Mailing List Archive

why is RCVD_IN_NJABL_DIALUP score so high?
Hi,

I am living in Germany and all the dynamic IPs of the large ISP T-Online
seem to be listed in NJABL and SORBS as DIALUP ips. That's okay of course,
but I don't understand why the default score for that is so high:
score RCVD_IN_NJABL_DIALUP 0 0.525 0 3.536

And why only in combination with Bayes (i.e. the last score number)?

This results in lots of false positives on my system. :-(

I am tempted to change it to something like this:
score RCVD_IN_NJABL_DIALUP 0 0.525 0 1.0
but I assume there is a valid reason for 3.536.
Could some kind soul please try to explain this to me?

Thanks,
Andy.

--
o _ _ _
------- __o __o /\_ _ \\o (_)\__/o (_) -o)
----- _`\<,_ _`\<,_ _>(_) (_)/<_ \_| \ _|/' \/ /\\
---- (_)/ (_) (_)/ (_) (_) (_) (_) (_)' _\o_ _\_v
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Is a house without a toilet truly uncanny?
Re: why is RCVD_IN_NJABL_DIALUP score so high?
On Tue, Feb 03, 2004 at 10:44:03AM +0100, Andy Spiegl wrote:
> Hi,
>
> I am living in Germany and all the dynamic IPs of the large ISP
> T-Online seem to be listed in NJABL and SORBS as DIALUP ips. That's
> okay of course, but I don't understand why the default score for that
> is so high:
> score RCVD_IN_NJABL_DIALUP 0 0.525 0 3.536
>
> And why only in combination with Bayes (i.e. the last score number)?
>
> This results in lots of false positives on my system. :-(

We had to lower this rule's score here because it was catching our SMTP
AUTH'd clients' mail with our spam threshold at 6. Both this rule
and DYNABLOCK were firing on a significant portion of my SMTP AUTH'd
clients.

> I am tempted to change it to something like this:
> score RCVD_IN_NJABL_DIALUP 0 0.525 0 1.0
> but I assume there is a valid reason for 3.536.
> Could some kind soul please try to explain this to me?

The valid reason is probably that you can catch a lot of spam with just
the dial-up RBLs. I've had several slip through since I lowered the
scores.

--
Scott Lambert KC5MLE Unix SysAdmin
lambert@lambertfam.org
RE: why is RCVD_IN_NJABL_DIALUP score so high?
> -----Original Message-----
> From: Scott Lambert [mailto:lambert@lambertfam.org]
> Sent: Tuesday, February 03, 2004 8:32 AM
> To: spamassassin-users@incubator.apache.org
> Subject: Re: why is RCVD_IN_NJABL_DIALUP score so high?
>
>
> On Tue, Feb 03, 2004 at 10:44:03AM +0100, Andy Spiegl wrote:
> > Hi,
> >
> > I am living in Germany and all the dynamic IPs of the large ISP
> > T-Online seem to be listed in NJABL and SORBS as DIALUP ips. That's
> > okay of course, but I don't understand why the default score for that
> > is so high:
> > score RCVD_IN_NJABL_DIALUP 0 0.525 0 3.536
> >
> > And why only in combination with Bayes (i.e. the last score number)?
> >
> > This results in lots of false positives on my system. :-(
>
> We had to lower this rule's score here because it was catching our SMTP
> AUTH'd clients' mail with our spam threshold at 6. Both this rule
> and DYNABLOCK were firing on a significant portion of my SMTP AUTH'd
> clients.
>


Wouldn't SMTP AUTH'd direct connects to your mail server be a sort of
exception to the general rule? Would it be possible to add a check for
the SMTP auth connections (extracted from the Received headers at
your mail server's demarcation point), and throw in a large negative
score if you see that indication?
RE: why is RCVD_IN_NJABL_DIALUP score so high?
> From: Gary Funck [mailto:gary@intrepid.com]
> > From: Scott Lambert [mailto:lambert@lambertfam.org]
> > We had to lower this rule's score here because it was catching our SMTP
> > AUTH'd clients' mail with our spam threshold at 6. Both this rule
> > and DYNABLOCK were firing on a significant portion of my SMTP AUTH'd
> > clients.
> >
>
>
> Wouldn't SMTP AUTH'd direct connects to your mail server be a sort of
> exception to the general rule? Would it be possible to add a check for
> the SMTP auth connections (extracted from the Received headers at
> your mail server's demarcation point), and throw in a large negative
> score if you see that indication?

Or better, skip spamassassin processing altogether for SMTP AUTH connections
(if possible)
Re: why is RCVD_IN_NJABL_DIALUP score so high?
> Or better, skip spamassassin processing altogether for SMTP AUTH connections
> (if possible)
But _everyone_ using spamassassin in the whole world would have to do that.
Otherwise my and my users' mails get sorted out because they were sent from
a dial-up IP pool.

That's the point I don't understand about punishing dial-up connects.
Half the world connects to the internet using dial-up accounts! Okay,
lots of them are using webmailers, but everyone else who is using real mail
programs is being punished with this high score. Doesn't sound fair to me.

Or is there a way to avoid that the dynamic IP shows up in the received
lines? I'd be surprised...

Comments and suggestions more than welcome,
Andy.

PS: How come so many on this list use broken mailers which don't set the
reply-to header correctly? Most of the threads are split up which
makes the list pretty hard to read. :-(

--
o _ _ _
------- __o __o /\_ _ \\o (_)\__/o (_) -o)
----- _`\<,_ _`\<,_ _>(_) (_)/<_ \_| \ _|/' \/ /\\
---- (_)/ (_) (_)/ (_) (_) (_) (_) (_)' _\o_ _\_v
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Thousands of years ago, cats were worshipped as gods.
Cats have never forgotten this." - Anonymous
Re: why is RCVD_IN_NJABL_DIALUP score so high?
On Tue, Feb 03, 2004 at 10:18:32PM +0100, Andy Spiegl wrote:
> > Or better, skip spamassassin processing altogether for SMTP AUTH
> > connections (if possible)
>
> But _everyone_ using spamassassin in the whole world would have to do
> that. Otherwise my and my users mails get sorted out because they
> were sent from a dial-up IP pool.

These rules aren't supposed to fire if the dialup was the first hop and
not the hop that was talking to your "trusted" mail server which is
running spamassassin.

> That's the point I don't understand about punishing dial-up connects.
> Half the world connects to the internet using dial-up accounts! Okay,
> lots of them are using webmailers, but everyone else who is using real
> mail programs is being punished with this high score. Doesn't sound
> fair to me.

Only a problem for dialups sending directly to the scanning server's
trusted hosts. This is as it should be. It's just hard to get around
for those of us using SMTP AUTH and running SpamAssassin from procmail.

> Or is there a way to avoid that the dynamic IP shows up in the
> received lines? I'd be surprised...
>
> Comments and suggestions more than welcome,
> Andy.
>
> PS: How come so many on this list use broken mailers which don't set the
> reply-to header correctly? Most of the threads are split up which
> makes the list pretty hard to read. :-(

You mean in-reply-to? It's the people who start a new thread by
replying to an existing post rather than retype the list's address and
fail to remove the references and in-reply-to headers.

--
Scott Lambert KC5MLE Unix SysAdmin
lambert@lambertfam.org
Re: why is RCVD_IN_NJABL_DIALUP score so high?
At 02:36 PM 2/3/2004, Scott Lambert wrote:
>These rules aren't supposed to fire if the dialup was the first hop and
>not the hop that was talking to your "trusted" mail server which is
>running spamassassin.

Wasn't there a bug that caused them to fire anyway? Or was that fixed in 2.63?

Kelson Vibber
SpeedGate Communications <www.speed.net>
Re: why is RCVD_IN_NJABL_DIALUP score so high?
> > That's the point I don't understand about punishing dial-up connects.
> > Half the world connects to the internet using dial-up accounts! Okay,
> > lots of them are using webmailers, but everyone else who is using real
> > mail programs is being punished with this high score. Doesn't sound
> > fair to me.
>
> Only a problem for dialups sending directly to the scanning server's
> trusted hosts. This is as it should be. It's just hard to get around
> for those of us using SMTP AUTH and running SpamAssassin from procmail.

We've been battling with this very issue of avoiding false hits for valid
users of the server who send mail to other users on the same server from
their local computer (Since the header only shows one hop from their local
computer, the same as a spammer who may have done this from their computer
directly). We also use procmail for spamc/d and sendmail (for us POP
before SMTP authentication via access.db).

One idea we had, but we are not sure how to implement it, is to alter the
header sendmail creates to include a unique text entry if sendmail knows
the sender is a valid user of the system, and then score this unique text
with a negative score in spamassassin. This was posted a bit ago as a
solution for someone using SMTP_AUTH, but we're trying to see how it could
work in sendmail with authenticating via the access.db file as well.

Thoughts/opinions?

Rob M.
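The two mechanisms this thread circles around, Scott's point that the dialup lists are only meant to be tested against the hop that actually spoke to your trusted server, and Gary's and Rob's idea of recognising an SMTP AUTH marker in that hop's Received line, can be shown with a small model. This is an added example, not code from SpamAssassin or from anyone in the thread. It walks the Received: headers newest-first, skips every hop whose sending IP is inside a trusted_networks-style list, and tests only the first hop outside it. The CIDR blocks standing in for the trusted networks and for the DNSBL answer set, the sample headers, and the "(authenticated bits=N)" comment (sendmail's AUTH annotation) are all constructed or assumed for the example.

```python
"""Added example: which Received: hop does a dialup list get tested against?
Hops whose sending IP is in TRUSTED_NETWORKS are skipped; the first hop
outside it (the 'last external' relay) is the only one checked. A dialup
address that is merely the first hop behind someone else's MX is never
tested; a dialup box talking straight to our MX is. The AUTH marker check
is the idea raised in the thread, not a SpamAssassin 2.6x feature.
"""
import ipaddress
import re

# Our own MX and loopback (RFC 5737 documentation range, constructed).
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24"),
                    ipaddress.ip_network("127.0.0.0/8")]
# Stand-in for the dialup DNSBL's listed range; a real check would query DNS.
DIALUP_POOL = [ipaddress.ip_network("198.51.100.0/24")]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# sendmail writes "(authenticated bits=N)"; Postfix "(Authenticated sender: ...)".
AUTH_RE = re.compile(r"\(authenticated bits=\d+\)|\(Authenticated sender:", re.I)


def received_headers(raw):
    """Bodies of all Received: headers, newest first, folded lines joined."""
    found, current = [], None
    for line in raw.splitlines():
        if not line.strip():
            break                      # blank line ends the header block
        if line[:1] in " \t":          # continuation of the current header
            if current is not None:
                current[1] += " " + line.strip()
            continue
        if current is not None and current[0] == "received":
            found.append(current[1])
        name, _, value = line.partition(":")
        current = [name.strip().lower(), value.strip()]
    if current is not None and current[0] == "received":
        found.append(current[1])
    return found


def sending_ip(hdr):
    """IP in the 'from' clause (the client that connected to the 'by' host)."""
    m = IP_RE.search(hdr.split(" by ", 1)[0])
    return ipaddress.ip_address(m.group(1)) if m else None


def last_external_hop(received):
    """First hop from the top whose sender is outside TRUSTED_NETWORKS,
    as (ip, header); (None, None) if the whole path stayed trusted."""
    for hdr in received:
        ip = sending_ip(hdr)
        if ip is None or any(ip in net for net in TRUSTED_NETWORKS):
            continue
        return ip, hdr
    return None, None


def dialup_verdict(raw):
    """'hit' / 'clean' for the last external hop, 'skip-authenticated' if
    our server recorded SMTP AUTH for it, 'skip-trusted-path' otherwise."""
    ip, hdr = last_external_hop(received_headers(raw))
    if ip is None:
        return "skip-trusted-path"
    if AUTH_RE.search(hdr):
        return "skip-authenticated"
    if any(ip in net for net in DIALUP_POOL):
        return "hit"
    return "clean"


# Constructed samples. Our MX is mx.example.org in 192.0.2.0/24.
VIA_ISP_MX = """Received: from mail.isp.example (mail.isp.example [203.0.113.5])
\tby mx.example.org (8.12.11/8.12.11) with ESMTP id i13Jk000
Received: from pc (dsl-77.pool.isp.example [198.51.100.77])
\tby mail.isp.example with SMTP id 42
From: andy@example.net

dialup is only the first hop; the ISP's MX handed the mail to us
"""
DIRECT_DIALUP = """Received: from pc (dsl-77.pool.isp.example [198.51.100.77])
\tby mx.example.org (8.12.11/8.12.11) with SMTP id i13Jk001
From: someone@example.net

dialup box speaking straight to our MX, no AUTH
"""
DIRECT_AUTHED = """Received: from laptop (dsl-77.pool.isp.example [198.51.100.77])
\t(authenticated bits=0)
\tby mx.example.org (8.12.11/8.12.11) with ESMTP id i13Jk002
From: user@example.org

same dialup box, but it used SMTP AUTH to our MX
"""
LOCAL_ONLY = """Received: from localhost (localhost [127.0.0.1])
\tby mx.example.org (8.12.11/8.12.11) with ESMTP id i13Jk003
From: root@example.org

submitted on the box itself
"""

if __name__ == "__main__":
    for name, msg in [("via ISP MX", VIA_ISP_MX), ("direct dialup", DIRECT_DIALUP),
                      ("direct + AUTH", DIRECT_AUTHED), ("local only", LOCAL_ONLY)]:
        print(f"{name:14s} -> {dialup_verdict(msg)}")
```

The first sample is Andy's situation: his dialup address appears in the headers, but the hop our server actually accepted mail from is his ISP's MX, so the dialup list is never consulted for it. The second and third samples differ only by the AUTH comment the receiving MTA wrote into its own Received line, which is what makes it usable as evidence: it was added by a host we trust, not by the client. The model only does what the thread describes; it does not implement SpamAssassin's own Received parser, and in a procmail setup the scanning host still has to be told its trusted networks for the walk to start in the right place.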
Re: why is RCVD_IN_NJABL_DIALUP score so high?
Hi Scott,

thanks for the explanation!

> These rules aren't supposed to fire if the dialup was the first hop and
> not the hop that was talking to your "trusted" mail server which is
> running spamassassin.
Ah, that sounds very reasonable and explains a lot.
I always tested on my local host. Just did a test on the mailserver and
whoopie spamassassin doesn't complain about the dialup there. Great!

> > PS: How come so many on this list use broken mailers which don't set the
> > reply-to header correctly? Most of the threads are split up which
> > makes the list pretty hard to read. :-(
>
> You mean in-reply-to?
Yep, sorry, typo.

> It's the people who start a new thread by replying to an existing post
> rather than retype the list's address and fail to remove the references
> and in-reply-to headers.
No, what I meant is that the in-reply-to header is missing. For example
look at the thread "RE: Mr Wiggly has changed". I think the problem is
Outlook Express because I see a lot of
X-Mailer: Internet Mail Service (5.5.2653.19)
and am wondering why in the world spam/security-aware people would be using
MS LookOut? ;-)

Thanks,
Andy.

--
o _ _ _
------- __o __o /\_ _ \\o (_)\__/o (_) -o)
----- _`\<,_ _`\<,_ _>(_) (_)/<_ \_| \ _|/' \/ /\\
---- (_)/ (_) (_)/ (_) (_) (_) (_) (_)' _\o_ _\_v
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"C makes it easy to shoot yourself in the foot, C++ makes it harder,
but when you do, it blows away your whole leg." -- Bjarne Stroustrup