Incorrect DNSBL evaluation

Hello,

I just received an e-mail with the following report:

> X-Spam-Report: Content analysis details:
>  0.0 URIBL_RED Contains an URL listed in the URIBL redlist
>      [URIs: unclassified.de]
>  0.2 URIBL_GREY Contains an URL listed in the URIBL greylist
>      [URIs: unclassified.de]
>  3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
>      [URIs: unclassified.de]
>  5.0 BOTNET Relay might be a spambot or virusbot
>      [botnet0.8,ip=(...)]
>  0.9 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
>      [89.183.23.141 listed in zen.spamhaus.org]
> -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
>      [score: 0.0000]
>  0.1 RDNS_DYNAMIC Delivered to trusted network by host with
>      dynamic-looking rDNS
> -1.6 AWL AWL: From: address is in the auto white-list

(...) contains information about the sending host that should not matter here.

The message is a reply to a message from me. It contains my text quoted, complete with my previous signature that also has the link to http://unclassified.de. I was a bit surprised about the high spam score of 5.0 and looked at the report. It says that "unclassified.de" is on URIBL. I could not believe that and checked in at their site. But they say it is *not* on the list.

So what happened here? How can SA (3.2.4) give spam points for a problem that is completely wrong?

--
Yves Goergen "LonelyPixel" <nospam.list@...>
Visit my web laboratory at http://beta.unclassified.de

Re: Incorrect DNSBL evaluation

This could be a DNS problem returning a .2 (positive response) for all queries.

What DNS are you using for your queries?

On 7/20/2008 4:03 PM, Yves Goergen wrote:
> Hello,
>
> I just received an e-mail with the following report:
>
>> X-Spam-Report: Content analysis details:
>>  0.0 URIBL_RED Contains an URL listed in the URIBL redlist
>>      [URIs: unclassified.de]
>>  0.2 URIBL_GREY Contains an URL listed in the URIBL greylist
>>      [URIs: unclassified.de]
>>  3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
>>      [URIs: unclassified.de]
>>  5.0 BOTNET Relay might be a spambot or virusbot
>>      [botnet0.8,ip=(...)]
>>  0.9 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
>>      [89.183.23.141 listed in zen.spamhaus.org]
>> -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
>>      [score: 0.0000]
>>  0.1 RDNS_DYNAMIC Delivered to trusted network by host with
>>      dynamic-looking rDNS
>> -1.6 AWL AWL: From: address is in the auto white-list
>
> (...) contains information about the sending host that should not matter
> here.
>
> The message is a reply to a message from me. It contains my text quoted,
> complete with my previous signature that also has the link to
> http://unclassified.de. I was a bit surprised about the high spam score
> of 5.0 and looked at the report. It says that "unclassified.de" is on
> URIBL. I could not believe that and checked in at their site. But they
> say it is *not* on the list. So what happened here? How can SA (3.2.4)
> give spam points for a problem that is completely wrong?

Re: Incorrect DNSBL evaluation

On Sun, 2008-07-20 at 16:03 +0200, Yves Goergen wrote:
> Hello,
>
> I just received an e-mail with the following report:
>
> > X-Spam-Report: Content analysis details:
> >  0.0 URIBL_RED Contains an URL listed in the URIBL redlist
> >      [URIs: unclassified.de]
> >  0.2 URIBL_GREY Contains an URL listed in the URIBL greylist
> >      [URIs: unclassified.de]
> >  3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
> >      [URIs: unclassified.de]

It strikes me as odd that the URI should be listed in all these BLs. DNS hiccup?

> >  5.0 BOTNET Relay might be a spambot or virusbot
> >      [botnet0.8,ip=(...)]
> >  0.9 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
> >      [89.183.23.141 listed in zen.spamhaus.org]

This is your real problem that accounts for the lion's share of the score. +5.9 because the sender MUA directly sent to your MX.

> > -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
> >      [score: 0.0000]
> >  0.1 RDNS_DYNAMIC Delivered to trusted network by host with
> >      dynamic-looking rDNS
> > -1.6 AWL AWL: From: address is in the auto white-list
>
> (...) contains information about the sending host that should not matter
> here.

Doesn't matter for the URIBL / DNS issue, right. But it indeed DOES matter for the total score and the reason why this particular mail ended up classified as spam -- and triggered your attention in the first place. The full Received headers would be necessary to track this down.

> The message is a reply to a message from me. It contains my text quoted,
> complete with my previous signature that also has the link to
> http://unclassified.de. I was a bit surprised about the high spam score
> of 5.0 and looked at the report. It says that "unclassified.de" is on
> URIBL. I could not believe that and checked in at their site. But they
> say it is *not* on the list. So what happened here? How can SA (3.2.4)
> give spam points for a problem that is completely wrong?

Bad DNS response? That probably would explain why the domain ended up on RED, GRAY and BLACK. See above.

Do you see hits like these with other mail, too? Does it happen frequently / occasionally or is it an isolated incident? Necessary info to start hunting this down.

However, even though that result indeed is odd, appears to be a bug, and is worth investigation -- it is not the reason for the mail being classified spammy. Bayes and AWL single-handedly would have gotten the score back below 0. The reason this mail ended up flagged as spam is because the sender sent it from a dial-up IP directly to your MX. Resulting score for this alone: 6.0.

guenther

--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4"; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1: (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}

Re: Incorrect DNSBL evaluation

Yves Goergen wrote:
> [snip]
> The message is a reply to a message from me. It contains my text quoted,
> complete with my previous signature that also has the link to
> http://unclassified.de. I was a bit surprised about the high spam score
> of 5.0 and looked at the report. It says that "unclassified.de" is on
> URIBL. I could not believe that and checked in at their site. But they
> say it is *not* on the list. So what happened here? How can SA (3.2.4)
> give spam points for a problem that is completely wrong?

On the host running SA, try

$ host 1.0.0.127.zen.spamhaus.org

If this returns an IP instead of NXDOMAIN, then you have a DNS problem. Either you're using a "toy" DNS server/proxy or you are forwarding DNS queries to your ISP and the ISP replaces NXDOMAIN by an IP of their choice.

Re: Incorrect DNSBL evaluation

On 20.07.2008 17:10 CE(S)T, mouss wrote:
> On the host running SA, try
> $ host 1.0.0.127.zen.spamhaus.org

It says:

1.0.0.127.zen.spamhaus.org does not exist (Authoritative answer)

The server is located in a well-known computing centre in Nuremberg, Germany. I assume they know how to handle DNS services.

--
Yves Goergen "LonelyPixel" <nospam.list@...>
Visit my web laboratory at http://beta.unclassified.de

Re: Incorrect DNSBL evaluation

On 20.07.2008 16:39 CE(S)T, Karsten Bräckelmann wrote:
> It strikes me as odd that the URI should be listed in all these BLs. DNS
> hiccup?

Maybe.

> Bad DNS response? That probably would explain why the domain ended up on
> RED, GRAY and BLACK. See above. Do you see hits like these with other
> mail, too? Does it happen frequently / occasionally or is it an isolated
> incident? Necessary info to start hunting this down.

This is the first time I see it, but I don't look into the report very often because only very few messages get flagged as spam in error. I let my server flag anything from 5.0 points on and deny anything from a higher score that is defined per incoming mail address.

--
Yves Goergen "LonelyPixel" <nospam.list@...>
Visit my web laboratory at http://beta.unclassified.de

Re: Incorrect DNSBL evaluation

On Sun, 2008-07-20 at 20:07 +0200, Yves Goergen wrote:
> On 20.07.2008 16:39 CE(S)T, Karsten Bräckelmann wrote:
> > It strikes me as odd that the URI should be listed in all these BLs. DNS
> > hiccup?
>
> Maybe.
>
> > Bad DNS response? That probably would explain why the domain ended up on
> > RED, GRAY and BLACK. See above. Do you see hits like these with other
> > mail, too? Does it happen frequently / occasionally or is it an isolated
> > incident? Necessary info to start hunting this down.
>
> This is the first time I see it, but I don't look into the report very
> often because only very few messages get flagged as spam in error. I let
> my server flag anything from 5.0 points on and deny anything from a
> higher score that is defined per incoming mail address.

Oh, I didn't mean to ask if you have seen it before, but if it happened before. You asked about an anomaly, so start investigating and hunting down this issue... Go grep your logs. :)

guenther

--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4"; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1: (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}

Re: Incorrect DNSBL evaluation

On Sun, 20 Jul 2008, Yves Goergen wrote:
> On 20.07.2008 17:10 CE(S)T, mouss wrote:
>> On the host running SA, try
>> $ host 1.0.0.127.zen.spamhaus.org
>
> It says:
>
> 1.0.0.127.zen.spamhaus.org does not exist (Authoritative answer)
>
> The server is located in a well-known computing centre in Nuremberg, Germany.
> I assume they know how to handle DNS services.

Are you sure it's 127.0.0.1? This is at the top of all Spamhaus zones:

:127.0.0.2:http://www.spamhaus.org/SBL/

Which does yield correct results:

smtpgate# host 2.0.0.127.zen.spamhaus.org
2.0.0.127.zen.spamhaus.org has address 127.0.0.10
2.0.0.127.zen.spamhaus.org has address 127.0.0.4
2.0.0.127.zen.spamhaus.org has address 127.0.0.2

-d

Re: Incorrect DNSBL evaluation

On 20.07.2008 20:21 CE(S)T, Karsten Bräckelmann wrote:
> On Sun, 2008-07-20 at 20:07 +0200, Yves Goergen wrote:
>> On 20.07.2008 16:39 CE(S)T, Karsten Bräckelmann wrote:
>>> Bad DNS response? That probably would explain why the domain ended up on
>>> RED, GRAY and BLACK. See above. Do you see hits like these with other
>>> mail, too? Does it happen frequently / occasionally or is it an isolated
>>> incident? Necessary info to start hunting this down.
>> This is the first time I see it, but I don't look into the report very
>> often because only very few messages get flagged as spam in error. I let
>> my server flag anything from 5.0 points on and deny anything from a
>> higher score that is defined per incoming mail address.
>
> Oh, I didn't mean to ask if you have seen it before, but if it happened
> before. You asked about an anomaly, so start investigating and hunting
> down this issue... Go grep your logs. :)

Correct. My fault. I've looked through the e-mails that I have received today and that contain my quoted signature. All of them I could find from today have this issue. All messages from today that contain the link show the same 3 matches. The URL would be in all 3 lists.

I can remember that I have run 'sa-update' sometime in the last few days, not sure when it was exactly. I just ran it again but now it didn't find an update.

I need to think about disabling these rules until the cause has been found.

--
Yves Goergen "LonelyPixel" <nospam.list@...>
Visit my web laboratory at http://beta.unclassified.de

Re: Incorrect DNSBL evaluation

On 20.07.2008 20:54 CE(S)T, Duane Hill wrote:
> smtpgate# host 2.0.0.127.zen.spamhaus.org
> 2.0.0.127.zen.spamhaus.org has address 127.0.0.10
> 2.0.0.127.zen.spamhaus.org has address 127.0.0.4
> 2.0.0.127.zen.spamhaus.org has address 127.0.0.2

Same here, for whatever it's worth.

--
Yves Goergen "LonelyPixel" <nospam.list@...>
Visit my web laboratory at http://beta.unclassified.de

Re: Incorrect DNSBL evaluation

On Sun, 2008-07-20 at 22:21 +0200, Yves Goergen wrote:
> Correct. My fault. I've looked through the e-mails that I have received
> today and that contain my quoted signature. All of them I could find
> from today have this issue. All messages from today that contain the
> link show the same 3 matches. The URL would be in all 3 lists.

Run such a message through 'spamassassin' again, to see what it reports *now*. Do you still see these strange, multiple URIBL hits?

spamassassin < message > out

If you don't, it may have been an erroneous listing that has been fixed already. After all, that domain currently is *not* listed in URIBL. Or it might have been a temporary DNS issue.

If you still do see these multiple hits however, you will have to investigate further why it is hitting.

Also, check other email (including spam!) for multiple URIBL hits in the existing report headers. Does / did it happen for that one domain only?

> I can remember that I have run 'sa-update' sometime in the last few days, not
> sure when it was exactly. I just ran it again but now it didn't find an
> update.
>
> I need to think about disabling these rules until the cause has been found.

If you find that domain to be the only instance showing such weird results, (temporarily) working around it would be easy. Something like this -- beware, NOT tested.

uri   __UNCLASSIFIED_DE  /unclassified\.de/
meta  WORKAROUND         URIBL_BLACK && URIBL_RED && URIBL_GREY && __UNCLASSIFIED_DE
score WORKAROUND         -5.0

Also, even if you do see these *occasionally* for other domains, too, but there also are good (single) URIBL_* hits, something like the above without the uri rule constraint might help as a quick fix, too. Without losing all URIBL hits. I believe these lists generally should be mutually exclusive.

guenther

--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4"; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1: (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}

Re: Incorrect DNSBL evaluation

Duane Hill wrote:
> On Sun, 20 Jul 2008, Yves Goergen wrote:
>
>> On 20.07.2008 17:10 CE(S)T, mouss wrote:
>>> On the host running SA, try
>>> $ host 1.0.0.127.zen.spamhaus.org
>>
>> It says:
>>
>> 1.0.0.127.zen.spamhaus.org does not exist (Authoritative answer)
>>
>> The server is located in a well-known computing centre in Nuremberg,
>> Germany. I assume they know how to handle DNS services.
>
> Are you sure it's 127.0.0.1? This is at the top of all Spamhaus zones:
>
> :127.0.0.2:http://www.spamhaus.org/SBL/

The goal was to test an _unlisted_ IP, to detect NXDOMAIN "hijacking" (aka "ISP error page"), and 127.0.0.1 is a good example.

http://blog.wired.com/27bstroke6/2008/04/isps-error-page.html

You can of course use any name that is known to return NXDOMAIN.

> Which does yield correct results:
>
> smtpgate# host 2.0.0.127.zen.spamhaus.org
> 2.0.0.127.zen.spamhaus.org has address 127.0.0.10
> 2.0.0.127.zen.spamhaus.org has address 127.0.0.4
> 2.0.0.127.zen.spamhaus.org has address 127.0.0.2

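The two-probe resolver check that mouss and Duane describe above, as an added example in Python (not code from the thread): it parses "host" output for the unlisted test point 127.0.0.1 (which must come back NXDOMAIN; an address there means the resolver rewrites NXDOMAIN) and the listed test point 127.0.0.2 (which zen.spamhaus.org answers with 127.0.0.2, 127.0.0.4 and 127.0.0.10, as in Duane's transcript), and classifies the resolver. It assumes the "host" command is installed on the machine running SA; the sample outputs it is tested with are constructed from the transcripts in this thread.

```python
"""Sanity-check the resolver that SpamAssassin's DNSBL lookups go through.

Added example, not from the thread. Two probes against zen.spamhaus.org:
the UNLISTED address 127.0.0.1 must yield NXDOMAIN, the LISTED test
address 127.0.0.2 must yield the zone's 127.0.0.x return codes.
"""
import re
import subprocess

UNLISTED_PROBE = "1.0.0.127.zen.spamhaus.org"  # 127.0.0.1, octets reversed
LISTED_PROBE = "2.0.0.127.zen.spamhaus.org"    # 127.0.0.2, octets reversed
# Codes seen in the transcript above: SBL (.2), XBL (.4), PBL (.10).
EXPECTED_LISTED = frozenset({"127.0.0.2", "127.0.0.4", "127.0.0.10"})

_ADDR_RE = re.compile(r"^\S+ has address (\d+(?:\.\d+){3})$")
# Both ways `host` has reported NXDOMAIN over the years.
_NX_RE = re.compile(r"^\S+ does not exist\b|^Host \S+ not found: 3\(NXDOMAIN\)")


def parse_host_output(text):
    """Return the A records in `host` output as a set, or None for NXDOMAIN.

    An empty set means neither an address nor NXDOMAIN (SERVFAIL, timeout).
    """
    addrs = set()
    for line in text.splitlines():
        line = line.strip()
        if _NX_RE.match(line):
            return None
        m = _ADDR_RE.match(line)
        if m:
            addrs.add(m.group(1))
    return addrs


def classify(unlisted, listed):
    """Judge the resolver from the parsed answers to the two probes."""
    if unlisted:  # NXDOMAIN replaced by an address: ISP "error page", toy proxy
        return "broken: NXDOMAIN hijacked, got %s" % sorted(unlisted)
    if unlisted is not None:  # empty set: no answer at all
        return "inconclusive: no answer for the unlisted probe"
    if not listed:  # None or empty: zone unreachable, or our queries refused
        return "broken: no answer for the listed test point"
    if listed.isdisjoint(EXPECTED_LISTED):
        return "broken: unexpected codes %s for the listed test point" % sorted(listed)
    return "ok"


def probe(name):
    """Run `host` (assumed installed) for one name and parse what it prints."""
    out = subprocess.run(["host", name], capture_output=True, text=True)
    return parse_host_output(out.stdout + out.stderr)


if __name__ == "__main__":
    print(classify(probe(UNLISTED_PROBE), probe(LISTED_PROBE)))
```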
Re: Incorrect DNSBL evaluation

On Mon, 21 Jul 2008, mouss wrote:
> Duane Hill wrote:
>> On Sun, 20 Jul 2008, Yves Goergen wrote:
>>
>>> On 20.07.2008 17:10 CE(S)T, mouss wrote:
>>>> On the host running SA, try
>>>> $ host 1.0.0.127.zen.spamhaus.org
>>>
>>> It says:
>>>
>>> 1.0.0.127.zen.spamhaus.org does not exist (Authoritative answer)
>>>
>>> The server is located in a well-known computing centre in Nuremberg,
>>> Germany. I assume they know how to handle DNS services.
>>
>> Are you sure it's 127.0.0.1? This is at the top of all Spamhaus zones:
>>
>> :127.0.0.2:http://www.spamhaus.org/SBL/
>
> The goal was to test an _unlisted_ IP, to detect NXDOMAIN "hijacking" (aka
> "ISP error page"), and 127.0.0.1 is a good example.
>
> http://blog.wired.com/27bstroke6/2008/04/isps-error-page.html
>
> You can of course use any name that is known to return NXDOMAIN.

I figured as much after I hit send.

>> Which does yield correct results:
>>
>> smtpgate# host 2.0.0.127.zen.spamhaus.org
>> 2.0.0.127.zen.spamhaus.org has address 127.0.0.10
>> 2.0.0.127.zen.spamhaus.org has address 127.0.0.4
>> 2.0.0.127.zen.spamhaus.org has address 127.0.0.2

-d

Re: Incorrect DNSBL evaluation

On 20.07.2008 22:42 CE(S)T, Karsten Bräckelmann wrote:
> Run such a message through 'spamassassin' again, to see what it reports
> *now*. Do you still see these strange, multiple URIBL hits?
> spamassassin < message > out

It still reports that.

> Also, check other email (including spam!) for multiple URIBL hits in the
> existing report headers. Does / did it happen for that one domain only?

How can I do that? I don't have any dedicated tools or methods for testing a spam filter.

FYI, I have IMAP accounts in Maildir format on the server, but most of my e-mail is stored on my computer, with Thunderbird in mbox format (on Windows).

--
Yves Goergen "LonelyPixel" <nospam.list@...>
Visit my web laboratory at http://beta.unclassified.de

Re: Incorrect DNSBL evaluation

On 20.07.2008 16:18 CE(S)T, Yet Another Ninja wrote:
> This could be a DNS problem returning a .2 (positive response) for all
> queries.
>
> What DNS are you using for your queries?

What do you mean? My mail server uses the DNS servers of the computing centre. What SpamAssassin does, I don't know. The IP addresses are:

# cat /etc/resolv.conf
nameserver 213.133.100.100
nameserver 213.133.99.99
nameserver 213.133.98.98
nameserver 213.133.98.97

--
Yves Goergen "LonelyPixel" <nospam.list@...>
Visit my web laboratory at http://beta.unclassified.de

Re: Incorrect DNSBL evaluation

Yves Goergen wrote:
> On 20.07.2008 22:42 CE(S)T, Karsten Bräckelmann wrote:
>> Run such a message through 'spamassassin' again, to see what it reports
>> *now*. Do you still see these strange, multiple URIBL hits?
>> spamassassin < message > out
>
> It still reports that.
>
>> Also, check other email (including spam!) for multiple URIBL hits in the
>> existing report headers. Does / did it happen for that one domain only?
>
> How can I do that? I don't have any dedicated tools or methods for
> testing a spam filter.
>
> FYI, I have IMAP accounts in Maildir format on the server, but most of
> my e-mail is stored on my computer, with Thunderbird in mbox format (on
> Windows).

View source (CTRL-U) and copy-paste to a file on your server. Then run

# spamassassin -t < message.eml

(the .eml part is not important). To see debug info, use -D.

Re: Incorrect DNSBL evaluation

On 21.07.2008 22:10 CE(S)T, mouss wrote:
> View source (CTRL-U) and copy-paste to a file on your server. Then run
> # spamassassin -t < message.eml

Look through each single message from all my folders that I have received within the last two weeks, view the source, copy it into a file, upload it to the server, and run a command against that file? That seems to be a bit too much work, and I really don't have the time for that.

I have disabled the rules URIBL_{RED,GREY,BLACK} for now and will see how it impacts spam detection. I usually deny messages with more than 7...12 points and see a lot of messages with 20+ points in my filter log.

--
Yves Goergen "LonelyPixel" <nospam.list@...>
Visit my web laboratory at http://beta.unclassified.de

Re: Incorrect DNSBL evaluation

Yves Goergen wrote:
> # cat /etc/resolv.conf
> nameserver 213.133.100.100
> nameserver 213.133.99.99
> nameserver 213.133.98.98
> nameserver 213.133.98.97

Ah, Hetzner. I have had a lot fewer problems since I started to run my own:

main:~> cat /etc/resolv.conf
nameserver 127.0.0.1
#nameserver 213.133.100.100
#nameserver 213.133.99.99
#nameserver 213.133.98.97

and then have the appropriate "allow-recursion" statement in /etc/named.conf.

--
Matthias

Re: Incorrect DNSBL evaluation

On Mon, 2008-07-21 at 21:50 +0200, Yves Goergen wrote:
> On 20.07.2008 22:42 CE(S)T, Karsten Bräckelmann wrote:
> > Run such a message through 'spamassassin' again, to see what it reports
> > *now*. Do you still see these strange, multiple URIBL hits?
> > spamassassin < message > out
>
> It still reports that.

You do have a problem. There are pretty much 2 possible reasons left:

(a) Your DNS is broken. Your domain unclassified.de is not listed on URIBL, yet your DNS answers that it is.

(b) The DNS you're using is a *heavy* hitter on URIBL, and they started responding with a positive match on all your queries. URIBL warns the NS operators a couple of times by mail, and resorts to this only if their mail is being ignored multiple times.

In both cases, go talk to the guy running your DNS servers.

> > Also, check other email (including spam!) for multiple URIBL hits in the
> > existing report headers. Does / did it happen for that one domain only?
>
> How can I do that? I don't have any dedicated tools or methods for
> testing a spam filter.

grep. :)

You can do this type of check easily by grepping through your mail, possibly using other tools like formail for multi-line header wrapping.

OK, I told you to check previously received mail for the same broken URIBL hit pattern. So you could just have a look at the X-Spam headers using you
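One way to do the check Karsten asks for here and in his earlier reply (look through the existing X-Spam-Report headers for a domain that hit URIBL_RED, URIBL_GREY and URIBL_BLACK in the same message), as an added Python example instead of grep/formail; it is not code from the thread. It reads a Thunderbird mbox folder or a server-side Maildir with Python's mailbox module; the open_mailbox helper and the constructed SAMPLE_REPORT (modelled on the report quoted in the first post) are this example's own.

```python
"""Find mail whose X-Spam-Report shows one domain hitting several URIBL
lists at once. Added example, not code from the thread."""
import mailbox
import os
import re
import sys
from collections import defaultdict

# Per the thread these three should not all fire for the same domain.
SUSPECT_RULES = frozenset({"URIBL_RED", "URIBL_GREY", "URIBL_BLACK"})

# One report entry as SpamAssassin folds it into the header:
#     3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
#         [URIs: unclassified.de]
_ENTRY_RE = re.compile(r"(URIBL_[A-Z]+)\b[^\[]*\[URIs:\s*([^\]]+)\]")

# Constructed sample, modelled on the report quoted in the first post.
SAMPLE_REPORT = (
    "Content analysis details:\n"
    "\t0.0 URIBL_RED Contains an URL listed in the URIBL redlist\n"
    "\t    [URIs: unclassified.de]\n"
    "\t0.2 URIBL_GREY Contains an URL listed in the URIBL greylist\n"
    "\t    [URIs: unclassified.de]\n"
    "\t3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist\n"
    "\t    [URIs: unclassified.de]\n"
    "\t5.0 BOTNET Relay might be a spambot or virusbot\n"
    "\t    [botnet0.8,ip=(...)]\n"
)


def uribl_hits(report):
    """Map each domain named in an X-Spam-Report to the URIBL rules it hit."""
    hits = defaultdict(set)
    for rule, uris in _ENTRY_RE.findall(report or ""):
        for domain in re.split(r"[\s,]+", uris.strip()):
            if domain:
                hits[domain.lower()].add(rule)
    return dict(hits)


def multi_listed(report, rules=SUSPECT_RULES):
    """Domains for which every rule in `rules` hit within this one report."""
    return sorted(d for d, r in uribl_hits(report).items() if rules <= r)


def scan_messages(messages):
    """Yield (Message-ID, [domains]) for each message showing the pattern."""
    for msg in messages:
        domains = multi_listed(msg.get("X-Spam-Report"))
        if domains:
            yield msg.get("Message-ID", "<no id>"), domains


def open_mailbox(path):
    """Thunderbird folders are mbox files; server-side accounts are Maildirs."""
    return mailbox.Maildir(path) if os.path.isdir(path) else mailbox.mbox(path)


if __name__ == "__main__":
    for mid, domains in scan_messages(open_mailbox(sys.argv[1])):
        print(mid, ", ".join(domains))
```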