Posted to users@spamassassin.apache.org by Alex Regan <my...@gmail.com> on 2015/05/11 15:42:07 UTC

DNSWL fp and other problems

Hi,

I have a fp that was passed through thomsonreuters, hitting 
RCVD_IN_DNSWL_HI, receiving -5 points, from an obvious hacked account.

http://pastebin.com/5LYS7s2v

This is with v3.4.1, but an older bayes database, so perhaps it needs to 
be rebuilt. Even with BAYES_99, it still wouldn't have been tagged 
properly, however.

I'm curious if there's anything further that could have been done to 
block this outside of a body rule matching this specific pattern?

Is it also interesting that thomsonreuters.com has no SPF information?

Thanks,
Alex

Re: DNSWL fp and other problems

Posted by Niamh Holding <ni...@fullbore.co.uk>.
Hello Reindl,

Monday, May 11, 2015, 2:57:57 PM, you wrote:

RH> complain at dnswl.org

Don't complain, report it and the listing will then be reviewed

-- 
Best regards,
 Niamh                            mailto:niamh@fullbore.co.uk

Re: DNSWL fp and other problems

Posted by Reindl Harald <h....@thelounge.net>.
Am 11.05.2015 um 15:42 schrieb Alex Regan:
> I have a fp that was passed through thomsonreuters, hitting
> RCVD_IN_DNSWL_HI, receiving -5 points, from an obvious hacked account.
>
> http://pastebin.com/5LYS7s2v
>
> This is with v3.4.1, but an older bayes database, so perhaps it needs to
> be rebuilt. Even with BAYES_99, it still wouldn't have been tagged
> properly, however.
>
> I'm curious if there's anything further that could have been done to
> block this outside of a body rule matching this specific pattern?
>
> Is it also interesting that thomsonreuters.com has no SPF information?

complain at dnswl.org, and in the meantime you can override it in "local.cf" 
if it's really worth it, because normally the high-trusted dnswl.org 
response is not from spammers and likely the problem will be solved soon 
by delisting or fixing the hacked account

score RCVD_IN_DNSWL_HI -2.0


Re: DNSWL fp and other problems

Posted by Matthias Leisi <ma...@leisi.net>.
(writing with my dnswl.org hat on)

> Am 11.05.2015 um 15:42 schrieb Alex Regan <my...@gmail.com>:
> 
> Hi,
> 
> I have a fp that was passed through thomsonreuters, hitting RCVD_IN_DNSWL_HI, receiving -5 points, from an obvious hacked account.
> 
> http://pastebin.com/5LYS7s2v

IP 163.231.6.26, mailout2-trp.thomsonreuters.com, DNSWL Id 1251. 

No abuse reports on this IP yet (overall for this DNSWL Id: one back in October 2014, two in April 2014, and four in 2012 - all but the October 2014 coming from a single IP, all different from the one reported here). History of the IP reported here:

 1251/163.231.6.26 [-]		2015-05-12 00:00	Last seen
 163.231.6.26 [rbl]	regular-rblcheck	2015-03-06 20:31	2015-03-06 20:31:00 ix dnsbl 163.231.6.26 RBL filtered by ix.dnsbl.manitu.net: Your e-mail service was detected by mx.selfip.biz (NiX Spam) as spamming at Fri, 06 Mar 2015 15:03:13 +0100. Your admin should visit http://www.dnsbl.manitu.net/lookup.php?value=163.231.6.26
 163.231.6.26 [rbl]	regular-rblcheck	2012-06-13 16:31	
 1251/163.231.6.26 [c]		2011-04-30 19:23	DNSWL Id 0 -> 1251
 163.231.6.26 [c]		2011-04-30 19:23	Score med -> hi
 163.231.6.26 [c]		2011-04-30 19:23	Score low -> med
 163.231.6.26 [c]		2011-04-30 19:23	Score none -> low
 163.231.6.26 [a]		2011-02-25 01:52	Added record
 1251/163.231.6.26 [-]		2011-02-25 00:00	First seen

(The RBL hit from 2012 is from a source we only used for a short period of time due to the lack of accuracy, eg listing all of thomsonreuters.com; the actions in 2011 were done while cleaning up the whole DNSWL Id). 

Two "incidents" in the two months is quite a lot, especially for a DNSWL Id with such an overall good record as this one, and hints at some particular problem, of which we have no way of knowing whether it is solved or not. 

Score now lowered to low - it will automatically be increased once sufficient time has passed and no new RBL hits / abuse reports are coming in.

> Is it also interesting that thomsonreuters.com has no SPF information?

Their email setup is… interesting. Lots of different domain names, IP ranges, ASes, and obviously different businesses/business units. I believe maintaining a somewhat proper and sane SPF record would be a nightmare…

— Matthias
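
To confirm what list.dnswl.org currently returns for the IP discussed above (and therefore which RCVD_IN_DNSWL_* rule SpamAssassin would hit after the downgrade), here is an added example that is not from any poster in this thread. It assumes `dig` is installed, relies on the documented 127.0.<category>.<trust> answer format, and the category value 9 used in the comments is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the thread): translate a list.dnswl.org answer
# into the SpamAssassin RCVD_IN_DNSWL_* rule it would trigger.
# DNSWL answers are A records of the form 127.0.<category>.<trust>; the
# last octet is the trust level SpamAssassin keys on:
#   0 = none, 1 = low, 2 = med, 3 = hi
# 127.0.0.255 means the query was refused (e.g. over quota via a public
# resolver), so an empty-looking result must not be read as "not listed".

# Reverse the octets of a dotted IPv4 address: 163.231.6.26 -> 26.6.231.163
reverse_ip() {
    echo "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 }'
}

# Map one DNSWL A-record answer to the rule name SpamAssassin would hit.
# e.g. a constructed answer 127.0.9.3 -> RCVD_IN_DNSWL_HI
dnswl_rule() {
    case "$1" in
        127.0.0.255)  echo "QUERY_REFUSED" ;;
        127.0.*.0)    echo "RCVD_IN_DNSWL_NONE" ;;
        127.0.*.1)    echo "RCVD_IN_DNSWL_LOW" ;;
        127.0.*.2)    echo "RCVD_IN_DNSWL_MED" ;;
        127.0.*.3)    echo "RCVD_IN_DNSWL_HI" ;;
        "")           echo "NOT_LISTED" ;;
        *)            echo "UNKNOWN:$1" ;;
    esac
}

# Live lookup (needs network and dig): prints the rule for the first answer.
dnswl_check() {
    answer=$(dig +short "$(reverse_ip "$1").list.dnswl.org" A | head -n 1)
    dnswl_rule "$answer"
}

# Usage with the IP from the thread (uncomment to run a live query):
# dnswl_check 163.231.6.26
```

Running the live check after a delisting or downgrade tells you whether a local score override is still needed, or whether the listing already moved to a lower trust level.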


Re: DNSWL fp and other problems

Posted by Joe Quinn <jq...@pccc.com>.
On 5/11/2015 9:42 AM, Alex Regan wrote:
> Hi,
>
> I have a fp that was passed through thomsonreuters, hitting 
> RCVD_IN_DNSWL_HI, receiving -5 points, from an obvious hacked account.
>
> http://pastebin.com/5LYS7s2v
>
> This is with v3.4.1, but an older bayes database, so perhaps it needs 
> to be rebuilt. Even with BAYES_99, it still wouldn't have been tagged 
> properly, however.
>
> I'm curious if there's anything further that could have been done to 
> block this outside of a body rule matching this specific pattern?
>
> Is it also interesting that thomsonreuters.com has no SPF information?
>
> Thanks,
> Alex
It's definitely common to find domains hitting on 
KAM_LAZY_DOMAIN_SECURITY. You might bump the score of that rule into the 
3-4 range in addition to fixing the Bayes classification and writing a 
specific rule; however, it would depend heavily on what your ham is. The 
potential for FP is huge.

In an ideal world, KAM_LAZY_DOMAIN_SECURITY would be a poison pill, but 
there are just too many legitimate places that pay no regard to 
anti-forgery mechanisms.