
brazil.blackholes.us filter not working right


axlq


I have had brazil.blackholes.us selected as one of my filters for over a year. Yet, every day more and more spam from Brazil slips through. I don't have anything whitelisted except for two personal addresses. The ratio of filtered Brazilian spam to the amount reaching my inbox isn't 1:1 yet, but it's approaching that level. In the last 4 hours alone, the spam from the following IP addresses arrived in my mailbox, all from Brazil:

200.222.88.249 telemar.net.br

200.140.59.68 brasiltelecom.net.br

201.10.183.66 brasiltelecom.net.br

200.171.11.65 telesp.net.br

200.242.217.131 embratel.net.br

201.8.206.227 telemar.net.br

200.223.167.57 telemar.net.br

I verified this by moving the spam into the "Held Mail" folder, and then queueing all the held mail for reporting. The analysis showed all of it originated from Brazil, and the mail headers did not indicate that brazil.blackholes.us filtering was taking place.

I verified that all of the IP addresses above are included in brazil.blackholes.us.

The "leaky filter" draft FAQ at http://forum.spamcop.net/forums/index.php?showtopic=1895 was no help; in fact I sense a bit of denial that there might be a problem with the filtering. The user is not to blame in this case.

The brazil.blackholes.us filter is clearly selected, and has been for over a year. In the list of available filters, the only ones I have NOT selected are SPEWS level 1, South Korea, and China.

Somebody, please look into this. From the slow increase in the ratio of slipped-through Brazilian spam to filtered Brazilian spam, something appears to be breaking slowly.

-A


The one item that I do not know how to verify is the date that those addresses were added to the BL.

It is possible that they were added after you received them but before you had a chance to report them.

What would help is to see if you get any more spam from any of the listed IPs and if they are still not being caught by the filters.


> The brazil.blackholes.us is a third-party BL. Have you checked that resource to see if the IPs exist there?

Yes. Please re-read my original message (quote) "I verified that all of the IP addresses above are included in brazil.blackholes.us."

This 3rd-party BL doesn't change often, because the IPs allocated to an entire country don't change often. As I said, I am seeing spam leak through with greater frequency every week. The IP addresses that slipped through are listed as /16 networks in the BL (e.g. 200.171.*.*), and have been listed that way for ages.

Does spamcop keep its own local copy of this BL? If so, how often is it updated?

-Alex


I just did some testing on my trash folder, which holds 2+ (almost 3 right now, 572 total messages) days worth of spam and other assorted deleted messages.

Here are my results of how many were held by each BL (I have all enabled and SA set to 5)

Total  DNS Zone
402    bl.spamcop.net
0      l1.spews.dnsbl.sorbs.net
17     list.dsbl.org dsbl.org
12     sbl.spamhaus.org
14     korea.services.net
15     cn.rbl.cluecentral.net
0      nigeria.blackholes.us
0      argentina.blackholes.us
0      brazil.blackholes.us
0      cbl.abuseat.org
13     xbl.spamhaus.org
5      dnsbl.sorbs.net
37     SpamAssassin

Couple of things... I got no messages caught by any of the blackholes.us dnsbls, so it is possible they are not working correctly. Other confirmation would be nice before going to JT, however.

This test might be interesting to compare to other people's results. It was done using the filtering of spamcop webmail with the following rule as the only one enabled:

For an incoming message that matches:

All of the following

  Self-Defined Header: X-Spamcop-Disposition   Contains dns.zone

Do this:

  Deliver to mailbox: DNSBLTest

where dns.zone was replaced with the exact phrase above and DNSBLTest is a folder I had already created.

One other note, though I did not test extensively, it seems the Doesn't Contain option in the filter did not work as I ended up having to transfer all 400+ messages back into the trash folder :angry:


Note: your test is a bit misleading. If you change the order of the filters and make blackholes.us the first entry and bl.spamcop.net the last entry, the results will be quite different.

Edit: disregard previous comment, it is not possible to change the order of the Blocking Lists used. You can change the order of your personal filters and for some stupid reason I got the two confused, sorry about that Steve

As far as the "Doesn't Contain option in the filter" it only works within the webmail interface not at the local client. (Not sure how you are using it)

PS: Steve, I am sure you already understand this, but have included it for others who might not be so well informed.


> I got no messages caught by any of the blackholes.us dnsbls, so it is possible they are not working correctly.

You may be right. I have noticed that none of the Brazilian spams in the Held Mail folder were caught by brazil.blackholes.us. And I get a lot of Brazil spam in my inbox, indicating that SpamCop's implementation of this filter is broken.

I have disabled all filters but that one, to make sure. I should know in a few hours.

-Alex


> Note: your test is a bit misleading. If you change the order of the filters and make blackholes.us the first entry and bl.spamcop.net the last entry, the results will be quite different.

Except there is no way for users to change the order that spamcop processes the dnsbl's and I assume it is the same order for every account.

If you are talking about my filtering the messages, I did one at a time and then moved all messages back into the trash folder. Also, spamcop only posts the first bl seen in the disposition header. There are never 2 bl's listed.


> Popping open the iBook, running some tests, agree that the IPs identified exist and brazil.blackholes.us responds as expected. Will go ahead and kick a note to JT and ask for a look at his end.

I can confirm now that something is indeed broken. I enabled only one filter, brazil.blackholes.us, disabled all other filters, and waited an hour or so.

3 Brazilian spams came into my inbox.

None were caught.

All are listed in brazil.blackholes.us.

All should have been caught by that filter, which was the only one active.

201.4.187.147 telemar.net.br

200.103.71.216 braziltelecom.net.br

201.11.171.170 braziltelecom.net.br

Thanks for looking into this. Brazilian spam, for some reason I can't fathom, constitutes over 90% of the spam received by my spamcop address.

-Alex


> Except there is no way for users to change the order that spamcop processes the dnsbl's and I assume it is the same order for every account.
>
> If you are talking about my filtering the messages, I did one at a time and then moved all messages back into the trash folder. Also, spamcop only posts the first bl seen in the disposition header. There are never 2 bl's listed.

Thanks for correcting my error. I confused the personal filters where the order can be changed with the blocking lists where there is no way of changing the order.

> Popping open the iBook, running some tests, agree that the IPs identified exist and brazil.blackholes.us responds as expected. Will go ahead and kick a note to JT and ask for a look at his end.

200.138.215.183

is another of very many getting past brazil (also china)?

Some time ago JT was claiming he would create his own list? Suggest he adds entire block


just back from JT .. turns out that it was more than just Brazil, and the continuing solution is going to require that some of you cross your fingers really, really hard <g>

-=-=-=-=-=-

Those blacklists (the blackholes.us ones) were all internally disabled because at one point they were responding very slowly and that was causing us problems. I've re-enabled them. Assuming their DNS is working correctly again, we'll be able to leave them on.

Jeff

--On Thursday, October 14, 2004 10:22 PM -0500 GwazoO wrote:

> http://forum.spamcop.net/forums/index.php?showtopic=2846
> references the possibility that this external DNSBL
> isn't actually working. The IPs listed are in the
> subject BL and the results come back as expected
> on a lookup from here. Is it possible that though
> the users have these selected, the servers aren't
> running these checks?


> fingers crossed here
>
> P.S. Red Sox WIN :)

I cannot see why the full block is not downloaded and "hardwired"?

Save bandwidth connect problems

And good luck to George Bush from OZ :rolleyes:


> Those blacklists (the blackholes.us ones) were all internally disabled because at one point they were responding very slowly and that was causing us problems. I've re-enabled them. Assuming their DNS is working correctly again, we'll be able to leave them on.

Thanks Jeff, it's working again!

As I replied to you in email, I think a more effective solution would be to maintain the three country-specific blackholes.us lists locally on SpamCop's server. The IP allocations per country don't change much, and these aren't huge lists. Downloading an update every 3 months or so should be sufficient to remain effective.

The advantages are, it would reduce the load on blackholes.us DNS, and it would probably be faster to maintain copies of the lists locally, with only occasional updates. Unlike other lists which undergo many daily changes, these lists are pretty static.

-Alex
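The local-copy idea proposed above, set against the slow-DNS failure Jeff describes, as an added example that is not part of the original thread and not SpamCop's code. The `resolve` callable, the `check` helper and the /16 entries in `LOCAL_COPY` are hypothetical and constructed for illustration.

```python
import ipaddress

# Constructed stand-in for a locally mirrored country list. The /16 granularity
# follows the thread (e.g. 200.171.*.*); these are not the real zone contents.
LOCAL_COPY = """\
200.171.0.0/16   # constructed entry
200.222.0.0/16   # constructed entry
201.10.0.0/16    # constructed entry
"""

def load_networks(text):
    """Parse one CIDR per line, ignoring '#' comments and blank lines."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line))
    return nets

def dnsbl_query_name(ip, zone):
    """DNSBL convention: reverse the IPv4 octets and append the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def listed_locally(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def check(ip, zone, resolve, networks):
    """Return (listed, source). `resolve` is a hypothetical callable that
    returns an A record string, None for NXDOMAIN, or raises TimeoutError
    when the zone's DNS is too slow to answer."""
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except TimeoutError:
        # Slow zone: consult the local copy instead of skipping the check.
        return listed_locally(ip, networks), "local-copy"
    return (answer is not None and answer.startswith("127.")), "dns"

def slow_resolver(name):
    raise TimeoutError(name)  # simulates the unresponsive zone

if __name__ == "__main__":
    nets = load_networks(LOCAL_COPY)
    for ip in ("200.171.11.65", "192.0.2.1"):
        print(ip, check(ip, "brazil.blackholes.us", slow_resolver, nets))
```

Returning the source alongside the verdict lets an operator count how often the fallback fires, so a degraded zone shows up in metrics instead of as a quiet drop in catches.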
