SpamAssassin doesn't block spam

fmortara

Hi,
I have a serious problem with SA.
More spam emails pass the check and go into the inbox without any filtering.
I receive hundreds of these spam emails a day per account.

The headers in the email say that SpamAssassin's score is negative, like this:

Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Thu, 13 Oct 2011 10:17:23 +0200
Received: from mail by HOST.SERVER.EXT with spam-scanned (Exim 4.76)
(envelope-from <[email protected]>)
id 1REGTh-0005NL-9N
for [email protected]; Thu, 13 Oct 2011 10:17:23 +0200
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on HOST.SERVER.EXT
X-Spam-Level:
X-Spam-Status: No, score=-2.2 required=5.0 tests=BAYES_20,HS_INDEX_PARAM,
NO_DNS_FOR_FROM,RCVD_IN_BRBL_LASTEXT,RCVD_IN_DNSWL_HI,RDNS_NONE autolearn=ham
version=3.3.2
Received: from [115.74.156.153] (helo=adsl.viettel.vn)
by HOST.SERVER.EXT with esmtp (Exim 4.76)
(envelope-from <[email protected]>)
id 1REGTg-0005NG-IS
for [email protected]; Thu, 13 Oct 2011 10:17:21 +0200
Message-ID: <SKoD0tS2MsquWN0lx6BYVw6M8Mkj8b@hqblnetcc>
Date: Thu, 13 Oct 2011 15:17:09 +0700
From: "Taddeo" <[email protected]>
To: <[email protected]>
Subject: Non dovrai installare alcun software: gioca nella versione flash!
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Brightmail-Tracker: AAAAAhkwhIoZMVfU
X-Brightmail-Tracker: AAAAAA==

What can I do to resolve this problem?
 
Does nobody have the same problem?
SA marks most spam messages with a negative score...
 
First make sure you're using the latest version of SpamAssassin.

Second, make sure you're also using SpamBlocker. When I use both, SpamAssassin catches about ten spams per week. Most of the rest are caught by SpamBlocker. Only one or two a day get through.

Jeff
 
The problem was that SpamAssassin received from list.dnswl.org a positive listing, with high trust, for any request, like this:
-5.0 RCVD_IN_DNSWL_HI RBL: Sender listed at http://www.dnswl.org/, high trust [123.20.184.184 listed in list.dnswl.org]

I wrote to dnswl and this is the reply:

You are using a nameserver to access our services who has been doing millions of queries per day since months. Since the abuse departments of these nameservers did not take any action, we had to temporarily return a "listed" result for all requests from these nameservers in order to protect our infrastructure for all other users of our free service.

Please switch to using a local nameserver or, if you are doing more than 100'000 queries/24 hours, consider a subscription at https://subscription.dnswl.org/

Regards,
--
Bernd, for dnswl.org

On Fri 14 Oct 2011, 20:20:30, [email protected] wrote:
> Hi,
> I receive hundreds a day of spam emails from IP addresses included in
> your whitelist. These are just some of the IPs that send spam ...
>
>
>
> Have you any problem?
I've forwarded this reply to my server admin, and now I'm waiting for solutions...

However:
How does SpamAssassin check dnswl.org?
Which nameservers are used?
Does it depend on my server or on other factors?

And if I want to temporarily skip this check, how can I do that?
 
> How does SpamAssassin check dnswl.org?

The same way SpamBlocker does; it uses your local DNS server to look up the listing.

> Which nameservers are used?
> Does it depend on my server or on other factors?

Your server uses the nameservers in your /etc/resolv.conf file. You may want to try using these nameservers: 8.8.8.8 and 8.8.8.4, owned by Google; I just tested from these nameservers and it appears they're not whitelisting arbitrarily for requests from them.

> And if I want to temporarily skip this check, how can I do that?

We use the dnswl servers in our recent SpamBlocker exim.conf file. You can follow instructions in our ReadMe to learn how to disable specific lists.

I don't know the specifics in changing rules for SpamAssassin; perhaps someone else does.

Jeff
 
Can I disable only dnswl through exim.conf?

If I change my DNS

from
search mydomain.it
nameserver 213.92.5.54
nameserver 8.8.8.8

to
search mydomain.it
nameserver 8.8.8.8
nameserver 8.8.8.4

can I have any problems?
 
No one can guarantee that except dnswl.org. At this moment neither of your current nameservers appears to be returning false whitelistings.

Jeff
 
Sorry, I don't understand...

I am asking whether, through my exim.conf configuration, I can disable only the dnswl.org check in my SpamAssassin setup. In local.cf, I put a line that assigns a score of 0 to the listing and it runs, but it is a temporary solution. Now I have put my server's IP address into my resolv.conf as the first DNS, and now I no longer receive false high-trust listings from dnswl...

Is it a good solution?

EDIT: Have you tried it to verify?
 
Exim has no control over SpamAssassin. All you can do from exim.conf is use SpamAssassin or not use it. You can rewrite any SpamAssassin rules, but SpamAssassin updates will probably overwrite your rewrites. Or you can create local rules to override the SpamAssassin rules, which is generally the preferred method. My understanding is that's what you've done.

The right way to solve the problem is to not use dns-based whitelists and blacklists that don't want you to use them; unfortunately SpamAssassin gives you no easy control over that.

Jeff
 
How to Disable DNSWL.ORG

I'm having the same problem with DNSWL.ORG checks on Mailscanner and Spam Assassin. Recently DNSWL.ORG started assigning a default negative score of -5 to incoming messages on nameservers which exceed their 100,000 requests per 24 hours limit, which causes a lot of spam to get through on busy servers.

Does anyone know how to disable or remove the DNSWL.ORG check?
 
Simplest is to create a local rule to give the check a much lower score. I'm not sure how.

Which nameservers are in your /etc/resolv.conf file?

How many emails are you getting a day (roughly)?

I have some ideas; answering these questions may help me figure out a best solution.

Jeff
 
Hi, I was having an issue relating to this problem. After digging around, this thread saved my ass.

I noticed spam levels increased dramatically this past month. My clients complained so much, it became a priority to find a solution (one of them was to move everyone to Google Apps...). Eventually, I realized that dnswl.org was returning scores of -5.0 in SpamAssassin, even though the message was clearly spam.

This thread mentions using other nameservers, namely Google's 8.8.8.8/8.8.4.4. I will come out and say this is a terrible idea, because I was using them! This was the reason why I was getting so much spam. The amount of lookups from Google's DNS definitely surpasses the 100,000+ mark for dnswl.org. When you do that many queries, you must go commercial, or else they return results with false positives.

I went ahead and put my colocation facility's nameservers in /etc/resolv.conf. No more spam.
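
An added example, not code from any poster in this thread: a Python sketch that reads the X-Spam-Status header of a stored message, reports what the score would be without the -5.0 RCVD_IN_DNSWL_HI hit quoted earlier, and flags messages where that whitelist hit coincides with a blacklist or missing-rDNS hit. The function name, the choice of contradicting tests and the sample addresses are assumptions of the example.

```python
import email
import re

# Score the thread's report line shows for RCVD_IN_DNSWL_HI.
DNSWL_HI_SCORE = -5.0
# Assumption (this example's heuristic): hits that a genuinely high-trust
# sender should not produce. Both names appear in the thread's sample header.
CONTRADICTS_WHITELIST = {"RCVD_IN_BRBL_LASTEXT", "RDNS_NONE"}

STATUS_RE = re.compile(
    r"score=(-?[\d.]+)\s+required=(-?[\d.]+)\s+tests=([\w,\s]*?)(?=\s+\w+=|\s*$)"
)

def audit(raw_message):
    """Return a dict describing the DNSWL verdict of one message, or None."""
    status = email.message_from_string(raw_message).get("X-Spam-Status")
    match = STATUS_RE.search(status or "")
    if not match:
        return None
    score, required = float(match.group(1)), float(match.group(2))
    # Folded headers keep their line breaks, so split on commas and whitespace.
    tests = {t for t in re.split(r"[,\s]+", match.group(3)) if t}
    whitelisted = "RCVD_IN_DNSWL_HI" in tests
    adjusted = round(score - DNSWL_HI_SCORE, 1) if whitelisted else score
    conflicts = sorted(tests & CONTRADICTS_WHITELIST)
    return {
        "score": score,
        "without_dnswl": adjusted,
        "conflicts": conflicts,
        "suspect_whitelisting": whitelisted and bool(conflicts),
        "spam_without_dnswl": adjusted >= required,
    }

# Constructed sample: X-Spam-Status copied from the thread, addresses made up.
SUSPECT = """\
From: sender@example.invalid
To: user@example.invalid
X-Spam-Status: No, score=-2.2 required=5.0 tests=BAYES_20,HS_INDEX_PARAM,
\tNO_DNS_FOR_FROM,RCVD_IN_BRBL_LASTEXT,RCVD_IN_DNSWL_HI,RDNS_NONE autolearn=ham
\tversion=3.3.2
Subject: constructed sample

body
"""

if __name__ == "__main__":
    print(audit(SUSPECT))
```

For the thread's sample header the score rises from -2.2 to 2.8 once the whitelist hit is discounted, which is still below the 5.0 threshold.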
 
Interesting. I'm using openDNS nameservers, and they don't have the problem.

Note that later versions of SpamBlocker exim.conf file for DirectAdmin also use dnswl.

I'm going to go ahead and build my own resolving nameserver inside my local network.

Jeff
 
I put my server IP in resolv.conf. No more spam.
But I don't know if it's a good solution for a hosting server.
 
The problem is that it's insecure to use your own nameserver as both an authoritative nameserver and a cacheing nameserver; it makes it possible for a malicious attacker to poison the DNS for all your hosted domains.

Search these forums for cacheing nameserver for more information.

Jeff
 