Posted to users@spamassassin.apache.org by Screaming Eagle <te...@gmail.com> on 2006/06/07 18:43:00 UTC
is there a way to block email coming from
country, other than USA? How would you look up the network block on country
such as Romania, China, Taiwan, Thailand, Korea, and so on...
Thanks.
Re: is there a way to block email coming from
Posted by Steve Thomas <li...@sthomas.net>.
> country, other than USA? How would you look up the network block on
> country
> such as Romania, China, Taiwan,Thailand, Korea, and so on...
>
> Thanks.
Check out http://countries.nerd.dk/ and http://www.blackholes.us/
Re: is there a way to block email coming from
Posted by "John D. Hardin" <jh...@impsec.org>.
You can also block specific ISPs, with varying degrees of reliability.
For example:
describe BL_COUNTRY_FR_2 Mail client in France
header BL_COUNTRY_FR_2 eval:check_rbl('wanadoo-fr', 'wanadoo-fr.blackholes.us')
score BL_COUNTRY_FR_2 0.5
tflags BL_COUNTRY_FR_2 net
Wanadoo is a French ISP that has a lot of dynamic-IP spammers.
--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Look at the people at the top of both efforts. Linus Torvalds is a
university graduate with a CS degree. Bill Gates is a university
dropout who bragged about dumpster-diving and using other peoples'
garbage code as the basis for his code. Maybe that has something to
do with the difference in quality/security between Linux and
Windows. -- anytwofiveelevenis on Y! SCOX
----------------------------------------------------------------------
11 days until SWMBO's Birthday
Re: is there a way to block email coming from
Posted by "John D. Hardin" <jh...@impsec.org>.
On Wed, 7 Jun 2006, Screaming Eagle wrote:
> Is BL_COUNTRY_TW_1 for all countries? "Mail client in Taiwan" is an arg value?
> If so, then this syntax would be o.k:
> describe BL_COUNTRY_TW_1 Mail client in Korea?
Sorry, I assumed you were familiar with the syntax of rules in SA.
> On 6/7/06, John D. Hardin <jh...@impsec.org> wrote:
> >
> > On Wed, 7 Jun 2006, Screaming Eagle wrote:
> >
> > > country, other than USA? How would you look up the network block
> > > on country such as Romania, China, Taiwan,Thailand, Korea, and so
> > > on...
> >
> > describe BL_COUNTRY_TW_1 Mail client in Taiwan
BL_COUNTRY_TW_1 is a unique label for this rule. For other country
rules, you'd change the "TW" part as appropriate. I recommend sticking
to the ISO two-letter country codes. If you had more than one rule for
a country you'd increment the "1" as appropriate. For example:
describe BL_COUNTRY_KR_1 Mail client in Korea
> > header BL_COUNTRY_TW_1 eval:check_rbl('taiwan', 'tw.countries.nerd.dk')
This says the check is a RBL test. You need to alter the label and
substitute arguments as appropriate. The appropriate substitutions
should be fairly obvious:
header BL_COUNTRY_KR_1 eval:check_rbl('korea', 'kr.countries.nerd.dk')
> > score BL_COUNTRY_TW_1 0.5
> > tflags BL_COUNTRY_TW_1 net
These set the score for a match (higher is more spammy) and flags the
test as a network test. If you really wanted to punish someone in
Korea contacting your mail server, you would set a high score:
score BL_COUNTRY_KR_1 5.0
tflags BL_COUNTRY_KR_1 net
You would end up with a block of rules that might look something like
this:
describe BL_COUNTRY_TH_1 Mail client in Thailand
header BL_COUNTRY_TH_1 eval:check_rbl('thailand', 'th.countries.nerd.dk')
score BL_COUNTRY_TH_1 0.5
tflags BL_COUNTRY_TH_1 net
describe BL_COUNTRY_JP_1 Mail client in Japan
header BL_COUNTRY_JP_1 eval:check_rbl('japan', 'jp.countries.nerd.dk')
score BL_COUNTRY_JP_1 0.5
tflags BL_COUNTRY_JP_1 net
describe BL_COUNTRY_CN_1 Mail client in China
header BL_COUNTRY_CN_1 eval:check_rbl('china', 'cn.countries.nerd.dk')
score BL_COUNTRY_CN_1 0.5
tflags BL_COUNTRY_CN_1 net
describe BL_COUNTRY_TW_1 Mail client in Taiwan
header BL_COUNTRY_TW_1 eval:check_rbl('taiwan', 'tw.countries.nerd.dk')
score BL_COUNTRY_TW_1 0.5
tflags BL_COUNTRY_TW_1 net
describe BL_COUNTRY_KR_1 Mail client in Korea
header BL_COUNTRY_KR_1 eval:check_rbl('korea', 'kr.countries.nerd.dk')
score BL_COUNTRY_KR_1 0.5
tflags BL_COUNTRY_KR_1 net
describe BL_COUNTRY_MX_1 Mail client in Mexico
header BL_COUNTRY_MX_1 eval:check_rbl('mexico', 'mexico.blackholes.us')
score BL_COUNTRY_MX_1 0.5
tflags BL_COUNTRY_MX_1 net
describe BL_COUNTRY_MX_2 Mail client in Mexico
header BL_COUNTRY_MX_2 eval:check_rbl('mexico', 'mx.countries.nerd.dk')
score BL_COUNTRY_MX_2 0.5
tflags BL_COUNTRY_MX_2 net
Note the two Mexico rules. It is possible for nerd.dk and
blackholes.us to list different netblocks due to the way they obtain
the IP -> Country mappings. One or the other may be "more fresh".
Hope this helps!
Re: is there a way to block email coming from
Posted by Screaming Eagle <te...@gmail.com>.
Is BL_COUNTRY_TW_1 for all countries? "Mail client in Taiwan" is an arg value?
If so, then this syntax would be o.k:
describe BL_COUNTRY_TW_1 Mail client in Korea?
Thanks.
On 6/7/06, John D. Hardin <jh...@impsec.org> wrote:
>
> On Wed, 7 Jun 2006, Screaming Eagle wrote:
>
> > country, other than USA? How would you look up the network block
> > on country such as Romania, China, Taiwan,Thailand, Korea, and so
> > on...
>
> describe BL_COUNTRY_TW_1 Mail client in Taiwan
> header BL_COUNTRY_TW_1 eval:check_rbl('taiwan', 'tw.countries.nerd.dk')
> score BL_COUNTRY_TW_1 0.5
> tflags BL_COUNTRY_TW_1 net
Re: is there a way to block email coming from
Posted by Robert Nicholson <ro...@elastica.com>.
In my case the rule is designed to catch UK recruiters who are always
contacting me.
This isn't the only way I trap spam obviously.
Another thing I just realized is that this only looks for URIs in
the email itself in order to determine if they reside in the UK.
Something different from RBL type solutions.
On Nov 10, 2006, at 8:54 PM, Benny Pedersen wrote:
>
> On Sat, November 11, 2006 02:31, Robert Nicholson wrote:
>
>> header URICOUNTRY_GB eval:check_uricountry('URICOUNTRY_GB')
>
> what if a spammer sends mails from another ip outside GB ?
>
> imho such rules only changes the problem, not solving it :(
>
> --
> "This message was sent using 100% recycled spam mails."
>
Re: is there a way to block email coming from
Posted by Derek Harding <de...@innovyx.com>.
Benny Pedersen wrote:
>> header URICOUNTRY_GB eval:check_uricountry('URICOUNTRY_GB')
>>
>
> what if a spammer sends mails from another ip outside GB ?
>
> imho such rules only changes the problem, not solving it :(
>
>
URICOUNTRY scores on spam that has URIs hosted in a given country rather
than spam that came from that country. Obviously this isn't suitable for
large installations but can be very useful for individuals or small
organizations that know they don't have any contact with (for example)
China, Korea, India, Russia and so don't expect to receive email
referencing websites in those countries.
You're right however that it only changes the problem. Many spammers
moved their websites offshore to spam-friendly countries because they
were harder to track down and prosecute. Encouraging them to bring the
servers back home helps bring them back into local jurisdiction and
hopefully increases accountability. Is this flawed logic? Maybe. However
uricountry has certainly caught a lot of spam at my site with pretty
much no false positives. Obviously YMMV.
Derek
Re: is there a way to block email coming from
Posted by Benny Pedersen <me...@junc.org>.
On Sat, November 11, 2006 02:31, Robert Nicholson wrote:
> header URICOUNTRY_GB eval:check_uricountry('URICOUNTRY_GB')
what if a spammer sends mails from another ip outside GB ?
imho such rules only changes the problem, not solving it :(
--
"This message was sent using 100% recycled spam mails."
Re: is there a way to block email coming from
Posted by Robert Nicholson <ro...@elastica.com>.
Here's the solution I use
loadplugin Mail::SpamAssassin::Plugin::URICountry
uricountry URICOUNTRY_GB GB
header URICOUNTRY_GB eval:check_uricountry('URICOUNTRY_GB')
describe URICOUNTRY_GB Contains a URI hosted in GB
tflags URICOUNTRY_GB net
score URICOUNTRY_GB 2.0
On Jun 7, 2006, at 11:53 AM, John D. Hardin wrote:
> On Wed, 7 Jun 2006, Screaming Eagle wrote:
>
>> country, other than USA? How would you look up the network block
>> on country such as Romania, China, Taiwan,Thailand, Korea, and so
>> on...
>
> describe BL_COUNTRY_TW_1 Mail client in Taiwan
> header BL_COUNTRY_TW_1 eval:check_rbl('taiwan',
> 'tw.countries.nerd.dk')
> score BL_COUNTRY_TW_1 0.5
> tflags BL_COUNTRY_TW_1 net
Re: is there a way to block email coming from
Posted by Kai Schaetzl <ma...@conactive.com>.
John D. Hardin wrote on Wed, 7 Jun 2006 20:41:38 -0700 (PDT):
> The greatest drawback is that using the RBL within sendmail is an
> all-or-nothing proposition. What if you *do* have legitimate
> correspondents in those countries?
You can still whitelist these in access.db.
Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
Re: is there a way to block email coming from
Posted by Kai Schaetzl <ma...@conactive.com>.
Daryl C. W. O'Shea wrote on Thu, 08 Jun 2006 17:50:33 -0400:
> I agree that outright blocking based on dynamic IP range lists often
> doesn't suit a particular organization's needs. I was just pointing out
> that some people do rely on these lists, often blindly, and that anyone
> who is aware that they are on such a list and does nothing to avoid the
> problems that it causes is also foolish.
All of that agreed :-)
Kai
Re: is there a way to block email coming from
Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Kai Schaetzl wrote:
> Daryl C. W. O'Shea wrote on Thu, 08 Jun 2006 11:46:48 -0400:
>
>> Still, when your ISP isn't responsive
>
> As Chris says you better move away from them then if you can. If you can't
> I'd really bother them day and night since I don't get what I paid for. My
Over the years, for one company alone, I've spent well over a week on
hold with Bell attempting to get it resolved. They suck. It came to
the point where it really wasn't worth any more of my time trying to get
them to do anything and was just easier and more cost effective to just
relay their few thousand messages a day through my own systems. If
there was another provider able to provide service they'd move in a second.
> IP range was once listed at SORBS as well, three years ago or so. When I
> contacted my upstream ISP they were already in contact with SORBS and it
> all got sorted out within 48 hours. Mistakes can happen and I understand
> that they cannot simply put addresses on the list that are *confirmed* to
> be dynamic. If they don't know if something is dynamic or not, it's better
> to get it listed once and remove it per request. That usually removes it
> forever and broadens the covered range of addresses.
Don't get me wrong, I have no problem with SORBS, even their DUHL list.
Matt and his crew do a great job. I've never had a problem having IP
ranges that meet their criteria removed and have never had a problem
with getting any ISP (except for Bell) to conform to their criteria for
static IP ranges.
>> and it's the single option for
>> connectivity, it's your own fault too if you don't at least try to avoid
>> the problem by relaying your mail through a "cleaner" relay.
>
> yes, of course. I was merely addressing the "you cannot rely on DUL lists"
> theme.
I agree that outright blocking based on dynamic IP range lists often
doesn't suit a particular organization's needs. I was just pointing out
that some people do rely on these lists, often blindly, and that anyone
who is aware that they are on such a list and does nothing to avoid the
problems that it causes is also foolish.
Daryl
Re: is there a way to block email coming from
Posted by Kai Schaetzl <ma...@conactive.com>.
Daryl C. W. O'Shea wrote on Thu, 08 Jun 2006 11:46:48 -0400:
> Still, when your ISP isn't responsive
As Chris says you better move away from them then if you can. If you can't
I'd really bother them day and night since I don't get what I paid for. My
IP range was once listed at SORBS as well, three years ago or so. When I
contacted my upstream ISP they were already in contact with SORBS and it
all got sorted out within 48 hours. Mistakes can happen and I understand
that they cannot simply put addresses on the list that are *confirmed* to
be dynamic. If they don't know if something is dynamic or not, it's better
to get it listed once and remove it per request. That usually removes it
forever and broadens the covered range of addresses.
> and it's the single option for
> connectivity, it's your own fault too if you don't at least try to avoid
> the problem by relaying your mail through a "cleaner" relay.
yes, of course. I was merely addressing the "you cannot rely on DUL lists"
theme.
Kai
Re: is there a way to block email coming from
Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Kai Schaetzl wrote:
> Daryl C. W. O'Shea wrote on Thu, 08 Jun 2006 01:18:11 -0400:
>
>> Some even with T1s (probably quietly provisioned over
>> DSL) that have IPs smack in the middle of static business DSL ranges
>> that are listed in SORBS' dynamic list.
>
> Nevertheless, it's their ISP's fault and if they remain on the list for
> longer than a week they obviously want to. "static business DSL" is not a
> criterion for listing in SORBS at all, it's an anti-criterion. I have
> "static business DSL" with a /28 myself.
Still, when your ISP isn't responsive and it's the single option for
connectivity, it's your own fault too if you don't at least try to avoid
the problem by relaying your mail through a "cleaner" relay.
Does it suck that a major telecom company is your only choice and they
can screw you around all they want? Uh, yeah, but hey, what else are
you going to do?
Daryl
Re: is there a way to block email coming from
Posted by Kai Schaetzl <ma...@conactive.com>.
Daryl C. W. O'Shea wrote on Thu, 08 Jun 2006 01:18:11 -0400:
> Some even with T1s (probably quietly provisioned over
> DSL) that have IPs smack in the middle of static business DSL ranges
> that are listed in SORBS' dynamic list.
Nevertheless, it's their ISP's fault and if they remain on the list for
longer than a week they obviously want to. "static business DSL" is not a
criterion for listing in SORBS at all, it's an anti-criterion. I have
"static business DSL" with a /28 myself.
Kai
Re: is there a way to block email coming from
Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
On 6/8/2006 12:05 AM, Greg Allen wrote:
>>However, the ISP dynamic address tests *do* belong in the MTA RBL
>>checks. The fraction of legitimate emails received from dynamic-IP
>>hosts is vanishingly small compared to the tens or hundreds of
>>thousands of compromised Windows boxen spewing spam and viruses...
>>
>
>
> Sorry to poke in on the thread, but I disagree.
>
> Most small start-up businesses buy business class DSL these days with 1-5
> fixed IP addresses. They often have small firewalls, anti-virus, most
> everything they should have. They probably don't have a full time IT staff.
>
> There are a lot of small businesses on these legitimate business class DSL
> lines with fixed IP addresses (which they pay extra for) who are very
> frequently incorrectly listed as "dynamic" IP addresses. The vast majority
> of these small companies are NOT spammers.
Some of those small businesses aren't really all that small either.
There are a number of ~500 employee companies around here that have the
same problem. Some even with T1s (probably quietly provisioned over
DSL) that have IPs smack in the middle of static business DSL ranges
that are listed in SORBS' dynamic list.
> If you are a system admin and you flat-out reject email that shows on
> various error ridden "dial-up" lists as "dynamic" IP address for a company,
> other than your own, you should be fired IMO.
Likewise, if you're a system admin that is aware that they are in such
dynamic lists and can't get out of them, you're asking for trouble not
smart hosting your mail through a (RBL list-wise) cleaner relay.
I know that in the automotive industry there are a lot of tier 1
suppliers and a number of MXes at a couple auto manufacturers that
reject on SORBS dynamic listings (of truly static space). Having mail
blocked, or worse silently discarded or unread, could easily cost you a
LOT of revenue. Having this happen when it's avoidable on your own part
is inexcusable, no matter how annoying it is that you can't send mail
directly from IP space that you are paying to do so with.
Daryl
Re: is there a way to block email coming from
Posted by Kai Schaetzl <ma...@conactive.com>.
Greg Allen wrote on Thu, 8 Jun 2006 00:05:12 -0400:
> They probably don't have a full time IT staff.
They don't need one for getting unlisted.
> There are a lot of small businesses on these legitimate business class DSL
> lines with fixed IP addresses (which they pay extra for) who are very
> frequently incorrectly listed as "dynamic" IP addresses.
In that case they should ask their ISP to get these ranges unlisted, it doesn't
cost him anything other than issuing a support request. It's actually that ISP
that isn't doing what they get paid for.
> To expect every small start-up to be on a major Internet carrier with a T1
> is simply not reality these days.
Greg, no dynamic list expects this.
Kai
RE: is there a way to block email coming from
Posted by Greg Allen <sa...@floridacpu.com>.
> -----Original Message-----
> From: John D. Hardin [mailto:jhardin@impsec.org]
> Sent: Thursday, June 08, 2006 12:33 PM
> To: Greg Allen
> Cc: Users@Spamassassin. Apache. Org
> Subject: RE: is there a way to block email coming from
>
>
> On Thu, 8 Jun 2006, Greg Allen wrote:
>
> > There are a lot of small businesses on these legitimate business
> > class DSL lines with fixed IP addresses (which they pay extra for)
> > who are very frequently incorrectly listed as "dynamic" IP
> > addresses. The vast majority of these small companies are NOT
> > spammers.
>
> Amusingly enough, I am dealing with that exact situation right now.
> GoDaddy has my hosting provider's netblock listed as dynamic space.
Ironic huh...
;-)
RE: is there a way to block email coming from
Posted by "John D. Hardin" <jh...@impsec.org>.
On Thu, 8 Jun 2006, Greg Allen wrote:
> There are a lot of small businesses on these legitimate business
> class DSL lines with fixed IP addresses (which they pay extra for)
> who are very frequently incorrectly listed as "dynamic" IP
> addresses. The vast majority of these small companies are NOT
> spammers.
Amusingly enough, I am dealing with that exact situation right now.
GoDaddy has my hosting provider's netblock listed as dynamic space.
> To expect every small start-up to be on a major Internet carrier
> with a T1 is simply not reality these days. To block on dynamic is
> asking for a lot of trouble. It also is a pay-to-play mentality.
> If a start-up business can't afford a T1 then they can't send
> email?
I never said that or meant to imply that. Perhaps I was placing too
much trust in the accuracy of the public DULs.
RE: is there a way to block email coming from
Posted by Greg Allen <sa...@floridacpu.com>.
>
> However, the ISP dynamic address tests *do* belong in the MTA RBL
> checks. The fraction of legitimate emails received from dynamic-IP
> hosts is vanishingly small compared to the tens or hundreds of
> thousands of compromised Windows boxen spewing spam and viruses...
>
Sorry to poke in on the thread, but I disagree.
Most small start-up businesses buy business class DSL these days with 1-5
fixed IP addresses. They often have small firewalls, anti-virus, most
everything they should have. They probably don't have a full time IT staff.
There are a lot of small businesses on these legitimate business class DSL
lines with fixed IP addresses (which they pay extra for) who are very
frequently incorrectly listed as "dynamic" IP addresses. The vast majority
of these small companies are NOT spammers.
To expect every small start-up to be on a major Internet carrier with a T1
is simply not reality these days. To block on dynamic is asking for a lot of
trouble. It also is a pay-to-play mentality. If a start-up business can't
afford a T1 then they can't send email?
If you are a system admin and you flat-out reject email that shows on
various error ridden "dial-up" lists as "dynamic" IP address for a company,
other than your own, you should be fired IMO.
Re: is there a way to block email coming from
Posted by "John D. Hardin" <jh...@impsec.org>.
On Wed, 7 Jun 2006, Steven W. Orr wrote:
> On Wednesday, Jun 7th 2006 at 09:53 -0700, quoth John D. Hardin:
>
> =>On Wed, 7 Jun 2006, Screaming Eagle wrote:
> =>
> =>> country, other than USA? How would you look up the network block
> =>> on country such as Romania, China, Taiwan,Thailand, Korea, and so
> =>> on...
> =>
> =>describe BL_COUNTRY_TW_1 Mail client in Taiwan
> =>header BL_COUNTRY_TW_1 eval:check_rbl('taiwan', 'tw.countries.nerd.dk')
> =>score BL_COUNTRY_TW_1 0.5
> =>tflags BL_COUNTRY_TW_1 net
>
> I'm running a sendmail server and I already block a few countries
> in my mc file. e.g.,
>
> FEATURE(enhdnsbl,`kr.countries.nerd.dk', `SPAM from Korea:$&{client_addr} rejected',`t')dnl
> FEATURE(enhdnsbl,`cn.countries.nerd.dk', `SPAM from China:$&{client_addr} rejected',`t')dnl
>
> Are there any pros or cons to doing the checks in the mc file vs
> sa config? In the case of sa I am using spamass-milter so the
> message will be rejected either way.
>
> TIA
The greatest drawback is that using the RBL within sendmail is an
all-or-nothing proposition. What if you *do* have legitimate
correspondents in those countries?
When I was doing that as postmaster for my company, it was only
because we did not do business in those countries at all, and I was
finding myself poking holes through for things like: one of our major
programming tool suppliers has their home office in Europe; I would
ask questions on Usenet or other online sites and get relevant replies
from other countries; some of our employees corresponded with
relatives in other countries.
It's more reasonable to do the country tests in SA, where they can
contribute to the score rather than being a pass-fail test.
However, the ISP dynamic address tests *do* belong in the MTA RBL
checks. The fraction of legitimate emails received from dynamic-IP
hosts is vanishingly small compared to the tens or hundreds of
thousands of compromised Windows boxen spewing spam and viruses...
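Added example (not from any poster in this thread, and not SpamAssassin or sendmail code): a small Python model of the country check_rbl rules shown in the thread and of the trade-off described just above, where the same DNSBL listing adds 0.5 to a SpamAssassin score but is a flat reject at the MTA. The function names, the stub resolver, the RFC 5737 documentation addresses and the other_score value (standing in for the rest of the ruleset) are assumptions made for this illustration.

```python
import ipaddress
import re

# Rule lines as posted in the thread (Korea and the nerd.dk Mexico rule).
RULES_TEXT = """\
describe BL_COUNTRY_KR_1 Mail client in Korea
header BL_COUNTRY_KR_1 eval:check_rbl('korea', 'kr.countries.nerd.dk')
score BL_COUNTRY_KR_1 0.5
tflags BL_COUNTRY_KR_1 net
describe BL_COUNTRY_MX_2 Mail client in Mexico
header BL_COUNTRY_MX_2 eval:check_rbl('mexico', 'mx.countries.nerd.dk')
score BL_COUNTRY_MX_2 0.5
tflags BL_COUNTRY_MX_2 net
"""

HEADER_RE = re.compile(
    r"^header\s+(\S+)\s+eval:check_rbl\('([^']+)',\s*'([^']+)'\)$")
SCORE_RE = re.compile(r"^score\s+(\S+)\s+(-?\d+(?:\.\d+)?)$")
REQUIRED_SCORE = 5.0  # SpamAssassin's default required_score


def parse_rules(text):
    """Return {rule_name: {"zone": str, "score": float}} for check_rbl rules."""
    zones, scores = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            zones[m.group(1)] = m.group(3).rstrip(".")
            continue
        m = SCORE_RE.match(line)
        if m:
            scores[m.group(1)] = float(m.group(2))
    # A rule with no score line gets SpamAssassin's default of 1.0.
    return {n: {"zone": z, "score": scores.get(n, 1.0)} for n, z in zones.items()}


def dnsbl_query_name(client_ip, zone):
    """DNSBL lookups reverse the IPv4 octets and append the list's zone."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version != 4:
        raise ValueError("this example handles IPv4 relays only")
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def make_stub_resolver(zone_networks):
    """Offline stand-in for DNS: resolver(qname) -> True if 'listed'.
    Assumed here: any A-record answer counts as a listing."""
    table = {z: [ipaddress.ip_network(n) for n in nets]
             for z, nets in zone_networks.items()}

    def resolve(qname):
        for zone, nets in table.items():
            suffix = "." + zone
            if qname.endswith(suffix):
                octets = qname[:-len(suffix)].split(".")
                ip = ipaddress.ip_address(".".join(reversed(octets)))
                return any(ip in net for net in nets)
        return False
    return resolve


def sa_verdict(client_ip, other_score, rules, resolve):
    """Scoring model: each listing adds its rule's score to the total."""
    hits = [n for n, r in rules.items()
            if resolve(dnsbl_query_name(client_ip, r["zone"]))]
    total = other_score + sum(rules[n]["score"] for n in hits)
    return {"hits": hits, "score": total, "spam": total >= REQUIRED_SCORE}


def mta_rejects(client_ip, zones, resolve):
    """enhdnsbl-style model: a listing in any configured zone rejects."""
    return any(resolve(dnsbl_query_name(client_ip, z)) for z in zones)


RULES = parse_rules(RULES_TEXT)
ZONES = sorted({r["zone"] for r in RULES.values()})
# Constructed zone contents using documentation networks, not real list data.
RESOLVE = make_stub_resolver({
    "kr.countries.nerd.dk": ["192.0.2.0/24"],
    "mx.countries.nerd.dk": ["203.0.113.0/24"],
})

if __name__ == "__main__":
    print(dnsbl_query_name("192.0.2.25", "kr.countries.nerd.dk"))
    print("SA, ordinary mail :", sa_verdict("192.0.2.25", 1.2, RULES, RESOLVE))
    print("SA, spammy mail   :", sa_verdict("192.0.2.25", 4.8, RULES, RESOLVE))
    print("MTA rejects       :", mta_rejects("192.0.2.25", ZONES, RESOLVE))
```

With the constructed data, the same listed relay is rejected outright by the MTA-style check, while under scoring it is only tagged as spam when the rest of the message already scores close to the threshold.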
Re: is there a way to block email coming from
Posted by "Steven W. Orr" <st...@syslang.net>.
On Wednesday, Jun 7th 2006 at 09:53 -0700, quoth John D. Hardin:
=>On Wed, 7 Jun 2006, Screaming Eagle wrote:
=>
=>> country, other than USA? How would you look up the network block
=>> on country such as Romania, China, Taiwan,Thailand, Korea, and so
=>> on...
=>
=>describe BL_COUNTRY_TW_1 Mail client in Taiwan
=>header BL_COUNTRY_TW_1 eval:check_rbl('taiwan', 'tw.countries.nerd.dk')
=>score BL_COUNTRY_TW_1 0.5
=>tflags BL_COUNTRY_TW_1 net
I'm running a sendmail server and I already block a few countries in my mc
file. e.g.,
FEATURE(enhdnsbl,`kr.countries.nerd.dk', `SPAM from Korea:$&{client_addr} rejected',`t')dnl
FEATURE(enhdnsbl,`cn.countries.nerd.dk', `SPAM from China:$&{client_addr} rejected',`t')dnl
Are there any pros or cons to doing the checks in the mc file vs sa
config? In the case of sa I am using spamass-milter so the message will be
rejected either way.
TIA
--
Time flies like the wind. Fruit flies like a banana. Stranger things have .0.
happened but none stranger than this. Does your driver's license say Organ ..0
Donor?Black holes are where God divided by zero. Listen to me! We are all- 000
individuals! What if this weren't a hypothetical question?
steveo at syslang.net
Re: is there a way to block email coming from
Posted by "John D. Hardin" <jh...@impsec.org>.
On Wed, 7 Jun 2006, Screaming Eagle wrote:
> country, other than USA? How would you look up the network block
> on country such as Romania, China, Taiwan,Thailand, Korea, and so
> on...
describe BL_COUNTRY_TW_1 Mail client in Taiwan
header BL_COUNTRY_TW_1 eval:check_rbl('taiwan', 'tw.countries.nerd.dk')
score BL_COUNTRY_TW_1 0.5
tflags BL_COUNTRY_TW_1 net