Re: How to disable DNSWL?

2009-02-27 Thread rafa


Michelle Konzack wrote:

> Hello,
> 
> since 2009-02-25 I have been bombed by around 430.000 spams like the one
> below and I had to decrease my spamscore, since I was not able to
> disable this crappy test of RCVD_IN_DNSWL_LOW which persists.


Contacting dnswl.org can help all of us. They can downgrade those 
servers from low to none.


Re: How to disable DNSWL?

2009-02-27 Thread Martin Gregorie
On Fri, 2009-02-27 at 11:56 +0100, Michelle Konzack wrote:
> Hello,
> 
> since 2009-02-25 I have been bombed by around 430.000 spams like the one
> below and I had to decrease my spamscore, since I was not able to
> disable this crappy test of RCVD_IN_DNSWL_LOW which persists.
> 
Have you tried editing 

score RCVD_IN_DNSWL_LOW 0

into /etc/mail.spamassassin/local.cf ?


Martin




Re: How to disable DNSWL?

2009-02-27 Thread Karsten Bräckelmann
Subscribing to a mailing-list decreases response time drastically. No
moderation. But I guess you should know that... ;)

On Fri, 2009-02-27 at 11:56 +0100, Michelle Konzack wrote:
> since 2009-02-25 I have been bombed by around 430.000 spams like the one
> below and I had to decrease my spamscore, since I was not able to
> disable this crappy test of RCVD_IN_DNSWL_LOW which persists.
> 
> Can someone tell me where I find it and how to disable it?

Uhm, something like this?  (adjust to your SA 3.2.3)

$ cd /var/lib/spamassassin/3.002005/updates_spamassassin_org/
$ grep -l RCVD_IN_DNSWL_LOW *

Disabling this rule is about a  'score RCVD_IN_DNSWL_LOW 0'  in your
local.cf or user_prefs away. But I figured someone who used to post here
should know that...


> Content analysis details:   (4.7 points, 4.5 required)
> 
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
>                             [score: 1.]
>  2.2 TVD_SPACE_RATIO        BODY: TVD_SPACE_RATIO
> -1.0 RCVD_IN_DNSWL_LOW      RBL: Sender listed at http://www.dnswl.org/, low
>                             trust
>                             [70.103.162.29 listed in list.dnswl.org]

Increasing the scores for BAYES_9x would have helped, too. :)


Other than that, I agree with Rafael. Please report to dnswl.org.


-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: How to disable DNSWL?

2009-02-27 Thread Karsten Bräckelmann
Uhm, wait -- let me re-phrase my hasty suggestion to report to dnswl.org
for removal.

> -1.0 RCVD_IN_DNSWL_LOW  RBL: Sender listed at http://www.dnswl.org/, low 
> trust
> [70.103.162.29 listed in list.dnswl.org]

IP address 70.103.162.29 is listed at dnswl.org with the following
details:
Domain: debian.org; [...]

> Received: from master.debian.org (master.debian.org [70.103.162.29])    [...]
> Received: from qa by master.debian.org with local (Exim 4.63)   [...]
> Received: from powell.debian.org ([87.106.64.223]) by master.debian.org [...]
>   for vim_cont...@packages.qa.debian.org; Thu, 26 Feb 2009 21:19:19 +

> X-Loop: v...@packages.qa.debian.org

Maybe you should tell Debian first, instead?


-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: How to disable DNSWL?

2009-02-28 Thread Matthias Leisi
In addition to what Karsten wrote about debian:

Michelle Konzack schrieb:

> Received: from localhost (server7.pinguin-hosting.de [127.0.0.1])
> by server7.pinguin-hosting.de (Postfix) with SMTP id D1EFC613E6
> for ; Thu, 26 Feb 2009 
> 22:19:21 +0100 (CET)
> Received: from master.debian.org (master.debian.org [70.103.162.29])
> by server7.pinguin-hosting.de (Postfix) with ESMTP id 913EF59FF2
> for ; Thu, 26 Feb 2009 
> 22:19:21 +0100 (CET)
> Received: from qa by master.debian.org with local (Exim 4.63)
> (envelope-from 
> )
> id 1LcndY-00026z-C0
> for .bts4miche...@tamay-dogan.net; Thu, 26 Feb 2009 21:19:20 
> +
> Received: from powell.debian.org ([87.106.64.223])  by master.debian.org
>  with esmtp (Exim 4.63) (envelope-from )id
>  1LcndX-00026J-89   for vim_cont...@packages.qa.debian.org; Thu,
>  26 Feb 2009 21:19:19 +
> Received: from host77-252-dynamic.35-79-r.retail.telecomitalia.it
>  ([79.35.252.77] helo=xmbxcws.telecomitalia.it) by powell.debian.org 
> with
>  smtp (Exim 4.69)   (envelope-from )id
>  1LcndT-0005qV-Ff   for v...@packages.debian.org; Thu, 26 Feb 2009 
> 21:19:17
>  +

The chain is most likely Spammer > v...@packages... > Debian-internal
forwarding > your mailserver.

You should add the debian mailservers to your trust path
(trusted_networks/internal_networks depending on circumstances) so that
RBL checks are applied to the correct IP addresses.

Speaking of which, it may actually make sense to use all of dnswl.org's
entries as trusted_networks-entries...

-- Matthias



Re: How to disable DNSWL?

2009-02-28 Thread Yet Another Ninja

On 2/28/2009 9:20 AM, Matthias Leisi wrote:
> In addition to what Karsten wrote about debian:
> 
> Michelle Konzack schrieb:
> 
>> Received: from localhost (server7.pinguin-hosting.de [127.0.0.1])
>> by server7.pinguin-hosting.de (Postfix) with SMTP id D1EFC613E6
>> for ; Thu, 26 Feb 2009 22:19:21 +0100 (CET)
>> Received: from master.debian.org (master.debian.org [70.103.162.29])
>> by server7.pinguin-hosting.de (Postfix) with ESMTP id 913EF59FF2
>> for ; Thu, 26 Feb 2009 22:19:21 +0100 (CET)
>> Received: from qa by master.debian.org with local (Exim 4.63)
>> (envelope-from )
>> id 1LcndY-00026z-C0
>> for .bts4miche...@tamay-dogan.net; Thu, 26 Feb 2009 21:19:20 +
>> Received: from powell.debian.org ([87.106.64.223])  by master.debian.org
>>  with esmtp (Exim 4.63) (envelope-from )id
>>  1LcndX-00026J-89   for vim_cont...@packages.qa.debian.org; Thu,
>>  26 Feb 2009 21:19:19 +
>> Received: from host77-252-dynamic.35-79-r.retail.telecomitalia.it
>>  ([79.35.252.77] helo=xmbxcws.telecomitalia.it) by powell.debian.org with
>>  smtp (Exim 4.69)   (envelope-from )id
>>  1LcndT-0005qV-Ff   for v...@packages.debian.org; Thu, 26 Feb 2009 21:19:17
>>  +
> 
> The chain is most likely Spammer > v...@packages... > Debian-internal
> forwarding > your mailserver.
> 
> You should add the debian mailservers to your trust path
> (trusted_networks/internal_networks depending on circumstances) so that
> RBL checks are applied to the correct IP addresses.
> 
> Speaking of which, it may actually make sense to use all of dnswl.org's
> entries as trusted_networks-entries...



Wouldn't that become huge and memory hungry? (even excluding none & low)

Was wondering if the trusted_networks could be "pluginized" to use 
DNSEval so that one could query a dnswl (local or remote) - for bigger 
setups it would probably make management simpler.


just "wandering"



Re: How to disable DNSWL?

2009-02-28 Thread Jeff Chan
On Saturday, February 28, 2009, 1:00:58 AM, Yet Ninja wrote:
> On 2/28/2009 9:20 AM, Matthias Leisi wrote:
>> In addition to what Karsten wrote about debian:

>> You should add the debian mailservers to your trust path
>> (trusted_networks/internal_networks depending on circumstances) so that
>> RBL checks are applied to the correct IP addresses.
>> 
>> Speaking of which, it may actually make sense to use all of dnswl.org's
>> entries as trusted_networks-entries...


> Wouldn't that become huge and memory hungry??, (even excluding none & low)

> Was wondering if the trusted_networks could be "pluginized" to use
> DNSEval so that one could query a dnswl (local or remote) - for bigger
> setups it would probably make management simpler.

> just "wandering"


One counterargument is that if the data are relatively static,
i.e., not updated very often, then this could generate a lot of
arguably unnecessary DNS traffic.

Jeff C.
-- 
Jeff Chan
mailto:je...@surbl.org
http://www.surbl.org/



Re: How to disable DNSWL?

2009-02-28 Thread Benny Pedersen

On Fri, February 27, 2009 11:56, Michelle Konzack wrote:
> since 2009-02-25 I have been bombed by around 430.000 spams like the
> one below and I had to decrease my spamscore, since I was not able
> to disable this crappy test of RCVD_IN_DNSWL_LOW which persists.
> Can someone tell me where I find it and how to disable it?

DNSWL Id         1791 - debian.org
IP range         70.103.162.29/32
Domain/Hostname  master.debian.org
Score            low

ask ab...@debian.org, if no help from them, one can unsubscribe
since maillist spam being more "normal" these days

-- 
http://localhost/ 100% uptime and 100% mirrored :)



Re: How to disable DNSWL?

2009-02-28 Thread Matthias Leisi

Jeff Chan schrieb:

>> Was wondering if the trusted_networks could be "pluginized" to use
>> DNSEval so that one could query a dnswl (local or remote) - for bigger
>> setups it would probably make management simpler.
> 
> One counterargument is that if the data are relatively static,
> i.e., not updated very often, then this could generate a lot of
> arguably unnecessary DNS traffic.

dnswl.org lookups are done by the standard ruleset anyway, thus a
DNSEval would not generate additional query traffic.

Additionally, there is a pretty long TTL on dnswl.org data records -
currently around 12 hours, which could even be extended to something
like 18 hours.

-- Matthias



Re: How to disable DNSWL?

2009-03-01 Thread Michelle Konzack
Am 2009-02-28 00:48:44, schrieb Martin Gregorie:
> Have you tried editing 
> score RCVD_IN_DNSWL_LOW 0
> into /etc/mail.spamassassin/local.cf ?

I have had it in

${HOME}/.spamassassin/local.cf

(as written in the manpage) and it was not working.  Since yesterday it
is in

${HOME}/.spamassassin/user_prefs

and now it works as expected.

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
24V Electronic Engineer
Tamay Dogan Network
Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
   
Michelle Konzack   Apt. 917  ICQ #328449886
+49/177/935194750, rue de Soultz MSN LinuxMichi
+33/6/61925193 67100 Strasbourg/France   IRC #Debian (irc.icq.com)




Re: How to disable DNSWL?

2009-03-01 Thread Michelle Konzack
Am 2009-02-27 22:36:24, schrieb rafa:
> Contacting dnswl.org can help all of us. They can downgrade those  
> servers from low to none.

How should I do this?
In the meantime I have checked ALL spams manually from a bash script and
it seems there are more than 300 IPs listed on DNSWL.

Should I forward my whole spam archive (of spams in DNSWL) to them?
I have now gotten over 18.000 since 2009-02-25.

OK, the spams (as in my OP) have now stopped, but maybe they come back...

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
24V Electronic Engineer
Tamay Dogan Network
Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
   
Michelle Konzack   Apt. 917  ICQ #328449886
+49/177/935194750, rue de Soultz MSN LinuxMichi
+33/6/61925193 67100 Strasbourg/France   IRC #Debian (irc.icq.com)




Re: How to disable DNSWL?

2009-03-01 Thread Michelle Konzack
Am 2009-02-28 02:22:32, schrieb Karsten Bräckelmann:
> Uhm, wait -- let me re-phrase my hasty suggestion to report to dnswl.org
> for removal.

OK, gotten...

> IP address 70.103.162.29 is listed at dnswl.org with the following
> details:
> Domain: debian.org; [...]

> Maybe you should tell Debian first, instead?

Sh..! -- I will forward my post to them...

However, I have now built a script which extracts the whole body of the
message, strips the signature/blank lines and counts the lines and words...

Now I get 92% of it.

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
24V Electronic Engineer
Tamay Dogan Network
Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
   
Michelle Konzack   Apt. 917  ICQ #328449886
+49/177/935194750, rue de Soultz MSN LinuxMichi
+33/6/61925193 67100 Strasbourg/France   IRC #Debian (irc.icq.com)




Re: How to disable DNSWL?

2009-03-01 Thread Michelle Konzack
Am 2009-02-28 09:20:02, schrieb Matthias Leisi:
> You should add the debian mailservers to your trust path
> (trusted_networks/internal_networks depending on circumstances) so that
> RBL checks are applied to the correct IP addresses.

OK, but I have never untrusted <*.debian.org>

Is there a way to let spamassassin look recursively in the Received:
headers?

I mean, ignoring any domains beginning with the top-most (my INBOX), then
the sender from a trusted list (in this case <*.debian.org>), and only
after this checking the next domain/IP.

> Speaking of which, it may actually make sense to use all of dnswl.org's
> entries as trusted_networks-entries...

ACK

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
24V Electronic Engineer
Tamay Dogan Network
Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
   
Michelle Konzack   Apt. 917  ICQ #328449886
+49/177/935194750, rue de Soultz MSN LinuxMichi
+33/6/61925193 67100 Strasbourg/France   IRC #Debian (irc.icq.com)




Re: How to disable DNSWL?

2009-03-01 Thread Benny Pedersen

On Sun, March 1, 2009 14:48, Michelle Konzack wrote:
> Am 2009-02-27 22:36:24, schrieb rafa:
>> Contacting dnswl.org can help all of us. They can downgrade those
>> servers from low to none.
> How should I do this?

http://www.dnswl.org/ see the webpage first

> In the meantime I have checked ALL spams manually from a bash script
> and it seems there are more than 300 IPs listed on DNSWL.

can you make them into levels of NONE, LOW, MEDIUM, HI

and then start with the LOW, MEDIUM, HI until all is listed where you
get spam from is changed to NONE, you can suggest that to dnswl, but
it's still up to them to make it NONE

> Should I forward my whole spam archive (of spams in DNSWL) to them?
> I have now gotten over 18.000 since 2009-02-25.

only some at dnswl know that

> OK, the spams (as in my OP) have now stopped, but maybe they come
> back...

i report if some ips send spam and get other than none on dnswl, not
here just on dnswl homepage

-- 
http://localhost/ 100% uptime and 100% mirrored :)
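Benny's suggestion above is to sort the sending IPs into dnswl's NONE/LOW/MEDIUM/HI levels before reporting. The following is an added example, not Benny's or Michelle's script and not SpamAssassin's code; it shows how such a bucketing script decodes the list's answers. It relies on dnswl.org's published return-code scheme (an A record of the form 127.0.<category>.<trust>, with trust 0 = none, 1 = low, 2 = medium, 3 = high, which is what the RCVD_IN_DNSWL_LOW/MED/HI rules key on). The answer table is constructed so the example runs offline; only 70.103.162.29 being "low" comes from the thread, the other addresses, category octets and the `fake_resolve` helper are assumptions.

```python
import ipaddress

DNSWL_ZONE = "list.dnswl.org"
TRUST_LEVELS = {0: "NONE", 1: "LOW", 2: "MEDIUM", 3: "HI"}

# Constructed answer table standing in for live DNS so the example runs offline.
# Real answers are A records 127.0.<category>.<trust>; the category octets here
# are made up, and only the first entry (debian host = low) follows the thread.
FAKE_ZONE = {
    "29.162.103.70.list.dnswl.org": ["127.0.3.1"],   # 70.103.162.29: low (from thread)
    "223.64.106.87.list.dnswl.org": ["127.0.3.1"],   # 87.106.64.223: low (constructed)
    "1.2.0.192.list.dnswl.org": ["127.0.10.3"],      # 192.0.2.1: hi (constructed)
    "2.2.0.192.list.dnswl.org": ["127.0.10.0"],      # 192.0.2.2: none (constructed)
    "3.2.0.192.list.dnswl.org": ["10.0.0.1"],        # 192.0.2.3: bogus answer (constructed)
    # 79.35.252.77 is absent on purpose: an unlisted IP gets NXDOMAIN (empty list)
}


def fake_resolve(name):
    """Hypothetical stand-in for a DNS A lookup: list of addresses, [] for NXDOMAIN."""
    return FAKE_ZONE.get(name, [])


def dnswl_query_name(ip):
    """Build the reversed-octet query name, e.g. 29.162.103.70.list.dnswl.org."""
    addr = ipaddress.IPv4Address(ip)  # raises on anything that is not an IPv4 address
    return ".".join(reversed(str(addr).split("."))) + "." + DNSWL_ZONE


def decode_dnswl_answer(answers):
    """Map dnswl A records to a trust-level name.

    None means unlisted. 'UNEXPECTED' flags answers outside 127.0.x.{0..3}:
    a wildcarding list or a mis-resolved name must never be allowed to lower
    a spam score, so callers should treat that bucket as 'not whitelisted'.
    """
    if not answers:
        return None
    levels = set()
    for a in answers:
        octets = [int(o) for o in a.split(".")]
        if octets[:2] != [127, 0] or octets[3] not in TRUST_LEVELS:
            return "UNEXPECTED"
        levels.add(octets[3])
    return TRUST_LEVELS[max(levels)]  # several records: take the highest trust


def dnswl_level(ip, resolve=fake_resolve):
    return decode_dnswl_answer(resolve(dnswl_query_name(ip)))


def group_by_level(ips, resolve=fake_resolve):
    """Bucket sending IPs by dnswl level; unlisted ones land in 'UNLISTED'."""
    groups = {}
    for ip in ips:
        groups.setdefault(dnswl_level(ip, resolve) or "UNLISTED", []).append(ip)
    return groups


if __name__ == "__main__":
    sample = ["70.103.162.29", "87.106.64.223", "192.0.2.1", "192.0.2.2",
              "192.0.2.3", "79.35.252.77"]
    for level, members in sorted(group_by_level(sample).items()):
        print(f"{level:10s} {', '.join(members)}")
```

To run it against the real list, replace `fake_resolve` with a function that performs the A lookup (the query name and the decoding stay the same). Grouping on the fourth octet is exactly what lets one start, as Benny says, with the LOW/MEDIUM/HI buckets; the "UNEXPECTED" bucket is the check a practitioner wants so that a broken or hijacked list cannot silently whitelist senders.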



Re: How to disable DNSWL?

2009-03-01 Thread Michelle Konzack
Hello Benny,

Am 2009-03-01 15:12:16, schrieb Benny Pedersen:
> http://www.dnswl.org/ se the webpage first

Already checked, but

> can you make them into levels of NONE, LOW, MEDIUM, HI
> 
> and then start with the LOW,MEDIUM,HI until all is listed where you
> get spam from is changed to NONE, you can suggest that to dnswl, but
> its still up to them to make it NONE

How to do this from within spamassassin?

I have not found any info...

OK, I can disable the stuff in spamassassin and then I have a procmail
include called "spamhaus" which I can use for DNSWL and then check it
manually for the return values...

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
24V Electronic Engineer
Tamay Dogan Network
Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
   
Michelle Konzack   Apt. 917  ICQ #328449886
+49/177/935194750, rue de Soultz MSN LinuxMichi
+33/6/61925193 67100 Strasbourg/France   IRC #Debian (irc.icq.com)




Re: How to disable DNSWL?

2009-03-01 Thread Matthias Leisi

Michelle Konzack schrieb:

> OK, but I have never untrusted <*.debian.org>

This is not about "untrusting". It's about telling SpamAssassin which
relays are trustworthy to begin with. Adding these hints greatly
improves the accuracy of SpamAssassin.

> Is there a way to let spamassassin look recursively in the Received:
> headers?
> 
> I mean, ignoring any domains beginning with the top-most (my INBOX), then
> the sender from a trusted list (in this case <*.debian.org>), and only
> after this checking the next domain/IP.

It works on IP addresses, and not on (easy to forge) domain names. All
details should be in the Wiki topics on TrustPath and TrustedRelays:

http://wiki.apache.org/spamassassin/TrustPath
http://wiki.apache.org/spamassassin/TrustedRelays

The shortcut answer: If you have an important forwarder (such as the
debian.org infrastructure) you should add them to your trusted_networks
setting.

-- Matthias



Re: How to disable DNSWL?

2009-03-02 Thread Jonas Eckerman

Matthias Leisi wrote:

> Speaking of which, it may actually make sense to use all of dnswl.org's
> entries as trusted_networks-entries...


That seems like a way to get false positives when someone with a 
listed dynamic IP sends through the smarthost of their ISP or ESP.


By extending trust to the ESP/ISP smarthost, SA will do RBL 
checks on the system that sent the mail to the smarthost. That 
system may well be a SOHO or private user with a dynamic IP 
address. Possibly even a dynamic IP address that has previously 
been used by someone else to send spam.


(Please note that I've currently got a fever and therefore may be 
tricked by a non optimally working brain into writing things that 
simply aren't correct...)


Regards
/Jonas

--
Jonas Eckerman, FSDB & Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/
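Matthias's advice earlier in the thread (put the debian.org forwarders into trusted_networks so the RBL/DNSWL lookup lands on the right relay) and Jonas's caveat just above (trusting a smarthost moves that lookup onto whatever machine sat behind it) are two sides of the same mechanism: the Received: chain is walked from the newest hop down, and the first hop outside the trusted set is the one that gets checked. The following is an added example, not SpamAssassin's code and not any poster's script, that walks the chain quoted earlier in this thread. The sample headers are reduced copies of the ones Michelle posted; the trusted_networks values passed in are assumptions.

```python
import ipaddress
import re

# Constructed sample: the Received: headers quoted in this thread, newest hop
# first, reduced to their "from ... [ip] by ..." parts.
SAMPLE_RECEIVED = [
    "from localhost (server7.pinguin-hosting.de [127.0.0.1]) "
    "by server7.pinguin-hosting.de (Postfix) with SMTP id D1EFC613E6",
    "from master.debian.org (master.debian.org [70.103.162.29]) "
    "by server7.pinguin-hosting.de (Postfix) with ESMTP id 913EF59FF2",
    "from qa by master.debian.org with local (Exim 4.63) id 1LcndY-00026z-C0",
    "from powell.debian.org ([87.106.64.223]) by master.debian.org "
    "with esmtp (Exim 4.63) id 1LcndX-00026J-89",
    "from host77-252-dynamic.35-79-r.retail.telecomitalia.it "
    "([79.35.252.77] helo=xmbxcws.telecomitalia.it) by powell.debian.org "
    "with smtp (Exim 4.69) id 1LcndT-0005qV-Ff",
]

# The sending IP is the bracketed address after "from ..."; HELO names and
# reverse-DNS names are attacker-controlled, so only the bracketed IP counts.
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ips(received_headers):
    """Sending IP of each Received: header, newest first.
    Headers without a bracketed IP (e.g. a 'with local' hand-off) yield None."""
    out = []
    for hdr in received_headers:
        m = IP_IN_BRACKETS.search(hdr)
        out.append(m.group(1) if m else None)
    return out


def parse_networks(spec):
    """Parse a trusted_networks-style list such as '127/8 70.103.162.29'.
    Bare addresses mean /32; short forms like 127/8 are padded to four octets."""
    nets = []
    for tok in spec.split():
        if "/" not in tok:
            tok += "/32"
        else:
            net, bits = tok.split("/")
            octets = net.split(".")
            net = ".".join(octets + ["0"] * (4 - len(octets)))
            tok = f"{net}/{bits}"
        nets.append(ipaddress.ip_network(tok, strict=False))
    return nets


def first_untrusted_relay(received_headers, trusted_spec):
    """Walk the chain newest-first and return the first IP outside the trusted
    set: the relay that handed the mail into your trust path, and therefore the
    one an RBL or DNSWL lookup should be applied to. None if every hop is trusted."""
    trusted = parse_networks(trusted_spec)
    for ip in relay_ips(received_headers):
        if ip is None:
            continue
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in trusted):
            return ip
    return None


if __name__ == "__main__":
    # Only the local box trusted: the lookup lands on the debian.org forwarder,
    # which is dnswl-listed, so the spam scores RCVD_IN_DNSWL_LOW.
    print("trust 127/8 only ->", first_untrusted_relay(SAMPLE_RECEIVED, "127/8"))
    # debian.org relays trusted: the lookup lands on the dynamic IP that injected
    # the message, which is where a blocklist hit would be meaningful.
    print("trust debian too ->",
          first_untrusted_relay(SAMPLE_RECEIVED, "127/8 70.103.162.29 87.106.64.223"))
```

The second call is the outcome Matthias wants; it is also Jonas's warning in miniature: once a smarthost or forwarder is trusted, the check falls on the dynamic address behind it, which is the spammer here but would be a legitimate home user in the ISP-smarthost case. SpamAssassin's real walk is richer (internal_networks, the distinction between the last external relay and all untrusted relays), but the principle of "first hop outside the trusted set" is the same.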



Re: How to disable DNSWL?

2009-03-03 Thread Michelle Konzack
Hello Jonas and *,

Am 2009-03-02 23:57:34, schrieb Jonas Eckerman:
> That seems like a way to get false positives when someone with a listed 
> dynamic IP sends through the smarthost of their ISP or ESP.
>
> By extending trust to the ESP/ISP smarthost, SA will do RBL checks on 
> the system that sent the mail to the smarthost. That system may well be a 
> SOHO or private user with a dynamic IP address. Possibly even a dynamic 
> IP address that has previously been used by someone else to send spam.

This is what actually happens to me...

The network in my enterprise is <*.private.tamay-dogan.net> and the
outgoing mailserver  which is correctly
configured and of course, not accessible from outside the world.  Hence,
I am sending messages over the relay  from
my hosting provider.

Now, nearly every 6th e-mail from me comes back as a bounce since they all
tell me spamassassin thinks I have a trojan/bot in my network.

This spamassassin setup is definitively crap, because if you look in the
header of any of my messages, you see I am a legitimate authenticated
sender.

I can not even reach some of my customers, coworkers or manufacturers.

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
24V Electronic Engineer
Tamay Dogan Network
Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
   
Michelle Konzack   Apt. 917  ICQ #328449886
+49/177/935194750, rue de Soultz MSN LinuxMichi
+33/6/61925193 67100 Strasbourg/France   IRC #Debian (irc.icq.com)




Re: How to disable DNSWL?

2009-03-03 Thread John Hardin

On Tue, 3 Mar 2009, Michelle Konzack wrote:

> The network in my enterprise is <*.private.tamay-dogan.net> and the 
> outgoing mailserver  which is correctly 
> configured and of course, not accessible from outside the world. 
> Hence, I am sending messages over the relay  
> from my hosting provider.


Michelle:

Given the level of mail problems you're experiencing from your 
environment, I respectfully suggest you may want to investigate getting a 
hosted server for your primary MTA. A VPS with sufficient capacity can be 
had for about US$30/month.


Personally I _hate_ being at the mercy of an ISP for mail services. If I 
control the MTA at a static IP and I own the domain, then I have control 
over what happens.


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Failure to plan ahead on someone else's part does not constitute
  an emergency on my part. -- David W. Barts in a.s.r
---
 5 days until Daylight Saving Time begins in U.S. - Spring Forward


Re: How to disable DNSWL?

2009-03-03 Thread SM

At 04:25 03-03-2009, Michelle Konzack wrote:

> The network in my enterprise is <*.private.tamay-dogan.net> and the
> outgoing mailserver  which is correctly
> configured and of course, not accessible from outside the world.  Hence,
> I am sending messages over the relay  from
> my hosting provider.
> 
> Now, nearly every 6th e-mail from me comes back as a bounce since they all
> tell me spamassassin thinks I have a trojan/bot in my network.

Being listed in ZEN does not necessarily mean that the host has a 
trojan or bot.

> This spamassassin setup is definitively crap, because if you look in the
> header of any of my messages, you see I am a legitimate authenticated
> sender.

The headers of your message are correct.  Using ZEN for all IP 
addresses listed in the headers will result in incorrect hits.  Post 
the headers and the rules that message hit.


Regards,
-sm 



Re: How to disable DNSWL? [DNSWL as trusted_networks-entries]

2009-02-28 Thread Andrzej Adam Filip
Matthias Leisi  wrote:

> [...]
> Speaking of which, it may actually make sense to use all of
> dnswl.org's entries as trusted_networks-entries...

Do you want it even for DNSWL trust levels of "none" and "low"?
It would be a "brave" suggestion :-)

URL(s):
http://www.dnswl.org/

-- 
[pl>en: Andrew] Andrzej Adam Filip : a...@onet.eu
When choosing between two evils, I always like to take the one I've never
tried before.
  -- Mae West, "Klondike Annie"