Posted to users@spamassassin.apache.org by Cliff Stanford <cl...@may.be> on 2007/03/06 17:40:26 UTC

Spamhaus Tests

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Some questions:

1.  RCVD_IN_XBL

Why is this only applied by default to -lastexternal rather than all the
  Received: lines?  Surely if any forwarding host is a known exploit, it
should score the same 3.897 ?

2.  RCVD_IN_PBL

This is (IMHO) correctly applied to -lastexternal.  Why is the default
score only 0.001 ?

3.  -lastexternal

The docs for this flag say, "You can select only the external host that
connected to your internal network."  Does this mean that
"trusted_networks" is ignored for this flag and I would need to put the
secondary MXs' IP addresses into "internal_networks" instead?

4.  Lists

Is this the right place or should I have posted this to the dev list
instead?

Many thanks,
Cliff.

- --
Cliff Stanford
Might Limited                           +44 845 0045 666 (Office)
Suite 67, Dorset House                  +44 7973 616 666 (Mobile)
Duke Street, Chelmsford, CM1 1TB
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFF7Zl6fNTx9pWyKfwRAnxFAJ42+uaxKVd9y764iMHUX6Tc6HmhvACcDVK5
liMuRvQlu3/S2NMsGjZfsPw=
=v7sQ
-----END PGP SIGNATURE-----


Re: Spamhaus Tests

Posted by Cliff Stanford <cl...@may.be>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Matt Kettler wrote:

> However, be aware that I'm merely a "helpful community member" and my
> opinions on the list uses are purely non-official.

Thank you, that was all very helpful.

Cliff.

- --
Cliff Stanford
Might Limited                           +44 845 0045 666 (Office)
Suite 67, Dorset House                  +44 7973 616 666 (Mobile)
Duke Street, Chelmsford, CM1 1TB
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFF7slefNTx9pWyKfwRAlWLAKC2w2nH/RL/5ae46huuqcQhhAlE0QCfTdpa
WSAPElhzpKReoQlFPngHZ/Q=
=UoS5
-----END PGP SIGNATURE-----


Re: Spamhaus Tests

Posted by Matt Kettler <mk...@verizon.net>.
Cliff Stanford wrote:
> Some questions:
>
> 1.  RCVD_IN_XBL
>
> Why is this only applied by default to -lastexternal rather than all the
>   Received: lines?  Surely if any forwarding host is a known exploit, it
> should score the same 3.897 ?
The problem here is that XBL will generally consist of home-user IPs.
Those IPs are of hosts known to have been infected with backdoors that
cause spam relaying.

XBL is highly effective if you use it to pick off hosts directly sending
mail to your network, with near zero false positives. Generally home
users use their relays, and spam tools direct deliver.

However, if you apply it to the originating IP, you'll also pick off all
the legitimate mail sent by infected users (or uninfected users who got
reallocated the same IP!). The false positive rate goes up as a result,
and the score of this test would fall as a result.
>
> 2.  RCVD_IN_PBL
>
> This is (IMHO) correctly applied to -lastexternal.  Why is the default
> score only 0.001 ?
I suspect it's not been around long enough to have been subjected to a
mass-check to determine its accuracy. It is also not clear to what
degree it will overlap with the NJABL and SORBS DUL lists, which would
also show up in mass-check. With no detailed information on the accuracy
of the list, or how it interacts with other existing lists, they
probably assigned it this score to start.
>
> 3.  -lastexternal
>
> The docs for this flag say, "You can select only the external host that
> connected to your internal network."  Does this mean that
> "trusted_networks" is ignored for this flag and I would need to put the
> secondary MXs' IP addresses into "internal_networks" instead.
Yes, although be aware that unless you explicitly specify an
internal_networks, the value is copied from trusted_networks.

Most people only need to set trusted_networks, and let internal_networks
copy it. Only a few sites (for example those that need to accept mail
from dialup users) need to make these two lists differ.
>
> 4.  Lists
>
> Is this the right place or should I have posted this to the dev list
> instead?
This is the right place for questions about SA. Even though this touches
a bit on the subject of development, it's really only questions about
the hows and whys of SA's rules. As such, I'd say this is the right list.

Personally, I kind of view the dev list as more of a place to make
specific suggestions. This list is a better place to ask questions,
unless you're really getting into questions that arise from attempts to
implement a new feature in SA. (i.e., if you were writing a new bayes
store for some new kind of database, and had questions about how bayes
stores are used, that would probably be good to post to dev)

However, be aware that I'm merely a "helpful community member" and my
opinions on the list uses are purely non-official.
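The two mechanics discussed in this reply (why XBL is applied only to the -lastexternal relay, and why a secondary MX has to be in internal_networks for -lastexternal to look past it) are easier to see on concrete Received: chains. The following is an added example written for this page, not SpamAssassin's own code: it emulates the relay walk and the check_rbl() lookup in Python with small constructed DNSBL sets in place of the live DNS queries that the real RCVD_IN_XBL and RCVD_IN_PBL rules make. All IP addresses, hostnames and header lines are constructed, the XBL/PBL contents are assumed, and the emulation ignores SA's other check_rbl modifiers (such as -notfirsthop).

```python
import ipaddress
import re

# Constructed DNSBL contents standing in for live lookups; the real rules
# query xbl.spamhaus.org / pbl.spamhaus.org over DNS.
XBL = {"198.51.100.7"}                    # home host with a known spam backdoor
PBL = {"198.51.100.7", "198.51.100.20"}   # ISP residential range, policy-listed

# Constructed local configuration, mirroring SpamAssassin's keywords:
#   trusted_networks  192.0.2.0/24 203.0.113.99   # our MX range plus a secondary MX
#   internal_networks 192.0.2.0/24                # only if the admin sets it explicitly
TRUSTED = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("203.0.113.99/32")]
INTERNAL_EXPLICIT = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed header sets.  1: legitimate mail from an infected home PC, relayed
# through the ISP smarthost.  2: the same PC spamming direct-to-MX with a forged
# HELO.  3: the same spam arriving via our secondary MX instead of the primary.
LEGIT_VIA_ISP = [
    "Received: from smtp.isp.example ([203.0.113.5]) by mx.example.net; Tue, 6 Mar 2007 17:40:26 +0000",
    "Received: from home-pc ([198.51.100.7]) by smtp.isp.example; Tue, 6 Mar 2007 17:40:20 +0000",
    "From: someone@isp.example",
]
DIRECT_SPAM = [
    "Received: from mail.big-bank.example ([198.51.100.7]) by mx.example.net; Tue, 6 Mar 2007 17:41:00 +0000",
]
SPAM_VIA_SECONDARY_MX = [
    "Received: from mx2.example.net ([203.0.113.99]) by mx.example.net; Tue, 6 Mar 2007 17:42:10 +0000",
    "Received: from mail.big-bank.example ([198.51.100.7]) by mx2.example.net; Tue, 6 Mar 2007 17:42:05 +0000",
]

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ips(headers):
    """Relay IPs from Received: headers, nearest to us first.  Only the
    bracketed address is used; the name before it is whatever the sender said."""
    ips = []
    for line in headers:
        if line.startswith("Received:"):
            m = RECEIVED_IP.search(line)
            if m:
                ips.append(ipaddress.ip_address(m.group(1)))
    return ips


def in_any(ip, networks):
    return any(ip in net for net in networks)


def effective_internal(trusted, internal=None):
    """internal_networks is copied from trusted_networks unless set explicitly."""
    return trusted if internal is None else internal


def last_external(ips, internal):
    """The -lastexternal relay: walking outward from our own host, the first
    relay not in internal_networks, i.e. the host that connected to us."""
    for ip in ips:
        if not in_any(ip, internal):
            return ip
    return None


def check_rbl(headers, listing, trusted, internal=None, lastexternal=True):
    """Emulate check_rbl(): with -lastexternal only the connecting host is looked
    up; without it every relay outside trusted_networks is.  Returns listed IPs."""
    ips = relay_ips(headers)
    if lastexternal:
        ip = last_external(ips, effective_internal(trusted, internal))
        return [str(ip)] if ip is not None and str(ip) in listing else []
    return [str(ip) for ip in ips if not in_any(ip, trusted) and str(ip) in listing]


if __name__ == "__main__":
    print("XBL, legit via ISP, -lastexternal :", check_rbl(LEGIT_VIA_ISP, XBL, TRUSTED))
    print("XBL, legit via ISP, all relays    :", check_rbl(LEGIT_VIA_ISP, XBL, TRUSTED, lastexternal=False))
    print("XBL, direct-to-MX spam            :", check_rbl(DIRECT_SPAM, XBL, TRUSTED))
    print("XBL, via 2nd MX, internal copied  :", check_rbl(SPAM_VIA_SECONDARY_MX, XBL, TRUSTED))
    print("XBL, via 2nd MX, internal explicit:", check_rbl(SPAM_VIA_SECONDARY_MX, XBL, TRUSTED, internal=INTERNAL_EXPLICIT))
    print("PBL, direct-to-MX spam            :", check_rbl(DIRECT_SPAM, PBL, TRUSTED))
```

The first two calls show the false-positive trade-off from question 1: with -lastexternal the infected user's legitimate mail through the ISP smarthost is clean, while checking every relay flags it on the home IP. The last two XBL calls show question 3: when internal_networks is left to copy trusted_networks the secondary MX is stepped over and the spam source is found, but an explicit internal_networks that omits the secondary MX makes the secondary MX itself the "last external" host and the listing is never consulted. A separate reason to prefer the connecting host is that any Received: line below the first trusted hop was written by a machine you do not control and can be forged outright.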