Bombard by spam source in India that wasn't in any RBL used by spamassassin.

Mark London
Hi - We got several hours of spam from the IP address 103.136.41.36 in
India. When I did a Multi-RBL check, the IP address was in the
following databases:

bl.emailbasura.org
dnsbl.sorbs.net
dns.spfbl.net
spam.spamrats.com
truncate.gbudb.net

I think sorbs.net is a paid-for service. At least I tried adding rules,
but they weren't triggered.

I was able to successfully add rules for spamrats and gbudb. Does
anyone have experience with those?

After about 3 hours, the IP address finally appeared in
barracudacentra.org, which spamassassin uses.

Given the amount of traffic we were receiving, I'm surprised it didn't
show up sooner on the other RBLs.

Thanks. - Mark

Re: Bombard by spam source in India that wasn't in any RBL used by spamassassin.

Benny Pedersen-2
Mark London wrote on 2019-11-06 20:33:

> Given the amount of traffic we were receiving, I'm surprised it didn't
> show up sooner on the other RBLs.

Maybe greylist all IPs that are not on dnswl at all, say greylist 4 days,
near the Postfix default queue lifetime :=)

Reduces the need for more sleeping RBLs.

Re: Bombard by spam source in India that wasn't in any RBL used by spamassassin.

Rob McEwen
In reply to this post by Mark London
fwiw - this has been blacklisted at invaluement for days.
--Rob McEwen, invaluement.com

On 11/6/2019 2:33 PM, Mark London wrote:

> Hi - We got several hours of spam from the IP address 103.136.41.36 in
> India.    When I did a Multi-RBL check, the ip address was in the
> following databases:
>
> bl.emailbasura.org
> dnsbl.sorbs.net
> dns.spfbl.net
> spam.spamrats.com
> truncate.gbudb.net
>
> I think sorbs.net is a paid for service.  At least I tried adding
> rules, but they weren't triggered.
>
> I was able to successfully add rules for spamrats and gbudb. Does
> anyone have experience with those?
>
> After about 3 hours, the IP address finally appeared in
> barracudacentra.org, which spamassassin uses.
>
> Given the amount of traffic we were receiving, I'm surprised it didn't
> show up sooner on the other RBLs.
>
> Thanks. - Mark
>

--
Rob McEwen
https://www.invaluement.com



Re: Bombard by spam source in India that wasn't in any RBL used by spamassassin.

Bill Cole
In reply to this post by Mark London
On 6 Nov 2019, at 14:33, Mark London wrote:

> Hi - We got several hours of spam from the IP address 103.136.41.36 in
> India.    When I did a Multi-RBL check, the ip address was in the
> following databases:
>
> bl.emailbasura.org

That one has been dead for years, and recently started "listing" the
whole IPv4 space after the domain was re-registered by a domain
speculator. You shouldn't even think of using it.

Note that most if not all of the public multi-rbl check facilities get
things wrong from time to time, and you should always use them for
screening only, NOT for authoritative information. For example, somehow
a few very popular sites learned of my private blacklist and I found out
by a large volume of queries that I had no desire to ever answer. I
tried asking the ones I could identify nicely to stop, but some ignored
me. It eventually got bad enough that I started answering them with
pathological replies, listing the entire world but also including
long-lived authoritative NS records that pointed at the loopback and
TEST-NET. It helped a little...

The point is simply that you should always check a DNSBL via a resolver
that you control and that doesn't make a large volume of DNSBL queries
to free DNSBLs.

> dnsbl.sorbs.net
> dns.spfbl.net
> spam.spamrats.com
> truncate.gbudb.net
>
> I think sorbs.net is a paid for service.

Nope. Unless you are a very heavy user, it's free.

> At least I tried adding rules, but they weren't triggered.

Are you sure that you're adding them correctly?

> I was able to successfully add rules for spamrats and gbudb.   Does
> anyone have experience with those?

Not really. I'm pretty sure that SpamRats is well-intentioned and
honestly run, but I can't speak to their overall usefulness. I don't
recall hearing of gbudb before this.

> After about 3 hours, the IP address finally appeared in
> barracudacentra.org, which spamassassin uses.
>
> Given the amount of traffic we were receiving, I'm surprised it didn't
> show up sooner on the other RBLs.

Maybe you're special? :)

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
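
An added example, not part of the thread or any poster's code: a Python sketch of the checks the reply above argues for, querying each DNSBL yourself and refusing to trust a zone that answers for everything, as a dead, re-registered list does. The RFC 5782 test points (127.0.0.2 listed, 127.0.0.1 never listed) are the health probe; the `.example` zone names, the sample answers and all function names are constructed for illustration.

```python
import ipaddress
import socket

# RFC 5782 test points: a working IPv4 DNSBL lists 127.0.0.2, never 127.0.0.1.
TEST_LISTED, TEST_CLEAN = "127.0.0.2", "127.0.0.1"

def dnsbl_qname(ip, zone):
    """Reversed IPv4 octets prepended to the zone, e.g. 4.3.2.1.zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")

def system_resolve(qname):
    """Lookup via the host's configured resolver (assumed to be your own
    recursive resolver, not a shared public one). Errors count as no answer."""
    try:
        return socket.gethostbyname_ex(qname)[2]
    except OSError:
        return []

def zone_health(zone, resolve):
    """Probe the two test points before believing any listing from `zone`."""
    if resolve(dnsbl_qname(TEST_CLEAN, zone)):
        return "lists-everything"      # wildcarded or parked zone
    if not resolve(dnsbl_qname(TEST_LISTED, zone)):
        return "dead-or-refused"       # zone gone, or our queries are refused
    return "ok"

def check_ip(ip, zones, resolve=system_resolve):
    """Return {zone: verdict}; only healthy zones may report a listing."""
    results = {}
    for zone in zones:
        health = zone_health(zone, resolve)
        if health != "ok":
            results[zone] = health
            continue
        # Listing codes are returned inside 127.0.0.0/8.
        codes = [a for a in resolve(dnsbl_qname(ip, zone)) if a.startswith("127.")]
        results[zone] = "listed " + ",".join(codes) if codes else "not-listed"
    return results

# Constructed sample answers so the example runs offline.
SAMPLE = {"2.0.0.127.good.dnsbl.example": ["127.0.0.2"],
          "25.2.0.192.good.dnsbl.example": ["127.0.0.4"]}

def fake_resolve(qname):
    if qname.endswith(".parked.dnsbl.example"):
        return ["203.0.113.7"]         # wildcard record: answers every name
    return SAMPLE.get(qname, [])

if __name__ == "__main__":
    zones = ["good.dnsbl.example", "parked.dnsbl.example", "silent.dnsbl.example"]
    print(check_ip("192.0.2.25", zones, fake_resolve))
```

Run against real zones by leaving `resolve` at its default; a verdict of `dead-or-refused` from a list you know is alive usually means the resolver in use is being refused or rate-limited.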

Re: Bombard by spam source in India that wasn't in any RBL used by spamassassin.

Matus UHLAR - fantomas
In reply to this post by Mark London
On 06.11.19 14:33, Mark London wrote:
>I was able to successfully add rules for spamrats and gbudb.   Does
>anyone have experience with those?

bad experience iirc.

https://mail-archives.apache.org/mod_mbox/spamassassin-users/200904.mbox/<20090408151911.GA21449%40fantomas.sk>

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Chernobyl was an Windows 95 beta test site.

Re: Bombard by spam source in India that wasn't in any RBL used by spamassassin.

John Hardin
In reply to this post by Mark London
On Wed, 6 Nov 2019, Mark London wrote:

> Hi - We got several hours of spam from the IP address 103.136.41.36 in India.

Tarpit 'em.

--
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  [hidden email]    FALaholic #11174     pgpk -a [hidden email]
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   The philosophy of gun control: Teenagers are roaring through
   town at 90MPH, where the speed limit is 25. Your solution is to
   lower the speed limit to 20.                           -- Sam Cohen
-----------------------------------------------------------------------
  2 days until The 81st anniversary of Kristallnacht - disarmament enables genocide

Re: Bombard by spam source in India that wasn't in any RBL used by spamassassin.

RW-15
In reply to this post by Matus UHLAR - fantomas
On Thu, 7 Nov 2019 19:22:09 +0100
Matus UHLAR - fantomas wrote:

> On 06.11.19 14:33, Mark London wrote:
> >I was able to successfully add rules for spamrats and gbudb.   Does
> >anyone have experience with those?  
>
> bad experience iirc.
>
> https://mail-archives.apache.org/mod_mbox/spamassassin-users/200904.mbox/<20090408151911.GA21449%40fantomas.sk>

This suggests you weren't using it correctly. A blocklist that contains
dynamic IP addresses should be last-external.


Re: Bombard by spam source in India that wasn't in any RBL used by spamassassin.

Matus UHLAR - fantomas
>> On 06.11.19 14:33, Mark London wrote:
>> >I was able to successfully add rules for spamrats and gbudb.   Does
>> >anyone have experience with those?

>On Thu, 7 Nov 2019 19:22:09 +0100 Matus UHLAR - fantomas wrote:
>> bad experience iirc.
>>
>> https://mail-archives.apache.org/mod_mbox/spamassassin-users/200904.mbox/<20090408151911.GA21449%40fantomas.sk>

On 07.11.19 18:54, RW wrote:
>This suggests you weren't using it correctly. A blocklist that contains
>dynamic IP addresses should be last-external.

I wasn't using it at all, and those IP addresses were not dynamic...

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
REALITY.SYS corrupted. Press any key to reboot Universe.

Re: Bombard by spam source in India that wasn't in any RBL used by spamassassin.

RW-15
On Fri, 8 Nov 2019 09:32:21 +0100
Matus UHLAR - fantomas wrote:

> >> On 06.11.19 14:33, Mark London wrote:  
> >> >I was able to successfully add rules for spamrats and gbudb.
> >> >Does anyone have experience with those?  
>
> >On Thu, 7 Nov 2019 19:22:09 +0100 Matus UHLAR - fantomas wrote:  
> >> bad experience iirc.
> >>
> >> https://mail-archives.apache.org/mod_mbox/spamassassin-users/200904.mbox/<20090408151911.GA21449%40fantomas.sk>
> >>  
>
> On 07.11.19 18:54, RW wrote:
> >This suggests you weren't using it correctly. A blocklist that
> >contains dynamic IP addresses should be last-external.  
>
> I wasn't using it at all, and those IP addresses were not dynamic...

Then you are presumably referring to the spamrats dynamic address
list, dyna.spamrats.com, rather than the spam.spamrats.com list
mentioned in the original post.