Re: ATTENTION: DNSWL to be disabled by default.

2024-09-28 Thread Matthias Leisi
(Answering on the SA Dev list, but Cc: to SA users since this list was also involved. I’d appreciate follow-ups on the SA dev list - Reply-To: set.) > I can suggest that we run a statistical experiment by turning all non-.255 > responses into .255 responses and then compare the rate of queries.

Re: ATTENTION: DNSWL to be disabled by default.

2024-09-24 Thread Matthias Leisi
> > The situation is that dnswl has four possible responses when it acts on a > query that it has flagged as exceeding the limits of unpaid use: 1) reject > with SERVFAIL, 2) reject with BLOCKED, 3) return 127.0.0.255 which is code > for blocked, 4) return 127.0.10.3 which is code for "other

Re: ATTENTION: DNSWL to be disabled by default.

2024-09-24 Thread Matthias Leisi
> Root Cause Analysis (in order): > > 1) DNSWL does not provide blocked codes. That deviates from most DNS-query > based systems. This is wrong. — Matthias

Re: ATTENTION: DNSWL to be disabled by default.

2024-09-24 Thread Matthias Leisi
> > people who don't configure it correctly, in a way that is *almost invisible.* > The lower rate limit which they established in March of this year isn't > inherently bad, it just meant that enough people were hitting the limit that > someone bothered opened a bug about it. > There is none

Re: RCVD_IN_DNSWL_HI false positives

2021-05-13 Thread Matthias Leisi
> Maybe they could just be blocked in the firewall. This would multiply the traffic due to retries.

Re: RCVD_IN_DNSWL_HI false positives

2021-05-12 Thread Matthias Leisi
> I would suggest to follow rfc’s. So return 127.0.0.1 for example. Or don’t > answer at all. Deliberate giving ‘yes to any request’ is something I can > understand you would do but it’s plain wrong. We do follow RFCs, and have a number of methods (not returning an answer, returning REFUSED et

Re: RCVD_IN_DNSWL_HI false positives

2021-05-12 Thread Matthias Leisi
> That is unfortunate. It's not entirely crystal clear to me that > deliberately returning false positives that allow potentially > destructive SPAM to get through filters is a good way to enforce usage > policy. We use the „return hi“ in cases where long times of using other methods does not red

Re: RCVD_IN_DNSWL_HI false positives

2021-05-12 Thread Matthias Leisi
e). — Matthias -- Matthias Leisi Katzenrütistrasse 68, 8153 Rümlang Mobile +41 79 377 04 43 matth...@leisi.net Skype matthias.leisi

Re: DNSWL overriding bayes_99 and bayes_999 rules

2021-04-12 Thread Matthias Leisi
>> -2.0 RCVD_IN_DNSWL_HI RBL: Sender listed at >> https://www.dnswl.org/, >>high trust >>[203.160.71.180 listed in list.dnswl.org] > I looked up this, and the other one, and didn't find them in dnswl. As > others said, if you are usin

Re: What makes this email spam and how do I train myself to find markers for spam so I can train spamassassin properly?

2021-03-28 Thread Matthias Leisi
> > 15 X-Spam-Status: No, score=-2.7 required=4.0 tests=BAYES_50,DKIM_SIGNED, > 16 DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,INVALID_MSGID, > 17 MSGID_FROM_MTA_HEADER,OBFU_TEXT_ATTACH,RCVD_IN_DNSWL_HI, > 18 RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS autolearn=unavai

Re: IMPORTANT NOTICE FOR PEOPLE RUNNING TRUNK re: [Bug 7826] Improve language around whitelist/blacklist and master/slave

2020-07-10 Thread Matthias Leisi
Not responding to any of the messages in particular, but it may be worth to weigh in. dnswl.org will do a rebranding to a socially less loaded terminology. We have not decided on a new branding yet and do not yet have a timeline (renaming a project with 14 years of history

Re: SpamSender with 2 @-signs in the address

2018-12-12 Thread Matthias Leisi
> On 03.12.2018 at 17:56, Andreas Galatis wrote: > since several weeks I keep getting mails with sender-addresses like „Harald > Wieruch - Top Ten GmbH h.wieruch@top10ten.comxandra.hennem...@metco-gmbh.de > “ > The first part „Haral

Re: DKIMWL_WL_MED spams

2018-11-22 Thread Matthias Leisi
> Amazon has either loosened up their security or they have some customers > that weren't properly vetted. I have noticed an uptick in SES spam > lately too. I report them to SpamCop which reports them to Amazon's We’ve also noticed this on our dnswl.org spamtraps. Report

Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

2018-02-26 Thread Matthias Leisi
> Hi Guys! We provide an URIBL that already have a script in Perl to expand > redirections until no more redirections: I would be uneasy to follow such redirections on a production email system (as opposed to eg a spamtrap system). You are likely „confirming“ live email addresses to the spammer

Re: Whitelisting DKIM-signed domains

2017-10-12 Thread Matthias Leisi
I’ll just pick out one particular argument, as RW touched upon the others: | Why would you trust list B and W knowing that they can be corrupted? That was one specific concern in the design of dnswl.org , which we documented eg here: https://www.dnswl.org/?page_id=23

Re: Whitelisting DKIM-signed domains

2017-10-08 Thread Matthias Leisi
> I assume that eventually this DNS query would respond with high trust: > > # dig alertsp.chase.com.dwl.dnswl.org I wondered why this query suddenly appeared from dozens and dozens of sources in the log :) That is a good example, in that it shows one point to discuss: subdomains. At least i

Re: Whitelisting DKIM-signed domains

2017-10-08 Thread Matthias Leisi
> I have a primary and several secondary domains tied to a DNSWL ID. All Currently, all domains in a given DNSWL Id share the same trust score. This may change over time, but we want to get some experience first. As a starting point, the trust of the domains is derived from the trust in the IPs

Re: Whitelisting DKIM-signed domains

2017-10-08 Thread Matthias Leisi
> On 08.10.2017 at 01:01, Benny Pedersen wrote: > > so report spam to dnswl ? That’s always very welcome :) This was recently updated and included in the self service. If logged in on https://www.dnswl.org/selfservice/ you’ll see a section labelled „Spam Reporting“. Simple emails to admins

Re: Whitelisting DKIM-signed domains

2017-10-08 Thread Matthias Leisi
> On 08.10.2017 at 00:55, Rupert Gallagher wrote: > > Whitelisting DKIM-signed domains is a bad idea for at least two reasons: > mass-mailing services, and spammers who send from real addresses of people > whose passwords were easy to guess. This is not whitelisting any and all DKIM-signed

Whitelisting DKIM-signed domains

2017-10-07 Thread Matthias Leisi
Last week at the 41st M3AAWG meeting in Toronto there was considerable interest in domain-based whitelisting information when I presented the dnswl.org project. Obviously, this needs to be authenticated, and that’s what we have DKIM for. We created an experimental list dwl.dnswl.org (subject t

Re: Advice: why one relay evaluated and not the other

2016-06-08 Thread Matthias Leisi
> > Did you restart spamd? > > > > Effectively yes (but no not really). I am using commandline scanner > whilst doing the tests so the LOCAL.CF is being loaded each time I run > the test. When it is all working then I will restart my spamd daemon to > take effect for all incoming mail. P

Re: Multiple RBLs and dynamic IPs

2016-05-30 Thread Matthias Leisi
Hm, that looks odd: > On 27.05.2016 at 20:15, Alex wrote: > X-Spam-Report: > * -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no > * trust > * [116.251.209.92 listed in list.dnswl.org] -^ > * 0.0 RCVD_IN_XBL_ALL RBL: Received via a relay in S

Re: Interesting rule combo results

2016-03-08 Thread Matthias Leisi
> I've generated the following rules combination lists. > > The ham list are rule combinations sorted by the number of ham hits that > have 0 spam hits. > The spam list are rule combinations sorted by the number of spam hits that > have 0 ham hits. You’re sort of reinventing wheels. See htt

Re: Anyone using ASN data

2016-03-06 Thread Matthias Leisi
> On 05.03.2016 at 07:36, Marc Perkel wrote: > > Just wondering if anyone is using ASN information and if so - what are you > doing? At dnswl.org we use ASN data to identify potential „bad actors“, by aggregating reputation data over ASes. The gain in accuracy is not as big as we originally

Re: PDF files containing executables?

2016-03-03 Thread Matthias Leisi
> Thanks for the response. I'm in the spam filtering business and I'm wondering > what I can use (from the command line?) to detect if a PDF has any kind of ClamAV? — Matthias

News at dnswl.org - Self Service Portal

2016-01-04 Thread Matthias Leisi
f course, we can still be reached at admins /at/ dnswl.org for requests that can not be solved through the Self Service Portal. — Matthias, for the dnswl.org project -- Matthias Leisi Katzenrütistrasse 68, 8153 Rümlang Mobile +41 79 377 04 43 matth...@leisi.net Skype matthias.leisi

Re: any reason not to block every Softlayer allocation?

2015-10-06 Thread Matthias Leisi
> On 06.10.2015 at 04:33, Jo Rhett wrote: > > Looking at my spam block statistics, not a single IP I’ve reported to > SoftLayer over the last two years has been shut down. Is there any reason I > shouldn’t just block all their allocations and save myself some effort? If there are any not yet

Re: Return Path (TM) whitelists

2015-07-10 Thread Matthias Leisi
> On 10.07.2015 at 00:07, Dianne Skoll wrote: > > On Fri, 10 Jul 2015 07:58:39 +1000 > Noel Butler wrote: > >> +1 > > I'll throw my +1 in on this also. Almost by definition, the kinds of > organizations who buy into these certifications to get their mail > delivered are unlikely to be the

Re: Write a custom rule to match sender's ip address.

2015-07-02 Thread Matthias Leisi
> I want to do this because there are some senders who are vulnerable to > phishing or forgery but still don't bother to use SPF or DKIM. I can work out > who they use as outbound servers through by learning from traffic patterns, > and I want to give some SA credit when they're sending through

Re: DNSWL fp and other problems

2015-05-11 Thread Matthias Leisi
(writing with my dnswl.org hat on) > On 11.05.2015 at 15:42, Alex Regan wrote: > > Hi, > > I have a fp that was passed through thomsonreuters, hitting RCVD_IN_DNSWL_HI, > receiving -5 points, from an obvious hacked account. > > http://pastebin.com/5LYS7s2v IP

Re: Bayes learning for legitimate users

2015-03-14 Thread Matthias Leisi
> > On 14.03.2015 at 16:45, Matus UHLAR - fantomas wrote: > ...but as I mentioned before, training spam from mail to non-existent > recipients may be even a good thing… I would not train from mail to non-existent recipients, but would restrict to a defined set of spamtraps (which may have bee

Re: Honeypot email addresses

2014-12-02 Thread Matthias Leisi
On Tue, Dec 2, 2014 at 3:19 PM, LuKreme wrote: > On Dec 1, 2014, at 10:28 PM, Ted Mittelstaedt wrote: > > This is assuming of course that your instantly blocking everything from > a sender that happens to email a honeypot. > > Right. That is the *point* of a honeypot. The only thing going to a >

Re: Honeypot email addresses

2014-11-26 Thread Matthias Leisi
On Wed, Nov 26, 2014 at 6:05 PM, Franck Martin wrote: > As for /64, yes there are hosting providers that have all their customers > in the same /64 and other cases like this where infrastructure is not > separated by /64 boundaries. I think IPv6 blocking list will be more last > resort, than fir

Re: Honeypot email addresses

2014-11-25 Thread Matthias Leisi
On Wed, Nov 26, 2014 at 3:45 AM, Franck Martin wrote: > You may want to read > https://www.m3aawg.org/sites/maawg/files/news/M3AAWG_Inbound_IPv6_Policy_Issues-2014-09.pdf I'm well aware of the issues of cache efficiency and query volumes due to the vast address space. The solution to just cut

Programmatically accessing trusted_networks

2014-11-25 Thread Matthias Leisi
I'm using Mail::SpamAssassin as part of the tool chain for managing dnswl.org data - basically to verify spam samples. I would like to add trusted_networks configurations programmatically, ie without having to write them to a config file first. What I currently have (reduced to the bare minimum c

Re: Honeypot email addresses

2014-11-21 Thread Matthias Leisi
Btw., the dnswl.org project is happy to receive whatever spamtrap hits. We are about to simplify the reporting we previously had, and want to push this especially to detect spam coming in over IPv6. Details off list :) -- Matthias

Re: dealing with mail not yet listed in network tests

2014-11-13 Thread Matthias Leisi
On Fri, Nov 14, 2014 at 6:35 AM, John Hardin wrote: > if you're in a business environment you may have an uphill battle with > managing expectations, to wit: email is *not* intended to be instant > messaging - and may run up against the brick wall of management not being > willing to delay email

Re: SA list mail rejected by URIBL?

2014-10-16 Thread Matthias Leisi
SPAM,URIBL_JP_SURBL,URIBL_WS_SURBL) > > > > -- Matthias Leisi Katzenrütistrasse 68, 8153 Rümlang 043 211 03 55 / 079 377 04 43

Re: writing own rbl rules

2014-08-26 Thread Matthias Leisi
On Tue, Aug 26, 2014 at 9:25 PM, Reindl Harald wrote: >> spamc -your_normal_spamc_options > are we really talking about the same? > that won't involve the network You need a full message, include any Received: etc headers, as it would appear on your MTA when it would pass it on to spamc (or wha

Re: drop of score after update tonight

2014-08-26 Thread Matthias Leisi
On Tue, Aug 26, 2014 at 10:16 AM, Reindl Harald wrote: ADVANCE_FEE_4_NEW,ADVANCE_FEE_4_NEW_MONEY,ADVANCE_FEE_5_NEW,ADVANCE_FEE_5_NEW_MONEY,ALL_TRUSTED,BAYES_99,BAYES_999,DEAR_SOMETHING,DKIM_ADSP_CUSTOM_MED,FREEMAIL_FROM,LOTS_OF_MONEY,T_MONEY_PERCENT,URG_BIZ >>> scantime=0.3,size=4760,user=sa-milt

Re: drop of score after update tonight

2014-08-25 Thread Matthias Leisi
On Tue, Aug 26, 2014 at 12:08 AM, Reindl Harald wrote: > Aug 26 00:01:32 mail-gw spamd[6836]: spamd: result: Y 5 - > ADVANCE_FEE_4_NEW,ADVANCE_FEE_4_NEW_MONEY,ADVANCE_FEE_5_NEW,ADVANCE_FEE_5_NEW_MONEY,ALL_TRUSTED,BAYES_99,BAYES_999,DEAR_SOMETHING,DKIM_ADSP_CUSTOM_MED,FREEMAIL_FROM,LOTS_OF_MONEY,T

Re: RBL effectiveness (was Re: Ready to throw in the towel on email providing...)

2014-07-31 Thread Matthias Leisi
On Thu, Jul 31, 2014 at 1:06 AM, Noel Butler wrote: > There is no such thing as 'too big' when it comes to handling the shit storm > of spam that gets spewed out of some organisations, and I'll treat Gmail and > the likes the same as a ma 'n pa run outback country dialup ISP, there is At dnswl.

Re: Ready to throw in the towel on email providing...

2014-07-28 Thread Matthias Leisi
On Mon, Jul 28, 2014 at 6:10 PM, Ted Mittelstaedt wrote: > Just lost another one, dammit. Small company with about 6 mailboxes who > some consultant gave them a song and dance about how Gmail's such a > better mail service since "they don't get any spam" The trend towards email service provid

Re: Domain ages (was Re: SPAM from a registrar)

2014-06-09 Thread Matthias Leisi
On Mon, Jun 9, 2014 at 11:31 PM, Richard Doyle wrote: > A caching whois client (jwhois, for example) can significantly reduce > the volume of queries. > You will need to query potentially hundreds or thousands of domains *per day* - mostly throw away domains from spammers. 1) What are the typi

Re: Domain ages (was Re: SPAM from a registrar)

2014-06-09 Thread Matthias Leisi
On Mon, Jun 9, 2014 at 9:11 PM, David F. Skoll wrote: > The DNS software that serves the zone newdomain.example.net runs > the following pseudo-code when "example.org" is looked up: > [..] So who's volunteering to do this? :) > *raises hand* I still have an experimental DNS server (writte

Re: Domain ages (was Re: SPAM from a registrar)

2014-06-09 Thread Matthias Leisi
On Mon, Jun 9, 2014 at 9:11 PM, David F. Skoll wrote: > The clever part is that once lots of sites begin using this in their > SA setups, we'll very quickly build up quite an accurate database of > newly-seen domains that's completely independent of any registrar for > a data source. > dnswl.or

Re: Domain ages (was Re: SPAM from a registrar)

2014-06-09 Thread Matthias Leisi
On Mon, Jun 9, 2014 at 8:43 PM, Kevin A. McGrail wrote: > I think the core issue is that age of domains is a good indicator of spam. > So there is merit in building a distributed look-up system using SA. > > I have more ideas than resources, of course... > I repeat my question: which domain? H

Re: Domain Age

2014-06-05 Thread Matthias Leisi
On Thu, Jun 5, 2014 at 3:22 PM, Andreas Schulze wrote: > Is there something I could ask with a domainname and receive the age as > answer? http://support-intelligence.com/dob/ Which domain would you be interested in? MAIL FROM, From:, Body URL-domain, ...? -- Matthias

Re: Enom strikes back?

2014-05-27 Thread Matthias Leisi
On Mon, May 26, 2014 at 10:42 PM, James B. Byrne wrote: > Regardless of Enom's purported size, what does this say about the registrar's > ethics and the domains it hosts? Should such companies and their clients be > boycotted and thereby coerced into dealing with these frauds? Even though Enom

Re: RCVD_IN_IADB_VOUCHED pushed spam into false negatives

2014-04-16 Thread Matthias Leisi
On Wed, Apr 16, 2014 at 8:58 PM, John Hardin wrote: abuse@ should be available. >> Wiki and docs are fine, but should not be needed if possible. >> > > Oh my god, yes! Sites who force you to go through a web page rather than > having a working abuse@ address are saying "we really don't want you t

Re: RCVD_IN_IADB_VOUCHED pushed spam into false negatives

2014-04-16 Thread Matthias Leisi
(FTR & transparency, speaking for dnswl.org - a whitelist without paid-for-listing model, but with a pay-for-heavy-use model) On Wed, Apr 16, 2014 at 6:43 PM, Greg Troxel wrote: > b) meet the following transparency and responsiveness rules > i) Have a page on the SA wiki which poi

Re: Detecting very recently registered domain names

2014-01-06 Thread Matthias Leisi
Going back to the OP of this thread after some thinking: On Thu, Dec 19, 2013 at 4:02 PM, Joe Quinn wrote: > We are noticing a lot of spam coming from domains that are less than two > months old. Is there a good way to detect this automatically? > > We've thought about whois, but do not want to

Re: Whitelisting based on IP address of last external relay

2013-10-31 Thread Matthias Leisi
On Thu, Oct 31, 2013 at 9:59 AM, Henrik K wrote: I shortcircuit ALL_TRUSTED with a huge trusted_networks list. :-) So yes > it's a whitelist for me. I add networks known to be spam free and operated > by "friends" (other government entities, consulting firms etc). Everything > works fine, I've a

Re: RCVD_IN_DNSWL_MED whitelisting FREEMAIL

2013-08-25 Thread Matthias Leisi
Could you please share the IP address (better: relevant Received: header)? This seems like an error in our data. -- Matthias, for the dnswl.org project On Sun, Aug 25, 2013 at 10:19 PM, Jason Haar wrote: > Hi there > > I just received some spam - got a score below 0. The real surprise was > the

Re: Spam via whitelists

2013-07-02 Thread Matthias Leisi
On Tue, Jul 2, 2013 at 7:09 PM, Andreas Schamanek wrote: > 2) What's currently more annoying are colleagues of mine operating > large mail servers (tu-graz.ac.at and ethz.ch are 2 examples) who > forward their former users' mail to external addresses without prior > filtering. Thus, we see spam c

Re: SQL error: Duplicate entry

2013-04-25 Thread Matthias Leisi
On Thu, Apr 25, 2013 at 1:47 PM, Matus UHLAR - fantomas wrote: > I don't think so... IIRC the "REPLACE INTO" deletes existing record and > inserts new one, does not update existing. This caused some issues for me > some ~10 years ago, so i switched to the update or insert. > "REPLACE INTO" is a

Re: Sought/Rules.yerp.org problem - Re: [Fwd: Cron /usr/share/spamassassin/sa-update.cron -D 2>&1 | tee -a /var/log/sa-update.log]

2013-02-18 Thread Matthias Leisi
On Mon, Feb 18, 2013 at 10:04 PM, mouss wrote: > I hope Justin has no problems. if anybody has news, please share that > with me. > He writes on his Twitter account (@jmason) from time to time. So he is still around :) -- Matthias

Re: RCVD_IN_DNSWL_HI false negatives (my solution)

2013-02-07 Thread Matthias Leisi
On Thu, Feb 7, 2013 at 11:31 AM, Lutz Petersen wrote: > It makes no sense to point this to dnswl - mobile.de itself is not a spam > source > itself > If you use mobile.de as a forwarder, it may make sense to add their IPs to your trusted_networks configuration. If you do this, the DNSxL tests a

Re: Whitelist and DNS blacklists in SpamAssassin

2013-02-05 Thread Matthias Leisi
On Tue, Feb 5, 2013 at 8:27 AM, Per Jessen wrote: > > This is what e.g. rfci-ignorant or many other rhsbl blacklists are > > for. > > rfc-ignorant has gone off-line. > http://www.rfc-ignorant.de/ -- Matthias

Re: Spamassin error related to bayes and writing files

2012-11-22 Thread Matthias Leisi
> 2012-11-22T19:16:18.323410+00:00 localhost spamd[24393]: spamd: setuid > to spamd succeeded > 2012-11-22T19:16:18.323802+00:00 localhost spamd[24393]: spamd: > creating default_prefs: /var/lib/spamassassin/.spamassassin/user_prefs > 2012-11-22T19:16:18.324189+00:00 localhost spamd[24393]:

Re: How to check from that is not on the header?

2012-09-26 Thread Matthias Leisi
On Wed, Sep 26, 2012 at 5:09 PM, Sergio wrote: > FROM THE HEADERS: > Received: from (127.0.0.1) by mail62.us1.rsgsv.net (PowerMTA(TM) v3.5r16) id > hcc8go0lj3g4 for ; Wed, 26 Sep 2012 14:28:26 > + (envelope-from > ) An alternative view: For quite some time (>> 6 years, actually), I've had th

Do you want to support the dnswl.org project?

2012-09-19 Thread Matthias Leisi
Hello SA users list, The SpamAssassin rules are an important input for the dnswl.org project; in turn, the dnswl.org project helps to reduce the chance of false positives through the SA ruleset. The SpamAssassin and the dnswl.org projects have a significant overlap in the user base, and an improv

Re: Exclude from RCVD_IN_DNSWL_MED

2012-09-10 Thread Matthias Leisi
On Mon, Sep 10, 2012 at 8:34 PM, Helmut Schneider wrote: >> It looks like RCVD_IN_DNSWL_MED examines "firstuntrusted" and if he >> trusts his MX/relays correctly then this shouldn't be happening. In general, setting up the trustpath correctly is sufficient. > If I understood you correctly I'd n

Re: Anyone from ReturnPath want to deal with this

2012-09-05 Thread Matthias Leisi
On Wed, Sep 5, 2012 at 8:58 PM, Kevin A. McGrail wrote: > OK, it's better than nothing though I don't know the percentage of people > with Ham reporting is very high. Can you recommend some exact verbiage on From experience with the dnswl.org request queue, I can tell you that the number of re

Re: RCVD_IN_DNSWL_BLOCKED

2012-08-14 Thread Matthias Leisi
On Tue, Aug 14, 2012 at 4:30 PM, Ben Johnson wrote: > The majority of the spam that our users receive is a direct result of > this one rule; it seems that plenty of spammers are white-listed in this > database, and it is a weighty test (it reduces the score by as much as 2 > or 3 points in some c

Re: Suddenly getting lots of false positives.

2012-05-27 Thread Matthias Leisi
On Sat, May 26, 2012 at 10:38 PM, Wolfgang Zeikat wrote: > In an older episode, on 2012-05-26 22:06, Jeremy Morton wrote: >> >> OK I continue to get this problem - lots of spam is coming through now >> with: >> -4.0 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/, medium >> trust > >

Re: DNSWL will be disabled by default as of tomorrow

2011-12-13 Thread Matthias Leisi
On Tue, Dec 13, 2011 at 3:00 PM, Michael Scheidell wrote: > [..] Blocking the ip address by firewall > will save bandwidth and cpu cycles. Firewalling will have the same effect as returning no answer - it will cause retries and thus will roughly triple the amount of queries received (although th

Re: RFC 5966 and rbldnsd

2011-12-04 Thread Matthias Leisi
On Sun, Dec 4, 2011 at 6:17 PM, Matus UHLAR - fantomas wrote: >> |  -d     Dump  all  zones to stdout in BIND format and exit.  This may be >> >> That's what we use for the BIND export of dnswl.org data (create >> rbldnsd-formatted file, and let rbldnsd -d create the BIND file). > > hmmm didn't k

Re: RFC 5966 and rbldnsd

2011-12-02 Thread Matthias Leisi
On Fri, Dec 2, 2011 at 4:02 PM, Matus UHLAR - fantomas wrote: > 1: use rbldnsd to dump zone to bind.zone (Gigaram usage) >> > > I doubt rbldns is able to dump zone content. > many DNSBL providers support also BIND format. > Note that BIND takes much more RAM space man rbldnsd: | -d Dump

Re: DNSWL spam reporting plugin for spamassassin

2011-02-21 Thread Matthias Leisi
On Mon, Feb 21, 2011 at 8:56 PM, Matthias Leisi wrote: > On Mon, Feb 21, 2011 at 6:56 PM,   wrote: > >> Create account here:  http://www.dnswl.org/registerreporter.pl >> ( http//www.dnswl.org / Report Abuse, Register as Reporter ) > > Just realized that the signup proc

Re: DNSWL spam reporting plugin for spamassassin

2011-02-21 Thread Matthias Leisi
On Mon, Feb 21, 2011 at 6:56 PM, wrote: > Create account here:  http://www.dnswl.org/registerreporter.pl > ( http//www.dnswl.org / Report Abuse, Register as Reporter ) Just realized that the signup process is broken. Should be fixed later today. Sorry for the inconvenience, -- Matthias

Re: DNSWL rules downscoring spam

2011-02-21 Thread Matthias Leisi
On Mon, Feb 21, 2011 at 1:54 PM, Michelle Konzack wrote: > Pkte Regelname              Beschreibung > -- -- >  2.0 RCVD_IN_DNSWL_MED      RBL: Sender listed at http://www.dnswl.org/, > medium >                             t

Re: DNSWL rules downscoring spam

2011-02-20 Thread Matthias Leisi
On Sun, Feb 20, 2011 at 7:51 PM, Warren Togami Jr. wrote: > Matthias, we really need a method to auto-report violations of DNSWL. My > spam traps receive dozens or more every week. At what score? Any noteworthy patterns? > But I don't have time to file > a web form every time it happens. The H

Re: DNSWL rules downscoring spam

2011-02-20 Thread Matthias Leisi
On Sun, Feb 20, 2011 at 8:11 PM, Michelle Konzack wrote: >> Looking at my spam folder, I have received roughly 550 spam emails >> to my email account since last tuesday (15th). Out of those 550, >> *345* have been downscored by RCVD_IN_DNSWL_MED. Annoyingly, a This issue has been resolved (missi

Re: DNSWL rules downscoring spam

2011-02-20 Thread Matthias Leisi
On Sun, Feb 20, 2011 at 4:22 PM, Pasi Hirvonen wrote: > Hello, > > I just recently moved our mail setup to new hardware and I've been > paying close attention to what gets marked as spam and what > doesn't. > > Looking at my spam folder, I have received roughly 550 spam emails > to my email accoun

Re: DNS cache efficiency for low-TTL records (was Re: IPv6 DNSBL/WL design, was Fwd: [Asrg] draft-levine-iprangepub-01)

2011-01-04 Thread Matthias Leisi
On Tue, Jan 4, 2011 at 9:24 PM, David F. Skoll wrote: > (Spamhaus could greatly lower the load on its servers by using much > bigger TTLs, especially for lists that don't change often like the PBL. > But as another posted mentioned, sometimes DNSBL owners want to see > the queries, particularly i

Re: IPv6 DNSBL/WL design, was Fwd: [Asrg] draft-levine-iprangepub-01

2011-01-04 Thread Matthias Leisi
On Tue, Jan 4, 2011 at 8:27 AM, Jason Haar wrote: > This is a great topic! Is this been discussed at the IETF level? This is > much bigger than SA. From the sounds of this thread, spam under ipv6 is > going to be almost an *infinitely* bigger problem than ipv4. What about The IETF is where it's

Re: IPv6 DNSBL/WL design, was Fwd: [Asrg] draft-levine-iprangepub-01

2010-12-30 Thread Matthias Leisi
> John, I agree that your draft is clever.  But I think it's really > stretching DNS way beyond what it was designed for and it might be > time to look at a different approach.  To paraphrase the old saying, > when all you have is DNS, every problem looks like a lookup. To be honest, my first reac

Re: IPv6 DNSBL/WL design, was Fwd: [Asrg] draft-levine-iprangepub-01

2010-12-30 Thread Matthias Leisi
>>(3) A shifting of focus on whitelists is important... but some of those >>shouldn't really be "whitelists" in the traditional sense. Instead, they >>should merely indicate that an IP is a candidate for sending mail. > > This one I agree with.  The Spamhaus whitelist is intended only for > very vi

Re: IPv6 DNSBL/WL design, was Fwd: [Asrg] draft-levine-iprangepub-01

2010-12-30 Thread Matthias Leisi
(Same error on this mail, I should pay more attention to To: and the reply button. Sorry for the mess) On Thu, Dec 30, 2010 at 8:10 PM, Matthias Leisi wrote: > On Thu, Dec 30, 2010 at 7:43 PM, John Levine wrote: > >>>Any protocol that makes lookups in a huge adress spac

Re: IPv6 DNSBL/WL design, was Fwd: [Asrg] draft-levine-iprangepub-01

2010-12-30 Thread Matthias Leisi
(Sorry, sent to David only by error) On Thu, Dec 30, 2010 at 8:05 PM, Matthias Leisi wrote: > On Thu, Dec 30, 2010 at 7:26 PM, David F. Skoll > wrote: > >> The real problem is the human effort needed to monitor the enormous IPv6 >> address space for abuse.  I think it

Re: Fwd: [Asrg] draft-levine-iprangepub-01

2010-12-30 Thread Matthias Leisi
On Thu, Dec 30, 2010 at 12:42 AM, Ted Mittelstaedt wrote: > Thus, we can safely make the assumption that any mailserver is going > to follow the model of a single host per /64.  Thus it will ALSO be > just as useful for whitelists to have the same granularity - a /64 - > as it would be for blackl

Re: [Asrg] draft-levine-iprangepub-01

2010-12-29 Thread Matthias Leisi
On Wed, Dec 29, 2010 at 9:52 PM, David F. Skoll wrote: >> and shared hosting providers may >> allocate smaller ranges to their customers (why not an individual IP >> to each customer?). > > Because then your routing table gets insane. They may allocate the IPs in a virtualisation layer. > If dn

Re: [Asrg] draft-levine-iprangepub-01

2010-12-29 Thread Matthias Leisi
On Wed, Dec 29, 2010 at 9:26 PM, David F. Skoll wrote: > I'm not sure I agree with that.  The smallest unit of IPv6 address > space allocated by a provider (even to an end-user) is likely to be a > /64, so I don't see why whitelists can't list /64's too.  Essentially, > I disagree with the phrase

Fwd: [Asrg] draft-levine-iprangepub-01

2010-12-29 Thread Matthias Leisi
Hi all, I'm not sure whether that would be more appropriate for the dev list, but I guess this is relevant/of interest to the SpamAssassin project, and I don't know whether this has caught attention here yet. John in his draft mentioned below is very right to point out that simply applying the IP

Change at dnswl.org

2010-10-02 Thread Matthias Leisi
Hello all, dnswl.org has been running as a pure volunteer project since 2006. However, given the changing anti-spam industry and the challenges ahead, we decided that we need some sound financial basis. In a number of steps, we will introduce a subscription model for "heavy" users and vendors of a

Re: What's necessary to get "spamassassin --report" data to dnswl.org?

2010-02-26 Thread Matthias Leisi
Karsten, On 26.02.10 22:53, Karsten Bräckelmann wrote: > code? Then this would seem to be a general sketch: Write the plugin, > while keeping DNSWL tightly in the loop to sync the process. Submit the Actually, Darxus is editor at dnswl.org and contributes a nameserver - he is very much in the

Re: MTX - How does it stop spam?

2010-02-16 Thread Matthias Leisi
On 16.02.10 21:23, Kris Deugau wrote: > *nod* This is the biggest question I still see remaining; who > maintains the blacklist? How many spams can come from an "MTX-approved" > IP before it can/should be blacklisted? It does not necessarily or exclusively need to be a manually maintained b

Re: More Whitelist thoughts...

2009-12-19 Thread Matthias Leisi
On 19.12.09 04:18, Warren Togami wrote: > DNSWL > To my surprise, Matthias has begun to implement my recommendations of > improved manual abuse reporting, and automated abuse reporting. Their > accuracy even without automated abuse detection isn't too bad. In the current testing phase, the re

Re: habeas - tainted white list

2009-12-18 Thread Matthias Leisi
dnswl.org does offer trusted_networks-formatted files (separated by our trust levels), but beware of bug 5931 for older versions of SA: https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5931 -- Matthias On 18.12.2009 at 10:17, Benny Pedersen wrote: > On fre 18 dec 2009 10:07:55 CET, "Da

Re: Constant Contact

2009-10-16 Thread Matthias Leisi
Rob McEwen wrote: > Just what I said. If an IP whitelist causes too many spams to get a "free > pass", then instead of using that whitelist as a free pass to the > inbox... instead... use it to bypass all checking of the sender IPs > against blacklists, but still do content spam filtering on the

Re: Other DNSBL's

2009-10-16 Thread Matthias Leisi
Henrik K wrote: > IMO a centralized rsync datasource for all the mass checked BLs would be > nice. Wonder if someone had the connections to pull it off? It would save > resources from all and speed up the checks. Spamhaus etc would only need to > "donate" the data once a week. We don't see any

Re: dns query timed out while sa-update

2009-10-15 Thread Matthias Leisi
wild_oscar wrote: > I might leave it at that. The problem that I've been scratching my head > about is why does it work when using the nameserver directly but not when > using the router's IP address, which is forwarding to the same address. > It might be a problem with the router, although it

Re: [SA] DNSBL Comparison 20091010

2009-10-11 Thread Matthias Leisi
Adam Katz wrote: > I've had myriads of falsely whitelisted messages hit DNSWL (.org) and Did you report them to us? If there are *myriads*, there must be some serious error which we need to fix (IPs/ranges falsely listed, inappropriate trust levels listed, sometimes also errors in eg how trus

Re: How to disable DNSWL?

2009-03-01 Thread Matthias Leisi
Michelle Konzack wrote: > OK, but I have never untrusted <*.debian.org> This is not about "untrusting". It's about telling SpamAssassin which relays are trustworthy to begin with. Adding these hints greatly improves the accuracy of SpamAssassin. > Is there a way, to let spamassassin look re

Re: How to disable DNSWL?

2009-02-28 Thread Matthias Leisi
Jeff Chan wrote: >> Was wondering if the trusted_networks could be "pluginized" to use >> DNSEval so that one could query a dnswl (local or remote) - for bigger >> setups it would probably make management simpler. > > One counterargument is that if the data are relatively static, > i.e., not u

Re: DNSWL as trusted_networks-entries

2009-02-28 Thread Matthias Leisi
Andrzej Adam Filip wrote: >> Speaking of which, it may actually make sense to use all of >> dnswl.org's entries as trusted_networks-entries... > > Do you want it even for DNSWL trust levels of "none" and "low"? > It would be a "brave" suggestion :-) Surprisingly, I *am* suggesting to do exact

Re: How to disable DNSWL?

2009-02-28 Thread Matthias Leisi
In addition to what Karsten wrote about debian: Michelle Konzack wrote: > Received: from localhost (server7.pinguin-hosting.de [127.0.0.1]) > by server7.pinguin-hosting.de (Postfix) with SMTP id D1EFC613E6 > for ; Thu, 26 Feb 2009 > 22:19:21 +0100 (CET) > Received: from master.

Re: Spam hitting Bayes_99?

2009-01-28 Thread Matthias Leisi
mouss wrote: one way would be to train all "hammy" mail (mail tagged as "ham" and not "corrected" by the user) as ham, Or a script could grep/sed all hosts delivering the hammy emails and feed the resulting list into a whitelist ;-) -- Matthias

Re: (newbie question) Increasing SA effectiveness

2008-12-11 Thread Matthias Leisi
Mark Martinec wrote: > or construct custom rules to whitelist (=add negative score points) > based on some other specific characteristic of mail to be passed. Your own (your company's) street address, phone number, or some hopefully unique token which you typically add in footers of outgoing e
