Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-10-25 Thread Andrea Venturoli
On 2019-03-01 07:21, Mike Marynowski wrote: For anyone who wants to play around with this, the DNS service has been posted. You can test the existence of a website on a domain or any of its parent domains by making DNS queries as follows: subdomain.domain.com.httpcheck.singulink.com Hello.

Re: Open source (WAS: Spam rule for HTTP/HTTPS request to sender's root domain)

2019-03-21 Thread RW
On Thu, 21 Mar 2019 18:26:15 +0100 Ralph Seichter wrote: > * Mike Marynowski: > > > I was more asking if there is a good reason to build packages > > intended for local installation by email server operators and I > > don't think there really is. > > As a maintainer of several Gentoo Linux

Re: Open source (WAS: Spam rule for HTTP/HTTPS request to sender's root domain)

2019-03-21 Thread Ralph Seichter
* Mike Marynowski: > I was more asking if there is a good reason to build packages intended > for local installation by email server operators and I don't think > there really is. As a maintainer of several Gentoo Linux ebuilds, I agree you should leave packaging to the various Linux

Re: Open source (WAS: Spam rule for HTTP/HTTPS request to sender's root domain)

2019-03-21 Thread Mike Marynowski
Here ya go ;) https://github.com/mikernet/HttpCheckDnsServer On 3/21/2019 5:42 AM, Tom Hendrikx wrote: On 20-03-19 19:56, Mike Marynowski wrote: A couple people asked about me posting the code/service so they could run it on their own systems but I'm currently leaning away from that. I don't

Re: Open source (WAS: Spam rule for HTTP/HTTPS request to sender's root domain)

2019-03-21 Thread Mike Marynowski
Perhaps I should have been clearer - I'm not against posting the code for any reason and I am planning to do that anyway in case anyone wants to look at it or chip in improvements and whatnot. I'm an active contributor on many open source projects and I have fully embraced OSS :) I was more

Open source (WAS: Spam rule for HTTP/HTTPS request to sender's root domain)

2019-03-21 Thread Tom Hendrikx
On 20-03-19 19:56, Mike Marynowski wrote: > > A couple people asked about me posting the code/service so they could > run it on their own systems but I'm currently leaning away from that. I > don't think there is any benefit to doing that instead of just utilizing > the centralized service. The

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-03-20 Thread Mike Marynowski
Continuing to fine-tune this service - thank you to everyone testing it. Some updates were pushed out yesterday:  * Initial new domain "grace period" reduced to 8 minutes (down from 15 mins) - 4 attempts are made within this time to get a valid HTTP response  * Mozilla browser spoofing is

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-03-15 Thread Mike Marynowski
Thank you! I have no idea how I missed that... On 3/13/2019 7:11 PM, RW wrote: On Wed, 13 Mar 2019 17:40:57 -0400 Mike Marynowski wrote: Can someone help me form the correct SOA record in my DNS responses to ensure the NXDOMAIN responses get cached properly? Based on the logs I don't think

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-03-13 Thread RW
On Wed, 13 Mar 2019 17:40:57 -0400 Mike Marynowski wrote: > Can someone help me form the correct SOA record in my DNS responses > to ensure the NXDOMAIN responses get cached properly? Based on the > logs I don't think downstream DNS servers are caching it as requests > for the same valid HTTP

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-03-13 Thread Mike Marynowski
Can someone help me form the correct SOA record in my DNS responses to ensure the NXDOMAIN responses get cached properly? Based on the logs I don't think downstream DNS servers are caching it as requests for the same valid HTTP domains keep hitting the service instead of being cached for 4

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-03-13 Thread Mike Marynowski
Any HTTP status code 400 or higher is treated as no valid website on the domain. I see a considerable amount of spam that returns 5xx codes so at this point I don't plan on changing that behavior. 503 is supposed to indicate a temporary condition so this seems like an abuse of the error code.

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-03-13 Thread Jari Fredriksson
> Antony Stone wrote on 13.3.2019 at 20.36: > > On Wednesday 13 March 2019 at 19:21:47, Jari Fredriksson wrote: > >> What would it result for this: >> >> I have a couple domains that do not have any services for the root domain >> name. However, the server the A points do have a web

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-03-13 Thread Antony Stone
On Wednesday 13 March 2019 at 19:21:47, Jari Fredriksson wrote: > What would it result for this: > > I have a couple domains that do not have any services for the root domain > name. However, the server the A points do have a web server that acts as > a reverse proxy for many subdomains that

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-03-13 Thread Jari Fredriksson
What would it result for this: I have a couple domains that do not have any services for the root domain name. However, the server the A points do have a web server that acts as a reverse proxy for many subdomains that will be served a web page. A http 503 is returned by the pound reverse for

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-03-13 Thread Dominic Raferd
On Wed, 13 Mar 2019 at 13:04, RW wrote: > > On Wed, 13 Mar 2019 10:53:06 + > Dominic Raferd wrote: > > > On Wed, 13 Mar 2019 at 10:33, Mike Marynowski > > wrote: > > > > > > > For those of us who are not SA experts can you give an example of how > > to use your helpful new lookup facility

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-03-13 Thread RW
On Wed, 13 Mar 2019 10:53:06 + Dominic Raferd wrote: > On Wed, 13 Mar 2019 at 10:33, Mike Marynowski > wrote: > > > > For those of us who are not SA experts can you give an example of how > to use your helpful new lookup facility (i.e. lines to add in > local.cf)? Thanks askdns

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-03-13 Thread Dominic Raferd
On Wed, 13 Mar 2019 at 10:33, Mike Marynowski wrote: > For those of us who are not SA experts can you give an example of how to use your helpful new lookup facility (i.e. lines to add in local.cf)? Thanks

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-03-13 Thread Mike Marynowski
Back up after some extensive modifications. Setting the DNS request timeout to 30 seconds is no longer necessary - the service instantly responds to queries. In order to prevent mail delivery issues if the website is having technical issues the first time a domain is seen by the service, it

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-03-11 Thread RW
On Fri, 1 Mar 2019 01:21:40 -0500 Mike Marynowski wrote: > For anyone who wants to play around with this, the DNS service has > been posted. You can test the existence of a website on a domain or > any of its parent domains by making DNS queries as follows: > >

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-03-02 Thread John Schmerold
Mike: If you want a tester, I am happy to join the effort, I see little harm in assigning 0.75 to the results. There are quite a few email only domains we end up whitelist_auth'ing them and all is well. John Schmerold Katy Computer Systems, Inc https://katycomputer.com St Louis On 2/28/2019

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-03-02 Thread RW
On Fri, 01 Mar 2019 22:09:01 + Rupert Gallagher wrote: > Case study: > > example.com bans any e-mail sent from its third levels up, and does > it by spf. > > spf-banned.example.com sent mail, and my SA at server.com adds a big > fat penalty, high enough to bounce it. example.com has a TXT

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-03-01 Thread Rupert Gallagher
On Fri, Mar 1, 2019 at 23:14, Mike Marynowski wrote: >> Does SpamAssassin even have facilities to do that? > Yes, if spf runs at priority 1, you can define your test at priority 2, so SA > executes them in the given order. >> Don't all rules run all the time? > They run when relevant, in the

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-03-01 Thread Rupert Gallagher
The focus was on the To header for mailing lists, complaints on MUAs and people's choices. If you do not want to appear in the To header of a list, you are exercising a legal right under the GDPR. So, to cut through all those problems and enforce a sound solution, I suggest list majordomos do

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-03-01 Thread Mike Marynowski
Does SpamAssassin even have facilities to do that? Don't all rules run all the time? SpamAssassin still needs to run all the rules because MTAs might have different spam mark / spam delete /etc thresholds than the one set in SA. The number of cycles you're talking about is the same as an RBL

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-03-01 Thread Rupert Gallagher
Case study: example.com bans any e-mail sent from its third levels up, and does it by spf. spf-banned.example.com sent mail, and my SA at server.com adds a big fat penalty, high enough to bounce it. Suppose I do not bounce it, and use your filter to check for its websites. It turns out that

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-03-01 Thread Mike Marynowski
On 3/1/2019 4:31 PM, Grant Taylor wrote: afraid.org is much like DynDNS in that one entity (afaid.org themselves or DynDNS) provide DNS services for other entities. I don't see a good way to differentiate between the sets of entities. I haven't come across any notable amount of spam that's

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-03-01 Thread Grant Taylor
On 03/01/2019 01:25 AM, Rupert Gallagher wrote: A future-proof list that complies with GDPR would automatically rewrite the To header, leaving the list address only. Doesn't GDPR also include things like signatures? Thus if the mailing list is only modifying the email metadata and not the

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-03-01 Thread Grant Taylor
On 02/28/2019 09:39 PM, Mike Marynowski wrote: I modified it so it checks the root domain and all subdomains up to the email domain. :-) As for your question - if afraid.org has a website then you are correct, all subdomains of afraid.org will not flag this rule, but if lots of afraid.org

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-03-01 Thread Mike Marynowski
On 3/1/2019 1:07 PM, RW wrote: Sure, but had it turned-out that most of these domains didn't have the A record necessary for your HTTP test, it wouldn't have been worth doing anything more complicated. I've noticed a lot of the spam domains appear to point to actual web servers but throw 403

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-03-01 Thread Mike Marynowski
Sorry, I meant I thought it was doing those checks because I know I was playing with checking A records before and figured the rules would have it enabled by default...I tried to find the rules after I sent that message and realized that was related to sender domain A record checks done in my

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-03-01 Thread Antony Stone
On Friday 01 March 2019 at 17:37:18, Mike Marynowski wrote: > Quick sampling of 10 emails: 8 of them have valid A records on the email > domain. I presumed SpamAssassin was already doing simple checks like that. That doesn't sound like a good idea to me (presuming, I mean). Antony. -- "The

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-03-01 Thread RW
On Fri, 1 Mar 2019 11:37:18 -0500 Mike Marynowski wrote: > Looking for an A record on what - just the email address domain or > the chain of parent domains as well? If the latter, well a lack of A > record will cause this to fail so it's kind of embedded in. Sure, but had it turned-out that most

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-03-01 Thread Mike Marynowski
Looking for an A record on what - just the email address domain or the chain of parent domains as well? If the latter, well a lack of A record will cause this to fail so it's kind of embedded in. Quick sampling of 10 emails: 8 of them have valid A records on the email domain. I presumed

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-03-01 Thread RW
On Wed, 27 Feb 2019 12:16:20 -0500 Mike Marynowski wrote: > Almost all of the spam emails that are > coming through do not have a working website at the root domain of > the sender. Did you establish what fraction of this spam could be caught just by looking for an A record?

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-03-01 Thread Mike Marynowski
Changing up the algorithm a bit. Once a domain has been added to the cache, the DNS service will perform HTTP checks in the background automatically on a much more aggressive schedule for invalid domains so that temporary website problems are much less of an issue and invalid domains don't

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-03-01 Thread Rupert Gallagher
A future-proof list that complies with GDPR would automatically rewrite the To header, leaving the list address only. Any other recipient will still receive it from the original sender. On Thu, Feb 28, 2019 at 20:29, Mike Marynowski wrote: > Unfortunately I don't see a reply-to header on your

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-02-28 Thread Mike Marynowski
For anyone who wants to play around with this, the DNS service has been posted. You can test the existence of a website on a domain or any of its parent domains by making DNS queries as follows: subdomain.domain.com.httpcheck.singulink.com So, if you wanted to check if mail1.mx.google.com or

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-02-28 Thread Mike Marynowski
You'll be able to decide how you want to prioritize the fields - I've implemented it as a DNS server, so which domain you decide to send to the DNS server is entirely up to you. On 2/28/2019 10:23 PM, Grant Taylor wrote: On 2/28/19 9:33 AM, Mike Marynowski wrote: I'm doing grabs the first

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-02-28 Thread Mike Marynowski
I modified it so it checks the root domain and all subdomains up to the email domain. As for your question - if afraid.org has a website then you are correct, all subdomains of afraid.org will not flag this rule, but if lots of afraid.org subdomains are sending spam then I imagine other spam

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-02-28 Thread Grant Taylor
On 2/28/19 1:24 PM, Luis E. Muñoz wrote: I suggest you look at the Mozilla Public Suffix List at https://publicsuffix.org/ — it was created for different purposes, but I believe it maps well enough to my understanding of your use case. You'll be able to pad the gaps using a custom list. +1

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-02-28 Thread Grant Taylor
On 2/28/19 12:33 PM, Mike Marynowski wrote: This method checks the *root* domain, not the subdomain. What about domains that have many client subdomains? afraid.org (et al) come to mind. You might end up allowing email from spammer.afraid.org who doesn't have a website because the parent

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-02-28 Thread Grant Taylor
On 2/28/19 9:33 AM, Mike Marynowski wrote: I'm doing grabs the first available address in this order: reply-to, from, sender. That sounds like it might be possible to game things by playing with the order. I'm not sure what sorts of validations are applied to the Sender: header. (I don't

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-02-28 Thread Bill Cole
but for the record I don't see any reply-to headers. But it's right there in the copy that the list delivered to me: From: "Bill Cole" To: users@spamassassin.apache.org Subject: Re: Spam rule for HTTP/HTTPS request to sender's root domain Date: Thu, 28 Feb 2019 14:21:41

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-02-28 Thread Mike Marynowski
I'm pretty sure the way I ended up implementing it everything is working fine and it's nice and simple and clean but maybe there's some edge case that doesn't work properly. If there is I haven't found it yet, so if you can think of one let me know. Since I'm sending an HTTP request to all

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-02-28 Thread Mike Marynowski
To: users@spamassassin.apache.org Subject: Re: Spam rule for HTTP/HTTPS request to sender's root domain Date: Thu, 28 Feb 2019 14:21:41 -0500 Reply-To: users@spamassassin.apache.org Whether you see it is a function of how your MUA (TBird, it seems... ) displays messages. Unfortunate

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-02-28 Thread Bill Cole
On 28 Feb 2019, at 14:39, Antony Stone wrote: > On Thursday 28 February 2019 at 20:33:42, Mike Marynowski wrote: > >> But scconsult.com does in fact have a website so I'm not sure what you >> mean. This method checks the *root* domain, not the subdomain. > > How do you identify the root domain,

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-02-28 Thread Bill Cole
On 28 Feb 2019, at 14:33, Mike Marynowski wrote: But scconsult.com does in fact have a website so I'm not sure what you mean. This method checks the *root* domain, not the subdomain. Ah, I see. I had missed that detail. That's likely to have fewer issues, as long as you get the registry

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-02-28 Thread Bill Cole
that the list delivered to me: From: "Bill Cole" To: users@spamassassin.apache.org Subject: Re: Spam rule for HTTP/HTTPS request to sender's root domain Date: Thu, 28 Feb 2019 14:21:41 -0500 Reply-To: users@spamassassin.apache.org Whether you see

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-02-28 Thread Luis E. Muñoz
On 28 Feb 2019, at 11:53, Mike Marynowski wrote: There are many ways to determine what the root domain is. One way is analyzing the DNS response from the query to realize it's actually a root domain, or you can just grab the ICANN TLD list and use that to make a determination. What I'm

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-02-28 Thread Mike Marynowski
There are many ways to determine what the root domain is. One way is analyzing the DNS response from the query to realize it's actually a root domain, or you can just grab the ICANN TLD list and use that to make a determination. What I'm probably going to do now that I'm building this as a

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-02-28 Thread Antony Stone
On Thursday 28 February 2019 at 20:33:42, Mike Marynowski wrote: > But scconsult.com does in fact have a website so I'm not sure what you > mean. This method checks the *root* domain, not the subdomain. How do you identify the root domain, given an email address? For example, for many years in

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-02-28 Thread Mike Marynowski
But scconsult.com does in fact have a website so I'm not sure what you mean. This method checks the *root* domain, not the subdomain. Even if this wasn't the case well, it is what it is. Emails from this mailing list (and most well configured lists) come in at a spam score of -6, so they are

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-02-28 Thread Antony Stone
On Thursday 28 February 2019 at 20:25:36, Bill Cole wrote: > On 28 Feb 2019, at 13:43, Mike Marynowski wrote: > > On 2/28/2019 12:41 PM, Bill Cole wrote: > >> You should probably put the envelope sender (i.e. the SA > >> "EnvelopeFrom" pseudo-header) into that list, maybe even first. That > >>

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-02-28 Thread Mike Marynowski
Unfortunately I don't see a reply-to header on your messages. What do you have it set to? I thought mailing lists see who is in the "to" section of a reply so that 2 copies aren't sent out. The "mailing list ethics" guide I read said to always use "reply all" and the mailing list system takes

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-02-28 Thread Bill Cole
On 28 Feb 2019, at 13:43, Mike Marynowski wrote: On 2/28/2019 12:41 PM, Bill Cole wrote: You should probably put the envelope sender (i.e. the SA "EnvelopeFrom" pseudo-header) into that list, maybe even first. That will make many messages sent via discussion mailing lists (such as this one)

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-02-28 Thread Bill Cole
Please respect my consciously set Reply-To header. I don't ever need 2 copies of a message posted to a mailing list, and ignoring that header is rude. On 28 Feb 2019, at 13:28, Mike Marynowski wrote: On 2/28/2019 12:41 PM, Bill Cole wrote: You should probably put the envelope sender (i.e.

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-02-28 Thread Mike Marynowski
On 2/28/2019 12:41 PM, Bill Cole wrote: You should probably put the envelope sender (i.e. the SA "EnvelopeFrom" pseudo-header) into that list, maybe even first. That will make many messages sent via discussion mailing lists (such as this one) pass your test where a test of real header domains

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-02-28 Thread Mike Marynowski
On 2/28/2019 12:41 PM, Bill Cole wrote: You should probably put the envelope sender (i.e. the SA "EnvelopeFrom" pseudo-header) into that list, maybe even first. That will make many messages sent via discussion mailing lists (such as this one) pass your test where a test of real header domains

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-02-28 Thread Benny Pedersen
Ralph Seichter wrote on 2019-02-28 18:53: By the way, are you aware of https://www.dnswl.org ? https://www.mywot.com https://www.trustpilot.com

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-02-28 Thread Ralph Seichter
* Mike Marynowski: > Question though - what is your reply-to address set to in the emails > coming from your email-only domain? We very rarely inject Reply-To, because this might interfere with what the original sender intended. -Ralph

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-02-28 Thread Ralph Seichter
* Mike Marynowski: > You know what I mean. That's quite an assumption to make, in a mailing list. ;-) > I could just not publish this and keep it for myself and I'm sure that > would make it more effective long term for me, but I figured I would > contribute it so that others can gain some

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-02-28 Thread Ralph Seichter
* David Jones: > I would like to see an Open Mail Reputation System setup by a working > group of big companies so it would have some weight behind it. Running a smaller business, I have no interest whatsoever in a "group of big companies" having any say in our mail reputation, as you can surely

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-02-28 Thread Bill Cole
On 28 Feb 2019, at 11:33, Mike Marynowski wrote: Question though - what is your reply-to address set to in the emails coming from your email-only domain? I can't answer for Ralph, but in my case I use a mail-only domain in From for most of my personal mail, and while I usually set Reply-To

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-02-28 Thread David Jones
On 2/28/19 10:50 AM, Ralph Seichter wrote: > * Mike Marynowski: > >> And the cat and mouse game continues :) > > It sure does, and that's what sticks in my craw here: For a pro spammer, > it is easy to set up websites in an automated fashion. If I was such a > naughty person, I'd just add one

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-02-28 Thread Mike Marynowski
You know what I mean. *Many (not all) of the rules (rDNS verification, hostname check, SPF records, etc) are easy to circumvent but we still check all that. Those simple checks still manage to catch a surprising amount of spam. I could just not publish this and keep it for myself and I'm sure

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-02-28 Thread Ralph Seichter
* Mike Marynowski: > Everything we test for is easily compromised on its own. That's quite a sweeping statement, and I disagree. IP-based real time blacklists, anyone? Also, "we" is too unspecific. In addition to the stock rules, I happen to maintain a set of custom tests which are neither

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-02-28 Thread Mike Marynowski
Why even use a test for something that is so easily compromised? -Ralph Everything we test for is easily compromised on its own.

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-02-28 Thread Ralph Seichter
* Mike Marynowski: > And the cat and mouse game continues :) It sure does, and that's what sticks in my craw here: For a pro spammer, it is easy to set up websites in an automated fashion. If I was such a naughty person, I'd just add one tiny service that answers "all is well" for every incoming

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-02-28 Thread Mike Marynowski
And the cat and mouse game continues :) That said, all the big obvious "email-only domains" that send out newsletters and notifications and such that I've come across in my sampling already have placeholder websites or redirects to their main websites configured. I'm sure that's not always

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-02-28 Thread Ralph Seichter
* Antony Stone: > Each to their own. Of course. Alas, if this gets widely adopted, we'll probably have to set up placeholder websites (as will spammers, I'm sure). -Ralph

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-02-28 Thread Mike Marynowski
I would not do it at all, caching or no caching. Personally, I don't see a benefit trying to correlate email with a website, as mentioned before, based on how we utilise email-only-domains. -Ralph Fair enough. Based on the sampling I've done and the way I intend to use this, I still see

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-02-28 Thread Mike Marynowski
Question though - what is your reply-to address set to in the emails coming from your email-only domain? The domain checking I'm doing grabs the first available address in this order: reply-to, from, sender. It's not using the domain of the SMTP server. I did come across some email-only

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-02-28 Thread Antony Stone
On Thursday 28 February 2019 at 17:14:04, Ralph Seichter wrote: > * Grant Taylor: > > Why would you do it per email? I would think that you would do the > > test and cache the results for some amount of time. > > I would not do it at all, caching or no caching. Personally, I don't see > a

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-02-28 Thread Ralph Seichter
* Grant Taylor: > Why would you do it per email? I would think that you would do the > test and cache the results for some amount of time. I would not do it at all, caching or no caching. Personally, I don't see a benefit trying to correlate email with a website, as mentioned before, based on

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-02-28 Thread Andrea Venturoli
On 2/28/19 3:40 PM, Mike Marynowski wrote: Right now the test plugin I've built makes a single HTTP request for each email while I evaluate this but I'll be building a DNS query endpoint or a local domain cache to make it more efficient before putting it into production. Please keep us

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-02-28 Thread Mike Marynowski
Just one more note - I've excluded .email domains from the check as I've noticed several organizations using that as email only domains. Right now the test plugin I've built makes a single HTTP request for each email while I evaluate this but I'll be building a DNS query endpoint or a local

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-02-28 Thread Mike Marynowski
I've tested this with good results and I'm actually not creating any HTTPS connections - what I've found is a single HTTP request with zero redirections is enough. If it returns a status code >= 400 then you treat it like no valid website, and if you get a < 400 result (i.e. a 301/302 redirect

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-02-27 Thread Grant Taylor
On 02/27/2019 03:25 PM, Ralph Seichter wrote: We use some of our domains specifically for email, with no associated website. I agree that /requiring/ a website at one of the parent domains (stopping before traversing into the Public Suffix List) is problematic and prone to false positives.

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-02-27 Thread Ralph Seichter
* Mike Marynowski: > Of the 100 last legitimate email domains that have sent me mail, 100% > of them have working websites at the root domain. We use some of our domains specifically for email, with no associated website. Besides, I think the overhead to establish a HTTPS connection for every

Spam rule for HTTP/HTTPS request to sender's root domain

2019-02-27 Thread Mike Marynowski
Hi everyone, I haven't been able to find any existing spam rules or checks that do this, but from my analysis of ham/spam I'm getting I think this would be a really great addition. Almost all of the spam emails that are coming through do not have a working website at the root domain of the