On Sat, 6 Oct 2007, Rob McEwen wrote:

Dan,

FWIW... that IP, 220.226.197.15, is currently listed on four spam blacklists ("RBLs"):

1) uceprotect
2) no-more-funn
3) psbl
4) ivmSIP.com (mine)

My problem is: blocklists come and go, and some blocklists, when they "go", do things like "hang up because they're being flooded, thus slowing my mail processes" or "flag all mail as spam" or "hand out stale data that hasn't changed at all in months/years".

If you put out a popular enough blocklist, you're likely to be blocked, period.

Personally, I'd like it if SA came with a blocklist-feeder tool, where upon, say, two auto-learns, a blocklist (or SQL database) could be fed.

The docs here: http://wiki.apache.org/spamassassin/DnsBlocklists?highlight=%28dnsbl%29

Are outdated.

-Dan


The first two are "FP-risky" for outright blocking, but can be useful in a scoring environment. The latter two are much more safe for outright blocking... particularly ivmSIP.com, which has a FP rate that is almost as low as the FP rate of SpamHaus's lists.

Rob McEwen




Dan Mahoney, System Admin wrote:
Message at bottom.

I checked on this email. My system is right: it is an SPF soft-fail. At this point, ninety-nine percent of people who set up SPF are going to be setting ~all and not understanding the difference between ~all and -all. And this did constitute a fail (i.e. a forgery), but there's no rule that hit.

We've had the debate before, that SPF alone should not stop spam, but here it is: a legitimate domain hijack and SA isn't hitting?

Also, what's up with RDNS_NONE? My sendmail won't accept a connection unless your RDNS resolves, or you send in the domain literal format. I did a quick search and found a few bugs on this.

We've already been over DKIM_POLICY_SIGNSOME -- I'm still in favor of making a new rule for the implicit policy (DKIM_NOPOLICY or DKIM_POLICY_ASSUMED_SIGNSSONE) rather than the explicit one.

Can we also assume the following...

The Ironport-Anti-Spam score is bogus but we have no way of checking the result?

The Ironport-AV score is probably also bogus? Are "valid" values for i and a documented somewhere?

The X-Originating-IP of 127.0.0.1 is probably accurate (after all, the sending host must have had a 127.1), but useless and either the result of a bug (i.e. a misconfigured mailserver, from which we should not accept), or an intentional attempt to fool filters to believe it's "trusted" (for those systems that check this header) and should be ignored or a rule created?

From [EMAIL PROTECTED] Sat Oct  6 05:40:56 2007
Return-Path: <[EMAIL PROTECTED]>
X-Spam-Checker-Version: SpamAssassin 3.2.2 (2007-07-23) on quark.gushi.org
X-Spam-Level: *
X-Spam-Status: No, score=1.4 required=5.0 tests=BAYES_50,DKIM_POLICY_SIGNSOME,
    MISSING_HEADERS,RDNS_NONE autolearn=no version=3.2.2
Received: from rx4.indiatimes.com ([220.226.197.15])
    by prime.gushi.org (8.13.8/8.13.8) with ESMTP id l969eqTG063292
    for <[EMAIL PROTECTED]>; Sat, 6 Oct 2007 05:40:54 -0400 (EDT)
    (envelope-from [EMAIL PROTECTED])
Authentication-Results: prime.gushi.org [EMAIL PROTECTED]; sender-id=softfail; spf=softfail
Received: from unknown (HELO tilmb7.indiatimes.com) ([192.168.61.27])
  by x1.indiatimes.com with ESMTP; 06 Oct 2007 15:07:38 +0530
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AnoUAJL0BkfAqD0b/2dsb2JhbAAMiRw
X-IronPort-AV: i="unknown";  a="17144176:sNHT0"
Date: Sat, 6 Oct 2007 14:57:11 +0530 (IST)
From: "Mr.Craig McAfee" <[EMAIL PROTECTED]>
Reply-To: "Mr.Craig McAfee" <[EMAIL PROTECTED]>
Message-ID: <[EMAIL PROTECTED]>
Subject: Attn:YOU HAVE WON A PRIZE (1,700,000.00 Euros)!
MIME-Version: 1.0
X-Originating-IP: [127.0.0.1]
Content-Type: text/plain; charset="utf-8"
X-Greylist: Default is to whitelist mail, not delayed by milter-greylist-3.0 (prime.gushi.org [0.0.0.0]); Sat, 06 Oct 2007 05:40:56 -0400 (EDT)
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from base64 to 8bit by prime.gushi.org id l969eqTG063292
X-Envelope-To: [EMAIL PROTECTED]

    [ The following text is in the "utf-8" character set. ]
    [ Your display is set for the "US-ASCII" character set.  ]
    [ Some characters may be displayed incorrectly. ]

Attention!!!
Your email address has emerged as one of the winner in Euromillions FreeDraws.Prize attached is 1,700,000.00 Euros.Contact Mr Mr Denis Ernest Fing.Email:[EMAIL PROTECTED] with the following information:1, Full Names: 2. Address:3. Age:4. Sex:5. Phone /Fax number: and 6. Country:

--
My life has changed. What about yours?
Log on to the new Indiatimes Mail and Live out of the Inbox!

--

"Is Gushi a person or an entity?"
"Yes"

-Bad Karma, August 25th 2001, Ezzi Computers, Quoting himself earlier, referring to Gushi

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------




--

"Of course she's gonna be upset!  You're dealing with a woman here Dan,
what the hell's wrong with you?"

-S. Kennedy, 11/11/01

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------
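
Added example, not part of the original thread and not SpamAssassin code: a Python sketch of the header checks discussed above (SPF softfail in Authentication-Results, a loopback X-Originating-IP, and the DNSBL query name for the connecting relay). The sample headers are constructed, the finding labels are hypothetical, and the zone dnsbl.example is a placeholder.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample, modelled on the headers quoted in the thread.
SAMPLE = """\
Received: from relay.example.net ([203.0.113.15])
    by mx.example.org with ESMTP; Sat, 6 Oct 2007 05:40:54 -0400 (EDT)
Authentication-Results: mx.example.org; sender-id=softfail; spf=softfail
X-Originating-IP: [127.0.0.1]
Subject: Attn:YOU HAVE WON A PRIZE
"""

def auth_results(msg):
    # Map each method (spf, sender-id, ...) to the result our MTA recorded.
    out = {}
    for value in msg.get_all("Authentication-Results", []):
        for part in value.split(";")[1:]:   # first field is the authserv-id
            m = re.match(r"\s*([\w-]+)\s*=\s*(\w+)", part)
            if m:
                out[m.group(1).lower()] = m.group(2).lower()
    return out

def relay_ip(msg):  # IP literal in the topmost Received header
    m = re.search(r"\(\[([0-9.]+)\]\)", msg.get("Received", ""))
    return m.group(1) if m else None

def originating_ip_is_local(msg):
    # True when X-Originating-IP claims a loopback or private address.
    raw = msg.get("X-Originating-IP", "").strip().strip("[]")
    try:
        ip = ipaddress.ip_address(raw)
        return ip.is_loopback or ip.is_private
    except ValueError:
        return False

def dnsbl_name(ip, zone):  # IPv4 octets reversed, then the zone
    return ".".join(reversed(ip.split("."))) + "." + zone

def findings(raw, zone="dnsbl.example"):   # zone is a placeholder
    msg = message_from_string(raw)
    hits = []                               # labels below are hypothetical
    if auth_results(msg).get("spf") == "softfail":
        hits.append("spf-softfail")
    if originating_ip_is_local(msg):
        hits.append("x-originating-ip-non-routable")
    ip = relay_ip(msg)
    if ip:
        hits.append("dnsbl-query " + dnsbl_name(ip, zone))
    return hits
```
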
