RE: Microsoft blacklisted?
-Original Message-
From: Benny Pedersen [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 15, 2006 3:47 AM
To: users@spamassassin.apache.org
Subject: RE: Microsoft blacklisted?

On Tue, November 14, 2006 12:58, Michael Scheidell wrote:
> > in spamassassin 3.2.x these tests will not be there and we all will have less problems with spam :(
>
> Typo, you meant MORE problems with spam.

less complaints, less problems :-)

More spam, more complaints.
RE: Microsoft blacklisted?
-Original Message-
From: Benny Pedersen [mailto:[EMAIL PROTECTED]
Sent: Monday, November 13, 2006 11:11 PM
To: users@spamassassin.apache.org
Subject: Re: Microsoft blacklisted?

in spamassassin 3.2.x these tests will not be there and we all will have less problems with spam :(

Typo, you meant MORE problems with spam.
Re: Microsoft blacklisted?
At 18:56 13-11-2006, Philip Prindeville wrote:
> I recently saw an email get bounced that was legitimately coming from Microsoft:

[snip]

> I've put into my spamassassin/sa-mimedefang.cf file:
>
> whitelist_from_rcvd [EMAIL PROTECTED] smtp.microsoft.com
>
> What am I missing at this point? Does the 2nd arg to the whitelist_from_rcvd need to be maila.microsoft.com instead?

Yes.

Regards,
-sm
Re: Microsoft blacklisted?
Benny Pedersen wrote:
> On Tue, November 14, 2006 03:56, Philip Prindeville wrote:
> > Nov 13 14:59:29 mail mimedefang[5737]: kADLxLLR021067: Bouncing because filter instructed us to
>
> I hope it will reject not bounce

Yes. It's just inaccurate terminology used by MIMEDefang. Somehow it ended up using action_bounce as the command to reject a message, and the log info matches that.

AFAIK it hasn't been renamed for the same reason that SpamAssassin's auto-whitelist hasn't been renamed.

--
Kelson Vibber
SpeedGate Communications www.speed.net
Re: Microsoft blacklisted?
SM wrote:
> At 18:56 13-11-2006, Philip Prindeville wrote:
> > I recently saw an email get bounced that was legitimately coming from Microsoft:
>
> [snip]
>
> > I've put into my spamassassin/sa-mimedefang.cf file:
> >
> > whitelist_from_rcvd [EMAIL PROTECTED] smtp.microsoft.com
> >
> > What am I missing at this point? Does the 2nd arg to the whitelist_from_rcvd need to be maila.microsoft.com instead?
>
> Yes.
>
> Regards,
> -sm

The problem with this is that the DNS returns the response (of the multiple PTR records) in no particular order, so looking up the rDNS can return one of three different names...

# nslookup
set type=any
server ns4.msft.net.
Default server: ns4.msft.net.
Address: 207.46.66.126#53
212.115.107.131.in-addr.arpa
Server: ns4.msft.net.
Address: 207.46.66.126#53

212.115.107.131.in-addr.arpa name = mail1.microsoft.com.
212.115.107.131.in-addr.arpa name = smtp.microsoft.com.
212.115.107.131.in-addr.arpa name = maila.microsoft.com.

So, if I put:

whitelist_from_rcvd [EMAIL PROTECTED] mail1.microsoft.com
whitelist_from_rcvd [EMAIL PROTECTED] smtp.microsoft.com
whitelist_from_rcvd [EMAIL PROTECTED] maila.microsoft.com

will that work? Or will each command clobber the previous one?

-Philip
Re: Microsoft blacklisted?
At 11:49 14-11-2006, Philip Prindeville wrote:
> The problem with this is that the DNS returns the response (of the multiple PTR records) in no particular order, so looking up the rDNS can return one of three different names...
>
> # nslookup
> set type=any
> server ns4.msft.net.
> Default server: ns4.msft.net.
> Address: 207.46.66.126#53
> 212.115.107.131.in-addr.arpa
> Server: ns4.msft.net.
> Address: 207.46.66.126#53
>
> 212.115.107.131.in-addr.arpa name = mail1.microsoft.com.
> 212.115.107.131.in-addr.arpa name = smtp.microsoft.com.
> 212.115.107.131.in-addr.arpa name = maila.microsoft.com.
>
> So, if I put:
>
> whitelist_from_rcvd [EMAIL PROTECTED] mail1.microsoft.com

Then use:

whitelist_from_rcvd [EMAIL PROTECTED] microsoft.com

Regards,
-sm
Re: Microsoft blacklisted?
SM wrote:
> At 11:49 14-11-2006, Philip Prindeville wrote:
> > The problem with this is that the DNS returns the response (of the multiple PTR records) in no particular order, so looking up the rDNS can return one of three different names...
> >
> > # nslookup
> > set type=any
> > server ns4.msft.net.
> > Default server: ns4.msft.net.
> > Address: 207.46.66.126#53
> > 212.115.107.131.in-addr.arpa
> > Server: ns4.msft.net.
> > Address: 207.46.66.126#53
> >
> > 212.115.107.131.in-addr.arpa name = mail1.microsoft.com.
> > 212.115.107.131.in-addr.arpa name = smtp.microsoft.com.
> > 212.115.107.131.in-addr.arpa name = maila.microsoft.com.
> >
> > So, if I put:
> >
> > whitelist_from_rcvd [EMAIL PROTECTED] mail1.microsoft.com
>
> Then use:
>
> whitelist_from_rcvd [EMAIL PROTECTED] microsoft.com
>
> Regards,
> -sm

Yeah, in an earlier message, I considered that, but didn't want to leave myself wide open to every misbehaving host at Microsoft.

So I take it the short answer is that you can't have three entries for the same mail address, and can't have multiple hostname args (which you really should be able to do... or maybe even take an IP address directly!).

-Philip
Re: Microsoft blacklisted?
On Tuesday 14 November 2006 02:58, Michael Scheidell wrote:
> -Original Message-
> From: Benny Pedersen [mailto:[EMAIL PROTECTED]
> Sent: Monday, November 13, 2006 11:11 PM
> To: users@spamassassin.apache.org
> Subject: Re: Microsoft blacklisted?
>
> in spamassassin 3.2.x these tests will not be there and we all will have less problems with spam :(
>
> Typo, you meant MORE problems with spam.

Michael: You should have learned early upon your arrival to Linux that Less IS More. ;-)

--
John Andersen
Re: Microsoft blacklisted?
Philip Prindeville wrote:
> whitelist_from_rcvd [EMAIL PROTECTED] mail1.microsoft.com
> whitelist_from_rcvd [EMAIL PROTECTED] smtp.microsoft.com
> whitelist_from_rcvd [EMAIL PROTECTED] maila.microsoft.com
>
> will that work?

It should.

Daryl
Re: Microsoft blacklisted?
On Tue, 14 Nov 2006, Daryl C. W. O'Shea wrote:
> Philip Prindeville wrote:
> > whitelist_from_rcvd [EMAIL PROTECTED] mail1.microsoft.com
> > whitelist_from_rcvd [EMAIL PROTECTED] smtp.microsoft.com
> > whitelist_from_rcvd [EMAIL PROTECTED] maila.microsoft.com
> >
> > will that work?
>
> It should.

A microsoft whitelist does appear in 70_sare_whitelist, though it does trust all microsoft hosts rather than just the three listed above... You might consider adding that ruleset.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
[EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
End users want eye candy and the ooo's and hhh's experience when reading mail. To them email isn't a tool, but an entertainment form.
-- Steve Lake
---
Re: Microsoft blacklisted?
John D. Hardin wrote:
> On Tue, 14 Nov 2006, Daryl C. W. O'Shea wrote:
> > Philip Prindeville wrote:
> > > whitelist_from_rcvd [EMAIL PROTECTED] mail1.microsoft.com
> > > whitelist_from_rcvd [EMAIL PROTECTED] smtp.microsoft.com
> > > whitelist_from_rcvd [EMAIL PROTECTED] maila.microsoft.com
> > >
> > > will that work?
> >
> > It should.
>
> A microsoft whitelist does appear in 70_sare_whitelist, though it does trust all microsoft hosts rather than just the three listed above... You might consider adding that ruleset.

Can't do that. Matter of principle: I'm tired of tacitly admitting that they're the 800lb gorilla and they get to do whatever they please.

When '95 came out, I was willing to cut them some slack since this whole Internetworking thing was new to them. That was 10 years ago. Why they're still struggling to comply with standards I don't know. It's not for lack of engineers.

-Philip
Microsoft blacklisted?
I recently saw an email get bounced that was legitimately coming from Microsoft:

Nov 13 14:59:26 mail mimedefang.pl[19053]: helo: maila.microsoft.com (131.107.115.212) said helo smtp.microsoft.com
Nov 13 14:59:26 mail sendmail[21067]: kADLxLLR021067: from=[EMAIL PROTECTED], size=1207, class=0, nrcpts=1, msgid=[EMAIL PROTECTED], bodytype=7BIT, proto=ESMTP, daemon=MTA-v4, relay=maila.microsoft.com [131.107.115.212]
Nov 13 14:59:29 mail mimedefang.pl[20521]: kADLxLLR021067: hits=6.909, req=5, names=DNS_FROM_RFC_ABUSE,DNS_FROM_RFC_POST,L_WIN_CHARSET
Nov 13 14:59:29 mail mimedefang.pl[20521]: MDLOG,kADLxLLR021067,spam,6.909,131.107.115.212,[EMAIL PROTECTED],[EMAIL PROTECTED],Out of Office: Software Development with Microsoft
Nov 13 14:59:29 mail mimedefang.pl[20521]: filter: kADLxLLR021067: bounce=1 discard=1
Nov 13 14:59:29 mail mimedefang[5737]: kADLxLLR021067: Bouncing because filter instructed us to
Nov 13 14:59:29 mail sendmail[21067]: kADLxLLR021067: Milter: data, reject=554 5.7.1 Message rejected; scored too high on the Spam test.
Nov 13 14:59:29 mail sendmail[21067]: kADLxLLR021067: to=[EMAIL PROTECTED], delay=00:00:03, pri=31207, stat=Message rejected; scored too high on the Spam test.

I've put into my spamassassin/sa-mimedefang.cf file:

whitelist_from_rcvd [EMAIL PROTECTED] smtp.microsoft.com

What am I missing at this point? Does the 2nd arg to the whitelist_from_rcvd need to be maila.microsoft.com instead?

And what do DNS_FROM_RFC_ABUSE and DNS_FROM_RFC_POST correspond to?

Where do I get the descriptions of these tests, why some sites get tagged with them, etc?

-Philip
Re: Microsoft blacklisted?
Philip Prindeville wrote:
> I recently saw an email get bounced that was legitimately coming from Microsoft:
>
> Nov 13 14:59:26 mail mimedefang.pl[19053]: helo: maila.microsoft.com (131.107.115.212) said helo smtp.microsoft.com
> Nov 13 14:59:26 mail sendmail[21067]: kADLxLLR021067: from=[EMAIL PROTECTED], size=1207, class=0, nrcpts=1, msgid=[EMAIL PROTECTED], bodytype=7BIT, proto=ESMTP, daemon=MTA-v4, relay=maila.microsoft.com [131.107.115.212]
> Nov 13 14:59:29 mail mimedefang.pl[20521]: kADLxLLR021067: hits=6.909, req=5, names=DNS_FROM_RFC_ABUSE,DNS_FROM_RFC_POST,L_WIN_CHARSET
> Nov 13 14:59:29 mail mimedefang.pl[20521]: MDLOG,kADLxLLR021067,spam,6.909,131.107.115.212,[EMAIL PROTECTED],[EMAIL PROTECTED],Out of Office: Software Development with Microsoft
> Nov 13 14:59:29 mail mimedefang.pl[20521]: filter: kADLxLLR021067: bounce=1 discard=1
> Nov 13 14:59:29 mail mimedefang[5737]: kADLxLLR021067: Bouncing because filter instructed us to
> Nov 13 14:59:29 mail sendmail[21067]: kADLxLLR021067: Milter: data, reject=554 5.7.1 Message rejected; scored too high on the Spam test.
> Nov 13 14:59:29 mail sendmail[21067]: kADLxLLR021067: to=[EMAIL PROTECTED], delay=00:00:03, pri=31207, stat=Message rejected; scored too high on the Spam test.
>
> I've put into my spamassassin/sa-mimedefang.cf file:
>
> whitelist_from_rcvd [EMAIL PROTECTED] smtp.microsoft.com
>
> What am I missing at this point? Does the 2nd arg to the whitelist_from_rcvd need to be maila.microsoft.com instead?
>
> And what do DNS_FROM_RFC_ABUSE and DNS_FROM_RFC_POST correspond to?

postmaster and abuse lists at rfc-ignorant.org. Both are wildly prone to false positives and have been removed from the 3.2 devel branch. They effectively list sites that violate the RFCs for mail hosts and refuse mail sent to postmaster or abuse.

That said, neither scores very high.. Assuming set3 (bayes and network) the combined score in SA 3.1.x is only 1.908 points..

What's L_WIN_CHARSET.. that's not a stock rule I'm aware of. Looks like an add-on to me, and probably the real culprit here. I found some references to it from list conversations, and looks like it's trying to match email with a windows-specific character set (windows-1252). But it's not in any ruleset I can find anywhere.

Actually, it looks like a rule you yourself were developing back in April.. What did you set the score to?

http://www.gossamer-threads.com/lists/spamassassin/users/72328

> Where do I get the descriptions of these tests, why some sites get tagged with them, etc?
Re: Microsoft blacklisted?
Matt Kettler wrote:
> Philip Prindeville wrote:
> > I recently saw an email get bounced that was legitimately coming from Microsoft:
> >
> > Nov 13 14:59:26 mail mimedefang.pl[19053]: helo: maila.microsoft.com (131.107.115.212) said helo smtp.microsoft.com
> > Nov 13 14:59:26 mail sendmail[21067]: kADLxLLR021067: from=[EMAIL PROTECTED], size=1207, class=0, nrcpts=1, msgid=[EMAIL PROTECTED], bodytype=7BIT, proto=ESMTP, daemon=MTA-v4, relay=maila.microsoft.com [131.107.115.212]
> > Nov 13 14:59:29 mail mimedefang.pl[20521]: kADLxLLR021067: hits=6.909, req=5, names=DNS_FROM_RFC_ABUSE,DNS_FROM_RFC_POST,L_WIN_CHARSET
> > Nov 13 14:59:29 mail mimedefang.pl[20521]: MDLOG,kADLxLLR021067,spam,6.909,131.107.115.212,[EMAIL PROTECTED],[EMAIL PROTECTED],Out of Office: Software Development with Microsoft
> > Nov 13 14:59:29 mail mimedefang.pl[20521]: filter: kADLxLLR021067: bounce=1 discard=1
> > Nov 13 14:59:29 mail mimedefang[5737]: kADLxLLR021067: Bouncing because filter instructed us to
> > Nov 13 14:59:29 mail sendmail[21067]: kADLxLLR021067: Milter: data, reject=554 5.7.1 Message rejected; scored too high on the Spam test.
> > Nov 13 14:59:29 mail sendmail[21067]: kADLxLLR021067: to=[EMAIL PROTECTED], delay=00:00:03, pri=31207, stat=Message rejected; scored too high on the Spam test.
> >
> > I've put into my spamassassin/sa-mimedefang.cf file:
> >
> > whitelist_from_rcvd [EMAIL PROTECTED] smtp.microsoft.com
> >
> > What am I missing at this point? Does the 2nd arg to the whitelist_from_rcvd need to be maila.microsoft.com instead?
> >
> > And what do DNS_FROM_RFC_ABUSE and DNS_FROM_RFC_POST correspond to?
>
> postmaster and abuse lists at rfc-ignorant.org. Both are wildly prone to false positives and have been removed from the 3.2 devel branch. They effectively list sites that violate the RFCs for mail hosts and refuse mail sent to postmaster or abuse.
>
> That said, neither scores very high.. Assuming set3 (bayes and network) the combined score in SA 3.1.x is only 1.908 points..
>
> What's L_WIN_CHARSET.. that's not a stock rule I'm aware of. Looks like an add-on to me, and probably the real culprit here. I found some references to it from list conversations, and looks like it's trying to match email with a windows-specific character set (windows-1252). But it's not in any ruleset I can find anywhere.
>
> Actually, it looks like a rule you yourself were developing back in April.. What did you set the score to?
>
> http://www.gossamer-threads.com/lists/spamassassin/users/72328

Yes, it's local. I set it to 4.85. Or maybe 4.99.

But why doesn't the whitelisting kick in? Could it be because:

# nslookup 131.107.115.212
Server: 205.171.3.65
Address: 205.171.3.65#53

Non-authoritative answer:
212.115.107.131.in-addr.arpa name = maila.microsoft.com.
212.115.107.131.in-addr.arpa name = smtp.microsoft.com.
212.115.107.131.in-addr.arpa name = mail1.microsoft.com.

Authoritative answers can be found from:
107.131.in-addr.arpa nameserver = ns5.msft.net.
107.131.in-addr.arpa nameserver = ns1.msft.net.
107.131.in-addr.arpa nameserver = ns2.msft.net.
107.131.in-addr.arpa nameserver = ns3.msft.net.
107.131.in-addr.arpa nameserver = ns4.msft.net.
ns1.msft.net internet address = 207.68.160.190
ns2.msft.net internet address = 65.54.240.126
ns3.msft.net internet address = 213.199.144.151
ns4.msft.net internet address = 207.46.66.126
ns5.msft.net internet address = 65.55.238.126
#

(how hard can it be to follow $%^* RFC directions saying only one PTR record per address)

What's the fix here? Set the 2nd argument to the IP address instead? The man doesn't suggest you can do that.

And I don't want to wildcard it as microsoft.com -- that's way too many potential hosts.

-Philip

> > Where do I get the descriptions of these tests, why some sites get tagged with them, etc?
Re: Microsoft blacklisted?
Philip Prindeville wrote:
> Matt Kettler wrote:
> > Philip Prindeville wrote:
> > > I recently saw an email get bounced that was legitimately coming from Microsoft:
> > >
> > > Nov 13 14:59:26 mail mimedefang.pl[19053]: helo: maila.microsoft.com (131.107.115.212) said helo smtp.microsoft.com
> > > Nov 13 14:59:26 mail sendmail[21067]: kADLxLLR021067: from=[EMAIL PROTECTED], size=1207, class=0, nrcpts=1, msgid=[EMAIL PROTECTED], bodytype=7BIT, proto=ESMTP, daemon=MTA-v4, relay=maila.microsoft.com [131.107.115.212]
> > > Nov 13 14:59:29 mail mimedefang.pl[20521]: kADLxLLR021067: hits=6.909, req=5, names=DNS_FROM_RFC_ABUSE,DNS_FROM_RFC_POST,L_WIN_CHARSET
> > > Nov 13 14:59:29 mail mimedefang.pl[20521]: MDLOG,kADLxLLR021067,spam,6.909,131.107.115.212,[EMAIL PROTECTED],[EMAIL PROTECTED],Out of Office: Software Development with Microsoft
> > > Nov 13 14:59:29 mail mimedefang.pl[20521]: filter: kADLxLLR021067: bounce=1 discard=1
> > > Nov 13 14:59:29 mail mimedefang[5737]: kADLxLLR021067: Bouncing because filter instructed us to
> > > Nov 13 14:59:29 mail sendmail[21067]: kADLxLLR021067: Milter: data, reject=554 5.7.1 Message rejected; scored too high on the Spam test.
> > > Nov 13 14:59:29 mail sendmail[21067]: kADLxLLR021067: to=[EMAIL PROTECTED], delay=00:00:03, pri=31207, stat=Message rejected; scored too high on the Spam test.
> > >
> > > I've put into my spamassassin/sa-mimedefang.cf file:
> > >
> > > whitelist_from_rcvd [EMAIL PROTECTED] smtp.microsoft.com
> > >
> > > What am I missing at this point? Does the 2nd arg to the whitelist_from_rcvd need to be maila.microsoft.com instead?
> > >
> > > And what do DNS_FROM_RFC_ABUSE and DNS_FROM_RFC_POST correspond to?
> >
> > postmaster and abuse lists at rfc-ignorant.org. Both are wildly prone to false positives and have been removed from the 3.2 devel branch. They effectively list sites that violate the RFCs for mail hosts and refuse mail sent to postmaster or abuse.
> >
> > That said, neither scores very high.. Assuming set3 (bayes and network) the combined score in SA 3.1.x is only 1.908 points..
> >
> > What's L_WIN_CHARSET.. that's not a stock rule I'm aware of. Looks like an add-on to me, and probably the real culprit here. I found some references to it from list conversations, and looks like it's trying to match email with a windows-specific character set (windows-1252). But it's not in any ruleset I can find anywhere.
> >
> > Actually, it looks like a rule you yourself were developing back in April.. What did you set the score to?
> >
> > http://www.gossamer-threads.com/lists/spamassassin/users/72328
>
> Yes, it's local. I set it to 4.85. Or maybe 4.99.
>
> But why doesn't the whitelisting kick in?

Because your whitelist requires the mail to have been delivered from a server named smtp.microsoft.com. This one was delivered from maila.microsoft.com.
Re: Microsoft blacklisted?
On Tue, November 14, 2006 03:56, Philip Prindeville wrote:
> Nov 13 14:59:29 mail mimedefang[5737]: kADLxLLR021067: Bouncing because filter instructed us to

I hope it will reject not bounce

> Nov 13 14:59:29 mail sendmail[21067]: kADLxLLR021067: Milter: data, reject=554 5.7.1 Message rejected; scored too high on the Spam test.
> Nov 13 14:59:29 mail sendmail[21067]: kADLxLLR021067: to=[EMAIL PROTECTED], delay=00:00:03, pri=31207, stat=Message rejected; scored too high on the Spam test.
>
> I've put into my spamassassin/sa-mimedefang.cf file:
>
> whitelist_from_rcvd [EMAIL PROTECTED] smtp.microsoft.com

Resolved 131.107.115.212 to smtp.microsoft.com. to mail1.microsoft.com. to maila.microsoft.com.
maila.microsoft.com. has no MX records - [microsoft.com has 3 MX records mailc.microsoft.com.(10) maila.microsoft.com.(10) mailb.microsoft.com.(10)]

> What am I missing at this point? Does the 2nd arg to the whitelist_from_rcvd need to be maila.microsoft.com instead?
>
> And what do DNS_FROM_RFC_ABUSE and DNS_FROM_RFC_POST correspond to?
>
> Where do I get the descriptions of these tests, why some sites get tagged with them, etc?

http://rfc-ignorant.org/policy-postmaster.php
http://rfc-ignorant.org/policy-abuse.php

in spamassassin 3.2.x these tests will not be there and we all will have less problems with spam :(

--
This message was sent using 100% recycled spam mails.
Re: Microsoft blacklisted?
Benny Pedersen wrote:
> On Tue, November 14, 2006 03:56, Philip Prindeville wrote:
> > Nov 13 14:59:29 mail mimedefang[5737]: kADLxLLR021067: Bouncing because filter instructed us to
>
> I hope it will reject not bounce
>
> > Nov 13 14:59:29 mail sendmail[21067]: kADLxLLR021067: Milter: data, reject=554 5.7.1 Message rejected; scored too high on the Spam test.
> > Nov 13 14:59:29 mail sendmail[21067]: kADLxLLR021067: to=[EMAIL PROTECTED], delay=00:00:03, pri=31207, stat=Message rejected; scored too high on the Spam test.
> >
> > I've put into my spamassassin/sa-mimedefang.cf file:
> >
> > whitelist_from_rcvd [EMAIL PROTECTED] smtp.microsoft.com
>
> Resolved 131.107.115.212 to smtp.microsoft.com. to mail1.microsoft.com. to maila.microsoft.com.
> maila.microsoft.com. has no MX records - [microsoft.com has 3 MX records mailc.microsoft.com.(10) maila.microsoft.com.(10) mailb.microsoft.com.(10)]

What really matters here is what your MTA put in the header.. did it put maila or smtp?

From the logs, it looks like it used maila.
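
Added example (not from any poster in this thread and not SpamAssassin's own code): a small Python model of how a whitelist_from_rcvd entry is compared with the relay name the MTA recorded, showing why a single entry for one of the three PTR names misses this message, why three entries cover it, and how far the bare-domain entry extends trust. The sender address and the `*@microsoft.com` pattern are constructed because the archive redacts them, and the match rule used here (full hostname or domain suffix, with entries accumulating) is a simplified assumption.

```python
import re

# Constructed sample modelled on the sendmail "from=" line quoted in the thread.
# The archive redacts the sender, so sender@microsoft.com is a made-up address.
SAMPLE_LOG = (
    "Nov 13 14:59:26 mail sendmail[21067]: kADLxLLR021067: "
    "from=<sender@microsoft.com>, size=1207, proto=ESMTP, daemon=MTA-v4, "
    "relay=maila.microsoft.com [131.107.115.212]"
)

# The three PTR names the thread reports for 131.107.115.212.
PTR_NAMES = ["mail1.microsoft.com", "smtp.microsoft.com", "maila.microsoft.com"]

# Candidate configurations discussed in the thread; the *@microsoft.com
# address pattern is an assumption (the real pattern is redacted).
SINGLE = "whitelist_from_rcvd *@microsoft.com smtp.microsoft.com"
THREE = "\n".join(f"whitelist_from_rcvd *@microsoft.com {n}" for n in PTR_NAMES)
DOMAIN = "whitelist_from_rcvd *@microsoft.com microsoft.com"

RELAY_RE = re.compile(
    r"from=<?(?P<sender>[^>,\s]+)>?,.*\brelay=(?P<rdns>\S+) \[(?P<ip>[0-9.]+)\]"
)

def parse_relay(line):
    """Return (sender, rdns, ip) as the MTA logged them, or None."""
    m = RELAY_RE.search(line)
    if m is None:
        return None
    return m["sender"].lower(), m["rdns"].rstrip(".").lower(), m["ip"]

def parse_config(text):
    """Collect every whitelist_from_rcvd line; entries accumulate (assumed)."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) == 3 and fields[0] == "whitelist_from_rcvd":
            entries.append((fields[1].lower(), fields[2].rstrip(".").lower()))
    return entries

def addr_matches(sender, pattern):
    """Glob match: '*' is any run of characters, '?' is one character."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, sender, re.IGNORECASE) is not None

def rdns_matches(rdns, wanted):
    """Full hostname, or a domain suffix that starts on a label boundary."""
    return rdns == wanted or rdns.endswith("." + wanted)

def is_whitelisted(sender, rdns, config_text):
    """True if any entry matches both the sender and the recorded relay name."""
    entries = parse_config(config_text)
    return any(addr_matches(sender, p) and rdns_matches(rdns, d) for p, d in entries)

def coverage(config_text, sender, names):
    """Relay names that would be trusted for this sender under the config."""
    return [n for n in names if is_whitelisted(sender, n, config_text)]

if __name__ == "__main__":
    sender, rdns, ip = parse_relay(SAMPLE_LOG)
    for label, cfg in (("single", SINGLE), ("three", THREE), ("domain", DOMAIN)):
        print(label, is_whitelisted(sender, rdns, cfg), coverage(cfg, sender, PTR_NAMES))
```

The name that counts is the one the receiving MTA wrote down for the connection, so the same check should be run against the relay= value in the local log, not against a fresh nslookup.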