spamd - SPEWS status


spamd - SPEWS status

Josh Grosse
1) According to www.spews.org, the text files for SPEWS level 1 and 2 have
not been updated since August, 2006.

2) There has been much discussion of this in both
news.admin.net-abuse.blocklisting, and in news.admin.net-abuse.email.

3) As of today, SORBS is no longer mirroring the SPEWS DNSbl, according to
Matthew Sullivan who posted in news.admin.net-abuse.blocklisting:

"...I have emptied all live blocks out of the SPEWS zonefiles I hold locally
and disabled the download and update script from overwriting the empty
zones....I will keep the zones configured and emptied for another 6 months,
and will drop the zones from there should SPEWS never update them again..."

ref: <epsfah$gmb$[hidden email]>

----

Based on the general consensus that SPEWS may be dead, if not dormant,
it *might* be time to remove references to SPEWS from /etc/spamd.conf and
from spamd.conf(5).

Below are example diffs for src/etc/spamd.conf and
src/share/man/man5/spamd.conf.5, as well as for www/spamd/index.html.  

The web mirrors compressed SPEWS level-1 and level-2 text files in the
../files directory, but neither that directory nor the mirroring scripts
are part of the www tree.

----

- --- src/etc/spamd.conf.orig Tue Jul 11 01:40:33 2006
+++ src/etc/spamd.conf Thu Feb  1 11:18:06 2007
@@ -23,23 +23,7 @@
 # www.openbsd.org with, for instance, to www.de.openbsd.org
 
 all:\
- - :spews1:china:korea:
- -
- -# Mirrored from http://www.spews.org/spews_list_level1.txt
- -spews1:\
- - :black:\
- - :msg="SPAM. Your address %A is in the spews level 1 database\n\
- - See <a href="http://www.spews.org/ask.cgi?x=%A">http://www.spews.org/ask.cgi?x=%A for more details":\
- - :method=http:\
- - :file=www.openbsd.org/spamd/spews_list_level1.txt.gz:
- -
- -# Mirrored from http://www.spews.org/spews_list_level2.txt
- -spews2:\
- - :black:\
- - :msg="SPAM. Your address %A is in the spews level 2 database\n\
- - See <a href="http://www.spews.org/ask.cgi?x=%A">http://www.spews.org/ask.cgi?x=%A for more details":\
- - :method=http:\
- - :file=www.openbsd.org/spamd/spews_list_level2.txt.gz:
+ :china:korea:
 
 # Mirrored from http://www.okean.com/chinacidr.txt
 china:\
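Review bot: the diff as posted will not apply with patch(1), because PGP clearsigning has dash-escaped it: every removed line and the `---` file header arrive as `- -` and `- ---` (the copy quoted later in the thread shows the intended single `-` lines). Suggest sending the diff unsigned or as an attachment. The hunk itself is consistent: `spews2` was only ever defined, never named in `all:`, so dropping both entries and leaving `:china:korea:` is the right edit, and the mirror-substitution comment kept above `all:` still applies to the remaining china/korea entries.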

----

- --- spamd.conf.5.orig Thu Jan 29 12:44:29 2004
+++ spamd.conf.5 Thu Feb  1 11:15:22 2007
@@ -50,15 +50,16 @@
 Example:
 .Bd -literal -offset indent
 all:\e
- - :spews1:white:myblack:
+ :korea:white:myblack:
 
- -spews1:\e
+korea:\e
  :black:\e
- - :msg="SPAM. Your address \&%A is in the spews\e
- - level 1 database\ensee http://www.spews.org/ask.cgi?x=\&%A\en":\e
- - :method=http:\e
- - :file=www.spews.org/spews_list_level1.txt:
+ :msg="SPAM. Your address \&%A appears to be from Korea\\n
+ See http://www.okean.com/asianspamblocks.html":\\
+ :method=http:\\
+ :file=www.openbsd.org/spamd/koreacidr.txt.gz:
 
+
 white:\e
  :white:\e
  :method=file:\e
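Review bot: the added lines from `+ :msg="SPAM. Your address \&%A appears to be from Korea\\n` through `+ :file=www.openbsd.org/spamd/koreacidr.txt.gz:` spell a backslash as `\\`, while the rest of this literal block, including the kept `korea:\e`, ` :black:\e` and `white:\e` lines, uses mdoc's `\e` and writes the newline escape as `\en`; keep the block's convention so the rendered example matches the removed `spews1` one. The new msg line also lost the trailing continuation backslash that the removed line ended with (`\e`), so the rendered example would break the quoted message across two records, and the lone `+` blank line before `white:\e` adds an empty line the original example did not have. Suggest `... from Korea\en\e`, then ` See http://www.okean.com/asianspamblocks.html":\e`, `:method=http:\e`, and dropping the added blank line.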
@@ -77,13 +78,13 @@
 are to be applied.
 The addresses in a whitelist are removed from the preceding blacklist.
 In the above example, if the address was present in all three lists, blacklists
- -.Ar spews1
+.Ar korea
 and
 .Ar myblack ,
 as well as whitelist
 .Ar white ,
 the address would be removed from blacklist
- -.Ar spews1
+.Ar korea
 by the subsequent
 .Ar white
 whitelist.

----

- --- www/spamd/index.html.orig Tue Jul 11 01:42:06 2006
+++ www/spamd/index.html Thu Feb  1 11:27:45 2007
@@ -42,51 +42,6 @@
 <p>
 
 <ul>
- -<li><a href="http://www.spews.org">Spews Level 1</a><br>
- -<font color="#a00000">"SPEWS publishes two lists. The majority of the Level 1 list
- -is made up of netblocks owned by the spammers or spam support
- -operations themselves, with few or no other legitimate customers
- -detected. We don't even try and educate these types as any past
- -attempts at education have failed. If a known spammer buys a
- -new netblock but hasn't started spamming from it yet, it is still
- -eligible to be listed here. If used, this list should have close to
- -zero inadvertent blocking."</font> (from their web page)
- -<p>
- -Original source location:
- -<a href="http://www.spews.org/spews_list_level1.txt">
- -http://www.spews.org/spews_list_level1.txt</a>
- -<br>
- -OpenBSD mirror location:
- -<a href="http://www.openbsd.org/spamd/spews_list_level1.txt.gz">
- -http://www.openbsd.org/spamd/spews_list_level1.txt.gz</a>
- -<p>
- -
- -<li><a href="http://www.spews.org">Spews Level 2</a><br>
- -<font color="#a00000">
- -"This includes all of Level 1, plus anyone who is
- -spam-friendly, supporting spammers, or highly suspicious, but not
- -blatant enough to be included in the Level 1 list yet. If it becomes
- -obvious that someone at Level 2 has become a real problem, they
- -will be escalated to Level 1 after some attempt at education. The
- -Level 2 list will have some inadvertent blocking (non-spammer IP
- -addresses listed), but can still be used by small ISPs or
- -individuals who want a stricter level of blocking/filtering. By
- -having a two tiered list, you can make the hardcore spamfighters
- -happy; those who want to block first and ask questions later.
- -Also, a listing in the Level 2 list may exert a bit of pressure on
- -spam friendly sites and may keep them from turning totally bad -
- -but that is not really the point, stopping spam is. (note: a Level
- -value of "0" means that area is not listed)"</font> (from their web page)
- -<p>
- -Original source location:
- -<a href="http://www.spews.org/spews_list_level2.txt">
- -http://www.spews.org/spews_list_level2.txt</a>
- -<br>
- -OpenBSD mirror location:
- -<a href="http://www.openbsd.org/spamd/spews_list_level2.txt.gz">
- -http://www.openbsd.org/spamd/spews_list_level2.txt.gz</a>
- -<p>
- -
 <li><a href="http://www.okean.com/asianspamblocks.html">China CIDR</a><br>
 <font color="#a00000">
 "Because these two countries have the chronic and pervasive practice
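Review bot: this hunk only drops the two `<li>` entries; the mirrored `spews_list_level1.txt.gz` and `spews_list_level2.txt.gz` files and the script that refreshes them live outside the www tree (as the cover text says), so they should be retired in the same commit, otherwise anyone still carrying the old `spews1:` entry in a local spamd.conf keeps pulling a frozen list from www.openbsd.org. Also worth checking that the prose above the `<ul>`, outside this hunk, does not still introduce the list as including SPEWS.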
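A consistency check for edits like the one above, written as an added example (not OpenBSD code): it parses the termcap-style spamd.conf(5) subset the diff uses and reports lists named in `all:` but undefined, lists defined but unreachable from `all:`, and entries without exactly one of `black`/`white`. The before/after configs are constructed, shortened versions of the ones in the diff.

```python
"""Consistency check for the termcap-style spamd.conf(5) format, meant for
edits like the one above that drop list entries. Added example, not OpenBSD
code; it handles the subset the diff uses: 'name:\\' records continued with
trailing backslashes, '#' comment lines, and quoted msg= values."""


def _join_continuations(text):
    """Merge lines ending in a backslash into one logical record."""
    records, cur = [], ""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.endswith("\\"):
            cur += stripped[:-1]
        else:
            records.append(cur + stripped)
            cur = ""
    if cur:
        records.append(cur)
    return records


def _split_fields(record):
    """Split a record on ':' except inside double quotes (msg= URLs contain ':')."""
    fields, buf, quoted = [], "", False
    for ch in record:
        if ch == '"':
            quoted = not quoted
        if ch == ":" and not quoted:
            fields.append(buf)
            buf = ""
        else:
            buf += ch
    fields.append(buf)
    return [f for f in fields if f]


def parse_spamd_conf(text):
    """Return {list_name: [capabilities]} for every record in the file."""
    lists = {}
    for rec in _join_continuations(text):
        fields = _split_fields(rec)
        lists[fields[0]] = fields[1:]
    return lists


def check_spamd_conf(text):
    """Return a list of problems; an empty list means the file is consistent."""
    lists = parse_spamd_conf(text)
    referenced = lists.get("all", [])
    problems = ["all: references undefined list %s" % n
                for n in referenced if n not in lists]
    for name, caps in lists.items():
        if name == "all":
            continue
        if name not in referenced:
            problems.append("list %s is defined but not in all:" % name)
        if sum(c in ("black", "white") for c in caps) != 1:
            problems.append("list %s needs exactly one of black/white" % name)
    return problems


def entry(name, msg, path):
    """Render one blacklist entry in spamd.conf syntax (constructed sample)."""
    return ('%s:\\\n\t:black:\\\n\t:msg="%s":\\\n\t:method=http:\\\n\t:file=%s:\n'
            % (name, msg, path))


CHINA = entry("china", "SPAM. Your address %A appears to be from China",
              "www.openbsd.org/spamd/chinacidr.txt.gz")
KOREA = entry("korea", "SPAM. Your address %A appears to be from Korea",
              "www.openbsd.org/spamd/koreacidr.txt.gz")
SPEWS1 = entry("spews1", "SPAM. Your address %A is in the spews level 1 database",
               "www.openbsd.org/spamd/spews_list_level1.txt.gz")
SPEWS2 = entry("spews2", "SPAM. Your address %A is in the spews level 2 database",
               "www.openbsd.org/spamd/spews_list_level2.txt.gz")

# Before the diff: spews2 is defined but never named in all:.
BEFORE = "all:\\\n\t:spews1:china:korea:\n" + SPEWS1 + SPEWS2 + CHINA + KOREA
# After the diff: every defined list is used and every used list is defined.
AFTER = "all:\\\n\t:china:korea:\n" + CHINA + KOREA
# A half-done edit: definitions removed while all: still names spews1.
BROKEN = "all:\\\n\t:spews1:china:korea:\n" + CHINA + KOREA
```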


Re: spamd - SPEWS status

beck-7
        Yeah, probably time to retire spews, they aren't going
to fix it.

        Aside from my traplist (which I'll add) anyone have
any suggestions for useful additions when I commit this? I seldom
use externally maintained blacklists anymore :)

        -Bob


* Josh Grosse <[hidden email]> [2007-02-01 10:01]:

> 1) According to www.spews.org, the text files for SPEWS level 1 and 2 have
> not been updated since August, 2006.
>
> 2) There has been much discussion of this in both
> news.admin.net-abuse.blocklisting, and in news.admin.net-abuse.email.
>
> 3) As of today, SORBS is no longer mirroring the SPEWS DNSbl, according to
> Matthew Sullivan who posted in news.admin.net-abuse.blocklisting:
>
> "...I have emptied all live blocks out of the SPEWS zonefiles I hold locally
> and disabled the download and update script from overwriting the empty
> zones....I will keep the zones configured and emptied for another 6 months,
> and will drop the zones from there should SPEWS never update them again..."
>
> ref: <epsfah$gmb$[hidden email]>
>
> ----
>
> Based on the general consensus that SPEWS may be dead, if not dormant,
> it *might* be time to remove references to SPEWS from /etc/spamd.conf and
> from spamd.conf(5).
>
> Below are example diffs for src/etc/spamd.conf and
> src/share/man/man5/spamd.conf.5, as well as for www/spamd/index.html.  
>
> The web mirrors compressed SPEWS level-1 and level-2 text files in the
> ../files directory, but neither that directory nor the mirroring scripts
> are part of the www tree.
>
> ----
>
> --- src/etc/spamd.conf.orig Tue Jul 11 01:40:33 2006
> +++ src/etc/spamd.conf Thu Feb  1 11:18:06 2007
> @@ -23,23 +23,7 @@
>  # www.openbsd.org with, for instance, to www.de.openbsd.org
>  
>  all:\
> - :spews1:china:korea:
> -
> -# Mirrored from http://www.spews.org/spews_list_level1.txt
> -spews1:\
> - :black:\
> - :msg="SPAM. Your address %A is in the spews level 1 database\n\
> - See <a href="http://www.spews.org/ask.cgi?x=%A">http://www.spews.org/ask.cgi?x=%A for more details":\
> - :method=http:\
> - :file=www.openbsd.org/spamd/spews_list_level1.txt.gz:
> -
> -# Mirrored from http://www.spews.org/spews_list_level2.txt
> -spews2:\
> - :black:\
> - :msg="SPAM. Your address %A is in the spews level 2 database\n\
> - See <a href="http://www.spews.org/ask.cgi?x=%A">http://www.spews.org/ask.cgi?x=%A for more details":\
> - :method=http:\
> - :file=www.openbsd.org/spamd/spews_list_level2.txt.gz:
> + :china:korea:
>  
>  # Mirrored from http://www.okean.com/chinacidr.txt
>  china:\
>
> ----
>
> --- spamd.conf.5.orig Thu Jan 29 12:44:29 2004
> +++ spamd.conf.5 Thu Feb  1 11:15:22 2007
> @@ -50,15 +50,16 @@
>  Example:
>  .Bd -literal -offset indent
>  all:\e
> - :spews1:white:myblack:
> + :korea:white:myblack:
>  
> -spews1:\e
> +korea:\e
>   :black:\e
> - :msg="SPAM. Your address \&%A is in the spews\e
> - level 1 database\ensee http://www.spews.org/ask.cgi?x=\&%A\en":\e
> - :method=http:\e
> - :file=www.spews.org/spews_list_level1.txt:
> + :msg="SPAM. Your address \&%A appears to be from Korea\\n
> + See http://www.okean.com/asianspamblocks.html":\\
> + :method=http:\\
> + :file=www.openbsd.org/spamd/koreacidr.txt.gz:
>  
> +
>  white:\e
>   :white:\e
>   :method=file:\e
> @@ -77,13 +78,13 @@
>  are to be applied.
>  The addresses in a whitelist are removed from the preceding blacklist.
>  In the above example, if the address was present in all three lists, blacklists
> -.Ar spews1
> +.Ar korea
>  and
>  .Ar myblack ,
>  as well as whitelist
>  .Ar white ,
>  the address would be removed from blacklist
> -.Ar spews1
> +.Ar korea
>  by the subsequent
>  .Ar white
>  whitelist.
>
> ----
>
> --- www/spamd/index.html.orig Tue Jul 11 01:42:06 2006
> +++ www/spamd/index.html Thu Feb  1 11:27:45 2007
> @@ -42,51 +42,6 @@
>  <p>
>  
>  <ul>
> -<li><a href="http://www.spews.org">Spews Level 1</a><br>
> -<font color="#a00000">"SPEWS publishes two lists. The majority of the Level 1 list
> -is made up of netblocks owned by the spammers or spam support
> -operations themselves, with few or no other legitimate customers
> -detected. We don't even try and educate these types as any past
> -attempts at education have failed. If a known spammer buys a
> -new netblock but hasn't started spamming from it yet, it is still
> -eligible to be listed here. If used, this list should have close to
> -zero inadvertent blocking."</font> (from their web page)
> -<p>
> -Original source location:
> -<a href="http://www.spews.org/spews_list_level1.txt">
> -http://www.spews.org/spews_list_level1.txt</a>
> -<br>
> -OpenBSD mirror location:
> -<a href="http://www.openbsd.org/spamd/spews_list_level1.txt.gz">
> -http://www.openbsd.org/spamd/spews_list_level1.txt.gz</a>
> -<p>
> -
> -<li><a href="http://www.spews.org">Spews Level 2</a><br>
> -<font color="#a00000">
> -"This includes all of Level 1, plus anyone who is
> -spam-friendly, supporting spammers, or highly suspicious, but not
> -blatant enough to be included in the Level 1 list yet. If it becomes
> -obvious that someone at Level 2 has become a real problem, they
> -will be escalated to Level 1 after some attempt at education. The
> -Level 2 list will have some inadvertent blocking (non-spammer IP
> -addresses listed), but can still be used by small ISPs or
> -individuals who want a stricter level of blocking/filtering. By
> -having a two tiered list, you can make the hardcore spamfighters
> -happy; those who want to block first and ask questions later.
> -Also, a listing in the Level 2 list may exert a bit of pressure on
> -spam friendly sites and may keep them from turning totally bad -
> -but that is not really the point, stopping spam is. (note: a Level
> -value of "0" means that area is not listed)"</font> (from their web page)
> -<p>
> -Original source location:
> -<a href="http://www.spews.org/spews_list_level2.txt">
> -http://www.spews.org/spews_list_level2.txt</a>
> -<br>
> -OpenBSD mirror location:
> -<a href="http://www.openbsd.org/spamd/spews_list_level2.txt.gz">
> -http://www.openbsd.org/spamd/spews_list_level2.txt.gz</a>
> -<p>
> -
>  <li><a href="http://www.okean.com/asianspamblocks.html">China CIDR</a><br>
>  <font color="#a00000">
>  "Because these two countries have the chronic and pervasive practice
>

--
#!/usr/bin/perl
if ((not 0 && not 1) !=  (! 0 && ! 1)) {
   print "Larry and Tom must smoke some really primo stuff...\n";
}


Re: spamd - SPEWS status

Daniel Ouellet
Bob Beck wrote:
> Yeah, probably time to retire spews, they aren't going
> to fix it.
>
> Aside from my traplist (which I'll add) anyone have
> any suggestions for useful addtions when I commit this? I seldom
> use exernally maintained blacklists anymore :)
>
> -Bob

Not that it can be added that quickly for sure, but your greyscanner
really does wonders, even in the ISP setup which I have run now for a few
months, with only joy from customers!

Maybe if there was a way to distribute one's own additions only, it would
be a good idea, as then we could merge traplists from multiple locations if
one wants to do this. I wouldn't have any objection to making mine
available if that helps.

As for blacklists, I have to say that I do not run any at all anymore
after tuning the greyscanner and adding many domains to it that have no
users on them.

I was using ORDB as one of my blacklists before, but as they closed down too,
I have now removed all of them. I am really not sure that blacklists are
the way to go anymore. The greyscanner with adjustment for the specific setup,
a bunch of dead domains, and LDAP, or any other way to trap all
invalid email addresses, would be a killer, and then I don't think any
blacklist would ever be needed anymore, or even be useful anyway.

That's just my own feedback from the field.

Best,

Daniel


Re: spamd - SPEWS status

Jacob Yocom-Piatt
Daniel Ouellet wrote:

> Bob Beck wrote:
>>     Yeah, probably time to retire spews, they aren't going
>> to fix it.
>>     Aside from my traplist (which I'll add) anyone have
>> any suggestions for useful additions when I commit this? I seldom
>> use externally maintained blacklists anymore :)
>>     -Bob
>
> Not that it can be added that quickly for sure, but your greyscanner
> really does wonders, even in the ISP setup which I have run now for a few
> months, with only joy from customers!
>
> Maybe if there was a way to distribute one's own additions only, it would
> be a good idea, as then we could merge traplists from multiple locations if
> one wants to do this. I wouldn't have any objection to making mine
> available if that helps.
>

sharing traplists would be absolutely awesome and i remember seeing
something about this being upcoming in one of bob's slideshows. this is
obviously no simple task though.

> As for blacklists, I have to say that I do not run any at all anymore
> after tuning the greyscanner and adding many domains to it that have
> no users on them.
>
> I was using ORDB as one of my blacklists before, but as they closed down
> too, I have now removed all of them. I am really not sure that
> blacklists are the way to go anymore. The greyscanner with adjustment for
> the specific setup, a bunch of dead domains, and LDAP, or any other
> way to trap all invalid email addresses, would be a killer, and then I
> don't think any blacklist would ever be needed anymore, or even be useful
> anyway.
>

the only blacklist i use is one i generate for a chunk of the
OptInBig.com TLDs. besides that, greylisting does a great job.

cheers,
jake

> That's just my own feedback from the field.
>
> Best,
>
> Daniel


Re: spamd - SPEWS status

J.C. Roberts
In reply to this post by beck-7
On Thursday 01 February 2007 09:25, Bob Beck wrote:
>         Yeah, probably time to retire spews, they aren't going
> to fix it.
>
>         Aside from my traplist (which I'll add) anyone have
> any suggestions for useful additions when I commit this? I seldom
> use externally maintained blacklists anymore :)
>
>         -Bob

<disclaimer>
I'm not a mail server admin and can not even play one on TV.
</disclaimer>

I don't know what you're currently using for lists, but the following are
some of the "questionable activity" type block lists (i.e. a politically
correct way to dodge the issue of compromised hosts being used for
attacks but owned by legit companies):
http://www.projecthoneypot.org/

These guys are working with sans and supposedly have a block list, but
I've been unable to find said list.
http://www.dshield.org

I'm not sure if this new list is up yet...
http://security.itworld.com/4357/nlssecurity070116/page_1.html
http://blogs.securiteam.com/index.php?s=honeynet

I hope it helps...

-jcr

--
cd ~.   -Almost Home


Re: spamd - SPEWS status

smith-16
In reply to this post by Daniel Ouellet
On Thu, 01 Feb 2007 15:38:37 -0500, Daniel Ouellet wrote
> May be if there was a way to distribute one own addition only may be
> a good idea as then we could merge traplist from multiple locations
> if one wants to do this. I wouldn't have any objection to make mine
> available if that help.
>
Wouldn't distributing a traplist make it prone to being poisoned?  i.e. a
pissed off spammer adding a legit email to the traplist.


Re: spamd - SPEWS status

Daniel Ouellet
smith wrote:
> On Thu, 01 Feb 2007 15:38:37 -0500, Daniel Ouellet wrote
>> May be if there was a way to distribute one own addition only may be
>> a good idea as then we could merge traplist from multiple locations
>> if one wants to do this. I wouldn't have any objection to make mine
>> available if that help.
>>
> Wouldn't distributing a traplist make it prone to being poisoned?  i.e. a
> pissed off spammer adding a legit email to the traplist.

Yes it would, same as with a blacklist.

So, you select only the ones you trust as sources of traplists.

I am not talking about an Internet-wide list. I don't see how that could
work without a lack of trust, etc.

If you do that, then you would need to accept into your merged list only
entries that have been found multiple times in multiple lists. Not sure how
even that might be good.
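The "only accept what multiple lists agree on" idea above, as an added example that is not part of spamd or any poster's tooling: it merges several spamd-style address lists (one IP or CIDR per line, `#` comments) and keeps a network only when at least `quorum` sources list it or a network containing it, so a single poisoned source cannot push an entry through. The three source lists are constructed.

```python
"""Merge spamd-style address lists by quorum: keep only the networks that at
least `quorum` independent sources agree on. Added example, not spamd code.
A source "agrees" on a network if it lists that network or a supernet of it;
malformed lines are reported, never silently turned into blocks."""
import ipaddress


def parse_address_list(text):
    """Parse one source: one IP or CIDR per line, '#' comments, blank lines.
    Returns (set of ip_network objects, list of rejected tokens)."""
    nets, rejected = set(), []
    for line in text.splitlines():
        token = line.split("#", 1)[0].strip()
        if not token:
            continue
        try:
            nets.add(ipaddress.ip_network(token, strict=False))
        except ValueError:
            rejected.append(token)
    return nets, rejected


def _supported_by(net, source):
    """True if `source` lists `net` itself or a network containing it."""
    return any(net.version == other.version and net.subnet_of(other)
               for other in source)


def merge_by_quorum(sources, quorum):
    """Return (sorted CIDR strings agreed on by >= quorum sources,
    all rejected tokens across sources)."""
    parsed, rejected = [], []
    for text in sources:
        nets, bad = parse_address_list(text)
        parsed.append(nets)
        rejected.extend(bad)
    candidates = set().union(*parsed)
    agreed = [n for n in candidates
              if sum(_supported_by(n, s) for s in parsed) >= quorum]
    agreed.sort(key=lambda n: (n.version, n))  # v4 before v6, then by address
    return [str(n) for n in agreed], rejected


# Constructed sample sources (RFC 5737 / RFC 3849 documentation ranges).
SOURCE_A = """# list A
192.0.2.10
192.0.2.0/24
198.51.100.7
"""
SOURCE_B = """192.0.2.10
203.0.113.0/25
not-an-address   # a typo that must not become a block
"""
SOURCE_C = """203.0.113.0/25
192.0.2.10
198.51.100.0/24
2001:db8::1
"""
```

With quorum 2, 198.51.100.7 survives because source C lists a network containing it, while source A's whole 192.0.2.0/24 does not, since nobody else lists that range.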


Re: spamd - SPEWS status

Holger Mauermann
In reply to this post by beck-7
Bob Beck wrote:
> Aside from my traplist (which I'll add) anyone have
> any suggestions for useful additions when I commit this? I seldom
> use externally maintained blacklists anymore :)

I use a script that extracts addresses from the blacklist at
http://www.heise.de/ix/nixspam/dnsbl_en/. It catches lots of spammers
that are not on Bob's traplist. My /var/log/spamd shows that about 30%
are caught by the traplist, 55% by nixspam and 15% by both lists.

Holger


Re: spamd - SPEWS status

Gregory Edigarov-2
In reply to this post by Jacob Yocom-Piatt
Jacob Yocom-Piatt wrote:
>
> the only blacklist i use is one i generate for a chunk of the
> OptInBig.com TLDs. besides that, greylisting does a great job.
>
Yeah, greylisting is good, but only for a short while, I am
afraid. My measurements tell me that spammers are adapting quicker
than somebody expected.

It seems like their software started analyzing the return codes, and so
they are resending their mail after a short while. So I think
blacklisting is still in rule.
--
With best regards,
    Gregory Edigarov


Re: spamd - SPEWS status

P. Pruett
> It seems like their software started analyzing the return codes, and so they are
> resending their mail after a short while. So I think blacklisting is still in
> rule.
> --

Since greylisting has become more de facto, I have seen more
successful 411-like spam squeezing through "legitimate" email
servers with free web emails and especially the old excitenework,
and then the scoring is low on spamassassin on our side
even with SARES, because they craft the words better....  :(

So you still need to block by content, but that's getting harder also.

Since the need to block by content scanning, the chances of errors
are higher, thus the need to craft the 5.5.0 error message with
something like, call or fill out the form on this website to get whitelisted...


A while back I had posted a question about grey listing, and if it
got answered I missed it....

Basically for spamd we can edit the /etc/spamd.conf so that black
listings get a specific message when rejected, good...

But what about greytrapping?
When an email gets rejected due to greytrapping, what error message
can be returned?  how do you put that in /etc/spamd.conf

Somehow occasionally a legit server sends an email to a poison
address, maybe a spammer can use known poison emails and fake them
as from, then they spam legit servers, they in return send email
to the poison address and get greytrapped?   ARGH....


Re: spamd - SPEWS status

Rod Dorman
In reply to this post by Gregory Edigarov-2
On Friday, February 2, 2007, 04:02:38, Gregory Edigarov wrote:
>   ...
> Yeah, greylisting is good, but only for a short while, I am
> afraid. My measurements tell me that spammers are adapting quicker
> than somebody expected.
>
> It seems like their software started analyzing the return codes, and so
> they are resending their mail after a short while. So I think
> blacklisting is still in rule.

But having to queue, wait, and resend
   a) cuts down on the crap/hour they can send
   b) their IP might be on a blacklist the second time they try

--
[hidden email]     "The avalanche has already started, it is too
Rod Dorman              late for the pebbles to vote." - Ambassador Kosh


Re: spamd - SPEWS status

Nils.Reuvers
In reply to this post by Josh Grosse
I really think spammers don't give a damn about coming back to deliver
e-mail properly. The new breed of spammers uses botnets to deliver their
crap. And since those systems are not theirs and that bandwidth is not
theirs, they write software to act as a proper mail server. That means,
they come back when mail isn't properly delivered.

Downside is:
a) The botnet pc is getting whitelisted
b) The system administrator has to manually take it off the whitelist
and put it on the blacklist (I have written a shell script to take care
of this)
c) Your users are bothered with crap

Agreed, not all spammers are using botnets, thank god. However, the
spammers that do cause most of our and our users' irritation.

One solution would be to check if the delivering IP address has a
logical name like: mail. smtp. mx. etcetera.
But not all mail servers are set up like that. So I will get a lot of
users complaining e-mail doesn't reach them, and it will cost me about
the same amount of time to explain it to my users and whitelist the IP
address.

A solution I think would be a step in the right direction is providers
making international agreements.
First rule would be:
Home users should NOT have access to port 25 and may only use the
provider's mail server. That would block a lot, and I do mean a lot, of
the spam. Only on request, port 25 could be opened.

Second rule:
Those who do send spam should be blocked from sending e-mail until they
have cleaned their system. And I know, most people that are infected by
a Trojan sending spam do not know how to get rid of it. Providers
should deliver some kind of support to those people. Another upside is
that you'll educate users.

Well, there you have it.... my opinion.



On Friday, February 2, 2007, 04:02:38, Gregory Edigarov wrote:
>   ...
> Yeah, greylisting is good, but only for a short while, I am
> afraid. My measurements tell me that spammers are adapting quicker
> than somebody expected.
>
> It seems like their software started analyzing the return codes, and so
> they are resending their mail after a short while. So I think
> blacklisting is still in rule.

But having to queue, wait, and resend
   a) cuts down on the crap/hour they can send
   b) their IP might be on a blacklist the second time they try

--
[hidden email]     "The avalanche has already started, it is too
Rod Dorman              late for the pebbles to vote." - Ambassador Kosh


Re: spamd - SPEWS status

Stuart Henderson
On 2007/02/03 10:46, [hidden email] wrote:
> Second rule:
> Those who do send spam should be blocked from sending e-mail until they
> have cleaned their system. And I know, most people that are infected by
> a Trojan sending spam, do not know how to get rid of it. Providers
> should deliver some kind of support to those people. Other upside is;
> you'll educate users.

the way this is being done in the wild has certain implications for
privacy...  http://wesii.econinfosec.org/draft.php?paper_id=47


Re: spamd - SPEWS status

Csillag Tamas-2
In reply to this post by beck-7
On 02/01, Bob Beck wrote:
> Yeah, probably time to retire spews, they aren't going
> to fix it.
>
> Aside from my traplist (which I'll add) anyone have
> any suggestions for useful additions when I commit this? I seldom
> use externally maintained blacklists anymore :)
>
> -Bob
 
 hi,

 cbl.abuseat.org, njabl.org, zen.spamhaus.org are the RBLs I use.
 CBL is the best against botnets/viruses, and you can easily fetch its
 zone. For njabl.org you need to request access. zen... is for RBL
 queries only; you cannot download it.

 I used to load both cbl and njabl into spamd, but I stopped because
 they grew too big and won't fit. Now I use them at my real MTA.

cstamas
--
Person who say it cannot be done should not interrupt person doing it.
                 -- Chinese Proverb

CSILLAG Tamas (cstamas) - http://digitus.itk.ppke.hu/~cstamas


Re: spamd - SPEWS status

beck-7
In reply to this post by smith-16
* smith <[hidden email]> [2007-02-01 17:15]:
> On Thu, 01 Feb 2007 15:38:37 -0500, Daniel Ouellet wrote
> > May be if there was a way to distribute one own addition only may be
> > a good idea as then we could merge traplist from multiple locations
> > if one wants to do this. I wouldn't have any objection to make mine
> > available if that help.
> >
> Wouldn't distributing a traplist make it prone to being poisoned?  i.e. a
> pissed off spammer adding a legit email to the traplist.
>

        no, the list is not based on email addresses.

        -Bob


Re: spamd - SPEWS status

Craig Skinner
In reply to this post by Nils.Reuvers
On Sat, Feb 03, 2007 at 10:46:02AM +0100, [hidden email] wrote:

> I really think spammers don't give a damn about coming back to deliver
> e-mail properly. The new breed of spammers uses botnets to deliver their
> crap. And since those systems are not theirs and that bandwidth is not
> theirs, they write software to act as a proper mail server. That means,
> they come back when mail isn't properly delivered.
>
> Downside is:
> a) The botnet pc is getting whitelisted
> b) The system administrator has to manually take it off the whitelist
> and put it on the blacklist (I have written a shell script to take care
> of this)
> c) Your users are bothered with crap
>
> Agreed, not all spammers are using botnets, thank god. However, the
> spammers that do cause most of our and our users' irritation.
>
> One solution would be to check if the delivering IP address has a
> logical name like: mail. smtp. mx. etcetera.
> But not all mail servers are set up like that. So I will get a lot of
> users complaining e-mail doesn't reach them, and it will cost me about
> the same amount of time to explain it to my users and whitelist the IP
> address.

Greylisting is still the best crap-cutter at the moment.




A workable method is to reject mail from IPs that don't have rDNS that
maps to forward DNS, such as with postfix:

These are OK to use:

smtpd_recipient_restrictions =
        reject_non_fqdn_hostname
        reject_invalid_hostname
        reject_non_fqdn_sender
        reject_non_fqdn_recipient
        reject_unknown_sender_domain
        reject_unknown_recipient_domain
        ....


These will reject mail from legit servers that don't have rDNS for the
IP that they helo with, and the name that they helo with:

        reject_unknown_client
        reject_unknown_hostname

But it does cut the crap. So does a pcre that inspects rDNS of the
client like this:

/(dhcp|dyn|dial|ppp)/   REJECT Mail not accepted from hosts at dynamic IPs due to *spam*, Client checks


If you don't use all the above, you get pain from users about spam
volume.  If you do use it, you get pain from them about legit mail not
coming through...



I guess other MTAs such as Sendmail and Exim have similar methods to the
above.
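The rDNS logic behind the postfix restrictions above, as an added example that is not postfix code or Craig's configuration: a client is rejected when it has no PTR record, when its PTR does not resolve back to the connecting IP (forward-confirmed rDNS), or when the PTR matches the quoted dynamic-host pattern. DNS answers come from a constructed in-memory table so it runs offline; a real resolver only needs the same two methods.

```python
"""Forward-confirmed rDNS check plus the dynamic-hostname pattern from the
post above. Added example, not postfix code. The resolver is a constructed
in-memory table (assumption: a real one exposes the same ptr()/a() methods)."""
import re

# The pcre quoted above, applied as a substring match exactly as postfix does.
DYNAMIC_RE = re.compile(r"(dhcp|dyn|dial|ppp)")


class FakeResolver:
    """Constructed DNS view: PTR records keyed by IP, A records keyed by name."""

    def __init__(self, ptr, a):
        self._ptr, self._a = ptr, a

    def ptr(self, ip):
        """Names for an IP; [] when there is no reverse record."""
        return self._ptr.get(ip, [])

    def a(self, name):
        """IPs for a name; [] when the name does not resolve."""
        return self._a.get(name.lower().rstrip("."), [])


def check_client(ip, resolver):
    """Return ("accept", name) or ("reject", reason) for a connecting IP."""
    names = resolver.ptr(ip)
    if not names:                                   # cf. reject_unknown_client
        return "reject", "no rDNS for %s" % ip
    for name in names:
        if ip not in resolver.a(name):              # PTR must map back to the IP
            return "reject", "rDNS %s does not map back to %s" % (name, ip)
        if DYNAMIC_RE.search(name):                 # the pcre REJECT rule
            return "reject", "dynamic-looking rDNS %s" % name
    return "accept", names[0]


# Constructed records (RFC 5737 addresses, reserved example domains).
RESOLVER = FakeResolver(
    ptr={
        "192.0.2.5": ["mail.example.net."],
        "192.0.2.7": ["host7.example.org."],      # PTR exists, forward disagrees
        "192.0.2.8": ["dyn-8.isp.example."],      # FCrDNS fine, but a dynamic pool
        "192.0.2.9": ["dynamo-corp.example."],    # legit host caught by "dyn"
    },
    a={
        "mail.example.net": ["192.0.2.5"],
        "host7.example.org": ["192.0.2.99"],
        "dyn-8.isp.example": ["192.0.2.8"],
        "dynamo-corp.example": ["192.0.2.9"],
    },
)
```

The last record shows the false positive Craig warns about: a substring match on `dyn` also rejects a legitimate host whose name merely contains it, which is where the user complaints about lost mail come from.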


Re: spamd - SPEWS status -- Fun results --

Bob DeBolt
In reply to this post by beck-7
Greets

>> Wouldn't distributing a traplist make it prone to being poisoned?  i.e. a
>> pissed off spammer adding a legit email to the traplist.

I plugged in the traplist recently while mostly asleep  ( late night )
at the keyboard.

Next day I spent an hour and a half examining my mail server because
my mail volume dropped so suddenly, by 75%; I had forgotten I reinitialized
spamd etc. and thought the server had problems.


Bob
