MRatWork Forum by Mustafa Ramadhan

Sawo Project - Kloxo-MR Discussions => Kloxo-MR Bugs and Requests => Topic started by: Joe on 2014-02-01, 17:18:14

Title: Spamassassin RDNS_NONE Rule False Positives
Post by: Joe on 2014-02-01, 17:18:14
I just upgraded from Kloxo original to MR. Now when using Spamassassin all emails are showing false positives for the 'RDNS_NONE' rule. There seems to be a problem with reverse dns lookups.

I've used Kloxo original for years with Spamassassin on multiple servers and never had this problem. I use custom scoring and many spammers do not have reverse dns but some legitimate mail as well so I like to increase the RDNS_NONE score to prevent spam but not reject all email without reverse dns.
Title: Re: Spamassassin RDNS_NONE Rule False Positives
Post by: MRatWork on 2014-02-01, 17:24:23
Read http://forum.mratwork.com/kloxo-mr-tips-and-tricks/(tip)-how-to-setup-qmail-on-kloxo-mr/ related to reverse-dns
Title: Re: Spamassassin RDNS_NONE Rule False Positives
Post by: Joe on 2014-02-01, 17:52:43
I just followed those steps for qmail and spamassassin is still showing all incoming mail as RDNS_NONE.
Title: Re: Spamassassin RDNS_NONE Rule False Positives
Post by: MRatWork on 2014-02-01, 18:09:36
Try bogofilter instead of spamassassin. Set it up in 'switch program'.
Title: Re: Spamassassin RDNS_NONE Rule False Positives
Post by: Joe on 2014-02-01, 18:23:32
Bogofilter can't compare to spamassassin. I have custom rules and DnsBlocklists that I have used over many years with spamassassin that have eliminated 99% of spam. All of them work except for rdns lookups and now only about 90% of spam is blocked because I had to disable RDNS_NONE.
Title: Re: Spamassassin RDNS_NONE Rule False Positives
Post by: Joe on 2014-02-01, 18:37:21
Is this a different version of Spamassassin made for Qmailtoaster? How is it different from the original Kloxo version that was installed?
Title: Re: Spamassassin RDNS_NONE Rule False Positives
Post by: MRatWork on 2014-02-01, 18:40:10
Spamassassin is also taken from qmailtoaster.com
Title: Re: Spamassassin RDNS_NONE Rule False Positives
Post by: Joe on 2014-02-01, 19:05:37
How do I remove this version of spamassassin?
Title: Re: Spamassassin RDNS_NONE Rule False Positives
Post by: Joe on 2014-02-01, 19:19:58
yum remove spamassassin-toaster

Will try a newer version and see if it works.
Title: Re: Spamassassin RDNS_NONE Rule False Positives
Post by: Joe on 2014-02-01, 19:33:46
I installed Spamassassin 3.3.2-7 and same problem. Kloxo MR is not performing reverse DNS lookups.
Title: Re: Spamassassin RDNS_NONE Rule False Positives
Post by: Spacedust on 2014-02-02, 15:30:45
It works fine blocking all spammers ;)
Title: Re: Spamassassin RDNS_NONE Rule False Positives
Post by: Joe on 2014-02-02, 20:32:30
It works fine blocking all spammers ;)

Nothing blocks ALL spammers without blocking some legitimate mail but Spamassassin does the best job especially if you tweak the default rules.

MRatWork,

Spamdyke's feature of Rejecting Servers Without RDNS Names works but Spamassassin for some reason isn't looking up reverse dns. Tested again with Kloxo original and the Spamassassin RDNS_NONE feature works.

I guess for now I'll use Spamdyke's setting since it should bounce the message and let the legitimate sender know why it was rejected.
Title: Re: Spamassassin RDNS_NONE Rule False Positives
Post by: Spacedust on 2014-02-02, 23:26:39
I confirm this too; checking MX also gives a false positive! MX exists but it shows that it doesn't and rejects mail!

Disable this to get all your e-mails!

How to fix this?
Title: Re: Spamassassin RDNS_NONE Rule False Positives
Post by: Joe on 2014-02-03, 01:07:10
Yea, if you look at the email headers of all incoming email it shows "Received: from unknown" when it should show "Received: from hostname and ipaddress". I think all of these problems are caused by Kloxo MR's requirement to use qmail toaster compared with the original Kloxo.

Kloxo original using qmail does not show the "Received: from unknown" header. Something sure doesn't seem configured right or I'm not sure if qmail toaster handles headers differently and that creates a problem with Spamassassin.
Title: Re: Spamassassin RDNS_NONE Rule False Positives
Post by: chrisf on 2014-02-03, 17:16:01
It appears qmail-toaster does headers differently.  The received from unknown, not sure if a bug, or if that is how they set it up, since right after that it has the (helo hostname) IP.

It appears to be a regex problem in the perl script for spamassassin.

Using spamdyke protects you from this, so enable spamdyke and disable rdns none in spamassassin.

Find and Change /etc/spamassassin/local.cf:

Code:
score RDNS_NONE 0
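
Added example, not part of chrisf's post or of SpamAssassin's own code: a Python check for the header symptom discussed in this thread, where the local qmail hop records `unknown` in the reverse-DNS position of its Received line. The function names and the sample messages are constructed for illustration and assume the standard qmail-smtpd Received layout.

```python
import re
from email import message_from_string

# qmail-smtpd trace format (the HELO part is optional):
#   from <rdns> (HELO <helo>) ([<ident>@]<ip>) by <local host> with SMTP; <date>
QMAIL_FROM = re.compile(
    r"^from\s+(?P<rdns>\S+)\s+"
    r"(?:\(HELO\s+(?P<helo>[^)\s]+)\)\s+)?"
    r"\((?:[^@)\s]+@)?(?P<ip>[0-9A-Fa-f.:]+)\)\s+by\s+(?P<by>\S+)"
)

def parse_qmail_received(value):
    """Parse one Received value; return None if it is not a qmail-smtpd line."""
    m = QMAIL_FROM.match(" ".join(value.split()))  # unfold continuation lines
    if not m:
        return None
    info = m.groupdict()
    # The literal name "unknown" means no PTR name reached qmail-smtpd.
    info["has_rdns"] = info["rdns"].lower() != "unknown"
    return info

def newest_smtp_hop(raw_message):
    """Return the parsed topmost 'from ...' Received header, i.e. the hop
    recorded by the local server, skipping '(qmail NNN invoked ...)' lines."""
    msg = message_from_string(raw_message)
    for value in msg.get_all("Received", []):
        info = parse_qmail_received(value)
        if info:
            return info
    return None

# Constructed samples (documentation addresses, not taken from the thread).
NO_RDNS = (
    "Received: (qmail 17170 invoked by uid 89); 4 Feb 2014 15:15:21 -0000\n"
    "Received: from unknown (HELO mail.example.org) (192.0.2.25)\n"
    "  by mail.example.net with SMTP; 4 Feb 2014 15:15:21 -0000\n"
    "Subject: test\n\nbody\n"
)
WITH_RDNS = (
    "Received: from mail.example.org (192.0.2.25)\n"
    "  by mail.example.net with SMTP; 4 Feb 2014 15:15:21 -0000\n"
    "Subject: test\n\nbody\n"
)

if __name__ == "__main__":
    for name, raw in (("NO_RDNS", NO_RDNS), ("WITH_RDNS", WITH_RDNS)):
        hop = newest_smtp_hop(raw)
        print(name, hop["ip"], "rdns=" + hop["rdns"], "has_rdns=%s" % hop["has_rdns"])
```

If every message arriving from the Internet reports `has_rdns=False`, the name is missing before the message ever reaches the spam filter, so the place to look is the SMTP front end rather than the scoring rules.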
Title: Re: Spamassassin RDNS_NONE Rule False Positives
Post by: Joe on 2014-02-03, 20:17:37
It appears qmail-toaster does headers differently.  The received from unknown, not sure if a bug, or if that is how they set it up, since right after that it has the (helo hostname) IP.

It appears to be a regex problem in the perl script for spamassassin.

Using spamdyke protects you from this, so enable spamdyke and disable rdns none in spamassassin.

Find and Change /etc/spamassassin/local.cf:

Code:
score RDNS_NONE 0

That's what I did but about 5% of legitimate email does not have reverse ptr records set up correctly. I would prefer to increase the spam score instead of blocking those completely without RDNS. People really should learn to set up mx records, reverse dns, DKIM, and SPF.
Title: Re: Spamassassin RDNS_NONE Rule False Positives
Post by: chrisf on 2014-02-03, 21:47:18
+1 Joe, those are all important things, and I agree.  I block them, if they are not serious enough about security, spam, and maintaining the proper records - sorry. ;)
Title: Re: Spamassassin RDNS_NONE Rule False Positives
Post by: Spacedust on 2014-02-03, 23:43:26
Thank you!
Title: Re: Spamassassin RDNS_NONE Rule False Positives
Post by: Spacedust on 2014-02-04, 15:12:35
It doesn't work! Good e-mails are still rejected because of no reverse DNS or MX while it works well.
Title: Re: Spamassassin RDNS_NONE Rule False Positives
Post by: Spacedust on 2014-02-04, 15:17:37
Take a look - proper e-mail from PayPal is rejected!

Quote
Feb  4 15:15:19 onlinecity smtp: 1391523319.964820 17163 > 220 mail.mydomain.pl - Welcome to Qmail ESMTP?
Feb  4 15:15:20 onlinecity smtp: 1391523320.139108 17163 < EHLO mx0.slc.paypal.com?
Feb  4 15:15:20 onlinecity smtp: 1391523320.139208 17163 > 250-mail.mydomain.pl - Welcome to Qmail?
Feb  4 15:15:20 onlinecity smtp: 1391523320.139229 17163 > 250-STARTTLS?
Feb  4 15:15:20 onlinecity smtp: 1391523320.139232 17163 > 250-PIPELINING?
Feb  4 15:15:20 onlinecity smtp: 1391523320.139244 17163 > 250-8BITMIME?
Feb  4 15:15:20 onlinecity smtp: 1391523320.139254 17163 > 250-SIZE 268435456?
Feb  4 15:15:20 onlinecity smtp: 1391523320.139257 17163 > 250 AUTH LOGIN PLAIN CRAM-MD5?
Feb  4 15:15:20 onlinecity smtp: 1391523320.760125 17163 < MAIL FROM:<service@paypal.pl>?
Feb  4 15:15:20 onlinecity smtp: 1391523320.761166 17163 > 250 Refused. The domain of your sender address has no mail exchanger (MX).?
Feb  4 15:15:20 onlinecity smtp: 1391523320.943264 17163 < RCPT TO:<admin@mydomain.pl>?
Feb  4 15:15:20 onlinecity smtp: 1391523320.943791 17163 > 421 Refused. The domain of your sender address has no mail exchanger (MX).?
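
Added example, not part of Spacedust's post or of any tool mentioned in the thread: a Python pass over a log in the format quoted above that groups lines by connection and lists refused sessions whose sender domain is on an operator-supplied list of senders known to be legitimate. The function names and the `known_good_domains` list are assumptions for illustration; the sample lines are copied from the quoted log.

```python
import re
from collections import defaultdict

# "<syslog prefix> smtp: <epoch> <pid> <direction> <SMTP line>", as in the quoted log.
# "<" is the remote client, ">" is the local server; the trailing "?" is dropped.
LINE = re.compile(r"smtp: (?P<ts>\d+\.\d+) (?P<pid>\d+) (?P<dir>[<>]) (?P<text>.*?)\??\s*$")
ADDR = re.compile(r"<([^>]*)>")
REPLY = re.compile(r"(\d{3})[ -](.*)")

def _addr(text):
    m = ADDR.search(text)
    return m.group(1) if m else None

def summarize_sessions(lines):
    """Group logged SMTP traffic by connection (pid) and collect refusals."""
    sessions = defaultdict(lambda: {"helo": None, "mail_from": None,
                                    "rcpt_to": [], "refused": []})
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        s, text = sessions[m["pid"]], m["text"]
        verb = text.upper()
        if m["dir"] == "<":
            if verb.startswith(("EHLO ", "HELO ")):
                s["helo"] = text.split(None, 1)[1]
            elif verb.startswith("MAIL FROM:"):
                s["mail_from"] = _addr(text)
            elif verb.startswith("RCPT TO:"):
                s["rcpt_to"].append(_addr(text))
        else:
            r = REPLY.match(text)
            if r and "Refused" in r.group(2):
                s["refused"].append((int(r.group(1)), r.group(2).strip()))
    return dict(sessions)

def refused_known_senders(sessions, known_good_domains):
    """Refused sessions whose envelope sender domain the operator trusts."""
    hits = []
    for pid, s in sessions.items():
        domain = (s["mail_from"] or "").rpartition("@")[2].lower()
        if s["refused"] and domain in known_good_domains:
            hits.append((pid, s["mail_from"], sorted({r for _, r in s["refused"]})))
    return hits

SAMPLE_LOG = """\
Feb  4 15:15:20 onlinecity smtp: 1391523320.139108 17163 < EHLO mx0.slc.paypal.com?
Feb  4 15:15:20 onlinecity smtp: 1391523320.760125 17163 < MAIL FROM:<service@paypal.pl>?
Feb  4 15:15:20 onlinecity smtp: 1391523320.761166 17163 > 250 Refused. The domain of your sender address has no mail exchanger (MX).?
Feb  4 15:15:20 onlinecity smtp: 1391523320.943264 17163 < RCPT TO:<admin@mydomain.pl>?
Feb  4 15:15:20 onlinecity smtp: 1391523320.943791 17163 > 421 Refused. The domain of your sender address has no mail exchanger (MX).?
"""
```

Calling `refused_known_senders(summarize_sessions(SAMPLE_LOG.splitlines()), {"paypal.pl"})` returns the one refused session together with the refusal reason, which is the evidence needed when deciding which filter option to switch off.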
Title: Re: Spamassassin RDNS_NONE Rule False Positives
Post by: Joe on 2014-02-04, 17:46:12
Take a look - proper e-mail from PayPal is rejected!

Quote
Feb  4 15:15:19 onlinecity smtp: 1391523319.964820 17163 > 220 mail.mydomain.pl - Welcome to Qmail ESMTP?
Feb  4 15:15:20 onlinecity smtp: 1391523320.139108 17163 < EHLO mx0.slc.paypal.com?
Feb  4 15:15:20 onlinecity smtp: 1391523320.139208 17163 > 250-mail.mydomain.pl - Welcome to Qmail?
Feb  4 15:15:20 onlinecity smtp: 1391523320.139229 17163 > 250-STARTTLS?
Feb  4 15:15:20 onlinecity smtp: 1391523320.139232 17163 > 250-PIPELINING?
Feb  4 15:15:20 onlinecity smtp: 1391523320.139244 17163 > 250-8BITMIME?
Feb  4 15:15:20 onlinecity smtp: 1391523320.139254 17163 > 250-SIZE 268435456?
Feb  4 15:15:20 onlinecity smtp: 1391523320.139257 17163 > 250 AUTH LOGIN PLAIN CRAM-MD5?
Feb  4 15:15:20 onlinecity smtp: 1391523320.760125 17163 < MAIL FROM:<service@paypal.pl>?
Feb  4 15:15:20 onlinecity smtp: 1391523320.761166 17163 > 250 Refused. The domain of your sender address has no mail exchanger (MX).?
Feb  4 15:15:20 onlinecity smtp: 1391523320.943264 17163 < RCPT TO:<admin@mydomain.pl>?
Feb  4 15:15:20 onlinecity smtp: 1391523320.943791 17163 > 421 Refused. The domain of your sender address has no mail exchanger (MX).?

Did you uncheck "Reject Messages From Server Without MX Records" in the spamdyke settings? I decided to only use the first option "Reject Servers Without RDNS Names".
Title: Re: Spamassassin RDNS_NONE Rule False Positives
Post by: Joe on 2014-02-08, 22:21:18
Here's what you need to do to get SPF checks working in Spamassassin which is really helping reduce spam and helps legitimate mail get through.

1. yum install perl-Mail-SPF

2. Create a new file located at /etc/mail/spamassassin/custom.pre

Add the following line:

loadplugin Mail::SpamAssassin::Plugin::SPF

3. Adjust scores accordingly in /etc/mail/spamassassin/local.cf

score   SPF_HELO_FAIL
score   SPF_FAIL
score   SPF_HELO_PASS
score   SPF_PASS