Mailing List Archive

CVD_IN_DNSWL_HI ?
I am getting tons of emails that are very obviously spam (elongation, russian beauties, etc) that are getting a -5 score added on the white list test:

CVD_IN_DNSWL_HIRBL: Sender listed at https://www.dnswl.org/, high trust

I'm curious about the usefulness of a white list that spammers have obviously been able to defeat.
And with the -5.0 score added (subtracted) in to the total, there's almost no chance for other tests to overcome it with 10 points to get the score to 5.0

What is the easiest way to disable this 'trusted white list' tester that is sabotaging so many of my spam scores?
CVD_IN_DNSWL_HI ?
I am getting tons of emails that are very obviously spam (elongation
rituals, russian beauties, etc) that are getting a -5 score added on the
white list test:

CVD_IN_DNSWL_HIRBL: Sender listed at https://www.dnswl.org/, high trust

I'm curious about the usefulness of a white list that so many spammers
have obviously been able to figure out a way to defeat. And with the
-5.0 score added (subtracted) in to the total, there's almost no chance
for other tests to overcome it with +10 points to get the score back up
to a 5.0

What is the easiest way to disable this 'trusted white list' tester?
Re: CVD_IN_DNSWL_HI ?
On Mon, 11 Oct 2021, Jerry Malcolm wrote:

>
> I am getting tons of emails that are very obviously spam (elongation, russian beauties, etc) that are getting a -5 score added on the white list test:
>
> CVD_IN_DNSWL_HIRBL: Sender listed at https://www.dnswl.org/, high trust
>
> I'm curious about the usefulness of a white list that spammers have obviously been able to defeat.
> And with the -5.0 score added (subtracted) in to the total, there's almost no chance for other tests to overcome it with 10 points to get the score
> to 5.0
>
> What is the easiest way to disable this 'trusted white list' tester that is sabotaging so many of my spam scores?

That's one of the several sets of evals derived from the __RCVD_IN_DNSWL test of
the "list.dnswl.org" rbl.

You can disable just the RCVD_IN_DNSWL_HI rule by setting its score to 0
EG: in your local.cf add a line that looks like:

# disable RCVD_IN_DNSWL_HI
score RCVD_IN_DNSWL_HI 0

You can disable the whole kit of rules derived from that rbl by setting the base
rule to 0:

score __RCVD_IN_DNSWL 0


--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
Re: CVD_IN_DNSWL_HI ?
Thanks for the quick response.  I'll definitely start playing with that.


On 10/11/2021 10:28 PM, David B Funk wrote:
> On Mon, 11 Oct 2021, Jerry Malcolm wrote:
>
>>
>> I am getting tons of emails that are very obviously spam (elongation,
>> russian beauties, etc) that are getting a -5 score added on the white
>> list test:
>>
>> CVD_IN_DNSWL_HIRBL: Sender listed at https://www.dnswl.org/, high trust
>>
>> I'm curious about the usefulness of a white list that spammers have
>> obviously been able to defeat. And with the -5.0 score added
>> (subtracted) in to the total, there's almost no chance for other
>> tests to overcome it with 10 points to get the score to 5.0
>>
>> What is the easiest way to disable this 'trusted white list' tester
>> that is sabotaging so many of my spam scores?
>
> That's one of the several sets of evals derived from the
> __RCVD_IN_DNSWL test of the "list.dnswl.org" rbl.
>
> You can disable just the RCVD_IN_DNSWL_HI rule by setting its score to 0
> EG: in your local.cf add a line that looks like:
>
> # disable RCVD_IN_DNSWL_HI
> score RCVD_IN_DNSWL_HI 0
>
> You can disable the whole kit of rules derived from that rbl by
> setting the base rule to 0:
>
> score __RCVD_IN_DNSWL 0
>
>
Re: CVD_IN_DNSWL_HI ?
On Mon, 11 Oct 2021, David B Funk wrote:

> On Mon, 11 Oct 2021, Jerry Malcolm wrote:
>
>>
>> I am getting tons of emails that are very obviously spam (elongation,
>> russian beauties, etc) that are getting a -5 score added on the white list
>> test:
>>
>> CVD_IN_DNSWL_HIRBL: Sender listed at https://www.dnswl.org/, high trust
>>
>> I'm curious about the usefulness of a white list that spammers have
>> obviously been able to defeat. And with the -5.0 score added (subtracted)
>> in to the total, there's almost no chance for other tests to overcome it
>> with 10 points to get the score to 5.0
>>
>> What is the easiest way to disable this 'trusted white list' tester that
>> is sabotaging so many of my spam scores?
>
> That's one of the several sets of evals derived from the __RCVD_IN_DNSWL test
> of the "list.dnswl.org" rbl.
>
> You can disable just the RCVD_IN_DNSWL_HI rule by setting its score to 0
> EG: in your local.cf add a line that looks like:
>
> # disable RCVD_IN_DNSWL_HI
> score RCVD_IN_DNSWL_HI 0
>
> You can disable the whole kit of rules derived from that rbl by setting the
> base rule to 0:
>
> score __RCVD_IN_DNSWL 0
>

The other thing you should do is to report false-positives to the dnswl.org
site.
See: https://www.dnswl.org/?page_id=17

You first might want to verify that your FPs aren't being generated by some
upstream relay that is trusted but due to some configuration issue is
"masking" the spam source.

If you put a copy of one of the offending spams in pastebin.com and post the URL
here we can look at it with you to see if we can spot your issue.


--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
Re: CVD_IN_DNSWL_HI ?
On 11.10.21 22:07, Jerry Malcolm wrote:
>I am getting tons of emails that are very obviously spam (elongation
>rituals, russian beauties, etc) that are getting a -5 score added on
>the white list test:
>
>CVD_IN_DNSWL_HIRBL: Sender listed at https://www.dnswl.org/, high trust

I guess this really is RCVD_IN_DNSWL_HI

>I'm curious about the usefulness of a white list that so many spammers
>have obviously been able to figure out a way to defeat.

Someone apparently broke into a machine that is in the dnswl list.
It's also possible that your trust path is incorrect.
Can you publish an example of such mail with headers?


--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"One World. One Web. One Program." - Microsoft promotional advertisement
"Ein Volk, ein Reich, ein Fuhrer!" - Adolf Hitler
Re: CVD_IN_DNSWL_HI ?
David B Funk <dbfunk@engineering.uiowa.edu> writes:

> The other thing you should do is to report false-positives to the
> dnswl.org site.
> See: https://www.dnswl.org/?page_id=17

That's great advice. I have found over the years that DNSWL is well
run, and I'm confident that if a listed machine is emitting spam and
it's reported, then it would either get delisted or fixed very fast.

> You first might want to verify that your FPs aren't being generated by
> some upstream relay that is trusted but due to some configuration
> issue is "masking" the spam source.

The kind of places that get listed in HI tend to be well-managed.

> If you put a copy of one of the offending spams in pastebin.com and
> post the URL here we can look at it with you to see if we can spot
> your issue.

Putting the spam in a pastebin will let other people do a test scoring
run and that will likely shed some light on the situation.

Also, check how your DNS is set up. While DNSBLs in general don't want
to return false results on purpose, when they get abused with high query
rates there are not a lot of options to get people to stop.
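
Added example, not part of any post in this thread: a simplified Python model of the two checks suggested above, namely which relay IP ends up being looked up in list.dnswl.org for a given set of trusted networks, and what the A-record answer means (the last octet is the trust level; 127.0.0.255 means the resolver's queries were blocked). The headers, host names and networks are constructed, it handles IPv4 only, and the trust-path walk is an assumption that approximates SpamAssassin's behaviour rather than reproducing it.

```python
import ipaddress
import re

# Trust level is the last octet of the 127.0.x.y answer; the names are the
# SpamAssassin rules built on list.dnswl.org.
TRUST_RULES = {0: "RCVD_IN_DNSWL_NONE", 1: "RCVD_IN_DNSWL_LOW",
               2: "RCVD_IN_DNSWL_MED", 3: "RCVD_IN_DNSWL_HI"}

def relay_checked(received_headers, trusted_networks):
    """Return the first relay IP (newest header first) outside trusted_networks.

    Simplified model of the trust path: a header is believed only while the
    relay that handed over the message is itself trusted.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for header in received_headers:
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", header)
        if not m:
            return None          # unparseable hop: stop, do not guess
        ip = ipaddress.ip_address(m.group(1))
        if not any(ip in n for n in nets):
            return str(ip)
    return None

def dnswl_query_name(ip):
    """Build the DNS name looked up for an IPv4 address."""
    return ".".join(reversed(ip.split("."))) + ".list.dnswl.org"

def decode_answer(answer):
    """Map an A-record answer (or None for NXDOMAIN) to the rule that fires."""
    if answer is None:
        return "not listed"
    o = [int(x) for x in answer.split(".")]
    if o == [127, 0, 0, 255]:
        return "RCVD_IN_DNSWL_BLOCKED"   # resolver refused, not a real listing
    if o[:2] != [127, 0] or o[3] not in TRUST_RULES:
        return "unexpected answer"
    return TRUST_RULES[o[3]]

# Constructed sample: spam source -> listed forwarder -> our gateway -> SA host.
SAMPLE_RECEIVED = [
    "from gw.example.net (gw.example.net [192.0.2.10]) by sa.example.net",
    "from fwd.example.org (fwd.example.org [198.51.100.7]) by gw.example.net",
    "from unknown (HELO x) ([203.0.113.99]) by fwd.example.org",
]

if __name__ == "__main__":
    for trusted in (["192.0.2.0/24"], ["192.0.2.0/24", "198.51.100.0/24"]):
        ip = relay_checked(SAMPLE_RECEIVED, trusted)
        print(trusted, "->", ip, dnswl_query_name(ip))
```

With only the gateway trusted, the forwarder's address is the one looked up, so its listing is credited to the message; adding the forwarder to the trusted networks moves the lookup to the hop behind it.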