Re: URIBL_RHS_DOB high hits
On 06.10.2014 at 19:06, Axb wrote:
On 10/06/2014 07:01 PM, David Jones wrote:
Anyone else seeing an unusually high hit count today for URIBL_RHS_DOB?

host google.com.dob.sibl.support-intelligence.net
Host google.com.dob.sibl.support-intelligence.net not found: 3(NXDOMAIN)

web tools sigh

not that it was not junk but created 10 years ago

Date: Tue, 07 Oct 2014 12:00:47 +0200
1.0 URIBL_RHS_DOB Contains an URI of a new domain (Day Old Bread)
* [URIs: emms.com]

Domain Name: EMMS.COM
Registrar: REGISTRYGATE GMBH
Whois Server: whois.registrygate.com
Referral URL: http://www.registrygate.com
Name Server: NS1.DNSSOCKET.NET
Name Server: NS2.DNSSOCKET.NET
Status: clientTransferProhibited
Updated Date: 02-jul-2014
Creation Date: 06-may-2004
Expiration Date: 06-may-2015
Re: URIBL_RHS_DOB high hits
On 10/07/2014 12:40 PM, Reindl Harald wrote:
On 06.10.2014 at 19:06, Axb wrote:
On 10/06/2014 07:01 PM, David Jones wrote:
Anyone else seeing an unusually high hit count today for URIBL_RHS_DOB?

host google.com.dob.sibl.support-intelligence.net
Host google.com.dob.sibl.support-intelligence.net not found: 3(NXDOMAIN)

web tools sigh

not that it was not junk but created 10 years ago

Date: Tue, 07 Oct 2014 12:00:47 +0200
1.0 URIBL_RHS_DOB Contains an URI of a new domain (Day Old Bread)
* [URIs: emms.com]

Domain Name: EMMS.COM
Registrar: REGISTRYGATE GMBH
Whois Server: whois.registrygate.com
Referral URL: http://www.registrygate.com
Name Server: NS1.DNSSOCKET.NET
Name Server: NS2.DNSSOCKET.NET
Status: clientTransferProhibited
Updated Date: 02-jul-2014
Creation Date: 06-may-2004
Expiration Date: 06-may-2015

host emms.com.dob.sibl.support-intelligence.net
Host emms.com.dob.sibl.support-intelligence.net not found: 3(NXDOMAIN)

funky resolver?
Re: URIBL_RHS_DOB high hits
On 07.10.2014 at 12:53, Axb wrote:
On 10/07/2014 12:40 PM, Reindl Harald wrote:
On 06.10.2014 at 19:06, Axb wrote:
On 10/06/2014 07:01 PM, David Jones wrote:
Anyone else seeing an unusually high hit count today for URIBL_RHS_DOB?

host google.com.dob.sibl.support-intelligence.net
Host google.com.dob.sibl.support-intelligence.net not found: 3(NXDOMAIN)

web tools sigh

not that it was not junk but created 10 years ago

Date: Tue, 07 Oct 2014 12:00:47 +0200
1.0 URIBL_RHS_DOB Contains an URI of a new domain (Day Old Bread)
* [URIs: emms.com]

Domain Name: EMMS.COM
Registrar: REGISTRYGATE GMBH
Whois Server: whois.registrygate.com
Referral URL: http://www.registrygate.com
Name Server: NS1.DNSSOCKET.NET
Name Server: NS2.DNSSOCKET.NET
Status: clientTransferProhibited
Updated Date: 02-jul-2014
Creation Date: 06-may-2004
Expiration Date: 06-may-2015

host emms.com.dob.sibl.support-intelligence.net
Host emms.com.dob.sibl.support-intelligence.net not found: 3(NXDOMAIN)

funky resolver?

unbound on localhost with adjusted caching to avoid DNS mistakes hit for many hours, i get 3 responses one of them with 127.0.0.2 and two with NXDOMAIN and exactly the same result on the LAN cache running BIND while both do recursion and not forwarding

cache-min-ttl: 300
cache-max-ttl: 3600

host emms.com.dob.sibl.support-intelligence.net
emms.com.dob.sibl.support-intelligence.net has address 127.0.0.2
Host emms.com.dob.sibl.support-intelligence.net not found: 3(NXDOMAIN)
Host emms.com.dob.sibl.support-intelligence.net not found: 3(NXDOMAIN)

host emms.com.dob.sibl.support-intelligence.net
emms.com.dob.sibl.support-intelligence.net has address 127.0.0.2
Host emms.com.dob.sibl.support-intelligence.net not found: 3(NXDOMAIN)
Host emms.com.dob.sibl.support-intelligence.net not found: 3(NXDOMAIN)
Re: URIBL_RHS_DOB high hits
On 10/07/2014 01:01 PM, Reindl Harald wrote:
On 07.10.2014 at 12:53, Axb wrote:
On 10/07/2014 12:40 PM, Reindl Harald wrote:
On 06.10.2014 at 19:06, Axb wrote:
On 10/06/2014 07:01 PM, David Jones wrote:
Anyone else seeing an unusually high hit count today for URIBL_RHS_DOB?

host google.com.dob.sibl.support-intelligence.net
Host google.com.dob.sibl.support-intelligence.net not found: 3(NXDOMAIN)

web tools sigh

not that it was not junk but created 10 years ago

Date: Tue, 07 Oct 2014 12:00:47 +0200
1.0 URIBL_RHS_DOB Contains an URI of a new domain (Day Old Bread)
* [URIs: emms.com]

Domain Name: EMMS.COM
Registrar: REGISTRYGATE GMBH
Whois Server: whois.registrygate.com
Referral URL: http://www.registrygate.com
Name Server: NS1.DNSSOCKET.NET
Name Server: NS2.DNSSOCKET.NET
Status: clientTransferProhibited
Updated Date: 02-jul-2014
Creation Date: 06-may-2004
Expiration Date: 06-may-2015

host emms.com.dob.sibl.support-intelligence.net
Host emms.com.dob.sibl.support-intelligence.net not found: 3(NXDOMAIN)

funky resolver?

unbound on localhost with adjusted caching to avoid DNS mistakes hit for many hours, i get 3 responses one of them with 127.0.0.2 and two with NXDOMAIN and exactly the same result on the LAN cache running BIND while both do recursion and not forwarding

cache-min-ttl: 300
cache-max-ttl: 3600

host emms.com.dob.sibl.support-intelligence.net
emms.com.dob.sibl.support-intelligence.net has address 127.0.0.2
Host emms.com.dob.sibl.support-intelligence.net not found: 3(NXDOMAIN)
Host emms.com.dob.sibl.support-intelligence.net not found: 3(NXDOMAIN)

host emms.com.dob.sibl.support-intelligence.net
emms.com.dob.sibl.support-intelligence.net has address 127.0.0.2
Host emms.com.dob.sibl.support-intelligence.net not found: 3(NXDOMAIN)
Host emms.com.dob.sibl.support-intelligence.net not found: 3(NXDOMAIN)

I'm testing from 3 different sites/networks with PowerDNS recursor and all give me a single NXDOMAIN
Re: URIBL_RHS_DOB high hits
On 10/07/2014 01:12 PM, Axb wrote:
On 10/07/2014 01:01 PM, Reindl Harald wrote:
On 07.10.2014 at 12:53, Axb wrote:
On 10/07/2014 12:40 PM, Reindl Harald wrote:
On 06.10.2014 at 19:06, Axb wrote:
On 10/06/2014 07:01 PM, David Jones wrote:
Anyone else seeing an unusually high hit count today for URIBL_RHS_DOB?

host google.com.dob.sibl.support-intelligence.net
Host google.com.dob.sibl.support-intelligence.net not found: 3(NXDOMAIN)

web tools sigh

not that it was not junk but created 10 years ago

Date: Tue, 07 Oct 2014 12:00:47 +0200
1.0 URIBL_RHS_DOB Contains an URI of a new domain (Day Old Bread)
* [URIs: emms.com]

Domain Name: EMMS.COM
Registrar: REGISTRYGATE GMBH
Whois Server: whois.registrygate.com
Referral URL: http://www.registrygate.com
Name Server: NS1.DNSSOCKET.NET
Name Server: NS2.DNSSOCKET.NET
Status: clientTransferProhibited
Updated Date: 02-jul-2014
Creation Date: 06-may-2004
Expiration Date: 06-may-2015

host emms.com.dob.sibl.support-intelligence.net
Host emms.com.dob.sibl.support-intelligence.net not found: 3(NXDOMAIN)

funky resolver?

unbound on localhost with adjusted caching to avoid DNS mistakes hit for many hours, i get 3 responses one of them with 127.0.0.2 and two with NXDOMAIN and exactly the same result on the LAN cache running BIND while both do recursion and not forwarding

cache-min-ttl: 300
cache-max-ttl: 3600

host emms.com.dob.sibl.support-intelligence.net
emms.com.dob.sibl.support-intelligence.net has address 127.0.0.2
Host emms.com.dob.sibl.support-intelligence.net not found: 3(NXDOMAIN)
Host emms.com.dob.sibl.support-intelligence.net not found: 3(NXDOMAIN)

host emms.com.dob.sibl.support-intelligence.net
emms.com.dob.sibl.support-intelligence.net has address 127.0.0.2
Host emms.com.dob.sibl.support-intelligence.net not found: 3(NXDOMAIN)
Host emms.com.dob.sibl.support-intelligence.net not found: 3(NXDOMAIN)

I'm testing from 3 different sites/networks with PowerDNS recursor and all give me a single NXDOMAIN

Found it.

dig A a.support-intelligence.net +short
208.67.172.17

dig A b.support-intelligence.net +short
209.23.235.22

dig emms.com.dob.sibl.support-intelligence.net @208.67.172.17 +short
127.0.0.2

The mirror on 208.67.172.17 is not in sync

Shooting Rick another mail... Will take a while - he's in US west coast
rejected Null-Senders
can somebody comment in what context null-senders and so bounces and probably autoresponders are blocked by DKIM_ADSP_NXDOMAIN,USER_IN_BLACKLIST

DKIM_ADSP_NXDOMAIN,USER_IN_BLACKLIST from= to=u...@example.com 3jC2XD1j8Cz1y: milter-reject: END-OF-MESSAGE

a customer sends out his yearly members-invitation and i see some bounces / autoresponders pass through and some are blocked with the above tags, at least one from his own outgoing mainserver

what i don't completely understand is the DKIM_ADSP_NXDOMAIN since in case of NXDOMAIN the message trigger the response could not have been delivered and how the USER_IN_BLACKLIST comes with a empty sender

not that i am against block some amount of backscatters, i just want to understand the conditions
spamd does not start
I built SA 3.4 using cpan to my old Debian Squeeze-lts.

root@hurricane:~# time service spamassassin start
Starting SpamAssassin Mail Filter Daemon: child process [4868] exited or timed out without signaling production of a PID file: exit 255 at /usr/local/bin/spamd line 2960.

real 0m1.230s
user 0m0.220s
sys 0m0.016s

I read that line in spamd and it talks about two bugs. And a long timeout needed. But this dies at once, hardly a timeout?
Re: spamd does not start
On 10/07/2014 05:55 PM, Jari Fredrisson wrote:
I built SA 3.4 using cpan to my old Debian Squeeze-lts.

root@hurricane:~# time service spamassassin start
Starting SpamAssassin Mail Filter Daemon: child process [4868] exited or timed out without signaling production of a PID file: exit 255 at /usr/local/bin/spamd line 2960.

real 0m1.230s
user 0m0.220s
sys 0m0.016s

I read that line in spamd and it talks about two bugs. And a long timeout needed. But this dies at once, hardly a timeout?

have you tried to add -D to the init script and see what it says
Re: spamd does not start
On 7.10.2014 18:58, Axb wrote:
On 10/07/2014 05:55 PM, Jari Fredrisson wrote:
I built SA 3.4 using cpan to my old Debian Squeeze-lts.

root@hurricane:~# time service spamassassin start
Starting SpamAssassin Mail Filter Daemon: child process [4868] exited or timed out without signaling production of a PID file: exit 255 at /usr/local/bin/spamd line 2960.

real 0m1.230s
user 0m0.220s
sys 0m0.016s

I read that line in spamd and it talks about two bugs. And a long timeout needed. But this dies at once, hardly a timeout?

have you tried to add -D to the init script and see what it says

root@hurricane:~# service spamassassin start
Starting SpamAssassin Mail Filter Daemon:
Oct 7 19:49:52.142 [7498] dbg: logger: adding facilities: all
Oct 7 19:49:52.146 [7498] dbg: logger: logging level is DBG
Oct 7 19:49:52.275 [7498] dbg: logger: calling setlogsock(unix)
Oct 7 19:49:52.275 [7498] dbg: logger: opening syslog with unix socket
Oct 7 19:49:52.276 [7498] dbg: logger: successfully connected to syslog/unix
Oct 7 19:49:52.276 [7498] dbg: logger: successfully added syslog method
Oct 7 19:49:52.279 [7498] dbg: spamd: will perform setuids? 0
Oct 7 19:49:52.282 [7498] dbg: spamd: socket module of choice: IO::Socket::INET 1.31, Socket 2.015, have PF_INET, no PF_INET6, using Socket::getaddrinfo, AI_ADDRCONFIG is supported
Oct 7 19:49:52.283 [7498] dbg: spamd: socket specification: 192.168.1.117, IP address: 192.168.1.117, port: 783
Oct 7 19:49:52.283 [7498] dbg: spamd: attempting to listen on IP addresses: 192.168.1.117, port 783
Oct 7 19:49:52.286 [7498] dbg: spamd: creating IO::Socket::INET socket: Listen: 128, LocalAddr: 192.168.1.117, LocalPort: 783, Proto: tcp, ReuseAddr: 1, Type: 1
Oct 7 19:49:52.287 [7498] dbg: spamd: server listen sockets fd bit field: 0100
Oct 7 19:49:52.288 [7498] dbg: logger: adding facilities: all
Oct 7 19:49:52.290 [7498] dbg: logger: logging level is DBG
Oct 7 19:49:52.291 [7498] dbg: generic: SpamAssassin version 3.4.0
Oct 7 19:49:52.292 [7498] dbg: generic: Perl 5.010001, PREFIX=/usr/local, DEF_RULES_DIR=/usr/local/share/spamassassin, LOCAL_RULES_DIR=/etc/mail/spamassassin, LOCAL_STATE_DIR=/var/lib/spamassassin
Oct 7 19:49:52.295 [7498] dbg: config: timing enabled
Oct 7 19:49:52.295 [7498] dbg: config: score set 0 chosen.
child process [7500] exited or timed out without signaling production of a PID file: exit 255 at /usr/local/bin/spamd line 2960.

Nothing new, I'm afraid.
Re: Many X- headers - possible spam sign?
On 04.10.2014 at 15:27, Axb wrote:
On 10/04/2014 03:19 PM, Reindl Harald wrote:

I removed from /trunk/rules and dumped in my sandbox till dev team gives its +1 for addition to SA ruleset

atm, you can find it
http://svn.apache.org/repos/asf/spamassassin/trunk/rulesrc/sandbox/axb/23_bayes_ignore_header.cf

BTW: is bayes_ignore_header case-sensitive?

if not it would be easier to convert all to lowercase for get rid of duplicates while catch different spellings in real mail
Re: rejected Null-Senders
On Tue, 2014-10-07 at 17:46 +0200, Reindl Harald wrote:
can somebody comment in what context null-senders and so bounces and probably autoresponders are blocked by DKIM_ADSP_NXDOMAIN,USER_IN_BLACKLIST

SA does not block. *sigh*

In this context, the DKIM_ADSP_NXDOMAIN hit is irrelevant, given its low score. The USER_IN_BLACKLIST hit is what's pushing the score beyond your SMTP reject threshold.

DKIM_ADSP_NXDOMAIN,USER_IN_BLACKLIST from= to=u...@example.com 3jC2XD1j8Cz1y: milter-reject: END-OF-MESSAGE

See whitelist_from documentation for the from / sender type mail headers SA uses for black- and whitelisting. The above seems to show SMTP stage MAIL FROM, which results in only one of the possible headers and depends on your SMTP server (and milter in your case).

a customer sends out his yearly members-invitation and i see some bounces / autoresponders pass through and some are blocked with the above tags, at least one from his own outgoing mainserver

what i don't completely understand is the DKIM_ADSP_NXDOMAIN since in case of NXDOMAIN the message trigger the response could not have been delivered and how the USER_IN_BLACKLIST comes with a empty sender

not that i am against block some amount of backscatters, i just want to understand the conditions

--
char *t=\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: rejected Null-Senders
On 07.10.2014 at 19:15, Karsten Bräckelmann wrote:
On Tue, 2014-10-07 at 17:46 +0200, Reindl Harald wrote:
can somebody comment in what context null-senders and so bounces and probably autoresponders are blocked by DKIM_ADSP_NXDOMAIN,USER_IN_BLACKLIST

SA does not block. *sigh*

pure SA, yes, different story / topic

In this context, the DKIM_ADSP_NXDOMAIN hit is irrelevant, given its low score. The USER_IN_BLACKLIST hit is what's pushing the score beyond your SMTP reject threshold.

DKIM_ADSP_NXDOMAIN,USER_IN_BLACKLIST from= to=u...@example.com 3jC2XD1j8Cz1y: milter-reject: END-OF-MESSAGE

See whitelist_from documentation for the from / sender type mail headers SA uses for black- and whitelisting. The above seems to show SMTP stage MAIL FROM, which results in only one of the possible headers and depends on your SMTP server (and milter in your case)

a looking again some of the fools i guess sending out backscatters with postmaster@somewhere.local in the From-Header which is blocked intentional and two mistakes at the RCPT (backscatter instead reject, invalid from domain)

blacklist_from *.local

40c110f0-262f-412c-b1f6-6212fe210df8@EX-AT-102.lukid.local
Re: spamd does not start
On Tue, 2014-10-07 at 18:55 +0300, Jari Fredrisson wrote:
I built SA 3.4 using cpan to my old Debian Squeeze-lts.

root@hurricane:~# time service spamassassin start
Starting SpamAssassin Mail Filter Daemon: child process [4868] exited or timed out without signaling production of a PID file: exit 255 at /usr/local/bin/spamd line 2960.

real 0m1.230s

I read that line in spamd and it talks about two bugs. And a long timeout needed. But this dies at once, hardly a timeout?

It states the child process exited or timed out. Indeed, obviously not a timeout, so the child process simply exited. Anything in syslog left by the child?

--
char *t=\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: spamd does not start
On 7.10.2014 20:29, Karsten Bräckelmann wrote:
On Tue, 2014-10-07 at 18:55 +0300, Jari Fredrisson wrote:
I built SA 3.4 using cpan to my old Debian Squeeze-lts.

root@hurricane:~# time service spamassassin start
Starting SpamAssassin Mail Filter Daemon: child process [4868] exited or timed out without signaling production of a PID file: exit 255 at /usr/local/bin/spamd line 2960.

real 0m1.230s

I read that line in spamd and it talks about two bugs. And a long timeout needed. But this dies at once, hardly a timeout?

It states the child process exited or timed out. Indeed, obviously not a timeout, so the child process simply exited. Anything in syslog left by the child?

Thanks!

Oct 7 19:49:52 hurricane spamd[7500]: spamd: successfully daemonized
Oct 7 19:49:52 hurricane spamd[7500]: spamd: Preloading modules with HOME=/tmp/spamd-7500-init
Oct 7 19:49:52 hurricane spamd[7500]: config: using /etc/mail/spamassassin for site rules pre files
Oct 7 19:49:52 hurricane spamd[7500]: config: read file /etc/mail/spamassassin/init.pre
Oct 7 19:49:52 hurricane spamd[7500]: config: read file /etc/mail/spamassassin/v310.pre
Oct 7 19:49:52 hurricane spamd[7500]: config: read file /etc/mail/spamassassin/v312.pre
Oct 7 19:49:52 hurricane spamd[7500]: config: read file /etc/mail/spamassassin/v320.pre
Oct 7 19:49:52 hurricane spamd[7500]: config: read file /etc/mail/spamassassin/v330.pre
Oct 7 19:49:52 hurricane spamd[7500]: config: read file /etc/mail/spamassassin/v340.pre
Oct 7 19:49:52 hurricane spamd[7500]: config: using /usr/local/share/spamassassin for sys rules pre files
Oct 7 19:49:52 hurricane spamd[7500]: config: using /usr/local/share/spamassassin for default rules dir
Oct 7 19:49:52 hurricane spamd[7500]: config: no rules were found! Do you need to run 'sa-update'?
Oct 7 19:49:53 hurricane spamd[7498]: child process [7500] exited or timed out without signaling production of a PID file: exit 255 at /usr/local/bin/spamd line 2960.

Sad me.
Re: spamd does not start
On 07.10.2014 at 19:34, Jari Fredrisson wrote:
On 7.10.2014 20:29, Karsten Bräckelmann wrote:
On Tue, 2014-10-07 at 18:55 +0300, Jari Fredrisson wrote:
I built SA 3.4 using cpan to my old Debian Squeeze-lts.

root@hurricane:~# time service spamassassin start
Starting SpamAssassin Mail Filter Daemon: child process [4868] exited or timed out without signaling production of a PID file: exit 255 at /usr/local/bin/spamd line 2960.

real 0m1.230s

I read that line in spamd and it talks about two bugs. And a long timeout needed. But this dies at once, hardly a timeout?

It states the child process exited or timed out. Indeed, obviously not a timeout, so the child process simply exited. Anything in syslog left by the child?

Thanks!

Oct 7 19:49:52 hurricane spamd[7500]: config: no rules were found! Do you need to run 'sa-update'?

Sad me

well, you need to run sa-update if you did not already - the rules are not part of the package because they are typically updated each day with the shipped cron script
Re: spamd does not start
On 7.10.2014 20:38, Reindl Harald wrote:
On 07.10.2014 at 19:34, Jari Fredrisson wrote:
On 7.10.2014 20:29, Karsten Bräckelmann wrote:
On Tue, 2014-10-07 at 18:55 +0300, Jari Fredrisson wrote:
I built SA 3.4 using cpan to my old Debian Squeeze-lts.

root@hurricane:~# time service spamassassin start
Starting SpamAssassin Mail Filter Daemon: child process [4868] exited or timed out without signaling production of a PID file: exit 255 at /usr/local/bin/spamd line 2960.

real 0m1.230s

I read that line in spamd and it talks about two bugs. And a long timeout needed. But this dies at once, hardly a timeout?

It states the child process exited or timed out. Indeed, obviously not a timeout, so the child process simply exited. Anything in syslog left by the child?

Thanks!

Oct 7 19:49:52 hurricane spamd[7500]: config: no rules were found! Do you need to run 'sa-update'?

Sad me

well, you need to run sa-update if you did not already - the rules are not part of the package because they are typically updated each day with the shipped cron script

Yes yes. I ran sa-update sa-compile. I just wonder how I had not done so earlier... Same head, same mistakes. Old head.
Re: rejected Null-Senders
On Tue, 2014-10-07 at 17:46 +0200, Reindl Harald wrote:
can somebody comment in what context null-senders and so bounces and probably autoresponders are blocked by DKIM_ADSP_NXDOMAIN,USER_IN_BLACKLIST

DKIM_ADSP_NXDOMAIN is checking a domain in a From header field, not the envelope sender address.

Mark
Re: rejected Null-Senders
On 07.10.2014 at 20:12, Mark Martinec wrote:
On Tue, 2014-10-07 at 17:46 +0200, Reindl Harald wrote:
can somebody comment in what context null-senders and so bounces and probably autoresponders are blocked by DKIM_ADSP_NXDOMAIN,USER_IN_BLACKLIST

DKIM_ADSP_NXDOMAIN is checking a domain in a From header field, not the envelope sender address

OK, that matches my guess that i found another collection of incompetent admins using @local as sender and blow out bounces - so the milter rejects are intentional and fine - wish they could also blow a fist in the face of the other servers admin
Re: New TLDs, time to update RegistrarBoundaries
Kevin A. McGrail:
We are working on solutions expected for the 3.4.1 release on ~9/30.

are there any updates on the release plan?
AXB_URI_HCKD_MUHMADEMAD
Please welcome Muhmademad back to his daily spam run... .-)
Re: recent channel update woes
On 06.10.2014 at 19:22, Benny Pedersen wrote:
On October 6, 2014 6:39:21 PM Eric Cunningham e...@whoi.edu wrote:
Hello, has anyone else experienced an HUGE uptick in the number of rejected legitimate emails following an sa-update run over this past

And SpamAssassin only tags mail, it does not reject, so stop saying it an sa issue when it's not

on a sane setup it is part of a milter and rejects above a specific level because it makes little sense to accept high score spam and only move it in a different folder

frankly 3 weeks ago we had about 3 junk attempts per day and now we have the same per week - guess why - because delays, postscreen and reject highscore spam instead sign 250 OK to the bot client

X-Spam-Status: No, score=-106.2, tag-level=4.5, block-level=8.0

Is there a way to configure URIBL_RHS_DOB conditionally such that if there are issues with dob.sibl.support-intelligence.net like we're seeing, that associated scoring remains neutral rather than increasing (or decreasing)?
Re: recent channel update woes
On 08.10.2014 at 00:49, Eric Cunningham wrote:
On 06.10.2014 at 19:22, Benny Pedersen wrote:
On October 6, 2014 6:39:21 PM Eric Cunningham e...@whoi.edu wrote:
Hello, has anyone else experienced an HUGE uptick in the number of rejected legitimate emails following an sa-update run over this past

And SpamAssassin only tags mail, it does not reject, so stop saying it an sa issue when it's not

on a sane setup it is part of a milter and rejects above a specific level because it makes little sense to accept high score spam and only move it in a different folder

frankly 3 weeks ago we had about 3 junk attempts per day and now we have the same per week - guess why - because delays, postscreen and reject highscore spam instead sign 250 OK to the bot client

X-Spam-Status: No, score=-106.2, tag-level=4.5, block-level=8.0

Is there a way to configure URIBL_RHS_DOB conditionally such that if there are issues with dob.sibl.support-intelligence.net like we're seeing, that associated scoring remains neutral rather than increasing (or decreasing)?

not really - if you get the response from the DNS - well, you are done

the only exception are dnslists which stop to answer if you exceed the free limit but in that case they answer with a different response what is caught by the rules

what happens here is unintentional and so you can't say if the response is wrong - if you would know the answer you would not ask the server
Re: recent channel update woes
On Tue, 2014-10-07 at 18:49 -0400, Eric Cunningham wrote:
Is there a way to configure URIBL_RHS_DOB conditionally such that if there are issues with dob.sibl.support-intelligence.net like we're seeing, that associated scoring remains neutral rather than increasing (or decreasing)?

No. As-is, a correct DNSxL listing is indistinguishable from a false positive listing.

One possible strategy to detect FP listings would be an additional DNSxL query of a test-point or known-to-be not listed value. This comes at the cost of increased load both for the DNSxL as well as SA instance, and will lag behind due to TTL and DNS caching. The lower the lag, the lower the caching, the higher the additional load.

By doing such tests not on a per message basis but per spamd child, or even having the parent process monitor for possible world-listed situations, the additional overhead and load could be massively reduced.

Simply monitoring real results (without test queries) likely would not work. It is entirely possible that really large chunks of the mail stream continuously result in positive DNSxL listings. Prime candidates would be PBL hitting botnet spew, or exclusively DNSWL trusted messages during otherwise low traffic conditions. Distinguishing lots of consecutive correct listings from false positives would be really hard and prone to errors.

--
char *t=\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: recent channel update woes
On 2014-10-07 16:18, Reindl Harald wrote:
what happens here is unintentional and so you can't say if the response is wrong - if you would know the answer you would not ask the server

If you're paranoid, you can monitor the DNSBLs that you use via script (externally from SpamAssassin) and generate something that reports to you when there's a possible issue. If you're really paranoid, you can have it write a .cf that would 0 out the scores, but I assure you that you'll spend more time building, testing and maintaining such a system than it's worth in the long run, in my experience it's better to just page an admin.

I monitor positive and negative responses, for IP based DNS BLs, I use the following by default:

127.0.0.1 should not be listed.
127.0.0.2 should be listed.
$MYIP should not be listed.

Obviously these need to be tweaked and configured per-list, not all lists list 127.0.0.2, and some lists use status codes, so should not be listed and should be listed are really match/do-not-match some condition

In the case of DNSWL, $MYIP should be listed, if I get de-listed, I want to know about that too.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: recent channel update woes
On Wed, 2014-10-08 at 01:18 +0200, Reindl Harald wrote:
On 08.10.2014 at 00:49, Eric Cunningham wrote:
Is there a way to configure URIBL_RHS_DOB conditionally such that if there are issues with dob.sibl.support-intelligence.net like we're seeing, that associated scoring remains neutral rather than increasing (or decreasing)?

not really - if you get the response from the DNS - well, you are done

the only exception are dnslists which stop to answer if you exceed the free limit but in that case they answer with a different response what is caught by the rules

Exceeding free usage limit is totally different from the recent DOB listing the world issue.

Also, exceeding limit is handled differently in lots of ways. It ranges from specific limit exceeded results, up to listing the world at the hostile end or in extreme situations to finally get the admin's attention. It also includes simply no results other than NXDOMAIN, which is hard to distinguish from proper operation in certain low-listing conditions.

--
char *t=\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: recent channel update woes
On Tue, 2014-10-07 at 16:37 -0700, Dave Warren wrote:
If you're paranoid, you can monitor the DNSBLs that you use via script (externally from SpamAssassin) and generate something that reports to you when there's a possible issue. If you're really paranoid, you can have it write a .cf that would 0 out the scores, but I assure you that you'll spend more time building, testing and maintaining such a system than it's worth in the long run, in my experience it's better to just page an admin.

I monitor positive and negative responses, for IP based DNS BLs, I use the following by default:

127.0.0.1 should not be listed.
127.0.0.2 should be listed.

Depending on how the DNSBL implements such static test-points, they might not be affected by the issue causing the false listings. Similarly, domains likely to appear on exonerate lists (compare uridnsbl_skip_domain e.g.) might also not be affected.

For paranoid monitoring, low-profile domains that definitely do not and will not match the listing criteria might be better suited for the task.

$MYIP should not be listed.

Obviously these need to be tweaked and configured per-list, not all lists list 127.0.0.2, and some lists use status codes, so should not be listed and should be listed are really match/do-not-match some condition

In the case of DNSWL, $MYIP should be listed, if I get de-listed, I want to know about that too.

--
char *t=\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
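
The external canary monitoring discussed in the three messages above, as an added example that is not code from any poster or from SpamAssassin: it queries each mirror of a DNSxL directly (the stale mirror in this thread was hidden behind resolvers) and emits a `score RULE 0` override only while a must-not-be-listed canary comes back listed. The function and class names are hypothetical, `emms.com` as canary and the two mirror addresses are taken from the thread, and the answer table is constructed to reproduce what the thread observed.

```python
import ipaddress
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class Canary:
    key: str             # name queried under the zone (domain, or reversed IP)
    expect_listed: bool  # what a healthy list answers for it


def dig_lookup(name, server):
    """A records one mirror returns: set() on NXDOMAIN, None if it did not reply."""
    proc = subprocess.run(
        ["dig", "+short", "+time=3", "+tries=1", "A", name, "@" + server],
        capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    found = set()
    for token in proc.stdout.split():
        try:
            found.add(str(ipaddress.IPv4Address(token)))
        except ValueError:
            pass  # not an address (CNAME target, dig comment text)
    return found


def check_mirror(zone, server, canaries, lookup=dig_lookup):
    """Compare one mirror's answers with what each canary should get."""
    false_hits, misses, unanswered = [], [], 0
    for canary in canaries:
        answer = lookup(f"{canary.key}.{zone}", server)
        if answer is None:
            unanswered += 1
        elif answer and not canary.expect_listed:
            false_hits.append(canary.key)
        elif not answer and canary.expect_listed:
            misses.append(canary.key)
    if false_hits:
        return "lists-unexpected"  # the failure seen in this thread
    if misses:
        return "misses-expected"
    if unanswered:
        return "no-answer"
    return "ok"


def check_zone(zone, mirrors, canaries, lookup=dig_lookup):
    """Query every mirror directly; a caching resolver hides which one is stale."""
    return {server: check_mirror(zone, server, canaries, lookup)
            for server in mirrors}


def override_cf(rule, results):
    """Local .cf text neutralising `rule` while any mirror returns false hits."""
    if "lists-unexpected" in results.values():
        return f"score {rule} 0\n"
    return ""


ZONE = "dob.sibl.support-intelligence.net"
MIRRORS = ["208.67.172.17", "209.23.235.22"]  # a. and b. mirrors named in the thread
# emms.com was created in 2004, so a "day old" list must not return it.
CANARIES = [Canary("emms.com", expect_listed=False)]

# Constructed answers reproducing the thread: only the out-of-sync mirror lists it.
STALE_ANSWERS = {("emms.com." + ZONE, "208.67.172.17"): {"127.0.0.2"}}


def fake_lookup(name, server):
    """Offline stand-in for dig_lookup, backed by the constructed table above."""
    return STALE_ANSWERS.get((name, server), set())


if __name__ == "__main__":
    results = check_zone(ZONE, MIRRORS, CANARIES, fake_lookup)
    for server, verdict in results.items():
        print(server, verdict)
    print(override_cf("URIBL_RHS_DOB", results), end="")
```

For IP-based lists the same `Canary` type carries the reversed test points from Dave Warren's message (for example `2.0.0.127` with `expect_listed=True`), subject to the caveat above that static test points may not be affected by a bad data load.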
Re: spamd does not start
On 07 Oct 2014, at 11:45 , Jari Fredrisson ja...@iki.fi wrote:
I ran sa-update sa-compile.

Should sa-compile be run after sa-update?

I have a crontab entry:

16 1 * * * /usr/local/bin/sa-update && /usr/local/etc/rc.d/sa-spamd restart

should I add an sa-compile call?

--
'It's still a lie. Like the lie about masks.' 'What lie about masks?' 'The way people say they hide faces.' 'They do hide faces,' said Nanny Ogg. 'Only the one on the outside.' --Maskerade