On Mon, 2003-06-02 at 00:32, Justin Shore wrote:
> I noticed a problem just now that I really hadn't thought about before.  I 
> recently added a number of DNSBLs to my sa-mimedefang.cf that weren't in 
> the stock SA (2.6.0-cvs).
> 
> proxy.relays.osirusoft.com
> socks.relays.osirusoft.com
> all of blackholes.us's country zones, not providers
> 7 SORBS BLs
> proxies.relays.monkeys.com
> proxies.blackholes.easynet.nl
> dynablock.blackholes.easynet.nl
> multihop.dsbl.org
> dialups.visi.com
> 
> I noticed a reply that was apparently sent to a reply someone sent me on
> the Procmail list.  I couldn't seem to find that reply for some reason.  
> I checked my >= spambox and found it.  That message received a score of
> 5.787.  It received .6 for being in the ORSS, 1 for being in the NJABL,
> and 1 for being in dialups.visi (1 is the score I used for all the BLs I
> added).  His IP was listed in those lists as a dialin IP.  He effectively
> received a score of 2.6 just for being a dialin user and not SmartHosting
> to his provider's MTA.  He also received 3.3 for a Forged Outlook MUA rule
> which I haven't sorted out yet (stock rule and score).
> 
> This got me wondering.  Is it a bad idea to call more than 1 DNSBL of a 
> given type?  For example, would it be wise querying 4 direct-to-MX BLs, 4 
> proxy lists, 5 open relay lists, etc?  I'm wondering if there's a better 
> way to handle this.  For example, group all direct-to-mx lists together.  
> Query the first.  If it matches, skip the rest.  If it doesn't match, 
> query the next.  So on and so forth for the rest of the lists until the 
> end.  Is that a more logical way to handle it?
> 


Call them all and use a meta || rule for the score, or call and score
them all, then use a meta && rule to subtract some score back off. That's
what I'm doing here:

meta Z_OPEN_PROXY (X_OSIRU_OPEN_PROXY || X_OSIRU_OPEN_SOCKS || X_MONKEYS_OPEN_PROXY)
describe Z_OPEN_PROXY Host is an open proxy server
score Z_OPEN_PROXY 1.4

Of course I could be totally wrong, but it works for me.

Yet again I could be totally wrong about this, but I think you're
wasting a lookup by querying proxies.relays.osirusoft.com. SpamAssassin
already did RCVD_IN_OSIRUSOFT_COM for you, so all you need to do is
rbleval:check_rbl_results_for('osirusoft', '127.0.0.9')
I can't get to the osirusoft website right now to check, but istr something
like:

127.0.0.2 = open relay
127.0.0.3 = dialup
127.0.0.4 = spam source
127.0.0.5 = smart host
127.0.0.6 = mirror of spamhaus.org/spamsites.org
127.0.0.7 = non-confirm mailing lists
127.0.0.8 = insecure formmail
127.0.0.9 = open proxy

As I said, I could be wrong. It shouldn't be difficult to check when the
website comes back up.

Dave


> Justin
> 
> 
> 
> -------------------------------------------------------
> This SF.net email is sponsored by: eBay
> Get office equipment for less on eBay!
> http://adfarm.mediaplex.com/ad/ck/711-11697-6916-5
> _______________________________________________
> Spamassassin-talk mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/spamassassin-talk


-- 
Scanned by MailScanner at wot.no-ip.com
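
Added example (not part of the original message, and not SpamAssassin code): a Python sketch of the two ideas in the reply above, one lookup against an aggregate zone decoded by return code, and one score per list category in the manner of the meta || rule. The return-code table is the one recalled from memory in the message; the resolver, zone data, category mapping and category score are constructed assumptions.

```python
# Added illustration; not SpamAssassin code. The resolver is injected so the
# sketch runs offline against a constructed zone instead of real DNS.

# Return codes as recalled in the message above (unverified by its author).
OSIRUSOFT_CODES = {
    "127.0.0.2": "open relay", "127.0.0.3": "dialup",
    "127.0.0.4": "spam source", "127.0.0.5": "smart host",
    "127.0.0.6": "spamhaus mirror", "127.0.0.7": "non-confirm mailing list",
    "127.0.0.8": "insecure formmail", "127.0.0.9": "open proxy",
}

def dnsbl_name(ip, zone):
    """Build the DNSBL query name: reversed IPv4 octets followed by the zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone

def categories(ip, zone, resolve, codes=OSIRUSOFT_CODES):
    """One lookup on the aggregate zone; decode every A record returned."""
    answers = resolve(dnsbl_name(ip, zone))  # [] means not listed
    return {codes[a] for a in answers if a in codes}

def additive_score(hits, scores):
    """Every list that hits adds its own score (the behaviour in the question)."""
    return round(sum(scores[name] for name in hits), 3)

def grouped_score(hits, list_category, category_score):
    """Like a meta || rule: a category scores once however many lists hit."""
    cats = {list_category[name] for name in hits}
    return round(sum(category_score[c] for c in cats), 3)

# Constructed sample data (192.0.2.0/24 is a documentation range).
FAKE_ZONE = {"7.2.0.192.relays.osirusoft.com": ["127.0.0.3", "127.0.0.9"]}
def fake_resolve(name):
    return FAKE_ZONE.get(name, [])

# The three dial-up hits from the question: 0.6 + 1 + 1.
HITS = ["ORSS", "NJABL", "dialups.visi"]
LIST_SCORES = {"ORSS": 0.6, "NJABL": 1.0, "dialups.visi": 1.0}
LIST_CATEGORY = {name: "dialup" for name in HITS}  # per the question's description
CATEGORY_SCORE = {"dialup": 1.0}                   # assumed value for illustration

if __name__ == "__main__":
    print(categories("192.0.2.7", "relays.osirusoft.com", fake_resolve))
    print(additive_score(HITS, LIST_SCORES),
          grouped_score(HITS, LIST_CATEGORY, CATEGORY_SCORE))
```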


