Posted to users@spamassassin.apache.org by Alex <my...@gmail.com> on 2016/02/12 14:39:11 UTC

URIBL/DNSBL from a database

Hi,

For some time now I've been cycling URLs and IPs through  a mariadb
database gathered from incoming mail on a honeypot I've created.
Surprising how many are received ahead of spamhaus/barracuda.

I'm looking for ideas on how to now make this information available to
spamassassin on my production system. I'd like to somehow export the
IPs, any URLs in the body, and email addresses to spamassassin.

Is it possible for spamassassin to query a database directly?

I'm familiar with how to create a uridnsbl, but is DNS the best
approach here? The info needs to be updated and reloaded rapidly, and
not all the info (URLs, emails) are conducive to being in DNS.

Is anyone else doing this, and are you just rejecting the IPs at the
SMTP level outright?

Thanks,
Alex

Re: URIBL/DNSBL from a database

Posted by John Hardin <jh...@impsec.org>.
On Sun, 14 Feb 2016, Allen Chen wrote:

> On 2/12/2016 8:48 AM, Axb wrote:
>>  On 02/12/2016 02:39 PM, Alex wrote:
>> >  For some time now I've been cycling URLs and IPs through  a mariadb
>> >  database gathered from incoming mail on a honeypot I've created.
>> >  Surprising how many are received ahead of spamhaus/barracuda.
>> > 
>> >  I'm looking for ideas on how to now make this information available to
>> >  spamassassin on my production system. I'd like to somehow export the
>> >  IPs, any URLs in the body, and email addresses to spamassassin.
>> > 
>> >  Is it possible for spamassassin to query a database directly?
>
> Did you try iptables to block/allow IPs?

If you're getting that much abuse from specific IPs and you're sure that 
it's all spam, then set up a TCP tarpit.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Ignorance is no excuse for a law.
-----------------------------------------------------------------------
  8 days until George Washington's 284th Birthday

Re: URIBL/DNSBL from a database

Posted by Allen Chen <ac...@harbourfrontcentre.com>.
On 2/12/2016 8:48 AM, Axb wrote:
> On 02/12/2016 02:39 PM, Alex wrote:
>> Hi,
>>
>> For some time now I've been cycling URLs and IPs through  a mariadb
>> database gathered from incoming mail on a honeypot I've created.
>> Surprising how many are received ahead of spamhaus/barracuda.
>>
>> I'm looking for ideas on how to now make this information available to
>> spamassassin on my production system. I'd like to somehow export the
>> IPs, any URLs in the body, and email addresses to spamassassin.
>>
>> Is it possible for spamassassin to query a database directly?
Did you try iptables to block/allow IPs?

>
> You'd need a custom plugin to query the DB directly.
>
>>
>> I'm familiar with how to create a uridnsbl, but is DNS the best
>> approach here?
> DNS is cheap/reliable and simple to deploy / load balance.
>
>> The info needs to be updated and reloaded rapidly, and
>> not all the info (URLs, emails) are conducive to being in DNS.
>
> rbldnsd can check and load fresh data instantly within seconds.
> If your dataset is not HUGE (loading 100MB zones is slow) rbldnspy
> will take in-memory updates, so instant listings...
> https://github.com/gryphius/rbldnspy
>
>
>


-- 
Allen Chen
Network Administrator
IT

Harbourfront Centre

235 Queens Quay West, Toronto, ON
M5J 2G8, Canada | harbourfrontcentre.com <http://www.harbourfrontcentre.com>
Office: +1 416 973 7973
Cell: +1 416 556 2493


 

Re: URIBL/DNSBL from a database

Posted by Axb <ax...@gmail.com>.
On 02/12/2016 02:39 PM, Alex wrote:
> Hi,
>
> For some time now I've been cycling URLs and IPs through  a mariadb
> database gathered from incoming mail on a honeypot I've created.
> Surprising how many are received ahead of spamhaus/barracuda.
>
> I'm looking for ideas on how to now make this information available to
> spamassassin on my production system. I'd like to somehow export the
> IPs, any URLs in the body, and email addresses to spamassassin.
>
> Is it possible for spamassassin to query a database directly?

You'd need a custom plugin to query the DB directly.

>
> I'm familiar with how to create a uridnsbl, but is DNS the best
> approach here?
DNS is cheap/reliable and simple to deploy / load balance.

>The info needs to be updated and reloaded rapidly, and
> not all the info (URLs, emails) are conducive to being in DNS.

rbldnsd can check and load fresh data instantly within seconds.
If your dataset is not HUGE (loading 100MB zones is slow) rbldnspy will 
take in-memory updates, so instant listings...
https://github.com/gryphius/rbldnspy




Re: URIBL/DNSBL from a database

Posted by Shawn Bakhtiar <sh...@hotmail.com>.
On Feb 12, 2016, at 5:39 AM, Alex <my...@gmail.com> wrote:

Hi,

For some time now I've been cycling URLs and IPs through  a mariadb
database gathered from incoming mail on a honeypot I've created.
Surprising how many are received ahead of spamhaus/barracuda.

I'm looking for ideas on how to now make this information available to
spamassassin on my production system. I'd like to somehow export the
IPs, any URLs in the body, and email addresses to spamassassin.

DNSBLs are very effective at this task, and I would recommend using one before you filter the email with SA, unless you specifically want to score, due to uncertainty.


Is it possible for spamassassin to query a database directly?

It is:
https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Plugin_URIDNSBL.html

But even then I find it more effective having the server running the DNSBL manage the block list using some metrics such as number of times the IP address appears, and/or not recording IP addresses in a whitelist table etc... Once (either via blacklist or metric) the IP gets into the DNSBL there is no need for me to worry about SA, simply reject. I find URIs tend to change A LOT, so IP based blocking can be much more effective. But I think that's more of a preference.


I'm familiar with how to create a uridnsbl, but is DNS the best
approach here? The info needs to be updated and reloaded rapidly, and
not all the info (URLs, emails) are conducive to being in DNS.


That's the way I do it, using bind DLZ http://bind-dlz.sourceforge.net/
We have a delegated subdomain off our main domain that hosts a DNS exclusively used for the block list, created from incoming mail sent to honeypot email addresses (ones that never were, or are no longer, valid). Again I tend to focus on the IP address, not the URI, as I find that URIs are a dime a dozen and change quite frequently.

Is anyone else doing this, and are you just rejecting the IPs at the
SMTP level outright?

We use sendmail features to reject long before it gets to SA. It works better (IMHO) since there is much lower overhead for sendmail doing a quick DNS lookup than engaging the milter that runs the email through its passes with SA.

http://weldon.whipple.org/sendmail/dnsbl.html

But in this case it's IP-based only, not URI-based. For URIs (especially ones that you'll want to regex) SA may be more effective.


Thanks,
Alex


Re: URIBL/DNSBL from a database

Posted by Reindl Harald <h....@thelounge.net>.

Am 13.02.2016 um 16:46 schrieb Alex:
>> DNS is very effective to block at the MTA level.  I setup my own private
>> RBL on the DNS servers my SA boxes point to.  Dump your IPs into a
>> rbldnsd formatted zone file and setup your private RBL zone (doesn't
>> have to be a real zone on the Internet) to forward to rbldnsd.  Rbldnsd
>> will detect changes to its zone files and reload them automatically to
>> keep current.
>
> Do you have some kind of whitelist that includes gmail, yahoo, etc?
>
> I'm not looking to compete with spamhaus, just complement it, but
> rejecting outright at the SMTP level for IPs reaching my honeypots
> could be dangerous if not checked

something PTR-based like below is a good start

snippet of our honeypot daemon, written in PHP, at the bottom, and yes you 
can write a proper network service in PHP listening not only on port 25
_________________________________

  /** chroot to runtime directory and change basedir for later operations */
  if(chroot(__DIR__))
  {
   $chroot_basedir = '/honeypot-chroot';
  }
  else
  {
   $chroot_basedir = __DIR__;
  }

  /**
   * drop privileges to 'nobody'
   * ($nobody_user, $nobody_group and $port are set earlier in the daemon and
   * are not part of this snippet)
   */
  if(!posix_initgroups('nobody', $nobody_group) || !posix_setgid($nobody_group) || !posix_setuid($nobody_user))
  {
   error_log('ERROR: Drop privileges failed (' . $port . ')');
   exit('ERROR: Drop privileges failed (' . $port . ')' . "\n");
  }
_________________________________

  /**
   * Exempt large providers and obvious mail servers from automatic
   * blacklisting; the basis is the reverse DNS (PTR)
   *
   * Returns 'true' if the IP is to be ignored, so the
   * honeypot stores only the spam samples
   *
   * @param  string $ptr
   * @return boolean
   * @access public
  */
  function ignore_blacklist_ptr($ptr)
  {
   /** Special cases: anything whose PTR looks like a mail server */
   if(strpos($ptr, 'smtp') !== false || strpos($ptr, 'mail') !== false || strpos($ptr, 'mxout') !== false)
   {
    return true;
   }
   /** PTR suffixes to ignore */
   $ignored = array
   (
    '.ac.at',
    '.apple.com',
    '.ebay.com',
    '.eyepin.com',
    '.facebook.com',
    '.gmx.at',
    '.gmx.com',
    '.gmx.de',
    '.gmx.net',
    '.google.com',
    '.gv.at',
    '.itronic.at',
    '.kundenserver.de',
    '.microsoft.com',
    '.mx.aol.com',
    '.observer.at',
    '.office-vienna.at',
    '.orf.at',
    '.outlook.com',
    '.paylife.at',
    '.paypal.com',
    '.phx3.secureserver.net',
    '.pinterest.com',
    '.skype.com',
    '.smtp-out.amazonses.com',
    '.thelounge.net',
    '.twitter.com',
    '.web.de',
    '.wetransfer.com',
    '.xing.com',
    '.yahoo.co.jp',
    '.yahoo.com',
    'taro.utanet.at',
    'tatiana.utanet.at',
   );
   /** Iterate and test whether the PTR ends with one of the entries */
   foreach($ignored as $test)
   {
    if(strpos($ptr, $test) !== false)
    {
     $xtest = substr($ptr, strlen($ptr)-strlen($test));
     if($xtest == $test)
     {
      return true;
     }
    }
   }
   /** If not listed, return 'false' */
   return false;
  }


Re: URIBL/DNSBL from a database

Posted by Dave Funk <db...@engineering.uiowa.edu>.
On Sat, 13 Feb 2016, Alex wrote:

> I've now got rbldnsd implemented. I've also known for a while it's
> faster/better than bind, but bind has always been in place.
>
> I have rbldnsd running on port 530, alongside bind on 53. How do I
> specify a urirhsbl in spamassassin to query the DNS server running on
> 530 instead of 53?

One way to do this is to set up a "forward only" zone in your bind config.

For example, assume you're authoritative for "example.com" and you've got
your rbldnsd set up to serve up your data as zone "mybl.example.com" and
it's bound to 192.168.124.23/530

Then in your bind config file create a zone:

zone "mybl.example.com" {
         type forward;
         forward only;
         forwarders {
                 192.168.124.23 port 530;
         };
};

Then when your clients (spamd or regular dns tools) query
"blah.com.mybl.example.com" it will hit your bind and then
get passed on to your rbldnsd for an answer.

If you want to hide that resource from the world put that zone
in a private 'view' in your bind. You could control access via an
ACL but by putting it inside a private view they'll never even see it
to try pounding on it.

To provide fault tolerance, you can set up rbldnsd's on multiple
machines and put multiple addresses in that 'forwarders' stanza.
You will need to put that zone definition in your primary bind and
each secondary.

-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

Re: URIBL/DNSBL from a database

Posted by Noel Butler <no...@ausics.net>.
On 16/02/2016 01:08, Shawn Bakhtiar wrote:
> 
> 
> There are A LOT more people out there, far greater than just the
> Googles and Yahoos of the world, and to block IP addresses/subnets
> without an automated system using definable metric (that usually is
> enterprise specific), invariably IT will be inundated with complaints
> about users not receiving legitimate vendor emails.
> 
> 

That's the entire point though, as it has been for over 20 years.

admins shrug off badguy-complaints, badguy complaints go to rbl, rbl 
blocks, rbl gets notified badguy uses more resources,  rbl blocks wider 
range due to other IPs used

It's much much harder for admins to shrug off their own customers 
complaints, so admin gets off lazy useless arse and sorts out the badguy 
like should have in first place, rbl then removes blocks... life goes 
on..

-- 
If you have the urge to reply to all rather than reply to list, you best
first read  http://members.ausics.net/qwerty/

Re: URIBL/DNSBL from a database

Posted by Shawn Bakhtiar <sh...@hotmail.com>.
I used to spend a lot of time blocking hosts and subnets, using IP tables, of malicious providers who would let any Tom, Dick, and Harry (no pun intended) host spam hosts/relays on their servers. What I ended up doing is also blocking a lot of SMB vendors from sending legitimate emails to users, because most SMBs outsource their services without really comprehending the consequences of the provider they choose. This is especially true for low tech industries such as toll and process manufacturing companies, and frankly led to a management nightmare.

There are A LOT more people out there, far greater than just the Googles and Yahoos of the world, and to block IP addresses/subnets without an automated system using definable metric (that usually is enterprise specific), invariably IT will be inundated with complaints about users not receiving legitimate vendor emails.

It is much more effective to use existing RBLs, and supplement them with your own honeypot RBL that uses metrics developed in house that can react to what your organization will consider the critical mass of spam it can take. That, along with the proper training of SA, is perhaps the best defense you can have. Using metrics like last seen, total count, and frequency seems to provide the best results for me; my private RBL (based on honeypot addresses) can react faster than the big guys, on both ends of the equation (to block and to release). It's not that Google doesn't sometimes land on my RBL, it's that it also drops off fast as they remedy the issue, and the time outs are reached and they drop off my list.



> On Feb 14, 2016, at 10:19 PM, Noel Butler <no...@ausics.net> wrote:
> 
> On 15/02/2016 09:02, Reindl Harald wrote:
>> Am 14.02.2016 um 23:34 schrieb Noel Butler:
>>> On 14/02/2016 01:46, Alex wrote:
>>>> rejecting outright at the SMTP level for IPs reaching my honeypots
>>>> could be dangerous if not checked.
>>> how so? if your honey pots use specific non human used (ever) addresses,
>>> then there should never ever be a genuine mail destined for it.
>>> I don't care who the connector is, be it foobar.com or gmail.com if they
>>> relay it, they are listed, it's where spamhaus and I always disagreed,
>>> because what they are doing is sending a clear message to spammers to
>>> simply "use gmail" to avoid being listed in spamhaus.
>>> You are never too big to be stuffed into a dnsbl, there are a number of
>>> well known bl's that have been around for over ten years that also take
>>> that approach.
>> you neglected to say that you are the type of RBL operator which lists whole
>> subnets (in not only personal RBL's) because you don't like specific
>> people on mailing-lists
> 
> 
> Ohh, so you wanna bring this up again in public do you, fine by me... let's have some history though shall we Harry...
> 
> Most DNSBL's blacklist spam *and* abusive hosts, there is no question about you spamming, I know you don't and would never do that, but you are/were a very very aggressively abusive person - this is supported by all those mailing lists bannings/moderations you've copped over recent years which we need both hands to count, the listing I placed on you was not just because of the abuse and blackmailing you leveled at me, but number of complaints we received also.
> 
> Furthermore, most people who've had interactions with you over the past couple of years, especially those that you've disagreed with, also know how you used to act, and occasionally still come close to, because you think you are always right and anyone who disagrees with you is the antichrist or something.
> 
> Ordinarily this does just warrant a /32 listing, however as a system administrator with access to at least a /24, and evidence of your mailing list ghost accounts, including at least one I recall from another IP in that /24 a while back, yes, I took the step to block your /24.
> 
> 
>> also you don't realize that this doesn't stop any single mail from a
>> list sent by that person but just harms other domains using the SMTP
>> server
> 
> I realise a lot more than you think, as I've told you, and told you, and told you, it's up to lists what DNSBL's if any they use, but you are known to, on the lists you've been moderated on, send abusive messages to recipients directly since you can't via the lists
> so it does have a catching effect of those who use it.
> 
>> so *you* are hardly in the position for education about RBL's since
>> you don't care about any collateral damage but only your ego
> 
> You are entitled to your opinion, I care about valid collateral damage, if you abuse an employer's resources and your employer's customers are caught up in it, your employer, if they care, would take appropriate action, it is no different than blocking a domain for spamming, forcing the host to clean up its act and get rid of its spamming clients, of course at no time did I wish to see your employment terminated, just actions reined in, resulting in cleaner transmissions, allowing for removal of blocking, just like networks that clean up spam.
> 
> I have seen you have remarkably behaved yourself in the past 6 months compared to how you used to carry on, you're still no saint, but no one including me is either.
> 
> This list is also off topic and I apologise to Gunther and co for replying to it on list, but some things needed to be said. No doubt Harry will rant and rave and carry on trollbaiting me, but I will try to withhold any further responses since we are, well and truly, OT.
> 
> Have a nice day.
> 
> -- 
> 
> 
> If you have the urge to reply to all rather than reply to list, you best
> first read  http://members.ausics.net/qwerty/


Re: URIBL/DNSBL from a database

Posted by Noel Butler <no...@ausics.net>.
On 15/02/2016 09:02, Reindl Harald wrote:
> Am 14.02.2016 um 23:34 schrieb Noel Butler:
>> On 14/02/2016 01:46, Alex wrote:
>>> 
>>> rejecting outright at the SMTP level for IPs reaching my honeypots
>>> could be dangerous if not checked.
>> 
>> how so? if your honey pots use specific non human used (ever) 
>> addresses,
>> then there should never ever be a genuine mail destined for it.
>> 
>> I don't care who the connector is, be it foobar.com or gmail.com if 
>> they
>> relay it, they are listed, it's where spamhaus and I always disagreed,
>> because what they are doing is sending a clear message to spammers to
>> simply "use gmail" to avoid being listed in spamhaus.
>> 
>> You are never too big to be stuffed into a dnsbl, there are a number 
>> of
>> well known bl's that have been around for over ten years that also 
>> take
>> that approach.
> 
> you neglected to say that you are the type of RBL operator which lists whole
> subnets (in not only personal RBL's) because you don't like specific
> people on mailing-lists
> 


Ohh, so you wanna bring this up again in public do you, fine by me... 
let's have some history though shall we Harry...

Most DNSBL's blacklist spam *and* abusive hosts, there is no question 
about you spamming, I know you don't and would never do that, but you 
are/were a very very aggressively abusive person - this is supported by 
all those mailing lists bannings/moderations you've copped over recent 
years which we need both hands to count, the listing I placed on you was 
not just because of the abuse and blackmailing you leveled at me, but 
number of complaints we received also.

Furthermore, most people who've had interactions with you over the past 
couple of years, especially those that you've disagreed with, also know 
how you used to act, and occasionally still come close to, because you 
think you are always right and anyone who disagrees with you is the 
antichrist or something.

Ordinarily this does just warrant a /32 listing, however as a system 
administrator with access to at least a /24, and evidence of your 
mailing list ghost accounts, including at least one I recall from 
another IP in that /24 a while back, yes, I took the step to block your 
/24.


> also you don't realize that this doesn't stop any single mail from a
> list sent by that person but just harms other domains using the SMTP
> server
> 

I realise a lot more than you think, as I've told you, and told you, and 
told you, it's up to lists what DNSBL's if any they use, but you are 
known to, on the lists you've been moderated on, send abusive messages to 
recipients directly since you can't via the lists
so it does have a catching effect of those who use it.

> so *you* are hardly in the position for education about RBL's since
> you don't care about any collateral damage but only your ego

You are entitled to your opinion, I care about valid collateral damage, 
if you abuse an employer's resources and your employer's customers are 
caught up in it, your employer, if they care, would take appropriate 
action, it is no different than blocking a domain for spamming, forcing 
the host to clean up its act and get rid of its spamming clients, of 
course at no time did I wish to see your employment terminated, just 
actions reined in, resulting in cleaner transmissions, allowing for 
removal of blocking, just like networks that clean up spam.

I have seen you have remarkably behaved yourself in the past 6 months 
compared to how you used to carry on, you're still no saint, but no one 
including me is either.

This list is also off topic and I apologise to Gunther and co for 
replying to it on list, but some things needed to be said. No doubt 
Harry will rant and rave and carry on trollbaiting me, but I will try 
to withhold any further responses since we are, well and truly, OT.

Have a nice day.

-- 


If you have the urge to reply to all rather than reply to list, you best
first read  http://members.ausics.net/qwerty/

Re: URIBL/DNSBL from a database

Posted by Reindl Harald <h....@thelounge.net>.
Am 14.02.2016 um 23:34 schrieb Noel Butler:
> On 14/02/2016 01:46, Alex wrote:
>>
>> rejecting outright at the SMTP level for IPs reaching my honeypots
>> could be dangerous if not checked.
>
> how so? if your honey pots use specific non human used (ever) addresses,
> then there should never ever be a genuine mail destined for it.
>
> I don't care who the connector is, be it foobar.com or gmail.com if they
> relay it, they are listed, it's where spamhaus and I always disagreed,
> because what they are doing is sending a clear message to spammers to
> simply "use gmail" to avoid being listed in spamhaus.
>
> You are never too big to be stuffed into a dnsbl, there are a number of
> well known bl's that have been around for over ten years that also take
> that approach.

you neglected to say that you are the type of RBL operator which lists whole 
subnets (in not only personal RBL's) because you don't like specific 
people on mailing-lists

also you don't realize that this doesn't stop any single mail from a list 
sent by that person but just harms other domains using the SMTP server

so *you* are hardly in the position for education about RBL's since you 
don't care about any collateral damage but only your ego



Re: URIBL/DNSBL from a database

Posted by Noel Butler <no...@ausics.net>.
On 14/02/2016 01:46, Alex wrote:
> 
> 
> 
> rejecting outright at the SMTP level for IPs reaching my honeypots
> could be dangerous if not checked.
> 


how so? if your honey pots use specific non human used (ever) addresses, 
then there should never ever be a genuine mail destined for it.

I don't care who the connector is, be it foobar.com or gmail.com if they 
relay it, they are listed, it's where spamhaus and I always disagreed, 
because what they are doing is sending a clear message to spammers to 
simply "use gmail" to avoid being listed in spamhaus.

You are never too big to be stuffed into a dnsbl, there are a number of 
well known bl's that have been around for over ten years that also take 
that approach.


-- 
If you have the urge to reply to all rather than reply to list, you best
first read  http://members.ausics.net/qwerty/

Re: URIBL/DNSBL from a database

Posted by David Jones <dj...@ena.com>.
>> DNS is very effective to block at the MTA level.  I setup my own private
>> RBL on the DNS servers my SA boxes point to.  Dump your IPs into a
>> rbldnsd formatted zone file and setup your private RBL zone (doesn't
>> have to be a real zone on the Internet) to forward to rbldnsd.  Rbldnsd
>> will detect changes to its zone files and reload them automatically to
>> keep current.

>Do you have some kind of whitelist that includes gmail, yahoo, etc?

Yes. My database query excludes FREEMAIL hits.   I also use/parse SPF
records of many of the large FREEMAIL domains to allow these in before
RBL checks.  You also have to whitelist many of these from greylisting too
and let SA score them.

>I'm not looking to compete with spamhaus, just complement it, but
>rejecting outright at the SMTP level for IPs reaching my honeypots
>could be dangerous if not checked.

I don't have any honeypots so I can't speak from experience but I
would think you would need to filter these differently -- much more
relaxed than real user domains and mailboxes.   If your honeypot
addresses are on a different domain, send them through a different
MTA config that doesn't have all of these RBL checks.

>I've now got rbldnsd implemented. I've also known for a while it's
>faster/better than bind, but bind has always been in place.

>I have rbldnsd running on port 530, alongside bind on 53. How do I
>specify a urirhsbl in spamassassin to query the DNS server running on
>530 instead of 53?

You set up BIND to forward that zone of your own RBL to localhost:530.
http://www.surbl.org/setup-local-rbl-mirror  (toward the bottom)
rbldnsd only has to be listening on 127.0.0.1:530

>> In a related note, I have found that using the senderscore.org score combined
>> with postscreen's weighting is very effective in quickly catching new spammers.
>>
>> postscreen_dnsbl_sites =
>>   score.senderscore.com=127.0.4.[60..69]*2
>>   score.senderscore.com=127.0.4.[50..59]*4
>>   score.senderscore.com=127.0.4.[30..49]*6
>>   score.senderscore.com=127.0.4.[0..29]*8
>>   score.senderscore.com=127.0.4.[90..100]*-6
>>   score.senderscore.com=127.0.4.[80..89]*-4
>>   score.senderscore.com=127.0.4.[70..79]*-2
>>
>> You should monitor your own outbound IPs for their sender score.  If your
>> IP goes below 90, it's a good indication that you have been sending spam
>> and that your users are going to start experiencing delivery issues to the
>> Internet.

>Do you use this on inbound mail as well?

Yes.  Definitely use this primarily on inbound email.  I also use
some RBLs on outbound email to help detect compromised
accounts, but make sure you have your internal_networks and
trusted_networks set properly so SA will work with external IPs
properly.

>How does it fit with the other postscreen dnsbls? I already have at
>least six various dnsbls with varying weights...

I have more than a dozen in addition to the ones above.  You simply
list as many RBLs as you want with the proper weighting you think
based on their reliability/trustworthiness for your environment.
Negative numbers are used for reliable RBLs that show a good reputation
for the sending mail server IP.  Positive numbers go higher toward
the threshold number (I use 8 like many examples I have seen).  Set
your own private RBL at or slightly above your threshold along with
other trustworthy RBLs like zen.spamhaus.org.  Only use negative
number weighting for those RBLs that you have confirmed to be
good sources for good reputation.

Re: URIBL/DNSBL from a database

Posted by Alex <my...@gmail.com>.
Hi,

> DNS is very effective to block at the MTA level.  I setup my own private
> RBL on the DNS servers my SA boxes point to.  Dump your IPs into a
> rbldnsd formatted zone file and setup your private RBL zone (doesn't
> have to be a real zone on the Internet) to forward to rbldnsd.  Rbldnsd
> will detect changes to its zone files and reload them automatically to
> keep current.

Do you have some kind of whitelist that includes gmail, yahoo, etc?

I'm not looking to compete with spamhaus, just complement it, but
rejecting outright at the SMTP level for IPs reaching my honeypots
could be dangerous if not checked.

I've now got rbldnsd implemented. I've also known for a while it's
faster/better than bind, but bind has always been in place.

I have rbldnsd running on port 530, alongside bind on 53. How do I
specify a urirhsbl in spamassassin to query the DNS server running on
530 instead of 53?

> In a related note, I have found that using the senderscore.org score combined
> with postscreen's weighting is very effective in quickly catching new spammers.
>
> postscreen_dnsbl_sites =
>   score.senderscore.com=127.0.4.[60..69]*2
>   score.senderscore.com=127.0.4.[50..59]*4
>   score.senderscore.com=127.0.4.[30..49]*6
>   score.senderscore.com=127.0.4.[0..29]*8
>   score.senderscore.com=127.0.4.[90..100]*-6
>   score.senderscore.com=127.0.4.[80..89]*-4
>   score.senderscore.com=127.0.4.[70..79]*-2
>
> You should monitor your own outbound IPs for their sender score.  If your
> IP goes below 90, it's a good indication that you have been sending spam
> and that your users are going to start experiencing delivery issues to the
> Internet.

Do you use this on inbound mail as well?

How does it fit with the other postscreen dnsbls? I already have at
least six various dnsbls with varying weights...

Thanks,
Alex

Re: URIBL/DNSBL from a database

Posted by Alex <my...@gmail.com>.
Hi,

>> Is there any reason to not use the bl.score.senderscore.com with
>> postscreen? I don't understand the distinction
>
> why?
>
> postscreen is supposed to be configured with sensible scoring to reject most
> spam without false positives long before it reaches smtpd or even expensive
> content filters
>
> hence the scoring and any sensible setup would use postscreen combined with
> several whitelists
>
> that way your contentfilter has only to deal with the remaining 10% of junk
> and when you optimize postscreen to use a honeypot-MX (backup mx on a second
> IP with a postscreen whitelist_veto) and enforce pre-greet tests with a
> larger wait time there is not much for SpamAssassin to deal with

No, no, no. That's not at all what I mean. I know what the purpose and
benefit of postscreen is.

My issue relates to why is score.senderscore.com used with postscreen,
and not bl.score.senderscore.com as it is with SA?

Perhaps it should be as well?

The postscreen weights for score.senderscore.com are such that they
are relative to the threshold, so a reputation of say, 70 would
receive a higher score than a reputation of say, 90. In fact, 90
removes points.

And why is only bl.score.senderscore.com used with SA, and not the
reputation system?

Thanks,
Alex

Re: URIBL/DNSBL from a database

Posted by Reindl Harald <h....@thelounge.net>.

On 03.03.2016 at 02:44, Alex wrote:
> Is there any reason to not use the bl.score.senderscore.com with
> postscreen? I don't understand the distinction

why?

postscreen is supposed to be configured with sensible scoring to reject 
most spam without false positives long before it reaches smtpd or even 
expensive contentfilters

hence the scoring and any sensible setup would use postscreen combined 
with several whitelists

that way your contentfilter has only to deal with the remaining 10% of 
junk and when you optimize postscreen to use a honeypot-MX (backup mx on 
a second IP with a postscreen whitelist_veto) and enforce pre-greet 
tests with a larger wait time there is not much for SpamAssassin to deal with


Re: URIBL/DNSBL from a database

Posted by Alex <my...@gmail.com>.
Hi,

Some time ago, David Jones wrote:
> In a related note, I have found that using the senderscore.org score combined
> with postscreen's weighting is very effective in quickly catching new spammers.
>
> postscreen_dnsbl_sites =
>   score.senderscore.com=127.0.4.[60..69]*2
>   score.senderscore.com=127.0.4.[50..59]*4
>   score.senderscore.com=127.0.4.[30..49]*6
>   score.senderscore.com=127.0.4.[0..29]*8
>   score.senderscore.com=127.0.4.[90..100]*-6
>   score.senderscore.com=127.0.4.[80..89]*-4
>   score.senderscore.com=127.0.4.[70..79]*-2

This has been quite effective, but there have also been some
false-positives which I've had to whitelist. I've lowered the 0-29
result a bit so as to not make it a poison pill in my case.

I also probably should have asked at the time what your
postscreen_dnsbl_threshold is? Mine is 8.

Can someone explain how this differs from the bl.score.senderscore.com
that's used in the RCVD_IN_RP_RNBL rule?

Is there any reason to not use the bl.score.senderscore.com with
postscreen? I don't understand the distinction.

Does anyone know where the return result codes are defined? I've
looked all over the senderscore website and can't find them.

Thanks,
Alex
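As an added example, not code from the thread, a small Python evaluator for the weighting quoted above: it parses the postscreen_dnsbl_sites entries into reply ranges and sums the matching weights against the postscreen_dnsbl_threshold of 8 that Alex mentions, so the effect of the [0..29]*8 entry as a single-hit reject, and of lowering it, can be checked without a mail server. The mapping of the last octet to the 0-100 reputation and the dnsbl.example zone are assumptions.

```python
import re

# Constructed input: the postscreen_dnsbl_sites entries quoted in this thread.
POSTSCREEN_DNSBL_SITES = """
score.senderscore.com=127.0.4.[60..69]*2
score.senderscore.com=127.0.4.[50..59]*4
score.senderscore.com=127.0.4.[30..49]*6
score.senderscore.com=127.0.4.[0..29]*8
score.senderscore.com=127.0.4.[90..100]*-6
score.senderscore.com=127.0.4.[80..89]*-4
score.senderscore.com=127.0.4.[70..79]*-2
"""
POSTSCREEN_DNSBL_THRESHOLD = 8  # the value Alex reports using
# Only the zone=a.b.c.[lo..hi]*weight form used in the thread is handled.
SITE_RE = re.compile(
    r"^(?P<zone>[^=]+)=(?P<prefix>(?:\d+\.){3})\[(?P<lo>\d+)\.\.(?P<hi>\d+)\]\*(?P<w>-?\d+)$")

def parse_sites(text):
    """Return a list of (zone, prefix, lo, hi, weight) tuples."""
    sites = []
    for entry in text.split():
        m = SITE_RE.match(entry)
        if m is None:
            raise ValueError(f"unsupported postscreen_dnsbl_sites entry: {entry}")
        sites.append((m["zone"], m["prefix"], int(m["lo"]), int(m["hi"]), int(m["w"])))
    return sites

def entry_matches(site, zone, reply):
    """True if A record 'reply' from 'zone' falls inside this entry's bracket range."""
    s_zone, prefix, lo, hi, _ = site
    if zone != s_zone or not reply.startswith(prefix):
        return False
    return lo <= int(reply[len(prefix):]) <= hi

def postscreen_score(replies, sites):
    """Sum the weights of every entry matched by the replies seen for one client.
    replies: {zone: [A-record strings]}; zones that did not list the client are absent."""
    return sum(site[4] for zone, answers in replies.items()
               for a in answers for site in sites if entry_matches(site, zone, a))

def rejected(replies, sites, threshold=POSTSCREEN_DNSBL_THRESHOLD):
    """postscreen rejects once the summed weight reaches postscreen_dnsbl_threshold."""
    return postscreen_score(replies, sites) >= threshold

def senderscore_reply(reputation):
    """Assumption drawn from the config above: the last octet carries the 0-100 reputation."""
    return f"127.0.4.{reputation}"
```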

Re: URIBL/DNSBL from a database

Posted by David Jones <dj...@ena.com>.
>From: Alex <my...@gmail.com>

>For some time now I've been cycling URLs and IPs through  a mariadb
>database gathered from incoming mail on a honeypot I've created.
>Surprising how many are received ahead of spamhaus/barracuda.

Major RBLs like that keep up with lots of data points for IP reputation
over time so that can give a little extra time for normally reputable IPs
that happen to have a compromised account -- which happens to us
all.  But if you don't detect compromised accounts on your system
through feedback loops and abuse reports, then a reputable IP can
eventually get listed on those major RBLs.

>Is anyone else doing this, and are you just rejecting the IPs at the
>SMTP level outright?

DNS is very effective to block at the MTA level.  I set up my own private
RBL on the DNS servers my SA boxes point to.  Dump your IPs into a
rbldnsd formatted zone file and set up your private RBL zone (doesn't
have to be a real zone on the Internet) to forward to rbldnsd.  Rbldnsd
will detect changes to its zone files and reload them automatically to
keep current.

Then I have a nightly script that goes through my list of IPs in my private
RBL to remove them if they show up in another major RBL that I use.  This
prevents my list from becoming stale in the event that the IP becomes
delisted from the public RBLs.

In a related note, I have found that using the senderscore.org score combined
with postscreen's weighting is very effective in quickly catching new spammers.

postscreen_dnsbl_sites =
  score.senderscore.com=127.0.4.[60..69]*2
  score.senderscore.com=127.0.4.[50..59]*4
  score.senderscore.com=127.0.4.[30..49]*6
  score.senderscore.com=127.0.4.[0..29]*8
  score.senderscore.com=127.0.4.[90..100]*-6
  score.senderscore.com=127.0.4.[80..89]*-4
  score.senderscore.com=127.0.4.[70..79]*-2

You should monitor your own outbound IPs for their sender score.  If your
IP goes below 90, it's a good indication that you have been sending spam
and that your users are going to start experiencing delivery issues to the
Internet.

Dave
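As an added example, not Dave's own scripts, the two pieces of that setup in Python: writing the private list as an rbldnsd ip4set file and the nightly pruning pass that drops IPs a public RBL now lists, keeping an IP whenever its lookups failed so a DNS outage cannot empty the list. The ip4set syntax (a default ':A:TXT' line, then one address per line), the dnsbl.example zone and the in-memory FAKE_DNS resolver are assumptions; the addresses are constructed.

```python
import ipaddress
def _is_ipv4(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False

def dnsbl_query_name(ip, zone):
    """Reverse the octets and append the zone: 192.0.2.10 -> 10.2.0.192.<zone>."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on junk rows from the database
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def render_ip4set(ips, reply="127.0.0.2", text="Listed by local honeypot"):
    """rbldnsd ip4set dataset (assumed syntax): default ':A:TXT' line, one IP per line."""
    valid = {str(ipaddress.IPv4Address(ip)) for ip in ips if _is_ipv4(ip)}
    lines = [f"# generated from the honeypot database, {len(valid)} entries",
             f":{reply}:{text}"]
    lines += sorted(valid, key=ipaddress.IPv4Address)
    return "\n".join(lines) + "\n"

def listed_in(ip, zone, resolve):
    """True/False when the public RBL answered, None when the lookup failed.
    resolve(name) must return a list of A-record strings, or None on error."""
    answers = resolve(dnsbl_query_name(ip, zone))
    if answers is None:
        return None
    return any(a.startswith("127.") for a in answers)

def prune_listed(ips, public_zones, resolve):
    """Drop IPs a major RBL already lists (the nightly job Dave describes). An IP
    whose lookups all failed is kept: a DNS outage must not empty the private list."""
    kept = []
    for ip in ips:
        if not _is_ipv4(ip):
            continue
        hits = [listed_in(ip, zone, resolve) for zone in public_zones]
        if not any(hit is True for hit in hits):
            kept.append(ip)
    return kept

# Constructed sample data (RFC 5737 documentation addresses) standing in for the
# database rows and for a public RBL; a real run would resolve over DNS instead.
SAMPLE_IPS = ["192.0.2.10", "198.51.100.7", "203.0.113.5", "203.0.113.5", "not-an-ip"]
FAKE_DNS = {
    "10.2.0.192.dnsbl.example": ["127.0.0.2"],  # listed publicly -> pruned
    "5.113.0.203.dnsbl.example": [],            # empty answer (not listed) -> kept
    # 7.100.51.198.dnsbl.example is deliberately absent -> lookup error -> kept
}
```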

Re: URIBL/DNSBL from a database

Posted by Martin Gregorie <ma...@gregorie.org>.
On Fri, 2016-02-12 at 07:30 -0800, Marc Perkel wrote:

> Yeah - unless you write your own SA module using DNS is the quick
> easy solution.
> 
If Alex already has a set of scripts that populate and maintain the
database that he's happy with, then the quick and easy way may be to
make a custom SA module by using my database access module as a
starting point. 

The benefits would be that he's already familiar with the care and feeding
of his database and that he can update it any time without needing to
stop and restart anything.


Martin



Re: URIBL/DNSBL from a database

Posted by Marc Perkel <su...@junkemailfilter.com>.
On 02/12/16 05:39, Alex wrote:
> Hi,
>
> For some time now I've been cycling URLs and IPs through  a mariadb
> database gathered from incoming mail on a honeypot I've created.
> Surprising how many are received ahead of spamhaus/barracuda.
>
> I'm looking for ideas on how to now make this information available to
> spamassassin on my production system. I'd like to somehow export the
> IPs, any URLs in the body, and email addresses to spamassassin.
>
> Is it possible for spamassassin to query a database directly?
>
> I'm familiar with how to create a uridnsbl, but is DNS the best
> approach here? The info needs to be updated and reloaded rapidly, and
> not all the info (URLs, emails) are conducive to being in DNS.
>
> Is anyone else doing this, and are you just rejecting the IPs at the
> SMTP level outright?
>
> Thanks,
> Alex
>
>

Yeah - unless you write your own SA module using DNS is the quick easy 
solution.

-- 
Marc Perkel - Sales/Support
support@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400


Re: URIBL/DNSBL from a database

Posted by Martin Gregorie <ma...@gregorie.org>.
On Fri, 2016-02-12 at 08:39 -0500, Alex wrote:
> Is it possible for spamassassin to query a database directly?
> 
Yes, with a plugin. 

I've been doing the opposite for some years now: I archive all my
outgoing mail and most of my non-spam incoming mail in a Postgres
database and use this as a whitelist: incoming mail from anybody that
I've sent mail to gets whitelisted. I use a plugin to query the
database via a view: the view is there to present the list of addresses
to which I've sent mail to the plugin's SQL query: it's needed for
performance reasons because the database uses a many-to-many structure
to associate addresses with the messages they send or receive. 

It should be simple enough to change my plugin's query to work with
your database, particularly if you already have a table containing the
addresses you'd like to blacklist. Likewise, it's probably fairly simple
to extend it to deal with the URLs and IPs from message bodies. 

If you'd like a copy of the plugin plus the associated .cf file[*],
contact me offlist.


Martin

[*] this loads and configures the plugin with database login details
and defines the rule that whitelists hits.