blocking brand new domains - follow-up

2010-09-12 Thread pf at alt-ctrl-del.org


Noel Jones August 23, 2010

> * p...@alt-ctrl-del.org:
>
> > I find that a lot of spam comes from recently registered, throw away
> > domains. The new domain may be used as the sender, hostname, or name
> > server.
> >
> > Are there any rbl type lists that block fresh domains, for the first
> > 10-15 days of their existence?
>
> I've also been playing with these:
> http://spameatingmonkey.com/lists.html
> The FRESH lists are what you're looking for.




Again, thanks.
The fresh15 list + log monitoring really worked out well. It's been a good
early warning system.

I have placed the fresh15 test after all other tests. A few weeks of
monitoring show that most of the positive hits come from a few specific
networks. The senders from these networks generally have proper fcrdns, and
the helo and "from" domain matches the fcrdns.

Blacklisting mail from these networks has made a significant dent.
Prior to blocking, >1 fresh15 hit per minute.
After blocking: as low as 1 fresh15 hit per 2-3 hours, up to 15 hits per hour.
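
The log monitoring described in the follow-up above, as an added example that is not part of the original thread: it counts fresh15 rejects per client network from Postfix-style reject lines. The zone name `fresh15.spameatingmonkey.net`, the /24 and /48 grouping, the `min_hits` threshold and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumed DNS zone for the "fresh15" list mentioned in the thread.
FRESH_ZONE = "fresh15.spameatingmonkey.net"

# Postfix reject line: client is "from host[ip]:", list is "blocked using <zone>".
REJECT_RE = re.compile(
    r"reject: \w+ from (?P<host>\S+?)\[(?P<ip>[0-9a-fA-F.:]+)\]: .*?"
    r"blocked using (?P<zone>[\w.-]+)"
)

def fresh_hits_by_network(lines, zone=FRESH_ZONE, v4_prefix=24, v6_prefix=48):
    """Count rejects attributed to `zone`, grouped by the client's network."""
    hits = Counter()
    for line in lines:
        m = REJECT_RE.search(line)
        if not m or m.group("zone").lower() != zone:
            continue  # not a reject, or rejected by some other list
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # malformed address in the log line
        prefix = v4_prefix if ip.version == 4 else v6_prefix
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        hits[str(net)] += 1
    return hits

def candidate_networks(hits, min_hits=3):
    """Networks with enough hits to deserve a manual look before blocking."""
    return [(net, n) for net, n in hits.most_common() if n >= min_hits]

# Constructed sample log lines (documentation address ranges, made-up domains).
SAMPLE_LOG = """\
Sep 12 10:00:01 mx postfix/smtpd[1001]: connect from a.new1.example[192.0.2.10]
Sep 12 10:00:02 mx postfix/smtpd[1001]: NOQUEUE: reject: RCPT from a.new1.example[192.0.2.10]: 554 5.7.1 Service unavailable; Sender address [x@new1.example] blocked using fresh15.spameatingmonkey.net; from=<x@new1.example> to=<u@example.org> proto=ESMTP helo=<a.new1.example>
Sep 12 10:00:40 mx postfix/smtpd[1002]: NOQUEUE: reject: RCPT from b.new2.example[192.0.2.11]: 554 5.7.1 Service unavailable; Helo command [b.new2.example] blocked using fresh15.spameatingmonkey.net; from=<y@new2.example> to=<u@example.org> proto=ESMTP helo=<b.new2.example>
Sep 12 10:01:15 mx postfix/smtpd[1003]: NOQUEUE: reject: RCPT from c.new3.example[192.0.2.200]: 554 5.7.1 Service unavailable; Sender address [z@new3.example] blocked using fresh15.spameatingmonkey.net; from=<z@new3.example> to=<u@example.org> proto=ESMTP helo=<c.new3.example>
Sep 12 10:02:30 mx postfix/smtpd[1004]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 Service unavailable; Sender address [q@new4.example] blocked using fresh15.spameatingmonkey.net; from=<q@new4.example> to=<u@example.org> proto=ESMTP helo=<mail.new4.example>
Sep 12 10:03:05 mx postfix/smtpd[1005]: NOQUEUE: reject: RCPT from d.old.example[192.0.2.12]: 554 5.7.1 Service unavailable; Client host [192.0.2.12] blocked using other.dnsbl.example; from=<w@old.example> to=<u@example.org> proto=ESMTP helo=<d.old.example>
Sep 12 10:04:00 mx postfix/smtpd[1006]: NOQUEUE: reject: RCPT from e.new5.example[2001:db8:1:2::5]: 554 5.7.1 Service unavailable; Sender address [v@new5.example] blocked using fresh15.spameatingmonkey.net; from=<v@new5.example> to=<u@example.org> proto=ESMTP helo=<e.new5.example>
""".splitlines()

if __name__ == "__main__":
    for net, n in candidate_networks(fresh_hits_by_network(SAMPLE_LOG)):
        print(f"{net}\t{n} fresh15 hits")
```

Networks that come out of `candidate_networks` are candidates for review, not an automatic block list; the follow-up's own check (fcrdns, helo and "from" domain) still applies before blocking a range.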





Re: blocking brand new domains

2010-08-23 Thread Ralf Hildebrandt
> >http://www.mail-archive.com/us...@spamassassin.apache.org/msg57008.html
> >Dunno if Marc is still active
> >
> 
> Yes, the "hostkarma" lists are active, IMO best used in SA because
> they mix whitelist with blacklist using different return codes.

reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.6

should work for that particular purpose.

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: blocking brand new domains

2010-08-23 Thread pf

Noel Jones wrote:


> I've also been playing with these:
> http://spameatingmonkey.com/lists.html
> The FRESH lists are what you're looking for.



Very nice.
I'm now using their geobl.spameatingmonkey.net, right before I accept a 
delivery. But not for blocking. Just for statistics at this point. 





Re: blocking brand new domains

2010-08-23 Thread Noel Jones

On 8/23/2010 8:48 AM, Ralf Hildebrandt wrote:

> * p...@alt-ctrl-del.org:
>
> > I find that a lot of spam comes from recently registered, throw away
> > domains. The new domain may be used as the sender, hostname, or name
> > server.
> >
> > Are there any rbl type lists that block fresh domains, for the first
> > 10-15 days of their existence?
>
> http://www.mail-archive.com/us...@spamassassin.apache.org/msg57008.html
> Dunno if Marc is still active



Yes, the "hostkarma" lists are active, IMO best used in SA 
because they mix whitelist with blacklist using different 
return codes.  (Might be time to revisit DNS whitelists in 
postfix.)

http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists



I've also been playing with these:
http://spameatingmonkey.com/lists.html
The FRESH lists are what you're looking for.



  -- Noel Jones


Re: blocking brand new domains

2010-08-23 Thread Ralf Hildebrandt
* p...@alt-ctrl-del.org :
> I find that a lot of spam comes from recently registered, throw away
> domains. The new domain may be used as the sender, hostname, or name
> server.
> 
> Are there any rbl type lists that block fresh domains, for the first
> 10-15 days of their existence?

http://www.mail-archive.com/us...@spamassassin.apache.org/msg57008.html
Dunno if Marc is still active




Re: blocking brand new domains

2010-08-23 Thread Ralf Hildebrandt
* p...@alt-ctrl-del.org :
> I find that a lot of spam comes from recently registered, throw away
> domains. The new domain may be used as the sender, hostname, or name
> server.
> 
> Are there any rbl type lists that block fresh domains, for the first
> 10-15 days of their existence?

I'd like to know that as well. There used to be the "day old bread" BL.



blocking brand new domains

2010-08-23 Thread pf
I find that a lot of spam comes from recently registered, throw away 
domains. The new domain may be used as the sender, hostname, or name server.


Are there any rbl type lists that block fresh domains, for the first 10-15 
days of their existence?