Posted to users@spamassassin.apache.org by Marc Perkel <ma...@perkel.com> on 2007/07/12 18:15:20 UTC

Need a rule written - Can whitelisting be this easy?

Need a rule written to take advantage of this trick and this could be a 
major breakthrough in white listing.

Here's what it needs to do:

1) Take the IP of the connecting host and do an RDNS lookup to get the name.
2) Verify that the name that was looked up resolves to the same IP address.
3) Look up the name in this dns list === 
example.com.hostdomain.junkemailfilter.com
4) if it returns 127.0.0.1 - it's ham

Let's say the sending host is 69.50.231.2

RDNS of 69.50.231.2 is 2.ctyme.com
Looking up 2.ctyme.com returns 69.50.231.2 ---- MATCH!
Lookup 2.ctyme.com.hostdomain.junkemailfilter.com - returns 127.0.0.1 - 
It's HAM!

That's all there is to it.

If you're running Exim it's even easier.

accept    dnslists = hostdomain.junkemailfilter.com=127.0.0.1/$sender_host_name

The Exim version works. Need someone to make it work for Spam Assassin.

The reason for the matching is that spammers can't spoof RDNS if you 
verify it by matching the RDNS to the original IP. I have a few thousand 
popular domains listed. If this works and with a bigger central list we 
can probably ID 99% of ham without further processing.




Re: Need a rule written - Can whitelisting be this easy?

Posted by Marc Perkel <ma...@perkel.com>.

Daryl C. W. O'Shea wrote:
>
> Marc, I'm quite amazed that you still haven't picked up the term FCrDNS!
>
>

Thanks - never heard that before. Glad there's a word for it.

Re: Need a rule written - Can whitelisting be this easy?

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Marc Perkel wrote:
> Daryl C. W. O'Shea wrote:
>> Marc Perkel wrote:

>>> SPF is rather useless. Spammers can publish SPF records.

>> Guess what Marc, spammers can publish ANY DNS records!  That includes 
>> TXT records, type 99 (SPF) records, and your precious A and PTR records.

> What spammers can't do is publish a forward confirmed RDNS that ends in 
> wellsfargo.com, which would be a listed domain.

WTF does whitelisting a domain have to do with whether or not a spammer 
can publish DNS records.

 From a DNS "forgeability" standpoint "your" method of checking FCrDNS 
and checking for SPF_PASS are on equal ground.


Daryl

Re: Need a rule written - Can whitelisting be this easy?

Posted by Marc Perkel <ma...@perkel.com>.

Daryl C. W. O'Shea wrote:
>
> Guess what Marc, spammers can publish ANY DNS records!  That includes 
> TXT records, type 99 (SPF) records, and your precious A and PTR records.
>
>

What spammers can't do is publish a forward confirmed RDNS that ends in 
wellsfargo.com, which would be a listed domain.


Re: Need a rule written - Can whitelisting be this easy?

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Marc Perkel wrote:
> 
> 
> Meng Weng Wong wrote:
>> On Jul 12, 2007, at 9:15 AM, Marc Perkel wrote:
>>
>>> Need a rule written to take advantage of this trick and this could be 
>>> a major breakthrough in white listing.
>>>
>>> Here's what it needs to do:
>>>
>>> 1) Take the IP of the connecting host and do an RDNS lookup to get 
>>> the name.
>>> 2) Verify that the name that was looked up resolves to the same IP 
>>> address.

Marc, I'm quite amazed that you still haven't picked up the term FCrDNS!


>>> 3) Look up the name in this dns list === 
>>> example.com.hostdomain.junkemailfilter.com
>>> 4) if it returns 127.0.0.1 - it's ham
>>
>> I'd like to suggest that where the domain publishes SPF, we use that; 
>> where it doesn't, we use your algorithm.
>>
>> I recently coded up a very similar approach; I posted about it on the 
>> SPF and Karmasphere mailing lists.  Here is the original message:
>>
>>
> 
> SPF is rather useless. Spammers can publish SPF records.

Guess what Marc, spammers can publish ANY DNS records!  That includes 
TXT records, type 99 (SPF) records, and your precious A and PTR records.


Daryl


Re: Need a rule written - Can whitelisting be this easy?

Posted by Marc Perkel <ma...@perkel.com>.

Daryl C. W. O'Shea wrote:
> Marc Perkel wrote:
>
>> I appreciate your effort in this but let's come up with something 
>> useful. If you give up SPF I will give you and PoBox some anti-spam 
>> technology that will revolutionize your spam filtering. I'm just 
>> tired of having to deal with the bad side effects of SPF and 
>> explaining to people that they can't use my spam filtering unless they 
>> turn SPF off.
>
> Marc, dude, for a guy that's proposing a reputation service (as if 
> that was some sort of new revolutionary idea) I'm bedazzled (well not 
> so much, I'm getting used to this) that you can not connect the 
> benefit of being able to link a (controlling) identity to a 
> previously unknown host.
>
> Forget any forwarding issues, if the mail doesn't pass SPF you simply 
> won't be able to link the identity to the reputation database.  This 
> is no different than your idea where mail from a domain on your 
> whitelist gets forwarded; you lose the ability to link that identity 
> to your whitelist/reputation database.
>

The identity link is at the registrar barrier. I even have a DNS lookup 
for that.

example.com.rb.junkemailfilter.com

It returns 127.0.0.1 for single TLDs, 127.0.0.2 for 2 level TLDs etc.

So - you do a lookup and then you count dots back from the end and that 
becomes your key.
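
The four-step check from the first post, together with the registrar-boundary key described above, as an added example that is not code from the thread or from SpamAssassin. DNS is replaced by constructed in-memory tables so it runs offline; the `.example` hosts, the documentation-range IPs, the function names and the reading of the `rb` answer (last octet = number of TLD labels) are assumptions.

```python
import ipaddress

WL_ZONE = "hostdomain.junkemailfilter.com"  # whitelist zone named in the first post
RB_ZONE = "rb.junkemailfilter.com"          # registrar-boundary zone named above

# Constructed DNS data, not real answers. Only 69.50.231.2 / 2.ctyme.com comes
# from the thread; the other hosts and IPs are hypothetical.
PTR = {
    "69.50.231.2": ["2.ctyme.com"],              # worked example from the thread
    "203.0.113.7": ["mail.listed-bank.example"],  # PTR claims a listed name
    "198.51.100.9": ["mx.bulk-sender.example"],   # sender controls both PTR and A
    "192.0.2.44": [],                             # no PTR record at all
}
A = {
    "2.ctyme.com": ["69.50.231.2"],
    "mail.listed-bank.example": ["192.0.2.10"],   # real owner's address, not 203.0.113.7
    "mx.bulk-sender.example": ["198.51.100.9"],
    "2.ctyme.com." + WL_ZONE: ["127.0.0.1"],
    "mail.listed-bank.example." + WL_ZONE: ["127.0.0.1"],
    "2.ctyme.com." + RB_ZONE: ["127.0.0.1"],        # single-level TLD
    "www.example.co.uk." + RB_ZONE: ["127.0.0.2"],  # two-level TLD
}


def lookup_ptr(ip):
    """Stand-in for a PTR query; returns a list of host names."""
    return PTR.get(ip, [])


def lookup_a(name):
    """Stand-in for an A query; returns a list of dotted-quad strings."""
    return A.get(name.rstrip(".").lower(), [])


def fcrdns_names(ip, ptr=lookup_ptr, a=lookup_a):
    """Steps 1-2: PTR names whose forward lookup contains the connecting IP."""
    want = ipaddress.ip_address(ip)
    confirmed = []
    for name in ptr(ip):
        name = name.rstrip(".").lower()
        if want in {ipaddress.ip_address(x) for x in a(name)}:
            confirmed.append(name)
    return confirmed


def whitelisted(name, a=lookup_a):
    """Steps 3-4: the list answers 127.0.0.1 for a listed host name."""
    return "127.0.0.1" in a(f"{name}.{WL_ZONE}")


def registrar_key(name, a=lookup_a):
    """Count dots back from the end using the rb answer (assumed reading:
    last octet N means an N-label TLD, so the key is the last N+1 labels)."""
    answers = a(f"{name}.{RB_ZONE}")
    if not answers:
        return None
    tld_labels = int(answers[0].split(".")[3])
    labels = name.rstrip(".").lower().split(".")
    if not 1 <= tld_labels < len(labels):
        return None
    return ".".join(labels[-(tld_labels + 1):])


def classify(ip):
    """Return 'ham', 'fcrdns-only' or 'no-fcrdns' for a connecting IP."""
    names = fcrdns_names(ip)
    if not names:
        return "no-fcrdns"       # missing PTR, or PTR not confirmed by A
    if any(whitelisted(n) for n in names):
        return "ham"             # confirmed name is on the list
    return "fcrdns-only"         # consistent DNS, but no reputation behind it


if __name__ == "__main__":
    for ip in PTR:
        print(ip, classify(ip), [registrar_key(n) for n in fcrdns_names(ip)])
```

The `fcrdns-only` case is the one the thread argues over: a sender who controls both PTR and A passes steps 1-2, so the decision rests entirely on the list.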


Re: Need a rule written - Can whitelisting be this easy?

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Marc Perkel wrote:

> I appreciate your effort in this but let's come up with something useful. 
> If you give up SPF I will give you and PoBox some anti-spam technology 
> that will revolutionize your spam filtering. I'm just tired of having to 
> deal with the bad side effects of SPF and explaining to people that they 
> can't use my spam filtering unless they turn SPF off.

Marc, dude, for a guy that's proposing a reputation service (as if that 
was some sort of new revolutionary idea) I'm bedazzled (well not so 
much, I'm getting used to this) that you can not connect the benefit of 
being able to link a (controlling) identity to a previously unknown host.

Forget any forwarding issues, if the mail doesn't pass SPF you simply 
won't be able to link the identity to the reputation database.  This is 
no different than your idea where mail from a domain on your whitelist 
gets forwarded; you lose the ability to link that identity to your 
whitelist/reputation database.


Daryl

Re: Need a rule written - Can whitelisting be this easy?

Posted by Marc Perkel <ma...@perkel.com>.

John D. Hardin wrote:
> On Thu, 12 Jul 2007, Marc Perkel wrote:
>
>   
>> I'm just tired of having to deal with the bad side effects of SPF
>> and explaining to people that they can't use my spam filtering
>> unless they turn SPF off.
>>     
>
> What's wrong with that? They are explicitly contracting with you to 
> perform mail forwarding, if they do that then they should add your 
> MTAs to their SPF whitelist and still perform SPF checks on mail 
> that does not reach them via you.
>
> Are you performing SPF checks on your inbound feeds?
>
>   
I perform no SPF checks at all because it's useless. There is no 
information to be gathered that's useful. Several people forward email 
to my servers and it breaks forwarding. I also forward email to other 
servers (front end spam filtering) and when I forward good email the 
receiving server sometimes rejects the message because of SPF false 
positives.

SPF breaks email forwarding. And that's something that the world isn't 
going to give up for 0 benefit.


Re: Need a rule written - Can whitelisting be this easy?

Posted by "John D. Hardin" <jh...@impsec.org>.
On Thu, 12 Jul 2007, Marc Perkel wrote:

> I'm just tired of having to deal with the bad side effects of SPF
> and explaining to people that they can't use my spam filtering
> unless they turn SPF off.

What's wrong with that? They are explicitly contracting with you to 
perform mail forwarding, if they do that then they should add your 
MTAs to their SPF whitelist and still perform SPF checks on mail 
that does not reach them via you.

Are you performing SPF checks on your inbound feeds?

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Ignorance doesn't make stuff not exist.               -- Bucky Katt
-----------------------------------------------------------------------
 12 days until The 38th anniversary of Apollo 11 landing on the Moon


Re: Need a rule written - Can whitelisting be this easy?

Posted by Marc Perkel <ma...@perkel.com>.

Bill Landry wrote:
> Marc Perkel wrote the following on 7/12/2007 7:19 PM -0800:
>   
>> Meng Weng Wong wrote:
>>     
>>> On Jul 12, 2007, at 9:15 AM, Marc Perkel wrote:
>>>
>>>       
>>>> Need a rule written to take advantage of this trick and this could
>>>> be a major breakthrough in white listing.
>>>>
>>>> Here's what it needs to do:
>>>>
>>>> 1) Take the IP of the connecting host and do an RDNS lookup to get
>>>> the name.
>>>> 2) Verify that the name that was looked up resolves to the same IP
>>>> address.
>>>> 3) Look up the name in this dns list ===
>>>> example.com.hostdomain.junkemailfilter.com
>>>> 4) if it returns 127.0.0.1 - it's ham
>>>>         
>>> I'd like to suggest that where the domain publishes SPF, we use that;
>>> where it doesn't, we use your algorithm.
>>>
>>> I recently coded up a very similar approach; I posted about it on the
>>> SPF and Karmasphere mailing lists.  Here is the original message:
>>>
>>>
>>>       
>> SPF is rather useless. Spammers can publish SPF records.
>>     
> Hmmm, and that said in response to the author of SPF...  Oops!
>
>
>   

Good - I hope he's listening. SPF was an interesting attempt at 
something but it breaks email forwarding unless you mangle the headers. 
I've spent many hours trying to figure out some use for SPF and have 
found no use for it at all. In fact all it's led to is false positives 
as I forward email to other hosts who reject it because of SPF failures.

There's lots of ideas I've had too that have gone nowhere and when I 
figure out that I'm on the wrong track and what I'm trying to do just 
isn't working then I give it up. So - Meng - why don't you just give it 
up on SPF and quit wasting everyone's time on a broken idea.

I appreciate your effort in this but let's come up with something useful. 
If you give up SPF I will give you and PoBox some anti-spam technology 
that will revolutionize your spam filtering. I'm just tired of having to 
deal with the bad side effects of SPF and explaining to people that they 
can't use my spam filtering unless they turn SPF off.




Re: Need a rule written - Can whitelisting be this easy?

Posted by Bill Landry <bi...@inetmsg.com>.
Bill Landry wrote the following on 7/12/2007 9:58 PM -0800:
> Marc Perkel wrote the following on 7/12/2007 7:19 PM -0800:
>   
>> Meng Weng Wong wrote:
>>     
>>> On Jul 12, 2007, at 9:15 AM, Marc Perkel wrote:
>>>
>>>       
>>>> Need a rule written to take advantage of this trick and this could
>>>> be a major breakthrough in white listing.
>>>>
>>>> Here's what it needs to do:
>>>>
>>>> 1) Take the IP of the connecting host and do an RDNS lookup to get
>>>> the name.
>>>> 2) Verify that the name that was looked up resolves to the same IP
>>>> address.
>>>> 3) Look up the name in this dns list ===
>>>> example.com.hostdomain.junkemailfilter.com
>>>> 4) if it returns 127.0.0.1 - it's ham
>>>>         
>>> I'd like to suggest that where the domain publishes SPF, we use that;
>>> where it doesn't, we use your algorithm.
>>>
>>> I recently coded up a very similar approach; I posted about it on the
>>> SPF and Karmasphere mailing lists.  Here is the original message:
>>>
>>>
>>>       
>> SPF is rather useless. Spammers can publish SPF records.
>>     
> Hmmm, and that said in response to the author of SPF...  Oops!
>
>   

Oh, and BTW Meng, the KARMA plugin for SA is working quite nicely here. 
Thanks for all of your ongoing efforts in the fight against spam!

Bill

Re: Need a rule written - Can whitelisting be this easy?

Posted by Bill Landry <bi...@inetmsg.com>.
Marc Perkel wrote the following on 7/12/2007 7:19 PM -0800:
>
>
> Meng Weng Wong wrote:
>> On Jul 12, 2007, at 9:15 AM, Marc Perkel wrote:
>>
>>> Need a rule written to take advantage of this trick and this could
>>> be a major breakthrough in white listing.
>>>
>>> Here's what it needs to do:
>>>
>>> 1) Take the IP of the connecting host and do an RDNS lookup to get
>>> the name.
>>> 2) Verify that the name that was looked up resolves to the same IP
>>> address.
>>> 3) Look up the name in this dns list ===
>>> example.com.hostdomain.junkemailfilter.com
>>> 4) if it returns 127.0.0.1 - it's ham
>>
>> I'd like to suggest that where the domain publishes SPF, we use that;
>> where it doesn't, we use your algorithm.
>>
>> I recently coded up a very similar approach; I posted about it on the
>> SPF and Karmasphere mailing lists.  Here is the original message:
>>
>>
>
> SPF is rather useless. Spammers can publish SPF records.
Hmmm, and that said in response to the author of SPF...  Oops!

Bill

Re: Need a rule written - Can whitelisting be this easy?

Posted by Theo Van Dinter <fe...@apache.org>.
On Thu, Jul 12, 2007 at 07:19:06PM -0700, Marc Perkel wrote:
> SPF is rather useless. Spammers can publish SPF records.

Right, they can publish SPF records, so what?  You want to know if
example.com is coming from a place that mail from example.com is supposed
to come from, and SPF tells you that.  It has nothing to do with ham
versus spam, and gives you better information than just requesting a
PTR record.

-- 
Randomly Selected Tagline:
"You can test this theory by strapping a piece of buttered bread to
 the top of a cat (butter side up) and dropping them from a few feet in
 the air.  On the theory that cats always land on their feet and buttered
 bread always falls butter side down, they should hover a few inches
 above the floor and spin constantly."                    - Theo

Re: Need a rule written - Can whitelisting be this easy?

Posted by Dave Pooser <da...@pooserville.com>.
> SPF is rather useless. Spammers can publish SPF records.

Which is why the OP specifically stated:

>> What does it mean?  An SPF pass, on its own, means little; an RHSWL
>> match, on its own, means little; but together, they mean a lot.

Was it asking too much of you to READ the message posted before you
commented on it, especially since it seems to complement your own idea quite
nicely?
-- 
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
"I've *met* humanity. I worked retail."
    --Diesel Sweeties



Re: Need a rule written - Can whitelisting be this easy?

Posted by Marc Perkel <ma...@perkel.com>.

Meng Weng Wong wrote:
> On Jul 12, 2007, at 9:15 AM, Marc Perkel wrote:
>
>> Need a rule written to take advantage of this trick and this could be 
>> a major breakthrough in white listing.
>>
>> Here's what it needs to do:
>>
>> 1) Take the IP of the connecting host and do an RDNS lookup to get 
>> the name.
>> 2) Verify that the name that was looked up resolves to the same IP 
>> address.
>> 3) Look up the name in this dns list === 
>> example.com.hostdomain.junkemailfilter.com
>> 4) if it returns 127.0.0.1 - it's ham
>
> I'd like to suggest that where the domain publishes SPF, we use that; 
> where it doesn't, we use your algorithm.
>
> I recently coded up a very similar approach; I posted about it on the 
> SPF and Karmasphere mailing lists.  Here is the original message:
>
>

SPF is rather useless. Spammers can publish SPF records.

Re: Need a rule written - Can whitelisting be this easy?

Posted by Luis Hernán Otegui <lu...@gmail.com>.
2007/7/12, Meng Weng Wong <me...@pobox.com>:
> On Jul 12, 2007, at 9:15 AM, Marc Perkel wrote:
>
> > Need a rule written to take advantage of this trick and this could
> > be a major breakthrough in white listing.
> >
> > Here's what it needs to do:
> >
> > 1) Take the IP of the connecting host and do an RDNS lookup to get
> > the name.
> > 2) Verify that the name that was looked up resolves to the same IP
> > address.
> > 3) Look up the name in this dns list ===
> > example.com.hostdomain.junkemailfilter.com
> > 4) if it returns 127.0.0.1 - it's ham
>
> I'd like to suggest that where the domain publishes SPF, we use that;
> where it doesn't, we use your algorithm.
>
> I recently coded up a very similar approach; I posted about it on the
> SPF and Karmasphere mailing lists.  Here is the original message:
>
>
>
>
>
> On Jul 12, 2007, at 6:53 PM, Meng Weng Wong wrote:
> > Cross-posted to the SPF and Karmasphere lists ...
> >
> > On Jul 12, 2007, at 12:45 PM, Meng Weng Wong wrote:
> >>
> >> Those of you who have been following the authentication movement
> >> will remember that reputation was always part of the plan.
> >>
> >> It is the job of SPF/DKIM/etc to provide authentication.
> >>
> >> Karmasphere's job is to provide reputation.
> >>
> >
> > I have had a huge grin on my face for the last half an hour.
> >
> > Why?
> >
> > This afternoon I finally got up to speed with SpamAssassin's meta-
> > rules.
> >
> > and I just now got this report in my headers:
> >
> >  * -0.0 SPF_PASS SPF: sender matches SPF record
> >  * -0.0 KS_REPUTABLE_DOMAIN_DNS RBL: Envelope sender in mengwong
> > whitelist feedset
> >  * -123 AUTH_ACCOUNTABLE Envelope sender is both authenticated and
> > reputable
> >
> > What does it mean?  An SPF pass, on its own, means little; an RHSWL
> > match, on its own, means little; but together, they mean a lot.
> >
> > To obtain that score of -123, the message has to pass SPF and the
> > envelope sender domain has to be whitelisted at the
> > "mengwong.manywl-v1.dnswl.karmasphere.com" RHSWL.
> >
> > "mengwong.manywl-v1" is, in turn, a Karmasphere feedset that
> > contains multiple other whitelists, including the dnswl.org's
> > sources, ISIPP, Truste, and VeriSign's list of SSL certified domains.
> >
> > More feeds are being added to that feedset as we discover new
> > sources of domain whitelists.
> >
> > I am tremendously pleased.  For me, this is the culmination of
> > several years of work: SPF offers authentication, and Karmasphere
> > offers reputation.  Together, they fight spam!
> >
> > Here's the snippet from my local.cf that does this:
> >
> >   # karmasphere domain-based whitelist
> >   header   KS_REPUTABLE_DOMAIN_DNS    eval:check_rbl_envfrom('mengwong.manywl-v1', 'mengwong.manywl-v1.dnswl.karmasphere.com.')
> >   describe KS_REPUTABLE_DOMAIN_DNS    Envelope sender in mengwong whitelist feedset
> >   tflags   KS_REPUTABLE_DOMAIN_DNS    net
> >
> >   score KS_REPUTABLE_DOMAIN_DNS -0.01
> >
> >   meta     AUTH_ACCOUNTABLE   ((SPF_PASS || DKIM_VERIFIED || DK_VERIFIED) && KS_REPUTABLE_DOMAIN_DNS)
> >   describe AUTH_ACCOUNTABLE   Envelope sender is both authenticated and reputable
> >   tflags   AUTH_ACCOUNTABLE   userconf nice noautolearn
> >
> >   score AUTH_ACCOUNTABLE -123
> >
> > I'm very happy!
> >
> > (At this time, while Karmasphere is in beta, querying that
> > whitelist requires IP registration; it will not work if you do not
> > have an account.  After we're out of beta that requirement will be
> > dropped.)
> >
> > Off to rummage through the fridge in search of champagne...
>
>

Well, if my two cents are worth anything, here in Argentina most of the
"big fishes" in the internet mail game (telephone and cellular
companies, internet providers, banks, etc) either don't publish any
SPF records at all, or they send their mail from hosts not listed as
MX, or they don't have a proper setup of their RDNS... It makes a
living hell to whitelist some of them, since they switch mail servers
as much as I change my socks (well, maybe I change my socks a little
more often than that...).

Jokes apart, on the other hand, recently we are seeing some
"legitimate" email publishing enterprises, with proper SPF and MX
setups. Examples of this are 2marketed.com.ar, emailservers.com.ar,
mailservice.com.ar and some others.

Guess that only you could be sure of the hosts you control, as was
said before in this discussion...


Luis

-- 
-------------------------------------------------
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-------------------------------------------------

Re: Need a rule written - Can whitelisting be this easy?

Posted by Meng Weng Wong <me...@pobox.com>.
On Jul 12, 2007, at 9:15 AM, Marc Perkel wrote:

> Need a rule written to take advantage of this trick and this could  
> be a major breakthrough in white listing.
>
> Here's what it needs to do:
>
> 1) Take the IP of the connecting host and do an RDNS lookup to get  
> the name.
> 2) Verify that the name that was looked up resolves to the same IP  
> address.
> 3) Look up the name in this dns list ===  
> example.com.hostdomain.junkemailfilter.com
> 4) if it returns 127.0.0.1 - it's ham

I'd like to suggest that where the domain publishes SPF, we use that;  
where it doesn't, we use your algorithm.

I recently coded up a very similar approach; I posted about it on the  
SPF and Karmasphere mailing lists.  Here is the original message:





On Jul 12, 2007, at 6:53 PM, Meng Weng Wong wrote:
> Cross-posted to the SPF and Karmasphere lists ...
>
> On Jul 12, 2007, at 12:45 PM, Meng Weng Wong wrote:
>>
>> Those of you who have been following the authentication movement  
>> will remember that reputation was always part of the plan.
>>
>> It is the job of SPF/DKIM/etc to provide authentication.
>>
>> Karmasphere's job is to provide reputation.
>>
>
> I have had a huge grin on my face for the last half an hour.
>
> Why?
>
> This afternoon I finally got up to speed with SpamAssassin's meta- 
> rules.
>
> and I just now got this report in my headers:
>
>  * -0.0 SPF_PASS SPF: sender matches SPF record
>  * -0.0 KS_REPUTABLE_DOMAIN_DNS RBL: Envelope sender in mengwong  
> whitelist feedset
>  * -123 AUTH_ACCOUNTABLE Envelope sender is both authenticated and  
> reputable
>
> What does it mean?  An SPF pass, on its own, means little; an RHSWL  
> match, on its own, means little; but together, they mean a lot.
>
> To obtain that score of -123, the message has to pass SPF and the  
> envelope sender domain has to be whitelisted at the  
> "mengwong.manywl-v1.dnswl.karmasphere.com" RHSWL.
>
> "mengwong.manywl-v1" is, in turn, a Karmasphere feedset that  
> contains multiple other whitelists, including the dnswl.org's  
> sources, ISIPP, Truste, and VeriSign's list of SSL certified domains.
>
> More feeds are being added to that feedset as we discover new  
> sources of domain whitelists.
>
> I am tremendously pleased.  For me, this is the culmination of  
> several years of work: SPF offers authentication, and Karmasphere  
> offers reputation.  Together, they fight spam!
>
> Here's the snippet from my local.cf that does this:
>
>   # karmasphere domain-based whitelist
>   header   KS_REPUTABLE_DOMAIN_DNS    eval:check_rbl_envfrom('mengwong.manywl-v1', 'mengwong.manywl-v1.dnswl.karmasphere.com.')
>   describe KS_REPUTABLE_DOMAIN_DNS    Envelope sender in mengwong whitelist feedset
>   tflags   KS_REPUTABLE_DOMAIN_DNS    net
>
>   score KS_REPUTABLE_DOMAIN_DNS -0.01
>
>   meta     AUTH_ACCOUNTABLE   ((SPF_PASS || DKIM_VERIFIED || DK_VERIFIED) && KS_REPUTABLE_DOMAIN_DNS)
>   describe AUTH_ACCOUNTABLE   Envelope sender is both authenticated and reputable
>   tflags   AUTH_ACCOUNTABLE   userconf nice noautolearn
>
>   score AUTH_ACCOUNTABLE -123
>
> I'm very happy!
>
> (At this time, while Karmasphere is in beta, querying that  
> whitelist requires IP registration; it will not work if you do not  
> have an account.  After we're out of beta that requirement will be  
> dropped.)
>
> Off to rummage through the fridge in search of champagne...


Re: Need a rule written - Can whitelisting be this easy?

Posted by Per Jessen <pe...@computer.org>.
Marc Perkel wrote:

> If you do a lookup of the host name to verify it resolves back to the
> same IP then spammers can't forge that. 

And?  It doesn't work for my example, does it?

> Then I have a list of big companies that never send spam. 

Oxymoron.


/Per Jessen, Zürich


Re: Need a rule written - Can whitelisting be this easy?

Posted by Marc Perkel <ma...@perkel.com>.

Loren Wilton wrote:
> How about this one:
>
> Client IP is 213.200.218.50 - reverse lookup returns mail.specogna.ch.
> Lookup mail.specogna.ch returns 213.200.218.50.  Looks good.
> Lookup mail.specogna.ch.junkemailfilter.com - (what does this tell me,
> regardless of what it returns?)
> But let's assume mail.specogna.ch.junkemailfilter.com does return
> 127.0.0.1 - it means nothing wrt ham/spam.  That mail-server is
> occasionally being used by a spambot sat on an internal machine at that
> company.
>
> I think what Marc is saying is that he is creating a global whitelist. 
> Presumably that machine (being an occasional spammer) would not get 
> itself on a whitelist, or would get itself removed pretty quickly.  So 
> presumably 127.0.0.1 is supposed to mean something relative to 
> ham/spam for a given host, and the only trick is to be sure that the 
> host id isn't forged.
>
>        Loren
>
If you do a lookup of the host name to verify it resolves back to the 
same IP then spammers can't forge that. Then I have a list of big 
companies that never send spam. If this works then we should increase the 
list and polish the system.



Re: Need a rule written - Can whitelisting be this easy?

Posted by Marc Perkel <ma...@perkel.com>.

Dave Koontz wrote:
> Marc, please don't mis-read.  Honestly, it was a simple question.  Is
> the list from your own observation, or from user submissions?  It's that
> simple.   The rest is just why it may not work for us in its present form!
>
>   
>
It's a combination of a lot of sources. Some of them came from a list I 
downloaded from uribl.org.


Re: Need a rule written - Can whitelisting be this easy?

Posted by Dave Koontz <dk...@mbc.edu>.
Marc, please don't mis-read.  Honestly, it was a simple question.  Is
the list from your own observation, or from user submissions?  It's that
simple.   The rest is just why it may not work for us in its present form!


Marc Perkel wrote:
>
>
> Dave Koontz wrote:
>> Marc, how do you arrive at your list, through user submission or your
>> own
>> observation?  I notice the list is mostly void of any .EDU
>> organizations.
>> As you probably know, .EDU domain registration is restricted to only
>> those
>> meeting certain criteria and must go through EduCause -- see
>> http://www.educause.edu/edudomain/international.asp
>>
>> Obviously, as a .EDU domain, a substantial part of our legitimate
>> traffic is
>> to and from various .EDU domains.  It would seem that at present your
>> idea
>> for reverse lookup matching to your whitelist would not work for us.
>>
>>
>>   
>
> Before you all start criticizing the list I admit that it's not
> perfect. The concept behind having such a list is sound and once the
> concept is coded then people smarter than me can create a far better
> list.
>


Re: Need a rule written - Can whitelisting be this easy?

Posted by Marc Perkel <ma...@perkel.com>.

Dave Koontz wrote:
> Marc, how do you arrive at your list, through user submission or your own
> observation?  I notice the list is mostly void of any .EDU organizations.
> As you probably know, .EDU domain registration is restricted to only those
> meeting certain criteria and must go through EduCause -- see 
> http://www.educause.edu/edudomain/international.asp
>
> Obviously, as a .EDU domain, a substantial part of our legitimate traffic is
> to and from various .EDU domains.  It would seem that at present your idea
> for reverse lookup matching to your whitelist would not work for us.
>
>
>   

Before you all start criticizing the list I admit that it's not perfect. 
The concept behind having such a list is sound and once the concept is 
coded then people smarter than me can create a far better list.


RE: Need a rule written - Can whitelisting be this easy?

Posted by Dave Koontz <dk...@mbc.edu>.
Marc, how do you arrive at your list, through user submission or your own
observation?  I notice the list is mostly void of any .EDU organizations.
As you probably know, .EDU domain registration is restricted to only those
meeting certain criteria and must go through EduCause -- see 
http://www.educause.edu/edudomain/international.asp

Obviously, as a .EDU domain, a substantial part of our legitimate traffic is
to and from various .EDU domains.  It would seem that at present your idea
for reverse lookup matching to your whitelist would not work for us.

-----Original Message-----
From: Marc Perkel [mailto:marc@perkel.com] 
Sent: Thursday, July 12, 2007 5:14 PM
To: users@spamassassin.apache.org
Subject: Re: Need a rule written - Can whitelisting be this easy?

Here's my list so far. These are host names - not from addresses. So it 
matches *.hostname.com

I could use more to add to the list.

cv.net
cvent-planner.com
cyberguys.com
dailycandy.com
dalan.us
danskebank.dk
darkbb.com
darrenchelin.com
dart.biz
dartmail.net
datamaxcorp.com
davidtrutwin.com
db.com
dbv-winterthur.de
dccc.org
ddg.com
ddi-asia.com
deacons.com.hk
deals.priceline.com
deates.com
debconf.org
declude.com
deeringbrothers.com
dell.com
deloitte.com
delphi.com
delta.com
deltalloyd.nl
democrats.org
democratsenators.org
develooper.com
devolracing.com
dhl.com
dhs.org
di-mgmt.com
dice.com
digitalriver.com
disney.com
dmainc.org
doc.gov
dol.gov
doubleclick.net
dovecot.org
dowjones.com
dreamtheater.tv
dresdner-bank.ch
drkw.com
drugstore.com
drupal.org
drytechonline.com
duebendorf.ch
duo.it
e-gold.com
e-jstanley.com
ealaw.com
eaton.com
ebay.com
ebucks.com
ecademy.com
echolabs.net
ecks.ca
eckstein.ru
econometrix.com
ecri.org
ectaportal.com
eddata.com
edhec-risk.com
edirectory.co.uk
eds.com
efax.com
eh.net
eharmony.com
eksjo.se
elderhostel.org
ellos.se
eltiempo.com.co
emailkfc.com
emc.com
emergencyemailnetwork.net
emmi.ch
energystar.gov
epa.gov
epafes.com
epfl.ch
epson.com
ereinsure.com
ericksonbuilding.com
esa.it
ethz.ch
eucom.mil
eulerhermes.com
eurotax.ch
evanguard.com
evite.com
eweek.com
exacttarget.com
executiveboard.net
exeter.ac.uk
exim.org
expediamail.com
extend-media.com
extremedirttrackcamp.com
ey.com
eya.com
ezi.net
facebook.com
farmers.com
fastconcepts.biz
fastconcepts.com
fastconcepts.net
fbo.gov
fcrsuspension.com
fda.gov
fdic.gov
fdp-zh.ch
fedex.com
fedexkinkos.com
feedblitz.com
ffrf.org
fh-isny.de
fhlbatl.com
ficoh.com
fidelity.com
fiege.ch
filefolders.net
filesystems.biz
findlaw.com
fishersci.com
fitug.de
flagteamapparel.com
flamingangelfilms.com
fleetbank.com
flexmls.com
flixster.com
fnworldwide.com
foolsubs.com
forbesdigital.com
forrester.com
fotolabo.com
fourseasons.com
foxnews.com
fpk.com
fraunhofer.de
frc.com
freebsd.org
freedomscientific.com
freelance-2.unknowndns.net
freshbooks.com
friendfinder.com
frontbridge.com
fsfeurope.org
ftmbiz.com
ftmusa.net
fts.com.sg
fuw.ch
ga4.org
gaiconsulting.com
galileo.com
gallup.com
gamecity.ch
gandi.net
ganneff.de
gartner.com
gc.ca
gcm.com
ge.com
generali.it
genevoise.ch
genworth.com
genzyme.com
gerardiinsurance.com
germanwings.com
getabstract.com
getactive.com
getitallonline.com
gettyimages.com
gfnorte.com.mx
gilbertsoft.ch
givaudan.com
glacierre.com
global-impactllc.com
globalestrategias.com
globalinvest.com.br
globeandmail.ca
gm.com
gmn-usa.com
gn.apc.org
godaddy.com
gondrand.be
goodyear.com
googlegroups.com
goteborg.se
gov
gov.hk
gov.sg
gpmlife.com
gr.to
grants.gov
granus.net
greens.org
greyaconsulting.com
growerflowers.com
gruposantander.com
gs.com
gstaad.ch
gunessigorta.com.tr
guycarp.com
gwl.ca
halifax.co.uk
hallmark.com
handelsbanken.se
hanson.biz
harddiskcafe.de
harfordcountymd.gov
hargreav-hale.co.uk
harley-davidson.com
harpsfood.com
harryda.se
harsco.com
harte-hanks.com
hartfordlife.com
harvard.edu
haslaw.com
hawkins.com
haygroup.com
haywardbaker.com
hbcmd.com
hdrinc.com
he.net
healthx.com
heartcenteronline-mail.com
hedemora.se
heise.de
hellerehrman.com
herefordshire.gov.uk
hesketh.com
hetzner.de
hewitt.com
hexgraphics.com
hextremeprint.com
hhs.gov
hi.co.kr
hibernian.ie
hiddenriverassociation.com
hillaryclinton.com
hilton.com
hin.ch
hirslanden.ch
hjffb.com
hkbea.com
hklaw.com
hmhlp.com
hmp.ch
hnaoc.com
holcim.com
homegate.ch
homemadesimple.com
honeywell.com
hopenetwork.info
horizon21.com
hoteleuropa.lt
hotwire-travel.com
house-to-home.com
house.gov
householdaccount.com
howstuffworks.com
hp.com
hsbc.co.uk
hsbc.com
hse.ie
hserus.net
hsmm.com
hsr.ch
hsw.ch
huffingtonpost.com
huntington.com
hyphensolutions.net
hypovereinsbank.de
i-es.com
iannexflyer.net
ibm.com
ibs.fr
ibsys.com
icann.org
icao.int
icas.org.uk
icicibank.com
ideal-versicherung.de
idefense.com
idg.ch
idsn.gov.co
iecc.com
ieee.org.ar
ietf.org
ifdk.com
ifebp.org
igate.com
igns.net
ihomefinder.com
iic-iac.org
ikea.com
illinois.gov
imagesinmotion.biz
imagine-sw.com
imd.ch
immoscout24.ch
impregloncoatings.com
improware.ch
indymedia.org
inetinteractive.com
infineon.com
infinityresourcesinc.com
inforefinery.com
informa.com
ing.com.hk
ing.nl
ingcanada.com
inherent.com
init7.ch
init7.net
inkjetdepotusa.com
inno-tech.us
ins-cr.com
insead.edu
instat.com
insurancejournal.com
integratedchemistries.com
integratedfm.com
intellisurvey.com
interealty.net
internet.com
internetpro.net
intras.ch
intuit.com
inx.co.za
io.com
iowa.gov
ip-plus.net
ipass.com
ircsosudan.org
irisecom.be
irs.gov
is-stores.com
isaca.org
isaksenpromotions.com
isbank.com.tr
isc.org
isda.org
isigrp.com
isolution.pl
itesco.edu.mx
itunes.com
j2.com
jabber.org
jameco.com
jammicron.com
javeriana.edu.co
jbtwo.com
jeffhallmountainbiking.com
jeko.com
jeld-wen.com
jetblue.com
jetblueconnect.com
jg-marketinggroup.com
jltasia.com
jltgroup.com
jmalucelli.com.br
jmt-engineering.com
job.com
jodiw.com
johnmccain.com
johnwarburton.net
joomlashack.com
jordanvalleysolutions.com
jounce.net
jpmchase.com
jubl.com
juliusbaer.com
jumpstartresults.com
junc.org
jurinfor.pt
justabox.info
jwda.com
k12.ut.us
k12.va.us
kampshoff.org
karash.com
kaspersky.com
katrineholm.se
kcbs.us
kcrc.com
keele.ac.uk
keinan.com
keinan.com
kellogg.com
kellyservices.com
kernel.org
keybank.com
kff.org
kfn-ag.ch
kidshealth.org
kidsroe.org
kinesys.ch
kintera.com
kitcarson.net
kleinreport.ch
klinloe.de
kluge.net
knology.net
kodak.com
komando.com
koolibri.ee
kowner.ch
kp.org
kplaw.com
kpmg.com
kraft.com
kraftfoods.com
kroger.com
kruger.com
ksu.edu
kuki.de
kumho.co.kr
kungalv.se
kuoni.ch
kyberna.net
l5031.com
laaseguradora.com.hn
laiki.com
lakegatherings.com
laplink.com
larrywhitney.com
lasallebank.com
lasegunda.com.ar
lassosoft.com
lata.net
lataxlawyers.com
laurelwoodcabanaclub.com
law.du.edu
lbow.com
leadertech.com
leesummit.k12.mo.us
legendfilms.net
lehman.com
leisi.net
leonardson.com
letec.ch
level3.com
lewtan.com
lexico.com
lexisnexis.com
libertymutual.com
lifeforce.net
lifeisgreat.com.my
limegroup.com
limited.com
lindt.com
linkedin.com
linksynergy.com
linuxbox.org
linuxworldexpo.com
listeneremail.net
listrak.com
livejournal.com
lmig.com
localhost
locke.com
loenardsondesign.com
logmein.com
loreal.com
lorman.com
lorsungs.com
losrios.edu
lotus.com
louiekyte.com
lowes.com
lsoft.com
lund.se
lysekil.se
m0.net
m2.net
macquarie-gpa.com
macromedia.com
maddoc.com
mail.pressezentrum.ch
mailsender.com
main.ch
mainloop.net
makethemaccountable.com
managementsignature.com
managementsignature.net
managementsignature.org
manhattan.edu
manor.ch
manpower.ch
manulife.com
mapletronics.com
maritz.com
marketwatchmail.com
marriott.com
marsh.com
marymaxim.com
massmutual.com
mathworks.com
maupintour.com
maxcash.com
maxcash.com
mbna.com
mbolli.ch
mcdermott.com
mcgill.ca
mcgraw-hill.com
mchenry.edu
mcllc.net
medco.com
mediapost.com
medibank.com
meetup.com
mercer.com
merck.com
merrillcorp.com
messagelabs.com
messagingengine.com
met.co.nz
metalab.unc.edu
metanet.ch
meteoswiss.ch
metisnation.org
metlife.com
metmuseum.org
michigan.gov
microsoft.com
migros.ch
migrosbank.ch
mil
miltnews.com
mindjet.com
minnetonkafootball.org
minnetonkahockey.org
mises.org
missionguatemala.org
missionjamaica.org
misty.com
mit.edu
ml.com
mnhoopstournaments.com
mollfamilymn.com
molndal.se
moneybookers.com
moneycab.com
monster.com
moodys.com
morningstar.com
morsemedia.net
moto-md.com
moto-orthopaedics.com
motocityraceway.com
motorola.com
move.com
moveon.org
mp.pl
mrmouse.ch
ms.com
munichre.de
mupublishing.com
murchison-cumming.com
mus.ch
mutualofamerica.com
mva.ch
mvprelocation.com
mwave.com
mxlogic.net
myabout.com
myfax.com
mypoints.com
mysql.com
mythtv.org
myweather.net
n-space.com
nabertherm.de
namelessnet.com
namelessnet.net
namic.org
nasa.gov
nasd.com
nationalunderwriter.com
nationwide.com
nbc.com
ncmail.net
ncrw.org
ncs.com
nea.org
neckermann.de
nefba.com
nemf.com
nerdsonsite.com
nero.com
nestle.com
net-129-41-0-0-1
netbits.us
netbsd.org
netcloud.ch
netflix.com
netledger.com
netsecdesign.com
networksolutions.com
networksolutionsemail.com
netx.net
newegg.com
newham.gov.uk
newhopefellowship.com
news1-active.com
newsmax.com
nextag.com
nextron.ch
nfs.org
nhs.uk
nicolletplaza.com
nih.gov
nike.com
nine.ch
nintendo-europe.com
nissan-usa.com
njc.ch
nlc.org
noaa.gov
nobel.se
nobleseasonallighting.com
noepostinc.com
nominet.org.uk
nomoscapital.com
nomura.com
norddeutsche.de
nordstrom.com
norrtalje.se
northwesternmutual.com
norwich-union.co.uk
nova.no
novartis.com
novindustra.com
npr.org
npsf.org
nrtc.coop
nu.edu
nutrisystems.com
nvidia.com
nvnews.net
nwa.com
nwma.org
nylb.org
nypost.com
nysscpa.org
nytimes.com
nzz.ch
oasis-open.org
obruo.com
obsmtp.com
oekk.ch
oetiker.ch
officedepot.com
ofoto.com
oki.ch
oknotify2.com
olahracing.net
oneworldphoto.us
online-age.net
openbc.com
openbsd.org
oppenheim.ch
oracle.com
orangexl.com
orbitz.com
orchid.com
oreilly.com
osr.com
otrans.ru
ottawahospital.on.ca
ouac.on.ca
overstock.com
oxijendesign.com
oxyjendesign.com
p-tokyo.nttpc.ne.jp
p0.com
p5000.com
pacificlife.com
paic.com.cn
paintwithprepinc.com
palmgear.com
palmnewsletters.com
pamela-systems.com
pamho.net
panalpina.com
parago.com
parkhotel.ch
partnerre.com
passkey.com
passport.net
pay1040.com
paypal.com
pb.com
pbinews.com
pbs.ch
pchelps.com
pcmag.com
pdi-corp.com
peck-peck.com
pecosconsulting.com
pelicanpointassociation.com
penn-america.com
perskom.se
persoenlich.com
petercox.ie
petersenpages.com
pf.ns.ac.yu
pfadi.ch
phibro.com
philips.com
photocolor.ch
photoworks.com
phxmx.com
pioneerinvestments.com
pirelli.com
pkscargo.pl
plainsconstruction.com
planetmueller.com
platformmarketing.com
platformmarketinginc.com
plaxo.com
pmanet.org
poalim.co.il
policy.ch
pollackassociates.com
pong.ch
porcupine.org
porsche.de
post.ch
postdirect.com
postfix.org
postini.com
postsnet.com
pothe.de
potterybarn.com
powerbandracing.com
powered.com
powerfront.com
powertech.net
ppmenergy.com
premierpostcompany.com
premierunderdecking.com
prepforprep.org
pressetext.at
pressreadydesign.com
prezentacje.edu.pl
priceline.com
primevision.ch
principal.com
printronics.com
printronix.co.uk
printronix.com
printronix.us
prioritymetals.com
prisa.es
processrequest.com
prolifics.com
prometric.com
prorac.com
proteccion.com.co
protusfax.com
prsol.com
prudential.co.uk
prudential.com
ptnx.com
pwc.com
pwhs.org
quakeradio.com
quickbooks.com
quintessenz.at
rabobank.com
raiffeisen.ch
rainbird.com
randomhouse.com
randstad.com
rbc.com
rcmortgage.com
rd.com
rdwarf.net
rebateplus.com
redcedarcanyon.com
redhat.com
rediris.es
reedexpo.com
regdjsh.se
regionsbank.com
register.com
registeredsite.com
reinsurance.org
renaissanceins.com
retarus.de
reunion.com
reuters.com
revenue.ie
ricardo.ch
richemont.cc
ridgeviewassociation.com
riemerinsurance.com
rieter.com
rim.net
riseup.net
rixport80.se
rkexcel.com
rkexcelamerica.com
rl.ac.uk
rmllplaw.com
rms.com
rmwins.com
roadtool.net
roche.com
roe.ch
rolex.com
rootaction.net
rosehosting.com
roving.com
rpslmc.edu
rtc.ch
rtsi.ch
rwth-aachen.de
ryanair.com
s2u2.com
sabre.com
safeco.com
safeway.com
sagamorehotel.com
sagebenefitgroup.com
sagewire.com
saildocs.com
salonmonten.com
samba.org
sametcorp.com
samsung.com
sandhills.biz
sandiegort.com
sans.org
santa-barbara.ca.us
sap-ag.de
sarasin.ch
savannahoaksliving.com
schindler.com
schlagworte.org
schmidbritschgi.ch
schwab.com
scott-sports.com
scout24.ch
scsa.com.br
sctm.tfbnw.net
searchit.com
sears.com
seatlan.com
sec.gov
secaron.de
securecms.com
securityfocus.com
selectacast.net
sellhomesminnesota.com
senate.gov
sendmail.org
serimo.ch
sernet.de
server268.com
serversmiths.com
servicemaster.com
sexandculture.org
sexyads.net
sf-bay.org
sfgh.org
sfgov.org
shakeradio.com
shininglightpictures.com
shoes.com
shootingtarp.com
shopnbc.com
shps.com
shrubbery.net
shu.ac.uk
siemens.ch
siemens.com
sisterwitnessinternational.org
sixapart.com
sjsu.edu
skanska.com
skelleftea.se
skollfoundation.org
sktelecom.com
skyfile-access.com
slashdot.org
slug.org.au
snb.ch
snl.com
so.ch
socgen.com
socialtext.net
sodsolutions.com
songbird.com
sophos.com
sorbs.net
sourceforge.net
southernwine.com
southtrust.com
southwest.com
spamarrest.com
spamassassin.apache.org
spamassassin.org
spamcop.net
spamgourmet.com
spamhaus.org
sparklist.com
sparkpeople.com
speak-tech.com
spi-inc.org
spinelli-group.com
sportslogictech.com
spruengli.ch
spsu.edu
squid-cache.org
srg-ssr.ch
sscinc.com
ssha.ca
staeub.li
stamps.com
standardbank.com
standardlife.com
standardregister.com
standrewsaus.com.au
stanford.edu
stanislausorthopaedics.com
stanislausorthopedics.com
staples.com
star-group.net
starchoicecu.org
starwave.com
state.fl.us
state.ma.us
state.nv.us
state.sc.us
statefarm.com
steinberg.net
steinernet.ch
stenungsund.se
steptoe.com
sterling-mgmt.com
sterlingbenefits.com
stern-montana.com
stockholm.se
su.se
substancechurch.com
sumitomotrustusa.com
summitpartners.com
sumnet.com
sunbelt-software.com
suntrust.com
superb.net
surriel.com
suse.com
suva.ch
svwh.net
swedeclogs.com
swedishcomfort.com
swiretravel.com.tw
swiss.com
swisscom.com
swissinfo.org
swisslife.ch
swissolympic.ch
swissquote.ch
swissre.com
switch.ch
swsoft.com
swx.com
symantec.com
t-mobile.com
talisman-energy.com
tamedia.ch
tamu.edu
target.com
taxact.com
taz.net.au
tcfbank.com
tcs.com
td.com
teddybearparties.com
teddybearparties2u.com
telefloramktcom.com
telegraph.co.uk
telekurs.com
telesma.com.mx
terratec.net
tertianum.ch
textdrive.com
tfbnw.net
tg.ch
thalesgroup.com
thamesreach.org.uk
thawte.com
theclarogroup.com
thefileman.com
thehartford.com
thelakesouthboys.com
thelaw.net
themodelhomedemo.com
thepencegroup.com
thesmartshoppernetwork.com
thirteen.org
thymeonline.com
ticketmaster.com
tigerdirect.com
tigerflow.com
tigeronline.com
tillamookcheese.com
tilllate.com
tinyplanet.ca
tivo.com
tjorn.se
tmcs.net
tmomail.net
tmpw.net
tokiomarine.co.uk
tollesonwealth.com
tonarchiv.ch
topsecretrecipes.com
towtruckpanties.com
toytruckpublishing.com
tparca.org
traffic.com
trash.net
tratt.nu
travelers.com
travelingcoaches.com
travelocity.com
travelzoo.com
treas.gov
treehousei.com
tribune.com
tricktoolz.com
trivadis.com
trumpf.com
truthout.org
trutwins.com
truxstoronline.com
tst.ru
tu-berlin.de
tucows.com
tui.de
tulsaconnect.com
turner.com
tvisiontech.co.uk
twowheelsuperstore.com
tyco.net
tyingtheknotplanning.com
tymetrix.com
tysers.com
ua.edu
ubcinc.net
ubisoft.com
ubs.com
ucla.edu
uddevalla.se
uga.edu
uhcindia.com
uitm.edu.my
ulead.com.tw
umn.edu
un.org
unesco.org
unfi.com
unibas.ch
unibe.ch
unicc.org
unicommerce.net
unigrains.fr
unilever.com
unioncentral.com
unionplanters.com
unisg.ch
unistudios.com
unisys.com
united.com
unitedagencies.com
unitednat.com
univest.net
unizh.ch
unl.edu
unlp.edu.ar
unsw.edu.au
untd.com
uppsala.se
ups.com
usairways.com
usbank-email.com
usbank.com
usdoj.gov
useipi.com
usgs.gov
usi.net
usps.gov
ussa.org
usyd.edu.au
utc.com
utc.edu
uvic.ca
uwaterloo.ca
vandyke.com
vanguard.com
vd.ch
veggiehost.com
ver.lir.dk
verboten.net
verisign.com
verizonwireless.com
vgregion.se
viamichelin.com
virgin.com
virtualpbx.com
visa.com
visana.ch
visarisk.com
visicommedia.info
visionone.ws
visionslovakia.org
vitessere.com
vix.com
voegtlin.com
voguehomesinc.com
vogueicfhomes.com
voipsupply.com
vonage.com
vre.org
vsk.ru
vsnl.com
vzwpix.com
wachovia.com
walgreens.com
walmart.com
wammo.org
wamu.com
wardclaims.com
warnermusic.com
wbcsd.org
wc09.net
wcexec.com
weather.com
webcrossing.com
webex.com
webmd.com
weforum.org
weisshomes.com
wellsfargo.com
wenco.cl
wendyweiman.com
westernunion.com
westgroup.net
westminster.ac.uk
westpac.com.au
wghe.net
wholefoods.com
widderhotel.ch
wikimedia.org
wildlifecomputers.com
wiley.co.uk
wileypub.com
willis.com
windsor-life.co.uk
wine.com
winlink.org
winterguardapparel.com
winthrop.edu
wir.ch
wirz.ch
woodbridgepropertymanagement.com
woodgroup-esp.com
woody.ch
working-minds.com
workman.com
workplaceanswers.com
worleyparsons.com
wshome.com
wsvn.com
wtklaw.com
x2-technologies.net
xactware.com
xephi.com
xerox.com
xlre.com
yahoogroups.com
yodlee.com
yournewsletters.net
youshopgirls.com
youthforum.org
youtube.com
ysa.org
zatz.com
zdnet.com
zf-arts.com
zh.ch
ziffdavis.com
zignago.com
ziogiorgio.it
zionsbank.com
zip2print.com
zixmail.net
zkb.ch
zogby.com
zonetel.com.sg
zork.net
zurich.com




Re: Need a rule written - Can whitelisting be this easy?

Posted by Jeremy Kister <sp...@jeremykister.com>.
On 7/12/2007 5:14 PM, Marc Perkel wrote:

> atx.net

This is a shared domain hosted by an ISP's shared mail servers.  Any
customer of the ISP can have an email address at this domain and each
has permission to send email from it.  This clearly doesn't belong.

> gov
[...]
> grants.gov

does gov mean *.gov. ?  or literally 'gov' ?

if it's *.gov. (like server.whitehouse.gov.) i think that could be a
good idea.  but then why list grants.gov ?

on the same idea of listing *.gov, *.state.[ISO 3166-2].us could be good
too (like server.state.pa.us)

I'm not advocating blind acceptance of mail from these hosts -- but a
point system could be a good idea.

-- 

Jeremy Kister
http://jeremy.kister.net./
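
An added example, not code from any poster in this thread: the forward-confirmed reverse DNS check followed by a label-boundary match against the list, returning points rather than a blind accept, plus a helper that reports entries already covered by a shorter one (the `gov` / `grants.gov` question above). The DNS data is a constructed stub, `HAM_POINTS` is a hypothetical score, and treating an entry as matching itself and every subdomain is an assumption about how the list is meant to work.

```python
import ipaddress

# Constructed stub DNS data (documentation address space) so this runs offline.
PTR_RECORDS = {
    "192.0.2.10": "server.whitehouse.gov.",  # PTR that forward-confirms
    "192.0.2.20": "mail.grants.gov.",        # PTR claims a listed name...
    "192.0.2.30": "mx.notgov.example.",      # forward-confirms, but is not under "gov"
}
A_RECORDS = {
    "server.whitehouse.gov": ["192.0.2.10"],
    "mail.grants.gov": ["198.51.100.7"],     # ...but the name resolves elsewhere
    "mx.notgov.example": ["192.0.2.30"],
}

# Three entries taken from the list posted in the thread.
WHITELIST = {"gov", "grants.gov", "atx.net"}
HAM_POINTS = -2.0  # hypothetical score adjustment, not a SpamAssassin default


def stub_ptr(ip):
    """Stand-in for a PTR lookup; returns a host name or None."""
    return PTR_RECORDS.get(ip)


def stub_a(name):
    """Stand-in for an A lookup; returns a list of address strings."""
    return A_RECORDS.get(name, [])


def normalize(name):
    """Lower-case a host name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def fcrdns(ip, ptr_lookup, a_lookup):
    """Return the verified host name for ip, or None.

    The PTR record is controlled by whoever owns the address block, so the
    name is only trusted if it resolves back to the connecting address.
    """
    name = ptr_lookup(ip)
    if not name:
        return None
    name = normalize(name)
    want = ipaddress.ip_address(ip)
    for addr in a_lookup(name):
        if ipaddress.ip_address(addr) == want:
            return name
    return None


def matching_entry(hostname, whitelist):
    """Return the most specific entry equal to hostname or a parent of it.

    Matching walks whole labels, so "gov" covers "server.whitehouse.gov"
    but never "mx.notgov.example".
    """
    labels = normalize(hostname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in whitelist:
            return candidate
    return None


def redundant_entries(whitelist):
    """Map each entry to a shorter entry that already covers it."""
    covered = {}
    for entry in whitelist:
        if "." not in entry:
            continue
        parent = entry.split(".", 1)[1]
        hit = matching_entry(parent, whitelist)
        if hit:
            covered[entry] = hit
    return covered


def whitelist_score(ip, whitelist, ptr_lookup=stub_ptr, a_lookup=stub_a):
    """Return (points, matched_entry); points are 0.0 unless FCrDNS passes
    and the verified name falls under a list entry."""
    host = fcrdns(ip, ptr_lookup, a_lookup)
    if host is None:
        return 0.0, None
    entry = matching_entry(host, whitelist)
    if entry is None:
        return 0.0, None
    return HAM_POINTS, entry


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.99"):
        print(ip, whitelist_score(ip, WHITELIST))
    print("redundant:", redundant_entries(WHITELIST))
```
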

Re: Need a rule written - Can whitelisting be this easy?

Posted by SM <sm...@resistor.net>.
At 14:14 12-07-2007, Marc Perkel wrote:
>Here's my list so far. These are host names - not from addresses. So 
>it matches *.hostname.com

I have seen spam and viruses originating from some of the domains you listed.

Regards,
-sm 


Re: Need a rule written - Can whitelisting be this easy?

Posted by Marc Perkel <ma...@perkel.com>.
Here's my list so far. These are host names - not from addresses. So it 
matches *.hostname.com

I could use more to add to the list.

printronix.co.uk
printronix.com
printronix.us
prioritymetals.com
prisa.es
processrequest.com
prolifics.com
prometric.com
prorac.com
proteccion.com.co
protusfax.com
prsol.com
prudential.co.uk
prudential.com
ptnx.com
pwc.com
pwhs.org
quakeradio.com
quickbooks.com
quintessenz.at
rabobank.com
raiffeisen.ch
rainbird.com
randomhouse.com
randstad.com
rbc.com
rcmortgage.com
rd.com
rdwarf.net
rebateplus.com
redcedarcanyon.com
redhat.com
rediris.es
reedexpo.com
regdjsh.se
regionsbank.com
register.com
registeredsite.com
reinsurance.org
renaissanceins.com
retarus.de
reunion.com
reuters.com
revenue.ie
ricardo.ch
richemont.cc
ridgeviewassociation.com
riemerinsurance.com
rieter.com
rim.net
riseup.net
rixport80.se
rkexcel.com
rkexcelamerica.com
rl.ac.uk
rmllplaw.com
rms.com
rmwins.com
roadtool.net
roche.com
roe.ch
rolex.com
rootaction.net
rosehosting.com
roving.com
rpslmc.edu
rtc.ch
rtsi.ch
rwth-aachen.de
ryanair.com
s2u2.com
sabre.com
safeco.com
safeway.com
sagamorehotel.com
sagebenefitgroup.com
sagewire.com
saildocs.com
salonmonten.com
samba.org
sametcorp.com
samsung.com
sandhills.biz
sandiegort.com
sans.org
santa-barbara.ca.us
sap-ag.de
sarasin.ch
savannahoaksliving.com
schindler.com
schlagworte.org
schmidbritschgi.ch
schwab.com
scott-sports.com
scout24.ch
scsa.com.br
sctm.tfbnw.net
searchit.com
sears.com
seatlan.com
sec.gov
secaron.de
securecms.com
securityfocus.com
selectacast.net
sellhomesminnesota.com
senate.gov
sendmail.org
serimo.ch
sernet.de
server268.com
serversmiths.com
servicemaster.com
sexandculture.org
sexyads.net
sf-bay.org
sfgh.org
sfgov.org
shakeradio.com
shininglightpictures.com
shoes.com
shootingtarp.com
shopnbc.com
shps.com
shrubbery.net
shu.ac.uk
siemens.ch
siemens.com
sisterwitnessinternational.org
sixapart.com
sjsu.edu
skanska.com
skelleftea.se
skollfoundation.org
sktelecom.com
skyfile-access.com
slashdot.org
slug.org.au
snb.ch
snl.com
so.ch
socgen.com
socialtext.net
sodsolutions.com
songbird.com
sophos.com
sorbs.net
sourceforge.net
southernwine.com
southtrust.com
southwest.com
spamarrest.com
spamassassin.apache.org
spamassassin.org
spamcop.net
spamgourmet.com
spamhaus.org
sparklist.com
sparkpeople.com
speak-tech.com
spi-inc.org
spinelli-group.com
sportslogictech.com
spruengli.ch
spsu.edu
squid-cache.org
srg-ssr.ch
sscinc.com
ssha.ca
staeub.li
stamps.com
standardbank.com
standardlife.com
standardregister.com
standrewsaus.com.au
stanford.edu
stanislausorthopaedics.com
stanislausorthopedics.com
staples.com
star-group.net
starchoicecu.org
starwave.com
state.fl.us
state.ma.us
state.nv.us
state.sc.us
statefarm.com
steinberg.net
steinernet.ch
stenungsund.se
steptoe.com
sterling-mgmt.com
sterlingbenefits.com
stern-montana.com
stockholm.se
su.se
substancechurch.com
sumitomotrustusa.com
summitpartners.com
sumnet.com
sunbelt-software.com
suntrust.com
superb.net
surriel.com
suse.com
suva.ch
svwh.net
swedeclogs.com
swedishcomfort.com
swiretravel.com.tw
swiss.com
swisscom.com
swissinfo.org
swisslife.ch
swissolympic.ch
swissquote.ch
swissre.com
switch.ch
swsoft.com
swx.com
symantec.com
t-mobile.com
talisman-energy.com
tamedia.ch
tamu.edu
target.com
taxact.com
taz.net.au
tcfbank.com
tcs.com
td.com
teddybearparties.com
teddybearparties2u.com
telefloramktcom.com
telegraph.co.uk
telekurs.com
telesma.com.mx
terratec.net
tertianum.ch
textdrive.com
tfbnw.net
tg.ch
thalesgroup.com
thamesreach.org.uk
thawte.com
theclarogroup.com
thefileman.com
thehartford.com
thelakesouthboys.com
thelaw.net
themodelhomedemo.com
thepencegroup.com
thesmartshoppernetwork.com
thirteen.org
thymeonline.com
ticketmaster.com
tigerdirect.com
tigerflow.com
tigeronline.com
tillamookcheese.com
tilllate.com
tinyplanet.ca
tivo.com
tjorn.se
tmcs.net
tmomail.net
tmpw.net
tokiomarine.co.uk
tollesonwealth.com
tonarchiv.ch
topsecretrecipes.com
towtruckpanties.com
toytruckpublishing.com
tparca.org
traffic.com
trash.net
tratt.nu
travelers.com
travelingcoaches.com
travelocity.com
travelzoo.com
treas.gov
treehousei.com
tribune.com
tricktoolz.com
trivadis.com
trumpf.com
truthout.org
trutwins.com
truxstoronline.com
tst.ru
tu-berlin.de
tucows.com
tui.de
tulsaconnect.com
turner.com
tvisiontech.co.uk
twowheelsuperstore.com
tyco.net
tyingtheknotplanning.com
tymetrix.com
tysers.com
ua.edu
ubcinc.net
ubisoft.com
ubs.com
ucla.edu
uddevalla.se
uga.edu
uhcindia.com
uitm.edu.my
ulead.com.tw
umn.edu
un.org
unesco.org
unfi.com
unibas.ch
unibe.ch
unicc.org
unicommerce.net
unigrains.fr
unilever.com
unioncentral.com
unionplanters.com
unisg.ch
unistudios.com
unisys.com
united.com
unitedagencies.com
unitednat.com
univest.net
unizh.ch
unl.edu
unlp.edu.ar
unsw.edu.au
untd.com
uppsala.se
ups.com
usairways.com
usbank-email.com
usbank.com
usdoj.gov
useipi.com
usgs.gov
usi.net
usps.gov
ussa.org
usyd.edu.au
utc.com
utc.edu
uvic.ca
uwaterloo.ca
vandyke.com
vanguard.com
vd.ch
veggiehost.com
ver.lir.dk
verboten.net
verisign.com
verizonwireless.com
vgregion.se
viamichelin.com
virgin.com
virtualpbx.com
visa.com
visana.ch
visarisk.com
visicommedia.info
visionone.ws
visionslovakia.org
vitessere.com
vix.com
voegtlin.com
voguehomesinc.com
vogueicfhomes.com
voipsupply.com
vonage.com
vre.org
vsk.ru
vsnl.com
vzwpix.com
wachovia.com
walgreens.com
walmart.com
wammo.org
wamu.com
wardclaims.com
warnermusic.com
wbcsd.org
wc09.net
wcexec.com
weather.com
webcrossing.com
webex.com
webmd.com
weforum.org
weisshomes.com
wellsfargo.com
wenco.cl
wendyweiman.com
westernunion.com
westgroup.net
westminster.ac.uk
westpac.com.au
wghe.net
wholefoods.com
widderhotel.ch
wikimedia.org
wildlifecomputers.com
wiley.co.uk
wileypub.com
willis.com
windsor-life.co.uk
wine.com
winlink.org
winterguardapparel.com
winthrop.edu
wir.ch
wirz.ch
woodbridgepropertymanagement.com
woodgroup-esp.com
woody.ch
working-minds.com
workman.com
workplaceanswers.com
worleyparsons.com
wshome.com
wsvn.com
wtklaw.com
x2-technologies.net
xactware.com
xephi.com
xerox.com
xlre.com
yahoogroups.com
yodlee.com
yournewsletters.net
youshopgirls.com
youthforum.org
youtube.com
ysa.org
zatz.com
zdnet.com
zf-arts.com
zh.ch
ziffdavis.com
zignago.com
ziogiorgio.it
zionsbank.com
zip2print.com
zixmail.net
zkb.ch
zogby.com
zonetel.com.sg
zork.net
zurich.com


Re: Need a rule written - Can whitelisting be this easy?

Posted by Meng Weng Wong <me...@pobox.com>.
On Jul 12, 2007, at 12:35 PM, Per Jessen wrote:
>
> Yeah, me too.  I have a pretty decent list of whitelist_from_rcvd
> statements that is exactly that.  If Marc can provide such a list, we
> might have something worth discussing.
>

Would you be willing to share your whitelist with the public?

For privacy, might be best to leave out the localparts and just  
publish the domains.





Re: Need a rule written - Can whitelisting be this easy?

Posted by Per Jessen <pe...@computer.org>.
Loren Wilton wrote:

> I think what Marc is saying is that he is creating a global whitelist.

Yeah, me too.  I have a pretty decent list of whitelist_from_rcvd
statements that is exactly that.  If Marc can provide such a list, we
might have something worth discussing. 

> Presumably that machine (being an occasional spammer) would not get
> itself on a whitelist, or would get itself removed pretty quickly. 

Well, it would get on to the whitelist_from_rcvd list with little
difficulty.  


/Per Jessen, Zürich


Re: Need a rule written - Can whitelisting be this easy?

Posted by Loren Wilton <lw...@earthlink.net>.
> How about this one:
>
> Client IP is 213.200.218.50 - reverse lookup returns mail.specogna.ch.
> Lookup mail.specogna.ch returns 213.200.218.50.  Looks good.
> Lookup mail.specogna.ch.junkemailfilter.com - (what does this tell me,
> regardless of what it returns?)
> But let's assume mail.specogna.ch.junkemailfilter.com does return
> 127.0.0.1 - it means nothing wrt ham/spam.  That mail-server is
> occasionally being used by a spambot sat on an internal machine at that
> company.

I think what Marc is saying is that he is creating a global whitelist. 
Presumably that machine (being an occasional spammer) would not get itself 
on a whitelist, or would get itself removed pretty quickly.  So presumably 
127.0.0.1 is supposed to mean something relative to ham/spam for a given 
host, and the only trick is to be sure that the host id isn't forged.

        Loren



Re: Need a rule written - Can whitelisting be this easy?

Posted by John Rudd <jr...@ucsc.edu>.
Ken A wrote:

> or maybe a bot, who knows.. unless you establish with some confidence 
> that the IP used sends ham only, you have nothing. According to ARIN, 
> wellsfargo.com has 151.151.0.0/16 at least.. probably more. You really 
> think you can trust 65534 hosts, so long as somebody set up the DNS 
> properly?


IMO, you can't/shouldn't trust any host you don't directly control.

Everyone else either IS an adversary, or is vulnerable to being 
manipulated by an adversary.  That may seem a little paranoid, but it 
has served me well over the years.

They don't get into my trusted networks, and I'm surely not going to put 
them into my whitelists, nor trust hosts just because they got put into 
a global whitelist.


Re: Need a rule written - Can whitelisting be this easy?

Posted by Ken A <ka...@pacific.net>.
Per Jessen wrote:
> Ken A wrote:
> 
>>> Nope, that's not correct.  It's being sent by a Wells Fargo mail
>>> server, that is all.
>>>
>> or maybe a bot, who knows.. unless you establish with some confidence
>> that the IP used sends ham only, you have nothing. 
> 
> My point exactly. And even if you do "establish with some confidence",
> how much confidence is that really?
> 

Confidence is everything, whether it's ham or spam, whether you are 
looking at DNS, Content, or any statistical value you come up with. 
That's why SA is so great, because you can combine things like the 
Botnet plugin and various content checks and all sorts of things into a 
score that represents a confidence.

M. Perkel tends towards oversimplification and curious 'marketing-like' 
subject lines that get threads like this one going. Sometimes it's 
interesting, but usually not. ymmv.

Ken


> 
> /Per Jessen, Zürich
> 


-- 
Ken Anderson
Pacific.Net

Re: Need a rule written - Can whitelisting be this easy?

Posted by Per Jessen <pe...@computer.org>.
Ken A wrote:

>> Nope, that's not correct.  It's being sent by a Wells Fargo mail
>> server, that is all.
>> 
> 
> or maybe a bot, who knows.. unless you establish with some confidence
> that the IP used sends ham only, you have nothing. 

My point exactly. And even if you do "establish with some confidence",
how much confidence is that really?


/Per Jessen, Zürich


Re: Need a rule written - Can whitelisting be this easy?

Posted by Ken A <ka...@pacific.net>.
Per Jessen wrote:
> Marc Perkel wrote:
> 
>> What I have is a database of a few thousand big domains who never send
>> spam. Banks, Credit Card companies, airlines, and other big
>> businesses. 
> 
> I think "big domains who never send spam" is an oxymoron.  I don't think
> that is a valuable criterion at all.  
> 
>> Once the host is verified as not being spoofed RDNS then 
>> for example the host is *.wellsfargo.com then it's from Wells Fargo
>> Bank.
> 
> Nope, that's not correct.  It's being sent by a Wells Fargo mail server,
> that is all.
> 

or maybe a bot, who knows.. unless you establish with some confidence 
that the IP used sends ham only, you have nothing. According to ARIN, 
wellsfargo.com has 151.151.0.0/16 at least.. probably more. You really 
think you can trust 65534 hosts, so long as somebody set up the DNS 
properly?

Ken


> 
> /Per Jessen, Zürich
> 


-- 
Ken Anderson
Pacific.Net

Re: Need a rule written - Can whitelisting be this easy?

Posted by Per Jessen <pe...@computer.org>.
Marc Perkel wrote:

> What I have is a database of a few thousand big domains who never send
> spam. Banks, Credit Card companies, airlines, and other big
> businesses. 

I think "big domains who never send spam" is an oxymoron.  I don't think
that is a valuable criterion at all.  

> Once the host is verified as not being spoofed RDNS then 
> for example the host is *.wellsfargo.com then it's from Wells Fargo
> Bank.

Nope, that's not correct.  It's being sent by a Wells Fargo mail server,
that is all.


/Per Jessen, Zürich


Re: Need a rule written - Can whitelisting be this easy?

Posted by Marc Perkel <ma...@perkel.com>.

Per Jessen wrote:
> Marc Perkel wrote:
>
>   
>> 1) Take the IP of the connecting host and do an RDNS lookup to get the
>> name. 
>> 2) Verify that the name that was looked up resolves to the same 
>> IP address. 
>> 3) Look up the name in this dns list === 
>> example.com.hostdomain.junkemailfilter.com
>> 4) if it returns 127.0.0.1 - it's ham
>>
>> Let's say the sending host is 69.50.231.2
>>
>> RDNS of 69.50.231.2 is 2.ctyme.com
>> Looking up 2.ctyme.com returns 69.50.231.2 ---- MATCH!
>> Lookup 2.ctyme.com.hostdomain.junkemailfilter.com - returns 127.0.0.1
>> - It's HAM!
>>
>> That's all there is to it.
>>     
>
> Uh, why? 
>
> How about this one:
>
> Client IP is 213.200.218.50 - reverse lookup returns mail.specogna.ch. 
> Lookup mail.specogna.ch returns 213.200.218.50.  Looks good.
> Lookup mail.specogna.ch.junkemailfilter.com - (what does this tell me,
> regardless of what it returns?) 
> But let's assume mail.specogna.ch.junkemailfilter.com does return
> 127.0.0.1 - it means nothing wrt ham/spam.  That mail-server is
> occasionally being used by a spambot sat on an internal machine at that
> company. 
>
>
> /Per Jessen, Zürich
>
>
>   

What I have is a database of a few thousand big domains who never send 
spam. Banks, Credit Card companies, airlines, and other big businesses. 
Once the host is verified as not being spoofed RDNS then for example the 
host is *.wellsfargo.com then it's from Wells Fargo Bank.

I'm using it with Exim now and about 80% of ham is identified this way 
allowing me to bypass SA and reduce system load and improve accuracy.

Re: Need a rule written - Can whitelisting be this easy?

Posted by Per Jessen <pe...@computer.org>.
Marc Perkel wrote:

> 1) Take the IP of the connecting host and do an RDNS lookup to get the
> name. 
> 2) Verify that the name that was looked up resolves to the same 
> IP address. 
> 3) Look up the name in this dns list === 
> example.com.hostdomain.junkemailfilter.com
> 4) if it returns 127.0.0.1 - it's ham
> 
> Let's say the sending host is 69.50.231.2
> 
> RDNS of 69.50.231.2 is 2.ctyme.com
> Looking up 2.ctyme.com returns 69.50.231.2 ---- MATCH!
> Lookup 2.ctyme.com.hostdomain.junkemailfilter.com - returns 127.0.0.1
> - It's HAM!
> 
> That's all there is to it.

Uh, why? 

How about this one:

Client IP is 213.200.218.50 - reverse lookup returns mail.specogna.ch. 
Lookup mail.specogna.ch returns 213.200.218.50.  Looks good.
Lookup mail.specogna.ch.junkemailfilter.com - (what does this tell me,
regardless of what it returns?) 
But let's assume mail.specogna.ch.junkemailfilter.com does return
127.0.0.1 - it means nothing wrt ham/spam.  That mail-server is
occasionally being used by a spambot sat on an internal machine at that
company. 


/Per Jessen, Zürich
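
The four-step check discussed in this thread (reverse lookup, forward confirmation, then a query against the whitelist zone), written out as an added Python example; it is not code from any poster or from SpamAssassin. The DNS answers are constructed tables rather than live lookups, mail.bank.example and the 203.0.113.9/192.0.2.10 addresses are made up, and the function names and verdict labels are this example's own.

```python
"""FCrDNS check followed by a DNS whitelist lookup, run against constructed data."""
import ipaddress

WHITELIST_ZONE = "hostdomain.junkemailfilter.com"  # zone named in the thread
LISTED = "127.0.0.1"                               # "listed" answer per the thread

# Constructed records standing in for live DNS (assumed sample data).
PTR_RECORDS = {
    "69.50.231.2": ["2.ctyme.com."],
    "213.200.218.50": ["mail.specogna.ch."],
    "203.0.113.9": ["mail.bank.example."],     # PTR is set by whoever runs the reverse zone
}
A_RECORDS = {
    "2.ctyme.com": ["69.50.231.2"],
    "mail.specogna.ch": ["213.200.218.50"],
    "mail.bank.example": ["192.0.2.10"],       # forward zone disagrees with the PTR
    "2.ctyme.com." + WHITELIST_ZONE: [LISTED],
}


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def fcrdns_names(client_ip, ptr_lookup, a_lookup):
    """Return the PTR names of client_ip whose forward lookup includes client_ip."""
    ip = ipaddress.ip_address(client_ip)
    confirmed = []
    for name in map(normalize, ptr_lookup(str(ip))):
        for addr in a_lookup(name):
            try:
                if ipaddress.ip_address(addr) == ip:
                    confirmed.append(name)
                    break
            except ValueError:
                continue  # malformed address in an answer: ignore it
    return confirmed


def classify(client_ip, ptr_lookup, a_lookup, zone=WHITELIST_ZONE):
    """Steps 1-4 of the proposal. Returns (verdict, hostname or None)."""
    names = fcrdns_names(client_ip, ptr_lookup, a_lookup)
    if not names:
        return ("unverified", None)            # no PTR, or PTR not confirmed forward
    for name in names:
        if LISTED in a_lookup(f"{name}.{zone}"):
            return ("listed", name)            # identifies the host, not the message
    return ("verified-unlisted", names[0])


def ptr_lookup(ip):
    return PTR_RECORDS.get(ip, [])


def a_lookup(name):
    return A_RECORDS.get(normalize(name), [])
```

A "listed" verdict says only which host handed over the mail, which is the objection raised above; in a scoring filter it would feed a score rather than bypass other checks.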