Mailing List Archive

excluding specific RBL checks
SA version 3.4.5

Gears are clashing, clutch is slipping, among other things.

Trying to exclude certain checks, via Spamhaus services "by the book"

When placing these values in local.cf:

RCVD_IN_ZEN 0
RCVD_IN_XBL 0
RCVD_IN_PBL 0

"spamassassin --lint" complains. Yet SA starts without complaint and
seems to not run those tests.

Placing "score" at the beginning of the line makes lint happy and SA
seems to start fine and also does not run those tests.

So, one assumes it is a typo in the docs, or, one is expected to infer
the "score" word.

Yet I still see this while "skip_rbl_checks 1" (in both above scenarios):

"RCVD_IN_ZEN_BLOCKED_OPENDNS RBL: ADMINISTRATOR NOTICE:"

Which suggests that one runs despite the directive or, I am using the
wrong one.
Re: excluding specific RBL checks
On 1/8/2023 3:50 PM, joe a wrote:
> SA version 3.4.5
>
> Gears are clashing, clutch is slipping, among other things.
>
> Trying to exclude certain checks, via Spamhaus services "by the book"
>
> When placing these values in local.cf:
>
> RCVD_IN_ZEN 0
> RCVD_IN_XBL 0
> RCVD_IN_PBL 0
>
> "spamassassin --lint" complains. Yet SA starts without complaint and
> seems to not run those tests.
>
> Placing "score" at the beginning of the line makes lint happy and SA
> seems to start fine and also does not run those tests.
>
> So, one assumes it is a typo in the docs, or, one is expected to infer
> the "score" word.
>
> Yet I still see this while "skip_rbl_checks 1" (in both above scenarios):
>
> "RCVD_IN_ZEN_BLOCKED_OPENDNS RBL: ADMINISTRATOR NOTICE:"
>
> Which suggests that one runs despite the directive or, I am using the
> wrong one.
>
>

And the answer to the latter is "I had the wrong directive". Which is
obvious. Now.
Re: excluding specific RBL checks
What did you end up with?

I have a bunch of zero rules for these yet still keep getting the "administrative notice" from sbl/zen.

The fact that those guys don't just send out a "yes, this is on by default in spamassassin, here is copy pasta to turn us off" email bugs me.

I've grown to this huge list and still get the warnings.

# remove spamhaus tests, they want us to pay
# need to include the first base rule or DNS still triggers but is ignored
score __RCVD_IN_ZEN 0
score RCVD_IN_SBL 0
score RCVD_IN_XBL 0
score RCVD_IN_PBL 0
score URIBL_SBL 0
score URIBL_CSS 0
score URIBL_SBL_A 0
score URIBL_CSS_A 0
score URIBL_DBL_SPAM 0
score URIBL_DBL_PHISH 0
score URIBL_DBL_MALWARE 0
score URIBL_DBL_BOTNETCC 0
score URIBL_DBL_ABUSE_SPAM 0
score URIBL_DBL_ABUSE_REDIR 0
score URIBL_DBL_ABUSE_PHISH 0
score URIBL_DBL_ABUSE_MALW 0
score URIBL_DBL_ABUSE_BOTCC 0

Until I can get around to updating I'm considering just nuking the actual tests from the ruleset.

Charles

> On Jan 8, 2023, at 4:00 PM, joe a <joea-lists@j4computers.com> wrote:
>
> On 1/8/2023 3:50 PM, joe a wrote:
>> SA version 3.4.5
>> Gears are clashing, clutch is slipping, among other things.
>> Trying to exclude certain checks, via Spamhaus services "by the book"
>> When placing these values in local.cf:
>> RCVD_IN_ZEN 0
>> RCVD_IN_XBL 0
>> RCVD_IN_PBL 0
>> "spamassassin --lint" complains. Yet SA starts without complaint and seems to not run those tests.
>> Placing "score" at the beginning of the line makes lint happy and SA seems to start fine and also does not run those tests.
>> So, one assumes it is a typo in the docs, or, one is expected to infer the "score" word.
>> Yet I still see this while "skip_rbl_checks 1" (in both above scenarios):
>> "RCVD_IN_ZEN_BLOCKED_OPENDNS RBL: ADMINISTRATOR NOTICE:"
>> Which suggests that one runs despite the directive or, I am using the wrong one.
>
> And the answer to the latter is "I had the wrong directive". Which is obvious. Now.
>
Re: excluding specific RBL checks
joe a wrote on 2023-01-08 21:50:
> SA version 3.4.5
>
> Gears are clashing, clutch is slipping, among other things.
>
> Trying to exclude certain checks, via Spamhaus services "by the book"

what book ?

> When placing these values in local.cf:
>
> RCVD_IN_ZEN 0
> RCVD_IN_XBL 0
> RCVD_IN_PBL 0
>
> "spamassassin --lint" complains. Yet SA starts without complaint and
> seems to not run those tests.

you miss score in 3 lines ?

> Placing "score" at the beginning of the line makes lint happy and SA
> seems to start fine and also does not run those tests.

so lint passed ?

> So, one assumes it is a typo in the docs, or, one is expected to infer
> the "score" word.

what docs ?

anything on web is fake news, only valid docs is perldoc
Mail::SpamAssassin::Conf

and all related plugins

> Yet I still see this while "skip_rbl_checks 1" (in both above
> scenarios):

clear your config :)

> "RCVD_IN_ZEN_BLOCKED_OPENDNS RBL: ADMINISTRATOR NOTICE:"
> Which suggests that one runs despite the directive or, I am using the
> wrong one.

make /etc/resolv.conf only have nameserver 127.0.0.1 and you either have
bind, unbound, pdns-recursor as of your own choice

still problems ?, let's hear them
Re: excluding specific RBL checks
Charles Sprickman wrote on 2023-01-08 22:23:
> What did you end up with?
>
> I have a bunch of zero rules for these yet still keep getting the
> "administrative notice" from sbl/zen.
>
> The fact that those guys don't just send out a "yes, this is on by
> default in spamassassin, here is copy pasta to turn us off" email bugs
> me.
>
> I've grown to this huge list and still get the warnings.
>
> # remove spamhaus tests, they want us to pay
> # need to include the first base rule or DNS still triggers but is
> ignored
> score __RCVD_IN_ZEN 0
> score RCVD_IN_SBL 0
> score RCVD_IN_XBL 0
> score RCVD_IN_PBL 0
> score URIBL_SBL 0
> score URIBL_CSS 0
> score URIBL_SBL_A 0
> score URIBL_CSS_A 0
> score URIBL_DBL_SPAM 0
> score URIBL_DBL_PHISH 0
> score URIBL_DBL_MALWARE 0
> score URIBL_DBL_BOTNETCC 0
> score URIBL_DBL_ABUSE_SPAM 0
> score URIBL_DBL_ABUSE_REDIR 0
> score URIBL_DBL_ABUSE_PHISH 0
> score URIBL_DBL_ABUSE_MALW 0
> score URIBL_DBL_ABUSE_BOTCC 0

oh, i bet spamhaus is still queried sadly :(

but with score 0 its not known or have any effect

if you have bind installed then do "rndc querylog" this is a toggle so
one more call shift state of querylog, do "rndc status" to see current
state

verify now its does not query undesired rbls

if you can verify this i can help solve the remaining problem
Re: excluding specific RBL checks
On Sun, Jan 08, 2023 at 04:23:11PM -0500, Charles Sprickman wrote:
> What did you end up with?
>
> I have a bunch of zero rules for these yet still keep getting the "administrative notice" from sbl/zen.
>
> The fact that those guys don't just send out a "yes, this is on by default in spamassassin, here is copy pasta to turn us off" email bugs me.
>
> I've grown to this huge list and still get the warnings.
>
> # remove spamhaus tests, they want us to pay
> # need to include the first base rule or DNS still triggers but is ignored
> score __RCVD_IN_ZEN 0
> score RCVD_IN_SBL 0
> score RCVD_IN_XBL 0
> score RCVD_IN_PBL 0
> score URIBL_SBL 0
> score URIBL_CSS 0
> score URIBL_SBL_A 0
> score URIBL_CSS_A 0
> score URIBL_DBL_SPAM 0
> score URIBL_DBL_PHISH 0
> score URIBL_DBL_MALWARE 0
> score URIBL_DBL_BOTNETCC 0
> score URIBL_DBL_ABUSE_SPAM 0
> score URIBL_DBL_ABUSE_REDIR 0
> score URIBL_DBL_ABUSE_PHISH 0
> score URIBL_DBL_ABUSE_MALW 0
> score URIBL_DBL_ABUSE_BOTCC 0
>
> Until I can get around to updating I'm considering just nuking the actual tests from the ruleset.

Much easier and reliable way:

dns_query_restriction deny spamhaus.org
Re: excluding specific RBL checks
On 1/8/2023 4:00 PM, joe a wrote:
> On 1/8/2023 3:50 PM, joe a wrote:
>> SA version 3.4.5
>>
>> Gears are clashing, clutch is slipping, among other things.
>>
>> Trying to exclude certain checks, via Spamhaus services "by the book"
>>
>> When placing these values in local.cf:
>>
>> RCVD_IN_ZEN 0
>> RCVD_IN_XBL 0
>> RCVD_IN_PBL 0
>>
>> "spamassassin --lint" complains. Yet SA starts without complaint and
>> seems to not run those tests.
>>
>> Placing "score" at the beginning of the line makes lint happy and SA
>> seems to start fine and also does not run those tests.
>>
>> So, one assumes it is a typo in the docs, or, one is expected to infer
>> the "score" word.
>>
>> Yet I still see this while "skip_rbl_checks 1" (in both above scenarios):
>>
>> "RCVD_IN_ZEN_BLOCKED_OPENDNS RBL: ADMINISTRATOR NOTICE:"
>>
>> Which suggests that one runs despite the directive or, I am using the
>> wrong one.
>>
>>
>
> And the answer to the latter is "I had the wrong directive".  Which is
> obvious.  Now.
>

Correcting myself, yet again, "score" needs to be specified, it seems,
otherwise this is seen in /var/log/mail:

2023-01-08T15:00:42.854109-05:00 auxilary spamd[14937]: config: failed to parse line, skipping, in "/etc/mail/spamassassin/local.cf": RCVD_IN_ZEN 0
2023-01-08T15:00:42.854573-05:00 auxilary spamd[14937]: config: failed to parse line, skipping, in "/etc/mail/spamassassin/local.cf": RCVD_IN_XBL 0
2023-01-08T15:00:42.854908-05:00 auxilary spamd[14937]: config: failed to parse line, skipping, in "/etc/mail/spamassassin/local.cf": RCVD_IN_PBL 0

Contrary to some, there is value in following logs when making changes.
Who'd have thought that.
Re: excluding specific RBL checks
On 1/8/2023 4:23 PM, Charles Sprickman wrote:
> What did you end up with?

score RCVD_IN_ZEN_BLOCKED_OPENDNS 0

I am not certain if that stops the test or simply reporting of the
message. Looks like I will need to do some packet capture after all.

> I have a bunch of zero rules for these yet still keep getting the "administrative notice" from sbl/zen.
>
> The fact that those guys don't just send out a "yes, this is on by default in spamassassin, here is copy pasta to turn us off" email bugs me.
>
> I've grown to this huge list and still get the warnings.
>
> # remove spamhaus tests, they want us to pay
> # need to include the first base rule or DNS still triggers but is ignored
> score __RCVD_IN_ZEN 0

Is that a typo? There should be no underscore before RCVD, correct?

> score RCVD_IN_SBL 0
> score RCVD_IN_XBL 0
> score RCVD_IN_PBL 0
> score URIBL_SBL 0
> score URIBL_CSS 0
> score URIBL_SBL_A 0
> score URIBL_CSS_A 0
> score URIBL_DBL_SPAM 0
> score URIBL_DBL_PHISH 0
> score URIBL_DBL_MALWARE 0
> score URIBL_DBL_BOTNETCC 0
> score URIBL_DBL_ABUSE_SPAM 0
> score URIBL_DBL_ABUSE_REDIR 0
> score URIBL_DBL_ABUSE_PHISH 0
> score URIBL_DBL_ABUSE_MALW 0
> score URIBL_DBL_ABUSE_BOTCC 0
>
> Until I can get around to updating I'm considering just nuking the actual tests from the ruleset.
>
> Charles
>
Re: excluding specific RBL checks
On 1/8/2023 4:38 PM, Benny Pedersen wrote:
> joe a wrote on 2023-01-08 21:50:
>> SA version 3.4.5
>>
>> Gears are clashing, clutch is slipping, among other things.
>>
>> Trying to exclude certain checks, via Spamhaus services "by the book"
>
> what book ?

The good one? Several places. Most looked like cut and paste from each
other. Trying to find the exact place now and cannot. Saw it most
recently on another list, where others happened to be having similar dns
issues.

>> When placing these values in local.cf:
>>
>> RCVD_IN_ZEN 0
>> RCVD_IN_XBL 0
>> RCVD_IN_PBL 0
>>
>> "spamassassin --lint" complains. Yet SA starts without complaint and
>> seems to not run those tests.
>
> you miss score in 3 lines ?

Yep.

>> Placing "score" at the beginning of the line makes lint happy and SA
>> seems to start fine and also does not run those tests.
>
> so lint passed ?

Yes, with score.

>> So, one assumes it is a typo in the docs, or, one is expected to infer
>> the "score" word.
>
> what docs ?
>
> anything on web is fake news, only valid docs is perldoc
> Mail::SpamAssassin::Conf


I only know of https://spamassassin.apache.org/full/3.4.x/doc/ which I
thought I was referencing. Seems likely I just allowed myself to be
misled, "chaff".

> and all related plugins
>
>> Yet I still see this while "skip_rbl_checks 1" (in both above scenarios):
>
> clear your config :)
>
>> "RCVD_IN_ZEN_BLOCKED_OPENDNS RBL: ADMINISTRATOR NOTICE:"
>> Which suggests that one runs despite the directive or, I am using the
>> wrong one.
>
> make /etc/resolv.conf only have nameserver 127.0.0.1 and you either have
> bind, unbound, pdns-recursor as of your own choice

Certainly worth a try and much simpler than what I was trying.

> still problems ?, let's hear them
Re: excluding specific RBL checks
On 1/8/2023 10:35 PM, Henrik K wrote:
> On Sun, Jan 08, 2023 at 04:23:11PM -0500, Charles Sprickman wrote:
>> . . .
>> # remove spamhaus tests,. . .
>> score RCVD_IN_SBL 0
>> score RCVD_IN_XBL 0
>> score RCVD_IN_PBL 0
>> score URIBL_SBL 0
>> score URIBL_CSS 0
>> score URIBL_SBL_A 0. . .
> Much easier and reliable way:
>
> dns_query_restriction deny spamhaus.org
>

Ah Hah! Seems to work for me. See? I CAN be taught!

joe a.
Re: excluding specific RBL checks
> On Jan 8, 2023, at 10:44 PM, joe a <joea-lists@j4computers.com> wrote:
>
> On 1/8/2023 4:23 PM, Charles Sprickman wrote:
>> What did you end up with?
>
> score RCVD_IN_ZEN_BLOCKED_OPENDNS 0
>
> I am not certain if that stops the test or simply reporting of the message. Looks like I will need to do some packet capture after all.
>
>> I have a bunch of zero rules for these yet still keep getting the "administrative notice" from sbl/zen.
>> The fact that those guys don't just send out a "yes, this is on by default in spamassassin, here is copy pasta to turn us off" email bugs me.
>> I've grown to this huge list and still get the warnings.
>> # remove spamhaus tests, they want us to pay
>> # need to include the first base rule or DNS still triggers but is ignored
>> score __RCVD_IN_ZEN 0
>
> Is that a typo? There should be no underscore before RCVD, correct?

That's copypasta from the wiki page spamhaus references. No explanation on the page why the underscores...

C

>
>> score RCVD_IN_SBL 0
>> score RCVD_IN_XBL 0
>> score RCVD_IN_PBL 0
>> score URIBL_SBL 0
>> score URIBL_CSS 0
>> score URIBL_SBL_A 0
>> score URIBL_CSS_A 0
>> score URIBL_DBL_SPAM 0
>> score URIBL_DBL_PHISH 0
>> score URIBL_DBL_MALWARE 0
>> score URIBL_DBL_BOTNETCC 0
>> score URIBL_DBL_ABUSE_SPAM 0
>> score URIBL_DBL_ABUSE_REDIR 0
>> score URIBL_DBL_ABUSE_PHISH 0
>> score URIBL_DBL_ABUSE_MALW 0
>> score URIBL_DBL_ABUSE_BOTCC 0
>> Until I can get around to updating I'm considering just nuking the actual tests from the ruleset.
>> Charles
Re: excluding specific RBL checks
> On Jan 8, 2023, at 10:35 PM, Henrik K <hege@hege.li> wrote:
>
> On Sun, Jan 08, 2023 at 04:23:11PM -0500, Charles Sprickman wrote:
>> What did you end up with?
>>
>> I have a bunch of zero rules for these yet still keep getting the "administrative notice" from sbl/zen.
>>
>> The fact that those guys don't just send out a "yes, this is on by default in spamassassin, here is copy pasta to turn us off" email bugs me.
>>
>> I've grown to this huge list and still get the warnings.
>>
>> # remove spamhaus tests, they want us to pay
>> # need to include the first base rule or DNS still triggers but is ignored
>> score __RCVD_IN_ZEN 0
>> score RCVD_IN_SBL 0
>> score RCVD_IN_XBL 0
>> score RCVD_IN_PBL 0
>> score URIBL_SBL 0
>> score URIBL_CSS 0
>> score URIBL_SBL_A 0
>> score URIBL_CSS_A 0
>> score URIBL_DBL_SPAM 0
>> score URIBL_DBL_PHISH 0
>> score URIBL_DBL_MALWARE 0
>> score URIBL_DBL_BOTNETCC 0
>> score URIBL_DBL_ABUSE_SPAM 0
>> score URIBL_DBL_ABUSE_REDIR 0
>> score URIBL_DBL_ABUSE_PHISH 0
>> score URIBL_DBL_ABUSE_MALW 0
>> score URIBL_DBL_ABUSE_BOTCC 0
>>
>> Until I can get around to updating I'm considering just nuking the actual tests from the ruleset.
>
> Much easier and reliable way:
>
> dns_query_restriction deny spamhaus.org

Trying this on half the pair, I assume this hits all subdomains of spamhaus.org?

Never ran into that parameter in my searches for this.

Thanks!

Charles
Re: excluding specific RBL checks
Charles Sprickman wrote on 2023-01-09 08:04:

>>> Until I can get around to updating I'm considering just nuking the
>>> actual tests from the ruleset.
>> Much easier and reliable way:
>>
>> dns_query_restriction deny spamhaus.org
>
> Trying this on half the pair, I assume this hits all subdomains of
> spamhaus.org?
>
> Never ran into that parameter in my searches for this.

never read perldoc Mail::SpamAssassin::Conf ?

Henrik forgot this is per domain, so fully domain including subdomain
seen in "rndc querylog" in bind logs !

spamassassin -D -t spamtestmsg 2>&1 | less

dns_query_restriction deny dwl.dnswl.org list.dnswl.org
dns_query_restriction deny multi.uribl.com

imho score foo 0 is a bug
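
On the question above of whether `dns_query_restriction deny spamhaus.org` also covers subdomains: this is an added example, not code from SpamAssassin or from any poster, modelling the matching that perldoc Mail::SpamAssassin::Conf describes (leading labels of the queried name are stripped one at a time, the tightest listed domain decides, no match means allow). The `allow dbl.spamhaus.org` line, the function names and the queried names are constructed for illustration.

```shell
#!/bin/sh
# Added example: a model of dns_query_restriction matching, not SpamAssassin's code.

# Constructed local.cf fragment. The "allow" line is an assumption added to
# show that the tightest (longest) listed domain decides.
RESTRICTIONS='
dns_query_restriction deny spamhaus.org
dns_query_restriction deny dwl.dnswl.org list.dnswl.org
dns_query_restriction allow dbl.spamhaus.org
'

# lookup_entry CONF DOMAIN -> prints allow/deny if DOMAIN itself is listed.
# In this model a later line overrides an earlier one for the same domain.
lookup_entry() {
    printf '%s\n' "$1" | awk -v d="$2" '
        $1 == "dns_query_restriction" && ($2 == "allow" || $2 == "deny") {
            for (i = 3; i <= NF; i++) if (tolower($i) == d) v = $2
        }
        END { if (v != "") print v }'
}

# query_verdict CONF QUERY_NAME -> prints allow or deny.
query_verdict() {
    name=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    name=${name%.}                       # drop a trailing root dot
    while [ -n "$name" ]; do
        verdict=$(lookup_entry "$1" "$name")
        if [ -n "$verdict" ]; then
            printf '%s\n' "$verdict"
            return 0
        fi
        case $name in
            *.*) name=${name#*.} ;;      # strip the leading label
            *)   name= ;;                # ran out of labels
        esac
    done
    printf 'allow\n'                     # implicit default
}

# Names that DNSBL rules would look up (constructed).
for q in 2.0.0.127.zen.spamhaus.org example.com.dbl.spamhaus.org \
         4.3.2.1.list.dnswl.org test.multi.uribl.com host.notspamhaus.org; do
    printf '%-32s %s\n' "$q" "$(query_verdict "$RESTRICTIONS" "$q")"
done
```

Matching is by whole labels, so `host.notspamhaus.org` is not caught by the `spamhaus.org` entry, while every name under `zen.spamhaus.org` is.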
Re: excluding specific RBL checks
>>>>Until I can get around to updating I'm considering just nuking
>>>>the actual tests from the ruleset.
>>>Much easier and reliable way:
>>>
>>>dns_query_restriction deny spamhaus.org

>Charles Sprickman wrote on 2023-01-09 08:04:
>>Trying this on half the pair, I assume this hits all subdomains of
>>spamhaus.org?
>>
>>Never ran into that parameter in my searches for this.

On 09.01.23 09:26, Benny Pedersen wrote:
>never read perldoc Mail::SpamAssassin::Conf ?

some people don't repeatedly read it thorough.

>Henrik forgot this is per domain, so fully domain including subdomain
>seen in "rndc querylog" in bind logs !
>
>spamassassin -D -t spamtestmsg 2>&1 | less
>
>dns_query_restriction deny dwl.dnswl.org list.dnswl.org
>dns_query_restriction deny multi.uribl.com
>
>imho score foo 0 is a bug

no, it's documented feature - rules with score 0 are not run.

However, joe a aka the OP should be more interested in finding out why are his
DNS queries going through an open resolver and fixing the real issue.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
WinError #98652: Operation completed successfully.
Re: excluding specific RBL checks
On 1/9/2023 3:55 AM, Matus UHLAR - fantomas wrote:
>>>>> Until I can get around to updating I'm considering just nuking the
>>>>> actual tests from the ruleset.
>>>> Much easier and reliable way:
>>>>
>>>> dns_query_restriction deny spamhaus.org
>
>> Charles Sprickman wrote on 2023-01-09 08:04:
>>> Trying this on half the pair, I assume this hits all subdomains of
>>> spamhaus.org?
>>>
>>> Never ran into that parameter in my searches for this.
>
> On 09.01.23 09:26, Benny Pedersen wrote:
>> never read perldoc Mail::SpamAssassin::Conf ?
>
> some people don't repeatedly read it thorough.
>
>> Henrik forgot this is per domain, so fully domain including subdomain
>> seen in "rndc querylog" in bind logs !
>>
>> spamassassin -D -t spamtestmsg 2>&1 | less
>>
>> dns_query_restriction deny dwl.dnswl.org list.dnswl.org
>> dns_query_restriction deny multi.uribl.com
>>
>> imho score foo 0 is a bug
>
> no, it's documented feature - rules with score 0 are not run.
>
> However, joe a aka the OP should be more interested in finding out why
> are his DNS queries going through an open resolver and fixing the real
> issue.
>

Right you are. It now appears resolved (cough, cough . . .).

Spamhaus site provided this quick test: "dig 2.0.0.127.zen.spamhaus.org
+short" which with variant "dig @my.local.dns.serv
2.0.0.127.zen.spamhaus.org +short", allowed me to pretty quickly sort it
out.

A lot of cobwebs needed to be cleared out, but, seems to be working as
advertised.

Thanks to all for their patience and suggestions.

joe a.
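
The dig check described in the last message, extended to every resolver listed in a resolv.conf, as an added example that is not part of the original posts. The 127.255.255.x meanings are Spamhaus's published error return codes; the function names and the sample resolv.conf are constructed.

```shell
#!/bin/sh
# Added example: find which configured resolver gets refused by Spamhaus.

# zen_status "DIG_SHORT_OUTPUT" -> one word describing the answer to the
# 2.0.0.127.zen.spamhaus.org test query.
zen_status() {
    [ -n "$1" ] || { echo no_answer; return 0; }
    status=unexpected
    for a in $1; do
        case $a in
            127.255.255.254) echo open_resolver; return 0 ;;  # public/open resolver
            127.255.255.255) echo over_limit;    return 0 ;;  # excessive queries
            127.255.255.252) echo bad_zone;      return 0 ;;  # typo in DNSBL name
            127.0.0.*)       status=ok ;;                     # real listing data
        esac
    done
    echo "$status"
}

# nonlocal_nameservers FILE -> nameserver addresses that are not loopback.
nonlocal_nameservers() {
    awk '$1 == "nameserver" && $2 !~ /^127\./ && $2 != "::1" { print $2 }' "$1"
}

# check_resolvers FILE -> runs the dig test through each listed nameserver.
# Needs network access and dig, so it is defined here but not called.
check_resolvers() {
    awk '$1 == "nameserver" { print $2 }' "$1" | while read -r ns; do
        out=$(dig "@$ns" 2.0.0.127.zen.spamhaus.org +short 2>/dev/null) || out=
        printf '%s\t%s\n' "$ns" "$(zen_status "$out")"
    done
}

# Offline demonstration on constructed input.
sample=$(mktemp)
printf 'search example.test\nnameserver 127.0.0.1\nnameserver 192.0.2.53\n' > "$sample"
echo "non-loopback resolvers: $(nonlocal_nameservers "$sample")"
echo "healthy answer: $(zen_status "127.0.0.2
127.0.0.4
127.0.0.10")"
echo "blocked answer: $(zen_status 127.255.255.254)"
rm -f "$sample"
```

On the mail host, `check_resolvers /etc/resolv.conf` prints one status per configured nameserver; any line other than `ok` points at the resolver to replace with a local recursive one.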