
Thread: RCVD_IN_DNSWL_MED rule




RCVD_IN_DNSWL_MED rule
2007-08-23 12:11:19
One of my users noticed that this rule:

-4.000 RCVD_IN_DNSWL_MED Sender listed at http://www.dnswl.org/, medium trust

..seems to be firing on a lot of spams we are receiving. I confirmed
this by looking into my own spam cache. From that description (I haven't
yet checked out this web site) it would appear that this rule is
intended to identify that a sender is known good, but it would also
appear that at least some "known good" sites are in fact originating
spam. Before I just tweak the score or remove this rule, has anybody
else seen this and know what's up?

What's happening now is that the -4 score from this rule is overwhelming
the +3.5 for Bayes 99-100% spam probability, and we're getting a lot of
false negatives.

--Greg


_______________________________________________
Maia-users mailing list
Maia-usersrenaissoft.com
http://www.renaissoft.com/mailman/listinfo/maia-users

Re: RCVD_IN_DNSWL_MED rule
2007-08-23 14:47:24
On Thu, 2007-08-23 at 11:11 -0600, Greg Woods wrote:
> One of my users noticed that this rule:
>
> -4.000 RCVD_IN_DNSWL_MED Sender listed at http://www.dnswl.org/, medium trust
>
> ..seems to be firing on a lot of spams we are receiving.

It's tacky to answer yourself (not the first time I've done it) but I
think I know what's happening, and the answer is that it's more of a
philosophical issue than a technical one.

The way this works is that the IP address of the sending server is
looked up in the DNSWL (DNS White List) database. If it is found there,
it will have a level of trust ranging from Low to High (our servers are
listed as "medium", which according to the web site means "Extremely
rare spam occurrences, corrected promptly", an accurate enough
description for us). This will in turn trip one of the SpamAssassin
rules and add a (large) negative score to the overall spam score for
that message.

What's happening is that the spam is being relayed through an alias or
mailing list on another server. That server is listed in the DNSWL with
a medium trust level, so the spam they are relaying is tripping the
RCVD_IN_DNSWL_MED rule. What using this rule essentially means is that
you are going to trust the combination of the accuracy of dnswl.org
listings and the spam filtering being done by any server that runs
mailing lists or aliases. I'm not really sure I want to do that, so I
should probably drop these rules.

The alternative would be to report these servers as spam relays to the
dnswl.org people. I hesitate to do that however, since one of these
servers is the moderators.isc.org site (we receive postings for a number
of moderated USENET groups). But maybe that's exactly what I SHOULD do?
The purpose of this dnswl.org site might be to encourage sites that run
mailing lists to filter it for spam before sending it on?

--Greg
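
The lookup and scoring described in this thread, as an added example that is not part of the original posts and is not SpamAssassin or Maia code: it builds the DNSWL query name, decodes the trust level from the answer, and lists which messages in a sample corpus change verdict if RCVD_IN_DNSWL_MED is rescored. The 5.0 threshold, the EXAMPLE_* rules and the corpus are constructed assumptions; the -4 and +3.5 scores are the ones quoted above.

```python
import ipaddress

DNSWL_ZONE = "list.dnswl.org"   # zone queried for the relay's IP address
TRUST = {0: "none", 1: "low", 2: "medium", 3: "high"}
THRESHOLD = 5.0                 # assumption: SpamAssassin's default required_score

# -4.0 and +3.5 are the scores quoted in the thread; EXAMPLE_* rules are constructed.
SCORES = {"RCVD_IN_DNSWL_MED": -4.0, "BAYES_99": 3.5,
          "EXAMPLE_URI": 2.0, "EXAMPLE_HTML": 1.0}

# Constructed corpus: (message name, rules that fired on it).
CORPUS = [
    ("relayed-spam-1", ["BAYES_99", "RCVD_IN_DNSWL_MED", "EXAMPLE_URI"]),
    ("relayed-spam-2", ["BAYES_99", "RCVD_IN_DNSWL_MED", "EXAMPLE_URI", "EXAMPLE_HTML"]),
    ("list-ham", ["RCVD_IN_DNSWL_MED"]),
    ("noisy-ham", ["RCVD_IN_DNSWL_MED", "EXAMPLE_URI", "EXAMPLE_HTML"]),
]


def dnswl_query_name(ip):
    """Name looked up for an IPv4 relay: octets reversed, zone appended."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + DNSWL_ZONE


def decode_dnswl(answer):
    """Decode a 127.0.<category>.<trust> answer; None if it is not a listing."""
    a, b, category, trust = (int(x) for x in answer.split("."))
    if (a, b) != (127, 0) or trust not in TRUST:
        return None
    return category, TRUST[trust]


def is_spam(hits, scores, threshold=THRESHOLD):
    """A message is tagged as spam when its summed rule scores reach the threshold."""
    return sum(scores[rule] for rule in hits) >= threshold


def what_if(corpus, scores, rule, new_score):
    """Names of messages whose verdict flips when `rule` is given `new_score`."""
    trial = dict(scores, **{rule: new_score})
    return [name for name, hits in corpus
            if is_spam(hits, scores) != is_spam(hits, trial)]


if __name__ == "__main__":
    print(dnswl_query_name("192.0.2.10"), decode_dnswl("127.0.5.2"))
    for candidate in (-1.0, 0.0):
        print(candidate, what_if(CORPUS, SCORES, "RCVD_IN_DNSWL_MED", candidate))
```

Run against a real spam and ham cache instead of the constructed corpus, the same what-if pass shows how many false negatives a rescore would recover and whether any legitimate list mail would start to be tagged.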

