O.T. milter-link - reject phishing & spam

Scott Silva ssilva at sgvwater.com
Fri Jun 30 21:13:32 IST 2006


Ken A spake the following on 6/30/2006 11:45 AM:
> 
> 
> Scott Silva wrote:
>> Ken A spake the following on 6/29/2006 8:27 AM:
>>>
>>> Stephen Swaney wrote:
>>>>> -----Original Message-----
>>>>> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-
>>>>> bounces at lists.mailscanner.info] On Behalf Of Ken A
>>>>> Sent: Wednesday, June 28, 2006 8:03 PM
>>>>> To: MailScanner discussion
>>>>> Subject: Re: O.T. milter-link - reject phishing & spam
>>>>>
>>>>>
>>>>>
>>>>> Ken A wrote:
>>>>>> Steve Freegard wrote:
>>>>>>> Hi Ken,
>>>>>>>
>>>>>>> Ken A wrote:
>>>>>>>> Is the URIBL in your graph just a generic term here, or are you
>>>>>>>> using milter-link with URIBL rather than SURBL, or both? I was just
>>>>>>>> testing using SURBL, but might drop a couple more in and see how it goes...
>>>>>>> It's a generic term -- I use all three URI lists (in the following
>>>>>>> order):
>>>>>>>
>>>>>>> sbl-xbl.spamhaus.org
>>>>>>> multi.surbl.org
>>>>>>> black.uribl.com
>>>>>>>
>>>>>>> The spamhaus test is slightly different from the other two lists -- it
>>>>>>> lists the IP addresses of spamvertised web servers and seems to work
>>>>>>> the best of all three lists.
>>>>>> Seems like that could be risky when considering a shared hosting
>>>>>> environment, where there are hundreds of sites on a single IP.
>>>>>> Wouldn't you be punishing them all?
>>>>> for example..
>>>>>
>>>>> # host humboldt.edu
>>>>> humboldt.edu has address 137.150.145.17
>>>>> # host 17.145.150.137.sbl-xbl.spamhaus.org
>>>>> 17.145.150.137.sbl-xbl.spamhaus.org has address 127.0.0.4
>>>>>
>>>>> That's Humboldt State University in Northern California.
>>>>> I wonder if they host student sites, or have an open relay script..
>>>>> :-(
>>>>>
>>>>> Another one..
>>>>> #host alumni.net
>>>>> alumni.net has address 66.240.255.123
>>>>> # host 123.255.240.66.sbl-xbl.spamhaus.org
>>>>> 123.255.240.66.sbl-xbl.spamhaus.org has address 127.0.0.4
>>>>>
>>>>> This is an alumni networking site claiming 4 million members..
>>>>> They aren't on any other lists, probably another site on the same
>>>>> ip is being exploited to send spam. I think maybe just the sbl might be
>>>>> safer, at least for an ISP environment.
>>>>>
>>>>> Thanks,
>>>>> Ken A.
>>>>> Pacific.Net
>>>> Ken,
>>>>
>>>> I don't dispute your analysis or data but our service bureau
>>>> scanners and all of our client's (Mostly UK, EU and US sites) have been
>>>> blocking at the MTA level on sbl-xbl.spamhaus.org since it came into
>>>> being. Maybe it's just luck but we've never had a single complaint of
>>>> blocked email from a client or user that had email blocked because of
>>>> an sbl-xbl.spamhaus.org listing.
>>>>
>>>> Many of our ISP and ASP clients would be unable to process the email
>>>> they receive if they didn't block or drop on sbl-xbl.spamhaus.org at
>>>> the MTA level. We are seeing some of our ISP client sites where the
>>>> attempted spam / junk delivery rate is 95% of all incoming email. They
>>>> have just got to block as much as possible at the MTA level or they
>>>> are out of business!
>>>> My hats off to the people who maintain the sbl-xbl.spamhaus.org
>>>> list. We should all tip our hats and support as best we can all of the
>>>> good folks who create and maintain all of the lists and tools we use
>>>> every day to stop #@!&*@#$! spam, viruses, phishing attacks, etc., etc.
>>>>
>>>> These are the people who are really keeping the Internet up, running
>>>> and open for business.
>>> Steve,
>>>
>>> I agree completely. The team at spamhaus does a great job. Using
>>> spamhaus sbl-xbl to block the connecting IP in your MTA makes a lot of
>>> sense. But, that's a lot different than using xbl to block with
>>> milter-link given the realities of shared IP addresses, and open
>>> proxies that often land such IPs on the cbl.
>>>
>>> That's just my thinking on this, since we happen to host more than one
>>> site on a shared IP. I certainly don't have the large scale operation
>>> you do, so perhaps I'm just a bit off target with my theoretical look at
>>> this, as is often the case, especially before the 2nd cup... :-)
>>>
>> As an administrator of a shared IP site, it would be up to you to drop
>> or fix whoever got you listed and apply for a release of the IP from
>> spamhaus. I know that our shoulders get heavy with the burdens of being
>> a sysadmin, but that is the level that needs to resolve it.
>>
>>
> 
> At the risk of beating this to death. :-)
> 
> If you are going to do this, I'd at least include the IP in the error
> message, otherwise it's a bit of a wild goose chase to figure out why a
> particular host might be blacklisted, since you are taking the long way
> around to block it.
> 
> An example:
> 
> 1. an email arrives from smtp.domain.tld containing a link to domain.tld
> 2. domain.tld has A record x.x.x.x
> 3. x.x.x.x is in xbl(cbl)
> 4. mail is refused with error message containing just domain.tld
> 
> Problems with this:
> 1. domain.tld can resolve to multiple ips. So it's sometimes blocked,
> sometimes not.
> 2. Email admin gets a report that mail from domain.tld is being refused,
> so admin goes and checks spamhaus for listings containing smtp server
> ips and finds nothing there. Why would the email admin check the
> webserver ips if they never send mail outside the local network?
> 
> Conclusion: It would be better to include the IP if you are using a DNS
> based RBL with milter-link, so at least the poor overworked sysadmin can
> decipher the message a bit quicker.
> 
> I saw too many false positives testing with xbl(cbl) and milter-link.
> sbl, multi.surbl.org and black.uribl.com all test good though, and this
> is a great milter. Highly recommended!
> 
> Ken A.
> Pacific.Net
> 
This is what I have in my sendmail.m4 file:

FEATURE(`dnsbl',`sbl-xbl.spamhaus.org',`"550 Mail from " $&{client_addr} " refused. Rejected - your SMTP server is listed in SBL-XBL list -- see http://www.spamhaus.org/query/bl?ip=" $&{client_addr}')

It gives a reject message, and lists the rejected IP address as resolved by
sendmail.


-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
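Added example, not part of the thread and not code from milter-link or sendmail: it reproduces the lookup Ken's `host` commands perform (reverse the octets of a URI host's A record and query the DNSBL zone), shows why a host with several A records is "sometimes blocked, sometimes not" when only the first record is checked, and builds a reject message that names the listed IP, as Ken recommends and as Scott's sendmail FEATURE does for the connecting client. All hostnames, addresses, the zone name and the listing data are constructed so the script runs offline; nothing here is real DNS data.

```python
"""Check a URI host against an IP-based DNSBL and report the listed IP.

Added illustration for the milter-link thread.  The resolver and DNSBL
are dictionary stand-ins (constructed data), so the example runs offline.
"""
import ipaddress

# Constructed A records (NOT real DNS data).  www.example.org is a
# round-robin host where only one of its two addresses is listed;
# mail.example.org is the sending MTA, which is not listed at all.
FAKE_A_RECORDS = {
    "www.example.org": ["192.0.2.10", "192.0.2.11"],
    "mail.example.org": ["198.51.100.5"],
}

# Placeholder zone standing in for sbl-xbl.spamhaus.org; 127.0.0.4 is the
# return code the thread's `host` output shows for an sbl-xbl listing.
ZONE = "sbl-xbl.example.invalid"
FAKE_DNSBL = {
    "10.2.0.192." + ZONE: "127.0.0.4",
}


def dnsbl_query_name(ip, zone):
    """Build the reversed-octet DNSBL query name.

    137.150.145.17 with zone sbl-xbl.spamhaus.org becomes
    17.145.150.137.sbl-xbl.spamhaus.org, exactly what `host` was asked for.
    Raises ValueError if ip is not a valid IPv4 address.
    """
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def lookup_a(hostname, records=FAKE_A_RECORDS):
    """Stand-in for an A-record lookup; returns the list of addresses."""
    return list(records.get(hostname, []))


def dnsbl_lookup(ip, zone, listings=FAKE_DNSBL):
    """Stand-in for the DNSBL query; returns the return code or None."""
    return listings.get(dnsbl_query_name(ip, zone))


def check_uri_host(hostname, zone, a_records=None, check_all=True):
    """Check every A record of a URI host against the DNSBL zone.

    Returns None when nothing is listed, otherwise a dict naming the host,
    the listed IP, the DNSBL return code and a reject message that includes
    the IP so the receiving admin knows which address to look up.

    check_all=False consults only the first A record, which is the behaviour
    that makes a round-robin host appear blocked on some deliveries and not
    on others, depending on the order the resolver returns the records.
    """
    ips = a_records if a_records is not None else lookup_a(hostname)
    candidates = ips if check_all else ips[:1]
    for ip in candidates:
        code = dnsbl_lookup(ip, zone)
        if code:
            message = (
                "550 Link to %s refused: it resolves to %s, which is listed "
                "in %s (returned %s)" % (hostname, ip, zone, code)
            )
            return {"host": hostname, "ip": ip, "code": code, "message": message}
    return None


if __name__ == "__main__":
    print(dnsbl_query_name("137.150.145.17", "sbl-xbl.spamhaus.org"))
    print(check_uri_host("www.example.org", ZONE))
    # Same host, A records in the other order, first record only: not caught.
    print(check_uri_host("www.example.org", ZONE,
                         a_records=["192.0.2.11", "192.0.2.10"], check_all=False))
    print(check_uri_host("mail.example.org", ZONE))
```

The inconsistent result is visible in the two `www.example.org` calls: checking all records always finds 192.0.2.10, while checking only the first record depends on which address the resolver happened to return first. Whatever policy is chosen, the reject text carries the IP, not just the hostname, so the admin on the other end does not go looking for a listing of their SMTP server.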
