nanogui: Thread: Mailing list issues

Everyone:

I've found the root cause of the problem with Greg and I both being 
"removed." Apparently Spam Assassin, beginning late on the 18th started 
blocking messages due to the mail server at linuxhacker.org being 
hosted on a dynamic IP and DHCP-assigned machine (is it?) The SA 
headers from a sample rejected mail:

  pts rule name              description
---- ---------------------- 
--------------------------------------------------
  0.0 NO_REAL_NAME           From: does not include a real name
  4.4 HELO_DYNAMIC_IPADDR    Relay HELO'd using suspicious hostname (IP 
addr 1)
  1.2 HELO_DYNAMIC_DHCP      Relay HELO'd using suspicious hostname 
(DHCP)
  0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                             [score: 0.5000]
  0.1 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay

Alex - is this correct that linuxhacker is hosted on a dynamic IP? This 
could be causing many, many people to miss emails from the list and not 
even realize it - especially if their ISP is doing their filtering for 
them. This is happening on a bone-stock 3.0.2 version of SA.

I'm having the linuxhacker.org domain whitelisted for now, but we 
probably need to get to the root of the problem so others can benefit.

Jason Kingan

Jason Kingan wrote:
> I've found the root cause of the problem with Greg and I both being 
> "removed." Apparently Spam Assassin, beginning late on the 18th started 

I did say to Greg earlier this afternoon that he hadn't been unsubscribed.

> blocking messages due to the mail server at linuxhacker.org being hosted 
> on a dynamic IP and DHCP-assigned machine (is it?) The SA headers from a 

Nope. I have a block of static IPs.

>  4.4 HELO_DYNAMIC_IPADDR    Relay HELO'd using suspicious hostname (IP 
> addr 1)

The HELO is set to "dsl-62-3-116-153.zen.co.uk" which is correct because 
it matches the default reverse lookup for the IP address (I've never had 
a good reason to change it from the default). It sounds like the 
Spamassassin developers have been a bit overzealous in deciding that 
certain hostnames are more likely to be spam sources than others. I'll 
get my ISP to change the reverse lookup to a name of my own choosing; 
that should hopefully work around this dodgy rule.

-- 
------------ Alex Holden - http://www.alexholden.net/ ------------
If it doesn't work, you're not hitting it with a big enough hammer

Alex Holden wrote:

>>  4.4 HELO_DYNAMIC_IPADDR    Relay HELO'd using suspicious hostname
>> (IP addr 1)
>
>
> The HELO is set to "dsl-62-3-116-153.zen.co.uk" which is correct
> because it matches the default reverse lookup for the IP address (I've
> never had a good reason to change it from the default). It sounds like
> the Spamassassin developers have been a bit overzealous in deciding
> that certain hostnames are more likely to be spam sources than others.
> I'll get my ISP to change the reverse lookup to a name of my own
> choosing; that should hopefully work around this dodgy rule.
>
I don't think it's going to be that easy.

SpamAssassin is being arsy as your IP is probably in a block of, what
used to be called, DialUP pools.  It's considered that any SMTP server
running on said IP pool is probably a spammer, hence the high rating.

I /really/ can't recall who maintains this list right now - I tried to
get my old DSL removed from it, and it was a waste of time, at that
time, they weren't interested....

-D

On Apr 20, 2005, at 10:51 AM, Alex Holden wrote:

> Jason Kingan wrote:
>> I've found the root cause of the problem with Greg and I both being 
>> "removed." Apparently Spam Assassin, beginning late on the 18th 
>> started
>
> I did say to Greg earlier this afternoon that he hadn't been 
> unsubscribed.

Unfortunately, he probably didn't see that message either. Everything 
from linuxhacker.org was being dumped as spam.

>> blocking messages due to the mail server at linuxhacker.org being 
>> hosted on a dynamic IP and DHCP-assigned machine (is it?) The SA 
>> headers from a
>
> Nope. I have a block of static IPs.

Good.

>>  4.4 HELO_DYNAMIC_IPADDR    Relay HELO'd using suspicious hostname 
>> (IP addr 1)
>
> The HELO is set to "dsl-62-3-116-153.zen.co.uk" which is correct 
> because it matches the default reverse lookup for the IP address (I've 
> never had a good reason to change it from the default). It sounds like 
> the Spamassassin developers have been a bit overzealous in deciding 
> that certain hostnames are more likely to be spam sources than others. 
> I'll get my ISP to change the reverse lookup to a name of my own 
> choosing; that should hopefully work around this dodgy rule.

Yes - getting them both set to linuxhacker.org if possible would be the 
best thing. I've also found that in most cases setting HELO to be the 
domain name (regardless of rev DNS) seems to make things run smoother. 
My personal domain was changed to be like this a couple of years ago 
because of similar problems. Cleared right up when I did this. Don't 
know if that's the "correct" thing to do, but it certainly cured my 
blocked mail issues.

Thanks,
Jason

Jason Kingan wrote:
> Yes - getting them both set to linuxhacker.org if possible would be the 
> best thing. I've also found that in most cases setting HELO to be the 
> domain name (regardless of rev DNS) seems to make things run smoother. 

I've done that before on other servers and it triggered spam filtering 
rules which say that the HELO name needs to resolve to the IP and the IP 
needs to reverse resolve to the HELO name. ISTR that AOL in particular 
refuse all mail from servers which fail this test.

-- 
------------ Alex Holden - http://www.alexholden.net/ ------------
If it doesn't work, you're not hitting it with a big enough hammer

On Mer, 2005-04-20 at 18:00, Darran Rimron wrote:
> SpamAssassin is being arsy as your IP is probably in a block of, what
> used to be called, DialUP pools.  It's considered that any SMTP server
> running on said IP pool is probably a spammer, hence the high rating.

Not spamassassin but the block list some people are using. Its their own
fault quite honestly for using invalid and incorrect data sources. If
its being used in the default list by your package vendor please also
file bugs against their spamassassin packages.

Alan

Darran Rimron wrote:
> SpamAssassin is being arsy as your IP is probably in a block of, what
> used to be called, DialUP pools.  It's considered that any SMTP server
> running on said IP pool is probably a spammer, hence the high rating.

Ah, don't get me started on people who block based on the various 
(generally very poorly maintained) dialup blacklists. And then complain 
that they're not getting legitimate mail. But that's not what the 
HELO_DYNAMIC-IPADDR rule is about. From the SpamAssassin source:

# Interesting new feature; spamware HELO'ing, from a dialup IP addr,
# using that IP's rDNS entry.  We can catch this easily.  There aren't
# many legit mailservers calling themselves
# 'dhcp024-210-034-053.columbus.rr.com'. ;)

-- 
------------ Alex Holden - http://www.alexholden.net/ ------------
If it doesn't work, you're not hitting it with a big enough hammer

In this case, it isn't a blocklist problem. It's a Spam Assassin 
problem. The rule HELO_DYNAMIC_IPADDR and HELO_DYNAMIC_DHCP in SA is a 
regex one that catches hostnames similar to Alex's. Unfortunately, it 
also catches buckets of spam or I'd just disable it. Getting SA changed 
everywhere is an uphill battle - probably easier in the short term (and 
certainly the most reliable way) to get the rev dns delegated properly 
to linuxhacker.org.

But I agree - blocklists in general are a major pain in some cases.

Jason

On Apr 20, 2005, at 10:28 AM, Alan Cox wrote:

> On Mer, 2005-04-20 at 18:00, Darran Rimron wrote:
>> SpamAssassin is being arsy as your IP is probably in a block of, what
>> used to be called, DialUP pools.  It's considered that any SMTP server
>> running on said IP pool is probably a spammer, hence the high rating.
>
> Not spamassassin but the block list some people are using. Its their 
> own
> fault quite honestly for using invalid and incorrect data sources. If
> its being used in the default list by your package vendor please also
> file bugs against their spamassassin packages.
>
> Alan
>
>