dnswl.org and phishing
Mailborder at Gmail
mailborder at gmail.com
Mon Dec 3 11:26:11 GMT 2012
While disconcerting, the email itself still scores above 10, which I would
call high-scoring. Has anyone seen something like this get through with a
score under, say, 3? And if it did, I've seen MS disarm legitimate links on
spam scores under 1.
I agree with Peter though. RBLs, in general, suck. Half my legitimate
email servers make the PBL simply because they reside in Rackspace's IP
address space. So I have to go scrub all these sources to make sure
legitimate resources aren't blacklisted? Yeah ... right .... right here
buddy.
Jerry Benton
http://www.mailborder.com
On Mon, Dec 3, 2012 at 11:45 AM, Peter Farrow <peter at farrows.org> wrote:
> On 12/11/2012 01:19, Paul Welsh wrote:
>
> Hi all
>
> Bit off-topic but thought I'd mention dnswl.org which the spamassassin
> wiki describes here - http://wiki.apache.org/spamassassin/Rules/RCVD_IN_DNSWL_MED - and
> which describes itself as "the leading whitelist provider for email
> filtering".
>
> I was tweaking my spam.assassin.prefs.conf today and noticed
> RCVD_IN_DNSWL_MED gets a -2.3 spamassassin score by default. However,
> on doing some digging I noticed this:
>
> 2012-11-10 11:01:45 1TX8or-0008Fj-1P <= service at santander.co.uk
> H=p02c11o144.mxlogic.net [208.65.144.77] P=esmtps
> X=TLSv1:AES256-SHA:256 S=3244 id=FS3rRZ1UbDBRArVc4Iu00000255 at fs3.ellison.local T="YOUR ONLINE
> ACCOUNT HAS BEEN SUSPENDED" from <service at santander.co.uk> <service at santander.co.uk> for <snip>
>
> This phishing email came from mxlogic.net, now called McAfee SaaS
> Email Protection & Continuity. dnswl.org gives mxlogic.net a
> classification of:
> "Medium Rare spam occurrences, corrected promptly."
>
> Fair enough, this is doubtless one of those rare occurrences but I
> just thought I'd highlight that phishing does appear to be getting
> through mxlogic.net and because of dnswl.org's treatment of it,
> spamassassin is subtracting nearly 3 points from its score.
>
> In the case of the phishing mail I saw, it still got picked up as high
> scoring spam and deleted but had the attempts to forge the Outlook
> headers been better and/or had I given RCVD_IN_DNSWL_MED a higher
> negative score (which I was seriously considering doing), this would
> have been delivered:
>
> Nov 10 11:01:50 mail MailScanner[27602]: Message 1TX8or-0008Fj-1P from
> 208.65.144.77 (service at santander.co.uk) to <snip> is spam,
> SpamAssassin (score=10.984, required 6, autolearn=disabled,
> AXB_XMAILER_MIMEOLE_OL_1ECD5 3.26, FORGED_MUA_OUTLOOK 2.79,
> FORGED_OUTLOOK_HTML 0.00, FROM_MISSPACED 0.00, FROM_MISSP_EH_MATCH
> 0.00, FROM_MISSP_MSFT 0.00, FROM_MISSP_URI 0.00, FROM_MISSP_USER 0.00,
> FSL_NEW_HELO_USER 0.00, HTML_IMAGE_ONLY_16 1.05, HTML_MESSAGE 0.00,
> HTML_TAG_BALANCE_BODY 0.71, MIME_HTML_ONLY 1.10, MISSING_HEADERS 1.21,
> NSL_RCVD_FROM_USER 0.00, RCVD_IN_DNSWL_MED -2.30, SUBJ_ALL_CAPS 1.62,
> TVD_PH_BODY_ACCOUNTS_PRE 1.53, T_REMOTE_IMAGE 0.01)
> Nov 10 11:01:50 mail MailScanner[27602]: Non-delivery of spam: message
> 1TX8or-0008Fj-1P from service at santander.co.uk to <snip> with subject
> YOUR ONLINE ACCOUNT HAS BEEN SUSPENDED
> Nov 10 11:01:50 mail MailScanner[27602]: Spam Actions: message
> 1TX8or-0008Fj-1P actions are delete
>
> A whitelist entry has to be earned, I trust no one by default and create
> my own whitelists - works for me..
>
> --
> Peter Farrow
> Home: 01249 654183 Fax: 01249 461 548 Mobile: 07799605617 Skype:
> peter_farrow Web: www.peterfarrow.com
>
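The scoring question raised in this thread, worked through as an added example (not code from any poster or from MailScanner/SpamAssassin): it parses the quoted MailScanner log entry and re-scores the message with and without the RCVD_IN_DNSWL_MED credit. The function names and the choice of which two rules count as the Outlook-header rules are assumptions made for illustration.

```python
import re

# The MailScanner log entry quoted in the thread, joined onto one line.
LOG = (
    "Nov 10 11:01:50 mail MailScanner[27602]: Message 1TX8or-0008Fj-1P from "
    "208.65.144.77 (service at santander.co.uk) to <snip> is spam, "
    "SpamAssassin (score=10.984, required 6, autolearn=disabled, "
    "AXB_XMAILER_MIMEOLE_OL_1ECD5 3.26, FORGED_MUA_OUTLOOK 2.79, "
    "FORGED_OUTLOOK_HTML 0.00, FROM_MISSPACED 0.00, FROM_MISSP_EH_MATCH 0.00, "
    "FROM_MISSP_MSFT 0.00, FROM_MISSP_URI 0.00, FROM_MISSP_USER 0.00, "
    "FSL_NEW_HELO_USER 0.00, HTML_IMAGE_ONLY_16 1.05, HTML_MESSAGE 0.00, "
    "HTML_TAG_BALANCE_BODY 0.71, MIME_HTML_ONLY 1.10, MISSING_HEADERS 1.21, "
    "NSL_RCVD_FROM_USER 0.00, RCVD_IN_DNSWL_MED -2.30, SUBJ_ALL_CAPS 1.62, "
    "TVD_PH_BODY_ACCOUNTS_PRE 1.53, T_REMOTE_IMAGE 0.01)"
)
WL_RULE = "RCVD_IN_DNSWL_MED"
# Assumption: these are the rules that fired on the forged Outlook headers.
OUTLOOK_RULES = {"AXB_XMAILER_MIMEOLE_OL_1ECD5", "FORGED_MUA_OUTLOOK"}

def parse_report(line):
    """Return (required_score, {rule: score}) from a MailScanner spam log line."""
    body = re.search(r"SpamAssassin \((.*)\)", line).group(1)
    required = float(re.search(r"required (-?\d+(?:\.\d+)?)", body).group(1))
    rules = {n: float(s) for n, s in re.findall(r"\b([A-Z][A-Z0-9_]+) (-?\d+\.\d+)", body)}
    return required, rules

def what_if(line, not_fired=(), wl_score=None):
    """Re-score with some rules absent and/or a different whitelist score."""
    required, rules = parse_report(line)
    rules = {n: s for n, s in rules.items() if n not in not_fired}
    if wl_score is not None and WL_RULE in rules:
        rules[WL_RULE] = wl_score
    score = round(sum(rules.values()), 2)
    return score, score >= required  # spam when score >= required

def break_even_credit(line):
    """Whitelist score at which the logged message sits exactly on `required`."""
    required, rules = parse_report(line)
    return round(required - sum(s for n, s in rules.items() if n != WL_RULE), 2)

if __name__ == "__main__":
    print("as logged:               ", what_if(LOG))
    print("Outlook rules absent:    ", what_if(LOG, OUTLOOK_RULES))
    print("same, whitelist credit 0:", what_if(LOG, OUTLOOK_RULES, wl_score=0.0))
    print("break-even credit:       ", break_even_credit(LOG))
```

Running the same re-scoring over a day of MailScanner logs shows how many messages stay above the threshold only when the whitelist credit is removed, which is the number to look at before making RCVD_IN_DNSWL_MED more negative.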