Thread: Blacklisting email domains
Fri, Apr 15 2016 8:31 AM

Roy Lambert

NLH Associates

Team Elevate

<nice long preamble>

As a recruiter I have to let pretty much any email reach me unless I know it's a duff one.

I want to update the anti-spam stuff in my email subsystem. I seem to be getting a lot of spam these days. Bayesian filtering is built in but I like to do as much using the header as possible. With a 90%+ rejection rate even with broadband it makes sense to download the header first and if I can dump based on that I want to.

I think someone has acquired logs from my ISP because some of the spam I'm getting is to addresses that are only ever used for receipt of email (eg my delphi account) and the ISP logs are the only place they come together unless someone can remote access encrypted ElevateDB files :-)

Mostly spam is taken care of by my current suite of anti-spam measures but I'm thinking of adding in a blacklisted domain function. This is because a lot of spammers simply tag a different name on the domain and splat away.

And before anyone can say it yes I know I have to be damned careful with a feature like this - no way can I blacklist gmail.com for example.

</nice long preamble>

OK now to the meat. What I'm asking for opinions about is how to handle domains like

yousave5.co.uk
yousave56.co.uk
yousave89.co.uk

It's easy enough to have a record in a blacklist table for each of them, or I could hard code something, but I'm wondering if anyone has a nice efficient (I have several inefficient ones) idea for dealing with this type of spam domain?

yousave is the latest in the line of ones I've seen like this and is complicated by the fact that the return path and email domain do not match (thanks for the idea Tim) eg

Return path mailersys.com and weddingcompetition@yousave62.co.uk do not match
Return path mlgnmx.com and newsletters@yousave59.co.uk do not match

which means the email gets shuffled off to the suspicious folder before the user rules are actioned.

Roy Lambert
Fri, Apr 15 2016 8:43 AM

Matthew Jones

Roy Lambert wrote:

> It's easy enough to have a record in a blacklist table for each of
> them, or I could hard code something but I'm wondering if anyone has
> a nice efficient (I have several inefficient ones) idea for dealing
> with this type of spam domain?

Is the rDNS for the sender good? That's the number one thing that many
do, look up the IP's rDNS, then DNS lookup that, and if they don't
match it is dodgy. Also SPF, and DomainKeys.

--

Matthew Jones
Fri, Apr 15 2016 10:22 AM

Roy Lambert

NLH Associates

Team Elevate

Matthew


Good ideas but they can be very time inefficient since they involve the internet :-(

Just had a look at a couple of the yousave ones and they contain a valid DKIM-Signature (I think - I'm trying to find the necessary bumph to interpret it) and I'm running a query to see what percentage of my emails and spam come with a DKIM header.

Roy Lambert
Mon, Apr 18 2016 10:19 AM

Tim Young [Elevate Software]

Elevate Software, Inc.


Email timyoung@elevatesoft.com

Roy,

How is the email being received ?  Are you running your own email server, or something else ?

Matthew is correct - use DNS to do an MX lookup on the domain used by the From: or Sender: headers, and make sure that there is at least one valid MX record for the sender and that it matches the domain used in one of those headers.  I can post code that does this.

The only thing you have to be careful with is that a lot of people use aliases for domains.  For example, they'll use GMail as their email server, but their From: or Sender: looks like myname@mycompany.com.  In such a case, you have to also do a DNS query to resolve that little bit.

But, in general, using DNS is how you fight spam.  It allows you to identify, with some degree of confidence, that the person sending the email is legit and eliminates the spoofed/forged crap that comprises most of the spam out there.

Tim Young
Elevate Software
www.elevatesoft.com
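The MX check Tim describes, as an added example (not Tim's posted code): take the domain from Sender: or From:, require at least one MX record, and treat an MX that lives under another domain as the alias case rather than a rejection. The resolver here is a constructed in-memory table so the block runs offline; the comment shows where a real DNS query would plug in.

```python
from email.utils import parseaddr

# Constructed stand-in for a real MX query. With dnspython you would return
#   [str(r.exchange).rstrip(".") for r in dns.resolver.resolve(domain, "MX")]
# instead of reading this table. Domains below are made up for the example.
FAKE_MX_TABLE = {
    "example.org": ["mail.example.org"],        # mail hosted on the domain itself
    "mycompany.test": ["aspmx.l.google.com"],   # the GMail-behind-own-domain alias case
    "nomx.test": [],                            # domain exists but publishes no MX
}


def fake_mx_lookup(domain):
    """Return the MX exchange hostnames for a domain (empty list if none)."""
    return FAKE_MX_TABLE.get(domain, [])


def sender_domain(headers):
    """Domain of Sender: if present, otherwise From:, lower-cased; '' if neither."""
    for name in ("Sender", "From"):
        value = headers.get(name)
        if value:
            return parseaddr(value)[1].rpartition("@")[2].lower()
    return ""


def check_mx(domain, mx_lookup=fake_mx_lookup):
    """Classify a sender domain by its MX records.

    'none'             -> no MX at all: the only hard failure
    'self-hosted'      -> an MX host sits under the sender's own domain
    'hosted-elsewhere' -> MX points at another provider (aliased domain);
                          legitimate, so it must not be rejected on its own
    """
    hosts = [h.lower() for h in mx_lookup(domain)]
    if not hosts:
        return "none"
    if any(h == domain or h.endswith("." + domain) for h in hosts):
        return "self-hosted"
    return "hosted-elsewhere"
```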
Tue, Apr 19 2016 2:39 AM

Roy Lambert

NLH Associates

Team Elevate

Tim

>How is the email being received ? Are you running your own email server, or something else ?

Sort of my own - it comes through an ISP who do some filtering (and annoyingly block things I'd happily let through) but after that it's all my own (well, including some 3rd party stuff like ElevateDB & Synapse)

>Matthew is correct - use DNS to do an MX lookup on the domain used by the From: or Sender: headers, and make sure that there is at least one valid MX record for the sender and that it matches the domain used in one of those headers. I can post code that does this.
>
>The only thing you have to be careful with is that a lot of people use aliases for domains. For example, they'll use GMail as their email server, but their From: or Sender: looks like myname@mycompany.com. In such a case, you have to also do a DNS query to resolve that little bit.
>
>But, in general, using DNS is how you fight spam. It allows you to identify, with some degree of confidence, that the person sending the email is legit and eliminates the spoofed/forged crap that comprises most of the spam out there.

The problem with this is that this is not spam in the sense that it's unlawful junk; it's just junk that I don't want (competitions and special offers mainly) so the email checks out as valid. It's often just a web linked graphic so Bayesian filtering doesn't work very well, and I do get newsfeeds that do the same (little or no text content) so I can't just bomb on that basis.

I think what I'll end up doing is building in a regex check for the sender email address.


Thanks for your input

Roy
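The header-only check Roy sketches in the opening post and settles on here, as an added example (not Roy's code): one regex covers the whole yousave5 / yousave56 / yousave89 family, an exact allowlist guarantees gmail.com can never be caught by a pattern, and the Return-Path / From mismatch rule from the first post runs after the blacklist so a known-bad domain is dumped rather than parked in the suspicious folder. The sample headers are constructed, modelled on the mismatched pair quoted in the thread.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, modelled on "Return path mailersys.com and
# weddingcompetition@yousave62.co.uk do not match" from the thread.
SAMPLE_HEADERS = (
    "Return-Path: <bounce@mailersys.com>\n"
    "From: Wedding Competition <weddingcompetition@yousave62.co.uk>\n"
    "Subject: Win a dream wedding!\n\n"
)

# Exact domains no pattern is ever allowed to block.
PROTECTED_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com"}

# One rule per spammer family instead of one blacklist row per numbered domain.
BLACKLIST_PATTERNS = [re.compile(r"^yousave\d+\.co\.uk$", re.IGNORECASE)]


def domain_of(header_value):
    """Lower-cased domain of an address header ('' if missing or malformed)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def is_blacklisted(domain):
    """Pattern match, guarded by the allowlist so gmail.com etc. never match."""
    if domain in PROTECTED_DOMAINS:
        return False
    return any(p.match(domain) for p in BLACKLIST_PATTERNS)


def same_mail_domain(a, b):
    """Equal, or one is a subdomain of the other (bounces.example.org vs example.org)."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def classify(raw_headers):
    """Verdict from headers alone, before the body is downloaded.

    Returns (verdict, detail): 'reject' for a blacklisted From domain,
    'suspicious' for a Return-Path / From mismatch, else 'pass'.
    """
    msg = message_from_string(raw_headers)
    from_dom = domain_of(msg.get("From"))
    rp_dom = domain_of(msg.get("Return-Path"))
    if is_blacklisted(from_dom):
        return "reject", from_dom
    if rp_dom and from_dom and not same_mail_domain(rp_dom, from_dom):
        return "suspicious", f"{rp_dom} != {from_dom}"
    return "pass", from_dom
```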
Tue, Apr 19 2016 10:45 AM

Tim Young [Elevate Software]

Elevate Software, Inc.


Email timyoung@elevatesoft.com

Roy,

<< The problem with this is that this is not spam in the sense that it's unlawful junk; it's just junk that I don't want (competitions and special offers mainly) so the email checks out as valid. It's often just a web linked graphic so Bayesian filtering doesn't work very well, and I do get newsfeeds that do the same (little or no text content) so I can't just bomb on that basis. >>

Ahhh, in that case it's a little harder to deal with.

Tim Young
Elevate Software
www.elevatesoft.com