On 2022-08-12 at 23:43:48 UTC-0400 (Sat, 13 Aug 2022 13:43:48 +1000)
Noel Butler <noel.but...@ausics.net>
is rumored to have said:

> Why are you not blocking with blacklists at the border, i.e. the MTA?
>
> Given it's 0 resources for your MTA, with anti-spam checking in SA often using significant resources (depending on traffic/number of tests/rules etc.), it's best to stop it getting to SA in the first place.

Absolutely true for sender and client host domains, but looking for domains in mail body URIs as Joe described isn't possible in most MTAs and is inherently costly.

> SA also has this by-default list of domains that it never checks,

Not exactly. There are 2 distinct domain lists internal to SA that exist to reduce false positives.

1. The URIDNSBL 'skip' list of domains which are ignored in body URIs. These are known to not *per se* have any correlation to the ham/spam classification decision.

2. The default welcomelist, which provides a 15 point bonus when in a sender address that has been authenticated with DKIM or SPF. In comparison, explicit block/welcome listings (i.e. done locally) are worth +/- 100 points. These are domains which the SA developers believe *BASED ON HARD EVIDENCE* send only ham to the degree that is possible for a large sender of commercial email.

The purpose of these is not to overrule conscious local admin choices, but to minimize bad surprises.

> For a long time I have disagreed with this; we are the ones to decide who gets whitelisted, not SA, not some paid third party,

That's the ideal, but it is not universally feasible. Most sites won't know what needs exemption from filtering until they have a false positive. They may never figure it out. Both lists that are internal to SA are intended to only reduce false positives, not to exempt anyone from behavior norms.

> the option clear_uridnsbl_skip_domain however prevents this,

Yes, you can clear out the skip list in whole or piecemeal. You can also remove sender domains from the default welcomelist or zero out the score for USER_IN_DEF_WELCOMELIST entirely to disable that list.

> but then you have to locate and 0 all the general rulesets' scores that are whitelists as well.

Not sure what you mean by that... There are a handful of rules that sidestep specific false positive cases because the hit being evaded isn't meaningful in specific cases. None of those are intended to 'whitelist' any domain, they exist to avoid incorrect hits.

> On 13/08/2022 09:55, joe a wrote:
>
>> I need to refresh my brain on using blacklists with SA, before looking more deeply into why this got through.
>>
>> Today an email slipped through with a very low score that was clearly phishy. A URL in question, posing as another, hits no less than 6 blacklists. I was going to look at clamav that is in use here, as I had just been tuning that a bit, and realized that that may be using a hammer to drive a screw, so to speak.
>>
>> Or are they passe these days?
>
> --
> Regards,
> Noel Butler



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
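The local.cf settings discussed above (clearing the URIDNSBL skip list in whole or piecemeal, removing a sender domain from the default welcomelist, or zeroing USER_IN_DEF_WELCOMELIST), as an added example fragment that is not from the thread or from the SpamAssassin project. It assumes SpamAssassin 4.x option names (3.4.x uses the older whitelist/blacklist spellings) and uses placeholder domains.

```conf
# Added example local.cf fragment; example.* domains are placeholders.
# Assumes SpamAssassin 4.x spellings of the welcomelist/blocklist options.

# Option A: drop every domain from the built-in URIDNSBL skip list, so body
# URIs at those domains are looked up in URIBLs like any other domain.
clear_uridnsbl_skip_domain

# Option B (piecemeal): remove only the listed domains from the skip list.
# Assumes clear_uridnsbl_skip_domain accepts domain arguments.
clear_uridnsbl_skip_domain example.com example.net

# Re-add a domain to the skip list if a local false positive shows up later.
uridnsbl_skip_domain example.org

# Default welcomelist, choice 1: remove a single authenticated sender domain
# from the DKIM- and SPF/auth-based default lists.
unwelcomelist_from_dkim *@example.com
unwelcomelist_auth      *@example.com

# Default welcomelist, choice 2: keep the list but neutralise its -15 bonus,
# which disables it as a whole.
score USER_IN_DEF_WELCOMELIST 0

# Explicit local decisions are the +/- 100 point listings mentioned above.
welcomelist_auth *@partner.example
blocklist_from   *@spammer.example
```

Run `spamassassin --lint` after editing so an unknown option name (e.g. a 3.4.x install fed 4.x spellings) is caught before the config goes live.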
