Posted to users@spamassassin.apache.org by Sean Lynch <se...@literati.org> on 2019/06/30 16:08:48 UTC
Scoring by registrar?
Hi, everyone! I used to run my own mail servers back in the mid '90s and
even worked as the postmaster for a regional ISP and worked on mail
servers for some large corporations and even a small national ISP as a
consultant. After a hiatus where I drank the hosted email kool-aid, I'm
back to hosting my own email. At the moment I'm using a combination of
SMTP-time DNSBL and other checks and SpamAssassin at delivery time for
spam filtering. Very few spams are even making it to SpamAssassin, but
many that do make it all the way through into my inbox.
A very large number (nearly all, in fact) of the spams I receive these
days involve domains registered with Namecheap. I've received hundreds
of spams involving .icu domains from what appear to be the same spammer.
I also receive a large number of scams impersonating Bitmain, again
using domains involving Namecheap.
While Namecheap does suspend at least some domains within days of their
being used in a campaign, it's clear that these are being treated as
single-use domains, so this has very little impact on the spammers.
Since for whatever reason they're so attractive to spammers that they
seem to be a nearly universal choice, at least for spams I get, I'd like
to add a spam score to any message using a domain registered with them.
Does such functionality already exist in SpamAssassin? Is there an RHSBL
or some other simple mechanism I could use to look up the registrar for
a domain?
Re: Scoring by registrar?
Posted by Sean Lynch <se...@literati.org>.
On 6/30/19 11:05 AM, John Hardin wrote:
> On Sun, 30 Jun 2019, Sean Lynch wrote:
>
>> A very large number (nearly all, in fact) of the spams I receive
>> these days involve domains registered with Namecheap.
>
>> I'd like to add a spam score to any message using a domain registered
>> with them.
>>
>> Does such functionality already exist in SpamAssassin? Is there an
>> RHSBL or some other simple mechanism I could use to look up the
>> registrar for a domain?
>
> There's really no infrastructure for it. Somebody would have to hook
> into the registrar data feeds to collect it and publish it in a usable
> form, and nobody has done so that I am aware of.
>
> A decade ago I wrote a plugin that used whois to try to do this as an
> experiment. The big drawback is: actually doing this could easily be
> considered abuse of the whois system and could easily get you
> blacklisted. This is *not* recommended for production use.
>
> http://www.impsec.org/~jhardin/antispam/registrar_scoring/
>
> This is just for illustration. I *strongly* discourage using this in
> anything other than a limited test environment (assuming it even still
> works).
I've been wary of just querying whois for precisely this reason. Maybe
rate-limited queries along with greylisting to give time to do the lookup?
>
> If you had access to the registrar feeds you might be able to write
> something that used that data which would not be considered abusive.
>
> Is there anybody in the SA user community who does have access to the
> raw registrar feeds?
This would be lovely. Turning it into a DNS-based service would be even
better!
Thanks for the response!
Re: Scoring by registrar?
Posted by John Hardin <jh...@impsec.org>.
On Sun, 30 Jun 2019, Grant Taylor wrote:
> On 6/30/19 12:05 PM, John Hardin wrote:
>> There's really no infrastructure for it. Somebody would have to hook into
>> the registrar data feeds to collect it and publish it in a usable form, and
>> nobody has done so that I am aware of.
>
> Whois Domain Search has some information.
>
> Link - Whois Domain Search
> - http://whoisds.com/
>
> They provide an API and an ability to download copies of their database.
>
> I'm downloading their free newly registered domain list. It's only a list of
> domains registered in the last day and they have 10 (?) days worth available
> for download.
>
>> A decade ago I wrote a plugin that used whois to try to do this as an
>> experiment. The big drawback is: actually doing this could easily be
>> considered abuse of the whois system and could easily get you blacklisted.
>> This is *not* recommended for production use.
>>
>> http://www.impsec.org/~jhardin/antispam/registrar_scoring/
>>
>> This is just for illustration. I *strongly* discourage using this in
>> anything other than a limited test environment (assuming it even still
>> works).
>
> Interesting. I'll have to read and assimilate your work. I'm sure I'll
> learn many things. Thank you for sharing. :-)
>
> If I were ever to implement something like this, I would NOT blindly do the
> Whois query directly for each incoming email. I would query a local service
> that cached information (as in committed to disk) and have that service fetch
> information about domains that it didn't have information on.
Which is what that does.
> I might even make such a system periodically check to see if things like DNS
> servers had changed and then refresh the cache on demand as necessary.
I don't remember if I implemented cache expiry.
> I agree that blindly and directly doing a Whois query for each and every
> incoming email would cause some people to get upset. Not to mention the
> performance and latency implications.
Well, for each domain not seen [yet|recently].
>> If you had access to the registrar feeds you might be able to write
>> something that used that data which would not be considered abusive.
>
> I think that's exactly the type of data that Whois Domain Search is selling,
> and why they are selling it.
Right. I neglected to mention above that the data *was* available for $$$,
as I presumed we were discussing this in the context of a free service.
>> Is there anybody in the SA user community who does have access to the raw
>> registrar feeds?
>
> I don't. But I think Whois Domain Search offers trial options.
>
> No, I'm not affiliated with Whois Domain Search. I simply download their
> free list of domains registered yesterday each day. }:-) Not that I've
> actually done anything with that data yet. But that's a different problem.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Are you a mildly tech-literate politico horrified by the level of
ignorance demonstrated by lawmakers gearing up to regulate online
technology they don't even begin to grasp? Cool. Now you have a
tiny glimpse into a day in the life of a gun owner. -- Sean Davis
-----------------------------------------------------------------------
4 days until the 243rd anniversary of the Declaration of Independence
Re: Scoring by registrar?
Posted by Paul Stead <pa...@gmail.com>.
On Mon, 1 Jul 2019 at 06:38, Sean Lynch <se...@literati.org> wrote:
> It's pretty useful already. If you're able to get the name of the
> registrar from that service, I think it might make a useful spam signal
> since some registrars seem to be a lot more popular with spammers than
> others.
>
Not really, essentially it's access to the zonefile, so no more information
available than doing an "NS" DNS lookup
Re: Scoring by registrar?
Posted by Sean Lynch <se...@literati.org>.
On 6/30/19 9:41 PM, Paul Stead wrote:
> On Sun, 30 Jun 2019 at 19:46, Sean Lynch <seanl@literati.org
> <ma...@literati.org>> wrote:
>
>
> On 6/30/19 11:40 AM, Grant Taylor wrote:
> > On 6/30/19 12:05 PM, John Hardin wrote:
> >> There's really no infrastructure for it. Somebody would have to
> hook
> >> into the registrar data feeds to collect it and publish it in a
> >> usable form, and nobody has done so that I am aware of.
> >
> > Whois Domain Search has some information.
> >
> > Link - Whois Domain Search
> > - http://whoisds.com/
> >
> > They provide an API and an ability to download copies of their
> database.
> >
> > I'm downloading their free newly registered domain list. It's
> only a
> > list of domains registered in the last day and they have 10 (?)
> days
> > worth available for download.
>
> I wonder if that's the list fresh.fmb.la <http://fresh.fmb.la> uses?
>
>
> fresh.fmb.la <http://fresh.fmb.la> uses the CZDS service from ICANN to
> create the fresh list - is there anything I could do to make the BL
> more useful?
>
It's pretty useful already. If you're able to get the name of the
registrar from that service, I think it might make a useful spam signal
since some registrars seem to be a lot more popular with spammers than
others.
Re: Scoring by registrar?
Posted by Paul Stead <pa...@gmail.com>.
On Sun, 30 Jun 2019 at 19:46, Sean Lynch <se...@literati.org> wrote:
>
> On 6/30/19 11:40 AM, Grant Taylor wrote:
> > On 6/30/19 12:05 PM, John Hardin wrote:
> >> There's really no infrastructure for it. Somebody would have to hook
> >> into the registrar data feeds to collect it and publish it in a
> >> usable form, and nobody has done so that I am aware of.
> >
> > Whois Domain Search has some information.
> >
> > Link - Whois Domain Search
> > - http://whoisds.com/
> >
> > They provide an API and an ability to download copies of their database.
> >
> > I'm downloading their free newly registered domain list. It's only a
> > list of domains registered in the last day and they have 10 (?) days
> > worth available for download.
>
> I wonder if that's the list fresh.fmb.la uses?
>
fresh.fmb.la uses the CZDS service from ICANN to create the fresh list - is
there anything I could do to make the BL more useful?
Paul
Re: Scoring by registrar?
Posted by Sean Lynch <se...@literati.org>.
On 6/30/19 11:40 AM, Grant Taylor wrote:
> On 6/30/19 12:05 PM, John Hardin wrote:
>> There's really no infrastructure for it. Somebody would have to hook
>> into the registrar data feeds to collect it and publish it in a
>> usable form, and nobody has done so that I am aware of.
>
> Whois Domain Search has some information.
>
> Link - Whois Domain Search
> - http://whoisds.com/
>
> They provide an API and an ability to download copies of their database.
>
> I'm downloading their free newly registered domain list. It's only a
> list of domains registered in the last day and they have 10 (?) days
> worth available for download.
I wonder if that's the list fresh.fmb.la uses?
>
>> A decade ago I wrote a plugin that used whois to try to do this as an
>> experiment. The big drawback is: actually doing this could easily be
>> considered abuse of the whois system and could easily get you
>> blacklisted. This is *not* recommended for production use.
>>
>> http://www.impsec.org/~jhardin/antispam/registrar_scoring/
>>
>> This is just for illustration. I *strongly* discourage using this in
>> anything other than a limited test environment (assuming it even
>> still works).
>
> Interesting. I'll have to read and assimilate your work. I'm sure
> I'll learn many things. Thank you for sharing. :-)
>
> If I were ever to implement something like this, I would NOT blindly
> do the Whois query directly for each incoming email. I would query a
> local service that cached information (as in committed to disk) and
> have that service fetch information about domains that it didn't have
> information on.
>
> I might even make such a system periodically check to see if things
> like DNS servers had changed and then refresh the cache on demand as
> necessary.
>
> I agree that blindly and directly doing a Whois query for each and
> every incoming email would cause some people to get upset. Not to
> mention the performance and latency implications.
>
>> If you had access to the registrar feeds you might be able to write
>> something that used that data which would not be considered abusive.
>
> I think that's exactly the type of data that Whois Domain Search is
> selling, and why they are selling it.
>
>> Is there anybody in the SA user community who does have access to the
>> raw registrar feeds?
>
> I don't. But I think Whois Domain Search offers trial options.
>
> No, I'm not affiliated with Whois Domain Search. I simply download
> their free list of domains registered yesterday each day. }:-) Not
> that I've actually done anything with that data yet. But that's a
> different problem.
With fresh.fmb.la, the raw data is a little less useful unless you want
better resolution than a week at a time. It might be useful for finding
and reporting Bitmain lookalike domains before they get used in spam blasts.
I might find it worth it to sign up for one of their services if I can
use it to offer some useful service such as a DNSBL to others. I'll need
to check their subscriber agreement. Thanks for pointing it out!
Re: Scoring by registrar?
Posted by Grant Taylor <gt...@tnetconsulting.net>.
On 6/30/19 12:05 PM, John Hardin wrote:
> There's really no infrastructure for it. Somebody would have to hook
> into the registrar data feeds to collect it and publish it in a usable
> form, and nobody has done so that I am aware of.
Whois Domain Search has some information.
Link - Whois Domain Search
- http://whoisds.com/
They provide an API and an ability to download copies of their database.
I'm downloading their free newly registered domain list. It's only a
list of domains registered in the last day and they have 10 (?) days
worth available for download.
> A decade ago I wrote a plugin that used whois to try to do this as an
> experiment. The big drawback is: actually doing this could easily be
> considered abuse of the whois system and could easily get you
> blacklisted. This is *not* recommended for production use.
>
> http://www.impsec.org/~jhardin/antispam/registrar_scoring/
>
> This is just for illustration. I *strongly* discourage using this in
> anything other than a limited test environment (assuming it even still
> works).
Interesting. I'll have to read and assimilate your work. I'm sure I'll
learn many things. Thank you for sharing. :-)
If I were ever to implement something like this, I would NOT blindly do
the Whois query directly for each incoming email. I would query a local
service that cached information (as in committed to disk) and have that
service fetch information about domains that it didn't have information on.
I might even make such a system periodically check to see if things like
DNS servers had changed and then refresh the cache on demand as necessary.
I agree that blindly and directly doing a Whois query for each and every
incoming email would cause some people to get upset. Not to mention the
performance and latency implications.
> If you had access to the registrar feeds you might be able to write
> something that used that data which would not be considered abusive.
I think that's exactly the type of data that Whois Domain Search is
selling, and why they are selling it.
> Is there anybody in the SA user community who does have access to the
> raw registrar feeds?
I don't. But I think Whois Domain Search offers trial options.
No, I'm not affiliated with Whois Domain Search. I simply download
their free list of domains registered yesterday each day. }:-) Not
that I've actually done anything with that data yet. But that's a
different problem.
--
Grant. . . .
unix || die
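The caching design sketched in the post above (a local service that commits what it has learned to disk, asks upstream only for domains it has no record of, and expires entries so changed data is refreshed), together with the rate-limited lookups suggested earlier in the thread, as an added example. This is illustrative code written for this page, not John Hardin's plugin or anything from the SpamAssassin project; the `fetch` callable standing in for a registrar lookup, the table layout, the TTL values and the sample domains are all constructed assumptions.

```python
import sqlite3
import time
from typing import Callable, Optional

# Callable that performs the expensive upstream lookup and returns the
# registrar name, or None when nothing is known. Assumed interface; a real
# deployment would wrap a feed or API that its terms of service allow.
Fetcher = Callable[[str], Optional[str]]


class RegistrarCache:
    """Disk-backed cache in front of a registrar lookup.

    - upstream is queried only for domains that are missing or expired
    - "nothing known" answers are cached too (negative caching), so a
      repeated miss does not trigger a repeated upstream query
    - upstream queries are budgeted per time window; once the budget is
      spent, the cache answers from stale data or returns None instead of
      querying, so a burst of unseen domains degrades to "no signal"
      rather than to a flood of upstream traffic
    """

    def __init__(self, path: str, fetch: Fetcher, ttl: float = 7 * 86400,
                 neg_ttl: float = 86400, budget: int = 60, window: float = 60.0,
                 clock: Callable[[], float] = time.time) -> None:
        self.db = sqlite3.connect(path)  # ":memory:" for tests, a file path in use
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS registrar ("
            "domain TEXT PRIMARY KEY, registrar TEXT, fetched_at REAL NOT NULL)"
        )
        self.fetch, self.ttl, self.neg_ttl = fetch, ttl, neg_ttl
        self.budget, self.window, self.clock = budget, window, clock
        self.window_start, self.window_count = clock(), 0
        self.upstream_calls = 0

    def _allow_upstream(self) -> bool:
        """Fixed-window rate limit on upstream lookups."""
        now = self.clock()
        if now - self.window_start >= self.window:
            self.window_start, self.window_count = now, 0
        if self.window_count >= self.budget:
            return False
        self.window_count += 1
        return True

    def lookup(self, domain: str) -> Optional[str]:
        """Return the registrar for domain, consulting upstream only on a miss."""
        domain = domain.strip().strip(".").lower()
        now = self.clock()
        row = self.db.execute(
            "SELECT registrar, fetched_at FROM registrar WHERE domain = ?", (domain,)
        ).fetchone()
        if row is not None:
            registrar, fetched_at = row
            # Negative answers expire sooner so a newly registered domain
            # does not stay "unknown" for a whole week.
            ttl = self.ttl if registrar is not None else self.neg_ttl
            if now - fetched_at < ttl:
                return registrar
        if not self._allow_upstream():
            # Over budget: serve the stale record if there is one, else no signal.
            return row[0] if row is not None else None
        registrar = self.fetch(domain)
        self.upstream_calls += 1
        self.db.execute(
            "INSERT OR REPLACE INTO registrar (domain, registrar, fetched_at) VALUES (?, ?, ?)",
            (domain, registrar, now),
        )
        self.db.commit()
        return registrar


if __name__ == "__main__":
    # Constructed sample data standing in for an upstream registrar feed.
    SAMPLE = {"example-a.icu": "Example Registrar A"}
    cache = RegistrarCache(":memory:", SAMPLE.get, budget=2)
    for d in ["example-a.icu", "example-a.icu", "example-b.icu", "example-b.icu", "example-c.icu"]:
        print(d, "->", cache.lookup(d))
    print("upstream calls:", cache.upstream_calls)  # 2: one per unseen domain, third blocked by budget
```

The clock is injectable so the expiry and budget logic can be exercised without sleeping; in service the defaults use `time.time`. Whether a message is scored while a lookup is still pending (the greylisting idea raised earlier in the thread) is left to the caller: `lookup` simply returns `None` when it has no answer.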
Re: Scoring by registrar?
Posted by John Hardin <jh...@impsec.org>.
On Sun, 30 Jun 2019, Sean Lynch wrote:
> A very large number (nearly all, in fact) of the spams I receive these days
> involve domains registered with Namecheap.
> I'd like to add a spam score to any message using a domain registered
> with them.
>
> Does such functionality already exist in SpamAssassin? Is there an RHSBL or
> some other simple mechanism I could use to look up the registrar for a
> domain?
There's really no infrastructure for it. Somebody would have to hook into
the registrar data feeds to collect it and publish it in a usable form,
and nobody has done so that I am aware of.
A decade ago I wrote a plugin that used whois to try to do this as an
experiment. The big drawback is: actually doing this could easily be
considered abuse of the whois system and could easily get you blacklisted.
This is *not* recommended for production use.
http://www.impsec.org/~jhardin/antispam/registrar_scoring/
This is just for illustration. I *strongly* discourage using this in
anything other than a limited test environment (assuming it even still
works).
If you had access to the registrar feeds you might be able to write
something that used that data which would not be considered abusive.
Is there anybody in the SA user community who does have access to the raw
registrar feeds?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
If Microsoft made hammers, everyone would whine about how poorly
screws were designed and about how they are hard to hammer in, and
wonder why it takes so long to paint a wall using the hammer.
-----------------------------------------------------------------------
4 days until the 243rd anniversary of the Declaration of Independence
Re: Scoring by registrar?
Posted by Sean Lynch <se...@literati.org>.
On 6/30/19 11:00 AM, Grant Taylor wrote:
> On 6/30/19 10:08 AM, Sean Lynch wrote:
>> Hi, everyone! I used to run my own mail servers back in the mid '90s
>> and even worked as the postmaster for a regional ISP and worked on
>> mail servers for some large corporations and even a small national
>> ISP as a consultant. After a hiatus where I drank the hosted email
>> kool-aid, I'm back to hosting my own email.
>
> Welcome back to the fray. :-)
>
>> At the moment I'm using a combination of SMTP-time DNSBL and other
>> checks and SpamAssassin at delivery time for spam filtering. Very few
>> spams are even making it to SpamAssassin, but many that do make it
>> all the way through into my inbox.
>
> :-(
>
>> A very large number (nearly all, in fact) of the spams I receive
>> these days involve domains registered with Namecheap. I've received
>> hundreds of spams involving .icu domains from what appear to be the
>> same spammer. I also receive a large number of scams impersonating
>> Bitmain, again using domains involving Namecheap.
>
> Is Namecheap just the registrar? Or are they also hosting the DNS
> service?
Ah, I should have mentioned that. Unfortunately, they're just the
registrar. I suspect the spammers use DNS servers they can update
quickly, but since it's slower to update NS records and glue records,
the nameserver IPs and names might make interesting extra signals to
score on.
>
>> While Namecheap does suspend at least some domains within days of
>> their being used in a campaign, it's clear that these are being
>> treated as single-use domains, so this has very little impact on the
>> spammers. Since for whatever reason they're so attractive to spammers
>> that they seem to be a nearly universal choice, at least for spams I
>> get, I'd like to add a spam score to any message using a domain
>> registered with them.
>>
>> Does such functionality already exist in SpamAssassin? Is there an
>> RHSBL or some other simple mechanism I could use to look up the
>> registrar for a domain?
>
> I'm not sure how to check for Namecheap as the domain registrar. I
> think it should be relatively easy to check if the Namecheap is being
> used for the DNS service by checking what DNS servers are used.
> Perhaps you could alter the score that way.
>
> I think you could likely take this a step further and use something
> like BIND's features to alter responses to DNS queries based on the
> DNS server the information comes from. Meaning you could break email
> from domains using specific DNS servers. }:-) This means that you
> could configure your MTA to require valid DNS (which it should be
> doing anyway). Thus your email server would not accept email from
> domains that use Namecheap DNS servers. }:-D
>
> I think there are also lists of domains that have been recently
> registered. Which might help if the single use domains were recently
> registered.
>
I do plan to set up a DNS server at some point in order to implement my
own DNSBLs among other things.
About 1/3 of both the .icu and Bitmain spams do hit one of the
FROM_FMBLA_NEWDOM rules. I've bumped the scores up for those so that any
recently-registered .icu domain will always go to my junk folder.
One of my goals is to incentivize Namecheap to make themselves less
attractive to spammers. Having one person use their being the registrar
as a spam signal doesn't accomplish that, but inspiring many people to
might.
Even better would be to use signals like that as an SMTP-time test so
that senders will (hopefully) see a bounce message that says they need
to register with dnswl.org if they want to be able to send email from a
Namecheap-registered domain. I should probably investigate mtpolicyd a
little more closely; right now I just use policyd-spf-python to reject
any messages that fail SPF, but that catches almost nothing because the
spammers who are able to get past the DNSBLs I use typically have set up
all the right records for their throwaway domains, including SPF and DKIM.
Re: Scoring by registrar?
Posted by Paul Stead <pa...@gmail.com>.
On Mon, 1 Jul 2019 at 16:17, RW <rw...@googlemail.com> wrote:
>
> On the site they have:
>
> Query    Response     Name     Meaning
> domain   127.2.0.2    fresh    Domain registered in last 7 days
> domain   127.2.0.14   fresh14  Domain registered in last 7-14 days
>
> there's no mention of the 127.2.0.28 result, but from the previous line
> it looks like NEWDOM28 would be 14-28.
>
>
This. I've updated the site to reflect the 127.2.0.28 return (NEWDOM28)
Paul
Re: Scoring by registrar?
Posted by RW <rw...@googlemail.com>.
On Mon, 01 Jul 2019 07:45:23 -0700
Sean Lynch wrote:
> On July 1, 2019 7:22:58 AM PDT, micah anderson <mi...@riseup.net>
> wrote:
> >Sean Lynch <se...@literati.org> writes:
> >
> >>>Having such a list would be very helpful for dealing with fast
> >>>flux.
> >>
> >> SA already has this. It used fresh.fmb.la to detect domains
> >registered within the past couple of weeks.
> >
> >It does? Do I need to enable something to get that?
>
> I got the test via sa-update, and it's a network check so they have
> to be enabled. It's the FROM_FMBLA_NEWDOM, FROM_FMBLA_NEWDOM14, and
> FROM_FMBLA_NEWDOM28 rules. Though since fresh.fmb.la only returns 0-7
> days and 7-14 days and I've only seen NEWDOM and NEWDOM28 fire I
> think NEWDOM28 may actually mean 7-14 days. Or the fresh.fmb.la docs
> are out of date. The maintainer is on this list and can probably
> comment.
On the site they have:
Query    Response     Name     Meaning
domain   127.2.0.2    fresh    Domain registered in last 7 days
domain   127.2.0.14   fresh14  Domain registered in last 7-14 days
there's no mention of the 127.2.0.28 result, but from the previous line
it looks like NEWDOM28 would be 14-28.
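The RHSBL return codes discussed in the two posts above (127.2.0.2 and 127.2.0.14 from the fresh.fmb.la site, 127.2.0.28 confirmed by the list maintainer), decoded into the SpamAssassin rule names Sean mentions, as an added example written for this page rather than code from fresh.fmb.la or from the SpamAssassin ruleset. It assumes the usual RHSBL query form (the sender's domain prepended to the zone name); the 14-28 day meaning of 127.2.0.28 is the thread's inference, the `resolve` callable is an injection point so the code runs offline, and the fake zone data is constructed.

```python
import ipaddress
import socket
from email.utils import parseaddr
from typing import Callable, List, Optional, Tuple

ZONE = "fresh.fmb.la"

# Return code -> (SpamAssassin rule that fires, meaning). The first two rows
# are quoted from the site in the thread; the third was confirmed by the
# maintainer, with the age window inferred from the other two.
RETURN_CODES = {
    "127.2.0.2":  ("FROM_FMBLA_NEWDOM",   "registered in the last 7 days"),
    "127.2.0.14": ("FROM_FMBLA_NEWDOM14", "registered 7-14 days ago"),
    "127.2.0.28": ("FROM_FMBLA_NEWDOM28", "registered 14-28 days ago (inferred)"),
}

# Resolver interface: query name -> list of A-record strings ([] when unlisted).
Resolver = Callable[[str], List[str]]


def system_resolve(qname: str) -> List[str]:
    """Resolve qname with the system resolver; an NXDOMAIN means 'not listed'."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(qname, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def rhsbl_query_name(domain: str, zone: str = ZONE) -> str:
    """Build the RHSBL query name (assumed convention: domain prepended to zone)."""
    return f"{domain.strip().strip('.').lower()}.{zone}"


def sender_domain(header_value: str) -> str:
    """Host part of a From: header value. A production check would reduce this
    to the registrable domain with a public suffix list; this helper does not."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2]


def fmbla_lookup(domain: str, resolve: Resolver = system_resolve) -> Optional[Tuple[str, str]]:
    """Return (rule_name, meaning) if the domain is listed, else None."""
    for addr in resolve(rhsbl_query_name(domain)):
        ip = ipaddress.ip_address(addr)
        if ip not in ipaddress.ip_network("127.0.0.0/8"):
            # A DNSBL answering outside 127/8 has been parked, shut down or
            # wildcarded; treat it as "no signal" rather than scoring on it.
            return None
        hit = RETURN_CODES.get(addr)
        if hit is not None:
            return hit
    return None


def fmbla_rule(domain: str, resolve: Resolver = system_resolve) -> Optional[str]:
    """Just the rule name, or None when the domain is not listed."""
    hit = fmbla_lookup(domain, resolve)
    return hit[0] if hit else None


# Constructed fixture standing in for the zone; not real fresh.fmb.la data.
FAKE_ZONE = {
    "newdom-example.icu.fresh.fmb.la":    ["127.2.0.2"],
    "twoweeks-example.icu.fresh.fmb.la":  ["127.2.0.14"],
    "fourweeks-example.icu.fresh.fmb.la": ["127.2.0.28"],
    "parked-list.example.fresh.fmb.la":   ["203.0.113.7"],  # wildcard-style answer
}


def fake_resolve(qname: str) -> List[str]:
    return FAKE_ZONE.get(qname, [])


if __name__ == "__main__":
    for hdr in ['Sender <bob@NewDom-Example.icu>', 'x@old-example.org', 'y@parked-list.example']:
        print(hdr, "->", fmbla_lookup(sender_domain(hdr), fake_resolve))
```

Against the live zone you would drop the `resolve` argument; the 127/8 sanity check is the part worth keeping in any DNSBL client, since a list that stops answering with loopback-range codes is no longer saying what its documentation claims.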
Re: Scoring by registrar?
Posted by Sean Lynch <se...@literati.org>.
On July 1, 2019 7:22:58 AM PDT, micah anderson <mi...@riseup.net> wrote:
>Sean Lynch <se...@literati.org> writes:
>
>>>Having such a list would be very helpful for dealing with fast flux.
>>
>> SA already has this. It used fresh.fmb.la to detect domains
>registered within the past couple of weeks.
>
>It does? Do I need to enable something to get that?
I got the test via sa-update, and it's a network check so they have to be enabled. It's the FROM_FMBLA_NEWDOM, FROM_FMBLA_NEWDOM14, and FROM_FMBLA_NEWDOM28 rules. Though since fresh.fmb.la only returns 0-7 days and 7-14 days and I've only seen NEWDOM and NEWDOM28 fire I think NEWDOM28 may actually mean 7-14 days. Or the fresh.fmb.la docs are out of date. The maintainer is on this list and can probably comment.
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: Scoring by registrar?
Posted by micah anderson <mi...@riseup.net>.
Sean Lynch <se...@literati.org> writes:
>>Having such a list would be very helpful for dealing with fast flux.
>
> SA already has this. It used fresh.fmb.la to detect domains registered within the past couple of weeks.
It does? Do I need to enable something to get that?
--
micah
Re: Scoring by registrar?
Posted by Sean Lynch <se...@literati.org>.
On July 1, 2019 5:44:37 AM PDT, micah anderson <mi...@riseup.net> wrote:
>Grant Taylor <gt...@tnetconsulting.net> writes:
>
>>> A very large number (nearly all, in fact) of the spams I receive
>these
>>> days involve domains registered with Namecheap. I've received
>hundreds
>>> of spams involving .icu domains from what appear to be the same
>spammer.
>>> I also receive a large number of scams impersonating Bitmain, again
>>> using domains involving Namecheap.
>>
>> Is Namecheap just the registrar? Or are they also hosting the DNS
>service?
>
>As a Namecheap customer, you are making me want to move. That is good,
>but it's also something you should consider, before you block the entire
>registrar: there are a significant number of non-spamming Namecheap
>customers that you would be cutting off if you did this. I understand
>you want to put pressure on Namecheap, but the flip side of that is you
>will be cutting yourself off from those domains in the process.
Like all SA rules, registrar would be just one of many signals, so Namecheap customers would only be cut off if their emails or IPs seem spammy in other ways. And there's always the option of registering with dnswl.org.
>>> While Namecheap does suspend at least some domains within days of
>their
>>> being used in a campaign, it's clear that these are being treated as
>
>>> single-use domains, so this has very little impact on the spammers.
>
>This sounds like Fast Flux - and it is not something that happens only
>on Namecheap.
>
>> I think there are also lists of domains that have been recently
>> registered. Which might help if the single use domains were recently
>
>> registered.
>
>Having such a list would be very helpful for dealing with fast flux.
SA already has this. It used fresh.fmb.la to detect domains registered within the past couple of weeks.
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: Scoring by registrar?
Posted by John Hardin <jh...@impsec.org>.
On Mon, 1 Jul 2019, micah anderson wrote:
> Grant Taylor <gt...@tnetconsulting.net> writes:
>
> As a Namecheap customer, you are making me want to move. That is good,
> but it's also something you should consider, before you block the entire
> registrar: there are a significant number of non-spamming Namecheap
> customers that you would be cutting off if you did this. I understand
> you want to put pressure on Namecheap, but the flip side of that is you
> will be cutting yourself off from those domains in the process.
Note: I don't think "poison pill" treatment is being advocated here, just
"another spam sign along with the rest"...
>> I think there are also lists of domains that have been recently
>> registered. Which might help if the single use domains were recently
>> registered.
>
> Having such a list would be very helpful for dealing with fast flux.
Day Old Bread et al.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The yardstick you should use when considering whether to support a
given piece of legislation is "what if my worst enemy is chosen to
administer this law?"
-----------------------------------------------------------------------
3 days until the 243rd anniversary of the Declaration of Independence
Re: Scoring by registrar?
Posted by Grant Taylor <gt...@tnetconsulting.net>.
On 7/1/19 4:32 PM, Sean Lynch wrote:
> I think fast flux came up in reference to a speculation I'd made
> regarding why the spammers were using their own nameservers rather than
> Namecheap's.
Ah.
> I don't think it's particularly off-base to refer to rapid registration
> of new domains as fast flux.
I can't agree to that.
Fast Flux is a technique used within a given domain name. Not something
that is done across domain names.
Infoblox has a good article that refers to changing IPs behind a domain.
This is decidedly not multiple domain names.
Link - What is a Fast Flux?
- https://www.infoblox.com/glossary/fast-flux/
As for rapidly registering domains, I'm seeing an average of 106,608 new
domains registered a day. So, even if a bad actor registers 1,000 new
domains, that's only 1% of the overall daily registration.
> In fact, I'm pretty sure support for this, and slowness in taking down
> domains (though they do often take them down eventually at least),
> are why Namecheap is so popular.
That may very well be the case. But I think that "fast flux" is the
wrong term for it.
> As I mentioned, filtering using fresh.fmb.la catches about 1/3 of the
> domains. Fortunately, since they're actually using their own servers and
> not a botnet, blocking their netblock catches the rest, though it's not
> my preference since it will cause collateral damage (even though
> registering with dnswl.org is an easy way around that), it's manual, and
> it only helps my 3 users. Incentivizing Namecheap to move faster on
> these would benefit a lot more people.
ACK
--
Grant. . . .
unix || die
Re: Scoring by registrar?
Posted by Sean Lynch <se...@literati.org>.
On 7/1/19 3:13 PM, Grant Taylor wrote:
> On 7/1/19 6:44 AM, micah anderson wrote:
>> This sounds like Fast Flux
>
> How is this fast flux?
>
> I thought fast flux was rapidly updating A records on the DNS server
> (for a given qname) or updating NS records with the registrar for a
> single given domain.
>
> It sounds to me like Sean was talking about wanting to identify which of
> many domains had a common registrar. This doesn't sound like fast
> flux—as I understand it—to me.
>
>> Having such a list would be very helpful for dealing with fast flux.
>
> How is what the OP's talking about related to fast flux?
I think fast flux came up in reference to a speculation I'd made
regarding why the spammers were using their own nameservers rather than
Namecheap's. I don't think it's particularly off-base to refer to rapid
registration of new domains as fast flux. In fact, I'm pretty sure
support for this, and slowness in taking down domains (though they do
often take them down eventually at least), are why Namecheap is so popular.
As I mentioned, filtering using fresh.fmb.la catches about 1/3 of the
domains. Fortunately, since they're actually using their own servers and
not a botnet, blocking their netblock catches the rest, though it's not
my preference since it will cause collateral damage (even though
registering with dnswl.org is an easy way around that), it's manual, and
it only helps my 3 users. Incentivizing Namecheap to move faster on
these would benefit a lot more people.
Re: Scoring by registrar?
Posted by Grant Taylor <gt...@tnetconsulting.net>.
On 7/1/19 6:44 AM, micah anderson wrote:
> This sounds like Fast Flux
How is this fast flux?
I thought fast flux was rapidly updating A records on the DNS server
(for a given qname) or updating NS records with the registrar for a
single given domain.
It sounds to me like Sean was talking about wanting to identify which of
many domains had a common registrar. This doesn't sound like fast
flux—as I understand it—to me.
> Having such a list would be very helpful for dealing with fast flux.
How is what the OP's talking about related to fast flux?
--
Grant. . . .
unix || die
Re: Scoring by registrar?
Posted by micah anderson <mi...@riseup.net>.
Grant Taylor <gt...@tnetconsulting.net> writes:
>> A very large number (nearly all, in fact) of the spams I receive these
>> days involve domains registered with Namecheap. I've received hundreds
>> of spams involving .icu domains from what appear to be the same spammer.
>> I also receive a large number of scams impersonating Bitmain, again
>> using domains involving Namecheap.
>
> Is Namecheap just the registrar? Or are they also hosting the DNS service?
As a Namecheap customer, you are making me want to move. That is good,
but its also something you should consider, before you block the entire
registrar: there are a significant number of non-spamming Namecheap
customers that you would be cutting off if you did this. I understand
you want to put pressure on Namecheap, but the flip side of that is you
will be cutting yourself off from those domains in the process.
>> While Namecheap does suspend at least some domains within days of their
>> being used in a campaign, it's clear that these are being treated as
>> single-use domains, so this has very little impact on the spammers.
This sounds like Fast Flux - and it is not something that happens only
on Namecheap.
> I think there are also lists of domains that have been recently
> registered. Which might help if the single use domains were recently
> registered.
Having such a list would be very helpful for dealing with fast flux.
--
micah
Re: Scoring by registrar?
Posted by Grant Taylor <gt...@tnetconsulting.net>.
On 6/30/19 10:08 AM, Sean Lynch wrote:
> Hi, everyone! I used to run my own mail servers back in the mid '90s and
> even worked as the postmaster for a regional ISP and worked on mail
> servers for some large corporations and even a small national ISP as a
> consultant. After a hiatus where I drank the hosted email kool-aid, I'm
> back to hosting my own email.
Welcome back to the fray. :-)
> At the moment I'm using a combination of SMTP-time DNSBL and other
> checks and SpamAssassin at delivery time for spam filtering. Very
> few spams are even making it to SpamAssassin, but many that do make
> it all the way through into my inbox.
:-(
> A very large number (nearly all, in fact) of the spams I receive these
> days involve domains registered with Namecheap. I've received hundreds
> of spams involving .icu domains from what appear to be the same spammer.
> I also receive a large number of scams impersonating Bitmain, again
> using domains involving Namecheap.
Is Namecheap just the registrar? Or are they also hosting the DNS service?
> While Namecheap does suspend at least some domains within days of their
> being used in a campaign, it's clear that these are being treated as
> single-use domains, so this has very little impact on the spammers.
> Since for whatever reason they're so attractive to spammers that they
> seem to be a nearly universal choice, at least for spams I get, I'd like
> to add a spam score to any message using a domain registered with them.
>
> Does such functionality already exist in SpamAssassin? Is there an RHSBL
> or some other simple mechanism I could use to look up the registrar for
> a domain?
I'm not sure how to check for Namecheap as the domain registrar. I
think it should be relatively easy to check if the Namecheap is being
used for the DNS service by checking what DNS servers are used. Perhaps
you could alter the score that way.
I think you could likely take this a step further and use something like
BIND's features to alter responses to DNS queries based on the DNS
server the information comes from. Meaning you could break email from
domains using specific DNS servers. }:-) This means that you could
configure your MTA to require valid DNS (which it should be doing
anyway). Thus your email server would not accept email from domains
that use Namecheap DNS servers. }:-D
I think there are also lists of domains that have been recently
registered. Which might help if the single use domains were recently
registered.
--
Grant. . . .
unix || die
Re: Scoring by registrar?
Posted by John Hardin <jh...@impsec.org>.
On Sun, 30 Jun 2019, Sean Lynch wrote:
> On June 30, 2019 11:20:33 AM PDT, John Hardin <jh...@impsec.org> wrote:
>
>> ...and if the same IP address is a regular abuser that never sends any
>> legitimate traffic, tarpit them:
>>
>> http://www.impsec.org/~jhardin/antispam/spammer-firewall
>
> I do like the idea of tarpitting spammers, because I want to drive up
> the cost of spamming. I haven't been able to find even anecdotal
> evidence that it causes them any genuine pain beyond just sleeping
> though since they tend to have very aggressive timeouts.
Anecdotal tarpit evidence from a *very* small MTA:
25/tcp (smtp): 5 host(s), 98 connection(s)
1 185.16.204.92
6 193.56.28.33
10 185.234.219.100
20 37.72.168.198
61 193.169.252.171
If enough people were doing this I believe it would have an impact.
> postscreen's short sleep during its two-line greeting seems to cause a
> lot of spammers to hang up, or they try saying HELO too early and
> postscreen blocks them.
I do that, too. :)
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Are you a mildly tech-literate politico horrified by the level of
ignorance demonstrated by lawmakers gearing up to regulate online
technology they don't even begin to grasp? Cool. Now you have a
tiny glimpse into a day in the life of a gun owner. -- Sean Davis
-----------------------------------------------------------------------
4 days until the 243rd anniversary of the Declaration of Independence
Re: Scoring by registrar?
Posted by Sean Lynch <se...@literati.org>.
On June 30, 2019 11:20:33 AM PDT, John Hardin <jh...@impsec.org> wrote:
>On Sun, 30 Jun 2019, Grant Taylor wrote:
>
>> On 6/30/19 10:51 AM, Martin Gregorie wrote:
>>> If you don't mind a delay in receiving mail from hosts you've never
>seen
>>> before, why not implement a greylister?
>>>
>>> https://en.wikipedia.org/wiki/Greylisting
>>
>> I see your GreyListing and raise you NoListing:
>>
>> https://en.wikipedia.org/wiki/Nolisting
>>
>> TL;DR: NoListing works by having an MX record that either does not
>respond
>> to TCP connections for SMTP, or sends TCP Resets. Thus causing RFC
>compliant
>> DNS servers to move on to the next priority MX in short order.
NoListing concerns me for two reasons: first, it causes everyone to have to try twice regardless of reputation. Second, Bad Things will happen if I do anything punitive on the highest preference MX and my primary and secondary go down. With greylisting, I can at least whitelist anyone registered with dnswl.org, etc. A greylist server could also whitelist an entire domain once any of its servers passes, if SPF is set up.
>
>...and if the same IP address is a regular abuser that never sends any
>legitimate traffic, tarpit them:
>
> http://www.impsec.org/~jhardin/antispam/spammer-firewall
I do like the idea of tarpitting spammers, because I want to drive up the cost of spamming. I haven't been able to find even anecdotal evidence that it causes them any genuine pain beyond just sleeping though since they tend to have very aggressive timeouts. postscreen's short sleep during its two-line greeting seems to cause a lot of spammers to hang up, or they try saying HELO too early and postscreen blocks them.
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: Scoring by registrar?
Posted by John Hardin <jh...@impsec.org>.
On Sun, 30 Jun 2019, Grant Taylor wrote:
> On 6/30/19 10:51 AM, Martin Gregorie wrote:
>> If you don't mind a delay in receiving mail from hosts you've never seen
>> before, why not implement a greylister?
>>
>> https://en.wikipedia.org/wiki/Greylisting
>
> I see your GreyListing and raise you NoListing:
>
> https://en.wikipedia.org/wiki/Nolisting
>
> TL;DR: NoListing works by having an MX record that either does not respond
> to TCP connections for SMTP, or sends TCP Resets. Thus causing RFC compliant
> DNS servers to move on to the next priority MX in short order.
...and if the same IP address is a regular abuser that never sends any
legitimate traffic, tarpit them:
http://www.impsec.org/~jhardin/antispam/spammer-firewall
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The focus of our education system is
the transfer of tax dollars between politicians and unions.
Educating children is its waste product. -- Frank Fleming
-----------------------------------------------------------------------
4 days until the 243rd anniversary of the Declaration of Independence
Re: Scoring by registrar?
Posted by Grant Taylor <gt...@tnetconsulting.net>.
On 6/30/19 10:51 AM, Martin Gregorie wrote:
> If you don't mind a delay in receiving mail from hosts you've never seen
> before, why not implement a greylister?
>
> https://en.wikipedia.org/wiki/Greylisting
I see your GreyListing and raise you NoListing:
https://en.wikipedia.org/wiki/Nolisting
TL;DR: NoListing works by having an MX record that either does not
respond to TCP connections for SMTP, or sends TCP Resets. Thus causing
RFC compliant DNS servers to move on to the next priority MX in short order.
I find that this cuts out a LOT of crap without most (if not all) of the
problems generally associated with GreyListing.
· It's stateless
· It doesn't care where the retries come from
· It's RFC compliant, no grey area
· It allows fast retries.
· Nothing prevents the same server from trying the next MX immediately.
· There aren't issues with "You must wait X number of minutes".
· There is no mechanism in SMTP to indicate how long to wait.
· Servers can try the next MX immediately
I also highly recommend something like Junk Email Filter's Project
Tar(baby) as a high order MX.
Link - Project Tar
- http://wiki.junkemailfilter.com/index.php/Project_tarbaby
While you're at it, consider using Junk Email Filter's Spam DNS Lists to
filter bad actors learned via Project Tar.
Link - Spam DNS Lists
- http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists
--
Grant. . . .
unix || die
Re: Scoring by registrar?
Posted by Sean Lynch <se...@literati.org>.
On 6/30/19 9:51 AM, Martin Gregorie wrote:
> On Sun, 2019-06-30 at 09:08 -0700, Sean Lynch wrote:
>> A very large number (nearly all, in fact) of the spams I receive
>> these days involve domains registered with Namecheap. I've received
>> hundreds of spams involving .icu domains from what appear to be the
>> same spammer.
>>
> Write a local rule that adds points for mails from .icu
Such a rule already exists. I've bumped up its score already.
>
>> I also receive a large number of scams impersonating Bitmain, again
>> using domains involving Namecheap.
>>
> As above, but for Bitmain.
Thanks. I'm aware I can do this.
>
>> While Namecheap does suspend at least some domains within days of
>> their being used in a campaign, it's clear that these are being
>> treated as single-use domains, so this has very little impact on the
>> spammers. Since for whatever reason they're so attractive to spammers
>> that they seem to be a nearly universal choice, at least for spams I
>> get, I'd like to add a spam score to any message using a domain
>> registered with them.
>>
> If you don't mind a delay in receiving mail from hosts you've never seen
> before, why not implement a greylister?
>
> https://en.wikipedia.org/wiki/Greylisting
Thanks. I'm aware of greylisting already.
>
> Does such functionality already exist in SpamAssassin?
>
> Defining local rules has always been possible.
Thanks. I'm aware of this. I was asking what functionality exists, if
any, for determining who a domain's registrar is.
>
> Greylisters are used to front end your MTA, so work independently of
> Spamassassin.
>
> I find combinations of rules can be surprisingly specific, e.g. to catch
> sales spam:
>
> - write a rule that contains a list of selling terms with a very small
> positive score (0.001)
> - write another rule that contains a list of products pushed by
> spammers, again with a very small positive score
> - write a meta rule that triggers only when both the previous rules
> are hit and give it a significant score
>
> If you avoid sales terms and product names/descriptions that are in
> common use the meta rule will cause few false positives.
Thanks. As I said, been using SpamAssassin (and generally fighting spam)
for years, so I'm already aware of this.
>
> Martin
>
>
Re: Scoring by registrar?
Posted by Martin Gregorie <ma...@gregorie.org>.
On Sun, 2019-06-30 at 09:08 -0700, Sean Lynch wrote:
> A very large number (nearly all, in fact) of the spams I receive
> these days involve domains registered with Namecheap. I've received
> hundreds of spams involving .icu domains from what appear to be the
> same spammer.
>
Write a local rule that adds points for mails from .icu
> I also receive a large number of scams impersonating Bitmain, again
> using domains involving Namecheap.
>
As above, but for Bitmain.
> While Namecheap does suspend at least some domains within days of
> their being used in a campaign, it's clear that these are being
> treated as single-use domains, so this has very little impact on the
> spammers. Since for whatever reason they're so attractive to spammers
> that they seem to be a nearly universal choice, at least for spams I
> get, I'd like to add a spam score to any message using a domain
> registered with them.
>
If you don't mind a delay in receiving mail from hosts you've never seen
before, why not implement a greylister?
https://en.wikipedia.org/wiki/Greylisting
> Does such functionality already exist in SpamAssassin?
>
Defining local rules has always been possible.
Greylisters are used to front end your MTA, so work independently of
Spamassassin.
I find combinations of rules can be surprisingly specific, e.g. to catch
sales spam:
- write a rule that contains a list of selling terms with a very small
positive score (0.001)
- write another rule that contains a list of products pushed by
spammers, again with a very small positive score
- write a meta rule that triggers only when both the previous rules
are hit and give it a significant score
If you avoid sales terms and product names/descriptions that are in
common use the meta rule will cause few false positives.
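The local rules Martin describes (a .icu rule plus the two-low-score-rules-and-a-meta pattern), as an added local.cf fragment that is not from his post; the rule names, regexes and scores are placeholders chosen for illustration.

```spamassassin
# Added example, not from the thread. Drop into /etc/mail/spamassassin/local.cf
# (or any *.cf read by SpamAssassin). Rule names and patterns are placeholders.

# Rule for mail whose From: address is in the .icu TLD.
# From:addr restricts the match to the address part of the header.
header   LOCAL_FROM_ICU        From:addr =~ /\.icu$/i
describe LOCAL_FROM_ICU        Sender address is in the .icu TLD
score    LOCAL_FROM_ICU        1.5

# Rule 1: sales-pitch phrasing. Score 0.001 rather than 0, because a score
# of 0 disables a rule and it could then not feed the meta rule.
body     LOCAL_SALES_TERMS     /\b(?:limited[- ]time offer|act now|buy direct|lowest price)\b/i
describe LOCAL_SALES_TERMS     Common sales-pitch phrasing
score    LOCAL_SALES_TERMS     0.001

# Rule 2: products pushed by spammers (placeholder list; avoid terms in
# everyday legitimate use to keep false positives low).
body     LOCAL_SPAMMY_PRODUCTS /\b(?:hosted mining rig|hash rate contract|discount pharmacy)\b/i
describe LOCAL_SPAMMY_PRODUCTS Product names commonly pushed by spammers
score    LOCAL_SPAMMY_PRODUCTS 0.001

# Meta rule: only fires when both low-score rules hit, and carries the
# significant score. Each component alone adds only 0.001.
meta     LOCAL_SALES_SPAM      (LOCAL_SALES_TERMS && LOCAL_SPAMMY_PRODUCTS)
describe LOCAL_SALES_SPAM      Sales phrasing combined with a spam-pushed product
score    LOCAL_SALES_SPAM      3.0
```

Run `spamassassin --lint` after adding the rules to catch syntax errors, and `spamassassin -t < sample.eml` to see which of them hit on a saved message.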
Martin