Thread: [SOLVED] spamassassin: false positives from openwhois

  1. #1 ewilen (Moderator, Berkeley, CA)

    [SOLVED] spamassassin: false positives from openwhois

    I've noticed that all of a sudden, the antispam system is scoring DNS_FROM_OPENWHOIS=1.13 for all mail. Based on my own mail, this started happening sometime between 16:17:43 -0700 (PDT) and 19:24:24 -0700 (PDT) on March 16.

    According to https://issues.apache.org/SpamAssass...ug.cgi?id=6157, the particular lookup was removed in July of last year.

    However a grep of the files in /opt/zimbra/conf/spamassassin turns up

    50_scores.cf:score DNS_FROM_OPENWHOIS 0 2.431 0 1.130 # n=0 n=2
    72_active.cf:##{ DNS_FROM_OPENWHOIS
    72_active.cf:header DNS_FROM_OPENWHOIS eval:check_rbl_envfrom('openwhois', 'bl.open-whois.org.')
    72_active.cf:describe DNS_FROM_OPENWHOIS Envelope sender listed in bl.open-whois.org.
    72_active.cf:tflags DNS_FROM_OPENWHOIS net publish
    72_active.cf:##} DNS_FROM_OPENWHOIS
    active.list:DNS_FROM_OPENWHOIS
    STATISTICS-set1.txt: 1.202 1.8584 0.0455 0.976 0.69 2.43 DNS_FROM_OPENWHOIS
    STATISTICS-set3.txt: 1.202 1.8584 0.0455 0.976 0.69 1.13 DNS_FROM_OPENWHOIS

    Not sure if this affects Zimbra builds other than what I'm running (5.0.20).

    Apparently sa-update isn't provided with Franklin, but Bug 27844 - Please provide sa-update and spamassassin command line tools was addressed in 6.0.5. Since I plan to upgrade to that tomorrow, I will try that.

    If anyone else is experiencing this issue and is running a pre-6.0.5 version of zimbra, these threads may help:

    [SOLVED] Can I manually update SpamAssassin rules!
    [SOLVED] sa-update spamassassin
    Last edited by ewilen; 03-20-2010 at 09:14 AM. Reason: left off the date of the first occurrence

  2. #2 ewilen (Moderator)

    Okay, I think I've found how the problem could have suddenly appeared.

    WHOIS for open-whois.org gives the authoritative nameservers as

    Name Server:NS57.DOMAINCONTROL.COM
    Name Server:NS58.DOMAINCONTROL.COM

    If I query those, bl.open-whois.org resolves to 127.0.0.1.

    The owner of the domain must have inserted this record the other day.

    BTW, if updating SA isn't an option for some reason, one could instead write custom rules to reverse the score. But that would be inefficient. I suppose you could also mess around with your local DNS server and/or .hosts, but that would be even worse.
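The check post #2 did by hand, written up as an added example (not code from the thread, Zimbra or SpamAssassin): `check_rbl_envfrom` queries `<sender-domain>.bl.open-whois.org`, so a zone whose nameservers answer for any label at all lists every sender on the system. The script asks the zone for a constructed label that no real list should carry, and for the two test entries RFC 5782 defines for domain-name-based lists (`TEST.<zone>` must be listed, `INVALID.<zone>` must not be). It assumes `dig` is installed; the zone name is the one from the thread, and the `never-listed-…` label is ours.

```shell
#!/bin/sh
# Added example: sanity-check a domain-based DNSBL zone before trusting it in
# SpamAssassin. A zone that answers for an arbitrary label (as post #2 found
# for bl.open-whois.org) will match every envelope sender. Needs `dig`.

# Print the A records for NAME, one per line; prints nothing on NXDOMAIN/NODATA.
rbl_lookup() {
    dig +short "$1" A 2>/dev/null | grep -E '^[0-9]+(\.[0-9]+){3}$' || true
}

# Return 0 if ZONE looks usable, 1 if it lists everything or fails the
# RFC 5782 test entries for domain-name-based lists:
#   TEST.<zone>    must be listed
#   INVALID.<zone> must not be listed
check_rbl_zone() {
    zone=$1
    # Constructed label that no real list should carry; $$ keeps it unique per run.
    junk=$(rbl_lookup "never-listed-$$.$zone")
    test_entry=$(rbl_lookup "test.$zone")
    invalid_entry=$(rbl_lookup "invalid.$zone")

    if [ -n "$junk" ]; then
        echo "FAIL: $zone lists an arbitrary label ($junk); every sender will match"
        return 1
    fi
    if [ -n "$invalid_entry" ]; then
        echo "FAIL: $zone lists INVALID ($invalid_entry), which RFC 5782 forbids"
        return 1
    fi
    if [ -z "$test_entry" ]; then
        echo "FAIL: $zone has no TEST entry; the list may be unreachable or retired"
        return 1
    fi
    echo "OK: $zone answers only for listed names (TEST -> $test_entry)"
    return 0
}

# Usage: sh rblcheck.sh bl.open-whois.org [other.zone ...]
if [ $# -gt 0 ]; then
    for z in "$@"; do check_rbl_zone "$z"; done
fi
```

The check reports what the zone answers today, which may differ from what ewilen saw in March 2010; the point is to run it against every `check_rbl_*` zone in the active rule set whenever a rule suddenly fires on all mail, before reaching for the rule files.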

  3. #3 ewilen (Moderator)

    After upgrading from 5.0.20 to 6.0.5 the false positives are gone without having to run sa-update.

  4. #4 su_A_ve (Advanced Member)

    Anyone installed sa-update on 5.x? I did, however I'm still triggering this rule. Do I have to remove the nn_*.cf files in the /opt/zimbra/conf/spamassassin/ directory? The ones coming in via sa-update are there, but in this case, this rule is still in effect.

    TIA.

  5. #5 ewilen (Moderator)

    See Bug 45625 – remove OPENWHOIS references from spamassasin config

    Several workarounds are mentioned. Also, this will be fixed in 5.0.23 if you don't want to go to GnR yet.

    Finally, sometimes after doing a change to the antispam system, you need to stop/start zimbra, or at least zmantispamctl or zmamavisdctl. Probably doesn't apply in this case since you're modifying the actual files used by SA, but it couldn't hurt.

  6. #6 su_A_ve (Advanced Member)

    Quote Originally Posted by ewilen:
    See Bug 45625 – remove OPENWHOIS references from spamassasin config

    Several workarounds are mentioned. Also, this will be fixed in 5.0.23 if you don't want to go to GnR yet.

    Finally, sometimes after doing a change to the antispam system, you need to stop/start zimbra, or at least zmantispamctl or zmamavisdctl. Probably doesn't apply in this case since you're modifying the actual files used by SA, but it couldn't hurt.
    On 5.x running sa-update pulls down the updated rules into /opt/zimbra/conf/spamassassin/updates_spamassassin_org/ directory. But the original rules persist.

    Since the rules have been removed, I assume the update rules are merged with the original ones. New rules take precedence, but rules removed stay.

    So in this case, a sa-update is not sufficient... Looks like they must be removed/tweaked...

  7. #7 wooby (Loyal Member)

    Should we comment out the lines
    ifplugin Mail::SpamAssassin::Plugin::DNSEval

    endif

    in the file 72_active.cf?
    Please respond.

    Thanks.
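The score-override workaround that posts #2 and #6 point at, written up as an added example (not code from the thread, Zimbra or SpamAssassin). `score RULE 0` is standard SpamAssassin syntax for switching a single rule off; SpamAssassin reads the `*.cf` files in a directory in alphabetical order and the last `score` line wins, so `local.cf` overrides the definitions in `50_scores.cf` and `72_active.cf` without touching them, and without disturbing the `ifplugin Mail::SpamAssassin::Plugin::DNSEval` block that wraps many other rules. The paths under `/opt/zimbra/conf/spamassassin` are assumptions for a Zimbra 5.x/6.x box; check which file survives your upgrades (the workarounds in Bug 45625 are the reference for that) before relying on it.

```shell
#!/bin/sh
# Added example: disable one SpamAssassin rule by score override instead of
# editing the shipped rule files, which sa-update and upgrades leave in place
# (post #6). Paths are assumptions; override with SA_CONF / SA_LOCAL.

SA_CONF=${SA_CONF:-/opt/zimbra/conf/spamassassin}
SA_LOCAL=${SA_LOCAL:-$SA_CONF/local.cf}

# Print "file:line:text" for every definition or score line of RULE under
# SA_CONF. /dev/null is passed as an extra file so grep always prints the name.
find_rule_defs() {
    rule=$1
    grep -nE "^(header|body|rawbody|uri|full|meta|score)[[:space:]]+$rule([[:space:]]|\$)" \
        "$SA_CONF"/*.cf /dev/null 2>/dev/null || true
}

# Append "score RULE 0" to SA_LOCAL once; safe to run repeatedly.
zero_rule_score() {
    rule=$1
    if grep -qE "^score[[:space:]]+$rule[[:space:]]+0([[:space:]]|\$)" "$SA_LOCAL" 2>/dev/null; then
        echo "already disabled: $rule in $SA_LOCAL"
        return 0
    fi
    printf 'score %s 0   # disabled: DNSBL zone lists everything\n' "$rule" >> "$SA_LOCAL"
    echo "disabled: $rule in $SA_LOCAL"
}

# Show the score values SpamAssassin will end up with: the last "score RULE ..."
# line across all *.cf files in read (alphabetical) order, comments stripped.
# Lines from 50_scores.cf carry four values, one per score set.
effective_score() {
    rule=$1
    cat "$SA_CONF"/*.cf 2>/dev/null | awk -v r="$rule" '
        { sub(/#.*/, "") }
        $1 == "score" && $2 == r {
            s = ""
            for (i = 3; i <= NF; i++) s = s (i > 3 ? " " : "") $i
        }
        END { print (s == "" ? "unset" : s) }'
}

# Usage: SA_CONF=/opt/zimbra/conf/spamassassin sh sa-zero-rule.sh DNS_FROM_OPENWHOIS
if [ $# -gt 0 ]; then
    for r in "$@"; do
        find_rule_defs "$r"
        zero_rule_score "$r"
        echo "effective score for $r: $(effective_score "$r")"
    done
fi
```

After changing the files, `spamassassin --lint` (where the command line tools are installed, per Bug 27844) confirms the configuration still parses, and restarting the antispam service as post #5 suggests makes sure the running amavisd picks the change up.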
