Posted to users@spamassassin.apache.org by Ned Slider <ne...@unixmail.co.uk> on 2011/03/24 22:27:38 UTC

URIBL_RHS_DOB false positives?

Hi List,

Is anyone else seeing abnormally high instances of FP hits against 
URIBL_RHS_DOB today?

Not causing ham to be classified as spam, but I've noticed quite a few 
hits on ham today that I wouldn't expect.

Running the message through SA in debug doesn't tell me the domain 
that's hit as the message score is less than the spam threshold.

For example, it seems to be hitting on nectar.com which whois tells me 
was registered 09-mar-1995 :-/

Seems to have started today from what I can tell.

Re: URIBL_RHS_DOB false positives?

Posted by Daniel McDonald <da...@austinenergy.com>.
On 3/25/11 10:42 AM, "Alex" <my...@gmail.com> wrote:

> Hi,
> 
>>> But it seems like there is a reset in the URIBL_RHS_DOB database or
>>> something.
>>> 
>>> A lot of domains that are not new domains are now listed.
>> 
>> It appears to be hitting on a lot of mail today:
>> $ grep DOB /var/log/mail/info.log | cut -d\  -f 1,2 | uniq -c
>>    119 Mar 20
>>    174 Mar 21
>>    168 Mar 22
>>    310 Mar 23
>>  10527 Mar 24
> 
> Isn't "DOB" a bit of a broad pattern to be matching for something like
> this? Unless there's something else than the obvious in that info.log
> file, or you know something I don't, why wouldn't you just search on
> the full rule name?

I'll accept that criticism.  Looks like I got a few quarantine tags,
message-id's, and FRT_ADOBE2 rule hits.  But it doesn't affect the order of
magnitude significantly.


$ grep URIBL_RHS_DOB /var/log/mail/info.log | cut -d\  -f 1,2 | uniq -c
    119 Mar 20
    168 Mar 21
    168 Mar 22
    276 Mar 23
  13439 Mar 24
   1844 Mar 25

And some of the discrepancy is amavis continuation lines:
Mar 24 12:08:12 sa amavis[12315]: (12315-04) ...RHS_DOB=0.276,
US_DOLLARS_3=2.523] autolearn=disabled
Mar 24 12:27:11 sa amavis[13861]: (13861-13) ...RHS_DOB=0.276,
US_DOLLARS_3=2.523] autolearn=disabled
Mar 24 14:07:33 sa amavis[29001]: (29001-04) ..._RHS_DOB=0.276,
US_DOLLARS_3=2.523] autolearn=disabled
Mar 24 18:25:07 sa amavis[11933]: (11933-02) ...DOB=0.276]
autolearn=disabled


> 
> Just curious, I guess.
> 
> Thanks,
> Alex
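The two points raised in this exchange, that a bare `grep DOB` also counts FRT_ADOBE2 hits and Message-IDs and that amavis continuation lines inflate the per-day totals, can both be handled in a small log parser. The following is an added example, not code from the thread or from amavis/SpamAssassin; the log lines are constructed (their layout is only modelled on the excerpts quoted above) and the spam check generalises the thread's `Yes, score=[67].` grep to "score reached the required threshold":

```python
import re
from collections import defaultdict
# Constructed syslog/amavis sample (not the thread's real logs), modelled on the lines quoted
# above: a record split over "..." continuation lines, an FRT_ADOBE2 hit, "DOB" in a Message-ID.
SAMPLE_LOG = """\
Mar 23 09:01:02 sa amavis[1001]: (1001-01) Passed CLEAN, <a@example.org> -> <b@example.net>, Hits: 1.2, tests=[URIBL_RHS_DOB=0.276] autolearn=disabled
Mar 24 12:08:12 sa amavis[12315]: (12315-04) Passed CLEAN, <c@example.org> -> <b@example.net>, Hits: 2.8, tests=[HTML_MESSAGE=0.001,
Mar 24 12:08:12 sa amavis[12315]: (12315-04) ...URIBL_RHS_DOB=0.276,
Mar 24 12:08:12 sa amavis[12315]: (12315-04) ...US_DOLLARS_3=2.523] autolearn=disabled
Mar 24 12:27:11 sa amavis[13861]: (13861-13) Passed CLEAN, <d@example.org> -> <b@example.net>, Hits: 2.5, tests=[FRT_ADOBE2=2.5] autolearn=disabled
Mar 24 13:00:00 sa amavis[20000]: (20000-02) Passed CLEAN, <e@example.org> -> <b@example.net>, Message-ID: <DOB-9@example.org>, Hits: 0.1, tests=[] autolearn=ham
Mar 24 14:07:33 sa amavis[29001]: (29001-04) Blocked SPAM, <f@example.org> -> <b@example.net>, Yes, score=6.4 required=5.0 tests=[URIBL_RHS_DOB=0.276,
Mar 24 14:07:33 sa amavis[29001]: (29001-04) ...US_DOLLARS_3=2.523] autolearn=disabled
"""
LINE_RE = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) \d\d:\d\d:\d\d \S+ amavis\[\d+\]: \(([\d-]+)\) (.*)$")
# Whole rule name plus its score, so FRT_ADOBE2 or a "DOB" in a Message-ID cannot match.
RULE_RE = re.compile(r"(?<![A-Z0-9_])URIBL_RHS_DOB=")

def naive_grep_count(log_text, pattern="DOB"):
    # Same as `grep DOB ... | cut -d' ' -f1,2 | uniq -c`: counts lines, not messages.
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and pattern in line:
            counts[f"{m[1]} {int(m[2])}"] += 1
    return dict(counts)

def join_records(log_text):
    # Reassemble each task's text: a body starting with "..." is a syslog continuation
    # of that task's previous record, so append it instead of counting it again.
    records = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        mon, day, task, body = m.groups()
        key = (f"{mon} {int(day)}", task)
        records[key] = records.get(key, "") + (body[3:] if body.startswith("...") else " " + body)
    return records

def count_dob_hits(log_text):
    # Returns (messages/day that hit URIBL_RHS_DOB, those that also reached the spam threshold).
    hits, over = defaultdict(int), defaultdict(int)
    for (day, _task), text in join_records(log_text).items():
        if not RULE_RE.search(text):
            continue
        hits[day] += 1
        status = re.search(r"Yes, score=(-?[\d.]+) .*?required=([\d.]+)", text)
        if status and float(status[1]) >= float(status[2]):
            over[day] += 1
    return dict(hits), dict(over)
```

On the sample, `naive_grep_count` reports 4 lines for Mar 24 while `count_dob_hits` finds 2 messages, one of which crossed the threshold.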


Re: URIBL_RHS_DOB false positives?

Posted by Alex <my...@gmail.com>.
Hi,

>> But it seems like there is a reset in the URIBL_RHS_DOB database or
>> something.
>>
>> A lot of domains that are not new domains are now listed.
>
> It appears to be hitting on a lot of mail today:
> $ grep DOB /var/log/mail/info.log | cut -d\  -f 1,2 | uniq -c
>    119 Mar 20
>    174 Mar 21
>    168 Mar 22
>    310 Mar 23
>  10527 Mar 24

Isn't "DOB" a bit of a broad pattern to be matching for something like
this? Unless there's something else than the obvious in that info.log
file, or you know something I don't, why wouldn't you just search on
the full rule name?

Just curious, I guess.

Thanks,
Alex

Re: URIBL_RHS_DOB false positives?

Posted by Michael Scheidell <mi...@secnap.com>.
On 3/24/11 7:05 PM, McDonald, Dan wrote:
> Scrolling through these 300, most of them look like spam anyway...  I
> doubt I will touch it.
>
then again, if most of all email is spam (95%), then that logic says use 
the rbl: blocked.secnap.net and score it with a 3.0.

(google before you use it)  It's an IPv4 list, but it will block 100% of 
your spam if you use it in your MTA. (google before you use it)

DOB has broken so many times, from a massive delay standpoint to this 
now that we disabled it a long time ago.

-- 
Michael Scheidell, CTO

RE: URIBL_RHS_DOB false positives?

Posted by "McDonald, Dan" <Da...@austinenergy.com>.

> -----Original Message-----
> From: RGB Camera [mailto:zauschneria@gmail.com]
> Sent: Thursday, March 24, 2011 4:34 PM
> To: users@spamassassin.apache.org
> Subject: Re: URIBL_RHS_DOB false positives?
> 
> Yes, we set the pointage to 0.01 until whatever is broken gets fixed.
> 
> We normally score that rule much higher than the default, and it
> normally works well.
> 
> But it seems like there is a reset in the URIBL_RHS_DOB database or
> something.
> 
> A lot of domains that are not new domains are now listed.

It appears to be hitting on a lot of mail today:
$ grep DOB /var/log/mail/info.log | cut -d\  -f 1,2 | uniq -c
    119 Mar 20
    174 Mar 21
    168 Mar 22
    310 Mar 23
  10527 Mar 24

But not many that are potentially blocked because of it:
$ grep DOB /var/log/mail/info.log | grep -P 'Yes, score=[67].' | grep -c ^Mar\ 24
317

Scrolling through these 300, most of them look like spam anyway...  I
doubt I will touch it.


Re: URIBL_RHS_DOB false positives?

Posted by RGB Camera <za...@gmail.com>.
Yes, we set the pointage to 0.01 until whatever is broken gets fixed.

We normally score that rule much higher than the default, and it
normally works well.

But it seems like there is a reset in the URIBL_RHS_DOB database or something.

A lot of domains that are not new domains are now listed.
> On Thu, Mar 24, 2011 at 2:27 PM, Ned Slider <ne...@unixmail.co.uk> wrote:
>> Hi List,
>>
>> Is anyone else seeing abnormally high instances of FP hits against
>> URIBL_RHS_DOB today?
>>
>> Not causing ham to be classified as spam, but I've noticed quite a few hits
>> on ham today that I wouldn't expect.
>>
>> Running the message through SA in debug doesn't tell me the domain that's
>> hit as the message score is less than the spam threshold.
>>
>> For example, it seems to be hitting on nectar.com which whois tells me was
>> registered 09-mar-1995 :-/
>>
>> Seems to have started today from what I can tell.