46.183.103.8 is listed because it's an emitter of spam, it has been heloing with "host-41.36.37.63.tedata.net" and it is hitting traps. I could tell you exactly what botnet family these types of heloes come from, but I can't. Believe me, that host is infected.

So you have an emitter that is infected by something, sending both good and bad traffic. We signal that by giving it a "3" score, and I don't know where you get that 3.6 score, as we define that by

sh_scores.cf:  score    RCVD_IN_SBL_CSS         3

If math doesn't fail me, 3 is less than 3.6, and the total would have scored less than 5, so, from my POV, "working as expected".

There is also SPF_NONE and SPF_HELO_NONE that, from standard SA (3.4.6) rules, updated as of yesterday, both score 0.001 instead of 1.6. I can't understand the logic of assigning a score so high just for *not* having an SPF record, and I hope you didn't do it on purpose.

Of course, if you are not using DQS (meaning you are using Spamhaus public mirrors), you are on your own.

PSA: everyone using public mirrors should switch to free DQS

On 11/01/23 19:43, Benny Pedersen wrote:
Riccardo Alfieri wrote on 2023-01-11 18:36:
No.

it checks if an emission is done by an IP that is listed in SBL, and
add 3 points if it is (in our DQS implementation at least). IPs listed
in SBL are deemed "bad" by default, so an emission from them, even if
it's not direct to mx, is bad enough.

If you found an FP I encourage you to open a ticket through
https://check.spamhaus.org/ . We review all FPs and act accordingly.
On 11/01/23 17:56, Benny Pedersen wrote:

it should only check received last ip, not deep all ips :/
 -lastexternal is done by ZEN

X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-14) on localhost.junc.eu
X-Spam-Flag: YES
X-Spam-Level: *****
X-Spam-Status: Yes, score=5.2 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
    DKIM_VALID_AU,DMARC_PASS,HEADER_FROM_DIFFERENT_DOMAINS,
    MAILING_LIST_MULTI,RCVD_IN_DNSWL_LOW,RCVD_IN_MSPIKE_H3,
    RCVD_IN_MSPIKE_WL,RCVD_IN_SBL_CSS,RELAYCOUNTRY_GREY,SPF_HELO_NONE,
    SPF_NONE shortcircuit=no autolearn=no autolearn_force=no version=4.0.0
X-Spam-Report:
    * -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at https://www.dnswl.org/, low
    *      trust
    *      [168.100.1.4 listed in list.dnswl.org]
    *  3.6 RCVD_IN_SBL_CSS RBL: Received via a relay in Spamhaus SBL-CSS
    *      [46.183.103.8 listed in zen.spamhaus.org]
    *  1.6 SPF_NONE SPF: sender does not publish an SPF Record
    *  0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3)
    *      [168.100.1.4 listed in wl.mailspike.net]
    *  1.6 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
    * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
    *  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
    *      valid
    * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
    *       domain
    *  0.0 RCVD_IN_MSPIKE_WL Mailspike good senders
    *  0.1 RELAYCOUNTRY_GREY Relayed through at some point
    *  0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
    *      domains are different
    * -1.0 MAILING_LIST_MULTI Multiple indicators imply a widely-seen list
    *      manager
    * -0.1 DMARC_PASS DMARC pass policy
X-Spam-AWL: AWL= MEAN= COUNT= PRESCORE=
X-Spam-Relay-Country: US ** ** ** ** DE DE
X-Spam-ASN: AS3700 168.100.0.0/22
X-Fuglu-Incomingport: 10025
X-Fuglu-Suspect: 6a8f891e8b134a9f92cd83617788ebc7
X-Greylist: whitelisted by SQLgrey-1.8.0
Received: from russian-caravan.cloud9.net (russian-caravan.cloud9.net [168.100.1.4])
    by mx.junc.eu (Postfix) with ESMTPS
    for <m...@junc.eu>; Wed, 11 Jan 2023 15:58:34 +0100 (CET)



/var/lib/spamassassin/4.000000/spamassassin_snb_it/20_ITA.cf: header        __ITA_RCVD_IN_SENDERSCORE_0_29 eval:check_rbl('senderscore0-lastexternal','score.senderscore.com.','^127\.0\.4\.([1-2]?[0-9])$')
/var/lib/spamassassin/4.000000/kam_sa-channels_mcgrail_com/nonKAMrules.cf:header __RCVD_IN_HOSTKARMA eval:check_rbl('HOSTKARMA-lastexternal','hostkarma.junkemailfilter.com.')
/var/lib/spamassassin/4.000000/kam_sa-channels_mcgrail_com/nonKAMrules.cf:header RCVD_IN_HOSTKARMA_W eval:check_rbl_sub('HOSTKARMA-lastexternal', '127.0.0.1')
/var/lib/spamassassin/4.000000/kam_sa-channels_mcgrail_com/nonKAMrules.cf:header RCVD_IN_HOSTKARMA_BL eval:check_rbl_sub('HOSTKARMA-lastexternal', '127.0.0.2')
/var/lib/spamassassin/4.000000/kam_sa-channels_mcgrail_com/nonKAMrules.cf:header RCVD_IN_HOSTKARMA_BR eval:check_rbl_sub('HOSTKARMA-lastexternal', '127.0.0.4')
/var/lib/spamassassin/4.000000/updates_spamassassin_org/20_dnsbl_tests.cf:header RCVD_IN_SORBS_DUL        eval:check_rbl('sorbs-lastexternal', 'dnsbl.sorbs.net.', '127.0.0.10')
/var/lib/spamassassin/4.000000/updates_spamassassin_org/20_dnsbl_tests.cf:header RCVD_IN_XBL              eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.', '^127\.0\.0\.[4567]$')
/var/lib/spamassassin/4.000000/updates_spamassassin_org/20_dnsbl_tests.cf:header RCVD_IN_PBL              eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.', '^127\.0\.0\.1[01]$')
/var/lib/spamassassin/4.000000/updates_spamassassin_org/20_dnsbl_tests.cf:header RCVD_IN_ZEN_BLOCKED_OPENDNS eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.', '^127\.255\.255\.254$')
/var/lib/spamassassin/4.000000/updates_spamassassin_org/20_dnsbl_tests.cf:header RCVD_IN_ZEN_BLOCKED    eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.', '^127\.255\.255\.255$')
/var/lib/spamassassin/4.000000/updates_spamassassin_org/20_dnsbl_tests.cf:header RCVD_IN_MAPS_DUL         eval:check_rbl('rblplus-lastexternal', 'activationcode.r.mail-abuse.com.', '2')
/var/lib/spamassassin/4.000000/updates_spamassassin_org/20_dnsbl_tests.cf:header RCVD_IN_VALIDITY_RPBL eval:check_rbl('rnbl-lastexternal','bl.score.senderscore.com.')
/var/lib/spamassassin/4.000000/updates_spamassassin_org/20_mailspike.cf:header __RCVD_IN_MSPIKE_B    eval:check_rbl('mspikeb-lastexternal', 'bl.mailspike.net.')
/var/lib/spamassassin/4.000000/updates_spamassassin_org/20_mailspike.cf:header __RCVD_IN_MSPIKE_Z    eval:check_rbl_sub('mspikeb-lastexternal', '127.0.0.2')
/var/lib/spamassassin/4.000000/updates_spamassassin_org/20_mailspike.cf:header RCVD_IN_MSPIKE_L5    eval:check_rbl_sub('mspikeb-lastexternal', '127.0.0.10')
/var/lib/spamassassin/4.000000/updates_spamassassin_org/20_mailspike.cf:header RCVD_IN_MSPIKE_L4    eval:check_rbl_sub('mspikeb-lastexternal', '127.0.0.11')
/var/lib/spamassassin/4.000000/updates_spamassassin_org/20_mailspike.cf:header RCVD_IN_MSPIKE_L3    eval:check_rbl_sub('mspikeb-lastexternal', '127.0.0.12')
/var/lib/spamassassin/4.000000/updates_spamassassin_org/20_mailspike.cf:header RCVD_IN_MSPIKE_L2    eval:check_rbl_sub('mspikeb-lastexternal', '127.0.0.13')
/var/lib/spamassassin/4.000000/updates_spamassassin_org/72_active.cf:header   RCVD_IN_PSBL  eval:check_rbl('psbl-lastexternal', 'psbl.surriel.com.')

/var/lib/spamassassin/4.000000/updates_spamassassin_org/20_dnsbl_tests.cf:header RCVD_IN_SBL_CSS        eval:check_rbl_sub('zen', '127.0.0.3')
/var/lib/spamassassin/4.000000/updates_spamassassin_org/20_dnsbl_tests.cf:describe RCVD_IN_SBL_CSS    Received via a relay in Spamhaus SBL-CSS
/var/lib/spamassassin/4.000000/updates_spamassassin_org/20_dnsbl_tests.cf:tflags RCVD_IN_SBL_CSS        net
/var/lib/spamassassin/4.000000/updates_spamassassin_org/20_dnsbl_tests.cf:reuse  RCVD_IN_SBL_CSS
/var/lib/spamassassin/4.000000/updates_spamassassin_org/50_scores.cf:score RCVD_IN_SBL_CSS 0 3.558 0 3.335 # n=0 n=2

--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaus.com/
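
The scoring argument in this reply, as an added example that is not part of the original message: it parses the rule lines of the quoted X-Spam-Report and recomputes the total with the scores the reply names (3 for RCVD_IN_SBL_CSS from sh_scores.cf, 0.001 for SPF_NONE and SPF_HELO_NONE). The function names are hypothetical and the report text is copied from the headers quoted above.

```python
import re

# Sample input: rule lines copied from the X-Spam-Report quoted in the thread.
REPORT = """\
* -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at https://www.dnswl.org/, low
*      trust
*      [168.100.1.4 listed in list.dnswl.org]
*  3.6 RCVD_IN_SBL_CSS RBL: Received via a relay in Spamhaus SBL-CSS
*      [46.183.103.8 listed in zen.spamhaus.org]
*  1.6 SPF_NONE SPF: sender does not publish an SPF Record
*  0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3)
*      [168.100.1.4 listed in wl.mailspike.net]
*  1.6 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
*  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
*      valid
* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
*       domain
*  0.0 RCVD_IN_MSPIKE_WL Mailspike good senders
*  0.1 RELAYCOUNTRY_GREY Relayed through at some point
*  0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
*      domains are different
* -1.0 MAILING_LIST_MULTI Multiple indicators imply a widely-seen list
*      manager
* -0.1 DMARC_PASS DMARC pass policy
"""

# A rule line is "* <score> <RULE_NAME> ..."; continuation lines carry no score.
RULE_LINE = re.compile(r"^\*\s+(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]+)\b")

def parse_report(text):
    """Return {rule_name: score} for every rule line in an X-Spam-Report."""
    hits = {}
    for line in text.splitlines():
        m = RULE_LINE.match(line.strip())
        if m:
            hits[m.group(2)] = float(m.group(1))
    return hits

def rescore(hits, overrides=None):
    """Total for the rules that hit, with some per-rule scores replaced."""
    overrides = overrides or {}
    return round(sum(overrides.get(n, s) for n, s in hits.items()), 3)

if __name__ == "__main__":
    hits = parse_report(REPORT)
    print("as delivered:", rescore(hits))
    print("SBL_CSS at 3:", rescore(hits, {"RCVD_IN_SBL_CSS": 3.0}))
    print("SPF at 0.001:", rescore(hits, {"SPF_NONE": 0.001, "SPF_HELO_NONE": 0.001}))
```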
