Posted to users@spamassassin.apache.org by Justin Mason <jm...@jmason.org> on 2007/01/07 00:05:53 UTC

Re: spamhaus' PBL is now *active* (in beta ... but still active). now what?

snowcrash+spamassassin writes:
> reading at the spamhaus site abt PBL i note,

wow dude, that's quick -- I hear it went live only a few hours
ago ;)

> 	"WARNING! Some post-delivery filters use "full Received line
> traversal" or "deep parsing", where the filter reads all the IPs in
> the Received lines. Legitimate users, correctly sending good mail out
> through their ISP's smarthost, will have PBL-listed IPs show up in the
> first (lowest) Received header where their ISP picks it up. Such mail
> should not be blocked! So, you should tell your filters to stop
> comparing IPs against PBL at the IP which hands off to your mail
> server! That last hand-off IP is the one which PBL is designed to
> check. If you cannot configure your filters that way, then do not use
> PBL to filter your mail."
> 
> with the ever-smarter filters available with SA & SARE etc, what -- if
> anything -- should 'we' do/configure differently in SA's confs/ops to
> avoid this issue?

As long as "trusted_networks" and "internal_networks" are configured
correctly, it'll be fine.

--j.

Re: spamhaus' PBL is now *active* (in beta ... but still active). now what?

Posted by Phil Barnett <ph...@philb.us>.
On Sunday 07 January 2007 13:00, John Rudd wrote:
> Have you put your own server into your trusted networks?

It's a Plesk install and I generally don't edit their configuration files.
I'll look into it.

> Have you put your own server into any of the various configs in
> Botnet.cf (the skip or pass lists)?

Haven't touched these at all. I'll also look at this when time permits.

Thanks for the feedback.

-- 
My other computer is your Windows machine

Re: spamhaus' PBL is now *active* (in beta ... but still active). now what?

Posted by John Rudd <jr...@ucsc.edu>.
Phil Barnett wrote:
> On Sunday 07 January 2007 08:22, Sander Holthaus wrote:
> 
>> But, to get back on topic, the new PBL in ZEN marks mail originating
>> from ip's and netblocks which should not be running (mail-sending)
>> mailservers, such as dynamic ip-ranges for cable/dsl/dialup-access (at
>> least, that is my understanding). So unless your customers try to
>> connect to mailservers directly to deliver mail (which is something
>> most ISP's block btw) you shouldn't be in trouble.
> 
> For example, I send myself a mail and I see this:
> 
> ***************
> Received: (qmail 20532 invoked from network); 7 Jan 2007 11:24:43 -0500
>  Received: from fl-69-34-131-91.dyn.embarqhsd.net (HELO ?192.168.100.209?) 
> (69.34.131.91)
>   by vhost.fiberhosting.com with SMTP; 7 Jan 2007 11:24:43 -0500
>  From: Phil Barnett <philb at philb.us>
>  To: philb at philb.us
>  Subject: test
>  Date: Sun, 7 Jan 2007 11:24:46 -0500
> **************** 
> 
> Now, to me, this certainly looks like the mail originated from my machine, not 
> the server, and it's from a DSL high speed network. And, I typically send 
> mail directly to my server, not the earthlink servers.
> 
> What keeps this mail from being marked?
> 
> Botnet has been marking these mails.
> 

Have you put your own server into your trusted networks?

Have you put your own server into any of the various configs in 
Botnet.cf (the skip or pass lists)?

Either of these might keep Botnet from marking your mail.



Re: spamhaus' PBL is now *active* (in beta ... but still active). now what?

Posted by Phil Barnett <ph...@philb.us>.
On Sunday 07 January 2007 08:22, Sander Holthaus wrote:

> But, to get back on topic, the new PBL in ZEN marks mail originating
> from ip's and netblocks which should not be running (mail-sending)
> mailservers, such as dynamic ip-ranges for cable/dsl/dialup-access (at
> least, that is my understanding). So unless your customers try to
> connect to mailservers directly to deliver mail (which is something
> most ISP's block btw) you shouldn't be in trouble.

For example, I send myself a mail and I see this:

***************
Received: (qmail 20532 invoked from network); 7 Jan 2007 11:24:43 -0500
 Received: from fl-69-34-131-91.dyn.embarqhsd.net (HELO ?192.168.100.209?) 
(69.34.131.91)
  by vhost.fiberhosting.com with SMTP; 7 Jan 2007 11:24:43 -0500
 From: Phil Barnett <philb at philb.us>
 To: philb at philb.us
 Subject: test
 Date: Sun, 7 Jan 2007 11:24:46 -0500
**************** 

Now, to me, this certainly looks like the mail originated from my machine, not 
the server, and it's from a DSL high speed network. And, I typically send 
mail directly to my server, not the earthlink servers.

What keeps this mail from being marked?

Botnet has been marking these mails.

-- 
My other computer is your Windows machine

Re: spamhaus' PBL is now *active* (in beta ... but still active). now what?

Posted by Sander Holthaus <in...@orangexl.com>.
Phil Barnett wrote:
> On Saturday 06 January 2007 23:05, Theo Van Dinter wrote:
>> On Sat, Jan 06, 2007 at 05:24:35PM -0800, snowcrash+spamassassin wrote:
>>> i regularly run updates via cron on the hour.
>>>
>> :)
>> :
>>> running it again, or at all, will change what/where?
>> The recent 3.1 updates include the ZEN rules.  If you're asking what files
>> are changed by sa-update, please see "man sa-update" and the other
>> documentation referenced therein.
>>
>>> i'm asking what *specifically* needs to change, if anything, in SA ...
>>> i'd prefer NOT to be blind about it.
>> Nothing needs to be changed, the update has everything necessary.
>
> From what I read, I have to be concerned with my setup. I provide mailboxes,
> but I'm not an ISP, so no mail originates on my server.
>
> From what I have read, the new ZEN rules will negatively impact my scores on
> all legitimate mail coming from my server.
>
> Is that really the case?
I'm confused:

- ...no mail originates on my server.
- ...negatively impact my scores on all legitimate mail coming from my
server.

Even if you provide only mailboxes, there will still be mail
originating from your server. DSN's, bounces, etc.

But, to get back on topic, the new PBL in ZEN marks mail originating
from ip's and netblocks which should not be running (mail-sending)
mailservers, such as dynamic ip-ranges for cable/dsl/dialup-access (at
least, that is my understanding). So unless your customers try to
connect to mailservers directly to deliver mail (which is something
most ISP's block btw) you shouldn't be in trouble.

But you can always check your IP's against the ZEN-blocklist
(something you should do or automate in any case) and optionally
request an unblock.

Kind regards,
Sander Holthaus
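
Sander's advice to check your own addresses against the ZEN list, written out as an added example (not code from this thread or from SpamAssassin). A ZEN query reverses the IPv4 octets under zen.spamhaus.org and looks up an A record; the 127.0.0.x answer says which component listed the address. The XBL and PBL codes are the ones the 3.1 rules quoted elsewhere in this thread match on ('127.0.0.[456]' and '127.0.0.1[01]'); 127.0.0.2/3 are Spamhaus' published SBL codes. The resolver is injected so the logic can be run offline against a constructed answer table (`FAKE_ZONE`, an assumption of this example); the `system_resolver` does a real lookup when you pass it.

```python
"""Check one IPv4 address against Spamhaus ZEN and decode the answer.

Added example, not part of the mailing-list thread and not SpamAssassin code.
"""
import ipaddress
import socket
from typing import Callable, Dict, List

ZONE = "zen.spamhaus.org"

# Listing codes: XBL/PBL values are the ones SA's RCVD_IN_XBL / RCVD_IN_PBL
# rules match; 127.0.0.2 and 127.0.0.3 are the SBL and SBL-CSS codes.
RETURN_CODES: Dict[str, str] = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL (CSS)",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}


def dnsbl_name(ip: str, zone: str = ZONE) -> str:
    """Build the reversed-octet query name, e.g. 77.113.0.203.zen.spamhaus.org."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(ip.split("."))) + "." + zone


def decode(answers: List[str]) -> List[str]:
    """Map A-record answers to list names. An answer outside 127.0.0.0/24 is
    not a listing but a zone-side error/refusal; surface it rather than
    silently treating the address as clean."""
    result = []
    for a in answers:
        if a.startswith("127.0.0."):
            result.append(RETURN_CODES.get(a, f"unknown code {a}"))
        else:
            result.append(f"unexpected answer {a}")
    return result


def system_resolver(name: str) -> List[str]:
    """Real lookup via the system resolver; NXDOMAIN means 'not listed'."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def check_zen(ip: str, resolve: Callable[[str], List[str]] = system_resolver) -> List[str]:
    """Return the ZEN components that list `ip` (empty list == not listed)."""
    return decode(resolve(dnsbl_name(ip)))


# Constructed answer table standing in for the live zone (assumption of this
# example; RFC 5737 documentation addresses).
FAKE_ZONE: Dict[str, List[str]] = {
    dnsbl_name("203.0.113.77"): ["127.0.0.11"],                 # PBL only
    dnsbl_name("203.0.113.5"): ["127.0.0.4", "127.0.0.10"],     # XBL + PBL
    dnsbl_name("198.51.100.25"): [],                            # clean smarthost
}


def fake_resolver(name: str) -> List[str]:
    return FAKE_ZONE.get(name, [])


if __name__ == "__main__":
    for ip in ("203.0.113.77", "203.0.113.5", "198.51.100.25"):
        print(ip, "->", check_zen(ip, fake_resolver) or "not listed")
```

Run it as-is to see the offline table; call `check_zen("your.mx.ip.here")` with the default resolver for a live check of an MX or smarthost. If it ever returns "unexpected answer", look at the resolver rather than the address: a listing is always a 127.0.0.x code.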


Re: spamhaus' PBL is now *active* (in beta ... but still active). now what?

Posted by Phil Barnett <ph...@philb.us>.
On Saturday 06 January 2007 23:05, Theo Van Dinter wrote:
> On Sat, Jan 06, 2007 at 05:24:35PM -0800, snowcrash+spamassassin wrote:
> > i regularly run updates via cron on the hour.
> >
> :)
> :
> > running it again, or at all, will change what/where?
>
> The recent 3.1 updates include the ZEN rules.  If you're asking what files
> are changed by sa-update, please see "man sa-update" and the other
> documentation referenced therein.
>
> > i'm asking what *specifically* needs to change, if anything, in SA ...
> > i'd prefer NOT to be blind about it.
>
> Nothing needs to be changed, the update has everything necessary.

From what I read, I have to be concerned with my setup. I provide mailboxes, 
but I'm not an ISP, so no mail originates on my server.

From what I have read, the new ZEN rules will negatively impact my scores on 
all legitimate mail coming from my server.

Is that really the case?

-- 
My other computer is your Windows machine

Re: spamhaus' PBL is now *active* (in beta ... but still active). now what?

Posted by Panagiotis Christias <ch...@gmail.com>.
On 1/7/07, snowcrash+spamassassin <sc...@gmail.com> wrote:
> > The recent 3.1 updates include the ZEN rules.  If you're asking what files are
> > changed by sa-update, please see "man sa-update" and the other documentation
> > referenced therein.
>
> no, i was asking what files need to be changed in order for the
> referenced 'warning' abt PBL usages w/ filtering/scanning apps -- such
> as SA -- to NOT be a problem.

As long as you run sa-update in order to download and use the latest
spamassassin rules you do not have to change any configuration files.

Sit back, relax and enjoy. Trust SA for the rest ;).

Panagiotis

Re: spamhaus' PBL is now *active* (in beta ... but still active). now what?

Posted by snowcrash+spamassassin <sc...@gmail.com>.
> The recent 3.1 updates include the ZEN rules.  If you're asking what files are
> changed by sa-update, please see "man sa-update" and the other documentation
> referenced therein.

no, i was asking what files need to be changed in order for the
referenced 'warning' abt PBL usages w/ filtering/scanning apps -- such
as SA -- to NOT be a problem.

as in the following post by Phil, i had read this, and the exchange
between jw & john, as indicating that we, at least, need to ensure -- and
possibly change something -- that something's done a particular way.

> Nothing needs to be changed, the update has everything necessary.

again, that was NOT clear.  it was made MORE unclear by their exchange.

anyway, from my perspective, i've now followed advice, simply run
sa-update, ensured it --lint'ed correctly as usual, and expect that
this will _not_ be a problem.

thanks.

p.s. ($1 says that there _will_ be others that ask, again, in the future ...)

Re: spamhaus' PBL is now *active* (in beta ... but still active). now what?

Posted by Theo Van Dinter <fe...@apache.org>.
On Sat, Jan 06, 2007 at 05:24:35PM -0800, snowcrash+spamassassin wrote:
> i regularly run updates via cron on the hour.

:)

> running it again, or at all, will change what/where?

The recent 3.1 updates include the ZEN rules.  If you're asking what files are
changed by sa-update, please see "man sa-update" and the other documentation
referenced therein.

> i'm asking what *specifically* needs to change, if anything, in SA ...
> i'd prefer NOT to be blind about it.

Nothing needs to be changed, the update has everything necessary.

-- 
Randomly Selected Tagline:
"Cry, and the world cries with you. Laugh at the world, and you get 
 another appointment with the school psychiatrist. Oh damn." - MB

Re: spamhaus' PBL is now *active* (in beta ... but still active). now what?

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
snowcrash+spamassassin wrote:
>> In any case, why the fuss?  You've had three SA developers tell you the
>> rules that are published are fine how they are.
> 
> wow.
> 
> what "fuss" ? i've been polite in my intent and in my asking.  this
> *is* the "users" list after all.

Nah, I'm probably just in a really pissy mood waiting for snow, staring 
at my skis.  Sorry.


> i'm asking questions so that i understand. contrary to what you may
> believe, i actually read those comments several times and still wasn't
> clear.  "lastexternal" had *not* been mentioned, "notfirsthop" *had*.

It wasn't clear to me what you wanted to know.  It looked like you were 
looking to add or change some rule since.  lastexternal and notfirsthop 
are both explained in the documentation.

In any case, I think my explanation of why lastexternal was used rather 
than notfirsthop answered your query.


Regards,

Daryl

Re: spamhaus' PBL is now *active* (in beta ... but still active). now what?

Posted by snowcrash+spamassassin <sc...@gmail.com>.
> In any case, why the fuss?  You've had three SA developers tell you the
> rules that are published are fine how they are.

wow.

what "fuss" ? i've been polite in my intent and in my asking.  this
*is* the "users" list after all.

i'm asking questions so that i understand. contrary to what you may
believe, i actually read those comments several times and still wasn't
clear.  "lastexternal" had *not* been mentioned, "notfirsthop" *had*.

it may come as a surprise to you, but just cause you 'say' it, doesn't
mean that we all understand it.

i'm sorry if you find me too dense for your standards; i'll make sure
not to bother _you_ further.

Re: spamhaus' PBL is now *active* (in beta ... but still active). now what?

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
snowcrash+spamassassin wrote:

> now, given John Rudd's comment of
> 
>     > ah, I didn't know about notfirsthop.  That addresses it completely.
> 
> i still see no instance,
> 
>     % grep -rlni notfirsthop Updates/
>     %
> 
> is notfirsthop *necessary*, or just the _right_way_ for that specific 
> example?

Necessary for what?  I don't see a specific example quoted.  If you're 
referring to jm's post, I think he just made those rules up as they're 
not what we're publishing for 3.1.

-lastexternal is exactly what they're asking for.  In the case where the 
client connects directly to their MSA which then connects directly to 
your MX, -lastexternal is functionally equivalent to -notfirsthop.

-lastexternal is almost definitely what you want to use for any dynamic 
client sort of list as it allows for people running their own MSA that 
has a dynamic-listed IP which then forwards to a smarthost which in turn 
connects to your MX.  -notfirsthop would FP for this setup.


In any case, why the fuss?  You've had three SA developers tell you the 
rules that are published are fine how they are.  What exactly is it that 
you want to know, if not that the rules are correct?


Daryl

Re: spamhaus' PBL is now *active* (in beta ... but still active). now what?

Posted by snowcrash+spamassassin <sc...@gmail.com>.
> Specifically, nothing.  The updates already include it:
>
> updates_spamassassin_org/20_dnsbl_tests.cf:header __RCVD_IN_ZEN
> eval:check_rbl('zen', 'zen.spamhaus.org.')
> updates_spamassassin_org/20_dnsbl_tests.cf:header RCVD_IN_XBL
> eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.', '127.0.0.[456]')
> updates_spamassassin_org/20_dnsbl_tests.cf:header RCVD_IN_PBL
> eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.', '127.0.0.1[01]')

and, that's it,

% grep PBL Dist/* | grep RCVD
%
% grep ZEN Updates/3.001008/updates_spamassassin_org/* | grep RCVD
	Updates/3.001008/updates_spamassassin_org/20_dnsbl_tests.cf:header
__RCVD_IN_ZEN        eval:check_rbl('zen', 'zen.spamhaus.org.')
	Updates/3.001008/updates_spamassassin_org/20_dnsbl_tests.cf:describe
__RCVD_IN_ZEN      Received via a relay in Spamhaus ZEN
	Updates/3.001008/updates_spamassassin_org/20_dnsbl_tests.cf:tflags
__RCVD_IN_ZEN        net
% grep PBL Updates/3.001008/updates_spamassassin_org/* | grep RCVD
	Updates/3.001008/updates_spamassassin_org/20_dnsbl_tests.cf:header
RCVD_IN_PBL          eval:check_rbl('zen-lastexternal',
'zen.spamhaus.org.', '127.0.0.1[01]')
	Updates/3.001008/updates_spamassassin_org/20_dnsbl_tests.cf:describe
RCVD_IN_PBL                Received via a relay in Spamhaus PBL
	Updates/3.001008/updates_spamassassin_org/20_dnsbl_tests.cf:tflags
RCVD_IN_PBL          net
	Updates/3.001008/updates_spamassassin_org/20_dnsbl_tests.cf:#reuse RCVD_IN_PBL
	Updates/3.001008/updates_spamassassin_org/30_text_de.cf:lang de
describe RCVD_IN_PBL Transportiert via Rechner in PBL-Liste
(http://www.spamhaus.org/pbl/)
	Updates/3.001008/updates_spamassassin_org/30_text_nl.cf:lang nl
describe RCVD_IN_PBL                     Ontvangen via een relay die
gevonden is in Spamhaus PBL
	Updates/3.001008/updates_spamassassin_org/50_scores.cf:score
RCVD_IN_PBL 0 0.001 0 0.001

now, given John Rudd's comment of

	> ah, I didn't know about notfirsthop.  That addresses it completely.

i still see no instance,

	% grep -rlni notfirsthop Updates/
	%

is notfirsthop *necessary*, or just the _right_way_ for that specific example?

thanks much.

Re: spamhaus' PBL is now *active* (in beta ... but still active). now what?

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
snowcrash+spamassassin wrote:

> i'm asking what *specifically* needs to change, if anything, in SA ...
> i'd prefer NOT to be blind about it.

Specifically, nothing.  The updates already include it:

updates_spamassassin_org/20_dnsbl_tests.cf:header __RCVD_IN_ZEN 
eval:check_rbl('zen', 'zen.spamhaus.org.')
updates_spamassassin_org/20_dnsbl_tests.cf:header RCVD_IN_XBL 
eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.', '127.0.0.[456]')
updates_spamassassin_org/20_dnsbl_tests.cf:header RCVD_IN_PBL 
eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.', '127.0.0.1[01]')


Daryl

Re: spamhaus' PBL is now *active* (in beta ... but still active). now what?

Posted by snowcrash+spamassassin <sc...@gmail.com>.
> run sa-update.

i regularly run updates via cron on the hour.

running it again, or at all, will change what/where?

again, i see no traces of "zen"/"pbl" anywhere other than in my local.cf, atm.

i'm asking what *specifically* needs to change, if anything, in SA ...
i'd prefer NOT to be blind about it.

thanks.

Re: spamhaus' PBL is now *active* (in beta ... but still active). now what?

Posted by Theo Van Dinter <fe...@apache.org>.
On Sat, Jan 06, 2007 at 04:48:12PM -0800, snowcrash+spamassassin wrote:
> is there something we "normal, non-sa-godlike humans" need to do to
> distro (sa, sare, etc) files? or *just* make said mod in our local.cf
> rules?

run sa-update.

-- 
Randomly Selected Tagline:
"Besides, I wasn't envisioning building the full scale, "hurl flaming tar
 filled pottery at peasants over castle walls" type of trebuchet. More
 like the "hurl flaming jet puffed marshmallows at chipmunks over the
 picnic table" trebuchet. :-)"   - Timothy MacDonald

Re: spamhaus' PBL is now *active* (in beta ... but still active). now what?

Posted by snowcrash+spamassassin <sc...@gmail.com>.
> That would be the case if the PBL rule looked like:
>
>   header RCVD_IN_PBL          eval:check_rbl('zen', 'zen.spamhaus.org.', '127.0.0.1[01]')
>
> instead of
>
>   header RCVD_IN_PBL          eval:check_rbl('zen-notfirsthop', 'zen.spamhaus.org.', '127.0.0.1[01]')

grep'ing in my dist files & rules, there's no trace of 'zen' (well,
except for the polish and dutch cf's ... those folks need more vowels!
:-) ) or 'notfirsthop', so, to my first question ...

is there something we "normal, non-sa-godlike humans" need to do to
distro (sa, sare, etc) files? or *just* make said mod in our local.cf
rules?


thanks.

Re: spamhaus' PBL is now *active* (in beta ... but still active). now what?

Posted by John Rudd <jr...@ucsc.edu>.
Justin Mason wrote:
> snowcrash+spamassassin writes:
>> reading at the spamhaus site abt PBL i note,
> 
> wow dude, that's quick -- I hear it went live only a few hours
> ago ;)
> 
>> 	"WARNING! Some post-delivery filters use "full Received line
>> traversal" or "deep parsing", where the filter reads all the IPs in
>> the Received lines. Legitimate users, correctly sending good mail out
>> through their ISP's smarthost, will have PBL-listed IPs show up in the
>> first (lowest) Received header where their ISP picks it up. Such mail
>> should not be blocked! So, you should tell your filters to stop
>> comparing IPs against PBL at the IP which hands off to your mail
>> server! That last hand-off IP is the one which PBL is designed to
>> check. If you cannot configure your filters that way, then do not use
>> PBL to filter your mail."
>>
>> with the ever-smarter filters available with SA & SARE etc, what -- if
>> anything -- should 'we' do/configure differently in SA's confs/ops to
>> avoid this issue?
> 
> As long as "trusted_networks" and "internal_networks" are configured
> correctly, it'll be fine.
> 

I don't think that's true.

SA's RBL support looks at all of the received headers, last time I 
checked.  So, if you have a received header pattern like this:

Trusted Local Machine
Untrusted Remote ISP
Untrusted Remote Client*

(* in PBL because this is what the PBL lists: ISP clients)

Then SA will trigger PBL on it, even though it really shouldn't.  The 
fact that the trusted_networks and internal_networks are set properly 
doesn't help the situation.

Either the PBL mechanism should _only_ look at the first untrusted 
header, or the PBL rule is going to need to be set to a VERY low score 
(because if the PBL is a success, virtually every end client will be in 
it, and thus it will trigger on a lot of ham), or there needs to be no 
PBL rule at all**.

(** and in that last case, a "ZEN" rule should not include PBL results)

Of the 3 choices, I think the first one is the best candidate, but also 
the most complex to implement (and, also, I should probably write a 
BOTNET_PBL rule that does exactly that, since it's a different strategy 
for the same goal, and Botnet is already trying to do that "look at the 
first untrusted" approach).  Otherwise, I think the 3rd one is kind of 
inevitable ... so many hosts will eventually be listed, and it will 
match so many received headers, that it won't be a useful SA spam sign.
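
The relay-selection argument in this post and in Daryl's -lastexternal vs. -notfirsthop explanation earlier in the thread, re-created as an added example. This is not SpamAssassin's code and not code from anyone on the thread; it mirrors in miniature what the plain, `-lastexternal` and `-notfirsthop` forms of `check_rbl()` do with a Received chain. Assumptions, labelled: relays are listed top-down as in the message (index 0 delivered to us, the last element is the originating host); `trusted_networks` is a single constructed /24 and everything below the first untrusted relay is untrusted; `PBL_LISTED` is a constructed stand-in for a PBL answer, so no DNS is performed; all addresses are RFC 5737 documentation ranges.

```python
"""Which Received-chain IPs a check_rbl() rule queries, by addressing mode.

Added example; not SpamAssassin's code and not from the thread.
"""
import ipaddress
from typing import Dict, List, Tuple

TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]   # constructed: our MX lives here
PBL_LISTED = {"203.0.113.77", "203.0.113.78"}              # constructed: a "dynamic" range

MODES = ("", "lastexternal", "notfirsthop")


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def split_relays(relays: List[str]) -> Tuple[List[str], List[str]]:
    """Walk top-down while relays are trusted; from the first untrusted relay
    on, everything is untrusted (a trusted IP further down is not re-trusted)."""
    trusted: List[str] = []
    untrusted: List[str] = []
    for ip in relays:
        if not untrusted and is_trusted(ip):
            trusted.append(ip)
        else:
            untrusted.append(ip)
    return trusted, untrusted


def ips_to_check(relays: List[str], mode: str) -> List[str]:
    """Return the IPs a rule in the given mode would send to the DNSBL."""
    _, untrusted = split_relays(relays)
    if not untrusted:
        return []
    if mode == "":                       # plain set: every untrusted relay
        return list(untrusted)
    if mode == "lastexternal":           # only the relay that handed off to us
        return [untrusted[0]]
    if mode == "notfirsthop":            # drop the originating hop, unless it is alone
        return list(untrusted[:-1]) if len(untrusted) > 1 else list(untrusted)
    raise ValueError(f"unknown mode {mode!r}")


def pbl_hits(relays: List[str], mode: str) -> List[str]:
    return [ip for ip in ips_to_check(relays, mode) if ip in PBL_LISTED]


def compare_modes(relays: List[str]) -> Dict[str, List[str]]:
    """PBL hits per mode for one chain; a non-empty entry on legitimate mail is a FP."""
    return {mode: pbl_hits(relays, mode) for mode in MODES}


# Constructed chains, top-down.  Our MX is 192.0.2.10.
CHAIN_VIA_ISP = ["192.0.2.10", "198.51.100.25", "203.0.113.77"]
#                 MX          <- ISP smarthost   <- user's PBL-listed PC
CHAIN_OWN_MSA = ["192.0.2.10", "198.51.100.25", "203.0.113.78", "203.0.113.77"]
#                 MX          <- smarthost        <- user's own MSA on a listed IP <- PC
CHAIN_DIRECT = ["192.0.2.10", "203.0.113.77"]
#                 MX          <- listed PC connecting straight to our MX (what PBL is for)

if __name__ == "__main__":
    for name, chain in (("via ISP", CHAIN_VIA_ISP), ("own MSA", CHAIN_OWN_MSA), ("direct", CHAIN_DIRECT)):
        print(f"{name:8} {compare_modes(chain)}")
```

Running it shows the three positions taken in the thread side by side: with the plain set the "via ISP" chain hits PBL on the user's PC (the "deep parsing" case the Spamhaus warning is about), while both `-lastexternal` and `-notfirsthop` stay clean; with the "own MSA" chain `-notfirsthop` still hits the user's dynamic-IP MSA and only `-lastexternal` stays clean; and the direct-to-MX chain hits in every mode, which is the case PBL exists for. The `trusted_networks` caveat from Justin's reply is visible too: if 192.0.2.10 were not in `TRUSTED_NETWORKS`, your own MX would become the "last external" relay and the rule would check the wrong host.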


Re: spamhaus' PBL is now *active* (in beta ... but still active). now what?

Posted by snowcrash+spamassassin <sc...@gmail.com>.
> wow dude, that's quick -- I hear it went live only a few hours
> ago ;)

i've waited long with bated breath for
"JHFKJDG1054521@verizonwireless.com" et al. to leave me the fsck
alone :-)

> As long as "trusted_networks" and "internal_networks" are configured
> correctly

"correctly" ?!

oh heck ... here we go again! ;-)