Don,

Since I started this thread, I'll try to answer what's at issue here.

Declude has functionality to only scan the last hop on any dnsbl, ip4r and rhsbl test when it has either DUL, DYNA or DUHL in the name of the test.  This is done in order to protect you from scoring hits on dial-up or residential IPs when they weren't the connecting server and when you are using Declude to score on multiple hops (I believe this is version restricted).

In order to keep these DUL/DYNA/DUHL tests from hitting your own local users when they are sending E-mail (only one hop and typically dynamic/residential), Declude disables any dnsbl, ip4r or rhsbl test when they have one of those strings in the name.  This was very useful until IMail 8 came along and they started providing an indication of whether or not AUTH was used in the Q*.SMD file.  When IMail 8 did that, Scott introduced a function called WHITELIST AUTH that will whitelist any E-mail that is AUTH'd.

Every user on my system uses AUTH and I'm on IMail 8 so I can take advantage of WHITELIST AUTH.  The issue now is that when a spammer forges a locally hosted address in the Mail From, Declude is still disabling all dnsbl, ip4r and rhsbl tests that contain either DUL, DYNA or DUHL in the name, and this now represents a weakness instead of a benefit.  So for users that have IMail 8, where all of their users are whitelisted either by IP or by AUTH, it would be nice to turn this functionality off.

Something that seemed to confuse you was the fact that I am using several tests twice like so:

XBL(LAST)    dnsbl    %IP4R%.sbl-xbl.spamhaus.org    127.0.0.4    6    0
XBL(ALL)     ip4r     sbl-xbl.spamhaus.org           127.0.0.4    2    0

The reason why I do this is because I score on multiple hops, and instead of having XBL score exactly the same on every hop, I created a workaround so that it would score higher on the last hop, and lower if it only hit one of the prior hops.  The prior hop functionality helps with catching spam that is relayed from one open relay to another open relay, or worse yet, from an open relay to a legitimate mail server.  At the same time there are lots of IPs in some of these lists that have long since been fixed/closed and are sending only legitimate E-mail through legitimate servers, and only adding a few points helps protect from false positives.

The former kludge that I used was to use (DYNA) in the name of the test that I only wanted to score on the last hop, but this morning, I found that on locally hosted E-mail, this test would be defeated if the spammer forged a local address.  By changing the test to how it appears as XBL(LAST) in the above example, I'm creating a way to score only the last hop without it being defeated when a local address is forged and DUL/DYNA/DUHL appears in the name.

The short answer is that in the example above for XBL(LAST), using the dnsbl/%IP4R% hack, you can construct a test that only hits the last hop (if you are scoring on multiple hops like I am).

It's convoluted, but it works, and I do recommend doing it, but only if you understand how it works and why it is useful.

Matt
Don Brown wrote:

Friday, May 14, 2004, 11:36:22 AM, R. Scott Perry <[EMAIL PROTECTED]> wrote:

I seem to have broken things worse :)  Is there any reason why the 
following wouldn't work?

XBL(LAST)    dnsbl    %REMOTEIP%.sbl-xbl.spamhaus.org    127.0.0.4    6    0

I tested the DUL lists using this format and it seemed to be 
working.  Here's the headers from a single hop test that tripped on the
ip4r version of XBL and returned the proper %REMOTEIP% in the headers:

RSP> The problem here is that the remote IP is 192.0.2.25, so Declude JunkMail
RSP> will create "192.0.2.25.sbl-xbl.spamhaus.org".  But, you really want
RSP> "25.2.0.192.sbl-xbl.spamhaus.org".  Fortunately, you can use:

RSP> XBL(LAST)    dnsbl    %IP4R%.sbl-xbl.spamhaus.org    127.0.0.4    6    0

RSP> which should do what you want.

RSP>                                                     -Scott

Since sbl-xbl.spamhaus.org is an ip4r list, doesn't the below do the
same thing as using %IP4R% as shown above? If not, what is the
difference?

     SBL-ALL ip4r sbl-xbl.spamhaus.org

Thanks,


----
Don Brown - Dallas, Texas USA     Internet Concepts, Inc.
[EMAIL PROTECTED]       http://www.inetconcepts.net
(972) 788-2364                    Fax: (972) 788-5049
----

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
-- 
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
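The following is an added example, not code from the thread and not Declude's own implementation: a small Python model of the scoring rules Matt describes, so the %IP4R% versus %REMOTEIP% expansion and the last-hop versus all-hops scoring can be checked offline. DNS is replaced by a constructed in-memory table using documentation addresses, the local domain `example.net` is an assumption, and the rule that a `dnsbl` test expands its template once against the connecting IP (which is why it only ever sees the last hop) is my reading of the thread, not a documented Declude behaviour.

```python
# Added example: toy model of the Declude JunkMail rules described in the thread.
# Not Declude's code.  DNS is a constructed table; domains/IPs are documentation values.
import re
from typing import Dict, List, Optional, Tuple

# Constructed DNSBL answers.  Only the reversed-octet name exists, exactly as a
# real ip4r zone would answer; the unreversed name is simply not there.
LISTINGS: Dict[str, str] = {
    "25.2.0.192.sbl-xbl.spamhaus.org": "127.0.0.4",   # 192.0.2.25 is "listed"
}
LOCAL_DOMAINS = {"example.net"}                 # assumption: domains this server hosts
DYNAMIC_MARKERS = ("DUL", "DYNA", "DUHL")        # substrings that trigger the last-hop rule


def ip4r(ip: str) -> str:
    """Reverse the octets: 192.0.2.25 -> 25.2.0.192 (what %IP4R% expands to)."""
    return ".".join(reversed(ip.split(".")))


def expand(template: str, ip: str) -> str:
    """Expand the %IP4R% and %REMOTEIP% macros in a dnsbl test's zone template."""
    return template.replace("%IP4R%", ip4r(ip)).replace("%REMOTEIP%", ip)


def parse_test(line: str) -> Tuple[str, str, str, str, int]:
    """Parse 'NAME TYPE ZONE EXPECT WEIGHT ZERO'; the trailing column is accepted
    but not used by this model."""
    name, kind, zone, expect, weight, _zero = re.split(r"\s+", line.strip())
    return name, kind.lower(), zone, expect, int(weight)


def dnsbl_lookup(name: str) -> Optional[str]:
    """Stand-in for the DNS A-record query."""
    return LISTINGS.get(name)


def score(config: List[str], hops: List[str], mail_from: str,
          authed: bool) -> Tuple[int, List[str]]:
    """hops[-1] is the connecting server (the last hop).  Returns (total, tests hit)."""
    if authed:
        return 0, []                       # WHITELIST AUTH: authenticated mail is not scored
    sender_is_local = mail_from.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS
    total, hits = 0, []
    for line in config:
        name, kind, zone, expect, weight = parse_test(line)
        dynamic = any(m in name.upper() for m in DYNAMIC_MARKERS)
        if dynamic and sender_is_local:
            continue                       # DUL/DYNA/DUHL test disabled for local senders
        if kind == "ip4r":
            # every hop when scoring on multiple hops; last hop only if marked dynamic
            candidates = hops[-1:] if dynamic else hops
            names = [f"{ip4r(ip)}.{zone}" for ip in candidates]
        elif kind == "dnsbl":
            # assumption: the template is expanded once, against the connecting IP
            names = [expand(zone, hops[-1])]
        else:
            raise ValueError(f"unsupported test type {kind!r}")
        if any(dnsbl_lookup(n) == expect for n in names):
            total += weight
            hits.append(name)
    return total, hits


# Matt's two-test layout from the thread
NEW_CONFIG = [
    "XBL(LAST)  dnsbl  %IP4R%.sbl-xbl.spamhaus.org  127.0.0.4  6  0",
    "XBL(ALL)   ip4r   sbl-xbl.spamhaus.org         127.0.0.4  2  0",
]
# The former kludge: DYNA in the name to get last-hop-only scoring
OLD_CONFIG = [
    "XBL(DYNA)  ip4r   sbl-xbl.spamhaus.org         127.0.0.4  6  0",
    "XBL(ALL)   ip4r   sbl-xbl.spamhaus.org         127.0.0.4  2  0",
]
# Don's first attempt, which builds the unreversed name and never matches
WRONG_CONFIG = ["XBL(LAST)  dnsbl  %REMOTEIP%.sbl-xbl.spamhaus.org  127.0.0.4  6  0"]


if __name__ == "__main__":
    listed, clean = "192.0.2.25", "198.51.100.10"
    print(expand("%IP4R%.sbl-xbl.spamhaus.org", listed))             # 25.2.0.192.sbl-xbl.spamhaus.org
    print(score(NEW_CONFIG, [listed], "x@example.org", False))        # (8, ['XBL(LAST)', 'XBL(ALL)'])
    print(score(NEW_CONFIG, [listed, clean], "x@example.org", False)) # (2, ['XBL(ALL)'])
    print(score(OLD_CONFIG, [listed], "x@example.net", False))        # (2, ['XBL(ALL)']) forged local, kludge defeated
    print(score(NEW_CONFIG, [listed], "x@example.net", False))        # (8, ['XBL(LAST)', 'XBL(ALL)'])
    print(score(WRONG_CONFIG, [listed], "x@example.org", False))      # (0, [])
```

The two forged-local runs show the point of the thread: with DYNA in the name the 6-point last-hop test is switched off as soon as the Mail From uses a hosted domain, while the %IP4R% dnsbl form keeps scoring the connecting IP. The WRONG_CONFIG run shows why Scott's correction matters: an ip4r zone only answers for the reversed octets, so the %REMOTEIP% name silently never hits.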