Posted to users@spamassassin.apache.org by Philippe Ratté <pr...@cybergeneration.com> on 2009/09/16 19:59:30 UTC

Skip DNSBL checks for a specific IP/Net

Hi guys

I am looking for a way to ask SA to skip DNSBL checks for a specific IP /
subnet, is it possible to do this ?

I’d like something like skip_rbl_checks 1 from=1.2.3.4

And I’d like to keep other tests (Bayesian, Razor, ...) active.

Thanks in advance





RE: Skip DNSBL checks for a specific IP/Net

Posted by John Hardin <jh...@impsec.org>.
On Wed, 16 Sep 2009, Philippe Ratté wrote:

>> Alternatively, without re-defining existing rules, you could write
>> similar metas on top, that counter such a rule hit.
>
> Sorry I do not understand this one, I'm not very familiar with SA rules yet
> but still learning :)

Essentially:

   meta  NO_RBL_HOTMAIL  RBL_SORBS && FROM_HOTMAIL
   score NO_RBL_HOTMAIL  -2

If the source is the site of interest, balance out the RBL score.

(rule names made up for illustrative purposes only)

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   The ["assault weapons"] ban is the moral equivalent of banning red
   cars because they look too fast.  -- Steve Chapman, Chicago Tribune
-----------------------------------------------------------------------
  Tomorrow: the 222nd anniversary of the signing of the U.S. Constitution

RE: Skip DNSBL checks for a specific IP/Net

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Wed, 2009-09-16 at 15:38 -0400, Philippe Ratté wrote:
> > If it is anything else, we might be much better able to help you, if 
> > we know about the issue -- rather than what you think would be the 
> > best solution. ;)
> 
> The situation is about Hotmail. Yesterday a customer told me he was having
> problems between his corporate account and Hotmail, the customers of my
> customer were unable to contact him.
> 
> I noticed at that time 65.55.111.100 was part of SORBS BL.
> http://www.us.sorbs.net/lookup.shtml?65.55.111.100 indicates :
> Address:	65.55.111.100
> Record Created:	Wed Oct 29 19:00:03 2008 GMT
> Record Updated:	Mon Sep 14 08:56:51 2009 GMT
> Additional Information:	[ Updated via: Report 'o Matic ] Received: from
> blu0-omc2-s25.blu0.hotmail.com (blu0-omc2-s25.blu0.hotmail.com
> [65.55.111.100]) by anaconda.sorbs.net (Postfix) with ESMTP id E0D9B2E05D
> for <[email]>; Mon, 14 Sep 2009 14:31:01 +1000 (EST) Currently active and
> flagged to be published in DNS

Ok, slow down. What rules *exactly* are hitting on these messages?

'grep SORBS 50_scores.cf'. All SORBS listings score below 1. Oddly,
SORBS SPAM is missing there, but that just means it is a default score
of 1 for the hit.

A score of <= 1 cannot be the reason for blocked mail! There's at least
another 4 points to be added by other rule hits. Well, as far as a sane
SA configuration is concerned.

A SORBS listing does NOT explain why your customer doesn't get his mail.

Also, SA merely scores. It doesn't reject, but lets all mail through.
Any action whatsoever is the duty of some other tool in your mail processing
chain. Which one is the culprit responsible for "your customer not
getting his mail"? Regardless of whether that tool ended up rejecting the
mail or delivered it to some kind of dedicated or quarantine folder -- I'd
check back there.

You wouldn't happen to run RBL checks at SMTP stage, prior to SA, that
outright block based on a single BL hit?


Oddly enough, my own checks are inconsistent. :-/  While the sorbs.net
lookup indeed does claim exactly what you posted, my own 'host' check
returns NXDOMAIN. Two additional, independent BL lookup forms don't
agree with each other either.


> Customer asked "can you white-list them temporarily ?"
> 
> We have a firewall with a network setup which allows me to bypass RBL +
> SpamAssassin easily. We did this with most of Hotmail's IPs until we started
> receiving spam from valid Hotmail accounts.
> 
> I do not want to let Hotmail be completely white-listed, my idea was to skip
> RBL checks and keep other checks in place.

First of all, you want to skip a single BL. Not all of them. And second,
as mentioned above, there is *much* more to your problem than what you
provided in your post.

Mail is not being delivered, so go check the reason. If it is a high SA
score, you'll find lots more evil than this in the rules triggered.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


RE: Skip DNSBL checks for a specific IP/Net

Posted by Philippe Ratté <pr...@cybergeneration.com>.
> -----Original Message-----
> From: Karsten Bräckelmann [mailto:guenther@rudersport.de] Sent: 16 
> September 2009 14:21 To: users@spamassassin.apache.org Subject: Re: 
> Skip DNSBL checks for a specific IP/Net
> 
> On Wed, 2009-09-16 at 13:59 -0400, Philippe Ratté wrote:
> > I am looking for a way to ask SA to skip DNSBL checks for a specific IP /
> > subnet, is it possible to do this ?
> 
> Hmm, why would you want to do that? There are pretty much two 
> scenarios that immediately come to mind.

Hi Karsten.

> 
> You don't want to do BL checks against an SMTP that forwards mail to 
> you. In that case, you should extend your trusted and internal 
> networks, so the handing-over IP to that forwarder is being checked
instead.
> 

True. The IPs I'd like to remove from RBL checks do not belong to us.


> You want to get rid of PBL style hits against your own users. In which 
> case the answer would be to simply not scan mail by your own, AUTH'ed 
> users.
> 

The IPs are not my own users.


> If it is anything else, we might be much better able to help you, if 
> we know about the issue -- rather than what you think would be the 
> best solution. ;)

The situation is about Hotmail. Yesterday a customer told me he was having
problems between his corporate account and Hotmail, the customers of my
customer were unable to contact him.

I noticed at that time 65.55.111.100 was part of SORBS BL.
http://www.us.sorbs.net/lookup.shtml?65.55.111.100 indicates :
Address:	65.55.111.100
Record Created:	Wed Oct 29 19:00:03 2008 GMT
Record Updated:	Mon Sep 14 08:56:51 2009 GMT
Additional Information:	[ Updated via: Report 'o Matic ] Received: from
blu0-omc2-s25.blu0.hotmail.com (blu0-omc2-s25.blu0.hotmail.com
[65.55.111.100]) by anaconda.sorbs.net (Postfix) with ESMTP id E0D9B2E05D
for <[email]>; Mon, 14 Sep 2009 14:31:01 +1000 (EST) Currently active and
flagged to be published in DNS


65.55.111.100 is blu0-omc2-s25.blu0.hotmail.com, part of their "smtp farm".

I told my customer that he needed to tell HIS customers that they need to
tell Hotmail that they are listed in SORBS. This information is hard to
understand for a person who pays to get email support :)

Customer asked "can you white-list them temporarily ?"

We have a firewall with a network setup which allows me to bypass RBL +
SpamAssassin easily. We did this with most of Hotmail's IPs until we started
receiving spam from valid Hotmail accounts.

I do not want to let Hotmail be completely white-listed, my idea was to skip
RBL checks and keep other checks in place.


> 
> 
> > I’d like something like skip_rbl_checks 1 from=1.2.3.4
> 
> Such a constraint is not possible. However, if you *really* need 
> something to that effect, you could re-define the existing rules in 
> your site-config, meta'ed with an additional header rule that excludes 
> these hosts based on the Received headers or last-external.
> 

Checking against Received headers is maybe a good idea, but I am curious if
you have in mind a better solution :)

I need help to write the rules.

> Alternatively, without re-defining existing rules, you could write 
> similar metas on top, that counter such a rule hit.

Sorry I do not understand this one, I'm not very familiar with SA rules yet
but still learning :)

> 
> 
> --
> char
> *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4
> "; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ 
> i%8?
> c<<=1:
> (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ 
> putchar(t[s]);h=m;s=0; }}}
> 


Thanks a lot for your reply.

Have a nice day



Re: Skip DNSBL checks for a specific IP/Net

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Wed, 2009-09-16 at 13:59 -0400, Philippe Ratté wrote:
> I am looking for a way to ask SA to skip DNSBL checks for a specific IP /
> subnet, is it possible to do this ?

Hmm, why would you want to do that? There are pretty much two scenarios
that immediately come to mind.

You don't want to do BL checks against an SMTP that forwards mail to
you. In that case, you should extend your trusted and internal networks,
so the handing-over IP to that forwarder is being checked instead.

You want to get rid of PBL style hits against your own users. In which
case the answer would be to simply not scan mail by your own, AUTH'ed
users.

If it is anything else, we might be much better able to help you, if we
know about the issue -- rather than what you think would be the best
solution. ;)


> I’d like something like skip_rbl_checks 1 from=1.2.3.4

Such a constraint is not possible. However, if you *really* need
something to that effect, you could re-define the existing rules in your
site-config, meta'ed with an additional header rule that excludes these
hosts based on the Received headers or last-external.

Alternatively, without re-defining existing rules, you could write
similar metas on top, that counter such a rule hit.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: Skip DNSBL checks for a specific IP/Net

Posted by Benny Pedersen <me...@junc.org>.
On ons 16 sep 2009 19:59:30 CEST, Philippe Ratté wrote

> I am looking for a way to ask SA to skip DNSBL checks for a
> specific IP / subnet, is it possible to do this ?

i would say no, but try

trusted_networks 0.0.0.0/0

:-)

just not 0.0.0.0/0; use the skip IP there if you know for sure it's trusted,  
never sends spam to you, or is a forwarder IP

> I’d like something like skip_rbl_checks 1 from=1.2.3.4

read more on how rbl test is done, and see from this line:

spamassassin 2>&1 -D -t spam-msg | less

see untrusted ip

and later is it hitting rbls ?

good to see that dnswl now uses zone-firsttrusted

> And I’d like to keep other tests (Bayesian, Razor, ...) active.

i could live with ascii chars here :)

> Thanks in advance

see 'perldoc Mail::SpamAssassin::Conf' if not already done

-- 
xpoint
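The three suggestions in this thread all hinge on the same mechanism: SpamAssassin walks the Received headers from the newest hop down, skips everything inside trusted_networks, and keys its DNSBL rules on the first relay that is not trusted (the "last-external" relay Karsten refers to). John Hardin's NO_RBL_HOTMAIL meta then offsets an RBL hit when that relay is the site of interest, and Benny's trusted_networks 0.0.0.0/0 joke works because a fully trusted chain leaves no external relay to check at all. The following is an added, simplified model of that logic written for this page; it is not SpamAssassin's own code. The Received lines, the 192.0.2.0/24 trusted range, the 198.51.100.7 comparison relay and the rule hit scores are constructed for the example; only 65.55.111.100 and its hostname come from the thread.

```python
"""Simplified model of SpamAssassin's last-external relay selection and a
score-compensating meta rule. Added example, not SpamAssassin code.
Received lines, the 192.0.2.0/24 trusted range, 198.51.100.7 and the
rule scores are constructed; 65.55.111.100 is the relay from the thread."""
import ipaddress
import re

# Constructed trusted/internal network (RFC 5737 documentation range).
TRUSTED_NETWORKS = ["192.0.2.0/24"]

# Net whose DNSBL hits should be neutralised (the Hotmail relay net from the thread).
SKIP_RBL_NETS = ["65.55.111.0/24"]

# Received headers as they appear in a message: most recent hop first (constructed).
RECEIVED_HEADERS = [
    "from mx.example.net (mx.example.net [192.0.2.10]) by mail.example.net",
    "from blu0-omc2-s25.blu0.hotmail.com (blu0-omc2-s25.blu0.hotmail.com "
    "[65.55.111.100]) by mx.example.net",
    "from BLU0-SMTP12 ([10.0.0.12]) by blu0-omc2-s25.blu0.hotmail.com",
]

# Same shape, but the external relay is outside the skip net (constructed).
OTHER_RECEIVED_HEADERS = [
    "from mx.example.net (mx.example.net [192.0.2.10]) by mail.example.net",
    "from relay.example.org (relay.example.org [198.51.100.7]) by mx.example.net",
]

_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _nets(cidrs):
    """Accept CIDR strings (or ready-made networks) and return network objects."""
    return [ipaddress.ip_network(c) if isinstance(c, str) else c for c in cidrs]


def relay_ips(received):
    """Bracketed IP of each Received hop, newest first."""
    ips = []
    for hdr in received:
        m = _IP_RE.search(hdr)
        if m:
            ips.append(ipaddress.ip_address(m.group(1)))
    return ips


def in_nets(ip, cidrs):
    return any(ip in n for n in _nets(cidrs))


def last_external(received, trusted=TRUSTED_NETWORKS):
    """First relay, reading from the newest hop, that is not in trusted_networks.
    This is the host the DNSBL rules are keyed on; every hop before it is our
    own infrastructure. With 0.0.0.0/0 trusted there is no such host."""
    for ip in relay_ips(received):
        if not in_nets(ip, trusted):
            return ip
    return None


def score_message(received, rule_hits, skip_nets=SKIP_RBL_NETS):
    """rule_hits maps rule name -> score. Returns (total, hits) after adding an
    offsetting meta for every RBL_* hit when the last-external relay sits in a
    skip net, mirroring John Hardin's `meta NO_RBL_HOTMAIL RBL_SORBS && FROM_HOTMAIL`
    with a negative score of equal size. Bayes, Razor etc. are untouched."""
    hits = dict(rule_hits)
    ext = last_external(received)
    if ext is not None and in_nets(ext, skip_nets):
        for name, score in rule_hits.items():
            if name.startswith("RBL_"):
                hits["NO_" + name] = -score
    return round(sum(hits.values()), 1), hits


if __name__ == "__main__":
    hits = {"RBL_SORBS_SPAM": 1.0, "BAYES_50": 0.8}  # constructed scores
    print("last-external:", last_external(RECEIVED_HEADERS))
    print("hotmail relay:", score_message(RECEIVED_HEADERS, hits))
    print("other relay:  ", score_message(OTHER_RECEIVED_HEADERS, hits))
    print("all trusted:  ", last_external(RECEIVED_HEADERS, ["0.0.0.0/0"]))
```

Run stand-alone, the script shows the Hotmail relay being picked as last-external, its RBL hit cancelled while the Bayes hit survives, the unrelated relay scored in full, and no external relay at all once everything is trusted. The offset is keyed on the relay SA actually checked rather than on any IP anywhere in the headers, which is why Karsten points at Received/last-external rather than a plain header match.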