Posted to dev@spamassassin.apache.org by Da...@chaosreigns.com on 2011/03/06 19:07:29 UTC
High DNSWL spam hits
I noticed that 2.5% of wt-en1's spam was hitting DNSWL_HI. I asked him
about it, and it turned out that it was all cases where he had set up
forwarding from another server and not added it to trusted_networks
(he then deleted them). I suspect this is true of others:
RCVD_IN_DNSWL_HI:
SPAM%
2.0785 bb-jhardin
0.3802 kgolding
0.1582 bernie-mix
0.1186 grenier
0.0065 <- average
RCVD_IN_DNSWL_MED:
SPAM%
20.2532 bernie-mix
2.0408 darxus
1.5012 bb-jhardin
1.0186 jarif
0.4615 wt-en1
0.3802 kgolding
0.3363 bb-guenther_fraud
0.3109 bb-jhardin_fraud
0.2372 grenier
0.0550 <- average
Interesting that I showed up second on this list. I found a bunch of stuff
I'm not happy with. One of them was an interesting spam that showed up on
a private mailing list, apparently the result of a trojan or something, so
I thought it would be good to feed it to razor, spamcop, DCC, etc. But it
didn't occur to me that I'd also be reporting the mailing list server,
because I don't have it listed as a trusted relay, because I generally
don't report spam from mailing lists.
A bunch of them were from old spams I got from the
gnuplot-bugs@lists.sourceforge.net mailing list. I ended up just removing
my old spam from mass checks, based on the log-grep-recent recommendations
on http://wiki.apache.org/spamassassin/RescoreMassCheck - 6 months for
spam, 38 months for ham. (Surely that 38 was meant to be 36?)
I'd like to get that age filtration into auto-mass-check.
I'm really curious how other people think spam from mailing lists should be
handled.
Should mailing list servers all be listed as trusted_networks?
Or should spam from a mailing list be counted against the list server in
DNSWL?
Of the 108 spams since October 19th that I'm now running through
mass-check, the DNSWL hits are: 0 high, 2 medium, 1 low, 25 none.
Which I think is reasonable, given that I reject anything SA thinks is
spam, so this is only the false negatives.
--
"I would believe only in a God that knows how to Dance." - Nietzsche
http://www.ChaosReigns.com
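The corpus age filter described above (drop spam older than 6 months and ham older than 38 months before mass-check), as an added example that is not the page's own tooling nor the log-grep-recent script from the wiki. The thresholds are parameters with the page's numbers as defaults, a month is approximated as 30 days (an assumption of this example), and the sample corpus entries and the reference "now" of 2011-03-06 are constructed.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

DAYS_PER_MONTH = 30  # approximation used by this example, not by any real tool

# Constructed reference time: the day the original post was written.
REFERENCE_NOW = datetime(2011, 3, 6, 12, 0, tzinfo=timezone.utc)

# Constructed corpus: (label, Date header, is_spam).
SAMPLE_CORPUS = [
    ("spam-recent", "Tue, 19 Oct 2010 00:00:00 +0000", True),
    ("spam-old", "Sun, 01 Aug 2010 00:00:00 +0000", True),
    ("ham-recent", "Sun, 01 Jun 2008 00:00:00 +0000", False),
    ("ham-old", "Mon, 01 Jan 2007 00:00:00 +0000", False),
    ("undated", "not a date", True),
]


def message_age_days(date_header, now):
    """Age of a message in whole days, or None if the Date header is unusable."""
    try:
        sent = parsedate_to_datetime(date_header)
    except (TypeError, ValueError):  # malformed header, Python-version dependent
        return None
    if sent.tzinfo is None:  # "-0000" yields a naive datetime; treat it as UTC
        sent = sent.replace(tzinfo=timezone.utc)
    return (now - sent).days


def is_recent(date_header, is_spam, now, spam_months=6, ham_months=38):
    """True if the message is young enough to stay in the mass-check corpus."""
    age = message_age_days(date_header, now)
    if age is None or age < 0:  # unparsable or future-dated: leave it out
        return False
    limit_days = (spam_months if is_spam else ham_months) * DAYS_PER_MONTH
    return age <= limit_days


def filter_corpus(corpus, now, spam_months=6, ham_months=38):
    """Return the labels of corpus entries that pass the age filter."""
    return [label for label, date_header, is_spam in corpus
            if is_recent(date_header, is_spam, now, spam_months, ham_months)]


if __name__ == "__main__":
    print(filter_corpus(SAMPLE_CORPUS, REFERENCE_NOW))
```

Messages with a missing or unparsable Date header are dropped rather than kept, since an undated message cannot be shown to be recent.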
Re: High DNSWL spam hits
Posted by Da...@chaosreigns.com.
On 03/07, Michelle Konzack wrote:
> Hello Karsten Bräckelmann,
>
> On 2011-03-07 18:44:07, you hacked the following down:
> > You have a track record of going ballistic on the users list over spam
> > waves every once in a while, which more than once [1] turned out to be a
> > problem with a single, DNSWL listed Debian server. Once the diagnosis is
> > to extend your trusted networks, you become unresponsive and outright
> > ignore the suggestion.
>
> It was NOT Debian.
>
> I have gotten tons of spam from DNSWL_*_MED, something which has gotten
> a much too high negative score and gone through.
Like that last one, which was very clearly from Debian's mailing list
server?
On 02/21, Michelle Konzack wrote:
> 2.0 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/,
> medium
> trust
> [82.195.75.100 listed in list.dnswl.org]
^^^^^^^^^^^^^
$ host 82.195.75.100
100.75.195.82.in-addr.arpa is an alias for 100.64/26.75.195.82.in-addr.arpa.
100.64/26.75.195.82.in-addr.arpa domain name pointer liszt.debian.org.
^^^^^^^^^^
With headers that included:
X-Mailing-List: <de...@lists.debian.org> archive/latest/8989
List-Id: <debian-mips.lists.debian.org>
http://mail-archives.apache.org/mod_mbox/spamassassin-users/201102.mbox/%3C20110221125434.GI4390@michelle1%3E
> > As long as you insist on keeping your broken setup, and complain to us about
> > obviously un-moderated Debian lists or forwarder addresses, any
>
> Debian IS NOT THE PROBLEM because I get only around 100 spams per month
> from 96 mailing lists in total.
I don't understand your logic here.
Can you please try adding the IP address for the debian mailing list server
to your trusted_networks? 82.195.75.100. Or tell me why you don't want
to?
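The mechanism behind this exchange and the opening post, as an added example that is not code from the thread or from SpamAssassin itself: SpamAssassin feeds the DNSWL lookup the last external relay, that is, the first hop walking outward from the receiving MX that is not inside internal_networks, which defaults to trusted_networks. If a forwarder or list server is not trusted, the forwarder's own IP is what gets looked up. The Received headers, the receiving MX name, the 192.0.2.10 origin address and the DNSWL_STUB table are constructed for this example; only 82.195.75.100 (liszt.debian.org) is taken from the thread, and SpamAssassin's real Received-header parser is considerably more involved than the regex here.

```python
import re
import ipaddress

# Constructed Received headers (newest first) for a message that reached the
# recipient's MX through the Debian list server quoted in the thread.
# 192.0.2.10 is a documentation-range address standing in for the true origin.
SAMPLE_RECEIVED = [
    "from liszt.debian.org (liszt.debian.org [82.195.75.100]) "
    "by mx.example.org with ESMTP for <user@example.org>",
    "from unknown (unknown [192.0.2.10]) "
    "by liszt.debian.org with ESMTP for <debian-mips@lists.debian.org>",
]

# Constructed stand-in for a DNSWL lookup; a real check queries list.dnswl.org.
DNSWL_STUB = {"82.195.75.100": "MED"}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_relay_ips(received_headers):
    """Extract the bracketed relay IP from each Received header, newest first."""
    ips = []
    for header in received_headers:
        match = IP_RE.search(header)
        if match:
            ips.append(ipaddress.ip_address(match.group(1)))
    return ips


def to_networks(cidrs):
    """Turn 'a.b.c.d' or 'a.b.c.d/nn' strings into network objects."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def last_external_relay(received_headers, trusted_networks, internal_networks=None):
    """Walk the relays from the most recent hop outward and return the first IP
    outside internal_networks; internal_networks defaults to trusted_networks
    when not given, mirroring SpamAssassin's default."""
    internal = to_networks(internal_networks if internal_networks is not None
                           else trusted_networks)
    for ip in parse_relay_ips(received_headers):
        if any(ip in net for net in internal):
            continue  # a hop we run or trust: keep walking outward
        return str(ip)
    return None  # every hop was internal; there is nothing to look up


def dnswl_verdict(received_headers, trusted_networks):
    """Return (ip_checked, trust_level) for the relay a DNSWL lookup would use."""
    ip = last_external_relay(received_headers, trusted_networks)
    if ip is None:
        return None, "NONE"
    return ip, DNSWL_STUB.get(ip, "NONE")


if __name__ == "__main__":
    # List server not trusted: the list server itself is looked up and gets MED.
    print(dnswl_verdict(SAMPLE_RECEIVED, []))
    # List server in trusted_networks: the lookup moves to the hop before it.
    print(dnswl_verdict(SAMPLE_RECEIVED, ["82.195.75.100"]))
```

With an empty trusted_networks the relay checked is 82.195.75.100, so relayed spam collects the DNSWL_MED whitelist score; once that address is trusted, the lookup moves to the hop that handed the mail to the list server, which is the source the whitelist and blacklist lookups were meant to judge.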
Re: High DNSWL spam hits
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Mon, 2011-03-07 at 19:27 +0100, Michelle Konzack wrote:
> > You have a track record of going ballistic on the users list over spam
> > waves every once in a while, which more than once [1] turned out to be a
> > problem with a single, DNSWL listed Debian server. Once the diagnosis is
> > to extend your trusted networks, you become unresponsive and outright
> > ignore the suggestion.
>
> It was NOT Debian.
You might want to review your own thread "Tonns of russian DOT info
spam", and the discussion "DNSWL rules downscoring spam" you joined,
both about 3 weeks ago. In particular your own samples, and the various
posts showing the issue and offering advice.
82.195.75.100 is liszt.debian.org, listed in DNSWL MED
This very server has been shown before to forward spam for you.
> > [1] Those cases where you actually cared to provide samples on request.
>
> The last five samples I posted were not Debian related...
An arbitrary number pulled out of your ass, already proven wrong by the
references above.
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: High DNSWL spam hits
Posted by Michelle Konzack <li...@tamay-dogan.net>.
Hello Karsten Bräckelmann,
On 2011-03-07 18:44:07, you hacked the following down:
> You have a track record of going ballistic on the users list over spam
> waves every once in a while, which more than once [1] turned out to be a
> problem with a single, DNSWL listed Debian server. Once the diagnosis is
> to extend your trusted networks, you become unresponsive and outright
> ignore the suggestion.
It was NOT Debian.
I have gotten tons of spam from DNSWL_*_MED, something which has gotten
a much too high negative score and gone through.
> As long as you insist on keeping your broken setup, and complain to us about
> obviously un-moderated Debian lists or forwarder addresses, any
Debian IS NOT THE PROBLEM because I get only around 100 spams per month
from 96 mailing lists in total.
> statement from you that includes the word DNSWL cannot possibly be
> taken seriously.
I get the spam on <linux4michelle> <bsd4michelle> and <michelle.konzack>
> [1] Those cases where you actually cared to provide samples on request.
The last five samples I posted were not Debian related...
Thanks, Greetings and nice Day/Evening
Michelle Konzack
--
##################### Debian GNU/Linux Consultant ######################
Development of Intranet and Embedded Systems with Debian GNU/Linux
itsystems@tdnet France EURL itsystems@tdnet UG (limited liability)
Owner Michelle Konzack Owner Michelle Konzack
Apt. 917 (homeoffice)
50, rue de Soultz Kinzigstraße 17
67100 Strasbourg/France 77694 Kehl/Germany
Tel: +33-6-61925193 mobil Tel: +49-177-9351947 mobil
Tel: +33-9-52705884 fix
<http://www.itsystems.tamay-dogan.net/> <http://www.flexray4linux.org/>
<http://www.debian.tamay-dogan.net/> <http://www.can4linux.org/>
Jabber linux4michelle@jabber.ccc.de
ICQ #328449886
Linux-User #280138 with the Linux Counter, http://counter.li.org/
Re: High DNSWL spam hits
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Mon, 2011-03-07 at 13:30 +0100, Michelle Konzack wrote:
> > Spam (or any mail from non-subscribers for that matter) ends up in the
> > moderator's queue. Spam filtering helps in keeping the queue low, but
> > the most important concept here is subscription.
FYI, this is not a "nice idea", this is reality. I was talking about the
SA mailing lists, where I am one of the moderators. This is precisely
how it is with all ASF lists, and e.g. GNOME lists -- just to name two
large organizations, where I have insight in the internal process.
> Nice idea, but such messages mostly come to the lists one day later, which
> is mostly unacceptable. Also MANY users do not want to subscribe to
> HIGH VOLUME mailing lists like some Debian ones.
A day later? Sounds like they have been moderated through somehow.
That's a problem with the moderation process.
> However, my publicly used e-mail (like this one) currently receives more
> than 12,000 spams per day... and it is really annoying if the spams are
> sent from domains in the DNSWL and get VERY low scores.
Sorry Michelle, but I won't discuss this topic with you.
You have a track record of going ballistic on the users list over spam
waves every once in a while, which more than once [1] turned out to be a
problem with a single, DNSWL listed Debian server. Once the diagnosis is
to extend your trusted networks, you become unresponsive and outright
ignore the suggestion.
As long as you insist on keeping your broken setup, and complain to us about
obviously un-moderated Debian lists or forwarder addresses, any
statement from you that includes the word DNSWL cannot possibly be
taken seriously.
guenther
[1] Those cases where you actually cared to provide samples on request.
Re: High DNSWL spam hits
Posted by Michelle Konzack <li...@tamay-dogan.net>.
Hello Karsten Bräckelmann,
On 2011-03-06 22:38:37, you hacked the following down:
> Spam (or any mail from non-subscribers for that matter) ends up in the
> moderator's queue. Spam filtering helps in keeping the queue low, but
> the most important concept here is subscription.
Nice idea, but such messages mostly come to the lists one day later, which
is mostly unacceptable. Also MANY users do not want to subscribe to
HIGH VOLUME mailing lists like some Debian ones.
The weird thing is that I am subscribed to 93 mailing lists with a
"secret", publicly unknown e-mail and I get mostly NO SPAM.
OK, the recent DOT INFO spams on the Debian mailing lists were exceptions.
However, my publicly used e-mail (like this one) currently receives more
than 12,000 spams per day... and it is really annoying if the spams are
sent from domains in the DNSWL and get VERY low scores.
Thanks, Greetings and nice Day/Evening
Michelle Konzack
Re: High DNSWL spam hits
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Sun, 2011-03-06 at 13:25 -0800, John Hardin wrote:
> On Sun, 6 Mar 2011, Darxus@chaosreigns.com wrote:
> > > Sure, it's spam. Do you want to whitelist a listserv that's relaying spam?
Yes. A list accepting mail by non-subscribers should be an exception,
and known by all subscribers.
> > Well, we whitelist servers which have been set up to forward all mail,
> > which are forwarding spam. And I'm not sure if that's different enough
> > from a mailing list, which we've effectively asked to send us everything
> > posted to the mailing list.
>
> Good point. However, I'd argue that the listserv should be behind a spam
> filter, which wouldn't apply to a blind forwarding MTA.
Subscription!
Spam (or any mail from non-subscribers for that matter) ends up in the
moderator's queue. Spam filtering helps in keeping the queue low, but
the most important concept here is subscription.
Re: High DNSWL spam hits
Posted by John Hardin <jh...@impsec.org>.
On Sun, 6 Mar 2011, Darxus@chaosreigns.com wrote:
> On 03/06, John Hardin wrote:
>> My corpora include messages from several different mail paths, and
>> all of my corpora masschecks are done against uploaded corpora on
>> the SA/Apache servers. How are we to provide trusted_networks data
>> in that scenario?
>>
>> (That's something I've been mildly curious about in the past - how
>> the heck does the uploaded masscheck _deal_ with setting
>> trusted_networks etc. for multiple disjoint corpora?)
>
> Maybe it doesn't, and that's enough reason to not use the corpora upload
> option, and instead run mass-check yourself with trusted_networks defined
> in spamassassin/user_prefs?
If so, that wouldn't apply to just me. The entire "upload a corpus for
central scanning" wouldn't be a valid model at all. That it is being done
suggests otherwise and I just don't understand how that part of it works.
>>> Should mailing list servers all be listed as trusted_networks?
>>
>> As "trusted" means "does not forge headers", I'd say yes.
>>
>>> Or should spam from a mailing list be counted against the list server in
>>> DNSWL?
>>
>> Sure, it's spam. Do you want to whitelist a listserv that's relaying spam?
>
> Well, we whitelist servers which have been set up to forward all mail,
> which are forwarding spam. And I'm not sure if that's different enough
> from a mailing list, which we've effectively asked to send us everything
> posted to the mailing list.
Good point. However, I'd argue that the listserv should be behind a spam
filter, which wouldn't apply to a blind forwarding MTA.
> And I think we should do one or the other, not both. Either include all
> mailing list servers in trusted_networks *or* count spam from a mailing
> list against the mailing list server.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Failure to plan ahead on someone else's part does not constitute
an emergency on my part. -- David W. Barts in a.s.r
-----------------------------------------------------------------------
7 days until Daylight Saving Time begins in U.S. - Spring Forward
Re: High DNSWL spam hits
Posted by Da...@chaosreigns.com.
On 03/06, John Hardin wrote:
> My corpora include messages from several different mail paths, and
> all of my corpora masschecks are done against uploaded corpora on
> the SA/Apache servers. How are we to provide trusted_networks data
> in that scenario?
>
> (That's something I've been mildly curious about in the past - how
> the heck does the uploaded masscheck _deal_ with setting
> trusted_networks etc. for multiple disjoint corpora?)
Maybe it doesn't, and that's enough reason to not use the corpora upload
option, and instead run mass-check yourself with trusted_networks defined
in spamassassin/user_prefs?
> >Should mailing list servers all be listed as trusted_networks?
>
> As "trusted" means "does not forge headers", I'd say yes.
>
> >Or should spam from a mailing list be counted against the list server in
> >DNSWL?
>
> Sure, it's spam. Do you want to whitelist a listserv that's relaying spam?
Well, we whitelist servers which have been set up to forward all mail,
which are forwarding spam. And I'm not sure if that's different enough
from a mailing list, which we've effectively asked to send us everything
posted to the mailing list.
And I think we should do one or the other, not both. Either include all
mailing list servers in trusted_networks *or* count spam from a mailing
list against the mailing list server.
--
"Anarchy is based on the observation that since few are fit to rule
themselves, even fewer are fit to rule others." -Edward Abbey
http://www.ChaosReigns.com
Re: High DNSWL spam hits
Posted by John Hardin <jh...@impsec.org>.
On Sun, 6 Mar 2011, Darxus@chaosreigns.com wrote:
> I noticed that 2.5% of wt-en1's spam was hitting DNSWL_HI. I asked him
> about it, and it turned out that it was all cases where he had set up
> forwarding from another server and not added it to trusted_networks
> (he then deleted them). I suspect this is true of others:
>
> RCVD_IN_DNSWL_HI:
> SPAM%
> 2.0785 bb-jhardin
> RCVD_IN_DNSWL_MED:
> SPAM%
> 1.5012 bb-jhardin
> 0.3109 bb-jhardin_fraud
My corpora include messages from several different mail paths, and all of
my corpora masschecks are done against uploaded corpora on the SA/Apache
servers. How are we to provide trusted_networks data in that scenario?
(That's something I've been mildly curious about in the past - how the
heck does the uploaded masscheck _deal_ with setting trusted_networks etc.
for multiple disjoint corpora?)
> I'm really curious how other people think spam from mailing lists should be
> handled.
>
> Should mailing list servers all be listed as trusted_networks?
As "trusted" means "does not forge headers", I'd say yes.
> Or should spam from a mailing list be counted against the list server in
> DNSWL?
Sure, it's spam. Do you want to whitelist a listserv that's relaying spam?
ruleqa logs broken? (was: Re: High DNSWL spam hits)
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Sun, 2011-03-06 at 23:15 +0100, Karsten Bräckelmann wrote:
> > > > 0.3363 bb-guenther_fraud
> > Is it the entity actually sending the spam, or is it something that should
> > be in your trusted_networks?
>
> According to my original, receiving-time DNSWL results, all of them are
> correct. These are being mass-checked on the server (again, they are
> actually intended for the Sought Fraud rule-set, which exclusively uses
> the body), though the set with initial DNSWL hits are not forwarded.
Dunno if these are re-used from the receiving-time (hope so), or
actually checked against the current DNSxL listing.
Since the mass-check is being run on the server, I don't even know if I
could identify them from the logs -- just tried to have a look at it. No
joy though, logs are broken?
cannot open /export/home/ruleqadb/20110305/
r1078246-n//LOGS.all-spam-net-bb-guenther.20110305-r1078246-n.log.gz
Re: High DNSWL spam hits
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Sun, 2011-03-06 at 17:06 -0500, Darxus@chaosreigns.com wrote:
> On 03/06, Karsten Bräckelmann wrote:
> > > 0.3363 bb-guenther_fraud
> > I just checked mine -- sure enough, yes, they ARE spam.
>
> I'm not questioning whether or not they're spam, I'm questioning if the
> right IP address is being fed to DNSWL and all other DNS white and black
> lists.
Did you actually read my full reply?
> Is it the entity actually sending the spam, or is it something that should
> be in your trusted_networks?
According to my original, receiving-time DNSWL results, all of them are
correct. These are being mass-checked on the server (again, they are
actually intended for the Sought Fraud rule-set, which exclusively uses
the body), though the set with initial DNSWL hits are not forwarded.
Scam. Usually cracked accounts. Yes, that DOES occur for DNSWL listed
outgoing SMTP servers, too.
Re: High DNSWL spam hits
Posted by Da...@chaosreigns.com.
On 03/06, Karsten Bräckelmann wrote:
> On Sun, 2011-03-06 at 13:07 -0500, Darxus@chaosreigns.com wrote:
> > RCVD_IN_DNSWL_MED:
> > SPAM%
> > 0.3363 bb-guenther_fraud
> > 0.3109 bb-jhardin_fraud
> > 0.0550 <- average
>
> I just checked mine -- sure enough, yes, they ARE spam.
I'm not questioning whether or not they're spam, I'm questioning if the
right IP address is being fed to DNSWL and all other DNS white and black
lists.
Is it the entity actually sending the spam, or is it something that should
be in your trusted_networks?
--
"A ship in a port is safe, but that's not what ships are built for."
-Grace Murray Hopper
http://www.ChaosReigns.com
Re: High DNSWL spam hits
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Sun, 2011-03-06 at 13:07 -0500, Darxus@chaosreigns.com wrote:
> RCVD_IN_DNSWL_MED:
> SPAM%
> 0.3363 bb-guenther_fraud
> 0.3109 bb-jhardin_fraud
> 0.0550 <- average
I just checked mine -- sure enough, yes, they ARE spam.
Both above are hand-classified corpora exclusively containing fraud.
Intended for the Sought Fraud rule-set. Especially fraud is commonly
sent via cracked accounts, including a high percentage of web-mail
accounts.
There are 6 fraud spam in my corpus, originally received via a system
listed in DNSWL, 5 unique systems. 2 systems listed MED (3 spams), 3
systems listed LOW (of which one has been downgraded to NONE since).
4 out of these 6 scams (3 out of 5 unique systems) are universities.
The majority of them seems to have been sent from Outlook, and/or abused
MS Exchange systems. Also kind of noteworthy, a good portion of them
*tried* spam-filtering their outgoing mail, but quite clearly failed.
> I'm really curious how other people think spam from mailing lists should be
> handled.
I do not even scan them. In my mix, there is only a single, rather
special mailing list, which is open. No spam on the other lists.
Re: High DNSWL spam hits
Posted by Jari Fredriksson <ja...@iki.fi>.
On 6.3.2011 20:07, Darxus@chaosreigns.com wrote:
> I noticed that 2.5% of wt-en1's spam was hitting DNSWL_HI. I asked him
> about it, and it turned out that it was all cases where he had set up
> forwarding from another server and not added it to trusted_networks
> (he then deleted them). I suspect this is true of others:
>
>
> RCVD_IN_DNSWL_MED:
> SPAM%
> 1.0186 jarif
I had 3 SPAM from mailing lists; I have now "whitelisted" them by putting the
servers into trusted.
1 seemed not to be coming through any mailing list, true SPAM from this host,
which triggered DNSWL_MED.
$ host 134.7.32.166
166.32.7.134.in-addr.arpa domain name pointer exfe4.staff.ad.curtin.edu.au.
So, my corpus should have 1 of those now.
--
You're definitely on their list. The question to ask next is what list
it is.