Re: Why there is no `reject_rbl_sender` restriction?

2017-08-14 Thread Martin Jiřička
Hello again,

I discovered the possibility of milters. So I have created a milter that
performs the restriction I wanted. If someone would be interested, it
is here:

https://github.com/mjiricka/MailFrom_DNSBL_Milter

So far results are as expected – all spam filtered, zero false-positives! :)

Martin


Re: Why there is no `reject_rbl_sender` restriction?

2017-08-05 Thread Martin Jiřička
> What I was trying to say is that (if there was 1 A record per domain), the
> number of spamhaus lookups would increase two times.
> If you check MX records, number of lookups can increase even more.

I am afraid I still do not understand how you count it :-( But it does
not matter, thank you very much for your effort! :-)

> hopefully you find it out before get blocked by spamhaus :-)

Spamhaus allows 300,000 queries per day. I am still waaay behind it.
Moreover 70% of all spam ends on my first Spamhaus restriction anyway.

But once again thank you for your notice, Matus! I will be careful
with the restrictions :-)


Re: Why there is no `reject_rbl_sender` restriction?

2017-08-04 Thread Matus UHLAR - fantomas

>> You ask each dnsbl for client IP, now you will ask them for each A or MX
>> record. That means, number of DNSBL lookups will increase at least two times
>> (for each dnsbl you already query).

On 03.08.17 17:04, Martin Jiřička wrote:
> Hmm, I am not a server administrator by profession, so maybe I do not
> understand it enough, but I would only add one more restriction on
> domain in MAIL FROM header, that would make one DNS lookup (getting IP
> for the domain) and one DNSBL lookup (checking that IP in Spamhaus).
> Those are two lookups, aren't they? It is true that it is not clear
> whether to get A or MX records for the domain. For my example the
> blacklisted IP address is within A record. I guess there is usually
> only one A record for each domain?


What I was trying to say is that (if there was 1 A record per domain), the
number of spamhaus lookups would increase two times.

If you check MX records, number of lookups can increase even more.


Note that some dnsbls require (paid) subscription if you use them too much.


> This is my first mail server so I need to check which restrictions
> work best. Then I will optimize number and order of restrictions.


hopefully you find it out before you get blocked by spamhaus :-)

as Allen recommended, it's good to have a local whitelist for any kinds of
DNSBL lookups.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Christian Science Programming: "Let God Debug It!".


Re: Why there is no `reject_rbl_sender` restriction?

2017-08-04 Thread Martin Jiřička
> It seems natural (for me at least) to introduce a new map type
> dnsbl: that maps those IP addresses to an action.

That would be amazing! If I get it right this would also deprecate
e.g. `reject_rhsbl_client` and `reject_rbl_client`. As a Postfix
novice I would appreciate the reduction of configuration parameters,
it is sometimes quite confusing to look at a long list of parameters
that all do similar thing and trying to spot a difference in its
description.


MJ


Re: Why there is no `reject_rbl_sender` restriction?

2017-08-03 Thread Wietse Venema
Martin Jiřička:
> > Did you mean: reject_rhsbl_sender (i.e. reject the sender domain)?
> > That already exists.
> 
> The `reject_rhsbl_sender` checks whether MAIL FROM domain is listed
> under rbl_domain. And I would like to have `reject_rbl_sender` that
> would check whether reversed sender domain is listed under rbl_domain.
> In other words, as there are `reject_rhsbl_client` and
> `reject_rbl_client` restrictions, analogously I would like to have
> `reject_rhsbl_sender` AND `reject_rbl_sender`.
> 
> Reason is I have found out that very very often my uncaught spam have
> MAIL FROM domain that is not listed under dbl.spamhaus.org, but its
> reversed address is listed under zen.spamhaus.org. I gave example with
> "spplalru.com" domain.

We already have check_mumble_mx_access and check_mumble_ns_access
to map a domain name to a collection of IP addresses.

It seems natural (for me at least) to introduce a new map type
dnsbl: that maps those IP addresses to an action.

Example:
check_sender_mx_access dnsbl:zen.spamhaus.org=127.0.0.1
check_client_ns_access dnsbl:zen.spamhaus.org=127.0.0.1

In case someone runs their DNS or MX service off a botnet.

Wietse


Re: Why there is no `reject_rbl_sender` restriction?

2017-08-03 Thread Martin Jiřička
> I'm not talking about DNS lookups, but about DNSBL lookups.

Yes, I did interchange them, pardon.

> You ask each dnsbl for client IP, now you will ask them for each A or MX
> record. That means, number of DNSBL lookups will increase at least two times
> (for each dnsbl you already query).

Hmm, I am not a server administrator by profession, so maybe I do not
understand it enough, but I would only add one more restriction on
domain in MAIL FROM header, that would make one DNS lookup (getting IP
for the domain) and one DNSBL lookup (checking that IP in Spamhaus).
Those are two lookups, aren't they? It is true that it is not clear
whether to get A or MX records for the domain. For my example the
blacklisted IP address is within A record. I guess there is usually
only one A record for each domain?

> Note that some dnsbls require (paid) subscription if you use them too much.

This is my first mail server so I need to check which restrictions
work best. Then I will optimize number and order of restrictions.

> we aren't talking about domains, but IP addresses of servers the domains
> point to, correct?

I think Allen spoke about domains. So did I. It is probably true that
building blacklist of IP addresses would be better idea than building
list of domains. Because I guess spammers have more domains than IP
addresses…


Re: Why there is no `reject_rbl_sender` restriction?

2017-08-03 Thread Matus UHLAR - fantomas

>> Doing it on MX would require dnsbl lookups for each MX server in all
>> received mail.
>> That would massively increase amount of dnsbl lookups.

On 03.08.17 13:38, Martin Jiřička wrote:
> I do not know if I would call it "massively". I already do
> `reject_unknown_client_hostname` check and 4 other dnsbl lookups. So I
> would do another 2 in addition to current 5? Yes, it is a lot, but
> that's how it is… My server does not serve a huge amount of real mail
> fortunately.


I'm not talking about DNS lookups, but about DNSBL lookups.
You ask each dnsbl for client IP, now you will ask them for each A or MX
record. That means, number of DNSBL lookups will increase at least two times
(for each dnsbl you already query).

Note that some dnsbls require (paid) subscription if you use them too much.


>> you still can block them locally using the rules above.

> I think it will not work, almost every spam comes from a different domain.


we aren't talking about domains, but IP addresses of servers the domains
point to, correct?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"To Boot or not to Boot, that's the question." [WD1270 Caviar]


Re: Why there is no `reject_rbl_sender` restriction?

2017-08-03 Thread Martin Jiřička
> Did you mean: reject_rhsbl_sender (i.e. reject the sender domain)?
> That already exists.

The `reject_rhsbl_sender` checks whether MAIL FROM domain is listed
under rbl_domain. And I would like to have `reject_rbl_sender` that
would check whether reversed sender domain is listed under rbl_domain.
In other words, as there are `reject_rhsbl_client` and
`reject_rbl_client` restrictions, analogously I would like to have
`reject_rhsbl_sender` AND `reject_rbl_sender`.

The reason is that I have found out that very very often my uncaught spam has
a MAIL FROM domain that is not listed under dbl.spamhaus.org, but its
reversed address is listed under zen.spamhaus.org. I gave an example with
the "spplalru.com" domain.

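The check described above (A record of the MAIL FROM domain, octets reversed, looked up in an IP DNSBL such as zen.spamhaus.org), written out as an added illustration that is not code from this thread or from the MailFrom_DNSBL_Milter project; it also folds in Allen's whitelist-first advice and keeps Spamhaus's 127.255.255.x error answers apart from real listings. The resolver is a constructed stand-in so the example runs offline; the spplalru.com data is the thread's own, while the example.org and example.net entries are invented.

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline. spplalru.com and
# its zen answer are quoted in the thread; example.org/example.net are invented.
FAKE_DNS = {
    "spplalru.com": ["185.140.110.3"],
    "3.110.140.185.zen.spamhaus.org": ["127.0.0.2"],     # listed (SBL code)
    "example.org": ["192.0.2.10"],
    "10.2.0.192.zen.spamhaus.org": ["127.255.255.255"],  # "query limit exceeded"
    "example.net": ["198.51.100.7"],                     # not listed
}

def fake_resolve(name):
    """A records for name, [] on NXDOMAIN (mimics what `host` printed above)."""
    return FAKE_DNS.get(name, [])

def reverse_ipv4(ip):
    """185.140.110.3 -> 3.110.140.185, the label order a DNSBL query uses."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets))

def dnsbl_query(ip, zone, resolve):
    """Return the 127.x.y.z answer for ip in zone, or None if not listed."""
    answers = resolve(f"{reverse_ipv4(ip)}.{zone}")
    codes = [a for a in answers if a.startswith("127.")]
    return codes[0] if codes else None

def check_sender_domain(domain, resolve=fake_resolve,
                        zone="zen.spamhaus.org", whitelist=frozenset()):
    """Look up the MAIL FROM domain's A records in an IP DNSBL.

    Returns (action, ip, code) with action 'accept', 'reject' or 'error'.
    Whitelisted domains are answered first, so they cost no DNSBL query.
    """
    domain = domain.lower().rstrip(".")
    if domain in whitelist:
        return ("accept", None, None)
    for ip in resolve(domain):          # no A record -> nothing to check
        code = dnsbl_query(ip, zone, resolve)
        if code is None:
            continue
        # Spamhaus answers 127.255.255.x for errors (open resolver, query
        # limit); treating those as listings would reject all mail once
        # the daily quota discussed in this thread is exceeded.
        if code.startswith("127.255.255."):
            return ("error", ip, code)
        return ("reject", ip, code)
    return ("accept", None, None)
```

Against live DNS, `resolve` would be a real A-record lookup, and the 'error' action should defer the message rather than reject it.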

Re: Why there is no `reject_rbl_sender` restriction?

2017-08-03 Thread Wietse Venema
Martin Jiřička:
> Hi,
> 
> why there is no `reject_rbl_sender` restriction?

Did you mean: reject_rhsbl_sender (i.e. reject the sender domain)?
That already exists.

Wietse


Re: Why there is no `reject_rbl_sender` restriction?

2017-08-03 Thread Allen Coates
On 03/08/17 11:55, Matus UHLAR - fantomas wrote:
> You apparently mean something like check_sender_mx_access (reject when MX
> server of sending domain points to blacklisted IP) or maybe
> check_sender_a_access (similar), but with dnsbl lookups.
>
> Doing it on MX would require dnsbl lookups for each MX server in all
> received mail.
> That would massively increase amount of dnsbl lookups.
>
> Doing it on A would do the same, just not that much.

Do it after a white-list of senders you know

Allen C


Re: Why there is no `reject_rbl_sender` restriction?

2017-08-03 Thread Martin Jiřička
> Doing it on MX would require dnsbl lookups for each MX server in all
> received mail.
> That would massively increase amount of dnsbl lookups.

I do not know if I would call it "massively". I already do
`reject_unknown_client_hostname` check and 4 other dnsbl lookups. So I
would do another 2 in addition to current 5? Yes, it is a lot, but
that's how it is… My server does not serve a huge amount of real mail
fortunately.

> you still can block them locally using the rules above.

I think it will not work, almost every spam comes from a different domain.

> On 03.08.17 11:09, Allen Coates wrote:
>> Using the whole email address didn't work - I never saw the same sender
>> twice;

Yes, exactly. Spammers have a huge amount of hostnames.

I do not think it is a good idea to build your own database. I do not
even know how to build it, because I do not run MDA, I only forward
emails… Simply put: I think it is difficult to fight against global
botnets with a local black list :-)


MJ


Re: Why there is no `reject_rbl_sender` restriction?

2017-08-03 Thread Matus UHLAR - fantomas

On 03.08.17 11:07, Martin Jiřička wrote:
> why there is no `reject_rbl_sender` restriction? It probably does not
> make so much sense as `reject_rbl_client`, but it would help me in my
> spam battle. Quite a lot of emails come from servers not listed inside
> Spamhaus blacklists, but sender's domain points to blacklisted IP.


You apparently mean something like check_sender_mx_access (reject when MX
server of sending domain points to blacklisted IP) or maybe
check_sender_a_access (similar), but with dnsbl lookups.

Doing it on MX would require dnsbl lookups for each MX server in all
received mail.
That would massively increase amount of dnsbl lookups.

Doing it on A would do the same, just not that much.


> For example yesterday came email from: Jaromil
>  from client: bounce.countrcultur.com
> [66.45.255.215]
>
> # Domain is not listed:
>> host spplalru.com.dbl.spamhaus.org
> Host spplalru.com.dbl.spamhaus.org not found: 3(NXDOMAIN)
>
> # Check for IP:
>> host spplalru.com
> spplalru.com has address 185.140.110.3
>
> # But the domain points to a blacklisted server!
>> host 3.110.140.185.zen.spamhaus.org
> 3.110.140.185.zen.spamhaus.org has address 127.0.0.2


you still can block them locally using the rules above.

On 03.08.17 11:09, Allen Coates wrote:
> For a while I tried a local black-list based on the senders of bounced
> emails. It was deployed using "check_sender_access ".
>
> Using the whole email address didn't work - I never saw the same sender
> twice;
> and using just the domain part gave me more false positives than true.


this is the keyword: false positives.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
We are but packets in the Internet of life (userfriendly.org)


Re: Why there is no `reject_rbl_sender` restriction?

2017-08-03 Thread Allen Coates
For a while I tried a local black-list based on the senders of bounced
emails. It was deployed using "check_sender_access ".

Using the whole email address didn't work - I never saw the same sender
twice;
and using just the domain part gave me more false positives than true.

A more targeted list, containing PROVEN dud domains and reserved TLDs -
example.com or invalid.net - might have more success.  I haven't given
up on the idea completely.  :-)
 
Not quite what you asked - but it might help to explain


Allen C


On 03/08/17 10:07, Martin Jiřička wrote:
> Hi,
>
> why there is no `reject_rbl_sender` restriction? It probably does not
> make so much sense as `reject_rbl_client`, but it would help me in my
> spam battle. Quite a lot of emails come from servers not listed inside
> Spamhaus blacklists, but sender's domain points to blacklisted IP.
>
> For example yesterday came email from: Jaromil
>  from client: bounce.countrcultur.com
> [66.45.255.215]
>
> Client is not blacklisted under Spamhaus, but lets have a look in more
> detail to sender.
>
> # Domain is not listed:
>> host spplalru.com.dbl.spamhaus.org
> Host spplalru.com.dbl.spamhaus.org not found: 3(NXDOMAIN)
>
> # Check for IP:
>> host spplalru.com
> spplalru.com has address 185.140.110.3
>
> # But the domain points to a blacklisted server!
>> host 3.110.140.185.zen.spamhaus.org
> 3.110.140.185.zen.spamhaus.org has address 127.0.0.2
>
>
> And this is not a unique case! In fact most of the spam that passes my
> anti-spam settings would be filtered by such a restriction according
> to the sender domain. Maybe it is more a problem of Spamhaus and its list
> synchronization, I do not know.
>
> Or is there any fundamental reason why rejecting emails according to
> the sender's domain IP is not a good idea?
>
>
> My best wishes,
> Martin Jiřička
>