postwhite? (why not?)

mrobti
Asking for opinions about postwhite.
https://github.com/stevejenkins/postwhite

Below is the default whitelist of domains. It's a nice idea, but what about
the time when spammers got hold of 10,000 hotmail accounts?

OTOH this is only for postscreen and does not whitelist on your antispam
engine, so it seems like a good idea. I'd really like to know arguments
against using this, please speak up.



webmail_hosts="aol.com google.com microsoft.com outlook.com hotmail.com
gmx.com icloud.com mail.com inbox.com zoho.com fastmail.com"

social_hosts="facebook.com facebookmail.com twitter.com pinterest.com
instagram.com tumblr.com reddit.com linkedin.com"

commerce_hosts="craigslist.org amazon.com ebay.com paypal.com"

bulk_hosts="sendgrid.com sendgrid.net mailchimp.com exacttarget.com
cust-spf.exacttarget.com constantcontact.com icontact.com mailgun.com
fishbowl.com fbmta.com mailjet.com sparkpost.com sparkpostmail.com"

misc_hosts="zendesk.com github.com"

Re: postwhite? (why not?)

Karol Augustin
On 2018-03-02 12:09, MRob wrote:

> Asking for opinions about postwhite.
> https://github.com/stevejenkins/postwhite
>
> Below is the default whitelist domains. It's nice idea, but what about
> the time when spammers got hold of 10.000 hotmail accounts?
>
> OTOH this is only for postscreen and not whitelisted your antispam
> engine so seems like a good idea. Really like to know arguments
> against using this, please speak up.
>
>
>
> webmail_hosts="aol.com google.com microsoft.com outlook.com
> hotmail.com gmx.com icloud.com mail.com inbox.com zoho.com
> fastmail.com"
>
> social_hosts="facebook.com facebookmail.com twitter.com pinterest.com
> instagram.com tumblr.com reddit.com linkedin.com"
>
> commerce_hosts="craigslist.org amazon.com ebay.com paypal.com"
>
> bulk_hosts="sendgrid.com sendgrid.net mailchimp.com exacttarget.com
> cust-spf.exacttarget.com constantcontact.com icontact.com mailgun.com
> fishbowl.com fbmta.com mailjet.com sparkpost.com sparkpostmail.com"
>
> misc_hosts="zendesk.com github.com"

Hi,

Can't really say anything against using postwhite. So these are my
experiences:

I started using it some time ago. I have noticed that some providers
use some kind of SPF rotation daily (???) and rotate between IPv6
subnets. So it is important to run it periodically to update the file.
It might be good to implement rounding to the nearest /64 or even /56
for efficiency, but I didn't have a chance to look into that.

Other than that, I am using the generated list to whitelist postscreen
and some custom filtering that forces greylisting and honeypot checks as
well.

My main observation is that senders included in the default list you
posted will pass postscreen anyway, and the additional benefit is to
exclude them from RBL checks, because the vast majority of users would
like to still allow them, even if they hit some RBLs from time to time.

The other benefit is a huge saving on DNS queries and (for me)
avoiding greylisting if some otherwise good server finds its way onto
an RBL.

I also added some hosts to my list from banks, Amazon SES etc. I have
about 800 lines in the generated file, which is reasonable. I have about
60-75% passing connections whitelisted now.

Karol




--
Karol Augustin
[hidden email]
http://karolaugustin.pl/
+353 85 775 5312
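Karol's suggestion of rounding the generated IPv6 entries to /64 or /56 is easy to prototype. The script below is an added example, not part of postwhite or Postfix: it assumes the whitelist is a Postfix cidr table in the "network action" form that postscreen_access_list reads, widens every IPv6 entry to a chosen prefix, and merges overlapping or duplicate networks so daily rotation inside a provider's /64 no longer produces churn. The sample table is constructed from documentation address ranges, not real provider netblocks.

```python
# Added example (not postwhite's or Postfix's code): round IPv6 entries of a
# postscreen_access_list-style cidr table to a coarser prefix and merge
# overlaps, so the table stays short and stable across SPF/IPv6 rotation.
import ipaddress
from typing import Dict, List

# Constructed sample in "network action" cidr format. 192.0.2.0/24,
# 203.0.113.0/24 and 2001:db8::/32 are documentation ranges, not real senders.
SAMPLE_CIDR = """\
# webmail (constructed)
2001:db8:1::1 permit
2001:db8:1::2 permit
2001:db8:1:0:ffff::/96 permit
2001:db8:2::/48 permit
192.0.2.0/24 permit
192.0.2.64/26 permit
203.0.113.7 permit
"""


def round_v6(net: ipaddress.IPv6Network, max_prefix: int) -> ipaddress.IPv6Network:
    """Widen an IPv6 network to at most /max_prefix (e.g. 64 or 56)."""
    if net.prefixlen <= max_prefix:
        return net                      # already coarse enough
    return net.supernet(new_prefix=max_prefix)


def normalize_access_list(text: str, v6_prefix: int = 64) -> List[str]:
    """Parse 'network action' lines, round IPv6 entries to v6_prefix and
    collapse duplicates/overlaps per action. Returns new cidr-table lines."""
    per_action: Dict[str, list] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        cidr = parts[0]
        action = parts[1] if len(parts) > 1 else "permit"  # assumed default
        net = ipaddress.ip_network(cidr, strict=False)     # bare IP -> /32,/128
        if net.version == 6:
            net = round_v6(net, v6_prefix)
        per_action.setdefault(action, []).append(net)

    out: List[str] = []
    for action, nets in per_action.items():
        # collapse_addresses refuses mixed families, so split v4 and v6.
        v4 = [n for n in nets if n.version == 4]
        v6 = [n for n in nets if n.version == 6]
        merged = list(ipaddress.collapse_addresses(v4)) + \
                 list(ipaddress.collapse_addresses(v6))
        out.extend(f"{n.with_prefixlen} {action}" for n in merged)
    return out


if __name__ == "__main__":
    for line in normalize_access_list(SAMPLE_CIDR, v6_prefix=64):
        print(line)
```

Run it over the file postwhite generates before handing it to postscreen (or call it from the cron job that regenerates the list); seven sample lines collapse to four, and the three hosts inside the same /64 become one entry.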

Re: postwhite? (why not?)

Wietse Venema
In reply to this post by mrobti
MRob:
> Asking for opinions about postwhite.
> https://github.com/stevejenkins/postwhite
>
> Below is the default whitelist domains. It's nice idea, but what about
> the time when spammers got hold of 10.000 hotmail accounts?

Perhaps it is time to repeat what postscreen is and is not.

Don't use postscreen to block spam. Use postscreen to block spambots.
Those who misunderstand the difference will be disappointed.

In particular, hotmail is not a spambot, therefore it should not
be blocked by postscreen.

        Wietse

Re: postwhite? (why not?)

J Doe
Hi Wietse,

> On Mar 2, 2018, at 10:15 AM, Wietse Venema <[hidden email]> wrote:
>
> Perhaps it is time to repeat what postscreen is and is not.
>
> Don't use postscreen to block spam. Use postscreen to block spambots.
> Those who misunderstand the difference will be disappointed.
>
> In particular, hotmail is not a spambot, therefore it should not
> be blocked by postscreen.
>
>    Wietse

I have been using the following in my /etc/postfix/main.cf:

    postscreen_dnsbl_sites = bl.spamcop.net, zen.spamhaus.org
    postscreen_dnsbl_action = drop

While this weeds out spambots I imagine it is weeding out spam sources as well.  As a point of clarification, should I list DNSBL sites specifically for spambots here and then have a separate list of DNSBLs for just spam on the smtpd restrictions?

Thanks,

- J

Re: postwhite? (why not?)

Wietse Venema
J Doe:
> Hi Wietse,
>
> > On Mar 2, 2018, at 10:15 AM, Wietse Venema <[hidden email]> wrote:
> >
> > Perhaps it is time to repeat what postscreen is and is not.
> >
> > Don't use postscreen to block spam. Use postscreen to block spambots.
> > Those who misunderstand the difference will be disappointed.

For example, all blacksmiths are black, therefore all black people
are blacksmiths.

> > In particular, hotmail is not a spambot, therefore it should not
> > be blocked by postscreen.
>
> I have been using the following in my /etc/postfix/main.cf:
>
>     postscreen_dnsbl_sites = bl.spamcop.net, zen.spamhaus.org
>     postscreen_dnsbl_action = drop
>
> While this weeds out spambots I imagine it is weeding out spam
> sources as well

Postscreen blocks sites based on:

- Their reputation that they don't send legitimate mail.
  zen.spamhaus.org and bl.spamcop.net are examples of that.

- Their behavior. The postscreen pregreet test is an example of that.

        Wietse

Re: postwhite? (why not?)

mrobti
In reply to this post by Karol Augustin
On 2018-03-02 13:46, Karol Augustin wrote:

> On 2018-03-02 12:09, MRob wrote:
>> Asking for opinions about postwhite.
>> https://github.com/stevejenkins/postwhite
>>
>> Below is the default whitelist domains. It's nice idea, but what about
>> the time when spammers got hold of 10.000 hotmail accounts?
>>
>> OTOH this is only for postscreen and not whitelisted your antispam
>> engine so seems like a good idea. Really like to know arguments
>> against using this, please speak up.
>>
>>
>>
>> webmail_hosts="aol.com google.com microsoft.com outlook.com
>> hotmail.com gmx.com icloud.com mail.com inbox.com zoho.com
>> fastmail.com"
>>
>> social_hosts="facebook.com facebookmail.com twitter.com pinterest.com
>> instagram.com tumblr.com reddit.com linkedin.com"
>>
>> commerce_hosts="craigslist.org amazon.com ebay.com paypal.com"
>>
>> bulk_hosts="sendgrid.com sendgrid.net mailchimp.com exacttarget.com
>> cust-spf.exacttarget.com constantcontact.com icontact.com mailgun.com
>> fishbowl.com fbmta.com mailjet.com sparkpost.com sparkpostmail.com"
>>
>> misc_hosts="zendesk.com github.com"
>
> I also added some hosts to my list from banks, Amazon SES etc. I have
> about 800 lines in the generated file, which is reasonable. I have
> about 60-75% passing connections whitelisted now.

Would you share those you've added?

Re: postwhite? (why not?)

Karol Augustin
On 2018-03-03 5:06, MRob wrote:
> On 2018-03-02 13:46, Karol Augustin wrote:
>> I also added some hosts to my list from banks, Amazon SES etc. I have
>> about 800 lines in the generated file, which is reasonable. I have about
>> 60-75% passing connections whitelisted now.
>
> Would you share those you've added?

custom_hosts="ulsterbank.com amazonses.com nodeping.com
spamassassin.apache.org outages.org paypal.com allegro.pl"

k.


--
Karol Augustin
[hidden email]
http://karolaugustin.pl/
+353 85 775 5312

Re: postwhite? (why not?)

J Doe
In reply to this post by Wietse Venema
Hi Wietse,

> On Mar 2, 2018, at 1:49 PM, Wietse Venema <[hidden email]> wrote:
>
> Postscreen blocks sites based on:
>
> - Their reputation that they don't send legitimate mail.
>  zen.spamhaus.org and bl.spamcop.net are examples of that.
>
> - Their behavior. The postscreen pregreet test is an example of that.
>
>    Wietse

Ok.  I am definitely making use of the zombie detection (pre-greeting, etc.), but I also use the DNSRBLs on postscreen.  I was under the possibly mistaken impression that this was a bit more efficient instead of having a spam source connect, possibly negotiate STARTTLS and then start an SMTP transaction and then have it rejected based on smtpd restrictions.

Should I then continue to use postscreen for the zombie detection but then move my DNSRBL entries to smtpd restrictions?

Apologies for belabouring the point - I’m just not understanding.

Thanks,

- J



Re: postwhite? (why not?)

Wietse Venema
J Doe:

> Hi Wietse,
>
> > On Mar 2, 2018, at 1:49 PM, Wietse Venema <[hidden email]> wrote:
> >
> > Postscreen blocks sites based on:
> >
> > - Their reputation that they don't send legitimate mail.
> >  zen.spamhaus.org and bl.spamcop.net are examples of that.
> >
> > - Their behavior. The postscreen pregreet test is an example of that.
> >
> >    Wietse
>
> Ok.  I am definitely making use of the zombie detection (pre-greeting,
> etc.), but I also use the DNSRBLs on postscreen.  I was under the
> possibly mistaken impression that this was a bit more efficient
> instead of having a spam source connect, possibly negotiate STARTTLS
> and then start a SMTP transaction and then have it rejected based
> on smtpd restrictions.
>
> Should I then continue to use postscreen for the zombie detection
> but then move my DNSRBL entries to smtpd restrictions ?

postscreen handles multiple sessions in parallel. Only clients that
"PASS" are allowed to talk to an SMTP daemon process. In a world
where most email comes from spambots, this is more efficient than
always spending one SMTP daemon process on every client.

        wietse

Re: postwhite? (why not?)

Bill Cole-3
In reply to this post by J Doe
On 3 Mar 2018, at 14:25, J Doe wrote:

> Should I then continue to use postscreen for the zombie detection but
> then move my DNSRBL entries to smtpd restrictions ?
>
> Apologies for belabouring the point - I’m just not understanding.

Not all DNSBLs are equivalent. SOME are suited for use in postscreen as
absolute bans, e.g. Spamhaus Zen. The postscreen DNSBL configuration
should be designed to only block IPs that *only* send spam. There are
DNSBLs designed to be hyper-sensitive, to not give any sender a free
pass, and to generate occasional collateral damage. There are DNSBLs
designed to be used in complex anti-spam systems and NOT as a unilateral
basis for blocking. Those sorts of DNSBL should not be used in
postscreen with a score at or above postscreen_dnsbl_threshold.

Re: postwhite? (why not?)

Karol Augustin
On 2018-03-05 6:39, Bill Cole wrote:

> On 3 Mar 2018, at 14:25, J Doe wrote:
>
>> Should I then continue to use postscreen for the zombie detection but then move my DNSRBL entries to smtpd restrictions ?
>>
>> Apologies for belabouring the point - I’m just not understanding.
>
> Not all DNSBLs are equivalent. SOME are suited for use in postscreen
> as absolute bans, e.g. Spamhaus Zen. The postscreen DNSBL
> configuration should be designed to only block IPs that *only* send
> spam. There are DNSBLs designed to be hyper-sensitive, to not give any
> sender a free pass, and to generate occasional collateral damage.
> There are DNSBLs designed to be used in complex anti-spam systems and
> NOT as a unilateral basis for blocking. Those sorts of DNSBL should
> not be used in postscreen with a score at or above
> postscreen_dnsbl_threshold.

Hi Bill,

Would you mind sharing which RBLs you recommend to use in postscreen?

k.

--
Karol Augustin
[hidden email]
http://karolaugustin.pl/
+353 85 775 5312

Re: postwhite? (why not?)

Matus UHLAR - fantomas
>> On 3 Mar 2018, at 14:25, J Doe wrote:
>>> Should I then continue to use postscreen for the zombie detection but then move my DNSRBL entries to smtpd restrictions ?
>>>
>>> Apologies for belabouring the point - I’m just not understanding.

>On 2018-03-05 6:39, Bill Cole wrote:
>> Not all DNSBLs are equivalent. SOME are suited for use in postscreen
>> as absolute bans, e.g. Spamhaus Zen. The postscreen DNSBL
>> configuration should be designed to only block IPs that *only* send
>> spam. There are DNSBLs designed to be hyper-sensitive, to not give any
>> sender a free pass, and to generate occasional collateral damage.
>> There are DNSBLs designed to be used in complex anti-spam systems and
>> NOT as a unilateral basis for blocking. Those sorts of DNSBL should
>> not be used in postscreen with a score at or above
>> postscreen_dnsbl_threshold.

On 05.03.18 08:59, Karol Augustin wrote:
>Would you mind sharing which RBLs you recommend to use in postscreen?

I don't see problems having spamhaus, sorbs and spamcop at postscreen level,
especially when someone adds e.g. dnswl weighing -1 too.

very simple example:
postscreen_dnsbl_sites = zen.spamhaus.org, dnsbl.sorbs.net, bl.spamcop.net, list.dnswl.org*-1

you can play with weighting blacklists and whitelists, and/or tuning
postscreen_dnsbl_threshold

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
If Barbie is so popular, why do you have to buy her friends?

Re: postwhite? (why not?)

Matus UHLAR - fantomas
>>>On 3 Mar 2018, at 14:25, J Doe wrote:
>>>>Should I then continue to use postscreen for the zombie detection but then move my DNSRBL entries to smtpd restrictions ?

I forgot to add: when you use dnsbl entries at postscreen level, you
apparently won't need them in other postfix restrictions.

if you use a spam filter, e.g. spamassassin, leave the rest to it.

>>On 2018-03-05 6:39, Bill Cole wrote:
>>>Not all DNSBLs are equivalent. SOME are suited for use in postscreen
>>>as absolute bans, e.g. Spamhaus Zen. The postscreen DNSBL
>>>configuration should be designed to only block IPs that *only* send
>>>spam. There are DNSBLs designed to be hyper-sensitive, to not give any
>>>sender a free pass, and to generate occasional collateral damage.
>>>There are DNSBLs designed to be used in complex anti-spam systems and
>>>NOT as a unilateral basis for blocking. Those sorts of DNSBL should
>>>not be used in postscreen with a score at or above
>>>postscreen_dnsbl_threshold.
>
>On 05.03.18 08:59, Karol Augustin wrote:
>>Would you mind sharing which RBLs you recommend to use in postscreen?

On 05.03.18 16:54, Matus UHLAR - fantomas wrote:
>I don't see problems having spamhaus, sorbs and spamcop at postscreen level,
>especially when someone adds e.g. dnswl weighing -1 too.
>
>very simple example:
>postscreen_dnsbl_sites = zen.spamhaus.org, dnsbl.sorbs.net, bl.spamcop.net, list.dnswl.org*-1
>
>you can play with weighing blacklists and whitelists, and/or tuning
>postscreen_dnsbl_threshold

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
My mind is like a steel trap - rusty and illegal in 37 states.

Re: postwhite? (why not?)

Bill Cole-3
In reply to this post by Karol Augustin
On 5 Mar 2018, at 3:59, Karol Augustin wrote:

> On 2018-03-05 6:39, Bill Cole wrote:
>> On 3 Mar 2018, at 14:25, J Doe wrote:
>>
>>> Should I then continue to use postscreen for the zombie detection
>>> but then move my DNSRBL entries to smtpd restrictions ?
>>>
>>> Apologies for belabouring the point - I’m just not understanding.
>>
>> Not all DNSBLs are equivalent. SOME are suited for use in postscreen
>> as absolute bans, e.g. Spamhaus Zen. The postscreen DNSBL
>> configuration should be designed to only block IPs that *only* send
>> spam. There are DNSBLs designed to be hyper-sensitive, to not give any
>> sender a free pass, and to generate occasional collateral damage.
>> There are DNSBLs designed to be used in complex anti-spam systems and
>> NOT as a unilateral basis for blocking. Those sorts of DNSBL should
>> not be used in postscreen with a score at or above
>> postscreen_dnsbl_threshold.
>
> Hi Bill,
>
> Would you mind sharing which RBLs you recommend to use in postscreen?

postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.2*2
     zen.spamhaus.org=127.0.0.3*2 zen.spamhaus.org=127.0.0.4*2
     zen.spamhaus.org=127.0.0.10*2 zen.spamhaus.org=127.0.0.11*2
     psbl.surriel.com=127.0.0.2*1 ix.dnsbl.manitu.net=127.0.0.2*1
postscreen_dnsbl_threshold = 2

For my own system I also use 2 local DNSBLs scored at 1 (both are full
of non-spam sources by design) and reuse all of those and more in smtpd,
with whitelisting of various sorts to protect mail that needs
protecting. That's a bespoke config that isn't suitable for most sites.
(And those local DNSBLs tell intentional lies to the outside world
anyway.)


FQRDNS blacklist why not? Re: postwhite? (why not?)

mrobti
In reply to this post by Bill Cole-3
Bill Cole said:
> The postscreen DNSBL
> configuration should be designed to only block IPs that *only* send
> spam.

So why, I'd like to ask, is the fqrdns list not recommended for use in
postscreen?
https://github.com/stevejenkins/hardwarefreak.com-fqrdns.pcre

It's maintained by the same person as postwhite so I guess that means he
knows a good reason why not to outright blacklist the clients in that
list.

Re: FQRDNS blacklist why not? Re: postwhite? (why not?)

Noel Jones-2
On 3/5/2018 3:38 PM, MRob wrote:

> Bill Cole said:
>> The postscreen DNSBL
>> configuration should be designed to only block IPs that *only* send
>> spam.
>
> So why, I'd like to ask, is the fqrdns list not recommended for use in
> postscreen?
> https://github.com/stevejenkins/hardwarefreak.com-fqrdns.pcre
>
> It's maintained by the same person as postwhite so I guess that means he
> knows a good reason why not to outright blacklist the clients in that
> list.


By design, postscreen operates on the client IP only, and the rDNS
hostname is not available.  This is intentional to keep performance
high and latency low.

The fqrdns.pcre operates on the rDNS hostname of the connecting
client, which isn't available in postscreen.

Consequently, by design the fqrdns.pcre cannot work in postscreen,
and should not be used there.




  -- Noel Jones

Re: FQRDNS blacklist why not? Re: postwhite? (why not?)

Benny Pedersen-2
In reply to this post by mrobti
MRob skrev den 2018-03-05 22:38:
> Bill Cole said:
>> The postscreen DNSBL
>> configuration should be designed to only block IPs that *only* send
>> spam.
>
> So why, I'd like to ask, is the fqrdns list not recommended for use in
> postscreen?
> https://github.com/stevejenkins/hardwarefreak.com-fqrdns.pcre

too much fp

> It's maintained by the same person as postwhite so I guess that means he
> knows a good reason why not to outright blacklist the clients in that
> list.

postscreen is not meant for testing that data

Re: FQRDNS blacklist why not? Re: postwhite? (why not?)

Bill Cole-3
In reply to this post by mrobti
On 5 Mar 2018, at 16:38, MRob wrote:

> Bill Cole said:
>> The postscreen DNSBL
>> configuration should be designed to only block IPs that *only* send
>> spam.
>
> So why, I'd like to ask, is the fqrdns list not recommended for use in
> postscreen?

Did you see "DNSBL" in that sentence? The "fqrdns" list is not a DNSBL.

With that said, I don't use it because:

1. I find it generally superfluous given my other defenses.
2. I would never want to use it in postscreen because it is not designed
to identify only known spam-only sources.
3. I don't believe it is possible to use it in postscreen because it
relies on domain names, while postscreen_access_list only looks up the
client IP.

spamhaus zen response codes in postscreen Re: postwhite? (why not?)

mrobti
In reply to this post by Bill Cole-3
On 2018-03-05 18:05, Bill Cole wrote:
>> Would you mind sharing which RBLs you recommend to use in postscreen?
>
> postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.2*2
>     zen.spamhaus.org=127.0.0.3*2 zen.spamhaus.org=127.0.0.4*2
>     zen.spamhaus.org=127.0.0.10*2 zen.spamhaus.org=127.0.0.11*2

Why list all these, are there zen response codes that you don't want to
blacklist?


manitu.net RBL, opinions? Re: postwhite? (why not?)

mrobti
In reply to this post by Bill Cole-3
On 2018-03-05 18:05, Bill Cole wrote:
>> Would you mind sharing which RBLs you recommend to use in postscreen?
>
> postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.2*2
>     zen.spamhaus.org=127.0.0.3*2 zen.spamhaus.org=127.0.0.4*2
>     zen.spamhaus.org=127.0.0.10*2 zen.spamhaus.org=127.0.0.11*2
>     psbl.surriel.com=127.0.0.2*1 ix.dnsbl.manitu.net=127.0.0.2*1

I just learned of the manitu.net RBL; is it helpful? Bill, you don't use
things like barracuda.net, spamcop, whatever that monkey one is,
mailspike. Is manitu a good replacement for all those?
