RE: [Declude.JunkMail] REVDNS and HELOBOGUS
Thanks for your reply. I was surprised to learn of your success rate with admins. Though I'd never made any attempts to notify admins, I would have expected a lower response rate, figuring that most admins that have problems today are ignorant of how to fix them. Do you find yourself having to talk other admins through the process? Also it seems that a lot of the problem senders are bulk subscriptions and replies would go to non-existent accounts.

I'll give it a try on a case by case basis.

Thanks

-----Original Message-----
From: Kevin Bilbee [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 02, 2003 4:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] REVDNS and HELOBOGUS

We only white list after emailing the user and the mail admin. It is in their best interest to fix the RDNS and HELO bogus issues. Attached is the email I send to them. Why should I slow the processing of email on our server for a few ignorant admins?

I also send an automated email to all users on our server telling them what email has been held and giving them the option to recover the messages. In sending the automated email I no longer have to go through the held emails, the users do it.

I get about 1/3 of the admins thanking me for telling them of their config issues, 1/3 who think they have it configured that way for security reasons, and 1/3 who do not even reply.

Kevin Bilbee

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Agid, Corby
> Sent: Tuesday, September 02, 2003 4:11 PM
> To: 'Declude. Junkmail (E-mail)
> Subject: [Declude.JunkMail] REVDNS and HELOBOGUS
>
> Hello,
>
> We get a lot of false positives from sites that fail two of three simple
> tests such as REVDNS, HELOBOGUS and BADHEADERS which combined have just
> enough weight (10 to 12), to get tagged as spam. I have been whitelisting
> as I learn about them, which seems to be approx one to three entries per
> day.
>
> Do most people reduce the weight of these tests or increase the
> threshold of what's considered spam, or just whitelist as needed?
>
> Just curious.
>
> Corby

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.

Re: [Declude.JunkMail] REVDNS and HELOBOGUS
I reduced the scores of those tests. Messages that fail BADHEADERS seem to often fail HELOBOGUS in my experience. It would be good to know the error code returned by the BADHEADERS test because this shouldn't be failed by most mailing applications (even automated ones). If you look in your log for the messages in question, you will find a code for the BADHEADERS failure which can be looked up through the following page:

http://www.declude.com/tools/header.php

One bug was caught last week that dealt with too many characters on the To: line, which Scott promptly fixed in an interim release. Another issue that I was experiencing with BADHEADERS was related to not having a To: address in an E-mail, which IE and Exchange's Web Mail among others were allowing now despite the RFCs clearly saying it was necessary even if not a valid address (Netscape 7 is compliant). This was an issue with mailing lists and other broadcast messages that make use of the CC or BCC lines and no use of the To line. I believe Scott might be thinking about modifying this test as well, but I'll let him speak for himself.

I found these issues on my system when I recently did a capture on the BADHEADERS test. It is a wonderful test though, tagging about half of all spam received, and the false positive rate was an incredibly low 0.5% (10 false positives out of 1,834 test failures in all). 9 of the 10 false positives though were from errors possible from popular (enough) mail clients. Knowing your error codes would help in determining if you were suffering from similar issues, and possibly there is a fix out now. My only issue with BADHEADERS is that messages that fail it will almost definitely fail at least one other technical test, especially SPAMHEADERS and HELOBOGUS.

If your BADHEADERS failures are the responsibility of bad software on the sender's end, I would reduce the test scores so that both BADHEADERS (I score 3) and HELOBOGUS (I score 5) need to fail another small test in order to get blocked. The small tests that I see working in this case are NOPOSTMASTER, NOABUSE and DSN, each of which I score as 1, and BASE64 which I score as 3.

Regarding your REVDNS test, this is one of the tests that I turned off because it has a very high false positive rate and I perceived it as giving no real value as a result. Even my server sat without reverse DNS entries until recently because my co-location provider was slow in delegating responsibility for that class C over to my DNS server, and those with smaller blocks tend to not bother at all. There are many valid mail servers without these lookups.

This is of course just my methodology, your mileage may vary.

Matt

Agid, Corby wrote:

> Hello,
>
> We get a lot of false positives from sites that fail two of three simple
> tests such as REVDNS, HELOBOGUS and BADHEADERS which combined have just
> enough weight (10 to 12), to get tagged as spam. I have been whitelisting
> as I learn about them, which seems to be approx one to three entries per
> day.
>
> Do most people reduce the weight of these tests or increase the
> threshold of what's considered spam, or just whitelist as needed?
>
> Just curious.
>
> Corby

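The weighting approach described in the message above, as an added example that is not part of the original thread and is not Declude's own code: it reads the failed tests from `X-RBL-Warning` headers and sums the scores Matt quotes. The hold threshold of 9, the helper names and the sample header texts are assumptions made for illustration.

```python
from email import message_from_string

# Scores Matt states in his message; REVDNS is 0 because he turned it off.
WEIGHTS = {"BADHEADERS": 3, "HELOBOGUS": 5, "NOPOSTMASTER": 1,
           "NOABUSE": 1, "DSN": 1, "BASE64": 3, "REVDNS": 0}
# Assumed threshold: BADHEADERS + HELOBOGUS (8) passes, one more small test holds.
HOLD_AT = 9


def failed_tests(raw_message):
    """Return the test names found in X-RBL-Warning headers (duplicates collapse)."""
    msg = message_from_string(raw_message)
    names = set()
    for value in msg.get_all("X-RBL-Warning", []):
        name, sep, _detail = str(value).partition(":")
        if sep and name.strip():
            names.add(name.strip().upper())
    return names


def score(raw_message, weights=WEIGHTS):
    """Return (total weight, sorted list of test names with no configured weight)."""
    failed = failed_tests(raw_message)
    total = sum(weights[name] for name in failed if name in weights)
    return total, sorted(failed - set(weights))


def verdict(raw_message, weights=WEIGHTS, hold_at=HOLD_AT):
    """'hold' when the combined weight reaches the threshold, else 'deliver'."""
    total, _unknown = score(raw_message, weights)
    return "hold" if total >= hold_at else "deliver"


def sample(*warnings):
    """Build a constructed message carrying the given X-RBL-Warning values."""
    headers = "".join(f"X-RBL-Warning: {w}\n" for w in warnings)
    return headers + "Subject: constructed sample\n\nbody\n"


# Constructed header texts; host and address use documentation ranges.
HELO = "HELOBOGUS: Domain mail.example.com has no MX or A records."
RDNS = "REVDNS: Sent from 192.0.2.10 with no reverse DNS entry."
BADH = "BADHEADERS: constructed detail text"
ABUSE = "NOABUSE: constructed detail text"

if __name__ == "__main__":
    for warnings in [(RDNS, HELO), (HELO, BADH), (HELO, BADH, ABUSE)]:
        msg = sample(*warnings)
        print(sorted(failed_tests(msg)), score(msg)[0], verdict(msg))
```

Tests with no configured weight are returned separately instead of being silently scored as zero, so a newly enabled test shows up when reviewing held mail.
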
RE: [Declude.JunkMail] REVDNS and HELOBOGUS
We only white list after emailing the user and the mail admin. It is in their best interest to fix the RDNS and HELO bogus issues. Attached is the email I send to them. Why should I slow the processing of email on our server for a few ignorant admins?

I also send an automated email to all users on our server telling them what email has been held and giving them the option to recover the messages. In sending the automated email I no longer have to go through the held emails, the users do it.

I get about 1/3 of the admins thanking me for telling them of their config issues, 1/3 who think they have it configured that way for security reasons, and 1/3 who do not even reply.

Kevin Bilbee

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Agid, Corby
> Sent: Tuesday, September 02, 2003 4:11 PM
> To: 'Declude. Junkmail (E-mail)
> Subject: [Declude.JunkMail] REVDNS and HELOBOGUS
>
> Hello,
>
> We get a lot of false positives from sites that fail two of three simple
> tests such as REVDNS, HELOBOGUS and BADHEADERS which combined have just
> enough weight (10 to 12), to get tagged as spam. I have been whitelisting
> as I learn about them, which seems to be approx one to three entries per
> day.
>
> Do most people reduce the weight of these tests or increase the
> threshold of what's considered spam, or just whitelist as needed?
>
> Just curious.
>
> Corby

Hi,

I am Kevin Bilbee the Network Administrator at Standard Abrasives. We are having some issues receiving email from your mail server. I would appreciate it if you could help me out.

Your mail server is missing a few DNS entries that are required to validate that email is coming from your server and not someone pretending to be you. About 60% of the mail coming into our server is unsolicited (SPAM) so being able to identify legitimate email is important to us. These items are outlined below.

X-RBL-Warning: HELOBOGUS: Domain lwtc_nt_1.linweld.com has no MX or A records.
X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 65.197.31.34 with no reverse DNS entry.

This is the link to the Internet Engineering Task Force site and the RFC for Common DNS Operational and Configuration Errors section 2.1. It discusses DNS and common configuration errors pertaining to mail servers.

http://www.ietf.org/rfc/rfc1912.txt?number=1912

If you could forward this to your IT department or send me contact information for them, I would appreciate it.

Mail from your server is not lost, it is delayed 1 day while waiting for review. If it is found to not be spam, the recipient has the option to recover the message. If they do not recover it in 14 days, it is purged from the system.

I understand that mail from your server is not spam and is legitimate business email. But our spam filter cannot make that determination without the above fixes, so human intervention is involved to complete delivery to the final recipient.

Thank you for your assistance in this matter,

Kevin Bilbee
Network Administrator
Standard Abrasives, Inc.
[EMAIL PROTECTED]
(805) 520-5800 x7332
Changing the way industry works.