Mailing List Archive

RCVD_IN_SBL_CSS FP
it should only check received last ip, not deep all ips :/
Re: RCVD_IN_SBL_CSS FP
No.

it checks if an emission is done by an IP that is listed in SBL, and adds
3 points if it is (in our DQS implementation at least). IPs listed in
SBL are deemed "bad" by default, so an emission from them, even if it's
not direct to mx, is bad enough.

If you found an FP I encourage you to open a ticket through
https://check.spamhaus.org/ . We review all FPs and act accordingly.

On 11/01/23 17:56, Benny Pedersen wrote:
>
> it should only check received last ip, not deep all ips :/
-lastexternal is done by ZEN

--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaus.com/
Re: RCVD_IN_SBL_CSS FP
Riccardo Alfieri skrev den 2023-01-11 18:36:
> No.
>
> it checks if an emission is done by an IP that is listed in SBL, and
> adds 3 points if it is (in our DQS implementation at least). IPs listed
> in SBL are deemed "bad" by default, so an emission from them, even if
> it's not direct to mx, is bad enough.
>
> If you found an FP I encourage you to open a ticket through
> https://check.spamhaus.org/ . We review all FPs and act accordingly.
> On 11/01/23 17:56, Benny Pedersen wrote:
>
>> it should only check received last ip, not deep all ips :/
> -lastexternal is done by ZEN

X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-14) on localhost.junc.eu
X-Spam-Flag: YES
X-Spam-Level: *****
X-Spam-Status: Yes, score=5.2 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
    DKIM_VALID_AU,DMARC_PASS,HEADER_FROM_DIFFERENT_DOMAINS,
    MAILING_LIST_MULTI,RCVD_IN_DNSWL_LOW,RCVD_IN_MSPIKE_H3,
    RCVD_IN_MSPIKE_WL,RCVD_IN_SBL_CSS,RELAYCOUNTRY_GREY,SPF_HELO_NONE,
    SPF_NONE shortcircuit=no autolearn=no autolearn_force=no version=4.0.0
X-Spam-Report:
    * -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at https://www.dnswl.org/, low
    *      trust
    *      [168.100.1.4 listed in list.dnswl.org]
    *  3.6 RCVD_IN_SBL_CSS RBL: Received via a relay in Spamhaus SBL-CSS
    *      [46.183.103.8 listed in zen.spamhaus.org]
    *  1.6 SPF_NONE SPF: sender does not publish an SPF Record
    *  0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3)
    *      [168.100.1.4 listed in wl.mailspike.net]
    *  1.6 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
    * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
    *  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
    *      valid
    * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
    *       domain
    *  0.0 RCVD_IN_MSPIKE_WL Mailspike good senders
    *  0.1 RELAYCOUNTRY_GREY Relayed through at some point
    *  0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
    *      domains are different
    * -1.0 MAILING_LIST_MULTI Multiple indicators imply a widely-seen list
    *      manager
    * -0.1 DMARC_PASS DMARC pass policy
X-Spam-AWL: AWL= MEAN= COUNT= PRESCORE=
X-Spam-Relay-Country: US ** ** ** ** DE DE
X-Spam-ASN: AS3700 168.100.0.0/22
X-Fuglu-Incomingport: 10025
X-Fuglu-Suspect: 6a8f891e8b134a9f92cd83617788ebc7
X-Greylist: whitelisted by SQLgrey-1.8.0
Received: from russian-caravan.cloud9.net (russian-caravan.cloud9.net [168.100.1.4])
    by mx.junc.eu (Postfix) with ESMTPS
    for <me@junc.eu>; Wed, 11 Jan 2023 15:58:34 +0100 (CET)



/var/lib/spamassassin/4.000000/spamassassin_snb_it/20_ITA.cf:header __ITA_RCVD_IN_SENDERSCORE_0_29 eval:check_rbl('senderscore0-lastexternal','score.senderscore.com.','^127\.0\.4\.([1-2]?[0-9])$')
/var/lib/spamassassin/4.000000/kam_sa-channels_mcgrail_com/nonKAMrules.cf:header __RCVD_IN_HOSTKARMA eval:check_rbl('HOSTKARMA-lastexternal','hostkarma.junkemailfilter.com.')
/var/lib/spamassassin/4.000000/kam_sa-channels_mcgrail_com/nonKAMrules.cf:header RCVD_IN_HOSTKARMA_W eval:check_rbl_sub('HOSTKARMA-lastexternal', '127.0.0.1')
/var/lib/spamassassin/4.000000/kam_sa-channels_mcgrail_com/nonKAMrules.cf:header RCVD_IN_HOSTKARMA_BL eval:check_rbl_sub('HOSTKARMA-lastexternal', '127.0.0.2')
/var/lib/spamassassin/4.000000/kam_sa-channels_mcgrail_com/nonKAMrules.cf:header RCVD_IN_HOSTKARMA_BR eval:check_rbl_sub('HOSTKARMA-lastexternal', '127.0.0.4')
/var/lib/spamassassin/4.000000/updates_spamassassin_org/20_dnsbl_tests.cf:header RCVD_IN_SORBS_DUL eval:check_rbl('sorbs-lastexternal', 'dnsbl.sorbs.net.', '127.0.0.10')
/var/lib/spamassassin/4.000000/updates_spamassassin_org/20_dnsbl_tests.cf:header RCVD_IN_XBL eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.', '^127\.0\.0\.[4567]$')
/var/lib/spamassassin/4.000000/updates_spamassassin_org/20_dnsbl_tests.cf:header RCVD_IN_PBL eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.', '^127\.0\.0\.1[01]$')
/var/lib/spamassassin/4.000000/updates_spamassassin_org/20_dnsbl_tests.cf:header RCVD_IN_ZEN_BLOCKED_OPENDNS eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.', '^127\.255\.255\.254$')
/var/lib/spamassassin/4.000000/updates_spamassassin_org/20_dnsbl_tests.cf:header RCVD_IN_ZEN_BLOCKED eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.', '^127\.255\.255\.255$')
/var/lib/spamassassin/4.000000/updates_spamassassin_org/20_dnsbl_tests.cf:header RCVD_IN_MAPS_DUL eval:check_rbl('rblplus-lastexternal', 'activationcode.r.mail-abuse.com.', '2')
/var/lib/spamassassin/4.000000/updates_spamassassin_org/20_dnsbl_tests.cf:header RCVD_IN_VALIDITY_RPBL eval:check_rbl('rnbl-lastexternal','bl.score.senderscore.com.')
/var/lib/spamassassin/4.000000/updates_spamassassin_org/20_mailspike.cf:header __RCVD_IN_MSPIKE_B eval:check_rbl('mspikeb-lastexternal', 'bl.mailspike.net.')
/var/lib/spamassassin/4.000000/updates_spamassassin_org/20_mailspike.cf:header __RCVD_IN_MSPIKE_Z eval:check_rbl_sub('mspikeb-lastexternal', '127.0.0.2')
/var/lib/spamassassin/4.000000/updates_spamassassin_org/20_mailspike.cf:header RCVD_IN_MSPIKE_L5 eval:check_rbl_sub('mspikeb-lastexternal', '127.0.0.10')
/var/lib/spamassassin/4.000000/updates_spamassassin_org/20_mailspike.cf:header RCVD_IN_MSPIKE_L4 eval:check_rbl_sub('mspikeb-lastexternal', '127.0.0.11')
/var/lib/spamassassin/4.000000/updates_spamassassin_org/20_mailspike.cf:header RCVD_IN_MSPIKE_L3 eval:check_rbl_sub('mspikeb-lastexternal', '127.0.0.12')
/var/lib/spamassassin/4.000000/updates_spamassassin_org/20_mailspike.cf:header RCVD_IN_MSPIKE_L2 eval:check_rbl_sub('mspikeb-lastexternal', '127.0.0.13')
/var/lib/spamassassin/4.000000/updates_spamassassin_org/72_active.cf:header RCVD_IN_PSBL eval:check_rbl('psbl-lastexternal', 'psbl.surriel.com.')

/var/lib/spamassassin/4.000000/updates_spamassassin_org/20_dnsbl_tests.cf:header RCVD_IN_SBL_CSS eval:check_rbl_sub('zen', '127.0.0.3')
/var/lib/spamassassin/4.000000/updates_spamassassin_org/20_dnsbl_tests.cf:describe RCVD_IN_SBL_CSS Received via a relay in Spamhaus SBL-CSS
/var/lib/spamassassin/4.000000/updates_spamassassin_org/20_dnsbl_tests.cf:tflags RCVD_IN_SBL_CSS net
/var/lib/spamassassin/4.000000/updates_spamassassin_org/20_dnsbl_tests.cf:reuse RCVD_IN_SBL_CSS
/var/lib/spamassassin/4.000000/updates_spamassassin_org/50_scores.cf:score RCVD_IN_SBL_CSS 0 3.558 0 3.335 # n=0 n=2
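The point the two posters are arguing over, shown as an added example that is not code from this thread or from SpamAssassin itself: a small Python model of how check_rbl and check_rbl_sub pick the relay IPs they query. The relay chain, the trusted network 192.0.2.0/24, the stand-in DNSBL answers and the __RCVD_IN_ZEN loader rule are assumptions made for the demo; the two relay addresses, the rule names and the return-code patterns are the ones in the report and rule listing quoted above. A set whose name ends in -lastexternal queries only the relay that handed the message to the MX, a plain set queries every untrusted relay in the chain, and check_rbl_sub reads the answers already fetched for its set without sending any further query.

```python
"""Model of SpamAssassin check_rbl / check_rbl_sub relay selection (added example)."""
import ipaddress
import re

ZEN = "zen.spamhaus.org."

# Constructed sample data.  Relays are listed newest-first, as SpamAssassin
# orders the Received: headers: 168.100.1.4 handed the mail to the MX and
# 46.183.103.8 is a deeper relay.  The trusted network is an assumption.
SAMPLE_RELAYS = ["168.100.1.4", "46.183.103.8"]
SAMPLE_TRUSTED = ["192.0.2.0/24"]
# Stand-in for DNS answers: only the deeper relay is listed, with the
# 127.0.0.3 (SBL-CSS) return code the X-Spam-Report shows.
SAMPLE_ANSWERS = {ZEN: {"46.183.103.8": ["127.0.0.3"]}}

# (rule, eval function, set name, zone, subtest), mirroring the rules quoted
# in the thread.  __RCVD_IN_ZEN is an assumed loader rule: check_rbl_sub('zen',
# ...) can only match answers that some check_rbl call on the plain 'zen'
# set has already fetched.
SAMPLE_RULES = [
    ("RCVD_IN_XBL",     "check_rbl",     "zen-lastexternal", ZEN, r"^127\.0\.0\.[4567]$"),
    ("RCVD_IN_PBL",     "check_rbl",     "zen-lastexternal", ZEN, r"^127\.0\.0\.1[01]$"),
    ("__RCVD_IN_ZEN",   "check_rbl",     "zen",              ZEN, None),
    ("RCVD_IN_SBL_CSS", "check_rbl_sub", "zen",              None, "127.0.0.3"),
]


class RblModel:
    """Simplified relay selection and lookup caching; not the real plugin."""

    def __init__(self, relays, trusted, answers):
        self.relays = [ipaddress.ip_address(r) for r in relays]
        self.trusted = [ipaddress.ip_network(n) for n in trusted]
        self.answers = answers
        self.cache = {}    # (zone, ip) -> return codes, one lookup per pair
        self.sets = {}     # set name -> {ip: return codes} for check_rbl_sub
        self.queries = 0   # lookups that actually went out to "DNS"

    def untrusted(self):
        return [ip for ip in self.relays
                if not any(ip in net for net in self.trusted)]

    def relays_for(self, set_name):
        # -lastexternal: only the first untrusted relay, i.e. the host that
        # connected to our MX.  Otherwise every untrusted relay in the chain.
        ips = self.untrusted()
        return ips[:1] if set_name.endswith("-lastexternal") else ips

    def lookup(self, zone, ip):
        key = (zone, str(ip))
        if key not in self.cache:
            self.queries += 1
            # A real query name reverses the octets: 8.103.183.46.zen.spamhaus.org.
            self.cache[key] = list(self.answers.get(zone, {}).get(str(ip), []))
        return self.cache[key]

    def check_rbl(self, set_name, zone, subtest=None):
        results = self.sets.setdefault(set_name, {})
        for ip in self.relays_for(set_name):
            results[str(ip)] = self.lookup(zone, ip)
        return self.matching(results, subtest)

    def check_rbl_sub(self, set_name, subtest):
        # Reuses answers already stored for the set: no additional lookups.
        return self.matching(self.sets.get(set_name, {}), subtest)

    @staticmethod
    def matching(results, subtest):
        """IPs whose return codes satisfy the subtest: a regex if it starts
        with '^', an exact code otherwise, any listing at all if None."""
        hits = []
        for ip, codes in results.items():
            for code in codes:
                if (subtest is None
                        or (subtest.startswith("^") and re.search(subtest, code))
                        or code == subtest):
                    hits.append(ip)
                    break
        return hits


def evaluate(rules, relays, trusted, answers):
    """Run the rule table; return ({rule: [listed IPs]}, number of lookups)."""
    model = RblModel(relays, trusted, answers)
    hits = {}
    for name, func, set_name, zone, subtest in rules:
        if func == "check_rbl":
            hits[name] = model.check_rbl(set_name, zone, subtest)
        else:
            hits[name] = model.check_rbl_sub(set_name, subtest)
    return hits, model.queries


if __name__ == "__main__":
    hits, queries = evaluate(SAMPLE_RULES, SAMPLE_RELAYS, SAMPLE_TRUSTED, SAMPLE_ANSWERS)
    for rule, ips in hits.items():
        print(f"{rule:18} {'hit: ' + ', '.join(ips) if ips else 'no hit'}")
    print(f"lookups sent: {queries}")
```

With the sample chain, the zen-lastexternal rules (RCVD_IN_XBL, RCVD_IN_PBL) see only 168.100.1.4 and stay quiet, while RCVD_IN_SBL_CSS fires on 46.183.103.8 because the plain zen set walked the whole chain; the lookup counter stops at two, one per distinct relay, however many check_rbl_sub rules hang off the set.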
Re: RCVD_IN_SBL_CSS FP
46.183.103.8 is listed because it's an emitter of spam: it has been
HELOing with "host-41.36.37.63.tedata.net" and it is hitting traps. I
could tell you exactly what botnet family this type of HELO comes
from, but I can't. Believe me, that host is infected.

So you have an emitter that is infected by something, sending both good
and bad traffic. We signal that by giving it a "3" score, and I don't
know where you get that 3.6 score, as we define it by

sh_scores.cf:  score    RCVD_IN_SBL_CSS         3

If math doesn't fail me, 3 is less than 3.6, and the total would have
scored less than 5, so, from my POV, "working as expected".

There are also SPF_NONE and SPF_HELO_NONE which, in the standard SA (3.4.6)
rules as updated yesterday, both score 0.001 instead of 1.6. I can't
understand the logic of assigning a score so high just for *not* having
an SPF record, and I hope you didn't do it on purpose.

Of course, if you are not using DQS (meaning you are using Spamhaus
public mirrors), you are on your own.

PSA: everyone using public mirrors should switch to free DQS

On 11/01/23 19:43, Benny Pedersen wrote:
> Riccardo Alfieri skrev den 2023-01-11 18:36:
>> No.
>>
>> it checks if an emission is done by an IP that is listed in SBL, and
>> adds 3 points if it is (in our DQS implementation at least). IPs listed
>> in SBL are deemed "bad" by default, so an emission from them, even if
>> it's not direct to mx, is bad enough.
>>
>> If you found an FP I encourage you to open a ticket through
>> https://check.spamhaus.org/ . We review all FPs and act accordingly.
>> On 11/01/23 17:56, Benny Pedersen wrote:
>>
>>> it should only check received last ip, not deep all ips :/
>>  -lastexternal is done by ZEN
>
> X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-14) on
> localhost.junc.eu
> X-Spam-Flag: YES
> X-Spam-Level: *****
> X-Spam-Status: Yes, score=5.2 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
>     DKIM_VALID_AU,DMARC_PASS,HEADER_FROM_DIFFERENT_DOMAINS,
>     MAILING_LIST_MULTI,RCVD_IN_DNSWL_LOW,RCVD_IN_MSPIKE_H3,
>     RCVD_IN_MSPIKE_WL,RCVD_IN_SBL_CSS,RELAYCOUNTRY_GREY,SPF_HELO_NONE,
>     SPF_NONE shortcircuit=no autolearn=no autolearn_force=no
> version=4.0.0
> X-Spam-Report:
>     * -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at
> https://www.dnswl.org/, low
>     *      trust
>     *      [168.100.1.4 listed in list.dnswl.org]
>     *  3.6 RCVD_IN_SBL_CSS RBL: Received via a relay in Spamhaus SBL-CSS
>     *      [46.183.103.8 listed in zen.spamhaus.org]
>     *  1.6 SPF_NONE SPF: sender does not publish an SPF Record
>     *  0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3)
>     *      [168.100.1.4 listed in wl.mailspike.net]
>     *  1.6 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
>     * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
>     *  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not
> necessarily
>     *      valid
>     * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
> author's
>     *       domain
>     *  0.0 RCVD_IN_MSPIKE_WL Mailspike good senders
>     *  0.1 RELAYCOUNTRY_GREY Relayed through at some point
>     *  0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd
> level mail
>     *      domains are different
>     * -1.0 MAILING_LIST_MULTI Multiple indicators imply a widely-seen
> list
>     *      manager
>     * -0.1 DMARC_PASS DMARC pass policy
> X-Spam-AWL: AWL= MEAN= COUNT= PRESCORE=
> X-Spam-Relay-Country: US ** ** ** ** DE DE
> X-Spam-ASN: AS3700 168.100.0.0/22
> X-Fuglu-Incomingport: 10025
> X-Fuglu-Suspect: 6a8f891e8b134a9f92cd83617788ebc7
> X-Greylist: whitelisted by SQLgrey-1.8.0
> Received: from russian-caravan.cloud9.net (russian-caravan.cloud9.net
> [168.100.1.4])
>     by mx.junc.eu (Postfix) with ESMTPS
>     for <me@junc.eu>; Wed, 11 Jan 2023 15:58:34 +0100 (CET)
>
>
>
> /var/lib/spamassassin/4.000000/spamassassin_snb_it/20_ITA.cf:
> header        __ITA_RCVD_IN_SENDERSCORE_0_29
> eval:check_rbl('senderscore0-lastexternal','score.senderscore.com.','^127\.0\.4\.([1-2]?[0-9])$')
> /var/lib/spamassassin/4.000000/kam_sa-channels_mcgrail_com/nonKAMrules.cf:header
> __RCVD_IN_HOSTKARMA
> eval:check_rbl('HOSTKARMA-lastexternal','hostkarma.junkemailfilter.com.')
> /var/lib/spamassassin/4.000000/kam_sa-channels_mcgrail_com/nonKAMrules.cf:header
> RCVD_IN_HOSTKARMA_W eval:check_rbl_sub('HOSTKARMA-lastexternal',
> '127.0.0.1')
> /var/lib/spamassassin/4.000000/kam_sa-channels_mcgrail_com/nonKAMrules.cf:header
> RCVD_IN_HOSTKARMA_BL eval:check_rbl_sub('HOSTKARMA-lastexternal',
> '127.0.0.2')
> /var/lib/spamassassin/4.000000/kam_sa-channels_mcgrail_com/nonKAMrules.cf:header
> RCVD_IN_HOSTKARMA_BR eval:check_rbl_sub('HOSTKARMA-lastexternal',
> '127.0.0.4')
> /var/lib/spamassassin/4.000000/updates_spamassassin_org/20_dnsbl_tests.cf:header
> RCVD_IN_SORBS_DUL        eval:check_rbl('sorbs-lastexternal',
> 'dnsbl.sorbs.net.', '127.0.0.10')
> /var/lib/spamassassin/4.000000/updates_spamassassin_org/20_dnsbl_tests.cf:header
> RCVD_IN_XBL              eval:check_rbl('zen-lastexternal',
> 'zen.spamhaus.org.', '^127\.0\.0\.[4567]$')
> /var/lib/spamassassin/4.000000/updates_spamassassin_org/20_dnsbl_tests.cf:header
> RCVD_IN_PBL              eval:check_rbl('zen-lastexternal',
> 'zen.spamhaus.org.', '^127\.0\.0\.1[01]$')
> /var/lib/spamassassin/4.000000/updates_spamassassin_org/20_dnsbl_tests.cf:header
> RCVD_IN_ZEN_BLOCKED_OPENDNS eval:check_rbl('zen-lastexternal',
> 'zen.spamhaus.org.', '^127\.255\.255\.254$')
> /var/lib/spamassassin/4.000000/updates_spamassassin_org/20_dnsbl_tests.cf:header
> RCVD_IN_ZEN_BLOCKED    eval:check_rbl('zen-lastexternal',
> 'zen.spamhaus.org.', '^127\.255\.255\.255$')
> /var/lib/spamassassin/4.000000/updates_spamassassin_org/20_dnsbl_tests.cf:header
> RCVD_IN_MAPS_DUL         eval:check_rbl('rblplus-lastexternal',
> 'activationcode.r.mail-abuse.com.', '2')
> /var/lib/spamassassin/4.000000/updates_spamassassin_org/20_dnsbl_tests.cf:header
> RCVD_IN_VALIDITY_RPBL
> eval:check_rbl('rnbl-lastexternal','bl.score.senderscore.com.')
> /var/lib/spamassassin/4.000000/updates_spamassassin_org/20_mailspike.cf:header
> __RCVD_IN_MSPIKE_B    eval:check_rbl('mspikeb-lastexternal',
> 'bl.mailspike.net.')
> /var/lib/spamassassin/4.000000/updates_spamassassin_org/20_mailspike.cf:header
> __RCVD_IN_MSPIKE_Z    eval:check_rbl_sub('mspikeb-lastexternal',
> '127.0.0.2')
> /var/lib/spamassassin/4.000000/updates_spamassassin_org/20_mailspike.cf:header
> RCVD_IN_MSPIKE_L5    eval:check_rbl_sub('mspikeb-lastexternal',
> '127.0.0.10')
> /var/lib/spamassassin/4.000000/updates_spamassassin_org/20_mailspike.cf:header
> RCVD_IN_MSPIKE_L4    eval:check_rbl_sub('mspikeb-lastexternal',
> '127.0.0.11')
> /var/lib/spamassassin/4.000000/updates_spamassassin_org/20_mailspike.cf:header
> RCVD_IN_MSPIKE_L3    eval:check_rbl_sub('mspikeb-lastexternal',
> '127.0.0.12')
> /var/lib/spamassassin/4.000000/updates_spamassassin_org/20_mailspike.cf:header
> RCVD_IN_MSPIKE_L2    eval:check_rbl_sub('mspikeb-lastexternal',
> '127.0.0.13')
> /var/lib/spamassassin/4.000000/updates_spamassassin_org/72_active.cf:header
>   RCVD_IN_PSBL  eval:check_rbl('psbl-lastexternal', 'psbl.surriel.com.')
>
> /var/lib/spamassassin/4.000000/updates_spamassassin_org/20_dnsbl_tests.cf:header
> RCVD_IN_SBL_CSS        eval:check_rbl_sub('zen', '127.0.0.3')
> /var/lib/spamassassin/4.000000/updates_spamassassin_org/20_dnsbl_tests.cf:describe
> RCVD_IN_SBL_CSS    Received via a relay in Spamhaus SBL-CSS
> /var/lib/spamassassin/4.000000/updates_spamassassin_org/20_dnsbl_tests.cf:tflags
> RCVD_IN_SBL_CSS        net
> /var/lib/spamassassin/4.000000/updates_spamassassin_org/20_dnsbl_tests.cf:reuse
>  RCVD_IN_SBL_CSS
> /var/lib/spamassassin/4.000000/updates_spamassassin_org/50_scores.cf:score
> RCVD_IN_SBL_CSS 0 3.558 0 3.335 # n=0 n=2

--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaus.com/
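To check the arithmetic in the post above, here is an added example that is not code from the thread: a parser for the X-Spam-Report block quoted earlier and a re-scoring function that applies alternative rule scores to it. The report text is a copy of the one in the thread, and the override tables use the values the post states (RCVD_IN_SBL_CSS at 3 from sh_scores.cf, 0.001 for SPF_NONE and SPF_HELO_NONE in stock 3.4.6 rules); the 5.0 threshold comes from the X-Spam-Status line. Which score file wins is a local configuration question the thread leaves open, so the example treats the overrides as inputs rather than asserting what the poster's box loads.

```python
"""Parse an X-Spam-Report block and re-score it with alternative rule scores
(added example, not from the thread)."""
import re

# Copy of the X-Spam-Report lines quoted in the thread, continuation lines
# included exactly as SpamAssassin folds them.
SAMPLE_REPORT = """\
* -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at https://www.dnswl.org/, low
*      trust
*      [168.100.1.4 listed in list.dnswl.org]
*  3.6 RCVD_IN_SBL_CSS RBL: Received via a relay in Spamhaus SBL-CSS
*      [46.183.103.8 listed in zen.spamhaus.org]
*  1.6 SPF_NONE SPF: sender does not publish an SPF Record
*  0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3)
*      [168.100.1.4 listed in wl.mailspike.net]
*  1.6 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
*  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
*      valid
* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
*       domain
*  0.0 RCVD_IN_MSPIKE_WL Mailspike good senders
*  0.1 RELAYCOUNTRY_GREY Relayed through at some point
*  0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
*      domains are different
* -1.0 MAILING_LIST_MULTI Multiple indicators imply a widely-seen list
*      manager
* -0.1 DMARC_PASS DMARC pass policy
"""

# Threshold from the X-Spam-Status line in the thread.
REQUIRED = 5.0
# Score the post says Spamhaus ships in sh_scores.cf for DQS users.
DQS_SCORES = {"RCVD_IN_SBL_CSS": 3.0}
# Scores the post says stock SA 3.4.6 rules assign to the two SPF rules.
STOCK_SPF_SCORES = {"SPF_NONE": 0.001, "SPF_HELO_NONE": 0.001}

# A scored line: "* <score> <RULE_NAME> <description>"
RULE_LINE = re.compile(r"^\*\s+(-?\d+\.\d+)\s+([A-Z0-9_]+)\s*(.*)$")


def parse_report(text):
    """Return [(rule, score, description)] in report order.  Folded
    continuation lines (those without a score) are joined onto the
    preceding rule's description."""
    rules = []
    for line in text.splitlines():
        m = RULE_LINE.match(line)
        if m:
            rules.append([m.group(2), float(m.group(1)), m.group(3).strip()])
        elif line.startswith("*") and rules:
            rules[-1][2] += " " + line.lstrip("* ").strip()
    return [tuple(r) for r in rules]


def total_score(rules, overrides=None):
    """Sum the scores, substituting the score of any rule present in overrides."""
    overrides = overrides or {}
    return round(sum(overrides.get(name, score) for name, score, _ in rules), 3)


def rescore(text, overrides=None, required=REQUIRED):
    """Return (total, flagged as spam?) for the report under the given overrides."""
    total = total_score(parse_report(text), overrides)
    return total, total >= required


if __name__ == "__main__":
    scenarios = [
        ("as scored", None),
        ("DQS score for SBL_CSS", DQS_SCORES),
        ("DQS + stock SPF scores", {**DQS_SCORES, **STOCK_SPF_SCORES}),
    ]
    for label, overrides in scenarios:
        total, spam = rescore(SAMPLE_REPORT, overrides)
        print(f"{label:24} total={total:<6} spam={spam}")
```

The three scenarios reproduce the reasoning in the post: the report as printed sums to 5.2 and crosses the 5.0 line; with RCVD_IN_SBL_CSS at 3 it drops to 4.6 and does not; with the stock SPF scores as well it lands near 1.4.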
Re: RCVD_IN_SBL_CSS FP
Riccardo Alfieri skrev den 2023-01-11 22:18:
> 46.183.103.8 is listed because it's an emitter of spam, it has been

> PSA: everyone using public mirrors should switch to free DQS

current spamassassin rule sets use multiple check_rbl where most of
them should be check_rbl_sub to avoid overloading servers at spamhaus;
see for example the mailspike rules, which do work

if the listed ip had delivered directly to the mx it would be fair to list
this, but not for mail relayed through a postfix mailing list and found in
deep header listings; this will always give an fp no matter what rules are used

i do dqs at the mta stage, not in spamassassin; i am considering disabling
the rbl plugin in spamassassin, but nothing more than that. i see rbl checks
as abuse of listings, good or bad does not matter

hopefully Patrick Ben Koetter at sys4.de knows how to handle it