
Re: [dnswl-users] Experimental dnswl.org feature - Abuse Reporting


[Sorry if you get this twice, local mailer problem...]

On 21.12.09 12:11, Jost Krieger wrote:

> For reporters:
> 1. Don't report
> a) Spam sent through legitimate mailing lists, unless
>    the mailing list has turned into a main source of spam.
> b) Spam sent to your forwarding accounts somewhere else.

ACK. On the other hand, if we can reliably(!) identify the spamming IP,
it can still be reported.

> SpamCop, e.g., has a mechanism to reliably find out the correct IP in
> these cases, but it's complicated and most probably this will not be an
> address on DNSWL.

Each reporter should be able to configure his or her mailservers, so
that we can reliably identify the "last external IP". That is close
enough to SpamCop's behaviour. Since we have a closed user group (at
least for the moment) we can keep the whole authentication stuff a bit
simpler.

> I'm not sure what to do about outscatter.

Please report it. While technically not spam, it's annoying enough that
we do consider back-/outscatter when assigning scores.

> 2. I'm preprocessing the reported spams by first, folding header lines, and
> then, eliminating locally added header lines. This will put the first
> relevant "Received" line on top and they have always been automatically (I
> hope) recognized. I'm not sure if it's sensible to remove all
> spam-handling headers but the samples will probably be forwarded to the
> originating party?

The code became a bit more intelligent. It will now understand a number
of Received: formats (thanks to Email::Received), and will use the
top-most Received: header which has a usable, public IP (i.e.,
non-rfc1918, non-localhost).


> For DNSWL:
>
> In the current interface, I always find "Corr" to be "0", but the IP and
> ID has been filled in. I hope that doesn't mean someone is doing this by
> hand :-)

The only hand was the hand that made an off-by-one error ;)


> The "Action" column has a lot of "undefs". Perhaps this is a moving
> target, but it would be nice to see if someone has handled the case in
> any way, to find out whether to provide more samples for the same IP,
> e.g.

Yes, it is a moving target. Depending on the volume, not every single
item may get a dedicated action, but we also look at the aggregated
abuse reports, mostly per DNSWL Id. A number of abuse reports for
hotmail.com is not very significant (because some level of spam is to be
expected, hence the "low" rating), but may very well be significant for
a "med" or "hi" rated DNSWL Id.

In the end, we plan to have a consolidated "badness" report, which uses
the abuse reports, DNSBL checks and other feedback. We're not there yet :)

-- Matthias
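
The header handling discussed in this message (unfold the header lines, then take the top-most Received: header with a usable, public IP), sketched as an added example; it is not dnswl.org's code and does not use Email::Received. The bracketed-IP pattern, the function names and the sample headers are assumptions made for illustration.

```python
import ipaddress
import re

# Assumed, simplified pattern: the bracketed IP literal an MTA records for the
# connecting host, e.g. "from helo (rdns [203.0.113.7])".
_BRACKETED = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")
# The message's criteria only (non-RFC 1918, non-localhost); a production
# check would exclude further special-purpose ranges.
_UNUSABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128")]

def unfold(raw_headers):
    """Join folded continuation lines; return [name, value] pairs in order."""
    fields = []
    for line in raw_headers.splitlines():
        if not line.strip():
            break  # blank line ends the header block
        if line[0] in " \t" and fields:
            fields[-1][1] += " " + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append([name.strip(), value.strip()])
    return fields

def last_external_ip(raw_headers):
    """IP from the top-most Received: header with a usable public IP, or None."""
    for name, value in unfold(raw_headers):
        if name.lower() != "received" or not value.lower().startswith("from "):
            continue  # not a Received: line, or no connecting host recorded
        from_clause = value.split(" by ", 1)[0]
        for literal in _BRACKETED.findall(from_clause):
            try:
                ip = ipaddress.ip_address(literal)
            except ValueError:
                continue  # bracketed text that is not an IP address
            if not any(ip in net for net in _UNUSABLE):
                return str(ip)
    return None

# Constructed sample (documentation addresses), newest hop first.
SAMPLE = (
    "Received: from localhost (localhost [127.0.0.1])\n"
    "\tby mx.reporter.example (Postfix) with ESMTP id 0001\n"
    "Received: from gw.reporter.example (gw.reporter.example [192.168.10.5])\n"
    "\tby mx.reporter.example (Postfix) with ESMTP id 0002\n"
    "Received: from mail.sender.example (mail.sender.example [203.0.113.7])\n"
    "\tby gw.reporter.example with ESMTP id 0003\n"
    "Received: from unverified.example ([198.51.100.99]) by mail.sender.example\n"
    "Subject: constructed sample\n"
)
```

Only the Received: lines written by the reporter's own mail servers are trustworthy; everything below the selected hop is supplied by the sending side.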



References:
[dnswl-users] Experimental dnswl.org feature - Abuse Reporting, Matthias Leisi <matthias@xxxxxxxxx>
Re: [dnswl-users] Experimental dnswl.org feature - Abuse Reporting, Jost Krieger <Jost.Krieger+dnswl@xxxxxxxxxxxxxxxxxx>