
Mailing List Archive: SpamAssassin: users

Suddenly getting lots of false positives.

 

 



admin at game-point

May 24, 2012, 2:14 AM

Post #1 of 45 (633 views)
Permalink
Suddenly getting lots of false positives.

I've gotten a lot of false positives coming into my inbox lately, and
the principal reason for most of them seems to be that they are matching
the following rule:
-4.0 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/,
medium trust

I'm not sure why they're matching this rule, so I thought I'd ask you
guys to see whether you could figure it out. Here's a sample message
that made it through my spam filter, which is definitely spam (note that
I have it configured to attach X-Spam-Report to every message so I can
see why it was NOT marked as spam):

==================================================
From - Wed May 23 10:53:41 2012
X-Account-Key: account2
X-UIDL: UID308596-1160697276
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:

Return-path: <niw9 [at] etisbew>
Envelope-to: bugzilla [at] game-point
Delivery-date: Wed, 23 May 2012 10:37:58 +0100
Received: from [59.94.13.26]
by ip.game-point.net with esmtp (Exim 4.69)
(envelope-from <niw9 [at] etisbew>)
id 1SX80z-0005qn-7r
for bugzilla [at] game-point; Wed, 23 May 2012 10:37:58 +0100
Received: from apache by etisbew.com with local (Exim 4.63)
(envelope-from <splashedoo6 [at] realliving>)
id A10PD7-HLT0O1-68
for bugzilla [at] game-point; Wed, 23 May 2012 15:07:55 +0530
To: bugzilla [at] game-point
Subject: Good afternoon,
Date: Wed, 23 May 2012 15:07:55 +0530
From: "Stella Cotton" <niw9 [at] etisbew>
Message-ID: <74FC52565ECB52BB625FD430CB8D155D [at] etisbew>
X-Priority: 3
X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net)
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="------------03070800307080108050505"
X-Spam-Status: No, score=0.7
X-Spam-Score: 7
X-Spam-Bar: /
X-Spam-Flag: NO
X-Spam-Report: Spam detection software, running on the system
"ip.game-point.net", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that system for details.
Content preview: It is what a man needs to overcome the most delicate
problem.
Your power and strength of your porksword will please her! Make your body
as strong as your spirit is!Click It is what a man needs to overcome the
most delicate problem. Your power and strength of your porksword will
please
her! Make your body as strong as your spirit is! [...]
Content analysis details: (0.7 points, 3.0 required)
pts  rule name          description
---- ------------------ --------------------------------------------------
 1.5 URIBL_WS_SURBL     Contains an URL listed in the WS SURBL blocklist
                        [URIs: bestinternetdancer.com]
 1.5 URIBL_JP_SURBL     Contains an URL listed in the JP SURBL blocklist
                        [URIs: bestinternetdancer.com]
-4.0 RCVD_IN_DNSWL_MED  RBL: Sender listed at http://www.dnswl.org/, medium
                        trust
                        [59.94.13.26 listed in list.dnswl.org]
 0.9 RCVD_IN_SORBS_DUL  RBL: SORBS: sent directly from dynamic IP address
                        [59.94.13.26 listed in dnsbl.sorbs.net]
 0.6 SPF_SOFTFAIL       SPF: sender does not match SPF record (softfail)
 0.2 BAYES_60           BODY: Bayesian spam probability is 60 to 80%
                        [score: 0.6609]
 0.0 HTML_MESSAGE       BODY: HTML included in message

This is a multi-part message in MIME format.
--------------03070800307080108050505
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="iso-8859-2"

It is what a man needs to overcome the most delicate problem. Your power
and strength of your porksword will please her! Make your body as strong
as your spirit is!Click

--------------03070800307080108050505
Content-Transfer-Encoding: 7bit
Content-Type: text/html; charset="us-ascii"

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=windows-1250">
<STYLE></STYLE>
</HEAD>
<BODY>
<div style="width:600px;">
<div style="background: none repeat scroll 0 0 #FDF3F0; border-top: 3px
solid #E7431D; padding: 25px;">
<div style="font-size: 180%;">

<em>It is what a man needs to overcome the most delicate problem.
<br>Your power and strength of your porksword will please her! <br>Make
your body as strong as your spirit is!</em>
</div>
</div>
<div id="nav" style="background: none repeat scroll 0 0 #4D4D4F;
font-size: 90%; line-height: 40px;">
<a style="color: #FFFFFF; padding: 12px 25px;"
href="http://pijqasos.bestinternetdancer.com/page.html?Wsl7zrBeopsqjfqBjDy27csllzE">Click</a>

</div>
</div>
</BODY></HTML>
--------------03070800307080108050505--
==================================================


Any ideas why the sender would be in the dnswl with medium trust? I did
recently change my machine's hostname to ip.game-point.net.

--
Best regards,
Jeremy Morton (Jez)


niamh at fullbore

May 24, 2012, 2:28 AM

Post #2 of 45 (624 views)
Permalink
Re: Suddenly getting lots of false positives. [In reply to]

Hello Jeremy,

Thursday, May 24, 2012, 10:14:11 AM, you wrote:

JM> [59.94.13.26 listed in list.dnswl.org]

Doesn't seem to be listed any more-
http://dnswl.org/s?s=59.94.13.26

--
Best regards,
Niamh mailto:niamh [at] fullbore


joao.gouveia at anubisnetworks

May 24, 2012, 2:32 AM

Post #3 of 45 (631 views)
Permalink
Re: Suddenly getting lots of false positives. [In reply to]

----- Original Message -----
> From: "Jeremy Morton" <admin [at] game-point>
> To: users [at] spamassassin
> Sent: Thursday, May 24, 2012 10:14:11 AM
> Subject: Suddenly getting lots of false positives.
>
> I've gotten a lot of false positives coming into my inbox lately, and
> the principal reason for most of them seems to be that they are
> matching
> the following rule:
> -4.0 RCVD_IN_DNSWL_MED RBL: Sender listed at
> http://www.dnswl.org/,
> medium trust
>

I guess you mean false negatives?
Anyway, it's not listed at DNSWL ATM (maybe they cleared that entry).

I actually have it tagged with very bad reputation:

59.94.13.26 listed by bl.mailspike.net: Bad reputation - http://mailspike.org/anubis/lookup.html

--
Joao Gouveia
AnubisNetworks
Tel. : +351 21 7252110
Mobile : +351 91 9512960
Fax : +351 21 7252119
http://www.anubisnetworks.com


corpus.defero at idnet

May 24, 2012, 2:37 AM

Post #4 of 45 (624 views)
Permalink
Re: Suddenly getting lots of false positives. [In reply to]

On Thu, 2012-05-24 at 10:14 +0100, Jeremy Morton wrote:
> I've gotten a lot of false positives coming into my inbox lately, and
> the principal reason for most of them seems to be that they are matching
> the following rule:
> -4.0 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/,
> medium trust
>

Given the connecting IP is listed with a number of anti-spam
blocklists:

59.94.13.26 Listed in Spamhaus XBL (CBL Data)
59.94.13.26 Listed in Spamhaus PBL (ISP Maintained)
59.94.13.26 Listed in Barracuda Reputation List
59.94.13.26 Listed in dul.dnsbl.sorbs.net
59.94.13.26 Listed in UCE PROTECT LEVEL 2
59.94.13.26 Listed in UCE PROTECT LEVEL 3

and that

bestinternetdancer.com

Is listed in Spamhaus domain block list & the multi.uribl.com block list
you'd have to wonder why it gets a reduction from: www.dnswl.org

I'm not 100% but isn't http://www.dnswl.org/ a 'DIY' whitelisting site
that anyone can kind of abuse?

The rule is tucked away in 72_active.cf, along with the other 'pay to
spam' whitelists from the likes of Return Path. I suggest you add this
to your local.cf to deal with such abuse:

score RCVD_IN_DNSWL_MED 0
score RCVD_IN_RP_CERTIFIED 0
score RCVD_IN_RP_SAFE 0

But that's just my default settings on every instance of SA that I work
on. Sometimes I add points for Return Path as it seems to help BLOCK
spam rather than pass ham - but that's a can of worms and a different
subject.


admin at game-point

May 24, 2012, 2:40 AM

Post #5 of 45 (625 views)
Permalink
Re: Suddenly getting lots of false positives. [In reply to]

On 24/05/2012 10:37, corpus.defero wrote:
> But that's just my default settings on every instance of SA that I work
> on. Sometimes I add points for Return Path as it seems to help BLOCK
> spam rather than pass ham - but that's a can of worms and a different
> subject.

Ham, spam, and worms. Sounds like something from a Monty Python sketch.

--
Best regards,
Jeremy Morton (Jez)


admin at game-point

May 24, 2012, 2:53 AM

Post #6 of 45 (624 views)
Permalink
Re: Suddenly getting lots of false positives. [In reply to]

On 24/05/2012 10:37, corpus.defero wrote:
> On Thu, 2012-05-24 at 10:14 +0100, Jeremy Morton wrote:
>> I've gotten a lot of false positives coming into my inbox lately, and
>> the principal reason for most of them seems to be that they are matching
>> the following rule:
>> -4.0 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/,
>> medium trust
>>
>
> Given the connecting IP is listed with a number of anti-spam
> blocklists:
>
> 59.94.13.26 Listed in Spamhaus XBL (CBL Data)
> 59.94.13.26 Listed in Spamhaus PBL (ISP Maintained)
> 59.94.13.26 Listed in Barracuda Reputation List
> 59.94.13.26 Listed in dul.dnsbl.sorbs.net
> 59.94.13.26 Listed in UCE PROTECT LEVEL 2
> 59.94.13.26 Listed in UCE PROTECT LEVEL 3
>

Interesting that they didn't show up in my SpamAssassin headers; do you
think I need to add some extra rules for these blocklists? Why would I
not currently have these rules set up; don't they come with a default SA
install?

--
Best regards,
Jeremy Morton (Jez)


niamh at fullbore

May 24, 2012, 3:09 AM

Post #7 of 45 (623 views)
Permalink
Re: Suddenly getting lots of false positives. [In reply to]

Hello Jeremy,

Thursday, May 24, 2012, 10:53:33 AM, you wrote:

JM> Interesting that they didn't show up in my SpamAssassin headers; do you
JM> think I need to add some extra rules for these blocklists?

Maybe the listings came after you got your email?

--
Best regards,
Niamh mailto:niamh [at] fullbore


admin at game-point

May 24, 2012, 3:11 AM

Post #8 of 45 (622 views)
Permalink
Re: Suddenly getting lots of false positives. [In reply to]

Where would the rules for these blocklists be, so I can check my rules
files to see whether they're there?

--
Best regards,
Jeremy Morton (Jez)

On 24/05/2012 11:09, Niamh Holding wrote:
>
> Hello Jeremy,
>
> Thursday, May 24, 2012, 10:53:33 AM, you wrote:
>
> JM> Interesting that they didn't show up in my SpamAssassin headers; do you
> JM> think I need to add some extra rules for these blocklists?
>
> Maybe the listings came after you got your email?
>


niamh at fullbore

May 24, 2012, 3:31 AM

Post #9 of 45 (628 views)
Permalink
Re: Suddenly getting lots of false positives. [In reply to]

Hello Jeremy,

Thursday, May 24, 2012, 11:11:22 AM, you wrote:

JM> Where would the rules for these blocklists be, so I can check my rules
JM> files to see whether they're there?

Mine are in /var/lib/spamassassin/3.003002/updates_spamassassin_org

--
Best regards,
Niamh mailto:niamh [at] fullbore


corpus.defero at idnet

May 24, 2012, 3:43 AM

Post #10 of 45 (627 views)
Permalink
Re: Suddenly getting lots of false positives. [In reply to]

On Thu, 2012-05-24 at 11:11 +0100, Jeremy Morton wrote:
> Where would the rules for these blocklists be, so I can check my rules
> files to see whether they're there?
>
In later rulesets (forget when they added it) it looks something like
this:

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_BRBL_LASTEXT eval:check_rbl('brbl-lastexternal','bb.barracudacentral.org')
tflags RCVD_IN_BRBL_LASTEXT net
endif


And tends to live in 72_active.cf


Grep for it with:
grep -Hl -r "RCVD_IN_BRBL_LASTEXT" /usr/share/spamassassin/*
or
grep -Hl -r "RCVD_IN_BRBL_LASTEXT" /*
if you get stuck (it's slow this way, but if you don't know where your
rules are, this will tell you if it's there or not)

If it's not there just add it to your local.cf file with something like
this:

header BARRACUDA_BL eval:check_rbl('Barracuda', 'b.barracudacentral.org.')
describe BARRACUDA_BL listed by BARRACUDA
tflags BARRACUDA_BL net
score BARRACUDA_BL 4.5

It's also worth adding that taking out the Spamhaus WHITELIST is worth
doing - it's rubbish and wastes a DNS lookup:

score DKIMDOMAIN_IN_DWL 0

On the subject of Spamhaus, if you are using big name resolvers (like
Google DNS servers or similar) then you will not get reliable results.
Spamhaus decided to block these and always return clear even if the IP
address is on one of their lists. Personally I've lost most of my
respect for Spamhaus, and find the Barracuda list much, much better in
any case.


me at junc

May 24, 2012, 4:36 AM

Post #11 of 45 (620 views)
Permalink
Re: Suddenly getting lots of false positives. [In reply to]

On 2012-05-24 11:14, Jeremy Morton wrote:

> Any ideas why the sender would be in the dnswl with medium trust? I
> did recently change my machine's hostname to ip.game-point.net.

reject spf_softfail in mta, or report to http://www.dnswl.org/ (why did
they list a dynamic ip ?)

if sender is legit why is it softfailing ?


me at junc

May 24, 2012, 4:40 AM

Post #12 of 45 (626 views)
Permalink
Re: Suddenly getting lots of false positives. [In reply to]

On 2012-05-24 11:37, corpus.defero wrote:

> I'm not 100% but isn't http://www.dnswl.org/ a 'DIY' whitelisting
> site
> that anyone can kind of abuse?

as long as users can report spamming ips as well as get listed for not
sending spam at all, it's fine with me that some use it, for myself it's
a way to know if i have users sending spam as well


darxus at chaosreigns

May 24, 2012, 6:54 AM

Post #13 of 45 (622 views)
Permalink
Re: Suddenly getting lots of false positives. [In reply to]

On 05/24, corpus.defero wrote:
> I'm not 100% but isn't http://www.dnswl.org/ a 'DIY' whitelisting site
> that anyone can kind of abuse?

No.

I'm a (basically inactive) dnswl.org admin.

Anybody can request to be added to the list, but all changes get looked
over pretty thoroughly by a human, using lots of available data.

> The rule is tucked away in 72_active.cf, along with the other 'pay to
> spam' whitelists from the likes of Return Path. I suggest you add this

Listing on dnswl.org does not involve payment, it is not a 'pay to spam'
whitelist.

--
"You will need: a big heavy rock, something with a bit of a swing to it...
perhaps Mars" - How to destroy the Earth
http://www.ChaosReigns.com


darxus at chaosreigns

May 24, 2012, 7:02 AM

Post #14 of 45 (624 views)
Permalink
Re: Suddenly getting lots of false positives. [In reply to]

On 05/24, Jeremy Morton wrote:
> -4.0 RCVD_IN_DNSWL_MED RBL: Sender listed at
> http://www.dnswl.org/, medium
> trust
> [59.94.13.26 listed in list.dnswl.org]

I don't think this was ever actually listed by dnswl.org. I have
archives back to last June, which don't show it, and in the dnswl.org
admin interface when a listing is removed it is generally deactivated not
deleted - and there is nothing there.

That leaves interesting possibilities. I'd start by running this email
through spamassassin again to see if it repeatably says this IP is listed
by dnswl. SpamAssassin could be doing something wrong, a DNS server
somewhere could be doing something wrong....

And it might be useful to provide more examples. Just IPs might be best.
And generally we prefer you provide spams via pastebin instead of including
them in emails to this list.

--
"For gasoline vapor, the explosive range is from 1.3 to 6.0% vapor
to air...useful against soft targets such as...armored vehicles...and
bunkers." - http://www.fas.org/man/dod-101/sys/dumb/fae.htm
http://www.ChaosReigns.com


KMcGrail at PCCC

May 24, 2012, 7:06 AM

Post #15 of 45 (623 views)
Permalink
Re: Suddenly getting lots of false positives. [In reply to]

On 5/24/2012 10:02 AM, darxus [at] chaosreigns wrote:
> On 05/24, Jeremy Morton wrote:
>> -4.0 RCVD_IN_DNSWL_MED RBL: Sender listed at
>> http://www.dnswl.org/, medium
>> trust
>> [59.94.13.26 listed in list.dnswl.org]
> I don't think this was ever actually listed by dnswl.org. I have
> archives back to last June, which don't show it, and in the dnswl.org
> admin interface when a listing is removed it is generally deactivated not
> deleted - and there is nothing there.
>
> That leaves interesting possibilities. I'd start by running this email
> through spamassassin again to see if it repeatably says this IP is listed
> by dnswl. SpamAssassin could be doing something wrong, a DNS server
> somewhere could be doing something wrong....
Normally, I blame a DNS server. See pages like this for more information:

http://www.surbl.org/faqs#dnsproxy

Darxus, you wrote a good wiki about using other DNS servers, etc. somewhere I thought about but I can't find it.

In general, I recommend running your own caching nameserver.

Regards,
KAM


darxus at chaosreigns

May 24, 2012, 7:20 AM

Post #16 of 45 (623 views)
Permalink
Re: Suddenly getting lots of false positives. [In reply to]

On 05/24, Benny Pedersen wrote:
> reject spf_softfail in mta, or report to http://www.dnswl.org/

SPF_SOFTFAIL kind of sucks:
http://ruleqa.spamassassin.org/?daterev=20120519-r1340375-n&rule=%2Fspf

MSECS   SPAM%     HAM%    S/O   RANK  SCORE  NAME          WHO/AGE
    0  3.2640  27.9430  0.105   0.67   0.00  SPF_PASS
    0  6.3320   0.6518  0.907   0.58   0.00  SPF_SOFTFAIL
    0  4.0263   1.1272  0.781   0.50   0.00  SPF_NEUTRAL
    0       0        0  0.500   0.50   0.00  SPF_NONE
    0  1.7415   1.6254  0.517   0.39   0.00  SPF_FAIL

SPF_SOFTFAIL hits 6.3% of spam and 0.7% of ham, which is a pretty terrible
ratio, which gives it a rank of 0.58, where 1 is best (RCVD_IN_DNSWL_HI, in
fact), and 0 is worst. A rank of 0.58 sucks.

Therefore rejecting on it at your MTA is a bad idea. But it's your MTA.
I've done lots of things with my MTA on purpose that were a bad idea.

> (why
> did they list a dynamic ip ?)

I don't think they did.

> if sender is legit why is it softfailing ?

Generally because people configure their SPF records badly. SOFTFAIL
*means* the sending domain isn't certain they have all their legit sending
IPs listed. So based on the protocol it's also inappropriate to use for
absolute blocking. (In addition to the real world statistics above.) It's
unfortunate.

--
"Wash daily from nose-tip to tail-tip; drink deeply, but never too deep;
And remember the night is for hunting, and forget not the day is for sleep."
- The Law of the Jungle, Rudyard Kipling
http://www.ChaosReigns.com


darxus at chaosreigns

May 24, 2012, 7:30 AM

Post #17 of 45 (621 views)
Permalink
Re: Suddenly getting lots of false positives. [In reply to]

On 05/24, Kevin A. McGrail wrote:
> Normally, I blame a DNS server. See pages like this for more information:
>
> http://www.surbl.org/faqs#dnsproxy

Yup, that could do it. Icky.

Jeremy: You could manually check if you're getting the wrong DNS results by
running:

$ host 26.13.94.59.list.dnswl.org
Host 26.13.94.59.list.dnswl.org not found: 3(NXDOMAIN)

(IP address reversed, then .list.dnswl.org.)

If an IP address is listed (as that one should not be), you'll see
something like:

$ host 40.152.71.64.list.dnswl.org
40.152.71.64.list.dnswl.org has address 127.0.6.3

> Darxus, you wrote a good wiki about using other DNS servers, etc. somewhere I thought about but I can't find it.

I did? Are you thinking of
https://wiki.apache.org/spamassassin/CachingNameserver ? I didn't write
it.

> In general, I recommend running your own caching nameserver.

Yup.

--
"Safe is anywhere a hungry person can't walk in three days." - John Titor
http://www.ChaosReigns.com


admin at game-point

May 24, 2012, 7:41 AM

Post #18 of 45 (623 views)
Permalink
Re: Suddenly getting lots of false positives. [In reply to]

On 24/05/2012 15:30, darxus [at] chaosreigns wrote:
> On 05/24, Kevin A. McGrail wrote:
>> Normally, I blame a DNS server. See pages like this for more information:
>>
>> http://www.surbl.org/faqs#dnsproxy
>
> Yup, that could do it. Icky.
>
> Jeremy: You could manually check if you're getting the wrong DNS results by
> running:
>
> $ host 26.13.94.59.list.dnswl.org
> Host 26.13.94.59.list.dnswl.org not found: 3(NXDOMAIN)

I actually get:
Host 40.152.71.64.list.dnswl.org not found: 5(REFUSED)

--
Best regards,
Jeremy Morton (Jez)
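
Added example (not part of any post in this thread): the manual check described above, as shell functions that build the DNSWL query name and interpret the three kinds of `host` output quoted so far (NXDOMAIN, a 127.0.x.y answer, REFUSED). The function names are made up for this example, and the trust-level meaning of the last octet (0 none, 1 low, 2 medium, 3 high) is an assumption based on dnswl.org's published return codes, not something stated in the thread.

```shell
#!/bin/sh
# Constructed helper, not from the thread: build DNSWL query names and
# interpret `host` output lines like the ones quoted in the posts above.

# dnswl_qname IP [ZONE] -> reversed-octet query name, e.g.
# 59.94.13.26 -> 26.13.94.59.list.dnswl.org. Fails on malformed IPv4.
dnswl_qname() (
    ip=$1
    zone=${2:-list.dnswl.org}
    case $ip in
        ''|*[!0-9.]*|*..*|.*|*.) exit 1 ;;
    esac
    IFS=.
    set -- $ip
    [ $# -eq 4 ] || exit 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || exit 1
    done
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$zone"
)

# dnswl_classify LINE -> verdict for one line of `host` output.
# Only NXDOMAIN means "not listed"; any other error code (REFUSED,
# SERVFAIL, ...) means the resolver gave no verdict at all.
dnswl_classify() (
    line=$1
    case $line in
        *"not found: 3(NXDOMAIN)"*)
            echo "not-listed" ;;
        *"not found: "*)
            echo "lookup-failed ${line##*not found: }" ;;
        *" has address 127.0."*)
            addr=${line##* has address }
            IFS=.
            set -- $addr
            # Assumption: last octet is the DNSWL trust level.
            case $4 in
                0) trust=none ;;
                1) trust=low ;;
                2) trust=med ;;
                3) trust=hi ;;
                *) echo "unexpected-answer $addr"; exit 0 ;;
            esac
            echo "listed category=$3 trust=$trust" ;;
        *" has address "*)
            # An A record outside 127.0.x.y is not a DNSWL answer.
            echo "unexpected-answer ${line##* has address }" ;;
        *)
            echo "unparsed" ;;
    esac
)

# Live check through the system resolver (needs network and `host`).
dnswl_check() {
    qname=$(dnswl_qname "$1") || { echo "bad address: $1" >&2; return 1; }
    host "$qname" 2>&1 | while IFS= read -r line; do
        dnswl_classify "$line"
    done
}
```

A `lookup-failed` or `unexpected-answer` result points at the resolver path rather than at the list itself, so it says nothing about whether the address is listed.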


me at junc

May 24, 2012, 8:01 AM

Post #19 of 45 (628 views)
Permalink
Re: Suddenly getting lots of false positives. [In reply to]

On 2012-05-24 16:06, Kevin A. McGrail wrote:

> Normally, I blame a DNS server. See pages like this for more
> information:
>
> http://www.surbl.org/faqs#dnsproxy

surbl.org is one of the problematic dns servers for me, sent an email
about it to surbl, got nothing in return

> Darxus, you wrote a good wiki about using other DNS servers, etc.
> somewhere I thought about but I can't find it.
>
> In general, I recommend running your own caching nameserver.

local dns server is good as long as remote servers don't reject queries
from dynamic ips [1]

1: dig +trace surbl.org
2: dig +tcp +norecurse @ns100.surbl.org surbl.org any
3: dig +notcp +norecurse @ns100.surbl.org surbl.org any

none of them should be rejected

[1] dynamic in sense of ips is hard to know if it's static


admin at game-point

May 24, 2012, 8:03 AM

Post #20 of 45 (624 views)
Permalink
Re: Suddenly getting lots of false positives. [In reply to]

Nope, but it doesn't actually give an answer section as part of its output.

--
Best regards,
Jeremy Morton (Jez)

On 24/05/2012 16:06, Benny Pedersen wrote:
> On 2012-05-24 16:41, Jeremy Morton wrote:
>
>> I actually get:
>> Host 40.152.71.64.list.dnswl.org not found: 5(REFUSED)
>
> dig +trace 40.152.71.64.list.dnswl.org
>
> refused ?
>
>
>
>


me at junc

May 24, 2012, 8:06 AM

Post #21 of 45 (619 views)
Permalink
Re: Suddenly getting lots of false positives. [In reply to]

On 2012-05-24 16:41, Jeremy Morton wrote:

> I actually get:
> Host 40.152.71.64.list.dnswl.org not found: 5(REFUSED)

dig +trace 40.152.71.64.list.dnswl.org

refused ?


me at junc

May 24, 2012, 8:12 AM

Post #22 of 45 (620 views)
Permalink
Re: Suddenly getting lots of false positives. [In reply to]

On 2012-05-24 17:03, Jeremy Morton wrote:
> Nope, but it doesn't actually give an answer section as part of its
> output.

where it timeout or rejected ?, where in the dns chain is it failing ?


admin at game-point

May 24, 2012, 8:22 AM

Post #23 of 45 (618 views)
Permalink
Re: Suddenly getting lots of false positives. [In reply to]

Not sure. I get this:

http://pastebin.com/0U3WrgSS

--
Best regards,
Jeremy Morton (Jez)

On 24/05/2012 16:12, Benny Pedersen wrote:
> On 2012-05-24 17:03, Jeremy Morton wrote:
>> Nope, but it doesn't actually give an answer section as part of its
>> output.
>
> where it timeout or rejected ?, where in the dns chain is it failing ?
>
>
>


corpus.defero at idnet

May 24, 2012, 9:09 AM

Post #24 of 45 (629 views)
Permalink
Re: Suddenly getting lots of false positives. [In reply to]

On Thu, 2012-05-24 at 16:22 +0100, Jeremy Morton wrote:
> Not sure. I get this:
>
> http://pastebin.com/0U3WrgSS
>
The answer is at the bottom:

40.152.71.64.list.dnswl.org. 43200 IN A 127.0.6.3
;; Received 61 bytes from 208.67.172.131#53(c.ns.dnswl.org) in 76 ms

So, according to c.ns.dnswl.org it's a hit.

And if we do:

dig +short @208.67.172.131 40.152.71.64.list.dnswl.org
127.0.6.3

It appears to be a hit.


me at junc

May 24, 2012, 9:14 AM

Post #25 of 45 (624 views)
Permalink
Re: Suddenly getting lots of false positives. [In reply to]

On 2012-05-24 17:22, Jeremy Morton wrote:
> Not sure. I get this:
>
> http://pastebin.com/0U3WrgSS

this is working as designed, no refused or errors, if it's not working
again then report it as so, with a +trace, report the last ns that fails
if it does
