On 03/10/19 18:40, [email protected] wrote:
> https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7755
> RW <[email protected]> changed:
> What |Removed |Added
> ----------------------------------------------------------------------------
> CC| |[email protected]
> --- Comment #5 from RW <[email protected]> ---
> In my experience blocklist sites seldom give sample rules with sensible scores.
> Note also that the .cf file that comes with that plugin redefines RCVD_IN_PBL &
> RCVD_IN_XBL to be deep tests. Most of the score is in a new zen rule, but it
> still leaves deep XBL hits with 1 point. It's an unfortunate POLA violation
> that could cause a lot of FPs if the scores for those rules are already
> overridden locally.

That rescoring is done with a purpose, i.e.:

Deep test the received chain and check if an IP is in XBL/SBL and adjust
the score accordingly. That is to check if the original sender IP is
compromised in some way (XBL and SBL have different listing policies,
hence the different scores).

However, if the last untrusted relay is listed in ZEN, then tag the
email as sure spam (we have a 0% FP rate on ZEN's last untrusted relay).

PBL is a list maintained directly by ISPs where they are effectively
declaring that they *don't* want any IP listed there to be authorized to
directly send emails.

URIBL_DBL_SPAM hits when a domain tagged as spam source is found, and
that, in our opinion, should automatically flag an email as spam.

Of course I could have made some errors, but the expected behaviour
should be what is expressed above.

But, even if the OP didn't use our plugin, the fact that "example.com"
queries DBL for "here.to" should be investigated in my opinion.
Unfortunately, due to my own lack of experience, I didn't really
understand Henrik's explanation of why it happens.

--
Best regards,
Riccardo Alfieri
Spamhaus Technology
https://www.spamhaustech.com/
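
The scoring interaction discussed in this thread, as an added example that is not part of the original messages and is not the plugin's or SpamAssassin's code: it compares a last-untrusted-relay XBL check with a deep check when a local score override exists. Assumptions: the unmodified RCVD_IN_XBL rule looks only at the last untrusted relay, ZEN answers 127.0.0.4-7 for XBL, and the IPs, the DNS data and the 5.0 override are constructed; the 1.0 is the deep XBL score mentioned in the quoted comment.

```python
# Constructed offline stand-in for DNS: query name -> last octets of the
# A records returned. Documentation-range IPs only; no lookups are made.
CONSTRUCTED_ZEN = {
    "7.113.0.203.zen.spamhaus.org": [4],  # 203.0.113.7 is XBL-listed
}

def zen_lists(ip, data=CONSTRUCTED_ZEN):
    """Return the ZEN sub-lists (SBL, XBL, PBL) an IPv4 address is on."""
    qname = ".".join(reversed(ip.split("."))) + ".zen.spamhaus.org"
    found = set()
    for octet in data.get(qname, []):
        if octet in (2, 3):
            found.add("SBL")
        elif 4 <= octet <= 7:
            found.add("XBL")
        elif octet in (10, 11):
            found.add("PBL")
    return found

def xbl_hit(relays, deep):
    """relays[0] is the last untrusted relay; later entries are older hops.

    deep=False checks only relays[0]; deep=True walks the whole chain.
    """
    checked = relays if deep else relays[:1]
    return any("XBL" in zen_lists(ip) for ip in checked)

def message_score(relays, deep, xbl_score):
    """Score contributed by RCVD_IN_XBL for one message."""
    return xbl_score if xbl_hit(relays, deep) else 0.0

# Constructed message: a clean ISP smarthost relaying for an XBL-listed client.
VIA_SMARTHOST = ["192.0.2.25", "203.0.113.7"]
LOCAL_OVERRIDE = 5.0  # constructed local "score RCVD_IN_XBL 5.0"
SHIPPED_DEEP = 1.0    # the 1 point for deep XBL hits mentioned in the thread

if __name__ == "__main__":
    cases = [
        ("last relay only, local override", False, LOCAL_OVERRIDE),
        ("deep test, shipped score", True, SHIPPED_DEEP),
        ("deep test, local override still set", True, LOCAL_OVERRIDE),
    ]
    for label, deep, score in cases:
        print(f"{label}: {message_score(VIA_SMARTHOST, deep, score)}")
```

The third case is the one to audit for: a local override written for the last-relay meaning of the rule is applied unchanged to deep hits once the rule is redefined.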