Andy Schmidt wrote:
Matt,
I think there is a misunderstanding (possibly
on MY side).
>> DUL/DYNA/DUHL tests from hitting your own
local users when they are sending E-mail (only one hop and typically
dynamic/residential), Declude disables any dnsbl, ip4r or rhsbl test
when they have one of those strings in the name <<
I was aware that DUL/DYNA/DUHL only checks
the LAST hop (the server connecting to you) - but doesn't check the
prior hops. The idea is, that of course, ANY valid dial-up user will
eventually appear in the first hop - the one to his provider's mail
server. But a dial-up user should never be contacting YOUR mail server
directly - so the LAST hop should not come from a dial-up user.
What you are saying sounds almost like the
reverse?
The caveat is that if the connecting IP is from your own customer
trying to send E-mail, it may very well be a DUL IP.
>>
I found that on locally hosted E-mail, this test would be defeated if
the spammer forged a local address. <<
You mean forging an IP address? Or forging a
FROM address? I don't believe Declude "trusts" the from address - of
course it will be forged for spam!?
At this moment, Declude will not apply scores from any dnsbl, ip4r or
rhsbl tests if they have either DUL, DYNA or DUHL in the name AND the
Mail From matches a local user. So to a certain extent, Declude does
"trust" the from address. The reason for this was to defeat DUL tests
for local users that might be sending from IP's listed in DUL lists.
This was good thinking before WHITELIST AUTH became available because
otherwise we couldn't use DUL lists effectively if we hosted accounts
and had users that came in from DUL IP's, but for those that can
whitelist all legitimate senders, either by IP, AUTH, or otherwise
guarantee that no one will be sending from a DUL tagged IP, turning
this feature off is of great benefit. The work-around discussed today
is also an effective means of doing this.
>> Every user on my
system uses AUTH and I'm on IMail 8 so I can take advantage of
WHITELIST AUTH. The issue now is that when a spammer forges a locally
hosted address in the Mail From, Declude is still disabling all dnsbl,
ip4r and rhsbl tests that contain either DUL, DYNA or DUHL in the name,
and this now represents a weakness instead of a benefit. <<
I use AUTH as well without problems. If you
don't want the DUL/DYNA/DUHL, then why are you using those strings?
I was using those strings on non-DUL tests as a kludge. I've tried to
explain this several times recently and in the past. I score on
multiple hops, but I want to score hits on the connecting IP higher than
on a relaying IP. I am doing this because some spam is relayed from
one machine to another and even through an ISP's mailserver, but at the
same time, there is a higher false positive rate with relaying IP's
because some lists keep IP's in their database for many months or even
years after they are nominated, and without an attempt to clean up the
listing. ORDB for instance is very bad about this, and their removal
process is useless in this regard since most broadband IP's don't have
mail servers to receive the removal requests on.
Take a look at the reply to Bill from two messages ago for further
explanation of why this is done, and note that I was only naming tests
like XBL(DYNA) to make that one test only score on the last hop, and
the one marked XBL(ALL) would score on any hop that matched, including
the first. I have HOPHIGH set to 3 which means (I believe) that I am
checking as many as 4 hops (or 3 hops plus the connecting IP).
Matt
Best Regards
Andy Schmidt
H&M Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/
Don,
Since I started this thread, I'll try to answer what's at issue here.
Declude has functionality to only scan the last hop on any dnsbl, ip4r
and rhsbl test when it has either DUL, DYNA or DUHL in the name of the
test. This is done in order to protect you from scoring hits on
dial-up or residential IP's when they weren't the connecting server and
when you are using Declude to score on multiple hops (I believe this is
version restricted).
In order to keep these DUL/DYNA/DUHL tests from hitting your own local
users when they are sending E-mail (only one hop and typically
dynamic/residential), Declude disables any dnsbl, ip4r or rhsbl test
when they have one of those strings in the name. This was very useful
until IMail 8 came along and they started providing an indication of
whether or not AUTH was used in the Q*.SMD file. When IMail 8 did
that, Scott introduced a function called WHITELIST AUTH that will
whitelist any E-mail that is AUTH'd.
Every user on my system uses AUTH and I'm on IMail 8 so I can take
advantage of WHITELIST AUTH. The issue now is that when a spammer
forges a locally hosted address in the Mail From, Declude is still
disabling all dnsbl, ip4r and rhsbl tests that contain either DUL, DYNA
or DUHL in the name, and this now represents a weakness instead of a
benefit. So for users that have IMail 8, where all of their users are
whitelisted either by IP or by AUTH, it would be nice to turn this
functionality off.
Something that seemed to confuse you was the fact that I am using
several tests twice like so:
XBL(LAST) dnsbl %IP4R%.sbl-xbl.spamhaus.org 127.0.0.4 6 0
XBL(ALL) ip4r sbl-xbl.spamhaus.org 127.0.0.4 2 0
The reason why I do this is because I score on multiple hops, and
instead of having XBL score exactly the same on every hop, I created a
work around so that it would score higher on the last hop, and lower if
it only hit one of the prior hops. The prior hop functionality helps
with catching spam that is relayed from one open relay to another open
relay, or worse yet, from an open relay to a legitimate mail server.
At the same time there are lots of IP's in some of these lists that
have long since been fixed/closed and are sending only legitimate
E-mail through legitimate servers, and only adding a few points helps
protect from false positives.
The former kludge that I used was to use (DYNA) in the name of the test
that I only wanted to score on the last hop, but this morning, I found
that on locally hosted E-mail, this test would be defeated if the
spammer forged a local address. By changing the test to how it appears
as XBL(LAST) in the above example, I'm creating a way to score only the
last hop without it being defeated when a local address is forged and
DUL/DYNA/DUHL appears in the name.
The short answer is that in the example above for XBL(LAST), using the
dnsbl/%IP4R% hack, you can construct a test that only hits the last hop
(if you are scoring on multiple hops like I am).
It's convoluted, but it works, and I do recommend doing it, but only if
you understand how it works and why it is useful.
Matt
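A worked model of the behaviour Matt describes above, added here as an example; it is not part of the thread and not Declude's own code. It reconstructs three rules from the messages as simplified assumptions: a dnsbl test expands %REMOTEIP%/%IP4R% against the connecting IP only (so a %IP4R% dnsbl line is a last-hop-only test), an ip4r test checks the connecting IP plus up to HOPHIGH prior hops, and any test with DUL, DYNA or DUHL in its name is skipped when the Mail From domain is locally hosted. The listing table, the hop chains, the local domain example.net and the test tuples are constructed so the script runs offline; 192.0.2.25 is the connecting IP from Don's example.

```python
"""Model of the Declude test behaviour discussed in this thread.

Added example: the rules below are a simplified reconstruction of what the
thread describes, not Declude's own code. The LISTED table stands in for
real DNS so the script runs offline.
"""

ZONE = "sbl-xbl.spamhaus.org"
DUL_TAGS = ("DUL", "DYNA", "DUHL")

# Constructed listing table (stand-in for DNS): query name -> A record.
# 192.0.2.25 is the connecting IP from Don's example; 203.0.113.100 is a
# constructed prior-hop relay that is also listed.
LISTED = {
    "25.2.0.192." + ZONE: "127.0.0.4",
    "100.113.0.203." + ZONE: "127.0.0.4",
}

def ip4r(ip):
    """Reverse the octets the way a DNSBL expects: 192.0.2.25 -> 25.2.0.192."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(reversed(octets))

def expand_lookup(template, connecting_ip):
    """Expand the dnsbl-line variables. %REMOTEIP% inserts the IP unchanged
    (Don's first attempt); %IP4R% inserts it reversed (Scott's fix)."""
    return (template.replace("%REMOTEIP%", connecting_ip)
                    .replace("%IP4R%", ip4r(connecting_ip)))

def resolve(name):
    """Offline stand-in for a DNS A lookup against the constructed table."""
    return LISTED.get(name)

def is_dul_named(name):
    return any(tag in name.upper() for tag in DUL_TAGS)

def run_test(test, hops, mail_from, local_domains, hophigh=3):
    """Score one test. hops[0] is the connecting IP; later entries are the
    prior Received hops, nearest first. Returns the points contributed."""
    name, kind, lookup, want, weight = test
    sender_domain = mail_from.rsplit("@", 1)[-1].lower()
    if is_dul_named(name) and sender_domain in local_domains:
        return 0                      # the skip the thread calls a weakness
    if kind == "dnsbl":
        # Variables expand against the connecting IP only, so this is a
        # last-hop-only test regardless of HOPHIGH.
        return weight if resolve(expand_lookup(lookup, hops[0])) == want else 0
    if kind == "ip4r":
        # DUL-named ip4r tests scan only the last hop; others scan the
        # connecting IP plus up to HOPHIGH prior hops.
        checked = hops[:1] if is_dul_named(name) else hops[:hophigh + 1]
        for ip in checked:
            if resolve(ip4r(ip) + "." + lookup) == want:
                return weight
        return 0
    raise ValueError("unknown test type: %r" % kind)

def total_score(tests, hops, mail_from, local_domains, hophigh=3):
    return sum(run_test(t, hops, mail_from, local_domains, hophigh) for t in tests)

# Matt's current pair of tests and the earlier (DYNA) kludge, as tuples of
# (name, type, lookup, expected result, weight).
NEW_TESTS = [
    ("XBL(LAST)", "dnsbl", "%IP4R%." + ZONE, "127.0.0.4", 6),
    ("XBL(ALL)",  "ip4r",  ZONE,             "127.0.0.4", 2),
]
OLD_TESTS = [
    ("XBL(DYNA)", "ip4r", ZONE, "127.0.0.4", 6),
    ("XBL(ALL)",  "ip4r", ZONE, "127.0.0.4", 2),
]
LOCAL_DOMAINS = {"example.net"}   # constructed locally hosted domain

if __name__ == "__main__":
    direct = ["192.0.2.25"]                      # listed host connects directly
    relayed = ["198.51.100.7", "203.0.113.100"]  # clean server relays for a listed host
    print("direct, remote sender :", total_score(NEW_TESTS, direct, "a@remote.example", LOCAL_DOMAINS))  # 8
    print("direct, forged local  :", total_score(NEW_TESTS, direct, "a@example.net", LOCAL_DOMAINS))     # 8
    print("old kludge, forged    :", total_score(OLD_TESTS, direct, "a@example.net", LOCAL_DOMAINS))     # 2
    print("relayed, remote sender:", total_score(NEW_TESTS, relayed, "a@remote.example", LOCAL_DOMAINS)) # 2
    print("%REMOTEIP% query name :", expand_lookup("%REMOTEIP%." + ZONE, "192.0.2.25"))
```

The four scenarios show the point of the rewrite: with the XBL(LAST)/XBL(ALL) pair a directly connecting listed host scores 8 whether or not the Mail From is forged to a local address, while the old XBL(DYNA) kludge drops to 2 on a forged local sender; a listed relay behind a clean connecting server scores only the 2 points from XBL(ALL). The last line prints the unreversed name a %REMOTEIP% template would query, which is why Scott pointed Don at %IP4R%.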
Don Brown wrote:
Friday, May 14, 2004, 11:36:22 AM, R. Scott Perry <[EMAIL PROTECTED]> wrote:
I seem to have broken things worse :) Is there any reason why the
following wouldn't work?
XBL(LAST) dnsbl %REMOTEIP%.sbl-xbl.spamhaus.org 127.0.0.4 6 0
I tested the DUL lists using this format and it seemed to be
working. Here's the headers from a single hop test that tripped on the
ip4r version of XBL and returned the proper %REMOTEIP% in the headers:
RSP> The problem here is that the remote IP is 192.0.2.25, so Declude JunkMail
RSP> will create "192.0.2.25.sbl-xbl.spamhaus.org". But, you really want
RSP> "25.2.0.192.sbl-xbl.spamhaus.org". Fortunately, you can use:
RSP> XBL(LAST) dnsbl %IP4R%.sbl-xbl.spamhaus.org 127.0.0.4 6 0
RSP> which should do what you want.
RSP> -Scott
Since sbl-xbl.spamhaus.org is an ip4r list, doesn't the below do the
same thing as using %IP4R% as shown above? If not, what is the
difference?
SBL-ALL ip4r sbl-xbl.spamhaus.org
Thanks,
----
Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
(972) 788-2364 Fax: (972) 788-5049
----
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================