Posted to users@spamassassin.apache.org by Nigel Frankcom <ni...@blue-canoe.net> on 2006/12/06 08:59:17 UTC

SURBL Returning FP's on URIs

Hi All,

I was just going through the overnight spam and came across a load of
very definite FP's.

SURBL seems to be firing on legitimate domains. A check on
http://www.rulesemporium.com/cgi-bin/uribl.cgi showed none of the
domains listed in the headers or bodies of the emails concerned are in
any lists. I have multiple versions of all these. 

> 4.5 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
>                            [URIs: clamav.net]
> 2.1 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
>                            [URIs: clamav.net]
> 3.0 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
>                            [URIs: clamav.net]

> 4.5 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
>                            [URIs: blue-canoe.net webmin.com]
> 2.1 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
>                            [URIs: blue-canoe.net webmin.com]
> 3.0 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
>                            [URIs: blue-canoe.net webmin.com]

> 4.5 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
>                            [URIs: sophos.com]
> 2.1 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
>                            [URIs: sophos.com]
> 3.0 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
>                            [URIs: sophos.com]

> 4.5 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
>                            [URIs: blue-canoe.net]
> 2.1 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
>                            [URIs: blue-canoe.net]
> 3.0 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
>                            [URIs: blue-canoe.net]

It may be I'm reading things wrong, but I don't understand why these
were scored. Am I going mad, totally missing something obvious or has
SURBL had a case of the hiccups?

KR

Nigel

Re: SURBL Returning FP's on URIs

Posted by Nigel Frankcom <ni...@blue-canoe.net>.
On Wed, 6 Dec 2006 08:34:43 -0500, "Coffey, Neal"
<nc...@langeveld.com> wrote:

>Nigel Frankcom wrote:
>> I get the following off the SA box (I don't use OpenDNS or any
>> proxying, the rest of my lan uses the same dns that the SA box uses
>> and all is resolving normally)
>> 
>> [...]
>>> ;; AUTHORITY SECTION:
>>> multi.surbl.org.        810     IN      SOA     a.surbl.org.
>
>You're not using OpenDNS for your DNS servers, are you?  I know they've
>had issues in the past with DNSBL lists because of their "typo
>correction" service (which is otherwise handy for the fat-fingered like
>me, who end up typing things like "google.cmo" a lot).  They say they've
>fixed the issues, others aren't so sure.

No, no OpenDNS. All my DNS are local to the lan. I'm still not at all
sure what the issue is/was, it disappeared about 3 hours after it
started. 

I've since updated Net::DNS to 2.7 but that was after the fact. The
only thing I did during the problem was to run --lint on the SA
server, that didn't provide any 'instant fixes'. 

I'm curious to know what the issue is and why it decided that 5 AM
this morning was the time to show itself. My Mail/SA setup hasn't
changed in quite some time and nothing has changed recently on my lan,
certainly nothing in the last 10 days.

As Jeff pointed out, had it been a dns failure of some kind then I
should have got no return, not a positive one. All very curious. I'm
keeping the scores low until I'm sure it's not going to recur.

Nigel

Re: SURBL Returning FP's on URIs

Posted by Jeff Chan <je...@surbl.org>.
On Wednesday, December 6, 2006, 1:41:11 AM, Nigel Frankcom wrote:
> On Wed, 06 Dec 2006 08:52:09 +0000, Nigel Frankcom

> Oookay... now it's stopped. Sometime between 08:36 and 09:33 GMT.

> The SURBL headers have stopped appearing in every mail. I've made no
> changes. I ran --lint which showed no problems but beyond that it's
> all as it was here. Now I'm really confused :-/

Is your Net::DNS up to date?  Older versions may have the bug:

  http://bugzilla.spamassassin.org/show_bug.cgi?id=3997

If not, could have been some sort of intermittent DNS error, but
in general DNS errors should result in non-detection, not false
positives.

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/


Re: SURBL Returning FP's on URIs

Posted by Nigel Frankcom <ni...@blue-canoe.net>.
On Wed, 06 Dec 2006 08:52:09 +0000, Nigel Frankcom
<ni...@blue-canoe.net> wrote:

>On Wed, 6 Dec 2006 00:40:38 -0800, Jeff Chan <je...@surbl.org> wrote:
>
>>On Tuesday, December 5, 2006, 11:59:17 PM, Nigel Frankcom wrote:
>>> Hi All,
>>
>>> I was just going through the overnight spam and came across a load of
>>> very definite FP's.
>>
>>> SURBL seems to be firing on legitimate domains. A check on
>>> http://www.rulesemporium.com/cgi-bin/uribl.cgi showed none of the
>>> domains listed in the headers or bodies of the emails concerned are in
>>> any lists. I have multiple versions of all these. 
>>
>>[...]
>>>> 4.5 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
>>>>                            [URIs: blue-canoe.net]
>>>> 2.1 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
>>>>                            [URIs: blue-canoe.net]
>>>> 3.0 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
>>>>                            [URIs: blue-canoe.net]
>>
>>> It may be I'm reading things wrong, but I don't understand why these
>>> were scored. Am I going mad, totally missing something obvious or has
>>> SURBL had a case of the hiccups?
>>
>>What happens if you, on the SpamAssassin server:
>>
>>  dig blue-canoe.net.multi.surbl.org
>>
>>or
>>
>>  host blue-canoe.net.multi.surbl.org
>>
>>Anything other than NXDOMAIN or "host not found" means your DNS
>>is broken.
>>
>>Are you perhaps using OpenDNS or another DNS proxying service
>>that rewrites some DNS queries? 
>>
>>  http://www.surbl.org/faq.html#opendns
>>
>>Jeff C.
>
>
>I get the following off the SA box (I don't use OpenDNS or any
>proxying, the rest of my lan uses the same dns that the SA box uses
>and all is resolving normally)
>
>>; <<>> DiG 9.2.4 <<>> blue-canoe.net.multi.surbl.org
>>;; global options:  printcmd
>>;; Got answer:
>>;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 37326
>>;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>>
>>;; QUESTION SECTION:
>>;blue-canoe.net.multi.surbl.org.        IN      A
>>
>>;; AUTHORITY SECTION:
>>multi.surbl.org.        810     IN      SOA     a.surbl.org. zone.surbl.org. 1165393381 900 900 604800 411
>>
>>;; Query time: 31 msec
>>;; SERVER: 192.168.2.39#53(192.168.2.39)
>>;; WHEN: Wed Dec  6 08:49:06 2006
>>;; MSG SIZE  rcvd: 91

Oookay... now it's stopped. Sometime between 08:36 and 09:33 GMT.

The SURBL headers have stopped appearing in every mail. I've made no
changes. I ran --lint which showed no problems but beyond that it's
all as it was here. Now I'm really confused :-/

KR

Nigel

RE: SURBL Returning FP's on URIs

Posted by "Coffey, Neal" <nc...@langeveld.com>.
Nigel Frankcom wrote:
> I get the following off the SA box (I don't use OpenDNS or any
> proxying, the rest of my lan uses the same dns that the SA box uses
> and all is resolving normally)
> 
> [...]
>> ;; AUTHORITY SECTION:
>> multi.surbl.org.        810     IN      SOA     a.surbl.org.

You're not using OpenDNS for your DNS servers, are you?  I know they've
had issues in the past with DNSBL lists because of their "typo
correction" service (which is otherwise handy for the fat-fingered like
me, who end up typing things like "google.cmo" a lot).  They say they've
fixed the issues, others aren't so sure.

Re: SURBL Returning FP's on URIs

Posted by Nigel Frankcom <ni...@blue-canoe.net>.
On Wed, 6 Dec 2006 00:40:38 -0800, Jeff Chan <je...@surbl.org> wrote:

>On Tuesday, December 5, 2006, 11:59:17 PM, Nigel Frankcom wrote:
>> Hi All,
>
>> I was just going through the overnight spam and came across a load of
>> very definite FP's.
>
>> SURBL seems to be firing on legitimate domains. A check on
>> http://www.rulesemporium.com/cgi-bin/uribl.cgi showed none of the
>> domains listed in the headers or bodies of the emails concerned are in
>> any lists. I have multiple versions of all these. 
>
>[...]
>>> 4.5 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
>>>                            [URIs: blue-canoe.net]
>>> 2.1 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
>>>                            [URIs: blue-canoe.net]
>>> 3.0 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
>>>                            [URIs: blue-canoe.net]
>
>> It may be I'm reading things wrong, but I don't understand why these
>> were scored. Am I going mad, totally missing something obvious or has
>> SURBL had a case of the hiccups?
>
>What happens if you, on the SpamAssassin server:
>
>  dig blue-canoe.net.multi.surbl.org
>
>or
>
>  host blue-canoe.net.multi.surbl.org
>
>Anything other than NXDOMAIN or "host not found" means your DNS
>is broken.
>
>Are you perhaps using OpenDNS or another DNS proxying service
>that rewrites some DNS queries? 
>
>  http://www.surbl.org/faq.html#opendns
>
>Jeff C.


I get the following off the SA box (I don't use OpenDNS or any
proxying, the rest of my lan uses the same dns that the SA box uses
and all is resolving normally)

>; <<>> DiG 9.2.4 <<>> blue-canoe.net.multi.surbl.org
>;; global options:  printcmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 37326
>;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
>;; QUESTION SECTION:
>;blue-canoe.net.multi.surbl.org.        IN      A
>
>;; AUTHORITY SECTION:
>multi.surbl.org.        810     IN      SOA     a.surbl.org. zone.surbl.org. 1165393381 900 900 604800 411
>
>;; Query time: 31 msec
>;; SERVER: 192.168.2.39#53(192.168.2.39)
>;; WHEN: Wed Dec  6 08:49:06 2006
>;; MSG SIZE  rcvd: 91

Re: SURBL Returning FP's on URIs

Posted by Jeff Chan <je...@surbl.org>.
On Tuesday, December 5, 2006, 11:59:17 PM, Nigel Frankcom wrote:
> Hi All,

> I was just going through the overnight spam and came across a load of
> very definite FP's.

> SURBL seems to be firing on legitimate domains. A check on
> http://www.rulesemporium.com/cgi-bin/uribl.cgi showed none of the
> domains listed in the headers or bodies of the emails concerned are in
> any lists. I have multiple versions of all these. 

[...]
>> 4.5 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
>>                            [URIs: blue-canoe.net]
>> 2.1 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
>>                            [URIs: blue-canoe.net]
>> 3.0 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
>>                            [URIs: blue-canoe.net]

> It may be I'm reading things wrong, but I don't understand why these
> were scored. Am I going mad, totally missing something obvious or has
> SURBL had a case of the hiccups?

What happens if you, on the SpamAssassin server:

  dig blue-canoe.net.multi.surbl.org

or

  host blue-canoe.net.multi.surbl.org

Anything other than NXDOMAIN or "host not found" means your DNS
is broken.

Are you perhaps using OpenDNS or another DNS proxying service
that rewrites some DNS queries? 

  http://www.surbl.org/faq.html#opendns

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/
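The check Jeff describes above (query <domain>.multi.surbl.org on the SpamAssassin box; anything other than NXDOMAIN for a known-clean domain means the DNS path is broken) can be scripted so it runs on a schedule and flags the two failure modes this thread touches on: a clean control domain coming back listed, and a resolver or proxy handing back a real address instead of NXDOMAIN. The code below is an added example, not code from the thread, from SURBL or from SpamAssassin. It goes a little beyond the thread by decoding the multi.surbl.org bitmask into list names and by also checking that a test-point domain is detected (so a silent non-detection is caught as well). The bit values in SURBL_BITS and the TEST_POINT domain are from my recollection of SURBL's public documentation and are assumptions to verify against surbl.org; the resolver tables (HEALTHY, SYMPTOM, TYPO_PROXY) are constructed to reproduce the thread's symptom offline, and 192.0.2.1 is a documentation-range placeholder address.

```python
"""Interpret SURBL (multi.surbl.org) answers the way the thread's dig check does.

Added example; not code from the thread, from SURBL or from SpamAssassin.
Assumptions not stated on the page: SURBL_BITS and TEST_POINT come from my
recollection of SURBL's public documentation and must be verified against
http://www.surbl.org/; the resolver tables at the bottom are constructed.
"""
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

SURBL_ZONE = "multi.surbl.org"
# Assumed multi.surbl.org bitmask: bit value -> sub-list name (verify before use).
SURBL_BITS = {2: "SC", 4: "WS", 8: "PH", 16: "OB", 32: "AB", 64: "JP"}
# Assumed SURBL test point, listed on purpose so detection can be verified.
TEST_POINT = "surbl-org-permanent-test-point.com"

# A resolver returns the A records for a name, or None on NXDOMAIN.
Resolver = Callable[[str], Optional[List[str]]]


@dataclass
class Verdict:
    domain: str
    status: str                 # "not_listed" | "listed" | "broken_dns"
    lists: List[str] = field(default_factory=list)
    detail: str = ""


def surbl_qname(domain: str) -> str:
    """Build the query name <domain>.multi.surbl.org (SURBL names are not reversed)."""
    return f"{domain.strip().lower().rstrip('.')}.{SURBL_ZONE}"


def check_domain(domain: str, resolver: Resolver) -> Verdict:
    """Classify one lookup: NXDOMAIN = clean, 127.0.0.x = listed, anything else = broken."""
    qname = surbl_qname(domain)
    answers = resolver(qname)
    if not answers:
        # NXDOMAIN (or an empty answer) is the normal result for a clean domain.
        return Verdict(domain, "not_listed", detail="NXDOMAIN")
    code = 0
    for addr in answers:
        octets = addr.split(".")
        if len(octets) != 4 or octets[:3] != ["127", "0", "0"]:
            # The zone only ever answers 127.0.0.x; a routable address means something
            # between us and SURBL (a typo-correcting proxy, a wildcard) rewrote the reply.
            return Verdict(domain, "broken_dns", detail=f"{qname} -> {addr}")
        code |= int(octets[3])
    lists = sorted(name for bit, name in SURBL_BITS.items() if code & bit)
    return Verdict(domain, "listed", lists, f"{qname} -> 127.0.0.{code}")


def resolver_sane(resolver: Resolver, control_domain: str) -> Tuple[bool, str]:
    """Jeff's check plus its mirror image: a known-clean control domain must be
    NXDOMAIN, and the test point must be listed (otherwise lookups fail silently)."""
    ctl = check_domain(control_domain, resolver)
    if ctl.status != "not_listed":
        return False, f"control {control_domain} not NXDOMAIN: {ctl.detail}"
    tp = check_domain(TEST_POINT, resolver)
    if tp.status != "listed":
        return False, f"test point not detected: {tp.detail}"
    return True, "ok"


def fake_resolver(table: Dict[str, List[str]]) -> Resolver:
    """Constructed offline resolver: names absent from the table are NXDOMAIN."""
    return lambda qname: table.get(qname)


def system_resolver(qname: str) -> Optional[List[str]]:
    """Live resolver through the host's stub resolver (not exercised offline)."""
    try:
        return socket.gethostbyname_ex(qname)[2]
    except socket.gaierror:
        return None


# Constructed scenarios (made up for this example):
HEALTHY = fake_resolver({surbl_qname(TEST_POINT): ["127.0.0.126"]})
# The thread's symptom: SC, WS and OB all firing on a legitimate domain (2|4|16 = 22).
SYMPTOM = fake_resolver({surbl_qname(TEST_POINT): ["127.0.0.126"],
                         surbl_qname("blue-canoe.net"): ["127.0.0.22"]})
# An OpenDNS-style "typo correction": a routable address instead of NXDOMAIN.
TYPO_PROXY = fake_resolver({surbl_qname("blue-canoe.net"): ["192.0.2.1"]})

if __name__ == "__main__":
    for name, r in [("healthy", HEALTHY), ("symptom", SYMPTOM), ("typo_proxy", TYPO_PROXY)]:
        print(name, resolver_sane(r, "blue-canoe.net"))
```

Run the three scenarios to see the difference between a listing and a broken resolver; for a live check, pass system_resolver and a domain you know is clean. A positive answer for the control from a healthy zone would point at the resolver chain rather than at SURBL, which matches Jeff's point that DNS errors normally cause non-detection, not false positives.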