Mailing List Archive

Re: Fw: spam from gmail.com
Arne Jensen <darkdevil@darkdevil.dk> writes:

> On 12-11-2021 at 00:43, Loren Wilton wrote:
>> I have to admit I'd never paid much attention to the RCVD_IN_DNSWL_*
>> scores on spam before.
> [...]
>> Looking at spam for last month, [...]
>>
>> But I do have 12 pretty blatant spams that hit RCVD_IN_DNSWL_HI.
>> It makes me wonder just how useful a rule it is.
> A pretty blatant misconfiguration of a mail server (and/or the system
> running same), can unfortunately lead to various negative side
> effects.

Loren might want to check about spam received by mailinglists. I have
seen spam sent to lists and then delivered to me, so that it arrives
from the MTA of the org running the list. Adding that to
trusted_networks moves the check points earlier and avoids treating
the mail as good because it came from the list.

Of course, it would be better if the list were set up for both spam
filtering and rejecting non-member posts, and machines that host lists
that send spam probably aren't in DNSWL anyway.


Thanks for all the confirmations for what isn't listed. I have always
had the view that DNSWL runs a tight ship (and fairly too), and I
continue to feel that -2.3 for MED is a reasonable score.
Re: Fw: spam from gmail.com
Arne Jensen <darkdevil@darkdevil.dk> writes:

> On 11-11-2021 at 20:21, Greg Troxel wrote:
>> It's a really interesting question what DNSWL_MED ought to be for score.
>> Given what MED is supposed to be:
>>
>> Medium Rare spam occurrences, corrected promptly.
>>
>> -2.3 points seems entirely reasonable.
>>
>> But I don't see how gmail makes sense being medium, as spam from gmail
>> is not rare. Probably it happens to me every day. NONE seems more
>> appropriate, especially since I have no perception of google making a
>> serious attempt to avoid emanating spam. (I realize this comment
>> belongs on the DNSWL list, but for now I'm not bothered personally
>> because the v6 addrs aren't listed.)
>
> Google (Gmail) is not, and has never been on medium.
>
> Last score change on Google's addresses, was in June 2018, demoting
> the last remaining ones from "low" to "none".
>
> Are you by any chance forwarding traffic from one server to another,
> and/or potentially missing something in your trusted_networks and/or
> internal_networks? This one is *very* common.

Sorry for being fuzzy. What I meant, and didn't say clearly, is:

I get a lot of spam from gmail (that is properly DKIM signed and
passes SPF). I'm not seeing any of it get tagged as coming from
DNSWL_MED.

Having seen other people claim that google servers are on MED, I was
opining that this didn't make sense. (It seems that everybody agrees
that it doesn't make sense and also that it has never been true.)

> Checking up with DNSWL is actually done by checking the first server
> in reverse order, that your own server does not trust, so if the
> inbound message you see was sent from Gmail, relayed over your
> friend's server (which is/was at medium), and then finally hitting
> yours, and that you do not have set your friend's server as one of
> your trusted ones, the DNSWL check will be done on your friend's
> server, ending up with flagging the message as medium.

For me, the trickiness is in mailinglists, especially when they are set
up without restrict-to-list-member and without good filtering. So I
have put their addresses into trusted_networks. This isn't quite the
same as someone MX-catching for me, but I think it works out the same.

Greg
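
Added example (not part of the thread, and not SpamAssassin's own code): a simplified model of the relay selection discussed above, showing how adding a list server to trusted_networks moves the DNSWL lookup one hop earlier. The Received headers, hostnames and addresses are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed Received headers, newest hop first, as they appear in a message.
# All hosts and addresses are documentation-range placeholders.
RECEIVED = [
    "from lists.example.org (lists.example.org [192.0.2.25]) by mx.example.net",
    "from sender.example.com (sender.example.com [198.51.100.7]) by lists.example.org",
    "from client.example.com (client.example.com [203.0.113.99]) by sender.example.com",
]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ips(received_headers):
    """Extract the connecting IP of each hop, newest hop first."""
    ips = []
    for line in received_headers:
        match = IP_RE.search(line)
        if match:
            ips.append(ipaddress.ip_address(match.group(1)))
    return ips


def first_untrusted(received_headers, trusted_networks):
    """Return the first relay, walking back from our own server, that is
    not covered by trusted_networks. This is the address the whitelist
    lookup is made for in this simplified model."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for ip in relay_ips(received_headers):
        if not any(ip in net for net in nets):
            return ip
    return None


def dnswl_query_name(ip, zone="list.dnswl.org"):
    """Build the DNS name queried for an IPv4 address (octets reversed)."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone


if __name__ == "__main__":
    for trusted in ([], ["192.0.2.25/32"]):
        ip = first_untrusted(RECEIVED, trusted)
        print(trusted, "->", ip, dnswl_query_name(ip))
```

With no trusted entry the lookup is made for the list server; once the list server is trusted, the lookup is made for the host that handed the message to the list.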
Re: spam from gmail.com
> On Nov 9, 2021, at 6:49 AM, Jared Hall <jared@jaredsec.com> wrote:
>
> On 11/8/2021 11:36 PM, Peter wrote:
>> It seems that people aren't taking google as seriously any more.
> First came Freemail. Then came SpamAssassin. I DO think that people take Google seriously. There are just so many ways to deal with this problem - none of which is better than any other.
>
> Google touts their AI capabilities with Spam. Too bad they don't scan their outbound email. Instead, they seem to have adopted a cowardly philosophy that an old C&P Telephone tech conveyed to me decades ago: "Problem's leaving here fine!"
>
> Google should practice what they preach: SANITIZE USER INPUT. Instead, their careless attitude presents a security threat to us all.
>
> -- Jared Hall
>


What... you mean "do no evil" is just lip-service? I'm so... so... disillusioned!

-Philip
Re: Fw: spam from gmail.com
On 11/12/21 00:43, Loren Wilton wrote:
> I have to admit I'd never paid much attention to the RCVD_IN_DNSWL_*
> scores on spam before.
> Looking at spam for last month, I don't have a single RCVD_IN_DNSWL_MED.
>
> But I do have 12 pretty blatant spams that hit RCVD_IN_DNSWL_HI.
> It makes me wonder just how useful a rule it is.
>
> Especially when it includes sendgrid as part of the "HI" reputation
> senders.
>
When I was using my provider DNS server, I started to receive a lot of
spam, mails were scored with RCVD_IN_DNSWL_HI=-5.
It turned out that most queries were resolved as 127.0.0.255 (BLOCKED),
but some of them as 127.0.10.3 (listed HI as "some special cases" category)

So you need to use your own DNS server and make sure you are below 100k
queries/day, or get a subscription. Otherwise spam occasionally starts
to get in.

Regards,
Łukasz
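
Added example (not part of the thread): a check that decodes DNSWL answers of the form 127.0.<category>.<trust> and discards whitelist hits obtained through a resolver that has also returned 127.0.0.255 (BLOCKED), as in the message above. Discarding every hit from such a resolver is a policy assumed for this example, the sample answers are constructed, and the function names are hypothetical.

```python
import ipaddress

BLOCKED = ipaddress.ip_address("127.0.0.255")
# Last octet of a listing: trust level.
TRUST = {0: "NONE", 1: "LOW", 2: "MED", 3: "HI"}

# Constructed sample of answers seen through one shared resolver.
SHARED_RESOLVER_ANSWERS = ["127.0.0.255", "127.0.10.3", "127.0.0.255"]
# Constructed sample of answers seen through a local resolver under quota.
LOCAL_RESOLVER_ANSWERS = ["127.0.5.2", "127.0.10.3"]


def decode_dnswl(answer):
    """Decode one A-record answer into (status, category, trust)."""
    ip = ipaddress.ip_address(answer)
    if ip == BLOCKED:
        return ("blocked", None, None)
    octets = ip.packed
    if octets[0] != 127 or octets[1] != 0 or octets[3] not in TRUST:
        return ("unexpected", None, None)
    return ("listed", octets[2], TRUST[octets[3]])


def resolver_usable(answers):
    """False as soon as the resolver has handed back a BLOCKED answer."""
    return all(decode_dnswl(a)[0] != "blocked" for a in answers)


def trusted_hits(answers):
    """Return decoded listings only when the resolver is usable, so that
    answers from a blocked resolver never lower a spam score."""
    if not resolver_usable(answers):
        return []
    return [d for d in map(decode_dnswl, answers) if d[0] == "listed"]


if __name__ == "__main__":
    print("shared:", trusted_hits(SHARED_RESOLVER_ANSWERS))
    print("local: ", trusted_hits(LOCAL_RESOLVER_ANSWERS))
```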
Re: spam from gmail.com
They abandoned the motto in 2018.


*********** REPLY SEPARATOR ***********

On 12/11/2021 at 3:33 PM Philip Prindeville wrote:

>
>What... you mean "do no evil" is just lip-service? I'm so... so...
>disillusioned!
>
>-Philip
Re: spam from gmail.com
>On 12/11/2021 at 3:33 PM Philip Prindeville wrote:
>>What... you mean "do no evil" is just lip-service? I'm so... so...
>>disillusioned!

On 26.11.21 11:07, Peter wrote:
>They abandoned the motto in 2018.

I often think they only skipped the "Don't" part of their "Don't be evil"
motto.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Chernobyl was an Windows 95 beta test site.
