Re: [spamdyke-users] RBLs
Almost all of my uncaught spam comes from two domains:

colocrossing.com
hostnoc.net

The latter usually has the ip address in the rdns so you can trap it that way, but I just block them entirely. With these two out of the way, and barracudacentral and zen.spamhaus, my users see almost no spam.

I also use Sam's hunter_seeker script but had to whitelist a few of its entries.

Gary

On 03/07/2014 09:57 PM, Dossy Shiobara wrote:
> My list:
>
> dns-blacklist-entry=b.barracudacentral.org
> dns-blacklist-entry=bl.spamcop.net
> dns-blacklist-entry=cbl.abuseat.org
> dns-blacklist-entry=opm.tornevall.org
> dns-blacklist-entry=torexit.dan.me.uk
> dns-blacklist-entry=sbl.spamhaus.org
> #dns-blacklist-entry=zen.spamhaus.org
> dns-blacklist-entry=dnsbl.sorbs.net
>
> I get enough spam that I'm very tempted to set up something like Spamikaze (although I'd write it myself, to be honest) that I can redirect email addresses that only receive spam and have it maintain a DNSBL, and then point my Spamdyke at that ... it would effectively stop all spam from an IP address after the first message arrives from it.
>
> Hmm ...
>
> On 3/7/14 4:02 PM, Sam Clippinger wrote:
>> Honestly, the RBL that seems to do the most good these days for me is the Barracuda Central list (b.barracudacentral.org). I also use Spamhaus, Spamcop and Spam Eating Monkey, but together those three don't catch even a tenth of what Barracuda catches.
>>
>> -- Sam Clippinger
>>
>> On Mar 6, 2014, at 6:05 PM, BC <bc...@purgatoire.org> wrote:
>>> One of the RBLs I'm using is bl.mailspike.net. Today they started listing an IP which 100 other blacklists don't have listed. Then it delisted it, then it put it back, then delisted it again - all over the course of a couple of hours. Now blacklisted again.
>>>
>>> What other free, RBL services are you guys using?
___ spamdyke-users mailing list spamdyke-users@spamdyke.org http://www.spamdyke.org/mailman/listinfo/spamdyke-users
Re: [spamdyke-users] RBLs
On Mar 8, 2014, at 6:52 AM, Gary Gendel <g...@genashor.com> wrote:
> Almost all of my uncaught spam comes from two domains:
>
> colocrossing.com
> hostnoc.net

Color me unsurprised. I even think I know which spammer you're referring to.

HostNoc/BurstNet has long had a reputation of being a spam-friendly hosting service. Lately, they seem to be the preferred provider for one of the most prolific and effective spammers I've seen. This particular spammer is exploiting 'syndicated marketing' programs on a massive scale, and they make a point of varying every possible aspect of their messages to systematically work around filtering - From lines, Subject lines, hostnames, message text, even their URL schemes are heavily randomized and changing constantly. Every single feature of the message that could be the target for a filter is changed continuously. Their hosting services (something like 50% of their domains were in HostNoc space, last time I looked) further facilitate things by letting them constantly switch IPs (snowshoe spamming). These guys have put some real thought into getting past filters and blacklists, and it works.

So I'd bet that when you talk about uncaught spam, it's theirs. HostNoc also host other similar spam operations, but this outfit is both the most prolific and the hardest to filter.

Incidentally, I have a personal axe to grind with HostNoc. I used to be a BurstNet customer until one of their tame spammers moved into the IP block where I had my IPs and pumped out so much crap that the entire block got blacklisted. I spent a few weeks trying to get BurstNet to do something, such as simply allocate me new IPs in a non-contaminated block. They stalled me for a while with vague responses, then took to ignoring me completely, so I switched to a new provider. It sounds like hyperbole, but I really now believe that HostNoc care more about supporting the spammers (who apparently rent a _lot_ of servers) than their legitimate customers.

TL;DR: if you null-route every IP that HostNoc owns, it will make a dramatic difference to the amount of spam you see.

Angus
Re: [spamdyke-users] RBLs
On 3/8/2014 7:03 AM, Angus McIntyre wrote:
> TL;DR: if you null-route every IP that HostNoc owns, it will make a dramatic difference to the amount of spam you see.

Angus,

To what does the TL;DR refer?

How are you null-routing all those IPs? With spamdyke somehow?

Bucky

PS - this is a very informative discussion, so please to all, keep it up.
Re: [spamdyke-users] RBLs
> My list consists of
> b.barracudacentral.org
> zen.spamhause.org

Barracuda is not a relevant Blacklist. The most serious (in this order) are:

zen.spamhaus.org
bl.spamcop.net
bl.mailspike.net
Re: [spamdyke-users] RBLs
On 3/8/2014 7:18 AM, Lutz Petersen wrote:
> Instead make this spamdyke.conf Settings:
>
> dns-blacklist-entry=bl.mailspike.net

This is the one causing all sorts of mischief lately - blacklisting and unblacklisting legit and non-spamming IPs rapidly.

What is wrong with barracuda? You said it isn't relevant. What does that mean?
Re: [spamdyke-users] RBLs
> What is wrong with barracuda? You said it isn't relevant. What does that mean?

The barracuda list is not maintained as the other lists. Beware - it needs _huge_ manpower to produce good lists. Spamhaus and Spamcop have worldwide offices working 24/7. Barracuda not; the only usage of Barracuda is within SpamAssassin.
Re: [spamdyke-users] RBLs
BC wrote:
> On 3/8/2014 7:03 AM, Angus McIntyre wrote:
>> TL;DR: if you null-route every IP that HostNoc owns, it will make a dramatic difference to the amount of spam you see.
>
> To what does the TL;DR refer?

TL;DR is Internet slang for 'Too Long; Didn't Read'. As it's used now, it's a way for someone who has written a long post to provide a very brief summary of what they said (usually no more than a single line) for the benefit of anyone skim-reading the post. Sometimes the summary may be a humorous simplification of whatever was said.

...

> How are you null-routing all those IPs? With spamdyke somehow?

I'm not actually null-routing HostNoc IPs (but believe me, I've been tempted). You could probably use spamdyke to block mail coming from HostNoc customers, because spamdyke's ip blacklisting allows you to blacklist entire address ranges as well as individual addresses.

However, when people talk of 'null-routing' an address, it means configuring your firewall (such as an iptables firewall) to simply drop any incoming packets from that source. It's the most absolute form of rejection possible. The other host literally cannot connect to your system in any way, because you've told the firewall "Ignore everything coming from here."

Basically, my TL;DR was saying "If you refuse to accept any communication whatsoever from this entire chunk of the Internet, it wouldn't be a bad thing." And I was partly joking ... but only partly.

Angus
Re: [spamdyke-users] RBLs
Funny, based on my own empirical evidence, Barracuda Central's DNSBL yields the best results. As with anything on the Internet, be skeptical and collect your own data. Доверяй, но проверяй (doveryai, no proveryai).

***
  9373  92.80%  DENIED_RBL_MATCH
        --- Breakdown ---
        6956  81.35%  b.barracudacentral.org
         878  10.26%  cbl.abuseat.org
         561   6.56%  bl.spamcop.net
         154   1.80%  dnsbl.sorbs.net
           1   0.01%  opm.tornevall.org
        -
   329   3.25%  ALLOWED
   183   1.81%  DENIED_GRAYLISTED
   142   1.40%  TIMEOUT
    68   0.67%  ERROR
     5   0.04%  DENIED_RELAYING

Summary
Allowed:   329   3.25%
Timeout:   142   1.40%
Errors :    68   0.67%
Denied :  9561  94.66%
Total  : 10100 100.00%

On 3/8/14 9:36 AM, Lutz Petersen wrote:
>> What is wrong with barracuda? You said it isn't relevant. What does that mean?
>
> The barracuda list is not maintained as the other lists. Beware - it needs _huge_ manpower to produce good lists. Spamhaus and Spamcop have worldwide offices working 24/7. Barracuda not; the only usage of Barracuda is within SpamAssassin.

--
Dossy Shiobara       | He realized the fastest way to change
do...@panoptic.com   | is to laugh at your own folly -- then you
http://panoptic.com/ | can let go and quickly move on. (p. 70)
* WordPress * jQuery * MySQL * Security * Business Continuity *
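An added example, not part of the original thread: a per-verdict and per-list tally of the kind posted above, computed from spamdyke log lines, with the number of distinct source IPs each list rejected. The sample lines are constructed, and the log layout (`spamdyke[PID]: RESULT ... origin_ip: ... reason: ...`, with the list name as the reason for DENIED_RBL_MATCH) is an assumption to check against your own logs.

```python
import re
from collections import Counter

# Assumed spamdyke syslog layout; for DENIED_RBL_MATCH the reason is taken to be the list name.
LINE_RE = re.compile(
    r"spamdyke\[\d+\]: (?P<result>[A-Z_]+) .*?origin_ip: (?P<ip>\S+) .*?reason: (?P<reason>\S+)")

# Constructed sample log (documentation addresses, made-up senders), not data from the thread.
TEMPLATE = ("Mar  8 09:00:0{n} mx spamdyke[210{n}]: {result} from: s{n}@example.com to: user@example.net "
            "origin_ip: {ip} origin_rdns: (unknown) auth: (unknown) encryption: (none) reason: {reason}")
EVENTS = [
    ("DENIED_RBL_MATCH", "192.0.2.10", "b.barracudacentral.org"),
    ("DENIED_RBL_MATCH", "192.0.2.10", "b.barracudacentral.org"),
    ("DENIED_RBL_MATCH", "192.0.2.11", "b.barracudacentral.org"),
    ("DENIED_RBL_MATCH", "198.51.100.7", "cbl.abuseat.org"),
    ("ALLOWED", "203.0.113.5", "(empty)"),
    ("DENIED_GRAYLISTED", "203.0.113.9", "(empty)"),
]
SAMPLE_LOG = "\n".join(
    [TEMPLATE.format(n=i, result=r, ip=ip, reason=why) for i, (r, ip, why) in enumerate(EVENTS)]
    + ["Mar  8 09:00:09 mx qmail: status: local 0/10 remote 0/20"])  # unrelated line, skipped

def tally(log_text):
    """Count verdicts, RBL denials per list, and distinct source IPs per list."""
    results, rbl_hits, rbl_ips = Counter(), Counter(), {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a spamdyke verdict line
        results[m["result"]] += 1
        if m["result"] == "DENIED_RBL_MATCH":
            rbl_hits[m["reason"]] += 1
            rbl_ips.setdefault(m["reason"], set()).add(m["ip"])
    return results, rbl_hits, rbl_ips

def report(log_text):
    """Render the tally as rows; list percentages are shares of all RBL denials."""
    results, rbl_hits, rbl_ips = tally(log_text)
    total = sum(results.values())
    rows = []
    for name, n in results.most_common():
        rows.append(f"{n:6d} {100 * n / total:6.2f}% {name}")
        if name == "DENIED_RBL_MATCH":
            for rbl, hits in rbl_hits.most_common():
                rows.append(f"    {hits:6d} {100 * hits / n:6.2f}% {rbl} ({len(rbl_ips[rbl])} distinct IPs)")
    return rows

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

A tally like this shows which list rejected a connection, not whether the rejection was correct, so it cannot settle a false-positive question on its own.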
Re: [spamdyke-users] RBLs
And, anyone who wants to do just this, here's a handy list of hostnoc snowshoe netblocks documented:

http://www.spamhaus.org/sbl/listings/hostnoc.net

On 3/8/14 9:58 AM, Angus McIntyre wrote:
> Basically, my TL;DR was saying "If you refuse to accept any communication whatsoever from this entire chunk of the Internet, it wouldn't be a bad thing." And I was partly joking ... but only partly.

--
Dossy Shiobara       | He realized the fastest way to change
do...@panoptic.com   | is to laugh at your own folly -- then you
http://panoptic.com/ | can let go and quickly move on. (p. 70)
* WordPress * jQuery * MySQL * Security * Business Continuity *
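An added example, not part of the original thread: one way to turn a hand-collected list of netblocks, such as one copied from the listing linked above, into an ipset that a single iptables DROP rule can reference, which is the firewall-level blocking described earlier in the thread. The netblocks are constructed placeholders from documentation ranges, and the set name `mail_droplist` and the `NEVER_BLOCK` guard list are assumptions of this example.

```python
import ipaddress

# Constructed input: RFC 5737 documentation ranges standing in for netblocks copied
# from a listing page. These are placeholders, not real HostNoc address space.
BLOCKS = ["198.51.100.0/25", "198.51.100.128/25", "203.0.113.64/26",
          "203.0.113.80/28", "192.0.2.128/25", "203.0.113.1/24", "not-a-cidr"]
# Hypothetical ranges that must never be dropped (own servers, relays you depend on).
NEVER_BLOCK = ["192.0.2.0/24"]

def build_ipset(blocks, never_block, set_name="mail_droplist"):
    """Return (ipset restore lines, rejected entries with reasons)."""
    protected = [ipaddress.IPv4Network(n) for n in never_block]
    accepted, rejected = [], []
    for entry in blocks:
        try:
            # strict=True rejects host bits set (e.g. 203.0.113.1/24), a common paste error
            net = ipaddress.IPv4Network(entry.strip(), strict=True)
        except ValueError as exc:
            rejected.append((entry, f"invalid: {exc}"))
            continue
        clash = next((p for p in protected if net.overlaps(p)), None)
        if clash is not None:
            rejected.append((entry, f"overlaps protected {clash}"))
            continue
        accepted.append(net)
    # Merge adjacent and nested blocks so the set stays small and has no duplicates.
    merged = list(ipaddress.collapse_addresses(accepted))
    lines = [f"create {set_name} hash:net family inet"]
    lines += [f"add {set_name} {net}" for net in merged]
    return lines, rejected

if __name__ == "__main__":
    lines, rejected = build_ipset(BLOCKS, NEVER_BLOCK)
    print("\n".join(lines))  # feed this to `ipset restore`
    for entry, why in rejected:
        print(f"# skipped {entry}: {why}")
    # One rule then drops every packet from the set:
    #   iptables -I INPUT -m set --match-set mail_droplist src -j DROP
```

Reviewing the rejected entries before loading the set catches both typos and any block that would cut off a range you depend on.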
Re: [spamdyke-users] RBLs
Okay, thanks for the excellent explanation and I know how to null route an IP at the firewall.

On 3/8/2014 7:58 AM, Angus McIntyre wrote:
> BC wrote:
>> On 3/8/2014 7:03 AM, Angus McIntyre wrote:
>>> TL;DR: if you null-route every IP that HostNoc owns, it will make a dramatic difference to the amount of spam you see.
>>
>> To what does the TL;DR refer?
>
> TL;DR is Internet slang for 'Too Long; Didn't Read'. As it's used now, it's a way for someone who has written a long post to provide a very brief summary of what they said (usually no more than a single line) for the benefit of anyone skim-reading the post. Sometimes the summary may be a humorous simplification of whatever was said.
>
> ...
>
>> How are you null-routing all those IPs? With spamdyke somehow?
>
> I'm not actually null-routing HostNoc IPs (but believe me, I've been tempted). You could probably use spamdyke to block mail coming from HostNoc customers, because spamdyke's ip blacklisting allows you to blacklist entire address ranges as well as individual addresses.
>
> However, when people talk of 'null-routing' an address, it means configuring your firewall (such as an iptables firewall) to simply drop any incoming packets from that source. It's the most absolute form of rejection possible. The other host literally cannot connect to your system in any way, because you've told the firewall "Ignore everything coming from here."
>
> Basically, my TL;DR was saying "If you refuse to accept any communication whatsoever from this entire chunk of the Internet, it wouldn't be a bad thing." And I was partly joking ... but only partly.
>
> Angus
Re: [spamdyke-users] RBLs
> Funny, based on my own empirical evidence, Barracuda Central's DNSBL yields the best results.

99% of these hits are false positives:

> 6956 81.35% b.barracudacentral.org

You are talking simply nonsense!