I receive tons of ransomware from Google and MS Office365 IPs.

---PedroD

From: Bowie Bailey <bowie_bai...@buc.com>
To: users@spamassassin.apache.org
Sent: Friday, September 9, 2016 3:35 PM
Subject: Re: RCVD_IN_SORBS_SPAM and google IPs

On 9/9/2016 9:24 AM, li...@rhsoft.net wrote:
>
>
> On 09.09.2016 at 15:20, Bowie Bailey wrote:
>> On 9/8/2016 6:29 PM, RW wrote:
>>> On Thu, 8 Sep 2016 15:53:00 -0500 (CDT)
>>> Shane Williams wrote:
>>>>
>>>> I'm seeing google IP ranges hit the RCVD_IN_SORBS_SPAM rule, and in
>>>> digging deeper, I realize that there are zero hits on this rule for
>>>> the two weeks prior to Aug. 31, and now I'm seeing it thousands of
>>>> times per week (not just against google IPs).
>>>>
>>>> Was this rule added/changed/re-scored in a recent sa-update?
>>> It was commented out for a long time because it had a delisting fee,
>>> but was recently re-enabled.
>>>
>>> https://bz.apache.org/SpamAssassin/show_bug.cgi?id=2221#c16
>>
>> Granted, my system is fairly low volume, but out of over 15,000 messages
>> scanned, I have only seen 88 hits for SORBS rules in general and no hits
>> at all for RCVD_IN_SORBS_SPAM. If there's a problem, I'm not seeing it.
>
> depends just on luck
>
> * how many mails came from gmail, yahoo, gmx & friends
> * from which server did they come
>
> SORBS doesn't list gmail or other freemail providers as a whole, just
> the nodes which were recently abused by spammers and contacted
> honeypots or were reported repeatedly
>
> you can write exactly the same message to the same RCPT from a
> freemail provider within 5 seconds and they may hit completely
> different DNSBL/DNSWL listings

True, only 550 of my messages came from gmail or yahoo. But if Shane is seeing thousands of hits a week, I would expect to see a few -- particularly if there is any problem with the SORBS listings or the rule definition.

I'm not trying to draw any conclusion, I'm just providing another data point.

--
Bowie
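
The per-rule hit counts compared in this thread can be tallied by day from spamd's syslog output, which shows the date a rule such as RCVD_IN_SORBS_SPAM started firing and its hit rate against total scanned mail. This is an added example, not code from any poster in the thread; the log lines are constructed, and the `spamd: result:` line layout and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of spamd's "result:" syslog entries.
SAMPLE_LOG = """\
Aug 30 10:01:02 mx spamd[811]: spamd: result: . 1 - HTML_MESSAGE,SPF_PASS scantime=0.9,size=2100
Aug 30 11:14:40 mx spamd[811]: spamd: result: Y 9 - BAYES_99,RCVD_IN_SORBS_DUL scantime=1.1,size=5400
Aug 31 08:20:11 mx spamd[902]: spamd: result: . 2 - FREEMAIL_FROM,RCVD_IN_SORBS_SPAM scantime=1.0,size=1800
Aug 31 09:02:55 mx spamd[902]: spamd: result: . 0 - FREEMAIL_FROM,SPF_PASS scantime=0.8,size=1700
Sep  1 07:45:09 mx spamd[902]: spamd: result: Y 6 - RCVD_IN_SORBS_SPAM,RCVD_IN_SORBS_WEB scantime=1.3,size=9900
Sep  1 07:46:30 mx spamd[902]: spamd: result: . 1 - RCVD_IN_SORBS_SPAM scantime=0.7,size=1200
"""

# Captures the syslog day, the spam verdict, the score and the comma-separated tests.
RESULT_RE = re.compile(
    r"^(?P<day>\w{3}\s+\d+) .*spamd: result: (?P<verdict>[Y.]) +(?P<score>-?\d+)"
    r" - (?P<tests>\S*)\s+scantime="
)


def rule_hits_by_day(log_text, rule):
    """Return {day: (hits, scanned)} for one exact rule name, in log order."""
    stats = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        m = RESULT_RE.search(line)
        if not m:
            continue  # not a scan-result line
        day = " ".join(m["day"].split())  # "Sep  1" -> "Sep 1"
        stats[day][1] += 1
        # Split on commas so RCVD_IN_SORBS_SPAM is not confused with
        # RCVD_IN_SORBS_DUL or other rules sharing the same prefix.
        if rule in m["tests"].split(","):
            stats[day][0] += 1
    return {day: tuple(counts) for day, counts in stats.items()}


def first_hit_day(stats):
    """Return the first day on which the rule fired, or None."""
    for day, (hits, _scanned) in stats.items():
        if hits:
            return day
    return None


if __name__ == "__main__":
    stats = rule_hits_by_day(SAMPLE_LOG, "RCVD_IN_SORBS_SPAM")
    for day, (hits, scanned) in stats.items():
        print(f"{day}: {hits}/{scanned} messages hit")
    print("first hit:", first_hit_day(stats))
```
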