Domain: njabl.org
Stories and comments across the archive that link to njabl.org.
Comments · 15
-
dnsbl's + other means for spam abatement to use
here's the bl's that i am using with sendmail that would go into your siteconfig.mc file -- that through trial and error -- i have found have zero false positive hit rate... n.b. that the XXX.r.mail-abuse.com (RBL) & XXX.q.mail-abuse.com (QIL) bl's require that you to have a subscription to Trend Micro Advanced Email Reputation Services at http://us.trendmicro.com/us/products/enterprise/n
e twork-reputation-services/index.html -- you can get a free trial at https://nssg.trendmicro.com/download/trial/trial-s ervices.php?id=66 --
make sure you select "Email Reputation Services, Advanced". you would then replace the "XXX" in the below with the activation code they would send you:
FEATURE(dnsbl, `XXX.r.mail-abuse.com.', `"550 Mail from " $&{client_addr} " BLOCKED/RBL; see http://www.mail-abuse.com/cgi-bin/lookup?ip_addres s=" $&{client_addr}')
FEATURE(dnsbl, `zen.spamhaus.org.', `"550 Mail from " $&{client_addr} " BLOCKED/ZEN; see http://www.spamhaus.org/query/bl?ip=" $&{client_addr}')
FEATURE(dnsbl, `bhnc.njabl.org.', `"550 Mail from " $&{client_addr} " BLOCKED/BHNC; see http://www.njabl.org/lookup?" $&{client_addr}')
FEATURE(dnsbl, `bl.spamcop.net.', `"550 Mail from " $&{client_addr} " BLOCKED/COP; see http://www.spamcop.net/w3m?action=checkblock&ip=" $&{client_addr}')
FEATURE(dnsbl, `list.dsbl.org.', `"550 Mail from " $&{client_addr} " BLOCKED/DSBL; see http://www.dsbl.org/listing?" $&{client_addr}')
FEATURE(rhsbl, `dsn.rfc-ignorant.org.',`"550 Mail from domain " $`'&{RHS} " BLOCKED/DSN; MX of domain dose not accept bounces in violation of RFC 821/2505/2821, see http://www.rfc-ignorant.org/tools/lookup.php?domai n=" $`'&{RHS}')
FEATURE(rhsbl, `bogusmx.rfc-ignorant.org.',`"550 Mail from domain " $`'&{RHS} " BLOCKED/BMX; MX of domain contains bogus address information in violation of RFC 1035/3330, see http://www.rfc-ignorant.org/tools/lookup.php?domai n=" $`'&{RHS}')
FEATURE(dnsbl, `XXX.q.mail-abuse.com.', `"450 Mail from " $&{client_addr} " BLOCKED/QIL; see http://www.mail-abuse.com/cgi-bin/lookup?ip_addres s=" $&{client_addr}')
FEATURE(dnsbl, `safe.dnsbl.sorbs.net.', `"450 Mail from " $&{client_addr} " BLOCKED/SAFE; see http://www.dnsbl.sorbs.net/lookup.shtml?" $&{client_addr}')
i also use the http://hcpnet.free.fr/milter-greylist greylisting package as well as spamassassin with some custom score tweaks available at http://iconia.com/user_prefs. all this keeps my mailbox as well as other users at a college radio station and a commercial asp with lots of public email addresses on their respective websites relatively spam free.
respectfully submitted,
geoff goodfellow -
Re:No way to combat filesharing
Then they'll turn off connections for "excessive" bandwidth usage, or for using a high number of SSL connections to IPs listed as residential in a DNSbl. Encryption is not a panacea.
-
Re:SORBS
-
Re:Not noticing the increase
Blacklists, my friend. Here's my current list:
rsync-mirrors.uceprotect.net : Level 2 - Fast local blocking
combined.njabl.org - For dynamic IPs and other
dnsbl.sorbs.net - For open relays
relays.ordb.org - For open relays
list.dsbl.orgM - Various types of Unsecured servers
dnsbl.tqmcube.com - dynamic IPs, spam trap
bl.spamcop.net - Spam trap
sbl-xbl.spamhaus.org - Known spammers, exploited servers
l2.spews.dnsbl.sorbs.net - Spam friendly ISPs
dnsbl.ahbl.org - Realtime composite
About four of those are composites, and contain blocks for dynamic IPs. Each link goes to the usage page for the blacklist, and if you want, you can just block dynamic IPs by using the correct subdomain. -
Re:Need s0ftware?
Ever head of the many great realtime blackhole lists?
http://www.spamcop.net/bl.shtml
http://dnsbl.njabl.org/
http://ordb.org/
No need to roll your own. There is even one designed to list dynamic IPs (http://www.dnsbl.nl.sorbs.net/). -
Re:Will it be better than milter-sender?SBL-XBL is great. It blocks a lot of stuff. In the last serveral months I added the follow which have also helped:
relays.ordb.org - http://www.ordb.org/
I also added ClamAV with the clamav-milter. That's eliminated all of the viruses that I used to get, although it does nothing for the virus warning messages I get from poorly administrated mail servers out there. Before I added ClamAV I was using the Virus Snaggers procmail package which was great at catching a lot of that stuff.
combined.njabl.org - http://www.njabl.org/
list.dsbl.org - http://dsbl.orgBTW, I use this procmail rule to catch all of the DSNs I get and stuff them in a mbox rather than having them clutter my inbox. I didn't write this and I forget who did. I think I got it from a post here on Slashdot sometime in the last year. To whoever wrote this, thanks.
# This recipe catches most DSNs
:0HB
* -1^0
* 1^0 ^FROM_MAILER
* 1^0 ^Status: 4.2.0
* 1^0 ^Status: 4.4.1
* 1^0 ^Status: 4.4.2
* 1^0 ^Status: 4.4.6
* 1^0 ^Status: 4.4.7
* 1^0 ^Status: 5.0.0
* 1^0 ^Status: 5.1.1
* 1^0 ^Status: 5.1.2
* 1^0 ^Status: 5.1.6
* 1^0 ^Status: 5.2.1
* 1^0 ^Status: 5.2.2
* 1^0 ^Status: 5.2.3
* 1^0 ^Status: 5.3.5
* 1^0 ^Status: 5.4.7
* 1^0 ^Status: 5.5.0
* 1^0 ^Status: 5.7.1
* 1^0 ^554 5.0.0 Service unavailable .*
* 1^0 ^Remote host said: 550.*User unknown
* 1^0 ^Remote host said: 554.*doesn't have a yahoo.com account.*
* 1^0 ^User.*not listed in public Name & Address Book
* 1^0 ^Sorry, no mailbox here by that name.
* 1^0 ^<.*>: Unkown user:
* 1^0 ^User mailbox exceeds allowed size:
* 1^0 ^.*No matches to nameserver query
* 1^0 ^A message that you sent could not be delivered
* 1^0 ^.*550 unknown user
* 1^0 ^This is a permanent error; I've given up.
* 1^0 ^The user(s) account is temporarily over quota.
* 1^0 ^Receiver not found:.*
* 1^0 ^Requested action not taken: mailbox unavailable.
* 1^0 ^--AOL Postmaster
* 1^0 ^I'm sorry to have to inform you that the message returned
* 1^0 ^550 5.1.1 <.*>... User unknown
* 1^0 ^550 <.*>\.\.\. User unknown
* 1^0 ^Subject:.*failure notice
* 1^0 ^did not reach the following recipient\(s\):
* 1^0 ^The following recipient(s) could not be reached:
* 1^0 ^.*550 Mailbox quota exceeded
* 1^0 ^.*550 Access Denied
* 1^0 ^550 5.0.0.*Can't create output
* 1^0 ^.*There is no such addressee as
* 1^0 ^Mail Delivery Failed... User unknown
daemon-msgs -
depends on the spammers.I run a mail server which hosts several domains. My personal domain gets almost no spam, because I haven't used any addresses there in public.
However, there is another domain which has had banner ads for its services. After getting a particularly bad spam attack (around 30k/day to random addresses @ that domain from the same spammer), I spoke with the owner about killing wildcard handling and instead only handling the ones being used.
Btw, three months later, that spammer is *still* being hosted by CW/Savvis. http://www.sheckmedia.com/ is the site of the spam domain owner, but the spamming subnnets, 64.70.43.0/24 and 216.39.64.0/24 are different than the website. Anyway, talk about bulletproof hosting...
After setting up individual boxes for that domain, I decided to direct the rest into a file just to see what kind of crap comes through. For the month of June, there were over 107000 emails. For the month of July there have been 41969 so far. The July numbers are probably a bit lower because I recently added njabl.org blocking (w/o dialup blacklisting) with rbldns. During both months, spamhaus.org's lists and spamcop.net's lists were in use.
So, it's not really a matter of whether or not you handle wildcard addresses, but whether the spammers to decide to use dictionary attacks on your domain.
-
Re:here you go:
-
Re:dont forget ...
You can make it even simpler. Don't accept mail from likely abuse sources, from dynamic IP addresses, or from known abusers. Those three blocklists get rid of an enormous amount of my spam.
Taken along with a few select country blocklists (I use China, Taiwan, Hong Kong, Korea, Brazil, and Argentina), you can go from a flood to a trickle in no time. China is a Very Special Case -- they're completely filtered at the borders now. If they ever clean up their act, they may get to pass packets again, but I'm not holding my breath. In the meantime, they can enjoy their shrinking view of the Internet.
-
Off on a tangent from that
(Yeah, offtopic, whatever)
I've often wondered about a variation on that theme - using -1 AC posts to communicate information over slashdot. The specific application I've been thinking of is trojan horses that need to phone home.
Right now, the typical trojan horse phones home by joining some specific channel on some (private or not) irc network. On that network, they announce to whoever's listening their IP address and how to gain remote control of the victim's machine. (Perhaps this announcement is encrypted somehow, or requires that first a message with password be sent to them, or something similar)
The thing is - this is pretty easy for corporate networks to trace (just flag outgoing IRC connections), and places that have a "no outgoing TCP, only outgoing web traffic through this specific proxy" policy in place are clearly protected to some extent.
It also allows law enforcement to start up the trojan in a controlled environment and monitor the connection for clues as to the ultimate controller of these little beasts.
But what if these trojans communicate through follow-ups to the lowest-moderated troll on the first article of each day? Or what if they simply receive their directions by looking for comments with specific subject lines? (Steganography, meet Natalie Portman's hot grits) Of course the person controlling these would work through some random anonymous proxy in Asia - every day, spammers send me hundreds of proxy IP addresses, and there are convenient anti-spam sites that will tell me exactly what those proxies can do.
And it's not just slashdot - many main stream news sites now allow comments posted anonymously with a minimum of fuss, and then there's the idea of looking for certain blog comments, or postings to certain newsgroups on google. -
Re:Do we need this?
I think laws can be helpful, provided they are not, well, clueless. As for CAN-SPAM, the best part is outlawing the use of deceptive headers. Now pill pushers and mortgage brokers (who are almost always located in the U.S.) can be prosecuted if they forge headers. If they don't forge headers, then ISPs can blacklist their source much more effectively.
The more common blacklists (at least the ones I use) are Spamhaus , Sorbs, and NJABL. I don't think those are going down anytime soon, with the work they have done to distribute their hosts.
I completely agree that ISPs (and any business that has computers connected to the Internet) should block egress port 25 traffic. I have rallied this point for quite some time, and it has proven to be quite unpopular:
The arguments against sum up to "let's fix the spam problem, but not if it means I can't use my consumer cable modem as if I were a business" and the equaly irresponsible "but I want to run my own mail server-- how dare you try to take away my toy!" To be fair, there are legitimate reasons that a person might need to run their own mail server, but they are quite few and far between-- certainly less in number than spammers! -
Re:who says its spammers?
He obviously has more knowledge of blacklisting than you have. Or give us an EXAMPLE of spews blacklisting an subnet that isn't on a spemmer friendly ISP. And lumping every blacklist from spews to dsbl.org and spamhaus.org isn't very wise either.
Even spews doesn't just blaclist entire A/B subnets at glance, unless they obviously belong to a spammer. They start with single IP:s, and ONLY IF the spammer doesn't get kicked out, the block is gradually enlargened.
It's not blind logic either. Standard whois queries are used to check what IP block belong together and who owns them. If your ISP owns an /16 subclass and doesn't bother setting rwhois up to make people able to distinguish between IP's owned be legitimate companies and IP's owned by spammers, how can a blacklister know what IP's of /16 black belong to the spammer?
And while boasting spamassassin, remember that it uses blacklists as well. However, using blacklists on SMTP level seems to be the only way bring attention for the spamming problem for the ISP harboring spammers.
Personally, I don't use spews, but:
dsbl open relay, open proxy lists.
spamhaus sblIp network ranges belonging to spammers.
0 collateral damage so far. Other high-quality blacklists include:
spamcop dynamic and automatic blacklist that lists IP addresses only WHILE they are spamming.
njabl probably the best list overall, listing all of them: spammers, proxies, relays, dialups.
Ofcourse, many insist not using their ISP's smtp servers so dialup ip blocking is risky, and spamcop.net relies on users repoting spam so a group of clueless people may reuslt a wrong IP blacklisted, so the above two blacklists don't suit everyone..
-
Re:Distrustful of Network Level Censorship
Spam control with RBLs is, in fact, decentralized. There are many RBLs to choose from, and any that are too severe will not be used for long if they generate too many false positives. As a system admin, I have my choice. I use 4 RBLs right now:
- spamhaus.relays.osirusoft.com
(this is a mirror of the Spamhaus Block List) Well known spam operations, and is checked hourly. - dialups.relays.osiruSoft.com
(details at OsiruSoft) This list is of DHCP IP addresses of home users (DSL, cable, dial up). - dnsbl.njabl.org
(extensive details of what's on this list) - rbl.restongeek.com
I maintain this one myself for anything I want all my servers, primary and backup MX, to block
/. journal for a sample report). If I start to think maybe one of these lists is a little too severe, or someone lets me know that there are problems with one or more of the lists, I will delete it and pick another. Or maybe not. It is my choice, I want to keep down the spam on my system, for my sake as well as my clients'. - spamhaus.relays.osirusoft.com
-
Re:A quick run-down of what ORBZ is (i.e. was)
It was more widely used that most people know; Spamcop used it. (And as of last check was still attempting to, although I've emailed them, perhaps they've fixed it by now.)
Because of that, I bet lots of people who have never heard of ORBZ were "using" it.
But there's no reason to despair; there are many others still functioning, and new ones coming up all the time.
My favorite new one is NJABL; Not Just Another BlackList.
Spamcop has a lovely one, and Osirus is excellent as well. -
Re:Subscribing to blacklists did not help me.
I have only about 7 users. I am using two blacklists:
Not Just Another Black List, and Osirus
Between them, I'm stopping an average of over 100 messages a day. We do not have a single indication of any false positives yet.
Considering that only 2 of my 7 users receive a lot of mail per day (based on the size of their mail spools), that's a hell of a lot of spam.
So protestations that "they don't work" are bunk. If you think spam blacklists don't work, then you either have a skewed definition of "work", or you're just sadly misinformed.
As for "false positives", that depends on your definition. I personally choose not to do business with people who keep open relays. I therefore by definition can only have a "false positive" if there's a bug in one of my blacklists. Legitimate mail from an open relay isn't a false positive as far as I'm concerned, and my users have hundreds of alternatives if they don't like my policies.