I'd like to get my blacklist/whitelist included in SA - SpamAssassin


  1. I'd like to get my blacklist/whitelist included in SA

    I'm referring to the Hostkarma list from junk email filter.

    http://wiki.junkemailfilter.com/inde...Spam_DNS_Lists

    What is the procedure/requirements to make this happen? I have 4 servers
    running rbldnsd.

    Questions ....

    What kind of license do I need to provide to be SA compatible?
    What would the bandwidth load be?
    Anything I should know before making this offer?

    Thanks in advance.


  2. Re: I'd like to get my blacklist/whitelist included in SA

    Marc Perkel wrote:
    > I'm referring to the Hostkarma list from junk email filter.
    >
    > http://wiki.junkemailfilter.com/inde...Spam_DNS_Lists
    >
    > What is the procedure/requirements to make this happen? I have 4 servers
    > running rbldnsd.
    >
    > Questions ....
    >
    > What kind of license do I need to provide to be SA compatible?


    free anonymous access. you can set up a "reasonable" limit to avoid being
    abused by some networks. in short, small networks should be able to
    access it without even knowing. if they need to know, then there is no
    point putting this in the default rules (a url may be as effective).
    unfortunately, this requires some work on your part (to detect the
    abusers, such as vendors who "resell" your lists as part of their
    services without acknowledging that or reversing ...). but life is that
    way: it's not easy;-p



    > What would the bandwidth load be?
    > Anything I should know before making this offer?
    >
    > Thanks in advance.
    >
    >



  3. Re: I'd like to get my blacklist/whitelist included in SA

    In article <488A0F17.60303@perkel.com>, Marc Perkel
    writes
    >What kind of license do I need to provide to be SA compatible?


    I'd imagine the line "anyone who uses our lists or our data either
    directly from us or indirectly through a third party grants us a license
    for us to use your data from any lists that you might publish either
    directly or indirectly." needs dropping if you're even halfway serious.

    Demanding access to data in a default install option seems a tad
    excessive and unenforceable. I know that through various simple aspects
    of running a mail filter I can't ensure I'd be able to grant you access
    to all the data I indirectly contribute to lists.

    Even if you exempted me from such indirect contributions I'd assume the
    vast majority of the local data I could provide would be completely
    worthless to anyone but myself, and I doubt the overhead of my telling
    you that I have X.X.X.X whitelisted because I know someone behind that
    address would be worth it to access your blacklists.

    I'd also note that the wording of that line allows for future access to
    any lists I may be involved in, which would mean I'd have to make sure
    any future potential employers realised I'd signed away access to any
    lists they might run.

    Oh, and you seriously need a lawyer to look over your "fees" for small
    businesses. If I ever did feel the need for your data in a small
    business environment I assure you that the current wording
    is in such a way that I can stick to the letter of the license and still
    *really* avoid the junk you're after.

    Kevin


  4. mysterious spam - what is this trying to do?

    Sample posted here: http://pastebin.com/m7d993dc7

    Have seen several similar to this, the message contains only random words, no images, no web links. What's the point? It's not advertising, or trying to lure victims to a site, or carrying any payload. Commentary anyone?


  5. Re: mysterious spam - what is this trying to do?

    Please do NOT *reply* to a mail, if you start a new thread. Changing the
    Subject and removing the quoted text does not make it a new mail. It
    still is a reply. You just hijacked an unrelated thread.


    On Tue, 2008-07-29 at 10:38 -0400, Kevin Parris wrote:
    > Sample posted here: http://pastebin.com/m7d993dc7
    >
    > Have seen several similar to this, the message contains only random
    > words, no images, no web links. What's the point? It's not
    > advertising, or trying to lure victims to a site, or carrying any
    > payload. Commentary anyone?


    It is most likely just horribly broken. These have been rather common for a
    few days.

    The weird X-Header-CompanyDBUserName: header is entirely static. As is
    the X-Mailer: header. The other X-Header-* headers likely aren't
    intended to be sent either. The first Received: is utterly broken (IP
    with 18-digit numbers).

    Even the body is pretty static. The words are random (including length),
    but the punctuation and whitespace of the body is static again.


    I guess it should be rather safe to catch these based on the headers, if
    you have problems detecting them otherwise.

    guenther


    --
    char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a \x10\xf4\xf4\xc4";
    main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
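As an added illustration of the header-based catch guenther suggests (this is not code from the thread or from SpamAssassin), here is a small Python check that looks for the three things the post describes: a first Received: header whose "IP" has an impossible number in it, static X-Mailer / X-Header-CompanyDBUserName values, and leaked X-Header-* template fields. The two messages are constructed samples; the real values from the pastebin are not on the page, so the static values are placeholders, and the rule names (RCVD_BOGUS_IP and so on) are invented for the example.

```python
import re
from email import message_from_string

# Constructed sample modelled on the post: an 18-digit "octet" in the first
# Received: line, plus static X-Mailer and X-Header-* headers. Placeholder
# values only, not the actual spam from the pastebin.
SAMPLE_BROKEN = """\
Received: from mail.example.invalid (unknown [123456789012345678.1.2.3])
\tby mx.example.invalid (Postfix) with SMTP id PLACEHOLDER
Received: from relay.example.invalid ([192.0.2.10])
\tby mail.example.invalid with ESMTP
X-Mailer: STATIC-MAILER-PLACEHOLDER
X-Header-CompanyDBUserName: STATIC-USERNAME-PLACEHOLDER
X-Header-Other: leaked-template-field
From: sender@example.invalid
To: someone@example.invalid
Subject: lorem ipsum

random words here
"""

# Constructed clean sample: one valid relay, nothing unusual in the headers.
SAMPLE_OK = """\
Received: from relay.example.invalid ([192.0.2.10])
\tby mx.example.invalid (Postfix) with ESMTP id PLACEHOLDER
From: friend@example.invalid
To: someone@example.invalid
Subject: hello

plain text
"""

# Loose dotted-quad pattern: it must match the broken form too, so the octet
# range is validated afterwards rather than in the regex.
DOTTED = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

# Static values would be taken from observed samples; placeholders here.
STATIC_HEADERS = {
    "X-Mailer": "STATIC-MAILER-PLACEHOLDER",
    "X-Header-CompanyDBUserName": "STATIC-USERNAME-PLACEHOLDER",
}


def bogus_ips(received):
    """Dotted-quad-looking tokens in a Received: header whose octets are not 0..255."""
    return [m.group(0) for m in DOTTED.finditer(received)
            if any(len(o) > 3 or int(o) > 255 for o in m.groups())]


def fingerprint(raw):
    """Return the (hypothetical) rule names that fire on the message, with evidence."""
    msg = message_from_string(raw)
    hits = {}
    received = msg.get_all("Received") or []
    # Only the first Received: is checked: it is the one the post calls broken,
    # and it is the one written by the sending ratware rather than by our relay.
    if received:
        bad = bogus_ips(received[0])
        if bad:
            hits["RCVD_BOGUS_IP"] = bad
    static = [h for h, v in STATIC_HEADERS.items() if msg.get(h) == v]
    if static:
        hits["STATIC_RATWARE_HDRS"] = static
    leaked = [h for h in msg.keys() if h.lower().startswith("x-header-")]
    if leaked:
        hits["X_HEADER_TEMPLATE"] = leaked
    return hits


if __name__ == "__main__":
    for name, raw in (("broken", SAMPLE_BROKEN), ("ok", SAMPLE_OK)):
        print(name, fingerprint(raw))
```

In SpamAssassin terms these are plain `header` rules: a regex over Received: for the impossible address, and exact-match rules for the static X-Mailer and X-Header-CompanyDBUserName values. The static-value rules are the strong ones; the Received: check alone should be scored cautiously and run against a ham corpus first, since a broken relay line can also come from a misconfigured legitimate MTA.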


  6. Re: mysterious spam - what is this trying to do?

    Can be a probe too. Accepting mail from that IP with that content says
    something about your system. Spammers aren't stupid. They fingerprint us
    just like we fingerprint them.
    Ken
    Pacific.Net


    Karsten Bräckelmann wrote:
    > Please do NOT *reply* to a mail, if you start a new thread. Changing the
    > Subject and removing the quoted text does not make it a new mail. It
    > still is a reply. You just hijacked an unrelated thread.
    >
    >
    > On Tue, 2008-07-29 at 10:38 -0400, Kevin Parris wrote:
    >> Sample posted here: http://pastebin.com/m7d993dc7
    >>
    >> Have seen several similar to this, the message contains only random
    >> words, no images, no web links. What's the point? It's not
    >> advertising, or trying to lure victims to a site, or carrying any
    >> payload. Commentary anyone?

    >
    > It is most likely just horribly broken. These are rather common since a
    > few days.
    >
    > The weird X-Header-CompanyDBUserName: header is entirely static. As is
    > the X-Mailer: header. The other X-Header-* headers likely aren't
    > intended to be sent either. The first Received: is utterly broken (IP
    > with 18-digit numbers).
    >
    > Even the body is pretty static. The words are random (including length),
    > but the punctuation and whitespace of the body is static again.
    >
    >
    > I guess it should be rather safe to catch these based on the headers, if
    > you got problems detecting them otherwise.
    >
    > guenther
    >
    >



    --
    Ken Anderson
    Pacific.Net


  7. Re: mysterious spam - what is this trying to do?

    Ken A wrote:
    > Can be a probe too. Accepting mail from that IP with that content says
    > something about your system. Spammers aren't stupid. They fingerprint us
    > just like we fingerprint them.


    If I was a spammer, I don't see why I would probe you. I understand if
    it's filter poisoning, but probing to see if the message will be
    accepted is useless. they can just send their spam. if you reject it,
    others will accept it, and some will read it, which is exactly what they
    want to achieve.


  8. Re: mysterious spam - what is this trying to do?

    On Wednesday 30 July 2008 00:55:50 mouss wrote:
    > Ken A wrote:
    > > Can be a probe too. Accepting mail from that IP with that content says
    > > something about your system. Spammers aren't stupid. They fingerprint us
    > > just like we fingerprint them.

    >
    > If I was a spammer, I don't see why I would probe you. I understand if
    > it's filter poisoning, but probing to see if the message will be
    > accepted is useless. they can just send their spam. if you reject it,
    > others will accept it, and some will read it, which is exactly what they
    > want to achieve.


    No. Some spammers are a lot more clever than that.
    Especially if you sell lists, you usually make sure they are high quality.
    This is a low volume probe. Probably to clean out harvested lists.

    - They are probing for wrong addresses
    (This is why returning 550 imho makes sense and greylisting does not)
    - They are probing for backscatterer
    All mails would have the same From address,envelope, and helo
    of a compromised mailserver.
    - They are probing for spamtraps.
    Bigger ISPs can probably detect that best,
    since the mails would have a pattern.

    Of course there is always the possibility that the ratware is simply broken.
    **** happens :P

    --
    mit freundlichen Grüßen / best regards
    Arvid Ephraim Picciani


  9. Re: mysterious spam - what is this trying to do?

    On Tuesday 29 July 2008, Yet Another Ninja wrote:
    >On 7/29/2008 4:38 PM, Kevin Parris wrote:
    >> Sample posted here: http://pastebin.com/m7d993dc7
    >>
    >> Have seen several similar to this, the message contains only random
    >> words, no images, no web links. What's the point? It's not
    >> advertising, or trying to lure victims to a site, or carrying any
    >> payload. Commentary anyone?

    >
    >1- possible broken templates so the spam are missing something.
    >2- hashbusters in hope to pollute Bayes and render hash based filters
    >usless - "in hope" coz it doesn't work as "they" expect .-)


    I would almost argue that as bayes poison, it might be working, it seems to me
    that either the Viagra ads are getting more prolific, or more of them are now
    getting by SA. A month ago maybe 10 a day got past, now it's pushing 30.

    --
    Cheers, Gene
    "There are four boxes to be used in defense of liberty:
    soap, ballot, jury, and ammo. Please use in that order."
    -Ed Howdershelt (Author)
    Oblivion together does not frighten me, beloved.
    -- Thalassa (in Anne Mulhall's body), "Return to Tomorrow",
    stardate 4770.3.


  10. Re: mysterious spam - what is this trying to do?

    Arvid Ephraim Picciani wrote:
    > On Wednesday 30 July 2008 00:55:50 mouss wrote:
    >> Ken A wrote:
    >>> Can be a probe too. Accepting mail from that IP with that content says
    >>> something about your system. Spammers aren't stupid. They fingerprint us
    >>> just like we fingerprint them.

    >> If I was a spammer, I don't see why I would probe you. I understand if
    >> it's filter poisoning, but probing to see if the message will be
    >> accepted is useless. they can just send their spam. if you reject it,
    >> others will accept it, and some will read it, which is exactly what they
    >> want to achieve.

    >
    > No. Some spammers are a lot more clever than that.
    > Especially if you sell lists, you usually make sure they are high quality.
    > This is a low volume probe. Probably to clean out harvested lists.
    >
    > - They are probing for wrong addresses
    > (This is why returning 550 imho makes sense and greylisting does not)
    > - They are probing for backscatterer
    > All mails would have the same From address,envelope, and helo
    > of a compromised mailserver.
    > - They are probing for spamtraps.
    > Bigger ISPs can probably detect that best,
    > since the mails would have a pattern.
    >
    > Of course there is always the possibility that the ratware is simply broken.
    > **** happens :P
    >


    Yes. And also, in any war, consider resource usage.
    A simple example: Spammer at any given time may have access to a number
    of DNSRBL listed bots, and a number of unlisted bots. With an
    understanding of how ISP handles filtering based on a given DNSRBL,
    spammer may choose a certain delivery pattern.

    Ken


    --
    Ken Anderson
    Pacific.Net


  11. Re: mysterious spam - what is this trying to do?

    On Wed, 2008-07-30 at 09:21 -0500, Ken A wrote:
    > Arvid Ephraim Picciani wrote:
    > > On Wednesday 30 July 2008 00:55:50 mouss wrote:
    > >> Ken A wrote:
    > >>> Can be a probe too. Accepting mail from that IP with that content says
    > >>> something about your system. Spammers aren't stupid. They fingerprint us
    > >>> just like we fingerprint them.
    > >> If I was a spammer, I don't see why I would probe you. I understand if
    > >> it's filter poisoning, but probing to see if the message will be
    > >> accepted is useless. they can just send their spam. if you reject it,
    > >> others will accept it, and some will read it, which is exactly what they
    > >> want to achieve.

    > >
    > > No. Some spammers are a lot more clever than that.
    > > Especially if you sell lists, you usually make sure they are high quality.
    > > This is a low volume probe. Probably to clean out harvested lists.
    > >
    > > - They are probing for wrong addresses
    > > (This is why returning 550 imho makes sense and greylisting does not)
    > > - They are probing for backscatterer
    > > All mails would have the same From address,envelope, and helo
    > > of a compromised mailserver.
    > > - They are probing for spamtraps.
    > > Bigger ISPs can probably detect that best,
    > > since the mails would have a pattern.
    > >
    > > Of course there is always the possibility that the ratware is simply broken.
    > > **** happens :P
    > >

    >
    > Yes. And also, in any war, consider resource usage.
    > A simple example: Spammer at any given time may have access to a number
    > of DNSRBL listed bots, and a number of unlisted bots. With an
    > understanding of how ISP handles filtering based on a given DNSRBL,
    > spammer may choose a certain delivery pattern.



    How does the spammer come to know his mail is delivered and not
    quarantined / deleted / or spam tagged?


  12. Re: mysterious spam - what is this trying to do?

    On Wed, 2008-07-30 at 01:31 +0200, Arvid Ephraim Picciani wrote:

    > No. Some spammers are a lot more clever then that.
    > Especialy if you sell lists, you usually make sure they are high quality.
    > This is a low volume probe. Propably to clean out harvested lists.


    What makes you believe this is low volume? It's not the highest volume I
    am seeing right now, but it isn't particularly low volume either.

    Also, according to $something that pretty much has evolved into a spam
    trap, they are *not* cleaning out *harvested* lists. I do see a lot of
    recipient addresses which can not possibly have been harvested.


    > Of course there is always the posibility that the ratware is simply broken.
    > **** happens :P


    Yup.

    guenther


    --
    char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a \x10\xf4\xf4\xc4";
    main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


  13. Re: mysterious spam - what is this trying to do?

    ram wrote:
    > On Wed, 2008-07-30 at 09:21 -0500, Ken A wrote:
    >> Arvid Ephraim Picciani wrote:
    >>> On Wednesday 30 July 2008 00:55:50 mouss wrote:
    >>>> Ken A wrote:
    >>>>> Can be a probe too. Accepting mail from that IP with that content says
    >>>>> something about your system. Spammers aren't stupid. They fingerprint us
    >>>>> just like we fingerprint them.
    >>>> If I was a spammer, I don't see why I would probe you. I understand if
    >>>> it's filter poisoning, but probing to see if the message will be
    >>>> accepted is useless. they can just send their spam. if you reject it,
    >>>> others will accept it, and some will read it, which is exactly what they
    >>>> want to achieve.
    >>> No. Some spammers are a lot more clever than that.
    >>> Especially if you sell lists, you usually make sure they are high quality.
    >>> This is a low volume probe. Probably to clean out harvested lists.
    >>>
    >>> - They are probing for wrong addresses
    >>> (This is why returning 550 imho makes sense and greylisting does not)
    >>> - They are probing for backscatterer
    >>> All mails would have the same From address,envelope, and helo
    >>> of a compromised mailserver.
    >>> - They are probing for spamtraps.
    >>> Bigger ISPs can probably detect that best,
    >>> since the mails would have a pattern.
    >>>
    >>> Of course there is always the possibility that the ratware is simply broken.
    >>> **** happens :P
    >>>

    >> Yes. And also, in any war, consider resource usage.
    >> A simple example: Spammer at any given time may have access to a number
    >> of DNSRBL listed bots, and a number of unlisted bots. With an
    >> understanding of how ISP handles filtering based on a given DNSRBL,
    >> spammer may choose a certain delivery pattern.

    >
    >
    > How does the spammer come to know his mail is delivered and not
    > quarantined / deleted / or spam tagged?
    >



    If it's a yahoo, google or other freemail address, that's not too hard
    to figure out, is it? If it's another email provider, who knows.. many
    providers document their anti-spam approach, use very informative bounce
    messages, or use easily identifiable products that have certain
    behaviors. It certainly isn't possible to learn everything from a probe
    email, but it's worth thinking about, imho. Of course we don't want to
    give them any ideas either!

    Ken

    >
    >
    >



    --
    Ken Anderson
    Pacific.Net


  14. Re: mysterious spam - what is this trying to do?

    On Wed, 2008-07-30 at 09:21 -0500, Ken A wrote:

    > Yes. And also, in any war, consider resource usage.
    > A simple example: Spammer at any given time may have access to a number
    > of DNSRBL listed bots, and a number of unlisted bots. With an
    > understanding of how ISP handles filtering based on a given DNSRBL,
    > spammer may choose a certain delivery pattern.


    Oh, so THAT is why botnets check RBLs and prevent sending out massive
    amounts of spam from RBL listed zombies, like Spamhaus XPL and PBL.
    Right, I don't get any of these...

    So spammers are checking RBLs, eh? Reality seems to be more like sending
    anyway, in the hope some of them get through.

    guenther


    --
    char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a \x10\xf4\xf4\xc4";
    main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


  15. Re: mysterious spam - what is this trying to do?

    Arvid Ephraim Picciani wrote:
    > On Wednesday 30 July 2008 00:55:50 mouss wrote:
    >> Ken A wrote:
    >>> Can be a probe too. Accepting mail from that IP with that content says
    >>> something about your system. Spammers aren't stupid. They fingerprint us
    >>> just like we fingerprint them.

    >> If I was a spammer, I don't see why I would probe you. I understand if
    >> it's filter poisoning, but probing to see if the message will be
    >> accepted is useless. they can just send their spam. if you reject it,
    >> others will accept it, and some will read it, which is exactly what they
    >> want to achieve.

    >
    > No.



    Is this "No, I have evidence that you are wrong" or "No, I don't think so"?


    > Some spammers are a lot more clever than that.


    this doesn't make them clever. sending easy to catch junk will not help
    them.

    > Especially if you sell lists, you usually make sure they are high quality.


    really? that's new to me... come on. do you want my postfix logs? more
    than half are \d{5}.*@$mydomain (bogus message-id harvesting and
    phone-style address attempt).

    > This is a low volume probe. Probably to clean out harvested lists.


    I am not seeing that. if you have evidence, please share it. if it's
    just your opinion, please make this clear.

    >
    > - They are probing for wrong addresses
    > (This is why returning 550 imho makes sense and greylisting does not)


    ahuh? and why so?

    > - They are probing for backscatterer
    > All mails would have the same From address,envelope, and helo
    > of a compromised mailserver.
    > - They are probing for spamtraps.
    > Bigger ISPs can probably detect that best,
    > since the mails would have a pattern.
    >
    > Of course there is always the possibility that the ratware is simply broken.
    > **** happens :P



    That's what I believe. this resembles old junk that I used to see where
    the message was "obviously" truncated and/or random variables not expanded.

