It has been a busy few weeks since I first blogged about Communicado; here are some of the highlights of what has been going on.
- Communicado are still registering somewhere between 40 and 60 new domains a week. The blacklist is being regularly updated and currently has 5364 domains listed.
- Communicado appear to have switched registrars from DAILY to ENOM as of yesterday. Makes no difference to picking up their domains.
- Nominet have been investigating and tell me that some of Communicado’s domains have been suspended and they are in the process of suspending more.
- Please follow @Excommunicado for news and announcements on Twitter. Low volume, only on topic.
- The existing text file download will continue to be updated but, by popular demand, I have set up a DNS RBL containing their domains. As of the time of writing it is open access; that may change if it becomes too busy. Using it is easy:
martin@olga:~$ host malimanosa.co.uk.excommunicado.co.uk
malimanosa.co.uk.excommunicado.co.uk has address 127.0.0.2
martin@olga:~$ host flobbletob.co.uk.excommunicado.co.uk
Host flobbletob.excommunicado.co.uk not found: 3(NXDOMAIN)
If anyone wants to provide working configuration examples for SpamAssassin (or other similar tools), I will cheerfully link to them or post them here.
More news when I have it, have a Communicado-free afternoon!
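The RBL lookup described in the post, as an added Python example (not the author's or any commenter's code) that also keeps a failed lookup separate from a "not listed" answer. The function names and the sample resolver are hypothetical, and treating `EAI_NONAME` as NXDOMAIN is an assumption about the local resolver.

```python
import socket

RBL_ZONE = "excommunicado.co.uk"  # zone used in the post's host commands
LISTED = "127.0.0.2"              # answer the post shows for a listed domain


def query_name(sender):
    """Build the RBL query name from an address or a bare domain."""
    domain = sender.strip().strip("<>").rsplit("@", 1)[-1].rstrip(".").lower()
    if not domain or "" in domain.split("."):
        raise ValueError("no usable domain in %r" % (sender,))
    return domain + "." + RBL_ZONE


def system_resolver(name):
    """A records for name; [] when the name does not exist."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        # Assumption: the stub resolver reports NXDOMAIN as EAI_NONAME.
        if exc.errno == socket.EAI_NONAME:
            return []
        raise  # timeout, SERVFAIL, ...: let the caller see the failure
    return sorted({info[4][0] for info in infos})


def check_sender(sender, resolve=system_resolver):
    """Return 'listed', 'not-listed' or 'unknown' (lookup failed)."""
    try:
        answers = resolve(query_name(sender))
    except OSError:
        return "unknown"  # a failed lookup is not a verdict either way
    return "listed" if LISTED in answers else "not-listed"


# Constructed stand-in for the RBL, holding only the post's listed example name.
SAMPLE_ZONE = {"malimanosa.co.uk.excommunicado.co.uk": ["127.0.0.2"]}


def sample_resolver(name):
    return SAMPLE_ZONE.get(name, [])


if __name__ == "__main__":
    for sender in ("offers@MALIMANOSA.co.uk", "<info@flobbletob.co.uk>"):
        print(sender, check_sender(sender, sample_resolver))
```

Calling `check_sender(address)` without a second argument uses the system resolver and queries the live zone.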
Thanks for the DNS BL; I’ll give it a whirl with postfix-policyd.
I don’t do #ff, but if you run a mail server, you definitely want to keep an eye on @excommunicado’s good work. See http://t.co/8Gikj9QTsu
Here’s some quick and dirty perl for doing a lookup – it should be possible to wrap this into a plugin for spamassassin format.
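#!/usr/bin/perl
# Quick RBL lookup: pass the full query name as the first argument.
use Net::DNS;
$domain = $ARGV[0];
my $res = Net::DNS::Resolver->new;
lookup_hostname();
is_it_a_spammer();
# Resolve $domain and keep the last A record in the global $ip.
sub lookup_hostname {
    $query = $res->query("$domain", "A");
    if ($query) {
        foreach $rr ($query->answer) {
            next unless $rr->type eq "A";
            our $ip = $rr->address;
        }
    }
}
# 127.0.0.2 is the address the RBL returns for a listed domain.
sub is_it_a_spammer {
    if ( $ip =~ /^127\.0\.0\.2$/ ) {
        return 1;
    } else {
        return 0;
    }
}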
I’ve been looking at the FromNotReplyTo plugin for inspiration and the from address is available via:
my $from = lc($msg->get( 'From:addr' ));
(whilst I’ve been using $ARGV[0] for testing), so plugging the sender domain back into $domain should be possible?
Sorry for the unfinished state of this – I’m off home now 🙂
Here we go – the finished SA plugin. Please excuse any little formatting quirks that might creep in by pasting it here!
Excommunicado.cf
-----
loadplugin Excommunicado Excommunicado.pm
header EXCOMMUNICADO eval:lookup_excommunicado()
score EXCOMMUNICADO 5.0
describe EXCOMMUNICADO Sender domain is listed as a Communicado spamming domain.
-----
Excommunicado.pm
-----
package Excommunicado;
use strict;
use Mail::SpamAssassin;
use Mail::SpamAssassin::Plugin;
our @ISA = qw(Mail::SpamAssassin::Plugin);
use Net::DNS;
sub new {
    my ($class, $mailsa) = @_;
    $class = ref($class) || $class;
    my $self = $class->SUPER::new( $mailsa );
    bless ($self, $class);
    $self->register_eval_rule ( 'lookup_excommunicado' );
    return $self;
}
# Eval rule: true if any From: domain is listed in the Excommunicado RBL.
sub lookup_excommunicado {
    my ($self, $pms) = @_;
    my %from_addrs = map { lc($_) => 1 } ($pms->all_from_addrs());
    delete $from_addrs{''}; # no empty ones thx
    my $res = Net::DNS::Resolver->new;
    foreach my $domain (keys %from_addrs) {
        $domain =~ s/.*@//;
        $domain = $domain . '.excommunicado.co.uk';
        my $query = $res->query("$domain", "A");
        next unless $query; # no answer for this domain, try the next one
        foreach my $rr ($query->answer) {
            next unless $rr->type eq "A";
            # 127.0.0.2 is the RBL's answer for a listed domain
            return 1 if $rr->address eq '127.0.0.2';
        }
    }
    return 0;
}
1;
-----
Martin, firstly, thanks for a great service! These bitesize bastards need stopping. 🙂
Does the RBL only respond to root domains – no subdomains/hosts? At the moment, I’m requesting lookups on whatever’s to the right-hand side of “@” in the smtp reverse-path but I’m thinking this might need changing…