Posted to users@spamassassin.apache.org by Marc Perkel <ma...@perkel.com> on 2006/06/22 16:15:06 UTC

DNS Whitelists

Are there any DNS based whitelists out there? If not - shouldn't we 
build one?

I need two different kinds of DNS whitelists. One would be hosts that 
NEVER send spam. Large banks, etc.

The second list is a list of hosts that should never be blacklisted. 
These are hosts that might send some spam but should never accidentally 
be blacklisted because of it. Examples would be *.aol.com, 
*.earthlink.net, *.yahoo.com. The idea here is for those of us who are 
trying to build really reliable blacklists to reference these lists as 
hosts to never blacklist.

Any thoughts on this?


Re: DNS Whitelists

Posted by Marc Perkel <ma...@perkel.com>.

JamesDR wrote:
> Marc Perkel wrote:
>> I'm not thinking links, What I want to do is whitelist based on the 
>> host name of the server connecting to my server.
>>
>>
> Why use the host name? The way I see it is you want to whitelist a 
> server, there already exists a way for SA to do a lookup based upon 
> IP, why not go that route? If they are a constant sender of mail, then 
> the IP shouldn't change very often (talking years here.) You could do 
> the standard method of lookup, then instead of assigning a positive 
> score, assign a negative one.
>
> My $0.02

The reason for using the hostname is that if say earthlink adds more 
servers that resolve as *.earthlink.net then they would automatically be 
included.


Re: DNS Whitelists

Posted by JamesDR <ja...@trusswood.net>.
Marc Perkel wrote:
> I'm not thinking links, What I want to do is whitelist based on the host 
> name of the server connecting to my server.
> 
> 
Why use the host name? The way I see it is you want to whitelist a 
server, there already exists a way for SA to do a lookup based upon IP, 
why not go that route? If they are a constant sender of mail, then the 
IP shouldn't change very often (talking years here.) You could do the 
standard method of lookup, then instead of assigning a positive score, 
assign a negative one.

My $0.02
-- 
Thanks,
James


Re: DNS Whitelists

Posted by jdow <jd...@earthlink.net>.
From: "Marc Perkel" <ma...@perkel.com>

> Matt Kettler wrote:
>> Marc Perkel wrote:
>>   
>>> I'm not thinking links, What I want to do is whitelist based on the
>>> host name of the server connecting to my server.
>>>
>>>     
>> You mean like bondedsender, and the current incarnation of Habeas?
>> (Habeas is no longer based on the SWE haiku)
>>   
> 
> Here's what I'm thinking. There are hosts out there who never send a 
> single spam. And the host is something that spammers can't fake. So if 
> we could somehow track that we could build a DNS list of hosts that 
> don't have to be tested with SA or could just sail through with no other 
> testing. For example, if the host name of the server that connects to me 
> is *.paypal.com then I know it's not spam. So why bother with any other 
> tests.
> 
> SA is slow and resource intensive. So what I try to do is avoid it with 
> DNS lists and Exim rules and use SA for what's left. This allows me to 
> process far more spam per server than if I ran SA on everything.
> 
> Also - I'm attempting to build a dns blacklist and I feed spam to other 
> services like spamcop so that they can blacklist off of my feed. So on 
> that feed and the data I forward I want to make sure that I never 
> accidentally block earthlink or gmail or aol or other hosts who do send 
> some spam. So that whitelist is for making sure that the host is never 
> blacklisted.
> 
> Does anyone have a list of the major email providers like yahoo, gmail, 
> earthlink, etc who have some spam but should not be blacklisted in DNS 
> lists?

Good idea. However, in past months I have received emailings from
E-Bay (correct path and all) and PayPal (aka e-bay and with correct
path and all) that are spams. I've also received email that is
genuine (and spam for a PayPal service) from a mailing service
PayPal apparently contracted with. I'd not make absolute decisions
on such a list given the computing power needed. Of course, this
is pretty much a one each followed by a several hour wait, me
logging into my appropriate account, sending a nastygram from
the account, and turning off these messages AGAIN. I typed in the
addresses. And waited for potential DNS contamination to perhaps
decay. (I did check the IP address for a "host" command just to
be paranoid.)

{o.o}

Re: DNS Whitelists

Posted by Marc Perkel <ma...@perkel.com>.

Matt Kettler wrote:
> Marc Perkel wrote:
>   
>> I'm not thinking links, What I want to do is whitelist based on the
>> host name of the server connecting to my server.
>>
>>     
> You mean like bondedsender, and the current incarnation of Habeas?
> (Habeas is no longer based on the SWE haiku)
>   

Here's what I'm thinking. There are hosts out there who never send a 
single spam. And the host is something that spammers can't fake. So if 
we could somehow track that we could build a DNS list of hosts that 
don't have to be tested with SA or could just sail through with no other 
testing. For example, if the host name of the server that connects to me 
is *.paypal.com then I know it's not spam. So why bother with any other 
tests.

SA is slow and resource intensive. So what I try to do is avoid it with 
DNS lists and Exim rules and use SA for what's left. This allows me to 
process far more spam per server than if I ran SA on everything.

Also - I'm attempting to build a dns blacklist and I feed spam to other 
services like spamcop so that they can blacklist off of my feed. So on 
that feed and the data I forward I want to make sure that I never 
accidentally block earthlink or gmail or aol or other hosts who do send 
some spam. So that whitelist is for making sure that the host is never 
blacklisted.

Does anyone have a list of the major email providers like yahoo, gmail, 
earthlink, etc who have some spam but should not be blacklisted in DNS 
lists?
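
Added example (not part of the original post): a hostname whitelist check for the connecting server that matches names such as *.earthlink.net only after the PTR name is confirmed by a forward lookup, since a PTR record by itself is set by whoever controls the reverse zone. The suffix list, function names and sample DNS data are assumptions constructed for illustration.

```python
import socket

# Hypothetical "never blacklist" suffixes, using providers named in the thread.
NEVER_BLACKLIST = ("aol.com", "earthlink.net", "yahoo.com")

def system_ptr(ip):
    """Reverse (PTR) lookup through the system resolver; None if there is none."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_addrs(host):
    """Forward lookup through the system resolver; empty set on failure."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(host, None)}
    except OSError:
        return set()

def whitelisted_suffix(ip, ptr=system_ptr, addrs=system_addrs,
                       suffixes=NEVER_BLACKLIST):
    """Return the matching suffix if ip has a forward-confirmed PTR name
    under a listed domain, otherwise None."""
    host = ptr(ip)
    if not host:
        return None
    host = host.rstrip(".").lower()
    # Forward-confirm: the PTR name must resolve back to the connecting IP.
    if ip not in addrs(host):
        return None
    for suffix in suffixes:
        # Match on a label boundary so "notaol.com" does not pass as aol.com.
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None

# Constructed sample DNS data (documentation address ranges) so this runs offline.
PTR = {"192.0.2.10": "mx1.earthlink.net.",   # PTR and A agree
       "198.51.100.7": "mail.aol.com",       # PTR claims aol.com, A disagrees
       "203.0.113.5": "mx.notaol.com"}       # confirmed, but not under aol.com
A = {"mx1.earthlink.net": {"192.0.2.10"},
     "mail.aol.com": {"192.0.2.99"},
     "mx.notaol.com": {"203.0.113.5"}}

def demo():
    return {ip: whitelisted_suffix(ip, PTR.get, lambda h: A.get(h, set()))
            for ip in PTR}

if __name__ == "__main__":
    print(demo())
```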


Re: DNS Whitelists

Posted by Matt Kettler <mk...@comcast.net>.
Marc Perkel wrote:
> I'm not thinking links, What I want to do is whitelist based on the
> host name of the server connecting to my server.
>
You mean like bondedsender, and the current incarnation of Habeas?
(Habeas is no longer based on the SWE haiku)

RE: DNS Whitelists

Posted by Dallas Engelken <da...@uribl.com>.
> Actually what I was thinking of was a DNS version of this list so that
> other applications can use it. 

oh i see..  well SA couldn't use it without someone writing a plugin then.

dallase
http://uribl.com

Re: DNS Whitelists

Posted by Marc Perkel <ma...@perkel.com>.

Dallas Engelken wrote:
>> -----Original Message-----
>> From: Marc Perkel [mailto:marc@perkel.com] 
>> Sent: Thursday, June 22, 2006 09:30
>> To: dallase@uribl.com
>> Cc: users@spamassassin.apache.org
>> Subject: Re: DNS Whitelists
>>
>> I'm not thinking links, What I want to do is whitelist based 
>> on the host name of the server connecting to my server.
>>
>>     
>
> isn't that what whitelist_rcvd_from is for?
>
> is that what http://www.rulesemporium.com/rules/70_sare_whitelist.cf is for?
>
> what am i missing here?
>
> dallase
> http://uribl.com
>   

Thanks for that list. Actually what I was thinking of was a DNS version 
of this list so that other applications can use it. Also, because SA is 
expensive to run I try to see what ham/spam I can identify up front and 
just use SA to do the rest. Right now I only run 5% of my email through SA.


RE: DNS Whitelists

Posted by Dallas Engelken <da...@uribl.com>.
> -----Original Message-----
> From: Marc Perkel [mailto:marc@perkel.com] 
> Sent: Thursday, June 22, 2006 09:30
> To: dallase@uribl.com
> Cc: users@spamassassin.apache.org
> Subject: Re: DNS Whitelists
> 
> I'm not thinking links, What I want to do is whitelist based 
> on the host name of the server connecting to my server.
> 

isn't that what whitelist_rcvd_from is for?

is that what http://www.rulesemporium.com/rules/70_sare_whitelist.cf is for?

what am i missing here?

dallase
http://uribl.com


Re: DNS Whitelists

Posted by Marc Perkel <ma...@perkel.com>.
I'm not thinking links, What I want to do is whitelist based on the host 
name of the server connecting to my server.

RE: DNS Whitelists

Posted by Dallas Engelken <da...@uribl.com>.
> -----Original Message-----
> From: Marc Perkel [mailto:marc@perkel.com] 
> Sent: Thursday, June 22, 2006 09:15
> To: users@spamassassin.apache.org
> Subject: DNS Whitelists
> 
> Are there any DNS based whitelists out there? If not - 
> shouldn't we build one?
> 
> I need two different kinds of DNS whitelists. One would be 
> hosts that NEVER send spam. Large banks, etc.
> 
> The second list is a list of hosts that should never be blacklisted. 
> These are hosts that might send some spam but should never 
> accidentally be blacklisted because of it. Examples would be 
> *.aol.com, *.earthlink.net, *.yahoo.com. The idea here is for 
> those of us who are trying to build really reliable 
> blacklists to reference these lists as hosts to never blacklist.
> 
> Any thoughts on this?
> 
> 

# ping aol.com.white.uribl.com
PING aol.com.white.uribl.com (127.0.0.2) 56(84) bytes of data.
64 bytes from localhost (127.0.0.2): icmp_seq=1 ttl=64 time=0.095 ms

# ping otherdomain.com.white.uribl.com
ping: unknown host otherdomain.com.white.uribl.com


white.uribl.com will probably do exactly what you want here... but just
realize spammers can include these domains in their spam also.

you could always do something like...

# Score URLs found on the URIBL blacklist
urirhssub       URIBL_BLACK     multi.uribl.com.        A   2
body            URIBL_BLACK     eval:check_uridnsbl('URIBL_BLACK')
describe        URIBL_BLACK     Contains an URL listed in the URIBL blacklist
tflags          URIBL_BLACK     net
score           URIBL_BLACK     3

# Credit URLs found on the URIBL whitelist
urirhssub       URIBL_WHITE     white.uribl.com.        A   2
body            URIBL_WHITE     eval:check_uridnsbl('URIBL_WHITE')
describe        URIBL_WHITE     Contains an URL listed in the URIBL whitelist
tflags          URIBL_WHITE     net
score           URIBL_WHITE     -2

# When both lists hit, add a point back to offset part of the whitelist credit
meta            URIBL_COMPENSATE  (URIBL_BLACK && URIBL_WHITE)
describe        URIBL_COMPENSATE  Contains an URL listed on both URIBL black and white
score           URIBL_COMPENSATE  1

dallase
http://uribl.com