Matt Kettler wrote:
Philip Prindeville wrote:
Karsten Bräckelmann wrote:
Please, do not paste a gigantic blob of multipart MIME messages. Put it
up somewhere, raw, and simply provide a link.


On Sat, 2008-02-16 at 18:44 -0800, Philip Prindeville wrote:
Anyway, I have no idea why I'm seeing some of these scores. URL matches when there aren't even URLs in my message?

There are. Self-inflicted. The ones in square brackets with the leading
550 code, which you seem to keep sending back and forth. :)

And just *mentioning* the domain name, without any sort of valid URL (ftp: or http: or anything of the sort) is going to match it as a URL? That's highly bogus.

A domain name alone does not a URL make.

You tell that to most Windows-based clients, which will automatically make clickable URLs out of things like www.google.com in text sections.

<snip>

Oh, and DNS_FROM_OPENWHOIS probably is http://open-whois.org/, which
gives you a hint about what it actually is. The hit itself pretty much
mentions this...

Yeah, I read this.  And I don't get that either.

How does having your domain be anonymous (for whatever reason... maybe you're a small company operating below the radar) make your email any more likely to be spam????

Decidedly so. The people with the strongest reason to hide their contact information are the spammers, and other shady businesses.

That's not to say there aren't some legitimate folks that use this kind of anonymization. However, the "domains by proxy" model is a questionable practice, as it violates the spirit of the whois requirements. Also, many of them violate the letter of the requirements, such as the phone issue noted on the open-whois main page. (i.e.: anyone registered using securewhois is not correctly registered, per ICANN requirements for whois)

Well, what's ironic here is this:

I go to the open-whois web-site, and read their blurb:

"What do you have against privacy?

"In a word: nothing. This is not about privacy, but about accountability. The Internet is built upon cooperation and accountability, anything which undermines accountability is a bad thing. The usability of the WHOIS database is seriously undermined by anonymous domains."

Ah... But filtering your spam reports so no one can ever report spam to you... that's a lot more accountable, clearly. :-)



TVD_STOCK1?  There's no mention of stock anywhere in the message.

Not sure, you might want to try running it with debugging on.
The debug message from the code would be:

     dbg("eval: stock info hit: $1");

That should tell you what exact substring matched the stock info code.

From a quick glimpse of the code, it appears to identify common words
used in stock (as in stock exchange, pump-n-dump penny stocks) spam. It
does not search for the word "stock". Just as pretty much no rule in SA
ever searches for single words only...

Again, I didn't see anything that should legitimately be causing this rule to fire, and certainly not with such a high score for such an unreliable rule.



Why am I seeing all of these bogus matches?

From what I can tell, and what you sent us, they don't appear to be
bogus.

Depends on whether you equate bare domains with URLs, I suppose.

If MUAs equate them with URLs, spammers will use this, and SpamAssassin will use it.

There is only so much braindeath in UAs that you can bend the rules for. Clearly, this involves breaking them.




I looked on the wiki for some of these, but couldn't find descriptions.

What should I do?  Just block their domain?  I don't want to deal with
their misconfiguration issues.

Apparently you already exchanged messages? Try not sending the offensive
mail in question. Put it up somewhere as reference, if need be. Hmm,
sounds familiar... ;)

  guenther



No, I sent them back the offending email, initially. Which they marked as spam (bloody brilliant, of course it's spam, otherwise I wouldn't be bothering to report it.... what else do they expect to come to their "Abuse" mailbox, anyway???).

So I sent the SA scores back to them, and that's the part that I pasted previously.

How do you report Spam to such a site that's going to block your Spam reports for being... well, Spam!

Well, it's stupid, and probably an RFC violation to perform such filtering on your abuse box. So, I'm not saying the domain in question isn't behaving foolishly. You might want to point this out to them, and suggest they whitelist their abuse address. At the very least, ask them if they have an alternate reporting address that isn't filtered.


I'll give it another try. If not, their CIDR range and domain name will go into my blacklist. I don't want to open myself up to them if I can't reasonably expect them to respond to spam issues when/if they occur (again).

-Philip


