Spamassassin Blacklists

If you're looking for information on setting up Spamassassin, please see my spamassassin-setup.current.html article.

If you came here looking for more information on a spammer, you're not alone. Please scroll down to the "Finding Spammers" section.


README 3027 Feb 1 2004
README.findingspammers.html 1865 Dec 14 2003
README.howtotest.html 2134 Apr 21 2004
README.howtouse.html 7497 Apr 24 2004
README.policy 1400 Feb 1 2004
README.submissions.html 3315 Apr 24 2004
README.thanks.html 1492 Feb 23 2008
archives Apr 17 15:09
bogus-domain-info.txt 55975 Apr 4 2004
cat 0 Oct 16 2007
confused_spammer.jpg 209393 Nov 15 2003
conv-sa-blacklist 10389 Jun 8 2004
conv-sa-blacklist.current 24 Jun 10 2004
conv-sa-blacklist.v0.4.8 9952 Jun 5 2004
conv-sa-blacklist.v0.5.0 10389 Jun 8 2004
dilbert2003071742312.gif 20858 Jul 12 2003
dwinkler-convert-uri-list.pl 1743 Mar 1 2004
favicon.ico 318 Aug 2 2002
filelist.html
index.html
internal-gopher-menu 222 Aug 8 2002
internal-gopher-unknown 196 Aug 8 2002
learn-spam.20031122 2733 Nov 22 2003
learn-spam.current 19 Jun 10 2004
newyorker_spam.jpg 78103 May 5 2003
process Feb 7 2008
random.2004051302.cf 4403 May 13 2004
random.2004052501.cf 4883 May 25 2004
random.cf 4883 May 25 2004
random.current.cf 20 Jun 10 2004
redirector-examples.200405161254.txt 5766 May 16 2004
redirector-examples.200406012131.txt 6326 Jun 1 2004
redirector-examples.current.txt 36 Jun 10 2004
replace_blacklist.current 22 Jun 10 2004
replace_blacklist.v0.1 2600 Apr 2 2003
sa-blacklist.200904171139.bigevil.cf 663 Apr 17 12:11
sa-blacklist.200904171139.ws.surbl.org.bind 0 Apr 17 12:11
sa-blacklist.200904171239.action 8658906 Apr 17 12:53
sa-blacklist.200904171239.at-domains 8658985 Apr 17 12:53
sa-blacklist.200904171239.bigevil.cf 663 Apr 17 13:11
sa-blacklist.200904171239.cf 34125551 Apr 17 12:53
sa-blacklist.200904171239.domains 8155203 Apr 17 12:53
sa-blacklist.200904171239.dummy-block 30813659 Apr 17 12:54
sa-blacklist.200904171239.oneperrule.uri.cf 64836833 Apr 17 13:10
sa-blacklist.200904171239.reject 11680011 Apr 17 12:53
sa-blacklist.200904171239.sendmail-access 42394582 Apr 17 12:53
sa-blacklist.200904171239.stats 0 Apr 17 12:53
sa-blacklist.200904171239.uri.cf 9466718 Apr 17 13:11
sa-blacklist.200904171239.withdead.domains 8296206 Apr 17 12:39
sa-blacklist.200904171239.withdead.uri.cf 65922237 Apr 17 12:53
sa-blacklist.200904171239.ws.surbl.org.bind 0 Apr 17 13:11
sa-blacklist.200904171340.action 8659300 Apr 17 13:54
sa-blacklist.200904171340.at-domains 8659379 Apr 17 13:54
sa-blacklist.200904171340.bigevil.cf 663 Apr 17 14:09
sa-blacklist.200904171340.cf 34127257 Apr 17 13:53
sa-blacklist.200904171340.domains 8155570 Apr 17 13:53
sa-blacklist.200904171340.dummy-block 30815241 Apr 17 13:54
sa-blacklist.200904171340.oneperrule.uri.cf 64840186 Apr 17 14:09
sa-blacklist.200904171340.reject 11680567 Apr 17 13:54
sa-blacklist.200904171340.sendmail-access 42396785 Apr 17 13:54
sa-blacklist.200904171340.stats 0 Apr 17 13:53
sa-blacklist.200904171340.uri.cf 9467216 Apr 17 14:09
sa-blacklist.200904171340.withdead.domains 8296573 Apr 17 13:40
sa-blacklist.200904171340.withdead.uri.cf 65925590 Apr 17 13:53
sa-blacklist.200904171340.ws.surbl.org.bind 0 Apr 17 14:09
sa-blacklist.200904171439.action 8663872 Apr 17 14:54
sa-blacklist.200904171439.at-domains 8663951 Apr 17 14:54
sa-blacklist.200904171439.bigevil.cf 663 Apr 17 15:12
sa-blacklist.200904171439.cf 34147281 Apr 17 14:54
sa-blacklist.200904171439.domains 8159822 Apr 17 14:54
sa-blacklist.200904171439.dummy-block 30833893 Apr 17 14:54
sa-blacklist.200904171439.oneperrule.uri.cf 64879730 Apr 17 15:12
sa-blacklist.200904171439.reject 11687059 Apr 17 14:54
sa-blacklist.200904171439.sendmail-access 42422797 Apr 17 14:54
sa-blacklist.200904171439.stats 0 Apr 17 14:54
sa-blacklist.200904171439.uri.cf 9471987 Apr 17 15:12
sa-blacklist.200904171439.withdead.domains 8300825 Apr 17 14:39
sa-blacklist.200904171439.withdead.uri.cf 65965134 Apr 17 14:54
sa-blacklist.200904171439.ws.surbl.org.bind 0 Apr 17 15:12
sa-blacklist.200904171539.action 8665075 Apr 17 15:52
sa-blacklist.200904171539.at-domains 8665154 Apr 17 15:52
sa-blacklist.200904171539.bigevil.cf 663 Apr 17 16:10
sa-blacklist.200904171539.cf 34152611 Apr 17 15:52
sa-blacklist.200904171539.domains 8160939 Apr 17 15:52
sa-blacklist.200904171539.dummy-block 30838880 Apr 17 15:52
sa-blacklist.200904171539.oneperrule.uri.cf 64890306 Apr 17 16:10
sa-blacklist.200904171539.reject 11688778 Apr 17 15:52
sa-blacklist.200904171539.sendmail-access 42429762 Apr 17 15:52
sa-blacklist.200904171539.stats 0 Apr 17 15:52
sa-blacklist.200904171539.uri.cf 9473240 Apr 17 16:10
sa-blacklist.200904171539.withdead.domains 8301942 Apr 17 15:39
sa-blacklist.200904171539.withdead.uri.cf 65975710 Apr 17 15:52
sa-blacklist.200904171539.ws.surbl.org.bind 0 Apr 17 16:10
sa-blacklist.current 28 Apr 17 15:52
sa-blacklist.current.action 32 Apr 17 15:52
sa-blacklist.current.actions 32 Apr 17 15:52
sa-blacklist.current.at-domains 36 Apr 17 15:52
sa-blacklist.current.bigevil.cf 36 Apr 17 16:10
sa-blacklist.current.cf 28 Apr 17 15:52
sa-blacklist.current.domains 33 Apr 17 15:52
sa-blacklist.current.dummy-block 37 Apr 17 15:52
sa-blacklist.current.reject 32 Apr 17 15:52
sa-blacklist.current.sendmail-access 41 Apr 17 15:52
sa-blacklist.current.uri.cf 32 Apr 17 16:10
sa-blacklist.current.withdead.domains 8301942 Apr 17 15:39
sa-blacklist.current.ws.surbl.org.bind 43 Apr 17 16:10
sa-blacklist.current.ws.surbl.org.rbldnsd 46 Apr 17 16:10
spamip.2004032901.txt 1525309 Mar 29 2004
spamip.2004041601.txt 1730869 Apr 16 2004
spamip.B.20051002.txt 9096305 Oct 2 2005
spamip.B.20060315.txt 13613135 Mar 15 2006
spamip.B.20060417.txt 14163368 Apr 17 2006
spamip.B.txt 14163368 Apr 17 2006
spamip.C.2004032901.txt 1525309 Mar 29 2004
spamip.C.2004041601.txt 1730869 Apr 16 2004
spamip.C.20051002.txt 9470839 Oct 2 2005
spamip.C.20060315.txt 14255469 Mar 15 2006
spamip.C.20060417.txt 14853413 Apr 17 2006
spamip.C.txt 14853413 Apr 17 2006
spamip.current.txt 21 Jun 10 2004
uf-spam.gif 20875 Dec 9 2001
uf005742.gif 19552 Jul 12 2003
unescape 6487 Oct 23 2003
ws.surbl.org.rbldnsd.domains 9006000 Nov 23 04:35
ws.surbl.org.rbldnsd.headers 244 Nov 23 04:35




README

	The sa-blacklist.current file in this directory is a blacklist
of spammers in a form suitable for use in the spamassassin mail filter
program ( http://spamassassin.org/ ).

	Many thanks to a growing number of contributors; please see the
blacklist file for their names.  Thanks to all for their contributions!

	Please send additions or corrections to me, William Stearns
<wstearns@pobox.com> .  Please read the README.policy file first.

	Here's the new way of installing the blacklist.  Pick a non-root
user under which this will be done; substitute that user's login name
for non-root-user in the following.  Do this once as root:

touch /etc/mail/spamassassin/50blacklist.cf
chown non-root-user /etc/mail/spamassassin/50blacklist.cf

	Then make sure that /etc/sudoers has a line for the above user:

non-root-user        ALL=(root) NOPASSWD: /etc/init.d/spamassassin restart

	Finally, place the following, all on one line, in non-root-user's crontab
(/var/spool/cron/non-root-user):

17 1,7,13,19 * * * sleep $[ $RANDOM / 1024 ] ; rsync -aqL
zaphod.stearns.org::wstearns/sa-blacklist/sa-blacklist.current
/home/non-root-user/50blacklist.cf && cat /home/non-root-user/50blacklist.cf
>/etc/mail/spamassassin/50blacklist.cf && /usr/bin/sudo
/etc/init.d/spamassassin restart >/dev/null 2>/dev/null

	Then get cron to reread the config file by doing this as root:

touch /var/spool/cron

	I'm also providing a list of the domains in sa-blacklist as the
file "sa-blacklist.current.domains".  Squid will gladly use that as a
list of blocked domains; perfect for email clients that will go out to
fetch images stored on spammer web servers.  Set up a regular download
like the above and add these two lines to /etc/squid/squid.conf:

acl spammers url_regex "/etc/squid/sa-blacklist.current.domains"
http_access deny all spammers

	There's also a .uri.cf version of this file that looks for these
domains inside URL's in the message.
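The cron line above copies whatever rsync delivered straight into the file that SpamAssassin loads and then restarts the daemon, so an empty or truncated download would silently wipe the ruleset. The script below is an added example written for this page (it is not part of the README or the sa-blacklist distribution): it performs the same update but refuses to install an empty, binary, comment-only or sharply shrunken file, and where the spamassassin binary is present it asks `spamassassin --lint` to parse the candidate before it goes live. The rsync source and the install path are the README's own; the restart command, the 50% shrink threshold and the function names are this example's assumptions. The contents are copied into the existing user-owned file rather than renamed over it, because the non-root user from the README cannot create files in /etc/mail/spamassassin.

```python
import os
import shutil
import subprocess
import tempfile

# The rsync source is the README's own; the remaining values are this
# example's assumptions and should be adjusted to the local setup.
RSYNC_SOURCE = "zaphod.stearns.org::wstearns/sa-blacklist/sa-blacklist.current"
INSTALL_PATH = "/etc/mail/spamassassin/50blacklist.cf"
RESTART_CMD = ["/usr/bin/sudo", "/etc/init.d/spamassassin", "restart"]


def validate_blacklist(data, previous_size=None, max_shrink=0.5):
    """Sanity-check a freshly downloaded ruleset before it replaces the
    installed one.  `data` is the downloaded bytes, `previous_size` the size
    of the file currently installed (if any).  Returns (ok, reason).
    The 50% shrink threshold is an arbitrary guard chosen for this example."""
    if not data.strip():
        return False, "download is empty"
    if b"\x00" in data:
        return False, "download contains NUL bytes; not a text config"
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False, "download is not UTF-8 text"
    rules = [ln for ln in text.splitlines()
             if ln.strip() and not ln.lstrip().startswith("#")]
    if not rules:
        return False, "download has no rule lines, only comments"
    if previous_size and len(data) < previous_size * max_shrink:
        return False, "download shrank to %d bytes from %d; refusing" % (
            len(data), previous_size)
    return True, "ok"


def lint_ok(candidate_path):
    """Let SpamAssassin itself parse the candidate: --siteconfigpath points it
    at a scratch directory holding only that file.  Advisory on hosts without
    the spamassassin binary (returns True there)."""
    exe = shutil.which("spamassassin")
    if exe is None:
        return True
    with tempfile.TemporaryDirectory() as scratch_dir:
        shutil.copyfile(candidate_path, os.path.join(scratch_dir, "50blacklist.cf"))
        result = subprocess.run([exe, "--lint", "--siteconfigpath=" + scratch_dir],
                                stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def fetch_and_install(source=RSYNC_SOURCE, dest=INSTALL_PATH, restart=RESTART_CMD):
    """Download to a scratch file, validate, copy the contents into the
    existing destination file (preserving its ownership), then restart."""
    with tempfile.NamedTemporaryFile(prefix="sa-blacklist.", delete=False) as tmp:
        scratch = tmp.name
    try:
        subprocess.run(["rsync", "-aqL", source, scratch], check=True)
        with open(scratch, "rb") as f:
            data = f.read()
        previous = os.path.getsize(dest) if os.path.exists(dest) else None
        ok, why = validate_blacklist(data, previous)
        if not ok:
            raise RuntimeError("not installing: " + why)
        if not lint_ok(scratch):
            raise RuntimeError("not installing: spamassassin --lint rejected the file")
        shutil.copyfile(scratch, dest)
        subprocess.run(restart, check=True,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    finally:
        os.unlink(scratch)


if __name__ == "__main__":
    fetch_and_install()
```

Run it from the same crontab entry in place of the rsync/cat pipeline; a rejected download leaves the previously installed file and the running daemon untouched.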



README.findingspammers.html

Finding Spammers

I regularly get email from people who are looking for spammers. They've lost money and want to get it back, or they want to find out if a given company is reputable. Let me cover a few things:


README.howtotest.html

Once you have the blacklist installed, here's how to test whether it's working or not. Start up the "telnet" program (included in Windows and all Unix flavors) with the command:

telnet {your_mail_server} 25

Your mail server will send back a banner something like:

220 mymailserver.com - Welcome to our Sendmail ESMTP

and it will sit waiting for you. Now we'll feed it the first few lines of an SMTP exchange (you type the lines starting with capitals):

MAIL FROM: martha@sendmails.com
250 ok
RCPT TO: {a_valid_email_address@your.domain}
553 sorry, your envelope sender is in my badmailfrom list (#5.7.1)
QUIT
221 mymailserver.com - Goodbye

In this case, we tried to send mail from an account at a known spammer, sendmails.com. We then told the mail server where the mail needs to go. The mail server then told us that it can't accept mail from sendmails.com because we'd correctly installed the qmail block list.

If, however, you have the blacklist installed in your spam filtering program, instead of giving you a 553 error, the mail server will likely allow you to continue feeding in the message with a prompt like:

250 {a_valid_email_address@your.domain}... Recipient ok

Now you give it the actual message content. The blank line and the line with nothing but a "." are both needed verbatim:

DATA
354 Enter mail, end with "." on a line by itself
From: martha@sendmails.com
Subject: Test mail for blacklist

This is a test message
<a href="http://www.sendmails.com">www.sendmails.com</a>
.
250 2.0.0 i3L3v5c23955 Message accepted for delivery
QUIT
221 mymailserver.com closing connection

The mailserver gives the 354, 250, and 221 lines, you type the rest.

Now go back to your mail software and take a look at the spam score assigned by your spam filter. Look at the list of reasons why it's marked as spam; does it mention the sa-blacklist? Does it say the domain was found on the RBL at surbl.org? If so, the spam filter is successfully using the blacklist.
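The telnet session above can be scripted so the test is repeatable after every blacklist update. The following is an added example written for this page, not part of the README: it sends the same message (sender at sendmails.com, body containing a link to www.sendmails.com) with Python's smtplib, reports whether the MTA blocked it at the envelope stage or accepted it, and then parses the X-Spam-Status header of the delivered copy to see which rules fired. The header format is SpamAssassin's standard one; URIBL_WS_SURBL is the stock rule for the ws.surbl.org list and USER_IN_BLACKLIST is the stock rule fired by blacklist_from entries. That the sender-domain .cf file consists of blacklist_from entries, and the SA_BLACKLIST name prefix for rules from the .uri.cf file, are this example's assumptions; adjust them to the rule names you actually see.

```python
import re
import smtplib
from email.message import EmailMessage

# Values from the README's telnet session.
TEST_SENDER = "martha@sendmails.com"
TEST_URL = "http://www.sendmails.com"


def build_test_message(recipient):
    """Same body as the README's DATA section: a sentence plus a link to the
    blacklisted domain, so both the sender-domain and the URL rules have
    something to match."""
    msg = EmailMessage()
    msg["From"] = TEST_SENDER
    msg["To"] = recipient
    msg["Subject"] = "Test mail for blacklist"
    msg.set_content("This is a test message\n%s\n" % TEST_URL)
    return msg


def send_test(mail_server, recipient):
    """Run the SMTP exchange.  Returns (accepted, reply).  A 5xx reply at
    MAIL FROM or RCPT TO means an MTA-level block is working (qmail,
    Postfix or sendmail recipe); 250 means the MTA took the message and the
    verdict has to be read from the delivered mail's headers instead."""
    try:
        with smtplib.SMTP(mail_server, 25, timeout=30) as smtp:
            smtp.send_message(build_test_message(recipient))
        return True, "250 accepted for delivery"
    except smtplib.SMTPSenderRefused as e:
        return False, "%d %s" % (e.smtp_code, e.smtp_error.decode("ascii", "replace"))
    except smtplib.SMTPRecipientsRefused as e:
        code, text = next(iter(e.recipients.values()))
        return False, "%d %s" % (code, text.decode("ascii", "replace"))


_STATUS_RE = re.compile(
    r"^(Yes|No),\s*score=(-?[\d.]+)\s+required=(-?[\d.]+)"
    r"(?:\s+tests=(.*?))?(?:\s+autolearn=|\s+version=|$)", re.S)


def parse_spam_status(header_value):
    """Parse SpamAssassin's X-Spam-Status header (folded lines are fine).
    Returns a dict, or None if the value is not in the expected format."""
    m = _STATUS_RE.match(" ".join(header_value.split()))
    if not m:
        return None
    verdict, score, required, tests = m.groups()
    return {"spam": verdict == "Yes",
            "score": float(score),
            "required": float(required),
            "tests": [t.strip() for t in (tests or "").split(",") if t.strip()]}


def blacklist_hit(status, local_rule_prefix="SA_BLACKLIST"):
    """Did the blacklist contribute to the verdict?  USER_IN_BLACKLIST is the
    stock rule for blacklist_from entries, URIBL_WS_SURBL the stock rule for
    ws.surbl.org; local_rule_prefix is an assumed naming convention for the
    rules in the .uri.cf file."""
    return any(t in ("USER_IN_BLACKLIST", "URIBL_WS_SURBL")
               or t.startswith(local_rule_prefix) for t in status["tests"])


if __name__ == "__main__":
    import sys
    accepted, reply = send_test(sys.argv[1], sys.argv[2])
    print("MTA reply:", reply)
    if accepted:
        print("Now check X-Spam-Status on the delivered copy with parse_spam_status().")
```

Usage: `python3 satest.py mymailserver.com user@your.domain`. If the MTA answers 250, fetch the delivered message and feed its X-Spam-Status value to parse_spam_status(); blacklist_hit() tells you whether the sa-blacklist or SURBL rules are the ones that raised the score.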


README.howtouse.html

How to install into your programs

The sa-blacklist files hold lists of spammer domains, in a form suitable for blocking access to those domains. Each one has a datestamp so you can locate a specific version and identify newer and older releases, but you should only need to use the versions with "current" in the name, which always points to the latest release.

Find the program you're using below to decide which one to use.

Exim mail server

Just thought I'd drop you a quick note on how to add your SA black list to Exim. To start with, the Squid list ( sa-blacklist.current.domains ) looks OK to use with Exim. Then, in exim.conf the following is added (near any other deny sections):

deny message = $sender_host_address Blocked by http://www.stearns.org/sa-blacklist/
	hosts = partial()lsearch;/path/to/sa-blacklist.current.domains

I'd like to sincerely thank Daniel Bird for contributing the above instructions.

Postfix mail server

Postfix is chock full of features to help stem the tide of UCE; if you are already using some of them, you should consider the below recipe a guide and not so much a drop-in solution. Take a look at the Postfix UCE docs, available here (consider using a mirror):

http://www.postfix.org/uce.html

...but for those of us who aren't using any of these conf declarations and would like to drop in Bill's blacklist, the following should suffice; we are going to be filtering based on the envelope sender.

  1. Copy the blacklist sa-blacklist.current.reject to a sensible spot; /etc/postfix/sender_restrictions seems reasonable.
  2. Update main.cf, adding the line:
    smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_restrictions
    
  3. Create the access table hash:
    postmap /etc/postfix/sender_restrictions
    
  4. Have the master daemon reread main.cf:
    postfix reload
    

You are now rejecting envelope senders from the blacklisted domains; they will be rejected with a 554 error. If you would like to test this without actually rejecting mails, you can add `warn_if_reject, ' before the `check_sender_access' token; messages that would be rejected will be logged with a `reject_warning'.

I would like to sincerely thank Jereme Corrado for doing the postfix research and testing, and for contributing the above instructions.

Privoxy http proxy

The Privoxy privacy proxy (based on the Internet Junkbuster) filters outbound http and https requests and inbound replies, allowing you to block access to undesirable sites, block popups, block tracking gifs, etc. To install, place sa-blacklist.current.action in /etc/privoxy/ (your path may differ, based on operating system) and edit the "config" file there (note, this was previously called sa-blacklist.current.actions). Add the line

actionsfile sa-blacklist.current	#spamassassin domain blacklist

so the file looks like:

actionsfile standard  # Internal purpose, recommended
actionsfile sa-blacklist.current	#spamassassin domain blacklist
actionsfile default   # Main actions file
actionsfile user      # User customizations

Restart Privoxy.

Qmail mail server

Qmail has the ability to unconditionally block mail from spammers based on the envelope sender (which may not be the same as the "From:" field in the header, don't be surprised if this approach misses some emails that you think it should catch). In other words, if the spammers don't lie about their sending domain, qmail may be able to block them before the mail message is even transmitted. This cuts down on things like bounces, and hopefully spam!

To install, locate qmail's "control" directory. Download the sa-blacklist.current.at-domains file, and append it to the "badmailfrom" file there. Restart qmail.

Spamassassin email spam filter

sa-blacklist.current.cf and sa-blacklist.current.uri.cf are the two files formatted for spamassassin. The first looks at the sender domain, but spammers more and more lie about the source so this won't catch everything. The second looks at each url in the message, and is more likely to catch the web sites to which spammers want you to go. These take a lot of processing for each message, so you'll want to give them a try on a sample account first.

As a side note, I also have random.current.cf as a list of tags spammers sometimes forget to convert in spam, also in spamassassin format.

All three files increase the spam score for the message, making it more likely that the spam will get caught.

To install, download the above three files and place them in /etc/mail/spamassassin/ , making sure they each end in ".cf" (spamassassin treats all files ending in .cf as configuration files and loads them all). Restart spamassassin.

A second approach, currently under test, is to publish the sa-blacklist domains as a dns-based RBL. This replaces the use of the .uri.cf file above, but performs the same checks with lower load.

For more information on this approach, installation instructions, and details on using both a dns-rbl-based sa-blacklist and a dns-rbl-based Spamcop database, please see http://www.surbl.org .

Squid web cache

Squid can unconditionally block all outbound requests to certain domains. Privoxy is preferred for this, as privoxy will replace blocked images with a placeholder image, while squid will put in a dummy html page instead (which just means your pages will have broken images, no big deal). Other than that it will work just fine.

Download sa-blacklist.current.domains to /etc/squid/ (again, path may vary). Edit squid.conf, adding the line

acl spammers url_regex "/etc/squid/sa-blacklist.current.domains"

in with the other acl lines (order for acl lines doesn't matter), and adding

http_access deny all spammers

above your http_access lines (order does matter here). Restart squid.

Sendmail mail server

Like qmail, sendmail can also inspect the envelope sender address and block based on the domain. Go to the /etc/mail directory, append sa-blacklist.current.sendmail-access to /etc/mail/access, run

make access.db

and restart sendmail.

Bill, what about....?

If you have a spam filtering tool, mail transport agent, http proxy, or any other program that you want to filter spammer domains, no problem. I can provide the list in any format you need. Simply send me the format to use and I'll add it to my build script.
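The programs above each want the same list of domains in a slightly different line format, which is what the author's build script produces. The converter below is an added example written for this page, not the project's own build script: given clean domain names it emits the line each program consumes, and it refuses any entry that does not look like a bare domain, because a stray URL, port or line with embedded whitespace would otherwise become an unexpected extra token in a root-owned access map. The Postfix access-table, qmail badmailfrom, sendmail access and SpamAssassin blacklist_from syntaxes are the standard ones for those programs; for Squid it emits a dstdomain list (a leading dot matches the domain and its subdomains), which is this example's choice in place of the url_regex acl used above.

```python
import re

# Syntax gate applied before any line is emitted.  Lowercase labels, dots,
# and a 2+ letter TLD only; no scheme, port, path or whitespace.
_DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$")


def check_domain(domain):
    """True only for a bare, lowercase domain name."""
    return bool(_DOMAIN_RE.match(domain))


# One renderer per target program; each turns one clean domain into one line.
FORMATS = {
    # Postfix check_sender_access table (run `postmap` on the output file).
    "postfix": lambda d: "%s\tREJECT" % d,
    # qmail control/badmailfrom: a leading "@" blocks every sender at the domain.
    "qmail": lambda d: "@%s" % d,
    # sendmail /etc/mail/access (run `make access.db` afterwards).
    "sendmail": lambda d: "%s\tREJECT" % d,
    # SpamAssassin: blacklist_from raises the score for any sender matching
    # the pattern (this fires the stock USER_IN_BLACKLIST rule).
    "spamassassin": lambda d: "blacklist_from *@%s" % d,
    # Squid dstdomain acl file: ".domain" matches the domain and subdomains
    # and is cheaper to evaluate than a url_regex acl.
    "squid": lambda d: ".%s" % d,
}


def render(fmt, domains):
    """Return the file body for `fmt`: sorted, de-duplicated, one entry per
    line.  Raises on an unknown format or a malformed domain rather than
    silently dropping or passing the entry through."""
    renderer = FORMATS[fmt]
    lines = []
    for domain in sorted(set(domains)):
        if not check_domain(domain):
            raise ValueError("refusing malformed domain entry: %r" % domain)
        lines.append(renderer(domain))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    import sys
    # Usage: python3 convert.py postfix < sa-blacklist.current.domains
    sys.stdout.write(render(sys.argv[1], [ln.strip() for ln in sys.stdin if ln.strip()]))
```

Pair the Squid output with `acl spammers dstdomain "/etc/squid/sa-blacklist.dstdomain"` if you use that form instead of url_regex; the http_access line stays the same.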


README.policy


	This is a list of domains, hosts, and IP addresses used by
spammers.  This can include bulk email houses, individual companies that
send spam, and servers that are used to host images for spam.  Spam is
strictly defined as Unsolicited Bulk Email, and so I will include
unsolicited mail where the sender is not explicitly asking for money,
such as political and religious spam.

	The domains and IP's can be the original ones listed in the
mail, but also include the intermediate redirectors and the final target
site.  If the company is attempting to hide behind a temporary domain
used for email campaign(s), the real company domain is included as well.

	The list does _not_ include hosting services where spammers and
non-spammers can sign up for accounts (geocities, store.yahoo.com, etc.).
It also does not include counters, ad trackers (although this is
severely borderline), free email services (hotmail, msn, etc.), and
generic ISP's that host normal user accounts (earthlink, etc.).  It does
not include individual email addresses; this takes far too much work for
too little payback.

	In short, I want this list to be a list of domains, hosts, and
IP addresses used exclusively by companies that spam.

	The file is Copyright 2003 William Stearns <wstearns@pobox.com>
and other contributors (see the actual file for their contact
information).  It is made available under the GNU GPL.




README.submissions.html

Submitting new entries and corrections

Here are some guidelines for submission. Please note that these instructions will change in the future; we have an improved approach in the works.

Adding new domains

Please send new domains in an email to wstearns@pobox.com . The domains should be in all lowercase, free from host portions (www. , mx02. , spleen.arctic.mountbatten. , etc.), and have no port numbers at the end (:2700, :8080, etc.), have no directory or file names (/unsubscribe.ddd , /images/a2.jpg, etc.). Please send them in sorted order, and with no duplicates. Please check your list against http://www.stearns.org/sa-blacklist/sa-blacklist.current.domains ; try not to submit domains that are already in the list.

Before sending in domains, please check them. This is critical; submissions from automated scripts without human eyes in the process yield far too many false positives to be useful. Actually go to the web site; is there any content at all, or is it just a blank page? Is there any chance this is an ISP, and the spammer just signed up for cohosting space? Worse yet, did they just sign up for an individual user account? Take a look at the whois record; domains that have been around since 1998 are far less likely to be spammer domains than domains that were first registered in the last two months. In short, if there's any chance this domain is an ISP or an account on someone else's domain, please don't submit it. A list of 20 domains you're absolutely positive about is much more useful than 1000 domains you're 98% sure about.

Here's a sample submission message body:

anotherspammer.biz
spammerdomain.com
thirdspamco.info

Please include the word "blacklist" somewhere in the subject, so it skips by my spam filter, such as:

Subject: [blacklist] 20040423 entries from Bob Smith

If you want to include comments, that's fine, but please place them on separate lines, preferably before the domains start.

Please save at least 1 or 2 of the emails that prompted the domain submission; we may get a false positive report in the future, and whether the report is correct or not, it's helpful to be able to refer to the original email for additional background.
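The cleanup rules above (lowercase, no port, no path, sorted, no duplicates, nothing already on the list) are easy to get wrong by hand. The helper below is an added example written for this page, not a tool from the project: it normalises raw lines (URLs, host:port, mixed case) to bare domains with urllib, drops anything already present in a copy of sa-blacklist.current.domains, and sets aside for manual review anything that still looks like a host name rather than a registered domain. It deliberately strips only a leading "www."; deciding that mx02.spammer.com should be submitted as spammer.com is the human check the guidelines ask for. Function names and the sample input are this example's own.

```python
import re
from urllib.parse import urlsplit

_DOMAIN_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$")


def normalize_entry(raw):
    """Reduce one raw line (URL, host:port, mixed case, stray whitespace) to
    a bare lowercase domain, or return None for blank and comment lines."""
    s = raw.strip().lower()
    if not s or s.startswith("#"):
        return None
    if "://" not in s:
        s = "http://" + s        # so urlsplit treats the whole thing as a host
    host = urlsplit(s).hostname or ""   # drops userinfo, port, path, query
    if host.startswith("www."):
        host = host[4:]
    return host or None


def prepare_submission(raw_lines, current_list):
    """Split candidates into three sorted lists:
    ready          - new, clean, de-duplicated domains to submit
    already_listed - present in the current sa-blacklist domains file
    review         - malformed, or with extra host labels (mx02.x.com) that
                     need a human to decide what the real domain is"""
    current = set(d.strip().lower() for d in current_list if d.strip())
    ready, already, review = set(), set(), set()
    for raw in raw_lines:
        domain = normalize_entry(raw)
        if domain is None:
            continue
        if domain in current:
            already.add(domain)
        elif domain.count(".") >= 2 or not _DOMAIN_RE.match(domain):
            review.add(domain)
        else:
            ready.add(domain)
    return sorted(ready), sorted(already), sorted(review)


if __name__ == "__main__":
    import sys
    # Usage: python3 prep.py sa-blacklist.current.domains < raw_candidates.txt
    with open(sys.argv[1]) as f:
        current = f.read().splitlines()
    ready, already, review = prepare_submission(sys.stdin, current)
    print("\n".join(ready))
    if already:
        print("# already listed:", ", ".join(already), file=sys.stderr)
    if review:
        print("# needs review:", ", ".join(review), file=sys.stderr)
```

The "ready" list printed on stdout is in exactly the shape of the sample submission body above; the review list goes to stderr so it never lands in the mail by accident.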

Removing domains

From time to time we'll make a mistake and add a legitimate domain in the list. Please accept our sincere apologies in advance; we know it's frustrating to get your mail blocked.

To get removed, send an email to wstearns@pobox.com , again, with the word "blacklist" somewhere in the subject (if you forget this, the message may land in Bill's spam folder, delaying your request by hours or days). Say which domain you're writing about. You're not required to justify the removal request, but if you send along some supporting evidence of why you should be removed, it'll make the process a little faster.

Your request will be looked into as quickly as possible; we want to resolve the mistake as much as you do; false positives hurt us all.


README.thanks.html

This project has had an immense amount of support. I want to thank all the contributors; the sa-blacklist could never have covered as many domains as it has if it had stayed a one-man show.

I'd like to especially thank Panagiotis Christias of the National Technical University of Athens, Raymond Dijkxhoorn of Prolocation.net, and Jens and Guido of Intergenia.de. Since the downloads of the sa-blacklist have crossed the terabyte/month mark, these generous organizations have offered to host the list. Without their generosity, I wouldn't be able to continue to provide the list.

Ironport and Barracuda Networks have also been very generous in donating a number of servers to help the entire project. We truly appreciate the donation.

Generated Fri Apr 17 16:12:04 EDT 2009 by htmlfilelist version 0.8.4