Hello again, On Wed, 17 Jan 2018, Kris Deugau wrote:
"All over the place". ... ... hard block on Spamhaus hits and a handful of sender addresses; ... more aggressive IP blocking result in blocked legitimate mail ... local DNSBL, but ... we don't get enough volume ... also don't see these broadly over our user base ... but they're regularly reported by a couple of customers.
All very interesting. None of these would have made it through here, based on the dig results below alone. So I don't think these would present any problem for us. But the homebrew milter that I mentioned might be looking at things that some other mail systems don't. You might be interested in the SOA records. :)

$ dig -t soa ouruntain.com
... 3600 IN SOA dns1.name-services.com. info.name-services.com ...
$ dig -t soa obesrum.net
... 106621 IN SOA ns1.dnsowl.com. hostmaster.dnsowl.com ...
$ dig -t soa easyuest.net
... 3600 IN SOA dns1.name-services.com. info.name-services.com ...
$ dig -t soa infcket.com
... 3600 IN SOA dns1.name-services.com. info.name-services.com ...
$ dig -t soa renthant.net
... 172800 IN SOA ns1.dnsowl.com. hostmaster.dnsowl.com ...
$ dig -t soa frisplay.net
... 3600 IN SOA dns1.name-services.com. info.name-services.com ...
$ dig -t soa shallenge.net
... 3600 IN SOA dns1.name-services.com. info.name-services.com ...
$ dig -t soa firsia.net
... 3600 IN SOA dns1.name-services.com. info.name-services.com ...
$ dig -t soa direghting.com
... 3600 IN SOA dns1.name-services.com. info.name-services.com ...
$ dig -t soa awesomder.net
... status: SERVFAIL ...
$ dig -t soa smoothving.com
... status: SERVFAIL ...
$ dig -t soa purplebin.net
... status: NXDOMAIN ...
$ dig -t soa karft.net
... status: NXDOMAIN ...
$ dig -t soa virtualree.net
... status: SERVFAIL ...
$ dig -t soa exceama.net
... status: SERVFAIL ...

However I looked at the past six months' mailserver logs, and I found our local blacklists blocking the following in any case:

Blocked by country code:
103.214.147.181 HK, AS135330 "Sin Ming Man t/a Adcdata.com"
103.214.147.215 HK, AS135330 "Sin Ming Man t/a Adcdata.com"
180.149.247.22 IN, AS33480 Web Werks

Blocked by ASN:
Yes, we block almost *everything* from these ASNs but we do of course have whitelists which can override the ASN blacklist.
142.4.9.60 US, "AS46606 Unified Layer"
162.144.157.215 US, "AS46606 Unified Layer"
162.144.50.141 US, "AS46606 Unified Layer"
178.132.3.63 NL, "AS49981 WorldStream B.V."
149.56.84.30 CA, "AS16276 OVH SAS"
54.36.251.80 FR, "AS16276 OVH SAS"
62.210.10.113 FR, "AS12876 Online S.a.s."
209.94.191.189 US, "AS396426 CyberOne Data LLC"

Several were caught here by DNSBL:

69.64.48.56 US, United States GeoIP ASNum Edition: AS30083 "HEG US Inc.", formerly (until late November) "SERVER4YOU".
Zen, Mailspike, SORBS, and our milter/whois (China). This is currently in our tarpit, and thanks to you now also in our local ASN blocklist. :)

81.171.28.52 NL, Netherlands GeoIP ASNum Edition: AS60781 "LeaseWeb Netherlands B.V."
37.48.119.162 NL, Netherlands GeoIP ASNum Edition: AS60781 "LeaseWeb Netherlands B.V."
95.211.175.208 NL, Netherlands GeoIP ASNum Edition: AS60781 "LeaseWeb Netherlands B.V."
truncate.gbudb.net, bl.fmb.la
I find these two DNSBLs very good, approaching Spamhaus performance. If you haven't already, I'd suggest that you try them out.

92.48.86.80 GB, United Kingdom GeoIP ASNum Edition: AS29550 "Simply Transit Ltd"
Blocked by several DNSBLs, but I understand your reluctance about some of those.

88.198.194.76 DE, Germany GeoIP ASNum Edition: AS24940 "Hetzner Online GmbH"
This one's a little tricky, as it's used by several of our customers and suppliers, for employee pensions, several mailing lists, and a couple of other odd things like DMARC reporting. Nevertheless all the spam from AS24940 has been blocked by one or more of the following:
If multiple DNSBLs are triggered (truncate or Zen + 1 other);
Local sender blacklists (including some TLDs, especially .ua);
'Spambot' (i.e. no reverse DNS);
SPF;
Recipient filters (spam trap);
Unknown recipient and/or relaying attempts denied;
Invalid helo (e.g. localhost).

Probably this is off topic for this list so I've been more brief than I'd have liked.
Please feel free to contact me privately if you'd like to discuss it further - but you'll need to use a different local part in the address. :)

Incidentally I'm on the digest list. For some reason SpamAssassin decided to quarantine the list message yesterday. I haven't looked at exactly why, but a score of 7.5 is unusually high for a list message. :/

Finally, back on topic, ClamAV didn't have to do *anything* here to block any of the spam from these sources.

--
73,
Ged.

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
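The layered policy Ged describes (country-code block, ASN block that a whitelist can override, and the "truncate or Zen plus one other list" DNSBL rule) is easy to get subtly wrong in ordering, so here it is as a small worked example. This is an added illustration, not Ged's milter and not ClamAV code. The DNSBL zones are the ones named in the thread; the whitelist entry, the GeoIP/ASN values passed in, and every listing returned by the lookup function are constructed for illustration rather than real data, and the lookup callable stands in for a real DNS A-record query so the example runs offline.

```python
"""Added example: a layered SMTP client-IP policy check (not the thread's milter).

Models the three local blocks described in the message: a country-code block,
an ASN block that a whitelist overrides, and a multi-DNSBL rule (a hit on
truncate or Zen plus at least one other list). Lookups are injected so the
code runs offline; all listing data below is constructed, not real.
"""
import ipaddress
from typing import Callable, Iterable, Set, Tuple

# DNSBL zones named in the thread. Any other zone would be an assumption.
DNSBL_ZONES = ("zen.spamhaus.org", "truncate.gbudb.net", "bl.fmb.la")
# The thread's rule: a hit on truncate or Zen, confirmed by at least one other list.
STRONG_ZONES = frozenset({"zen.spamhaus.org", "truncate.gbudb.net"})


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Return the name a DNSBL client queries: octets reversed, zone appended.

    69.64.48.56 against zen.spamhaus.org becomes 56.48.64.69.zen.spamhaus.org.
    Only IPv4 is handled; IPv6 lists use nibble-reversed names instead.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def dnsbl_hits(ip: str, listed: Callable[[str], bool]) -> Set[str]:
    """Query every zone; `listed(name)` stands in for an A-record lookup."""
    return {zone for zone in DNSBL_ZONES if listed(dnsbl_query_name(ip, zone))}


def multi_dnsbl_blocks(hits: Set[str]) -> bool:
    """True when a strong-list hit is confirmed by at least one other list."""
    return bool(hits & STRONG_ZONES) and len(hits) >= 2


def decide(ip: str, country: str, asn: int,
           listed: Callable[[str], bool],
           blocked_countries: Iterable[str] = (),
           blocked_asns: Iterable[int] = (),
           whitelist: Iterable[str] = ()) -> Tuple[str, str]:
    """Return ("accept" | "reject", reason) for one client connection.

    Order matters: the whitelist is checked first so it overrides the ASN and
    country blocks, as the message says the whitelist does for the ASN list.
    """
    addr = ipaddress.ip_address(ip)
    for net in whitelist:
        if addr in ipaddress.ip_network(net, strict=False):
            return "accept", f"whitelisted by {net}"
    if country in set(blocked_countries):
        return "reject", f"country code {country} blocked"
    if asn in set(blocked_asns):
        return "reject", f"AS{asn} blocked"
    hits = dnsbl_hits(ip, listed)
    if multi_dnsbl_blocks(hits):
        return "reject", "listed on " + ", ".join(sorted(hits))
    return "accept", "no local policy matched"


# Constructed listing data: query names that would answer as "listed".
CONSTRUCTED_LISTINGS = {
    "56.48.64.69.zen.spamhaus.org",    # 69.64.48.56 on Zen (as in the thread)
    "56.48.64.69.truncate.gbudb.net",  # ...and on truncate (constructed)
    "80.86.48.92.bl.fmb.la",           # 92.48.86.80 on a single list (constructed)
}


def constructed_lookup(name: str) -> bool:
    """Offline stand-in for a DNS lookup against the constructed listings."""
    return name in CONSTRUCTED_LISTINGS


if __name__ == "__main__":
    policy = dict(blocked_countries={"HK", "IN"},
                  blocked_asns={46606, 16276},
                  whitelist=["88.198.194.0/24"])  # constructed whitelist entry
    for ip, cc, asn in [("103.214.147.181", "HK", 135330),
                        ("142.4.9.60", "US", 46606),
                        ("69.64.48.56", "US", 30083),
                        ("92.48.86.80", "GB", 29550),
                        ("88.198.194.76", "DE", 24940)]:
        print(ip, *decide(ip, cc, asn, constructed_lookup, **policy))
```

The single-list case for 92.48.86.80 is there to show why the "plus one other" clause matters: one listing alone, even on a strong list, does not reject, which is the kind of caution Kris raised about some DNSBLs. Swap `constructed_lookup` for a real resolver call to use it against live zones.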