On Wed, 2010-10-13 at 11:16 +1300, Peter Lowish wrote:
> How are RCVD_IN_* rules implemented Karsten?

They are generally DNS BL checks, some of which do (and are safe for)
deep header parsing. Most of them are checked against the handing-over
relay's IP only, though.

They are enabled (by default) by the skip_rbl_checks option, set to 0.
If they have not been disabled deliberately or erroneously, the absence
of such rule hits indicates a DNS problem. (If you are using your ISP's
DNS directly or as a forwarder, a local caching non-forwarding DNS
usually solves it.)

Of course, your trusted and internal networks must be correct. SA is
good at guessing them in most cases, but a more complicated setup might
need tweaking.

I mentioned it specifically because you stated that the reported IPs
send a lot of spam. Thus, they are most likely to be listed with some of
the RBLs.

Can't say more, because you didn't include any information regarding
your environment.

> I have similar spam being sent from such addresses as
> [email protected] and I don't see that rule in the
> matching rules

The sender frequently is forged, or registered for abusive purposes with
a freemail provider. The left-hand part after the dot looks suspiciously
like a forgery.

Anyway, the sender address is irrelevant in the context of relay IP
checks. Like the submitting host's IP, as you mentioned.

What I am missing is an answer to my question, if you are seeing *ANY*
of such rule hits -- and if so, which, and how frequently.

> Running mailwatch for mailscanner with spamassassin

Please do not top-post, and remove unnecessary parts of the quote.
Answering each question right below where it was asked would show you
quickly what's missing. Like, the actual answer to my previous question.

> -----Original Message-----
> From: Karsten Bräckelmann [mailto:[email protected]]
> Sent: Wednesday, 13 October 2010 10:05 a.m.
> To: [email protected]
> Subject: Re: Constant .info domain spam
>
> On Tue, 2010-10-12 at 10:32 -1000, Julian Yap wrote:
> > NOTE: I changed the domains below to 'dot info' as the mailing list
> > rejected my initial submission.
> >
> > I'm pretty sure it's not just me but there is some constant spamming
> > from dot info domains. Perhaps for the past 2 months or so.
> >
> > Often they send hundreds per day and consistently from the same IPs.
> >
> > Are people using automated IP blacklists or something like that?
>
> Yes. SA even uses them by default.
>
> What do your SA rules triggered look like? Check your identified spam.
> Do you see RCVD_IN_* rules?
>
> If not, you are having DNS problems, or deliberately disabled those
> network checks.

-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1: (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
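The two mechanics Karsten describes above, picking the handing-over relay's IP by skipping hops inside trusted networks and then checking that IP against a DNS blocklist, can be shown in a small script. This is an added example written for this page, not SpamAssassin's code nor anything from the thread: the Received headers, the trusted network range, the zone name bl.example and the table of DNSBL answers are all constructed so it runs offline, and the `resolve` hook is where a real DNS lookup would go.

```python
import ipaddress
import re

# Constructed sample: Received headers as they appear in a message, newest
# hop first. All addresses are documentation ranges, not real relays.
SAMPLE_RECEIVED = [
    "from mx.example.org (mx.example.org [192.0.2.10]) by mailhub.example.org",
    "from mail.example.net (mail.example.net [198.51.100.7]) by mx.example.org",
    "from [203.0.113.45] (unknown [203.0.113.45]) by mail.example.net",
]

# Hypothetical trusted networks, in the spirit of SA's trusted_networks: hops
# from these ranges are our own relays and are skipped when looking for the
# host that handed the mail over to us.
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ip(received_line):
    """Return the bracketed IPv4 literal of the connecting host, or None."""
    m = IP_RE.search(received_line)
    return m.group(1) if m else None


def is_trusted(ip, trusted=TRUSTED_NETWORKS):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted)


def last_external_relay(received_lines, trusted=TRUSTED_NETWORKS):
    """Walk the Received chain from the newest hop downwards; the first IP
    outside the trusted networks is the handing-over relay.  If the trusted
    networks are misconfigured, this picks the wrong host, which is why the
    thread insists they must be correct."""
    for line in received_lines:
        ip = relay_ip(line)
        if ip is not None and not is_trusted(ip, trusted):
            return ip
    return None


def dnsbl_query_name(ip, zone):
    """Reverse the octets and append the zone: 198.51.100.7 -> 7.100.51.198.<zone>."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone


# Constructed stand-in for a DNSBL zone.  Listed IPs answer with an address
# in 127/8; 127.0.0.2 is a common generic "listed" code, but the meaning of
# each code is specific to the zone being queried.
FAKE_DNSBL_ZONE = "bl.example"
FAKE_DNSBL_ANSWERS = {
    "7.100.51.198.bl.example": "127.0.0.2",
}


def check_dnsbl(ip, zone=FAKE_DNSBL_ZONE, resolve=FAKE_DNSBL_ANSWERS.get):
    """Return the listing code (last octet of the 127.x.y.z answer) or None
    when the IP is not listed.  `resolve` maps a query name to an A record
    string or None; the default is the constructed table so this runs offline."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return None
    a = ipaddress.ip_address(answer)
    # A DNSBL answer outside 127/8 is not a listing (e.g. a wildcarding resolver).
    if not a.is_loopback:
        return None
    return int(str(a).split(".")[-1])


if __name__ == "__main__":
    relay = last_external_relay(SAMPLE_RECEIVED)
    print("handing-over relay:", relay)
    print("query name:", dnsbl_query_name(relay, FAKE_DNSBL_ZONE))
    print("listing code:", check_dnsbl(relay))
```

With the sample headers the 192.0.2.10 hop is skipped as trusted, 198.51.100.7 is chosen as the handing-over relay, and its reversed-octet name hits the constructed table with code 2. Passing an empty trusted list instead selects the topmost hop, which illustrates how a wrong trusted_networks setting shifts which IP gets checked.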
