Re: RCVD_IN_DNSWL

2022-05-17 Thread Łukasz Michalski

On 5/13/22 23:42, Jeff Koch wrote:


Hi:

We're getting numerous false positives on 'RCVD_IN_DNSWL_HI RBL'. When 
I check these IPs (193.106.175.39, for example) at 
https://www.dnswl.org they are NOT listed.


   * -5.0 RCVD_IN_DNSWL_HI RBL: Sender listed at https://www.dnswl.org/, high
   *  trust
   *  [193.106.175.39 listed in list.dnswl.org]

How can I fix this?  I've run sa-update and it does not help.

TIA - Jeff


My case:
https://www.mail-archive.com/users@spamassassin.apache.org/msg108935.html

Yours may or may not be the same.

Regards,
Łukasz



Re: Fw: spam from gmail.com

2021-11-12 Thread Łukasz Michalski

On 11/12/21 00:43, Loren Wilton wrote:
I have to admit I'd never paid much attention to the RCVD_IN_DNSWL_* 
scores on spam before.

Looking at spam for last month, I don't have a single RCVD_IN_DNSWL_MED.

But I do have 12 pretty blatant spams that hit RCVD_IN_DNSWL_HI.
It makes me wonder just how useful a rule it is.

Especially when it includes sendgrid as part of the "HI" reputation 
senders.


When I was using my provider DNS server, I started to receive a lot of 
spam; mails were scored with RCVD_IN_DNSWL_HI=-5.
It turned out that most queries were resolved as 127.0.0.255 (BLOCKED), 
but some of them as 127.0.10.3 (listed HI as "some special cases" category).


So you need to use your own DNS server and make sure you are below 100k 
queries/day, or get a subscription. Otherwise spam occasionally starts 
to get in.


Regards,
Łukasz
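
The return codes discussed in this thread can be checked mechanically. The following is an added example, not code from the posts or from SpamAssassin: it builds the list.dnswl.org query name for an IP and classifies answers a resolver returned, treating any 127.0.0.255 answer as a sign that "listed" answers from the same resolver should not be trusted. The function names, the sample answers and that trust policy are assumptions of the example.

```python
import ipaddress
from collections import Counter

DNSWL_ZONE = "list.dnswl.org"
BLOCKED = "127.0.0.255"  # answer seen when the querying resolver is blocked
TRUST = {0: "NONE", 1: "LOW", 2: "MED", 3: "HI"}  # last octet -> RCVD_IN_DNSWL_*

def dnswl_query_name(ip):
    """Reverse the IPv4 octets and append the zone, as DNS lists expect."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + DNSWL_ZONE

def classify_answer(answer):
    """Map one A-record answer (or None for NXDOMAIN) to (status, category, trust)."""
    if answer is None:
        return ("not_listed", None, None)
    if answer == BLOCKED:
        return ("blocked", None, None)
    try:
        a, b, category, trust = (int(part) for part in answer.split("."))
    except ValueError:
        return ("unexpected", None, None)
    if (a, b) != (127, 0) or trust not in TRUST:
        return ("unexpected", None, None)
    return ("listed", category, TRUST[trust])

def resolver_health(answers):
    """Summarise answers from one resolver; any blocked answer taints the rest."""
    counts = Counter(classify_answer(a)[0] for a in answers)
    trustworthy = counts["blocked"] == 0 and counts["unexpected"] == 0
    return {"counts": dict(counts), "trustworthy": trustworthy}

# Constructed sample: answers a shared provider resolver might hand back,
# mirroring the mix described in the post (mostly blocked, some 127.0.10.3).
SAMPLE_ANSWERS = ["127.0.0.255", "127.0.0.255", "127.0.10.3", None, "127.0.0.255"]

if __name__ == "__main__":
    print(dnswl_query_name("193.106.175.39"))
    for ans in SAMPLE_ANSWERS:
        print(ans, classify_answer(ans))
    print(resolver_health(SAMPLE_ANSWERS))
```

Feed it the answers your mail server's configured resolver actually returns for the query name; comparing them with answers from a local recursive resolver shows whether the shared resolver is the cause.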