Posted to users@spamassassin.apache.org by Lawren Quigley-Jones <lq...@athenium.com> on 2010/09/17 16:55:11 UTC

injected headers are triggering dns whitelists

I've been repeatedly running into problems where dns white-lists have 
been causing false negatives in spam.  Valid looking headers are being 
injected at the beginning of emails which are tripping dns whitelists 
(see below).  As a result I've been slowly disabling dns whitelist rules:
score HABEAS_ACCREDITED_COI 0
score HABEAS_ACCREDITED_SOI 0
score RCVD_IN_DNSWL_MED 0
score RCVD_IN_BSP_TRUSTED 0
score RCVD_IN_DNSWL_HI 0

I'm running SpamAssassin on ubuntu hardy: spamassassin 3.2.4-1ubuntu1.2

   Has anyone else been seeing this?  Is this a mis-configuration on my 
part?  Is there anything I can do to get SpamAssassin to check only the 
last header and ignore anything below that?

===============================================

Return-Path: <al...@robinsins.com>
Received: from murder ([unix socket])
	 (authenticated user=postmaster bits=0)
	 by myservername (Cyrus v2.2.13-Debian-2.2.13-13ubuntu3) with LMTPA;
	 Fri, 17 Sep 2010 10:15:14 -0400
X-Sieve: CMU Sieve 2.2
Received: from X98.bbn07-081.lipetsk.ru (unknown [178.234.81.98])
	by myservername.athenium.com (Postfix) with ESMTP id D53E41D40B0
	for <ab...@athenium.com>; Fri, 17 Sep 2010 10:15:12 -0400 (EDT)
Received: from svtmail04.prod.sabre.com (svtmail00.prod.sabre.com 
[151.193.64.1])
	by server42.appriver.com with esmtp
	id 3651BD-000812-22
	for abuse@athenium.com; Fri, 17 Sep 2010 18:15:01 +0300
Received: from microsof56e61a (10.208.60.9:76737) by 
svtmail09.prod.sabre.com (LSMTP for Windows NT v1.1b) with SMTP id 
<9....@svtmail08.prod.sabre.com>; Fri, 17 Sep 2010 18:15:01 +0300
Date: Fri, 17 Sep 2010 18:15:01 +0300
From: "Jerry Burton" <al...@robinsins.com>
To: abuse@athenium.com
Message-ID: <94...@microsof56e61a>
Subject: Re: Vacation
MIME-Version: 1.0
Content-Type: multipart/mixed;
   boundary="----=_Part_7403571_82314638.3159918817094"
X-Virus-Scanned: clamav-milter 0.95.3 at myservername
X-Virus-Status: Clean
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_99,HTML_MESSAGE,
	RCVD_IN_DNSWL_HI,SPF_SOFTFAIL,UNPARSEABLE_RELAY autolearn=no version=3.2.4
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on
	myservername.xxx.athenium.com

====================================================

Re: injected headers are triggering dns whitelists

Posted by Benny Pedersen <me...@junc.org>.
On Fri 17 Sep 2010 16:55:11 CEST, Lawren Quigley-Jones wrote
> I'm running SpamAssassin on ubuntu hardy: spamassassin 3.2.4-1ubuntu1.2

is this a joke ?

:)

-- 
xpoint http://www.unicom.com/pw/reply-to-harmful.html


Re: injected headers are triggering dns whitelists

Posted by "Sergey Tsabolov ( aka linuxman )" <se...@greeklug.gr>.

On 17/09/2010 09:21 PM, Neil Lazarow wrote:
> Sergey Tsabolov ( aka linuxman ) wrote:
>>
>>
>> On 17/09/2010 05:55 PM, Lawren Quigley-Jones wrote:
>>> I've been repeatedly running into problems where dns white-lists 
>>> have been causing false negatives in spam. Valid looking headers are 
>>> being injected at the beginning of emails which are tripping dns 
>>> whitelists (see below). As a result I've been slowly disabling dns 
>>> whitelist rules:
>>> score HABEAS_ACCREDITED_COI 0
>>> score HABEAS_ACCREDITED_SOI 0
>>> score RCVD_IN_DNSWL_MED 0
>>> score RCVD_IN_BSP_TRUSTED 0
>>> score RCVD_IN_DNSWL_HI 0
>>>
>>> I'm running SpamAssassin on ubuntu hardy: spamassassin 3.2.4-1ubuntu1.2
>> You must upgrade it this way:
>> http://mail-archives.apache.org/mod_mbox/spamassassin-users/201009.mbox/browser
>>
>> And afterwards you can change the configuration.
>> The first step is to upgrade.
>>>
>>> Has anyone else been seeing this? Is this a mis-configuration on my 
>>> part? Is there anything I can do to get SpamAssassin to check only 
>>> the last header and ignore anything below that?
>>>
>>> ===============================================
>>>
>>> Return-Path: <al...@robinsins.com>
>>> Received: from murder ([unix socket])
>>> (authenticated user=postmaster bits=0)
>>> by myservername (Cyrus v2.2.13-Debian-2.2.13-13ubuntu3) with LMTPA;
>>> Fri, 17 Sep 2010 10:15:14 -0400
>>> X-Sieve: CMU Sieve 2.2
>>> Received: from X98.bbn07-081.lipetsk.ru (unknown [178.234.81.98])
>>> by myservername.athenium.com (Postfix) with ESMTP id D53E41D40B0
>>> for <ab...@athenium.com>; Fri, 17 Sep 2010 10:15:12 -0400 (EDT)
>>> Received: from svtmail04.prod.sabre.com (svtmail00.prod.sabre.com 
>>> [151.193.64.1])
>>> by server42.appriver.com with esmtp
>>> id 3651BD-000812-22
>>> for abuse@athenium.com; Fri, 17 Sep 2010 18:15:01 +0300
>>> Received: from microsof56e61a (10.208.60.9:76737) by 
>>> svtmail09.prod.sabre.com (LSMTP for Windows NT v1.1b) with SMTP id 
>>> <9....@svtmail08.prod.sabre.com>; Fri, 17 Sep 2010 18:15:01 +0300
>>> Date: Fri, 17 Sep 2010 18:15:01 +0300
>>> From: "Jerry Burton" <al...@robinsins.com>
>>> To: abuse@athenium.com
>>> Message-ID: <94...@microsof56e61a>
>>> Subject: Re: Vacation
>>> MIME-Version: 1.0
>>> Content-Type: multipart/mixed;
>>> boundary="----=_Part_7403571_82314638.3159918817094"
>>> X-Virus-Scanned: clamav-milter 0.95.3 at myservername
>>> X-Virus-Status: Clean
>>> X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_99,HTML_MESSAGE,
>>> RCVD_IN_DNSWL_HI,SPF_SOFTFAIL,UNPARSEABLE_RELAY autolearn=no 
>>> version=3.2.4
>>> X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on
>>> myservername.xxx.athenium.com
>>>
>>> ====================================================
>>
> I have been getting some of those as well.  I tried adjusting the 
> RCVD_IN_DNSWL rules to half of
> their default values to reduce their effect on the spam score, but am 
> not sure how much of an
> effect that will have yet.
>
Why, did you find something not normal?

-- 
--------------------------------------------------------------------------------------
Don't send me documents in .doc, .docx, .xls, .ppt, .pptx
Send them in ODF format: .odt, .odp, .ods or .pdf.
Try to use Open Document Format: http://www.openoffice.org/
Save your money & use a GNU/Linux distro http://distrowatch.com/
-----------------------------------------------------------------------------------------


Re: injected headers are triggering dns whitelists

Posted by "Sergey Tsabolov ( aka linuxman )" <se...@greeklug.gr>.

On 17/09/2010 05:55 PM, Lawren Quigley-Jones wrote:
> I've been repeatedly running into problems where dns white-lists have 
> been causing false negatives in spam. Valid looking headers are being 
> injected at the beginning of emails which are tripping dns whitelists 
> (see below). As a result I've been slowly disabling dns whitelist rules:
> score HABEAS_ACCREDITED_COI 0
> score HABEAS_ACCREDITED_SOI 0
> score RCVD_IN_DNSWL_MED 0
> score RCVD_IN_BSP_TRUSTED 0
> score RCVD_IN_DNSWL_HI 0
>
> I'm running SpamAssassin on ubuntu hardy: spamassassin 3.2.4-1ubuntu1.2
You must upgrade it this way:
http://mail-archives.apache.org/mod_mbox/spamassassin-users/201009.mbox/browser
And afterwards you can change the configuration.
The first step is to upgrade.
>
> Has anyone else been seeing this? Is this a mis-configuration on my 
> part? Is there anything I can do to get SpamAssassin to check only the 
> last header and ignore anything below that?
>
> ===============================================
>
> Return-Path: <al...@robinsins.com>
> Received: from murder ([unix socket])
> (authenticated user=postmaster bits=0)
> by myservername (Cyrus v2.2.13-Debian-2.2.13-13ubuntu3) with LMTPA;
> Fri, 17 Sep 2010 10:15:14 -0400
> X-Sieve: CMU Sieve 2.2
> Received: from X98.bbn07-081.lipetsk.ru (unknown [178.234.81.98])
> by myservername.athenium.com (Postfix) with ESMTP id D53E41D40B0
> for <ab...@athenium.com>; Fri, 17 Sep 2010 10:15:12 -0400 (EDT)
> Received: from svtmail04.prod.sabre.com (svtmail00.prod.sabre.com 
> [151.193.64.1])
> by server42.appriver.com with esmtp
> id 3651BD-000812-22
> for abuse@athenium.com; Fri, 17 Sep 2010 18:15:01 +0300
> Received: from microsof56e61a (10.208.60.9:76737) by 
> svtmail09.prod.sabre.com (LSMTP for Windows NT v1.1b) with SMTP id 
> <9....@svtmail08.prod.sabre.com>; Fri, 17 Sep 2010 18:15:01 +0300
> Date: Fri, 17 Sep 2010 18:15:01 +0300
> From: "Jerry Burton" <al...@robinsins.com>
> To: abuse@athenium.com
> Message-ID: <94...@microsof56e61a>
> Subject: Re: Vacation
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
> boundary="----=_Part_7403571_82314638.3159918817094"
> X-Virus-Scanned: clamav-milter 0.95.3 at myservername
> X-Virus-Status: Clean
> X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_99,HTML_MESSAGE,
> RCVD_IN_DNSWL_HI,SPF_SOFTFAIL,UNPARSEABLE_RELAY autolearn=no 
> version=3.2.4
> X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on
> myservername.xxx.athenium.com
>
> ====================================================



Re: injected headers are triggering dns whitelists

Posted by Bowie Bailey <Bo...@BUC.com>.
 On 9/17/2010 10:55 AM, Lawren Quigley-Jones wrote:
> I've been repeatedly running into problems where dns white-lists have
> been causing false negatives in spam.  Valid looking headers are being
> injected at the beginning of emails which are tripping dns whitelists
> (see below).  As a result I've been slowly disabling dns whitelist rules:
> score HABEAS_ACCREDITED_COI 0
> score HABEAS_ACCREDITED_SOI 0
> score RCVD_IN_DNSWL_MED 0
> score RCVD_IN_BSP_TRUSTED 0
> score RCVD_IN_DNSWL_HI 0
>
> I'm running SpamAssassin on ubuntu hardy: spamassassin 3.2.4-1ubuntu1.2
>
>   Has anyone else been seeing this?  Is this a mis-configuration on my
> part?  Is there anything I can do to get SpamAssassin to check only
> the last header and ignore anything below that?

If you have your trusted_networks and internal_networks set properly,
then the whitelists should only fire on trusted headers.  If you do not
specify these, then SA will take its best guess.

Fake headers inserted by the sender should not affect a properly
configured SA.

-- 
Bowie
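
Added example, not part of the original thread and not SpamAssassin's own code: a simplified Python model of the trust boundary described in the reply above, run over the Received headers of the sample message. The trusted network 127.0.0.0/8 and the one-entry whitelist set are assumptions made for illustration; the function names are hypothetical.

```python
import ipaddress
import re
from email import message_from_string

# Received headers from the sample message in this thread, top-down (abridged).
SAMPLE = """\
Received: from murder ([unix socket])
    by myservername (Cyrus v2.2.13-Debian-2.2.13-13ubuntu3) with LMTPA;
    Fri, 17 Sep 2010 10:15:14 -0400
Received: from X98.bbn07-081.lipetsk.ru (unknown [178.234.81.98])
    by myservername.athenium.com (Postfix) with ESMTP id D53E41D40B0;
    Fri, 17 Sep 2010 10:15:12 -0400 (EDT)
Received: from svtmail04.prod.sabre.com (svtmail00.prod.sabre.com
    [151.193.64.1]) by server42.appriver.com with esmtp id 3651BD-000812-22;
    Fri, 17 Sep 2010 18:15:01 +0300
Received: from microsof56e61a (10.208.60.9:76737) by
    svtmail09.prod.sabre.com (LSMTP for Windows NT v1.1b) with SMTP;
    Fri, 17 Sep 2010 18:15:01 +0300
Subject: Re: Vacation

body
"""

# An IPv4 address that directly follows "[" or "(" in a Received header.
RELAY_IP = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})")

def relay_ips(raw):
    """Connecting IP recorded by each Received header, top-down (None if absent)."""
    values = message_from_string(raw).get_all("Received", [])
    found = [RELAY_IP.search(v) for v in values]
    return [m.group(1) if m else None for m in found]

def split_at_trust_boundary(raw, trusted_networks):
    """Return (first relay IP outside our networks, IPs claimed below it)."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    ips = relay_ips(raw)
    for i, ip in enumerate(ips):
        if ip is None:
            continue  # local hand-off (unix socket) written by our own host
        if not any(ipaddress.ip_address(ip) in n for n in nets):
            # Recorded by our own MX, so reliable; headers below it were
            # supplied by that relay and cannot be verified.
            return ip, [x for x in ips[i + 1:] if x]
    return None, []

def whitelist_hits(raw, trusted_networks, whitelist):
    """Hits when every Received IP is checked vs. only the boundary IP."""
    boundary, below = split_at_trust_boundary(raw, trusted_networks)
    naive = [ip for ip in [boundary, *below] if ip in whitelist]
    scoped = [ip for ip in [boundary] if ip in whitelist]
    return naive, scoped
```

With the constructed whitelist {"151.193.64.1"}, checking every header produces a hit on the sender-supplied header, while checking only the boundary IP 178.234.81.98 produces none.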