Re: [sa-list] Re: RCVD_IN_DNSWL_LOW

2007-10-26 Thread Dan Mahoney, System Admin

On Fri, 26 Oct 2007, Matthias Leisi wrote:





Alex Woick schrieb:

[Spamcop]
I understand the two-step reporting process too, and I too find it
annoying and time-consuming to ack my (manually reviewed) 50 spams per
day to them, so I ceased to do it. There exist scripts for ack'ing
automatically, but this is not the intention of this process, so this is
no alternative for me.


I don't speak for Spamcop, but I do speak for dnswl.org. From our
experience I can tell that a manual review process is very important to
ensure data quality.

At least in the context of dnswl.org, there is little value in reporting
for the sake of reporting alone -- there needs to be some quality
control involved, or otherwise we run a high risk of including unwanted
IP addresses.

Having said that, we of course welcome all reports on false positives,
especially on IP addresses with a low, med or hi score, and we
welcome all notifications of mailservers we do not yet know about.


It's rather simple, really.

If I'm auto-reporting spams with a score of (let's say, 15...enough that 
regardless of the DNSWL score's negative it would still be enough to 
auto-learn as spam) to DNSWL (and DNSWL is passing complaints on to the 
original mailserver, which seems a logical thing), this serves as a 
reminder to the original mail server (let us say, in this case, of two 
things).  This is the kind of thing that I would suggest be an enhancement 
to SA (but off by default for privacy reasons), on the spamd side, at the 
same time as bayes auto-learning happens.


1) That they are sending spam that risks their whitelist rating.

and

2) That the email they are sending is probably too spammish ANYWAY, if 
it's of a high enough threshold ABOVE the DNSWL score to still be 
reported.


If you are a spammer, this allows you not only to listwash, but also to 
scrub and detail your email so it hits less SA rules -- of course, if you 
are any kind of pro spammer, presumably you are running your mails through 
at least a standard SA install anyway to test them.


If on the other hand you are a legitimate user of this service, *and* you 
are a producer of regular volumes of email, locally originated, that has 
some spammish tendencies (badly formed HTML parts, or being sent by a 
non-malicious script), then it allows you to correct, by other means, those 
false positives.


Naturally, if DNSWL isn't reporting back to the mailserver user, none of 
the above applies.


Manually reporting, on the other hand, is something that I would tie into 
the spamassassin -r functions, and much LIKE spamcop or the others, I'd 
suggest one or two extra pieces of data:


Some kind of a reporting ID, which determined the severity of the report 
(i.e. anonymous reports were given less credence).  And if the reports 
were going to be given back to the original mailserver again, some option 
to have the identifying data stripped.


Also, the ability to view the number of reports for a given server helps 
as well.


-Dan

 

-- Matthias



--

Amerikanskaya firma Transceptor Technology pristupila k poizvodstu komputerov 
Personal'ni Sputnik

Translates as: 'American company Transceptor Technology commenced the production of the 
computer personal sputnik'

--Snap, The Power

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Re: [sa-list] Re: RCVD_IN_DNSWL_LOW

2007-10-17 Thread Dan Mahoney, System Admin

On Wed, 17 Oct 2007, Henrik Krohns wrote:


On Tue, Oct 16, 2007 at 06:16:49PM -0400, Dan Mahoney, System Admin wrote:

dnswl.org is either full of it, or not well maintained.

I've gotten at least 20 spams which I see are listed in dnswl.org as low
trust (which still merits -1.0).


Umm, did you actually read their pages?

Low: Occasional spam occurrences, actively corrected but less promptly.


My point was more along the lines of the fact that there's no method 
(other than manual notification) of doing Active Correction.  DNSWL is a 
cool idea, but could we also come up with some sort of reporting plugin 
(disabled by default, optional) that could notify them when, say, a spam 
of score 15 or above also hits their rules.



If you don't like it, change the scores.


Why not change the system?

-Dan

--

Why are you wearing TWO grounding straps?

-John Evans, Ezzi Computers August 23, 2001


Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Re: [sa-list] Re: [sa-list] Re: RCVD_IN_DNSWL_LOW

2007-10-17 Thread Dan Mahoney, System Admin

On Wed, 17 Oct 2007, Henrik Krohns wrote:


On Wed, Oct 17, 2007 at 02:48:49AM -0400, Dan Mahoney, System Admin wrote:

On Wed, 17 Oct 2007, Henrik Krohns wrote:


On Tue, Oct 16, 2007 at 06:16:49PM -0400, Dan Mahoney, System Admin wrote:

dnswl.org is either full of it, or not well maintained.

I've gotten at least 20 spams which I see are listed in dnswl.org as low
trust (which still merits -1.0).


Umm, did you actually read their pages?

Low: Occasional spam occurrences, actively corrected but less promptly.


My point was more along the lines of the fact that there's no method (other
than manual notification) of doing Active Correction.


Sure, I just felt like being rude also. ;) You say at least 20 spam, but
since it depends on what your total traffic is, it doesn't mean much.


Actually, that was a typo, of sorts...a more accurate metric would be:

Over 200 hits on that rule, with spams mostly over scores of ten, since 
October 8th, with total spam volume (>5) about 1000.


Or...roughly 1/5 to 1/4 of all the spam in the past couple weeks.

-Dan

--

Is Gushi a person or an entity?
Yes

-Bad Karma, August 25th 2001, Ezzi Computers, quoting himself earlier, referring 
to Gushi

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---
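Two of Dan's points above lend themselves to a small worked example: the "what share of my spam also hit RCVD_IN_DNSWL_LOW" metric from this message, and the opt-in auto-report filter (score still at or above a high threshold such as 15 even though the whitelist rule fired) proposed in the 2007-10-26 message. This is added illustration code, not anything from the list, SpamAssassin or dnswl.org; it assumes SpamAssassin 3.x X-Spam-Status header values, and the sample headers are constructed.

```python
import re

# Constructed X-Spam-Status header values standing in for a day's mail log
# (not real traffic from the thread). Format is SpamAssassin 3.x's.
SAMPLE_STATUS = [
    "Yes, score=17.3 required=5.0 tests=BAYES_99,HTML_MESSAGE,RCVD_IN_DNSWL_LOW autolearn=spam version=3.2.3",
    "Yes, score=8.1 required=5.0 tests=BAYES_80,RCVD_IN_DNSWL_LOW,URIBL_BLACK autolearn=no version=3.2.3",
    "Yes, score=21.0 required=5.0 tests=BAYES_99,RCVD_IN_XBL,URIBL_BLACK autolearn=spam version=3.2.3",
    "No, score=-0.5 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_LOW autolearn=ham version=3.2.3",
    "Yes, score=15.0 required=5.0 tests=BAYES_99,RCVD_IN_DNSWL_LOW,URIBL_BLACK autolearn=spam version=3.2.3",
]

STATUS_RE = re.compile(r"^(Yes|No), score=(-?[\d.]+) required=([\d.]+) tests=(\S+)")

def parse_status(value):
    """Parse one X-Spam-Status value into verdict, score and the set of rules hit."""
    m = STATUS_RE.match(value)
    if not m:
        return None
    return {"spam": m.group(1) == "Yes", "score": float(m.group(2)),
            "required": float(m.group(3)), "tests": set(m.group(4).split(","))}

def rule_share_among_spam(values, rule="RCVD_IN_DNSWL_LOW"):
    """The metric quoted in the thread: how many messages judged spam also hit
    the whitelist rule, out of all messages judged spam. Returns (hits, spam_total)."""
    spam = [p for p in map(parse_status, values) if p and p["spam"]]
    return sum(rule in p["tests"] for p in spam), len(spam)

def report_candidates(values, threshold=15.0, rule="RCVD_IN_DNSWL_LOW"):
    """The proposed opt-in auto-report filter: the rule fired, yet the total score
    (which already includes the rule's negative points) is still at or above a
    threshold well past 'required', so the message auto-learns as spam regardless.
    Returns the indices of messages that would be reported."""
    return [i for i, v in enumerate(values)
            if (p := parse_status(v)) and rule in p["tests"] and p["score"] >= threshold]
```

Run over a real mail log, the first function gives the "1/5 to 1/4" style figure and the second gives the set of messages that would ever leave the box under such a plugin, which is what makes the privacy and list-washing trade-offs concrete.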



Re: [sa-list] Re: RCVD_IN_DNSWL_LOW

2007-10-17 Thread Matthias Leisi



Dan Mahoney, System Admin schrieb:

 My point was more along the lines of the fact that there's no method
 (other than manual notification) of doing Active Correction.  DNSWL is
 a cool idea, but could we also come up with some sort of reporting
 plugin (disabled by default, optional) that could notify them when, say,

That is on the todo list. However, we currently prefer other feedback
loops, since handling a (potentially large) number of feedback providers
requires substantial work (you'll have to identify trustworthy feedback
providers first!).

-- Matthias



Re: [sa-list] Re: RCVD_IN_DNSWL_LOW

2007-10-17 Thread Dan Mahoney, System Admin

On Wed, 17 Oct 2007, Alex Woick wrote:


Matthias Leisi schrieb am 17.10.2007 09:46:


Correct. But by setting (in your local.cf or equivalent)

| trusted_networks 204.9.177.18

you are telling SpamAssassin that this relay is not operated by a
spammer and that it should apply all black-/whitelist rules etc. to the
IP address one more hop away. Then, in the context of SpamAssassin, you
regain full control of connection-oriented rules.

That's not fully equivalent to having the actual spamming connection
to deal with, but as close as it gets -- if you need it closer, you
should not use forwarding services.


Good point. I think I start to understand what trusted_networks is for and how 
it works. Currently, I have a provider whose MX receives mail for me and 
forwards it to my local mail server. Spam detection improved much when I 
added its IP address to trusted_networks some time ago.


Now, I occasionally get spam to my users.sourceforge.net account, just like Dan 
Mahoney is getting spam to his Livejournal account. Sourceforge is also 
listed with LOW at dnswl and acts as a forwarder to my own mail server.


Since I never get spam from users.sourceforge.net accounts directly but only 
spam sent to my users.sourceforge.net account from random addresses, I 
suppose the Sourceforge mail server is trusted in that way that spam doesn't 
originate from it, and that's the purpose of trusted_networks. Just like my 
provider forwarding mail to me sent from random originators, but never 
producing spam itself.


Sure, but that means each person who is a member of one of these services 
has to:


* Look up their forwarded email address
* Look up the SPF record for that domain
  -or-
* Take a best guess as to the fact that the receiving MX will also be the 
sending.


THEN

* Translate that into trusted_networks statements, which are GLOBALLY 
trusted (either per server or per user, but NOT per envelope-recipient) -- 
which is fine for Livejournal or Sourceforge, I guess, I'd imagine their 
MXes are pretty dedicated, but I'm sure there's smaller cases.


But it might help to have some series of dynamic rules...whereby an address 
is DNSWL'd with a special code that lists it as a known relay for certain 
domains, and the trusted_networks logic extends automatically (if the 
relaying domain matches).


Apologies if I've repeated anything already said.

-Dan

--

there is no loyalty in the business, so we stay away from things that piss people 
off

-The Boss, November 12, 2002

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---
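The mechanism Matthias and Alex describe (trusting a forwarder's IP moves the DNSWL/DNSBL lookup one hop further out) and Dan's per-recipient-domain variant of it, as a simplified model in added example code that is not SpamAssassin's own trusted_networks implementation. The Received headers, IP addresses and domains are constructed, and the relay_for mapping is an assumed shape for Dan's idea, not a dnswl.org feature.

```python
import ipaddress
import re

# Constructed Received headers for one message, newest hop first as in a real
# message: a random host handed it to a forwarding MX, which relayed it to us.
SAMPLE_RECEIVED = [
    "from mx.forwarder.example (mx.forwarder.example [203.0.113.10]) by mail.example.org",
    "from unknown (HELO spammy-pc) (198.51.100.77) by mx.forwarder.example",
]
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

def parse_hops(received):
    """Connecting IP of each Received hop, newest first."""
    return [m.group(1) for m in map(IP_RE.search, received) if m]

def first_untrusted_hop(hops, trusted_networks):
    """Simplified model of trusted_networks: walk outward from our server and
    stop at the first relay not inside a trusted network. That IP is the one
    the connection-oriented rules (RCVD_IN_DNSWL_*, DNSBLs) are judged on."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for ip in hops:
        if not any(ipaddress.ip_address(ip) in n for n in nets):
            return ip
    return None

def first_untrusted_hop_for(hops, trusted_networks, relay_for, envelope_rcpt):
    """Dan's suggested extension (assumed shape, not anything SpamAssassin or
    dnswl.org ships): relay_for maps a forwarder IP/network to the recipient
    domains it is known to relay for, and that forwarder is trusted only when
    the envelope recipient of this message is in one of those domains."""
    rcpt_domain = envelope_rcpt.rsplit("@", 1)[-1].lower()
    conditional = [net for net, domains in relay_for.items() if rcpt_domain in domains]
    return first_untrusted_hop(hops, list(trusted_networks) + conditional)
```

With an empty trusted_networks the lookups land on the forwarder (the LOW-listed MX); once its address is trusted, or the recipient domain matches its relay_for entry, they land on the host that actually injected the spam.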