Re: Spamassassin reporting IP address is whitelisted by DNSWL.org but DNSWL.org reports it is not

2021-04-10 Thread Steve Dondley

On 2021-04-10 03:20 PM, Bill Cole wrote:
> On 10 Apr 2021, at 14:53, Steve Dondley wrote:
>
> > I'm very, very sorry to beat a dead horse, but I'm deeply confused by
> > the "RCVD_IN_DNSWL_HI" rule which appears to be reporting incorrectly
> > on my system.
>
> STOP USING ANY PUBLIC DNS RESOLVERS WITH ANY MAIL SERVERS!


For the record, my nameserver setting in /etc/resolv.conf was some local 
IP address which presumably used an Amazon Web Service (AWS) DNS server.


After changing the IP address to 127.0.0.1 in that file, it changed 
itself back to the original IP address after some short period of time. 
To fix this, follow the appropriate instructions here: 
https://aws.amazon.com/premiumsupport/knowledge-center/ec2-static-dns-ubuntu-debian/


Re: Spamassassin reporting IP address is whitelisted by DNSWL.org but DNSWL.org reports it is not

2021-04-10 Thread Bill Cole

On 10 Apr 2021, at 14:53, Steve Dondley wrote:

> I'm very, very sorry to beat a dead horse, but I'm deeply confused by
> the "RCVD_IN_DNSWL_HI" rule which appears to be reporting incorrectly
> on my system.

STOP USING ANY PUBLIC DNS RESOLVERS WITH ANY MAIL SERVERS!

Some of these will return bogus values instead of a proper NXDOMAIN, 
SERVFAIL, or REFUSED when asked questions that they cannot answer or 
don't want to answer.


Quad9 is one such. It is UNFIT for any use by any mail system. It tells 
you lies about DNS, supposedly for what its operators deem to be your 
own good.




--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Spamassassin reporting IP address is whitelisted by DNSWL.org but DNSWL.org reports it is not

2021-04-10 Thread Steve Dondley
I'm very, very sorry to beat a dead horse, but I'm deeply confused by 
the "RCVD_IN_DNSWL_HI" rule which appears to be reporting incorrectly on 
my system.


I ran this command:

sudo -u s -- spamassassin -t -d < some_email

It gives me this report:

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.2 URIBL_ABUSE_SURBL      Contains an URL listed in the ABUSE SURBL blocklist
                            [URIs: bizgrouplinknews.com]
 1.7 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: bizgrouplinknews.com]
 2.5 URIBL_DBL_SPAM         Contains a spam URL listed in the Spamhaus DBL
                            blocklist
                            [URIs: bizgrouplinknews.com]
 0.0 RCVD_IN_MSPIKE_L5      RBL: Very bad reputation (-5)
                            [50.30.46.135 listed in bl.mailspike.net]
-2.0 RCVD_IN_DNSWL_HI       RBL: Sender listed at https://www.dnswl.org/,
                            high trust
                            [50.30.46.135 listed in list.dnswl.org]
 0.5 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
                            [score: 1.]
 3.5 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                            [score: 1.]
 1.3 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see
                            <https://www.spamcop.net/bl.shtml?50.30.46.135>]
-0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 2.6 DEAR_FRIEND            BODY: Dear Friend? That's not very dear!
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 HTTPS_HTTP_MISMATCH    BODY: No description available.
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from
                            author's domain
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                            valid
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 0.0 RCVD_IN_MSPIKE_BL      Mailspike blacklisted
 3.5 URI_PHP_REDIR          PHP redirect to different URL (link obfuscation)



So it's showing the IP address 50.30.46.135 is whitelisted as shown by 
the RCVD_IN_DNSWL_HI rule.


However, the dnswl.org domain shows that the 50.30.46.135 is *not* 
whitelisted: https://www.dnswl.org/s/?s=50.30.46.135


So what would account for my system reporting it as whitelisted when the 
dnswl.org domain does not report it as whitelisted?
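
A check for the symptom described in this thread, added here as an example and not code from any poster or from SpamAssassin: it builds the list.dnswl.org query name for an IP and interprets what the configured resolver returns. The 127.0.x.y return-code layout and the 127.0.0.255 "blocked" code are taken from dnswl.org's published documentation rather than from this page; the function names and the sample answers are constructed.

```python
import ipaddress
import socket

# Last octet of a list.dnswl.org answer encodes the trust level
# (assumption from dnswl.org's return-code documentation, not from this page).
TRUST = {0: "NONE", 1: "LOW", 2: "MED", 3: "HI"}


def dnswl_query_name(ip, zone="list.dnswl.org"):
    """DNSxL query name for an IPv4 address: reversed octets followed by the zone."""
    addr = ipaddress.IPv4Address(ip)          # raises ValueError on bad input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def lookup(ip):
    """Ask the system resolver (the one in /etc/resolv.conf).

    Returns the A record as a string, or None when there is no answer.
    Note that SERVFAIL and NXDOMAIN both end up as None here.
    """
    try:
        return socket.gethostbyname(dnswl_query_name(ip))
    except socket.gaierror:
        return None


def classify_answer(answer):
    """Interpret one answer: ('not-listed'|'listed'|'blocked'|'bogus', trust)."""
    if answer is None:
        return ("not-listed", None)
    o = ipaddress.IPv4Address(answer).packed
    if o[0] != 127 or o[1] != 0:
        # Not a DNSxL return code at all: the resolver substituted its own
        # address instead of passing NXDOMAIN/SERVFAIL/REFUSED through.
        return ("bogus", None)
    if o[2] == 0 and o[3] == 255:
        return ("blocked", None)              # querying resolver is over limit
    if o[3] in TRUST:
        return ("listed", TRUST[o[3]])
    return ("bogus", None)


def diagnose(answers):
    """answers: {client_ip: answer-or-None}, all gathered through ONE resolver.

    Use several unrelated client IPs; a healthy resolver will not return the
    same whitelist entry for every one of them.
    """
    kinds = {classify_answer(a)[0] for a in answers.values()}
    if "bogus" in kinds:
        return "bogus"
    if "blocked" in kinds:
        return "blocked"
    if len(answers) >= 3 and kinds == {"listed"} and len(set(answers.values())) == 1:
        return "blanket"                      # every IP "whitelisted" identically
    return "ok"


# Constructed sample answers (not real lookups).
VIA_SHARED_RESOLVER = {
    "50.30.46.135": "127.0.10.3",
    "192.0.2.10": "127.0.10.3",
    "198.51.100.20": "127.0.10.3",
}
VIA_LOCAL_RESOLVER = {
    "50.30.46.135": None,
    "192.0.2.10": None,
    "198.51.100.20": "127.0.5.1",
}

if __name__ == "__main__":
    print(dnswl_query_name("50.30.46.135"))
    print("shared:", diagnose(VIA_SHARED_RESOLVER))
    print("local: ", diagnose(VIA_LOCAL_RESOLVER))
```

To test a live system, build the `answers` dictionary with `lookup()` on the mail server itself, so the queries go through the same resolver SpamAssassin uses.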


Re: ddos dnswl.org ?

2019-09-28 Thread RW
On Sat, 28 Sep 2019 01:58:47 +0200
Benny Pedersen wrote:

> RW wrote on 2019-09-28 01:26:
> > On Sat, 28 Sep 2019 00:16:04 +0200
> > Benny Pedersen wrote:
> >   
> >> Sep 27 00:17:51 localhost named[17415]: connection refused
> >> resolving '_.45.list.dnswl.org/A/IN': 2a01:7e00:e000:293::a:1000#53
> >> ...
> >> is it dkimdomain lookup with ips in a askdns rule ?  
> > 
> > 
> > No, list.dnswl.org is used for a first-trusted IP look-up.  
> 
> there is no ip in this query
> 
> temp fix disable askdns
> 
> rule maintainers please check it

list.dnswl.org is only used in the rule

header __RCVD_IN_DNSWL eval:check_rbl('dnswl-firsttrusted', 'list.dnswl.org.')

this doesn't involve askdns.

Your problem is most likely caused by a local rule.


Re: ddos dnswl.org ?

2019-09-27 Thread Benny Pedersen

RW wrote on 2019-09-28 01:26:

> On Sat, 28 Sep 2019 00:16:04 +0200
> Benny Pedersen wrote:
>
> > Sep 27 00:17:51 localhost named[17415]: connection refused resolving
> > '_.45.list.dnswl.org/A/IN': 2a01:7e00:e000:293::a:1000#53
> > ...
> > is it dkimdomain lookup with ips in a askdns rule ?
>
> No, list.dnswl.org is used for a first-trusted IP look-up.

there is no ip in this query

temp fix disable askdns

rule maintainers please check it


Re: ddos dnswl.org ?

2019-09-27 Thread RW
On Sat, 28 Sep 2019 00:16:04 +0200
Benny Pedersen wrote:

> Sep 27 00:17:51 localhost named[17415]: connection refused resolving 
> '_.45.list.dnswl.org/A/IN': 2a01:7e00:e000:293::a:1000#53
> ...
> is it dkimdomain lookup with ips in a askdns rule ?


No, list.dnswl.org is used for a first-trusted IP look-up.


ddos dnswl.org ?

2019-09-27 Thread Benny Pedersen
Sep 27 00:17:51 localhost named[17415]: connection refused resolving 
'_.45.list.dnswl.org/A/IN': 2a01:7e00:e000:293::a:1000#53


more lines in my log, same problem

am i the only one that see it ?

is it dkimdomain lookup with ips in a askdns rule ?


News at dnswl.org - Self Service Portal

2016-01-04 Thread Matthias Leisi
Hello SA list, 

I believe that this list reaches quite a few active users of dnswl.org:

— Announcement — 

News from the dnswl.org <https://www.dnswl.org/> team:

For the past years we used an e-mail based approach for user requests to add, 
change or remove data. This was rather time-consuming and we decided that we 
need a better process to handle such requests.

That new process is in the new dnswl.org Self Service Portal. Users can use it 
to “claim” a DNSWL Id (or create a new DNSWL Id and claim this one right away), 
to request changes to the meta-data associated with such a DNSWL Id, and most 
important to add/remove IP addresses.

It should be noted that merely “adding a domain” is pointless. You need to add 
IP addresses, since the reputation that dnswl.org publishes relies only on IP 
addresses. No IP address, no reputation data.

Users who successfully claimed a DNSWL Id will get regular reports about 
changes observed that may negatively impact the reputation of “their” IP 
addresses, eg DNS becoming inconsistent, and about the approval (or rejection) 
of change requests. While users can request certain changes, the dnswl.org 
admin team reserves full editorial independence on any and all changes.

We intend to add further features and functions to the Self Service Portal over 
time, so stay tuned 

You can give the Self Service Portal a try here:
https://www.dnswl.org/selfservice/

— End Announcement — 

Of course, we can still be reached at admins /at/ dnswl.org for requests that 
can not be solved through the Self Service Portal.


— Matthias, for the dnswl.org project

-- 
Matthias Leisi
Katzenrütistrasse 68, 8153 Rümlang
Mobile +41 79 377 04 43
matth...@leisi.net
Skype matthias.leisi





Do you want to support the dnswl.org project?

2012-09-19 Thread Matthias Leisi
Hello SA users list,

The SpamAssassin rules are an important input for the dnswl.org
project; in turn, the dnswl.org project helps to reduce the chance of
false positives through the SA ruleset.

The SpamAssassin and the dnswl.org projects have a significant overlap
in the user base, and an improvement in the data quality for dnswl.org
would thus directly improve the accuracy for the SpamAssassin user
base.

To this end, we (as in "the dnswl.org project") are looking to expand
the number and diversity of editors working on the project, and also
some additional technical work (eg in improving our home-grown data
import tools). Below you'll find the text we posted today in the news
section of the project website with more details.

Please contact me or admins /at/ dnswl.org if you have further
questions or to discuss on how to get engaged with the dnswl.org
project.

Thanks for your time,
-- Matthias

PS: We are currently doing fine in terms of hardware/network connectivity.


--- cut ---

At dnswl.org we serve over 80'000 organisations with our database
which contains 150'000 (and growing) entries of "good mailservers".

In order to maintain the quality of the data and of our
infrastructure, we are looking for additional volunteers to support
the community and the project. While there is a lot of work to do, we
have the most pressing needs in three categories:

* Operation of infrastructure (rented or donated hardware, some
flavours of Linux, DNS and other software)
* Development of admin tools (both the web GUI and batch processing)
* Data editing and interaction with requestors

If you would like to work in one of the areas, or in some combination,
please contact the admin team (admins/at/dnswl.org) or Matthias
(matthias/at/leisi.net). This is mostly volunteer work (but financing
for infrastructure is assured), but it would be good if you could
spend a handful of hours a week on the project.

Below is a description of what we see as the priorities in the three
areas. This list is not exhaustive, and you have all the freedom to
tinker as long as it serves the goal of the project :)


dnswl.org infrastructure

We operate a number of servers for public access via DNS, and for
editing the data. There is a significant amount of code (Perl and PHP)
involved for editing data, aggregating and enriching log and usage
data, and operating the infrastructure. We need to "keep the stuff
running" and fix occasional bugs. In order to simplify the systems
management tasks, we would need to introduce new tools or improve the
existing ones.

We use a mostly standard tool chain (Apache, Perl, PHP, Postgres,
Bind, rbldnsd, rsync, Nagios, Smokeping, Request Tracker, Postfix and
so on).


dnswl.org development

* Improve the public request form to allow better interaction and more
automation.
* Improve the public search interface to expose more of our internal data.
* Improve the currently minimal IPv6 support.
* Improve abuse reporting capabilities (which are currently pretty crude).
* Implement URIBL lookups.
* Rewrite the "reputation overview" GUI.


dnswl.org data editing

Although we use a number of tools to help with the maintenance and the
growth of our data, most of our actions are manual in nature (ie,
involve a manual verification click or some similar action). We
interact with requestors and other stakeholders, we assess the
trustworthiness of entries, we maintain the quality of our data.

We want to expand the number and diversity of our editors. If you
maintain your own local reputation list which you want to offer for
import into dnswl.org data, or if you are willing to spend a few hours
a week for data editing and related tasks, please get in touch with
us.

--- cut ---


Re: DNSWL.org enforcement of free usage limits

2011-10-18 Thread Benny Pedersen

On Tue, 18 Oct 2011 21:55:11 -0400, David F. Skoll wrote:

> X-CanIt-Geo: No geolocation information available for 192.168.10.23

bill me for that one :-)

> My original measurements and script are here:
> http://article.gmane.org/gmane.mail.spam.spamassassin.general/132047/match=cache

bind can use syslog, so it's possible to make perl parse logs in live
time, or simply rndc querylog, lots of logging dns, default disabled


Re: DNSWL.org enforcement of free usage limits

2011-10-18 Thread Karsten Bräckelmann
On Tue, 2011-10-18 at 21:55 -0400, David F. Skoll wrote:
> On Wed, 19 Oct 2011 03:12:34 +0200, Karsten Bräckelmann wrote:
> 
> > > That's true, though caching is much less effective than you may
> > > suppose.  In real-life measurements on real mail servers, I found a
> > > very low cache hit rate for common DNS{B,W}Ls, on the order of only
> > > 25-50% hits.
> 
> > As in cache hits? That's quite substantial.
> 
> I didn't think so.  It means that between 50-75% of DNS lookups must
> go all the way to the authoritative name server.

With more than 90% spam of the mail volume (according to almost any
published stats), even 25% cache hits mean, that caching does not only
work for ham, but spam, too.

Anyway, it means that the volume of messages before hitting the free
usage limit is 25-50% higher than the commonly perceived and frequently
incorrectly claimed limit (where one message does equal one query for IP
based lists). These numbers tell differently -- up to half the query
limit in addition in terms of mail.


> > Also, is this overall, somehow a mix of both black and white-lists, as
> > well as different types (IP vs URI)?
> 
> My measurements were against IP blacklists.
> 
> > Given the very different TTL for different types of lists, I suspect
> > actual cache hit rates vary a lot.
> 
> Not without pretty high TTLs, in our experience.  And DNSBL operators

I was talking about different *types*. As in IP vs URI. Where TTLs do
vary a lot -- 3 minutes for SURBL, 12 hours for DNSWL.

> have two motivations for having relatively low TTLs: One is to make
> sure the data is fresh, and two is to detect high-volume users so they
> can be billed.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: DNSWL.org enforcement of free usage limits

2011-10-18 Thread David F. Skoll
On Wed, 19 Oct 2011 03:12:34 +0200
Karsten Bräckelmann  wrote:

> > That's true, though caching is much less effective than you may
> > suppose.  In real-life measurements on real mail servers, I found a
> > very low cache hit rate for common DNS{B,W}Ls, on the order of only
> > 25-50% hits.

> As in cache hits? That's quite substantial.

I didn't think so.  It means that between 50-75% of DNS lookups must
go all the way to the authoritative name server.

> Also, is this overall, somehow a mix of both black and white-lists, as
> well as different types (IP vs URI)?

My measurements were against IP blacklists.

> Given the very different TTL for different types of lists, I suspect
> actual cache hit rates vary a lot.

Not without pretty high TTLs, in our experience.  And DNSBL operators
have two motivations for having relatively low TTLs: One is to make
sure the data is fresh, and two is to detect high-volume users so they
can be billed.

My original measurements and script are here:
http://article.gmane.org/gmane.mail.spam.spamassassin.general/132047/match=cache

Regards,

David.


Re: DNSWL.org enforcement of free usage limits

2011-10-18 Thread Karsten Bräckelmann
On Tue, 2011-10-18 at 20:24 -0400, David F. Skoll wrote:
> On Tue, 18 Oct 2011 23:55:41 +0200, Karsten Bräckelmann wrote:
> 
> > The DNS TTL appears to be 12 hours, and a good share of mail
> > (definitely true for ham, only partly for spam) is received from a
> > rather limited number of distinct SMTP servers, only. With a local,
> > caching DNS server the number of mail a system can handle per day
> > before exceeding the free usage limit is *much* higher.
> 
> > number of mail != number of DNS lookups
> 
> That's true, though caching is much less effective than you may
> suppose.  In real-life measurements on real mail servers, I found a
> very low cache hit rate for common DNS{B,W}Ls, on the order of only
> 25-50% hits.

As in cache hits? That's quite substantial.

Also, is this overall, somehow a mix of both black and white-lists, as
well as different types (IP vs URI)? Given the very different TTL for
different types of lists, I suspect actual cache hit rates vary a lot.
Your users and their peers can make a huge difference, too.

And of course other related filtering, like blocking at SMTP level.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: DNSWL.org enforcement of free usage limits

2011-10-18 Thread David F. Skoll
On Tue, 18 Oct 2011 23:55:41 +0200
Karsten Bräckelmann  wrote:

> The DNS TTL appears to be 12 hours, and a good share of mail
> (definitely true for ham, only partly for spam) is received from a
> rather limited number of distinct SMTP servers, only. With a local,
> caching DNS server the number of mail a system can handle per day
> before exceeding the free usage limit is *much* higher.

> number of mail != number of DNS lookups

That's true, though caching is much less effective than you may
suppose.  In real-life measurements on real mail servers, I found a
very low cache hit rate for common DNS{B,W}Ls, on the order of only
25-50% hits.

Regards,

David.


Re: DNSWL.org enforcement of free usage limits

2011-10-18 Thread Karsten Bräckelmann
On Tue, 2011-10-18 at 23:55 +0200, Karsten Bräckelmann wrote:
> The DNS TTL appears to be 12 hours, and a good share of mail (definitely
> true for ham, only partly for spam) is received from a rather limited
> number of distinct SMTP servers, only. With a local, caching DNS server
> the number of mail a system can handle per day before exceeding the free
> usage limit is *much* higher.

Oops -- higher, though not that much higher. Unless your local, caching
DNS also does negative caching...


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: DNSWL.org enforcement of free usage limits

2011-10-18 Thread Karsten Bräckelmann
On Tue, 2011-10-18 at 23:55 +0200, Karsten Bräckelmann wrote:
> > Basically, free use only allows 100,000 queries per organization per day.
> > If you're handling more than 100,000 emails a day,
> 
> That's a theoretical lower bound, and incorrect in real life.
> 
> The DNS TTL appears to be 12 hours, and a good share of mail (definitely
> true for ham, only partly for spam) is received from a rather limited
> number of distinct SMTP servers, only. With a local, caching DNS server
> the number of mail a system can handle per day before exceeding the free
> usage limit is *much* higher.
> 
> number of mail != number of DNS lookups

... at the dnswl.org DNS mirror infrastructure I mean, obviously.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: DNSWL.org enforcement of free usage limits

2011-10-18 Thread Karsten Bräckelmann
On Mon, 2011-10-17 at 18:03 -0400, dar...@chaosreigns.com wrote:
> http://www.dnswl.org/news/archives/24-Abusive-use-of-dnswl.org-infrastructure-enforcing-limits.html

> Basically, free use only allows 100,000 queries per organization per day.

> If you're handling more than 100,000 emails a day,

That's a theoretical lower bound, and incorrect in real life.

The DNS TTL appears to be 12 hours, and a good share of mail (definitely
true for ham, only partly for spam) is received from a rather limited
number of distinct SMTP servers, only. With a local, caching DNS server
the number of mail a system can handle per day before exceeding the free
usage limit is *much* higher.

number of mail != number of DNS lookups


> and don't want to pay
> for dnswl.org data, add to your spamassassin config:
> 
> score RCVD_IN_DNSWL_HI 0
> score RCVD_IN_DNSWL_MED 0
> score RCVD_IN_DNSWL_LOW 0
> score RCVD_IN_DNSWL_NONE 0

You missed the eval rule actually doing the DNS lookup...

  meta __RCVD_IN_DNSWL  0


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
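
The caching argument in this message, together with the negative-caching caveat in the follow-up, as an added simulation (not code from the thread): it counts how many lookups from a mail stream actually leave a local caching resolver. The 12-hour TTL and the 100,000-per-day limit come from the thread; the negative TTL value, the function names and the sample stream are constructed.

```python
FREE_LIMIT_PER_DAY = 100_000   # free usage limit quoted in the thread
POSITIVE_TTL = 12 * 3600       # "The DNS TTL appears to be 12 hours"


def simulate(lookups, listed, pos_ttl=POSITIVE_TTL, neg_ttl=0):
    """Replay (timestamp, client_ip) lookups through a simple TTL cache.

    lookups : iterable of (epoch_seconds, ip), sorted by time, one per message
    listed  : set of IPs that get a positive answer from the list
    neg_ttl : how long a "not listed" answer is cached (0 = no negative caching;
              the real value depends on the zone and resolver, assumed here)
    Returns counts of messages, upstream queries and the cache hit rate.
    """
    expires = {}                      # ip -> time its cached answer runs out
    total = upstream = 0
    for ts, ip in lookups:
        total += 1
        if expires.get(ip, float("-inf")) > ts:
            continue                  # served from cache, list never sees it
        upstream += 1
        expires[ip] = ts + (pos_ttl if ip in listed else neg_ttl)
    hit_rate = (total - upstream) / total if total else 0.0
    return {"messages": total, "upstream": upstream, "hit_rate": hit_rate}


def within_free_limit(upstream_in_24h, limit=FREE_LIMIT_PER_DAY):
    """True while the queries reaching the list stay inside the free tier."""
    return upstream_in_24h <= limit


# Constructed stream: one listed relay sending repeatedly, two unlisted sources.
LISTED = {"192.0.2.1"}
STREAM = [
    (0, "192.0.2.1"),
    (100, "198.51.100.5"),
    (200, "198.51.100.5"),
    (300, "198.51.100.5"),
    (400, "203.0.113.9"),
    (600, "192.0.2.1"),
    (1200, "192.0.2.1"),
    (44000, "192.0.2.1"),     # after the 12 h TTL has run out: asked again
]

if __name__ == "__main__":
    print("no cache:        ", simulate(STREAM, LISTED, pos_ttl=0, neg_ttl=0))
    print("positive only:   ", simulate(STREAM, LISTED))
    print("with neg caching:", simulate(STREAM, LISTED, neg_ttl=150))
```

Feeding it the (time, first-trusted relay IP) pairs from a day of your own mail log gives the number to compare against the limit, rather than the raw message count.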



DNSWL.org enforcement of free usage limits

2011-10-17 Thread darxus
http://www.dnswl.org/news/archives/24-Abusive-use-of-dnswl.org-infrastructure-enforcing-limits.html

This came up in the "Spam email many have RCVD_IN_DNSWL_MED" thread.
DNSWL.org made an announcement about it with more details.  

Basically, free use only allows 100,000 queries per organization per day.
Go over that enough, and you may get "RCVD_IN_DNSWL_HI" hitting all your
email.

If you're handling more than 100,000 emails a day, and don't want to pay
for dnswl.org data, add to your spamassassin config:

score RCVD_IN_DNSWL_HI 0
score RCVD_IN_DNSWL_MED 0
score RCVD_IN_DNSWL_LOW 0
score RCVD_IN_DNSWL_NONE 0

Disclaimer:  I'm a dnswl.org admin.


More discussion of network test free usage limits here:
http://www.spamtips.org/2011/01/usage-limits-of-spamassassin-network.html

Yes, it would still be nice if spamassassin had an option to just disable
all of these.  Maybe just commented out options in a config file?
Something like this, based on that last link:

# spamhaus.org
score DKIMDOMAIN_IN_DWL 0 
score DKIMDOMAIN_IN_DWL_UNKNOWN 0 
score RCVD_IN_CSS 0 
score RCVD_IN_PBL 0 
score RCVD_IN_SBL 0 
score RCVD_IN_XBL 0 
score URIBL_DBL_ERROR 0 
score URIBL_DBL_SPAM 0 
score URIBL_SBL 0 

# Others
score RCVD_IN_PSBL 0
score RCVD_IN_BL_SPAMCOP_NET 0
score RCVD_IN_BRBL_LASTEXT 0
score DNS_FROM_AHBL_RHSBL 0

# Sorbs.net
score RCVD_IN_SORBS_HTTP 0
score RCVD_IN_SORBS_SOCKS 0
score RCVD_IN_SORBS_MISC 0
score RCVD_IN_SORBS_SMTP 0
score RCVD_IN_SORBS_WEB 0
score RCVD_IN_SORBS_BLOCK 0
score RCVD_IN_SORBS_ZOMBIE 0
score RCVD_IN_SORBS_DUL 0

# NJABL.org
score RCVD_IN_NJABL_RELAY 0
score RCVD_IN_NJABL_SPAM 0
score RCVD_IN_NJABL_MULTI 0
score RCVD_IN_NJABL_CGI 0
score RCVD_IN_NJABL_PROXY 0

# rfc-ignorant.org
score DNS_FROM_RFC_DSN 0
score DNS_FROM_RFC_BOGUSMX 0

# DNSWL.org
score RCVD_IN_DNSWL_HI 0
score RCVD_IN_DNSWL_MED 0
score RCVD_IN_DNSWL_LOW 0
score RCVD_IN_DNSWL_NONE 0

# ReturnPath.net
score RCVD_IN_RP_CERTIFIED 0
score RCVD_IN_RP_RNBL 0
score RCVD_IN_RP_SAFE 0

# SuretyMail / isipp.com
score RCVD_IN_IADB_VOUCHED 0
score RCVD_IN_IADB_DK 0
score RCVD_IN_IADB_DOPTIN 0
score RCVD_IN_IADB_DOPTIN_GT50 0
score RCVD_IN_IADB_DOPTIN_LT50 0
score RCVD_IN_IADB_EDDB 0
score RCVD_IN_IADB_EPIA 0
score RCVD_IN_IADB_GOODMAIL 0
score RCVD_IN_IADB_LISTED 0
score RCVD_IN_IADB_LOOSE 0
score RCVD_IN_IADB_MI_CPEAR 0
score RCVD_IN_IADB_MI_CPR_30 0
score RCVD_IN_IADB_MI_CPR_MAT 0
score RCVD_IN_IADB_ML_DOPTIN 0
score RCVD_IN_IADB_NOCONTROL 0
score RCVD_IN_IADB_OOO 0
score RCVD_IN_IADB_OPTIN 0
score RCVD_IN_IADB_OPTIN_GT50 0
score RCVD_IN_IADB_OPTIN_LT50 0
score RCVD_IN_IADB_OPTOUTONLY 0
score RCVD_IN_IADB_RDNS 0
score RCVD_IN_IADB_SENDERID 0
score RCVD_IN_IADB_SPF 0
score RCVD_IN_IADB_UNVERIFIED_1 0
score RCVD_IN_IADB_UNVERIFIED_2 0
score RCVD_IN_IADB_UT_CPEAR 0
score RCVD_IN_IADB_UT_CPR_30 0
score RCVD_IN_IADB_UT_CPR_MAT 0

# SURBL.org
score URIBL_SC_SURBL 0
score URIBL_WS_SURBL 0
score URIBL_PH_SURBL 0
score URIBL_OB_SURBL 0
score URIBL_AB_SURBL 0
score URIBL_JP_SURBL 0

# DCC
score DCC_CHECK 0
score DCC_REPUT_00_12 0
score DCC_REPUT_70_89 0
score DCC_REPUT_90_94 0
score DCC_REPUT_95_98 0
score DCC_REPUT_99_100 0

-- 
"The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself.  Therefore all progress
depends on the unreasonable man." - George Bernard Shaw
http://www.ChaosReigns.com


Change at dnswl.org

2010-10-02 Thread Matthias Leisi
Hello all,

dnswl.org has been running as a pure volunteer project since 2006.
However, given the changing anti-spam industry and the challenges
ahead, we decided that we need some sound financial basis. In a number
of steps, we will introduce a subscription model for "heavy" users and
vendors of anti-spam solutions using our data.

The vast majority of our 50'000 users will not be affected by this
change, since they neither need rsync access nor are they "heavy"
users (which we define as above 100'000 queries / 24 hours on our
public nameserver mirrors). Those who contribute to the project (eg
with resources, data, time, know how) will get a free subscription,
and we plan to introduce a reduced rate for educational and
not-for-profit organisations.

The current implementation schedule is in this blog posting:
http://www.dnswl.org/news/archives/18-Changes-at-dnswl.org.html
(http://goo.gl/info/T0j3)

Any inputs are of course appreciated - and you are very welcome to
contribute to the project :)

-- Matthias


Re: What's necessary to get "spamassassin --report" data to dnswl.org?

2010-02-26 Thread Karsten Bräckelmann
On Fri, 2010-02-26 at 17:09 -0500, dar...@chaosreigns.com wrote:
> On 02/26, Karsten Bräckelmann wrote:
> > opinions there. If the code and idea is deemed good, eventually sign a
> > CLA (assuming it's a non-trivial change), so the code can be accepted
> > for upstream inclusion.
> 
> Thanks.  I'm looking more for the requirements for the code being accepted
> into SA.  It looks nice and straight forward, I'd just like some
> confirmation that it's likely to be accepted before I do the work.

Write nice and clean code. Good documentation strongly preferred. Sign
CLA. Be sure the service is OK with the usage / reporting feature. (OK,
we got the latter. ;)

If it requires an account, be sure the code doesn't just fail if there
is none given, but simply make it a no-op in that case, failing
transparently without harming anything else.

Other than that, there's not too much we can say in advance.

> Maybe I should start by filing a feature request bug against SA for this
> feature?

Feel free to create a bug report to track progress and attach the actual
code or patches. However, do not expect a lot of comments before there's
any substance.


-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: What's necessary to get "spamassassin --report" data to dnswl.org?

2010-02-26 Thread Karsten Bräckelmann
On Fri, 2010-02-26 at 22:59 +0100, Matthias Leisi wrote:
> On 26.02.10 22:53, Karsten Bräckelmann wrote:
> 
> > code?  Then this would seem to be a general sketch: Write the plugin,
> > while keeping DNSWL tightly in the loop to sync the process. Submit the
> 
> Actually, Darxus is editor at dnswl.org and contributes a nameserver -
> he is very much in the loop with the project. "--report" would be a good
> addition to abuse reporting through the webinterface, that's why Darxus
> is investigating.

So my second attempt at interpreting a single-sentence question was
successful. Yay. :)  Why didn't he just say that in the first place?

I guess the stated requirement still stands. Though shouldn't be much of
an obstacle in this case.

Anyway, my initial comments probably also still stand. For the reporting
to actually be accepted en-masse, the user likely needs to register with
you, no? And of course, the part about forwarding [1] and network setup
is important, too. [2]

  guenther


[1] Open Source projects love to give out forwarding addresses at their
domain. Gathers spam, even if one doesn't use them.
And then there are moderation and role accounts. Same.

[2] I've fallen into this myself, though not with reporting. Changed
SMTP servers for the forwarding service resulted in the wrong IPs
being checked, and less accurate DNS BL results.
This also affects exactly this point of handing-over SMTP.

-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: What's necessary to get "spamassassin --report" data to dnswl.org?

2010-02-26 Thread Darxus
On 02/26, Karsten Bräckelmann wrote:
> opinions there. If the code and idea is deemed good, eventually sign a
> CLA (assuming it's a non-trivial change), so the code can be accepted
> for upstream inclusion.

Thanks.  I'm looking more for the requirements for the code being accepted
into SA.  It looks nice and straight forward, I'd just like some
confirmation that it's likely to be accepted before I do the work.

Maybe I should start by filing a feature request bug against SA for this
feature?

-- 
"Every normal man must be tempted at times to spit upon his hands,
hoist the black flag, and begin slitting throats."
 - Henry Louis Mencken (1880-1956)
http://www.ChaosReigns.com


Re: What's necessary to get "spamassassin --report" data to dnswl.org?

2010-02-26 Thread Matthias Leisi
Karsten,

On 26.02.10 22:53, Karsten Bräckelmann wrote:

> code?  Then this would seem to be a general sketch: Write the plugin,
> while keeping DNSWL tightly in the loop to sync the process. Submit the

Actually, Darxus is editor at dnswl.org and contributes a nameserver -
he is very much in the loop with the project. "--report" would be a good
addition to abuse reporting through the webinterface, that's why Darxus
is investigating.

-- Matthias


Re: What's necessary to get "spamassassin --report" data to dnswl.org?

2010-02-26 Thread Karsten Bräckelmann
On Fri, 2010-02-26 at 16:40 -0500, dar...@chaosreigns.com wrote:
> On 02/26, Karsten Bräckelmann wrote:
> > I assume you're talking about reporting abuse? If you actually would go
> > to dnswl.org, you'll see a Report Abuse link right hand, which tells you
> > what's needed.
> 
> No.  Matthias (DNSWL) asked me to "try to get us included in that process".

"No" what? Not reporting abuse? You're pretty confusing. Mind taking a
whopping minute or three to explain in full what you really have in
mind?

> If I create the necessary plugin, etc., what will it take to get it
> included in SA?

Wow, I seriously fail to read any possible meaning of that sentence into
your original subject -- err, rather, original full post.

"Included in SA" in the sense of getting the functionality into upstream
code?  Then this would seem to be a general sketch: Write the plugin,
while keeping DNSWL tightly in the loop to sync the process. Submit the
plugin as an attachment to a feature request bug report. Gather some
opinions there. If the code and idea is deemed good, eventually sign a
CLA (assuming it's a non-trivial change), so the code can be accepted
for upstream inclusion.

If that's not it again -- please go back to my first paragraph.


-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: What's necessary to get "spamassassin --report" data to dnswl.org?

2010-02-26 Thread Darxus
On 02/26, Karsten Bräckelmann wrote:
> I assume you're talking about reporting abuse? If you actually would go
> to dnswl.org, you'll see a Report Abuse link right hand, which tells you
> what's needed.

No.  Matthias (DNSWL) asked me to "try to get us included in that process".

If I create the necessary plugin, etc., what will it take to get it
included in SA?

-- 
"It's never too late to panic."
http://www.ChaosReigns.com


Re: What's necessary to get "spamassassin --report" data to dnswl.org?

2010-02-26 Thread Karsten Bräckelmann
On Fri, 2010-02-26 at 16:09 -0500, dar...@chaosreigns.com wrote:
> Beyond creating the plugin?

I assume you're talking about reporting abuse? If you actually would go
to dnswl.org, you'll see a Report Abuse link right hand, which tells you
what's needed.

  If you want to regularly report spam samples to us, please register as
  a spam reporter. This currently has a simple web interface to copy&paste
  the source of an email; more comfortable solutions are planned for the
  future.
   http://www.dnswl.org/report.shtml

Yes, I also assumed you won't fall into the "once in a while" category,
given your mentioning automated mechanisms.


As a side-note, you absolutely have to have your internal and trusted
networks set up correctly. That includes *any* SMTPs for forwarding
addresses, if the mail gets checked for spam. (Including mailing list
servers, if you pass posts through SA.)


-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



What's necessary to get "spamassassin --report" data to dnswl.org?

2010-02-26 Thread Darxus
Beyond creating the plugin?

(Also interested in the --revoke data.)

-- 
"Of course there's strength in numbers. But there's strength in sharp
weaponry too. Ironically, this lead to what we call 'civilization'."
- spore
http://www.ChaosReigns.com


RE: Using DNSWL.org with Icewarp Merak's SpamAssassin

2008-08-08 Thread Rasmus Haslund
Hi Matthias,

Thank you for taking time to respond to me.

From the headers our SpamAssassin is creating I can see
X-Spam-Checker-Version: SpamAssassin 3.2.1 (1.0).
We are also using several URI lists that are configured in the same
local.cf file as the DNSWL configuration and those URI lists are
successfully used - hence I am very confident SpamAssassin is actually
using this file.

Unfortunately the supporters at Icewarp have chosen to ignore my request
for support on this issue.
In that light I have made a post on their forum instead:
http://forum.icewarp.com/Implementing_DNSWL%25org_into_SpamAssassin_local%25cf/m_661/tm.htm

I know people working for Icewarp look and respond in the forum so there
is a good chance you could reach them there.
If they eventually respond to my support ticket I will refer them to
you.

Best Regards
NOWACO A/S
Rasmus Haslund

-Original Message-
From: Matthias Leisi [mailto:[EMAIL PROTECTED] 
Sent: 8. august 2008 10:45
To: users@spamassassin.apache.org
Subject: Re: Using DNSWL.org with Icewarp Merak's SpamAssassin



Rasmus Haslund schrieb:

| I have tried without luck to get any support from Icewarp in this 
| manner and instead hope someone on the list can be of assistance.
|
| I am trying to use DNSWL in our local.cf and have copied the 
| configuration from their website:

I don't know which version of SpamAssassin is used by Icewarp, but
dnswl.org rules are part of SA's default ruleset since 3.2.0.

| However it seems SpamAssassin is not using the configuration.
| Any ideas on what could be going wrong?

Is SA looking at the same .cf file which you are editing?

-- Matthias, for dnswl.org

PS: If you do have a contact at Icewarp, could you please refer them to
me (or to admins /at/ dnswl.org)? Thanks.


Re: Using DNSWL.org with Icewarp Merak's SpamAssassin

2008-08-08 Thread Matthias Leisi



Rasmus Haslund schrieb:

| I have tried without luck to get any support from Icewarp in this manner
| and instead hope someone on the list can be of assistance.
|
| I am trying to use DNSWL in our local.cf and have copied the
| configuration from their website:

I don't know which version of SpamAssassin is used by Icewarp, but
dnswl.org rules are part of SA's default ruleset since 3.2.0.

| However it seems SpamAssassin is not using the configuration.
| Any ideas on what could be going wrong?

Is SA looking at the same .cf file which you are editing?

-- Matthias, for dnswl.org

PS: If you do have a contact at Icewarp, could you please refer them to
me (or to admins /at/ dnswl.org)? Thanks.


Using DNSWL.org with Icewarp Merak's SpamAssassin

2008-08-08 Thread Rasmus Haslund
Hi all,
 
I have tried without luck to get any support from Icewarp in this manner
and instead hope someone on the list can be of assistance.
 
I am trying to use DNSWL in our local.cf and have copied the
configuration from their website:
 
header __RCVD_IN_DNSWL  eval:check_rbl('dnswl-firsttrusted', 'list.dnswl.org.')

header RCVD_IN_DNSWL_LOW    eval:check_rbl_sub('dnswl-firsttrusted', '127.0.\d+.1')
describe RCVD_IN_DNSWL_LOW  Sender listed at http://www.dnswl.org/, low trust
tflags RCVD_IN_DNSWL_LOW    nice net

header RCVD_IN_DNSWL_MED    eval:check_rbl_sub('dnswl-firsttrusted', '127.0.\d+.2')
describe RCVD_IN_DNSWL_MED  Sender listed at http://www.dnswl.org/, medium trust
tflags RCVD_IN_DNSWL_MED    nice net

header RCVD_IN_DNSWL_HI     eval:check_rbl_sub('dnswl-firsttrusted', '127.0.\d+.3')
describe RCVD_IN_DNSWL_HI   Sender listed at http://www.dnswl.org/, high trust
tflags RCVD_IN_DNSWL_HI     nice net

score RCVD_IN_DNSWL_LOW -1
score RCVD_IN_DNSWL_MED -10
score RCVD_IN_DNSWL_HI  -100

However it seems SpamAssassin is not using the configuration.
Any ideas on what could be going wrong?
 
Thank you all in advance.
  
Best Regards
 
 
Rasmus Haslund
 
NOWACO A/S
Prinsensgade 15
9100 Aalborg, Denmark
 
Phone:   +45 96 30 80 80
Direct:  +45 96 30 80 83
Mobile:  +45 40 59 94 94
Fax: +45 96 30 80 90
www.nowaco.com 
 

Re: dnswl.org

2007-05-09 Thread Matthias Leisi



Sujit Acharyya-Choudhury wrote:
> We are currently running SpamAssassin 3.1.7.  Can we run dnswl.org with
> this version of SpamAssassin?

Sure - it uses regular DNSBL-style lookups. dnswl.org data (and the
rules) should work in almost any version of SA.

> Can I put in lines like this in local.cf?

If you took the lines from <http://www.dnswl.org/tech#spamassassin>
(which it seems you did), you should be fine.

Note that there are two differences to the rules now distributed with
SA 3.2.0:

1) The 3.2.0 ruleset misses the actual lookup, which you can add to your
local.cf:

header __RCVD_IN_DNSWL eval:check_rbl('dnswl-firsttrusted', 'list.dnswl.org.')

2) The distributed scores are -1, -4 and -8 for low, med and hi; on our
webpage, we have -1, -10 and -100. I guess it depends on your philosophy
and other (whitelisting/blocking) rules to decide which scores to choose.

-- Matthias

PS: I've seen a number of requests for .ac.uk domains to be included in
dnswl.org -- I will not get around to handle them today.



dnswl.org

2007-05-09 Thread Sujit Acharyya-Choudhury
We are currently running SpamAssassin 3.1.7.  Can we run dnswl.org with
this version of SpamAssassin?

Can I put in lines like this in local.cf?
# dnswl.org file

header __RCVD_IN_DNSWL eval:check_rbl('dnswl-firsttrusted', 'list.dnswl.org.')

header RCVD_IN_DNSWL_LOW eval:check_rbl_sub('dnswl-firsttrusted', '127.0.\d+.1')
describe RCVD_IN_DNSWL_LOW   Sender listed at http://www.dnswl.org/, low trust
tflags RCVD_IN_DNSWL_LOW nice net

header RCVD_IN_DNSWL_MED eval:check_rbl_sub('dnswl-firsttrusted', '127.0.\d+.2')
describe RCVD_IN_DNSWL_MED   Sender listed at http://www.dnswl.org/, medium trust
tflags RCVD_IN_DNSWL_MED nice net

header RCVD_IN_DNSWL_HI  eval:check_rbl_sub('dnswl-firsttrusted', '127.0.\d+.3')
describe RCVD_IN_DNSWL_HI    Sender listed at http://www.dnswl.org/, high trust
tflags RCVD_IN_DNSWL_HI  nice net


score RCVD_IN_DNSWL_LOW -1
score RCVD_IN_DNSWL_MED -10
score RCVD_IN_DNSWL_HI  -100

Regards

--
Sujit Choudhury
ISLS
University of Westminster
Ext 3851 / 1779



Re: How to use dnswl.org whitelisting with SA 3.2.0 (quick-fix)

2007-05-07 Thread Matthias Leisi



Jack L. Stone wrote:

> When I run manual test:
> [EMAIL PROTECTED]>> host 2.0.0.127.list.dnswl.org
> ...I get
> 2.0.0.127.list.dnswl.org has address 127.0.10.0
> Not return of 127.0.0.2???

There was a doc error on http://www.dnswl.org/tech telling that the
2.0.0.127... lookup would return 127.0.0.2, while in reality it returns
127.0.10.0 - fixed.

(And now off to working on the requests that came in to our request
tracker after I posted here ;) )

Thanks,
-- Matthias



Re: How to use dnswl.org whitelisting with SA 3.2.0 (quick-fix)

2007-05-07 Thread Matt Kettler
Jack L. Stone wrote:
> At 01:46 PM 5.7.2007 +0200, Matthias Leisi wrote:
>   
>> [Disclosure: I'm involved with the dnswl.org project]
>>
>> SA 3.2.0 misses one rule to get the actual dnswl.org lookup rules working
>> (reported in http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5450,
>> targeted for resolution in 3.2.1).
>>
>> In order to use dnswl.org lookups already today, add the following to your
>> local.cf or other appropriate location:
>>
>> header __RCVD_IN_DNSWL eval:check_rbl('dnswl-firsttrusted', 'list.dnswl.org.')
>>
>> For additional information on the project, see http://www.dnswl.org/.
>>
>> -- Matthias
>>
>> 
>
> When I run manual test:
> [EMAIL PROTECTED]>> host 2.0.0.127.list.dnswl.org
> ...I get
> 2.0.0.127.list.dnswl.org has address 127.0.10.0
> Not return of 127.0.0.2???
>   

That makes perfect sense if you read the return-codes for DNSWL:

http://www.dnswl.org/tech

127.0.10.0 decodes as "special case" "not trustworthy for blocking".
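
An added example, not part of the original post or of SpamAssassin: it builds the query name used in the manual test above and checks which of the three sub-rules posted in these threads would fire for a given answer, with the two score sets mentioned. The anchored `STRICT` patterns, the use of an unanchored regex search to apply a sub-test, and every sample answer except 127.0.10.0 are assumptions constructed for the example.

```python
import ipaddress
import re

ZONE = "list.dnswl.org."  # zone from the __RCVD_IN_DNSWL rule quoted in the thread

# Sub-test patterns exactly as posted: dots unescaped, no anchors.
POSTED = {
    "RCVD_IN_DNSWL_LOW": r"127.0.\d+.1",
    "RCVD_IN_DNSWL_MED": r"127.0.\d+.2",
    "RCVD_IN_DNSWL_HI": r"127.0.\d+.3",
}
# Assumption of this example: same patterns, dots escaped and both ends anchored.
STRICT = {name: "^" + pat.replace(".", r"\.") + "$" for name, pat in POSTED.items()}

# The two score sets mentioned in the thread (low, med, hi).
SCORES_WEBSITE = {"RCVD_IN_DNSWL_LOW": -1, "RCVD_IN_DNSWL_MED": -10,
                  "RCVD_IN_DNSWL_HI": -100}
SCORES_DISTRIBUTED = {"RCVD_IN_DNSWL_LOW": -1, "RCVD_IN_DNSWL_MED": -4,
                      "RCVD_IN_DNSWL_HI": -8}


def query_name(ip: str) -> str:
    """Build the DNSBL-style query name: reversed IPv4 octets, then the zone."""
    octets = ipaddress.IPv4Address(ip).packed  # raises ValueError on bad input
    return ".".join(str(o) for o in reversed(octets)) + "." + ZONE


def rules_hit(answer: str, patterns: dict) -> list:
    """Names of the sub-rules whose pattern is found anywhere in the answer."""
    return [name for name, pat in patterns.items() if re.search(pat, answer)]


def score(answer: str, patterns: dict, scores: dict) -> int:
    """Total score contributed by the sub-rules that fire for this answer."""
    return sum(scores[name] for name in rules_hit(answer, patterns))


if __name__ == "__main__":
    # Constructed answers: the thread's test point, a well-formed "hi" answer,
    # and two values outside the 127.0.x.{1,2,3} scheme.
    for answer in ("127.0.10.0", "127.0.5.3", "127.0.0.255", "127.0.5.10"):
        print(answer, rules_hit(answer, POSTED), rules_hit(answer, STRICT),
              score(answer, POSTED, SCORES_WEBSITE))
```

With the posted patterns the constructed answer 127.0.0.255 is scored as medium trust (-10 with the website scores), while the anchored variants fire nothing for it; the test-point answer 127.0.10.0 fires none of the three rules either way.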



Re: How to use dnswl.org whitelisting with SA 3.2.0 (quick-fix)

2007-05-07 Thread Jack L. Stone
At 01:46 PM 5.7.2007 +0200, Matthias Leisi wrote:
>[Disclosure: I'm involved with the dnswl.org project]
>
>SA 3.2.0 misses one rule to get the actual dnswl.org lookup rules working
>(reported in http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5450,
>targeted for resolution in 3.2.1).
>
>In order to use dnswl.org lookups already today, add the following to your
>local.cf or other appropriate location:
>
>header __RCVD_IN_DNSWL eval:check_rbl('dnswl-firsttrusted', 'list.dnswl.org.')
>
>For additional information on the project, see http://www.dnswl.org/.
>
>-- Matthias
>

When I run manual test:
[EMAIL PROTECTED]>> host 2.0.0.127.list.dnswl.org
...I get
2.0.0.127.list.dnswl.org has address 127.0.10.0
Not return of 127.0.0.2???


(^_^)
Happy trails,
Jack L. Stone

System Admin
Sage-american


How to use dnswl.org whitelisting with SA 3.2.0 (quick-fix)

2007-05-07 Thread Matthias Leisi
[Disclosure: I'm involved with the dnswl.org project]

SA 3.2.0 misses one rule to get the actual dnswl.org lookup rules working
(reported in http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5450,
targeted for resolution in 3.2.1).

In order to use dnswl.org lookups already today, add the following to your
local.cf or other appropriate location:

header __RCVD_IN_DNSWL eval:check_rbl('dnswl-firsttrusted', 'list.dnswl.org.')

For additional information on the project, see http://www.dnswl.org/.

-- Matthias