Mailing List Archive

Lost of FPs because of IPs listed in DUL + "open Proxy"
Hi,

this seems to be an emerging problem with some RBLs (e.g. SORBS). There are
seemingly lots of dialup IPs listed in SORBS 'open proxy' and 'open relay'
database, which belong to dialup users. Those users may once have had an
insecure machine or a virus, but now completely DIFFERENT users get
punished just because they happen to have received the listed dynamic IP
from their ISP.

I rely on RBLs quite heavily (about 50% of my mail input is blocked by RBLs,
and lots of SPAM that did not come directly via is scored based on RBL
information), but I begin having my doubts.


IMHO dialup IPs should not be listed in "open proxy" or "open relay" RBLs
for months (as is the case with e.g. http://openrbl.org/#213.39.202.12)

Any ideas?



--
Jens Benecke (jens at spamfreemail.de)
http://www.hitchhikers.de - Europaweite kostenlose Mitfahrzentrale
http://www.spamfreemail.de - 100% saubere Postfächer - garantiert!
http://www.rb-hosting.de - PHP ab 9? - SSH ab 19? - günstiger Traffic
RE: Lost of FPs because of IPs listed in DUL + "open Proxy" [ In reply to ]
Users shouldn't be running their own SMTP server on a DUL. That's why they are listed. If they used their ISP's SMTP host like they are supposed to, then it would be an issue. Users on DULs shouldn't even run their own SMTP server since they can't even keep their systems patched and maintain sufficient virus defs.

As for your example, all the other guys are labeling it as open proxy/open relay. SORBS has a DUL database and since it's DUL, it goes in their DUL database and their open-relay database. So if 6 RBLs have it as an open relay then you can bet that it probably is. You could test its openness if you don't believe them.
RE: Lost of FPs because of IPs listed in DUL + "open Proxy" [ In reply to ]
> -----Original Message-----
> From: Jens Benecke [mailto:jens-sender-8130a1@spamfreemail.de]
> Sent: Thursday, February 05, 2004 4:43 AM
> To: spamassassin-users@incubator.apache.org
> Subject: Lost of FPs because of IPs listed in DUL + "open Proxy"
>
>
> Hi,
>
> this seems to be an emerging problem with some RBLs (e.g.
> SORBS). There are
> seemingly lots of dialup IPs listed in SORBS 'open proxy' and
> 'open relay'
> database, which belong to dialup users. Those users may once
> have had an
> insecure machine or a virus, but now completely DIFFERENT users get
> punished just because they happen to have received the listed
> dynamic IP
> from their ISP.
>
> I rely on RBLs quite heavily (about 50% of my mail input is
> blocked by RBLs,
> and lots of SPAM that did not come directly via is scored based on RBL
> information), but I begin having my doubts.
>
>
> IMHO dialup IPs should not be listed in "open proxy" or "open
> relay" RBLs
> for months (as the case with e.g. http://openrbl.org/#213.39.202.12)
>
> Any ideas?
>
>

Why would you want to receive email from dialup IPs??

The best thing to do is enable delay checks. Which won't block it until
after it checks your access list. (Well this is how it works with Sendmail
anyway.) This way even though it is listed, you can whitelist it in your own
server. Then you can get all the tasty Novarg stuff you've been missing ;)

--Chris
RE: Lost of FPs because of IPs listed in DUL + "open Proxy" [ In reply to ]
Rose, Bobby wrote:

> Users shouldn't be running their own SMTP server on a DUL. That's why
> they are listed. If they used their ISP's SMTP host like they are
> supposed to, then it would be an issue.

It would. Exactly, because SpamAssassin doesn't care if only the _first_
host in the relay chain was a DUL or if any other host was a DUL. If I send
my mail from my dialup host to my ISP and it relays it, I will still get
scored by SpamAssassin. And that is the problem.

SA also lacks a system to not score IPs from users that connect e.g. via
SMTP AUTH (and are therefore usually legit users) but that is another
issue.

> Users on DULs shouldn't even run their own smtp server since they can't
> even keep their systems patched and maintain sufficient virus defs.

I agree. But users on DUL _must_ be able to send mail to their ISPs mail
servers without getting scores from SA users. And that is currently not the
case.

> As for your example, all the other guys are labeling it as open proxy/open
> relay. Sorbs has a DUL database and since it's DUL, it goes in their DUL
> database and their open-relay database. So if 6 RBLS have it as an
> open-relay then you can bet that it probably is. You could test it
> openness if you don't believe them

You don't understand. I bet it was an open relay _at the time they checked_.
The spammer noticed he was being blocked, he hung up, redialed, got a new
IP and *bang* somebody else got the blocked IP.

Long-term open relay/proxy lists DO NOT MAKE SENSE with dial-up IPs. So
dialup IPs should not get listed in those lists - at least not for longer
than 24h, which is the maximum connection time every DSL provider I know
allows before forcing hang-up.



PS: Please reply the right way around (below the original text) and use
References: and In-Reply-To: headers (or fix your mail client). Your answer
was scattered with lots of new subjects and not sorted after my original
posting.
Thanks!


--
Jens Benecke (jens at spamfreemail.de)
http://www.hitchhikers.de - Europaweite kostenlose Mitfahrzentrale
http://www.spamfreemail.de - 100% saubere Postfächer - garantiert!
http://www.rb-hosting.de - PHP ab 9? - SSH ab 19? - günstiger Traffic
Re: Lost of FPs because of IPs listed in DUL + "open Proxy" [ In reply to ]
> Users shouldn't be running their own SMTP server on a DUL.
Just because some ignorant people don't know how to set up and maintain an MTA
cannot be a reason to ban the large rest of them who do.

Do you have any idea how many companies (primarily small companies) are
hooked up to the internet via dialup lines? And basically all of these
companies have their own little machine which serves their intranet, and
downloads and sends their mails to the "smarthost".
Andy.

--
o _ _ _
------- __o __o /\_ _ \\o (_)\__/o (_) -o)
----- _`\<,_ _`\<,_ _>(_) (_)/<_ \_| \ _|/' \/ /\\
---- (_)/ (_) (_)/ (_) (_) (_) (_) (_)' _\o_ _\_v
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A bus stops at a bus station; a train stops at a train station.
On my desk I have a workstation...
RE: Lost of FPs because of IPs listed in DUL + "open Proxy" [ In reply to ]
Chris Santerre wrote:

> Why would you want to receive email from dialup IPs??

Because otherwise my users would complain. They have dialup IPs. Doh.

And because I want to be able to receive mail which went DUL -> ISP1 -> ISP2
-> my server. This currently gets scored by SA which (IMHO) is wrong.

> The best thing to do is enable delay checks. Which won't block it until
> after it checks your access list. (Well this is how it works with Sendmail
> anyway.) This way even though it is listed, you can whitelist it in your
> own server. Then you can get all the tasty Novarg stuff you've been
> missing ;)

My "access list" is empty. My users use SMTP AUTH.

So: I want to whitelist users who use SMTP AUTH on my server to send their
mail. Otherwise, they will get punished by SA because they are
(legitimately) sending from a DUL (because they don't have a NOC in their
basement).

Unfortunately, qmail doesn't really mark the usage of SMTP AUTH in the
headers.

Any ideas?


--
Jens Benecke (jens at spamfreemail.de)
http://www.hitchhikers.de - Europaweite kostenlose Mitfahrzentrale
http://www.spamfreemail.de - 100% saubere Postfächer - garantiert!
http://www.rb-hosting.de - PHP ab 9? - SSH ab 19? - günstiger Traffic
RE: Lost of FPs because of IPs listed in DUL + "open Proxy" [ In reply to ]
On Thu, 5 Feb 2004, Rose, Bobby wrote:

> Users shouldn't be running their own SMTP server on a DUL. That's
> why they are listed. If they used their ISP's SMTP host like they
> are supposed to, then it would be an issue. Users on DULs shouldn't
> even run their own SMTP server since they can't even keep their
> systems patched and maintain sufficient virus defs.

Hmm... Can you point to an RFC that states all these shoulds and
shouldn'ts? I would suspect that the greater problem on dynamic IPs
is not users who are running their own servers, but users who get
infected with some form of malware that then starts spewing spam
and/or viruses out to the rest of the world.

Because of this (and yes, also the occasional dumb-ass who doesn't
lock their mail server down), some list-keepers have decided it's more
effective to just block all of them indiscriminately, tossing out the
baby with the bathwater. That's certainly their prerogative, but
don't make it sound like people running their own mail servers and
bypassing their ISP's are somehow breaking the rules.

--
Public key #7BBC68D9 at | Shane Williams
http://pgp.mit.edu/ | System Admin - UT iSchool
=----------------------------------+-------------------------------
All syllogisms contain three lines | shanew@shanew.net
Therefore this is not a syllogism | www.ischool.utexas.edu/~shanew
RE: Lost of FPs because of IPs listed in DUL + "open Proxy" [ In reply to ]
On Thu, 5 Feb 2004, Chris Santerre wrote:

> Why would you want to receive email from dialup IPs??

It's not just dialup IPs in the sense of telephone lines, but even if
it was...

Perhaps because someone is responding to your mailing list post, like
mine to Bobby that bounced back.

My favorite part was the SMTP error telling me to go to a SORBS web
page that then tells me to get in touch with the admin of the blocking
host. Can anyone say Catch-22?

--
Public key #7BBC68D9 at | Shane Williams
http://pgp.mit.edu/ | System Admin - UT iSchool
=----------------------------------+-------------------------------
All syllogisms contain three lines | shanew@shanew.net
Therefore this is not a syllogism | www.ischool.utexas.edu/~shanew
RE: Lost of FPs because of IPs listed in DUL + "open Proxy" [ In reply to ]
That's their problem. If they have an ISP that doesn't have a separate
non-dynamic IP pool for business class customers then they should find
someone else. As the SORBS faq says, their DUL is really a dynamic IP
DUL.
RE: Lost of FPs because of IPs listed in DUL + [ In reply to ]
Jens Benecke said:
> Chris Santerre wrote:
>
>> Why would you want to receive email from dialup IPs??
>
> Because otherwise my users would complain. They have dialup IPs. Doh.
>
> And because I want to be able to receive mail which went DUL -> ISP1 ->
> ISP2
> -> my server. This currently gets scored by SA which (IMHO) is wrong.

Pardon my ignorance, but isn't the scenario above exactly the same as a
"typical" mail transaction? From what I understand, SMTP AUTH can be used
to allow users to send mail through your server from outside your server's
configured "trusted" netblocks. However, since your trusted netblock
configuration is not visible to the outside world, wouldn't an
authenticated Received list look exactly like a "non-authenticated but
inside the trusted block" Received list?


> Unfortunately, qmail doesn't really mark the usage of SMTP AUTH in the
> headers.
>

Additionally, even if qmail did indicate that the transaction was via SMTP
AUTH, SpamAssassin really couldn't trust that information in the Received
line. A spammer could simply inject a fake Received line with the AUTH
markup. SA really can't trust any headers other than those that the end
MTA (or any configured trusted servers) have added, right?



--
Chris Thielen

Easily generate SpamAssassin rules to catch obfuscated spam phrases
(0BFU$C/\TED SPA/\/\ P|-|RA$ES):
http://www.sandgnat.com/cmos/
RE: Lost of FPs because of IPs listed in DUL + "open Proxy" [ In reply to ]
The SORBS DUL score is on .10 and wouldn't be causing your problems by itself. As pointed out, that IP provided earlier is in multiple RBLs as being an open relay, including the SORBS open relay list.
RE: Lost of FPs because of IPs listed in DUL + "open Proxy" [ In reply to ]
This thread should've been broken into several others ....

- Yahoo! groups at the moment is generating spam -- by mis-diagnosing posts to yahoogroups as [spam]. The resulting MIME-encapsulated messages wrap the original message, add [spam] to the subject line, and this sort of wee-little header line in the outsider wrapper's header:

X-eGroups-Rocket-Track: 1: 100 ; SFLAG=OPENRELAY ; IPCR=g-w0,n0,g100 ;
SERVER=66.218.86.248

See that OPENRELAY tag above? That is apparently the thing that flipped out Yahoo!. I did an ad hoc check on a couple of those IPs that Yahoo! complained about and they did show signs of being an open relay (weak signs. The test message which attempted relay was accepted, but not delivered back to me).

But the problem here is that the messages that Yahoo! has tagged as spam no longer have the mailing list headers in the wrapper (thus even my filing recipes), and now I'm faced with first unwrapping the message to get the original so I can run my own spam filtering on it. And ... all the messages I've seen were in fact innocuous and their only problem is they were sent from an IP listed as an open relay.

So, from my perspective, Yahoo!'s anti-spam filters are at the moment creating spam.

There is a possible positive -- by tagging so many dial-up, real or just listed open relays perhaps those users will (1) decontaminate their PCs, and (2) lean on their ISP to clean up its act and start helping its users determine if their PCs have been misappropriated by a virus/zombie harvester.

- Does this help with the problem of SA chasing too many Received lines back to the originating unlucky dial-up user?

num_check_received { integer } (default: 9)

How many received lines from and including the original mail relay do we check in RBLs (at least 1 or 2 is recommended).
Note that for checking against dialup lists, you can call check_rbl() with a special set name of set-notfirsthop and this rule will only be matched against the relays except for the very first one; this allows SpamAssassin to catch dialup-sent spam, without penalizing people who properly relay through their ISP.

This option is deprecated in version 2.60 and later. It will be removed in a future version. Please use the trusted_networks option instead (it is a much better way to control DNSBL-checking behaviour).

-----

- if you set that to 2, or something like that, you should be able to just include your local mail's demarcation point?
RE: Lost of FPs because of IPs listed in DUL + "open Proxy" [ In reply to ]
On Thu, 2004-02-05 at 07:44, Jens Benecke wrote:
> My "access list" is empty. My users use SMTP AUTH.
>
> So: I want to whitelist users who use SMTP AUTH on my server to send their
> mail. Otherwise, they will get punished by SA because they are
> (legitimately) sending from a DUL (because they don't have a NOC in their
> basement).
>
> Unfortunately, qmail doesn't really mark the usage of SMTP AUTH in the
> headers.
>

Even if it did, what prevents spammers from injecting a fake "Received"
header with SMTP AUTH in it? The fundamental thing about SMTP is that
you can't trust anyone before you in the delivery chain...

I'd suggest that you just set the scores of the dial-up rules to 0 so
they aren't evaluated.

- Jon

--
jon@tgpsolutions.com

Administrator, tgpsolutions
http://www.tgpsolutions.com
Re: Lost of FPs because of IPs listed in DUL + "open Proxy" [ In reply to ]
On Thursday 05 February 2004 16:28, Shane Williams wrote:
> My favorite part was the SMTP error telling me to go to a SORBS web
> page that then tells me to get in touch with the admin of the blocking
> host. Can anyone say Catch-22?

This is why I have a rule that states that any mail to postmaster is accepted,
regardless of origin (open relay etc). It means the account does get a bit
more spam than I'd like, but if someone is in a RBL I use, they can contact
me. YMMV.
RE: Lost of FPs because of IPs listed in DUL + "open Proxy" [ In reply to ]
Rose, Bobby wrote:

> That's their problem. If they have an ISP that doesn't have a separate
> non-dynamic IP pool for business class customers then they should find
> someone else. As the SORBS faq says, their DUL is really a dynamic IP
> DUL.

Yes. fixed IP accounts usually are available and cost about ten times as
much.

Look: I'm not complaining about DUL IPs getting listed in the DUL lists.

I'm complaining about DUL IPs being stuck in "open relay" lists FOR MONTHS,
although it only hurts legitimate customers: the spammer just hangs up,
dials in again, gets a new IP and goes on spamming, once his IP is listed.


--
Jens Benecke (jens at spamfreemail.de)
http://www.hitchhikers.de - Europaweite kostenlose Mitfahrzentrale
http://www.spamfreemail.de - 100% saubere Postfächer - garantiert!
http://www.rb-hosting.de - PHP ab 9? - SSH ab 19? - günstiger Traffic
Re: Lost of FPs because of IPs listed in DUL + "open Proxy" [ In reply to ]
>Date: Thu, 5 Feb 2004 10:28:26 -0600 (CST)
>From: Shane Williams <shanew@shanew.net>
>To: Chris Santerre <csanterre@merchantsoverseas.com>
>cc: spamassassin-users@incubator.apache.org
>Subject: RE: Lost of FPs because of IPs listed in DUL + "open Proxy"
>
>On Thu, 5 Feb 2004, Chris Santerre wrote:
>
>> Why would you want to receive email from dialup IPs??
>
>It's not just dialup IPs in the sense of telephone lines, but even if
>it was...
>
>Perhaps because someone is responding to your mailing list post, like
>mine to Bobby that bounced back.
>
>My favorite part was the SMTP error telling me to go to a SORBS web
>page that then tells me to get in touch with the admin of the blocking
>host. Can anyone say Catch-22?

No. See "4.5.1 Minimum Implementation" of RFC2821 which says:

SMTP systems are expected to make every reasonable effort to accept
mail directed to Postmaster from any other system on the Internet.
In extreme cases --such as to contain a denial of service attack or
other breach of security-- an SMTP server may block mail directed to
Postmaster. However, such arrangements SHOULD be narrowly tailored
so as to avoid blocking messages which are not part of such attacks.

I certainly take the above to imply the postmaster address is
exempt from RBL blocking etc. About the only thing we won't do is
accept viruses sent to postmaster.
RE: Lost of FPs because of IPs listed in DUL + "open Proxy" [ In reply to ]
Can you point out an RFC that says mail servers must accept from DULs?
I know that the user agreement on my home broadband connection with
Comcast does say that it's a residential service and isn't to be used
for running webservers and the like. Granted they don't go looking, but
I'm sure they'd notice if the traffic stats made them look in that
direction. So they could be breaking their agreement with their ISP.

Regardless, this is the same old arguments. There isn't anything that
says you have to use the RBLs. If it's giving you FPs or you don't like
it then turn it off in SA by setting the score.
RE: Lost of FPs because of IPs listed in DUL + "open Proxy" [ In reply to ]
Are you talking about my rejection message which says "Open-Relay
Rejected for xxx.xxx.xxx.xxx found in dnsbl.sorbs.net - Give this
message to your email adminstrator who should go to
(http://www.dnsbl.us.sorbs.net/) for instructions"

It says "your email admin". Even if rejecting, RFCs say that domains
should have a functioning postmaster@domain and abuse@domain, which I do.

If you replied to Jens's message, you'd be greeted by that verification
message that you sent the message. Using something like that makes me
wonder why they're using SpamAssassin if they're using an email
verification system.

Respond to just the list instead of the person.
Re: Lost of FPs because of IPs listed in DUL + "open Proxy" [ In reply to ]
> That's their problem.
No, it's not! (as already pointed out by several other postings in this thread)

> The SORBS DUL score is on .10
No, in combination with Bayes it's a lot higher.

> As pointed out, that IP provided earlier is in multiple RBLs as being an
> open relay, including the SORBS open relay list.
Please just keep your statements to yourself as long as you don't
understand what this thread is about.
Andy.

--
o _ _ _
------- __o __o /\_ _ \\o (_)\__/o (_) -o)
----- _`\<,_ _`\<,_ _>(_) (_)/<_ \_| \ _|/' \/ /\\
---- (_)/ (_) (_)/ (_) (_) (_) (_) (_)' _\o_ _\_v
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Linux. Because life is too short to reboot.
RE: Lost of FPs because of IPs listed in DUL + "open Proxy" [ In reply to ]
Simply put, spammers use dialups to send their email. As ISPs or end users we are not required to accept spam and thus have the right to block all mail originating from those addresses. Most dialup ISPs require that users send email through their SMTP systems. This keeps you in compliance with their AUP as well as ensuring that your email is not hitting an RBL. For postfix it would be something like "relay=whateverytheirsmtpserveris.yourispserver.whatevertheirextentionis".

BTW, RFCs are guidelines for the community but surely not laws. So, if someone says nothing from that IP address will come through their server then they have that right.

Right now every web site that I host has a webmaster, postmaster and an abuse account. I have always received spam in the webmaster account. Most of the spams are for web site positioning, email marketing and web hosting. Now, we block them but then we say that it's okay to send to postmaster. Do you think that they wouldn't spam that account as well?

Gary Smith
RE: Lost of FPs because of IPs listed in DUL + "open Proxy" [ In reply to ]
Rose, Bobby wrote:

> The SORBS DUL score is on .10 and wouldn't be causing your problems by
> itself. As pointed out, that IP provided earlier is in multiple RBLs as
> being an open relay, including the SORBS open relay list.

Look.

It's not the IP that is the open relay.
It's the machine behind it.

And, on dialup accounts, the "machine <-> IP" connection is *SO* short-term
that it is STUPID to make any connection whatsoever between them that lasts
more than a couple hours, perhaps a day at most.

That IP, has been released back into the dialup pool when the open relay
machine behind it hung up, probably hours after it was listed, and given to
somebody else. And then somebody else. And then...

... and all those 'somebody's now see their mail bounced all over the world,
although they have nothing to do with the first machine, and have no idea
WTF is going on with their mail.


Is this so hard to understand? Maybe my English sucks more than I thought.
If you still don't get it please ask again, what part is unclear.



--
Jens Benecke (jens at spamfreemail.de)
http://www.hitchhikers.de - Europaweite kostenlose Mitfahrzentrale
http://www.spamfreemail.de - 100% saubere Postfächer - garantiert!
http://www.rb-hosting.de - PHP ab 9? - SSH ab 19? - günstiger Traffic
RE: Lost of FPs because of IPs listed in DUL + [ In reply to ]
Chris Thielen wrote:

> Jens Benecke said:
>> Chris Santerre wrote:
>>
>>> Why would you want to receive email from dialup IPs??
>>
>> Because otherwise my users would complain. They have dialup IPs. Doh.
>>
>> And because I want to be able to receive mail which went DUL -> ISP1 ->
>> ISP2 -> my server. This currently gets scored by SA which (IMHO) is
>> wrong.
>
> Pardon my ignorance, but isn't the scenario above exactly the same as a
> "typical" mail transaction?

Yes. And if the first IP is listed as an open relay, it gets tagged as SPAM.
Even if the user that has the IP is no open relay, but a _different_ user
that _had_ the (dynamic) IP a couple weeks ago _was_.

That is my problem. It can only be fixed (IMHO) by separating open relay
lists on dynamic and static IPs.

> From what I understand, SMTP AUTH can be used
> to allow users to send mail through your server from outside your server's
> configured "trusted" netblocks.

Yes. And because my "trusted" block consists only of 127.0.0.1, everyone
*has* to use SMTP AUTH or he can't relay.

> However, since your trusted netblock
> configuration are not visible to the outside world wouldn't an
> authenticated Received list look exactly like a "non-authenticated but
> inside the trusted block" Received list?

No. qmail actually puts "Received ..... by (username@host)" in the headers
if it was authenticated. And all my usernames have a "user@domain"
structure, where "domain" is one of the couple hundred domains I host. So I
have "Received ... by (username@domain@kiste.hitchhikers.de)" in the
headers and that's what I currently look for.

It's weak, I know. But otherwise my users would get punished for using
dynamic IPs, by _my_ spamassassin. (This problem is unrelated to the one I
talked about above, btw). And I don't know how to differentiate between
known SMTP AUTH users using dialup IPs and unknown SMTP users sending via
dialup IPs - yet.

>> Unfortunately, qmail doesn't really mark the usage of SMTP AUTH in the

actually, it does (see above) but weakly.

> Additionally, even if qmail did indicate that the transaction was via SMTP
> AUTH, SpamAssassin really couldn't trust that information in the Received
> line. A spammer could simply inject a fake Received line with the AUTH
> markup. SA really can't trust any headers other than those that the end
> MTA (or any configured trusted servers) have added, right?

Yup.

I need a way to find whether my header is the _first_ Received: header. But
then I'd punish people who have their SMTP local server configured to relay
via mine (which can be perfectly legitimate if they have an account).


--
Jens Benecke (jens at spamfreemail.de)
http://www.hitchhikers.de - Europaweite kostenlose Mitfahrzentrale
http://www.spamfreemail.de - 100% saubere Postfächer - garantiert!
http://www.rb-hosting.de - PHP ab 9? - SSH ab 19? - günstiger Traffic
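The "is my header the first Received: header" check discussed above, as an added example that is not code from the thread, from qmail or from SpamAssassin: it believes the qmail-style AUTH marker only in the Received: line our own MTA stamped last, counts the same marker lower down as sender-supplied text, and assumes qmail's "(qmail N invoked ...)" bookkeeping stamps sit above the SMTP reception line. The host name is the one from the post; the sample headers, user names and addresses are constructed.

```python
import re

# Constructed samples (addresses from documentation ranges, user names invented):
# a direct SMTP AUTH submission, and a plain-SMTP delivery whose sender injected
# a fake AUTH-marked Received: line beneath the one our MTA wrote.
DIRECT_AUTH = (
    "Received: (qmail 4711 invoked from network); 5 Feb 2004 11:40:00 -0000\n"
    "Received: from unknown (HELO laptop) (192.0.2.77)\n"
    "  by (alice@example.org@kiste.hitchhikers.de) with SMTP; 5 Feb 2004 11:40:00 -0000\n"
    "From: alice@example.org\n"
)
FORGED = (
    "Received: from mail.isp.example (198.51.100.9)\n"
    "  by kiste.hitchhikers.de with SMTP; 5 Feb 2004 11:41:00 -0000\n"
    "Received: from bogus (HELO bogus) (203.0.113.5)\n"
    "  by (bob@example.org@kiste.hitchhikers.de) with SMTP; 5 Feb 2004 11:39:00 -0000\n"
    "From: bob@example.org\n"
)

TRUSTED_HOST = "kiste.hitchhikers.de"
# "by kiste.hitchhikers.de ..." or, per the post, "by (user@domain@kiste.hitchhikers.de) ..."
OURS_RE = re.compile(r"\bby\s+(?:\((?P<user>[^\s()@]+@[^\s()@]+)@)?"
                     + re.escape(TRUSTED_HOST) + r"\)?")
# Each Received: header body, including folded continuation lines
RECEIVED_RE = re.compile(r"^Received:(.*?)(?=^\S|\Z)", re.M | re.S)
# qmail's own bookkeeping stamps, "(qmail N invoked from network)"; assumed format
LOCAL_RE = re.compile(r"^\(qmail \d+ invoked ")


def hops(raw_headers):
    """Received: header bodies, topmost (last hop) first, folded lines joined,
    qmail bookkeeping stamps dropped so the SMTP reception line comes first."""
    bodies = (" ".join(m.group(1).split()) for m in RECEIVED_RE.finditer(raw_headers))
    return [b for b in bodies if not LOCAL_RE.match(b)]


def auth_user(raw_headers):
    """User from the AUTH marker, or None. Only the topmost hop counts: it is the
    line the final MTA wrote, the one line the sender could not have forged."""
    received = hops(raw_headers)
    m = OURS_RE.search(received[0]) if received else None
    if m is None:           # our MTA's line is not first: believe no AUTH mark at all
        return None
    return m.group("user")  # None for a plain-SMTP hop without the marker


def forged_auth_markers(raw_headers):
    """AUTH markers for our host found below the topmost hop. We stamp only the
    final hop, so these came from the sender: a scoring signal, never trust."""
    return sum(1 for h in hops(raw_headers)[1:]
               if (m := OURS_RE.search(h)) and m.group("user"))
```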
Re: Lost of FPs because of IPs listed in DUL + "open Proxy" [ In reply to ]
On Thursday 05 February 2004 12:40 pm, Gary Smith wrote:
> Right now every web site that I host has a webmaster, postmaster and an
> abuse account. I have always received spam in the webmaster account. Most
> of the spams are for web site positioning, email marketing and web
> hosting. Now, we block them but then we say that it's okay to send to
> postmaster. Do you think that they wouldn't spam that account as well?

They do and will. I routinely receive spam (several 10's a day) to postmaster,
mailer-daemon, and abuse, someone else handles webmaster.

Postmaster because it's always supposed to exist and in the case of domain
hosting is usually an alias to the same account that handles webmaster.

Mailer-Daemon because spammers add bounces to their never-washed-lists.

Abuse because it's listed in various public abuse related contact databases,
meaning spammers don't care that they are sending their spam to the very
people that filter it.
RE: Lost of FPs because of IPs listed in DUL + [ In reply to ]
If the issue is that your users are being punished for using a DUL or Open Proxy by your spamassassin, then why not just disable those checks by changing the RCVD_IN_DYNABLOCK or the RCVD_IN_SORBS_SOCKS scores?



-----Original Message-----
From: news [mailto:news@sea.gmane.org] On Behalf Of Jens Benecke
Sent: Thursday, February 05, 2004 3:40 PM
To: spamassassin-users@incubator.apache.org
Subject: RE: Lost of FPs because of IPs listed in DUL +
RE: Lost of FPs because of IPs listed in DUL + [ In reply to ]
> No. qmail actually puts "Received ..... by (username@host)" in the headers
> if it was authenticated. And all my usernames have a "user@domain"
> structure, where "domain" is one of the couple hundred domains I host. So I
> have "Received ... by (username@domain@kiste.hitchhikers.de)" in the
> headers and that's what I currently look for.

> It's weak, I know. But otherwise my users would get punished for using
> dynamic IPs, by _my_ spamassassin. (This problem is unrelated to the one I
> talked about above, btw). And I don't know how to differentiate between
> known SMTP AUTH users using dialup IPs and unknown SMTP users sending via
> dialup IPs - yet.

>>> Unfortunately, qmail doesn't really mark the usage of SMTP AUTH in the

> actually, it does (see above) but weakly.

>> Additionally, even if qmail did indicate that the transaction was via SMTP
>> AUTH, SpamAssassin really couldn't trust that information in the Received
>> line. A spammer could simply inject a fake Received line with the AUTH
>> markup. SA really can't trust any headers other than those that the end
>> MTA (or any configured trusted servers) have added, right?

> Yup.

> I need a way to find whether my header is the _first_ Received: header. But
> then I'd punish people who have their SMTP local server configured to relay
> via mine (which can be perfectly legitimate if they have an account).

For any mail SMTP_AUTH'd by your local system and outbound, you might be able
to set up a separate SMTP daemon which accepts SMTP_AUTH connections
exclusively, and only relay non-DUL local trusted networks on your "original"
SMTP daemon. It seems you're using qmail (I don't) but with Sendmail and
MIMEDefang you could pass Sendmail macros (such as ${if_addr}) to a filter to
determine how, if, and from where a connection was authenticated, and use this
information to adjust the score accordingly. I suppose you could additionally
get really creative(?) and mangle the headers of SMTP_AUTH'd messages so that
the DUL footprints of outbound mail disappear to foreign mail systems, but
methinks that's probably about as Evil as self-modifying code. :)
