Posted to users@spamassassin.apache.org by Jeremy Morton <ad...@game-point.net> on 2012/05/24 11:14:11 UTC

Suddenly getting lots of false positives.

I've gotten a lot of false positives coming into my inbox lately, and 
the principal reason for most of them seems to be that they are matching 
the following rule:
-4.0 RCVD_IN_DNSWL_MED      RBL: Sender listed at http://www.dnswl.org/, medium trust

I'm not sure why they're matching this rule, so I thought I'd ask you 
guys to see whether you could figure it out.  Here's a sample message 
that made it through my spam filter, which is definitely spam (note that 
I have it configured to attach X-Spam-Report to every message so I can 
see why it was NOT marked as spam):

==================================================
 From - Wed May 23 10:53:41 2012
X-Account-Key: account2
X-UIDL: UID308596-1160697276
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys: 

Return-path: <ni...@etisbew.com>
Envelope-to: bugzilla@game-point.net
Delivery-date: Wed, 23 May 2012 10:37:58 +0100
Received: from [59.94.13.26]
	by ip.game-point.net with esmtp (Exim 4.69)
	(envelope-from <ni...@etisbew.com>)
	id 1SX80z-0005qn-7r
	for bugzilla@game-point.net; Wed, 23 May 2012 10:37:58 +0100
Received: from apache by etisbew.com with local (Exim 4.63)
	(envelope-from <sp...@realliving.com>)
	id A10PD7-HLT0O1-68
	for bugzilla@game-point.net; Wed, 23 May 2012 15:07:55 +0530
To: bugzilla@game-point.net
Subject: Good afternoon,
Date: Wed, 23 May 2012 15:07:55 +0530
From: "Stella Cotton" <ni...@etisbew.com>
Message-ID: <74...@etisbew.com>
X-Priority: 3
X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net)
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="------------03070800307080108050505"
X-Spam-Status: No, score=0.7
X-Spam-Score: 7
X-Spam-Bar: /
X-Spam-Flag: NO
X-Spam-Report: Spam detection software, running on the system 
"ip.game-point.net", has
	identified this incoming email as possible spam.  The original message
	has been attached to this so you can view it (if it isn't spam) or label
	similar future email.  If you have any questions, see
	the administrator of that system for details.
	Content preview:  It is what a man needs to overcome the most delicate 
problem.
	Your power and strength of your porksword will please her! Make your body
	as strong as your spirit is!Click It is what a man needs to overcome the
	most delicate problem. Your power and strength of your porksword will 
please
	her! Make your body as strong as your spirit is! [...]
	Content analysis details:   (0.7 points, 3.0 required)
	pts rule name              description
	---- ---------------------- 
--------------------------------------------------
	1.5 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
	[URIs: bestinternetdancer.com]
	1.5 URIBL_JP_SURBL         Contains an URL listed in the JP SURBL blocklist
	[URIs: bestinternetdancer.com]
	-4.0 RCVD_IN_DNSWL_MED      RBL: Sender listed at 
http://www.dnswl.org/, medium
	trust
	[59.94.13.26 listed in list.dnswl.org]
	0.9 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP 
address
	[59.94.13.26 listed in dnsbl.sorbs.net]
	0.6 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
	0.2 BAYES_60               BODY: Bayesian spam probability is 60 to 80%
	[score: 0.6609]
	0.0 HTML_MESSAGE           BODY: HTML included in message

This is a multi-part message in MIME format.
--------------03070800307080108050505
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="iso-8859-2"

It is what a man needs to overcome the most delicate problem. Your power 
and strength of your porksword will please her! Make your body as strong 
as your spirit is!Click							

--------------03070800307080108050505
Content-Transfer-Encoding: 7bit
Content-Type: text/html; charset="us-ascii"

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=windows-1250">
<STYLE></STYLE>
</HEAD>
<BODY>
<div style="width:600px;">
<div style="background: none repeat scroll 0 0 #FDF3F0; border-top: 3px 
solid #E7431D; padding: 25px;">
<div style="font-size: 180%;">

<em>It is what a man needs to overcome the most delicate problem. 
<br>Your power and strength of your porksword will please her! <br>Make 
your body as strong as your spirit is!</em>
</div>
</div>
<div id="nav" style="background: none repeat scroll 0 0 #4D4D4F; 
font-size: 90%; line-height: 40px;">
<a style="color: #FFFFFF; padding: 12px 25px;" 
href="http://pijqasos.bestinternetdancer.com/page.html?Wsl7zrBeopsqjfqBjDy27csllzE">Click</a> 
						
</div>
</div>
</BODY></HTML>
--------------03070800307080108050505--
==================================================


Any ideas why the sender would be in the dnswl with medium trust?  I did 
recently change my machine's hostname to ip.game-point.net.

-- 
Best regards,
Jeremy Morton (Jez)

Re: Suddenly getting lots of false positives.

Posted by Benny Pedersen <me...@junc.org>.
On 2012-05-24 16:06, Kevin A. McGrail wrote:

> Normally, I blame a DNS server.  See pages like this for more 
> information:
>
> http://www.surbl.org/faqs#dnsproxy

surbl.org is one of the problematic DNS servers for me; I sent an email 
about it to surbl and got nothing in return

> Darxus, you wrote a good wiki about using other DNS servers, etc.
> somewhere I thought about but I can't find it.
>
> In general, I recommend running your own caching nameserver.

a local DNS server is good as long as remote servers don't reject queries 
from dynamic IPs [1]

1: dig +trace surbl.org
2: dig +tcp +norecurse @ns100.surbl.org surbl.org any
3: dig +notcp +norecurse @ns100.surbl.org surbl.org any

none of them should be rejected

[1] dynamic in the sense that for an IP it's hard to know if it's static

Re: Suddenly getting lots of false positives.

Posted by Benny Pedersen <me...@junc.org>.
On 2012-05-24 17:22, Jeremy Morton wrote:
> Not sure.  I get this:
>
> http://pastebin.com/0U3WrgSS

this is working as designed, no refused or errors; if it's not working 
again then report it as such, with a +trace, and report the last NS that 
fails, if it does

Re: Suddenly getting lots of false positives.

Posted by "corpus.defero" <co...@idnet.com>.
On Thu, 2012-05-24 at 16:22 +0100, Jeremy Morton wrote:
> Not sure.  I get this:
> 
> http://pastebin.com/0U3WrgSS
> 
The answer is at the bottom:

40.152.71.64.list.dnswl.org. 43200 IN   A       127.0.6.3
;; Received 61 bytes from 208.67.172.131#53(c.ns.dnswl.org) in 76 ms

So, according to c.ns.dnswl.org it's a hit.

And if we do:

dig +short @208.67.172.131 40.152.71.64.list.dnswl.org
127.0.6.3

It appears to be a hit.

Re: Suddenly getting lots of false positives.

Posted by Jeremy Morton <ad...@game-point.net>.
Not sure.  I get this:

http://pastebin.com/0U3WrgSS

-- 
Best regards,
Jeremy Morton (Jez)

On 24/05/2012 16:12, Benny Pedersen wrote:
> On 2012-05-24 17:03, Jeremy Morton wrote:
>> Nope, but it doesn't actually give an answer section as part of its
>> output.
>
> where did it time out or get rejected? where in the DNS chain is it failing?
>
>
>

Re: Suddenly getting lots of false positives.

Posted by Benny Pedersen <me...@junc.org>.
On 2012-05-24 17:03, Jeremy Morton wrote:
> Nope, but it doesn't actually give an answer section as part of its 
> output.

where did it time out or get rejected? where in the DNS chain is it failing?



Re: Suddenly getting lots of false positives.

Posted by Jeremy Morton <ad...@game-point.net>.
Nope, but it doesn't actually give an answer section as part of its output.

-- 
Best regards,
Jeremy Morton (Jez)

On 24/05/2012 16:06, Benny Pedersen wrote:
> On 2012-05-24 16:41, Jeremy Morton wrote:
>
>> I actually get:
>> Host 40.152.71.64.list.dnswl.org not found: 5(REFUSED)
>
> dig +trace 40.152.71.64.list.dnswl.org
>
> refused ?
>
>
>
>

Re: Suddenly getting lots of false positives.

Posted by Benny Pedersen <me...@junc.org>.
On 2012-05-24 16:41, Jeremy Morton wrote:

> I actually get:
> Host 40.152.71.64.list.dnswl.org not found: 5(REFUSED)

dig +trace 40.152.71.64.list.dnswl.org

refused ?

Re: Suddenly getting lots of false positives.

Posted by Jeremy Morton <ad...@game-point.net>.
On 24/05/2012 15:30, darxus@chaosreigns.com wrote:
> On 05/24, Kevin A. McGrail wrote:
>> Normally, I blame a DNS server.  See pages like this for more information:
>>
>> http://www.surbl.org/faqs#dnsproxy
>
> Yup, that could do it.  Icky.
>
> Jeremy: You could manually check if you're getting the wrong DNS results by
> running:
>
> $ host 26.13.94.59.list.dnswl.org
> Host 26.13.94.59.list.dnswl.org not found: 3(NXDOMAIN)

I actually get:
Host 40.152.71.64.list.dnswl.org not found: 5(REFUSED)

-- 
Best regards,
Jeremy Morton (Jez)

Re: Suddenly getting lots of false positives.

Posted by da...@chaosreigns.com.
On 05/24, Kevin A. McGrail wrote:
> Normally, I blame a DNS server.  See pages like this for more information:
> 
> http://www.surbl.org/faqs#dnsproxy

Yup, that could do it.  Icky.  

Jeremy: You could manually check if you're getting the wrong DNS results by
running:

$ host 26.13.94.59.list.dnswl.org
Host 26.13.94.59.list.dnswl.org not found: 3(NXDOMAIN)

(IP address reversed, then .list.dnswl.org.)

If an IP address is listed (as that one should not be), you'll see
something like:

$ host 40.152.71.64.list.dnswl.org
40.152.71.64.list.dnswl.org has address 127.0.6.3

> Darxus, you wrote a good wiki about using other DNS servers, etc. somewhere I thought about but I can't find it.

I did?  Are you thinking of
https://wiki.apache.org/spamassassin/CachingNameserver ?  I didn't write
it.

> In general, I recommend running your own caching nameserver.

Yup. 

-- 
"Safe is anywhere a hungry person can't walk in three days." - John Titor
http://www.ChaosReigns.com
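The manual check described above (reverse the octets, append .list.dnswl.org, look at the answer), turned into a small script. This is an added example, not code from the thread or from dnswl.org. It builds the query name, decodes a 127.0.<category>.<trust> answer into a trust level and the matching RCVD_IN_DNSWL_* rule (the trust-octet mapping 1/2/3 = low/medium/high is dnswl.org's published scheme as used by SpamAssassin's rules; the page itself does not state it, and the category octet is left numeric), and keeps NXDOMAIN ("not listed") distinct from a REFUSED or timed-out query, so a broken resolver, the suspect in this thread, is never reported as a clean result. The resolver is injectable; `fake_resolver` and its answer table are constructed so the script can be exercised offline, and the function names are mine.

```python
import ipaddress
import socket

# dnswl.org answers 127.0.<category>.<trust>; the trust octet drives the
# SpamAssassin RCVD_IN_DNSWL_* rules (dnswl.org's published scheme, not a
# value taken from this thread). The category octet is kept numeric here.
TRUST_LEVELS = {0: "none", 1: "low", 2: "medium", 3: "high"}
SA_RULES = {1: "RCVD_IN_DNSWL_LOW", 2: "RCVD_IN_DNSWL_MED", 3: "RCVD_IN_DNSWL_HI"}


def query_name(ip, zone="list.dnswl.org"):
    """Octets of an IPv4 address reversed, then the list zone appended."""
    addr = ipaddress.IPv4Address(ip)  # ValueError on anything that is not IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def decode_answer(answer):
    """Map a 127.0.x.y answer to category/trust/rule; None if the answer is
    not a dnswl listing code (a wildcard or poisoned answer, for instance)."""
    try:
        octets = [int(o) for o in answer.split(".")]
    except ValueError:
        return None
    if len(octets) != 4 or octets[:2] != [127, 0] or octets[3] not in TRUST_LEVELS:
        return None
    category, trust = octets[2], octets[3]
    return {"category": category, "trust": TRUST_LEVELS[trust], "rule": SA_RULES.get(trust)}


def system_resolver(name):
    """Resolver backed by the OS. Returns None for NXDOMAIN; any other failure
    (timeout, SERVFAIL, REFUSED) propagates as an OSError so the caller can
    tell 'not listed' from 'could not ask'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror as err:
        if err.errno == socket.EAI_NONAME:  # glibc's code for a non-existent name
            return None
        raise


# Constructed answer table standing in for the network (not real lookups);
# the listed entry mirrors the example darxus gave above.
FAKE_TABLE = {
    "40.152.71.64.list.dnswl.org": "127.0.6.3",
    "26.13.94.59.list.dnswl.org": None,  # None stands for NXDOMAIN
}


def fake_resolver(name):
    """Offline stand-in for system_resolver; unknown names fail like the
    REFUSED seen in this thread."""
    if name not in FAKE_TABLE:
        raise OSError("REFUSED")
    return FAKE_TABLE[name]


def check_ip(ip, resolver=system_resolver):
    """Classify an IP as listed / not listed / resolver error, never
    collapsing a resolver failure into 'not listed'."""
    name = query_name(ip)
    try:
        answer = resolver(name)
    except OSError as err:
        return {"name": name, "status": "resolver error", "detail": str(err)}
    if answer is None:
        return {"name": name, "status": "not listed"}
    decoded = decode_answer(answer)
    if decoded is None:
        return {"name": name, "status": "unexpected answer", "answer": answer}
    return {"name": name, "status": "listed", "answer": answer, **decoded}


if __name__ == "__main__":
    # 192.0.2.1 is a documentation address and is absent from the fake table,
    # so it exercises the resolver-error path.
    for ip in ("64.71.152.40", "59.94.13.26", "192.0.2.1"):
        print(check_ip(ip, fake_resolver))
```

Calling `check_ip("59.94.13.26")` with the default `system_resolver` does a live lookup through whatever resolver the host is configured with, which is exactly the component under suspicion here; comparing that result with a `dig +trace` of the same name shows whether the local resolver or the zone is giving the surprising answer.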

Re: Suddenly getting lots of false positives.

Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
On 5/24/2012 10:02 AM, darxus@chaosreigns.com wrote:
> On 05/24, Jeremy Morton wrote:
>> 	-4.0 RCVD_IN_DNSWL_MED      RBL: Sender listed at
>> http://www.dnswl.org/, medium
>> 	trust
>> 	[59.94.13.26 listed in list.dnswl.org]
> I don't think this was ever actually listed by dnswl.org.  I have
> archives back to last June, which don't show it, and in the dnswl.org
> admin interface when a listing is removed it is generally deactivated, not
> deleted - and there is nothing there.
>
> That leaves interesting possibilities.  I'd start by running this email
> through spamassassin again to see if it repeatably says this IP is listed
> by dnswl.  SpamAssassin could be doing something wrong, a DNS server
> somewhere could be doing something wrong....
Normally, I blame a DNS server.  See pages like this for more information:

http://www.surbl.org/faqs#dnsproxy

Darxus, you wrote a good wiki about using other DNS servers, etc. somewhere I thought about but I can't find it.

In general, I recommend running your own caching nameserver.

Regards,
KAM


Re: Suddenly getting lots of false positives.

Posted by da...@chaosreigns.com.
On 05/24, Jeremy Morton wrote:
> 	-4.0 RCVD_IN_DNSWL_MED      RBL: Sender listed at
> http://www.dnswl.org/, medium
> 	trust
> 	[59.94.13.26 listed in list.dnswl.org]

I don't think this was ever actually listed by dnswl.org.  I have
archives back to last June, which don't show it, and in the dnswl.org
admin interface when a listing is removed it is generally deactivated, not
deleted - and there is nothing there.

That leaves interesting possibilities.  I'd start by running this email
through spamassassin again to see if it repeatably says this IP is listed
by dnswl.  SpamAssassin could be doing something wrong, a DNS server
somewhere could be doing something wrong.... 

And it might be useful to provide more examples.  Just IPs might be best.
And generally we prefer you provide spams via pastebin instead of including
them in emails to this list.

-- 
"For gasoline vapor, the explosive range is from 1.3 to 6.0% vapor
to air...useful against soft targets such as...armored vehicles...and
bunkers." - http://www.fas.org/man/dod-101/sys/dumb/fae.htm
http://www.ChaosReigns.com

Re: Suddenly getting lots of false positives.

Posted by Jeremy Morton <ad...@game-point.net>.
On 24/05/2012 10:37, corpus.defero wrote:
> But that's just my default settings on every instance of SA that I work
> on. Sometimes I add points for Return Path as it seems to help BLOCK
> spam rather than pass ham - but that's a can of worms and a different
> subject.

Ham, spam, and worms.  Sounds like something from a Monty Python sketch.

-- 
Best regards,
Jeremy Morton (Jez)

Re: Suddenly getting lots of false positives.

Posted by Benny Pedersen <me...@junc.org>.
On 2012-05-24 11:37, corpus.defero wrote:

> I'm not 100% but isn't http://www.dnswl.org/ a 'DIY' whitelisting 
> site
> that anyone can kind of abuse?

as long as users can report spamming IPs as well as get listed for not 
sending spam at all, it's fine with me that some use it; for myself it's 
a way to know if I have users sending spam as well

Re: Suddenly getting lots of false positives.

Posted by "corpus.defero" <co...@idnet.com>.
On Thu, 2012-05-24 at 11:11 +0100, Jeremy Morton wrote:
> Where would the rules for these blocklists be, so I can check my rules 
> files to see whether they're there?
> 
In later rulesets (forget when they added it) it looks something like
this:

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_BRBL_LASTEXT eval:check_rbl('brbl-lastexternal','bb.barracudacentral.org')
tflags RCVD_IN_BRBL_LASTEXT   net
endif


And tends to live in 72_active.cf


Grep for it with:
grep -Hl -r "RCVD_IN_BRBL_LASTEXT" /usr/share/spamassassin/*
or
grep -Hl -r "RCVD_IN_BRBL_LASTEXT" /*
if you get stuck (it's slow this way, but if you don't know where your
rules are, this will tell you if it's there or not)

If it's not there just add it to your local.cf file with something like
this:

header   BARRACUDA_BL   eval:check_rbl('Barracuda', 'b.barracudacentral.org.')
describe BARRACUDA_BL   listed by BARRACUDA
tflags   BARRACUDA_BL   net
score    BARRACUDA_BL   4.5

It's also worth adding that taking out the Spamhaus WHITELIST is worth
doing - it's rubbish and wastes a DNS lookup:

score DKIMDOMAIN_IN_DWL 0

On the subject of Spamhaus, if you are using big name resolvers (like
Google DNS servers or similar) then you will not get reliable results.
Spamhaus decided to block these and always return clear even if the IP
address is on one of their lists. Personally I've lost most of my
respect for Spamhaus, and find the Barracuda list much, much better in
any case.

Re: Suddenly getting lots of false positives.

Posted by Niamh Holding <ni...@fullbore.co.uk>.
Hello Jeremy,

Thursday, May 24, 2012, 11:11:22 AM, you wrote:

JM> Where would the rules for these blocklists be, so I can check my rules
JM> files to see whether they're there?

Mine are in  /var/lib/spamassassin/3.003002/updates_spamassassin_org

-- 
Best regards,
 Niamh                            mailto:niamh@fullbore.co.uk

Re: Suddenly getting lots of false positives.

Posted by Jeremy Morton <ad...@game-point.net>.
Where would the rules for these blocklists be, so I can check my rules 
files to see whether they're there?

-- 
Best regards,
Jeremy Morton (Jez)

On 24/05/2012 11:09, Niamh Holding wrote:
>
> Hello Jeremy,
>
> Thursday, May 24, 2012, 10:53:33 AM, you wrote:
>
> JM>  Interesting that they didn't show up in my SpamAssassin headers; do you
> JM>  think I need to add some extra rules for these blocklists?
>
> Maybe the listings came after you got your email?
>

Re: Suddenly getting lots of false positives.

Posted by Niamh Holding <ni...@fullbore.co.uk>.
Hello Jeremy,

Thursday, May 24, 2012, 10:53:33 AM, you wrote:

JM> Interesting that they didn't show up in my SpamAssassin headers; do you
JM> think I need to add some extra rules for these blocklists?

Maybe the listings came after you got your email?

-- 
Best regards,
 Niamh                            mailto:niamh@fullbore.co.uk

Re: Suddenly getting lots of false positives.

Posted by Jeremy Morton <ad...@game-point.net>.

On 24/05/2012 10:37, corpus.defero wrote:
> On Thu, 2012-05-24 at 10:14 +0100, Jeremy Morton wrote:
>> I've gotten a lot of false positives coming into my inbox lately, and
>> the principal reason for most of them seems to be that they are matching
>> the following rule:
>> -4.0 RCVD_IN_DNSWL_MED      RBL: Sender listed at http://www.dnswl.org/,
>> medium trust
>>
>
> Given the connecting IP is listed with a number of anti-spam
> blocklists:
>
> 59.94.13.26 Listed in Spamhaus XBL (CBL Data)
> 59.94.13.26 Listed in Spamhaus PBL (ISP Maintained)
> 59.94.13.26 Listed in Barracuda Reputation List
> 59.94.13.26 Listed in dul.dnsbl.sorbs.net
> 59.94.13.26 Listed in UCE PROTECT LEVEL 2
> 59.94.13.26 Listed in UCE PROTECT LEVEL 3
>

Interesting that they didn't show up in my SpamAssassin headers; do you 
think I need to add some extra rules for these blocklists?  Why would I 
not currently have these rules set up; don't they come with a default SA 
install?

-- 
Best regards,
Jeremy Morton (Jez)

Re: Suddenly getting lots of false positives.

Posted by da...@chaosreigns.com.
On 05/24, corpus.defero wrote:
> I'm not 100% but isn't http://www.dnswl.org/ a 'DIY' whitelisting site
> that anyone can kind of abuse?

No.

I'm a (basically inactive) dnswl.org admin.  

Anybody can request to be added to the list, but all changes get looked
over pretty thoroughly by a human, using lots of available data.  

> The rule is tucked away in 72_active.cf, along with the other 'pay to
> spam' whitelists from the likes of Return Path. I suggest you add this

Listing on dnswl.org does not involve payment, it is not a 'pay to spam'
whitelist.

-- 
"You will need: a big heavy rock, something with a bit of a swing to it...
perhaps Mars" - How to destroy the Earth
http://www.ChaosReigns.com

Re: Suddenly getting lots of false positives.

Posted by "corpus.defero" <co...@idnet.com>.
On Thu, 2012-05-24 at 10:14 +0100, Jeremy Morton wrote:
> I've gotten a lot of false positives coming into my inbox lately, and 
> the principal reason for most of them seems to be that they are matching 
> the following rule:
> -4.0 RCVD_IN_DNSWL_MED      RBL: Sender listed at http://www.dnswl.org/, 
> medium trust
> 

Given the connecting IP is listed with a number of anti-spam
blocklists:

59.94.13.26 Listed in Spamhaus XBL (CBL Data)
59.94.13.26 Listed in Spamhaus PBL (ISP Maintained)
59.94.13.26 Listed in Barracuda Reputation List
59.94.13.26 Listed in dul.dnsbl.sorbs.net
59.94.13.26 Listed in UCE PROTECT LEVEL 2
59.94.13.26 Listed in UCE PROTECT LEVEL 3

and that

bestinternetdancer.com

is listed in the Spamhaus domain block list & the multi.uribl.com block list,
you'd have to wonder why it gets a reduction from www.dnswl.org

I'm not 100% but isn't http://www.dnswl.org/ a 'DIY' whitelisting site
that anyone can kind of abuse?

The rule is tucked away in 72_active.cf, along with the other 'pay to
spam' whitelists from the likes of Return Path. I suggest you add this
to your local.cf to deal with such abuse:

score RCVD_IN_DNSWL_MED 0
score RCVD_IN_RP_CERTIFIED 0
score RCVD_IN_RP_SAFE 0

But that's just my default settings on every instance of SA that I work
on. Sometimes I add points for Return Path as it seems to help BLOCK
spam rather than pass ham - but that's a can of worms and a different
subject.

Re: Suddenly getting lots of false positives.

Posted by RW <rw...@googlemail.com>.
On Sat, 26 May 2012 22:44:54 +0200
Wolfgang Zeikat wrote:

> In an older episode, on 2012-05-26 22:38, Wolfgang Zeikat wrote:
> 
> > We had so many false positives
> 
> Oops, I used your term "false positives" by accident. I and many
> others tend to call false ham classifications
> false negatives
> (negative scores change the classification towards ham)

It depends on context. He was originally wrong because he wrote
that he was getting false positives in his inbox, which implies a false
positive in the overall spamassassin result. OTOH RCVD_IN_DNSWL_MED
hitting spam is a false positive in the individual rule, which is a
test for ham.

> So:
> We had so many false negatives
> > with that rule, that I - as others who 
> > replied to your post already (see below) - have come to the
> > conclusion that www.dnswl.org is not a reliable source of trust for
> > us and disabled the rule by configuring
> > 
> > score RCVD_IN_DNSWL_MED 0

The OP should probably update his rules first since the rule currently
scores -2.3 rather than -4, and rules haven't been updated since
February. 

I don't think setting it to zero is a good idea; it won't turn off the
lookup, so you might just as well set it to -0.001 and monitor the
rule's performance.
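To see what the two overrides proposed in this thread (score RCVD_IN_DNSWL_MED 0 from corpus.defero above, -0.001 from RW) would have done to the original message, here is an added example that is not from the thread: it parses the per-rule lines of an X-Spam-Report in the layout the first post shows, then recomputes the total with local score overrides applied. The report text is a constructed copy of the first post's hits, and `parse_report` / `rescore` are my names.

```python
import re

# Constructed X-Spam-Report body in the layout SpamAssassin uses in this
# thread (one "pts rule name description" line per hit); not a real message,
# but the hits and points copy the first post.
SAMPLE_REPORT = """\
Content analysis details:   (0.7 points, 3.0 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.5 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
 1.5 URIBL_JP_SURBL         Contains an URL listed in the JP SURBL blocklist
-4.0 RCVD_IN_DNSWL_MED      RBL: Sender listed at http://www.dnswl.org/, medium trust
 0.9 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
 0.6 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
 0.2 BAYES_60               BODY: Bayesian spam probability is 60 to 80%
 0.0 HTML_MESSAGE           BODY: HTML included in message
"""

# A hit line starts with a signed decimal score followed by the rule name;
# the header, separator and summary lines do not match this shape.
HIT_RE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\b", re.M)
REQUIRED_RE = re.compile(r"\((-?[\d.]+) points, ([\d.]+) required\)")


def parse_report(report):
    """Return (hits, required): hits maps rule name -> points, required is
    the site's spam threshold taken from the summary line."""
    m = REQUIRED_RE.search(report)
    if not m:
        raise ValueError("no 'points, required' summary line found")
    required = float(m.group(2))
    hits = {name: float(pts) for pts, name in HIT_RE.findall(report)}
    return hits, required


def rescore(report, overrides):
    """Recompute the verdict as if local 'score RULE n' lines had been in
    effect. overrides: {rule_name: new_score}; other rules keep their points.
    The lookup itself is unaffected, which is why the rule still shows up."""
    hits, required = parse_report(report)
    adjusted = {name: overrides.get(name, pts) for name, pts in hits.items()}
    total = round(sum(adjusted.values()), 3)
    return {"total": total, "required": required,
            "is_spam": total >= required, "hits": adjusted}


if __name__ == "__main__":
    for label, overrides in (("as delivered", {}),
                             ("score 0", {"RCVD_IN_DNSWL_MED": 0}),
                             ("score -0.001", {"RCVD_IN_DNSWL_MED": -0.001})):
        r = rescore(SAMPLE_REPORT, overrides)
        print(f"{label:13s} total={r['total']:.3f} spam={r['is_spam']}")
```

With RCVD_IN_DNSWL_MED neutralised the same message scores 4.7 against a 3.0 threshold and would have been tagged; the -0.001 variant gives 4.699 and leaves the rule name in every report, which is what makes it possible to keep counting how often it fires on mail that other rules and Bayes call spam.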

Re: Suddenly getting lots of false positives.

Posted by Wolfgang Zeikat <wo...@desy.de>.
In an older episode, on 2012-05-26 22:38, Wolfgang Zeikat wrote:

> We had so many false positives

Oops, I used your term "false positives" by accident. I and many others 
tend to call false ham classifications
false negatives
(negative scores change the classification towards ham)

So:
We had so many false negatives
> with that rule, that I - as others who 
> replied to your post already (see below) - have come to the conclusion 
> that www.dnswl.org is not a reliable source of trust for us and disabled 
> the rule by configuring
> 
> score RCVD_IN_DNSWL_MED 0
> 
> 0 is zero, not uppercase o

Cheers,

wolfgang



Re: Suddenly getting lots of false positives.

Posted by Jari Fredriksson <ja...@iki.fi>.
On Mon, May 28, 2012 00:09, Matthias Leisi wrote:
> On Sat, May 26, 2012 at 10:38 PM, Wolfgang Zeikat
> <wo...@desy.de> wrote:
>> In an older episode, on 2012-05-26 22:06, Jeremy Morton wrote:
>>>
>>> OK I continue to get this problem - lots of spam is coming through now
>>> with:
>>> -4.0 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/,
>>> medium
>>> trust
>>
>>
>> We had so many false positives with that rule, that I - as others who
>> replied to your post already (see below) - have come to the conclusion
>> that
>
> Care to share with dnswl.org (which I represent) or the list here what
> "false positives" you got?
>
> In most cases, "so many" false positives are more a question of
> setting up the trust path in SpamAssassin correctly. If it is some
> error in our data, we'd like to know (and correct).
>
> Thanks,
> -- Matthias, for dnswl.org
>

Personally I'm quite happy with dnswl.org. I have 0 spam with this rule
triggered in my corpus (which can be seen in
http://ruleqa.spamassassin.org)

Great service.



Re: Suddenly getting lots of false positives.

Posted by Matthias Leisi <ma...@leisi.net>.
On Sat, May 26, 2012 at 10:38 PM, Wolfgang Zeikat
<wo...@desy.de> wrote:
> In an older episode, on 2012-05-26 22:06, Jeremy Morton wrote:
>>
>> OK I continue to get this problem - lots of spam is coming through now
>> with:
>> -4.0 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/, medium
>> trust
>
>
> We had so many false positives with that rule, that I - as others who
> replied to your post already (see below) - have come to the conclusion that

Care to share with dnswl.org (which I represent) or the list here what
"false positives" you got?

In most cases, "so many" false positives are more a question of
setting up the trust path in SpamAssassin correctly. If it is some
error in our data, we'd like to know (and correct).

Thanks,
-- Matthias, for dnswl.org

Re: Suddenly getting lots of false positives.

Posted by Wolfgang Zeikat <wo...@desy.de>.
In an older episode, on 2012-05-26 22:06, Jeremy Morton wrote:
> OK I continue to get this problem - lots of spam is coming through now 
> with:
> -4.0 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/, 
> medium trust

We had so many false positives with that rule, that I - as others who 
replied to your post already (see below) - have come to the conclusion 
that www.dnswl.org is not a reliable source of trust for us and disabled 
the rule by configuring

score RCVD_IN_DNSWL_MED 0

0 is zero, not uppercase o

> 
> I think it's likely to have something to do with me changing the 
> machine's hostname to ip.game-point.net because it started happening 
> just after that.

I doubt that.

Regards,

wolfgang

----------  Forwarded Message  ----------

Subject: Re: Suddenly getting lots of false positives.
Date: Thursday, 24. May 2012
From: "corpus.defero" <co...@idnet.com>
To: users@spamassassin.apache.org

On Thu, 2012-05-24 at 10:14 +0100, Jeremy Morton wrote:
 > I've gotten a lot of false positives coming into my inbox lately, and
 > the principal reason for most of them seems to be that they are matching
 > the following rule:
 > -4.0 RCVD_IN_DNSWL_MED      RBL: Sender listed at http://www.dnswl.org/,
 > medium trust
 >

Given the connecting IP is listed with a number of anti-spam
blocklists:

59.94.13.26 Listed in Spamhaus XBL (CBL Data)
59.94.13.26 Listed in Spamhaus PBL (ISP Maintained)
59.94.13.26 Listed in Barracuda Reputation List
59.94.13.26 Listed in dul.dnsbl.sorbs.net
59.94.13.26 Listed in UCE PROTECT LEVEL 2
59.94.13.26 Listed in UCE PROTECT LEVEL 3

and that

bestinternetdancer.com

is listed in the Spamhaus domain block list & the multi.uribl.com block list,
you'd have to wonder why it gets a reduction from www.dnswl.org

I'm not 100% but isn't http://www.dnswl.org/ a 'DIY' whitelisting site
that anyone can kind of abuse?

The rule is tucked away in 72_active.cf, along with the other 'pay to
spam' whitelists from the likes of Return Path. I suggest you add this
to your local.cf to deal with such abuse:

score RCVD_IN_DNSWL_MED 0
score RCVD_IN_RP_CERTIFIED 0
score RCVD_IN_RP_SAFE 0

But that's just my default settings on every instance of SA that I work
on. Sometimes I add points for Return Path as it seems to help BLOCK
spam rather than pass ham - but that's a can of worms and a different
subject.

Re: Suddenly getting lots of false positives.

Posted by Jari Fredriksson <ja...@iki.fi>.
On Sun, May 27, 2012 17:51, Benny Pedersen wrote:
> On 2012-05-27 16:27, Jari Fredriksson wrote:
>
>> Adding zones w/o forwarders will request directly them zones, thus
>> allow
>> dnseval to work. I want dnseval, but I do not want it use Google.
>
> okay, using forwards in options?
>
> here I don't use global forwards, so I have it like you, just another
> way of doing the same
>
> hint zone is my friend :)
>
>> Google is fast and reliable cache for general use, much better than
>> bind
>> alone.
>
> okay, stats are fine, but I don't use it this way; using forwards in
> options gives more problems than it solves,

Just occurred to me, that this may be true. Some big sites optimize the
returned A record according to the query and location of it. I just
disabled my global forwarders. Did not even use my ISP, as it seems they
do not support DNSSEC.

> here I just use per-zone
> forwards if DNS is not working for blocked or other stupid DNS hosters
> that block queries from so-called dynamic IPs, hmp :)
>

I would be very pleased to see your zones for that. Thanks in advance ;)

Re: Suddenly getting lots of false positives.

Posted by Benny Pedersen <me...@junc.org>.
On 2012-05-27 16:27, Jari Fredriksson wrote:

> Adding zones w/o forwarders will request directly them zones, thus 
> allow
> dnseval to work. I want dnseval, but I do not want it use Google.

okay, using forwards in options?

here I don't use global forwards, so I have it like you, just another 
way of doing the same

hint zone is my friend :)

> Google is fast and reliable cache for general use, much better than 
> bind
> alone.

okay, stats are fine, but I don't use it this way; using forwards in 
options gives more problems than it solves. here I just use per-zone 
forwards if DNS is not working for blocked or other stupid DNS hosters 
that block queries from so-called dynamic IPs, hmp :)

in all I have found registered DNS servers in the dk-hostmaster NIC that 
allow public queries with recursive lookups; they are ready for DDoS

and EDNS0 servers that do it wrong make another problem

Re: Suddenly getting lots of false positives.

Posted by Jari Fredriksson <ja...@iki.fi>.
On Sun, May 27, 2012 16:34, Benny Pedersen wrote:
> On 2012-05-27 11:39, Jari Fredriksson wrote:
>
>> zone "combined.njabl.org" { type forward; forward first; forwarders
>> {}; };
> [zones]
>
> why not disable the dnseval plugin in spamassassin?
>
> saves more RAM than adding more zones to bind :=)
>

Adding zones w/o forwarders will request directly them zones, thus allow
dnseval to work. I want dnseval, but I do not want it use Google.

Google is fast and reliable cache for general use, much better than bind
alone.


Re: Suddenly getting lots of false positives.

Posted by Benny Pedersen <me...@junc.org>.
On 2012-05-27 11:39, Jari Fredriksson wrote:

> zone "combined.njabl.org" { type forward; forward first; forwarders 
> {}; };
[zones]

why not disable the dnseval plugin in spamassassin?

saves more RAM than adding more zones to bind :=)

Re: Suddenly getting lots of false positives.

Posted by "corpus.defero" <co...@idnet.com>.
On Sun, 2012-05-27 at 12:39 +0300, Jari Fredriksson wrote:
> On Sun, May 27, 2012 12:28, Jeremy Morton wrote:
> > I don't see what relevance the DNS servers I use on my machine have
> > to do with querying dnswl.org - surely dnswl.org shouldn't even know if
> > I'm using Google's nameservers?
> >
> 
> You ask Google. Google does not know. They ask dnswl.org's DNS. dnswl.org
> does not see You. They see only Google. And lots of them. They block
> Google.
> 
Exactly - just like Spamhaus. The difference with Spamhaus is you will
usually get no A record back even for a blacklisted IP or domain.

I'm sure they are not the only blocklist to do it. It's all mostly
related to revenue protection & money, but hey - their blocklist, their
rules.

I must add that the Barracuda list works flawlessly through Google's
servers and is still the best list I've found.


Re: Suddenly getting lots of false positives.

Posted by Jari Fredriksson <ja...@iki.fi>.
On Sun, May 27, 2012 12:28, Jeremy Morton wrote:
> I don't see what relevance the DNS servers I use on my machine have
> to do with querying dnswl.org - surely dnswl.org shouldn't even know if
> I'm using Google's nameservers?
>

You ask Google. Google does not know. They ask dnswl.org's DNS. dnswl.org
does not see You. They see only Google. And lots of them. They block
Google.

Just put this in your named.conf.local if you use bind.

zone "combined.njabl.org" { type forward; forward first; forwarders {}; };
zone "dnsbl.sorbs.net" { type forward; forward first; forwarders {}; };
zone "zen.spamhaus.org" { type forward; forward first; forwarders {}; };
zone "activationcode.r.mail-abuse.com" { type forward; forward first; forwarders {}; };
zone "nonconfirm.mail-abuse.com" { type forward; forward first; forwarders {}; };
zone "iadb.isipp.com" { type forward; forward first; forwarders {}; };
zone "bl.mailspike.net" { type forward; forward first; forwarders {}; };
zone "wl.mailspike.net" { type forward; forward first; forwarders {}; };
zone "bb.barracudacentral.org" { type forward; forward first; forwarders {}; };
zone "psbl.surriel.com" { type forward; forward first; forwarders {}; };
zone "bl.score.senderscore.com" { type forward; forward first; forwarders {}; };
zone "list.dnswl.org" { type forward; forward first; forwarders {}; };
zone "multi.uribl.com" { type forward; forward first; forwarders {}; };
zone "ovi.com" { type forward; forward first; forwarders {}; };

Re: Suddenly getting lots of false positives.

Posted by Niamh Holding <ni...@fullbore.co.uk>.
Hello Jeremy,

Sunday, May 27, 2012, 11:03:18 AM, you wrote:

JM> Why does this work from my Windows box at home which is using Google's
JM> nameservers?

Because google will be using a cluster of servers and the one that
handled that query might not have hit the 100,000 limit?

Why are you using Google's servers anyway?

-- 
Best regards,
 Niamh                            mailto:niamh@fullbore.co.uk

Re: Suddenly getting lots of false positives.

Posted by Benny Pedersen <me...@junc.org>.
Den 2012-05-27 12:03, Jeremy Morton skrev:
> OK so that leads me to 2 questions:
>
> Why doesn't dnswl just allow big nameservers like Google?

haha, why not ask Google to pay for a datafeed from Spamhaus so we all 
can get it for free?

> Surely they know they're legit and lots of people use them.

Incorrect, most ISPs force their dynamic clients to use their ISP DNS 
servers so they can block services such as thepiratebay; if dynamic users 
are running bind on their own, there is nothing blocked

> Why does this work from my Windows box at home which is using
> Google's nameservers?
> nslookup 40.152.71.64.list.dnswl.org
> Server:  google-public-dns-a.google.com
> Address:  8.8.8.8
>
> Non-authoritative answer:
> Name:    40.152.71.64.list.dnswl.org
> Address:  127.0.6.3

try to understand DNSSEC?



Re: Suddenly getting lots of false positives.

Posted by Niamh Holding <ni...@fullbore.co.uk>.
Hello Jeremy,

Sunday, May 27, 2012, 11:03:18 AM, you wrote:

JM> Why doesn't dnswl just allow big nameservers like Google?

Did you read my quote?

Quite simply if you are placing that much load on dnswl then pay...
Google obviously don't.

-- 
Best regards,
 Niamh                            mailto:niamh@fullbore.co.uk

Re: Suddenly getting lots of false positives.

Posted by Jeremy Morton <ad...@game-point.net>.
OK so that leads me to 2 questions:

Why doesn't dnswl just allow big nameservers like Google?  Surely they 
know they're legit and lots of people use them.

Why does this work from my Windows box at home which is using Google's 
nameservers?
nslookup 40.152.71.64.list.dnswl.org
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    40.152.71.64.list.dnswl.org
Address:  127.0.6.3


-- 
Best regards,
Jeremy Morton (Jez)

On 27/05/2012 10:41, Niamh Holding wrote:
>
> Hello Jeremy,
>
> Sunday, May 27, 2012, 10:28:17 AM, you wrote:
>
> JM>  surely dnswl.org shouldn't even know if
> JM>  I'm using Google's nameservers?
>
> Of course it will know from which nameserver it receives a query.
>

Re: Suddenly getting lots of false positives.

Posted by Niamh Holding <ni...@fullbore.co.uk>.
Hello Jeremy,

Sunday, May 27, 2012, 10:28:17 AM, you wrote:

JM> surely dnswl.org shouldn't even know if 
JM> I'm using Google's nameservers?

Of course it will know from which nameserver it receives a query.

-- 
Best regards,
 Niamh                            mailto:niamh@fullbore.co.uk

Re: Suddenly getting lots of false positives.

Posted by Benny Pedersen <me...@junc.org>.
Den 2012-05-27 11:28, Jeremy Morton skrev:
> I don't see what relevance the DNS servers I use on my machine
> have to do with querying dnswl.org - surely dnswl.org shouldn't even
> know if I'm using Google's nameservers?

you are free to use Google public DNS as you like, but the more users 
using Google DNS servers, the more query hits come from Google DNS, 
and if that goes over the 100000 query limit dnswl blocks more queries, and this 
affects ALL Google DNS users. It's fun to keep below the dnswl radar there, no? :=)

this problem is gone if you have your own local DNS server on 127.0.0.1, but 
only if you still keep below the dnswl limit per query IP

should I say "using shared resources makes shared limits"?




Re: Suddenly getting lots of false positives.

Posted by Jeremy Morton <ad...@game-point.net>.
I don't see what relevance the DNS servers I use on my machine have 
to do with querying dnswl.org - surely dnswl.org shouldn't even know if 
I'm using Google's nameservers?

-- 
Best regards,
Jeremy Morton (Jez)

On 27/05/2012 08:53, Niamh Holding wrote:
>
> Hello Jeremy,
>
> Saturday, May 26, 2012, 9:06:55 PM, you wrote:
>
> JM>  OK I continue to get this problem - lots of spam is coming through now with:
> JM>  -4.0 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/,
> JM>  medium trust
>
> JM>  I think it's likely to have something to do with me changing the
> JM>  machine's hostname to ip.game-point.net because it started happening
> JM>  just after that.  Can anyone think of why this might have caused the
> JM>  problem and how I can fix it?
>
> You are using google's servers aren't you?
>
> Could they be part of the problem? Given you previously said-
>
> JM>  I actually get: Host 40.152.71.64.list.dnswl.org not found:
> JM>  5(REFUSED)
>
> And-
>
> "Access to the dnswl.org public nameservers may be blocked for all
> users doing more than 100’000 queries per day at any time. dnswl.org
> is under no obligation to contact the owners of IP addresses seen
> doing more than the specified limit before blocking such access."
>

Re: Suddenly getting lots of false positives.

Posted by Niamh Holding <ni...@fullbore.co.uk>.
Hello Jeremy,

Saturday, May 26, 2012, 9:06:55 PM, you wrote:

JM> OK I continue to get this problem - lots of spam is coming through now with:
JM> -4.0 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/, 
JM> medium trust

JM> I think it's likely to have something to do with me changing the 
JM> machine's hostname to ip.game-point.net because it started happening 
JM> just after that.  Can anyone think of why this might have caused the 
JM> problem and how I can fix it?

You are using google's servers aren't you?

Could they be part of the problem? Given you previously said-

JM> I actually get: Host 40.152.71.64.list.dnswl.org not found:
JM> 5(REFUSED)

And-

"Access to the dnswl.org public nameservers may be blocked for all
users doing more than 100’000 queries per day at any time. dnswl.org
is under no obligation to contact the owners of IP addresses seen
doing more than the specified limit before blocking such access."

-- 
Best regards,
 Niamh                            mailto:niamh@fullbore.co.uk

Re: Suddenly getting lots of false positives.

Posted by Jeremy Morton <ad...@game-point.net>.
OK I continue to get this problem - lots of spam is coming through now with:
-4.0 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/, 
medium trust

I think it's likely to have something to do with me changing the 
machine's hostname to ip.game-point.net because it started happening 
just after that.  Can anyone think of why this might have caused the 
problem and how I can fix it?

-- 
Best regards,
Jeremy Morton (Jez)

On 24/05/2012 10:14, Jeremy Morton wrote:
> I've gotten a lot of false positives coming into my inbox lately, and
> the principal reason for most of them seems to be that they are matching
> the following rule:
> -4.0 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/,
> medium trust
>
> I'm not sure why they're matching this rule, so I thought I'd ask you
> guys to see whether you could figure it out. Here's a sample message
> that made it through my spam filter, which is definitely spam (note that
> I have it configured to attach X-Spam-Report to every message so I can
> see why it was NOT marked as spam):
>
> ==================================================
>  From - Wed May 23 10:53:41 2012
> X-Account-Key: account2
> X-UIDL: UID308596-1160697276
> X-Mozilla-Status: 0001
> X-Mozilla-Status2: 00000000
> X-Mozilla-Keys:
> Return-path: <ni...@etisbew.com>
> Envelope-to: bugzilla@game-point.net
> Delivery-date: Wed, 23 May 2012 10:37:58 +0100
> Received: from [59.94.13.26]
> by ip.game-point.net with esmtp (Exim 4.69)
> (envelope-from <ni...@etisbew.com>)
> id 1SX80z-0005qn-7r
> for bugzilla@game-point.net; Wed, 23 May 2012 10:37:58 +0100
> Received: from apache by etisbew.com with local (Exim 4.63)
> (envelope-from <sp...@realliving.com>)
> id A10PD7-HLT0O1-68
> for bugzilla@game-point.net; Wed, 23 May 2012 15:07:55 +0530
> To: bugzilla@game-point.net
> Subject: Good afternoon,
> Date: Wed, 23 May 2012 15:07:55 +0530
> From: "Stella Cotton" <ni...@etisbew.com>
> Message-ID: <74...@etisbew.com>
> X-Priority: 3
> X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net)
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> boundary="------------03070800307080108050505"
> X-Spam-Status: No, score=0.7
> X-Spam-Score: 7
> X-Spam-Bar: /
> X-Spam-Flag: NO
> X-Spam-Report: Spam detection software, running on the system
> "ip.game-point.net", has
> identified this incoming email as possible spam. The original message
> has been attached to this so you can view it (if it isn't spam) or label
> similar future email. If you have any questions, see
> the administrator of that system for details.
> Content preview: It is what a man needs to overcome the most delicate
> problem.
> Your power and strength of your porksword will please her! Make your body
> as strong as your spirit is!Click It is what a man needs to overcome the
> most delicate problem. Your power and strength of your porksword will
> please
> her! Make your body as strong as your spirit is! [...]
> Content analysis details: (0.7 points, 3.0 required)
> pts rule name description
> ---- ----------------------
> --------------------------------------------------
> 1.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
> [URIs: bestinternetdancer.com]
> 1.5 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
> [URIs: bestinternetdancer.com]
> -4.0 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/, medium
> trust
> [59.94.13.26 listed in list.dnswl.org]
> 0.9 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
> [59.94.13.26 listed in dnsbl.sorbs.net]
> 0.6 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)
> 0.2 BAYES_60 BODY: Bayesian spam probability is 60 to 80%
> [score: 0.6609]
> 0.0 HTML_MESSAGE BODY: HTML included in message
>
> This is a multi-part message in MIME format.
> --------------03070800307080108050505
> Content-Transfer-Encoding: 7bit
> Content-Type: text/plain; charset="iso-8859-2"
>
> It is what a man needs to overcome the most delicate problem. Your power
> and strength of your porksword will please her! Make your body as strong
> as your spirit is!Click
>
> --------------03070800307080108050505
> Content-Transfer-Encoding: 7bit
> Content-Type: text/html; charset="us-ascii"
>
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
> <HTML><HEAD>
> <META http-equiv=Content-Type content="text/html; charset=windows-1250">
> <STYLE></STYLE>
> </HEAD>
> <BODY>
> <div style="width:600px;">
> <div style="background: none repeat scroll 0 0 #FDF3F0; border-top: 3px
> solid #E7431D; padding: 25px;">
> <div style="font-size: 180%;">
>
> <em>It is what a man needs to overcome the most delicate problem.
> <br>Your power and strength of your porksword will please her! <br>Make
> your body as strong as your spirit is!</em>
> </div>
> </div>
> <div id="nav" style="background: none repeat scroll 0 0 #4D4D4F;
> font-size: 90%; line-height: 40px;">
> <a style="color: #FFFFFF; padding: 12px 25px;"
> href="http://pijqasos.bestinternetdancer.com/page.html?Wsl7zrBeopsqjfqBjDy27csllzE">Click</a>
>
> </div>
> </div>
> </BODY></HTML>
> --------------03070800307080108050505--
> ==================================================
>
>
> Any ideas why the sender would be in the dnswl with medium trust? I did
> recently change my machine's hostname to ip.game-point.net.
>

Re: Suddenly getting lots of false positives.

Posted by da...@chaosreigns.com.
On 05/24, Benny Pedersen wrote:
> reject spf_softfail in the MTA, or report to http://www.dnswl.org/ 

SPF_SOFTFAIL kind of sucks:
http://ruleqa.spamassassin.org/?daterev=20120519-r1340375-n&rule=%2Fspf

  MSECS    SPAM%     HAM%     S/O    RANK   SCORE  NAME   WHO/AGE
      0   3.2640  27.9430   0.105    0.67    0.00  SPF_PASS  
      0   6.3320   0.6518   0.907    0.58    0.00  SPF_SOFTFAIL  
      0   4.0263   1.1272   0.781    0.50    0.00  SPF_NEUTRAL  
      0        0        0   0.500    0.50    0.00  SPF_NONE  
      0   1.7415   1.6254   0.517    0.39    0.00  SPF_FAIL  

SPF_SOFTFAIL hits 6.3% of spam and 0.7% of ham, which is a pretty terrible
ratio, which gives it a rank of 0.58, where 1 is best (RCVD_IN_DNSWL_HI, in
fact), and 0 is worst.  A rank of 0.58 sucks.

Therefore rejecting on it at your MTA is a bad idea.  But it's your MTA.
I've done lots of things with my MTA on purpose that were a bad idea.

> (why
> did they list a dynamic IP?)

I don't think they did.

> if sender is legit why is it softfailing ?

Generally because people configure their SPF records badly.  SOFTFAIL
*means* the sending domain isn't certain they have all their legit sending
IPs listed.  So based on the protocol it's also inappropriate to use for
absolute blocking.  (In addition to the real world statistics above.)  It's
unfortunate.

-- 
"Wash daily from nose-tip to tail-tip; drink deeply, but never too deep;
And remember the night is for hunting, and forget not the day is for sleep."
- The Law of the Jungle, Rudyard Kipling
http://www.ChaosReigns.com
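
The numbers in the post above, as an added example that is not code from the thread or from SpamAssassin's ruleqa site: it parses the quoted hit-frequency table and recomputes S/O, the one column with a fixed definition (spam% / (spam% + ham%), the share of a rule's hits that were spam, 0.5 when the rule never fires). RANK is a composite ruleqa derives and is read from the table, not recomputed. The reject policy at the end uses assumed thresholds, not anything SpamAssassin ships.

```python
"""Added example for this thread; parses the ruleqa table quoted in the post."""

# The table exactly as posted (copied from the thread, not new data).
RULEQA_TABLE = """\
  MSECS    SPAM%     HAM%     S/O    RANK   SCORE  NAME   WHO/AGE
      0   3.2640  27.9430   0.105    0.67    0.00  SPF_PASS
      0   6.3320   0.6518   0.907    0.58    0.00  SPF_SOFTFAIL
      0   4.0263   1.1272   0.781    0.50    0.00  SPF_NEUTRAL
      0        0        0   0.500    0.50    0.00  SPF_NONE
      0   1.7415   1.6254   0.517    0.39    0.00  SPF_FAIL
"""


def spam_over_overall(spam_pct, ham_pct):
    """S/O as ruleqa reports it; 0.5 for a rule that hit nothing at all."""
    total = spam_pct + ham_pct
    return 0.5 if total == 0 else spam_pct / total


def parse_ruleqa(text):
    """Return {rule name: {spam, ham, so, rank}} from a ruleqa hit-frequency table."""
    rows = {}
    for line in text.splitlines()[1:]:          # skip the header line
        fields = line.split()
        if len(fields) < 7:
            continue
        _msecs, spam, ham, so, rank, _score, name = fields[:7]
        rows[name] = {"spam": float(spam), "ham": float(ham),
                      "so": float(so), "rank": float(rank)}
    return rows


def so_mismatches(rows):
    """Rules whose printed S/O does not match spam/(spam+ham) to three places."""
    return [name for name, r in rows.items()
            if round(spam_over_overall(r["spam"], r["ham"]), 3) != r["so"]]


def ham_lost_per(rows, name, n_ham=10000):
    """Legitimate messages rejected per n_ham if the rule is enforced at the MTA."""
    return round(rows[name]["ham"] / 100 * n_ham, 2)


def safe_to_reject(rows, name, max_ham_pct=0.05, min_so=0.99):
    """Assumed policy: an MTA-level reject needs almost no ham hits."""
    r = rows[name]
    return r["ham"] <= max_ham_pct and spam_over_overall(r["spam"], r["ham"]) >= min_so


if __name__ == "__main__":
    rows = parse_ruleqa(RULEQA_TABLE)
    for name in rows:
        print(f"{name:13s} S/O={spam_over_overall(rows[name]['spam'], rows[name]['ham']):.3f}"
              f" ham lost per 10k={ham_lost_per(rows, name):6.2f}"
              f" reject={safe_to_reject(rows, name)}")
```

The S/O column reproduces exactly from the SPAM% and HAM% columns, so the argument in the post can be checked rather than taken on faith: SPF_SOFTFAIL at 0.6518% ham is about 65 legitimate messages lost per 10,000 if rejected outright, which is what makes it a scoring input rather than a reject criterion.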

Re: Suddenly getting lots of false positives.

Posted by Benny Pedersen <me...@junc.org>.
Den 2012-05-24 11:14, Jeremy Morton skrev:

> Any ideas why the sender would be in the dnswl with medium trust?  I
> did recently change my machine's hostname to ip.game-point.net.

reject spf_softfail in the MTA, or report to http://www.dnswl.org/ (why did 
they list a dynamic IP?)

if the sender is legit, why is it softfailing?




Re: Suddenly getting lots of false positives.

Posted by Niamh Holding <ni...@fullbore.co.uk>.
Hello Jeremy,

Thursday, May 24, 2012, 10:14:11 AM, you wrote:

JM> [59.94.13.26 listed in list.dnswl.org]

Doesn't seem to be listed any more-
http://dnswl.org/s?s=59.94.13.26

-- 
Best regards,
 Niamh                            mailto:niamh@fullbore.co.uk

Re: Suddenly getting lots of false positives.

Posted by João Gouveia <jo...@anubisnetworks.com>.

----- Original Message -----
> From: "Jeremy Morton" <ad...@game-point.net>
> To: users@spamassassin.apache.org
> Sent: Thursday, May 24, 2012 10:14:11 AM
> Subject: Suddenly getting lots of false positives.
> 
> I've gotten a lot of false positives coming into my inbox lately, and
> the principal reason for most of them seems to be that they are
> matching
> the following rule:
> -4.0 RCVD_IN_DNSWL_MED      RBL: Sender listed at
> http://www.dnswl.org/,
> medium trust
> 

I guess you mean false negatives?
Anyway, it's not listed at DNSWL ATM (maybe they cleared that entry).

I actually have it tagged with very bad reputation:

59.94.13.26 listed by bl.mailspike.net: Bad reputation - http://mailspike.org/anubis/lookup.html

-- 
Joao Gouveia
AnubisNetworks
Tel. : +351 21 7252110
Mobile : +351 91 9512960
Fax : +351 21 7252119
http://www.anubisnetworks.com