Re: Multiple RBLs and dynamic IPs

2016-05-31 Thread Reindl Harald



On 31.05.2016 at 10:43, Matus UHLAR - fantomas wrote:

On 30 May 2016, at 15:07, Alex wrote:

Yeah, that's it exactly. Particularly overseas where it doesn't appear
NAT and/or submission are used as readily as they are here.



On 31.05.2016 at 03:09, Bill Cole wrote:

Irrelevant in this case because if you trust that header not to be an
intentionally deceptive lie, the receiving server claims the mail was
received with authentication, making it very unlikely that the message
is spam


On 31.05.16 10:30, Reindl Harald wrote:

you can not trust any header not written by your own MTA and hence all
that deep header parsing is nonsense with any score above 0.01 or
below -0.01


why? If someone fakes a clear spammy sign, I see no point in giving them
a higher score


the why is well explained by the FSL deep-header crap in the last few
months, and why a Received header in the middle is wrong for RBL lookups
was excessively explained in that thread, just read it




signature.asc
Description: OpenPGP digital signature


Re: Multiple RBLs and dynamic IPs

2016-05-31 Thread Matus UHLAR - fantomas

On 30 May 2016, at 15:07, Alex wrote:

Yeah, that's it exactly. Particularly overseas where it doesn't appear
NAT and/or submission are used as readily as they are here.



On 31.05.2016 at 03:09, Bill Cole wrote:

Irrelevant in this case because if you trust that header not to be an
intentionally deceptive lie, the receiving server claims the mail was
received with authentication, making it very unlikely that the message
is spam


On 31.05.16 10:30, Reindl Harald wrote:
you can not trust any header not written by your own MTA and hence 
all that deep header parsing is nonsense with any score above 0.01 or 
below -0.01


why? If someone fakes a clear spammy sign, I see no point in giving them
a higher score.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Linux - It's now safe to turn on your computer.
Linux - Now you can turn on your computer without worry.


Re: Multiple RBLs and dynamic IPs

2016-05-31 Thread Reindl Harald



On 31.05.2016 at 03:09, Bill Cole wrote:

On 30 May 2016, at 15:07, Alex wrote:


Yeah, that's it exactly. Particularly overseas where it doesn't appear
NAT and/or submission are used as readily as they are here.


Irrelevant in this case because if you trust that header not to be an
intentionally deceptive lie, the receiving server claims the mail was
received with authentication, making it very unlikely that the message
is spam


you can not trust any header not written by your own MTA and hence all 
that deep header parsing is nonsense with any score above 0.01 or below 
-0.01






Re: Multiple RBLs and dynamic IPs

2016-05-30 Thread Bill Cole

On 30 May 2016, at 15:07, Alex wrote:


Yeah, that's it exactly. Particularly overseas where it doesn't appear
NAT and/or submission are used as readily as they are here.


Irrelevant in this case because if you trust that header not to be an 
intentionally deceptive lie, the receiving server claims the mail was 
received with authentication, making it very unlikely that the message 
is spam. That is what "with esmtpa" in an Exim Received header means, 
and your other rule hits indicate that you trust 116.251.209.92 
(vio1.naveca.biz) so I don't quite get why this didn't also hit 
"ALL_TRUSTED" and why SA is doing DNSBL checks on the authenticated 
client of a trusted host.


And in ANY case, getting *a customer* to use port 587 submission with 
authentication over an encrypted channel directly to your server instead 
of trusting an intermediate machine that maybe should not be trusted 
should not be hard. Even shoddy PHP mailing scripts these days can 
handle it. If you are nominally selling any sort of email service to 
that customer and not requiring them to submit through your server to be 
treated as a trusted customer, you're making a mistake.



So even though that IP is on virtually every blacklist, you wouldn't
add any points? And there's nothing further the user could do to fix
the problem, given the dynamic nature of the IP?


I think there's a more complex problem in this case that is not evident 
in a single Received header and list of SA hits.


Note that the IP you are worried about was, at the time you scanned its 
output, and still is today, either itself a badly compromised system or 
a shared NAT address with one or more compromised systems behind it, 
and either way it is an ongoing source of spam of the worst sorts to 
the outside world. It isn't listed because it's a dynamic IP, it's 
listed because it's an active ongoing spamming IP.


(and to answer the original question: I don't trust other people's mail 
servers to tell me the truth about where they get mail, so my SA 
instances don't ever hit those rules. However, I would NEVER make a 
mailspike 'none' listing contribute to anything at all, even as a meta 
rule. LOC_MULTI_RBL seems like a bad idea, whatever it is...)
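The Received-chain logic Bill Cole and Reindl Harald are arguing about, as an added example that is not part of the thread and not SpamAssassin's own code: walk the chain newest-first, stop at the first hop outside the trusted networks (the last-external relay), never look up anything deeper in the chain, and skip the client altogether when the trusted host reports that it authenticated ("with esmtpa", an RFC 3848 keyword). The second Received header is the one quoted in the thread; the first header and the host name mx.example.invalid are constructed to stand in for the receiving MX.

```python
"""Which relay IP may a DNSBL rule score?  (added example, not SpamAssassin code)

Policy implemented here, as argued in the thread: look up only the "last
external" relay, i.e. the first hop outside your trusted networks; never IPs
deeper in the Received chain ("deep header" lookups); and skip the client when
a trusted host reports that it authenticated (RFC 3848 "with esmtpa"), because
that client is a submission user, not a mail server.
"""
import ipaddress
import re

# RFC 3848 "with" keywords that denote SMTP AUTH was used on that hop.
AUTHENTICATED_PROTOS = {"esmtpa", "esmtpsa", "lmtpa", "lmtpsa"}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)")

# Constructed sample chain, newest hop first.  The second header is the one
# quoted in the thread; the first is an assumed hop onto our own MX
# (mx.example.invalid is a placeholder, not a host from the thread).
RECEIVED = [
    "from vio1.naveca.biz (vio1.naveca.biz [116.251.209.92]) "
    "by mx.example.invalid (Postfix) with ESMTPS",
    "from [180.178.104.22] (port=51022 helo=CapriciousDude) "
    "by vio1.naveca.biz with esmtpa (Exim 4.87)",
]


def parse_received(header):
    """Return (client_ip, lower-cased 'with' keyword) for one Received header."""
    ip_m = IP_RE.search(header)
    with_m = WITH_RE.search(header)
    ip = ip_m.group(1) if ip_m else None
    proto = with_m.group(1).lower() if with_m else None
    return ip, proto


def is_trusted(ip, trusted_networks):
    """True if ip falls inside any CIDR string in trusted_networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in trusted_networks)


def dnsbl_scoring_ip(received, trusted_networks):
    """Walk newest-first and stop at the first hop outside trusted_networks.

    Returns a dict with last_external (ip or None), score_dnsbl (bool) and a
    reason.  Everything beyond that hop is "deep header" and is never looked up.
    """
    for header in received:
        ip, proto = parse_received(header)
        if ip is None:
            return {"last_external": None, "score_dnsbl": False,
                    "reason": "unparseable Received header"}
        if is_trusted(ip, trusted_networks):
            continue  # still inside our boundary; keep walking
        if proto in AUTHENTICATED_PROTOS:
            # The trusted host itself says this client authenticated: it is a
            # submission user on a NAT/dynamic address, not a mail server, so
            # its listings say nothing about this message.
            return {"last_external": ip, "score_dnsbl": False,
                    "reason": "authenticated client of a trusted relay"}
        return {"last_external": ip, "score_dnsbl": True,
                "reason": "first untrusted relay"}
    return {"last_external": None, "score_dnsbl": False,
            "reason": "all relays trusted"}


if __name__ == "__main__":
    # vio1 trusted, as Bill Cole infers from the other rule hits:
    print(dnsbl_scoring_ip(RECEIVED, ["116.251.209.92/32"]))
    # nothing trusted: the forwarder itself is the last-external hop
    print(dnsbl_scoring_ip(RECEIVED, []))
```

With vio1.naveca.biz in the trusted list the function stops at 180.178.104.22 but refuses to score it, which is the outcome Bill Cole expected; with an empty trusted list the forwarder 116.251.209.92 is the last-external hop and the only one eligible for lookups, which is Reindl Harald's "check the last-external" rule.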


Re: Multiple RBLs and dynamic IPs

2016-05-30 Thread Reindl Harald



On 31.05.2016 at 00:59, Reindl Harald wrote:



On 31.05.2016 at 00:57, Reindl Harald wrote:

On 31.05.2016 at 00:49, Alex wrote:

Hi,


So I created the RCVD_IN_XBL_ALL "deep header" rule and have since
reduced its score. However, there's still RCVD_IN_BL_SPAMCOP_NET as
part of the default ruleset, which I could of course change, but it's
scored 1.3 by default for that same "deep header" IP address.

Does that rule deserve some attention to determine whether it should
also be reduced by default for the same reason as the SBL/XBL rule?


DUNNO - we disabled all internal RBL's (except mailspike) from start
because we feed postscreen and spamassassin from the same webinterface
with different scores for both but same lists (and some of them are
mirrored on the local rbldnsd with different names in the own domain)


So then what were all those RBLs you listed initially with their
weights? bl.spamcop.net was among them...


can't say initially - maintained starting summer 2014 - current state

don't use anything ending with "thelounge.net", our public nameservers
always answer with 127.0.0.2 to stop users who blindly copy,
because they have no access to those zones and there was a lot of useless
response-rate-limiting

in case of mirrored zones the alias contains the real list

hopefully that gets displayed in the mail in a somehow usable way


did not - attached as textfile this time


below some numbers from the current month showing why postscreen in 
front is that important (at the moment 250 MHz CPU usage on the virtual 
machine with 2% for journald/rsyslog writing maillog) for performance 
while the 434722 dnsbl-rejects are only a small part of the game


the "Hangup: 665860" did not wait for the result at all and closed 
connection because "postscreen_greet_wait = ${stress?2}${stress:12}s"


70% of all that crap is from the last 7 days where numbers started to 
explode, on the inbound-mx as well as on our honeypot network 
blacklisted currently 5 ip's while normally 15000-2 and lists at 
the moment 21161 blacklistings refreshed within the last 24 hours


BAYES_00    27216   73.67 %
BAYES_05      804    2.17 %
BAYES_20     1067    2.88 %
BAYES_40      901    2.43 %
BAYES_50     3110    8.41 %
BAYES_60      358    0.96 %    8.91 % (OF TOTAL BLOCKED)
BAYES_80      347    0.93 %    8.64 % (OF TOTAL BLOCKED)
BAYES_95      293    0.79 %    7.29 % (OF TOTAL BLOCKED)
BAYES_99     2845    7.70 %   70.84 % (OF TOTAL BLOCKED)
BAYES_999    2503    6.77 %   62.32 % (OF TOTAL BLOCKED)

DNSWL          52213   94.10 %
SPF            36458   65.70 %
SPF/DKIM WL    16232   29.25 %
SHORTCIRCUIT   18515   33.36 %

BLOCKED         4016    7.23 %
SPAMMY          3843    6.92 %   95.69 % (OF TOTAL BLOCKED)

spamhaus.org           321543
sorbs.net               60687
inps.de                 35828
barracudacentral.org     9023
thelounge.net            5255
junkemailfilter.com       939
psbl.org                  437
manitu.net                380
senderscore.com           234
mailspike.net             217
spamcannibal.org          102
spamcop.net                70
swinog.ch                   7
=============================
Total DNSBL rejections: 434722

Connections:        806720
Postscreen WL:       29636 (3.67 %)
Delivered:           52751
Blocked:            753969
Invalid User:         7288
Disallowed User:        12
Reject Postscreen:  438583
Reject Postfix:      15419
Reject Milter:        4201
Reject Temporary:     1266
Greylisted:           1464
Blacklist:          436079
Pregreet:            43449
Hangup:             665860
Protocol Error:       1247
Illegal Syntax:          7
SpamAssassin:         4016
Virus (Milter):        180
Virus (SA):             97
Helo:                 1644
Subject:               248
From:                   65
Attachment:             62
Header Length:          22
Sender Regex:           90
Sender Blocked:        237
Sender Verify:         168
Sender Invalid:       1460
Sender Spoofed:         96
Sender Parked:          13
Spam-TLD:              328
PTR Missing:           297
PTR Generic:           499
SPF:                   494






Re: Multiple RBLs and dynamic IPs

2016-05-30 Thread Reindl Harald



On 31.05.2016 at 00:57, Reindl Harald wrote:

On 31.05.2016 at 00:49, Alex wrote:

Hi,


So I created the RCVD_IN_XBL_ALL "deep header" rule and have since
reduced its score. However, there's still RCVD_IN_BL_SPAMCOP_NET as
part of the default ruleset, which I could of course change, but it's
scored 1.3 by default for that same "deep header" IP address.

Does that rule deserve some attention to determine whether it should
also be reduced by default for the same reason as the SBL/XBL rule?


DUNNO - we disabled all internal RBL's (except mailspike) from start
because we feed postscreen and spamassassin from the same webinterface
with different scores for both but same lists (and some of them are
mirrored on the local rbldnsd with different names in the own domain)


So then what were all those RBLs you listed initially with their
weights? bl.spamcop.net was among them...


can't say initially - maintained starting summer 2014 - current state

don't use anything ending with "thelounge.net", our public nameservers
always answer with 127.0.0.2 to stop users who blindly copy,
because they have no access to those zones and there was a lot of useless
response-rate-limiting

in case of mirrored zones the alias contains the real list

hopefully that gets displayed in the mail in a somehow usable way


did not - attached as textfile this time


+----------------------------------+--------+--------------------+-------------------------------+----------+---------------------------+
| name                             | weight | resp               | alias                         | sa_weigt | sa_resp                   |
+----------------------------------+--------+--------------------+-------------------------------+----------+---------------------------+
| dnsbl.thelounge.net              |     16 | 127.0.0.2          | dnsbl.thelounge.net           |        7 | ^127\.0\.0\.2$            |
| dnsbl.sorbs.net                  |      9 | 127.0.0.10         | dul.dnsbl.sorbs.net           |      6.5 | ^127\.0\.0\.10$           |
| dnsbl.sorbs.net                  |      9 | 127.0.0.14         | noserver.dnsbl.sorbs.net      |      6.5 | ^127\.0\.0\.14$           |
| zen.spamhaus.org                 |      8 | 127.0.0.[10;11]    | pbl.spamhaus.org              |      6.5 | ^127\.0\.0\.1[01]$        |
| zen.spamhaus.org                 |      7 | 127.0.0.[4..7]     | xbl.spamhaus.org              |      5.5 | ^127\.0\.0\.[4-7]$        |
| dnsbl.sorbs.net                  |      7 | 127.0.0.5          | smtp.dnsbl.sorbs.net          |      5.5 | ^127\.0\.0\.5$            |
| b.barracudacentral.org           |      7 | 127.0.0.2          | b.barracudacentral.org        |        5 | ^127\.0\.0\.2$            |
| zen.spamhaus.org                 |      7 | 127.0.0.3          | css.spamhaus.org              |        5 | ^127\.0\.0\.3$            |
| dnsbl.inps.de                    |      7 | 127.0.0.2          | dnsbl.inps.de                 |        5 | ^127\.0\.0\.2$            |
| dnsbl-ix.thelounge.net           |      4 | 127.0.0.2          | ix.dnsbl.manitu.net           |      2.5 | ^127\.0\.0\.2$            |
| dnsbl.sorbs.net                  |      4 | 127.0.0.7          | web.dnsbl.sorbs.net           |      4.5 | ^127\.0\.0\.7$            |
| bl.spamcop.net                   |      4 | 127.0.0.2          | bl.spamcop.net                |      2.5 | ^127\.0\.0\.2$            |
| bl.mailspike.net                 |      4 | 127.0.0.2          | z.mailspike.net               |        0 |                           |
| bl.mailspike.net                 |      4 | 127.0.0.[10;11;12] | bl.mailspike.net              |        0 |                           |
| hostkarma.junkemailfilter.com    |      4 | 127.0.0.2          | hostkarma.junkemailfilter.com |      3.5 | ^127\.0\.0\.2$            |
| dnsbl-surriel.thelounge.net      |      4 | 127.0.0.2          | psbl.surriel.com              |      2.5 | ^127\.0\.0\.2$            |
| bl.spameatingmonkey.net          |      4 | 127.0.0.[2;3]      | bl.spameatingmonkey.net       |      2.5 | ^127\.0\.0\.[23]$         |
| dnsrbl.swinog.ch                 |      4 | 127.0.0.3          | dnsrbl.swinog.ch              |      2.5 | ^127\.0\.0\.3$            |
| dnsbl-spamcannibal.thelounge.net |      3 | 127.0.0.2          | bl.spamcannibal.org           |      1.5 | ^127\.0\.0\.2$            |
| dnsbl.sorbs.net                  |      3 | 127.0.0.6          | spam.dnsbl.sorbs.net          |      1.5 | ^127\.0\.0\.6$            |
| score.senderscore.com            |      3 | 127.0.4.[0..20]    | senderscore.com High          |      1.5 | ^127\.0\.4\.(1?[0-9]|20)$ |
| zen.spamhaus.org                 |      3 | 127.0.0.2          | sbl.spamhaus.org              |      1.5 | ^127\.0\.0\.2$            |
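The resp column of the table above is Postfix postscreen_dnsbl_sites filter syntax (127.0.0.[4..7], 127.0.0.[10;11]) and the sa_resp column holds the equivalent anchored regexes for the SpamAssassin side. What follows is an added example, not code from the thread, from Postfix or from SpamAssassin: it encodes a subset of that table and shows how a single query against a combined zone such as zen.spamhaus.org can return several A records and so hit several sub-lists with different weights, and how the mailspike rows with sa_weigt 0 and an empty sa_resp count for postscreen only. The answer set is constructed; no DNS is queried.

```python
"""Map DNSBL answer codes to per-list weights (added example, not from the thread).

Weights and codes are taken from the table in the thread for a handful of
zones.  Everything is evaluated offline against a constructed answer set.
"""
import re

# (alias, postscreen answer codes, postscreen weight, SA answer regex, SA weight)
# The mailspike rows have sa_weigt 0 and no sa_resp: postscreen-only lists.
ZONES = {
    "zen.spamhaus.org": [
        ("sbl.spamhaus.org", {"127.0.0.2"}, 3, r"^127\.0\.0\.2$", 1.5),
        ("css.spamhaus.org", {"127.0.0.3"}, 7, r"^127\.0\.0\.3$", 5.0),
        ("xbl.spamhaus.org", {"127.0.0.4", "127.0.0.5", "127.0.0.6", "127.0.0.7"},
         7, r"^127\.0\.0\.[4-7]$", 5.5),
        ("pbl.spamhaus.org", {"127.0.0.10", "127.0.0.11"}, 8, r"^127\.0\.0\.1[01]$", 6.5),
    ],
    "dnsbl.sorbs.net": [
        ("smtp.dnsbl.sorbs.net", {"127.0.0.5"}, 7, r"^127\.0\.0\.5$", 5.5),
        ("spam.dnsbl.sorbs.net", {"127.0.0.6"}, 3, r"^127\.0\.0\.6$", 1.5),
        ("web.dnsbl.sorbs.net", {"127.0.0.7"}, 4, r"^127\.0\.0\.7$", 4.5),
        ("dul.dnsbl.sorbs.net", {"127.0.0.10"}, 9, r"^127\.0\.0\.10$", 6.5),
        ("noserver.dnsbl.sorbs.net", {"127.0.0.14"}, 9, r"^127\.0\.0\.14$", 6.5),
    ],
    "bl.spamcop.net": [
        ("bl.spamcop.net", {"127.0.0.2"}, 4, r"^127\.0\.0\.2$", 2.5),
    ],
    "bl.mailspike.net": [
        ("z.mailspike.net", {"127.0.0.2"}, 4, None, 0.0),
        ("bl.mailspike.net", {"127.0.0.10", "127.0.0.11", "127.0.0.12"}, 4, None, 0.0),
    ],
}


def dnsbl_query_name(ip, zone):
    """Standard DNSBL query name: the IPv4 octets reversed under the zone."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError("IPv4 dotted quad expected")
    return ".".join(reversed(octets)) + "." + zone


def classify(zone, answers):
    """Return [(alias, postscreen_weight, sa_weight)] for the A records returned.

    A combined zone may return several A records at once (e.g. XBL and PBL),
    so one query can hit several sub-lists.  A sub-list with no SA regex
    contributes to postscreen only.
    """
    hits = []
    for alias, ps_codes, ps_weight, sa_regex, sa_weight in ZONES[zone]:
        ps_hit = any(a in ps_codes for a in answers)
        sa_hit = sa_regex is not None and any(re.match(sa_regex, a) for a in answers)
        if ps_hit or sa_hit:
            hits.append((alias, ps_weight if ps_hit else 0, sa_weight if sa_hit else 0.0))
    return hits


def totals(answers_by_zone):
    """Sum postscreen and SA weights over all zones queried for one client."""
    ps_total, sa_total = 0, 0.0
    for zone, answers in answers_by_zone.items():
        for _alias, ps_w, sa_w in classify(zone, answers):
            ps_total += ps_w
            sa_total += sa_w
    return ps_total, sa_total


# Constructed answer set for one client (made up, not a real lookup result).
SAMPLE_ANSWERS = {
    "zen.spamhaus.org": ["127.0.0.4", "127.0.0.11"],   # XBL and PBL at once
    "bl.spamcop.net": ["127.0.0.2"],
    "bl.mailspike.net": ["127.0.0.2"],                 # postscreen-only list
}

if __name__ == "__main__":
    print(dnsbl_query_name("180.178.104.22", "zen.spamhaus.org"))
    for zone, answers in SAMPLE_ANSWERS.items():
        print(zone, classify(zone, answers))
    print("postscreen / SA totals:", totals(SAMPLE_ANSWERS))
```

The postscreen total is the number postscreen would compare against postscreen_dnsbl_threshold, while the SA total is what the same listings would add to the message score; keeping the two columns in one table, as the thread's setup does, is what lets the same list be rejected hard in front and scored softly behind.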

Re: Multiple RBLs and dynamic IPs

2016-05-30 Thread Reindl Harald



On 31.05.2016 at 00:49, Alex wrote:

Hi,


So I created the RCVD_IN_XBL_ALL "deep header" rule and have since
reduced its score. However, there's still RCVD_IN_BL_SPAMCOP_NET as
part of the default ruleset, which I could of course change, but it's
scored 1.3 by default for that same "deep header" IP address.

Does that rule deserve some attention to determine whether it should
also be reduced by default for the same reason as the SBL/XBL rule?


DUNNO - we disabled all internal RBL's (except mailspike) from start because
we feed postscreen and spamassassin from the same webinterface with
different scores for both but same lists (and some of them are mirrored on
the local rbldnsd with different names in the own domain)


So then what were all those RBLs you listed initially with their
weights? bl.spamcop.net was among them...


can't say initially - maintained starting summer 2014 - current state

don't use anything ending with "thelounge.net", our public nameservers 
always answer with 127.0.0.2 to stop users who blindly copy, 
because they have no access to those zones and there was a lot of useless 
response-rate-limiting


in case of mirrored zones the alias contains the real list

hopefully that gets displayed in the mail in a somehow usable way

+----------------------------------+--------+--------------------+-------------------------------+----------+---------------------------+
| name                             | weight | resp               | alias                         | sa_weigt | sa_resp                   |
+----------------------------------+--------+--------------------+-------------------------------+----------+---------------------------+
| dnsbl.thelounge.net              |     16 | 127.0.0.2          | dnsbl.thelounge.net           |        7 | ^127\.0\.0\.2$            |
| dnsbl.sorbs.net                  |      9 | 127.0.0.10         | dul.dnsbl.sorbs.net           |      6.5 | ^127\.0\.0\.10$           |
| dnsbl.sorbs.net                  |      9 | 127.0.0.14         | noserver.dnsbl.sorbs.net      |      6.5 | ^127\.0\.0\.14$           |
| zen.spamhaus.org                 |      8 | 127.0.0.[10;11]    | pbl.spamhaus.org              |      6.5 | ^127\.0\.0\.1[01]$        |
| zen.spamhaus.org                 |      7 | 127.0.0.[4..7]     | xbl.spamhaus.org              |      5.5 | ^127\.0\.0\.[4-7]$        |
| dnsbl.sorbs.net                  |      7 | 127.0.0.5          | smtp.dnsbl.sorbs.net          |      5.5 | ^127\.0\.0\.5$            |
| b.barracudacentral.org           |      7 | 127.0.0.2          | b.barracudacentral.org        |        5 | ^127\.0\.0\.2$            |
| zen.spamhaus.org                 |      7 | 127.0.0.3          | css.spamhaus.org              |        5 | ^127\.0\.0\.3$            |
| dnsbl.inps.de                    |      7 | 127.0.0.2          | dnsbl.inps.de                 |        5 | ^127\.0\.0\.2$            |
| dnsbl-ix.thelounge.net           |      4 | 127.0.0.2          | ix.dnsbl.manitu.net           |      2.5 | ^127\.0\.0\.2$            |
| dnsbl.sorbs.net                  |      4 | 127.0.0.7          | web.dnsbl.sorbs.net           |      4.5 | ^127\.0\.0\.7$            |
| bl.spamcop.net                   |      4 | 127.0.0.2          | bl.spamcop.net                |      2.5 | ^127\.0\.0\.2$            |
| bl.mailspike.net                 |      4 | 127.0.0.2          | z.mailspike.net               |        0 |                           |
| bl.mailspike.net                 |      4 | 127.0.0.[10;11;12] | bl.mailspike.net              |        0 |                           |
| hostkarma.junkemailfilter.com    |      4 | 127.0.0.2          | hostkarma.junkemailfilter.com |      3.5 | ^127\.0\.0\.2$            |
| dnsbl-surriel.thelounge.net      |      4 | 127.0.0.2          | psbl.surriel.com              |      2.5 | ^127\.0\.0\.2$            |
| bl.spameatingmonkey.net          |      4 | 127.0.0.[2;3]      | bl.spameatingmonkey.net       |      2.5 | ^127\.0\.0\.[23]$         |
| dnsrbl.swinog.ch                 |      4 | 127.0.0.3          | dnsrbl.swinog.ch              |      2.5 | ^127\.0\.0\.3$            |
| dnsbl-spamcannibal.thelounge.net |      3 | 127.0.0.2          | bl.spamcannibal.org           |      1.5 | ^127\.0\.0\.2$            |
| dnsbl.sorbs.net                  |      3 | 127.0.0.6          | spam.dnsbl.sorbs.net          |      1.5 | ^127\.0\.0\.6$            |
| score.senderscore.com            |      3 | 127.0.4.[0..20]    | senderscore.com High          |      1.5 | ^127\.0\.4\.(1?[0-9]|20)$ |
| zen.spamhaus.org                 |      3 | 127.0.0.2          | sbl.spamhaus.org              |      1.5 | ^127\.0\.0\.2$            |
| hostkarma.junkemailfilter.com    |      2 | 127.0.0.4          |

Re: Multiple RBLs and dynamic IPs

2016-05-30 Thread Alex
Hi,

>> So I created the RCVD_IN_XBL_ALL "deep header" rule and have since
>> reduced its score. However, there's still RCVD_IN_BL_SPAMCOP_NET as
>> part of the default ruleset, which I could of course change, but it's
>> scored 1.3 by default for that same "deep header" IP address.
>>
>> Does that rule deserve some attention to determine whether it should
>> also be reduced by default for the same reason as the SBL/XBL rule?
>
> DUNNO - we disabled all internal RBL's (except mailspike) from start because
> we feed postscreen and spamassassin from the same webinterface with
> different scores for both but same lists (and some of them are mirrored on
> the local rbldnsd with different names in the own domain)

So then what were all those RBLs you listed initially with their
weights? bl.spamcop.net was among them...




Re: Multiple RBLs and dynamic IPs

2016-05-30 Thread Reindl Harald



On 30.05.2016 at 21:49, Alex wrote:

Yeah, that's it exactly. Particularly overseas where it doesn't appear
NAT and/or submission are used as readily as they are here.



with carrier grade NAT and "DS-Lite" aka "public ipv6 but NAT ipv4" becoming
more and more common the problem is and will be growing fast


So even though that IP is on virtually every blacklist, you wouldn't
add any points? And there's nothing further the user could do to fix
the problem, given the dynamic nature of the IP?


no, see above

with enough blacklists in the scoring for last-external you get the
offending mailservers with hacked useraccounts blacklisted fast enough and
in many cases faster because the submission ip's of a hacked account are
changing fast

saw that the very few times it happened for customers of us where the
submission clients came from all over the world - because of rate-limiting
and a good monitoring of the mailqueue (how many mails are queued to the
outside world) it was each time a short enough timeframe to shut down the
affected account and avoid blacklisting (some abuse reports answered
promptly)

so at the end of the day it's enough to check the last-external for good
results and not affect innocent clients which got a dynamic address abused 30
minutes before by a different enduser or by a user sitting behind the same
ISP NAT


So I created the RCVD_IN_XBL_ALL "deep header" rule and have since
reduced its score. However, there's still RCVD_IN_BL_SPAMCOP_NET as
part of the default ruleset, which I could of course change, but it's
scored 1.3 by default for that same "deep header" IP address.

Does that rule deserve some attention to determine whether it should
also be reduced by default for the same reason as the SBL/XBL rule?


DUNNO - we disabled all internal RBL's (except mailspike) from start 
because we feed postscreen and spamassassin from the same webinterface 
with different scores for both but same lists (and some of them are 
mirrored on the local rbldnsd with different names in the own domain)







Re: Multiple RBLs and dynamic IPs

2016-05-30 Thread Alex
Hi,

>> Yeah, that's it exactly. Particularly overseas where it doesn't appear
>> NAT and/or submission are used as readily as they are here.
>
>
> with carrier grade NAT and "DS-Lite" aka "public ipv6 but NAT ipv4" becoming
> more and more common the problem is and will be growing fast
>
>> So even though that IP is on virtually every blacklist, you wouldn't
>> add any points? And there's nothing further the user could do to fix
>> the problem, given the dynamic nature of the IP?
>
>
> no, see above
>
> with enough blacklists in the scoring for last-external you get the
> offending mailservers with hacked useraccounts blacklisted fast enough and
> in many cases faster because the submission ip's of a hacked account are
> changing fast
>
> saw that the very few times it happened for customers of us where the
> submission clients came from all over the world - because of rate-limiting
> and a good monitoring of the mailqueue (how many mails are queued to the
> outside world) it was each time a short enough timeframe to shut down the
> affected account and avoid blacklisting (some abuse reports answered
> promptly)
>
> so at the end of the day it's enough to check the last-external for good
> results and not affect innocent clients which got a dynamic address abused 30
> minutes before by a different enduser or by a user sitting behind the same
> ISP NAT

So I created the RCVD_IN_XBL_ALL "deep header" rule and have since
reduced its score. However, there's still RCVD_IN_BL_SPAMCOP_NET as
part of the default ruleset, which I could of course change, but it's
scored 1.3 by default for that same "deep header" IP address.

Does that rule deserve some attention to determine whether it should
also be reduced by default for the same reason as the SBL/XBL rule?

Thanks,
Alex



Re: Multiple RBLs and dynamic IPs

2016-05-30 Thread Reindl Harald



On 30.05.2016 at 21:07, Alex wrote:

it's nonsense to give points for dynamic enduser machines, they are
*typically* on a lot of blacklists and the users behind are changing all the
time

when you want to know why - try to use sbl-xbl as suggested by spiderlabs
for a web-application-firewall; I did that *only* for form-submissions and
reverted it after a few hours on a sunday because of support hell with no good
excuse


Yeah, that's it exactly. Particularly overseas where it doesn't appear
NAT and/or submission are used as readily as they are here.


with carrier grade NAT and "DS-Lite" aka "public ipv6 but NAT ipv4" 
becoming more and more common the problem is and will be growing fast



So even though that IP is on virtually every blacklist, you wouldn't
add any points? And there's nothing further the user could do to fix
the problem, given the dynamic nature of the IP?


no, see above

with enough blacklists in the scoring for last-external you get the 
offending mailservers with hacked useraccounts blacklisted fast enough 
and in many cases faster because the submission ip's of a hacked account 
are changing fast


saw that the very few times it happened for customers of us where the 
submission clients came from all over the world - because of 
rate-limiting and a good monitoring of the mailqueue (how many mails are 
queued to the outside world) it was each time a short enough timeframe 
to shut down the affected account and avoid blacklisting (some abuse 
reports answered promptly)


so at the end of the day it's enough to check the last-external for good 
results and not affect innocent clients which got a dynamic address 
abused 30 minutes before by a different enduser or by a user sitting 
behind the same ISP NAT






Re: Multiple RBLs and dynamic IPs

2016-05-30 Thread Alex
Hi,

>>>>> "RCVD_IN_XBL_ALL" smells like deep header inspection
>>>>>
>>>> The question was:
>>>>
>>>>   "How many points do you add to an email that  *originated*
>>>>    from a dynamic IP that [is] on a number of blacklists?"
>>>
>>>
>>> no - that was the question of the OP
>>> i responded long ago with config values
>>
>>
>> You're probably misunderstanding the precise meaning of "originated".
>
>
> well *no points at all* if we talk about the client using a submission
> server and not about the server itself delivering the mail to our machine
>
> you can do that only for your *personal* mail, but it's a no-go if you host
> users
>
>>> the question above is a different one while i can't parse it completely
>>
>>
>> The question is about an email from a client IP that's in a lot of
>> blacklists.
>>
>> The IP address that's in the blacklists, 180.178.104.22, authenticated
>>
>>   Received: from [180.178.104.22] (port=51022 helo=CapriciousDude)
>>   by vio1.naveca.biz with esmtpa (Exim 4.87)
>
>
> it's nonsense to give points for dynamic enduser machines, they are
> *typically* on a lot of blacklists and the users behind are changing all the
> time
>
> when you want to know why - try to use sbl-xbl as suggested by spiderlabs
> for a web-application-firewall; I did that *only* for form-submissions and
> reverted it after a few hours on a sunday because of support hell with no good
> excuse

Yeah, that's it exactly. Particularly overseas where it doesn't appear
NAT and/or submission are used as readily as they are here.

So even though that IP is on virtually every blacklist, you wouldn't
add any points? And there's nothing further the user could do to fix
the problem, given the dynamic nature of the IP?

Thanks,
Alex


Re: Multiple RBLs and dynamic IPs

2016-05-30 Thread Reindl Harald



On 30.05.2016 at 20:45, RW wrote:

On Mon, 30 May 2016 19:59:10 +0200
Reindl Harald wrote:


On 30.05.2016 at 18:11, RW wrote:

On Mon, 30 May 2016 14:12:27 +0200
Reindl Harald wrote:



"RCVD_IN_XBL_ALL" smells like deep header inspection



The question was:

  "How many points do you add to an email that  *originated*
   from a dynamic IP that [is] on a number of blacklists?"


no - that was the question of the OP
i responded long ago with config values


You're probably misunderstanding the precise meaning of "originated".


well *no points at all* if we talk about the client using a submission 
server and not about the server itself delivering the mail to our machine


you can do that only for your *personal* mail, but it's a no-go if you 
host users



the question above is a different one while i can't parse it completely


The question is about an email from a client IP that's in a lot of
blacklists.

The IP address that's in the blacklists, 180.178.104.22, authenticated

  Received: from [180.178.104.22] (port=51022 helo=CapriciousDude)
  by vio1.naveca.biz with esmtpa (Exim 4.87)


it's nonsense to give points for dynamic enduser machines, they are 
*typically* on a lot of blacklists and the users behind are changing all 
the time


when you want to know why - try to use sbl-xbl as suggested by 
spiderlabs for a web-application-firewall; I did that *only* for 
form-submissions and reverted it after a few hours on a sunday because 
of support hell with no good excuse







Re: Multiple RBLs and dynamic IPs

2016-05-30 Thread RW
On Mon, 30 May 2016 19:59:10 +0200
Reindl Harald wrote:

> On 30.05.2016 at 18:11, RW wrote:
> > On Mon, 30 May 2016 14:12:27 +0200
> > Reindl Harald wrote:
> >  

> >> "RCVD_IN_XBL_ALL" smells like deep header inspection
> >>  
> >
> > The question was:
> >
> >   "How many points do you add to an email that  *originated*
> >from a dynamic IP that [is] on a number of blacklists?"  
> 
> no - that was the question of the OP
> i responded long ago with config values

You're probably misunderstanding the precise meaning of "originated".
 
> the question above is a different one while i can't parse it completely

The question is about an email from a client IP that's in a lot of
blacklists.

The IP address that's in the blacklists, 180.178.104.22, authenticated

  Received: from [180.178.104.22] (port=51022 helo=CapriciousDude)
  by vio1.naveca.biz with esmtpa (Exim 4.87)


And RCVD_IN_DNSWL_NONE rules-out it being a test on outgoing mail.


Re: Multiple RBLs and dynamic IPs

2016-05-30 Thread Reindl Harald



On 30.05.2016 at 18:11, RW wrote:

On Mon, 30 May 2016 14:12:27 +0200
Reindl Harald wrote:


On 30.05.2016 at 14:10, Matthias Leisi wrote:

Hm, that looks odd:


On 27.05.2016 at 20:15, Alex wrote:



X-Spam-Report:
* -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no
*  trust
*  [116.251.209.92 listed in list.dnswl.org]
-^
*  0.0 RCVD_IN_XBL_ALL RBL: Received via a relay in Spamhaus SBL-XBL
*  [180.178.104.22 listed in mykey.zen.dq.spamhaus.net]
-^

Why do these two different IPs show up? _NONE for 116.251.209.92
does not add any points, but if that IP ever gets a higher score at
dnswl.org, then it may affect the accuracy of
your spamfilter.

Is that a legitimate forwarder IP?


"RCVD_IN_XBL_ALL" smells like deep header inspection



The question was:

  "How many points do you add to an email that  *originated*
   from a dynamic IP that [is] on a number of blacklists?"


no - that was the question of the OP
i responded long ago with config values

the question above is a different one while i can't parse it completely

On 27.05.2016 at 20:15, Alex wrote:
> How many points do you add to an email that originated from a dynamic
> IP that is on a number of blacklists?
>
> This 180.178.104.22 is an IP from a customer in Indonesia:
>
> Received: from [180.178.104.22] (port=51022 helo=CapriciousDude)
> by vio1.naveca.biz with esmtpa (Exim 4.87)
> (envelope-from )
> id 1b6FMu-00087L-42; Fri, 27 May 2016 18:51:52 +0800
>
> This IP is on virtually every blacklist, but it doesn't necessarily
> mean it's the result of something this particular customer/user did

doesn't matter - an enduser IP has no business delivering mail on port 25 
anywhere



+----------------+-------------------------------+
| spamass_weight | alias                         |
+----------------+-------------------------------+
|            6.5 | pbl.spamhaus.org              |
|            6.5 | dul.dnsbl.sorbs.net           |
|            6.5 | noserver.dnsbl.sorbs.net      |
|            5.5 | smtp.dnsbl.sorbs.net          |
|            5.5 | xbl.spamhaus.org              |
|              5 | b.barracudacentral.org        |
|              5 | dnsbl.inps.de                 |
|              5 | css.spamhaus.org              |
|            4.5 | web.dnsbl.sorbs.net           |
|            3.5 | hostkarma.junkemailfilter.com |
|            2.5 | ix.dnsbl.manitu.net           |
|            2.5 | psbl.surriel.com              |
|            2.5 | dnsrbl.swinog.ch              |
|            2.5 | bl.spameatingmonkey.net       |
|            2.5 | bl.spamcop.net                |
|            1.5 | senderscore.com High          |
|            1.5 | hostkarma.junkemailfilter.com |
|            1.5 | block.dnsbl.sorbs.net         |
|            1.5 | bl.spamcannibal.org           |
|            1.5 | zombie.dnsbl.sorbs.net        |
|            1.5 | spam.dnsbl.sorbs.net          |
|            1.5 | sbl.spamhaus.org              |
|              1 | senderscore.com Medium        |
|              1 | bl.nszones.com                |
|              1 | http.dnsbl.sorbs.net          |
|              1 | socks.dnsbl.sorbs.net         |
|              1 | spam.spamrats.com             |
|              1 | misc.dnsbl.sorbs.net          |
|              1 | dnsbl-1.uceprotect.net        |
|              1 | dnsbl-2.uceprotect.net        |
|            0.5 | hostkarma.junkemailfilter.com |
|            0.5 | virus.dnsbl.sorbs.net         |
|            0.1 | ips.backscatterer.org         |
+----------------+-------------------------------+





Re: Multiple RBLs and dynamic IPs

2016-05-30 Thread RW
On Mon, 30 May 2016 14:12:27 +0200
Reindl Harald wrote:

> On 30.05.2016 at 14:10, Matthias Leisi wrote:
> > Hm, that looks odd:
> >  
> >> On 27.05.2016 at 20:15, Alex wrote:
> >  
> >> X-Spam-Report:
> >> * -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no
> >> *  trust
> >> *  [116.251.209.92 listed in list.dnswl.org]
> > -^
> >> *  0.0 RCVD_IN_XBL_ALL RBL: Received via a relay in Spamhaus SBL-XBL
> >> *  [180.178.104.22 listed in mykey.zen.dq.spamhaus.net]
> > -^
> >
> > Why do these two different IPs show up? _NONE for 116.251.209.92
> > does not add any points, but if that IP ever gets a higher score at
> > dnswl.org, then it may affect the accuracy of
> > your spamfilter.
> >
> > Is that a legitimate forwarder IP?  
> 
> "RCVD_IN_XBL_ALL" smells like deep header inspection
> 

The question was: 

  "How many points do you add to an email that  *originated* 
   from a dynamic IP that [is] on a number of blacklists?"


Re: Multiple RBLs and dynamic IPs

2016-05-30 Thread Reindl Harald



On 30.05.2016 at 14:10, Matthias Leisi wrote:

Hm, that looks odd:


On 27.05.2016 at 20:15, Alex wrote:



X-Spam-Report:
* -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no
*  trust
*  [116.251.209.92 listed in list.dnswl.org]
-^
*  0.0 RCVD_IN_XBL_ALL RBL: Received via a relay in Spamhaus SBL-XBL
*  [180.178.104.22 listed in mykey.zen.dq.spamhaus.net]
-^

Why do these two different IPs show up? _NONE for 116.251.209.92 does
not add any points, but if that IP ever gets a higher score at dnswl.org,
then it may affect the accuracy of your spamfilter.

Is that a legitimate forwarder IP?


"RCVD_IN_XBL_ALL" smells like deep header inspection





Re: Multiple RBLs and dynamic IPs

2016-05-30 Thread Matthias Leisi
Hm, that looks odd:

> On 27.05.2016 at 20:15, Alex wrote:

> X-Spam-Report:
> * -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no
> *  trust
> *  [116.251.209.92 listed in list.dnswl.org]
-^
> *  0.0 RCVD_IN_XBL_ALL RBL: Received via a relay in Spamhaus SBL-XBL
> *  [180.178.104.22 listed in mykey.zen.dq.spamhaus.net]
-^

Why do these two different IPs show up? _NONE for 116.251.209.92 does not add 
any points, but if that IP ever gets a higher score at dnswl.org, then it may 
affect the accuracy of your spamfilter.

Is that a legitimate forwarder IP? 

— Matthias




Re: Multiple RBLs and dynamic IPs

2016-05-27 Thread Reindl Harald



On 27.05.2016 at 20:15, Alex wrote:

How many points do you add to an email that originated from a dynamic
IP that is on a number of blacklists?

This 180.178.104.22 is an IP from a customer in Indonesia:

Received: from [180.178.104.22] (port=51022 helo=CapriciousDude)
by vio1.naveca.biz with esmtpa (Exim 4.87)
(envelope-from )
id 1b6FMu-00087L-42; Fri, 27 May 2016 18:51:52 +0800

This IP is on virtually every blacklist, but it doesn't necessarily
mean it's the result of something this particular customer/user did


doesn't matter - an enduser IP has no business delivering mail on port 25 
anywhere



+----------------+-------------------------------+
| spamass_weight | alias                         |
+----------------+-------------------------------+
|            6.5 | pbl.spamhaus.org              |
|            6.5 | dul.dnsbl.sorbs.net           |
|            6.5 | noserver.dnsbl.sorbs.net      |
|            5.5 | smtp.dnsbl.sorbs.net          |
|            5.5 | xbl.spamhaus.org              |
|              5 | b.barracudacentral.org        |
|              5 | dnsbl.inps.de                 |
|              5 | css.spamhaus.org              |
|            4.5 | web.dnsbl.sorbs.net           |
|            3.5 | hostkarma.junkemailfilter.com |
|            2.5 | ix.dnsbl.manitu.net           |
|            2.5 | psbl.surriel.com              |
|            2.5 | dnsrbl.swinog.ch              |
|            2.5 | bl.spameatingmonkey.net       |
|            2.5 | bl.spamcop.net                |
|            1.5 | senderscore.com High          |
|            1.5 | hostkarma.junkemailfilter.com |
|            1.5 | block.dnsbl.sorbs.net         |
|            1.5 | bl.spamcannibal.org           |
|            1.5 | zombie.dnsbl.sorbs.net        |
|            1.5 | spam.dnsbl.sorbs.net          |
|            1.5 | sbl.spamhaus.org              |
|              1 | senderscore.com Medium        |
|              1 | bl.nszones.com                |
|              1 | http.dnsbl.sorbs.net          |
|              1 | socks.dnsbl.sorbs.net         |
|              1 | spam.spamrats.com             |
|              1 | misc.dnsbl.sorbs.net          |
|              1 | dnsbl-1.uceprotect.net        |
|              1 | dnsbl-2.uceprotect.net        |
|            0.5 | hostkarma.junkemailfilter.com |
|            0.5 | virus.dnsbl.sorbs.net         |
|            0.1 | ips.backscatterer.org         |
+----------------+-------------------------------+


