You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Greg Troxel <gd...@ir.bbn.com> on 2008/10/05 18:19:15 UTC
DOB blocklist seems to have very old domains
I got a FP on mail to the discuss-gnuradio list and found that DOB was
firing on gnuradio.org. Now it seems to be firing on gnu.org as well:
gnuradio.org.dob.sibl.support-intelligence.net. 249 IN A 127.0.0.2
gnu.org.dob.sibl.support-intelligence.net. 1460 IN A 127.0.0.2
I couldn't find anything on the DOB BL page about how to report bugs.
Below is what a sample message got. I think the SA rules are probably
fine, so I'm not including the whole message. But it seems at least my
message fired on 3 rules and that was worth 2.9 points.
Content analysis details: (-0.2 points, 1.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
-0.5 RCVD_IN_DNSWL_LOW RBL: Sender listed at http://www.dnswl.org/, low
trust
[199.232.76.165 listed in list.dnswl.org]
0.7 DNS_FROM_DOB RBL: Sender from new domain (Day Old Bread)
1.1 RCVD_IN_DOB RBL: Received via relay in new domain (Day Old Bread)
1.1 URIBL_RHS_DOB Contains an URI of a new domain (Day Old Bread)
[URIs: gnu.org]
-2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
[score: 0.0000]
Re: DOB blocklist seems to have very old domains
Posted by mouss <mo...@netoyen.net>.
SM a écrit :
> At 11:00 05-10-2008, Ralf Hildebrandt wrote:
>> python.org is also listed:
same for ietf.org (duh!), postfix.org, debian.org, netbsd.org,
dovecot.org, ....., and anything org.
looks like a parser added "org" (and "thus" all its subdomains).
>>
>> Domain Name:PYTHON.ORG
>> Created On:27-Mar-1995 05:00:00 UTC
>> Last Updated On:07-Sep-2006 20:50:54 UTC
>> Expiration Date:28-Mar-2016 05:00:00 UTC
>
> It looks like a processing glitch. I sent them an email about the
> problem.
hope he will detect
In the meantime, it's worth disabling it.
meta DNS_FROM_DOB (0)
meta RCVD_IN_DOB (0)
meta URIBL_RHS_DOB (0)
at least, this saves a dns request ;-p
Re: DOB blocklist seems to have very old domains
Posted by SM <sm...@resistor.net>.
At 11:00 05-10-2008, Ralf Hildebrandt wrote:
>python.org is also listed:
>
>Domain Name:PYTHON.ORG
>Created On:27-Mar-1995 05:00:00 UTC
>Last Updated On:07-Sep-2006 20:50:54 UTC
>Expiration Date:28-Mar-2016 05:00:00 UTC
It looks like a processing glitch. I sent them an email about the problem.
Regards,
-sm
Re: DOB blocklist seems to have very old domains
Posted by Ralf Hildebrandt <Ra...@charite.de>.
* mouss <mo...@netoyen.net>:
> it does from here. and the page still says:
>
> "
> The dob list is a DNSRBL that contains domains registered within the last
> five days. The list is currently in BETA and should be used accordingly.
> We still have some kinks in it and occasionally domains older than five
> days, or other important domains end up in the list. CAVEAT EMPTOR
> "
python.org is also listed:
Domain Name:PYTHON.ORG
Created On:27-Mar-1995 05:00:00 UTC
Last Updated On:07-Sep-2006 20:50:54 UTC
Expiration Date:28-Mar-2016 05:00:00 UTC
So, they neither have support nor intelligence.
--
Ralf Hildebrandt (i.A. des GB IT) Ralf.Hildebrandt@charite.de
Charite - Universitätsmedizin Berlin Tel. +49 (0)30-450 570-155
Gemeinsame Einrichtung von FU- und HU-Berlin Fax. +49 (0)30-450 570-962
Geschäftsbereich IT Standort CBF I'm looking for a job!
Re: DOB blocklist seems to have very old domains
Posted by Kai Schaetzl <ma...@conactive.com>.
Mouss wrote on Sun, 05 Oct 2008 21:40:26 +0200:
> From here too, but the .com work :-)
Right. But the normal way would be to deduce URL from the lookup URL which
ends up in .net. On the other hand that's not even mentioned in the rule
which might lead to a search for "Day Old Bread" list and avoid the wrong
net URL ;-)
> ifplugin Mail::SpamAssassin::Plugin::DNSEval
>
> with the other DNSBL checks.
yeah, that's enabled by default. Is the skip_rbl_checks option then still
useful at all?
Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
Re: DOB blocklist seems to have very old domains
Posted by mouss <mo...@netoyen.net>.
Kai Schaetzl wrote:
> Mouss wrote on Sun, 05 Oct 2008 19:56:58 +0200:
>
>>> I couldn't even find a website. www.support-intelligence.net doesn't
>>> exist.
>> it does from here.
>
> From various locations in Germany:
>
> host www.support-intelligence.net
> Host www.support-intelligence.net not found: 3(NXDOMAIN)
>
From here too, but the .com work :-)
$ host www.support-intelligence.net
Host www.support-intelligence.net not found: 3(NXDOMAIN)
$ host www.support-intelligence.com
www.support-intelligence.com has address 207.7.138.219
>>> Is this a default RBL of SA?
>>>
>> yes.
>
> But not in use if I skip rbl checks, right?
>
it's inside
ifplugin Mail::SpamAssassin::Plugin::DNSEval
with the other DNSBL checks.
Re: DOB blocklist seems to have very old domains
Posted by Kai Schaetzl <ma...@conactive.com>.
Mouss wrote on Sun, 05 Oct 2008 19:56:58 +0200:
> > I couldn't even find a website. www.support-intelligence.net doesn't
> > exist.
>
> it does from here.
>From various locations in Germany:
host www.support-intelligence.net
Host www.support-intelligence.net not found: 3(NXDOMAIN)
> > Is this a default RBL of SA?
> >
>
> yes.
But not in use if I skip rbl checks, right?
Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
Re: DOB blocklist seems to have very old domains
Posted by mouss <mo...@netoyen.net>.
Kai Schaetzl wrote:
> Greg Troxel wrote on Sun, 05 Oct 2008 12:19:15 -0400:
>
>> I got a FP on mail to the discuss-gnuradio list and found that DOB was
>> firing on gnuradio.org. Now it seems to be firing on gnu.org as well:
>>
>> gnuradio.org.dob.sibl.support-intelligence.net. 249 IN A 127.0.0.2
>> gnu.org.dob.sibl.support-intelligence.net. 1460 IN A 127.0.0.2
>
> It seems to fire on all .org domains but not on others. So, they
> apparently have some sort of problem checking the dates of org domains and
> put them all on the list.
>
>> I couldn't find anything on the DOB BL page about how to report bugs.
>
> I couldn't even find a website. www.support-intelligence.net doesn't
> exist.
it does from here. and the page still says:
"
The dob list is a DNSRBL that contains domains registered within the
last five days. The list is currently in BETA and should be used
accordingly. We still have some kinks in it and occasionally domains
older than five days, or other important domains end up in the list.
CAVEAT EMPTOR
"
> Is this a default RBL of SA?
>
yes.
$ grep _DOB 50_scores.cf
score DNS_FROM_DOB 0 0.341 0 0.732 # n=0 n=2
score RCVD_IN_DOB 0 0.835 0 1.103 # n=0 n=2
score URIBL_RHS_DOB 0 0.901 0 1.083 # n=0 n=2
See
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5768
Re: DOB blocklist seems to have very old domains
Posted by Matthias Leisi <ma...@leisi.net>.
Kai Schaetzl schrieb:
> It seems to fire on all .org domains but not on others. So, they
> apparently have some sort of problem checking the dates of org domains and
> put them all on the list.
IIRC it is not the first time that there were issues with DOB and .org,
but can't find a reference right now. Rick from DOB is following (used
to follow?) the sa-dev list, and I can ping him if the problem persists
-- Matthias
Re: DOB blocklist seems to have very old domains
Posted by Kai Schaetzl <ma...@conactive.com>.
Greg Troxel wrote on Sun, 05 Oct 2008 12:19:15 -0400:
> I got a FP on mail to the discuss-gnuradio list and found that DOB was
> firing on gnuradio.org. Now it seems to be firing on gnu.org as well:
>
> gnuradio.org.dob.sibl.support-intelligence.net. 249 IN A 127.0.0.2
> gnu.org.dob.sibl.support-intelligence.net. 1460 IN A 127.0.0.2
It seems to fire on all .org domains but not on others. So, they
apparently have some sort of problem checking the dates of org domains and
put them all on the list.
>
> I couldn't find anything on the DOB BL page about how to report bugs.
I couldn't even find a website. www.support-intelligence.net doesn't
exist. Is this a default RBL of SA?
Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
Re: DOB blocklist seems to have very old domains
Posted by Kai Schaetzl <ma...@conactive.com>.
They seem to have resolved that problem now.
Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com