArrivalTime: 19 Aug 2008 10:55:42.0785 (UTC)
FILETIME=[20039310:01C901EA]
Return-Path: [hidden email]
 
--_de1bbbbe-6bd9-42f3-a8c2-16a3ba887632_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
 
--_de1bbbbe-6bd9-42f3-a8c2-16a3ba887632_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
 
 
--_de1bbbbe-6bd9-42f3-a8c2-16a3ba887632_--

Re: Spam from hotmail servers - how to kill?

Stan Hoeppner
In this scenario you're better off trying to help others clean up their
networks than to try to block or filter based on the content.  As you
stated, they are the gorillas of mail and you can't really block them.
So, work with them.  Believe it or not, these records are published
because people are behind those phone numbers and addresses.  Help them
to do their jobs by getting them the information they need.

OrgAbuseHandle: HOTMA-ARIN
OrgAbuseName:   Hotmail Abuse
OrgAbusePhone:  +1-425-882-8080
OrgAbuseEmail:  [hidden email]

OrgAbuseHandle: IC146-ARIN
OrgAbuseName:   Cox Communications, Inc
OrgAbusePhone:  +1-404-269-7626
OrgAbuseEmail:  [hidden email]

Send a copy of the original email below with full headers to the above
addresses.  The originating client IP is in Cox's broadband cable
network in Oklahoma:

Name: ip68-97-155-25.ok.ok.cox.net
Address: 68.97.155.25

M$ can put a hold on or disable the Hotmail account.  Cox can either
kill the customer if he/she is a repeat offender or assist in getting
the PC cleaned up if it's a zombie infection.

Re: Spam from hotmail servers - how to kill?

Henrik K
On Thu, Aug 21, 2008 at 01:10:32PM +1000, James Robertson wrote:
>
> Recently we noticed an increase in junk and discovered that it's coming  
> from Hotmail (and to a lesser extent Yahoo).
>
> X-Spam-Status: No, score=-0.144 required=5.31 tests=[BAYES_00=-2.599,
> ...
> X-Spam-Status: No, score=1.728 required=5.31 tests=[BAYES_50=0.001,
> ...

Bayes plays a big factor here. Train it better.

Also more people might find this useful:
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5861

SA 3.2.5 requires the DKIM patch there. Otherwise you come up with too many
clean tokens from places that sign all mail.

I've had good results also with the patch there that removes all
"(?:gmail|yahoo|hotmail)" tokens. They are just too common and are biased to
be ham.

Please reply to spamassassin-users, remove postfix-users.

Re: *Slightly OT* DNSBL Opinions.

Stan Hoeppner
Rob McEwen wrote:

> Stan Hoeppner wrote:
>> That's Rob's list, haha!  It's cool to hear folks are using it.  He's
>> been plugging it on spam-l for a while.
> Stan, I really do like you... and I don't want to make an enemy out of
> you... but there are massive mis-characterizations in that statement
> above... to a point where I'm offended. (1) Since my original
> announcement about my lists (about 17 months ago!), I think I've
> averaged mentioning my lists on SPAM-L about once every two months...
> all within proper context... and about half of these in response to
> others bringing it up... and not at all in many, many recent weeks.
> Seriously, is that "plugging it for a while"? (you make me sound like a
> slimy used car salesman and, in the context of what actually happened,
> I'm a little offended by that!)

I'll make this brief as we're way OT for the postfix-users list and then
go off list for the rest.  I just want my apology to be in public, as it
was not at all my intention to portray Rob as a slimy used car salesman!
"Plugging" was a very bad word choice.  To correct myself:

"Rob's list had been mentioned a few times on spam-l in recent months."

Again Rob, I'm sorry.

Re: Spam from hotmail servers - how to kill?

lst_hoe02
Quoting Stan Hoeppner <[hidden email]>:

> In this scenario you're better off trying to help others clean up their
> networks than to try to block or filter based on the content.  As you
> stated, they are the Gorillas of mail and you can't really block them.
> So, work with them.  Believe it or not, these records are published
> because people are behind those phone numbers and addresses.  Help them
> to do their jobs by getting them the information they need.
>
> OrgAbuseHandle: HOTMA-ARIN
> OrgAbuseName:   Hotmail Abuse
> OrgAbusePhone:  +1-425-882-8080
> OrgAbuseEmail:  [hidden email]

Sorry but I have to disagree in this case. MSN/Hotmail has not really
done anything for a long time to get rid of the spammers and their
abuse desk is some kind of bad joke.
We regularly get answers like "you need a Hotmail account to report
spam" or "the injection IP is not in our network so it's not our
problem" or "it is no Hotmail sender address" from them.

Because of this we have decided to block Hotmail servers for our most  
affected accounts. No one who cares should use Hotmail anyway.

Regards

Andreas

--
All your trash belong to us ;-)  www.spamschlucker.org
To: [hidden email]

Re: Spam from hotmail servers - how to kill?

Benny Pedersen

On Thu, August 21, 2008 05:10, James Robertson wrote:

> We cannot block hotmail due to valid mail coming from there.  Is there a
> way in Postfix that could filter out this junk somehow?

Hotmail uses SPF, let the recipient benefit from this: whitelist senders from
the address book with SPF at MTA level, no need to be smart :)

short:

don't whitelist *@hotmail.com
whitelist [hidden email]

this will stop most spammers trying again

why is there no squirrelmail plugin that modifies an SPF policyd?

DKIM is nice, but implementations need body testing :(

--
Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098

Re: Spam from hotmail servers - how to kill?

Bugzilla from j@mesrobertson.com
> Hotmail uses SPF, let the recipient benefit from this: whitelist senders from
> the address book with SPF at MTA level, no need to be smart :)

I'm not sure I understand what you mean by this; could you elaborate?  The
email is coming from Hotmail's servers and therefore SPF is valid.

> short:
>
> don't whitelist *@hotmail.com
> whitelist [hidden email]

I had considered that, but manually adding/maintaining addresses would be a
pain in the neck frankly.  I briefly surveyed the logs for valid Hotmail
email and it turns out there is quite a lot being received by the mail
server, "unfortunately".

I have emailed [hidden email] as recommended here by Stan and will see
what happens, but I think jumping on SpamAssassin's mailing list as
suggested by Henrik and using Bayes better will be my best bet by the
sounds of it.

Thanks

Re: *Slightly OT* DNSBL Opinions.

Ralf Hildebrandt
* Aaron Wolfe <[hidden email]>:

> >> hostkarma.junkemailfilter.com
>
> Evaluated this one about a year ago.  Too many false positives to use
> as a block list,

Amen, I activated it for 30 seconds (!) and had 3 FPs during that time.
That was because I used it incorrectly...

> but I do include it as a spamassassin check.  Using the list as the
> author intends is difficult in postfix without a policy filter, because
> the list returns several different values with different meanings.

Exactly.
http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists#Postfix_Examples
this example lacks the usage described further down in "Name Based DNS
Lookup"

   reject_rbl_sender hostkarma.junkemailfilter.com=127.0.0.2

--
Ralf Hildebrandt ([hidden email])          [hidden email]
Postfix - Einrichtung, Betrieb und Wartung       Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de                              I'm looking for a job
A bus station is where buses stop. A train station is where trains stop.
On my desk, there is a workstation...
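Ralf's three false positives in thirty seconds and Aaron's remark that the list returns several values with different meanings are the same issue: a DNSBL that encodes a status in its answer cannot be used as if any answer meant "listed". The Python below is an added example written for this thread, not code from the list's wiki or from junkemailfilter.com. It replaces DNS with a constructed in-memory resolver so it runs offline, builds the reversed-octet query name (and the plain name form that `reject_rbl_sender` uses for a domain), and compares the two Postfix behaviours: `reject_rbl_client zone` with no `=code`, which rejects on any answer, against `reject_rbl_client zone=127.0.0.2`, which rejects only on the blacklist code. Of the return codes, only 127.0.0.2 comes from the thread; the meaning attached to the other codes is an assumption and must be checked against the list's own documentation before use.

```python
import ipaddress

ZONE = "hostkarma.junkemailfilter.com"

# Return codes for this example. 127.0.0.2 is the code used in the wiki's
# reject_rbl_sender line; every other meaning here is ASSUMED for illustration
# and must be verified against the list's documentation.
CODE_MEANING = {
    "127.0.0.1": "assumed: host the list vouches for",
    "127.0.0.2": "blacklist (code quoted in the thread)",
    "127.0.0.3": "assumed: some status other than blacklist",
}

# Constructed stand-in for DNS: query name -> A records; a missing key is NXDOMAIN.
FAKE_DNS = {
    "4.3.2.1." + ZONE: ["127.0.0.2"],          # constructed: a listed spam source
    "8.7.6.5." + ZONE: ["127.0.0.1"],          # constructed: a host the list vouches for
    "12.11.10.9." + ZONE: ["127.0.0.3"],       # constructed: a host with another status
    "spammer.example." + ZONE: ["127.0.0.2"],  # constructed: name-based entry for a sender domain
}


def dnsbl_query_name(client, zone=ZONE):
    """Lookup name for a client: reversed octets for an IPv4 address, the plain
    name for a hostname or sender domain (what reject_rbl_sender queries)."""
    try:
        ip = ipaddress.IPv4Address(client)
    except ipaddress.AddressValueError:
        return client.rstrip(".").lower() + "." + zone
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def lookup(client, zone=ZONE, resolver=FAKE_DNS):
    """Return the list of A records for the client, or [] when not listed."""
    return resolver.get(dnsbl_query_name(client, zone), [])


def naive_decision(client, zone=ZONE, resolver=FAKE_DNS):
    """reject_rbl_client ZONE with no '=code': any answer at all means reject."""
    return "REJECT" if lookup(client, zone, resolver) else "DUNNO"


def exact_decision(client, zone=ZONE, resolver=FAKE_DNS, reject_codes=("127.0.0.2",)):
    """reject_rbl_client ZONE=127.0.0.2: only the blacklist code means reject."""
    answers = lookup(client, zone, resolver)
    return "REJECT" if any(a in reject_codes for a in answers) else "DUNNO"


def compare(client):
    """Show both decisions side by side with the decoded answer."""
    answers = lookup(client)
    meanings = [CODE_MEANING.get(a, "unknown code") for a in answers]
    return {
        "query": dnsbl_query_name(client),
        "answers": answers,
        "meaning": meanings,
        "no_code": naive_decision(client),
        "with_code": exact_decision(client),
    }


if __name__ == "__main__":
    # Constructed clients: listed, vouched-for, other status, not listed, and a sender domain.
    for client in ("1.2.3.4", "5.6.7.8", "9.10.11.12", "198.51.100.7", "spammer.example"):
        print(compare(client))
```

The vouched-for host (5.6.7.8) is rejected by the no-code form and passed by the `=127.0.0.2` form; that difference is the whole of Ralf's "used it incorrectly". The same reasoning applies to any list that multiplexes statuses into its return codes: match on the exact code, or hand the answer to a policy filter or SpamAssassin rule that understands it.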

Re: *Slightly OT* DNSBL Opinions.

Ralf Hildebrandt
* Ralf Hildebrandt <[hidden email]>:

> Exactly.
> http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists#Postfix_Examples
> this example lacks the usage described further down in "Name Based DNS
> Lookup"
>
>    reject_rbl_sender hostkarma.junkemailfilter.com=127.0.0.2

I fixed that now in the aforementioned wiki.

--
Ralf Hildebrandt ([hidden email])          [hidden email]
Postfix - Einrichtung, Betrieb und Wartung       Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de                              I'm looking for a job
What is this "XP pro"? Does this make "XP" unprofessional?

Re: *Slightly OT* DNSBL Opinions.

Geert Hendrickx
In reply to this post by Adam C. Mathews
On Tue, Aug 19, 2008 at 09:27:39PM -0400, Adam C. Mathews wrote:

> Presenting using the following blacklists...
>
> dul.dnsbl.sorbs.net
> psbl.surriel.com
> zen.spamhaus.org
>
>
> These do a good job for me, but I wanted to look for opinions on a
> couple additional ones.  Specifically look for false-positive opinions,
> adding additional DNS lookups isn't much concern to me.
>
> The two I am looking at are ...
>
> hostkarma.junkemailfilter.com
> combined.rbl.msrbl.net
>



The following site gives its own stats for a number of public DNSBLs:

http://stats.dnsbl.com/

Might be interesting for comparison.


        Geert



Re: Spam from hotmail servers - how to kill?

Bugzilla from j@mesrobertson.com
In reply to this post by Bugzilla from j@mesrobertson.com
James Robertson wrote:

> Recently we noticed an increase in junk and discovered that it's
> coming from Hotmail (and to a lesser extent Yahoo).
>
> The problem is that these spammers are smarter than the average spammer.
>
> They don't spam flat out all the time (not to us anyway) and since the
> mail comes from hotmail's servers and they use a Hotmail address
> "<[hidden email]> then they get by Postfix and Spamassassin
> quite easily.
>
> I have not tested it but I would imagine greylisting would fail since
> hotmail's servers will do the normal thing and retry later (using same
> sender address etc).
>
> Most of what we have been getting is drugs-related junk so I increased
> the scores in Spamassassin accordingly, which has helped, but some still
> gets by based on different content in the messages and obviously if
> they change tactics and start doing weight loss etc. then it will
> probably get in.
>
> We cannot block hotmail due to valid mail coming from there.  Is there
> a way in Postfix that could filter out this junk somehow?
>
> Below are some examples
>
> ##########################################################
>
> Microsoft Mail Internet Headers Version 2.0
> Received: from mail.icfrith.com.au ([XXX.XXX.XXX.XXX]) by
> icfmail1.icfrith.com.au with Microsoft SMTPSVC(5.0.2195.6713);
>             Tue, 19 Aug 2008 23:59:42 +1000
> Received: from localhost (localhost.localdomain [127.0.0.1])
>            by mail.icfrith.com.au (Postfix) with ESMTP id DD64D2B959
>            for <[hidden email]>; Tue, 19 Aug 2008 23:59:43
> +1000 (EST)
> X-Virus-Scanned: Debian amavisd-new at icfrith.com.au
> X-Spam-Score: -0.144
> X-Spam-Level:
> X-Spam-Status: No, score=-0.144 required=5.31 tests=[BAYES_00=-2.599,
>            DCC_CHECK=2.17, DRUGS_ERECTILE=0.282, HTML_MESSAGE=0.001,
>            ONLINE_PHARMACY=0.001, TVD_VISIT_PHARMA=0.001]
> Received: from mail.icfrith.com.au ([127.0.0.1])
>            by localhost (icfsydmxg-vm.icfrith.com.au [127.0.0.1])
> (amavisd-new, port 10024)
>            with ESMTP id JLdoDGWcLqRX for <[hidden email]>;
>            Tue, 19 Aug 2008 23:59:40 +1000 (EST)
> Received: from blu0-omc3-s29.blu0.hotmail.com
> (blu0-omc3-s29.blu0.hotmail.com [65.55.116.104])
>            by mail.icfrith.com.au (Postfix) with ESMTP id 00ED62B905
>            for <[hidden email]>; Tue, 19 Aug 2008 23:59:34
> +1000 (EST)
> Received: from BLU135-W36 ([65.55.116.73]) by
> blu0-omc3-s29.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
>             Tue, 19 Aug 2008 06:59:27 -0700
> Message-ID: <[hidden email]>
> Content-Type: multipart/alternative;
>            boundary="_605a643e-57e1-4566-b4f5-80149ef06c75_"
> X-Originating-IP: [68.97.155.25]
> From: Nancy Johnson <[hidden email]>
> To: <[hidden email]>
> Subject: Back into the youth - only with Viagra Professional
> Date: Tue, 19 Aug 2008 13:59:26 +0000
> Importance: High
> MIME-Version: 1.0
> X-OriginalArrivalTime: 19 Aug 2008 13:59:27.0695 (UTC)
> FILETIME=[CB5F55F0:01C90203]
> Return-Path: [hidden email]
>
> --_605a643e-57e1-4566-b4f5-80149ef06c75_
> Content-Type: text/plain; charset="iso-8859-1"
> Content-Transfer-Encoding: quoted-printable
>
> --_605a643e-57e1-4566-b4f5-80149ef06c75_
> Content-Type: text/html; charset="iso-8859-1"
> Content-Transfer-Encoding: quoted-printable
>
>
> --_605a643e-57e1-4566-b4f5-80149ef06c75_--
>
> #################################################################
>
> Microsoft Mail Internet Headers Version 2.0
> Received: from mail.icfrith.com.au ([XXX.XXX.XXX.XXX]) by
> icfmail1.icfrith.com.au with Microsoft SMTPSVC(5.0.2195.6713);
>             Tue, 19 Aug 2008 20:55:59 +1000
> Received: from localhost (localhost.localdomain [127.0.0.1])
>            by mail.icfrith.com.au (Postfix) with ESMTP id 5A7AC2B961
>            for <[hidden email]>; Tue, 19 Aug 2008 20:56:00
> +1000 (EST)
> X-Virus-Scanned: Debian amavisd-new at icfrith.com.au
> X-Spam-Score: 1.728
> X-Spam-Level: *
> X-Spam-Status: No, score=1.728 required=5.31 tests=[BAYES_50=0.001,
>            DRUGS_ERECTILE=0.282, FB_CIALIS_LEO3=1.441,
> HTML_MESSAGE=0.001,
>            SUBJECT_DRUG_GAP_C=0.003]
> Received: from mail.icfrith.com.au ([127.0.0.1])
>            by localhost (icfsydmxg-vm.icfrith.com.au [127.0.0.1])
> (amavisd-new, port 10024)
>            with ESMTP id oFVqnG2CBkCi for <[hidden email]>;
>            Tue, 19 Aug 2008 20:55:52 +1000 (EST)
> Received: from blu0-omc2-s17.blu0.hotmail.com
> (blu0-omc2-s17.blu0.hotmail.com [65.55.111.92])
>            by mail.icfrith.com.au (Postfix) with ESMTP id 6700E2B905
>            for <[hidden email]>; Tue, 19 Aug 2008 20:55:45
> +1000 (EST)
> Received: from BLU118-W8 ([65.55.111.72]) by
> blu0-omc2-s17.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
>             Tue, 19 Aug 2008 03:55:42 -0700
> Message-ID: <[hidden email]>
> Content-Type: multipart/alternative;
>            boundary="_de1bbbbe-6bd9-42f3-a8c2-16a3ba887632_"
> X-Originating-IP: [119.141.38.224]
> From: Nancy Taylor <[hidden email]>
> To: <[hidden email]>
> Subject: Amplify your sexual power with Soft Cialis.
> Date: Tue, 19 Aug 2008 10:55:42 +0000
> Importance: High
> MIME-Version: 1.0
> X-OriginalArrivalTime: 19 Aug 2008 10:55:42.0785 (UTC)
> FILETIME=[20039310:01C901EA]
> Return-Path: [hidden email]
>
> --_de1bbbbe-6bd9-42f3-a8c2-16a3ba887632_
> Content-Type: text/plain; charset="iso-8859-1"
> Content-Transfer-Encoding: quoted-printable
>
> --_de1bbbbe-6bd9-42f3-a8c2-16a3ba887632_
> Content-Type: text/html; charset="iso-8859-1"
> Content-Transfer-Encoding: quoted-printable
>
>
> --_de1bbbbe-6bd9-42f3-a8c2-16a3ba887632_--
>
>

I sent this a little while ago and had some helpful responses but I had
an idea last night and would like some feedback.

It's easiest if I use an example.

[hidden email] is a valid email address
[hidden email] is a spammer address.

[hidden email] sends an email to [hidden email].
The message is held with a timeout before it is purged from the hold
queue, e.g. 5 days, because the domain is hotmail.com, and an identifier is
associated with the message somehow.
An email message is sent back to the address asking them to resend a
message with a key (specific words or characters in the subject line,
body or both).
The sender responds with the requested info.
The message is received and processed perhaps with procmail or similar
which matches the key to the identifier and then releases the message
and marks the hotmail address as a valid one so it does not hold any
further emails from [hidden email].

[hidden email] sends junk mail to [hidden email].
The message is held because the domain is hotmail.com and an identifier
is associated with the message.
An email message is sent back to the address asking them to resend a
message with a key (specific words or characters in the subject line or
body or both).
The spammer doesn't respond to the request and the mail is held for 5
days before being purged.

It could probably use a web interface running on the mail server the
sender could go to and even use a captcha or something........

I'm not sure if anything like this exists already and if it does could
someone please direct me to it.

Unfortunately I'm not a programmer (but I'm learning) so implementing
this would be a very long and laborious task for me.

Any suggestions or advice appreciated.

Thanks.



Re: Spam from hotmail servers - how to kill?

mouss-2
James Robertson wrote:
> I sent this a little while ago and had some helpful responses but I had
> an idea last night and would like some feedback.

consider starting a new thread. most people will miss this old thread.

>
> It's easiest if I use an example.
>
> [hidden email] is a valid email address
> [hidden email] is a spammer address.
>
> [hidden email] sends an email to [hidden email].
> The message is held with a timeout before it is purged from the hold
> queue, e.g. 5 days, because the domain is hotmail.com, and an identifier is
> associated with the message somehow.
> An email message is sent back to the address asking them to resend a
> message with a key (specific words or characters in the subject line,
> body or both).
> The sender responds with the requested info.
> The message is received and processed perhaps with procmail or similar
> which matches the key to the identifier and then releases the message
> and marks the hotmail address as a valid one so it does not hold any
> further emails from [hidden email].
>
> [hidden email] sends junk mail to [hidden email].
> The message is held because the domain is hotmail.com and an identifier
> is associated with the message.
> An email message is sent back to the address asking them to resend a
> message with a key (specific words or characters in the subject line or
> body or both).
> The spammer doesn't respond to the request and the mail is held for 5
> days before being purged.
>


if a spammer forges my address, I will respond so that you get a lot of
spam. There is no reason to pass your junk filtering to me.

if a spammer uses a trap as sender, you'll end up in a blacklist.

This has a name: Challenge-Response (C/R). it's bad. spammers forge
sender addresses, so notifying the forged sender is spam.

do not delegate your spam filtering to strangers.

http://www.spamcop.net/fom-serve/cache/329.html
http://www.politechbot.com/p-04746.html

see also the links on:
http://spamlinks.net/filter-cr.htm#issues-harmful


> It could probably use a web interface running on the mail server the
> sender could go to and even use a captcha or something........
>
> I'm not sure if anything like this exists already and if it does could
> someone please direct me to it.
>
> Unfortunately I'm not a programmer (but I'm learning) so implementing
> this would be a very long and laborious task for me.
>
> Any suggestions or advice appreciated.


Fix your Bayes. having BAYES_00 trigger on pharma junk is a sign that
your Bayes data is corrupted. empty your Bayes db and start again. it is
possible that your AWL is polluted too. disable AWL until you are
comfortable that you can make it work correctly. and train your Bayes.
it should yield BAYES_99 on such crap.

Followup on the spamassassin-users list.