Re: Spam email many have RCVD_IN_DNSWL_MED
On 10/12, Greg Troxel wrote:
> dar...@chaosreigns.com writes:
>
> > To report abuse to dnswl.org, on http://www.dnswl.org/ there is a "Report
> > Abuse" section in the right column. I wrote a spamassassin plugin
> > which might make it easier to report spam that matches dnswl rules:
> > http://www.chaosreigns.com/dnswl/sa_plugin/
>
> It would seem a good idea for reporting plugins to be part of the base
> distribution, just needing credentials to be set, for all services that
> are part of the base distribution.
> Is there a reason (other than lack of time) for this not to be in the
> main release?

The bug discussing my attempts to do that is here:
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6545

I've found working with both SpamAssassin and DNSWL.org incredibly frustrating. The plugin is already released under the same license as spamassassin, you're welcome to try to get it included.

Maybe I should set up a similar reporting plugin for my iprep project. ( http://www.chaosreigns.com/iprep/ ) Any interest?

--
"If everything seems under control, you're not going fast enough"
- Mario Andretti
http://www.ChaosReigns.com
Re: Spam email many have RCVD_IN_DNSWL_MED
dar...@chaosreigns.com writes:

> To report abuse to dnswl.org, on http://www.dnswl.org/ there is a "Report
> Abuse" section in the right column. I wrote a spamassassin plugin
> which might make it easier to report spam that matches dnswl rules:
> http://www.chaosreigns.com/dnswl/sa_plugin/

It would seem a good idea for reporting plugins to be part of the base distribution, just needing credentials to be set, for all services that are part of the base distribution.

Is there a reason (other than lack of time) for this not to be in the main release?
Re: DNSWL returns _HI trust level for everything to "abusive" DNS servers Re: Spam email many have RCVD_IN_DNSWL_MED
dar...@chaosreigns.com wrote:
> On 10/12, Alessio Cecchi wrote:
> > I have found the problem: Google name server
> >
> > >On 10/11, Alessio Cecchi wrote:
> > >>Received: from [175.145.6.37] (unknown [175.145.6.37])
> > >
> > >$ host 37.6.145.175.list.dnswl.org
> > >Host 37.6.145.175.list.dnswl.org not found: 3(NXDOMAIN)
> > >
> > >Should not hit any RCVD_IN_DNSWL_* rules.
> >
> > In this installation:
> >
> > # cat /etc/resolv.conf
> > nameserver 8.8.8.8
> > nameserver 8.8.4.4
> >
> > # host 37.6.145.175.list.dnswl.org
> > 37.6.145.175.list.dnswl.org has address 127.0.10.3
>
> Sorry, I should have realized this problem sooner too.
>
> Relatively recently, DNSWL started returning values that correspond to the
> spamassassin rule RCVD_IN_DNSWL_HI for *all* queries, for name servers that
> have been deemed "abusive". I found out about it 10 days ago.
>
> A year ago DNSWL announced it would start requiring payment from people
> doing more than 100,000 queries per day. This is tied to the determination
> of "abusiveness".
>
> So yes, as Jim Popovitch recommended, you should not have this problem if
> you run a local DNS server (without using "abusive" servers as forwarders),
> which I think is probably recommended practice for running spamassassin
> anyway.
>
> --
> "every time I race I see god" - tsuwa, #motorcycles, EFNet, 7/19/06
> http://www.ChaosReigns.com

Although I did not think it was recommended to use Google's DNS with SA.

From SA FAQ:

Your DNSBL blocks nothing at all!

First, check our FAQ answer for "Your DNSBL blocks the whole Internet!" and make sure you've not made a spelling mistake in your mailserver configuration.

Check what DNS resolvers you are using: If you are using a free "open DNS resolver" service such as Google Public DNS or Level3's public DNS servers to resolve your DNSBL requests, in most cases you will receive a "not listed" (NXDOMAIN) reply from Spamhaus' public DNSBL servers. Please use your own DNS servers when doing DNSBL queries to Spamhaus.

--
If you cannot beat them, try to côntrole them.
DNSWL returns _HI trust level for everything to "abusive" DNS servers Re: Spam email many have RCVD_IN_DNSWL_MED
On 10/12, Alessio Cecchi wrote:
> I have found the problem: Google name server
>
> >On 10/11, Alessio Cecchi wrote:
> >>Received: from [175.145.6.37] (unknown [175.145.6.37])
> >
> >$ host 37.6.145.175.list.dnswl.org
> >Host 37.6.145.175.list.dnswl.org not found: 3(NXDOMAIN)
> >
> >Should not hit any RCVD_IN_DNSWL_* rules.
>
> In this installation:
>
> # cat /etc/resolv.conf
> nameserver 8.8.8.8
> nameserver 8.8.4.4
>
> # host 37.6.145.175.list.dnswl.org
> 37.6.145.175.list.dnswl.org has address 127.0.10.3

Sorry, I should have realized this problem sooner too.

Relatively recently, DNSWL started returning values that correspond to the spamassassin rule RCVD_IN_DNSWL_HI for *all* queries, for name servers that have been deemed "abusive". I found out about it 10 days ago.

A year ago DNSWL announced it would start requiring payment from people doing more than 100,000 queries per day. This is tied to the determination of "abusiveness".

So yes, as Jim Popovitch recommended, you should not have this problem if you run a local DNS server (without using "abusive" servers as forwarders), which I think is probably recommended practice for running spamassassin anyway.

--
"every time I race I see god" - tsuwa, #motorcycles, EFNet, 7/19/06
http://www.ChaosReigns.com
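The resolver comparison described in this thread, as an added example that is not part of the original messages: it decodes list.dnswl.org answers into the RCVD_IN_DNSWL_* rule they would trigger and flags a resolver that gives the same listed answer to every query. The function names are illustrative, the sample `host` output is copied from the lookups quoted in the thread, and the mapping of last octets 1 and 2 to LOW and MED comes from dnswl.org's published return codes rather than from this page.

```python
#!/usr/bin/env python3
# Added example (not from the thread's authors): decode list.dnswl.org
# answers and flag a resolver that returns one identical "listed" answer
# for every query while another resolver disagrees.
import ipaddress
import re

# Last octet -> trust level. 0 = NONE and 3 = HI are stated in the thread;
# 1 = LOW and 2 = MED follow dnswl.org's published return codes.
TRUST = {0: "NONE", 1: "LOW", 2: "MED", 3: "HI"}

HOST_ADDR = re.compile(r"^(\S+) has address (\d+(?:\.\d+){3})$")
HOST_NX = re.compile(r"^Host (\S+) not found: 3\(NXDOMAIN\)$")

# `host` output quoted in the thread, asked through 8.8.8.8 / 8.8.4.4.
VIA_PUBLIC = """
37.6.145.175.list.dnswl.org has address 127.0.10.3
84.213.137.195.list.dnswl.org has address 127.0.10.3
70.21.86.74.list.dnswl.org has address 127.0.10.3
84.91.139.98.list.dnswl.org has address 127.0.10.3
"""

# The same names as resolved in the earlier reply in the thread.
VIA_OTHER = """
Host 37.6.145.175.list.dnswl.org not found: 3(NXDOMAIN)
Host 84.213.137.195.list.dnswl.org not found: 3(NXDOMAIN)
Host 70.21.86.74.list.dnswl.org not found: 3(NXDOMAIN)
84.91.139.98.list.dnswl.org has address 127.0.5.0
"""


def dnswl_name(ip, zone="list.dnswl.org"):
    """Build the reversed-octet query name for an IPv4 relay address."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def decode(answer):
    """Map 127.0.<category>.<trust> to (category, SpamAssassin rule name)."""
    parts = [int(p) for p in answer.split(".")]
    if len(parts) != 4 or parts[:2] != [127, 0] or parts[3] not in TRUST:
        raise ValueError("not a DNSWL answer: %r" % answer)
    return parts[2], "RCVD_IN_DNSWL_" + TRUST[parts[3]]


def parse_host_output(text):
    """Return {query name: A record, or None for NXDOMAIN} from `host` output."""
    results = {}
    for line in text.strip().splitlines():
        line = line.strip()
        hit = HOST_ADDR.match(line)
        if hit:
            results[hit.group(1)] = hit.group(2)
            continue
        miss = HOST_NX.match(line)
        if miss:
            results[miss.group(1)] = None
    return results


def rule_hits(results):
    """Return {query name: rule that would fire, or None if unlisted}."""
    return {name: decode(addr)[1] if addr else None
            for name, addr in results.items()}


def blanket_answer(suspect, reference):
    """Return the single answer `suspect` gives for every shared name when
    `reference` disagrees on at least one of them; otherwise None."""
    common = [name for name in suspect if name in reference]
    answers = {suspect[name] for name in common}
    if len(common) < 2 or len(answers) != 1 or None in answers:
        return None
    answer = answers.pop()
    if all(reference[name] == answer for name in common):
        return None  # both resolvers agree, nothing to flag
    return answer


if __name__ == "__main__":
    public = parse_host_output(VIA_PUBLIC)
    other = parse_host_output(VIA_OTHER)
    for name in sorted(public):
        print(name, rule_hits(public)[name], "vs", rule_hits(other).get(name))
    flagged = blanket_answer(public, other)
    if flagged:
        print("every query returned", flagged, "->", decode(flagged)[1],
              "(check which resolver SpamAssassin is using)")
```

To check a live system, feed `parse_host_output` the output of `host` run once through the resolver in /etc/resolv.conf and once through a local recursive resolver, using names built with `dnswl_name` from the first IP in X-Spam-RelaysUntrusted.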
HTML standards, off topic Re: Spam email many have RCVD_IN_DNSWL_MED
This is so off topic, I'm sorry, but the repeated accusations are hard not to respond to. On 10/12, Benny Pedersen wrote: > On Tue, 11 Oct 2011 18:53:40 -0700, jdow wrote: > >On 2011/10/11 12:30, Benny Pedersen wrote: > >>On Tue, 11 Oct 2011 13:27:04 -0400, dar...@chaosreigns.com wrote: > >>>And I have my own IP reputation project that could use your data: > >>>http://www.chaosreigns.com/iprep/ > >>shame on microsoft not letting me have ie9, shame on you not let > >>me see your > >>page as html 3.2 > >Shame on you for not using Opera, FireFox, Chrome, or other. > > why not html 3.2 ?, and is supported in all browsers, incl some > versions of netscrape, firefox sooks here, oh well installed privoxy > via squid now Seriously? Your question is why I'm not writing my website in html 3.2? That wasn't sarcasm? Because in 1997, 14 years ago, the W3C, which created HTML 3.2, recommended that people stop using it. My website only requires standards in effect since January 26 2000, 11 years ago. Why are you using a browser that can't handle 11 year old standards? Specifically, the requirement to serve XML as "Content-Type: application/xhtml+xml", introduced with XHTML 1.0. And this isn't a "won't render pretty" if you don't support it standard. MSIE prior to version 9 will ask if you want to save it to a file and not even bother trying display the page. There was a time when I wrote HTML in the oldest standard I could. HTML 2.0 when I didn't need to use tables. But then it finally sunk in that old HTML standards weren't some kind of base on which new standards were built. They are crufty old garbage that needs to be eliminated and replaced with the current standards. Just like you wouldn't think it was a great idea to build a new house using 100 year old building codes. -- "We will be dead soon. Is this how we want to live?" http://www.ChaosReigns.com
Re: Spam email many have RCVD_IN_DNSWL_MED
On Wed, 12 Oct 2011 08:15:03 +0200, Alessio Cecchi wrote:

[snip]

> Why Google name server returns an incorrect value?

google is free, so they can sooks as much they want to :)

dig -4 +trace 10.223.104.2.list.dnswl.org

resolved in 154 ms here

does it timeout ?, then contact dnswl.org

make sure you have the latest root zone file, it will not be up to date if bind is not updated

hope that helps you as well, it did for me

try logging lame bind dns logs, contact dns admins if any are listed there
Re: Spam email many have RCVD_IN_DNSWL_MED
On Tue, 11 Oct 2011 18:53:40 -0700, jdow wrote: On 2011/10/11 12:30, Benny Pedersen wrote: On Tue, 11 Oct 2011 13:27:04 -0400, dar...@chaosreigns.com wrote: And I have my own IP reputation project that could use your data: http://www.chaosreigns.com/iprep/ shame on microsoft not letting me have ie9, shame on you not let me see your page as html 3.2 Shame on you for not using Opera, FireFox, Chrome, or other. why not html 3.2 ?, and is supported in all browsers, incl some versions of netscrape, firefox sooks here, oh well installed privoxy via squid now
Re: Spam email many have RCVD_IN_DNSWL_MED
On Wed, Oct 12, 2011 at 02:15, Alessio Cecchi wrote:
>
> Why Google name server returns an incorrect value?

Because sometimes the Google name servers overload the upstream system and get blocked. The same thing happens if you use the Level 3 servers (4.2.2.x). You would be better served by installing a local DNS resolver like pdns_resolver.

-Jim P.
Re: Spam email many have RCVD_IN_DNSWL_MED
On 11/10/2011 20:58, dar...@chaosreigns.com wrote:
> Thanks to John Hardin for noticing one of these was off. I should've
> checked them before replying.
>
> *None* of these should be hitting RCVD_IN_DNSWL_HI or RCVD_IN_DNSWL_MED,
> or even RCVD_IN_DNSWL_LOW. Alessio, you have a problem *other* than the
> data listed by dnswl.org. Start with the X-Spam-RelaysUntrusted header I
> recommended in my last post.

I have found the problem: Google name server

> On 10/11, Alessio Cecchi wrote:
> > Received: from [175.145.6.37] (unknown [175.145.6.37])
>
> $ host 37.6.145.175.list.dnswl.org
> Host 37.6.145.175.list.dnswl.org not found: 3(NXDOMAIN)
>
> Should not hit any RCVD_IN_DNSWL_* rules.

In this installation:

# cat /etc/resolv.conf
nameserver 8.8.8.8
nameserver 8.8.4.4

# host 37.6.145.175.list.dnswl.org
37.6.145.175.list.dnswl.org has address 127.0.10.3

> > Received: from webbox794.server-home.net (webbox794.server-home.net [195.137.213.84])
>
> $ host 84.213.137.195.list.dnswl.org
> Host 84.213.137.195.list.dnswl.org not found: 3(NXDOMAIN)
>
> Should not hit any RCVD_IN_DNSWL_* rules.

# host 84.213.137.195.list.dnswl.org
84.213.137.195.list.dnswl.org has address 127.0.10.3

> > Received: from node-sl626.smtp.com (node-sl626.smtp.com [74.86.21.70])
>
> $ host 70.21.86.74.list.dnswl.org
> Host 70.21.86.74.list.dnswl.org not found: 3(NXDOMAIN)
>
> Should not hit any RCVD_IN_DNSWL_* rules.

# host 70.21.86.74.list.dnswl.org
70.21.86.74.list.dnswl.org has address 127.0.10.3

> > Received: from nm14.bullet.mail.sp2.yahoo.com (nm14.bullet.mail.sp2.yahoo.com [98.139.91.84])
>
> $ host 84.91.139.98.list.dnswl.org
> 84.91.139.98.list.dnswl.org has address 127.0.5.0
>
> Should hit RCVD_IN_DNSWL_NONE.

# host 84.91.139.98.list.dnswl.org
84.91.139.98.list.dnswl.org has address 127.0.10.3

Also from my PC I have the same behaviour if I query google name server:

alessice@pc1-linux:~$ nslookup 37.6.145.175.list.dnswl.org 8.8.8.8
Server: 8.8.8.8
Address:8.8.8.8#53

Non-authoritative answer:
Name: 37.6.145.175.list.dnswl.org
Address: 127.0.10.3

alessice@pc1-linux:~$ nslookup 37.6.145.175.list.dnswl.org 151.99.125.2
Server: 151.99.125.2
Address:151.99.125.2#53

** server can't find 37.6.145.175.list.dnswl.org: NXDOMAIN

I usually configure "127.0.0.1" as resolver, but not in this installation.

Why Google name server returns an incorrect value?

Thanks!

--
Alessio Cecchi is:
@ ILS -> http://www.linux.it/~alessice/
on LinkedIn -> http://www.linkedin.com/in/alessice
GNU/Linux Systems Support -> http://www.cecchi.biz/
@ PLUG -> former president, now senator for life, http://www.prato.linux.it
@ LOLUG -> Member http://www.lolug.net
Re: Spam email many have RCVD_IN_DNSWL_MED
On 2011/10/11 12:30, Benny Pedersen wrote: On Tue, 11 Oct 2011 13:27:04 -0400, dar...@chaosreigns.com wrote: And I have my own IP reputation project that could use your data: http://www.chaosreigns.com/iprep/ shame on microsoft not letting me have ie9, shame on you not let me see your page as html 3.2 Shame on you for not using Opera, FireFox, Chrome, or other. {o.o}
Re: Spam email many have RCVD_IN_DNSWL_MED
On 10/11, Benny Pedersen wrote: > thanks for link, but it was more info from the above sender for why > bayes 99 is not good Oh, probably just because for some reason he isn't comfortable with increasing the score of the BAYES_99 rule. Although he'd be much better off figuring out why he's getting the wrong DNSWL rule hits and fixing that. > >downloaded from http://www.chaosreigns.com/dnswl/sa_plugin/ > >(It's also listed on > >http://wiki.apache.org/spamassassin/CustomPlugins ) > > it doe report dnswl_none, witch is imho waste reporting, dont know > if there is a new version to report on dnswl I think you tried to say "it doesn't accept reports of abuse for spam from IPs that DNSWL doesn't list." (It does work for RCVD_IN_DNSWL_NONE, because that's a listed trust level, different from an IP being unlisted.) I agree. I used to have ssh access to modify the web interface, but I didn't by the time I wrote that plugin, so I had to use what was available, the abuse reporting web form. Which doesn't accept reports of "abuse" from IPs that aren't listed by dnswl.org. I asked for my ssh access back, and asked for that form to accept reports of unlisted IPs, but that's one of the things Matthias has always been resistant to - keeping track of known spamming IPs so they don't get listed as non-spammers in the future. I think the internal data structures were eventually modified to handle it (I think there's an internal, unpublished trust level of "black"), but that web form still doesn't accept those reports. That's a large part of why I created http://www.chaosreigns.com/iprep/ Works great for people providing data, I just don't have data from enough people for it to be usefully accurate for people not sending data. -- "Every man, woman and child on the face of this earth is at the mercy of chaos." - a maxwell smart movie http://www.ChaosReigns.com
Re: Spam email many have RCVD_IN_DNSWL_MED
On Tue, 11 Oct 2011 15:24:54 -0400, dar...@chaosreigns.com wrote: On 10/11, Benny Pedersen wrote: >BAYES_99 can to nothing against this :-( eloborate on bayes please http://wiki.apache.org/spamassassin/BayesInSpamAssassin http://en.wikipedia.org/wiki/Bayesian_spam_filtering thanks for link, but it was more info from the above sender for why bayes 99 is not good http://www.dnswl.org/ see link abuse reporting when setup, do spamassassin -r spammsg For that to work, you have to have my dnswl abuse reporting plugin installed, which is not documented on http://www.dnswl.org/ but can be downloaded from http://www.chaosreigns.com/dnswl/sa_plugin/ (It's also listed on http://wiki.apache.org/spamassassin/CustomPlugins ) it doe report dnswl_none, witch is imho waste reporting, dont know if there is a new version to report on dnswl
Re: Spam email many have RCVD_IN_DNSWL_MED
On Tue, 11 Oct 2011 13:27:04 -0400, dar...@chaosreigns.com wrote: And I have my own IP reputation project that could use your data: http://www.chaosreigns.com/iprep/ shame on microsoft not letting me have ie9, shame on you not let me see your page as html 3.2
Re: Spam email many have RCVD_IN_DNSWL_MED
On 10/11, Benny Pedersen wrote: > >BAYES_99 can to nothing against this :-( > > eloborate on bayes please http://wiki.apache.org/spamassassin/BayesInSpamAssassin http://en.wikipedia.org/wiki/Bayesian_spam_filtering > http://www.dnswl.org/ see link abuse reporting > > when setup, do spamassassin -r spammsg For that to work, you have to have my dnswl abuse reporting plugin installed, which is not documented on http://www.dnswl.org/ but can be downloaded from http://www.chaosreigns.com/dnswl/sa_plugin/ (It's also listed on http://wiki.apache.org/spamassassin/CustomPlugins ) -- "Blades don't need reloading." - The Zombie Survival Guide by Max Brooks http://www.ChaosReigns.com
Re: Spam email many have RCVD_IN_DNSWL_MED
On Tue, 11 Oct 2011 18:18:59 +0200, Alessio Cecchi wrote: I'm an italian user of spamassassin. During the last 3 weeks many spam email have rating cut down by the rules "RCVD_IN_DNSWL_MED". Also BAYES_99 can to nothing against this :-( eloborate on bayes please For now I solved the problem by disable this check, but is a common problems for many italian users. italian users is not special :-) How we can solve this problem? http://www.dnswl.org/ see link abuse reporting when setup, do spamassassin -r spammsg
Re: Spam email many have RCVD_IN_DNSWL_MED
Thanks to John Hardin for noticing one of these was off. I should've checked them before replying.

*None* of these should be hitting RCVD_IN_DNSWL_HI or RCVD_IN_DNSWL_MED, or even RCVD_IN_DNSWL_LOW. Alessio, you have a problem *other* than the data listed by dnswl.org. Start with the X-Spam-RelaysUntrusted header I recommended in my last post.

On 10/11, Alessio Cecchi wrote:
> Received: from [175.145.6.37] (unknown [175.145.6.37])

$ host 37.6.145.175.list.dnswl.org
Host 37.6.145.175.list.dnswl.org not found: 3(NXDOMAIN)

Should not hit any RCVD_IN_DNSWL_* rules.

> Received: from webbox794.server-home.net (webbox794.server-home.net
> [195.137.213.84])

$ host 84.213.137.195.list.dnswl.org
Host 84.213.137.195.list.dnswl.org not found: 3(NXDOMAIN)

Should not hit any RCVD_IN_DNSWL_* rules.

> Received: from node-sl626.smtp.com (node-sl626.smtp.com [74.86.21.70])

$ host 70.21.86.74.list.dnswl.org
Host 70.21.86.74.list.dnswl.org not found: 3(NXDOMAIN)

Should not hit any RCVD_IN_DNSWL_* rules.

> Received: from nm14.bullet.mail.sp2.yahoo.com
> (nm14.bullet.mail.sp2.yahoo.com [98.139.91.84])

$ host 84.91.139.98.list.dnswl.org
84.91.139.98.list.dnswl.org has address 127.0.5.0

Should hit RCVD_IN_DNSWL_NONE.

--
"A ship in a port is safe, but that's not what ships are built for."
-Grace Murray Hopper
http://www.ChaosReigns.com
Re: Spam email many have RCVD_IN_DNSWL_MED
On 10/11, John Hardin wrote:
> On Tue, 11 Oct 2011, Alessio Cecchi wrote:
> >Received: from nm14.bullet.mail.sp2.yahoo.com
> >(nm14.bullet.mail.sp2.yahoo.com [98.139.91.84])
> > by www-mydomain.myserver.net (Postfix) with SMTP id 8889762AB1
> > for ; Tue, 11 Oct 2011 15:44:22 +0200 (CEST)
>
> Yahoo is in RCVD_IN_DNSWL_HI ?!?! YGBFKM!

Hah, no, that IP 98.139.91.84, listed as NONE. As it should be.

$ host 84.91.139.98.list.dnswl.org
84.91.139.98.list.dnswl.org has address 127.0.5.0

0 in the last octet of the returned IP = NONE. - http://www.dnswl.org/tech

So, there could be a trusted_networks / internal_networks spamassassin configuration problem, a bug in spamassassin, or a DNS server between spamassassin and dnswl.org doing something weird.

Alessio, a good place to start would be to add to your spamassassin config:

add_header all RelaysUntrusted _RELAYSUNTRUSTED_

This will add headers like:

X-Spam-RelaysUntrusted: [ ip=140.211.11.3 rdns=hermes.apache.org

That first IP listed is the IP that network tests like RCVD_IN_DNSWL_* use, so it should be the IP you got it from. In this example you'd want it to be 98.139.91.84. If it's not, you have a problem with your trusted_networks / internal_networks settings in your spamassassin config.

On 10/11, Michael Scheidell wrote:
> You don't have permission to access /dnswl/dl/DNSWLh.pm

Thanks, fixed. Sorry about that.

On 10/11, Michael Scheidell wrote:
> On 10/11/11 1:47 PM, John Hardin wrote:
> >Yahoo is in RCVD_IN_DNSWL_HI ?!?! YGBFKM!
> there goes the neighborhood.
>
> I am removing RCVD_IN_DNSWL_HI checks on our servers right now.

I encourage you to develop a habit of verifying information before making decisions based on it.

--
"Let's just say that if complete and utter chaos was lightning, then he'd be the sort to stand on a hilltop in a thunderstorm wearing wet copper armour and shouting 'All gods are bastards'."
- The Color of Magic
http://www.ChaosReigns.com
Re: Spam email many have RCVD_IN_DNSWL_MED
Alessio Cecchi wrote: > I'm an italian user of spamassassin. During the last 3 weeks many spam > email have rating cut down by the rules "RCVD_IN_DNSWL_MED". Also > BAYES_99 can to nothing against this :-( > > For now I solved the problem by disable this check, but is a common > problems for many italian users. > > How we can solve this problem? > [...] Do you report spam you receive to spamcop.net and for dnswl.org listed hosts to dnswl.org? I have used a few free email account accounts for my usenet posts for years. I report received spam via spamcop.net and dnswl.org [I use my own custom perl scripts]. => I do not remember any long stream of spam from dnwl.org listed domain above DNSWL_NONE (gmail with DNSWL_LOW is the only noticeable exception). It seems that sporadic breaking of SMTP AUTH passwords does happens but sites >DNSWL_LOW react quite promptly after being notified. P.S. How many spam per day do you receive?
Re: Spam email many have RCVD_IN_DNSWL_MED
On 10/11/11 1:47 PM, John Hardin wrote: Yahoo is in RCVD_IN_DNSWL_HI ?!?! YGBFKM! there goes the neighborhood. I am removing RCVD_IN_DNSWL_HI checks on our servers right now. -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 >*| *SECNAP Network Security Corporation * Best Mobile Solutions Product of 2011 * Best Intrusion Prevention Product * Hot Company Finalist 2011 * Best Email Security Product * Certified SNORT Integrator __ This email has been scanned and certified safe by SpammerTrap(r). For Information please see http://www.spammertrap.com/ __
Re: Spam email many have RCVD_IN_DNSWL_MED
On 10/11/11 1:27 PM, dar...@chaosreigns.com wrote: On 10/11, Alessio Cecchi wrote: 403 Forbidden Forbidden You don't have permission to access /dnswl/dl/DNSWLh.pm on this server. Apache/2.2.14 (Ubuntu) Server at www.chaosreigns.com Port 80 http://www.chaosreigns.com/dnswl/sa_plugin/ And I have my own IP reputation project that could use your data: http://www.chaosreigns.com/iprep/ -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 >*| *SECNAP Network Security Corporation * Best Mobile Solutions Product of 2011 * Best Intrusion Prevention Product * Hot Company Finalist 2011 * Best Email Security Product * Certified SNORT Integrator __ This email has been scanned and certified safe by SpammerTrap(r). For Information please see http://www.spammertrap.com/ __
Re: Spam email many have RCVD_IN_DNSWL_MED
On Tue, 11 Oct 2011, Alessio Cecchi wrote: Return-Path: X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on www-mydomain.myserver.net X-Spam-Level: * X-Spam-Status: No, score=1.8 required=5.0 tests=ADVANCE_FEE_3_NEW,BAYES_99, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE, RCVD_IN_DNSWL_HI,SUBJ_ALL_CAPS,T_TO_NO_BRKTS_FREEMAIL autolearn=no version=3.3.1 X-Original-To: i...@mydomain.biz Delivered-To: info-mydomain@www-mydomain.myserver.net Received: from nm14.bullet.mail.sp2.yahoo.com (nm14.bullet.mail.sp2.yahoo.com [98.139.91.84]) by www-mydomain.myserver.net (Postfix) with SMTP id 8889762AB1 for ; Tue, 11 Oct 2011 15:44:22 +0200 (CEST) Yahoo is in RCVD_IN_DNSWL_HI ?!?! YGBFKM! -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- The world has enough Mouse Clicking System Engineers. -- Dave Pooser --- 306 days since the first successful private orbital launch (SpaceX)
Re: Spam email many have RCVD_IN_DNSWL_MED
On Tue, 11 Oct 2011 12:28:53 -0400 Michael Scheidell wrote:

> On 10/11/11 12:18 PM, Alessio Cecchi wrote:
> > I'm an italian user of spamassassin. During the last 3 weeks many
> > spam email have rating cut down by the rules "RCVD_IN_DNSWL_MED".
> > Also BAYES_99 can to nothing against this :-(
> college.. new year, new students, new computers, new worms. as the
> old saying used to go "Its September again (tinc)"
>
> RCVD_IN_DNSWL_MED means that the ip address owner doesn't spam much,
> and will take immediate action on spams.
> (I have an issue with this being applied to a university, where the
> it/email admin/staff has no control over the students computers)

DNSWL also encodes information about the type of business or institution, e.g. I have:

header RCVD_IN_DNSWL_C11 eval:check_rbl_sub('dnswl-firsttrusted', '127.0.11.\d+')
describe RCVD_IN_DNSWL_C11 Category - Academic

If you want something a little more fine-grained you could replace the existing rules with meta-rules based on combinations of HI, MED and LOW with the categories.

A problem with this is that quite a lot of email is outsourced and shows as "Service/network providers", but the spam that goes through universities tends to show as Academic.
Re: Spam email many have RCVD_IN_DNSWL_MED
On 10/11, Alessio Cecchi wrote: > I'm an italian user of spamassassin. During the last 3 weeks many > spam email have rating cut down by the rules "RCVD_IN_DNSWL_MED". > Also BAYES_99 can to nothing against this :-( > > For now I solved the problem by disable this check, but is a common > problems for many italian users. (I'm an inactive dnswl.org admin.) The effectiveness of all spam filtration is highly dependent on having people providing data to the system in the languages it's used on. I bet both DNSWL and SpamAssassin would benefit from you feeding them data. I suspect neither have *any* data from Italy, which would result in terrible accuracy in Italy. I suspect spamassassin is terrible in most non-English languages due to a lack of non-English speaking people providing data via masscheck: http://wiki.apache.org/spamassassin/NightlyMassCheck Rule scores are calculated from data submitted this way, so all of the accuracy of spamassassin depends on it. Except for bayes. I bet you're heavily dependent on bayes due to lack of Italian email data via masscheck. You don't actually send in your mails, just the score hits, so it's not a privacy problem. Currently this data is only coming from about 10 people. Amazing it works. Actually, currently, it doesn't work. Score re-generation isn't happening due to a problem preventing processing of masscheck data from 3 more people (bug 6671). So what's amazing is that it works usefully when data from all 13 of those people is available. So, be #14 and make spamassassin more accurate. When bug 6671 is fixed. To report abuse to dnswl.org, on http://www.dnswl.org/ there is a "Report Abuse" section in the right column. 
I wrote a spamassassin plugin which might make it easier to report spam that matches dnswl rules: http://www.chaosreigns.com/dnswl/sa_plugin/ And I have my own IP reputation project that could use your data: http://www.chaosreigns.com/iprep/ -- "If you want to make an apple pie from scratch, you must first create the universe." - Carl Sagan http://www.ChaosReigns.com
Re: Spam email many have RCVD_IN_DNSWL_MED
On 10/11/11 12:18 PM, Alessio Cecchi wrote:
> I'm an italian user of spamassassin. During the last 3 weeks many spam
> email have rating cut down by the rules "RCVD_IN_DNSWL_MED". Also
> BAYES_99 can to nothing against this :-(

college.. new year, new students, new computers, new worms. as the old saying used to go "Its September again (tinc)"

RCVD_IN_DNSWL_MED means that the ip address owner doesn't spam much, and will take immediate action on spams.
(I have an issue with this being applied to a university, where the it/email admin/staff has no control over the students computers)

you can register with dnswl.org and post full emails to them, and they will act.

NORMALLY, all we do with DNSWL_MED is to make sure that they don't get blacklists applied. we still spam check them.

and, to prevent these from messing up bayes, put this in local.cf and restart spamd/

tflags RCVD_IN_DNSWL_HI nice net noautolearn
tflags RCVD_IN_DNSWL_HI net nice noautolearn
tflags RCVD_IN_DNSWL_MED net nice noautolearn
tflags RCVD_IN_DNSWL_LOW net nice noautolearn

--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
>*| *SECNAP Network Security Corporation
* Best Mobile Solutions Product of 2011
* Best Intrusion Prevention Product
* Hot Company Finalist 2011
* Best Email Security Product
* Certified SNORT Integrator
__
This email has been scanned and certified safe by SpammerTrap(r). For Information please see http://www.spammertrap.com/
__
Spam email many have RCVD_IN_DNSWL_MED
Hi, I'm an italian user of spamassassin. During the last 3 weeks many spam email have rating cut down by the rules "RCVD_IN_DNSWL_MED". Also BAYES_99 can to nothing against this :-( For now I solved the problem by disable this check, but is a common problems for many italian users. How we can solve this problem? Some example: == Return-Path: X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on www-mydomain.myserver.net X-Spam-Level: X-Spam-Status: No, score=4.9 required=5.0 tests=BAYES_99,HTML_MESSAGE, RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK, RCVD_IN_DNSWL_HI,RCVD_IN_RP_RNBL,RDNS_NONE,SPF_PASS autolearn=no version=3.3.1 X-Original-To: i...@mydomain.biz Delivered-To: info-mydomain@www-mydomain.myserver.net Received: from [175.145.6.37] (unknown [175.145.6.37]) by www-mydomain.myserver.net (Postfix) with ESMTP id 33C1562AB1 for ; Tue, 11 Oct 2011 17:52:03 +0200 (CEST) Received: from (192.168.1.38) by spcollege.edu (175.145.6.37) with Microsoft SMTP Server id 8.0.685.24; Tue, 11 Oct 2011 23:52:02 +0800 Message-ID: <4e9465f8.104...@spcollege.edu> Date: Tue, 11 Oct 2011 23:52:02 +0800 From: "Emma Hinton" User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.24) Gecko/20100328 Thunderbird/2.0.0.24 MIME-Version: 1.0 To: Subject: Il modo sicuro da vincere successo nel letto == Return-Path: X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on www-mydomain.myserver.net X-Spam-Level: X-Spam-Status: No, score=-0.4 required=5.0 tests=BAYES_95,HTML_IMAGE_ONLY_32, HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,RCVD_IN_DNSWL_HI, RP_MATCHES_RCVD autolearn=no version=3.3.1 X-Original-To: i...@mydomain.biz Delivered-To: info-mydomain@www-mydomain.myserver.net Received: from webbox794.server-home.net (webbox794.server-home.net [195.137.213.84]) by www-mydomain.myserver.net (Postfix) with ESMTP id E555B62AB1 for ; Tue, 11 Oct 2011 17:53:12 +0200 (CEST) Received: by webbox794.server-home.net (Postfix, from userid 33) id 69A773A57D; 
Tue, 11 Oct 2011 17:50:34 +0200 (CEST) To: i...@mydomain.biz Subject: Atendimento Online - E-Mail == Return-Path: X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on www-mydomain.myserver.net X-Spam-Level: X-Spam-Status: No, score=-0.5 required=5.0 tests=BAYES_99,DKIM_SIGNED, DKIM_VALID,HTML_MESSAGE,RCVD_IN_DNSWL_HI,SPF_PASS autolearn=no version=3.3.1 X-Original-To: i...@mydomain.biz Delivered-To: info-mydomain@www-mydomain.myserver.net Received: from node-sl626.smtp.com (node-sl626.smtp.com [74.86.21.70]) by www-mydomain.myserver.net (Postfix) with ESMTP id 0988362AB1 for ; Tue, 11 Oct 2011 17:48:49 +0200 (CEST) Received: from AuthenticCubagateway2wirenet (unknown [69.158.30.30]) by node-sl626.smtp.com (Postfix) with ESMTPA id 6FC709AFC90 for ; Tue, 11 Oct 2011 11:48:48 -0400 (EDT) X-SMTPCOM-Spam-Policy: Authenticubatravel is a paid relay service. We do not tolerate UCE of any kind. Please report it ASAP to ab...@smtp.com X-SMTPCOM-Sender-ID: 81808 X-SMTPCOM-Tracking-Number: 2158212 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smtp.com; s=smtpcomcustomers; t=1318348128; bh=A6QopSgOzNZLEc2D3APRotTD3nx/BHG8LIMLc9iwHCo=; h=MIME-Version:From:Reply-To:To:Subject:Content-Type:X-Mailer:Date: Message-ID; b=n5GACTgg7Wbqzkwp1yN3t9Qot+N8RLHuLKn7VdbB6TkIlin2QwCCHzp3/WxbcGeOR Pq0h7YS7IhTQ/+4f0b2WZ6e/hi6oCf13nZdKYTU4aLQi6RJgYN2fLbVZnmMP4XVErj GmSvz6GdKVND+H55K1w18o3Q5wQYMOqs9tTeZkoI= MIME-Version: 1.0 From: "Luis - Authentic Cuba Travel" Reply-To: promoti...@havanabookfairs.ca To: i...@mydomain.biz Subject: Havana Book Fair- 5 seats left only. 
== Return-Path: X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on www-mydomain.myserver.net X-Spam-Level: * X-Spam-Status: No, score=1.8 required=5.0 tests=ADVANCE_FEE_3_NEW,BAYES_99, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE, RCVD_IN_DNSWL_HI,SUBJ_ALL_CAPS,T_TO_NO_BRKTS_FREEMAIL autolearn=no version=3.3.1 X-Original-To: i...@mydomain.biz Delivered-To: info-mydomain@www-mydomain.myserver.net Received: from nm14.bullet.mail.sp2.yahoo.com (nm14.bullet.mail.sp2.yahoo.com [98.139.91.84]) by www-mydomain.myserver.net (Postfix) with SMTP id 8889762AB1 for ; Tue, 11 Oct 2011 15:44:22 +0200 (CEST) Received: from [98.139.91.68] by nm14.bullet.mail.sp2.yahoo.com with NNFMP; 11 Oct 2011 13:44:21 - Received: from [98.139.91.14] by tm8.bullet.mail.sp2.yahoo.com with NNFMP; 11 Oct 2011 13:44:21 - Received: from [127.0.0.1] by omp1014.mail.sp2.yahoo.com with NNFMP; 11 Oct 2011 13:44:21 - X-Yahoo-Newman-Property: ymail-3 X-Yahoo-Newman-Id: 137695.95300...@omp1014.mail.sp2.yahoo.