
Mailing List Archive: SpamAssassin: users

blacklist based on authoritative nameservers of sender domain


frodo at morgul

Aug 22, 2011, 4:13 PM

Post #1 of 9 (526 views)
blacklist based on authoritative nameservers of sender domain

I've recently observed a fair amount of spam from domains that all share
the same set of authoritative nameservers. It occurred to me that it
might be nice to be able to blacklist mail from all domains sharing
these nameservers, or maybe to simply have that trait count toward the
spam score. I don't believe there's currently a plugin to allow this
sort of thing. Is that correct? If so, would anybody be interested in
one if I was to write it? Or am I missing something obvious that makes
this not worth doing? I realize that the potential for collateral
damage is high, so I don't think it'd be wise to try and publish any
sort of data for such a plugin, but it seems like the plugin itself
might be occasionally useful...

noah


antispam at khopis

Aug 22, 2011, 4:52 PM

Post #2 of 9 (506 views)
Re: blacklist based on authoritative nameservers of sender domain [In reply to]

On 08/22/2011 04:13 PM, Noah Meyerhans wrote:
> I've recently observed a fair amount of spam from domains that all
> share the same set of authoritative nameservers. It occurred to me
> that it might be nice to be able to blacklist mail from all domains
> sharing these nameservers, or maybe to simply have that trait count
> toward the spam score.

You can't do whois en-masse (I'd love that, but ...), so this means an
NS host lookup. To determine if they are authoritative, that's another
lookup (which I don't believe is necessary). A blocklist would also be
another lookup (if using a BL, it could check the authoritativeness),
but I don't think that's completely necessary either.

Your plugin should create enough information for bayes and rules to
access the data, say through a pseudoheader that can be explicitly added
via template tags.

Thus, you'd be able to write a rule that checks the pseudoheader for a
problematic name server. Here's a mockup pseudoheader and matching rule
for an email that links spamassassin.org and example.net:

X-Spam-Uri-NS: [ dom=spamassassin.org ns=c.auth-ns.sonic.net
ns=ns.hyperreal.org ns=b.auth-ns.sonic.net ns=a.auth-ns.sonic.net ] [
dom=example.net ns=b.iana-servers.net. ns=a.iana-servers.net ]

header LOCAL_USES_DNS_EXAMPLE_NET X-Spam-Uri-NS =~ / ns=[ab].iana-servers\.net /

I left out NS server IPs because that's even more DNS lookups. URIs are
in order of appearance. NS order is not predictable (though I suppose
we could asciibetize).

> I don't believe there's currently a plugin to allow this sort of
> thing. Is that correct? If so, would anybody be interested in one
> if I was to write it? Or am I missing something obvious that makes
> this not worth doing? I realize that the potential for collateral
> damage is high, so I don't think it'd be wise to try and publish any
> sort of data for such a plugin, but it seems like the plugin itself
> might be occasionally useful...

It might be useful, but we'd have to test it to know.


darxus at chaosreigns

Aug 22, 2011, 5:21 PM

Post #3 of 9 (498 views)
Re: blacklist based on authoritative nameservers of sender domain [In reply to]

On 08/22, Adam Katz wrote:
> > this not worth doing? I realize that the potential for collateral
> > damage is high, so I don't think it'd be wise to try and publish any
> > sort of data for such a plugin, but it seems like the plugin itself
> > might be occasionally useful...
>
> It might be useful, but we'd have to test it to know.

I just wanted to point out we have the infrastructure for testing this,
via mass-checks:
http://wiki.apache.org/spamassassin/NightlyMassCheck

You create the plugin and a blacklist, open a bug to get somebody to
add it to trunk (the development branch of spamassassin), it gets run
with mass-check, not only collecting stats on its effectiveness, but
also calculating an optimal score to use for it.


The ASRG (anti-spam research group) may or may not be useful to talk to
about new ways to deal with spam.

--
"The most elementary and valuable statement in science, the beginning
of wisdom is: 'I do not know'." - Data, ST:TNG 2x2 Where Silence Has Lease
http://www.ChaosReigns.com


michael.scheidell at secnap

Aug 22, 2011, 10:38 PM

Post #4 of 9 (493 views)
Re: blacklist based on authoritative nameservers of sender domain [In reply to]

On 8/22/11 7:13 PM, Noah Meyerhans wrote:
> I've recently observed a fair amount of spam from domains that all share
> the same set of authoritative nameservers.

postfix:
check_sender_ns_access

--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
SECNAP Network Security Corporation

* Best Mobile Solutions Product of 2011
* Best Intrusion Prevention Product
* Hot Company Finalist 2011
* Best Email Security Product
* Certified SNORT Integrator

______________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r).
For Information please see http://www.secnap.com/products/spammertrap/
______________________________________________________________________


axb.lists at gmail

Aug 22, 2011, 10:51 PM

Post #5 of 9 (499 views)
Re: blacklist based on authoritative nameservers of sender domain [In reply to]

On 2011-08-23 2:21, darxus [at] chaosreigns wrote:
> On 08/22, Adam Katz wrote:
>>> this not worth doing? I realize that the potential for collateral
>>> damage is high, so I don't think it'd be wise to try and publish any
>>> sort of data for such a plugin, but it seems like the plugin itself
>>> might be occasionally useful...
>>
>> It might be useful, but we'd have to test it to know.
>
> I just wanted to point out we have the infrastructure for testing this,
> via mass-checks:
> http://wiki.apache.org/spamassassin/NightlyMassCheck
>
> You create the plugin and a blacklist, open a bug to get somebody to
> add it to trunk (the development branch of spamassassin), it gets run
> with mass-check, not only collecting stats on its effectiveness, but
> also calculating an optimal score to use for it.
>
>
> The ASRG (anti-spam research group) may or may not be useful to talk to
> about new ways to deal with spam.

create plugin? It's been in the URIBL plugin for quite a while

URIBL.com makes use of it: "URIBL_BLACK_NS"

http://www.uribl.com/usage.shtml


me at junc

Aug 22, 2011, 11:11 PM

Post #6 of 9 (503 views)
Re: blacklist based on authoritative nameservers of sender domain [In reply to]

On Mon, 22 Aug 2011 16:13:03 -0700, Noah Meyerhans wrote:
> I've recently observed a fair amount of spam from domains that all
> share
> the same set of authoritative nameservers.

1: make the plugin
2: add a whitelist/skiplist; ideally this could be the urlbl_skip_domain that is used

commit code to sandbox testing or custom plugins page

for me I just think AS tracking number is more useful, but let's see :)

how would the plugin work compared to freemail?


me at junc

Aug 22, 2011, 11:15 PM

Post #7 of 9 (495 views)
Re: blacklist based on authoritative nameservers of sender domain [In reply to]

On Tue, 23 Aug 2011 01:38:08 -0400, Michael Scheidell wrote:
> On 8/22/11 7:13 PM, Noah Meyerhans wrote:
>> I've recently observed a fair amount of spam from domains that all
>> share
>> the same set of authoritative nameservers.
>
> postfix:
> check_sender_ns_access

if outright blocking is wanted (it's stupid)


axb.lists at gmail

Aug 22, 2011, 11:17 PM

Post #8 of 9 (495 views)
Re: blacklist based on authoritative nameservers of sender domain [In reply to]

On 2011-08-23 7:38, Michael Scheidell wrote:
> On 8/22/11 7:13 PM, Noah Meyerhans wrote:
>> I've recently observed a fair amount of spam from domains that all share
>> the same set of authoritative nameservers.
>
> postfix:
> check_sender_ns_access

SA has this already... and more.
Read into URIDNSBL.pm and AskDNS.pm;
you can do LOTS of magic with them.


sm at resistor

Aug 27, 2011, 4:38 PM

Post #9 of 9 (476 views)
Re: blacklist based on authoritative nameservers of sender domain [In reply to]

At 16:52 22-08-2011, Adam Katz wrote:
>You can't do whois en-masse (I'd love that, but ...), so this means an
>NS host lookup. To determine if they are authoritative, that's another
>lookup (which I don't believe is necessary). A blocklist would also be
>another lookup (if using a BL, it could check the authoritativeness),
>but I don't think that's completely necessary either.

You don't need to use Whois. You already have the data:

;; ANSWER SECTION:
apache.org. 1800 IN A 140.211.11.131

;; AUTHORITY SECTION:
apache.org. 86398 IN NS ns2.no-ip.com.
apache.org. 86398 IN NS ns1.eu.bitnames.com.
apache.org. 86398 IN NS ns2.surfnet.nl.
apache.org. 86398 IN NS ns1.us.bitnames.com.

It's been a while since I tested this. If I recall correctly, it was
prone to false positives. You might be able to do some scoring
instead of blacklisting.

Regards,
-sm
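The two ideas in this thread, Adam Katz's X-Spam-Uri-NS pseudoheader with a header rule matched against it (post #2) and sm's point that the NS set is already present in the AUTHORITY SECTION of an ordinary lookup (post #9), fit together in one short script. The following Python is an added example written for this archive page; it is not code from the thread or from SpamAssassin. The dig-style text it parses is constructed sample data (the NS names are the ones from the thread's mockup, the TTLs and the 192.0.2.10 address are made up), the lookup function is a stand-in for a real resolver, and the rule names and scores are invented. The NS list is sorted ("asciibetized") so that rule regexes see a stable order, and the result is a score contribution rather than a block decision, following sm's remark about false positives.

```python
import re
from urllib.parse import urlsplit

# Constructed dig-style output for the two domains used in the thread's mockup.
# The record layout imitates the AUTHORITY SECTION quoted above; the TTLs and
# the A record address (192.0.2.10, documentation range) are sample data, not
# the result of a real lookup.
SAMPLE_DIG = {
    "spamassassin.org": (
        ";; ANSWER SECTION:\n"
        "spamassassin.org.\t1800\tIN\tA\t192.0.2.10\n"
        "\n"
        ";; AUTHORITY SECTION:\n"
        "spamassassin.org.\t86400\tIN\tNS\tns.hyperreal.org.\n"
        "spamassassin.org.\t86400\tIN\tNS\tc.auth-ns.sonic.net.\n"
        "spamassassin.org.\t86400\tIN\tNS\ta.auth-ns.sonic.net.\n"
        "spamassassin.org.\t86400\tIN\tNS\tb.auth-ns.sonic.net.\n"
    ),
    "example.net": (
        ";; AUTHORITY SECTION:\n"
        "example.net.\t86400\tIN\tNS\tb.iana-servers.net.\n"
        "example.net.\t86400\tIN\tNS\ta.iana-servers.net.\n"
    ),
}

# One resource record line: owner, TTL, class IN, type NS, target.
NS_RECORD = re.compile(r"^(\S+)\s+\d+\s+IN\s+NS\s+(\S+)$", re.IGNORECASE)


def parse_ns_records(dig_text):
    """Extract NS targets from dig-style output, lower-cased, without the
    trailing dot, and sorted so the result is stable regardless of the order
    the resolver returned them in."""
    servers = set()
    for line in dig_text.splitlines():
        match = NS_RECORD.match(line.strip())
        if match:
            servers.add(match.group(2).lower().rstrip("."))
    return sorted(servers)


def lookup_ns(domain):
    """Stand-in for a real NS lookup: reads the constructed dig output."""
    return parse_ns_records(SAMPLE_DIG.get(domain, ""))


def uri_domain(uri):
    """Host part of a URI. Simplification: the hostname is not reduced to its
    registered domain (www.example.net stays www.example.net)."""
    host = urlsplit(uri).hostname
    return host.lower().rstrip(".") if host else None


def build_uri_ns_header(uris, lookup=lookup_ns):
    """Build the X-Spam-Uri-NS pseudoheader value: one [ dom=... ns=... ]
    group per distinct domain, in order of first appearance in the message."""
    domains = []
    for uri in uris:
        domain = uri_domain(uri)
        if domain and domain not in domains:
            domains.append(domain)
    groups = []
    for domain in domains:
        tokens = ["dom=" + domain] + ["ns=" + ns for ns in lookup(domain)]
        groups.append("[ " + " ".join(tokens) + " ]")
    return " ".join(groups)


# Rules in the spirit of `header NAME X-Spam-Uri-NS =~ /.../`; the surrounding
# spaces anchor each match to a whole ns= token. Names and scores are made up.
RULES = {
    "LOCAL_USES_DNS_EXAMPLE_NET": r" ns=[ab]\.iana-servers\.net ",
    "LOCAL_USES_DNS_SONIC": r" ns=[abc]\.auth-ns\.sonic\.net ",
}
SCORES = {"LOCAL_USES_DNS_EXAMPLE_NET": 1.5, "LOCAL_USES_DNS_SONIC": 0.25}


def matching_rules(header_value, rules=RULES):
    """Names of the rules whose regex matches the pseudoheader."""
    return [name for name, pattern in rules.items()
            if re.search(pattern, header_value)]


def score_uris(uris, lookup=lookup_ns):
    """Pseudoheader, rule hits and the summed score contribution. Scoring
    rather than outright blocking keeps a shared nameserver as one piece of
    evidence that other rules can outweigh."""
    header = build_uri_ns_header(uris, lookup)
    hits = matching_rules(header)
    return header, hits, sum(SCORES[name] for name in hits)


if __name__ == "__main__":
    header, hits, score = score_uris(
        ["http://spamassassin.org/", "https://example.net/offer",
         "http://example.net/"])
    print("X-Spam-Uri-NS:", header)
    print("hits:", hits, "score:", score)
```

A real plugin would replace `lookup_ns` with asynchronous DNS queries and, as the thread notes, would need a skip list for widely shared hosting nameservers before any of these rules could be given a meaningful score.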
