On 12-11-2021 at 00:43, Loren Wilton wrote:
> I have to admit I'd never paid much attention to the RCVD_IN_DNSWL_*
> scores on spam before.
> [...]
> Looking at spam for last month, [...]
> But I do have 12 pretty blatant spams that hit RCVD_IN_DNSWL_HI.
> It makes me wonder just how useful a rule it is.
A pretty blatant misconfiguration of a mail server (and/or the system
running it) can unfortunately lead to various negative side effects.
Given your previous mention of not paying attention, I would initially
lean towards thinking that (some of) your configuration(s) might need
some attention.
Especially when it includes SendGrid among the "HI" reputation
senders.
This one again leads back to the previous point:
a) SendGrid has never had any IP addresses on "HI".
b) No SendGrid IP addresses have been published to the public from
DNSWL since 2020-08-21.
[66.70.136.180] mta1.bevocalforlocal.info
This IP address was caught on our radars on 2021-08-25, for a very short
time, and was completely gone again on 2021-09-09.
During this time frame it had only been residing in internal DNSWL
IDs, and as such had NOT been published to the public.
[167.89.10.203] o1678910x203.outbound-mail.sendgrid.net
This IP address has been seen on and off since 2015-03-14, published
with RCVD_IN_DNSWL_NONE from 2015-03-25 to 2017-02-21, and again
from 2018-06-17 to 2020-08-21.
Outside the mentioned time frames it hasn't been sent out to the public,
and it has NEVER been above RCVD_IN_DNSWL_NONE.
[88.80.190.164] 88-80-190-164.ip.linodeusercontent.com
[107.175.219.38] dhrf266.medley.com.de
[107.175.219.54] dhrf2106.realatelier.xyz
[107.175.219.103] dhrf2208.rollrs.xyz
[139.162.81.182] 139-162-81-182.ip.linodeusercontent.com
[172.104.183.201] 172-104-183-201.ip.linodeusercontent.com
[172.105.221.77] li1875-77.members.linode.com
[178.79.178.52] li347-52.members.linode.com
[185.51.39.149] static-185-51-39-149.uludns.net
None of those are in DNSWL, and none of them have been recorded in DNSWL
for at least the past 12 months, not even in the internal DNSWL IDs that
aren't sent out to the public.
At the time of writing this, the RFC 1912 section 2.1 kind of FcRDNS for
several of them is inconsistent, as forward DNS is missing, which is a
good reject parameter on its own.
The majority of them also show the classic dynamic/generic-looking PTR
records, which is also a good reject parameter on its own.
--
Kind regards,
Arne Jensen
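The two reject parameters Arne names at the end (forward-confirmed reverse DNS per RFC 1912 section 2.1, and generic/dynamic-looking PTR names), plus decoding a dnswl.org answer into the RCVD_IN_DNSWL_* level, as an added example that is not part of this thread and not code from DNSWL or SpamAssassin. The PTR and A records in `SAMPLE_PTR` / `SAMPLE_A` are constructed so the module runs offline; the live `socket` fallback is only used when no table is passed. The generic-PTR regex is my own deliberately conservative heuristic, and the `127.0.<category>.<score>` answer layout follows dnswl.org's documented return codes, with score 0/1/2/3 mapping to NONE/LOW/MED/HI as in SpamAssassin's rule names.

```python
"""Sender-IP sanity checks: FcRDNS, generic PTR heuristic, DNSWL level decode.

Constructed sample DNS data is embedded below so everything runs offline.
Pass ptr_table=None / a_table=None to resolve live via the socket module.
"""
import re
import socket
from typing import Dict, List, Optional

# Constructed sample data (hypothetical names and RFC 5737 test addresses).
SAMPLE_PTR: Dict[str, str] = {
    "192.0.2.10": "mx1.example.net",                   # consistent FcRDNS
    "192.0.2.20": "dhrf9999.example.xyz",              # PTR set, forward missing
    "192.0.2.30": "192-0-2-30.ip.example-cloud.test",  # consistent but generic
    "192.0.2.40": "",                                  # no PTR at all
}
SAMPLE_A: Dict[str, List[str]] = {
    "mx1.example.net": ["192.0.2.10"],
    "192-0-2-30.ip.example-cloud.test": ["192.0.2.30"],
}

# Conservative heuristic for dynamic/generic PTR names (an assumption, not a
# standard): an IPv4 quad embedded in the name with dots or dashes, a common
# pool prefix followed by digits, or a long hex-only first label.
_GENERIC_RE = re.compile(
    r"(^|[.-])\d{1,3}[.-]\d{1,3}[.-]\d{1,3}[.-]\d{1,3}([.-]|$)"
    r"|^(static|dyn|dynamic|dhcp|pool|ppp|cable|dsl|host|ip)[-.]?\d"
    r"|^[0-9a-f]{8,}\.",
    re.IGNORECASE,
)

DNSWL_LEVELS = {0: "NONE", 1: "LOW", 2: "MED", 3: "HI"}


def ptr_name(ip: str, ptr_table: Optional[Dict[str, str]] = None) -> str:
    """Reverse lookup of ip; '' when no PTR record exists."""
    if ptr_table is not None:
        return ptr_table.get(ip, "")
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # herror/gaierror are OSError subclasses
        return ""


def forward_addrs(name: str, a_table: Optional[Dict[str, List[str]]] = None) -> List[str]:
    """IPv4 addresses the PTR name resolves to; [] when forward DNS is missing."""
    if a_table is not None:
        return a_table.get(name, [])
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except OSError:
        return []


def fcrdns(ip: str, ptr_table=None, a_table=None) -> str:
    """RFC 1912 2.1 style check: 'ok', 'no-ptr', 'no-forward' or 'mismatch'."""
    name = ptr_name(ip, ptr_table)
    if not name:
        return "no-ptr"
    addrs = forward_addrs(name, a_table)
    if not addrs:
        return "no-forward"          # the case Arne describes: PTR but no A
    return "ok" if ip in addrs else "mismatch"


def is_generic_ptr(name: str) -> bool:
    """True when the PTR looks like a dynamic/generic pool name."""
    return bool(name) and _GENERIC_RE.search(name) is not None


def dnswl_level(answer: Optional[str]) -> Optional[str]:
    """Map a 127.0.<category>.<score> DNSWL answer to NONE/LOW/MED/HI."""
    if not answer:
        return None                  # NXDOMAIN: not listed at all
    octets = answer.split(".")
    if len(octets) != 4 or octets[0] != "127" or octets[1] != "0":
        return None
    return DNSWL_LEVELS.get(int(octets[3]))


def sender_signals(ip: str, dnswl_answer: Optional[str] = None,
                   ptr_table=None, a_table=None) -> List[str]:
    """Collect rule-like signals for a connecting IP, in a fixed order."""
    signals: List[str] = []
    status = fcrdns(ip, ptr_table, a_table)
    if status != "ok":
        signals.append("FCRDNS_" + status.upper().replace("-", "_"))
    if is_generic_ptr(ptr_name(ip, ptr_table)):
        signals.append("GENERIC_PTR")
    level = dnswl_level(dnswl_answer)
    if level:
        signals.append("RCVD_IN_DNSWL_" + level)
    return signals


if __name__ == "__main__":
    for ip, ans in [("192.0.2.10", "127.0.10.3"), ("192.0.2.20", None),
                    ("192.0.2.30", "127.0.5.0"), ("192.0.2.40", None)]:
        print(ip, sender_signals(ip, ans, SAMPLE_PTR, SAMPLE_A))
```

Running it prints one line per sample address; `192.0.2.20` comes out with only `FCRDNS_NO_FORWARD`, which is exactly the "PTR exists, forward DNS missing" condition the message calls a good reject parameter on its own, while `192.0.2.30` passes FcRDNS yet is flagged `GENERIC_PTR`. Note that the DNSWL decode only interprets an answer you already hold; whether an address is listed at all is DNSWL's data, not something this code can infer.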