Hop 0 is the MTA delivering to your MTA - Hop 0 is NOT your MTA, i.e.
(sender-MUA)-->(sender MTA)-->(Your MTA)-->(Your MUA)
(Hop 1)------->(Hop 0)------->(No HOP)---->(No Hop)
The reason to use Hop 0 and HopHigh 1 is to pick up a spammer MUA or MTA which is sending
or relaying through a clean MTA.
You don't, however, want to apply Dial-up lists in this instance, and Zen has two of them.
To prevent it, I believe the test name needs to include DUL or DUHL. Since this isn't
in the manual, I've asked Tech Support to confirm it.
The test would look something like below. Declude does only one lookup of Zen, but scores each test individually.
SPAMHAUS-5 ip4r zen.spamhaus.org 127.0.0.5 10 0
SPAMHAUS-DUL ip4r zen.spamhaus.org 127.0.0.10 10 0
SPAMHAUS-DUL2 ip4r zen.spamhaus.org 127.0.0.11 10 0
Thursday, August 2, 2007, 2:49:46 AM, Bonno Bloksma <[EMAIL PROTECTED]> wrote:
Hi,
> Due to your HOP setting you are checking multiple hops.
Ok, that was the intent.
> Since you use a multihop setting you should score the hops differently
> or run into problems like you identified.
That's one way of handling it.
> I would suggest reducing it to 1. This will score the last two hops.
And that's what I don't get. As far as I know I'm at hop 0, the machine sending it to me is hop 1. The machine sending it to that machine is hop 2.
That's as far as I want to check, but in the case below it seemed as if it was checking hop 3. The
> Received: from hulsbeek.nl (adsl-dc-34529.adsl.wanadoo.nl
> [83.116.227.41])by mwinf6301.orange.nl (SMTP Server) with ESMTP id
line was the third Received line and it was caught by the ZEN test
> X-RBL-Warning: ZEN: "http://www.spamhaus.org/query/bl?ip=83.116.227.41"
So, am I mistaken in the meaning of the Hop count, or is something else going on?

Kind regards,
Bonno Bloksma
head of system administration

tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl

----- Original Message -----
From: Darrell ([EMAIL PROTECTED])
Sent: Wednesday, August 01, 2007 4:48 PM
Subject: Re: [Declude.JunkMail] ZEN test

Bonno,

Due to your HOP setting you are checking multiple hops. Since you use a multihop setting you should score the hops differently or run into problems like you identified. I would suggest reducing it to 1. This will score the last two hops.

Then you can modify your tests like the following. The first one only checks the last ip received. The second one checks all of them. One thing to keep in mind: if the LAST test hits, so will the ALL test. So for example if you want the last hop (who connected to you) to have a weight of 3 for the SORBS-SPAM test, then you will want to make sure that the sum of the two tests equals that weight.

SORBS-SPAM(LAST) dnsbl %IP4R%.dnsbl.sorbs.net 127.0.0.6 2 0
SORBS-SPAM(ALL) ip4r dnsbl.sorbs.net 127.0.0.6 1 0

So in the case above if the second hop was listed we would only assign a score of "1" from the SORBS-SPAM(ALL) test. If the last hop was listed then we would have a score of "3" since both the (LAST) and (ALL) test would hit.

Let me know if this is not clear,
Darrell
----------------------------------
Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

Bonno Bloksma wrote:
> Hi,
>
> Maybe using the ZEN test isn't such a good idea. It is catching a DSL
> line that is several hops down.
>
> In Global.cfg I have Hophigh 2, should I maybe reduce that to 1? Is that
> the cause? If so....
> As far as I know my server is Hop 0, the smtp-4 should then be Hop 1,
> the me-wanadoo.net should then be Hop 2.
> So the hulsbeek.nl (adsl-dc-34529.... line) should be Hop 3 and not be
> checked.
>
> Why was that ip number checked?
>
> ----------<quote>--------------------
> Received: from smtp-4.orange.nl [193.252.22.249] by student.tio.nl with
> ESMTP (SMTPD-9.21) id A33707C8;
> Mon, 30 Jul 2007 09:28:55 +0200
> Received: from me-wanadoo.net (localhost [127.0.0.1])by
> mwinf6301.orange.nl (SMTP Server) with ESMTP id E84957000084for
> <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>>;
> Mon, 30 Jul 2007 09:28:54 +0200 (CEST)
> Received: from hulsbeek.nl (adsl-dc-34529.adsl.wanadoo.nl
> [83.116.227.41])by mwinf6301.orange.nl (SMTP Server) with ESMTP id
> AF5A97000082for <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>>;
> Mon, 30 Jul 2007 09:28:54 +0200 (CEST)
> X-ME-UUID: [EMAIL PROTECTED]
> Subject: [SPAM: 22]RE: 5 augustus
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> boundary="----_=_NextPart_001_01C7D27B.467F4FA9"
> Date: Mon, 30 Jul 2007 09:28:50 +0200
> Content-class: urn:content-classes:message
> X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
> Message-ID:
> X-MS-Has-Attach:
> X-MS-TNEF-Correlator:
> Thread-Topic: 5 augustus
> thread-index: AcfSClRkqB1y6CB4TkymtwIq3Exp3QAZtfQA
> From: "Erve Hulsbeek" <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>>
> Sender: "Piet Heuvelmans" <[EMAIL PROTECTED]
> To: "Nienke Koster" <[EMAIL PROTECTED]
> X-RBL-Warning: FIVETEN-SRC: 41.227.116.83.blackholes.five-ten-sg.com.
> X-RBL-Warning: MXRATE-BLOCK:
> "http://www.mxrate.com/lookup/refused.asp?ipaddress=193.252.22.249"
> X-RBL-Warning: ZEN: "http://www.spamhaus.org/query/bl?ip=83.116.227.41"
> X-RBL-Warning: SPAMCANNIBAL: "blocked, See:
> http://www.spamcannibal.org/cannibal.cgi?page=lookup&lookup=193.252.22.249
> <http://www.spamcannibal.org/cannibal.cgi?page=lookup&lookup=193.252.22.249>"
> X-RBL-Warning: FROMNOMATCH: Env sender ([EMAIL PROTECTED]
> <mailto:[EMAIL PROTECTED]>) From: ([EMAIL PROTECTED]
> <mailto:[EMAIL PROTECTED]>) mismatch.
> X-Declude-Sender: [EMAIL PROTECTED]
> <mailto:[EMAIL PROTECTED]> [193.252.22.249]
> X-Declude-Spoolname: D933701b30000b7de.smd
> X-Declude-RefID: str=0001.0A0B0204.46AD933D.0104,ss=1,fgs=0
> X-Declude-Note: Scanned by Declude 4.3.46 for spam.
> "http://www.declude.com/x-note.htm"
> X-Declude-Scan: Incoming Score [22] at 09:29:18 on 30 Jul 2007
> X-Declude-Fail: FIVETEN-SRC [3], MXRATE-BLOCK [7], ZEN [7], SPAMCANNIBAL
> [2], FROMNOMATCH [3], SPAMSUBJECT [12], SPAMHOLD [20], ZEROHOUR [0]
> X-Country-Chain: NETHERLANDS->FRANCE->destination
> X-fpReview-Weight: 22
>
> ----------<quote>--------------------
>
> Kind regards,
> Bonno Bloksma
> head of system administration
>
> tio hogeschool hotelmanagement en toerisme
> begijnenhof 8-12 / 5611 el eindhoven
> t 040 296 28 28 / f 040 237 35 20
> [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> / www.tio.nl
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail". The archives can be found
> at http://www.mail-archive.com.
----
Don Brown - Dallas, Texas USA Internet Concepts®
[EMAIL PROTECTED] http://www.inetconcepts.net
(972) 788-2364 Fax: (972) 788-5049
----
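
The hop numbering and dial-up exemption discussed in this thread, as an added Python example (not part of the original messages and not Declude's code). It assumes each Received line counts as one hop, uses the "DUL"/"DUHL" test-name convention that the reply itself calls unconfirmed, skips non-routable addresses as its own choice, and replaces DNS with constructed answers so it runs offline.

```python
import ipaddress
import re

ZONE = "zen.spamhaus.org"
# name -> (return code, weight), taken from the three test lines in the reply
TESTS = {"SPAMHAUS-5": ("127.0.0.5", 10),
         "SPAMHAUS-DUL": ("127.0.0.10", 10),
         "SPAMHAUS-DUL2": ("127.0.0.11", 10)}
DIALUP_MARKERS = ("DUL", "DUHL")  # assumption: naming convention from the reply

# Received chain from the quoted message, newest first (trimmed)
RECEIVED = [
    "from smtp-4.orange.nl [193.252.22.249] by student.tio.nl with ESMTP",
    "from me-wanadoo.net (localhost [127.0.0.1])by mwinf6301.orange.nl",
    "from hulsbeek.nl (adsl-dc-34529.adsl.wanadoo.nl [83.116.227.41])by mwinf6301.orange.nl",
]

def hop_ips(received):
    """Map hop number -> sending IP; hop 0 is the newest Received line."""
    found = (re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", line) for line in received)
    return {hop: m.group(1) for hop, m in enumerate(found) if m}

def query_name(ip, zone=ZONE):
    """ip4r-style lookup name: octets reversed, zone appended."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def score(received, lookup, hop=0, hop_high=1):
    """Score hops hop..hop_high; dial-up tests only count on hop 0."""
    total, hits = 0, []
    for n, ip in sorted(hop_ips(received).items()):
        if not hop <= n <= hop_high or not ipaddress.ip_address(ip).is_global:
            continue  # outside the hop window, or loopback/private address
        codes = lookup(query_name(ip))  # one lookup, each test scored from it
        for name, (code, weight) in TESTS.items():
            dialup = any(marker in name for marker in DIALUP_MARKERS)
            if code in codes and (n == 0 or not dialup):
                total += weight
                hits.append((n, name))
    return total, hits

# Constructed DNS answers (not real listing data) so the example runs offline
FAKE_DNS = {"41.227.116.83.zen.spamhaus.org": {"127.0.0.11"}}

def fake_lookup(name):
    return FAKE_DNS.get(name, set())

if __name__ == "__main__":
    print(hop_ips(RECEIVED))                              # ADSL address is hop 2
    print(score(RECEIVED, fake_lookup, hop_high=2))       # relayed: not scored
    print(score(RECEIVED[2:], fake_lookup, hop_high=2))   # direct: scored
```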
