Re: problem with RDNS_NONE: false positive

2008-11-06 Thread derHummel



nik600 hotmail wrote:
 
 I'm experiencing a strange problem with RDNS_NONE.
 
 On the same sender host, sometimes it is marked with RDNS_NONE, and
 sometimes not.
 
 The host has a reverse dns!
 
 Example:
 Received: from dadosoftware.com (dns2.dadosoftware.com [217.199.13.2]) -
 OK
 
 Received: from dadosoftware.com (unknown [217.199.13.2]) - FALSE POSITIVE
 
 But 217.199.13.2 has a reverse dns!
 2.13.199.217.in-addr.arpa. 11894 IN   PTR dns2.dadosoftware.com.
 
 Who decides the presence of RDNS_NONE ?
 A real dns check or a parsing of the email headers?
 
 And, in case of parse who decides to write dns2.dadosoftware.com
 [217.199.13.2] instead of unknown [217.199.13.2]?
 
 Thanks to all in advance.
 
 -- 
 /*/
 nik600
 http://www.kumbe.it
 
 

I'm not sure whether it will help or not, but I've faced a very similar issue:

 Received: from relay.blablabla.net (unknown [xxx.xxx.xxx.xxx])

host relay.blablabla.net has PTR record:

host xxx.xxx.xxx.xxx
xxx.xxx.xxx.xxx.in-addr.arpa domain name pointer relay.blablabla.net.

then I tried: 
host relay.blablabla.net
relay.blablabla.net has address yyy.yyy.yyy.yyy

and:
host yyy.yyy.yyy.yyy
yyy.yyy.yyy.yyy.in-addr.arpa domain name pointer relay.blablabla.net.

So I see that the host blablabla has two A records registered in DNS and
two PTRs.

All I had to do in this case is:

/etc/postfix/master.cf:
smtp      unix  -       -       n       -       -       smtp
    -o smtp_bind_address=yyy.yyy.yyy.yyy

It helped me.

Thank you.



-- 
View this message in context: 
http://www.nabble.com/problem-with-RDNS_NONE%3A-false-positive-tp19774673p20360888.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: problem with RDNS_NONE: false positive

2008-11-06 Thread Matus UHLAR - fantomas
 nik600 hotmail wrote:
  I'm experiencing a strange problem with RDNS_NONE.
  
  On the same sender host, sometimes it is marked with RDNS_NONE, and
  sometimes not.
  
  The host has a reverse dns!
  
  Example:
  Received: from dadosoftware.com (dns2.dadosoftware.com [217.199.13.2]) -
  OK
  
  Received: from dadosoftware.com (unknown [217.199.13.2]) - FALSE POSITIVE

well, either your MX does resolve 217.199.13.2 to a name, or it does not.
If it sometimes does resolve, sometimes not, it's a problem of DNS.

If you have different mailers of which one does not resolve DNS, it's a
problem of its configuration.

SA does not resolve that IP, the MTA must do that.

  But 217.199.13.2 has a reverse dns!
  2.13.199.217.in-addr.arpa. 11894 IN PTR dns2.dadosoftware.com.

It also must point back, but it does:

dns2.dadosoftware.com has address 217.199.13.2

  Who decides the presence of RDNS_NONE ?
  A real dns check or a parsing of the email headers?
  
  And, in case of parse who decides to write dns2.dadosoftware.com
  [217.199.13.2] instead of unknown [217.199.13.2]?

it's the MTA who constructs the Received: line.

On 06.11.08 05:22, derHummel wrote:
 I don't sure will it help or not but I've faced with very similar issue:
 
  Received: from relay.blablabla.net (unknown [xxx.xxx.xxx.xxx])
 
 host relay.blablabla.net has PTR record:
 
 host xxx.xxx.xxx.xxx
 xxx.xxx.xxx.xxx.in-addr.arpa domain name pointer relay.blablabla.net.
 
 then I tried: 
 host relay.blablabla.net
 relay.blablabla.net has address yyy.yyy.yyy.yyy
 
 and:
 host yyy.yyy.yyy.yyy
 yyy.yyy.yyy.yyy.in-addr.arpa domain name pointer relay.blablabla.net.
 
 So. I see that the host blablabla has two A records registered in DNS and
 two PTR.

No. If it has two A records, the host would return them both:

host relay.blablabla.net
relay.blablabla.net has address yyy.yyy.yyy.yyy
relay.blablabla.net has address xxx.xxx.xxx.xxx
   
If it does not, then the problem is that xxx.xxx.xxx.xxx has invalid reverse
DNS, because the name it points to does NOT resolve back to that IP.

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
(R)etry, (A)bort, (C)ancer
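An added illustration, not part of the thread, of the broken state Matus describes and the two usual ways to repair it, written as BIND zone-file fragments. The names and addresses are placeholders (documentation ranges 192.0.2.0/24 and example.net) standing in for relay.blablabla.net and the xxx/yyy addresses:

```dns
; Broken state: the PTR for 192.0.2.10 names relay.example.net, but
; relay.example.net only resolves forward to 192.0.2.11.  Mail sent from
; 192.0.2.10 therefore fails forward-confirmation and the receiving MTA
; writes "unknown [192.0.2.10]".
$ORIGIN 2.0.192.in-addr.arpa.
10      IN  PTR  relay.example.net.
11      IN  PTR  relay.example.net.

$ORIGIN example.net.
relay   IN  A    192.0.2.11

; Fix (a): publish both addresses under the name.  Whichever address the
; outbound connection is made from now resolves back to itself.
$ORIGIN example.net.
relay   IN  A    192.0.2.10
relay   IN  A    192.0.2.11

; Fix (b): keep a single A record per name and give 192.0.2.10 its own
; forward-confirmable name.  Replace the old PTR rather than adding a
; second one, so no PTR for the IP points at a name that does not resolve back.
$ORIGIN 2.0.192.in-addr.arpa.
10      IN  PTR  relay-b.example.net.
$ORIGIN example.net.
relay-b IN  A    192.0.2.10
```

After either change, verify in both directions from a resolver that does not have the old answers cached (host 192.0.2.10, then host on the name it returns) and confirm the returned address set contains 192.0.2.10; binding the Postfix client to one address, as in the master.cf snippet above, only avoids the problem if that address is the one whose PTR forward-confirms.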


Re: problem with RDNS_NONE: false positive

2008-11-06 Thread Benny Pedersen

On Thu, November 6, 2008 14:22, derHummel wrote:

 /etc/postfix/master.cf:
 smtp  unix  -   -   n   -   -   smtp
  -o smtp_bind_address=yyy.yyy.yyy.yyy
 -o smtp_helo_name=relay.blablabla.net

 It helped me.

it ain't windows :)

-- 
Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098



Re: problem with RDNS_NONE: false positive

2008-11-06 Thread mouss

derHummel wrote:



nik600 hotmail wrote:

I'm experiencing a strange problem with RDNS_NONE.

On the same sender host, sometimes it is marked with RDNS_NONE, and
sometimes not.

The host has a reverse dns!

Example:
Received: from dadosoftware.com (dns2.dadosoftware.com [217.199.13.2]) -
OK

Received: from dadosoftware.com (unknown [217.199.13.2]) - FALSE POSITIVE



either rdns lookup is disabled or there was a failure. This is one of 
the reasons why RDNS_NONE should have a low score.



But 217.199.13.2 has a reverse dns!
2.13.199.217.in-addr.arpa. 11894 IN PTR dns2.dadosoftware.com.

Who decides the presence of RDNS_NONE ?


the MTA added the Received header.


A real dns check or a parsing of the email headers?

And, in case of parse who decides to write dns2.dadosoftware.com
[217.199.13.2] instead of unknown [217.199.13.2]?


MTA adds Received headers.



Thanks to all in advance.

--
/*/
nik600
http://www.kumbe.it




[snip]
All I had to do in this case is:

/etc/postfix/master.cf:
smtp      unix  -       -       n       -       -       smtp
    -o smtp_bind_address=yyy.yyy.yyy.yyy

It helped me.



no, it did not. you didn't test enough (you've been mystified by DNS 
caching?).


- if you have multiple PTRs for an IP, then they must all resolve back 
to the IP. otherwise, with round robin, you'll get random failures.


- if you have multiple A for a name, then it's ok as one of the IPs 
matches the client IP.


The logic is:

1- let $ip be the client IP
2- let $ptr be the first PTR for the $ip
3- resolve $ptr to IPs: you get $ip[0], $ip[1], $ip[2], ...
4- check whether $ip = $ip[k] for some k (MTA is free to only check 
first m records).


at step 2, if you have multiple PTRs and if they are returned in a round 
robin manner, steps 3 and 4 may work or not.


at any step, a DNS failure will break the test. postfix and other MTAs 
will set the rdns to unknown. so you can't distinguish rdns 
misconfiguration from temp failures, or from cases when rdns lookup is 
disabled.


Re: problem with RDNS_NONE: false positive

2008-10-02 Thread Matthias Leisi

 Example:
 Received: from dadosoftware.com (dns2.dadosoftware.com [217.199.13.2]) -
 OK

 Received: from dadosoftware.com (unknown [217.199.13.2]) - FALSE POSITIVE

I get timeouts on one of the servers (dns2.bkom.it) responsible to resolve
217.199.13.2. This may explain the inconsistent behaviour you're seeing (I
wouldn't call it a false positive).

-- Matthias




Re: problem with RDNS_NONE: false positive

2008-10-02 Thread nik600
On Thu, Oct 2, 2008 at 10:22 AM, Rasmus Haslund [EMAIL PROTECTED] wrote:
From: nik600 [mailto:[EMAIL PROTECTED]
And, in case of parse who decides to write dns2.dadosoftware.com
 [217.199.13.2] instead of unknown [217.199.13.2]?

 Your MTA decides to write unknown because it is most likely not
 configured to perform reverse dns lookups - or it could just not resolve
 it.

 NOWACO A/S
 Rasmus Haslund

I'm not so sure about it, because on the same mail it's sometimes resolved?

OK, this seems to be an MTA problem, I'll investigate it. So RDNS_NONE
is based on header parsing and not on a real DNS check?



-- 
/*/
nik600
http://www.kumbe.it


Re: problem with RDNS_NONE: false positive

2008-10-02 Thread nik600
On Thu, Oct 2, 2008 at 10:38 AM, Matthias Leisi [EMAIL PROTECTED] wrote:

 Example:
 Received: from dadosoftware.com (dns2.dadosoftware.com [217.199.13.2]) -
 OK

 Received: from dadosoftware.com (unknown [217.199.13.2]) - FALSE POSITIVE

 I get timeouts on one of the servers (dns2.bkom.it) responsible to resolve
 217.199.13.2. This may explain the inconsistent behaviour you're seeing (I
 wouldn't call it a false positive).

 -- Matthias




Yeah, I was suspecting something about timeouts... thanks!

-- 
/*/
nik600
http://www.kumbe.it


Re: problem with RDNS_NONE: false positive

2008-10-02 Thread Quelonius


nik600 hotmail wrote:
 
 I'm experiencing a strange problem with RDNS_NONE.
 
 On the same sender host, sometimes it is marked with RDNS_NONE, and
 sometimes not.
 
 The host has a reverse dns!
 
 Example:
 Received: from dadosoftware.com (dns2.dadosoftware.com [217.199.13.2]) -
 OK
 
 Received: from dadosoftware.com (unknown [217.199.13.2]) - FALSE POSITIVE
 
 But 217.199.13.2 has a reverse dns!
 2.13.199.217.in-addr.arpa. 11894 IN   PTR dns2.dadosoftware.com.
 
 Who decides the presence of RDNS_NONE ?
 A real dns check or a parsing of the email headers?
 
 And, in case of parse who decides to write dns2.dadosoftware.com
 [217.199.13.2] instead of unknown [217.199.13.2]?
 
 

Hello,

I'm also experiencing some issues with RDNS_NONE, for example:


Return-Path: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: from mail.telcel.com (mail.telcel.com [200.38.208.219])
by server.nekotec.com.mx (Postfix) with ESMTP id 8DE0DE42BD;
Wed,  1 Oct 2008 13:10:42 -0500 (CDT)
Received: from MXVIBOFICOR04 ([10.203.6.79])
 by xiang.telcel.com (Sun Java System Messaging Server 6.2-7.05 (built Sep 5
 2006)) with ESMTP id [EMAIL PROTECTED]; Wed,
 01 Oct 2008 13:08:20 -0500 (CDT)
Date: Wed, 01 Oct 2008 13:10:08 -0500
From: sender [EMAIL PROTECTED]
Subject: =?iso-8859-1?Q?RE:_Reuni=F3n_con_Sergio_Ruelas?=
In-reply-to:
To: [EMAIL PROTECTED], 'A Person' [EMAIL PROTECTED]
Cc: ='someone else' [EMAIL PROTECTED],
 'Another Person' [EMAIL PROTECTED]
Reply-to: [EMAIL PROTECTED]
Message-id: [EMAIL PROTECTED]
Organization: Radiomovil DIPSA S.A. DE C.V.
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.3350
X-Mailer: Microsoft Office Outlook 11
Content-type: multipart/related;
boundary=Boundary_(ID_qVeDaZ+jbYnMrmKcL4ak9w)
Thread-index: AckjH+1ELYTEgSMgStiE9TLFCGpJTwAER6RgAC/RkyA=
X-TM-IMSS-Message-ID: [EMAIL PROTECTED]
X-TM-AS-Product-Ver: IMSS-7.0.0.6219-5.5.0.1027-16192.001
X-TM-AS-Result: No--29.940-7.0-31-1
X-imss-scan-details: No--29.940-7.0-31-1;No--29.940-7.0-31-1
X-Virus-Scanned: ClamAV version 0.94, clamav-milter version 0.94 on
server.nekotec.com.mx
X-Virus-Status: Clean
X-Spam-Status: No, score=-6.7 required=2.5 tests=BAYES_00,HTML_MESSAGE,
RDNS_NONE,SHORT_HELO_AND_INLINE_IMAGE,SNS_FROM_TELCEL,SNS_HAM_KEYWORDS
autolearn=ham version=3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
server.nekotec.com.mx


The PTR:

; <<>> DiG 9.3.4 <<>> -x 200.38.208.219
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8556
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;219.208.38.200.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
219.208.38.200.in-addr.arpa. 2797 IN    PTR     mail.telcel.com.

;; AUTHORITY SECTION:
208.38.200.in-addr.arpa. 2797   IN      NS      nsmex4.uninet.net.mx.
208.38.200.in-addr.arpa. 2797   IN      NS      dnsadm-interno.uninet.net.mx.
208.38.200.in-addr.arpa. 2797   IN      NS      nsmex3.uninet.net.mx.

;; ADDITIONAL SECTION:
nsmex3.uninet.net.mx.   97      IN      A       200.33.146.211
nsmex4.uninet.net.mx.   157     IN      A       200.33.146.217
dnsadm-interno.uninet.net.mx. 157 IN    A       200.33.150.193

The fwd record matches:

; <<>> DiG 9.3.4 <<>> mail.telcel.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26651
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;mail.telcel.com.               IN      A

;; ANSWER SECTION:
mail.telcel.com.        11456   IN      A       200.38.208.219

;; AUTHORITY SECTION:
telcel.com.             11456   IN      NS      dns1i.itelcel.com.
telcel.com.             11456   IN      NS      dns01.amigokit.com.

I have other hosts that trigger the RDNS_NONE rule as well. They are never
enough to classify the message as spam, though. But it's kind of bothersome
that SA fires up a false positive for rDNS.

I'm really confused as to how SA parses the email to trigger (or not) the
RDNS_NONE rule.

Dan.


-- 
View this message in context: 
http://www.nabble.com/problem-with-RDNS_NONE%3A-false-positive-tp19774673p19780402.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
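The thread's answer to Dan's question is that the MTA does the lookup and the filter only reads what the MTA wrote into the Received: header. The following is an added example (not SpamAssassin code, and not a description of its internals) that parses the client clause of Received: headers exactly that way: it does no DNS at all, it just reports whether the hop carries a reverse name or the MTA's "unknown". Which hop a real filter examines depends on its trusted/internal network configuration, which this example does not model; it simply takes the topmost Received: header, i.e. the hop into the local MTA. The first sample is Dan's headers from above, abridged to the relevant lines with the queue and message ids omitted; the second is a constructed Postfix-style line modelled on nik600's "unknown [217.199.13.2]" case (mx.example.org and the queue id are placeholders).

```python
"""Header-only parse of the Received: client clause (added example)."""

import re
from dataclasses import dataclass
from typing import List, Optional

# Postfix/sendmail style client clause:
#   from HELO (rdns [ip])     rdns present, or the literal word "unknown"
#   from HELO ([ip])          no reverse name written at all
CLIENT_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\("
    r"(?:(?P<rdns>[^\s\[\]()]+)\s+)?"
    r"\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
)


@dataclass
class Relay:
    helo: str
    ip: str
    rdns: Optional[str]   # None when the MTA wrote "unknown" or no name at all


def unfold(raw: str) -> List[str]:
    """RFC 5322 unfolding: join continuation lines onto their header line."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def parse_relays(raw_headers: str) -> List[Relay]:
    """Return one Relay per Received: header that has a parseable client clause."""
    relays: List[Relay] = []
    for hdr in unfold(raw_headers):
        if not hdr.lower().startswith("received:"):
            continue
        m = CLIENT_RE.search(hdr)
        if not m:
            continue   # hop written in a format this parser does not know
        rdns = m.group("rdns")
        if rdns is None or rdns.lower() == "unknown":
            rdns = None
        relays.append(Relay(m.group("helo"), m.group("ip"), rdns))
    return relays


def rdns_missing_at_first_hop(raw_headers: str) -> Optional[bool]:
    """True when the topmost parseable hop carries no reverse name,
    False when it does, None when no Received: header could be parsed.
    No DNS query is made: the verdict comes purely from the header text."""
    relays = parse_relays(raw_headers)
    if not relays:
        return None
    return relays[0].rdns is None


# Dan's headers from the thread, abridged (queue/message ids omitted).
TELCEL_HEADERS = """\
Received: from mail.telcel.com (mail.telcel.com [200.38.208.219])
    by server.nekotec.com.mx (Postfix) with ESMTP;
    Wed,  1 Oct 2008 13:10:42 -0500 (CDT)
Received: from MXVIBOFICOR04 ([10.203.6.79])
    by xiang.telcel.com (Sun Java System Messaging Server 6.2-7.05 (built Sep
    5 2006)) with ESMTP; Wed, 01 Oct 2008 13:08:20 -0500 (CDT)
X-Spam-Status: No, score=-6.7 required=2.5 tests=BAYES_00,HTML_MESSAGE,
    RDNS_NONE,SHORT_HELO_AND_INLINE_IMAGE,SNS_FROM_TELCEL,SNS_HAM_KEYWORDS
"""

# Constructed sample modelled on nik600's "unknown" case; the receiving
# host name and queue id are placeholders.
UNKNOWN_HEADERS = """\
Received: from dadosoftware.com (unknown [217.199.13.2])
    by mx.example.org (Postfix) with ESMTP id 0123456789
    for <user@example.org>; Thu, 2 Oct 2008 10:00:00 +0200 (CEST)
"""

if __name__ == "__main__":
    for label, hdrs in (("telcel", TELCEL_HEADERS), ("unknown", UNKNOWN_HEADERS)):
        print(label, parse_relays(hdrs), rdns_missing_at_first_hop(hdrs))
```

On Dan's headers the hop into server.nekotec.com.mx does carry a reverse name, while the internal hop from MXVIBOFICOR04 ([10.203.6.79]) does not; which of the two a filter treats as the relay of interest is a trust-path decision, and the only thing a header-only parse can tell you is what the writing MTA saw, not whether a PTR exists now.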



Re: problem with RDNS_NONE: false positive

2008-10-02 Thread mouss

nik600 wrote:

I'm experiencing a strange problem with RDNS_NONE.

On the same sender host, sometimes it is marked with RDNS_NONE, and
sometimes not.

The host has a reverse dns!

Example:
Received: from dadosoftware.com (dns2.dadosoftware.com [217.199.13.2]) - OK

Received: from dadosoftware.com (unknown [217.199.13.2]) - FALSE POSITIVE


you seem to have a special conception of false positive?

your MTA can decide that it is unknown for many reasons, including:
- not configured to lookup rdns
- dns lookup timeout

in these two cases, there is no point to talk about false positive.



But 217.199.13.2 has a reverse dns!
2.13.199.217.in-addr.arpa. 11894 IN PTR dns2.dadosoftware.com.


just for info, this is not enough. always check the returned name, like this

$ host dns2.dadosoftware.com
dns2.dadosoftware.com has address 217.199.13.2
so the resulting IP is the original one. otherwise, the rdns is 
irrelevant (in case of mismatch, it is unknown in postfix, tcp 
wrappers, ... etc).





Who decides the presence of RDNS_NONE ?
A real dns check or a parsing of the email headers?

And, in case of parse who decides to write dns2.dadosoftware.com
[217.199.13.2] instead of unknown [217.199.13.2]?



for one, it is your MTA that does the dns lookup, so whatever it could 
be, it's not an SA issue.


second, the default configuration has
score RDNS_NONE 0.1

if this causes an FP, then you must be living in a different Cantor space.
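As an added example (not Postfix or SpamAssassin code) of the check mouss asks for here, and spells out step by step in his 2008-11-06 reply (take the first PTR, resolve it forward, compare against the client IP, any DNS failure yields "unknown"), the following Python models what an MTA does before it writes the client clause of the Received: header. The resolver is an in-memory table so it runs offline; 217.199.13.2 and dns2.dadosoftware.com are from the thread, while the 192.0.2.x and 203.0.113.x addresses and example.* names are placeholders standing in for derHummel's xxx/yyy hosts and for a host with a stale second PTR.

```python
"""Forward-confirmed reverse DNS as an MTA performs it (added example)."""

from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


class DnsTempFail(Exception):
    """Stands in for a resolver timeout or SERVFAIL."""


@dataclass
class FakeResolver:
    """In-memory stand-in for DNS; real MTAs ask the system resolver."""
    ptr: Dict[str, List[str]] = field(default_factory=dict)   # ip   -> PTR names
    a: Dict[str, List[str]] = field(default_factory=dict)     # name -> A addresses
    failing: Set[str] = field(default_factory=set)            # names/IPs that time out
    calls: Dict[str, int] = field(default_factory=dict)       # per-IP query counter

    def lookup_ptr(self, ip: str) -> List[str]:
        if ip in self.failing:
            raise DnsTempFail(ip)
        names = self.ptr.get(ip, [])
        if not names:
            return []
        # Rotate the answer set on every query, as a round-robin server does,
        # so a host with several PTRs sees them in a different order each time.
        n = self.calls.get(ip, 0)
        self.calls[ip] = n + 1
        k = n % len(names)
        return names[k:] + names[:k]

    def lookup_a(self, name: str) -> List[str]:
        if name in self.failing:
            raise DnsTempFail(name)
        return list(self.a.get(name, []))


def fcrdns(ip: str, resolver: FakeResolver, max_a: int = 16) -> Tuple[str, str]:
    """Return (name to write in the Received: clause, reason).

    Steps 1-4 from the post: first PTR for the IP, forward-resolve that name,
    accept it only if one of the (first max_a) returned addresses is the
    client IP.  A DNS failure at either step yields 'unknown', which the
    header cannot distinguish from a genuine mismatch.
    """
    try:
        ptrs = resolver.lookup_ptr(ip)
        if not ptrs:
            return "unknown", "no PTR record"
        name = ptrs[0]
        addrs = resolver.lookup_a(name)[:max_a]
    except DnsTempFail as exc:
        return "unknown", f"temporary DNS failure looking up {exc}"
    if ip in addrs:
        return name, "forward-confirmed"
    return "unknown", f"PTR {name} does not resolve back to {ip}"


def received_clause(helo: str, ip: str, resolver: FakeResolver) -> str:
    """The 'from HELO (name [ip])' fragment a Postfix-style MTA writes."""
    name, _ = fcrdns(ip, resolver)
    return f"from {helo} ({name} [{ip}])"


def build_table() -> FakeResolver:
    """Constructed DNS data covering the cases discussed in the thread."""
    return FakeResolver(
        ptr={
            "217.199.13.2": ["dns2.dadosoftware.com"],              # consistent
            "192.0.2.10": ["relay.example.net"],                    # xxx: PTR but no A
            "192.0.2.11": ["relay.example.net"],                    # yyy: PTR and A
            "192.0.2.20": ["good.example.org", "stale.example.org"],  # two PTRs, one stale
        },
        a={
            "dns2.dadosoftware.com": ["217.199.13.2"],
            "relay.example.net": ["192.0.2.11"],
            "good.example.org": ["192.0.2.20"],
            "stale.example.org": ["203.0.113.5"],
        },
    )


if __name__ == "__main__":
    t = build_table()
    print(received_clause("dadosoftware.com", "217.199.13.2", t))
    print(received_clause("relay.example.net", "192.0.2.10", t), fcrdns("192.0.2.10", t)[1])
    for _ in range(2):   # alternates between a name and unknown: round-robin PTRs
        print(received_clause("mx.example.org", "192.0.2.20", t))
    t.failing.add("217.199.13.2")
    print(fcrdns("217.199.13.2", t))
```

The 192.0.2.20 case is the random failure mouss warns about: with two PTRs of which only one resolves back, the outcome depends on which one the server returns first, and the 192.0.2.10 case is derHummel's: a PTR that exists but names a host whose A record is a different address.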