On 02/05/2018 09:44 AM, Reindl Harald wrote:

On 05.02.2018 at 16:36, David Jones wrote:
On 02/05/2018 09:26 AM, Benny Pedersen wrote:
David Jones wrote on 2018-02-05 15:09:

ifplugin Mail::SpamAssassin::Plugin::DNSEval

header          __RCVD_IN_BRBL  eval:check_rbl('brbl', 'bb.barracudacentral.org')
tflags          __RCVD_IN_BRBL  net

header          __RCVD_IN_BRBL_2        eval:check_rbl_sub('brbl', '127.0.0.2')
meta            RCVD_IN_BRBL    __RCVD_IN_BRBL_2 && !RCVD_IN_BRBL_LASTEXT
describe        RCVD_IN_BRBL    Received is listed in Barracuda RBL bb.barracudacentral.org
score           RCVD_IN_BRBL    1.2
tflags          RCVD_IN_BRBL    net

header          RCVD_IN_BRBL_LASTEXT    eval:check_rbl('brbl-lastexternal', 'bb.barracudacentral.org')
describe        RCVD_IN_BRBL_LASTEXT    Last external is listed in Barracuda RBL bb.barracudacentral.org
score           RCVD_IN_BRBL_LASTEXT    2.2
tflags          RCVD_IN_BRBL_LASTEXT    net

endif

this rule makes 2 dns queries, waste of cpu performance, i would suggest to drop the lastexternal, so it's only if ip is listed yes or no, 50% dns queries saved, and still same hits on listed ips, why do we need to help spammers?

If you are running a local DNS cache like this list and the SA documentation recommend, does this really matter?  My MTA should have already queried this before SA does it so it should be in the local DNS cache and not require a full recursive lookup from the SA rule above.

1.2 points just because the IP of the previous hop is listed is pure nonsense and it was even nonsense as Barracuda Networks started with that bullshit called "deep header inspection"

Barracuda and many other RBLs list here a ton of innocent IPs which are nothing else than the end users' range which never should touch an inbound MX itself

so what the hell is the point that you give me 1.2 points because i use as i should our MTA from my home-ip to send an ordinary mail?

It can be a sign of a compromised account. I just saw a compromised account coming from Nigeria listed on BRBL through Office 365. Now that O365 is finally adding the "x-originating-ip" header, we can detect botnets sending via infected home computers.

Legit emails should have other rules subtracting points so a 1.2 should not be a major factor in the score. My mail platform is scoring real spam greater than 18 and usually in the 20s. I could leave this rule out and be fine but most default SA instances would benefit from it. If they want to lower the scores, then make them 0.2 and 1.2 and use them in meta rules.

--
David Jones
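
The rule logic debated in this thread, modelled offline as an added example (not code from the thread or from SpamAssassin). It assumes the 'brbl' set looks up every external relay and 'brbl-lastexternal' only the newest external one; RELAYS, INTERNAL and fake_zone are constructed stand-ins.

```python
import ipaddress

ZONE = "bb.barracudacentral.org"  # zone from the rules quoted in the thread

def qname(ip, zone=ZONE):
    """IPv4 DNSBL query name: octets reversed, zone appended."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def plan_queries(relays, internal_nets):
    """relays: Received-chain IPs, newest hop first (simplified model).
    Returns (names for the all-relays set, name for the last-external set)."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    external = [ip for ip in relays
                if not any(ipaddress.ip_address(ip) in n for n in nets)]
    last_ext = qname(external[0]) if external else None
    return [qname(ip) for ip in external], last_ext

def evaluate(relays, internal_nets, resolve):
    """Apply the thread's rule logic; resolve(name) returns a list of A records."""
    all_set, last_ext = plan_queries(relays, internal_nets)
    cache = {}
    def cached(name):
        if name not in cache:
            cache[name] = resolve(name)   # one real lookup per distinct name
        return cache[name]
    lastext_hit = last_ext is not None and bool(cached(last_ext))
    sub_hit = any("127.0.0.2" in cached(n) for n in all_set)
    hits = []
    if lastext_hit:
        hits.append("RCVD_IN_BRBL_LASTEXT")
    if sub_hit and not lastext_hit:  # meta: __RCVD_IN_BRBL_2 && !RCVD_IN_BRBL_LASTEXT
        hits.append("RCVD_IN_BRBL")
    return hits, len(cache)

# Constructed sample: internal MX, sender's MTA, sender's home IP.
RELAYS = ["10.0.0.5", "198.51.100.7", "203.0.113.9"]
INTERNAL = ["10.0.0.0/8"]

def fake_zone(listed_ips):
    """Offline stand-in for the DNSBL: listed IPs answer 127.0.0.2."""
    data = {qname(ip): ["127.0.0.2"] for ip in listed_ips}
    return lambda name: data.get(name, [])

if __name__ == "__main__":
    print(evaluate(RELAYS, INTERNAL, fake_zone(["203.0.113.9"])))   # home IP listed
    print(evaluate(RELAYS, INTERNAL, fake_zone(["198.51.100.7"])))  # last external listed
```

In this model the last-external query name is always one of the names the all-relays set already asks for, so the second rule set adds no new distinct DNS name once answers are cached.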
