Yahoo Groups archive

Milter-greylist

Index last updated: 2026-04-28 23:32 UTC

Thread

Recent domain name creations

2008-09-26 by Mark Walker

I've been having a lot of multiple attempt spam that's coming from 
domain names that have been created in the last 2 months. 

Is there any way to look up a domain name to see when the name was 
created?  Whois services will only let you look up a few names before 
blocking you.

I'm thinking of making either a patch for milter-greylist or else a new 
milter to block domains that have been created within a configurable 
time period.  The theory is that the domain names will be dropped and/or 
the ips will be blacklisted before the end of your expiry period.  
Legitimate new domains will have to either wait or be white listed. 

Does milter-greylist deal with this issue already somehow?  Does anybody 
know of any other solution to this problem?  I think that spammers are 
getting more and more keen to the greylisting technique, and finding 
various workarounds.  I have large and ever increasing personal 
blacklist.  I think 90% of it involves recently created domains, though. 


Thanks.

Re: [milter-greylist] Recent domain name creations

2008-09-26 by Ron Wilhoite

On 09/26/2008 12:47 PM Mark Walker wrote:
> I've been having a lot of multiple attempt spam that's coming from 
> domain names that have been created in the last 2 months. 
> 
> Is there any way to look up a domain name to see when the name was 
> created?  Whois services will only let you look up a few names before 
> blocking you.

Don't know if this helps, but spamassassin has "Day Old Bread" rules:

updates_spamassassin_org/72_active.cf:##{ DNS_FROM_DOB
updates_spamassassin_org/72_active.cf:header DNS_FROM_DOB eval:check_rbl_envfrom('dob','dob.sibl.support-intelligence.net.')

Re: [milter-greylist] Recent domain name creations

2008-09-26 by Petar Bogdanovic

On Fri, Sep 26, 2008 at 09:47:09AM -0700, Mark Walker wrote:
> I've been having a lot of multiple attempt spam that's coming from 
> domain names that have been created in the last 2 months. 
> 
> Is there any way to look up a domain name to see when the name was 
> created?  Whois services will only let you look up a few names before 
> blocking you.
> 
> I'm thinking of making either a patch for milter-greylist or else a new 
> milter to block domains that have been created within a configurable 
> time period.  The theory is that the domain names will be dropped and/or 
> the ips will be blacklisted before the end of your expiry period.  
> Legitimate new domains will have to either wait or be white listed. 
> 
> Does milter-greylist deal with this issue already somehow?  Does anybody 
> know of any other solution to this problem?  I think that spammers are 
> getting more and more keen to the greylisting technique, and finding 
> various workarounds.  I have large and ever increasing personal 
> blacklist.  I think 90% of it involves recently created domains, though. 

SpamAssassin can do this and since Emmanuel checked in SA-support into
CVS today, you're very welcome to test the code and tweak the following
checks in your local.cf:

	score DNS_FROM_DOB  5.0
	score RCVD_IN_DOB   5.0
	score URIBL_RHS_DOB 5.0


See http://spamassassin.apache.org/tests_3_2_x.html


HTH,

Petar

Re: [milter-greylist] Recent domain name creations

2008-09-26 by Mark Walker

Thanks Ron, that's close to what I'm looking for.  It appears that DOB 
is an RBL that lists recent domain additions.  I'm not sure which one 
SpamAssassin uses. For instance the following got through on my system:

X-Spam-Status: No, score=-0.3 required=5.0 tests=BAYES_00,HTML_IMAGE_RATIO_06,
	HTML_MESSAGE,HTML_TITLE_SUBJ_DIFF,MPART_ALT_DIFF_COUNT autolearn=no
	version=3.2.4

Received: from rs4.vparseals.com (rs4.vparseals.com [64.187.98.73])

But is listed on a blacklist mentioned here:

http://www.nabble.com/I%27ve-created-a-new-Day-Old-Bread-type-list-RBL-tt19531901.html

I'm already running SA from procmail, but would like to run it as part 
of mgl.  I'll do that and check out Petar's suggestions.

Thanks

Ron Wilhoite wrote:
>
> On 09/26/2008 12:47 PM Mark Walker wrote:
> > I've been having a lot of multiple attempt spam that's coming from
> > domain names that have been created in the last 2 months.
> >
> > Is there any way to look up a domain name to see when the name was
> > created? Whois services will only let you look up a few names before
> > blocking you.
>
> Don't know if this helps, but spamassassin has "Day Old Bread" rules:
>
> updates_spamassassin_org/72_active.cf:##{ DNS_FROM_DOB
> updates_spamassassin_org/72_active.cf:header DNS_FROM_DOB eval:check_rbl_envfrom('dob','dob.sibl.support-intelligence.net.')
>
>

Re: [milter-greylist] Recent domain name creations

2008-09-26 by manu@netbsd.org

Mark Walker <furface@...> wrote:

> Thanks Ron, that's close to what I'm looking for.  It appears that DOB
> is an RBL that lists recent domain additions.  

Then you can use it with dnsrbl clauses in your ACLs (no need to rely on
SpamAssassin)

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...
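How a sender-domain lookup against a DNS list such as the DOB zone quoted earlier in the thread works, as an added example that is not part of any poster's message and not milter-greylist or SpamAssassin code. The function names, the injected resolver and the sample answers are assumptions constructed for illustration; the only value taken from the thread is the zone name.

```python
import ipaddress
import socket

# Zone name as quoted in the thread's SpamAssassin rule.
DOB_ZONE = "dob.sibl.support-intelligence.net"
LIST_ANSWERS = ipaddress.ip_network("127.0.0.0/8")  # DNS-list convention (RFC 5782)

def sender_domain(envelope_from):
    """Return the lower-cased domain of an SMTP envelope sender, or None."""
    addr = envelope_from.strip().strip("<>").strip()
    if "@" not in addr:
        return None                  # null sender "<>" (bounces) has no domain
    domain = addr.rsplit("@", 1)[1].rstrip(".").lower()
    if not domain or domain.startswith("["):
        return None                  # address literal such as [192.0.2.1]
    return domain

def system_resolver(name):
    """A records for name; [] on any lookup failure, so a DNS outage
    is treated as 'not listed' rather than blocking mail."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def is_listed(domain, zone=DOB_ZONE, resolve=system_resolver):
    """True when <domain>.<zone> answers with an address in 127.0.0.0/8.
    Any other answer (for example a wildcard on a defunct zone) is ignored."""
    answers = resolve(f"{domain}.{zone}")
    return any(ipaddress.ip_address(a) in LIST_ANSWERS for a in answers)

def check_envelope(envelope_from, resolve=system_resolver):
    """Classify an envelope sender as 'skip', 'listed' or 'clean'."""
    domain = sender_domain(envelope_from)
    if domain is None:
        return "skip"
    return "listed" if is_listed(domain, resolve=resolve) else "clean"

# Constructed answers standing in for the DNS list, so the example runs offline.
FAKE_ZONE_DATA = {
    f"new-domain.example.{DOB_ZONE}": ["127.0.0.2"],   # listed
    f"parked.example.{DOB_ZONE}": ["203.0.113.9"],     # non-list answer
}

def fake_resolver(name):
    return FAKE_ZONE_DATA.get(name, [])                # missing name = NXDOMAIN

if __name__ == "__main__":
    for sender in ("<a@New-Domain.Example.>", "<b@old-domain.example>",
                   "<c@parked.example>", "<>"):
        print(sender, "->", check_envelope(sender, resolve=fake_resolver))
```

This covers only the envelope sender; domains in URLs in the message body need the content-level checks discussed later in the thread.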

Re: [milter-greylist] Recent domain name creations

2008-09-26 by manu@netbsd.org

Mark Walker <furface@...> wrote:

> Whois services will only let you look up a few names before 
> blocking you.

Too bad. I thought about implementing a whois lookup to filter on the
registrar, since some registrars are well known spam harbours.

I guess I'll have to give up that idea.

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

Re: [milter-greylist] Recent domain name creations

2008-09-27 by Michael Mansour

Hi Emmanuel,

> Mark Walker <furface@...> wrote:
> 
> > Whois services will only let you look up a few names before 
> > blocking you.
> 
> Too bad. I thought about implementing a whois lookup to filter on the
> registrar, since some registrars are well known spam harbours.
> 
> I guess I'll have to give up that idea.

I run my own whois server for my clients to query, which forwards on the whois
requests to the different whois servers.

I understand that too many requests cause you to be blocked on many providers,
but I've never been blocked when my clients use the whois server I supply.

Regards,

Michael.
> -- 
> Emmanuel Dreyfus
> http://hcpnet.free.fr/pubz
> manu@...

Re: [milter-greylist] Recent domain name creations

2008-09-27 by Petar Bogdanovic

On Fri, Sep 26, 2008 at 10:08:12PM +0200, manu@... wrote:
> Mark Walker <furface@...> wrote:
> 
> > Thanks Ron, that's close to what I'm looking for.  It appears that DOB
> > is an RBL that lists recent domain additions.  
> 
> Then you can use it with dnsrbl clauses in your ACLs (no need to rely on
> SpamAssassin)

Eh, yes, that's truly simple..

But without SA you'll miss all the DOB domains in the body.

Re: [milter-greylist] Recent domain name creations

2008-09-27 by manu@netbsd.org

Michael Mansour <mic@...> wrote:

> I run my own whois server for my clients to query, which forwards on the whois
> requests to the different whois servers.
> 
> I understand that too many requests cause you to be blocked on many providers,
> but I've never been blocked when my clients use the whois server I supply.

How many queries per minute do you forward? Perhaps this is the
explanation.

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

Re: [milter-greylist] Recent domain name creations

2008-09-27 by manu@netbsd.org

Petar Bogdanovic <petar@...> wrote:

> Eh, yes, that's truly simple..
> But without SA you'll miss all the DOB domains in the body.

Yes, it would be nice to have a DATA-stage ACL clause that would look up
URLs found in the message against domain black lists. This is a bit
complicated to implement, though.

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

Re: [milter-greylist] Recent domain name creations

2008-09-27 by Greg Troxel

manu@... writes:

> Yes, it would be nice to have a DATA-stage ACL clause that would look up
> URLs found in the message against domain black lists. This is a bit
> complicated to implement, though.

There's a slippery slope here to reimplementing all of spamassassin.
Instead, I think it makes sense to have milter-greylist include the
functionality of spamass-milter (but not spamd or SA), and it seems with
the dacl for SA we are well on the way.

(One important thing is at least mild greylisting before running SA for
connections somewhat likely to be spam, but the rbl racl rules do that
very nicely.)

The next thing I would like most is variable greylisting delay depending
on spam score. Has anyone tried to do this? If so, could they share
their config?

Re: [milter-greylist] Recent domain name creations

2008-09-27 by manu@netbsd.org

Greg Troxel <gdt@...> wrote:

> The next thing I would like most is variable greylisting delay depending
> on spam score.  Has anyone tried to do this?  If so, could they share
> their config?

Manuel included such an example in the man greylist.conf(5) page.

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

Re: [milter-greylist] Recent domain name creations

2008-09-28 by Greg Troxel

manu@... writes:

> Greg Troxel <gdt@...> wrote:
>
>> The next thing I would like most is variable greylisting delay depending
>> on spam score. Has anyone tried to do this? If so, could they share
>> their config?
>
> Manuel included such an example in the man greylist.conf(5) page.

Thanks. This was feeling tricky, and I haven't updated/built/tried it
yet - I'll read the man page :-)

Re: [milter-greylist] Recent domain name creations

2008-09-28 by Michael Mansour

Hi Emmanuel,

> Michael Mansour <mic@...> wrote:
> 
> > I run my own whois server for my clients to query, which forwards on the whois
> > requests to the different whois servers.
> > 
> > I understand that too many requests cause you to be blocked on many providers,
> > but I've never been blocked when my clients use the whois server I supply.
> 
> How many queries per minute do you forward? Perhaps this is the
> explanation.

Not that much and I use different whois servers depending on the domain tld.

I'm sure I would be blocked if the whois system hit a threshold for the whois
server.

Regards,

Michael
> -- 
> Emmanuel Dreyfus
> http://hcpnet.free.fr/pubz
> manu@...

Re: [milter-greylist] Recent domain name creations

2008-10-02 by manu@netbsd.org

Michael Mansour <mic@...> wrote:

> I run my own whois server for my clients to query, which forwards on the whois
> requests to the different whois servers.

What software do you use for your local whois server?

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

Re: [milter-greylist] Recent domain name creations

2008-10-03 by Michael Mansour

Hi Emmanuel,

> Michael Mansour <mic@...> wrote:
> 
> > I run my own whois server for my clients to query, which forwards on the whois
> > requests to the different whois servers.
> 
> What software do you use for your local whois server?

http://wp-whois-proxy.sourceforge.net/

Regards,

Michael.
