On 10/17/2013 02:08 PM, Axb wrote:
> On 10/17/2013 02:00 PM, Tom Hendrikx wrote:
>> On 10/17/2013 12:25 PM, Marco wrote:
>>> Hello,
>>>
>>> If I submit this to Spamassassin 3.3.2:
>>>
>>> <div><b>Da:</b> <<a
>>> href="mailto:ziop...@errebian.it">ziop...@errebian.it</a>><br>;
>>> <b>Cc:</b> Alice <<a
>>> href="mailto:al...@errebian.it">al...@errebian.it</a>>,
>>> Bob <<a
>>> href="mailto:b...@errebian.it">b...@errebian.it</a>><br>;
>>>
>>> I see:
>>>
>>> 7.0 URIBL_SBL Contains an URL listed in the SBL blocklist
>>> [URIs: errebian.it]
>>>
>>> ...but errebian.it IPs are not in SBL..!
>>>
>>> Could you help me to understand?
>>> Thank you very much!!
>>>
>>> Marco
>>>
>>
>> We had this too for one of our customers. Your problem is that one of
>> the nameservers of the domain is listed:
>>
>> http://www.spamhaus.org/query/ip/151.1.141.150
>>
>> I'm not really sure whether it's a feature or a bug that the rule/plugin
>> goes that deep while searching for possible wrongdoing ip addresses...
>
> Why would this be a bug? The rule performs as expected.
> the original score is low enough not to push it over the top on its
> own.. and if you have your domain on a dirty NS or A IP neighbourhood,
> you may want to move to a more adequate gate community :)

Basically the description "Contains an URL listed in the SBL blocklist
[URIs: example.com]" is false, since the domain or any of the ip
addresses linked directly to it aren't listed. Maybe it would be nice to
have a split between 'direct' hits (A/AAAA record of hostname) and
'secondaries' (ip addresses extracted from DNS 'metadata' such as MX or
NS records), so the rule description can be more informative. First time
when I ran into this, we spent quite some time on finding which ip was
actually listed, and what relation it had to the customer domain.

>
> the unreal score this person is using "7.0 URIBL_SBL"
> means he's screaming for trouble

Totally agree.
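
Added example, not part of the thread and not SpamAssassin's own code: Python that applies the 'direct' versus 'secondary' split discussed above, reporting which DNS relationship ties a listed IPv4 address to a domain. The zone data, the listed set, and the `resolve` and `is_listed` hooks are constructed or hypothetical stand-ins for live DNS and SBL lookups; AAAA and MX records are left out.

```python
import ipaddress

# Constructed stand-ins for live DNS answers (documentation names and ranges).
ZONE_DATA = {
    ("example.com", "A"): ["192.0.2.10"],
    ("example.com", "NS"): ["ns1.example.net", "ns2.example.net"],
    ("ns1.example.net", "A"): ["203.0.113.150"],
    ("ns2.example.net", "A"): ["198.51.100.7"],
}
# Constructed stand-in for the blocklist: query names that would get an answer.
LISTED = {"150.113.0.203.sbl.spamhaus.org"}


def dnsbl_qname(ip, zone="sbl.spamhaus.org"):
    """Name a DNSBL client queries: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def resolve(name, rtype):
    """Hypothetical resolver hook; swap in a real DNS lookup for live use."""
    return ZONE_DATA.get((name, rtype), [])


def is_listed(ip):
    """Hypothetical blocklist hook; live use would resolve dnsbl_qname(ip)."""
    return dnsbl_qname(ip) in LISTED


def explain_hits(domain):
    """Return (kind, path, ip) for every listed address tied to the domain."""
    hits = []
    # Direct: the domain's own A records.
    for ip in resolve(domain, "A"):
        if is_listed(ip):
            hits.append(("direct", f"{domain} A", ip))
    # Secondary: addresses of the domain's nameservers.
    for ns in resolve(domain, "NS"):
        for ip in resolve(ns, "A"):
            if is_listed(ip):
                hits.append(("secondary", f"{domain} NS {ns} A", ip))
    return hits


if __name__ == "__main__":
    for kind, path, ip in explain_hits("example.com"):
        print(f"{kind:9} {path} -> {ip} ({dnsbl_qname(ip)})")
```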