[SC-Help] Re: Spam "from" reserved netblocks
Graeme Leith
glnews030922 at highspot.net
Fri Jul 8 19:17:28 EDT 2005
Geoff Lane wrote:
> Although I reported this particular spam (ID = 1463337860), I got the IP
> address myself direct from the headers. I submitted the report to
> Cyveillance purely to help get the offending IP added to the SBL.
Where did you get evidence of a connection between Spamhaus and
Cyveillance? As far as I am aware, they are in no way related.
>
> My interest here is whether mail from a reserved netblock is likely to
> be a legitimate message, and so whether I can legitimately filter on
> reserved netblocks. I don't need to parse anything through Spamcop for
> that because my filters already have the ability to blacklist netblocks.
> If I add 96.0.0.0-123.255.255.255 to the blacklist, anything that
> purports to be from or routed via the RESERVED-8 netblock will get
> dumped into my spam bin - and it would be similar for any other reserved
> netblock that I would add to my blacklist when I discovered spammy using
> it.
It's probably not a good idea filtering on IANA reserved blocks. People
often use them as internal addresses and run a NAT gateway. If they have
servers inside their network that pass the mail around before it gets to
the internet proper, there will be headers with reserved addresses in
them that are legitimate.

You can filter connect attempts from reserved addresses at your border
routers, as these should never see connections from reserved space on
the external interface. They are called "bogons" in the networking world
if you're looking for a list.
> BTW, I can't quite get my head around mailhosts configuration. I have
> potentially an unlimited number of e-mail accounts with a catch-all
> mailbox for each of several domains. AFAICT, you have to configure every
> email address - and that's something I can't do because there are far
> too many of them. Also, I have intermediate servers between my MUA and
> my ISP's servers, which you can see from the report referenced above.
I run my own mail server and although I don't have a catch all address,
I do create new addresses for each new contact I have. I trained the
mailhosts setup with a single address and haven't had any problems with
it. It seems to associate the mail servers with your account, rather
than individual addresses.

When you set up mailhosts, it sends out discovery emails to get a
baseline. The system handles intermediate MTAs with no problems that
I've seen. My system not only includes my own server, but POPs and
forwards to/from several locations. As long as you train it with each
path you expect to see mail go through it seems very reliable.
--
Evidence shows Cyveillance abuse internet resources.
I recommend unchecking their box in SpamCop reports.
Cyveillance are part of the problem.
They are not part of the solution.
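
The distinction drawn in the reply above, between reserved addresses that appear anywhere in the Received headers and a reserved address that actually connects at the border, as an added example that is not part of the original post. The bogon list, the function names and the sample message are constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Constructed bogon list (assumption): RFC 1918 space plus the range named in
# the thread. A production filter would load a maintained bogon list instead.
BOGONS = [ipaddress.ip_network(n)
          for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BOGONS += ipaddress.summarize_address_range(
    ipaddress.ip_address("96.0.0.0"), ipaddress.ip_address("123.255.255.255"))

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def is_bogon(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # forged headers can carry malformed addresses
        return False
    return any(addr in net for net in BOGONS)

def received_ips(raw_message):
    """Bracketed IPs from every Received header, newest hop first."""
    msg = message_from_string(raw_message)
    ips = []
    for header in msg.get_all("Received", []):
        ips.extend(IP_IN_BRACKETS.findall(str(header)))
    return ips

def header_filter_flags(raw_message):
    """Header-wide filter: flag the mail if ANY hop is in a reserved block."""
    return any(is_bogon(ip) for ip in received_ips(raw_message))

def border_filter_rejects(peer_ip):
    """Border filter: judge only the address that actually connected."""
    return is_bogon(peer_ip)

# Constructed sample: legitimate mail relayed inside a NAT'd network before
# leaving through a public gateway (documentation addresses stand in).
LEGIT = (
    "Received: from gw.example.org (gw.example.org [198.51.100.25])\n"
    "\tby mx.example.net with ESMTP; Fri, 8 Jul 2005 19:00:02 -0400\n"
    "Received: from desk7.corp.example.org (desk7 [10.1.2.3])\n"
    "\tby gw.example.org with ESMTP; Fri, 8 Jul 2005 19:00:01 -0400\n"
    "From: alice@example.org\n"
    "Subject: minutes\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    print(received_ips(LEGIT))
    print(header_filter_flags(LEGIT), border_filter_rejects("198.51.100.25"))
```

The header-wide filter flags the legitimate sample because of its internal 10.1.2.3 hop, while the border check on the connecting address lets it through.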