Re: false scoring for DNS_FROM_RFC_ABUSE

2006-05-27 Thread Kai Schaetzl
Mr. List Mail User, your efforts in this respect are ridiculous, now 
you are resurrecting long dead bodies. I can't believe that you read this 
document and still believe it could have any relevance to this. Wow.

1. this is what rfc-editor.org says about 954:
RFC0954
 NICNAME/WHOIS  K. Harrenstien, M.K. Stahl, E.J. Feinler October 1985 
ASCII Obsoletes RFC812, Obsoleted by RFC3912  DRAFT STANDARD 
That's pretty clear, isn't it? It's obsoleted.

2. Be it obsoleted or not, there is nothing in that document that puts 
whois.denic.de in violation of it. I really suggest you ask someone to 
explain it to you. Maybe you are reading a different document, I use this 
one: ftp://ftp.rfc-editor.org/in-notes/rfc954.txt


Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com





Re: false scoring for DNS_FROM_RFC_ABUSE

2006-05-26 Thread List Mail User
...
On Thursday 25 May 2006 21:31, Kai Schaetzl took the opportunity to write:
 Jamie L. Penman-Smithson wrote on Thu, 25 May 2006 17:12:07 +0100:
  .de does not have a working WHOIS server, that's fundamentally broken:

 No, *your* whois client is outdated and broken.

 snip

 And this is not the only TLD they are wrong about. If you want to
 follow-up, better to me directly, I think it's off-topic.

You should have explained why they were wrong from the beginning. You're
absolutely right. The RFC doesn't define any syntax. The evidence is totally
bogus.

-- 
Magnus Holmgren [EMAIL PROTECTED]
   (No Cc of list mail needed, thanks)
...

Um...  Syntax?

RFC3912 Section 3

3.  Protocol Example

   If one places a request of the WHOIS server located at whois.nic.mil
   for information about Smith, the packets on the wire will look
   like:

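   client                           server at whois.nic.mil

   open TCP   ---- (SYN) ------------------------------>
              <---- (SYN+ACK) -------------------------
   send query ---- "Smith<CR><LF>" -------------------->
   get answer <---- "Info about Smith<CR><LF>" ---------
              <---- "More info about Smith<CR><LF>" ----
   close      <---- (FIN) ------------------------------
              ----- (FIN) ----------------------------->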



DeNIC does not follow this protocol;  However for many (even most)
domains, proper data can be gotten using *undocumented* extensions they
have added to their own Whois server.  A large number of whois clients do
special case the DeNIC and .de domains, but this only shows that the .de
TLD is indeed *not* RFC compliant.

Please examine the source of any not outdated and broken client
and look at the code, or better look at (previous listing):

http://www.rfc-ignorant.org/tools/detail.php?domain=de&submitted=1094941143&table=whois

BTW. The many common clients use the ISO-8859-1 character set, which only
works for a subset of the domains at DeNIC - so please don't count any of
these as not broken (and US-ASCII still doesn't work for all domains
either - just nearly all).

Oh, and for clients that follow referrals to HTTP servers (which
many country specific NICs do provide in place of Whois servers), we have:

RFC3912 Section 2

2.  Protocol Specification

   A WHOIS server listens on TCP port 43 for requests from WHOIS
   clients.  The WHOIS client makes a text request to the WHOIS server,
   then the WHOIS server replies with text content.  All requests are
   terminated with ASCII CR and then ASCII LF.  The response might
   contain more than one line of text, so the presence of ASCII CR or
   ASCII LF characters does not indicate the end of the response.  The
   WHOIS server closes its connection as soon as the output is finished.
   The closed TCP connection is the indication to the client that the
   response has been received.


Simply, if it isn't plain text on port 43, it isn't a RFC compliant Whois 
server.  Oh, and if anyone knows of an IANA registered Whois server for a
TLD that does function (I know of several which work, but aren't listed
at IANA), then an email to RFCI will get a listing removed.

Paul Shupak
[EMAIL PROTECTED]


Re: false scoring for DNS_FROM_RFC_ABUSE

2006-05-26 Thread Kai Schaetzl
List Mail User wrote on Thu, 25 May 2006 23:02:21 -0700 (PDT):

 DeNIC does not follow this protocol; 

1. there's nothing which backs your claim, *nothing*.
2. example is an example and nothing else. You should know that. There are 
also special words in RFCs which clearly define mandatory things. What you 
claim is a wish, it's not defined by that RFC. There is nothing in that RFC 
that defines a *required* syntax other than terminating the one-line query. 
There is *nothing* in that RFC that *requires* a certain output volume or 
content volume, just that you get some text about the queried object back.

 BTW. The many common clients use the ISO-8859-1 character set, which only 
 works for a subset of the domains at DeNIC - so please don't count any of 
 these as not broken (and US-ASCII still doesn't work for all domains 
 either - just nearly all). 

What's the problem with this? Non-ISO-8859-1 text isn't text? Is that what you 
want to say? Think about that again.

 Oh, and for clients that follow referrals to HTTP servers (which 
 many country specific NICs do provide in place of Whois servers), we have: 

 Simply, if it isn't plain text on port 43, it isn't a RFC compliant Whois 
 server.

You are making up your own rules, again. There's nothing in the text you quoted 
that requires plain text (whatever you mean by that) and disallows referrals.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com





Re: false scoring for DNS_FROM_RFC_ABUSE

2006-05-26 Thread Magnus Holmgren
On Friday 26 May 2006 15:53, List Mail User took the opportunity to write:

   Kai,

   There doesn't seem to be any language barrier, so either you refuse
 to read and follow the RFC trail yourself, or you require spoon-feeding.

   What about RFC1032, page 5
 
 VERIFICATION OF DATA

The verification process can be accomplished in several ways.  One of
these is through the NIC WHOIS server.  If he has access to WHOIS,
the DA can type the command "whois domain <domain name><return>".
The reply from WHOIS will supply the following: the name and address
of the organization owning the domain; the name of the domain; its
administrative, technical, and zone contacts; the host names and
network addresses of sites providing name service for the domain.

Judging from the title, RFC 1032 is a guide, not a normative reference. 
AFAICT, the section above describes how to use a specific WHOIS server, or 
rather *the* WHOIS server, which existed at the Network Information Center 
(NIC) of Defense Data Network (DDN) at the time.

-- 
Magnus Holmgren[EMAIL PROTECTED]
   (No Cc of list mail needed, thanks)




Re: false scoring for DNS_FROM_RFC_ABUSE

2006-05-26 Thread Kai Schaetzl
List Mail User wrote on Fri, 26 May 2006 06:53:36 -0700 (PDT):

 What about RFC1032, page 5 

RFC 1032 is not authoritative in any way. It never was a standard, it doesn't 
define anything about the whois protocol. If you think so it's wishful thinking.

 This RFC is not obsolete, and make quite clear that indeed certain 
 data is required.  RFC3912 greatly reduces the requirements from what was 
 in RFC954, but *some* means of contact remains required, as does an identity 
 of the registrant (any of a person, organization or agent will suffice). 

There's nothing in RFC 3912 about this. Whatever you are reading, it's not 3912.
I asked the author of RFC 3912 and he clearly says that the .de whois server is 
*not* in violation of RFC 3912 in his opinion. He says the output could be 
considered suboptimal. Do you really want me to contact the author of 1032 as 
well? I suggest *you* do that if you want to keep backing your claims with 1032. 
Until that: forget about 1032.

I also think you confuse protocol and query syntax. None of the quoted RFCs 
specifies a certain query syntax.


Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com





Re: false scoring for DNS_FROM_RFC_ABUSE

2006-05-26 Thread Pablo Allietti
On Fri, May 26, 2006 at 02:31:16PM +0200, Kai Schaetzl wrote:
 Jamie L. Penman-Smithson wrote on Fri, 26 May 2006 00:52:39 +0100:
 
  After some research, I came to the conclusion that .de is, indeed,   
  still broken: 
   
  ftp://ftp.isi.edu/in-notes/rfc3912.txt
 
 And *where exactly* does this RFC say that the whois input and output must 
 behave in a different way than the .de input and output does now?
 
 Kai
 
 -- 
 Kai Schätzl, Berlin, Germany
 Get your web at Conactive Internet Services: http://www.conactive.com
 
 
---end quoted text---

-- 


.-
Pablo Allietti
E-mail: [EMAIL PROTECTED] | LACNIC  

  
Phone : +598 2 604   | http://LACNIC.NET


Re: false scoring for DNS_FROM_RFC_ABUSE

2006-05-26 Thread jdow

From: Kai Schaetzl [EMAIL PROTECTED]


Jamie L. Penman-Smithson wrote on Fri, 26 May 2006 00:52:39 +0100:

After some research, I came to the conclusion that .de is, indeed,   
still broken: 
 
ftp://ftp.isi.edu/in-notes/rfc3912.txt


And *where exactly* does this RFC say that the whois input and output must 
behave in a different way than the .de input and output does now?


Kai


More to the point, Kai, in line with my earlier comment that RFCs are
Request For Comment documents not standards, where does ANYTHING say
that ANYONE MUST abide by them as if they were standards?

Of course, NOTHING says a particular anti-spam tool cannot decide to
use the formalisms from an RFC to build a filter mechanism, either. The
RFCs are good things. They just are not mandatory things, yet.

{^_-}


Re: false scoring for DNS_FROM_RFC_ABUSE

2006-05-26 Thread List Mail User
...
From: Kai Schaetzl [EMAIL PROTECTED]

 Jamie L. Penman-Smithson wrote on Fri, 26 May 2006 00:52:39 +0100:
 
 After some research, I came to the conclusion that .de is, indeed,   
 still broken: 
  
 ftp://ftp.isi.edu/in-notes/rfc3912.txt
 
 And *where exactly* does this RFC say that the whois input and output must 
 behave in a different way than the .de input and output does now?
 
 Kai

More to the point, Kai, in line with my earlier comment that RFCs are
Request For Comment documents not standards, where does ANYTHING say
that ANYONE MUST abide by them as if they were standards?

Of course, NOTHING says a particular anti-spam tool cannot decide to
use the formalisms from an RFC to build a filter mechanism, either. The
RFCs are good things. They just are not mandatory things, yet.

{^_-}


Actually Joanne, there is STD-1, which is exactly those RFCs which
have been adopted as standards (i.e. it is too late to make any comments
on their content).  Though Kai won't like these - they *still* contain RFC954,
not RFC3912 and by that requirement DeNIC is completely in violation;  RFC954
basically reads like a portion of the ICANN registrars agreement which governs
unsponsored TLDs - i.e. .aero, .arpa, .biz, .cat, .com, .coop, .edu, .info,
.int, .jobs, .mobi, .museum, .name, .net, .org, .pro, and .travel.

See:

http://rfc.net/std1.html

	Of course, STD-1 is itself an RFC:)  But the last accepted standard
for Whois is RFC954, everything later is largely attempts by DeNIC (and Chile)
to remove Whois entirely (and their latest proposal is to do exactly that).
(Though it is clear that RFC3912 *will* become the standard in some later
version of STD-1 - but it isn't *yet*.)

Still none of any of these has the weight of law behind them except
for possibly the contractual element of the ICANN registrars agreement (but
ICANN has never really tried to do much to enforce that for most ill-behaving
registrars) and that would be civil law, not criminal;  There are no net
police except the self-appointed ones (like every admin who uses a blacklist,
firewall blocks or even SA).

Paul Shupak
[EMAIL PROTECTED]


Re: false scoring for DNS_FROM_RFC_ABUSE

2006-05-25 Thread Kai Schaetzl
Mike Jackson wrote on Wed, 24 May 2006 08:44:17 -0700:

 Personally, I have those two rules zero-scored in my local.cf. Even though I 
 like RFCI, and use their bogusmx and dsn lists at the MTA level, these two 
 create too many false positives.

You cannot trust any of the rfc-ignorant.org lists, they list whole TLDs just 
because they don't like something about them. These lists go by personal 
taste than any other.

http://www.rfc-ignorant.org/tools/lookup.php?domain=something.de


Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com





Re: false scoring for DNS_FROM_RFC_ABUSE

2006-05-25 Thread Magnus Holmgren
On Thursday 25 May 2006 17:31, Kai Schaetzl took the opportunity to write:
 Mike Jackson wrote on Wed, 24 May 2006 08:44:17 -0700:
  Personally, I have those two rules zero-scored in my local.cf. Even
  though I like RFCI, and use their bogusmx and dsn lists at the MTA level,
  these two create too many false positives.

 You cannot trust any of the rfc-ignorant.org lists, they list whole TLDs
 just because they don't like something about them. These lists go by
 personal taste than any other.

"[...], however 'entire TLD'-based domains return a different result code in 
the A record (127.0.0.7 versus 127.0.0.5) so as to allow sites to 
differentiate between them.", which SA takes into account.

(http://www.rfc-ignorant.org/policy-whois.php)

-- 
Magnus Holmgren[EMAIL PROTECTED]
   (No Cc of list mail needed, thanks)




Re: false scoring for DNS_FROM_RFC_ABUSE

2006-05-25 Thread Mike Jackson
Personally, I have those two rules zero-scored in my local.cf. Even though I
like RFCI, and use their bogusmx and dsn lists at the MTA level, these two
create too many false positives.

You cannot trust any of the rfc-ignorant.org lists, they list whole TLDs just
because they don't like something about them. These lists go by personal
taste than any other.

http://www.rfc-ignorant.org/tools/lookup.php?domain=something.de


Some of their listings are arbitrary, but the two I listed are based on 
solid, indisputable configuration problems that are either the sign of a 
clueless administrator or malicious intent, mostly the latter. I find their 
false positive rate to be nearly zero, and I trust them to block unwanted 
mail before it arrives. The only - repeat, only - false positive I've seen 
in several years of usage was the bogusmx listing here:


http://www.rfc-ignorant.org/tools/lookup.php?full=1&domain=guardnet%2Ecom

In that case, it was a clueless admin, but since I knew them personally, I 
explained the problem and told them how to fix it. 



Re: false scoring for DNS_FROM_RFC_ABUSE

2006-05-25 Thread Jamie L. Penman-Smithson


On 25 May 2006, at 16:31, Kai Schaetzl wrote:


Mike Jackson wrote on Wed, 24 May 2006 08:44:17 -0700:
Personally, I have those two rules zero-scored in my local.cf. Even though I
like RFCI, and use their bogusmx and dsn lists at the MTA level, these two
create too many false positives.

You cannot trust any of the rfc-ignorant.org lists, they list whole TLDs just
because they don't like something about them. These lists go by personal
taste than any other.

http://www.rfc-ignorant.org/tools/lookup.php?domain=something.de


.de does not have a working WHOIS server, that's fundamentally broken:

[Querying whois.denic.de]
[whois.denic.de]
Domain:  something.de
Status:  connect

-j




Re: false scoring for DNS_FROM_RFC_ABUSE

2006-05-25 Thread Kai Schaetzl
Jamie L. Penman-Smithson wrote on Thu, 25 May 2006 17:12:07 +0100:

 .de does not have a working WHOIS server, that's fundamentally broken:

No, *your* whois client is outdated and broken.

 whois something.de
 [Querying whois.denic.de]
 [whois.denic.de]
 % Copyright (c)2004 by DENIC
 % Version: 1.05.0
 %
 % Restricted rights.
 %
 %
 % Except for agreed Internet operational purposes, no part of this
 % information may be reproduced, stored in a retrieval system, or
 % transmitted, in any form or by any means, electronic, mechanical,
 % recording, or otherwise, without prior permission of the DENIC
 % on behalf of itself and/or the copyright holders. Any use of this
 % material to target advertising or similar activities are explicitly
 % forbidden and will be prosecuted. The DENIC requests to be notified
 % of any such activities or suspicions thereof.
 
 Domain:  something.de
 Domain-Ace:  something.de
 Descr:   Michael Blatz
 Descr:   Pfarrgartenstr. 18
 Descr:   D-65719 Hofheim
 Descr:   Germany

snip

And this is not the only TLD they are wrong about. If you want to 
follow-up, better to me directly, I think it's off-topic.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com





Re: false scoring for DNS_FROM_RFC_ABUSE

2006-05-25 Thread Kai Schaetzl
Magnus Holmgren wrote on Thu, 25 May 2006 18:01:19 +0200:

 [...], however 'entire TLD'-based domains return a different result code in 
 the A record (127.0.0.7 versus 127.0.0.5) so as to allow sites to 
 differentiate between them.

That is not of interest at all. The problem is they list TLDs because of rules 
they make up themselves, but pretend they use RFCs. If they want to list 
whatever they like: fine. But then they shouldn't claim it's in concordance 
with an RFC while it's not. That's simply a lie. At the moment I know of at 
least three TLDs they list this way, there are probably more.

If you want to follow-up, better to me directly, I think it's off-topic.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com





Re: false scoring for DNS_FROM_RFC_ABUSE

2006-05-25 Thread Benny Pedersen

 You cannot trust any of the rfc-ignorant.org lists, they list whole TLDs just
 because they don't like something about them. These lists go by personal 
 taste than any other.

 http://www.rfc-ignorant.org/tools/lookup.php?domain=something.de

http://www.rfc-ignorant.org/policy-whois.php





Re: false scoring for DNS_FROM_RFC_ABUSE

2006-05-25 Thread Magnus Holmgren
On Thursday 25 May 2006 21:31, Kai Schaetzl took the opportunity to write:
 Jamie L. Penman-Smithson wrote on Thu, 25 May 2006 17:12:07 +0100:
  .de does not have a working WHOIS server, that's fundamentally broken:

 No, *your* whois client is outdated and broken.

 snip

 And this is not the only TLD they are wrong about. If you want to
 follow-up, better to me directly, I think it's off-topic.

You should have explained why they were wrong from the beginning. You're 
absolutely right. The RFC doesn't define any syntax. The evidence is totally 
bogus.

-- 
Magnus Holmgren[EMAIL PROTECTED]
   (No Cc of list mail needed, thanks)




Re: false scoring for DNS_FROM_RFC_ABUSE

2006-05-25 Thread Jamie L. Penman-Smithson


On 25 May 2006, at 20:31, Kai Schaetzl wrote:

Jamie L. Penman-Smithson wrote on Thu, 25 May 2006 17:12:07 +0100:
.de does not have a working WHOIS server, that's fundamentally broken:


No, *your* whois client is outdated and broken.


Agreed, it works in a later version.

snip

And this is not the only TLD they are wrong about. If you want to
follow-up, better to me directly, I think it's off-topic.


If you think a listing is incorrect either contact RFCi, or raise it on 
the RFCi mailing list.


Complaining about it does nothing.

-j




Re: false scoring for DNS_FROM_RFC_ABUSE

2006-05-25 Thread Jamie L. Penman-Smithson


On 25 May 2006, at 21:54, Magnus Holmgren wrote:
On Thursday 25 May 2006 21:31, Kai Schaetzl took the opportunity to write:

Jamie L. Penman-Smithson wrote on Thu, 25 May 2006 17:12:07 +0100:
.de does not have a working WHOIS server, that's fundamentally broken:


No, *your* whois client is outdated and broken.

snip

And this is not the only TLD they are wrong about. If you want to
follow-up, better to me directly, I think it's off-topic.


You should have explained why they were wrong from the beginning. You're
absolutely right. The RFC doesn't define any syntax. The evidence is totally
bogus.


No, RFC 1932 defines the WHOIS protocol, including the syntax.

After some research, I came to the conclusion that .de is, indeed,  
still broken:


ftp://ftp.isi.edu/in-notes/rfc3912.txt

2.  Protocol Specification

   A WHOIS server listens on TCP port 43 for requests from WHOIS
   clients.  The WHOIS client makes a text request to the WHOIS server,
   then the WHOIS server replies with text content.  All requests are
   terminated with ASCII CR and then ASCII LF.  The response might
   contain more than one line of text, so the presence of ASCII CR or
   ASCII LF characters does not indicate the end of the response.  The
   WHOIS server closes its connection as soon as the output is finished.

   The closed TCP connection is the indication to the client that the
   response has been received.

3.  Protocol Example

   If one places a request of the WHOIS server located at whois.nic.mil
   for information about Smith, the packets on the wire will look
   like:

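   client                           server at whois.nic.mil

   open TCP   ---- (SYN) ------------------------------>
              <---- (SYN+ACK) -------------------------
   send query ---- "Smith<CR><LF>" -------------------->
   get answer <---- "Info about Smith<CR><LF>" ---------
              <---- "More info about Smith<CR><LF>" ----
   close      <---- (FIN) ------------------------------
              ----- (FIN) ----------------------------->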

Working WHOIS server:

$ telnet whois.iana.org 43
Trying 192.0.34.118...
Connected to whois.iana.org.
Escape character is '^]'.
example.net

IANA Whois Service
Domain: example.net
Name: IANA_RESERVED

Registrant:
Name: Internet Assigned Numbers Authority (IANA)
Organization: Internet Assigned Numbers Authority (IANA)
Address1: 4676 Admiralty Way, Suite 330
[..]

Broken WHOIS server:

$ telnet whois.denic.de 43
Trying 81.91.162.8...
Connected to whois.denic.de.
Escape character is '^]'.
something.de
Domain:  something.de
Status:  connect

Connection closed by foreign host.

The WHOIS server for .de is not RFC compliant, therefore it is and  
should be listed until it is RFC compliant. Whether some whois  
clients decide to cater to whatever broken syntax .de has decided to  
use is immaterial.


-j
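
The exchange that RFC 3912 sections 2 and 3 describe, as quoted above and in Paul Shupak's message, written out as an added example that is not part of the original thread: one CRLF-terminated request line, then a reply that ends only when the server closes the connection. The function names, the socket-pair stand-in server, the sample records (all constructed) and the UTF-8-then-ISO-8859-1 decoding order are assumptions of this example; the RFC itself names no character set.

```python
import socket
import threading

MAX_RESPONSE = 64 * 1024   # cap on bytes accepted from an untrusted server
TIMEOUT = 10.0             # seconds; a silent server must not hang the client


def decode(raw):
    """RFC 3912 names no character set: try UTF-8, then fall back to ISO-8859-1."""
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.decode("iso-8859-1")   # cannot fail: every byte maps to a code point


def exchange(sock, query, max_bytes=MAX_RESPONSE):
    """Run one RFC 3912 exchange on an already connected stream socket."""
    if "\r" in query or "\n" in query:
        # A request is a single line; an embedded CR or LF would end it early.
        raise ValueError("query must not contain CR or LF")
    sock.sendall(query.encode("utf-8") + b"\r\n")   # terminated with CR then LF
    chunks, total = [], 0
    while True:
        data = sock.recv(4096)
        if not data:               # peer closed the connection: response complete
            break
        total += len(data)
        if total > max_bytes:
            raise OverflowError("response larger than %d bytes" % max_bytes)
        chunks.append(data)
    return decode(b"".join(chunks))


def whois(host, query, port=43):
    """Network entry point (the offline demo below does not call it)."""
    with socket.create_connection((host, port), timeout=TIMEOUT) as sock:
        return exchange(sock, query)


def serve_once(sock, records, seen):
    """Constructed stand-in server: read one CRLF-terminated line, reply, close."""
    buf = b""
    try:
        while not buf.endswith(b"\r\n"):
            data = sock.recv(1024)
            if not data:
                return
            buf += data
        seen.append(buf)
        key = buf[:-2].decode("utf-8", "replace")
        sock.sendall(records.get(key, b"% no entries found\r\n"))
    except OSError:
        pass                       # client went away mid-reply
    finally:
        sock.close()               # closing is the only end-of-response marker


def demo(query, records, max_bytes=MAX_RESPONSE):
    """Run client and stand-in server over a socket pair; return (text, raw request)."""
    client, server = socket.socketpair()
    seen = []
    worker = threading.Thread(target=serve_once, args=(server, records, seen))
    worker.start()
    try:
        client.settimeout(TIMEOUT)
        text = exchange(client, query, max_bytes)
    finally:
        client.close()
        worker.join()
    return text, seen[0]


# Constructed sample records, not real registry data.
SAMPLE = {
    "example.test": b"Domain: example.test\r\nStatus: connect\r\n",
    "latin1.test": "Descr: M\u00fcller\r\n".encode("iso-8859-1"),
    "utf8.test": "Descr: M\u00fcller\r\n".encode("utf-8"),
}

if __name__ == "__main__":
    for name in SAMPLE:
        text, request = demo(name, SAMPLE)
        print(repr(request), "->", repr(text))
```

The client accepts any text the server returns before closing, which is all the quoted section 2 asks of a reply; what fields that text must contain is outside what this code checks.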




RE: false scoring for DNS_FROM_RFC_ABUSE

2006-05-25 Thread Matthew.van.Eerde
Jamie L. Penman-Smithson wrote:
 
(RFC)
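 open TCP   ---- (SYN) ------------------------------>
            <---- (SYN+ACK) -------------------------
 send query ---- "Smith<CR><LF>" -------------------->
 get answer <---- "Info about Smith<CR><LF>" ---------
            <---- "More info about Smith<CR><LF>" ----
 close      <---- (FIN) ------------------------------
            ----- (FIN) ----------------------------->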
  
 Working WHOIS server:
 
 $ telnet whois.iana.org 43
 Trying 192.0.34.118...
 Connected to whois.iana.org.
 Escape character is '^]'.
 example.net
 
 IANA Whois Service
 Domain: example.net
 Name: IANA_RESERVED
 
 Registrant:
  Name: Internet Assigned Numbers Authority (IANA)
  Organization: Internet Assigned Numbers Authority (IANA)
  Address1: 4676 Admiralty Way, Suite 330
 [..]
 
 Broken WHOIS server:
 
 $ telnet whois.denic.de 43
 Trying 81.91.162.8...
 Connected to whois.denic.de.
 Escape character is '^]'.
 something.de
 Domain:  something.de
 Status:  connect
 
 Connection closed by foreign host.
 
 The WHOIS server for .de is not RFC compliant

I agree

 Whether some whois clients decide to cater to whatever broken syntax
 .de has decided to use is immaterial.

I agree here too

-- 
Matthew.van.Eerde (at) hbinc.com   805.964.4554 x902
Hispanic Business Inc./HireDiversity.com   Software Engineer


Re: false scoring for DNS_FROM_RFC_ABUSE

2006-05-24 Thread John Rudd


On May 24, 2006, at 3:01 AM, [EMAIL PROTECTED] wrote:

Even though hotmail.com domain has an abuse address and a postmaster 
address, why do mails from hotmail.com domain get
triggered for these tests

0.4 DNS_FROM_RFC_ABUSE
1.4 DNS_FROM_RFC_POST


I believe the requirement is not just that the addresses exist, but 
that they actually get read by a human.  I think hotmail doesn't do 
this.




RE: false scoring for DNS_FROM_RFC_ABUSE

2006-05-24 Thread Sietse van Zanen
Because Hotmail is NOTmail.
 
Hotmail (Microsofties), does not reply to abuse and postmaster mails. That is 
against RFC, not nice, anti-social etc. etc.
Therefore hotmail, as the same with yahoo is SPAM by default. Some mail server 
admins even block mail coming from there by default.
 
-Sietse



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wed 24-May-06 12:01
To: users@spamassassin.apache.org
Subject: false scoring for DNS_FROM_RFC_ABUSE






Even though hotmail.com domain has an abuse address and a postmaster
address, why do mails from hotmail.com domain get
triggered for these tests

0.4 DNS_FROM_RFC_ABUSE
1.4 DNS_FROM_RFC_POST




Regards
Padma
ERNET Helpdesk




Re: false scoring for DNS_FROM_RFC_ABUSE

2006-05-24 Thread Mike Jackson
Even though hotmail.com domain has an abuse address and a postmaster 
address, why do mails from hotmail.com domain get
triggered for these tests

0.4 DNS_FROM_RFC_ABUSE
1.4 DNS_FROM_RFC_POST


Because it's listed on both of those lists at rfc-ignorant.org:

http://www.rfc-ignorant.org/tools/lookup.php?full=1&domain=hotmail%2Ecom

Basically, even though the addresses are active, they spam-filter them, 
making their use almost pointless.


Personally, I have those two rules zero-scored in my local.cf. Even though I 
like RFCI, and use their bogusmx and dsn lists at the MTA level, these two 
create too many false positives. 



RE: false scoring for DNS_FROM_RFC_ABUSE

2006-05-24 Thread padma


Thanks for the info!



On Wed, 24 May 2006, Sietse van Zanen wrote:


Because Hotmail is NOTmail.

Hotmail (Microsofties), does not reply to abuse and postmaster mails. That is 
against RFC, not nice, anti-social etc. etc.
Therefore hotmail, as the same with yahoo is SPAM by default. Some mail server 
admins even block mail coming from there by default.

-Sietse



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wed 24-May-06 12:01
To: users@spamassassin.apache.org
Subject: false scoring for DNS_FROM_RFC_ABUSE






Even though hotmail.com domain has an abuse address and a postmaster
address, why do mails from hotmail.com domain get
triggered for these tests

0.4 DNS_FROM_RFC_ABUSE
1.4 DNS_FROM_RFC_POST




Regards
Padma
ERNET Helpdesk





--








Regards
Padma
ERNET Helpdesk


Re: false scoring for DNS_FROM_RFC_ABUSE

2006-05-24 Thread padma


that info was indeed good!



On Wed, 24 May 2006, Mike Jackson wrote:

Even though hotmail.com domain has an abuse address and a postmaster 
address, why do mails from hotmail.com domain get
triggered for these tests

0.4 DNS_FROM_RFC_ABUSE
1.4 DNS_FROM_RFC_POST


Because it's listed on both of those lists at rfc-ignorant.org:

http://www.rfc-ignorant.org/tools/lookup.php?full=1&domain=hotmail%2Ecom

Basically, even though the addresses are active, they spam-filter them, 
making their use almost pointless.


Personally, I have those two rules zero-scored in my local.cf. Even though I 
like RFCI, and use their bogusmx and dsn lists at the MTA level, these two 
create too many false positives.


--








Regards
Padma
ERNET Helpdesk


false scoring for DNS_FROM_RFC_ABUSE

2006-05-23 Thread padma




Even though hotmail.com domain has an abuse address and a postmaster 
address, why do mails from hotmail.com domain get
triggered for these tests

0.4 DNS_FROM_RFC_ABUSE
1.4 DNS_FROM_RFC_POST




Regards
Padma
ERNET Helpdesk