Posted to users@spamassassin.apache.org by Kevin Miller <ke...@juneau.org> on 2015/04/01 22:26:35 UTC

RE: Uptick in spam

I'm a bit late to the party (was on vacation) but your woes sounded awfully familiar.  I was getting slammed by spam a couple months ago.  The domains changed daily, but the one consistent thing was they were all served by RRPPROXY.NET.  I blocked the RRPPROXY.NET name servers at the firewall.  Doing a whois lookup on wheelerweightoff.com, I see that it is served by RRPPROXY.NET DNS servers: NS1, NS2, and NS3.  I'd bet the others are too.

After I did that, almost instantly the spam dropped dramatically.

FWIW, I found no legitimate messages from the domains they hosted.  Conveniently, they're a German company I think, and I'm in the US, so legitimate mail from them is unlikely.

There was some discussion in this group about blocking on DNS providers about a month or so ago, spawned by my initial requests for help.  I don't know if you have the luxury of dropping the connections at the firewall but it worked for me.   Look back through the archives.

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357 


Re: Uptick in spam

Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 1 Apr 2015, at 17:26, Amir Caspi wrote:

> On Apr 1, 2015, at 3:03 PM, Kevin Miller <ke...@juneau.org> 
> wrote:
>
>> You can reject on RDNS (or lack thereof) in sendmail depending on the 
>> version.  Search for "require_rdns".
>
> Thanks, I'll look into it.  Sadly I don't think I have time to 
> manually whitelist misconfigured servers, since I suspect there are 
> not a few of them... a lot of people fail to put rDNS entries on their 
> mail servers (including my own $DAYJOB employer, who only fixed it 
> once I complained).

That experience may bias your expectations. When I was handling spam 
control for a corporate system that had a million SMTP sessions per day  
and legit inbound mail in 5 digits per day with prominent public retail 
brand domains, our policy was to reject mail from IP's without valid 
rDNS. From 2004-2008 we had to whitelist *zero* sending systems and only 
had a handful of cases where we were the "bully" to get senders to fix 
their DNS. In the 7 years since I've been handling a much smaller 
corporate mail system of less significance to senders with the same 
policy, where we've seen no need to whitelist anyone and 2 cases where 
we know the policy has played some role in fixing senders' rDNS. 
However, it is a bit more common to have transient false positives due 
to DNS robustness issues (anything from connectivity problems to zone 
file typos) which are the price of any DNS-based filtering policy. The 
more DNS rules you enforce, the more ways DNS carelessness can be 
caught, and there's a richly diverse ecosystem of DNS carelessness.


Re: Uptick in spam

Posted by Amir Caspi <ce...@3phase.com>.
On Apr 1, 2015, at 3:03 PM, Kevin Miller <ke...@juneau.org> wrote:

> You can reject on RDNS (or lack thereof) in sendmail depending on the version.  Search for "require_rdns".

Thanks, I'll look into it.  Sadly I don't think I have time to manually whitelist misconfigured servers, since I suspect there are not a few of them... a lot of people fail to put rDNS entries on their mail servers (including my own $DAYJOB employer, who only fixed it once I complained).

> There may be other options than the firewall - if you have access to the mail server itself, you could maybe run an instance of iptables.  I presume you're running it on Linux.  Or maybe put the name servers in the /etc/host file with 127.0.0.x addresses?  Not sure if that would work or not.  If all else fails, bribe the DNS admin! :-)

I do run iptables, which I use for fail2ban... but then I'd need to look up all the IP ranges served by the evil DNS servers.  I could put the name servers in /etc/hosts but that would only help if I configure sendmail to require rDNS.  Looks like there's no optimal solution on that one...

Thanks.

--- Amir


RE: Uptick in spam

Posted by Kevin Miller <ke...@juneau.org>.
> -----Original Message-----
> Ah, I see... you killed them at the firewall itself, before they even
> got to sendmail.  I was wondering how blocking the name servers
> themselves would help, since (at least in my configuration) sendmail
> doesn't reject just due to bad rDNS (not sure if that's even possible).
> Unfortunately, no, I don't have control over the firewall.  Indeed,
> there is no hard firewall, so I only have software, and I'm not sure I
> have anything that could do specifically this.
> 
> Certainly it would be interesting to add such capability to SA (to add
> points for known spammy DNS providers and/or registrars), though I
> imagine that could be a recipe for FPs in some cases.  Then again, we
> did it for .pw URIs, so...
> 
> --- Amir

You can reject on RDNS (or lack thereof) in sendmail depending on the version.  Search for "require_rdns".  On my newer servers it's included in sendmail.  On an older server I had to implement it as a hack.  But it's easily found on the web, and wasn't hard to implement.  Kills a lot of spam, but also some legitimate mail.  I put the IP addresses of the legitimate (albeit misconfigured) servers in my access file and that seems to do the job.  You will need to check the logs for rejects and decide who's OK.

There may be other options than the firewall - if you have access to the mail server itself, you could maybe run an instance of iptables.  I presume you're running it on Linux.  Or maybe put the name servers in the /etc/host file with 127.0.0.x addresses?  Not sure if that would work or not.  If all else fails, bribe the DNS admin! :-)


...Kevin
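
The reject-on-rDNS policy Kevin describes (reject clients without valid reverse DNS, override known-good senders via the access file, then review rejects), as an added Python example that is not from the thread or from sendmail. The PTR/A tables and the access-map entries are constructed stand-ins for live DNS and for sendmail's access map; it also defers (4xx) rather than rejects when the lookup itself fails, the transient-failure case Bill Cole raises later in the thread.

```python
import ipaddress

TEMPFAIL = object()  # sentinel: PTR lookup failed (SERVFAIL/timeout), not "no record"

# Constructed lookup tables standing in for PTR and A queries (not real hosts).
PTR_TABLE = {
    "192.0.2.10": "mx.example.net",    # PTR present and forward-confirmed
    "192.0.2.20": "mail.example.com",  # PTR present, forward A does not point back
    "192.0.2.40": TEMPFAIL,            # resolver could not answer right now
    # 192.0.2.30 is deliberately absent: no PTR at all
}
A_TABLE = {
    "mx.example.net": ["192.0.2.10"],
    "mail.example.com": ["198.51.100.5"],
}

# Constructed stand-in for sendmail's access map, keyed by connecting IP.
ACCESS_MAP = {"192.0.2.20": "OK"}

def rdns_status(ip, ptr=PTR_TABLE, fwd=A_TABLE):
    """Classify a client's reverse DNS: ok, none, mismatch or tempfail."""
    name = ptr.get(ip)
    if name is TEMPFAIL:
        return "tempfail"
    if name is None:
        return "none"
    return "ok" if ip in fwd.get(name, []) else "mismatch"

def connect_policy(ip, access=ACCESS_MAP):
    """Decide what to do with an SMTP client at connect time.

    Returns (smtp_code, reason). An access-map OK entry wins, as it does in
    sendmail; a transient DNS failure is deferred (4xx), never rejected (5xx),
    so the sender retries instead of bouncing.
    """
    ipaddress.ip_address(ip)  # raises ValueError on malformed input
    if access.get(ip) == "OK":
        return (250, "access map override")
    status = rdns_status(ip)
    if status == "ok":
        return (250, "rDNS forward-confirmed")
    if status == "tempfail":
        return (450, "rDNS lookup failed, try again later")
    return (550, f"rDNS {status}")

def rejects_for_review(ips):
    """Group 5xx-rejected clients by reason so an admin can decide who to whitelist."""
    out = {}
    for ip in ips:
        code, reason = connect_policy(ip)
        if code == 550:
            out.setdefault(reason, []).append(ip)
    return out
```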



Re: Uptick in spam

Posted by Axb <ax...@gmail.com>.
On 04/01/2015 10:45 PM, Amir Caspi wrote:
> Certainly it would be interesting to add such capability to SA (to
> add points for known spammy DNS providers and/or registrars), though
> I imagine that could be a recipe for FPs in some cases.  Then again,
> we did it for .pw URIs, so...


You can do it running your private dnsbl (using rbldnsd) and a 
urifullnsrhssub SA rule.
It's not hard to do - cheap as well as effective.
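
The private-zone approach Axb describes, as an added Python example that is not from the thread, SpamAssassin or rbldnsd: it emulates what a urifullnsrhssub rule does by mapping each URI domain in a message to its full nameserver hostnames and matching them against an rbldnsd-style dnset blocklist. NS_TABLE stands in for live NS lookups (only the rrpproxy.net hostnames come from the thread, the rest is constructed), and the dot-prefix wildcard semantics, the 127.0.0.2 listing value and the sample messages are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for NS lookups of URI domains; real code would query DNS.
NS_TABLE = {
    "wheelerweightoff.com": ["ns1.rrpproxy.net", "ns2.rrpproxy.net", "ns3.rrpproxy.net"],
    "example.org": ["a.iana-servers.net", "b.iana-servers.net"],
}

# Private blocklist in the style of an rbldnsd "dnset" zone (assumed semantics):
# a leading dot lists the name and everything under it, a bare name only itself.
NS_BLOCKLIST = {".rrpproxy.net": "127.0.0.2"}

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.I)

def registrable_domain(host):
    """Two-label approximation; SpamAssassin uses a public-suffix list instead."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def dnset_lookup(name, zone=NS_BLOCKLIST):
    """Return the listed A value for name, walking parent labels like a dnset zone."""
    name = name.lower().rstrip(".")
    if name in zone:
        return zone[name]
    labels = name.split(".")
    for i in range(len(labels)):
        wildcard = "." + ".".join(labels[i:])
        if wildcard in zone:
            return zone[wildcard]
    return None

def uri_domains(body):
    """Registrable domains of every http(s) URI found in the message body."""
    hosts = (urlsplit(u).hostname for u in URL_RE.findall(body))
    return {registrable_domain(h) for h in hosts if h}

def check_uri_ns(body, ns_table=NS_TABLE, expect="127.0.0.2"):
    """Emulate a urifullnsrhssub rule: report URI domains whose full NS hostname
    is listed in the private zone with the expected A value."""
    hits = {}
    for domain in sorted(uri_domains(body)):
        for ns in ns_table.get(domain, []):
            if dnset_lookup(ns) == expect:
                hits.setdefault(domain, []).append(ns)
    return hits

# Constructed sample messages.
SPAM_BODY = "Lose weight now! Visit http://www.wheelerweightoff.com/go?id=7 today"
HAM_BODY = "Meeting notes are at https://example.org/notes/2015-04"
```

A rule hit here is what you would turn into points in SA; as Amir notes above, score it rather than reject outright, since a provider-wide listing can catch legitimate customers of the same DNS host.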

Re: Uptick in spam

Posted by Amir Caspi <ce...@3phase.com>.
On Apr 1, 2015, at 2:26 PM, Kevin Miller <ke...@juneau.org> wrote:

> I blocked the RRPPROXY.NET name servers at the firewall. [...] After I did that, almost instantly the spam dropped dramatically.
[...]
> There was some discussion in this group about blocking on DNS providers about a month or so ago, spawned by my initial requests for help.  I don't know if you have the luxury of dropping the connections at the firewall but it worked for me.   Look back through the archives.

Ah, I see... you killed them at the firewall itself, before they even got to sendmail.  I was wondering how blocking the name servers themselves would help, since (at least in my configuration) sendmail doesn't reject just due to bad rDNS (not sure if that's even possible).  Unfortunately, no, I don't have control over the firewall.  Indeed, there is no hard firewall, so I only have software, and I'm not sure I have anything that could do specifically this.

Certainly it would be interesting to add such capability to SA (to add points for known spammy DNS providers and/or registrars), though I imagine that could be a recipe for FPs in some cases.  Then again, we did it for .pw URIs, so...

--- Amir