On Mon, 2003-06-02 at 03:25, Justin Shore wrote:
> Howdy, Dave. Thanks for the reply.
>
> On 2 Jun 2003, Yorkshire Dave wrote:
>
> > Call them all and use a meta || rule for the score, or call and score
> > them all then use a meta && rule to subtract some score back off, that's
> > what I'm doing here
> >
> > meta Z_OPEN_PROXY (X_OSIRU_OPEN_PROXY || X_OSIRU_OPEN_SOCKS || X_MONKEYS_OPEN_PROXY)
> > describe Z_OPEN_PROXY Host is an open proxy server
> > score Z_OPEN_PROXY 1.4
> >
> > Of course I could be totally wrong, but it works for me.
>
> That's a good idea. So in my case I'd do something like
>
> meta Z_DIALUPS (RCVD_IN_OSIRU_DUL || RCVD_IN_NJABL_DIALUP || RCVD_IN_MAPS_DUL || RCVD_IN_VISI_DIALUPS)
> describe Z_DIALUPS Host has a dynamically assigned IP
> score Z_DIALUPS 2
>
> So if any or all of them are hit, the only score any of them can score is
> 2, correct? Would this be something worth doing with blackholes.us
> rules? That's probably a bad example. SOCKS, proxy, formmail.cgi, and
> direct-to-mx are probably the best examples.

As far as I can tell, that's how it works. I tried it and it seems to work
that way for me. Everything I've done so far has been trial and error.
> I'm trying to learn more about the rule generation. I asked a while back
> but didn't get much in the way of responses. Tonight, while looking
> through my rules, I saw a number of things I need to change/fix. I need
> to actually organize my DNSBL rules. I didn't notice until tonight that
> I'm not actually re-querying the ORSS BL for the proxy check. I have it
> set up with check_rbl_sub. Now I actually see how that works! :) I need
> to find docs on how to create rules the right way before I seriously break
> something.

The only rules I've added so far have been 5 or 6 DNSBL rules and one to
catch my X-SpamTrap: header. I started laying out a list of DNSBL rules and
how they need to be organised and grouped for scoring but I haven't got
very far yet.

> > Yet again I could be totally wrong about this, but I think you're
> > wasting a lookup by querying proxies.relays.osirusoft.com, spamassassin
> > already did RCVD_IN_OSIRUSOFT_COM for you so all you need to do is
> > rbleval:check_rbl_results_for('osirusoft', '127.0.0.9')
> > I can't get to osirusoft website right now to check but istr something
> > like:-
> >
> > 127.0.0.2 = open relay
> > 127.0.0.3 = dialup
> > 127.0.0.4 = spam source
> > 127.0.0.5 = smart host
> > 127.0.0.6 = mirror of spamhaus.org/spamsites.org
> > 127.0.0.7 = non-confirm mailing lists
> > 127.0.0.8 = insecure formmail
> > 127.0.0.9 = open proxy
> >
> > as I said, I could be wrong, shouldn't be difficult to check when the
> > website comes back up.
>
> I was on it just a little while ago. Your list looks right. Smart host
> shouldn't be ready yet. It's going to be renamed to "outputs" when it's
> ready. IIRC it's a multihop list so no one should block with it. I'd
> score off it though. :)
>
> I wish Joe wouldn't put the SBL in 127.0.0.6 or with anything else. I'd
> like to reference it separately. I'm going to have to call it separately I
> guess.
SBL is a standard spamassassin test, the fact that it's also duplicated in
relays.osirusoft.com as 127.0.0.6 shouldn't make any difference as long as
you score osirusoft on the subs/results and not the check_rbl itself (score
the check_rbl at 0.01). Scoring on a meta || type rule between the two of
them should mean you get the score even if one or other is down, less
chance of DNSBL outages causing false negatives.

> While I have a human reading this thread, and one that knows more about
> rule creation than I do, I'm going to include the rules I created if you
> don't mind. (sorry for the ugly wrapping)

I don't know that much about rule creation, just the bits I've had to work
out for what I need to do, and a couple of things I found that I can't do.
Don't go mistaking me for an expert :)

> # Reenabled MAPS checks
> score RCVD_IN_RSS 1
> score RCVD_IN_DUL 1
>
>
> ############### BEGIN relays.orsirusoft.com ######################
> score RCVD_IN_OSIRU_PROXY 1
> header RCVD_IN_OSIRU_PROXY rbleval:check_rbl_sub('osirusoft', '127.0.0.9')
> describe RCVD_IN_OSIRU_PROXY DNSBL: Insecure Proxy
> tflags RCVD_IN_OSIRU_PROXY net
>
> score RCVD_IN_OSIRU_INSECURE_LIST 1
> header RCVD_IN_OSIRU_INSECURE_LIST rbleval:check_rbl_sub('osirusoft', '127.0.0.8')
> describe RCVD_IN_OSIRU_INSECURE_LIST DNSBL: Opts in without confirmation
> tflags RCVD_IN_OSIRU_INSECURE_LIST net
> ############### END relays.orsirusoft.com ######################
>
>
> ############### BEGIN blackholes.us ######################
> score RCVD_IN_BLKHO_ARGENTINA 1
> header RCVD_IN_BLKHO_ARGENTINA rbleval:check_rbl('blackholes.us-ar', 'argentina.blackholes.us.')
> describe RCVD_IN_BLKHO_ARGENTINA ccTLD: sender is in Argentina
> tflags RCVD_IN_BLKHO_ARGENTINA net
>
> score RCVD_IN_BLKHO_BRAZIL 1
> header RCVD_IN_BLKHO_BRAZIL rbleval:check_rbl('blackholes.us-br', 'brazil.blackholes.us.')
> describe RCVD_IN_BLKHO_BRAZIL ccTLD: sender is in Brazil
> tflags RCVD_IN_BLKHO_BRAZIL net
>
> score RCVD_IN_BLKHO_CHINA 1
> header RCVD_IN_BLKHO_CHINA rbleval:check_rbl('blackholes.us-ch', 'china.blackholes.us.')
> describe RCVD_IN_BLKHO_CHINA ccTLD: sender is in China
> tflags RCVD_IN_BLKHO_CHINA net
>
> score RCVD_IN_BLKHO_HONGKONG 1
> header RCVD_IN_BLKHO_HONGKONG rbleval:check_rbl('blackholes.us-hk', 'hongkong.blackholes.us.')
> describe RCVD_IN_BLKHO_HONGKONG ccTLD: sender is in Hong Kong
> tflags RCVD_IN_BLKHO_HONGKONG net
>
> score RCVD_IN_BLKHO_JAPAN 1
> header RCVD_IN_BLKHO_JAPAN rbleval:check_rbl('blackholes.us-jp', 'japan.blackholes.us.')
> describe RCVD_IN_BLKHO_JAPAN ccTLD: sender is in Japan
> tflags RCVD_IN_BLKHO_JAPAN net
>
> score RCVD_IN_BLKHO_KOREA 1
> header RCVD_IN_BLKHO_KOREA rbleval:check_rbl('blackholes.us-kr', 'korea.blackholes.us.')
> describe RCVD_IN_BLKHO_KOREA ccTLD: sender is in Korea
> tflags RCVD_IN_BLKHO_KOREA net
>
> score RCVD_IN_BLKHO_MALAYSIA 1
> header RCVD_IN_BLKHO_MALAYSIA rbleval:check_rbl('blackholes.us-my', 'malaysia.blackholes.us.')
> describe RCVD_IN_BLKHO_MALAYSIA ccTLD: sender is in Malaysia
> tflags RCVD_IN_BLKHO_MALAYSIA net
>
> score RCVD_IN_BLKHO_NIGERIA 1
> header RCVD_IN_BLKHO_NIGERIA rbleval:check_rbl('blackholes.us-ng', 'nigeria.blackholes.us.')
> describe RCVD_IN_BLKHO_NIGERIA ccTLD: sender is in Nigeria
> tflags RCVD_IN_BLKHO_NIGERIA net
>
> score RCVD_IN_BLKHO_RUSSIA 1
> header RCVD_IN_BLKHO_RUSSIA rbleval:check_rbl('blackholes.us-ru', 'russia.blackholes.us.')
> describe RCVD_IN_BLKHO_RUSSIA ccTLD: sender is in Russia
> tflags RCVD_IN_BLKHO_RUSSIA net
>
> score RCVD_IN_BLKHO_SINGAPORE 1
> header RCVD_IN_BLKHO_SINGAPORE rbleval:check_rbl('blackholes.us-sg', 'singapore.blackholes.us.')
> describe RCVD_IN_BLKHO_SINGAPORE ccTLD: sender is in Singapore
> tflags RCVD_IN_BLKHO_SINGAPORE net
>
> score RCVD_IN_BLKHO_TAIWAN 1
> header RCVD_IN_BLKHO_TAIWAN rbleval:check_rbl('blackholes.us-tw', 'taiwan.blackholes.us.')
> describe RCVD_IN_BLKHO_TAIWAN ccTLD: sender is in Taiwan
> tflags RCVD_IN_BLKHO_TAIWAN net
>
> score RCVD_IN_BLKHO_THAILAND 1
> header RCVD_IN_BLKHO_THAILAND rbleval:check_rbl('blackholes.us-th', 'thailand.blackholes.us.')
> describe RCVD_IN_BLKHO_THAILAND ccTLD: sender is in Thailand
> tflags RCVD_IN_BLKHO_THAILAND net
>
> score RCVD_IN_BLKHO_TURKEY 1
> header RCVD_IN_BLKHO_TURKEY rbleval:check_rbl('blackholes.us-tr', 'turkey.blackholes.us.')
> describe RCVD_IN_BLKHO_TURKEY ccTLD: sender is in Turkey
> tflags RCVD_IN_BLKHO_TURKEY net
> ############### END blackholes.us ######################
>
>
> ############### BEGIN SORBS ######################
> score RCVD_IN_SORBS 1
> header RCVD_IN_SORBS rbleval:check_rbl('sorbs', 'dnsbl.sorbs.net.')
> describe RCVD_IN_SORBS SORBS: sender is listed in SORBS
> tflags RCVD_IN_SORBS net
>
> score RCVD_IN_SORBS_HTTP 1
> header RCVD_IN_SORBS_HTTP rbleval:check_rbl('sorbs-http', 'http.dnsbl.sorbs.net.')
> describe RCVD_IN_SORBS_HTTP SORBS: Open HTTP Proxy
> tflags RCVD_IN_SORBS_HTTP net
>
> score RCVD_IN_SORBS_SOCKS 1
> header RCVD_IN_SORBS_SOCKS rbleval:check_rbl('sorbs-socks', 'socks.dnsbl.sorbs.net.')
> describe RCVD_IN_SORBS_SOCKS SORBS: Open SOCKS Proxy
> tflags RCVD_IN_SORBS_SOCKS net
>
> score RCVD_IN_SORBS_MISC 1
> header RCVD_IN_SORBS_MISC rbleval:check_rbl('sorbs-misc', 'misc.dnsbl.sorbs.net.')
> describe RCVD_IN_SORBS_MISC SORBS: Miscellaneous Open Proxy
> tflags RCVD_IN_SORBS_MISC net
>
> score RCVD_IN_SORBS_SMTP 1
> header RCVD_IN_SORBS_SMTP rbleval:check_rbl('sorbs-smtp', 'smtp.dnsbl.sorbs.net.')
> describe RCVD_IN_SORBS_SMTP SORBS: Open SMTP Relay
> tflags RCVD_IN_SORBS_SMTP net
>
> score RCVD_IN_SORBS_WEB 1
> header RCVD_IN_SORBS_WEB rbleval:check_rbl('sorbs-web', 'web.dnsbl.sorbs.net.')
> describe RCVD_IN_SORBS_WEB SORBS: Vulnerable WWW server (formmail.cgi, Code Red, Nimda)
> tflags RCVD_IN_SORBS_WEB net
>
> score RCVD_IN_SORBS_SPAM 1
> header RCVD_IN_SORBS_SPAM rbleval:check_rbl('sorbs-spam', 'spam.dnsbl.sorbs.net.')
> describe RCVD_IN_SORBS_SPAM SORBS: Spam Source/Support
> tflags RCVD_IN_SORBS_SPAM net
>
> score RCVD_IN_SORBS_ZOMBIE 1
> header RCVD_IN_SORBS_ZOMBIE rbleval:check_rbl('sorbs-zombie', 'zombie.dnsbl.sorbs.net.')
> describe RCVD_IN_SORBS_ZOMBIE SORBS: Hijacked netblock
> tflags RCVD_IN_SORBS_ZOMBIE net
> ############### END SORBS ######################
>
>
> score RCVD_IN_MONKEYS_PROXIES 1
> header RCVD_IN_MONKEYS_PROXIES rbleval:check_rbl('monkeys-proxies', 'proxies.relays.monkeys.com.')
> describe RCVD_IN_MONKEYS_PROXIES MONKEYS: Unsecured Proxy
> tflags RCVD_IN_MONKEYS_PROXIES net
>
> #dynablock.easynet.nl
> #blackholes.easynet.nl
> #proxies.blackholes.easynet.nl
> ############### BEGIN EASYNET ######################
> # Formerly Wirehub
> score RCVD_IN_EASYNET 1
> header RCVD_IN_EASYNET rbleval:check_rbl('easynet', 'blackholes.easynet.nl.')
> describe RCVD_IN_EASYNET EASYNET: Listed at Easynet.nl
> tflags RCVD_IN_EASYNET net
>
> score RCVD_IN_EASYNET_PROXIES 1
> header RCVD_IN_EASYNET_PROXIES rbleval:check_rbl('easynet-proxies', 'proxies.blackholes.easynet.nl.')
> describe RCVD_IN_EASYNET_PROXIES EASYNET: Unsecured Proxy
> tflags RCVD_IN_EASYNET_PROXIES net
>
> score RCVD_IN_EASYNET_DYNABLOCK 1
> header RCVD_IN_EASYNET_DYNABLOCK rbleval:check_rbl('easynet-dynablock', 'dynablock.blackholes.easynet.nl.')
> describe RCVD_IN_EASYNET_DYNABLOCK EASYNET: sender has a dynamically assigned IP
> tflags RCVD_IN_EASYNET_DYNABLOCK net
> ############### END EASYNET ######################
>
>
> ############### BEGIN MISC CHECKS ######################
> score RCVD_IN_DSBL_MULTIHOP 1
> header RCVD_IN_DSBL_MULTIHOP rbleval:check_rbl_txt('dsbl', 'multihop.dsbl.org.')
> describe RCVD_IN_DSBL_MULTIHOP DSBL: received via a relay in multihop.dsbl.org
> tflags RCVD_IN_DSBL_MULTIHOP net
>
> score RCVD_IN_VISI_DIALUPS 1
> header RCVD_IN_VISI_DIALUPS rbleval:check_rbl('visi-dialups', 'dialups.visi.com.')
> describe RCVD_IN_VISI_DIALUPS DNSBL: sender has a dynamically assigned IP
> tflags RCVD_IN_VISI_DIALUPS net
>
>
> Do you see any glaring mistakes in all of that? (we are DUL and RSS
> customers) I can send it as an attachment if desired.

I don't see any mistakes other than a spelling mistake in a comment line
where it doesn't matter, but at 5 AM I struggle to even see the monitor.
The best thing to do is add it a rule or two at a time and test it. Fake
up some mail that should cause a hit and see if it does, test beats
guessed every time :)

> I don't know if I used the correct rbleval options or not. I see a number
> of rules in 20_dnsbl that look like
>
> check_rbl('osirusoft-notfirsthop'
>
> Is "-notfirsthop" some sort of code that SA looks for that I can use or
> dialups.visi.com for example? Is any of this documented anywhere? I
> can't find any mention of this.

I remember seeing in some docs somewhere that -firsthop is magic, I don't
know about -notfirsthop, it might be time for me to spend a day or two
reading the source code so I know what it's all doing :)

> Thanks
> Justin

Hope that helps,
Dave (asleep at the keyboard again)

_______________________________________________
Spamassassin-talk mailing list
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
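To make the scoring point in this thread concrete, here is an added Python example of my own, not code from the thread or from SpamAssassin: it decodes the 127.0.0.N answers of a single relays.osirusoft.com lookup into sub-rule hits the way check_rbl_sub reuses one query, then compares per-rule scoring with the meta || scoring Dave describes. Rule and meta names are the thread's; the DNS answers are constructed, and exact-match decoding of each answer is an assumption.

```python
"""Added example, not code from the thread: map the 127.0.0.N answers of
one relays.osirusoft.com lookup to check_rbl_sub-style sub-rules, then
compare per-rule scoring with meta (A || B || C) scoring."""

# Return codes as listed in the thread (127.0.0.N -> meaning).
OSIRUSOFT_CODES = {
    2: "open relay", 3: "dialup", 4: "spam source", 5: "smart host",
    6: "mirror of spamhaus.org/spamsites.org",
    7: "non-confirm mailing lists", 8: "insecure formmail", 9: "open proxy",
}

# Which 127.0.0.N code each check_rbl_sub('osirusoft', ...) rule fires on.
# Names are the thread's; exact-match decoding is an assumption here.
SUB_RULES = {
    "RCVD_IN_OSIRU_DUL": 3,
    "RCVD_IN_OSIRU_INSECURE_LIST": 8,
    "RCVD_IN_OSIRU_PROXY": 9,
}

# Meta rules from the thread: name -> (OR-ed member rules, score).
META_RULES = {
    "Z_OPEN_PROXY": ({"RCVD_IN_OSIRU_PROXY", "X_OSIRU_OPEN_SOCKS",
                      "X_MONKEYS_OPEN_PROXY"}, 1.4),
    "Z_DIALUPS": ({"RCVD_IN_OSIRU_DUL", "RCVD_IN_NJABL_DIALUP",
                   "RCVD_IN_MAPS_DUL", "RCVD_IN_VISI_DIALUPS"}, 2.0),
}

def decode_osirusoft(answers):
    """Return the sub-rules hit for the A records one lookup returned,
    e.g. ['127.0.0.3', '127.0.0.9'] (constructed). Answers that are not
    a known 127.0.0.N code are ignored rather than scored."""
    hits = set()
    for answer in answers:
        octets = answer.split(".")
        if len(octets) != 4 or octets[:3] != ["127", "0", "0"]:
            continue
        if not octets[3].isdigit() or int(octets[3]) not in OSIRUSOFT_CODES:
            continue
        code = int(octets[3])
        hits.update(r for r, c in SUB_RULES.items() if c == code)
    return hits

def score(hits, per_rule=1.0):
    """Return (per-rule total, meta total) for a set of hit rule names.
    Per-rule scoring adds per_rule for every hit; meta scoring adds a meta
    rule's score once if any member fired (three dialup lists add 2.0, not 3.0)."""
    per_rule_total = per_rule * len(hits)
    meta_total = sum(s for members, s in META_RULES.values() if members & hits)
    return per_rule_total, meta_total
```

Feeding it the hits from several dialup lists at once shows why the meta rule is the one to score: the per-rule total climbs with every list that agrees, while the meta total stays at the single score you chose.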