spamassassin-users mailing list archives

From Stan Hoeppner <s...@hardwarefreak.com>
Subject Re: Strange URIBL_SBL false positive?
Date Thu, 17 Oct 2013 18:27:57 GMT
On 10/17/2013 10:55 AM, Axb wrote:
> On 10/17/2013 05:41 PM, Stan Hoeppner wrote:
>> This is what Neil meant by the "deeper dive".  Again, the URIBL_SBL test
>> isn't responsible for this behavior.  Spamhaus is.  Thus you can't
>> create a separate rule to do this "deeper diving".  Spamhaus is doing
>> it, automagically, and it will continue to do so with the current
>> URIBL_SBL rule, whether you like it or not (or until enough customers
>> complain I guess).
> Stan,
> 
> Spamhaus did nothing other than publishing an IP with a karma
> 
> Let's get the terms right
> SA did a query using eval:check_uridnsbl, which means:
> 
> Is the domain's NS IP listed in SBL?
> sbl.spamhaus.org replied with yes...
> rule hit

I may be misreading it, but it seems to suggest that's only true if
version < 3.004.  If greater, then the check is for the A record, not
the NS IPs.  Or is this version of 25_uribl.cf out of date?

http://svn.apache.org/repos/asf/spamassassin/trunk/rules/25_uribl.cf


###########################################################################
## Spamhaus

uridnssub       URIBL_SBL        zen.spamhaus.org.       A   127.0.0.2
body            URIBL_SBL        eval:check_uridnsbl('URIBL_SBL')
describe        URIBL_SBL        Contains an URL's NS IP listed in the SBL blocklist
tflags          URIBL_SBL        net
reuse           URIBL_SBL

if (version >= 3.004000)
  ifplugin Mail::SpamAssassin::Plugin::URIDNSBL

    uridnsbl        URIBL_SBL_A    sbl.spamhaus.org.   A
    body            URIBL_SBL_A    eval:check_uridnsbl('URIBL_SBL_A')
    describe        URIBL_SBL_A    Contains URL's A record listed in the SBL blocklist
    tflags          URIBL_SBL_A    net a
  endif
endif

> Spamhaus' FAQ is incorrect:
> 
> http://www.spamhaus.org/faq/section/Spamhaus%20SBL#270
> 
> I hear the SBL can also block domains, how? What is "URIBL_SBL"?
>     Yes, the SBL can also be used as a URI Blocklist and is particularly
> effective in this role. In tests, over 60% of spam was found to contain
> URIs (links to web sites) whose webserver IPs were listed on the SBL.
> SpamAssassin, for example, includes a feature called URIBL_SBL for this
> purpose. The technique involves resolving the URI's domain to an IP
> address and checking that against the SBL zone.
> 
> I'll try to get this corrected...
> 
> h2h

-- 
Stan
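
Added example (not part of the original message, and not SpamAssassin's own code): a short Python parser over the 25_uribl.cf excerpt quoted above that reports, for each rule, its DNSBL zone, any enclosing version condition, and whether its tflags select an A-record lookup. It assumes, per the URIDNSBL plugin documentation, that a rule without the `a` tflag falls back to the NS lookup; `summarize` and `RULES_CF` are names made up for this example.

```python
# Constructed input: the 25_uribl.cf excerpt quoted in the message above,
# with the e-mail-wrapped "describe" lines left out.
RULES_CF = """\
uridnssub       URIBL_SBL        zen.spamhaus.org.       A   127.0.0.2
body            URIBL_SBL        eval:check_uridnsbl('URIBL_SBL')
tflags          URIBL_SBL        net
reuse           URIBL_SBL

if (version >= 3.004000)
  ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
    uridnsbl        URIBL_SBL_A    sbl.spamhaus.org.   A
    body            URIBL_SBL_A    eval:check_uridnsbl('URIBL_SBL_A')
    tflags          URIBL_SBL_A    net a
  endif
endif
"""


def summarize(cf_text):
    """Return {rule: {zone, gate, lookup}} for each uridnsbl/uridnssub rule."""
    rules, flags, conds = {}, {}, []  # conds: stack of open if/ifplugin lines
    for raw in cf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        tok = line.split()
        if tok[0] in ("if", "ifplugin"):
            conds.append(line)
        elif tok[0] == "endif" and conds:
            conds.pop()
        elif tok[0] in ("uridnsbl", "uridnssub") and len(tok) >= 3:
            # Record the innermost enclosing version condition, if any.
            gate = next((c for c in reversed(conds) if "version" in c), None)
            rules[tok[1]] = {"zone": tok[2].rstrip("."), "gate": gate}
        elif tok[0] == "tflags" and len(tok) >= 2:
            flags.setdefault(tok[1], set()).update(tok[2:])
    for name, rule in rules.items():
        # Assumption (URIDNSBL plugin docs): tflag 'a' selects the URI host's
        # A record; without it the nameservers' (NS) IPs are what gets queried.
        rule["lookup"] = "A" if "a" in flags.get(name, set()) else "NS"
    return rules


if __name__ == "__main__":
    for name, rule in summarize(RULES_CF).items():
        print(f"{name}: zone={rule['zone']} lookup={rule['lookup']} "
              f"gate={rule['gate'] or 'none'}")
```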


