[opensuse] I'm getting spam that has been cleared by www.dnswl.org
Hi,

It appears that spamassassin does a test against www.dnswl.org to whitelist addresses:

    X-Spam-Status: No, score=3.2 required=5.0 tests=AWL,BAYES_99,RCVD_IN_DNSWL_HI,
        RDNS_NONE,SUBJ_ALL_CAPS autolearn=disabled version=3.2.4

The problem is that the RCVD_IN_DNSWL_HI gives the email a high negative score (not spam) to an email that is clearly spam.

    score RCVD_IN_DNSWL_LOW 0 -1 0 -1
    score RCVD_IN_DNSWL_MED 0 -4 0 -4
    score RCVD_IN_DNSWL_HI 0 -8 0 -8

I have no idea how to know which of the received headers spamassassin thinks it is good. And if I learn who it is, I do not know either how to tell the folk of that white list they should blacklist it.

These are the headers:

    Return-Path: <deacon.davd@deacons.com>
    ...
    Received: from nuevavision.com.pe (linuxnv.nuevavision.com.pe [200.60.36.128])
        by mx1.suse.de (Postfix) with ESMTP id 1FCE3455AF
        for <carlos.e.r@opensuse.org>; Sun, 11 Jan 2009 01:30:52 +0100 (CET)
    Received: by nuevavision.com.pe (Postfix, from userid 33)
        id 6A409110BF6; Sat, 10 Jan 2009 19:24:15 -0500 (PET)
    To: undisclosed-recipients: ;
    Subject: IN GOD WE TRUST
    X-PHP-Script: mail.nuevavision.com.pe/webmail/index.php for 82.128.35.170, 82.128.35.170
    MIME-Version: 1.0
    Date: Sat, 10 Jan 2009 19:24:15 -0500
    From: Deacon David <Deacon.Davd@Deacons.com>
    Organization: Deacons Organization
    Reply-To: deacon.david@Deacons.com
    Message-ID: <ffa929d6d054c8f42d04580b99d4d816@nuevavision.com.pe>
    X-Sender: Deacon.Davd@Deacons.com
    Content-Transfer-Encoding: 8bit
    Content-Type: text/plain; charset="UTF-8"
    X-unconfigured-debian-site-MailScanner: Found to be clean
    X-unconfigured-debian-site-MailScanner-SpamScore: s
    X-unconfigured-debian-site-MailScanner-From: deacon.davd@deacons.com

And the tests are negative:

    cer@nimrodel:~> host linuxnv.nuevavision.com.pe
    linuxnv.nuevavision.com.pe has address 200.60.36.128
    cer@nimrodel:~> host 128.36.60.200.list.dnswl.org
    Host 128.36.60.200.list.dnswl.org not found: 3(NXDOMAIN)
    cer@nimrodel:~> host Deacons.com
    Deacons.com has address 216.180.38.185
    Deacons.com mail is handled by 5 mx2.fanmail.com.
    cer@nimrodel:~> host 185.38.180.216.list.dnswl.org
    Host 185.38.180.216.list.dnswl.org not found: 3(NXDOMAIN)
    cer@nimrodel:~> host 170.35.128.82.list.dnswl.org
    Host 170.35.128.82.list.dnswl.org not found: 3(NXDOMAIN)

This would be a positive result:

    cer@nimrodel:~> host 2.0.0.127.list.dnswl.org
    2.0.0.127.list.dnswl.org has address 127.0.10.0

These people suggest the following scores for spamassassin:

    score RCVD_IN_DNSWL_LOW -1
    score RCVD_IN_DNSWL_MED -10
    score RCVD_IN_DNSWL_HI -100

We have a lower score in opensuse 11.0:

    score RCVD_IN_DNSWL_LOW 0 -1 0 -1
    score RCVD_IN_DNSWL_MED 0 -4 0 -4
    score RCVD_IN_DNSWL_HI 0 -8 0 -8

But I think I'm going to lower it even more, to -0.1, -0.2 and -0.4. :-/

--
Cheers,
Carlos E. R.

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
Carlos E. R. wrote:

> Hi,
>
> It appears that spamassassin does a test against www.dnswl.org to whitelist addresses:
>
> X-Spam-Status: No, score=3.2 required=5.0 tests=AWL,BAYES_99,RCVD_IN_DNSWL_HI, RDNS_NONE,SUBJ_ALL_CAPS autolearn=disabled version=3.2.4
>
> The problem is that the RCVD_IN_DNSWL_HI gives the email a high negative score (not spam) to an email that is clearly spam.

Yes, that is the purpose of DNSWL. If you're absolutely positive that what you have is spam, I would talk to the guys at dnswl.org.

> I have no idea how to know which of the received headers spamassassin thinks it is good. And if I learn who it is, I do not know either how to tell the folk of that white list they should blacklist it.

Is it possible that that email was relayed via the suse mailserver, and that those are whitelisted by dnswl.org?

/Per

--
/Per Jessen, Zürich
On Monday, 2009-01-12 at 09:35 +0100, Per Jessen wrote:

> Carlos E. R. wrote:
>
>> Hi,
>>
>> It appears that spamassassin does a test against www.dnswl.org to whitelist addresses:
>>
>> X-Spam-Status: No, score=3.2 required=5.0 tests=AWL,BAYES_99,RCVD_IN_DNSWL_HI, RDNS_NONE,SUBJ_ALL_CAPS autolearn=disabled version=3.2.4
>>
>> The problem is that the RCVD_IN_DNSWL_HI gives the email a high negative score (not spam) to an email that is clearly spam.
>
> Yes, that is the purpose of DNSWL. If you're absolutely positive that what you have is spam, I would talk to the guys at dnswl.org.

I didn't see a reporting box. :-?

>> I have no idea how to know which of the received headers spamassassin thinks it is good. And if I learn who it is, I do not know either how to tell the folk of that white list they should blacklist it.
>
> Is it possible that that email was relayed via the suse mailserver, and that those are whitelisted by dnswl.org?

Yes, I think that is the case, for the one tagged "HI"; it was sent to my opensuse.org alias. I got two others tagged MED and LO.

The problem is that Spamassassin doesn't explain which "received" header it is marking as "whitelisted".

What I have done is I lowered the score tenfold; I don't think we can trust that score that much as to give it "-8" points. If it gives high scores to any opensuse.org address, when it works as a remailer, it doesn't make sense.

--
Cheers,
Carlos E. R.
Carlos E. R. wrote:

>> Yes, that is the purpose of DNSWL. If you're absolutely positive that what you have is spam, I would talk to the guys at dnswl.org.
>
> I didn't see a reporting box. :-?

Maybe here: http://www.dnswl.org/request

--
/Per Jessen, Zürich
Carlos E. R. wrote:

>>> I have no idea how to know which of the received headers spamassassin thinks it is good. And if I learn who it is, I do not know either how to tell the folk of that white list they should blacklist it.
>>
>> Is it possible that that email was relayed via the suse mailserver, and that those are whitelisted by dnswl.org?
>
> Yes, I think that is the case, for the one tagged "HI"; it was sent to my opensuse.org alias. I got two others tagged MED and LO.

mx1.suse.de = 195.135.220.2 is listed as HI at dnswl.org.

> What I have done is I lowered the score tenfold; I don't think we can trust that score that much as to give it "-8" points. If it gives high scores to any opensuse.org address, when it works as a remailer, it doesn't make sense.

The right thing would be to have the opensuse.org mail handled by a separate server, IMHO.

--
/Per Jessen, Zürich
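The per-hop check discussed in this thread (reverse the relay's IPv4 octets, query list.dnswl.org, read the trust level from the last octet of the answer) can be run over every Received: header at once. This is an added example, not code from the thread or from SpamAssassin; the first Received line, the host mail.example.org and the answer 127.0.5.3 are constructed for illustration, with only the "high" listing of 195.135.220.2 taken from the thread.

```python
import ipaddress
import re
import socket

ZONE = "list.dnswl.org"
TRUST = {0: "none", 1: "low", 2: "medium", 3: "high"}  # last octet of an answer
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Constructed sample: the first Received line is invented for illustration,
# the second is the hop quoted in the thread (date part omitted).
SAMPLE_HEADERS = """\
Received: from mx1.suse.de (mx1.suse.de [195.135.220.2])
    by mail.example.org (Postfix) with ESMTP id 0000000000
Received: from nuevavision.com.pe (linuxnv.nuevavision.com.pe [200.60.36.128])
    by mx1.suse.de (Postfix) with ESMTP id 1FCE3455AF
"""
# Constructed answer table standing in for DNS so the example runs offline.
SAMPLE_ANSWERS = {"2.220.135.195.list.dnswl.org": "127.0.5.3"}

def relay_ips(raw_headers):
    """Bracketed IPv4 address of each Received: header, newest hop first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)  # undo header folding
    received = [ln for ln in unfolded.splitlines() if ln.lower().startswith("received:")]
    return [m.group(1) for m in map(IP_IN_BRACKETS.search, received) if m]

def dnswl_name(ip):
    """Query name: IPv4 octets reversed, then the zone (as in the host calls)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + ZONE

def decode(answer):
    """127.0.<category>.<trust> -> (category, trust name); None = not listed."""
    if answer is None:
        return None
    a, b, category, trust = map(int, answer.split("."))
    if (a, b) != (127, 0):
        raise ValueError("not a DNSWL answer: " + answer)
    return category, TRUST.get(trust, "unknown")

def dns_lookup(name):
    """Live resolver for real use; returns None when the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def check_hops(raw_headers, lookup=SAMPLE_ANSWERS.get):
    """One (ip, query name, decoded listing) tuple per Received: hop."""
    return [(ip, dnswl_name(ip), decode(lookup(dnswl_name(ip))))
            for ip in relay_ips(raw_headers)]
```

Pass `lookup=dns_lookup` to query the live zone instead of the constructed table.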
Carlos E. R. wrote:

> X-PHP-Script: mail.nuevavision.com.pe/webmail/index.php for 82.128.35.170, 82.128.35.170

There you have the guilty party, a PHP webmail script. Contact the server admin of mail.nuevavision.com.pe and tell them that mail.nuevavision.com.pe/webmail/index.php is being used for spamming. Either a spammer got access to an account on the server, or the script misuses PHP's mail() function (not uncommon; it is hard to use it correctly).

--
"We have art in order not to die of the truth" - Friedrich Nietzsche

Cristian Rodríguez R.
Software Developer
Platform/OpenSUSE - Core Services
SUSE LINUX Products GmbH
Research & Development
http://www.opensuse.org/
On Monday, 2009-01-12 at 15:39 -0300, Cristian Rodríguez wrote:

> Carlos E. R. wrote:
>
>> X-PHP-Script: mail.nuevavision.com.pe/webmail/index.php for 82.128.35.170, 82.128.35.170
>
> There you have the guilty party, a PHP webmail script. Contact the server admin of mail.nuevavision.com.pe and tell them that mail.nuevavision.com.pe/webmail/index.php is being used for spamming. Either a spammer got access to an account on the server, or the script misuses PHP's mail() function (not uncommon; it is hard to use it correctly).

Humm! :-}

I don't think I can contact the hundreds of sysadmins responsible for the hundreds of spams I receive a day. What I can do is adjust my spamassassin configuration so that it detects most spam - and it appears that I cannot trust www.dnswl.org so as to give a -8 score just because the mail passed by a certain server: i.e., my solution is to decrease that score ten times.

The mx1.suse.de is good, but that doesn't mean that any email that passes through there is safe. Per is probably right; separating the remailer to another server could be a good thing.

--
Cheers,
Carlos E. R.
participants (4)
- Carlos E. R.
- Carlos E. R.
- Cristian Rodríguez
- Per Jessen