Suggestions to further enhance spam blocking


KClaisse

I run a little email host just for me and up until 5 days ago, I hadn't received 1 spam message in 7 months. But since 5 days ago, my spam volume has gone up 100-fold. I use list.dsbl.org, cbl.abuseat.org, sbl-xbl.spamhaus.org, bl.spamcop.net, and dul.dnsbl.sorbs.net to block spam. And although they work, some messages still get through.

Here's a sample from a logwatch I got this morning

Every one of the IP's that was rejected is added to my hosts.deny and is added to iptables (using /sbin/iptables -I INPUT -s $1 -j DROP).

My server is under constant bombardment from spammers and even though only 4 or 5 get through a day, it's really starting to annoy me. I've tried blocking them in Thunderbird using some custom filters, but they use words with numbers in them and Unicode characters that my filters don't get.

I'm curious if anyone else has been in my situation and has found solutions that work.

<snip>

I'm curious if anyone else has been in my situation and has found solutions that work.

...My guess is that everyone in the world who uses blocklists is in your situation and most people don't use blocklists and are therefore even worse off. :) <g>

...Blocklists, especially SpamCop's, tend to be reactive, so it isn't possible for them to block every spam. The only 100% solution of which I can conceive is to stop all e-mail, which, of course, kind of defeats the purpose of having e-mail. :) <g>

I understand that everyone has problems with spam, I was just looking for someone who has come up with a clever solution or device that goes beyond RBLs. I've googled, but have come up empty-handed. I'm just a little distressed because I'm a little new to this. I'm only 17 and just started my email last year. :D

<snip>

I was just looking for someone who has come up with a clever solution or device that goes beyond RBLs. I've googled, but have come up empty-handed. I'm just a little distressed because I'm a little new to this. I'm only 17 and just started my email last year. :D

<snip>

...And little wonder, in my mind -- I would suggest that there is not, and never will be, a solution that gets you to 100% no false positives and also no false negatives. IMHO, nothing will ever be able to predict in advance the next previously unused source of spam.

...However, I'm not nearly qualified as an expert, so you may want to watch here in case someone more knowledgeable than I has suggestions that will at least improve your ability to recognize spam before it hits your inbox.

[...]

I'm curious if anyone else has been in my situation and has found solutions that work.

Hi KClaisse:

I also run a mail server off my DSL connection, and receive mail for 4 domains. I do, as you do, and run several dnsbls; and as you have discovered, they are good, but not good enough to cut the spam down to a trickle.

The first thing I did was implement "Greylisting". This cut the spam in half all by itself.

Then I did an analysis of the spams which leaked through the filters and got past greylisting, and discovered that 99% of them were being sent "Direct-MX", i.e. directly from an end-user account. Since no legitimate email ever comes Direct-MX, I decided to block all inbound traffic which was sent directly from an end-user (i.e. not using their ISP's mail server).

Milter-Regex (http://www.benzedrine.cx/milter-regex.html) did the trick. It allows you to match on anything, and block inbound email during the SMTP session. This means your mail server never has to deal with it after arrival; it simply never arrives. This saves much bandwidth and CPU time, and SpamAssassin has much less to deal with.

My milter-regex configuration is this (but it is evolving):

################################
#
reject "Bad RDNS [rgx]"
connect /\[.*\]/ //
#
# reject things that look like they  come from a dynamic address
reject "Looks like an end-user address [rgx]"
connect /[0-9][0-9]*\-[0-9][0-9]*\-[0-9][0-9]*/ //
connect /[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*/ //
connect /[0-9]{12}/e //
#
reject "Router?"
connect /.*\.router\..*/ //
#
reject "Malformed HELO (not a domain, no dot)"
helo /\./n
#
#reject "HTML mail not accepted [rgx]"
## use comma as delimiter here, as / occurs within RE
#header /^Content-type$/i ,^text/html,i
#body ,^Content-type: text/html,i
#
reject "Malformed RCPT TO (not an email address, not <.*[at].*>)"
envrcpt /<(.*[at].*|Postmaster)>/ein
#
reject "Proaxad end-user SPAMMER [rgx]"
connect /.*\.fbx\..*/ //
#
reject "Verizon Dynamic IP"
connect /.*\.pub\.verizon\.net/ //
#
reject "Verizon Fios IP"
connect /.*\.fios\..*/ //
#
reject "Static End-User IP"
connect /.*\.static\..*/ //
connect /^static\-.*/ //
connect /^cpe\-.*/ //
connect /^CPE\-.*/ //
connect /^cpc\-.*/ //
connect /^pc\-.*/ //
connect /^port\-.*/ //
connect /.*\.shared\..*/ //
connect /.*\.rev\..*/ //
connect /.*\.ptr\..*/ //
connect /.*\.cst\..*/ //
#
reject "Dynamic pool"
connect /.*\.pool\..*/ //
connect /^pool\-.*/ //
connect /^port\-.*/ //
connect /.*\.pools\..*/ //
connect /.*\-POOL\-.*/ //
#
#
reject "End-User"
connect /^host\-.*/ //
connect /.*\.cablevision\..*/ //
#
reject "Dynamic Client"
connect /.*\.client\..*/ //
#
reject "Broadband"
connect /\.broadband\./ //
#
reject "VDSL"
connect /^VDSL.*/ //
#
reject "PPPOE"
connect /.*\.pppoe\..*/ //
connect /.*\.pppool\..*/ //
#
reject "Dynamic"
connect /.*\.dyn\..*/ //
connect /^dyn\-.*/ //
connect /\.dynamicIP\./ //
connect /.*\.dynamic\..*/ //
connect /.*\.xd\-dynamic\..*/ //
#
reject "Dialup"
connect /.*\.dip\..*/ //
connect /.*\.dip[0-9]\..*/ //
connect /.*\.dial\..*/ //
connect /.*\.dialup\..*/ //
#
reject "cust-adsl"
connect /.*\.cust\-adsl\..*/ //
#
reject "DHCP"
connect /.*\.dhcp\..*/ //
connect /.*\.adsl\-dhcp\..*/ //
#
reject "End-User"
connect /.*\.user\..*/ //
connect /^user\-.*/ //
connect /^softbank.*/ //
connect /.*\.intra\..*/ //
connect /.*\.numericable\..*/ //
connect /.*\.cablelink\..*/ //
connect /.*\.dedicated\..*/ //
connect /.*turbodns.*/ //
#
reject "adsl"
connect /.*adsl.*/ //
connect /^adsl\-.*/ //
#
reject "dsl"
helo /.*dsl\..*/
#
reject "internetdsl"
connect /.*\.internetdsl\..*/ //
#
reject "PPP"
connect /.*ppp\-.*/ //
connect /^ppp\-.*/ //
#
reject "HSD1"
connect /.*\.hsd1\..*/ //
#
reject "Hosting"
connect /.*\-hosting\..*/ //
connect /.*\.hosting\..*/ //
#
reject "telecomitalia"
header /Received/ /business\.telecomitalia\.it/
#
reject "InterBusiness"
header /Received/ /\.interbusiness\.it/
#
reject "Retail"
connect /.*\.retail\..*/ //
#
reject "linkspartnership.com"
header /Received/ /\.linkspartnership\.com/
#
reject "Cable"
connect /.*\.cable\..*/ //
#
reject "Israel"
connect /^CBL.*\.il/ //
#
reject "specialservers.com spammer"
connect /.*\.specialservers\.com/ //
#
reject "business"
connect /.*\.business\..*/ //
#
reject "Road Runner"
connect /.*\.res\.rr\.com/ //
connect /.*\.biz\.rr\.com/ //
#
reject "PayPal"
header /From/ /.*paypal.com.*/
#
reject "Nobody does not live here"
header /From/ /^nobody.*/
#
# spam Sources
#
reject "SBC"
connect /\.sbcis\./ //
#
# Country blocks here
reject "Israel"
connect /.*\.il/ //
#
reject "Asia"
connect /.*\.HINET-IP\..*/ //
connect /.*\.twtelecom\..*/ //
#
reject "Asia"
connect /.*\.hinet\..*/ //
#
reject "Asia"
connect /.*\.netvigator\.com.*/ //
connect /.*\.asianet\..*/ //
#
reject "fastwebhosting"
connect /.*\.fastwebhosting\.net.*/ //
#
reject "ientrynetwork"
connect /.*\.ientrynetwork\.net.*/ //
#
reject "Habeas"
header /X\-Habeas\-.*/ //
#
reject "IpZone"
connect /.*\.ipzone\..*/ //
#
reject "OVH"
connect /.*\.ovh\..*/ //
#
reject "China banned due to spam"
connect /.*\.cn\./ //
#
reject "accomplishhosting"
connect /.*\.accomplishhosting\..*/ //
#
#reject "That Email account has been temporarily disconnected"
#header /.*sokolski.zekaria[at]mindspring.com.*/ //
#
#### Spams Scams and phishes ####
#
reject "Security Phish"
header /From/ /.*security.*/
#
reject "Proxy"
header /Received/ /.*proxy.*/
#
reject "Unsolicited icpbounce Spammer"
header /Received/ /.*\.icpbounce\..*/
#
reject "Unsolicited intellicontact Spammer"
header /Received/ /.*\.intellicontact\..*/
#
reject "Unsolicited OnLetterhead spam"
header /Received/ /olh\-.*/
#
reject "No BIZ spam here Please"
header /Received/ /.*\.biz/
#
reject "For Urgent assistance call your local red cross"
header /Subject/ /.*Urgent assistance.*/
header /Subject/ /.*Urgent Assistance.*/
header /Subject/ /.*urgent assistance.*/
header /Subject/ /HELLO/
header /Subject/ /Dearest/
#
reject "faxbackbenefits.com spam"
header /From/ /.*faxbackbenefits\.com.*/
#
reject "asiasystems.com.sa spam"
header /From/ /.*asiasystems.*/
#
reject "Ebay Fraud"
header /From/ /.*Fraud[at]eBay\.com.*/i
#
#################################

The above is VERY harsh, but for me, I get all my valid email, and almost no spam at all.

Oh, one other thing; I use a valid outbound SMTP server for my outbound email.

Best Regards

Bob

bob[at]tania.servebbs.org

There are lots of options.

Greylisting has already been mentioned. It helps a lot.

I also block home IP addresses that have rDNS correctly configured (such as Comcast and Verizon and so forth do). Check with your mail server to see how to block ranges such as these:

*.res.rr.com

*.dsl-w.verizon.net

*.dynamic.covad.net

*.(state abbreviation).comcast.net

I don't know about the server you use, but Exim4 allows SpamAssassin to process the messages and reject them at SMTP time. That is, before they show up in your inbox.

I'm curious if anyone else has been in my situation and has found solutions that work.
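Bob's milter-regex file above and the rDNS ranges listed in the post just above both rest on the same idea: match the connecting client's reverse DNS name against patterns typical of end-user address space and reject during the SMTP session. The script below is an added example, not code from this thread or from milter-regex. It re-implements a hand-picked subset of Bob's connect rules with Python's re module (milter-regex itself uses POSIX regexes, and only the hostname side of each connect rule is modelled; the always-empty "//" IP side is ignored), runs them over constructed sample names, and makes the "VERY harsh" caveat concrete: a legitimate relay whose name merely contains "-hosting." is rejected along with the dial-up pools. The bracketed "[192.0.2.10]" form for a client with no reverse name is an assumption about how the MTA presents such clients.

```python
import re

# Constructed subset of the connect rules from the milter-regex configuration
# posted in this thread. Only the hostname pattern of each rule is kept; the
# second, always-empty "//" pattern (the client IP side) is not modelled.
# Rules are tried in order and the first match wins, as in milter-regex.
RDNS_RULES = [
    ("Bad RDNS [rgx]", [r"\[.*\]"]),          # no reverse name: "[192.0.2.10]" (assumed form)
    ("Looks like an end-user address [rgx]", [
        r"[0-9][0-9]*\-[0-9][0-9]*\-[0-9][0-9]*",
        r"[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*",
        r"[0-9]{12}",
    ]),
    ("Static End-User IP", [r".*\.static\..*", r"^static\-.*", r"^cpe\-.*"]),
    ("Dynamic pool", [r".*\.pool\..*", r"^pool\-.*"]),
    ("Dynamic", [r".*\.dyn\..*", r"^dyn\-.*", r".*\.dynamic\..*"]),
    ("Road Runner", [r".*\.res\.rr\.com"]),
    ("Hosting", [r".*\-hosting\..*", r".*\.hosting\..*"]),
]

COMPILED = [(msg, [re.compile(p) for p in pats]) for msg, pats in RDNS_RULES]


def classify_client(rdns: str):
    """Return the reject message of the first rule matching the reverse DNS
    name, or None when the connection would be accepted."""
    for message, patterns in COMPILED:
        if any(p.search(rdns) for p in patterns):
            return message
    return None


def audit(names):
    """Run every sample through the rules and tally verdicts per reject message."""
    tally = {}
    for name in names:
        verdict = classify_client(name) or "accept"
        tally[verdict] = tally.get(verdict, 0) + 1
    return tally


# Constructed sample reverse names (TEST-NET addresses, invented hostnames).
SAMPLES = [
    "[192.0.2.10]",                          # no rDNS at all
    "cpe-198-51-100-7.example-isp.net",      # dashed IP embedded in the name
    "203-0-113-9.pool.example-cable.net",    # dashed IP plus a .pool. label
    "dyn-77.example-dsl.net",
    "mail.example.com",                      # a normal relay: should be accepted
    "mx1.corp-hosting.net",                  # legitimate relay that still trips "Hosting"
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:40} -> {classify_client(name) or 'accept'}")
    print(audit(SAMPLES))
```

Because the first match wins, a client named cpe-198-51-100-7.example-isp.net is logged under the generic "Looks like an end-user address" message rather than "Static End-User IP", even though the ^cpe\- rule would also match; when reading reject logs, rule order decides which label you see. The corp-hosting.net case is the kind of false positive that makes a whitelist necessary once rules this broad are in place.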

I use Postfix and it has the other servers jump through hoops just to deliver messages. I also looked at those ranges you posted and checked some of the reverse IPs that connect to me, and none of them were big names like Verizon or Comcast. Most of them ended in .tw or had chinanet in them. So I think I'll just block all of Asia. I don't know anyone or anything over there anyway. :D

So I think I'll just block all of Asia

Use dnsbl xx.countries.nerd.dk

where xx is the 2 letter country code you want to block

so, Asia in part would be:

tw.countries.nerd.dk

cn.countries.nerd.dk

hk.countries.nerd.dk

Don't get any real mail from Brazil?

br.countries.nerd.dk

and so forth

Cheers

Bob
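The per-country zones Bob lists work like any other DNSBL: the client IP's octets are reversed, the zone name is appended, and an A record in the answer means "listed". The script below is an added example, not part of this thread or of the nerd.dk service. It builds the query names, walks a list of country codes the way Bob's tw/cn/hk/br suggestion does, and takes the resolver as a parameter so the constructed stub answers let it run offline; live_resolve shows the production variant. The decoding of a 127.0.x.y answer into an ISO 3166 numeric country code (x*256 + y) is an assumption of this example about the list's answer format and should be checked against the list's own documentation before relying on it.

```python
import ipaddress
import socket
from typing import Callable, Optional

ZONE_SUFFIX = "countries.nerd.dk"


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: IPv4 octets reversed, then the list zone."""
    addr = ipaddress.IPv4Address(ip)          # raises on anything that is not IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def country_code_from_answer(answer: Optional[str]) -> Optional[int]:
    """Decode a 127.0.x.y answer into the ISO 3166 numeric code x*256 + y.
    Assumed answer format for this example; verify against the list's docs."""
    if answer is None:
        return None
    parts = [int(p) for p in answer.split(".")]
    if len(parts) != 4 or parts[:2] != [127, 0]:
        return None
    return parts[2] * 256 + parts[3]


def first_listing_zone(ip: str, country_codes, resolve: Callable[[str], Optional[str]]):
    """Return the first per-country zone (tw, cn, ...) that lists the IP, or None."""
    for cc in country_codes:
        zone = f"{cc}.{ZONE_SUFFIX}"
        if resolve(dnsbl_query_name(ip, zone)) is not None:
            return zone
    return None


def live_resolve(name: str) -> Optional[str]:
    """Real resolver for production use: an A record means listed, NXDOMAIN means not."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


# Constructed stub answers so the example runs offline (TEST-NET addresses,
# invented listings; these IPs are not really in any country list).
STUB_ANSWERS = {
    "5.113.0.203.tw.countries.nerd.dk": "127.0.0.158",  # pretend 203.0.113.5 is listed as TW
    "7.100.51.198.br.countries.nerd.dk": "127.0.0.76",  # pretend 198.51.100.7 is listed as BR
}


def stub_resolve(name: str) -> Optional[str]:
    return STUB_ANSWERS.get(name)


if __name__ == "__main__":
    blocked = ["tw", "cn", "hk", "br"]
    for ip in ("203.0.113.5", "198.51.100.7", "192.0.2.1"):
        zone = first_listing_zone(ip, blocked, stub_resolve)
        print(ip, "->", zone or "not listed in any blocked country")
```

With Postfix, which KClaisse uses, the same lookup happens at SMTP time by adding reject_rbl_client tw.countries.nerd.dk (one entry per zone) to smtpd_recipient_restrictions; the script only shows what that lookup does, and why, as the later replies note, a per-country list cannot see a botnet member inside an allowed country.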

Well, I'm up to 45 blocked countries and I'm still getting spam. It's a completely fruitless effort. These spammers aren't in one country, they control botnets around the world, which makes identifying sources impossible.

I just need to blacklist the world (except US) and then start whitelisting.

I am not a server admin, but I think that if you are aggressive about spam, then you do need a whitelist. Also, have you tried SpamAssassin? The SpamCop email users seem satisfied that it gets what the blocklists miss. But maybe it isn't free.

Miss Betsy

Well, I'm up to 45 blocked countries and I'm still getting spam. It's a completely fruitless effort. These spammers aren't in one country, they control botnets around the world, which makes identifying sources impossible.

I just need to blacklist the world (except US) and then start whitelisting.

The USA also has many zombie computers allowing spam to be sent through them from anywhere. Country blocking alone is not going to help.

For US$30 per annum you can get a SpamCop email account.

It is best to use your SpamCop address as the only email address you will ever need, allowing all others to fade over time.

SpamCop will collect and filter email from all existing accounts, putting all spam into a folder for very easy reporting (VER). For every spam reported, an abuse report is sent, allowing the ISP to rectify their security problem (and most do).

I use a password saver and collect my email from any Windows computer, all on a 4GB USB stick, from anywhere; no laptop needed.
