Posted to users@spamassassin.apache.org by Matus UHLAR - fantomas <uh...@fantomas.sk> on 2009/04/08 17:19:11 UTC

Spam Rats - does anyone know them?

Hello,

our customer reported being listed in the SpamRats blacklist.

I would accept this if they were spamming, however it means that SpamRats
have braindead method to "detect" "dynamic" IP addresses and requirements
for removing them.

http://www.linuxmagic.com/best_practices/check_ip_reverse_dns.html

Is anyone familiar with that blacklist? 

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Your mouse has moved. Windows NT will now restart for changes to take
effect. [OK]

Re: Spam Rats - does anyone know them?

Posted by mouss <mo...@ml.netoyen.net>.
McDonald, Dan wrote:
> On Wed, 2009-04-08 at 23:49 +0200, mouss wrote:
>> Matus UHLAR - fantomas wrote:
>>> Even if that record were listed in SPF?
>>>
>> SPF again? any spammer can buy a domain and add arbitrary IPs to the SPF
>> record. you know about fast flux, right?
> 
> You are thinking of SPF at the wrong layer.  

No, I am not. I was saying that the fact that one sets up an SPF record
doesn't mean he can use generic hostnames. maybe I was too "concise".

> It is a "non-repudiation"
> tool.  When I create an SPF record, I am asserting that anything that
> matches that policy is my responsibility. 

Unfortunately, this is not the general case. or more precisely, people
claim responsibility too easily.

yes, I do use SPF "statically" (static whitelisting of IPs after I
checked their info, or via whitelist_from_* in SA).

> Whether you might want to
> whitelist (or blacklist!) anything matching that policy is a function of
> my perceived reputation to you.
> 
> But at least it gives me a clue.  There is no reason to send a DSN in
> response to a message that fails SPF.  And there is no reason to accept
> a message on a whitelist if it fails SPF.
> 
> 

I don't check SPF at smtp time. so it is theoretically possible that I
return a bounce (disk full or so) but this shouldn't happen. and if it
does, it will be fixed, without regard to SPF. the rationale is:
- "bad" bounces shouldn't be sent even if the domain has no SPF record
- if things are done "right", bad bounces should rarely occur.


Re: Spam Rats - does anyone know them?

Posted by "McDonald, Dan" <Da...@austinenergy.com>.
On Wed, 2009-04-08 at 23:49 +0200, mouss wrote:
> Matus UHLAR - fantomas wrote:
> > Even if that record were listed in SPF?
> > 
> 
> SPF again? any spammer can buy a domain and add arbitrary IPs to the SPF
> record. you know about fast flux, right?

You are thinking of SPF at the wrong layer.  It is a "non-repudiation"
tool.  When I create an SPF record, I am asserting that anything that
matches that policy is my responsibility.  Whether you might want to
whitelist (or blacklist!) anything matching that policy is a function of
my perceived reputation to you.

But at least it gives me a clue.  There is no reason to send a DSN in
response to a message that fails SPF.  And there is no reason to accept
a message on a whitelist if it fails SPF.


-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com


Re: Spam Rats - does anyone know them?

Posted by mouss <mo...@ml.netoyen.net>.
Matus UHLAR - fantomas wrote:
> On 08.04.09 10:45, Jesse Stroik wrote:
>> Dropping mail outright because you can't reverse-resolve the mail server 
>> is bad, of course. And it /will/ drop messages from legitimate mail 
>> servers, especially those on private networks behind mail proxies as 
>> many older exchange installations are configured.  And those 
>> installations aren't configured wrongly, in the strictest sense.
> 
> Just FYI, the IP _does_ have a _correct_ reverse DNS entry. I wouldn't
> complain if it did not.
> Yes, the entry is generic, however _not_ dynamic in any way. 

<devil advocate>
and why not set an "identifiable" name? I mean, I could also send mail
that triggers a lot of SA rules and come complain that it gets blocked
while it is not spam...
</!$1>

If I never get ham from ns\d+\.ovh\.net and get a lot of junk from some
of such hosts, what do you think I am going to do?

Anyway, can you disclose the IP so that we see if the name is really bad?

> However you
> know the
> 
> What I am complaining about is that the IP is reported to be dynamic because
> it does not have a hostname that follows some kind of sick rules.
> If I send mail from host fantomas.fantomas.sk, does it follow the rules?
> If I send mail from fantomas.test.nextra.sk, does it follow the rules?
> If I send mail from smtp.nextra.sk, does it? 
> And if I'd send mail from a0.fantomas.cust.gts.sk, would it?

linuxmagic.com is commercial. so we have no idea how they really do
their stuff. just ignore it. complain to the admin who blocked your mail
instead.

> Even if that record were listed in SPF?
> 

SPF again? any spammer can buy a domain and add arbitrary IPs to the SPF
record. you know about fast flux, right?

> I guess that marking an address as "dynamic" just because the hostname does not
> start with "firewall", "mail" or WTF is braindead.
> 

their terminology is wrong. what they probably mean is "generic name",
not "dynamic".

>> Unfortunately, determining which messages are spam is a hard problem. 
> 
> I know there are problems defining if messages are spam. However this way
> spamrats is creating another problem.
> 


Re: Spam Rats - does anyone know them?

Posted by mouss <mo...@ml.netoyen.net>.
Matus UHLAR - fantomas wrote:
>>> What I am complaining about is that the IP is reported to be dynamic
>>> because it does not have a hostname that follows some kind of sick rules.
> 
> On 09.04.09 01:28, Mark wrote:
>> Their rules DO seem a mite odd:
>>
>> "Also remember, according to Best Practises, having a reverse DNS that
>> appears to be part of your upstream provider is not good enough for an
>> email server. adsl.23.204.205.upstream.com means that it is an IP address
>> they are responsible for."
>>
>> 'Having a reverse DNS that appears to be part of your upstream provider'
>> as opposed to what exactly? HELO? That's fixed easily enough. :) What they
>> seem to say, if I read them correctly, is that they'll reject when it
>> looks to be from a dynamic pool belonging to upstream.com.
> 
> Well, there's no "adsl", no part of IP, nothing that would indicate the
> address being dynamic. Generic, maybe. Dynamic, no way.
> 
>>> And if I'd send mail from a0.fantomas.cust.gts.sk, would it?
>> Well, that's the thing, ain't it? As opposed to what? If your PTR were
>> 'a0.fantomas.cust.gts.sk' and you sent mail with HELO
>> 'fantomas.fantomas.sk'? More likely, they'd just reject on the 'cust'
>> part, or the digits.
> 
> Their page does not say anything about the HELO string. The IP (of the
> format above, ok, let's say it's a0.fantomas.ba.cust.gts.sk) is now
> registered as dynamic and does not follow the "reverse hostname naming
> convention".
> 
>>> Even if that record were listed in SPF?
>> SPF checks against the envelope-from domain part (or HELO, in certain
>> circumstances). So, with SPF you could authorize 'a0.fantomas.cust.gts.sk'
>> to send mail on behalf of 'fantomas.sk', but that will not prevent Spam
>> Rats from identifying 'a0.fantomas.cust.gts.sk' as appearing to be part
>> of your upstream provider; so they'd probably reject the connection
>> anyway.
> 
> That's the question. I do not object to listing of a spammer, but
> dynamic? naming convention? Will they block a host if it spams, if it sends
> mail from gmail.com and the hostname is qw-out-1920.google.com which looks
> like their upstream provider?
> 
> 
> OK, I don't want to bitch, I'm searching for some valid information, mostly
> about their "best practices". 

the thing is: use your own name. avoid a name that may be used by a
spammer.

let's take an example. look at:
	mon75-10-82-239-111-76.fbx.proxad.net.
This is a generic IP. such names are used both for static and dynamic
IPs. and spam gets out of such hosts, be they static or dynamic (it
really doesn't matter). In short, the fact that it is dynamic or not is
irrelevant.

now, if you get spam from such hosts, you want to get info about the
host. if it is 82.239.111.75, you do
$ host 82.239.111.75
75.111.239.82.in-addr.arpa domain name pointer ouzoud.netoyen.net.
you could either contact me or block my domain.

but if you get mail from *.$isp, you can contact the isp (good luck) or
block a large part (IP or domain).

BTW google for "enemies list". it is used by some sites. (but it should
be "safer" than linuxmagic...)
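The two checks the thread keeps circling, forward-confirmed rDNS (the `host` lookup above, but verified in both directions) and a heuristic for "generic" provider-style names (names that embed the address's octets, or carry labels like "cust" or "adsl"), as an added Python example that is not part of the original thread and is not SpamRats' or LinuxMagic's actual code. The DNS tables are constructed, the token list and the "three of four octets" threshold are assumptions, and the classifier deliberately reports only "generic" or "identifiable", never "dynamic", since as Matus points out a generic name says nothing about how the address is assigned.

```python
import re

# Constructed forward and reverse DNS data standing in for a real resolver (assumption).
FORWARD = {
    "ouzoud.netoyen.net": {"82.239.111.75"},
    "mon75-10-82-239-111-76.fbx.proxad.net": {"82.239.111.76"},
    "fantomas.fantomas.sk": {"192.0.2.10"},
    "a0.fantomas.cust.gts.sk": {"192.0.2.11"},
    "bogus.example": {"192.0.2.99"},
}
REVERSE = {
    "82.239.111.75": "ouzoud.netoyen.net",
    "82.239.111.76": "mon75-10-82-239-111-76.fbx.proxad.net",
    "192.0.2.10": "fantomas.fantomas.sk",
    "192.0.2.11": "a0.fantomas.cust.gts.sk",
    "192.0.2.12": "bogus.example",  # PTR exists, but the name resolves elsewhere
}

# Labels commonly seen in provider-assigned pool names (assumed list, not SpamRats' rules).
GENERIC_TOKENS = {"adsl", "dsl", "dyn", "dynamic", "dhcp", "pool", "ppp", "cable", "cust", "dial"}


def fcrdns(ip):
    """Forward-confirmed rDNS: the PTR name must resolve back to the connecting IP.
    Returns (name, status) with status "ok", "no PTR" or "PTR does not resolve back to IP"."""
    name = REVERSE.get(ip)
    if name is None:
        return None, "no PTR"
    if ip not in FORWARD.get(name, set()):
        return name, "PTR does not resolve back to IP"
    return name, "ok"


def embeds_ip(name, ip):
    """True when at least three of the four octets appear as separate numeric runs
    in the name; this catches both 82-239-111-76 and reversed 76-111-239-82 layouts."""
    digits = re.findall(r"\d+", name)
    return sum(1 for octet in ip.split(".") if octet in digits) >= 3


def classify_ptr(ip):
    """Return the FCrDNS failure, "identifiable", or "generic(<reasons>)".
    Never returns "dynamic": nothing in a hostname proves how the address is assigned."""
    name, status = fcrdns(ip)
    if status != "ok":
        return status
    reasons = []
    if embeds_ip(name, ip):
        reasons.append("embeds IP")
    hits = set(re.split(r"[.-]", name.lower())) & GENERIC_TOKENS
    if hits:
        reasons.append("token:" + ",".join(sorted(hits)))
    return "generic(" + "; ".join(reasons) + ")" if reasons else "identifiable"


if __name__ == "__main__":
    for ip in ("82.239.111.75", "82.239.111.76", "192.0.2.10",
               "192.0.2.11", "192.0.2.12", "192.0.2.13"):
        print(ip, "->", classify_ptr(ip))
```

With this table ouzoud.netoyen.net and fantomas.fantomas.sk come out identifiable, the proxad name is flagged because it embeds the address, and a0.fantomas.cust.gts.sk is flagged purely on the "cust" label, which is exactly the kind of verdict Matus objects to: a token match, not evidence of dynamic assignment. A real deployment would feed such a verdict into scoring, not into an outright reject.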


Re: Spam Rats - does anyone know them?

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> > On 09/04/09 2:35 PM, "Matus UHLAR - fantomas" <uh...@fantomas.sk> wrote:
> > > OK, I don't want to bitch, I'm searching for some valid information, mostly
> > > about their "best practices".

> On Thu, 2009-04-09 at 15:55 -0400, Neil Schwartzman wrote:
> > Well there certainly has been some discussion on the MAAWG senders' list
> > about naming conventions and clarity or rDNS resolution HELO, and so on and
> > it is something *we* recommend to our certified and safelisted clients
> > (beyond FQ rDNS which is a requirement), but blocking on something that is
> > far far far from an industry standard? I'd suggest that is silly at best,
> > but "do tell us how that works out for you" as the phrase goes.

On 09.04.09 15:06, McDonald, Dan wrote:
> I won't block on it alone, but if someone wants a whitelist entry, they
> have to have rDNS correct.  And preferably an SPF or DKIM policy....

seems not just "correct" but even satisfying some kind of "best practices"
which means not to mention your ISP, and apparently containing some "mail",
"firewall" or "gateway" prefix. Good to know for companies that host their
MX pools by other providers. 

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I feel like I'm diagonally parked in a parallel universe. 

Re: Spam Rats - does anyone know them?

Posted by Neil Schwartzman <ne...@returnpath.net>.
On 09/04/09 4:06 PM, "McDonald, Dan" <Da...@austinenergy.com> wrote:

> I won't block on it alone, but if someone wants a whitelist entry, they
> have to have rDNS correct.  And preferably an SPF or DKIM policy....

Well, a Sender ID-compliant SPF record has long been a requirement for our
Certified and Safelist whitelists, and we are rolling out DKIM as a
requirement sometime this year.

-- 
Neil Schwartzman
Director, Accreditation Security & Standards
Certified | Safelist
Return Path Inc.
0142002038



Re: Spam Rats - does anyone know them?

Posted by "McDonald, Dan" <Da...@austinenergy.com>.
On Thu, 2009-04-09 at 15:55 -0400, Neil Schwartzman wrote:
> On 09/04/09 2:35 PM, "Matus UHLAR - fantomas" <uh...@fantomas.sk> wrote:
> 
> > That's the question. I do not object to listing of a spammer, but
> > dynamic? naming convention? Will they block a host if it spams, if it sends
> > mail from gmail.com and the hostname is qw-out-1920.google.com which looks
> > like their upstream provider?
> > 
> > 
> > OK, I don't want to bitch, I'm searching for some valid information, mostly
> > about their "best practices".
> 
> Well there certainly has been some discussion on the MAAWG senders' list
> about naming conventions and clarity or rDNS resolution HELO, and so on and
> it is something *we* recommend to our certified and safelisted clients
> (beyond FQ rDNS which is a requirement), but blocking on something that is
> far far far from an industry standard? I'd suggest that is silly at best,
> but "do tell us how that works out for you" as the phrase goes.

I won't block on it alone, but if someone wants a whitelist entry, they
have to have rDNS correct.  And preferably an SPF or DKIM policy....



-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com


Re: Spam Rats - does anyone know them?

Posted by Neil Schwartzman <ne...@returnpath.net>.
BWA HAHAHAHA

Someone here isn't just using SA.

Got a bounce saying I said a bad word. For the record, it wasn't me.

Microsoft Antigen for SMTP found a message matching a filter. The message is
currently Purged.
Message: "Re_ Spam Rats _ does anyone know them_"
Filter name: "KEYWORD= profanity: bitch;sexual discrimination: bitch"
Sent from: "Neil Schwartzman "
Folder: "SMTP Messages\Inbound"
Location: "psp/TRACYSV05"



On 09/04/09 3:55 PM, "Neil Schwartzman" <ne...@returnpath.net>
wrote:

> On 09/04/09 2:35 PM, "Matus UHLAR - fantomas" <uh...@fantomas.sk> wrote:
> 
>> That's the question. I do not object to listing of a spammer, but
>> dynamic? naming convention? Will they block a host if it spams, if it sends
>> mail from gmail.com and the hostname is qw-out-1920.google.com which looks
>> like their upstream provider?
>> 
>> 
>> OK, I don't want to bitch, I'm searching for some valid information, mostly
>> about their "best practices".
> 
> Well there certainly has been some discussion on the MAAWG senders' list
> about naming conventions and clarity or rDNS resolution HELO, and so on and
> it is something *we* recommend to our certified and safelisted clients
> (beyond FQ rDNS which is a requirement), but blocking on something that is
> far far far from an industry standard? I'd suggest that is silly at best,
> but "do tell us how that works out for you" as the phrase goes.

-- 
Neil Schwartzman
Director, Accreditation Security & Standards
Certified | Safelist
Return Path Inc.
0142002038



Re: Spam Rats - does anyone know them?

Posted by Neil Schwartzman <ne...@returnpath.net>.
On 09/04/09 2:35 PM, "Matus UHLAR - fantomas" <uh...@fantomas.sk> wrote:

> That's the question. I do not object to listing of a spammer, but
> dynamic? naming convention? Will they block a host if it spams, if it sends
> mail from gmail.com and the hostname is qw-out-1920.google.com which looks
> like their upstream provider?
> 
> 
> OK, I don't want to bitch, I'm searching for some valid information, mostly
> about their "best practices".

Well there certainly has been some discussion on the MAAWG senders' list
about naming conventions and clarity or rDNS resolution HELO, and so on and
it is something *we* recommend to our certified and safelisted clients
(beyond FQ rDNS which is a requirement), but blocking on something that is
far far far from an industry standard? I'd suggest that is silly at best,
but "do tell us how that works out for you" as the phrase goes.

-- 
Neil Schwartzman
Director, Accreditation Security & Standards
Certified | Safelist
Return Path Inc.
0142002038



Re: Spam Rats - does anyone know them?

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> > What I am complaining about is that the IP is reported to be dynamic
> > because it does not have a hostname that follows some kind of sick rules.

On 09.04.09 01:28, Mark wrote:
> Their rules DO seem a mite odd:
> 
> "Also remember, according to Best Practises, having a reverse DNS that
> appears to be part of your upstream provider is not good enough for an
> email server. adsl.23.204.205.upstream.com means that it is an IP address
> they are responsible for."
> 
> 'Having a reverse DNS that appears to be part of your upstream provider'
> as opposed to what exactly? HELO? That's fixed easily enough. :) What they
> seem to say, if I read them correctly, is that they'll reject when it
> looks to be from a dynamic pool belonging to upstream.com.

Well, there's no "adsl", no part of IP, nothing that would indicate the
address being dynamic. Generic, maybe. Dynamic, no way.

> > And if I'd send mail from a0.fantomas.cust.gts.sk, would it?
> 
> Well, that's the thing, ain't it? As opposed to what? If your PTR were
> 'a0.fantomas.cust.gts.sk' and you sent mail with HELO
> 'fantomas.fantomas.sk'? More likely, they'd just reject on the 'cust'
> part, or the digits.

Their page does not say anything about the HELO string. The IP (of the
format above, ok, let's say it's a0.fantomas.ba.cust.gts.sk) is now
registered as dynamic and does not follow the "reverse hostname naming
convention".

> > Even if that record were listed in SPF?
> 
> SPF checks against the envelope-from domain part (or HELO, in certain
> circumstances). So, with SPF you could authorize 'a0.fantomas.cust.gts.sk'
> to send mail on behalf of 'fantomas.sk', but that will not prevent Spam
> Rats from identifying 'a0.fantomas.cust.gts.sk' as appearing to be part
> of your upstream provider; so they'd probably reject the connection
> anyway.

That's the question. I do not object to listing of a spammer, but
dynamic? naming convention? Will they block a host if it spams, if it sends
mail from gmail.com and the hostname is qw-out-1920.google.com which looks
like their upstream provider?


OK, I don't want to bitch, I'm searching for some valid information, mostly
about their "best practices". 
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
99 percent of lawyers give the rest a bad name. 

RE: Spam Rats - does anyone know them?

Posted by Mark <ad...@asarian-host.net>.
-----Original Message-----
From: Matus UHLAR - fantomas [mailto:uhlar@fantomas.sk]
Sent: Wednesday 8 April 2009 18:00
To: users@spamassassin.apache.org
Subject: Re: Spam Rats - does anyone know them?

> What I am complaining about is that the IP is reported to be dynamic
> because it does not have a hostname that follows some kind of sick rules.

Their rules DO seem a mite odd:

"Also remember, according to Best Practises, having a reverse DNS that
appears to be part of your upstream provider is not good enough for an
email server. adsl.23.204.205.upstream.com means that it is an IP address
they are responsible for."

'Having a reverse DNS that appears to be part of your upstream provider'
as opposed to what exactly? HELO? That's fixed easily enough. :) What they
seem to say, if I read them correctly, is that they'll reject when it
looks to be from a dynamic pool belonging to upstream.com.

> If I send mail from host fantomas.fantomas.sk, does it follow the rules?

As mouss already said, without knowing what the PTR in question is, it's hard
to answer this. Looking at your email, I'd say 'fantomas.fantomas.sk'
should be okay. It neatly resolves to your IP address, and back; and it's
how you identify yourself in HELO.

> And if I'd send mail from a0.fantomas.cust.gts.sk, would it?

Well, that's the thing, ain't it? As opposed to what? If your PTR were
'a0.fantomas.cust.gts.sk' and you sent mail with HELO
'fantomas.fantomas.sk'? More likely, they'd just reject on the 'cust'
part, or the digits.

> Even if that record were listed in SPF?

SPF checks against the envelope-from domain part (or HELO, in certain
circumstances). So, with SPF you could authorize 'a0.fantomas.cust.gts.sk'
to send mail on behalf of 'fantomas.sk', but that will not prevent Spam
Rats from identifying 'a0.fantomas.cust.gts.sk' as appearing to be part
of your upstream provider; so they'd probably reject the connection
anyway.

- Mark
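Mark's point about which identity SPF is evaluated against (the envelope-from domain, or the HELO name for the null sender), mouss's objection that a domain owner can list whatever addresses he likes, and Dan's rule of never generating a DSN for a message that failed SPF, as an added Python example that is not part of the original thread. The zone data is constructed (the fantomas.sk record here is invented, not the domain's real one), and the evaluator handles only the ip4, a, include and all mechanisms; it is a teaching subset, not a complete RFC 7208 implementation.

```python
import ipaddress

# Constructed TXT and A records (assumption; not the real zone data of these domains).
TXT = {
    "fantomas.sk": "v=spf1 a:a0.fantomas.cust.gts.sk ip4:192.0.2.10 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:203.0.113.0/24 -all",
    # mouss's point: a spammer's own domain can simply authorise every IPv4 address
    "spammer.example": "v=spf1 ip4:0.0.0.0/1 ip4:128.0.0.0/1 -all",
}
A = {
    "a0.fantomas.cust.gts.sk": ["192.0.2.11"],
    "fantomas.sk": ["192.0.2.10"],
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_domain(mail_from, helo):
    """The identity SPF is checked against: the MAIL FROM domain, or the HELO
    name when the envelope sender is empty (bounces and other null-sender mail)."""
    if not mail_from:
        return helo
    return mail_from.rsplit("@", 1)[-1].lower()


def check_spf(ip, domain, depth=0):
    """Evaluate a simplified SPF policy for `ip` against `domain`.
    Supported mechanisms: ip4 (with optional CIDR), a / a:host, include, all.
    Anything else yields permerror; more than 10 nested includes yields permerror."""
    if depth > 10:
        return "permerror"
    record = TXT.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in A.get(arg or domain, [])
        elif mech == "include":
            # simplified: an include matches only on "pass" (real SPF also propagates errors)
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # record exhausted without a match


def may_send_dsn(spf_result):
    """Dan's rule: a message that failed SPF gets no bounce, since the return path
    is not the listed sender's responsibility and the DSN would be backscatter."""
    return spf_result != "fail"


if __name__ == "__main__":
    for ip, sender in (("192.0.2.11", "uhlar@fantomas.sk"),
                       ("198.51.100.5", "uhlar@fantomas.sk"),
                       ("198.51.100.5", "anyone@spammer.example")):
        result = check_spf(ip, spf_domain(sender, "unused.helo"))
        print(ip, sender, "->", result, "dsn allowed:", may_send_dsn(result))
```

Note what the three runs show: a0.fantomas.cust.gts.sk passes for fantomas.sk because the record names it, which is all SPF can say; the unrelated address fails; and spammer.example passes from anywhere because its owner wrote the record. SPF answers "does the domain vouch for this IP", not "is this IP trustworthy", which is why a pass changes nothing about a PTR-based listing and why reputation still has to come from somewhere else.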


Re: Spam Rats - does anyone know them?

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 08.04.09 10:45, Jesse Stroik wrote:
> Dropping mail outright because you can't reverse-resolve the mail server 
> is bad, of course. And it /will/ drop messages from legitimate mail 
> servers, especially those on private networks behind mail proxies as 
> many older exchange installations are configured.  And those 
> installations aren't configured wrongly, in the strictest sense.

Just FYI, the IP _does_ have a _correct_ reverse DNS entry. I wouldn't
complain if it did not.
Yes, the entry is generic, however _not_ dynamic in any way. However you
know the

What I am complaining about is that the IP is reported to be dynamic because
it does not have a hostname that follows some kind of sick rules.
If I send mail from host fantomas.fantomas.sk, does it follow the rules?
If I send mail from fantomas.test.nextra.sk, does it follow the rules?
If I send mail from smtp.nextra.sk, does it? 
And if I'd send mail from a0.fantomas.cust.gts.sk, would it?
Even if that record were listed in SPF?

I guess that marking an address as "dynamic" just because the hostname does not
start with "firewall", "mail" or WTF is braindead.

> Unfortunately, determining which messages are spam is a hard problem. 

I know there are problems defining if messages are spam. However this way
spamrats is creating another problem.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."

Re: Spam Rats - does anyone know them?

Posted by Jesse Stroik <js...@ssec.wisc.edu>.
Matus,

Dropping mail outright because you can't reverse-resolve the mail server 
is bad, of course. And it /will/ drop messages from legitimate mail 
servers, especially those on private networks behind mail proxies as 
many older exchange installations are configured.  And those 
installations aren't configured wrongly, in the strictest sense.

Unfortunately, determining which messages are spam is a hard problem. 
What's more unfortunate is that a lot of admins refuse to deal with hard 
problems and want an easy solution.  Dropping messages outright that 
don't reverse-resolve is one such easy solution.

You are ultimately forced to follow rules like these if you want to 
mitigate the risks of your mail being classified as spam.  Even in the 
case where spamassassin users assign a value to mail that arrives from 
machines that don't have reverse DNS, you'll want to ensure that your 
mail is coming from hosts that have proper reverse DNS entries.

Best,
Jesse

Matus UHLAR - fantomas wrote:
> Hello,
> 
> our customer reported being listed in the SpamRats blacklist.
> 
> I would accept this if they were spamming, however it means that SpamRats
> have braindead method to "detect" "dynamic" IP addresses and requirements
> for removing them.
> 
> http://www.linuxmagic.com/best_practices/check_ip_reverse_dns.html
> 
> Is anyone familiar with that blacklist? 
> 


Re: Spam Rats - does anyone know them?

Posted by Rob McEwen <ro...@invaluement.com>.
Matus UHLAR - fantomas wrote:
> our customer reported being listed in the SpamRats blacklist.

What was that IP?

-- 
Rob McEwen
http://dnsbl.invaluement.com/
rob@invaluement.com
+1 (478) 475-9032