Posted to users@spamassassin.apache.org by Jason Haar <Ja...@trimble.co.nz> on 2007/08/18 08:50:10 UTC
Query about DNS_FROM_DOB
..that seems new. I see it's an RBL that "contains domains registered
within the last five days".
Can someone explain what that means? I guess it means "seen by DOB
within the last five days" more than a domain that was registered within
the last five days?
I say that because email from my home domain (registered 4 years ago) is
currently on the list...
Anyway, emails that are on the list seem to trigger 3 different rules -
which adds up to +2 points - is that expected behaviour?
Thanks
Jason
e.g. (actual spam to the Samba mailing-list)
 0.0 STOX_REPLY_TYPE            STOX_REPLY_TYPE
-4.0 RCVD_IN_DNSWL_MED          RBL: Sender listed at http://www.dnswl.org/, medium trust
                                [66.70.73.150 listed in list.dnswl.org]
 0.3 DNS_FROM_DOB               RBL: Sender from new domain (Day Old Bread)
 0.8 RCVD_IN_DOB                RBL: Received via relay in new domain (Day Old Bread)
 2.2 RCVD_IN_BL_SPAMCOP_NET     RBL: Received via a relay in bl.spamcop.net
                                [Blocked - see <http://www.spamcop.net/bl.shtml?88.232.135.123>]
 1.1 RCVD_IN_SORBS_WEB          RBL: SORBS: sender is a abuseable web server
                                [88.232.135.123 listed in dnsbl.sorbs.net]
-0.0 SPF_HELO_PASS              SPF: HELO matches SPF record
-0.0 SPF_PASS                   SPF: sender matches SPF record
 0.0 NORMAL_HTTP_TO_IP          URI: Uses a dotted-decimal IP address in URL
 1.5 RAZOR2_CF_RANGE_E8_51_100  Razor2 gives engine 8 confidence level above 50%
                                [cf: 100]
 0.5 RAZOR2_CHECK               Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100     Razor2 gives confidence level above 50%
                                [cf: 100]
 0.9 URIBL_RHS_DOB              Contains an URI of a new domain (Day Old Bread)
                                [URIs: samba.org]
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: Query about DNS_FROM_DOB
Posted by Jeff Chan <je...@surbl.org>.
Quoting Jason Haar <Ja...@trimble.co.nz>:
> I've spotted the fault - they've blacklisted the *ENTIRE* ".org"
> domain!!! (I just tested some made-up .org domains - they are all on it)
>
> I'll see if I can find an email address to notify them
Arghhh, that would do it. I'm writing to Rick Wesson about it. Maybe I'll call
him tomorrow too.
Jeff C.
Re: Query about DNS_FROM_DOB
Posted by Jason Haar <Ja...@trimble.co.nz>.
Jeff Chan wrote:
> Quoting Jason Haar <Ja...@trimble.co.nz>:
>
>> Can someone explain what that means? I guess it means "seen by DOB
>> within the last five days" more than a domain that was registered within
>> the last five days?
>>
>
> It means the domain was registered within the past 5 days.
>
>
Well that certainly isn't the case for my home domain "whanau" followed
by "org". I've had that (quick whois lookup) since 08-Jun-2004.
>> I say that because email from my home domain (registered 4 years ago) is
>> currently on the list...
>>
>
> samba.org seems to be on the list, which is an error:
>
> ;; ANSWER SECTION:
> samba.org.dob.sibl.support-intelligence.net. 2100 IN A 127.0.0.2
>
>
I've spotted the fault - they've blacklisted the *ENTIRE* ".org"
domain!!! (I just tested some made-up .org domains - they are all on it)
I'll see if I can find an email address to notify them
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
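Added example, not part of the original thread: the test described in the message above (querying made-up .org names) written as a reusable sanity check for a domain blocklist zone. The zone name comes from the dig output quoted in the thread; the function names, the 127.0.0.0/8 "listed" convention and the stand-in resolver are assumptions of this sketch.

```python
import secrets
import socket

DOB_ZONE = "dob.sibl.support-intelligence.net"  # zone name as quoted in the thread


def rhsbl_name(domain, zone=DOB_ZONE):
    """Build the DNS name queried for a domain-based (RHS) blocklist."""
    return f"{domain.strip('.').lower()}.{zone}"


def dns_lookup(name):
    """Return an A record for name, or None when there is no answer."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def is_listed(domain, zone=DOB_ZONE, resolve=dns_lookup):
    """Assumed convention: an answer inside 127.0.0.0/8 means 'listed'."""
    answer = resolve(rhsbl_name(domain, zone))
    return answer is not None and answer.startswith("127.")


def tld_is_wildcarded(tld, zone=DOB_ZONE, resolve=dns_lookup, probes=5):
    """Probe random, almost certainly unregistered names under tld.

    A correct list cannot contain these names, so if every probe comes
    back listed, the zone is answering for the whole TLD.
    """
    names = [f"{secrets.token_hex(12)}.{tld}" for _ in range(probes)]
    return all(is_listed(name, zone, resolve) for name in names)


def broken_zone_resolver(name):
    """Constructed stand-in for the faulty zone state described in the thread:
    every name under org.<zone> answers 127.0.0.2, everything else is absent."""
    return "127.0.0.2" if name.endswith(".org." + DOB_ZONE) else None


if __name__ == "__main__":
    for tld in ("org", "net"):
        print(tld, tld_is_wildcarded(tld, resolve=broken_zone_resolver))
```

Run against live DNS by leaving `resolve` at its default; a `True` result for any TLD is a reason to zero the scores of the rules that depend on that zone until the operator fixes it.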
Re: Query about DNS_FROM_DOB
Posted by Jeff Chan <je...@surbl.org>.
Quoting Jason Haar <Ja...@trimble.co.nz>:
> ..that seems new. I see it's an RBL that "contains domains registered
> within the last five days".
>
> Can someone explain what that means? I guess it means "seen by DOB
> within the last five days" more than a domain that was registered within
> the last five days?
It means the domain was registered within the past 5 days.
> I say that because email from my home domain (registered 4 years ago) is
> currently on the list...
samba.org seems to be on the list, which is an error:
;; ANSWER SECTION:
samba.org.dob.sibl.support-intelligence.net. 2100 IN A 127.0.0.2
Domain ID:D2485610-LROR
Domain Name:SAMBA.ORG
Created On:10-Jan-1998 05:00:00 UTC
Last Updated On:28-Nov-2005 03:51:37 UTC
Expiration Date:09-Jan-2009 05:00:00 UTC
Sponsoring Registrar:Network Solutions LLC (R63-LROR)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:20553835-NSI
Registrant Name:Samba Team
Registrant Organization:Samba Team
Registrant Street1:26 Carstensz St
Registrant Street2:
[...]
> Anyway, emails that are on the list seem to trigger 3 different rules -
> which adds up to +2 points - is that expected behaviour?
>
> Thanks
>
> Jason
It looks like SpamAssassin is using DOB to check envelope From, received headers
and message body domains. The three different uses of DOB all give different
scores.
Jeff C.
> e.g. (actual spam to the Samba mailing-list)
>
>  0.0 STOX_REPLY_TYPE            STOX_REPLY_TYPE
> -4.0 RCVD_IN_DNSWL_MED          RBL: Sender listed at http://www.dnswl.org/, medium trust
>                                 [66.70.73.150 listed in list.dnswl.org]
>  0.3 DNS_FROM_DOB               RBL: Sender from new domain (Day Old Bread)
>  0.8 RCVD_IN_DOB                RBL: Received via relay in new domain (Day Old Bread)
>  2.2 RCVD_IN_BL_SPAMCOP_NET     RBL: Received via a relay in bl.spamcop.net
>                                 [Blocked - see <http://www.spamcop.net/bl.shtml?88.232.135.123>]
>  1.1 RCVD_IN_SORBS_WEB          RBL: SORBS: sender is a abuseable web server
>                                 [88.232.135.123 listed in dnsbl.sorbs.net]
> -0.0 SPF_HELO_PASS              SPF: HELO matches SPF record
> -0.0 SPF_PASS                   SPF: sender matches SPF record
>  0.0 NORMAL_HTTP_TO_IP          URI: Uses a dotted-decimal IP address in URL
>  1.5 RAZOR2_CF_RANGE_E8_51_100  Razor2 gives engine 8 confidence level above 50%
>                                 [cf: 100]
>  0.5 RAZOR2_CHECK               Listed in Razor2 (http://razor.sf.net/)
>  0.5 RAZOR2_CF_RANGE_51_100     Razor2 gives confidence level above 50%
>                                 [cf: 100]
>  0.9 URIBL_RHS_DOB              Contains an URI of a new domain (Day Old Bread)
>                                 [URIs: samba.org]
>
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
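Added example, not part of the original thread: a parser for the SpamAssassin report from the first message that rejoins the wrapped lines and shows how much of the total comes from the three rules fed by the one DOB list. The function names and the "rule name ends in _DOB" grouping are assumptions of this sketch.

```python
import re

# Report from the first message, wrapped as mail transport left it.
REPORT = """\
0.0 STOX_REPLY_TYPE STOX_REPLY_TYPE
-4.0 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/,
medium
trust
[66.70.73.150 listed in list.dnswl.org]
0.3 DNS_FROM_DOB RBL: Sender from new domain (Day Old Bread)
0.8 RCVD_IN_DOB RBL: Received via relay in new domain (Day
Old Bread)
2.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
[Blocked - see
<http://www.spamcop.net/bl.shtml?88.232.135.123>]
1.1 RCVD_IN_SORBS_WEB RBL: SORBS: sender is a abuseable web server
[88.232.135.123 listed in dnsbl.sorbs.net]
-0.0 SPF_HELO_PASS SPF: HELO matches SPF record
-0.0 SPF_PASS SPF: sender matches SPF record
0.0 NORMAL_HTTP_TO_IP URI: Uses a dotted-decimal IP address in URL
1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
above 50%
[cf: 100]
0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
[cf: 100]
0.9 URIBL_RHS_DOB Contains an URI of a new domain (Day Old Bread)
[URIs: samba.org]
"""

HIT = re.compile(r"^(-?\d+\.\d+)\s+([A-Z0-9_]+)\s+(.*)$")

def parse_report(text):
    """Return (score, rule, description) tuples, rejoining wrapped lines."""
    hits = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = HIT.match(line)
        if m:
            hits.append([float(m[1]), m[2], m[3]])
        elif hits:  # no leading score: continuation of the previous hit
            hits[-1][2] += " " + line
    return [tuple(h) for h in hits]

def feed_share(hits, tag="DOB"):
    """Return (rules fed by one list, their combined score, score without them)."""
    fed = {rule: score for score, rule, _ in hits if rule.endswith("_" + tag)}
    total = sum(score for score, _, _ in hits)
    return fed, round(sum(fed.values()), 1), round(total - sum(fed.values()), 1)
```

`feed_share(parse_report(REPORT))` attributes 2.0 points to the three DOB rules, matching the "+2 points" noted in the thread, and leaves 1.8 for everything else.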