Posted to users@spamassassin.apache.org by Daniel Quinlan <qu...@pathname.com> on 2005/01/27 01:55:33 UTC
SPEWS still sucks
I thought I'd pass this on to the users list. This is from work I was
doing on bug 4105... a quick mass-check run of SPEWS rules:
It's not even worth finishing the mass-check...
OVERALL%     SPAM%      HAM%    S/O   RANK  SCORE  NAME
   17895      9097      8798  0.508   0.00   0.00  (all messages)
 100.000   50.8354   49.1646  0.508   0.00   0.00  (all messages as %)
  12.422   21.6775    2.8529  0.884   0.00   0.01  T_RCVD_IN_L1SPEWS
  12.814   22.3700    2.9325  0.884   0.00   0.01  T_RCVD_IN_L2SPEWS
Not going to add these, obviously. That's just nuts, even worse than
SPEWS used to be. Top domains among their ham blacklistings:
[in this section of my personal ham corpus]
57 apache.org
96 ActiveState.com
114 debian.org
Also, yahoo.com, sourceforge.net, julianhaight.com (SpamCop!), etc.
--
Daniel Quinlan
http://www.pathname.com/~quinlan/
Re: SPEWS still sucks
Posted by Jeff Chan <je...@surbl.org>.
On Wednesday, January 26, 2005, 5:08:54 PM, Daniel Quinlan wrote:
> Raymond Dijkxhoorn <ra...@prolocation.net> writes:
>> Oh well, lists.surbl.org also. At some point they hopefully
>> understand that list will be completely useless, and indeed insane for
>> people to actually use it. Sadly, people still do.
> Whatever your unstated reasons are, I beg to differ. Weekly mass-check
> results for SURBL:
I think Raymond is referring to the SPEWS list being not too
useful, given its high FP rate.
Jeff C.
--
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/
RE: SPEWS still sucks
Posted by Raymond Dijkxhoorn <ra...@prolocation.net>.
Hi!
>>> Whatever your unstated reasons are, I beg to differ. Weekly
>>> mass-check results for SURBL:
>>
>> Perhaps he means spews lists lists.surbl.org. I can't see anyone
>> having issues with any of the SURBL RBL's.
> I must not have things set up correctly then.
> I get many MANY false positives from the SURBL lists, in the case where the
> server that actually sent me the message records the IP from which they
> received it.
>
> For example, Joe@fubar.isp sends me email. It goes from his PC to the MTA
> of fubar.isp, and from there to my server. Fubar.isp records the PC's IP
> address in the headers, and passes the message; on my server, Spamassassin
> sees that the original IP is listed, and tags it. Never mind that it came
> to me via a reputable server, the original IP is "bad".
Sounds to me you are mixing up things, SURBL is intended to check messages
on content (URLs) and not meant to be used on header checks. Can you
provide examples of what you are doing?
Bye,
Raymond.
RE: SPEWS still sucks
Posted by Don Levey <sp...@the-leveys.us>.
Daryl C. W. O'Shea wrote:
> Don Levey wrote:
>> An informal check does show that the IPs are indeed listed. As many
>> of them should be - there are many people using cable modems and DSL
>> who are listed in dynablocks because they are supposed to be using
>> their ISP's mail server. But in a situation where they do that, if
>> the ISP records the originating IP the message still gets flagged.
>>
>> This is not strictly a list-based problem, either. If a listed IP
>> appears *anywhere* in the header, it seems to still get flagged.
>> But short of forbidding anyone in a dynablock from ever sending
>> email to me, I'm trying to find another answer. Simply not using
>> the lists (SORBS, Spamcop, etc) seems... a bit much to me. -Don
>
> You've got a broken trust path. SpamAssassin, for valid reason, can
> not automatically configure the trust path when the SpamAssassin
> machine is NATed.
>
> Add the appropriate trusted_networks lines to your local.cf. See
> man Mail::SpamAssassin::Conf for more info on trusted_networks.
>
>
> Daryl
Ah, excellent - thanks!
-Don
Re: SPEWS still sucks
Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Don Levey wrote:
> An informal check does show that the IPs are indeed listed. As many of them
> should be - there are many people using cable modems and DSL who are listed
> in dynablocks because they are supposed to be using their ISP's mail server.
> But in a situation where they do that, if the ISP records the originating IP
> the message still gets flagged.
>
> This is not strictly a list-based problem, either. If a listed IP appears
> *anywhere* in the header, it seems to still get flagged. But short of
> forbidding anyone in a dynablock from ever sending email to me, I'm trying
> to find another answer. Simply not using the lists (SORBS, Spamcop, etc)
> seems... a bit much to me.
> -Don
You've got a broken trust path. SpamAssassin, for valid reason, can not
automatically configure the trust path when the SpamAssassin machine is
NATed.
Add the appropriate trusted_networks lines to your local.cf. See man
Mail::SpamAssassin::Conf for more info on trusted_networks.
Daryl
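The trust-path behaviour described in the reply above, as an added example that is not part of the original thread and not SpamAssassin's own code: a simplified model of how the trusted set decides which Received hop counts as the last external relay. The headers, hostnames, addresses and the CORRECT/BROKEN lists are constructed assumptions.

```python
import ipaddress
import re

# Constructed Received headers (newest first) for the path in the thread:
# Joe's PC -> fubar.isp MTA -> our NATed mail server. All addresses are
# documentation/private ranges chosen for this example.
RECEIVED = [
    "from mta.fubar.isp (mta.fubar.isp [198.51.100.25]) by mail.example.net",
    "from joes-pc (dsl-77.fubar.isp [203.0.113.77]) by mta.fubar.isp",
]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def untrusted_relays(received, trusted_networks):
    """Connecting IPs from the first untrusted hop onward, newest first.

    Trust is a chain: once one hop is untrusted, every older header could
    have been forged by it, so nothing behind it is trusted either.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    ips = [ipaddress.ip_address(m.group(1))
           for m in map(IP_RE.search, received) if m]
    for i, ip in enumerate(ips):
        if not any(ip in net for net in nets):
            return [str(x) for x in ips[i:]]
    return []


def last_external(received, trusted_networks):
    """The hop that handed the mail to our trusted side, or None."""
    relays = untrusted_relays(received, trusted_networks)
    return relays[0] if relays else None


# Intended boundary, e.g. "trusted_networks 10.0.0.0/8" in local.cf:
# only our own hosts are trusted.
CORRECT = ["10.0.0.0/8"]
# Model of the broken path: the ISP's MTA has ended up inside the trusted set.
BROKEN = ["10.0.0.0/8", "198.51.100.25/32"]

if __name__ == "__main__":
    print("correct:", last_external(RECEIVED, CORRECT))  # ISP's MTA
    print("broken: ", last_external(RECEIVED, BROKEN))   # Joe's dynamic IP
```

With the boundary one hop too far out, a rule limited to the last external relay ends up looking up the sender's dynamic address instead of the ISP's mail server.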
RE: SPEWS still sucks
Posted by Don Levey <sp...@the-leveys.us>.
martin smith wrote:
>> -----Original Message-----
>> Don Levey wrote:
>
>>
>> It was pointed out to me that SURBL lists only check URLs - I
>> apologise for that. I *am* getting the problem described
>> above with hits on Spamcop and SORBS. Additionally,
>> apparently even the mere text mention of a .biz address
>> triggers that flag - even though it talks about a URL. For
>> example, on one mailing list there is a poster who posts from
>> a .biz address. Any thread to which he posts is automatically
>> contaminated, because his address is included in the text of
>> the message - even though these are NOT URLs.
>>
>
> Just a thought but have you manually checked these URLs against the
> SURBL list, there have been cases reported of false positives by
> spamassassin, when in fact the SURBL doesn't have them listed.
> I think a bugzilla was opened on this.
>
> Martin
An informal check does show that the IPs are indeed listed. As many of them
should be - there are many people using cable modems and DSL who are listed
in dynablocks because they are supposed to be using their ISP's mail server.
But in a situation where they do that, if the ISP records the originating IP
the message still gets flagged.
This is not strictly a list-based problem, either. If a listed IP appears
*anywhere* in the header, it seems to still get flagged. But short of
forbidding anyone in a dynablock from ever sending email to me, I'm trying
to find another answer. Simply not using the lists (SORBS, Spamcop, etc)
seems... a bit much to me.
-Don
RE: SPEWS still sucks
Posted by martin smith <ma...@ntlworld.com>.
|-----Original Message-----
|Don Levey wrote:
|
|It was pointed out to me that SURBL lists only check URLs - I
|apologise for that. I *am* getting the problem described
|above with hits on Spamcop and SORBS. Additionally,
|apparently even the mere text mention of a .biz address
|triggers that flag - even though it talks about a URL. For
|example, on one mailing list there is a poster who posts from
|a .biz address. Any thread to which he posts is automatically
|contaminated, because his address is included in the text of
|the message - even though these are NOT URLs.
|
Just a thought but have you manually checked these URLs against the SURBL
list, there have been cases reported of false positives by spamassassin,
when in fact the SURBL doesn't have them listed.
I think a bugzilla was opened on this.
Martin
RE: SPEWS still sucks
Posted by Don Levey <sp...@the-leveys.us>.
Don Levey wrote:
> Rick Macdougall wrote:
>> Daniel Quinlan wrote:
>>> Raymond Dijkxhoorn <ra...@prolocation.net> writes:
>>>
>>>
>>>> Oh well, lists.surbl.org also. At some point they hopefully
>>>> understand that list will be completely useless, and indeed insane for
>>>> people to actually use it. Sadly, people still do.
>>>
>>>
>>> Whatever your unstated reasons are, I beg to differ. Weekly
>>> mass-check results for SURBL:
>>
>> Perhaps he means spews lists lists.surbl.org. I can't see anyone
>> having issues with any of the SURBL RBL's.
>>
> I must not have things set up correctly then.
> I get many MANY false positives from the SURBL lists, in the case
> where the server that actually sent me the message records the IP
> from which they received it.
>
> For example, Joe@fubar.isp sends me email. It goes from his PC to
> the MTA of fubar.isp, and from there to my server. Fubar.isp records
> the PC's IP address in the headers, and passes the message; on my
> server, Spamassassin sees that the original IP is listed, and tags
> it. Never mind that it came to me via a reputable server, the
> original IP is "bad".
>
> How, then, do I fix this so that the lists are more useful: so that
> they check the most recent hop, and not (necessarily) all hops in the
> chain? -Don
It was pointed out to me that SURBL lists only check URLs - I apologise for
that. I *am* getting the problem described above with hits on Spamcop and
SORBS. Additionally, apparently even the mere text mention of a .biz
address triggers that flag - even though it talks about a URL. For example,
on one mailing list there is a poster who posts from a .biz address. Any
thread to which he posts is automatically contaminated, because his address
is included in the text of the message - even though these are NOT URLs.
-Don
RE: SPEWS still sucks
Posted by Don Levey <sp...@the-leveys.us>.
Rick Macdougall wrote:
> Daniel Quinlan wrote:
>> Raymond Dijkxhoorn <ra...@prolocation.net> writes:
>>
>>
>>> Oh well, lists.surbl.org also. At some point they hopefully
>>> understand that list will be completely useless, and indeed insane for
>>> people to actually use it. Sadly, people still do.
>>
>>
>> Whatever your unstated reasons are, I beg to differ. Weekly
>> mass-check results for SURBL:
>
> Perhaps he means spews lists lists.surbl.org. I can't see anyone
> having issues with any of the SURBL RBL's.
>
I must not have things set up correctly then.
I get many MANY false positives from the SURBL lists, in the case where the
server that actually sent me the message records the IP from which they
received it.
For example, Joe@fubar.isp sends me email. It goes from his PC to the MTA
of fubar.isp, and from there to my server. Fubar.isp records the PC's IP
address in the headers, and passes the message; on my server, Spamassassin
sees that the original IP is listed, and tags it. Never mind that it came
to me via a reputable server, the original IP is "bad".
How, then, do I fix this so that the lists are more useful: so that they
check the most recent hop, and not (necessarily) all hops in the chain?
-Don
Re: SPEWS still sucks
Posted by Rick Macdougall <ri...@nougen.com>.
Daniel Quinlan wrote:
> Raymond Dijkxhoorn <ra...@prolocation.net> writes:
>
>
>>Oh well, lists.surbl.org also. At some point they hopefully
>>understand that list will be completely useless, and indeed insane for
>>people to actually use it. Sadly, people still do.
>
>
> Whatever your unstated reasons are, I beg to differ. Weekly mass-check
> results for SURBL:
Perhaps he means spews lists lists.surbl.org. I can't see anyone having
issues with any of the SURBL RBL's.
Regards,
Rick
Re: SPEWS still sucks
Posted by Daniel Quinlan <qu...@pathname.com>.
Raymond Dijkxhoorn <ra...@prolocation.net> writes:
> Oh well, lists.surbl.org also. At some point they hopefully
> understand that list will be completely useless, and indeed insane for
> people to actually use it. Sadly, people still do.
Whatever your unstated reasons are, I beg to differ. Weekly mass-check
results for SURBL:
OVERALL%     SPAM%      HAM%    S/O   RANK  SCORE  NAME
  217996    164295     53701  0.754   0.00   0.00  (all messages)
 100.000   75.3661   24.6339  0.754   0.00   0.00  (all messages as %)
  11.644   15.4490    0.0037  1.000   0.98   3.90  URIBL_SC_SURBL
  39.572   52.4976    0.0261  1.000   0.98   3.00  URIBL_JP_SURBL
  51.955   68.9236    0.0391  0.999   0.96   2.00  URIBL_OB_SURBL
   5.690    7.5492    0.0000  1.000   0.95   2.01  URIBL_AB_SURBL
  53.948   71.5238    0.1769  0.998   0.83   0.54  URIBL_WS_SURBL
   0.030    0.0396    0.0000  1.000   0.51   0.84  URIBL_PH_SURBL
Real-time hit rates for SC and OB are much better.
--
Daniel Quinlan
http://www.pathname.com/~quinlan/
Re: SPEWS still sucks
Posted by Raymond Dijkxhoorn <ra...@prolocation.net>.
Hi!
> Not going to add these, obviously. That's just nuts, even worse than
> SPEWS used to be. Top domains among their ham blacklistings:
> [in this section of my personal ham corpus]
>
> 57 apache.org
> 96 ActiveState.com
> 114 debian.org
>
> Also, yahoo.com, sourceforge.net, julianhaight.com (SpamCop!), etc.
Oh well, lists.surbl.org also. At some point they hopefully understand
that list will be completely useless, and indeed insane for people to
actually use it. Sadly, people still do.
Bye,
Raymond.
Re: SPEWS still sucks
Posted by Matt Kettler <mk...@comcast.net>.
At 07:55 PM 1/26/2005, Daniel Quinlan wrote:
>I thought I'd pass this on to the users list. This is from work I was
>doing on bug 4105... a quick mass-check run of SPEWS rules:
>
> It's not even worth finishing the mass-check...
>
> OVERALL%     SPAM%      HAM%    S/O   RANK  SCORE  NAME
>    17895      9097      8798  0.508   0.00   0.00  (all messages)
>  100.000   50.8354   49.1646  0.508   0.00   0.00  (all messages as %)
>   12.422   21.6775    2.8529  0.884   0.00   0.01  T_RCVD_IN_L1SPEWS
>   12.814   22.3700    2.9325  0.884   0.00   0.01  T_RCVD_IN_L2SPEWS
>
> Not going to add these, obviously.
Agreed, spews is pretty much useless as a spam criteria if you have any
interest in accuracy. It's pretty much one step short of just unplugging
your mailserver (hey guys, there's an idea that blocks 100% of spam with no
false negatives! :) )
That said I do actually use spews L1 as a +0.01 rule in my spamassassin
config. To me it's really more of an informational flag that one of the
ISPs involved is spam friendly, so don't waste any excess time trying to
file abuse reports by hand and just issue a standard spamcop report and trash
the email because nobody will ever follow up on it.
Beyond the strictly informational "hosted by an ISP that is in some way
spammer or spamvertizer friendly", I don't see much point in spews.