Posted to users@spamassassin.apache.org by Jeremy McSpadden <je...@fluxlabs.net> on 2011/10/30 18:37:01 UTC

Disable a Rule

I have several MS boxes and it seems that the RCVD_IN_DNSWL_HI rule in 72_active is allowing way too much through. Running at a score of 5 for spam, and its -5 score is pushing it through as clean. How do I disable the rule completely, even on sa-updates? It seems nightly the rule is re-enabled.

--
Jeremy McSpadden





Re: Disable a Rule

Posted by Benny Pedersen <me...@junc.org>.
On Sun, 30 Oct 2011 17:37:01 +0000, Jeremy McSpadden wrote:
> I have several MS boxes and it seems that the RCVD_IN_DNSWL_HI rule
> in 72_active is allowing way too much through. Running at a score of 5
> for spam, and its -5 score is pushing it through as clean. How do I disable
> the rule completely, even on sa-updates? It seems nightly the rule is
> re-enabled.

http://www.dnswl.org/ Spam from a dnswl.org-listed IP?

It's silly to fix it locally.

Re: Disable a Rule

Posted by Marcin Mirosław <ma...@mejor.pl>.
On 2011-10-30 18:37, Jeremy McSpadden wrote:
> I have several MS boxes and it seems that the RCVD_IN_DNSWL_HI rule in
> 72_active is allowing way too much through. Running at a score of 5 for
> spam, and its -5 score is pushing it through as clean. How do I disable the
> rule completely, even on sa-updates? It seems nightly the rule is
> re-enabled.

Hi!
Maybe rescoring would be enough?
score RCVD_IN_DNSWL_HI 0
in your local conf.


Re: Disable a Rule

Posted by John Hardin <jh...@impsec.org>.
On Sun, 30 Oct 2011, Jeremy McSpadden wrote:

> Very well. DNSMasq setup and running local, yet still returns HI

Are you still forwarding to somebody else's DNS servers? If your ISP is 
large and hosting many people using SA, you may be in the same position. 
The local DNS server supporting your SA should be doing resolution by 
itself, no forwarders (at least for the BL domains).

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   ...the Fates notice those who buy chainsaws...
                                               -- www.darwinawards.com
-----------------------------------------------------------------------
  Tomorrow: Halloween

Re: Disable a Rule

Posted by Benny Pedersen <me...@junc.org>.
On Sun, 30 Oct 2011 20:25:25 +0000, Jeremy McSpadden wrote:
> Very well. DNSMasq setup and running local, yet still returns HI

check /etc/resolv.conf

nameserver 127.0.0.1



Re: Disable a Rule

Posted by Jim Popovitch <ji...@gmail.com>.
On Sun, Oct 30, 2011 at 21:46, RW <rw...@googlemail.com> wrote:
> On Sun, 30 Oct 2011 20:25:25 +0000
> Jeremy McSpadden wrote:
>
>> Very well. DNSMasq setup and running local, yet still returns HI
>
> AFAIK DNSMasq isn't a recursive nameserver, it's just a DNS forwarder.

Correct.

pdns_resolver is an excellent replacement (until other apps crash with
libcrypto errors, leaving pdns_resolver to report errors "Timeout from
remote TCP client 127.0.0.1")

-Jim P.

Re: Disable a Rule

Posted by RW <rw...@googlemail.com>.
On Sun, 30 Oct 2011 20:25:25 +0000
Jeremy McSpadden wrote:

> Very well. DNSMasq setup and running local, yet still returns HI

AFAIK DNSMasq isn't a recursive nameserver, it's just a DNS forwarder.

Re: Disable a Rule

Posted by Jeremy McSpadden <je...@fluxlabs.net>.
Very well. DNSMasq setup and running local, yet still returns HI

--
Jeremy McSpadden
Flux Labs, Inc
http://www.fluxlabs.net
Endless Solutions
Office : 850-588-4626
Cell : 850-890-2543
Fax : 850-254-2955

On Oct 30, 2011, at 3:14 PM, Benny Pedersen wrote:

On Sun, 30 Oct 2011 20:05:08 +0000, Jeremy McSpadden wrote:
Then why would this rule be enabled by default, or even set up for SA
out of the box? So you're telling me that in order to use this rule, I
have to set up a local DNS? I don't think so. I've run SA boxes for
years and never had to run a local DNS server.

Using shared DNS gives shared limits, that's why, so yes, to use the free service one needs DNS servers on the loopback interface.





Re: Disable a Rule

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 31.10.11 02:33, Jeremy McSpadden wrote:
> Thanks Ned, my question being now - why create a rule that can reduce 
> the spam count

the DNSWL rules are not created to reduce spam count, but to reduce FP 
count.

> when the provider decides to enforce such a policy; 

any provider can enforce any policy - should we stop using shared 
databases too?

You can be denied from running sa-update if you abuse it. Should 
SA stop recommending using it?

> and start returning incorrect queries.  Denied or not, it should 
> NEVER return any value that would lower the spam count, if it cannot 
> provide the correct answer to the query, it should send a null 
> result; not some crap answer because their systems cannot provide 
> sufficient queries to the demand the public puts on their 
> infrastructure.

AFAIK your problem was that you are using (or forced to use) your 
provider's DNS servers.  Blame your provider, not SA.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
Boost your system's speed by 500% - DEL C:\WINDOWS\*.*

Re: Disable a Rule

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Mon, 2011-10-31 at 02:33 +0000, Jeremy McSpadden wrote:
> Thanks Ned, my question being now - why create a rule that can reduce
> the spam count when the provider decides to enforce such a policy; and
> start returning incorrect queries.

It's almost irrelevant whether the score is negative or positive.
Almost, since FPs are much worse than FNs.

Anyway, the answer to that "why" would be very easy to answer yourself,
if you had carefully read the links pointed out, and their
respective dates. And the release date of your SA version. DNSWL policy
changed just recently.


> Although I personally am not doing 100k look-ups, the DNS resolvers at
> the DC very well may.

My previous post early in this thread asked for exactly this. No
response, so merely a dangling pointer... *shrug*


> I have set up bind to do name-caching and am no longer doing forwarding. I
> will continue to examine logs and monitor the system. Thanks to
> those who took the time to reply w/ enough information, rather than
> smart comments; or vague 1 liners.

Using a local caching resolver is mentioned in the wiki docs, as well as
semi-frequently discussed on this list. Not only does it prevent exactly
such issues, but it also speeds up DNS RBL queries.


> On Oct 30, 2011, at 5:56 PM, Ned Slider wrote:

> > Now they have your attention, the solution if you want to continue
> > using DNSWL is to deploy your own local DNS caching server assuming
> > you can stay under the free usage terms, or buy a data feed, or
> > disable the DNSWL rules in SA by scoring them at zero:

Ned, you forgot to meta out __RCVD_IN_DNSWL to actually prevent the DNS
query at all.

> > all of which has previously been stated.

Yup, also mentioned previously. ;)  And commonly forgotten...


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: Disable a Rule

Posted by Jeremy McSpadden <je...@fluxlabs.net>.
Thanks Ned, my question being now - why create a rule that can reduce the spam count when the provider decides to enforce such a policy, and start returning incorrect queries? Denied or not, it should NEVER return any value that would lower the spam count; if it cannot provide the correct answer to the query, it should send a null result, not some crap answer because their systems cannot provide sufficient queries to the demand the public puts on their infrastructure.

Although I personally am not doing 100k look-ups, the DNS resolvers at the DC very well may.

...
less than 0.1% are affected by this stricter enforcement
...

I have set up bind to do name-caching and am no longer doing forwarding. I will continue to examine logs and monitor the system. Thanks to those who took the time to reply w/ enough information, rather than smart comments; or vague 1 liners.

--
Jeremy McSpadden
Flux Labs, Inc


On Oct 30, 2011, at 5:56 PM, Ned Slider wrote:

On 30/10/11 20:45, Jeremy McSpadden wrote:
Thanks for the help Benny. .. Anyone besides this guy have anything to say ?
--

See here:

http://www.dnswl.org/news/archives/24-Abusive-use-of-dnswl.org-infrastructure-enforcing-limits.html

and also the thread on this list from the archives dated 17th Oct 2011 with subject: DNSWL.org enforcement of free usage limits.

Benny is correct - using your provider's DNS servers results in exceeding the limit at DNSWL, which results in all queries hitting RCVD_IN_DNSWL_HI - that's generally how they get your attention.

Now they have your attention, the solution if you want to continue using DNSWL is to deploy your own local DNS caching server assuming you can stay under the free usage terms, or buy a data feed, or disable the DNSWL rules in SA by scoring them at zero:

score RCVD_IN_DNSWL_HI 0
score RCVD_IN_DNSWL_MED 0
score RCVD_IN_DNSWL_LOW 0
score RCVD_IN_DNSWL_NONE 0

all of which has previously been stated.

Hope that helps.






Re: Disable a Rule

Posted by Ned Slider <ne...@unixmail.co.uk>.
On 30/10/11 20:45, Jeremy McSpadden wrote:
> Thanks for the help Benny. .. Anyone besides this guy have anything to say ?
> --

See here:

http://www.dnswl.org/news/archives/24-Abusive-use-of-dnswl.org-infrastructure-enforcing-limits.html

and also the thread on this list from the archives dated 17th Oct 2011 
with subject: DNSWL.org enforcement of free usage limits.

Benny is correct - using your provider's DNS servers results in exceeding 
the limit at DNSWL, which results in all queries hitting RCVD_IN_DNSWL_HI 
- that's generally how they get your attention.

Now they have your attention, the solution if you want to continue using 
DNSWL is to deploy your own local DNS caching server assuming you can 
stay under the free usage terms, or buy a data feed, or disable the 
DNSWL rules in SA by scoring them at zero:

score RCVD_IN_DNSWL_HI 0
score RCVD_IN_DNSWL_MED 0
score RCVD_IN_DNSWL_LOW 0
score RCVD_IN_DNSWL_NONE 0

all of which has previously been stated.

Hope that helps.


Re: Disable a Rule

Posted by Jeremy McSpadden <je...@fluxlabs.net>.
Thanks for the help Benny. .. Anyone besides this guy have anything to say ?
--
Jeremy McSpadden
Flux Labs, Inc
http://www.fluxlabs.net
Endless Solutions
Office : 850-588-4626
Cell : 850-890-2543
Fax : 850-254-2955

On Oct 30, 2011, at 3:40 PM, Benny Pedersen wrote:

On Sun, 30 Oct 2011 20:36:14 +0000, Jeremy McSpadden wrote:
Yes, that is in place. (not a newbie here)

Seems your hoster is not a newbie either; you are firewalled to use their DNS server. If it still does not work, ask them :)







Re: Disable a Rule

Posted by Benny Pedersen <me...@junc.org>.
On Sun, 30 Oct 2011 20:36:14 +0000, Jeremy McSpadden wrote:
> Yes, that is in place. (not a newbie here)

Seems your hoster is not a newbie either; you are firewalled to use 
their DNS server. If it still does not work, ask them :)



Re: [OT] Disable a Rule

Posted by Walter Hurry <wa...@lavabit.com>.
On Sun, 30 Oct 2011 21:48:16 +0100, Marcin Mirosław wrote:

> On 2011-10-30 21:36, Jeremy McSpadden wrote:
>> Yes, that is in place. (not a newbie here)
> 
> Only a newbie can say "I'm not a newbie".

And top post at the same time.



Re: [OT] Disable a Rule

Posted by Marcin Mirosław <ma...@mejor.pl>.
On 2011-10-30 21:36, Jeremy McSpadden wrote:
> Yes, that is in place. (not a newbie here)

Only a newbie can say "I'm not a newbie".

Re: Disable a Rule

Posted by Jeremy McSpadden <je...@fluxlabs.net>.
Yes, that is in place. (not a newbie here)
--
Jeremy McSpadden
Flux Labs, Inc
http://www.fluxlabs.net
Endless Solutions
Office : 850-588-4626
Cell : 850-890-2543
Fax : 850-254-2955

On Oct 30, 2011, at 3:14 PM, Benny Pedersen wrote:

On Sun, 30 Oct 2011 20:05:08 +0000, Jeremy McSpadden wrote:
Then why would this rule be enabled by default, or even set up for SA
out of the box? So you're telling me that in order to use this rule, I
have to set up a local DNS? I don't think so. I've run SA boxes for
years and never had to run a local DNS server.

Using shared DNS gives shared limits, that's why, so yes, to use the free service one needs DNS servers on the loopback interface.





Re: Disable a Rule

Posted by Benny Pedersen <me...@junc.org>.
On Sun, 30 Oct 2011 20:05:08 +0000, Jeremy McSpadden wrote:
> Then why would this rule be enabled by default, or even set up for SA
> out of the box? So you're telling me that in order to use this rule, I
> have to set up a local DNS? I don't think so. I've run SA boxes for
> years and never had to run a local DNS server.

Using shared DNS gives shared limits, that's why, so yes, to use the free 
service one needs DNS servers on the loopback interface.

Re: Disable a Rule

Posted by Jeremy McSpadden <je...@fluxlabs.net>.
Then why would this rule be enabled by default, or even set up for SA out of the box? So you're telling me that in order to use this rule, I have to set up a local DNS? I don't think so. I've run SA boxes for years and never had to run a local DNS server.

--
Jeremy McSpadden
Flux Labs, Inc


On Oct 30, 2011, at 2:57 PM, Benny Pedersen wrote:

On Sun, 30 Oct 2011 19:18:12 +0000, Jeremy McSpadden wrote:

I am using local dns servers. The server is at SoftLayer's DC. Using
their local DNS servers, 10.0.X

Their IP needs a datafeed, or you need to have a DNS server on 127.0.0.1 to get the free use at dnswl.

I can't find this IP listed anywhere.






Re: Disable a Rule

Posted by Benny Pedersen <me...@junc.org>.
On Sun, 30 Oct 2011 19:18:12 +0000, Jeremy McSpadden wrote:

> I am using local dns servers. The server is at SoftLayer's DC. Using
> their local DNS servers, 10.0.X

Their IP needs a datafeed, or you need to have a DNS server on 127.0.0.1 to 
get the free use at dnswl.

I can't find this IP listed anywhere.


Re: Disable a Rule

Posted by Jeremy McSpadden <je...@fluxlabs.net>.
No, I was editing the actual rule file itself. I have done a lookup on several of the IPs that SA is stating are HI on DNSWL, yet they come back as not whitelisted.

http://www.dnswl.org/search.pl?s=98.126.47.12 =  IP address 98.126.47.12 is not whitelisted at dnswl.org.

spamassassin -t -D < MSGID = -5.0 RCVD_IN_DNSWL_HI       RBL: Sender listed at http://www.dnswl.org/, hightrust [98.126.47.12 listed in list.dnswl.org]

I am using local dns servers. The server is at SoftLayer's DC. Using their local DNS servers, 10.0.X

--
Jeremy McSpadden
Flux Labs, Inc


On Oct 30, 2011, at 1:50 PM, John Hardin wrote:

On Sun, 30 Oct 2011, Jeremy McSpadden wrote:

I am editing the local, thanks.

sa-update should not touch your local configuration file. Are you saying it is doing so?

Letting them know is fine and all, except the mail is still getting through my systems. I have noticed this on several of my MS gateways. The emails are blatant spam. This is for hundreds of emails. DNSWL thinks just because one yahoo/gmail/hotmail account is clean; all are. Does not make sense to me.

What upstream DNS are you using for your SA?

DNSWL has usage limits absent subscription, and if you're using a busy public DNS (e.g. Google's public DNS servers) for your queries then DNSWL may be returning HI for _all_ queries regardless of how the sender is actually classified in their database.

Does running your SA against a local caching DNS server that doesn't forward to an upstream DNS server change the behavior for these messages?

--
Jeremy McSpadden
Flux Labs, Inc


On Oct 30, 2011, at 12:54 PM, John Hardin wrote:

On Sun, 30 Oct 2011, Jeremy McSpadden wrote:

It seems nightly the rule is re-enabled.

Don't edit the files that are deep in the SpamAssassin working directories, they will get overwritten with updates as you have seen.

If you want to disable a rule, set its score to zero in your _local_ configuration file, typically under /etc/mail/spamassassin.

If you're getting spams from hosts in DNSWL HI, please let the DNSWL people know so they can deal with it. Either the source MTA needs to be cleaned up, or their listing demoted.






Re: Disable a Rule

Posted by John Hardin <jh...@impsec.org>.
On Sun, 30 Oct 2011, Jeremy McSpadden wrote:

> I am editing the local, thanks.

sa-update should not touch your local configuration file. Are you saying 
it is doing so?

> Letting them know is fine and all, except the mail is still getting 
> through my systems. I have noticed this on several of my MS gateways. 
> The emails are blatant spam. This is for hundreds of emails. DNSWL 
> thinks just because one yahoo/gmail/hotmail account is clean; all are. 
> Does not make sense to me.

What upstream DNS are you using for your SA?

DNSWL has usage limits absent subscription, and if you're using a busy 
public DNS (e.g. Google's public DNS servers) for your queries then DNSWL 
may be returning HI for _all_ queries regardless of how the sender is 
actually classified in their database.

Does running your SA against a local caching DNS server that doesn't 
forward to an upstream DNS server change the behavior for these messages?

> --
> Jeremy McSpadden
> Flux Labs, Inc
>
>
> On Oct 30, 2011, at 12:54 PM, John Hardin wrote:
>
> On Sun, 30 Oct 2011, Jeremy McSpadden wrote:
>
> It seems nightly the rule is re-enabled.
>
> Don't edit the files that are deep in the SpamAssassin working directories, they will get overwritten with updates as you have seen.
>
> If you want to disable a rule, set its score to zero in your _local_ configuration file, typically under /etc/mail/spamassassin.
>
> If you're getting spams from hosts in DNSWL HI, please let the DNSWL people know so they can deal with it. Either the source MTA needs to be cleaned up, or their listing demoted.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   ...the Fates notice those who buy chainsaws...
                                               -- www.darwinawards.com
-----------------------------------------------------------------------
  Tomorrow: Halloween
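As an added example (not code from the thread, from SpamAssassin or from dnswl.org): a small Python check that tells a throttled resolver apart from a healthy one, using the symptom John Hardin and Ned Slider describe: a resolver over dnswl.org's free usage limit gets HI back for everything, including addresses that are not listed at all. It assumes dnswl's 127.0.<category>.<trust> answer encoding (trust 0..3 = NONE/LOW/MED/HI, the octet SpamAssassin's RCVD_IN_DNSWL_* rules match on) and uses 98.126.47.12, the address the thread reports as "not whitelisted" yet scored HI, as the should-be-unlisted probe; the resolver function is injectable so the logic can be exercised offline.

```python
import ipaddress
import socket

# Trust level is the last octet of a 127.0.<category>.<trust> answer
# (assumed dnswl.org encoding); these are the values SpamAssassin's
# RCVD_IN_DNSWL_{NONE,LOW,MED,HI} rules key on.
TRUST_NAMES = {0: "NONE", 1: "LOW", 2: "MED", 3: "HI"}


def dnswl_query_name(ip, zone="list.dnswl.org"):
    """Build the RBL-style query name: reversed octets under the zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def trust_level(answer):
    """Map an A answer to NONE/LOW/MED/HI; None if unlisted or not a dnswl code."""
    if answer is None:
        return None
    parts = answer.split(".")
    if len(parts) != 4 or parts[0] != "127" or parts[1] != "0":
        return None
    try:
        return TRUST_NAMES.get(int(parts[3]))
    except ValueError:
        return None


def system_lookup(name):
    """Resolve with the host's configured resolver (/etc/resolv.conf);
    None on NXDOMAIN or any lookup failure, i.e. 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_resolver(probes, resolve=system_lookup):
    """probes maps IP -> expected trust (None = should be unlisted).

    Returns (over_limit, results). over_limit is True when every probe
    that should be unlisted still comes back HI, the tell-tale sign of a
    resolver that has exceeded dnswl.org's free limits. A resolver that
    is healthy returns None (NXDOMAIN) for those probes.
    """
    results = {ip: trust_level(resolve(dnswl_query_name(ip))) for ip in probes}
    should_be_unlisted = [ip for ip, exp in probes.items() if exp is None]
    over_limit = bool(should_be_unlisted) and all(
        results[ip] == "HI" for ip in should_be_unlisted
    )
    return over_limit, results


# Constructed probe set: the address the thread reports as not whitelisted
# in dnswl's web search while SpamAssassin scored it HI (status as of 2011).
PROBES = {"98.126.47.12": None}

if __name__ == "__main__":
    over, res = check_resolver(PROBES)
    print("resolver over free-usage limit:", over, res)
```

Run it on the SpamAssassin host itself, so the query goes through the same resolver SA uses; if it reports True, the fix is the one the thread gives (a local non-forwarding caching resolver, a data feed, or zeroing the DNSWL scores), not a rule edit.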

Re: Disable a Rule

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Sun, 2011-10-30 at 18:17 +0000, Jeremy McSpadden wrote:
> This is for hundreds of emails. DNSWL thinks just because one
> yahoo/gmail/hotmail account is clean; all are. Does not make sense to
> me.

I'd be surprised to see these listed in DNSWL high. Which IPs are these
precisely?

Also, what DNS server are you using?


> > On Sun, 30 Oct 2011, Jeremy McSpadden wrote:
> > > It seems nightly the rule is re-enabled.

Huh? Even if you did previously edit the default configuration rather
than site config, there were no daily updates. If your changes really got
reverted on a daily basis, there's something broken about your sa-update
process.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: Disable a Rule

Posted by Jeremy McSpadden <je...@fluxlabs.net>.
I am editing the local, thanks.

Letting them know is fine and all, except the mail is still getting through my systems. I have noticed this on several of my MS gateways. The emails are blatant spam.
This is for hundreds of emails. DNSWL thinks just because one yahoo/gmail/hotmail account is clean; all are. Does not make sense to me.
--
Jeremy McSpadden
Flux Labs, Inc


On Oct 30, 2011, at 12:54 PM, John Hardin wrote:

On Sun, 30 Oct 2011, Jeremy McSpadden wrote:

It seems nightly the rule is re-enabled.

Don't edit the files that are deep in the SpamAssassin working directories, they will get overwritten with updates as you have seen.

If you want to disable a rule, set its score to zero in your _local_ configuration file, typically under /etc/mail/spamassassin.

If you're getting spams from hosts in DNSWL HI, please let the DNSWL people know so they can deal with it. Either the source MTA needs to be cleaned up, or their listing demoted.






Re: Disable a Rule

Posted by John Hardin <jh...@impsec.org>.
On Sun, 30 Oct 2011, Jeremy McSpadden wrote:

> It seems nightly the rule is re-enabled.

Don't edit the files that are deep in the SpamAssassin working 
directories, they will get overwritten with updates as you have seen.

If you want to disable a rule, set its score to zero in your _local_ 
configuration file, typically under /etc/mail/spamassassin.

If you're getting spams from hosts in DNSWL HI, please let the DNSWL 
people know so they can deal with it. Either the source MTA needs to be 
cleaned up, or their listing demoted.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   ...the Fates notice those who buy chainsaws...
                                               -- www.darwinawards.com
-----------------------------------------------------------------------
  Tomorrow: Halloween