Mailing List Archive

Fw: spam from gmail.com
Spammers are using gmail.com. Congratulations to Google for their fine work...

-------- Original Message --------
On Nov 8, 2021, 10:42, Mrs.Marann Silvia < marannsilvia6@gmail.com> wrote:
Good day my dear,
How are you doing and your family.I am Mrs.Marann Silvia,a sick widow
writing from one of the America hospitals.I am suffering from a long
time cancer of breast,my health situation is becoming worse,my life is
no longer guaranteed hence i want to make this solemn donation.I want
to donate my money to help the orphans, widows and handicap people
through you because there is no more time left for me on this earth.I
take this decision because i have no child who will inherit my wealth
after my death.Please,i need your urgent reply so that i can tell you
more on how you will handle my wish before i die.I will be waiting to
hear from you immediately by God grace amen,
yours sincerely.
Mrs.Marann Silvia
Re: Fw: spam from gmail.com
A real spike lately, too. Send messages with full headers to
abuse@gmail.com. It might be a bit bucket since I've never heard
anything back, but it can't hurt.

On 2021-11-08 13:27, Rupert Gallagher wrote:
> Spammers are using gmail.com. Congratulations to Google for their fine
> work...
>
> -------- Original Message --------
> On Nov 8, 2021, 10:42, Mrs.Marann Silvia < marannsilvia6@gmail.com> wrote:
> Good day my dear,
> How are you doing and your family.I am Mrs.Marann Silvia,a sick widow
> writing from one of the America hospitals.I am suffering from a long
> time cancer of breast,my health situation is becoming worse,my life is
> no longer guaranteed hence i want to make this solemn donation.I want
> to donate my money to help the orphans, widows and handicap people
> through you because there is no more time left for me on this earth.I
> take this decision because i have no child who will inherit my wealth
> after my death.Please,i need your urgent reply so that i can tell you
> more on how you will handle my wish before i die.I will be waiting to
> hear from you immediately by God grace amen,
> yours sincerely.
> Mrs.Marann Silvia

--
For SpamAssassin Users List
Re: Fw: spam from gmail.com
On Mon, 2021-11-08 at 18:27 +0000, Rupert Gallagher wrote:
> Spammers are using gmail.com. Congratulations to Google for their fine
> work...
>
The more 'enterprising' ones are apparently sex come-ons, but contain
links to known-malicious URL shorteners.

Martin
Re: Fw: spam from gmail.com
This has been going on for a long time, Google is now one of my top spam
sources - I blacklist other servers very aggressively.

I now increase the score on mail from google.com and occasionally check the
spam catch and add any real sender to a whitelist.

That means most gets quarantined and dumped, and the rest get slowed until
I check them, and the couple of people that have asked about the delay have
been happy when I explain what is happening.

It seems that people aren't taking google as seriously any more.




*********** REPLY SEPARATOR ***********

On 8/11/2021 at 6:27 PM Rupert Gallagher wrote:
Spammers are using gmail.com. Congratulations to Google for their fine
work...

-------- Original Message --------
On Nov 8, 2021, 10:42, Mrs.Marann Silvia < marannsilvia6@gmail.com> wrote:
Good day my dear,
How are you doing and your family.I am Mrs.Marann Silvia,a sick widow
writing from one of the America hospitals.I am suffering from a long
time cancer of breast,my health situation is becoming worse,my life is
no longer guaranteed hence i want to make this solemn donation.I want
to donate my money to help the orphans, widows and handicap people
through you because there is no more time left for me on this earth.I
take this decision because i have no child who will inherit my wealth
after my death.Please,i need your urgent reply so that i can tell you
more on how you will handle my wish before i die.I will be waiting to
hear from you immediately by God grace amen,
yours sincerely.
Mrs.Marann Silvia
Re: Fw: spam from gmail.com
On 11/8/2021 11:36 PM, Peter wrote:
> It seems that people aren't taking google as seriously any more.
First came Freemail.  Then came SpamAssassin.  I DO think that people
take Google seriously.  There are just so many ways to deal with this
problem - none of which is better than any other.

Google touts their AI capabilities with Spam.  Too bad they don't scan
their outbound email.  Instead, they seem to have adopted a cowardly
philosophy that an old C&P Telephone tech conveyed to me decades ago:
"Problem's leaving here fine!"

Google should practice what they preach:  SANITIZE USER INPUT. Instead,
their careless attitude presents a security threat to us all.

-- Jared Hall
Re: Fw: spam from gmail.com
This is why I flood their abuse box with reports: problem comes back.
Eventually some brain cell will realize that it's not doing much for
their brand. Moments later it will become an Important Issue, because
brand is everything these days.

On 2021-11-09 08:49, Jared Hall wrote:
> On 11/8/2021 11:36 PM, Peter wrote:
>> It seems that people aren't taking google as seriously any more.
> First came Freemail.  Then came SpamAssassin.  I DO think that people
> take Google seriously.  There are just so many ways to deal with this
> problem - none of which is better than any other.
>
> Google touts their AI capabilities with Spam.  Too bad they don't scan
> their outbound email.  Instead, they seem to have adopted a cowardly
> philosophy that an old C&P Telephone tech conveyed to me decades ago:
> "Problem's leaving here fine!"
>
> Google should practice what they preach:  SANITIZE USER INPUT.
> Instead, their careless attitude presents a security threat to us all.
>
> -- Jared Hall
>
--
For SpamAssassin Users List
Re: spam from gmail.com
The same with Microsoft365...
A couple of weeks ago tons of M365 IP ranges got into their own RBLs...  good job!!! 
Pedreter.



> On Tuesday, November 9, 2021, 01:09:39 PM GMT+1, Peter <email@ace.net.au> wrote:
>
> This has been going on for a long time, Google is now one of my top spam
> sources - I blacklist other servers very aggressively.
>
> I now increase the score on mail from google.com and occasionally check the
> spam catch and add any real sender to a whitelist.
>
> That means most gets quarantined and dumped, and the rest get slowed until
> I check them, and the couple of people that have asked about the delay have
> been happy when I explain what is happening.
>
> It seems that people aren't taking google as seriously any more.
Re: Fw: spam from gmail.com
On 11/9/2021 9:28 AM, Alan wrote:
> This is why I flood their abuse box with reports: problem comes back.
> Eventually some brain cell will realize that it's not doing much for
> their brand. Moments later it will become an Important Issue, because
> brand is everything these days.
>
nguyenvietcuong1234567890 ngohoangyen77 phamngocthuy956
nguyenquocdung801 nganbya0609193 vohongvan045 phamminhdong9785
nguyenhuyenanh38613 hao4252 thanhhai701 phanthithien74 nguyenngocha791
nguyenvantien034 phuonghoang0123456789 vuxuantung44 vuvanbao1972
truongvanthanh34 ngothihang0310 phamhongson858 nguyenthuthuy1971
phanvantoi39 trieuduong24g daoquockhanh643 quynhtram0382
nguyenminhhoa740 vuthiminh2608 vuthiminh2608 nguyenthihoa23091979
tranthithuan2608 nguyenvanyen814

These nice gmail users will sell anything from "Seen on TV" to
Tee-Shirts to length increasing products.  Probably all associated with
one happy Vietnamese family that sleeps in a warehouse or parking lot
along San Jose's Tasman Drive.  At least that is how things were the
last time I was there, about 11 years ago.

Whatever, I'd recommend just making a note of about how much time you
spend dealing with Gmail user spam.  Google's well aware of these
problems and at some point, they'll have to account for the damages
their service does to others.

Funny story:

So, it's the early 90's and I fly into San Fran.  I'm to meet the next
day with one of our (newer) Development Engineers.  I'd never met him
before, although we had talked many times on the phone. "Just grab a
table and call me for breakfast", he says.  No problem, I thought.

Stupidly the next morning, I go to the Front Desk and ask for Mr. Pin Lo
Chen.  The clerk types away on his keyboard then replied, "Sir, we have
11 Pin Lo Chens on staff, and 5 guests by that name. Can you be more
specific?"

I just sat down and ordered breakfast when the "real" Pin Lo Chen found me.

First thing he says is, "Why didn't you call me?"

-- Jared Hall
Re: Fw: spam from gmail.com
You can report it. Gmail is on DNSWL

@gmail.com>
RCVD_IN_DNSWL_MED=-2.3

https://www.dnswl.org/?page_id=17

As far as i know DNSWL is used by default

On 11/8/21 7:27 PM, Rupert Gallagher wrote:
> Spammers are using gmail.com. Congratulations to Google for their fine work...
>
> -------- Original Message --------
> On Nov 8, 2021, 10:42, Mrs.Marann Silvia < marannsilvia6@gmail.com> wrote:
> Good day my dear,
> How are you doing and your family.I am Mrs.Marann Silvia,a sick widow
> writing from one of the America hospitals.I am suffering from a long
> time cancer of breast,my health situation is becoming worse,my life is
> no longer guaranteed hence i want to make this solemn donation.I want
> to donate my money to help the orphans, widows and handicap people
> through you because there is no more time left for me on this earth.I
> take this decision because i have no child who will inherit my wealth
> after my death.Please,i need your urgent reply so that i can tell you
> more on how you will handle my wish before i die.I will be waiting to
> hear from you immediately by God grace amen,
> yours sincerely.
> Mrs.Marann Silvia
>

--
Philipp Ewald
Administrator

DigiOnline GmbH, Probsteigasse 15 - 19, 50670 Köln
Fax: +49 221 6500-690, E-Mail: philipp.ewald@digionline.de

AG Köln HRB 27711, St.-Nr. 5215 5811 0640
Managing Director: Werner Grafenhain

Data protection information: www.digionline.de/ds
Re: Fw: spam from gmail.com
This is _exactly_ why I zero out whitelists. A decent portion of spam
being rejected here is from gmail, far more than from outlook and co.

Trust can only be earned, not bought and not assumed, whitelists should
have no place in SA, and why always use clear_uridnsbl_skip_domain

On 11/11/2021 21:19, Philipp Ewald wrote:

> You can report it. Gmail is on DNSWL

--

Regards,
Noel Butler

This Email, including attachments, may contain legally privileged
information, therefore at all times remains confidential and subject to
copyright protected under international law. You may not disseminate
this message without the author's express written authority to do so.
If you are not the intended recipient, please notify the sender then
delete all copies of this message including attachments immediately.
Confidentiality, copyright, and legal privilege are not waived or lost
by reason of the mistaken delivery of this message.
Re: Fw: spam from gmail.com
Philipp Ewald <philipp.ewald@digionline.de> writes:

> You can report it. Gmail is on DNSWL
>
> @gmail.com>
> RCVD_IN_DNSWL_MED=-2.3
>
> https://www.dnswl.org/?page_id=17
>
> As far as i know DNSWL is used by default

I've ended up giving a point each to FREEMAIL_FROM and TO_GMAIL, which
sort of nulls that out.

It would be really nice if there were an easy way to exclude a domain
from whitelist checks.
Re: spam from gmail.com
On 2021-11-11 at 07:56:59 UTC-0500 (Thu, 11 Nov 2021 07:56:59 -0500)
Greg Troxel <gdt@lexort.com>
is rumored to have said:

> Philipp Ewald <philipp.ewald@digionline.de> writes:
>
>> You can report it. Gmail is on DNSWL
>>
>> @gmail.com>
>> RCVD_IN_DNSWL_MED=-2.3
>>
>> https://www.dnswl.org/?page_id=17
>>
>> As far as i know DNSWL is used by default
>
> I've ended up giving a point each to FREEMAIL_FROM and TO_GMAIL, which
> sort of nulls that out.

Also: the DNSWL rules in the default ruleset are mis-scored, based apparently on a Perceptron run early in the history of SA and DNSWL. I don't know exactly how to fix this at the distribution level because the RuleQA system can't cope well with possibly labile network reputation rules. The effect of this is that the DNSWL rule scores are not routinely rescored. The fact that they've had the same scores for ~10 years means that they are probably a fixed basis for static local rules in many places. We don't want to disrupt anyone's working system by changing the default scores.

With that said, I don't think anyone should use the RCVD_IN_DNSWL* rule scores just because they are the default scores. Locally I use this:

score RCVD_IN_DNSWL_LOW 0.8
score RCVD_IN_DNSWL_MED -0.2
score RCVD_IN_DNSWL_HI -2

Those are NOT based on any formal analysis, but simply on my eyeballing a bunch of local stats and heuristically picking values, because I'm a bozo...

> It would be really nice if there were an easy way to exclude a domain
> from whitelist checks.

So, for the internal default "whitelist" this exists: unwhitelist_from (see 'perldoc Mail::SpamAssassin::Conf')

It is easy enough to construct rules that counteract DNSWL or other external reputation sources, and the addition of ad hoc internal lists (WLBLEval plugin) in 3.4.x makes it possible to do so in a well-structured manner. Basically, you can create a list of domains that should NOT get any DNSWL bonus and use a meta rule to counteract that bonus. This isn't quite the same as excluding domains from a check entirely, but you can get the same effect.

--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: Fw: spam from gmail.com
On 2021-11-11 13:56, Greg Troxel wrote:
> Philipp Ewald <philipp.ewald@digionline.de> writes:
>
>> You can report it. Gmail is on DNSWL
>>
>> @gmail.com>
>> RCVD_IN_DNSWL_MED=-2.3
>>
>> https://www.dnswl.org/?page_id=17
>>
>> As far as i know DNSWL is used by default
>
> I've ended up giving a point each to FREEMAIL_FROM and TO_GMAIL, which
> sort of nulls that out.
>
> It would be really nice if there were an easy way to exclude a domain
> from whitelist checks.

add

freemail_whitelist gmail.com

to local.cf

it's not a whitelist, more a skip gmail.com as a freemail, if that changes
anything

I begin to add a score higher than the default score to freemail hits, which
imho is more desirable than classing it as not freemail
Re: Fw: spam from gmail.com
I use DNSWLh spamassassin plugin from http://www.chaosreigns.com/dnswl/sa_plugin/
which allows that "spamassassin --report" also reports to DNSWL, thus improving
DNSWL database for everybody.

Also, I reduce effect of RCVD_IN_DNSWL_MED to -0.5 as default seems
somewhat unreasonable.

On Thu, 11 Nov 2021 12:19:10 +0100, Philipp Ewald <philipp.ewald@digionline.de> wrote:
> You can report it. Gmail is on DNSWL
>
> @gmail.com>
> RCVD_IN_DNSWL_MED=-2.3
>
> https://www.dnswl.org/?page_id=17
>
> As far as i know DNSWL is used by default
>
> On 11/8/21 7:27 PM, Rupert Gallagher wrote:
>> Spammers are using gmail.com. Congratulations to Google for their fine work...
>>
>> -------- Original Message --------
>> On Nov 8, 2021, 10:42, Mrs.Marann Silvia < marannsilvia6@gmail.com> wrote:
>> Good day my dear,
>> How are you doing and your family.I am Mrs.Marann Silvia,a sick widow
>> writing from one of the America hospitals.I am suffering from a long
>> time cancer of breast,my health situation is becoming worse,my life is
>> no longer guaranteed hence i want to make this solemn donation.I want
>> to donate my money to help the orphans, widows and handicap people
>> through you because there is no more time left for me on this earth.I
>> take this decision because i have no child who will inherit my wealth
>> after my death.Please,i need your urgent reply so that i can tell you
>> more on how you will handle my wish before i die.I will be waiting to
>> hear from you immediately by God grace amen,
>> yours sincerely.
>> Mrs.Marann Silvia
>>
>


--
Opinions above are GNU-copylefted.
Re: Fw: spam from gmail.com
>On 2021-11-11 13:56, Greg Troxel wrote:
>>Philipp Ewald <philipp.ewald@digionline.de> writes:
>>
>>>You can report it. Gmail is on DNSWL
>>>
>>>@gmail.com>
>>>RCVD_IN_DNSWL_MED=-2.3
>>>
>>>https://www.dnswl.org/?page_id=17
>>>
>>>As far as i know DNSWL is used by default
>>
>>I've ended up giving a point each to FREEMAIL_FROM and TO_GMAIL, which
>>sort of nulls that out.
>>
>>It would be really nice if there were an easy way to exclude a domain
>>from whitelist checks.

On 11.11.21 17:24, Benny Pedersen wrote:
>add
>
>freemail_whitelist gmail.com
>
>to local.cf
>
>it's not a whitelist, more a skip gmail.com as a freemail, if that
>changes anything
>
>I begin to add a score higher than the default score to freemail hits, which
>imho is more desirable than classing it as not freemail

I guess this just disables detection of fake reply-to, which is I believe
exactly the opposite of what the OP needs.


--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.
Re: Fw: spam from gmail.com
Matus UHLAR - fantomas <uhlar@fantomas.sk> writes:

>>>It would be really nice if there were an easy way to exclude a domain
>>>from whitelist checks.
>
> On 11.11.21 17:24, Benny Pedersen wrote:
>>add
>>
>>freemail_whitelist gmail.com
>>
>>to local.cf
>>
>> it's not a whitelist, more a skip gmail.com as a freemail, if that
>> changes anything
>>
>> I begin to add a score higher than the default score to freemail hits, which
>> imho is more desirable than classing it as not freemail
>
> I guess this just disables detection of fake reply-to, which is I believe
> exactly the opposite of what the OP needs.

yes, what I really want is something like

exclude_from_dnswl gmail

and then somehow, anything that is somehow from gmail, when the DNSWL
check runs, gets 0 points instead of the default score for medium.
Basically, I want "behave as if gmail is not listed in DNSWL".

This is messy because DNSWL lookups are via IP address. However, I
just looked back at some of my incoming mail, and it seems google is
delivering to me over IPv6 and the v6 addresses of their sending MTAs
are not in DNSWL.


It's a really interesting question what DNSWL_MED ought to be for score.
Given what MED is supposed to be:

Medium Rare spam occurrences, corrected promptly.

-2.3 points seems entirely reasonable.

But I don't see how gmail makes sense being medium, as spam from gmail
is not rare. Probably it happens to me every day. NONE seems more
appropriate, especially since I have no perception of google making a
serious attempt to avoid emanating spam. (I realize this comment
belongs on the DNSWL list, but for now I'm not bothered personally
because the v6 addrs aren't listed.)
Re: spam from gmail.com
Bill Cole <sausers-20150205@billmail.scconsult.com> writes:

>> I've ended up giving a point each to FREEMAIL_FROM and TO_GMAIL, which
>> sort of nulls that out.
>
> Also: the DNSWL rules in the default ruleset are mis-scored, based
> apparently on a Perceptron run early in the history of SA and DNSWL. I
> don't know exactly how to fix this at the distribution level because
> the RuleQA system can't cope well with possibly labile network
> reputation rules. The effect of this is that the DNSWL rule scores are
> not routinely rescored. The fact that they've had the same scores for
> ~10 years means that they are probably a fixed basis for static local
> rules in many places. We don't want to disrupt anyone's working system
> by changing the default scores.

It would be interesting to know what they would be set to, if there
weren't the concern of things built on them.

> With that said, I don't think anyone should use the RCVD_IN_DNSWL*
> rule scores just because they are the default scores.

I see your point that you think the defaults are bad, but it also seems
awkward that basically every SA user be expected to change them.

> Locally I use this:

> score RCVD_IN_DNSWL_LOW 0.8
> score RCVD_IN_DNSWL_MED -0.2
> score RCVD_IN_DNSWL_HI -2
>
> Those are NOT based on any formal analysis, but simply on my
> eyeballing a bunch of local stats and heuristically picking values,
> because I'm a bozo...

Sure, I use that process myself, and that's fine because I have to
answer to a tiny number of people.

FWIW, I haven't really found a lot of problems from DNSWL. I file <1
into INBOX, >=1 to >=5 into spam.[12345], and accept that .spam.1 is
going to have a lot of FPs as the cost of keeping FNs out of INBOX.
That's of course contrary to doctrine, but it means that I look over any
spam that makes it to INBOX carefully and I just haven't been seeing
DNSWL_MED on spam very often.

My view is that if -2.3 on DNSWL_MED leads people to want to change the
score, that's a clue that there are things in MED that should not be
listed.

>> It would be really nice if there were an easy way to exclude a domain
>> from whitelist checks.
>
> So, for the internal default "whitelist" this exists: unwhitelist_from (see 'perldoc Mail::SpamAssassin::Conf')
>
> It is easy enough to construct rules that counteract DNSWL or other
> external reputation sources, and the addition of ad hoc internal lists
> (WLBLEval plugin) in 3.4.x makes it possible to do so in a
> well-structured manner. Basically, you can create a list of domains
> that should NOT get any DNSWL bonus and use a meta rule to counteract
> that bonus. This isn't quite the same as excluding domains from a
> check entirely, but you can get the same effect.

Thanks - I realize I could do this somehow, but it feels fragile to have
all these matching inverse points. I also realize writing the feature
I want is a bunch of code and that I haven't attached a patch.
Re: Fw: spam from gmail.com
Philipp Ewald <philipp.ewald@digionline.de> writes:

> You can report it. Gmail is on DNSWL
>
> @gmail.com>
> RCVD_IN_DNSWL_MED=-2.3
>
> https://www.dnswl.org/?page_id=17

I tried to find gmail being on DNSWL_MED and I haven't been able to.
There are google.com servers on DNSWL_NONE.

Can someone explain what addresses are

part of gmail
being used to deliver spam
on DNSWL_MED

?


I went over my mail, looking for recent spam with DNSWL_MED, and also
ham. I did find 3 messages that hit DNSWL_MED that were outright spam,
and either those places had a rare compromise or should be listed lower.
But I also found a large amount of ham with MED.

So from my viewpoint, the issues I see with DNSWL_MED are very minor,
and I am ok with the default score.

Thanks all for the discussion as I will probably try harder to report
FNs due to DNSWL now.
Re: Fw: spam from gmail.com
On Thu, Nov 11, 2021 at 02:21:06PM -0500, Greg Troxel wrote:
> yes, what I really want is something like
>
> exclude_from_dnswl gmail

I guess you could disable default DNSWL_MED score with:

score DNSWL_MED 0

and then create your own score:

meta MY_DNSWL_MED DNSWL_MED && !FREEMAIL_FROM
score MY_DNSWL_MED -2.5

That would score MY_DNSWL_MED only if it is *not* coming from some
freemail account.

If you want it to score on all other freemail providers, but not on
GMAIL, you would of course replace FREEMAIL_FROM with your own header
rule (like "header FROM_GMAIL From =~ /\@gmail\.com/" or similar).


--
Opinions above are GNU-copylefted.
Re: Fw: spam from gmail.com
I have to admit I'd never paid much attention to the RCVD_IN_DNSWL_* scores
on spam before.
Looking at spam for last month, I don't have a single RCVD_IN_DNSWL_MED.

But I do have 12 pretty blatant spams that hit RCVD_IN_DNSWL_HI.
It makes me wonder just how useful a rule it is.

Especially when it includes sendgrid as part of the "HI" reputation senders.

[ 66. 70.136.180] mta1.bevocalforlocal.info
[ 88. 80.190.164] 88-80-190-164.ip.linodeusercontent.com
[107.175.219. 38] dhrf266.medley.com.de
[107.175.219. 54] dhrf2106.realatelier.xyz
[107.175.219.103] dhrf2208.rollrs.xyz
[139.162. 81.182] 139-162-81-182.ip.linodeusercontent.com
[167. 89. 10.203] o1678910x203.outbound-mail.sendgrid.net
[167. 89. 10.203] o1678910x203.outbound-mail.sendgrid.net
[172.104.183.201] 172-104-183-201.ip.linodeusercontent.com
[172.105.221. 77] li1875-77.members.linode.com
[178. 79.178. 52] li347-52.members.linode.com
[185. 51. 39.149] static-185-51-39-149.uludns.net
Re: Fw: spam from gmail.com
On 2021-11-11 21:15, Matija Nalis wrote:

> I guess you could disable default DNSWL_MED score with:
>
> score DNSWL_MED 0
>
> and then create your own score:
>
> meta MY_DNSWL_MED DNSWL_MED && !FREEMAIL_FROM
> score MY_DNSWL_MED -2.5

good rule if score DNSWL_MED is not zero

keep

score DNSWL_MED 0.01

so MY_DNSWL_MED works
Re: Fw: spam from gmail.com
On 2021-11-12 00:43, Loren Wilton wrote:

> [172.105.221. 77] li1875-77.members.linode.com
> [178. 79.178. 52] li347-52.members.linode.com

imho it's safe to reject *.members.linode.com

which is the default for all Linode VPSes that only need a homepage :=)
Re: Fw: spam from gmail.com
On 11-11-2021 at 20:21, Greg Troxel wrote:
> It's a really interesting question what DNSWL_MED ought to be for score.
> Given what MED is supposed to be:
>
> Medium Rare spam occurrences, corrected promptly.
>
> -2.3 points seems entirely reasonable.
>
> But I don't see how gmail makes sense being medium, as spam from gmail
> is not rare. Probably it happens to me every day. NONE seems more
> appropriate, especially since I have no perception of google making a
> serious attempt to avoid emanating spam. (I realize this comment
> belongs on the DNSWL list, but for now I'm not bothered personally
> because the v6 addrs aren't listed.)

Google (Gmail) is not, and has never been, on medium.

Last score change on Google's addresses, was in June 2018, demoting the
last remaining ones from "low" to "none".

Are you by any chance forwarding traffic from one server to another,
and/or potentially missing something in your trusted_networks and/or
internal_networks? This one is *very* common.

Checking up with DNSWL is actually done by checking the first server in
reverse order, that your own server does not trust, so if the inbound
message you see was sent from Gmail, relayed over your friend's server
(which is/was at medium), and then finally hitting yours, and that you
do not have set your friend's server as one of your trusted ones, the
DNSWL check will be done on your friend's server, ending up with
flagging the message as medium.


--
Med venlig hilsen / Kind regards,
Arne Jensen
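Arne's point about which relay the DNSWL lookup is keyed on is easy to get wrong in practice, so here is an added Python model of it (example code, not from the thread and not SpamAssassin's own implementation). It walks constructed Received: headers newest-first, picks the first relay outside an assumed trusted_networks list, builds the list.dnswl.org query name for that relay and decodes the 127.0.<category>.<trust> answer convention that dnswl.org documents into the NONE/LOW/MED/HI level behind the RCVD_IN_DNSWL_* rules. All addresses are RFC 5737 documentation ranges and the resolver is a dict, so nothing is looked up on the network; the friend's forwarding host is the only "listed" entry, which reproduces the symptom: with the friend's server missing from trusted_networks the lookup lands on it and returns MED, with it trusted the lookup moves on to the real sender.

```python
"""Which relay does a DNSWL lookup apply to?  (added example, not from the thread)

Models the SpamAssassin behaviour described in the thread: Received: headers are
walked newest-first and the first relay that is NOT inside trusted_networks is
the one whose IP is looked up in list.dnswl.org.  All IPs below are RFC 5737
documentation addresses constructed for the example; the resolver is a dict
standing in for real DNS so the script runs offline.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Matches the bracketed relay IP in a Received: header, e.g. "[198.51.100.25]"
# or "[IPv6:2001:db8::25]".  Real Received: syntax is looser; this is enough
# for the constructed headers used here.
_RELAY_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")

# dnswl.org answers 127.0.<category>.<trust>; trust 0..3 maps to NONE/LOW/MED/HI,
# which is what RCVD_IN_DNSWL_NONE/LOW/MED/HI are keyed on.
_TRUST_NAMES = {0: "NONE", 1: "LOW", 2: "MED", 3: "HI"}


def relay_ips(raw_headers: str) -> List[str]:
    """Return the relay IPs of all Received: headers, newest (topmost) first."""
    ips = []
    for line in raw_headers.splitlines():
        if line.lower().startswith("received:"):
            m = _RELAY_IP.search(line)
            if m:
                ips.append(m.group(1))
    return ips


def last_external_relay(ips: Iterable[str], trusted_networks: Iterable[str]) -> Optional[str]:
    """First relay (walking newest-first) that lies outside trusted_networks.

    Everything inside trusted_networks is skipped, so a forwarding host that is
    NOT listed there becomes the relay whose reputation gets checked.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_networks]
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in nets):
            return ip
    return None


def dnswl_query_name(ip: str, zone: str = "list.dnswl.org") -> str:
    """Reverse the address into the DNS name queried for a DNSWL lookup."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:  # IPv6: one label per hex nibble, reversed
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def decode_dnswl_answer(answer: Optional[str]) -> str:
    """Turn an A-record answer (None for NXDOMAIN) into the DNSWL trust level."""
    if answer is None:
        return "NOT_LISTED"
    a, b, _category, trust = (int(x) for x in answer.split("."))
    if (a, b) != (127, 0):
        raise ValueError(f"unexpected DNSWL answer {answer!r}")
    return _TRUST_NAMES.get(trust, "UNKNOWN")


def dnswl_level_for_message(raw_headers: str, trusted_networks: Iterable[str],
                            resolver: Dict[str, str]) -> Optional[str]:
    """End-to-end: pick the last external relay and look it up via `resolver`."""
    relay = last_external_relay(relay_ips(raw_headers), trusted_networks)
    if relay is None:
        return None
    return decode_dnswl_answer(resolver.get(dnswl_query_name(relay)))


# Constructed message path: sender -> friend's forwarding server -> our MX.
SAMPLE_HEADERS = """\
Received: from mail.friend.example (mail.friend.example [198.51.100.25])
\tby mx.ourdomain.example (Postfix) with ESMTPS; Thu, 11 Nov 2021 20:21:06 +0000
Received: from mail-sender.example (mail-sender.example [203.0.113.7])
\tby mail.friend.example (Postfix) with ESMTPS; Thu, 11 Nov 2021 20:20:58 +0000
From: someone@freemail.example
Subject: test
"""

# Constructed resolver: only the friend's server is "listed" (category 5, trust 2 = MED).
FAKE_RESOLVER = {
    "25.100.51.198.list.dnswl.org": "127.0.5.2",
}


if __name__ == "__main__":
    only_us = ["192.0.2.0/24"]                           # our own MX only
    us_and_friend = ["192.0.2.0/24", "198.51.100.0/24"]  # friend's server trusted too
    print("friend not trusted ->", dnswl_level_for_message(SAMPLE_HEADERS, only_us, FAKE_RESOLVER))
    print("friend trusted     ->", dnswl_level_for_message(SAMPLE_HEADERS, us_and_friend, FAKE_RESOLVER))
```

Running the script prints the two verdicts side by side; in a real deployment the equivalent change is adding the forwarding host to trusted_networks (or internal_networks) in local.cf, which is the misconfiguration Arne is pointing at.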
Re: Fw: spam from gmail.com
On 12-11-2021 at 00:43, Loren Wilton wrote:
> I have to admit I'd never paid much attention to the RCVD_IN_DNSWL_*
> scores on spam before.
[...]
> Looking at spam for last month, [...]
>
> But I do have 12 pretty blatant spams that hit RCVD_IN_DNSWL_HI.
> It makes me wonder just how useful a rule it is.
A pretty blatant misconfiguration of a mail server (and/or the system
running same), can unfortunately lead to various negative side effects.

According to your previous mention of paying attention, I would
initially lean towards that (some of) your configuration(s) might need
some attention.

> Especially when it includes sendgrid as part of the "HI" reputation
> senders.

This one again leads back on the previous:

a) SendGrid has never had any IP addresses on "HI".
b) No SendGrid IP addresses have been published to the public from
DNSWL since 2020-08-21.

> [ 66. 70.136.180] mta1.bevocalforlocal.info

This IP address was caught on our radars on 2021-08-25, for a very short
time, and completely gone again on 2021-09-09.

During this time frame, it had only been residing in internal DNSWL
Id's, and as such, NOT been published to the public.

>
> [167. 89. 10.203] o1678910x203.outbound-mail.sendgrid.net
> [167. 89. 10.203] o1678910x203.outbound-mail.sendgrid.net
This IP address has been seen on and off since 2015-03-14, published
with RCVD_IN_DNSWL_NONE from 2015-03-25 to 2017-02-21, and again from
2018-06-17 towards 2020-08-21.
Outside the mentioned time frames it hasn't been sent out to the public,
and it has NEVER been above RCVD_IN_DNSWL_NONE.

> [ 88. 80.190.164] 88-80-190-164.ip.linodeusercontent.com
> [107.175.219. 38] dhrf266.medley.com.de
> [107.175.219. 54] dhrf2106.realatelier.xyz
> [107.175.219.103] dhrf2208.rollrs.xyz
> [139.162. 81.182] 139-162-81-182.ip.linodeusercontent.com
> [172.104.183.201] 172-104-183-201.ip.linodeusercontent.com
> [172.105.221. 77] li1875-77.members.linode.com
> [178. 79.178. 52] li347-52.members.linode.com
> [185. 51. 39.149] static-185-51-39-149.uludns.net

None of those are in DNSWL, and none of them have been recorded in DNSWL for
at least the past 12 months, not even in the internal DNSWL Id's that
aren't sent out to the public.

At the time of writing this, the RFC1912 #2.1 kind of FcRDNS for several
of them is inconsistent, as forward DNS is missing, which is a good reject
parameter on its own.

The majority of them also show the classic dynamic/generic looking PTR
records, which is also a good reject parameter on its own.

--
Med venlig hilsen / Kind regards,
Arne Jensen
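To make Arne's two rejection criteria concrete, here is an added Python check (not code from the thread, from DNSWL or from SpamAssassin) run over the relay list Loren posted. fcrdns_consistent() applies the RFC 1912 section 2.1 test (the PTR name must resolve forward to the same IP) and looks_generic_ptr() flags names that embed the address octets or carry typical static/dynamic/pool tokens. FORWARD_DNS is a constructed stand-in for A-record lookups so the script runs offline; the verdicts therefore illustrate the logic, not the current DNS of those hosts, and a real deployment would replace that table with actual resolver queries (or leave the test to the MTA's own reverse-DNS checks).

```python
"""FcRDNS consistency and generic-PTR heuristics over a relay list.

Added example, not code from the thread.  Real DNS is NOT queried: FORWARD_DNS
is a constructed table standing in for A-record lookups, so the verdicts show
how the checks behave, not the actual DNS state of the hosts listed.
"""
import re
from typing import Dict, List, Tuple

# Tokens that commonly mark auto-generated / end-user PTR names.  Word-bounded
# by '.' or '-' so that e.g. "linodeusercontent" does not trip the "user" token.
_GENERIC_WORDS = re.compile(
    r"(^|[.-])(static|dynamic|dyn|dhcp|pool|ppp|dsl|cable|ip|host|user|customer)([.-]|$)",
    re.I,
)


def ip_embedded_in_name(ip: str, name: str) -> bool:
    """True if the PTR name contains all four octets of the IP, in order,
    separated by '.' or '-' (e.g. 88-80-190-164.ip.linodeusercontent.com)."""
    octets = ip.split(".")
    pattern = r"(^|[.-])" + r"[.-]".join(re.escape(o) for o in octets) + r"([.-]|$)"
    return re.search(pattern, name) is not None


def looks_generic_ptr(ip: str, name: str) -> bool:
    """Heuristic for the 'classic dynamic/generic looking PTR records'."""
    return ip_embedded_in_name(ip, name) or _GENERIC_WORDS.search(name) is not None


def fcrdns_consistent(ip: str, name: str, forward_dns: Dict[str, List[str]]) -> bool:
    """Forward-confirmed reverse DNS: the PTR name's A records include the IP."""
    return ip in forward_dns.get(name.lower(), [])


def assess_relay(ip: str, name: str, forward_dns: Dict[str, List[str]]) -> Dict[str, object]:
    """Apply both checks; 'reject' is True if either one fires."""
    reasons = []
    if not fcrdns_consistent(ip, name, forward_dns):
        reasons.append("FcRDNS mismatch (no forward A record for PTR name)")
    if looks_generic_ptr(ip, name):
        reasons.append("generic/dynamic PTR")
    return {"ip": ip, "ptr": name, "reject": bool(reasons), "reasons": reasons}


def assess_all(relays: List[Tuple[str, str]], forward_dns: Dict[str, List[str]]) -> List[Dict[str, object]]:
    return [assess_relay(ip, name, forward_dns) for ip, name in relays]


# Relay list as posted in the thread (octet padding removed, duplicate dropped).
RELAYS = [
    ("66.70.136.180", "mta1.bevocalforlocal.info"),
    ("88.80.190.164", "88-80-190-164.ip.linodeusercontent.com"),
    ("107.175.219.38", "dhrf266.medley.com.de"),
    ("107.175.219.54", "dhrf2106.realatelier.xyz"),
    ("107.175.219.103", "dhrf2208.rollrs.xyz"),
    ("139.162.81.182", "139-162-81-182.ip.linodeusercontent.com"),
    ("167.89.10.203", "o1678910x203.outbound-mail.sendgrid.net"),
    ("172.104.183.201", "172-104-183-201.ip.linodeusercontent.com"),
    ("172.105.221.77", "li1875-77.members.linode.com"),
    ("178.79.178.52", "li347-52.members.linode.com"),
    ("185.51.39.149", "static-185-51-39-149.uludns.net"),
]

# CONSTRUCTED forward-DNS table (not real lookups): only two names are given a
# matching A record so that both outcomes of the FcRDNS check are exercised.
FORWARD_DNS = {
    "mta1.bevocalforlocal.info": ["66.70.136.180"],
    "o1678910x203.outbound-mail.sendgrid.net": ["167.89.10.203"],
}


if __name__ == "__main__":
    for verdict in assess_all(RELAYS, FORWARD_DNS):
        flag = "REJECT" if verdict["reject"] else "ok    "
        print(f"{flag} {verdict['ip']:<16} {verdict['ptr']:<45} {'; '.join(verdict['reasons'])}")
```

With the constructed table, nine of the eleven relays would be rejected on at least one criterion and the two with a matching forward record and a non-generic name pass, which is the split Arne's message describes; swapping FORWARD_DNS for real resolver output is the only change needed to run it against live data.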
Re: spam from gmail.com
These IPs are not in dnswl.org database:

[ 66.70.136.180] mta1.bevocalforlocal.info
[ 88.80.190.164] 88-80-190-164.ip.linodeusercontent.com
[107.175.219.38] dhrf266.medley.com.de
[107.175.219.54] dhrf2106.realatelier.xyz
[107.175.219.103] dhrf2208.rollrs.xyz
[139.162.81.182] 139-162-81-182.ip.linodeusercontent.com
[172.104.183.201] 172-104-183-201.ip.linodeusercontent.com
[172.105.221.77] li1875-77.members.linode.com
[178.79.178.52] li347-52.members.linode.com
[185.51.39.149] static-185-51-39-149.uludns.net

These IPs are internally blacklisted:

[167.89.10.203] o1678910x203.outbound-mail.sendgrid.net
[167.89.10.203] o1678910x203.outbound-mail.sendgrid.net

You could at some point in time have been using a nameserver (from a hosting provider?) which keeps abusing the dnswl.org infrastructure.

— Matthias

> On 12.11.2021 at 00:43, Loren Wilton <lwilton@earthlink.net> wrote:
>
> I have to admit I'd never paid much attention to the RCVD_IN_DNSWL_* scores on spam before.
> Looking at spam for last month, I don't have a single RCVD_IN_DNSWL_MED.
>
> But I do have 12 pretty blatant spams that hit RCVD_IN_DNSWL_HI.
> It makes me wonder just how useful a rule it is.
>
> Especially when it includes sendgrid as part of the "HI" reputation senders.
>
> [ 66. 70.136.180] mta1.bevocalforlocal.info
> [ 88. 80.190.164] 88-80-190-164.ip.linodeusercontent.com
> [107.175.219. 38] dhrf266.medley.com.de
> [107.175.219. 54] dhrf2106.realatelier.xyz
> [107.175.219.103] dhrf2208.rollrs.xyz
> [139.162. 81.182] 139-162-81-182.ip.linodeusercontent.com
> [167. 89. 10.203] o1678910x203.outbound-mail.sendgrid.net
> [167. 89. 10.203] o1678910x203.outbound-mail.sendgrid.net
> [172.104.183.201] 172-104-183-201.ip.linodeusercontent.com
> [172.105.221. 77] li1875-77.members.linode.com
> [178. 79.178. 52] li347-52.members.linode.com
> [185. 51. 39.149] static-185-51-39-149.uludns.net
>
