spamhaus
From our friends at Spamhaus via Twitter today (Saturday, November 13th), here’s a warning about fraudulent US Federal Bureau of Investigation (FBI) emails that are being sent from IP addresses actually used by the FBI.

“We have been made aware of “scary” emails sent in the last few hours that purport to come from the FBI/DHS. While the emails are indeed being sent from infrastructure that is owned by the FBI/DHS (the LEEP portal), our research shows that these emails *are* fake.”

“These fake warning emails are apparently being sent to addresses scraped from the ARIN database. They are causing a lot of disruption because the headers are real; they really are coming from FBI infrastructure. They have no name or contact information in the .sig. Please beware!”

You can find a screenshot here.

[ H/T: Jennifer Nespola Lantz ]
You’ll recall me warning recently that using Spamhaus data to protect your mail server is a bad idea if you’re using open or public DNS resolvers. TL;DR? Spamhaus is worried about too much traffic via public channels, but the blocking is implemented in a way that makes it effectively intermittent and potentially confusing. You could be fine for weeks and then suddenly start bouncing all inbound mail by accident. Or you could be querying a resolver that never shows ANY bad IPs to block, so you miss out on the spam-filtering benefit you were hoping for.

Here’s what to do about that.

No matter how you implement DNSBL usage, check your logs periodically. In the case of Spamhaus, look for the “127.255.255” response codes. Those indicate that your attempt to query Spamhaus data is being blocked, so you’ve got a problem. That problem is probably interfering with the delivery of…
From Spamhaus: Here’s a bonkers tale about a spamming doorbell. Oof, crappy “internet of things” devices are a scourge unto the internet. Alex Grosjean shares this very interesting story of tracking down where the spam was coming from on a home broadband subscriber’s network. And why ISPs ought to be blocking port 25. And why IoT devices need to be more secure.

[ H/T: Kiersti Esparza and Atro Tossavainen ]
Do you use any of the Spamhaus blocking lists (DNSBLs) to protect yourself from inbound spam and email threats? If so, you’re not alone. The Spamhaus data is quite popular and used by many ISPs as a front-door gatekeeper for IP (and domain) reputation.

If you do use any of Spamhaus’s DNSBLs, though, make sure you’re not doing it via a public DNS resolver or via any DNS server that is attempting a high volume of queries against Spamhaus without being registered with them. If you do, you risk the queries triggering blocks simply due to the sheer volume of DNS traffic Spamhaus is receiving, meaning you’ll end up blocking mail that wasn’t spam and that you probably didn’t mean to block.

Here’s how to catch that. Look in your server’s mail log for response codes or response text from Spamhaus queries. For text responses, look for things like “Error: open…
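Both of the posts above boil down to one periodic check: tell apart a real Spamhaus listing (an answer inside 127.0.0.0/8) from a refused query (an answer in the 127.255.255.x range, or reject text carrying an “Error:” marker), and count how many rejects your mail server issued on the strength of a refused query rather than a real listing. The script below is an added example, not code from this blog or from Spamhaus. It assumes that every 127.255.255.x answer is an error signal rather than a listing (the posts only say to look for that prefix), and the Postfix-style log lines it scans are constructed for the example, not taken from a real server.

```python
import ipaddress
import re
from collections import Counter

# A DNSBL "listed" answer is an A record inside 127.0.0.0/8.
# Assumption for this example: answers in 127.255.255.0/24 are not listings
# but error signals (query refused, e.g. sent via a public/open resolver).
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")


def classify_dnsbl_answer(answer: str) -> str:
    """Classify one A-record answer returned by a DNSBL lookup."""
    try:
        addr = ipaddress.ip_address(answer)
    except ValueError:
        return "malformed"
    if addr in ERROR_NET:
        return "query-refused"   # do NOT treat as a spam listing
    if addr in LOOPBACK:
        return "listed"
    # Anything outside 127/8 means the DNS answer was not a DNSBL code at all
    # (wildcarded or hijacked resolver); also not a reason to reject mail.
    return "unexpected"


# Signs in a mail log that a reject was driven by a refused query:
# the raw 127.255.255.x code, or reject text that carries "Error:" after
# the spamhaus.org zone name (the posts cite "Error: open..." as an example).
ERROR_PATTERNS = [
    re.compile(r"\b127\.255\.255\.\d{1,3}\b"),
    re.compile(r"spamhaus\.org.*Error:", re.IGNORECASE),
]
# A normal DNSBL-driven reject, Postfix style: "blocked using <zone>;"
REJECT_RE = re.compile(r"blocked using (\S+?);")


def scan_mail_log(lines):
    """Return (summary Counter, list of (line_no, kind)) for suspicious lines."""
    summary = Counter()
    flagged = []
    for n, line in enumerate(lines, 1):
        if any(p.search(line) for p in ERROR_PATTERNS):
            summary["refused_query"] += 1   # probable false-positive reject
            flagged.append((n, "refused_query"))
        elif REJECT_RE.search(line):
            summary["dnsbl_reject"] += 1    # ordinary listing-based reject
    return summary, flagged


# Constructed sample log lines (Postfix-style; RFC 5737 test addresses).
SAMPLE_LOG = [
    "Nov 13 10:01:22 mx1 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from "
    "unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host "
    "[192.0.2.10] blocked using zen.spamhaus.org; from=<a@example.com>",
    "Nov 13 10:02:05 mx1 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from "
    "unknown[192.0.2.11]: 554 5.7.1 Service unavailable; Client host "
    "[192.0.2.11] blocked using zen.spamhaus.org; Error: open resolver; "
    "from=<c@example.org>",
    "Nov 13 10:02:40 mx1 postfix/smtpd[1234]: connect from "
    "mail.example.org[198.51.100.7]",
    "Nov 13 10:03:01 mx1 dnsbl-check[777]: 12.2.0.192.zen.spamhaus.org "
    "-> 127.255.255.254 (query refused)",
]


def main():
    summary, flagged = scan_mail_log(SAMPLE_LOG)
    print("summary:", dict(summary))
    for n, kind in flagged:
        print(f"line {n}: {kind}: {SAMPLE_LOG[n - 1][:80]}...")
    if summary["refused_query"]:
        print("Spamhaus is refusing your queries; fix your resolver setup "
              "before trusting these rejects.")


if __name__ == "__main__":
    main()
```

Run it on your own log by replacing SAMPLE_LOG with the lines of your mail log; any non-zero refused_query count means the DNSBL answer was an error code, not a listing, and the mail rejected on that line was probably legitimate.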