Re: improving detection to cloudmark-like levels?

2017-10-13 Thread Jari Fredriksson
I don't use Kam.cf as it is very prone to false positives and way too 
aggressively scored by default. I'm pretty happy with my current setup with 
3.4.1 though. 

On 12 October 2017 17:07:41 GMT+03:00 "Kevin A. McGrail" wrote:
>On 10/12/2017 9:25 AM, AJ Weber wrote:
>> I'm open to new rules, plug-ins, etc.  Spam volume is only getting 
>> worse, and these spammers are getting more creative. 
>
>Hi AJ,
>
>I have to say that 3.3.0 is pretty old.  I'd look to run a newer 
>version, invest some time into researching a few RBLs and consider 
>adding my KAM.cf file.
>
>Regards,
>KAM

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: improving detection to cloudmark-like levels?

2017-10-13 Thread David Jones

On 10/13/2017 04:45 AM, Jari Fredriksson wrote:
I don't use Kam.cf as it is very prone to false 
positives and way too aggressively scored by default. I'm pretty happy 
with my current setup with 3.4.1 though.




If you are happy with your SA accuracy, don't change a thing.  :)  Have 
you tried the KAM.cf lately?


KAM.cf does have high scores when you first look at it but if you have 
other SA add-ons that subtract points for being "good", then the high 
KAM.cf scores complement things well.  Also, I am using MailScanner and 
the default block score is 6.0 which helps a bit too.  My custom rule 
scores tend to be high on both ends.


On 12 October 2017 17:07:41 GMT+03:00 "Kevin A. McGrail" wrote:

 >On 10/12/2017 9:25 AM, AJ Weber wrote:
 >> I'm open to new rules, plug-ins, etc.  Spam volume is only getting
 >> worse, and these spammers are getting more creative.
 >
 >Hi AJ,
 >
 >I have to say that 3.3.0 is pretty old.  I'd look to run a newer
 >version, invest some time into researching a few RBLs and consider
 >adding my KAM.cf file.
 >
 >Regards,
 >KAM


--
David Jones


URIBL_BLOCKED - which one?

2017-10-13 Thread AJ Weber
I guess this qualifies as a newbie question...I've been running SA for a 
while, but haven't really dug into some of the workings...


I occasionally see the URIBL_BLOCKED notice in some of my spam results.  
I read the related web page, and started using unbound as a local DNS, 
but I'm still seeing this.


Since I have a number of RBL's setup, is there a way to determine which 
of the RBLs blocked my query?  Maybe I have one configured that I need 
to "license" or subscribe-to in some way?


Thanks for the troubleshooting assistance.

-AJ



Re: URIBL_BLOCKED - which one?

2017-10-13 Thread Markus Clardy
URIBL_BLOCKED is in reference to multi.uribl.com.

On Fri, Oct 13, 2017 at 1:40 PM, AJ Weber wrote:

> I guess this qualifies as a newbie question...I've been running SA for a
> while, but haven't really dug into some of the workings...
>
> I occasionally see the URIBL_BLOCKED notice in some of my spam results.  I
> read the related web page, and started using unbound as a local DNS, but
> I'm still seeing this.
>
> Since I have a number of RBL's setup, is there a way to determine which of
> the RBLs blocked my query?  Maybe I have one configured that I need to
> "license" or subscribe-to in some way?
>
> Thanks for the troubleshooting assistance.
>
> -AJ
>
>


-- 
 - Markus


Re: URIBL_BLOCKED - which one?

2017-10-13 Thread David Jones

On 10/13/2017 07:47 AM, Markus Clardy wrote:

URIBL_BLOCKED is in reference to multi.uribl.com.

On Fri, Oct 13, 2017 at 1:40 PM, AJ Weber wrote:


I guess this qualifies as a newbie question...I've been running SA
for a while, but haven't really dug into some of the workings...

I occasionally see the URIBL_BLOCKED notice in some of my spam
results.  I read the related web page, and started using unbound as
a local DNS, but I'm still seeing this.

Since I have a number of RBL's setup, is there a way to determine
which of the RBLs blocked my query?  Maybe I have one configured
that I need to "license" or subscribe-to in some way?

Thanks for the troubleshooting assistance.

-AJ




--
  - Markus


To disable queries to multi.uribl.com, put this in your local.cf or 
equivalent in /etc/mail/spamassassin:


score URIBL_BLACK 0
score URIBL_GREY 0
score URIBL_RED 0

Based on my mail flow and other RBLs, I didn't miss this RBL when I 
disabled it years ago.  It may be valuable to some but Spamhaus and IVM 
do most of the heavy lifting on my mail filters.


--
David Jones


Re: URIBL_BLOCKED - which one?

2017-10-13 Thread David Jones

On 10/13/2017 08:01 AM, Reindl Harald wrote:



On 13.10.2017 at 14:57 David Jones wrote:
To disable queries to multi.uribl.com, put this in your local.cf or 
equivalent in /etc/mail/spamassassin:


score URIBL_BLACK 0
score URIBL_GREY 0
score URIBL_RED 0

Based on my mail flow and other RBLs, I didn't miss this RBL when I 
disabled it years ago.  It may be valuable to some but Spamhaus and 
IVM do most of the heavy lifting on my mail filters


terribly bad idea and not a solution at all when likely his server is 
not using 127.0.0.1 as the only DNS and so other RBL's also won't work 
as expected - when you see URIBL_BLACK you have a problem which needs to 
be solved and not buried




His server's /etc/resolv.conf could be pointed to 127.0.0.1 and still 
have too high a volume to hit URIBL_BLOCKED like mine was years ago.


But yes, make sure you have unbound setup and working properly and 
/etc/resolv.conf is pointing to 127.0.0.1.  Then do a manual query to 
127.0.0.1 to confirm it's working:


# dig @127.0.0.1 test.dbl.spamhaus.org

;; ANSWER SECTION:
test.dbl.spamhaus.org.  60  IN  A   127.0.1.2

Be sure I scored it not to 6.5 just for fun based on an 8.0 milter-reject 
score


BLOCKED: 1512
URIBL_BLACK: 512

[root@mail-gw:~]$ sa-score.sh URIBL_BLACK
/usr/share/spamassassin
score URIBL_BLACK 0 1.7 0 1.7 # n=0 n=2

/var/lib/spamassassin/3.004001/updates_spamassassin_org
score URIBL_BLACK 0 1.7 0 1.7 # n=0 n=2

/etc/mail/spamassassin/local-*.cf
score URIBL_BLACK 6.5


Like I said, disabling URIBL didn't impact my mail filtering because of 
other RBLs and my specific mail flow.  Different mail flow from 
different locations around the world/Internet will cause SA to be a 
little different for everyone.  There's no one-size-fits-all with mail 
filtering and SA but we have common issues like URIBL_BLOCKED that are 
generally solved the same way.  If your volume is low enough, you can 
keep it and setup your local DNS server to do full recursive lookups. 
If your volume is too high for their free usage limit, then disable it and 
use other RBLs that could be better for your locale.


--
David Jones


Re: URIBL_BLOCKED - which one?

2017-10-13 Thread AJ Weber

On 10/13/2017 8:57 AM, David Jones wrote:

On 10/13/2017 07:47 AM, Markus Clardy wrote:
URIBL_BLOCKED is in reference to multi.uribl.com.

--
  - Markus


To disable queries to multi.uribl.com, put this in your local.cf or 
equivalent in /etc/mail/spamassassin:


score URIBL_BLACK 0
score URIBL_GREY 0
score URIBL_RED 0

Based on my mail flow and other RBLs, I didn't miss this RBL when I 
disabled it years ago.  It may be valuable to some but Spamhaus and 
IVM do most of the heavy lifting on my mail filters.


@Markus, @David: Thank you both.  I started digging into the .cf files 
and did find that reference to multi.uribl.com.


Strange that they are denying my queries.  Maybe because I have a DHCP 
address from a major ISP and that's a problem?  I don't really 
understand how they determine who is querying their RBLs.  I thought 
running unbound locally would help mitigate that problem, but I guess not.


Thanks again.


Re: URIBL_BLOCKED - which one?

2017-10-13 Thread AJ Weber

I put the following in my local.cf.  This does not work?

dns_available yes
# - REDIRECT DNS LOOKUPS TO LOCAL "unbound" service to avoid RBL bans
dns_server 127.0.0.1



On 10/13/2017 8:48 AM, Reindl Harald wrote:



On 13.10.2017 at 14:40 AJ Weber wrote:
I guess this qualifies as a newbie question...I've been running SA 
for a while, but haven't really dug into some of the workings...


I occasionally see the URIBL_BLOCKED notice in some of my spam 
results. I read the related web page, and started using unbound as a 
local DNS, but I'm still seeing this


then your machine is *not* using 127.0.0.1 as the only DNS server




Re: URIBL_BLOCKED - which one?

2017-10-13 Thread AJ Weber

On 10/13/2017 9:23 AM, Reindl Harald wrote:
next time make a notice in your first post that you don't have a 
serious mailserver but "maybe because I have a DHCP address from a 
major ISP and that's a problem"


OK, I can do that, but there isn't anything in the troubleshooting for 
DNSBL regarding how your IP address is assigned.  It just recommends 
that you use your own, caching DNS server.  If that is important, maybe 
it should be mentioned in the docs?



On 13.10.2017 at 15:20 AJ Weber wrote:

I put the following in my local.cf.  This does not work?

dns_available yes
# - REDIRECT DNS LOOKUPS TO LOCAL "unbound" service to avoid RBL bans
dns_server 127.0.0.1

then your machine is *not* using 127.0.0.1 as the only DNS server
So does this "dns_server" directive in my local.cf file work as 
expected?  If so, my SA *is* using 127.0.0.1 as the only DNS server.


Re: URIBL_BLOCKED - which one?

2017-10-13 Thread Bowie Bailey

On 10/13/2017 9:45 AM, AJ Weber wrote:

On 10/13/2017 9:23 AM, Reindl Harald wrote:
next time make a notice in your first post that you don't have a 
serious mailserver but "maybe because I have a DHCP address from a 
major ISP and that's a problem"


OK, I can do that, but there isn't anything in the troubleshooting for 
DNSBL regarding how your IP address is assigned.  It just recommends 
that you use your own, caching DNS server.  If that is important, 
maybe it should be mentioned in the docs?


This may be an issue with getting your outgoing mail accepted on other 
mail servers, but it shouldn't make a difference with DNSBL lookups.





On 13.10.2017 at 15:20 AJ Weber wrote:

I put the following in my local.cf. This does not work?

dns_available yes
# - REDIRECT DNS LOOKUPS TO LOCAL "unbound" service to avoid RBL bans
dns_server 127.0.0.1

then your machine is *not* using 127.0.0.1 as the only DNS server
So does this "dns_server" directive in my local.cf file work as 
expected?  If so, my SA *is* using 127.0.0.1 as the only DNS server.


As far as I know, it should work.  I just have it set in my 
/etc/resolv.conf so it is used for everything on the machine.  This is 
the simplest setup unless you have some reason to need a different type 
of DNS for other things.


The main thing with setting up a DNS server for DNSBL lookups is not 
"caching", it is "non-forwarding".  Take a look at your unbound settings 
and make sure it is doing all of the lookups itself and not forwarding 
to another server.


--
Bowie


Re: URIBL_BLOCKED - which one?

2017-10-13 Thread David Jones

On 10/13/2017 08:45 AM, AJ Weber wrote:

On 10/13/2017 9:23 AM, Reindl Harald wrote:
next time make a notice in your first post that you don't have a 
serious mailserver but "maybe because I have a DHCP address from a 
major ISP and that's a problem"


OK, I can do that, but there isn't anything in the troubleshooting for 
DNSBL regarding how your IP address is assigned.  It just recommends 
that you use your own, caching DNS server.  If that is important, maybe 
it should be mentioned in the docs?



On 13.10.2017 at 15:20 AJ Weber wrote:

I put the following in my local.cf.  This does not work?

dns_available yes
# - REDIRECT DNS LOOKUPS TO LOCAL "unbound" service to avoid RBL bans
dns_server 127.0.0.1

then your machine is *not* using 127.0.0.1 as the only DNS server
So does this "dns_server" directive in my local.cf file work as 
expected?  If so, my SA *is* using 127.0.0.1 as the only DNS server.


It should.  Do a test dig @127.0.0.1 to make sure unbound is resolving 
properly.  I am trying to do a test query from my mail servers to 
multi.uribl.com and not getting any response right now.  I have tried 
from multiple locations on the Internet so I could show you exactly how 
to tell when you are blocked.


According to the SA rules, if you get back a response with xxx.xxx.xxx.1 
then your query volume is too high and you hit URIBL_BLOCKED.  The way 
to resolve this is to run your own local DNS that does its own full 
recursive lookup and does not forward to any other DNS server.


Forwarding to other DNS servers combines your queries with potentially 
other queries to the RBL and you don't want that.  You want your DNS 
queries to be independent from any other so they are as few as possible 
to stay under free usage limits.


If you are sure your DNS queries are isolated (not forwarding) and you 
still hit URIBL_BLOCKED, then your only option is to disable those RBLs 
by scoring them as 0.


--
David Jones
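The "xxx.xxx.xxx.1 means blocked" rule above can be checked by hand. The script below is an added example, not code from this thread or from the SpamAssassin project: it decodes a multi.uribl.com A answer the way SA's URIBL rules treat the last octet, assuming the bit values 1 = query blocked (URIBL_BLOCKED), 2 = black, 4 = grey, 8 = red (verify them against the 25_uribl.cf your SA version ships). The live lookup path assumes dig is installed and that the query name is <domain>.multi.uribl.com; the values run through the decoder at the bottom are constructed samples, not captured answers.

```shell
#!/bin/sh
# Added example (not from the thread or the SpamAssassin project).
# Decodes an A record answered by multi.uribl.com the way SpamAssassin's
# URIBL rules treat it: the last octet of 127.0.0.X is a bitmask, assumed
# here as 1 = query blocked (URIBL_BLOCKED), 2 = black, 4 = grey, 8 = red.
# Check the bit values against the 25_uribl.cf your SA version ships.

uribl_decode() {
    # $1: the A record returned for <domain>.multi.uribl.com, e.g. 127.0.0.1
    ip=$1
    case "$ip" in
        127.0.0.[0-9]|127.0.0.[0-9][0-9]|127.0.0.[0-9][0-9][0-9]) ;;
        *) echo "NOT_LISTED"; return 0 ;;   # NXDOMAIN, empty, or not a 127.0.0.X answer
    esac
    octet=${ip##*.}
    hits=""
    [ $((octet & 1)) -ne 0 ] && hits="$hits URIBL_BLOCKED"
    [ $((octet & 2)) -ne 0 ] && hits="$hits URIBL_BLACK"
    [ $((octet & 4)) -ne 0 ] && hits="$hits URIBL_GREY"
    [ $((octet & 8)) -ne 0 ] && hits="$hits URIBL_RED"
    [ -n "$hits" ] || hits=" UNKNOWN_CODE_$ip"
    echo "${hits# }"
}

# Look a domain up through one resolver only (default 127.0.0.1, the local
# unbound), so the answer reflects what SpamAssassin itself would receive.
uribl_query() {
    domain=$1
    resolver=${2:-127.0.0.1}
    answer=$(dig +short @"$resolver" "$domain.multi.uribl.com" A 2>/dev/null | head -n 1)
    uribl_decode "$answer"
}

# Run constructed answers through the decoder so the mapping is visible
# without network access (sample values, not captured from a live query).
for sample in 127.0.0.1 127.0.0.2 127.0.0.14 ""; do
    printf '%-12s -> %s\n' "${sample:-<empty>}" "$(uribl_decode "$sample")"
done
```

If `uribl_query somedomain.example` answers URIBL_BLOCKED for every name you try, the resolver your queries leave from has hit the free-use limit; if it answers NOT_LISTED for a domain you know is listed, the resolver itself is not working and the score-0 workaround would only hide that.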


Re: URIBL_BLOCKED - which one?

2017-10-13 Thread John Hardin


I just want to call this out as the critical detail in all the 
back-and-forth:


The main thing with setting up a DNS server for DNSBL lookups is not 
"caching", it is "non-forwarding".  Take a look at your unbound settings 
and make sure it is doing all of the lookups itself and not forwarding 
to another server.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The tree of freedom must be freshened from time to time
  with the blood of tyrants and tyrannosaurs.
 -- DW, commenting on the GM6 Lynx .50BMG bullpup
---
 197 days since the first commercial re-flight of an orbital booster (SpaceX)


Re: URIBL_BLOCKED - which one?

2017-10-13 Thread Tom Hendrikx
Hi,

Note that on at least Ubuntu from some time ago, unbound was
automatically configured to take the dns servers that were received from
an upstream server during DHCP, and configure those as forwarders.

Can you show us output of: unbound-control list_forwards

Kind regards,
Tom

On 13-10-17 18:59, John Hardin wrote:
> 
> I just want to call this out as the critical detail in all the
> back-and-forth:
> 
>> The main thing with setting up a DNS server for DNSBL lookups is not
>> "caching", it is "non-forwarding".  Take a look at your unbound
>> settings and make sure it is doing all of the lookups itself and not
>> forwarding to another server.
> 
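Bowie's point that the resolver must be non-forwarding, and Tom's request for `unbound-control list_forwards`, both come down to one audit. The script below is an added example, not code from the thread or from the unbound or SpamAssassin projects. It assumes the unbound config path /etc/unbound/unbound.conf by default, that `unbound-control list_forwards` prints one "<zone> IN forward <addrs>" line per forward zone and nothing when every zone is recursed locally, and it does not follow `include:` lines (it prints them so you can check those files by hand). The config and resolv.conf texts at the bottom are constructed samples, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the thread or from unbound/SpamAssassin).
# Tells a full recursive unbound apart from one that forwards, using:
#   1. the unbound.conf text (forward-addr:/forward-host: inside forward-zone:)
#   2. the output of `unbound-control list_forwards`, assumed here to print
#      one "<zone> IN forward <addrs>" line per forward zone and nothing at
#      all when every zone is resolved by recursion
#   3. /etc/resolv.conf, which must name only the local instance

# Classify unbound configuration text read from stdin.
unbound_conf_mode() {
    # drop comments first so a commented-out forward-addr does not count
    if sed 's/#.*//' | grep -qE '^[[:space:]]*forward-(addr|host):'; then
        echo FORWARDING
    else
        echo RECURSIVE
    fi
}

# Classify `unbound-control list_forwards` output read from stdin.
unbound_live_mode() {
    if grep -q 'forward'; then
        echo FORWARDING
    else
        echo RECURSIVE
    fi
}

# Print nameserver entries in a resolv.conf (stdin) that are not loopback.
foreign_nameservers() {
    sed 's/#.*//' | awk '$1 == "nameserver" && $2 != "127.0.0.1" && $2 != "::1" { print $2 }'
}

# Driver for a real host; every check is read-only.
audit_unbound() {
    conf=${1:-/etc/unbound/unbound.conf}
    echo "config $conf: $(unbound_conf_mode < "$conf")"
    # include: lines may pull in forwarders from elsewhere (e.g. a resolvconf
    # hook); list them so they get inspected too
    grep -nE '^[[:space:]]*include' "$conf" | sed 's/^/also check: /'
    if command -v unbound-control >/dev/null 2>&1; then
        echo "live: $(unbound-control list_forwards 2>/dev/null | unbound_live_mode)"
    fi
    extra=$(foreign_nameservers < /etc/resolv.conf)
    if [ -n "$extra" ]; then
        echo "resolv.conf: also uses $extra (SA may query through them)"
    else
        echo "resolv.conf: loopback only"
    fi
}

# Constructed samples (not captured from a real host).
SAMPLE_FORWARDING='server:
    interface: 127.0.0.1
forward-zone:
    name: "."
    forward-addr: 192.0.2.53    # ISP resolver handed out by DHCP
'
SAMPLE_RECURSIVE='server:
    interface: 127.0.0.1
    # forward-addr: 192.0.2.53  <- commented out, unbound recurses itself
'
SAMPLE_RESOLV='nameserver 127.0.0.1
nameserver 192.0.2.53
'
printf 'forwarding sample: %s\n' "$(printf '%s' "$SAMPLE_FORWARDING" | unbound_conf_mode)"
printf 'recursive sample:  %s\n' "$(printf '%s' "$SAMPLE_RECURSIVE" | unbound_conf_mode)"
printf 'foreign nameservers in sample resolv.conf: %s\n' "$(printf '%s' "$SAMPLE_RESOLV" | foreign_nameservers)"
```

Run `audit_unbound` on the mail host; a FORWARDING verdict or any non-loopback nameserver means the DNSBL sees your lookups mixed with the forwarder's other clients, which is exactly the situation that trips the free-use limit even at low local volume. A passing `dig @127.0.0.1` alone does not rule this out, since a forwarding unbound answers that test just as happily.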



