Posted to users@spamassassin.apache.org by "Dan Mahoney, System Admin" <da...@prime.gushi.org> on 2007/10/17 00:16:49 UTC

RCVD_IN_DNSWL_LOW

dnswl.org is either full of it, or not well maintained.

I've gotten at least 20 spams which I see are listed in dnswl.org as "low 
trust" (which still merits -1.0).

Could we maybe please add a feature to spamassassin -r (or some other hook 
to the generic whitelisting code) which reports this to the appropriate 
whitelist owner?

-Dan Mahoney

--

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------


Re: [sa-list] Re: RCVD_IN_DNSWL_LOW

Posted by Henrik Krohns <he...@hege.li>.
On Wed, Oct 17, 2007 at 09:55:02AM +0300, Henrik Krohns wrote:
> On Wed, Oct 17, 2007 at 02:48:49AM -0400, Dan Mahoney, System Admin wrote:
> > On Wed, 17 Oct 2007, Henrik Krohns wrote:
> >
> >> On Tue, Oct 16, 2007 at 06:16:49PM -0400, Dan Mahoney, System Admin wrote:
> >>> dnswl.org is either full of it, or not well maintained.
> >>>
> >>> I've gotten at least 20 spams which I see are listed in dnswl.org as "low
> >>> trust" (which still merits -1.0).
> >>
> >> Umm, did you actually read their pages?
> >>
> >> Low	Occasional spam occurrences, actively corrected but less promptly.
> >
> > My point was more along the lines of the fact that there's no method (other 
> > than manual notification) of doing "Active Correction".
> 
> Sure, I just felt like being rude also. ;) You say "at least 20 spam", but
> since it depends on what your total traffic is, it doesn't mean much.
> 
> Of course I have no problem if someone should improve the reporting.

Just FYI, some of my stats..

  HAM SPAMMY SPAM
  141     0     0  RCVD_IN_DNSWL_HI
 1889     4     2  RCVD_IN_DNSWL_MED
 3355    37    20  RCVD_IN_DNSWL_LOW

To me it seems pretty well maintained.


Re: [sa-list] Re: [sa-list] Re: RCVD_IN_DNSWL_LOW

Posted by "Dan Mahoney, System Admin" <da...@prime.gushi.org>.
On Wed, 17 Oct 2007, Henrik Krohns wrote:

> On Wed, Oct 17, 2007 at 02:48:49AM -0400, Dan Mahoney, System Admin wrote:
>> On Wed, 17 Oct 2007, Henrik Krohns wrote:
>>
>>> On Tue, Oct 16, 2007 at 06:16:49PM -0400, Dan Mahoney, System Admin wrote:
>>>> dnswl.org is either full of it, or not well maintained.
>>>>
>>>> I've gotten at least 20 spams which I see are listed in dnswl.org as "low
>>>> trust" (which still merits -1.0).
>>>
>>> Umm, did you actually read their pages?
>>>
>>> Low	Occasional spam occurrences, actively corrected but less promptly.
>>
>> My point was more along the lines of the fact that there's no method (other
>> than manual notification) of doing "Active Correction".
>
> Sure, I just felt like being rude also. ;) You say "at least 20 spam", but
> since it depends on what your total traffic is, it doesn't mean much.

Actually, that was a typo, of sorts...a more accurate metric would be:

Over 200 hits on that rule, with spams mostly over scores of ten, since 
October 8th, with total spam volume (< 5) about 1000.

Or...roughly 1/5 to 1/4 of all the spam in the past couple weeks.

-Dan

--

"Is Gushi a person or an entity?"
"Yes"

-Bad Karma, August 25th 2001, Ezzi Computers, Quoting himself earlier, referring to Gushi



Re: [sa-list] Re: RCVD_IN_DNSWL_LOW

Posted by Henrik Krohns <he...@hege.li>.
On Wed, Oct 17, 2007 at 02:48:49AM -0400, Dan Mahoney, System Admin wrote:
> On Wed, 17 Oct 2007, Henrik Krohns wrote:
>
>> On Tue, Oct 16, 2007 at 06:16:49PM -0400, Dan Mahoney, System Admin wrote:
>>> dnswl.org is either full of it, or not well maintained.
>>>
>>> I've gotten at least 20 spams which I see are listed in dnswl.org as "low
>>> trust" (which still merits -1.0).
>>
>> Umm, did you actually read their pages?
>>
>> Low	Occasional spam occurrences, actively corrected but less promptly.
>
> My point was more along the lines of the fact that there's no method (other 
> than manual notification) of doing "Active Correction".

Sure, I just felt like being rude also. ;) You say "at least 20 spam", but
since it depends on what your total traffic is, it doesn't mean much.

Of course I have no problem if someone should improve the reporting.


Re: [sa-list] Re: RCVD_IN_DNSWL_LOW

Posted by Matthias Leisi <ma...@leisi.net>.



Dan Mahoney, System Admin schrieb:

> My point was more along the lines of the fact that there's no method
> (other than manual notification) of doing "Active Correction".  DNSWL is
> a cool idea, but could we also come up with some sort of "reporting"
> plugin (disabled by default, optional) that could notify them when, say,

That is on the todo list. However, we currently prefer other feedback
loops, since handling a (potentially large) number of feedback providers
requires substantial work (you'll have to identify trustworthy feedback
providers first!).

-- Matthias


Re: [sa-list] Re: RCVD_IN_DNSWL_LOW

Posted by "Dan Mahoney, System Admin" <da...@prime.gushi.org>.
On Wed, 17 Oct 2007, Henrik Krohns wrote:

> On Tue, Oct 16, 2007 at 06:16:49PM -0400, Dan Mahoney, System Admin wrote:
>> dnswl.org is either full of it, or not well maintained.
>>
>> I've gotten at least 20 spams which I see are listed in dnswl.org as "low
>> trust" (which still merits -1.0).
>
> Umm, did you actually read their pages?
>
> Low	Occasional spam occurrences, actively corrected but less promptly.

My point was more along the lines of the fact that there's no method 
(other than manual notification) of doing "Active Correction".  DNSWL is a 
cool idea, but could we also come up with some sort of "reporting" plugin 
(disabled by default, optional) that could notify them when, say, a spam 
of score 15 or above also hits their rules.

> If you don't like it, change the scores.

Why not change the system?

-Dan

--

"Why are you wearing TWO grounding straps?"

-John Evans, Ezzi Computers August 23, 2001




Re: RCVD_IN_DNSWL_LOW

Posted by Henrik Krohns <he...@hege.li>.
On Tue, Oct 16, 2007 at 06:16:49PM -0400, Dan Mahoney, System Admin wrote:
> dnswl.org is either full of it, or not well maintained.
>
> I've gotten at least 20 spams which I see are listed in dnswl.org as "low 
> trust" (which still merits -1.0).

Umm, did you actually read their pages?

Low	Occasional spam occurrences, actively corrected but less promptly.

If you don't like it, change the scores.


Re: RCVD_IN_DNSWL_LOW

Posted by Yet Another Ninja <sa...@alexb.ch>.
On 10/25/2007 9:13 AM, Dan Mahoney, System Admin wrote:
> On Wed, 17 Oct 2007, ram wrote:
> 
>> Sorry I meant "like spamcop" .. I think I must proof-read my own mail
>> now before Ctrl-Enter :-)
> 
> The problem with SpamCop is: the two step reporting process makes things 
> a bear to do.  I understand the logic behind it, but once or twice I've 
> taken a couple hundred spam emails and spamassassin -r'd it...annoying 
> as hell.
> 
> I'd like it if they open-sourced their analysis engine so people could 
> use it to report spam privately, but I know it's not happening.
> 

Ever thought about getting "quick" reporting status?
(including "mole"?)

I haven't ACK'd a report in years :-)

Alex


Re: RCVD_IN_DNSWL_LOW

Posted by ram <ra...@netcore.co.in>.
On Thu, 2007-10-25 at 03:13 -0400, Dan Mahoney, System Admin wrote:
> On Wed, 17 Oct 2007, ram wrote:
> 
> > Sorry I meant "like spamcop" .. I think I must proof-read my own mail
> > now before Ctrl-Enter :-)
> 
> The problem with SpamCop is: the two step reporting process makes things a 
> bear to do.  I understand the logic behind it, but once or twice I've 
> taken a couple hundred spam emails and spamassassin -r'd it...annoying as 
> hell.
> 
But people still report to spamcop. And you must agree spamcop has got
*much* better now. 

If DNSWL has an automated reporting system like that I can vouch I will
myself use such a reporting system without hassles. Especially because I
would not like the excellent idea of DNSWL to fail.


> I'd like it if they open-sourced their analysis engine so people could use 
> it to report spam privately, but I know it's not happening.
> 

I know we opensource guys despise anything that is not. Anyway, that is
not rocket science; it seems pretty straightforward to use one of our
own.


Re: [sa-list] Re: RCVD_IN_DNSWL_LOW

Posted by "Dan Mahoney, System Admin" <da...@prime.gushi.org>.
On Fri, 26 Oct 2007, Matthias Leisi wrote:

>
>
>
> Alex Woick schrieb:
>> [Spamcop]
>> I understand the two step reporting process too, and I too find it
>> annoying and time-consuming to ack my (manually reviewed) 50 spams per
>> day to them, so I ceased to do it. There exist scripts for ack'ing
>> automatically, but this is not the intention of this process, so this is
>> no alternative for me.
>
> I don't speak for Spamcop, but I do speak for dnswl.org. From our
> experience I can tell that a manual review process is very important to
> ensure data quality.
>
> At least in the context of dnswl.org, there is little value in reporting
> for the sake of reporting alone -- there needs to be some quality
> control involved, or otherwise we run a high risk of including unwanted
> IP addresses.
>
> Having said that, we of course welcome all reports on false positives,
> especially on IP addresses with a "low", "med" or "hi" score, and we
> welcome all notifications of mailservers we do not yet know about.

It's rather simple, really.

If I'm auto-reporting spams with a score of (let's say) 15 (enough that, 
regardless of the DNSWL score's "negative", it would still be enough to 
auto-learn as "spam") to DNSWL, and DNSWL is passing complaints on to the 
original mailserver (which seems a logical thing), this serves as a 
reminder to the original mail server of (let us say, in this case) two 
things.  This is the kind of thing that I would suggest be an enhancement 
to SA (but off by default for privacy reasons), on the spamd side, at the 
same time as Bayes auto-learning happens.

1) That they are sending spam that risks their whitelist rating.

and

2) That the email they are sending is probably too spammish ANYWAY, if 
it's of a high enough threshold ABOVE the DNSWL score to still be 
reported.

If you are a spammer, this allows you not only to listwash, but also to 
scrub and detail your email so it hits less SA rules -- of course, if you 
are any kind of pro spammer, presumably you are running your mails through 
at least a standard SA install anyway to test them.

If on the other hand you are a legitimate user of this service, *and* you 
are a producer of regular volumes of email, locally originated, that has 
some spammish tendencies (badly formed HTML parts, or being sent by a 
non-malicious script), then it allows you to correct by other means those 
false positives.

Naturally, if DNSWL isn't reporting back to the mailserver user, none of 
the above applies.

Manually reporting, on the other hand, is something that I would tie into 
the "spamassassin -r" functions, and much LIKE spamcop or the others, I'd 
suggest one or two extra pieces of data:

Some kind of a reporting ID, which determined the severity of the report 
(i.e. anonymous reports were given less credence).  And if the reports 
were going to be given back to the original mailserver again, some option 
to have the identifying data stripped.

Also, the ability to view the number of reports for a given server helps 
as well.

-Dan


--

Amerikanskaya firma Transceptor Technology pristupila k poizvodstu komputerov "Personal'ni Sputnik"

Translates as: 'American company Transceptor Technology commenced the production of the computer "personal sputnik"'

--Snap, "The Power"



Re: RCVD_IN_DNSWL_LOW

Posted by Matthias Leisi <ma...@leisi.net>.



Alex Woick schrieb:
> [Spamcop]
> I understand the two step reporting process too, and I too find it
> annoying and time-consuming to ack my (manually reviewed) 50 spams per
> day to them, so I ceased to do it. There exist scripts for ack'ing
> automatically, but this is not the intention of this process, so this is
> no alternative for me.

I don't speak for Spamcop, but I do speak for dnswl.org. From our
experience I can tell that a manual review process is very important to
ensure data quality.

At least in the context of dnswl.org, there is little value in reporting
for the sake of reporting alone -- there needs to be some quality
control involved, or otherwise we run a high risk of including unwanted
IP addresses.

Having said that, we of course welcome all reports on false positives,
especially on IP addresses with a "low", "med" or "hi" score, and we
welcome all notifications of mailservers we do not yet know about.

-- Matthias

Re: RCVD_IN_DNSWL_LOW

Posted by Alex Woick <al...@wombaz.de>.
Dan Mahoney, System Admin schrieb am 25.10.2007 09:13:

> The problem with SpamCop is: the two step reporting process makes things 
> a bear to do.  I understand the logic behind it, but once or twice I've 
> taken a couple hundred spam emails and spamassassin -r'd it...annoying 
> as hell.

I understand the two step reporting process too, and I too find it 
annoying and time-consuming to ack my (manually reviewed) 50 spams per 
day to them, so I ceased to do it. There exist scripts for ack'ing 
automatically, but this is not the intention of this process, so this is 
no alternative for me.

Additionally, the loading time of the website to acknowledge the spam is 
very slow. And it is not optimized to ack with the minimum count of 
clicks and scrolling within the pages. At least this was the case when I 
first tried it a few months ago. Haven't checked back since.

Re: RCVD_IN_DNSWL_LOW

Posted by "Dan Mahoney, System Admin" <da...@prime.gushi.org>.
On Wed, 17 Oct 2007, ram wrote:

> Sorry I meant "like spamcop" .. I think I must proof-read my own mail
> now before Ctrl-Enter :-)

The problem with SpamCop is: the two step reporting process makes things a 
bear to do.  I understand the logic behind it, but once or twice I've 
taken a couple hundred spam emails and spamassassin -r'd it...annoying as 
hell.

I'd like it if they open-sourced their analysis engine so people could use 
it to report spam privately, but I know it's not happening.

-Dan

--

"there is no loyalty in the business, so we stay away from things that piss people off"

-The Boss, November 12, 2002



Re: RCVD_IN_DNSWL_LOW

Posted by ram <ra...@netcore.co.in>.
On Wed, 2007-10-17 at 16:46 +0530, ram wrote:
> On Wed, 2007-10-17 at 08:38 +0200, Matthias Leisi wrote:
> > 
> > 
> > Dan Mahoney, System Admin schrieb:
> > > dnswl.org is either full of it, or not well maintained.
> > > 
> > > I've gotten at least 20 spams which I see are listed in dnswl.org as
> > > "low trust" (which still merits -1.0).
> > 
> > All different IP addresses or some specific network?
> > > 
> > > Could we maybe please add a feature to spamassassin -r (or some other
> > > hook to the generic whitelisting code) which reports this to the
> > > appropriate whitelist owner?
> > 
> > Can you forward such "false positives" to admins -at- dnswl.org, please?
> 
> I have reported the spams hitting DNSWL_LOW on the dnswl.org site. But
> there is no decent way of reporting.
> 
> I think dnswl is an excellent idea but there must be an easier way of
> reporting FPs. Probably forward mail as attachment (like
> spamassassin)

Sorry I meant "like spamcop" .. I think I must proof-read my own mail
now before Ctrl-Enter :-) 



> , or an online form etc. If this is not being done for
> want of developers I can help. 
> 
> 
> Thanks
> Ram
> 
> 
> 


Re: RCVD_IN_DNSWL_LOW

Posted by ram <ra...@netcore.co.in>.
On Wed, 2007-10-17 at 08:38 +0200, Matthias Leisi wrote:
> 
> 
> Dan Mahoney, System Admin schrieb:
> > dnswl.org is either full of it, or not well maintained.
> > 
> > I've gotten at least 20 spams which I see are listed in dnswl.org as
> > "low trust" (which still merits -1.0).
> 
> All different IP addresses or some specific network?
> > 
> > Could we maybe please add a feature to spamassassin -r (or some other
> > hook to the generic whitelisting code) which reports this to the
> > appropriate whitelist owner?
> 
> Can you forward such "false positives" to admins -at- dnswl.org, please?

I have reported the spams hitting DNSWL_LOW on the dnswl.org site. But
there is no decent way of reporting.

I think dnswl is an excellent idea but there must be an easier way of
reporting FPs. Probably forward mail as attachment (like
spamassassin), or an online form, etc. If this is not being done for
want of developers I can help.


Thanks
Ram




Re: RCVD_IN_DNSWL_LOW

Posted by Henrik Krohns <he...@hege.li>.
On Wed, Oct 17, 2007 at 09:46:07AM +0200, Matthias Leisi wrote:
> 
> Correct. But by setting (in your local.cf or equivalent)
> 
> | trusted_networks 204.9.177.18
> 
> you are telling SpamAssassin that this relay is not operated by a
> spammer and that it should apply all black-/whitelist rules etc. to the
> IP address one more hop away. Then, in the context of SpamAssassin, you
> regain full control of connection-oriented rules.

Actually, blacklisting (dnsbl) is to be done by internal_networks
(-lastexternal). Since you don't know if someone connecting to a remote host
is legitimate in their mind or not.

Whitelisting rules seem to use the trusted_networks (-firsttrusted), which seems
sensible.


Re: RCVD_IN_DNSWL_LOW

Posted by "Dan Mahoney, System Admin" <da...@prime.gushi.org>.
On Wed, 17 Oct 2007, Matthias Leisi wrote:

>
>
> Dan Mahoney, System Admin schrieb:
>
>> Livejournal's purely a mail forwarding service (i.e. there's no way to
>> POP/IMAP that account)
>
> As far as I know, there are mails originating from LJ itself (eg
> notifications etc)?

No, Livejournal also gives you a yourusername@livejournal.com email 
address.  Yes, they do also originate mail (for which we have things like 
SPF (which they do), DomainKeys, DKIM (which they don't, and in fact they 
may have an error for) -- as well as some of the more esoteric things like 
HashCash, GnuPG-signing, etc etc.)

>> and if they can't effect proper controls on how
>> mail is sent through them, then they shouldn't be trusted at all.

>> On my end, I have degrees of control (false MXes, Blacklists,
>> whitelists, greylists, sender callbacks, etc).  I have no such control
>> over the LJ MX'es.
>
> Correct. But by setting (in your local.cf or equivalent)
>
> | trusted_networks 204.9.177.18
>
> you are telling SpamAssassin that this relay is not operated by a
> spammer and that it should apply all black-/whitelist rules etc. to the
> IP address one more hop away. Then, in the context of SpamAssassin, you
> regain full control of connection-oriented rules.

Interesting point, I suppose.  Kinda breaks the logic of "trusted 
networks".  On the same note, would it not be more useful, instead of 
using the static trusted_networks configuration, to use the DNSWL to 
determine if that logic should be in play?  Or some kind of database of 
known forwarding services that work in such a manner?

> That's not fully equivalent to having the actual "spamming connection"
> to deal with, but as close as it gets -- if you need it "closer", you
> should not use forwarding services.
>
> Forwarding services are an edge case in spamfiltering. Usually, such a
> service is itself perfectly trustworthy and not the actual source of
> spam, and care must be taken not to unduly penalize these services for
> forwarded spam.

The problem therein lies in the fact that LJ notifications (comment 
notifications, friendslist notifications, account verification emails, 
etc) are passed through the exact same MXes as the 
username@livejournal.com forwarding service.

>> I've proposed a reporting plugin on the sa-users list, that allows (both
>> for yourself, as well as other whitelists) for the list-owner to be
>> notified with details of high-spam activity (at which point, I guess,
>> you guys could pass that on to your whitelisted groups, and/or adjust
>> categories accordingly).
>
> As I've answered before: That's already on the todo list. However, the
> main problem is not the plugin per se (technically, that is rather
> simple), but identifying trustworthy submitters.

I suppose that depends on what we submit.  If it's something verifiable 
(like, messageID:originating ip:spam level, it's easy).  Just as with 
spamcop, one can choose to omit the message-id so that the spammers cannot 
track who is the spamtrap and listwash, but such reports could be given a 
lower precedence.

--

"You're a nomad billygoat!"

-Juston, July 18th, 2002



Re: [sa-list] Re: RCVD_IN_DNSWL_LOW

Posted by "Dan Mahoney, System Admin" <da...@prime.gushi.org>.
On Wed, 17 Oct 2007, Alex Woick wrote:

> Matthias Leisi schrieb am 17.10.2007 09:46:
>
>> Correct. But by setting (in your local.cf or equivalent)
>> 
>> | trusted_networks 204.9.177.18
>> 
>> you are telling SpamAssassin that this relay is not operated by a
>> spammer and that it should apply all black-/whitelist rules etc. to the
>> IP address one more hop away. Then, in the context of SpamAssassin, you
>> regain full control of connection-oriented rules.
>> 
>> That's not fully equivalent to having the actual "spamming connection"
>> to deal with, but as close as it gets -- if you need it "closer", you
>> should not use forwarding services.
>
> Good point. I think I start to understand what trusted_network is for and how 
> it works. Currently, I have a provider whose MX receives mail for me and 
> forwards it to my local mail server. Spam detection improved much when I 
> added its IP address to trusted_networks some time ago.
>
> Now, I occasionally get spam to my users.sourceforge.net account, just like Dan 
> Mahoney is getting spam to his Livejournal account. Sourceforge is also 
> listed with LOW at dnswl and acts as a forwarder to my own mail server.
>
> Since I never get spam from users.sourceforge.net accounts directly but only 
> spam sent to my users.sourceforge.net account from random addresses, I 
> suppose the Sourceforge mail server is trusted in such a way that spam doesn't 
> originate from it, and that's the purpose of trusted_network. Just like my 
> provider, which forwards mail to me sent from random originators but never 
> produces spam itself.

Sure, but that means each person who is a member of one of these services 
has to:

* Look up their forwarded email address
* Look up the SPF record for that domain
   -or-
* Take a best guess as to the fact that the receiving MX will also be the 
sending.

THEN

* Translate that into trusted networks statements, which are GLOBALLY 
trusted (either per server or per user, but NOT per envelope-recipient) -- 
which is fine for Livejournal or Sourceforge, I guess, I'd imagine their 
MXes are pretty dedicated, but I'm sure there's smaller cases.

But it might help to have some series of dynamic rules...whereby an address 
is DNSWL'd with a special code that lists it as a known relay for certain 
domains, and the trusted_networks logic extends automatically (if the 
relaying domain matches).

Apologies if I've repeated anything already said.

-Dan

--

"there is no loyalty in the business, so we stay away from things that piss people off"

-The Boss, November 12, 2002



Re: RCVD_IN_DNSWL_LOW

Posted by Alex Woick <al...@wombaz.de>.
Matthias Leisi schrieb am 17.10.2007 09:46:

> Correct. But by setting (in your local.cf or equivalent)
> 
> | trusted_networks 204.9.177.18
> 
> you are telling SpamAssassin that this relay is not operated by a
> spammer and that it should apply all black-/whitelist rules etc. to the
> IP address one more hop away. Then, in the context of SpamAssassin, you
> regain full control of connection-oriented rules.
> 
> That's not fully equivalent to having the actual "spamming connection"
> to deal with, but as close as it gets -- if you need it "closer", you
> should not use forwarding services.

Good point. I think I start to understand what trusted_network is for 
and how it works. Currently, I have a provider whose MX receives mail 
for me and forwards it to my local mail server. Spam detection improved 
much when I added its IP address to trusted_networks some time ago.

Now, I occasionally get spam to my users.sourceforge.net account, just 
like Dan Mahoney is getting spam to his Livejournal account. Sourceforge 
is also listed with LOW at dnswl and acts as a forwarder to my own mail 
server.

Since I never get spam from users.sourceforge.net accounts directly but 
only spam sent to my users.sourceforge.net account from random 
addresses, I suppose the Sourceforge mail server is trusted in such a way 
that spam doesn't originate from it, and that's the purpose of 
trusted_network. Just like my provider, which forwards mail to me sent 
from random originators but never produces spam itself.

Tschau
Alex

Re: RCVD_IN_DNSWL_LOW

Posted by Matthias Leisi <ma...@leisi.net>.


Dan Mahoney, System Admin schrieb:

> Livejournal's purely a mail forwarding service (i.e. there's no way to
> POP/IMAP that account) 

As far as I know, there are mails originating from LJ itself (eg
notifications etc)?

> and if they can't effect proper controls on how
> mail is sent through them, then they shouldn't be trusted at all.
> 
> On my end, I have degrees of control (false MXes, Blacklists,
> whitelists, greylists, sender callbacks, etc).  I have no such control
> over the LJ MX'es.

Correct. But by setting (in your local.cf or equivalent)

| trusted_networks 204.9.177.18

you are telling SpamAssassin that this relay is not operated by a
spammer and that it should apply all black-/whitelist rules etc. to the
IP address one more hop away. Then, in the context of SpamAssassin, you
regain full control of connection-oriented rules.

That's not fully equivalent to having the actual "spamming connection"
to deal with, but as close as it gets -- if you need it "closer", you
should not use forwarding services.

Forwarding services are an edge case in spamfiltering. Usually, such a
service is itself perfectly trustworthy and not the actual source of
spam, and care must be taken not to unduly penalize these services for
forwarded spam.

> I've proposed a reporting plugin on the sa-users list, that allows (both
> for yourself, as well as other whitelists) for the list-owner to be
> notified with details of high-spam activity (at which point, I guess,
> you guys could pass that on to your whitelisted groups, and/or adjust
> categories accordingly).

As I've answered before: That's already on the todo list. However, the
main problem is not the plugin per se (technically, that is rather
simple), but identifying trustworthy submitters.

-- Matthias

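
A small Python model of the point Matthias makes above about trusted_networks, and of Henrik's distinction (in his reply further up the thread) between the -firsttrusted relay used by whitelist rules and the -lastexternal relay used by DNSBL rules. This is an added example, not code from the thread, SpamAssassin or dnswl.org; it assumes a simplified reading of those two relay-selection rules, takes only the forwarder IP 204.9.177.18 from the thread, and constructs the other addresses and the DNSWL lookup table.

```python
import ipaddress

# Constructed relay chain, most recent hop first (the order in which
# SpamAssassin walks Received headers). 192.0.2.10 stands in for the
# receiving MX and 198.51.100.77 for the originating host (both RFC 5737
# documentation addresses); 204.9.177.18 is the livejournal.com forwarder
# IP quoted in the thread.
OUR_MX = "192.0.2.10"
FORWARDER = "204.9.177.18"
ORIGINATOR = "198.51.100.77"
RELAYS = [OUR_MX, FORWARDER, ORIGINATOR]

# Constructed stand-in for a list.dnswl.org lookup: only the forwarder is
# listed, at "low" trust, which the thread says scores -1.0.
DNSWL = {FORWARDER: "low"}
DNSWL_SCORE = {"low": -1.0}


def in_networks(ip, networks):
    """True if ip falls inside any of the given CIDR or host entries."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def split_relays(relays, trusted_networks, internal_networks=None):
    """Simplified model (assumption, not SA's own code) of how SpamAssassin
    picks the IP a DNS-list rule queries.

    firsttrusted: the first relay outside trusted_networks, i.e. the host
      that handed the mail across our trust boundary (DNSWL rules use it).
    lastexternal: the first relay outside internal_networks (DNSBL rules).
    Trust ends at the first untrusted hop: older Received lines may have
    been forged by that relay, so nothing beyond it is trusted.
    When internal_networks is unset SpamAssassin reuses trusted_networks.
    """
    if internal_networks is None:
        internal_networks = trusted_networks
    first_untrusted = None
    last_external = None
    for ip in relays:
        if last_external is None and not in_networks(ip, internal_networks):
            last_external = ip
        if not in_networks(ip, trusted_networks):
            first_untrusted = ip
            break
    # internal_networks is a subset of trusted_networks, so if every
    # trusted hop was also internal the two boundaries coincide
    if last_external is None:
        last_external = first_untrusted
    return {"firsttrusted": first_untrusted, "lastexternal": last_external}


def dnswl_score(relays, trusted_networks, internal_networks=None):
    """Score the RCVD_IN_DNSWL_* rule would contribute for this config."""
    target = split_relays(relays, trusted_networks, internal_networks)["firsttrusted"]
    return DNSWL_SCORE.get(DNSWL.get(target), 0.0)


def compare_configs(relays=RELAYS):
    """Evaluate the three local.cf variants discussed in the thread."""
    configs = {
        # only our own MX is trusted: the forwarder is the first untrusted
        # relay, and its LOW listing hands forwarded spam a -1.0 bonus
        "only_own_mx": (["192.0.2.0/24"], None),
        # Matthias's suggestion, trusted_networks 204.9.177.18: both lookups
        # move one hop away (internal_networks defaults to trusted_networks)
        "trusted_forwarder": (["192.0.2.0/24", FORWARDER], None),
        # Henrik's distinction: trust the forwarder for whitelist purposes
        # but keep internal_networks at our own MX, so the DNSBL lookup
        # (-lastexternal) is still done on the host that connected to us
        "trusted_and_internal": (["192.0.2.0/24", FORWARDER], ["192.0.2.0/24"]),
    }
    results = {}
    for label, (trusted, internal) in configs.items():
        r = split_relays(relays, trusted, internal)
        r["dnswl_score"] = dnswl_score(relays, trusted, internal)
        results[label] = r
    return results


if __name__ == "__main__":
    for label, r in compare_configs().items():
        print(f"{label:22s} DNSWL checks {r['firsttrusted']:15s} "
              f"DNSBL checks {r['lastexternal']:15s} score {r['dnswl_score']:+.1f}")
```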

Re: RCVD_IN_DNSWL_LOW

Posted by "Dan Mahoney, System Admin" <da...@prime.gushi.org>.
On Wed, 17 Oct 2007, Matthias Leisi wrote:

>> I forwarded over 200 of them earlier today (as an attachment -- total
>> email size was about one meg).
>
> OK, I now could have a look at them (well, a sample of them, not each of
> the > 200 individually).
>
> All samples in that set have been forwarded through your livejournal.com
> account, and consequently sent to your server through a dnswl.org-listed
> server of livejournal.com (204.9.177.18, see
> http://www.dnswl.org/search.pl?s=1409).

Livejournal's purely a mail forwarding service (i.e. there's no way to 
POP/IMAP that account) and if they can't effect proper controls on how 
mail is sent through them, then they shouldn't be trusted at all.

On my end, I have degrees of control (false MXes, Blacklists, whitelists, 
greylists, sender callbacks, etc).  I have no such control over the LJ 
MX'es.

I've proposed a reporting plugin on the sa-users list, that allows (both 
for yourself, as well as other whitelists) for the list-owner to be 
notified with details of high-spam activity (at which point, I guess, you 
guys could pass that on to your whitelisted groups, and/or adjust 
categories accordingly).

> Please configure your trusted_networks/internal_networks -- like that,

Like what?  I think I missed what you want me to do.

> you'll even get the benefit that all RBL lookups, whitelist_from_rcvd
> etc. profit from the correct information.

-Dan

--

"The first annual 5th of July party...have you been invited?"
"It's a Jack Party."
"Okay, so Long Island's been invited."

--Cali and Gushi, 6/23/02




Re: RCVD_IN_DNSWL_LOW

Posted by Matthias Leisi <ma...@leisi.net>.



Dan Mahoney, System Admin schrieb:

> I forwarded over 200 of them earlier today (as an attachment -- total
> email size was about one meg).

OK, I now could have a look at them (well, a sample of them, not each of
the > 200 individually).

All samples in that set have been forwarded through your livejournal.com
account, and consequently sent to your server through a dnswl.org-listed
server of livejournal.com (204.9.177.18, see
http://www.dnswl.org/search.pl?s=1409).

Please configure your trusted_networks/internal_networks -- like that,
you'll even get the benefit that all RBL lookups, whitelist_from_rcvd
etc. profit from the correct information.

-- Matthias


Re: RCVD_IN_DNSWL_LOW

Posted by "Dan Mahoney, System Admin" <da...@prime.gushi.org>.
On Wed, 17 Oct 2007, Matthias Leisi wrote:

I forwarded over 200 of them earlier today (as an attachment -- total 
email size was about one meg).

It would have been from this address.

-Dan


>
>
> Dan Mahoney, System Admin schrieb:
>> dnswl.org is either full of it, or not well maintained.
>>
>> I've gotten at least 20 spams which I see are listed in dnswl.org as
>> "low trust" (which still merits -1.0).
>
> All different IP addresses or some specific network?
>>
>> Could we maybe please add a feature to spamassassin -r (or some other
>> hook to the generic whitelisting code) which reports this to the
>> appropriate whitelist owner?
>
> Can you forward such "false positives" to admins -at- dnswl.org, please?
>
> Thanks,
> -- Matthias, for dnswl.org
>

--

"Oh, and we just recently got an invoice..."
"Congratulations!"

-JC and DM, regarding Unpredictable Billing, 8/18/2001



Re: RCVD_IN_DNSWL_LOW

Posted by Matthias Leisi <ma...@leisi.net>.


Dan Mahoney, System Admin schrieb:
> dnswl.org is either full of it, or not well maintained.
> 
> I've gotten at least 20 spams which I see are listed in dnswl.org as
> "low trust" (which still merits -1.0).

All different IP addresses or some specific network?
> 
> Could we maybe please add a feature to spamassassin -r (or some other
> hook to the generic whitelisting code) which reports this to the
> appropriate whitelist owner?

Can you forward such "false positives" to admins -at- dnswl.org, please?

Thanks,
-- Matthias, for dnswl.org
