Re: reply from sorbs
jdow wrote:
> It means your address is in a set of DSL addresses listed as Dial Up addresses. Ye verily thou art stuck in the fork. [...] (See why I do not like such broad brush black lists? They false alarm BADLY at times they should not, far too many times.)

I must disagree. Unfortunately the number of responsible people on the other end of cable and DSL modems is vanishingly small compared to the number of zombie machines that are spewing spam and more viruses. On a typical day we get about 340,000 delivery attempts. We block about 110,000 thanks to SORBS. That's per day. I have only gotten 4 or 5 false positives due to SORBS listings in the last 6 months. (Of 340,000 incoming messages, we pass on 7,400 to our users.)

So would you have us accept 110,000 garbage messages per day for less than one a month that are responsible people running their own mail server on a cable or DSL modem? That would be a great cost to us in either processing power to analyze the messages with SA and/or lost productivity for all our users to wade through more junk.

I'm sorry but you must send mail through your ISP's mail server or be blocked by an increasing number of mail servers around the Internet. If your ISP doesn't support using their mail server with your domain, find another one. My home ISP does, which is one reason I chose them.

--
Bob Amen
O'Reilly Media, Inc.
http://www.ora.com/ http://www.oreilly.com/
Re: reply from sorbs
On Saturday 27 November 2004 05:10 pm, jdow wrote:
> And indeed, it should only be used on mail that is incoming from the Internet. Local mail should bypass the SpamAssassin checks. That way cron job emails to root will not get filtered. That does not, however, help you with regards to email you send. You need a proper static IP address or else you must use your ISP's mailer.

That's just it, normally when using Kmail to check mail they're not filtered through SA; I have a Kmail filter set up so that mail from [EMAIL PROTECTED] is sent directly to the cronmsg folder. Below is how both my spamd restart and my rkhunter log output are addressed and sent:

Return-Path: [EMAIL PROTECTED]
Received: from chris.localdomain ([69.68.226.5]) by mx-a065b01.pas.sa.earthlink.net (EarthLink SMTP Server) with ESMTP id 1cycX75BF3NZFpK0 for [EMAIL PROTECTED]; Sat, 27 Nov 2004 16:30:08 -0800 (PST)
Received: by chris.localdomain (Postfix) id 3ED06584005; Sat, 27 Nov 2004 18:30:07 -0600 (CST)
Delivered-To: [EMAIL PROTECTED]
Received: by chris.localdomain (Postfix, from userid 0) id 0B576584002; Sat, 27 Nov 2004 19:30:07 -0500 (EST)
From: [EMAIL PROTECTED] (Cron Daemon)
To: [EMAIL PROTECTED]
Subject: Cron [EMAIL PROTECTED] /etc/rc.d/init.d/spamassassin restart

My spam-stats msg is addressed a bit differently, however it also has a filter set up:

Return-Path: [EMAIL PROTECTED]
Received: from chris.localdomain ([69.68.226.5]) by mx-a065b28.pas.sa.earthlink.net (EarthLink SMTP Server) with ESMTP id 1cxYr21la3NZFpQ0 for [EMAIL PROTECTED]; Sat, 27 Nov 2004 01:00:04 -0800 (PST)
Received: by chris.localdomain (Postfix, from userid 0) id 357A1584005; Sat, 27 Nov 2004 04:00:02 -0500 (EST)
From: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: SpamAssassin statistics
Message-Id: [EMAIL PROTECTED]
Date: Sat, 27 Nov 2004 04:00:02 -0500 (EST)

The only time I've had a problem was the other day while working with fetchmail, which is when I found the listed in sorbs.net listing. I'm pretty sure I know now what the problem was though, I still had the Kmail filter active that will check mail 5, when I polled my /var/spool/mail/chris folder for mail, everything was run through SA. I'm now working on a fetchmail procmail[spamc] setup, hopefully I'll get it right.

--
Chris
Registered Linux User 283774 http://counter.li.org
7:09pm up 23 days, 23:38, 2 users, load average: 0.64, 0.24, 0.13
The trouble with heart disease is that the first symptom is often hard to deal with: death. -- Michael Phelps
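The headers Chris pasted show the mechanism behind his listing: EarthLink's MX wrote `from chris.localdomain ([69.68.226.5])` into the topmost Received header, and that connecting address is what any DNSBL (here the page's own zone, dnsbl.sorbs.net) is asked about. The script below is an added example, not code from the thread or from SpamAssassin; it rebuilds the message from the quoted header lines (addresses are constructed placeholders for the redacted ones), extracts the client IP from the topmost Received header only, forms the reversed-octet query name, and interprets a DNSBL answer the standard way (an A record in 127.0.0.0/8 means listed). The resolver is injected so it runs offline; the answer value in the demo is constructed and carries no claim about what SORBS actually returns.

```python
"""Added example (not code from the thread): work out which IP address a
receiving MTA recorded for a message and what a DNSBL lookup for it asks.

Assumptions (not stated on the page): only the topmost Received header is
trusted, since every header below it was written by machines the sender
controls; the resolver is injected so the code runs offline.
"""
import email
import ipaddress
import re
from typing import Callable, Optional, Tuple

# Constructed sample built from the header lines quoted in the thread; the
# addresses (redacted on the page) are placeholders, the IP is the page's own.
SAMPLE_MESSAGE = """\
Return-Path: <root@chris.localdomain>
Received: from chris.localdomain ([69.68.226.5])
\tby mx-a065b01.pas.sa.earthlink.net (EarthLink SMTP Server)
\twith ESMTP id 1cycX75BF3NZFpK0 for <chris@example.net>;
\tSat, 27 Nov 2004 16:30:08 -0800 (PST)
Received: by chris.localdomain (Postfix) id 3ED06584005;
\tSat, 27 Nov 2004 18:30:07 -0600 (CST)
Received: by chris.localdomain (Postfix, from userid 0) id 0B576584002;
\tSat, 27 Nov 2004 19:30:07 -0500 (EST)
From: root@chris.localdomain (Cron Daemon)
To: chris@example.net
Subject: Cron <root@chris> /etc/rc.d/init.d/spamassassin restart

Restarting spamd (constructed body).
"""

# An IPv4 literal in square brackets, as MTAs write the client address.
_CLIENT_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(raw_message: str) -> Optional[str]:
    """Client IP from the topmost Received header (the hop our own MTA wrote).

    Lower Received headers are not consulted: the sender can forge them.
    """
    msg = email.message_from_string(raw_message)
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = _CLIENT_IP.search(received[0])
    return match.group(1) if match else None


def dnsbl_query_name(ip: str, zone: str = "dnsbl.sorbs.net") -> str:
    """Build the reversed-octet query name: 69.68.226.5 -> 5.226.68.69.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    if addr.is_private or addr.is_loopback:
        # e.g. a hop from 127.0.0.1 or 192.168.x.x: never ask a public list about it
        raise ValueError(f"{ip} is not a public address; a DNSBL lookup makes no sense")
    return ".".join(reversed(ip.split("."))) + "." + zone


def is_listed(answer: Optional[str]) -> bool:
    """DNSBL convention: an A record inside 127.0.0.0/8 means 'listed' and
    NXDOMAIN (here: None) means 'not listed'. Anything else counts as 'not
    listed' so a hijacked or wildcarded zone cannot block all mail."""
    if answer is None:
        return False
    try:
        return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")
    except ValueError:
        return False


def check_message(raw_message: str,
                  resolve: Callable[[str], Optional[str]],
                  zone: str = "dnsbl.sorbs.net") -> Tuple[Optional[str], Optional[str], bool]:
    """Return (client_ip, query_name, listed) for a message via an injected resolver."""
    ip = connecting_ip(raw_message)
    if ip is None:
        return None, None, False
    name = dnsbl_query_name(ip, zone)
    return ip, name, is_listed(resolve(name))


if __name__ == "__main__":
    # Offline stand-in for DNS: a constructed answer saying the page's IP is listed.
    fake_dns = {"5.226.68.69.dnsbl.sorbs.net": "127.0.0.2"}
    print(check_message(SAMPLE_MESSAGE, fake_dns.get))
```

The private-address check matters for Chris's fetchmail case: once fetchmail hands mail to a local MTA, the topmost Received header may carry 127.0.0.1, and a scanner that does not skip such hops wastes lookups (and the trusted-network configuration in SpamAssassin is what tells it which hops are yours).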
Re: reply from sorbs
On Sat, Nov 27, 2004 at 04:43:37PM -0800, Bob Amen wrote:
> I must disagree. Unfortunately the number of responsible people on the other end of cable and DSL modems is vanishingly small compared to the number of zombie machines that are spewing spam and more viruses. On a typical day we get about 340,000 delivery attempts. We block about 110,000 thanks to SORBS. That's per day. I have only gotten 4 or 5 false positives due to SORBS listings in the last 6 months. (Of 340,000 incoming messages, we pass on 7,400 to our users.)
>
> So would you have us accept 110,000 garbage messages per day for less than one a month that are responsible people running their own mail server on a cable or DSL modem? That would be a great cost to us in either processing power to analyze the messages with SA and/or lost productivity for all our users to wade through more junk.
>
> I'm sorry but you must send mail through your ISP's mail server or be blocked by an increasing number of mail servers around the Internet. If your ISP doesn't support using their mail server with your domain, find another one. My home ISP does, which is one reason I chose them.
>
> --
> Bob Amen
> O'Reilly Media, Inc.
> http://www.ora.com/ http://www.oreilly.com/

Bob is right. If you want to send mail directly to mail servers without having a static IP, switch to another ISP. Or use your ISP's mail server. We don't want users to receive thousands of spam mails just in order to allow 1 or 2 guys to send their mail directly from their machine, without using their ISP's mail server...

Nicolas, Paris.

--
--- OxStOnE -- O - Z750 Linux --- ._ /\_ --- Powered -- (x) (x) ~~~
Re: reply from sorbs
> On Sat, Nov 27, 2004 at 04:43:37PM -0800, Bob Amen wrote:
> > I must disagree. Unfortunately the number of responsible people on the other end of cable and DSL modems is vanishingly small compared to the number of zombie machines that are spewing spam and more viruses. On a typical day we get about 340,000 delivery attempts. We block about 110,000 thanks to SORBS. That's per day. I have only gotten 4 or 5 false positives due to SORBS listings in the last 6 months. (Of 340,000 incoming messages, we pass on 7,400 to our users.)
> >
> > So would you have us accept 110,000 garbage messages per day for less than one a month that are responsible people running their own mail server on a cable or DSL modem? That would be a great cost to us in either processing power to analyze the messages with SA and/or lost productivity for all our users to wade through more junk.
> >
> > I'm sorry but you must send mail through your ISP's mail server or be blocked by an increasing number of mail servers around the Internet. If your ISP doesn't support using their mail server with your domain, find another one. My home ISP does, which is one reason I chose them.
> >
> > --
> > Bob Amen
> > O'Reilly Media, Inc.
> > http://www.ora.com/ http://www.oreilly.com/
>
> Bob is right. If you want to send mail directly to mail servers without having a static IP, switch to another ISP. Or use your ISP's mail server. We don't want users to receive thousands of spam mails just in order to allow 1 or 2 guys to send their mail directly from their machine, without using their ISP's mail server...
>
> Nicolas, Paris.

Hi,

if I did not miss anything in this thread, the victim HAS a static IP on the cable/dsl link and pays more for the access than dynamic ip would cost with the same provider. The provider, however, reports a full ip block (which may have a few percent of static ip's) as dialup.

I believe the extra money they get on the fixed ip should allow them to
- either report correctly or
- create a mail relay where authenticated users can use their own domain name as sender

Wolfgang Hamann
Re: reply from sorbs
On Sun, Nov 28, 2004 at 10:11:12AM -, [EMAIL PROTECTED] wrote:
> Hi,
>
> if I did not miss anything in this thread, the victim HAS a static IP on the cable/dsl link and pays more for the access than dynamic ip would cost with the same provider. The provider, however, reports a full ip block (which may have a few percent of static ip's) as dialup.
>
> I believe the extra money they get on the fixed ip should allow them to
> - either report correctly or
> - create a mail relay where authenticated users can use their own domain name as sender
>
> Wolfgang Hamann

I think he has a dynamic IP over a DSL line. That's what I understood. Am I wrong?

Nicolas, Paris.

--
--- OxStOnE -- O - Z750 Linux --- ._ /\_ --- Powered -- (x) (x) ~~~
Re: reply from sorbs
From: Nicolas [EMAIL PROTECTED]
To: users@spamassassin.apache.org
Sent: 2004 November, 28, Sunday 02:12
Subject: Re: reply from sorbs

> On Sun, Nov 28, 2004 at 10:11:12AM -, [EMAIL PROTECTED] wrote:
> > Hi,
> >
> > if I did not miss anything in this thread, the victim HAS a static IP on the cable/dsl link and pays more for the access than dynamic ip would cost with the same provider. The provider, however, reports a full ip block (which may have a few percent of static ip's) as dialup.
> >
> > I believe the extra money they get on the fixed ip should allow them to
> > - either report correctly or
> > - create a mail relay where authenticated users can use their own domain name as sender
> >
> > Wolfgang Hamann
>
> I think he has a dynamic IP over a DSL line. That's what I understood. Am I wrong?
>
> Nicolas, Paris.

So because he is on an address block listed as dialup he gets no chance to issue an SPF for his site. Ah well.

{o.o}
Re: reply from sorbs
I realize this is way off topic, but it is important to spam fighting.

jdow wrote:
> On Sun, Nov 28, 2004 at 10:11:12AM -, [EMAIL PROTECTED] wrote:
> > Hi, if I did not miss anything in this thread, the victim HAS a static IP on the cable/dsl link and pays more for the access than dynamic ip would cost with the same provider. The provider, however, reports a full ip block (which may have a few percent of static ip's) as dialup.
> >
> > I believe the extra money they get on the fixed ip should allow them to
> > - either report correctly or
> > - create a mail relay where authenticated users can use their own domain name as sender

Yes, they should have a separate block of IP addresses for those that pay the added cost. And those don't get reported to the SORBS DUL list. Maybe other lists if they actually do spam but not DUL.

> So because he is on an address block listed as dialup he gets no chance to issue an SPF for his site. Ah well.

He could but unfortunately SPF doesn't solve the problem. The very same zombie machines that are spewing spam are also DNS servers offering SPF records for the domain they claim to send from. And those domains are either registered with false or forged information or registered anonymously, thanks to the policies of some registrars, aided and abetted by ICANN. Spammers are adopting SPF faster than the rest of the Internet.

It's a difficult situation we're in and there is no silver bullet. We need every resource we can use, including good block lists, SPF as a rule in SpamAssassin and more. It's very depressing and getting worse, according to my mail servers' statistics. We need everyone with a clue to help by sending mail in ways that support the resources we use instead of whining that they can't do something the way they want. Don't blame me and the other mail server admins if you can't get mail to our systems because you are sending from a machine on a DSL modem. Blame the spammers and those that buy from them!

--
Bob Amen
O'Reilly Media, Inc.
http://www.ora.com/ http://www.oreilly.com/
Re: My IP listed in dnsbl.sorbs.net
Chris wrote:
> However, I do not run a mail server, the offending msg came from the fact that every 4hrs I restart spamd and have the output of the crontab mailed to me. I also have the results of the rootkit hunter cronjob mailed to me daily. Is the problem caused by the fact that the mail is sent from chris.localdomain to EL?

If that mail is from a local machine to another local machine then I would create a transport map (thinking of postfix here) so that local mail is sent completely locally. Only non-local mail would go out to the external ISP mail relay. Why require external networking for a completely local task? A postfix specific entry in the transport map would be:

    .localdomain smtp:

If the message is anything.localdomain then send it directly there by SMTP. Any other message falls through and does whatever you have previously configured for it to do. If you have a relayhost set to your ISP then it is sent there normally. Other MTAs have similar capabilities.

Bob
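A fuller version of the transport-map arrangement Bob describes, as an added example rather than Bob's or Chris's actual configuration (the relay name smtp.example-isp.net is an assumption; the file paths are Postfix's standard ones). In Postfix's transport(5) a leading dot matches every host under a domain while the bare domain name matches the domain itself, and anything not matched falls through to `relayhost` in main.cf:

```text
# /etc/postfix/transport  (added example; run postmap on this file after editing)
# Mail for the local domain and for any host under it is delivered by SMTP
# straight to that host, never via the ISP relay.
localdomain      smtp:
.localdomain     smtp:

# /etc/postfix/main.cf (relevant lines only; the relay name is an assumption)
transport_maps = hash:/etc/postfix/transport
relayhost = [smtp.example-isp.net]

# Shell: rebuild the lookup table, reload Postfix, then query one key to
# confirm the table was built from the file you edited.
postmap /etc/postfix/transport
postfix reload
postmap -q .localdomain hash:/etc/postfix/transport
```

`smtp:` with an empty next-hop makes Postfix resolve the recipient's domain itself, so the .localdomain names must be resolvable from that machine (internal DNS or /etc/hosts); the cron mail Chris showed is addressed to an EarthLink mailbox, so it is the `relayhost` line, not the transport entry, that governs how that particular message leaves the box.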
sa-learn stats? Explanation?
I have not been paying attention to the bayes internals. Here is the output of a recent sa-learn --force-expire run.

    synced Bayes databases from journal in 0 seconds: 1248 unique entries (1790 total entries)
    expired old Bayes database entries in 31 seconds
    156683 entries kept, 6897 deleted
    token frequency: 1-occurence tokens: 60.43%
    token frequency: less than 8 occurrences: 23.86%

What is a 1-occurence token? What is the significance of less than 8 occurrences? Just trying to get a general understanding of what is happening.

Thanks
Bob
Re: reply from sorbs
DSL, Cable, T1, Fiber, etc.: your high speed connection type shouldn't be blacklisted, your service level should, ie dynamic residential line. A business class customer paying for static ip(s) on a (a/s)dsl line should not have their ip's blacklisted. I've seen as much spam come from lines where a spammer buys 254 ip's and starts spamming, then changes ip's a month later. The RDNS of the ip matches the helo etc.

It isn't the blacklister's fault in most cases to have a user's isp too lazy to properly operate their policies. If you are a business customer, your isp has blacklisted you, it's your responsibility to either find a new isp (where there isn't a monopoly on the line in case of DSL and Cable) or make sure in writing before you sign anything that your ip(s) will never be listed by the ISP as res/dynamic/dialup ip. If they do they may be in breach of contract (and you would need a lawyer for resolution.) If I'm a business customer, pay for static ip, I'd expect to not have my ip listed by default as a res/dynamic/dialup ip.

Also, if AOL/Yahoo/MSN were to require you as an admin to pay $100k per year in order to be allowed to send mail to them (via from your ip), would you be willing to do this? This would in effect stop 100% spam...

My 2c

Thanks,
JamesDR

Bob Amen wrote:
> I realize this is way off topic, but it is important to spam fighting.
>
> jdow wrote:
> > On Sun, Nov 28, 2004 at 10:11:12AM -, [EMAIL PROTECTED] wrote:
> > > Hi, if I did not miss anything in this thread, the victim HAS a static IP on the cable/dsl link and pays more for the access than dynamic ip would cost with the same provider. The provider, however, reports a full ip block (which may have a few percent of static ip's) as dialup.
> > >
> > > I believe the extra money they get on the fixed ip should allow them to
> > > - either report correctly or
> > > - create a mail relay where authenticated users can use their own domain name as sender
>
> Yes, they should have a separate block of IP addresses for those that pay the added cost. And those don't get reported to the SORBS DUL list. Maybe other lists if they actually do spam but not DUL.
>
> > So because he is on an address block listed as dialup he gets no chance to issue an SPF for his site. Ah well.
>
> He could but unfortunately SPF doesn't solve the problem. The very same zombie machines that are spewing spam are also DNS servers offering SPF records for the domain they claim to send from. And those domains are either registered with false or forged information or registered anonymously, thanks to the policies of some registrars, aided and abetted by ICANN. Spammers are adopting SPF faster than the rest of the Internet.
>
> It's a difficult situation we're in and there is no silver bullet. We need every resource we can use, including good block lists, SPF as a rule in SpamAssassin and more. It's very depressing and getting worse, according to my mail servers' statistics. We need everyone with a clue to help by sending mail in ways that support the resources we use instead of whining that they can't do something the way they want. Don't blame me and the other mail server admins if you can't get mail to our systems because you are sending from a machine on a DSL modem. Blame the spammers and those that buy from them!
Re: reply from sorbs
JamesDR wrote:
> make sure in writing before you sign anything that your ip(s) will never be listed by the ISP as res/dynamic/dialup ip. If they do they may be in breach of contract (and you would need a lawyer for resolution.)

I doubt any ISP would agree to a contract term like that, because they don't have any control over what the blacklist maintainers do. Some of the blacklists deliberately list whole blocks of IP addresses that happen to be on the same backbone provider as a spammer, to intentionally cause collateral damage. There's little an individual ISP can do about that.
Re: reply from sorbs
David Brodbeck wrote:
> > make sure in writing before you sign anything that your ip(s) will never be listed by the ISP as res/dynamic/dialup ip. If they do they may be in breach of contract (and you would need a lawyer for resolution.)
>
> I doubt any ISP would agree to a contract term like that, because they don't have any control over what the blacklist maintainers do. Some of the blacklists deliberately list whole blocks of IP addresses that happen to be on the same backbone provider as a spammer, to intentionally cause collateral damage. There's little an individual ISP can do about that.

They can start by using proper rDNS. There's an awful lot of rDNS that looks like dynamic rDNS that contains statically-assigned addresses. The corollary to that is hey, stupid, don't throw your static customers and servers into blocks that are mostly dynamic. Which, believe it or not, some ISPs do. Try to get a separate allocation or sane rDNS from SBC** on a DSL line... Good luck. They do it on T-1 and other leased lines but apparently not on DSL.

You are correct to a certain extent, and there are lists like the Mail Abuse Prevention System DUL (Dialup User List) where the ISPs are asked to VOLUNTEER their lists of dynamic netblocks (although that wouldn't help in the example given above), but I believe most of the dynamic lists are based on trawling rDNS (out of necessity more than anything else).

Best,
Steve

**SBC is the USA's largest telephone company.

--
JustThe.net Internet New Media Services, http://JustThe.net/
Steven J. Sobol, Geek In Charge / 888.480.4NET (4638) / [EMAIL PROTECTED]
PGP Key available from your friendly local key server (0xE3AE35ED)
Apple Valley, California
Nothing scares me anymore. I have three kids.
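Steve's point that dynamic lists are mostly built by "trawling rDNS" is worth seeing in code, because it explains both failure modes in this thread: a static customer whose ISP put them in a dynamic-looking block gets listed with the block, and an ISP that labels static space clearly keeps it out. The script below is an added example, not code from the thread or from any list operator; the marker words, sample hostnames and IPs are constructed for illustration (documentation ranges and example.net names), and real list operators use their own unpublished rules.

```python
"""Added example (not code from the thread): a reverse-DNS heuristic of the
kind used to build dial-up/dynamic lists, plus a per-netblock summary that
shows how one sane static host in a dynamic-looking block gets swept up.

The marker words, sample names and sample IPs are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

DYNAMIC_MARKERS = ("dyn", "dynamic", "dhcp", "pool", "ppp", "dialup",
                   "dsl", "adsl", "cable", "res", "cust")
STATIC_MARKERS = ("static", "fixed", "biz", "business")


@dataclass
class Verdict:
    looks_dynamic: bool
    reasons: List[str] = field(default_factory=list)


def _tokens(name: str) -> List[str]:
    """Split a hostname on the separators ISPs use in generated rDNS."""
    return [t for t in re.split(r"[.\-_]", name.lower()) if t]


def embeds_ip(name: str, ip: str) -> bool:
    """True if all four octets of ip appear as consecutive numeric groups in
    name, forwards (69-68-226-5) or reversed (5-226-68-69)."""
    octets = ip.split(".")
    groups = re.findall(r"\d+", name)
    for pattern in (octets, octets[::-1]):
        for i in range(len(groups) - 3):
            if groups[i:i + 4] == pattern:
                return True
    return False


def classify_rdns(name: str, ip: str) -> Verdict:
    """Decide whether an rDNS name looks like generated dynamic-pool naming."""
    if not name:
        # No PTR at all: most receivers treat that as worse than a dynamic-looking name.
        return Verdict(True, ["no-rdns"])
    tokens = _tokens(name)
    if any(t in STATIC_MARKERS for t in tokens):
        # The ISP went to the trouble of labelling it static: honour that.
        return Verdict(False, ["static-marker"])
    reasons: List[str] = []
    if embeds_ip(name, ip):
        reasons.append("ip-embedded")
    hits = [m for m in DYNAMIC_MARKERS
            if any(t == m or (t.startswith(m) and t[len(m):].isdigit()) for t in tokens)]
    if hits:
        reasons.append("dynamic-marker:" + ",".join(hits))
    return Verdict(bool(reasons), reasons)


def block_summary(records: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count dynamic-looking vs. static-looking names in a list of (ip, rdns)
    pairs, the way a list operator might size up one netblock before
    deciding to list the whole range."""
    summary = {"dynamic": 0, "static": 0}
    for ip, rdns in records:
        summary["dynamic" if classify_rdns(rdns, ip).looks_dynamic else "static"] += 1
    return summary


# Constructed netblock: generated DSL-pool names with one static customer
# (a mail server with sane rDNS) dropped into the same block, as Steve describes.
SAMPLE_BLOCK = [
    ("198.51.100.1", "adsl-198-51-100-1.dsl.example.net"),
    ("198.51.100.2", "adsl-198-51-100-2.dsl.example.net"),
    ("198.51.100.3", "mail.customer-example.com"),
    ("198.51.100.4", "adsl-198-51-100-4.dsl.example.net"),
    ("198.51.100.5", ""),
]

if __name__ == "__main__":
    for ip, rdns in SAMPLE_BLOCK:
        print(ip, rdns or "(no PTR)", classify_rdns(rdns, ip))
    print(block_summary(SAMPLE_BLOCK))
```

Run against the constructed block, the single host with proper rDNS is judged static on its own, but the block as a whole is four-to-one dynamic-looking; a list that works at block granularity lists all five, which is exactly the collateral damage David and Steve are arguing about. Compare the `.static.` form, which the classifier exempts outright: that is the "sane rDNS" Steve asks ISPs for.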