Re: FPs on FORGED_MUA_MOZILLA (for my own hand-typed messages from my latest-version Thunderbird)

2018-10-02 Thread Dave Warren

> On Oct 2, 2018, at 13:49, Bill Cole  
> wrote:
> 
> On 2 Oct 2018, at 13:39, Matus UHLAR - fantomas wrote:
> 
>>> On 2 Oct 2018, at 9:36, Rob McEwen wrote:
>>>> SIDE NOTE: I don't think there was any domain in my message that was
>>>> blacklisted on URIBL - so I can't explain the "URIBL_BLOCKED", but that
>>>> only scored 0.001, so that was innocuous. I suspect that that rule is
>>>> malfunctioning on their end, and then they changed the score to .001 - so
>>>> just please ignore that for the purpose of this discussion.
>> 
>> On 02.10.18 11:48, Bill Cole wrote:
>>> No, "URIBL_BLOCKED" means that the URIBL DNS returned a value that is 
>>> supposed to be a message to a mail admin that they are using URIBL wrong
>> 
>>> A mail filtering system that gets URIBL_BLOCKED hits is broken. A mail 
>>> filtering system that gets them chronically is mismanaged.
>> 
>> Nonsense. There is no such implication here. While URIBL_BLOCKED may and
>> most of the time apparently does mean that system uses DNS server shared
>> with too many clients, any system that receives and checks too much mail may
>> get URIBL_BLOCKED just because they have crossed the limit, without using it
>> wrong or being broken.
> 
> Operating a system in a manner which chronically crosses that limit is 
> abusive.
> 
> The DNS reply that results in URIBL_BLOCKED is not "free" for the URIBL 
> operators and depending on their software may be as expensive as sending a 
> real reply. It has the advantage over simply dropping abusive queries that it 
> does not impose timeout delays on abusive queriers and sends a clear signal 
> that can and should be acted upon.


The DNSBL operator can also choose to use a frontend firewall/router/etc system 
to redirect the queries to a dedicated server which can reduce the packet per 
second rate that the authoritative DNS servers need to cope with.

Abusive queries can almost definitely be handled much faster by a 
small/dedicated server that does nothing but return one single wild carded 
response, reducing the impact that abusive users can have on the primary 
infrastructure.




Re: FPs on FORGED_MUA_MOZILLA (for my own hand-typed messages from my latest-version Thunderbird)

2018-10-02 Thread Bill Cole

On 2 Oct 2018, at 13:39, Matus UHLAR - fantomas wrote:


On 2 Oct 2018, at 9:36, Rob McEwen wrote:
SIDE NOTE: I don't think there was any domain in my message that was
blacklisted on URIBL - so I can't explain the "URIBL_BLOCKED", but 
that only scored 0.001, so that was innocuous. I suspect that that 
rule is malfunctioning on their end, and then they changed the score 
to .001 - so just please ignore that for the purpose of this 
discussion.


On 02.10.18 11:48, Bill Cole wrote:
No, "URIBL_BLOCKED" means that the URIBL DNS returned a value that is 
supposed to be a message to a mail admin that they are using URIBL 
wrong


A mail filtering system that gets URIBL_BLOCKED hits is broken. A 
mail filtering system that gets them chronically is mismanaged.


Nonsense. There is no such implication here. While URIBL_BLOCKED may and
most of the time apparently does mean that system uses DNS server shared
with too many clients, any system that receives and checks too much mail may
get URIBL_BLOCKED just because they have crossed the limit, without using it
wrong or being broken.


Operating a system in a manner which chronically crosses that limit is 
abusive.


The DNS reply that results in URIBL_BLOCKED is not "free" for the URIBL 
operators and depending on their software may be as expensive as sending 
a real reply. It has the advantage over simply dropping abusive queries 
that it does not impose timeout delays on abusive queriers and sends a 
clear signal that can and should be acted upon.


Re: FPs on FORGED_MUA_MOZILLA (for my own hand-typed messages from my latest-version Thunderbird)

2018-10-02 Thread John Hardin

On Tue, 2 Oct 2018, Matus UHLAR - fantomas wrote:


On 2 Oct 2018, at 9:36, Rob McEwen wrote:
SIDE NOTE: I don't think there was any domain in my message that was
blacklisted on URIBL - so I can't explain the "URIBL_BLOCKED", but that 
only scored 0.001, so that was innocuous. I suspect that that rule is 
malfunctioning on their end, and then they changed the score to .001 - so 
just please ignore that for the purpose of this discussion.


On 02.10.18 11:48, Bill Cole wrote:
No, "URIBL_BLOCKED" means that the URIBL DNS returned a value that is 
supposed to be a message to a mail admin that they are using URIBL wrong 


A mail filtering system that gets URIBL_BLOCKED hits is broken. A mail 
filtering system that gets them chronically is mismanaged.


Nonsense. There is no such implication here. While URIBL_BLOCKED may and
most of the time apparently does mean that system uses DNS server shared
with too many clients, any system that receives and checks too much mail may
get URIBL_BLOCKED just because they have crossed the limit, without using it
wrong or being broken.


And just to actually provide useful information to the OP:

Tell them that they need to set up a local, recursive, 
***NON-FORWARDING*** DNS server for the use of SA (and likely their MTA).


Searching for URIBL_BLOCKED in the mailing list archives will cover it in 
*excruciating* detail. It's a VFAQ.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Win95: Where do you want to go today?
  Vista: Where will Microsoft allow you to go today?
---
 551 days since the first commercial re-flight of an orbital booster (SpaceX)


Re: FPs on FORGED_MUA_MOZILLA (for my own hand-typed messages from my latest-version Thunderbird)

2018-10-02 Thread Matus UHLAR - fantomas

On 10/2/2018 9:59 AM, Matus UHLAR - fantomas wrote:

can you post the headers?
or at least the Message-Id?


On 02.10.18 11:07, Rob McEwen wrote:
Here is the message as THEIR system saw it (with my client's info 
masked)  - but it looks like their Kerio (or the customer's email 
client?) might not be storing everything as it was originally sent?


it's possible. It _could_ cause the problem. 


...but this is what my client sent me, fwiw:


Received: from mail.powerviewmail.com 
([204.9.77.40])

by with ESMTPS
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256 bits))
for ;
Mon, 1 Oct 2018 15:17:10 +0200
DKIM-Signature: a=rsa-sha256; t=1538399816; x=1539004616; 
s=ivm_invaluement; d=invaluement.com ; 
c=relaxed/relaxed; v=1; 
bh=C6QzEUsPRf8EoiIEIhSF1hnXxy9JIlmjGFO/079v4QQ=; h=From:Subject:Date:Message-ID:To:MIME-Version:Content-Type:In-Reply-To:References;

b=V5Sv2lZUWL4P29pcEVY6r/8uFRcuNL1hR794r6M1TJZcvw+i4vTgrvWf+CKSN/F1f2FS/0CdF4UCux+dS/vFjj3X9fdmwv9jpizZqwvJseyCYEmT2HItdeqo0NfNIoQwziEPDMgYS3f35iWlcb7wqrPjfx5EslHr+oC0eoeGBaA=
Received: from [204.9.77.40] ([204.9.77.40])
        by mail.powerviewmail.com 
(IceWarp 12.0.2.1 x64) with ASMTP id 
201810010916565985

        for ; Mon, 01 Oct 2018 09:16:


No message-id here, but also no X-Spam headers.

Here is an excerpt from the headers, copied from the message in my 
Thunderbird "sent" folder:


unwrapped:


Message-ID: <39397904-9830-5010-a3d2-a62af8326...@invaluement.com>


this does seem to match:
MESSAGEID =~ 
/^<(?:[a-f\d]{8}-(?:[a-f\d]{4}-){3}[a-f\d]{12}|[A-F\d]{8}\.[A-F1-9][A-F\d]{0,7})\@\S+>$/m

8h-4h-4h-4h-12h@

hmmm we need to look at

(__LYRIS_EZLM_REMAILER || __GATED_THROUGH_RCVD_REMOVER ||
__WACKY_SENDMAIL_VERSION || __IPLANET_MESSAGING_SERVER ||
__HOTMAIL_BAYDAV_MSGID || __SYMPATICO_MSGID)




--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam = (S)tupid (P)eople's (A)dvertising (M)ethod


Re: iXhash service issues

2018-10-02 Thread sebast...@debianfan.de
As far as I understand it,

http://www.dnsbl.manitu.net/

is the "successor in terms of content" to this list, isn't it?

Regards

Sebastian

> On 02.10.2018 at 14:37, Jakob Hirsch wrote:
> 
> Hi,
> 
>> On 2018-09-30 18:06, Alex wrote:
>> 30-Sep-2018 12:03:24.249 query-errors: client @0x7ff3f01a43d0
>> 68.195.193.45#44607
>> (230fe40b1401cf8c3fe2b8699cdb91bf.generic.ixhash.net): query failed
>> (SERVFAIL) for 230fe40b1401cf8c3fe2b8699cdb91bf.generic.ixhash.net/IN/A
>> at query.c:8580
> 
> According to a posting in the German ixHash forum, generic.ixhash.net
> was deprecated since end of 2014 (it still answered, but was not updated
> any more), so maybe it went completely offline now.
> 
> [2] also lists hosteurope.ixhash.net and ixhash.spameatingmonkey.net. as
> being shut down, which leaves ix.dnsbl.manitu.net as the only remaining
> ixhash source (I know of). It is operated by the German hosting company
> manitu, which is not a big player, but reputable, known as reliable and
> exists for more than 20 years, and they have partners[3] to run it (no,
> I'm not affiliated with them in any way).
> The whole ixhash stuff looks a little abandoned, but the stats in [4]
> still look kind of okay, so I'll keep using it for now.
> 
> 
> Regards,
> Jakob
> 
> 
> 
> [1]
> https://www.heise.de/forum/iX/Kommentare/Gemeinsam-stark/iXhash-Blacklist-geht-ausser-Betrieb/posting-2215803/show/
> [2] https://www.intra2net.com/en/support/antispam/latest-news.php.html
> [3] http://www.dnsbl.manitu.net/partners.php?language=en
> [4]
> https://www.intra2net.com/de/support/antispam/blacklist.php_dnsbl=hash_ix.html

mailingliste_2018_10_02...@akademikerball.de




Re: FPs on FORGED_MUA_MOZILLA (for my own hand-typed messages from my latest-version Thunderbird)

2018-10-02 Thread Rob McEwen
Bill,

Even though this part wasn't the main purpose of the thread, that is still very 
helpful information. I will pass that along to my client so that they can 
hopefully fix their configuration problem with regards to their usage of URIBL.

Thanks!

Rob McEwen


Sent from my Verizon Motorola Droid
On Oct 2, 2018 11:48 AM, Bill Cole  
wrote:
>
> On 2 Oct 2018, at 9:36, Rob McEwen wrote: 
>
> > SIDE NOTE: I don't think there was any domain in my message that was
> > blacklisted on URIBL - so I can't explain the "URIBL_BLOCKED", but 
> > that only scored 0.001, so that was innocuous. I suspect that that 
> > rule is malfunctioning on their end, and then they changed the score 
> > to .001 - so just please ignore that for the purpose of this 
> > discussion. 
>
> No, "URIBL_BLOCKED" means that the URIBL DNS returned a value that is 
> supposed to be a message to a mail admin that they are using URIBL wrong 
> and will never get a useful answer without either (1) paying for a feed
> to support their usage volume or (2) using their own recursive resolver 
> instead of forwarding queries to the likes of Google, OpenDNS, & 
> CloudFlare. 
>
> A mail filtering system that gets URIBL_BLOCKED hits is broken. A mail 
> filtering system that gets them chronically is mismanaged. 


Re: FPs on FORGED_MUA_MOZILLA (for my own hand-typed messages from my latest-version Thunderbird)

2018-10-02 Thread Bill Cole

On 2 Oct 2018, at 9:36, Rob McEwen wrote:

SIDE NOTE: I don't think there was any domain in my message that was
blacklisted on URIBL - so I can't explain the "URIBL_BLOCKED", but 
that only scored 0.001, so that was innocuous. I suspect that that 
rule is malfunctioning on their end, and then they changed the score 
to .001 - so just please ignore that for the purpose of this 
discussion.


No, "URIBL_BLOCKED" means that the URIBL DNS returned a value that is 
supposed to be a message to a mail admin that they are using URIBL wrong 
and will never get a useful answer without either (1) paying for a feed
to support their usage volume or (2) using their own recursive resolver 
instead of forwarding queries to the likes of Google, OpenDNS, & 
CloudFlare.


A mail filtering system that gets URIBL_BLOCKED hits is broken. A mail 
filtering system that gets them chronically is mismanaged.


Re: FPs on FORGED_MUA_MOZILLA (for my own hand-typed messages from my latest-version Thunderbird)

2018-10-02 Thread Rob McEwen

On 10/2/2018 9:59 AM, Matus UHLAR - fantomas wrote:

can you post the headers?
or at least the Message-Id?



Matus... first, THANKS for your help with this!

Here is the message as THEIR system saw it (with my client's info 
masked)  - but it looks like their Kerio (or the customer's email 
client?) might not be storing everything as it was originally sent?
...but this is what my client sent me, fwiw:



Received: from mail.powerviewmail.com 
([204.9.77.40])

by with ESMTPS
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256 bits))
for ;
Mon, 1 Oct 2018 15:17:10 +0200
DKIM-Signature: a=rsa-sha256; t=1538399816; x=1539004616; 
s=ivm_invaluement; d=invaluement.com ; 
c=relaxed/relaxed; v=1; bh=C6QzEUsPRf8EoiIEIhSF1hnXxy9JIlmjGFO/079v4QQ=; 
h=From:Subject:Date:Message-ID:To:MIME-Version:Content-Type:In-Reply-To:References;

b=V5Sv2lZUWL4P29pcEVY6r/8uFRcuNL1hR794r6M1TJZcvw+i4vTgrvWf+CKSN/F1f2FS/0CdF4UCux+dS/vFjj3X9fdmwv9jpizZqwvJseyCYEmT2HItdeqo0NfNIoQwziEPDMgYS3f35iWlcb7wqrPjfx5EslHr+oC0eoeGBaA=
Received: from [204.9.77.40] ([204.9.77.40])
        by mail.powerviewmail.com 
(IceWarp 12.0.2.1 x64) with ASMTP id 
201810010916565985

        for ; Mon, 01 Oct 2018 09:16:


Here is an excerpt from the headers, copied from the message in my 
Thunderbird "sent" folder:



References: <55521fa7.8080...@invaluement.com>
 <7c8ad385-8b3d-74d9-7d34-ca2ca9236...@invaluement.com>
 <1b8ad5ec-18b7-90db-5cad-d86ffa5aa...@invaluement.com>
Message-ID: <39397904-9830-5010-a3d2-a62af8326...@invaluement.com>
Disposition-Notification-To: Rob McEwen
Date: Mon, 1 Oct 2018 09:16:55 -0400
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <1b8ad5ec-18b7-90db-5cad-d86ffa5aa...@invaluement.com>
Content-Type: multipart/mixed; boundary="54AEB3A413950E8E0A41E1A8"
Content-Language: en-US




The time difference makes sense because their time zone is 6 hours ahead of 
mine.


--
Rob McEwen
https://www.invaluement.com
+1 (478) 475-9032




Re: sa-update and signature verification

2018-10-02 Thread Kevin A. McGrail
Hi Daniele, You are correct.  3.4.2 does not support rule channels that
only use SHA1.

Please contact the other rule channels and tell them to add sha256.  We
have moved away from SHA1.  It should be trivial on their end to
generate a sha256sum.

Regards,
KAM

On 10/2/2018 10:00 AM, Daniele Duca wrote:
> Hello,
>
> since updating to 3.4.2 I can't download rules from unofficial
> channels. The problem is that in version 3.4.1 sa-update checks the
> hash of the downloaded file using file.sha1 , while version 3.4.2 uses
> file.sha256 or file.sha512. See the relevant differences in the
> following sa-update --help:
>
>
> 3.4.1:
> sa-update --help
> ...
> --install filename  Install updates directly from this file.
> Signature verification will use "file.asc" and "file.sha1"
> ...
>
> 3.4.2
> sa-update --help
> ...
> --install filename  Install updates directly from this file.
> Signature verification will use "file.asc", "file.sha256", and
> "file.sha512".
> ...
>
>
> Using the --nogpg option doesn't help, sa-update still hardfails if it
> doesn't find one of the .sha(256|512) files.
>
> Reading the code in sa-update I found that even if --nogpg is
> specified, the signature file is still tried to be downloaded even if
> it's not used afterwards, and that is what basically causes the update
> procedure to fail.
> For the moment I brutally hacked sa-update to not care about
> signatures when using unofficial channels, but I'd like to understand
> if I'm missing something obvious that doesn't require code mangling to
> use "old" update channels.
>
> Thanks
>
> Daniele Duca
>

-- 
Kevin A. McGrail
VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171



sa-update and signature verification

2018-10-02 Thread Daniele Duca

Hello,

since updating to 3.4.2 I can't download rules from unofficial channels. 
The problem is that in version 3.4.1 sa-update checks the hash of the 
downloaded file using file.sha1 , while version 3.4.2 uses file.sha256 
or file.sha512. See the relevant differences in the following sa-update 
--help:



3.4.1:
sa-update --help
...
--install filename  Install updates directly from this file. 
Signature verification will use "file.asc" and "file.sha1"

...

3.4.2
sa-update --help
...
--install filename  Install updates directly from this file. 
Signature verification will use "file.asc", "file.sha256", and 
"file.sha512".

...


Using the --nogpg option doesn't help, sa-update still hardfails if it 
doesn't find one of the .sha(256|512) files.


Reading the code in sa-update I found that even if --nogpg is specified, 
the signature file is still tried to be downloaded even if it's not used 
afterwards, and that is what basically causes the update procedure to fail.
For the moment I brutally hacked sa-update to not care about
signatures when using unofficial channels, but I'd like to understand if 
I'm missing something obvious that doesn't require code mangling to use 
"old" update channels.


Thanks

Daniele Duca



Re: FPs on FORGED_MUA_MOZILLA (for my own hand-typed messages from my latest-version Thunderbird)

2018-10-02 Thread Matus UHLAR - fantomas

On 02.10.18 09:36, Rob McEwen wrote:
A client of mine wasn't getting my own hand-typed messages. 
Unfortunately, they had their SA set to block on a score of 3 (which 
is aggressive), and this particular rule hit plus a tiny bit of other 
things put it above 3. But what is weird - is that it was hitting on 
hand typed-messages from me - that I sent directly from my 
latest-version of Thunderbird. So this was NOT "forged" at all! (Also, 
I suspect that the bayes hit was due to previous such messages from me 
getting blocked and feeding his bayes?)


Any suggestions? Could my client be using a very old version of SA - 
where this is fixed already? (they are using SA from Kerio).


Here are the headers:

X-Kerio-Anti-Spam:  Build: [Engines: 2.15.8.1169, Stamp: 3], Multi: 
[Enabled, t: (0.12,0.017258)], BW: [Enabled, t: (0.13)], RTDA: 
[Enabled, t: (0.052863), Hit: No, Details: v2.7.15; Id: 
15.1i65djr.1conscun2.ocr1k], total: 0(700)

X-Spam-Status: Yes, hits=3.8 required=3.0
tests=KERIO_ANTI_SPAM: -0.000, AWL: -0.000, BAYES_50: 1.567,
FORGED_MUA_MOZILLA: 2.309, HTML_MESSAGE: 0.001, URIBL_BLOCKED: 0.001,
TOTAL_SCORE: 3.878,autolearn=no

Suggestions?


can you post the headers?
or at least the Message-Id?

meta    FORGED_MUA_MOZILLA  (__MOZILLA_MUA && !__UNUSABLE_MSGID && !__MOZILLA_MSGID)
header  __MOZILLA_MUA   User-Agent =~ /^mozilla\b/i
header  __MOZILLA_MSGID MESSAGEID =~ /^<(?:[a-f\d]{8}-(?:[a-f\d]{4}-){3}[a-f\d]{12}|[A-F\d]{8}\.[A-F1-9][A-F\d]{0,7})\@\S+>$/m
meta    __UNUSABLE_MSGID    (__LYRIS_EZLM_REMAILER || __GATED_THROUGH_RCVD_REMOVER || __WACKY_SENDMAIL_VERSION || __IPLANET_MESSAGING_SERVER || __HOTMAIL_BAYDAV_MSGID || __SYMPATICO_MSGID)
header  __HOTMAIL_BAYDAV_MSGID  MESSAGEID =~ /^<[A-Z]{3}\d+-(?:DAV|SMTP)\d+[A-Z0-9]{25}\@phx\.gbl>$/m
header  __IPLANET_MESSAGING_SERVER  Received =~ /iPlanet Messaging Server/
header  __LYRIS_EZLM_REMAILER   List-Unsubscribe =~ /$/
header  __SYMPATICO_MSGID   MESSAGEID =~ /^$/m
header  __WACKY_SENDMAIL_VERSION    Received =~ /\/CWT\/DCE\)/


SIDE NOTE: I don't think there was any domain in my message that was
blacklisted on URIBL - so I can't explain the "URIBL_BLOCKED", but 
that only scored 0.001, so that was innocuous. I suspect that that 
rule is malfunctioning on their end, and then they changed the score 
to .001 - so just please ignore that for the purpose of this 
discussion.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The only substitute for good manners is fast reflexes. 
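
The rule logic quoted in the message above, evaluated in Python against constructed headers (an added example, not part of the original post and not SpamAssassin code). It assumes MESSAGEID is read from the Message-ID header only and that the three __UNUSABLE_MSGID sub-rules whose patterns are not fully shown above do not match; the sample ids and hosts are made up.

```python
import re
from email import message_from_string

# Patterns copied from the rule definitions quoted in the thread
# (Perl /m -> re.M, /i -> re.I).
MOZILLA_MUA = re.compile(r"^mozilla\b", re.I)
MOZILLA_MSGID = re.compile(
    r"^<(?:[a-f\d]{8}-(?:[a-f\d]{4}-){3}[a-f\d]{12}"
    r"|[A-F\d]{8}\.[A-F1-9][A-F\d]{0,7})\@\S+>$", re.M)
HOTMAIL_BAYDAV_MSGID = re.compile(
    r"^<[A-Z]{3}\d+-(?:DAV|SMTP)\d+[A-Z0-9]{25}\@phx\.gbl>$", re.M)
IPLANET_MESSAGING_SERVER = re.compile(r"iPlanet Messaging Server")
WACKY_SENDMAIL_VERSION = re.compile(r"\/CWT\/DCE\)")

# User-Agent string as shown in the thread; everything else below is constructed.
UA = ("User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) "
      "Gecko/20100101 Thunderbird/52.9.1\n")

# Constructed sample header sets.
AS_SENT = "Message-ID: <01234567-89ab-cdef-0123-456789abcdef@example.com>\n" + UA
ID_STRIPPED = "Received: from mail.example.net by mx.example.org with ESMTPS\n" + UA
ID_REWRITTEN = "Message-ID: <201810010916565985@mail.example.net>\n" + UA
VIA_IPLANET = ("Received: from a.example.net by b.example.org "
               "(iPlanet Messaging Server)\n" + UA)


def evaluate(raw_headers):
    """Return the truth value of each sub-rule and of FORGED_MUA_MOZILLA."""
    msg = message_from_string(raw_headers)
    user_agent = msg.get("User-Agent", "")
    # Assumption: only Message-ID is consulted; a missing header never matches.
    msgid = (msg.get("Message-ID") or "").strip()
    received = "\n".join(msg.get_all("Received", []))

    hits = {
        "__MOZILLA_MUA": bool(MOZILLA_MUA.search(user_agent)),
        "__MOZILLA_MSGID": bool(MOZILLA_MSGID.search(msgid)),
        "__HOTMAIL_BAYDAV_MSGID": bool(HOTMAIL_BAYDAV_MSGID.search(msgid)),
        "__IPLANET_MESSAGING_SERVER": bool(IPLANET_MESSAGING_SERVER.search(received)),
        "__WACKY_SENDMAIL_VERSION": bool(WACKY_SENDMAIL_VERSION.search(received)),
        # Patterns not fully shown on the page: assumed not to match.
        "__LYRIS_EZLM_REMAILER": False,
        "__SYMPATICO_MSGID": False,
        "__GATED_THROUGH_RCVD_REMOVER": False,
    }
    hits["__UNUSABLE_MSGID"] = any(hits[name] for name in (
        "__LYRIS_EZLM_REMAILER", "__GATED_THROUGH_RCVD_REMOVER",
        "__WACKY_SENDMAIL_VERSION", "__IPLANET_MESSAGING_SERVER",
        "__HOTMAIL_BAYDAV_MSGID", "__SYMPATICO_MSGID"))
    # meta FORGED_MUA_MOZILLA (__MOZILLA_MUA && !__UNUSABLE_MSGID && !__MOZILLA_MSGID)
    hits["FORGED_MUA_MOZILLA"] = (hits["__MOZILLA_MUA"]
                                  and not hits["__UNUSABLE_MSGID"]
                                  and not hits["__MOZILLA_MSGID"])
    return hits


if __name__ == "__main__":
    samples = [("as sent", AS_SENT), ("Message-ID stripped", ID_STRIPPED),
               ("Message-ID rewritten", ID_REWRITTEN), ("via iPlanet", VIA_IPLANET)]
    for label, headers in samples:
        result = evaluate(headers)
        print(f"{label:22} __MOZILLA_MSGID={result['__MOZILLA_MSGID']!s:5} "
              f"FORGED_MUA_MOZILLA={result['FORGED_MUA_MOZILLA']}")
```

With a Mozilla User-Agent, the rule fires whenever the Message-ID is missing or no longer in one of the two Thunderbird formats by the time the filter sees it, so comparing the Message-ID as sent with the one as scanned is the first check for this false positive.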


FPs on FORGED_MUA_MOZILLA (for my own hand-typed messages from my latest-version Thunderbird)

2018-10-02 Thread Rob McEwen
A client of mine wasn't getting my own hand-typed messages. 
Unfortunately, they had their SA set to block on a score of 3 (which is 
aggressive), and this particular rule hit plus a tiny bit of other 
things put it above 3. But what is weird - is that it was hitting on 
hand typed-messages from me - that I sent directly from my 
latest-version of Thunderbird. So this was NOT "forged" at all! (Also, I 
suspect that the bayes hit was due to previous such messages from me 
getting blocked and feeding his bayes?)


Any suggestions? Could my client be using a very old version of SA - 
where this is fixed already? (they are using SA from Kerio).


Here are the headers:

X-Kerio-Anti-Spam:  Build: [Engines: 2.15.8.1169, Stamp: 3], Multi: 
[Enabled, t: (0.12,0.017258)], BW: [Enabled, t: (0.13)], RTDA: 
[Enabled, t: (0.052863), Hit: No, Details: v2.7.15; Id: 
15.1i65djr.1conscun2.ocr1k], total: 0(700)

X-Spam-Status: Yes, hits=3.8 required=3.0
tests=KERIO_ANTI_SPAM: -0.000, AWL: -0.000, BAYES_50: 1.567,
FORGED_MUA_MOZILLA: 2.309, HTML_MESSAGE: 0.001, URIBL_BLOCKED: 0.001,
TOTAL_SCORE: 3.878,autolearn=no

Suggestions?

SIDE NOTE: I don't think there was any domain in my message that was
blacklisted on URIBL - so I can't explain the "URIBL_BLOCKED", but that 
only scored 0.001, so that was innocuous. I suspect that that rule is 
malfunctioning on their end, and then they changed the score to .001 - 
so just please ignore that for the purpose of this discussion.


--
Rob McEwen
https://www.invaluement.com




Re: iXhash service issues

2018-10-02 Thread Jakob Hirsch
Hi,

On 2018-09-30 18:06, Alex wrote:
> 30-Sep-2018 12:03:24.249 query-errors: client @0x7ff3f01a43d0
> 68.195.193.45#44607
> (230fe40b1401cf8c3fe2b8699cdb91bf.generic.ixhash.net): query failed
> (SERVFAIL) for 230fe40b1401cf8c3fe2b8699cdb91bf.generic.ixhash.net/IN/A
> at query.c:8580

According to a posting in the German ixHash forum, generic.ixhash.net
was deprecated since end of 2014 (it still answered, but was not updated
any more), so maybe it went completely offline now.

[2] also lists hosteurope.ixhash.net and ixhash.spameatingmonkey.net. as
being shut down, which leaves ix.dnsbl.manitu.net as the only remaining
ixhash source (I know of). It is operated by the German hosting company
manitu, which is not a big player, but reputable, known as reliable and
exists for more than 20 years, and they have partners[3] to run it (no,
I'm not affiliated with them in any way).
The whole ixhash stuff looks a little abandoned, but the stats in [4]
still look kind of okay, so I'll keep using it for now.


Regards,
Jakob



[1]
https://www.heise.de/forum/iX/Kommentare/Gemeinsam-stark/iXhash-Blacklist-geht-ausser-Betrieb/posting-2215803/show/
[2] https://www.intra2net.com/en/support/antispam/latest-news.php.html
[3] http://www.dnsbl.manitu.net/partners.php?language=en
[4]
https://www.intra2net.com/de/support/antispam/blacklist.php_dnsbl=hash_ix.html


Re: Unexpected error spotted by --lint check

2018-10-02 Thread Martin Gregorie
On Tue, 2018-10-02 at 12:20 +0300, Henrik K wrote:
> Are you talking about the .cf file and line that contains rule being
> warned about?  I don't see how it could be done, looking at how the
> cf and stuff are processed.
> 
Yes I was, but if it can't be done, fair enough.

> I already patched the warning to mention rulename, so at least that's
> more verbose.
>
Yes, that will be very helpful. Thanks.

Martin





Re: Unexpected error spotted by --lint check

2018-10-02 Thread Henrik K
On Tue, Oct 02, 2018 at 09:44:41AM +0100, Martin Gregorie wrote:
> On Tue, 2018-10-02 at 07:57 +0300, Henrik K wrote:
> > This is also nothing else than a warn, the rule works regardless.
> > 
> That makes warnings like this somewhat useless because this makes
> locating them rather difficult. Is there any possibility of showing the
> filename and line number in the --lint report? 

Are you talking about the .cf file and line that contains rule being warned
about?  I don't see how it could be done, looking at how the cf and stuff
are processed.

I already patched the warning to mention rulename, so at least that's more
verbose.  Seems the warn itself is good, now we know decimal numbers were
missing from the check..  :-)



Re: iXhash service issues

2018-10-02 Thread Alessio Cecchi

On 30/09/2018 18:06, Alex wrote:

Hi all, I'm pretty sure this is a problem on their side, but can
anyone else confirm ixhash is having a problem? Anyone else using the
iXhash plugin? Their site http://www.ixhash.net/ also appears to be
down.

30-Sep-2018 12:03:24.249 query-errors: client @0x7ff3f01a43d0
68.195.193.45#44607
(230fe40b1401cf8c3fe2b8699cdb91bf.generic.ixhash.net): query failed
(SERVFAIL) for 230fe40b1401cf8c3fe2b8699cdb91bf.generic.ixhash.net/IN/A
at query.c:8580

ixhashdnsbl GENERIC_IXHASH  generic.ixhash.net.
body        GENERIC_IXHASH  eval:check_ixhash('GENERIC_IXHASH')
describe    GENERIC_IXHASH  http://www.ixhash.net/listinfo.html
tflags      GENERIC_IXHASH  net
score       GENERIC_IXHASH  1.5

ixhashdnsbl NIXSPAM_IXHASH  ix.dnsbl.manitu.net.
body        NIXSPAM_IXHASH  eval:check_ixhash('NIXSPAM_IXHASH')
describe    NIXSPAM_IXHASH  http://www.ixhash.net/listinfo.html
tflags      NIXSPAM_IXHASH  net
score       NIXSPAM_IXHASH  1.5

Hello,

we have the same issue and we disabled ixhash.net query.

--
Alessio Cecchi
Postmaster @ http://www.qboxmail.it
https://www.linkedin.com/in/alessice



Re: Unexpected error spotted by --lint check

2018-10-02 Thread Martin Gregorie
On Tue, 2018-10-02 at 07:57 +0300, Henrik K wrote:
> This is also nothing else than a warn, the rule works regardless.
> 
That makes warnings like this somewhat useless because this makes
locating them rather difficult. Is there any possibility of showing the
filename and line number in the --lint report? 
 
> The warning is also fixed now:
> 
http://svn.apache.org/viewvc?view=revision=date=1842593
> 
Many thanks for the fix.

Martin