Posted to users@spamassassin.apache.org by Jerry <ad...@mybloo.com> on 2005/11/11 18:11:03 UTC

What countries to block? and detecting Trojan attachments?

We are getting a lot of spam mail from countries outside of the US. Anyone
have a list of what country domain extensions are fairly OK to block? We
don't have a lot of users who receive mail from outside the US. We'd like to
cut down on spam/spoof/virus messages.

Currently I am blocking all mails from *.nl *.br *.ch etc.

Also, is there a special rule to detect messages like the one below?

Thanks
----- Original Message -----

Dear user sam,

You have successfully updated the password of your Mybloo account.

If you did not authorize this change or if you need assistance with your
account, please contact Mybloo customer service at: service@mybloo.com

Thank you for using Mybloo!
The Mybloo Support Team

+++ Attachment: No Virus (Clean)
+++ Mybloo Antivirus - www.mybloo.com


Re: What countries to block? and detecting Trojan attachments?

Posted by Matt Kettler <mk...@evi-inc.com>.
Jerry wrote:
> 
>>> Also, is there a special rule to detect messages like the one below?
>>
>>
>> Yeah, it's called a virus scanner. That's a mytob variant virus message.
>>
> 
> My virus scanner cleans the attachment, but I still get people emailing
> and calling about their accounts when they receive these messages.

Well, then that's a problem with your virus scanner setup. Mine tags the
subject line with {VIRUS} so my users never bother me about them...



Re: What countries to block? and detecting Trojan attachments?

Posted by Jerry <ad...@mybloo.com>.
>> Also, is there a special rule to detect messages like the one below?
>
> Yeah, it's called a virus scanner. That's a mytob variant virus message.
>

My virus scanner cleans the attachment, but I still get people emailing and
calling about their accounts when they receive these messages.



Re: What countries to block? and detecting Trojan attachments?

Posted by Matt Kettler <mk...@evi-inc.com>.
Jerry wrote:
> We are getting a lot of spam mail from countries outside of the US.
> Anyone have a list of what country domain extensions are fairly OK to
> block? We don't have a lot of users who receive mail from outside the
> US. We'd like to cut down on spam/spoof/virus messages.
> 
> Currently I am blocking all mails from *.nl *.br *.ch etc.

Personally, I find it unreasonable to outright block any country.

The problem being if you post on a list like say, users@spamassassin.apache.org
an off-list reply can come to you with help from *anywhere* in the world.

For example you might think it safe to block Ireland, not knowing anyone from
there. However, if Justin Mason emailed you off-list about a SA problem you'd be
blocking him.

Unless you can prove you strictly don't ever communicate with anyone from a
given country (including mailing lists), and never want to use any OSS with any
developers in that country, you're pretty much not safe blocking it.

That said, I do use ACLs in milter-greylist to greylist all of apnic and lacnic,
as well as a variety of DUL networks in the US and EU, as well as any host with
no RDNS.

The greylist takes care of a lot of the spam without blocking legitimate mail;
although a couple of legitimate messages are hit each week, they only get
delayed, not dropped.

Thus far this week 10,181 messages were greylisted by my setup. Of those, 376
retried and were delivered. Of those, 316 were tagged as spam by SA, and 51 were
not. A few of the 51 were SA FNs, but none of the 316 appear to be SA FPs.




> Also, is there a special rule to detect messages like the one below?

Yeah, it's called a virus scanner. That's a mytob variant virus message.




Re: What countries to block? and detecting Trojan attachments?

Posted by Dave Pooser <da...@pooserville.com>.
> That's fun, we're blocking each other! Most spam here in the Netherlands
> comes from the US.

Most spam in the US comes from the US too; it's a matter of blocking
countries that rarely or never send us legitimate email. After all, if my
only purpose were to never receive spam I'd just unplug my mail server.

I don't block *.nl, or any of western Europe, based on country, but they do
get a +2 on the SA score. It seems to work in my specific situation, which
is all I can ask for.
-- 
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
A computer lets you make more mistakes faster than any invention in
human history with the possible exceptions of handguns and tequila.



Re: What countries to block? and detecting Trojan attachments?

Posted by Menno van Bennekom <mv...@xs4all.nl>.
> Currently I am blocking all mails from *.nl *.br *.ch etc.
That's fun, we're blocking each other! Most spam here in the Netherlands
comes from the US.
We block almost everything from China, Korea and Taiwan in postfix based
on domain name and on IP range (mostly complete B-classes).
But also a lot of other domains/IPs are blocked, like comcast, rr, verizon,
Brazilian IPs, dynamic*, dialup*, indeed some .jp domains, etcetera.
And all dynamic/dialup addresses in dynablock.njabl.org and
dul.dnsbl.sorbs.net are blocked.
The spam stats from spamcop.net show the popular spam IP ranges:
http://www.spamcop.net/w3m?action=map;net=bmaxcnt;mask=16777215;sort=spamcnt

Regards
Menno van Bennekom



Re: What countries to block ?

Posted by mouss <us...@free.fr>.
Dave Pooser wrote:

>One other caveat: if you're going to be preemptively blocking whole
>geographic swaths, make sure that your blacklist reject message reflects
>that. In my case I changed "your host $HOST is blacklisted" to "your host
>$HOST is on a network from which we do not normally accept email" to avoid
>adding insult to injury, and to minimize confusion.
>
Also do not send mail to networks that you block. I find it really 
annoying to get rejected by say verizon.net (not even able to reach 
their abuse/postmaster/... addresses), but still getting mail from them.

Re: What countries to block ?

Posted by Dave Pooser <da...@pooserville.com>.
> We are getting a lot of spam mail from countries outside of the US. Anyone
> have a list of what country domain extensions are fairly OK to block?

That depends entirely on your business model. For $DAYJOB I have a long list
of countries from which we never expect to receive legitimate email; they're
rejected with a message that tells them to email a blacklist-admin
unfiltered role account. There's another list of countries from which we
rarely receive email; they get scored at +2 in SpamAssassin. (Since I'm
using a rather limited MTA, SA processes mail after it's been received, and
spammy messages are dropped in a bucket for me to sort through as a last
line of defense against FPs. Once I upgrade to Exim, sufficiently spammy
messages will get the same treatment as blacklisted addresses, i.e.: reject
with message pointing to pinhole.) So far, I've had to whitelist one remote
server, and that wasn't a business customer but a personal correspondent.

In my case I use a script to download country blacklists from blackholes.us
and concatenate them (along with various additions) into a local blacklist
and a local yellowlist. It works pretty well, though I've had some problems
with DNS lookups recently that I may raise in another post.

One other caveat: if you're going to be preemptively blocking whole
geographic swaths, make sure that your blacklist reject message reflects
that. In my case I changed "your host $HOST is blacklisted" to "your host
$HOST is on a network from which we do not normally accept email" to avoid
adding insult to injury, and to minimize confusion.
-- 
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
"NOTHING says love like a monkey. It's a fuzzy screeching
bundle of tenderness!" -- QueenOfWands.net
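
The scoring tier Dave describes above (countries that rarely send legitimate mail get +2 in SpamAssassin rather than a reject) as a local.cf fragment; this is an added example, not configuration from the thread or from any poster. The TLDs, rule names and the whitelisted domain are placeholders, and the outright-reject tier is left to the MTA, as in Dave's setup.

```spamassassin
# Added example, not from the thread: the "rarely receive legitimate mail"
# tier, scored at +2 instead of rejected. The TLDs listed are placeholders;
# pick them from your own mail logs, not from someone else's list.

# Sender address in one of the listed ccTLDs. Note that From: is trivially
# forged, so on its own this is worth a nudge in the score, not a reject.
header   FROM_RARE_CCTLD   From:addr =~ /\.(?:br|ch|nl)$/i
describe FROM_RARE_CCTLD   From address is in a ccTLD we rarely get legitimate mail from
score    FROM_RARE_CCTLD   2.0

# Same idea, but on the reverse DNS of the last untrusted relay that handed
# the message to us, which is much harder for a sender to fake than From:.
# X-Spam-Relays-External is SpamAssassin's own pseudo-header listing the
# external relays it parsed from Received: headers; the first entry is the
# most recent hop (this is the same form the stock RDNS_NONE rule uses).
header   RDNS_RARE_CCTLD   X-Spam-Relays-External =~ /^\[ ip=\S+ rdns=\S+\.(?:br|ch|nl) /i
describe RDNS_RARE_CCTLD   Last external relay's rDNS is in a ccTLD we rarely get legitimate mail from
score    RDNS_RARE_CCTLD   2.0

# Known correspondents in those countries (a mailing list, a supplier) should
# not pay the penalty. whitelist_from_rcvd requires both the address and the
# rDNS of the relay that handed the mail off to match, so it is not as easy
# to abuse as a plain whitelist_from. Placeholder domain below.
whitelist_from_rcvd  *@example.nl  mail.example.nl
```

Both rules fire independently, so a message that matches on From: and on relay rDNS scores +4; if that is more than you want, combine them in a meta rule and score only that.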