Mailing List Archive

Re: throwaway domains and whois
On Fri, 17 Oct 2008, Alessandro Vesely wrote:

> May I ask how do you manage black list entries rehabilitation? I'm planning to
> do something similar to Stockade(*), i.e. to have a decay rate so that the
> probability that a listed IP gets blocked is automatically halved every that
> many seconds, until it eventually vanishes. That implies fuzzy blocking,
> though.

I use GOSSiP for domain reputation, where the confidence in a reputation
decays with time. Blocking doesn't begin until confidence reaches
a threshold.

IPs are on a 7-day rotation. So a given spammer IP gets to attempt to send 1
spam per week. The IPs are blocked at a low level, before getting to my filter
(although the filter decides when to blacklist them). That's short enough
to allow an IP sold to a legit party to get back in service.

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.


-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com
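The decaying reputation discussed above (a score that halves every fixed interval, with blocking only once a confidence threshold is reached), as an added Python example that is not code from GOSSiP or Stockade; the half-life, threshold and IP address are constructed:

```python
from dataclasses import dataclass, field


@dataclass
class DecayingBlocklist:
    """Per-IP score with exponential decay: the stored score halves every
    half_life seconds, and an IP is blocked only while its decayed score is
    at or above block_threshold (a confidence-threshold policy rather than
    Stockade's probabilistic one, which would block with probability
    proportional to the decayed score instead)."""
    half_life: float                 # e.g. 7 days = 604800 for a weekly rotation
    block_threshold: float
    forget_below: float = 0.01       # prune entries that have decayed to noise
    _entries: dict = field(default_factory=dict)   # ip -> (score, updated_at)

    def _decayed(self, ip, now):
        score, updated_at = self._entries[ip]
        return score * 0.5 ** ((now - updated_at) / self.half_life)

    def score(self, ip, now):
        """Current decayed score; an entry that has faded away is dropped."""
        if ip not in self._entries:
            return 0.0
        cur = self._decayed(ip, now)
        if cur < self.forget_below:
            del self._entries[ip]    # the listing has "vanished"
            return 0.0
        return cur

    def penalize(self, ip, now, weight=1.0):
        """Record another spam hit: add weight to the decayed score, not the stale one."""
        cur = self.score(ip, now) + weight
        self._entries[ip] = (cur, now)
        return cur

    def should_block(self, ip, now):
        return self.score(ip, now) >= self.block_threshold

    def listed(self):
        return sorted(self._entries)


def demo():
    # Constructed scenario: three hits on one IP at t=0, one-day half-life,
    # then a daily check. Returns the block decision for days 0..3.
    bl = DecayingBlocklist(half_life=86400, block_threshold=2.0)
    for _ in range(3):
        bl.penalize("192.0.2.10", now=0)
    return [bl.should_block("192.0.2.10", now=d * 86400) for d in range(4)]
```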
Re: throwaway domains and whois
On Fri, 17 Oct 2008, Alessandro Vesely wrote:

> Doesn't that assume "+mx -all"? One should whitelist the IPs where replied
> messages actually came from... Rather, I would whitelist the sender and just
> flag the DNSBL lookup response, delaying any reaction until responding to the
> RCPT command. That way it is also possible to forget DNSBL altogether for
> specific recipients who don't want that filtering.

Senders change their IPs. If they have an SPF record, this is transparent.
For important senders with no SPF record, I can create a local one manually
to positively identify them.

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
Re: throwaway domains and whois
At 12:50 PM 10/17/2008 -0400, Stuart D. Gathman wrote:

>On Fri, 17 Oct 2008, Alessandro Vesely wrote:
>
>> Doesn't that assume "+mx -all"? One should whitelist the IPs where replied
>> messages actually came from... Rather, I would whitelist the sender and just
>> flag the DNSBL lookup response, delaying any reaction until responding to the
>> RCPT command. That way it is also possible to forget DNSBL altogether for
>> specific recipients who don't want that filtering.
>
>Senders change their IPs. If they have an SPF record, this is transparent.
>For important senders with no SPF record, I can create a local one manually
>to positively identify them.

How many of these records do you maintain? How much time does it take?

I do this only for the largest senders, like yahoo.com. It's a tough choice - manual labor to keep up with the sender's changes, or risk losing their messages in the spam filter.

What is the problem with these senders? What will it take to motivate them?

Re: throwaway domains and whois
On Sat, 18 Oct 2008, David MacQuigg wrote:

> >Senders change their IPs. If they have an SPF record, this is transparent.
> >For important senders with no SPF record, I can create a local one manually
> >to positively identify them.
>
> How many of these records do you maintain? How much time does it take?

Currently 90. Very little time. Most senders are handled by the
default best guess - "v=spf1 a/24 mx/24 ptr". The local records are treated as
alternate "best guess" policies. For example:

$ORIGIN _spf.bmsi.com.
fedoraproject.org IN TXT "v=spf1 ptr:redhat.com ?all"

> What is the problem with these senders? What will it take to motivate them?

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
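The policy-selection order described above (the sender's own SPF record, otherwise a local alternate best guess stored under a private zone, otherwise the generic "v=spf1 a/24 mx/24 ptr"), as an added Python example that is not Stuart's milter code; the DNS data, the `_spf.local.example` zone and the domain names are constructed, and only the a, mx, ptr and all mechanisms are evaluated:

```python
import ipaddress

# Constructed DNS data standing in for live lookups (not real domains).
DNS = {
    ("yahoo.example", "A"): ["198.51.100.10"],
    ("yahoo.example", "MX"): ["mx.yahoo.example"],      # MX names only, priority dropped
    ("mx.yahoo.example", "A"): ["198.51.100.40"],
    ("fedoraproject.example._spf.local.example", "TXT"): ["v=spf1 ptr:redhat.example ?all"],
    ("203.0.113.7", "PTR"): ["smtp.redhat.example"],     # keyed by IP, not in-addr.arpa
    ("smtp.redhat.example", "A"): ["203.0.113.7"],
}
LOCAL_ZONE = "_spf.local.example"            # stands in for _spf.bmsi.com
DEFAULT_BEST_GUESS = "v=spf1 a/24 mx/24 ptr"
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return DNS.get((name, rtype), [])

def choose_policy(domain):
    """Published record first, then the local alternate best guess at
    <domain>.<LOCAL_ZONE>, then the generic default. Also reports whether
    the policy was actually published by the sender."""
    for name in (domain, f"{domain}.{LOCAL_ZONE}"):
        for txt in lookup(name, "TXT"):
            if txt.lower().startswith("v=spf1 "):
                return txt, name == domain
    return DEFAULT_BEST_GUESS, False

def check_host(ip, domain):
    """Evaluate a, mx, ptr and all (a subset of RFC 4408 mechanisms) for ip."""
    addr = ipaddress.ip_address(ip)
    policy, published = choose_policy(domain)
    for term in policy.split()[1:]:
        qual = term[0] if term[0] in "+-~?" else "+"
        mech, _, cidr = term.lstrip("+-~?").partition("/")
        kind, _, arg = mech.partition(":")
        target, prefix = arg or domain, int(cidr or 32)
        if kind == "all":
            return RESULT[qual], published
        if kind == "a":
            hosts = [target]
        elif kind == "mx":
            hosts = lookup(target, "MX")
        elif kind == "ptr":   # PTR names under target, forward-confirmed via A below
            hosts = [h for h in lookup(ip, "PTR") if h == target or h.endswith("." + target)]
        else:
            continue          # include/exists/ip4/... are outside this subset
        for host in hosts:
            for a in lookup(host, "A"):
                if addr in ipaddress.ip_network(f"{a}/{prefix}", strict=False):
                    return RESULT[qual], published
    return "neutral", published   # nothing matched and no explicit all
```

A best-guess match is reported with `published=False`, so a caller can treat it as a heuristic rather than as the positive identification a sender's own record would give.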
Re: throwaway domains and whois
At 11:54 AM 10/20/2008 -0400, Stuart D. Gathman wrote:

>On Sat, 18 Oct 2008, David MacQuigg wrote:
>
>> >Senders change their IPs. If they have an SPF record, this is transparent.
>> >For important senders with no SPF record, I can create a local one manually
>> >to positively identify them.
>>
>> How many of these records do you maintain? How much time does it take?
>
>Currently 90. Very little time. Most senders are handled by the
>default best guess - "v=spf1 a/24 mx/24 ptr". The local records are treated as
>alternate "best guess" policies. For example:
>
>$ORIGIN _spf.bmsi.com.
>fedoraproject.org IN TXT "v=spf1 ptr:redhat.com ?all"

This is basically the same strategy I am following - best guess blocks around known good addresses, and quarantine for the rest.

This strategy does not "positively identify" a sender, however. Recently, I saw a bunch of messages from yahoo.com going to quarantine. A little research showed that they had started using transmitters from akamai.com, so I added all of Akamai's blocks, and now things are back to "normal" with Yahoo, at least until they add some more blocks somewhere else. This is too much labor, and too unreliable for a long-term solution that might include thousands, or even millions of domains.

Long-term, we need a way to motivate senders like Yahoo to publish their authorized IP addresses. We cannot reject their messages, but we can send an SMTP reject with a message like: "Sorry! We cannot guarantee delivery of this message. yahoo.com does not offer sufficient authentication to prevent forgery. We will run it through our spam filter, and keep it in our quarantine, but the recipient may not read it."

I think most senders will comply after seeing a large number of these messages. Yahoo may be special, however, since they have a vested interest in a competing protocol. We've got to sell the idea that it's not either-or, but *both* protocols are needed.

Re: throwaway domains and whois
On Mon, 20 Oct 2008, David MacQuigg wrote:

> Long-term, we need a way to motivate senders like Yahoo to publish their
> authorized IP addresses. We cannot reject their messages, but we can send an
> SMTP reject with a message like: "Sorry! We cannot guarantee delivery of
> this message. yahoo.com does not offer sufficient authentication to prevent
> forgery. We will run it through our spam filter, and keep it in our
> quarantine, but the recipient may not read it."

Actually, yahoo *does* provide DKIM authentication. The problem is that
DKIM requires receiving the entire message first. We want them
to provide SPF in *addition* to DKIM.

> I think most senders will comply after seeing a large number of these
> messages. Yahoo may be special, however, since they have a vested interest
> in a competing protocol. We've got to sell the idea that it's not either-or,
> but *both* protocols are needed.

Exactly. DKIM handles 2822 header fields. SPF handles 2821 envelope.
The protocols are complementary, not competing. SPF is super cheap.

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
Re: throwaway domains and whois
On Mon, 20 Oct 2008, David MacQuigg wrote:

> I think most senders will comply after seeing a large number of these
> messages. Yahoo may be special, however, since they have a vested interest
> in a competing protocol. We've got to sell the idea that it's not either-or,
> but *both* protocols are needed.

Actually, I think you'll find yourself on one of those blacklists.
Since most people never read their DSNs, they are considered spam -
even when complaining about real RFC violations. Damn the RFCs and full speed
ahead.

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
Re: throwaway domains and whois
At 07:03 PM 10/20/2008 -0400, Stuart D. Gathman wrote:

>On Mon, 20 Oct 2008, David MacQuigg wrote:
>
>> I think most senders will comply after seeing a large number of these
>> messages. Yahoo may be special, however, since they have a vested interest
>> in a competing protocol. We've got to sell the idea that it's not either-or,
>> but *both* protocols are needed.
>
>Actually, I think you'll find yourself on one of those blacklists.
>Since most people never read their DSNs, they are considered spam -
>even when complaining about real RFC violations. Damn the RFCs and full speed
>ahead.

Use an SMTP reject, not a DSN.

Re: throwaway domains and whois
On Mon, 20 Oct 2008, David MacQuigg wrote:

> >> I think most senders will comply after seeing a large number of these
>
> Use an SMTP reject, not a DSN.

I do. Here is my current message for anonymous senders. Yours sounds better.

550-5.7.1 You must have a valid HELO or publish SPF: http://www.openspf.org
550-5.7.1 Contact your mail administrator IMMEDIATELY! Your mail server is
550-5.7.1 severely misconfigured. It has no PTR record (dynamic PTR records
550-5.7.1 that contain your IP don't count), an invalid or dynamic HELO,
550 5.7.1 and no SPF record.

Some senders only see the first line. I want to put a URL
in the first line with a web page to explain the problem fully.

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
Re: throwaway domains and whois
please stop sending these emails to my address
Re: throwaway domains and whois
please stop sending these emails to my address