Posted to users@spamassassin.apache.org by Noah Meyerhans <fr...@morgul.net> on 2011/08/23 01:13:03 UTC
blacklist based on authoritative nameservers of sender domain
I've recently observed a fair amount of spam from domains that all share
the same set of authoritative nameservers. It occurred to me that it
might be nice to be able to blacklist mail from all domains sharing
these nameservers, or maybe to simply have that trait count toward the
spam score. I don't believe there's currently a plugin to allow this
sort of thing. Is that correct? If so, would anybody be interested in
one if I was to write it? Or am I missing something obvious that makes
this not worth doing? I realize that the potential for collateral
damage is high, so I don't think it'd be wise to try and publish any
sort of data for such a plugin, but it seems like the plugin itself
might be occasionally useful...
noah
Re: blacklist based on authoritative nameservers of sender domain
Posted by SM <sm...@resistor.net>.
At 16:52 22-08-2011, Adam Katz wrote:
>You can't do whois en-masse (I'd love that, but ...), so this means an
>NS host lookup. To determine if they are authoritative, that's another
>lookup (which I don't believe is necessary). A blocklist would also be
>another lookup (if using a BL, it could check the authoritativeness),
>but I don't think that's completely necessary either.
You don't need to use Whois. You already have the data:
; ANSWER SECTION:
apache.org. 1800 IN A 140.211.11.131
;; AUTHORITY SECTION:
apache.org. 86398 IN NS ns2.no-ip.com.
apache.org. 86398 IN NS ns1.eu.bitnames.com.
apache.org. 86398 IN NS ns2.surfnet.nl.
apache.org. 86398 IN NS ns1.us.bitnames.com.
It's been a while since I tested this. If I recall correctly, it was
prone to false positives. You might be able to do some scoring
instead of blacklisting.
Regards,
-sm
Re: blacklist based on authoritative nameservers of sender domain
Posted by Axb <ax...@gmail.com>.
On 2011-08-23 2:21, darxus@chaosreigns.com wrote:
> On 08/22, Adam Katz wrote:
>>> this not worth doing? I realize that the potential for collateral
>>> damage is high, so I don't think it'd be wise to try and publish any
>>> sort of data for such a plugin, but it seems like the plugin itself
>>> might be occasionally useful...
>>
>> It might be useful, but we'd have to test it to know.
>
> I just wanted to point out we have the infrastructure for testing this,
> via mass-checks:
> http://wiki.apache.org/spamassassin/NightlyMassCheck
>
> You create the plugin and a blacklist, open a bug to get somebody to
> add it to trunk (the development branch of spamassassin), it gets run
> with mass-check, not only collecting stats on its effectiveness, but
> also calculating an optimal score to use for it.
>
>
> The ASRG (anti-spam research group) may or may not be useful to talk to
> about new ways to deal with spam.
create plugin? It's been in the URIBL plugin for quite a while
URIBL.com makes use of it: "URIBL_BLACK_NS"
http://www.uribl.com/usage.shtml
Re: blacklist based on authoritative nameservers of sender domain
Posted by da...@chaosreigns.com.
On 08/22, Adam Katz wrote:
> > this not worth doing? I realize that the potential for collateral
> > damage is high, so I don't think it'd be wise to try and publish any
> > sort of data for such a plugin, but it seems like the plugin itself
> > might be occasionally useful...
>
> It might be useful, but we'd have to test it to know.
I just wanted to point out we have the infrastructure for testing this,
via mass-checks:
http://wiki.apache.org/spamassassin/NightlyMassCheck
You create the plugin and a blacklist, open a bug to get somebody to
add it to trunk (the development branch of spamassassin), it gets run
with mass-check, not only collecting stats on its effectiveness, but
also calculating an optimal score to use for it.
The ASRG (anti-spam research group) may or may not be useful to talk to
about new ways to deal with spam.
--
"The most elementary and valuable statement in science, the beginning
of wisdom is: 'I do not know'." - Data, ST:TNG 2x2 Where Silence Has Lease
http://www.ChaosReigns.com
Re: blacklist based on authoritative nameservers of sender domain
Posted by Adam Katz <an...@khopis.com>.
On 08/22/2011 04:13 PM, Noah Meyerhans wrote:
> I've recently observed a fair amount of spam from domains that all
> share the same set of authoritative nameservers. It occurred to me
> that it might be nice to be able to blacklist mail from all domains
> sharing these nameservers, or maybe to simply have that trait count
> toward the spam score.
You can't do whois en-masse (I'd love that, but ...), so this means an
NS host lookup. To determine if they are authoritative, that's another
lookup (which I don't believe is necessary). A blocklist would also be
another lookup (if using a BL, it could check the authoritativeness),
but I don't think that's completely necessary either.
Your plugin should create enough information for bayes and rules to
access the data, say through a pseudoheader that can be explicitly added
via template tags.
Thus, you'd be able to write a rule that checks the pseudoheader for a
problematic name server. Here's a mockup pseudoheader and matching rule
for an email that links spamassassin.org and example.net:
X-Spam-Uri-NS: [ dom=spamassassin.org ns=c.auth-ns.sonic.net ns=ns.hyperreal.org ns=b.auth-ns.sonic.net ns=a.auth-ns.sonic.net ] [ dom=example.net ns=b.iana-servers.net. ns=a.iana-servers.net ]
header LOCAL_USES_DNS_EXAMPLE_NET X-Spam-Uri-NS =~ / ns=[ab].iana-servers\.net /
I left out NS server IPs because that's even more DNS lookups. URIs are
in order of appearance. NS order is not predictable (though I suppose
we could asciibetize).
> I don't believe there's currently a plugin to allow this sort of
> thing. Is that correct? If so, would anybody be interested in one
> if I was to write it? Or am I missing something obvious that makes
> this not worth doing? I realize that the potential for collateral
> damage is high, so I don't think it'd be wise to try and publish any
> sort of data for such a plugin, but it seems like the plugin itself
> might be occasionally useful...
It might be useful, but we'd have to test it to know.
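The two mechanical pieces of this thread, SM's point that the NS set is already sitting in the AUTHORITY section of an ordinary lookup and Adam's pseudoheader-plus-header-rule mockup, as one added worked example. This is not SpamAssassin code and not a plugin; the dig output, the NS sets, the stub resolver and the canonicalisation rule (lower-case, trailing dot dropped, names asciibetized) are assumptions made here so the script runs offline.

```python
"""Build the X-Spam-Uri-NS pseudoheader sketched in the thread and match a
rule against it. Added example (not SpamAssassin code); lookups are stubbed
with constructed data so it runs offline."""
import re
from typing import Callable, Dict, List, Sequence

# Constructed stand-in for `dig example.net` output (not a real lookup). The
# AUTHORITY section carries the NS set even when only an A record was asked
# for, which is the point made earlier in the thread.
SAMPLE_DIG = """\
;; ANSWER SECTION:
example.net.            1800    IN      A       93.184.216.34

;; AUTHORITY SECTION:
example.net.            86398   IN      NS      b.iana-servers.net.
example.net.            86398   IN      NS      a.iana-servers.net.
"""

NS_RR = re.compile(r"^(?P<owner>\S+)\s+\d+\s+IN\s+NS\s+(?P<target>\S+)\s*$", re.M)


def canon(name: str) -> str:
    """Lower-case and drop the trailing dot: 'B.IANA-Servers.NET.' -> 'b.iana-servers.net'.
    Without this a rule written for one spelling silently misses the other."""
    return name.strip().lower().rstrip(".")


def parse_ns_from_dig(text: str) -> Dict[str, List[str]]:
    """Collect NS targets per owner name from dig-style output, asciibetized."""
    found: Dict[str, set] = {}
    for m in NS_RR.finditer(text):
        found.setdefault(canon(m["owner"]), set()).add(canon(m["target"]))
    return {owner: sorted(targets) for owner, targets in found.items()}


# Stub resolver table (assumption): spamassassin.org's NS set is copied from
# the mockup header in the thread; example.net's comes from SAMPLE_DIG.
STUB_NS: Dict[str, List[str]] = {
    "spamassassin.org": ["c.auth-ns.sonic.net", "ns.hyperreal.org",
                         "b.auth-ns.sonic.net", "a.auth-ns.sonic.net"],
}
STUB_NS.update(parse_ns_from_dig(SAMPLE_DIG))


def stub_resolver(domain: str) -> List[str]:
    """Stand-in for a real NS query; unknown domains behave like NXDOMAIN."""
    return STUB_NS.get(canon(domain), [])


def build_uri_ns_header(domains: Sequence[str],
                        resolve: Callable[[str], Sequence[str]]) -> str:
    """One '[ dom=... ns=... ]' group per distinct URI domain, in order of
    first appearance; NS names are asciibetized because the order in a DNS
    answer is not stable. A domain with no NS set gets a bare '[ dom=... ]'."""
    groups, seen = [], set()
    for raw in domains:
        dom = canon(raw)
        if dom in seen:
            continue
        seen.add(dom)
        parts = ["dom=" + dom] + ["ns=" + ns for ns in sorted({canon(n) for n in resolve(dom)})]
        groups.append("[ " + " ".join(parts) + " ]")
    return " ".join(groups)


# The thread's rule, with the dots escaped; the trailing dot is no longer a
# concern because canon() removed it before the header was built.
LOCAL_USES_DNS_EXAMPLE_NET = r" ns=[ab]\.iana-servers\.net "


def rule_matches(header_value: str, pattern: str) -> bool:
    """What a SpamAssassin 'header NAME X-Spam-Uri-NS =~ /.../' rule does."""
    return re.search(pattern, header_value) is not None


def ns_score(header_value: str, scores: Dict[str, float]) -> float:
    """Scoring rather than blacklisting: add the weight of every listed
    nameserver that appears in the header, counting each nameserver once."""
    present = set(re.findall(r"\bns=(\S+)", header_value))
    return sum(w for ns, w in scores.items() if canon(ns) in present)


if __name__ == "__main__":
    hdr = build_uri_ns_header(["spamassassin.org", "example.net", "EXAMPLE.NET."], stub_resolver)
    print("X-Spam-Uri-NS:", hdr)
    print("LOCAL_USES_DNS_EXAMPLE_NET:", rule_matches(hdr, LOCAL_USES_DNS_EXAMPLE_NET))
```

Note what the canonicalisation buys: the mockup header above carries `ns=b.iana-servers.net.` with a trailing dot next to `ns=a.iana-servers.net` without one, and a pattern that ends in `\.net ` (space) only matches the second spelling. Normalising before the header is built, and sorting the NS names, keeps a rule from depending on which spelling or which answer order the resolver happened to return.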
Re: blacklist based on authoritative nameservers of sender domain
Posted by Benny Pedersen <me...@junc.org>.
On Mon, 22 Aug 2011 16:13:03 -0700, Noah Meyerhans wrote:
> I've recently observed a fair amount of spam from domains that all share
> the same set of authoritative nameservers.
1: make the plugin
2: add whitelist/skiplist could ideally be urlbl_skip_domain that are used
commit code to sandbox testing or custom plugins page
for me i just think AS tracking number is more useful, but lets see :)
how would the plugin work compared to freemail ?
Re: blacklist based on authoritative nameservers of sender domain
Posted by Benny Pedersen <me...@junc.org>.
On Tue, 23 Aug 2011 01:38:08 -0400, Michael Scheidell wrote:
> On 8/22/11 7:13 PM, Noah Meyerhans wrote:
>> I've recently observed a fair amount of spam from domains that all share
>> the same set of authoritative nameservers.
>
> postfix:
> check_sender_ns_access
if outright blocking is wanted (it's stupid)
Re: blacklist based on authoritative nameservers of sender domain
Posted by Axb <ax...@gmail.com>.
On 2011-08-23 7:38, Michael Scheidell wrote:
> On 8/22/11 7:13 PM, Noah Meyerhans wrote:
>> I've recently observed a fair amount of spam from domains that all share
>> the same set of authoritative nameservers.
>
> postfix:
> check_sender_ns_access
SA has this already... and more.
read into URIDNSBL.pm and AskDNS.pm
you can do LOTS of magic with them.
Re: blacklist based on authoritative nameservers of sender domain
Posted by Michael Scheidell <mi...@secnap.com>.
On 8/22/11 7:13 PM, Noah Meyerhans wrote:
> I've recently observed a fair amount of spam from domains that all share
> the same set of authoritative nameservers.
postfix:
check_sender_ns_access
--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
| SECNAP Network Security Corporation
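The Postfix restriction Michael names, spelled out as a configuration fragment. This is an added example, not from the thread: the table path and the nameserver hostname are assumptions, and `warn_if_reject` is used deliberately, since the thread's own warning about collateral damage applies to outright blocking at the MTA even more than to a scored rule.

```text
# main.cf (added example). check_sender_ns_access looks up the hostnames and
# IP addresses of the MAIL FROM domain's nameservers in the access table.
# warn_if_reject turns a REJECT into a log line only; drop it once the
# false-positive rate of the table is known.
smtpd_sender_restrictions =
    permit_mynetworks,
    warn_if_reject check_sender_ns_access hash:/etc/postfix/sender_ns_access,
    reject_unknown_sender_domain

# /etc/postfix/sender_ns_access (access(5) table; run
# "postmap /etc/postfix/sender_ns_access" after editing).
# "ns1.bulk-hoster.example" is an assumed hostname, not a real listing.
ns1.bulk-hoster.example    REJECT sender domain is delegated to a listed nameserver
ns2.bulk-hoster.example    REJECT sender domain is delegated to a listed nameserver
```

Because the lookup is on the sender domain's delegation rather than on the sending host, one table entry covers every domain parked on those nameservers, which is exactly the reach the original question asked for and exactly why a warn-only rollout is the sane first step.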