O.T. milter-link - reject phishing & spam

Fri Jun 30 21:29:30 IST 2006

Scott Silva wrote:
> Ken A spake the following on 6/30/2006 11:45 AM:
>>
>> Scott Silva wrote:
>>> Ken A spake the following on 6/29/2006 8:27 AM:
>>>> Stephen Swaney wrote:
>>>>>> -----Original Message-----
>>>>>> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-
>>>>>> bounces at lists.mailscanner.info] On Behalf Of Ken A
>>>>>> Sent: Wednesday, June 28, 2006 8:03 PM
>>>>>> To: MailScanner discussion
>>>>>> Subject: Re: O.T. milter-link - reject phishing & spam
>>>>>>
>>>>>>
>>>>>>
>>>>>> Ken A wrote:
>>>>>>> Steve Freegard wrote:
>>>>>>>> Hi Ken,
>>>>>>>>
>>>>>>>> Ken A wrote:
>>>>>>>>> Is the URIBL in your graph just a generic term here, or are you
>>>>>>>>> using
>>>>>>>>> milter-link with URIBL rather than SURBL, or both? I was just
>>>>>>>>> testing
>>>>>>>>> using SURBL, but might drop a couple more in and see how it goes...
>>>>>>>> It's a generic term -- I use all three URI lists (in the following
>>>>>>>> order):
>>>>>>>>
>>>>>>>> sbl-xbl.spamhaus.org
>>>>>>>> multi.surbl.org
>>>>>>>> black.uribl.com
>>>>>>>>
>>>>>>>> The spamhaus test is slightly different from the other two lists
>>>>>>>> -- it
>>>>>>>> lists the IP addresses of spamvertised web servers and seems to work
>>>>>>>> the best of all three lists.
>>>>>>> Seems like that could be risky when considering a shared hosting
>>>>>>> environment, where there are hundreds of sites on a single IP.
>>>>>>> Wouldn't
>>>>>>> you be punishing them all?
>>>>>> for example..
>>>>>>
>>>>>> # host humboldt.edu
>>>>>> humboldt.edu has address 137.150.145.17
>>>>>> # host 17.145.150.137.sbl-xbl.spamhaus.org
>>>>>> 17.145.150.137.sbl-xbl.spamhaus.org has address 127.0.0.4
>>>>>>
>>>>>> That's Humboldt State University in Northern California.
>>>>>> I wonder if they host student sites, or have an open relay script..
>>>>>> :-(
>>>>>>
>>>>>> Another one..
>>>>>> #host alumni.net
>>>>>> alumni.net has address 66.240.255.123
>>>>>> # host 123.255.240.66.sbl-xbl.spamhaus.org
>>>>>> 123.255.240.66.sbl-xbl.spamhaus.org has address 127.0.0.4
>>>>>>
>>>>>> This is a alumni networking site claiming 4 million members..
>>>>>> They aren't on any other lists, probably another site on the same
>>>>>> ip is
>>>>>> being exploited to send spam. I think maybe just the sbl might be
>>>>>> safer,
>>>>>> at least for an ISP environment.
>>>>>>
>>>>>> Thanks,
>>>>>> Ken A.
>>>>>> Pacific.Net
>>>>> Ken,
>>>>>
>>>>> I don't dispute your analysis or data but our service bureau
>>>>> scanners and
>>>>> all of our client's (Mostly UK, EU and US sites) have been blocking at
>>>>> the
>>>>> MTA level on sbl-xbl.spamhaus.org since it came into being. Maybe it's
>>>>> just
>>>>> luck but we've never had a single complaint of blocked email from a
>>>>> client
>>>>> or user that had email blocked because of an sbl-xbl.spamhaus.org
>>>>> listing.
>>>>>
>>>>> Many of our ISP and ASP clients would be unable to process the email
>>>>> they
>>>>> receive if they didn't block or drop on sbl-xbl.spamhaus.org at the MTA
>>>>> level. We are seeing some of our IPS client sites where the attempted
>>>>> spam /
>>>>> junk delivery rate is 95% of all incoming email. They have just got to
>>>>> block
>>>>> as much as possible at the MTA level or they are out of business!
>>>>> My hats off to the people who maintain the sbl-xbl.spamhaus.org
>>>>> list. We
>>>>> should all tip our hats and support as best we can all of the good
>>>>> folks who
>>>>> create and maintain all of the lists and tools we use every day to stop
>>>>> #@!&*@#$! spam, viruses, phishing attacks, etc., etc.
>>>>>
>>>>> These are the people who are really keeping the Internet up, running
>>>>> and
>>>>> open for business. 
>>>> Steve,
>>>>
>>>> I Agree completely. The team at spamhaus does a great job. Using
>>>> spamhaus sbl-xbl to block the connecting IP in your MTA makes a lot of
>>>> sense. But, that's a lot different than using xbl to block with
>>>> milter-link given the realities of shared IPs addresses, and open
>>>> proxies that often land such IPs on the cbl.
>>>>
>>>> That's just my thinking on this, since we happen to host more than one
>>>> site on a shared IP. I certainly don't have the large scale operation
>>>> you do, so perhaps I'm just a bit off target with my theoretical look at
>>>> this, as is often the case, especially before the 2nd cup... :-)
>>>>
>>> As an administrator of a shared ip site, it would be up to you to drop
>>> or fix
>>> whoever got you listed and apply for a release of the IP from spamhaus.
>>> I know that our shoulders get heavy with the burdens of being a
>>> sysadmin, but
>>> that is the level that needs to resolve it.
>>>
>>>
>> At the risk of beating this to death. :-)
>>
>> If you are going to do this, I'd at least include the IP in the error
>> message, otherwise it's a bit of a wild goose chase to figure out why a
>> particular host might be blacklisted, since you are taking the long way
>> around to block it.
>>
>> An example:
>>
>> 1. an email arrives from smtp.domain.tld containing a link to domain.tld
>> 2. domain.tld has A record x.x.x.x
>> 3 .x.x.x.x is in xbl(cbl)
>> 4. mail is refused with error message containing just domain.tld
>>
>> Problems with this:
>> 1. domain.tld can resolv to multiple ips. So it's sometimes blocked,
>> sometimes not.
>> 2. Email admin gets a report that mail from domain.tld is being refused,
>> so admin goes and checks spamhaus for listings containing smtp server
>> ips and finds nothing there. Why would the email admin check the
>> webserver ips if they never send mail outside the local network?
>>
>> Conclusion: It would be better to include the IP if you are using a DNS
>> based RBL with milter-link, so at least the poor overworked sysadmin can
>> decipher the message a bit quicker.
>>
>> I saw too many false positives testing with xbl(cbl) and milter link.
>> sbl, multi.surble.org and black.uribl.com all test good though, and this
>> is a great milter. Highly recommended!
>>
>> Ken A.
>> Pacific.Net
>>
> This is what I have in my sendmail.m4 file;
> 
> FEATURE(`dnsbl',`sbl-xbl.spamhaus.org',`"550 Mail from " $&{client_addr} "
> refused. Rejected - your SMTP server is listed in SBL-XBL list -- see
> http://www.spamhaus.org/query/bl?ip=" $&{client_addr}')
> 
> It gives a reject message, and lists the rejected IP address as resolved by
> sendmail.
> 
> 

Yes, that's a good thing. However, milter-link (what this thread was 
about) from snertsoft looks at message bodies, not the connecting IP.
It's great for catching mail with links to some-evil-site.biz in message 
bodies, but it has some limits, which is what I was rather 
unsuccessfully pointing out. :-)

Ken A.
Pacific.Net