On 08/26/2015 12:11 PM, g wrote:
>
>
> On 08/26/15 13:11, Valeri Galtsev wrote:
>> On Wed, August 26, 2015 12:55 pm, James A. Peltier wrote:
> <<>>
>
> something no one seems to have mentioned, so i will..
>
>>> | >> Received: from mx2.loverhearts.com (mx2.loverhearts.com
>
> loverhearts.com is a single page that seems to do nothing. and there is
> nothing in page source to do anything.
>
> validator.w3.org shows 1 error and 1 warning showing that page was
> poorly written.
>
> so the only harm is spam, which i now have going to my Junk folder.
>
> so, to all of you, i pass along a much more loving 'love' link;
>
> http://lovehearts.com
>
> enjoy.
>

If you look at the SPF record for loverhearts.com (where they are coming from for me) there are a whole slew of servers permitted to send on their behalf.

So I took all those IP addresses specified and added them to my blacklist, it appears spammers are learning that SPF records can be a path to filter avoidance.

Maybe I'll start blocking any server with an SPF record that includes more than 5 IP addresses, or servers where any host in the SPF record is in a DNS blacklist.
On 08/26/15 14:29, Alice Wonder wrote:
<<>>
> If you look at the SPF record for loverhearts.com (where they are coming
> from for me) there are a whole slew of servers permitted to send on
> their behalf.
>
> So I took all those IP addresses specified and added them to my
> blacklist, it appears spammers are learning that SPF records can be a
> path to filter avoidance.
>
> Maybe I'll start blocking any server with an SPF record that includes
> more than 5 IP addresses, or servers where any host in the SPF record is
> in a DNS blacklist.
>.

that can work. but is more than i care to bother with.

because i have filters and folders for what i want to read, everything else hits my "Local Folders/Inbox" where i mark them as spam.

reason is that there is a lot of spam content that is repeated by other spammers so the spam filters learn not only addresses, they also learn content.

anyway, as i always say, "what ever churns your butter". ;-)

--
peace out.

If Bill Gates got a dime for every time Windows crashes...
...oh, wait. He does. THAT explains it!
-+-
in a world with out fences, who needs gates.

CentOS GNU/Linux 6.6

tc,hago.

g
.
On Wed, August 26, 2015 2:29 pm, Alice Wonder wrote:
>
>
> On 08/26/2015 12:11 PM, g wrote:
>> On 08/26/15 13:11, Valeri Galtsev wrote:
>>> On Wed, August 26, 2015 12:55 pm, James A. Peltier wrote:
>> <<>>
>> something no one seems to have mentioned, so i will..
>>>> | >> Received: from mx2.loverhearts.com (mx2.loverhearts.com
>> loverhearts.com is a single page that seems to do nothing. and there is
>> nothing in page source to do anything.
>> validator.w3.org shows 1 error and 1 warning showing that page was
>> poorly written.
>> so the only harm is spam, which i now have going to my Junk folder. so,
>> to all of you, i pass along a much more loving 'love' link;
>> http://lovehearts.com
>> enjoy.
>
> If you look at the SPF record for loverhearts.com (where they are coming
> from for me) there are a whole slew of servers permitted to send on their
> behalf.

This way you may block good people. SPF records you used are owned by bad guys: loverhearts.com allows others to resend e-mail for themselves, but they do not need permissions of whomever they add to their SPF records to do so. In other words, one shouldn't trust anything that is in the records created by bad guys.

I did a nasty thing myself, but what I did at least IMHO is more or less justified. As I received bad e-mail after Fabian contacted IP block owner (digitalocean.com; 45.55.0.0/16), then I concluded IP block owner didn't act promptly on abuse complaint, so I blocked e-mail from this whole block owned by digitalocean.com IPs. This way their other clients will start asking their provider questions why their e-mail is being blocked (by some...)

Just my $0.02

Valeri

>
> So I took all those IP addresses specified and added them to my
> blacklist, it appears spammers are learning that SPF records can be a
> path to filter avoidance.
>
> Maybe I'll start blocking any server with an SPF record that includes
> more than 5 IP addresses, or servers where any host in the SPF record is
> in a DNS blacklist.
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
On 08/26/2015 02:07 PM, Valeri Galtsev wrote:
> On Wed, August 26, 2015 2:29 pm, Alice Wonder wrote:
>>
>>
>> On 08/26/2015 12:11 PM, g wrote:
>>> On 08/26/15 13:11, Valeri Galtsev wrote:
>>>> On Wed, August 26, 2015 12:55 pm, James A. Peltier wrote:
>>> <<>>
>>> something no one seems to have mentioned, so i will..
>>>>> | >> Received: from mx2.loverhearts.com (mx2.loverhearts.com
>>> loverhearts.com is a single page that seems to do nothing. and there is
>>> nothing in page source to do anything.
>>> validator.w3.org shows 1 error and 1 warning showing that page was
>>> poorly written.
>>> so the only harm is spam, which i now have going to my Junk folder. so,
>>> to all of you, i pass along a much more loving 'love' link;
>>> http://lovehearts.com
>>> enjoy.
>>
>> If you look at the SPF record for loverhearts.com (where they are coming
>> from for me) there are a whole slew of servers permitted to send on
>> their behalf.
>
> This way you may block good people. SPF records you used are owned by bad
> guys: loverhearts.com allows others to resend e-mail for themselves, but they
> do not need permissions of whomever they add to their SPF records to do
> so. In other words, one shouldn't trust anything that is in the records
> created by bad guys.

No what I mean is -

I get e-mail from example.net

If example.net has an SPF record, I then check all the IPs in the SPF record against blacklists and if two or more match, I reject the message as spam.

That way if the MTA they are using isn't on a blacklist but others they specify in the SPF record are, they get identified as spammer and blocked.

It doesn't matter if they add IP addresses to SPF from others, it wouldn't block every IP in the SPF - just check if 2 or more IPs in their SPF are on blacklists.

I probably would have to write a custom filter to do that, but it may be worth doing.
On 08/27/2015 07:29 AM, Alice Wonder wrote:
> Maybe I'll start blocking any server with an SPF record that includes
> more than 5 IP addresses,

That's not a very good idea. major ESPs (eg: gmail.com) have way more IPs listed than that.

> or servers where any host in the SPF record is in a DNS blacklist.

That could work better, but I would still say be careful, you could certainly end up with false positives doing this.

Peter
On 08/26/2015 03:38 PM, Peter wrote:
> On 08/27/2015 07:29 AM, Alice Wonder wrote:
>> Maybe I'll start blocking any server with an SPF record that includes
>> more than 5 IP addresses,
>
> That's not a very good idea. major ESPs (eg: gmail.com) have way more
> IPs listed than that.

Yeah, I thought about that.

>
>> or servers where any host in the SPF record is in a DNS blacklist.
>
> That could work better, but I would still say be careful, you could
> certainly end up with false positives doing this.

I would try to count 2 before rejecting I think.

Valid SPF reduces spam score with a lot of filter systems, but snowshoe spammers can just modify the record at will to add whatever smtp servers they currently are using. If they are going to use SPF records to lower their score then I will use SPF records to try to identify them.

False positives are a risk with any automated filter, but whitelists like dnswl.org can help reduce that problem. I suspect if somesite.tld has MTAs in the SPF list that it actually uses and are on blacklists then somesite.tld already has mail delivery problems it needs to address.
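
The filter discussed in this thread (check every IP a sender's SPF record names against a DNS blacklist, skip whitelisted hosts, reject at two or more hits), sketched as an added example that is not code from any poster. The domains, the zones bl.example and wl.example, the function names and all records are constructed; a real filter would replace the TXT table and is_listed with DNS lookups.

```python
import ipaddress

# Constructed sample data using documentation address ranges; not real records.
TXT = {
    "spammy.example": "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/30 include:pool.example -all",
    "pool.example": "v=spf1 ip4:203.0.113.7 -all",
    "onehit.example": "v=spf1 ip4:192.0.2.10 ip4:203.0.113.50 -all",
    "clean.example": "v=spf1 ip4:203.0.113.50 ip4:203.0.113.51 -all",
}
# Names that would resolve in the (hypothetical) blacklist and whitelist zones.
LISTED = {"10.2.0.192.bl.example", "1.100.51.198.bl.example", "7.113.0.203.bl.example"}
WHITELISTED = {"7.113.0.203.wl.example"}

def spf_ips(domain, txt=TXT, depth=0, max_hosts=16):
    """Collect IPv4 addresses permitted by ip4: and include: mechanisms."""
    ips = []
    if depth > 10:  # guard against include loops and very long chains
        return ips
    for term in txt.get(domain, "").split()[1:]:  # skip the v=spf1 tag
        term = term.lstrip("+")  # only pass-qualified mechanisms permit a sender
        if term.startswith("ip4:"):
            net = ipaddress.ip_network(term[4:], strict=False)
            if net.num_addresses <= max_hosts:  # large ranges are not enumerated
                ips.extend(str(ip) for ip in net)
        elif term.startswith("include:"):
            ips.extend(spf_ips(term[8:], txt, depth + 1, max_hosts))
    return ips

def dnsbl_name(ip, zone):
    """DNSBL query name: reversed octets followed by the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def verdict(domain, threshold=2, is_listed=lambda n: n in LISTED | WHITELISTED):
    """Return (decision, blacklisted IPs) for the sender domain's SPF record."""
    hits = []
    for ip in dict.fromkeys(spf_ips(domain)):  # de-duplicate, keep order
        if is_listed(dnsbl_name(ip, "wl.example")):
            continue  # a whitelisted host never counts toward the threshold
        if is_listed(dnsbl_name(ip, "bl.example")):
            hits.append(ip)
    return ("reject" if len(hits) >= threshold else "accept"), hits

if __name__ == "__main__":
    for d in ("spammy.example", "onehit.example", "clean.example"):
        print(d, verdict(d))
```

Ranges larger than max_hosts are skipped rather than enumerated, so a record that hides senders inside a wide ip4: block produces no hits here; the a, mx and ip6 mechanisms are likewise left out of this sketch.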