
Spam email many have RCVD_IN_DNSWL_MED
Hi,

I'm an Italian user of SpamAssassin. During the last 3 weeks many spam
emails have had their rating cut down by the rule "RCVD_IN_DNSWL_MED". Also
BAYES_99 can do nothing against this :-(

For now I solved the problem by disabling this check, but it is a common
problem for many Italian users.

How can we solve this problem?

Some example:

==========================
Return-Path: <malingeringe89@spcollege.edu>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
www-mydomain.myserver.net
X-Spam-Level: ****
X-Spam-Status: No, score=4.9 required=5.0 tests=BAYES_99,HTML_MESSAGE,
RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,
RCVD_IN_DNSWL_HI,RCVD_IN_RP_RNBL,RDNS_NONE,SPF_PASS autolearn=no
version=3.3.1
X-Original-To: info@mydomain.biz
Delivered-To: info-mydomain.biz@www-mydomain.myserver.net
Received: from [175.145.6.37] (unknown [175.145.6.37])
by www-mydomain.myserver.net (Postfix) with ESMTP id 33C1562AB1
for <info@mydomain.biz>; Tue, 11 Oct 2011 17:52:03 +0200 (CEST)
Received: from (192.168.1.38) by spcollege.edu (175.145.6.37) with
Microsoft SMTP Server id 8.0.685.24; Tue, 11 Oct 2011 23:52:02 +0800
Message-ID: <4E9465F8.104080@spcollege.edu>
Date: Tue, 11 Oct 2011 23:52:02 +0800
From: "Emma Hinton" <malingeringe89@spcollege.edu>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.24)
Gecko/20100328 Thunderbird/2.0.0.24
MIME-Version: 1.0
To: <info@mydomain.biz>
Subject: Il modo sicuro da vincere successo nel letto

==========================

Return-Path: <web0@webbox794.server-home.net>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
www-mydomain.myserver.net
X-Spam-Level:
X-Spam-Status: No, score=-0.4 required=5.0
tests=BAYES_95,HTML_IMAGE_ONLY_32,
HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,RCVD_IN_DNSWL_HI,
RP_MATCHES_RCVD autolearn=no version=3.3.1
X-Original-To: info@mydomain.biz
Delivered-To: info-mydomain.biz@www-mydomain.myserver.net
Received: from webbox794.server-home.net (webbox794.server-home.net
[195.137.213.84])
by www-mydomain.myserver.net (Postfix) with ESMTP id E555B62AB1
for <info@mydomain.biz>; Tue, 11 Oct 2011 17:53:12 +0200 (CEST)
Received: by webbox794.server-home.net (Postfix, from userid 33)
id 69A773A57D; Tue, 11 Oct 2011 17:50:34 +0200 (CEST)
To: info@mydomain.biz
Subject: Atendimento Online - E-Mail

==========================

Return-Path: <promotions@havanabookfairs.ca>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
www-mydomain.myserver.net
X-Spam-Level:
X-Spam-Status: No, score=-0.5 required=5.0 tests=BAYES_99,DKIM_SIGNED,
DKIM_VALID,HTML_MESSAGE,RCVD_IN_DNSWL_HI,SPF_PASS autolearn=no
version=3.3.1
X-Original-To: info@mydomain.biz
Delivered-To: info-mydomain.biz@www-mydomain.myserver.net
Received: from node-sl626.smtp.com (node-sl626.smtp.com [74.86.21.70])
by www-mydomain.myserver.net (Postfix) with ESMTP id 0988362AB1
for <info@mydomain.biz>; Tue, 11 Oct 2011 17:48:49 +0200 (CEST)
Received: from AuthenticCubagateway2wirenet (unknown [69.158.30.30])
by node-sl626.smtp.com (Postfix) with ESMTPA id 6FC709AFC90
for <info@mydomain.biz>; Tue, 11 Oct 2011 11:48:48 -0400 (EDT)
X-SMTPCOM-Spam-Policy: Authenticubatravel is a paid relay service.
We do not tolerate UCE of any kind.
Please report it ASAP to abuse@smtp.com
X-SMTPCOM-Sender-ID: 81808
X-SMTPCOM-Tracking-Number: 2158212
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smtp.com;
s=smtpcomcustomers; t=1318348128;
bh=A6QopSgOzNZLEc2D3APRotTD3nx/BHG8LIMLc9iwHCo=;
h=MIME-Version:From:Reply-To:To:Subject:Content-Type:X-Mailer:Date:
Message-ID;
b=n5GACTgg7Wbqzkwp1yN3t9Qot+N8RLHuLKn7VdbB6TkIlin2QwCCHzp3/WxbcGeOR
Pq0h7YS7IhTQ/+4f0b2WZ6e/hi6oCf13nZdKYTU4aLQi6RJgYN2fLbVZnmMP4XVErj
GmSvz6GdKVND+H55K1w18o3Q5wQYMOqs9tTeZkoI=
MIME-Version: 1.0
From: "Luis - Authentic Cuba Travel" <promotions@havanabookfairs.ca>
Reply-To: promotions@havanabookfairs.ca
To: info@mydomain.biz
Subject: Havana Book Fair- 5 seats left only.

==============================

Return-Path: <josephdarlington@rocketmail.com>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
www-mydomain.myserver.net
X-Spam-Level: *
X-Spam-Status: No, score=1.8 required=5.0 tests=ADVANCE_FEE_3_NEW,BAYES_99,
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,
RCVD_IN_DNSWL_HI,SUBJ_ALL_CAPS,T_TO_NO_BRKTS_FREEMAIL autolearn=no
version=3.3.1
X-Original-To: info@mydomain.biz
Delivered-To: info-mydomain.biz@www-mydomain.myserver.net
Received: from nm14.bullet.mail.sp2.yahoo.com
(nm14.bullet.mail.sp2.yahoo.com [98.139.91.84])
by www-mydomain.myserver.net (Postfix) with SMTP id 8889762AB1
for <info@mydomain.biz>; Tue, 11 Oct 2011 15:44:22 +0200 (CEST)
Received: from [98.139.91.68] by nm14.bullet.mail.sp2.yahoo.com with
NNFMP; 11 Oct 2011 13:44:21 -0000
Received: from [98.139.91.14] by tm8.bullet.mail.sp2.yahoo.com with
NNFMP; 11 Oct 2011 13:44:21 -0000
Received: from [127.0.0.1] by omp1014.mail.sp2.yahoo.com with NNFMP; 11
Oct 2011 13:44:21 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 137695.95300.bm@omp1014.mail.sp2.yahoo.com
Received: (qmail 97348 invoked by uid 60001); 11 Oct 2011 13:44:19 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rocketmail.com;
s=s1024; t=1318340659; bh=1HMUhBugUW+lMVvnEdYhcU8rWTE83gS5zBnSTCkFQ4M=;
h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type;
b=1Sl8gtfyPOlDZPCQYrlpa+fn/JVmI6k3KSJrjX0aPCQb/5+H3iLfKUHW2KRnda6EP1yNJIyGR9bSeUWncwizO8SSmvmpaweDs33YJFCObHry2+rasQTeYobsIW8s5tIQ4O+BzqEm2ONPn2iUGagbOr/pJfb9w9dFjXP2A4+g+MM=
DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=rocketmail.com;

h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type;

b=4Rjs6ubybisIURD/dfSyiB5qE5Bhjya5G/0Xjwj2XonxEh8ivy9uNcms5GLUShwm/Rlbpp6AaGkAdFEUV45uQHWu5m0MpkCIByZ/onYqLdmWMJx0+cBxP8UJKaJe8L2T+s6JOMXdGSKQSMrhY/slSVblUwU7HYAueugQl4HHgoM=;
X-YMail-OSG: RGffxVIVM1n8CvFSmRRgQrupMMb9Oa9oAy.0JQ5H6DaqQYi
Q2LfOtZ9.
Received: from [41.218.245.138] by web190214.mail.sg3.yahoo.com via
HTTP; Tue, 11 Oct 2011 21:44:16 SGT
X-Mailer: YahooMailWebService/0.8.114.317681
Message-ID: <1318340656.62151.YahooMailNeo@web190214.mail.sg3.yahoo.com>
Date: Tue, 11 Oct 2011 21:44:16 +0800 (SGT)
From: Joseph Darlington <josephdarlington@rocketmail.com>
Reply-To: Joseph Darlington <josephdarlington@rocketmail.com>
Subject: REPLY URGENTLY
To: undisclosed recipients: ;
====================

Thanks
--
Alessio Cecchi is:
@ ILS -> http://www.linux.it/~alessice/
on LinkedIn -> http://www.linkedin.com/in/alessice
GNU/Linux Systems Support -> http://www.cecchi.biz/
@ PLUG -> former President, now senator for life, http://www.prato.linux.it
@ LOLUG -> Member http://www.lolug.net
Re: Spam email many have RCVD_IN_DNSWL_MED
On 10/11/11 12:18 PM, Alessio Cecchi wrote:
> I'm an Italian user of SpamAssassin. During the last 3 weeks many spam
> emails have had their rating cut down by the rule "RCVD_IN_DNSWL_MED". Also
> BAYES_99 can do nothing against this :-(
College: new year, new students, new computers, new worms. As the old
saying used to go, "It's September again (tinc)".

RCVD_IN_DNSWL_MED means that the IP address owner doesn't spam much, and
will take immediate action on spam.
(I have an issue with this being applied to a university, where the
IT/email admin/staff has no control over the students' computers)

You can register with dnswl.org and post full emails to them, and they
will act.

NORMALLY, all we do with DNSWL_MED is make sure that they don't get
blacklists applied. We still spam check them.
And, to prevent these from messing up Bayes, put this in local.cf and
restart spamd:

tflags RCVD_IN_DNSWL_HI net nice noautolearn
tflags RCVD_IN_DNSWL_MED net nice noautolearn
tflags RCVD_IN_DNSWL_LOW net nice noautolearn



--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
SECNAP Network Security Corporation

* Best Mobile Solutions Product of 2011
* Best Intrusion Prevention Product
* Hot Company Finalist 2011
* Best Email Security Product
* Certified SNORT Integrator

______________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r).
For Information please see http://www.spammertrap.com/
______________________________________________________________________
Re: Spam email many have RCVD_IN_DNSWL_HI (was MED)
On 11/10/2011 18:28, Michael Scheidell wrote:
> On 10/11/11 12:18 PM, Alessio Cecchi wrote:
>> I'm an Italian user of SpamAssassin. During the last 3 weeks many spam
>> emails have had their rating cut down by the rule "RCVD_IN_DNSWL_MED". Also
>> BAYES_99 can do nothing against this :-(
> College: new year, new students, new computers, new worms. As the old
> saying used to go, "It's September again (tinc)".

:-)

> RCVD_IN_DNSWL_MED means that the IP address owner doesn't spam much, and
> will take immediate action on spam.
> (I have an issue with this being applied to a university, where the
> IT/email admin/staff has no control over the students' computers)

Sorry, I wrote MED but the problem is with

RCVD_IN_DNSWL_HI

as you can see from the headers.

Thanks
--
Alessio Cecchi is:
@ ILS -> http://www.linux.it/~alessice/
on LinkedIn -> http://www.linkedin.com/in/alessice
GNU/Linux Systems Support -> http://www.cecchi.biz/
@ PLUG -> former President, now senator for life, http://www.prato.linux.it
@ LOLUG -> Member http://www.lolug.net
Re: Spam email many have RCVD_IN_DNSWL_MED
On 10/11, Alessio Cecchi wrote:
> I'm an Italian user of SpamAssassin. During the last 3 weeks many
> spam emails have had their rating cut down by the rule "RCVD_IN_DNSWL_MED".
> Also BAYES_99 can do nothing against this :-(
>
> For now I solved the problem by disabling this check, but it is a common
> problem for many Italian users.

(I'm an inactive dnswl.org admin.)

The effectiveness of all spam filtration is highly dependent on having
people providing data to the system in the languages it's used on. I bet
both DNSWL and SpamAssassin would benefit from you feeding them data.
I suspect neither has *any* data from Italy, which would result in
terrible accuracy in Italy.

I suspect spamassassin is terrible in most non-English languages due to a
lack of non-English speaking people providing data via masscheck:
http://wiki.apache.org/spamassassin/NightlyMassCheck
Rule scores are calculated from data submitted this way, so all of the
accuracy of spamassassin depends on it. Except for bayes. I bet you're
heavily dependent on bayes due to lack of Italian email data via masscheck.
You don't actually send in your mails, just the score hits, so it's not a
privacy problem. Currently this data is only coming from about 10 people.
Amazing it works. Actually, currently, it doesn't work. Score
re-generation isn't happening due to a problem preventing processing of
masscheck data from 3 more people (bug 6671). So what's amazing is that
it works usefully when data from all 13 of those people is available. So,
be #14 and make spamassassin more accurate. When bug 6671 is fixed.

To report abuse to dnswl.org, on http://www.dnswl.org/ there is a "Report
Abuse" section in the right column. I wrote a spamassassin plugin
which might make it easier to report spam that matches dnswl rules:
http://www.chaosreigns.com/dnswl/sa_plugin/

And I have my own IP reputation project that could use your data:
http://www.chaosreigns.com/iprep/

--
"If you want to make an apple pie from scratch, you must first create
the universe." - Carl Sagan
http://www.ChaosReigns.com
Re: Spam email many have RCVD_IN_DNSWL_MED
On Tue, 11 Oct 2011 12:28:53 -0400
Michael Scheidell wrote:

> On 10/11/11 12:18 PM, Alessio Cecchi wrote:
> > I'm an Italian user of SpamAssassin. During the last 3 weeks many
> > spam emails have had their rating cut down by the rule "RCVD_IN_DNSWL_MED".
> > Also BAYES_99 can do nothing against this :-(
> College: new year, new students, new computers, new worms. As the
> old saying used to go, "It's September again (tinc)".
>
> RCVD_IN_DNSWL_MED means that the IP address owner doesn't spam much,
> and will take immediate action on spam.
> (I have an issue with this being applied to a university, where the
> IT/email admin/staff has no control over the students' computers)


DNSWL also encodes information about the type of business or
institution, e.g. I have:

header RCVD_IN_DNSWL_C11 eval:check_rbl_sub('dnswl-firsttrusted', '127.0.11.\d+')
describe RCVD_IN_DNSWL_C11 Category - Academic

If you want something a little more fine-grained you could replace the
existing rules with meta-rules based on combinations of HI, MED and LOW
with the categories. A problem with this is that quite a lot of email is
outsourced and shows as "Service/network providers", but the spam that
goes through universities tends to show as Academic.
Re: Spam email many have RCVD_IN_DNSWL_MED
On Tue, 11 Oct 2011, Alessio Cecchi wrote:

> Return-Path: <josephdarlington@rocketmail.com>
> X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
> www-mydomain.myserver.net
> X-Spam-Level: *
> X-Spam-Status: No, score=1.8 required=5.0 tests=ADVANCE_FEE_3_NEW,BAYES_99,
> DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,
> RCVD_IN_DNSWL_HI,SUBJ_ALL_CAPS,T_TO_NO_BRKTS_FREEMAIL autolearn=no
> version=3.3.1
> X-Original-To: info@mydomain.biz
> Delivered-To: info-mydomain.biz@www-mydomain.myserver.net
> Received: from nm14.bullet.mail.sp2.yahoo.com (nm14.bullet.mail.sp2.yahoo.com
> [98.139.91.84])
> by www-mydomain.myserver.net (Postfix) with SMTP id 8889762AB1
> for <info@mydomain.biz>; Tue, 11 Oct 2011 15:44:22 +0200 (CEST)

Yahoo is in RCVD_IN_DNSWL_HI ?!?! YGBFKM!

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The world has enough Mouse Clicking System Engineers.
-- Dave Pooser
-----------------------------------------------------------------------
306 days since the first successful private orbital launch (SpaceX)
Re: Spam email many have RCVD_IN_DNSWL_MED
On 10/11/11 1:27 PM, darxus@chaosreigns.com wrote:
> On 10/11, Alessio Cecchi wrote:
>
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /dnswl/dl/DNSWLh.pm
on this server.</p>
<hr>
<address>Apache/2.2.14 (Ubuntu) Server at www.chaosreigns.com Port
80</address>
> http://www.chaosreigns.com/dnswl/sa_plugin/
>
> And I have my own IP reputation project that could use your data:
> http://www.chaosreigns.com/iprep/
>


--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
SECNAP Network Security Corporation
Re: Spam email many have RCVD_IN_DNSWL_MED
On 10/11/11 1:47 PM, John Hardin wrote:
> Yahoo is in RCVD_IN_DNSWL_HI ?!?! YGBFKM!
there goes the neighborhood.

I am removing RCVD_IN_DNSWL_HI checks on our servers right now.


--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
SECNAP Network Security Corporation
Re: Spam email many have RCVD_IN_DNSWL_MED
Alessio Cecchi <alessio@skye.it> wrote:
> I'm an Italian user of SpamAssassin. During the last 3 weeks many spam
> emails have had their rating cut down by the rule "RCVD_IN_DNSWL_MED". Also
> BAYES_99 can do nothing against this :-(
>
> For now I solved the problem by disabling this check, but it is a common
> problem for many Italian users.
>
> How can we solve this problem?
> [...]

Do you report spam you receive to spamcop.net and, for dnswl.org listed
hosts, to dnswl.org?

I have used a few free email accounts for my usenet posts for years.
I report received spam via spamcop.net and dnswl.org [I use my own
custom perl scripts].
=>
I do not remember any long stream of spam from dnswl.org listed domains
above DNSWL_NONE (gmail with DNSWL_LOW is the only noticeable exception).
It seems that sporadic breaking of SMTP AUTH passwords does happen, but
sites >DNSWL_LOW react quite promptly after being notified.

P.S. How many spam per day do you receive?
Re: Spam email many have RCVD_IN_DNSWL_MED
On 10/11, John Hardin wrote:
> On Tue, 11 Oct 2011, Alessio Cecchi wrote:
> >Received: from nm14.bullet.mail.sp2.yahoo.com
> >(nm14.bullet.mail.sp2.yahoo.com [98.139.91.84])
> > by www-mydomain.myserver.net (Postfix) with SMTP id 8889762AB1
> > for <info@mydomain.biz>; Tue, 11 Oct 2011 15:44:22 +0200 (CEST)
>
> Yahoo is in RCVD_IN_DNSWL_HI ?!?! YGBFKM!

Hah, no, that IP, 98.139.91.84, is listed as NONE. As it should be.

$ host 84.91.139.98.list.dnswl.org
84.91.139.98.list.dnswl.org has address 127.0.5.0

0 in the last octet of the returned IP = NONE.
- http://www.dnswl.org/tech


So, there could be a trusted_networks / internal_networks spamassassin
configuration problem, a bug in spamassassin, or a DNS server between
spamassassin and dnswl.org doing something weird.

Alessio, a good place to start would be to add to your spamassassin config:

add_header all RelaysUntrusted _RELAYSUNTRUSTED_

This will add headers like:

X-Spam-RelaysUntrusted: [ ip=140.211.11.3 rdns=hermes.apache.org

That first IP listed is the IP that network tests like RCVD_IN_DNSWL_* use,
so it should be the IP you got it from. In this example you'd want it to
be 98.139.91.84. If it's not, you have a problem with your
trusted_networks / internal_networks settings in your spamassassin config.


On 10/11, Michael Scheidell wrote:
> <p>You don't have permission to access /dnswl/dl/DNSWLh.pm

Thanks, fixed. Sorry about that.


On 10/11, Michael Scheidell wrote:
> On 10/11/11 1:47 PM, John Hardin wrote:
> >Yahoo is in RCVD_IN_DNSWL_HI ?!?! YGBFKM!
> there goes the neighborhood.
>
> I am removing RCVD_IN_DNSWL_HI checks on our servers right now.

I encourage you to develop a habit of verifying information before making
decisions based on it.

--
"Let's just say that if complete and utter chaos was lightning, then
he'd be the sort to stand on a hilltop in a thunderstorm wearing wet
copper armour and shouting 'All gods are bastards'." - The Color of Magic
http://www.ChaosReigns.com
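The dnswl.org answer encoding and the X-Spam-RelaysUntrusted check described in the post above, as an added Python example; it is not part of the thread and not code from SpamAssassin or dnswl.org. It assumes the 127.0.<category>.<trust> layout documented at http://www.dnswl.org/tech, with trust octet 0=NONE, 1=LOW, 2=MED, 3=HI. Category 11 (Academic) is taken from RW's rule earlier in the thread; category 5 = "Service/network providers" is an assumption from dnswl.org's published category table, and every other category is reported by number only. The function names, the constructed header sample and the sample answers are mine.

```python
"""Decode dnswl.org answers and find the relay IP SpamAssassin tests.

Added example, not code from the thread, SpamAssassin or dnswl.org.
Assumed answer layout: 127.0.<category>.<trust>, trust 0..3 =
NONE/LOW/MED/HI (http://www.dnswl.org/tech and the thread above).
"""
import ipaddress
import re
import socket

DNSWL_ZONE = "list.dnswl.org"

TRUST_LEVELS = {0: "NONE", 1: "LOW", 2: "MED", 3: "HI"}
# 11 = Academic is from the thread; 5 = Service/network providers is an
# assumption from dnswl.org's category table.  Everything else stays numeric.
CATEGORIES = {5: "Service/network providers", 11: "Academic"}


def dnswl_query_name(ip: str) -> str:
    """Reverse the IPv4 octets and append the zone, e.g.
    98.139.91.84 -> 84.91.139.98.list.dnswl.org (the form used with `host`)."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on junk input
    return ".".join(reversed(str(addr).split("."))) + "." + DNSWL_ZONE


def decode_dnswl_answer(answer):
    """Map an A-record answer to (category, trust), or None if unlisted.

    None in means the lookup got NXDOMAIN.  Anything outside 127.0.0.0/16
    raises, because a non-127 answer (a wildcarding search domain, a
    captive resolver) must never be treated as a dnswl.org listing.
    """
    if answer is None:
        return None
    a = int(ipaddress.IPv4Address(answer))
    if a >> 16 != 0x7F00:
        raise ValueError(f"not a dnswl.org answer: {answer}")
    category = (a >> 8) & 0xFF
    trust = a & 0xFF
    if trust not in TRUST_LEVELS:
        raise ValueError(f"unknown trust octet {trust} in {answer}")
    return CATEGORIES.get(category, f"category {category}"), TRUST_LEVELS[trust]


def expected_rule(answer):
    """Which RCVD_IN_DNSWL_* rule a given answer should produce (None if unlisted)."""
    decoded = decode_dnswl_answer(answer)
    if decoded is None:
        return None
    return "RCVD_IN_DNSWL_" + decoded[1]


RELAY_IP_RE = re.compile(r"\bip=(\d{1,3}(?:\.\d{1,3}){3})")


def first_untrusted_relay(header_value: str):
    """Return the first ip= entry of an X-Spam-RelaysUntrusted header value.

    Per the post above, that entry is the relay the network tests are run
    against; it should match the IP in your topmost Received: line.
    """
    m = RELAY_IP_RE.search(header_value)
    return m.group(1) if m else None


def lookup(ip: str):
    """Live lookup through the system resolver; None means NXDOMAIN."""
    try:
        return socket.gethostbyname(dnswl_query_name(ip))
    except socket.gaierror:
        return None


if __name__ == "__main__":
    # Constructed sample shaped like the header the thread shows.
    hdr = "[ ip=98.139.91.84 rdns=nm14.bullet.mail.sp2.yahoo.com helo=... ]"
    ip = first_untrusted_relay(hdr)
    print(ip, "->", dnswl_query_name(ip))
    for ans in ("127.0.5.0", "127.0.11.2", "127.0.10.3", None):
        print(ans, decode_dnswl_answer(ans), expected_rule(ans))
```

Running the script prints the decoded sample answers; `lookup()` is the only function that touches the network, so you can feed it the relay IP from your own X-Spam-RelaysUntrusted header and compare the decoded trust level with the RCVD_IN_DNSWL_* rule that actually fired.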
Re: Spam email many have RCVD_IN_DNSWL_MED
Thanks to John Hardin for noticing one of these was off. I should've
checked them before replying.

*None* of these should be hitting RCVD_IN_DNSWL_HI or RCVD_IN_DNSWL_MED, or
even RCVD_IN_DNSWL_LOW.

Alessio, you have a problem *other* than the data listed by dnswl.org.
Start with the X-Spam-RelaysUntrusted header I recommended in my last post.


On 10/11, Alessio Cecchi wrote:
> Received: from [175.145.6.37] (unknown [175.145.6.37])

$ host 37.6.145.175.list.dnswl.org
Host 37.6.145.175.list.dnswl.org not found: 3(NXDOMAIN)

Should not hit any RCVD_IN_DNSWL_* rules.

> Received: from webbox794.server-home.net (webbox794.server-home.net
> [195.137.213.84])

$ host 84.213.137.195.list.dnswl.org
Host 84.213.137.195.list.dnswl.org not found: 3(NXDOMAIN)

Should not hit any RCVD_IN_DNSWL_* rules.

> Received: from node-sl626.smtp.com (node-sl626.smtp.com [74.86.21.70])

$ host 70.21.86.74.list.dnswl.org
Host 70.21.86.74.list.dnswl.org not found: 3(NXDOMAIN)

Should not hit any RCVD_IN_DNSWL_* rules.

> Received: from nm14.bullet.mail.sp2.yahoo.com
> (nm14.bullet.mail.sp2.yahoo.com [98.139.91.84])

$ host 84.91.139.98.list.dnswl.org
84.91.139.98.list.dnswl.org has address 127.0.5.0

Should hit RCVD_IN_DNSWL_NONE.

--
"A ship in a port is safe, but that's not what ships are built for."
-Grace Murray Hopper
http://www.ChaosReigns.com
Re: Spam email many have RCVD IN DNSWL MED
On Tue, 11 Oct 2011 18:18:59 +0200, Alessio Cecchi wrote:
> I'm an Italian user of SpamAssassin. During the last 3 weeks many
> spam emails have had their rating cut down by the rule "RCVD_IN_DNSWL_MED".
> Also
> BAYES_99 can do nothing against this :-(

Elaborate on Bayes please.

> For now I solved the problem by disabling this check, but it is a common
> problem for many Italian users.

Italian users are not special :-)

> How can we solve this problem?

http://www.dnswl.org/ see link abuse reporting

When set up, do spamassassin -r spammsg
Re: Spam email many have RCVD_IN_DNSWL_MED
On 10/11, Benny Pedersen wrote:
> >BAYES_99 can do nothing against this :-(
>
> Elaborate on Bayes please.

http://wiki.apache.org/spamassassin/BayesInSpamAssassin

http://en.wikipedia.org/wiki/Bayesian_spam_filtering

> http://www.dnswl.org/ see link abuse reporting
>
> when setup, do spamassassin -r spammsg

For that to work, you have to have my dnswl abuse reporting plugin
installed, which is not documented on http://www.dnswl.org/ but can be
downloaded from http://www.chaosreigns.com/dnswl/sa_plugin/
(It's also listed on http://wiki.apache.org/spamassassin/CustomPlugins )

--
"Blades don't need reloading." - The Zombie Survival Guide by Max Brooks
http://www.ChaosReigns.com
Re: Spam email many have RCVD IN DNSWL MED
On Tue, 11 Oct 2011 13:27:04 -0400, darxus@chaosreigns.com wrote:
> And I have my own IP reputation project that could use your data:
> http://www.chaosreigns.com/iprep/

Shame on Microsoft for not letting me have IE9, shame on you for not letting
me see your page as HTML 3.2.
Re: Spam email many have RCVD IN DNSWL MED
On Tue, 11 Oct 2011 15:24:54 -0400, darxus@chaosreigns.com wrote:
> On 10/11, Benny Pedersen wrote:
>> >BAYES_99 can do nothing against this :-(
>>
>> Elaborate on Bayes please.
>
> http://wiki.apache.org/spamassassin/BayesInSpamAssassin
>
> http://en.wikipedia.org/wiki/Bayesian_spam_filtering

Thanks for the link, but it was more info from the above sender for why
Bayes 99 is not good.

>
>> http://www.dnswl.org/ see link abuse reporting
>>
>> when setup, do spamassassin -r spammsg
>
> For that to work, you have to have my dnswl abuse reporting plugin
> installed, which is not documented on http://www.dnswl.org/ but can
> be
> downloaded from http://www.chaosreigns.com/dnswl/sa_plugin/
> (It's also listed on
> http://wiki.apache.org/spamassassin/CustomPlugins )

It does report dnswl_none, which is IMHO wasted reporting; don't know if
there is a new version to report on dnswl.
Re: Spam email many have RCVD_IN_DNSWL_MED
On 10/11, Benny Pedersen wrote:
> Thanks for the link, but it was more info from the above sender for why
> Bayes 99 is not good.

Oh, probably just because for some reason he isn't comfortable with
increasing the score of the BAYES_99 rule. Although he'd be much better
off figuring out why he's getting the wrong DNSWL rule hits and fixing
that.

> >downloaded from http://www.chaosreigns.com/dnswl/sa_plugin/
> >(It's also listed on
> >http://wiki.apache.org/spamassassin/CustomPlugins )
>
> It does report dnswl_none, which is IMHO wasted reporting; don't know
> if there is a new version to report on dnswl.

I think you tried to say "it doesn't accept reports of abuse for spam from
IPs that DNSWL doesn't list." (It does work for RCVD_IN_DNSWL_NONE,
because that's a listed trust level, different from an IP being unlisted.)

I agree. I used to have ssh access to modify the web interface, but I
didn't by the time I wrote that plugin, so I had to use what was available,
the abuse reporting web form. Which doesn't accept reports of "abuse" from
IPs that aren't listed by dnswl.org. I asked for my ssh access back, and
asked for that form to accept reports of unlisted IPs, but that's one of
the things Matthias has always been resistant to - keeping track of
known spamming IPs so they don't get listed as non-spammers in the future.
I think the internal data structures were eventually modified to handle
it (I think there's an internal, unpublished trust level of "black"),
but that web form still doesn't accept those reports.

That's a large part of why I created http://www.chaosreigns.com/iprep/
Works great for people providing data, I just don't have data from enough
people for it to be usefully accurate for people not sending data.

--
"Every man, woman and child on the face of this earth is at the mercy
of chaos." - a maxwell smart movie
http://www.ChaosReigns.com
Re: Spam email many have RCVD_IN_DNSWL_MED
On 2011/10/11 12:30, Benny Pedersen wrote:
> On Tue, 11 Oct 2011 13:27:04 -0400, darxus@chaosreigns.com wrote:
>> And I have my own IP reputation project that could use your data:
>> http://www.chaosreigns.com/iprep/
>
> Shame on Microsoft for not letting me have IE9, shame on you for not letting me see your
> page as HTML 3.2.
>
Shame on you for not using Opera, FireFox, Chrome, or other.

{o.o}
Re: Spam email many have RCVD_IN_DNSWL_MED
On 11/10/2011 20:58, darxus@chaosreigns.com wrote:
> Thanks to John Hardin for noticing one of these was off. I should've
> checked them before replying.
>
> *None* of these should be hitting RCVD_IN_DNSWL_HI or RCVD_IN_DNSWL_MED, or
> even RCVD_IN_DNSWL_LOW.
>
> Alessio, you have a problem *other* than the data listed by dnswl.org.
> Start with the X-Spam-RelaysUntrusted header I recommended in my last post.

I have found the problem: Google name server

> On 10/11, Alessio Cecchi wrote:
>> Received: from [175.145.6.37] (unknown [175.145.6.37])
>
> $ host 37.6.145.175.list.dnswl.org
> Host 37.6.145.175.list.dnswl.org not found: 3(NXDOMAIN)
>
> Should not hit any RCVD_IN_DNSWL_* rules.

In this installation:

# cat /etc/resolv.conf
nameserver 8.8.8.8
nameserver 8.8.4.4

# host 37.6.145.175.list.dnswl.org
37.6.145.175.list.dnswl.org has address 127.0.10.3

>> Received: from webbox794.server-home.net (webbox794.server-home.net
>> [195.137.213.84])
>
> $ host 84.213.137.195.list.dnswl.org
> Host 84.213.137.195.list.dnswl.org not found: 3(NXDOMAIN)
>
> Should not hit any RCVD_IN_DNSWL_* rules.

# host 84.213.137.195.list.dnswl.org
84.213.137.195.list.dnswl.org has address 127.0.10.3

>> Received: from node-sl626.smtp.com (node-sl626.smtp.com [74.86.21.70])
>
> $ host 70.21.86.74.list.dnswl.org
> Host 70.21.86.74.list.dnswl.org not found: 3(NXDOMAIN)
>
> Should not hit any RCVD_IN_DNSWL_* rules.

# host 70.21.86.74.list.dnswl.org
70.21.86.74.list.dnswl.org has address 127.0.10.3

>> Received: from nm14.bullet.mail.sp2.yahoo.com
>> (nm14.bullet.mail.sp2.yahoo.com [98.139.91.84])
>
> $ host 84.91.139.98.list.dnswl.org
> 84.91.139.98.list.dnswl.org has address 127.0.5.0
>
> Should hit RCVD_IN_DNSWL_NONE.
>

# host 84.91.139.98.list.dnswl.org
84.91.139.98.list.dnswl.org has address 127.0.10.3

Also from my PC I have the same behaviour if I query google name server:

alessice@pc1-linux:~$ nslookup 37.6.145.175.list.dnswl.org 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Name: 37.6.145.175.list.dnswl.org
Address: 127.0.10.3

alessice@pc1-linux:~$ nslookup 37.6.145.175.list.dnswl.org 151.99.125.2
Server: 151.99.125.2
Address: 151.99.125.2#53

** server can't find 37.6.145.175.list.dnswl.org: NXDOMAIN

I usually configure "127.0.0.1" as resolver, but not in this installation.

Why does the Google name server return an incorrect value?

Thanks!
--
Alessio Cecchi is:
@ ILS -> http://www.linux.it/~alessice/
on LinkedIn -> http://www.linkedin.com/in/alessice
GNU/Linux Systems Support -> http://www.cecchi.biz/
@ PLUG -> former President, now senator for life, http://www.prato.linux.it
@ LOLUG -> Member http://www.lolug.net
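The cross-resolver comparison Alessio did by hand in the post above, as an added Python example; it is not part of the thread and not code from SpamAssassin or dnswl.org. It parses `host`-style output, compares a reference resolver's answers for the same list.dnswl.org names with a second resolver's, and flags a resolver that hands back one identical listed value for every name queried. REFERENCE_OUTPUT and PUBLIC_OUTPUT are constructed from the `host` and `nslookup` output quoted in the thread; `query_via`, `audit` and the other function names are mine, and `query_via` is a live helper that shells out to `host NAME RESOLVER` when you want to check your own resolvers.

```python
"""Compare list.dnswl.org answers across resolvers to spot a bad resolver.

Added example, not code from the thread, SpamAssassin or dnswl.org.
The sample outputs are constructed from the lookups quoted in the thread.
"""
import re
import subprocess

# Two line shapes produced by `host`: a listing and an NXDOMAIN.
HAS_ADDRESS_RE = re.compile(r"^(\S+) has address (\d{1,3}(?:\.\d{1,3}){3})$")
NOT_FOUND_RE = re.compile(r"^Host (\S+) not found: 3\(NXDOMAIN\)$")


def dnswl_query_name(ip):
    """98.139.91.84 -> 84.91.139.98.list.dnswl.org"""
    return ".".join(reversed(ip.split("."))) + ".list.dnswl.org"


def parse_host_output(text):
    """Parse `host` output into {name: address or None}; None = NXDOMAIN."""
    results = {}
    for line in text.splitlines():
        line = line.strip()
        m = HAS_ADDRESS_RE.match(line)
        if m:
            results[m.group(1)] = m.group(2)
            continue
        m = NOT_FOUND_RE.match(line)
        if m:
            results[m.group(1)] = None
    return results


def query_via(resolver, names):
    """Live helper: run `host NAME RESOLVER` for each name (not exercised by tests)."""
    out = []
    for name in names:
        proc = subprocess.run(["host", name, resolver], capture_output=True, text=True)
        out.append(proc.stdout)
    return parse_host_output("\n".join(out))


def disagreements(reference, candidate):
    """Names where the candidate resolver's answer differs from the reference.

    A sentinel is used for names the candidate never answered, so 'missing'
    is not confused with an honest NXDOMAIN (None).
    """
    missing = object()
    return sorted(n for n in reference if candidate.get(n, missing) != reference[n])


def looks_blanket_listed(answers):
    """True when every queried name got the same *listed* answer.

    Distinct IPs legitimately fall into different categories and trust
    levels, or are unlisted, so one uniform answer across a varied set of
    names means the resolver is not relaying real dnswl.org data.
    """
    values = set(answers.values())
    return len(answers) > 1 and len(values) == 1 and None not in values


# Constructed from the thread: what the ISP/authoritative path returned ...
REFERENCE_OUTPUT = """\
Host 37.6.145.175.list.dnswl.org not found: 3(NXDOMAIN)
Host 84.213.137.195.list.dnswl.org not found: 3(NXDOMAIN)
Host 70.21.86.74.list.dnswl.org not found: 3(NXDOMAIN)
84.91.139.98.list.dnswl.org has address 127.0.5.0
"""
# ... and what the public resolver returned for the same names.
PUBLIC_OUTPUT = """\
37.6.145.175.list.dnswl.org has address 127.0.10.3
84.213.137.195.list.dnswl.org has address 127.0.10.3
70.21.86.74.list.dnswl.org has address 127.0.10.3
84.91.139.98.list.dnswl.org has address 127.0.10.3
"""


def audit(reference_text, candidate_text):
    """Return (names the candidate disagrees on, blanket-listing flag)."""
    ref = parse_host_output(reference_text)
    cand = parse_host_output(candidate_text)
    return disagreements(ref, cand), looks_blanket_listed(cand)


if __name__ == "__main__":
    names, blanket = audit(REFERENCE_OUTPUT, PUBLIC_OUTPUT)
    print("disagreements:", names)
    print("blanket listing:", blanket)
```

To run the same audit against your own setup, build the names with `dnswl_query_name()` from the relay IPs in your headers, call `query_via()` once with the resolver SpamAssassin uses and once with a resolver you trust, and pass both results to `disagreements()`; a blanket-listing flag on the resolver SpamAssassin uses is the signature of the symptom in this thread, where every unlisted address came back as a HI listing.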
Re: Spam email many have RCVD_IN_DNSWL_MED
On Wed, Oct 12, 2011 at 02:15, Alessio Cecchi <alessio@skye.it> wrote:
>
> Why does the Google name server return an incorrect value?

Because sometimes the Google name servers overload the upstream system
and get blocked. The same thing happens if you use the Level 3
servers (4.2.2.x). You would be better served by installing a local
DNS resolver like pdns_resolver.

-Jim P.
Re: Spam email many have RCVD IN DNSWL MED
On Tue, 11 Oct 2011 18:53:40 -0700, jdow wrote:
> On 2011/10/11 12:30, Benny Pedersen wrote:
>> On Tue, 11 Oct 2011 13:27:04 -0400, darxus@chaosreigns.com wrote:
>>> And I have my own IP reputation project that could use your data:
>>> http://www.chaosreigns.com/iprep/
>> Shame on Microsoft for not letting me have IE9, shame on you for not letting me
>> see your
>> page as HTML 3.2.
> Shame on you for not using Opera, FireFox, Chrome, or other.

Why not HTML 3.2? It is supported in all browsers, incl. some
versions of Netscrape; Firefox sucks here. Oh well, installed privoxy via
squid now.
Re: Spam email many have RCVD IN DNSWL MED
On Wed, 12 Oct 2011 08:15:03 +0200, Alessio Cecchi wrote:
[snip]
> Why does the Google name server return an incorrect value?

Google is free, so they can suck as much as they want to :)

dig -4 +trace 10.223.104.2.list.dnswl.org

resolved in 154 ms here

Does it time out? Then contact dnswl.org.

Make sure you have the latest root zone file; it will not be up to date
if bind is not updated.

Hope that helps you as well, it did for me.

Try logging lame bind DNS logs, contact DNS admins if any are listed
there.
Re: Spam email many have RCVD_IN_DNSWL_MED
darxus@chaosreigns.com writes:

> To report abuse to dnswl.org, on http://www.dnswl.org/ there is a "Report
> Abuse" section in the right column. I wrote a spamassassin plugin
> which might make it easier to report spam that matches dnswl rules:
> http://www.chaosreigns.com/dnswl/sa_plugin/

It would seem a good idea for reporting plugins to be part of the base
distribution, just needing credentials to be set, for all services that
are part of the base distribution.
Is there a reason (other than lack of time) for this not to be in the
main release?
Re: Spam email many have RCVD_IN_DNSWL_MED
On 10/12, Greg Troxel wrote:
>
> darxus@chaosreigns.com writes:
>
> > To report abuse to dnswl.org, on http://www.dnswl.org/ there is a "Report
> > Abuse" section in the right column. I wrote a spamassassin plugin
> > which might make it easier to report spam that matches dnswl rules:
> > http://www.chaosreigns.com/dnswl/sa_plugin/
>
> It would seem a good idea for reporting plugins to be part of the base
> distribution, just needing credentials to be set, for all services that
> are part of the base distribution.
> Is there a reason (other than lack of time) for this not to be in the
> main release?

The bug discussing my attempts to do that is here:
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6545

I've found working with both SpamAssassin and DNSWL.org incredibly
frustrating.

The plugin is already released under the same license as spamassassin,
you're welcome to try to get it included.


Maybe I should set up a similar reporting plugin for my iprep project.
( http://www.chaosreigns.com/iprep/ ) Any interest?

--
"If everything seems under control, you're not going fast enough"
- Mario Andretti
http://www.ChaosReigns.com