#1 (permalink)
03-19-2010, 12:25 PM
Moderator
Posts: 1,432
[SOLVED] spamassassin: false positives from openwhois

I've noticed that all of a sudden, the antispam system is scoring DNS_FROM_OPENWHOIS=1.13 for all mail. Based on my own mail, this started happening sometime between 16:17:43 -0700 (PDT) and 19:24:24 -0700 (PDT) on March 16.

According to https://issues.apache.org/SpamAssass...ug.cgi?id=6157, the particular lookup was removed in July of last year.

However a grep of the files in /opt/zimbra/conf/spamassassin turns up

50_scores.cf:score DNS_FROM_OPENWHOIS 0 2.431 0 1.130 # n=0 n=2
72_active.cf:##{ DNS_FROM_OPENWHOIS
72_active.cf:header DNS_FROM_OPENWHOIS eval:check_rbl_envfrom('openwhois', 'bl.open-whois.org.')
72_active.cf:describe DNS_FROM_OPENWHOIS Envelope sender listed in bl.open-whois.org.
72_active.cf:tflags DNS_FROM_OPENWHOIS net publish
72_active.cf:##} DNS_FROM_OPENWHOIS
active.list:DNS_FROM_OPENWHOIS
STATISTICS-set1.txt: 1.202 1.8584 0.0455 0.976 0.69 2.43 DNS_FROM_OPENWHOIS
STATISTICS-set3.txt: 1.202 1.8584 0.0455 0.976 0.69 1.13 DNS_FROM_OPENWHOIS

Not sure if this affects Zimbra builds other than what I'm running (5.0.20).

Apparently sa-update isn't provided with Franklin, but Bug 27844 - Please provide sa-update and spamassassin command line tools was addressed in 6.0.5. Since I plan to upgrade to that tomorrow, I will try that.

If anyone else is experiencing this issue and is running a pre-6.0.5 version of Zimbra, these threads may help:

[SOLVED] Can I manually update SpamAssassin rules!
[SOLVED] sa-update spamassassin
__________________
Elliot Wilen
Berkeley, CA

Don't forget to enter your Zimbra version in your forum profile.

Last edited by ewilen; 03-20-2010 at 09:14 AM. Reason: left off the date of the first occurrence
#2 (permalink)
03-19-2010, 12:34 PM
Moderator
Posts: 1,432

Okay, I think I've found how the problem could have suddenly appeared.

WHOIS for open-whois.org gives the authoritative nameservers as

Name Server:NS57.DOMAINCONTROL.COM
Name Server:NS58.DOMAINCONTROL.COM

If I query those, bl.open-whois.org resolves to 127.0.0.1.

The owner of the domain must have inserted this record the other day.

BTW, if updating SA isn't an option for some reason, one could instead write custom rules to reverse the score. But that would be inefficient. I suppose you could also mess around with your local DNS server and/or .hosts, but that would be even worse.
__________________
Elliot Wilen
Berkeley, CA

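A health check for the failure described in post #2, as an added example that is not part of the original posts: ask the blocklist zone about a name it cannot contain and treat any answer as "lists everything". It assumes the zone answered for names under it as well as at its apex (which scoring every message implies); `probe_dnsbl` and the two stub resolvers are hypothetical names, and the stubs are constructed stand-ins for real DNS.

```python
import secrets
import socket

def probe_dnsbl(zone, resolve=socket.gethostbyname):
    """Check whether a DNS blocklist zone answers for a name it cannot contain.

    `resolve` takes a hostname and returns an IPv4 string or raises OSError;
    it is injectable so the check can be exercised without network access.
    """
    zone = zone.rstrip(".")
    # A random label under the reserved .invalid TLD cannot be a real listing,
    # so any answer for it means the zone answers for every sender domain.
    canary = f"{secrets.token_hex(8)}.invalid.{zone}"

    def lookup(name):
        try:
            return resolve(name)
        except OSError:  # socket.gaierror (no such name) is a subclass
            return None

    apex, wild = lookup(zone), lookup(canary)
    return {
        "zone": zone,
        "apex_answer": apex,        # what the bare zone name resolves to
        "canary_answer": wild,      # what an impossible listing resolves to
        "lists_everything": wild is not None,
    }

# --- Constructed resolvers standing in for real DNS (not captured data) ---
def wildcard_resolver(name):
    """Behaves like a zone where every name resolves to 127.0.0.1."""
    return "127.0.0.1"

def healthy_resolver(name):
    """Behaves like a list that does not contain the queried name."""
    raise socket.gaierror("no such name")

if __name__ == "__main__":
    for label, resolver in (("wildcard", wildcard_resolver),
                            ("healthy", healthy_resolver)):
        print(label, probe_dnsbl("bl.open-whois.org.", resolver))
```

Run periodically against every zone named in the active rules, a check like this flags a list that has started answering for everything before the scores show up in mail headers.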
#3 (permalink)
03-20-2010, 08:38 PM
Moderator
Posts: 1,432

After upgrading from 5.0.20 to 6.0.5 the false positives are gone without having to run sa-update.
__________________
Elliot Wilen
Berkeley, CA

#4 (permalink)
03-30-2010, 11:42 AM
Special Member
Posts: 149

Anyone installed sa-update on 5.x? I did, however I'm still triggering this rule. Do I have to remove the nn_*.cf files in the /opt/zimbra/conf/spamassassin/ directory? The ones coming in via sa-update are there, but in this case, this rule is still in effect.

TIA.
#5 (permalink)
03-30-2010, 12:12 PM
Moderator
Posts: 1,432

See Bug 45625 – remove OPENWHOIS references from spamassasin config

Several workarounds are mentioned. Also, this will be fixed in 5.0.23 if you don't want to go to GnR yet.

Finally, sometimes after doing a change to the antispam system, you need to stop/start zimbra, or at least zmantispamctl or zmamavisdctl. Probably doesn't apply in this case since you're modifying the actual files used by SA, but it couldn't hurt.
__________________
Elliot Wilen
Berkeley, CA

#6 (permalink)
03-30-2010, 12:48 PM
Special Member
Posts: 149

Quote:
Originally Posted by ewilen
See Bug 45625 – remove OPENWHOIS references from spamassasin config

Several workarounds are mentioned. Also, this will be fixed in 5.0.23 if you don't want to go to GnR yet.

Finally, sometimes after doing a change to the antispam system, you need to stop/start zimbra, or at least zmantispamctl or zmamavisdctl. Probably doesn't apply in this case since you're modifying the actual files used by SA, but it couldn't hurt.

On 5.x, running sa-update pulls down the updated rules into the /opt/zimbra/conf/spamassassin/updates_spamassassin_org/ directory. But the original rules persist.

Since the rules have been removed, I assume the update rules are merged with the original ones. New rules take precedence, but rules removed stay.

So in this case, a sa-update is not sufficient... Looks like they must be removed/tweaked...
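One way to do the "removed/tweaked" step without editing the stock files, as an added example that is not part of the original posts: find every rule that queries a given blocklist zone and emit `score <rule> 0` lines, which SpamAssassin treats as disabling the rule. The sample file contents are constructed from the grep output in post #1 plus a made-up `EXAMPLE_RHSBL` rule; the function names are hypothetical, and which local `.cf` file should carry the override on a Zimbra install is not covered by the thread.

```python
import re

# Constructed sample: the DNS_FROM_OPENWHOIS lines are those shown in the
# grep output in post #1; EXAMPLE_RHSBL is a made-up rule for contrast.
SAMPLE_FILES = {
    "50_scores.cf": "score DNS_FROM_OPENWHOIS 0 2.431 0 1.130 # n=0 n=2\n"
                    "score EXAMPLE_RHSBL 0 1.0 0 1.0\n",
    "72_active.cf": (
        "##{ DNS_FROM_OPENWHOIS\n"
        "header DNS_FROM_OPENWHOIS eval:check_rbl_envfrom('openwhois', 'bl.open-whois.org.')\n"
        "describe DNS_FROM_OPENWHOIS Envelope sender listed in bl.open-whois.org.\n"
        "tflags DNS_FROM_OPENWHOIS net publish\n"
        "##} DNS_FROM_OPENWHOIS\n"
        "header EXAMPLE_RHSBL eval:check_rbl_envfrom('example', 'rhsbl.example.net.')\n"
    ),
}

# header NAME eval:check_rbl*('set', 'zone.') -> (NAME, zone)
HEADER_RE = re.compile(
    r"^[ \t]*header[ \t]+(\S+)[ \t]+eval:check_rbl\w*\(\s*'[^']*'\s*,\s*'([^']+)'",
    re.M)
# score NAME v1 [v2 v3 v4]  # optional trailing comment
SCORE_RE = re.compile(r"^[ \t]*score[ \t]+(\S+)[ \t]+([^#\n]+)", re.M)

def find_dnsbl_rules(files, zone):
    """Map rule name -> defining files and scores for rules that query `zone`."""
    zone = zone.rstrip(".").lower()
    hits = {}
    for fname, text in files.items():
        for rule, rule_zone in HEADER_RE.findall(text):
            if rule_zone.rstrip(".").lower() == zone:
                hits.setdefault(rule, {"defined_in": [], "scores": []})
                hits[rule]["defined_in"].append(fname)
    for text in files.values():
        for rule, values in SCORE_RE.findall(text):
            if rule in hits:
                hits[rule]["scores"] = [float(v) for v in values.split()]
    return hits

def score_overrides(hits):
    """Lines for a local .cf file; a score of 0 disables the rule."""
    return [f"score {rule} 0" for rule in sorted(hits)]

if __name__ == "__main__":
    found = find_dnsbl_rules(SAMPLE_FILES, "bl.open-whois.org")
    print(found)
    print("\n".join(score_overrides(found)))
```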
#7 (permalink)
12-12-2010, 03:35 AM
Senior Member
Posts: 74

Should we comment the lines
ifplugin Mail::SpamAssassin::Plugin::DNSEval

endif

in the file 72_active.cf?
Please respond ..

Thanks.