Posted to users@spamassassin.apache.org by David Zinder <zi...@ztechz.com> on 2008/01/28 23:19:18 UTC

Can anyone help me?

I think my problem is related to surbl.org, but I can't figure out how 
to reach them. list.surbl.org times out, and has for several weeks.

I had been using Spamassassin 3.1.5 under RHEL 3. Works great, until Jan 
1, 2008. I started getting false positives from surbl. These are emails 
I have received for years, such as newsletter.varbusiness.com and 
newsletter.crn.com. If I remove file /usr/share/spamassassin/25_uribl.cf 
and restart spamd, the false positives stop, but more real spam gets 
through. I upgraded all the perl utilities SA needs and I am now running 
SA 3.2.4, but the problem is still there. I can't find anything on the 
SA or surbl web sites that address this problem. Anyone have any ideas?

Thanks in advance,
David

Re: Can anyone help me?

Posted by Adam Lanier <ad...@krusty.madoff.com>.
On Mon, 2008-01-28 at 17:19 -0500, David Zinder wrote:
> I think my problem is related to surbl.org, but I can't figure out how 
> to reach them. list.surbl.org times out, and has for several weeks.
> 
> I had been using Spamassassin 3.1.5 under RHEL 3. Works great, until Jan 
> 1, 2008. I started getting false positives from surbl. These are emails 
> I have received for years, such as newsletter.varbusiness.com and 
> newsletter.crn.com. If I remove file /usr/share/spamassassin/25_uribl.cf 
> and restart spamd, the false positives stop, but more real spam gets 
> through. I upgraded all the perl utilities SA needs and I am now running 
> SA 3.2.4, but the problem is still there. I can't find anything on the 
> SA or surbl web sites that address this problem. Anyone have any ideas?

Neither of those domains is listed on surbl.  The surbl web site does
list some bugs with DNS responses under some circumstances.  Not sure
those apply to you.


Re: Can anyone help me? surbl.org FP problems?

Posted by Theo Van Dinter <fe...@apache.org>.
On Tue, Jan 29, 2008 at 06:07:08PM +0100, Karsten Bräckelmann wrote:
> This looks fishy. Your problem doesn't seem to be specific to SURBL. All
> URIBL tests are hitting.

http://wiki.apache.org/spamassassin/OpenDnsAndUribls

?

-- 
Randomly Selected Tagline:
You will have good luck and overcome many hardships.

Re: Can anyone help me? surbl.org FP problems?

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Tue, 2008-01-29 at 11:34 -0500, David Zinder wrote:

> If I understand the request for more info... It seems to get caught by 
> all the lists. Here is an example from an email this morning. I'm not 
> sure how to munge, but I think this is what you requested.
> 
> Content analysis details:   (5.2 points, 5.0 required)
> 
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------

>  1.1 URIBL_RHS_DOB          Contains an URI of a new domain (Day Old Bread)
>                             [URIs: techweb.com]
>  0.2 URIBL_GREY             Contains an URL listed in the URIBL greylist
>                             [URIs: techweb.com]
>  2.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
>                             [URIs: techweb.com]
>  0.0 URIBL_RED              Contains an URL listed in the URIBL redlist

This looks fishy. Your problem doesn't seem to be specific to SURBL. All
URIBL tests are hitting.

  guenther


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: Can anyone help me? surbl.org FP problems?

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
David Zinder wrote:
> Is this a correct response from dig? If so, changing the DNS servers in
> /etc/resolve.conf does not fix my problem. The techweb.com email is
> still reported on the blocklists.

Did you restart SA after editing resolv.conf?

> I have also tried dig from two other
> email servers I control. They both have different DNS servers in
> /etc/resolve.conf and different ISPs. Both return similar dig results to
> what I pasted above and the techweb.com email gets the same results.

"and the techweb.com email gets the same results"... the same as what
results?

Daryl


Re: Can anyone help me? surbl.org FP problems?

Posted by David B Funk <db...@engineering.uiowa.edu>.
On Thu, 31 Jan 2008, David Zinder wrote:

> What should dig return? I too have Verizon fios. If /etc/resolve.conf
> contains their DNS servers I get similar dig results as you. If I change
> it to DNS servers I trust I get:
>
> $  dig techweb.com.multi.surbl.org
>
> ; <<>> DiG 9.2.4 <<>> techweb.com.multi.surbl.org
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11053
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
[snip..]
                                 ^^^^^^^^^^^^^^^^^

That is the correct answer from dig.
Note the part that says: "status: NXDOMAIN"
That's dig's way of saying "Non-eXistent DOMAIN" (i.e. no such critter).
In other words, "techweb.com" is not found in multi.surbl.org.
So your SA should -not- be listing it.


> Is this a correct response from dig? If so, changing the DNS servers in
> /etc/resolve.conf does not fix my problem. The techweb.com email is
> still reported on the blocklists. I have also tried dig from two other
> email servers I control. They both have different DNS servers in
> /etc/resolve.conf and different ISPs. Both return similar dig results to
> what I pasted above and the techweb.com email gets the same results.
>

Then there's something else that is broken; your dig query clearly
shows multi.surbl.org not listing techweb.com.

Take one of your messages that contain a techweb.com, save it as a text
file, feed it to spamassassin with the -D flag and look for rbl parts.

-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

Re: Can anyone help me? surbl.org FP problems?

Posted by Matt Kettler <mk...@verizon.net>.
David Zinder wrote:
> What should dig return? I too have Verizon fios. If /etc/resolve.conf 
> contains their DNS servers I get similar dig results as you. If I 
> change it to DNS servers I trust I get:
>
> $  dig techweb.com.multi.surbl.org
>
> ; <<>> DiG 9.2.4 <<>> techweb.com.multi.surbl.org
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11053 
<snip>
>
>
>
> Is this a correct response from dig?
Yes, that's the correct result. You want NXDOMAIN (ie: not in the 
blacklist).
> If so, changing the DNS servers in /etc/resolve.conf does not fix my 
> problem. The techweb.com email is still reported on the blocklists. I 
> have also tried dig from two other email servers I control. They both 
> have different DNS servers in /etc/resolve.conf and different ISPs. 
> Both return similar dig results to what I pasted above and the 
> techweb.com email gets the same results.
You can also force dig to use a specific DNS server for the lookup. You 
might want to check all the servers in your resolv.conf. Perhaps SA is 
using a different one than the command-line is picking:

ie:
dig @192.168.1.1 techweb.com.multi.surbl.org

will force it to use 192.168.1.1 as a DNS server (note the space between 
dig and @.. that's important)

You should see poisoned results from:

 dig @71.242.0.12 techweb.com.multi.surbl.org

And good results from:
 dig @71.242.0.14 techweb.com.multi.surbl.org
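
The two replies above read the dig output by eye: NXDOMAIN means "not listed", and anything that is not a 127.0.0.x address is not a DNSBL answer at all. Below is an added example (not code from this thread, SpamAssassin, SURBL or URIBL) that does the same classification over captured dig transcripts. The NXDOMAIN and hijacked transcripts are the ones posted in this thread (the hijacked one's header line is reconstructed, since the post snipped it); the third transcript, the function and constant names, and the SURBL bit-to-list mapping are this example's own assumptions.

```python
# Added example (not code from the thread, SpamAssassin, SURBL or URIBL):
# classify a URIBL lookup from a captured `dig` transcript the way the
# replies above do by eye. Function and constant names are this example's own.
import ipaddress
import re

DNSBL_NET = ipaddress.ip_network("127.0.0.0/8")   # the only legitimate DNSBL answers

# Historic multi.surbl.org bitmask (last octet of 127.0.0.x). Assumption:
# recalled from SURBL's published documentation of that era; check surbl.org.
SURBL_BITS = {2: "SC", 4: "WS", 8: "PH", 16: "OB", 32: "AB", 64: "JP"}

# Sample 1: the honest NXDOMAIN answer posted in the thread (trimmed).
DIG_NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11053
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;techweb.com.multi.surbl.org.   IN      A

;; AUTHORITY SECTION:
multi.surbl.org.        900     IN      SOA     dev.null. zone.surbl.org. 1201814821 900 900 604800 900
"""

# Sample 2: the hijacked answer posted in the thread; the header line is
# constructed, since the post snipped it.
DIG_HIJACKED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;techweb.com.multi.surbl.org.   IN      A

;; ANSWER SECTION:
techweb.com.multi.surbl.org. 0  IN      A       63.251.179.13
techweb.com.multi.surbl.org. 0  IN      A       66.150.2.134
techweb.com.multi.surbl.org. 0  IN      A       8.15.7.117
techweb.com.multi.surbl.org. 0  IN      A       66.150.2.134
"""

# Sample 3: constructed; what a genuine listing looks like (SC and WS bits set).
DIG_LISTED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3
;; ANSWER SECTION:
spammer.example.multi.surbl.org. 900 IN A       127.0.0.6
"""


def parse_dig(text):
    """Return (status, [A records in the ANSWER section]) from dig's text output."""
    m = re.search(r"status: (\w+)", text)
    status = m.group(1) if m else "UNKNOWN"
    answers, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
        elif line.startswith(";;"):
            in_answer = False
        elif in_answer and line.strip():
            fields = line.split()          # name ttl class type rdata
            if len(fields) >= 5 and fields[3] == "A":
                answers.append(fields[4])
    return status, answers


def dnsbl_verdict(text):
    """'clean', 'listed', 'hijacked' or 'unknown', plus the addresses that decided it."""
    status, answers = parse_dig(text)
    if not answers:
        # NXDOMAIN is the normal "not listed"; SERVFAIL/timeout is not a clean bill.
        return ("clean" if status == "NXDOMAIN" else "unknown"), []
    foreign = [a for a in answers if ipaddress.ip_address(a) not in DNSBL_NET]
    if foreign:
        # A real DNSBL never answers with a routable address: someone rewrote
        # the NXDOMAIN (the "DNS monetizer" pattern seen in the thread).
        return "hijacked", foreign
    return "listed", answers


def surbl_lists(addr):
    """Decode a 127.0.0.x multi.surbl.org answer into sub-list names."""
    last = int(addr.split(".")[-1])
    return [name for bit, name in SURBL_BITS.items() if last & bit]


if __name__ == "__main__":
    for label, sample in (("nxdomain", DIG_NXDOMAIN), ("hijacked", DIG_HIJACKED),
                          ("listed", DIG_LISTED)):
        verdict, addrs = dnsbl_verdict(sample)
        detail = [surbl_lists(a) for a in addrs] if verdict == "listed" else addrs
        print(f"{label:9s} -> {verdict:9s} {detail}")
```

Run it as a script to see the three verdicts; to check a live resolver, paste the output of `dig @server name.multi.surbl.org` into `dnsbl_verdict`. The "unknown" verdict covers SERVFAIL and timeouts, which look like a clean result if you only test for listings; the "hijacked" verdict is exactly the case in this thread, where SpamAssassin treated any A record as a hit.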


Re: Can anyone help me? surbl.org FP problems?

Posted by David Zinder <zi...@ztechz.com>.
What should dig return? I too have Verizon fios. If /etc/resolve.conf 
contains their DNS servers I get similar dig results as you. If I change 
it to DNS servers I trust I get:

$  dig techweb.com.multi.surbl.org

; <<>> DiG 9.2.4 <<>> techweb.com.multi.surbl.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11053
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;techweb.com.multi.surbl.org.   IN      A

;; AUTHORITY SECTION:
multi.surbl.org.        900     IN      SOA     dev.null. zone.surbl.org. 1201814821 900 900 604800 900

;; Query time: 40 msec
;; SERVER: 165.176.32.3#53(165.176.32.3)
;; WHEN: Thu Jan 31 16:41:38 2008
;; MSG SIZE  rcvd: 94


Is this a correct response from dig? If so, changing the DNS servers in 
/etc/resolve.conf does not fix my problem. The techweb.com email is 
still reported on the blocklists. I have also tried dig from two other 
email servers I control. They both have different DNS servers in 
/etc/resolve.conf and different ISPs. Both return similar dig results to 
what I pasted above and the techweb.com email gets the same results.

Matt Kettler wrote:
> David Zinder wrote:
>> Thank you for the response and suggestions.
>>
>> Yes - lists.surbl.org - I was using the link Contacts->mailing lists 
>> from www.surbl.org
>>
>> If I understand the request for more info... It seems to get caught 
>> by all the lists. Here is an example from an email this morning. I'm 
>> not sure how to munge, but I think this is what you requested.
>>
>> Content analysis details:   (5.2 points, 5.0 required)
>>
>> pts rule name              description
>> ---- ---------------------- 
>> --------------------------------------------------
>> 1.5 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL 
>> blocklist
>>                            [URIs: techweb.com] 
> <snip, every surbl and uribl listed>
>
> Well, that's really odd. It's *VERY* unusual for a domain to be in 
> every surbl and uribl list.
>
> Checking using uribl.com's multi-checker, they've got techweb 
> whitelisted. They also show surbl as not listing the domain (but they 
> can't see surbl's whitelists).
>
> However, locally I get some *VERY* strange results:
>
> $dig techweb.com.multi.surbl.org
> <snip>
>
> ;; ANSWER SECTION:
> techweb.com.multi.surbl.org. 0  IN      A       63.251.179.13
> techweb.com.multi.surbl.org. 0  IN      A       66.150.2.134
> techweb.com.multi.surbl.org. 0  IN      A       8.15.7.117
> techweb.com.multi.surbl.org. 0  IN      A       66.150.2.134
>   None of which are appropriate answers for multi.surbl.org.
>
> I get the same results for URIBL.com:
>
> These were sent via the built-in DNS in my verizon fios router.. but 
> that's really odd.. Perhaps Verizon is screwing up their DNS?
>
> Ahh, yes they are:
>
> http://www.freedom-to-tinker.com/?p=1227
>
> Connecting to those IP's, they're redirects to 
> "verizonsearch.infospace.com", so Verizon is actively engaging in 
> hijacking failed DNS lookups..
>
> When I use the local named on my Linux box, which doesn't forward to 
> the fios router but does the full recursive lookup all on its own, I 
> get a correct no-answer.
>
> You might want to try running that dig and see what answers you get 
> back. If you're not running your own DNS, you might want to yell at 
> your isp..

Re: DNS hijacking

Posted by Rob McEwen <ro...@invaluement.com>.
Better yet, avoid being a victim of dns hijacking by accessing SURBL & 
URIBL (and other dnsbls!) via RSYNC. If implemented correctly, this will 
result in performance gains as well!
--Rob McEwen

DNS hijacking (was: Can anyone help me? surbl.org FP problems?)

Posted by SM <sm...@resistor.net>.
At 11:40 31-01-2008, John Hardin wrote:
>Do any of the DNSBLs or URIBLs that return bitmapped results bitmap 
>into the first octet? If not, then this sounds like the best 
>solution, even though it doesn't give the administrator any feedback 
>that DNS hijacking is taking place...

This hijacking may affect other RBL related network tests as 
well.  It's better to use a test point at startup and log a warning.

Regards,
-sm 


Re: Re: Can anyone help me? surbl.org FP problems?

Posted by John Hardin <jh...@impsec.org>.
On Thu, 31 Jan 2008, Dallas Engelken wrote:

> Or better yet, just fix the URIBLDNS plugin code to expect responses 
> matching ^127\.
>
> Anything else is a dns monetizer.

Do any of the DNSBLs or URIBLs that return bitmapped results bitmap into 
the first octet? If not, then this sounds like the best solution, even 
though it doesn't give the administrator any feedback that DNS hijacking 
is taking place...

--
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   You are in a maze of twisty little protocols,
   all written by Microsoft.
----------------------------------------------------------------------
  2 days until the 5th anniversary of the loss of STS-107 Columbia

Re: Re: Can anyone help me? surbl.org FP problems?

Posted by Dallas Engelken <da...@uribl.com>.
John Hardin wrote:
> On Tue, 2008-01-29 at 15:25 -0800, John Hardin wrote:
>   
>> On Tue, 2008-01-29 at 17:51 -0500, Matt Kettler wrote:
>>     
>>> Perhaps Verizon is screwing up their DNS?
>>>
>>> Ahh, yes they are:
>>>
>>> http://www.freedom-to-tinker.com/?p=1227
>>>       
>> Hrm.
>>
>> As a troubleshooting hack for this increasingly-common "feature",
>> perhaps a URIBL/DNSBL rule could be defined that checks a domain that
>> will *never* be in the zones (apache.org maybe) and if it ever hit then
>> add -20 to the score (to override all the FP hits) and emit a warning to
>> inspect your DNS service for ISP hijacking? 
>>     
>
> ...duh, that won't work. Where would the domain name to test come from?
>
> Perhaps a check for ISP DNS tomfoolery could be put in the --lint checks
> somehow?
>
>   

Or better yet, just fix the URIBLDNS plugin code to expect responses 
matching ^127\.

Anything else is a dns monetizer.

-- 
Dallas Engelken
dallase@uribl.com
http://uribl.com
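
SM's suggestion above (a test point queried at startup, with a logged warning) and Dallas Engelken's (accept only answers matching ^127\.) fit together. The block below is an added example, not code from SpamAssassin, SURBL or URIBL: `check_dnsbl_resolver` runs a positive and a negative control against a zone through any resolver callable, and `dnsbl_lookup` drops non-127/8 answers from live lookups. The test-point label and its return value are parameters, because the thread does not give them; the three resolver stand-ins are constructed so the example runs offline.

```python
# Added example (not SpamAssassin, SURBL or URIBL code): a startup sanity
# check for the resolver a mail filter will use, plus a per-answer guard.
# `resolve` is any callable returning the A records for a name ([] for
# NXDOMAIN); the DNS client itself is out of scope here.
import ipaddress

DNSBL_NET = ipaddress.ip_network("127.0.0.0/8")


def foreign_answers(addrs):
    """Addresses that cannot be DNSBL result codes (outside 127.0.0.0/8)."""
    return [a for a in addrs if ipaddress.ip_address(a) not in DNSBL_NET]


def dnsbl_lookup(resolve, name, zone):
    """Per-query guard in the spirit of 'expect ^127\\.': return only the
    result codes for name in zone, ignoring anything a rewriting resolver
    injected in place of NXDOMAIN."""
    return [a for a in resolve(f"{name}.{zone}")
            if ipaddress.ip_address(a) in DNSBL_NET]


def check_dnsbl_resolver(resolve, zone, test_name, test_expected,
                         clean_name="never-listed.invalid"):
    """Return a list of warnings; [] means the resolver behaved for this zone.

    test_name / test_expected: a label the zone documents as always listed and
    the code it returns (assumed parameters; look them up on the list's site).
    clean_name: a label that can never be listed. '.invalid' is reserved by
    RFC 2606, so any answer for it was invented by the resolver.
    """
    warnings = []
    clean = resolve(f"{clean_name}.{zone}")
    if clean:
        warnings.append(f"{zone}: negative control answered {clean}; "
                        f"resolver rewrites NXDOMAIN")
    listed = resolve(f"{test_name}.{zone}")
    if not listed:
        warnings.append(f"{zone}: positive control returned nothing; "
                        f"zone unreachable or blocked")
    else:
        bad = foreign_answers(listed)
        if bad:
            warnings.append(f"{zone}: positive control answered outside 127/8: {bad}")
        elif test_expected not in listed:
            warnings.append(f"{zone}: positive control returned {listed}, "
                            f"expected {test_expected}")
    return warnings


# Constructed stand-ins for a real DNS client, so the example runs offline.
# The test-point value 127.0.0.126 is an assumption, not taken from the thread.
_LISTED = {"test.multi.surbl.org": ["127.0.0.126"],
           "spammer.example.multi.surbl.org": ["127.0.0.6"]}


def honest_resolver(name):
    return _LISTED.get(name, [])                          # NXDOMAIN -> []


def hijacking_resolver(name):
    # Rewrites every NXDOMAIN into the search-portal addresses seen in the thread.
    return _LISTED.get(name, ["63.251.179.13", "66.150.2.134"])


def dead_resolver(name):
    return []                                             # zone unreachable


if __name__ == "__main__":
    for label, r in (("honest", honest_resolver), ("hijacking", hijacking_resolver),
                     ("dead", dead_resolver)):
        print(label, check_dnsbl_resolver(r, "multi.surbl.org", "test", "127.0.0.126"))
        print("  techweb.com ->", dnsbl_lookup(r, "techweb.com", "multi.surbl.org"))
```

Matt Kettler's observation that Verizon rewrote only some names is the reason for keeping `dnsbl_lookup` as well: a negative control with a throwaway label can pass while the names that matter are still rewritten, so every live answer is filtered too. To use it against real DNS, pass a function that performs the A lookup through the resolver SpamAssassin is configured to use, not the one your shell happens to pick.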


Re: Can anyone help me? surbl.org FP problems?

Posted by John Hardin <jh...@impsec.org>.
On Tue, 2008-01-29 at 15:25 -0800, John Hardin wrote:
> On Tue, 2008-01-29 at 17:51 -0500, Matt Kettler wrote:
> > Perhaps Verizon is screwing up their DNS?
> > 
> > Ahh, yes they are:
> > 
> > http://www.freedom-to-tinker.com/?p=1227
> 
> Hrm.
> 
> As a troubleshooting hack for this increasingly-common "feature",
> perhaps a URIBL/DNSBL rule could be defined that checks a domain that
> will *never* be in the zones (apache.org maybe) and if it ever hit then
> add -20 to the score (to override all the FP hits) and emit a warning to
> inspect your DNS service for ISP hijacking? 

...duh, that won't work. Where would the domain name to test come from?

Perhaps a check for ISP DNS tomfoolery could be put in the --lint checks
somehow?

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Windows Vista: Windows ME for the XP generation.
-----------------------------------------------------------------------
 Today: Wolfgang Amadeus Mozart's 252nd Birthday


Re: Can anyone help me? surbl.org FP problems?

Posted by John Hardin <jh...@impsec.org>.
On Wed, 2008-01-30 at 08:49 +0100, mouss wrote:
> >> On Tue, 2008-01-29 at 17:51 -0500, Matt Kettler wrote:
> >>  
> >>> Perhaps Verizon is screwing up their DNS?
> >>>
> >>> Ahh, yes they are:
> >>>
> >>> http://www.freedom-to-tinker.com/?p=1227
>
> does their "opt-out" (setting the DNS server to 68.238.0.14) work?

When I read the "opt-out" instructions a while back they listed
68.238.128.14 and 68.238.64.14 - I have been successfully using those as
my forwarders for a couple of months now.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Efficiency can magnify good, but it magnifies evil just as well.
  So, we should not be surprised to find that modern electronic
  communication magnifies stupidity as *efficiently* as it magnifies
  intelligence.                                   -- Robert A. Matern
-----------------------------------------------------------------------
 3 days until the 5th anniversary of the loss of STS-107 Columbia


Re: Can anyone help me? surbl.org FP problems?

Posted by Matt Kettler <mk...@verizon.net>.
mouss wrote:
> Matt Kettler wrote:
>> John Hardin wrote:
>>> On Tue, 2008-01-29 at 17:51 -0500, Matt Kettler wrote:
>>>  
>>>> Perhaps Verizon is screwing up their DNS?
>>>>
>>>> Ahh, yes they are:
>>>>
>>>> http://www.freedom-to-tinker.com/?p=1227
>>>>     
>>>
>>> Hrm.
>>>
>>> As a troubleshooting hack for this increasingly-common "feature",
>>> perhaps a URIBL/DNSBL rule could be defined that checks a domain that
>>> will *never* be in the zones (apache.org maybe) and if it ever hit then
>>> add -20 to the score (to override all the FP hits) and emit a 
>>> warning to
>>> inspect your DNS service for ISP hijacking?   
>> The problem is they're not hijacking everything... Only "interesting" 
>> domains.
>>
>> I can do a dig for several other domains against verizon's poison DNS 
>> and get a NXDOMAIN. In fact, I tried to find another domain that gets 
>> redirected, and couldn't.
>>
>>
>>
>>
>
> does their "opt-out" (setting the DNS server to 68.238.0.14) work?
In my area the opt-out DNS servers are:

    71.242.0.14
    71.252.0.14

and they do work although their procedures for doing so on their website 
are broken.

I'm a Fios customer with a MI424WR router, where you're supposed to 
follow this procedure:

http://netservices.verizon.net/portal/link/help/index.jsp?epi_menuItemID=c567d167631f692124525d7253295c48&objId=23995

They tell you to go to your lan network and over-ride the DNS there by 
changing the last octet. The problem is, just like in their own picture, 
the defaults are 0.0.0.0, which causes it to advertise the router itself 
as a DNS. The router has a mini-dns that winds up using the DNS servers 
it discovered on the WAN side as forwarders. So you've got to go to the 
wan interface, copy down those DNS IP's, change the last octets from 12 
to 14, and enter those on the LAN side as servers to advertise in DHCP.

Or you can just tell your clients to not use DHCP for dns, and manually 
configure those two resolvers.

Clearly they're not expecting your average Joe to be able to opt out. 
The instructions are complicated, and inaccurate. It's probably very 
intentional on their part that they've spent very little effort trying 
to make opting out easy.


Re: Can anyone help me? surbl.org FP problems?

Posted by mouss <mo...@netoyen.net>.
Matt Kettler wrote:
> John Hardin wrote:
>> On Tue, 2008-01-29 at 17:51 -0500, Matt Kettler wrote:
>>  
>>> Perhaps Verizon is screwing up their DNS?
>>>
>>> Ahh, yes they are:
>>>
>>> http://www.freedom-to-tinker.com/?p=1227
>>>     
>>
>> Hrm.
>>
>> As a troubleshooting hack for this increasingly-common "feature",
>> perhaps a URIBL/DNSBL rule could be defined that checks a domain that
>> will *never* be in the zones (apache.org maybe) and if it ever hit then
>> add -20 to the score (to override all the FP hits) and emit a warning to
>> inspect your DNS service for ISP hijacking?   
> The problem is they're not hijacking everything... Only "interesting" 
> domains.
>
> I can do a dig for several other domains against verizon's poison DNS 
> and get a NXDOMAIN. In fact, I tried to find another domain that gets 
> redirected, and couldn't.

does their "opt-out" (setting the DNS server to 68.238.0.14) work?

Re: Can anyone help me? surbl.org FP problems?

Posted by Matt Kettler <mk...@verizon.net>.
John Hardin wrote:
> On Tue, 2008-01-29 at 17:51 -0500, Matt Kettler wrote:
>   
>> Perhaps Verizon is screwing up their DNS?
>>
>> Ahh, yes they are:
>>
>> http://www.freedom-to-tinker.com/?p=1227
>>     
>
> Hrm.
>
> As a troubleshooting hack for this increasingly-common "feature",
> perhaps a URIBL/DNSBL rule could be defined that checks a domain that
> will *never* be in the zones (apache.org maybe) and if it ever hit then
> add -20 to the score (to override all the FP hits) and emit a warning to
> inspect your DNS service for ISP hijacking? 
>   
The problem is they're not hijacking everything... Only "interesting" 
domains.

I can do a dig for several other domains against verizon's poison DNS 
and get a NXDOMAIN. In fact, I tried to find another domain that gets 
redirected, and couldn't.

Re: Can anyone help me? surbl.org FP problems?

Posted by John Hardin <jh...@impsec.org>.
On Tue, 2008-01-29 at 17:51 -0500, Matt Kettler wrote:
> Perhaps Verizon is screwing up their DNS?
> 
> Ahh, yes they are:
> 
> http://www.freedom-to-tinker.com/?p=1227

Hrm.

As a troubleshooting hack for this increasingly-common "feature",
perhaps a URIBL/DNSBL rule could be defined that checks a domain that
will *never* be in the zones (apache.org maybe) and if it ever hit then
add -20 to the score (to override all the FP hits) and emit a warning to
inspect your DNS service for ISP hijacking? 

Not that the latter would be easy using stock SA... Maybe just name the
rule appropriately, perhaps WARNING_ISP_DNS_HIJACK ?

Or would the traffic from this be worse than the FPs when hijacking
occurs?

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Windows Vista: Windows ME for the XP generation.
-----------------------------------------------------------------------
 Today: Wolfgang Amadeus Mozart's 252nd Birthday


Re: Can anyone help me? surbl.org FP problems?

Posted by Matt Kettler <mk...@verizon.net>.
David Zinder wrote:
> Thank you for the response and suggestions.
>
> Yes - lists.surbl.org - I was using the link Contacts->mailing lists 
> from www.surbl.org
>
> If I understand the request for more info... It seems to get caught by 
> all the lists. Here is an example from an email this morning. I'm not 
> sure how to munge, but I think this is what you requested.
>
> Content analysis details:   (5.2 points, 5.0 required)
>
> pts rule name              description
> ---- ---------------------- 
> --------------------------------------------------
> 1.5 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL 
> blocklist
>                            [URIs: techweb.com] 
<snip, every surbl and uribl listed>

Well, that's really odd. It's *VERY* unusual for a domain to be in every 
surbl and uribl list.

Checking using uribl.com's multi-checker, they've got techweb 
whitelisted. They also show surbl as not listing the domain (but they 
can't see surbl's whitelists).

However, locally I get some *VERY* strange results:

$dig techweb.com.multi.surbl.org
<snip>

;; ANSWER SECTION:
techweb.com.multi.surbl.org. 0  IN      A       63.251.179.13
techweb.com.multi.surbl.org. 0  IN      A       66.150.2.134
techweb.com.multi.surbl.org. 0  IN      A       8.15.7.117
techweb.com.multi.surbl.org. 0  IN      A       66.150.2.134
   
None of which are appropriate answers for multi.surbl.org.

I get the same results for URIBL.com:

These were sent via the built-in DNS in my verizon fios router.. but 
that's really odd.. Perhaps Verizon is screwing up their DNS?

Ahh, yes they are:

http://www.freedom-to-tinker.com/?p=1227

Connecting to those IP's, they're redirects to 
"verizonsearch.infospace.com", so Verizon is actively engaging in 
hijacking failed DNS lookups..

When I use the local named on my Linux box, which doesn't forward to the 
fios router but does the full recursive lookup all on its own, I get a 
correct no-answer.

You might want to try running that dig and see what answers you get 
back. If you're not running your own DNS, you might want to yell at your 
isp..

Re: Can anyone help me? surbl.org FP problems?

Posted by David Zinder <zi...@ztechz.com>.
Thank you for the response and suggestions.

Yes - lists.surbl.org - I was using the link Contacts->mailing lists 
from www.surbl.org

If I understand the request for more info... It seems to get caught by 
all the lists. Here is an example from an email this morning. I'm not 
sure how to munge, but I think this is what you requested.

Content analysis details:   (5.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.5 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
                            [URIs: techweb.com]
 0.5 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
                            [URIs: techweb.com]
 1.8 URIBL_PH_SURBL         Contains an URL listed in the PH SURBL blocklist
                            [URIs: techweb.com]
 1.9 URIBL_AB_SURBL         Contains an URL listed in the AB SURBL blocklist
                            [URIs: techweb.com]
 1.5 URIBL_JP_SURBL         Contains an URL listed in the JP SURBL blocklist
                            [URIs: techweb.com]
 1.5 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
                            [URIs: techweb.com]
 1.1 URIBL_RHS_DOB          Contains an URI of a new domain (Day Old Bread)
                            [URIs: techweb.com]
 0.2 URIBL_GREY             Contains an URL listed in the URIBL greylist
                            [URIs: techweb.com]
 2.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: techweb.com]
 0.0 URIBL_RED              Contains an URL listed in the URIBL redlist
                            [URIs: techweb.com]
-2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                            [score: 0.0000]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.5 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
-5.6 AWL                    AWL: From: address is in the auto white-list



Matt Kettler wrote:
> Note: I fixed your subject line to try to draw the attention of the 
> right people. Generic subject lines tend to get overlooked by folks 
> with specific interests, since many just skim the subject lines.
>
> David Zinder wrote:
>> I think my problem is related to surbl.org, but I can't figure out 
>> how to reach them. list.surbl.org times out, and has for several weeks.
> I assume you mean lists.surbl.org.
>
>>
>> I had been using Spamassassin 3.1.5 under RHEL 3. Works great, until 
>> Jan 1, 2008. I started getting false positives from surbl. These are 
>> emails I have received for years, such as newsletter.varbusiness.com 
>> and newsletter.crn.com.
> It would help if you can indicate which domains in these emails are 
> triggering it. Try running one through spamassassin and look at the 
> body report. The surbl match in the body report should tell you what 
> domain is matching. You might have to munge it to post, but something 
> like example*MUNGED*.com is a typical way of being able to post it 
> here without trouble.
>
> It would also be helpful if you indicated which surbl list is a 
> problem.. WS? OB? SC? JP? AB? PH?
>
>> If I remove file /usr/share/spamassassin/25_uribl.cf and restart 
>> spamd, the false positives stop, but more real spam gets through. I 
>> upgraded all the perl utilities SA needs and I am now running SA 
>> 3.2.4, but the problem is still there.
> That's unsurprising..
>> I can't find anything on the SA or surbl web sites that address this 
>> problem. Anyone have any ideas?
> I know some of the surbl.org folks crawl this list, that's why I fixed 
> your subject line to indicate it was surbl.org related.  Hopefully one 
> of them will jump in.
>>
>> Thanks in advance,
>> David
>>
>

Re: Can anyone help me? surbl.org FP problems?

Posted by Matt Kettler <mk...@verizon.net>.
Note: I fixed your subject line to try to draw the attention of the 
right people. Generic subject lines tend to get overlooked by folks with 
specific interests, since many just skim the subject lines.

David Zinder wrote:
> I think my problem is related to surbl.org, but I can't figure out how 
> to reach them. list.surbl.org times out, and has for several weeks.
I assume you mean lists.surbl.org.

>
> I had been using Spamassassin 3.1.5 under RHEL 3. Works great, until 
> Jan 1, 2008. I started getting false positives from surbl. These are 
> emails I have received for years, such as newsletter.varbusiness.com 
> and newsletter.crn.com.
It would help if you can indicate which domains in these emails are 
triggering it. Try running one through spamassassin and look at the body 
report. The surbl match in the body report should tell you what domain 
is matching. You might have to munge it to post, but something like 
example*MUNGED*.com is a typical way of being able to post it here 
without trouble.

It would also be helpful if you indicated which surbl list is a 
problem.. WS? OB? SC? JP? AB? PH?

> If I remove file /usr/share/spamassassin/25_uribl.cf and restart 
> spamd, the false positives stop, but more real spam gets through. I 
> upgraded all the perl utilities SA needs and I am now running SA 
> 3.2.4, but the problem is still there.
That's unsurprising..
> I can't find anything on the SA or surbl web sites that address this 
> problem. Anyone have any ideas?
I know some of the surbl.org folks crawl this list, that's why I fixed 
your subject line to indicate it was surbl.org related.  Hopefully one 
of them will jump in.
>
> Thanks in advance,
> David
>