Posted to users@spamassassin.apache.org by Matus UHLAR - fantomas <uh...@fantomas.sk> on 2008/04/01 16:06:25 UTC

Re: mail from dialups via ISP MTA

> On Monday 31 March 2008 22:53:45 Matus UHLAR - fantomas wrote:
> > Such IP's are thus not designed to send mail directly to recipients - users
> > have to send mail through mailserver with static IP that can authenticate
> > them. 

On 31.03.08 22:06, Arvid Ephraim Picciani wrote:
> True. The problem is, that's exactly what happened but SA matched the sender
> anyway because he's in the received headers.

iirc they only matched RDNS_DYNAMIC which means "reverse DNS looks like
dynamic". That scores 0.1 points and only scores more in combination with
other rules. However changing the DNS should help.

They should ask their ISP to change the DNS so that it does not look dynamic (generic).

> Someone mentioned trust path but i don't think it's broken. SA matched the
> archlinux server perfectly fine as the first dynhost sending to my trusted 
> network.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"Two words: Windows survives." - Craig Mundie, Microsoft senior strategist
"So does syphillis. Good thing we have penicillin." - Matthew Alton

Re: mail from dialups via ISP MTA

Posted by Arvid Ephraim Picciani <ae...@ibcsolutions.de>.
> On 01.04.08 17:20, Arvid Ephraim Picciani wrote:
> > actually i mean SORBS and NJABL.  they matched the sender.
>
> if we are still talking about mail from 66-211-213-17.velocity.net
> [66.211.213.17], they were not matched by any dynamic lists.
>
sender! not the relay. the relay matching RDNS_DYNAMIC is perfectly fine. it's
their fault.

> your first mail indicates problem with different IP. and this IP only
> matches RDNS_DYNAMIC

that was what i was saying. i should have marked problem 1) and 2) to make it
more clear.


-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani

Re: mail from dialups via ISP MTA

Posted by mouss <mo...@netoyen.net>.
Arvid Ephraim Picciani wrote:
> and another mail false positive:
>
>  2.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
>               [Blocked - see <http://www.spamcop.net/bl.shtml?91.151.146.244>]
>  1.1 RCVD_IN_SORBS_WEB      RBL: SORBS: sender is a abuseable web server
>                             [91.151.146.244 listed in dnsbl.sorbs.net]
>
> again a perfectly valid login into gmail. 
> So if you want to damage an ISP you're going to run some open proxies on dynips
> and voila the next user having that ip gets blocked. i don't get it.
>   

which next user? the IP is not known to be dynamic, and it has/d an open 
proxy, so it was listed as such. Until you can prove it is dynamic, 
there is nothing wrong. note that the IP is also listed at cbl (thus xbl).

also, the IP doesn't resolve, so many people don't care if it can't 
reach the network at all.




Re: mail from dialups via ISP MTA

Posted by Yet Another Ninja <sa...@alexb.ch>.
On 4/1/2008 5:43 PM, Arvid Ephraim Picciani wrote:
> and another mail false positive:
> 
>  2.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
>               [Blocked - see <http://www.spamcop.net/bl.shtml?91.151.146.244>]
>  1.1 RCVD_IN_SORBS_WEB      RBL: SORBS: sender is a abuseable web server
>                             [91.151.146.244 listed in dnsbl.sorbs.net]
> 
> again a perfectly valid login into gmail. 
> So if you want to damage an ISP you're going to run some open proxies on dynips
> and voila the next user having that ip gets blocked. i don't get it.
> 
> 
how does this apparently infected source relate to gmail?

http://www.spamhaus.org/query/bl?ip=91.151.146.244

http://cbl.abuseat.org/lookup.cgi?ip=91.151.146.244&.submit=Lookup

It was detected at 2008-04-01 15:00 GMT (+/- 30 minutes), approximately 
3 hours ago.

if you hit that IP via HTTP you reach some home router web interface.

good thing it's listed - who knows how many infected boxes sit behind
that toy.

It's a valid bot infected botnet IP.

If this is a false positive - pls re-check the meaning of "false positive"




Re: mail from dialups via ISP MTA

Posted by Arvid Ephraim Picciani <ae...@ibcsolutions.de>.
and another mail false positive:

 2.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
              [Blocked - see <http://www.spamcop.net/bl.shtml?91.151.146.244>]
 1.1 RCVD_IN_SORBS_WEB      RBL: SORBS: sender is a abuseable web server
                            [91.151.146.244 listed in dnsbl.sorbs.net]

again a perfectly valid login into gmail. 
So if you want to damage an ISP you're going to run some open proxies on dynips
and voila the next user having that ip gets blocked. i don't get it.


-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani

Re: mail from dialups via ISP MTA

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> On Tuesday 01 April 2008 16:06:25 Matus UHLAR - fantomas wrote:
> > > On Monday 31 March 2008 22:53:45 Matus UHLAR - fantomas wrote:
> > > > Such IP's are thus not designed to send mail directly to recipients -
> > > > users have to send mail through mailserver with static IP that can
> > > > authenticate them.
> >
> > On 31.03.08 22:06, Arvid Ephraim Picciani wrote:
> > > True. The problem is, that's exactly what happened but SA matched the
> > > sender anyway because he's in the received headers.
> >
> > iirc they only matched RDNS_DYNAMIC which means "reverse DNS looks like 
> > dynamic". That scores 0.1 points and only scores more in combination with
> > other rules. However changing the DNS should help.

On 01.04.08 17:20, Arvid Ephraim Picciani wrote:
> actually i mean SORBS and NJABL.  they matched the sender.

if we are still talking about mail from 66-211-213-17.velocity.net
[66.211.213.17], they were not matched by any dynamic lists.

your first mail indicates problem with different IP. and this IP only
matches RDNS_DYNAMIC

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
M$ Win's are shit, do not use it !
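
An added illustration, not part of the original thread and not SpamAssassin's own rule: a simplified Python heuristic for what "reverse DNS looks like dynamic" means, applied to the 66-211-213-17.velocity.net name discussed above and to the no-PTR case raised for 91.151.146.244. The function names, the keyword list and the `example` hostnames are assumptions made for this sketch.

```python
import ipaddress
import re

# Constructed keyword list: an assumption for this sketch, not SpamAssassin's rule.
GENERIC_WORDS = re.compile(
    r"(?:^|[.\-_\d])(?:dyn|dynamic|dhcp|dialup|ppp|pool|dsl|adsl|cable)(?=[.\-_\d]|$)"
)

def octet_encodings(ip):
    """Spellings of an IPv4 address that ISPs commonly embed in generic PTR names."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    forms = {"".join(f"{int(o):02x}" for o in octets)}   # hex, e.g. c000020a
    for order in (octets, octets[::-1]):                  # forward and reversed
        padded = [o.zfill(3) for o in order]
        forms.add("".join(padded))                        # e.g. 192000002010
        for sep in "-._":
            forms.add(sep.join(order))                    # e.g. 66-211-213-17
            forms.add(sep.join(padded))                   # e.g. 066-211-213-017
    return forms

def classify_rdns(ip, ptr):
    """Return 'none' (no PTR), 'generic' (looks ISP-assigned) or 'custom'."""
    if not ptr:
        return "none"
    host = ptr.lower().rstrip(".")
    # A PTR that merely re-spells the IP says nothing about who runs the host.
    if any(form in host for form in octet_encodings(ip)):
        return "generic"
    # Access-network naming words, matched only as whole tokens.
    if GENERIC_WORDS.search(host):
        return "generic"
    return "custom"

if __name__ == "__main__":
    samples = [
        ("66.211.213.17", "66-211-213-17.velocity.net"),  # name from the thread
        ("91.151.146.244", None),                         # thread: IP doesn't resolve
        ("192.0.2.10", "mail.example.org"),               # constructed sample
        ("192.0.2.10", "ppp-12.pool.example.net"),        # constructed sample
    ]
    for ip, ptr in samples:
        print(ip, ptr, classify_rdns(ip, ptr))
```

A "generic" result here corresponds to the low-weight hint described in the message above; it is a separate signal from a DNSBL listing of the same address.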

Re: mail from dialups via ISP MTA

Posted by Arvid Ephraim Picciani <ae...@ibcsolutions.de>.
On Tuesday 01 April 2008 16:06:25 Matus UHLAR - fantomas wrote:
> > On Monday 31 March 2008 22:53:45 Matus UHLAR - fantomas wrote:
> > > Such IP's are thus not designed to send mail directly to recipients -
> > > users have to send mail through mailserver with static IP that can
> > > authenticate them.
>
> On 31.03.08 22:06, Arvid Ephraim Picciani wrote:
> > True. The problem is, that's exactly what happened but SA matched the
> > sender anyway because he's in the received headers.
>
> iirc they only matched RDNS_DYNAMIC which means "reverse DNS looks like 
> dynamic". That scores 0.1 points and only scores more in combination with
> other rules. However changing the DNS should help.
>
actually i mean SORBS and NJABL.  they matched the sender.

-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani