Re: what is triggering NO_DNS_FOR_FROM
On Mon, 2017-03-13 at 17:49 +0100, Andy Smith wrote:
> I can see that the domain in question does have A and MX records,
> possibly issues are that the A record doesn't match the PTR for the
> IP returned by the A record and that one of the MX records doesn't
> have a PTR. I'd be keen to know if one or both of these are the
> issue, and what the situation WRT RFCs on email DNS says about what
> are required for proper operation of email.

Martin,

On 13.03.17 18:08, Martin Gregorie wrote:
> Does the domain have a PTR record for every A record and, by
> extension, for every MX record? You should be able to check this
> with 'dig' or simply use 'host' to verify that the relevant reverse
> lookups work OK.

No, he should not check that for any MX records. No sane software resolves
MX and A/ records to check their PTRs. There's no sane reason one should
have reverse DNS records on incoming mail servers. SA does not (and should
not) do that.

PTR records (and matching A records) are required for outgoing mail,
that's all.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
A day without sunshine is like, night.
Re: what is triggering NO_DNS_FOR_FROM
On 13.03.17 17:49, Andy Smith wrote:
> I can see that the domain in question does have A and MX records,
> possibly issues are that the A record doesn't match the PTR for the
> IP returned by the A record and that one of the MX records doesn't
> have a PTR. I'd be keen to know if one or both of these are the
> issue, and what the situation WRT RFCs on email DNS says about what
> are required for proper operation of email.

This has never been an issue, and you should never expect that to match.
There's no point in checking those. Please, do not advise anyone ever to
check for this combination (1).

What is supposed to match:

  sending IP => PTR => A/ => sending IP
  MX => A/ => IP (public aka no private ranges)

See? No reverse checks in the latter case.

You would be surprised that companies like google, aol, yahoo (at the time
I last checked, and I did this multiple times, see (1)) don't have rDNS for
those - that's because there's no requirement (and no sane reason) for that.

> I've already had to ask the owners of the domain to correct an issue
> where their sending server's A record didn't match the PTR and was
> triggering the RDNS_NONE rule (as detected by Exim), so if I'm going
> to convince them to do more modifications I'd prefer to know what I
> was talking about,

The sending IP is NOT the MX record - those are two separate things. Yes,
it may be the same server, but the PTR is checked on incoming mail, and
_never_ on the MX->A record. Simply - don't mix those, you'll lose focus on
the real issue.

(1) In the past I got customer complaints about them being rejected because
"their MX records pointing to A's that didn't match their PTRs". This never
turned out to be true - they were blacklisted, they were refused because
their HELO string was nonexistent, or they just made a complaint without
any real problem. Once the admin wasn't even able to translate a clear
error message from English, nor search for the error message on the net...
Simply, don't do that.
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Windows 2000: 640 MB ought to be enough for anybody
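The three DNS relationships this reply separates (the envelope-sender domain test that NO_DNS_FOR_FROM describes, the sending-IP PTR round trip, and MX => A => public IP with no reverse lookup) as an added example, not SpamAssassin's own code. It resolves against a constructed in-memory zone so it runs offline; the names under example.test, the 192.0.2.0/24 and 2001:db8::/32 addresses, and the dict-based resolver are all assumptions made for the example.

```python
"""Added example (not SpamAssassin's code): the DNS checks discussed in this
thread, run against a constructed in-memory zone instead of live DNS."""
import ipaddress

# Constructed zone data: {(owner name, rtype): [rdata, ...]}.
# A missing key behaves like NXDOMAIN / NODATA.
ZONE = {
    ("example.test", "MX"): ["mx1.example.test", "mx2.example.test"],
    ("mx1.example.test", "A"): ["192.0.2.10"],        # deliberately no PTR
    ("mx2.example.test", "AAAA"): ["2001:db8::25"],   # deliberately no PTR
    ("mail-out.example.test", "A"): ["192.0.2.20"],
    ("20.2.0.192.in-addr.arpa", "PTR"): ["mail-out.example.test"],
    # PTR that names a host which does not resolve back to the same IP
    ("21.2.0.192.in-addr.arpa", "PTR"): ["other.example.test"],
    ("other.example.test", "A"): ["192.0.2.99"],
    ("only-a.example.test", "A"): ["192.0.2.30"],     # A record only, no MX
    ("private-mx.example.test", "MX"): ["mx.private-mx.example.test"],
    ("mx.private-mx.example.test", "A"): ["10.0.0.25"],
}

# "Public aka no private ranges": RFC 1918, loopback, link-local, IPv6 ULA.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


def lookup(name, rtype):
    """Stand-in for a DNS query; returns [] when there is no such record."""
    return ZONE.get((name.lower().rstrip("."), rtype), [])


def addresses(name):
    """A and AAAA records of a name as ipaddress objects."""
    return [ipaddress.ip_address(a) for t in ("A", "AAAA") for a in lookup(name, t)]


def is_public(addr):
    # ip_network.__contains__ is False across IPv4/IPv6, so mixing is safe.
    return not any(addr in net for net in PRIVATE_NETS)


def sender_has_no_dns(envelope_sender):
    """The condition the NO_DNS_FOR_FROM description states: the envelope
    sender's domain has neither MX nor A records."""
    domain = envelope_sender.rsplit("@", 1)[-1]
    return not lookup(domain, "MX") and not lookup(domain, "A")


def sending_ip_fcrdns_ok(ip):
    """sending IP => PTR => A/AAAA => sending IP, the forward-confirmed
    reverse DNS check applied to the IP that connects to you."""
    addr = ipaddress.ip_address(ip)
    return any(addr in addresses(ptr) for ptr in lookup(addr.reverse_pointer, "PTR"))


def mx_targets_ok(domain):
    """MX => A/AAAA => public IP.  No PTR lookup is involved.  With no MX
    record the domain itself is the implicit target (RFC 5321 section 5.1)."""
    targets = lookup(domain, "MX") or [domain]
    for target in targets:
        addrs = addresses(target)
        if not addrs or not all(is_public(a) for a in addrs):
            return False
    return True


if __name__ == "__main__":
    print("NO_DNS_FOR_FROM condition:", sender_has_no_dns("user@nowhere.example.test"))
    print("sending IP 192.0.2.21 FCrDNS:", sending_ip_fcrdns_ok("192.0.2.21"))
    print("example.test MX targets:", mx_targets_ok("example.test"))
```

Note that mx1.example.test and mx2.example.test have no PTR records at all, yet mx_targets_ok("example.test") passes: that is the point of the reply, the reverse lookup only matters for the address that actually connects to you.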
Problems qmail + spamassassin + simscan (score 0/0)
Hi,

Sometimes I get spam that has been classified correctly in spamassassin as
spam, but simscan classifies it with a score different from that processed
by the spamd process. Sorry for my English, but I'll try to explain .. :)

Here's an example:

spamd.log --> Here we see an email that was classified by the spamd process
as suspect (score 14)

2017-03-13 18:10:48.998753500 Mon Mar 13 18:10:48 2017 [23159] info: spamd: processing message <20170313204338.06e7118c3...@vmi108295.contaboserver.net> for qscand:1001
2017-03-13 18:10:51.668508500 Mon Mar 13 18:10:51 2017 [23159] info: spamd: identified spam (14.5/5.0) for qscand:1001 in 2.7 seconds, 64622 bytes.
2017-03-13 18:10:51.668685500 [23159] info: spamd: result: Y 14 - BAYES_99,DCC_CHECK,HTML_MIME_NO_HTML_TAG,JAMEF_SUBJ_BOLETO_FATURA,JAMEF_ZIP_ATTACHED,MIME_HTML_ONLY,RDNS_NONE,TROJAN_JAMEF_ZIP,TVD_SPACE_RATIO scantime=2.7,size=64622,user=qscand,uid=1001,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=57553,mid=<20170313204338.06e7118c3...@vmi108295.contaboserver.net>,bayes=0.999667,autolearn=spam

simscan.log --> However, here we see that the same email, in the simscan
log, received 0/0

2017-03-13 18:10:51.677616500 simscan:[25948]:CLEAN (0.00/0.00):3.8362s::213.136.86.230:finance...@admconsultoria.com.br:u...@mydomain.com

So I saved the email and executed the simscan command manually (at the
command line, as below) with the DEBUG option.
Note that it also ranked the same as spam, as it should be:

# env QMAILQUEUE=/var/qmail/bin/simscan SIMSCAN_DEBUG=2 /var/qmail/bin/qmail-inject u...@mydomain.com < savedspam.txt
simscan: calling /usr/bin/spamc spamc -s 150
simscan:[16216]:SPAM DROPPED (14.50/5.00):2.8341s:2.via Boleto:(null):u...@server.mydomain.com:u...@mydomain.com
simscan: check_spam detected spam refuse message
simscan: Putting the message in quarantine: /var/qmail/quarantine/msg.1489441975.579680.16217
simscan: Message recorded in quarantine successful
simscan: droping the message
simscan: exit error code: 0

So I do not know where else to check for why simscan, running
automatically, sometimes cannot classify a spam, while running the same
command manually works fine... Strange...

I've enabled the DEBUG option in qmail-smtp.rules (SIMSCAN_DEBUG = "2"),
but I saw nothing abnormal, no error or things like ... I'm going crazy
here ... Any tips? I really appreciate any hint!!

More information:

simscan version 1.4.0
compile options:
./configure --enable-user=abc --enable-spam=y --enable-spam-hits=5 --enable-clamav=y --enable-clamdscan=/usr/bin/clamdscan --enable-clamavdb-path=/var/lib/clamav --enable-workdir=/var/qmail/simscan/work/ --enable-quarantinedir=/var/qmail/simscan/quarantine/ --enable-dropmsg=y --enable-spamc-args="-s 150" --enable-ripmime=/usr/bin/ripmime --enable-attach=y --enable-per-domain=y
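One way to find how often the symptom in this post occurs, as an added example that is not part of the original post: parse the spamd "result:" lines and the simscan verdict lines in the formats shown above, pair them up, and report every message that spamd scored as spam but simscan logged as CLEAN (0.00/0.00). The log lines embedded below are constructed (message-ids and example.test addresses are made up); because the simscan line carries no message-id, pairing is done by time, taking the latest spamd result within a window before the simscan line, which is an assumption that holds for a low-volume setup with a single spamd child.

```python
"""Added example: correlate spamd results with simscan verdicts and flag
spam that simscan recorded as CLEAN 0.00/0.00 (constructed log lines)."""
import re
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=5)   # assumption: spamd result precedes simscan line by < 5 s

SPAMD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \[\d+\] info: spamd: result: "
    r"(?P<verdict>[Y.]) (?P<score>-?\d+) - (?P<rules>[A-Za-z0-9_,]*)\s*scantime=.*?"
    r"mid=<(?P<mid>[^>]*)>")
SIMSCAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) simscan:\[\d+\]:"
    r"(?P<verdict>[A-Z ]+?) \((?P<score>-?\d+\.\d+)/(?P<req>\d+\.\d+)\):"
    r"(?P<elapsed>[\d.]+)s:(?P<subject>[^:]*):(?P<ip>[^:]*):(?P<from>[^:]*):(?P<to>.*)$")

# Constructed sample lines in the layouts quoted in the post.
SPAMD_LOG = [
    "2017-03-13 18:10:51.668685500 [23159] info: spamd: result: Y 14 - BAYES_99,RDNS_NONE,MIME_HTML_ONLY scantime=2.7,size=64622,user=qscand,uid=1001,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=57553,mid=<msg-1@example.test>,bayes=0.999667,autolearn=spam",
    "2017-03-13 18:12:03.120000000 [23159] info: spamd: result: . 1 - HTML_MESSAGE scantime=0.9,size=2048,user=qscand,uid=1001,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=57560,mid=<msg-2@example.test>,bayes=0.01,autolearn=no",
    "2017-03-13 18:15:00.500000000 [23159] info: spamd: result: Y 9 - BAYES_99,URIBL_BLACK scantime=1.5,size=4096,user=qscand,uid=1001,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=57570,mid=<msg-3@example.test>,bayes=0.99,autolearn=spam",
]
SIMSCAN_LOG = [
    "2017-03-13 18:10:51.677616500 simscan:[25948]:CLEAN (0.00/0.00):3.8362s::192.0.2.7:sender@example.test:user@example.test",
    "2017-03-13 18:12:03.130000000 simscan:[25950]:CLEAN (1.00/5.00):1.1s:hello:192.0.2.8:friend@example.test:user@example.test",
    "2017-03-13 18:15:00.510000000 simscan:[25955]:SPAM DROPPED (9.00/5.00):1.7s:offer:192.0.2.9:spam@example.test:user@example.test",
]


def parse_ts(stamp):
    """multilog stamps carry nanoseconds; datetime only takes microseconds."""
    head, frac = stamp.split(".")
    return datetime.strptime(f"{head}.{frac[:6]}", "%Y-%m-%d %H:%M:%S.%f")


def parse_spamd(lines):
    out = []
    for line in lines:
        m = SPAMD_RE.match(line)
        if m:
            out.append({"ts": parse_ts(m["ts"]), "spam": m["verdict"] == "Y",
                        "score": int(m["score"]), "mid": m["mid"]})
    return out


def parse_simscan(lines):
    out = []
    for line in lines:
        m = SIMSCAN_RE.match(line)
        if m:
            out.append({"ts": parse_ts(m["ts"]), "verdict": m["verdict"],
                        "score": float(m["score"]), "req": float(m["req"]),
                        "from": m["from"], "to": m["to"]})
    return out


def find_score_mismatches(spamd_lines, simscan_lines, window=WINDOW):
    """Pair each simscan verdict with the latest spamd result that finished
    within `window` before it; report (mid, spamd score, from, to) for pairs
    where spamd said spam but simscan logged CLEAN with a zero score."""
    results = parse_spamd(spamd_lines)
    mismatches = []
    for entry in parse_simscan(simscan_lines):
        candidates = [r for r in results if timedelta(0) <= entry["ts"] - r["ts"] <= window]
        if not candidates:
            continue
        r = max(candidates, key=lambda c: c["ts"])
        if r["spam"] and entry["verdict"] == "CLEAN" and entry["score"] == 0.0:
            mismatches.append((r["mid"], r["score"], entry["from"], entry["to"]))
    return mismatches


if __name__ == "__main__":
    for mid, score, sender, rcpt in find_score_mismatches(SPAMD_LOG, SIMSCAN_LOG):
        print(f"spamd scored {score} but simscan logged CLEAN 0.00: <{mid}> {sender} -> {rcpt}")
```

A 0.00/0.00 verdict is distinguishable from a genuine low score such as 1.00/5.00 because the required score is also zero, which is why the check keys on the score rather than on the CLEAN verdict alone.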
Re: what is triggering NO_DNS_FOR_FROM
On Mon, 13 Mar 2017 17:49:47 +0100
Andy Smith wrote:

> Hi all,
>
> I have some genuine emails getting marked with NO_DNS_FOR_FROM
> from one particular domain and I'd like to know exactly why. I've had
> a dig in the SpamAssassin Dns.pm but I can't work out exactly what
> process_dnsbl_result is doing. What exactly does it check WRT MX and A
> records?

It does what it says it does, it checks if the envelope sender address has
neither an MX nor A record.

One complication is that SA has to work out what the envelope sender
address is, see "envelope_sender_header" in the configuration
documentation.

If you have a copy of the email that failed on NO_DNS_FOR_FROM, run it
through SA and see if the problem is reproducible. If it is, run it through
spamassassin -D and search for NO_DNS_FOR_FROM to see what address is being
used.
Re: what is triggering NO_DNS_FOR_FROM
On Mon, 2017-03-13 at 17:49 +0100, Andy Smith wrote:
> I can see that the domain in question does have A and MX records,
> possibly issues are that the A record doesn't match the PTR for the
> IP returned by the A record and that one of the MX records doesn't
> have a PTR. I'd be keen to know if one or both of these are the
> issue, and what the situation WRT RFCs on email DNS says about what
> are required for proper operation of email.
>
Does the domain have a PTR record for every A record and, by extension,
for every MX record? You should be able to check this with 'dig' or simply
use 'host' to verify that the relevant reverse lookups work OK.

Is the domain's SPF record valid and configured properly? I use this site
for checking SPF records: http://www.kitterman.com/spf/validate.html

Martin
Re: what is triggering NO_DNS_FOR_FROM
>From: Reindl Harald
>Sent: Monday, March 13, 2017 12:11 PM
>To: Andy Smith; users@spamassassin.apache.org; David Jones
>Subject: Re: what is triggering NO_DNS_FOR_FROM

>it's also about the FROM-HEADER and not about envelopes alone and hence
>i doubt "because I reject these senders at the postfix MTA level
>before SA"

The rule description says "Envelope sender" which is what I was going by:

20_net_tests.cf:header NO_DNS_FOR_FROM eval:check_dns_sender()
20_net_tests.cf:describe NO_DNS_FOR_FROM Envelope sender has no MX or A DNS records

I do block the envelope-from domain in postfix if it can't be resolved
therefore I don't see any hits on that rule.

http://www.postfix.org/postconf.5.html#reject_unknown_sender_domain

Dave
Re: what is triggering NO_DNS_FOR_FROM
>From: Andy Smith
>Sent: Monday, March 13, 2017 11:49 AM
>To: users@spamassassin.apache.org
>Subject: what is triggering NO_DNS_FOR_FROM

>Hi all,
>
>I have some genuine emails getting marked with NO_DNS_FOR_FROM from one
>particular domain and I'd like to know exactly why. I've had a dig in the
>SpamAssassin Dns.pm but I can't work out exactly what process_dnsbl_result is
>doing. What exactly does it check WRT MX and A records?
>
>I can see that the domain in question does have A and MX records, possibly
>issues are that the A record doesn't match the PTR for the IP returned by the
>A record and that one of the MX records doesn't have a PTR. I'd be keen to
>know if one or both of these are the issue, and what the situation WRT RFCs
>on email DNS says about what are required for proper operation of email.
>
>I've already had to ask the owners of the domain to correct an issue where
>their sending server's A record didn't match the PTR and was triggering the
>RDNS_NONE rule (as detected by Exim), so if I'm going to convince them to do
>more modifications I'd prefer to know what I was talking about,
>
>thanks, Andy.

I have never seen this rule in SA because I reject these senders at the
postfix MTA level before SA. I recommend doing this at the MTA level so the
senders get a good bounce message that they can Google themselves and
hopefully figure out their own problem before having to contact you.

# grep NO_DNS_FOR_FROM /var/lib/spamassassin/3.004001/updates_spamassassin_org/*
20_net_tests.cf:header NO_DNS_FOR_FROM eval:check_dns_sender()
20_net_tests.cf:describe NO_DNS_FOR_FROM Envelope sender has no MX or A DNS records

Dave
what is triggering NO_DNS_FOR_FROM
Hi all,

I have some genuine emails getting marked with NO_DNS_FOR_FROM from one
particular domain and I'd like to know exactly why. I've had a dig in the
SpamAssassin Dns.pm but I can't work out exactly what process_dnsbl_result
is doing. What exactly does it check WRT MX and A records?

I can see that the domain in question does have A and MX records; possibly
the issues are that the A record doesn't match the PTR for the IP returned
by the A record and that one of the MX records doesn't have a PTR. I'd be
keen to know if one or both of these are the issue, and what the situation
WRT RFCs on email DNS says about what is required for proper operation of
email.

I've already had to ask the owners of the domain to correct an issue where
their sending server's A record didn't match the PTR and was triggering the
RDNS_NONE rule (as detected by Exim), so if I'm going to convince them to
do more modifications I'd prefer to know what I was talking about.

thanks,
Andy.
mk_meta_rule_scores - does it work correctly?:)
Hi!

Thanks to AXB seek-in-phrases-in-log works OK. Now I'm on the next step
with automated creating rules. I suspect that mk_meta_rule_scores doesn't
assign scores correctly.

I set in mk_meta_rule_scores:

my %scoremap = (
    '70'   => '1.5',
    '4'    => '2.0',
    '0.01' => '3.0',
);

$ cat tmp/clean.cf
# passed hit-rate threshold: 70
body __RULE_AUTORULE_3NILJ5 /Jeżeli zainteresowała Cię ta oferta, to odwiedź naszą stronę/
body __RULE_AUTORULE_TQJGPO /Nézzen körül OTTHON-TAKARÍTÁS ajánlataink között\!/
# passed hit-rate threshold: 4
body __RULE_AUTORULE_UG4HMS /100 W-os LED REFLEKTOR, MOZGÁSÉRZÉKELŐS FÉNYVETŐ/
body __RULE_AUTORULE_GYUXEK /MR\. WINDOW ABLAKTISZTÍTÓ KÉSZLET/

$ ./mk_meta_rule_scores rule tmp/clean.cf
# Creation: 2017-03-13 14:37:19
# Note: rule names are based on a hash of the content pattern.
# passed hit-rate threshold: 70
#current th: 70 outscore=1.5
meta rule1 (0)
score rule1 0
describe rule1 Body contains frequently-spammed text patterns
body __RULE_AUTORULE_3NILJ5 /Je\x{c5}\x{bc}eli zainteresowa\x{c5}\x{82}a Ci\x{c4}\x{99} ta oferta, to odwied\x{c5}\x{ba} nasz\x{c4}\x{85} stron\x{c4}\x{99}/
body __RULE_AUTORULE_TQJGPO /N\x{c3}\x{a9}zzen k\x{c3}\x{b6}r\x{c3}\x{bc}l OTTHON-TAKAR\x{c3}\x{8d}T\x{c3}\x{81}S aj\x{c3}\x{a1}nlataink k\x{c3}\x{b6}z\x{c3}\x{b6}tt\!/
# passed hit-rate threshold: 4
#current th: 4 outscore=2.0
meta rule2 (__RULE_AUTORULE_3NILJ5 || __RULE_AUTORULE_TQJGPO)
score rule2 2.0
describe rule2 Body contains frequently-spammed text patterns
body __RULE_AUTORULE_UG4HMS /100 W-os LED REFLEKTOR, MOZG\x{c3}\x{81}S\x{c3}\x{89}RZ\x{c3}\x{89}KEL\x{c5}\x{90}S F\x{c3}\x{89}NYVET\x{c5}\x{90}/
body __RULE_AUTORULE_GYUXEK /MR\. WINDOW ABLAKTISZT\x{c3}\x{8d}T\x{c3}\x{93} K\x{c3}\x{89}SZLET/
#current th: outscore=2.8
meta rule3 (__RULE_AUTORULE_UG4HMS || __RULE_AUTORULE_GYUXEK)
score rule3 2.8
describe rule3 Body contains frequently-spammed text patterns

Why is "score rule1" set to zero?

Marcin
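In the output above each meta rule is written out when the next "# passed hit-rate threshold" header is reached rather than when its group ends: rule1 comes out with no subrules and score 0, the threshold-70 rules land in rule2 with the threshold-4 score, and the last group gets a score that matches no scoremap entry. The following is an added example, not the mk_meta_rule_scores script itself: a Python reimplementation of the grouping that emits each meta rule only after its group's body rules have all been collected and looks the score up under that group's own threshold. The clean.cf text is constructed in the layout shown (ASCII patterns stand in for the originals, plus one extra group with an unmapped threshold), and DEFAULT_SCORE is an assumption for thresholds absent from the map.

```python
"""Added example (not the mk_meta_rule_scores script): build one meta rule
per hit-rate threshold group from a clean.cf-style file."""
import re

SCOREMAP = {"70": "1.5", "4": "2.0", "0.01": "3.0"}   # the %scoremap from the post
DEFAULT_SCORE = "1.0"   # assumption: score for a threshold missing from SCOREMAP
DESCRIBE = "Body contains frequently-spammed text patterns"

THRESHOLD_RE = re.compile(r"^#\s*passed hit-rate threshold:\s*(\S+)")
BODY_RE = re.compile(r"^body\s+(__\w+)\s+")

# Constructed input in the layout of the post's clean.cf.
CLEAN_CF = """\
# passed hit-rate threshold: 70
body __RULE_AUTORULE_3NILJ5 /If this offer interests you, visit our site/
body __RULE_AUTORULE_TQJGPO /Browse our HOME-CLEANING offers\\!/
# passed hit-rate threshold: 4
body __RULE_AUTORULE_UG4HMS /100 W LED FLOODLIGHT, MOTION-SENSOR/
body __RULE_AUTORULE_GYUXEK /MR\\. WINDOW CLEANING KIT/
# passed hit-rate threshold: 2
body __RULE_AUTORULE_ZZZZZZ /threshold with no scoremap entry/
"""


def group_rules(cf_text):
    """Return [(threshold, [body lines], [subrule names]), ...] in file order.
    A body rule is attached to the most recent threshold header."""
    groups = []
    for line in cf_text.splitlines():
        m = THRESHOLD_RE.match(line)
        if m:
            groups.append((m.group(1), [], []))
            continue
        m = BODY_RE.match(line)
        if m:
            if not groups:                 # body rule before any header
                groups.append((None, [], []))
            groups[-1][1].append(line)
            groups[-1][2].append(m.group(1))
    return groups


def build_meta_rules(cf_text, scoremap=SCOREMAP, default=DEFAULT_SCORE):
    """One meta rule per non-empty group, scored by the group's own threshold.
    Empty groups are skipped, so no 'meta ruleN (0)' / 'score ruleN 0' pair
    can be produced."""
    metas = []
    for threshold, body_lines, names in group_rules(cf_text):
        if not names:
            continue
        metas.append({
            "name": f"rule{len(metas) + 1}",
            "threshold": threshold,
            "subrules": names,
            "score": scoremap.get(threshold, default),
            "body_lines": body_lines,
        })
    return metas


def render_cf(metas):
    """Emit SpamAssassin configuration: body subrules, then meta/score/describe."""
    out = []
    for m in metas:
        out.append(f"# passed hit-rate threshold: {m['threshold']}")
        out.extend(m["body_lines"])
        out.append(f"meta {m['name']} ({' || '.join(m['subrules'])})")
        out.append(f"score {m['name']} {m['score']}")
        out.append(f"describe {m['name']} {DESCRIBE}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_cf(build_meta_rules(CLEAN_CF)))
```

Running it prints rule1 with both threshold-70 subrules and score 1.5, rule2 with the threshold-4 subrules and score 2.0, and rule3 with the default score for the unmapped threshold.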