Re: Fw: spam from gmail.com
On 11/12/21 00:43, Loren Wilton wrote:
> I have to admit I'd never paid much attention to the RCVD_IN_DNSWL_* scores on spam before. Looking at spam for last month, I don't have a single RCVD_IN_DNSWL_MED. But I do have 12 pretty blatant spams that hit RCVD_IN_DNSWL_HI. It makes me wonder just how useful a rule it is. Especially when it includes sendgrid as part of the "HI" reputation senders.

When I was using my provider's DNS server, I started to receive a lot of spam; mails were scored with RCVD_IN_DNSWL_HI=-5. It turned out that most queries were resolved as 127.0.0.255 (BLOCKED), but some of them as 127.0.10.3 (listed HI as the "some special cases" category). So you need to use your own DNS server and make sure you are below 100k queries/day, or get a subscription. Otherwise spam occasionally starts to get in.

Regards,
Łukasz
Re: Fw: spam from gmail.com
Arne Jensen writes:

> On 11-11-2021 at 20:21, Greg Troxel wrote:
>> It's a really interesting question what DNSWL_MED ought to be for score.
>> Given what MED is supposed to be:
>>
>>   Medium   Rare spam occurrences, corrected promptly.
>>
>> -2.3 points seems entirely reasonable.
>>
>> But I don't see how gmail makes sense being medium, as spam from gmail is not rare. Probably it happens to me every day. NONE seems more appropriate, especially since I have no perception of google making a serious attempt to avoid emanating spam. (I realize this comment belongs on the DNSWL list, but for now I'm not bothered personally because the v6 addrs aren't listed.)
>
> Google (Gmail) is not, and has never been, on medium.
>
> Last score change on Google's addresses was in June 2018, demoting the last remaining ones from "low" to "none".
>
> Are you by any chance forwarding traffic from one server to another, and/or potentially missing something in your trusted_networks and/or internal_networks? This one is *very* common.

Sorry for being fuzzy. What I meant, and didn't say clearly, is: I get a lot of spam from gmail (that is properly DKIM signed and passes SPF). I'm not seeing any of it get tagged as coming from DNSWL_MED. Having seen other people claim that google servers are on MED, I was opining that this didn't make sense. (It seems that everybody agrees that it doesn't make sense and also that it has never been true.)

> Checking up with DNSWL is actually done by checking the first server, in reverse order, that your own server does not trust, so if the inbound message you see was sent from Gmail, relayed over your friend's server (which is/was at medium), and then finally hitting yours, and you do not have your friend's server set as one of your trusted ones, the DNSWL check will be done on your friend's server, ending up flagging the message as medium.

For me, the trickiness is in mailing lists, especially when they are set up without restrict-to-list-members and without good filtering. So I have put their addresses into trusted_networks. This isn't quite the same as someone MX-catching for me, but I think it works out the same.

Greg
Re: Fw: spam from gmail.com
Arne Jensen writes:

> On 12-11-2021 at 00:43, Loren Wilton wrote:
>> I have to admit I'd never paid much attention to the RCVD_IN_DNSWL_* scores on spam before.
> [...]
>> Looking at spam for last month, [...]
>>
>> But I do have 12 pretty blatant spams that hit RCVD_IN_DNSWL_HI. It makes me wonder just how useful a rule it is.
>
> A pretty blatant misconfiguration of a mail server (and/or the system running same) can unfortunately lead to various negative side effects.

Loren might want to check about spam received via mailing lists. I have seen spam sent to lists and then delivered to me, so that it arrives from the MTA of the org running the list. Adding that to trusted_networks moves the check points earlier and avoids treating the mail as good because it came from the list.

Of course, it would be better if the list were set up for both spam filtering and rejecting non-member posts, and machines that host lists that send spam probably aren't in DNSWL anyway.

Thanks for all the confirmations of what isn't listed. I have always had the view that DNSWL runs a tight ship (and fairly too), and I continue to feel that -2.3 for MED is a reasonable score.
Re: Fw: spam from gmail.com
On 12-11-2021 at 00:43, Loren Wilton wrote:
> I have to admit I'd never paid much attention to the RCVD_IN_DNSWL_* scores on spam before.
[...]
> Looking at spam for last month, [...]
>
> But I do have 12 pretty blatant spams that hit RCVD_IN_DNSWL_HI. It makes me wonder just how useful a rule it is.

A pretty blatant misconfiguration of a mail server (and/or the system running same) can unfortunately lead to various negative side effects. Given your previous mention of not paying attention, I would initially lean towards (some of) your configuration(s) needing some attention.

> Especially when it includes sendgrid as part of the "HI" reputation senders.

This one again leads back to the previous point:

a) SendGrid has never had any IP addresses on "HI".
b) No SendGrid IP addresses have been published to the public from DNSWL since 2020-08-21.

> [66.70.136.180] mta1.bevocalforlocal.info

This IP address was caught on our radars on 2021-08-25, for a very short time, and was completely gone again on 2021-09-09. During this time frame, it had only been residing in internal DNSWL Ids, and as such had NOT been published to the public.

> [167.89.10.203] o1678910x203.outbound-mail.sendgrid.net
> [167.89.10.203] o1678910x203.outbound-mail.sendgrid.net

This IP address has been seen on and off since 2015-03-14, published with RCVD_IN_DNSWL_NONE from 2015-03-25 to 2017-02-21, and again from 2018-06-17 to 2020-08-21. Outside the mentioned time frames it hasn't been sent out to the public, and it has NEVER been above RCVD_IN_DNSWL_NONE.

> [88.80.190.164] 88-80-190-164.ip.linodeusercontent.com
> [107.175.219.38] dhrf266.medley.com.de
> [107.175.219.54] dhrf2106.realatelier.xyz
> [107.175.219.103] dhrf2208.rollrs.xyz
> [139.162.81.182] 139-162-81-182.ip.linodeusercontent.com
> [172.104.183.201] 172-104-183-201.ip.linodeusercontent.com
> [172.105.221.77] li1875-77.members.linode.com
> [178.79.178.52] li347-52.members.linode.com
> [185.51.39.149] static-185-51-39-149.uludns.net

None of those are in DNSWL, and none of them have been recorded in DNSWL for at least the past 12 months, not even in the internal DNSWL Ids that aren't sent out to the public.

At the time of writing this, the RFC1912 #2.1 kind of FcRDNS for several of them is inconsistent, as forward DNS is missing, which is a good reject parameter on its own. The majority of them also show the classic dynamic/generic-looking PTR records, which is also a good reject parameter on its own.

-- 
Med venlig hilsen / Kind regards,
Arne Jensen
Re: Fw: spam from gmail.com
On 11-11-2021 at 20:21, Greg Troxel wrote:
> It's a really interesting question what DNSWL_MED ought to be for score. Given what MED is supposed to be:
>
>   Medium   Rare spam occurrences, corrected promptly.
>
> -2.3 points seems entirely reasonable.
>
> But I don't see how gmail makes sense being medium, as spam from gmail is not rare. Probably it happens to me every day. NONE seems more appropriate, especially since I have no perception of google making a serious attempt to avoid emanating spam. (I realize this comment belongs on the DNSWL list, but for now I'm not bothered personally because the v6 addrs aren't listed.)

Google (Gmail) is not, and has never been, on medium.

Last score change on Google's addresses was in June 2018, demoting the last remaining ones from "low" to "none".

Are you by any chance forwarding traffic from one server to another, and/or potentially missing something in your trusted_networks and/or internal_networks? This one is *very* common.

Checking up with DNSWL is actually done by checking the first server, in reverse order, that your own server does not trust, so if the inbound message you see was sent from Gmail, relayed over your friend's server (which is/was at medium), and then finally hitting yours, and you do not have your friend's server set as one of your trusted ones, the DNSWL check will be done on your friend's server, ending up flagging the message as medium.

-- 
Med venlig hilsen / Kind regards,
Arne Jensen
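The relay selection Arne describes above (the first server, walking the Received headers from the top, that is not in trusted_networks) and Łukasz's point about 127.0.0.255 (BLOCKED) answers, as an added illustration that is not SpamAssassin's own code; the relay addresses, trusted_networks entries and DNS answers are constructed for the example, and the `lookup` dict stands in for a real dnswl.org query.

```python
"""Added illustration (not SpamAssassin's code) of two points from this thread:
which relay the DNSWL lookup is made for, and how a dnswl.org answer is read.
All addresses, trusted networks and DNS answers below are constructed."""
import ipaddress

# dnswl.org answers 127.0.<category>.<score>; the score octet selects the
# RCVD_IN_DNSWL_* rule. 127.0.0.255 is the "too many queries" answer: it
# carries no reputation and must never be treated as a listing.
BLOCKED = "127.0.0.255"
RULE_BY_SCORE = {0: "RCVD_IN_DNSWL_NONE", 1: "RCVD_IN_DNSWL_LOW",
                 2: "RCVD_IN_DNSWL_MED", 3: "RCVD_IN_DNSWL_HI"}


def last_external_relay(relay_ips, trusted_networks):
    """relay_ips lists the 'from' address of each Received header, topmost
    first (the host that handed the mail to us). The lookup target is the
    first one that is not inside trusted_networks: an untrusted list MTA or
    forwarder is checked instead of the original sender behind it."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    for ip in relay_ips:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in trusted):
            return ip
    return None  # every relay trusted: nothing to look up


def decode_answer(answer):
    """Return (category, rule) for a dnswl.org A record, ("blocked", None)
    for 127.0.0.255, and (None, None) for NXDOMAIN (not listed)."""
    if answer is None:
        return (None, None)
    if answer == BLOCKED:
        return ("blocked", None)
    octets = [int(o) for o in answer.split(".")]
    if len(octets) != 4 or octets[:2] != [127, 0]:
        raise ValueError(f"not a dnswl.org answer: {answer}")
    return (octets[2], RULE_BY_SCORE.get(octets[3]))


def dnswl_rule(relay_ips, trusted_networks, lookup):
    """Pick the relay, 'query' it through lookup (a dict standing in for DNS
    here) and return (relay, rule that fires). A blocked answer yields no
    rule instead of the HI listing a careless decoder would read into it."""
    relay = last_external_relay(relay_ips, trusted_networks)
    if relay is None:
        return (None, None)
    _category, rule = decode_answer(lookup.get(relay))
    return (relay, rule)


if __name__ == "__main__":
    # Constructed chain: our MX (192.0.2.10) <- list MTA (203.0.113.5)
    # <- the actual sender (198.51.100.7), which is not listed at all.
    relays = ["192.0.2.10", "203.0.113.5", "198.51.100.7"]
    dns = {"203.0.113.5": "127.0.3.2", "198.51.100.7": None}
    # Only our own network trusted: the list MTA's MED listing is applied.
    print(dnswl_rule(relays, ["192.0.2.0/24"], dns))
    # List MTA added to trusted_networks: the real sender is checked instead.
    print(dnswl_rule(relays, ["192.0.2.0/24", "203.0.113.5/32"], dns))
    # Resolver over the query limit: BLOCKED answer, no DNSWL rule fires.
    print(dnswl_rule(relays, ["192.0.2.0/24"], {"203.0.113.5": BLOCKED}))
```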
Re: Fw: spam from gmail.com
On 2021-11-12 00:43, Loren Wilton wrote:
> [172.105.221.77] li1875-77.members.linode.com
> [178.79.178.52] li347-52.members.linode.com

imho it's safe to reject *.members.linode.com, which is the default for all linode vps that only need a homepage :=)
Re: Fw: spam from gmail.com
On 2021-11-11 21:15, Matija Nalis wrote:
> I guess you could disable default DNSWL_MED score with:
>
>   score DNSWL_MED 0
>
> and then create your own score:
>
>   meta MY_DNSWL_MED DNSWL_MED && !FREEMAIL_FROM
>   score MY_DNSWL_MED -2.5

good rule if score DNSWL_MED is not zero; keep

  score DNSWL_MED 0.01

so MY_DNSWL_MED works
Re: Fw: spam from gmail.com
I have to admit I'd never paid much attention to the RCVD_IN_DNSWL_* scores on spam before. Looking at spam for last month, I don't have a single RCVD_IN_DNSWL_MED. But I do have 12 pretty blatant spams that hit RCVD_IN_DNSWL_HI. It makes me wonder just how useful a rule it is. Especially when it includes sendgrid as part of the "HI" reputation senders.

[66.70.136.180] mta1.bevocalforlocal.info
[88.80.190.164] 88-80-190-164.ip.linodeusercontent.com
[107.175.219.38] dhrf266.medley.com.de
[107.175.219.54] dhrf2106.realatelier.xyz
[107.175.219.103] dhrf2208.rollrs.xyz
[139.162.81.182] 139-162-81-182.ip.linodeusercontent.com
[167.89.10.203] o1678910x203.outbound-mail.sendgrid.net
[167.89.10.203] o1678910x203.outbound-mail.sendgrid.net
[172.104.183.201] 172-104-183-201.ip.linodeusercontent.com
[172.105.221.77] li1875-77.members.linode.com
[178.79.178.52] li347-52.members.linode.com
[185.51.39.149] static-185-51-39-149.uludns.net
Re: Fw: spam from gmail.com
On Thu, Nov 11, 2021 at 02:21:06PM -0500, Greg Troxel wrote:
> yes, what I really want is something like
>
>   exclude_from_dnswl gmail

I guess you could disable default DNSWL_MED score with:

  score DNSWL_MED 0

and then create your own score:

  meta MY_DNSWL_MED DNSWL_MED && !FREEMAIL_FROM
  score MY_DNSWL_MED -2.5

That would score MY_DNSWL_MED only if it is *not* coming from some freemail account. If you want it to score on all other freemail providers, but not on GMAIL, you would replace FREEMAIL_FROM with your own header rule, of course - like

  header FROM_GMAIL From =~ /\@gmail\.com/

or similar.

-- 
Opinions above are GNU-copylefted.
Re: Fw: spam from gmail.com
Philipp Ewald writes:

> You can report it. Gmail is on DNSWL
>
> @gmail.com>
> RCVD_IN_DNSWL_MED=-2.3
>
> https://www.dnswl.org/?page_id=17

I tried to find gmail being on DNSWL_MED and I haven't been able to. There are google.com servers on DNSWL_NONE. Can someone explain what addresses are part of gmail being used to deliver spam on DNSWL_MED?

I went over my mail, looking for recent spam with DNSWL_MED, and also ham. I did find 3 messages that hit DNSWL_MED that were outright spam, and either those places had a rare compromise or should be listed lower. But I also found a large amount of ham with MED. So from my viewpoint, the issues I see with DNSWL_MED are very minor, and I am ok with the default score.

Thanks all for the discussion, as I will probably try harder to report FNs due to DNSWL now.
Re: Fw: spam from gmail.com
Matus UHLAR - fantomas writes:

>>> It would be really nice if there were an easy way to exclude a domain from whitelist checks.
>
> On 11.11.21 17:24, Benny Pedersen wrote:
>> add
>>
>>   freemail_whitelist gmail.com
>>
>> to local.cf
>>
>> its not a whitelist, more a skip gmail.com as a freemail if that changes anything
>>
>> i begin to add score more than default score to freemail hits, which imho is more desirable than classing it not freemail
>
> i guess this just disables detection of fake reply-to which is I believe exactly opposite of what OP needs.

yes, what I really want is something like

  exclude_from_dnswl gmail

and then somehow, anything that is somehow from gmail, when the DNSWL check runs, gets 0 points instead of the default score for medium. Basically, I want "behave as if gmail is not listed in DNSWL". This is messy because DNSWL lookups are via IP address.

However, I just looked back at some of my incoming mail, and it seems google is delivering to me over IPv6 and the v6 addresses of their sending MTAs are not in DNSWL.

It's a really interesting question what DNSWL_MED ought to be for score. Given what MED is supposed to be:

  Medium   Rare spam occurrences, corrected promptly.

-2.3 points seems entirely reasonable.

But I don't see how gmail makes sense being medium, as spam from gmail is not rare. Probably it happens to me every day. NONE seems more appropriate, especially since I have no perception of google making a serious attempt to avoid emanating spam. (I realize this comment belongs on the DNSWL list, but for now I'm not bothered personally because the v6 addrs aren't listed.)
Re: Fw: spam from gmail.com
>>> On 2021-11-11 13:56, Greg Troxel wrote:
>>> Philipp Ewald writes:
>>>> You can report it. Gmail is on DNSWL
>>>>
>>>> @gmail.com>
>>>> RCVD_IN_DNSWL_MED=-2.3
>>>>
>>>> https://www.dnswl.org/?page_id=17
>>>>
>>>> As far as i know DNSWL is used by default
>>>
>>> I've ended up giving a point each to FREEMAIL_FROM and TO_GMAIL, which sort of nulls that out.
>>>
>>> It would be really nice if there were an easy way to exclude a domain from whitelist checks.

On 11.11.21 17:24, Benny Pedersen wrote:
> add
>
>   freemail_whitelist gmail.com
>
> to local.cf
>
> its not a whitelist, more a skip gmail.com as a freemail if that changes anything
>
> i begin to add score more than default score to freemail hits, which imho is more desirable than classing it not freemail

i guess this just disables detection of fake reply-to which is I believe exactly opposite of what OP needs.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: Fw: spam from gmail.com
I use DNSWLh spamassassin plugin from http://www.chaosreigns.com/dnswl/sa_plugin/ which allows that "spamassassin --report" also reports to DNSWL, thus improving DNSWL database for everybody.

Also, I reduce effect of RCVD_IN_DNSWL_MED to -0.5 as default seems somewhat unreasonable.

On Thu, 11 Nov 2021 12:19:10 +0100, Philipp Ewald wrote:
> You can report it. Gmail is on DNSWL
>
> @gmail.com>
> RCVD_IN_DNSWL_MED=-2.3
>
> https://www.dnswl.org/?page_id=17
>
> As far as i know DNSWL is used by default
>
> On 11/8/21 7:27 PM, Rupert Gallagher wrote:
>> Spammers are using gmail.com. Congratulations to Google for their fine work...
>>
>> Original Message
>> On Nov 8, 2021, 10:42, Mrs.Marann Silvia < marannsilv...@gmail.com> wrote:
>> Good day my dear,
>> How are you doing and your family.I am Mrs.Marann Silvia,a sick widow writing from one of the America hospitals.I am suffering from a long time cancer of breast,my health situation is becoming worse,my life is no longer guaranteed hence i want to make this solemn donation.I want to donate my money to help the orphans, widows and handicap people through you because there is no more time left for me on this earth.I take this decision because i have no child who will inherit my wealth after my death.Please,i need your urgent reply so that i can tell you more on how you will handle my wish before i die.I will be waiting to hear from you immediately by God grace amen,
>> yours sincerely.
>> Mrs.Marann Silvia

-- 
Opinions above are GNU-copylefted.
Re: Fw: spam from gmail.com
On 2021-11-11 13:56, Greg Troxel wrote:
> Philipp Ewald writes:
>> You can report it. Gmail is on DNSWL
>>
>> @gmail.com>
>> RCVD_IN_DNSWL_MED=-2.3
>>
>> https://www.dnswl.org/?page_id=17
>>
>> As far as i know DNSWL is used by default
>
> I've ended up giving a point each to FREEMAIL_FROM and TO_GMAIL, which sort of nulls that out.
>
> It would be really nice if there were an easy way to exclude a domain from whitelist checks.

add

  freemail_whitelist gmail.com

to local.cf

its not a whitelist, more a skip gmail.com as a freemail if that changes anything

i begin to add score more than default score to freemail hits, which imho is more desirable than classing it not freemail
Re: Fw: spam from gmail.com
Philipp Ewald writes:

> You can report it. Gmail is on DNSWL
>
> @gmail.com>
> RCVD_IN_DNSWL_MED=-2.3
>
> https://www.dnswl.org/?page_id=17
>
> As far as i know DNSWL is used by default

I've ended up giving a point each to FREEMAIL_FROM and TO_GMAIL, which sort of nulls that out.

It would be really nice if there were an easy way to exclude a domain from whitelist checks.
Re: Fw: spam from gmail.com
This is _exactly_ why I zero out whitelists. A decent portion of spam being rejected here is from gmail, far more than from outlook and co. Trust can only be earned, not bought and not assumed; whitelists should have no place in SA, and why always use clear_uridnsbl_skip_domain

On 11/11/2021 21:19, Philipp Ewald wrote:
> You can report it. Gmail is on DNSWL

-- 
Regards,
Noel Butler
Re: Fw: spam from gmail.com
You can report it. Gmail is on DNSWL

@gmail.com>
RCVD_IN_DNSWL_MED=-2.3

https://www.dnswl.org/?page_id=17

As far as i know DNSWL is used by default

On 11/8/21 7:27 PM, Rupert Gallagher wrote:
> Spammers are using gmail.com. Congratulations to Google for their fine work...
>
> Original Message
> On Nov 8, 2021, 10:42, Mrs.Marann Silvia < marannsilv...@gmail.com> wrote:
> [...]

-- 
Philipp Ewald
Administrator, DigiOnline GmbH
Re: Fw: spam from gmail.com
On 11/9/2021 9:28 AM, Alan wrote:
> This is why I flood their abuse box with reports: problem comes back. Eventually some brain cell will realize that it's not doing much for their brand. Moments later it will become an Important Issue, because brand is everything these days.

These nice gmail users will sell anything from "Seen on TV" to Tee-Shirts to length increasing products. Probably all associated with one happy Vietnamese family that sleeps in a warehouse or parking lot along San Jose's Tasman Drive. At least that is how things were the last time I was there, about 11 years ago.

Whatever, I'd recommend just making a note of about how much time you spend dealing with Gmail user spam. Google's well aware of these problems and at some point, they'll have to account for the damages their service does to others.

Funny story: So, it's the early 90's and I fly into San Fran. I'm to meet the next day with one of our (newer) Development Engineers. I'd never met him before, although we had talked many times on the phone. "Just grab a table and call me for breakfast", he says. No problem, I thought. Stupidly the next morning, I go to the Front Desk and ask for Mr. Pin Lo Chen. The clerk types away on his keyboard then replied, "Sir, we have 11 Pin Lo Chens on staff, and 5 guests by that name. Can you be more specific?" I just sat down and ordered breakfast when the "real" Pin Lo Chen found me. First thing he says is, "Why didn't you call me?"

-- 
Jared Hall
Re: Fw: spam from gmail.com
This is why I flood their abuse box with reports: problem comes back. Eventually some brain cell will realize that it's not doing much for their brand. Moments later it will become an Important Issue, because brand is everything these days.

On 2021-11-09 08:49, Jared Hall wrote:
> On 11/8/2021 11:36 PM, Peter wrote:
>> It seems that people aren't taking google as seriously any more. First came Freemail. Then came SpamAssassin.
>
> I DO think that people take Google seriously. There are just so many ways to deal with this problem - none of which is better than any other.
>
> Google touts their AI capabilities with Spam. Too bad they don't scan their outbound email. Instead, they seem to have adopted a cowardly philosophy that an old C&P Telephone tech conveyed to me decades ago: "Problem's leaving here fine!"
>
> Google should practice what they preach: SANITIZE USER INPUT. Instead, their careless attitude presents a security threat to us all.
>
> -- 
> Jared Hall

-- 
For SpamAsassin Users List
Re: Fw: spam from gmail.com
On 11/8/2021 11:36 PM, Peter wrote:
> It seems that people aren't taking google as seriously any more. First came Freemail. Then came SpamAssassin.

I DO think that people take Google seriously. There are just so many ways to deal with this problem - none of which is better than any other.

Google touts their AI capabilities with Spam. Too bad they don't scan their outbound email. Instead, they seem to have adopted a cowardly philosophy that an old C&P Telephone tech conveyed to me decades ago: "Problem's leaving here fine!"

Google should practice what they preach: SANITIZE USER INPUT. Instead, their careless attitude presents a security threat to us all.

-- 
Jared Hall
Re: Fw: spam from gmail.com
On Mon, 2021-11-08 at 18:27, Rupert Gallagher wrote:
> Spammers are using gmail.com. Congratulations to Google for their fine work...

The more 'enterprising' ones are apparently sex come-ons, but contain links to known-malicious URL shorteners.

Martin
Re: Fw: spam from gmail.com
A real spike lately, too. Send messages with full headers to ab...@gmail.com. It might be a bit bucket since I've never heard anything back, but it can't hurt.

On 2021-11-08 13:27, Rupert Gallagher wrote:
> Spammers are using gmail.com. Congratulations to Google for their fine work...
>
> Original Message
> On Nov 8, 2021, 10:42, Mrs.Marann Silvia < marannsilv...@gmail.com> wrote:
> [...]