
FP from SORBS, NJABL, DYNABLOCK
This non-spam went over the threshold because 68.198.15.112 is listed
on three different lists, but in fact appears to be one of the legit Yahoo
mail servers (the friend who sent this to me did so from a Yahoo mail account).

Do all three blacklists need updating?

Steve

Content analysis details: (5.3 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.9 FROM_ENDS_IN_NUMS      From: ends in numbers
 0.1 TW_XS                  BODY: Odd Letter Triples with XS
 0.1 TW_YX                  BODY: Odd Letter Triples with YX
 1.1 MAILTO_TO_SPAM_ADDR    URI: Includes a link to a likely spammer email
 0.5 RCVD_IN_NJABL_DIALUP   RBL: NJABL: dialup sender did non-local SMTP
                            [68.198.15.112 listed in dnsbl.njabl.org]
 0.1 RCVD_IN_SORBS          RBL: SORBS: sender is listed in SORBS
                            [68.198.15.112 listed in dnsbl.sorbs.net]
 0.1 RCVD_IN_NJABL          RBL: Received via a relay in dnsbl.njabl.org
                            [68.198.15.112 listed in dnsbl.njabl.org]
 2.5 RCVD_IN_DYNABLOCK      RBL: Sent directly from dynamic IP address
                            [68.198.15.112 listed in dnsbl.sorbs.net]

--------------------------------------------------------------------
Return-Path: XXXXXXXXXXXXXXXXXXXXXXX
Received: from web11405.mail.yahoo.com (web11405.mail.yahoo.com [216.136.131.235])
by geekster.com (8.12.1/8.12.1) with SMTP id i29HJMt9007248
for <sprior@geekster.com>; Tue, 9 Mar 2004 12:19:22 -0500
Message-ID: <20040309171921.67401.qmail@web11405.mail.yahoo.com>
Received: from [68.198.15.112] by web11405.mail.yahoo.com via HTTP; Tue, 09 Mar 2004 09:19:21 PST
Date: Tue, 9 Mar 2004 09:19:21 -0800 (PST)
From: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Subject: Fwd: FW: Tuesday chuckle : )

MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-1494966760-1078852761=:66948"

--0-1494966760-1078852761=:66948
Content-Type: text/plain; charset=us-ascii
Content-Id:
Content-Disposition: inline


Note: forwarded message attached.
Re: FP from SORBS, NJABL, DYNABLOCK

Steve Prior writes:
> This non-spam went over the threshold because 68.198.15.112 is listed
> on three different lists, but in fact appears to be one of the legit Yahoo
> mail servers (the friend who sent this to me did so from a Yahoo mail account).
>
> Do all three blacklists need updating?

That's not the Yahoo mailserver -- it's the originating machine.

Received: from [68.198.15.112] by web11405.mail.yahoo.com via HTTP; Tue, 09 Mar 2004 09:19:21 PST
               ^^^^^^^^^^^^^^^
               note

--j.

RE: FP from SORBS, NJABL, DYNABLOCK
Yep, that's an Optimum Online cable modem. They have probably become
blacklisted for being infected with a virus.

> -----Original Message-----
> From: jm@jmason.org [mailto:jm@jmason.org]
> Sent: Tuesday, March 09, 2004 11:53 AM
> To: Steve Prior
> Cc: spamassassin-users@incubator.apache.org
> Subject: Re: FP from SORBS, NJABL, DYNABLOCK
>
> Steve Prior writes:
> > This non-spam went over the threshold because 68.198.15.112 is listed
> > on three different lists, but in fact appears to be one of the legit Yahoo
> > mail servers (the friend who sent this to me did so from a Yahoo mail account).
> >
> > Do all three blacklists need updating?
>
> that's not the Yahoo mailserver -- it's the originating machine.
>
> Received: from [68.198.15.112] by web11405.mail.yahoo.com via HTTP; Tue, 09 Mar 2004 09:19:21 PST
>                ^^^^^^^^^^^^^^^
> note
>
> --j.
>
Re: FP from SORBS, NJABL, DYNABLOCK
At 12:36 PM 3/9/2004, Steve Prior wrote:
>This non-spam went over the threshold because 68.198.15.112 is listed
>on three different lists, but in fact appears to be one of the legit Yahoo
>mail servers (the friend who sent this to me did so from a Yahoo mail account).

That IP is NOT a Yahoo mailserver.. it's a cablemodem block:

Optimum Online (Cablevision Systems) NETBLK-OOL-5BLK (NET-68-192-0-0-1)
68.192.0.0 - 68.199.255.255
Optimum Online (Cablevision Systems) OOL-67OSNGNY4-0821 (NET-68-198-0-0-1)
68.198.0.0 - 68.198.15.255

Host name: ool-44c60f70.dyn.optonline.net
IP address: 68.198.15.112

That IP is correctly listed in dialup lists.

The yahoo mailserver is 216.136.131.235, which is correctly not listed.


>Do all three blacklists need updating?

No, you just need to look at the mail headers closer, and you need to fix
your SA trust path.

SA is apparently getting confused (is your mailserver NATed?) and has
concluded that 216.136.131.235 is your external MX, when it's not.

Since SA thinks 216.136.131.235 is your MX, it thinks that a cable-modem
directly delivered mail to your network.. when really it was delivered to
yahoo.

You can force SA to not guess what the end of your network is by using a
trusted_networks command. Force SA to trust your mailserver IPs, and only
your mailserver IPs, and the problem should clear up.
RE: FP from SORBS, NJABL, DYNABLOCK
At 12:57 PM 3/9/2004, James Nelson wrote:
>Yep, that's an Optimum online cable modem. They have probably become black
>listed for being infected with a virus.

No, the lists they were on are dialup-node lists.. not virus or
blacklisting related at all.

RCVD_IN_NJABL_DIALUP, which leads to RCVD_IN_NJABL by necessity.

RCVD_IN_DYNABLOCK is hosted by SORBS now; this leads to RCVD_IN_SORBS by
necessity.

The reason they false fired is likely a trust-path bug in Steve's SA
config.. It's a common problem.

Many slightly-off-norm mailserver configs such as NAT really confuse SA's
ability to decide where your network ends, and it starts thinking that an
outside mailserver (in this case yahoo) is actually part of your network..
It sees a dialup node dropping mail off to a "trusted" host, and flags it.

A simple trusted_networks command listing only your mailservers will force
SA to stop trusting anything but your own MXes and clears things up nicely.
(unless of course you need to accept mail directly from dialup nodes, in
which case you probably need to turn off these rules, but this isn't one of
those cases)
Re: FP from SORBS, NJABL, DYNABLOCK
Thanks, I think you got it right - my mailserver is behind a NAT.
So, do I put the external address of my mailserver in the trusted networks
config option or the behind the NAT address?

Now I guess I've got to apologize to my friends for scaring the pants
off them by telling them they might be infected...

Steve

Matt Kettler wrote:

> A simple trusted_networks command listing only your mailservers will
> force SA to stop trusting anything but your own MXes and clears things
> up nicely. (unless of course you need to accept mail directly from
> dialup nodes, in which case you probably need to turn off these rules,
> but this isn't one of those cases)
Re: FP from SORBS, NJABL, DYNABLOCK
At 01:21 PM 3/9/2004, Steve Prior wrote:
>Thanks, I think you got it right - my mailserver is behind a NAT.
>So, do I put the external address of my mailserver in the trusted networks
>config option or the behind the NAT address?

You want the "behind the NAT" address. Basically what you want in there is
the IP your mailserver inserts into the headers on inbound mail.. That's
the private IP because the server doesn't know it's NATed, and this is what
makes SA assume "that can't possibly be the internet exchanger, it's a
reserved address".

(for reference, I know all this because xanadu.evi-inc.com is NATed)
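As an added illustration (not code from this thread and not SpamAssassin's own implementation), the following Python models the trust-path walk Matt describes above and his answer on which address to list: it shows why a guessed boundary ends up judging 68.198.15.112, why listing the private MTA address in trusted_networks fixes it, and why listing only the public NAT address does not. The internal hop 192.168.1.10, the NAT address 203.0.113.5 and the DIALUP_LISTED set are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample, newest hop first: the two Received: headers from the
# message in this thread plus one ASSUMED internal hop (192.168.1.10), the
# kind a NATed MTA stamps into mail before it reaches the mailbox host.
RECEIVED = [
    "from mx.internal ([192.168.1.10]) by mailstore.internal with ESMTP; "
    "Tue, 9 Mar 2004 12:19:23 -0500",
    "from web11405.mail.yahoo.com (web11405.mail.yahoo.com [216.136.131.235]) "
    "by geekster.com (8.12.1/8.12.1) with SMTP id i29HJMt9007248; "
    "Tue, 9 Mar 2004 12:19:22 -0500",
    "from [68.198.15.112] by web11405.mail.yahoo.com via HTTP; "
    "Tue, 09 Mar 2004 09:19:21 PST",
]
# Constructed stand-in for the dialup/dynamic DNSBL answers in the report above.
DIALUP_LISTED = {"68.198.15.112"}
FROM_IP = re.compile(r"^from\s.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def relay_ips(headers):
    """The 'from' address of each Received: header, newest hop first."""
    return [FROM_IP.search(h).group(1) for h in headers]

def last_external(ips, trusted_networks=None):
    """Walk outward from our own MTA and return the first 'from' address
    outside the trust boundary: that is the hop the dialup RBLs judge.
    trusted_networks=None models the guess Matt describes: a reserved
    (private) address "can't be the internet exchanger", so the first
    public address is taken to be the site's own MX and trusted as well."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks or []]
    guessed_mx = None
    if not nets:
        guessed_mx = next(
            (ip for ip in ips if not ipaddress.ip_address(ip).is_private), None)
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        if nets:
            trusted = any(addr in n for n in nets)
        else:
            trusted = addr.is_private or ip == guessed_mx
        if not trusted:
            return ip
    return None  # every hop was trusted: nothing left for the RBLs to check

def dialup_verdict(headers, trusted_networks=None):
    """Return (last external IP, whether that IP is on the dialup list)."""
    ip = last_external(relay_ips(headers), trusted_networks)
    return ip, ip in DIALUP_LISTED
```

The working case corresponds to a local.cf line of `trusted_networks 192.168.1.0/24` (the private range being an assumption); listing only the public NAT address stops the walk at your own internal hop, so the real external relay is never examined.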
Re: FP from SORBS, NJABL, DYNABLOCK
We have a number of folks living and working in third world countries
and their dialups are not uncommonly the same that are used by
spammers. I don't think they are false positive as far as the IP
addresses go, but I use whitelisting for those specific cases where it
becomes a repeating issue.

On Mar 9, 2004, at 12:36 PM, Steve Prior wrote:

> This non-spam went over the threshold because 68.198.15.112 is listed
> on three different lists, but in fact appears to be one of the legit Yahoo
> mail servers (the friend who sent this to me did so from a Yahoo mail account).
>
> Do all three blacklists need updating?

Kindest regards,

Ron

"What shall we do? What shall we do?" he cried, "Escaping goblins to be
caught by wolves!" - Bilbo Baggins

The Hobbit by J. R. R. Tolkien
http://www.apple.com/trailers/newline/returnoftheking/trailer_large.html