Alex wrote:
> Hi,
>
> On Wed, Nov 2, 2016 at 10:36 AM, Kris Deugau <[email protected]> wrote:
>> Alex wrote:
>>> I've had to lower the score on my header XBL check because it was
>>> triggering on so many dynamic IPs that were clearly reassigned to new
>>> users, then being blacklisted. I'd appreciate it if anyone could
>>> provide additional input on how they might use something like this.
>>>
>>> header RCVD_IN_XBL_ALL eval:check_rbl_sub('zen', '127.0.0.[45678]')
>>> describe RCVD_IN_XBL_ALL Received via a relay in Spamhaus SBL-XBL
>>> tflags RCVD_IN_XBL_ALL net
>>> score RCVD_IN_XBL_ALL 0.01
>>
>> If this is really hitting on lots of legitimate mail, you probably have
>> a trust path issue. This should only check the IP that handed the
>> message to your mail server. It should NOT be checking the IP that the
>> message originated from unless you really want to refuse mail from any
>> IP that has recently had an infected PC on or behind it.
>>
>> You shouldn't need to (re)define this in any case, and I'm not certain
>> without rereading the man page if or how this will behave somewhat
>> differently to the stock RCVD_IN_XBL rule - that could be the problem
>> all on its own.
>
> Yes, as the rule currently stands, it was hitting on any Received
> header, including the origin IP from which the message was sent.
> Should there be some sort of "last-external" to signify which IP to
> check?

Yes, as per the stock rule, and the Mail::SpamAssassin::Conf man page:

header RCVD_IN_XBL eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.', '^127\.0\.0\.[45678]$')

Why are you (re)defining a near-duplicate of this? Was the stock rule
as above also misbehaving?

Note that the Spamhaus rules are split up somewhat as they're intended
for different IPs:

header __RCVD_IN_ZEN eval:check_rbl('zen', 'zen.spamhaus.org.')
header RCVD_IN_SBL eval:check_rbl_sub('zen', '127.0.0.2')
header RCVD_IN_SBL_CSS eval:check_rbl_sub('zen', '127.0.0.3')

These are explicitly designed to look up all Received: IPs as "places
you probably don't want to accept mail from, period, even if it takes a
hop through a non-listed innocent server". They're scored to match, so
that legitimate senders on dynamic IPs who happen to inherit a "dirty"
IP don't get blocked just on this basis.

header RCVD_IN_XBL eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.', '^127\.0\.0\.[45678]$')
header RCVD_IN_PBL eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.', '^127\.0\.0\.1[01]$')

The XBL and PBL sublists are ONLY checked for the relay IP, but because
of how eval:check_rbl and eval:check_rbl_sub interact, as per the man
page, these two use their own check_rbl, instead of check_rbl_sub.

If you need to redefine these because you have a local datafeed, or
key-validated DNS access, copy-paste the stock rule as-is, and only
replace the "zen.spamhaus.org" zone base name as appropriate.

-kgd
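The distinction the thread turns on, "all untrusted hops" for SBL/CSS versus "last external relay only" for XBL/PBL, is easier to see on a concrete message. The following is an added example, not SpamAssassin's own code: a deliberately simplified model of how `check_rbl('zen', ...)` and `check_rbl('zen-lastexternal', ...)` pick which Received: IPs to query, using the return-code patterns from the stock rules quoted above. The Received: headers, the trusted network, and the DNSBL answers are all constructed (the lookup is an in-memory stand-in for DNS, so nothing queries zen.spamhaus.org), and the "all hops = every untrusted hop" reading is an assumption of this model, not a statement about SpamAssassin's internals.

```python
"""Simplified model of check_rbl('zen') vs check_rbl('zen-lastexternal').

Added example, not SpamAssassin's own code. DNS is replaced by a constructed
in-memory table so the script runs offline.
"""
import ipaddress
import re

RBL_ZONE = "zen.spamhaus.org."  # zone base name from the stock rules

# Rule name -> (which hops to query, return-code regex), as in the stock rules.
# "all" is modelled here as every hop outside trusted_networks (assumption).
RULES = {
    "RCVD_IN_SBL":     ("all",          r"^127\.0\.0\.2$"),
    "RCVD_IN_SBL_CSS": ("all",          r"^127\.0\.0\.3$"),
    "RCVD_IN_XBL":     ("lastexternal", r"^127\.0\.0\.[45678]$"),
    "RCVD_IN_PBL":     ("lastexternal", r"^127\.0\.0\.1[01]$"),
    # Alex's redefinition from the thread: XBL codes matched on every hop.
    "RCVD_IN_XBL_ALL": ("all",          r"^127\.0\.0\.[45678]$"),
}

_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed Received: headers, topmost (added by our own MX) first.
SAMPLE_RECEIVED = [
    "from mx.example.net (mx.example.net [192.0.2.10]) by mail.example.com",
    "from smtp.partner-isp.example ([198.51.100.25]) by mx.example.net",
    "from user-pc.dynamic.isp.example ([203.0.113.77]) by smtp.partner-isp.example",
]

# Our own MX lives here; hops inside this range are trusted and never queried.
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed DNSBL answers keyed by query name: the dynamic origin IP is on the
# XBL (127.0.0.4) and PBL (127.0.0.11); the partner relay is not listed at all.
MOCK_ZEN = {
    "77.113.0.203.zen.spamhaus.org.": ["127.0.0.4", "127.0.0.11"],
}


def mock_dns(query_name):
    """Stand-in for an A-record lookup against the zone (constructed data)."""
    return MOCK_ZEN.get(query_name, [])


def received_ips(received_headers):
    """Connecting IP of each Received: header, in header order (closest first)."""
    return [m.group(1) for h in received_headers for m in [_IP_RE.search(h)] if m]


def last_external(ips, trusted_networks):
    """First hop, walking down from our MX, whose IP is not in a trusted network."""
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in trusted_networks):
            return ip
    return None


def dnsbl_query_name(ip, zone=RBL_ZONE):
    """Reverse the octets and append the zone, as a real DNSBL lookup does."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def evaluate(received_headers, trusted_networks, lookup):
    """Return (last_external_ip, {rule_name: hit}) for one message."""
    ips = received_ips(received_headers)
    ext = last_external(ips, trusted_networks)
    untrusted = [ip for ip in ips
                 if not any(ipaddress.ip_address(ip) in n for n in trusted_networks)]
    hits = {}
    for rule, (scope, pattern) in RULES.items():
        candidates = untrusted if scope == "all" else ([ext] if ext else [])
        pat = re.compile(pattern)
        hits[rule] = any(pat.match(code)
                         for ip in candidates
                         for code in lookup(dnsbl_query_name(ip)))
    return ext, hits


if __name__ == "__main__":
    ext, hits = evaluate(SAMPLE_RECEIVED, TRUSTED_NETWORKS, mock_dns)
    print("last external relay:", ext)
    for rule, hit in hits.items():
        print(f"{rule:16s} {'HIT' if hit else '-'}")
```

Run as-is, the stock `RCVD_IN_XBL` stays quiet because the only IP it queries is the partner relay, while `RCVD_IN_XBL_ALL` fires on the dynamic origin IP three hops down, which is exactly the false-positive pattern described at the top of the thread. Widening `TRUSTED_NETWORKS` to cover the partner relay moves the last-external hop down to the dynamic IP and makes the stock rule fire too, which is why a wrong trust path shows up as "XBL hits on legitimate mail".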