Reverse DNS blacklisting and filtering

zeusdk
Posts: 99
Joined: Thu Dec 09, 2004 7:09 pm


Post by zeusdk »

Hi Mail Enable

1) Extending the “Reverse DNS blacklisting” to also look up the IP of the server to which the URL in an e-mail is pointing would be great, because the spammers have to place their spam pages on a server somewhere. This server is most often already blacklisted, but is not found because Mail Enable is only looking up the IP of the sending mail server (and not the server to which the URL is pointing). Therefore, the current version of Reverse DNS blacklisting is not catching spammers who have hacked a mail server or the like, but this recommended extension would.

NoSpamToday uses this feature and it is working very, very well: http://www.nospamtoday.com/download/server/

NoSpamToday (based on SpamAssassin) is a mail proxy, which is to be placed in front of the Mail Enable server. The mail proxy must listen on port 25 and redirect the mail to another port, where Mail Enable is listening. Mail Enable cannot also listen on port 25, because then it will conflict with the mail proxy. The mail proxy then adds blacklisting positives to the header of the mail, which you can filter out in MailEnable. With this workaround, Mail Enable also rejects spam which is sent from hacked mail servers and the like.

It is working great, but I really would like to see the feature included in Mail Enable too, because centralized administration is better.

2) Mail Enable’s filtering could be much better if we could use “And”, “Or”, “Not” etc. in the process of filtering.

MailEnable
Site Admin
Posts: 4441
Joined: Tue Jun 25, 2002 3:03 am
Location: Melbourne, Victoria Australia

Post by MailEnable »

Content filtering is a very broad subject and there is an array of tools and plug-ins that can be integrated to provide a comprehensive filtering strategy. Parsing messages for content (including URLs/IP addresses) is arguably one of the best means of determining if a message is spam.

There are many vendors providing solutions to Spam and rather than integrate each and every one of them, the short term solution is to provide a more flexible means of calling and integrating such plug-ins.

As such, MailEnable intends to provide advanced filtering through scripts. This will effectively allow you to script your own filters, either to call other content analysis plug-ins or to craft your own scripts to achieve the same.

It is likely to be released into the current release of Enterprise Edition and into V2 of Professional Edition (but this as yet has not been finalized).

Some insight into its form is outlined here: http://www.mailenable.com/mailenable/he ... ipting.asp
Regards, Andrew

zeusdk
Posts: 99
Joined: Thu Dec 09, 2004 7:09 pm

Post by zeusdk »

Thank you :-)

MailEnable
Site Admin
Posts: 4441
Joined: Tue Jun 25, 2002 3:03 am
Location: Melbourne, Victoria Australia

Post by MailEnable »

No worries - thx for the suggestions.
Regards, Andrew

zeusdk
Posts: 99
Joined: Thu Dec 09, 2004 7:09 pm

Post by zeusdk »

Making it possible to use plug-ins is good, but why not extend it to also look up the web server (the URL)? I mean, when the Mail Enable team has already done the programming of finding out if the sending mail server is blacklisted, why not also do the inquiry on the web server?

It is like "walking all the way" to the police and asking if a person has done crime A and not wanting to know if the person has done crime B - even though the chance of this is much higher.

If Mail Enable would extend their BL inquiry to the web server too, then we would have no use for mail proxies and the like, which makes a better solution for us. No extra programs like NoSpamToday and SpamA. would be needed. We would have it all in the Enterprise solution.

MailEnable
Site Admin
Posts: 4441
Joined: Tue Jun 25, 2002 3:03 am
Location: Melbourne, Victoria Australia

Post by MailEnable »

Re: "why not also do the inquiry on the web server. "

I am not sure exactly how this would occur. Someone in this scenario would presumably need to maintain a list of spammer urls/host names/ip addresses to be verified against.

DNS blacklisting works in this way whereby the IP address of their mail server's outbound interface is blacklisted. The same sort of list would need to be available for spam urls - if such a list is available, it would almost certainly need to be subscribed to and charged.... in which case a plug-in by that vendor is most likely to be needed. More likely, I would think MailEnable would provide support for the content scanning engine used by NoSpamToday (as an example).
Regards, Andrew

zeusdk
Posts: 99
Joined: Thu Dec 09, 2004 7:09 pm

Post by zeusdk »

The blacklists are already available for everyone and they are already being maintained professionally and Mail Enable is already using them, but Mail Enable is sadly only looking up the IP of the sending server and not the IP of the web server (and not a url). Therefore, Mail Enable is not catching the real spammers and we, the consumers, have to buy extra software to protect our mail servers even though a little extension would do the trick.

Here is the trick:
1) Analyze the received e-mail.
2) If it has a URL inside, then retrieve the domain of it.
3) With this domain, retrieve the IP of the web server.
4) Make the enquiry in the blacklist (as Mail Enable is already doing with the sending mail server).
5) If the IP is blacklisted, then reject the mail (as Mail Enable already is doing)

Please, take a look at: http://www.spamhaus.org/effective_filtering.html

And read:
Spamhaus lists the IPs of spammers' web servers and DNS servers, in addition to spam sources in the SBL for this purpose. Spammers may find fresh sources not yet on our DNSBLs, but they have to advertize a web site hosted somewhere.
Now you see? :-D

Can we please have this option in Mail Enable too, so we can extend our spam prevention to not only look up the IP of the sending mail server, but also the IP of the web server?
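The five steps listed in the post above, as an added Python example; it is not part of the original thread and is not MailEnable or NoSpamToday code. The zone name `sbl.spamhaus.org`, the sample message and the canned DNS answers are assumptions constructed for illustration, and answers in 127.255.255.x are treated as Spamhaus error codes rather than listings.

```python
import email
import re
import socket
from email import policy

ZONE = "sbl.spamhaus.org"  # assumption: the Spamhaus SBL zone the post refers to
# Captures the ASCII host after an optional "user@" part, so user@host URLs yield host.
URL_RE = re.compile(r"https?://(?:[^\s/@]*@)?([a-z0-9.-]+)", re.IGNORECASE)

def url_hosts(raw_message):
    """Steps 1-2: parse the mail and collect the host of every http(s) URL."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hosts = set()
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            found = URL_RE.findall(part.get_content())
            hosts.update(h.lower().rstrip(".") for h in found if h.strip("."))
    return hosts

def resolve_a(name):
    """Live IPv4 lookup; returns [] when the name does not resolve (NXDOMAIN)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def dnsbl_name(ip, zone=ZONE):
    """Step 4: the address a.b.c.d is queried as d.c.b.a.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def is_listed(answers):
    """Listed = an answer in 127.0.0.0/8, except 127.255.255.x (error codes)."""
    return any(a.startswith("127.") and not a.startswith("127.255.255.") for a in answers)

def check_message(raw_message, resolve=resolve_a, zone=ZONE):
    """Steps 3-5: map each URL host to the web server IPs that the zone lists."""
    hits = {}
    for host in sorted(url_hosts(raw_message)):
        listed = [ip for ip in resolve(host) if is_listed(resolve(dnsbl_name(ip, zone)))]
        if listed:
            hits[host] = listed  # a non-empty result is the "reject" signal of step 5
    return hits

# Constructed sample mail and canned DNS answers (documentation-range addresses).
SAMPLE = ("From: a@sender.example\r\nSubject: offer\r\n\r\n"
          "Buy at http://pills.example/buy?id=1 or read https://news.example/story.\r\n")
FAKE_DNS = {"pills.example": ["192.0.2.10"], "news.example": ["198.51.100.7"],
            "10.2.0.192.sbl.spamhaus.org": ["127.0.0.2"],
            "7.100.51.198.sbl.spamhaus.org": ["127.255.255.254"]}
fake_resolve = lambda name: FAKE_DNS.get(name, [])  # offline stand-in for resolve_a
```

`check_message(SAMPLE, resolve=fake_resolve)` runs the whole chain offline; leaving out `resolve` performs live DNS queries.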

MailEnable
Site Admin
Posts: 4441
Joined: Tue Jun 25, 2002 3:03 am
Location: Melbourne, Victoria Australia

Post by MailEnable »

Thanks, I see.. I was not aware that web server records were maintained by the spamhaus, etc. I have passed on the suggestion (by logging it in the function register) - and if it yields the results mentioned in the link you provided, it will hopefully be included in the short term.
Regards, Andrew

zeusdk
Posts: 99
Joined: Thu Dec 09, 2004 7:09 pm

Post by zeusdk »

Yaaaaaaaahhhhhhhhhhooooooouuuuuuuuwwwwwwwww :-D

The real spammers jump around a lot, hijacking new mail servers, but they do not change their web servers that often, because if they did, people wouldn't get to see their site before they had moved, and it is also harder for them to set up new web servers than to hijack new mail servers.

Thank you for your time :-) Hope to see this feature in Mail Enable soon. Until then I recommend NoSpamToday. Actually, NoSpamToday uses other DNS registers than SpamHaus'. NoSpamToday is working so effectually at this point that if I did not do anything other than using NoSpamToday’s way of also looking up the web server then it would still take 95% of all spam – alone! The current Reverse DNS Blacklisting and Bayesian filtering (in Mail Enable enterprise version) would take the rest.
Last edited by zeusdk on Tue May 24, 2005 7:26 pm, edited 1 time in total.

JoshWithrow
Posts: 192
Joined: Tue Mar 22, 2005 1:18 pm

Post by JoshWithrow »

I must say that this is one of the absolute best and most thorough suggestions I've seen turned out since my initial use of MEStandard v1...

zeusdk
Posts: 99
Joined: Thu Dec 09, 2004 7:09 pm

Post by zeusdk »

:-)

Guest

Post by Guest »

Some more BLs - besides SpamHaus':

OB_URI_RBL
SPAMCOP_URI_RBL
WS_URI_RBL

djwhisky
Posts: 28
Joined: Thu Oct 02, 2003 11:31 pm

Post by djwhisky »

Just wondering if this has been looked at further, or has been included in MailEnable yet - as it seems like it would be relatively easy to include this URL on SBL functionality as an extra to the current DNS Blacklisting. It would solve lots of my problems too :)

paarlberg
Posts: 1071
Joined: Tue Mar 02, 2004 7:33 pm
Location: Atlanta, GA, USA

Post by paarlberg »

The only thing is blacklisting happens on the connector. The URL lookup would only happen after the mail is received for obvious reasons. Therefore the filtering of that content would most likely be built into the MTA. There are many SURBL lists available. I believe Spam Ass.. uses them as well.

MartynK
Posts: 1376
Joined: Sat Dec 28, 2002 1:12 am
Location: Hong Kong

Post by MartynK »

I have just finished writing full SURBL support in MEFilter. It's just gone into limited testing and should be released in a few weeks if all goes well.
