Re: Non-blocklisted embedded URLs are getting hits on URIBL_AB_SURBL and URIBL_PH_SURBL in SpamAssassin 3.1.5

2006-10-03 Thread Jeff Chan
If it helps, here's what I wrote for the SURBL FAQ:

  http://www.surbl.org/faq.html#opendns


I'm using OpenDNS and getting wrong answers to SURBL DNS queries

OpenDNS is a service that changes the responses to some DNS
queries in order to prevent users from visiting spam, phishing,
etc., sites. It also has a typo correction feature that directs
mistyped domain names to custom sites controlled by OpenDNS
instead of sites controlled by typosquatters, phishers, etc.

When using SURBLs with an OpenDNS nameserver it's important to
disable the typo correction feature, or the responses to
non-matching SURBL queries will be incorrect to a SURBL
application. The reason is that the OpenDNS nameservers return an
IP address of their own web site in those cases, and that
modified IP address will have an incorrect effect on SURBL list
identification that depends on where the bit patterns happen to
be in the modified response. 

SURBLs will work with OpenDNS if their typo correction feature is
disabled on servers or clients doing SURBL queries.
Alternatively, consider using non-OpenDNS nameservers on those
systems. 

Note also that SURBL applications may be incompatible with other
DNS modification or proxy services that change the DNS query
results of non-matches (NXDOMAIN results).


Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



Re: Non-blocklisted embedded URLs are getting hits on URIBL_AB_SURBL and URIBL_PH_SURBL in SpamAssassin 3.1.5

2006-10-03 Thread Justin Mason

thanks Jeff!  here's the new FAQ entry:
http://wiki.apache.org/spamassassin/OpenDnsAndUribls
feel free to modify, guys.

--j.

Jeff Chan writes:
 If it helps, here's what I wrote for the SURBL FAQ:
 
   http://www.surbl.org/faq.html#opendns
 
 
 I'm using OpenDNS and getting wrong answers to SURBL DNS queries
 
 OpenDNS is a service that changes the responses to some DNS
 queries in order to prevent users from visiting spam, phishing,
 etc., sites. It also has a typo correction feature that directs
 mistyped domain names to custom sites controlled by OpenDNS
 instead of sites controlled by typosquatters, phishers, etc.
 
 When using SURBLs with an OpenDNS nameserver it's important to
 disable the typo correction feature, or the responses to
 non-matching SURBL queries will be incorrect to a SURBL
 application. The reason is that the OpenDNS nameservers return an
 IP address of their own web site in those cases, and that
 modified IP address will have an incorrect effect on SURBL list
 identification that depends on where the bit patterns happen to
 be in the modified response. 
 
 SURBLs will work with OpenDNS if their typo correction feature is
 disabled on servers or clients doing SURBL queries.
 Alternatively, consider using non-OpenDNS nameservers on those
 systems. 
 
 Note also that SURBL applications may be incompatible with other
 DNS modification or proxy services that change the DNS query
 results of non-matches (NXDOMAIN results).
 
 
 Jeff C.
 -- 
 Jeff Chan
 mailto:[EMAIL PROTECTED]
 http://www.surbl.org/


Re: Non-blocklisted embedded URLs are getting hits on URIBL_AB_SURBL and URIBL_PH_SURBL in SpamAssassin 3.1.5

2006-10-02 Thread Justin Mason

David Ulevitch writes:
On Sep 30, 2006, at 3:30 AM, Justin Mason wrote:

 David Ulevitch writes:

 Donald,

 We handle DNSBLs but not URIBLs, at the moment.  Passing along to
 Noah to see what he can do.  Sorry you had this happen to your
 SpamAssassin scoring. (Time to check mine... :-) )

 You can resolve this behavior by turning off typo correction in your
 preferences page and it'll work again with us returning NXDOMAIN
 (RCODE=3) instead of doing the typo correction service.  Hopefully we
 can get more granular with that in the future.

 If you are on a dynamic IP, well, just sit tight for a couple more
 weeks or email me to start beta testing some code this week to handle
 dynamic IPs (and that offer is for anyone).

 David --

 Thanks for commenting, and good to hear it doesn't affect traditional
 DNSBL lookups.   It sounds like we should probably add a temporary
 SpamAssassin FAQ entry for this?


Justin,

That sounds like a good idea.  Want me to write one up for you in the  
style of the SA FAQ or is there enough in my post above to toss one  
in until we are better able to address URIBLs?

David --

if you could add it to the FAQ at

  http://wiki.apache.org/spamassassin/FixingErrors

that'd be great -- it's a wiki, so editing is easy.  I'm not quite
sure of all the details, so I'd prefer if someone with more knowledge
could write it up.  cheers ;)

--j.


Re: Non-blocklisted embedded URLs are getting hits on URIBL_AB_SURBL and URIBL_PH_SURBL in SpamAssassin 3.1.5

2006-09-30 Thread Justin Mason

David Ulevitch writes:
 From: Chris [EMAIL PROTECTED]
 To: users@spamassassin.apache.org
 Date: Friday, September 29, 2006, 3:59:03 PM
 Subject: Non-blocklisted embedded URLs are getting hits on  
 URIBL_AB_SURBL and URIBL_PH_SURBL in SpamAssassin 3.1.5

 ===8==Original message text===
 On Thursday 28 September 2006 1:17 am, Donald Craig wrote:
 And Theo Van Dinter pointed out:
 You're not by chance using the opendns.{com,org} folks for DNS, are you?

 Of course.  I'm an idiot.  I switched to OpenDNS a couple of weeks back.
 Time to return from whence I came.  Thank you,

Donald,

We handle DNSBLs but not URIBLs, at the moment.  Passing along to  
Noah to see what he can do.  Sorry you had this happen to your  
SpamAssassin scoring. (Time to check mine... :-) )

You can resolve this behavior by turning off typo correction in your  
preferences page and it'll work again with us returning NXDOMAIN  
(RCODE=3) instead of doing the typo correction service.  Hopefully we  
can get more granular with that in the future.

If you are on a dynamic IP, well, just sit tight for a couple more  
weeks or email me to start beta testing some code this week to handle  
dynamic IPs (and that offer is for anyone).

David -- 

Thanks for commenting, and good to hear it doesn't affect traditional
DNSBL lookups.   It sounds like we should probably add a temporary
SpamAssassin FAQ entry for this?

--j.

Thanks,
David Ulevitch (from OpenDNS)


 Don Craig
 
 I'm getting matches whenever I have an embedded URL
 on URIBL_AB_SURBL and URIBL_PH_SURBL -
 unless the URL is actually in URIBL_SBL, in which case the
 logic for all the flavors of URIBL_XX_SURBL seems
 to work correctly.  I have verified the
 absence of the incorrectly matching URLs from SURBL
 with lookups in http://www.rulesemporium.com/cgi-bin/uribl.cgi

 This is SpamAssassin 3.1.5, all was fine in 3.1.2.

 For now I have set both those tests to 0.00.

 Don Craig
 Yes, OpenDNS definitely caused problems for me also:

 Sep  1 21:51:25 localhost spamd[10939]: uridnsbl: bogus rr for
 domain=otwaloow.com, rule=URIBL_XS_SURBL, id=8880
 rr=otwaloow.com.xs.surbl.org. 1 IN A 208.67.219.40
 at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Plugin/URIDNSBL.pm line
 626.

 Theo pointed out the errors of my ways:

 The error is saying that it's looking for a 127/8 result, but it gets
 208.67.219.40 (which resolves to a *.opendns.com name btw).  So I would
 say that yes, the problems are related to changing your nameservers.


 -- 
 Chris

 ===8===End of original message text===





Re: Non-blocklisted embedded URLs are getting hits on URIBL_AB_SURBL and URIBL_PH_SURBL in SpamAssassin 3.1.5

2006-09-30 Thread David Ulevitch

On Sep 30, 2006, at 3:30 AM, Justin Mason wrote:


David Ulevitch writes:


Donald,

We handle DNSBLs but not URIBLs, at the moment.  Passing along to
Noah to see what he can do.  Sorry you had this happen to your
SpamAssassin scoring. (Time to check mine... :-) )

You can resolve this behavior by turning off typo correction in your
preferences page and it'll work again with us returning NXDOMAIN
(RCODE=3) instead of doing the typo correction service.  Hopefully we
can get more granular with that in the future.

If you are on a dynamic IP, well, just sit tight for a couple more
weeks or email me to start beta testing some code this week to handle
dynamic IPs (and that offer is for anyone).


David --

Thanks for commenting, and good to hear it doesn't affect traditional
DNSBL lookups.   It sounds like we should probably add a temporary
SpamAssassin FAQ entry for this?



Justin,

That sounds like a good idea.  Want me to write one up for you in the  
style of the SA FAQ or is there enough in my post above to toss one  
in until we are better able to address URIBLs?


-david



Re: Non-blocklisted embedded URLs are getting hits on URIBL_AB_SURBL and URIBL_PH_SURBL in SpamAssassin 3.1.5

2006-09-29 Thread Jeff Chan
On Wednesday, September 27, 2006, 11:17:59 PM, Donald Craig wrote:
 And Theo Van Dinter pointed out:
 You're not by chance using the opendns.{com,org} folks for DNS, are you?

 Of course.  I'm an idiot.  I switched to OpenDNS a couple of weeks back.
 Time to return from whence I came.  Thank you,
 Don Craig
  
 I'm getting matches whenever I have an embedded URL
 on URIBL_AB_SURBL and URIBL_PH_SURBL -
 unless the URL is actually in URIBL_SBL, in which case the
 logic for all the flavors of URIBL_XX_SURBL seems
 to work correctly.  I have verified the
 absence of the incorrectly matching URLs from SURBL
 with lookups in http://www.rulesemporium.com/cgi-bin/uribl.cgi

 This is SpamAssassin 3.1.5, all was fine in 3.1.2.

 For now I have set both those tests to 0.00.

 Don Craig



Thanks for the reminder guys.  I've added the following note
about OpenDNS compatibility to the SURBL FAQ:
__

  http://www.surbl.org/faq.html#opendns

I'm using OpenDNS and getting wrong answers to SURBL DNS queries

OpenDNS is a service that changes the responses to some DNS
queries in order to prevent users from visiting spam, phishing,
etc., sites. It also has a typo correction feature that directs
mistyped domain names to custom sites controlled by OpenDNS
instead of sites controlled by typosquatters, phishers, etc.

When using SURBLs with an OpenDNS nameserver it's important to
disable the typo correction feature, or the responses to
non-matching SURBL queries will be incorrect to a SURBL
application. The reason is that the OpenDNS nameservers return an
IP address of their own web site in those cases, and that
modified IP address will have an incorrect effect on SURBL list
identification that depends on where the bit patterns happen to
be in the modified response.

SURBLs will work with OpenDNS if their typo correction feature is
disabled on servers or clients doing SURBL queries.

__

Does that look about right?

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



Re: Non-blocklisted embedded URLs are getting hits on URIBL_AB_SURBL and URIBL_PH_SURBL in SpamAssassin 3.1.5

2006-09-29 Thread Donald Craig




Well I think the FAQ note is a good idea, since a hyperactive
DNS server wasn't the first thing I thought of when I saw
this problem. However, turning off the OpenDNS hyperactivity
does require a fixed IP address to originate the queries - I
found it easier to use OpenDNS for my desktops, and switch
to something else for the SpamAssassin server.

cheers,
Don Craig

Jeff Chan wrote:

  On Wednesday, September 27, 2006, 11:17:59 PM, Donald Craig wrote:
  
  
And Theo Van Dinter pointed out:
You're not by chance using the opendns.{com,org} folks for DNS, are you?

  
  Of course.  I'm an idiot.  I switched to OpenDNS a couple of weeks back.
Time to return from whence I came.  Thank you,
Don Craig
 
I'm getting matches whenever I have an embedded URL
on URIBL_AB_SURBL and URIBL_PH_SURBL -
unless the URL is actually in URIBL_SBL, in which case the
logic for all the flavors of URIBL_XX_SURBL seems
to work correctly.  I have verified the
absence of the incorrectly matching URLs from SURBL
with lookups in http://www.rulesemporium.com/cgi-bin/uribl.c
  This is SpamAssassin 3.1.5, all was fine in 3.1.2.
  
  For now I have set both those tests to 0.00.
  
  Don Craig

  



  
Thanks for the reminder guys.  I've added the following note
about OpenDNS compatibility to the SURBL FAQ:
__

  http://www.surbl.org/faq.html#opendns

"I'm using OpenDNS and getting wrong answers to SURBL DNS queries

OpenDNS is a service that changes the responses to some DNS
queries in order to prevent users from visiting spam, phishing,
etc., sites. It also has a "typo correction" feature that directs
mistyped domain names to custom sites controlled by OpenDNS
instead of sites controlled by typosquatters, phishers, etc.

When using SURBLs with an OpenDNS nameserver it's important to
disable the typo correction feature, or the responses to
non-matching SURBL queries will be incorrect to a SURBL
application. The reason is that the OpenDNS nameservers return an
IP address of their own web site in those cases, and that
modified IP address will have an incorrect effect on SURBL list
identification that depends on where the bit patterns happen to
be in the modified response.

SURBLs will work with OpenDNS if their typo correction feature is
disabled on servers or clients doing SURBL queries."

__

Does that look about right?

Jeff C.

  





Re: Non-blocklisted embedded URLs are getting hits on URIBL_AB_SURBL and URIBL_PH_SURBL in SpamAssassin 3.1.5

2006-09-29 Thread Chris
On Thursday 28 September 2006 1:17 am, Donald Craig wrote:
 And Theo Van Dinter pointed out:
 You're not by chance using the opendns.{com,org} folks for DNS, are you?

 Of course.  I'm an idiot.  I switched to OpenDNS a couple of weeks back.
 Time to return from whence I came.  Thank you,
 Don Craig
 
 I'm getting matches whenever I have an embedded URL
 on URIBL_AB_SURBL and URIBL_PH_SURBL -
 unless the URL is actually in URIBL_SBL, in which case the
 logic for all the flavors of URIBL_XX_SURBL seems
 to work correctly.  I have verified the
 absence of the incorrectly matching URLs from SURBL
 with lookups in http://www.rulesemporium.com/cgi-bin/uribl.cgi

 This is SpamAssassin 3.1.5, all was fine in 3.1.2.

 For now I have set both those tests to 0.00.

 Don Craig
Yes, OpenDNS definitely caused problems for me also:

Sep  1 21:51:25 localhost spamd[10939]: uridnsbl: bogus rr for 
domain=otwaloow.com, rule=URIBL_XS_SURBL, id=8880 
rr=otwaloow.com.xs.surbl.org. 1 IN A 208.67.219.40 
at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Plugin/URIDNSBL.pm line 
626. 

Theo pointed out the errors of my ways:

 The error is saying that it's looking for a 127/8 result, but it gets
 208.67.219.40 (which resolves to a *.opendns.com name btw).  So I would
 say that yes, the problems are related to changing your nameservers.


-- 
Chris
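
An added example, not from any poster in this thread or from SpamAssassin's code, of the failure described in the SURBL FAQ note and in Theo's 127/8 remark: decoding the last octet of a rewritten answer as a list bitmask versus rejecting anything outside 127/8, plus a canary lookup that detects a resolver rewriting NXDOMAIN. Assumptions: the bit values are those of the combined multi.surbl.org zone as used by SpamAssassin 3.1-era rules (not given in the thread), and the canary name, the two resolver functions and the listed sample domain are constructed for illustration.

```python
import ipaddress

# Assumption: bit values of the combined multi.surbl.org zone as used by
# SpamAssassin 3.1-era URIBL_*_SURBL rules; the thread does not list them.
SURBL_BITS = {2: "SC", 4: "WS", 8: "PH", 16: "OB", 32: "AB", 64: "JP"}
EXPECTED_NET = ipaddress.ip_network("127.0.0.0/8")


def naive_lists(answer):
    """Treat the last octet as a bitmask without checking the address range."""
    last_octet = int(answer.split(".")[3])
    return [name for bit, name in sorted(SURBL_BITS.items()) if last_octet & bit]


def checked_lists(answer):
    """Decode only answers inside 127/8; None stands for NXDOMAIN (not listed)."""
    if answer is None:
        return []
    if ipaddress.ip_address(answer) not in EXPECTED_NET:
        raise ValueError(f"bogus rr {answer}: expected a 127/8 result")
    return naive_lists(answer)


def resolver_rewrites_nxdomain(resolve, zone="multi.surbl.org"):
    """Canary check: a name that cannot be listed must return NXDOMAIN."""
    canary = f"canary-not-listed.invalid.{zone}"  # hypothetical probe name
    return resolve(canary) is not None


def honest_resolver(name):
    # Constructed data: one listed domain, everything else is NXDOMAIN (None).
    return {"listed.example.multi.surbl.org": "127.0.0.4"}.get(name)


def rewriting_resolver(name):
    # Constructed: substitutes the address seen in the log for every NXDOMAIN.
    return honest_resolver(name) or "208.67.219.40"


if __name__ == "__main__":
    rewritten = rewriting_resolver("not-listed.example.multi.surbl.org")
    print("naive decode of", rewritten, "->", naive_lists(rewritten))
    try:
        checked_lists(rewritten)
    except ValueError as err:
        print("checked decode ->", err)
    for resolver in (honest_resolver, rewriting_resolver):
        print(resolver.__name__, "rewrites NXDOMAIN:",
              resolver_rewrites_nxdomain(resolver))
```

Under the assumed bit table, the last octet of the address in the log (40 = 8 + 32) decodes to PH and AB.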




Re: Non-blocklisted embedded URLs are getting hits on URIBL_AB_SURBL and URIBL_PH_SURBL in SpamAssassin 3.1.5

2006-09-29 Thread David Ulevitch

From: Chris [EMAIL PROTECTED]
To: users@spamassassin.apache.org
Date: Friday, September 29, 2006, 3:59:03 PM
Subject: Non-blocklisted embedded URLs are getting hits on  
URIBL_AB_SURBL and URIBL_PH_SURBL in SpamAssassin 3.1.5


===8==Original message text===
On Thursday 28 September 2006 1:17 am, Donald Craig wrote:

And Theo Van Dinter pointed out:
You're not by chance using the opendns.{com,org} folks for DNS, are you?

Of course.  I'm an idiot.  I switched to OpenDNS a couple of weeks back.
Time to return from whence I came.  Thank you,


Donald,

We handle DNSBLs but not URIBLs, at the moment.  Passing along to  
Noah to see what he can do.  Sorry you had this happen to your  
SpamAssassin scoring. (Time to check mine... :-) )


You can resolve this behavior by turning off typo correction in your  
preferences page and it'll work again with us returning NXDOMAIN  
(RCODE=3) instead of doing the typo correction service.  Hopefully we  
can get more granular with that in the future.


If you are on a dynamic IP, well, just sit tight for a couple more  
weeks or email me to start beta testing some code this week to handle  
dynamic IPs (and that offer is for anyone).


Thanks,
David Ulevitch (from OpenDNS)



Don Craig

I'm getting matches whenever I have an embedded URL
on URIBL_AB_SURBL and URIBL_PH_SURBL -
unless the URL is actually in URIBL_SBL, in which case the
logic for all the flavors of URIBL_XX_SURBL seems
to work correctly.  I have verified the
absence of the incorrectly matching URLs from SURBL
with lookups in http://www.rulesemporium.com/cgi-bin/uribl.cgi

This is SpamAssassin 3.1.5, all was fine in 3.1.2.

For now I have set both those tests to 0.00.

Don Craig

Yes, OpenDNS definitely caused problems for me also:

Sep  1 21:51:25 localhost spamd[10939]: uridnsbl: bogus rr for
domain=otwaloow.com, rule=URIBL_XS_SURBL, id=8880
rr=otwaloow.com.xs.surbl.org. 1 IN A 208.67.219.40
at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Plugin/URIDNSBL.pm line
626.

Theo pointed out the errors of my ways:


The error is saying that it's looking for a 127/8 result, but it gets
208.67.219.40 (which resolves to a *.opendns.com name btw).  So I would
say that yes, the problems are related to changing your nameservers.



--
Chris

===8===End of original message text===





Re: Non-blocklisted embedded URLs are getting hits on URIBL_AB_SURBL and URIBL_PH_SURBL in SpamAssassin 3.1.5

2006-09-28 Thread Donald Craig
And Theo Van Dinter pointed out:
You're not by chance using the opendns.{com,org} folks for DNS, are you?

Of course.  I'm an idiot.  I switched to OpenDNS a couple of weeks back.
Time to return from whence I came.  Thank you,
Don Craig
 
I'm getting matches whenever I have an embedded URL
on URIBL_AB_SURBL and URIBL_PH_SURBL -
unless the URL is actually in URIBL_SBL, in which case the
logic for all the flavors of URIBL_XX_SURBL seems
to work correctly.  I have verified the
absence of the incorrectly matching URLs from SURBL
with lookups in http://www.rulesemporium.com/cgi-bin/uribl.cgi

This is SpamAssassin 3.1.5, all was fine in 3.1.2.

For now I have set both those tests to 0.00.

Don Craig








Non-blocklisted embedded URLs are getting hits on URIBL_AB_SURBL and URIBL_PH_SURBL in SpamAssassin 3.1.5

2006-09-27 Thread Donald Craig
I'm getting matches whenever I have an embedded URL
on URIBL_AB_SURBL and URIBL_PH_SURBL -
unless the URL is actually in URIBL_SBL, in which case the
logic for all the flavors of URIBL_XX_SURBL seems
to work correctly.  I have verified the
absence of the incorrectly matching URLs from SURBL
with lookups in http://www.rulesemporium.com/cgi-bin/uribl.cgi

This is SpamAssassin 3.1.5, all was fine in 3.1.2.

For now I have set both those tests to 0.00.

Don Craig