Re: Multiple rules for dynamic-looking IP addresses

2007-09-04 Thread Dan Fulbright
On 2007-08-29 23:16, Dan Fulbright wrote:
> I'm having problems with high scores from messages sent from IP
> addresses that appear to be dynamic, but in fact are static. Here's an
> example:
> 
> *  4.2 HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname (Split IP)
> *  4.4 HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious hostname (IP addr 2)
> *  1.6 TVD_RCVD_IP TVD_RCVD_IP
> *  2.1 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO
> 
> Here are the Received lines, with specific information cleaned:
> 
> Received: from 1.2.3.4.static.vsnl.net.in [1.2.3.4] by mail5.example2.com with SMTP;
>     Sat, 25 Aug 2007 04:11:59 -0500
> Received: from gbd07 ([192.168.96.107]) by mail.example1.com with Microsoft SMTPSVC(6.0.3790.1830);
>     Sat, 25 Aug 2007 14:48:07 +0530
> 
> I realize that 1.2.3.4 should have a better reverse DNS, but it seems
> that it causes the SA score to be artificially high. I know I could
> disable some of these tests, but I feel like that would artificially
> lower scores.
> 
> How can I adjust the scores or write/fix rules so that static IP
> addresses are recognized as such?
> 
> I am an admin for example2.com.

Thank you for the replies; however, I think I'll restate my own
question. Why are there so many rules that seem to check for the same
thing? I'm seeing this more and more often. xo.net seems to be a
common domain that uses hostnames like this to send mail. I feel like
the right thing to do would be to tell the sender to get a better
reverse DNS, but that just isn't feasible.

Received: from 1.2.3.4.ptr.us.xo.net [1.2.3.4] by mail4.example2.com with SMTP;
   Tue, 4 Sep 2007 12:10:07 -0500

Is anyone familiar with xo.net? If so, do you know why I am seeing so
many messages from hostnames that look like this? Are these dynamic or
static IP addresses?

Thanks.

--df
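The rules quoted above all key on the same signal: a HELO or reverse-DNS name that embeds the connecting IP address. The script below is an added example (not SpamAssassin's own rule code, and a deliberate simplification of it) that parses Received lines, flags hostnames that contain the connecting IP or are bare IPs, and shows how an admin-maintained exemption list for senders known to be static keeps those hostnames from being penalised, which is the knob the post is asking about. The Received lines are constructed from the ones in the thread, the rule names and weights are modelled on the scores quoted above, and `exempt_suffixes` is a hypothetical local list, not an SA option.

```python
"""Simplified model of SpamAssassin's dynamic-looking-hostname checks.

Added example, not SpamAssassin code. It parses Received headers, flags
hostnames that embed the connecting IP (or are a bare IP), and applies a
local exemption list so known-static senders are not penalised.
"""
import re
from typing import Dict, List, Sequence, Tuple

# Constructed Received lines modelled on the ones in the post; the
# 1.2.3.4 and 5.6.7.8 addresses are placeholders, not real hosts.
SAMPLE_RECEIVED = [
    "Received: from 1.2.3.4.static.vsnl.net.in [1.2.3.4] by mail5.example2.com "
    "with SMTP; Sat, 25 Aug 2007 04:11:59 -0500",
    "Received: from gbd07 ([192.168.96.107]) by mail.example1.com with Microsoft "
    "SMTPSVC(6.0.3790.1830); Sat, 25 Aug 2007 14:48:07 +0530",
    "Received: from 1.2.3.4.ptr.us.xo.net [1.2.3.4] by mail4.example2.com "
    "with SMTP; Tue, 4 Sep 2007 12:10:07 -0500",
    "Received: from 5.6.7.8 ([5.6.7.8]) by mx.example2.com with SMTP; "
    "Tue, 4 Sep 2007 12:11:00 -0500",
]

# "from <helo> [ip]" or "from <helo> ([ip])"; the HELO name is whatever
# the client announced, the bracketed IP is what the MTA actually saw.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\(?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)?",
    re.IGNORECASE,
)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed weights, modelled on the scores quoted in the post. They are
# not SpamAssassin's rule definitions, only stand-ins for the same idea.
WEIGHTS = {"IP_IN_HOSTNAME": 4.4, "NUMERIC_HELO": 2.1}


def parse_received(line: str) -> Tuple[str, str]:
    """Return (helo_name, connecting_ip) from one Received header."""
    m = RECEIVED_RE.match(line)
    if not m:
        raise ValueError(f"unparseable Received line: {line!r}")
    return m.group("helo"), m.group("ip")


def octets_embedded(hostname: str, ip: str) -> bool:
    """True if all four octets of ip appear in order in hostname, each
    delimited by non-digit characters (covers 1.2.3.4.x and 1-2-3-4.x)."""
    octets = ip.split(".")
    pattern = r"(?<!\d)" + r"\D+".join(map(re.escape, octets)) + r"(?!\d)"
    return re.search(pattern, hostname) is not None


def classify(helo: str, ip: str) -> List[str]:
    """Tag the HELO name the way the quoted rules would, in simplified form."""
    tags: List[str] = []
    if IPV4_RE.match(helo):
        tags.append("NUMERIC_HELO")          # HELO was a bare IP address
    elif octets_embedded(helo, ip):
        tags.append("IP_IN_HOSTNAME")        # dynamic-looking reverse DNS
    # Informational only: a "static" label hints at a static assignment,
    # but nothing in the hostname proves it, so it carries no weight here.
    if re.search(r"(^|[.-])static([.-]|$)", helo.lower()):
        tags.append("STATIC_TOKEN")
    return tags


def assess(line: str, exempt_suffixes: Sequence[str] = ()) -> Dict[str, object]:
    """Score one Received line; a hostname under an exempt suffix scores 0.

    exempt_suffixes is a hypothetical admin-maintained list of domains whose
    hosts are known to be static (e.g. ".vsnl.net.in"); it is not an SA option.
    """
    helo, ip = parse_received(line)
    tags = classify(helo, ip)
    exempt = not IPV4_RE.match(helo) and any(
        helo.lower().endswith(s.lower()) for s in exempt_suffixes
    )
    score = 0.0 if exempt else sum(WEIGHTS.get(t, 0.0) for t in tags)
    return {"helo": helo, "ip": ip, "tags": tags, "exempt": exempt, "score": score}


if __name__ == "__main__":
    for line in SAMPLE_RECEIVED:
        print(assess(line, exempt_suffixes=(".vsnl.net.in",)))
```

Running it shows the point of the post: both the `static.vsnl.net.in` and the `ptr.us.xo.net` names trip the embedded-IP check exactly like a dynamic pool would, so the only thing that separates them is local knowledge recorded in the exemption list.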


RBL checks not working

2006-10-17 Thread Dan Fulbright
I'm having a hard time getting RBL checks to work right. I don't have
anything in my local config files regarding RBLs. I'm using
SpamAssassin 3.1.5. Here is some debugging output, trimmed for
brevity:

dbg: generic: SpamAssassin version 3.1.5
dbg: config: score set 0 chosen.
dbg: util: running in taint mode? yes
dbg: util: taint mode: deleting unsafe environment variables, resetting PATH
dbg: util: final PATH set to: 
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
dbg: dns: is Net::DNS::Resolver available? yes
dbg: dns: Net::DNS version: 0.59
dbg: config: using "/etc/mail/spamassassin" for site rules pre files
dbg: config: read file /usr/local/share/spamassassin/20_dnsbl_tests.cf
dbg: plugin: loading Mail::SpamAssassin::Plugin::SpamCop from @INC
dbg: reporter: network tests on, attempting SpamCop
dbg: plugin: registered Mail::SpamAssassin::Plugin::SpamCop=HASH(0x93ae3f4)
dbg: dns: checking RBL bl.spamcop.net., set spamcop
dbg: dns: IPs found: full-external: 201.139.53.111, 70.84.192.18 untrusted: 201.139.53.111, 70.84.192.18 originating: 
dbg: dns: only inspecting the following IPs: 70.84.192.18, 201.139.53.111
dbg: dns: launching DNS TXT query for 18.192.84.70.bl.spamcop.net. in background
dbg: dns: launching DNS TXT query for 111.53.139.201.bl.spamcop.net. in background
dbg: dns: success for 18 of 18 queries
dbg: check: tests=SPF_HELO_SOFTFAIL,SPF_SOFTFAIL
dbg: check: 
subtests=__CT,__CTE,__CTYPE_CHARSET_QUOTED,__CT_TEXT_PLAIN,__HAS_MIMEOLE,__HAS_MSGID,__HAS_MSMAIL_PRI,__HAS_OUTLOOK_IN_MAILER,__HAS_RCVD,__HAS_SUBJECT,__HAS_X_MAILER,__HAS_X_PRIORITY,__MIMEOLE_MS,__MIME_VERSION,__MSGID_DOLLARS_MAYBE,__MSGID_DOLLARS_OK,__MSGID_OK_HEX,__MSGID_OK_HOST,__MSGID_RANDY,__NONEMPTY_BODY,__OE_MSGID_2,__SANE_MSGID,__TOCC_EXISTS

The host 201.139.53.111 is listed by SpamCop at the time of this
writing.

It looks like DNS is working fine (dns: success for 18 of 18 queries), but 
using dig, it is clear to see that it should be triggering the SpamCop rule.

# dig 111.53.139.201.bl.spamcop.net

; <<>> DiG 9.2.4 <<>> 111.53.139.201.bl.spamcop.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65060
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 8, ADDITIONAL: 8

;; QUESTION SECTION:
;111.53.139.201.bl.spamcop.net. IN  A

;; ANSWER SECTION:
111.53.139.201.bl.spamcop.net. 2100 IN  A   127.0.0.2


Here are the SpamCop lines in my stock config files:

/usr/local/share/spamassassin/20_dnsbl_tests.cf:header RCVD_IN_BL_SPAMCOP_NET eval:check_rbl_txt('spamcop', 'bl.spamcop.net.', '(?i:spamcop)')
/usr/local/share/spamassassin/50_scores.cf:score RCVD_IN_BL_SPAMCOP_NET 0 1.332 0 1.558

Any clues?
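The debug output above shows the two halves of a DNSBL check: the candidate IPs are narrowed to the untrusted, externally routable ones, then each is reversed octet by octet and queried under the list's zone (`18.192.84.70.bl.spamcop.net.`), and a `127.0.0.x` answer means "listed". The script below is an added example, not SpamAssassin's `check_rbl_txt`, that reproduces that lookup logic against a constructed in-memory resolver table (modelled on the `dig` answer quoted above) so it runs offline, and it records a resolver that never answers as "unknown" rather than "not listed", which is the failure mode that turned out to be the real cause in this thread.

```python
"""DNSBL lookup model: reversed-octet query names and 127.0.0.x answers.

Added example, not SpamAssassin code. The resolver is a constructed table so
the script runs offline; swap in a real resolver to query a live list.
"""
import ipaddress
from typing import Callable, Dict, Iterable, Optional

Resolver = Callable[[str], Optional[str]]  # name -> A record text or None


class DnsTimeout(Exception):
    """Raised by a resolver whose query never gets an answer."""


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet name a DNSBL expects, e.g.
    70.84.192.18 under bl.spamcop.net -> 18.192.84.70.bl.spamcop.net."""
    addr = ipaddress.IPv4Address(ip)  # rejects malformed input early
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone.rstrip('.')}."


def select_candidates(ips: Iterable[str]) -> list:
    """Drop private/loopback relays; only routable hops are worth querying,
    mirroring the 'only inspecting the following IPs' line in the debug log."""
    return [ip for ip in ips if ipaddress.IPv4Address(ip).is_global]


# Constructed resolver table modelled on the dig output in the post: the
# listed address answers 127.0.0.2, everything else gets no record (None).
FAKE_ZONE: Dict[str, str] = {"111.53.139.201.bl.spamcop.net.": "127.0.0.2"}


def fake_resolver(name: str) -> Optional[str]:
    return FAKE_ZONE.get(name)


def blocked_resolver(name: str) -> Optional[str]:
    """Models a firewall silently dropping outbound DNS."""
    raise DnsTimeout(name)


def check_rbl(ips: Iterable[str], zone: str, resolve: Resolver) -> Dict[str, Optional[bool]]:
    """Return {ip: True (listed) | False (not listed) | None (no answer)}.

    Only a 127.0.0.0/8 answer counts as a listing; anything else is ignored
    so that a wildcard or hijacked response cannot fake a hit.
    """
    results: Dict[str, Optional[bool]] = {}
    for ip in select_candidates(ips):
        name = dnsbl_query_name(ip, zone)
        try:
            answer = resolve(name)
        except DnsTimeout:
            results[ip] = None       # unknown, not "clean"
            continue
        listed = answer is not None and (
            ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")
        )
        results[ip] = listed
    return results


if __name__ == "__main__":
    hops = ["201.139.53.111", "70.84.192.18", "192.168.96.107"]
    print(check_rbl(hops, "bl.spamcop.net.", fake_resolver))
    print(check_rbl(hops, "bl.spamcop.net.", blocked_resolver))
```

The distinction between `False` and `None` is the operational point: a check that treats a timeout as "not listed" looks exactly like a working check in the score output, which is why the debug line `success for 18 of 18 queries` is worth reading alongside the firewall state rather than on its own.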


Re: RBL checks not working

2006-10-17 Thread Dan Fulbright
> I'm having a hard time getting RBL checks to work right. I don't have
> anything in my local config files regarding RBLs. I'm using
> SpamAssassin 3.1.5. Here is some debugging output, trimmed for
> brevity:

My apologies. Someone had updated our firewall without my knowledge,
and it was affecting DNS queries. RBL checks are working fine now.


Scanning outgoing e-mails

2007-06-05 Thread Dan Fulbright
I know this is a somewhat unusual configuration, but we need
SpamAssassin to scan outgoing e-mails. We are doing this so that we
can stop spam from being sent by several web-hosting servers. This
results in our servers being blacklisted.

I'm having trouble having SpamAssassin treat outgoing mail as
potential spam. SA sees the messages coming from only internal
networks, so it marks it as "ALL_TRUSTED." I have read these pages:
http://wiki.apache.org/spamassassin/FixingAllTrusted and
http://wiki.apache.org/spamassassin/TrustPath, but the solutions
don't seem to apply to our situation. Basically, all messages passing
through SA on this server are from internal addresses, but they still
may be spam. Obviously, I don't need to do any RBL tests, but I need
to do all the regular content checks.

Thanks in advance.

--df