Posted to users@spamassassin.apache.org by Alessio Cecchi <al...@skye.it> on 2011/10/11 18:18:59 UTC

Spam email many have RCVD_IN_DNSWL_MED

Hi,

I'm an Italian user of SpamAssassin. During the last 3 weeks many spam 
emails have had their score cut down by the rule "RCVD_IN_DNSWL_MED". Even 
BAYES_99 can do nothing against this :-(

For now I have solved the problem by disabling this check, but this is a 
common problem for many Italian users.

How can we solve this problem?

Some examples:

==========================
Return-Path: <ma...@spcollege.edu>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	www-mydomain.myserver.net
X-Spam-Level: ****
X-Spam-Status: No, score=4.9 required=5.0 tests=BAYES_99,HTML_MESSAGE,
	RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,
	RCVD_IN_DNSWL_HI,RCVD_IN_RP_RNBL,RDNS_NONE,SPF_PASS autolearn=no 
version=3.3.1
X-Original-To: info@mydomain.biz
Delivered-To: info-mydomain.biz@www-mydomain.myserver.net
Received: from [175.145.6.37] (unknown [175.145.6.37])
	by www-mydomain.myserver.net (Postfix) with ESMTP id 33C1562AB1
	for <in...@mydomain.biz>; Tue, 11 Oct 2011 17:52:03 +0200 (CEST)
Received: from (192.168.1.38) by spcollege.edu (175.145.6.37) with 
Microsoft SMTP Server id 8.0.685.24; Tue, 11 Oct 2011 23:52:02 +0800
Message-ID: <4E...@spcollege.edu>
Date: Tue, 11 Oct 2011 23:52:02 +0800
From: "Emma Hinton" <ma...@spcollege.edu>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.24) 
Gecko/20100328 Thunderbird/2.0.0.24
MIME-Version: 1.0
To: <in...@mydomain.biz>
Subject: Il modo sicuro da vincere successo nel letto

==========================

Return-Path: <we...@webbox794.server-home.net>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	www-mydomain.myserver.net
X-Spam-Level:
X-Spam-Status: No, score=-0.4 required=5.0 
tests=BAYES_95,HTML_IMAGE_ONLY_32,
	HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,RCVD_IN_DNSWL_HI,
	RP_MATCHES_RCVD autolearn=no version=3.3.1
X-Original-To: info@mydomain.biz
Delivered-To: info-mydomain.biz@www-mydomain.myserver.net
Received: from webbox794.server-home.net (webbox794.server-home.net 
[195.137.213.84])
	by www-mydomain.myserver.net (Postfix) with ESMTP id E555B62AB1
	for <in...@mydomain.biz>; Tue, 11 Oct 2011 17:53:12 +0200 (CEST)
Received: by webbox794.server-home.net (Postfix, from userid 33)
	id 69A773A57D; Tue, 11 Oct 2011 17:50:34 +0200 (CEST)
To: info@mydomain.biz
Subject: Atendimento Online - E-Mail

==========================

Return-Path: <pr...@havanabookfairs.ca>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	www-mydomain.myserver.net
X-Spam-Level:
X-Spam-Status: No, score=-0.5 required=5.0 tests=BAYES_99,DKIM_SIGNED,
	DKIM_VALID,HTML_MESSAGE,RCVD_IN_DNSWL_HI,SPF_PASS autolearn=no 
version=3.3.1
X-Original-To: info@mydomain.biz
Delivered-To: info-mydomain.biz@www-mydomain.myserver.net
Received: from node-sl626.smtp.com (node-sl626.smtp.com [74.86.21.70])
	by www-mydomain.myserver.net (Postfix) with ESMTP id 0988362AB1
	for <in...@mydomain.biz>; Tue, 11 Oct 2011 17:48:49 +0200 (CEST)
Received: from AuthenticCubagateway2wirenet (unknown [69.158.30.30])
	by node-sl626.smtp.com (Postfix) with ESMTPA id 6FC709AFC90
	for <in...@mydomain.biz>; Tue, 11 Oct 2011 11:48:48 -0400 (EDT)
X-SMTPCOM-Spam-Policy: Authenticubatravel is a paid relay service.
	We do not tolerate UCE of any kind.
	Please report it ASAP to abuse@smtp.com
X-SMTPCOM-Sender-ID: 81808
X-SMTPCOM-Tracking-Number: 2158212
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smtp.com;
	s=smtpcomcustomers; t=1318348128;
	bh=A6QopSgOzNZLEc2D3APRotTD3nx/BHG8LIMLc9iwHCo=;
	h=MIME-Version:From:Reply-To:To:Subject:Content-Type:X-Mailer:Date:
	 Message-ID;
	b=n5GACTgg7Wbqzkwp1yN3t9Qot+N8RLHuLKn7VdbB6TkIlin2QwCCHzp3/WxbcGeOR
	 Pq0h7YS7IhTQ/+4f0b2WZ6e/hi6oCf13nZdKYTU4aLQi6RJgYN2fLbVZnmMP4XVErj
	 GmSvz6GdKVND+H55K1w18o3Q5wQYMOqs9tTeZkoI=
MIME-Version: 1.0
From: "Luis - Authentic Cuba Travel" <pr...@havanabookfairs.ca>
Reply-To: promotions@havanabookfairs.ca
To: info@mydomain.biz
Subject: Havana Book Fair- 5 seats left only.

==============================

Return-Path: <jo...@rocketmail.com>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	www-mydomain.myserver.net
X-Spam-Level: *
X-Spam-Status: No, score=1.8 required=5.0 tests=ADVANCE_FEE_3_NEW,BAYES_99,
	DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,
	RCVD_IN_DNSWL_HI,SUBJ_ALL_CAPS,T_TO_NO_BRKTS_FREEMAIL autolearn=no
	version=3.3.1
X-Original-To: info@mydomain.biz
Delivered-To: info-mydomain.biz@www-mydomain.myserver.net
Received: from nm14.bullet.mail.sp2.yahoo.com 
(nm14.bullet.mail.sp2.yahoo.com [98.139.91.84])
	by www-mydomain.myserver.net (Postfix) with SMTP id 8889762AB1
	for <in...@mydomain.biz>; Tue, 11 Oct 2011 15:44:22 +0200 (CEST)
Received: from [98.139.91.68] by nm14.bullet.mail.sp2.yahoo.com with 
NNFMP; 11 Oct 2011 13:44:21 -0000
Received: from [98.139.91.14] by tm8.bullet.mail.sp2.yahoo.com with 
NNFMP; 11 Oct 2011 13:44:21 -0000
Received: from [127.0.0.1] by omp1014.mail.sp2.yahoo.com with NNFMP; 11 
Oct 2011 13:44:21 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 137695.95300.bm@omp1014.mail.sp2.yahoo.com
Received: (qmail 97348 invoked by uid 60001); 11 Oct 2011 13:44:19 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rocketmail.com; 
s=s1024; t=1318340659; bh=1HMUhBugUW+lMVvnEdYhcU8rWTE83gS5zBnSTCkFQ4M=; 
h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type; 
b=1Sl8gtfyPOlDZPCQYrlpa+fn/JVmI6k3KSJrjX0aPCQb/5+H3iLfKUHW2KRnda6EP1yNJIyGR9bSeUWncwizO8SSmvmpaweDs33YJFCObHry2+rasQTeYobsIW8s5tIQ4O+BzqEm2ONPn2iUGagbOr/pJfb9w9dFjXP2A4+g+MM=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
   s=s1024; d=rocketmail.com;
   h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type;
   b=4Rjs6ubybisIURD/dfSyiB5qE5Bhjya5G/0Xjwj2XonxEh8ivy9uNcms5GLUShwm/Rlbpp6AaGkAdFEUV45uQHWu5m0MpkCIByZ/onYqLdmWMJx0+cBxP8UJKaJe8L2T+s6JOMXdGSKQSMrhY/slSVblUwU7HYAueugQl4HHgoM=;
X-YMail-OSG: RGffxVIVM1n8CvFSmRRgQrupMMb9Oa9oAy.0JQ5H6DaqQYi
  Q2LfOtZ9.
Received: from [41.218.245.138] by web190214.mail.sg3.yahoo.com via 
HTTP; Tue, 11 Oct 2011 21:44:16 SGT
X-Mailer: YahooMailWebService/0.8.114.317681
Message-ID: <13...@web190214.mail.sg3.yahoo.com>
Date: Tue, 11 Oct 2011 21:44:16 +0800 (SGT)
From: Joseph Darlington <jo...@rocketmail.com>
Reply-To: Joseph Darlington <jo...@rocketmail.com>
Subject: REPLY URGENTLY
To: undisclosed recipients: ;
====================

Thanks
-- 
Alessio Cecchi is:
@ ILS -> http://www.linux.it/~alessice/
on LinkedIn -> http://www.linkedin.com/in/alessice
Assistenza Sistemi GNU/Linux -> http://www.cecchi.biz/
@ PLUG -> ex-Presidente, adesso senatore a vita, http://www.prato.linux.it
@ LOLUG -> Socio http://www.lolug.net

Re: Spam email many have RCVD_IN_DNSWL_MED

Posted by da...@chaosreigns.com.
On 10/11, Benny Pedersen wrote:
> thanks for the link, but it was more info from the above sender for why
> bayes 99 is not good

Oh, probably just because for some reason he isn't comfortable with
increasing the score of the BAYES_99 rule.  Although he'd be much better
off figuring out why he's getting the wrong DNSWL rule hits and fixing
that.

> >downloaded from http://www.chaosreigns.com/dnswl/sa_plugin/
> >(It's also listed on
> >http://wiki.apache.org/spamassassin/CustomPlugins )
> 
> it does report dnswl_none, which is imho wasted reporting, don't know
> if there is a new version to report on dnswl

I think you tried to say "it doesn't accept reports of abuse for spam from
IPs that DNSWL doesn't list."  (It does work for RCVD_IN_DNSWL_NONE,
because that's a listed trust level, different from an IP being unlisted.)

I agree.  I used to have ssh access to modify the web interface, but I
didn't by the time I wrote that plugin, so I had to use what was available,
the abuse reporting web form.  Which doesn't accept reports of "abuse" from
IPs that aren't listed by dnswl.org.  I asked for my ssh access back, and
asked for that form to accept reports of unlisted IPs, but that's one of
the things Matthias has always been resistant to - keeping track of
known spamming IPs so they don't get listed as non-spammers in the future.
I think the internal data structures were eventually modified to handle
it (I think there's an internal, unpublished trust level of "black"),
but that web form still doesn't accept those reports.

That's a large part of why I created http://www.chaosreigns.com/iprep/
Works great for people providing data, I just don't have data from enough
people for it to be usefully accurate for people not sending data.

-- 
"Every man, woman and child on the face of this earth is at the mercy
of chaos." - a maxwell smart movie
http://www.ChaosReigns.com

Re: Spam email many have RCVD_IN_DNSWL_MED

Posted by Benny Pedersen <me...@junc.org>.
On Tue, 11 Oct 2011 15:24:54 -0400, darxus@chaosreigns.com wrote:
> On 10/11, Benny Pedersen wrote:
>> >BAYES_99 can do nothing against this :-(
>>
>> elaborate on bayes please
>
> http://wiki.apache.org/spamassassin/BayesInSpamAssassin
>
> http://en.wikipedia.org/wiki/Bayesian_spam_filtering

thanks for the link, but it was more info from the above sender for why 
bayes 99 is not good

>
>> http://www.dnswl.org/ see link abuse reporting
>>
>> when setup, do spamassassin -r spammsg
>
> For that to work, you have to have my dnswl abuse reporting plugin
> installed, which is not documented on http://www.dnswl.org/ but can 
> be
> downloaded from http://www.chaosreigns.com/dnswl/sa_plugin/
> (It's also listed on 
> http://wiki.apache.org/spamassassin/CustomPlugins )

it does report dnswl_none, which is imho wasted reporting, don't know if 
there is a new version to report on dnswl

Re: Spam email many have RCVD_IN_DNSWL_MED

Posted by da...@chaosreigns.com.
On 10/11, Benny Pedersen wrote:
> >BAYES_99 can do nothing against this :-(
> 
> elaborate on bayes please

http://wiki.apache.org/spamassassin/BayesInSpamAssassin

http://en.wikipedia.org/wiki/Bayesian_spam_filtering

> http://www.dnswl.org/ see link abuse reporting
> 
> when setup, do spamassassin -r spammsg

For that to work, you have to have my dnswl abuse reporting plugin
installed, which is not documented on http://www.dnswl.org/ but can be
downloaded from http://www.chaosreigns.com/dnswl/sa_plugin/
(It's also listed on http://wiki.apache.org/spamassassin/CustomPlugins )

-- 
"Blades don't need reloading." - The Zombie Survival Guide by Max Brooks
http://www.ChaosReigns.com

Re: Spam email many have RCVD_IN_DNSWL_MED

Posted by Benny Pedersen <me...@junc.org>.
On Tue, 11 Oct 2011 18:18:59 +0200, Alessio Cecchi wrote:
> I'm an Italian user of SpamAssassin. During the last 3 weeks many
> spam emails have had their score cut down by the rule "RCVD_IN_DNSWL_MED". 
> Even
> BAYES_99 can do nothing against this :-(

elaborate on bayes please

> For now I have solved the problem by disabling this check, but this is a common
> problem for many Italian users.

Italian users are not special :-)

> How can we solve this problem?

http://www.dnswl.org/ see link abuse reporting

when setup, do spamassassin -r spammsg



Re: Spam email many have RCVD_IN_DNSWL_MED

Posted by Andrzej Adam Filip <an...@gmail.com>.
Alessio Cecchi <al...@skye.it> wrote:
> I'm an Italian user of SpamAssassin. During the last 3 weeks many spam
> emails have had their score cut down by the rule "RCVD_IN_DNSWL_MED". Even
> BAYES_99 can do nothing against this :-(
>
> For now I have solved the problem by disabling this check, but this is a common
> problem for many Italian users.
>
> How can we solve this problem?
> [...]

Do you report spam you receive to spamcop.net and for dnswl.org listed
hosts to dnswl.org?

I have used a few free email accounts for my usenet posts for years.
I report received spam via spamcop.net and dnswl.org [I use my own
custom perl scripts].
=>
I do not remember any long stream of spam from dnswl.org listed domains
above DNSWL_NONE (gmail with DNSWL_LOW is the only noticeable exception).
It seems that sporadic breaking of SMTP AUTH passwords does happen, but
sites >DNSWL_LOW react quite promptly after being notified.

P.S. How many spams per day do you receive?

Re: Spam email many have RCVD_IN_DNSWL_MED

Posted by Michael Scheidell <mi...@secnap.com>.
On 10/11/11 1:27 PM, darxus@chaosreigns.com wrote:
> On 10/11, Alessio Cecchi wrote:
>
403 Forbidden

You don't have permission to access /dnswl/dl/DNSWLh.pm on this server.

Apache/2.2.14 (Ubuntu) Server at www.chaosreigns.com Port 80
> http://www.chaosreigns.com/dnswl/sa_plugin/
>
> And I have my own IP reputation project that could use your data:
> http://www.chaosreigns.com/iprep/
>


-- 
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
SECNAP Network Security Corporation

    * Best Mobile Solutions Product of 2011
    * Best Intrusion Prevention Product
    * Hot Company Finalist 2011
    * Best Email Security Product
    * Certified SNORT Integrator

______________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r). 
For Information please see http://www.spammertrap.com/
______________________________________________________________________  
  

HTML standards, off topic Re: Spam email many have RCVD_IN_DNSWL_MED

Posted by da...@chaosreigns.com.
This is so off topic, I'm sorry, but the repeated accusations are hard not
to respond to.

On 10/12, Benny Pedersen wrote:
> On Tue, 11 Oct 2011 18:53:40 -0700, jdow wrote:
> >On 2011/10/11 12:30, Benny Pedersen wrote:
> >>On Tue, 11 Oct 2011 13:27:04 -0400, darxus@chaosreigns.com wrote:
> >>>And I have my own IP reputation project that could use your data:
> >>>http://www.chaosreigns.com/iprep/
> >>shame on microsoft not letting me have ie9, shame on you for not letting
> >>me see your
> >>page as html 3.2
> >Shame on you for not using Opera, FireFox, Chrome, or other.
> 
> why not html 3.2? it is supported in all browsers, incl. some
> versions of netscrape, firefox sucks here, oh well, installed privoxy
> via squid now

Seriously?  Your question is why I'm not writing my website in html 3.2?
That wasn't sarcasm?  Because in 1997, 14 years ago, the W3C, which
created HTML 3.2, recommended that people stop using it.

My website only requires standards in effect since January 26 2000,
11 years ago.  Why are you using a browser that can't handle 11 year
old standards?  Specifically, the requirement to serve XML as
"Content-Type: application/xhtml+xml", introduced with XHTML 1.0.

And this isn't a "won't render pretty if you don't support it" standard.
MSIE prior to version 9 will ask if you want to save it to a file and
not even bother trying to display the page.  

There was a time when I wrote HTML in the oldest standard I could.  HTML
2.0 when I didn't need to use tables.  But then it finally sunk in that old
HTML standards weren't some kind of base on which new standards were
built.  They are crufty old garbage that needs to be eliminated and
replaced with the current standards.  Just like you wouldn't think it was
a great idea to build a new house using 100 year old building codes.

-- 
"We will be dead soon. Is this how we want to live?"
http://www.ChaosReigns.com

Re: Spam email many have RCVD_IN_DNSWL_MED

Posted by Benny Pedersen <me...@junc.org>.
On Tue, 11 Oct 2011 18:53:40 -0700, jdow wrote:
> On 2011/10/11 12:30, Benny Pedersen wrote:
>> On Tue, 11 Oct 2011 13:27:04 -0400, darxus@chaosreigns.com wrote:
>>> And I have my own IP reputation project that could use your data:
>>> http://www.chaosreigns.com/iprep/
>> shame on microsoft not letting me have ie9, shame on you for not letting me 
>> see your
>> page as html 3.2
> Shame on you for not using Opera, FireFox, Chrome, or other.

why not html 3.2? it is supported in all browsers, incl. some 
versions of netscrape, firefox sucks here, oh well, installed privoxy via 
squid now

Re: Spam email many have RCVD_IN_DNSWL_MED

Posted by jdow <jd...@earthlink.net>.
On 2011/10/11 12:30, Benny Pedersen wrote:
> On Tue, 11 Oct 2011 13:27:04 -0400, darxus@chaosreigns.com wrote:
>> And I have my own IP reputation project that could use your data:
>> http://www.chaosreigns.com/iprep/
>
> shame on microsoft not letting me have ie9, shame on you for not letting me see your
> page as html 3.2
>
Shame on you for not using Opera, FireFox, Chrome, or other.

{o.o}

Re: Spam email many have RCVD_IN_DNSWL_MED

Posted by Benny Pedersen <me...@junc.org>.
On Tue, 11 Oct 2011 13:27:04 -0400, darxus@chaosreigns.com wrote:
> And I have my own IP reputation project that could use your data:
> http://www.chaosreigns.com/iprep/

shame on microsoft not letting me have ie9, shame on you for not letting me see 
your page as html 3.2


Re: Spam email many have RCVD_IN_DNSWL_MED

Posted by da...@chaosreigns.com.
On 10/12, Greg Troxel wrote:
> 
> darxus@chaosreigns.com writes:
> 
> > To report abuse to dnswl.org, on http://www.dnswl.org/ there is a "Report
> > Abuse" section in the right column.  I wrote a spamassassin plugin
> > which might make it easier to report spam that matches dnswl rules:
> > http://www.chaosreigns.com/dnswl/sa_plugin/
> 
> It would seem a good idea for reporting plugins to be part of the base
> distribution, just needing credentials to be set, for all services that
> are part of the base distribution.
> Is there a reason (other than lack of time) for this not to be in the
> main release?

The bug discussing my attempts to do that is here:
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6545

I've found working with both SpamAssassin and DNSWL.org incredibly
frustrating.  

The plugin is already released under the same license as spamassassin,
you're welcome to try to get it included.


Maybe I should set up a similar reporting plugin for my iprep project.
( http://www.chaosreigns.com/iprep/ ) Any interest?

-- 
"If everything seems under control, you're not going fast enough"
- Mario Andretti
http://www.ChaosReigns.com

Re: Spam email many have RCVD_IN_DNSWL_MED

Posted by Greg Troxel <gd...@ir.bbn.com>.
darxus@chaosreigns.com writes:

> To report abuse to dnswl.org, on http://www.dnswl.org/ there is a "Report
> Abuse" section in the right column.  I wrote a spamassassin plugin
> which might make it easier to report spam that matches dnswl rules:
> http://www.chaosreigns.com/dnswl/sa_plugin/

It would seem a good idea for reporting plugins to be part of the base
distribution, just needing credentials to be set, for all services that
are part of the base distribution.
Is there a reason (other than lack of time) for this not to be in the
main release?

Re: Spam email many have RCVD_IN_DNSWL_MED

Posted by da...@chaosreigns.com.
On 10/11, Alessio Cecchi wrote:
> I'm an Italian user of SpamAssassin. During the last 3 weeks many
> spam emails have had their score cut down by the rule "RCVD_IN_DNSWL_MED".
> Even BAYES_99 can do nothing against this :-(
>
> For now I have solved the problem by disabling this check, but this is a common
> problem for many Italian users.

(I'm an inactive dnswl.org admin.)

The effectiveness of all spam filtration is highly dependent on having
people providing data to the system in the languages it's used on.  I bet
both DNSWL and SpamAssassin would benefit from you feeding them data.
I suspect neither have *any* data from Italy, which would result in
terrible accuracy in Italy.

I suspect spamassassin is terrible in most non-English languages due to a
lack of non-English speaking people providing data via masscheck:  
http://wiki.apache.org/spamassassin/NightlyMassCheck
Rule scores are calculated from data submitted this way, so all of the
accuracy of spamassassin depends on it.  Except for bayes.  I bet you're
heavily dependent on bayes due to lack of Italian email data via masscheck.
You don't actually send in your mails, just the score hits, so it's not a
privacy problem.  Currently this data is only coming from about 10 people.
Amazing it works.  Actually, currently, it doesn't work.  Score
re-generation isn't happening due to a problem preventing processing of
masscheck data from 3 more people (bug 6671).  So what's amazing is that
it works usefully when data from all 13 of those people is available.  So,
be #14 and make spamassassin more accurate.  When bug 6671 is fixed.

To report abuse to dnswl.org, on http://www.dnswl.org/ there is a "Report
Abuse" section in the right column.  I wrote a spamassassin plugin
which might make it easier to report spam that matches dnswl rules:
http://www.chaosreigns.com/dnswl/sa_plugin/

And I have my own IP reputation project that could use your data:
http://www.chaosreigns.com/iprep/

-- 
"If you want to make an apple pie from scratch, you must first create
the universe." - Carl Sagan
http://www.ChaosReigns.com

Re: Spam email many have RCVD_IN_DNSWL_MED

Posted by Michael Scheidell <mi...@secnap.com>.
On 10/11/11 1:47 PM, John Hardin wrote:
> Yahoo is in RCVD_IN_DNSWL_HI ?!?! YGBFKM!
there goes the neighborhood.

I am removing RCVD_IN_DNSWL_HI checks on our servers right now.



Re: Spam email many have RCVD_IN_DNSWL_MED

Posted by John Hardin <jh...@impsec.org>.
On Tue, 11 Oct 2011, Alessio Cecchi wrote:

> Return-Path: <jo...@rocketmail.com>
> X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
> 	www-mydomain.myserver.net
> X-Spam-Level: *
> X-Spam-Status: No, score=1.8 required=5.0 tests=ADVANCE_FEE_3_NEW,BAYES_99,
> 	 DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,
> 	 RCVD_IN_DNSWL_HI,SUBJ_ALL_CAPS,T_TO_NO_BRKTS_FREEMAIL autolearn=no
> 	 version=3.3.1
> X-Original-To: info@mydomain.biz
> Delivered-To: info-mydomain.biz@www-mydomain.myserver.net
> Received: from nm14.bullet.mail.sp2.yahoo.com (nm14.bullet.mail.sp2.yahoo.com 
> [98.139.91.84])
> 	 by www-mydomain.myserver.net (Postfix) with SMTP id 8889762AB1
> 	 for <in...@mydomain.biz>; Tue, 11 Oct 2011 15:44:22 +0200 (CEST)

Yahoo is in RCVD_IN_DNSWL_HI ?!?! YGBFKM!

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   The world has enough Mouse Clicking System Engineers.
                                                        -- Dave Pooser
-----------------------------------------------------------------------
  306 days since the first successful private orbital launch (SpaceX)

Re: DNSWL returns _HI trust level for everything to "abusive" DNS servers Re: Spam email many have RCVD_IN_DNSWL_MED

Posted by Simon Loewenthal <si...@klunky.co.uk>.
darxus@chaosreigns.com wrote:

> On 10/12, Alessio Cecchi wrote:
> > I have found the problem: Google name server
> > 
> > >On 10/11, Alessio Cecchi wrote:
> > >>Received: from [175.145.6.37] (unknown [175.145.6.37])
> > >
> > >$ host 37.6.145.175.list.dnswl.org
> > >Host 37.6.145.175.list.dnswl.org not found: 3(NXDOMAIN)
> > >
> > >Should not hit any RCVD_IN_DNSWL_* rules.
> > 
> > In this installation:
> > 
> > # cat /etc/resolv.conf
> > nameserver 8.8.8.8
> > nameserver 8.8.4.4
> > 
> > # host 37.6.145.175.list.dnswl.org
> > 37.6.145.175.list.dnswl.org has address 127.0.10.3
> 
> Sorry, I should have realized this problem sooner too.
> 
> Relatively recently, DNSWL started returning values that correspond to the
> spamassassin rule RCVD_IN_DNSWL_HI for *all* queries, for name servers that
> have been deemed "abusive". I found out about it 10 days ago.
> 
> A year ago DNSWL announced it would start requiring payment from people
> doing more than 100,000 queries per day. This is tied to the determination
> of "abusiveness". 
> 
> So yes, as Jim Popovitch recommended, you should not have this problem
> if you run a local DNS server (without using "abusive" servers as
> forwarders), which I think is probably recommended practice for running
> spamassassin anyway.
> 
> -- 
> "every time I race I see god" - tsuwa, #motorcycles, EFNet, 7/19/06
> http://www.ChaosReigns.com


Although I did not think it was recommended to use Google's DNS with SA. From the SA FAQ:

Your DNSBL blocks nothing at all!

First, check our FAQ answer for "Your DNSBL blocks the whole Internet!" and make sure you've not made a spelling mistake in your mailserver configuration.

Check what DNS resolvers you are using: If you are using a free "open DNS resolver" service such as Google Public DNS or Level3's public DNS servers to resolve your DNSBL requests, in most cases you will receive a "not listed" (NXDOMAIN) reply from Spamhaus' public DNSBL servers. Please use your own DNS servers when doing DNSBL queries to Spamhaus.
-- 
If you cannot beat them, try to côntrole them.

DNSWL returns _HI trust level for everything to "abusive" DNS servers Re: Spam email many have RCVD_IN_DNSWL_MED

Posted by da...@chaosreigns.com.
On 10/12, Alessio Cecchi wrote:
> I have found the problem: Google name server
> 
> >On 10/11, Alessio Cecchi wrote:
> >>Received: from [175.145.6.37] (unknown [175.145.6.37])
> >
> >$ host 37.6.145.175.list.dnswl.org
> >Host 37.6.145.175.list.dnswl.org not found: 3(NXDOMAIN)
> >
> >Should not hit any RCVD_IN_DNSWL_* rules.
> 
> In this installation:
> 
> # cat /etc/resolv.conf
> nameserver 8.8.8.8
> nameserver 8.8.4.4
> 
> # host 37.6.145.175.list.dnswl.org
> 37.6.145.175.list.dnswl.org has address 127.0.10.3

Sorry, I should have realized this problem sooner too.

Relatively recently, DNSWL started returning values that correspond to the
spamassassin rule RCVD_IN_DNSWL_HI for *all* queries, for name servers that
have been deemed "abusive".  I found out about it 10 days ago.

A year ago DNSWL announced it would start requiring payment from people
doing more than 100,000 queries per day.  This is tied to the determination
of "abusiveness".  

So yes, as Jim Popovitch recommended, you should not have this problem
if you run a local DNS server (without using "abusive" servers as
forwarders), which I think is probably recommended practice for running
spamassassin anyway.

-- 
"every time I race I see god" - tsuwa, #motorcycles, EFNet, 7/19/06
http://www.ChaosReigns.com

Re: Spam email many have RCVD_IN_DNSWL_MED

Posted by Benny Pedersen <me...@junc.org>.
On Wed, 12 Oct 2011 08:15:03 +0200, Alessio Cecchi wrote:
[snip]
> Why does the Google name server return an incorrect value?

google is free, so they can suck as much as they want to :)

dig -4 +trace 10.223.104.2.list.dnswl.org

resolved in 154 ms here

does it time out? then contact dnswl.org

make sure you have the latest root zone file, it will not be up to date 
if bind is not updated

hope that helps you as well, it did for me

try logging lame bind dns logs, contact dns admins if any are listed 
there



Re: Spam email many have RCVD_IN_DNSWL_MED

Posted by Jim Popovitch <ji...@gmail.com>.
On Wed, Oct 12, 2011 at 02:15, Alessio Cecchi <al...@skye.it> wrote:
>
> Why does the Google name server return an incorrect value?

Because sometimes the Google name servers overload the upstream system
and get blocked.  The same thing happens if you use the Level 3
servers (4.2.2.x).   You would be better served by installing a local
DNS resolver like pdns_resolver.

-Jim P.

Re: Spam email many have RCVD_IN_DNSWL_MED

Posted by Alessio Cecchi <al...@skye.it>.
On 11/10/2011 20:58, darxus@chaosreigns.com wrote:
> Thanks to John Hardin for noticing one of these was off.  I should've
> checked them before replying.
>
> *None* of these should be hitting RCVD_IN_DNSWL_HI or RCVD_IN_DNSWL_MED, or
> even RCVD_IN_DNSWL_LOW.
>
> Alessio, you have a problem *other* than the data listed by dnswl.org.
> Start with the X-Spam-RelaysUntrusted header I recommended in my last post.

I have found the problem: Google name server

> On 10/11, Alessio Cecchi wrote:
>> Received: from [175.145.6.37] (unknown [175.145.6.37])
>
> $ host 37.6.145.175.list.dnswl.org
> Host 37.6.145.175.list.dnswl.org not found: 3(NXDOMAIN)
>
> Should not hit any RCVD_IN_DNSWL_* rules.

In this installation:

# cat /etc/resolv.conf
nameserver 8.8.8.8
nameserver 8.8.4.4

# host 37.6.145.175.list.dnswl.org
37.6.145.175.list.dnswl.org has address 127.0.10.3

>> Received: from webbox794.server-home.net (webbox794.server-home.net
>> [195.137.213.84])
>
> $ host 84.213.137.195.list.dnswl.org
> Host 84.213.137.195.list.dnswl.org not found: 3(NXDOMAIN)
>
> Should not hit any RCVD_IN_DNSWL_* rules.

# host 84.213.137.195.list.dnswl.org
84.213.137.195.list.dnswl.org has address 127.0.10.3

>> Received: from node-sl626.smtp.com (node-sl626.smtp.com [74.86.21.70])
>
> $ host 70.21.86.74.list.dnswl.org
> Host 70.21.86.74.list.dnswl.org not found: 3(NXDOMAIN)
>
> Should not hit any RCVD_IN_DNSWL_* rules.

# host 70.21.86.74.list.dnswl.org
70.21.86.74.list.dnswl.org has address 127.0.10.3

>> Received: from nm14.bullet.mail.sp2.yahoo.com
>> (nm14.bullet.mail.sp2.yahoo.com [98.139.91.84])
>
> $ host 84.91.139.98.list.dnswl.org
> 84.91.139.98.list.dnswl.org has address 127.0.5.0
>
> Should hit RCVD_IN_DNSWL_NONE.
>

# host 84.91.139.98.list.dnswl.org
84.91.139.98.list.dnswl.org has address 127.0.10.3

Also from my PC I have the same behaviour if I query the Google name server:

alessice@pc1-linux:~$ nslookup 37.6.145.175.list.dnswl.org 8.8.8.8
Server:		8.8.8.8
Address:	8.8.8.8#53

Non-authoritative answer:
Name:	37.6.145.175.list.dnswl.org
Address: 127.0.10.3

alessice@pc1-linux:~$ nslookup 37.6.145.175.list.dnswl.org 151.99.125.2
Server:		151.99.125.2
Address:	151.99.125.2#53

** server can't find 37.6.145.175.list.dnswl.org: NXDOMAIN

I usually configure "127.0.0.1" as resolver, but not in this installation.

Why does the Google name server return an incorrect value?

Thanks!
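The lookups in the post above (the same name answered NXDOMAIN by one resolver and 127.0.10.3 by Google Public DNS) can be reproduced and turned into an automatic check. The following Python is an added example, not code from this thread, from SpamAssassin or from dnswl.org. It assumes the dnswl.org return-code layout 127.0.<category>.<trust> with SpamAssassin's RCVD_IN_DNSWL_{NONE,LOW,MED,HI} rules keyed on the last octet (consistent with 127.0.5.0 hitting DNSWL_NONE and 127.0.10.3 hitting DNSWL_HI in the thread); it takes the 127.0.10.3 sentinel from Alessio's output; and it assumes that the RFC 5737 TEST-NET addresses used as controls can never be legitimately listed, so a positive answer for them means the resolver is being fed the blanket reply rather than real listing data. The function and constant names (dnswl_query_name, decode_dnswl_answer, audit_resolver, ABUSIVE_RESOLVER_SENTINEL, CONTROL_IPS) are this example's own.

```python
"""Reproduce the dnswl.org lookups from this thread and spot a resolver
that is being fed the blanket 127.0.10.3 answer.

dnswl.org answers a reversed-octet query under list.dnswl.org with an A
record of the form 127.0.<category>.<trust>. The last octet is the trust
level (0 none, 1 low, 2 medium, 3 high); SpamAssassin's
RCVD_IN_DNSWL_{NONE,LOW,MED,HI} rules key on that octet only, which is
why 127.0.10.3 fires RCVD_IN_DNSWL_HI whatever the category octet says.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, Optional

# A resolver is anything that maps a name to an A record string, or to
# None when the name does not exist (NXDOMAIN).
Resolver = Callable[[str], Optional[str]]

# The answer the thread saw from Google Public DNS for *every* query.
ABUSIVE_RESOLVER_SENTINEL = "127.0.10.3"

TRUST_RULES = {
    0: "RCVD_IN_DNSWL_NONE",
    1: "RCVD_IN_DNSWL_LOW",
    2: "RCVD_IN_DNSWL_MED",
    3: "RCVD_IN_DNSWL_HI",
}

# Assumption: TEST-NET addresses (RFC 5737) can never be a legitimately
# listed mail relay, so any positive answer for them is suspect.
CONTROL_IPS = ("192.0.2.1", "198.51.100.1")


def dnswl_query_name(ip: str, zone: str = "list.dnswl.org") -> str:
    """Build the reversed-octet lookup name, e.g. 175.145.6.37 becomes
    37.6.145.175.list.dnswl.org. Rejects anything that is not IPv4."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on bad input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def decode_dnswl_answer(answer: Optional[str]) -> Optional[str]:
    """Map an A record (None for NXDOMAIN) onto the SA rule it fires."""
    if answer is None:
        return None  # unlisted: no RCVD_IN_DNSWL_* rule should hit
    octets = answer.split(".")
    if len(octets) != 4 or octets[0] != "127" or octets[1] != "0":
        raise ValueError(f"not a dnswl.org return code: {answer!r}")
    trust = int(octets[3])
    return TRUST_RULES.get(trust, f"unknown trust level {trust}")


def system_resolver(name: str) -> Optional[str]:
    """Resolve through whatever /etc/resolv.conf points at."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def audit_resolver(lookup: Resolver, ips: Iterable[str],
                   controls: Iterable[str] = CONTROL_IPS) -> Dict[str, object]:
    """Look every IP up through `lookup` and report which SA rule each
    answer would fire. The 'abusive_resolver' verdict is True when the
    control addresses, which cannot be listed, also come back with the
    blanket sentinel."""
    answers = {ip: lookup(dnswl_query_name(ip)) for ip in ips}
    control_answers = {ip: lookup(dnswl_query_name(ip)) for ip in controls}
    blanket = bool(control_answers) and all(
        a == ABUSIVE_RESOLVER_SENTINEL for a in control_answers.values())
    return {
        "answers": answers,
        "rules": {ip: decode_dnswl_answer(a) for ip, a in answers.items()},
        "abusive_resolver": blanket,
    }


def table_resolver(table: Dict[str, str]) -> Resolver:
    """Constructed stand-in for a resolver: fixed name -> A record table."""
    return lambda name: table.get(name)


def blanket_resolver(answer: str = ABUSIVE_RESOLVER_SENTINEL) -> Resolver:
    """Constructed stand-in for a resolver that answers every query alike."""
    return lambda name: answer


if __name__ == "__main__":
    # Relay IPs taken from the headers earlier in this thread. The real
    # lookup goes through the host resolver, so run this once with
    # 127.0.0.1 and once with 8.8.8.8 in /etc/resolv.conf to reproduce
    # the discrepancy Alessio found.
    relays = ["175.145.6.37", "195.137.213.84", "74.86.21.70", "98.139.91.84"]
    report = audit_resolver(system_resolver, relays)
    for ip in relays:
        print(f"{ip:16} {str(report['answers'][ip]):12} {report['rules'][ip]}")
    print("resolver returns blanket 127.0.10.3:", report["abusive_resolver"])
```

Running it against a local caching resolver should give None for the three unlisted relays and RCVD_IN_DNSWL_NONE for the Yahoo relay, with the verdict False; against a resolver that dnswl.org has cut off, every line, controls included, comes back 127.0.10.3 and the verdict flips to True, which is the condition under which the RCVD_IN_DNSWL_HI score should be distrusted rather than the rule simply switched off.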

Re: Spam email many have RCVD_IN_DNSWL_MED

Posted by da...@chaosreigns.com.
Thanks to John Hardin for noticing one of these was off.  I should've
checked them before replying.

*None* of these should be hitting RCVD_IN_DNSWL_HI or RCVD_IN_DNSWL_MED, or
even RCVD_IN_DNSWL_LOW.

Alessio, you have a problem *other* than the data listed by dnswl.org.
Start with the X-Spam-RelaysUntrusted header I recommended in my last post.


On 10/11, Alessio Cecchi wrote:
> Received: from [175.145.6.37] (unknown [175.145.6.37])

$ host 37.6.145.175.list.dnswl.org
Host 37.6.145.175.list.dnswl.org not found: 3(NXDOMAIN)

Should not hit any RCVD_IN_DNSWL_* rules.

> Received: from webbox794.server-home.net (webbox794.server-home.net
> [195.137.213.84])

$ host 84.213.137.195.list.dnswl.org
Host 84.213.137.195.list.dnswl.org not found: 3(NXDOMAIN)

Should not hit any RCVD_IN_DNSWL_* rules.

> Received: from node-sl626.smtp.com (node-sl626.smtp.com [74.86.21.70])

$ host 70.21.86.74.list.dnswl.org
Host 70.21.86.74.list.dnswl.org not found: 3(NXDOMAIN)

Should not hit any RCVD_IN_DNSWL_* rules.

> Received: from nm14.bullet.mail.sp2.yahoo.com
> (nm14.bullet.mail.sp2.yahoo.com [98.139.91.84])

$ host 84.91.139.98.list.dnswl.org
84.91.139.98.list.dnswl.org has address 127.0.5.0

Should hit RCVD_IN_DNSWL_NONE.

-- 
"A ship in a port is safe, but that's not what ships are built for."
-Grace Murray Hopper
http://www.ChaosReigns.com

Re: Spam email many have RCVD_IN_DNSWL_HI (was MED)

Posted by Alessio Cecchi <al...@skye.it>.
On 11/10/2011 18:28, Michael Scheidell wrote:
> On 10/11/11 12:18 PM, Alessio Cecchi wrote:
>> I'm an Italian user of spamassassin. During the last 3 weeks many spam
>> email have rating cut down by the rules "RCVD_IN_DNSWL_MED". Also
>> BAYES_99 can do nothing against this :-(
> College... new year, new students, new computers, new worms. As the old
> saying used to go, "It's September again" (tinc)

:-)

> RCVD_IN_DNSWL_MED means that the ip address owner doesn't spam much, and
> will take immediate action on spams.
> (I have an issue with this being applied to a university, where the
> it/email admin/staff has no control over the students computers)

Sorry, I wrote MED, but the problem is with

RCVD_IN_DNSWL_HI

as you can see from the headers.

Thanks
-- 
Alessio Cecchi is:
@ ILS -> http://www.linux.it/~alessice/
on LinkedIn -> http://www.linkedin.com/in/alessice
GNU/Linux Systems Support -> http://www.cecchi.biz/
@ PLUG -> former President, now senator for life, http://www.prato.linux.it
@ LOLUG -> Member http://www.lolug.net

Re: Spam email many have RCVD_IN_DNSWL_MED

Posted by RW <rw...@googlemail.com>.
On Tue, 11 Oct 2011 12:28:53 -0400
Michael Scheidell wrote:

> On 10/11/11 12:18 PM, Alessio Cecchi wrote:
> > I'm an Italian user of spamassassin. During the last 3 weeks many
> > spam email have rating cut down by the rules "RCVD_IN_DNSWL_MED".
> > Also BAYES_99 can do nothing against this :-(
> College... new year, new students, new computers, new worms. As the
> old saying used to go, "It's September again" (tinc)
> 
> RCVD_IN_DNSWL_MED means that the IP address owner doesn't spam much,
> and will take immediate action on spams.
> (I have an issue with this being applied to a university, where the 
> IT/email admin/staff has no control over the students' computers)


DNSWL also encodes information about the type of business or
institution, e.g. I have:

header RCVD_IN_DNSWL_C11 eval:check_rbl_sub('dnswl-firsttrusted', '127.0.11.\d+')
describe RCVD_IN_DNSWL_C11      Category - Academic

If you want something a little more fine-grained you could replace the
existing rules with meta-rules based on combinations of HI, MED and LOW
with the categories. A problem with this is that quite a lot of email is
outsourced and shows as "Service/network providers", but the spam that
goes through universities tends to show as Academic.
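To make the two points above concrete (Darxus's mapping of a dnswl.org answer to the RCVD_IN_DNSWL_* rule it fires, and RW's category sub-rules), here is an added Python example that is not from the thread or from SpamAssassin itself. It reverses the relay octets the way the `host` lookups above do and decodes the 127.0.<category>.<trust> answer; the resolver table is constructed from the answers quoted in the thread, and the category names other than 5 and 11 are taken from dnswl.org's published return-code table, not from this page.

```python
import re
import ipaddress

# dnswl.org answers 127.0.<category>.<trust>. SpamAssassin's stock rules match
# the trust octet with '^127\.0\.\d+\.N$'; these are the real rule names.
TRUST_RULES = {0: "RCVD_IN_DNSWL_NONE", 1: "RCVD_IN_DNSWL_LOW",
               2: "RCVD_IN_DNSWL_MED", 3: "RCVD_IN_DNSWL_HI"}
# Category octet per dnswl.org's return-code table; only 5 (Service/network
# providers) and 11 (Academic) are confirmed by this thread.
CATEGORIES = {2: "Financial services", 3: "Email Service Providers",
              4: "Organisations", 5: "Service/network providers",
              6: "Personal/private servers", 7: "Travel/leisure industry",
              8: "Public sector/governments", 9: "Media and Tech companies",
              10: "Some special cases", 11: "Education, academic",
              12: "Healthcare", 13: "Manufacturing/Industrial",
              14: "Retail/Wholesale/Services", 15: "Email Marketing Providers"}

# Constructed stand-in for live DNS: the A records are the answers quoted in
# the thread (127.0.10.3 via the Google resolver, 127.0.5.0 for the Yahoo
# relay); None stands for NXDOMAIN, which the ISP resolver returned.
FAKE_DNS = {
    "37.6.145.175.list.dnswl.org": "127.0.10.3",
    "84.91.139.98.list.dnswl.org": "127.0.5.0",
    "84.213.137.195.list.dnswl.org": None,
    "70.21.86.74.list.dnswl.org": None,
}

def dnswl_query_name(ip):
    """Reverse the octets: 175.145.6.37 -> 37.6.145.175.list.dnswl.org."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + ".list.dnswl.org"

def decode_dnswl(answer):
    """Return the trust rule plus RW-style category rule an answer fires."""
    if answer is None:
        return []                       # not listed: no RCVD_IN_DNSWL_* at all
    m = re.fullmatch(r"127\.0\.(\d+)\.([0-3])", answer)
    if not m:
        return []                       # not a DNSWL return code
    cat, trust = int(m.group(1)), int(m.group(2))
    hits = [TRUST_RULES[trust]]
    if cat in CATEGORIES:
        hits.append("RCVD_IN_DNSWL_C%d" % cat)   # RW's category sub-rule naming
    return hits

def check_relay(ip, resolver=FAKE_DNS):
    return decode_dnswl(resolver.get(dnswl_query_name(ip)))

def academic_hi(hits):
    """RW's meta-rule idea: HI trust combined with the Academic category."""
    return "RCVD_IN_DNSWL_HI" in hits and "RCVD_IN_DNSWL_C11" in hits
```

Swapping `FAKE_DNS` for a real resolver call reproduces the `host` checks in the thread; a relay that resolves to NXDOMAIN should fire no RCVD_IN_DNSWL_* rule, so a HI hit on such a relay points at the resolver or trust-path configuration rather than at dnswl.org's data.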

Re: Spam email many have RCVD_IN_DNSWL_MED

Posted by Michael Scheidell <mi...@secnap.com>.
On 10/11/11 12:18 PM, Alessio Cecchi wrote:
> I'm an Italian user of spamassassin. During the last 3 weeks many spam 
> email have rating cut down by the rules "RCVD_IN_DNSWL_MED". Also 
> BAYES_99 can do nothing against this :-(
College... new year, new students, new computers, new worms. As the old 
saying used to go, "It's September again" (tinc)

RCVD_IN_DNSWL_MED means that the IP address owner doesn't spam much, and 
will take immediate action on spams.
(I have an issue with this being applied to a university, where the 
IT/email admin/staff has no control over the students' computers)

you can register with dnswl.org and post full emails to them, and they 
will act.

NORMALLY, all we do with DNSWL_MED is to make sure that they don't get 
blacklists applied. We still spam check them.
And, to prevent these from messing up bayes, put this in local.cf and 
restart spamd.

tflags RCVD_IN_DNSWL_HI nice net noautolearn
tflags RCVD_IN_DNSWL_HI net nice noautolearn
tflags RCVD_IN_DNSWL_MED net nice noautolearn
tflags RCVD_IN_DNSWL_LOW  net nice noautolearn



-- 
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
SECNAP Network Security Corporation

    * Best Mobile Solutions Product of 2011
    * Best Intrusion Prevention Product
    * Hot Company Finalist 2011
    * Best Email Security Product
    * Certified SNORT Integrator
