Posted to users@spamassassin.apache.org by Noah Meyerhans <fr...@morgul.net> on 2011/08/23 01:13:03 UTC

blacklist based on authoritative nameservers of sender domain

I've recently observed a fair amount of spam from domains that all share
the same set of authoritative nameservers.  It occurred to me that it
might be nice to be able to blacklist mail from all domains sharing
these nameservers, or maybe to simply have that trait count toward the
spam score.  I don't believe there's currently a plugin to allow this
sort of thing.  Is that correct?  If so, would anybody be interested in
one if I was to write it?  Or am I missing something obvious that makes
this not worth doing?  I realize that the potential for collateral
damage is high, so I don't think it'd be wise to try and publish any
sort of data for such a plugin, but it seems like the plugin itself
might be occasionally useful...

noah


Re: blacklist based on authoritative nameservers of sender domain

Posted by SM <sm...@resistor.net>.
At 16:52 22-08-2011, Adam Katz wrote:
>You can't do whois en-masse (I'd love that, but ...), so this means an
>NS host lookup.  To determine if they are authoritative, that's another
>lookup (which I don't believe is necessary).  A blocklist would also be
>another lookup (if using a BL, it could check the authoritativeness),
>but I don't think that's completely necessary either.

You don't need to use Whois.  You already have the data:

; ANSWER SECTION:
apache.org.         1800    IN      A       140.211.11.131

;; AUTHORITY SECTION:
apache.org.             86398   IN      NS      ns2.no-ip.com.
apache.org.             86398   IN      NS      ns1.eu.bitnames.com.
apache.org.             86398   IN      NS      ns2.surfnet.nl.
apache.org.             86398   IN      NS      ns1.us.bitnames.com.

It's been a while since I tested this.  If I recall correctly, it was 
prone to false positives.  You might be able to do some scoring 
instead of blacklisting.

Regards,
-sm 


Re: blacklist based on authoritative nameservers of sender domain

Posted by Axb <ax...@gmail.com>.
On 2011-08-23 2:21, darxus@chaosreigns.com wrote:
> On 08/22, Adam Katz wrote:
>>> this not worth doing?  I realize that the potential for collateral
>>> damage is high, so I don't think it'd be wise to try and publish any
>>> sort of data for such a plugin, but it seems like the plugin itself
>>> might be occasionally useful...
>>
>> It might be useful, but we'd have to test it to know.
>
> I just wanted to point out we have the infrastructure for testing this,
> via mass-checks:
> http://wiki.apache.org/spamassassin/NightlyMassCheck
>
> You create the plugin and a blacklist, open a bug to get somebody to
> add it to trunk (the development branch of spamassassin), it gets run
> with mass-check, not only collecting stats on its effectiveness, but
> also calculating an optimal score to use for it.
>
>
> The ASRG (anti-spam research group) may or may not be useful to talk to
> about new ways to deal with spam.

create plugin? It's been in the URIBL plugin for quite a while

URIBL.com makes use of it: "URIBL_BLACK_NS"

http://www.uribl.com/usage.shtml


Re: blacklist based on authoritative nameservers of sender domain

Posted by da...@chaosreigns.com.
On 08/22, Adam Katz wrote:
> > this not worth doing?  I realize that the potential for collateral
> > damage is high, so I don't think it'd be wise to try and publish any
> > sort of data for such a plugin, but it seems like the plugin itself
> > might be occasionally useful...
> 
> It might be useful, but we'd have to test it to know.

I just wanted to point out we have the infrastructure for testing this,
via mass-checks:
http://wiki.apache.org/spamassassin/NightlyMassCheck

You create the plugin and a blacklist, open a bug to get somebody to
add it to trunk (the development branch of spamassassin), it gets run
with mass-check, not only collecting stats on its effectiveness, but
also calculating an optimal score to use for it.


The ASRG (anti-spam research group) may or may not be useful to talk to
about new ways to deal with spam.

-- 
"The most elementary and valuable statement in science, the beginning
of wisdom is: 'I do not know'." - Data, ST:TNG 2x2 Where Silence Has Lease
http://www.ChaosReigns.com

Re: blacklist based on authoritative nameservers of sender domain

Posted by Adam Katz <an...@khopis.com>.
On 08/22/2011 04:13 PM, Noah Meyerhans wrote:
> I've recently observed a fair amount of spam from domains that all
> share the same set of authoritative nameservers.  It occurred to me
> that it might be nice to be able to blacklist mail from all domains
> sharing these nameservers, or maybe to simply have that trait count
> toward the spam score.

You can't do whois en-masse (I'd love that, but ...), so this means an
NS host lookup.  To determine if they are authoritative, that's another
lookup (which I don't believe is necessary).  A blocklist would also be
another lookup (if using a BL, it could check the authoritativeness),
but I don't think that's completely necessary either.

Your plugin should create enough information for bayes and rules to
access the data, say through a pseudoheader that can be explicitly added
via template tags.

Thus, you'd be able to write a rule that checks the pseudoheader for a
problematic name server.  Here's a mockup pseudoheader and matching rule
for an email that links spamassassin.org and example.net:

X-Spam-Uri-NS: [ dom=spamassassin.org ns=c.auth-ns.sonic.net
ns=ns.hyperreal.org ns=b.auth-ns.sonic.net ns=a.auth-ns.sonic.net ] [
dom=example.net ns=b.iana-servers.net. ns=a.iana-servers.net ]

header LOCAL_USES_DNS_EXAMPLE_NET X-Spam-Uri-NS =~ / ns=[ab]\.iana-servers\.net /

I left out NS server IPs because that's even more DNS lookups.  URIs are
in order of appearance.  NS order is not predictable (though I suppose
we could asciibetize).

> I don't believe there's currently a plugin to allow this sort of
> thing.  Is that correct?  If so, would anybody be interested in one
> if I was to write it?  Or am I missing something obvious that makes
> this not worth doing?  I realize that the potential for collateral
> damage is high, so I don't think it'd be wise to try and publish any
> sort of data for such a plugin, but it seems like the plugin itself
> might be occasionally useful...

It might be useful, but we'd have to test it to know.
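A small offline model of the pseudoheader-plus-rule idea sketched in this message, combined with the scoring variant Noah and SM raise; this is an added example, not SpamAssassin code and not anything posted in the thread. It assumes a constructed domain-to-nameserver map in place of real NS lookups, a hypothetical local NS blocklist, and a hypothetical skip list standing in for a whitelist.

```python
import re

# Constructed sample standing in for the NS lookups a plugin would perform:
# URI domains in order of appearance, each with its authoritative nameservers.
# No DNS is queried here.
URI_NS = [
    ("spamassassin.org", ["c.auth-ns.sonic.net", "ns.hyperreal.org",
                          "b.auth-ns.sonic.net", "a.auth-ns.sonic.net"]),
    ("example.net", ["b.iana-servers.net.", "a.iana-servers.net"]),
]


def norm(name):
    """Lower-case and drop the trailing dot so 'x.net.' and 'x.net' compare equal."""
    return name.lower().rstrip(".")


def build_pseudoheader(uri_ns):
    """Render X-Spam-Uri-NS: domains in URI order, NS names asciibetized so rules
    see a predictable order, every token padded by spaces for whole-token matching."""
    groups = []
    for dom, servers in uri_ns:
        ns = " ".join("ns=%s" % s for s in sorted(norm(s) for s in servers))
        groups.append("[ dom=%s %s ]" % (norm(dom), ns))
    return " ".join(groups)


# The rule from the message as a plain regex; spaces on both sides avoid
# matching a longer name that merely ends in the same suffix.
RULE = re.compile(r" ns=[ab]\.iana-servers\.net ")


def rule_hits(header):
    """True when the pseudoheader names an iana-servers.net nameserver."""
    return bool(RULE.search(header))


def ns_blocklist_score(uri_ns, bad_ns, skip_domains=(), per_domain=1.0, cap=3.0):
    """Scoring instead of outright blocking: one unit per distinct URI domain
    served by a listed nameserver, skipping whitelisted domains, capped so a
    single shared hoster cannot dominate the total."""
    bad = {norm(n) for n in bad_ns}
    skip = {norm(d) for d in skip_domains}
    hits = {norm(d) for d, servers in uri_ns
            if norm(d) not in skip and bad & {norm(s) for s in servers}}
    return min(cap, per_domain * len(hits))
```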


Re: blacklist based on authoritative nameservers of sender domain

Posted by Benny Pedersen <me...@junc.org>.
On Mon, 22 Aug 2011 16:13:03 -0700, Noah Meyerhans wrote:
> I've recently observed a fair amount of spam from domains that all share
> the same set of authoritative nameservers.

1: make the plugin
2: add whitelist/skiplist could ideally be urlbl_skip_domain that are used

commit code to sandbox testing or custom plugins page

for me I just think AS tracking number is more useful, but let's see :)

how would the plugin work compared to freemail ?


Re: blacklist based on authoritative nameservers of sender domain

Posted by Benny Pedersen <me...@junc.org>.
On Tue, 23 Aug 2011 01:38:08 -0400, Michael Scheidell wrote:
> On 8/22/11 7:13 PM, Noah Meyerhans wrote:
>> I've recently observed a fair amount of spam from domains that all share
>> the same set of authoritative nameservers.
>
> postfix:
> check_sender_ns_access

if outright blocking is wanted (it's stupid)


Re: blacklist based on authoritative nameservers of sender domain

Posted by Axb <ax...@gmail.com>.
On 2011-08-23 7:38, Michael Scheidell wrote:
> On 8/22/11 7:13 PM, Noah Meyerhans wrote:
>> I've recently observed a fair amount of spam from domains that all share
>> the same set of authoritative nameservers.
>
> postfix:
> check_sender_ns_access

SA has this already... and more.
read into URIDNSBL.pm and AskDNS.pm
you can do LOTS of magic with them.




Re: blacklist based on authoritative nameservers of sender domain

Posted by Michael Scheidell <mi...@secnap.com>.
On 8/22/11 7:13 PM, Noah Meyerhans wrote:
> I've recently observed a fair amount of spam from domains that all share
> the same set of authoritative nameservers.

postfix:
check_sender_ns_access

-- 
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
SECNAP Network Security Corporation