Dynamic Black/Whitelists in your script.

This section contains scripts that hMailServer users have contributed. hMailServer 5 is needed to use these.
SorenR
Senior user
Posts: 3153
Joined: 2006-08-21 15:38
Location: Denmark

Post by SorenR » 2019-02-10 00:26

I have been using this feature a while now and it is brilliant. I used to modify my Black/Whitelists directly in my script and reload/restart every time. Not anymore.

Data is located in an XML file in the Events directory and I use Microsoft XML Notepad 2007 to edit the XML file across my SMB network.

Sample VBScript.

Code:

Option Explicit
'
'   COM authentication
'
Private Const ADMIN = "Administrator"
Private Const PASSWORD = "*********"
'
'   XMLDATA file is located in .\hMailServer\Events\
'
Private Const XMLDATA = "dynamic-lists.xml"

'******************************************************************************************************************************
'********** Functions                                                                                                **********
'******************************************************************************************************************************

Function Lookup(strRegEx, strMatch) : Lookup = False
   With CreateObject("VBScript.RegExp")
      .Pattern = strRegEx
      .Global = False
      .MultiLine = True
      .IgnoreCase = True
      If .Test(strMatch) Then Lookup = True
   End With
End Function

Function oLookup(strRegEx, strMatch, bGlobal)
   With CreateObject("VBScript.RegExp")
      .Pattern = strRegEx
      .Global = bGlobal
      .MultiLine = True
      .IgnoreCase = True
      Set oLookup = .Execute(strMatch)
   End With
End Function

Function HTMLClean(strHTML)
   '
   ' <!-- ... -->   PHP: "(<!--[^>]*-->)"      JavaScript: "(<!--[\s\S]*?-->)"
   ' /*   ...  */   PHP: "(\/\*)[^>]*(\*\/)"   JavaScript: "(\/\*)[\s\S]*?(\*\/)"
   ' <!--[\\s\\S]*?(?:-->)?<!---+>?|<!(?![dD][oO][cC][tT][yY][pP][eE]|\\[CDATA\\])[^>]*>?|<[?][^>]*>?
   '
   With CreateObject("VBScript.RegExp")
      .Pattern = "(<style[\s\S]*?style>)|(\/\*[\s\S]*?\*\/)|(<[\s\S]*?>)"
      .Global = True
      .MultiLine = True
      .IgnoreCase = True
      HTMLClean = .Replace(strHTML, "")
   End With
End Function

Function LoadXML(XMLFile)
   Dim oApp : Set oApp = CreateObject("hMailServer.Application")
   Call oApp.Authenticate(ADMIN, PASSWORD)
   Dim oXML : Set oXML = CreateObject("MSXML2.DOMDocument")
   oXML.async = False   ' load synchronously so parseError is meaningful right after Load
   oXML.Load(oApp.Settings.Directories.EventDirectory & "\" & XMLFile)
   If oXML.parseError.errorCode <> 0 Then
      EventLog.Write( "XML ERROR - errorCode - " & oXML.parseError.errorCode ) ' Returns a long integer error code
      EventLog.Write( "XML ERROR - reason    - " & oXML.parseError.reason )    ' Returns a string explaining the reason for the error
      EventLog.Write( "XML ERROR - line      - " & oXML.parseError.line )      ' Returns a long integer representing the line number for the error
      EventLog.Write( "XML ERROR - linePos   - " & oXML.parseError.linePos )   ' Returns a long integer representing the line position for the error
      EventLog.Write( "XML ERROR - srcText   - " & oXML.parseError.srcText )   ' Returns a string containing the line that caused the error
      EventLog.Write( "XML ERROR - url       - " & oXML.parseError.url )       ' Returns the url pointing the loaded document
      EventLog.Write( "XML ERROR - filePos   - " & oXML.parseError.filePos )   ' Returns a long integer file position of the error
   End If
   Set LoadXML = oXML
End Function

Function LoadXMLNode(oXML, MyNode) : LoadXMLNode = ""
   Dim Match, Matches, strTXT
   Set Matches = oXML.selectNodes(MyNode)
   strTXT = ""
   For Each Match In Matches
      strTXT = strTXT & Match.text & "|"
   Next
   If (Trim(strTXT) <> "") Then
      LoadXMLNode = Left(strTXT,Len(strTXT)-1)
   Else
      EventLog.Write( "ERROR: Empty string from LoadXMLNode(oXML, " & MyNode & ")" )
   End If
End Function

'******************************************************************************************************************************
'********** hMailServer Triggers                                                                                     **********
'******************************************************************************************************************************

Sub OnSMTPData(oClient, oMessage)
   Dim oXML : Set oXML = LoadXML(XMLDATA)
   Dim strRegEx
   '
   '   Whitelist HELO
   '
   strRegEx = LoadXMLNode(oXML, "//Whitelist/HELO")
   If Lookup(strRegEx, oClient.HELO) Then
      Exit Sub
   End If
   '
   '   Reject HELO
   '
   strRegEx = LoadXMLNode(oXML, "//Reject/HELO")
   If Lookup(strRegEx, oClient.HELO) Then
      Result.Value = 2
      Result.Message = "5.3.0 CODE01 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means."
      Exit Sub
   End If
End Sub

Sub OnAcceptMessage(oClient, oMessage)
   Dim oXML : Set oXML = LoadXML(XMLDATA)
   Dim strRegEx, Match, Matches
   '
   '   Reject "Subject:"
   '
   strRegEx = LoadXMLNode(oXML, "//Reject/Subject")
   Set Matches = oLookup(strRegEx, oMessage.Subject, False)
   For Each Match In Matches
      Result.Value = 2
      Result.Message = "5.3.0 CODE02 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means."
      Exit Sub
   Next
   '
   '   Blacklist "Body:"
   '
   strRegEx = LoadXMLNode(oXML, "//Blacklist/Bodytxt")
   Set Matches = oLookup(strRegEx, oMessage.Body, False)
   For Each Match In Matches
      Result.Value = 2
      Result.Message = "5.3.0 CODE03 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means."
      Exit Sub
   Next
   Set Matches = oLookup(strRegEx, HTMLClean(oMessage.HTMLBody), False)
   For Each Match In Matches
      Result.Value = 2
      Result.Message = "5.3.0 CODE04 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means."
      Exit Sub
   Next
End Sub
The layout of the XML file is how I use it. <Root> is the top level and should not be changed. <Reject>, <Blacklist> and <Whitelist> you can change any way you like. HOWEVER, the XML syntax is case-sensitive, so if you create <ACME> with elements <Explosive>TNT</Explosive> and <explosive>Nitro</explosive>, a lookup on "//ACME/Explosive" will ONLY list TNT!

IF you edit the XMLDATA file with a text editor, there are some limitations you should be aware of. The text representations of the reserved characters are:

Code:

&lt;   <
&gt;   >
&amp;  &
&quot; "
&apos; '
Sample XMLDATA file

Code:

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<Root>
  <Reject>
    <HELO>(0\.0\.0\.0)</HELO>
    <HELO>(127(?:\.[0-9]{1,3}){3})</HELO>
    <HELO>^(masscan)$</HELO>
    <HELO>^(ylmf\-pc)$</HELO>
    <From>(Sweetme)|(Kira Johns)|(July Girl)|(Hot Mama)|(Little Miss)</From>
    <From>(Baby Boobs)|(Booby Girl)|(Booby Booms)</From>
    <Subject>^(yo|hi|sup|hello|greets|hey t?here)(!?)(.?)(8?-?\)?)?$</Subject>
  </Reject>
  <Blacklist>
    <X-Envelope-From>^(.*\@.*bitcoin.*)$</X-Envelope-From>
    <From>(Tim Kristiansen)</From>
    <Bodytxt>(I have a proposal)</Bodytxt>
    <Bodytxt>(You are receiving this email because you opted in via our website)</Bodytxt>
    <IPRange>^216\.82\.(2(4[0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$</IPRange>
  </Blacklist>
  <Whitelist>
    <X-Envelope-From>^(security\@facebookmail\.com)$</X-Envelope-From>
    <X-Envelope-From>^(noreply\@fitnessworld\.com)$</X-Envelope-From>
    <From>(account-update\@amazon\.com)</From>
    <From>(\@id\.apple\.com)</From>
    <HELO>^(VVS-WEB)[0-9]{2}(\.localdomain)$</HELO>
    <HELO>^(app)[0-9]{2}(-shippii-com)$</HELO>
    <HELO>^(LouisesMatebookX)$</HELO>
    <HELO>^(LAPTOP08MT84VB)$</HELO>
  </Whitelist>
  <Ransomeware>
    <Bodytxt>(https://dl.dropboxusercontent.com/s/)</Bodytxt>
    <Bodytxt>(https://www.dropbox.com/meta_dl/)</Bodytxt>
  </Ransomeware>
</Root>
SørenR.

The quantum rule of insecurity which states that the act of observing how vulnerable a host or service is changes the insecurity level of the service.

palinka
Senior user
Posts: 884
Joined: 2017-09-12 17:57

Re: Dynamic Black/Whitelists in your script.

Post by palinka » 2019-02-10 01:47

Installed. I'm not sure how useful the rest will be, but the reject on helo will slay a lot of spammers.


Re: Dynamic Black/Whitelists in your script.

Post by SorenR » 2019-02-10 14:54

palinka wrote:
2019-02-10 01:47
Installed. I'm not sure how useful the rest will be, but the reject on helo will slay a lot of spammers.
The code in OnSMTPData(oClient, oMessage) I have in OnHELO(oClient) but since OnHELO(oClient) is not in the official build, I placed the code there. The benefit of moving it to OnHELO(oClient) is AUTH is done AFTER OnHELO(oClient) and BEFORE OnSMTPData(oClient, oMessage) ... :wink:


Re: Dynamic Black/Whitelists in your script.

Post by SorenR » 2019-02-10 15:26

This will filter out ANY non-RFC compliant HELO/EHLO greeting. There are a lot of SPAM BOTs and infected clients/servers that can be captured using this.
This is NOT a foolproof test and valid servers/clients MAY fail. That's why you MUST use a Whitelist BEFORE this test.

I experience that Outlook 365 clients sometimes identify themselves with the machine name and not the FQDN. I believe this is a problem with the DHCP service. I have made entries in my Whitelist to compensate for this. Also, I skip this test for clients on my LAN.

Valid greetings are: FQDN, [192.168.0.1] and [IPv6:fe80::1]

Non-Valid greetings are: masscan, localhost, ylmf-pc, WIN-82VNUNPK9RO

Code:

   '
   '   Validate HELO/EHLO greeting
   '
   Const strFQDN = "^(?=^.{1,254}$)(^(?:(?!\.|-)([a-z0-9\-\*]{1,63}|([a-z0-9\-]{1,62}[a-z0-9]))\.)+(?:[a-z]{2,})$)$"
   Const strIPv4 = "^\[(?:[0-9]{1,3}\.){3}[0-9]{1,3}\]$"
   ' IPv6 address literal, optionally ending in a dotted quad (IPv4-mapped). The original had a stray ">" in front of "25[0-5]".
   Const strIPv6 = "^\[(IPv6)((?:[0-9A-Fa-f]{0,4}:){1,7}(?:(?:(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|[0-9A-Fa-f]{1,4}))\]$"
   strRegEx = strFQDN & "|" & strIPv4 & "|" & strIPv6
   If (Lookup(strRegEx, oClient.HELO) = False) Then
      Result.Value = 2
      ' hMailServer prepends "554 "; the message starts with the enhanced status code, as in the other snippets in this thread.
      ' The original called a SMTPCode() helper that is not shown anywhere in the thread.
      Result.Message = "5.3.0 CODE03 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means."
      Exit Sub
   End If
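Added example (Python, not the VBScript from the post above and not hMailServer code): the HELO/EHLO syntax test rebuilt so it can be unit-tested offline. Bracketed address literals are parsed with the standard library's ipaddress module, which also rejects out-of-range octets such as [999.1.1.1] that a digits-only regex lets through. The WHITELIST entries and the reject text are placeholders copied from the XML layout in the thread; a real deployment loads them from the file. The hostname pattern uses only constructs VBScript.RegExp also supports (no lookbehind), so it ports back.

```python
import ipaddress
import re

# A hostname label is 1-63 alphanumerics or '-', not starting or ending with '-';
# a FQDN needs at least two labels, an alphabetic TLD and at most 253 characters.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
FQDN_RE = re.compile(r"^(?=.{1,253}$)(?:" + _LABEL + r"\.)+[a-z]{2,63}$", re.IGNORECASE)

# Placeholder whitelist in the same form as the <Whitelist><HELO> entries in the thread's XML.
WHITELIST = [r"^(LAPTOP08MT84VB)$", r"^(VVS-WEB)[0-9]{2}(\.localdomain)$"]

REJECT_TEXT = ("5.3.0 CODE03 Your access to this mail system has been rejected "
               "due to the sending MTA's poor reputation.")


def classify_helo(helo: str) -> str:
    """Return 'fqdn', 'ipv4-literal', 'ipv6-literal' or 'invalid' for a HELO/EHLO argument.

    Address literals follow RFC 5321 section 4.1.3: [1.2.3.4] or [IPv6:...].
    """
    helo = helo.strip()
    if helo.startswith("[") and helo.endswith("]"):
        inner = helo[1:-1]
        try:
            if inner[:5].lower() == "ipv6:":
                ipaddress.IPv6Address(inner[5:])
                return "ipv6-literal"
            ipaddress.IPv4Address(inner)
            return "ipv4-literal"
        except ValueError:
            return "invalid"
    return "fqdn" if FQDN_RE.match(helo) else "invalid"


def helo_decision(helo: str, whitelist=WHITELIST):
    """Whitelist first, then the syntax test, in the order the post insists on.

    Returns ('accept', why) or ('reject', message). Misconfigured but legitimate
    clients (Outlook sending a bare machine name) survive only via the whitelist.
    """
    for pattern in whitelist:
        if re.search(pattern, helo, re.IGNORECASE):
            return ("accept", "whitelisted")
    kind = classify_helo(helo)
    if kind == "invalid":
        return ("reject", REJECT_TEXT)
    return ("accept", kind)
```

The greetings the post lists behave as described: the FQDN and the two address literals classify as valid, while masscan, localhost, ylmf-pc and WIN-82VNUNPK9RO are rejected because they have no dot at all. Checking the whitelist before the syntax test is what lets a bare machine name through.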


Re: Dynamic Black/Whitelists in your script.

Post by palinka » 2019-02-10 17:13

I get a lot of these:

2019-02-10 01:02:22.199 RECEIVED: EHLO 24-121-219-54.erkacmtk02.com.sta.suddenlink.net

It's a valid FQDN, I suppose. But it's botnet crap from a dynamic IP. SA filters them fine, but it would be great to reject them altogether.


Re: Dynamic Black/Whitelists in your script.

Post by SorenR » 2019-02-10 21:31

palinka wrote:
2019-02-10 17:13
I get a lot of these:

2019-02-10 01:02:22.199 RECEIVED: EHLO 24-121-219-54.erkacmtk02.com.sta.suddenlink.net

It's a valid fqdn, i suppose. But it's bot net crap from a dynamic ip. SA filters them fine, but it would be great to reject them altogether.
This appears to be the most I can cut it down and still not cripple suddenlink.net completely.
<Root>
<Reject>
<HELO>^(.*\.com\.sta\.suddenlink\.net)$</HELO>
</Reject>
</Root>


Re: Dynamic Black/Whitelists in your script.

Post by palinka » 2019-02-10 21:53

Oh, sorry, no. I didn't mean they all come from suddenlink. They come from all over, every and any ISP but using the host name of the ISP's IP address. Some are static IPs as well ("STATIC" being part of the hostname).

Code:

2019-02-10 01:02:22.199	RECEIVED: EHLO 24-121-219-54.erkacmtk02.com.sta.suddenlink.net
2019-02-10 01:02:43.777	RECEIVED: MAIL FROM: <GeraldScott@suddenlink.net>

RECEIVED: EHLO 120.pool90-71-49.dynamic.orange.es
2019-02-10 01:55:41.518	RECEIVED: MAIL FROM: <JoshuaPatterson@orange.es>

RECEIVED: EHLO soetemanfc.nl
2019-02-10 02:02:13.921	RECEIVED: MAIL FROM: <MarkMoore@soetemanfc.nl>

RECEIVED: EHLO static-74-214-35-42.cpe.metrocast.net
2019-02-10 03:20:51.826	RECEIVED: MAIL FROM: <BrianMiller@metrocast.net>

RECEIVED: EHLO static-74-101-171-218.nycmny.fios.verizon.net
2019-02-10 03:47:20.016	RECEIVED: MAIL FROM: <RalphDavis@verizon.net>

RECEIVED: EHLO cityhotelsootmarsum.nl
2019-02-10 03:56:52.849	RECEIVED: MAIL FROM: <ScottMartinez@cityhotelsootmarsum.nl>

RECEIVED: EHLO 68-112-54-79.static.hlrg.nc.charter.com
2019-02-10 04:19:07.528	RECEIVED: MAIL FROM: <BillyCarter@charter.com>

RECEIVED: EHLO vandepoltours.nl
2019-02-10 04:39:20.121	RECEIVED: MAIL FROM: <GregoryRussell@vandepoltours.nl>

RECEIVED: EHLO nuvanwerknaarwerk.nl
2019-02-10 05:13:54.390	RECEIVED: MAIL FROM: <RoyWilson@nuvanwerknaarwerk.nl>

And so on and so forth. The pattern is in the from address: Capital first letter first name, capital first letter last name. Obviously they're spoofed addresses. Most are in the form of host name of the IP like "120.pool90-71-49.dynamic.orange.es".

Like I said, SA deals with them effectively because they are all or nearly all very high level malicious spam. Lots of viruses and "meet me" sex links. It would be great if they could be rejected. Not sure how that could be done. The only way I can think of is to check if the domain has a working mail server, but that could take a bunch of resources, I would imagine.

For example, I looked up static-74-214-35-42.cpe.metrocast.net on mxtoolbox.com. The IP does match the hostname, but when I do the SMTP dialogue test, it comes back with a timeout.

But then again, cityhotelsootmarsum.nl is/has a working mail server. They probably don't know they've been compromised.


Re: Dynamic Black/Whitelists in your script.

Post by SorenR » 2019-02-10 23:23

This is for IPv4 only. I must admit I have not seen one of those in a VERY VERY long time...

Code:

   Dim a
   a = Split(oClient.IPAddress, ".")
   ' Reversed client octets joined with dashes, e.g. 79.54.112.68 -> "68-112-54-79"
   If (InStr(1, oClient.HELO, a(3) & "-" & a(2) & "-" & a(1) & "-" & a(0), 1) > 0) Then
      Result.Value = 2
      ' hMailServer prepends "554 "; start the message with the enhanced status code (the original had "530")
      Result.Message = "5.3.0 CODE10 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means."
      Exit Sub
   End If
I presume this...

RECEIVED: EHLO 68-112-54-79.static.hlrg.nc.charter.com
2019-02-10 04:19:07.528 RECEIVED: MAIL FROM: <BillyCarter@charter.com>

came from 79.54.112.68 :wink:


Re: Dynamic Black/Whitelists in your script.

Post by SorenR » 2019-02-11 00:36

Had a closer look at my raw SMTP logs ... oops ... I do get them, but they are denied as sender and recipient are the same and my domain requires authentication.

Hmm... I got 1 Friday, 2 Saturday and today at 5 PM it really took off...

I see some of them have the IP address the "right way"

"SMTPD" 2764 142 "2019-02-10 18:19:48.276" "89.64.17.153" "RECEIVED: EHLO 89-64-17-153.dynamic.chello.pl"

and some of them have the IP address the "reverse way"

"SMTPD" 2792 162 "2019-02-10 19:37:56.236" "178.150.135.53" "RECEIVED: EHLO 53.135.150.178.triolan.net"

I have just added this to my EventHandlers.vbs, lets see if it works...

Code:

   Dim a, strRegEx
   a = Split(oClient.IPAddress, ".")
   strRegEx = "(" & a(3) & "-" & a(2) & "-" & a(1) & "-" & a(0) & ")|(" & a(0) & "-" & a(1) & "-" & a(2) & "-" & a(3) & ")"
   If Lookup(strRegEx, oClient.HELO) Then
      Result.Value = 2
      Result.Message = "5.3.0 CODE10 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means."   ' enhanced status code; hMailServer prepends "554 "
      Exit Sub
   End If


Re: Dynamic Black/Whitelists in your script.

Post by palinka » 2019-02-11 03:17

SorenR wrote:
2019-02-11 00:36
This looks really good. Good idea to use the dashes.

Does this require the new unofficial version of hmailserver?


Re: Dynamic Black/Whitelists in your script.

Post by SorenR » 2019-02-11 03:23

palinka wrote:
2019-02-11 03:17
This looks really good. Good idea to use the dashes.

Does this require the new unofficial version of hmailserver?
You can add this to OnHELO or OnSMTPData, preferably after a HELO Whitelist, if you have one.


Re: Dynamic Black/Whitelists in your script.

Post by palinka » 2019-02-11 03:45

SorenR wrote:
2019-02-11 03:23
You can add this to OnHELO or OnSMTPData, preferably after a HELO Whitelist, if you have one.
👍


Re: Dynamic Black/Whitelists in your script.

Post by SorenR » 2019-02-11 03:49

Code:

"SMTPD"	2052	3	"2019-02-11 01:27:19.137"	"191.19.107.164"	"SENT: 220 mx.acme.inc ESMTP"
"SMTPD"	2052	3	"2019-02-11 01:27:19.418"	"191.19.107.164"	"RECEIVED: EHLO 191-19-107-164.user.vivozap.com.br"
"SMTPD"	2052	3	"2019-02-11 01:27:19.528"	"191.19.107.164"	"SENT: 554 5.3.0 CODE10 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means."
"SMTPD"	2052	3	"2019-02-11 01:27:19.793"	"191.19.107.164"	"RECEIVED: HELO 191-19-107-164.user.vivozap.com.br"
"SMTPD"	2052	3	"2019-02-11 01:27:19.825"	"191.19.107.164"	"SENT: 554 5.3.0 CODE10 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means."


Re: Dynamic Black/Whitelists in your script.

Post by palinka » 2019-02-11 11:38

From this morning.

Code:

SMTPD  –  83  –  66.167.205.6 ?
2019-02-11 00:54:11.603	RECEIVED: EHLO h-66-167-205-6.snva.ca.dynamic.globalcapacity.com
2019-02-11 00:54:32.821	SENT: 554 530 CODE10 Your access to this mail system has been rejected due to the sending MTAs poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate 

SMTPD  –  114  –  199.36.111.220 ?
2019-02-11 01:49:10.329	SENT: 220 mydomain
2019-02-11 01:49:10.954	RECEIVED: EHLO 26-108-144-198.customer.rigidtech.net
2019-02-11 01:49:50.755	SENT: 250-mydomain
250-SIZE 20480000
250-STARTTLS
250 HELP
2019-02-11 01:49:51.075	RECEIVED: MAIL FROM: <JamesBoyd@rigidtech.net>
2019-02-11 01:49:51.341	SENT: 250 OK

SMTPD  –  173  –  97.96.158.36 ?
2019-02-11 03:19:00.883	SENT: 220 mydomain
2019-02-11 03:19:01.398	RECEIVED: EHLO 097-096-158-036.biz.spectrum.com
2019-02-11 03:19:22.686	SENT: 250-mydomain
250-SIZE 20480000
250-STARTTLS
250 HELP
2019-02-11 03:19:23.139	RECEIVED: MAIL FROM: <FrederickJordan@spectrum.com>
2019-02-11 03:19:23.280	SENT: 250 OK

One worked. One had a different ip than the domain name, the other inserted 0's into the domain to make the ip portion all 3 digits. Weird.


Re: Dynamic Black/Whitelists in your script.

Post by SorenR » 2019-02-11 13:59

This should take care of;

1: 127-0-0-1
2: 127-000-000-001
3: 1-0-0-127
4: 001-000-000-127

Code:

   Dim a, b(3), i, strRegEx
   a = Split(oClient.IPAddress, ".")
   For i = 0 to 3
      b(i) = Right("00" & a(i),3)
   Next
   strRegEx = "(" & a(0) & "-" & a(1) & "-" & a(2) & "-" & a(3) & ")|" &_
              "(" & b(0) & "-" & b(1) & "-" & b(2) & "-" & b(3) & ")|" &_
              "(" & a(3) & "-" & a(2) & "-" & a(1) & "-" & a(0) & ")|" &_
              "(" & b(3) & "-" & b(2) & "-" & b(1) & "-" & b(0) & ")"
   If Lookup(strRegEx, oClient.HELO) Then
      Result.Value = 2
      Result.Message = "5.3.0 CODE10 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means."   ' enhanced status code; hMailServer prepends "554 "
      Exit Sub
   End If


Re: Dynamic Black/Whitelists in your script.

Post by palinka » 2019-02-12 11:51

Thanks!


Re: Dynamic Black/Whitelists in your script. Feb. 12. SECURITY UPDATE

Post by SorenR » 2019-02-12 18:39

This is potentially an IMPORTANT update.

If a lookup in the XML file returns "", the RegEx Lookup/oLookup WILL MATCH EVERYTHING.

The change is altering

---> Function LoadXMLNode(oXML, MyNode) : LoadXMLNode = ""

to

---> Function LoadXMLNode(oXML, MyNode) : LoadXMLNode = "THIS CANNOT BE EMPTY"


I came across this today as I deleted all "From" elements from node "Blacklist" this morning, leaving no results for LoadXMLNode(oXML, "//Blacklist/From").

Code:

Function LoadXMLNode(oXML, MyNode) : LoadXMLNode = "THIS CANNOT BE EMPTY"
   Dim Match, Matches, strTXT
   Set Matches = oXML.selectNodes(MyNode)
   strTXT = ""
   For Each Match In Matches
      strTXT = strTXT & Match.text & "|"
   Next
   If (Trim(strTXT) <> "") Then
      LoadXMLNode = Left(strTXT,Len(strTXT)-1)
   Else
      EventLog.Write( "ERROR: Empty string from LoadXMLNode(oXML, " & MyNode & ")" )
   End If
End Function
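Added example (Python, not the thread's VBScript and not hMailServer code) covering the XML-driven lookup from the first post and the fail-open bug this security update describes: when a node set is empty, the joined pattern is "" and a regex test against "" matches every string, so deleting the last <From> entry turns a blacklist into "block everyone". The sample XML is a constructed, cut-down copy of the first post's layout; MSXML's "//Reject/HELO" becomes ".//Reject/HELO" in ElementTree. naive_lookup reproduces the original behaviour, load_patterns/safe_lookup fail closed by returning None for a missing list, and the element-name case sensitivity mentioned under the sample file is shown as well.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Optional

# Constructed sample in the layout of dynamic-lists.xml from the first post.
SAMPLE_XML = r"""<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<Root>
  <Reject>
    <HELO>(0\.0\.0\.0)</HELO>
    <HELO>^(masscan)$</HELO>
    <HELO>^(ylmf\-pc)$</HELO>
  </Reject>
  <Blacklist>
    <Bodytxt>(I have a proposal)</Bodytxt>
  </Blacklist>
  <Whitelist>
    <HELO>^(LAPTOP08MT84VB)$</HELO>
  </Whitelist>
</Root>
"""


def node_texts(xml_text: str, node_path: str) -> List[str]:
    """Text of every element at node_path, e.g. 'Reject/HELO'.

    Element names are case-sensitive: 'Reject/helo' finds nothing.
    """
    root = ET.fromstring(xml_text)
    return [(el.text or "").strip() for el in root.findall(".//" + node_path)]


def naive_lookup(xml_text: str, node_path: str, value: str) -> bool:
    """The original LoadXMLNode()/Lookup() behaviour: join with '|' and test.

    An empty node set yields the pattern '', which matches every string, so a
    list that has just been emptied rejects all mail.
    """
    joined = "|".join(node_texts(xml_text, node_path))
    return re.search(joined, value, re.IGNORECASE | re.MULTILINE) is not None


def load_patterns(xml_text: str, node_path: str) -> Optional[re.Pattern]:
    """Fail-closed variant: None when there are no non-empty entries."""
    parts = [p for p in node_texts(xml_text, node_path) if p]
    if not parts:
        return None
    return re.compile("|".join(parts), re.IGNORECASE | re.MULTILINE)


def safe_lookup(xml_text: str, node_path: str, value: str) -> bool:
    pattern = load_patterns(xml_text, node_path)
    return pattern is not None and pattern.search(value) is not None


def helo_verdict(xml_text: str, helo: str) -> str:
    """Whitelist first, then the reject list; 'continue' leaves it to later tests."""
    if safe_lookup(xml_text, "Whitelist/HELO", helo):
        return "accept"
    if safe_lookup(xml_text, "Reject/HELO", helo):
        return "reject"
    return "continue"
```

The author's fix (a sentinel string that can never occur) and the None return above have the same effect: a missing list is a non-match rather than a match-all. Whichever you use, an empty result should also be logged, as LoadXMLNode does, because it usually means a typo in the node path.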


Re: Dynamic Black/Whitelists in your script.

Post by palinka » 2019-02-15 19:44

Sneaky buggers using dots now.

Code:

Received: from 33.net-3-2.embou.es (33.net-94.228.2.isbl.embou.net [94.228.2.33]) 


Re: Dynamic Black/Whitelists in your script.

Post by SorenR » 2019-02-16 00:03

Deleted my last post... this fell into the trap: mail-oln040092254091.outbound.protection.outlook.com

spamhaus do have some bugs :mrgreen:
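Added example (Python, not the thread's VBScript and not hMailServer code) for the "client IP written into the HELO name" heuristic developed across the posts above, including the dotted form from the "sneaky buggers" report. It goes a little beyond the posted code: octets may be dash- or dot-separated, forward or reversed, plain or zero-padded, and digit boundaries stop 1.2.3.4 from firing on 11-2-3-45. Separators are required, so a name that concatenates the octets with nothing between them, like the outlook.com host reported as a trap just above, is deliberately not matched. The log lines are constructed in hMailServer's tab-separated SMTPD layout; the IP/HELO pairs are the ones quoted in the thread, except the outlook.com client address, which is inferred from the hostname and labelled as such.

```python
import re
from typing import List, Optional, Tuple

HELO_RE = re.compile(r"RECEIVED: (?:EHLO|HELO) (\S+)", re.IGNORECASE)


def _octet_sequences(ip: str) -> List[List[str]]:
    """Forward and reversed octet order, each plain and zero-padded to 3 digits.

    IPv4 only, like the posted script; anything else yields no sequences.
    """
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        return []
    padded = [o.zfill(3) for o in octets]
    return [octets, padded, octets[::-1], padded[::-1]]


def ip_in_helo_pattern(ip: str) -> Optional[re.Pattern]:
    """Pattern matching the client IP embedded in a PTR-style hostname.

    A separator (dash or dot) is required between octets, and the run of digits
    must not continue on either side, so partial overlaps do not count.
    """
    alternatives = []
    for seq in _octet_sequences(ip):
        for sep in ("-", r"\."):
            alternatives.append(sep.join(seq))
    if not alternatives:
        return None
    return re.compile(r"(?<![0-9])(?:" + "|".join(alternatives) + r")(?![0-9])")


def helo_embeds_client_ip(helo: str, ip: str) -> bool:
    pattern = ip_in_helo_pattern(ip)
    return pattern is not None and pattern.search(helo) is not None


def scan_smtpd_log(lines) -> List[Tuple[str, str, bool]]:
    """(client_ip, helo, flagged) for each EHLO/HELO line in hMailServer's SMTPD log.

    Layout: "SMTPD"<TAB>pid<TAB>session<TAB>"time"<TAB>"ip"<TAB>"text".
    """
    results = []
    for line in lines:
        fields = [f.strip('"') for f in line.rstrip("\n").split("\t")]
        if len(fields) < 6 or fields[0] != "SMTPD":
            continue
        m = HELO_RE.search(fields[5])
        if m:
            helo = m.group(1)
            results.append((fields[4], helo, helo_embeds_client_ip(helo, fields[4])))
    return results


# Constructed log lines; the last client IP is inferred from its hostname.
SAMPLE_LOG = [
    '"SMTPD"\t2052\t3\t"2019-02-11 01:27:19.418"\t"191.19.107.164"\t"RECEIVED: EHLO 191-19-107-164.user.vivozap.com.br"',
    '"SMTPD"\t2764\t142\t"2019-02-10 18:19:48.276"\t"89.64.17.153"\t"RECEIVED: EHLO 89-64-17-153.dynamic.chello.pl"',
    '"SMTPD"\t2792\t162\t"2019-02-10 19:37:56.236"\t"178.150.135.53"\t"RECEIVED: EHLO 53.135.150.178.triolan.net"',
    '"SMTPD"\t3001\t173\t"2019-02-11 03:19:01.398"\t"97.96.158.36"\t"RECEIVED: EHLO 097-096-158-036.biz.spectrum.com"',
    '"SMTPD"\t3002\t114\t"2019-02-11 01:49:10.954"\t"199.36.111.220"\t"RECEIVED: EHLO 26-108-144-198.customer.rigidtech.net"',
    '"SMTPD"\t3003\t9\t"2019-02-15 10:00:00.000"\t"40.92.254.91"\t"RECEIVED: EHLO mail-oln040092254091.outbound.protection.outlook.com"',
]
```

Two caveats the thread itself surfaces: a HELO that names a different IP than the one connecting (the rigidtech.net line) is not caught by this test, since it only looks for the connecting address, and rotated forms such as 33.net-94.228.2.isbl.embou.net are not matched either. As with every HELO heuristic here, run it after the whitelist.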


Re: Dynamic Black/Whitelists in your script.

Post by palinka » 2019-02-16 15:29

SorenR wrote:
2019-02-16 00:03
Deleted my last post... this fell into the trap: mail-oln040092254091.outbound.protection.outlook.com

spamhaus do have some bugs :mrgreen:
Aye. Good for me. I have too many projects lined up this weekend anyway. :D


Re: Dynamic Black/Whitelists in your script.

Post by SorenR » 2019-02-19 02:09

Been running this isLashBack() function over the weekend...
The listings are determined objectively and systematically. Only IPs that send email to specially-created, LashBack owned-and-monitored email addresses (unsubscribe probes) -- that are used only on suppression lists -- are blacklisted.
You know, these SPAM mails where the "unsubscribe" button don't really seem to function properly.

Code:

Function isLashBack(strIP) : isLashBack = False
   Dim a, strLookup
   a = Split(strIP, ".")
   With CreateObject("DNSLibrary.DNSResolver")
      strLookup = .DNSLookup(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".ubl.unsubscore.com")
   End With
   If (InStr(1, strLookup, "127.0.0.2", 1) > 0) Then isLashBack = True
End Function

Function isSnowShoe(strIP) : isSnowShoe = False
   Dim a, strLookup
   a = Split(strIP, ".")
   With CreateObject("DNSLibrary.DNSResolver")
      strLookup = .DNSLookup(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".zen.spamhaus.org")
   End With
   If (InStr(1, strLookup, "127.0.0.3", 1) > 0) Then isSnowShoe = True
End Function

Sub OnClientConnect(oClient)
   '
   '   LashBack SPAM detection
   '
   If isLashBack(oClient.IPAddress) Then
      Result.Value = 1
      Exit Sub
   End If
   '
   '   SnowShoe SPAM detection
   '
   If isSnowShoe(oClient.IPAddress) Then
      Result.Value = 1
      Exit Sub
   End If
End Sub
Between this and the SnowShoe function, my server is having an easy life.

I have changed the SnowShoe function for the rare event that sbl.spamhaus.org would return 127.0.0.2 AND 127.0.0.3. We only need to check for 127.0.0.3.
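Added example (Python, not the post's VBScript and not hMailServer code): the DNSBL query construction and return-code handling behind isLashBack()/isSnowShoe(). The query name is built per RFC 5782 (reversed octets, or reversed nibbles for IPv6, which the Split-on-"." in the posted code cannot handle), and the Spamhaus ZEN answers are decoded rather than substring-matched, so the 127.255.255.x error codes Spamhaus returns for open-resolver or over-quota queries are reported instead of being mistaken for a listing or silently ignored. The resolver is injected; FAKE_DNS is a constructed answer table so the code runs offline, and in production you would pass a function that performs the real A-record lookup.

```python
import ipaddress
from typing import Callable, Dict, List

Resolver = Callable[[str], List[str]]

# Spamhaus ZEN return codes as documented by Spamhaus.
ZEN_CODES: Dict[str, str] = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL CSS (snowshoe)",
    "127.0.0.4": "XBL",
    "127.0.0.9": "SBL DROP",
    "127.0.0.10": "PBL (ISP maintained)",
    "127.0.0.11": "PBL (Spamhaus maintained)",
}
# Error responses: never a listing, never grounds to drop a client.
ZEN_ERRORS: Dict[str, str] = {
    "127.255.255.252": "typing error in DNSBL name",
    "127.255.255.254": "query via public/open resolver",
    "127.255.255.255": "excessive number of queries",
}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """RFC 5782 query name: reversed octets for IPv4, reversed nibbles for IPv6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + "." + zone
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + "." + zone


def zen_verdict(ip: str, resolve: Resolver) -> Dict[str, object]:
    """Decode every A record ZEN returns; a listing may carry several codes at once."""
    answers = resolve(dnsbl_query_name(ip, "zen.spamhaus.org"))
    listed = [a for a in answers if a.startswith("127.0.0.")]
    errors = [ZEN_ERRORS.get(a, a) for a in answers if a.startswith("127.255.")]
    return {
        "listed": bool(listed),
        "reasons": [ZEN_CODES.get(a, a) for a in listed],
        "snowshoe": "127.0.0.3" in listed,
        "errors": errors,
    }


def is_lashback(ip: str, resolve: Resolver) -> bool:
    """ubl.unsubscore.com answers 127.0.0.2 for listed senders."""
    return "127.0.0.2" in resolve(dnsbl_query_name(ip, "ubl.unsubscore.com"))


def client_connect_verdict(ip: str, resolve: Resolver) -> str:
    """Same policy as the OnClientConnect handler: drop on LashBack or CSS, else continue.

    An error code from the DNSBL is worth logging but must not cause a drop.
    """
    if is_lashback(ip, resolve):
        return "drop: lashback"
    if zen_verdict(ip, resolve)["snowshoe"]:
        return "drop: snowshoe"
    return "continue"


# Constructed answer table standing in for DNS. 127.0.0.2 is the conventional
# DNSBL test address; the other entries are invented to exercise each branch.
FAKE_DNS: Dict[str, List[str]] = {
    "2.0.0.127.zen.spamhaus.org": ["127.0.0.2", "127.0.0.4", "127.0.0.10"],
    "2.0.0.127.ubl.unsubscore.com": ["127.0.0.2"],
    "53.135.150.178.zen.spamhaus.org": ["127.0.0.3"],
    "6.205.167.66.zen.spamhaus.org": ["127.255.255.254"],
}


def fake_resolve(name: str) -> List[str]:
    return FAKE_DNS.get(name, [])  # an empty list stands for NXDOMAIN
```

The InStr() test in the posted VBScript works because the error codes never contain the substring "127.0.0.3", but it also discards the information that the query itself failed; the dictionary above keeps it so the event log can tell you when Spamhaus has started refusing your resolver.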

mattg
Moderator
Posts: 19880
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Dynamic Black/Whitelists in your script.

Post by mattg » 2019-02-19 03:37

I've been using ubl.unsubscore.com as an RBL for a long time

I had it set to 1, but checking a few this morning, SpamAssassin normally rejects these, and no other RBL picks them up.

Think I'll increase my score for this RBL
Thanks
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation


Re: Dynamic Black/Whitelists in your script.

Post by SorenR » 2019-03-13 13:42

Latest addition is an UCE list ... Let's see if I can piss some people off :mrgreen:
Oh and... To stop the complaints from coming, they need to stop the SPAM mails from coming :mrgreen:

I have added to my XML "directory"

Code:

  <UCE>
    <namesilo>^(mail\.danzamor\.com)$</namesilo>
    <namesilo>^(mail\.downpic\.com)$</namesilo>
    <namesilo>^(mail\.rememberbeherenow\.com)$</namesilo>
    <namesilo>^(mail\.makze\.com)$</namesilo>
    <namesilo>^(mail\.retpem\.com)$</namesilo>
    <namesilo>^(mail\.genpip\.com)$</namesilo>
    <namesilo>^(mail\.kalosive\.com)$</namesilo>
    <namesilo>^(mail\.luckydaeon\.com)$</namesilo>
    <namesilo>^(mail\.3dmeditation\.com)$</namesilo>
    <namesilo>^(mail\.leinno\.com)$</namesilo>
    <namesilo>^(mail\.ssdspace\.com)$</namesilo>
    <namecheap>^(.*\.icu)$</namecheap>
  </UCE>
"namesilo" and "namecheap" are the registrars :twisted: IP addresses are all over the world.

NOTE: For a very long time I have received UCE/SPAM from tld ".icu" ... ONLY ... When I start receiving something else from an ".icu" domain, I MAY change away from using a wildcard.
When doing a Whois on the domains they are "redacted for privacy" thus the only usable information is the Abuse Contact Email. And so be it ... :mrgreen:

To: Whois Abuse Contact <abuse@????>
Cc: Danish Consumer Ombudsman <int@spamXXXX.dk>, Federal Trade Commission (FTC) <spam@uceXXXX.gov>
Bcc: Automated UCE/SPAM Defence <spam@acme.inc>
From: Automated UCE/SPAM Defence <spam@acme.inc>

Code:

Function CreateGUID()
   ' Scriptlet.TypeLib.Guid returns "{...}" followed by trailing null characters; keep the 38 visible characters
   CreateGUID = Left(CreateObject("Scriptlet.TypeLib").Guid, 38)
End Function

Sub ReturnUCEMail(oMessage, strContact)
'
'   Forbrugerombudsmanden,         dansk@spamXXXX.dk
'   Danish Consumer Ombudsman,       int@spamXXXX.dk
'   Federal Trade Commission (FTC), spam@uceXXXX.gov
'
'   https://api.hackertarget.com/whois/?q=google.com
'   find email in text: strRegEx = "([\w.]+)\@(\w+\.\w+)(\.\w+)?"
'
   ' Builds a new message with the original (oMessage) attached as a file and queues it for delivery
   With CreateObject("hMailServer.Message")
      .HeaderValue("Message-ID") = "<" & CreateGUID & ">"
      .FromAddress = "spam@acme.inc"
      .AddRecipient "Whois Abuse Contact", strContact
      .AddRecipient "Danish Consumer Ombudsman", "int@spamXXXX.dk"
      .AddRecipient "Federal Trade Commission (FTC)", "spam@uceXXXX.gov"
      .AddRecipient "Automated UCE/SPAM Defence", "spam@acme.inc"
      .HeaderValue("To") = """Whois Abuse Contact""" & " <" & strContact & ">"
      .HeaderValue("Cc") = """Danish Consumer Ombudsman""" & " <int@spamXXXX.dk>, " & """Federal Trade Commission (FTC)""" & " <spam@uceXXXX.gov>"
      .HeaderValue("From") = """Automated UCE/SPAM Defence""" & " <spam@acme.inc>"
      .Subject = "Returning unused UCE/SPAM"
      .Body = "Thanks for trying, but we are NOT interested! The original sender (whom you are protecting) is violating EU GDPR law."
      .Attachments.Add(oMessage.Filename)
      .Save
   End With
End Sub

Code:

   ' Fragment from OnAcceptMessage: oXML, Whitelisted, strRegEx, Match and Matches are set earlier in the handler
   Done = False
   If (oMessage.HeaderValue("X-hMailServer-Spam") <> "YES") Or Whitelisted Then Done = True
   Do Until Done
      '
      '   abuse@namesilo.com
      '
      strRegEx = LoadXMLNode(oXML, "//UCE/namesilo")
      Set Matches = oLookup(strRegEx, oClient.HELO, False)
      For Each Match In Matches
         Call ReturnUCEMail(oMessage, "abuse@namesiloXXXX.com")
      Next
      If Matches.Count > 0 Then Exit Do
      '
      '   abuse@namecheap.com
      '
      strRegEx = LoadXMLNode(oXML, "//UCE/namecheap")
      Set Matches = oLookup(strRegEx, oClient.HELO, False)
      For Each Match In Matches
         Call ReturnUCEMail(oMessage, "abuse@namecheapXXXX.com")
      Next
      Exit Do
   Loop
SørenR.

The quantum rule of insecurity which states that the act of observing how vulnerable a host or service is changes the insecurity level of the service.

mattg
Moderator
Posts: 19880
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Dynamic Black/Whitelists in your script.

Post by mattg » 2019-03-14 03:45

nice

I think I shall play with that concept
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

SorenR
Senior user
Posts: 3153
Joined: 2006-08-21 15:38
Location: Denmark

Re: Dynamic Black/Whitelists in your script.

Post by SorenR » 2019-03-14 18:13

mattg wrote:
2019-03-14 03:45
nice

I think I shall play with that concept
I hit a showstopper on the continued development... The "Whois Abuse Contact" was actually a picture :evil:

Code:

Option Explicit

' Documented MSXML flag value: ignore every server certificate error (0x3300).
Const SXH_SERVER_CERT_IGNORE_ALL_SERVER_ERRORS = 13056

Dim sURL, sHTML, sWhois, Match, Matches, Email, Emails

' Domain to look up; whois.com embeds the registry's raw record in a <pre> block.
sURL = "https://www.whois.com/whois/" & "exvoice.icu"

With CreateObject("MSXML2.ServerXMLHTTP.6.0")
   ' Option 2 is SXH_OPTION_IGNORE_SERVER_SSL_CERT_ERROR_FLAGS. Ignoring all
   ' certificate errors disables TLS validation for this fetch, so a forged or
   ' expired certificate is accepted too.
   .setOption 2, SXH_SERVER_CERT_IGNORE_ALL_SERVER_ERRORS
   .open "GET", sURL, False
   .setRequestHeader "User-Agent", "online link validator (http://www.dead-links.com/)"
   .send ""
   sHTML = .ResponseText
End With

' Pull the raw registry data out of the HTML page.
With CreateObject("VBScript.RegExp")
   .Pattern = "(?:<pre class=""df-raw"" id=""registryData"">)([\s\S]*?)(?:<\/pre>)"
   .Global = True
   .MultiLine = True
   .IgnoreCase = True
   Set Matches = .Execute(sHTML)
End With

For Each Match In Matches
   sWhois = Match.Value
   WScript.Echo sWhois

   ' Catch-all: every e-mail address in the record, abuse contact included.
   ' This is the step that finds nothing when the abuse contact is rendered as a picture.
   With CreateObject("VBScript.RegExp")
      .Pattern = "([\w.]+)\@(\w+\.\w+)(\.\w+)?"
      .Global = True
      .MultiLine = True
      .IgnoreCase = True
      Set Emails = .Execute(sWhois)
   End With

   For Each Email In Emails
      WScript.Echo Email.Value
   Next

Next
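An added example in Python, not from SorenR's scripts, contrasting the catch-all "find email in text" pattern used in the two snippets above with reading only the dedicated "Registrar Abuse Contact Email" field of a raw WHOIS record. The WHOIS record is constructed, not a real lookup; the parser returns None when the record has no textual abuse contact (the "picture" case above), so the caller can fall back to the per-registrar address kept in the XML list instead of mailing a guessed address.

```python
import re
from typing import List, Optional

# Constructed WHOIS record (not a real lookup), shaped like the registry data
# the script above scrapes out of the <pre id="registryData"> block.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-SPAMMER.ICU
Registrar: Example Registrar, LLC
Registrar IANA ID: 0000
Registrar Abuse Contact Email: Abuse@Registrar.example
Registrar Abuse Contact Phone: +1.0000000000
Registrant Name: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar of Record
Tech Email: proxy-1234@privacyproxy.example
"""

# The thread's catch-all pattern: any address anywhere in the text.
ANY_EMAIL = re.compile(r"([\w.]+)@(\w+\.\w+)(\.\w+)?", re.IGNORECASE)

# Stricter: only the value of the dedicated abuse-contact field, one per record.
ABUSE_FIELD = re.compile(
    r"^\s*Registrar Abuse Contact Email:\s*([\w.+-]+@[\w.-]+\.\w+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def all_email_like(whois_text: str) -> List[str]:
    """Every address the catch-all pattern finds, in order of appearance.

    The pattern allows no '-' in the local part, so a privacy-proxy address
    such as proxy-1234@... is cut down to 1234@..., and on a redacted record
    it also returns proxy addresses that are useless as abuse contacts.
    """
    return [m.group(0) for m in ANY_EMAIL.finditer(whois_text)]


def registrar_abuse_contact(whois_text: str) -> Optional[str]:
    """Return the registrar's abuse address, lower-cased, or None when the
    record carries no textual abuse field (e.g. rendered as an image)."""
    m = ABUSE_FIELD.search(whois_text)
    return m.group(1).lower() if m else None


def report_recipient(whois_text: str, fallback: Optional[str]) -> Optional[str]:
    """Pick the address the report mail should go to.

    Prefer the parsed registrar abuse field; otherwise use the maintained
    per-registrar address (the XML node in the script above); None when
    neither exists, so the caller sends nothing rather than guessing.
    """
    return registrar_abuse_contact(whois_text) or fallback


if __name__ == "__main__":
    print("catch-all :", all_email_like(SAMPLE_WHOIS))
    print("abuse     :", registrar_abuse_contact(SAMPLE_WHOIS))
    print("recipient :", report_recipient("Domain Name: X.ICU\n", "abuse@registrarXXXX.example"))
```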

mattg
Moderator
Posts: 19880
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Dynamic Black/Whitelists in your script.

Post by mattg » 2019-03-15 01:36

So those who allow spam bots on their networks don't like to be spammed by bots... :shock:

SorenR
Senior user
Posts: 3153
Joined: 2006-08-21 15:38
Location: Denmark

Re: Dynamic Black/Whitelists in your script.

Post by SorenR » 2019-03-15 16:04

Well, after feeding Namecheap and Namesilo a handsome number of "unused UCE/SPAM" email they've responded.

Namecheap Legal & Abuse Team have consolidated all the domains into one case and are actively looking into it. They recognise the domains are listed in SURBL and Spamhaus DBL and ask for 48 hours to investigate.

Namesilo, however... have returned 7 almost identical messages, and I really feel they insult my intelligence. This is the latest and shortest reply.
Hi,

we are only the domain name registrar and cannot validate or remove the content posted on the site.

This can be done by the hosting company of the website, which you can look up on this website: https://www.whoishostingthis.com/

Once you know the hosting provider, please look up their company information and contact them with the case.


You can also use the following pages to report the website:

Malware: https://safebrowsing.google.com/safebro ... t_badware/

Scam and Fraud: https://secure.nclforms.org/nficweb/Onl ... tForm.aspx

You may also discuss the case with your local law enforcement officer to seek help.


NameSilo Abuse Team

NameSilo Abuse Portal powered by Freshdesk 22604:175916
I now need to figure out what to do in the future, as this obviously was a waste of time. Contacting the hosting company will not give me the identity of the spammer for me to report, and if they terminate the contract the spammer only moves to another hosting company.

Terminating the domain is by far the most efficient action to take against the spammer.

jimimaseye
Moderator
Posts: 8010
Joined: 2011-09-08 17:48

Re: Dynamic Black/Whitelists in your script.

Post by jimimaseye » 2019-03-15 20:31

The problem there is they cannot terminate the domain because the domain will have been bought by the spammer and as such he will own it. The Host can disconnect the hosting service however as that will be a contravention of the terms. The spammer can't take his domain and set up in any other hosts where he wishes to. It is unlikely that you will determine who the spammer is. Only by moving the services from one host to the next will the spammer get fed up and decease.

[Entered by mobile. Excuse my spelling.]
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

SorenR
Senior user
Posts: 3153
Joined: 2006-08-21 15:38
Location: Denmark

Re: Dynamic Black/Whitelists in your script.

Post by SorenR » 2019-03-16 01:37

jimimaseye wrote:
2019-03-15 20:31
The problem there is they cannot terminate the domain because the domain will have been bought by the spammer and as such he will own it. The Host can disconnect the hosting service however as that will be a contravention of the terms. The spammer can't take his domain and set up in any other hosts where he wishes to. It is unlikely that you will determine who the spammer is. Only by moving the services from one host to the next will the spammer get fed up and decease.

[Entered by mobile. Excuse my spelling.]
Well... I read the Terms and Conditions :mrgreen:

Namecheap, Inc. Registration Agreement
This Registration Agreement ("Agreement") sets forth the terms and conditions of your use of domain name registration and related services ("Services").

bla bla bla

4. Service(s) provided at will and termination of service(s)
We may reject your domain name registration application or elect to discontinue providing Service(s) to you for any reason within 30 days of a Service initiation or a Service renewal. Outside of this period, we may terminate or suspend the Service(s) at any time for cause, which, without limitation, includes registration of prohibited domain name(s), abuse of the Services, payment irregularities, material allegations of illegal conduct, or if your use of the Services involves us in a violation of any Internet Service Provider's ("ISP's") acceptable use policies, including the transmission of unsolicited bulk email in violation of the law. You agree that if we terminate or suspend the Services provided to you under this Agreement, that we may then, at our option, make either ourselves or a third party the beneficiary of Services which are substantially similar to those which were previously providing to you and that any reference in this Agreement to termination or suspension of the Services to you includes this option. If we have grounds to terminate or suspend Service(s) with respect to one domain name or in relation to other Service(s) provided through your account, we may terminate or suspend all Service(s) provided through your account, including Service(s) to other domain names maintained by you with us. No fee refund will be made when there is a suspension or termination of Service(s) for cause. At any time and for any reason, we may terminate the Services thirty (30) days after we send notice of termination via mail or email, at our option, to the WHOIS contact information provided in association with your domain name registration. Following notice of termination other than for cause, you must transfer your domain name or risk that we may delete your domain name or suspend or modify Services to it. If we terminate Services for a reason other than cause, we will attempt to refund your fees. 
You further acknowledge and agree that your registration of a domain name is subject to suspension, cancellation or transfer by any ICANN procedure, by any registrar or registry administrator procedures approved by an ICANN-adopted policy, to correct mistakes by us, another registrar or the registry administrator in administering the domain name or for the resolution of disputes concerning the domain name. You agree that your failure to comply completely with the terms and conditions of this agreement and any Namecheap rule or policy may be considered by Namecheap to be a material breach of this agreement and that Namecheap may provide you with notice of such breach either in writing or electronically (i.e. email). In the event you do not provide Namecheap with material evidence that you have not breached your obligations to Namecheap within ten (10) business days, Namecheap may terminate its relationship with you and take any remedial action available to Namecheap under the applicable laws. Such remedial action may be implemented without notice to you and may include, but is not limited to, canceling the registration of any of your domain names and discontinuing any services provided by Namecheap to you.
https://www.namecheap.com/legal/domains ... ement.aspx

jimimaseye
Moderator
Posts: 8010
Joined: 2011-09-08 17:48

Re: Dynamic Black/Whitelists in your script.

Post by jimimaseye » 2019-03-16 01:51

That is the namecheap TnC. I thought you were talking about namesilo that were being non-helpful.

SorenR
Senior user
Posts: 3153
Joined: 2006-08-21 15:38
Location: Denmark

Re: Dynamic Black/Whitelists in your script.

Post by SorenR » 2019-03-16 02:19

jimimaseye wrote:
2019-03-16 01:51
That is the namecheap TnC. I thought you were talking about namesilo that were being non-helpful.
Namesilo have similar wording in their Terms and Conditions.

https://www.namesilo.com/terms.php Chapter 5, section vi

Maybe I should write them an email and remind them :mrgreen:

jimimaseye
Moderator
Posts: 8010
Joined: 2011-09-08 17:48

Re: Dynamic Black/Whitelists in your script.

Post by jimimaseye » 2019-03-16 02:22

SorenR wrote:
2019-03-16 02:19
jimimaseye wrote:
2019-03-16 01:51
That is the namecheap TnC. I thought you were talking about namesilo that were being non-helpful.
Namesilo have similar wording in their Terms and Conditions.

https://www.namesilo.com/terms.php Chapter 5, section vi

Maybe I should write them an email and remind them :mrgreen:
Certainly wouldn't hurt.

SorenR
Senior user
Posts: 3153
Joined: 2006-08-21 15:38
Location: Denmark

Re: Dynamic Black/Whitelists in your script.

Post by SorenR » 2019-03-17 14:31

SUCCESS! It turns out those guys at Namecheap are awesome!

Domains are still listed in Whois BUT! mxtoolbox cannot find the suspended ones, so it appears they have no DNS records. :mrgreen:
Hello,

Thank you for your email.

While the following domain names are registered with Namecheap, they are hosted with another company:

That is why we cannot check the logs for the domains and confirm if they are involved in sending unsolicited bulk emails.

However, it seems the domain names are listed in Spamhaus DBL and SURBL. Since we consider them to be trusted organizations, we opened a case regarding the domain names. Please allow us about 48 hours for our further investigation.

Additionally, please be informed that the following domain names have been suspended:

Thank you for letting us know about the issue.

------------------------
Regards,
Xxxxxx Xx. (redacted by SorenR according to GDPR)
Legal & Abuse Department
Namecheap Team

Ticket Details
Ticket ID: JBB-179-XXXXX (redacted by SorenR according to GDPR)
Department: Domains -- Legal and Abuse
Type: Issue
Status: Awaiting Client Response
Priority: High

Helpdesk: https://support.namecheap.com/index.php?

SorenR
Senior user
Posts: 3153
Joined: 2006-08-21 15:38
Location: Denmark

Re: Dynamic Black/Whitelists in your script.

Post by SorenR » 2019-03-20 12:05

While Namecheap came back to me with yet another list of domains they have suspended, I have had NO LUCK with Namesilo. Those fcukers are just persistent.

The Whois entries for the domains in question are protected by PrivacyGuardian.org and I had a look at them. They may disclose the identity of the registrant in case of fraud or misuse (like UCE and SPAM), so I launched a complaint on the PrivacyGuardian.org website ... Using a reply mail not registered with Namesilo...

Can't really say I'm surprised...

Domains in question: danzamor.com, downpic.com, rememberbeherenow.com, makze.com, retpem.com, genpip.com, kalosive.com, luckydaeon.com, 3dmeditation.com, leinno.com, ssdspace.com

First occurrence of UCE/SPAM from the above domains was May 5th 2018. They have been rock solid since, so I have actually used them to fine-tune my "defences".

From: abuse@namesiloabuse.freshdesk.com
Sent: 19. marts 2019 13:54
To: abuse@acme.inc
Cc: abuse@namesilo.com
Subject: Re: PrivacyGuardian.org Abuse Form - 23773



Hi,

we are only the domain name registrar and cannot validate or control the content of emails. You will need to contact the email provider of the domain owner. To find out the email provider we recommend to use this site: https://www.whoishostingthis.com/ Once you know the email provider, please look up the company to find out their contact information and report the issue to them to take care of.

To limit the number of spam landing in your mailbox please follow these instructions:

Check your email account to see if it provides a tool to filter out potential spam or to channel spam into a bulk email folder. You might want to consider these options when you're choosing which Internet Service Provider (ISP) or email service to use.

Limit your exposure. You might decide to use two email addresses — one for personal messages and one for shopping, newsletters, chat rooms, coupons and other services. You also might consider using a disposable email address service that forwards messages to your permanent account. If one of the disposable addresses begins to receive spam, you can shut it off without affecting your permanent address.

Also, try not to display your email address in public. That includes on blog posts, in chat rooms, on social networking sites, or in online membership directories. Spammers use the web to harvest email addresses.

Check privacy policies and uncheck boxes. Check the privacy policy before you submit your email address to a website. See if it allows the company to sell your email to others. You might decide not to submit your email address to websites that won't protect it.

When submitting your email address to a website, look for pre-checked boxes that sign you up for email updates from the company and its partners. Some websites allow you to opt out of receiving these mass emails.

Choose a unique email address. Your choice of email addresses may affect the amount of spam you receive. Spammers send out millions of messages to probable name combinations at large ISPs and email services, hoping to find a valid address. Thus, a common name such as jdoe may get more spam than a more unique name like j26d0e34. Of course, there is a downside - it's harder to remember an unusual email address.

Hackers and spammers troll the internet looking for computers that are not protected by up-to-date security software. When they find unprotected computers, they try to install hidden software – called malware – that allows them to control the computers remotely. Many thousands of these computers linked together make up a "botnet," a network used by spammers to send millions of emails at once. Millions of home computers are part of botnets. In fact, most spam is sent this way.

Do not let spammers use your computer. You can help reduce the chances that your computer will become part of a botnet: Use good computer security practices and disconnect from the internet when you're away from your computer. Hackers can’t get to your computer when it’s not connected to the internet. Be cautious about opening any attachments or downloading files from emails you receive. Don't open an email attachment — even if it looks like it's from a friend or coworker — unless you are expecting it or you know what it is. If you send an email with an attached file, include a message explaining what it is.
Download free software only from sites you know and trust. It can be appealing to download free software – like games, file-sharing programs, and customized toolbars. But remember that free software programs may contain malware.


Report Spam to the Federal Trade Commission at spam@uce.gov and at https://www.spamcop.net/anonsignup.shtml


Read more about reporting spam on this page: https://en.wikipedia.org/wiki/Spam_reporting


Hope you find this helpful!


NameSilo Abuse Team
NameSilo Abuse Portal powered by Freshdesk 23773:175916

mattg
Moderator
Posts: 19880
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Dynamic Black/Whitelists in your script.

Post by mattg » 2019-03-21 01:12

Ha ha

They think that you are a noob
If only they knew

SorenR
Senior user
Posts: 3153
Joined: 2006-08-21 15:38
Location: Denmark

Re: Dynamic Black/Whitelists in your script.

Post by SorenR » 2019-03-21 15:48

mattg wrote:
2019-03-21 01:12
Ha ha

They think that you are a noob
If only they knew
I've just sent a recent list to Namecheap today ... :mrgreen:


SorenR
Senior user
Posts: 3153
Joined: 2006-08-21 15:38
Location: Denmark

Re: Dynamic Black/Whitelists in your script.

Post by SorenR » 2019-03-22 00:47

Birds flying high
You know how I feel
Sun in the sky
You know how I feel
Breeze driftin' on by
You know how I feel
It's a new dawn
It's a new day
It's a new life
For me
And I'm feeling good
I'm feeling good


22 more domains suspended... :mrgreen:
