Re: SBL false positives?

2008-10-01 Thread Benny Pedersen

On Wed, October 1, 2008 16:34, mouss wrote:

> we have other things to do than watch if a
> $reverse-ip-pattern.dialup.domain is a responsible mail source.

eg sending mails both cc and to maillists or calc how much one hour is in
secs?
policyd 1.80 with innodb works well here, it even got facebook blocked for
random helo, need a new job? maybe they hire you :)

-- 
Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098



Re: SBL false positives?

2008-10-01 Thread mouss

James Wilkinson wrote:
> mouss wrote:
>> in which sublist? xbl, sbl or pbl? and when you say "a lot", how many?
>> can you show an example of an IP that you consider as an FP?
>
> Well, since you asked…
>
> I’m not the Original Poster, but I consider most of
> http://www.spamhaus.org/sbl/sbl.lasso?query=SBL60174 to be a FP *when
> used with SpamAssassin rules*.
>
> This is a /19 range of VSNL dynamic addresses, which had (correctly)
> been put on the PBL. I understand that many smaller Indian companies can
> only get a dynamic IP, want to run an internal mail server (often
> Exchange), and forget to relay outgoing e-mail through an appropriate
> external mailserver.
>
> At least one VSNL customer ran into trouble sending e-mail due to the
> PBL listing, and rather than using a suitable relay, systematically (and
> repeatedly) removed the entire /19 from the PBL! Spamhaus then stuck the
> whole range into the SBL.
>
> This is fine when the SBL is merely used against the last external
> relay, but SpamAssassin will test *all* IP addresses in the headers
> against the SBL. So non-spamming Indian companies get hit even if they
> relay through a good mailserver.
>
> I consider it a stretch putting this range under the SBL: the “Policy &
> Listing Criteria” says that the range “appear[s] to Spamhaus to be under
> the control of, or made available for the use of, senders of Unsolicited
> Bulk Email (“spammers”).” This doesn’t seem to be the reason in this
> case: there doesn’t seem to be any evidence that the individuals who
> removed the range from the PBL intended to send unsolicited bulk e-mail.
> It’s abuse of the Spamhaus web site, not directly abuse of e-mail, and
> would better be handled by a PBL range which can’t be edited through the
> website.
>
> I wrote to Spamhaus querying the listing, but have heard nothing
> (probably not surprisingly, since I’m not VSNL. Thank goodness!) I
> haven’t raised a SpamAssassin bug, since I don’t think it *is* a
> SpamAssassin bug.



while I don't like seeing the listing move to an SBL instead of locking
the PBL listing, I don't really consider this as a real FP. most
probably because I don't get mail from VSNL. but also because this story
only shows that

- VSNL doesn't care. so why should I?
- VSNL do nothing to control their network.
- the supposedly legitimate senders have generic names:

$ host 59.161.64.1
1.64.161.59.in-addr.arpa domain name pointer 59.161.64.1.del-cdma.dialup.vsnl.net.in.

$ host 59.161.64.2
2.64.161.59.in-addr.arpa domain name pointer 59.161.64.2.del-cdma.dialup.vsnl.net.in.

$ host 59.161.64.199
199.64.161.59.in-addr.arpa domain name pointer 59.161.64.199.del-cdma.dialup.vsnl.net.in.

$ host 59.161.65.199
199.65.161.59.in-addr.arpa domain name pointer 59.161.65.199.del-cdma.dialup.vsnl.net.in.


we have other things to do than watch if a 
$reverse-ip-pattern.dialup.domain is a responsible mail source.
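James Wilkinson's point above, that the same listing is harmless when only the last external relay is looked up but bites when every Received: hop is tested, as an added Python example that is not from the thread or from SpamAssassin. The /19, the internal network and the message are constructed (the CIDR is assumed from the addresses quoted in the thread), and a local list stands in for the DNS query.

```python
import ipaddress
import re
from email import message_from_string

# Constructed stand-in for a DNSBL: the /19 is assumed from the addresses
# quoted in the thread, and is not a real Spamhaus listing.
LISTED = [ipaddress.ip_network("59.161.64.0/19")]
# Our own receiving hosts (assumed); these hops are skipped when looking for the last external relay.
INTERNAL = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed message: a dynamic-IP mail server relaying through a proper external smarthost to our MX.
RAW = """Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby inbox.example.net with ESMTP; Wed, 1 Oct 2008 12:00:00 +0000
Received: from smarthost.example.org (smarthost.example.org [198.51.100.5])
\tby mx.example.net with ESMTP; Wed, 1 Oct 2008 11:59:00 +0000
Received: from exch.customer.example ([59.161.64.199])
\tby smarthost.example.org with ESMTPA; Wed, 1 Oct 2008 11:58:00 +0000
From: someone@customer.example

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_ips(raw):
    """IPv4 addresses from Received: headers, most recent hop first."""
    hdrs = message_from_string(raw).get_all("Received", [])
    return [ipaddress.ip_address(m.group(1))
            for m in map(IP_RE.search, hdrs) if m]

def listed(ip):
    return any(ip in net for net in LISTED)

def last_external_relay(raw):
    """First hop from the top that is not one of our internal hosts."""
    for ip in received_ips(raw):
        if not any(ip in net for net in INTERNAL):
            return ip
    return None

def check_last_external(raw):
    """MTA-style check: only the last external relay is looked up."""
    ip = last_external_relay(raw)
    return ip is not None and listed(ip)

def check_all_hops(raw):
    """Deep-header check: every hop is looked up, which is what catches the relayed mail."""
    return [str(ip) for ip in received_ips(raw) if listed(ip)]
```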