RE: Blocking based on ALL IPs in the header

2006-08-21 Thread Rob McEwen
Magnus Holmgren said:
> It depends on the blacklist. Some, like Spamhaus SBL,
> only list IP addresses known to be operated
> by spammers (and not unsuspecting home users with
> hijacked computers). SA scores mail with such IP
> addresses in ANY Received line. For other lists, the
> first hop is ignored unless it's the *only* hop.

The software this company uses for spam filtering is **not** SA. And it
treats all RBLs the same... ANY RBL that is set up in a user's system will
check against ALL IPs in the header.

Therefore, in this situation, if the solution is to disable RBLs which
target zombies, and ONLY keep RBLs like SBL, then that is like getting a
lobotomy to fix a headache.

Sure, the FP problem would go away, but the spam caught by RBL lookups would
decrease dramatically.

In contrast, if ONLY the sending server's IP were checked... and RBLs like
XBL were ALSO used, then the FP problem would ALSO go away, but without any
noticeable decrease in the percent of spam caught by RBL lookups.

You might ask, why did I post this in the first place... forgive me for
being so off-topic... but I have these guys at this big software company and
this big bank who seem to think I'm the one who has lost his mind... So I
was hoping for feedback to make sure that I'm not the one who is crazy
here!

Rob McEwen



Re: Blocking based on ALL IPs in the header

2006-08-21 Thread jdow

From: Rob McEwen [EMAIL PROTECTED]

> Magnus Holmgren said:
>
> > It depends on the blacklist. Some, like Spamhaus SBL,
> > only list IP addresses known to be operated
> > by spammers (and not unsuspecting home users with
> > hijacked computers). SA scores mail with such IP
> > addresses in ANY Received line. For other lists, the
> > first hop is ignored unless it's the *only* hop.
>
> The software this company uses for spam filtering is **not** SA. And it
> treats all RBLs the same... ANY RBL that is set up in a user's system will
> check against ALL IPs in the header.
>
> Therefore, in this situation, if the solution is to disable RBLs which
> target zombies, and ONLY keep RBLs like SBL, then that is like getting a
> lobotomy to fix a headache.
>
> Sure, the FP problem would go away, but the spam caught by RBL lookups would
> decrease dramatically.
>
> In contrast, if ONLY the sending server's IP were checked... and RBLs like
> XBL were ALSO used, then the FP problem would ALSO go away, but without any
> noticeable decrease in the percent of spam caught by RBL lookups.
>
> You might ask, why did I post this in the first place... forgive me for
> being so off-topic... but I have these guys at this big software company and
> this big bank who seem to think I'm the one who has lost his mind... So I
> was hoping for feedback to make sure that I'm not the one who is crazy
> here!
>
> Rob McEwen

jdow
TOP SPAM RULES FIRED

RANK  RULE NAME          COUNT  %OFRULES  %OFMAIL  %OFSPAM  %OFHAM

  18  HOST_EQ_D_D_D_D       45      0.01     0.06    19.32    0.08
  42  HOST_EQ_D_D_D_DB    1341      0.46     1.89     8.23    0.07

The first is the header rule. It's fairly good with few false alarms.
The second is the body rule. It's not as effective with the same
small false alarm rate.

If you mean what this rule catches (an all numeric helo):
header   HOST_EQ_D_D_D_D  X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=[^ ]+\d{1,3}[^0-9]\d{1,3}[^0-9]\d{1,3}[^0-9]\d{1,3}[^ ]+ /


then I'd say it was pretty good but not perfect.

I'd also say that a company using a nest of BLs with no ranking on their
performance is a dumb company. Banks are known to be dumber than dirt in
many instances. Greylisting on the basis of the BLs makes some sense.
Blocking outright makes no sense. Scoring systems such as SpamAssassin
give you a soft fail from which you can recover. It's like the commercial
power to the bank's computers failing. The SpamAssassin scoring allows you
to continue after a first line or even second or third line failure. Sort
by scores and check the low scores for potential mis-marked ham. Otherwise
the bank may be throwing away money.

{^_^}   Joanne Dow



Re: Blocking based on ALL IPs in the header

2006-08-15 Thread Magnus Holmgren
On Tuesday 08 August 2006 21:32, Rob McEwen (PowerView Systems) took the 
opportunity to say:
> Just thought ya'll would be interested to know that I just spent about 45
> minutes trying to convince an I.T. guy at one of the largest regional banks
> in my area that a spam filter should ONLY check the IP address of the
> sending mail server against RBLs, NOT every single IP contained within the
> header.
>
> I told him that often, dynamically assigned IPs will show up in blacklists
> even if they've never sent spam and I explained that on any given day, a
> person's own computer can get reassigned a blacklisted IP which was
> previously used by a spammer or by a worm-infected computer even if that
> computer has never had a worm and the user never had sent a spam.

It depends on the blacklist. Some, like Spamhaus SBL, only list IP addresses 
known to be operated by spammers (and not unsuspecting home users with 
hijacked computers). SA scores mail with such IP addresses in ANY Received 
line. For other lists, the first hop is ignored unless it's the *only* hop.

-- 
Magnus Holmgren    [EMAIL PROTECTED]
                   (No Cc of list mail needed, thanks)




Blocking based on ALL IPs in the header

2006-08-08 Thread Rob McEwen (PowerView Systems)
Just thought ya'll would be interested to know that I just spent about 45 
minutes trying to convince an I.T. guy at one of the largest regional banks in 
my area that a spam filter should ONLY check the IP address of the sending mail 
server against RBLs, NOT every single IP contained within the header.

I told him that often, dynamically assigned IPs will show up in blacklists even 
if they've never sent spam and I explained that on any given day, a person's 
own computer can get reassigned a blacklisted IP which was previously used by a 
spammer or by a worm-infected computer even if that computer has never had a 
worm and the user never had sent a spam.

I also explained how he doesn't have to worry about what might happen if he 
didn't check other IPs in the header because if that person's computer were 
spewing out spams, he'd still be able to block them if one were to happen to head 
his way.

My client who couldn't send to this bank uses **my** server for sending mail 
and they are only allowed to do so based on authentication.

But the messages are getting blocked because that bank's spam filter is 
checking every IP in the header and my client's IP is blacklisted.

Unbelievable.

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
(478) 475-9032
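The two policies compared in this post, as an added example that is not code from the thread, from GFI or from SpamAssassin: constructed Received headers (RFC 5737 documentation addresses), a constructed stand-in for a DNSBL zone (placeholder name dnsbl.example) and hypothetical helper names show how "any hop listed" flags the authenticated client's dynamic IP while "connecting server only" does not.

```python
import re
from typing import List, Optional, Set

# Constructed sample (RFC 5737 documentation addresses; not from the thread).
# Topmost header first, as in a real message: the bank's MX (mx.bank.example)
# received the message from the authenticated relay mail.example.net, which had
# received it from the client's dynamically assigned IP 198.51.100.77.
SAMPLE_RECEIVED = [
    "from mail.example.net (mail.example.net [192.0.2.10]) by mx.bank.example "
    "with ESMTP id 1; Tue, 8 Aug 2006 15:32:01 -0400",
    "from client-pc (dsl-pool.example.org [198.51.100.77]) by mail.example.net "
    "with ESMTPA id 2; Tue, 8 Aug 2006 15:31:58 -0400",
]

# Stand-in for a DNSBL zone answering "listed": the dynamic IP is on it (as a
# zombie/dynamic-range list might have it), the relay is not. Constructed.
LISTED_IPS = {"198.51.100.77"}
DNSBL_ZONE = "dnsbl.example"  # placeholder zone name, not a real list

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_ips(headers: List[str]) -> List[str]:
    """Bracketed source IP of each Received hop, most recent hop first."""
    return [m.group(1) for h in headers if (m := IP_RE.search(h))]

def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Name a DNSBL client would resolve: octets reversed, zone appended."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def is_listed(ip: str) -> bool:
    """Offline stand-in for the A-record lookup of dnsbl_query_name(ip)."""
    return ip in LISTED_IPS

def connecting_ip(headers: List[str], trusted: Set[str] = frozenset()) -> Optional[str]:
    """The IP that handed the message to our infrastructure: the first hop not
    recorded from one of our own trusted relays (the trusted-networks idea)."""
    for ip in received_ips(headers):
        if ip not in trusted:
            return ip
    return None

def blocked_connecting_only(headers: List[str]) -> Optional[str]:
    """Policy argued for in the thread: test only the connecting server's IP."""
    ip = connecting_ip(headers)
    return ip if ip and is_listed(ip) else None

def blocked_any_hop(headers: List[str]) -> Optional[str]:
    """Policy the bank's filter is described as using: any listed hop blocks."""
    return next((ip for ip in received_ips(headers) if is_listed(ip)), None)
```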



RE: Blocking based on ALL IPs in the header

2006-08-08 Thread Rob McEwen
FOLLOW-UP:

This bank is using GFI for spam filtering:

http://www.gfi.com/

And looking at GFI's manual, it seems that GFI treats ALL IPs in the header
the same and any one blacklisted is treated just the same as if the sending
mail server's IP were blacklisted... with NO option to **only** check the
sending server's IP.

I've posted a message on GFI's forum to clarify and so far I've seen no
response.

CHECK IT OUT:

http://forums.gfi.com/Checking_ALL_IPs_in_header_against_blacklists/m_900736438/tm.htm

Does anyone here have any knowledge of this software?

This is almost like The Twilight Zone...

Either
(1) I have gone insane
(2) GFI has made a critical error in the fundamentals of their architecture.

Please read that post above and let me know which is the case.

Thanks!

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]