jongrose Posted June 9, 2007

I have been under the assumption that for a while the SC email system is not parsing sending IPs through all the blocklists I have selected. Today, I did a check and noticed that this does seem to be the case. I have been meaning to check into this in the past, but I haven't had time. So, for now, this post only contains 2 email examples that have slipped through the blacklist filtering system. I will post more if need be, as they come into my inbox and are not placed in Held Mail.

Right now I have all blocklists enabled, except CBL since you should be able to use SpamHaus's XBL as it feeds from the CBL. SpamAssassin is set to level 5.

First email: http://www.spamcop.net/sc?id=z1322355043z0...4a8be7ba5ca17cz
IP: 85.108.206.134
Listed in SpamHaus XBL: http://www.spamhaus.org/query/bl?ip=85.108.206.134
Listed in SORBS:
    Dynamic IP Space (LAN, Cable, DSL & Dial Ups)
    Netblock: 85.108.0.0/16 (85.108.0.0-85.108.255.255)
    Record Created: Fri Mar 17 23:37:05 2006 GMT
    Record Updated: Fri Mar 17 23:37:05 2006 GMT
    Additional Information: Dynamic/Generic IP/rDNS address, use your ISPs mail server or get rDNS set to indicate static assignment.
    Currently active and flagged to be published in DNS

Second email: http://www.spamcop.net/sc?id=z1322368954z7...1b8e6f981cd79az
IP: 83.5.240.245
Listed in SpamCop (prior to me reporting it): http://www.spamcop.net/w3m?action=checkblo...ip=83.5.240.245
Listed in SORBS:
    Dynamic IP Space (LAN, Cable, DSL & Dial Ups)
    Netblock: 83.5.0.0/16 (83.5.0.0-83.5.255.255)
    Record Created: Fri Mar 23 19:05:38 2007 GMT
    Record Updated: Fri Mar 23 19:05:38 2007 GMT
    Additional Information: [#153721 TPCERT Supplied)] Dynamic/Generic IP/rDNS address, use your ISPs mail server or get rDNS set to indicate static assignment.
    Currently active and flagged to be published in DNS

So, is there someone I need to contact to let them know about this problem?
StevenUnderwood Posted June 10, 2007

> So, is there someone I need to contact to let them know about this problem?

That would be JT, the admin of the email service. I can not support your claim with more evidence, however as I know I have had spam held by at least the spamcop bl within the last week.

There is a web link in the FAQ. I have had good luck using the support[at]spamcop.net address as well.
jongrose (Author) Posted June 10, 2007

> That would be JT, the admin of the email service. I can not support your claim with more evidence, however as I know I have had spam held by at least the spamcop bl within the last week. There is a web link in the FAQ. I have had good luck using the support[at]spamcop.net address as well.

It seems to be sporadic and I can't say when or why it will occur. I've noticed spams in my held mail that were blocked by SPBL and SpamHaus in the recent past, but it's almost ALWAYS blocked by SpamAssassin. If it passes through SA then it seems to make it into my inbox, even if it shows up as an open proxy/relay when I report it. I'm not 100% sure of the mechanisms behind SA, but I believe that it does check some blacklists itself.
StevenUnderwood Posted June 10, 2007

> If it passes through SA then it seems to make it into my inbox, even if it shows up as an open proxy/relay when I report it. I'm not 100% sure of the mechanisms behind SA, but I believe that it does check some blacklists itself.

SA is currently checked first and if it does not pass, no further checks are made. I only have a small percentage that get checked by the DNSBL's, but have only had one spam slip by the filters in the last 60 days.

To answer your PM (this is a public forum to share information), I provided the email address in my original response and you even quoted it.

Also, possibly in play here, is the recent report of a DDoS against many of the DNSBL's ( http://www.channelinsider.com/article/Anti...e/209254_1.aspx )
jongrose (Author) Posted June 10, 2007

> To answer your PM (this is a public forum to share information), I provided the email address in my original response and you even quoted it.

Okay, that was just a misunderstanding by me. I thought the support address was an alternate address for getting in touch with SC support. I actually don't know who JB is, although I see his/her initials posted frequently here.

> Also, possibly in play here, is the recent report of a DDoS against many of the DNSBL's ( http://www.channelinsider.com/article/Anti...e/209254_1.aspx )

True, and that is always an ongoing thing with DNSbls. However, I would assume that if I use their lookup interface on their website then that should indicate that the blocklist is functioning, as it is at least able to query their database. I also checked the story from ISC, and they are also reporting that an SA rules list that's widely used is offline too. Does SpamCop host its own SA rules?

http://isc.sans.org/diary.html?storyid=2940

On a side note, there are now some very effective methods to combat against DoS attacks. Service provider Prolexic has technology for hosting sites and server software/hardware to help slow and stop these kinds of attacks. Unfortunately, their services are pretty expensive, so I doubt that non-profit BLs have the kind of capital to use those kinds of defensive measures.

> SA is currently checked first and if it does not pass, no further checks are made. I only have a small percentage that get checked by the DNSBL's, but have only had one spam slip by the filters in the last 60 days.

Let me make sure I understand you. Are you saying that all incoming emails are only checked by SA, and the sending IP address is not being passed through the DNS blacklists that the user has enabled under Options, SpamCop Tools, Select your email filtering blacklists?
StevenUnderwood Posted June 10, 2007

> However, I would assume that if I use their lookup interface on their website then that should indicate that the blocklist is functioning, as it is at least able to query their database.

Not always a good assumption. Web pages are generally designed to wait a much longer time to display the information than most DNS lookups would wait.

> Let me make sure I understand you. Are you saying that all incoming emails are only checked by SA, and the sending IP address is not being passed through the DNS blacklists that the user has enabled under Options, SpamCop Tools, Select your email filtering blacklists?

No, but the DNSBL's are only checked if the SA rule does not "call it spam". If SA score is lower than your setting, then the first DNSBL is checked, if negative, the next one is checked, etc.
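The filtering order described in the reply above (SpamAssassin first, then each enabled DNSBL in turn), as an added example that is not SpamCop's code or part of the original posts. The zone names, their order, the resolver stub and the fail-open handling of a lookup timeout are assumptions made for illustration; the timeout case shows how an IP that a list's web page reports as listed can still reach the inbox when the DNS query goes unanswered.

```python
import ipaddress

# Public DNSBL zones for the lists named in the thread (assumed, not from the
# page); the order and the fail-open policy below are also assumptions.
DNSBL_ZONES = ["bl.spamcop.net", "xbl.spamhaus.org", "dnsbl.sorbs.net"]


class LookupTimeout(Exception):
    """Raised by a resolver when the DNSBL does not answer in time."""


def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def filter_message(sa_score, sa_threshold, sender_ip, resolver, zones=DNSBL_ZONES):
    """Return (verdict, reason, skipped_zones) in the order the thread describes."""
    # Step 1: SpamAssassin decides first; a hit means no DNSBL is consulted.
    if sa_score >= sa_threshold:
        return "held", "spamassassin", []
    skipped = []
    # Step 2: walk the enabled DNSBLs in order, stopping at the first listing.
    for zone in zones:
        try:
            listed = resolver(dnsbl_query_name(sender_ip, zone))
        except LookupTimeout:
            skipped.append(zone)  # fail open: an unreachable list cannot hold mail
            continue
        if listed:
            return "held", zone, skipped
    return "inbox", None, skipped


def make_resolver(listed_names, down_zones=()):
    """Constructed offline resolver standing in for a real DNS A-record query."""
    def resolver(name):
        if any(name.endswith("." + z) for z in down_zones):
            raise LookupTimeout(name)
        return name in listed_names
    return resolver


# Constructed sample data built from the first IP quoted in the thread.
IP = "85.108.206.134"
LISTED = {dnsbl_query_name(IP, "xbl.spamhaus.org"),
          dnsbl_query_name(IP, "dnsbl.sorbs.net")}
```

Recording the skipped zones per message is what lets an administrator tell "not listed" apart from "list unreachable" when a user reports spam that slipped through.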
petzl Posted June 11, 2007

> No, but the DNSBL's are only checked if the SA rule does not "call it spam". If SA score is lower than your setting, then the first DNSBL is checked, if negative, the next one is checked, etc.

You can check what SpamAssassin (SA) assigns for each IP listed on a blocklist here (this is for ver 3.1; latest SA is 3.2). If listed on SpamCop's SCBL gets a score of 1.332 or 1.558 added depending on set-up.

http://spamassassin.apache.org/tests_3_1_x.html

I do not believe this is a dynamic link (as is SpamCop emails) for a DNSBL look-up; not sure of how often it is renewed.

I believe SA is first checked then whitelist, if passed, SpamCop email then checks your Blacklist, and other DNSBL's. If whitelisted will deliver. Your whitelist by-passes all other blocks including blacklist.

It helps to have in your blacklist country specific blocks like br, de, cn, pl, it, uk, mx, ro and so on if you do not on a normal basis receive email from these countries. A full email address on your whitelist will bypass such blocks.
Wazoo Posted June 11, 2007

> Okay, that was just a misunderstanding by me. I thought the support address was an alternate address for getting in touch with SC support. I actually don't know who JB is, although I see his/her initials posted frequently here.

Section 8 - SpamCop's System & Active Staff User Guide
Archived
This topic is now archived and is closed to further replies.