On Mon, 2003-06-02 at 03:25, Justin Shore wrote:
> Howdy, Dave.  Thanks for the reply.
> 
> On 2 Jun 2003, Yorkshire Dave wrote:
> 
> > Call them all and use a meta || rule for the score, or call and score
> > them all then use a meta && rule to subtract some score back off, that's
> > what I'm doing here
> > 
> > meta Z_OPEN_PROXY (X_OSIRU_OPEN_PROXY || X_OSIRU_OPEN_SOCKS ||
> > X_MONKEYS_OPEN_PROXY)
> > describe Z_OPEN_PROXY Host is an open proxy server
> > score Z_OPEN_PROXY 1.4
> > 
> > Of course I could be totally wrong, but it works for me.
> 
> That's a good idea.  So in my case I'd do something like
> 
> meta Z_DIALUPS (RCVD_IN_OSIRU_DUL || RCVD_IN_NJABL_DIALUP || RCVD_IN_MAPS_DUL || RCVD_IN_VISI_DIALUPS)
> describe Z_DIALUPS Host has a dynamically assigned IP
> score Z_DIALUPS 2
> 
> So if any or all of them are hit, the only score any of them can score is 
> 2, correct?  Would this be something worth doing with blackholes.us 
> rules?  That's probably a bad example.  SOCKS, proxy, formmail.cgi, and 
> direct-to-mx are probably the best examples.
> 
As far as I can tell, that's how it works. I tried it and it seems to
work that way for me. Everything I've done so far has been trial and
error.

> I'm trying to learn more about the rule generation.  I asked a while back
> but didn't get much in the way of responses.  Tonight, while looking
> through my rules, I saw a number of things I need to change/fix.  I need
> to actually organize my DNSBL rules.  I didn't notice until tonight that
> I'm not actually re-querying the ORSS BL for the proxy check.  I have it
> set up with check_rbl_sub.  Now I actually see how that works! :)  I need
> to find docs on how to create rules the right way before I seriously break
> something.

The only rules I've added so far have been 5 or 6 DNSBL rules and one to
catch my X-SpamTrap: header. I started laying out a list of DNSBL rules
and how they need to be organised and grouped for scoring but I haven't
got very far yet.
> 
> > Yet again I could be totally wrong about this, but I think you're
> > wasting a lookup by querying proxies.relays.osirusoft.com, spamassassin
> > already did RCVD_IN_OSIRUSOFT_COM for you so all you need to do is 
> > rbleval:check_rbl_results_for('osirusoft', '127.0.0.9')
> > I can't get to osirusoft website right now to check but istr something
> > like:- 
> > 
> > 127.0.0.2 = open relay
> > 127.0.0.3 = dialup
> > 127.0.0.4 = spam source
> > 127.0.0.5 = smart host
> > 127.0.0.6 = mirror of spamhaus.org/spamsites.org
> > 127.0.0.7 = non-confirm mailing lists
> > 127.0.0.8 = insecure formmail
> > 127.0.0.9 = open proxy
> > 
> > as I said, I could be wrong, shouldn't be difficult to check when the
> > website comes back up.
> 
> I was on it just a little while ago.  Your list looks right.  Smart host 
> shouldn't be ready yet.  It's going to be renamed to "outputs" when it's 
> ready.  IIRC it's a multihop list so no one should block with it.  I'd 
> score off it though. :)
> 
> I wish Joe wouldn't put the SBL in 127.0.0.6 or with anything else.  I'd 
> like to reference it separately.  I'm going to have to call it separately I 
> guess.

SBL is a standard spamassassin test, the fact that it's also duplicated
in relays.osirusoft.com as 127.0.0.6 shouldn't make any difference as
long as you score osirusoft on the subs/results and not the check_rbl
itself (score the check_rbl at 0.01). Scoring on a meta || type rule
between the two of them should mean you get the score even if one or
other is down, less chance of DNSBL outages causing false negatives.
> 
> While I have a human reading this thread, and one that knows more about 
> rule creation than I do, I'm going to include the rules I created if you 
> don't mind.  (sorry for the ugly wrapping)
> 
I don't know that much about rule creation, just the bits I've had to
work out for what I need to do, and a couple of things I found that I
can't do. Don't go mistaking me for an expert :)
> 
> # Reenabled MAPS checks
> score RCVD_IN_RSS       1
> score RCVD_IN_DUL       1
> 
> 
> ############### BEGIN  relays.orsirusoft.com ######################
> score RCVD_IN_OSIRU_PROXY               1
> header RCVD_IN_OSIRU_PROXY              rbleval:check_rbl_sub('osirusoft', '127.0.0.9')
> describe RCVD_IN_OSIRU_PROXY            DNSBL: Insecure Proxy
> tflags RCVD_IN_OSIRU_PROXY              net
> 
> score RCVD_IN_OSIRU_INSECURE_LIST       1
> header RCVD_IN_OSIRU_INSECURE_LIST      rbleval:check_rbl_sub('osirusoft', '127.0.0.8')
> describe RCVD_IN_OSIRU_INSECURE_LIST    DNSBL: Opts in without confirmation
> tflags RCVD_IN_OSIRU_INSECURE_LIST      net
> ############### END  relays.orsirusoft.com ######################
> 
> 
> ############### BEGIN  blackholes.us ######################
> score RCVD_IN_BLKHO_ARGENTINA           1
> header RCVD_IN_BLKHO_ARGENTINA          rbleval:check_rbl('blackholes.us-ar', 'argentina.blackholes.us.')
> describe RCVD_IN_BLKHO_ARGENTINA        ccTLD: sender is in Argentina
> tflags RCVD_IN_BLKHO_ARGENTINA          net
> 
> score RCVD_IN_BLKHO_BRAZIL              1
> header RCVD_IN_BLKHO_BRAZIL             rbleval:check_rbl('blackholes.us-br', 'brazil.blackholes.us.')
> describe RCVD_IN_BLKHO_BRAZIL           ccTLD: sender is in Brazil
> tflags RCVD_IN_BLKHO_BRAZIL             net
> 
> score RCVD_IN_BLKHO_CHINA               1
> header RCVD_IN_BLKHO_CHINA              rbleval:check_rbl('blackholes.us-ch', 'china.blackholes.us.')
> describe RCVD_IN_BLKHO_CHINA            ccTLD: sender is in China
> tflags RCVD_IN_BLKHO_CHINA              net
> 
> score RCVD_IN_BLKHO_HONGKONG            1
> header RCVD_IN_BLKHO_HONGKONG           rbleval:check_rbl('blackholes.us-hk', 'hongkong.blackholes.us.')
> describe RCVD_IN_BLKHO_HONGKONG         ccTLD: sender is in Hong Kong
> tflags RCVD_IN_BLKHO_HONGKONG           net
> 
> score RCVD_IN_BLKHO_JAPAN               1
> header RCVD_IN_BLKHO_JAPAN              rbleval:check_rbl('blackholes.us-jp', 'japan.blackholes.us.')
> describe RCVD_IN_BLKHO_JAPAN            ccTLD: sender is in Japan
> tflags RCVD_IN_BLKHO_JAPAN              net
> 
> score RCVD_IN_BLKHO_KOREA               1
> header RCVD_IN_BLKHO_KOREA              rbleval:check_rbl('blackholes.us-kr', 'korea.blackholes.us.')
> describe RCVD_IN_BLKHO_KOREA            ccTLD: sender is in Korea
> tflags RCVD_IN_BLKHO_KOREA              net
> 
> score RCVD_IN_BLKHO_MALAYSIA            1
> header RCVD_IN_BLKHO_MALAYSIA           rbleval:check_rbl('blackholes.us-my', 'malaysia.blackholes.us.')
> describe RCVD_IN_BLKHO_MALAYSIA         ccTLD: sender is in Malaysia
> tflags RCVD_IN_BLKHO_MALAYSIA           net
> 
> score RCVD_IN_BLKHO_NIGERIA             1
> header RCVD_IN_BLKHO_NIGERIA            rbleval:check_rbl('blackholes.us-ng', 'nigeria.blackholes.us.')
> describe RCVD_IN_BLKHO_NIGERIA          ccTLD: sender is in Nigeria
> tflags RCVD_IN_BLKHO_NIGERIA            net
> 
> score RCVD_IN_BLKHO_RUSSIA              1
> header RCVD_IN_BLKHO_RUSSIA             rbleval:check_rbl('blackholes.us-ru', 'russia.blackholes.us.')
> describe RCVD_IN_BLKHO_RUSSIA           ccTLD: sender is in Russia
> tflags RCVD_IN_BLKHO_RUSSIA             net
> 
> score RCVD_IN_BLKHO_SINGAPORE           1
> header RCVD_IN_BLKHO_SINGAPORE          rbleval:check_rbl('blackholes.us-sg', 'singapore.blackholes.us.')
> describe RCVD_IN_BLKHO_SINGAPORE        ccTLD: sender is in Singapore
> tflags RCVD_IN_BLKHO_SINGAPORE          net
> 
> score RCVD_IN_BLKHO_TAIWAN              1
> header RCVD_IN_BLKHO_TAIWAN             rbleval:check_rbl('blackholes.us-tw', 'taiwan.blackholes.us.')
> describe RCVD_IN_BLKHO_TAIWAN           ccTLD: sender is in Taiwan
> tflags RCVD_IN_BLKHO_TAIWAN             net
> 
> score RCVD_IN_BLKHO_THAILAND            1
> header RCVD_IN_BLKHO_THAILAND           rbleval:check_rbl('blackholes.us-th', 'thailand.blackholes.us.')
> describe RCVD_IN_BLKHO_THAILAND         ccTLD: sender is in Thailand
> tflags RCVD_IN_BLKHO_THAILAND           net
> 
> score RCVD_IN_BLKHO_TURKEY              1
> header RCVD_IN_BLKHO_TURKEY             rbleval:check_rbl('blackholes.us-tr', 'turkey.blackholes.us.')
> describe RCVD_IN_BLKHO_TURKEY           ccTLD: sender is in Turkey
> tflags RCVD_IN_BLKHO_TURKEY             net
> ############### END  blackholes.us ######################
> 
> 
> ############### BEGIN  SORBS ######################
> score RCVD_IN_SORBS                     1
> header RCVD_IN_SORBS                    rbleval:check_rbl('sorbs', 'dnsbl.sorbs.net.')
> describe RCVD_IN_SORBS                  SORBS: sender is listed in SORBS
> tflags RCVD_IN_SORBS                    net
> 
> score RCVD_IN_SORBS_HTTP                1
> header RCVD_IN_SORBS_HTTP               rbleval:check_rbl('sorbs-http', 'http.dnsbl.sorbs.net.')
> describe RCVD_IN_SORBS_HTTP             SORBS: Open HTTP Proxy
> tflags RCVD_IN_SORBS_HTTP               net
> 
> score RCVD_IN_SORBS_SOCKS               1
> header RCVD_IN_SORBS_SOCKS              rbleval:check_rbl('sorbs-socks', 'socks.dnsbl.sorbs.net.')
> describe RCVD_IN_SORBS_SOCKS            SORBS: Open SOCKS Proxy
> tflags RCVD_IN_SORBS_SOCKS              net
> 
> score RCVD_IN_SORBS_MISC                1
> header RCVD_IN_SORBS_MISC               rbleval:check_rbl('sorbs-misc', 'misc.dnsbl.sorbs.net.')
> describe RCVD_IN_SORBS_MISC             SORBS: Miscellaneous Open Proxy
> tflags RCVD_IN_SORBS_MISC               net
> 
> score RCVD_IN_SORBS_SMTP                1
> header RCVD_IN_SORBS_SMTP               rbleval:check_rbl('sorbs-smtp', 'smtp.dnsbl.sorbs.net.')
> describe RCVD_IN_SORBS_SMTP             SORBS: Open SMTP Relay
> tflags RCVD_IN_SORBS_SMTP               net
> 
> score RCVD_IN_SORBS_WEB                 1
> header RCVD_IN_SORBS_WEB                rbleval:check_rbl('sorbs-web', 'web.dnsbl.sorbs.net.')
> describe RCVD_IN_SORBS_WEB              SORBS: Vulnerable WWW server (formmail.cgi, Code Red, Nimda)
> tflags RCVD_IN_SORBS_WEB                net
> 
> score RCVD_IN_SORBS_SPAM                1
> header RCVD_IN_SORBS_SPAM               rbleval:check_rbl('sorbs-spam', 'spam.dnsbl.sorbs.net.')
> describe RCVD_IN_SORBS_SPAM             SORBS: Spam Source/Support
> tflags RCVD_IN_SORBS_SPAM               net
> 
> score RCVD_IN_SORBS_ZOMBIE              1
> header RCVD_IN_SORBS_ZOMBIE             rbleval:check_rbl('sorbs-zombie', 'zombie.dnsbl.sorbs.net.')
> describe RCVD_IN_SORBS_ZOMBIE           SORBS: Hijacked netblock
> tflags RCVD_IN_SORBS_ZOMBIE             net
> ############### END  SORBS ######################
> 
> 
> score RCVD_IN_MONKEYS_PROXIES           1
> header RCVD_IN_MONKEYS_PROXIES          rbleval:check_rbl('monkeys-proxies', 'proxies.relays.monkeys.com.')
> describe RCVD_IN_MONKEYS_PROXIES        MONKEYS: Unsecured Proxy
> tflags RCVD_IN_MONKEYS_PROXIES          net
> 
> #dynablock.easynet.nl
> #blackholes.easynet.nl
> #proxies.blackholes.easynet.nl
> ############### BEGIN  EASYNET ######################
> #  Formerly Wirehub
> score RCVD_IN_EASYNET                   1
> header RCVD_IN_EASYNET                  rbleval:check_rbl('easynet', 'blackholes.easynet.nl.')
> describe RCVD_IN_EASYNET                EASYNET: Listed at Easynet.nl
> tflags RCVD_IN_EASYNET                  net
> 
> score RCVD_IN_EASYNET_PROXIES           1
> header RCVD_IN_EASYNET_PROXIES          rbleval:check_rbl('easynet-proxies', 'proxies.blackholes.easynet.nl.')
> describe RCVD_IN_EASYNET_PROXIES        EASYNET: Unsecured Proxy
> tflags RCVD_IN_EASYNET_PROXIES          net
> 
> score RCVD_IN_EASYNET_DYNABLOCK         1
> header RCVD_IN_EASYNET_DYNABLOCK        rbleval:check_rbl('easynet-dynablock', 'dynablock.blackholes.easynet.nl.')
> describe RCVD_IN_EASYNET_DYNABLOCK      EASYNET: sender has a dynamically assigned IP
> tflags RCVD_IN_EASYNET_DYNABLOCK        net
> ############### END  EASYNET ######################
> 
> 
> ############### BEGIN MISC CHECKS ######################
> score RCVD_IN_DSBL_MULTIHOP             1
> header RCVD_IN_DSBL_MULTIHOP            rbleval:check_rbl_txt('dsbl', 'multihop.dsbl.org.')
> describe RCVD_IN_DSBL_MULTIHOP          DSBL: received via a relay in multihop.dsbl.org
> tflags RCVD_IN_DSBL_MULTIHOP            net
> 
> score RCVD_IN_VISI_DIALUPS              1
> header RCVD_IN_VISI_DIALUPS             rbleval:check_rbl('visi-dialups', 'dialups.visi.com.')
> describe RCVD_IN_VISI_DIALUPS           DNSBL: sender has a dynamically assigned IP
> tflags RCVD_IN_VISI_DIALUPS             net
> 
> 
> Do you see any glaring mistakes in all of that?  (we are DUL and RSS
> customers)  I can send it as an attachment if desired.  

I don't see any mistakes other than a spelling mistake in a comment line
where it doesn't matter, but at 5 AM I struggle to even see the monitor.
The best thing to do is add it a rule or two at a time and test it. Fake
up some mail that should cause a hit and see if it does; testing beats
guessing every time :)

> I don't know if I
> used the correct rbleval options or not.  I see a number of rules in
> 20_dnsbl that look like
> 
> check_rbl('osirusoft-notfirsthop'
> 
> Is "-notfirsthop" some sort of code that SA looks for that I can use or
> dialups.visi.com for example?  Is any of this documented anywhere?  I
> can't find any mention of this.
> 

I remember seeing in some docs somewhere that -firsthop is magic, I
don't know about -notfirsthop, it might be time for me to spend a day or
two reading the source code so I know what it's all doing :)

> Thanks
>  Justin

Hope that helps,

Dave (asleep at the keyboard again)
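As an added illustration (not code from this thread or from SpamAssassin itself), a small Python model of the scoring pattern discussed above: check_rbl scored at 0.01, check_rbl_sub reusing the return codes from that first answer instead of querying again, and a meta || rule carrying the real score, so that a group of lists adds that score once however many of them hit and still fires when one of them is down. The rule names, return codes and lookup answers are constructed for the example.

```python
import ast
# Constructed answers keyed by check_rbl set name; None models a list that is down.
LOOKUPS = {
    "osirusoft": {"127.0.0.6", "127.0.0.9"},  # SBL-mirror and open-proxy codes
    "spamhaus": None,                         # direct SBL lookup got no answer
    "visi-dialups": {"127.0.0.2"},
    "njabl-dialup": {"127.0.0.3"},
}
# (name, test, score): "rbl" mirrors check_rbl (hit if the set answered, scored
# 0.01), "rbl_sub" mirrors check_rbl_sub (hit if that return code is in the
# set's answer, no second query), and the "meta" rules carry the real score.
RULES = [
    ("RCVD_IN_OSIRUSOFT_COM", ("rbl", "osirusoft"), 0.01),
    ("RCVD_IN_SBL", ("rbl", "spamhaus"), 0.01),
    ("X_OSIRU_SBL_MIRROR", ("rbl_sub", "osirusoft", "127.0.0.6"), 0.01),
    ("X_OSIRU_OPEN_PROXY", ("rbl_sub", "osirusoft", "127.0.0.9"), 0.01),
    ("RCVD_IN_VISI_DIALUPS", ("rbl", "visi-dialups"), 0.01),
    ("RCVD_IN_NJABL_DIALUP", ("rbl", "njabl-dialup"), 0.01),
    ("Z_SBL", ("meta", "RCVD_IN_SBL || X_OSIRU_SBL_MIRROR"), 3.0),
    ("Z_DIALUPS", ("meta", "(RCVD_IN_VISI_DIALUPS || RCVD_IN_NJABL_DIALUP)"), 2.0),
]

def meta_true(expr, hits):
    """Evaluate a meta expression (||, &&, !, parens) over the set of hit names."""
    py = expr.replace("||", " or ").replace("&&", " and ").replace("!", " not ")
    def walk(n):  # accept only boolean operators and rule names, nothing else
        if isinstance(n, ast.BoolOp):
            vals = [walk(v) for v in n.values]
            return all(vals) if isinstance(n.op, ast.And) else any(vals)
        if isinstance(n, ast.UnaryOp) and isinstance(n.op, ast.Not):
            return not walk(n.operand)
        if isinstance(n, ast.Name):
            return n.id in hits
        raise ValueError("unsupported construct in meta rule: %r" % expr)
    return walk(ast.parse(py, mode="eval").body)

def score_message(lookups, rules=RULES):
    """Return (rules that hit, total score); plain rules run before metas."""
    hits, total = set(), 0.0
    for name, test, score in sorted(rules, key=lambda r: r[1][0] == "meta"):
        if test[0] == "rbl":
            fired = bool(lookups.get(test[1]))
        elif test[0] == "rbl_sub":
            fired = test[2] in (lookups.get(test[1]) or set())
        else:
            fired = meta_true(test[1], hits)
        if fired:
            hits.add(name)
            total += score
    return hits, round(total, 2)
```

With the constructed answers, the direct SBL lookup is down but Z_SBL still fires through the osirusoft mirror code, and the two dialup hits add 2.0 once rather than twice.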


_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
