but think that SOME reading this thread haven't even
tried/implemented even all the zero-cost options for the (already
matured) lists I mentioned (where applicable)?
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
listings!!)
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
be a problem. But I
strongly don't think that is the case here.
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
that their
zones are not yet populated. So I guess they are not yet operational
yet? (or maybe the site message is out of date?)
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
integrated into SA.
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
to cast a wider net and catch more of those URIs that have eluded
many (and sometimes all!) blacklists!
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
On 4/10/2012 3:16 PM, Axb wrote:
On 04/10/2012 08:07 PM, Rob McEwen wrote:
(b) If anyone programs this idea into SA, or anywhere else, then
this should be a separate step AFTER regular URI checking, giving
the message a chance to short circuit out of processing
On 4/10/2012 6:29 PM, RW wrote:
On Tue, 10 Apr 2012 17:58:51 -0400
Rob McEwen wrote:
Meanwhile, the snowshoe spammer's DNS server happens to be messed up,
overloaded, and returns answers within about 4 seconds.
But unless I'm misunderstanding, the NS lookups would be done on the
TLDs
.
But, of course, your question is still valid! Having rules in place in SA
to deal with this kind of attempt at getting around bayes-filtering is a
good idea!
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
with those
senders. Between these two things, I get probably 90% of the benefits of
greylisting, with only 10% of the problems from greylisting.
Hope this helps!
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
, or am missing something here...
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
,
but the IP is caught from a previous spam campaign. But if you're not
using all the best DNSBLs, you miss out on some of this!
MORE: And, btw, really good /24 blacklists do _preemptively_ block much
snowshoe spam, from the very 1st spam sent!
--
Rob McEwen
http://dnsbl.invaluement.com/
r
low FPs since RBLs with moderate-to-high FPs are either worthless, or
can't be depended upon except for very low scoring... and that makes
their unique hits not nearly as valuable as such hits are on a
dependable low FP list).
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478
,
64-bit software!)
I had thought that, at some point in the past, I was told that only
freely available DNSBLs would be included in such testing? But if I'm
wrong or that has since changed, I'd welcome the opportunity to participate.
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
... the expectations for an anti-spam blacklist's
consistency and quality can be extremely high--But I'm not
complaining... just making an observation!)
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
and switches, and would really
like something with a similar graph.
I've been very pleased with www.websitepulse.com
They do a round trip smtp-send/pop-retrieval. I get text messaged if
this ever fails. I also used use them for http-checking my webmail.
--
Rob McEwen
http://dnsbl.invaluement.com/
r
Brennan when he
stated that he could use this for scoring instead of blocking... for
those redirectors which are heavily abused but have legit uses as well.
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
it to the inbox INCREASED
substantially!!! Something would then be VERY wrong with our measurements
of success!
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
On 1/4/2011 11:14 AM, David F. Skoll wrote:
On Tue, 04 Jan 2011 11:01:52 -0500
Rob McEwen r...@invaluement.com wrote
I've thought this through and... best case scenario is that spammers
then get 5+ years of play time because it will take at least that time
for those other techniques to catch
realistic, the status quo is already not
realistic, even with the good ideas that you proposed, which did improve
on these problems in _some_ aspects.
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
IPs.
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
(and set
spam filtering years back) in the meantime.
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
John Levine said:
Rob McEwen said:
To be extra clear, the kind of sender's list I was talking about
wouldn't be the same as a yellowlist because it would ALL types of IPs
(black, white, yellow). Except everyone... including spammers... would
have to jump through some hoops to get a single IP
sender's dream and a
DNSBL's nightmare. My proposed solution is the opposite.
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
. No need to give me any credit. I doubt that I'm the
first to think of these things anyways!
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
IPs (one-ip-per-spam)
...with that IP never to be heard from again)? (and with little or zero
collateral damage?)
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
$$/message.
Otherwise, you'd have to convince the CEO of Comcast to increase their
IT budget by 100x... and that would cut into profits... and he'd be
fired by the board for that. (to give just one example)
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
into this master IPv6 sender's list (as a means to
keep the volume further under control.)
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
On 12/30/2010 2:28 PM, David F. Skoll wrote:
I in no way implied that we should abandon
IP address lookups in favour of only content-scanning
Thanks for the clarification!
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
as absolute standards for IPv6... I
haven't kept up with all the RFC for IPv6!)
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
, and without missiles.. and just depend on the foot
soldiers and tanks to do *all* the work. But is that wise? Does that
happen without a steep price?
We have a chance to impose some strict standards for mail sending on
IPv6 that will lessen these problems. Why wait until it's too late?
--
Rob
the
original poster's intention of using this on the envelope from
minimizes that problem?)
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
. (referring to legitimate situations here, not spam)
But the sending server couldn't possibly be sending from an IP that
the mail admin could have anticipated when setting up the SPF record.
...I'm sure there are others I haven't thought about!
--
Rob McEwen
http://dnsbl.invaluement.com/
r
really mean a Joe Job--where
a spammer is forging your users' e-mail addresses as the from address
in their spams, correct? If yes, a strict SPF record can get the spammer
to back off and go elsewhere. If something else, this might not help you?
--
Rob McEwen
http://dnsbl.invaluement.com/
r
is your friend. Otherwise, it is more trouble than
it's worth, imo.
Because many feel this way, I suspect that this may be the reason why
the latest and greatest SPF support probably wasn't a huge priority for SA?
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
DNSBLs that this mail system uses are
not going to show up on that list at all, even if very good blacklists,
like Zen--due to those DNSBLs already being used for outright blocking
on that mail server where these spams were missed. That is the reason
some lists are missing or under-represented.
--
Rob
I think the problem is the following rule in sought:
body __SEEK_2TRLES /Facebook, Inc\. P\.O\. Box 10005, Palo Alto, CA 94303/
which is currently hitting on many (or maybe even all ALL?) legitimate
facebook notifications (along with the ones generated by spammers)
--
Rob McEwen
http
Benny Pedersen wrote:
On fre 20 aug 2010 19:42:04 CEST, Rob McEwen wrote
body __SEEK_2TRLES /Facebook, Inc\. P\.O\. Box 10005, Palo Alto, CA
94303/
which is currently hitting on many (or maybe even all ALL?) legitimate
facebook notifications (along with the ones generated by spammers)
dkim
DNSBLs come up as well that might
help you (at no cost!), too!
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
include spams sent to non-existent users (i.e. dictionary
attack spams)?
(2) Was pre-filtering done, such as collecting stats only on messages
which made it past zen.spamhaus.org (etc.)? Or was there no pre-filtering?
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475
fare VERY well either
way--so don't think I'm saying or implying ANYTHING bad about URIBL! (or
anything bad about ANY other list)
(fwiw)
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
whether these were FPs, or
would-have-missed-without-the-new-rule spams (aka corrected FNs).
If anyone ever develops such a plugin before I have time to, PLEASE let
me know!
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
jdow wrote:
his response personal spam to this account has increased sharply
Uuh, what does that mean, exactly?
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
that are
obviously from Richard (including alter-ego ones)? Or some kind of UBE
campaign that you think he is behind? (if so, please describe)
Still confused.
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
forces one from earlier today was a classic) --AND-- last but not
least--I will miss his willingness to break through the political
correctness and bring up various points that few others were willing (or
brave enough?) to point out.
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1
it is
happening, I think the anti-spam community SHOULD ask questions!
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
of confidence from someone I
greatly trust, I'd still have lingering and suspicious questions. (or
maybe not since I'm starting to fatigue on this subject.)
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
, instead of insults, if anyone has a gripe with them, please just
point out SPECIFIC examples. Over time, if you find many egregious ones,
that will speak for itself. Otherwise, I'd prefer to not be bothered
with this.
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475
% involves large and famous companies (like ATT recent
use of [withheld]'s ESP services)
And there are other examples which are much harder to call.
But I think this well explains the overlap between URIBL-black and
HostKarma's domain whitelist.
--
Rob McEwen
http://dnsbl.invaluement.com/
r
this problem for many people.
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
ask michael scheidell... he has a list for you that is 100% effective...
yeah, like that same joke that grandpa keeps telling over and over.. the
first time it was a little bit funny... but now it is annoying,
particularly the way he is the only one in the room laughing each time.
--
Rob
the whitelist overall, but find it leads to too
many FNs.
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
ip4set, fwiw
Again, not saying these problems can't be solved, only pointing them out
so that anyone who cares to try can know what they need to do, or need
to expect.
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
URI ratings engine to rate potential
candidates for whitelisting--this would separate most of the wheat from
the chaff with little effort--just as long as the entries submitted were
kept to a reasonably low volume.
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
bitmasks.
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
includes some excellent graphs.
Read about it here:
http://taint.org/2008/02/29/155648a.html
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
?
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
other techniques--and assuming FPs are equal--then and only then do
particular filtering methods make a particular DNSBL obsolete.
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
their own e-mail
address. This then becomes a free trip to the inbox when the spammer puts
that address in the FROM header..
If you want to make sure you don't block your own users outgoing mail,
use SMTP password authentication instead. Don't rely on an easily forged
FROM e-mail address.
--
Rob McEwen
.
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
secured our freedom and liberty... in comparison to what
the average American today is (unfortunately) brainwashed to believe by
their Government-run schools and Universities.
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
not work.
http://postmaster.comcast.net/
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
and
the author should be praised... but anyone trying to use the botnet
plugin as the end all replacement for DNSBLs, or the bridge all gaps
from their existing DNSBLs' shortcomings... should be aware of these
limitations I mentioned.
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478
RCVD_IN_PBL. But even extreme fewer legit emails
will have hits on BOTH of these. So I'd suggest scoring the combination
of the two either just above threshold, or (at the least...) just below
threshold.
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
trying to
give back to the community and help those poor innocent system admins
from getting unfairly blacklisted in the future, right?/sarcasm
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
, that everyone
(or the SA powers that be) is OK with BRBL/emailreg.org business
practices... that is one thing. But to sweep this under the rug is
another very very sad and possibly unethical thing.
BTW, Neil, may I remind you...
red herring
--
Rob McEwen
http://dnsbl.invaluement.com/
r
to the fact that a domain *requires* ownership. URLs and subdomains
are more ambiguous, which then also makes removal requests an extremely
subjective and murky process.
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
causing FPs.
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
is a typical time between the 419 spammer's last
spotted use of the e-mail, and appearance in that list?
(I don't need exactly precise answers which spammers might use to 'game'
the system... just basic estimates will do)
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
... if done right and if FPs are kept
to a minimum. I'd been planning on starting such a list for quite some
time, but it kept getting delayed by more urgent needs.
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
the emailreg.org web site
being hosted in Barracuda address space.
AND EXCEPT TO ASK: Is that $20 fee a one-time fee? Or a yearly fee? Or,
does it have any kind of expiration date?
Beyond this statement and question, I'll leave it to others to do their
own research and draw their own conclusions.
--
Rob
Matus UHLAR - fantomas wrote:
our customer reported being listed in SpamRats blacklist.
What was that IP?
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
DNSBLs use different
techniques and, therefore, no one DNSBL can do even close to everything.
However, it is true that *most* DNSBLs which claim to be
low-FP lists (and which block much spam missed by SpamHaus) have more
FPs than Zen--to varying degrees.
--
Rob McEwen
http://dnsbl.invaluement.com/
r
year.
(if I seem upset about this... read between the lines... and you might
understand why)
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
is for OpenDNS to simply cut these queries
off in house before they even have a chance of hitting URIBL, thus
saving them and URIBL some CPU cycles and bandwidth (I'd bet that this
is already happening)
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
by spammers, won't possibly convey good
reputation onto a spammer's web page, and will still be easily
accessible to those using it for legit purposes.
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
Chip M. wrote:
This snowshoe stuff has been a PITA for a while.
SNIP
*** Rob McEwen: ***
Would you be willing to provide your /24 list, for even a short period,
in some sort of plain text format (maybe one CIDR per line?), so those
of us with good hand-classified corpi could try out your
Chip M. wrote:
*** Rob McEwen: ***
Would you be willing to provide your /24 list, for even a short period,
in some sort of plain text format (maybe one CIDR per line?), so those
of us with good hand-classified corpi could try out your data?
Most of my users are in a shared hosting
was sent because the person who
started this thread didn't include full headers. So it is unclear if the
message hit this guy's server before these two URI blacklists listed
that domain? or after? (I'm guessing after?)
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475
a bit more powerful and vb, and
has been used quite successfully to port ClamAV, btw.
I currently use an older port as a helper app to my own spam
filtering--but I had to revert to an even older version due to
memory/cpu issues with the most recent win32 build.
--
Rob McEwen
http
the DDOS, on each of their own networks, and
they simply shut those IPs down at the access point.)
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
used as a scoring list instead of a blocking list.
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
---BeginMessage---
Bret Miller wrote:
Enews.webbuyersguide.com (part of Ziff-Davis Media), sent from IP
204.92.135.90, resolves to smtp22
Rob McEwen wrote:
And I think it is
probably better used as a scoring list instead of a blocking list.
oops. I meant probably better scored below threshold, since, of
course, BotNet isn't a list.
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
, given that situation, back off of
his scoring of DNSBLs and rely more on content filtering in comparison
to those whose e-mail is mostly US/Europe-based.
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
. Still, I
think that URIBL-RED is worthy of use, even if scored a tiny bit below
URIBL-BLACK.
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
.
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
on
this.
(I know 2.5 is a *really* low required score)
steadyrelationships DOT com is currently blacklisted on ivmURI
It was added to ivmURI at 12/16/2008, 6:31:03 PM EST
(I think that time is before that spam arrived at your server, but
double-check me on that)
--
Rob McEwen
http
I need a contact for both openrbl.org and robtex.com
Please e-mail me (off-list!) if you have a contact for the operators of
either service, or if you are the operator of either service.
Thanks!
--
Rob McEwen
http://dnsbl.invaluement.com/
[EMAIL PROTECTED]
+1 (478) 475-9032
with URIBL for this would have easily put that
message over the top for you.
SHORT ANSWER: Start using uribl.com's URI blacklist
--
Rob McEwen
http://dnsbl.invaluement.com/
[EMAIL PROTECTED]
+1 (478) 475-9032
to see how many of these are FNs and
how many of these are FPs.
I'm thinking that, if SA can delete and re-write the source file with a
new header, it seems like it could also copy the message to a different
folder, under certain conditions?
Thanks!
--
Rob McEwen
http://dnsbl.invaluement.com
posted on anti-spam lists like SA,
but I don't recall anyone ever making that distinction.
--
Rob McEwen
http://dnsbl.invaluement.com/
[EMAIL PROTECTED]
+1 (478) 475-9032
John Hardin wrote:
On Tue, 23 Sep 2008, Rob McEwen wrote:
Or, these could be False-False Positives... which is a very good
thing because that would mean that those were really spams that would
have scored below threshold without use of the new list. (or, some
mix of these two)
So
in my own spam filtering in such a manner.
--
Rob McEwen
http://dnsbl.invaluement.com/
[EMAIL PROTECTED]
+1 (478) 475-9032
that spelling it out this way might be
helpful for some.
--
Rob McEwen
http://dnsbl.invaluement.com/
[EMAIL PROTECTED]
+1 (478) 475-9032
. Otherwise, you will probably have a significant
amount of FPs.
Hope this helps!
--
Rob McEwen
http://dnsbl.invaluement.com/
[EMAIL PROTECTED]
+1 (478) 475-9032
can often help reduce CPU.
Using static .html documents instead of painful .php scripts will
practically eliminate CPU usage.
**
Maybe that has something to do with the problem?
--
Rob McEwen
http://dnsbl.invaluement.com/
Could you give an example? Are these newly registered top level domains
spotted in the body of the spams?
Rob McEwen
Mailing Lists wrote:
I'm getting dozens of emails daily from a few different spammers. The emails
consistently are graphic based, but the graphics are html img refs
/08/15/004348a.html
Rob McEwen
, when you said, too many false positives, are you referring
to FPs from *before* that transformation of SpamCop? Or, are these
*recent* FPs, spotted after that transformation?
(Also, I'm not trying to argue... just trying to learn... and seeking
clarity!)
Rob McEwen