On Mon, 2003-06-02 at 03:25, Justin Shore wrote:
> Howdy, Dave. Thanks for the reply.
>
> On 2 Jun 2003, Yorkshire Dave wrote:
>
> > Call them all and use a meta || rule for the score, or call and score
> > them all then use a meta && rule to subtract some score back off, that's
> > what I'm doing here
> >
> > meta Z_OPEN_PROXY (X_OSIRU_OPEN_PROXY || X_OSIRU_OPEN_SOCKS || X_MONKEYS_OPEN_PROXY)
> > describe Z_OPEN_PROXY Host is an open proxy server
> > score Z_OPEN_PROXY 1.4
> >
> > Of course I could be totally wrong, but it works for me.
>
> That's a good idea. So in my case I'd do something like
>
> meta Z_DIALUPS (RCVD_IN_OSIRU_DUL || RCVD_IN_NJABL_DIALUP || RCVD_IN_MAPS_DUL || RCVD_IN_VISI_DIALUPS)
> describe Z_DIALUPS Host has a dynamically assigned IP
> score Z_DIALUPS 2
>
> So if any or all of them are hit, the only score any of them can score is
> 2, correct? Would this be something worth doing with blackholes.us
> rules? That's probably a bad example. SOCKS, proxy, formmail.cgi, and
> direct-to-mx are probably the best examples.
>
As far as I can tell, that's how it works. I tried it and it seems to
work that way for me. Everything I've done so far has been trial and
error.
> I'm trying to learn more about the rule generation. I asked a while back
> but didn't get much in the way of responses. Tonight, while looking
> through my rules, I saw a number of things I need to change/fix. I need
> to actually organize my DNSBL rules. I didn't notice until tonight that
> I'm not actually re-querying the ORSS BL for the proxy check. I have it
> set up with check_rbl_sub. Now I actually see how that works! :) I need
> to find docs on how to create rules the right way before I seriously break
> something.
The only rules I've added so far have been 5 or 6 DNSBL rules and one to
catch my X-SpamTrap: header. I started laying out a list of DNSBL rules
and how they need to be organised and grouped for scoring but I haven't
got very far yet.
>
> > Yet again I could be totally wrong about this, but I think you're
> > wasting a lookup by querying proxies.relays.osirusoft.com, spamassassin
> > already did RCVD_IN_OSIRUSOFT_COM for you so all you need to do is
> > rbleval:check_rbl_results_for('osirusoft', '127.0.0.9')
> > I can't get to osirusoft website right now to check but istr something
> > like:-
> >
> > 127.0.0.2 = open relay
> > 127.0.0.3 = dialup
> > 127.0.0.4 = spam source
> > 127.0.0.5 = smart host
> > 127.0.0.6 = mirror of spamhaus.org/spamsites.org
> > 127.0.0.7 = non-confirm mailing lists
> > 127.0.0.8 = insecure formmail
> > 127.0.0.9 = open proxy
> >
> > as I said, I could be wrong, shouldn't be difficult to check when the
> > website comes back up.
>
> I was on it just a little while ago. Your list looks right. Smart host
> shouldn't be ready yet. It's going to be renamed to "outputs" when it's
> ready. IIRC it's a multihop list so no one should block with it. I'd
> score off it though. :)
>
> I wish Joe wouldn't put the SBL in 127.0.0.6 or with anything else. I'd
> like to reference it separately. I'm going to have to call it separately I
> guess.
SBL is a standard spamassassin test, the fact that it's also duplicated
in relays.osirusoft.com as 127.0.0.6 shouldn't make any difference as
long as you score osirusoft on the subs/results and not the check_rbl
itself (score the check_rbl at 0.01). Scoring on a meta || type rule
between the two of them should mean you get the score even if one or
other is down, less chance of DNSBL outages causing false negatives.
>
> While I have a human reading this thread, and one that knows more about
> rule creation than I do, I'm going to include the rules I created if you
> don't mind. (sorry for the ugly wrapping)
>
I don't know that much about rule creation, just the bits I've had to
work out for what I need to do, and a couple of things I found that I
can't do. Don't go mistaking me for an expert :)
>
> # Reenabled MAPS checks
> score RCVD_IN_RSS 1
> score RCVD_IN_DUL 1
>
>
> ############### BEGIN relays.orsirusoft.com ######################
> score RCVD_IN_OSIRU_PROXY 1
> header RCVD_IN_OSIRU_PROXY rbleval:check_rbl_sub('osirusoft', '127.0.0.9')
> describe RCVD_IN_OSIRU_PROXY DNSBL: Insecure Proxy
> tflags RCVD_IN_OSIRU_PROXY net
>
> score RCVD_IN_OSIRU_INSECURE_LIST 1
> header RCVD_IN_OSIRU_INSECURE_LIST rbleval:check_rbl_sub('osirusoft', '127.0.0.8')
> describe RCVD_IN_OSIRU_INSECURE_LIST DNSBL: Opts in without confirmation
> tflags RCVD_IN_OSIRU_INSECURE_LIST net
> ############### END relays.orsirusoft.com ######################
>
>
> ############### BEGIN blackholes.us ######################
> score RCVD_IN_BLKHO_ARGENTINA 1
> header RCVD_IN_BLKHO_ARGENTINA rbleval:check_rbl('blackholes.us-ar', 'argentina.blackholes.us.')
> describe RCVD_IN_BLKHO_ARGENTINA ccTLD: sender is in Argentina
> tflags RCVD_IN_BLKHO_ARGENTINA net
>
> score RCVD_IN_BLKHO_BRAZIL 1
> header RCVD_IN_BLKHO_BRAZIL rbleval:check_rbl('blackholes.us-br', 'brazil.blackholes.us.')
> describe RCVD_IN_BLKHO_BRAZIL ccTLD: sender is in Brazil
> tflags RCVD_IN_BLKHO_BRAZIL net
>
> score RCVD_IN_BLKHO_CHINA 1
> header RCVD_IN_BLKHO_CHINA rbleval:check_rbl('blackholes.us-ch', 'china.blackholes.us.')
> describe RCVD_IN_BLKHO_CHINA ccTLD: sender is in China
> tflags RCVD_IN_BLKHO_CHINA net
>
> score RCVD_IN_BLKHO_HONGKONG 1
> header RCVD_IN_BLKHO_HONGKONG rbleval:check_rbl('blackholes.us-hk', 'hongkong.blackholes.us.')
> describe RCVD_IN_BLKHO_HONGKONG ccTLD: sender is in Hong Kong
> tflags RCVD_IN_BLKHO_HONGKONG net
>
> score RCVD_IN_BLKHO_JAPAN 1
> header RCVD_IN_BLKHO_JAPAN rbleval:check_rbl('blackholes.us-jp', 'japan.blackholes.us.')
> describe RCVD_IN_BLKHO_JAPAN ccTLD: sender is in Japan
> tflags RCVD_IN_BLKHO_JAPAN net
>
> score RCVD_IN_BLKHO_KOREA 1
> header RCVD_IN_BLKHO_KOREA rbleval:check_rbl('blackholes.us-kr', 'korea.blackholes.us.')
> describe RCVD_IN_BLKHO_KOREA ccTLD: sender is in Korea
> tflags RCVD_IN_BLKHO_KOREA net
>
> score RCVD_IN_BLKHO_MALAYSIA 1
> header RCVD_IN_BLKHO_MALAYSIA rbleval:check_rbl('blackholes.us-my', 'malaysia.blackholes.us.')
> describe RCVD_IN_BLKHO_MALAYSIA ccTLD: sender is in Malaysia
> tflags RCVD_IN_BLKHO_MALAYSIA net
>
> score RCVD_IN_BLKHO_NIGERIA 1
> header RCVD_IN_BLKHO_NIGERIA rbleval:check_rbl('blackholes.us-ng', 'nigeria.blackholes.us.')
> describe RCVD_IN_BLKHO_NIGERIA ccTLD: sender is in Nigeria
> tflags RCVD_IN_BLKHO_NIGERIA net
>
> score RCVD_IN_BLKHO_RUSSIA 1
> header RCVD_IN_BLKHO_RUSSIA rbleval:check_rbl('blackholes.us-ru', 'russia.blackholes.us.')
> describe RCVD_IN_BLKHO_RUSSIA ccTLD: sender is in Russia
> tflags RCVD_IN_BLKHO_RUSSIA net
>
> score RCVD_IN_BLKHO_SINGAPORE 1
> header RCVD_IN_BLKHO_SINGAPORE rbleval:check_rbl('blackholes.us-sg', 'singapore.blackholes.us.')
> describe RCVD_IN_BLKHO_SINGAPORE ccTLD: sender is in Singapore
> tflags RCVD_IN_BLKHO_SINGAPORE net
>
> score RCVD_IN_BLKHO_TAIWAN 1
> header RCVD_IN_BLKHO_TAIWAN rbleval:check_rbl('blackholes.us-tw', 'taiwan.blackholes.us.')
> describe RCVD_IN_BLKHO_TAIWAN ccTLD: sender is in Taiwan
> tflags RCVD_IN_BLKHO_TAIWAN net
>
> score RCVD_IN_BLKHO_THAILAND 1
> header RCVD_IN_BLKHO_THAILAND rbleval:check_rbl('blackholes.us-th', 'thailand.blackholes.us.')
> describe RCVD_IN_BLKHO_THAILAND ccTLD: sender is in Thailand
> tflags RCVD_IN_BLKHO_THAILAND net
>
> score RCVD_IN_BLKHO_TURKEY 1
> header RCVD_IN_BLKHO_TURKEY rbleval:check_rbl('blackholes.us-tr', 'turkey.blackholes.us.')
> describe RCVD_IN_BLKHO_TURKEY ccTLD: sender is in Turkey
> tflags RCVD_IN_BLKHO_TURKEY net
> ############### END blackholes.us ######################
>
>
> ############### BEGIN SORBS ######################
> score RCVD_IN_SORBS 1
> header RCVD_IN_SORBS rbleval:check_rbl('sorbs', 'dnsbl.sorbs.net.')
> describe RCVD_IN_SORBS SORBS: sender is listed in SORBS
> tflags RCVD_IN_SORBS net
>
> score RCVD_IN_SORBS_HTTP 1
> header RCVD_IN_SORBS_HTTP rbleval:check_rbl('sorbs-http', 'http.dnsbl.sorbs.net.')
> describe RCVD_IN_SORBS_HTTP SORBS: Open HTTP Proxy
> tflags RCVD_IN_SORBS_HTTP net
>
> score RCVD_IN_SORBS_SOCKS 1
> header RCVD_IN_SORBS_SOCKS rbleval:check_rbl('sorbs-socks', 'socks.dnsbl.sorbs.net.')
> describe RCVD_IN_SORBS_SOCKS SORBS: Open SOCKS Proxy
> tflags RCVD_IN_SORBS_SOCKS net
>
> score RCVD_IN_SORBS_MISC 1
> header RCVD_IN_SORBS_MISC rbleval:check_rbl('sorbs-misc', 'misc.dnsbl.sorbs.net.')
> describe RCVD_IN_SORBS_MISC SORBS: Miscellaneous Open Proxy
> tflags RCVD_IN_SORBS_MISC net
>
> score RCVD_IN_SORBS_SMTP 1
> header RCVD_IN_SORBS_SMTP rbleval:check_rbl('sorbs-smtp', 'smtp.dnsbl.sorbs.net.')
> describe RCVD_IN_SORBS_SMTP SORBS: Open SMTP Relay
> tflags RCVD_IN_SORBS_SMTP net
>
> score RCVD_IN_SORBS_WEB 1
> header RCVD_IN_SORBS_WEB rbleval:check_rbl('sorbs-web', 'web.dnsbl.sorbs.net.')
> describe RCVD_IN_SORBS_WEB SORBS: Vulnerable WWW server (formmail.cgi, Code Red, Nimda)
> tflags RCVD_IN_SORBS_WEB net
>
> score RCVD_IN_SORBS_SPAM 1
> header RCVD_IN_SORBS_SPAM rbleval:check_rbl('sorbs-spam', 'spam.dnsbl.sorbs.net.')
> describe RCVD_IN_SORBS_SPAM SORBS: Spam Source/Support
> tflags RCVD_IN_SORBS_SPAM net
>
> score RCVD_IN_SORBS_ZOMBIE 1
> header RCVD_IN_SORBS_ZOMBIE rbleval:check_rbl('sorbs-zombie', 'zombie.dnsbl.sorbs.net.')
> describe RCVD_IN_SORBS_ZOMBIE SORBS: Hijacked netblock
> tflags RCVD_IN_SORBS_ZOMBIE net
> ############### END SORBS ######################
>
>
> score RCVD_IN_MONKEYS_PROXIES 1
> header RCVD_IN_MONKEYS_PROXIES rbleval:check_rbl('monkeys-proxies', 'proxies.relays.monkeys.com.')
> describe RCVD_IN_MONKEYS_PROXIES MONKEYS: Unsecured Proxy
> tflags RCVD_IN_MONKEYS_PROXIES net
>
> #dynablock.easynet.nl
> #blackholes.easynet.nl
> #proxies.blackholes.easynet.nl
> ############### BEGIN EASYNET ######################
> # Formerly Wirehub
> score RCVD_IN_EASYNET 1
> header RCVD_IN_EASYNET rbleval:check_rbl('easynet', 'blackholes.easynet.nl.')
> describe RCVD_IN_EASYNET EASYNET: Listed at Easynet.nl
> tflags RCVD_IN_EASYNET net
>
> score RCVD_IN_EASYNET_PROXIES 1
> header RCVD_IN_EASYNET_PROXIES rbleval:check_rbl('easynet-proxies', 'proxies.blackholes.easynet.nl.')
> describe RCVD_IN_EASYNET_PROXIES EASYNET: Unsecured Proxy
> tflags RCVD_IN_EASYNET_PROXIES net
>
> score RCVD_IN_EASYNET_DYNABLOCK 1
> header RCVD_IN_EASYNET_DYNABLOCK rbleval:check_rbl('easynet-dynablock', 'dynablock.blackholes.easynet.nl.')
> describe RCVD_IN_EASYNET_DYNABLOCK EASYNET: sender has a dynamically assigned IP
> tflags RCVD_IN_EASYNET_DYNABLOCK net
> ############### END EASYNET ######################
>
>
> ############### BEGIN MISC CHECKS ######################
> score RCVD_IN_DSBL_MULTIHOP 1
> header RCVD_IN_DSBL_MULTIHOP rbleval:check_rbl_txt('dsbl', 'multihop.dsbl.org.')
> describe RCVD_IN_DSBL_MULTIHOP DSBL: received via a relay in multihop.dsbl.org
> tflags RCVD_IN_DSBL_MULTIHOP net
>
> score RCVD_IN_VISI_DIALUPS 1
> header RCVD_IN_VISI_DIALUPS rbleval:check_rbl('visi-dialups', 'dialups.visi.com.')
> describe RCVD_IN_VISI_DIALUPS DNSBL: sender has a dynamically assigned IP
> tflags RCVD_IN_VISI_DIALUPS net
>
>
> Do you see any glaring mistakes in all of that? (we are DUL and RSS
> customers) I can send it as an attachment if desired.
I don't see any mistakes other than a spelling mistake in a comment line
where it doesn't matter, but at 5 AM I struggle to even see the monitor.
The best thing to do is add it a rule or two at a time and test it. Fake
up some mail that should cause a hit and see if it does; testing beats
guessing every time :)
> I don't know if I
> used the correct rbleval options or not. I see a number of rules in
> 20_dnsbl that look like
>
> check_rbl('osirusoft-notfirsthop'
>
> Is "-notfirsthop" some sort of code that SA looks for that I can use or
> dialups.visi.com for example? Is any of this documented anywhere? I
> can't find any mention of this.
>
I remember seeing in some docs somewhere that -firsthop is magic, I
don't know about -notfirsthop, it might be time for me to spend a day or
two reading the source code so I know what it's all doing :)
> Thanks
> Justin
Hope that helps,
Dave (asleep at the keyboard again)
--
Scanned by MailScanner at wot.no-ip.com
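An added example, not code from either poster or from SpamAssassin itself, covering two things the thread discusses: Dave's scheme of scoring a meta || rule once (and using a meta && rule to take score back off) instead of letting every DNSBL hit add up, and Dave's suggestion to test the posted rules rather than eyeball them. The script parses the rule subset used above (header ... rbleval:check_rbl / check_rbl_sub / check_rbl_txt, meta, score, describe, tflags), lints cross-references so a mistyped rule name or a score line missing its rule name is reported, and scores a message from a constructed set of DNSBL answers. The rule names, the DNSBL answers and the assumption that an unscored rule counts 1.0 are all constructed for this example.

```python
# Added example (not the thread's code): lint and evaluate a small
# SpamAssassin-style rule file against constructed DNSBL answers.
import re

HEADER_RE = re.compile(
    r"^header\s+(\S+)\s+rbleval:(check_rbl(?:_sub|_txt)?)\('([^']*)'(?:,\s*'([^']*)')?\)")
META_RE = re.compile(r"^meta\s+(\S+)\s+(.+)$")
SCORE_RE = re.compile(r"^score\s+(\S+)\s+(-?\d+(?:\.\d+)?)$")
ATTR_RE = re.compile(r"^(describe|tflags)\s+(\S+)\b")


def parse_rules(text):
    """Return (rules, problems). rules: name -> dict(kind, set, arg, expr, score).
    problems: lint findings such as a scored-but-undefined rule name."""
    rules, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := HEADER_RE.match(line):
            name, func, setname, arg = m.groups()
            rules.setdefault(name, {}).update(kind=func, set=setname, arg=arg)
        elif m := META_RE.match(line):
            rules.setdefault(m.group(1), {}).update(kind="meta", expr=m.group(2))
        elif m := SCORE_RE.match(line):
            rules.setdefault(m.group(1), {})["score"] = float(m.group(2))
        elif m := ATTR_RE.match(line):
            rules.setdefault(m.group(2), {})  # describe/tflags only name a rule
        else:  # e.g. "score 2" with the rule name left out
            problems.append(f"line {lineno}: unparsed directive: {line}")
    for name, r in rules.items():
        if "kind" not in r:
            problems.append(f"{name}: scored/described but never defined (typo?)")
        elif "score" not in r:
            problems.append(f"{name}: defined but has no score line")
    return rules, problems


def eval_meta(expr, hits):
    """Evaluate a meta expression (names, !, &&, ||, parentheses) against the
    set of rule names that fired; a tiny recursive-descent parser."""
    toks = re.findall(r"[A-Za-z0-9_]+|\|\||&&|!|[()]", expr)
    pos = 0

    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1]

    def atom():
        t = take()
        if t == "(":
            v = or_expr()
            take()  # closing paren
            return v
        if t == "!":
            return not atom()
        return t in hits

    def and_expr():
        v = atom()
        while pos < len(toks) and toks[pos] == "&&":
            take()
            v = atom() and v
        return v

    def or_expr():
        v = and_expr()
        while pos < len(toks) and toks[pos] == "||":
            take()
            v = and_expr() or v
        return v

    return or_expr()


def evaluate(rules, answers):
    """answers: {dnsbl set name: set of A records returned}. Header tests fire
    first, then meta rules until none new fires. Unscored rules count 1.0
    (assumed default). Returns (hit names, total score)."""
    hits = set()
    for name, r in rules.items():
        got = answers.get(r.get("set"), set())
        if r.get("kind") in ("check_rbl", "check_rbl_txt") and got:
            hits.add(name)
        elif r.get("kind") == "check_rbl_sub" and r["arg"] in got:
            hits.add(name)
    changed = True
    while changed:
        changed = False
        for name, r in rules.items():
            if r.get("kind") == "meta" and name not in hits and eval_meta(r["expr"], hits):
                hits.add(name)
                changed = True
    return hits, round(sum(rules[h].get("score", 1.0) for h in hits), 2)


# Constructed rule set in the thread's layout: check_rbl scored 0.01, dialup
# lists scored 0 so the meta || rule pays its 2 points once however many hit,
# and a meta && rule taking 0.5 back when two proxy lists agree.
SAMPLE_RULES = """
score RCVD_IN_OSIRUSOFT_COM 0.01
header RCVD_IN_OSIRUSOFT_COM rbleval:check_rbl('osirusoft', 'relays.osirusoft.com.')
tflags RCVD_IN_OSIRUSOFT_COM net
score X_OSIRU_DUL 0
header X_OSIRU_DUL rbleval:check_rbl_sub('osirusoft', '127.0.0.3')
score X_OSIRU_OPEN_PROXY 1
header X_OSIRU_OPEN_PROXY rbleval:check_rbl_sub('osirusoft', '127.0.0.9')
score RCVD_IN_VISI_DIALUPS 0
header RCVD_IN_VISI_DIALUPS rbleval:check_rbl('visi-dialups', 'dialups.visi.com.')
meta Z_DIALUPS (X_OSIRU_DUL || RCVD_IN_VISI_DIALUPS)
describe Z_DIALUPS Host has a dynamically assigned IP
score Z_DIALUPS 2
score RCVD_IN_SORBS_HTTP 1
header RCVD_IN_SORBS_HTTP rbleval:check_rbl('sorbs-http', 'http.dnsbl.sorbs.net.')
meta Z_PROXY_OVERLAP (X_OSIRU_OPEN_PROXY && RCVD_IN_SORBS_HTTP)
score Z_PROXY_OVERLAP -0.5
"""

# Constructed DNSBL answers for one message (osirusoft: dialup + open proxy).
SAMPLE_ANSWERS = {
    "osirusoft": {"127.0.0.3", "127.0.0.9"},
    "visi-dialups": {"127.0.0.2"},
    "sorbs-http": {"127.0.0.2"},
}

# Constructed snippet reproducing two defects of the kind the thread's rules had.
BROKEN_RULES = """
score RCVD_IN_BLKHO_ARGENTINA 1
header RCVD_IN_BLKHO_ARENTINA rbleval:check_rbl('blackholes.us-ar', 'argentina.blackholes.us.')
meta Z_DIALUPS (RCVD_IN_MAPS_DUL || RCVD_IN_VISI_DIALUPS)
score 2
"""

if __name__ == "__main__":
    rules, problems = parse_rules(SAMPLE_RULES)
    print("lint:", problems or "clean")
    print(evaluate(rules, SAMPLE_ANSWERS))  # Z_DIALUPS counted once: total 3.51
    print(parse_rules(BROKEN_RULES)[1])
```

Running it with `SAMPLE_ANSWERS` gives a total of 3.51 (0.01 + 1 + 2 + 1 - 0.5): both dialup lists hit but Z_DIALUPS contributes its 2 points exactly once, which is the capping behaviour Justin asked about. Linting `BROKEN_RULES` reports the mistyped Argentina rule name on both sides and the score line with no rule name, the kind of slip that silently does nothing in a real rules file.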
_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk