The same thing appears to be happening with URIBL hits as well. _____________________________________________ From: Phil Quesinberry Sent: Thursday, July 03, 2014 12:08 PM To: 'assp-user@lists.sourceforge.net' Subject: Inconsistent DNSBL scoring
We're seeing some odd behavior when it comes to DNSBL scoring. One of the DNSBLs we use is i2.apews.org. It's useful for weighing in against a message with other problems but it's occasionally prone to false-positives, so we give hits against it a score of 20. Notice the following log entries (hit on apews DNSBL adds 20 which is the correct behavior): Jul-01-14 11:02:45 Connected: 108.12.183.50:31641 -> 10.0.0.15:25 (listenPort) -> 127.0.0.1:125; Jul-01-14 11:02:45 108.12.183.50 MTA offered STARTTLS - converting to SSL; Jul-01-14 11:02:47 m-40422-26873 [SSL-in] [SSL-out] 108.12.183.50 <brappap...@somesender.com> to: sher...@ourdomain.com Message-Score: added -5 for SSL-TLS-connection-OK, total score fo r this message is now -5; Jul-01-14 11:02:47 m-40422-26873 [SSL-in] [SSL-out] [DNSBL] 108.12.183.50 <brappap...@somesender.com> to: sher...@ourdomain.com [scoring:20] (108.12.183.50 listed in DNSBLcache by l2.ap ews.org at 2014-07-01/10:54:50); Jul-01-14 11:02:47 m-40422-26873 [SSL-in] [SSL-out] 108.12.183.50 <brappap...@somesender.com> to: sher...@ourdomain.com Message-Score: added 30 for DNSBLcache: neutral, 108.12.183.50 li sted in l2.apews.org, total score for this message is now 25; This is what we'd expect. Now have a look at the following log entries (hit on apews DNSBL adds 50 which is NOT correct), no configurational changes have been made: Jul-01-14 16:20:36 Connected: 173.67.34.179:54431 -> 10.0.0.15:25 (listenPort) -> 127.0.0.1:125; Jul-01-14 16:20:36 173.67.34.179 MTA offered STARTTLS - converting to SSL; Jul-01-14 16:20:38 m-40424-27323 [SSL-in] [SSL-out] 173.67.34.179 <d...@anothersender.com> to: ph...@ourotherdomain.com Message-Score: added -5 for SSL-TLS-connection-OK, total score for this message is now -5; Jul-01-14 16:20:38 m-40424-27323 [SSL-in] [SSL-out] 173.67.34.179 <d...@anothersender.com> to: ph...@ourotherdomain.com deleting spamming whitelisted tuplet: (173.67.34.0,anothersender.com) age: 2s; Jul-01-14 16:20:38 m-40424-27323 [SSL-in] [SSL-out] 173.67.34.179 <d...@anothersender.com> to: ph...@ourotherdomain.com Message-Score: added 50 for DNSBL: failed, 173.67.34.179 listed in l2.apews.org, total score for this message is now 45; Jul-01-14 16:20:38 m-40424-27323 [SSL-in] [SSL-out] [DNSBL] 173.67.34.179 <d...@anothersender.com> to: ph...@ourotherdomain.com [scoring:50] (DNSBL: failed, 173.67.34.179 listed in (l2.apews.org<-127.0.0.2; )); >From the above, It looks like cached hits are scored correctly but real-time hits are not? If you need additional info, let me know. I can crank up the DNSBL logging to debug/verbose if it will help. Also, is there a way to still have ASSP score the message based on total DNSBL points like it used to instead of limiting to the neutral/fail scoring dependent upon the number of hits? There are a number of DNSBLs which are useful for pushing suspect messages "over the edge" but more prone to false-positives and we'd prefer to have the granularity of just weighting them accordingly, which was the behavior of ASSP until fairly recently. Thanks! Phil Quesinberry Vintage Telecom VoIP Business Telephone Hosting Improve your business telephone services and save money (410) 921-6550 http://www.vintagetelecom.com ------------------------------------------------------------------------------ Open source business process management suite built on Java and Eclipse Turn processes into business applications with Bonita BPM Community Edition Quickly connect people, data, and systems into organized workflows Winner of BOSSIE, CODIE, OW2 and Gartner awards http://p.sf.net/sfu/Bonitasoft _______________________________________________ Assp-user mailing list Assp-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/assp-user
