We host tens of thousands of email domains and so we get to see a lot of spam. Over the past year we have seen spammers really raise the bar on their ability to sneak through a variety of commercial and open-source anti-spam filters, with the result that many email administrators have tightened the screws down on whatever anti-spam tools they have been using.
While this has reduced spam volumes delivered to end users’ Inboxes, we are also starting to see more “false positives” i.e. legitimate email incorrectly identified as spam.
This article is about correcting one such increasingly common “false positive” in SpamAssassin, the RDNS_NONE test.
It used to be that spammers were frequently sloppy about setting up DNS records for the servers they were using to send out spam. Typically, there was no reverse DNS record (PTR record), so the SpamAssassin test RDNS_NONE was both accurate and effective in identifying spammers’ servers. We and others would often increase the default RDNS_NONE score in SpamAssassin (the default score today is 0.793, BTW…) to a value low enough that an RDNS_NONE hit alone would be insufficient to flag the email as spam, but high enough that if a few other tests also hit, the email would be flagged as spam.
Alas, we are now seeing spammers make increasingly effective use of self-service Cloud servers (we suspect paid for with stolen credit cards in some cases) where DNS records management is configured to RFC-compliant standards as a matter of course. We are also seeing that more and more email administrators have started using additional spam filtering tools which modify the email header in ways that the code underlying the RDNS_NONE test does not know how to handle.
The end result is that the RDNS_NONE test triggers much more frequently now, and on legitimate email. If you have modified a SpamAssassin .cf file to increase the default RDNS_NONE score, we recommend first removing that modification. If your system is still flagging legitimate email as spam, and it’s the RDNS_NONE test that is putting the legitimate email’s score over the edge, then we recommend setting the score to zero. This can be done by adding “score RDNS_NONE 0.000” to the appropriate SpamAssassin .cf file.
Two common scenarios we have seen where the RDNS_NONE test logic fails are:
A user in a coffee shop uses their Mac Mail or Outlook client to send an email through their corporate email server. The RDNS_NONE code is supposed to parse the email header looking for the first “real” email server. Instead, it finds the RFC1918 private IP address of the user’s laptop, sees that there is no reverse DNS for an address like 192.168.0.56 and adds the RDNS_NONE score to the email.
Web services like Basecamp use a 37signals.com server with an RFC1918 private IP address to collect notification emails destined for subscribers. The email is routed correctly through a basecamp.com email server with a public IP address and proper DNS records all around. But, the RDNS_NONE code determines the 37signals.com server is the originating sending server and incorrectly flags the email with the RDNS_NONE score.
We contribute to the Zimbra SpamAssassin Customizations wiki page. Many of the configuration tweaks there are non-Zimbra specific, so if you are looking for additional ways to improve SpamAssassin, I recommend a visit.
And if you are finding yourself just way too preoccupied dealing with spam, give us a call at (207) 772-5678 and we can walk you through some options.
L. Mark Stone
General Manager, Managed and Private/Hybrid Cloud Services
A Division of OTT Communications
The information provided in this blog is intended for informational and educational purposes only. The views expressed herein are those of Mr. Stone and do not necessarily reflect those of Reliable Networks, OTT Communications or Otelco Inc. The contents of this site are not intended as advice for any purpose and are subject to change without notice. We make no warranties of any kind regarding the accuracy or completeness of any information on this site, and we make no representations regarding whether such information is up-to-date or applicable to any particular situation. All copyrights are reserved by Mr. Stone. Any portion of the material on this site may be used for personal or educational purposes provided appropriate attribution is given to Mr. Stone and this blog.