On Tue, 2015-09-29 at 12:13 -0700, Gordon Messmer wrote:
> On 09/24/2015 08:00 AM, Lindsay Haisley wrote:
> > Gordon, your thoughts?
>
> The one thing that consistently seems to be missing from your analyses
> is a review of legitimate mail.
>
> name-services.com appears to be used by eNom, Name Cheap, and
> Rackspace. I'm sure that it's used by a lot of spammers, but I'd
> imagine that a good number of legitimate domains use those servers as well.
My research on this hasn't been exhaustive, but what I've done hasn't
turned up any false positives; and yes, I've failed to mention this. Can
you provide any examples of legit domain names which lead back to one of
the suspect name servers? Using the signature domain names for these
providers doesn't lead back to name-services.com ...

$ ddig rackspace.com
ns2.rackspace.com.
ns.rackspace.com.
... self-referential. End of lookup.

$ ddig enom.com
usw5.akam.net.
aus1.akam.net.
etc...

$ ddig akam.net
a4-67.akam.net.
a13-67.akam.net.
etc ...
... self-referential at the DN level. End of lookup

$ ddig namecheap.com
ns4.p18.dynect.net.
ns1.p18.dynect.net.

$ ddig dynect.net
ns3.dynamicnetworkservices.net.
ns4.dynamicnetworkservices.net.

$ ddig dynamicnetworkservices.net
ns3.dynamicnetworkservices.net.
ns2.dynamicnetworkservices.net.
... self-referential. End of lookup

Perhaps looking at the resources belonging to customers of these
providers, using other DNs, would yield a recursion to name-services.com.
Examples would help, Gordon, if you could provide any.

Enom may or may not be a proper candidate for scrutiny here. They're
notorious for hosting spammers and not doing anything about it. I've
already blocked a lot of their IP addresses.

I do some fairly exhaustive log analysis of the results of rate limiting
based on name servers as I have it now on my servers - a lot of it manual
or only semi-automated - and have yet to see any false positives. I can
get daily summaries of this activity, and what I'm seeing is a very clear
pattern. Delivery attempts using name servers on the "offenders" list
identify dozens of emails, generally from a sequence of IP addresses in
the same /24 block, and the host names they use are almost always
indicative of their intent, such as "kmartrewardsplus.faith" and
"vodril.osmosisskincare.asia".
> In order to reduce the effect of false positives, I think this should
> probably be a module for SpamAssassin, so that it can contribute to a
> robust scoring system. pythonfilter doesn't do that sort of thing.

In addition to rate-limiting, I'm actually using a point scoring system
here for automated blocking. It's generally similar to SpamAssassin (it
takes SpamAssassin hits into consideration) but requires a substantial
score before an IP address block is automatically entered into the
Courier smtpaccess database as a prohibited address group.

> Other than that, rate limiting based on the DNS servers is probably
> fine. I'd suggest a few items for implementation: cache the value of
> your lookups, limit the depth of your recursion, and watch for loops.

If the lookup of the DN of a name server references name servers with
the same DN, it's considered to be self-referential and the search is
over. A limit on recursion depth would definitely be indicated for this,
though. Circular recursion over more than 1 DN would, IMHO, amount to a
misconfiguration elsewhere, but protection against it would be prudent.

If I can find _any_ direct evidence that this algorithm has generated
false positives, or would based on current DNS practices and
configurations across the industry, then I'll go back to the drawing
board with it. So far, I haven't seen it.

Thanks for your feedback!

-- 
Lindsay Haisley       | "UNIX is user-friendly, it just
FMP Computer Services |  chooses its friends."
512-259-1190          |             -- Andreas Bogk
http://www.fmp.com    |

------------------------------------------------------------------------------
_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
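The NS-chain walk discussed in the thread (follow a domain's name servers to their own domain, stop when the lookup becomes self-referential, with the cache, depth limit and loop check Gordon suggests), as an added illustration that is not Lindsay Haisley's pythonfilter code. The resolver is a constructed in-memory table (the `ddig` results quoted above plus two invented `.test` domains that loop), so it runs offline; a real implementation would plug in a DNS library such as dnspython's `dns.resolver.resolve(name, "NS")` and a Public Suffix List lookup in place of the two-label `registrable_domain` heuristic.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for DNS: registrable domain -> NS host names.
# First four entries mirror the ddig output quoted in the thread; the
# loop-a/loop-b pair is invented to exercise the loop guard.
FAKE_NS: Dict[str, List[str]] = {
    "rackspace.com": ["ns2.rackspace.com", "ns.rackspace.com"],
    "namecheap.com": ["ns4.p18.dynect.net", "ns1.p18.dynect.net"],
    "dynect.net": ["ns3.dynamicnetworkservices.net", "ns4.dynamicnetworkservices.net"],
    "dynamicnetworkservices.net": ["ns3.dynamicnetworkservices.net", "ns2.dynamicnetworkservices.net"],
    "loop-a.test": ["ns1.loop-b.test"],
    "loop-b.test": ["ns1.loop-a.test"],
}

def registrable_domain(host: str) -> str:
    """Crude two-label heuristic (assumption); use the Public Suffix List in production."""
    return ".".join(host.rstrip(".").split(".")[-2:])

def ns_chain(domain: str,
             lookup: Callable[[str], List[str]] = lambda d: FAKE_NS.get(d, []),
             max_depth: int = 5,
             cache: Optional[Dict[str, Tuple[List[str], str]]] = None) -> Tuple[List[str], str]:
    """Walk domain -> NS domain -> NS domain ... and return (domains visited, status).
    status is 'self-referential' (the thread's "End of lookup"), 'loop' (a DN seen
    twice across more than one DN), 'depth-limit' or 'no-ns'."""
    cache = {} if cache is None else cache
    if domain in cache:                      # cached result, no DNS traffic
        return cache[domain]
    chain, seen, current, status = [domain], {domain}, domain, "depth-limit"
    for _ in range(max_depth):               # hard cap on recursion depth
        servers = lookup(current)
        if not servers:
            status = "no-ns"
            break
        nxt = registrable_domain(servers[0])
        if nxt == current:                   # NS lives under the same DN: done
            status = "self-referential"
            break
        chain.append(nxt)
        if nxt in seen:                      # A -> B -> A style misconfiguration
            status = "loop"
            break
        seen.add(nxt)
        current = nxt
    cache[domain] = (chain, status)
    return cache[domain]

def terminal_ns(domain: str, **kw) -> Optional[str]:
    """The DN a rate limiter would key on, or None if the walk did not terminate cleanly."""
    chain, status = ns_chain(domain, **kw)
    return chain[-1] if status == "self-referential" else None
```

A sender's `terminal_ns` can then be compared against the "offenders" list; domains that end in `loop` or `depth-limit` are best logged for review rather than counted against a limit.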