Posted to users@spamassassin.apache.org by zespri <na...@brutsoft.com> on 2014/06/06 01:35:38 UTC

Why do I get both URIBL_DBL_SPAM and URIBL_BLOCKED?

Below is one example of the emails I'm getting. I replaced my domain with
"domain.com" in this example.
Can someone explain why I have both URIBL_DBL_SPAM /and/ URIBL_BLOCKED in
the same message?

I'm running spamassassin 3.4.0 on Ubuntu Trusty as an lda from postfix to
dovecot lda.

Cheers

Return-Path: <MAILER-DAEMON>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	ip-172-31-14-136.us-west-2.compute.internal
X-Spam-Flag: YES
X-Spam-Level: ***************
X-Spam-Status: Yes, score=15.2 required=5.0 tests=DCC_CHECK,MISSING_DATE,
	MISSING_MID,RCVD_IN_BRBL_LASTEXT,RCVD_IN_PBL,RCVD_IN_XBL,RCVD_NUMERIC_HELO,
	RDNS_NONE,TVD_RCVD_IP,TVD_RCVD_IP4,T_FSL_HELO_BARE_IP_2,URIBL_BLOCKED,
	URIBL_DBL_SPAM,URIBL_JP_SURBL,URIBL_PH_SURBL autolearn=spam
	autolearn_force=no version=3.4.0
X-Spam-Report: 
	*  2.5 URIBL_DBL_SPAM Contains an URL listed in the DBL blocklist
	*      [URIs: wnqmxubt.eu]
	*  0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
	*       See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
	*      for more information.
	*      [URIs: wnqmxubt.eu]
	*  0.0 TVD_RCVD_IP Message was received from an IP address
	*  0.0 TVD_RCVD_IP4 Message was received from an IPv4 address
	*  1.6 RCVD_IN_BRBL_LASTEXT RBL: No description available.
	*      [37.214.184.30 listed in bb.barracudacentral.org]
	*  0.0 URIBL_PH_SURBL Contains an URL listed in the PH SURBL blocklist
	*      [URIs: wnqmxubt.eu]
	*  1.9 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
	*      [URIs: wnqmxubt.eu]
	*  0.7 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
	*      [37.214.184.30 listed in zen.spamhaus.org]
	*  3.6 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
	*  0.9 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO
	*  1.1 DCC_CHECK Detected as bulk mail by DCC (dcc-servers.net)
	*  1.4 MISSING_DATE Missing Date: header
	*  0.1 MISSING_MID Missing Message-Id: header
	*  1.3 RDNS_NONE Delivered to internal network by a host with no rDNS
	*  0.0 T_FSL_HELO_BARE_IP_2 No description available.
Delivered-To: my@domain.com
Received: from 37.214.184.30 (unknown [37.214.184.30])
	by mail.domain.com (Postfix) with SMTP id 8AD613422
	for <my...@domain.com>; Fri,  6 Jun 2014 06:59:38 +1200 (NZST)
Received: from unknown (HELO localhost)
(pilatus@randeleye.com@62.162.126.77)
	by 37.214.184.30 with ESMTPA; Thu, 5 Jun 2014 23:00:15 +0300
From: pilatus@randeleye.com
To: my@domain.com
Subject: Perfect way to satisfy your ladies

http://endurance.wnqmxubt.eu/ Keep her pleased this night





--
View this message in context: http://spamassassin.1065346.n5.nabble.com/Why-do-I-get-both-URIBL-DBL-SPAM-and-URIBL-BLOCKED-tp109457.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

Re: Why do I get both URIBL_DBL_SPAM and URIBL_BLOCKED?

Posted by zespri <na...@brutsoft.com>.
Anthony Cartmell-2 wrote
> The caching aspect isn't particularly relevant.
> 
> The problem is that your ISP's name server will be querying the URIBL
> server on behalf of perhaps thousands of SpamAssassin instances on other
> machines. So it's blocked because it's making too many queries from a
> single IP address.

Yep, thank you, I had already figured this out. My problem was that I was not sure
how exactly DNS works, and by studying the dnsmasq configuration I incorrectly
assumed that a DNS server is always supposed to have an upstream server.
Apparently this is the case for dnsmasq but not in general. So now,
with the djbdns setup that I have in place, which performs recursive queries
starting from the root servers, this all makes sense. Thank you again.



--
View this message in context: http://spamassassin.1065346.n5.nabble.com/Why-do-I-get-both-URIBL-DBL-SPAM-and-URIBL-BLOCKED-tp109457p109466.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

Re: Why do I get both URIBL_DBL_SPAM and URIBL_BLOCKED?

Posted by Anthony Cartmell <li...@fonant.com>.
> Also, it appears to me that the ISP provider caches no worse than the
> local DNS server would cache, so could you please explain what
> benefit caching them locally provides over using the already set up DNS
> server at the ISP?

The caching aspect isn't particularly relevant.

The problem is that your ISP's name server will be querying the URIBL
server on behalf of perhaps thousands of SpamAssassin instances on other
machines. So it's blocked because it's making too many queries from a
single IP address.

In contrast, if you run your own name server it will only be querying the
URIBL server for your own queries. Which will hopefully be well under the
threshold for being blocked for over-use.

Anthony
-- 
www.fonant.com - Quality web sites
Tel. 01903 867 810
Fonant Ltd is registered in England and Wales, company No. 7006596
Registered office: Amelia House, Crescent Road, Worthing, West Sussex,
BN11 1QR

Re: Why do I get both URIBL_DBL_SPAM and URIBL_BLOCKED?

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>> > On Fri, 6 Jun 2014 16:42:50 +0200 Matus UHLAR - fantomas wrote:
>> >> I would not be surprised... I have already met people having
>> >> problem because of djbdns (and that's why I don't recommend using
>> >> it)

>> RW wrote:
>> > What problem did they have specifically with dnscache?

>On Fri, 06 Jun 2014 11:35:52 -0400 Kris Deugau wrote:
>> Seconded;  I'd be interested in this as well since I have not yet run
>> into operational issues with djbdns.

On 06.06.14 16:47, RW wrote:
>He sent me an email in which he quoted the "dnscache doesn't fully
>implement "forwardonly" mode" bug from
>
>http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/djbdns-problems.html
>
>That's not relevant to the OP.

Sorry, it seems I should have posted it to the list (not sure why I didn't...)

Whether it's relevant (now) to the OP or not, I think this may change very
soon and, along with the other djbdns issues mentioned there, I still think
people should avoid it as much as possible.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The only substitute for good manners is fast reflexes. 

Re: Why do I get both URIBL_DBL_SPAM and URIBL_BLOCKED?

Posted by Bowie Bailey <Bo...@BUC.com>.
On 6/6/2014 5:11 AM, zespri wrote:
> Matus UHLAR - fantomas wrote
>> djbdns?
>> I really wonder, when more alternatives were advised to you,
>> why did you choose the oldest, worst, most buggy and years unsupported
>> alternative?
> Well, on the page that the original link led to this page was linked:
> http://wiki.apache.org/spamassassin/CachingNameserver
> It suggested some alternative, and I started working through them from the
> top. I dismissed bind outright because it looks heavyweight and hard to
> configure to me.

Bind configuration can be a bit complex when you have authoritative 
domains, secondary servers, and other such complications.  But if all 
you want is a caching name server, you should be able to simply install 
the package and start it up.  I don't think there is any configuration 
required at all.  The only things I can think of that you might have to 
do is to grab the root hints file and set resolv.conf to point to the 
local nameserver.  The first might be done automatically by the 
installation and the second (if not also done by the install) would need 
to be done regardless of which dns server you use.

-- 
Bowie

Re: Why do I get both URIBL_DBL_SPAM and URIBL_BLOCKED?

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Fri, 2014-06-06 at 11:39 +0200, Matus UHLAR - fantomas wrote:
> On 06.06.14 02:11, a pseudonymous Nabble user wrote:

> > Well, on the page that the original link led to this page was linked:
> > http://wiki.apache.org/spamassassin/CachingNameserver

It also clearly states to use a *non-forwarding* caching nameserver,
immediately preceding the link you followed.


> I must admit that the page is quite obsolete, and incorrect:

Matus, and everyone else involved in the DNS sub-thread: Care to correct
and update that wiki page? :)


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: Why do I get both URIBL_DBL_SPAM and URIBL_BLOCKED?

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>Matus UHLAR - fantomas wrote
>> djbdns?
>> I really wonder, when more alternatives were advised to you,
>> why did you choose the oldest, worst, most buggy and years unsupported
>> alternative?

On 06.06.14 02:11, zespri wrote:
>Well, on the page that the original link led to this page was linked:
>http://wiki.apache.org/spamassassin/CachingNameserver

I must admit that the page is quite obsolete, and incorrect:
- dnsmasq is only a DNS query forwarder, although it supports forwarding to
   (local) authoritative DNS server(s).
- rbldnsd is NOT caching; it's an authoritative-only DNS server, and it's good
   for providing local BL copies.
- djbdns is crappy and should not be used at all.

>In short: when you get several options offered to you, and you have no prior
>knowledge you've got to pick one randomly. That's what I did.

I am sorry, but you have chosen the worst one, when people on this list advised
you others.
Really, BIND, unbound or powerdns-recursor should do what you need.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Saving Private Ryan...
Private Ryan exists. Overwrite? (Y/N)

Re: Why do I get both URIBL_DBL_SPAM and URIBL_BLOCKED?

Posted by RW <rw...@googlemail.com>.
On Fri, 06 Jun 2014 11:35:52 -0400
Kris Deugau wrote:

> RW wrote:
> > On Fri, 6 Jun 2014 16:42:50 +0200
> > Matus UHLAR - fantomas wrote:
> >> I would not be surprised... I have already met people having
> >> problem because of djbdns (and that's why I don't recommend using
> >> it)
> > 
> > What problem did they have specifically with dnscache?
> 
> Seconded;  I'd be interested in this as well since I have not yet run
> into operational issues with djbdns.

He sent me an email in which he quoted the "dnscache doesn't fully
implement "forwardonly" mode" bug from

http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/djbdns-problems.html

That's not relevant to the OP.

Re: Why do I get both URIBL_DBL_SPAM and URIBL_BLOCKED?

Posted by Kris Deugau <kd...@vianet.ca>.
RW wrote:
> On Fri, 6 Jun 2014 16:42:50 +0200
> Matus UHLAR - fantomas wrote:
>> I would not be surprised... I have already met people having problem
>> because of djbdns (and that's why I don't recommend using it)
> 
> What problem did they have specifically with dnscache?

Seconded;  I'd be interested in this as well since I have not yet run
into operational issues with djbdns.

-kgd

Re: Why do I get both URIBL_DBL_SPAM and URIBL_BLOCKED?

Posted by RW <rw...@googlemail.com>.
On Fri, 6 Jun 2014 16:42:50 +0200
Matus UHLAR - fantomas wrote:

> >On Fri, 6 Jun 2014 02:11:47 -0700 (PDT) zespri wrote:
> >> In short: when you get several options offered to you, and you have
> >> no prior knowledge you've got to pick one randomly. That's what I
> >> did.
> 
> On 06.06.14 15:14, RW wrote:
> >If you've already installed djbdns I'd leave it. I'm still using it
> >and a lot of people only migrated away because they needed dnssec.
> >If you are just running a soho server or desktop you aren't going to
> >come under the kind of concerted poisoning  attack that ISP caches
> >would attract.
> >
> >It might not be under active development, but it was programmed
> >very conservatively, and has a security history that's as impressive
> >as bind's is dismal. Most of the criticism against djbdns are either
> >myths or don't apply to the dnscache component.  I'd be very
> >surprised if you have a problem with it.
> 
> I would not be surprised... I have already met people having problem
> because of djbdns (and that's why I don't recommend using it)

What problem did they have specifically with dnscache?

Re: Why do I get both URIBL_DBL_SPAM and URIBL_BLOCKED?

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>On Fri, 6 Jun 2014 02:11:47 -0700 (PDT) zespri wrote:
>> In short: when you get several options offered to you, and you have
>> no prior knowledge you've got to pick one randomly. That's what I did.

On 06.06.14 15:14, RW wrote:
>If you've already installed djbdns I'd leave it. I'm still using it and
>a lot of people only migrated away because they needed dnssec. If you
>are just running a soho server or desktop you aren't going to come
>under the kind of concerted poisoning  attack that ISP caches would
>attract.
>
>It might not be under active development, but it was programmed
>very conservatively, and has a security history that's as impressive as
>bind's is dismal. Most of the criticism against djbdns are either
>myths or don't apply to the dnscache component.  I'd be very surprised
>if you have a problem with it.

I would not be surprised... I have already met people having problem because
of djbdns (and that's why I don't recommend using it)

I still find having supported and recent version of DNS server better

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I just got lost in thought. It was unfamiliar territory. 

Re: Why do I get both URIBL_DBL_SPAM and URIBL_BLOCKED?

Posted by RW <rw...@googlemail.com>.
On Fri, 6 Jun 2014 02:11:47 -0700 (PDT)
zespri wrote:

> Matus UHLAR - fantomas wrote
> > djbdns?
> > I really wonder, when more alternatives were advised to you,
> > why did you choose the oldest, worst, most buggy and years
> > unsupported alternative?
> 

> In short: when you get several options offered to you, and you have
> no prior knowledge you've got to pick one randomly. That's what I did.

If you've already installed djbdns I'd leave it. I'm still using it and
a lot of people only migrated away because they needed dnssec. If you
are just running a soho server or desktop you aren't going to come
under the kind of concerted poisoning  attack that ISP caches would
attract. 

It might not be under active development, but it was programmed
very conservatively, and has a security history that's as impressive as
bind's is dismal. Most of the criticism against djbdns are either
myths or don't apply to the dnscache component.  I'd be very surprised
if you have a problem with it.

Re: Why do I get both URIBL_DBL_SPAM and URIBL_BLOCKED?

Posted by zespri <na...@brutsoft.com>.
Matus UHLAR - fantomas wrote
> djbdns?
> I really wonder, when more alternatives were advised to you,
> why did you choose the oldest, worst, most buggy and years unsupported
> alternative?

Well, on the page that the original link led to this page was linked:
http://wiki.apache.org/spamassassin/CachingNameserver
It suggested some alternatives, and I started working through them from the
top. I dismissed bind outright because it looked heavyweight and hard to
configure to me. Now, I'm not an expert and my opinion does not have much
weight, but since mine was the only one that I had at the time, and considering
that I'm the person who ultimately will need to configure and run the thing,
I moved on. The second one was dnsmasq. After a few painful hours I
discovered that it is not suitable at all, for the reasons you can find
above. The third in the list was djbdns.

The installation went almost without a hitch. The only two things (both of
which stemmed from the same issue) were that it is incompatible with the
resolvconf Ubuntu package, so I had to uninstall that. The next thing was that
in the absence of resolvconf, resolv.conf got overwritten every time a DHCP
lease was renewed, so I would lose the nameserver record.

When I got through these two no further configuration was necessary, it just
worked. So I'm pretty happy with the result so far.

In short: when you get several options offered to you, and you have no prior
knowledge you've got to pick one randomly. That's what I did.



--
View this message in context: http://spamassassin.1065346.n5.nabble.com/Why-do-I-get-both-URIBL-DBL-SPAM-and-URIBL-BLOCKED-tp109457p109469.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

Re: Why do I get both URIBL_DBL_SPAM and URIBL_BLOCKED?

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 06.06.14 00:28, zespri wrote:
>Thank you all. I've installed djbdns and now the URIBL_BLOCKED is gone! Yay!

djbdns?
I really wonder, when more alternatives were advised to you,

why did you choose the oldest, worst, most buggy and years unsupported
alternative?

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Your mouse has moved. Windows NT will now restart for changes to take
effect. [OK]

Re: Why do I get both URIBL_DBL_SPAM and URIBL_BLOCKED?

Posted by zespri <na...@brutsoft.com>.
Thank you all. I've installed djbdns and now the URIBL_BLOCKED is gone! Yay!



--
View this message in context: http://spamassassin.1065346.n5.nabble.com/Why-do-I-get-both-URIBL-DBL-SPAM-and-URIBL-BLOCKED-tp109457p109463.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

Re: Why do I get both URIBL_DBL_SPAM and URIBL_BLOCKED?

Posted by Axb <ax...@gmail.com>.
On 06/06/2014 08:33 AM, Dave Warren wrote:
> On 2014-06-05 21:48, zespri wrote:
>> As I read it, it means that "non-forwarding dnsmasq" is simply
>> nonsensical.
>> What am I missing?
>
> Yeah... I don't believe dnsmasq would be a good choice, unbound or BIND
> would be better choices.
>
or Powerdns-recursor

Re: Why do I get both URIBL_DBL_SPAM and URIBL_BLOCKED?

Posted by Dave Warren <da...@hireahit.com>.
On 2014-06-05 21:48, zespri wrote:
> As I read it, it means that "non-forwarding dnsmasq" is simply nonsensical.
> What am I missing?

Yeah... I don't believe dnsmasq would be a good choice, unbound or BIND 
would be better choices.

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren



Re: Why do I get both URIBL_DBL_SPAM and URIBL_BLOCKED?

Posted by zespri <na...@brutsoft.com>.
Thank you for this, this is most helpful. Yes, I read the link. On this
related note, it appears that mentioning dnsmasq as a non-forwarding caching
nameserver on this page
http://wiki.apache.org/spamassassin/CachingNameserver is a mistake. From the
dnsmasq documentation
<http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html>:

> Dnsmasq is a DNS query forwarder: it is not capable of recursively
> answering arbitrary queries starting from the root servers but forwards
> such queries to a fully recursive upstream DNS server which is typically
> provided by an ISP

As I read it, it means that "non-forwarding dnsmasq" is simply nonsensical.
What am I missing?

Also, it appears to me that the ISP's server caches no worse than a
local DNS server would, so could you please explain what
benefit caching locally provides over using the already set up DNS server
at the ISP? Even if we imagine that the ISP's DNS is non-caching, I can't see an
apparent benefit: the TTL on uribl.com is 2 hours, my system may get 20
emails or fewer during this time span, the probability that some of them come
from the same IP is quite low, so the benefits of caching look non-existent.

Now, I'm not a Linux person at all, much less a system administrator, and I
learned about spamassassin just a few days ago, so clearly I'm missing
something; could you please fill in the gaps?



--
View this message in context: http://spamassassin.1065346.n5.nabble.com/Why-do-I-get-both-URIBL-DBL-SPAM-and-URIBL-BLOCKED-tp109457p109460.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

Re: Why do I get both URIBL_DBL_SPAM and URIBL_BLOCKED?

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Thu, 2014-06-05 at 16:35 -0700, a pseudonymous Nabble user wrote:
> Below is one example of an emails I'm getting. I substituted my domain for
> "domain.com" in this example.
> Can someone explain, why I have both URIBL_DBL_SPAM /and/ URIBL_BLOCKED in
> the same message?

Despite the URIBL prefix, they are NOT part of the same DNSBL.

That prefix generally refers to DNSBLs listing URIs. Stock SA rules
include three URI blocklist providers (with multiple lists each):
SpamHaus, SURBL and URIBL.

The URIBL_DBL_* rule is the SpamHaus DBL blocklist. With a single
exception, all plain URIBL_* rules are uribl.com.


In practical terms, one DNSBL considers the volume of queries abusive.
Others don't (yet), or may simply return no hits at all.


> 	*  2.5 URIBL_DBL_SPAM Contains an URL listed in the DBL blocklist
> 	*      [URIs: wnqmxubt.eu]
> 	*  0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
> 	*       See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
> 	*      for more information.
> 	*      [URIs: wnqmxubt.eu]

Did you follow that link we provided you with? That *_BLOCKED rule
exists for a reason. For the single reason to inform you about the
situation, to help you fix your issue and by that way improve your SA
results.

The problem is, you are using your ISP's DNS server, just like a million
other SA installations.

Run your own local, caching, resolving (non-forwarding) DNS.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
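The point made in Karsten's and Anthony's replies (URIBL_BLOCKED and URIBL_DBL_SPAM come from different providers, and a *_BLOCKED hit means one provider is refusing answers from a shared resolver) can be checked mechanically across a mail store. The script below is an added example, not code from this thread or from the SpamAssassin project: it unfolds the X-Spam-Status header, splits the test list, groups URIBL_* hits by provider using the mapping Karsten describes, and reports what fraction of messages carry a *_BLOCKED test, which is the number a postmaster watches to confirm that switching to a local recursive resolver actually worked. The sample headers are constructed from the message quoted in the thread plus an invented clean message. One assumption beyond the thread: Karsten's "single exception" among plain URIBL_* rules is taken to be URIBL_SBL (Spamhaus SBL), which is marked as an assumption in the code.

```python
"""Added example (not from the thread or SpamAssassin): read the
X-Spam-Status header SA adds, group the URIBL_* hits by provider, and flag
any *_BLOCKED test so a postmaster can confirm the resolver change worked."""
import re
from collections import Counter

# Constructed sample headers. The first is the folded X-Spam-Status from the
# message quoted in the thread; the second is an invented clean message.
SAMPLE_HEADERS = """X-Spam-Flag: YES
X-Spam-Status: Yes, score=15.2 required=5.0 tests=DCC_CHECK,MISSING_DATE,
\tMISSING_MID,RCVD_IN_BRBL_LASTEXT,RCVD_IN_PBL,RCVD_IN_XBL,RCVD_NUMERIC_HELO,
\tRDNS_NONE,TVD_RCVD_IP,TVD_RCVD_IP4,T_FSL_HELO_BARE_IP_2,URIBL_BLOCKED,
\tURIBL_DBL_SPAM,URIBL_JP_SURBL,URIBL_PH_SURBL autolearn=spam
\tautolearn_force=no version=3.4.0
Delivered-To: my@domain.com
"""
SAMPLE_CLEAN = """X-Spam-Status: No, score=-0.1 required=5.0 tests=BAYES_00
\tautolearn=ham autolearn_force=no version=3.4.0
Delivered-To: my@domain.com
"""

# "Yes, score=15.2 required=5.0 tests=A,B,C autolearn=..." (tests may be folded,
# so the list can contain whitespace after commas once unfolded).
STATUS_RE = re.compile(
    r"^(Yes|No),\s*score=(-?\d+(?:\.\d+)?)\s+required=(\d+(?:\.\d+)?)"
    r"\s+tests=(.*?)(?:\s+autolearn=|$)"
)


def unfold_header(raw, name):
    """Return the unfolded value of the first header called `name` in a raw
    header block, or None. Continuation lines (leading whitespace) are joined
    with a single space so folded list items stay separated."""
    value = None
    for line in raw.splitlines():
        if value is not None:
            if line[:1] in (" ", "\t"):
                value += " " + line.strip()
                continue
            break  # next header reached
        if line.lower().startswith(name.lower() + ":"):
            value = line.split(":", 1)[1].strip()
    return value


def parse_spam_status(value):
    """Return (is_spam, score, required, tests) from an X-Spam-Status value."""
    m = STATUS_RE.match(value)
    if not m:
        raise ValueError("not an X-Spam-Status value: %r" % value)
    tests = [t.strip() for t in m.group(4).split(",") if t.strip()]
    return m.group(1) == "Yes", float(m.group(2)), float(m.group(3)), tests


def uri_provider(test):
    """Map a URIBL_* rule name to its provider, following the thread:
    URIBL_DBL_* is Spamhaus DBL, *_SURBL is SURBL, everything else uribl.com.
    Assumption (not stated in the thread): the one plain URIBL_* exception is
    URIBL_SBL, the Spamhaus SBL lookup. Non-URI rules return None."""
    if not test.startswith("URIBL_"):
        return None
    if test.startswith("URIBL_DBL_") or test == "URIBL_SBL":
        return "spamhaus"
    if test.endswith("_SURBL"):
        return "surbl"
    return "uribl.com"


def analyse_status(value):
    """Summarise one X-Spam-Status value: per-provider URI hits and any
    *_BLOCKED rule. A *_BLOCKED hit scores 0.0 and only says that provider
    refused the resolver's query; the other providers can still fire, which
    is exactly the combination the original poster asked about."""
    is_spam, score, required, tests = parse_spam_status(value)
    providers = Counter(p for p in map(uri_provider, tests) if p)
    blocked = [t for t in tests if t.endswith("_BLOCKED")]
    return {
        "spam": is_spam, "score": score, "required": required,
        "tests": tests, "uri_providers": dict(providers),
        "blocked": blocked, "resolver_ok": not blocked,
    }


def blocked_ratio(raw_messages):
    """Fraction of messages (with an X-Spam-Status header) whose tests include
    a *_BLOCKED rule. Run this over a day of mail before and after moving to
    a local recursive resolver; it should drop to 0.0."""
    seen = hit = 0
    for raw in raw_messages:
        value = unfold_header(raw, "X-Spam-Status")
        if value is None:
            continue
        seen += 1
        if analyse_status(value)["blocked"]:
            hit += 1
    return hit / seen if seen else 0.0


if __name__ == "__main__":
    report = analyse_status(unfold_header(SAMPLE_HEADERS, "X-Spam-Status"))
    print("spam=%s score=%.1f/%.1f" % (report["spam"], report["score"], report["required"]))
    print("URI hits by provider:", report["uri_providers"])
    print("blocked rules:", report["blocked"], "resolver_ok:", report["resolver_ok"])
    print("share of messages with a *_BLOCKED hit: %.2f"
          % blocked_ratio([SAMPLE_HEADERS, SAMPLE_CLEAN]))
```

On the sample message this reports one uribl.com hit (the URIBL_BLOCKED notice itself), one Spamhaus hit and two SURBL hits, and marks the resolver as not OK; fed a real Maildir, blocked_ratio is the one number that should go to zero after the switch away from the ISP's shared resolver.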