About seafire

  1. seafire

    Monitor/Track Spamvertised Web Sites?

    I am afraid that unless you become more pro-active about preventing abuse on your "free service" there is nothing you can do. In fact, if you don't take such action, your site will eventually become listed all over the net. In this day and age, you can't give the public unfettered access without getting into some serious trouble. I am not only talking about "spamvertized" listing, I am talking about serious legal difficulties. If some child pornographer were to put up a smut site, you could very well go to prison. YOU need to take control of your system. That's the ONLY solution. Seafire
  2. seafire

    False listings with SORBS DUHL

    That's BS unless it is double opt-in, i.e. you have an email from the specific recipient. Clicking on a web link does NOT OPT-IN make. Really? Then simply change the "static" in your IN-ADDR.ARPA to something useful. Then why do you have a "static" something in the reverse listing? BAD! Make it "customer.customer-domain.com" and you will have less trouble. There is no such thing as direct-to-MX 'Software'. Sendmail, Postfix..... all can use a relay or direct. It is not a function of the software, it's a function of how you set it up. The "static" will likely have the opposite effect. Lose it. Simply wrong! Wrong again! End of FREE advice. If you want to be set up "correctly", send me a private email, and I would be glad to educate you. My rates are $125.00/Hr. Seafire
  3. seafire

    False listings with SORBS DUHL

    I find it more than "suspicious". I for one do not wish to receive any email from any "marketers". You are not understanding the fundamental reason for a DUHL. Yes, it is labeled as a "Dynamic" listing. More accurately, it is a list of IPs which are blocked from sending "Direct-To-MX". Direct to MX means the end-user is sending email directly to recipients instead of using their ISP's SMTP server. It is my experience that ALL such email is spam; and so I block access to all port 25 connections whose RDNS has the words 'static', 'dynamic', ...... or ANY generic words. When RDNS contains such terms, it always means the mail server attempting connection is an "End-User" and not a legitimate mail server. ALL legitimate mail servers have control over their RDNS listing; either directly, or via their ISP. So, if you are legit, and you are example.com, then the RDNS of your sending IP needs to say something legit, like mailout.example.com. Bottom line: if your email server were legitimate, its RDNS would indicate such. I doubt that your ISP is going to expend legal fees on a no-win lawsuit. Yeah. Do it correctly. At least look legit. Get a SWIP from your ISP, and correctly set your RDNS to something acceptable. OR, have your ISP RDNS your mail server to something which identifies it as yours. The other suggestion I have is to use your ISP's outbound mail server instead of sending direct to MX. As I said above, direct-to-MX email is a sure sign of spam, and will likely be blocked. If not by a RBL, then by the targeted system itself. I manage many email servers, and not a single one will ever accept email from an IP address which looks like an end-user. That's your bigger problem. Seafire
  4. The solution is quite simple. A software firewall. See: http://www.obfuscation.org/ipf/ IPF and IPFIREWALL will do the trick. It will allow you to block specific port traffic from any IP or IP block. Cheers Bob
  5. seafire

    Recent Russian Botnet attacks

    See: http://countries.nerd.dk Seafire
  6. No. Each MX host must reverse resolve to your domain, not some generic name. You can have as many MXs as you want, each must be set up correctly. Bob
  7. This is likely not from a "blocklist". When people spam, and that spam is not blocked by the RBLs, many sysadmins will block the source IP directly on their mail server. I run many mail servers, and I have my own internal "blocklist". It returns "Rejected due to spam abuse". Once a site makes this list, chances are they will remain there forever. The only reason I ever remove a listing is if one of my customers complains of not receiving email from a particular source, and that source is being blocked by one of my entries. I never respond to non-customer requests for delisting. The other likely reason your connection was refused is because it looks like an end-user IP address; i.e. NOT a real mail server. resolves to 71-6-48-162.static-ip.telepacific.net. This is NOT a valid mail server address, but rather an end-user address. 90% of all spam originates from end-user addresses (botnets, infected PC... etc), so blocking ALL email requests from end-users has become an effective way to mitigate the spam problem. None of my mail servers will communicate with any end-users as a matter of policy. To get around this, use your ISP's mail server instead of sending direct from your PC. If is a legitimate mail server (i.e. IP and RDNS'ed to the same domain as the email being sent), then change the RDNS to reflect it. If you don't control the RDNS, or can't get the owner to do so, you will have increasing difficulty getting your mail accepted. Bob
  8. The only entity which can request removal is the owner of the network. See: http://www.apews.org/?page=test&C=130&...ip=

    Entry matching your Query: E-219378 C-130
    One or more bots in ASN / CIDR, unprofessional / negligent owner
    Special Reason: Only the ASN/CIDR owner can solve this listing by actioning FAQ 42 apews.org SHUTDOWN BOTS, ZOMBIES, NET ABUSE
    History: Entry created 2007-06-27

    The "Owner of this network" is:

        inetnum: -
        netname: XDSLSTREAMYX
        descr: Telekom Malaysia Berhad
        descr: Network Strategy
        descr: Wisma Telekom
        descr: Jalan Pantai Baru
        descr: 50672 Kuala Lumpur
        country: MY
        admin-c: TIA7-AP
        tech-c: TIA7-AP
        status: ALLOCATED PORTABLE
        mnt-by: APNIC-HM
        mnt-lower: MAINT-AP-STREAMYX
        mnt-routes: MAINT-AP-STREAMYX
        remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        remarks: This object can only be updated by APNIC hostmasters.
        remarks: To update this object, please contact APNIC
        remarks: hostmasters and include your organisation's account
        remarks: name in the subject line.
        remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        changed: hm-changed[at]apnic.net 20040607
        changed: hm-changed[at]apnic.net 20070209
        source: APNIC

        role: TMNST IP Administrator
        address: TELEKOM MALAYSIA BERHAD, Level 17 TM Annex E 1,
        address: JALAN PANTAI BARU
        address: 50672 KUALA LUMPUR
        country: MY
        phone: +603 22406120
        fax-no: +603 22402126
        e-mail: ainols[at]tm.com.my
        trouble: abuse[at]tm.net.my

    Bob
  9. seafire

    Suggestions to further enhance spam blocking

    Use dnsbl xx.countries.nerd.dk where xx is the 2 letter country code you want to block. So, Asia in part would be:

        tw.countries.nerd.dk
        cn.countries.nerd.dk
        hk.countries.nerd.dk

    Don't get any real mail from Brazil?

        br.countries.nerd.dk

    and so forth. Cheers Bob
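    The lookup behind the country-zone suggestion above, as an added example that is not part of the post: a DNSBL is queried by reversing the IPv4 octets and appending the zone, and an A record inside 127.0.0.0/8 means "listed". The resolver is passed in as a callable so the logic runs offline against constructed answers; live_resolve() shows the same lookup with the standard library. The 127.0.x.y answer values in the stub are constructed and only their membership in 127.0.0.0/8 is relied on.

```python
"""Country DNSBL lookup (added example; zone name from the post, rest assumed)."""
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional

COUNTRY_DNSBL = "countries.nerd.dk"          # zone named in the post
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")

Resolver = Callable[[str], List[str]]        # name -> list of A record strings


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets of an IPv4 address and append the DNSBL zone:
    192.0.2.10 in cn.countries.nerd.dk -> 10.2.0.192.cn.countries.nerd.dk"""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this DNSBL is IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def country_zone(cc: str) -> str:
    """xx.countries.nerd.dk for a two-letter ISO country code."""
    if len(cc) != 2 or not cc.isalpha():
        raise ValueError("expected a two-letter country code")
    return f"{cc.lower()}.{COUNTRY_DNSBL}"


def is_listed(ip: str, zone: str, resolve: Resolver) -> bool:
    """True if the list answers with an address in 127.0.0.0/8."""
    answers = resolve(dnsbl_query_name(ip, zone))
    return any(ipaddress.ip_address(a) in LISTED_NET for a in answers)


def blocked_country(ip: str, codes: Iterable[str], resolve: Resolver) -> Optional[str]:
    """Return the first blocked country code that lists ip, or None.
    A mail server would map a non-None result to a 5xx reply at connect time."""
    for cc in codes:
        if is_listed(ip, country_zone(cc), resolve):
            return cc.lower()
    return None


def live_resolve(name: str) -> List[str]:
    """Real lookup via the standard library; NXDOMAIN means "not listed"."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


# Constructed sample answers standing in for the DNS zone (offline demo).
STUB_ANSWERS = {
    "10.2.0.192.cn.countries.nerd.dk": ["127.0.0.156"],
    "20.100.51.198.br.countries.nerd.dk": ["127.0.0.76"],
}


def stub_resolve(name: str) -> List[str]:
    """Offline stand-in for live_resolve using the constructed answers."""
    return STUB_ANSWERS.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.20", "203.0.113.5"):
        hit = blocked_country(ip, ["tw", "cn", "hk", "br"], stub_resolve)
        print(ip, "->", hit or "not listed")
```

    Swap stub_resolve for live_resolve to query the real zone; keep the country list short, since every code costs one DNS round trip per inbound connection.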
  10. seafire

    Suggestions to further enhance spam blocking

    Hi KClaisse: I also run a mail server off my DSL connection, and receive mail for 4 domains. I do as you do, and run several dnsbls; and as you have discovered, they are good, but not good enough to cut the spam down to a trickle. The first thing I did was implement "Greylisting". This cut the spam in half all by itself. Then I did an analysis of the spams which leaked through the filters and got past greylisting, and discovered that 99% of them were being sent "Direct-MX", i.e. directly from an end-user account. Since no legitimate email ever comes Direct-MX, I decided to block all inbound traffic which was sent directly from an end-user (i.e. not using their ISP's mail server). Milter-Regex (http://www.benzedrine.cx/milter-regex.html) did the trick. It allows you to match on anything, and block inbound email during the SMTP session. This means your mail server never has to deal with it after arrival; it simply never arrives. This saves much bandwidth and CPU time, and spamassassin has much less to deal with. My milter regex configuration is this (but it is evolving):

        ################################
        #
        reject "Bad RDNS [rgx]"
        connect /\[.*\]/ //
        #
        # reject things that look like they come from a dynamic address
        reject "Looks like an end-user address [rgx]"
        connect /[0-9][0-9]*\-[0-9][0-9]*\-[0-9][0-9]*/ //
        connect /[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*/ //
        connect /[0-9]{12}/e //
        #
        reject "Router?"
        connect /.*\.router\..*/ //
        #
        reject "Malformed HELO (not a domain, no dot)"
        helo /\./n
        #
        #reject "HTML mail not accepted [rgx]"
        ## use comma as delimiter here, as / occurs within RE
        #header /^Content-type$/i ,^text/html,i
        #body ,^Content-type: text/html,i
        #
        reject "Malformed RCPT TO (not an email address, not <.*@.*>)"
        envrcpt /<(.*@.*|Postmaster)>/ein
        #
        reject "Proaxad end-user SPAMMER [rgx]"
        connect /.*\.fbx\..*/ //
        #
        reject "Verizon Dynamic IP"
        connect /.*\.pub\.verizon\.net/ //
        #
        reject "Verizon Fios IP"
        connect /.*\.fios\..*/ //
        #
        reject "Static End-User IP"
        connect /.*\.static\..*/ //
        connect /^static\-.*/ //
        connect /^cpe\-.*/ //
        connect /^CPE\-.*/ //
        connect /^cpc\-.*/ //
        connect /^pc\-.*/ //
        connect /^port\-.*/ //
        connect /.*\.shared\..*/ //
        connect /.*\.rev\..*/ //
        connect /.*\.ptr\..*/ //
        connect /.*\.cst\..*/ //
        #
        reject "Dynamic pool"
        connect /.*\.pool\..*/ //
        connect /^pool\-.*/ //
        connect /^port\-.*/ //
        connect /.*\.pools\..*/ //
        connect /.*\-POOL\-.*/ //
        #
        #
        reject "End-User"
        connect /^host\-.*/ //
        connect /.*\.cablevision\..*/ //
        #
        reject "Dynamic Client"
        connect /.*\.client\..*/ //
        #
        reject "Broadband"
        connect /\.broadband\./ //
        #
        reject "VDSL"
        connect /^VDSL.*/ //
        #
        reject "PPPOE"
        connect /.*\.pppoe\..*/ //
        connect /.*\.pppool\..*/ //
        #
        reject "Dynamic"
        connect /.*\.dyn\..*/ //
        connect /^dyn\-.*/ //
        connect /\.dynamicIP\./ //
        connect /.*\.dynamic\..*/ //
        connect /.*\.xd\-dynamic\..*/ //
        #
        reject "Dialup"
        connect /.*\.dip\..*/ //
        connect /.*\.dip[0-9]\..*/ //
        connect /.*\.dial\..*/ //
        connect /.*\.dialup\..*/ //
        #
        reject "cust-adsl"
        connect /.*\.cust\-adsl\..*/ //
        #
        reject "DHCP"
        connect /.*\.dhcp\..*/ //
        connect /.*\.adsl\-dhcp\..*/ //
        #
        reject "End-User"
        connect /.*\.user\..*/ //
        connect /^user\-.*/ //
        connect /^softbank.*/ //
        connect /.*\.intra\..*/ //
        connect /.*\.numericable\..*/ //
        connect /.*\.cablelink\..*/ //
        connect /.*\.dedicated\..*/ //
        connect /.*turbodns.*/ //
        #
        reject "adsl"
        connect /.*adsl.*/ //
        connect /^adsl\-.*/ //
        #
        reject "dsl"
        helo /.*dsl\..*/
        #
        reject "internetdsl"
        connect /.*\.internetdsl\..*/ //
        #
        reject "PPP"
        connect /.*ppp\-.*/ //
        connect /^ppp\-.*/ //
        #
        reject "HSD1"
        connect /.*\.hsd1\..*/ //
        #
        reject "Hosting"
        connect /.*\-hosting\..*/ //
        connect /.*\.hosting\..*/ //
        #
        reject "telecomitalia"
        header /Received/ /business\.telecomitalia\.it/
        #
        reject "InterBusiness"
        header /Received/ /\.interbusiness\.it/
        #
        reject "Retail"
        connect /.*\.retail\..*/ //
        #
        reject "linkspartnership.com"
        header /Received/ /\.linkspartnership\.com/
        #
        reject "Cable"
        connect /.*\.cable\..*/ //
        #
        reject "Israel"
        connect /^CBL.*\.il/ //
        #
        reject "specialservers.com spammer"
        connect /.*\.specialservers\.com/ //
        #
        reject "business"
        connect /.*\.business\..*/ //
        #
        reject "Road Runner"
        connect /.*\.res\.rr\.com/ //
        connect /.*\.biz\.rr\.com/ //
        #
        reject "PayPal"
        header /From/ /.*paypal.com.*/
        #
        reject "Nobody does not live here"
        header /From/ /^nobody.*/
        #
        # spam Sources
        #
        reject "SBC"
        connect /\.sbcis\./ //
        #
        # Country blocks here
        reject "Israel"
        connect /.*\.il/ //
        #
        reject "Asia"
        connect /.*\.HINET-IP\..*/ //
        connect /.*\.twtelecom\..*/ //
        #
        reject "Asia"
        connect /.*\.hinet\..*/ //
        #
        reject "Asia"
        connect /.*\.netvigator\.com.*/ //
        connect /.*\.asianet\..*/ //
        #
        reject "fastwebhosting"
        connect /.*\.fastwebhosting\.net.*/ //
        #
        reject "ientrynetwork"
        connect /.*\.ientrynetwork\.net.*/ //
        #
        reject "Habeas"
        header /X\-Habeas\-.*/ //
        #
        reject "IpZone"
        connect /.*\.ipzone\..*/ //
        #
        reject "OVH"
        connect /.*\.ovh\..*/ //
        #
        reject "China banned due to spam"
        connect /.*\.cn\./ //
        #
        reject "accomplishhosting"
        connect /.*\.accomplishhosting\..*/ //
        #
        #reject "That Email account has been temporarily disconnected"
        #header /.*sokolski.zekaria@mindspring.com.*/ //
        #
        #### Spams Scams and phishes ####
        #
        reject "Security Phish"
        header /From/ /.*security.*/
        #
        reject "Proxy"
        header /Received/ /.*proxy.*/
        #
        reject "Unsolicited icpbounce Spammer"
        header /Received/ /.*\.icpbounce\..*/
        #
        reject "Unsolicited intellicontact Spammer"
        header /Received/ /.*\.intellicontact\..*/
        #
        reject "Unsolicited OnLetterhead spam"
        header /Received/ /olh\-.*/
        #
        reject "No BIZ spam here Please"
        header /Received/ /.*\.biz/
        #
        reject "For Urgent assistance call your local red cross"
        header /Subject/ /.*Urgent assistance.*/
        header /Subject/ /.*Urgent Assistance.*/
        header /Subject/ /.*urgent assistance.*/
        header /Subject/ /HELLO/
        header /Subject/ /Dearest/
        #
        reject "faxbackbenefits.com spam"
        header /From/ /.*faxbackbenefits\.com.*/
        #
        reject "asiasystems.com.sa spam"
        header /From/ /.*asiasystems.*/
        #
        reject "Ebay Fraud"
        header /From/ /.*Fraud@eBay\.com.*/i
        #
        #################################

    The above is VERY harsh, but for me, I get all my valid email, and almost no spam at all. Oh, one other thing; I use a valid outbound smtp server for my outbound email. Best Regards Bob bob[at]tania.servebbs.org
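    The reverse-DNS heuristic argued for in the SORBS DUHL reply above and expressed as milter-regex "connect" and "helo" rules in this post, as an added Python example (not the poster's code and not part of milter-regex): it reimplements a subset of those patterns so they can be run against sample connection data and checked for false positives before they sit in front of live mail. The rule list, the case-insensitive matching, the allowlist bypass for known partner hosts and the sample hostnames are all assumptions of this example; none of the hostnames are real.

```python
"""rDNS-based connect-time rejection, added example in the spirit of the post's rules."""
import re
from typing import Iterable, List, Optional, Tuple

# (rejection reason, pattern) pairs adapted from the milter-regex config above.
# Matched with re.search, case-insensitively, in order; first hit wins.
RULES: List[Tuple[str, str]] = [
    ("Bad RDNS", r"^\[.*\]$"),  # sendmail presents unresolvable clients as [a.b.c.d]
    ("Looks like an end-user address", r"[0-9]+-[0-9]+-[0-9]+"),
    ("Looks like an end-user address", r"[0-9]+\.[0-9]+\.[0-9]+"),
    ("Looks like an end-user address", r"[0-9]{12}"),
    ("Static End-User IP", r"\.static\.|^static-|^cpe-|^cpc-|^pc-|^port-"),
    ("Dynamic pool", r"\.pools?\.|^pool-|-pool-"),
    ("Dynamic", r"\.dyn\.|^dyn-|\.dynamicip\.|\.dynamic\."),
    ("Dialup", r"\.dip[0-9]?\.|\.dial\.|\.dialup\."),
    ("DHCP", r"\.dhcp\."),
    ("Broadband", r"\.broadband\."),
    ("PPP", r"\.pppoe\.|\.pppool\.|ppp-"),
    ("adsl", r"adsl|\.internetdsl\."),
    ("Cable", r"\.cable\.|\.cablevision\."),
    ("Road Runner residential", r"\.res\.rr\.com$"),
]
COMPILED = [(reason, re.compile(rx, re.IGNORECASE)) for reason, rx in RULES]


def classify_connect(rdns: str, allowlist: Iterable[str] = ()) -> Optional[str]:
    """Return the rejection reason for a client's rDNS name, or None to accept.
    Hosts under an allowlisted domain (an addition here) skip the heuristics."""
    host = rdns.strip()
    for allowed in allowlist:
        if host == allowed or host.endswith("." + allowed):
            return None
    for reason, rx in COMPILED:
        if rx.search(host):
            return reason
    return None


def classify_helo(helo: str) -> Optional[str]:
    """The post's negated 'helo /\\./n' rule: a HELO name without a dot is malformed."""
    return None if "." in helo else "Malformed HELO (not a domain, no dot)"


def decide(rdns: str, helo: str, allowlist: Iterable[str] = ()) -> Optional[str]:
    """Combined verdict for one inbound SMTP connection: reason to reject, or None."""
    return classify_connect(rdns, allowlist) or classify_helo(helo)


# Constructed sample connections as (rDNS name, HELO name); none are real hosts.
SAMPLES = [
    ("mailout.example.com", "mailout.example.com"),
    ("[192.0.2.7]", "mail"),
    ("192-0-2-7.static-ip.example.net", "pc"),
    ("customer.pool.example.net", "customer.pool.example.net"),
    ("host.dyn.example.org", "host.dyn.example.org"),
    ("mx.example.com", "localhost"),
    ("smtp.static.partner.example", "smtp.static.partner.example"),
]

if __name__ == "__main__":
    for rdns, helo in SAMPLES:
        verdict = decide(rdns, helo, allowlist=["partner.example"])
        print(f"{rdns:40} {verdict or 'accept'}")
```

    Running the samples shows the trade-off the poster calls "VERY harsh": a partner whose provider names its hosts with ".static." is rejected unless it is allowlisted, so a rule set like this belongs behind a per-domain allowlist and a log review of what it rejects.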
  11. seafire

    The sum of all fears

    While this is an interesting and informative article, I have some problems with it. First, from a legal perspective, a computer can neither be a criminal, nor can it commit a crime. The "criminals" here are the hackers, the software manufacturers, and to a lesser extent the owners of the computers themselves. We all have certain social and legal responsibilities to adhere to. Irresponsible behavior, whether it be drunken driving, selling dangerous products, or willful disregard of a known danger, is a crime as well. The article fails miserably when it ascribes total blame to the hackers. By default, the article exonerates other culpable actors which are at least equally responsible for the ongoing problem; namely the manufacturers of defective software, and negligent computer users. It perpetuates the myth of the helpless user, when in fact, if users would just practice the minimal level of responsibility, MOST of this problem would simply disappear. The balance of this problem would vanish almost totally if software vendors were held accountable for their security flaws. Every household appliance, including cars, is recalled and fixed at no expense when a serious flaw is discovered; why not computer software? If an electronic phone were to be sold which invited burglars to your home, wouldn't the manufacturer of the phone be held somewhat responsible for the resulting theft? By shifting the ENTIRE blame to the hackers, this article perpetuates the problem. Seafire
  12. seafire

    Hello, I'm a Mac

    Those are some of the funniest and best done commercials on TV. They are among the very few I actually enjoy watching. They are "truth-in-advertising" and quite clever. Disclaimer: I am NOT a MAC user Seafire
  13. Yes, looks like. Just emailed you a complete set of transaction log entries on one bounce; it tells all. Done! That's exactly what happened, it went through. Best Regards Seafire
  14. Hi, SpamCop was attempting to send me an email; it was a verification of a server addition. My server rejected the mail with the following error:

        l2R41fUO082150: Milter insert (1): header: Authentication-Results: tania.servebbs.org from=spamcop[at]devnull.spamcop.net; domainkeys=fail
        dk-filter[79619]: l2R41fUO082150: bad signature data

    The setup here is FreeBSD 6.1-RELEASE-p10 running sendmail 8.14.0. Any info on why this may be happening would be appreciated. TIA Seafire