RCVD_IN_DNSWL_MED whitelisting FREEMAIL

2013-08-25 Thread Jason Haar
Hi there

I just received some spam - got a score below 0. The real surprise was
the -2 points it got from RCVD_IN_DNSWL_MED - a surprise because the
domain was yahoo.co.uk!

I have no idea why DNSWL would ever give a negative score to any
FREEMAIL (I use the SA rulename there) server - all free mail services
will be prone to misuse

So I'm thinking of trying to counteract that via

meta     UNDO_DNSWL_WHITELIST   ( (RCVD_IN_DNSWL_MED) && FREEMAIL_FROM)
describe UNDO_DNSWL_WHITELIST   don't allow RCVD_IN_DNSWL_MED to whitelist freemail
score    UNDO_DNSWL_WHITELIST   2.0


Anyone see anything fundamentally wrong with that? It seems so obvious,
I'm thinking I've overlooked something :-)

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



Re: RCVD_IN_DNSWL_MED whitelisting FREEMAIL

2013-08-25 Thread Matthias Leisi
Could you please share the IP address (better: relevant Received:
header)? This seems like an error in our data.

-- Matthias, for the dnswl.org project

On Sun, Aug 25, 2013 at 10:19 PM, Jason Haar  wrote:
> Hi there
>
> I just received some spam - got a score below 0. The real surprise was
> the -2 points it got from RCVD_IN_DNSWL_MED - a surprise because the
> domain was yahoo.co.uk!
>
> I have no idea why DNSWL would ever give a negative score to any
> FREEMAIL (I use the SA rulename there) server - all free mail services
> will be prone to misuse
>
> So I'm thinking of trying to counteract that via
>
> meta     UNDO_DNSWL_WHITELIST   ( (RCVD_IN_DNSWL_MED) && FREEMAIL_FROM)
> describe UNDO_DNSWL_WHITELIST   don't allow RCVD_IN_DNSWL_MED to whitelist freemail
> score    UNDO_DNSWL_WHITELIST   2.0
>
>
> Anyone see anything fundamentally wrong with that? It seems so obvious,
> I'm thinking I've overlooked something :-)
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +1 408 481 8171
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>


Re: RCVD_IN_DNSWL_MED whitelisting FREEMAIL

2013-08-26 Thread Benny Pedersen

Jason Haar wrote on :

> Anyone see anything fundamentally wrong with that? It seems so obvious,
> I'm thinking I've overlooked something :-)

using domain names in iptables ?

dnswl is based on ips, freemail is based on domain names, if you see
stable results then it works :-)

best option is to sign up as a dnswl reporter, and report it as
spam


Re: RCVD_IN_DNSWL_MED whitelisting FREEMAIL

2013-08-26 Thread Jason Haar
On 26/08/13 20:16, Benny Pedersen wrote:
> Jason Haar wrote on :
>
>> Anyone see anything fundamentally wrong with that? It seems so obvious,
>> I'm thinking I've overlooked something :-)
>
> using domain names in iptables ?
>
> dnswl is based on ips, freemail is based on domain names, if you see
> stable results then it works :-)
>
>
d'oh! So it is. The IP was whitelisted - nothing to do with yahoo.co.uk

 Yep - looks like it was a good thing I asked ;-)


Thanks! And I'll report the spam to DNSWL too

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
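The point Benny makes, and that Jason's follow-up confirms, is that RCVD_IN_DNSWL_MED is keyed on a relay IP address while FREEMAIL_FROM is keyed on the From: domain, so the two rules look at unrelated parts of the message. The following is an added example, not code from the thread or from SpamAssassin or dnswl.org: a small offline model that builds the dnswl lookup name for a relay IP, decodes a 127.0.<category>.<trust> answer, and evaluates Jason's UNDO_DNSWL_WHITELIST meta rule on three constructed messages. Which Received: hop SpamAssassin actually queries depends on its trusted_networks configuration; this model simply takes the first hop outside our own networks, which is an assumption. The freemail domain list, the trusted network, the relay IPs (documentation ranges) and the DNS answers are all constructed stand-ins; the -2 score is the value Jason reports.

```python
# Added example (not from the thread, SpamAssassin or dnswl.org): offline model
# of IP-keyed DNSWL scoring versus domain-keyed FREEMAIL_FROM, plus the meta
# rule proposed in the thread.
import ipaddress
import re

# dnswl.org answers 127.0.<category>.<trust>; trust 2 ("med") is the level
# SpamAssassin's RCVD_IN_DNSWL_MED rule is tied to.
TRUST_NAMES = {0: "none", 1: "low", 2: "med", 3: "hi"}

# Constructed stand-ins (the real FreeMail plugin carries a much longer list).
FREEMAIL_DOMAINS = {"yahoo.co.uk", "yahoo.com", "gmail.com", "hotmail.com"}
TRUSTED_NETWORKS = ["10.0.0.0/8"]  # our own MX hosts (assumption)
# Constructed stand-in for live DNS answers from list.dnswl.org.
DNSWL_ANSWERS = {"7.113.0.203.list.dnswl.org": "127.0.3.2"}
DNSWL_MED_SCORE = -2.0       # the -2 points reported in the thread
FREEMAIL_FROM_SCORE = 0.001  # informational rule, near-zero score
UNDO_SCORE = 2.0             # from the proposed meta rule


def dnswl_query_name(ip):
    """Build the lookup name for an IPv4 relay: reversed octets + the dnswl zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + ".list.dnswl.org"


def decode_dnswl_answer(answer):
    """Turn a 127.0.<category>.<trust> A record into (category, trust name).
    Returns None for an unlisted relay (no answer) or an unexpected record."""
    if not answer:
        return None
    m = re.fullmatch(r"127\.0\.(\d{1,3})\.([0-3])", answer)
    if not m:
        return None
    return int(m.group(1)), TRUST_NAMES[int(m.group(2))]


def first_external_relay_ip(received, trusted_networks):
    """Walk Received: headers newest-first and return the first bracketed IP
    that is not inside our trusted networks (simplified model of the hop
    SpamAssassin looks up; the real choice is driven by trusted_networks)."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for hdr in received:
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hdr)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # malformed address literal; skip this hop
        if not any(ip in n for n in nets):
            return str(ip)
    return None


def score_message(msg, trusted_networks=TRUSTED_NETWORKS, answers=DNSWL_ANSWERS):
    """Return {rule: score} for the three rules discussed in the thread."""
    hits = {}
    relay = first_external_relay_ip(msg["received"], trusted_networks)
    listed = decode_dnswl_answer(answers.get(dnswl_query_name(relay))) if relay else None
    if listed and listed[1] == "med":
        hits["RCVD_IN_DNSWL_MED"] = DNSWL_MED_SCORE       # keyed on the relay IP
    from_domain = msg["from"].rsplit("@", 1)[-1].strip(">").lower()
    if from_domain in FREEMAIL_DOMAINS:
        hits["FREEMAIL_FROM"] = FREEMAIL_FROM_SCORE       # keyed on the From: domain
    # The thread's meta rule: ( (RCVD_IN_DNSWL_MED) && FREEMAIL_FROM )
    if "RCVD_IN_DNSWL_MED" in hits and "FREEMAIL_FROM" in hits:
        hits["UNDO_DNSWL_WHITELIST"] = UNDO_SCORE
    return hits


def total_score(hits):
    return round(sum(hits.values()), 3)


# Constructed sample Received: lines (documentation address ranges, no real hosts).
OUR_HOP = "from mx1.example.com (mx1.example.com [10.1.1.5]) by mail.example.com"
LISTED_RELAY = "from smtp.example.net (smtp.example.net [203.0.113.7]) by mx1.example.com"
UNLISTED_RELAY = "from smtp.example.org (smtp.example.org [198.51.100.9]) by mx1.example.com"

SAMPLES = {
    "freemail From via listed relay": {"from": "someone@yahoo.co.uk",
                                       "received": [OUR_HOP, LISTED_RELAY]},
    "freemail From via unlisted relay": {"from": "someone@yahoo.co.uk",
                                         "received": [OUR_HOP, UNLISTED_RELAY]},
    "corporate From via listed relay": {"from": "alice@corp.example.org",
                                        "received": [OUR_HOP, LISTED_RELAY]},
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        hits = score_message(msg)
        print(f"{name}: {hits} -> total {total_score(hits)}")
```

The first two samples carry the same yahoo.co.uk From: address but only the one relayed through the listed IP gets the DNSWL hit, which is the behaviour Jason ran into. The third sample shows the limit of the meta rule: a listed relay carrying a non-freemail From: address keeps its -2 with nothing to offset it, so the rule only masks the freemail subset of a mis-listed IP, and the durable fix is the one Matthias asks for, namely reporting the relay so the listing itself is corrected.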