
Mailing List Archive: SpamAssassin: users

DOB blocklist seems to have very old domains



gdt at ir

Oct 5, 2008, 9:19 AM

Post #1 of 11 (302 views)
DOB blocklist seems to have very old domains

I got a FP on mail to the discuss-gnuradio list and found that DOB was
firing on gnuradio.org. Now it seems to be firing on gnu.org as well:

gnuradio.org.dob.sibl.support-intelligence.net. 249 IN A 127.0.0.2
gnu.org.dob.sibl.support-intelligence.net. 1460 IN A 127.0.0.2

I couldn't find anything on the DOB BL page about how to report bugs.


Below is what a sample message got. I think the SA rules are probably
fine, so I'm not including the whole message. But it seems at least my
message fired on 3 rules and that was worth 2.9 points.



Content analysis details:   (-0.2 points, 1.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.5 RCVD_IN_DNSWL_LOW      RBL: Sender listed at http://www.dnswl.org/, low
                            trust
                            [199.232.76.165 listed in list.dnswl.org]
 0.7 DNS_FROM_DOB           RBL: Sender from new domain (Day Old Bread)
 1.1 RCVD_IN_DOB            RBL: Received via relay in new domain (Day Old Bread)
 1.1 URIBL_RHS_DOB          Contains an URI of a new domain (Day Old Bread)
                            [URIs: gnu.org]
-2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                            [score: 0.0000]


maillists at conactive

Oct 5, 2008, 10:31 AM

Post #2 of 11 (291 views)
Re: DOB blocklist seems to have very old domains [In reply to]

Greg Troxel wrote on Sun, 05 Oct 2008 12:19:15 -0400:

> I got a FP on mail to the discuss-gnuradio list and found that DOB was
> firing on gnuradio.org. Now it seems to be firing on gnu.org as well:
>
> gnuradio.org.dob.sibl.support-intelligence.net. 249 IN A 127.0.0.2
> gnu.org.dob.sibl.support-intelligence.net. 1460 IN A 127.0.0.2

It seems to fire on all .org domains but not on others. So, they
apparently have some sort of problem checking the dates of org domains and
put them all on the list.

>
> I couldn't find anything on the DOB BL page about how to report bugs.

I couldn't even find a website. www.support-intelligence.net doesn't
exist. Is this a default RBL of SA?

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com


mouss at netoyen

Oct 5, 2008, 10:56 AM

Post #3 of 11 (290 views)
Re: DOB blocklist seems to have very old domains [In reply to]

Kai Schaetzl wrote:
> Greg Troxel wrote on Sun, 05 Oct 2008 12:19:15 -0400:
>
>> I got a FP on mail to the discuss-gnuradio list and found that DOB was
>> firing on gnuradio.org. Now it seems to be firing on gnu.org as well:
>>
>> gnuradio.org.dob.sibl.support-intelligence.net. 249 IN A 127.0.0.2
>> gnu.org.dob.sibl.support-intelligence.net. 1460 IN A 127.0.0.2
>
> It seems to fire on all .org domains but not on others. So, they
> apparently have some sort of problem checking the dates of org domains and
> put them all on the list.
>
>> I couldn't find anything on the DOB BL page about how to report bugs.
>
> I couldn't even find a website. www.support-intelligence.net doesn't
> exist.

it does from here. and the page still says:

"
The dob list is a DNSRBL that contains domains registered within the
last five days. The list is currently in BETA and should be used
accordingly. We still have some kinks in it and occasionally domains
older than five days, or other important domains end up in the list.
CAVEAT EMPTOR
"

> Is this a default RBL of SA?
>

yes.

$ grep _DOB 50_scores.cf
score DNS_FROM_DOB 0 0.341 0 0.732 # n=0 n=2
score RCVD_IN_DOB 0 0.835 0 1.103 # n=0 n=2
score URIBL_RHS_DOB 0 0.901 0 1.083 # n=0 n=2

See
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5768


Ralf.Hildebrandt at charite

Oct 5, 2008, 11:00 AM

Post #4 of 11 (290 views)
Re: DOB blocklist seems to have very old domains [In reply to]

* mouss <mouss[at]netoyen.net>:

> it does from here. and the page still says:
>
> "
> The dob list is a DNSRBL that contains domains registered within the last
> five days. The list is currently in BETA and should be used accordingly.
> We still have some kinks in it and occasionally domains older than five
> days, or other important domains end up in the list. CAVEAT EMPTOR
> "

python.org is also listed:

Domain Name:PYTHON.ORG
Created On:27-Mar-1995 05:00:00 UTC
Last Updated On:07-Sep-2006 20:50:54 UTC
Expiration Date:28-Mar-2016 05:00:00 UTC

So, they neither have support nor intelligence.

--
Ralf Hildebrandt (i.A. des GB IT) Ralf.Hildebrandt[at]charite.de
Charite - Universitätsmedizin Berlin Tel. +49 (0)30-450 570-155
Gemeinsame Einrichtung von FU- und HU-Berlin Fax. +49 (0)30-450 570-962
Geschäftsbereich IT Standort CBF I'm looking for a job!


sm at resistor

Oct 5, 2008, 11:46 AM

Post #5 of 11 (292 views)
Re: DOB blocklist seems to have very old domains [In reply to]

At 11:00 05-10-2008, Ralf Hildebrandt wrote:
>python.org is also listed:
>
>Domain Name:PYTHON.ORG
>Created On:27-Mar-1995 05:00:00 UTC
>Last Updated On:07-Sep-2006 20:50:54 UTC
>Expiration Date:28-Mar-2016 05:00:00 UTC

It looks like a processing glitch. I sent them an email about the problem.

Regards,
-sm


matthias at leisi

Oct 5, 2008, 12:09 PM

Post #6 of 11 (290 views)
Re: DOB blocklist seems to have very old domains [In reply to]

Kai Schaetzl wrote:

> It seems to fire on all .org domains but not on others. So, they
> apparently have some sort of problem checking the dates of org domains and
> put them all on the list.

IIRC it is not the first time that there were issues with DOB and .org,
but can't find a reference right now. Rick from DOB is following (used
to follow?) the sa-dev list, and I can ping him if the problem persists.

-- Matthias


maillists at conactive

Oct 5, 2008, 12:31 PM

Post #7 of 11 (290 views)
Re: DOB blocklist seems to have very old domains [In reply to]

Mouss wrote on Sun, 05 Oct 2008 19:56:58 +0200:

> > I couldn't even find a website. www.support-intelligence.net doesn't
> > exist.
>
> it does from here.

From various locations in Germany:

host www.support-intelligence.net
Host www.support-intelligence.net not found: 3(NXDOMAIN)

> > Is this a default RBL of SA?
> >
>
> yes.

But not in use if I skip rbl checks, right?

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com


mouss at netoyen

Oct 5, 2008, 12:40 PM

Post #8 of 11 (289 views)
Re: DOB blocklist seems to have very old domains [In reply to]

Kai Schaetzl wrote:
> Mouss wrote on Sun, 05 Oct 2008 19:56:58 +0200:
>
>>> I couldn't even find a website. www.support-intelligence.net doesn't
>>> exist.
>> it does from here.
>
> From various locations in Germany:
>
> host www.support-intelligence.net
> Host www.support-intelligence.net not found: 3(NXDOMAIN)
>

From here too, but the .com works :-)

$ host www.support-intelligence.net
Host www.support-intelligence.net not found: 3(NXDOMAIN)
$ host www.support-intelligence.com
www.support-intelligence.com has address 207.7.138.219


>>> Is this a default RBL of SA?
>>>
>> yes.
>
> But not in use if I skip rbl checks, right?
>

it's inside

ifplugin Mail::SpamAssassin::Plugin::DNSEval

with the other DNSBL checks.


mouss at netoyen

Oct 5, 2008, 3:33 PM

Post #9 of 11 (280 views)
Re: DOB blocklist seems to have very old domains [In reply to]

SM wrote:
> At 11:00 05-10-2008, Ralf Hildebrandt wrote:
>> python.org is also listed:

same for ietf.org (duh!), postfix.org, debian.org, netbsd.org,
dovecot.org, ....., and anything org.

looks like a parser added "org" (and "thus" all its subdomains).

>>
>> Domain Name:PYTHON.ORG
>> Created On:27-Mar-1995 05:00:00 UTC
>> Last Updated On:07-Sep-2006 20:50:54 UTC
>> Expiration Date:28-Mar-2016 05:00:00 UTC
>
> It looks like a processing glitch. I sent them an email about the
> problem.

hope he will detect

In the meantime, it's worth disabling it.

meta DNS_FROM_DOB (0)
meta RCVD_IN_DOB (0)
meta URIBL_RHS_DOB (0)

at least, this saves a dns request ;-p
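
The diagnosis in this thread (every .org domain answering 127.0.0.2) can be checked mechanically before trusting a "new domain" RHSBL. The following is an added example, not code from the thread or from SpamAssassin: it queries a set of long-established canary domains and flags any TLD where all of them are listed. The function names, the canary list and the sample answers are assumptions constructed for illustration; only the zone name and the listed .org domains come from the posts above.

```python
import socket
from collections import defaultdict

DOB_ZONE = "dob.sibl.support-intelligence.net"  # zone seen in the thread's lookups

def rhsbl_name(domain, zone=DOB_ZONE):
    """Build the RHSBL query name: <domain>.<zone>."""
    return f"{domain.strip('.').lower()}.{zone}"

def dns_lookup(name):
    """Return the A record for name, or None on NXDOMAIN or failure (live DNS)."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def audit_canaries(canaries, lookup=dns_lookup, zone=DOB_ZONE):
    """Query old, well-known domains that must never be on a new-domain list.

    Returns (listed, suspect_tlds). listed maps domain -> 127.0.0.x answer.
    suspect_tlds holds each TLD where every canary (at least two) is listed,
    the pattern of a whole-TLD listing rather than a single false positive.
    """
    listed, by_tld = {}, defaultdict(list)
    for domain in canaries:
        answer = lookup(rhsbl_name(domain, zone))
        hit = answer is not None and answer.startswith("127.")
        if hit:
            listed[domain] = answer
        by_tld[domain.rsplit(".", 1)[-1]].append(hit)
    suspect = sorted(t for t, hits in by_tld.items()
                     if len(hits) >= 2 and all(hits))
    return listed, suspect

# Constructed sample answers modelled on the thread (.org listed, others not),
# so the example runs offline. Omit lookup= to query live DNS instead.
SAMPLE_ANSWERS = {rhsbl_name(d): "127.0.0.2"
                  for d in ("gnu.org", "gnuradio.org", "python.org", "ietf.org")}
CANARIES = ["gnu.org", "python.org", "ietf.org", "example.com", "example.net"]

if __name__ == "__main__":
    listed, suspect = audit_canaries(CANARIES, lookup=SAMPLE_ANSWERS.get)
    for domain, answer in listed.items():
        print(f"FALSE POSITIVE: {domain} -> {answer}")
    print("TLDs listed wholesale:", suspect or "none")
```

Run periodically, a check like this gives an early signal to zero the affected rule scores before legitimate mail is penalised.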


maillists at conactive

Oct 6, 2008, 5:59 AM

Post #10 of 11 (278 views)
Re: DOB blocklist seems to have very old domains [In reply to]

They seem to have resolved that problem now.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com


maillists at conactive

Oct 6, 2008, 5:59 AM

Post #11 of 11 (275 views)
Re: DOB blocklist seems to have very old domains [In reply to]

Mouss wrote on Sun, 05 Oct 2008 21:40:26 +0200:

> From here too, but the .com works :-)

Right. But the normal way would be to deduce URL from the lookup URL which
ends up in .net. On the other hand that's not even mentioned in the rule
which might lead to a search for "Day Old Bread" list and avoid the wrong
net URL ;-)

> ifplugin Mail::SpamAssassin::Plugin::DNSEval
>
> with the other DNSBL checks.

yeah, that's enabled by default. Is the skip_rbl_checks option then still
useful at all?

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
