Background
==========
I'm an end user at an ISP that uses a modified qmail to allow end users
to admin SMTP-stage filters without having to admin the MTA. I have a
personal domain that uses ZoneEdit, which allows me to point my MX entry
at a remote ISP. The personal email account allows 10 email addresses.
That leaves me 7 free, after allowing for postmaster, domain admin, and
abuse @ my domain.
On Fri, Jan 27, 2006 at 07:54:01AM -0500, Daniel Feenberg wrote:
> Of these only 874 (13%) had an existing RDNS that did not reek of dynamic
> assignment. That is, did not include the strings "dsl", "dynamic", "dial"
> or "pool" and did not have any all-digit components.
My rDNS filters for dynamic addresses are...
PIREJECTREGEX [0-9]+-[0-9]+-[0-9]+
PIREJECTREGEX [0-9]+\.[0-9]+\.[0-9]+
PIREJECTREGEX adsl
PIREJECTREGEX dhcp
PIREJECTREGEX dynamic
PIREJECTTAIL ipt.aol.com
PIREJECTTAIL cpe.net.cable.rogers.com
> So by adding that test, it looks like we could dramatically reduce the
> remaining spam burden we face.
I put DNSbls at the latest stage possible in the sequence. If a
heuristic rule blocks an email, the DNSbls are never queried. This is
kinder-&-gentler on the DNSbls, and speeds up processing at my (remote)
inbox. Here's an analysis of January's rejects so far in sequential
order. If a rule rejects an email, following rules don't see it.
Total = 2694
# Yes, spammers *ARE* stupid enough to HELO as my remote ISP or as
# waltdnes.org. If they want to make things easy for me, I'm happy.
Badly forged HELO = 97
# The next 2 rules account for 5/6ths of all rejects.
No hostname = 648
Dynamic IP by rDNS regex = 1602
Country by rDNS = 160
Country by envelope-sender = 6
Provider by rDNS = 0
Provider by envelope-sender = 0
Blatant phish = 4
# The 419/lottery assholes have recently set up shop at Hotmail. I'm
# not going to fall for their scams, but the spams are annoying.
Rejected Hotmail = 19
# Since this is a personal domain, I can put on draconian filters that
# ISPs could never consider
12.0.0.0/8 CIDR = 2
24.0.0.0/8 CIDR = 17
41.0.0.0/8 CIDR = 0
58.0.0.0/7 CIDR = 0
60.0.0.0/7 CIDR = 0
124.0.0.0/7 CIDR = 0
126.0.0.0/8 CIDR = 0
189.0.0.0/8 CIDR = 0
190.0.0.0/8 CIDR = 0
200.0.0.0/6 CIDR = 3
210.0.0.0/7 CIDR = 2
218.0.0.0/7 CIDR = 7
220.0.0.0/6 CIDR = 2
Various lists of dnsbl.sorbs.net = 90
list.dsbl.org = 19
# Email from somebody@aol.com must actually originate from AOL.
# Email from somebody@yahoo.com must actually originate from yahoo.com,
# etc.
# Some domains are heavily forged but, unlike Hotmail, I don't receive
# much spam actually from them.
Commonly forged from not verified = 11
> But I wonder why the DNSBLs don't do that. I have seen the suggestion
> that many legitimate mailservers have such addresses. Is this really
> true? I never see them in my own incoming mail, and I don't have
> access to a more general sample of known good mail.
They do, but they're known as "DUL" lists. DUL was the actual name of
an early "Dial Up List", and is now used generically, like "RBL". For
legal reasons, calling *EVERY* dynamic IP a spam source is a bad idea.
But making a truthful statement of fact ("This IP address is dynamically
assigned") is more defensible in court (IANAL, talk to a real one for
legal advice). It is up to MTA admins to decide to use the lists as a
reason for rejection.
I've been using my dynamic IP regexes for over a year and ran into
only one case where a business (actually multiple domain hosting)
tripped the "[0-9]+-[0-9]+-[0-9]+" rule. The admin, who ran the MTA
which served multiple small businesses, was concerned about having ended
up in a DNSbl. I assured him that it was my homebrew rule, not a DNSbl,
explained exactly why the false positive occurred, and courteously
suggested that he request his provider fix up the rDNS to not look like
an average home user dynamic IP address. I whitelisted 209.139.212.0/24
where some addresses do have static-looking rDNS, whilst others look
like h209-139-212-nnn.gtcust.grouptelecom.net, where "nnn" is the last
of the dotted quads.
--
Walter Dnes <waltdnes@waltdnes.org> In linux /sbin/init is Job #1
My musings on technology and security at http://tech_sec.blog.ca
_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
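The sequential reject pipeline the post describes, as an added example in Python; it is not the author's qmail patch and not part of the original message. It takes the PIREJECTREGEX and PIREJECTTAIL rules verbatim from the post, three of the post's CIDR blocks, and the 209.139.212.0/24 whitelist, and assumes (as the post does not say) that the whitelist is consulted before any reject rule and that `waltdnes.org` is the only local domain a forged HELO would claim. The sample connections use documentation-range IPs and made-up hostnames, constructed for this example. `dynamic_reason()` reports which rule fired, which is what you need when explaining a false positive like the grouptelecom.net one to the remote admin, and `tally()` reproduces the "first rule wins, later rules never see it" accounting of the post's January report.

```python
import ipaddress
import re
from collections import Counter

# Rules copied from the post's PIREJECTREGEX / PIREJECTTAIL lines.
DYNAMIC_RDNS_REGEX = [
    r"[0-9]+-[0-9]+-[0-9]+",
    r"[0-9]+\.[0-9]+\.[0-9]+",
    r"adsl",
    r"dhcp",
    r"dynamic",
]
DYNAMIC_RDNS_TAIL = ["ipt.aol.com", "cpe.net.cable.rogers.com"]

# The whitelist from the post: a hosting provider whose rDNS looks dynamic.
WHITELIST = [ipaddress.ip_network("209.139.212.0/24")]

# Three of the post's CIDR rejects; the post lists more.
REJECT_CIDR = [ipaddress.ip_network(c) for c in ("12.0.0.0/8", "24.0.0.0/8", "218.0.0.0/7")]

# Assumed: the only local domain an outside sender might forge in HELO.
MY_DOMAINS = ["waltdnes.org"]


def _under(name, tail):
    """True when `name` equals `tail` or is a sub-label of it (label-boundary match)."""
    return name == tail or name.endswith("." + tail)


def dynamic_reason(rdns):
    """Return the regex or tail that marks `rdns` as dynamic, or None.
    This is the 'why did my host trip the rule' answer for a remote admin."""
    name = rdns.lower()
    for pattern in DYNAMIC_RDNS_REGEX:
        if re.search(pattern, name):
            return pattern
    for tail in DYNAMIC_RDNS_TAIL:
        if _under(name, tail):
            return tail
    return None


def classify(ip, rdns, helo):
    """Return the first rule that rejects the connection, or None to accept.
    Rule order follows the post; the whitelist-first position is assumed."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in WHITELIST):
        return None
    if any(_under(helo.lower(), d) for d in MY_DOMAINS):
        return "Badly forged HELO"
    if not rdns:
        return "No hostname"
    if dynamic_reason(rdns):
        return "Dynamic IP by rDNS regex"
    if any(addr in net for net in REJECT_CIDR):
        return "CIDR"
    return None  # only now would a DNSBL lookup be spent on this connection


def tally(messages):
    """Count rejects per rule in the sequential style of the post's report."""
    counts = Counter()
    for ip, rdns, helo in messages:
        counts[classify(ip, rdns, helo) or "accepted"] += 1
    return counts


# Constructed sample connections: (connecting IP, rDNS or None, HELO string).
SAMPLE = [
    ("203.0.113.7", "h203-0-113-7.example.net", "mail.example.net"),
    ("198.51.100.9", None, "friend.example.com"),
    ("192.0.2.5", "smtp.example.org", "mail.waltdnes.org"),
    ("24.1.2.3", "mail.example.com", "mail.example.com"),
    ("209.139.212.42", "h209-139-212-42.gtcust.grouptelecom.net", "mx.example.net"),
    ("198.51.100.20", "host.ipt.aol.com", "host.ipt.aol.com"),
    ("192.0.2.11", "mx.example.com", "mx.example.com"),
]

if __name__ == "__main__":
    for rule, n in tally(SAMPLE).most_common():
        print(f"{rule} = {n}")
    # The whitelisted host would otherwise have tripped the hyphenated-digits rule.
    print("whitelisted host would have tripped:",
          dynamic_reason("h209-139-212-42.gtcust.grouptelecom.net"))
```

The tail match is deliberately anchored at a label boundary, so `xipt.aol.com` does not match `ipt.aol.com`; a plain `endswith()` would. Whitelisting by CIDR rather than by loosening the regex keeps the rule intact for the rest of the address space, which is the trade-off the post describes.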