Posted to users@spamassassin.apache.org by Alan Premselaar <al...@12inch.com> on 2006/06/12 05:10:46 UTC

RCVD_IN_WHOIS_BOGONS mis-firing since 3.13 upgrade

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I was using 3.1.0 until today on my mail server at work and after the
upgrade suddenly I'm seeing a lot of RCVD_IN_WHOIS_BOGONS misfiring.

One example of a sender domain that triggered is d.dena.ne.jp which
doesn't directly resolve, but ns.dena.ne.jp resolves to 64.56.174.130
which shows as a network that appears in the
allocated-netrange-arin_after1995.txt on completewhois.com [1]

I've checked my trusted_networks and that seems to be OK... if I let the
trusted_network be auto-determined (i.e. not set manually) or if I set
it manually I get the same results.

The machine is on a global network with a separate interface on an
internal network.

DISGUISE_PORN_MUNDANE appears to be hitting on Japanese text as well.

I'm only seeing the tests in the mail logs so I don't have any actual
headers at the moment.

Can anyone offer any ideas as to where I should look or what might be
happening?

Here's some debug info that might be useful:

[4392] dbg: dns: is Net::DNS::Resolver available? yes
[4392] dbg: dns: Net::DNS version: 0.57
[4392] dbg: diag: perl platform: 5.008005 linux
[4392] dbg: diag: module installed: Digest::SHA1, version 2.11
[4392] dbg: diag: module installed: Net::SMTP, version 2.29
[4392] dbg: diag: module installed: Mail::SPF::Query, version 1.999001
[4392] dbg: diag: module installed: IP::Country::Fast, version 604.001
[4392] dbg: diag: module installed: Razor2::Client::Agent, version 2.67
[4392] dbg: diag: module not installed: Net::Ident ('require' failed)
[4392] dbg: diag: module not installed: IO::Socket::INET6 ('require' failed)
[4392] dbg: diag: module installed: IO::Socket::SSL, version 0.97
[4392] dbg: diag: module installed: Time::HiRes, version 1.87
[4392] dbg: diag: module installed: DBI, version 1.45
[4392] dbg: diag: module installed: Getopt::Long, version 2.34
[4392] dbg: diag: module installed: LWP::UserAgent, version 2.032
[4392] dbg: diag: module installed: HTTP::Date, version 1.46
[4392] dbg: diag: module installed: Archive::Tar, version 1.29
[4392] dbg: diag: module installed: IO::Zlib, version 1.04
[4392] dbg: diag: module installed: MIME::Base64, version 3.07
[4392] dbg: diag: module installed: HTML::Parser, version 3.54
[4392] dbg: diag: module installed: DB_File, version 1.810
[4392] dbg: diag: module installed: Net::DNS, version 0.57

Thanks,

Alan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEjNs2E2gsBSKjZHQRAkMhAJ40RgtMeXak2enbljP0PQGQR4xh/wCgtmcd
dfZ7z+wtX2oVtrQR90L4lpI=
=BxhD
-----END PGP SIGNATURE-----

Re: RCVD_IN_WHOIS_BOGONS mis-firing since 3.13 upgrade

Posted by Alan Premselaar <al...@12inch.com>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rolf wrote:
> I have just noticed the same thing.
> 
> Increase in false positives due to that rule telling me the upstream
> mail server addresses (which I don't control) have been listed in
> combined-HIB.dnsiplists.completewhois.com.
> 
> Which is not right for any reason - they ought not be there. Looking
> around at www.completewhois.com I cannot find those addresses at all.
> 
> I've had to change the score of the rule to zero as it's hitting every
> piece of mail as they all pass through those upstream servers.
> 
> Any suggestions would be appreciated.
> 
> thanks
> 
[snip]

I've filed a bug report on this issue, if you'd care to contribute any
details or useful information.

http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4951

Alan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEjSv4E2gsBSKjZHQRAlB3AKCV48WtvKs4N4MbVHTzykjzKgTiOQCfbFQP
VPCbjK+UCT2GA7hpRg5Dj1s=
=SbWk
-----END PGP SIGNATURE-----

Re: RCVD_IN_WHOIS_BOGONS mis-firing since 3.13 upgrade

Posted by Rolf <ro...@ses.tas.gov.au>.
I have just noticed the same thing.

Increase in false positives due to that rule telling me the upstream
mail server addresses (which I don't control) have been listed in
combined-HIB.dnsiplists.completewhois.com.

Which is not right for any reason - they ought not be there. Looking
around at www.completewhois.com I cannot find those addresses at all.

I've had to change the score of the rule to zero as it's hitting every
piece of mail as they all pass through those upstream servers.

Any suggestions would be appreciated.

thanks

r.


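An added example, not from this thread and not SpamAssassin's own code, that reproduces by hand what a RCVD_IN_* DNSBL rule does, so you can see which relay IP a message of your own is actually tested against. It walks the Received: chain from your MX outward, treats the leading run of hops inside trusted_networks as trusted and the first hop outside it as the "last external" relay, then forms the reversed-octet query name for each untrusted hop under combined-HIB.dnsiplists.completewhois.com and can optionally resolve it. The Received: lines and the network ranges are constructed for the example; 64.56.174.130 is the address Alan quoted for ns.dena.ne.jp. Which 127.0.0.x answer maps to which sub-list (INVALID, BOGONS, HIJACKED) is not encoded here, since it depends on the rules file installed; the script only reports the code it gets back. The two runs at the bottom show the point both posts turn on: with the provider's relays left out of trusted_networks, the provider's own relay is the IP that gets tested (consistent with what Rolf reports); with those relays added, the test moves out to the host that handed mail to them, which is how SpamAssassin is meant to handle upstream relays you do not control, as an alternative to zeroing the score.

```python
"""Reproduce a SpamAssassin RCVD_IN_* DNSBL check by hand (added example, not
SpamAssassin code).  Shows which relay IP gets tested and how the DNSBL query
name is formed.  All sample data below is constructed for the example."""
import ipaddress
import re
import socket

# Zone named in the thread.  Any 127.0.0.x A record means "listed"; which
# sub-list a given code means is left to your installed 20_dnsbl_tests.cf.
WHOIS_ZONE = "combined-HIB.dnsiplists.completewhois.com"

# Connecting client's address as MTAs write it: the first bracketed IPv4.
_RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed Received: chain, newest (our own MX's entry) first.  The middle
# hop uses the address Alan quoted for ns.dena.ne.jp; the rest is made up.
SAMPLE_RECEIVED = [
    "from relay.isp.example (relay.isp.example [198.51.100.10])"
    " by mx.example.com with ESMTP id 1A2B3C",
    "from ns.dena.ne.jp (ns.dena.ne.jp [64.56.174.130])"
    " by relay.isp.example with ESMTP id 4D5E6F",
    "from [192.0.2.5] by ns.dena.ne.jp with SMTP id 7G8H9I",
]


def relay_ips(received_headers):
    """Client IPs from each Received: header, in header order."""
    ips = []
    for header in received_headers:
        match = _RECEIVED_IP.search(header)
        if match:
            ips.append(match.group(1))
    return ips


def split_relays(ips, trusted_networks):
    """Split the chain into (trusted, untrusted).

    As SpamAssassin does, only the leading run of hops inside trusted_networks
    counts as trusted: once one hop is outside, every hop beyond it is
    untrusted too, because that hop could have forged the earlier headers."""
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_networks]
    for index, ip in enumerate(ips):
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in nets):
            return ips[:index], ips[index:]
    return list(ips), []


def last_external_relay(ips, trusted_networks):
    """The first untrusted hop: the IP a '-lastexternal' style check tests."""
    _, untrusted = split_relays(ips, trusted_networks)
    return untrusted[0] if untrusted else None


def dnsbl_query_name(ip, zone=WHOIS_ZONE):
    """Reverse the octets and append the zone: 1.2.3.4 -> 4.3.2.1.<zone>."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_lookup(ip, zone=WHOIS_ZONE):
    """Live query.  Returns the 127.0.0.x code if listed, None on NXDOMAIN.
    A dead or unreachable zone also yields None, so None means
    'not listed, or no answer', not a clean negative."""
    try:
        return socket.gethostbyname(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return None


def report(received_headers, trusted_networks, do_lookup=False):
    """Show what gets tested for one message under a given trusted_networks."""
    ips = relay_ips(received_headers)
    trusted, untrusted = split_relays(ips, trusted_networks)
    print("trusted_networks:", ", ".join(trusted_networks) or "(none)")
    print("  trusted hops:  ", trusted)
    print("  untrusted hops:", untrusted)
    for ip in untrusted:
        line = "  would query " + dnsbl_query_name(ip)
        if do_lookup:
            line += " -> " + (dnsbl_lookup(ip) or "not listed / no answer")
        print(line)


if __name__ == "__main__":
    own_mx = ["203.0.113.0/24"]              # constructed: only our own network
    with_isp = own_mx + ["198.51.100.0/24"]  # constructed: plus the provider's relays
    report(SAMPLE_RECEIVED, own_mx)    # the provider relay 198.51.100.10 is tested
    report(SAMPLE_RECEIVED, with_isp)  # the test moves out to 64.56.174.130
```

Run it with no arguments to see the two trusted_networks scenarios side by side without touching the network; pass do_lookup=True to report() to issue the real queries for a message you have headers for. Treat a None from the live lookup with care: the zone being unreachable looks identical to "not listed".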