Re: DNSWL fp and other problems

2015-05-12 Thread Matthias Leisi
(writing with my dnswl.org hat on)

 On 11.05.2015 at 15:42, Alex Regan mysqlstud...@gmail.com wrote:
 
 Hi,
 
 I have a fp that was passed through thomsonreuters, hitting RCVD_IN_DNSWL_HI, 
 receiving -5 points, from an obvious hacked account.
 
 http://pastebin.com/5LYS7s2v

IP 163.231.6.26, mailout2-trp.thomsonreuters.com, DNSWL Id 1251.

No abuse reports on this IP yet (overall for this DNSWL Id: one back in October 
2014, two in April 2014, and four in 2012 - all but the October 2014 coming 
from a single IP, all different from the one reported here). History of the IP 
reported here:


 1251/163.231.6.26  [-]    2015-05-12 00:00  Last seen
 163.231.6.26       [rbl]  regular-rblcheck  2015-03-06 20:31
     2015-03-06 20:31:00 ix dnsbl 163.231.6.26 RBL filtered by ix.dnsbl.manitu.net:
     Your e-mail service was detected by mx.selfip.biz (NiX Spam) as spamming at
     Fri, 06 Mar 2015 15:03:13 +0100. Your admin should visit
     http://www.dnsbl.manitu.net/lookup.php?value=163.231.6.26
 163.231.6.26       [rbl]  regular-rblcheck  2012-06-13 16:31
 1251/163.231.6.26  [c]    2011-04-30 19:23  DNSWL Id 0 - 1251
 163.231.6.26       [c]    2011-04-30 19:23  Score med - hi
 163.231.6.26       [c]    2011-04-30 19:23  Score low - med
 163.231.6.26       [c]    2011-04-30 19:23  Score none - low
 163.231.6.26       [a]    2011-02-25 01:52  Added record
 1251/163.231.6.26  [-]    2011-02-25 00:00  First seen

(The RBL hit from 2012 is from a source we only used for a short period of time 
due to the lack of accuracy, eg listing all of thomsonreuters.com; the actions 
in 2011 were done while cleaning up the whole DNSWL Id). 

Two „incidents“ in the two months is quite a lot, especially for a DNSWL Id 
with such an overall good record as this one, and hints at some particular 
problem, of which we have no way of knowing whether it is solved or not. 

Score now lowered to low - it will automatically be increased once sufficient 
time has passed and no new RBL hits / abuse reports are coming in.

 Is it also interesting that thomsonreuters.com has no SPF information?

Their email setup is… interesting. Lots of different domain names, IP ranges, 
ASes, and obviously different businesses/business units. I believe maintaining 
somewhat proper and sane SPF record would be a nightmare…

— Matthias





Fwd: Where to download the latest KAM rules?

2015-05-12 Thread Sergio
Thank you, Larry.

-- Forwarded message --
From:
Date: Sun, May 10, 2015 at 2:19 PM
Subject: Re: Where to download the latest KAM rules?

On 2015-05-10 15:11, Sergio wrote:

  Hi,
where is the best place to download the latest KAM rules?

Thanks in advance.

Sergio

http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf
--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 108 Turvey Cove, Hutto, TX 78634-5688


Turning off queries to SORBS

2015-05-12 Thread Chris
Is there a way to turn off queries to SORBS so I don't keep seeing this
in my logs:

error (connection refused) resolving
'23.164.11.209.dnsbl.sorbs.net/A/IN': 67.228.187.34#53

I have Bind9 setup as a caching name server and am using 127.0.0.1 as my
DNS.

Chris

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11°N 97.89°W (Elev. 1092 ft)
20:47:11 up 1 day, 14:56, 1 user, load average: 0.66, 0.43, 0.33
Ubuntu 14.04.2 LTS, kernel 4.0.0-997-generic #201503310205 SMP Tue Mar
31 02:07:04 UTC 2015



Re: Turning off queries to SORBS

2015-05-12 Thread Jeremy McSpadden
dig +trace and see if your ISP is intercepting queries.

--
Jeremy McSpadden | Flux Labs
Local - 850-250-5590 x501 | Mobile - 850-890-2543
Fax - 850-254-2955 | Toll Free - 877-699-FLUX
Web - http://www.fluxlabs.net/


On May 12, 2015, at 8:49 PM, Chris cpoll...@embarqmail.com wrote:

Is there a way to turn off queries to SORBS so I don't keep seeing this
in my logs:

error (connection refused) resolving
'23.164.11.209.dnsbl.sorbs.net/A/IN': 67.228.187.34#53

I have Bind9 setup as a caching name server and am using 127.0.0.1 as my
DNS.

Chris

--
Chris
KeyID 0xE372A7DA98E6705C
31.11°N 97.89°W (Elev. 1092 ft)
20:47:11 up 1 day, 14:56, 1 user, load average: 0.66, 0.43, 0.33
Ubuntu 14.04.2 LTS, kernel 4.0.0-997-generic #201503310205 SMP Tue Mar
31 02:07:04 UTC 2015
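To make the log line Chris quoted easier to triage, here is an added example (not code from the list or from either poster) that parses BIND resolver error lines of that shape, recovers the client IP that was being looked up from the reversed-octet DNSBL query name (23.164.11.209.dnsbl.sorbs.net is the lookup for 209.11.164.23), and tallies failures per list zone, upstream server and reason. The sample log lines, the DNSBL_ZONES list and the second zone in it are constructed for the example; a persistent "connection refused" count from a single upstream for a public list is the pattern Jeremy's dig +trace check is meant to confirm or rule out.

```python
"""Parse BIND resolver error lines for failed DNSBL lookups (added example)."""
import ipaddress
import re

# Constructed sample lines in the shape of the one quoted in this thread.
SAMPLE_LOG = """\
error (connection refused) resolving '23.164.11.209.dnsbl.sorbs.net/A/IN': 67.228.187.34#53
error (connection refused) resolving '23.164.11.209.dnsbl.sorbs.net/A/IN': 67.228.187.34#53
error (network unreachable) resolving '10.0.0.5.zen.spamhaus.org/A/IN': 2001:db8::53#53
error (connection refused) resolving 'example.com/MX/IN': 192.0.2.1#53
"""

# BIND "error (<reason>) resolving '<qname>/<qtype>/IN': <server>#<port>"
LINE_RE = re.compile(
    r"error \((?P<reason>[^)]+)\) resolving "
    r"'(?P<qname>[^']+)/(?P<qtype>[A-Z]+)/IN': (?P<server>.+)#(?P<port>\d+)$"
)

# DNSBL zones this resolver is expected to query (assumed list for the example;
# the first is the zone from the thread).
DNSBL_ZONES = ("dnsbl.sorbs.net", "zen.spamhaus.org")


def dnsbl_qname(ip: str, zone: str) -> str:
    """Build the DNSBL query name: IPv4 octets reversed, under the list zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def split_dnsbl_qname(qname: str, zones=DNSBL_ZONES):
    """Return (client_ip, zone) for a DNSBL query name, or None if it is not one."""
    for zone in zones:
        suffix = "." + zone
        if qname.endswith(suffix):
            labels = qname[: -len(suffix)].split(".")
            if len(labels) != 4:
                return None
            try:
                ip = ipaddress.IPv4Address(".".join(reversed(labels)))
            except ipaddress.AddressValueError:
                return None
            return str(ip), zone
    return None


def parse_line(line: str):
    """Parse one resolver error line into a dict; None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    parsed = split_dnsbl_qname(rec["qname"])
    rec["client_ip"], rec["zone"] = parsed if parsed else (None, None)
    return rec


def summarize(log: str):
    """Count DNSBL resolution failures keyed by (zone, upstream server, reason)."""
    counts = {}
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None or rec["zone"] is None:
            continue  # not a DNSBL lookup (or not a resolver error line)
        key = (rec["zone"], rec["server"], rec["reason"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for (zone, server, reason), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:4d}  {zone:20s} via {server:16s} {reason}")
```

The summary groups by upstream server on purpose: if every failure for one zone points at the same server address, that is the address to look at with dig +trace before touching SpamAssassin's configuration.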