and seasonally), it may need more than one week to get
meaningful data.
— Matthias, for the dnswl.org project
rrently on business travel (and typing this mail on my phone 😅) so I could
implement that on the weekend, and then give it a week or two to compare query
loads (and identify some of the more obnoxious commercial abusers mentioned
above).
— Matthias
> Root Cause Analysis (in order):
>
> 1) DNSWL does not provide blocked codes. That deviates from most DNS-query
> based systems.
This is wrong.
— Matthias
response.
> # DNSWL is a commercial service that requires payment for servers over 100K
> queries daily.
>
The subscriptions to dnswl.org easily cover the infrastructure cost, but not
much more.
— Matthias, for the dnswl.org project
amassassin from Debian Buster and Bullseye.
Matthias
> Maybe they could just be blocked in the firewall.
This would multiply the traffic due to retries.
g REFUSED etc). But you’d be surprised how long some admins do not act…
In these cases (ie consistent query volumes way above the limits, and prolonged
times of inaction), returning a „hi“ result is the last option. This has been
the case for maybe 10 or so years.
— Matthias
methods does
not reduce the query load on the free nameservers.
— Matthias
re using one of the nameservers who are not only blocked from
using dnswl.org free nameserver infrastructure, but where we needed to use
additional methods to make them stop (ab)using our nameservers (namely,
returning a „_HI“ result in the hope that whoever is responsible will finally
notic
g resolver who
does not forward queries) is correct and will that problem magically go away :)
— Matthias
_PASS autolearn=unavailable
> 19 autolearn_force=no version=3.4.2
It’s not immediately obvious which IP should hit RCVD_IN_DNSWL_HI. None of the
IPs mentioned are on that level at dnswl.org (and I assume
also not in the mailspike data).
— Matthias
this values?
Regards,
Matthias
Hello John,
On Fri, 7 Aug 2020, John Hardin wrote:
> On Fri, 7 Aug 2020, Matthias Rieber wrote:
>
> > I'm wondering if the linter is supposed to respect the ifplugin statement.
> > I've disabled the Mail::SpamAssassin::Plugin::WLBLEval module and this
_whitelist' for USER_IN_WELCOMELIST
Aug 7 11:51:22.390 [32423] warn: rules: error: unknown eval
'check_to_in_whitelist' for USER_IN_WELCOMELIST_TO
Matthias
for „welcome“ :)
— Matthias, with the dnswl.org hat on
,
Matthias
--
Matthias Egger
ETH Zurich
Department of Information Technology maeg...@ee.ethz.ch
and Electrical Engineering
IT Support Group (ISG.EE), ETF/D/102 Phone +41 (0)44 632 03 90
Sternwartstrasse 7, CH-8092 Zurich Fax +41 (0)44 632 11 95
e
culprit? I have no clue how to isolate that, since a strace does not
really help... Or is there some strace for perl which i do not know?
Best regards
Matthias
--
Matthias Egger
ETH Zurich
Department of Information Technology maeg...@ee.ethz.ch
and Electrical Engineering
IT Sup
Hello,
I am wondering how fixed and new rules go from the developer branch to the
official updates. The website is a bit vague in this respect.
Matthias
eds be specified as
„user\shared“ - and if both use SMTP-formatted addresses, this would look like
„u...@example.com\sharedmail...@example.com“.
— Matthias
/dnswl.org/> spamtraps.
Reporting to us also helps a lot :)
> The type of spam that is coming from Amazon SES lately is mostly people
> trying to sell contact lists. I take it as a challenge to enhance my
Also a lot of Mainsleaze.
— Matthias
to the spammer by blindly following links and redirects, which may be
tied to individual email addresses.
— Matthias
cords still point to the faulty "1822617" Version.
# dig +short TXT 0.4.3.updates.spamassassin.org
"1822617"
And since the update of the current SA rules fails because of that
error, there seems to be no need to update or patch any diff manually
(because as far as i under
lly ruling out any benefits of corruption.
Yes, about once a year there is someone claiming „i just paid a subscription,
now list me!“. In these cases, we send them a „thanks, but no thanks“ note,
give them a refund on the subscription, and remove their account.
— Matthias
with this entry. A lot of
the JPMChase IPs are on trust-level hi, a few on medium, which is enough to
result in an average medium score. There is room for improvement there :)
— Matthias
or straightforward solution for
all cases.
— Matthias
emails to admins/at/dnswl.org are also welcome, but the form helps us to
get things automatically managed and spam reports becoming more effective.
— Matthias
all DKIM-signed domain (that would obviously
be foolish). This is about whitelisting DKIM-signed domains with a positive
reputation. And „whitelisting“ here means, that some points are deducted from
the SpamAssassin result.
— Matthias
# Mail::SpamAssassin::Plugin::AskDNS
Note that this only works on DKIM-signed domains (DKIM_VALID).
Any inputs or thoughts are highly appreciated.
— Matthias, for the dnswl.org project
dnswl.org partially does that. Entities which have close administrative
control over their users get higher trust levels.
-- Matthias
On Thu, Aug 18, 2016 at 9:31 AM, Nicola Piazzi wrote:
> It can be very useful a dns service URIBL that tell if a domain is public
> or private
> If is
me user
that spamd would run as? What does spamassassin -d tell you about
(which/whether) local.cf is loaded?
— Matthias
Hello,
May I kindly ask you all discuss this off-list? Thanks
matthias
--
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/ ☎
+49-176-38902045
"Die Verkaufsschlager des Buchmarkts geben Auskunft über den Zustand einer
Gesellschaft bzw.
sind, was diese Zeiten a
cy of your spamfilter.
Is that a legitimate forwarder IP?
— Matthias
reinventing wheels. See
https://wiki.apache.org/spamassassin/HitFrequencies, especially the section
about „overlap“
— Matthias
may be very different for some users, but that is what we see overall).
— Matthias
> Thanks for the response. I'm in the spam filtering business and I'm wondering
> what I can use (from the command line?) to detect if a PDF has any kind of
ClamAV?
— Matthias
now. Not Bayesian
>
> --
> Marc Perkel - Sales/Support
> supp...@junkemailfilter.com
> http://www.junkemailfilter.com
> Junk Email Filter dot com
> 415-992-3400
Somehow all this thread smells as advertisement for some company, or is
it only me, who feels this?
f course, we can still be reached at admins /at/ dnswl.org for requests that
can not be solved through the Self Service Portal.
— Matthias, for the dnswl.org project
--
Matthias Leisi
Katzenrütistrasse 68, 8153 Rümlang
Mobile +41 79 377 04 43
matth...@leisi.net
Skype matthias.leisi
On Thursday, December 17, 2015 at 11:47:50AM +0100, Reindl Harald
wrote:
>
> On 17.12.2015 at 10:54, Matthias Apitz wrote:
> > Since some days (I think(!) after I run 'sa-update') a lot of technical
> > mails are declared as SPAM due to BAYES_99 (99-100%
ens
of the lines of SA
Thanks
matthias
--
Matthias Apitz, ✉ g...@unixarea.de, 🌐 http://www.unixarea.de/ ☎
+49-176-38902045
> rh.debug
The results are here
http://www.unixarea.de/SA/rh.mail
http://www.unixarea.de/SA/rh.out
http://www.unixarea.de/SA/rh.debug
Can some kind soul help me please having a look what is now wrong with my
bayes ? Thanks in advance
matthias
--
Matthias Apitz, ✉ g...@unixarea.de,
there could be some other reason. Thanks
matthias
--
Matthias Apitz, ✉ g...@unixarea.de, 🌐 http://www.unixarea.de/ ☎
+49-176-38902045
pts rule name description
-- --
1.0 NO_RDNS_FOR_LAST_EXTERNAL DNS: Last External really has no rdns
-4.0 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.
27;check_dsn_rdns',
^^
> 'check_dns_sender',
> ];
>
> @@ -373,6 +374,25 @@
> }
> }
>
> +sub check_dns_rdns {
^^
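Review bot: the sub added at the end of this hunk is named check_dns_rdns, while the list entry in the preceding hunk is spelled 'check_dsn_rdns', so the name in the list and the name of the sub never match. Use one spelling in both places, and in the rule that calls the eval.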
--
Matthias Apitz, ✉ g...@unixarea.de, 🌐 http://www.unixarea.de/ ☎
+49-176-38902045
ge $packet->... by $pkt-> ...)
but it gives the following warning when I run it through -tD:
nov 25 08:12:51.207 [2017] warn: rules: failed to run NO_RDNS_FOR_LAST_EXTERNAL
RBL test, skipping:
nov 25 08:12:51.207 [2017] warn: (Can't locate object method "check_dns_rdns"
via package "Mail: [...]:SpamAssassin::PerMsgStatus" at
/usr/local/lib/perl5/site_perl/5.16/Mail/SpamAssassin/Plugin/Check.pm line 271.)
What do I miss?
Thanks
matthias
--
Matthias Apitz, ✉ g...@unixarea.de, 🌐 http://www.unixarea.de/ ☎
+49-176-38902045
open Internet again and send all answers out upstream at
once; do you get my point?
> if i would be you i would drop the ISP, point the MX to a cheap
> VPS and install my own MTA + Postscreen + SpamAssassin + IMAP there
what is a VPS?
matthias
--
Matthias Apitz, ✉ g...@unixarea.de, 🌐 http://www.unixarea.de/ ☎
+49-176-38902045
he reason RDNS_NONE is triggered for *every* mail
Exactly. I was asking me (and the list) why all got RDNS_NONE fired, and
now we know it: ISP's fault.
matthias
--
Matthias Apitz, ✉ g...@unixarea.de, 🌐 http://www.unixarea.de/ ☎
+49-176-38902045
y it would be not a "outgoing DNS request" because it's cached
>
> it's obvious that the info is missing in the header, otherwise for a
> remote IP with no PTR on that place would appear "unknown" so you can
> even fire that DNS request only when it is ne
On Tuesday, November 24, 2015 at 11:30:31AM +0100, Benny Pedersen
wrote:
> Matthias Apitz wrote on 2015-11-24 11:22:
>
> > As I get all my mails with this missing rDNS symbol in the Received:
> > line, I have only two options: unconfigure the RDNS_NONE test or
line, I have only two options: unconfigure the RDNS_NONE test or change
the ISP.
matthias
--
Matthias Apitz, ✉ g...@unixarea.de, 🌐 http://www.unixarea.de/ ☎
+49-176-38902045
e without RDNS_NONE. It's totally clear: a fault in the MX of
my ISP. I contacted them already yesterday, until now without any
reaction.
matthias
--
Matthias Apitz, ✉ g...@unixarea.de, 🌐 http://www.unixarea.de/ ☎
+49-176-38902045
id 1a0rRx-0006CK-Gq
for g...@unixarea.de; Mon, 23 Nov 2015
14:46:33 +0100
has something to do with my local configuration? ms-10.1blu.de is the
front MX of my ISP and is not doing a rDNS for the IP addr 140.211.11.3,
or at least is not putting its result in the Receiv
rep -i 'DOMIN|GATE' /tmp/apache.d
>
> honestly *what* do you expect?
Honestly, I wanted to see if the above 'meta ...' statement has any
effect, it has no visible effect;
the same is true, when I set
meta RDNS_NONE 0
when I set 'score RDNS_NONE 0', then RDNS_NONE is switched off.
matthias
--
Matthias Apitz, ✉ g...@unixarea.de, 🌐 http://www.unixarea.de/ ☎
+49-176-38902045
On Monday, November 23, 2015 at 01:38:12PM +0100, Reindl Harald wrote:
> On 23.11.2015 at 13:34, Matthias Apitz wrote:
> > On Monday, November 23, 2015 at 01:26:25PM +0100, Benny Pedersen
> > wrote:
> >
> >> its known 2 mta that makes incorrec
))
but it still gives always RDNS_NONE
matthias
--
Matthias Apitz, ✉ g...@unixarea.de, 🌐 http://www.unixarea.de/ ☎
+49-176-38902045
On Monday, November 23, 2015 at 01:04:07PM +0100, Benny Pedersen
wrote:
> Matthias Apitz wrote on 2015-11-23 10:43:
>
> > meta RDNS_NONE (__RDNS_NONE && !__CGATE_RCVD && !__DOMINO_RCVD)
>
> meta RDNS_NONE (__RDNS_NONE && !(__
>
> Received: from [140.211.11.3] (helo=mail.apache.org)
> by ms-10.1blu.de with smtp (Exim 4.76)
> (envelope-from
> )
> id 1a0c7H-0003WU-3m
> for g...@unixarea.de; Sun, 22 Nov 2015 22:24:11 +0100
> ____
>
//wiki.apache.org/spamassassin/Rules/RDNS_NONE
>
> RDNS_NONE checks more than just the PTR (reverse) DNS record.
> It really should be named FCRDNS_NONE
Then the wiki is wrong.
header __RDNS_NONE X-Spam-Relays-External =~ /^[^\]]+rdns= /
header __DOMINO_RCVD Received =~ /by \S+ \(Lotus Domino /
header __CGATE_RCVD Received =~ /by \S+ \(CommuniGate Pro/
meta RDNS_NONE (__RDNS_NONE && !__CGATE_RCVD && !__DOMINO_RCVD)
--
Matthias Apitz, ✉ g...@unixarea.de, 🌐 http://www.unixarea.de/ ☎
+49-176-38902045
p=140.211.11.3 rdns= "
you can find the full -D output of such a mail here:
http://www.unixarea.de/apache.d.txt
matthias
--
Matthias Apitz, ✉ g...@unixarea.de, 🌐 http://www.unixarea.de/ ☎
+49-176-38902045
On Monday, November 23, 2015 at 10:46:42AM +0200, Jari Fredriksson
wrote:
> >>> $ host 140.211.11.3
> >>> 3.11.211.140.in-addr.arpa domain name pointer hermes.apache.org.
> >>>
> >>> matthias
> >>>
> >>
> >>
On Monday, November 23, 2015 at 10:23:26AM +0200, Jari Fredriksson
wrote:
> On 23.11.2015 8.54, Matthias Apitz wrote:
> > On Sunday, November 22, 2015 at 09:23:40PM +, RW wrote:
> >>> https://wiki.apache.org/spamassassin/Rules/RDNS_NONE
> >>
.211.11.3 rdns= "
nov 23 07:46:39.203 [1927] dbg: check:
tests=FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,HEADER_FROM_DIFFERENT_DOMAINS,RCVD_IN_DNSWL_HI,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,RDNS_NONE
...
and 140.211.11.3 has a rDNS:
$ host 140.211.11.3
3.11.211.140.in-addr.arpa domain name point
use data mobile, like now.
matthias
--
Sent from my Ubuntu phone
http://www.unixarea.de/
Date: Sat, 21 Nov 2015 15:35:54 +
From: David Jones
To: spamassassin-users ,
Matthias Apitz
Subject: Re: question re/ RDNS_NONE
Read the Received headers from the bottom up.
Thanks for the reply. I did so before sending the question to the list and
could not find any IP addr
Hello,
I've sent myself an email which gets marked with RDNS_NONE. Can someone
please be so kind and explain to me which IP addr exactly triggers this
RDNS_NONE qualification? Thanks in advance.
matthias
- Forwarded message from Matthias Apitz -
X-Spam-Checker-Ve
On Thursday, November 05, 2015 at 04:24:04PM +0100, John Wilcock
wrote:
> On 05/11/2015 15:54, Matthias Apitz wrote:
> > X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on c720-r276659
> > X-Spam-Flag: YES
&
TP
> > * -0.0 NO_RECEIVED Informational: message has no Received
> > * headers
> > ...
> >
> > Why auto-learn wants the mail as HAM?
Again, why it wants to declare the SPAM message as autolearn=ham?
matthias
--
Matthias Apitz, ✉ g...@unixarea.de, 🌐 http://www.unixarea.de/ ☎
+49-176-38902045
MTP
* -0.0 NO_RECEIVED Informational: message has no Received
* headers
...
Why auto-learn wants the mail as HAM?
matthias
--
Matthias Apitz, ✉ g...@unixarea.de, 🌐 http://www.unixarea.de/ ☎
+49-176-38902045
e/727/brazilian-internet-users-suffer-softlayers-security-fail>
— Matthias
> delivered are unlikely to be the kinds of organizations I want to
> hear from.
For the record, this is the reason why dnswl.org does not
charge for listings (and we don’t call it certification): it always leads to
conflicts of interest.
— Matthias, for the dns
n they're sending through known servers.
The dnswl.org rules should cover that. If the IPs are not
listed, we’d gladly add them.
— Matthias
mes, IP ranges,
ASes, and obviously different businesses/business units. I believe maintaining
somewhat proper and sane SPF record would be a nightmare…
— Matthias
ich may have been non-existent addresses at some
point in the past…).
— Matthias
Every single one I’ve ever seen has.
>
Now you've seen one that doesn't :)
-- Matthias
y to hack together a plugin, I've reserved some time over the next
few days.
-- Matthias
even for
the fast-paced DNSBLs out there.
Maybe such a tree-walk algorithm is worth an experiment as a SpamAssassin
plugin?
-- Matthias
, and I can eg retrieve
$stmsg->{metadata}->{relays_untrusted} and so on for further analysis.
At which step and how could I configure trusted_networks from within the
code?
Thanks for any pointers.
-- Matthias
Btw., the dnswl.org project is happy to receive whatever spamtrap hits. We
are about to simplify the reporting we previously had, and want to push
this especially to detect spam coming in over IPv6.
Details off list :)
-- Matthias
willing to delay emails from prospective new paying clients *at all*.
You can mitigate this risk somewhat by avoiding greylisting for a certain
set of whitelisted mailservers.
(Yes, the project I'm affiliated with considers "greylisting avoidance" an
important use case for whitelisting.)
-- Matthias
192.87.106.230 should hit RCVD_IN_DNSWL_HI, not _LOW. Either you redefined
these rules, or something is broken.
-- Matthias (affiliated with the dnswl.org project)
On Fri, Oct 17, 2014 at 12:00 AM, Reindl Harald
wrote:
> was a reply to "getting tons of SPAM"
>
> well, the R
t on to spamc (or
whatever you use to call SpamAssassin).
-- Matthias
am comes from your MUA to SpamAssassin? I would expect the
mailflow to be something like
[actual source] => [your gateway/MTA] => [mailstore] => [your MUA]
and I would expect SpamAssassin to sit in the MTA?
-- Matthias
ke their way to SpamAssassin or are
they possibly stripped/altered by some "glue" software which calls SA?
https://wiki.apache.org/spamassassin/TrustPath
-- Matthias
P traffic would come out from
other, less well-managed networks, the situation could actually be
worse.
-- Matthias
For stats freaks:
Top Senders by Monthly Magnitude with Spamminess:
google.com 8.55 7.26
yahoo.com 8.15 7.26
mailchimp.com 8.13 6.84
hotmail.com 8.07 7.04
facebook.com 8.02 6.48
ex
A" argument does not really influence any purchase decision -
or not any more than it did in pre-Snowden times. Large european
customers who have an exposure to privacy-related risks did not and do
not outsource to US providers given the poor legal and regulatory
protection. The wave of revelations merely served to prove an already
existing sentiment.
-- Matthias
ion dates, like eg
.de? (At least they did not last time I checked.)
Whois is not a feasible data source.
-- Matthias
e operational responsibilities?
* The dnswl.org project can sponsor resources and take on some operational
aspects, but we would welcome some support.
-- Matthias
s the IPs to the
administratively responsible owner, which is admittedly somewhat vague).
Based on the usage data we gather, we can pretty accurately extract a
"last seen" date for a particular domain (or, its associated IPs to be
exact).
*But*, again: which domains would be queried for such a list?
-- Matthias
n: which domain? HELO, MAIL FROM, From:, ...?
-- Matthias
On Thu, Jun 5, 2014 at 3:22 PM, Andreas Schulze
wrote:
> Is there something I could ask with a domainname and receive the age as
> answer?
http://support-intelligence.com/dob/
Which domain would you be interested in? MAIL FROM, From:, Body URL-domain,
...?
-- Matthias
ently
fraudulent, but it's definitely a shoddy. There are very few
exceptions of companies involved in that area (in fact, I know only a
single registrar I would turn to who is not in that league).
-- Matthias
"we really don't want you to
> report abuse to us."
Yes, and no. The quality of abuse@ mails varies widely. Feedback through a
structured form on a website can drastically improve the quality and make
such feedback actionable. But yes, abuse@ should still be available.
-- Matthias
eing performed.
> no spam recurs. (For the purposes of this guideline, invitations
> sent by a site to an address which was taken from an uploaded
> address book or equivalent are considered to be spam.)
>
I don't think that a policy should special-case invite-spam.
-- Matthias
t to make the effort without some meaningful feedback :)
-- Matthias
or relaying spam through legitimate
intermediaries considerably less painful for recipients.
-- Matthias
Could you please share the IP address (better: relevant Received:
header)? This seems like an error in our data.
-- Matthias, for the dnswl.org project
On Sun, Aug 25, 2013 at 10:19 PM, Jason Haar wrote:
> Hi there
>
> I just received some spam - got a score below 0. The real surprise
ted_networks. This also ensures that
blacklists (and whitelists) are applied to the IPs delivering to these
forwarding systems.
-- Matthias
.
>
"REPLACE INTO" is a MySQL-specific extension and not part of standard SQL.
-- Matthias
On Mon, Feb 18, 2013 at 10:04 PM, mouss wrote:
> I hope Justin has no problems. if anybody has news, please share that
> with me.
>
He writes on his Twitter account (@jmason) from time to time. So he is
still around :)
-- Matthias
DNSxL tests are
applied to the IP _before_ the mobile.de hop.
-- Matthias
On Tue, Feb 5, 2013 at 8:27 AM, Per Jessen wrote:
> > This is what e.g. rfci-ignorant or many other rhsbl blacklists are
> > for.
>
> rfc-ignorant has gone off-line.
>
http://www.rfc-ignorant.de/
-- Matthias