O.T. milter-link - reject phishing & spam

Ken A ka at pacific.net
Fri Jun 30 19:45:38 IST 2006

Scott Silva wrote:
> Ken A spake the following on 6/29/2006 8:27 AM:
>> Stephen Swaney wrote:
>>>> -----Original Message-----
>>>> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-
>>>> bounces at lists.mailscanner.info] On Behalf Of Ken A
>>>> Sent: Wednesday, June 28, 2006 8:03 PM
>>>> To: MailScanner discussion
>>>> Subject: Re: O.T. milter-link - reject phishing & spam
>>>> Ken A wrote:
>>>>> Steve Freegard wrote:
>>>>>> Hi Ken,
>>>>>> Ken A wrote:
>>>>>>> Is the URIBL in your graph just a generic term here, or are you using
>>>>>>> milter-link with URIBL rather than SURBL, or both? I was just testing
>>>>>>> using SURBL, but might drop a couple more in and see how it goes...
>>>>>> It's a generic term -- I use all three URI lists (in the following
>>>>>> order):
>>>>>> sbl-xbl.spamhaus.org
>>>>>> multi.surbl.org
>>>>>> black.uribl.com
>>>>>> The spamhaus test is slightly different from the other two lists -- it
>>>>>> lists the IP addresses of spamvertised web servers and seems to work
>>>>>> the best of all three lists.
>>>>> Seems like that could be risky when considering a shared hosting
>>>>> environment, where there are hundreds of sites on a single IP. Wouldn't
>>>>> you be punishing them all?
>>>> for example..
>>>> # host humboldt.edu
>>>> humboldt.edu has address
>>>> # host
>>>> has address
>>>> That's Humboldt State University in Northern California.
>>>> I wonder if they host student sites, or have an open relay script..
>>>> :-(
>>>> Another one..
>>>> #host alumni.net
>>>> alumni.net has address
>>>> # host
>>>> has address
>>>> This is an alumni networking site claiming 4 million members..
>>>> They aren't on any other lists, probably another site on the same ip is
>>>> being exploited to send spam. I think maybe just the sbl might be safer,
>>>> at least for an ISP environment.
>>>> Thanks,
>>>> Ken A.
>>>> Pacific.Net
>>> Ken,
>>> I don't dispute your analysis or data but our service bureau scanners and
>>> all of our clients (Mostly UK, EU and US sites) have been blocking at the
>>> MTA level on sbl-xbl.spamhaus.org since it came into being. Maybe it's just
>>> luck but we've never had a single complaint of blocked email from a client
>>> or user that had email blocked because of an sbl-xbl.spamhaus.org listing.
>>> Many of our ISP and ASP clients would be unable to process the email they
>>> receive if they didn't block or drop on sbl-xbl.spamhaus.org at the MTA
>>> level. We are seeing some of our ISP client sites where the attempted spam /
>>> junk delivery rate is 95% of all incoming email. They have just got to block
>>> as much as possible at the MTA level or they are out of business!
>>> My hat's off to the people who maintain the sbl-xbl.spamhaus.org list. We
>>> should all tip our hats and support as best we can all of the good folks who
>>> create and maintain all of the lists and tools we use every day to stop
>>> #@!&*@#$! spam, viruses, phishing attacks, etc., etc.
>>> These are the people who are really keeping the Internet up, running and
>>> open for business.
>> Steve,
>> I agree completely. The team at spamhaus does a great job. Using
>> spamhaus sbl-xbl to block the connecting IP in your MTA makes a lot of
>> sense. But, that's a lot different than using xbl to block with
>> milter-link given the realities of shared IP addresses, and open
>> proxies that often land such IPs on the cbl.
>> That's just my thinking on this, since we happen to host more than one
>> site on a shared IP. I certainly don't have the large scale operation
>> you do, so perhaps I'm just a bit off target with my theoretical look at
>> this, as is often the case, especially before the 2nd cup... :-)
> As an administrator of a shared ip site, it would be up to you to drop or fix
> whoever got you listed and apply for a release of the IP from spamhaus.
> I know that our shoulders get heavy with the burdens of being a sysadmin, but
> that is the level that needs to resolve it.

At the risk of beating this to death. :-)

If you are going to do this, I'd at least include the IP in the error 
message, otherwise it's a bit of a wild goose chase to figure out why a 
particular host might be blacklisted, since you are taking the long way 
around to block it.

An example:

1. an email arrives from smtp.domain.tld containing a link to domain.tld
2. domain.tld has A record x.x.x.x
3. x.x.x.x is in xbl(cbl)
4. mail is refused with error message containing just domain.tld

Problems with this:
1. domain.tld can resolve to multiple IPs. So it's sometimes blocked, 
sometimes not.
2. Email admin gets a report that mail from domain.tld is being refused, 
so admin goes and checks spamhaus for listings containing smtp server 
ips and finds nothing there. Why would the email admin check the 
webserver ips if they never send mail outside the local network?

Conclusion: It would be better to include the IP if you are using a DNS 
based RBL with milter-link, so at least the poor overworked sysadmin can 
decipher the message a bit quicker.

I saw too many false positives testing with xbl(cbl) and milter-link.
sbl, multi.surbl.org and black.uribl.com all test good though, and this 
is a great milter. Highly recommended!

Ken A.
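The four-step check and the "include the IP" conclusion above, as an added worked example (this is not code from the original post, nor milter-link's own code). It extracts URL hostnames from a message body, resolves each to all of its A records, queries each address against an IP-based DNSBL zone, and builds a rejection text that names both the hostname and the specific listed address. DNS and the DNSBL are replaced by constructed in-memory tables so it runs offline; the zone name is the one from the thread, while the hostnames, addresses and return codes are made up.

```python
"""Simulated URI-to-IP DNSBL check with an admin-friendly rejection message.

Added example for the milter-link thread; not the project's own code.
The resolver and the blocklist are constructed lookup tables so that the
script runs with no network access.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed A records: shared.example is round-robin across two hosts,
# which is the "sometimes blocked, sometimes not" case from the thread.
FAKE_A_RECORDS: Dict[str, List[str]] = {
    "good.example": ["192.0.2.10"],
    "shared.example": ["192.0.2.20", "192.0.2.21"],
}

# Constructed DNSBL zone contents, keyed by the reversed-octet query name.
# Only one of shared.example's two addresses is listed.
FAKE_DNSBL: Dict[str, str] = {
    "21.2.0.192.sbl-xbl.spamhaus.org": "127.0.0.4",
}

URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def extract_hosts(body: str) -> List[str]:
    """Return the distinct, lower-cased hostnames found in http(s) URLs."""
    return sorted({m.group(1).lower().rstrip(".") for m in URL_HOST_RE.finditer(body)})


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the standard reversed-octet DNSBL query name for an IPv4 address."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def resolve_all(host: str, a_records: Dict[str, List[str]]) -> List[str]:
    """Return every A record for host (a real resolver may return only one
    per query, which is why checking a single answer gives flapping results)."""
    return a_records.get(host, [])


def check_message(
    body: str,
    zone: str = "sbl-xbl.spamhaus.org",
    include_ip: bool = True,
    a_records: Dict[str, List[str]] = FAKE_A_RECORDS,
    dnsbl: Dict[str, str] = FAKE_DNSBL,
) -> Tuple[bool, str]:
    """Return (accept, smtp_text).

    include_ip=False reproduces the message the thread complains about
    (hostname only); include_ip=True adds the listed address and zone so the
    admin on the other side knows which host to look at.
    """
    for host in extract_hosts(body):
        for ip in resolve_all(host, a_records):
            code: Optional[str] = dnsbl.get(dnsbl_query_name(ip, zone))
            if code is None:
                continue
            if include_ip:
                text = (f"550 5.7.1 Rejected: URL host {host} resolves to {ip}, "
                        f"which is listed in {zone} (returned {code})")
            else:
                text = f"550 5.7.1 Rejected: URL host {host} is blacklisted"
            return False, text
    return True, "250 2.0.0 accepted"


if __name__ == "__main__":
    sample = "Please verify your account at http://shared.example/login today."
    print(check_message(sample, include_ip=False)[1])
    print(check_message(sample)[1])
    print(check_message("Newsletter archive: https://good.example/2006/")[1])
```

Running the block prints the hostname-only rejection first, then the version that names 192.0.2.21 and the zone; the third message is accepted because good.example's only address is not listed.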
