rhsbl and subdomains?

rhsbl and subdomains?

Paul Hutchings
I'm experimenting with various measures to try and stop the amount of
spam we let in.

Rhsbl client and sender lookups seem quite effective, but how do I get
them to match on subdomains please?

Currently I'm accepting mail from mtaxyz.theliquidcomet.com or from
bill<at>whatever.theliquidcomet.com and of course it's not matching and
blocking it because of the subdomain.

The only setting I could see/find was parent_domain_matches_subdomains
which is currently empty.

Thanks in advance.


--
MIRA Ltd

Watling Street, Nuneaton, Warwickshire, CV10 0TU, England.

Registered in England and Wales No. 402570
VAT Registration  GB 114 5409 96

The contents of this e-mail are confidential and are solely for the use of the intended recipient.
If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax.
You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited.



Re: rhsbl and subdomains?

Justin Piszcz


On Sun, 25 May 2008, Paul Hutchings wrote:

> I'm experimenting with various measures to try and stop the amount of
> spam we let in.
>
> Rhsbl client and sender lookups seem quite effective, but how do I get
> them to match on subdomains please?
>
> Currently I'm accepting mail from mtaxyz.theliquidcomet.com or from
> bill<at>whatever.theliquidcomet.com and of course it's not matching and
> blocking it because of the subdomain.
>
> The only setting I could see/find was parent_domain_matches_subdomains
> which is currently empty.
>
> Thanks in advance.

Not possible, write a policy server to do it, I requested the same thing as
well, often spammers will put sjfdshdfhs.domain.com and in the RHSBL it only
lists the domain.com.  You need to create a custom policy server to do this,
although it would be very nice if postfix allowed a switch for this as well.

Justin.


RE: rhsbl and subdomains?

Paul Hutchings
That's a shame as I'm seeing a fair amount of spam from hosts/senders
where the sending IP isn't on any rbls (or at least not any that could
reasonably be used in a business environment) yet the client or sender
domain name is on the likes of surbl/uribl yet the random sub-domain the
spammers use doesn't trigger a match.

I'm not capable of writing anything, I know enough to get me by - does
anyone have any suggestions or is this feature in the pipeline with
Postfix?

Thanks in advance.


Re: rhsbl and subdomains?

Henrik K
In reply to this post by Justin Piszcz
On Sun, May 25, 2008 at 08:04:30AM -0400, Justin Piszcz wrote:

>
>
> On Sun, 25 May 2008, Paul Hutchings wrote:
>
>> I'm experimenting with various measures to try and stop the amount of
>> spam we let in.
>>
>> Rhsbl client and sender lookups seem quite effective, but how do I get
>> them to match on subdomains please?
>>
>> Currently I'm accepting mail from mtaxyz.theliquidcomet.com or from
>> bill<at>whatever.theliquidcomet.com and of course it's not matching and
>> blocking it because of the subdomain.
>>
>> The only setting I could see/find was parent_domain_matches_subdomains
>> which is currently empty.
>>
>> Thanks in advance.
>
> Not possible, write a policy server to do it, I requested the same thing as
> well, often spammers will put sjfdshdfhs.domain.com and in the RHSBL it only
> lists the domain.com.  You need to create a custom policy server to do this,
> although it would be very nice if postfix allowed a switch for this as well.

It's possible that there could be a legitimate.domain.com, resulting in FPs.
Also the client would need to parse all 2+ level domains properly
(http://spamcheck.freeapp.net/two-level-tlds etc).

It should be the blacklists' job to answer domains as wildcard when needed
(confirmed to be owned by some spammer etc). If someone doesn't do this, try
asking for it.
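
The policy-server route Justin points at, written to take Henrik's two caveats into account (stop at the registrable domain rather than at "the last two labels", and allow an exact hostname to be exempted when a good subdomain lives under a listed parent). This is an added example for the thread, not code from Postfix, from the list operators or from anyone posting here. Assumptions are marked in the code: the zone name is a placeholder for multi.uribl.com or multi.surbl.org, PUBLIC_SUFFIXES is a tiny constructed subset of the public suffix list, the TCP port is arbitrary, and the resolver is injectable so the decision logic can be exercised offline.

```python
"""Postfix SMTPD policy service: re-check an RHSBL against the parent
domains of the client hostname and the envelope-sender domain, so that a
listing for theliquidcomet.com also catches mtaxyz.theliquidcomet.com.
Assumptions: ZONE is a placeholder for multi.uribl.com or multi.surbl.org,
PUBLIC_SUFFIXES is a constructed subset, and the resolver is injectable."""
import socket
import socketserver

ZONE = "rhsbl.example.invalid"   # placeholder zone name (assumption)
# Constructed subset; production code loads the full public suffix list
# (https://publicsuffix.org/), which is the "2+ level domains" problem.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk", "pl", "com.pl"}


def candidate_domains(hostname, suffixes=PUBLIC_SUFFIXES):
    """Return hostname and each parent down to the registrable domain.
    The public suffix itself (and any bare TLD) is never returned."""
    labels = hostname.lower().rstrip(".").split(".")
    out = []
    for i in range(len(labels)):
        cand = ".".join(labels[i:])
        if cand in suffixes or "." not in cand:
            break
        out.append(cand)
    return out


def rhsbl_listed(domain, zone, resolve=socket.gethostbyname):
    """Query <domain>.<zone>; return the 127.0.0.x answer or None.
    Only 127.0.0.2-254 count as listings: some lists (uribl documents it)
    answer 127.0.0.1 to mean 'query refused', which must never reject."""
    try:
        answer = resolve(f"{domain}.{zone}")
    except socket.gaierror:          # NXDOMAIN: not listed
        return None
    octets = answer.split(".")
    if octets[:3] == ["127", "0", "0"] and 1 < int(octets[3]) < 255:
        return answer
    return None


def stub_resolver(table):
    """Offline stand-in for socket.gethostbyname: dict of qname -> answer,
    anything else raises the way an NXDOMAIN does."""
    def resolve(qname):
        if qname in table:
            return table[qname]
        raise socket.gaierror(-2, "Name or service not known")
    return resolve


def first_hit(names, zone, resolve=socket.gethostbyname, exempt=frozenset()):
    """Walk each name's parent chain; return (name, listed_parent, answer).
    'exempt' holds exact hostnames you trust under an otherwise listed
    parent, the legitimate.domain.com false-positive case."""
    for name in names:
        if name in exempt or "." not in name:   # also skips Postfix's "unknown"
            continue
        for parent in candidate_domains(name):
            answer = rhsbl_listed(parent, zone, resolve)
            if answer:
                return name, parent, answer
    return None


def parse_policy_request(text):
    """One Postfix policy request: name=value lines ended by a blank line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        key, _, value = line.partition("=")
        attrs[key] = value
    return attrs


def policy_decision(attrs, zone=ZONE, resolve=socket.gethostbyname, exempt=frozenset()):
    """Mirror reject_rhsbl_client / reject_rhsbl_sender, but on parent domains."""
    sender_domain = attrs.get("sender", "").rpartition("@")[2]
    names = [n for n in (attrs.get("client_name", ""), sender_domain) if n]
    hit = first_hit(names, zone, resolve, exempt)
    if hit is None:
        return "DUNNO"
    name, parent, answer = hit
    return f"REJECT {name} is under {parent}, listed by {zone} ({answer})"


class PolicyHandler(socketserver.StreamRequestHandler):
    """Postfix may send several requests over one connection."""
    def handle(self):
        while True:
            lines = []
            while (raw := self.rfile.readline()):
                line = raw.decode("utf-8", "replace").rstrip("\r\n")
                if not line:
                    break
                lines.append(line)
            if not lines:
                return
            action = policy_decision(parse_policy_request("\n".join(lines)))
            self.wfile.write(f"action={action}\n\n".encode())
            self.wfile.flush()


if __name__ == "__main__":
    # main.cf: check_policy_service inet:127.0.0.1:10040   (port is an assumption)
    socketserver.ThreadingTCPServer(("127.0.0.1", 10040), PolicyHandler).serve_forever()
```

Wire it in with check_policy_service after the cheap reject_* checks so it only sees mail that survived them. Every extra parent label is an extra DNS query per message, so put a caching resolver in front of it; the exempt set is the place for the hosts Henrik worries about.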


RE: rhsbl and subdomains?

Paul Hutchings
I can see the logic behind that, as you say it gets tricky with domains
where there are a mix of "good" and "bad" subdomains.

What do people do then?

I'm currently using as much as I believe I can get away with in the way
of client, helo, and sender checks, rbls, rhsbls, greylisting, almost
you name it, and I'm seeing stuff that is blatantly spam being flagged
correctly by spamassassin, but short of manual access maps there seems
no obviously reliable or partially automated way to stop it getting in, in
the first place?

smtpd_recipient_restrictions =
 check_client_access hash:/etc/postfix/client_blacklist,
 check_sender_access hash:/etc/postfix/sender_blacklist,
 check_recipient_maps,
 permit_mynetworks,
 reject_unauth_destination,
 check_client_access hash:/etc/postfix/client_whitelist,
 check_sender_access hash:/etc/postfix/sender_whitelist,
 check_helo_access regexp:/etc/postfix/helo_checks.regexp,
 reject_invalid_helo_hostname,
 reject_non_fqdn_helo_hostname,
 reject_non_fqdn_sender,
 reject_non_fqdn_recipient,
 reject_unknown_sender_domain,
 reject_unknown_reverse_client_hostname,
 reject_unauth_pipelining,
 reject_rbl_client zen.spamhaus.org,
 reject_rbl_client bl.spamcop.net,
 reject_rbl_client list.dsbl.org,
 reject_rbl_client dul.dnsbl.sorbs.net,
 reject_rbl_client web.dnsbl.sorbs.net,
 reject_rhsbl_client multi.uribl.com,
 reject_rhsbl_sender multi.uribl.com,
 reject_rhsbl_sender multi.surbl.org,
 reject_rhsbl_client multi.surbl.org,
 check_policy_service unix:private/spf,
 check_client_access regexp:/etc/postfix/greylist_dyn_fqdn.regexp,
 check_client_access regexp:/etc/postfix/greylist_hosts.regexp,
 permit


Re: rhsbl and subdomains?

mouss-2
In reply to this post by Paul Hutchings
Paul Hutchings wrote:
> That's a shame as I'm seeing a fair amount of spam from hosts/senders
> where the sending IP isn't on any rbls (or at least not any that could
> reasonably be used in a business environment) yet the client or sender
> domain name is on the likes of surbl/uribl

do surbl and uribl recommend blocking domains in client and sender?
alternatively: are there a lot of clients and senders that would be
caught this way (assuming only the "subdomain" is checked)? can you post
a few examples (with client IP, rdns, helo and sender please)?

> yet the random sub-domain the
> spammers use doesn't trigger a match.
> I'm not capable of writing anything, I know enough to get me by - does
> anyone have any suggestions or is this feature in the pipeline with
> Postfix?
>  

probably the best approach is a policy server.

Alternatively, try to get an rsync access to the zones. then you can
prepend "*." to all domains and use rbldnsd.



RE: rhsbl and subdomains?

MacShane, Tracy
In reply to this post by Paul Hutchings
> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]] On Behalf Of Paul Hutchings
> Sent: Sunday, 25 May 2008 11:13 PM
> To: postfix users list
> Subject: RE: rhsbl and subdomains?
>
> That's a shame as I'm seeing a fair amount of spam from
> hosts/senders where the sending IP isn't on any rbls (or at
> least not any that could reasonably be used in a business
> environment) yet the client or sender domain name is on the
> likes of surbl/uribl yet the random sub-domain the spammers
> use doesn't trigger a match.
>
> I'm not capable of writing anything, I know enough to get me
> by - does anyone have any suggestions or is this feature in
> the pipeline with Postfix?
>
> Thanks in advance.
>

I do a fair bit of semi-manual log parsing for these kinds of instances.
I compare the relative frequency of rejections for particular domains,
and if a threshold is exceeded over a number of days, I add the TLD to a
client_access check (such domains as res.rr.com, *dsl.tpnet.pl, ono.com,
etc). Obviously, I have another process to review these on a regular
basis, to see if hosts from these domains are still attempting regular
connections. There are less than 50 domains on my list, so it's not too
onerous to maintain.

It's obviously not as automated and flexible as a policy server, but
given the small/medium size of our organisation, it seems to work
reasonably well for us.
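
The log review described above, as an added example (my code, not Tracy MacShane's script): it parses Postfix smtpd reject lines, groups them by the parent domain of the rejected client's hostname, keeps the domains that exceed a rejection count over a number of distinct days, and renders them as check_client_access entries. The log lines in SAMPLE_LOG are constructed, the thresholds are assumptions to tune, and the REJECT text is a placeholder. The dotted form is there because Paul reports parent_domain_matches_subdomains as empty; access(5) says that with smtpd_access_maps not listed there, only ".domain.tld" matches subdomains.

```python
"""Rank Postfix smtpd reject lines by the parent domain of the rejected
client and emit check_client_access entries for the domains that keep
coming back, following the semi-manual review described in the thread.
Assumptions: SAMPLE_LOG is constructed, the thresholds are starting
points to tune, and the emitted REJECT text is a placeholder."""
import re
from collections import defaultdict

# Postfix 2.x smtpd reject line: "<Mon DD> <time> <host> postfix/smtpd[pid]:
# NOQUEUE: reject: RCPT from <rdns>[<ip>]: <code> ...". Other lines are ignored.
REJECT_RE = re.compile(
    r"^(?P<day>\w{3} +\d+) \S+ \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r"RCPT from (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3})"
)


def parent_domain(host):
    """Drop the first label: cpe-24-1.res.rr.com -> res.rr.com. Postfix logs
    'unknown' when rDNS fails; that and two-label names have no useful parent."""
    if host == "unknown" or host.count(".") < 2:
        return None
    return host.partition(".")[2].lower()


def tally(lines):
    """parent domain -> {log day: number of rejections}."""
    stats = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = REJECT_RE.match(line)
        dom = parent_domain(m["host"]) if m else None
        if dom:
            stats[dom][m["day"]] += 1
    return stats


def candidates(stats, min_days=3, min_total=20):
    """Domains rejected on at least min_days distinct days and min_total
    times in all, busiest first. Thresholds are assumptions to tune."""
    out = [(dom, len(per_day), sum(per_day.values()))
           for dom, per_day in stats.items()
           if len(per_day) >= min_days and sum(per_day.values()) >= min_total]
    return sorted(out, key=lambda t: (-t[2], t[0]))


def access_entries(cands, dotted=False):
    """Render an access(5) table for check_client_access (run postmap on it).
    Per access(5), 'domain.tld' also matches its subdomains only while
    parent_domain_matches_subdomains lists smtpd_access_maps (the default);
    with that parameter emptied, as in the thread, pass dotted=True to emit
    the '.domain.tld' form instead."""
    prefix = "." if dotted else ""
    lines = []
    for dom, days, total in cands:
        lines.append(f"# {total} rejections on {days} days; review regularly")
        lines.append(f"{prefix}{dom}\tREJECT Client domain blocked by local policy")
    return lines


# Constructed sample; real input is /var/log/mail.log or equivalent.
SAMPLE_LOG = """\
May 23 03:37:34 relay postfix/smtpd[2001]: NOQUEUE: reject: RCPT from cpe-24-1.res.rr.com[203.0.113.10]: 554 5.7.1 Service unavailable; Client host [203.0.113.10] blocked using zen.spamhaus.org; from=<a@example.net> to=<bob@example.org> proto=ESMTP helo=<cpe-24-1.res.rr.com>
May 23 11:02:10 relay postfix/smtpd[2002]: NOQUEUE: reject: RCPT from cpe-24-9.res.rr.com[203.0.113.11]: 554 5.7.1 Service unavailable; Client host [203.0.113.11] blocked using bl.spamcop.net; from=<b@example.net> to=<bob@example.org> proto=SMTP helo=<cpe-24-9.res.rr.com>
May 24 08:15:51 relay postfix/smtpd[2003]: NOQUEUE: reject: RCPT from cpe-24-1.res.rr.com[203.0.113.10]: 554 5.7.1 Service unavailable; Client host [203.0.113.10] blocked using zen.spamhaus.org; from=<c@example.net> to=<bob@example.org> proto=ESMTP helo=<cpe-24-1.res.rr.com>
May 24 09:40:02 relay postfix/smtpd[2004]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.5]: 450 4.1.8 <x@nx.example>: Sender address rejected: Domain not found; from=<x@nx.example> to=<bob@example.org> proto=ESMTP helo=<mail.example.org>
May 25 02:12:44 relay postfix/smtpd[2005]: NOQUEUE: reject: RCPT from cpe-88-3.res.rr.com[203.0.113.77]: 554 5.7.1 Service unavailable; Client host [203.0.113.77] blocked using zen.spamhaus.org; from=<d@example.net> to=<bob@example.org> proto=ESMTP helo=<cpe-88-3.res.rr.com>
May 25 02:13:01 relay postfix/smtpd[2006]: NOQUEUE: reject: RCPT from unknown[192.0.2.9]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [192.0.2.9]; from=<e@example.net> to=<bob@example.org> proto=SMTP helo=<foo>
May 25 04:00:00 relay postfix/smtpd[2007]: connect from cpe-24-1.res.rr.com[203.0.113.10]
"""

if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    print("\n".join(access_entries(candidates(tally(source), min_days=3, min_total=4))))
```

Feed it a few days of mail.log and review the output by hand before it goes into postmap; the comment line carries the counts so the regular re-check is a matter of rerunning and comparing.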

RE: rhsbl and subdomains?

Paul Hutchings
In reply to this post by mouss-2
As a couple of examples:

From - Sun May 25 15:16:19 2008
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-MimeOLE: Produced By Microsoft Exchange V6.5
Received: from relay.mira.co.uk ([193.35.217.1]) by mail03.mira.co.uk
with Microsoft SMTPSVC(6.0.3790.1830); Sun, 25 May 2008 03:37:38 +0100
Received: from v-160-254.theliquidcomet.com
(v-160-254.theliquidcomet.com [208.116.160.254]) by relay.mira.co.uk
(Postfix) with SMTP id 5B59E1FDEB for <[hidden email]>; Sun,
25 May 2008 03:37:34 +0100 (BST)
DKIM-Signature: v=1; a=rsa-sha1; c=simple;
d=theliquidcomet.com;h=from:to:subject:content-type:date:message-id;q=dn
s/txt; s=s512;
bh=uGWN8wlACn6+TOh7Xc5nrRaupS0=;b=a5Ro/ht7HQjozuHkoe8fFnMRTjRZVWZNnkk5z1
EA2qrm50Qbiudd9GJ02xRGiz66lNvmaJrmQXpt2q3pwI1fhA==;
Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys
DomainKey-Signature: a=rsa-sha1; q=dns; c=simple;s=s512;
d=theliquidcomet.com;b=bDlb4dSMAy3S2rYCL1BM88qxeByALIUIEcTmI+yg247KTkB7j
y9c5uBHXBCkVP+1nzHFeTP54JZC1cTB2RXL+w==;
Received: from v-160-254.theliquidcomet.com [208.116.160.254] by
theliquidcomet.com [208.116.160.254];  Sat, 24 May 2008 19:23:34 PST
MIME-Version: 1.0
From: "Experian" <[hidden email]>
To: <[hidden email]>
Subject: ***** Spam ***** , look at your Experian credit report now.
Content-Type: multipart/report;
        report-type=spam-notification;
        boundary="----=_NextPart_000_53C4A7_01C8BE71.EAF8420A"
Date: Sat, 24 May 2008 19:23:34 PST
Message-ID:
<[hidden email]>
X-MIRA-MailScanner-Watermark: 1212287856.73704@p7ruKKjwXq57HC0QZRihbw
X-MIRA-MailScanner-Information: Please contact your Help Desk for more
information
X-MailScanner-ID: 5B59E1FDEB.67C44
X-MIRA-MailScanner: Found to be clean
X-MIRA-MailScanner-SpamCheck: spam, SpamAssassin (not cached,
score=16.186,required 6, autolearn=spam, BAYES_99 3.50, DIGEST_MULTIPLE
0.00,DKIM_SIGNED 0.00, DKIM_VERIFIED -0.00, HTML_MESSAGE
0.00,PYZOR_CHECK 3.70, RATWARE_EFROM 1.53, RAZOR2_CF_RANGE_51_100
0.50,RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CF_RANGE_E8_51_100
1.50,RAZOR2_CHECK 0.50, URIBL_BLACK 1.96, URIBL_OB_SURBL 1.50)
X-MIRA-MailScanner-SpamScore: ssssssssssssssss
X-MIRA-MailScanner-From:
1-2471148-mira.co.uk?[hidden email]
X-Spam-Status: Yes
Return-Path:
<1-2471148-mira.co.uk?[hidden email]>
X-OriginalArrivalTime: 25 May 2008 02:37:38.0106 (UTC)
FILETIME=[4BD4F1A0:01C8BE10]



From - Sun May 25 15:16:19 2008
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-MimeOLE: Produced By Microsoft Exchange V6.5
Received: from relay.mira.co.uk ([193.35.217.1]) by mail03.mira.co.uk
with Microsoft SMTPSVC(6.0.3790.1830); Sun, 25 May 2008 09:06:06 +0100
Received: from mx246.activesegmode.com (mx246.activesegmode.com
[64.125.150.246]) by relay.mira.co.uk (Postfix) with SMTP id 2A0C31FDEA
for <[hidden email]>; Sun, 25 May 2008 09:05:59 +0100 (BST)
DKIM-Signature: v=1; a=rsa-sha1; c=simple;
d=activesegmode.com;h=from:to:subject:date:message-id:content-type;q=dns
/txt; s=s512;
bh=MkTZ8isGQy65pqLFa5b/ZRGHrrw=;b=mi/lldlF95uqlv7rvKK0uUuCyQQwQejFOpqmTD
jzdcRyzi7FTr+LU26gpabwKPIjjCXdev3P4njoBaHQvhbBSw==;
Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys
DomainKey-Signature: a=rsa-sha1; q=dns; c=simple;s=s512;
d=activesegmode.com;b=LSv/pB0yRR9IqBEGhkufDN/Rh/FDomTPZAYDepbB/yWbIA7UdT
gdlkB3yeSLQFkj80Xcjrhpd3ve2AkaVE4zqA==;
Received: from mx246.activesegmode.com [64.125.150.246] by
activesegmode.com [64.125.150.246];  Sat, 24 May 2008 20:38:39 PST
MIME-Version: 1.0
From: "GHD Gift Card Sweepstakes"
<[hidden email]>
To: <[hidden email]>
Subject:
=?iso-8859-1?Q?=2A=2A=2A=2A=2A_Spam_=2A=2A=2A=2A=2A_We=27re_giving_?=
        =?iso-8859-1?Q?away_=A3500?=
Date: Sat, 24 May 2008 20:38:39 PST
Message-ID:
<[hidden email]>
Content-Type: multipart/report;
        report-type=spam-notification;
        boundary="----=_NextPart_000_53C4D1_01C8BE71.EB042DC2"
X-MIRA-MailScanner-Watermark: 1212307561.52681@qUUOvMklLQcQP5M1Vz8Zsw
X-MIRA-MailScanner-Information: Please contact your Help Desk for more
information
X-MailScanner-ID: 2A0C31FDEA.8EE10
X-MIRA-MailScanner: Found to be clean
X-MIRA-MailScanner-SpamCheck: spam, SpamAssassin (not cached,
score=14.22,required 6, BAYES_99 3.50, DATE_IN_PAST_03_06 0.04,
DKIM_SIGNED 0.00,DKIM_VERIFIED -0.00, HTML_IMAGE_ONLY_28
1.56,HTML_IMAGE_RATIO_04 0.17, HTML_MESSAGE 0.00, MIME_HTML_ONLY
1.46,RATWARE_EFROM 1.53, RAZOR2_CF_RANGE_51_100
0.50,RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CF_RANGE_E8_51_100
1.50,RAZOR2_CHECK 0.50, SUBJECT_NEEDS_ENCODING 0.00, URIBL_BLACK 1.96)
X-MIRA-MailScanner-SpamScore: ssssssssssssss
X-MIRA-MailScanner-From:
2-7272199-mira.co.uk?[hidden email]
X-Spam-Status: Yes
Return-Path:
<2-7272199-mira.co.uk?[hidden email]>
X-OriginalArrivalTime: 25 May 2008 08:06:06.0233 (UTC)
FILETIME=[2ECA7890:01C8BE3E]


Re: rhsbl and subdomains?

mouss-2
Paul Hutchings wrote:
> As a couple of examples:
>  

the envelope sender (or Return-Path header) is missing. If it is the
same as what is in the From: header, then sender rhsbl on surbl/uribl
would catch. so I guess it is different from the From: header, which
would suggest that the spammers are intentionally using subdomains to
escape surbl/uribl?

uribl and surbl maintainers don't like to get too many queries, but if
you rsync the zones, you can use rbldns locally and include subdomains.
otherwise, a policy server seems the way to go.


Reply | Threaded
Open this post in threaded view
|

RE: rhsbl and subdomains?

Paul Hutchings
Sorry my mistake, you're correct the envelope header/client hostname was
using subdomains.

Would querying uribl/surbl and getting a match on subdomains cause them
to receive more queries?  Wouldn't the reverse be true as the result
would be cached locally after the first query rather than querying
mta123.domain.com and receiving "no match" and 2 seconds later querying
mta234.domain and receiving "no match" vs. querying domain.com and
receiving a match, IYSWIM?

Writing a policy server is way beyond my abilities, but if this email
has made anyone who could do so think "hmmm" feel free to let me know
:-)


Re: rhsbl and subdomains?

mouss-2
Paul Hutchings wrote:

> Sorry my mistake, you're correct the envelope header/client hostname was
> using subdomains.
>
> Would querying uribl/surbl and getting a match on subdomains cause them
> to receive more queries?  Wouldn't the reverse be true as the result
> would be cached locally after the first query rather than querying
> mta123.domain.com and receiving "no match" and 2 seconds later querying
> mta234.domain and receiving "no match" vs. querying domain.com and
> receiving a match, IYSWIM?
>  

sorry, I wasn't clear. I meant they prefer to get query for "domain.com"
only, just like you say.

Now the problem is that the extraction of the "base" domain is heuristic
(it uses a list of country TLDs) rather than standard.

> Writing a policy server is way beyond my abilities, but if this email
> has made anyone who could do so think "hmmm" feel free to let me know
> :-)
>  

looks like a feature for postfwd... (or policyd-weight if someone wants
to maintain it).