Re: RCVD_IN_DNSWL_LOW
On Thu, 2007-10-25 at 03:13 -0400, Dan Mahoney, System Admin wrote:
> On Wed, 17 Oct 2007, ram wrote:
> > Sorry I meant like spamcop .. I think I must proof-read my own mail now before Ctrl-Enter :-)
>
> The problem with SpamCop is: the two step reporting process makes things a bear to do. I understand the logic behind it, but once or twice I've taken a couple hundred spam emails and spamassassin -r'd it...annoying as hell.

But people still report to spamcop. And you must agree spamcop has got *much* better now. If DNSWL has an automated reporting system like that I can vouch I will myself use such a reporting system without hassles. Especially because I would not like the excellent idea of DNSWL to fail

> I'd like it if they open-sourced their analysis engine so people could use it to report spam privately, but I know it's not happening.

I know we opensource guys despise anything that is not. Anyway that is not rocket science, it seems pretty straightforward to use one of our own
Re: RCVD_IN_DNSWL_LOW
Alex Woick writes:
> Dan Mahoney, System Admin wrote on 25.10.2007 09:13:
> > The problem with SpamCop is: the two step reporting process makes things a bear to do. I understand the logic behind it, but once or twice I've taken a couple hundred spam emails and spamassassin -r'd it...annoying as hell.
>
> I understand the two step reporting process too, and I too find it annoying and timeconsuming to ack my (manually reviewed) 50 spams per day to them, so I ceased to do it. There exist scripts for ack'ing automatically, but this is not the intention of this process, so this is no alternative for me.

They will turn this requirement off for you on their side, if you ask, if I recall correctly.

--j.
Re: RCVD_IN_DNSWL_LOW
Alex Woick wrote:
> [Spamcop]
> I understand the two step reporting process too, and I too find it annoying and timeconsuming to ack my (manually reviewed) 50 spams per day to them, so I ceased to do it. There exist scripts for ack'ing automatically, but this is not the intention of this process, so this is no alternative for me.

I don't speak for Spamcop, but I do speak for dnswl.org. From our experience I can tell that a manual review process is very important to ensure data quality. At least in the context of dnswl.org, there is little value in reporting for the sake of reporting alone -- there needs to be some quality control involved, or otherwise we run a high risk of including unwanted IP addresses.

Having said that, we of course welcome all reports on false positives, especially on IP addresses with a low, med or hi score, and we welcome all notifications of mailservers we do not yet know about.

-- Matthias
Re: [sa-list] Re: RCVD_IN_DNSWL_LOW
On Fri, 26 Oct 2007, Matthias Leisi wrote:
> Alex Woick wrote:
> > [Spamcop]
> > I understand the two step reporting process too, and I too find it annoying and timeconsuming to ack my (manually reviewed) 50 spams per day to them, so I ceased to do it. There exist scripts for ack'ing automatically, but this is not the intention of this process, so this is no alternative for me.
>
> I don't speak for Spamcop, but I do speak for dnswl.org. From our experience I can tell that a manual review process is very important to ensure data quality. At least in the context of dnswl.org, there is little value in reporting for the sake of reporting alone -- there needs to be some quality control involved, or otherwise we run a high risk of including unwanted IP addresses.
>
> Having said that, we of course welcome all reports on false positives, especially on IP addresses with a low, med or hi score, and we welcome all notifications of mailservers we do not yet know about.

It's rather simple, really. If I'm auto-reporting spams with a score of (let's say, 15...enough that regardless of the DNSWL score's negative it would still be enough to auto-learn as spam to DNSWL (and DNSWL is passing complaints onto the original mailserver, which seems a logical thing) this serves as a reminder to the original mail server (let us say, in this case, two things).

This is the kind of thing that I would suggest be an enhancement to SA (but off by default for privacy reasons), on the spamd side, at the same time as bayes auto-learning happens.

1) That they are sending spam that risks their whitelist rating.

and

2) That the email they are sending is probably too spammish ANYWAY, if it's of a high enough threshold ABOVE the DNSWL score to still be reported.

If you are a spammer, this allows you not only to listwash, but also to scrub and detail your email so it hits less SA rules -- of course, if you are any kind of pro spammer, presumably you are running your mails through at least a standard SA install anyway to test them.

If on the other hand you are a legitimate user of this service, *and* you are a producer of regular volumes of email, locally originated, that has some spammish tendencies (badly formed HTML parts, or being sent by a non-malicious script, then it allows you to correct other means of those false positive.

Naturally, if DNSWL isn't reporting back to the mailserver user, none of the above applies.

Manually reporting, on the other hand, is something that I would tie into the spamassassin -r functions, and much LIKE spamcop or the others, I'd suggest one or two extra pieces of data:

Some kind of a reporting ID, which determined the severity of the report (i.e. anonymous reports were given less credence).

And if the reports were going to be given back to the original mailserver again, some option to have the identifying data stripped.

Also, the ability to view the number of reports for a given server helps as well.

-Dan

> -- Matthias

--
Amerikanskaya firma Transceptor Technology pristupila k poizvodstu komputerov Personal'ni Sputnik
Translates as: 'American company Transceptor Technology commenced the production of the computer personal sputnik'
--Snap, The Power

Dan Mahoney
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---
Re: RCVD_IN_DNSWL_LOW
On Wed, 17 Oct 2007, ram wrote:
> Sorry I meant like spamcop .. I think I must proof-read my own mail now before Ctrl-Enter :-)

The problem with SpamCop is: the two step reporting process makes things a bear to do. I understand the logic behind it, but once or twice I've taken a couple hundred spam emails and spamassassin -r'd it...annoying as hell.

I'd like it if they open-sourced their analysis engine so people could use it to report spam privately, but I know it's not happening.

-Dan

--
there is no loyalty in the business, so we stay away from things that piss people off
-The Boss, November 12, 2002

Dan Mahoney
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---
Re: RCVD_IN_DNSWL_LOW
On 10/25/2007 9:13 AM, Dan Mahoney, System Admin wrote:
> On Wed, 17 Oct 2007, ram wrote:
> > Sorry I meant like spamcop .. I think I must proof-read my own mail now before Ctrl-Enter :-)
>
> The problem with SpamCop is: the two step reporting process makes things a bear to do. I understand the logic behind it, but once or twice I've taken a couple hundred spam emails and spamassassin -r'd it...annoying as hell.
>
> I'd like it if they open-sourced their analysis engine so people could use it to report spam privately, but I know it's not happening.

ever thought about getting quick reporting status? (including mole?)

I haven't ACKD'd a report in years :-)

Alex
Re: RCVD_IN_DNSWL_LOW
Dan Mahoney, System Admin wrote:
> dnswl.org is either full of it, or not well maintained. I've gotten at least 20 spams which I see are listed in dnswl.org as low trust (which still merits -1.0).

All different IP addresses or some specific network?

> Could we maybe please add a feature to spamassassin -r (or some other hook to the generic whitelisting code) which reports this to the appropriate whitelist owner?

Can you forward such false positives to admins -at- dnswl.org, please?

Thanks,

-- Matthias, for dnswl.org
Re: [sa-list] Re: RCVD_IN_DNSWL_LOW
On Wed, 17 Oct 2007, Henrik Krohns wrote:
> On Tue, Oct 16, 2007 at 06:16:49PM -0400, Dan Mahoney, System Admin wrote:
> > dnswl.org is either full of it, or not well maintained. I've gotten at least 20 spams which I see are listed in dnswl.org as low trust (which still merits -1.0).
>
> Umm, did you actually read their pages?
>
> Low Occasional spam occurrences, actively corrected but less promptly.

My point was more along the lines of the fact that there's no method (other than manual notification) of doing Active Correction. DNSWL is a cool idea, but could we also come up with some sort of reporting plugin (disabled by default, optional) that could notify them when, say, a spam of score 15 or above also hits their rules.

> If you don't like it, change the scores.

Why not change the system?

-Dan

--
Why are you wearing TWO grounding straps?
-John Evans, Ezzi Computers August 23, 2001

Dan Mahoney
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---
Re: RCVD_IN_DNSWL_LOW
On Wed, 17 Oct 2007, Matthias Leisi wrote:

I forwarded over 200 of them earlier today (as an attachment -- total email size was about one meg). It would have been from this address.

-Dan

> Dan Mahoney, System Admin wrote:
> > dnswl.org is either full of it, or not well maintained. I've gotten at least 20 spams which I see are listed in dnswl.org as low trust (which still merits -1.0).
>
> All different IP addresses or some specific network?
>
> > Could we maybe please add a feature to spamassassin -r (or some other hook to the generic whitelisting code) which reports this to the appropriate whitelist owner?
>
> Can you forward such false positives to admins -at- dnswl.org, please?
>
> Thanks,
>
> -- Matthias, for dnswl.org

--
Oh, and we just recently got an invoice... Congratulations!
-JC and DM, regarding Unpredictable Billing, 8/18/2001

Dan Mahoney
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---
Re: [sa-list] Re: [sa-list] Re: RCVD_IN_DNSWL_LOW
On Wed, 17 Oct 2007, Henrik Krohns wrote:
> On Wed, Oct 17, 2007 at 02:48:49AM -0400, Dan Mahoney, System Admin wrote:
> > On Wed, 17 Oct 2007, Henrik Krohns wrote:
> > > On Tue, Oct 16, 2007 at 06:16:49PM -0400, Dan Mahoney, System Admin wrote:
> > > > dnswl.org is either full of it, or not well maintained. I've gotten at least 20 spams which I see are listed in dnswl.org as low trust (which still merits -1.0).
> > >
> > > Umm, did you actually read their pages?
> > >
> > > Low Occasional spam occurrences, actively corrected but less promptly.
> >
> > My point was more along the lines of the fact that there's no method (other than manual notification) of doing Active Correction.
>
> Sure, I just felt like being rude also. ;) You say at least 20 spam, but since it depends on what your total traffic is, it doesn't mean much.

Actually, that was a typo, of sorts...a more accurate metric would be:

Over 200 hits on that rule, with spams mostly over scores of ten, since October 8th, with total spam volume ( 5) about 1000.

Or...roughly 1/5 to 1/4 of all the spam in the past couple weeks.

-Dan

--
Is Gushi a person or an entity? Yes
-Bad Karma, August 25th 2001, Ezzi Computers, Quoting himself earlier, referring to Gushi

Dan Mahoney
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---
Re: [sa-list] Re: RCVD_IN_DNSWL_LOW
Dan Mahoney, System Admin wrote:
> My point was more along the lines of the fact that there's no method (other than manual notification) of doing Active Correction. DNSWL is a cool idea, but could we also come up with some sort of reporting plugin (disabled by default, optional) that could notify them when, say,

That is on the todo list. However, we currently prefer other feedback loops, since handling a (potentially large) number of feedback providers requires substantial work (you'll have to identify trustworthy feedback providers first!).

-- Matthias
Re: RCVD_IN_DNSWL_LOW
Dan Mahoney, System Admin wrote:
> I forwarded over 200 of them earlier today (as an attachment -- total email size was about one meg).

OK, I now could have a look at them (well, a sample of them, not each of the 200 individually).

All samples in that set have been forwarded through your livejournal.com account, and consequently sent to your server through a dnswl.org-listed server of livejournal.com (204.9.177.18, see http://www.dnswl.org/search.pl?s=1409).

Please configure your trusted_networks/internal_networks -- like that, you'll even get the benefit that all RBL lookups, whitelist_from_rcvd etc. profit from the correct information.

-- Matthias
Re: RCVD_IN_DNSWL_LOW
On Wed, 17 Oct 2007, Matthias Leisi wrote:
> > I forwarded over 200 of them earlier today (as an attachment -- total email size was about one meg).
>
> OK, I now could have a look at them (well, a sample of them, not each of the 200 individually).
>
> All samples in that set have been forwarded through your livejournal.com account, and consequently sent to your server through a dnswl.org-listed server of livejournal.com (204.9.177.18, see http://www.dnswl.org/search.pl?s=1409).

Livejournal's purely a mail forwarding service (i.e. there's no way to POP/IMAP that account) and if they can't effect proper controls on how mail is sent through them, then they shouldn't be trusted at all. On my end, I have degrees of control (false MXes, Blacklists, whitelists, greylists, sender callbacks, etc). I have no such control over the LJ MX'es.

I've proposed a reporting plugin on the sa-users list, that allows (both for yourself, as well as other whitelists) for the list-owner to be notified with details of high-spam activity (at which point, I guess, you guys could pass that on to your whitelisted groups, and/or adjust categories accordingly.

> Please configure your trusted_networks/internal_networks -- like that,

Like what? I think I missed what you want me to do.

> you'll even get the benefit that all RBL lookups, whitelist_from_rcvd etc. profit from the correct information.

-Dan

--
The first annual 5th of July party...have you been invited? It's a Jack Party. Okay, so Long Island's been invited.
--Cali and Gushi, 6/23/02

Dan Mahoney
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---
Re: RCVD_IN_DNSWL_LOW
Dan Mahoney, System Admin wrote:
> Livejournal's purely a mail forwarding service (i.e. there's no way to POP/IMAP that account)

As far as I know, there are mails originating from LJ itself (eg notifications etc)?

> and if they can't effect proper controls on how mail is sent through them, then they shouldn't be trusted at all. On my end, I have degrees of control (false MXes, Blacklists, whitelists, greylists, sender callbacks, etc). I have no such control over the LJ MX'es.

Correct. But by setting (in your local.cf or equivalent)

| trusted_networks 204.9.177.18

you are telling SpamAssassin that this relay is not operated by a spammer and that it should apply all black-/whitelist rules etc. to the IP address one more hop away. Then, in the context of SpamAssassin, you regain full control of connection-oriented rules.

That's not fully equivalent to having the actual spamming connection to deal with, but as close as it gets -- if you need it closer, you should not use forwarding services.

Forwarding services are edge case in spamfiltering. Usually, such a service is itself perfectly trustworthy and not the actual source of spam, and care must be taken not to unduly penalize these services for forwarded spam.

> I've proposed a reporting plugin on the sa-users list, that allows (both for yourself, as well as other whitelists) for the list-owner to be notified with details of high-spam activity (at which point, I guess, you guys could pass that on to your whitelisted groups, and/or adjust categories accordingly.

As I've answered before: That's already on the todo list. However, the main problem is not the plugin per se (technically, that is rather simple), but identifying trustworthy submitters.

-- Matthias
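The effect of the `trusted_networks` setting described in the message above, as an added example that is not part of the original thread and not SpamAssassin's own code: a simplified model of which relay a connection-oriented lookup such as DNSWL ends up checking. The Received headers, the host names and the 198.51.100.77 address are constructed; the `list.dnswl.org` zone name and the restricted parsing (plain IPv4 addresses or CIDR only) are assumptions of this sketch.

```python
import ipaddress
import re

# Constructed Received chain, newest header first: an unknown sender hands the
# message to the forwarder 204.9.177.18 (the address quoted in the thread),
# which relays it to the recipient's own server.
SAMPLE_HEADERS = [
    "Received: from mail.forwarder.example (mail.forwarder.example [204.9.177.18])"
    " by mx.recipient.example; Wed, 17 Oct 2007 02:00:05 -0400",
    "Received: from unknown (unknown [198.51.100.77])"
    " by mail.forwarder.example; Wed, 17 Oct 2007 02:00:01 -0400",
]

# IPv4 address of the connecting host, written as "from helo (rdns [a.b.c.d])".
RECEIVED_IP = re.compile(r"from\s+\S+\s+\([^)]*\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_trusted(conf_text):
    """Collect networks from trusted_networks lines of a local.cf fragment.

    Simplification: only full IPv4 addresses and CIDR blocks are accepted.
    """
    nets = []
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts and parts[0] == "trusted_networks":
            nets.extend(ipaddress.ip_network(p, strict=False) for p in parts[1:])
    return nets


def first_untrusted_relay(received_headers, trusted):
    """Walk outwards from our own server; return the first relay not trusted.

    A Received header is only believed if it was written by our own server or
    by a relay we trust, so the walk stops at the first untrusted address.
    An unparseable header ends the chain: nothing beyond it is reliable.
    """
    for header in received_headers:
        match = RECEIVED_IP.search(header)
        if match is None:
            return None
        ip = ipaddress.ip_address(match.group(1))
        if not any(ip in net for net in trusted):
            return ip
    return None  # every recorded relay is trusted; nothing external to check


def dnswl_query_name(ip, zone="list.dnswl.org"):
    """DNS name queried for an IPv4 address: reversed octets under the zone."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def checked_relay(conf_text, headers=SAMPLE_HEADERS):
    """Return (ip, query name) of the relay a whitelist lookup would test."""
    ip = first_untrusted_relay(headers, parse_trusted(conf_text))
    return None if ip is None else (str(ip), dnswl_query_name(ip))


if __name__ == "__main__":
    # Without the setting, the whitelisted forwarder itself is what gets looked up.
    print(checked_relay(""))
    # With it, the lookup moves one hop further out, to the host that
    # handed the message to the forwarder.
    print(checked_relay("trusted_networks 204.9.177.18"))
```
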
Re: RCVD_IN_DNSWL_LOW
On Wed, 17 Oct 2007, Matthias Leisi wrote:
> Dan Mahoney, System Admin wrote:
> > Livejournal's purely a mail forwarding service (i.e. there's no way to POP/IMAP that account)
>
> As far as I know, there are mails originating from LJ itself (eg notifications etc)?

No, Livejournal also gives you a [EMAIL PROTECTED] email address. Yes, they do also originate mail (for which we have things like SPF (which they do), DomainKeys, DKIM (which they don't, and in fact they may have an error for) -- as well as some of the more esoteric things like HashCash, GnuPG-signing, etc etc.)

> > and if they can't effect proper controls on how mail is sent through them, then they shouldn't be trusted at all. On my end, I have degrees of control (false MXes, Blacklists, whitelists, greylists, sender callbacks, etc). I have no such control over the LJ MX'es.
>
> Correct. But by setting (in your local.cf or equivalent)
>
> | trusted_networks 204.9.177.18
>
> you are telling SpamAssassin that this relay is not operated by a spammer and that it should apply all black-/whitelist rules etc. to the IP address one more hop away. Then, in the context of SpamAssassin, you regain full control of connection-oriented rules.

interesting point, I suppose. Kinda breaks the logic of trusted networks.

On the same note, would it not be more useful to, instead of using the static trusted_networks configuration, to use the DNSWL to determine if that logic should be in play? Or some kind of database of known forwarding services that work in such a manner?

> That's not fully equivalent to having the actual spamming connection to deal with, but as close as it gets -- if you need it closer, you should not use forwarding services.
>
> Forwarding services are edge case in spamfiltering. Usually, such a service is itself perfectly trustworthy and not the actual source of spam, and care must be taken not to unduly penalize these services for forwarded spam.

The problem therein lies in the fact that LJ notifications (comment notifications, friendslist notifications, account verification emails, etc) are passed through the exact same MXes as the [EMAIL PROTECTED] forwarding service.

> > I've proposed a reporting plugin on the sa-users list, that allows (both for yourself, as well as other whitelists) for the list-owner to be notified with details of high-spam activity (at which point, I guess, you guys could pass that on to your whitelisted groups, and/or adjust categories accordingly.
>
> As I've answered before: That's already on the todo list. However, the main problem is not the plugin per se (technically, that is rather simple), but identifying trustworthy submitters.

I suppose that depends on what we submit. If it's something verifiable (like, messageID:originating ip:spam level, it's easy). Just as with spamcop, one can choose to omit the message-id so that the spammers cannot track who is the spamtrap and listwash, but such reports could be given a lower precedence.

--
You're a nomad billygoat!
-Juston, July 18th, 2002

Dan Mahoney
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---
Re: RCVD_IN_DNSWL_LOW
Matthias Leisi wrote on 17.10.2007 09:46:
> Correct. But by setting (in your local.cf or equivalent)
>
> | trusted_networks 204.9.177.18
>
> you are telling SpamAssassin that this relay is not operated by a spammer and that it should apply all black-/whitelist rules etc. to the IP address one more hop away. Then, in the context of SpamAssassin, you regain full control of connection-oriented rules.
>
> That's not fully equivalent to having the actual spamming connection to deal with, but as close as it gets -- if you need it closer, you should not use forwarding services.

Good point. I think I start to understand what trusted_network is for and how it works. Currently, I have a provider whose MX receives mail for me and forwards it to my local mail server. Spam detection improved much when I added its IP address to trusted_networks some time ago.

Now, I occasionally get spam to my users.sourceforge.net account, just like Dan Mahoney is getting spam to his Livejournal account. Sourceforge is also listed with LOW at dnswl and acts as a forwarder to my own mail server. Since I never get spam from users.sourceforge.net accounts directly but only spam sent to my users.sourceforge.net account from random addresses, I suppose the Sourceforge mail server is trusted in that way that spam doesn't originate from it, and that's the purpose of trusted_network. Just like my Provider forwarding mail to me sent from random originators, but never produces spam itself.

Bye
Alex
Re: RCVD_IN_DNSWL_LOW
Dan Mahoney, System Admin writes:
> On Wed, 17 Oct 2007, Matthias Leisi wrote:
> > > On my end, I have degrees of control (false MXes, Blacklists, whitelists, greylists, sender callbacks, etc). I have no such control over the LJ MX'es.
> >
> > Correct. But by setting (in your local.cf or equivalent)
> >
> > | trusted_networks 204.9.177.18
> >
> > you are telling SpamAssassin that this relay is not operated by a spammer and that it should apply all black-/whitelist rules etc. to the IP address one more hop away. Then, in the context of SpamAssassin, you regain full control of connection-oriented rules.
>
> interesting point, I suppose. Kinda breaks the logic of trusted networks.

actually, this was exactly what trusted_networks was designed to do ;)

--j.
Re: RCVD_IN_DNSWL_LOW
On Wed, 2007-10-17 at 08:38 +0200, Matthias Leisi wrote:
> Dan Mahoney, System Admin wrote:
> > dnswl.org is either full of it, or not well maintained. I've gotten at least 20 spams which I see are listed in dnswl.org as low trust (which still merits -1.0).
>
> All different IP addresses or some specific network?
>
> > Could we maybe please add a feature to spamassassin -r (or some other hook to the generic whitelisting code) which reports this to the appropriate whitelist owner?
>
> Can you forward such false positives to admins -at- dnswl.org, please?

I have reported the spams hitting DNSWL_LOW on the dnswl.org site. But there is no decent way of reporting

I think dnswl is an excellent idea but there must be an easier way of reporting FPs. Probably forward mail as attachment ( like spamassassin ) , or an online form etc. If this is not being done for want of developers I can help.

Thanks
Ram
Re: RCVD_IN_DNSWL_LOW
On Wed, 2007-10-17 at 16:46 +0530, ram wrote:
> On Wed, 2007-10-17 at 08:38 +0200, Matthias Leisi wrote:
> > Dan Mahoney, System Admin wrote:
> > > dnswl.org is either full of it, or not well maintained. I've gotten at least 20 spams which I see are listed in dnswl.org as low trust (which still merits -1.0).
> >
> > All different IP addresses or some specific network?
> >
> > > Could we maybe please add a feature to spamassassin -r (or some other hook to the generic whitelisting code) which reports this to the appropriate whitelist owner?
> >
> > Can you forward such false positives to admins -at- dnswl.org, please?
>
> I have reported the spams hitting DNSWL_LOW on the dnswl.org site. But there is no decent way of reporting
>
> I think dnswl is an excellent idea but there must be an easier way of reporting FPs. Probably forward mail as attachment ( like spamassassin )

Sorry I meant like spamcop .. I think I must proof-read my own mail now before Ctrl-Enter :-)

> , or an online form etc. If this is not being done for want of developers I can help.
>
> Thanks
> Ram
Re: [sa-list] Re: RCVD_IN_DNSWL_LOW
On Wed, 17 Oct 2007, Alex Woick wrote:
> Matthias Leisi wrote on 17.10.2007 09:46:
> > Correct. But by setting (in your local.cf or equivalent)
> >
> > | trusted_networks 204.9.177.18
> >
> > you are telling SpamAssassin that this relay is not operated by a spammer and that it should apply all black-/whitelist rules etc. to the IP address one more hop away. Then, in the context of SpamAssassin, you regain full control of connection-oriented rules.
> >
> > That's not fully equivalent to having the actual spamming connection to deal with, but as close as it gets -- if you need it closer, you should not use forwarding services.
>
> Good point. I think I start to understand what trusted_network is for and how it works. Currently, I have a provider whose MX receives mail for me and forwards it to my local mail server. Spam detection improved much when I added its IP address to trusted_networks some time ago.
>
> Now, I occasionally get spam to my users.sourceforge.net account, just like Dan Mahoney is getting spam to his Livejournal account. Sourceforge is also listed with LOW at dnswl and acts as a forwarder to my own mail server. Since I never get spam from users.sourceforge.net accounts directly but only spam sent to my users.sourceforge.net account from random addresses, I suppose the Sourceforge mail server is trusted in that way that spam doesn't originate from it, and that's the purpose of trusted_network. Just like my Provider forwarding mail to me sent from random originators, but never produces spam itself.

Sure, but that means each person who is a member of one of these services has to:

* Look up their forwarded email address
* Look up the SPF record for that domain
-or-
* Take a best guess as to the fact that the receiving MX will also be the sending.

THEN

* Translate that into trusted networks statements, which are GLOBALLY trusted (either per server or per user, but NOT per envelope-recipient) -- which is fine for Livejournal or Sourceforge, I guess, I'd imagine their MXes are pretty dedicated, but I'm sure there's smaller cases.

But it might help to have some series of dynamic rule...whereby an address is DNSWL'd with a special code that lists it as a known relay for certain domains, and the trusted_networks logic extends automatically (if the relaying domain matches).

Apologies if I've repeated anything already said.

-Dan

--
there is no loyalty in the business, so we stay away from things that piss people off
-The Boss, November 12, 2002

Dan Mahoney
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---
RCVD_IN_DNSWL_LOW
dnswl.org is either full of it, or not well maintained. I've gotten at least 20 spams which I see are listed in dnswl.org as low trust (which still merits -1.0).

Could we maybe please add a feature to spamassassin -r (or some other hook to the generic whitelisting code) which reports this to the appropriate whitelist owner?

-Dan Mahoney

--
Dan Mahoney
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---