Re: blacklist.cf FP - remove? (was Re: User Blacklist False Positives?)
Raquel Rice wrote:
> [...]
> This is just a request to remove the two domains, wlu.edu and
> zworg.com from blacklist.cf. I'm having false positives on two
> different email lists: php-general@lists.php.net and
> users@httpd.apache.org

IMPORTANT: I personally think Chris Santerre and William Stearns are
doing wonderful things. Please DO NOT take any of this as criticism of
their efforts!

I think we're getting into an awkward place between trying to flag
'spammy' domains and avoiding false positives. blacklist.cf is a great
tool. blacklist-uri.cf and bigevil.cf are equally wonderful for flagging
likely spam.

However, after a few bad experiences with blacklists, AWL and scoring
based on domain of origin, I'm of two opinions:

1. AWL is a great feature. I want to use it. However, it does not play
well with "insanely high" scoring (i.e. blacklists) that slam high
numbers in. The fact that this effect is persistent after the
black/whitelist entry is deleted is particularly bothersome. I have
perused the Wiki and manpages, but haven't seen a way to bring down the
+/- 100 scoring associated with black/whitelists. I prefer the
"moderately scored" approach. Maybe a clipping factor for scores. Am I
missing something that exists already?

2. Hitting on domain of origin alone is fine, but I want to create a
local meta rule that moderates the effect of such hits (i.e. "spammy
domain AND one or more tell-tale spam signs"). Particularly useful to
those who are on lists with the odd useful post from someone from a bad
domain. Chris' bigevil approach of adding "moderate" scores to messages
from bad origin domains is close to what I'm after. I like the idea of
downloading a list of suspect domains, but I'd like an easier way to
tweak/modify the scores without resorting to filtering the file through
sed or similar.

Ideally, I'd like to have the "blacklist adjustment" and "whitelist
adjustment" values stored in a config separate from the rulesets (i.e.
blacklist.cf, 60_whitelist.cf) so I can change it once, and have it
remain in play even when I update those files.

Similarly, I'd like to be able to create a meta that says "if a hit from
this set (i.e. bigevil) [+optional other conditions] then score X". I'm
probably after a wildcard match for rule names in metas here, but even
that seems cumbersome and error-prone.

Is there any such capability I'm missing?

Thanks all,

- Bob
Re: blacklist.cf FP - remove? (was Re: User Blacklist False Positives?)
Bob George wrote:
> 1. AWL is a great feature. I want to use it. However, it does not
> play well with "insanely high" scoring (i.e. blacklists) that slam
> high numbers in. The fact that this effect is persistent after the
> black/whitelist entry is deleted is particularly bothersome. I
> have perused the Wiki and manpages, but haven't seen a way to bring
> down the +/- 100 scoring associated with black/whitelists.

From the default scores in /usr/share/spamassassin/50_scores.cf:
score USER_IN_BLACKLIST 100.000
score USER_IN_WHITELIST -100.000
score USER_IN_DEF_WHITELIST -15.000
score USER_IN_BLACKLIST_TO 10.000
score USER_IN_WHITELIST_TO -6.000

Modify to taste. <g>

I changed the USER_IN_WHITELIST_TO score down to -25 a LONG time ago
(~SA 2.4something, IIRC) due to listmail getting tagged. Changes in SA
since then have probably rendered that useless, but I haven't had any
reason to remove the lower score.

-kgd
--
"Sendmail administration is not black magic. There are legitimate
technical reasons why it requires the sacrificing of a live chicken."
- Unknown
Re: blacklist.cf FP - remove? (was Re: User Blacklist False Positives?)
Kris Deugau wrote:
> [...]
> From the default scores in /usr/share/spamassassin/50_scores.cf:
> score USER_IN_BLACKLIST 100.000
> score USER_IN_WHITELIST -100.000
> score USER_IN_DEF_WHITELIST -15.000
> score USER_IN_BLACKLIST_TO 10.000
> score USER_IN_WHITELIST_TO -6.000
>
> Modify to taste. <g>

Augh! (In my best Charlie Brown voice) OK, it had to be simple. I swear
I checked the docs and Wiki! But of course, they are rules, so...

I thought I'd tried over-riding in local.cf, but I will try again. Thanks!

> I changed the USER_IN_WHITELIST_TO score down to -25 a LONG time ago
> (~SA 2.4something, IIRC) due to listmail getting tagged. Changes in SA
> since then have probably rendered that useless, but I haven't had any
> reason to remove the lower score.

I'm thinking +/- some small multiple of spam threshold will suffice. Any
spammy content will drive it up, non-spammy down (esp. with bayes) and
AWL won't go nuts on 1st post. Any comments?

- Bob
Re: blacklist.cf FP - remove? (was Re: User Blacklist False Positives?)
Bob George wrote:
[ re: rescoring whitelist/blacklist ]
> I'm thinking +/- some small multiple of spam threshold will suffice.
> Any spammy content will drive it up, non-spammy down (esp. with
> bayes) and AWL won't go nuts on 1st post. Any comments?

I'm a little surprised at the trouble this seems to cause some people;
in about a year and a half running the ISP filter server here, I've yet
to see much more than "simple" mail-volume-exceeds-processing-capacity
problems.

But making the whitelist and blacklist scores smaller is probably not a
bad idea.

I've yet to meet any legit mail that's scored more than ~20 (before
Bayes/RBLs/AWL), so you might want to keep the whitelist score in the
-15 to -20 range, maybe a bit larger. Most FPs have been in the 5-8
range.

The blacklist score should probably be equal magnitude in case one user
really REALLY *REALLY* doesn't want to receive nominally legit mail that
has been globally whitelisted. I've got a few of those here. :/

-kgd
Re: blacklist.cf FP - remove? (was Re: User Blacklist False Positives?)
Kris Deugau wrote:
> [...]
> I've yet to meet any legit mail that's scored more than ~20 (before
> Bayes/RBLs/AWL), so you might want to keep the whitelist score in the
> -15 to -20 range, maybe a bit larger. Most FPs have been in the 5-8
> range.

Just by coincidence, I got caught by 2 events:

1. Spam was sent to a normally spam-free list hosted on
securityfocus.com (listed in 60_whitelist.cf) resulting in the spammer's
address getting a -100/1 in AWL.

2. Non-spam was sent from a domain listed in William Stearns'
blacklist.cf, resulting in THAT address getting a +100/1 in AWL.

Neither was particularly catastrophic, except for the persistence of AWL
entries even after cleanup of the .cf entries. (AWL is NOT
white/blacklist, except for this side effect. Confusing to say the least!)

I like AWL, but can see it's an issue with white/blacklists. Perhaps
best just not to use them together? I'm not coming up with any solutions
for having AWL not used if white/blacklisted either.

> The blacklist score should probably be equal magnitude in case one user
> really REALLY *REALLY* doesn't want to receive nominally legit mail that
> has been globally whitelisted. I've got a few of those here. :/

Thanks for the insight into the provider-scale issues. Do you enable AWL
for users?

- Bob
Re[2]: blacklist.cf FP - remove? (was Re: User Blacklist False Positives?)
Hello Bob,

Wednesday, March 10, 2004, 7:23:55 AM, you wrote:

BG> Similarly, I'd like to be able to create a meta that says "if a hit from
BG> this set (i.e. bigevil) [+optional other conditions] then score X". I'm
BG> probably after a wildcard match for rule names in metas here, but even
BG> that seems cumbersome and error-prone.

BG> Is there any such capability I'm missing?

Yes -- simply change the scores on the rules.

I modify the scores on bigevil before installing any new copy (the
scores as distributed are too low for my systems, since we run with a
required-hits of 9).

You can also change the scores on the BLACKLIST rule to lessen the
impact of the William Stearns' contributed blacklist. (I prefer to
simply review the list before installing, and remove entries that I
know are a problem here. But then, I don't use AWL.)

Bob Menschel
Re: blacklist.cf FP - remove? (was Re: User Blacklist False Positives?)
Bob George wrote:
> I like AWL, but can see it's an issue with white/blacklists. Perhaps
> best just not to use them together? I'm not coming up with any
> solutions for having AWL not used if white/blacklisted either.

IIRC someone posted a patch that removed white/blacklist entries from
consideration in calculating the stored AWL entries. It was quite a
while ago though; sometime while 2.4x was current I think.

> Thanks for the insight into the provider-scale issues. Do you enable
> AWL for users?

Yep. So far, I've only had one instance where the AWL caused the
problem you're seeing; somewhen a user had requested that a NYTimes
newsletter get white/blacklisted (not sure which, but it ended up
blacklisted) and recently he reported it was getting tagged as spam and
shouldn't be. I removed the blacklist entry, but completely forgot
about the AWL and so the next edition of the newsletter got tagged.

This doesn't mean to say that this hasn't happened to anyone else on the
system, but out of ~300 accounts, there are maybe 10 customers that
regularly report spam that slips through. Every so often one of the
others emails or calls to complain that "I'm getting too much spam", so
I check to see how much mail has been tagged for their account, and
usually remind them how to let me know about the spam that gets
through. That usually shuts them up. <g>

-kgd
Re: blacklist.cf FP - remove? (was Re: User Blacklist False Positives?)
Bob Menschel wrote:
> Wednesday, March 10, 2004, 7:23:55 AM, you wrote:
>
> BG> Similarly, I'd like to be able to create a meta that says "if a hit from
> BG> this set (i.e. bigevil) [+optional other conditions] then score X". I'm
> BG> probably after a wildcard match for rule names in metas here, but even
> BG> that seems cumbersome and error-prone.
>
> BG> Is there any such capability I'm missing?
>
> Yes -- simply change the scores on the rules.

I didn't explain that well. I'd essentially like two things:

1. Rules SETS like bigevil, blacklist-uri.cf to NOT score (or be able to
centrally adjust their scores). This can be done with sed filters and
the like, but that's error prone if automated. (Not a big deal if not,
but sure easier.)

2. ALSO have a meta that can detect if any rule FROM A SET (without
writing a monster-meta) matched. Something like:

meta LOCAL_BIGEMATCHED (BigEvil_* && OTHER_TESTS)

> I modify the scores on bigevil before installing any new copy (the
> scores as distributed are too low for my systems, since we run with a
> required-hits of 9).

Are you using a simple sed filter or the like? I've done that as well,
and it does work well. A large rule set is labor-intensive to write and
modify, particularly if it's complex. I think it might be handy to have
"local variables" in a set (file) for scores -- Score $LEVEL1 5pts,
$LEVEL2 10pts etc. and allow those to be over-ridden in a local.cf.
(i.e. "from ruleset X and $LEVEL1 = 7pts")

> You can also change the scores on the BLACKLIST rule to lessen the
> impact of the William Stearns' contributed blacklist. (I prefer to
> simply review the list before installing, and remove entries that I
> know are a problem here. But then, I don't use AWL.)

True enough, and though I THOUGHT I'd tested that, it is working quite
well now. I'm as concerned about defaults as any add-ons.

- Bob
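The two things Bob is asking for in this thread, a single place to clip the +/-100 USER_IN_* scores so that one hit does not poison AWL, and a meta that fires when any rule from a downloaded set matched, are not something SpamAssassin's config language gives you directly: a meta takes explicit rule names, not wildcards, and a rule whose score is set to exactly 0 is disabled rather than kept for use in metas. The script below is an added example, not code from this thread, from SpamAssassin, or from the bigevil/blacklist.cf authors. It parses a ruleset .cf, emits clipped overrides for the stock list scores, sets the set's own rules to a near-zero score so they still run, and generates one aggregate meta that carries the locally chosen score. The sample ruleset, its rule names and the meta name LOCAL_BIGEVIL_ANY are constructed for the demo; BAYES_80 and BAYES_99 are stock Bayes rule names assumed to be enabled.

```python
"""Generate a local.cf fragment that rescores a third-party SpamAssassin ruleset.

Added example; not code from the list thread, from SpamAssassin, or from the
bigevil/blacklist.cf authors. Assumed: the ruleset is a plain .cf file with
rule definitions (header/body/uri/rawbody/full/meta) and `score NAME value`
lines. The sample ruleset and every rule name in it are constructed.
"""
import re

# Constructed stand-in for a downloaded ruleset such as bigevil.cf.
SAMPLE_RULESET = """\
# constructed example ruleset (not real bigevil.cf content)
uri    BIGEVIL_EXAMPLE_A  /example-a\\.test/i
score  BIGEVIL_EXAMPLE_A  3.5
uri    BIGEVIL_EXAMPLE_B  /example-b\\.test/i
score  BIGEVIL_EXAMPLE_B  7.0
header BIGEVIL_EXAMPLE_C  From =~ /example-c\\.test/i
score  BIGEVIL_EXAMPLE_C  12.0
"""

# Default white/blacklist scores as quoted in the thread (50_scores.cf).
DEFAULT_LIST_SCORES = {
    "USER_IN_BLACKLIST": 100.0,
    "USER_IN_WHITELIST": -100.0,
    "USER_IN_DEF_WHITELIST": -15.0,
    "USER_IN_BLACKLIST_TO": 10.0,
    "USER_IN_WHITELIST_TO": -6.0,
}

RULE_DEF = re.compile(r"^\s*(header|body|rawbody|uri|full|meta)\s+(\S+)\s")
SCORE_DEF = re.compile(r"^\s*score\s+(\S+)\s+(-?\d+(?:\.\d+)?)")


def parse_ruleset(text):
    """Return (rule names in definition order, {name: declared score})."""
    names, scores = [], {}
    for line in text.splitlines():
        m = RULE_DEF.match(line)
        if m and m.group(2) not in names:
            names.append(m.group(2))
        m = SCORE_DEF.match(line)
        if m:
            scores[m.group(1)] = float(m.group(2))
    return names, scores


def clip(value, limit):
    """Clamp a score into [-limit, +limit], keeping its sign."""
    return max(-limit, min(limit, value))


def clipped_overrides(scores, limit):
    """`score` lines that cap every entry outside +/- limit (the +/-100 list scores)."""
    return [f"score {n} {clip(v, limit):.1f}" for n, v in scores.items() if abs(v) > limit]


def neutralise_set(names):
    """Keep the set's rules running but contributing (almost) nothing.

    A score of exactly 0 disables a rule in SpamAssassin, so it could no longer
    feed a meta; 0.01 keeps it evaluated and visible in X-Spam-Status.
    """
    return [f"score {n} 0.01" for n in names]


def set_meta(meta_name, names, score, extra=None):
    """One meta that fires when any rule from the set hits, optionally AND-ed
    with other tests, so the whole set contributes a single local score."""
    any_hit = "(" + " || ".join(names) + ")"
    expr = f"({any_hit} && ({extra}))" if extra else any_hit
    return [f"meta {meta_name} {expr}", f"score {meta_name} {score:.1f}"]


def build_local_cf(ruleset_text, required_hits):
    """Assemble the fragment: list scores clipped to 2x the threshold, the set
    neutralised, and a meta scoring the set at the threshold only when a Bayes
    sign (assumed stock rules BAYES_80/BAYES_99) is also present."""
    names, _ = parse_ruleset(ruleset_text)
    lines = ["# generated: white/blacklist scores clipped"]
    lines += clipped_overrides(DEFAULT_LIST_SCORES, 2 * required_hits)
    lines += ["# generated: third-party set neutralised"]
    lines += neutralise_set(names)
    lines += ["# generated: score the set once, only with corroborating signs"]
    lines += set_meta("LOCAL_BIGEVIL_ANY", names, float(required_hits),
                      extra="BAYES_80 || BAYES_99")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_local_cf(SAMPLE_RULESET, required_hits=5))
```

Run it against the freshly downloaded ruleset each time you update, and append the output to local.cf (which SpamAssassin reads after the numbered .cf files, so the overrides win). Because the clipped USER_IN_* values live in local.cf rather than in blacklist.cf or 60_whitelist.cf, they survive replacing those files, which is the "set once, keep across updates" behaviour asked for above. It does not touch AWL entries already stored from earlier +/-100 hits; those still have to be cleared by hand.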