Mailing List Archive

ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!
ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one
for Sendgrid-spams!

...a collection of a new TYPE of DNSBL, with the FIRST of these having a
focus on Sendgrid-sent spams. AND - there is a FREE version of this -
that can be used NOW! (well... might need a SpamAssassin rule or two!
Your help appreciated!):

INFO AND INSTRUCTIONS HERE:

https://www.invaluement.com/serviceproviderdnsbl/

This provides a way to surgically block Sendgrid's WORST spammers, yet
without the massive collateral damage that would happen if blocking
Sendgrid domains and IP addresses. But we're NOT stopping at the phishes
and viruses - and we're not finished! There will be some well-deserved
economic pain, that puts the recipients' best interests at heart.
Therefore, flagrant "cold email" spamming to recipients who don't even
know the sender - is also being targeted - first with the absolute worst
- and then progressing to other offenders as we make adjustments in the
coming weeks.

-- Rob McEwen https://www.invaluement.com
Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams! [ In reply to ]
Rob McEwen wrote on 2020-08-21 21:28:
> ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one
> for Sendgrid-spams!

(1) Sendgrid IDs that are found OFTEN in the SMTP-ENVELOPE FROM address
of Sendgrid-sent messages.
EXAMPLE: <bounces+14927644-0137-rob=pvsys.com@sendgrid.net>
So in THIS case, 14927644 is the ID. Nothing more. Nothing less.

blacklist_from *+14927644-*

untested but should work

i just use this form

blacklist_from *-rob=pvsys.com@sendgrid.net

:-)
Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams! [ In reply to ]
> On Aug 21, 2020, at 1:28 PM, Rob McEwen <rob@invaluement.com> wrote:
>
> ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!
>
> ...a collection of a new TYPE of DNSBL, with the FIRST of these having a focus on Sendgrid-sent spams. AND - there is a FREE version of this - that can be used NOW! (well... might need a SpamAssassin rule or two! Your help appreciated!):
>
> INFO AND INSTRUCTIONS HERE:
>
> https://www.invaluement.com/serviceproviderdnsbl/
>
> This provides a way to surgically block Sendgrid's WORST spammers, yet without the massive collateral damage that would happen if blocking Sendgrid domains and IP addresses. But we're NOT stopping at the phishes and viruses - and we're not finished! There will be some well-deserved economic pain, that puts the recipients' best interests at heart. Therefore, flagrant "cold email" spamming to recipients who don't even know the sender - is also being targeted - first with the absolute worst - and then progressing to other offenders as we make adjustments in the coming weeks.
>


I fail to see the point: that we do the work that sendgrid should be doing, but on a duplicative scale?

Why don’t they police themselves?

We’re effectively calling out spam that’s escaped after the fact. What’s the point of that?

They should be scanning email as it leaves their infrastructure and using rules and Bayesian filters to know if something is amiss and they need to have human intervention.

Nothing is stopping them from doing the right thing.

Why should we enable their bad behavior?
Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams! [ In reply to ]
On 8/22/20 4:37 AM, Philip Prindeville wrote:
>
>
>> On Aug 21, 2020, at 1:28 PM, Rob McEwen <rob@invaluement.com> wrote:
>>
>> ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!
>>
>> ...a collection of a new TYPE of DNSBL, with the FIRST of these having a focus on Sendgrid-sent spams. AND - there is a FREE version of this - that can be used NOW! (well... might need a SpamAssassin rule or two! Your help appreciated!):
>>
>> INFO AND INSTRUCTIONS HERE:
>>
>> https://www.invaluement.com/serviceproviderdnsbl/
>>
>> This provides a way to surgically block Sendgrid's WORST spammers, yet without the massive collateral damage that would happen if blocking Sendgrid domains and IP addresses. But we're NOT stopping at the phishes and viruses - and we're not finished! There will be some well-deserved economic pain, that puts the recipients' best interests at heart. Therefore, flagrant "cold email" spamming to recipients who don't even know the sender - is also being targeted - first with the absolute worst - and then progressing to other offenders as we make adjustments in the coming weeks.
>>
>
>
> I fail to see the point: that we do the work that sendgrid should be doing, but on a duplicative scale?
>
> Why don’t they police themselves?
>
> We’re effectively calling out spam that’s escaped after the fact. What’s the point of that?
>
> They should be scanning email as it leaves their infrastructure and using rules and Bayesian filters to know if something is amiss and they need to have human intervention.
>
> Nothing is stopping them from doing the right thing.
>
> Why should we enable their bad behavior?
>

The point is to prevent Phish, Spearphish and other bad stuff, not just
"spam"

seems you're sort of late to the party...
Get on board @ Mailop, SDLU, etc lists
Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams! [ In reply to ]
On 21 Aug 2020, at 14:15, Benny Pedersen <me@junc.eu> wrote:
> blacklist_from *+14927644-*

I think adding 5.0 to all sendgrid mail is the best idea I've heard.

Sendgrid makes me long for the days of the SPEWS RBL.


--
These are the thoughts that kept me out of the really good schools.
-- George Carlin
Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams! [ In reply to ]
@lbutlr wrote on 2020-08-22 08:03:
> On 21 Aug 2020, at 14:15, Benny Pedersen <me@junc.eu> wrote:
>> blacklist_from *+14927644-*
>
> I think adding 5.0 to all sendgrid mail is the best idea I've heard.
>
> Sendgrid makes me long for the days of the SPEWS RBL.

i am soon to be tired of it to add it to rpz in bind9
Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams! [ In reply to ]
Sendgrid and their likes...

Checking 1 day's logs for 1 domain, I see that of the 17 SendGrid mails to hit my antispam gateway, 17 of them were spam from 9 distinct senders.

I can't deal with hunting spammers like that; giving a nice little score to the spam tools that allow this kind of mass mailing without checks is the better approach IMO.





M. Omer GOLGELI


August 22, 2020 10:17 AM, "Benny Pedersen" <me@junc.eu> wrote:

> @lbutlr wrote on 2020-08-22 08:03:
>
>> On 21 Aug 2020, at 14:15, Benny Pedersen <me@junc.eu> wrote:
>>> blacklist_from *+14927644-*
>>
>> I think adding 5.0 to all sendgrid mail is the best idea I've heard.
>> Sendgrid makes me long for the days of the SPEWS RBL.
>
> i am soon to be tired of it to add it to rpz in bind9
Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams! [ In reply to ]
----- On Aug 21, 2020, at 10:37 PM, Philip Prindeville philipp_subx@redfish-solutions.com wrote:

> I fail to see the point: that we do the work that sendgrid should be doing, but
> on a duplicative scale?
>
> Why don’t they police themselves?

Presumably for the same reasons we filter spam at all. SendGrid is a (type of) ISP. Users sign up, and create and send content. Some of that content is spam. We want to block the spam, without blocking the entire ISP.

Like most ISPs, they have a feedback loop to remove malicious users. I assume it is too slow, so a SendGrid account ID RBL would provide meaningful value.

(The easiest way to consume this is surely as a DNS RBL?)

--Jered
Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams! [ In reply to ]
--On Saturday, August 22, 2020 11:15 AM -0400 Jered Floyd
<jered@convivian.com> wrote:

> Like most ISPs, they have a feedback loop to remove malicious users. I
> assume it is too slow, so a SendGrid account ID RBL would provide
> meaningful value.

Would not Pyzor accomplish the same thing? Submit the SendGrid spam to
Pyzor to quickly get it blacklisted.
Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams! [ In reply to ]
On 8/22/2020 3:35 PM, Kenneth Porter wrote:
> --On Saturday, August 22, 2020 11:15 AM -0400 Jered Floyd
> <jered@convivian.com> wrote:
>
>> Like most ISPs, they have a feedback loop to remove malicious users.  I
>> assume it is too slow, so a SendGrid account ID RBL would provide
>> meaningful value.
>
> Would not Pyzor accomplish the same thing? Submit the SendGrid spam to
> Pyzor to quickly get it blacklisted.


(1) Pyzor requires resource-expensive content filtering - whereas the
sendgrid list can do the filtering at the SMTP-envelope level - BEFORE
the message is even downloaded - for some systems with millions of users
- that is a HUGE advantage.

(2) being filterable at the SMTP-Envelope level opens up possibilities
for things like MTA plugins or feature additions - that enable this
filtering at the MTA level - for MTAs that do NOT try to do any content
filtering of the message. That creates more options for deployment where
many will hopefully be able to make use of this, who don't have Pyzor
(for whatever reasons)

(3) The strategy you described is SOMETIMES easily defeated with certain
variations in the messages, where each message is sufficiently different
to NOT be blockable by Pyzor. That is a HUGE loophole in Pyzor
technology. This Sendgrid ID list doesn't have that problem.

(4) Also, a spammer who sends out many different types of spams - can
potentially stay off of Pyzor's radar - but yet ALL of those spams under
that Sendgrid ID - will be collectively noticed in our engine. And,
likewise, Pyzor's methods could create a game of whack-a-mole. The
spammer will just keep coming out with new types of spam - that all get
past Pyzor while Pyzor tries to catch up - then Pyzor catches up - then
the spammer just reformats the content. Rinse. Repeat. Meanwhile, ALL of
those LATER spams are ALREADY blocked by our Sendgrid list BEFORE the
next types of spams are sent - ALL OF THEM. (you could argue that we
might get into a game of whack-a-mole too with those Sendgrid IDs - but
we're FAR less vulnerable to that - it will happen MUCH LESS often!)

(5) for these reasons and others - I strongly suspect that our Sendgrid
list is going to have a MUCH faster turnaround time on listing the
initial spams from a new sendgrid ID - and, as mentioned, their later
spams will then ALREADY be caught by this Sendgrid list - while Pyzor is
bogged down in that silly whack-a-mole game.

Don't get me wrong - Pyzor and other such checksum content filters - are
wonderful and have their place - but thinking that they remove the need
for this Sendgrid list - is absolutely not even close to true.

--
Rob McEwen
https://www.invaluement.com
+1 (478) 475-9032
Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams! [ In reply to ]
----- On Aug 22, 2020, at 3:35 PM, Kenneth Porter shiva@sewingwitch.com wrote:

>> Like most ISPs, they have a feedback loop to remove malicious users. I
>> assume it is too slow, so a SendGrid account ID RBL would provide
>> meaningful value.
>
> Would not Pyzor accomplish the same thing? Submit the SendGrid spam to
> Pyzor to quickly get it blacklisted.

SA has multiple overlapping metrics. As long as they are not fully overlapping, each adds to spam/ham assurance.

As Rob points out, it's also valuable to prioritize low-cost tests on inbound mail -- matching a sender ID is simpler than a message digest.

--Jered
Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams! [ In reply to ]
On 8/21/20 9:28 PM, Rob McEwen wrote:
> ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!
>
> ...a collection of a new TYPE of DNSBL, with the FIRST of these having a focus on Sendgrid-sent spams. AND - there is a FREE version of this - that can be used NOW! (well... might need a SpamAssassin rule or two! Your help appreciated!):
>
SpamAssassin plugin available at:
https://github.com/bigio/spamassassin-esp/archive/esp-v0.1.tar.gz

We will work on improving this new type of DNSBL with more data and more features, stay tuned.

Giovanni

> INFO AND INSTRUCTIONS HERE:
>
> https://www.invaluement.com/serviceproviderdnsbl/
>
> This provides a way to surgically block Sendgrid's WORST spammers, yet without the massive collateral damage that would happen if blocking Sendgrid domains and IP addresses. But we're NOT stopping at the phishes and viruses - and we're not finished! There will be some well-deserved economic pain, that puts the recipients' best interests at heart. Therefore, flagrant "cold email" spamming to recipients who don't even know the sender - is also being targeted - first with the absolute worst - and then progressing to other offenders as we make adjustments in the coming weeks.
>
> -- Rob McEwen https://www.invaluement.com
>
Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams! [ In reply to ]
The following plugin extracts the SendGrid ID to a Tag, now we can use it
with askdns..

https://github.com/fmbla/spamassassin-sendgrid

Paul


On Sun, 23 Aug 2020 at 20:42, Giovanni Bechis <gbechis@apache.org> wrote:

> On 8/21/20 9:28 PM, Rob McEwen wrote:
> > ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one
> for Sendgrid-spams!
> >
> > ...a collection of a new TYPE of DNSBL, with the FIRST of these having a
> focus on Sendgrid-sent spams. AND - there is a FREE version of this - that
> can be used NOW! (well... might need a SpamAssassin rule or two! Your help
> appreciated!):
> >
> SpamAssassin plugin available at:
> https://github.com/bigio/spamassassin-esp/archive/esp-v0.1.tar.gz
>
> We will work on improving this new type of DNSBL with more data and more
> features, stay tuned.
>
> Giovanni
>
> > INFO AND INSTRUCTIONS HERE:
> >
> > https://www.invaluement.com/serviceproviderdnsbl/
> >
> > This provides a way to surgically block Sendgrid's WORST spammers, yet
> without the massive collateral damage that would happen if blocking
> Sendgrid domains and IP addresses. But we're NOT stopping at the phishes
> and viruses - and we're not finished! There will be some well-deserved
> economic pain, that puts the recipients' best interests at heart.
> Therefore, flagrant "cold email" spamming to recipients who don't even know
> the sender - is also being targeted - first with the absolute worst - and
> then progressing to other offenders as we make adjustments in the coming
> weeks.
> >
> > -- Rob McEwen https://www.invaluement.com
> >
>
>
Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams! [ In reply to ]
Hi Rob

This works like a charm, blocking a lot of: bounces+8465718 atm.

Thank you for your excellent plugin!

Kind regards

-Benoît Panizzon-
--
I m p r o W a r e A G - Leiter Commerce Kunden
______________________________________________________

Zurlindenstrasse 29 Tel +41 61 826 93 00
CH-4133 Pratteln Fax +41 61 826 93 01
Schweiz Web http://www.imp.ch
______________________________________________________
Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams! [ In reply to ]
>>--On Saturday, August 22, 2020 11:15 AM -0400 Jered Floyd
>><jered@convivian.com> wrote:
>>>Like most ISPs, they have a feedback loop to remove malicious users. I
>>>assume it is too slow, so a SendGrid account ID RBL would provide
>>>meaningful value.

>On 8/22/2020 3:35 PM, Kenneth Porter wrote:
>>Would not Pyzor accomplish the same thing? Submit the SendGrid spam
>>to Pyzor to quickly get it blacklisted.

On 22.08.20 17:23, Rob McEwen wrote:
>sendgrid list can do the filtering at the SMTP-envelope level - BEFORE
>the message is even downloaded - for some systems with millions of
>users - that is a HUGE advantage.
>
>(2) being filterable at the SMTP-Envelope level opens up possibilities
>for things like MTA plugins or feature additions - that enable this
>filtering at the MTA level - for MTAs that do NOT try to do any
>content filtering of the message. That creates more options for
>deployment where many will hopefully be able to make use of this, who
>don't have Pyzor (for whatever reasons)

well, do we have anything available now to block at SMTP level?
- postfix policy server?
- milter?

so far I have noticed only SA plugins. Which is not bad, but that HUGE
advantage is not usable now.


--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I drive way too fast to worry about cholesterol.
Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams! [ In reply to ]
On 8/25/2020 11:42 AM, Matus UHLAR - fantomas wrote:
> well, do we have anything available now to block at SMTP level?
> - postfix policy server?
> - milter?
> so far I have noticed only SA plugins. Which is not bad, but that HUGE
> advantage is not usable now.


And likewise - 48 hours ago - a SpamAssassin plugin didn't exist either!
These things take at least a little bit of time. We're only at the 3rd
business day that this tech has been in existence. But I think you and I
would both be surprised at how many systems are likely already (quietly)
using this at the SMTP-connection level, for certain more
custom-programmed systems. I believe adaptation in other public MTAs is
inevitable. For example, I have some good contacts at Exim and it's on
my "to do" list to ask them about this, but I can do everything, at
least not all at once. And those MTAs that don't enable usage of this
will be left behind.

PRO TIP: Instead of complaining about this problem on this thread - why
not go to the discussion list or forum of your preferred MTA - and ask
them to implement it?

--
Rob McEwen
https://www.invaluement.com
+1 (478) 475-9032
Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams! [ In reply to ]
On 8/25/2020 1:20 PM, Rob McEwen wrote:
> but I can do everything, at least not all at once

*can't do

--
Rob McEwen
https://www.invaluement.com
Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams! [ In reply to ]
On 2020-08-25 11:42, Matus UHLAR - fantomas wrote:
>
> well, do we have anything available now to block at SMTP level?
> - postfix policy server?
> - milter?
>
> so far I have noticed only SA plugins. Which is not bad, but that HUGE
> advantage is not usable now.

Nothing elegant about this but it was easy to implement. You need to
create the software specific to your MX servers to update the files
below from Rob's web site.

Adjust the paths below to your Postfix install

Add these entries to your main.cf:

smtpd_restriction_classes =
    sendgrid

# Limit senders that are matched with the regexes in sendgrid-ids
#
sendgrid =
    check_sender_access pcre:/usr/local/etc/postfix/maps/sendgrid-ids

smtpd_recipient_restrictions =
    check_sender_access hash:/usr/local/etc/postfix/maps/from-sendgrid

Create a file like this from the senders in
https://www.invaluement.com/spdata/sendgrid-envelopefromdomain-dnsbl.txt

sendgrid.net sendgrid
appliedaicourse.com sendgrid
bithumbcorp.email sendgrid
bitline.life sendgrid
bureausveritas.com sendgrid
caractere.ro sendgrid
craftsgenerals.com sendgrid
dalvry.com sendgrid
...

Name it from-sendgrid and place it in your Postfix directory
postmap from-sendgrid

Create a file like this from the ids in
https://www.invaluement.com/spdata/sendgrid-id-dnsbl.txt

/^bounces\+2191708-[0-9a-f]{4}-/ REJECT Phish from compromised Sendgrid account
/^bounces\+4227563-[0-9a-f]{4}-/ REJECT Phish from compromised Sendgrid account
/^bounces\+13780591-[0-9a-f]{4}-/ REJECT Phish from compromised Sendgrid account
/^bounces\+10163588-[0-9a-f]{4}-/ REJECT Phish from compromised Sendgrid account
/^bounces\+10180020-[0-9a-f]{4}-/ REJECT Phish from compromised Sendgrid account
...

Name it sendgrid-ids and place it in your Postfix directory

postfix reload

John Capo
Tuffmail.com
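
One way to write the updater that the post above leaves to the reader, as an added example (not code from this thread or from invaluement): it turns feed text into the sendgrid-ids and from-sendgrid files, one rule per line, and refuses any feed line that is not a plain ID or domain. The feed format (one entry per line, '#' comments), the sample entries and every function name are assumptions.

```python
"""Build the two Postfix lookup files from the post above out of feed text."""
import os
import re
import tempfile

# Constructed sample input, not real feed data. Assumed feed format: one entry
# per line, blank lines and '#' comments ignored.
SAMPLE_IDS = "# constructed sample\n2191708\n4227563\n\nnot-a-number\n42|.*\n"
SAMPLE_DOMAINS = "sendgrid.net\nExample.COM\nbad domain/x\n"

ID_RE = re.compile(r"[0-9]{1,12}")
DOMAIN_RE = re.compile(r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")
ACTION = "REJECT Phish from compromised Sendgrid account"


def _entries(feed_text):
    """Yield non-empty, non-comment lines with surrounding whitespace removed."""
    for line in feed_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line


def build_pcre_map(feed_text):
    """Return (map_text, rejected). Only all-digit IDs reach the regex, so a
    damaged or hostile feed line cannot become an arbitrary pattern."""
    rules, rejected = [], []
    for entry in _entries(feed_text):
        if ID_RE.fullmatch(entry):
            # One rule per physical line: pattern, whitespace, action.
            rules.append(rf"/^bounces\+{entry}-[0-9a-f]{{4}}-/ {ACTION}")
        else:
            rejected.append(entry)
    return "\n".join(rules) + "\n", rejected


def build_domain_map(feed_text, klass="sendgrid"):
    """Return (map_text, rejected) for the hash: table that routes listed
    sender domains to the restriction class."""
    rows, rejected = [], []
    for entry in _entries(feed_text):
        domain = entry.lower()
        if DOMAIN_RE.fullmatch(domain):
            rows.append(f"{domain} {klass}")
        else:
            rejected.append(entry)
    return "\n".join(rows) + "\n", rejected


def write_atomic(path, text):
    """Write next to the target, then rename over it, so a reader never sees
    a half-written table."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".tmp-")
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(text)
        os.chmod(tmp, 0o644)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def sender_action(map_text, sender):
    """Evaluate a sender against generated rules the way a first-match,
    case-insensitive regex table would; a check to run before installing."""
    for line in map_text.splitlines():
        if not line:
            continue
        pattern, action = line.split(" ", 1)
        if re.search(pattern.strip("/"), sender, re.IGNORECASE):
            return action
    return None


if __name__ == "__main__":
    id_map, bad_ids = build_pcre_map(SAMPLE_IDS)
    dom_map, bad_domains = build_domain_map(SAMPLE_DOMAINS)
    out = tempfile.mkdtemp()  # stand-in for the Postfix maps directory
    write_atomic(os.path.join(out, "sendgrid-ids"), id_map)
    write_atomic(os.path.join(out, "from-sendgrid"), dom_map)
    # "postmap from-sendgrid" and "postfix reload" follow, as in the post.
    print(id_map, dom_map, "skipped:", bad_ids + bad_domains, sep="\n")
```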
Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams! [ In reply to ]
Matus UHLAR - fantomas wrote on 2020-08-25 17:42:

> well, do we have anything available now to block at SMTP level?
> - postfix policy server?
> - milter?
>
> so far I have noticed only SA plugins. Which is not bad, but that HUGE
> advantage is not usable now.

fuglu

i reject highscore spams, just setup fuglu in prequeue with postfix
Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams! [ In reply to ]
Rob McEwen wrote on 2020-08-25 19:20:

> PRO TIP: Instead of complaining about this problem on this thread -
> why not go to the discussion list or forum of your preferred MTA - and
> ask them to implement it?

maybe make clamav sigs ?

is mimedefang working still ?, special plugins needed ?, i just use
fuglu
Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams! [ In reply to ]
On 8/25/2020 2:29 PM, Benny Pedersen wrote:
> maybe make clamav sigs ?


Benny,

Thanks for your other suggestions - those are worth exploring.

Also - the Clamav Sigs is not a bad idea - but even besides the fact
that (like SA rules), Clamav is content filtering and not at the
SMTP-Envelope level - Clamav doesn't tend to have nearly AS fast of a
turnaround time as do DNSBLs.

In a previous message, someone was disappointed that we missed one, and
it turns out our 24-second turnaround time on that message (from the
start of the SMTP connection - to being fully deployed in the data) was
a contributing factor. We now have a plan to shorten that 24-seconds to
about 4 seconds AND (for invaluement subscribers) - we have a "push"
technology that is available now where those invaluement subscribers who
opt for this feature (no extra charge!) - can get a split second
notification to run their RSYNC just 1 second after the file updates -
and we do that already for our direct query servers. So there is an
option (once implemented!) to potentially get these FULLY
DISTRIBUTED within about 8 seconds from the start of the SMTP connection
of the first such spam received - to being FULLY deployed on DNS servers
(both our own direct query servers - and our RSYNC subscribers' internal
rbldnsd servers) - that will be AMAZING. I expect to be there within a
week from now. Something like clamav just can't even begin to compete
with that fast of a turnaround. But ClamAv rules may still be a good way
to get this implemented for many.

Someone else mentioned one that was completely off of our radar - but
we're about to double the coverage of these in terms of mailboxes and
traps used for this purpose - so that will help further minimize our
"blind spots".

--
Rob McEwen
https://www.invaluement.com
+1 (478) 475-9032
Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams! [ In reply to ]
On Tue, Aug 25, 2020 at 08:29:55PM +0200, Benny Pedersen wrote:
> Rob McEwen wrote on 2020-08-25 19:20:
>
> > PRO TIP: Instead of complaining about this problem on this thread -
> > why not go to the discussion list or forum of your preferred MTA - and
> > ask them to implement it?
>
> maybe make clamav sigs ?
>
> is mimedefang working still ?, special plugins needed ?, i just use
> fuglu
Mimedefang is still alive on a new home:
https://github.com/The-McGrail-Foundation/MIMEDefang
I think it should not be complicated to implement it.
Giovanni
Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams! [ In reply to ]
On Tue, 25 Aug 2020, John Capo wrote:

> Create a file like this from the ids in
> https://www.invaluement.com/spdata/sendgrid-id-dnsbl.txt
>
> /^bounces\+2191708-[0-9a-f]{4}-/ REJECT Phish from compromised Sendgrid account
> /^bounces\+4227563-[0-9a-f]{4}-/ REJECT Phish from compromised Sendgrid account
> /^bounces\+13780591-[0-9a-f]{4}-/ REJECT Phish from compromised Sendgrid account
> /^bounces\+10163588-[0-9a-f]{4}-/ REJECT Phish from compromised Sendgrid account
> /^bounces\+10180020-[0-9a-f]{4}-/ REJECT Phish from compromised Sendgrid account
> ...

I just wrote something similar to generate a rule, in case for some reason
you don't want to use a plugin. Let me know if there's any interest in it.


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Today: the 1941st anniversary of the destruction of Pompeii
Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams! [ In reply to ]
Thanks, John Capo, for the suggestions! Honestly, I'm at the end of my
rope - completely burned out from creating this - desperately needing to
catch up in other areas of my business so that I can pay my bills. And I
have other ideas for how to make this data even better that I'm trying
to get to asap. So help like this is very appreciated!

BTW - does Postfix "know" to refresh the data when the files are
updated? Or is there some kind of command that needs to run to tell
Postfix to reload the files? How does that work? ALSO - would it help if
I created a separate set of files for Postfix that are pre-formatted
this way already?

Thanks!

Rob McEwen, invaluement.com


On 8/25/2020 2:26 PM, John Capo wrote:
> On 2020-08-25 11:42, Matus UHLAR - fantomas wrote:
>>
>> well, do we have anything available now to block at SMTP level?
>> - postfix policy server?
>> - milter?
>>
>> so far I have noticed only SA plugins. Which is not bad, but that HUGE
>> advantage is not usable now.
>
> Nothing elegant about this but it was easy to implement. You need to
> create the software specific to your MX servers to update the files
> below from Rob's web site.
>
> Adjust the paths below to your Postfix install
>
> Add these entries to your main.cf:
>
> smtpd_restriction_classes =
>    sendgrid
>
> # Limit senders that are matched with the regexes in sendgrid-ids
> #
> sendgrid =
>     check_sender_access pcre:/usr/local/etc/postfix/maps/sendgrid-ids
>
> smtpd_recipient_restrictions =
>     check_sender_access hash:/usr/local/etc/postfix/maps/from-sendgrid
>
> Create a file like this from the senders in
> https://www.invaluement.com/spdata/sendgrid-envelopefromdomain-dnsbl.txt
>
> sendgrid.net        sendgrid
> appliedaicourse.com sendgrid
> bithumbcorp.email   sendgrid
> bitline.life        sendgrid
> bureausveritas.com  sendgrid
> caractere.ro        sendgrid
> craftsgenerals.com  sendgrid
> dalvry.com          sendgrid
> ...
>
> Name it from-sendgrid and place it in your Postfix directory
> postmap from-sendgrid
>
> Create a file like this from the ids in
> https://www.invaluement.com/spdata/sendgrid-id-dnsbl.txt
>
> /^bounces\+2191708-[0-9a-f]{4}-/ REJECT Phish from compromised Sendgrid account
> /^bounces\+4227563-[0-9a-f]{4}-/ REJECT Phish from compromised Sendgrid account
> /^bounces\+13780591-[0-9a-f]{4}-/ REJECT Phish from compromised Sendgrid account
> /^bounces\+10163588-[0-9a-f]{4}-/ REJECT Phish from compromised Sendgrid account
> /^bounces\+10180020-[0-9a-f]{4}-/ REJECT Phish from compromised Sendgrid account
> ...
>
> Name it sendgrid-ids and place it in your Postfix directory
>
> postfix reload
>
> John Capo
> Tuffmail.com
>

--
Rob McEwen
https://www.invaluement.com
+1 (478) 475-9032
Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams! [ In reply to ]
On 8/25/2020 11:04 PM, John Hardin wrote:
> I just wrote something similar to generate a rule, in case for some
> reason you don't want to use a plugin. Let me know if there's any
> interest in it.

yes - please share!

--
Rob McEwen
https://www.invaluement.com
+1 (478) 475-9032
