On 20 Oct 2017, at 12:25 (-0400), Matus UHLAR - fantomas wrote:
On 20 Oct 2017, at 9:38 (-0400), Matus UHLAR - fantomas wrote:
unless you know that hotmial.com is a malicious site, don't block
it.
On 20.10.17 10:43, Bill Cole wrote:
Go to http://hotmial.com with a JavaScript-enabled browser and tell
me what you think.
Or, DON'T DO THAT!
At least, don't do it on a weakly-defended system. I give you my
word: it IS a malicious site.
Then I really wonder why it's not listed in a domain blacklist (I just
searched through blacklistalert and mxtoolbox).
You'd have to ask the people who maintain those blacklists, but my first
guess would be that it is an entirely passive malicious domain, slurping
up mail and web hits from typos.
The web site redirects hits using JavaScript, with the initial reply
varying based on User-Agent. After the 3rd such redirection it pops up a
bogus warning frame claiming to be alerting the user to a backdoor
trojan infection that can only be removed by calling a phone number, and
asserting that if the user fails to do so, their Internet access will be
blocked.
If you hit the site with curl, wget, or no User-Agent header, it yields
a simple "403 Forbidden" response, which is what provider-nuked sites
often do. It may be that domain blacklists intended for email usage are
blind to the existence of the domain because it does not appear in spam,
or they may be fooled by the fact that the website is playing dead to
simple web clients, or it may be that some blacklists intended for email
intentionally avoid listing domains that are known bad but never show up
in spam.
In those cases reject_rhsbl_recipient should do the job.
However, my recommendation was generic:
don't block domains only because your users mistype.
Yes.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Paying Work: https://linkedin.com/in/billcole
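The probe Bill describes above (different answers for different User-Agent headers, a chain of JavaScript redirects ending in a scare page), written out as an added example that is not code from anyone in this thread. It fetches a URL once per User-Agent, including once with no User-Agent header at all, records the HTTP status, scans each body for the common JavaScript and meta-refresh redirect idioms, and follows them up to a few hops. It does not execute any JavaScript, so it only sees redirects written in the plain idioms below; the regex, the hop limit and the User-Agent strings are assumptions for this example, and the sample HTML in the comments is constructed, not captured from any real site.

```python
"""Probe a site with several User-Agent headers and follow JS/meta redirects.

Added example for the thread above; not Bill Cole's or Matus Uhlar's code.
Pass the URL on the command line. It never evaluates JavaScript, so it is
only as good as the redirect patterns below (an assumption of this example).
"""
import re
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Plain-text redirect idioms. Constructed for this example; obfuscated
# scripts (string concatenation, eval, etc.) will not be recognised.
_REDIRECT = re.compile(
    r"""(?:window\.)?(?:top\.|self\.)?location(?:\.href)?\s*=\s*['"]([^'"]+)['"]"""
    r"""|location\.(?:replace|assign)\(\s*['"]([^'"]+)['"]\s*\)"""
    r"""|<meta[^>]+http-equiv=['"]?refresh['"]?[^>]+url=([^'">\s]+)""",
    re.IGNORECASE,
)


def find_redirects(html, base_url):
    """Return absolute targets of JS/meta redirects found in an HTML body.

    Example (constructed): find_redirects('<script>window.location.href="/a"'
    '</script>', "http://x.test/") -> ["http://x.test/a"]
    """
    targets = []
    for m in _REDIRECT.finditer(html):
        target = next(g for g in m.groups() if g)
        targets.append(urljoin(base_url, target))
    return targets


def probe(url, user_agents, max_hops=3, timeout=10):
    """Fetch url once per User-Agent (None = send no User-Agent header).

    Returns {label: [(hop_url, status_or_None, redirect_targets), ...]}.
    Each chain follows the first JS/meta redirect for at most max_hops hops.
    """
    opener = urllib.request.build_opener()
    opener.addheaders = []  # stop urllib injecting its default User-Agent
    results = {}
    for ua in user_agents:
        label = ua or "<no User-Agent>"
        hops, current = [], url
        for _ in range(max_hops + 1):
            headers = {"User-Agent": ua} if ua else {}
            req = urllib.request.Request(current, headers=headers)
            try:
                with opener.open(req, timeout=timeout) as resp:
                    status = resp.status
                    body = resp.read(200_000).decode("utf-8", "replace")
            except urllib.error.HTTPError as e:
                hops.append((current, e.code, []))  # e.g. the bare 403
                break
            except (urllib.error.URLError, OSError) as e:
                hops.append((current, None, [str(e)]))
                break
            targets = find_redirects(body, current)
            hops.append((current, status, targets))
            if not targets:
                break
            current = targets[0]
        results[label] = hops
    return results


def user_agent_sensitive(results):
    """True if the first response status differed between User-Agents."""
    statuses = {hops[0][1] for hops in results.values() if hops}
    return len(statuses) > 1


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://example.com/"
    agents = [
        None,
        "curl/7.64.1",
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
        "(KHTML, like Gecko) Chrome/61.0 Safari/537.36",
    ]
    out = probe(target, agents)
    for label, hops in out.items():
        print(f"== {label}")
        for hop_url, status, targets in hops:
            print(f"  {status!s:>4}  {hop_url}")
            for t in targets:
                print(f"        -> {t}")
    print("User-Agent sensitive:", user_agent_sensitive(out))
```

A site that returns 403 to curl and to the empty User-Agent but 200 plus a redirect chain to the browser string is exactly the "playing dead to simple web clients" pattern the message describes, which is why a blacklist crawler using a bare HTTP client can miss it.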