Why there is no `reject_rbl_sender` restriction?

13 messages

Why there is no `reject_rbl_sender` restriction?

Martin Jiřička
Hi,

Why is there no `reject_rbl_sender` restriction? It probably does not
make as much sense as `reject_rbl_client`, but it would help me in my
spam battle. Quite a lot of emails come from servers not listed inside
Spamhaus blacklists, but the sender's domain points to a blacklisted IP.

For example, yesterday an email came from: Jaromil
<[hidden email]> from client: bounce.countrcultur.com
[66.45.255.215]

The client is not blacklisted under Spamhaus, but let's have a look at
the sender in more detail.

# Domain is not listed:
> host spplalru.com.dbl.spamhaus.org
Host spplalru.com.dbl.spamhaus.org not found: 3(NXDOMAIN)

# Check for IP:
> host spplalru.com
spplalru.com has address 185.140.110.3

# But the domain points to a blacklisted server!
> host 3.110.140.185.zen.spamhaus.org
3.110.140.185.zen.spamhaus.org has address 127.0.0.2


And this is not a unique case! In fact most of the spam that passes my
anti-spam settings would be filtered by such a restriction on the
sender domain. Maybe it is more a problem of Spamhaus and its list
synchronization, I do not know.

Or is there any fundamental reason why rejecting emails according to
the sender's domain IP is not a good idea?


My best wishes,
Martin Jiřička
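The lookup chain in the post (MAIL FROM domain -> A record -> reversed octets -> IP-based DNSBL zone) as an added Python illustration; this is not the milter from the thread or any Postfix code. The resolver is injected and the DNS answers are constructed to mirror the numbers shown above, so it runs offline; the sender address `user@spplalru.com` is a placeholder for the hidden one, and the 127.255.255.0/24 "status code" range is an assumption used to keep DNSBL error answers from being mistaken for listings.

```python
import ipaddress

# Constructed DNS answers mirroring the lookups shown in the post; no network access.
FAKE_DNS = {
    ("spplalru.com", "A"): ["185.140.110.3"],
    ("3.110.140.185.zen.spamhaus.org", "A"): ["127.0.0.2"],
    ("example.org", "A"): ["203.0.113.10"],
    # constructed: a DNSBL answer that signals an error/status rather than a listing
    ("7.100.51.198.zen.spamhaus.org", "A"): ["127.255.255.254"],
    # spplalru.com.dbl.spamhaus.org is deliberately absent -> NXDOMAIN, as in the post
}

# Assumption: DNSBL return codes live in 127.0.0.0/8; 127.255.255.0/24 is treated
# as an error/status answer (e.g. "query blocked") and never as a listing.
LISTED_CODES = ipaddress.IPv4Network("127.0.0.0/8")
STATUS_CODES = ipaddress.IPv4Network("127.255.255.0/24")


def fake_resolve(name, rtype="A"):
    """Stand-in for a real resolver; returns [] where real DNS would say NXDOMAIN."""
    return FAKE_DNS.get((name, rtype), [])


def reverse_octets(ip):
    """185.140.110.3 -> 3.110.140.185 (raises ValueError for non-IPv4 input)."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split(".")))


def ip_dnsbl_name(ip, zone):
    """Query name for an IP-based DNSBL, e.g. 3.110.140.185.zen.spamhaus.org."""
    return f"{reverse_octets(ip)}.{zone}"


def ip_listed(ip, zone, resolve=fake_resolve):
    """Return the DNSBL return code (e.g. '127.0.0.2') if the IP is listed, else None."""
    for answer in resolve(ip_dnsbl_name(ip, zone)):
        code = ipaddress.IPv4Address(answer)
        if code in STATUS_CODES:
            # error answer: the DNSBL refused or could not answer, do not reject on it
            return None
        if code in LISTED_CODES:
            return answer
    return None


def domain_rhsbl_listed(domain, zone, resolve=fake_resolve):
    """What reject_rhsbl_sender does: look up <domain>.<zone> directly."""
    return bool(resolve(f"{domain}.{zone}"))


def sender_domain_listed(mail_from, ip_zone, resolve=fake_resolve):
    """The check the post asks for: is any A record of the MAIL FROM domain
    listed in the IP-based zone?  Returns (ip, code) or None."""
    if not mail_from or "@" not in mail_from:
        return None  # null sender (<>) or malformed address: nothing to look up
    domain = mail_from.rsplit("@", 1)[1].lower().rstrip(".")
    for ip in resolve(domain, "A"):
        code = ip_listed(ip, ip_zone, resolve)
        if code:
            return (ip, code)
    return None


if __name__ == "__main__":
    print(domain_rhsbl_listed("spplalru.com", "dbl.spamhaus.org"))   # False (NXDOMAIN)
    print(sender_domain_listed("user@spplalru.com", "zen.spamhaus.org"))
```

With a real resolver plugged in, `resolve` would be the only thing to swap; the status-code branch is what keeps a blocked or rate-limited DNSBL from turning every lookup into a rejection.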

Re: Why there is no `reject_rbl_sender` restriction?

allenc
For a while I tried a local black-list based on the senders of bounced
emails. It was deployed using "check_sender_access <filename>".

Using the whole email address didn't work - I never saw the same sender
twice;
and using just the domain part gave me more false positives than true.

A more targeted list, containing PROVEN dud domains and reserved TLDs -
example.com or invalid.net - might have more success.  I haven't given
up on the idea completely.  :-)
 
Not quite what you asked - but it might help to explain


Allen C


On 03/08/17 10:07, Martin Jiřička wrote:

> Hi,
>
> Why is there no `reject_rbl_sender` restriction? It probably does not
> make as much sense as `reject_rbl_client`, but it would help me in my
> spam battle. Quite a lot of emails come from servers not listed inside
> Spamhaus blacklists, but the sender's domain points to a blacklisted IP.
>
> For example, yesterday an email came from: Jaromil
> <[hidden email]> from client: bounce.countrcultur.com
> [66.45.255.215]
>
> The client is not blacklisted under Spamhaus, but let's have a look at
> the sender in more detail.
>
> # Domain is not listed:
>> host spplalru.com.dbl.spamhaus.org
> Host spplalru.com.dbl.spamhaus.org not found: 3(NXDOMAIN)
>
> # Check for IP:
>> host spplalru.com
> spplalru.com has address 185.140.110.3
>
> # But the domain points to a blacklisted server!
>> host 3.110.140.185.zen.spamhaus.org
> 3.110.140.185.zen.spamhaus.org has address 127.0.0.2
>
>
> And this is not a unique case! In fact most of the spam that passes my
> anti-spam settings would be filtered by such a restriction on the
> sender domain. Maybe it is more a problem of Spamhaus and its list
> synchronization, I do not know.
>
> Or is there any fundamental reason why rejecting emails according to
> the sender's domain IP is not a good idea?
>
>
> My best wishes,
> Martin Jiřička
>


Re: Why there is no `reject_rbl_sender` restriction?

Martin Jiřička
In reply to this post by Martin Jiřička
> Doing it on MX would require dnsbl lookups for each MX server in all
> received mail.
> That would massively increase the amount of dnsbl lookups.

I do not know if I would call it "massively". I already do the
`reject_unknown_client_hostname` check and 4 other dnsbl lookups. So I
would do another 2 in addition to the current 5? Yes, it is a lot, but
that's how it is… My server does not serve a huge amount of real mail,
fortunately.

> you still can block them locally using the rules above.

I think it will not work, almost every spam comes from different domain.

> On 03.08.17 11:09, Allen Coates wrote:
>> Using the whole email address didn't work - I never saw the same sender
>> twice;

Yes, exactly. Spammers have a huge amount of hostnames.

I do not think it is a good idea to build your own database. I even do
not know how to build it, because I do not run MDA, I only forward
emails… Simply put: I think it is difficult to fight against global
botnets with a local black list :-)


MJ

Re: Why there is no `reject_rbl_sender` restriction?

allenc
In reply to this post by Martin Jiřička
On 03/08/17 11:55, Matus UHLAR - fantomas wrote:
> You apparently mean something like check_sender_mx_access (reject when MX
> server of sending domain points to blacklisted IP) or maybe
> check_sender_a_access (similar), but with dnsbl lookups.
>
> Doing it on MX would require dnsbl lookups for each MX server in all
> received mail.
> That would massively increase the amount of dnsbl lookups.
>
> Doing it on A would do the same, just not that much.

Do it after a white-list of senders you know

Allen C

Re: Why there is no `reject_rbl_sender` restriction?

Wietse Venema
In reply to this post by Martin Jiřička
Martin Jiřička:
> Hi,
>
> why there is no `reject_rbl_sender` restriction?

Did you mean: reject_rhsbl_sender (i.e. reject the sender domain)?
That already exists.

        Wietse

Re: Why there is no `reject_rbl_sender` restriction?

Martin Jiřička
> Did you mean: reject_rhsbl_sender (i.e. reject the sender domain)?
> That already exists.

The `reject_rhsbl_sender` checks whether the MAIL FROM domain is listed
under rbl_domain. And I would like to have `reject_rbl_sender` that
would check whether the reversed sender domain is listed under rbl_domain.
In other words, as there are `reject_rhsbl_client` and
`reject_rbl_client` restrictions, analogously I would like to have
`reject_rhsbl_sender` AND `reject_rbl_sender`.

The reason is that I have found out that very, very often my uncaught
spam has a MAIL FROM domain that is not listed under dbl.spamhaus.org,
but its reversed address is listed under zen.spamhaus.org. I gave an
example with the "spplalru.com" domain.

Re: Why there is no `reject_rbl_sender` restriction?

Matus UHLAR - fantomas
In reply to this post by Martin Jiřička
>> Doing it on MX would require dnsbl lookups for each MX server in all
>> received mail.
>> That would massively increase the amount of dnsbl lookups.

On 03.08.17 13:38, Martin Jiřička wrote:
>I do not know if I would call it "massively". I already do the
>`reject_unknown_client_hostname` check and 4 other dnsbl lookups. So I
>would do another 2 in addition to the current 5? Yes, it is a lot, but
>that's how it is… My server does not serve a huge amount of real mail,
>fortunately.

I'm not talking about DNS lookups, but about DNSBL lookups.
You ask each dnsbl for the client IP; now you will ask them for each A or MX
record. That means the number of DNSBL lookups will increase at least two times
(for each dnsbl you already query).

Note that some dnsbls require a (paid) subscription if you use them too much.

>> you still can block them locally using the rules above.
>
>I think it will not work, almost every spam comes from different domain.

we aren't talking about domains, but IP addresses of servers the domains
point to, correct?

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
"To Boot or not to Boot, that's the question." [WD1270 Caviar]

Re: Why there is no `reject_rbl_sender` restriction?

Martin Jiřička
> I'm not talking about DNS lookups, but about DNSBL lookups.

Yes, I did interchange them, pardon.

> You ask each dnsbl for the client IP; now you will ask them for each A or MX
> record. That means the number of DNSBL lookups will increase at least two times
> (for each dnsbl you already query).

Hmm, I am not a server administrator by profession, so maybe I do not
understand it enough, but I would only add one more restriction on the
domain in the MAIL FROM header, and that would make one DNS lookup (getting
the IP for the domain) and one DNSBL lookup (checking that IP in Spamhaus).
Those are two lookups, aren't they? It is true that it is not clear
whether to get A or MX records for the domain. For my example the
blacklisted IP address is within the A record. I guess there is usually
only one A record for each domain?

> Note that some dnsbls require a (paid) subscription if you use them too much.

This is my first mail server, so I need to check which restrictions
work best. Then I will optimize the number and order of restrictions.

> we aren't talking about domains, but IP addresses of servers the domains
> point to, correct?

I think Allen spoke about domains. So did I. It is probably true that
building a blacklist of IP addresses would be a better idea than building
a list of domains, because I guess spammers have more domains than IP
addresses…

Re: Why there is no `reject_rbl_sender` restriction?

Wietse Venema
In reply to this post by Martin Jiřička
Martin Jiřička:

> > Did you mean: reject_rhsbl_sender (i.e. reject the sender domain)?
> > That already exists.
>
> The `reject_rhsbl_sender` checks whether the MAIL FROM domain is listed
> under rbl_domain. And I would like to have `reject_rbl_sender` that
> would check whether the reversed sender domain is listed under rbl_domain.
> In other words, as there are `reject_rhsbl_client` and
> `reject_rbl_client` restrictions, analogously I would like to have
> `reject_rhsbl_sender` AND `reject_rbl_sender`.
>
> The reason is that I have found out that very, very often my uncaught
> spam has a MAIL FROM domain that is not listed under dbl.spamhaus.org,
> but its reversed address is listed under zen.spamhaus.org. I gave an
> example with the "spplalru.com" domain.

We already have check_mumble_mx_access and check_mumble_ns_access
to map a domain name to a collection of IP addresses.

It seems natural (for me at least) to introduce a new map type
dnsbl: that maps those IP addresses to an action.

Example:
    check_sender_mx_access dnsbl:zen.spamhaus.org=127.0.0.1
    check_client_ns_access dnsbl:zen.spamhaus.org=127.0.0.1

In case someone runs their DNS or MX service off a botnet.

        Wietse

Re: Why there is no `reject_rbl_sender` restriction?

Martin Jiřička
> It seems natural (for me at least) to introduce a new map type
> dnsbl: that maps those IP addresses to an action.

That would be amazing! If I get it right, this would also deprecate
e.g. `reject_rhsbl_client` and `reject_rbl_client`. As a Postfix
novice I would appreciate the reduction of configuration parameters;
it is sometimes quite confusing to look at a long list of parameters
that all do a similar thing and try to spot the difference in their
descriptions.


MJ

Re: Why there is no `reject_rbl_sender` restriction?

Matus UHLAR - fantomas
In reply to this post by Martin Jiřička
>> You ask each dnsbl for the client IP; now you will ask them for each A or MX
>> record. That means the number of DNSBL lookups will increase at least two times
>> (for each dnsbl you already query).

On 03.08.17 17:04, Martin Jiřička wrote:
>Hmm, I am not a server administrator by profession, so maybe I do not
>understand it enough, but I would only add one more restriction on the
>domain in the MAIL FROM header, and that would make one DNS lookup (getting
>the IP for the domain) and one DNSBL lookup (checking that IP in Spamhaus).
>Those are two lookups, aren't they? It is true that it is not clear
>whether to get A or MX records for the domain. For my example the
>blacklisted IP address is within the A record. I guess there is usually
>only one A record for each domain?

What I was trying to say is that (if there was 1 A record per domain) the
number of Spamhaus lookups would double.

If you check MX records, the number of lookups can increase even more.

>> Note that some dnsbls require a (paid) subscription if you use them too much.
>
>This is my first mail server, so I need to check which restrictions
>work best. Then I will optimize the number and order of restrictions.

hopefully you find it out before you get blocked by Spamhaus :-)

as Allen recommended, it's good to have a local whitelist for any kind of
DNSBL lookup.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
Christian Science Programming: "Let God Debug It!".
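To make the lookup arithmetic in this exchange concrete, here is an added Python illustration (not code from the thread or from Postfix) that enumerates the DNSBL query names one message would generate: the client IP alone, plus the sender domain's A record(s), plus every address behind its MX hosts, with a local whitelist consulted first as Allen and Matus recommend. The DNS data, the `sender.example` domain and the second zone name `second-dnsbl.example` are constructed so the code runs offline; only `zen.spamhaus.org` comes from the thread.

```python
# Constructed DNS answers; the domain has one A record and two MX hosts,
# the second of which has two addresses.
FAKE_DNS = {
    ("sender.example", "A"): ["203.0.113.10"],
    ("sender.example", "MX"): ["mx1.sender.example", "mx2.sender.example"],
    ("mx1.sender.example", "A"): ["203.0.113.21"],
    ("mx2.sender.example", "A"): ["203.0.113.22", "203.0.113.23"],
}

# One real zone from the thread and one constructed placeholder zone.
ZONES = ["zen.spamhaus.org", "second-dnsbl.example"]


def fake_resolve(name, rtype="A"):
    """Plain DNS (A/MX) lookups; these are not DNSBL queries and are not counted."""
    return FAKE_DNS.get((name, rtype), [])


def dnsbl_name(ip, zone):
    """Reverse the octets and append the zone: 203.0.113.10 -> 10.113.0.203.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def dnsbl_queries(client_ip, mail_from, zones, *, check_sender_a=False,
                  check_sender_mx=False, whitelist=(), resolve=fake_resolve):
    """Return the distinct DNSBL query names one message would trigger.

    client-IP check only      -> len(zones)
    + sender A record(s)      -> doubles with one A record per domain
    + sender MX host address  -> one more per zone for every MX address
    """
    domain = mail_from.rsplit("@", 1)[-1].lower().rstrip(".") if "@" in mail_from else ""

    # Whitelist first: a known-good client or sender domain skips every DNSBL.
    if client_ip in whitelist or (domain and domain in whitelist):
        return []

    ips = [client_ip]
    if check_sender_a and domain:
        ips += resolve(domain, "A")
    if check_sender_mx and domain:
        for mx_host in resolve(domain, "MX"):
            ips += resolve(mx_host.rstrip("."), "A")

    seen, queries = set(), []
    for ip in ips:
        for zone in zones:
            name = dnsbl_name(ip, zone)
            if name not in seen:      # the same IP behind two MX hosts is queried once
                seen.add(name)
                queries.append(name)
    return queries


def dnsbl_query_count(client_ip, mail_from, zones, **kwargs):
    """Convenience wrapper: how many DNSBL queries this message costs."""
    return len(dnsbl_queries(client_ip, mail_from, zones, **kwargs))


if __name__ == "__main__":
    msg = ("66.45.255.215", "user@sender.example")   # client IP from the thread
    for label, opts in [("client only", {}),
                        ("+ sender A", {"check_sender_a": True}),
                        ("+ sender MX", {"check_sender_mx": True}),
                        ("+ both", {"check_sender_a": True, "check_sender_mx": True})]:
        print(f"{label:12s} {dnsbl_query_count(*msg, ZONES, **opts)} queries")
```

The count grows with every address the sender domain resolves to, multiplied by the number of zones, which is the budget argument being made here; the whitelist short-circuit is what keeps the mail you already trust from consuming any of it.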

Re: Why there is no `reject_rbl_sender` restriction?

Martin Jiřička
> What I was trying to say is that (if there was 1 A record per domain) the
> number of Spamhaus lookups would double.
> If you check MX records, the number of lookups can increase even more.

I am afraid I still do not understand how you count it :-( But it does
not matter, thank you very much for your effort! :-)

> hopefully you find it out before you get blocked by Spamhaus :-)

Spamhaus allows 300,000 queries per day. I am still waaay behind it.
Moreover, 70% of all spam ends on my first Spamhaus restriction anyway.

But once again thank you for your notice, Matus! I will be careful
with the restrictions :-)

Re: Why there is no `reject_rbl_sender` restriction?

Martin Jiřička
Hello again,

I discovered the possibility of milters. So I have created a milter that
performs the restriction I wanted. If someone is interested, it
is here:

https://github.com/mjiricka/MailFrom_DNSBL_Milter

So far the results are as expected – all spam filtered, zero false positives! :)

Martin