spamassassin-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From RW <rwmailli...@googlemail.com>
Subject Re: dropbox phish
Date Tue, 01 Nov 2016 10:40:28 GMT
On Mon, 31 Oct 2016 21:11:06 -0400
Bill Cole wrote:


> Well, I find this quite useful with very few false positives:
> 
> uridnsbl        URIBL_SBLXBL    sbl-xbl.spamhaus.org.   TXT
> body            URIBL_SBLXBL    eval:check_uridnsbl('URIBL_SBLXBL')
> describe        URIBL_SBLXBL    Contains a URL listed in the SBL/XBL 
>  >blocklist  
> tflags	       URIBL_SBLXBL    	net
> score	          URIBL_SBLXBL    	7
> 
> This check will FP after a fashion when a nominally legitimate
> webserver lands on the CBL because it is infected with something.

In theory this shouldn't work. According to the documentation, by
default, that rule checks the webserver's nameservers.

It seems to be relying on a bug, see: 

 https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7242

 http://www.gossamer-threads.com/lists/spamassassin/users/194944

It's probably firing on either kind of lookup, but in case it ever gets
fixed you should have:

tflags	       URIBL_SBLXBL    	net a


Mime
View raw message