O.T. milter-link - reject phishing & spam

Scott Silva ssilva at sgvwater.com
Fri Jun 30 21:13:32 IST 2006

Ken A spake the following on 6/30/2006 11:45 AM:
> Scott Silva wrote:
>> Ken A spake the following on 6/29/2006 8:27 AM:
>>> Stephen Swaney wrote:
>>>>> -----Original Message-----
>>>>> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-
>>>>> bounces at lists.mailscanner.info] On Behalf Of Ken A
>>>>> Sent: Wednesday, June 28, 2006 8:03 PM
>>>>> To: MailScanner discussion
>>>>> Subject: Re: O.T. milter-link - reject phishing & spam
>>>>> Ken A wrote:
>>>>>> Steve Freegard wrote:
>>>>>>> Hi Ken,
>>>>>>> Ken A wrote:
>>>>>>>> Is the URIBL in your graph just a generic term here, or are you
>>>>>>>> using
>>>>>>>> milter-link with URIBL rather than SURBL, or both? I was just
>>>>>>>> testing
>>>>>>>> using SURBL, but might drop a couple more in and see how it goes...
>>>>>>> It's a generic term -- I use all three URI lists (in the following
>>>>>>> order):
>>>>>>> sbl-xbl.spamhaus.org
>>>>>>> multi.surbl.org
>>>>>>> black.uribl.com
>>>>>>> The spamhaus test is slightly different from the other two lists
>>>>>>> -- it
>>>>>>> lists the IP addresses of spamvertised web servers and seems to work
>>>>>>> the best of all three lists.
>>>>>> Seems like that could be risky when considering a shared hosting
>>>>>> environment, where there are hundreds of sites on a single IP.
>>>>>> Wouldn't
>>>>>> you be punishing them all?
>>>>> for example..
>>>>> # host humboldt.edu
>>>>> humboldt.edu has address
>>>>> # host
>>>>> has address
>>>>> That's Humboldt State University in Northern California.
>>>>> I wonder if they host student sites, or have an open relay script..
>>>>> :-(
>>>>> Another one..
>>>>> #host alumni.net
>>>>> alumni.net has address
>>>>> # host
>>>>> has address
>>>>> This is an alumni networking site claiming 4 million members..
>>>>> They aren't on any other lists, probably another site on the same
>>>>> ip is
>>>>> being exploited to send spam. I think maybe just the sbl might be
>>>>> safer,
>>>>> at least for an ISP environment.
>>>>> Thanks,
>>>>> Ken A.
>>>>> Pacific.Net
>>>> Ken,
>>>> I don't dispute your analysis or data but our service bureau
>>>> scanners and
>>>> all of our clients' (Mostly UK, EU and US sites) have been blocking at
>>>> the
>>>> MTA level on sbl-xbl.spamhaus.org since it came into being. Maybe it's
>>>> just
>>>> luck but we've never had a single complaint of blocked email from a
>>>> client
>>>> or user that had email blocked because of an sbl-xbl.spamhaus.org
>>>> listing.
>>>> Many of our ISP and ASP clients would be unable to process the email
>>>> they
>>>> receive if they didn't block or drop on sbl-xbl.spamhaus.org at the MTA
>>>> level. We are seeing some of our ISP client sites where the attempted
>>>> spam /
>>>> junk delivery rate is 95% of all incoming email. They have just got to
>>>> block
>>>> as much as possible at the MTA level or they are out of business!
>>>> My hat's off to the people who maintain the sbl-xbl.spamhaus.org
>>>> list. We
>>>> should all tip our hats and support as best we can all of the good
>>>> folks who
>>>> create and maintain all of the lists and tools we use every day to stop
>>>> #@!&*@#$! spam, viruses, phishing attacks, etc., etc.
>>>> These are the people who are really keeping the Internet up, running
>>>> and
>>>> open for business. 
>>> Steve,
>>> I agree completely. The team at spamhaus does a great job. Using
>>> spamhaus sbl-xbl to block the connecting IP in your MTA makes a lot of
>>> sense. But, that's a lot different than using xbl to block with
>>> milter-link given the realities of shared IP addresses, and open
>>> proxies that often land such IPs on the cbl.
>>> That's just my thinking on this, since we happen to host more than one
>>> site on a shared IP. I certainly don't have the large scale operation
>>> you do, so perhaps I'm just a bit off target with my theoretical look at
>>> this, as is often the case, especially before the 2nd cup... :-)
>> As an administrator of a shared ip site, it would be up to you to drop
>> or fix
>> whoever got you listed and apply for a release of the IP from spamhaus.
>> I know that our shoulders get heavy with the burdens of being a
>> sysadmin, but
>> that is the level that needs to resolve it.
> At the risk of beating this to death. :-)
> If you are going to do this, I'd at least include the IP in the error
> message, otherwise it's a bit of a wild goose chase to figure out why a
> particular host might be blacklisted, since you are taking the long way
> around to block it.
> An example:
> 1. an email arrives from smtp.domain.tld containing a link to domain.tld
> 2. domain.tld has A record x.x.x.x
> 3. x.x.x.x is in xbl(cbl)
> 4. mail is refused with error message containing just domain.tld
> Problems with this:
> 1. domain.tld can resolve to multiple ips. So it's sometimes blocked,
> sometimes not.
> 2. Email admin gets a report that mail from domain.tld is being refused,
> so admin goes and checks spamhaus for listings containing smtp server
> ips and finds nothing there. Why would the email admin check the
> webserver ips if they never send mail outside the local network?
> Conclusion: It would be better to include the IP if you are using a DNS
> based RBL with milter-link, so at least the poor overworked sysadmin can
> decipher the message a bit quicker.
> I saw too many false positives testing with xbl(cbl) and milter link.
> sbl, multi.surbl.org and black.uribl.com all test good though, and this
> is a great milter. Highly recommended!
> Ken A.
> Pacific.Net
This is what I have in my sendmail.m4 file:

FEATURE(`dnsbl',`sbl-xbl.spamhaus.org',`"550 Mail from " $&{client_addr} " refused. Rejected - your SMTP server is listed in SBL-XBL list -- see http://www.spamhaus.org/query/bl?ip=" $&{client_addr}')

It gives a reject message, and lists the rejected IP address as resolved by


MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
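The reject-message point Ken makes above (check every A record of the URI host, and name the listed IP rather than only the domain), as an added Python illustration that is not milter-link's own code. The resolver is injected as a callable, the DNS data in `_FAKE_DNS` is constructed, and the 550 wording is my own:

```python
import ipaddress
from typing import Callable, Iterable, List, Optional

Resolver = Callable[[str], Iterable[str]]   # hostname -> its A records
DEFAULT_ZONE = "sbl-xbl.spamhaus.org"       # the IP-based list from the thread


def dnsbl_query_name(ip: str, zone: str = DEFAULT_ZONE) -> str:
    """Reverse the octets of an IPv4 address and append the DNSBL zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def listed_addresses(domain: str, resolve: Resolver,
                     zone: str = DEFAULT_ZONE) -> List[str]:
    """Return every A record of `domain` that the DNSBL lists.

    Every A record is checked, not only the first one returned, so a host
    with several addresses gets the same verdict on every lookup."""
    hits = []
    for ip in resolve(domain):
        # A DNSBL "hit" is any answer for the reversed-IP query name.
        if list(resolve(dnsbl_query_name(ip, zone))):
            hits.append(ip)
    return hits


def reject_message(domain: str, resolve: Resolver,
                   zone: str = DEFAULT_ZONE) -> Optional[str]:
    """Build a 550 reply naming the URI host AND the listed IP, or None."""
    hits = listed_addresses(domain, resolve, zone)
    if not hits:
        return None
    return ("550 Rejected: URI host %s resolves to %s, which is listed in %s"
            " -- see http://www.spamhaus.org/query/bl?ip=%s"
            % (domain, hits[0], zone, hits[0]))


# Constructed sample DNS data standing in for live lookups (hypothetical).
_FAKE_DNS = {
    "domain.tld": ["192.0.2.10", "192.0.2.11"],        # two A records
    "clean.example": ["198.51.100.5"],
    "11.2.0.192.sbl-xbl.spamhaus.org": ["127.0.0.2"],  # only .11 is listed
}


def fake_resolve(name: str) -> List[str]:
    """Constructed resolver: an empty list means no A record (NXDOMAIN)."""
    return _FAKE_DNS.get(name, [])
```

With a live resolver such as `socket.gethostbyname_ex(name)[2]`, wrapped to return an empty list on `socket.gaierror`, the same functions query real DNS.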
