Spam problem


Spam problem

HL
Hi list,
Just by looking at the headers "Return-Path", "From:" and  "To:"
one can sense that the following is spam ...

---------------------------------------------------------------------------------------------------
Return-Path: <[hidden email]>
X-Original-To: [hidden email]
Delivered-To: [hidden email]
Received: from localhost (unknown [127.0.0.1])
        by mail.example.gr (Postfix) with ESMTP id D17E557547EC
        for <[hidden email]>; Tue, 14 Jun 2011 00:39:48 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at mail.example.gr
Received: from mail.example.gr ([127.0.0.1])
        by localhost (mail.example.gr [127.0.0.1]) (amavisd-new, port 10024)
        with LMTP id yHroNA2goYHC for <[hidden email]>;
        Tue, 14 Jun 2011 00:39:40 +0300 (EEST)
Received: from [186.194.3.66] (unknown [186.194.3.66])
        by mail.example.gr (Postfix) with ESMTP id 7567357547E2
        for <[hidden email]>; Tue, 14 Jun 2011 00:39:39 +0300 (EEST)
Received: from [95.53.111.119] (helo=uvthdjg.mnghdffxosiys.net)
        by  with esmtpa (Exim 4.69)
        (envelope-from )
        id 1MMI1H-7816uo-2U
        for [hidden email]; Mon, 13 Jun 2011 18:39:39 -0300
From: <[hidden email]>
To: <[hidden email]>
Subject: Re: CV 54
---------------------------------------------------------------------------------------------------
a) HELO host uvthdjg.mnghdffxosiys.net does not have an IP
b) rDNS for 95.53.111.119 gives pppoe.95-53-111-119.dynamic.lenobl.avangarddsl.ru
c) Envelope sender, i.e. "Return-Path", is different from the From: header
d) From: and To: headers are pretending to be postmaster @ my domain.


Is there an RFC-compliant way to reject this???
Thanks in advance for your help.


Regards

Harry.



Re: Spam problem

Ansgar Wiechers
On 2011-06-14 Harry Lachanas ( via Freemail ) wrote:

> Just by looking at the headers "Return-Path", "From:" and  "To:"
> one can sense that the following is spam ...
>
> ---------------------------------------------------------------------------------------------------
> Return-Path:<[hidden email]>
> X-Original-To: [hidden email]
> Delivered-To: [hidden email]
> Received: from localhost (unknown [127.0.0.1])
>         by mail.example.gr (Postfix) with ESMTP id D17E557547EC
>         for<[hidden email]>; Tue, 14 Jun 2011 00:39:48 +0300 (EEST)
> X-Virus-Scanned: Debian amavisd-new at mail.example.gr
> Received: from mail.example.gr ([127.0.0.1])
>         by localhost (mail.example.gr [127.0.0.1]) (amavisd-new, port 10024)
>         with LMTP id yHroNA2goYHC for<[hidden email]>;
>         Tue, 14 Jun 2011 00:39:40 +0300 (EEST)
> Received: from [186.194.3.66] (unknown [186.194.3.66])
>         by mail.example.gr (Postfix) with ESMTP id 7567357547E2
>         for<[hidden email]>; Tue, 14 Jun 2011 00:39:39 +0300 (EEST)
> Received: from [95.53.111.119] (helo=uvthdjg.mnghdffxosiys.net)
>         by  with esmtpa (Exim 4.69)
>         (envelope-from )
>         id 1MMI1H-7816uo-2U
>         for [hidden email]; Mon, 13 Jun 2011 18:39:39 -0300
> From:<[hidden email]>
> To:<[hidden email]>
> Subject: Re: CV 54
> ---------------------------------------------------------------------------------------------------
> a) helo host uvthdjg.mnghdffxosiys.net  does not have an ip

<http://www.postfix.org/postconf.5.html#reject_unknown_helo_hostname>

> b) rdns for 95.53.111.119 gives
>    pppoe.95-53-111-119.dynamic.lenobl.avangarddsl.ru

This might be covered by Stan Hoeppner's PCRE for dynamic IP ranges:

<http://www.hardwarefreak.com/fqrdns.pcre>

> c) Envelope sender ie "return path" is different that From: header

That is not a valid indicator for spam. Take a look at arbitrary
messages you received from this list.

> d) from: and to: headers are pretending to be postmaster @ my domain.

You could use a milter to check if From: == To: and the address is from
your domain(s), but AFAIK Postfix does not have a built-in check for
this.

I would, however, blacklist any client who sends spam to a postmaster
address.

HTH

Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
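The From: == To: test Ansgar describes, written out as an added Python example (not code from the thread or from Postfix): it flags a message only when From: and To: carry the same address and that address is in one of our own domains, deliberately ignores a Return-Path that differs from From:, and exempts authenticated submissions so that users mailing themselves are not caught. The sample messages, the domain example.gr and the function name are all constructed for this example.

```python
"""Added example, not code from the postfix-users thread: a minimal
milter-style check flagging a message whose From: and To: are the same
address in one of our own domains. A differing Return-Path is deliberately
not treated as an indicator. All messages and domains are constructed."""
import email
from email.utils import getaddresses, parseaddr

LOCAL_DOMAINS = ["example.gr"]  # constructed stand-in for the poster's domain

# Constructed sample: the self-addressed "postmaster" pattern from the thread.
SELF_ADDRESSED = """\
Return-Path: <bounce@dynamic-host.invalid>
From: <postmaster@example.gr>
To: <postmaster@example.gr>
Subject: Re: CV 54

"""
# Constructed sample: ordinary list mail; Return-Path differs from From:.
LIST_MAIL = """\
Return-Path: <owner-postfix-users@list.example.org>
From: Some User <user@sender.example.net>
To: postfix-users@list.example.org
Subject: Re: Spam problem

"""
# Constructed sample: same local domain, but different mailboxes.
INTERNAL_MAIL = """\
Return-Path: <alice@example.gr>
From: Alice <alice@example.gr>
To: Bob <bob@example.gr>, postmaster@example.gr
Subject: lunch

"""


def check_self_addressed(raw_message, local_domains=LOCAL_DOMAINS,
                         sasl_authenticated=False):
    """Return {"flagged": bool, "reason": str} for one RFC 5322 message."""
    if sasl_authenticated:
        # Our own users may legitimately mail themselves; skip the check.
        return {"flagged": False, "reason": "authenticated submission"}
    msg = email.message_from_string(raw_message)
    local = {d.lower().lstrip(".") for d in local_domains}
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if "@" not in sender:
        return {"flagged": False, "reason": "no parseable From: address"}
    recipients = {a.lower() for _, a in getaddresses(msg.get_all("To", [])) if a}
    if sender not in recipients:
        return {"flagged": False, "reason": "From: address is not among To:"}
    domain = sender.rpartition("@")[2]
    if domain not in local:
        return {"flagged": False, "reason": f"{domain} is not a local domain"}
    return {"flagged": True,
            "reason": f"From: and To: are both {sender}, a local-domain address"}


if __name__ == "__main__":
    for name, raw in [("SELF_ADDRESSED", SELF_ADDRESSED),
                      ("LIST_MAIL", LIST_MAIL),
                      ("INTERNAL_MAIL", INTERNAL_MAIL)]:
        print(name, check_self_addressed(raw))
```

Only the self-addressed sample is flagged; the list mail (different Return-Path, foreign domain) and the internal mail (same domain, different mailboxes) pass, which is the distinction Ansgar draws between point c) and point d).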

Re: Spam problem

Rich Wales
>> b) rdns for 95.53.111.119 gives
>>    pppoe.95-53-111-119.dynamic.lenobl.avangarddsl.ru
>
> This might be covered by Stan Hoeppner's PCRE for dynamic IP ranges:
> http://www.hardwarefreak.com/fqrdns.pcre

Additionally, a reliable DNSBL (block list) could be used to detect and
block IP addresses which are known spam sources and/or are dynamically
assigned.  This particular IP address, for example, is listed in the
Spamhaus ZEN list (zen.spamhaus.org; http://www.spamhaus.org/zen/).

Read the documentation for the "reject_rbl_client" restriction.


Rich Wales
[hidden email]

Re: Spam problem

Ansgar Wiechers
On 2011-06-14 Rich Wales wrote:
>>> b) rdns for 95.53.111.119 gives
>>>    pppoe.95-53-111-119.dynamic.lenobl.avangarddsl.ru
>>
>> This might be covered by Stan Hoeppner's PCRE for dynamic IP ranges:
>> http://www.hardwarefreak.com/fqrdns.pcre
>
> Additionally, a reliable DNSBL (block list) could be used to detect and
> block IP addresses which are known spam sources and/or are dynamically
> assigned.

Personally I prefer policyd-weight (to avoid rejecting valid mails
because of false positives on a single RBL), but yes.

Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky

Re: Spam problem

Rich Wales
>> Additionally, a reliable DNSBL (block list) could be used to detect and
>> block IP addresses which are known spam sources and/or are dynamically
>> assigned.
>
> Personally I prefer policyd-weight (to avoid rejecting valid mails because
> of false positives on a single RBL), but yes.

Another approach would use the new "postscreen" capability introduced in
version 2.8 of Postfix:

    http://www.postfix.org/postscreen.8.html
    http://www.postfix.org/POSTSCREEN_README.html

I am currently using a combination of postscreen directives (with a bunch
of white lists and block lists, of varying reliability and assigned various
weights) and more traditional smtpd_*_restrictions items (referencing only
a handful of lists which I have decided are sufficiently conservative that
I'm prepared to trust them fully).  The smtpd_*_restrictions info duplicates
portions of my postscreen configuration; this might seem redundant, but it
may catch situations where postscreen's DNS lookups time out for some reason.

I have also defined a smtpd_reject_footer value in my configuration, in
which I provide an alternative (Gmail) address where legitimate senders
can report any delivery problems.  So far, at least, I have not received
any such communications.

Rich Wales
[hidden email]

Re: Spam problem

mouss-4
In reply to this post by Ansgar Wiechers
On 14/06/2011 20:35, Ansgar Wiechers wrote:

> On 2011-06-14 Rich Wales wrote:
>>>> b) rdns for 95.53.111.119 gives
>>>>    pppoe.95-53-111-119.dynamic.lenobl.avangarddsl.ru
>>>
>>> This might be covered by Stan Hoeppner's PCRE for dynamic IP ranges:
>>> http://www.hardwarefreak.com/fqrdns.pcre
>>
>> Additionally, a reliable DNSBL (block list) could be used to detect and
>> block IP addresses which are known spam sources and/or are dynamically
>> assigned.
>
> Personally I prefer policyd-weight (to avoid rejecting valid mails
> because of false positives on a single RBL), but yes.
>

nonsense.

just because they are a lot doesn't mean they are right.
a single zen hit is more reliable than thousands of hits from arbitrary
DNSBLs.

policyd-weight is nice. use it if you think it is the right tool for
you. but for the sake of whatever you like: keep that for yourself
unless you have real (mathematical) arguments.

Re: Spam problem

mouss-4
In reply to this post by HL
On 14/06/2011 11:34, Harry Lachanas ( via Freemail ) wrote:

> Hi list,
> Just by looking at the headers "Return-Path", "From:" and  "To:"
> one can sense that the following is spam ...
>
> ---------------------------------------------------------------------------------------------------
> Return-Path: <[hidden email]>
> X-Original-To: [hidden email]
> Delivered-To: [hidden email]
> Received: from localhost (unknown [127.0.0.1])
>         by mail.example.gr (Postfix) with ESMTP id D17E557547EC
>         for <[hidden email]>; Tue, 14 Jun 2011 00:39:48 +0300 (EEST)
> X-Virus-Scanned: Debian amavisd-new at mail.example.gr
> Received: from mail.example.gr ([127.0.0.1])
>         by localhost (mail.example.gr [127.0.0.1]) (amavisd-new, port 10024)
>         with LMTP id yHroNA2goYHC for <[hidden email]>;
>         Tue, 14 Jun 2011 00:39:40 +0300 (EEST)
> Received: from [186.194.3.66] (unknown [186.194.3.66])
>         by mail.example.gr (Postfix) with ESMTP id 7567357547E2
>         for <[hidden email]>; Tue, 14 Jun 2011 00:39:39 +0300 (EEST)
> Received: from [95.53.111.119] (helo=uvthdjg.mnghdffxosiys.net)
>         by  with esmtpa (Exim 4.69)
>         (envelope-from )
>         id 1MMI1H-7816uo-2U
>         for [hidden email]; Mon, 13 Jun 2011 18:39:39 -0300
> From: <[hidden email]>
> To: <[hidden email]>
> Subject: Re: CV 54
> ---------------------------------------------------------------------------------------------------
>
> a) helo host uvthdjg.mnghdffxosiys.net  does not have an ip
> b) rdns for 95.53.111.119 gives
> pppoe.95-53-111-119.dynamic.lenobl.avangarddsl.ru

if you want a hash:

.dynamic.lenobl.avangarddsl.ru REJECT generic hostname

if you want a pcre:

/pppoe\.[\w-]+\.dynamic\./ REJECT generic hostname



> c) Envelope sender ie "return path" is different that From: header
> d) from: and to: headers are pretending to be postmaster @ my domain.
>
>
> Is there an rfc compliant way to reject this ???

you can reject spam without asking the IETF.
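How the two access-table forms mouss gives would classify the rDNS name from the thread, as an added Python example that is not code from the thread or from Postfix. The lookup functions are an emulation of Postfix's hash and pcre table semantics written for this example; Python's `re` stands in for PCRE (the two agree for this pattern). The PCRE used here allows hyphens inside the label, because the thread's hostname `pppoe.95-53-111-119.dynamic...` contains them and `[\w\d]+` in PCRE does not match a hyphen; the block shows that difference directly.

```python
"""Added example, not code from the thread or from Postfix: emulate a
check_client_access lookup of a client's rDNS name against a hash-style
table and a pcre-style table of the kind mouss describes."""
import re

# Constructed tables mirroring the two forms given in the thread.
HASH_TABLE = {
    ".dynamic.lenobl.avangarddsl.ru": "REJECT generic hostname",
}
PCRE_TABLE = [
    # Hyphens are allowed in the label: \w in PCRE is [A-Za-z0-9_] only.
    (re.compile(r"pppoe\.[\w-]+\.dynamic\.", re.IGNORECASE),
     "REJECT generic hostname"),
]
# The pattern as first posted, kept to show why the hyphen matters.
ORIGINAL_PCRE = re.compile(r"pppoe.[\w\d]+\.dynamic\.", re.IGNORECASE)


def hash_lookup(hostname, table):
    """Emulate a hash: access map lookup on a client hostname: try the full
    name, then every parent domain with and without a leading dot.
    Simplification (assumption of this example): real Postfix picks one of
    the two forms according to parent_domain_matches_subdomains."""
    name = hostname.lower().rstrip(".")
    if name in table:
        return table[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        for key in ("." + parent, parent):
            if key in table:
                return table[key]
    return None


def pcre_lookup(hostname, table):
    """First matching pattern wins, as in a Postfix pcre: table."""
    for pattern, action in table:
        if pattern.search(hostname):
            return action
    return None


def client_access(hostname, hash_table=HASH_TABLE, pcre_table=PCRE_TABLE):
    """Result of consulting the hash table first, then the pcre table."""
    return hash_lookup(hostname, hash_table) or pcre_lookup(hostname, pcre_table)


def original_pattern_matches(hostname):
    """Whether the unfixed pattern would have matched this hostname."""
    return ORIGINAL_PCRE.search(hostname) is not None


if __name__ == "__main__":
    for host in ("pppoe.95-53-111-119.dynamic.lenobl.avangarddsl.ru",
                 "pppoe.10-0-0-1.dynamic.isp.example",
                 "mail.example.gr", "unknown"):
        print(host, "->", client_access(host),
              "| original pcre:", original_pattern_matches(host))
```

The hash entry catches only that one ISP's namespace; the pcre catches any `pppoe.<label>.dynamic.` name. A client with no rDNS shows up as the literal hostname `unknown`, which neither table touches; that case is what reject_unknown_reverse_client_hostname style restrictions exist for.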

Re: Spam problem

Ansgar Wiechers
In reply to this post by mouss-4
On 2011-06-14 mouss wrote:

> On 14/06/2011 20:35, Ansgar Wiechers wrote:
>> On 2011-06-14 Rich Wales wrote:
>>>>> b) rdns for 95.53.111.119 gives
>>>>>    pppoe.95-53-111-119.dynamic.lenobl.avangarddsl.ru
>>>>
>>>> This might be covered by Stan Hoeppner's PCRE for dynamic IP ranges:
>>>> http://www.hardwarefreak.com/fqrdns.pcre
>>>
>>> Additionally, a reliable DNSBL (block list) could be used to detect
>>> and block IP addresses which are known spam sources and/or are
>>> dynamically assigned.
>>
>> Personally I prefer policyd-weight (to avoid rejecting valid mails
>> because of false positives on a single RBL), but yes.
>
> nonsense.

IBTD.

> just because they are a lot doesn't mean they are right. a single zen
> hit is more reliable than thousands of hits from arbitrary DNSBLs.

You may want to take an actual look at the DNSBLs policyd-weight uses.

> policyd-weight is nice. use it if you think it is the right tool for
> you. but for the sake of whatever you like: keep that for yourself
> unless you have real (mathematical) arguments.

My rationale is that no matter how reliable a single source is, they can
still be wrong at times. Getting a second opinion helps mitigate these
cases. The false negative rate is probably somewhat higher with this
setup, but I consider a limited amount of false negatives far more
tolerable than a single false positive. If you think there's something
wrong with this rationale: please elaborate.

Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky

Re: Spam problem

Benny Pedersen
In reply to this post by HL
On Tue, 14 Jun 2011 12:34:10 +0300, Harry Lachanas ( via Freemail )
wrote:

> Is there an rfc compliant way to reject this ???

reject if sender is postmaster@ your domain

and not SASL authed

make this email a mailbox so SASL works

reject all .hinet.net email senders based on envelope sender

problem left now?


Re: Spam problem

Ansgar Wiechers
On 2011-06-14 Benny Pedersen wrote:
> On Tue, 14 Jun 2011 12:34:10 +0300, Harry Lachanas ( via Freemail ) wrote:
>> Is there an rfc compliant way to reject this ???
>
> reject if sender is postmaster@ your domain
>
> and not sasl authed
>
> make this email a mailbox so sasl works

The sender isn't the postmaster address of his domain, so how is this
suggestion supposed to help?

> reject all .hinet.net email senders based on envelope sender

That would be throwing out the baby with the bath water.

Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky

Re: Spam problem

mouss-4
In reply to this post by Ansgar Wiechers
On 14/06/2011 23:21, Ansgar Wiechers wrote:

> On 2011-06-14 mouss wrote:
>> On 14/06/2011 20:35, Ansgar Wiechers wrote:
>>> On 2011-06-14 Rich Wales wrote:
>>>>>> b) rdns for 95.53.111.119 gives
>>>>>>    pppoe.95-53-111-119.dynamic.lenobl.avangarddsl.ru
>>>>>
>>>>> This might be covered by Stan Hoeppner's PCRE for dynamic IP ranges:
>>>>> http://www.hardwarefreak.com/fqrdns.pcre
>>>>
>>>> Additionally, a reliable DNSBL (block list) could be used to detect
>>>> and block IP addresses which are known spam sources and/or are
>>>> dynamically assigned.
>>>
>>> Personally I prefer policyd-weight (to avoid rejecting valid mails
>>> because of false positives on a single RBL), but yes.
>>
>> nonsense.
>
> IBTD.
>
>> just because they are a lot doesn't mean they are right. a single zen
>> hit is more reliable than thousands of hits from arbitrary DNSBLs.
>
> You may want to take an actual look at the DNSBLs policyd-weight uses.
>
>> policyd-weight is nice. use it if you think it is the right tool for
>> you. but for the sake of whatever you like: keep that for yourself
>> unless you have real (mathematical) arguments.
>
> My rationale is that no matter how reliable a single source is, they can
> still be wrong at times. Getting a second opinion helps mitigate these
> cases.

that's where you are wrong. if the second opinion is wrong, it doesn't
help at all. the word is: quality, not quantity.

review Bayes theorem again. now consider:
P1 = listed on zen
P2 = listed on spamcops

do you really think that
        P1 & P2
is any better than
        P1 OR P2
?

explain why? do you believe P1 and P2 are independent? did you test that
on a real system?

not convinced yet? now replace P2 with korea.services and try to argue.
then try with P2 = sorbs. etc etc.



> The false negative rate is probably somewhat higher with this
> setup, but I consider a limited amount of false negatives far more
> tolerable than a single false positive. If you think there's something
> wrong with this rationale: please elaborate.
>

while Bayes theorem can be applied to a "lot of attributes" (such as in
spamassassin, ...) without the independence clause, this doesn't work
when you only have very few attributes (such as what you get with the
envelope).

Re: Spam problem

Benny Pedersen
In reply to this post by Ansgar Wiechers
On Tue, 14 Jun 2011 23:49:34 +0200, Ansgar Wiechers wrote:

> The sender isn't the postmaster address of his domain, so how is this
> suggestion supposed to help?

another problem then? As I read it you accept sender forges on your
domain for non-SASL users

From: "postmaster" <[hidden email]> is not a problem for a
spammer, but doing so on envelope is

>> reject all .hinet.net email senders based on envelope sender
> That would be throwing out the baby with the bath water.

and I have not seen a complaint from [hidden email] doing so :=)


Re: Spam problem

Ansgar Wiechers
In reply to this post by mouss-4
On 2011-06-15 mouss wrote:
> On 14/06/2011 23:21, Ansgar Wiechers wrote:
>> My rationale is that no matter how reliable a single source is, they
>> can still be wrong at times. Getting a second opinion helps
>> mitigate these cases.
[...]

> now consider:
> P1 = listed on zen
> P2 = listed on spamcops
>
> do you really think that
> P1 & P2
> is any better than
> P1 OR P2
> ?
>
> explain why?

Because (P1 || P2) >= (P1 && P2) for all P1, P2.

I'm trying to reduce my FRR. I am aware that this does increase my FAR.

> do you believe P1 and P2 are independent?

Yes, I do. Because P1 and P2 are maintained by independent entities (at
least AFAIK), and I'm concerned about false positives, i.e. entries that
were added by mistake. I do assume that two independent entities won't
make the same mistake at the same time.

[...]
> not convinced yet? now replace P2 with korea.services and try to
> argue. then try with P2 = sorbs. etc etc.

Why? I'm talking about policyd-weight, not an arbitrary list of RBLs.
There seems to be some misunderstanding on your part about what policyd-
weight actually does.

Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
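The P1 & P2 versus P1 OR P2 question mouss raises, and Ansgar's answer that the AND policy lowers the false reject rate when the two lists are independent, can be worked through with numbers. The following is an added Python example, not code from the thread or from policyd-weight; the per-list hit rates are constructed, and the computation uses exact fractions so the comparison is not clouded by rounding. It carries both points: under independence the AND policy multiplies the false-positive rates (and raises the false-negative rate), while if the two lists are correlated the joint probability can be as high as the smaller marginal, which is the bound the example uses for its worst case.

```python
"""Added example, not from the thread: false-positive and false-negative
rates of rejecting on ANY DNSBL hit (OR) versus only on BOTH hits (AND),
with and without the independence assumption. Rates are constructed."""
from fractions import Fraction

# Constructed per-list rates: P(listed) for a legitimate sender's address
# (false positive) and for a spam source (detection), lists A and B.
HAM_HITS = (Fraction(1, 1000), Fraction(5, 1000))
SPAM_HITS = (Fraction(9, 10), Fraction(7, 10))


def joint_bounds(p1, p2):
    """Range of P(A and B) consistent with marginals p1, p2 (Frechet bounds).
    The upper bound min(p1, p2) is the fully correlated case."""
    return max(Fraction(0), p1 + p2 - 1), min(p1, p2)


def combine(p1, p2, p_both=None):
    """P(A or B) and P(A and B) for two list-hit events.
    p_both=None assumes the lists are independent, as Ansgar does."""
    if p_both is None:
        p_both = p1 * p2
    lo, hi = joint_bounds(p1, p2)
    if not lo <= p_both <= hi:
        raise ValueError(f"joint probability {p_both} inconsistent with "
                         f"marginals {p1}, {p2} (allowed {lo}..{hi})")
    return {"or": p1 + p2 - p_both, "and": p_both}


def policy_rates(ham_hits, spam_hits, ham_both=None, spam_both=None):
    """fp = legitimate mail rejected, fn = spam accepted, for each policy."""
    ham = combine(ham_hits[0], ham_hits[1], ham_both)
    spam = combine(spam_hits[0], spam_hits[1], spam_both)
    return {
        "or": {"fp": ham["or"], "fn": 1 - spam["or"]},
        "and": {"fp": ham["and"], "fn": 1 - spam["and"]},
    }


def worst_case_rates(ham_hits, spam_hits):
    """Same policies when the lists' mistakes are fully correlated, i.e.
    every false positive of the smaller list is shared by the larger one."""
    _, ham_hi = joint_bounds(*ham_hits)
    return policy_rates(ham_hits, spam_hits, ham_both=ham_hi)


if __name__ == "__main__":
    print("independent:", policy_rates(HAM_HITS, SPAM_HITS))
    print("fully correlated ham hits:", worst_case_rates(HAM_HITS, SPAM_HITS))
```

With the constructed rates, independence gives the AND policy a false-positive rate of 5 in a million against 5995 in a million for OR, at the price of a false-negative rate of 37% instead of 3%. If the two lists make the same mistakes, the AND false-positive rate climbs back to 1 in 1000, the rate of the better list alone, which is why the independence question mouss asks decides how much the second opinion is worth.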