Adding spam attack IP's to DNSRBL providers


by Sharma, Ashish-2

Hello,

I have a Postfix e-mail receiving server set up.

I have applied the following setting in my Postfix main.cf file:

    smtpd_recipient_restrictions =
        reject_unauth_destination,
        reject_rbl_client sbl-xbl.spamhaus.org,
        reject_rbl_client bl.spamcop.net
        permit

for checking the mails with DNSRBL providers.

Since Postfix has a custom-built RBL check, I want to know: if a certain IP address is continuously attacking my e-mail server with spam, how can I get it added to the following DNSRBL providers' lists:

  1. Spamcop
  2. Spamhaus

Thanks in advance.

Ashish


Re: Adding spam attack IP's to DNSRBL providers

by Ralf Hildebrandt

* Sharma, Ashish <ashish.sharma3@...>:
> Hello,
> I have a Postfix e-mail receiving server setup.
> I have applied the following setting in my Postfix main.cf file:
>     smtpd_recipient_restrictions =
>   reject_unauth_destination,
>   reject_rbl_client sbl-xbl.spamhaus.org,

You may want to use zen.spamhaus.org

>   reject_rbl_client bl.spamcop.net
>   permit
> for checking the mails with DNSRBL providers.
> Since Postfix has custom built RBL check, I want to know if a certain IP address is continuously attacking with spam on my e-mail server, then how can I get it added with the following DNSRBL provider list:
>
>  1.  Spamcop
>  2.  Spamhaus

Check their websites.
--
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebrandt@... | http://www.charite.de
           

Adding spam attack IP's to DNSRBL providers

by Stan Hoeppner

Sharma, Ashish put forth on 11/3/2009 3:58 AM:

> Hello,
>
> I have a Postfix e-mail receiving server setup.
>
> I have applied the following setting in my Postfix main.cf file:
>
>     smtpd_recipient_restrictions =
>   reject_unauth_destination,
>   reject_rbl_client sbl-xbl.spamhaus.org,
>   reject_rbl_client bl.spamcop.net
>   permit
>
> for checking the mails with DNSRBL providers.
>
> Since Postfix has custom built RBL check, I want to know if a certain IP
> address is continuously attacking with spam on my e-mail server, then
> how can I get it added with the following DNSRBL provider list:
>
>    1. Spamcop
>    2. Spamhaus

Short answer:  For most dnsbls you can't.  You can report spam to
Spamcop and it _might_ make it into their listing.  You can't report
spam to Spamhaus at all.  They are strictly trap driven or they list
based upon their own research.  With Spamhaus, you can report entire
spammy networks, but your research needs to be thorough and dead on, and
this must be done through back channel contacts AFAIK.  They have no
official mechanism for receiving reports.

You seem to be at the same point I was a couple of years ago--only using
dnsbls and no local lists and filters.  At the time, I desired to, and
attempted to do the same thing you desire, to report the spam to the
dnsbls hoping they'd list the senders.  After I learned that's not a
realistic possibility or solution, I started my own local block lists
implemented in various Postfix access tables.  It has been very
effective, especially against snowshoe spammers.

http://www.postfix.org/access.5.html
http://www.postfix.org/cidr_table.5.html

Also, if you will never need to receive emails from certain countries,
you can smtp block their entire address space (or firewall it for that
matter) using http://ipdeny.com   I use this to great effect, blocking
around 1/4 to 1/3 of all inbound spam attempts.

--
Stan
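
The local block list described in the message above, as an added example that is not part of the original post or of Postfix itself: it merges a hand-curated netblock list with a country zone file, validates and collapses the ranges, and emits lines in the cidr_table(5) format. The sample ranges, the one-CIDR-per-line zone layout, the reject text and the file path are assumptions; the resulting file would be referenced from smtpd_recipient_restrictions with `check_client_access cidr:/etc/postfix/local_blocklist.cidr`.

```python
import ipaddress

# Constructed sample input: a hand-curated netblock list ("CIDR note") and a
# country zone file, assumed here to be one CIDR per line.
LOCAL_BLOCKS = """\
192.0.2.0/24        snowshoe range, seen in trap
192.0.2.128/25      same operator
198.51.100.7        single persistent sender
"""
COUNTRY_ZONE = """\
203.0.113.0/25
203.0.113.128/25
"""

def parse_networks(text):
    """Return validated networks from 'CIDR [note]' lines; '#' starts a comment."""
    nets = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        token = line.split()[0]
        try:
            # strict=True refuses host bits (192.0.2.1/24): usually a typo.
            nets.append(ipaddress.ip_network(token, strict=True))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {token!r}: {exc}") from None
    return nets

def build_cidr_table(sources, action="REJECT Blocked by local policy"):
    """Merge all sources, collapse overlaps, emit cidr_table(5) lines."""
    v4, v6 = [], []
    for text in sources:
        for net in parse_networks(text):
            (v4 if net.version == 4 else v6).append(net)
    merged = [*ipaddress.collapse_addresses(v4), *ipaddress.collapse_addresses(v6)]
    return [f"{net}\t{action}" for net in merged]

def lookup(table_lines, client_ip):
    """First-match lookup, the order in which Postfix applies cidr patterns."""
    addr = ipaddress.ip_address(client_ip)
    for line in table_lines:
        pattern, result = line.split("\t", 1)
        if addr in ipaddress.ip_network(pattern):
            return result
    return None

if __name__ == "__main__":
    # Save as e.g. /etc/postfix/local_blocklist.cidr (hypothetical path).
    print("\n".join(build_cidr_table([LOCAL_BLOCKS, COUNTRY_ZONE])))
```

Running `lookup()` against a few known-good sender addresses before deploying the table is a cheap check that a collapsed range does not cover legitimate mail sources.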

Re: Adding spam attack IP's to DNSRBL providers

by mouss-4

Sharma, Ashish wrote:

> Hello,
>
> I have a Postfix e-mail receiving server setup.
>
> I have applied the following setting in my Postfix main.cf file:
>
>     smtpd_recipient_restrictions =
>   reject_unauth_destination,
>   reject_rbl_client sbl-xbl.spamhaus.org,
>   reject_rbl_client bl.spamcop.net
>   permit
>
> for checking the mails with DNSRBL providers.
>
> Since Postfix has custom built RBL check, I want to know if a certain IP
> address is continuously attacking with spam on my e-mail server, then
> how can I get it added with the following DNSRBL provider list:
>
>    1. Spamcop
>    2. Spamhaus
>

you can submit spam to spamcop. postfix can't help here.
you can't submit anything to spamhaus.



RE: Adding spam attack IP's to DNSRBL providers

by Sharma, Ashish-2

Stan,

Thanks for the reply and showing me a way.

Can you elaborate on your solution?

Some of my doubts arise from:

>I started my own local block lists
>implemented in various Postfix access tables.  It has been very
>effective, especially against snowshoe spammers.

>http://www.postfix.org/access.5.html
>http://www.postfix.org/cidr_table.5.html

How were you able to identify that a particular IP/IPs are the source of a spam attack on your mail server?

After identifying that a particular IP/IPs is the source of the attack, how were you able to update your local block lists automatically?

For how long did you maintain the IP/IPs record in your local block lists and refresh them?

Thanks in advance

Ashish Sharma

-----Original Message-----
From: owner-postfix-users@... [mailto:owner-postfix-users@...] On Behalf Of Stan Hoeppner
Sent: Tuesday, November 03, 2009 8:10 PM
To: postfix-users@...
Subject: Adding spam attack IP's to DNSRBL providers


Adding spam attack IP's to DNSRBL providers

by Stan Hoeppner

Sharma, Ashish put forth on 11/16/2009 6:23 AM:

> How were you able to identify that a particular IP/IP's are the source of spam attack on your mail server?

A trap and a Mark I eyeball, Senderbase reputation data, examining rDNS
within a netblock, etc.

> After identifying that a particular IP/IP's is the source of attack how were you able to update your local block lists automatically?

I don't update my block lists automatically, but manually, see above.
Local block lists are not a substitute for dnsbls, but an additional
tool used to kill spam sources that aren't listed (yet) by the dnsbls.
Very few dnsbls catch snowshoe spammers because they rely on volume trap
data from individual IPs.  The snowshoe method was invented specifically
to bypass dnsbls.  Spamhaus now has a list specifically targeting
dnsbls, and Invaluement has a paid dnsbl that is very effective at
catching snowshoe.  The Spamhaus snowshoe list is very new.

> For how long did you maintain the IP/IP's record in your local block lists and refreshed them?

Permanently in almost all cases.  Dealing with scorched earth netblocks
is the ISP's responsibility, not mine.  They create the mess by
knowingly assigning spammers to their /24s, /20s, etc, so it's up to
them to clean it up.  Again, local lists aren't a substitute for dnsbls,
so there is no reason to 'refresh' or 'expire' listings in a local block
list, as far as I'm concerned.  I do very thorough analysis before
adding a netblock, and I'm adding maybe only a couple of small ranges a
week.

Think of local block lists as an extremely focused/targeted tool used to
kill spam sources that aren't yet in the dnsbls or likely won't be
listed by dnsbls.  Use them to "pick up the slack" so to speak.

Hope this helps.  Also, you may wish to join spam-l.com to learn more
about various methods used in fighting spam.

--
Stan
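
A review aid for the manual netblock analysis described in the message above, as an added example that is not part of the original post: it groups connecting clients in Postfix smtpd log lines by /24, so a range where many different addresses each connect only a little stands out even though no single IP has high volume. The log lines are constructed, and the /24 grouping and the four-address threshold are assumptions; the output is a list to examine by hand, not an automatic block list.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the usual Postfix smtpd syslog shape.
SAMPLE_LOG = """\
Nov 16 06:01:02 mx postfix/smtpd[2101]: connect from unknown[192.0.2.11]
Nov 16 06:01:09 mx postfix/smtpd[2102]: connect from mail7.example.net[192.0.2.57]
Nov 16 06:02:30 mx postfix/smtpd[2103]: connect from unknown[192.0.2.140]
Nov 16 06:02:41 mx postfix/smtpd[2104]: connect from unknown[192.0.2.201]
Nov 16 06:03:00 mx postfix/smtpd[2105]: connect from mx.example.org[198.51.100.25]
Nov 16 06:03:05 mx postfix/smtpd[2105]: connect from mx.example.org[198.51.100.25]
Nov 16 06:03:09 mx postfix/smtpd[2105]: connect from mx.example.org[198.51.100.25]
"""

CONNECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: connect from (\S+?)\[([0-9a-fA-F.:]+)\]")

def netblock_summary(log_text, prefix_len=24):
    """Group connecting IPv4 clients by their enclosing netblock."""
    blocks = defaultdict(lambda: {"connections": 0, "ips": set(), "no_rdns": 0})
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if not m:
            continue
        host, ip = m.group(1), ipaddress.ip_address(m.group(2))
        if ip.version != 4:
            continue  # this example only groups IPv4 clients
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        entry = blocks[net]
        entry["connections"] += 1
        entry["ips"].add(ip)
        # Postfix logs the client name as "unknown" when rDNS does not verify.
        entry["no_rdns"] += int(host == "unknown")
    return dict(blocks)

def review_candidates(summary, min_distinct_ips=4):
    """Return (netblock, distinct IPs, connections, no-rDNS count) for ranges
    with many distinct senders, sorted by netblock, for manual review."""
    rows = [(str(net), len(e["ips"]), e["connections"], e["no_rdns"])
            for net, e in summary.items() if len(e["ips"]) >= min_distinct_ips]
    return sorted(rows)

if __name__ == "__main__":
    for row in review_candidates(netblock_summary(SAMPLE_LOG)):
        print(*row, sep="\t")
```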