Re: It's a fine line...
Matus UHLAR - fantomas wrote:
> The advice I've seen (iirc it was in rfc-ignorant lists) was not to allow sending the mail to abuse and non-abuse mailboxes together, e.g. when it's sent to abuse mailbox, reject rcpt to: non-abuse mailboxes with temporary error and vice versa.

This is what we're implementing for our abuse addresses, using MIMEDefang with sendmail. The temporary errors are 452 4.5.3, the same codes as for a normal RFC 2821+3463 too many recipients error, so any working mail server should retry the rejected addresses.

Regards
/Jonas

--
Jonas Eckerman, FSDB Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/
Re: It's a fine line...
Olivier Nicole wrote:
>> meant there is no dns list for organizations. something like
>> # lookup_company_by_ip 192.0.2.1
>
> Reverse DNS on the contacting mail gateway?

that only gives the domain name. but a single organization may have multiple domains, and in many cases it is hard to tell the organisation from the domain. whois will generally help, but it is not adequate for automatic queries for every mail you receive.
Re: It's a fine line...
> Olivier Nicole wrote:
>> The attitude goes by organisation, not by country.

On 06.11.07 08:37, mouss wrote:
> we know almost all countries. I don't even know a small part of the organizations in my own town. and there is no DNS equivalent of whois.

actually, there are DNS lists (and I don't call them blacklists) that list countries. I've seen some people reporting that they use them to block spam from those countries...

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Microsoft dick is soft to do no harm
RE: It's a fine line...
> But hey, that is a too big cut from Internet, so in some way it is cultural imperialism.
> Bests,
> Olivier

Olivier uu, by default, all organizations get to specifically (or not) define network policies on their own networks. Like it or not that is the way it is. I don't know of too many democratically run for profit networks.

Thing is, in a way, you are right Olivier... it's kinda the don't dog wow in your own backyard IP space thing. Crackers go after easier targets to abuse and the rich ruleth over the poor and so spam comes from countries that are poor in dollars and in ethics or law.

Thank God for spamassassin!

- rh
Re: It's a fine line...
Olivier Nicole wrote:
>> It's not a matter of cultural imperialism, if that's what you're getting at. It's an acknowledgment of the importance of the rule of law in cyberspace.
>
> Except that I don't think it is anything close to a rule of law, but rather a sign of short view. As I said, I doubt you ever got any spam from my organisation (either originated from, or relayed).

So, what are you saying? One well behaved citizen obviates the need for laws for all others? It doesn't work that way.

>> Some countries enforce anti-spam, anti-trespass laws. Others lack them or don't enforce them.
>
> The attitude goes by organisation, not by country.

Organizations don't make laws. Countries do.

>> When these countries put some teeth into the enforcement of their laws, then they will stop being blacklisted.
>
> Plus if we were to ban the originating country for 50% of spam (not my figure), USA should be banned.

Do the math. 50% of the spam (if that is indeed the case) is very low, considering that the US generates a much larger percentage of the total Internet traffic than just half.

In any case, you might get spammed from the US, but I don't: it would be too easy for me to make a complaint against the spammer and have them be charged, shut down, and fined. That's what effectively laws, properly enforced, do.

> But hey, that is a too big cut from Internet, so in some way it is cultural imperialism.
> Bests,
> Olivier

That's a fairly specious argument.

-Philip
Re: It's a fine line...
On 05.11.07 09:20, Philip Prindeville wrote:
> Between the truly clueless administrator, and those that feign ignorance to cover up their implicit approval of spammers...
> What do you do in the case where someone is filtering deliveries to their abuse mailbox? (Like 99% of mail sent there isn't going to score positively...)

the admin should be notified about that problem. abuse address should usually go to 'all_spam_to' lists, but there's a possibility that spammers start Cc:ing abuse@ to get spam through.

The advice I've seen (iirc it was in rfc-ignorant lists) was not to allow sending the mail to abuse and non-abuse mailboxes together, e.g. when it's sent to abuse mailbox, reject rcpt to: non-abuse mailboxes with temporary error and vice versa. The result should be, once the mail will be sent to all non-abuse mailboxes, once to abuse mailboxes, and they can be filtered with different rules.

However, I don't know about any possibility to implement such tests in my sendmail or any other MTA.

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
To Boot or not to Boot, that's the question. [WD1270 Caviar]
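The recipient-splitting rule described here (and reported as deployed with MIMEDefang and 452 4.5.3 replies in Jonas Eckerman's message earlier in the thread) can be modelled without any MTA. The following is an added example in plain Python, not Jonas's MIMEDefang filter nor any sendmail configuration: it implements the per-RCPT decision (the first accepted recipient fixes the class of the transaction; a recipient of the other class is deferred with the "too many recipients" reply) and then drives a conforming sender through the retries to show that the mail really does arrive once for the non-abuse mailboxes and once for abuse@. The `ABUSE_LOCALPARTS` set, the reply texts and the sample envelope are assumptions made for the example.

```python
"""Keep abuse@ and ordinary recipients in separate SMTP transactions.

Added example (not the thread's MIMEDefang/sendmail code): models the
per-RCPT policy Matus describes and a conforming sender's retry cycle.
ABUSE_LOCALPARTS, the reply texts and the envelope are assumptions.
"""
from dataclasses import dataclass, field

# Assumption: mailboxes treated as the "abuse" class; all others are "normal".
ABUSE_LOCALPARTS = {"abuse"}

# 452 4.5.3 is the RFC 2821/3463 "too many recipients" reply. It is a
# transient failure, so any working sender queues those recipients and
# retries them later in a fresh transaction instead of bouncing them.
TEMPFAIL = ("452", "4.5.3", "Abuse and non-abuse recipients must be "
                            "sent in separate transactions, try later")
ACCEPT = ("250", "2.1.5", "Recipient ok")


def is_abuse(rcpt: str) -> bool:
    """Classify an envelope recipient by local-part (the domain is ours)."""
    local = rcpt.strip().lstrip("<").split("@", 1)[0].lower()
    return local in ABUSE_LOCALPARTS


@dataclass
class RcptPolicy:
    """Per-transaction state; a real milter resets it at MAIL FROM / RSET."""
    accepted: list = field(default_factory=list)

    def rcpt_to(self, rcpt: str):
        """SMTP reply for RCPT TO:<rcpt>.

        The first recipient fixes the class of the transaction; any later
        recipient of the other class is deferred with 452 4.5.3 rather than
        rejected, so the sender delivers it separately.
        """
        if self.accepted and is_abuse(self.accepted[0]) != is_abuse(rcpt):
            return TEMPFAIL
        self.accepted.append(rcpt)
        return ACCEPT


def simulate_delivery(recipients, max_attempts=5):
    """Drive a conforming sender against RcptPolicy.

    Each attempt is a fresh transaction; recipients that received 452 are
    queued and retried in the next one. Returns the recipient groups in the
    order they were delivered: one transaction per class, which is what
    lets the receiving side filter abuse@ with different rules.
    """
    pending = list(recipients)
    transactions = []
    for _ in range(max_attempts):
        if not pending:
            break
        policy = RcptPolicy()
        deferred = []
        for rcpt in pending:
            if policy.rcpt_to(rcpt) == TEMPFAIL:
                deferred.append(rcpt)
        transactions.append(policy.accepted)
        pending = deferred
    return transactions


if __name__ == "__main__":
    # Constructed envelope: a spammer Cc:ing abuse@ alongside real users.
    envelope = ["alice@example.org", "abuse@example.org", "bob@example.org"]
    for n, group in enumerate(simulate_delivery(envelope), 1):
        print(f"transaction {n}: {group}")
```

Because the second class is deferred with a 4xx rather than refused with a 5xx, a legitimate reporter who Cc:s abuse@ and a regular mailbox loses nothing; only the single-transaction shortcut is closed.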
Re: It's a fine line...
Matus UHLAR - fantomas wrote:
> The advice I've seen (iirc it was in rfc-ignorant lists) was not to allow sending the mail to abuse and non-abuse mailboxes together, e.g. when it's sent to abuse mailbox, reject rcpt to: non-abuse mailboxes with temporary error and vice versa. The result should be, once the mail will be sent to all non-abuse mailboxes, once to abuse mailboxes, and they can be filtered with different rules.

If only it were that easy. The issue is that a lot of sites are ignorant and haven't filled out all of their ICANN required fields in their ARIN (or RIPE or APNIC or LACNIC or AFRINIC) registrations. So there might be an OrgTech contact as [EMAIL PROTECTED] who you Bcc: on the message, but you guess that there's also an abuse mailbox, and they just forgot to register it.

However, you don't want to mail to the abuse mailbox to see if it gets delivered, and then if it bounced, mail to the OrgTech mailbox instead... because that's too much wasted time... So you To: the abuse mailbox on the odd chance that it exists, and you Bcc: the noc mailbox (or the hostmaster or whatever) as a fallback address.

-Philip
Re: It's a fine line...
On 06.11.07 07:57, Philip Prindeville wrote:
> However, you don't want to mail to the abuse mailbox to see if it gets delivered, and then if it bounced, mail to the OrgTech mailbox instead... because that's too much wasted time... So you To: the abuse mailbox on the odd chance that it exists, and you Bcc: the noc mailbox (or the hostmaster or whatever) as a fallback address.

Actually, I do want. And when someone from a domain that does not support abuse@ wants to mail me, (s)he's out of luck. They don't care about rules, I don't care about their mail...

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!
Re: It's a fine line...
Matus UHLAR - fantomas wrote:
>> Olivier Nicole wrote:
>>> The attitude goes by organisation, not by country.
>
> On 06.11.07 08:37, mouss wrote:
>> we know almost all countries. I don't even know a small part of the organizations in my own town. and there is no DNS equivalent of whois.
>
> actually, there are DNS lists (and I don't call them blacklists) that list countries. I've seen some people reporting that they use them to block spam from those countries...

looks like you misunderstood me. yes, nerd.dk or geoip will help for the country part. but I was talking about the organization version. I meant there is no dns list for organizations. something like

# lookup_company_by_ip 192.0.2.1
...
Re: It's a fine line...
> actually, there are DNS lists (and I don't call them blacklists) that list countries. I've seen some people reporting that they use them to block spam from those countries...

True, GeoIP does that for example.

Olivier
Re: It's a fine line...
> uu, by default, all organizations get to specifically (or not) define network policies on their own networks.

Exactly. Only I expected subscribers to the SA list to be a bit wiser than the lambda policy designer.

> Crackers go after easier targets to abuse and the rich ruleth over the poor and so spam comes from countries that are poor in dollars and in ethics or law.

Agreed too. But I suspect that the policy designers mentioned above do not really pay close attention to the laws that various countries install or not.

> Thank God for spamassassin!

Agreed with that, why bother banning per country when SA does a fine and finer job (works well and per message, not per country bulk).

Bests,
Olivier
Re: It's a fine line...
> meant there is no dns list for organizations. something like
> # lookup_company_by_ip 192.0.2.1

Reverse DNS on the contacting mail gateway?

Bests,
olivier
Re: It's a fine line...
> Do the math. 50% of the spam (if that is indeed the case) is very low, considering that the US generates a much larger percentage of the total Internet traffic than just half.

The 50% figure was given recently, was that by someone of ICANN or APNIC, I don't remember.

> In any case, you might get spammed from the US, but I don't: it would be too easy for me to make a complaint against the spammer and have them be charged, shut down, and fined. That's what effectively laws, properly enforced, do.

OK, so maybe spammers are getting clever and USA spammers address to Asia and Asian spammers address to USA? So we each start ignoring the others? That may not be the best attitude in the Internet world.

> That's a fairly specious argument.

I apologize, English is not my mother tongue, I may have misstated what I intended.

Bests,
Olivier
It's a fine line...
Between the truly clueless administrator, and those that feign ignorance to cover up their implicit approval of spammers...

What do you do in the case where someone is filtering deliveries to their abuse mailbox? (Like 99% of mail sent there isn't going to score positively...)

Sigh.

Return-Path:
Received: from localhost (localhost)
	by mail.redfish-solutions.com (8.14.1/8.14.1) id lA5HEMTM017203;
	Mon, 5 Nov 2007 10:14:22 -0700
Date: Mon, 5 Nov 2007 10:14:22 -0700
From: Mail Delivery Subsystem [EMAIL PROTECTED]
Message-Id: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
	boundary=lA5HEMTM017203.1194282862/mail.redfish-solutions.com
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)

This is a MIME-encapsulated message

--lA5HEMTM017203.1194282862/mail.redfish-solutions.com

The original message was received at Mon, 5 Nov 2007 10:14:14 -0700
from pool-71-112-36-94.sttlwa.dsl-w.verizon.net [71.112.36.94]

   - The following addresses had permanent fatal errors -
[EMAIL PROTECTED]
    (reason: 550 Rejecting message scored for more than 8.0 (9.0) SPAM points.)

   - Transcript of session follows -
... while talking to arminco.com.:
DATA
550 Rejecting message scored for more than 8.0 (9.0) SPAM points.
554 5.0.0 Service unavailable

--lA5HEMTM017203.1194282862/mail.redfish-solutions.com
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.redfish-solutions.com
Received-From-MTA: DNS; pool-71-112-36-94.sttlwa.dsl-w.verizon.net
Arrival-Date: Mon, 5 Nov 2007 10:14:14 -0700

Final-Recipient: RFC822; [EMAIL PROTECTED]
Action: failed
Status: 5.2.0
Remote-MTA: DNS; arminco.com
Diagnostic-Code: SMTP; 550 Rejecting message scored for more than 8.0 (9.0) SPAM points.
Last-Attempt-Date: Mon, 5 Nov 2007 10:14:22 -0700

--lA5HEMTM017203.1194282862/mail.redfish-solutions.com
Content-Type: message/rfc822

Return-Path: [EMAIL PROTECTED]
Received: from [192.168.10.148] (pool-71-112-36-94.sttlwa.dsl-w.verizon.net [71.112.36.94])
	(authenticated bits=0)
	by mail.redfish-solutions.com (8.14.1/8.14.1) with ESMTP id lA5HECTN017198
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
	for [EMAIL PROTECTED]; Mon, 5 Nov 2007 10:14:14 -0700
Message-ID: [EMAIL PROTECTED]
Date: Mon, 05 Nov 2007 09:14:05 -0800
From: Abuse Department [EMAIL PROTECTED]
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: [EMAIL PROTECTED]
Subject: Filtering abuse reports
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.63 on 192.168.1.3

Of course submitted mail to the Abuse mailbox is going to score as spam. It is spam. Why else would anyone be reporting it?

Please get a clue and turn off filtering on your abuse mailbox:

The original message was received at Mon, 5 Nov 2007 10:10:58 -0700
from pool-71-112-36-94.sttlwa.dsl-w.verizon.net [71.112.36.94]

   - The following addresses had permanent fatal errors -
[EMAIL PROTECTED]
    (reason: 550 Rejecting message scored for more than 8.0 (20.6) SPAM points.)

   - Transcript of session follows -
... while talking to styx.aic.net.:
DATA
550 Rejecting message scored for more than 8.0 (15.1) SPAM points.
554 5.0.0 Service unavailable
... while talking to arminco.com.:
DATA
550 Rejecting message scored for more than 8.0 (20.6) SPAM points.
554 5.0.0 Service unavailable

--lA5HEMTM017203.1194282862/mail.redfish-solutions.com--
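The bounce above is a standard multipart/report DSN (RFC 3464): the `message/delivery-status` part carries one header block per recipient, with `Action`, `Status` and the remote server's `Diagnostic-Code`. When reports are sent in bulk, the question "did this bounce because the abuse mailbox is spam-filtered, or because it simply does not exist?" can be answered from those fields. The following is an added example, not code from this post or from any tool named in the thread: it parses a DSN with Python's standard `email` package and returns the abuse@ recipients whose report was permanently rejected by something that looks like a content filter, i.e. the cases that merit a note to the postmaster. `SAMPLE_DSN` is constructed for the example; its hosts, addresses and the `FILTER_HINT` word list are placeholders and assumptions that mirror the structure of the sendmail DSN above, not its real values.

```python
"""Triage a DSN (bounce) for abuse reports rejected by a spam filter.

Added example, not code from the thread. Parses the message/delivery-status
part (RFC 3464) and flags abuse@ recipients whose permanent failure reads
like content filtering rather than an unknown user or a network problem.
SAMPLE_DSN is constructed; hosts, addresses and FILTER_HINT are assumptions.
"""
import re
from email import message_from_string

# Words that make a 5xx diagnostic look like filtering rather than a
# nonexistent mailbox. Assumption: tune this for the MTAs you deal with.
FILTER_HINT = re.compile(r"\b(spam|scored?|content|blocked|filter\w*)\b", re.I)

# Constructed sample: same layout as a sendmail DSN, placeholder values.
SAMPLE_DSN = """\
From: Mail Delivery Subsystem <MAILER-DAEMON@mta.example.net>
To: reporter@mta.example.net
Subject: Returned mail: see transcript for details
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="dsn-boundary"

This is a MIME-encapsulated message

--dsn-boundary

The original message was received at Mon, 5 Nov 2007 10:14:14 -0700
   - The following addresses had permanent fatal errors -
<abuse@filtered.example.org>
<noc@other.example.org>

--dsn-boundary
Content-Type: message/delivery-status

Reporting-MTA: dns; mta.example.net
Arrival-Date: Mon, 5 Nov 2007 10:14:14 -0700

Final-Recipient: RFC822; abuse@filtered.example.org
Action: failed
Status: 5.2.0
Remote-MTA: DNS; mx.filtered.example.org
Diagnostic-Code: SMTP; 550 Rejecting message scored for more than 8.0 (9.0) SPAM points.
Last-Attempt-Date: Mon, 5 Nov 2007 10:14:22 -0700

Final-Recipient: RFC822; noc@other.example.org
Action: failed
Status: 5.1.1
Remote-MTA: DNS; mx.other.example.org
Diagnostic-Code: SMTP; 550 5.1.1 User unknown

--dsn-boundary
Content-Type: message/rfc822

Subject: abuse report (the original message would follow here)

--dsn-boundary--
"""


def _address(final_recipient: str) -> str:
    """'RFC822; abuse@example.org' -> 'abuse@example.org'"""
    return final_recipient.split(";", 1)[-1].strip().lower()


def parse_dsn(raw_dsn: str):
    """Return one dict per per-recipient block of the delivery-status part."""
    reports = []
    for part in message_from_string(raw_dsn).walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        # The email package parses this part into a list of header blocks:
        # the first is per-message, each following one is per-recipient.
        for block in part.get_payload()[1:]:
            reports.append({
                "recipient": _address(block.get("Final-Recipient", "")),
                "action": (block.get("Action") or "").strip().lower(),
                "status": (block.get("Status") or "").strip(),
                "diagnostic": " ".join((block.get("Diagnostic-Code") or "").split()),
            })
    return reports


def filtered_abuse_addresses(raw_dsn: str):
    """(recipient, status, diagnostic) for each abuse@ recipient whose report
    failed permanently (5.x.x) with a filter-looking diagnostic."""
    hits = []
    for rep in parse_dsn(raw_dsn):
        local = rep["recipient"].split("@", 1)[0]
        if (rep["action"] == "failed" and rep["status"].startswith("5.")
                and local == "abuse" and FILTER_HINT.search(rep["diagnostic"])):
            hits.append((rep["recipient"], rep["status"], rep["diagnostic"]))
    return hits


if __name__ == "__main__":
    for recipient, status, diag in filtered_abuse_addresses(SAMPLE_DSN):
        print(f"{recipient}: abuse mailbox appears filtered ({status}: {diag})")
```

The noc@ failure in the sample is deliberately left out of the result: a 5.1.1 "User unknown" says the contact is wrong, not that abuse reports are being filtered, and the two call for different follow-ups.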
Re: It's a fine line...
Philip Prindeville wrote:
> Between the truly clueless administrator, and those that feign ignorance to cover up their implicit approval of spammers...
> What do you do in the case where someone is filtering deliveries to their abuse mailbox? (Like 99% of mail sent there isn't going to score positively...)

I filter my abuse address. Otherwise it would get so many spam messages, the ham would get lost in the noise.

Only send the headers. If the body is actually needed post it on some webpage.
Re: It's a fine line...
Steven Kurylo wrote:
> Philip Prindeville wrote:
>> Between the truly clueless administrator, and those that feign ignorance to cover up their implicit approval of spammers...
>> What do you do in the case where someone is filtering deliveries to their abuse mailbox? (Like 99% of mail sent there isn't going to score positively...)
>
> I filter my abuse address. Otherwise it would get so many spam messages, the ham would get lost in the noise.
>
> Only send the headers. If the body is actually needed post it on some webpage.

A lot of sites won't accept just header lines. They need both (to confirm that it's software piracy, or pornography, or phishing... and with phishing, you need the 4th party: the link that is being used to spoof the legitimate organization).

And who bothers to keep track of who wants what? I send everyone a complete copy of the message inline, because some braindead sites don't accept attachments, etc.

-Philip
Re: It's a fine line...
On Mon, 5 Nov 2007, Steven Kurylo wrote:
> Philip Prindeville wrote:
>> Between the truly clueless administrator, and those that feign ignorance to cover up their implicit approval of spammers...
>> What do you do in the case where someone is filtering deliveries to their abuse mailbox? (Like 99% of mail sent there isn't going to score positively...)

I have a form note that I send to the postmaster address whenever a report to the abuse address is bounced. It says (1) you need a working abuse address and (2) you shouldn't filter it.

> I filter my abuse address. Otherwise it would get so many spam messages, the ham would get lost in the noise.
>
> Only send the headers. If the body is actually needed post it on some webpage.

To heck with that. If I have to jump through that many hoops to report abuse in *your* network, I'm just going to roundfile it. It's enough work to pick out all of the relevant abuse addresses to forward the message to, and note the type of abuse (lottery, 419, money laundering, etc.). I almost don't report abuse to Yahoo because they refuse to deal with RFC-822 attachments and want the entire original message in the body, and that makes reporting abuse containing a Yahoo.* contact address two separate operations - forward as attachment to the relay owner, and forward in the body to Yahoo.

--
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
[EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
You do not examine legislation in the light of the benefits it will convey if properly administered, but in the light of the wrongs it would do and the harms it would cause if improperly administered. -- Lyndon B. Johnson
---
6 days until Veterans Day
Re: It's a fine line...
John D. Hardin wrote:
> On Mon, 5 Nov 2007, Steven Kurylo wrote:
>> Philip Prindeville wrote:
>>> Between the truly clueless administrator, and those that feign ignorance to cover up their implicit approval of spammers...
>>> What do you do in the case where someone is filtering deliveries to their abuse mailbox? (Like 99% of mail sent there isn't going to score positively...)
>
> I have a form note that I send to the postmaster address whenever a report to the abuse address is bounced. It says (1) you need a working abuse address and (2) you shouldn't filter it.
>
>> I filter my abuse address. Otherwise it would get so many spam messages, the ham would get lost in the noise.
>>
>> Only send the headers. If the body is actually needed post it on some webpage.
>
> To heck with that. If I have to jump through that many hoops to report abuse in *your* network, I'm just going to roundfile it. It's enough work to pick out all of the relevant abuse addresses to forward the message to, and note the type of abuse (lottery, 419, money laundering, etc.). I almost don't report abuse to Yahoo because they refuse to deal with RFC-822 attachments and want the entire original message in the body, and that makes reporting abuse containing a Yahoo.* contact address two separate operations - forward as attachment to the relay owner, and forward in the body to Yahoo.

Well, Yahoo is a waste of time for other reasons, right? They tell you that it doesn't come from their site... but to use the top-most Received: line's IP address, then to look that up on ARIN which... surprise! ... typically points to Yahoo! (or one of their surrogates, like Inktomi... do their tier-1 people not *know* that Yahoo owns Inktomi? or are they just playing dumb?).

-Philip
Re: It's a fine line...
On Mon, 5 Nov 2007, Philip Prindeville wrote:
> Well, Yahoo is a waste of time for other reasons, right? They tell you that it doesn't come from their site...

I generally don't get spam from Yahoo MTAs; most of my reporting is of fraud spams with yahoo contact addresses.

--
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
[EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Of the twenty-two civilizations that have appeared in history, nineteen of them collapsed when they reached the moral state the United States is in now. -- Arnold Toynbee
---
6 days until Veterans Day
Re: It's a fine line...
Hi,

> Between the truly clueless administrator, and those that feign ignorance to cover up their implicit approval of spammers...
> What do you do in the case where someone is filtering deliveries to their abuse mailbox? (Like 99% of mail sent there isn't going to score positively...)

If I am in the mood, I would try to report one step above, to their ISP for example.

Bests,
Olivier
Re: It's a fine line...
And not to point fingers, how to react with a narrow minded sysadmin that bans per IP?

From my legitimate mail server in Thailand, that has never been blacklisted as far as I know:

mailon45: telnet mail.redfish-solutions.com 25
Trying 66.232.79.143...
Connected to mail.redfish-solutions.com (66.232.79.143).
Escape character is '^]'.
554 mail.redfish-solutions.com ESMTP not accepting messages

From another mail server I administrate, but located in Germany:

sinoon72: telnet mail.redfish-solutions.com 25
Trying 66.232.79.143...
Connected to mail.redfish-solutions.com.
Escape character is '^]'.
220 mail.redfish-solutions.com ESMTP Sendmail 8.14.1/8.14.1; Mon, 5 Nov 2007 19:10:02 -0700

No need to remind that any person seriously looking at the spam problem knows that spam is mainly originated from USA, even if relayed through other, possibly Asian, countries.

Yes I am quite pissed by such attitude.

Olivier
Re: It's a fine line...
Hi,

adding to the list, I recently came across domain contacts like [EMAIL PROTECTED] (not sure about the exact domain name). This service also refuses some mails, particularly those that are sent via one of the mail servers of German telecom, and it is operated by Verisign.

Wolfgang Hamann
Re: It's a fine line...
Olivier Nicole wrote:
> And not to point fingers, how to react with a narrow minded sysadmin that bans per IP?
>
> From my legitimate mail server in Thailand, that has never been blacklisted as far as I know:
>
> mailon45: telnet mail.redfish-solutions.com 25
> Trying 66.232.79.143...
> Connected to mail.redfish-solutions.com (66.232.79.143).
> Escape character is '^]'.
> 554 mail.redfish-solutions.com ESMTP not accepting messages
>
> From another mail server I administrate, but located in Germany:
>
> sinoon72: telnet mail.redfish-solutions.com 25
> Trying 66.232.79.143...
> Connected to mail.redfish-solutions.com.
> Escape character is '^]'.
> 220 mail.redfish-solutions.com ESMTP Sendmail 8.14.1/8.14.1; Mon, 5 Nov 2007 19:10:02 -0700
>
> No need to remind that any person seriously looking at the spam problem knows that spam is mainly originated from USA, even if relayed through other, possibly Asian, countries.
>
> Yes I am quite pissed by such attitude.
>
> Olivier

It's not a matter of cultural imperialism, if that's what you're getting at. It's an acknowledgment of the importance of the rule of law in cyberspace.

Some countries enforce anti-spam, anti-trespass laws. Others lack them or don't enforce them.

When these countries put some teeth into the enforcement of their laws, then they will stop being blacklisted.

-Philip
Re: It's a fine line...
> It's not a matter of cultural imperialism, if that's what you're getting at. It's an acknowledgment of the importance of the rule of law in cyberspace.

Except that I don't think it is anything close to a rule of law, but rather a sign of short view. As I said, I doubt you ever got any spam from my organisation (either originated from, or relayed).

> Some countries enforce anti-spam, anti-trespass laws. Others lack them or don't enforce them.

The attitude goes by organisation, not by country.

> When these countries put some teeth into the enforcement of their laws, then they will stop being blacklisted.

Plus if we were to ban the originating country for 50% of spam (not my figure), USA should be banned. But hey, that is a too big cut from Internet, so in some way it is cultural imperialism.

Bests,
Olivier
Re: It's a fine line...
Olivier Nicole wrote:
>> It's not a matter of cultural imperialism, if that's what you're getting at. It's an acknowledgment of the importance of the rule of law in cyberspace.
>
> Except that I don't think it is anything close to a rule of law, but rather a sign of short view. As I said, I doubt you ever got any spam from my organisation (either originated from, or relayed).
>
>> Some countries enforce anti-spam, anti-trespass laws. Others lack them or don't enforce them.
>
> The attitude goes by organisation, not by country.

we know almost all countries. I don't even know a small part of the organizations in my own town. and there is no DNS equivalent of whois.

>> When these countries put some teeth into the enforcement of their laws, then they will stop being blacklisted.
>
> Plus if we were to ban the originating country for 50% of spam (not my figure), USA should be banned. But hey, that is a too big cut from Internet, so in some way it is cultural imperialism.

I won't argue about imperialism. but some people block countries based on the fact that they get very little mail from these countries, so the probability of an FP is very low. Ironically, such an approach is used by people who fear FPs so much that they don't use common checks such as DNSBLs, basic helo checks, ... etc.