Re: [mailop] Any reason to NOT block the entire .cam domain?

2022-05-27 Thread John Levine via mailop
It appears that Grant Taylor via mailop said: >I know that each postmaster is free to run their own server(s) as they >fit. But I too question carte blanche blocking of TLDs. It's a matter of playing the odds. Also keep in mind that some TLDs are a lot bigger than others. CAM only has 36,000 n

Re: [mailop] Any reason to NOT block the entire .cam domain? [signed]

2022-05-27 Thread P Vixie via mailop
I disintermediate stuff like this at the DNS layer since if my ("protective") DNS firewall says something doesn't exist then communications involving that thing can't start up. So for example all of .TK except TCL.TK looks unreachable here. Nothing can be treated as too big to black-hole. Withou

Re: [mailop] *LIKELY SPAM 27.9* Re: Any reason to NOT block the entire .cam domain?

2022-05-27 Thread Michael Peddemors via mailop
For the record, yes.. place the blame where it should be, on the network operator that allows it.. and Grant's suggestion is the better method if you can implement... Use 'detection' to find the bad guys, either by IP or ASN, insert those into a reputation list, even if it is only your own..

Re: [mailop] *LIKELY SPAM 27.9* Re: Any reason to NOT block the entire .cam domain?

2022-05-27 Thread Michael Rathbun via mailop
On Fri, 27 May 2022 15:22:29 -0600, Grant Taylor via mailop wrote: >Is there a reason that you (dynamically) re-configure your MTA(s) via a >script versus configuring an upstream router to not route traffic from >the IPs in their ASN? > >I'm just trying to understand and learn vicariously throu

Re: [mailop] Any reason to NOT block the entire .cam domain? [signed]

2022-05-27 Thread Sebastian Nielsen via mailop
Got this reply. The sad thing is that these new TLDs that ICANN opened (don't know why) seem to attract spammers like a big magnet. Sadly I have to block many of them... The .berlin domains are regularly used in spam for berlin travels. For most of the times, TLDs were operated by competent peopl

Re: [mailop] *LIKELY SPAM 27.9* Re: Any reason to NOT block the entire .cam domain?

2022-05-27 Thread Grant Taylor via mailop
On 5/27/22 3:10 PM, Michael Rathbun via mailop wrote: I have a script that detects these guys when they fire up a new /24, which happens about 1.3 times per week, and puts new rules in the MTA. Is there a reason that you (dynamically) re-configure your MTA(s) via a script versus configuring an

Re: [mailop] *LIKELY SPAM 27.9* Re: Any reason to NOT block the entire .cam domain?

2022-05-27 Thread Michael Rathbun via mailop
On Fri, 27 May 2022 22:57:37 +0200, Hans-Martin Mosner via mailop wrote: >If you look up the MX records for these domains, you see a certain clustering >around one provider. The IP addresses that >I checked don't accept port 25 connections at this time, but probably they did >when the spam run

Re: [mailop] *LIKELY SPAM 27.9* Re: Any reason to NOT block the entire .cam domain?

2022-05-27 Thread Hans-Martin Mosner via mailop
On 27.05.22 at 21:38, Michael Rathbun via mailop wrote: Here are the domains this gang has used in the last seven days: If you look up the MX records for these domains, you see a certain clustering around one provider. The IP addresses that I checked don't accept port 25 connections at this

Re: [mailop] Any reason to NOT block the entire .cam domain?

2022-05-27 Thread Grant Taylor via mailop
On 5/27/22 1:26 PM, Andreas Ziegler via mailop wrote: Sorry, but this strategy looks more like some hobbyist hosting the server for himself and his friends. I know that each postmaster is free to run their own server(s) as they fit. But I too question carte blanche blocking of TLDs. Some of

Re: [mailop] Any reason to NOT block the entire .cam domain?

2022-05-27 Thread Grant Taylor via mailop
On 5/27/22 2:15 PM, Grant Taylor wrote: I can understand the desire to block some -- what I refer to as -- vanity domains.  But .us is a country code TLD.  I would refrain from blocking CC TLDs. I also have to call out that blocking early -- possibly questionable -- adopters of new domains /a

Re: [mailop] Forum/Blog spam turned up to 11

2022-05-27 Thread Ken Simpson via mailop
Hi Michael, We don't have intel on how these guys are interacting with the forms. Regards Ken On Fri, May 27, 2022 at 7:34 AM Michael Peddemors via mailop < mailop@mailop.org> wrote: > Hey Ken, > > Are these contact info spammers using DSL Home style connections, or > VPN's.. different actors a

Re: [mailop] Any reason to NOT block the entire .cam domain?

2022-05-27 Thread Johannes Posel via mailop
Hello Sebastian, well that is a perfect example why shunning tlds is difficult. Your users will never be able to get tickets for the botanical garden in Berlin (www.bo.berlin). Let us not dive into the universities like the Technische Universität Berlin at www.tu.berlin. And, of course, you mi

Re: [mailop] Any reason to NOT block the entire .cam domain?

2022-05-27 Thread Andreas Ziegler via mailop
Sorry, but this strategy looks more like some hobbyist hosting the server for himself and his friends. Some of the TLDs you simply block are used by people I know for legitimate purposes, let alone by all the people I don't know. Scoring messages by the TLD, ok, I do that, too - but an immedi

Re: [mailop] *LIKELY SPAM 29.9* Any reason to NOT block the entire .cam domain?

2022-05-27 Thread Michael Rathbun via mailop
On Fri, 27 May 2022 12:01:46 -0600, Anne Mitchell via mailop wrote: >We've started getting a fair amount of spam from .cam domains; in fact they >all look the same, using the same HTML template with the same body format, but >from different .cam domain for different 'businesses', so I suspect t

Re: [mailop] Any reason to NOT block the entire .cam domain?

2022-05-27 Thread Michael Peddemors via mailop
This week saw a comeback of that operator, using new networks. They have been on our reputation lists for a bit.. Also have detection systems that detect the sending patterns, for this one.. Don't have the actual detection algorithms, but can share them off list if you want. That 131 range

Re: [mailop] Any reason to NOT block the entire .cam domain?

2022-05-27 Thread Sebastian Nielsen via mailop
I block a lot of these pieces of shit domains, including .cam: deny message = 5.7.1 Banned TLD in MAIL FROM sender_domains = ^(?i).*\\.(accountant|accountants|asia|auto|berlin|bid|buzz|camera|car|cam|cars|casa|christmas|click|club|college|computer|country|cricket|date|design|download|ex

Re: [mailop] Any reason to NOT block the entire .cam domain?

2022-05-27 Thread Jarland Donnell via mailop
I can't see a single reason not to block .cam, but I will say that I always get myself into trouble when I block a TLD. All it takes is one legitimate sender and my plans are shot. That said, this right here: mnt-by: ashitt You see that, blackhole and never second guess it. That's one

Re: [mailop] Any reason to NOT block the entire .cam domain?

2022-05-27 Thread John Levine via mailop
It appears that Anne Mitchell via mailop said: >We've started getting a fair amount of spam from .cam domains; in fact they >all look the same, ... Whatever its putative initial purpose, it mostly seems to be typosquats, so block away. It's not very big, 36,000 names most of which are parked.

[mailop] Any reason to NOT block the entire .cam domain?

2022-05-27 Thread Anne Mitchell via mailop
We've started getting a fair amount of spam from .cam domains; in fact they all look the same, using the same HTML template with the same body format, but from different .cam domain for different 'businesses', so I suspect that one operation is selling "email marketing" packages to clients and s

Re: [mailop] Forum/Blog spam turned up to 11

2022-05-27 Thread Michael Peddemors via mailop
Hey Ken, Are these contact info spammers using DSL Home style connections, or VPN's.. different actors are using different methods of course. "Eric Jones" still leads the pack in automated methods, while a couple of other players use bots, and a couple of others appear to be 'human' aided.

Re: [mailop] Forum/Blog spam turned up to 11

2022-05-27 Thread Ken Simpson via mailop
Hi Jarland, Yes, we see this as well - since this morning Pacific Time. They are snow-shoeing too, sending just one or two submissions per web form, presumably to keep a low profile. Same pattern of recipients as you are seeing. I'm trying to track down the victim software, which seems to be a Wo