RE: [Declude.JunkMail] DNS Test?
Hi;

You are right, but there are some issues that require a tad of re-thinking. We are getting a lot of spam from the following domains:

.threeiscrowded.com
.twelvesolvesthepuzzle.com
.eightiscrazy.com
.oneislonely.com
.elevenisbarelythere.com
.sixislazy.com

All appear to follow the same thought process and naming convention. These domains are not listed in any of the DSBL tests, and we have had some that actually make it to the recipient with weights of 15-19. We hold on 20. Since these guys use graphic images and only links are in the body, it makes it hard to identify it as spam if the URLs are not in our filter file. Every day we see a new variation of this naming convention. Of course, once we see one we block the domain as a text filter, but before we see one they manage to be sent to everyone in our domains in one blast.

If we are to stop spam we have to go to the source of origin and then track the email. DNS is just one thought - perhaps even being able to whitelist a DNS server could be a great add-on for reducing false positives. While not everyone is doing the correct REVDNS, everyone has to have a DNS server. Emails can be faked, HELO can be faked. I don't know, but I am sure Scott and others would know - can DNS be faked?

Regards,
Kami

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rifat Levis
Sent: Friday, July 18, 2003 6:08 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] DNS Test?

It seems like an interesting test, but it will do more harm to ISPs. I am just thinking of my case, having more than thousands of domains. If one of those domains starts doing spam, thousands of others will have problems. The ISP mail servers also. Adding a small weight can do the job :)

Rifat Levis

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] DNS Test?
Being able to block on DNS servers today would at least be a temporary leg up for the white hats. In the end, DNS servers can be as easily registered as goofy domain names. They could set up an automated process to register a new batch of DNS servers daily. They could conceivably run the DNS servers as trojans, as they do today for click-o-porn servers.

http://forums.zdnet.com/group/zd.Security.Virus.Alerts/cnet/cnetnt.tpt/@[EMAIL PROTECTED]@[EMAIL PROTECTED]@D-,[EMAIL PROTECTED]/@[EMAIL PROTECTED]@44558?ROS=1OC=75

----- Original Message -----

DNS is just one thought - perhaps even being able to whitelist a DNS server could be a great add-on for reducing false positives. While not everyone is doing the correct REVDNS, everyone has to have a DNS server. Emails can be faked, HELO can be faked. I don't know, but I am sure Scott and others would know - can DNS be faked?
Re: [Declude.JunkMail] DNS Test?
> I have been looking at this trend and perhaps having another tool in our arsenal could help. Can there be a header or a variable we can assign weight to for DNS? A lot of spam houses have a DNS server, and several that I checked were showing the same name server for their domains. Just like a blacklist that looks at emails, I wonder if it is an efficient use of resources if one could also have a blacklist of DNS servers. This way we can add weight to certain servers.

This is an interesting idea. It's been added to the suggestion database. It would be a bit tricky to implement, but could be very useful (and would probably not require much extra in the way of resources).

-Scott

---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.
---
Re: [Declude.JunkMail] DNS Test?
Can't wait for this one!

On Friday, July 18, 2003 11:10, R. Scott Perry [EMAIL PROTECTED] wrote:

>> I have been looking at this trend and perhaps having another tool in our arsenal could help. Can there be a header or a variable we can assign weight to for DNS? A lot of spam houses have a DNS server, and several that I checked were showing the same name server for their domains. Just like a blacklist that looks at emails, I wonder if it is an efficient use of resources if one could also have a blacklist of DNS servers. This way we can add weight to certain servers.
>
> This is an interesting idea. It's been added to the suggestion database. It would be a bit tricky to implement, but could be very useful (and would probably not require much extra in the way of resources).
>
> -Scott
Re: [Declude.JunkMail] DNS Test?
It seems like an interesting test, but it will do more harm to ISPs. I am just thinking of my case, having more than thousands of domains. If one of those domains starts doing spam, thousands of others will have problems. The ISP mail servers also. Adding a small weight can do the job :)

Rifat Levis

----- Original Message -----
From: Dan Patnode [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, July 19, 2003 12:40 AM
Subject: Re: [Declude.JunkMail] DNS Test?

Can't wait for this one!
Re: [Declude.JunkMail] DNS Test?
Think of the companies that offer spammers a haven. If you could block everything hosted by that ISP it would be wicked nice. There's no end to the mail servers these bastards can set up, but registered DNS servers are a whole other story. I don't take mail if there's no PTR and the HELO has no A record, so these people spamming me have to use DNS servers, which are harder to switch constantly because it takes 24 - 48 hours for that stuff to change.

-Josh

----- Original Message -----
From: Rifat Levis [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, July 18, 2003 6:08 PM
Subject: Re: [Declude.JunkMail] DNS Test?

It seems like an interesting test, but it will do more harm to ISPs. I am just thinking of my case, having more than thousands of domains. If one of those domains starts doing spam, thousands of others will have problems. The ISP mail servers also. Adding a small weight can do the job :)
RE: [Declude.JunkMail] DNS Test?
Be careful blocking solely on RDNS and HELOBOGUS. There are many legitimate mail servers out there with ignorant DNS admins. We are lucky to have Scott, Len (on the IMail list), and DNS Stuff/Report. I have taken the approach of attempting to enlighten them with the following email. Because my users recover their own email, it makes doing this easier.

Hi,

I am Kevin Bilbee, the Network Administrator at Standard Abrasives. We are having some issues receiving email from your mail server. I would appreciate it if you could help me out.

Your mail server is missing a few DNS entries that are required to validate that email is coming from your server and not someone pretending to be you. About 60% of the mail coming into our server is unsolicited (SPAM), so being able to identify legitimate email is important to us. These items are outlined below.

X-RBL-Warning: HELOBOGUS: Domain acsmail1.amas.nl has no MX or A records.
X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 194.151.97.18 with no reverse DNS entry.

This is the link to the Internet Engineering Task Force site and the RFC for Common DNS Operational and Configuration Errors, section 2.1. It discusses DNS and common configuration errors pertaining to mail servers.

http://www.ietf.org/rfc/rfc1912.txt?number=1912

If you could forward this to your IT department or send me contact information for them, I would appreciate it.

Mail from your server is not lost; it is delayed 1 day while waiting for review. If it is found to not be spam, the recipient has the option to recover the message. If they do not recover it in 14 days, it is purged from the system. I understand that mail from your server is not spam and is legitimate business email. But our spam filter cannot make that determination unless the above, so human intervention is involved to complete delivery to the final recipient. After my signature is a message with the full headers for you to review.

Thank you for your assistance in this matter,

Kevin Bilbee
Network Administrator
Standard Abrasives, Inc.

I have had great results in getting legitimate admins to fix their setups. My biggest problem is with admins in China and admins that think it is a security risk for their firewall to have these entries. I also had our international department review the email so as not to offend people in other countries with harsh language.

Kevin Bilbee

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Joshua Levitsky
Sent: Friday, July 18, 2003 3:29 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] DNS Test?

Think of the companies that offer spammers a haven. If you could block everything hosted by that ISP it would be wicked nice. There's no end to the mail servers these bastards can set up, but registered DNS servers are a whole other story. I don't take mail if there's no PTR and the HELO has no A record, so these people spamming me have to use DNS servers, which are harder to switch constantly because it takes 24 - 48 hours for that stuff to change.

-Josh
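The three checks this thread talks about, as an added example that is not Declude code: REVDNS (no PTR for the connecting IP), HELOBOGUS (HELO name has no MX or A record), and the proposed weighted list of name servers, all added up against the hold threshold of 20 that Kami mentions. The DNS answers come from a constructed in-memory table (the hosts, addresses and listed name server are made up) so it runs offline; the individual weights are assumptions, chosen so that a single failed check is a "small weight" in Rifat's sense.

```python
"""Weighted DNS-based scoring of an inbound SMTP session (illustration only).

Every DNS answer is supplied by a resolver callback, so the example runs
offline against the constructed zone data below instead of live DNS.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed DNS data: (owner name, record type) -> answers. Not real zones.
FAKE_DNS: Dict[Tuple[str, str], List[str]] = {
    ("mail.example.net", "A"): ["203.0.113.10"],
    ("example.net", "MX"): ["mail.example.net"],
    ("example.net", "NS"): ["ns1.example.net"],
    ("10.113.0.203.in-addr.arpa", "PTR"): ["mail.example.net"],
    # A sender domain parked on a name server we have seen hosting spam domains.
    ("spamdomain.example", "NS"): ["ns1.bulkhost.example"],
}


def fake_resolve(name: str, rtype: str) -> List[str]:
    """Stand-in for a DNS lookup; an empty list means NXDOMAIN / no data."""
    return FAKE_DNS.get((name.lower().rstrip("."), rtype), [])


HOLD_WEIGHT = 20                       # from the thread: "We hold on 20"
WEIGHTS = {"REVDNS": 8, "HELOBOGUS": 8}  # assumed per-test weights
NS_WEIGHTS = {                         # assumed name-server list (constructed)
    "ns1.bulkhost.example": 10,        # listed: adds weight
    "ns1.example.net": -5,             # whitelisted: reduces weight (Kami's idea)
}


def reverse_name(ipv4: str) -> str:
    """Build the in-addr.arpa name used for the PTR lookup of an IPv4 address."""
    octets = ipv4.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ipv4!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


@dataclass
class Verdict:
    weight: int = 0
    warnings: List[str] = field(default_factory=list)

    @property
    def hold(self) -> bool:
        return self.weight >= HOLD_WEIGHT


def score(helo: str, ip: str, sender_domain: str, resolve=fake_resolve) -> Verdict:
    """Run the DNS tests on one session and return the accumulated weight."""
    v = Verdict()
    # REVDNS: the connecting address should have a PTR record.
    if not resolve(reverse_name(ip), "PTR"):
        v.weight += WEIGHTS["REVDNS"]
        v.warnings.append(f"REVDNS: MUA/MTA {ip} has no reverse DNS entry")
    # HELOBOGUS: the HELO name should resolve to an MX or an A record.
    if not resolve(helo, "MX") and not resolve(helo, "A"):
        v.weight += WEIGHTS["HELOBOGUS"]
        v.warnings.append(f"HELOBOGUS: Domain {helo} has no MX or A records")
    # Proposed test: weight by which name servers are authoritative for the
    # sender's domain, positive for listed servers, negative for whitelisted.
    for ns in resolve(sender_domain, "NS"):
        w = NS_WEIGHTS.get(ns.lower().rstrip("."))
        if w is not None:
            v.weight += w
            v.warnings.append(f"NSLIST: {sender_domain} served by {ns} ({w:+d})")
    return v


if __name__ == "__main__":
    for args in [("mail.example.net", "203.0.113.10", "example.net"),
                 ("bogus.invalid", "198.51.100.7", "spamdomain.example"),
                 ("bogus.invalid", "198.51.100.7", "unknown.example")]:
        verdict = score(*args)
        print(args, verdict.weight, "HOLD" if verdict.hold else "deliver", verdict.warnings)
```

The third sample session fails both REVDNS and HELOBOGUS but still lands below the hold line, which is the 15-19 case Kami describes; only the name-server weight pushes the second one over.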
RE: [Declude.JunkMail] DNS Test?
Great letter Kevin, but I recently tried to explain this to a company and their engineer said that it was by design. His explanation was that they did it for security/obscurity reasons and we were applying too strong restrictions on mail delivery. Sometimes you just can't win with these people.

Jason

-- Original Message --
From: Kevin Bilbee [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Fri, 18 Jul 2003 15:52:25 -0700

Be careful blocking solely on RDNS and HELOBOGUS. There are many legitimate mail servers out there with ignorant DNS admins. We are lucky to have Scott, Len (on the IMail list), and DNS Stuff/Report. I have taken the approach of attempting to enlighten them with the following email. Because my users recover their own email, it makes doing this easier.

Hi,

I am Kevin Bilbee, the Network Administrator at Standard Abrasives. We are having some issues receiving email from your mail server. I would appreciate it if you could help me out.

Your mail server is missing a few DNS entries that are required to validate that email is coming from your server and not someone pretending to be you. About 60% of the mail coming into our server is unsolicited (SPAM), so being able to identify legitimate email is important to us. These items are outlined below.

X-RBL-Warning: HELOBOGUS: Domain acsmail1.amas.nl has no MX or A records.
X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 194.151.97.18 with no reverse DNS entry.

This is the link to the Internet Engineering Task Force site and the RFC for Common DNS Operational and Configuration Errors, section 2.1. It discusses DNS and common configuration errors pertaining to mail servers.

http://www.ietf.org/rfc/rfc1912.txt?number=1912

If you could forward this to your IT department or send me contact information for them, I would appreciate it.

Mail from your server is not lost; it is delayed 1 day while waiting for review. If it is found to not be spam, the recipient has the option to recover the message. If they do not recover it in 14 days, it is purged from the system. I understand that mail from your server is not spam and is legitimate business email. But our spam filter cannot make that determination unless the above, so human intervention is involved to complete delivery to the final recipient. After my signature is a message with the full headers for you to review.

Thank you for your assistance in this matter,

Kevin Bilbee
Network Administrator
Standard Abrasives, Inc.

I have had great results in getting legitimate admins to fix their setups. My biggest problem is with admins in China and admins that think it is a security risk for their firewall to have these entries. I also had our international department review the email so as not to offend people in other countries with harsh language.

Kevin Bilbee
RE: [Declude.JunkMail] DNS Test?
Exactly, that's why I mentioned ignorant admins. I tell them that it is their decision to have their email delayed by not being RFC compliant, and I just want them to know the consequences. I generally find someone in management to CC when I send this response. When CCing, I place the original email at the bottom for management to review. I get a pretty good response when emailing management that there are configuration issues. Pisses off the admin, but it gets fixed!!

Kevin Bilbee

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jason Newland
Sent: Friday, July 18, 2003 5:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] DNS Test?

Great letter Kevin, but I recently tried to explain this to a company and their engineer said that it was by design. His explanation was that they did it for security/obscurity reasons and we were applying too strong restrictions on mail delivery. Sometimes you just can't win with these people.

Jason