Re: [dnswl-users] Experimental dnswl.org feature - Abuse Reporting
- Subject: Re: [dnswl-users] Experimental dnswl.org feature - Abuse Reporting
- From: Matthias Leisi <matthias@xxxxxxxxx>
- Date: Mon, 21 Dec 2009 17:07:13 +0100
[Sorry if you get this twice, local mailer problem...]

On 21.12.09 12:11, Jost Krieger wrote:

> For reporters:
> 1. Don't report
>    a) Spam sent through legitimate mailing lists, unless
>       the mailing list has turned into a main source of spam.
>    b) Spam sent to your forwarding accounts somewhere else.

ACK. On the other hand, if we can reliably(!) identify the spamming IP, it can still be reported.

> SpamCop, e.g., has a mechanism to reliably find out the correct IP in
> these cases, but it's complicated and most probably this will not be an
> address on DNSWL.

Each reporter should be able to configure his or her mailservers, so that we can reliably identify the "last external IP". That is close enough to SpamCop's behaviour. Since we have a closed user group (at least for the moment) we can keep the whole authentication stuff a bit simpler.

> I'm not sure what to do about outscatter.

Please report it. While technically not spam, it's annoying enough that we do consider back-/outscatter when assigning scores.

> 2. I'm preprocessing the reported spams by first, folding header lines, and
> then, eliminating locally added header lines. This will put the first
> relevant "Received" line on top and they have always been automatically (I
> hope) recognized. I'm not sure if it's sensible to remove all
> spam-handling headers but the samples will probably be forwarded to the
> originating party?

The code became a bit more intelligent. It will now understand a number of Received: formats (thanks to Email::Received), and will use the top-most Received: header which has a usable, public IP (i.e., non-rfc1918, non-localhost).

> For DNSWL:
>
> In the current interface, I always find "Corr" to be "0", but the IP and
> ID has been filled in. I hope that doesn't mean someone is doing this by
> hand :-)

The only hand was the hand that made an off-by-one error ;)

> The "Action" column has a lot of "undefs". Perhaps this is a moving
> target, but it would be nice to see if someone has handled the case in
> any way, to find out whether to provide more samples for the same IP,
> e.g.

Yes, it is a moving target. Depending on the volume, not every single item may get a dedicated action, but we also look at the aggregated abuse reports, mostly per DNSWL Id. A number of abuse reports for hotmail.com is not very significant (because some level of spam is to be expected, hence the "low" rating), but may very well be significant for a "med" or "hi" rated DNSWL Id.

In the end, we plan to have a consolidated "badness" report, which uses the abuse reports, DNSBL checks and other feedback. We're not there yet :)

-- Matthias
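
The Received: selection rule described in the message above (top-most header with a usable, public IP, skipping the reporter's own mail servers), as an added example that is not part of the original post and is not the dnswl.org code. It assumes a simple bracketed-IPv4 regex in place of Email::Received's per-format parsing; `own_relays` is a hypothetical parameter name and the sample message is constructed.

```python
import email
import ipaddress
import re

# Assumption: the connecting IP appears as a bracketed IPv4 literal, e.g. "[198.51.100.7]".
BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# "Usable, public" as the message defines it: not RFC 1918, not localhost.
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample: folded headers, documentation and private addresses only.
SAMPLE = """\
Received: from localhost (localhost [127.0.0.1])
\tby mx.reporter.example with ESMTP id A1
Received: from fwd.reporter.example (fwd.reporter.example [10.0.0.5])
\tby mx.reporter.example with ESMTP id B2
Received: from mail.sender.example (mail.sender.example [198.51.100.7])
\tby fwd.reporter.example with ESMTP id C3
Received: from [192.168.1.20] (helo=pc) by mail.sender.example
Subject: constructed sample

body
"""


def is_usable(ip, own_relays=()):
    """True for an address that is neither private, loopback, nor the reporter's own."""
    return str(ip) not in own_relays and not any(ip in net for net in NON_PUBLIC)


def last_external_ip(raw_message, own_relays=()):
    """Return the first usable IP from the top-most Received: header, or None.

    own_relays (hypothetical parameter): public IPs of the reporter's own
    mail servers and forwarders, skipped so the hop before them is reported.
    """
    msg = email.message_from_string(raw_message)  # continuation lines stay with their header
    for header in msg.get_all("Received", []):    # headers come back top-most first
        for text in BRACKETED_IPV4.findall(header):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:                    # e.g. "[999.1.1.1]"
                continue
            if is_usable(ip, own_relays):
                return str(ip)
    return None
```

A bracketed HELO literal is sender-controlled, so a production parser should take the address the receiving server recorded for the connection rather than the first bracketed value.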