Dec 19

I just found that anti-spam.org.cn's CBL has listed Xuite's SMTP server (IP 210.242.46.140).

So I removed the anti-spam.org.cn RBL from the sendmail, Postfix and exim configurations.

Also, in exim, I extended the ACL from the previous post into the following:

check_hello:

  # HELO/EHLO sanity checks. "match" is an unanchored regex, so the
  # localhost/none tests also hit names that merely contain those strings.
  deny    message = HELO/EHLO with wrong IP address.
          hosts = !+relay_hosts
          log_message = HELO/EHLO my.ip
          condition = ${if eq {$sender_helo_name}{###.###.###.###} {yes}{no}}

  deny    message = HELO/EHLO with wrong IP address.
          hosts = !+relay_hosts
          log_message = HELO/EHLO localhost
          condition = ${if match {$sender_helo_name}{localhost} {yes}{no}}

  deny    message = HELO/EHLO with wrong IP address.
          log_message = HELO/EHLO none
          condition = ${if match {$sender_helo_name}{none} {yes}{no}}

  deny    message = HELO/EHLO with wrong IP address.
          log_message = HELO/EHLO no dot
          condition = ${if match{$sender_helo_name}{\\.}{no}{yes}}

  accept

check_mail:

  # DNSBL lookup on the connecting host. Relay hosts and authenticated
  # clients are exempt from every deny in this ACL.
  deny    message = $sender_host_address is listed in $dnslist_domain
          hosts = !+relay_hosts
          !authenticated = *
          dnslists = bl.spamcop.net : \
                     sbl.spamhaus.org : \
                     list.dsbl.org

  # The envelope sender must contain a dot. Note that the empty bounce
  # sender (<>) contains no dot either and is rejected by this rule.
  deny    message = Invalid mail-from envelope header
          hosts = !+relay_hosts
          !authenticated = *
          log_message = Invalid mail-from envelope header
          condition = ${if match {$sender_address} {\\.} {no}{yes}}

  # Sender domain vs. reverse DNS of the sending host. A host without a
  # PTR record gives an empty $sender_host_name and is denied as well.
  deny    message = Fake mail address.
          hosts = !+relay_hosts
          !authenticated = *
          log_message = Fake Yahoo
          senders = *@yahoo.com
          condition = ${if match {$sender_host_name}{\Nyahoo\.com$\N}{no}{yes}}

  deny    message = Fake mail address.
          hosts = !+relay_hosts
          !authenticated = *
          log_message = Fake Yahoo
          senders = *@yahoo.com.tw
          condition = ${if match {$sender_host_name}{\Nyahoo\.com$\N}{no}{yes}}

  deny    message = Fake mail address.
          hosts = !+relay_hosts
          !authenticated = *
          log_message = Fake hotmail
          senders = *@hotmail.com
          condition = ${if match {$sender_host_name}{\Nhotmail\.com$\N}{no}{yes}}

  deny    message = Fake mail address.
          hosts = !+relay_hosts
          !authenticated = *
          log_message = Fake MSN
          senders = *@msn.com
          condition = ${if match {$sender_host_name}{\N(hotmail|msn)\.com$\N}{no}{yes}}

  deny    message = Fake mail address.
          hosts = !+relay_hosts
          !authenticated = *
          log_message = Fake AOL
          senders = *@aol.com
          condition = ${if match {$sender_host_name}{\Nmx\.aol\.com$\N}{no}{yes}}

  deny    message = Fake mail address.
          hosts = !+relay_hosts
          !authenticated = *
          log_message = Fake Gmail
          senders = *@gmail.com
          condition = ${if match {$sender_host_name}{\Ngoogle\.com$\N}{no}{yes}}

  deny    message = Fake mail address.
          hosts = !+relay_hosts
          !authenticated = *
          log_message = Fake Hinet
          senders = *@hinet.net
          condition = ${if match {$sender_host_name}{\Nhinet\.net$\N}{no}{yes}}

  deny    message = Fake mail address.
          hosts = !+relay_hosts
          !authenticated = *
          log_message = Fake Hinet
          senders = *@msa.hinet.net
          condition = ${if match {$sender_host_name}{\Nhinet\.net$\N}{no}{yes}}

  deny    message = Fake mail address.
          hosts = !+relay_hosts
          !authenticated = *
          log_message = Fake Hinet
          senders = *@umail.hinet.net
          condition = ${if match {$sender_host_name}{\Nhinet\.net$\N}{no}{yes}}

  deny    message = Fake mail address.
          hosts = !+relay_hosts
          !authenticated = *
          log_message = Fake Hinet
          senders = *@cm1.hinet.net
          condition = ${if match {$sender_host_name}{\Nhinet\.net$\N}{no}{yes}}

  deny    message = Fake mail address.
          hosts = !+relay_hosts
          !authenticated = *
          log_message = Fake Xuite
          senders = *@xuite.net
          condition = ${if match {$sender_host_name}{\Nxuite\.net$\N}{no}{yes}}

  accept

check_data:

  # Message-ID and Date are required headers for a well-formed message.
  deny    message = Message SHOULD have Message-ID.
          hosts = !+relay_hosts
          !authenticated = *
          log_message = No Message-ID
          condition = ${if !def:h_Message-ID: {1}}

  deny    message = Message SHOULD have Date.
          hosts = !+relay_hosts
          !authenticated = *
          log_message = No Date
          condition = ${if !def:h_Date: {1}}

  accept
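To exercise these rules without a live exim, here is an added Python mirror of the check_hello and check_mail logic (example code, not from the original post). Only the rule table comes from the ACL; 192.0.2.10 stands in for the server's own redacted address, and the host names in the test are constructed.

```python
import re

# Added example (not the blog's own code): a Python mirror of the exim
# check_hello / check_mail rules above, so they can be exercised offline.
# 192.0.2.10 stands in for the server's own (redacted) address.
MY_IP = "192.0.2.10"

# Sender domain -> regex the sender host's reverse-DNS name must match,
# the same patterns as the \N...$\N conditions (dots escaped).
SENDER_HOST_RULES = {
    "yahoo.com": r"yahoo\.com$",       "yahoo.com.tw": r"yahoo\.com$",
    "hotmail.com": r"hotmail\.com$",   "msn.com": r"(hotmail|msn)\.com$",
    "aol.com": r"mx\.aol\.com$",       "gmail.com": r"google\.com$",
    "hinet.net": r"hinet\.net$",       "msa.hinet.net": r"hinet\.net$",
    "umail.hinet.net": r"hinet\.net$", "cm1.hinet.net": r"hinet\.net$",
    "xuite.net": r"xuite\.net$",
}

def check_helo(helo_name, relay_host=False):
    """Return None to accept, or the log_message the ACL would record."""
    if not relay_host and helo_name == MY_IP:
        return "HELO/EHLO my.ip"
    # 'match' is an unanchored regex: "nonesuch.example.com" hits "none" too
    if not relay_host and re.search("localhost", helo_name):
        return "HELO/EHLO localhost"
    if re.search("none", helo_name):
        return "HELO/EHLO none"
    if not re.search(r"\.", helo_name):
        return "HELO/EHLO no dot"
    return None

def check_mail(sender_address, sender_host_name, relay_host=False, authenticated=False):
    """Return None to accept, or the log_message of the first deny that fires."""
    if relay_host or authenticated:       # hosts = !+relay_hosts / !authenticated = *
        return None
    if not re.search(r"\.", sender_address):   # also true for the empty bounce sender
        return "Invalid mail-from envelope header"
    domain = sender_address.rpartition("@")[2].lower()
    pattern = SENDER_HOST_RULES.get(domain)
    if pattern is None:                   # no 'senders = *@...' rule for this domain
        return None
    # No PTR record => empty $sender_host_name => no match => denied.
    if re.search(pattern, sender_host_name.lower()):
        return None
    return f"Fake {domain}"
```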

By the way... after adding the ACL from the previous post, the reject log grew to more than three times its original size. XD

Dec 12

In the previous post you can see the DNSBL list I normally use (in Postfix):

reject_rbl_client bl.spamcop.net,
reject_rbl_client sbl.spamhaus.org,
reject_rbl_client list.dsbl.org,
reject_rbl_client cblless.anti-spam.org.cn,

In sendmail, I use these settings:

FEATURE(`dnsbl', `bl.spamcop.net', `"550 Spam blocked, see: http://spamcop.net/bl.shtml?"$&{client_addr}')dnl
FEATURE(`dnsbl', `sbl.spamhaus.org', `"550 Spam blocked, see: http://www.spamhaus.org/query/bl?ip="$&{client_addr}')dnl
FEATURE(`dnsbl', `list.dsbl.org', `"550 Spam blocked, see: http://dsbl.org/listing?"$&{client_addr}')dnl
FEATURE(`dnsbl', `cblless.anti-spam.org.cn', `"550 Spam blocked, see: http://anti-spam.org.cn/services/rblquery.php?IP="$&{client_addr}')dnl

I just received a mail saying that Hinet mailboxes were being blocked.
Looking in the maillog, I saw these:

Dec 12 15:27:45 #### sm-mta[56538]: lBC7RiVG056538: ruleset=check_rcpt, arg1=< ####@####.####>, relay=msr14.hinet.net [168.95.4.114], reject=550 5.7.1 < ####@####.####>... Spam blocked, see: http://anti-spam.org.cn/services/rblquery.php?IP=168.95.4.114

Dec 12 10:26:55 #### sm-mta[42224]: ruleset=check_relay, arg1=msr28.hinet.net, arg2=127.0.8.5, relay=msr28.hinet.net [168.95.4.128], reject=550 5.7.1 Spam blocked, see: http://anti-spam.org.cn/services/rblquery.php?IP=168.95.4.128

anti-spam.org.cn has the following lists:

  • CBL (Chinese spam blacklist): mainly aimed at the spam situation inside China; the addresses selected for the blacklist are based primarily on spam reports from within China.
  • CDL (China dynamic-address list): dynamically assigned addresses in China and Taiwan.
  • BML (large mail-operator list)
  • TML (trusted mail-server addresses)

The blacklists available for use are these (all of them already have BML removed):

  • CBL
  • CDL
  • CBL+: CBL plus CDL.
  • CBL-: CBL plus CDL, minus TML.

Of these, CBL- (cblless) is what the configuration at the top of this post uses.

On the anti-spam.org.cn home page, looking up these two Hinet mail servers in the blacklist query shows that both were misjudged and placed in the CDL list.

I think Hinet's mail servers ought to be in BML, but anti-spam.org.cn has not done that.
For now, since Hinet's mail servers are still in CDL, we probably have to settle for using the plain CBL list.

So I just changed the Postfix configuration to this:

reject_rbl_client bl.spamcop.net,
reject_rbl_client sbl.spamhaus.org,
reject_rbl_client list.dsbl.org,
reject_rbl_client cbl.anti-spam.org.cn,

And sendmail uses these:

FEATURE(`dnsbl', `bl.spamcop.net', `"550 Spam blocked, see: http://spamcop.net/bl.shtml?"$&{client_addr}')dnl
FEATURE(`dnsbl', `sbl.spamhaus.org', `"550 Spam blocked, see: http://www.spamhaus.org/query/bl?ip="$&{client_addr}')dnl
FEATURE(`dnsbl', `list.dsbl.org', `"550 Spam blocked, see: http://dsbl.org/listing?"$&{client_addr}')dnl
FEATURE(`dnsbl', `cbl.anti-spam.org.cn', `"550 Spam blocked, see: http://anti-spam.org.cn/")dnl
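What a reject_rbl_client or FEATURE(dnsbl) lookup actually does, as an added Python example (not the blog's code): reverse the client's octets, query them under the zone, and treat only a 127.x.x.x answer as a listing. DNS is replaced by a constructed table that reproduces the Hinet case from the maillog above, so it runs offline; the 127.0.8.5 answer for msr28.hinet.net is the one logged, and the same answer for msr14.hinet.net is an assumption.

```python
import ipaddress

# Added example (not the blog's own code): how a reject_rbl_client /
# FEATURE(dnsbl) lookup is formed and interpreted. DNS is replaced by the
# constructed FAKE_ZONES table so it runs offline; the 127.0.8.5 answer for
# msr28.hinet.net is the one in the maillog, the answer for msr14.hinet.net
# is assumed to be the same.
FAKE_ZONES = {
    "128.4.95.168.cblless.anti-spam.org.cn": "127.0.8.5",
    "114.4.95.168.cblless.anti-spam.org.cn": "127.0.8.5",
    # neither host appears in the plain cbl.anti-spam.org.cn zone
}
OLD_ZONES = ["bl.spamcop.net", "sbl.spamhaus.org", "list.dsbl.org",
             "cblless.anti-spam.org.cn"]
NEW_ZONES = OLD_ZONES[:3] + ["cbl.anti-spam.org.cn"]

def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the DNSBL zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone

def fake_resolve(name):
    """Stand-in for an A-record lookup: the answer, or None for NXDOMAIN."""
    return FAKE_ZONES.get(name)

def dnsbl_listed(ip, zone, resolve=fake_resolve):
    """Return the 127.x.x.x answer if ip is listed in zone, else None.

    Answers outside 127.0.0.0/8 are ignored: a wildcarded or dead zone can
    return such addresses, and treating them as listings rejects all mail.
    """
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return None
    if ipaddress.IPv4Address(answer) not in ipaddress.IPv4Network("127.0.0.0/8"):
        return None
    return answer

def first_listing(ip, zones, resolve=fake_resolve):
    """Walk the zones in order, like a chain of reject_rbl_client lines."""
    for zone in zones:
        answer = dnsbl_listed(ip, zone, resolve)
        if answer:
            return zone, answer
    return None
```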

By the way, has anyone used other DNSBLs that they think are pretty good?
Please recommend some~

May 06

Earlier, in sendmail milters, I mentioned:

Because today I received a mail from a professor in our department, still complaining in it that there is a lot of mail spam.

The department's mail server already uses 3 DNSBLs (SpamCop, Spamhaus, ORDB), SpamAssassin, and blocks sending from dynamic ADSL IPs (you can only send after passing SMTP Auth).
But from what I have observed, these still don't seem to be enough, so I just added a greylisting mechanism, hoping to cut down the amount of advertising mail further.

As a result, today wise got mail.
A professor said his mail takes a while, sometimes even several days, to arrive...

Obviously the problem must lie with greylisting.
My guess is that the badly delayed mails all come from the mail servers of large organisations, e.g. Yahoo, Hotmail, Gmail.

Looks like I'll have to start the painful work of finding the IP ranges of these large organisations' mail servers.... orz
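Why greylisting hits the big providers in particular, as an added simulation (not the blog's code): a minimal greylist keyed on the (client IP, sender, recipient) triplet, replayed against constructed delivery attempts. 198.51.100.0/24 is assumed to be a provider's outbound pool, and the /24 keying option shows the effect of treating that whole range as one client, which is what collecting the providers' IP ranges is for.

```python
import ipaddress

# Added example (not the blog's own code): a minimal greylist keyed on the
# (client IP, sender, recipient) triplet, to show why mail from a large
# provider's sending pool is delayed far longer than mail from a single host.
# Attempt timelines below are constructed; 198.51.100.0/24 is assumed to be
# the provider's outbound pool.
DELAY = 300  # seconds a new triplet must wait before a retry is accepted

class Greylist:
    def __init__(self, key_prefix_len=32):
        self.seen = {}                    # triplet -> time first seen
        self.prefix_len = key_prefix_len  # 24 keys on the /24, not the exact host

    def _key(self, ip, sender, rcpt):
        net = ipaddress.IPv4Network(f"{ip}/{self.prefix_len}", strict=False)
        return (str(net), sender, rcpt)

    def check(self, now, ip, sender, rcpt):
        """Return 'accept' or 'defer' (a 4xx temporary failure; a real MTA retries)."""
        key = self._key(ip, sender, rcpt)
        first = self.seen.setdefault(key, now)
        return "accept" if now - first >= DELAY else "defer"

def deliver(greylist, attempts, sender="prof@bigmail.example", rcpt="wise@dept.example"):
    """Replay (time, client_ip) attempts for one message; return the time it got through."""
    for t, ip in attempts:
        if greylist.check(t, ip, sender, rcpt) == "accept":
            return t
    return None

# One host retrying after 15 minutes: accepted on the first retry.
SINGLE_HOST = [(0, "203.0.113.5"), (900, "203.0.113.5")]
# A provider pool rotates outbound hosts, so every retry is a new triplet
# and restarts the timer; the mail waits until some host happens to repeat.
POOL = [(0, "198.51.100.10"), (900, "198.51.100.11"), (1800, "198.51.100.12"),
        (2700, "198.51.100.13"), (3600, "198.51.100.10")]
```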

Mar 05

Because today I received a mail from a professor in our department, still complaining in it that there is a lot of mail spam.

The department's mail server already uses 3 DNSBLs (SpamCop, Spamhaus, ORDB), SpamAssassin, and blocks sending from dynamic ADSL IPs (you can only send after passing SMTP Auth).
But from what I have observed, these still don't seem to be enough, so I just added a greylisting mechanism, hoping to cut down the amount of advertising mail further.

While installing it and browsing around, I came across this: Sendmail Milter Softwares from Snert, which lists some milter software usable with sendmail.

There are also some under FreeBSD ports; I'm collecting them here for reference. :p

  • kavmilter - Sendmail antivirus filter, based on Kaspersky Antivirus and Milter API.
  • milter-7bit - A mail filter that tags or rejects email that fail to adhere to proper transfer encodings.
  • milter-ahead - A call ahead milter that allows a gateway to verify recipients with an internal mail store before accepting mail.
  • milter-bcc - A utility milter that can Bcc: a mailbox for mail to/from particular users and/or domains.
  • milter-bogom - Simple sendmail milter to interface bogofilter.
  • milter-date - A Sendmail milter that validates a message's Received, Resent-Date, and Date headers.
  • milter-greylist - Easy-to-use greylist milter for sendmail.
  • milter-gris - A Sendmail milter that implements a grey listing technique.
  • milter-limit - Limit the number of messages by connecting client IP, from a sender, or to a recipient over a given time period.
  • milter-regex - Milter plugin to sendmail for regular expression filtering.
  • milter-siq - Tag, reject, or discard mail using a SIQ reputation server. Based on the Internet Draft for the SIQ Protocol.
  • milter-sender - A Sendmail milter that checks in real-time if a sender's mailbox is in good standing before accepting the message.
  • milter-spamc - Yet another Sendmail milter that interfaces with SpamAssassin's spamd daemon.
  • rbl-milter - A milter that adds mail header warnings on mail from open-relays.
  • sccmilter - Sendmail spam control and canceling filter, based on Milter API.
  • spamass-milter - Sendmail Milter (mail filter) for SpamAssassin.
  • spamilter - A Sendmail LibMilter filter to block spam.

Feb 21

Today, while reporting spam to SpamCop, I found something quite interesting. (Anyone who understands the title has probably already guessed what it is?! :p)
(If you don't know what SpamCop is, have a look at Gea-Suan Lin's BLOG: SpamCop and SpamCup)

I'll explain the interesting thing at the end of this post; first, a bit about my anti-spam history.

A long time ago I played with the DNSBL mechanism myself.
I built my own DNSBL database (related posts are here), but later found maintaining it myself really tiring, so I gave up.

After that, for filtering advertising and virus mail, I adopted the following software and configurations one after another:

  • SpamAssassin to classify spam and add its verdict to the mail headers.
  • AMaVIS with F-Prot, Dr.Web and ClamAV to detect and filter virus mail.
  • Blocking sending from dynamic ADSL IPs outright (you can only send after SMTP Authentication).
  • DSPAM to classify spam and add its verdict to the mail headers.
  • Greylisting to block bulk-mailing software.
  • SpamCop to block spam.

Adding SpamCop was something I decided on only after seeing gslin's post [文件] SpamCop (擋廣告信) (a document on blocking spam with SpamCop) on tw.bbs.comp.386bsd a few days ago.

After reading it I still thought about it for a while, because when I ran my own DNSBL earlier, there were cases of mail being blocked by mistake.

This is because the DNSBL mechanism differs from SpamAssassin and DSPAM.

SpamAssassin and DSPAM compare each mail's features only after the mail has been received, and after the comparison you can choose whether to discard it outright (redirect to /dev/null) or just add a classification message to the mail; a DNSBL instead sends the connecting IP off for a lookup, and if there is a record it denies the connection directly.

Because a DNSBL denies directly, a misjudged mail is very hard to get back.

But because blocking mail with SpamAssassin and DSPAM consumes a lot of system resources, and even when a mail has been classified as unwanted spam, AMaVIS still has to scan it once for viruses, after thinking it over I added the SpamCop DNSBL blocking mechanism on several machines.

After adding the SpamCop DNSBL blocking, the spam volume dropped sharply and the workload of SpamAssassin, DSPAM and AMaVIS was reduced considerably, but some still slipped through, so I also registered a SpamCop account to report spam.

Because SpamCop, when accepting a spam report, extracts the sender's IP together with the URLs inside the mail, today while reporting spam I noticed that one spam mail had hidden a URL made with TinyURL in it.
(I'm not sure what SpamCop does with those URLs, but I submitted that report anyway. XD)

TinyURL has already fallen; I wonder when 0rz.net will start showing up. (shudder)
