In an older episode, on 2012-05-26 22:06, Jeremy Morton wrote:
> OK I continue to get this problem - lots of spam is coming through now with:
> -4.0 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/, medium trust

We had so many false positives with that rule, that I - as others who replied to your post already (see below) - have come to the conclusion that www.dnswl.org is not a reliable source of trust for us and disabled the rule by configuring

score RCVD_IN_DNSWL_MED 0

0 is zero, not uppercase o


> I think it's likely to have something to do with me changing the machine's hostname to ip.game-point.net because it started happening just after that.

I doubt that.

Regards,

wolfgang

----------  Forwarded Message  ----------

Subject: Re: Suddenly getting lots of false positives.
Date: Thursday, 24. May 2012
From: "corpus.defero" <corpus.def...@idnet.com>
To: users@spamassassin.apache.org

On Thu, 2012-05-24 at 10:14 +0100, Jeremy Morton wrote:
> I've gotten a lot of false positives coming into my inbox lately, and
> the principal reason for most of them seems to be that they are matching
> the following rule:
> -4.0 RCVD_IN_DNSWL_MED      RBL: Sender listed at http://www.dnswl.org/,
> medium trust
>

Given the connecting IP is listed with a number of anti-spam
blocklists:

59.94.13.26 Listed in Spamhaus XBL (CBL Data)
59.94.13.26 Listed in Spamhaus PBL (ISP Maintained)
59.94.13.26 Listed in Barracuda Reputation List
59.94.13.26 Listed in dul.dnsbl.sorbs.net
59.94.13.26 Listed in UCE PROTECT LEVEL 2
59.94.13.26 Listed in UCE PROTECT LEVEL 3

and that

bestinternetdancer.com

Is listed in Spamhaus domain block list & the multi.uribl.com block list
you'd have to wonder why it gets a reduction from: www.dnswl.org

I'm not 100% but isn't http://www.dnswl.org/ a 'DIY' whitelisting site
that anyone can kind of abuse?

The rule is tucked away in 72_active.cf, along with the other 'pay to
spam' whitelists from the likes of Return Path. I suggest you add this
to your local.cf to deal with such abuse:

score RCVD_IN_DNSWL_MED 0
score RCVD_IN_RP_CERTIFIED 0
score RCVD_IN_RP_SAFE 0

But that's just my default settings on every instance of SA that I work
on. Sometimes I add points for Return Path as it seems to help BLOCK
spam rather than pass ham - but that's a can of worms and a different
subject.
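
Added example, not part of the original thread: a small Python audit that parses SpamAssassin report lines in the `pts rule description` layout quoted above and flags messages that stayed under the threshold only because of the whitelist rules the thread proposes to zero. The sample reports and their scores are constructed, the result field names are hypothetical, and 5.0 is SpamAssassin's default `required_score`.

```python
import re

# Rules the thread proposes to set to 0 in local.cf.
WHITELIST_RULES = {"RCVD_IN_DNSWL_MED", "RCVD_IN_RP_CERTIFIED", "RCVD_IN_RP_SAFE"}
REQUIRED = 5.0  # SpamAssassin default required_score; adjust to your site

# One report line: "<pts> <RULE_NAME> <description>".
RULE_LINE = re.compile(r"^\s*(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]+)\b")

def parse_report(report):
    """Return {rule: score} for every rule line in a SpamAssassin report."""
    hits = {}
    for line in report.splitlines():
        m = RULE_LINE.match(line)
        if m:  # wrapped description lines ("medium trust") do not match
            hits[m.group(2)] = float(m.group(1))
    return hits

def audit(report, required=REQUIRED):
    """Compare the real score with the score after zeroing the whitelist rules."""
    hits = parse_report(report)
    total = round(sum(hits.values()), 1)
    credit = round(sum(s for r, s in hits.items()
                       if r in WHITELIST_RULES and s < 0), 1)
    zeroed = round(total - credit, 1)
    return {"total": total, "whitelist_credit": credit, "score_if_zeroed": zeroed,
            "passed_only_by_whitelist": total < required <= zeroed}

# Constructed sample reports; the scores are illustrative, not rule defaults.
SPAMMY = """\
-4.0 RCVD_IN_DNSWL_MED      RBL: Sender listed at http://www.dnswl.org/,
                            medium trust
 3.3 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
 1.7 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
 2.5 URIBL_DBL_SPAM         Contains an URL listed in the DBL blocklist
"""
HAM = """\
-4.0 RCVD_IN_DNSWL_MED      RBL: Sender listed at http://www.dnswl.org/,
                            medium trust
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
"""

if __name__ == "__main__":
    for name, report in (("spammy", SPAMMY), ("ham", HAM)):
        print(name, audit(report))
```

Running this over a mailbox's stored reports before changing `local.cf` shows how many delivered messages the zeroed scores would have tipped over the threshold.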




