Giampaolo Tomassoni wrote:
> > So, if people could take a look at it, test it, see if it does what it
> > advertises, and see if it's as accurate as my experience indicates, I
> > would appreciate getting feedback. If it pans out, I'll see about
> > putting it in a tar ball, and submitting it to the wiki's list of plugins.
>
> I didn't yet manage to test it, but it looks like an interesting work.
> May I spare a suggestion?
>
> I would prefer not to have to deal with a single, computed RELAY_CHECKER score,
> but with many different ones for each of the triggered cases. This way it would
> be easier to tune scores from this plugin.
>
> To me, your plugin could trigger the following tags:
>
> RELAY_CHECKER (at least one rule had been triggered. According to your code
> would score 4 by default);
> RC_NORDNS (scores 1);
> RC_BADRDNS (scores 1);
> RC_BADDNS (scores 1);
> RC_IPINHOSTNAME (scores 1);
> RC_DYNHOSTNAME (scores 1);

I was actually thinking of something slightly different.

One static score that can be adjusted in the cf file. Say, 6 (this
makes more sense than the current situation of "sometimes you get 5,
sometimes you get 6", in my opinion).

Then a bunch of individual scores (like you suggest) that are
dynamically scored (the way the plugin records its current score, giving
each of those hits as 0 or .01).

This would give a score range of 6.01 to 6.05. The basic idea is "if
you get hit by this plugin at all, you're going to get a 6, but the .01
scores will show up in a detailed report header, letting you know which
specific characteristics were triggered".

When someone wants to run tests, they'd just set the static score from 6
to .01 (yielding an overall score from .01 to .05).

The other two things I'm looking at changing are:
a) having a "relaycheck_exempt" cf configuration,
b) looking at the "auth" part of the untrusted relay data.

The result would be that instead of looking at the first untrusted
relay, it would skip past untrusted relays that were in the
relaycheck_exempt list. Then, if the untrusted relay it's left with had
used authentication, the rule wouldn't trigger.
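
The relay selection and scoring proposed in this message, modelled in Python as an added example (it is not the plugin's own code, and was not posted by either participant). The relay string is a constructed sample in the style of SpamAssassin's untrusted-relay metadata; the function names and the use of CIDR networks for the exempt list are assumptions.

```python
import ipaddress
import re

STATIC_SCORE = 6.0    # the adjustable static score suggested in the message
DETAIL_SCORE = 0.01   # marker score recorded for each triggered characteristic

# Constructed sample: two untrusted relays, nearest to our server first.
# Addresses are documentation ranges; hostnames are made up.
SAMPLE_RELAYS = (
    "[ ip=192.0.2.10 rdns=mx.forwarder.example helo=mx.forwarder.example auth= ] "
    "[ ip=198.51.100.7 rdns= helo=198-51-100-7.dyn.example auth= ]"
)

def parse_relays(metadata):
    """Turn each '[ key=value ... ]' group into a dict, preserving order."""
    relays = []
    for group in re.findall(r"\[([^\]]*)\]", metadata):
        relay = {}
        for token in group.split():
            key, _, value = token.partition("=")
            relay[key] = value
        relays.append(relay)
    return relays

def relay_to_check(relays, exempt_nets):
    """Skip exempt relays; return None when the rule must not fire."""
    nets = [ipaddress.ip_network(n) for n in exempt_nets]  # assumed CIDR format
    for relay in relays:
        addr = ipaddress.ip_address(relay["ip"])
        if any(addr in net for net in nets):
            continue        # in the exempt list: look at the next relay out
        if relay.get("auth"):
            return None     # the remaining relay authenticated: no trigger
        return relay        # this is the relay whose DNS gets examined
    return None             # every untrusted relay was exempt

def score(hits, static=STATIC_SCORE):
    """Static score plus one 0.01 marker per triggered characteristic."""
    if not hits:
        return 0.0
    return round(static + DETAIL_SCORE * len(hits), 2)
```

With the forwarder's network exempted, the check moves from 192.0.2.10 to 198.51.100.7; without the exemption the forwarder itself would be the relay examined.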