Re: PYZOR_CHECK always have zero score, why?

2016-10-19 Thread John Hardin

On Wed, 19 Oct 2016, Bill Cole wrote:

>> This is a print Dumper of permsgstatus with a grep -i PYZOR:
>
> [snip]
> Hmmm... Relevant context of those lines is lost with grep, but they confirm 
> something odd is going on.


Perhaps dump the entire thing to a text file and post it (gzipped if 
large) to pastebin?


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  A well educated Electorate, being necessary to the liberty of a
  free State, the Right of the People to Keep and Read Books,
  shall not be infringed.
---
 302 days since the first successful real return to launch site (SpaceX)


Re: PYZOR_CHECK always have zero score, why?

2016-10-19 Thread Pedro David Marco


>Hmmm... Relevant context of those lines is lost with grep, but they 
>confirm something odd is going on.

Bill, your remark is welcome, what lines/info should i pay attention to or 
even post here?

Pedro

Re: PYZOR_CHECK always have zero score, why?

2016-10-19 Thread Pedro David Marco
Thanks in any case Bill...
Really appreciate all your help and time... Bill, John, Matus...

Pedro
  From: Bill Cole 
 To: "users@spamassassin.apache.org"  
Cc: Pedro David Marco 
 Sent: Thursday, October 20, 2016 5:03 AM
 Subject: Re: PYZOR_CHECK always have zero score, why?
   
On 19 Oct 2016, at 22:41, Pedro David Marco wrote:

> Thanks Bill...

I wish it had been more helpful.

> tested...
>> 1. Add to local.cf, along with the other PYZOR_CHECK_2 lines you had:
>>    tflags PYZOR_CHECK_2 net
>> Does that change whether the rule is hit?
>> 2. Change the PYZOR_CHECK score line in 50_scores.cf to:
>>    score PYZOR_CHECK 0.001 1.985 0.001 1.392
>> Does that quiet the warning about the meta rule?
>> If Test #1 makes PYZOR_CHECK_2 NOT match a message that matched without
>> it, then something is disabling 'net' rules and you need to find and
>> correct whatever is doing that if you want SA to work well.
> PYZOR_CHECK_2 works well when tflag  net is set...
>> If Test #2 silences the warning, you've found what is PROBABLY a
>> minor cosmetic bug in SpamAssassin but MAY be a substantive one if
>> it means that meta rule is being skipped as a result of having
>> detected the wrong score in that line. Opening a bug report at
>> https://bz.apache.org/SpamAssassin/ would be helpful.
> warning still present... :-(

Color me entirely mystified.

> This is a print Dumper of permsgstatus with a grep -i PYZOR:

[snip]
Hmmm... Relevant context of those lines is lost with grep, but they 
confirm something odd is going on.

> so still wondering  about the Dumper line:  'PYZOR_CHECK' => 
> '0',

That is strange, but it's not clear which hash that is from.

> i have even performed a ext4 fs deep check to discard any drive 
> corruption issue

I'm all out of ideas grounded in sanity.


   

Re: PYZOR_CHECK always have zero score, why?

2016-10-19 Thread Bill Cole

On 19 Oct 2016, at 22:41, Pedro David Marco wrote:

> Thanks Bill...

I wish it had been more helpful.

> tested...
>> 1. Add to local.cf, along with the other PYZOR_CHECK_2 lines you had:
>>    tflags PYZOR_CHECK_2 net
>> Does that change whether the rule is hit?
>> 2. Change the PYZOR_CHECK score line in 50_scores.cf to:
>>    score PYZOR_CHECK 0.001 1.985 0.001 1.392
>> Does that quiet the warning about the meta rule?
>> If Test #1 makes PYZOR_CHECK_2 NOT match a message that matched without
>> it, then something is disabling 'net' rules and you need to find and
>> correct whatever is doing that if you want SA to work well.
> PYZOR_CHECK_2 works well when tflag  net is set...
>> If Test #2 silences the warning, you've found what is PROBABLY a
>> minor cosmetic bug in SpamAssassin but MAY be a substantive one if
>> it means that meta rule is being skipped as a result of having
>> detected the wrong score in that line. Opening a bug report at
>> https://bz.apache.org/SpamAssassin/ would be helpful.
> warning still present... :-(

Color me entirely mystified.

> This is a print Dumper of permsgstatus with a grep -i PYZOR:

[snip]
Hmmm... Relevant context of those lines is lost with grep, but they 
confirm something odd is going on.

> so still wondering  about the Dumper line:  'PYZOR_CHECK' => 
> '0',

That is strange, but it's not clear which hash that is from.

> i have even performed a ext4 fs deep check to discard any drive 
> corruption issue

I'm all out of ideas grounded in sanity.


Re: PYZOR_CHECK always have zero score, why?

2016-10-19 Thread Pedro David Marco
Thanks Bill...
tested...
>1. Add to local.cf, along with the other PYZOR_CHECK_2 lines you had:
>    tflags PYZOR_CHECK_2 net
>Does that change whether the rule is hit?
>2. Change the PYZOR_CHECK score line in 50_scores.cf to:
>    score PYZOR_CHECK 0.001 1.985 0.001 1.392
>Does that quiet the warning about the meta rule?
>If Test #1 makes PYZOR_CHECK_2 NOT match a message that matched
>without it, then something is disabling 'net' rules and you need to find and
>correct whatever is doing that if you want SA to work well.
PYZOR_CHECK_2 works well when tflag  net is set...
>If Test #2 silences the warning, you've found what is PROBABLY a minor
>cosmetic bug in SpamAssassin but MAY be a substantive one if it means that
>meta rule is being skipped as a result of having detected the wrong score in
>that line. Opening a bug report at https://bz.apache.org/SpamAssassin/ would
>be helpful.
warning still present... :-(


This is a print Dumper of permsgstatus with a grep -i PYZOR:

  'pyzor_available' => 1,   }, 'Mail::SpamAssassin::Plugin::Pyzor' ),
  'PYZOR_CHECK_2' => '2',
  'PYZOR_CHECK' => '0',
  'PYZOR_CHECK_2' => 'check_pyzor',
  'PYZOR_CHECK' => 'check_pyzor',
  'PYZOR_CHECK_2' => '/etc/mail/spamassassin/local.cf',
  'PYZOR_CHECK' => '/var/lib/spamassassin/3.004001/updates_spamassassin_org/25_pyzor.cf',
  'pyzor_timeout' => '3.5',
  'Mail::SpamAssassin::Plugin::Pyzor' => 1,
  'check_pyzor' => $VAR1->{'async'}{'main'}{'plugins'}{'plugins'}[6],
  'updates_spamassassin_org/25_pyzor.cf' => 'updates_spamassassin_org/25_pyzor.cf',
  'PYZOR_CHECK' => 'Listed in Pyzor (http://pyzor.sf.net/)',
  'PYZOR_CHECK_2' => 'Listed in Pyzor (http://pyzor.sf.net/)'
  'pyzor_path' => undef,
  'DIGEST_MULTIPLE' => 'RAZOR2_CHECK + DCC_CHECK + PYZOR_CHECKA > 1',
  'setting' => 'use_pyzor'
  'setting' => 'pyzor_max'
  'setting' => 'pyzor_timeout'
  'setting' => 'pyzor_options',
  'setting' => 'pyzor_path',
  'PYZOR_CHECK_2' => 13,
  'PYZOR_CHECK' => 13,
  'pyzor_options' => '',
  'use_pyzor' => 1,
  'PYZOR_CHECK_2' => '2',
  'PYZOR_CHECK' => '0',
  'PYZOR_CHECK_2' => '2',
  'PYZOR_CHECK' => '0',
  'PYZOR_CHECK_2' => '2',
  'PYZOR_CHECK' => '0',
  'pyzor_timeout' => $VAR1->{'async'}{'main'}{'plugins'}{'plugins'}[17]{'conf'}{'registered_commands'}[157],
  'pyzor_path' => $VAR1->{'async'}{'main'}{'plugins'}{'plugins'}[17]{'conf'}{'registered_commands'}[159],
  'pyzor_options' => $VAR1->{'async'}{'main'}{'plugins'}{'plugins'}[17]{'conf'}{'registered_commands'}[158],
  'use_pyzor' => $VAR1->{'async'}{'main'}{'plugins'}{'plugins'}[17]{'conf'}{'registered_commands'}[155],
  'pyzor_max' => $VAR1->{'async'}{'main'}{'plugins'}{'plugins'}[17]{'conf'}{'registered_commands'}[156],
  'pyzor_max' => 5,

It seems PYZOR_CHECK is taken from file 
/var/lib/spamassassin/3.004001/updates_spamassassin_org/25_pyzor.cf  that looks 
like:

  ifplugin Mail::SpamAssassin::Plugin::Pyzor
  full     PYZOR_CHECK    eval:check_pyzor()
  describe PYZOR_CHECK    Listed in Pyzor (http://pyzor.sf.net/)
  tflags   PYZOR_CHECK    net
  reuse    PYZOR_CHECK
  endif

and 50_scores.cf looks as suggested by Bill:

  score PYZOR_CHECK 0.001 1.985 0.001 1.392

so still wondering  about the Dumper line:  'PYZOR_CHECK' => '0',
i have even performed a ext4 fs deep check to discard any drive corruption issue


RE: Assistance needed

2016-10-19 Thread Kevin Miller
I believe the "take your business elsewhere" comment was referring to your ISP, 
not to this list.  I.e., find an ISP that has a support staff that knows what 
they're doing.

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357


-Original Message-
From: Sue Mey [mailto:s...@storage.co.za] 
Sent: Tuesday, October 18, 2016 12:47 AM
To: users@spamassassin.apache.org
Subject: RE: Assistance needed

Wow.
So sorry I bothered you guys.


ApacheCon is now less than a month away!

2016-10-19 Thread Rich Bowen
Dear Apache Enthusiast,

ApacheCon Sevilla is now less than a month out, and we need your help
getting the word out. Please tell your colleagues, your friends, and
members of related technical communities, about this event. Rates go up
November 3rd, so register today!

ApacheCon, and Apache Big Data, are the official gatherings of the
Apache Software Foundation, and one of the best places in the world to
meet other members of your project community, gain deeper knowledge
about your favorite Apache projects, learn about the ASF. Your project
doesn't live in a vacuum - it's part of a larger family of projects that
have a shared set of values, as well as a shared governance model. And
many of our projects have an overlap in developers, in communities, and
in subject matter, making ApacheCon a great place for cross-pollination
of ideas and of communities.

Some highlights of these events will be:

* Many of our board members and project chairs will be present
* The lightning talks are a great place to hear, and give, short
presentations about what you and other members of the community are
working on
* The key signing gets you linked into the web of trust, and better
able to verify our software releases
* Evening receptions and parties where you can meet community
members in a less formal setting
* The State of the Feather, where you can learn what the ASF has
done in the last year, and what's coming next year
* BarCampApache, an informal unconference-style event, is another
venue for discussing your projects at the ASF

We have a great schedule lined up, covering the wide range of ASF
projects, including:

* CI and CD at Scale: Scaling Jenkins with Docker and Apache Mesos -
Carlos Sanchez
* Inner sourcing 101 - Jim Jagielski
* Java Memory Leaks in Modular Environments - Mark Thomas

ApacheCon/Apache Big Data will be held in Sevilla, Spain, at the Melia
Sevilla, November 14th through 18th. You can find out more at
http://apachecon.com/  Other ways to stay up to date with ApacheCon are:

* Follow us on Twitter at @apachecon
* Join us on IRC, at #apachecon on the Freenode IRC network
* Join the apachecon-discuss mailing list by sending email to
apachecon-discuss-subscr...@apache.org
* Or contact me directly at rbo...@apache.org with questions,
comments, or to volunteer to help

See you in Sevilla!

-- 
Rich Bowen: VP, Conferences
rbo...@apache.org
http://apachecon.com/
@apachecon


Re: PYZOR_CHECK always have zero score, why?

2016-10-19 Thread Bill Cole

On 19 Oct 2016, at 12:16, Pedro David Marco wrote:

>> IIRC I've seen this warning on meta rule dependencies with a non-zero
>> scores. Unless you have a better reason to think Pyzor isn't working,
>> I'd just ignore it.
>
> Well... you are right, in fact i have no problem in ignoring it, but i 
> do not like to have unresolved issues in something that is going to be 
> in production.
>
> ---Pedro.


OK, since nothing is re-scoring PYZOR_CHECK to 0 or otherwise acting on 
it specifically, there are some other possibilities. Try these 2 tests:


1. Add to local.cf, along with the other PYZOR_CHECK_2 lines you had:

   tflags PYZOR_CHECK_2 net

Does that change whether the rule is hit?


2. Change the PYZOR_CHECK score line in 50_scores.cf to:

   score PYZOR_CHECK 0.001 1.985 0.001 1.392

Does that quiet the warning about the meta rule?



If Test #1 makes PYZOR_CHECK_2 NOT match a message that matched without 
it, then something is disabling 'net' rules and you need to find and 
correct whatever is doing that if you want SA to work well.


If Test #2 silences the warning, you've found what is PROBABLY a minor 
cosmetic bug in SpamAssassin but MAY be a substantive one if it means 
that meta rule is being skipped as a result of having detected the wrong 
score in that line. Opening a bug report at 
https://bz.apache.org/SpamAssassin/ would be helpful.
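
The four-column score line in Test #2 holds one value per SpamAssassin score set, and a later `score` line for the same rule replaces an earlier one. The following is an added example, not code from the thread or from SpamAssassin: it resolves the effective per-set scores and lists which dependencies of a meta expression are zero in a given set. The "stock" line is a constructed stand-in (the thread does not show the original 50_scores.cf line), and the function names are hypothetical.

```python
import re

# Column order of a four-value score line (score sets 0 to 3).
SCORE_SETS = ("Bayes off, net off", "Bayes off, net on",
              "Bayes on, net off", "Bayes on, net on")

# Constructed stand-in for a distributed default with zeros in the non-net sets.
STOCK_50_SCORES = "score PYZOR_CHECK 0 1.985 0 1.392   # constructed sample\n"
# Lines quoted in the thread.
TEST2_50_SCORES = "score PYZOR_CHECK 0.001 1.985 0.001 1.392\n"
LOCAL_CF = "score         PYZOR_CHECK         2\n"
# Meta expression from the Dumper output, without the stray character.
META_EXPR = "RAZOR2_CHECK + DCC_CHECK + PYZOR_CHECK > 1"


def effective_scores(config_texts):
    """Return {rule: [s0, s1, s2, s3]} after reading the texts in order.

    A single value applies to all four sets; four values map to sets 0..3.
    Relative scores written in parentheses are not handled and are skipped.
    """
    scores = {}
    for text in config_texts:
        for raw in text.splitlines():
            fields = raw.split("#", 1)[0].split()
            if len(fields) < 3 or fields[0] != "score":
                continue
            rule, values = fields[1], fields[2:]
            if len(values) not in (1, 4):
                continue
            try:
                nums = [float(v) for v in values]
            except ValueError:
                continue
            scores[rule] = nums * 4 if len(nums) == 1 else nums
    return scores


def zero_score_dependencies(meta_expr, scores, score_set):
    """List rules named in meta_expr whose score is 0 in the given set."""
    names = re.findall(r"[A-Za-z_][A-Za-z0-9_]*", meta_expr)
    return [n for n in names if n in scores and scores[n][score_set] == 0]


if __name__ == "__main__":
    for label, texts in (("stock", [STOCK_50_SCORES]),
                         ("test #2", [STOCK_50_SCORES, TEST2_50_SCORES]),
                         ("local.cf", [STOCK_50_SCORES, LOCAL_CF])):
        resolved = effective_scores(texts)
        for idx, name in enumerate(SCORE_SETS):
            print(label, idx, name, resolved["PYZOR_CHECK"][idx],
                  zero_score_dependencies(META_EXPR, resolved, idx))
```
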


Re: How to create a URIBL

2016-10-19 Thread Kris Deugau
Alex wrote:
> Hi,
> 
> I've collected a bunch of URIs that I'd like to incorporate into my
> rulebase. I know how to create a DNSBL, but I don't specifically know
> how to create a URIBL. Can I use rbldnsd for this? Or would I have to
> extract the IP or hostname from the URL, then also use a bunch of uri
> rules? If so, is there a way of automating this, given a list of URIs?
> 
> For example, I have URIs like:
> 
> http://109.73.134.241/dgq01px
> http://51steel1.org/s4b5ztgcx
> http://amessofblues1.com/m0dqfx

Do you want to use the full URI (including the /dgq01px or /s4b5ztgcx
parts), or just the domain names?

If you want the full URI, I think you're pretty much stuck collecting
them up in a huge list of uri rules, unless you want to write a custom
plugin to do a custom DNS lookup.  (Not sure some of the new DNS lookup
widgets will go quite far enough to support something like this directly.)

If you only want the domain name, you can feed those into a local DNSBL.

> I'm also then not sure which of uri* rule definition should be used.
> I've used urirhsbl before for a local host blocklist, but now after
> reading the man page again for the first time in a while, I'm not even
> sure that's correct.

"uri" rules are standard SA regular expression rules that only look at
things that SA has extracted from the message as a URI.

The others are DNSBL lookup rules, with a lot of variations on how the
lookup should be done, and the results broken down.  The
Mail::SpamAssassin::Plugin::URIDNSBL man page has all the details, but
my experience has been that for local use, you generally only need
uridnsbl and/or uridnssub.

> I'm also unclear about rbldnsd config for dnset, where hostnames would
> be used. Here is my current command-line:

Other responses have gone into more detail on this, which I probably
tested for myself at one point when I set up local DNS blacklists.

I also wrote some basic tools to feed both relay IP and URI domain data
into these local lists;  I've published them at
https://secure.deepnet.cx/trac/dnsbl.  Note that these are mainly
data-entry/export utilities, and they're a little rough around the
edges, but these are substantially what I've been using in production
for quite a few years now.

-kgd


Re: PYZOR_CHECK always have zero score, why?

2016-10-19 Thread Pedro David Marco



>IIRC I've seen this warning on meta rule dependencies with a non-zero
>scores. Unless you have a better reason to think Pyzor isn't working,
>I'd just ignore it.

Well... you are right, in fact i have no problem in ignoring it, but i do not 
like to have unresolved issues in something that is going to be in production.

---Pedro.




   

Re: PYZOR_CHECK always have zero score, why?

2016-10-19 Thread Matus UHLAR - fantomas

On 19.10.16 08:47, Pedro David Marco wrote:
>Thanks Matus..
>>you should also check homedir of user spamassassin runs under (e.g. amavis)
>
>i already looked for the string PYZOR_CHECK throughout the full system (homes 
>included) with no luck..
>
>where on hell is it overwriting  the local.cf line???
>score         PYZOR_CHECK         2
>and sets score 0? 

you haven't answered my question, see below.

> From: Matus UHLAR - fantomas 
>To: users@spamassassin.apache.org
>Sent: Wednesday, October 19, 2016 9:42 AM
>Subject: Re: PYZOR_CHECK always have zero score, why?
>
>On 19.10.16 04:28, Pedro David Marco wrote:
>>i already did but still no clues...
>>Files in my Debian SA package (3.4.1) containing the string PYZOR_CHECK:
>># for i in `dpkg -L spamassassin`; do grep -l PYZOR_CHECK $i 2>/dev/null ; done
>>/usr/share/spamassassin/30_text_fr.cf
>>/usr/share/spamassassin/30_text_pl.cf
>>/usr/share/spamassassin/25_pyzor.cf
>>/usr/share/spamassassin/50_scores.cf
>>/usr/share/spamassassin/30_text_pt_br.cf
>>/usr/share/spamassassin/20_net_tests.cf
>>/usr/share/spamassassin/30_text_nl.cf
>>/usr/share/spamassassin/30_text_de.cf
>>25_pyzor.cf contains:
>
>grep -r PYZOR_CHECK /etc/spamassassin/
>
>you should also check homedir of user spamassassin runs under (e.g. amavis)
>
>>i have even looked for the string PYZOR_CHECK throughout the full system... and 
>>no more files contain that string.
>
>how do you run spamassassin?

so, how do you run spamassassin?
Aren't you by any chance only using local tests?


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The early bird may get the worm, but the second mouse gets the cheese. 


Re: PYZOR_CHECK always have zero score, why?

2016-10-19 Thread RW
On Wed, 19 Oct 2016 03:22:13 + (UTC)
Pedro David Marco wrote:

> Hi!
> 
> It seems PYZOR_CHECK rule is not being used in my SA Just
> installed SA and Pyzor in a Debian and executed  "pyzor discover." In
> Debian pyzor is enabled by default so nothing to add in
> local.cf. Command "pyzor check < emailfile.eml" works ok. .. now i
> try to test SA in debug mode like this:
> # spamassassin  -D  2>&1
>  04:48:28.562 [9566] dbg: plugin: loading Mail::SpamAssassin::Plugin::Pyzor from @INC
> Oct 19 04:48:28.564 [9566] dbg: pyzor: network tests on, attempting Pyzor.
> Oct 19 04:48:29.711 [9566] info: rules: meta test DIGEST_MULTIPLE has dependency 'PYZOR_CHECK' with a zero score

IIRC I've seen this warning on meta rule dependencies with a non-zero
scores. Unless you have a better reason to think Pyzor isn't working,
I'd just ignore it.








Re: How to create a URIBL

2016-10-19 Thread Rob McEwen

On 10/18/2016 9:09 PM, Alex wrote:

> How do you then enter ranges? For example, one of the rbldnsd zone
> examples I've seen have entries such as:
> 1.168.160.0-255
> That does not look to be in reverse order, as the host octet is still last.


while there may be a more complicated and unusual answer for this.. the 
short answer is... you don't, and you shouldn't have to.


(1) IPs at the base of clickable links inside the body of the message in 
spams... is still a little rare... comprising roughly 2% of all such 
listings.


(2) This means that (a) those IPs aren't taking up a lot of space in the 
dnset files, when compared to the domains and host names there, and (b) 
of that ~2% of IPs, extremely few of those are even in the same /24 
block - so you don't get much mileage out of trying to list ranges


having said that... sending-IP lists that use ip4set DO have the 
functionality that you desire. ip4set actually has quite a number of 
acceptable formats to list blocks or ranges of IPs.


ip4tset... not so much. ip4tset is built for EXTRA speed and EXTRA 
low-memory usage, but isn't as flexible and generally requires one 
single IP per line.


Based on your question, it could be that you're trying to merge your 
sending IP blacklist, with your URI/domain blacklists... all into one 
single dnset rbldnsd file? if so, that is NOT recommended. It causes 
problems and removes some of rbldnsd's best features/strengths.



> Your service is great, btw.


Thanks. Please send me a note off-list as to how/why you think that. 
I'm not looking for praise... just curious if you're one of my clients 
(such as at your dayjob?) or if we've crossed paths somewhere and I 
forgot about it?... or if you have ever tested invaluement? etc (though 
I know you're a frequent SA discussion participant)



--
Rob McEwen
http://www.invaluement.com
+1 (478) 475-9032




Re: PYZOR_CHECK always have zero score, why?

2016-10-19 Thread Pedro David Marco
Thanks Matus..
>you should also check homedir of user spamassassin runs under (e.g. amavis)

i already looked for the string PYZOR_CHECK throughout the full system (homes 
included) with no luck..

where on hell is it overwriting  the local.cf line???
score         PYZOR_CHECK         2
and sets score 0? 

i am stuck... 

-Pedro

  From: Matus UHLAR - fantomas 
 To: users@spamassassin.apache.org 
 Sent: Wednesday, October 19, 2016 9:42 AM
 Subject: Re: PYZOR_CHECK always have zero score, why?
   
On 19.10.16 04:28, Pedro David Marco wrote:
>i already did but still no clues...
>Files in my Debian SA package (3.4.1) containing the string PYZOR_CHECK:
># for i in `dpkg -L spamassassin`; do grep -l PYZOR_CHECK $i 2>/dev/null ; done
>/usr/share/spamassassin/30_text_fr.cf
>/usr/share/spamassassin/30_text_pl.cf
>/usr/share/spamassassin/25_pyzor.cf
>/usr/share/spamassassin/50_scores.cf
>/usr/share/spamassassin/30_text_pt_br.cf
>/usr/share/spamassassin/20_net_tests.cf
>/usr/share/spamassassin/30_text_nl.cf
>/usr/share/spamassassin/30_text_de.cf
>25_pyzor.cf contains:

grep -r PYZOR_CHECK /etc/spamassassin/

you should also check homedir of user spamassassin runs under (e.g. amavis)

>i have even looked for the string PYZOR_CHECK throughout the full system... 
>and no more files contain that string.

how do you run spamassassin?

>i have tried sa-compile of course but... is there maybe any cache i can delete 
>manually? not to my knowledge but...

sa-compile only compiles regular expressions AFAIK.


-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Atheism is a non-prophet organization. 


   

Re: How to create a URIBL

2016-10-19 Thread Rob McEwen

On 10/19/2016 3:51 AM, Matus UHLAR - fantomas wrote:

> are you REALLY sure the IP has to be reversed?
> rbldns parses IP and reverses them by itself, if used in ip4* dataset.
> When used in dnset, it should not be reversed.


Your most valid points do not apply to "dnset". they apply to ip4tset 
and ip4set for sending-IP blacklists.


Let me explain... but before I explain, let me say that I'm not arguing 
for any of this. These standards were put in place long before my time 
(and are followed by SURBL and URIBL, too). Or, at least I didn't set 
these standards. I MIGHT have been involved in some of the discussions 
about this circa 2004, in internal discussions at SURBL - and in SA 
discussions - but I think this was all set just a little before my time 
in those forums.


So basically, if you look at the anatomy of a domain name... from left 
to right, you get into a higher hierarchy.


So in "foo.example.com"

"foo" is drilling into detail. while "example.com" is the bigger 
picture. And then ".com" is an even bigger picture! In a domain, as you 
get FURTHER to the right, you go to a HIGHER hierarchy or level.


But IPs are the opposite. For an IPv4 IP, the leftmost number is the 
highest in the hierarchy, and you drill down into more detail as you 
move to the right.


For this reason, it was decided a long time ago... that for URI DNSBL 
blacklists that use "dnset", the IP should be reversed in the source file.


Therefore, in the data file, the test point IP:

127.0.0.1

shows up as

1.0.0.127

And then when the client queries that IP, the query is formatted as follows:

1.0.0.127.example.com

(where example.com is the URI blacklist's host name)

And, likewise, ALL of the major anti-spam software, (such as 
SpamAssassin), automatically reverses the IP when that (forward-ordered) 
IP is extracted from a base of a URL found in the body of a spam, and 
then this is appended to the beginning of a URI blacklist's hostname, 
for checking against URIBL blacklists (such as SURBL, URIBL, or my own 
ivmURI list)


This decision to do it this way PROBABLY had something to do with trying 
to get rbldnsd engine to NOT have to internally treat IPs and 
domains/host-names differently. otherwise, it would have had to "know" 
to reverse IPs, but yet know to NOT reverse domains or host names. (and 
who knows what TLDs could be coming up in the future?)


In contrast, IPs found in sending IP data files (for ip4tset and ip4set) 
don't have this inconsistency problem. So it makes sense to just leave 
them in forward-order, for EASY readability... and then just allow 
rbldnsd to reverse order them on-the-fly. (thank God - I'd go nuts if my 
ip4tset and ip4set were all in reverse order! meanwhile, IPs in URIBL 
data files are usually a TINY percentage of the listings!)


--

Having said all of that, for regular sending-IP blacklists, (just as you 
said) the IP is NOT in reverse order in the file. But rbldnsd "knows" to 
reverse order it in memory, before it is compared to the reverse-ordered 
query that comes in from the client.


So you're correct when you say, "rbldns parses IP and reverses them by 
itself" ... but that only applies to sending-IP blacklists, set up with 
ip4tset and ip4set in rbldnsd.


As shown, dnset operates differently for IP addresses found in URIBL 
blacklists.


--

This was a trip down memory lane for me.

--
Rob McEwen
invaluement
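
The client-side query construction described above (IPv4 host reversed, host name left as-is, blacklist zone appended), as an added example that is not part of the original post. It covers only the query name, which the replies in this thread agree on, not the layout of the rbldnsd data file. The zone `uribl.example.com` and the function names are hypothetical, and the host name is used as found in the URI, without reducing it to a registered domain.

```python
import ipaddress
from urllib.parse import urlsplit

ZONE = "uribl.example.com"  # hypothetical local blacklist zone

SAMPLE_URIS = [
    "http://109.73.134.241/dgq01px",      # from the thread
    "http://51steel1.org/s4b5ztgcx",      # from the thread
    "http://amessofblues1.com/m0dqfx",    # from the thread
    "http://AMESSOFBLUES1.com./other",    # constructed: same host, other path
    "mailto:someone",                     # constructed: no host part
]


def lookup_label(uri):
    """Return the left-hand part of the DNS query for a URI, or None.

    IPv4 literals are reversed octet by octet; host names are lowercased
    and kept in their normal order. Path, port and userinfo are ignored.
    """
    host = urlsplit(uri).hostname
    if not host:
        return None
    host = host.rstrip(".")
    try:
        ip = ipaddress.IPv4Address(host)
    except ValueError:
        return host
    return ".".join(reversed(str(ip).split(".")))


def query_name(uri, zone=ZONE):
    """Full name a client would look up for this URI in the given zone."""
    label = lookup_label(uri)
    return None if label is None else f"{label}.{zone}"


def unique_query_names(uris, zone=ZONE):
    """Query names for a list of URIs, de-duplicated, in first-seen order."""
    seen, names = set(), []
    for uri in uris:
        name = query_name(uri, zone)
        if name and name not in seen:
            seen.add(name)
            names.append(name)
    return names


if __name__ == "__main__":
    for name in unique_query_names(SAMPLE_URIS):
        print(name)
```
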


Re: How to create a URIBL

2016-10-19 Thread Axb

On 10/19/2016 09:51 AM, Matus UHLAR - fantomas wrote:
> On 18.10.16 20:03, Rob McEwen wrote:
>> So your three examples:
>>
>> 109 .73 .134 .241
>>
>> would look like this:
>>
>> .241 .134 .73 .109
>>
>> NOTICE 2 things:
>>
>> (2) the fact that the IP is in reverse order. The great part about
>> rbldnsd is that a lookup on either
>
> are you REALLY sure the IP has to be reversed?
> rbldns parses IP and reverses them by itself, if used in ip4* dataset.
> When used in dnset, it should not be reversed.

in the rbldnsd zone the ip does NOT have to be reversed
the query reverses the IP



Re: How to create a URIBL

2016-10-19 Thread Matus UHLAR - fantomas

On 18.10.16 20:03, Rob McEwen wrote:
> So your three examples:
>
> 109 .73 .134 .241
>
> would look like this:
>
> .241 .134 .73 .109
>
> NOTICE 2 things:
>
> (2) the fact that the IP is in reverse order. The great part about 
> rbldnsd is that a lookup on either

are you REALLY sure the IP has to be reversed?
rbldns parses IP and reverses them by itself, if used in ip4* dataset.
When used in dnset, it should not be reversed.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Eagles may soar, but weasels don't get sucked into jet engines. 


Re: PYZOR_CHECK always have zero score, why?

2016-10-19 Thread Matus UHLAR - fantomas

On 19.10.16 04:28, Pedro David Marco wrote:
>i already did but still no clues...
>Files in my Debian SA package (3.4.1) containing the string PYZOR_CHECK:
># for i in `dpkg -L spamassassin`; do grep -l PYZOR_CHECK $i 2>/dev/null ; done
>/usr/share/spamassassin/30_text_fr.cf
>/usr/share/spamassassin/30_text_pl.cf
>/usr/share/spamassassin/25_pyzor.cf
>/usr/share/spamassassin/50_scores.cf
>/usr/share/spamassassin/30_text_pt_br.cf
>/usr/share/spamassassin/20_net_tests.cf
>/usr/share/spamassassin/30_text_nl.cf
>/usr/share/spamassassin/30_text_de.cf
>25_pyzor.cf contains:

grep -r PYZOR_CHECK /etc/spamassassin/

you should also check homedir of user spamassassin runs under (e.g. amavis)

>i have even looked for the string PYZOR_CHECK throughout the full system... and 
>no more files contain that string.

how do you run spamassassin?

>i have tried sa-compile of course but... is there maybe any cache i can delete 
>manually? not to my knowledge but...

sa-compile only compiles regular expressions AFAIK.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Atheism is a non-prophet organization.