Re: Whitelist IP for SBL check

2018-02-23 Thread shridhar shetty
Yes, I missed it.

On Sat, Feb 24, 2018 at 12:49 AM, RW  wrote:

> On Sat, 24 Feb 2018 00:36:56 +0530
> shridhar shetty wrote:
>
>
> > 'Your local "fix" won't stop a URIBL_SBL hit at the other, rcpt's
> > end.' In such case we relay our mails through an external server
> > which has clean reputation. That way our mails are delivered to the
> > recipient.
>
> That will help with RCVD_IN_SBL, but URIBL_SBL is based on URI domains.
>


Re: Whitelist IP for SBL check

2018-02-23 Thread RW
On Sat, 24 Feb 2018 00:36:56 +0530
shridhar shetty wrote:


> 'Your local "fix" won't stop a URIBL_SBL hit at the other, rcpt's
> end.' In such case we relay our mails through an external server
> which has clean reputation. That way our mails are delivered to the
> recipient.

That will help with RCVD_IN_SBL, but URIBL_SBL is based on URI domains.
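
The distinction RW draws above, as an added example (a simplified model, not SpamAssassin code and not from this thread): a relay check looks only at the relay IPs the recipient's filter inspects, while a URI check resolves the domains found in the body. All IPs, domains and DNS data below are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed data: documentation-range IPs and example domains.
SBL_LISTED = {"192.0.2.10"}    # stands in for the sender's listed IP
DNS_A = {"xyz.org": ["192.0.2.10"], "example.net": ["203.0.113.7"]}
DNS_NS_IPS = {"xyz.org": ["192.0.2.10"], "example.net": ["203.0.113.53"]}

URI_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

def rcvd_in_sbl(relay_ips):
    """Relay-based check: only the relay IPs handed to the filter matter."""
    return any(ip in SBL_LISTED for ip in relay_ips)

def uribl_sbl(body):
    """URI-based check: resolve each body URI host to its A and NS IPs."""
    hits = set()
    for host in URI_HOST.findall(body):
        host = host.lower().rstrip(".")
        ips = DNS_A.get(host, []) + DNS_NS_IPS.get(host, [])
        if any(ip in SBL_LISTED for ip in ips):
            hits.add(host)
    return hits

def evaluate(relay_ips, body):
    return {"RCVD_IN_SBL": rcvd_in_sbl(relay_ips),
            "URIBL_SBL": sorted(uribl_sbl(body))}

BODY = "Invoice: http://xyz.org/invoice/42 (help: https://example.net/faq)"
DIRECT = ["192.0.2.10"]       # sent straight from the listed IP
VIA_RELAY = ["198.51.100.5"]  # recipient sees only the clean relay

if __name__ == "__main__":
    print("direct:   ", evaluate(DIRECT, BODY))
    print("via relay:", evaluate(VIA_RELAY, BODY))
```

Changing the relay clears the relay-based hit, but the body still contains a domain that resolves to the listed IP, so the URI-based hit is unchanged.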


Re: Whitelist IP for SBL check

2018-02-23 Thread shridhar shetty
Hello Axb,

Below are the responses to your queries.

Why not fix the SBL issue instead of trying to work around it?
Fixing the SBL issue is the first thing we do. But it takes some time so we
do not want our outbound mail service to be affected due to this.

'Your local "fix" won't stop a URIBL_SBL hit at the other, rcpt's end.'
In such case we relay our mails through an external server which has clean
reputation. That way our mails are delivered to the recipient.

Give us the SBL number and we may be able to help you out.
Do you mean the response code from zen.spamhaus? The response code is
127.0.0.2



On Fri, Feb 23, 2018 at 10:35 PM, Axb  wrote:

>
> On 02/23/2018 03:26 PM, shridhar shetty wrote:
>
>> Hello,
>>
>> In our infra we use spamassassin to scan our **outgoing** mails too. This
>> is to prevent spammers using our infra to send mails and get our IP's
>> blacklisted. We perform various DNSBL tests on the mail body.
>>
>> One of our IPs got listed in Spamhaus SBL for some reason, so now our
>> outgoing mails are getting detected as spam if the email body contains our
>> local domainname whose IP is listed in SBL(hitting URIBL_SBL rule).
>> We have hundreds of domainnames mapped to a single IP.
>>
>
>
> Why not fix the SBL issue instead of trying to work around it?
> Your local "fix" won't stop a URIBL_SBL hit at the other, rcpt's end.
> Give us the SBL number and we may be able to help you out.
>
>
>


Re: Whitelist IP for SBL check

2018-02-23 Thread Markus Clardy
Considering the issue, couldn't you in theory just add "uridnsbl_skip_domain
ip.on.blk.lst"?

I mean, according to URIBL_SBL, it would be if the IP itself is on the
blacklist, so wouldn't skipping the "domain" of a specific IP skip
detection?

On Fri, Feb 23, 2018 at 4:55 PM, David Jones  wrote:

> On 02/23/2018 10:46 AM, Axb wrote:
>
>> On 02/23/2018 04:33 PM, David Jones wrote:
>>
>>> On 02/23/2018 08:26 AM, shridhar shetty wrote:
>>>
>>>> Hello,
>>>>
>>>> In our infra we use spamassassin to scan our **outgoing** mails too.
>>>> This is to prevent spammers using our infra to send mails and get our IP's
>>>> blacklisted. We perform various DNSBL tests on the mail body.
>>>>
>>> We also scan outbound aggressively to keep our own IPs clean.  I monitor
>>> for our own IPs getting listed in major RBLs every 15 minutes and hourly I
>>> have a script that checks my own IPs in all RBLs listed at
>>> http://multirbl.valli.org/.  You need to make sure you have a good
>>> abuse@ contact setup for your IP ranges based on a WHOIS lookup of the
>>> IPs.  You must setup feedback loops with all of the major platforms out
>>> there like Yahoo, AOL, Comcast, etc.
>>>
>>> We send out millions of spammy looking emails every week from
>>> student management systems that don't have an opt-out method to lots of
>>> parents on freemail platforms.  We very rarely get listed on RBLs and have
>>> excellent delivery rates mainly because of compromised account detection
>>> and blocking of outbound mail from the single sender quickly when this is
>>> triggered.  Most sane RBLs will allow for a little junk outbound as long as
>>> you stop it quickly because compromised accounts happen.
>>>
>>>
>>>> One of our IPs got listed in Spamhaus SBL for some reason, so now our
>>>> outgoing mails are getting detected as spam if the email body contains our
>>>> local domainname whose IP is listed in SBL(hitting URIBL_SBL rule).
>>>> We have hundreds of domainnames mapped to a single IP.
>>>>
>>>> Is there a way to exclude local IP from DNSBL checks. For eg: if there
>>>> is a local domainname xyz.org present in the mail
>>>> body, then spamassassin should not mark it as spam even if A or NS record
>>>> for xyz.org is listed in SBL.
>>>>
>>> Setup a quick meta rule that subtracts the same points that the local IP
>>> on Spamhaus adds until you can find a better way to handle this.
>>>
>>> header __RCVD_LOCAL_IP Received =~ /\[xx\.xx\.xx\.xx\]/
>>> meta SPAMHAUS_LOCAL_IP_OFFSET __RCVD_LOCAL_IP && RCVD_IN_XBL
>>> score SPAMHAUS_LOCAL_IP_OFFSET -1.0
>>>
>>> You will need to adjust the header rule to match your Received header
>>> format of your particular MTA and also match the actual Spamhaus rule that
>>> is getting hit.  I just guessed it was RCVD_IN_XBL.
>>>
>>>
>> you are aware that your recommendation doesn't apply to a
>> uridnssub  URIBL_SBL    zen.spamhaus.org.   A   127.0.0.2
>> hit ?
>>
>>
>>
>>
> I was in a hurry, sorry.  My last paragraph had a disclaimer that 2 things
> would need to be adjusted.  Here is 1 of them corrected so the OP will only
> have to make sure the header rule matches his MTA's format:
>
> header __RCVD_LOCAL_IP Received =~ /\[xx\.xx\.xx\.xx\]/
> meta URIBL_SBL_LOCAL_IP_OFFSET __RCVD_LOCAL_IP && URIBL_SBL
> score URIBL_SBL_LOCAL_IP_OFFSET -1.0
>
> --
> David Jones
>



-- 
 - Markus


Re: Whitelist IP for SBL check

2018-02-23 Thread Axb


On 02/23/2018 03:26 PM, shridhar shetty wrote:

> Hello,
>
> In our infra we use spamassassin to scan our **outgoing** mails too. This
> is to prevent spammers using our infra to send mails and get our IP's
> blacklisted. We perform various DNSBL tests on the mail body.
>
> One of our IPs got listed in Spamhaus SBL for some reason, so now our
> outgoing mails are getting detected as spam if the email body contains our
> local domainname whose IP is listed in SBL(hitting URIBL_SBL rule).
> We have hundreds of domainnames mapped to a single IP.

Why not fix the SBL issue instead of trying to work around it?
Your local "fix" won't stop a URIBL_SBL hit at the other, rcpt's end.
Give us the SBL number and we may be able to help you out.




Re: Whitelist IP for SBL check

2018-02-23 Thread David Jones

On 02/23/2018 10:46 AM, Axb wrote:

> On 02/23/2018 04:33 PM, David Jones wrote:
>
>> On 02/23/2018 08:26 AM, shridhar shetty wrote:
>>
>>> Hello,
>>>
>>> In our infra we use spamassassin to scan our **outgoing** mails too.
>>> This is to prevent spammers using our infra to send mails and get our
>>> IP's blacklisted. We perform various DNSBL tests on the mail body.
>>
>> We also scan outbound aggressively to keep our own IPs clean.  I
>> monitor for our own IPs getting listed in major RBLs every 15 minutes
>> and hourly I have a script that checks my own IPs in all RBLs listed
>> at http://multirbl.valli.org/.  You need to make sure you have a good
>> abuse@ contact setup for your IP ranges based on a WHOIS lookup of the
>> IPs.  You must setup feedback loops with all of the major platforms
>> out there like Yahoo, AOL, Comcast, etc.
>>
>> We send out millions of spammy looking emails every week from
>> student management systems that don't have an opt-out method to lots
>> of parents on freemail platforms.  We very rarely get listed on RBLs
>> and have excellent delivery rates mainly because of compromised
>> account detection and blocking of outbound mail from the single sender
>> quickly when this is triggered.  Most sane RBLs will allow for a
>> little junk outbound as long as you stop it quickly because
>> compromised accounts happen.
>>
>>> One of our IPs got listed in Spamhaus SBL for some reason, so now our
>>> outgoing mails are getting detected as spam if the email body
>>> contains our local domainname whose IP is listed in SBL(hitting
>>> URIBL_SBL rule).
>>>
>>> We have hundreds of domainnames mapped to a single IP.
>>>
>>> Is there a way to exclude local IP from DNSBL checks. For eg: if
>>> there is a local domainname xyz.org present in the
>>> mail body, then spamassassin should not mark it as spam even if A or
>>> NS record for xyz.org is listed in SBL.
>>
>> Setup a quick meta rule that subtracts the same points that the local
>> IP on Spamhaus adds until you can find a better way to handle this.
>>
>> header __RCVD_LOCAL_IP Received =~ /\[xx\.xx\.xx\.xx\]/
>> meta SPAMHAUS_LOCAL_IP_OFFSET __RCVD_LOCAL_IP && RCVD_IN_XBL
>> score SPAMHAUS_LOCAL_IP_OFFSET -1.0
>>
>> You will need to adjust the header rule to match your Received header
>> format of your particular MTA and also match the actual Spamhaus rule
>> that is getting hit.  I just guessed it was RCVD_IN_XBL.
>
> you are aware that your recommendation doesn't apply to a
> uridnssub  URIBL_SBL    zen.spamhaus.org.   A   127.0.0.2
> hit ?

I was in a hurry, sorry.  My last paragraph had a disclaimer that 2 
things would need to be adjusted.  Here is 1 of them corrected so the OP 
will only have to make sure the header rule matches his MTA's format:


header __RCVD_LOCAL_IP Received =~ /\[xx\.xx\.xx\.xx\]/
meta URIBL_SBL_LOCAL_IP_OFFSET __RCVD_LOCAL_IP && URIBL_SBL
score URIBL_SBL_LOCAL_IP_OFFSET -1.0

--
David Jones


Re: Whitelist IP for SBL check

2018-02-23 Thread Axb

On 02/23/2018 04:33 PM, David Jones wrote:

> On 02/23/2018 08:26 AM, shridhar shetty wrote:
>
>> Hello,
>>
>> In our infra we use spamassassin to scan our **outgoing** mails too.
>> This is to prevent spammers using our infra to send mails and get our
>> IP's blacklisted. We perform various DNSBL tests on the mail body.
>
> We also scan outbound aggressively to keep our own IPs clean.  I monitor
> for our own IPs getting listed in major RBLs every 15 minutes and hourly
> I have a script that checks my own IPs in all RBLs listed at
> http://multirbl.valli.org/.  You need to make sure you have a good
> abuse@ contact setup for your IP ranges based on a WHOIS lookup of the
> IPs.  You must setup feedback loops with all of the major platforms out
> there like Yahoo, AOL, Comcast, etc.
>
> We send out millions of spammy looking emails every week from
> student management systems that don't have an opt-out method to lots of
> parents on freemail platforms.  We very rarely get listed on RBLs and
> have excellent delivery rates mainly because of compromised account
> detection and blocking of outbound mail from the single sender quickly
> when this is triggered.  Most sane RBLs will allow for a little junk
> outbound as long as you stop it quickly because compromised accounts
> happen.
>
>> One of our IPs got listed in Spamhaus SBL for some reason, so now our
>> outgoing mails are getting detected as spam if the email body contains
>> our local domainname whose IP is listed in SBL(hitting URIBL_SBL rule).
>>
>> We have hundreds of domainnames mapped to a single IP.
>>
>> Is there a way to exclude local IP from DNSBL checks. For eg: if there
>> is a local domainname xyz.org present in the mail
>> body, then spamassassin should not mark it as spam even if A or NS
>> record for xyz.org is listed in SBL.
>
> Setup a quick meta rule that subtracts the same points that the local IP
> on Spamhaus adds until you can find a better way to handle this.
>
> header __RCVD_LOCAL_IP Received =~ /\[xx\.xx\.xx\.xx\]/
> meta SPAMHAUS_LOCAL_IP_OFFSET __RCVD_LOCAL_IP && RCVD_IN_XBL
> score SPAMHAUS_LOCAL_IP_OFFSET -1.0
>
> You will need to adjust the header rule to match your Received header
> format of your particular MTA and also match the actual Spamhaus rule
> that is getting hit.  I just guessed it was RCVD_IN_XBL.

you are aware that your recommendation doesn't apply to a
uridnssub  URIBL_SBL    zen.spamhaus.org.   A   127.0.0.2
hit ?





Re: Whitelist IP for SBL check

2018-02-23 Thread David Jones

On 02/23/2018 08:26 AM, shridhar shetty wrote:

> Hello,
>
> In our infra we use spamassassin to scan our **outgoing** mails too.
> This is to prevent spammers using our infra to send mails and get our
> IP's blacklisted. We perform various DNSBL tests on the mail body.

We also scan outbound aggressively to keep our own IPs clean.  I monitor 
for our own IPs getting listed in major RBLs every 15 minutes and hourly 
I have a script that checks my own IPs in all RBLs listed at 
http://multirbl.valli.org/.  You need to make sure you have a good 
abuse@ contact setup for your IP ranges based on a WHOIS lookup of the 
IPs.  You must setup feedback loops with all of the major platforms out 
there like Yahoo, AOL, Comcast, etc.


We send out millions of spammy looking emails every week from
student management systems that don't have an opt-out method to lots of 
parents on freemail platforms.  We very rarely get listed on RBLs and 
have excellent delivery rates mainly because of compromised account 
detection and blocking of outbound mail from the single sender quickly 
when this is triggered.  Most sane RBLs will allow for a little junk 
outbound as long as you stop it quickly because compromised accounts happen.



> One of our IPs got listed in Spamhaus SBL for some reason, so now our
> outgoing mails are getting detected as spam if the email body contains
> our local domainname whose IP is listed in SBL(hitting URIBL_SBL rule).
>
> We have hundreds of domainnames mapped to a single IP.
>
> Is there a way to exclude local IP from DNSBL checks. For eg: if there
> is a local domainname xyz.org present in the mail body,
> then spamassassin should not mark it as spam even if A or NS record for
> xyz.org is listed in SBL.

Setup a quick meta rule that subtracts the same points that the local IP 
on Spamhaus adds until you can find a better way to handle this.


header __RCVD_LOCAL_IP Received =~ /\[xx\.xx\.xx\.xx\]/
meta SPAMHAUS_LOCAL_IP_OFFSET __RCVD_LOCAL_IP && RCVD_IN_XBL
score SPAMHAUS_LOCAL_IP_OFFSET -1.0

You will need to adjust the header rule to match your Received header 
format of your particular MTA and also match the actual Spamhaus rule 
that is getting hit.  I just guessed it was RCVD_IN_XBL.


--
David Jones
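
The periodic self-check described in the message above, as an added example (not David Jones's script and not code from this thread): it builds the DNSBL query name for each of your own IPs, decodes the zen.spamhaus.org answer (127.0.0.2 is the SBL code reported earlier in the thread), and keeps error replies separate from listings. The IPs and DNS answers are constructed; the function names and the injected `lookup` callable are hypothetical.

```python
import ipaddress

ZEN = "zen.spamhaus.org"  # zone named in the thread

# Spamhaus ZEN return codes -> sub-list name
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL-CSS", "127.0.0.9": "SBL-DROP",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL",
    "127.0.0.7": "XBL", "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}

def dnsbl_qname(ip, zone=ZEN):
    """192.0.2.10 -> 10.2.0.192.<zone> (IPv4 only; raises on bad input)."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def classify(answers):
    """Map A-record answers to list names.

    127.255.255.x is an error reply (e.g. query refused), not a listing,
    so it must never be read as either 'listed' or 'clean'.
    """
    if any(a.startswith("127.255.255.") for a in answers):
        return {"ERROR"}
    return {ZEN_CODES.get(a, "UNKNOWN:" + a) for a in answers}

def check_ips(ips, lookup):
    """lookup(qname) returns A records as strings, [] for NXDOMAIN."""
    report = {}
    for ip in ips:
        hits = classify(lookup(dnsbl_qname(ip)))
        if hits:
            report[ip] = sorted(hits)
    return report

# Constructed DNS answers for documentation-range IPs (not real listings).
FAKE_DNS = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.2"],        # SBL, as in the thread
    "12.2.0.192.zen.spamhaus.org": ["127.255.255.254"],  # error reply
}

def fake_lookup(qname):
    return FAKE_DNS.get(qname, [])

if __name__ == "__main__":
    mine = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    for ip, lists in check_ips(mine, fake_lookup).items():
        print(ip, lists)
```

For live use, replace `fake_lookup` with a function that queries your own recursive resolver and returns an empty list on NXDOMAIN.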