Re: DOB timeouts?

2008-01-06 Thread Michael Scheidell
One more thing: email to them, ar.com, alices-registry, ANYTHING bounces.

Any DNS blacklist provider who is not transparent and accessible needs to
stop being used.
(example: blocked.secnap.net. Their rules for use are VERY explicit) and we
are VERY easy to get ahold of


-- 
Michael Scheidell, CTO
SECNAP Network Security

_
This email has been scanned and certified safe by SpammerTrap(tm). 
For Information please see http://www.spammertrap.com
_


Re: DOB timeouts?

2008-01-06 Thread Michael Scheidell

> From: Fletcher Mattox <[EMAIL PROTECTED]>
> Date: Fri, 4 Jan 2008 17:25:04 -0600
> To: 
> Subject: DOB timeouts?
> 
> Yesterday spamassassin started getting DNS timeouts from the DOB (Day
> Old Bread) server at a.support-intelligence.net:
> 
> dbg: dns: timeout for URIBL_RHS_DOB, URI-DNSBL,
> DNSBL:dob.sibl.support-intelligence.net:akoucq.com after 3 seconds
> dbg: dns: timeout for dob, DNSBL-A,
> dns:A:80.109.50.74.dob.sibl.support-intelligence.net. after 3 seconds
> dbg: dns: timeout for dob, DNS_FROM_DOB, DNSBL-A,
> dns:A:akoucq.com.dob.sibl.support-intelligence.net. after 3 seconds
> dbg: async: aborting remaining lookups
> 
> At about the same time, my name server started logging copious TCP reset
> errors:
> 
> named: dispatch 309a6f0: shutting down due to TCP receive error: connection
> reset
> 
> It turns out the DOB name server at a.support-intelligence.net is
> sending us a premature TCP reset on every DNS query we make.
> 
> I wonder why we are using TCP?  Is that normal?

No.

> 
> More importantly, are DOB lookups failing for anyone else?
> Perhaps we have exceeded some threshold query rate and have
> been blacklisted by the service?
> 

Looks like it is happening here to us also.  We originally thought it was a
DOS directed toward us (that is what our IPS said).

Looks like it's YABB (Yet Another Bogus Blacklist) that will go the way of
others that have not been able to keep up with traffic.

I am disabling the DOB tests till I hear different.
I suggest an SA bugzilla entry as well since I suspect many people have the same
problem.

-- 
Michael Scheidell, CTO
SECNAP Network Security

> Thanks
> Fletcher
> 



Patches for DCC.pm for Commercial Reputation scores

2008-01-06 Thread Michael Scheidell
I am looking for people who want to try patches for the DCC plugin that 
can look at and score emails from the commercial version of DCC.

The one that implements the commercial 'reputation' values.

(If you don't know what I mean, you don't have it)

Currently, the DCC.pm filter will return a true or false, depending on 
whether the 'fuzzy checksums' of the email you just received are already 
listed in the DCC database.
The commercial version also implements a reputation score of the sending 
IP address.
It keeps a percentage of 'spam vs ham' based on all of the DCC agents 
that check the database.


These patches can be used two ways:
Patch #1 will also allow you to set a percentage 'score' to also trigger 
the check_dcc() (or DCC_CHECK) rule.
For example, if you set it to 90 (90%), that means that you want to score 
the DCC_CHECK score on every email from any server for which 90% of the 
emails are 'bulk' according to the DCC server.

(you set dcc_rep_score 90 in local.cf)

Patch #2 allows you to selectively score emails based on the reputation 
RANGES, similar to razor ranges or Bayesian ranges.

something in local.cf like:
full DCC_CHECK70 check_dcc_rep('70','')
score DCC_CHECK70 7.0
describe DCC_CHECK70 The email send from the IP address of the first 
untrusted ip address is 70% bulk email.


full DCC_CHECK0 check_dcc_rep('','1')
score DCC_CHECK0 -1.0
describe DCC_CHECK0  No spam has been seen from this ip address in the 
last few days.


Why this? Why not RBLs? Ok, you can use them (I do), but checking a 
commercial DCC server using dccifd is a lot faster than checking RBLs.


(see: http://www.dcc-servers.net/dcc/reputations.html  there are 
currently over 1 million IP addresses in the database)


I am the official ports maintainer of the FreeBSD SpamAssassin port, and 
I might put this patch in as an optional 'knob' for the next update.


Note: these patches should be 100% upward compatible.  I.e., if you don't put 
a dcc_rep_score in local.cf or don't enable new rules that implement the 
check_dcc_rep() function, it should not change your scores at all.  Also 
note that it does absolutely nothing for you if you don't have and are 
not paying for the commercial DCC product.


I will send these patches to anyone who emails me from a valid corporate 
account (I will NOT send them to freebie and 'home' ISP accounts like 
hotmail, gmail, yahoo, rr, bellsouth, etc).
If you can use this patch, you are running your own mail servers and 
either run your own DCC server, or you contract with someone to access a 
commercial DCC server.


I won't add you to our email list (since I am assuming that most people 
using the commercial DCC service are in business selling or supporting 
anti-spam systems)
Eventually, after testing and feedback, I will send these patches to 
Apache/SpamAssassin group.


--
Michael Scheidell, CTO
SECNAP Network Security
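As an added illustration (this is not the author's patch and not DCC.pm code), the Python below sketches the scoring semantics the post describes: a per-sending-IP reputation percentage, a dcc_rep_score threshold that fires the DCC_CHECK rule (patch #1), and range rules like DCC_CHECK70 and DCC_CHECK0 (patch #2). The X-DCC header layout, the "rep=NN%" token, and the meaning of check_dcc_rep's second argument are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample headers. The "rep=NN%" token is ASSUMED to be how a commercial
# dccifd reports the sending IP's bulk-mail percentage; "no_rep" models a
# non-commercial server, which reports no reputation at all.
SAMPLE_HEADERS = {
    "bulk_sender": "X-DCC-example-Metrics: mx.example.net 1117; Body=1 Fuz1=many Fuz2=many rep=93%",
    "clean_sender": "X-DCC-example-Metrics: mx.example.net 1117; Body=1 Fuz1=1 Fuz2=1 rep=0%",
    "no_rep": "X-DCC-example-Metrics: mx.example.net 1117; Body=1 Fuz1=1 Fuz2=1",
}

REP_RE = re.compile(r"\brep=(\d{1,3})%")

def parse_rep(header: str) -> Optional[int]:
    """Return the reputation percentage (0-100), or None if the server gives none."""
    m = REP_RE.search(header)
    if not m:
        return None
    rep = int(m.group(1))
    return rep if 0 <= rep <= 100 else None  # reject garbage like rep=250%

@dataclass(frozen=True)
class RepRule:
    name: str
    min_pct: Optional[int]  # first check_dcc_rep() arg: fire when rep >= min_pct
    max_pct: Optional[int]  # second arg, ASSUMED to mean: fire when rep <= max_pct
    score: float

# Mirrors the two local.cf rules in the post (DCC_CHECK70 and DCC_CHECK0).
RULES = [RepRule("DCC_CHECK70", 70, None, 7.0), RepRule("DCC_CHECK0", None, 1, -1.0)]
DCC_REP_SCORE = 90  # the post's "dcc_rep_score 90" setting for patch #1

def fired_rules(header: str, rules=RULES, rep_threshold: int = DCC_REP_SCORE) -> List[str]:
    """Names of rules that fire for this header; empty when no reputation is present."""
    rep = parse_rep(header)
    if rep is None:
        return []  # upward compatible: without commercial data nothing changes
    hits = ["DCC_CHECK"] if rep >= rep_threshold else []
    for r in rules:
        if r.min_pct is not None and rep < r.min_pct:
            continue
        if r.max_pct is not None and rep > r.max_pct:
            continue
        hits.append(r.name)
    return hits

def rep_score(header: str, rules=RULES) -> float:
    """Sum of the range-rule scores (DCC_CHECK itself keeps its own configured score)."""
    by_name = {r.name: r.score for r in rules}
    return sum(by_name.get(n, 0.0) for n in fired_rules(header, rules))
```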







Re: Whitelist_from_rcvd not working

2008-01-06 Thread mouss
Loren Wilton wrote:
>> d) Most of you guys are going to say "Get a decent MTA". Some of you
>> might
>
> Didn't you say you were using qmail?  Or am I
> misremembering/misinterpreting?  If you are using qmail for MTA, I'm
> reasonably sure I recall discussion of patches to qmail to make it Do
> The Right Thing that are available on some web site.  The discussion I
> seem to recall is that it does the Wrong Thing by default, but someone
> had a functional and (I think) simple fix.

Received: from gadental.org [67.104.179.147] by mail.visioncomm.net with
ESMTP
  (SMTPD32-8.15) id A16054AA0026; Thu, 03 Jan 2008 15:11:12 -0500
...

I'd say this is an IMail server.