TLD domain changes

Hugo van der Kooij hvdkooij at vanderkooij.org
Sun Aug 3 12:23:59 IST 2008



Rick Cooper wrote:
|  > -----Original Message-----
|  > From: mailscanner-bounces at lists.mailscanner.info
|  > [mailto:mailscanner-bounces at lists.mailscanner.info] On
|  > Behalf Of Scott B. Anderson
|  > Sent: Thursday, July 31, 2008 9:41 AM
|  > To: MailScanner discussion
|  > Subject: OT: TLD domain changes
|  >
|  > I can't block any email based solely upon its source TLD,
|  > even if it is China and I have no Chinese clients because
|  > some users may receive legit email from business contacts
|  > there, and this goes for a lot of countries, so I think MTA
|  > based domain filtering is out of the question.  I've had a
|  > list in SA to limit the damage this causes but I was
|  > wondering about the infinite TLD change coming in a year or
|  > so and how to handle it.  Do I get a list of the current
|  > ones and block everything from the new ones?  I'm sure this
|  > won't work in the long run, but listing all the bad guys is
|  > impossible as well, so I'm thinking about doing something
|  > like adding (Spam Score - .5) to all emails from the new
|  > TLDs.  Would this be easiest for MailScanner, SA, the MTA or
|  > some other software (like a milter) to accomplish?
|  >
|
| I rsync the countries list from http://www.blackholes.us/ . I have a couple
| scripts that pull all the Korea and China ASN cidrs and build iptables rules
| to block them all together. I also have an exim->perl function that used
| IP::Country to pull the ASN for several other countries that we do not do
| business with and block them. I would imagine you could use either with
| whatever mail server you are using. In three years or so that I have been
| doing this we have only had one issue and that was because the owner was
| selling an aircraft to a Japanese fellow who was using a Taiwanese yahoo
| account.

I second the concept of blocking based on AS numbers or specific subnets
if the owner of the netblock is not fighting off spam/malware.

I also found out a way to educate network operators to increase their
awareness of spam/malware originating from their network.

1. Document the complaint and send it to the owner of the netblock.
2. If that fails to stop notorious senders go for the owner of the AS
(unless that happens to be the same team).
3. If step 2 fails then contact all peers for said AS and show them why
they should review their peering deals with that AS and send a copy of
that complaint to the owner of the AS.

In at least 2 cases this resulted in shutting down infected machines
that were firing off spam/malware like machine guns for months.

Hugo.

--
hvdkooij at vanderkooij.org               http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

	A: Yes.
	>Q: Are you sure?
	>>A: Because it reverses the logical flow of conversation.
	>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
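The per-country netblock firewall that Rick describes above, as an added example that is not code from the thread or from MailScanner: it turns a country-labelled CIDR list into an iptables-restore fragment. The list format (one "CC CIDR" pair per line), the sample entries and the chain name COUNTRYBLOCK are assumptions; the real list would be rsynced from the source he names.

```shell
#!/bin/sh
# Added example, not from the thread. Builds an iptables-restore fragment that
# drops SMTP connections from every netblock listed for the chosen countries.

# Constructed sample list in the assumed "CC CIDR" format. It deliberately
# contains a malformed entry and a duplicate to show they are handled.
SAMPLE_LIST='KR 1.11.0.0/16
CN 1.24.0.0/13
KR 1.16.0.0/16
JP 1.0.16.0/20
CN not-a-cidr
CN 1.24.0.0/13'

# build_block_rules "KR,CN" "$list": one DROP rule per CIDR of the selected
# countries. Malformed entries are reported on stderr and skipped, and
# duplicates are removed, so one bad line in the feed cannot make the
# whole iptables-restore load fail.
build_block_rules() {
    printf '%s\n' "$2" | awk -v codes="$1" '
    BEGIN { n = split(codes, want, ","); for (i = 1; i <= n; i++) sel[want[i]] = 1 }
    function valid_cidr(c,   a, o, i) {
        if (c !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/) return 0
        split(c, a, "/")
        if (a[2] + 0 > 32) return 0
        split(a[1], o, ".")
        for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) return 0
        return 1
    }
    NF == 2 && ($1 in sel) {
        if (!valid_cidr($2)) { print "skipping malformed entry: " $0 > "/dev/stderr"; next }
        if (!seen[$2]++) print "-A COUNTRYBLOCK -s " $2 " -j DROP"
    }'
}

# Wrap the rules in a complete filter-table fragment: a dedicated chain that
# INPUT consults for port 25 only, so the block is limited to inbound SMTP.
build_restore_fragment() {
    printf '%s\n' '*filter' ':COUNTRYBLOCK - [0:0]'
    build_block_rules "$1" "$2"
    printf '%s\n' '-A INPUT -p tcp --dport 25 -j COUNTRYBLOCK' 'COMMIT'
}

build_restore_fragment "KR,CN" "$SAMPLE_LIST"
```

The output is meant for `iptables-restore -n` (or for review first); keeping the blocks in their own chain makes it easy to flush and rebuild them when the list is refreshed.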
