Mailing List Archive

Bad entries in HOSTKARMA_W
I have generally been a fan of the HOSTKARMA DNSBL over the long term.
Fuzzy memory is that the operator was responsive and reasonable.

Long ago (2014) I complained somewhat generally about spamassassin's
DNSBL inclusion policy, and was (quite reasonably) asked for specifics.

This report is technically off base, because it's about
RCVD_IN_HOSTKARMA_W which is in KAM but not the standard rules. But I
think whether HOSTKARMA_W is ok is of broad interest to SA users.

I got spam with a received line:

Received: from mx31.a.outbound.createsend.com (mx31.a.outbound.createsend.com [203.55.21.31])

which is indeed on Hostkarma white. The mail has the flavor of
pretending to be legit, but it's an ad for a book from someone who
writes Dear Friend, and I don't know them.

I found

http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists

but I cannot find a way to report IP addresses that are incorrectly
whitelisted.

In the meantime I've set the score to -1. While there is likely a very
large fraction of ham coming from the listed addresses, I'm not
comfortable with -2.5 points for lists that contain spamming IP
addresses.

It looks like the KAM ruleset already has the notion of undoing the
HOSTKARMA_W score if the address is also in a blocklist -- which makes
me think that my problem is not wicked unusual.

Looking up this IP address:

http://multirbl.valli.org/lookup/203.55.21.31.html

I see 14 blocks, and only hostkarma and abusix are positive.

So I'm curious:

Is there any documented/discoverable way to report that spam was
received from an address in HOSTKARMA_W?

Opinions on recommendations to rescore it to some value less negative
than the KAM-default -2.5?

Am I missing something?

Thanks,
Greg
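
The rescoring discussed in this thread, written out as a SpamAssassin configuration fragment. This is an added example, not part of the original post and not taken from the KAM ruleset: the meta rule name `LOCAL_HOSTKARMA_W_LISTED` is hypothetical, and the blocklist rule names are assumed to be the stock SpamAssassin ones and to be enabled.

```conf
# Site configuration (for example local.cf); added example.
# These lines must be read after the ruleset that defines
# RCVD_IN_HOSTKARMA_W, since the last "score" line for a rule wins.

# Reduce the whitelist credit from the KAM default of -2.5.
score    RCVD_IN_HOSTKARMA_W  -1.0

# Hypothetical local meta rule: true when the relay hit the Hostkarma
# whitelist and at least one blocklist rule on the same message.
# Blocklist rule names are assumed from the stock ruleset.
meta     LOCAL_HOSTKARMA_W_LISTED  RCVD_IN_HOSTKARMA_W && (RCVD_IN_XBL || RCVD_IN_SBL || RCVD_IN_BL_SPAMCOP_NET || RCVD_IN_PSBL)
describe LOCAL_HOSTKARMA_W_LISTED  Hostkarma-whitelisted relay is also on a blocklist

# Equal and opposite to the score above: net whitelist credit becomes 0,
# while the blocklist rules still contribute their own scores.
score    LOCAL_HOSTKARMA_W_LISTED  1.0

# Check the syntax with:  spamassassin --lint
```

If the ruleset in use already has its own rule that undoes the whitelist score, the two adjustments add up, so check the total on a test message before deploying.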
Re: Bad entries in HOSTKARMA_W
My guess is if you contact the admin of hostkarma directly and offer to
host a honeypot he might take you up on it. But that still won't give
you the ability to change anything in the database.

I cannot imagine trusting a RBL that allowed any humans to blacklist
something. Whitelisting is different - you cannot trust the computer
to get it right all the time and there's going to always be IPs BLed
that shouldn't be. But allowing people to BL stuff is just opening the
door for attackers to target or retaliate against hosts.

Ted

On 4/27/2021 3:55 PM, Greg Troxel wrote:
>
> I have generally been a fan of the HOSTKARMA DNSBL over the long term.
> Fuzzy memory is that the operator was responsive and reasonable.
>
> Long ago (2014) I complained somewhat generally about spamassassin's
> DNSBL inclusion policy, and was (quite reasonably) asked for specifics.
>
> This report is technically off base, because it's about
> RCVD_IN_HOSTKARMA_W which is in KAM but not the standard rules. But I
> think whether HOSTKARMA_W is ok is of broad interest to SA users.
>
> I got spam with a received line:
>
> Received: from mx31.a.outbound.createsend.com (mx31.a.outbound.createsend.com [203.55.21.31])
>
> which is indeed on Hostkarma white. The mail has the flavor of
> pretending to be legit, but it's an ad for a book from someone who
> writes Dear Friend, and I don't know them.
>
> I found
>
> http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists
>
> but I cannot find a way to report IP addresses that are incorrectly
> whitelisted.
>
> In the meantime I've set the score to -1. While there is likely a very
> large fraction of ham coming from the listed addresses, I'm not
> comfortable with -2.5 points for lists that contain spamming IP
> addresses.
>
> It looks like the KAM ruleset already has the notion of undoing the
> HOSTKARMA_W score if the address is also in a blocklist -- which makes
> me think that my problem is not wicked unusual.
>
> Looking up this IP address:
>
> http://multirbl.valli.org/lookup/203.55.21.31.html
>
> I see 14 blocks, and only hostkarma and abusix are positive.
>
> So I'm curious:
>
> Is there any documented/discoverable way to report that spam was
> received from an address in HOSTKARMA_W?
>
> Opinions on recommendations to rescore it to some value less negative
> than the KAM-default -2.5?
>
> Am I missing something?
>
> Thanks,
> Greg
Re: Bad entries in HOSTKARMA_W
On Tue, 27 Apr 2021, Ted Mittelstaedt wrote:

> My guess is if you contact the admin of hostkarma directly and offer to host
> a honeypot he might take you up on it. But that still won't give you the
> ability to change anything in the database.
>
> I cannot imagine trusting a RBL that allowed any humans to blacklist
> something. Whitelisting is different - you cannot trust the computer
> to get it right all the time and there's going to always be IPs BLed
> that shouldn't be. But allowing people to BL stuff is just opening the
> door for attackers to target or retaliate against hosts.

IIRC the Hostkarma list is fed by people pointing a backup MX DNS host
record at *their* MTAs so that they can analyze the traffic and harvest
the spammers doing "use backup MX to avoid filtering on the primary MX". I
clearly recall being surprised that Marc assumed people would be willing
to do that with their email.

Sherman, set the wayback machine for (goodness) 2009...

Marc Perkel wrote:
> No list is perfect. Thanks for reporting it. Although I try to get
> everything right there will always be mistakes. Sometimes I do get to
> leaning white because false positives are 100 times worse than a few
> spams getting through. Probably what happened with that is that the
> sender does a pretty good job of stopping spam and after we get 25
> good emails and no spam they get white listed. So what a spam sneaks
> through is gets past.
...
> errors@junkemailfilter.com will work.

If that's still the way it works, then reducing the score to -1.0 or even
-0.5 sounds reasonable. There were a lot of "I did that too" comments back
then.

Maybe the way it works has changed since Marc died.


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Men, it has been well said, think in herds; it will be seen that
they go mad in herds, while they only recover their senses slowly,
and one by one. -- Charles MacKay, 1852
-----------------------------------------------------------------------
4 days until May Day - Remember 110 million people murdered by Communism
Re: Bad entries in HOSTKARMA_W
On Tue, 27 Apr 2021 19:42:22 -0700 (PDT)
John Hardin wrote:

> IIRC the Hostkarma list is fed by people pointing a backup MX DNS
> host record at *their* MTAs so that they can analyze the traffic and
> harvest the spammers doing "use backup MX to avoid filtering on the
> primary MX". I clearly recall being surprised that Marc assumed
> people would be willing to do that with their email.

I don't think that had anything to do with the whitelist.