Posted to users@spamassassin.apache.org by Marc Perkel <ma...@perkel.com> on 2007/06/17 03:24:24 UTC

My Newly Expanded DNS Blacklist - Who wants to try it?

Using my new ideas here's my raw blacklist file. It has about 80k IP 
addresses and is updated every 10 minutes.

http://iplist.junkemailfilter.com/black.txt

Here are instructions on how to use it with SpamAssassin and Exim.

http://wiki.ctyme.com/index.php/Spam_DNS_Lists#Spam_Assassin_Examples

I'd like to get some feedback on how well it's working.

Re: My Newly Expanded DNS Blacklist - Who wants to try it?

Posted by Marc Perkel <ma...@perkel.com>.

Bart Schaefer wrote:
> On 6/16/07, Marc Perkel <ma...@perkel.com> wrote:
>> Using my new ideas here's my raw blacklist file. It has about 80k IP
>> addresses and is updated every 10 minutes.
>>
>> http://iplist.junkemailfilter.com/black.txt
>
> Just glancing through the list and reversing an IP address whose first
> two quads I recognize, I see you've blacklisted Red Condor
> (redcondor.com), a network security and anti-phishing service provider
> (64.84.16.173).
>
> So either they've got a problem they ought to be made aware of, or you 
> do ...
>

OK - I'll have to look into that.

Re: My Newly Expanded DNS Blacklist - Who wants to try it?

Posted by Bart Schaefer <ba...@gmail.com>.
On 6/16/07, Marc Perkel <ma...@perkel.com> wrote:
> Using my new ideas here's my raw blacklist file. It has about 80k IP
> addresses and is updated every 10 minutes.
>
> http://iplist.junkemailfilter.com/black.txt

Just glancing through the list and reversing an IP address whose first
two quads I recognize, I see you've blacklisted Red Condor
(redcondor.com), a network security and anti-phishing service provider
(64.84.16.173).

So either they've got a problem they ought to be made aware of, or you do ...

Re: My Newly Expanded DNS Blacklist - Who wants to try it?

Posted by Marc Perkel <ma...@perkel.com>.

Jari Fredriksson wrote:
> Marc Perkel wrote:
>   
>> Using my new ideas here's my raw blacklist file. It has about 80k IP
>> addresses and is updated every 10 minutes.
>>
>> http://iplist.junkemailfilter.com/black.txt
>>
>> Here are instructions on how to use it with SpamAssassin and Exim.
>>
>> http://wiki.ctyme.com/index.php/Spam_DNS_Lists#Spam_Assassin_Examples
>>
>> I'd like to get some feedback on how well it's working.
>>     
>
>
> Hmm, how about documenting how it is supposed to work? How does an IP address end up on your list?
>
>   
The wiki link has it somewhat documented but I'm trying something new and I'm still testing it so I'm not going to document it for a while till I know it works. But - the simple explanation is this.

On the lower numbered MX records I have 3 mail servers, any one of which can carry the whole load in an emergency. On higher numbered MX records I have about 10 dummy IP addresses that normal email should never hit. Spammers, however, especially spam bots, have been hitting random MX records instead of figuring out the proper order. The idea is that the backup servers might have less spam filtering than the main server.

So any hits on these fake MX records are counted as spam hits. Every 10 minutes I count up the spam and ham hits per IP and generate my black, white, and yellow lists. To make the black list there have to be enough hits to be worth counting and it has to be 99% spam. The high MX records always return a 421 error, but the connection still counts as a spam hit.

Some of the details are a little more complex. I process SA-determined spam hits differently than spammer-trick spam, not only in scoring but in the time that I keep the data. Fake MX data lives 1 day. Spam lives 3 days, and ham lives 7 days. Every 6 hours I shift the log data down, creating a new file and deleting the oldest file.

If this works out it could be done on a more massive community scale and it could totally wipe out all spambot spam. Right now I have no spambot spam at all making it through the system using this and other tricks. Most of my filtering is done using Exim rules but I still use SA for the remaining 1% or so. I'm also feeding spam to several block list services who are using my data to add to blocking spam everywhere.



Re: My Newly Expanded DNS Blacklist - Who wants to try it?

Posted by Jari Fredriksson <ja...@iki.fi>.
Marc Perkel wrote:
> Using my new ideas here's my raw blacklist file. It has about 80k IP
> addresses and is updated every 10 minutes.
> 
> http://iplist.junkemailfilter.com/black.txt
> 
> Here are instructions on how to use it with SpamAssassin and Exim.
> 
> http://wiki.ctyme.com/index.php/Spam_DNS_Lists#Spam_Assassin_Examples
> 
> I'd like to get some feedback on how well it's working.


Hmm, how about documenting how it is supposed to work? How does an IP address end up on your list?



Re: My Newly Expanded DNS Blacklist - Who wants to try it?

Posted by Marc Perkel <ma...@perkel.com>.

Shane Williams wrote:
> On Sat, 16 Jun 2007, Marc Perkel wrote:
>
>> Using my new ideas here's my raw blacklist file. It has about 80k IP 
>> addresses and is updated every 10 minutes.
>>
>> http://iplist.junkemailfilter.com/black.txt
>>
>> Here are instructions on how to use it with SpamAssassin and Exim.
>>
>> http://wiki.ctyme.com/index.php/Spam_DNS_Lists#Spam_Assassin_Examples
>>
>> I'd like to get some feedback on how well it's working.
>
> This filter blocked my last response to you, as I suspect it will
> for this one.  As such, I looked at your wiki to determine why I was
> listed, but couldn't find a clear reason.  The documentation says that
> only known spam sources are blocked, but if I had to guess, I'd say
> it's because I'm on a dynamic cable IP address (which I didn't see
> any text about when I looked on Friday).
>
> Mind you, I've gotten used to the idea that places are going to block
> me because I'm on a Cablemodem, so that doesn't really bother me much.
> It's just that your documentation didn't mention this as a possible
> reason for listing, and gave me no real idea as to why I was listed.
>
> I would suggest that if you really want to know how well it's working
> you should, for some time, accept mail that it would drop, filter it
> to a special place, and then visually inspect for ham/spam ratio.  I
> don't see any better method for gathering hard data on its success
> rate.
>

Shane, post the error you got to this list in case I don't get it 
direct. I haven't documented my new trick in the wiki yet because I'm 
still testing it to see if it works. If it doesn't work then I'll have 
to give up on it. The wiki gives instructions on how to use the black list.

As to what I'm doing I talked about it in a different thread. The idea 
is that I have 3 working servers on low numbered MX records. I have a 
number of high numbered MX IPs that should never be hit. However 
spammers don't follow the rules and try the high numbered MX looking to 
get in the back door. So in theory only spammers will hit the high 
numbered MX.

The idea is that after about 10 hits on the high numbered MX I add them 
to the blacklist. It seems to be working but I'm still testing this 
idea. I'm convinced that this method or something similar might be an 
effective way to catch spammers and I'm testing it out. But - it has to 
actually work in the real world and when it does, maybe someone who is a 
better programmer than me will really do it right.


RE: My Newly Expanded DNS Blacklist - Who wants to try it?

Posted by Robert - eLists <li...@abbacomm.net>.

> 
> This is a personal mail server, so I know exactly who sends mail on
> it, and "we" don't have a spam problem (unless you mean all the spam
> we're fighting to keep out).  Of course, since it's a dynamic address,
> I can't be certain that other users of this address haven't sent spam,
> but as others have pointed out, the only other blacklists 70.112.27.10
> is listed on are dynamic or dialup lists only, so there's no
> indication that it's been a previous spam source.
> 
> So, unless you're intending to block dynamic IPs as part of your
> method, I'd say this is a false-positive situation.
> 
> --
> Public key #7BBC68D9 at            |                 Shane Williams
> http://pgp.mit.edu/                |      System Admin - UT iSchool

Shane,

I realize this is a few days old...

dig -x 70.112.27.10
;; QUESTION SECTION:
;10.27.112.70.in-addr.arpa.     IN      PTR

;; ANSWER SECTION:
10.27.112.70.in-addr.arpa. 3600 IN      PTR
cpe-70-112-27-10.austin.res.rr.com.

For a mail server, why don't you migrate from a RBL listed dynamic ip to a
non-RBL listed static ip (or another transit solution) and if you cannot
afford it, I'll bet you could afford some hosting.

Unless you are relaying that email from this server to your upstream, I
think this implementation is flawed for real world work in general

 - rh


Re: My Newly Expanded DNS Blacklist - Who wants to try it?

Posted by Marc Perkel <ma...@perkel.com>.

John Rudd wrote:
>
> If you're going to do this, I would suggest that instead of counting 
> to X hits on your low priority MX's and then blacklisting the IP, do 
> this:
>
> Count on all of your MX's, and look for a ratio between "hits on low 
> priority MX's and hits on high priority MX's".
>
> IF the high priority MX hit rate is 0, then just do a simple count on 
> the hits against the low priority MX's.
>
> IF the higher priority MX hit rate is > 0, then do (low priority hit 
> rate) / (high priority hit rate), and look for a number >= something 
> like 10.
>
>
> That way, senders that might sequentially try your servers, due to 
> problems, or even just because they roll through the servers over 
> time, won't get tagged.
>

That's a good suggestion. You have me thinking. I'm using Exim and it 
has the RateLimit logic. Rather than a ratio I could maybe create a time 
window where if they hit the proper MX then it bypasses the improper MX 
tests for a fixed number of seconds.


Re: My Newly Expanded DNS Blacklist - Who wants to try it?

Posted by Marc Perkel <ma...@perkel.com>.

John Rudd wrote:
>
> If you're going to do this, I would suggest that instead of counting 
> to X hits on your low priority MX's and then blacklisting the IP, do 
> this:
>
> Count on all of your MX's, and look for a ratio between "hits on low 
> priority MX's and hits on high priority MX's".
>
> IFF the high priority MX hit rate is 0, then just do a simple count on 
> the hits against the low priority MX's.
>
> IF the higher priority MX hit rate is > 0, then do (low priority hit 
> rate) / (high priority hit rate), and look for a number >= something 
> like 10.
>
>
> That way, senders that might sequentially try your servers, due to 
> problems, or even just because they roll through the servers over 
> time, won't get tagged.
>
>

OK - I've implemented an interesting trick that solves the problem. I'm 
using the Exim RateLimit logic that only allows 1 hit per 20 seconds to 
be counted. Thus if a high priority MX is hit then that creates a 20 
second window where hitting my fake MX records don't count. I've noticed 
in my logs that most servers will zip through all MX records (now 10) in 
less than a second or two. This trick also prevents multiple hits on 
fake MX records from being counted multiple times.

With this new trick along with a few others I no longer get any bot spam 
at all. I'm still tweaking and testing but this is looking really good.


Re: My Newly Expanded DNS Blacklist - Who wants to try it?

Posted by John Rudd <jr...@ucsc.edu>.
Marc Perkel wrote:
> 
> 
> Rick Cooper wrote:
>> I don't know what his reason is but had I attempted to send mail to your
>> server last Friday I could easily have ended up hitting one of your 
>> higher
>> MXs. I had a problem with Verizon where I would lose my connection for
>> seconds to a min and everything would be fine for seconds to a min or 
>> two.
>> This went on for hours, it was like someone flicking a light switch. 
>> If exim
>> couldn't connect to your lower mx servers during one of these episodes it
>> would have rolled up the list as it should since Verizon has yet to 
>> inform
>> my mail server they are having transient network problems and to consider
>> any connection issues to be temporary and please try again.
>>
>> Rick
>>
>>   
> 
> Rick, it does take multiple hits to get listed and I did add code that 
> if you hit all the high ones in succession that it only counts as one. 
> However, having said that, this is experimental and there's a 
> possibility that it's just not going to work. I do believe that there's 
> information to be had by looking at hosts who hit high numbered MX 
> records when low numbered MX servers are available. I'm just trying to 
> figure out how to extract this information.
> 
> So - I ask the question - I think we can all agree that there's 
> information to be had. How do we extract this in a useful form and avoid 
> false positives?
> 

If you're going to do this, I would suggest that instead of counting to 
X hits on your low priority MX's and then blacklisting the IP, do this:

Count on all of your MX's, and look for a ratio between "hits on low 
priority MX's and hits on high priority MX's".

IFF the high priority MX hit rate is 0, then just do a simple count on 
the hits against the low priority MX's.

IF the higher priority MX hit rate is > 0, then do (low priority hit 
rate) / (high priority hit rate), and look for a number >= something 
like 10.


That way, senders that might sequentially try your servers, due to 
problems, or even just because they roll through the servers over time, 
won't get tagged.
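
The counting rules discussed in this post, together with Marc's 20-second RateLimit window from his reply above, as an added example in Python (not code from the thread or from Marc's Exim setup): it runs the raw dummy-hit count and the windowed count plus ratio rule side by side over a constructed hit log. MX preferences, client addresses and thresholds are assumptions chosen to match the figures quoted in the thread.

```python
from collections import defaultdict

# Assumed MX layout, not the real junkemailfilter.com records: three real
# servers on low preference values, ten dummy addresses on high ones.
REAL_MX = {10, 20, 30}
DUMMY_MX = {100 + 10 * i for i in range(10)}   # 100, 110, ..., 190

WINDOW_SECONDS = 20   # Marc's RateLimit window: at most one counted hit per window
MIN_HITS = 10         # "after about 10 hits" on the dummies
MIN_RATIO = 10.0      # John Rudd's suggested dummy-to-real ratio


def parse_log(text):
    """Parse constructed 'epoch client_ip mx_pref' lines into time-sorted tuples."""
    hits = []
    for line in text.strip().splitlines():
        t, ip, pref = line.split()
        hits.append((int(t), ip, int(pref)))
    return sorted(hits)


def count_hits(hits, window=WINDOW_SECONDS):
    """Per-client counts of real and dummy MX hits after the one-per-window rule.

    A connection is counted only if no earlier connection from the same client
    was counted within `window` seconds, so an MTA that sweeps every MX record
    in a second or two is counted once, for whichever record it tried first.
    """
    last_counted = {}
    counts = defaultdict(lambda: {"real": 0, "dummy": 0})
    for t, ip, pref in sorted(hits):
        if ip in last_counted and t - last_counted[ip] < window:
            continue
        last_counted[ip] = t
        counts[ip]["dummy" if pref in DUMMY_MX else "real"] += 1
    return dict(counts)


def is_listed(real, dummy, min_hits=MIN_HITS, min_ratio=MIN_RATIO):
    """John Rudd's rule: a plain count when the client never reached a real MX,
    otherwise the dummy/real ratio, with a minimum volume in both cases."""
    if dummy < min_hits:
        return False
    if real == 0:
        return True
    return dummy / real >= min_ratio


def blacklist(hits):
    """IPs listed by the windowed counts plus the ratio rule."""
    return sorted(ip for ip, c in count_hits(hits).items()
                  if is_listed(c["real"], c["dummy"]))


def naive_blacklist(hits, min_hits=MIN_HITS):
    """The original rule, for comparison: list any IP with min_hits raw dummy hits."""
    raw = defaultdict(int)
    for _, ip, pref in hits:
        if pref in DUMMY_MX:
            raw[ip] += 1
    return sorted(ip for ip, n in raw.items() if n >= min_hits)


def constructed_log():
    """Constructed sample traffic (RFC 5737 documentation addresses)."""
    base = 1182050000          # arbitrary epoch in June 2007
    lines = []
    # Bot: probes a dummy MX every five minutes and never touches a real one.
    for i in range(12):
        lines.append(f"{base + 300 * i} 192.0.2.10 {100 + 10 * (i % 10)}")
    # Well-behaved MTA: every 15 minutes it sweeps the lowest MX first and then
    # every remaining record within two seconds (the pattern Marc saw in his logs).
    for i in range(5):
        t = base + 900 * i
        for j, pref in enumerate(sorted(REAL_MX | DUMMY_MX)):
            lines.append(f"{t + j // 7} 198.51.100.5 {pref}")
    # Flapping link (Rick's case): 40 deliveries five minutes apart; on 12 of
    # them the low MX was unreachable, so the first connections landed on dummies.
    for i in range(40):
        t = base + 300 * i + 17
        if i % 10 in (1, 4, 7):
            lines += [f"{t} 203.0.113.7 100", f"{t} 203.0.113.7 110",
                      f"{t + 1} 203.0.113.7 120"]
        else:
            lines.append(f"{t} 203.0.113.7 10")
    return "\n".join(lines)


if __name__ == "__main__":
    hits = parse_log(constructed_log())
    for ip, c in sorted(count_hits(hits).items()):
        print(f"{ip:14} real={c['real']:3} dummy={c['dummy']:3}")
    print("raw dummy count >= 10 :", naive_blacklist(hits))
    print("window + ratio rule   :", blacklist(hits))
```

On the constructed log the raw count lists all three senders, the windowed count alone would still list the flapping sender (12 counted dummy hits against 28 real ones), and the ratio rule leaves only the bot listed.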



Re: My Newly Expanded DNS Blacklist - Who wants to try it?

Posted by Marc Perkel <ma...@perkel.com>.

Rick Cooper wrote:
>  
> I am probably over sensitive to blacklists of this nature because of past
> problems. I had an issue where someone could not deliver a reply to a
> customer once and when I investigated I found the (actually two) server was
> on a blacklist I had never heard of. I let our ISP know that apparently
> their entire address space was on the list and the owner (someone I have
> known since the early eighties) investigated and found the entire att
> address space (their carrier) was on this black list and att knew all about
> it. Apparently this person wanted them to pay him $50,000 to be removed in
> less than one year. Granted few people probably use the list but it still
> worries me when some one uses a list maintained by "a guy" and even more so
> if it's fully automated.
>
> Personally a relatively few mails on our servers make it to RBL portion (I
> also use exim) and get dumped for other reasons, right now the biggest is
> probably non FQDN (or bracketed dotted quad) helo. I would say number two is
> attempting to send mail heloing as part of our domain space when the host is
> not part of our network, and three is attempting to send mail to our
> addresses from a host not allowed to send mail from our addresses. I also
> seem to see a lot of localhost/localhost.localdomain and 127.0.0.1. I would
> like to see a lot more hardfail SPF hits and less SPF none.
>
> I still believe there are too many people who (subconsciously or otherwise)
> get a thrill out of "fighting spam" and the world would be much better off
> to move to taking responsibility for the mails they send. DKIM is about the
> closest thing to what I would like. You can have all the anti-spam laws in
> the world but proving responsibility is always the biggest problem. I would
> like to see a light weight service similar to DNS used to validate emails,
> quick and simple. It could be distributed like DNS and do you approve this
> mail, yes or no, like sender verification only without the smtp overhead.
> Last one that touches it is responsible, through the chain. The current,
> base, smtp spec simply wasn't developed in a time where anyone considered
> today's environment.
>
> There has to be a better way than trying to catch spam as that does nothing
> toward trying to stop it.
>
> Rick
>
>   

Rick - I totally understand where you are coming from.  I've had similar 
problems with people blacklisting my servers. But what I'm trying to do 
here is develop new tricks for fighting spam. I've found my most 
accurate methods of detecting spam is based on differences in the 
behaviour of spammers as compared to normal email. When I see something 
that's a clear difference I try to find a way to use it. That's what I'm 
doing here.


RE: My Newly Expanded DNS Blacklist - Who wants to try it?

Posted by Rick Cooper <rc...@dwford.com>.
 

 > -----Original Message-----
 > From: Marc Perkel [mailto:marc@perkel.com] 
 > Sent: Monday, June 18, 2007 10:00 AM
 > To: Rick Cooper
 > Cc: users@spamassassin.apache.org
 > Subject: Re: My Newly Expanded DNS Blacklist - Who wants to try it?
 > 
 > 
 > 
 > Rick Cooper wrote:
 > > I don't know what his reason is but had I attempted to 
 > send mail to your
 > > server last Friday I could easily have ended up hitting 
 > one of your higher
 > > MXs. I had a problem with Verizon where I would lose my 
 > connection for
 > > seconds to a min and everything would be fine for seconds 
 > to a min or two.
 > > This went on for hours, it was like someone flicking a 
 > light switch. If exim
 > > couldn't connect to your lower mx servers during one of 
 > these episodes it
 > > would have rolled up the list as it should since Verizon 
 > has yet to inform
 > > my mail server they are having transient network problems 
 > and to consider
 > > any connection issues to be temporary and please try again.
 > >
 > > Rick
 > >
 > >   
 > 
 > Rick, it does take multiple hits to get listed and I did add 
 > code that 
 > if you hit all the high ones in succession that it only 
 > counts as one. 
 > However, having said that, this is experimental and there's a 
 > possibility that it's just not going to work. I do believe 
 > that there's 
 > information to be had by looking at hosts who hit high numbered MX 
 > records when low numbered MX servers are available. I'm just 
 > trying to 
 > figure out how to extract this information.
 > 
 > So - I ask the question - I think we can all agree that there's 
 > information to be had. How do we extract this in a useful 
 > form and avoid 
 > false positives?
 > 

I am probably over sensitive to blacklists of this nature because of past
problems. I had an issue where someone could not deliver a reply to a
customer once and when I investigated I found the (actually two) server was
on a blacklist I had never heard of. I let our ISP know that apparently
their entire address space was on the list and the owner (someone I have
known since the early eighties) investigated and found the entire att
address space (their carrier) was on this black list and att knew all about
it. Apparently this person wanted them to pay him $50,000 to be removed in
less than one year. Granted few people probably use the list but it still
worries me when some one uses a list maintained by "a guy" and even more so
if it's fully automated.

Personally a relatively few mails on our servers make it to RBL portion (I
also use exim) and get dumped for other reasons, right now the biggest is
probably non FQDN (or bracketed dotted quad) helo. I would say number two is
attempting to send mail heloing as part of our domain space when the host is
not part of our network, and three is attempting to send mail to our
addresses from a host not allowed to send mail from our addresses. I also
seem to see a lot of localhost/localhost.localdomain and 127.0.0.1. I would
like to see a lot more hardfail SPF hits and less SPF none.

I still believe there are too many people who (subconsciously or otherwise)
get a thrill out of "fighting spam" and the world would be much better off
to move to taking responsibility for the mails they send. DKIM is about the
closest thing to what I would like. You can have all the anti-spam laws in
the world but proving responsibility is always the biggest problem. I would
like to see a light weight service similar to DNS used to validate emails,
quick and simple. It could be distributed like DNS and do you approve this
mail, yes or no, like sender verification only without the smtp overhead.
Last one that touches it is responsible, through the chain. The current,
base, smtp spec simply wasn't developed in a time where anyone considered
today's environment.

There has to be a better way than trying to catch spam as that does nothing
toward trying to stop it.

Rick


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



Re: My Newly Expanded DNS Blacklist - Who wants to try it?

Posted by Marc Perkel <ma...@perkel.com>.

Rick Cooper wrote:
> I don't know what his reason is but had I attempted to send mail to your
> server last Friday I could easily have ended up hitting one of your higher
> MXs. I had a problem with Verizon where I would lose my connection for
> seconds to a min and everything would be fine for seconds to a min or two.
> This went on for hours, it was like someone flicking a light switch. If exim
> couldn't connect to your lower mx servers during one of these episodes it
> would have rolled up the list as it should since Verizon has yet to inform
> my mail server they are having transient network problems and to consider
> any connection issues to be temporary and please try again.
>
> Rick
>
>   

Rick, it does take multiple hits to get listed and I did add code that 
if you hit all the high ones in succession that it only counts as one. 
However, having said that, this is experimental and there's a 
possibility that it's just not going to work. I do believe that there's 
information to be had by looking at hosts who hit high numbered MX 
records when low numbered MX servers are available. I'm just trying to 
figure out how to extract this information.

So - I ask the question - I think we can all agree that there's 
information to be had. How do we extract this in a useful form and avoid 
false positives?


RE: My Newly Expanded DNS Blacklist - Who wants to try it?

Posted by Rick Cooper <rc...@dwford.com>.
 

 > -----Original Message-----
 > From: Marc Perkel [mailto:marc@perkel.com] 
 > Sent: Monday, June 18, 2007 9:31 AM
 > To: Shane Williams
 > Cc: Daryl C. W. O'Shea; users@spamassassin.apache.org
 > Subject: Re: My Newly Expanded DNS Blacklist - Who wants to try it?
 > 
 > 
 > 
 > Shane Williams wrote:
 > > On Sun, 17 Jun 2007, Marc Perkel wrote:
 > >
 > >> Shane Williams wrote:
 > >>>
[...]
 > 
 > Shane - your listing has nothing to do with dynamic IPs. The 
 > way you got 
 > listed is that your server hit my high MX records when all 
 > of my lower 
 > MX records were working. What I'm still investigating is why that 
 > happened. And it's a problem I intend to fix because I don't 
 > want any 
 > false positives in the list. Is there any reason your server 
 > would try 
 > MX records in an unusual order?
 > 

I don't know what his reason is but had I attempted to send mail to your
server last Friday I could easily have ended up hitting one of your higher
MXs. I had a problem with Verizon where I would lose my connection for
seconds to a min and everything would be fine for seconds to a min or two.
This went on for hours, it was like someone flicking a light switch. If exim
couldn't connect to your lower mx servers during one of these episodes it
would have rolled up the list as it should since Verizon has yet to inform
my mail server they are having transient network problems and to consider
any connection issues to be temporary and please try again.

Rick





Re: My Newly Expanded DNS Blacklist - Who wants to try it?

Posted by Shane Williams <sh...@shanew.net>.
On Mon, 18 Jun 2007, Marc Perkel wrote:

> Shane - your listing has nothing to do with dynamic IPs. The way you got 
> listed is that your server hit my high MX records when all of my lower MX 
> records were working. What I'm still investigating is why that happened. And 
> it's a problem I intend to fix because I don't want any false positives in 
> the list. Is there any reason your server would try MX records in an unusual 
> order?

As others have mentioned, there are reasons (internet congestion, for
instance), but I gather what you really want to know is whether
there's something unusual about my configuration that would cause this
to happen.  The answer to that is no.  I'm running sendmail on a
gentoo server.  No crazy configs, I don't run my own DNS, and frankly
I don't know why my sendmail would try high MXs before low ones, but
apparently it does.

I'd say any system that requires you to investigate to this extent
with blocked senders on a one-on-one basis has problems, and I would
once again recommend that you test any system by tagging mails before
actually rejecting them so that you learn about false-positives rather
than assuming there aren't any unless someone reports it (which would
be hard to do, since you're blocking them).

Since this is now way OT for the SA list, I'm not going to respond on
the list anymore, and since your blacklist rejects my emails, I'm
guessing this is the end of the conversation for me.  Good luck.

--
Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                |      System Admin - UT iSchool
=----------------------------------+-------------------------------
All syllogisms contain three lines |              shanew@shanew.net
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew

Re: My Newly Expanded DNS Blacklist - Who wants to try it?

Posted by Marc Perkel <ma...@perkel.com>.

Shane Williams wrote:
> On Sun, 17 Jun 2007, Marc Perkel wrote:
>
>> Shane Williams wrote:
>>>
>>>  Here's the "failed for the last 4 hours" message...
>>>
>>>     ----- Transcript of session follows -----
>>>  ... while talking to mx.junkemailfilter.com.:
>>>  <<< 550-REJECTED - 70.112.27.10 is blacklisted at
>>>  hostkarma.junkemailfilter.com
>>>  <<< 550 (127.0.0.2); 70.112.27.10
>>>  ... while talking to mx.junkemailfilter.net.:
>>>  <<< 550-REJECTED - 70.112.27.10 is blacklisted at
>>>  hostkarma.junkemailfilter.com
>>>  <<< 550 (127.0.0.2); 70.112.27.10
>>>  ... while talking to mx.junkemailfilter.org.:
>>>  <<< 451 Temporary local problem - please try later
>>>  ... while talking to dummy1.junkemailfilter.com.:
>>>  <<< 451 Temporary local problem - please try later
>>>  ... while talking to dummy2.junkemailfilter.com.:
>>>  <<< 451 Temporary local problem - please try later
>>>  ... while talking to dummy3.junkemailfilter.com.:
>>>  <<< 451 Temporary local problem - please try later
>>>  ... while talking to dummy4.junkemailfilter.com.:
>>>  <<< 451 Temporary local problem - please try later
>>>  <ma...@perkel.com>... Deferred: 451 Temporary local problem - please
>>>  try later
>>
>> ok - that's a different IP and that IP is blocked on my list and 4 
>> other lists. Based on your logs it doesn't look like it gives up after 
>> a 550 error. I think you have a spam problem.
>
> This is a personal mail server, so I know exactly who sends mail on
> it, and "we" don't have a spam problem (unless you mean all the spam
> we're fighting to keep out).  Of course, since it's a dynamic address,
> I can't be certain that other users of this address haven't sent spam,
> but as others have pointed out, the only other blacklists 70.112.27.10
> is listed on are dynamic or dialup lists only, so there's no
> indication that it's been a previous spam source.
>
> So, unless you're intending to block dynamic IPs as part of your
> method, I'd say this is a false-positive situation.
>

Shane - your listing has nothing to do with dynamic IPs. The way you got 
listed is that your server hit my high MX records when all of my lower 
MX records were working. What I'm still investigating is why that 
happened. And it's a problem I intend to fix because I don't want any 
false positives in the list. Is there any reason your server would try 
MX records in an unusual order?

Re: My Newly Expanded DNS Blacklist - Who wants to try it?

Posted by Jerry Durand <jd...@interstellar.com>.
At 06:18 AM 6/18/2007, Shane Williams wrote:
>So, unless you're intending to block dynamic IPs as part of your
>method, I'd say this is a false-positive situation.

Our mail and web server is on a business dynamic address, has been 
for years and serves several domains.  We block (554 error) dynamic 
servers trying to connect to us and would expect the same from anyone 
we tried to directly connect to.  ALL our outgoing mail is relayed 
through our ISP's mail server using AUTH.  Each domain has an SPF 
record that lists our ISP as the only valid source of mail from us.

Works fine except for the short time Internic started deep-scanning 
headers and message bodies with Zen, then they blocked lots of people 
they shouldn't have.

We used to use several RBLs, but Zen seems pretty good and saves 
time.  The few dynamic addresses that get by Zen seem to be caught by 
SA.  Good work guys!


-- 
Jerry Durand, Durand Interstellar, Inc.  www.interstellar.com
tel: +1 408 356-3886, USA toll free: 1 866 356-3886
Skype:  jerrydurand


Re: My Newly Expanded DNS Blacklist - Who wants to try it?

Posted by Marc Perkel <ma...@perkel.com>.

Shane Williams wrote:
>
> This is a personal mail server, so I know exactly who sends mail on
> it, and "we" don't have a spam problem (unless you mean all the spam
> we're fighting to keep out).  Of course, since it's a dynamic address,
> I can't be certain that other users of this address haven't sent spam,
> but as others have pointed out, the only other blacklists 70.112.27.10
> is listed on are dynamic or dialup lists only, so there's no
> indication that it's been a previous spam source.
>
> So, unless you're intending to block dynamic IPs as part of your
> method, I'd say this is a false-positive situation.
>

Shane, I found the bug and fixed it. It was dynamic IP related where I 
was returning temp errors in certain cases. Your IP has been removed 
also and sorry about that but this is still something I'm testing.

Re: My Newly Expanded DNS Blacklist - Who wants to try it?

Posted by Shane Williams <sh...@shanew.net>.
On Sun, 17 Jun 2007, Marc Perkel wrote:

> Shane Williams wrote:
>>
>>  Here's the "failed for the last 4 hours" message...
>>
>>     ----- Transcript of session follows -----
>>  ... while talking to mx.junkemailfilter.com.:
>>  <<< 550-REJECTED - 70.112.27.10 is blacklisted at
>>  hostkarma.junkemailfilter.com
>>  <<< 550 (127.0.0.2); 70.112.27.10
>>  ... while talking to mx.junkemailfilter.net.:
>>  <<< 550-REJECTED - 70.112.27.10 is blacklisted at
>>  hostkarma.junkemailfilter.com
>>  <<< 550 (127.0.0.2); 70.112.27.10
>>  ... while talking to mx.junkemailfilter.org.:
>>  <<< 451 Temporary local problem - please try later
>>  ... while talking to dummy1.junkemailfilter.com.:
>>  <<< 451 Temporary local problem - please try later
>>  ... while talking to dummy2.junkemailfilter.com.:
>>  <<< 451 Temporary local problem - please try later
>>  ... while talking to dummy3.junkemailfilter.com.:
>>  <<< 451 Temporary local problem - please try later
>>  ... while talking to dummy4.junkemailfilter.com.:
>>  <<< 451 Temporary local problem - please try later
>>  <ma...@perkel.com>... Deferred: 451 Temporary local problem - please
>>  try later
>
> ok - that's a different IP and that IP is blocked on my list and 4 other 
> lists. Based on your logs it doesn't look like it gives up after a 550 error. 
> I think you have a spam problem.

This is a personal mail server, so I know exactly who sends mail on
it, and "we" don't have a spam problem (unless you mean all the spam
we're fighting to keep out).  Of course, since it's a dynamic address,
I can't be certain that other users of this address haven't sent spam,
but as others have pointed out, the only other blacklists 70.112.27.10
is listed on are dynamic or dialup lists only, so there's no
indication that it's been a previous spam source.

So, unless you're intending to block dynamic IPs as part of your
method, I'd say this is a false-positive situation.

-- 
Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                |      System Admin - UT iSchool
=----------------------------------+-------------------------------
All syllogisms contain three lines |              shanew@shanew.net
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew

Re: My Newly Expanded DNS Blacklist - Who wants to try it?

Posted by Raymond Dijkxhoorn <ra...@prolocation.net>.
Hi!

>> ... while talking to mx.junkemailfilter.com.:
>> <<< 550-REJECTED - 70.112.27.10 is blacklisted at
>> hostkarma.junkemailfilter.com
>> <<< 550 (127.0.0.2); 70.112.27.10
>> ... while talking to mx.junkemailfilter.net.:
>> <<< 550-REJECTED - 70.112.27.10 is blacklisted at
>> hostkarma.junkemailfilter.com
>> <<< 550 (127.0.0.2); 70.112.27.10
>> ... while talking to mx.junkemailfilter.org.:
>> <<< 451 Temporary local problem - please try later
>> ... while talking to dummy1.junkemailfilter.com.:
>> <<< 451 Temporary local problem - please try later
>> ... while talking to dummy2.junkemailfilter.com.:
>> <<< 451 Temporary local problem - please try later
>> ... while talking to dummy3.junkemailfilter.com.:
>> <<< 451 Temporary local problem - please try later
>> ... while talking to dummy4.junkemailfilter.com.:
>> <<< 451 Temporary local problem - please try later
>> <ma...@perkel.com>... Deferred: 451 Temporary local problem - please
>> try later

http://openrbl.org/client/#70.112.27.10

> ok - that's a different IP and that IP is blocked on my list and 4 other 
> lists. Based on your logs it doesn't look like it gives up after a 550 error. 
> I think you have a spam problem.

You also had a look WHY they were listed?

ASPEWS = crap, I don't even count that one. Wonder why they even still list ASPEWS at all
Spamhaus = ZEN = Dynamic space, correct.
SORBS = Dynamic space, correct
NJABL = Dynamic space, correct

I think it would be wise to check your OWN list and let us know why it 
ended up there, I didn't see any good reason yet in the information 
provided why YOU would list it. It's your list, you offered to let people 
test it so you tell us what's wrong please. And not say 'you have a spam 
problem'. Marc, YOU have a problem with this list. And I truly hope 
people will not start blocking mail with this, like someone else stated 
already.

OTOH, this is not really a topic for the spamassassin list, is it?

Bye,
Raymond.
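
Two points run through the replies above: a list that answers 127.0.0.2 for a listing but, as Marc found, returned temporary errors in some cases (the 451s in Shane's transcript), and Raymond's point that the other lists carrying this IP (ZEN, SORBS, NJABL) list it as dynamic space, not as a spam source. What follows is an added Python example, not code from the list, the wiki or anyone on the thread, of the lookup a receiving MTA or a SpamAssassin RBL rule performs and how a practitioner would keep those cases apart: a 127.0.0.x answer is a listing, NXDOMAIN is "not listed", SERVFAIL or a timeout is "unknown", and a listing code that only means "dynamic/policy space" is not on its own grounds for a 550. The resolver is pluggable so the block runs offline against a constructed answer table; `broken.dnsbl.example`, the fake answers, and the `smtp_policy` function are assumptions of this example, while the ZEN return codes are those in Spamhaus's published table and hostkarma's 127.0.0.2 is the answer shown in the transcript.

```python
import ipaddress
import socket
from typing import Callable, Dict, Optional, Tuple

# Outcomes of a single DNSBL lookup.
LISTED, NOT_LISTED, TEMPFAIL = "listed", "not-listed", "tempfail"

Resolver = Callable[[str], Optional[str]]


class TemporaryFailure(Exception):
    """SERVFAIL, timeout, or anything else that is neither an A record nor NXDOMAIN."""


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reversed-octet query name: 70.112.27.10 -> 10.27.112.70.<zone>. (IPv4 only here.)"""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone.strip(".") + "."


def socket_resolver(name: str) -> Optional[str]:
    """Live resolver: A record as a string, None on NXDOMAIN, TemporaryFailure otherwise."""
    not_found = {socket.EAI_NONAME, getattr(socket, "EAI_NODATA", socket.EAI_NONAME)}
    try:
        return socket.gethostbyname(name)
    except socket.gaierror as exc:
        if exc.errno in not_found:
            return None
        raise TemporaryFailure(f"{name}: {exc}") from exc  # EAI_AGAIN, EAI_FAIL, ...
    except OSError as exc:  # timeouts and socket errors
        raise TemporaryFailure(f"{name}: {exc}") from exc


def make_fake_resolver(table: Dict[str, str]) -> Resolver:
    """Offline resolver for tests: name -> '127.0.0.x', 'SERVFAIL', or absent (NXDOMAIN)."""
    def resolve(name: str) -> Optional[str]:
        answer = table.get(name)
        if answer == "SERVFAIL":
            raise TemporaryFailure(name)
        return answer
    return resolve


def check_dnsbl(ip: str, zone: str, resolver: Resolver) -> Tuple[str, Optional[str]]:
    """One lookup -> (outcome, return code). Only a 127.0.0.0/8 answer counts as a listing."""
    try:
        answer = resolver(dnsbl_query_name(ip, zone))
    except TemporaryFailure:
        return TEMPFAIL, None
    if answer is None:
        return NOT_LISTED, None
    if ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
        return LISTED, answer
    # A public address (typically a parked domain's web server) is not a DNSBL answer:
    # treat the zone as broken rather than as "everyone is listed".
    return TEMPFAIL, answer


def zone_is_sane(zone: str, resolver: Resolver) -> bool:
    """RFC 5782 self-test: 127.0.0.2 must be listed and 127.0.0.1 must not be."""
    return (check_dnsbl("127.0.0.2", zone, resolver)[0] == LISTED
            and check_dnsbl("127.0.0.1", zone, resolver)[0] == NOT_LISTED)


def smtp_policy(ip: str, zones: Dict[str, set], resolver: Resolver) -> Tuple[str, str]:
    """zones maps a DNSBL to the return codes that mean "known spam source".

    Any other 127.0.0.x code is treated as a policy/dynamic-space listing and does not
    reject on its own; a failed lookup is noted and the mail accepted (fail open).
    """
    reject_reasons, failed = [], []
    for zone, spam_codes in zones.items():
        outcome, code = check_dnsbl(ip, zone, resolver)
        if outcome == LISTED and code in spam_codes:
            reject_reasons.append(f"{zone} ({code})")
        elif outcome == TEMPFAIL:
            failed.append(zone)
    if reject_reasons:
        return "550", f"REJECTED - {ip} is blacklisted at " + ", ".join(reject_reasons)
    note = f" (lookup failed for {', '.join(failed)})" if failed else ""
    return "250", "accepted" + note


# zen.spamhaus.org codes per Spamhaus's published table: 127.0.0.2-3 SBL/CSS and
# 127.0.0.4-7 XBL are spam sources; 127.0.0.10-11 are PBL (dynamic/policy space).
# hostkarma's "blacklisted" answer is the 127.0.0.2 seen in the transcript.
ZONES = {
    "hostkarma.junkemailfilter.com": {"127.0.0.2"},
    "zen.spamhaus.org": {"127.0.0.2", "127.0.0.3", "127.0.0.4",
                         "127.0.0.5", "127.0.0.6", "127.0.0.7"},
    "broken.dnsbl.example": set(),  # assumed: a list whose nameserver is failing
}

# Constructed answers standing in for live DNS; "SERVFAIL" simulates the temp errors.
FAKE_DNS = make_fake_resolver({
    "10.27.112.70.hostkarma.junkemailfilter.com.": "127.0.0.2",
    "10.27.112.70.zen.spamhaus.org.": "127.0.0.11",
    "10.27.112.70.broken.dnsbl.example.": "SERVFAIL",
    "2.0.0.127.hostkarma.junkemailfilter.com.": "127.0.0.2",
    "20.113.0.203.zen.spamhaus.org.": "127.0.0.10",
})

if __name__ == "__main__":
    print(smtp_policy("70.112.27.10", ZONES, FAKE_DNS))  # 550: hostkarma answered 127.0.0.2
    print(smtp_policy("203.0.113.20", ZONES, FAKE_DNS))  # 250: PBL-only listing, no spam code
```

Deferring with a 451 on a failed lookup is the other common choice, but the transcript shows what that does when the list stays broken: the sender retries for hours and then bounces. Failing open with a log line, or letting the list only contribute to a SpamAssassin score rather than drive an SMTP-time reject, loses less legitimate mail while a list is still being tested. The `zone_is_sane` check is worth running at startup and on a timer: a DNSBL whose domain lapses and gets parked starts answering every query with the parking web server's address, which a check that merely tests whether `gethostbyname` succeeded would read as "everyone is listed".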

Re: My Newly Expanded DNS Blacklist - Who wants to try it?

Posted by Marc Perkel <ma...@perkel.com>.

Shane Williams wrote:
> On Sun, 17 Jun 2007, Marc Perkel wrote:
>
>> Daryl C. W. O'Shea wrote:
>>>  Shane Williams wrote:
>>> >  On Sat, 16 Jun 2007, Marc Perkel wrote:
>>> > >
>>> > >  Using my new ideas here's my raw blacklist file. It has about
>>> > >  80k IP addresses and is updated every 10 minutes.
>>> > >
>>> > >  http://iplist.junkemailfilter.com/black.txt
>>> > >
>>> > >  Here's instructions on how to use it with SpamAssassin and
>>> > >  Exim.
>>> > >
>>> > >  http://wiki.ctyme.com/index.php/Spam_DNS_Lists#Spam_Assassin_Examples
>>> > >
>>> > >  I'd like to get some feedback on how well it's working.
>>> >
>>> >  This filter blocked my last response to you, as I suspect it will
>>> >  for this one.  As such, I looked at your wiki to determine why I was
>>> >  listed, but couldn't find a clear reason.  The documentation says
>>> >  that only known spam sources are blocked, but if I had to guess, I'd
>>> >  say it's because I'm on a dynamic cable IP address (which I didn't
>>> >  see any text about when I looked on Friday).
>>> >
>>> >  Mind you, I've gotten used to the idea that places are going to
>>> >  block me because I'm on a Cablemodem, so that doesn't really bother
>>> >  me much. It's just that your documentation didn't mention this as a
>>> >  possible reason for listing, and gave me no real idea as to why I
>>> >  was listed.
>>>
>>>  You're relaying through an MSA (fiat.ischool.utexas.edu
>>>  [128.83.248.27]) that isn't on a cable connection, though, right?
>
> That's true when I send to an apache.org list, because at some point
> it blocked me.  By and large I send direct-to-MX from cable-modem,
> adding exceptions to my mailertable entry as necessary (Nor will yours
> when I reply to this, so we'll see what happens).
>
>>>  Blocking because someone uses a cable modem, but isn't delivering
>>>  direct-to-MX from that cable connection, is asinine.
>
> True, but I don't think that's what Marc is doing, since his server
> doesn't have a mailertable entry on my end.
>
>> I definitely want to figure out what the problem is. Any false 
>> positive isn't acceptable. However that IP isn't blocked. If you can 
>> post the error you got I'd like to see it.
>
> Here's the "failed for the last 4 hours" message...
>
>    ----- Transcript of session follows -----
> ... while talking to mx.junkemailfilter.com.:
> <<< 550-REJECTED - 70.112.27.10 is blacklisted at
> hostkarma.junkemailfilter.com
> <<< 550 (127.0.0.2); 70.112.27.10
> ... while talking to mx.junkemailfilter.net.:
> <<< 550-REJECTED - 70.112.27.10 is blacklisted at
> hostkarma.junkemailfilter.com
> <<< 550 (127.0.0.2); 70.112.27.10
> ... while talking to mx.junkemailfilter.org.:
> <<< 451 Temporary local problem - please try later
> ... while talking to dummy1.junkemailfilter.com.:
> <<< 451 Temporary local problem - please try later
> ... while talking to dummy2.junkemailfilter.com.:
> <<< 451 Temporary local problem - please try later
> ... while talking to dummy3.junkemailfilter.com.:
> <<< 451 Temporary local problem - please try later
> ... while talking to dummy4.junkemailfilter.com.:
> <<< 451 Temporary local problem - please try later
> <ma...@perkel.com>... Deferred: 451 Temporary local problem - please
> try later
>

ok - that's a different IP and that IP is blocked on my list and 4 other 
lists. Based on your logs it doesn't look like it gives up after a 550 
error. I think you have a spam problem.

Re: My Newly Expanded DNS Blacklist - Who wants to try it?

Posted by Shane Williams <sh...@shanew.net>.
On Sun, 17 Jun 2007, Marc Perkel wrote:

> Daryl C. W. O'Shea wrote:
>>  Shane Williams wrote:
>> >  On Sat, 16 Jun 2007, Marc Perkel wrote:
>> > 
>> > >  Using my new ideas here's my raw blacklist file. It has about 80k IP 
>> > >  addresses and is updated every 10 minutes.
>> > > 
>> > >  http://iplist.junkemailfilter.com/black.txt
>> > > 
>> > >  Here's instructions on how to use it with SpamAssassin and Exim.
>> > > 
>> > >  http://wiki.ctyme.com/index.php/Spam_DNS_Lists#Spam_Assassin_Examples
>> > > 
>> > >  I'd like to get some feedback on how well it's working.
>> > 
>> >  This filter blocked my last response to you, as I suspect it will
>> >  for this one.  As such, I looked at your wiki to determine why I was
>> >  listed, but couldn't find a clear reason.  The documentation says that
>> >  only known spam sources are blocked, but if I had to guess, I'd say
>> >  it's because I'm on a dynamic cable IP address (which I didn't see
>> >  any text about when I looked on Friday).
>> > 
>> >  Mind you, I've gotten used to the idea that places are going to block
>> >  me because I'm on a Cablemodem, so that doesn't really bother me much.
>> >  It's just that your documentation didn't mention this as a possible
>> >  reason for listing, and gave me no real idea as to why I was listed.
>>
>>  You're relaying through an MSA (fiat.ischool.utexas.edu [128.83.248.27])
>>  that isn't on a cable connection, though, right?

That's true when I send to an apache.org list, because at some point
it blocked me.  By and large I send direct-to-MX from cable-modem,
adding exceptions to my mailertable entry as necessary (Nor will yours
when I reply to this, so we'll see what happens).

>>  Blocking because someone uses a cable modem, but isn't delivering
>>  direct-to-MX from that cable connection, is asinine.

True, but I don't think that's what Marc is doing, since his server
doesn't have a mailertable entry on my end.

> I definitely want to figure out what the problem is. Any false positive isn't 
> acceptable. However that IP isn't blocked. If you can post the error you got 
> I'd like to see it.

Here's the "failed for the last 4 hours" message...

    ----- Transcript of session follows -----
... while talking to mx.junkemailfilter.com.:
<<< 550-REJECTED - 70.112.27.10 is blacklisted at
hostkarma.junkemailfilter.com
<<< 550 (127.0.0.2); 70.112.27.10
... while talking to mx.junkemailfilter.net.:
<<< 550-REJECTED - 70.112.27.10 is blacklisted at
hostkarma.junkemailfilter.com
<<< 550 (127.0.0.2); 70.112.27.10
... while talking to mx.junkemailfilter.org.:
<<< 451 Temporary local problem - please try later
... while talking to dummy1.junkemailfilter.com.:
<<< 451 Temporary local problem - please try later
... while talking to dummy2.junkemailfilter.com.:
<<< 451 Temporary local problem - please try later
... while talking to dummy3.junkemailfilter.com.:
<<< 451 Temporary local problem - please try later
... while talking to dummy4.junkemailfilter.com.:
<<< 451 Temporary local problem - please try later
<ma...@perkel.com>... Deferred: 451 Temporary local problem - please
try later


-- 
Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                |      System Admin - UT iSchool
=----------------------------------+-------------------------------
All syllogisms contain three lines |              shanew@shanew.net
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew

Re: My Newly Expanded DNS Blacklist - Who wants to try it?

Posted by Marc Perkel <ma...@perkel.com>.

Daryl C. W. O'Shea wrote:
> Shane Williams wrote:
>> On Sat, 16 Jun 2007, Marc Perkel wrote:
>>
>>> Using my new ideas here's my raw blacklist file. It has about 80k IP 
>>> addresses and is updated every 10 minutes.
>>>
>>> http://iplist.junkemailfilter.com/black.txt
>>>
>>> Here's instructions on how to use it with SpamAssassin and Exim.
>>>
>>> http://wiki.ctyme.com/index.php/Spam_DNS_Lists#Spam_Assassin_Examples
>>>
>>> I'd like to get some feedback on how well it's working.
>>
>> This filter blocked my last response to you, as I suspect it will
>> for this one.  As such, I looked at your wiki to determine why I was
>> listed, but couldn't find a clear reason.  The documentation says that
>> only known spam sources are blocked, but if I had to guess, I'd say
>> it's because I'm on a dynamic cable IP address (which I didn't see
>> any text about when I looked on Friday).
>>
>> Mind you, I've gotten used to the idea that places are going to block
>> me because I'm on a Cablemodem, so that doesn't really bother me much.
>> It's just that your documentation didn't mention this as a possible
>> reason for listing, and gave me no real idea as to why I was listed.
>
> You're relaying through an MSA (fiat.ischool.utexas.edu 
> [128.83.248.27]) that isn't on a cable connection, though, right?
>
> Blocking because someone uses a cable modem, but isn't delivering 
> direct-to-MX from that cable connection, is asinine.
>
>

I definitely want to figure out what the problem is. Any false positive 
isn't acceptable. However that IP isn't blocked. If you can post the 
error you got I'd like to see it.


Re: My Newly Expanded DNS Blacklist - Who wants to try it?

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Shane Williams wrote:
> On Sat, 16 Jun 2007, Marc Perkel wrote:
> 
>> Using my new ideas here's my raw blacklist file. It has about 80k IP 
>> addresses and is updated every 10 minutes.
>>
>> http://iplist.junkemailfilter.com/black.txt
>>
>> Here's instructions on how to use it with SpamAssassin and Exim.
>>
>> http://wiki.ctyme.com/index.php/Spam_DNS_Lists#Spam_Assassin_Examples
>>
>> I'd like to get some feedback on how well it's working.
> 
> This filter blocked my last response to you, as I suspect it will
> for this one.  As such, I looked at your wiki to determine why I was
> listed, but couldn't find a clear reason.  The documentation says that
> only known spam sources are blocked, but if I had to guess, I'd say
> it's because I'm on a dynamic cable IP address (which I didn't see
> any text about when I looked on Friday).
> 
> Mind you, I've gotten used to the idea that places are going to block
> me because I'm on a Cablemodem, so that doesn't really bother me much.
> It's just that your documentation didn't mention this as a possible
> reason for listing, and gave me no real idea as to why I was listed.

You're relaying through an MSA (fiat.ischool.utexas.edu [128.83.248.27]) 
that isn't on a cable connection, though, right?

Blocking because someone uses a cable modem, but isn't delivering 
direct-to-MX from that cable connection, is asinine.


Daryl

Re: My Newly Expanded DNS Blacklist - Who wants to try it?

Posted by Shane Williams <sh...@shanew.net>.
On Sat, 16 Jun 2007, Marc Perkel wrote:

> Using my new ideas here's my raw blacklist file. It has about 80k IP 
> addresses and is updated every 10 minutes.
>
> http://iplist.junkemailfilter.com/black.txt
>
> Here's instructions on how to use it with SpamAssassin and Exim.
>
> http://wiki.ctyme.com/index.php/Spam_DNS_Lists#Spam_Assassin_Examples
>
> I'd like to get some feedback on how well it's working.

This filter blocked my last response to you, as I suspect it will
for this one.  As such, I looked at your wiki to determine why I was
listed, but couldn't find a clear reason.  The documentation says that
only known spam sources are blocked, but if I had to guess, I'd say
it's because I'm on a dynamic cable IP address (which I didn't see
any text about when I looked on Friday).

Mind you, I've gotten used to the idea that places are going to block
me because I'm on a Cablemodem, so that doesn't really bother me much.
It's just that your documentation didn't mention this as a possible
reason for listing, and gave me no real idea as to why I was listed.

I would suggest that if you really want to know how well it's working
you should, for some time, accept mail that it would drop, filter it
to a special place, and then visually inspect for ham/spam ratio.  I
don't see any better method for gathering hard data on its success
rate.

-- 
Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                |      System Admin - UT iSchool
=----------------------------------+-------------------------------
All syllogisms contain three lines |              shanew@shanew.net
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew
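
Shane's suggestion to run the list in shadow mode for a while and then sort the mail it would have dropped by hand is the way to get a false-positive number you can trust. The following is an added Python example, not from the thread, the list or its wiki, of the bookkeeping that turns the sorted mail into numbers. It assumes the receiving MTA adds a hypothetical `X-Shadow-DNSBL` header recording the client IP and what the list answered (or `none`), delivers the message anyway, and that a human later files it into a ham or spam folder. The mailbox below is constructed: 70.112.27.10 is the address from the thread, the rest are documentation ranges, and the second 70.112.27.x entry is invented to show how clustered false positives look.

```python
import email
import ipaddress
import math
from collections import Counter
from typing import Dict, List, Tuple

# Hypothetical header: in shadow mode the MTA records what the list *would* have done
# ("<client-ip> <zone> <return-code>" or "<client-ip> none") and delivers the mail anyway.
SHADOW_HEADER = "X-Shadow-DNSBL"

# Constructed sample mailbox: (folder a human sorted the message into, raw message).
SAMPLE_MAILBOX: List[Tuple[str, str]] = [
    ("spam", "X-Shadow-DNSBL: 192.0.2.10 hostkarma.junkemailfilter.com 127.0.0.2\nSubject: cheap meds\n\n...\n"),
    ("spam", "X-Shadow-DNSBL: 192.0.2.11 hostkarma.junkemailfilter.com 127.0.0.2\nSubject: cheap meds\n\n...\n"),
    ("spam", "X-Shadow-DNSBL: 198.51.100.5 hostkarma.junkemailfilter.com 127.0.0.2\nSubject: stock tip\n\n...\n"),
    ("spam", "X-Shadow-DNSBL: 198.51.100.6 hostkarma.junkemailfilter.com 127.0.0.2\nSubject: stock tip\n\n...\n"),
    ("spam", "X-Shadow-DNSBL: 203.0.113.9 none\nSubject: stock tip\n\n...\n"),
    ("ham", "X-Shadow-DNSBL: 70.112.27.10 hostkarma.junkemailfilter.com 127.0.0.2\nSubject: Re: blacklist\n\n...\n"),
    ("ham", "X-Shadow-DNSBL: 70.112.27.44 hostkarma.junkemailfilter.com 127.0.0.2\nSubject: photos\n\n...\n"),
    ("ham", "X-Shadow-DNSBL: 192.0.2.200 none\nSubject: invoice\n\n...\n"),
    ("ham", "X-Shadow-DNSBL: 203.0.113.20 none\nSubject: lunch?\n\n...\n"),
    ("ham", "X-Shadow-DNSBL: 203.0.113.21 none\nSubject: minutes\n\n...\n"),
]


def parse_shadow_header(raw: str) -> Tuple[str, bool]:
    """Return (client IP, would-have-been-rejected) from the shadow header."""
    parts = email.message_from_string(raw).get(SHADOW_HEADER, "").split()
    if not parts:
        raise ValueError("message did not pass through shadow mode")
    return parts[0], len(parts) >= 3


def wilson_interval(k: int, n: int, z: float = 1.96) -> Tuple[float, float]:
    """95% Wilson score interval for a proportion k/n; stays honest for small n."""
    if n == 0:
        return 0.0, 1.0
    p = k / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)


def evaluate(mailbox: List[Tuple[str, str]]) -> Dict[str, object]:
    """Confusion matrix plus the figures that matter for a list used to reject at SMTP time."""
    c: Counter = Counter()
    for folder, raw in mailbox:
        _, hit = parse_shadow_header(raw)
        c[{("spam", True): "tp", ("spam", False): "fn",
           ("ham", True): "fp", ("ham", False): "tn"}[(folder, hit)]] += 1
    ham, spam, flagged = c["fp"] + c["tn"], c["tp"] + c["fn"], c["tp"] + c["fp"]
    return {
        "tp": c["tp"], "fp": c["fp"], "fn": c["fn"], "tn": c["tn"],
        "fp_rate": c["fp"] / ham if ham else 0.0,  # share of ham that would have been lost
        "fp_rate_ci95": wilson_interval(c["fp"], ham),
        "precision": c["tp"] / flagged if flagged else 0.0,
        "recall": c["tp"] / spam if spam else 0.0,
    }


def false_positive_blocks(mailbox: List[Tuple[str, str]], prefix: int = 24) -> Counter:
    """Group false positives by network so that dynamic-range listings stand out."""
    blocks: Counter = Counter()
    for folder, raw in mailbox:
        ip, hit = parse_shadow_header(raw)
        if folder == "ham" and hit:
            blocks[str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))] += 1
    return blocks


if __name__ == "__main__":
    result = evaluate(SAMPLE_MAILBOX)
    lo, hi = result["fp_rate_ci95"]
    print(f"fp_rate={result['fp_rate']:.2f} (95% CI {lo:.2f}-{hi:.2f}) "
          f"precision={result['precision']:.2f} recall={result['recall']:.2f}")
    print(false_positive_blocks(SAMPLE_MAILBOX).most_common())
```

The number to watch for a list that rejects at SMTP time is the false-positive rate over ham, not the catch rate, and the interval is the honest part of the report: with five ham messages two false positives give a 95% interval of roughly 12% to 77%, which says nothing yet. The `/24` grouping is the quick check Raymond is asking for: if the ham that would have been rejected sits in one or two residential blocks, the list is matching dynamic space rather than spam sources.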