Spamhaus Zen

palinka
Senior user
Posts: 1097
Joined: 2017-09-12 17:57

Spamhaus Zen

Post by palinka » 2019-06-08 14:02

Currently I'm using spamhaus to reject snowshoe spam, which is very effective. I'm considering expanding the rejection to other blacklists.

Code: Select all

Return Codes	Contains
127.0.0.2	Direct UBE sources, spam operations & spam services
127.0.0.3	Direct snowshoe spam sources detected via automation
127.0.0.4-7	CBL (3rd party exploits such as proxies, trojans, etc.)
127.0.0.10-11	End-user Non-MTA IP addresses set by ISP outbound mail policy

Before I do that, I was wondering if there is a good reason not to, like too many false positives. Does anyone have experience REJECTING based on the other blacklists? Rejecting as in not accepting/receiving the message at all VS accepting the message and processing it for possible spam. Thanks for any advice.

RvdH
Senior user
Posts: 798
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Spamhaus Zen

Post by RvdH » 2019-06-08 14:06

I use them all, although through SpamAssassin :)
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

Post by palinka » 2019-06-08 14:56

RvdH wrote:
2019-06-08 14:06
I use them all, although through SpamAssassin :)
Me too, but the goal is to not even receive any spam for SA to process. :mrgreen:

I want to break bayes through neglect. :lol:

Post by RvdH » 2019-06-08 16:25

Does hMailServer stop processing antispam measures once the Spam mark threshold has been reached? Otherwise you would be doing double lookups...

SorenR
Senior user
Posts: 3183
Joined: 2006-08-21 15:38
Location: Denmark

Re: Spamhaus Zen

Post by SorenR » 2019-06-08 17:20

Code: Select all

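' Returns True when the LashBack UBL lookup for strIP answers 127.0.0.2.
Function IsLashBack(strIP) : IsLashBack = False
   Dim a, strLookup
   a = Split(strIP, ".")
   ' The query name is built from four IPv4 octets; skip anything else (e.g. IPv6).
   If UBound(a) <> 3 Then Exit Function
   With CreateObject("DNSLibrary.DNSResolver")
      ' Reverse the octets and append the DNSBL zone.
      strLookup = .DNSLookup(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".ubl.unsubscore.com")
   End With
   If (InStr(1, strLookup, "127.0.0.2", 1) > 0) Then IsLashBack = True
End Function

SørenR.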

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde

Post by RvdH » 2019-06-08 18:09

Lashback?

Code: Select all

' The Spamhaus Block List ("SBL") Advisory is a database of IP addresses from which Spamhaus does not recommend 
' the acceptance of electronic mail.
' Spamhaus DROP/EDROP Data (127.0.0.9 in addition to 127.0.0.2, since 01-Jun-2016)
' strIP is taken ByVal in these functions because it is reused to hold the DNS answer;
' VBScript passes ByRef by default, which would overwrite the caller's variable.
Function IsInSpamHausSBL(ByVal strIP) : IsInSpamHausSBL = false
	Dim a : a = Split(strIP, ".")
	If UBound(a) <> 3 Then Exit Function ' not a dotted-quad IPv4 address (e.g. IPv6): no lookup
	With CreateObject("DNSLibrary.DNSResolver")
		strIP = .DNSLookup(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".sbl.spamhaus.org")
	End With
	Dim strRegEx : strRegEx = "(127\.0\.0\.(?:2|9))"
	IsInSpamHausSBL = Lookup(strRegEx, strIP)
End Function

' Spamhaus CSS Component of the SBL
' The Spamhaus CSS list is an automatically produced dataset of IP addresses that are involved in sending 
' low-reputation email. CSS mostly targets static spam emitters that are not covered in the PBL or XBL, 
' such as snowshoe spam operations.
Function IsInSpamHausCSS(ByVal strIP) : IsInSpamHausCSS = false
	Dim a : a = Split(strIP, ".")
	If UBound(a) <> 3 Then Exit Function ' IPv4 only
	With CreateObject("DNSLibrary.DNSResolver")
		strIP = .DNSLookup(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".sbl.spamhaus.org")
	End With
	Dim strRegEx : strRegEx = "(127\.0\.0\.3)"
	IsInSpamHausCSS = Lookup(strRegEx, strIP)
End Function

' EXPLOITS BLOCK LIST
' The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of hijacked PCs infected by 
' illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses 
' with built-in spam engines, and other types of trojan-horse exploits.
Function IsInSpamHausXBL(ByVal strIP) : IsInSpamHausXBL = false
	Dim a : a = Split(strIP, ".")
	If UBound(a) <> 3 Then Exit Function ' IPv4 only
	With CreateObject("DNSLibrary.DNSResolver")
		strIP = .DNSLookup(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".xbl.spamhaus.org")
	End With
	Dim strRegEx : strRegEx = "(127\.0\.0\.4)"
	IsInSpamHausXBL = Lookup(strRegEx, strIP)
End Function

' Returns True when strMatch contains a match for the pattern strRegEx.
Function Lookup(strRegEx, strMatch)
	With CreateObject("VBScript.RegExp")
		.Global = False
		.Pattern = strRegEx
		.IgnoreCase = True
		Lookup = .Test(strMatch)
	End With
End Function

:mrgreen: :mrgreen: :mrgreen:

Post by SorenR » 2019-06-08 18:22

https://blacklist.lashback.com/
The listings are determined objectively and systematically. Only IPs that send email to specially-created, LashBack owned-and-monitored email addresses (unsubscribe probes) -- that are used only on suppression lists -- are blacklisted.

LashBack has been monitoring unsubscribe compliance for more than a decade and this effort has resulted in, what we believe to be, the world’s largest unsubscribe intelligence database.

Post by RvdH » 2019-06-08 18:35

I know what lashback is, i just wondered why you posted it here... no one was talking/asking about lashback :o

I have it defined in SA, eg:

Code: Select all

	# lashback.com 
	header   	RCVD_IN_UNSUBSCORE  eval:check_rbl('unsubscore-lastexternal','ubl.unsubscore.com.','127.0.0.2')
	describe 	RCVD_IN_UNSUBSCORE  Listed in Lashback unsubscore.com
	tflags   	RCVD_IN_UNSUBSCORE  net
	score    	RCVD_IN_UNSUBSCORE  0.5 # please adjust the score value

Post by SorenR » 2019-06-08 19:30

RvdH wrote:
2019-06-08 18:35
I know what lashback is, i just wondered why you posted it here... no one was talking/asking about lashback :o
palinka wrote:
2019-06-08 14:02
Currently I'm using spamhaus to reject snowshoe spam, which is very effective. I'm considering expanding the rejection to other blacklists.

Post by palinka » 2019-06-08 20:35

So i take it you guys are ok with rejecting these other lists? You both listed your functions for scoring, but didn't say what you actually did with the messages. Reject or score? If reject, have you come across any false positives (complaints about not receiving mail)?

Also thanks for posting these very useful functions. :D

Post by SorenR » 2019-06-08 23:30

palinka wrote:
2019-06-08 20:35
So i take it you guys are ok with rejecting these other lists? You both listed your functions for scoring, but didn't say what you actually did with the messages. Reject or score? If reject, have you come across any false positives (complaints about not receiving mail)?

Also thanks for posting these very useful functions. :D
SnowShoe + LashBack are 112% reject. I don't ban them as my ban list would grow to epic proportions in no time.

Post by RvdH » 2019-06-08 23:31

I actually don't use any of hMailServer's built-in DNS Blacklists or SURBL server, i totally rely on SpamAssassin for that, i just score the messages in SA

Some info on DNS Blacklists & their effectiveness
https://www.intra2net.com/en/support/antispam/index.php

As for the (script) code snippets shown above, i use them in OnClientConnect, like soren i do not auto-ban those..i just reject them (+ Disconnect.exe)

Post by palinka » 2019-06-08 23:55

Ok cool. Thanks. I use the default hmailserver settings for spamcop scoring and i noticed that almost ALL of my false positives are from spamcop. I would never reject based on spamcop. That's why i was a little hesitant about adding more blacklists for outright rejection.

Looks like lashback is a good one.

Post by palinka » 2019-06-09 00:01

RvdH wrote:
2019-06-08 23:31
i just reject them (+ Disconnect.exe)
I downloaded your disconnect.exe but i don't know how to use it. Is there a thread with an explanation? Looks interesting.

Also, i am banning spamhaus rejections. My ban list floats about 2,000 entries (7 day ban). The only performance hit that I've noticed is that opening the advanced settings in the hmail admin console takes about a second. Maybe 2 sometimes. Otherwise i haven't seen any other adverse effects of the big ban list.

Post by RvdH » 2019-06-09 00:10

Ps, note 127.0.0.4 is the only return code for CBL
palinka wrote:
2019-06-08 14:02
Currently I'm using spamhaus to reject snowshoe spam, which is very effective. I'm considering expanding the rejection to other blacklists.

Code: Select all

Return Codes	Contains
127.0.0.2	Direct UBE sources, spam operations & spam services
127.0.0.3	Direct snowshoe spam sources detected via automation
127.0.0.4-7	CBL (3rd party exploits such as proxies, trojans, etc.)
127.0.0.10-11	End-user Non-MTA IP addresses set by ISP outbound mail policy
Before I do that, I was wondering if there is a good reason not to, like too many false positives. Does anyone have experience REJECTING based on the other blacklists? Rejecting as in not accepting/receiving the message at all VS accepting the message and processing it for possible spam. Thanks for any advice.
In the past, 127.0.0.5 was assigned to NJABL listings and 127.0.0.6 to OPM listings; these codes are no longer in use at this time. 127.0.0.5, 127.0.0.6 and 127.0.0.7 remain allocated to XBL for possible future use.

Code: Select all

Function Disconnect(sIPAddress)
	With CreateObject("WScript.Shell")
		.Run """C:\Program Files (x86)\hMailServer\Events\Disconnect.exe"" " & sIPAddress & "", 0, True
		REM EventLog.Write("Disconnect.exe " & sIPAddress & "")
	End With
End Function

And then just use: Call Disconnect(oClient.IPAddress)

Code: Select all

REM Block Everything in ZEN except PBL
REM (fragment: goes inside Sub OnClientConnect(oClient), hence the Exit Sub)
If IsInSpamHausZEN(oClient.IPAddress) Then
	EventLog.Write("INFO: zen.spamhaus.org: " & oClient.IPAddress & ":" & oClient.Port)			
	Result.Value = 1
	Call Disconnect(oClient.IPAddress)
	Exit Sub
End If

' ZEN is the combination of all Spamhaus IP-based DNSBLs into one single powerful and comprehensive blocklist 
' to make querying faster and simpler. It contains the SBL, SBLCSS, XBL and PBL blocklists.
' 127.0.0.2|9	Direct UBE sources, spam operations & spam services (Spamhaus DROP/EDROP Data: 127.0.0.9 in addition to 127.0.0.2, since 01-Jun-2016)
' 127.0.0.3	Direct snowshoe spam sources detected via automation
' 127.0.0.4-7	CBL 3rd party exploits such as proxies, trojans, etc. (127.0.0.5, 127.0.0.6 and 127.0.0.7 remain allocated to XBL for possible future use.)
' 127.0.0.10-11	End-user Non-MTA IP addresses set by ISP outbound mail policy
' The pattern below matches 2, 3, 4 and 9 only, so PBL answers (10-11) do not cause a reject.
' strIP is taken ByVal because it is reused to hold the DNS answer.
Function IsInSpamHausZEN(ByVal strIP) : IsInSpamHausZEN = false
	Dim a : a = Split(strIP, ".")
	If UBound(a) <> 3 Then Exit Function ' not a dotted-quad IPv4 address (e.g. IPv6): no lookup
	With CreateObject("DNSLibrary.DNSResolver")
		strIP = .DNSLookup(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".zen.spamhaus.org")
	End With
	Dim strRegEx : strRegEx = "(127\.0\.0\.(?:2|3|4|9))"
	IsInSpamHausZEN = Lookup(strRegEx, strIP)
End Function
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup
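
Added example, not code from any poster in this thread, and written in Python rather than the thread's VBScript so it runs without hMailServer. It builds the DNSBL query name (IPv4 as in the functions above, plus the IPv6 nibble form), maps ZEN answers to the lists in the return-code table by exact match, and applies the "everything in ZEN except PBL" reject policy. The 127.255.255.0/24 error range comes from Spamhaus's documentation rather than this thread; the function names and sample answers are constructed, and no DNS query is made.

```python
import ipaddress

# Return codes for zen.spamhaus.org as listed in the thread, mapped to the
# component list each one belongs to.
ZEN_CODES = {
    "127.0.0.2": "SBL",   # direct UBE sources, spam operations and services
    "127.0.0.3": "CSS",   # snowshoe sources detected via automation
    "127.0.0.4": "XBL",   # CBL: third-party exploits (proxies, trojans, ...)
    "127.0.0.5": "XBL",   # 5-7 remain allocated to XBL for possible future use
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.9": "SBL",   # DROP/EDROP data
    "127.0.0.10": "PBL",  # end-user non-MTA addresses (ISP policy)
    "127.0.0.11": "PBL",
}

# Policy assumed here: the thread's "block everything in ZEN except PBL".
REJECT_LISTS = frozenset({"SBL", "CSS", "XBL"})

# Assumption from Spamhaus documentation (not from the thread): answers in
# this range report a problem with the query itself, such as a blocked
# public resolver or too many queries, and say nothing about the client IP.
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")


def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Build the DNSBL query name; raises ValueError if ip is not an IP."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")                    # four octets
    else:
        labels = list(addr.exploded.replace(":", ""))    # 32 hex nibbles
    return ".".join(reversed(labels)) + "." + zone


def classify(answers):
    """Split A-record answers into (lists, error codes, unknown codes)."""
    lists, errors, unknown = set(), [], []
    for answer in answers:
        answer = answer.strip()
        # Exact comparison: 127.0.0.20 must not count as 127.0.0.2.
        if answer in ZEN_CODES:
            lists.add(ZEN_CODES[answer])
            continue
        try:
            is_error = ipaddress.ip_address(answer) in ERROR_NET
        except ValueError:
            is_error = False
        (errors if is_error else unknown).append(answer)
    return sorted(lists), errors, unknown


def decide(answers):
    """Return (action, lists); action is reject, lookup-error or accept."""
    lists, errors, _unknown = classify(answers)
    if REJECT_LISTS.intersection(lists):
        return "reject", lists
    if errors:
        # The lookup failed on the resolver side: leave the decision to the
        # other filters instead of treating the answer as a listing.
        return "lookup-error", lists
    return "accept", lists


if __name__ == "__main__":
    # Constructed sample answers; the client addresses are documentation ranges.
    samples = [
        ("192.0.2.99", ["127.0.0.3"]),
        ("192.0.2.10", ["127.0.0.10"]),
        ("198.51.100.7", ["127.0.0.2", "127.0.0.11"]),
        ("203.0.113.5", ["127.255.255.254"]),
        ("2001:db8::1", []),
    ]
    for ip, answers in samples:
        print(dnsbl_query_name(ip), answers, decide(answers))
```

A PBL-only answer is accepted at connect time and a resolver-side error code is reported separately, so neither ends up as a rejection.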

mattg
Moderator
Posts: 20111
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Spamhaus Zen

Post by mattg » 2019-06-09 01:48

RvdH wrote:
2019-06-08 16:25
Does hMailServer stop processing antispam measures once the Spam mark threshold has been reached? Otherwise you would be doing double lookups...
I think that mail can be rejected by hMailserver before the SpamAssassin tests

It has been a while, because I now delete high spam scores rather than reject them (to limit backscatter) so that means that my SpamAssassin tests ALL messages
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

Post by palinka » 2019-06-11 11:40

Code: Select all

HMS Server Start Time: 2019-06-09 23:58:27
HMS Daily Spam Reject count: 0
HMS Daily Viruses Removed count: 0

Yeah, baby! :mrgreen:

I don't even remember a day without spam.

Thanks, guys!

Post by palinka » 2019-07-01 23:58

SorenR wrote:
2019-06-08 23:30
SnowShoe + LashBack are 112% reject. I don't ban them as my ban list would grow to epic proportions in no time.
I just banned all of Microsoft based on lashback. :roll: Looks like lashback is not appropriate for reject 'n' ban.

Update. Was a bona fide "change your password" confirmation my daughter requested. The message came through after i removed the rejection for lashback. But holy cow they tried about 25 times from different IPs before i let them through.

Released:
http://hmsfirewallbandemo.ddns.net/sear ... mit=Search

Post by palinka » 2019-07-03 23:42

Update #2: I checked yesterday and the M$ servers were delisted from lashback. Then today I got another hit for the same M$ IPs! Even though I disabled rejection, I still have a notification setup to let me know when I get a lashback hit, which to date has only been one IP other than the M$ ones. Listed, delisted, listed again... I googled "lashback microsoft" and found a bunch of complaints about getting occasionally listed and relying on M$ to make things right.

So yeah, Lashback is definitely not rejection worthy.

Post by palinka » 2019-07-05 20:18

Got another false positive from lashback: bona fide message from uber eats (food delivery receipt).

Code: Select all

X-hMailServer-Reason-1: Rejected by LashBack - (Score: 3)

It was scored, not rejected. Poor wording in hmailserver headers. Looks like I'll be removing scoring as well. I've only received false positives.

Checking lashback is 3rd in line of filters after geoip and spamhaus.

Post by SorenR » 2019-07-05 23:17

palinka wrote:
2019-07-05 20:18
Got another false positive from lashback: bona fide message from uber eats (food delivery receipt).

Code: Select all

X-hMailServer-Reason-1: Rejected by LashBack - (Score: 3)

It was scored, not rejected. Poor wording in hmailserver headers. Looks like I'll be removing scoring as well. I've only received false positives.

Checking lashback is 3rd in line of filters after geoip and spamhaus.
There are no false-positives on lashback, the IP's are not reported by anyone.
The listings are determined objectively and systematically. Only IPs that send email to specially-created, LashBack owned-and-monitored email addresses (unsubscribe probes) -- that are used only on suppression lists -- are blacklisted.

LashBack has been monitoring unsubscribe compliance for more than a decade and this effort has resulted in, what we believe to be, the world’s largest unsubscribe intelligence database.

Organizations use the UBL free-of-charge as a unique and important component in determining reputation and email delivery. LashBack maintains the UBL because of the importance of the reputation data and as part of its advocacy for best practices. The primary objective of the UBL is not revenue generation; in fact, the only fees charged are modest fees to repeat offenders. These fees discourage bad email and partially offset the expense of managing the blacklist.

If you have been blacklisted, then your IP sent email to a harvested email address. Either you know that it was done or you have a security issue. We let first-time offenders request the removal of their IP address free-of-charge, but if it happens more than once, there is a fee to request removal. If thirty days have passed without additional incidences, the IP is automatically removed from the list. We suggest that you make sure that any security issue is resolved before paying to delist. If you pay to delist and are immediately relisted, it is solely because we received new messages from the same IP address to our unsubscribe probes.
https://blacklist.lashback.com/

Post by palinka » 2019-07-05 23:34

SorenR wrote:
2019-07-05 23:17

There are no false-positives on lashback, the IP's are not reported by anyone.
I get that. I read the same thing when i started using it. But that doesn't matter. I consider a false positive to be a message that is rejected or scored as spam when it's actually not spam. I'm looking from my own end use.

If literally all messages hit by lashback get labeled spam when they're not, i don't trust lashback enough to use it for anything.

jimimaseye
Moderator
Posts: 8120
Joined: 2011-09-08 17:48

Re: Spamhaus Zen

Post by jimimaseye » 2019-07-05 23:42

Hmmm...

I've not paid much attention to this lashback talk until now. But if what i have just read is understood correctly then i am with Palinka.

Just because an ip sending address fell in to one of lashback's traps, how does it mean that the email it is sending me is rubbish or spam? All it means is they were not playing by the rules surely.

What am i missing?

[Entered by mobile. Excuse my spelling.]
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

Post by SorenR » 2019-07-06 00:05

palinka wrote:
2019-07-05 23:34
SorenR wrote:
2019-07-05 23:17

There are no false-positives on lashback, the IP's are not reported by anyone.
I get that. I read the same thing when i started using it. But that doesn't matter. I consider a false positive to be a message that is rejected or scored as spam when it's actually not spam. I'm looking from my own end use.

If literally all messages hit by lashback get labeled spam when they're not, i don't trust lashback enough to use it for anything.
Not SPAM, untrustworthy. Something completely different.

It's all about your environment... I've had 112 reported "LashBack's" so far this month and all are spot on.

Post by palinka » 2019-07-06 00:20

SorenR wrote:
2019-07-06 00:05
palinka wrote:
2019-07-05 23:34
SorenR wrote:
2019-07-05 23:17

There are no false-positives on lashback, the IP's are not reported by anyone.
I get that. I read the same thing when i started using it. But that doesn't matter. I consider a false positive to be a message that is rejected or scored as spam when it's actually not spam. I'm looking from my own end use.

If literally all messages hit by lashback get labeled spam when they're not, i don't trust lashback enough to use it for anything.
Not SPAM, untrustworthy. Something completely different.

It's all about your environment... I've had 112 reported "LashBack's" so far this month and all are spot on.
I don't get many lashback hits. Like i said, it's 3rd in line of filters. So i setup a notification. When i get a hit for lashback, i get a message letting me know. Since i put it in place 3 or 4 weeks ago, I've had only bona fide messages get marked out of the 25 or so messages to get hit. Except maybe one. I didn't check the very first one. But all the rest were actual wanted messages. Who's untrustworthy? :mrgreen:

Post by mattg » 2019-07-06 03:24

The way that i read this

A smarty pants customer of uber eats used a lashback honeytrap email address as their email for receipts, and uber eats has sent the receipt to the nominated address, only to get listed at lashback...?

Seems like any person anywhere can take out their business opposition by completing web forms on the business competitors websites, using a compromised honey trap address

Is that right??

Post by SorenR » 2019-07-06 09:04

mattg wrote:
2019-07-06 03:24
The way that i read this

A smarty pants customer of uber eats used a lashback honeytrap email address as their email for receipts, and uber eats has sent the receipt to the nominated address, only to get listed at lashback...?

Seems like any person anywhere can take out their business opposition by completing web forms on the business competitors websites, using a compromised honey trap address

Is that right??
From the text on their site...
Only IPs that send email to specially-created, LashBack owned-and-monitored email addresses (unsubscribe probes) -- that are used only on suppression lists -- are blacklisted.
It would be highly unprofessional to use a LashBack email address to order food.

Post by jimimaseye » 2019-07-06 09:52

Ok, let's go simpler.

What exactly do they do?

They generate an email address. They use it to subscribe to a service or website. They then unsubscribe using the service 'unsubscribe' link or feature and then they want to see if the sender keeps sending them emails and if they do they list the ip address?

Is that how it works?

[Entered by mobile. Excuse my spelling.]

Post by SorenR » 2019-07-06 11:18

jimimaseye wrote:
2019-07-06 09:52
Ok, let's go simpler.

What exactly do they do?

They generate an email address. They use it to subscribe to a service or website. They then unsubscribe using the service 'unsubscribe' link or feature and then they want to see if the sender keeps sending them emails and if they do they list the ip address?

Is that how it works?

[Entered by mobile. Excuse my spelling.]
If I understand it correctly they "post" an email address somewhere, this address is harvested and used for sending out "stuff". I think they actively try to unsubscribe and if unsuccessful they ban the IP address.

I used to receive tons of "stuff/SPAM" where the unsubscribe button (if present) would send you to a page stating "You are unsubscribed from bla bla" ... Well, NOT! Not only that, most of the time the unsubscribe page would auto-refresh before you could "unsubscribe" so you could not script it ... Bloody /&%%¤%¤#!

Post by jimimaseye » 2019-07-06 12:07

Yeah. So what we have is a punishment for non-conformity, not an anti spam feature.

Just because CarpetsForYou (for example) harvested or acquired some email address (provided by lashback) and doesn't offer a successful or valid unsubscribe doesn't mean that i (or palinka or anyone else) does want to give our email address, sign up and receive their emails. And using the lashback ubl would do just that (scoring dependent).

Furthermore, it lists based on ip address. What address? The originating address? The intermediary smtp sending address? What if they are using 'sendgrid' for example. Would that mean the sendgrid ip would be banned effectively affecting any other company sendgrid sends mail for.

[Entered by mobile. Excuse my spelling.]

Post by palinka » 2019-07-06 13:38

jimimaseye wrote:
2019-07-06 12:07
What if they are using 'sendgrid' for example. Would that mean the sendgrid ip would be banned effectively affecting any other company sendgrid sends mail for.

[Entered by mobile. Excuse my spelling.]
YES. That's exactly how it works. And that's how Microsoft is perennially on the list. Some spammer (or legit user with poorly implemented unsubscribe) uses Microsoft to send his marketing email. Lashback fails to unsubscribe and Microsoft gets listed and all users are affected.

That's exactly the scenario i dealt with when my daughter requested a password change from Microsoft. I had set up lashback to reject and the IP (not the sender) was rejected. Fortunately i caught that before they gave up trying.

Then i got rid of the reject and setup lashback to score. Next lashback hit was the uber eats receipt. The message was marked as spam.

I suspect uber eats got caught up in lashback through a mass mailing, not a receipt. But yeah, no more lashback for me.

Post by palinka » 2019-07-06 13:45

mattg wrote:
2019-07-06 03:24

Seems like any person anywhere can take out their business opposition by completing web forms on the business competitors websites, using a compromised honey trap address

Is that right??
I doubt lashback publicizes their honeypot email addresses. But if you could find one, then yes. Should work.

Post by SorenR » 2019-07-06 14:53

Out of the 112 addresses I found so far this month none are SendGrid, either they have NO rDNS or it's some form of subscriber net address in South America, Turkey, Vietnam or China.

Part of this issue is also that Palinka is in USA where there is no privacy online and Google own your personal information, I am in the EU where corporations like Google pay big fines for breaching my privacy. The amount of US based SPAM has dropped substantially since GDPR was introduced. Now it's mostly BOT's generating traffic.

A lot of American companies still have not come to terms with the EU laws so they pretend EU is some sort of dark socialist community like Argentina and put up a wall ... :roll:

I was checking up on a buddy from long time back who lives in Palmdale, CA, now with the quake and all...

https://www.fastpeoplesearch.com/

Anywho, I found his phone number elsewhere. He's not on social media.

Post by jimimaseye » 2019-07-06 15:19

Same results for GB. Nothing that using a vpn didn't overcome though. (I have Hola app installed on my phone)

[Entered by mobile. Excuse my spelling.]

Post by SorenR » 2019-07-06 15:58

jimimaseye wrote:
2019-07-06 15:19
Same results for GB. Nothing that using a vpn didn't overcome though. (I have Hola app installed on my phone)

[Entered by mobile. Excuse my spelling.]
Let's see now that Margrethe Vestager is no longer who Trump refers to as "The TAX lady with a grudge against USA" what will happen with sharing data.

By the way, she's apparently to become vice-president of the Commission so ... more power to the tax-lady :mrgreen:

Post by palinka » 2019-07-06 18:59

SorenR wrote:
2019-07-06 14:53
Out of the 112 addresses I found so far this month none are SendGrid, either they have NO rDNS or it's some form of subscriber net address in South America, Turkey, Vietnam or China.

Part of this issue is also that Palinka is in USA where there is no privacy online
I suppose account related emails to Microsoft users in Europe are sent from European servers. Probably the same goes for the other big mail providers and relay services.

What can I say? Hell, I'm already firewall banning most of the world :mrgreen:

Post by SorenR » 2019-07-06 21:09

Gran Torino ... Hmm ... You do know that the hero dies in the end ?

Post by palinka » 2019-07-06 22:33

SorenR wrote:
2019-07-06 21:09
Gran Torino ... Hmm ... You do know that the hero dies in the end ?
They still got off his lawn. And he died a hero.

Post by SorenR » 2019-07-09 02:38

I knew there was a good reason for running your own mailserver... :mrgreen:

https://www.theverge.com/2019/5/17/1862 ... l-receipts

If I go to https://myaccount.google.com/purchases ... Tadaaaa ... It's empty :mrgreen:

Now you try it ... I dare you :twisted:

Post by mattg » 2019-07-09 06:11

empty for me too...:D

Post by jimimaseye » 2019-07-09 08:21

Other than rented films from Google Play, i am empty too.

Post by palinka » 2019-07-09 11:50

SorenR wrote:
2019-07-09 02:38
If I go to https://myaccount.google.com/purchases ... Tadaaaa ... It's empty :mrgreen:

Now you try it ... I dare you :twisted:
I have a bunch of receipts from home depot (home improvement store). They offer to email the receipt at the point of sale so i tried that out several times. You enter your email address once and it gets stored with the card number, so next time you go you just hit "yes" for email receipt. Very convenient for stuff i buy for work that gets reimbursed. The receipt email comes to my hmailserver. Apparently goolag gets their hands on it first before I do.

My account was migrated from Goolag apps to hmailserver, so the gmail account still exists but it's not used.

Not all purchases are there. Sometimes i don't need the receipt emailed or just don't think about it because I'm in a rush. Looks like goolag only gets their greedy little fingers on it if i choose to email the receipt, but not for paper receipt only.
