Posted to users@spamassassin.apache.org by Joseph Brennan <br...@columbia.edu> on 2017/12/04 20:20:18 UTC

TO_NO_BRKTS_DYNIP

New rule: TO_NO_BRKTS_DYNIP

Since TO_NO_BRKTS_DYNIP is 2.361 and its component RDNS_DYNAMIC is 2.639,
one gets an even 5.0 score just for sending from
ec2-54-225-189-51.compute-1.amazonaws.com without < > around the To address.

Should the amazonaws.com hosts not be in RDNS_DYNAMIC? I'm not silly enough
to say they are free of spam customers, but they are definitely servers.

Joseph Brennan / Columbia U

Re: TO_NO_BRKTS_DYNIP

Posted by Alan Hodgson <ah...@lists.simkin.ca>.
On Mon, 2017-12-04 at 15:20 -0500, Joseph Brennan wrote:
> New rule: TO_NO_BRKTS_DYNIP
> 
> Since TO_NO_BRKTS_DYNIP is 2.361 and its component RDNS_DYNAMIC is
> 2.639, one gets an even 5.0 score just for sending from ec2-54-225-
> 189-51.compute-1.amazonaws.com without < > around the To address.
> 
> Should the amazonaws.com hosts not be in RDNS_DYNAMIC? I'm not silly
> enough to say they are free of spam customers, but they are
> definitely servers.
> 
> Joseph Brennan / Columbia U
> 
> 

Mail servers don't generally have generic reverse DNS, if they don't
want to be mistaken for end-user IPs or spambots.

https://aws.amazon.com/blogs/aws/reverse-dns-for-ec2s-elastic-ip-addresses/

Re: TO_NO_BRKTS_DYNIP

Posted by Joseph Brennan <br...@columbia.edu>.
>> Those high scores are from the score set without Bayes or net rules
>> where there's often not a lot to go on.
>>
>> The score for TO_NO_BRKTS_DYNIP is autogenerated, the two scores
>> probably add up to exactly 5.000 for good reason.
>>
>> Maybe some special handling for amazonaws.com would be better.
>>
> --
>  - Markus
>

The rule does hit a good amount of spam, judging by my logs.

I think the RDNS_DYNAMIC rule was really about spotting end-user IP blocks.
Amazon happens to use the same kind of pattern for naming its half a
billion servers, like ec2-54-225-189-51.compute-1.amazonaws.com for
54.225.189.51, since like end-user IPs they are interchangeable parts. I'd
be inclined to exclude them from RDNS_DYNAMIC.

Joseph Brennan / Columbia U


PS-- They do have nice matching PTR and A records.
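The post above separates two things that a generic "octets in the hostname" heuristic lumps together: the naming pattern itself, which EC2 shares with end-user address pools, and whether the host's PTR and A records actually match, which they do for EC2. The Python below is an added illustration, not code from SpamAssassin or from anyone in this thread. It applies a dynamic-looking-name heuristic, recognises the ec2-A-B-C-D.<zone>.amazonaws.com form, and verifies forward-confirmed reverse DNS against a constructed PTR/A table that stands in for live lookups (the EC2 hostname and IP are the ones quoted in the thread; the other names and addresses are invented). The final function sketches the exclusion proposed above and is hypothetical, not SpamAssassin's RDNS_DYNAMIC implementation.

```python
import ipaddress
import re

# Constructed sample data standing in for real PTR and A lookups (assumption:
# no network access; only the first entry comes from the thread).
PTR_TABLE = {
    "54.225.189.51": "ec2-54-225-189-51.compute-1.amazonaws.com",
    "54.225.189.52": "ec2-54-225-189-52.compute-1.amazonaws.com",  # invented
    "203.0.113.77": "cpe-203-0-113-77.example-isp.net",            # invented
    "198.51.100.9": "mail.example.org",                            # invented
}
A_TABLE = {
    "ec2-54-225-189-51.compute-1.amazonaws.com": "54.225.189.51",  # matches PTR
    "ec2-54-225-189-52.compute-1.amazonaws.com": "54.225.189.99",  # constructed mismatch
    "mail.example.org": "198.51.100.9",
    # cpe-203-0-113-77.example-isp.net deliberately has no A record
}

# Hypothetical pattern for the EC2 generic reverse-DNS form quoted in the thread.
EC2_RDNS = re.compile(
    r"^ec2-(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.[a-z0-9-]+\.amazonaws\.com$",
    re.IGNORECASE,
)


def looks_dynamic(hostname, ip):
    """Generic 'dynamic-looking' heuristic: the four octets of the IP appear as
    consecutive digit runs in the hostname, in forward or reversed order.
    This is what makes both end-user pools and EC2 names look alike."""
    octets = str(ipaddress.ip_address(ip)).split(".")
    runs = [str(int(r)) for r in re.findall(r"\d+", hostname)]  # drop leading zeros
    for seq in (octets, octets[::-1]):
        for i in range(len(runs) - 3):
            if runs[i:i + 4] == seq:
                return True
    return False


def is_ec2_hostname(hostname, ip=None):
    """True if the name has the ec2-A-B-C-D.<zone>.amazonaws.com shape; when an
    IP is given, the embedded octets must also match that IP."""
    m = EC2_RDNS.match(hostname)
    if not m:
        return False
    if ip is None:
        return True
    return list(m.groups()) == str(ipaddress.ip_address(ip)).split(".")


def classify(ip, ptr_table=PTR_TABLE, a_table=A_TABLE):
    """Resolve the PTR for ip, then confirm it forward (A record back to ip)."""
    ipaddress.ip_address(ip)  # raises on malformed input
    rdns = ptr_table.get(ip)
    if rdns is None:
        return {"rdns": None, "dynamic_pattern": False, "ec2": False, "fcrdns": False}
    return {
        "rdns": rdns,
        "dynamic_pattern": looks_dynamic(rdns, ip),
        "ec2": is_ec2_hostname(rdns, ip),
        "fcrdns": a_table.get(rdns) == ip,  # forward-confirmed reverse DNS
    }


def rdns_dynamic_with_exclusion(ip, ptr_table=PTR_TABLE, a_table=A_TABLE):
    """Hypothetical version of the proposal in the thread: the generic-name
    heuristic still fires on end-user-looking names, but an EC2 name whose PTR
    and A records agree is treated as a provisioned server rather than a
    dynamic host. A spoofed or unconfirmed EC2-looking name still fires."""
    info = classify(ip, ptr_table, a_table)
    if not info["dynamic_pattern"]:
        return False
    if info["ec2"] and info["fcrdns"]:
        return False
    return True


if __name__ == "__main__":
    for ip in PTR_TABLE:
        print(ip, classify(ip), "-> dynamic:", rdns_dynamic_with_exclusion(ip))
```

The design point is that the exclusion keys on the FCrDNS check, not on the amazonaws.com suffix alone: a name that merely looks like an EC2 host but does not resolve back to the sending IP gets no benefit, which keeps the carve-out from becoming a free pass for anyone who controls their own PTR.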

Re: TO_NO_BRKTS_DYNIP

Posted by Markus Clardy <ma...@clardy.eu>.
Amazon AWS machines sending out to the Internet should have a PTR record,
or else they will be on a lot of blacklists as well. Amazon works with a
number of blacklist providers and automatically has IPs without a static
PTR record blacklisted. When you request a PTR record from Amazon, they
then report the IP as clean to a number of blacklist providers to delist
you. In addition, you have a maximum number of outbound SMTP sessions per
day you can make until you request a PTR record. These were all put into
place to prevent spammers from spinning up free tier machines, sending from
clean IPs, and then deleting the machines.

On Mon, Dec 4, 2017 at 11:57 PM, RW <rw...@googlemail.com> wrote:

> On Mon, 4 Dec 2017 12:52:29 -0800 (PST)
> John Hardin wrote:
>
> > On Mon, 4 Dec 2017, Joseph Brennan wrote:
> >
> > > New rule: TO_NO_BRKTS_DYNIP
> >
> > Old rule, perhaps newly promoted and published.
> >
> > > Since TO_NO_BRKTS_DYNIP is 2.361 and its component RDNS_DYNAMIC is
> > > 2.639, one gets an even 5.0 score just for sending from
> > > ec2-54-225-189-51.compute-1.amazonaws.com without < > around the To
> > > address.
> >
> > I'd be open to putting a limit on the score, say 1.5, so that the
> > combination isn't by itself a poison pill.
> >
>
> Those high scores are from the score set without Bayes or net rules
> where there's often not a lot to go on.
>
> The score for TO_NO_BRKTS_DYNIP is autogenerated, the two scores
> probably add up to exactly 5.000 for good reason.
>
> Maybe some special handling for amazonaws.com would be better.
>



-- 
 - Markus

Re: TO_NO_BRKTS_DYNIP

Posted by RW <rw...@googlemail.com>.
On Mon, 4 Dec 2017 12:52:29 -0800 (PST)
John Hardin wrote:

> On Mon, 4 Dec 2017, Joseph Brennan wrote:
> 
> > New rule: TO_NO_BRKTS_DYNIP  
> 
> Old rule, perhaps newly promoted and published.
> 
> > Since TO_NO_BRKTS_DYNIP is 2.361 and its component RDNS_DYNAMIC is
> > 2.639, one gets an even 5.0 score just for sending from
> > ec2-54-225-189-51.compute-1.amazonaws.com without < > around the To
> > address.  
> 
> I'd be open to putting a limit on the score, say 1.5, so that the 
> combination isn't by itself a poison pill.
> 

Those high scores are from the score set without Bayes or net rules
where there's often not a lot to go on.

The score for TO_NO_BRKTS_DYNIP is autogenerated, the two scores
probably add up to exactly 5.000 for good reason.

Maybe some special handling for amazonaws.com would be better.

Re: TO_NO_BRKTS_DYNIP

Posted by John Hardin <jh...@impsec.org>.
On Mon, 4 Dec 2017, Joseph Brennan wrote:

> New rule: TO_NO_BRKTS_DYNIP

Old rule, perhaps newly promoted and published.

> Since TO_NO_BRKTS_DYNIP is 2.361 and its component RDNS_DYNAMIC is 2.639,
> one gets an even 5.0 score just for sending from
> ec2-54-225-189-51.compute-1.amazonaws.com without < > around the To address.

I'd be open to putting a limit on the score, say 1.5, so that the 
combination isn't by itself a poison pill.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Microsoft is not a standards body.
-----------------------------------------------------------------------
  3 days until The 76th anniversary of Pearl Harbor