Hi!
 

>>> Despite this - messages sent by this sender are scored by DNSBL anyway.
>>>
>>> X-Assp-DNSBL: failed,
>>> 65.254.253.144 listed in (dnsbl-1.uceprotect.net<-127.0.0.2; )

About 65.254.253.144 as an example of _aggressive_ (and non-productive) behavior by the RBL service uceprotect.net, see the P.P.S.


> sender is already on the white list.

 IMHO, you need to check settings a-la "Apply to Whitelisted"
(but when RBLWL is already unset, strange . . . )
In any case, see the _working_ rbl-service.txt later.

>> On 4/23/2013 11:36 PM, Thomas Eckardt wrote:
>> Unset 'RBLWL' or use any other exception parameter in the 'DNSBL' section.

> I'm sorry I wasn't clear about that.
> RBLWL is already unset,
> but DNSBL scores it anyway.
> The only other option is noRBL,
> but I can't possibly enter all of the IPs that this person can send from.

 
Try these settings:

RBLServiceProvider:=file:files/rbl-service.txt
rbl-service.txt
==
#
bl.spamcop.net=>1
#
#    [
#  See http://www.sorbs.net/using.shtml
#
#
#        dnsbl.sorbs.net - Aggregate zone (contains all the following DNS zones)
#   http.dnsbl.sorbs.net - List of Open HTTP Proxy Servers.
#  socks.dnsbl.sorbs.net - List of Open SOCKS Proxy Servers.
#   misc.dnsbl.sorbs.net - List of open Proxy Servers not listed in
#                          the SOCKS or HTTP lists.
#   smtp.dnsbl.sorbs.net - List of Open SMTP relay servers.
#    web.dnsbl.sorbs.net - List of web (WWW) servers which have spammer
#                          abusable vulnerabilities (e.g. FormMail scripts)
#                          Note: This zone now includes non-webserver
#                          IP addresses that have abusable vulnerabilities.
#   spam.dnsbl.sorbs.net - List of hosts that have been noted as sending
#                          spam/UCE/UBE to the administrators of SORBS.  This
#                          zone also contains net blocks of spam supporting
#                          service providers, including those who provide
#                          web sites, DNS or drop boxes for a spammer.  Spam
#                          supporters are added on a 'third strike and you are
#                          out' basis, where the third spam will cause the
#                          supporter to be added to the list.
#  block.dnsbl.sorbs.net - List of hosts demanding that they never be tested
#                          by SORBS.
# zombie.dnsbl.sorbs.net - List of networks hijacked from their original
#                          owners, some of which have already used for spamming.
#    dul.dnsbl.sorbs.net - Dynamic IP Address ranges (NOT a Dial Up list!)
#
#
#Return codes are:
#
#          http.dnsbl.sorbs.net    127.0.0.2
#         socks.dnsbl.sorbs.net    127.0.0.3
#          misc.dnsbl.sorbs.net    127.0.0.4
#          smtp.dnsbl.sorbs.net    127.0.0.5
#          spam.dnsbl.sorbs.net    127.0.0.6
#           web.dnsbl.sorbs.net    127.0.0.7
#         block.dnsbl.sorbs.net    127.0.0.8
#        zombie.dnsbl.sorbs.net    127.0.0.9
#           dul.dnsbl.sorbs.net    127.0.0.10
#
#  [
# http://www.zytrax.com/books/dns/ch9/dnsbl.html
#
# 127.0.0.2  - Open HTTP Proxy Server (http.dnsbl.sorbs.net)
# 127.0.0.3  - Open SOCKS Proxy Server (socks.dnsbl.sorbs.net)
# 127.0.0.4  - Open Proxy Server not listed in the SOCKS or
#              HTTP lists. (misc.dnsbl.sorbs.net)
# 127.0.0.5  - Open SMTP relay server (smtp.dnsbl.sorbs.net)
# 127.0.0.6  - Hosts sending spam/UCE/UBE to SORBS, netblocks
#              of spam supporting service providers
#              (list.spam.dnsbl.sorbs.net)
# 127.0.0.7  - Web servers email vulnerabilities (e.g. FormMail scripts)
#              (web.dnsbl.sorbs.net)
# 127.0.0.8  - Hosts demanding not to be tested by SORBS (block.dnsbl.sorbs.net)
# 127.0.0.9  - Networks hijacked from original owners (zombie.dnsbl.sorbs.net)
# 127.0.0.10 - Dynamic IP Address ranges (dul.dnsbl.sorbs.net)
#
# ]
#
dnsbl.sorbs.net=>127.0.0.2=>1    ##
dnsbl.sorbs.net=>127.0.0.3=>1    ##
dnsbl.sorbs.net=>127.0.0.4=>1    ##
dnsbl.sorbs.net=>127.0.0.5=>1    ##
dnsbl.sorbs.net=>127.0.0.7=>1    ##
#                                ##
dnsbl.sorbs.net=>127.0.0.6=>2    ##
dnsbl.sorbs.net=>127.0.0.9=>35   ##
dnsbl.sorbs.net=>127.0.0.10=>35  ##
#                                ##
dnsbl.sorbs.net=>127.0.0.8=>3    ##
#
# ]
#     [
#  zen.spamhaus.org   ex. sbl-xbl.spamhaus.org=>1
#
#  See http://www.spamhaus.org/zen/
#
#127.0.0.2     SBL   Direct UBE sources, spam operations & spam services
#127.0.0.3     CSS   Direct snowshoe spam sources detected via automation
#127.0.0.4-8   XBL   CBL + customised NJABL.   3rd party exploits (proxies, trojans, etc.)
#127.0.0.10-11 PBL    End-user Non-MTA IP addresses set by ISP outbound mail policy
#
#  SBL + XBL
#
zen.spamhaus.org=>127.0.0.2=>1
zen.spamhaus.org=>127.0.0.4=>1
zen.spamhaus.org=>127.0.0.5=>1
zen.spamhaus.org=>127.0.0.6=>1
zen.spamhaus.org=>127.0.0.7=>1
zen.spamhaus.org=>127.0.0.8=>1
#
# PBL + CSS
#
zen.spamhaus.org=>127.0.0.3=>2
zen.spamhaus.org=>127.0.0.10=>35
zen.spamhaus.org=>127.0.0.11=>35
#
# ] [
#
combined.njabl.org=>1
list.dsbl.org=>1
cbl.abuseat.org=>1
#
# ] [
#
# See http://www.five-ten-sg.com/blackhole.php
#
blackholes.five-ten-sg.com=>127.0.0.2=>3
blackholes.five-ten-sg.com=>127.0.0.5=>4
blackholes.five-ten-sg.com=>127.0.?.*=>5
#
# ]
#
==

 This allows using aggressive DNSBLs in scoring mode.


 Example results of setting "zen.spamhaus.org=>127.0.0.10=>35" ( see [scoring] ):
==
2013-04-24 13:17:13 ZZZZ-ZZZZZZZZ [Worker_2] [DNSBL] 1.162.1ZZZ8.2ZZZZ6 <y...@yyyy.yyy> to: zzzz...@zzzzzzz.zzz [scoring] (DNSBL: neutral, 1.162.1ZZZ8.2ZZZZ6 listed in (dnsbl.sorbs.net<-127.0.0.10; ))
===


 Example of a spam e-mail blocked by Totalscore ( mainly by 15 (Message-ID) + 35 (DNSBL: neutral) ):
===
X-Assp-Message-Score: 15 (Message-ID not valid: 'A73BDBA12FBA4F1E83C887F64E2D5EE6@vobhmj')
X-Assp-Received-SPF: neutral ip=999.9999.999.153 mailfrom=09...@zzzzzzzzzzz.co.nz
X-Assp-Message-Score: 5 (SPF neutral)
X-Assp-Message-Score: -5 (Home Country Bonus ZZ (ZZZ ZZZZZZ Telekom Servis))
X-Assp-Message-Score: 35 (DNSBL: neutral, 999.9999.999.153 listed in dnsbl.sorbs.net)
X-Assp-DNSBL: neutral, 999.9999.999.153 listed in (dnsbl.sorbs.net<-127.0.0.10; )
 . . .
X-Spam-Status:yes
X-Assp-Spam-Reason: MessageScore 50, limit 50
X-Assp-Message-Totalscore: 50
===


 Example where the IP exists in an RBL, but the e-mail ( really non-spam ) passes by "low limit":
==
Sender: "JavaOne" <zzzzz...@oraclezzzzzzz.com>
X-Assp-DNSBL: neutral, 9999.999.999.61 listed in (dnsbl.sorbs.net<-127.0.0.6; )
X-Assp-Message-Score: 20 (blacklisted HELO 'ZZZZZZZZZZZZZZZZZ' - weigth 1)
X-Assp-Spam-Reason: MessageScore passed low limit
X-Assp-Message-Totalscore: 45
==


>I have ValidateRBL set for score.

"set for score" itself -- not principial :-)

 Usually, if the IP is found in a DNSBL, the result is "added 50" to the score of the e-mail.

If there is no -5 or -10 for another reason, then
==
X-Assp-Message-Totalscore: 50
X-Assp-Spam-Reason: MessageScore 50, limit 50
X-Spam-Status:yes
==



Best regards, Victor Miasnikov
Blog:  http://vvm.blog.tut.by/

P.S.

 IMHO, uceprotect.net as an RBL is _optional_

But you can use it a-la "zen.spamhaus.org=>127.0.0.11=>35" or "blackholes.five-ten-sg.com=>127.0.0.5=>4"


P.P.S.

In my collection of *.bmaillog.txt ( since 2012-05-16 ) 65.254.253.144 -- not found

Substring "65.254.253." found _only_ in
2012-07-04.bmaillog.txt
2012-08-08.bmaillog.txt


In 2012-07-04.bmaillog.txt :

2012-07-02 99:99:99 . . . [Collect] 65.254.253.147 <ZZZZ=TTTTTTTTTTTTTTT.com=hh...@yourhostingaccount.com> to: z...@zzz.zzz [spam found] (Collect Address: z...@zzz.zzz
2012-07-02 06:21:28 . . . [MessageLimit] 65.254.253.235 <ZZZZZ=ZZ=TTTTTTTTTTT=x...@yourhostingaccount.com> to: y...@zzz.zzz [spam found] (MessageScore 97, limit 50)


In 2012-08-08.bmaillog.txt :

2012-08-08 14:49:58 . . . [MessageLimit] 65.254.253.42 <SRS0=ZZZZ=ZZZ=XXXXXXXX=o...@yourhostingaccount.com> to: n...@zzz.zzz [spam found] (MessageScore 163, limit 50)


( About yourhostingaccount.com :

dig -x  65.254.253.144
==
;; ANSWER SECTION:
144.253.254.65.in-addr.arpa. 43196 IN PTR mailout18.yourhostingaccount.com.
==
)

 Total:
Looks like 65.254.253.144 is an example of _aggressive_ behavior by the RBL service uceprotect.net
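
Added example, not part of the original message and not ASSP's own code: a small checker for a file in the `zone=>value` / `zone=>reply=>value` syntax of the rbl-service.txt above, which reports lines that are neither comment nor entry (such as a comment broken by e-mail line wrapping) and shows which entries apply to a given DNSBL reply. The function names, the sample text, the comment handling and the shell-style reading of `?` and `*` are assumptions; the third field is returned as configured and is not converted into a message score.

```python
import fnmatch

# Constructed sample in the syntax of the rbl-service.txt above. Line 5
# reproduces a comment that e-mail wrapping split onto an uncommented line.
SAMPLE = """\
# SBL + XBL
bl.spamcop.net=>1
zen.spamhaus.org=>127.0.0.2=>1
#127.0.0.4-8   XBL   3rd party exploits (proxies,
trojans, etc.)
zen.spamhaus.org=>127.0.0.10=>35   ## PBL
dnsbl.sorbs.net=>127.0.0.6=>2    ##
blackholes.five-ten-sg.com=>127.0.0.5=>4
blackholes.five-ten-sg.com=>127.0.?.*=>5
"""


def parse_rbl_service(text):
    """Return (entries, problems).

    entries:  (zone, reply_pattern_or_None, configured_value) tuples
    problems: (line_number, raw_line) for lines that are neither comment
              nor a well-formed zone=>value / zone=>reply=>value entry
    """
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        if not line:
            continue
        parts = [p.strip() for p in line.split("=>")]
        if len(parts) == 2:
            parts.insert(1, None)  # no reply code given: any reply matches
        if len(parts) != 3 or not parts[0] or not parts[2].isdigit():
            problems.append((lineno, raw))
            continue
        entries.append((parts[0].lower(), parts[1], int(parts[2])))
    return entries, problems


def configured_values(entries, zone, reply):
    """Values of every entry for `zone` whose pattern matches the DNSBL reply.

    '?' and '*' are treated as shell-style wildcards (assumption, based on
    the 127.0.?.* entry); overlapping entries are all returned, in file order.
    """
    return [value for z, pattern, value in entries
            if z == zone.lower()
            and (pattern is None or fnmatch.fnmatchcase(reply, pattern))]
```

A reply that returns more than one value, as 127.0.0.5 does for blackholes.five-ten-sg.com here, marks overlapping entries worth reviewing in the file.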

