Mailing List Archive

Re: Hostkarma Blacklist Climbing the Charts [ In reply to ]
Hi!

>> header RCVD_IN_JMF_W eval:check_rbl_sub('JMF-lastexternal', '127.0.0.1')
>> describe RCVD_IN_JMF_W Sender listed in JMF-WHITE
>> tflags RCVD_IN_JMF_W net nice
>> score RCVD_IN_JMF_W -5

> Hopefully my comment isn't out of place with the current discussion of
> JMF/Hostkarma. I think this is not only a really bad default score,
> but it should be reduced to -0.5 or perhaps not used at all.
>
> I have a money/fraud email that hit RCVD_IN_JMF_W that passed through
> these servers:
>
> Received: from 41.220.75.3
> Received: from webmail.stu.qmul.ac.uk (138.37.100.37) by mercury.stu.qmul.ac.uk
> Received: from qmwmail2.stu.qmul.ac.uk ([138.37.100.210]
> Received: from mail2.qmul.ac.uk (mail2.qmul.ac.uk [138.37.6.6])
>
> It also hit these other rules:
>
> X-Spam-Status: No, hits=1.3 tagged_above=-300.0 required=5.0 use_bayes=1
> tests=AE_GBP, BAYES_50, LOTS_OF_MONEY, LOTTERY_PH_004470,
> LOTTO_RELATED, MONEY_TO_NO_R, RCVD_IN_DNSWL_MED, RCVD_IN_JMF_W,
> RELAYCOUNTRY_UK, SPF_FAIL, SPF_HELO_FAIL
>
> Unless I'm really missing something, which server has JMF/Hostkarma
> whitelisted that shouldn't be?

You are not missing anything. It's my point also.

Bye,
Raymond.
Re: Hostkarma Blacklist Climbing the Charts [ In reply to ]
Hi!

>> Ouch, from your point of view it might be fine, but we see strange stuff
>> with DNSWL already; I certainly would not use this to shortcircuit
>> things.

> What exactly is the strange stuff you see with DNSWL?
>
> Granted, I'm not processing millions of messages, only tens of thousands,
> but I'm not seeing anything fuzzy. I basically shortcircuit on DNSWL_MED and
> DNSWL_HI, when there aren't any suspicious rules hit (ClamAV/Sanesecurity,
> relay from africa, bayes over 60 etc). The FP rate is abysmally low.

The regular things: whitelisted servers sending spam. So shortcircuiting
isn't an option for those, and it's also not what DNSWL is about. They WL
sender mailservers, which could be an ISP also. You don't want to
shortcircuit them and say "hey, someone put it on his whitelist, feel free
to spam me."

Bye,
Raymond.
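The X-Spam-Status header quoted earlier in the thread and the "shortcircuit on DNSWL_MED/HI unless something suspicious hit" policy described in the quoted reply above, worked through in code. This is an added example, not code from the thread, SpamAssassin or Hostkarma: it parses the header as quoted, recomputes the total with an alternative RCVD_IN_JMF_W score (the thread's -5, -0.5, -0.2 and "not used at all"), and models the short-circuit guard. The BAYES_* names are SpamAssassin's own rule names; CLAMAV_HIT and SANESECURITY_HIT are hypothetical placeholders for the AV hits the poster mentions.

```python
import re

# Constructed sample: the X-Spam-Status header quoted in the thread, joined
# onto one line (in a real message it is a folded header).
SAMPLE_HEADER = (
    "X-Spam-Status: No, hits=1.3 tagged_above=-300.0 required=5.0 use_bayes=1 "
    "tests=AE_GBP, BAYES_50, LOTS_OF_MONEY, LOTTERY_PH_004470, "
    "LOTTO_RELATED, MONEY_TO_NO_R, RCVD_IN_DNSWL_MED, RCVD_IN_JMF_W, "
    "RELAYCOUNTRY_UK, SPF_FAIL, SPF_HELO_FAIL"
)

# Rules that veto a DNSWL-based short-circuit, modelled on the criteria the
# poster lists (AV/Sanesecurity signatures, Bayes above 60). BAYES_* are real
# SpamAssassin rule names; the two *_HIT names are hypothetical placeholders.
DEFAULT_VETO = {"CLAMAV_HIT", "SANESECURITY_HIT",
                "BAYES_60", "BAYES_80", "BAYES_95", "BAYES_99"}


def parse_spam_status(header):
    """Parse an amavisd-style X-Spam-Status header into verdict, hits, threshold, tests."""
    _, _, body = header.partition(":")
    verdict, _, rest = body.strip().partition(",")
    hits = float(re.search(r"\bhits=(-?[\d.]+)", rest).group(1))
    required = float(re.search(r"\brequired=(-?[\d.]+)", rest).group(1))
    tests_blob = re.search(r"\btests=(.*)$", rest, re.S).group(1)
    tests = [t.strip() for t in tests_blob.split(",") if t.strip()]
    return {"verdict": verdict.strip(), "hits": hits,
            "required": required, "tests": tests}


def rescore(info, rule, old_score, new_score):
    """Total the message would have scored had `rule` carried new_score
    instead of old_score; every other rule's score stays as it was."""
    if rule not in info["tests"]:
        return info["hits"]
    return round(info["hits"] - old_score + new_score, 1)


def would_be_tagged(hits, required):
    """SpamAssassin tags a message as spam when hits >= required_score."""
    return hits >= required


def shortcircuit_allowed(tests, veto=DEFAULT_VETO):
    """Model of the policy described in the thread: skip the remaining checks
    as presumed ham when DNSWL_MED/HI hit and nothing in `veto` hit."""
    hit = set(tests)
    if not hit & {"RCVD_IN_DNSWL_MED", "RCVD_IN_DNSWL_HI"}:
        return False
    return not (hit & veto)


if __name__ == "__main__":
    info = parse_spam_status(SAMPLE_HEADER)
    for score in (-5.0, -0.5, -0.2, 0.0):
        total = rescore(info, "RCVD_IN_JMF_W", -5.0, score)
        print(f"RCVD_IN_JMF_W={score:+.1f}: hits={total} "
              f"tagged={would_be_tagged(total, info['required'])}")
    print("short-circuit, default veto:", shortcircuit_allowed(info["tests"]))
    print("short-circuit, SPF_FAIL vetoing:",
          shortcircuit_allowed(info["tests"], DEFAULT_VETO | {"SPF_FAIL"}))
```

With the -5 default the quoted message scores 1.3 and is delivered; at -0.5 the same message would score 5.8 and be tagged, which is the arithmetic behind the suggestion in the thread. The guard shows the other point: because only BAYES_50 hit and the veto set does not include SPF_FAIL, a DNSWL_MED short-circuit would have let this message skip the remaining checks entirely; adding SPF_FAIL to the veto set is what stops it.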
Re: Hostkarma Blacklist Climbing the Charts [ In reply to ]
Marc Perkel wrote:
> My NoBL list is similar to yellow except that you can skip black list
> lookup but maybe might be whitelisted somewhere.

I keep seeing IPs that are on both the NoBL *and* the blacklist. An
example of this is 89.206.179.213. That IP currently returns 127.0.0.2
(blacklisted) and 127.0.0.5 (NoBL listed). Can you make sense of this
entry?

--Blaine
Re: Hostkarma Blacklist Climbing the Charts [ In reply to ]
On Tue, Sep 29, 2009 at 10:05:57AM +0200, Raymond Dijkxhoorn wrote:
> Hi!
>
>>> Ouch, from your point of view it might be fine, but we see strange stuff
>>> with DNSWL already; I certainly would not use this to shortcircuit
>>> things.
>
>> What exactly is the strange stuff you see with DNSWL?
>>
>> Granted, I'm not processing millions of messages, only tens of thousands,
>> but I'm not seeing anything fuzzy. I basically shortcircuit on DNSWL_MED and
>> DNSWL_HI, when there aren't any suspicious rules hit (ClamAV/Sanesecurity,
>> relay from africa, bayes over 60 etc). The FP rate is abysmally low.
>
> The regular things: whitelisted servers sending spam. So
> shortcircuiting isn't an option for those, and it's also not what DNSWL is
> about. They WL sender mailservers, which could be an ISP also. You don't
> want to shortcircuit them and say "hey, someone put it on his whitelist,
> feel free to spam me."

Bad big mailservers sending mixed stuff are not supposed to be on MED/HI
lists. If they are, you are supposed to report it. So I kind of disagree
with you. I would imagine most people see <0.5% FP rates, even without any
further meta checks.
Re: Hostkarma Blacklist Climbing the Charts [ In reply to ]
On 29/09/2009 05:27, MySQL Student wrote:

>> header RCVD_IN_JMF_W eval:check_rbl_sub('JMF-lastexternal', '127.0.0.1')
>> describe RCVD_IN_JMF_W Sender listed in JMF-WHITE
>> tflags RCVD_IN_JMF_W net nice
>> score RCVD_IN_JMF_W -5
>
> Hopefully my comment isn't out of place with the current discussion of
> JMF/Hostkarma. I think this is not only a really bad default score,
> but it should be reduced to -0.5 or perhaps not used at all.
>
> I have a money/fraud email that hit RCVD_IN_JMF_W that passed through
> these servers:
>
> Received: from 41.220.75.3
> Received: from webmail.stu.qmul.ac.uk (138.37.100.37) by mercury.stu.qmul.ac.uk
> Received: from qmwmail2.stu.qmul.ac.uk ([138.37.100.210]
> Received: from mail2.qmul.ac.uk (mail2.qmul.ac.uk [138.37.6.6])
>
> It also hit these other rules:
>
> X-Spam-Status: No, hits=1.3 tagged_above=-300.0 required=5.0 use_bayes=1
> tests=AE_GBP, BAYES_50, LOTS_OF_MONEY, LOTTERY_PH_004470,
> LOTTO_RELATED, MONEY_TO_NO_R, RCVD_IN_DNSWL_MED, RCVD_IN_JMF_W,
> RELAYCOUNTRY_UK, SPF_FAIL, SPF_HELO_FAIL
>
> Unless I'm really missing something, which server has JMF/Hostkarma
> whitelisted that shouldn't be?
>
> This happens time after time.

I receive spam every single day from hosts listed on the HostKarma
whitelist. In comparison, it's very rare that I see any spam from hosts
listed on dnswl.org. I chose a score of -0.2 here.

--
Mike Cardwell - IT Consultant and LAMP developer
Cardwell IT Ltd. (UK Reg'd Company #06920226) http://cardwellit.com/
Re: Hostkarma Blacklist Climbing the Charts [ In reply to ]
MySQL Student wrote:
> Hi,
>
> Hopefully my comment isn't out of place with the current discussion of
> JMF/Hostkarma. I think this is not only a really bad default score,
> but it should be reduced to -0.5 or perhaps not used at all.
>
> I have a money/fraud email that hit RCVD_IN_JMF_W that passed through
> these servers:
>
> Received: from 41.220.75.3
> Received: from webmail.stu.qmul.ac.uk (138.37.100.37) by mercury.stu.qmul.ac.uk
> Received: from qmwmail2.stu.qmul.ac.uk ([138.37.100.210]
> Received: from mail2.qmul.ac.uk (mail2.qmul.ac.uk [138.37.6.6])
>
> It also hit these other rules:
>
> X-Spam-Status: No, hits=1.3 tagged_above=-300.0 required=5.0 use_bayes=1
> tests=AE_GBP, BAYES_50, LOTS_OF_MONEY, LOTTERY_PH_004470,
> LOTTO_RELATED, MONEY_TO_NO_R, RCVD_IN_DNSWL_MED, RCVD_IN_JMF_W,
> RELAYCOUNTRY_UK, SPF_FAIL, SPF_HELO_FAIL
>
> Unless I'm really missing something, which server has JMF/Hostkarma
> whitelisted that shouldn't be?
>
> This happens time after time.
>
>

Yep, this isn't a perfect list. However, if I got some good feedback on
this I could weed out the whitelist and get it more accurate. There
are also a lot of hosts I could include with more data.
Re: Hostkarma Blacklist Climbing the Charts [ In reply to ]
Blaine Fleming wrote:
> Marc Perkel wrote:
>> My NoBL list is similar to yellow except that you can skip black list
>> lookup but maybe might be whitelisted somewhere.
>
> I keep seeing IPs that are on both the NoBL *and* the blacklist. An
> example of this is 89.206.179.213. That IP currently returns 127.0.0.2
> (blacklisted) and 127.0.0.5 (NoBL listed). Can you make sense of this
> entry?
>
> --Blaine

That would be a bug in my system. I'll need to look into that.
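The contradictory answer Blaine reports above (127.0.0.2 and 127.0.0.5 for the same IP), together with Marc's description of NoBL as "skip the blacklist lookup", is the kind of multi-record DNSBL response a client has to interpret defensively. The following is an added example, not Hostkarma's or SpamAssassin's code: it builds the reversed-octet query name, maps the return codes the thread gives (127.0.0.1 white, 127.0.0.2 black, 127.0.0.5 NoBL) to list memberships, and treats a self-contradicting answer as "inconsistent" rather than as a whitelist hit. The zone name `dnsbl.example`, the `SAMPLE_ANSWERS` table and the 192.0.2.x addresses are constructed stand-ins; no DNS is queried.

```python
import ipaddress

# Return codes as given in the thread. Any other A record is reported as
# unknown rather than guessed at.
CODES = {"127.0.0.1": "white", "127.0.0.2": "black", "127.0.0.5": "nobl"}

# Placeholder zone; the real list's zone name is not given on the page.
ZONE = "dnsbl.example"


def query_name(ip, zone=ZONE):
    """Build the reversed-octet DNSBL query name for an IPv4 address."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def classify(records):
    """Map the A records returned for one query to list memberships and flag
    an answer that contradicts itself (black together with white or NoBL)."""
    labels = {CODES.get(r, f"unknown:{r}") for r in records}
    conflict = "black" in labels and bool(labels & {"white", "nobl"})
    return {"labels": sorted(labels), "conflict": conflict}


def decide(records):
    """Defender's policy: an inconsistent answer is treated as no answer and
    surfaced for reporting to the list operator, never as a whitelist hit.
    Black wins over white/NoBL so a listing cannot be neutralised by a
    stray positive code."""
    result = classify(records)
    if result["conflict"]:
        return "inconsistent"
    for label in ("black", "white", "nobl"):
        if label in result["labels"]:
            return label
    return "unlisted"


# Constructed lookup results keyed by query name; a real client would resolve
# these with DNS. The 89.206.179.213 entry reproduces the answer Blaine reports.
SAMPLE_ANSWERS = {
    query_name("89.206.179.213"): {"127.0.0.2", "127.0.0.5"},
    query_name("192.0.2.10"): {"127.0.0.1"},
    query_name("192.0.2.11"): set(),
}


def lookup(ip, answers=SAMPLE_ANSWERS):
    """Resolve an IP against the constructed answer table and decide."""
    return decide(answers.get(query_name(ip), set()))


if __name__ == "__main__":
    for ip in ("89.206.179.213", "192.0.2.10", "192.0.2.11"):
        print(ip, query_name(ip), lookup(ip))
```

Run stand-alone it prints the query name and decision for each sample address; the 89.206.179.213 case comes back "inconsistent", which is the entry a scoring rule should neither whitelist nor silently trust until the list operator has fixed it.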
Re: Hostkarma Blacklist Climbing the Charts [ In reply to ]
On 09/29/2009 12:27 AM, MySQL Student wrote:
> Hi,
>
>> header RCVD_IN_JMF_W eval:check_rbl_sub('JMF-lastexternal', '127.0.0.1')
>> describe RCVD_IN_JMF_W Sender listed in JMF-WHITE
>> tflags RCVD_IN_JMF_W net nice
>> score RCVD_IN_JMF_W -5
>
> Hopefully my comment isn't out of place with the current discussion of
> JMF/Hostkarma. I think this is not only a really bad default score,
> but it should be reduced to -0.5 or perhaps not used at all.

I believe SpamAssassin does not assign any negative score to any
whitelist by default, precisely for good reason.

USER_IN_DEF_DKIM_WL has the score -7.50 because it is a lot more certain
than a mere whitelist, having done cryptographic checking of the DKIM
signature to verify that the domain is both a known non-spammer and
not spoofed.

Warren Togami
wtogami@redhat.com
Re: Hostkarma Blacklist Climbing the Charts [ In reply to ]
On Tue 29 Sep 2009 17:37:20 CEST, Warren Togami wrote
> On 09/29/2009 12:27 AM, MySQL Student wrote:
>>> header RCVD_IN_JMF_W eval:check_rbl_sub('JMF-lastexternal', '127.0.0.1')

This one could be changed to a trusted variant for testing on local
trusted_networks.

So change lastexternal to firsttrusted, and if one wants to, please add
it to masscheck; if it's not possible to test it, drop it :)

--
xpoint
