Blacklists


Blacklists

by Blaine Fleming

I'm curious what blacklists everyone uses and how many FPs there are on
average.  Anyone want to post their config?

--Blaine

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now.  http://p.sf.net/sfu/bobj-july
_______________________________________________
Assp-user mailing list
Assp-user@...
https://lists.sourceforge.net/lists/listinfo/assp-user

Re: Blacklists

by paul+as


On 6 Nov 2009 at 13:28, Blaine Fleming wrote:

> I'm curious what blacklists everyone uses and how many FPs there are on
> average.  Anyone want to post their config?

Assuming you are talking about DNSBLs, check out the thread on this
list titled 'SORBS' just under a month ago.  Grayhat posted his
list which seemed quite comprehensive.

paul



invalid HELO

by Hisham Al Saad

Hi,

The "invalid HELO" option is very useful when enabled to reject a large amount
of spam, but unfortunately it also rejects lots of legitimate mail ;-(
What is the best way to enable it without having those legitimate senders
get rejected?
I hope there is a workaround somehow.
Appreciate your input.

Thanks,
Hisham  




Re: invalid HELO

by shdjsahwkjq ehwq kehwkq h

I do not know how to do it, but block on ehlo/helo does not contain  
one dot.  This is my most effective rule on another server, accounts  
for something like 90% of all blocked email.

Then make ehlo/helo look like dynamic ranges.  Those get the rest.
--
Scott * If you contact me off list replace talklists@ with scott@ *

On Nov 8, 2009, at 2:45 AM, Hisham Al Saad wrote:

> Hi,
>
> The "invalid HELO" option is very useful when enabled to reject  
> large amount
> of spam, but unfortunately also rejects lots of legitimate mail ;-(
> What is the best way to enable it without having those legitimate  
> senders
> gets rejected.
> I hope there is a workaround somehow.
> Appreciate your input.


Re: invalid HELO

by paul+as


On 8 Nov 2009 at 13:45, Hisham Al Saad wrote:

> Hi,
>
> The "invalid HELO" option is very useful when enabled to reject large amount
> of spam, but unfortunately also rejects lots of legitimate mail ;-(

You'll have to tell us what you have in your config and what gets
blocked.

The default setting blocks an IP address or a name without a dot -
both of which I would block from unknown senders.

paul


Re: Blacklists

by K Post

Here's the list from grayhat   I believe that karmasphere is no longer.

I've also found that the five-ten-sg has a lot of IP's like
constantcontact on it.

Hope this helps.

zen.spamhaus.org=>1
bl.spamcop.net=>1
ix.dnsbl.manitu.net=>1
combined.njabl.org=>1
dul.dnsbl.sorbs.net=>1
bb.barracudacentral.org=>1
bogons.cymru.com=>1
db.wpbl.info=>2
dnsbl-1.uceprotect.net=>2
psbl.surriel.com=>2
karmasphere.email-sender.dnsbl.karmasphere.com=>3
dnsbl-2.uceprotect.net=>3
blackholes.five-ten-sg.com=>3
dnsbl-3.uceprotect.net=>4
cbl.abuseat.org=>4


On Sun, Nov 8, 2009 at 5:11 AM,  <paul+as@...> wrote:

>
> On 6 Nov 2009 at 13:28, Blaine Fleming wrote:
>
>> I'm curious what blacklists everyone uses and how many FPs there are on
>> average.  Anyone want to post their config?
>
> Assuming you are talking about DNSBLs, check out the thread on this
> list titled 'SORBS' just under a month ago.  Grayhat posted his
> list which seemed quite comprehensive.
>
> paul

Re: Blacklists

by GrayHat

> Here's the list from grayhat   I believe that karmasphere is no longer.

Yes, karmasphere is discontinuing service, so remove it; also,
my current DNSBL setup is the following

zen.spamhaus.org=>1
bb.barracudacentral.org=>1
bl.spamcop.net=>1
ix.dnsbl.manitu.net=>1
combined.njabl.org=>1
dul.dnsbl.sorbs.net=>1
bogons.cymru.com=>1
db.wpbl.info=>2
dnsbl-1.uceprotect.net=>2
psbl.surriel.com=>2
dnsbl-2.uceprotect.net=>3
blackholes.five-ten-sg.com=>3
dnsbl-3.uceprotect.net=>4
cbl.abuseat.org=>4

somewhat shorter than the previous one and also rearranged
by putting at the top the DNSBLs getting most hits to speed
up things a little
 
> I've also found that the five-ten-sg has a lot of IP's like
> constantcontact on it.

Yes, but in whatever case I can't recommend using either
uceprotect or five-ten to block; those lists are quite aggressive
and while they may allow to nail some "fresh" spamming IPs
they may also cause false positives, and since I prefer staying
on the safe side and, in case of doubt, letting the other stuff
ASSP implements deal with messages, my suggestion is to
only use those lists to "increase the scoring" (as above) and
not to immediately reject (as for e.g. spamhaus)


Re: Blacklists

by K Post

Thanks for the update and explanation!

On Sun, Nov 8, 2009 at 12:53 PM, Grayhat <grayhat@...> wrote:

>> Here's the list from grayhat   I believe that karmasphere is no longer.
>
> Yes, karmasphere is discontinuing service, so remove it; also,
> my current DNSBL setup is the following
>
> zen.spamhaus.org=>1
> bb.barracudacentral.org=>1
> bl.spamcop.net=>1
> ix.dnsbl.manitu.net=>1
> combined.njabl.org=>1
> dul.dnsbl.sorbs.net=>1
> bogons.cymru.com=>1
> db.wpbl.info=>2
> dnsbl-1.uceprotect.net=>2
> psbl.surriel.com=>2
> dnsbl-2.uceprotect.net=>3
> blackholes.five-ten-sg.com=>3
> dnsbl-3.uceprotect.net=>4
> cbl.abuseat.org=>4
>
> somewhat shorter than the previous one and also rearranged
> by putting at the top the DNSBLs getting most hits to speed
> up things a little
>
>> I've also found that the five-ten-sg has a lot of IP's like
>> constantcontact on it.
>
> Yes, but in whatever case I can't recommend using either
> uceprotect or five-ten to block; those lists are quite aggressive
> and while they may allow to nail some "fresh" spamming IPs
> they may also cause false positives, and since I prefer staying
> on the safe side and, in case of doubt, letting the other stuff
> ASSP implements deal with messages, my suggestion is to
> only use those lists to "increase the scoring" (as above) and
> not to immediately reject (as for e.g. spamhaus)

Re: Blacklists

by K Post

Grayhat,
Where do you have the other settings in the DNSBL section like max
replies, max hits, max time, socket timeout, etc.

Thanks.

On Sun, Nov 8, 2009 at 1:05 PM, K Post <nntp.post@...> wrote:

> Thanks for the update and explanation!
>
> On Sun, Nov 8, 2009 at 12:53 PM, Grayhat <grayhat@...> wrote:
>>> Here's the list from grayhat   I believe that karmasphere is no longer.
>>
>> Yes, karmasphere is discontinuing service, so remove it; also,
>> my current DNSBL setup is the following
>>
>> zen.spamhaus.org=>1
>> bb.barracudacentral.org=>1
>> bl.spamcop.net=>1
>> ix.dnsbl.manitu.net=>1
>> combined.njabl.org=>1
>> dul.dnsbl.sorbs.net=>1
>> bogons.cymru.com=>1
>> db.wpbl.info=>2
>> dnsbl-1.uceprotect.net=>2
>> psbl.surriel.com=>2
>> dnsbl-2.uceprotect.net=>3
>> blackholes.five-ten-sg.com=>3
>> dnsbl-3.uceprotect.net=>4
>> cbl.abuseat.org=>4
>>
>> somewhat shorter than the previous one and also rearranged
>> by putting at the top the DNSBLs getting most hits to speed
>> up things a little
>>
>>> I've also found that the five-ten-sg has a lot of IP's like
>>> constantcontact on it.
>>
>> Yes, but in whatever case I can't recommend using either
>> uceprotect or five-ten to block; those lists are quite aggressive
>> and while they may allow to nail some "fresh" spamming IPs
>> they may also cause false positives, and since I prefer staying
>> on the safe side and, in case of doubt, letting the other stuff
>> ASSP implements deal with messages, my suggestion is to
>> only use those lists to "increase the scoring" (as above) and
>> not to immediately reject (as for e.g. spamhaus)

Re: Blacklists

by paul+as


On 8 Nov 2009 at 18:53, Grayhat wrote:

> my current DNSBL setup is the following
>
> zen.spamhaus.org=>1
> cbl.abuseat.org=>4

duplication here?



Re: Blacklists

by shdjsahwkjq ehwq kehwkq h

On Nov 8, 2009, at 9:53 AM, Grayhat wrote:

> bb.barracudacentral.org=>1

Do you have to pay for this? I heard that at some point they were  
going to, or were charging for the data based on the analytics they  
gather.

> bl.spamcop.net=>1

In a binary mode, block or pass, I find them too aggressive, gmail,  
aol, lots of others get in spam cop. How has this worked out for you,  
I assume you use weighting?

Is there any way to provide stats that show which ones are hit the most,
and how effective they are?  On another email server, which is not  
weighted, just pass or block, I run spamcop last, usually something  
else will catch it.

Thanks for any insight.
--
Scott * If you contact me off list replace talklists@ with scott@ *


Re: invalid HELO

by Hisham Al Saad

Hi,

> > The "invalid HELO" option is very useful when enabled to reject large amount
> > of spam, but unfortunately also rejects lots of legitimate mail ;-(
>
> You'll have to tell us what you have in your config and what gets
> blocked.
>
> The default setting blocks an IP address or a name without a dot -
> both of which I would block from unknown senders.
>


Thanks Paul,

In (Regular Expression to Validate Format of HELO*) field I have ,
^(([a-z\d][a-z\d-]*)?[a-z\d]\.)+[a-z]{2,6}$

Under my (Regular Expression to Invalidate Format of HELO*) file I have
these settings.

^\d+\.\d+\.\d+\.\d+$
^[^\.]+\.?$
\d{1,3}(\.|-|x)\d{1,3}(\.|-|x)\d{1,3}
\.intra$
\.local$
\.lan$
\.priv$
\.private$
\.localdomain$
\.online$

From logs there are lots of detected real spam but there are also some
legitimate mail, please see below,

These are legitimate emails and should pass

Nov-7-09 00:52:28 44340-06460 [InvalidHELO][testmode] 217.64.225.57 <newsletters@...> to: xxx@... [spam found] and passing because testmode, otherwise blocked (Invalid HELO: 'EMP10RLY01.emp10data.local') [Your weekly Finance newsletter from MEED] -> ./discarded/9703.eml

Nov-7-09 01:03:51 45029-09039 [InvalidHELO][testmode] 217.64.225.57 <newsletters@...> to: tariqali@... [spam found] and passing because testmode, otherwise blocked (Invalid HELO: 'EMP10RLY01.emp10data.local') [Your weekly Industry newsletter from MEED] -> ./discarded/11404.eml

----------------

These should be rejected always

Nov-8-09 00:00:05 27587-07571 [InvalidHELO][testmode] 200.88.20.171 <wilfredolarsonit@...> to: xxx@... [spam found] and passing because testmode, otherwise blocked (Invalid HELO: '0nic711') [Need pain killers Get them Here] -> ./discarded/10531.eml

Nov-8-09 00:00:05 27592-07597 [InvalidHELO][testmode] 78.29.107.42 <selena.leach_vm@...> to: xxx@... [spam found] and passing because testmode, otherwise blocked (Invalid HELO: '35fle82') [use VicodinES to get rid of pain] -> ./discarded/13373.eml

Nov-8-09 00:00:05 27587-07573 [InvalidHELO][testmode] 187.4.86.142 <basillockwood_qx@...> to: xxx@... [spam found] and passing because testmode, otherwise blocked (Invalid HELO: 'rfmm5i2') [Buy Vicodin Online For Less] -> ./discarded/6706.eml

Please let me know what changes need to be done on my settings.

Thanks.











Re: Blacklists

by paul+as


On 8 Nov 2009 at 19:55, Scott Haneda wrote:

> On Nov 8, 2009, at 9:53 AM, Grayhat wrote:
>
> > bb.barracudacentral.org=>1
>
> Do you have to pay for this? I heard that at some point they were  
> going to, or were charging for the data based on the analytics they  
> gather.

I understand that bb.barracudacentral.org is freely available to all
IP addresses, but the published b.barracudacentral.org is for
registered users only. (Note 'b.' & 'bb.')

> > bl.spamcop.net=>1
>
> In a binary mode, block or pass, I find them too aggressive, gmail,  
> aol, lots of others get in spam cop. How has this worked out for you,  
> I assume you use weighting?

Spamcop have become much more reliable over the last year, and I have
been using them with much higher confidence.

paul


Re: Blacklists

by GrayHat

 
>> my current DNSBL setup is the following
>>
>> zen.spamhaus.org=>1
>> cbl.abuseat.org=>4
>
> duplication here?

not exactly; the abuseat contains some more
IPs which aren't into the spamhaus since the
latter (spamhaus) is more "conservative", so
I use the abuseat too but being "aggressive"
I use it at level 4


Re: Blacklists

by GrayHat


> >> bb.barracudacentral.org=>1
>>
>> Do you have to pay for this? I heard that at some point they were
>> going to, or were charging for the data based on the analytics they
>> gather.
>
> I understand that bb.barracudacentral.org is freely available to all
> IP addresses, but the published b.barracudacentral.org is for
> registered users only. (Note 'b.' & 'bb.')

right; the "bb" is "open to anyone" while the "b" is only available
to registered users; yet I find the "bb" quite reliable/effective since
that, together with spamhaus, spamcop and manitu will catch most
surefire spam

> Spamcop have become much more reliable over the last year, and
> I have been using them with much higher confidence.

I was about to write the same; in the past the spamcop list was somewhat
unreliable due to some "nits" in their addition methods, but nowadays I
find the list quite reliable and usable w/o problems in "reject mode"




Re: invalid HELO

by paul+as



On 9 Nov 2009 at 8:31, Hisham Al Saad wrote:

> Under my (Regular Expression to Invalidate Format of HELO*) file I have
> these settings.
>
> ^\d+\.\d+\.\d+\.\d+$
> ^[^\.]+\.?$
> \d{1,3}(\.|-|x)\d{1,3}(\.|-|x)\d{1,3}
> \.intra$
> \.local$
> \.lan$
> \.priv$
> \.private$
> \.localdomain$
> \.online$
>
> From logs there are lots of detected real spam but there are also some
> legitimate mail, please see below,
>
> These are legitimate emails and should pass
>
> Nov-7-09 00:52:28 44340-06460 [InvalidHELO][testmode] 217.64.225.57 <newsletters@...> to: xxx@... [spam found] and passing because testmode, otherwise blocked (Invalid HELO: 'EMP10RLY01.emp10data.local') [Your weekly Finance newsletter from MEED] -> ./discarded/9703.eml

I don't know why they are using a local address in a helo, but I
would either put the IP in 'noHelo' or put the helo into
'heloBlacklistIgnore'.

The helos you want blocked will stay blocked.

paul



Re: Blacklists

by paul+as


On 9 Nov 2009 at 11:22, GrayHat wrote:

> > duplication here?
>
> not exactly; the abuseat contains some more
> IPs which aren't into the spamhaus since the
> latter (spamhaus) is more "conservative", so
> I use the abuseat too but being "aggressive"
> I use it at level 4

Do you find entries on cbl that aren't on zen?

Spamhaus say 'Mail servers already using cbl.abuseat.org should NOT
also use xbl.spamhaus.org or you will be making 'double' queries to
basically the same data source'

paul


Re: Blacklists

by GrayHat


> Grayhat,

> Where do you have the other settings in the DNSBL
> section like max replies, max hits, max time, socket
> timeout, etc.

Lemme "dump" the values...

validaterbl     block
forcerblcache   checked
addrblheader    checked
rblmaxreplies   8
rblmaxhits      2
rblmaxweight    50
rblmaxtime      10
rblsocktime     1
rblcacheexp     4

notice that I've a DNS resolver running on the same
box where ASSP is running so DNS response times
are quite fast :) at any rate I avoided increasing the
maxreplies too much and tuned the rblmaxtime to
be "balanced" with maxreplies; by the way you may
experiment a little and tune the parameters to fit your
own setup; also, and if you want to experiment a little
you may add the following DNSBLs

virbl.dnsbl.bit.nl
bhnc.njabl.org
drone.abuse.ch
spam.abuse.ch

putting them (e.g.) at level "2" I have been using them
for a while but since they got really few hits (for my
setup, yours may be different) I decided to remove them
yet they may be worth some experimenting

About DNSBL "efficiency"; the simplest way to check it
is to use grep to extract the "[virus]" lines from the ASSP
logs and then further process them to obtain a "hit list"
for the various DNSBLs; by the way, if someone feels
like having some time in his hands and would like to
put together and share a perl script to generate stats
then that would be interesting (and useful) :)

Also, and since we're at filtering and grepping logs;
another routine task on my side is grepping logs to extract
IPs sending to spamtraps (automatically generated ones)
I then process the resulting IP list by sorting the IPs (real
IP sort) removing duplicates and using cymru and senderbase
to retrieve infos about each IP (owner, CIDR range, country...)
I then reprocess the "detailed list" crosschecking it with the
original one (with duplicates) to add hit counts to each IP
and at that point (this time manually) I use the resulting list
to generate a CIDR blocks list to add to "denyalways"; this
helps directly rejecting connections from known and surefire
spambots and avoiding to waste resources with them
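
The spamtrap routine described in the post above (numeric IP sort, de-duplication with hit counts, candidate CIDR blocks) sketched as an added example; it is not GrayHat's script and not part of ASSP. The input is assumed to be one source IP per trap hit, as a grep/cut over the log would produce, the sample addresses are constructed from documentation ranges, and the /24 grouping with its thresholds is an illustrative heuristic. The cymru/senderbase lookups are left out because they need network access.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample: one line per spamtrap hit (RFC 5737 documentation
# addresses), including a duplicate-heavy sender and one junk line.
SPAMTRAP_HITS = """\
198.51.100.23
192.0.2.10
198.51.100.7
192.0.2.10
203.0.113.200
198.51.100.23
198.51.100.130
192.0.2.9
198.51.100.23
not-an-ip
"""


def count_hits(text):
    """Return (Counter of IPv4Address -> hits, list of lines that did not parse)."""
    hits, rejected = Counter(), []
    for line in text.splitlines():
        token = line.strip()
        if not token:
            continue
        try:
            hits[ipaddress.IPv4Address(token)] += 1
        except ipaddress.AddressValueError:
            rejected.append(token)
    return hits, rejected


def sorted_hits(hits):
    """'Real IP sort': order by numeric address, so 192.0.2.9 precedes 192.0.2.10."""
    return sorted(hits.items(), key=lambda item: item[0])


def candidate_blocks(hits, prefix=24, min_ips=3, min_hits=2):
    """Propose deny-list candidates for manual review.

    Heuristic (an assumption of this example): a whole /prefix network is
    proposed when at least min_ips distinct addresses in it hit a trap;
    otherwise only single addresses with at least min_hits hits are proposed.
    Returns (network, distinct_ips, total_hits) tuples sorted by network.
    """
    per_net = defaultdict(dict)
    for ip, count in hits.items():
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        per_net[net][ip] = count

    proposals = []
    for net, members in per_net.items():
        if len(members) >= min_ips:
            proposals.append((net, len(members), sum(members.values())))
            continue
        for ip, count in members.items():
            if count >= min_hits:
                proposals.append((ipaddress.ip_network(f"{ip}/32"), 1, count))
    return sorted(proposals, key=lambda row: row[0])


if __name__ == "__main__":
    hits, rejected = count_hits(SPAMTRAP_HITS)
    for ip, count in sorted_hits(hits):
        print(f"{str(ip):<16} {count}")
    print("unparsed:", rejected)
    for net, ips, total in candidate_blocks(hits):
        print(f"{net}  distinct={ips} hits={total}")
```

The proposals are only candidates: as in the post, the owner and announced range of each address should be checked before a block goes into "denyalways", since a /24 guess can cover unrelated senders.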



Re: invalid HELO

by Hisham Al Saad


> I don't know why they are using a local address in a helo, but I
> would either put the IP in 'noHelo' or put the helo into
> 'heloBlacklistIgnore'.
>
> The helos you want blocked will stay blocked.
>

In this case we will have to wait until they complain about it before we
know which address to put in 'noHelo'

If I remove \.local$ from my invalidhelo.txt file, will this allow them to
pass through ?




Re: invalid HELO

by shdjsahwkjq ehwq kehwkq h

On Nov 9, 2009, at 2:45 AM, Hisham Al Saad wrote:

>>
>> I don't know why they are using a local address in a helo, but I
>> would either put the IP in 'noHelo' or put the helo into
>> 'heloBlacklistIgnore'.
>>
>> The helos you want blocked will stay blocked.
>
> In this case we will have to wait until they complain about it  
> before we
> know which address to put in 'noHelo'
>
> If I remove \.local$ from my invalidhelo.txt file, will this allow  
> them to
> pass through ?

Yes, and I also believe that .local is valid rfc for ehlo/helo.  I  
would not run that one. That is too high risk, as you are seeing,  
unless you can weight it, in which case, by all means, run it with a  
low weight.
--
Scott * If you contact me off list replace talklists@ with scott@ *
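
The two fixes discussed in this sub-thread (exempting the sender, as paul suggests, or dropping the `\.local$` rule, as asked in the last exchange) checked against the HELO names from the posted logs; this is an added example, not code from the thread or from ASSP. It assumes the patterns are applied case-insensitively and that any matching invalidate pattern blocks; the `ignore` set is a hypothetical stand-in for an exemption and does not model how ASSP matches 'noHelo' or 'heloBlacklistIgnore'.

```python
import re

# Patterns copied from the thread: the "validate" pattern and the
# "invalidate" list posted by Hisham.
VALID_HELO = r"^(([a-z\d][a-z\d-]*)?[a-z\d]\.)+[a-z]{2,6}$"
INVALID_HELO = [
    r"^\d+\.\d+\.\d+\.\d+$",
    r"^[^\.]+\.?$",
    r"\d{1,3}(\.|-|x)\d{1,3}(\.|-|x)\d{1,3}",
    r"\.intra$",
    r"\.local$",
    r"\.lan$",
    r"\.priv$",
    r"\.private$",
    r"\.localdomain$",
    r"\.online$",
]

# HELO names from the log excerpts in the thread, with the poster's own label.
SAMPLES = [
    ("EMP10RLY01.emp10data.local", "legitimate"),
    ("0nic711", "spam"),
    ("35fle82", "spam"),
    ("rfmm5i2", "spam"),
]


def matching_rules(helo, invalid=INVALID_HELO):
    """Return every invalidate pattern that matches (assumed case-insensitive)."""
    return [p for p in invalid if re.search(p, helo, re.IGNORECASE)]


def verdict(helo, invalid=INVALID_HELO, ignore=()):
    """Return 'pass' or 'block' for one HELO name.

    Assumed order for this example: exemption first, then the invalidate
    patterns, then the validate pattern. `ignore` is hypothetical.
    """
    if helo.lower() in {name.lower() for name in ignore}:
        return "pass"
    if matching_rules(helo, invalid):
        return "block"
    if not re.search(VALID_HELO, helo, re.IGNORECASE):
        return "block"
    return "pass"


def compare():
    """Evaluate each sample under the posted rules and under both proposed fixes."""
    without_local = [p for p in INVALID_HELO if p != r"\.local$"]
    rows = []
    for helo, label in SAMPLES:
        rows.append({
            "helo": helo,
            "label": label,
            "rules": matching_rules(helo),
            "current": verdict(helo),
            "no_local_rule": verdict(helo, invalid=without_local),
            "exempted": verdict(helo, ignore={"EMP10RLY01.emp10data.local"}),
        })
    return rows


if __name__ == "__main__":
    for row in compare():
        print(f"{row['helo']:<28} {row['label']:<10} rules={row['rules']} "
              f"current={row['current']} no_local={row['no_local_rule']} "
              f"exempted={row['exempted']}")
```

On these samples the newsletter relay is caught only by `\.local$`, while the three spam HELOs are caught by the no-dot rule `^[^\.]+\.?$`, so either fix releases the relay without releasing the spam shown in the logs.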

