Howdy, Dave. Thanks for the reply.
On 2 Jun 2003, Yorkshire Dave wrote:
> Call them all and use a meta || rule for the score, or call and score
> them all then use a meta && rule to subtract some score back off, that's
> what I'm doing here
>
> meta Z_OPEN_PROXY (X_OSIRU_OPEN_PROXY || X_OSIRU_OPEN_SOCKS ||
> X_MONKEYS_OPEN_PROXY)
> describe Z_OPEN_PROXY Host is an open proxy server
> score Z_OPEN_PROXY 1.4
>
> Of course I could be totally wrong, but it works for me.
That's a good idea. So in my case I'd do something like
meta Z_DIALUPS (RCVD_IN_OSIRU_DUL || RCVD_IN_NJABL_DIALUP || RCVD_IN_MAPS_DUL || RCVD_IN_VISI_DIALUPS)
describe Z_DIALUPS Host has a dynamically assigned IP
score Z_DIALUPS 2
So if any or all of them are hit, the only score any of them can score is
2, correct? Would this be something worth doing with blackholes.us
rules? That's probably a bad example. SOCKS, proxy, formmail.cgi, and
direct-to-mx are probably the best examples.
I'm trying to learn more about the rule generation. I asked a while back
but didn't get much in the way of responses. Tonight, while looking
through my rules, I saw a number of things I need to change/fix. I need
to actually organize my DNSBL rules. I didn't notice until tonight that
I'm not actually re-querying the ORSS BL for the proxy check. I have it
set up with check_rbl_sub. Now I actually see how that works! :) I need
to find docs on how to create rules the right way before I seriously break
something.
> Yet again I could be totally wrong about this, but I think you're
> wasting a lookup by querying proxies.relays.osirusoft.com, spamassassin
> already did RCVD_IN_OSIRUSOFT_COM for you so all you need to do is
> rbleval:check_rbl_results_for('osirusoft', '127.0.0.9')
> I can't get to osirusoft website right now to check but istr something
> like:-
>
> 127.0.0.2 = open relay
> 127.0.0.3 = dialup
> 127.0.0.4 = spam source
> 127.0.0.5 = smart host
> 127.0.0.6 = mirror of spamhaus.org/spamsites.org
> 127.0.0.7 = non-confirm mailing lists
> 127.0.0.8 = insecure formmail
> 127.0.0.9 = open proxy
>
> as I said, I could be wrong, shouldn't be difficult to check when the
> website comes back up.
I was on it just a little while ago. Your list looks right. Smart host
shouldn't be ready yet. It's going to be renamed to "outputs" when it's
ready. IIRC it's a multihop list so no one should block with it. I'd
score off it though. :)
I wish Joe wouldn't put the SBL in 127.0.0.6 or with anything else. I'd
like to reference it separately. I'm going to have to call it separately I
guess.
While I have a human reading this thread, and one that knows more about
rule creation than I do, I'm going to include the rules I created if you
don't mind. (sorry for the ugly wrapping)
# Re-enabled MAPS checks
score RCVD_IN_RSS 1
score RCVD_IN_DUL 1
############### BEGIN relays.osirusoft.com ######################
score RCVD_IN_OSIRU_PROXY 1
header RCVD_IN_OSIRU_PROXY rbleval:check_rbl_sub('osirusoft', '127.0.0.9')
describe RCVD_IN_OSIRU_PROXY DNSBL: Insecure Proxy
tflags RCVD_IN_OSIRU_PROXY net
# 127.0.0.7 is the non-confirmed mailing list code; 127.0.0.8 is insecure formmail
score RCVD_IN_OSIRU_INSECURE_LIST 1
header RCVD_IN_OSIRU_INSECURE_LIST rbleval:check_rbl_sub('osirusoft', '127.0.0.7')
describe RCVD_IN_OSIRU_INSECURE_LIST DNSBL: Opts in without confirmation
tflags RCVD_IN_OSIRU_INSECURE_LIST net
############### END relays.osirusoft.com ######################
############### BEGIN blackholes.us ######################
score RCVD_IN_BLKHO_ARGENTINA 1
header RCVD_IN_BLKHO_ARGENTINA rbleval:check_rbl('blackholes.us-ar', 'argentina.blackholes.us.')
describe RCVD_IN_BLKHO_ARGENTINA ccTLD: sender is in Argentina
tflags RCVD_IN_BLKHO_ARGENTINA net
score RCVD_IN_BLKHO_BRAZIL 1
header RCVD_IN_BLKHO_BRAZIL rbleval:check_rbl('blackholes.us-br', 'brazil.blackholes.us.')
describe RCVD_IN_BLKHO_BRAZIL ccTLD: sender is in Brazil
tflags RCVD_IN_BLKHO_BRAZIL net
score RCVD_IN_BLKHO_CHINA 1
header RCVD_IN_BLKHO_CHINA rbleval:check_rbl('blackholes.us-cn', 'china.blackholes.us.')
describe RCVD_IN_BLKHO_CHINA ccTLD: sender is in China
tflags RCVD_IN_BLKHO_CHINA net
score RCVD_IN_BLKHO_HONGKONG 1
header RCVD_IN_BLKHO_HONGKONG rbleval:check_rbl('blackholes.us-hk', 'hongkong.blackholes.us.')
describe RCVD_IN_BLKHO_HONGKONG ccTLD: sender is in Hong Kong
tflags RCVD_IN_BLKHO_HONGKONG net
score RCVD_IN_BLKHO_JAPAN 1
header RCVD_IN_BLKHO_JAPAN rbleval:check_rbl('blackholes.us-jp', 'japan.blackholes.us.')
describe RCVD_IN_BLKHO_JAPAN ccTLD: sender is in Japan
tflags RCVD_IN_BLKHO_JAPAN net
score RCVD_IN_BLKHO_KOREA 1
header RCVD_IN_BLKHO_KOREA rbleval:check_rbl('blackholes.us-kr', 'korea.blackholes.us.')
describe RCVD_IN_BLKHO_KOREA ccTLD: sender is in Korea
tflags RCVD_IN_BLKHO_KOREA net
score RCVD_IN_BLKHO_MALAYSIA 1
header RCVD_IN_BLKHO_MALAYSIA rbleval:check_rbl('blackholes.us-my', 'malaysia.blackholes.us.')
describe RCVD_IN_BLKHO_MALAYSIA ccTLD: sender is in Malaysia
tflags RCVD_IN_BLKHO_MALAYSIA net
score RCVD_IN_BLKHO_NIGERIA 1
header RCVD_IN_BLKHO_NIGERIA rbleval:check_rbl('blackholes.us-ng', 'nigeria.blackholes.us.')
describe RCVD_IN_BLKHO_NIGERIA ccTLD: sender is in Nigeria
tflags RCVD_IN_BLKHO_NIGERIA net
score RCVD_IN_BLKHO_RUSSIA 1
header RCVD_IN_BLKHO_RUSSIA rbleval:check_rbl('blackholes.us-ru', 'russia.blackholes.us.')
describe RCVD_IN_BLKHO_RUSSIA ccTLD: sender is in Russia
tflags RCVD_IN_BLKHO_RUSSIA net
score RCVD_IN_BLKHO_SINGAPORE 1
header RCVD_IN_BLKHO_SINGAPORE rbleval:check_rbl('blackholes.us-sg', 'singapore.blackholes.us.')
describe RCVD_IN_BLKHO_SINGAPORE ccTLD: sender is in Singapore
tflags RCVD_IN_BLKHO_SINGAPORE net
score RCVD_IN_BLKHO_TAIWAN 1
header RCVD_IN_BLKHO_TAIWAN rbleval:check_rbl('blackholes.us-tw', 'taiwan.blackholes.us.')
describe RCVD_IN_BLKHO_TAIWAN ccTLD: sender is in Taiwan
tflags RCVD_IN_BLKHO_TAIWAN net
score RCVD_IN_BLKHO_THAILAND 1
header RCVD_IN_BLKHO_THAILAND rbleval:check_rbl('blackholes.us-th', 'thailand.blackholes.us.')
describe RCVD_IN_BLKHO_THAILAND ccTLD: sender is in Thailand
tflags RCVD_IN_BLKHO_THAILAND net
score RCVD_IN_BLKHO_TURKEY 1
header RCVD_IN_BLKHO_TURKEY rbleval:check_rbl('blackholes.us-tr', 'turkey.blackholes.us.')
describe RCVD_IN_BLKHO_TURKEY ccTLD: sender is in Turkey
tflags RCVD_IN_BLKHO_TURKEY net
############### END blackholes.us ######################
############### BEGIN SORBS ######################
score RCVD_IN_SORBS 1
header RCVD_IN_SORBS rbleval:check_rbl('sorbs', 'dnsbl.sorbs.net.')
describe RCVD_IN_SORBS SORBS: sender is listed in SORBS
tflags RCVD_IN_SORBS net
score RCVD_IN_SORBS_HTTP 1
header RCVD_IN_SORBS_HTTP rbleval:check_rbl('sorbs-http', 'http.dnsbl.sorbs.net.')
describe RCVD_IN_SORBS_HTTP SORBS: Open HTTP Proxy
tflags RCVD_IN_SORBS_HTTP net
score RCVD_IN_SORBS_SOCKS 1
header RCVD_IN_SORBS_SOCKS rbleval:check_rbl('sorbs-socks', 'socks.dnsbl.sorbs.net.')
describe RCVD_IN_SORBS_SOCKS SORBS: Open SOCKS Proxy
tflags RCVD_IN_SORBS_SOCKS net
score RCVD_IN_SORBS_MISC 1
header RCVD_IN_SORBS_MISC rbleval:check_rbl('sorbs-misc', 'misc.dnsbl.sorbs.net.')
describe RCVD_IN_SORBS_MISC SORBS: Miscellaneous Open Proxy
tflags RCVD_IN_SORBS_MISC net
score RCVD_IN_SORBS_SMTP 1
header RCVD_IN_SORBS_SMTP rbleval:check_rbl('sorbs-smtp', 'smtp.dnsbl.sorbs.net.')
describe RCVD_IN_SORBS_SMTP SORBS: Open SMTP Relay
tflags RCVD_IN_SORBS_SMTP net
score RCVD_IN_SORBS_WEB 1
header RCVD_IN_SORBS_WEB rbleval:check_rbl('sorbs-web', 'web.dnsbl.sorbs.net.')
describe RCVD_IN_SORBS_WEB SORBS: Vulnerable WWW server (formmail.cgi, Code Red, Nimda)
tflags RCVD_IN_SORBS_WEB net
score RCVD_IN_SORBS_SPAM 1
header RCVD_IN_SORBS_SPAM rbleval:check_rbl('sorbs-spam', 'spam.dnsbl.sorbs.net.')
describe RCVD_IN_SORBS_SPAM SORBS: Spam Source/Support
tflags RCVD_IN_SORBS_SPAM net
score RCVD_IN_SORBS_ZOMBIE 1
header RCVD_IN_SORBS_ZOMBIE rbleval:check_rbl('sorbs-zombie', 'zombie.dnsbl.sorbs.net.')
describe RCVD_IN_SORBS_ZOMBIE SORBS: Hijacked netblock
tflags RCVD_IN_SORBS_ZOMBIE net
############### END SORBS ######################
score RCVD_IN_MONKEYS_PROXIES 1
header RCVD_IN_MONKEYS_PROXIES rbleval:check_rbl('monkeys-proxies', 'proxies.relays.monkeys.com.')
describe RCVD_IN_MONKEYS_PROXIES MONKEYS: Unsecured Proxy
tflags RCVD_IN_MONKEYS_PROXIES net
#dynablock.easynet.nl
#blackholes.easynet.nl
#proxies.blackholes.easynet.nl
############### BEGIN EASYNET ######################
# Formerly Wirehub
score RCVD_IN_EASYNET 1
header RCVD_IN_EASYNET rbleval:check_rbl('easynet', 'blackholes.easynet.nl.')
describe RCVD_IN_EASYNET EASYNET: Listed at Easynet.nl
tflags RCVD_IN_EASYNET net
score RCVD_IN_EASYNET_PROXIES 1
header RCVD_IN_EASYNET_PROXIES rbleval:check_rbl('easynet-proxies', 'proxies.blackholes.easynet.nl.')
describe RCVD_IN_EASYNET_PROXIES EASYNET: Unsecured Proxy
tflags RCVD_IN_EASYNET_PROXIES net
score RCVD_IN_EASYNET_DYNABLOCK 1
header RCVD_IN_EASYNET_DYNABLOCK rbleval:check_rbl('easynet-dynablock', 'dynablock.blackholes.easynet.nl.')
describe RCVD_IN_EASYNET_DYNABLOCK EASYNET: sender has a dynamically assigned IP
tflags RCVD_IN_EASYNET_DYNABLOCK net
############### END EASYNET ######################
############### BEGIN MISC CHECKS ######################
score RCVD_IN_DSBL_MULTIHOP 1
header RCVD_IN_DSBL_MULTIHOP rbleval:check_rbl_txt('dsbl', 'multihop.dsbl.org.')
describe RCVD_IN_DSBL_MULTIHOP DSBL: received via a relay in multihop.dsbl.org
tflags RCVD_IN_DSBL_MULTIHOP net
score RCVD_IN_VISI_DIALUPS 1
header RCVD_IN_VISI_DIALUPS rbleval:check_rbl('visi-dialups', 'dialups.visi.com.')
describe RCVD_IN_VISI_DIALUPS DNSBL: sender has a dynamically assigned IP
tflags RCVD_IN_VISI_DIALUPS net
Do you see any glaring mistakes in all of that? (we are DUL and RSS
customers) I can send it as an attachment if desired. I don't know if I
used the correct rbleval options or not. I see a number of rules in
20_dnsbl that look like
check_rbl('osirusoft-notfirsthop'
Is "-notfirsthop" some sort of code that SA looks for that I can use for
dialups.visi.com, for example? Is any of this documented anywhere? I
can't find any mention of this.
Thanks
Justin
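The two points raised in the thread above, reusing one lookup for several return codes (check_rbl_sub) and OR-ing several list hits into a meta rule so they count once, can be shown offline. The following is an added example written for this page; it is not code from the thread, from any of the posters, or from SpamAssassin itself, and it only models the behaviour, it does not parse real rule files. The relay IPs, the listed 192.0.2.x addresses and the in-memory DNS table are constructed; the 127.0.0.x codes follow the relays.osirusoft.com table quoted by Dave. It also makes explicit something the question "the only score any of them can score is 2, correct?" depends on: the meta rule adds its score on top of its components, so the total is capped at 2 only when the component rules themselves score 0, as the X_OSIRU_* helper rules do.

```python
"""Offline model of SpamAssassin-style DNSBL rule evaluation (added example).

Shows: one DNS query per "set" with cached A records reused by sub-tests,
and a meta rule that ORs several component rules and fires once.
"""
from collections import Counter

# Constructed DNSBL data: zone -> reversed-octet name -> A records returned.
# Return codes follow the relays.osirusoft.com table quoted in the thread.
FAKE_ZONES = {
    "relays.osirusoft.com.": {
        "10.2.0.192": ["127.0.0.9"],               # open proxy
        "11.2.0.192": ["127.0.0.3", "127.0.0.4"],  # dialup and spam source
    },
    "dialups.visi.com.": {"11.2.0.192": ["127.0.0.2"]},
    "proxies.relays.monkeys.com.": {"10.2.0.192": ["127.0.0.2"]},
}


def reverse_octets(ip):
    """DNSBLs are queried as <reversed IP>.<zone>, e.g. 10.2.0.192.zone."""
    return ".".join(reversed(ip.split(".")))


class RblChecker:
    """Evaluates check_rbl / check_rbl_sub style tests for one message."""

    def __init__(self, relay_ips, zones=FAKE_ZONES):
        self.relay_ips = relay_ips   # IPs taken from the Received: headers
        self.zones = zones           # stand-in resolver (no network)
        self.results = {}            # set name -> A records seen for it
        self.queries = Counter()     # zone -> number of DNS queries sent

    def _query(self, zone, ip):
        self.queries[zone] += 1
        return self.zones.get(zone, {}).get(reverse_octets(ip), [])

    def check_rbl(self, setname, zone):
        """Query the zone for every relay IP once; cache all answers under setname."""
        if setname in self.results:          # a second rule on the same set is free
            return bool(self.results[setname])
        hits = []
        for ip in self.relay_ips:
            hits.extend(self._query(zone, ip))
        self.results[setname] = hits
        return bool(hits)

    def check_rbl_sub(self, setname, code):
        """Match a return code against cached answers; sends no new query."""
        return code in self.results.get(setname, [])


def score_message(relay_ips, dul_component_score=0):
    """Run a small rule set modelled on the thread.

    Returns (total score, {rule: score} for rules that hit, queries per zone).
    dul_component_score is the score given to the meta rule's components;
    0 reproduces the X_OSIRU_* helper-rule convention.
    """
    c = RblChecker(relay_ips)
    # check_rbl on a set must run before any check_rbl_sub that uses it.
    header_rules = [
        ("RCVD_IN_OSIRUSOFT_COM", lambda: c.check_rbl("osirusoft", "relays.osirusoft.com."), 0),
        ("RCVD_IN_OSIRU_PROXY", lambda: c.check_rbl_sub("osirusoft", "127.0.0.9"), 1),
        ("RCVD_IN_OSIRU_DUL", lambda: c.check_rbl_sub("osirusoft", "127.0.0.3"), dul_component_score),
        ("RCVD_IN_VISI_DIALUPS", lambda: c.check_rbl("visi-dialups", "dialups.visi.com."), dul_component_score),
        ("RCVD_IN_MONKEYS_PROXIES", lambda: c.check_rbl("monkeys-proxies", "proxies.relays.monkeys.com."), 1),
    ]
    hits = {}
    for name, test, score in header_rules:
        if test():
            hits[name] = score
    # meta Z_DIALUPS (RCVD_IN_OSIRU_DUL || RCVD_IN_VISI_DIALUPS), score 2:
    # fires once however many components matched, and ADDS to their scores.
    if "RCVD_IN_OSIRU_DUL" in hits or "RCVD_IN_VISI_DIALUPS" in hits:
        hits["Z_DIALUPS"] = 2
    return sum(hits.values()), hits, dict(c.queries)


if __name__ == "__main__":
    for ips in (["192.0.2.11"], ["192.0.2.10"]):
        total, hits, queries = score_message(ips)
        print(ips, "total:", total, "hits:", hits, "queries:", queries)
    print("components scored 1:", score_message(["192.0.2.11"], dul_component_score=1)[0])
```

With 192.0.2.11 (listed as dialup in two zones) the total is 2 and relays.osirusoft.com is queried once even though two rules use it; the same message scores 4 once the two dialup component rules carry a score of 1 each, which is the case with the RCVD_IN_VISI_DIALUPS rule as posted above.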
_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk