On 13/12/10 15:44, RW wrote:
> On Mon, 13 Dec 2010 13:47:14 +0000
> Cedric Knight <ced...@gn.apc.org> wrote:
...
>> header RCVD_IN_GBUDB_TRUNC eval:check_rbl('trunc-firsttrusted',
>> 'truncate.gbudb.net.')
>
> That should be "-lastexternal" - assuming that the list contains
> a lot of dynamic addresses.
And assuming that you've populated trusted_networks with the SMTP servers for ISPs/freemailers that don't put any authentication information in the header. I haven't, personally. The list doesn't contain a lot of dynamic addresses in the sense of RCVD_IN_SORBS_DUL, but I'm not sure it excludes them the way deep-parsing lists are supposed to.

> Blacklists run on either the last external address or run deep,
> whitelists run on first-trusted.

I guess this one could run deep, and will try that for a period.

This is a confusing issue. The way I think of it goes roughly as follows:

* I prefer not to do unnecessary DNS lookups, ideally at most one per message (per RBL).

* If I know another party's server forwards a domain it MXes to me, but is also an MSA (SMTP server) for users, then I don't want to put it in internal_networks, to prevent possible DUL FPs from the SMTP users.

* So, assuming my spam-checking is better than on that server, I put it in trusted_networks. Now -firsttrusted rules will catch spam sent to the MX, but will not hit the other server's users, unless they are on a dynamic IP address that has unfortunately recently been used by spammers and there is no SA-recognised authentication such as ESMTPA (a risk I can take). This is a conservative approach to trusted_networks. (And a bit lazy, perhaps: I do have a list of MX-like servers that have sent ham, but I don't want to keep updating it.)

* If I put all major ISPs and freemailers into firsttrusted, and some of them do have authentication that is recognised by SpamAssassin (such as Yahoo), then the RBL won't catch exploited servers or botnets or gangs in West Africa who have freemail accounts or are on the ISP's network; in fact ALL_TRUSTED might hit (btw I shortcircuit if so, to stop CPU-intensive rules running).

* With this approach, -lastexternal still catches botnet spam coming from dynamic and DSL IP addresses direct to my MXs (and any MXs I list that are not also MSAs), by using the dial-up RBLs like SORBS_DUL. For a more general RBL (i.e. just including addresses known to send spam, not based on whether they are dynamic), -firsttrusted hits botnet spam sources, but also stuff from a compromised server.

* Suppose I do add Hotmail: "trusted_networks 65.52.0.0/14". Hotmail's auth mechanism is not recognised by SA (unlike Yahoo's). Now if I set an RBL to run -lastexternal, it will check whether Hotmail is in the RBL (or maybe shouldn't check at all since it's trusted). That Hotmail server may send a mixture of ham and spam, and I don't expect it to be listed as a spam source. If I have the list (which is mostly of addresses that are known spam sources, not just dynamic IPs or ones which are known not to run mailservers) set to -firsttrusted, it stands a fair chance of discriminating between spammy and non-spammy Hotmail users.

* DNSWLs stay on -firsttrusted too. I know this goes against received wisdom, but empirically it seems to work well for me.

CK
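As an added illustration, not code from this thread or from SpamAssassin itself, here is a small Python model of the boundary rule that, as I understand it, decides which address each suffix looks up: -lastexternal takes the sending address of the first hop outside internal_networks, -firsttrusted the first hop outside trusted_networks, so the two only diverge once a non-internal server (Hotmail's range from the mail above) is added to trusted_networks. The Received lines, hostnames and addresses are constructed, and SpamAssassin's handling of recognised authentication (ESMTPA) and msa_networks is deliberately left out.

```python
import ipaddress
import re

# Constructed Received chain, newest hop first, the order SpamAssassin reads it.
# A Hotmail outbound server (inside 65.52.0.0/14, the range quoted in the mail)
# hands the message to our MX and has recorded the submitting client itself.
VIA_HOTMAIL = [
    "from mx1.example.org (mx1.example.org [192.0.2.10]) by store.example.org",
    "from omc1.hotmail.example (omc1.hotmail.example [65.54.51.80]) by mx1.example.org",
    "from client-w4.example ([203.0.113.77]) by omc1.hotmail.example",
]
# Constructed chain for botnet mail delivered straight from a DSL pool to our MX.
DIRECT_TO_MX = [
    "from mx1.example.org (mx1.example.org [192.0.2.10]) by store.example.org",
    "from dsl-pool-23.example ([198.51.100.23]) by mx1.example.org",
]

INTERNAL = [ipaddress.ip_network("192.0.2.0/24")]            # our own MXs (constructed)
TRUSTED = INTERNAL + [ipaddress.ip_network("65.52.0.0/14")]  # plus Hotmail, as in the mail

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def hop_ips(received):
    """Sending ('from') address of each hop, newest first."""
    return [ipaddress.ip_address(IP_RE.search(h).group(1)) for h in received]


def boundary_ip(received, nets):
    """Address of the first hop (top-down) that lies outside `nets`: the host
    that handed the message across that trust boundary. None means every hop
    was inside the boundary (the ALL_TRUSTED situation)."""
    for ip in hop_ips(received):
        if not any(ip in n for n in nets):
            return str(ip)
    return None


def lastexternal(received, internal=INTERNAL):
    """Model of the -lastexternal suffix: boundary is internal_networks."""
    return boundary_ip(received, internal)


def firsttrusted(received, trusted=TRUSTED):
    """Model of the -firsttrusted suffix: boundary is trusted_networks."""
    return boundary_ip(received, trusted)


if __name__ == "__main__":
    print("via Hotmail: lastexternal =", lastexternal(VIA_HOTMAIL),
          "firsttrusted =", firsttrusted(VIA_HOTMAIL))
    print("direct:      lastexternal =", lastexternal(DIRECT_TO_MX),
          "firsttrusted =", firsttrusted(DIRECT_TO_MX))
```

With Hotmail in trusted_networks, -lastexternal would look up Hotmail's own server while -firsttrusted looks up the submitting client; with trusted_networks equal to internal_networks the two suffixes pick the same address.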