On 12/7/15 7:19 PM, Wietse Venema wrote:
Wietse Venema:
sb:
Our point of view is plain: are we dealing with "proper" e-mail servers?

Good question.

Our emphasis, therefore, is on the DNS, to identify the sender and
its MX RR, because it is the de-facto standard to say "this is
where I receive e-mail".

For the envelope sender address, the sending IP addresses are covered
by SPF policy. Spammers were among the first to adopt it.

How else could you tell them apart?

Reputation (DNSXL).

Additionally, some people have used the check_policy_service feature
to collect additional information about the remote SMTP client. See
http://www.postfix.org/SMTPD_POLICY_README.html for the protocol.

        Wietse


Dear Wietse,

Before answering, let me thank you, your colleagues, and Viktor Dukhovni, for delivering postfix. It is a fantastic server!


Re. check_policy_service
Yes, I have it in the agenda.


Re. DNSXL

Let us try...

In what follows,
 "(secure)" means authenticated DNSSEC response,
 "(insecure)" means spoofable DNS response.

> ...
Received: from spike.porcupine.org (spike.porcupine.org [IPv6:2604:8d00:189::2])
        by english-breakfast.cloud9.net (Postfix) with ESMTP id E5B44331FA3
        for <postfix-users@postfix.org>; Mon,  7 Dec 2015 13:19:20 -0500 (EST)
Received: by spike.porcupine.org (Postfix, from userid 1001)
        id 3pDtFh4YYszJrQ6; Mon,  7 Dec 2015 13:19:20 -0500 (EST)

> unbound-host -rvD spike.porcupine.org
spike.porcupine.org has address 168.100.189.2 (insecure)
spike.porcupine.org has IPv6 address 2604:8d00:189::2 (insecure)
spike.porcupine.org has no mail handler record (insecure)

> unbound-host -rvD postfix.org
postfix.org has no address (insecure)
postfix.org has no IPv6 address (insecure)
postfix.org mail is handled by 10 mail.cloud9.net. (insecure)

> /opt/org.OpenServer/port-53/sbin/unbound-host -rvD mail.cloud9.net
mail.cloud9.net has address 168.100.1.7 (insecure)
mail.cloud9.net has address 168.100.1.3 (insecure)
mail.cloud9.net has address 168.100.1.4 (insecure)
mail.cloud9.net has IPv6 address 2604:8d00:0:1::7 (insecure)
mail.cloud9.net has IPv6 address 2604:8d00:0:1::3 (insecure)
mail.cloud9.net has IPv6 address 2604:8d00:0:1::4 (insecure)
mail.cloud9.net has no mail handler record (insecure)


Is there a good DNSWL we can use?

> unbound-host -rvD 7.1.100.168.list.dnswl.org
7.1.100.168.list.dnswl.org has no address (insecure)
7.1.100.168.list.dnswl.org has no IPv6 address (insecure)
7.1.100.168.list.dnswl.org has no mail handler record (insecure)

So, postfix.org e-mail originates from a non-whitelisted IP,
assuming we checked the right IPs for lack of DNSSEC.


Is there a good DNSBL we can use?

http://www.spamcannibal.org/dnsbl_compare.shtml
http://www.spamcannibal.org/history/2015-12-06.html
https://www.sdsc.edu/~jeff/spam/2014/bc-20140913.html

> unbound-host -rvD 7.1.100.168.zen.spamhaus.org
Host 7.1.100.168.zen.spamhaus.org not found: 3(NXDOMAIN). (insecure)

> unbound-host -rvD 7.1.100.168.b.barracudacentral.org
Host 7.1.100.168.b.barracudacentral.org not found: 3(NXDOMAIN). (insecure)

So, postfix.org e-mail originates from a non-blacklisted IP,
assuming we checked the right IPs for lack of DNSSEC.

Recent problems with spamhaus's DNS:

2013-03-21:
https://greenhost.nl/2013/03/21/spam-not-spam-tracking-hijacked-spamhaus-ip/

2013-03-27:
http://www.bbc.com/news/technology-21954636
http://www.bbc.com/news/technology-22314938
http://www.bbc.com/news/technology-33480257

In summary, mail.cloud9.net is not listed in the DBL,
the reputation of postfix is neither good nor bad,
and the filter would let the e-mail through.


Let us check an IP that delivered spam.

> unbound-host -rvD 78-134-2-123.v4.ngi.it
78-134-2-123.v4.ngi.it has address 78.134.2.123 (insecure)
78-134-2-123.v4.ngi.it has no IPv6 address (insecure)
78-134-2-123.v4.ngi.it has no mail handler record (insecure)

> unbound-host -rvD 123.2.134.78.list.dnswl.org
Host 123.2.134.78.list.dnswl.org not found: 3(NXDOMAIN). (insecure)

> unbound-host -rvD 123.2.134.78.zen.spamhaus.org
123.2.134.78.zen.spamhaus.org has no address (insecure)
123.2.134.78.zen.spamhaus.org has no IPv6 address (insecure)
123.2.134.78.zen.spamhaus.org has no mail handler record (insecure)

> unbound-host -rvD 123.2.134.78.b.barracudacentral.org
Host 123.2.134.78.b.barracudacentral.org not found: 2(SERVFAIL). (insecure)

Let us go up in the chain...

> unbound-host -rvD v4.ngi.it
v4.ngi.it has address 88.149.128.9 (insecure)
v4.ngi.it has no IPv6 address (insecure)
v4.ngi.it mail is handled by 100 ifm-relay.inet.it. (insecure)
v4.ngi.it mail is handled by 200 ifm-relay2.inet.it. (insecure)

> unbound-host -rvD ifm-relay2.inet.it
ifm-relay2.inet.it has address 213.92.5.56 (insecure)
ifm-relay2.inet.it has no IPv6 address (insecure)
ifm-relay2.inet.it has no mail handler record (insecure)

> unbound-host -rvD 56.5.92.213.list.dnswl.org
Host 56.5.92.213.list.dnswl.org not found: 3(NXDOMAIN). (insecure)

> unbound-host -rvD 56.5.92.213.zen.spamhaus.org
Host 56.5.92.213.zen.spamhaus.org not found: 3(NXDOMAIN). (insecure)

Perhaps a less known DNSBL would do?

http://multirbl.valli.org/lookup/78-134-2-123.v4.ngi.it.html

No, it does not.


In summary, the spammer's reputation is neither good nor bad.
Just like postfix, the filter would let the e-mail through.
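As an added illustration (not code from the thread or from Postfix), the lookups above reduce to a small procedure: reverse the IP into the DNSxL zone, then map the response code to a verdict. The sample responses below are constructed to mirror the shape of the quoted unbound-host output; they are not live DNS data, and the zone names are only used as query suffixes.

```python
import ipaddress

# Verdicts, mirroring how the unbound-host results above were read.
NOT_LISTED = "not listed"   # NXDOMAIN or NOERROR with no A record
LISTED = "listed"           # an A record came back: the IP is on the list
UNKNOWN = "unknown"         # SERVFAIL/timeout: no verdict, never treat as a hit

def reversed_name(ip, zone):
    """Build the DNSxL query name: reversed IPv4 octets, or reversed IPv6
    nibbles, followed by the zone (e.g. 7.1.100.168.zen.spamhaus.org)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone

def classify(rcode, answers):
    """Map one DNS response to a verdict. Only a positive answer means 'listed';
    a broken lookup (SERVFAIL, as barracuda returned above) is 'unknown'."""
    if rcode == "NXDOMAIN" or (rcode == "NOERROR" and not answers):
        return NOT_LISTED
    if rcode == "NOERROR":
        return LISTED
    return UNKNOWN

# Constructed offline stand-in for a resolver: query name -> (rcode, answers).
# Shapes copied from the message above; these are sample data, not DNS results.
SAMPLE_RESPONSES = {
    "7.1.100.168.zen.spamhaus.org": ("NXDOMAIN", []),
    "7.1.100.168.list.dnswl.org": ("NOERROR", []),        # exists, no A record
    "123.2.134.78.b.barracudacentral.org": ("SERVFAIL", []),
    "123.2.134.78.list.dnswl.org": ("NXDOMAIN", []),
}

def lookup(ip, zone, resolver=SAMPLE_RESPONSES.get):
    """Query one DNSxL; resolver(name) must return (rcode, answers) or None."""
    rcode, answers = resolver(reversed_name(ip, zone)) or ("SERVFAIL", [])
    return classify(rcode, answers)

def reputation(ip, blacklists, whitelists, resolver=SAMPLE_RESPONSES.get):
    """Combine lists as the message does: a DNSBL hit is 'bad', a DNSWL hit is
    'good', and with neither the reputation is 'neither good nor bad'."""
    if any(lookup(ip, z, resolver) == LISTED for z in blacklists):
        return "bad"
    if any(lookup(ip, z, resolver) == LISTED for z in whitelists):
        return "good"
    return "neither good nor bad"
```

Swapping `SAMPLE_RESPONSES.get` for a real resolver callback gives the same verdict logic against live zones; the point the thread makes is that both postfix.org and the spam source come back "neither good nor bad" under this logic.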
