FYI: notifications being flagged as spam



Neo
-17th February 2008, 21:29
FYI, forum notifications are being caught by SpamAssassin (a popular spam classification system - http://www.spamassassin.org). The two tests it's matching against are nothing to do with the content of the email (else I'd file this as an issue with either SpamAssassin or vBulletin), but:

1) Something to do with malformed mail-ids
2) Listing in rfc-ignorant. There are actually 3 listings - 1 for no abuse@ address, 1 for no postmaster@ address and 1 for not accepting mail from a null sender (required for bouncing mail etc).

M


Spam detection software, running on the system "socrates.firstinternetservices.com", has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see postmaster@MAILREMOVEDNOSPAM for details.

Content preview: Dear Neo, hokers has just replied to a thread you have subscribed
to entitled - Kids accessing pornography - in the Chit-Chat forum of Fencing
Forum. This thread is located at: http://www.fencingforum.com/forum/showthread.php?t=7956&goto=newpost
[...]

Content analysis details: (6.4 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.5 DNS_FROM_RFC_DSN       RBL: Envelope sender in dsn.rfc-ignorant.org
 3.9 AXB_XMID_1212          Barbera Fingerprint

TLove
-17th February 2008, 21:42
Indeed

http://www.rfc-ignorant.org/tools/lookup.php?domain=fencingforum.com

Neo
-17th February 2008, 21:45
That notification didn't get flagged, though checking the headers it's still getting caught by the DNS_FROM_RFC_DSN test (interestingly my installation of SpamAssassin appears to be ignoring the rest of the listings at rfc-ignorant), which puts it under the threshold, but when combined with other tests, such as the malformed mail-id, it ends up as spam.

Neo
-17th February 2008, 22:13
rfc-ignorant will remove the listings on an email from Ben (or other owner or administrator of domain) with proof that the addresses above exist (and in the case of the DSN listing, that the mail server accepts mail from null sender).

Looks like currently you're entitled to removal from DSN & postmaster blacklists, but not abuse:

root@socrates:/var/mail# telnet mail20.ixwebhosting.com 25
Trying 76.162.254.20...
Connected to mail20.ixwebhosting.com.
Escape character is '^]'.
220 mail20.opentransfer.com ESMTP
HELO
250 mail20.opentransfer.com
MAIL FROM:<>
250 ok
RCPT TO:<postmaster@fencingforum.com>
250 ok
RCPT TO:<abuse@fencingforum.com>
550 sorry, no mailbox here by that name (#5.1.1)
Connection closed by foreign host.

Including the above in email should be sufficient to get it removed from DSN & postmaster.

ps. rfc-ignorant themselves are just a website & dns blacklist, but they're used by various spam detection systems to weight/classify spam.
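
Added example, not part of the thread and not rfc-ignorant's or SpamAssassin's own code: a small Python parser that reads an SMTP session transcript like the telnet one above and reports, for each of the three listings discussed (null sender, postmaster@, abuse@), whether the session shows the requirement being met. The function names and the result keys `dsn`, `postmaster` and `abuse` are assumptions made for this illustration.

```python
import re

# Client commands and server replies copied from the telnet session in the thread.
THREAD_SESSION = """\
220 mail20.opentransfer.com ESMTP
HELO
250 mail20.opentransfer.com
MAIL FROM:<>
250 ok
RCPT TO:<postmaster@fencingforum.com>
250 ok
RCPT TO:<abuse@fencingforum.com>
550 sorry, no mailbox here by that name (#5.1.1)
"""

REPLY = re.compile(r"^(\d{3})([ -]|$)")
COMMAND = re.compile(r"^(MAIL FROM|RCPT TO):\s*<([^>]*)>", re.IGNORECASE)


def pair_commands(transcript):
    """Return (verb, address, reply_code) for every MAIL FROM / RCPT TO."""
    pairs, pending = [], None
    for line in map(str.strip, transcript.splitlines()):
        reply = REPLY.match(line)
        if reply:
            # "250-..." is a continuation line; only the final line decides.
            if pending and reply.group(2) != "-":
                pairs.append((*pending, int(reply.group(1))))
                pending = None
            continue
        cmd = COMMAND.match(line)
        pending = (cmd.group(1).upper(), cmd.group(2).lower()) if cmd else None
    return pairs


def listing_evidence(transcript, domain):
    """True = requirement met, False = not met, None = not tested."""
    status = {"dsn": None, "postmaster": None, "abuse": None}
    in_txn = False
    for verb, addr, code in pair_commands(transcript):
        accepted = 200 <= code < 300
        if verb == "MAIL FROM":
            in_txn = accepted
            if addr == "":          # the null sender used for bounces
                status["dsn"] = accepted
        elif in_txn:
            # RCPT replies only count inside an accepted MAIL transaction;
            # otherwise a 503 "bad sequence" would look like a missing mailbox.
            local, _, dom = addr.partition("@")
            if dom == domain.lower() and local in ("postmaster", "abuse"):
                status[local] = accepted
    return status
```

For the session in the thread this reports `dsn` and `postmaster` as met and `abuse` as not met, matching the conclusion in the post. A 250 to `MAIL FROM:<>` is the same evidence the post relies on; a server can still refuse a null-sender message at a later stage of the transaction.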