On Mon, 30 Nov 2015, Sebastian Arcus wrote:
On 30/11/15 16:41, Reindl Harald wrote:
Am 30.11.2015 um 17:24 schrieb Sebastian Arcus:
OK - this might be a basic question, but recently the detection rate on
my SA install has been really unreliable, so I decided that the first
step is to be sure it is using the public dns blocklists and razor. My
setup:
1. Spamassassin 3.4.1
2. I have Bind configured as recursive, non-forwarding, caching DNS
server.
3. spamassassin --lint doesn't return any errors or failures.
5. My init.pre contains "loadplugin Mail::SpamAssassin::Plugin::URIDNSBL"
Here is the report included in one of the emails which is spam, but
wasn't detected as such:
Content analysis details:   (1.4 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.7 RCVD_IN_DNSWL_LOW      RBL: Sender listed at http://www.dnswl.org/, low
                            trust
                            [212.227.15.41 listed in list.dnswl.org]
 1.0 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
 0.0 HTML_MESSAGE           BODY: HTML included in message
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                            valid
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from
                            author's domain
 1.3 RDNS_NONE              Delivered to internal network by a host with no rDNS
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
Does the above mean that the DNSBL tests were applied but returned zero
values, or would it mean they were skipped? I'm not sure how to find
out which one it is. I'm happy to attach some sample emails which
weren't detected, or any other useful info. Thank you
RCVD_IN_DNSWL_LOW is the opposite of "returned zero values", but why not
just pass a sample against SA in debug mode?
spamassassin -D < /path/to/spam-example.eml
Thank you Harald. I did, and it looks like SA does contact lots of DNSBLs
and receives various messages in reply. Nothing that looks like failures
or errors. I can attach the output here, but it is a lot. Would this mean
that the DNSBLs are working correctly in my setup, but spammers somehow
manage to keep on sending from "clean" domains all the time, and I should
look into some other way of stopping this type of spam? The messages I'm
talking about are typical spam, with one or two sentences in the email body
and one or two links, usually advertising life insurance, solar panels and
similar. None of them are from proper companies or entities I have ever dealt
with.
I don't see any references to Bayes there; are you running Bayes, and is it
trained?
These "snowshoe" spams are a bit difficult to nail because they keep hopping
around. After a day or two they're listed in various RBLs (both for the IP and
the URL hostname), but they rarely sit still long enough for that to help much.
They often have similar characteristics, so Bayes can be a big help there.
Are you running Razor? It works sort of like a remote Bayes, but it needs to
be fed and, like URIBLs, may lag several hours and so not help on an initial flood.
I have my own in-house DNSBLs (RBL, URIBL, NSRBL) that I hand-feed based upon
spamtrap hits. One thing that helps is an NSRBL (i.e. a list of NS servers for the
URIs, urifullnsrhssub) in which I list the registrars that spammers often get their
domain names from. It has to be used carefully, as legitimate businesses also use
these cheap registrars, but when used with METAs for things like BAYES it
helps.
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
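Added example, not code from anyone in this thread and not SpamAssassin's own code. It makes two points of the discussion concrete: Sebastian's question of whether a DNS-list test ran and said "no" or was never answered (the "applied but zero" versus "skipped" distinction), and Dave's NSRBL idea of looking up the name servers of a URI's domain against a RHSBL zone, as urifullnsrhssub does. A DNS-list query has three distinct outcomes, and the code names each: an A record in 127.0.0.0/8 means listed (for list.dnswl.org the answer is 127.0.<category>.<trust>, and the trust octet is what separates RCVD_IN_DNSWL_LOW from the other DNSWL rules), NXDOMAIN means the zone was consulted and the key is not in it, and SERVFAIL or a timeout means no verdict at all. The resolver is injected so the run below uses constructed answers and no network; the zones nsrbl.example and timeout.example, the host spammy-offer.example, its name server, and the dnswl category value 5 are all made up for the example, and the IP 212.227.15.41 is the one from the report above. socket_resolver is a real stdlib-based resolver you can pass instead; it relies on getaddrinfo reporting NXDOMAIN as EAI_NONAME.

```python
"""DNSBL / DNSWL / NS-RHSBL lookups with the three outcomes kept apart.

Added example; not from the thread and not SpamAssassin code. The resolver
is injectable so the constructed answers at the bottom run offline.
"""
import ipaddress
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, List


class NotListed(Exception):
    """NXDOMAIN: the zone answered, and the key is absent (test ran, result negative)."""


class LookupFailed(Exception):
    """SERVFAIL, timeout or similar: no verdict was obtained (test effectively skipped)."""


Resolver = Callable[[str], List[str]]  # name -> A records, or raises one of the above


@dataclass
class Verdict:
    status: str                                      # LISTED, NOT_LISTED or LOOKUP_FAILED
    codes: List[str] = field(default_factory=list)   # 127.x.y.z answers when listed
    detail: str = ""


DNSWL_TRUST = {0: "none", 1: "low", 2: "medium", 3: "high"}  # dnswl.org's 4th octet


def reverse_name(ip: str, zone: str) -> str:
    """Query name for an IP-based list: reversed octets plus zone (IPv4 only here)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".")


def socket_resolver(name: str) -> List[str]:
    """Stdlib resolver that separates NXDOMAIN (EAI_NONAME) from other failures."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror as e:
        if e.errno == getattr(socket, "EAI_NONAME", None):
            raise NotListed(name) from e
        raise LookupFailed(f"{name}: {e}") from e


def describe_code(zone: str, code: str) -> str:
    """Decode a 127.x.y.z answer. dnswl.org returns 127.0.<category>.<trust>; other
    zones are reported raw (assumption: their code tables are out of scope here)."""
    a, b, c, d = (int(x) for x in code.split("."))
    if zone.rstrip(".") == "list.dnswl.org" and (a, b) == (127, 0):
        return f"{code} (dnswl trust={DNSWL_TRUST.get(d, 'unknown')}, category={c})"
    return f"{code} (listed)"


def classify(name: str, zone: str, resolve: Resolver) -> Verdict:
    """Run one query and map the answer to a Verdict."""
    try:
        codes = resolve(name)
    except NotListed:
        return Verdict("NOT_LISTED", detail=f"{name}: NXDOMAIN")
    except LookupFailed as e:
        return Verdict("LOOKUP_FAILED", detail=str(e))
    if not all(c.startswith("127.") for c in codes):
        # A non-127/8 answer is a wildcard/parked zone or a broken resolver, not a listing.
        return Verdict("LOOKUP_FAILED", codes, f"{name}: non-127/8 answer {codes}")
    return Verdict("LISTED", codes, "; ".join(describe_code(zone, c) for c in codes))


def check_ip(ip: str, zone: str, resolve: Resolver = socket_resolver) -> Verdict:
    """IP-based list lookup, the shape of SpamAssassin's RCVD_IN_* rules."""
    return classify(reverse_name(ip, zone), zone, resolve)


def check_ns_rhsbl(uri_host: str, zone: str, resolve_ns: Callable[[str], List[str]],
                   resolve: Resolver = socket_resolver) -> Verdict:
    """NS-based RHSBL in the spirit of urifullnsrhssub: take the NS hostnames of the
    URI's domain and look each up as <ns-host>.<zone>. The stdlib has no NS lookup,
    so resolve_ns is injected (dnspython in practice, a constructed map below)."""
    hits: List[str] = []
    for ns in resolve_ns(uri_host):
        v = classify(ns.rstrip(".") + "." + zone.rstrip("."), zone, resolve)
        if v.status == "LOOKUP_FAILED":
            return v                         # one failed lookup means no verdict
        hits.extend(v.codes)
    if hits:
        return Verdict("LISTED", hits, f"a name server of {uri_host} is listed")
    return Verdict("NOT_LISTED", detail=f"no name server of {uri_host} is listed")


# ---- constructed offline data (made up for this example, not real DNS answers) ----
FAKE_A: Dict[str, List[str]] = {
    "41.15.227.212.list.dnswl.org": ["127.0.5.1"],           # low trust, as in the report
    "ns1.cheap-registrar.example.nsrbl.example": ["127.0.0.2"],
}
FAKE_NS: Dict[str, List[str]] = {"spammy-offer.example": ["ns1.cheap-registrar.example."]}


def fake_resolver(name: str) -> List[str]:
    if name in FAKE_A:
        return FAKE_A[name]
    if name.endswith(".timeout.example"):
        raise LookupFailed(f"{name}: timed out")
    raise NotListed(name)
```

With fake_resolver, check_ip("212.227.15.41", "list.dnswl.org", ...) comes back LISTED with trust=low, the same IP against the constructed timeout.example zone comes back LOOKUP_FAILED, and any unlisted key comes back NOT_LISTED. That last distinction is the one a -D run has to settle: a rule that simply does not appear in the report can be either of the last two, and only a resolver-level view tells you which.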