Domain /Email address blacklist [70%]


Poll: Do you want domain and Email address blocklist?

Yes: 88 votes (94%)
No: 6 votes (6%)
Total votes: 94

gonace_
New user
Posts: 2
Joined: 2008-02-07 09:13

Domain /Email address blacklist [70%]

Post by gonace_ » 2008-02-07 09:21

I want to request a feature I’m dying to see in the next release.

The feature I want to have is a domain and email address block list. This feature is highly wanted, though the DNS spam/blacklists aren’t good enough. I want to be able to block some domains and email addresses.

I might be wrong here; the feature isn’t there yet? I’ve read the manual and the forum but haven’t seen the feature I want.

I think this is a good idea; anyone else who agrees or disagrees?


Note: Just have to say, I really love this application.



MOD EDIT: With hMailServer 5.4 this can mostly be accomplished using the new OnSMTPData event.
Trivial example:

Code: Select all

   Sub OnSMTPData(oClient, oMessage)
      '0: Pass OK, 1: 554 Rejected, 2: 554 Result.Message, 3: 453 Result.Message
      Result.Value = 0
      If oMessage.FromAddress = "spam@spammer.tld" Then Result.Value = 1
   End Sub

   ' Note: This rejects before the message is received, which accomplishes the desired rejection, but since it happens after the DATA command is received, the sender might not associate it with a rejected to/from address vs. a problem sending email.

Last edited by gonace_ on 2008-02-07 11:33, edited 1 time in total.

Viper
New user
Posts: 14
Joined: 2008-01-31 10:00

Post by Viper » 2008-02-07 10:30

Yes, I agree. I think it's a good idea to block spammers :)

gonace_
New user
Posts: 2
Joined: 2008-02-07 09:13

Post by gonace_ » 2008-02-07 11:01

I think it would be nice to have this feature too, so "people" that have an account in hMailServer can block people through the web administration script.

And of course also so the mail server administrator can block email and domains that frequently send spam towards the server.

westdam
Senior user
Posts: 728
Joined: 2006-08-01 21:24
Location: Padova, Italy

Post by westdam » 2008-03-14 12:57

What about rules?
This can be done with rules, if I don't remember wrong.
From contains XXX@XXX.XXX, action delete mail or whatever you want...

redrummy
Senior user
Posts: 370
Joined: 2007-06-21 06:52
Location: Alaska

Post by redrummy » 2008-03-14 21:56

Yes, I could see the use of a blacklist feature. I think this has been requested before, though (haven't checked yet).

Rules can be used to delete unwanted messages, but only after they're received. A blacklist can reject at the SMTP level after HELO or FROM, depending on whether we're blacklisting IP range or address/domain string.

Usually people really serious about spam filtering use ASSP/SA/etc...

tocpcs
New user
Posts: 12
Joined: 2008-02-26 13:58

Post by tocpcs » 2008-03-15 11:27

It'd be good to see a feature to block spammers by IP.

I've requested a similar feature before.

So, basically, when it is noticed that a large number of spam emails are coming from a single IP range, it can simply be IP blocked. If they want to get unblocked, they can then use a free email address to contact and get unblocked, etc.

chrissoumil
New user
Posts: 2
Joined: 2008-05-15 06:40

Re: Domain /Email address blacklist

Post by chrissoumil » 2008-05-15 06:44

If you want to know more on email server blacklist or anything related to IP server blacklists CLICK HERE.EMAIL BLACKLISTS

ewieldra
Normal user
Posts: 37
Joined: 2008-04-24 23:23
Location: The Netherlands

Re: Domain /Email address blacklist

Post by ewieldra » 2008-05-18 12:43

A manual blacklist would be nice, just like the whitelist.
Best regards,

Emiel Wieldraaijer
The Netherlands

Slug
Moderator
Posts: 1369
Joined: 2005-03-13 05:42
Location: Sydney Australia

Re: Domain /Email address blacklist

Post by Slug » 2008-05-21 16:52

Sorry guys, but I'm not for this idea. As a matter of fact, I'm not for any idea that is in need of manual input to maintain. It just gets too hard after a while and turns into a mess.

Michael
Missing Hmailserver ... Now running Debian servers

rodolfor
Senior user
Posts: 282
Joined: 2005-06-30 09:05
Location: Gubbio - Italy

Re: Domain /Email address blacklist

Post by rodolfor » 2008-05-22 08:24

I vote yes.
Sometimes I need to block a spammer's domain instantly. A manual BL would be very appreciated.
Hmailserver [lastversion] + MSSQL

Slamlander
Normal user
Posts: 50
Joined: 2006-05-17 15:16
Location: Nyon, CH

Re: Domain /Email address blacklist

Post by Slamlander » 2008-05-22 08:42

Yes, an ad hoc blacklist would be nice; however, those who insist on an IP address based list are ignoring the fact that IP blacklists simply cannot work these days, when most of the net is moving towards dynamic IP address assignment. The chances of false positives are more than excellent. One only has to peruse http://www.DynDNS.org to understand this more clearly. In fact, I would go so far as to suggest deliberately preventing someone from using IP addresses as a blocking trigger. The name is the thing, and blocking by domain name BEFORE ClamWin is forced to scan the message would be a good performance enhancement.

My problem with many of the anti-spam filters is that they are IP address based, which is stupid and useless these days.
S L A M L A N D E R
Dynamic IP, the best defense against DDOS attacks!

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Re: Domain /Email address blacklist

Post by ^DooM^ » 2008-05-22 10:23

Well, I would prefer to block an IP address of someone slamming my mailserver than blocking based on the from address domain name. Maybe having the option to auto expire after X amount of hours would help.
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

rodolfor
Senior user
Posts: 282
Joined: 2005-06-30 09:05
Location: Gubbio - Italy

Re: Domain /Email address blacklist

Post by rodolfor » 2008-05-24 09:53

I think it is better to stop a single domain and/or email address.
There is also the case in which someone harasses someone with an address xxx@google.com....
Stopping the IP address would stop a lot of email.
Hmailserver [lastversion] + MSSQL

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Re: Domain /Email address blacklist

Post by ^DooM^ » 2008-05-24 10:28

rodolfor wrote:Stopping the ip address would stop a lot of email.
It is up to the admin if he wants to block an IP or not. If they do not check the IP and blindly add it to the blacklist, that is their own problem, to be honest.
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

Rainer
Normal user
Posts: 166
Joined: 2007-06-21 13:40
Location: Zweibrücken - Germany

Re: Domain /Email address blacklist

Post by Rainer » 2008-05-24 16:35

Hello @ll :)

Sometimes it makes no sense to block an IP address, because sometimes silly persons are killing you with silly email.
OK, I block the IP address - no problem.
A few days later your chief is killing YOU because you blocked Hotmail or AOL or another big ISP!

The blacklist must work with wildcards like:

Silly*@*.Silly.com or
*@silly.* or
*.kr

Kind regards :)
Rainer Noa

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Re: Domain /Email address blacklist

Post by ^DooM^ » 2008-05-24 20:39

It should work with both wild card email address and IP address.

Like I said previously, if you are adding an AOL/Hotmail/Gmail IP address to your blacklist then that is your own fault for not checking it before adding it. Using my previous suggestion of an auto expire after X Minutes/Hours would make it less of an issue.
If at first you don't succeed, bomb disposal probably isn't for you! ヅ
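The wildcard matching Rainer asks for, combined with the auto-expiry ^DooM^ suggests, could be scripted along these lines. This is an added example, not code from the thread or from hMailServer; the helper names, the sample entries and the reject text are assumptions, while OnSMTPData, oMessage.FromAddress and the Result values are the ones shown in the MOD EDIT at the top of the thread.

```vbscript
' Added example for hMailServer's EventHandlers.vbs. All entries are constructed samples.
' Each entry is Array(wildcard pattern, expiry); an Empty expiry never expires.
Function BlockEntries()
    BlockEntries = Array( _
        Array("silly*@*.silly.com", Empty), _
        Array("*@silly.*", Empty), _
        Array("*.kr", DateSerial(2030, 1, 1)))
End Function

' Translate a "*" wildcard pattern into an anchored regular expression,
' escaping every other regex metacharacter so "." only matches a literal dot.
Function WildcardToRegex(sPattern)
    Dim i, sChar, sOut
    sOut = "^"
    For i = 1 To Len(sPattern)
        sChar = Mid(sPattern, i, 1)
        If sChar = "*" Then
            sOut = sOut & ".*"
        ElseIf InStr("\^$.|?+()[]{}", sChar) > 0 Then
            sOut = sOut & "\" & sChar
        Else
            sOut = sOut & sChar
        End If
    Next
    WildcardToRegex = sOut & "$"
End Function

' True when the entry has no expiry or its expiry lies after dtNow.
Function EntryActive(aEntry, dtNow)
    If IsEmpty(aEntry(1)) Then
        EntryActive = True
    Else
        EntryActive = (dtNow < aEntry(1))
    End If
End Function

' True when sAddress matches an entry that is still active at dtNow.
Function IsBlockedSender(sAddress, dtNow)
    Dim oRegex, aEntry
    IsBlockedSender = False
    ' An empty envelope sender is used by bounces; never treat it as listed.
    If Trim(sAddress) = "" Then Exit Function
    Set oRegex = New RegExp
    oRegex.IgnoreCase = True
    For Each aEntry In BlockEntries()
        If EntryActive(aEntry, dtNow) Then
            oRegex.Pattern = WildcardToRegex(aEntry(0))
            If oRegex.Test(Trim(sAddress)) Then
                IsBlockedSender = True
                Exit Function
            End If
        End If
    Next
End Function

Sub OnSMTPData(oClient, oMessage)
    ' 0: pass, 2: reject with 554 and Result.Message
    Result.Value = 0
    If IsBlockedSender(oMessage.FromAddress, Now) Then
        Result.Value = 2
        Result.Message = "Sender address is blocked by local policy"
    End If
End Sub
```

The envelope sender is chosen by the sending side, so a list like this filters nuisance senders but does not authenticate anyone.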

bevhost
New user
Posts: 3
Joined: 2008-12-03 03:40

Re: Domain /Email address blacklist

Post by bevhost » 2008-12-03 03:57

Need to be sure that the postmaster mailbox can still be reached even if the sender IP address or Sender Email Address is blocked. This way the blocker sender can send an email to the administrator to ask for removal. I think there is an RFC that suggests or requires this.

I think there would need to be two block lists,
1) one that blocks by IP address (or PTR domain)
2) one that blocks by envelope sender address (MAIL FROM)

I would also like the ability to customise the reject error message.
eg
550 user has joined another company (try user@newco.com)
550 please call 555 1234 for more detail

Rainer
Normal user
Posts: 166
Joined: 2007-06-21 13:40
Location: Zweibrücken - Germany

Re: Domain /Email address blacklist

Post by Rainer » 2008-12-03 08:30

Hello bevhost, good ideas, really good!

Kind regards and more of these good ideas :)
Rainer Noa

M*I*B
Normal user
Posts: 80
Joined: 2008-12-30 19:09
Location: Germany

Re: Domain /Email address blacklist

Post by M*I*B » 2008-12-30 20:23

Hi folkz...

...and greetings from Germany; and don't hit me if I'm posting bulls***. 1st time here and running the server since yesterday ;)

Back to topic:
I'm also missing a manual blacklist, but in the meantime I follow up the IPs in the log that try to send spam. Then I look up via WhoIs who is behind the IP. Result from today: only systems from Asia, Russia and Poland, some with heavy hacking attacks...

So I take the IP range of this server and add it under "IP - Area", name it e.g. "SPAM, SEEDNET, Taiwan" and give it priority 999. Then I disable all services for this entry and activate (just to be sure) that they need login data.

At the moment that works fine for me; I don't need emails from a spamming server; I haven't any folkz there that have to let me know something by email ;)


Baba
Micha

PS: In the next few days I will post a German ini-file if anyone is interested in this...
... with much greetings ...

Micha

Nargauzius
New user
Posts: 15
Joined: 2009-02-09 23:40

Re: Domain /Email address blacklist

Post by Nargauzius » 2009-02-09 23:50

My question would be: What's the best way to block all the SPAM that appears to be coming from e-mail addresses that really do exist on my mail server, but are being spoofed by spammers? I'm sick of getting e-mail that says it's from one of my other accounts trying to sell me stuff in Russian. Should there be a way that incoming mail using "from" addresses that are local to the server knows they didn't come from the local server (which would have been an authenticated session), and block them?

I like my McAfee tool that will "report this as SPAM" in my e-mail client. If only it was smart enough to update my mail server blacklist (if there was one) and not just my e-mail client.

mattg
Moderator
Posts: 21308
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Domain /Email address blacklist

Post by mattg » 2009-02-10 01:27

Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

Nargauzius
New user
Posts: 15
Joined: 2009-02-09 23:40

Re: Domain /Email address blacklist

Post by Nargauzius » 2009-02-10 04:24

Hm, that doesn't work because it blocks all external inbound messages from the internet when trying to send to my local domains because they can't authenticate.
Sorry, the documentation is too technical talking about VB Script.

mattg
Moderator
Posts: 21308
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Domain /Email address blacklist

Post by mattg » 2009-02-10 05:23

Nargauzius wrote:Hm, that doesn't work because it blocks all external inbound messages from the internet when trying to send to my local domains because they can't authenticate.
No it doesn't.
Why do you think that?
What it actually does, is make all e-mail with a from address that includes '@example.com' be authenticated or the mail is rejected.
Nargauzius wrote:Sorry, the documentation is too technical talking about VB Script.
So the documentation is too technical, or VB Script is too technical. I am unsure what you mean.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

Nargauzius
New user
Posts: 15
Joined: 2009-02-09 23:40

Re: Domain /Email address blacklist

Post by Nargauzius » 2009-02-10 05:44

The document referenced in your original link showed a segment of VBScript to authenticate local users (I think). Knowing nothing about scripting, I attempted to interpret where that information might be controlled in the GUI for the server, which looked like a checkbox under IP RANGES that says "Require Authentication for Deliveries" and the checkbox "to local accounts" under the IP range INTERNET.

Granted, that probably wasn't what you intended when you were being helpful with this link http://www.hmailserver.com/documentatio ... eptmessage
But there were no instructions, just a reference to requiring authentication for local senders.

Checking that box blocked delivery alright, but for everyone. So, I got lost immediately. Sorry for being an hMail dummy, but I use a Windows Server with no PHP, Apache, or command line stuff.

I've got hMail 4.4.3 B285, and just realized there's a version 5.0. Perhaps I should upgrade first before I say it can't do something else.

Thanks!

mattg
Moderator
Posts: 21308
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Domain /Email address blacklist

Post by mattg » 2009-02-10 06:31

OK.

Scripting is very powerful.
You can do many things with scripts that can't be replicated with the GUI. This is one such example.

I certainly would NOT recommend that you select 'require authentication for deliveries' 'to local accounts' for the 'internet IP range'. This should only be used in specific situations. Turning on random features without knowledge of what they do is kind of dangerous. You should check that you haven't created a open relay http://www.hmailserver.com/documentatio ... elay_tests

Ver 5 is listed as stable - I would upgrade to Ver 5.

The earlier page that I linked to does say at the top of the page that it is a subset of scripting. Here is the scripting main page - http://www.hmailserver.com/documentatio ... _scripting.

Please feel free to ask for help, but a bit of an insight into your current knowledge level and the size of your installation is beneficial to those of us trying to help. The documentation is very thorough and detailed, but it needs to be.

Matt
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

vbdotnetman
New user
Posts: 15
Joined: 2008-12-09 12:27

Re: Domain /Email address blacklist

Post by vbdotnetman » 2009-05-11 20:35

Hello All,

I have written a program that maintains a blacklist automatically. It does have one requirement, and that is you must use Microsoft Outlook and turn on the Junk Email Filter, which identifies the spam sender's email address :) .

After that the email will be rejected at the hMailserver level and the Outlook Email User will never see another email from that senders address.

This program will either perform at a domain or email address level.

Anyone wanting a copy can reach me @ rejectit@gmail.com. :mrgreen:

Nargauzius
New user
Posts: 15
Joined: 2009-02-09 23:40

Re: Domain /Email address blacklist

Post by Nargauzius » 2009-05-13 17:15

That sounds like a handy tool for most business users. Is there a straightforward way to remove a blacklisted address if you make an error adding it?

vbdotnetman
New user
Posts: 15
Joined: 2008-12-09 12:27

Re: Domain /Email address blacklist

Post by vbdotnetman » 2009-05-13 17:29

Yes, aside from automatically rejecting email at the hMailserver level it has an option that can be accessed from an outlook menu to manually Add, Change or Remove E-mail addresses from the reject list.



Best Regards

jrb
New user
Posts: 12
Joined: 2009-05-20 20:39
Location: Norway

Re: Domain /Email address blacklist

Post by jrb » 2009-05-21 22:53

First of all: Thank you for sharing with us a first class mail server :D I have been using the server for a couple of years, and am impressed with both functionality and speed. Have used the server with Win2003 and Win2008, and it performs perfectly on these platforms!

Second: I also think that a blacklist is a good idea, but editing this may be too work consuming. Thus, I plan to make an addon for Outlook where one could click a "Spam button", which automatically (via hMailServer API) updates the hMailServer blacklist.

If anyone is interested in this addon (or has other great ideas on how to maintain a sensible blacklist), please give me a hint.

luci
Normal user
Posts: 70
Joined: 2008-02-29 14:29
Location: Romania

Re: Domain /Email address blacklist

Post by luci » 2009-05-22 09:56

Take a look at my post here:
http://www.hmailserver.com/forum/viewto ... 165#p86165

I suggest a reputation system rather than a blacklist. The sender is blacklisted for the reporting user and accumulates a bad reputation for the whole server.
Radical Image Optimization Tool developer
Project Manager at CRIOSWEB

armopop
Normal user
Posts: 96
Joined: 2008-08-23 23:20
Location: Canada

Re: Domain /Email address blacklist

Post by armopop » 2009-05-26 16:32

I agree with DooM, I'd rather see a manual IP address blacklist than a domain or email address list. Oh well, maybe the combination of both?!

MikeD
New user
Posts: 17
Joined: 2009-12-03 20:14
Location: UK

Re: Domain /Email address blacklist

Post by MikeD » 2009-12-10 15:06

Is there anywhere we can see whether this particular feature is planned to make it into hMailServer?

I am also interested in a blacklist facility and would add a vote for a string matching facility against the domain/email address, but would agree that under certain circumstances IP addresses would also be useful.

As previously suggested, it could be implemented under rules, but this would make it difficult to import lists of addresses that you may already have.

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Re: Domain /Email address blacklist

Post by ^DooM^ » 2009-12-10 15:36

If at first you don't succeed, bomb disposal probably isn't for you! ヅ

Kob
New user
Posts: 15
Joined: 2005-10-01 13:02

Re: Domain /Email address blacklist

Post by Kob » 2009-12-11 19:12

I run a FTP server (Serv-U) which being occasionally hit by Chinese hackers who try to guess the login PW, so I block their ISP's IP range before they see the login dialog box. Since I don't have any dealings with China, I deny wide-range subnets. The IP allow/deny rules are set up per FTP account or domain. Easy to implement and very effective, and if implemented in hMS it can be very useful.

An example of the GUI is attached.

Kob
Attachment: IP_Blocking_Rules_Serv-U.gif (9.84 KiB)

Nargauzius
New user
Posts: 15
Joined: 2009-02-09 23:40

Re: Domain /Email address blacklist

Post by Nargauzius » 2009-12-11 19:51

If you're trying to block China, you really need 202-203.*.*.*
(smile)

DeanoX
Senior user
Posts: 480
Joined: 2005-11-05 00:07
Location: Michigan

Re: Domain /Email address blacklist

Post by DeanoX » 2009-12-11 20:02

Kob

You should consider blocking at your router, instead of an application.

martin
Developer
Posts: 6837
Joined: 2003-11-21 01:09
Location: Sweden

Re: Domain /Email address blacklist

Post by martin » 2009-12-12 10:17

Kob,
You could set up IP ranges in hMailServer to do the same thing.

Kob
New user
Posts: 15
Joined: 2005-10-01 13:02

Re: Domain /Email address blacklist

Post by Kob » 2009-12-12 19:24

martin,

I went carefully through the documentation and the available choices in the admin GUI, and could not find a place where I could blacklist a range of IP addresses. Found whitelisting, but not blacklisting. A pointer to such a location would be appreciated.

Kob

martin
Developer
Posts: 6837
Joined: 2003-11-21 01:09
Location: Sweden

Re: Domain /Email address blacklist

Post by martin » 2009-12-12 22:52

If you go to the settings (maybe under Advanced) you'll see something called IP ranges. Here you can add entire ranges and configure hMailServer not to allow any connections for those.

Kob
New user
Posts: 15
Joined: 2005-10-01 13:02

Re: Domain /Email address blacklist

Post by Kob » 2009-12-13 00:50

I looked at this setup, but as far as I can tell it allows only one-off setup for an IP range.
I can not see the possibility to set the following:

Allow deliveries/Connections for the full internet's IP range except the following:
1. IP_Range1
2. IP_Range2
etc.

As I can with my example with the Serv-U FTP server above.

mattg
Moderator
Posts: 21308
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Domain /Email address blacklist

Post by mattg » 2009-12-13 01:34

Ok

In IP ranges, higher priority numbers get preference, i.e. a priority of 30 outweighs a priority of 10.

Your 'My Computer' range should be highest (in most normal circumstances) say 30.

Autoban creates entries at 20.
The 'internet' range should be lower than 20, say about 10.

You have a specific range that you don't want to deal with say 222.240.0.0 >> 222.247.256.256, give that a priority above 20 and don't allow any connections. A priority of 25 would be appropriate.

Add multiple ranges with a priority of 25, and allow no connections.

As long as the internet range allows certain deliveries, it will always be the 'backstop'.

If a user connects from this IP range, they will just be rejected...
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
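The priority rule described in the post above (the matching range with the highest priority number decides) can be checked with a small stand-alone model. This is an added example, not hMailServer code and not from the thread: it is meant to be run with cscript.exe, the ranges and the auto-ban address are constructed samples using the priorities mentioned above, the blocked range's upper bound is written as 222.247.255.255 because an IPv4 octet cannot exceed 255, and treating a malformed bound or an unmatched address as "no matching range" is an assumption of the model.

```vbscript
' Added example: a stand-alone model (run with cscript.exe), not hMailServer code.
' Constructed samples: Array(name, lower IP, upper IP, priority, allow connections).
Function SampleRanges()
    SampleRanges = Array( _
        Array("My computer", "127.0.0.1", "127.0.0.1", 30, True), _
        Array("Blocked network", "222.240.0.0", "222.247.255.255", 25, False), _
        Array("Auto-ban (sample)", "198.51.100.7", "198.51.100.7", 20, False), _
        Array("Internet", "0.0.0.0", "255.255.255.255", 10, True))
End Function

' Convert a dotted-quad IPv4 string to a number, or -1 when it is malformed
' (wrong number of parts, non-digits, or an octet above 255).
Function IPv4ToNumber(sIP)
    Dim aParts, i, oDigits, dTotal
    IPv4ToNumber = -1
    aParts = Split(sIP, ".")
    If UBound(aParts) <> 3 Then Exit Function
    Set oDigits = New RegExp
    oDigits.Pattern = "^\d{1,3}$"
    dTotal = CDbl(0)   ' Double, because 256^4 does not fit in a Long
    For i = 0 To 3
        If Not oDigits.Test(aParts(i)) Then Exit Function
        If CLng(aParts(i)) > 255 Then Exit Function
        dTotal = dTotal * 256 + CLng(aParts(i))
    Next
    IPv4ToNumber = dTotal
End Function

' Return the matching range with the highest priority, or Empty when none matches.
Function ResolveRange(sIP, aRanges)
    Dim dIP, dLow, dHigh, aRange, nBest
    ResolveRange = Empty
    dIP = IPv4ToNumber(sIP)
    If dIP < 0 Then Exit Function
    nBest = -1
    For Each aRange In aRanges
        dLow = IPv4ToNumber(aRange(1))
        dHigh = IPv4ToNumber(aRange(2))
        ' Skip ranges whose bounds are malformed or reversed.
        If dLow >= 0 And dHigh >= dLow Then
            If dIP >= dLow And dIP <= dHigh And aRange(3) > nBest Then
                nBest = aRange(3)
                ResolveRange = aRange
            End If
        End If
    Next
End Function

' Summarise the decision for one client address.
Function DescribeDecision(sIP)
    Dim aHit
    aHit = ResolveRange(sIP, SampleRanges())
    If IsEmpty(aHit) Then
        DescribeDecision = sIP & ": no matching range"
    ElseIf aHit(4) Then
        DescribeDecision = sIP & ": allowed by '" & aHit(0) & "' (priority " & aHit(3) & ")"
    Else
        DescribeDecision = sIP & ": refused by '" & aHit(0) & "' (priority " & aHit(3) & ")"
    End If
End Function

WScript.Echo DescribeDecision("222.241.10.5")     ' inside the blocked network
WScript.Echo DescribeDecision("198.51.100.7")     ' the sample auto-ban entry
WScript.Echo DescribeDecision("192.0.2.10")       ' only the Internet range matches
WScript.Echo DescribeDecision("222.247.256.256")  ' malformed: octets above 255
```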

Slamlander
Normal user
Posts: 50
Joined: 2006-05-17 15:16
Location: Nyon, CH

Re: Domain /Email address blacklist

Post by Slamlander » 2009-12-13 11:35

mattg wrote:Ok

In IP ranges, higher priority numbers get preference, i.e. a priority of 30 outweighs a priority of 10.

Your 'My Computer' range should be highest (in most normal circumstances) say 30.

Autoban creates entries at 20.
The 'internet' range should be lower than 20, say about 10.

You have a specific range that you don't want to deal with say 222.240.0.0 >> 222.247.256.256, give that a priority above 20 and don't allow any connections. A priority of 25 would be appropriate.

Add multiple ranges with a priority of 25, and allow no connections.

As long as the internet range allows certain deliveries, it will always be the 'backstop'.

If a user connects from this IP range, they will just be rejected...

That sounds excessively complex to me. Also, as I've stated before, in these days of massive dynamic address pools at ISPs, IP blocking, even by range, is less than reliable and prone to false positives. ^DOOM^'s suggestion of a combination of both is helpful.
1. I want to block *.CN and *.RU, among others.
2. If ClamWin finds a virus, I want that source mail address immediately blocked for all users, permanently.
3. Any mail purportedly from any internal account and to any other internal account and routed from an unaffiliated MTA (not in the MX list) should be blocked.
4. Allow blocking of User+<reg expression>@domain.tld addresses (I'm getting a lot of Facebook+<rand char>@facebook.com lately and Outlook doesn't know how to filter it).
This might require a bit more complex database structure to support.

A slightly different but related issue is that my mail server is constantly in the red from ClamWin virus scanning all inbound mail, including the spam. We need to run the spam filters before ClamWin runs.
S L A M L A N D E R
Dynamic IP, the best defense against DDOS attacks!

mattg
Moderator
Posts: 21308
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Domain /Email address blacklist

Post by mattg » 2009-12-13 14:45

I was answering KOB's query in the post immediately prior to mine about how to use IP ranges to block by IP range.

This is not something that I would do, but appears to be something that KOB would like to do.
Slamlander wrote:
1. I want to block *.CN and *.RU, among others.
2. If ClamWin finds a virus, I want that source mail address immediately blocked for all users, permanently.
3. Any mail purportedly from any internal account and to any other internal account and routed from an unaffiliated MTA (not in the MX list) should be blocked.
4. Allow blocking of User+<reg expression>@domain.tld addresses (I'm getting a lot of Facebook+<rand char>@facebook.com lately and Outlook doesn't know how to filter it).
This might require a bit more complex database structure to support.

A slightly different but related issue is that my mail server is constantly in the red from ClamWin virus scanning all inbound mail, including the spam. We need to run the spam filters before ClamWin runs.
Similarly, there's not much in your latest post in this thread that I'd like either.

Change from ClamWin to ClamAV - much less memory intensive.
Running a live virus through spam filters isn't something I'd like to do. I'd rather kill the virus before it got to my system, not after it has been through some of it.

Anyway, each to their own opinions I guess.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

sheffters
Senior user
Posts: 453
Joined: 2009-07-01 20:46

Re: Domain /Email address blacklist

Post by sheffters » 2009-12-14 02:57

http://hmailserver.com/forum/viewtopic.php?f=20&t=17029 ... does it via ip ranges in the database

http://hmailserver.com/forum/viewtopic.php?f=20&t=16679 ... does it via scripts

Don't know which is the better solution ... script or IP range.

Both automated though, so should help a bit to kill off countries you don't like.

S.

Slamlander
Normal user
Posts: 50
Joined: 2006-05-17 15:16
Location: Nyon, CH

Re: Domain /Email address blacklist

Post by Slamlander » 2009-12-14 07:25

mattg wrote:
Slamlander wrote:
A slightly different but related issue is that my mail server is constantly in the red from ClamWin virus scanning all inbound mail, including the spam. We need to run the spam filters before ClamWin runs.
Change from ClamWin to ClamAV - much less memory intensive.
Running a live virus through spam filters isn't something I'd like to do. I rather kill the virus before it got to my system, not after it has been through some of it.
The problem isn't memory, it is CPU. I get about 200 Spams per Ham. Reducing the Spam before scanning for virii will not make the system more vulnerable, but will take a huge load off the virus scanner. There is no danger of the virus getting executed in the MTA.
mattg wrote:
Slamlander wrote:
  • Any mail purportedly from any internal account and to any other internal account and routed from an unaffiliated MTA (not in the MX list) should be blocked.
In routing they call it source address filtering (IIRC) and early routers didn't do it. The bad guys were able to inject packets from outside a network that looked like they came from an internal host.
There is a lot of new spam out there that is trying to do this, pretending that it's from the postmaster or even from the user themselves. Source address filtering would trivially block all of it. Email between two users on the same MTA should never originate from a foreign MTA.

I hope that I am not misunderstanding something.
S L A M L A N D E R
Dynamic IP, the best defense against DDOS attacks!

mattg
Moderator
Posts: 21308
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Domain /Email address blacklist

Post by mattg » 2009-12-14 08:23

You should still check ClamAV over ClamWin.
Memory / resources, both aren't used well by ClamWin. This is the method I used. http://www.hmailserver.com/forum/viewto ... 12&t=13699

I enforce all local users to authenticate, except when connecting from a specific set of IP addresses. I also have a script that forbids any user sending mail from an address other than the address they authenticated from.
I use greylisting to great effect - so much so that my SPAM count is <10 after three years. That is less than ten emails in total on a single domain with about 50 accounts in just over three years.

I do like the idea of a blacklist though.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

Slamlander
Normal user
Posts: 50
Joined: 2006-05-17 15:16
Location: Nyon, CH

Re: Domain /Email address blacklist

Post by Slamlander » 2009-12-14 08:57

Let me rephrase a bit.
1. SMTP mail that comes from anywhere else with a sender address from the local MTA's domain(s), valid or not, should be failed.

2. Mail with a sender address from the local MTA's domain(s) that is invalid should be failed.
I wasn't sure that I was being clear, sorry. But those two tests should be trivial for the MTA at message reception time. I see a lot of both of them coming in as spam, including phishing emails pretending to be from Postmaster@Caselle-VPN.Net (an account that does not exist) linking to some web page that collects user account data and infects the user's machine in the process. The latter has caused me some serious grief.

Yes, I am looking at greylisting as well.

FYI, I am using NET10 and an internal TLD but users can connect with IMAP from the Internet.
S L A M L A N D E R
Dynamic IP, the best defense against DDOS attacks!

mattg
Moderator
Posts: 21308
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Domain /Email address blacklist

Post by mattg » 2009-12-14 09:22

Yes I understand what you are saying.

What version of hMailserver are you using.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

Slamlander
Normal user
Posts: 50
Joined: 2006-05-17 15:16
Location: Nyon, CH

Re: Domain /Email address blacklist

Post by Slamlander » 2009-12-14 09:52

mattg wrote:Yes I understand what you are saying.

What version of hMailserver are you using.
5.3-B1617
S L A M L A N D E R
Dynamic IP, the best defense against DDOS attacks!

mattg
Moderator
Posts: 21308
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Domain /Email address blacklist

Post by mattg » 2009-12-14 10:13

Slamlander wrote:Let me rephrase a bit.
1. SMTP mail that comes from anywhere else with a sender address from the local MTA's domain(s), valid or not, should be failed.

2. Mail with a sender address from the local MTA's domain(s) that is invalid should be failed.
OK. Well 2 was added in 5.2 - http://www.hmailserver.com/?page=changelog, primarily so that an alias would be considered local.

For 1. (and 2.) if you set local to local to require SMTP authentication in your internet IP range, and create a local LAN IP range that doesn't require SMTP authentication local to local, together with the below script, your issue should just cease....

Code: Select all

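Sub OnAcceptMessage(oClient, oMessage)

	' Default: accept the message. Set first so a rejection below is not overwritten.
	Result.Value = 0

	' Only authenticated sessions have a username to compare against.
	If oClient.Username <> "" Then
		' Reject when the sender address differs from the authenticated account.
		If LCase(oClient.Username) <> LCase(oMessage.FromAddress) Then
			Result.Value = 2
			Result.Message = "You are only allowed to send from your own account"
		End If
	End If

End Sub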

Slamlander
Normal user
Posts: 50
Joined: 2006-05-17 15:16
Location: Nyon, CH

Re: Domain /Email address blacklist

Post by Slamlander » 2009-12-14 10:16

Awesome Matt, thank you very much. You are the best!

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Re: Domain /Email address blacklist

Post by ^DooM^ » 2009-12-14 10:38

Be careful with that script if you are using a default domain. Read down a bit on this thread.

http://www.hmailserver.com/forum/viewto ... 117#p68117
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

Slamlander
Normal user
Posts: 50
Joined: 2006-05-17 15:16
Location: Nyon, CH

Re: Domain /Email address blacklist

Post by Slamlander » 2009-12-14 11:21

Thanks ^DOOM^ and I am testing it now. I don't use default domains because I have four of them in addition to the two internal TLDs.

That plus the greylisting should cut down the spam. That should work well enough until I get SpamAssassin on my new back-end SuSe Linux server.

mattg
Moderator
Posts: 21308
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Domain /Email address blacklist

Post by mattg » 2009-12-14 12:50

Thanks for the pickup Doom.

And yes, kudos to Doom, it was his script to start with.

dzekas
Senior user
Posts: 2486
Joined: 2005-10-13 21:28
Location: Lithuania

Re: Domain /Email address blacklist

Post by dzekas » 2009-12-14 18:14

Slamlander wrote: 1. I want to block *.CN and *.RU, among others.
Your Chinese and Russian spam is not coming from China or Russia.
Slamlander wrote: 3. Any mail purportedly from any internal account and to any other internal account and routed from an unaffiliated MTA (Not in the MX list) should be blocked.
That's what SPF does.


Domain and email address blocklists don't work against spam. Spammers just use other random addresses.

Slamlander
Normal user
Posts: 50
Joined: 2006-05-17 15:16
Location: Nyon, CH

Re: Domain /Email address blacklist

Post by Slamlander » 2009-12-14 20:03

dzekas wrote:
Slamlander wrote: 1. I want to block *.CN and *.RU, among others.
Your Chinese and Russian spam is not coming from China or Russia.
I know, a lot comes from co.uk.
dzekas wrote:
Slamlander wrote: 3. Any mail purportedly from any internal account and to any other internal account and routed from an unaffiliated MTA (Not in the MX list) should be blocked.
That's what SPF does.
I'm still trying to get that to work at DynDNS.Org. My IP address changes every 20 hours.
dzekas wrote:Domain and email address blocklists don't work against spam. Spammers just use other random addresses.
There is where I disagree. IP range blocking is useless when SwissCom and others are forced to use massive dynamic IP ranges by ARIN. The only thing left to block is sender domain. Still spam is less damaging than a DDOS attack.

dzekas
Senior user
Posts: 2486
Joined: 2005-10-13 21:28
Location: Lithuania

Re: Domain /Email address blacklist

Post by dzekas » 2009-12-14 20:20

Slamlander wrote:
dzekas wrote:Domain and email address blocklists don't work against spam. Spammers just use other random addresses.
There is where I disagree. IP range blocking is useless when SwissCom and others are forced to use massive dynamic IP ranges by ARIN. The only thing left to block is sender domain. Still spam is less damaging than a DDOS attack.
If you want to block a known spammer, you block their IP address or their subnet. SMTP does not do sender verification by default. You can get email from santa@northpole.com or satan@hotplace.com and it wouldn't be from the real Santa or Lord of Flies.

The last spammer that I've deliberately blocked on the server was sending emails from the same mailing list with different return addresses. I've reported them to their ISP and eventually was fed up and started bouncing their emails.

Nargauzius
New user
Posts: 15
Joined: 2009-02-09 23:40

Re: Domain /Email address blacklist

Post by Nargauzius » 2009-12-14 20:43

Aside from that, you couldn't be my email provider because I do legitimate business with Russia and China importing medical equipment manufactured there, so blocking CN and RU ranges of IPs would put me out of business if I were your customer.

Hopefully this is a mail server that only you use.


dzekas wrote:
Slamlander wrote: 1. I want to block *.CN and *.RU, among others.
Your Chinese and Russian spam is not coming from China or Russia.
Slamlander wrote: 3. Any mail purportedly from any internal account and to any other internal account and routed from an unaffiliated MTA (Not in the MX list) should be blocked.
That's what SPF does.


Domain and email address blocklists don't work against spam. Spammers just use other random addresses.

dzekas
Senior user
Posts: 2486
Joined: 2005-10-13 21:28
Location: Lithuania

Re: Domain /Email address blacklist

Post by dzekas » 2009-12-14 22:58

Nargauzius wrote:Aside from that, you couldn't be my email provider because I do legitimate business with Russia and China importing medical equipment manufactured there, so blocking CN and RU ranges of IPs would put me out of business if I were your customer.

Hopefully this is a mail server that only you use.
dzekas wrote:
Slamlander wrote: 1. I want to block *.CN and *.RU, among others.
Your Chinese and Russian spam is not coming from China or Russia.
I don't block servers by country. You confused the original question with the reply. The ones that are deliberately blocked on my server are one Lithuanian spammer which spammed an unused address on my personal domain and regfly spam which will be blocked until it continues to hit a spamtrap address. The RBLs used are country agnostic.

Slamlander
Normal user
Posts: 50
Joined: 2006-05-17 15:16
Location: Nyon, CH

Re: Domain /Email address blacklist

Post by Slamlander » 2009-12-15 09:05

dzekas wrote:
Slamlander wrote:
dzekas wrote:Domain and email address blocklists don't work against spam. Spammers just use other random addresses.
There is where I disagree. IP range blocking is useless when SwissCom and others are forced to use massive dynamic IP ranges by ARIN. The only thing left to block is sender domain. Still spam is less damaging than a DDOS attack.
If you want to block a known spammer, you block their IP address or their subnet. SMTP does not do sender verification by default. You can get email from santa@northpole.com or satan@hotplace.com and it wouldn't be from the real Santa or Lord of Flies.
Okay, time for a trivial counter example

Spammer has Swisscom IP address (10.34.23.11). Sends spam. 20 hours later (or less), their address changes to (10.45.67.86) (Yes, there is really that degree of change). They send more spam. 20 hours later (or less), their address changes to (11.55.44.02). They send more spam. 20 hours later (or less), their address changes to (10.255.234.202).
WAN Gateway IP reassignment log excerpt wrote:
02-16-2009 13:52:19-IP Changed from [85.0.154.66] to [83.78.122.166]
02-16-2009 18:42:32-IP Changed from [83.78.122.166] to [85.1.153.129]
02-16-2009 18:52:33-IP Changed from [85.1.153.129] to [85.1.200.144]
02-16-2009 22:33:09-IP Changed from [85.1.200.144] to [83.77.245.220]
02-16-2009 22:43:10-IP Changed from [83.77.245.220] to [85.0.167.69]
02-16-2009 22:53:11-IP Changed from [85.0.167.69] to [83.79.39.83]
02-18-2009 16:45:12-IP Changed from [83.79.39.83] to [83.78.12.201]
02-19-2009 13:55:59-IP Changed from [83.78.12.201] to [85.1.168.179]
02-20-2009 11:26:34-IP Changed from [85.1.168.179] to [83.77.134.36]

Note that this includes assignments between 83.0.0.0/8 and 85.0.0.0/8
Now design me an IP filter or block that would work over the course of 5 days. No collateral damage (false positives) allowed.

IP filtering is old school and heavily dependent on everyone having a static IP address. Those days are long gone. Names are the only thing we have left.
Last edited by Slamlander on 2009-12-15 10:45, edited 3 times in total.
S L A M L A N D E R
Dynamic IP, the best defense against DDOS attacks!
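
The log excerpt in the post above can be measured directly. This is an added example, not part of any forum post: it parses the quoted log lines, computes the smallest single CIDR block in each /8 that contains every address the gateway held, and reports the shortest time an address was kept. The function names are this example's own.

```python
import ipaddress
import re
from datetime import datetime

# Log lines copied from the WAN gateway excerpt quoted in the post above.
LOG = """\
02-16-2009 13:52:19-IP Changed from [85.0.154.66] to [83.78.122.166]
02-16-2009 18:42:32-IP Changed from [83.78.122.166] to [85.1.153.129]
02-16-2009 18:52:33-IP Changed from [85.1.153.129] to [85.1.200.144]
02-16-2009 22:33:09-IP Changed from [85.1.200.144] to [83.77.245.220]
02-16-2009 22:43:10-IP Changed from [83.77.245.220] to [85.0.167.69]
02-16-2009 22:53:11-IP Changed from [85.0.167.69] to [83.79.39.83]
02-18-2009 16:45:12-IP Changed from [83.79.39.83] to [83.78.12.201]
02-19-2009 13:55:59-IP Changed from [83.78.12.201] to [85.1.168.179]
02-20-2009 11:26:34-IP Changed from [85.1.168.179] to [83.77.134.36]
"""

LINE = re.compile(r"(\d\d-\d\d-\d{4} \d\d:\d\d:\d\d)-IP Changed from \[([\d.]+)\] to \[([\d.]+)\]")

def parse(log):
    """Return (timestamp, old_ip, new_ip) for every well-formed log line."""
    events = []
    for m in map(LINE.fullmatch, log.splitlines()):
        if m:
            ts = datetime.strptime(m.group(1), "%m-%d-%Y %H:%M:%S")
            events.append((ts, *map(ipaddress.ip_address, m.group(2, 3))))
    return events

def covering_blocks(events):
    """Smallest single CIDR block per /8 containing every address seen in that /8."""
    groups = {}
    for _, old, new in events:
        for ip in (old, new):
            groups.setdefault(int(ip) >> 24, set()).add(ip)
    blocks = []
    for ips in groups.values():
        net = ipaddress.ip_network(str(min(ips)))  # start at the lowest address as a /32
        while max(ips) not in net:                 # widen until the highest one fits
            net = net.supernet()
        blocks.append(net)
    return sorted(blocks)

def shortest_hold_seconds(events):
    """Shortest interval between two consecutive reassignments, in seconds."""
    return min(int((b[0] - a[0]).total_seconds()) for a, b in zip(events, events[1:]))

if __name__ == "__main__":
    ev = parse(LOG)
    print(covering_blocks(ev), shortest_hold_seconds(ev))
```

On this excerpt the covering blocks are 83.76.0.0/14 and 85.0.0.0/15, together 393,216 addresses for ten observed ones, and the shortest assignment lasted 601 seconds.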
