Re: HELO_DYNAMIC_IPADDR false positive

2009-08-20 Thread mouss
Matus UHLAR - fantomas wrote:
>>> On 19.08.09 00:48, mouss wrote:
>>>> The name of the rule is wrong, but the result is ok. Instead of
>>>> "dynamic", I suggest: "UMO" for "Unidentifiable Mailing Object". whether
>>>> static-ip- is static or not doesn't matter. a lot of junk comes from
>>>> such hosts, and we can't report/complain to a domain, since the domain
>>>> is that of the SP (and getting SPs to block abuse sources has proven
>>>> vain).
> 
>> Matus UHLAR - fantomas wrote:
>>> I'd be glad to see if there's any difference in percentage of spam from
>>> dynamic and static (generic) IP addresses.
> 
>> http://enemieslist.com/news/archives/2009/07/why_we_suspect.html
> 
> it says something very close to nothing. from SA point of view, the ham/spam
> ratio is important and that is what I am curious about...
> 
>>> There's also __RDNS_STATIC rule which excludes those "static" from being
>>> considered as dynamic. There should be one for HELO rules too - 
>>> It would make me angry if I got scored more just because my server is
>>> properly configured and uses proper helo which is the same as RDNS
>>> (some helo checks have higher score than RCVD_HELO_IP_MISMATCH)
> 
> On 19.08.09 09:55, mouss wrote:
>> if your PTR is generic, then it is better to set the HELO to a
>> "non-generic" value. just make it resolve to the same IP. while it is
>> not always possible to set a "custom" rdns, there is no excuse for not
>> setting a "meaningful" HELO.
> 
> I wouldn't say so. Automatic helo string is much easier to configure and
> requires less work than manual...
> 

Then helo is useless. but that's not what we are about: if you are
smtp.google.com, then I don't care about your helo.  but if your PTR is
joe-192-1-2-3.example.com, then I am not very open to accept your
transaction. if you do an effort and helo with "flower.example.net",
then I'll give you a better treatment.

said otherwise: if I reject your mail because you helo with a generic
name, don't ever try to complain. first, if you can't get a "custom"
rdns, it is _your_ problem. I might listen to you blaming your provider.
but if you can't set a "custom" helo, then I won't listen to you at all.

for the same reasons, I reject mail hosts helo-ing as "localhost",
"*.localdomain", "*.arpa", "*.firewall", "*.myfirewall", ... etc. It's
more effective to get them to fix their helo than to ask the whole world
to accept the junk.

and this is no different than any rule in SA. I find it easier to ask an
admin to fix his helo than to tell someone that the message was tagged
because "the subject is all caps and foo is bar and bar is foo".

> Yes, with current SA setting it may be true. But since we are complaining
> about this, this ain't an answer...

I block such stuff at smtp transaction. if I get junk from
joe-1-2-3-4.domain.tld, I add a rule to block this in helo check. if
helo check is not enough, the rule is applied to the PTR.
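The HELO-time policy mouss describes in the post above, written out as an added example in Python (this is not code from the thread or from any of the posters): outright rejection of the bogus names he lists, rejection of a HELO that is derived from the connecting IP, acceptance when the HELO forward-resolves to the client (his "just make it resolve to the same IP"), and otherwise the same generic-name test applied to the PTR. Everything not in his post is an assumption: the function names (helo_policy, embeds_ip, is_bogus_helo, on_blocklist), the constructed block pattern built from his joe-192-1-2-3 example, the FAKE_DNS table standing in for a real resolver so the block runs offline, and the hosts and addresses other than 192.1.2.3, flower.example.net and joe-192-1-2-3.example.com.

```python
from __future__ import annotations

import re
from typing import Callable, List, Optional, Set, Tuple

# Literal HELO names rejected outright, taken from mouss's list above.
BOGUS_EXACT = {"localhost"}
BOGUS_SUFFIXES = (".localdomain", ".arpa", ".firewall", ".myfirewall")

# Site-specific block patterns of the kind mouss adds after receiving junk
# from a host; applied to the HELO first and, if that is not enough, to the
# PTR. The single entry here is constructed from his joe-192-1-2-3 example.
BLOCK_PATTERNS = [re.compile(r"^joe-\d+-\d+-\d+-\d+\.example\.com$", re.I)]

# Constructed DNS answers so the example runs offline; a real deployment
# would do an A/AAAA lookup of the HELO name here.
FAKE_DNS = {
    "flower.example.net": {"192.1.2.3"},
    "mail.example.org": {"198.51.100.7"},
}


def fake_resolver(name: str) -> Set[str]:
    return FAKE_DNS.get(name.lower().rstrip("."), set())


def embeds_ip(name: str, ip: str) -> bool:
    """True when every octet of ip occurs in name as its own digit run, in
    order or reversed: 'joe-192-1-2-3.example.com' for 192.1.2.3, or an
    rDNS-style '3.2.1.192.cust.example.net'."""
    octets = ip.split(".")
    runs = re.findall(r"\d+", name)

    def has_seq(seq: List[str]) -> bool:
        n = len(seq)
        return any(runs[i:i + n] == seq for i in range(len(runs) - n + 1))

    return has_seq(octets) or has_seq(octets[::-1])


def is_bogus_helo(helo: str) -> bool:
    h = helo.lower().rstrip(".")
    return h in BOGUS_EXACT or h.endswith(BOGUS_SUFFIXES)


def on_blocklist(name: str) -> bool:
    return any(p.search(name) for p in BLOCK_PATTERNS)


def helo_policy(helo: str, client_ip: str, ptr: Optional[str],
                resolver: Callable[[str], Set[str]] = fake_resolver) -> Tuple[str, str]:
    """Decide a session at HELO time. Returns ("reject"|"accept", reason).

    Order follows the thread: bogus name, then generic HELO, then a HELO
    that resolves to the client earns acceptance regardless of the PTR,
    then the same generic test is applied to the PTR."""
    if is_bogus_helo(helo):
        return "reject", f"HELO {helo!r} is not a host name"
    if on_blocklist(helo) or embeds_ip(helo, client_ip):
        return "reject", f"generic HELO {helo!r} derived from {client_ip}"
    if client_ip in resolver(helo):
        return "accept", f"HELO {helo!r} resolves to {client_ip}"
    if ptr and (on_blocklist(ptr) or embeds_ip(ptr, client_ip)):
        return "reject", f"generic PTR {ptr!r} and HELO {helo!r} does not resolve to {client_ip}"
    return "accept", f"HELO {helo!r} unverified, PTR {ptr!r} not generic"


if __name__ == "__main__":
    # Constructed sessions; 192.1.2.3 and the two names are mouss's examples.
    sessions = [
        ("flower.example.net", "192.1.2.3", "joe-192-1-2-3.example.com"),
        ("joe-192-1-2-3.example.com", "192.1.2.3", "joe-192-1-2-3.example.com"),
        ("localhost", "203.0.113.5", None),
        ("mail.example.org", "192.0.2.9", "9.2.0.192.dsl.example.net"),
        ("relay.example.com", "203.0.113.5", "relay.example.com"),
    ]
    for helo, ip, ptr in sessions:
        action, why = helo_policy(helo, ip, ptr)
        print(f"{action:6} {why}")
```

The ordering is the point: a host with a generic PTR but a HELO that resolves to its own address is accepted, which is exactly the "better treatment" mouss offers, while a HELO copied from the generic PTR is rejected before any DNS lookup is spent on it. Matus's objection in the thread (a "static" name is not dynamic) is deliberately not honoured here, since this block implements mouss's policy, not his.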


Re: HELO_DYNAMIC_IPADDR false positive

2009-08-19 Thread Matus UHLAR - fantomas
> > On 19.08.09 00:48, mouss wrote:
> >> The name of the rule is wrong, but the result is ok. Instead of
> >> "dynamic", I suggest: "UMO" for "Unidentifiable Mailing Object". whether
> >> static-ip- is static or not doesn't matter. a lot of junk comes from
> >> such hosts, and we can't report/complain to a domain, since the domain
> >> is that of the SP (and getting SPs to block abuse sources has proven
> >> vain).

> Matus UHLAR - fantomas wrote:
> > I'd be glad to see if there's any difference in percentage of spam from
> > dynamic and static (generic) IP addresses.

> http://enemieslist.com/news/archives/2009/07/why_we_suspect.html

it says something very close to nothing. from SA point of view, the ham/spam
ratio is important and that is what I am curious about...

> > There's also __RDNS_STATIC rule which excludes those "static" from being
> > considered as dynamic. There should be one for HELO rules too - 
> > It would make me angry if I got scored more just because my server is
> > properly configured and uses proper helo which is the same as RDNS
> > (some helo checks have higher score than RCVD_HELO_IP_MISMATCH)

On 19.08.09 09:55, mouss wrote:
> if your PTR is generic, then it is better to set the HELO to a
> "non-generic" value. just make it resolve to the same IP. while it is
> not always possible to set a "custom" rdns, there is no excuse for not
> setting a "meaningful" HELO.

I wouldn't say so. Automatic helo string is much easier to configure and
requires less work than manual...

Yes, with current SA setting it may be true. But since we are complaining
about this, this ain't an answer...
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Due to unexpected conditions Windows 2000 will be released
in first quarter of year 1901


Re: HELO_DYNAMIC_IPADDR false positive

2009-08-19 Thread mouss
Matus UHLAR - fantomas wrote:
>> Bob Proulx wrote:
>>> The following header line:
>>>
>>>  Received: from static-96-254-126-11.tampfl.fios.verizon.net 
>>> [96.254.126.11] by
>>>  windows12.uvault.com with SMTP;   Wed, 12 Aug 2009 08:26:40 -0400
>>>
>>> Hits the HELO_DYNAMIC_IPADDR rule.  I tested it this way:
>>>
>>>   $ perl -le 'if ("static-96-254-126-11.tampfl.fios.verizon.net" =~ 
>>> /[a-z]\S*\d+[^\d\s]\d+[^\d\s]\d+[^\d\s]\d+[^\d\s][^\.]*\.\S+\.\S+[^\]]+/) { 
>>> print "Yes" } else { print "No" };'
>>>   Yes
>>>
>>> But the address doesn't appear to be in a dynamic block.  And it
>>> doesn't look like a dynamic address pattern to me.
> 
> On 19.08.09 00:48, mouss wrote:
>> The name of the rule is wrong, but the result is ok. Instead of
>> "dynamic", I suggest: "UMO" for "Unidentifiable Mailing Object". whether
>> static-ip- is static or not doesn't matter. a lot of junk comes from
>> such hosts, and we can't report/complain to a domain, since the domain
>> is that of the SP (and getting SPs to block abuse sources has proven
>> vain).
> 
> I'd be glad to see if there's any difference in percentage of spam from
> dynamic and static (generic) IP addresses.
> 


http://enemieslist.com/news/archives/2009/07/why_we_suspect.html

> There's also __RDNS_STATIC rule which excludes those "static" from being
> considered as dynamic. There should be one for HELO rules too - 
> It would make me angry if I got scored more just because my server is
> properly configured and uses proper helo which is the same as RDNS
> (some helo checks have higher score than RCVD_HELO_IP_MISMATCH)
> 

if your PTR is generic, then it is better to set the HELO to a
"non-generic" value. just make it resolve to the same IP. while it is
not always possible to set a "custom" rdns, there is no excuse for not
setting a "meaningful" HELO.




Re: HELO_DYNAMIC_IPADDR false positive

2009-08-18 Thread Matus UHLAR - fantomas
> Bob Proulx wrote:
> > The following header line:
> > 
> >  Received: from static-96-254-126-11.tampfl.fios.verizon.net 
> > [96.254.126.11] by
> >  windows12.uvault.com with SMTP;   Wed, 12 Aug 2009 08:26:40 -0400
> > 
> > Hits the HELO_DYNAMIC_IPADDR rule.  I tested it this way:
> > 
> >   $ perl -le 'if ("static-96-254-126-11.tampfl.fios.verizon.net" =~ 
> > /[a-z]\S*\d+[^\d\s]\d+[^\d\s]\d+[^\d\s]\d+[^\d\s][^\.]*\.\S+\.\S+[^\]]+/) { 
> > print "Yes" } else { print "No" };'
> >   Yes
> > 
> > But the address doesn't appear to be in a dynamic block.  And it
> > doesn't look like a dynamic address pattern to me.

On 19.08.09 00:48, mouss wrote:
> The name of the rule is wrong, but the result is ok. Instead of
> "dynamic", I suggest: "UMO" for "Unidentifiable Mailing Object". whether
> static-ip- is static or not doesn't matter. a lot of junk comes from
> such hosts, and we can't report/complain to a domain, since the domain
> is that of the SP (and getting SPs to block abuse sources has proven
> vain).

I'd be glad to see if there's any difference in percentage of spam from
dynamic and static (generic) IP addresses.

There's also __RDNS_STATIC rule which excludes those "static" from being
considered as dynamic. There should be one for HELO rules too - 
It would make me angry if I got scored more just because my server is
properly configured and uses proper helo which is the same as RDNS
(some helo checks have higher score than RCVD_HELO_IP_MISMATCH)

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Enter any 12-digit prime number to continue.


Re: HELO_DYNAMIC_IPADDR false positive

2009-08-18 Thread Bob Proulx
Michael Scheidell wrote:
> if this is a client of yours, you might help them get a VALID RDNS and  
> setup the FQDN for their mail server.
> (more likely, its a zombie spambot anyway, )

Not related to me in any way.  The mail message generated from there
was legitimate.  It came *to* a client of mine but one I have little
control over either.  It came from a human to another human and was
caught as a false positive and that is all that I know about it.

Bob


Re: HELO_DYNAMIC_IPADDR false positive

2009-08-18 Thread mouss
Bob Proulx wrote:
> The following header line:
> 
>  Received: from static-96-254-126-11.tampfl.fios.verizon.net [96.254.126.11] 
> by
>  windows12.uvault.com with SMTP;   Wed, 12 Aug 2009 08:26:40 -0400
> 
> Hits the HELO_DYNAMIC_IPADDR rule.  I tested it this way:
> 
>   $ perl -le 'if ("static-96-254-126-11.tampfl.fios.verizon.net" =~ 
> /[a-z]\S*\d+[^\d\s]\d+[^\d\s]\d+[^\d\s]\d+[^\d\s][^\.]*\.\S+\.\S+[^\]]+/) { 
> print "Yes" } else { print "No" };'
>   Yes
> 
> But the address doesn't appear to be in a dynamic block.  And it
> doesn't look like a dynamic address pattern to me.
> 
> Bob

The name of the rule is wrong, but the result is ok. Instead of
"dynamic", I suggest: "UMO" for "Unidentifiable Mailing Object". whether
static-ip- is static or not doesn't matter. a lot of junk comes from
such hosts, and we can't report/complain to a domain, since the domain
is that of the SP (and getting SPs to block abuse sources has proven
vain).


Re: HELO_DYNAMIC_IPADDR false positive

2009-08-18 Thread RW
On Tue, 18 Aug 2009 16:51:46 +0200
Per Jessen wrote:

> Matus UHLAR - fantomas wrote:
> 
> > another serious question: should IPs with statically assigned IP
> > addresses get the same processing as if they were dynamically
> > assigned?
> 
> Probably not, but there's no guaranteed way of telling them apart. 
> 
> > Of course it's much better to have personalised DNS name than
> > generic one, but *DYNAMIC* should still not match, because the ip
> > is just not dynamic.
> 
> How do you know that?

Presumably because the reverse DNS contains "STATIC"

The SORBS DUL listing criteria contains this line:

"Generic reverse DNS naming is the most important criterion for
determining if an address range should be considered dynamically
assigned."

I think that makes sense, there are plenty of ordinary domestic
Windows boxes running on static addresses - it means practically
nothing. 


Re: HELO_DYNAMIC_IPADDR false positive

2009-08-18 Thread Matus UHLAR - fantomas
> Matus UHLAR - fantomas wrote:
> > another serious question: should IPs with statically assigned IP
> > addresses get the same processing as if they were dynamically
> > assigned?

On 18.08.09 16:51, Per Jessen wrote:
> Probably not, but there's no guaranteed way of telling them apart. 

there is - if they contain the word 'static' or at least 'sta', they are,
surprise, static...

> > Of course it's much better to have personalised DNS name than generic
> > one, but *DYNAMIC* should still not match, because the ip is just not
> > dynamic.

> How do you know that?

know what? that a static IP is static? That's by definition. I know ISPs
who use this static naming scheme. And if an ISP lies (I can't imagine any
reason other than being a complete idiot), well, all their IPs will get
blocked, they will get flooded by reports etc.


-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"The box said 'Requires Windows 95 or better', so I bought a Macintosh".


Re: HELO_DYNAMIC_IPADDR false positive

2009-08-18 Thread Per Jessen
Matus UHLAR - fantomas wrote:

> another serious question: should IPs with statically assigned IP
> addresses get the same processing as if they were dynamically
> assigned?

Probably not, but there's no guaranteed way of telling them apart. 

> Of course it's much better to have personalised DNS name than generic
> one, but *DYNAMIC* should still not match, because the ip is just not
> dynamic.

How do you know that?


/Per Jessen, Zürich



Re: HELO_DYNAMIC_IPADDR false positive

2009-08-18 Thread Matus UHLAR - fantomas
> Bob Proulx wrote:
>> The following header line:
>>
>>  Received: from static-96-254-126-11.tampfl.fios.verizon.net
>>  [96.254.126.11] by
>>  windows12.uvault.com with SMTP;   Wed, 12 Aug 2009 08:26:40 -0400
>>
>> Hits the HELO_DYNAMIC_IPADDR rule.  I tested it this way:
>>
>>   $ perl -le 'if ("static-96-254-126-11.tampfl.fios.verizon.net" =~ 
>> /[a-z]\S*\d+[^\d\s]\d+[^\d\s]\d+[^\d\s]\d+[^\d\s][^\.]*\.\S+\.\S+[^\]]+/) { 
>> print "Yes" } else { print "No" };'
>>   Yes
>>
>> But the address doesn't appear to be in a dynamic block.  And it
>> doesn't look like a dynamic address pattern to me.

On 18.08.09 05:37, Michael Scheidell wrote:
> says 'static', but, a serious question:  is the mail server at that ip  
> REALLY setup with a FQDN of
>
> static-96-254-126-11.tampfl.fios.verizon.net

another serious question: should IPs with statically assigned IP addresses
get the same processing as if they were dynamically assigned?

I don't think so. Dynamic IP addresses are often in dynamic blacklists and
other blacklists don't have value there, since spamming clients may reconnect
and get another IP.

> the helo_dynamic_ipaddr rule also catches 'static' ip addresses used by  
> spambots that are operating on static workstation ip addresses.
>
> if this is a client of yours, you might help them get a VALID RDNS and  
> setup the FQDN for their mail server.
> (more likely, its a zombie spambot anyway, )

Of course it's much better to have a personalised DNS name than a generic one,
but *DYNAMIC* should still not match, because the ip is just not dynamic.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!


Re: HELO_DYNAMIC_IPADDR false positive

2009-08-18 Thread Michael Scheidell

Bob Proulx wrote:
> The following header line:
>
>  Received: from static-96-254-126-11.tampfl.fios.verizon.net
>  [96.254.126.11] by
>  windows12.uvault.com with SMTP;   Wed, 12 Aug 2009 08:26:40 -0400
>
> Hits the HELO_DYNAMIC_IPADDR rule.  I tested it this way:
>
>   $ perl -le 'if ("static-96-254-126-11.tampfl.fios.verizon.net" =~
> /[a-z]\S*\d+[^\d\s]\d+[^\d\s]\d+[^\d\s]\d+[^\d\s][^\.]*\.\S+\.\S+[^\]]+/) {
> print "Yes" } else { print "No" };'
>   Yes
>
> But the address doesn't appear to be in a dynamic block.  And it
> doesn't look like a dynamic address pattern to me.
>
> Bob

says 'static', but, a serious question:  is the mail server at that ip
REALLY setup with a FQDN of

static-96-254-126-11.tampfl.fios.verizon.net

the helo_dynamic_ipaddr rule also catches 'static' ip addresses used by
spambots that are operating on static workstation ip addresses.

if this is a client of yours, you might help them get a VALID RDNS and
setup the FQDN for their mail server.
(more likely, its a zombie spambot anyway, )



HELO_DYNAMIC_IPADDR false positive

2009-08-17 Thread Bob Proulx
The following header line:

 Received: from static-96-254-126-11.tampfl.fios.verizon.net [96.254.126.11] by
 windows12.uvault.com with SMTP;   Wed, 12 Aug 2009 08:26:40 -0400

Hits the HELO_DYNAMIC_IPADDR rule.  I tested it this way:

  $ perl -le 'if ("static-96-254-126-11.tampfl.fios.verizon.net" =~
      /[a-z]\S*\d+[^\d\s]\d+[^\d\s]\d+[^\d\s]\d+[^\d\s][^\.]*\.\S+\.\S+[^\]]+/)
      { print "Yes" } else { print "No" };'
  Yes

But the address doesn't appear to be in a dynamic block.  And it
doesn't look like a dynamic address pattern to me.

Bob
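As an added example (not code from the thread or from SpamAssassin), the pattern Bob tested above, run from Python over the Received: line he posted and over a few constructed HELO names, together with the "static" exemption Matus argues for later in the thread, expressed the way SpamAssassin would express it: a sub-rule plus a meta rule that fires only when the dynamic pattern matches and the static one does not. The regex is copied verbatim from Bob's test; everything else is an assumption: the exemption pattern (SpamAssassin's real __RDNS_STATIC text is not reproduced here), the meta rule name HELO_DYNAMIC_NOT_STATIC, the functions parse_received and score_helo, and the host names other than the Verizon one.

```python
import re

# The expression Bob tested, compiled verbatim. Perl's =~ is an unanchored
# match, so re.search is the equivalent below. SpamAssassin applies its real
# rule inside a larger Received-header pattern; this reproduces only the
# test from the thread.
HELO_DYNAMIC_IPADDR = re.compile(
    r"[a-z]\S*\d+[^\d\s]\d+[^\d\s]\d+[^\d\s]\d+[^\d\s][^\.]*\.\S+\.\S+[^\]]+"
)

# Assumed stand-in for the static exemption Matus asks for: a label that
# begins with "static" or "sta" directly before a separator or a digit.
# This is the idea, not SpamAssassin's own __RDNS_STATIC text.
HELO_STATIC = re.compile(r"(?:^|[.-])(?:static|sta)(?=[.-]|\d)", re.I)

# Received: line in the shape Bob posted, folded or not.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\[(?P<ip>[0-9.]+)\]\s+by\s+(?P<by>\S+)",
    re.I,
)

# The header from the thread, constructed here as a folded line.
SAMPLE_RECEIVED = (
    "Received: from static-96-254-126-11.tampfl.fios.verizon.net"
    " [96.254.126.11] by\n"
    "  windows12.uvault.com with SMTP;   Wed, 12 Aug 2009 08:26:40 -0400"
)


def parse_received(line: str) -> dict:
    """Return helo, ip and by from a Received: line, unfolding it first."""
    m = RECEIVED_RE.search(" ".join(line.split()))
    if not m:
        raise ValueError("unrecognised Received: line")
    return m.groupdict()


def score_helo(helo: str) -> list:
    """Names of the rules that fire on a HELO name: Bob's pattern, the
    assumed static exemption, and an assumed meta rule that fires only when
    the name looks dynamic and does not announce itself as static."""
    dynamic = bool(HELO_DYNAMIC_IPADDR.search(helo))
    static = bool(HELO_STATIC.search(helo))
    hits = []
    if dynamic:
        hits.append("HELO_DYNAMIC_IPADDR")
    if static:
        hits.append("__HELO_STATIC")
    if dynamic and not static:
        hits.append("HELO_DYNAMIC_NOT_STATIC")
    return hits


if __name__ == "__main__":
    hdr = parse_received(SAMPLE_RECEIVED)
    print(f"helo={hdr['helo']} ip={hdr['ip']} by={hdr['by']}")
    # The Verizon name from the thread plus constructed ones.
    for name in (
        hdr["helo"],
        "host-192-0-2-7.dhcp.example.net",
        "sta12.isp.example",
        "mail.example.org",
    ):
        print(f"{name:48} {score_helo(name)}")
```

Running it shows Bob's case directly: the Verizon name fires HELO_DYNAMIC_IPADDR, exactly as his Perl one-liner reported, and the only thing that separates it from a DHCP-style name is the exemption, which is what Matus wants and mouss considers irrelevant. The meta rule is where a local scoring policy would go; the pattern itself cannot tell static from dynamic, only "derived from the address" from "not derived from the address".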