email from spam domain that pass all tests and all surb/blacklists. - ORF Forums

email from spam domain that pass all tests and all surb/blacklists. RSS Back to forum

1

frankly, it seems like a thing to register a domain + register a valid spf etc then use it to spam . these spam gets through ORF. (also passes through all the dns blacklists)

is there anything we can do like domain must be 6 months/1 year old otherwise autoblacklist.

by chris low 2 years ago
2

Error checking the SPF policy of domain "shmachinetw.com": Policy syntax error. Source "shmachinetw.com", message "Unknown term "ipv4"." at character 8 ("v=spf1 ipv4:118.163.195.185 ~all").

just had email from this spam domain that pass all rbs checks. spf error = considered pass as well.

by chris low 2 years ago
3

@chris low: Just having a domain and a published SPF policy will not help any spammer to get through ORF. The only ORF test that can exempt a sender from its own inspection in case a valid SPF record is found is Greylisting and only if you explicitly allow it to do so - which you should not. However, this can be changed on the Greylisting settings page in the Administration Tool, anytime.

As for filtering emails based on the sender domain's age, there is no such feature in ORF I am afraid. That being said, you could write a batch/script (e.g. using Powershell for the WHOIS lookups) to return an exit code if the creation date of a domain is less than a specified value and then connect it to ORF as an External Agent. That would be possible.

Furthermore, if you were to send us your ORF logs and the configuration file, we could review your current settings and identify any technical or configuration issues that might be hindering ORF to do its job. If you agree, please send us (to ) a few recent ORF log files (e.g. orfee-2017-05-18.log), the configuration file (orfent.ini) and some spam samples that managed to get through the filters***. The requested ORF files can be found in the ORF program directory (default: \Program Files (x86)\ORF Fusion).

***If the total size of attachments is greater than 5 MBs, make sure to send them compressed in an archive (e.g. zip, rar, 7z).

by Daniel Novak (Vamsoft) 2 years ago
(in reply to this post)

4

I'm just saying its a pattern of setting up "clean domains" with valid spf to send spam through. as such, those domains does not appear in any rbl at all.

guess i need to subscribe for https://www.farsightsecurity.com/solutions/threat-intelligence-team/newly-observed-domains/ if its a persistent thing

by christopher.low 2 years ago
5

@chris low: "Error checking the SPF policy of domain "shmachinetw.com": Policy syntax error. Source "shmachinetw.com", message "Unknown term "ipv4"." at character 8 ("v=spf1 ipv4:118.163.195.185 ~all")."

SPF error != Pass. When ORF encounters a badly formatted SPF record, such as in this case, the evaluation ends with "PermError" (see SPF syntax: http://www.openspf.org/SPF_Record_Syntax), the SPF test stops and ORF proceeds with the rest of the blacklist tests. Many legitimate domains have invalid SPF records as well, thus it would be really bad practice to blacklist emails on SPF "PermError" and "TempError".

by Daniel Novak (Vamsoft) 2 years ago
(in reply to this post)

6

@christopher.low: Newly minted domains can sometimes be a problem but lately it has fallen out of fashion. We saw this in our own mail stream more than 1 year ago and when I saw ORF had no test for this so I added this feature to our external agent, checking domain age with the tcpiputils.com API (paid subscription). What I've found is:

- A paid subscription to SpamHaus will catch these new domains after some hours in the wild.
- While throw away domain spam still occurs, it has become more rare.

I also make full use of TLD domain pattern filtering and large IP address range blacklists for known bullet proof hosts, etc so this helps alot, perhaps mitigating the need to check on new domains. IP Range blacklists are not necessarily recommended by Vamsoft but when you can detect and confirm the worst offenders, they are very effective with very low false positive risk. The downside is the manual labor involved so I stick to ranges (not single IPs) to make it worthwhile.

My custom API test looks for domains less than 3 days old, since by then certainly SpamHaus would report it if spammy. With that, I can tell you it's come up only 5 out of the last 100,000 incoming mails. So I would not expect this to help you much in the present times. It is still possible that a campaign could start with that as the focus, as spammer tastes change and revisit old techniques, so I keep the domain test running.

by Sam Russo 2 years ago
(in reply to this post)

New comment

Fill in the form below to add a new comment. All fields are required. If you are a registered user on our site, please sign in first.

It will not be published.
hnp1 | hnp2