axlq Posted October 14, 2004

I have had brazil.blackholes.us selected as one of my filters for over a year. Yet, every day more and more spam from Brazil slips through. I don't have anything whitelisted except for two personal addresses. The ratio of filtered Brazilian spam to the amount reaching my inbox isn't 1:1 yet, but it's approaching that level.

In the last 4 hours alone, the spam from the following IP addresses arrived in my mailbox, all from Brazil:

200.222.88.249 telemar.net.br
200.140.59.68 brasiltelecom.net.br
201.10.183.66 brasiltelecom.net.br
200.171.11.65 telesp.net.br
200.242.217.131 embratel.net.br
201.8.206.227 telemar.net.br
200.223.167.57 telemar.net.br

I verified this by moving the spam into the "Held Mail" folder, and then queueing all the held mail for reporting. The analysis showed all of it originated from Brazil, and the mail headers did not indicate that brazil.blackholes.us filtering was taking place. I verified that all of the IP addresses above are included in brazil.blackholes.us.

The "leaky filter" draft FAQ at http://forum.spamcop.net/forums/index.php?showtopic=1895 was no help; in fact I sense a bit of denial that there might be a problem with the filtering. The user is not to blame in this case. The brazil.blackholes.us filter is clearly selected, and has been for over a year. In the list of available filters, the only ones I have NOT selected are SPEWS level 1, South Korea, and China.

Somebody, please look into this. From the slow increase in the ratio of slipped-through Brazilian spam to filtered Brazilian spam, something appears to be breaking slowly.

-A

dbiel Posted October 14, 2004

The one item that I do not know how to verify is the date that those addresses were added to the BL. It is possible that they were added after you received them but before you had a chance to report them.

What would help is to see if you get any more spam from any of the listed IPs and if they are still not being caught by the filters.

Wazoo Posted October 14, 2004

The brazil.blackholes.us is a third-party BL. Have you checked that resource to see if the IPs exist there?

axlq (Author) Posted October 14, 2004

> The brazil.blackholes.us is a third-party BL. Have you checked that resource to see if the IPs exist there?

Yes. Please re-read my original message (quote) "I verified that all of the IP addresses above are included in brazil.blackholes.us."

This 3rd-party BL doesn't change often, because the IPs allocated to an entire country don't change often. As I said, I am seeing spam leak through with greater frequency every week. The IP addresses that slipped through are listed as /16 networks in the BL (e.g. 200.171.*.*), and have been listed that way for ages.

Does spamcop keep its own local copy of this BL? If so, how often is it updated?

-Alex

StevenUnderwood Posted October 15, 2004

I just did some testing on my trash folder, which holds 2+ (almost 3 right now, 572 total messages) days worth of spam and other assorted deleted messages. Here are my results of how many were held by each bl (I have all enabled and SA set to 5)

Total  DNS Zone
402    bl.spamcop.net
0      l1.spews.dnsbl.sorbs.net
17     list.dsbl.org dsbl.org
12     sbl.spamhaus.org
14     korea.services.net
15     cn.rbl.cluecentral.net
0      nigeria.blackholes.us
0      argentina.blackholes.us
0      brazil.blackholes.us
0      cbl.abuseat.org
13     xbl.spamhaus.org
5      dnsbl.sorbs.net
37     SpamAssassin

Couple of things... I got no messages caught by any of the blackholes.us dnsbls, so it is possible they are not working correctly. Other confirmation would be nice before going to JT, however.

This test might be interesting to compare to other people's results. It was done using the filtering of spamcop webmail with the following rule as the only one enabled:

For an incoming message that matches: All of the following
Self-Defined Header: Contains dns.zone X-Spamcop-Disposition
and Select a field
Do this: Deliver to mailbox: DNSBLTest

where dns.zone was replaced with the exact phrase above and DNSBLTest is a folder I had already created.

One other note, though I did not test extensively, it seems that the Doesn't Contain option in the filter did not work as I ended up having to transfer all 400+ messages back into the trash folder :angry:

dbiel Posted October 15, 2004

> I just did some testing on my trash folder, which holds 2+ (almost 3 right now, 572 total messages) days worth of spam and other assorted deleted messages. Here are my results of how many were held by each bl (I have all enabled and SA set to 5)
>
> Total  DNS Zone
> 402    bl.spamcop.net
> 0      l1.spews.dnsbl.sorbs.net
> 17     list.dsbl.org dsbl.org
> 12     sbl.spamhaus.org
> 14     korea.services.net
> 15     cn.rbl.cluecentral.net
> 0      nigeria.blackholes.us
> 0      argentina.blackholes.us
> 0      brazil.blackholes.us
> 0      cbl.abuseat.org
> 13     xbl.spamhaus.org
> 5      dnsbl.sorbs.net
> 37     SpamAssassin
>
> Couple of things... I got no messages caught by any of the blackholes.us dnsbls, so it is possible they are not working correctly. Other confirmation would be nice before going to JT, however.
>
> This test might be interesting to compare to other people's results. It was done using the filtering of spamcop webmail with the following rule as the only one enabled: where dns.zone was replaced with the exact phrase above and DNSBLTest is a folder I had already created.
>
> One other note, though I did not test extensively, it seems that the Doesn't Contain option in the filter did not work as I ended up having to transfer all 400+ messages back into the trash folder :angry:

Note: your test is a bit misleading. If you change the order of the filters and make blackholes.us the first entry and bl.spamcop.net the last entry, the results will be quite different.

Edit: disregard previous comment, it is not possible to change the order of the Blocking Lists used. You can change the order of your personal filters and for some stupid reason I got the two confused, sorry about that Steve

As far as the "Doesn't Contain option in the filter" it only works within the webmail interface not at the local client. (Not sure how you are using it)

PS: Steve, I am sure you already understand this, but have included it for others who might not be so well informed.

axlq (Author) Posted October 15, 2004

> I got no messages caught by any of the blackholes.us dnsbls, so it is possible they are not working correctly.

You may be right. I have noticed that none of the Brazilian spams in the Held Mail folder were caught by brazil.blackholes.us. And I get a lot of Brazil spam in my inbox, indicating that SpamCop's implementation of this filter is broken.

I have disabled all filters but that one, to make sure. I should know in a few hours.

-Alex

StevenUnderwood Posted October 15, 2004

> Note: your test is a bit misleading. If you change the order of the filters and make blackholes.us the first entry and bl.spamcop.net the last entry, the results will be quite different.

Except there is no way for users to change the order that spamcop processes the dnsbls and I assume it is the same order for every account. If you are talking about my filtering the messages, I did one at a time and then moved all messages back into the trash folder.

Also, spamcop only posts the first bl seen in the disposition header. There are never 2 bls listed.

Wazoo Posted October 15, 2004

Popping open the iBook, running some tests, agree that the IPs identified exist and brazil.blackholes.us responds as expected. Will go ahead and kick a note to JT and ask for a look at his end.

axlq (Author) Posted October 15, 2004

> Popping open the iBook, running some tests, agree that the IPs identified exist and brazil.blackholes.us responds as expected. Will go ahead and kick a note to JT and ask for a look at his end.

I can confirm now that something is indeed broken.

I enabled only one filter, brazil.blackholes.us, disabled all other filters, and waited an hour or so. 3 Brazilian spams came into my inbox. None were caught. All are listed in brazil.blackholes.us. All should have been caught by that filter, which was the only one active.

201.4.187.147 telemar.net.br
200.103.71.216 braziltelecom.net.br
201.11.171.170 braziltelecom.net.br

Thanks for looking into this. Brazilian spam, for some reason I can't fathom, constitutes over 90% of the spam received by my spamcop address.

-Alex

dbiel Posted October 15, 2004

> Except there is no way for users to change the order that spamcop processes the dnsbls and I assume it is the same order for every account. If you are talking about my filtering the messages, I did one at a time and then moved all messages back into the trash folder.
>
> Also, spamcop only posts the first bl seen in the disposition header. There are never 2 bls listed.

Thanks for correcting my error. I confused the personal filters where the order can be changed with the blocking lists where there is no way of changing the order.

DavidT Posted October 15, 2004

> I can confirm now that something is indeed broken.

Then you should write to: support <at> spamcop.net

DT

michaelanglo Posted October 15, 2004

Thanks for all your hard work on brazil.blackholes.us.

I am not enough of a geek to know how to check an IP for inclusion, but I do note that on just one day, 2004/09/27, some spam was noted as being held due to it.

HTH

petzl Posted October 16, 2004

> Popping open the iBook, running some tests, agree that the IPs identified exist and brazil.blackholes.us responds as expected. Will go ahead and kick a note to JT and ask for a look at his end.

200.138.215.183 is another of very many getting past brazil (also china)?

Some time ago JT was claiming he would create his own list? Suggest he adds entire block

Wazoo Posted October 18, 2004

just back from JT .. turns out that it was more than just Brazil, and the continuing solution is going to require that some of you cross your fingers really, really hard <g>

-=-=-=-=-=-

Those blacklists (the blackholes.us ones) were all internally disabled because at one point they were responding very slowly and that was causing us problems. I've re-enabled them. Assuming their DNS is working correctly again, we'll be able to leave them on.

Jeff

--On Thursday, October 14, 2004 10:22 PM -0500 GwazoO wrote:

> http://forum.spamcop.net/forums/index.php?showtopic=2846
> references the possibility that this external DNSBL
> isn't actually working. The IPs listed are in the
> subject BL and the results come back as expected
> on a lookup from here. Is it possible that though
> the users have these selected, the servers aren't
> running these checks?

StevenUnderwood Posted October 18, 2004

fingers crossed here

P.S. Red Sox WIN

petzl Posted October 18, 2004

> fingers crossed here
>
> P.S. Red Sox WIN

I cannot see why the full block is not downloaded and "hardwired"? Save bandwidth connect problems

And good luck to George Bush from OZ

axlq (Author) Posted October 18, 2004

> Those blacklists (the blackholes.us ones) were all internally disabled because at one point they were responding very slowly and that was causing us problems. I've re-enabled them. Assuming their DNS is working correctly again, we'll be able to leave them on.

Thanks Jeff, it's working again!

As I replied to you in email, I think a more effective solution would be to maintain the three country-specific blackholes.us lists locally on SpamCop's server. The IP allocations per country don't change much, and these aren't huge lists. Downloading an update every 3 months or so should be sufficient to remain effective.

The advantages are, it would reduce the load on blackholes.us DNS, and it would probably be faster to maintain copies of the lists locally, with only occasional updates. Unlike other lists which undergo many daily changes, these lists are pretty static.

-Alex

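Added example (not part of any post in this thread and not SpamCop's code): a sketch of the lookup the thread discusses, which reverses the IPv4 octets, queries the zone, keeps a failed or slow lookup distinct from "not listed", and falls back to a locally held copy of the /16 ranges as suggested in the last post. The function names, the stand-in resolvers and the second network in `LOCAL_COPY` are assumptions made for illustration.

```python
import ipaddress
import socket

ZONE = "brazil.blackholes.us"  # zone discussed in the thread
# Constructed local copy: 200.171.0.0/16 is the /16 mentioned in the thread,
# 200.222.0.0/16 is assumed for illustration only.
LOCAL_COPY = [ipaddress.ip_network(n) for n in ("200.171.0.0/16", "200.222.0.0/16")]
NOT_FOUND = {socket.EAI_NONAME, getattr(socket, "EAI_NODATA", socket.EAI_NONAME)}

def dnsbl_name(ip, zone=ZONE):
    """Query name for a DNSBL: IPv4 octets reversed, followed by the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def check_dns(ip, resolve=socket.gethostbyname):
    """Return 'listed', 'not-listed' or 'error' for one lookup."""
    try:
        answer = resolve(dnsbl_name(ip))
    except socket.gaierror as exc:
        # Name does not exist: a real "not listed". Anything else is a failure.
        return "not-listed" if exc.errno in NOT_FOUND else "error"
    except OSError:  # timeouts and other socket failures
        return "error"
    # DNSBLs conventionally answer with an address in 127.0.0.0/8.
    return "listed" if answer.startswith("127.") else "error"

def verdict(ip, resolve=socket.gethostbyname):
    """Return (status, source); fall back to the local copy if DNS fails."""
    status = check_dns(ip, resolve)
    if status != "error":
        return status, "dns"
    addr = ipaddress.ip_address(ip)
    hit = any(addr in net for net in LOCAL_COPY)
    return ("listed" if hit else "not-listed"), "local-copy"

# Constructed stand-in resolvers so the example runs offline.
def resolver_listed(name):
    return "127.0.0.2"

def resolver_nxdomain(name):
    raise socket.gaierror(socket.EAI_NONAME, "constructed: no such name")

def resolver_timeout(name):
    raise socket.gaierror(socket.EAI_AGAIN, "constructed: temporary failure")

if __name__ == "__main__":
    for r in (resolver_listed, resolver_nxdomain, resolver_timeout):
        print(r.__name__, verdict("200.171.11.65", r))
```

Returning the source alongside the status makes it visible in logs or headers when a zone has stopped answering, instead of the check silently catching nothing.
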
This topic is now archived and is closed to further replies.