# Parent lookup: query hostkarma once; the sub-rules below match its return codes
header __RCVD_IN_JMFILTER eval:check_rbl('JMFILTER','hostkarma.junkemailfilter.com.')
describe __RCVD_IN_JMFILTER Sender listed in JMFILTER
tflags __RCVD_IN_JMFILTER net

# 127.0.0.1 = white list ("nice" marks a rule that lowers the score)
header RCVD_IN_JMFILTER_W eval:check_rbl_sub('JMFILTER', '127.0.0.1')
describe RCVD_IN_JMFILTER_W Sender listed in JMFILTER-WHITE
tflags RCVD_IN_JMFILTER_W net nice
score RCVD_IN_JMFILTER_W -5

# 127.0.0.2 = black list
header RCVD_IN_JMFILTER_B eval:check_rbl_sub('JMFILTER', '127.0.0.2')
describe RCVD_IN_JMFILTER_B Sender listed in JMFILTER-BLACK
tflags RCVD_IN_JMFILTER_B net
score RCVD_IN_JMFILTER_B 4.0

# 127.0.0.4 = brown list; distinct rule name so it does not override the BLACK rule above
header RCVD_IN_JMFILTER_BR eval:check_rbl_sub('JMFILTER', '127.0.0.4')
describe RCVD_IN_JMFILTER_BR Sender listed in JMFILTER-BROWN
tflags RCVD_IN_JMFILTER_BR net
score RCVD_IN_JMFILTER_BR 1.0
What it needs is if it's white then we short circuit to call it ham and
skip other tests.
The white list is very accurate and it's not hard to get a good whitelist.
The yellow list is also very good. The idea here is to stop all other
blacklist tests after a yellow list. I don't know how to do that in SA.
The first part is easy with the more recent SA releases. Justin put in the
short-circuit logic. Give your white rule a high priority so that it runs
first (which is actually a negative number). Then flag it as a short circuit
rule, which I think is done in tflags; but I've never done it so I'm not
positive on that.
Since it's also a net rule I'm not positive that it will run all that
firstly, because I think there is some strange interaction with delayed net
results and when normal rules run. But maybe the priority combined with a
short circuit flag will hold off the normal rules until the results of this
rule are in. It would be worth doing it that way.
I can't think of a good way to make your yellow list or maybe even the brown
list hold off all possible blacklists. Probably don't want to anyway -- if
someone has personally blacklisted host X, they probably want it
blacklisted.
The not-so-good way is to build a meta test to back out the results of any
blacklist hit if the yellow list is also hit. Which isn't all that
wonderful, since blacklists have different scores, so it will take a bunch
of metas.
In theory the yellow list could be given a priority higher than all of the
blacklists, and then it could short circuit at that point. That would
require assigning a relatively low priority to all the blacklist rules.
Maybe that would be good, maybe not. It would be a bunch of work though.
OTOH, blacklist net rules don't change all that often, so it might be
reasonably feasible to do.
It might be nice if there were a way to specify 'priority groups' for rules.
This wouldn't affect the priority of the rule or the score of the rule under
normal conditions, but you would be able to say "this short-circuit rule
must run before rule group X". In effect this would make the rule group an
implicit meta on the short-circuit rule, pushing that rule ahead of the
evaluation of the other rules.
But at least half the puzzle has a fix now.
Loren
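
The two approaches discussed in this thread, written out as an added configuration sketch (not part of the original messages, and not tested against a live setup): the white rule given an early priority and marked with the Shortcircuit plugin's `shortcircuit` directive, and one meta per blacklist to back out its score when the yellow list also hits. Assumptions: the yellow return code `127.0.0.3`, the hypothetical rule names `__RCVD_IN_JMFILTER_Y` and `JMFILTER_Y_UNDO_*`, and the constructed back-out scores. Whether a delayed net result arrives early enough for the short circuit to skip other rules is the open question raised above; this shows only the syntax.

```conf
# Added example. Requires SpamAssassin 3.2+ with the Shortcircuit plugin enabled.
loadplugin Mail::SpamAssassin::Plugin::Shortcircuit

# White list: lower priority numbers run first (default is 0), so a negative
# value puts this rule ahead of the normal rules; "ham" ends the scan as ham.
priority     RCVD_IN_JMFILTER_W  -100
shortcircuit RCVD_IN_JMFILTER_W  ham

# Yellow list sub-rule (hypothetical name; 127.0.0.3 is assumed, it is not
# given in the thread). Unscored: it only feeds the metas below.
header   __RCVD_IN_JMFILTER_Y  eval:check_rbl_sub('JMFILTER', '127.0.0.3')
tflags   __RCVD_IN_JMFILTER_Y  net

# One back-out meta per blacklist, because each blacklist carries its own score.
# RCVD_IN_SBL and RCVD_IN_XBL are stock rules used here as two examples.
# The scores are constructed values: set each to the negative of the matching
# blacklist rule's score in your own ruleset.
meta     JMFILTER_Y_UNDO_SBL  (__RCVD_IN_JMFILTER_Y && RCVD_IN_SBL)
describe JMFILTER_Y_UNDO_SBL  Yellow-listed sender: cancel RCVD_IN_SBL score
tflags   JMFILTER_Y_UNDO_SBL  net nice
score    JMFILTER_Y_UNDO_SBL  -1.0

meta     JMFILTER_Y_UNDO_XBL  (__RCVD_IN_JMFILTER_Y && RCVD_IN_XBL)
describe JMFILTER_Y_UNDO_XBL  Yellow-listed sender: cancel RCVD_IN_XBL score
tflags   JMFILTER_Y_UNDO_XBL  net nice
score    JMFILTER_Y_UNDO_XBL  -2.0
```

Run `spamassassin --lint` after adding rules like these to catch syntax errors and references to rule names that do not exist in your installation.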