Posted to users@spamassassin.apache.org by RobertH <ro...@abbacomm.net> on 2009/04/04 17:31:49 UTC
simple script idea for checking reputation disagreement
greetings...
i am working at re-learning and applying SA fine tuning.
in doing so, i have come across some real life SA scoring anomalies.
it is interesting because one public reputation service rule offering says to
score "positive", i.e. spammy, spam, or blacklist, and another public
reputation service says the opposite, i.e. negative score aka ham, hammy, or
whitelist.
eyebrow raising to say the least... ;-)
has anyone developed a basic script they can share that goes through and
checks rule scoring logs email by email and looks for when specific types of
rules (whitelist / blacklist or other reputation rules) should be in
agreement, yet oppose each other?
i realize that it is time sensitive on some types of rules yet this is
reputation based on actual domain name and ip address
- rh
Re: simple script idea for checking reputation disagreement
Posted by Neil Schwartzman <ne...@returnpath.net>.
On 04/04/09 12:00 PM, "Michael Scheidell" <sc...@secnap.net> wrote:
> one company has a list of 'COI' (supposed to be confirmed opt in). they have
> begun a process (see the wiki) of canceling clients who claimed COI but
> obviously didn't.
> that 'reputation' score has more to do with contract ($$) than actual real
> time data.
Can you give me more of a hint than "see the wiki", like a URL? If that is
us (Safelist, née Habeas Safelist) I'd sure like to know how anyone has an
impression of $$ = rep score. I could disprove that easily and empirically.
There are plenty of people who pay us a whole lotta money with lousy rep.
scores. Ergo them paying us a whole lotta money, so we can tell them which
of their lousy practices to fix. And no, we don't put a downtick on the rep
score to drive business either. Don't need to. There's enough senders in the
world who actually do need help, we don't need to create business.
Thanks.
--
Neil Schwartzman
Director, Accreditation Security & Standards
Certified | Safelist
Return Path Inc.
0142002038
Re: simple script idea for checking reputation disagreement
Posted by Michael Scheidell <sc...@secnap.net>.
which ones? remember, DCC is 'bulk', not spam.
someone could have a BAD DCC reputation (using the commercial reputation
filter) as 99% 'bulk', even if it was 100%, double confirmed, bonded opt in.
some others judge reputation based on customer contracts (they get paid
for it). sometimes legitimate, as long as the reputation company
cancels paying clients who violated the TOS.
examples:
one company has a list of 'COI' (supposed to be confirmed opt in). they
have begun a process (see the wiki) of canceling clients who claimed COI
but obviously didn't.
that 'reputation' score has more to do with contract ($$) than actual
real time data.
if company2 sees lots of 'spam' from someone on the COI list, and can't
tell (or doesn't know) if this is really COI or just a burp, they might
judge it differently.
This is why there are several (We use four different reputation filters)
working in concert to bounce, block or quarantine emails.
--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation
* Certified SNORT Integrator
* 2009 Hot Company Award Finalist, World Executive Alliance
* Five-Star Partner Program 2009, VARBusiness
* Best Anti-Spam Product 2008, Network Products Guide
* King of Spam Filters, SC Magazine 2008
RE: simple script idea for checking reputation disagreement
Posted by RobertH <ro...@abbacomm.net>.
>
> Maybe they don't have the $25 or something
>
>
> ;-)
>
> --
> Neil Schwartzman
...would hope they have some money...
i found out about a nice family on the cabletv list and i was checking out
this guy and his wife that (if i recall correctly) were cable company people
making good money.
when business things started changing, they started
http://www.joyofbaking.com and are doing even better all the way around.
so, you would think a website like that one should make a lil bit of $ eh?
- rh
Re: simple script idea for checking reputation disagreement
Posted by mouss <mo...@ml.netoyen.net>.
Neil Schwartzman wrote:
>
>
> On 06/04/09 10:53 AM, "Matus UHLAR - fantomas" <uh...@fantomas.sk> wrote:
>
>> On 04.04.09 16:30, Neil Schwartzman wrote:
>>> On 04/04/09 4:22 PM, "RobertH" <ro...@abbacomm.net> wrote:
>>>
>>>> 0.2 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP
>>>> address
>>>> [209.92.22.130 listed in dnsbl.sorbs.net]
>>> That would be incorrect. The IP is static, not dynamic.
>> It apparently was dynamic in 2005 when it got listed. seems nobody asked
>> for delist yet.
>
> Maybe they don't have the $25 or something
>
come on Neil. delisting from sorbs duhl is free. and no, I am not
affiliated with sorbs.
Re: simple script idea for checking reputation disagreement
Posted by Neil Schwartzman <ne...@returnpath.net>.
On 06/04/09 10:53 AM, "Matus UHLAR - fantomas" <uh...@fantomas.sk> wrote:
> On 04.04.09 16:30, Neil Schwartzman wrote:
>> On 04/04/09 4:22 PM, "RobertH" <ro...@abbacomm.net> wrote:
>>
>>> 0.2 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP
>>> address
>>> [209.92.22.130 listed in dnsbl.sorbs.net]
>>
>> That would be incorrect. The IP is static, not dynamic.
>
> It apparently was dynamic in 2005 when it got listed. seems nobody asked
> for delist yet.
Maybe they don't have the $25 or something
;-)
--
Neil Schwartzman
Director, Accreditation Security & Standards
Certified | Safelist
Return Path Inc.
0142002038
Re: simple script idea for checking reputation disagreement
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 04.04.09 16:30, Neil Schwartzman wrote:
> On 04/04/09 4:22 PM, "RobertH" <ro...@abbacomm.net> wrote:
>
> > 0.2 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP
> > address
> > [209.92.22.130 listed in dnsbl.sorbs.net]
>
> That would be incorrect. The IP is static, not dynamic.
It apparently was dynamic in 2005 when it got listed. seems nobody asked
for delist yet.
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
Linux IS user friendly, it's just selective who its friends are...
Re: simple script idea for checking reputation disagreement
Posted by mouss <mo...@ml.netoyen.net>.
Neil Schwartzman wrote:
> On 05/04/09 7:28 AM, "mouss" <mo...@ml.netoyen.net> wrote:
>
>>> personally, i say spam
>
>> metoo. take a look at their web sites:
>> http://www.rodale.com
>> http://www.prevention.com
>> http://www.menshealth.com
>> http://www.biggestloserclub.com
>> lose what?
>>
>> (on the other hand, runningtimes.com and runnersworld.com may be "legit").
>
> Consent, not content (well, mostly), mouss. As unlikely as it sounds to you
> and me, people *do* sign up for this stuff.
>
true. I should have made it clear that it was only a kind of "it looks
spammish to me, in absence of evidence".
> Anyway, quite offtopic to this discussion group.
agreed.
Re: simple script idea for checking reputation disagreement
Posted by Neil Schwartzman <ne...@returnpath.net>.
On 05/04/09 7:28 AM, "mouss" <mo...@ml.netoyen.net> wrote:
>> personally, i say spam
> metoo. take a look at their web sites:
> http://www.rodale.com
> http://www.prevention.com
> http://www.menshealth.com
> http://www.biggestloserclub.com
> lose what?
>
> (on the other hand, runningtimes.com and runnersworld.com may be "legit").
Consent, not content (well, mostly), mouss. As unlikely as it sounds to you
and me, people *do* sign up for this stuff.
Anyway, quite offtopic to this discussion group.
--
Neil Schwartzman
Director, Accreditation Security & Standards
Certified | Safelist
Return Path Inc.
0142002038
Re: simple script idea for checking reputation disagreement
Posted by mouss <mo...@ml.netoyen.net>.
RobertH wrote:
>
>
>>> 0.2 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from
>> dynamic IP
>>> address
>>> [209.92.22.130 listed in
>> dnsbl.sorbs.net]
>>
>> That would be incorrect. The IP is static, not dynamic.
>>
>> whois://209.92.22.130@whois.arin.net
>> PaeTec Communications, Inc. PAETECCOMM (NET-209-92-0-0-1)
>> 209.92.0.0 - 209.92.255.255
>> Rodale Inc. RODALE-430488 (NET-209-92-22-0-1)
>> 209.92.22.0 - 209.92.23.255
>>
>> # ARIN WHOIS database, last updated 2009-04-03 19:10
>> --
>> Neil Schwartzman
>
> neil,
>
> you can forget the sorbs stuff. in the last coupla days i unzero'd the sorbs
> scores just to check the behavior.
>
> as i noted in the last post, it was about the difference between
> JMF_Whitelist and RCVD in Barracuda
>
> barracuda says spam, jmf whitelist is obvious.
>
> personally, i say spam
>
metoo. take a look at their web sites:
http://www.rodale.com
http://www.prevention.com
http://www.menshealth.com
http://www.biggestloserclub.com
lose what?
(on the other hand, runningtimes.com and runnersworld.com may be "legit").
also look at
http://www.senderbase.org/senderbase_queries/detailip?search_string=209.92.22.0
Re: simple script idea for checking reputation disagreement
Posted by Marc Perkel <ma...@perkel.com>.
John Hardin wrote:
> On Mon, 6 Apr 2009, Marc Perkel wrote:
>
>>> as i noted in the last post, it was about the difference between
>>> JMF_Whitelist and RCVD in Barracuda
>>>
>>> barracuda says spam, jmf whitelist is obvious.
>>
>> I agree. In fact I removed that host from my white list. I am very
>> interested in the idea of someone cross checking lists to see if my
>> JEF list disagrees with other lists because as a list owner I know
>> that my list has room for improvement. I would welcome anyone who can
>> send me an automated feed of suspected errors.
>
> ...why should you rely on someone else to do that for you? You have
> the list, can't you proactively run the IPs in it against
> JMF/Barracuda/etc. to detect disagreements?
>
I do. But sometimes something happens after I whitelist an IP that
causes it to go black or mixed. And if I don't get spammed it doesn't
come to my attention that something has changed. So another perspective helps.
We don't all get the same spam. And I've seen a number of false
positives on Barracuda so a disagreement doesn't indicate who is right.
Sometimes I can even look at the message and I still can't tell.
Re: simple script idea for checking reputation disagreement
Posted by John Hardin <jh...@impsec.org>.
On Mon, 6 Apr 2009, Marc Perkel wrote:
>> as i noted in the last post, it was about the difference between
>> JMF_Whitelist and RCVD in Barracuda
>>
>> barracuda says spam, jmf whitelist is obvious.
>
> I agree. In fact I removed that host from my white list. I am very
> interested in the idea of someone cross checking lists to see if my JEF
> list disagrees with other lists because as a list owner I know that my
> list has room for improvement. I would welcome anyone who can send me an
> automated feed of suspected errors.
...why should you rely on someone else to do that for you? You have the
list, can't you proactively run the IPs in it against JMF/Barracuda/etc.
to detect disagreements?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
News flash: Lowest Common Denominator down 50 points
-----------------------------------------------------------------------
7 days until Thomas Jefferson's 266th Birthday
Re: simple script idea for checking reputation disagreement
Posted by Marc Perkel <ma...@perkel.com>.
RobertH wrote:
>
>
>
>>> 0.2 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from
>>>
>> dynamic IP
>>
>>> address
>>> [209.92.22.130 listed in
>>>
>> dnsbl.sorbs.net]
>>
>> That would be incorrect. The IP is static, not dynamic.
>>
>> whois://209.92.22.130@whois.arin.net
>> PaeTec Communications, Inc. PAETECCOMM (NET-209-92-0-0-1)
>> 209.92.0.0 - 209.92.255.255
>> Rodale Inc. RODALE-430488 (NET-209-92-22-0-1)
>> 209.92.22.0 - 209.92.23.255
>>
>> # ARIN WHOIS database, last updated 2009-04-03 19:10
>> --
>> Neil Schwartzman
>>
>
> neil,
>
> you can forget the sorbs stuff. in the last coupla days i unzero'd the sorbs
> scores just to check the behavior.
>
> as i noted in the last post, it was about the difference between
> JMF_Whitelist and RCVD in Barracuda
>
> barracuda says spam, jmf whitelist is obvious.
>
> personally, i say spam
>
> - rh
>
>
>
I agree. In fact I removed that host from my white list. I am very
interested in the idea of someone cross checking lists to see if my JEF
list disagrees with other lists because as a list owner I know that my
list has room for improvement. I would welcome anyone who can send me an
automated feed of suspected errors.
RE: simple script idea for checking reputation disagreement
Posted by RobertH <ro...@abbacomm.net>.
>
> > 0.2 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from
> dynamic IP
> > address
> > [209.92.22.130 listed in
> dnsbl.sorbs.net]
>
> That would be incorrect. The IP is static, not dynamic.
>
> whois://209.92.22.130@whois.arin.net
> PaeTec Communications, Inc. PAETECCOMM (NET-209-92-0-0-1)
> 209.92.0.0 - 209.92.255.255
> Rodale Inc. RODALE-430488 (NET-209-92-22-0-1)
> 209.92.22.0 - 209.92.23.255
>
> # ARIN WHOIS database, last updated 2009-04-03 19:10
> --
> Neil Schwartzman
neil,
you can forget the sorbs stuff. in the last coupla days i unzero'd the sorbs
scores just to check the behavior.
as i noted in the last post, it was about the difference between
JMF_Whitelist and RCVD in Barracuda
barracuda says spam, jmf whitelist is obvious.
personally, i say spam
- rh
Re: simple script idea for checking reputation disagreement
Posted by Duane Hill <d....@yournetplus.com>.
Actually, disregard. I see what you are stating.
On Sat, 4 Apr 2009, Duane Hill wrote:
> On Sat, 4 Apr 2009, Neil Schwartzman wrote:
>
>> On 04/04/09 4:22 PM, "RobertH" <ro...@abbacomm.net> wrote:
>>
>>> 0.2 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP
>>> address
>>> [209.92.22.130 listed in dnsbl.sorbs.net]
>>
>> That would be incorrect. The IP is static, not dynamic.
>>
>> whois://209.92.22.130@whois.arin.net
>> PaeTec Communications, Inc. PAETECCOMM (NET-209-92-0-0-1)
>> 209.92.0.0 - 209.92.255.255
>> Rodale Inc. RODALE-430488 (NET-209-92-22-0-1)
>> 209.92.22.0 - 209.92.23.255
>
> Can you point out how that shows it isn't dynamic? In fact, it does not look
> dynamic:
>
> %host 209.92.22.130
> 130.22.92.209.in-addr.arpa domain name pointer mta1.rodalenews.com.
>
> Perhaps maybe at one time it was.
Re: simple script idea for checking reputation disagreement
Posted by Duane Hill <d....@yournetplus.com>.
On Sat, 4 Apr 2009, Neil Schwartzman wrote:
> On 04/04/09 4:22 PM, "RobertH" <ro...@abbacomm.net> wrote:
>
>> 0.2 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP
>> address
>> [209.92.22.130 listed in dnsbl.sorbs.net]
>
> That would be incorrect. The IP is static, not dynamic.
>
> whois://209.92.22.130@whois.arin.net
> PaeTec Communications, Inc. PAETECCOMM (NET-209-92-0-0-1)
> 209.92.0.0 - 209.92.255.255
> Rodale Inc. RODALE-430488 (NET-209-92-22-0-1)
> 209.92.22.0 - 209.92.23.255
Can you point out how that shows it isn't dynamic? In fact, it
does not look dynamic:
%host 209.92.22.130
130.22.92.209.in-addr.arpa domain name pointer mta1.rodalenews.com.
Perhaps maybe at one time it was.
Re: simple script idea for checking reputation disagreement
Posted by Neil Schwartzman <ne...@returnpath.net>.
On 04/04/09 4:22 PM, "RobertH" <ro...@abbacomm.net> wrote:
> 0.2 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP
> address
> [209.92.22.130 listed in dnsbl.sorbs.net]
That would be incorrect. The IP is static, not dynamic.
whois://209.92.22.130@whois.arin.net
PaeTec Communications, Inc. PAETECCOMM (NET-209-92-0-0-1)
209.92.0.0 - 209.92.255.255
Rodale Inc. RODALE-430488 (NET-209-92-22-0-1)
209.92.22.0 - 209.92.23.255
# ARIN WHOIS database, last updated 2009-04-03 19:10
--
Neil Schwartzman
Director, Accreditation Security & Standards
Certified | Safelist
Return Path Inc.
0142002038
RE: simple script idea for checking reputation disagreement
Posted by RobertH <ro...@abbacomm.net>.
michael,
i had to reply to this one as i was having a hard time replying to your
email and bottom posting.
here was the scoring on that particular email.
although it isn't really a strict "reputation" issue, i found it interesting
that JMF had it whitelisted and Barracuda tells it more like it is...
i cant imagine perkel's people want that junk, yet he is a big boy and can
make his own decisions...
maybe it is a boo boo...
anyways...
-1.0 RCVD_IN_JMF_W RBL: Sender listed in JMF-WHITE
[209.92.22.130 listed in
hostkarma.junkemailfilter.com]
1.5 RCVD_IN_BRBL RBL: Received via relay listed in Barracuda RBL
[209.92.22.130 listed in
b.barracudacentral.org]
0.2 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP
address
[209.92.22.130 listed in dnsbl.sorbs.net]
2.1 FS_WEIGHT_LOSS Subject says Weight Loss
0.1 DIET_1 BODY: Lose Weight Spam
0.2 HTML_IMAGE_RATIO_04 BODY: HTML has a low ratio of text to image
area
0.0 HTML_MESSAGE BODY: HTML included in message
0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
[score: 0.5000]
1.5 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
1.5 SAGREY Adds 1.0 to spam from first-time senders
- rh
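The original question at the top of this thread asks for a script that walks SpamAssassin's per-message rule listings and flags messages where whitelist-type and blacklist-type reputation rules fire against each other; the score listing just above (JMF white versus Barracuda and SORBS black for the same IP) is exactly such a case. Below is an added example of that check, not code posted by anyone in the thread. It parses the listing format shown above, folds the wrapped "[ip listed in zone]" lines back onto their rule, and reports any IP that appears in both a whitelist and a blacklist hit. Which rule counts as whitelist or blacklist is an assumption encoded in two sets at the top; the second sample report (with the documentation address 192.0.2.10) is constructed so there is a message that must not be flagged.

```python
"""Cross-check DNSBL reputation rule hits in SpamAssassin reports.

Added example (not from the thread): parse the per-rule listing SA prints
for a message, classify reputation rules as whitelist or blacklist, and
report messages where both kinds fired for the same IP.
"""
import re
from collections import defaultdict

# Reputation rules named in this thread, classified by polarity. Which rule
# sits in which set is an assumption for this example; extend both sets
# with whatever RCVD_IN_* rules your own configuration scores.
WHITELIST_RULES = {"RCVD_IN_JMF_W"}
BLACKLIST_RULES = {"RCVD_IN_BRBL", "RCVD_IN_SORBS_DUL"}

# A rule line: " 1.5 RCVD_IN_BRBL RBL: Received via relay listed in ..."
RULE_LINE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]+)\s+(.*)$")
# The DNSBL detail: "[209.92.22.130 listed in b.barracudacentral.org]"
LISTED_IN = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3}) listed in\s+([\w.-]+)\]")

# Score listing from RobertH's post in this thread, verbatim.
THREAD_REPORT = """\
-1.0 RCVD_IN_JMF_W RBL: Sender listed in JMF-WHITE
                        [209.92.22.130 listed in
                        hostkarma.junkemailfilter.com]
 1.5 RCVD_IN_BRBL RBL: Received via relay listed in Barracuda RBL
                        [209.92.22.130 listed in
                        b.barracudacentral.org]
 0.2 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP
                        address
                        [209.92.22.130 listed in dnsbl.sorbs.net]
 2.1 FS_WEIGHT_LOSS Subject says Weight Loss
 0.1 DIET_1 BODY: Lose Weight Spam
 0.2 HTML_IMAGE_RATIO_04 BODY: HTML has a low ratio of text to image
                        area
 0.0 HTML_MESSAGE BODY: HTML included in message
 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
                        [score: 0.5000]
 1.5 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
 1.5 SAGREY Adds 1.0 to spam from first-time senders
"""

# Constructed second message (192.0.2.10 is a documentation address) whose
# reputation hits agree, so it must not be flagged.
CONSISTENT_REPORT = """\
-1.0 RCVD_IN_JMF_W RBL: Sender listed in JMF-WHITE
                        [192.0.2.10 listed in hostkarma.junkemailfilter.com]
 0.0 HTML_MESSAGE BODY: HTML included in message
"""


def parse_report(text):
    """Return one dict per rule hit: score, rule, detail, ip, zone.

    Lines that do not start a new rule (wrapped descriptions, the bracketed
    DNSBL detail) are folded onto the preceding hit before the IP and zone
    are extracted, so line wrapping never hides a listing.
    """
    hits = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = RULE_LINE.match(raw)
        if m:
            hits.append({"score": float(m.group(1)), "rule": m.group(2),
                         "detail": m.group(3).strip()})
        elif hits:
            hits[-1]["detail"] += " " + raw.strip()
    for hit in hits:
        lm = LISTED_IN.search(hit["detail"])
        hit["ip"] = lm.group(1) if lm else None
        hit["zone"] = lm.group(2) if lm else None
    return hits


def find_disagreements(hits):
    """Group DNSBL hits by listed IP; return IPs where both polarities fired.

    Polarity comes from the rule sets above; for an unknown DNSBL rule the
    sign of its assigned score is used as a fallback.
    """
    white, black = defaultdict(set), defaultdict(set)
    for hit in hits:
        if hit["ip"] is None:
            continue  # not a DNSBL-style hit, nothing to cross-check
        rule, score = hit["rule"], hit["score"]
        if rule in WHITELIST_RULES or (rule not in BLACKLIST_RULES and score < 0):
            white[hit["ip"]].add(rule)
        elif rule in BLACKLIST_RULES or score > 0:
            black[hit["ip"]].add(rule)
    return [{"ip": ip, "whitelist": sorted(white[ip]), "blacklist": sorted(black[ip])}
            for ip in sorted(white) if ip in black]


def scan_reports(reports):
    """reports: iterable of (message_id, report_text) pairs, one per message
    pulled from the mail log. Returns only the messages that were flagged."""
    flagged = {}
    for msg_id, text in reports:
        found = find_disagreements(parse_report(text))
        if found:
            flagged[msg_id] = found
    return flagged


if __name__ == "__main__":
    sample = [("msg-1", THREAD_REPORT), ("msg-2", CONSISTENT_REPORT)]
    for msg_id, entries in scan_reports(sample).items():
        for e in entries:
            print(f"{msg_id}: {e['ip']} whitelisted by {e['whitelist']}, "
                  f"blacklisted by {e['blacklist']}")
```

Run against a day's worth of reports (one `(message_id, text)` pair per message) and the output is the feed of "suspected errors" Marc asks for later in the thread; a disagreement only says the lists differ, not which one is right, so the flagged IPs still need a human or a second data point before anything is changed.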
Re: simple script idea for checking reputation disagreement
Posted by Marc Perkel <ma...@perkel.com>.
Neil Schwartzman wrote:
>
> On 04/04/09 11:31 AM, "RobertH" <ro...@abbacomm.net> wrote:
>
>
>> greetings...
>>
>> i am working at re-learning and applying SA fine tuning.
>>
>> in doing so, i have come across some real life SA scoring anomalies.
>>
>> it is interesting because one public reputation service rule offering says to
>> score "positive", i.e. spammy, spam, or blacklist, and another public
>> reputation service says the opposite, i.e. negative score aka ham, hammy, or
>> whitelist.
>>
>> eyebrow raising to say the least... ;-)
>>
Yes - That's why I developed the concept of "yellow lists" in my
reputation service for hostkarma.junkemailfilter.com. One of the reasons
this is eyebrow raising is perspective. Consider 2 spam filtering
operations, one is in the USA with mostly USA customers. The other is in
France with mostly French customers. The one in the USA would see the
hosts *.orange.fr or *.yahoo.fr as primarily spam and might blacklist
it. However the French company would see mostly ham from these two sources.
But the reality is in between. These sites are a mixed source of
spam/ham and the IP address contains no information as to if it is spam
or not. My attempt in yellow listing is to create a list of sources that
should not be in an IP reputation list so as to avoid false black
listing and false white listing. Thus the name yellow list (as gray was
taken).
Re: simple script idea for checking reputation disagreement
Posted by Neil Schwartzman <ne...@returnpath.net>.
On 04/04/09 11:31 AM, "RobertH" <ro...@abbacomm.net> wrote:
>
> greetings...
>
> i am working at re-learning and applying SA fine tuning.
>
> in doing so, i have come across some real life SA scoring anomalies.
>
> it is interesting because one public reputation service rule offering says to
> score "positive", i.e. spammy, spam, or blacklist, and another public
> reputation service says the opposite, i.e. negative score aka ham, hammy, or
> whitelist.
>
> eyebrow raising to say the least... ;-)
Well, we (they) all have different views of the reality out there.
I just ran a bunch of checks on some client IPs, they all were poor-to-good
on our system (never above 75, but our site did indicate a very high risk
factor for the one IP I saw score a 75 ... Gotta talk to our developers
about that), but there were certainly variances from us to
SenderBase and Borderware's offerings. All depends on who sees what, when.
IMO, the reputation should have all been poor across the board, BTW.
> has anyone developed a basic script they can share that goes through and
> checks rule scoring logs email by email and looks for when specific types of
> rules (whitelist / blacklist or other reputation rules) should be in
> agreement, yet oppose each other?
>
> i realize that it is time sensitive on some types of rules yet this is
> reputation based on actual domain name and ip address
Yes please. I'd love to see something like that.
--
Neil Schwartzman
Director, Accreditation Security & Standards
Certified | Safelist
Return Path Inc.
0142002038