In addition to Darrell's answer, here is my best understanding of the DNSBL vs IP4R tests:
IP4R test: Will search up to (HOPHIGH variable + 1) hops, with the following exceptions:
If DYNA, DUL, or DUHL are in the test name, they will be skipped after the first hop. (From the release notes).
If the mailfrom matches a local address then Declude will not test the last hop. (alas this is a common spamming technique)
Source: "What was discovered and initially discussed in this thread though is that Declude will not test the last hop with such tests when the MailFrom matches a local address. That was also good design, but if you can whitelist all local senders, it is best to turn this off. A suitable work around for this issue has been provided. The work around that was discussed will only test the last hop. When Declude uses the %IP4R% variable, this comes from the connecting IP (unless IPBYPASSed), and there is only one value tested."
Pulled from: http://www.mail-archive.com/[email protected]/msg18675.html
Note on HOPHIGH:
HOPHIGH 0 = Last hop.
HOPHIGH 1 = Last hop and one previous hop.
HOPHIGH 2 = Last hop and two previous hops.
RHSBL test: Will search the domain name against a domain name database.
DNSBL test:
Variable options and examples:
%HELO% to test HELO string: MAILPOLICE-HELO dnsbl %HELO%.dynamic.rhs.mailpolice.com 127.0.0.2 0 0
%REVDNS% to test with a revdns: MAILPOLICE-REVDNS dnsbl %REVDNS%.dynamic.rhs.mailpolice.com 127.0.0.2 0 0
%IP4R% IP4R test: BLITZEDALL-LAST dnsbl %IP4R%.opm.blitzed.org * 0 0
%MAILFROMBL% to test mailfrom: support.declude.com. I use this with a copy of Joe Wein's 419 email address list db: JOEWEIN-MAILFROM dnsbl %MAILFROMBL%.jw.farmprogress.local 127.0.0.11 100 0
If you use the %IP4R% with the DNSBL, you are checking mails that do match your mailfrom and may catch more spam. If you are scanning valid mail with your mailfrom, this could be trouble. My mails are WHITELIST AUTH, so all other mail can be scanned.
In summary:
HOPHIGH 2
ORDB-LAST dnsbl %IP4R%.dnsbl.antispam.or.id 127.0.0.2 10 0
Will scan the last hop (including when MailFrom matches a local address) and score 10 points.
ORDB-ALL ip4r relays.ordb.org 127.0.0.2 2 0
Will scan the last hop and up to 2 previous hops (excluding the last hop where MailFrom matches a local address) and score 2 points on any of their hits.
Also:
In my experience, the last hop is a better indicator of spam than previous hops.
So this configuration scores accordingly and may help minimize false positives in the previous hops by scoring them less.
----- Original Message ----- From: "Fox, Thomas" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Wednesday, March 09, 2005 10:13 AM
Subject: RE: [Declude.JunkMail] Purpose of %IP4R%
I've been following the beginner config thread, trying to improve my setup, and am curious about the %IP4R% tag on some of the tests. What does this do/mean?
> It depends on how you want to score.
> You are currently referencing the sbl-xbl with only a return code of
> 127.0.0.4 and running blitzedall, cbl and sbl:
> XBL(LAST) dnsbl %IP4R%.sbl-xbl.spamhaus.org 127.0.0.4 9 0
> XBL(ALL) ip4r sbl-xbl.spamhaus.org 127.0.0.4 2 0
> BLITZEDALL ip4r opm.blitzed.org * 7 0
> CBL ip4r cbl.abuseat.org 127.0.0.2 6 0
> (Duplicate of XBL-ALL)
> SBL ip4r sbl.spamhaus.org * 7 0
>
> This would score the entire xbl list the same: (one DNS call)
> XBL(LAST) dnsbl %IP4R%.sbl-xbl.spamhaus.org * 9 0
> XBL(ALL) ip4r sbl-xbl.spamhaus.org * 2 0
>
> This would score the results of the sbl-xbl differently
> depending on which list they are on (one DNS call)
> SBL dnsbl %IP4R%.sbl-xbl.spamhaus.org 127.0.0.2 7 0
> CBL dnsbl %IP4R%.sbl-xbl.spamhaus.org 127.0.0.4 6 0
> BLITZEDALL dnsbl %IP4R%.sbl-xbl.spamhaus.org 127.0.0.5 7 0
--- [This E-mail scanned for viruses by Declude Virus]
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
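To make the hop-selection and scoring rules discussed in this thread concrete, here is an added simulation; it is not Declude's code and not from any poster. It models the rules as stated above: an ip4r test looks at the last hop plus up to HOPHIGH previous hops, skips everything past the first hop when the test name contains DYNA, DUL or DUHL, and skips the last hop when MailFrom is local; a dnsbl test built on %IP4R% looks only at the connecting IP and is not affected by a local MailFrom; the return-code column matches either one exact A record or any listing when it is `*`. How Declude combines the DUL-name rule with the local-MailFrom rule is an assumption here (both apply, so such a test can end up querying nothing); the FAKE_ZONES table and the HOPS chain are constructed so that the example runs without DNS, and dnsbl tests using variables other than %IP4R% (such as %HELO%) are simply not modelled.

```python
"""Simulation of which hops Declude's ip4r and dnsbl/%IP4R% tests look at,
and how HOPHIGH, a local MailFrom and the return-code column affect scoring.

Added example, not Declude's code.  DNS lookups are replaced by the
constructed FAKE_ZONES table so it runs offline.
"""
import re
from dataclasses import dataclass

# Constructed stand-in for DNSBL zones: {zone: {ip: [A records returned]}}.
# The IPs are RFC 5737 documentation addresses; the listings are invented.
FAKE_ZONES = {
    "sbl-xbl.spamhaus.org": {
        "192.0.2.10": ["127.0.0.4"],    # constructed: XBL-style return code
        "198.51.100.7": ["127.0.0.2"],  # constructed: SBL-style return code
    },
    "relays.ordb.org": {"198.51.100.7": ["127.0.0.2"]},
    "dnsbl.antispam.or.id": {"192.0.2.10": ["127.0.0.2"]},
}

# The LAST/ALL test pairs from the summary in the thread.
CONFIG = [
    "ORDB-LAST dnsbl %IP4R%.dnsbl.antispam.or.id 127.0.0.2 10 0",
    "ORDB-ALL ip4r relays.ordb.org 127.0.0.2 2 0",
    "XBL(LAST) dnsbl %IP4R%.sbl-xbl.spamhaus.org 127.0.0.4 9 0",
    "XBL(ALL) ip4r sbl-xbl.spamhaus.org 127.0.0.4 2 0",
]

# Constructed Received chain, most recent first: HOPS[0] is the connecting
# IP (the last hop), HOPS[1] the hop before it, and so on.
HOPS = ["192.0.2.10", "198.51.100.7", "203.0.113.5"]


@dataclass
class Test:
    name: str
    kind: str        # "ip4r" or "dnsbl"
    zone: str        # zone queried, with any leading "%IP4R%." removed
    code: str        # expected A record, or "*" for any listing
    weight: int
    uses_ip4r: bool  # dnsbl test whose query name is built from %IP4R%


def parse_test(line):
    """Parse one 'NAME type zone code weight flag' config line."""
    name, kind, zone, code, weight, _flag = line.split()
    uses_ip4r = zone.upper().startswith("%IP4R%.")
    if uses_ip4r:
        zone = zone[len("%IP4R%."):]
    return Test(name, kind.lower(), zone, code, int(weight), uses_ip4r)


def hops_to_check(test, hops, hophigh, mailfrom_is_local):
    """Return the IPs the test queries, following the rules in the thread."""
    if test.kind == "dnsbl":
        # %IP4R% expands to the connecting IP only, and that hop is tested
        # even when MailFrom matches a local address.
        return hops[:1] if test.uses_ip4r else []
    # ip4r: last hop plus up to HOPHIGH previous hops
    selected = hops[:hophigh + 1]
    if re.search(r"DYNA|DUL|DUHL", test.name.upper()):
        selected = selected[:1]   # dial-up lists: only the connecting IP
    if mailfrom_is_local:
        selected = selected[1:]   # assumed: last hop dropped for local MailFrom
    return selected


def listed_codes(zone, ip):
    """Offline replacement for the DNS A-record lookup of <reversed ip>.zone."""
    return FAKE_ZONES.get(zone, {}).get(ip, [])


def score_message(config_lines, hops, hophigh, mailfrom_is_local):
    """Per-test score: the weight if any selected hop returns a matching code."""
    scores = {}
    for line in config_lines:
        t = parse_test(line)
        hit = any(
            t.code == "*" or code == t.code
            for ip in hops_to_check(t, hops, hophigh, mailfrom_is_local)
            for code in listed_codes(t.zone, ip)
        )
        scores[t.name] = t.weight if hit else 0
    return scores


if __name__ == "__main__":
    for local in (False, True):
        s = score_message(CONFIG, HOPS, 2, local)
        print(f"local MailFrom={local}: {s} total={sum(s.values())}")
```

Running it shows the point of the LAST/ALL pairing: with a local MailFrom the ip4r tests lose the connecting IP and XBL(ALL) drops to 0, while the %IP4R% dnsbl tests still score the last hop; lowering HOPHIGH to 0 likewise stops ORDB-ALL from seeing the listed second hop. Swapping the return code for `*` on a test against the combined sbl-xbl zone makes it fire on any listing, which is the difference the quoted reply describes.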