Re: Got dead domains that get a lot of spam?

Wed, 20 May 2009 07:49:50 -0700 

Matus UHLAR - fantomas wrote:
I've also just recently enabled these lists in SA so am still in the very early stages of testing. I initially did get one FP hit against the whitelist (spam message sent through an ISP smtp server in the whitelist) 

On 20.05.09 13:41, Mike Cardwell wrote:

Can you let us know what that IP is please? Then Marc can explain how it  
managed to get on the whitelist. No ISP SMTP server should be in a  
whitelist imho...


That really depends on the blacklist's policy. I think Marc wants to
eliminate FPs this way - an ISP can do whatever against spam, still
customers can manage to send some. Botnets and lame organizations' servers
cause much more harm that most if ISPs...



I just think that a whitelist entry should be an absolute "no spam comes 
from here unless something goes tits up" type entry, and all hosts on it 
should be manually checked...



I started querying the whitelist from spamassassin 4 hours ago. I don't 
have a high volume of mail. SpamAssassin has only scanned 273 messages 
since then, yet the hostkarma whitelist has already incorrectly tagged 2 
of that small sample of mail:



1.) May 20 13:34:34 haven spamd[4500]: spamd: result: Y 21 - 
BAYES_99,DCC_CHECK,DIGEST_MULTIPLE,HTML_IMAGE_RATIO_02,HTML_MESSAGE,MIME_QP_LONG_LINE,PYZOR_CHECK,RCVD_IN_JMF_W,SPF_PASS,URIBL_BLACK,URIBL_SBL 
scantime=7.5,size=25057,user=doug,uid=1003,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=/var/run/spamd.sock,mid=<jbsq02c0003f3002000ceunh047...@bp06.net>,bayes=1.000000,autolearn=spam


Which came from: mail.s57.93.bp06.net, 81.252.93.57


2.) May 20 14:05:49 haven spamd[4500]: spamd: result: Y 11 - 
BAYES_99,GREPULAR_RBL_RHSBL,HTML_MESSAGE,RCVD_IN_JMF_W,SPF_HELO_PASS,SPF_PASS,URIBL_GREY 
scantime=5.1,size=36224,user=doug,uid=1003,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=/var/run/spamd.sock,mid=<uhojlfmlslzacfb2fs5hc4ljonb...@dm.msg>,bayes=1.000000,autolearn=spam


Which came from: mta242c.dm-4.com, 64.40.120.242


http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists#The_Magic_is_in_the_White_Lists 
 states:



"White on our lists means that anything that comes from the source is 
good email and needs no further testing" ...


Well, I don't think the list is accurate enough to justify that statement.

--
Mike Cardwell
(https://secure.grepular.com/) (http://perlcv.com/)























					Reply via email to