Re: DNS again

2016-06-03 Thread Patrick Ben Koetter
* Reindl Harald :
> 
> 
> On 03.06.2016 at 18:40, Benny Pedersen wrote:
> >On 2016-06-03 18:33, Andy Balholm wrote:
> >>I was using unbound as a local resolver. All queries were going to
> >>127.0.0.1, and there was no forwarding set up.
> >
> >that disqualifies unbound then
> 
> please stop spreading bullshit
> unbound works perfectly as recursive nameserver

ACK for unbound.

It is a very versatile, fast and stable recursive nameserver. We run it as
Recursive DNS at ISPs where, for example at one location, it serves +20
million customers.

p@rick

-- 
[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
 
Registered office: München, District Court of München: HRB 199263
Executive Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein
 


Re: DNS again

2016-06-03 Thread Reindl Harald



On 03.06.2016 at 18:40, Benny Pedersen wrote:

On 2016-06-03 18:33, Andy Balholm wrote:

I was using unbound as a local resolver. All queries were going to
127.0.0.1, and there was no forwarding set up.


that disqualifies unbound then


please stop spreading bullshit
unbound works perfectly as recursive nameserver

unbound.conf:
 cache-min-ttl: 120

and oh wonder - even URIBL/DNSBL responses with an extreme low TTL of a 
few seconds got cached - show me a different resolver with that option






Re: Rule updates are too old - 2016-06-03

2016-06-03 Thread Kim Roar Foldøy Hauge

If you join, you might relax a bit on rejecting spam, but saving it
for masschecks. That's what I do... I do reject something, but not
everything I could.


That's probably not a good idea if it leads to unrepresentative spam.

In particular it may lead to botnet related tests being seriously
overscored, causing extra  FPs for little benefit to the TP rate. This
seems to be already happening.

There could be a similar problem with spamtrap spam too. For RBLs and
hashing it's OK to look at everything that goes to the address. SA
QA  should only use the spam that would have made it through to SA.


That would tend to *under*score those rules for sites that have SA but
few or no MTA-time DNSBL checks, wouldn't it?

Yes, I know, "proper admin"; but such sites probably do exist - should
we punish them by underscoring those rules?


Okay. Now we need a consensus on this subtopic, right? I do not want to
do harm to the project or users of it.


The spam scores should be tuned for a well-configured server. Mail that 
can be trivially rejected by greylisting, rbl, spf and similar tools isn't 
all that interesting to use as a basis for the scores.


--
Kim Roar Foldøy Hauge
Event:Presse - The Gathering 2016
webmas...@samfunnet.no
Root@HC,HX,JH,LZ,OT,P,VH

Re: Rule updates are too old - 2016-06-03

2016-06-03 Thread Jari Fredriksson
On 3.6.2016 19.21, John Hardin wrote:
> On Fri, 3 Jun 2016, RW wrote:
> 
>> On Fri, 03 Jun 2016 17:54:59 +0300
>> Jari Fredriksson wrote:
>>>
>>> If you join, you might relax a bit on rejecting spam, but saving it
>>> for masschecks. That's what I do... I do reject something, but not
>>> everything I could.
>>
>> That's probably not a good idea if it leads to unrepresentative spam.
>>
>> In particular it may lead to botnet related tests being seriously
>> overscored, causing extra  FPs for little benefit to the TP rate. This
>> seems to be already happening.
>>
>> There could be a similar problem with spamtrap spam too. For RBLs and
>> hashing it's OK to look at everything that goes to the address. SA
>> QA  should only use the spam that would have made it through to SA.
> 
> That would tend to *under*score those rules for sites that have SA but
> few or no MTA-time DNSBL checks, wouldn't it?
> 
> Yes, I know, "proper admin"; but such sites probably do exist - should
> we punish them by underscoring those rules?
> 
> 

Okay. Now we need a consensus on this subtopic, right? I do not want to
do harm to the project or users of it.

-- 
jarif.bit





Re: DNS again

2016-06-03 Thread Andy Balholm
I was wondering if your mail server is an on-premises physical machine, or 
something hosted in a data center somewhere. If it’s in a data center, what 
data center?

> On Jun 3, 2016, at 10:47 AM, John  wrote:
> 
> The mail server is my machine with no other server, unless I have 
> misunderstood the question 
> ==John ff
> On 3 Jun 2016, at 17:23, Andy Balholm wrote:
> Where is your mail server hosted. URIBL blocks queries from some cloud 
> providers (including DigitalOcean) unless you have a subscription. For a 
> while I had a mail server hosted on DO, and I was paying more for my URIBL 
> subscription than for my hosting.
> 
> Andy



Re: DNS again

2016-06-03 Thread Daniel J. Luke
On Jun 3, 2016, at 12:51 PM, Daniel J. Luke  wrote:
>> if the first hop in dns is 127.0.0.1 it works
> 
> that's not how +trace works

oh, nevermind - you are right. It will query for the root servers from your 
configured resolvers.

-- 
Daniel J. Luke





Re: DNS again

2016-06-03 Thread Daniel J. Luke
On Jun 3, 2016, at 12:30 PM, Benny Pedersen  wrote:
> dig +trace ipv4.google.com
> 
> if the first hop in dns is 127.0.0.1 it works

that's not how +trace works

from the manpage:

   When tracing is enabled, dig makes iterative queries to resolve
   the name being looked up. It will follow referrals from the root
   servers, showing the answer from each server that was used to
   resolve the lookup.

   If @server is also specified, it affects only the initial query
   for the root zone name servers.

> make sure /etc/resolv.conf only have one single line with nameserver 
> 127.0.0.1 nothing more nothing less

good advice.

> drop unbound if it cant make it right, replace it with bind9

either works fine if configured correctly (and not so well if configured 
incorrectly).

-- 
Daniel J. Luke





OT - RBLs and postwhite

2016-06-03 Thread David Jones
This is a little off topic to SA but a good RBL setup is crucial
to making SA successful.  For those using Postfix, check
the list archives for postscreen settings to use weighted
RBLs which allows using of somewhat unreliable RBLs
in combination with reliable ones which works very well
to block ~98 of the junk using very light weight DNS
checks.

Then you can allow whitelisting of trusted senders based
on their SPF record which allows you to crank up the RBLs
and their weights a little more aggressively in postscreen.

https://github.com/stevejenkins/postwhite

I have had to add comcast.net and other major ISPs
that don't take care of their own outbound mail filtering
which puts them on RBLs that I use in postscreen.  These
large ISPs can't be blocked without major collateral
damage so I have to let these be handled by SA.

Latest example is radware.com and 47.19.108.100
which has been up to some mischief the past 2 weeks
so my senderscore.org score check blocked it in postscreen.

http://multirbl.valli.org/lookup/47.19.108.100.html
https://senderscore.org/lookup.php?lookup=47.19.108.100

Dave


Re: DNS again

2016-06-03 Thread Benny Pedersen

On 2016-06-03 18:33, Andy Balholm wrote:

I was using unbound as a local resolver. All queries were going to
127.0.0.1, and there was no forwarding set up.


that disqualifies unbound then


Re: DNS again

2016-06-03 Thread Andy Balholm
I was using unbound as a local resolver. All queries were going to 127.0.0.1, 
and there was no forwarding set up.

Andy

Re: DNS again

2016-06-03 Thread Benny Pedersen

On 2016-06-03 18:23, Andy Balholm wrote:

Where is your mail server hosted. URIBL blocks queries from some cloud
providers (including DigitalOcean) unless you have a subscription. For
a while I had a mail server hosted on DO, and I was paying more for my
URIBL subscription than for my hosting.


how did you configure dns there ?

all can pay, its just not needed, not even on DO


Re: DNS again

2016-06-03 Thread Benny Pedersen

On 2016-06-03 18:19, jpff wrote:


I was still seeing the occasional URIBL_BLOCKED


do your homework :=)

dig +trace ipv4.google.com

if the first hop in dns is 127.0.0.1 it works

make sure /etc/resolv.conf only have one single line with nameserver 
127.0.0.1 nothing more nothing less


dig is part of bind9-tools

drop unbound if it cant make it right, replace it with bind9

possible your unbound have forward servers ?, doh

i am happy with bind9
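
The two checks suggested in the post above (a single `nameserver 127.0.0.1` line in /etc/resolv.conf, and no forward servers in unbound), written out as an added shell example that is not part of the original thread. The file paths are passed as arguments, and the sample files and the 192.0.2.53 address are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the two resolver settings discussed in this thread.
# Paths are arguments so the checks can be run against copies of the files.

# Succeeds only if FILE has exactly one nameserver entry and it is 127.0.0.1.
check_resolv_conf() {
    awk '
        { sub(/[#;].*/, "") }                      # drop comments
        $1 == "nameserver" {
            n++
            if ($2 != "127.0.0.1") { bad++; print "non-local nameserver: " $2 }
        }
        END {
            if (n == 0) { print "no nameserver entry"; exit 1 }
            if (n > 1)  { print n " nameserver entries, expected 1"; exit 1 }
            exit (bad > 0)
        }' "$1"
}

# Succeeds only if the unbound config FILE hands no queries to an upstream
# resolver, i.e. it contains no active forward-addr: or forward-host: line.
check_unbound_forwarding() {
    awk '
        { sub(/#.*/, "") }                         # drop comments
        $1 == "forward-addr:" || $1 == "forward-host:" {
            fwd++; print "forwards queries to: " $2
        }
        END { exit (fwd > 0) }' "$1"
}

# Constructed sample files (not taken from any poster's machine).
tmp=$(mktemp -d)
printf 'nameserver 127.0.0.1\n' > "$tmp/resolv.good"
printf 'nameserver 127.0.0.1\nnameserver 192.0.2.53  # ISP resolver\n' > "$tmp/resolv.bad"
printf 'server:\n  interface: 127.0.0.1\n  cache-min-ttl: 120\n' > "$tmp/unbound.good"
printf 'server:\n  interface: 127.0.0.1\nforward-zone:\n  name: "."\n  forward-addr: 192.0.2.53\n' > "$tmp/unbound.bad"

for f in resolv.good resolv.bad; do
    if check_resolv_conf "$tmp/$f"; then echo "$f: ok"; else echo "$f: FAIL"; fi
done
for f in unbound.good unbound.bad; do
    if check_unbound_forwarding "$tmp/$f"; then echo "$f: ok"; else echo "$f: FAIL"; fi
done
rm -rf "$tmp"
```

On a live host the arguments would be /etc/resolv.conf and the unbound configuration file, whose location varies by distribution.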


Re: DNS again

2016-06-03 Thread Andy Balholm
Where is your mail server hosted. URIBL blocks queries from some cloud 
providers (including DigitalOcean) unless you have a subscription. For a while 
I had a mail server hosted on DO, and I was paying more for my URIBL 
subscription than for my hosting.

Andy

Re: Rule updates are too old - 2016-06-03

2016-06-03 Thread John Hardin

On Fri, 3 Jun 2016, RW wrote:


On Fri, 03 Jun 2016 17:54:59 +0300
Jari Fredriksson wrote:


If you join, you might relax a bit on rejecting spam, but saving it
for masschecks. That's what I do... I do reject something, but not
everything I could.


That's probably not a good idea if it leads to unrepresentative spam.

In particular it may lead to botnet related tests being seriously
overscored, causing extra  FPs for little benefit to the TP rate. This
seems to be already happening.

There could be a similar problem with spamtrap spam too. For RBLs and
hashing it's OK to look at everything that goes to the address. SA
QA  should only use the spam that would have made it through to SA.


That would tend to *under*score those rules for sites that have SA but few 
or no MTA-time DNSBL checks, wouldn't it?


Yes, I know, "proper admin"; but such sites probably do exist - should we 
punish them by underscoring those rules?



--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  There is no better measure of the unthinking contempt of the
  environmentalist movement for civilization than their call to
  turn off the lights and sit in the dark.-- Sultan Knish
---
 3 days until the 72nd anniversary of D-Day


DNS again

2016-06-03 Thread jpff

OK I expect to get flamed but anyway

I run a couple of mailers, one of which is small with ~5 users.  For
years I ran dnsmasq which was easy to set up and only gave occasional
troubles with the RBL lookups being rejected from my ISP (hi Zen!).  I
knew why but it did not seem to cause much problem in stopping spam.
But with the latest outbreak of discussion and some spare time I
changed to use unbound which was suggested by someone.  Apart from one
semi-error in the instructions it was easy to deploy

BUT

I was still seeing the occasional URIBL_BLOCKED

  0.0 URIBL_BLOCKED  ADMINISTRATOR NOTICE: The query to URIBL was blocked.
                     See
                     http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                     for more information.
                     [URIs: zakofr.top]

I thought the recursive caching dns system was supposed to remove
this.  Just seeking enlightenment.
==John ffitch


Re: How do I tell if SPF plugin is loaded?

2016-06-03 Thread Benny Pedersen

On 2016-06-03 12:14, Robert Chalmers wrote:

How do I tell if SPF is loaded ? Is there a command or a header to
look for?


spamassassin 2>&1 -D --lint

hope you have bash shell on mac

else

perldoc Mail::SpamAssassin::Conf
perldoc Mail::SpamAssassin::Plugin::SPF


Re: Rule updates are too old - 2016-06-03

2016-06-03 Thread RW
On Fri, 03 Jun 2016 17:54:59 +0300
Jari Fredriksson wrote:


> 
> If you join, you might relax a bit on rejecting spam, but saving it
> for masschecks. That's what I do... I do reject something, but not
> everything I could. 

That's probably not a good idea if it leads to unrepresentative spam.

In particular it may lead to botnet related tests being seriously
overscored, causing extra  FPs for little benefit to the TP rate. This
seems to be already happening.

There could be a similar problem with spamtrap spam too. For RBLs and
hashing it's OK to look at everything that goes to the address. SA
QA  should only use the spam that would have made it through to SA.


Re: Rule updates are too old - 2016-06-03

2016-06-03 Thread Jari Fredriksson


On 3 June 2016 16.46.59 GMT+03:00, "Kim Roar Foldøy Hauge" wrote:
>On Fri, 3 Jun 2016, John Hardin wrote:
>
>> On Fri, 3 Jun 2016, dar...@chaosreigns.com wrote:
>>
>>>  20160602:  Spam or ham is below threshold of 150,000:
>>>  http://ruleqa.spamassassin.org/?daterev=20160602
>>>  20160602:  Spam: 589792, Ham: 138721
>>
>> We've been hovering *just* below the ham threshold for a week or so
>now.
>>
>> Anyone who can contribute to masscheck please get in touch with Kevin
>
>> McGrail! Non-English ham is especially welcome. Even a little.
>>
>
>I have non-english ham and spam. I sent a mail ages ago about joining
>the 
>masscheck. I don't think I got a reply.
>
>The traffic on the server isn't that high, 2500 connections per day.
>Most 
>of the mail attempts are blocked by spf, rbl and greylisting. SA does 
>however catch 5-10 norwegian UCBM per day, mostly thanks to custom
>rules.
>

If you join, you might relax a bit on rejecting spam, but saving it for 
masschecks. That's what I do... I do reject something, but not everything I 
could. Quite low volume site, but still I think I do provide a considerable 
part of the ham we have in ruleqa.spamassassin.org. Most of that ham is Finnish 
bulk, but also personal mails from several persons. I rely heavily on SA 
categorization, but DO screen all ham and spam myself.

That said, spam is not so important anyway, as we are not short on that. 
Norwegian spam of course would be really cool!

>>
>> --
>>  John Hardin KA7OHZ   
>http://www.impsec.org/~jhardin/
>>  jhar...@impsec.orgFALaholic #11174 pgpk -a
>jhar...@impsec.org
>>  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873
>2E79
>>
>---
>>   From the Liberty perspective, it doesn't matter if it's a
>>   jackboot or a Birkenstock smashing your face. -- Robb Allen
>>
>---
>>  3 days until the 72nd anniversary of D-Day
>>
>>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: Rule updates are too old - 2016-06-03

2016-06-03 Thread Kim Roar Foldøy Hauge

On Fri, 3 Jun 2016, John Hardin wrote:


On Fri, 3 Jun 2016, dar...@chaosreigns.com wrote:


 20160602:  Spam or ham is below threshold of 150,000:
 http://ruleqa.spamassassin.org/?daterev=20160602
 20160602:  Spam: 589792, Ham: 138721


We've been hovering *just* below the ham threshold for a week or so now.

Anyone who can contribute to masscheck please get in touch with Kevin 
McGrail! Non-English ham is especially welcome. Even a little.




I have non-english ham and spam. I sent a mail ages ago about joining the 
masscheck. I don't think I got a reply.


The traffic on the server isn't that high, 2500 connections per day. Most 
of the mail attempts are blocked by spf, rbl and greylisting. SA does 
however catch 5-10 norwegian UCBM per day, mostly thanks to custom rules.




--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  From the Liberty perspective, it doesn't matter if it's a
  jackboot or a Birkenstock smashing your face. -- Robb Allen
---
 3 days until the 72nd anniversary of D-Day




--
Kim Roar Foldøy Hauge
Event:Presse - The Gathering 2016
webmas...@samfunnet.no
Root@HC,HX,JH,LZ,OT,P,VH

Re: Rule updates are too old - 2016-06-03

2016-06-03 Thread John Hardin

On Fri, 3 Jun 2016, dar...@chaosreigns.com wrote:


20160602:  Spam or ham is below threshold of 150,000:  
http://ruleqa.spamassassin.org/?daterev=20160602
20160602:  Spam: 589792, Ham: 138721


We've been hovering *just* below the ham threshold for a week or so now.

Anyone who can contribute to masscheck please get in touch with Kevin 
McGrail! Non-English ham is especially welcome. Even a little.



--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  From the Liberty perspective, it doesn't matter if it's a
  jackboot or a Birkenstock smashing your face. -- Robb Allen
---
 3 days until the 72nd anniversary of D-Day


Re: How do I tell if SPF plugin is loaded?

2016-06-03 Thread Reindl Harald



On 03.06.2016 at 12:14, Robert Chalmers wrote:

How do I tell if SPF is loaded ? Is there a command or a header to look for?

# Requires the Mail::SpamAssassin::Plugin::SPF plugin be loaded


it is normally loaded but just look in spamd-logs or report-headers for

SPF_PASS
SPF_FAIL
SPF_SOFTFAIL
SPF_NONE





How do I tell if SPF plugin is loaded?

2016-06-03 Thread Robert Chalmers

How do I tell if SPF is loaded ? Is there a command or a header to look for?

# Requires the Mail::SpamAssassin::Plugin::SPF plugin be loaded.

Thanks


Robert Chalmers
rob...@chalmers.com .au  
Mac mini 6.2 - 2012, Intel Core i7,2.3 GHz, Memory:16 GB. El-Capitan 10.11.  
XCode 7.2.1
2TB: Drive 0:HGST HTS721010A9E630. Upper bay. Drive 1:ST1000LM024 HN-M101MBB. 
Lower Bay