Posted to users@spamassassin.apache.org by Alex <my...@gmail.com> on 2016/05/27 18:15:58 UTC
Multiple RBLs and dynamic IPs
Hi all,
How many points do you add to an email that originated from a dynamic
IP that is on a number of blacklists?
This 180.178.104.22 is an IP from a customer in Indonesia:
Received: from [180.178.104.22] (port=51022 helo=CapriciousDude)
by vio1.naveca.biz with esmtpa (Exim 4.87)
(envelope-from <it...@example.com>)
id 1b6FMu-00087L-42; Fri, 27 May 2016 18:51:52 +0800
This IP is on virtually every blacklist, but it doesn't necessarily
mean it's the result of something this particular customer/user did. I
also can't just make them send from a static IP or pick a different
provider.
At the same time, it's difficult to just let this go without adding
some points to the email.
I'm using XBL, PSKY (which is probably not necessary), spamcop, and
mailspike "deep-header" rules. Maybe I'm using them wrong?
Ideas for how to handle this would be appreciated.
X-Spam-Report:
* -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no
* trust
* [116.251.209.92 listed in list.dnswl.org]
* 0.0 RCVD_IN_XBL_ALL RBL: Received via a relay in Spamhaus SBL-XBL
* [180.178.104.22 listed in mykey.zen.dq.spamhaus.net]
* 0.4 RCVD_IN_PSKY_ALL3 RBL: Any header IP in Testing RBL bad.psky.me
* "reject"
* [180.178.104.22 listed in bad.psky.me]
* 0.8 RCVD_IN_SORBS_WEB RBL: SORBS: sender is an abusable web server
* [180.178.104.22 listed in dnsbl.sorbs.net]
* 1.3 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
* [Blocked - see <http://www.spamcop.net/bl.shtml?180.178.104.22>]
* 0.4 RCVD_IN_BL_MSPIKE_ALL RBL: No description available.
* [180.178.104.22 listed in bl.mailspike.net]
* -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
* [score: 0.5000]
* 0.2 RELAYCOUNTRY_MED Relayed by an improbable email source country
* 1.0 KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any
* anti-forgery methods
* 1.5 LOC_MULTI_RBL Multiple RBLs including spamcop, psky, XBL and mspike
* 0.0 T_DMARC_TESTS_FAIL No description available.
Re: Multiple RBLs and dynamic IPs
Posted by Reindl Harald <h....@thelounge.net>.
On 27.05.2016 at 20:15, Alex wrote:
> How many points do you add to an email that originated from a dynamic
> IP that on a number of blacklists?
>
> This 180.178.104.22 is an IP from a customer in Indonesia:
>
> Received: from [180.178.104.22] (port=51022 helo=CapriciousDude)
> by vio1.naveca.biz with esmtpa (Exim 4.87)
> (envelope-from <it...@example.com>)
> id 1b6FMu-00087L-42; Fri, 27 May 2016 18:51:52 +0800
>
> This IP is on virtually every blacklist, but it doesn't necessarily
> mean it's the result of something this particular customer/user did
doesn't matter - an enduser IP has no business delivering mail on port 25
anywhere
+----------------+-------------------------------+
| spamass_weight | alias |
+----------------+-------------------------------+
| 6.5 | pbl.spamhaus.org |
| 6.5 | dul.dnsbl.sorbs.net |
| 6.5 | noserver.dnsbl.sorbs.net |
| 5.5 | smtp.dnsbl.sorbs.net |
| 5.5 | xbl.spamhaus.org |
| 5 | b.barracudacentral.org |
| 5 | dnsbl.inps.de |
| 5 | css.spamhaus.org |
| 4.5 | web.dnsbl.sorbs.net |
| 3.5 | hostkarma.junkemailfilter.com |
| 2.5 | ix.dnsbl.manitu.net |
| 2.5 | psbl.surriel.com |
| 2.5 | dnsrbl.swinog.ch |
| 2.5 | bl.spameatingmonkey.net |
| 2.5 | bl.spamcop.net |
| 1.5 | senderscore.com High |
| 1.5 | hostkarma.junkemailfilter.com |
| 1.5 | block.dnsbl.sorbs.net |
| 1.5 | bl.spamcannibal.org |
| 1.5 | zombie.dnsbl.sorbs.net |
| 1.5 | spam.dnsbl.sorbs.net |
| 1.5 | sbl.spamhaus.org |
| 1 | senderscore.com Medium |
| 1 | bl.nszones.com |
| 1 | http.dnsbl.sorbs.net |
| 1 | socks.dnsbl.sorbs.net |
| 1 | spam.spamrats.com |
| 1 | misc.dnsbl.sorbs.net |
| 1 | dnsbl-1.uceprotect.net |
| 1 | dnsbl-2.uceprotect.net |
| 0.5 | hostkarma.junkemailfilter.com |
| 0.5 | virus.dnsbl.sorbs.net |
| 0.1 | ips.backscatterer.org |
+----------------+-------------------------------+
Re: Multiple RBLs and dynamic IPs
Posted by Reindl Harald <h....@thelounge.net>.
On 31.05.2016 at 10:43, Matus UHLAR - fantomas wrote:
>>> On 30 May 2016, at 15:07, Alex wrote:
>>>> Yeah, that's it exactly. Particularly overseas where it doesn't appear
>>>> NAT and/or submission are used as readily as they are here.
>
>> On 31.05.2016 at 03:09, Bill Cole wrote:
>>> Irrelevant in this case because if you trust that header not to be an
>>> intentionally deceptive lie, the receiving server claims the mail was
>>> received with authentication, making it very unlikely that the message
>>> is spam
>
> On 31.05.16 10:30, Reindl Harald wrote:
>> you can not trust any header not written by your own MTA and hence all
>> that deep header parsing is nonsense with any score above 0.01 or
>> below -0.01
>
> why? If someone fakes a clear spammy sign, I see no point in giving them
> higher score
the why is well explained by the FSL deep-header crap in the last few
months, and why a received header in the middle is wrong for RBL lookups
was explained at length in that thread, just read it
Re: Multiple RBLs and dynamic IPs
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>>On 30 May 2016, at 15:07, Alex wrote:
>>>Yeah, that's it exactly. Particularly overseas where it doesn't appear
>>>NAT and/or submission are used as readily as they are here.
>On 31.05.2016 at 03:09, Bill Cole wrote:
>>Irrelevant in this case because if you trust that header not to be an
>>intentionally deceptive lie, the receiving server claims the mail was
>>received with authentication, making it very unlikely that the message
>>is spam
On 31.05.16 10:30, Reindl Harald wrote:
>you can not trust any header not written by your own MTA and hence
>all that deep header parsing is nonsense with any score above 0.01 or
>below -0.01
why? If someone fakes a clear spammy sign, I see no point in giving them
higher score.
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Linux - It's now safe to turn on your computer.
Linux - Now you can turn on your computer without worry.
Re: Multiple RBLs and dynamic IPs
Posted by Reindl Harald <h....@thelounge.net>.
On 31.05.2016 at 03:09, Bill Cole wrote:
> On 30 May 2016, at 15:07, Alex wrote:
>
>> Yeah, that's it exactly. Particularly overseas where it doesn't appear
>> NAT and/or submission are used as readily as they are here.
>
> Irrelevant in this case because if you trust that header not to be an
> intentionally deceptive lie, the receiving server claims the mail was
> received with authentication, making it very unlikely that the message
> is spam
you cannot trust any header not written by your own MTA and hence all
that deep header parsing is nonsense with any score above 0.01 or below
-0.01
Re: Multiple RBLs and dynamic IPs
Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 30 May 2016, at 15:07, Alex wrote:
> Yeah, that's it exactly. Particularly overseas where it doesn't appear
> NAT and/or submission are used as readily as they are here.
Irrelevant in this case because if you trust that header not to be an
intentionally deceptive lie, the receiving server claims the mail was
received with authentication, making it very unlikely that the message
is spam. That is what "with esmtpa" in an Exim Received header means,
and your other rule hits indicate that you trust 116.251.209.92
(vio1.naveca.biz) so I don't quite get why this didn't also hit
"ALL_TRUSTED" and why SA is doing DNSBL checks on the authenticated
client of a trusted host.
And in ANY case, getting *a customer* to use port 587 submission with
authentication over an encrypted channel directly to your server instead
of trusting an intermediate machine that maybe should not be trusted
should not be hard. Even shoddy PHP mailing scripts these days can
handle it. If you are nominally selling any sort of email service to
that customer and not requiring them to submit through your server to be
treated as a trusted customer, you're making a mistake.
> So even though that IP is on virtually every blacklist, you wouldn't
> add any points? And there's nothing further the user could do to fix
> the problem, given the dynamic nature of the IP?
I think there's a more complex problem in this case that is not evident
in a single Received header and list of SA hits.
Note that the IP you are worried about was at the time you scanned its
output and was still today either itself a badly compromised system or
is a shared NAT address with one or more compromised systems behind it,
and either way: it is an ongoing source of spam of the worst sorts to
the outside world. It isn't listed because it's a dynamic IP, it's
listed because it's an active ongoing spamming IP.
(and to answer the original question: I don't trust other people's mail
servers to tell me the truth about where they get mail, so my SA
instances don't ever hit those rules. However, I would NEVER make a
mailspike 'none' listing contribute to anything at all, even as a meta
rule. LOC_MULTI_RBL seems like a bad idea, whatever it is...)
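The reasoning Bill Cole and Reindl Harald apply above can be written down as a small procedure: walk the Received headers from the newest one down, stop at the first header not written by an MTA you trust, and do not DNSBL-score a client that a trusted relay accepted with authentication ("with esmtpa", the RFC 3848 keyword). The code below is an added example, not code from the thread and not SpamAssassin's own Received parser. The hop from 180.178.104.22 is the header Alex posted (without the truncated envelope-from clause); the receiving host mx.example.invalid and the first Received line are constructed for the example.

```python
import re
from typing import Iterable

# RFC 3848 "with" keywords whose trailing "a" means the client authenticated
# (RFC 6531 adds the UTF8SMTP variants).  Exim writes them in lower case,
# e.g. "with esmtpa" in the header Alex posted.
AUTHENTICATED_PROTOCOLS = {"esmtpa", "esmtpsa", "utf8smtpa", "utf8smtpsa"}

_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_HELO_RE = re.compile(r"helo=([^\s)]+)")
_BY_RE = re.compile(r"\bby\s+([^\s(]+)")
_WITH_RE = re.compile(r"\bwith\s+([^\s(;]+)")

# Constructed sample, newest header first.  Hop 1 (relay -> our hypothetical
# MX "mx.example.invalid") is made up; hop 2 is the line from the thread.
SAMPLE_HEADERS = [
    "from vio1.naveca.biz ([116.251.209.92]) by mx.example.invalid "
    "with esmtps (Exim 4.87); Fri, 27 May 2016 18:51:53 +0800",
    "from [180.178.104.22] (port=51022 helo=CapriciousDude) by vio1.naveca.biz "
    "with esmtpa (Exim 4.87) id 1b6FMu-00087L-42; Fri, 27 May 2016 18:51:52 +0800",
]


def parse_received(header: str) -> dict:
    """Extract client IP, HELO name, receiving host and protocol from one
    unfolded Received header (Exim layout assumed; absent fields are None)."""
    ip, helo, by, with_ = (rx.search(header) for rx in (_IP_RE, _HELO_RE, _BY_RE, _WITH_RE))
    proto = with_.group(1).lower() if with_ else None
    return {
        "ip": ip.group(1) if ip else None,
        "helo": helo.group(1) if helo else None,
        "by": by.group(1) if by else None,
        "protocol": proto,
        "authenticated": proto in AUTHENTICATED_PROTOCOLS,
    }


def find_dnsbl_target(headers: Iterable[str], trusted: set) -> dict:
    """Walk Received headers newest-first and pick the IP, if any, that the
    DNSBL rules should score.

    `trusted` holds names and IPs of MTAs whose headers we believe: our own
    MX plus any relay we have deliberately chosen to trust.  The walk stops
    at the first header not written by a trusted host, because everything
    older is hearsay the sender could have forged."""
    for hop in map(parse_received, headers):
        if hop["by"] not in trusted:
            break                       # header written by someone we don't trust
        if hop["ip"] in trusted:
            continue                    # internal hop, keep walking outward
        if hop["authenticated"]:
            # A trusted relay accepted the message from an authenticated user.
            # The client's (often dynamic, often listed) IP says nothing about
            # spam here; abuse of that account is for the relay's rate limits
            # and queue monitoring to catch, not for a DNSBL score.
            return {"target": None, "reason": "authenticated submission", "hop": hop}
        return {"target": hop["ip"], "reason": "last external hop", "hop": hop}
    return {"target": None, "reason": "no trustworthy external hop", "hop": None}


if __name__ == "__main__":
    for trusted in ({"mx.example.invalid", "116.251.209.92", "vio1.naveca.biz"},
                    {"mx.example.invalid"}):
        print(sorted(trusted), "->", find_dnsbl_target(SAMPLE_HEADERS, trusted))
```

With vio1.naveca.biz in the trusted set the authenticated hop from 180.178.104.22 yields no DNSBL target, which is the outcome Bill Cole expects from ALL_TRUSTED; with only the local MX trusted, the relay's own address 116.251.209.92 becomes the last external hop and is the one to look up.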
Re: Multiple RBLs and dynamic IPs
Posted by Reindl Harald <h....@thelounge.net>.
On 31.05.2016 at 00:59, Reindl Harald wrote:
>
>
> On 31.05.2016 at 00:57, Reindl Harald wrote:
>> On 31.05.2016 at 00:49, Alex wrote:
>>> Hi,
>>>
>>>>> So I created the RCVD_IN_XBL_ALL "deep header" rule and have since
>>>>> reduced its score. However, there's still RCVD_IN_BL_SPAMCOP_NET as
>>>>> part of the default ruleset, which I could of course change, but it's
>>>>> scored 1.3 by default for that same "deep header" IP address.
>>>>>
>>>>> Does that rule deserve some attention to determine whether it should
>>>>> also be reduced by default for the same reason as the SBL/XBL rule?
>>>>
>>>> DUNNO - we disabled all internal RBL's (except mailspike) from start
>>>> because
>>>> we feed postscreen and spamassassin from the same webinterface with
>>>> different scores for both but same lists (and some of them are
>>>> mirrored on
>>>> the local rbldnsd with different names in the own domain)
>>>
>>> So then what were all those RBLs you listed initially with their
>>> weights? bl.spamcop.net was among them...
>>
>> can't say initially - maintained starting summer 2014 - current state
>>
>> don't use anything ending with "thelounge.net", our public nameservers
>> answers always with 127.0.0.2 to stop users which blind copy&paste
>> because they have no access to that zones and there was a lot of useless
>> response-rate-limitings
>>
>> in case of mirrored zones the alias contains the real list
>>
>> hopefully that gets displayed somehow usable in the mail
>
> did not - attached as textfile this time
below some numbers from the current month showing why postscreen in
front is that important (at the moment 250 MHz CPU usage on the virtual
machine with 2% for journald/rsyslog writing maillog) for performance
while the 434722 dnsbl-rejects are only a small part of the game
the "Hangup: 665860" did not wait for the result at all and closed the
connection because "postscreen_greet_wait = ${stress?2}${stress:12}s"
70% of all that crap is from the last 7 days where numbers started to
explode, on the inbound-mx as well as on our honeypot network
blacklisted currently 50000 ip's while normally 15000-20000 and lists at
the moment 21161 blacklistings refreshed within the last 24 hours
BAYES_00 27216 73.67 %
BAYES_05 804 2.17 %
BAYES_20 1067 2.88 %
BAYES_40 901 2.43 %
BAYES_50 3110 8.41 %
BAYES_60 358 0.96 % 8.91 % (OF TOTAL BLOCKED)
BAYES_80 347 0.93 % 8.64 % (OF TOTAL BLOCKED)
BAYES_95 293 0.79 % 7.29 % (OF TOTAL BLOCKED)
BAYES_99 2845 7.70 % 70.84 % (OF TOTAL BLOCKED)
BAYES_999 2503 6.77 % 62.32 % (OF TOTAL BLOCKED)
DNSWL 52213 94.10 %
SPF 36458 65.70 %
SPF/DKIM WL 16232 29.25 %
SHORTCIRCUIT 18515 33.36 %
BLOCKED 4016 7.23 %
SPAMMY 3843 6.92 % 95.69 % (OF TOTAL BLOCKED)
spamhaus.org 321543
sorbs.net 60687
inps.de 35828
barracudacentral.org 9023
thelounge.net 5255
junkemailfilter.com 939
psbl.org 437
manitu.net 380
senderscore.com 234
mailspike.net 217
spamcannibal.org 102
spamcop.net 70
swinog.ch 7
=================================
Total DNSBL rejections: 434722
_____________________________________________________
Connections: 806720
Postscreen WL: 29636 (3.67 %)
Delivered: 52751
Blocked: 753969
Invalid User: 7288
Disallowed User: 12
Reject Postscreen: 438583
Reject Postfix: 15419
Reject Milter: 4201
Reject Temporary: 1266
Greylisted: 1464
Blacklist: 436079
Pregreet: 43449
Hangup: 665860
Protocol Error: 1247
Illegal Syntax: 7
SpamAssassin: 4016
Virus (Milter): 180
Virus (SA): 97
Helo: 1644
Subject: 248
From: 65
Attachment: 62
Header Length: 22
Sender Regex: 90
Sender Blocked: 237
Sender Verify: 168
Sender Invalid: 1460
Sender Spoofed: 96
Sender Parked: 13
Spam-TLD: 328
PTR Missing: 297
PTR Generic: 499
SPF: 494
Re: Multiple RBLs and dynamic IPs
Posted by Reindl Harald <h....@thelounge.net>.
On 31.05.2016 at 00:57, Reindl Harald wrote:
> On 31.05.2016 at 00:49, Alex wrote:
>> Hi,
>>
>>>> So I created the RCVD_IN_XBL_ALL "deep header" rule and have since
>>>> reduced its score. However, there's still RCVD_IN_BL_SPAMCOP_NET as
>>>> part of the default ruleset, which I could of course change, but it's
>>>> scored 1.3 by default for that same "deep header" IP address.
>>>>
>>>> Does that rule deserve some attention to determine whether it should
>>>> also be reduced by default for the same reason as the SBL/XBL rule?
>>>
>>> DUNNO - we disabled all internal RBL's (except mailspike) from start
>>> because
>>> we feed postscreen and spamassassin from the same webinterface with
>>> different scores for both but same lists (and some of them are
>>> mirrored on
>>> the local rbldnsd with different names in the own domain)
>>
>> So then what were all those RBLs you listed initially with their
>> weights? bl.spamcop.net was among them...
>
> can't say initially - maintained starting summer 2014 - current state
>
> don't use anything ending with "thelounge.net", our public nameservers
> answers always with 127.0.0.2 to stop users which blind copy&paste
> because they have no access to that zones and there was a lot of useless
> response-rate-limitings
>
> in case of mirrored zones the alias contains the real list
>
> hopefully that gets displayed somehow usable in the mail
did not - attached as textfile this time
Re: Multiple RBLs and dynamic IPs
Posted by Reindl Harald <h....@thelounge.net>.
On 31.05.2016 at 00:49, Alex wrote:
> Hi,
>
>>> So I created the RCVD_IN_XBL_ALL "deep header" rule and have since
>>> reduced its score. However, there's still RCVD_IN_BL_SPAMCOP_NET as
>>> part of the default ruleset, which I could of course change, but it's
>>> scored 1.3 by default for that same "deep header" IP address.
>>>
>>> Does that rule deserve some attention to determine whether it should
>>> also be reduced by default for the same reason as the SBL/XBL rule?
>>
>> DUNNO - we disabled all internal RBL's (except mailspike) from start because
>> we feed postscreen and spamassassin from the same webinterface with
>> different scores for both but same lists (and some of them are mirrored on
>> the local rbldnsd with different names in the own domain)
>
> So then what were all those RBLs you listed initially with their
> weights? bl.spamcop.net was among them...
can't say initially - maintained starting summer 2014 - current state
don't use anything ending with "thelounge.net", our public nameservers
always answer with 127.0.0.2 to stop users who blindly copy&paste
because they have no access to those zones and there was a lot of useless
response-rate-limiting
in case of mirrored zones the alias contains the real list
hopefully that gets displayed somehow usable in the mail
+-------------------------------------+--------+---------------------+-------------------------------+----------+------------------------------+
| name                                | weight | resp                | alias                         | sa_weigt | sa_resp                      |
+-------------------------------------+--------+---------------------+-------------------------------+----------+------------------------------+
| dnsbl.thelounge.net                 |     16 | 127.0.0.2           | dnsbl.thelounge.net           |        7 | ^127\.0\.0\.2$               |
| dnsbl.sorbs.net                     |      9 | 127.0.0.10          | dul.dnsbl.sorbs.net           |      6.5 | ^127\.0\.0\.10$              |
| dnsbl.sorbs.net                     |      9 | 127.0.0.14          | noserver.dnsbl.sorbs.net      |      6.5 | ^127\.0\.0\.14$              |
| zen.spamhaus.org                    |      8 | 127.0.0.[10;11]     | pbl.spamhaus.org              |      6.5 | ^127\.0\.0\.1[01]$           |
| zen.spamhaus.org                    |      7 | 127.0.0.[4..7]      | xbl.spamhaus.org              |      5.5 | ^127\.0\.0\.[4-7]$           |
| dnsbl.sorbs.net                     |      7 | 127.0.0.5           | smtp.dnsbl.sorbs.net          |      5.5 | ^127\.0\.0\.5$               |
| b.barracudacentral.org              |      7 | 127.0.0.2           | b.barracudacentral.org        |        5 | ^127\.0\.0\.2$               |
| zen.spamhaus.org                    |      7 | 127.0.0.3           | css.spamhaus.org              |        5 | ^127\.0\.0\.3$               |
| dnsbl.inps.de                       |      7 | 127.0.0.2           | dnsbl.inps.de                 |        5 | ^127\.0\.0\.2$               |
| dnsbl-ix.thelounge.net              |      4 | 127.0.0.2           | ix.dnsbl.manitu.net           |      2.5 | ^127\.0\.0\.2$               |
| dnsbl.sorbs.net                     |      4 | 127.0.0.7           | web.dnsbl.sorbs.net           |      4.5 | ^127\.0\.0\.7$               |
| bl.spamcop.net                      |      4 | 127.0.0.2           | bl.spamcop.net                |      2.5 | ^127\.0\.0\.2$               |
| bl.mailspike.net                    |      4 | 127.0.0.2           | z.mailspike.net               |        0 |                              |
| bl.mailspike.net                    |      4 | 127.0.0.[10;11;12]  | bl.mailspike.net              |        0 |                              |
| hostkarma.junkemailfilter.com       |      4 | 127.0.0.2           | hostkarma.junkemailfilter.com |      3.5 | ^127\.0\.0\.2$               |
| dnsbl-surriel.thelounge.net         |      4 | 127.0.0.2           | psbl.surriel.com              |      2.5 | ^127\.0\.0\.2$               |
| bl.spameatingmonkey.net             |      4 | 127.0.0.[2;3]       | bl.spameatingmonkey.net       |      2.5 | ^127\.0\.0\.[23]$            |
| dnsrbl.swinog.ch                    |      4 | 127.0.0.3           | dnsrbl.swinog.ch              |      2.5 | ^127\.0\.0\.3$               |
| dnsbl-spamcannibal.thelounge.net    |      3 | 127.0.0.2           | bl.spamcannibal.org           |      1.5 | ^127\.0\.0\.2$               |
| dnsbl.sorbs.net                     |      3 | 127.0.0.6           | spam.dnsbl.sorbs.net          |      1.5 | ^127\.0\.0\.6$               |
| score.senderscore.com               |      3 | 127.0.4.[0..20]     | senderscore.com High          |      1.5 | ^127\.0\.4\.(1?[0-9]|20)$    |
| zen.spamhaus.org                    |      3 | 127.0.0.2           | sbl.spamhaus.org              |      1.5 | ^127\.0\.0\.2$               |
| hostkarma.junkemailfilter.com       |      2 | 127.0.0.4           | hostkarma.junkemailfilter.com |      1.5 | ^127\.0\.0\.4$               |
| dnsbl-uce.thelounge.net             |      2 | 127.0.0.2           | dnsbl-1.uceprotect.net        |        1 | ^127\.0\.0\.2$               |
| dnsbl.sorbs.net                     |      2 | 127.0.0.9           | zombie.dnsbl.sorbs.net        |      1.5 | ^127\.0\.0\.9$               |
| dnsbl.sorbs.net                     |      2 | 127.0.0.8           | block.dnsbl.sorbs.net         |      1.5 | ^127\.0\.0\.8$               |
| all.spamrats.com                    |      2 | 127.0.0.38          | spam.spamrats.com             |        1 | ^127\.0\.0\.38$              |
| dnsbl.sorbs.net                     |      1 | 127.0.0.4           | misc.dnsbl.sorbs.net          |        1 | ^127\.0\.0\.4$               |
| dnsbl.sorbs.net                     |      1 | 127.0.0.3           | socks.dnsbl.sorbs.net         |        1 | ^127\.0\.0\.3$               |
| dnsbl.sorbs.net                     |      1 | 127.0.0.2           | http.dnsbl.sorbs.net          |        1 | ^127\.0\.0\.2$               |
| dnsbl-uce-2.thelounge.net           |      1 | 127.0.0.2           | dnsbl-2.uceprotect.net        |        1 | ^127\.0\.0\.2$               |
| score.senderscore.com               |      1 | 127.0.4.[0..69]     | senderscore.com Medium        |        1 | ^127\.0\.4\.(0?[0-6]?[0-9])$ |
| dnsbl-backscatterer.thelounge.net   |      1 | 127.0.0.2           | ips.backscatterer.org         |      0.1 | ^127\.0\.0\.2$               |
| dnsbl.sorbs.net                     |      1 | 127.0.0.15          | virus.dnsbl.sorbs.net         |      0.5 | ^127\.0\.0\.15$              |
| bl.nszones.com                      |      1 | 127.0.0.[2;3]       | bl.nszones.com                |        1 | ^127\.0\.0\.[23]$            |
| hostkarma.junkemailfilter.com       |      1 | 127.0.1.2           | hostkarma.junkemailfilter.com |      0.5 | ^127\.0\.1\.2$               |
| score.senderscore.com               |     -1 | 127.0.4.[90..100]   | Low Trust                     |     -0.1 | ^127\.0\.4\.(9[0-9]|100)$    |
| bl.nszones.com                      |     -1 | 127.0.0.5           | Low Trust                     |     -0.1 | ^127\.0\.0\.5$               |
| hostkarma.junkemailfilter.com       |     -2 | 127.0.0.1           | Low Trust                     |     -0.1 | ^127\.0\.0\.1$               |
| list.dnswl.org                      |     -2 | 127.0.[0..255].0    | No Trust                      |     -0.1 | ^127\.0\.\d+\.0$             |
| wl.mailspike.net                    |     -2 | 127.0.0.[18;19;20]  | Good Reputation               |        0 |                              |
| dnswl-whitelisted-org.thelounge.net |     -2 | 127.0.0.2           | No Trust                      |     -0.1 | ^127\.0\.0\.2$               |
| dnswl.inps.de                       |     -2 | 127.0.[0;1].[2..10] | Low Trust                     |     -0.3 | ^127\.0\.[01]\.[2-9]$        |
| dnswl-aggregate.thelounge.net       |     -3 | 127.0.0.5           | Low Trust                     |     -0.6 | ^127\.0\.0\.5$               |
| dnswl-aggregate.thelounge.net       |     -3 | 127.0.0.6           | No Trust                      |     -0.2 | ^127\.0\.0\.6$               |
| list.dnswl.org                      |     -3 | 127.0.[0..255].1    | Low Trust                     |     -0.1 | ^127\.0\.\d+\.1$             |
| list.dnswl.org                      |     -4 | 127.0.[0..255].2    | Medium Trust                  |     -0.3 | ^127\.0\.\d+\.2$             |
| list.dnswl.org                      |     -5 | 127.0.[0..255].3    | High Trust                    |     -0.5 | ^127\.0\.\d+\.3$             |
| dnswl-aggregate.thelounge.net       |     -8 | 127.0.0.4           | Medium Trust                  |     -1.5 | ^127\.0\.0\.4$               |
| dnswl-aggregate.thelounge.net       |    -16 | 127.0.0.3           | High Trust                    |     -3.5 | ^127\.0\.0\.3$               |
| dnswl-aggregate.thelounge.net       |    -24 | 127.0.0.2           | Full Trust                    |     -4.5 | ^127\.0\.0\.2$               |
+-------------------------------------+--------+---------------------+-------------------------------+----------+------------------------------+
51 rows in set (0.00 sec)
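The two weight tables Reindl Harald posted (the short spamass_weight list earlier in the thread and the full name/resp/alias table above) only make sense together with the return-code column: one zone such as zen.spamhaus.org or dnsbl.sorbs.net answers with different 127.0.0.x codes for different sub-lists, and each code maps to its own postscreen weight and SpamAssassin weight. The following is an added example of applying such a table, written for this page; it is not Reindl's web interface or rbldnsd setup. The rule subset is copied from the table; the DNSBL answers are constructed and no DNS is queried. It also shows the edge case a scorer has to handle: a code no rule matches (an error marker, a sub-list you never configured) is reported but never scored.

```python
import re
from collections import namedtuple

Rule = namedtuple("Rule", "zone resp_re weight sa_weight alias")

# Subset of the posted table: zone, return-code regex, postscreen weight,
# SpamAssassin weight, alias.  Values are from the thread; the selection is ours.
RULES = [
    Rule("zen.spamhaus.org",      r"^127\.0\.0\.1[01]$",          8,  6.5, "pbl.spamhaus.org"),
    Rule("zen.spamhaus.org",      r"^127\.0\.0\.[4-7]$",          7,  5.5, "xbl.spamhaus.org"),
    Rule("zen.spamhaus.org",      r"^127\.0\.0\.3$",              7,  5,   "css.spamhaus.org"),
    Rule("zen.spamhaus.org",      r"^127\.0\.0\.2$",              3,  1.5, "sbl.spamhaus.org"),
    Rule("dnsbl.sorbs.net",       r"^127\.0\.0\.10$",             9,  6.5, "dul.dnsbl.sorbs.net"),
    Rule("dnsbl.sorbs.net",       r"^127\.0\.0\.7$",              4,  4.5, "web.dnsbl.sorbs.net"),
    Rule("bl.spamcop.net",        r"^127\.0\.0\.2$",              4,  2.5, "bl.spamcop.net"),
    Rule("score.senderscore.com", r"^127\.0\.4\.(9[0-9]|100)$",  -1, -0.1, "Low Trust"),
    Rule("list.dnswl.org",        r"^127\.0\.\d+\.3$",           -5, -0.5, "High Trust"),
]

# Constructed lookup results for one client IP: zone -> A records returned
# (empty list = not listed).  The 127.255.255.254 answer is a made-up
# out-of-range code standing in for an error/"query refused" marker.
SAMPLE_LOOKUPS = {
    "zen.spamhaus.org": ["127.0.0.4", "127.0.0.11", "127.255.255.254"],  # XBL + PBL
    "dnsbl.sorbs.net": ["127.0.0.10"],                                    # DUL
    "bl.spamcop.net": ["127.0.0.2"],
    "score.senderscore.com": ["127.0.4.95"],                              # good score
    "list.dnswl.org": [],                                                 # not listed
}


def score_lookups(lookups: dict, rules=RULES) -> dict:
    """Apply the weight table to DNSBL answers.

    A code adds points only when a rule for that zone matches it, so a zone
    that starts returning codes you never configured cannot silently change
    your scoring; such codes are listed under "unmatched" for review."""
    hits, unmatched, positive = [], [], set()
    ps_total = sa_total = 0.0
    for zone, codes in lookups.items():
        zone_rules = [r for r in rules if r.zone == zone]
        for code in codes:
            matched = False
            for rule in zone_rules:
                if re.search(rule.resp_re, code):
                    hits.append(rule.alias)
                    ps_total += rule.weight
                    sa_total += rule.sa_weight
                    if rule.weight > 0:
                        positive.add(rule.alias)   # distinct blacklists hit
                    matched = True
            if not matched:
                unmatched.append((zone, code))
    return {
        "postscreen": round(ps_total, 2),
        "spamassassin": round(sa_total, 2),
        "hits": hits,
        "positive_lists": len(positive),   # input for a "multiple RBLs" meta rule
        "unmatched": unmatched,
    }


if __name__ == "__main__":
    print(score_lookups(SAMPLE_LOOKUPS))
```

For the constructed answers the same four listings come out at 27 postscreen points but only 20.9 SpamAssassin points, which is the "different scores for both but same lists" arrangement described in the thread; the stray 127.255.255.254 answer shows up in "unmatched" and contributes nothing.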
Re: Multiple RBLs and dynamic IPs
Posted by Alex <my...@gmail.com>.
Hi,
>> So I created the RCVD_IN_XBL_ALL "deep header" rule and have since
>> reduced its score. However, there's still RCVD_IN_BL_SPAMCOP_NET as
>> part of the default ruleset, which I could of course change, but it's
>> scored 1.3 by default for that same "deep header" IP address.
>>
>> Does that rule deserve some attention to determine whether it should
>> also be reduced by default for the same reason as the SBL/XBL rule?
>
> DUNNO - we disabled all internal RBL's (except mailspike) from start because
> we feed postscreen and spamassassin from the same webinterface with
> different scores for both but same lists (and some of them are mirrored on
> the local rbldnsd with different names in the own domain)
So then what were all those RBLs you listed initially with their
weights? bl.spamcop.net was among them...
Re: Multiple RBLs and dynamic IPs
Posted by Reindl Harald <h....@thelounge.net>.
On 30.05.2016 at 21:49, Alex wrote:
>>> Yeah, that's it exactly. Particularly overseas where it doesn't appear
>>> NAT and/or submission are used as readily as they are here.
>>
>>
>> with carrier grade NAT and "DS-Lite" aka "public ipv6 but NAT ipv4" becoming
>> more and more common the problem is and will be growing fast
>>
>>> So even though that IP is on virtually every blacklist, you wouldn't
>>> add any points? And there's nothing further the user could do to fix
>>> the problem, given the dynamic nature of the IP?
>>
>> no, see above
>>
>> with enough blacklists in the scoring for last-external you get the
>> offending mailservers with hacked useraccounts blacklisted fast enough and
>> in many cases faster because the submission ip's of a hacked account are
>> changing fast
>>
>> saw that the very few times it happened for customers of us where the
>> submission clients came from all over the world - because of rate-limiting
>> and a good monitoring of the mailqueue (how many mails are queued to the
>> outside world) it was each time a short enough timeframe to shut down the
>> affected account and avoid blacklisting (some abuse reports answered
>> promptly)
>>
>> so at the end of the day it's enough to check the last-external for good
>> results and not affect innocent clients which got a dynamic address abused 30
>> minutes before by a different enduser or by a user sitting behind the same
>> ISP NAT
>
> So I created the RCVD_IN_XBL_ALL "deep header" rule and have since
> reduced its score. However, there's still RCVD_IN_BL_SPAMCOP_NET as
> part of the default ruleset, which I could of course change, but it's
> scored 1.3 by default for that same "deep header" IP address.
>
> Does that rule deserve some attention to determine whether it should
> also be reduced by default for the same reason as the SBL/XBL rule?
DUNNO - we disabled all internal RBL's (except mailspike) from start
because we feed postscreen and spamassassin from the same webinterface
with different scores for both but same lists (and some of them are
mirrored on the local rbldnsd with different names in the own domain)
Re: Multiple RBLs and dynamic IPs
Posted by Alex <my...@gmail.com>.
Hi,
>> Yeah, that's it exactly. Particularly overseas where it doesn't appear
>> NAT and/or submission are used as readily as they are here.
>
>
> with carrier grade NAT and "DS-Lite" aka "public ipv6 but NAT ipv4" becoming
> more and more common the problem is and will be growing fast
>
>> So even though that IP is on virtually every blacklist, you wouldn't
>> add any points? And there's nothing further the user could do to fix
>> the problem, given the dynamic nature of the IP?
>
>
> no, see above
>
> with enough blacklists in the scoring for last-external you get the
> offending mailservers with hacked useraccounts blacklisted fast enough and
> in many cases faster because the submission ip's of a hacked account are
> changing fast
>
> saw that the very few times it happened for customers of us where the
> submission clients came from all over the world - because of rate-limiting
> and a good monitoring of the mailqueue (how many mails are queued to the
> outside world) it was each time a short enough timeframe to shut down the
> affected account and avoid blacklisting (some abuse reports answered
> promptly)
>
> so at the end of the day it's enough to check the last-external for good
> results and not affect innocent clients which got a dynamic address abused 30
> minutes before by a different enduser or by a user sitting behind the same
> ISP NAT
So I created the RCVD_IN_XBL_ALL "deep header" rule and have since
reduced its score. However, there's still RCVD_IN_BL_SPAMCOP_NET as
part of the default ruleset, which I could of course change, but it's
scored 1.3 by default for that same "deep header" IP address.
Does that rule deserve some attention to determine whether it should
also be reduced by default for the same reason as the SBL/XBL rule?
Thanks,
Alex
Re: Multiple RBLs and dynamic IPs
Posted by Reindl Harald <h....@thelounge.net>.
On 30.05.2016 at 21:07, Alex wrote:
>> it's nonsense to give points for dynamic enduser machines, they are
>> *typically* on a lot of blacklists and the users behind are changing all the
>> time
>>
>> when you want to know why - try to use sbl-xbl as suggested by spiderlabs
>> for a web-application-firewall, did that *only* for form-submissions and
>> reverted it after few hours on a sunday because support hell with no good
>> excuse
>
> Yeah, that's it exactly. Particularly overseas where it doesn't appear
> NAT and/or submission are used as readily as they are here.
with carrier grade NAT and "DS-Lite" aka "public ipv6 but NAT ipv4"
becoming more and more common the problem is and will be growing fast
> So even though that IP is on virtually every blacklist, you wouldn't
> add any points? And there's nothing further the user could do to fix
> the problem, given the dynamic nature of the IP?
no, see above
with enough blacklists in the scoring for last-external you get the
offending mailservers with hacked useraccounts blacklisted fast enough
and in many cases faster because the submission ip's of a hacked account
are changing fast
saw that the very few times it happened for customers of us where the
submission clients came from all over the world - because of
rate-limiting and a good monitoring of the mailqueue (how many mails are
queued to the outside world) it was each time a short enough timeframe
to shut down the affected account and avoid blacklisting (some abuse
reports answered promptly)
so at the end of the day it's enough to check the last-external for good
results and not affect innocent clients which got a dynamic address
abused 30 minutes before by a different enduser or by a user sitting
behind the same ISP NAT
Re: Multiple RBLs and dynamic IPs
Posted by Alex <my...@gmail.com>.
Hi,
>>>>> "RCVD_IN_XBL_ALL" smells like deep header inspection
>>>>>
>>>>
>>>> The question was:
>>>>
>>>> "How many points do you add to an email that *originated*
>>>> from a dynamic IP that [is] on a number of blacklists?"
>>>
>>>
>>> no - that was the question of the OP
>>> i responded long ago with config values
>>
>>
>> You're probably misunderstanding the precise meaning of "originated".
>
>
> well *no points at all* if we talk about the client using a submission
> server and not about the server itself deliver the mail to our machine
>
> you can do that only for your *personal* mail, but it's a no-go if you host
> users
>
>>> the question above is a different one while i can't parse it completely
>>
>>
>> The question is about an email from a client IP that's in a lot of
>> blacklists.
>>
>> The IP address that's in the blacklists, 180.178.104.22, authenticated
>>
>> Received: from [180.178.104.22] (port=51022 helo=CapriciousDude)
>> by vio1.naveca.biz with esmtpa (Exim 4.87)
>
>
> it's nonsense to give points for dynamic enduser machines, they are
> *typically* on a lot of blacklists and the users behind are changing all the
> time
>
> when you want to know why - try to use sbl-xbl as suggested by spiderlabs
> for a web-application-firewall, did that *only* for form-submissions and
> reverted it after few hours on a sunday because support hell with no good
> excuse
Yeah, that's it exactly. Particularly overseas where it doesn't appear
NAT and/or submission are used as readily as they are here.
So even though that IP is on virtually every blacklist, you wouldn't
add any points? And there's nothing further the user could do to fix
the problem, given the dynamic nature of the IP?
Thanks,
Alex
Re: Multiple RBLs and dynamic IPs
Posted by Reindl Harald <h....@thelounge.net>.
On 30.05.2016 at 20:45, RW wrote:
> On Mon, 30 May 2016 19:59:10 +0200
> Reindl Harald wrote:
>
>> On 30.05.2016 at 18:11, RW wrote:
>>> On Mon, 30 May 2016 14:12:27 +0200
>>> Reindl Harald wrote:
>
>>>> "RCVD_IN_XBL_ALL" smells like deep header inspection
>>>>
>>>
>>> The question was:
>>>
>>> "How many points do you add to an email that *originated*
>>> from a dynamic IP that [is] on a number of blacklists?"
>>
>> no - that was the question of the OP
>> i responded long ago with config values
>
> You're probably misunderstanding the precise meaning of "originated".
well *no points at all* if we talk about the client using a submission
server and not about the server itself deliver the mail to our machine
you can do that only for your *personal* mail, but it's a no-go if you
host users
>> the question above is a different one while i can't parse it completely
>
> The question is about an email from a client IP that's in a lot of
> blacklists.
>
> The IP address that's in the blacklists, 180.178.104.22, authenticated
>
> Received: from [180.178.104.22] (port=51022 helo=CapriciousDude)
> by vio1.naveca.biz with esmtpa (Exim 4.87)
it's nonsense to give points for dynamic enduser machines, they are
*typically* on a lot of blacklists and the users behind are changing all
the time
when you want to know why - try to use sbl-xbl as suggested by
spiderlabs for a web-application-firewall, did that *only* for
form-submissions and reverted it after few hours on a sunday because
support hell with no good excuse
Re: Multiple RBLs and dynamic IPs
Posted by RW <rw...@googlemail.com>.
On Mon, 30 May 2016 19:59:10 +0200
Reindl Harald wrote:
> On 30.05.2016 at 18:11, RW wrote:
> > On Mon, 30 May 2016 14:12:27 +0200
> > Reindl Harald wrote:
> >
> >> "RCVD_IN_XBL_ALL" smells like deep header inspection
> >>
> >
> > The question was:
> >
> > "How many points do you add to an email that *originated*
> > from a dynamic IP that [is] on a number of blacklists?"
>
> no - that was the question of the OP
> i responded long ago with config values
You're probably misunderstanding the precise meaning of "originated".
> the question above is a different one while i can't parse it completely
The question is about an email from a client IP that's in a lot of
blacklists.
The IP address that's in the blacklists, 180.178.104.22, authenticated
Received: from [180.178.104.22] (port=51022 helo=CapriciousDude)
by vio1.naveca.biz with esmtpa (Exim 4.87)
And RCVD_IN_DNSWL_NONE rules out it being a test on outgoing mail.
Re: Multiple RBLs and dynamic IPs
Posted by Reindl Harald <h....@thelounge.net>.
Am 30.05.2016 um 18:11 schrieb RW:
> On Mon, 30 May 2016 14:12:27 +0200
> Reindl Harald wrote:
>
>> Am 30.05.2016 um 14:10 schrieb Matthias Leisi:
>>> Hm, that looks odd:
>>>
>>>> Am 27.05.2016 um 20:15 schrieb Alex <mysqlstudent@gmail.com
>>>> <ma...@gmail.com>>:
>>>
>>>> X-Spam-Report:
>>>> * -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at
>>>> http://www.dnswl.org/, no
>>>> * trust
>>>> * [116.251.209.92 listed in list.dnswl.org
>>>> <http://list.dnswl.org>]
>>> ---------------------^
>>>> * 0.0 RCVD_IN_XBL_ALL RBL: Received via a relay in Spamhaus
>>>> SBL-XBL
>>>> * [180.178.104.22 listed in mykey.zen.dq.spamhaus.net
>>>> <http://mykey.zen.dq.spamhaus.net>]
>>> ---------------------^
>>>
>>> Why do these two different IPs show up? _NONE for 116.251.209.92
>>> does not add any points, but if that IP ever gets a higher score at
>>> dnswl.org <http://dnswl.org>, then it may affect the accuracy of
>>> your spamfilter.
>>>
>>> Is that a legitimate forwarder IP?
>>
>> "RCVD_IN_XBL_ALL" smells like deep header inspection
>>
>
> The question was:
>
> "How many points do you add to an email that *originated*
> from a dynamic IP that [is] on a number of blacklists?"
no - that was the question of the OP
i responded long ago with config values
the question above is a different one while i can't parse it completely
Am 27.05.2016 um 20:15 schrieb Alex:
> How many points do you add to an email that originated from a dynamic
> IP that on a number of blacklists?
>
> This 180.178.104.22 is an IP from a customer in Indonesia:
>
> Received: from [180.178.104.22] (port=51022 helo=CapriciousDude)
> by vio1.naveca.biz with esmtpa (Exim 4.87)
> (envelope-from <it...@example.com>)
> id 1b6FMu-00087L-42; Fri, 27 May 2016 18:51:52 +0800
>
> This IP is on virtually every blacklist, but it doesn't necessarily
> mean it's the result of something this particular customer/user did
doesn't matter - an enduser IP has no business delivering mail on port 25
anywhere
+----------------+-------------------------------+
| spamass_weight | alias                         |
+----------------+-------------------------------+
|            6.5 | pbl.spamhaus.org              |
|            6.5 | dul.dnsbl.sorbs.net           |
|            6.5 | noserver.dnsbl.sorbs.net      |
|            5.5 | smtp.dnsbl.sorbs.net          |
|            5.5 | xbl.spamhaus.org              |
|              5 | b.barracudacentral.org        |
|              5 | dnsbl.inps.de                 |
|              5 | css.spamhaus.org              |
|            4.5 | web.dnsbl.sorbs.net           |
|            3.5 | hostkarma.junkemailfilter.com |
|            2.5 | ix.dnsbl.manitu.net           |
|            2.5 | psbl.surriel.com              |
|            2.5 | dnsrbl.swinog.ch              |
|            2.5 | bl.spameatingmonkey.net       |
|            2.5 | bl.spamcop.net                |
|            1.5 | senderscore.com High          |
|            1.5 | hostkarma.junkemailfilter.com |
|            1.5 | block.dnsbl.sorbs.net         |
|            1.5 | bl.spamcannibal.org           |
|            1.5 | zombie.dnsbl.sorbs.net        |
|            1.5 | spam.dnsbl.sorbs.net          |
|            1.5 | sbl.spamhaus.org              |
|              1 | senderscore.com Medium        |
|              1 | bl.nszones.com                |
|              1 | http.dnsbl.sorbs.net          |
|              1 | socks.dnsbl.sorbs.net         |
|              1 | spam.spamrats.com             |
|              1 | misc.dnsbl.sorbs.net          |
|              1 | dnsbl-1.uceprotect.net        |
|              1 | dnsbl-2.uceprotect.net        |
|            0.5 | hostkarma.junkemailfilter.com |
|            0.5 | virus.dnsbl.sorbs.net         |
|            0.1 | ips.backscatterer.org         |
+----------------+-------------------------------+
Re: Multiple RBLs and dynamic IPs
Posted by RW <rw...@googlemail.com>.
On Mon, 30 May 2016 14:12:27 +0200
Reindl Harald wrote:
> Am 30.05.2016 um 14:10 schrieb Matthias Leisi:
> > Hm, that looks odd:
> >
> >> Am 27.05.2016 um 20:15 schrieb Alex <mysqlstudent@gmail.com
> >> <ma...@gmail.com>>:
> >
> >> X-Spam-Report:
> >> * -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at
> >> http://www.dnswl.org/, no
> >> * trust
> >> * [116.251.209.92 listed in list.dnswl.org
> >> <http://list.dnswl.org>]
> > ---------------------^
> >> * 0.0 RCVD_IN_XBL_ALL RBL: Received via a relay in Spamhaus
> >> SBL-XBL
> >> * [180.178.104.22 listed in mykey.zen.dq.spamhaus.net
> >> <http://mykey.zen.dq.spamhaus.net>]
> > ---------------------^
> >
> > Why do these two different IPs show up? _NONE for 116.251.209.92
> > does not add any points, but if that IP ever gets a higher score at
> > dnswl.org <http://dnswl.org>, then it may affect the accuracy of
> > your spamfilter.
> >
> > Is that a legitimate forwarder IP?
>
> "RCVD_IN_XBL_ALL" smells like deep header inspection
>
The question was:
"How many points do you add to an email that *originated*
from a dynamic IP that [is] on a number of blacklists?"
Re: Multiple RBLs and dynamic IPs
Posted by Reindl Harald <h....@thelounge.net>.
Am 30.05.2016 um 14:10 schrieb Matthias Leisi:
> Hm, that looks odd:
>
>> Am 27.05.2016 um 20:15 schrieb Alex <mysqlstudent@gmail.com
>> <ma...@gmail.com>>:
>
>> X-Spam-Report:
>> * -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no
>> * trust
>> * [116.251.209.92 listed in list.dnswl.org <http://list.dnswl.org>]
> ---------------------^
>> * 0.0 RCVD_IN_XBL_ALL RBL: Received via a relay in Spamhaus SBL-XBL
>> * [180.178.104.22 listed in mykey.zen.dq.spamhaus.net
>> <http://mykey.zen.dq.spamhaus.net>]
> ---------------------^
>
> Why do these two different IPs show up? _NONE for 116.251.209.92 does
> not add any points, but if that IP ever gets a higher score at dnswl.org
> <http://dnswl.org>, then it may affect the accuracy of your spamfilter.
>
> Is that a legitimate forwarder IP?
"RCVD_IN_XBL_ALL" smells like deep header inspection
Re: Multiple RBLs and dynamic IPs
Posted by Matthias Leisi <ma...@leisi.net>.
Hm, that looks odd:
> Am 27.05.2016 um 20:15 schrieb Alex <my...@gmail.com>:
> X-Spam-Report:
> * -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no
> * trust
> * [116.251.209.92 listed in list.dnswl.org]
---------------------^
> * 0.0 RCVD_IN_XBL_ALL RBL: Received via a relay in Spamhaus SBL-XBL
> * [180.178.104.22 listed in mykey.zen.dq.spamhaus.net]
---------------------^
Why do these two different IPs show up? _NONE for 116.251.209.92 does not add any points, but if that IP ever gets a higher score at dnswl.org, then it may affect the accuracy of your spamfilter.
Is that a legitimate forwarder IP?
— Matthias
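The thread turns on which relay IP an RBL rule looks up: Matthias asks why two different IPs (116.251.209.92 and 180.178.104.22) appear in one report, RW points out that 180.178.104.22 is an authenticated submission client (Exim's "esmtpa"), and Reindl posts per-zone weights and argues a submission client should not be scored at all. The script below is an added example (not code from any poster, and not SpamAssassin's own implementation) that reproduces that difference offline: it parses a Received chain, picks either the last external relay or every relay ("deep header" checking), and scores the chosen IPs against a weight table. Assumptions made here and not on the page: the outer hop in which the local MX sees vio1.naveca.biz connect from 116.251.209.92, the hypothetical trusted range 192.0.2.0/24, the constructed set of DNSBL listings (chosen to mirror the report: XBL, SORBS web, spamcop), and the `skip_authenticated` policy, which is this example's own switch for "don't score an authenticated client", not a SpamAssassin option. The weights are the four entries taken from Reindl's table.

```python
"""Which relay IP does an RBL rule test? (added example, not the list's code)"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed Received chain, nearest-to-us hop first. Hop 2 is the header
# quoted in the thread (Exim "esmtpa" = authenticated submission from the
# dynamic address). Hop 1 is an ASSUMPTION: our MX saw vio1.naveca.biz
# connect from 116.251.209.92, which yields the two IPs in the X-Spam-Report.
RECEIVED = [
    "from vio1.naveca.biz ([116.251.209.92]) by mx.example.invalid "
    "with esmtps (Exim 4.87)",
    "from [180.178.104.22] (port=51022 helo=CapriciousDude) "
    "by vio1.naveca.biz with esmtpa (Exim 4.87)",
]

# Networks whose Received headers we trust (hypothetical range for our own MX).
TRUSTED = ["192.0.2.0/24"]

# Four zone weights taken from the table posted in the thread.
WEIGHTS = {
    "pbl.spamhaus.org": 6.5,
    "xbl.spamhaus.org": 5.5,
    "web.dnsbl.sorbs.net": 4.5,
    "bl.spamcop.net": 2.5,
}

# Constructed stand-in for DNS: query names that would resolve (= listed).
# Mirrors the report: the dynamic IP is on XBL, SORBS web and spamcop;
# the forwarding server is listed nowhere.
LISTED = {
    "22.104.178.180.xbl.spamhaus.org",
    "22.104.178.180.web.dnsbl.sorbs.net",
    "22.104.178.180.bl.spamcop.net",
}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
AUTH_RE = re.compile(r"\bwith\s+esmtps?a\b")  # Exim: esmtpa/esmtpsa = authenticated


@dataclass
class Hop:
    ip: ipaddress.IPv4Address
    authenticated: bool


def parse_hops(received):
    """Received headers (nearest-to-us first) -> list of Hop."""
    hops = []
    for header in received:
        m = IP_RE.search(header)
        if m:
            hops.append(Hop(ipaddress.ip_address(m.group(1)),
                            bool(AUTH_RE.search(header))))
    return hops


def dnsbl_query_name(ip, zone):
    """Standard DNSBL convention: reversed octets under the zone name."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def last_external(hops, trusted_cidrs):
    """First hop, walking outward from us, whose sending IP is not trusted."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    for hop in hops:
        if not any(hop.ip in net for net in nets):
            return hop.ip
    return None


def candidate_ips(hops, trusted_cidrs, deep=False, skip_authenticated=False):
    """deep=False: only the last external relay.
    deep=True: every relay in the chain (what the thread calls deep header
    inspection); skip_authenticated drops hops that were authenticated
    submissions (this example's own policy switch)."""
    if not deep:
        ip = last_external(hops, trusted_cidrs)
        return [ip] if ip is not None else []
    return [h.ip for h in hops if not (skip_authenticated and h.authenticated)]


def score(ips, weights=WEIGHTS, listed=LISTED):
    """Sum the weight of every zone each candidate IP is listed in."""
    total, hits = 0.0, []
    for ip in ips:
        for zone, weight in weights.items():
            if dnsbl_query_name(ip, zone) in listed:
                total += weight
                hits.append((str(ip), zone))
    return round(total, 1), hits


def score_message(received=RECEIVED, trusted_cidrs=TRUSTED,
                  deep=False, skip_authenticated=False):
    hops = parse_hops(received)
    return score(candidate_ips(hops, trusted_cidrs, deep, skip_authenticated))


if __name__ == "__main__":
    print("lastexternal:", score_message())
    print("deep:        ", score_message(deep=True))
    print("deep, skip authenticated clients:",
          score_message(deep=True, skip_authenticated=True))
```

Run as-is it shows the three outcomes the thread argues about: last-external scoring gives the message 0 from these zones because 116.251.209.92 is the only IP tested; deep checking adds 12.5 because the dynamic client address hits three zones; dropping authenticated hops brings that back to 0. Adding 116.251.209.92/32 to the trusted list makes 180.178.104.22 the last external relay, which is why trusting a customer's server without accounting for its submission clients moves the problem rather than removing it.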