Posted to users@spamassassin.apache.org by Alex Regan <my...@gmail.com> on 2015/05/11 15:42:07 UTC
DNSWL fp and other problems
Hi,
I have a fp that was passed through thomsonreuters, hitting
RCVD_IN_DNSWL_HI, receiving -5 points, from an obvious hacked account.
http://pastebin.com/5LYS7s2v
This is with v3.4.1, but an older bayes database, so perhaps it needs to
be rebuilt. Even with BAYES_99, it still wouldn't have been tagged
properly, however.
I'm curious if there's anything further that could have been done to
block this outside of a body rule matching this specific pattern?
Is it also interesting that thomsonreuters.com has no SPF information?
Thanks,
Alex
Re: DNSWL fp and other problems
Posted by Niamh Holding <ni...@fullbore.co.uk>.
Hello Reindl,
Monday, May 11, 2015, 2:57:57 PM, you wrote:
RH> complain at dnswl.org
Don't complain, report it and the listing will then be reviewed
--
Best regards,
Niamh mailto:niamh@fullbore.co.uk
Re: DNSWL fp and other problems
Posted by Reindl Harald <h....@thelounge.net>.
Am 11.05.2015 um 15:42 schrieb Alex Regan:
> I have a fp that was passed through thomsonreuters, hitting
> RCVD_IN_DNSWL_HI, receiving -5 points, from an obvious hacked account.
>
> http://pastebin.com/5LYS7s2v
>
> This is with v3.4.1, but an older bayes database, so perhaps it needs to
> be rebuilt. Even with BAYES_99, it still wouldn't have been tagged
> properly, however.
>
> I'm curious if there's anything further that could have been done to
> block this outside of a body rule matching this specific pattern?
>
> Is it also interesting that thomsonreuters.com has no SPF information?
complain at dnswl.org and in the meantime you can override in "local.cf"
if it's really worth it, because normally the high-trusted dnswl.org
response is not from spammers, and likely the problem will be solved soon
by delisting or fixing the hacked account
score RCVD_IN_DNSWL_HI -2.0
Re: DNSWL fp and other problems
Posted by Matthias Leisi <ma...@leisi.net>.
(writing with my dnswl.org hat on)
> Am 11.05.2015 um 15:42 schrieb Alex Regan <my...@gmail.com>:
>
> Hi,
>
> I have a fp that was passed through thomsonreuters, hitting RCVD_IN_DNSWL_HI, receiving -5 points, from an obvious hacked account.
>
> http://pastebin.com/5LYS7s2v
IP 163.231.6.26, mailout2-trp.thomsonreuters.com, DNSWL Id 1251.
No abuse reports on this IP yet (overall for this DNSWL Id: one back in October 2014, two in April 2014, and four in 2012 - all but the October 2014 coming from a single IP, all different from the one reported here). History of the IP reported here:
1251/163.231.6.26 [-] 2015-05-12 00:00 Last seen
163.231.6.26 [rbl] regular-rblcheck 2015-03-06 20:31 2015-03-06 20:31:00 ix dnsbl 163.231.6.26 RBL filtered by ix.dnsbl.manitu.net: Your e-mail service was detected by mx.selfip.biz (NiX Spam) as spamming at Fri, 06 Mar 2015 15:03:13 +0100. Your admin should visit http://www.dnsbl.manitu.net/lookup.php?value=163.231.6.26
163.231.6.26 [rbl] regular-rblcheck 2012-06-13 16:31
1251/163.231.6.26 [c] 2011-04-30 19:23 DNSWL Id 0 -> 1251
163.231.6.26 [c] 2011-04-30 19:23 Score med -> hi
163.231.6.26 [c] 2011-04-30 19:23 Score low -> med
163.231.6.26 [c] 2011-04-30 19:23 Score none -> low
163.231.6.26 [a] 2011-02-25 01:52 Added record
1251/163.231.6.26 [-] 2011-02-25 00:00 First seen
(The RBL hit from 2012 is from a source we only used for a short period of time due to the lack of accuracy, e.g. listing all of thomsonreuters.com; the actions in 2011 were done while cleaning up the whole DNSWL Id).
Two "incidents" in two months is quite a lot, especially for a DNSWL Id with such an overall good record as this one, and hints at some particular problem, of which we have no way of knowing whether it is solved or not.
Score now lowered to low - it will automatically be increased once sufficient time has passed and no new RBL hits / abuse reports are coming in.
> Is it also interesting that thomsonreuters.com has no SPF information?
Their email setup is… interesting. Lots of different domain names, IP ranges, ASes, and obviously different businesses/business units. I believe maintaining a somewhat proper and sane SPF record would be a nightmare…
— Matthias
Re: DNSWL fp and other problems
Posted by Joe Quinn <jq...@pccc.com>.
On 5/11/2015 9:42 AM, Alex Regan wrote:
> Hi,
>
> I have a fp that was passed through thomsonreuters, hitting
> RCVD_IN_DNSWL_HI, receiving -5 points, from an obvious hacked account.
>
> http://pastebin.com/5LYS7s2v
>
> This is with v3.4.1, but an older bayes database, so perhaps it needs
> to be rebuilt. Even with BAYES_99, it still wouldn't have been tagged
> properly, however.
>
> I'm curious if there's anything further that could have been done to
> block this outside of a body rule matching this specific pattern?
>
> Is it also interesting that thomsonreuters.com has no SPF information?
>
> Thanks,
> Alex
It's definitely common to find domains hitting on
KAM_LAZY_DOMAIN_SECURITY. You might bump the score of that rule into the
3-4 range in addition to fixing the Bayes classification and writing a
specific rule, however it would depend heavily on what your ham is. The
potential for FP is huge.
In an ideal world, KAM_LAZY_DOMAIN_SECURITY would be a poison pill, but
there are just too many legitimate places that pay no regard to
anti-forgery mechanisms.
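Both suggestions in this thread (Reindl's local.cf override of RCVD_IN_DNSWL_HI to -2.0 and Joe's bump of KAM_LAZY_DOMAIN_SECURITY into the 3-4 range) change verdicts on existing mail, and Joe's point is that the outcome depends on what your ham looks like. The following script is an added example, not from the thread or the SpamAssassin project: it replays hypothetical overrides against X-Spam-Status headers you already have, so the FP cost can be measured on labelled mail before the change goes live. It assumes the header was rendered with the _TESTSSCORES_ tag (rule=score pairs); the sample headers and per-rule scores are constructed, except the -5.0 for RCVD_IN_DNSWL_HI quoted above.

```python
import re
from typing import Dict, List, Tuple

# Constructed X-Spam-Status values (not from the thread's pastebin). They assume the
# header was rendered with SpamAssassin's _TESTSSCORES_ tag, e.g.
#   add_header all Status "_YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTSSCORES_"
# Rule scores are illustrative, except RCVD_IN_DNSWL_HI=-5.0 quoted in the thread.
SAMPLES: List[Tuple[str, str]] = [
    # the case from the thread: spam from a hacked account behind a DNSWL "hi" IP
    ("spam", "No, score=1.2 required=5.0 tests=BAYES_99=3.5,KAM_LAZY_DOMAIN_SECURITY=1.0,RCVD_IN_DNSWL_HI=-5.0,URIBL_BLACK=1.7"),
    # ham from a sender with no SPF/DKIM: the FP risk Joe warns about
    ("ham", "No, score=2.9 required=5.0 tests=BAYES_60=1.5,KAM_LAZY_DOMAIN_SECURITY=1.0,RDNS_NONE=0.4"),
    # ham from a whitelisted IP that also lacks domain security
    ("ham", "No, score=-5.9 required=5.0 tests=RCVD_IN_DNSWL_HI=-5.0,BAYES_00=-1.9,KAM_LAZY_DOMAIN_SECURITY=1.0"),
]

# Hypothetical local.cf "score" overrides under evaluation (Reindl's -2.0, Joe's 3-4 range)
OVERRIDES: Dict[str, float] = {"RCVD_IN_DNSWL_HI": -2.0, "KAM_LAZY_DOMAIN_SECURITY": 3.5}

STATUS_RE = re.compile(r"^(Yes|No), score=(-?[\d.]+) required=([\d.]+) tests=(\S+)")


def parse_status(value: str) -> Tuple[float, float, Dict[str, float]]:
    """Return (score, required, {rule: score}) parsed from an X-Spam-Status value."""
    m = STATUS_RE.match(value)
    if not m:
        raise ValueError("unrecognised X-Spam-Status: %r" % value)
    tests: Dict[str, float] = {}
    for item in m.group(4).split(","):
        name, _, score = item.partition("=")
        tests[name] = float(score)
    return float(m.group(2)), float(m.group(3)), tests


def rescore(tests: Dict[str, float], overrides: Dict[str, float]) -> float:
    """Total score after replacing the hit rules' scores with the overrides."""
    return round(sum(overrides.get(rule, score) for rule, score in tests.items()), 3)


def what_if(samples: List[Tuple[str, str]], overrides: Dict[str, float]) -> Dict[str, int]:
    """Count verdict changes on labelled mail: new catches, new FPs, released mail."""
    counts = {"caught": 0, "new_fp": 0, "released": 0, "unchanged": 0}
    for label, value in samples:
        old, required, tests = parse_status(value)
        was_tagged, now_tagged = old >= required, rescore(tests, overrides) >= required
        if was_tagged == now_tagged:
            counts["unchanged"] += 1
        elif now_tagged:
            counts["caught" if label == "spam" else "new_fp"] += 1
        else:
            counts["released"] += 1
    return counts


if __name__ == "__main__":
    print(what_if(SAMPLES, OVERRIDES))  # {'caught': 1, 'new_fp': 1, 'released': 0, 'unchanged': 1}
```

Feed it a few thousand headers from your own ham and spam folders rather than three constructed lines; the sample shows the trade-off in miniature, with the thread's message now caught and one legitimate lazy-domain sender now tagged.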