Posted to users@spamassassin.apache.org by Marc Perkel <ma...@perkel.com> on 2007/08/21 23:03:30 UTC

Need a plugin written relating to black/white/yellow lists

I'd like to get some people to take an idea that I've been using 
successfully for a long time that I would like to see implemented in SA. 
I'm doing it mostly with Exim rules and generating these lists in some 
unusual ways. But if this were done right it would make SA a lot faster 
and more accurate.

Here's a link to an overview of my lists:

http://wiki.ctyme.com/index.php/Spam_DNS_Lists

But - ultimately my lists would be replaced by a more massive public 
list that would be done better than what I started. I'd like a plugin 
written or someone who understands the rules better than me to build on 
these ideas. What I have is my hostkarma list which returns different 
code depending on the reputation of the sending host.

Before you look at this as just another blacklist - the real power is in 
the white and yellow lists. First - an overview. My list returns these 
codes:

    * 127.0.0.1 - whitelist - trusted nonspam
    * 127.0.0.2 - blacklist - block spam
    * 127.0.0.3 - yellowlist - mix of spam and nonspam
    * 127.0.0.4 - brownlist - all spam - but not yet enough to blacklist

The idea here is that white short circuit to HAM and could be 
autolearned. Yellow is for mixed source hosts like Hotmail, Yahoo, etc 
that should never be blacklisted. This is important because if a host is 
yellow listed then you skip all blacklist tests and move on to other 
tests. This will allow you to avoid testing to see if Yahoo hosts are 
blacklisted. Brown listing is a host not bad enough to be blacklisted 
but still worth a point or so.

My list has about 275k black, 300k brown, 20k yellow, and 6k white. So I 
have some useful data.  Here's some rules to use it now but I'd like to 
see someone smarter than me improve these to do it right.

header __RCVD_IN_JMFILTER eval:check_rbl('JMFILTER','hostkarma.junkemailfilter.com.')
describe __RCVD_IN_JMFILTER Sender listed in JMFILTER
tflags __RCVD_IN_JMFILTER net 

header RCVD_IN_JMFILTER_W eval:check_rbl_sub('JMFILTER', '127.0.0.1')
describe RCVD_IN_JMFILTER_W Sender listed in JMFILTER-WHITE
tflags RCVD_IN_JMFILTER_W net nice
score RCVD_IN_JMFILTER_W -5

header RCVD_IN_JMFILTER_B eval:check_rbl_sub('JMFILTER', '127.0.0.2')
describe RCVD_IN_JMFILTER_B Sender listed in JMFILTER-BLACK
tflags RCVD_IN_JMFILTER_B net
score RCVD_IN_JMFILTER_B 4.0

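# Brown list needs its own rule name; reusing RCVD_IN_JMFILTER_B would override the black rule above
header RCVD_IN_JMFILTER_BR eval:check_rbl_sub('JMFILTER', '127.0.0.4')
describe RCVD_IN_JMFILTER_BR Sender listed in JMFILTER-BROWN
tflags RCVD_IN_JMFILTER_BR net
score RCVD_IN_JMFILTER_BR 1.0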


What it needs is if it's white then we short circuit to call it ham and 
skip other tests. The white list is very accurate and it's not hard to 
get a good whitelist. The yellow list is also very good. The idea here 
is to stop all other blacklist tests after a yellow list. I don't know 
how to do that in SA.

Then - like the black lists - these lists can be enhanced by people 
sharper than me. And instead of me hosting it someone can do it right, 
or better than me.

So - the point - this works for me - lets make it better. Who's interested?



Re: Need a plugin written relating to black/white/yellow lists

Posted by Loren Wilton <lw...@earthlink.net>.
> header __RCVD_IN_JMFILTER eval:check_rbl('JMFILTER','hostkarma.junkemailfilter.com.')
> describe __RCVD_IN_JMFILTER Sender listed in JMFILTER
> tflags __RCVD_IN_JMFILTER net
>
> header RCVD_IN_JMFILTER_W eval:check_rbl_sub('JMFILTER', '127.0.0.1')
> describe RCVD_IN_JMFILTER_W Sender listed in JMFILTER-WHITE
> tflags RCVD_IN_JMFILTER_W net nice
> score RCVD_IN_JMFILTER_W -5
>
> header RCVD_IN_JMFILTER_B eval:check_rbl_sub('JMFILTER', '127.0.0.2')
> describe RCVD_IN_JMFILTER_B Sender listed in JMFILTER-BLACK
> tflags RCVD_IN_JMFILTER_B net
> score RCVD_IN_JMFILTER_B 4.0
>
> header RCVD_IN_JMFILTER_B eval:check_rbl_sub('JMFILTER', '127.0.0.4')
> describe RCVD_IN_JMFILTER_B Sender listed in JMFILTER-BROWN
> tflags RCVD_IN_JMFILTER_B net
> score RCVD_IN_JMFILTER_B 1.0
>
> What it needs is if it's white then we short circuit to call it ham and
> skip other tests. The white list is very accurate and it's not hard to
> get a good whitelist. The yellow list is also very good. The idea here
> is to stop all other blacklist tests after a yellow list. I don't know
> how to do that in SA.

The first part is easy with the more recent SA releases.  Justin put in the 
short-circuit logic.  Give your white rule a high priority so that it runs 
first (which is actually a negative number).  Then flag it as a short circuit 
rule, which I think is done in tflags; but I've never done it so I'm not 
positive on that.

Since it's also a net rule I'm not positive that it will run all that 
firstly, because I think there is some strange interaction with delayed net 
results and when normal rules run.  But maybe the priority combined with a 
short circuit flag will hold off the normal rules until the results of this 
rule are in.  It would be worth doing it that way.

I can't think of a good way to make your yellow list or maybe even the brown 
list hold off all possible blacklists.  Probably don't want to anyway -- if 
someone has personally blacklisted host X, they probably want it 
blacklisted.

The not-so-good way is to build a meta test to back out the results of any 
blacklist hit if the yellow list is also hit.  Which isn't all that 
wonderful, since blacklists have different scores, so it will take a bunch 
of metas.

In theory the yellow list could be given a priority higher than all of the 
blacklists, and then it could short circuit at that point.  That would 
require assigning a relatively low priority to all the blacklist rules. 
Maybe that would be good, maybe not.  It would be a bunch of work though. 
OTOH, blacklist net rules don't change all that often, so it might be 
reasonably feasible to do.

It might be nice if there were a way to specify 'priority groups' for rules. 
This wouldn't affect the priority of the rule or the score of the rule under 
normal conditions, but you would be able to say "this short-circuit rule 
must run before rule group X".  In effect this would make the rule group an 
implicit meta on the short-circuit rule, pushing that rule ahead of the 
evaluation of the other rules.

But at least half the puzzle has a fix now.

        Loren



Re: Need a plugin written relating to black/white/yellow lists

Posted by John Rudd <jr...@ucsc.edu>.
Marc Perkel wrote:
> 
> 
> John Rudd wrote:
>> Loren Wilton wrote:
>>>> the last byte of the return is a number from 1-255.  This is the hosts
>>>
>>>> 1 means "not only have we never seen ham come from this host, it has 
>>>> all kinds of danger signals that indicate you shouldn't ever trust 
>>>> them to do anything useful".
>>>
>>> You probably really need one bit somewhere that says "this is a 
>>> client PC" or something like that.
>>>
>>> If you think about it, the average home PC that is a zombie sends 
>>> absolutely nothing but spam to everyone but its owning ISP, so 
>>> deserves a 1 rating by your posited rule.  But the owning ISP also 
>>> see actual legit mail from the clueless owner of the system that has 
>>> no idea that the PC is sending zillions of spam messages every second 
>>> while he is uploading pictures from his most recent party.  So the 
>>> owning ISP will want to rate that PC as somewhere between 255 and 2.
>>>
>>> There needs to be some way to resolve the fact that one major ISP 
>>> sees this as a slightly valid system, but everyone else sees it as 
>>> absolute junk.
>>
>> I think this is already a solved problem.
>>
>> Most MTAs already have an ability to whitelist local/client IPs.  So, 
>> the bit in question wouldn't be necessary.  You tell Sendmail, via the 
>> access file, that this is an "OK" block of network addresses, and use 
>> delayed checks for RBLs ... now sendmail won't block those addresses. 
>> With CGP, you tell CGP that it's a "client" address range, and same 
>> thing (or, if you do this via a CGP plugin, then you only submit 
>> messages to the CGP plugin if they're "not trusted").
>>
>> I would imagine that postfix, qmail, etc., all have similar constructs 
>> ... otherwise, they're extremely deficient in their RBL handling.
>>
>>
>> For SA, if I were to write a plugin for this type of thing, it 
>> wouldn't trigger against IPs that are in my trusted_networks.
>>
> 
> One feature that would be nice is to take advantage of the yellow 
> listing in my hostkarma dns list. Yellow listing means that the source 
> is a mixed source that sends some spam. (yahoo, hotmail, gmail) and the 
> idea is that if it is yellow listed to stop checking other blacklists. 
> This reduces false positives and reduces network calls.
> 
> It is my hope that someone steal my idea of doing these lists the way I 
> do and do a better job of it than me. I have some really simple ways of 
> generating these lists that are extremely accurate.
> 


A host you would yellow list would be a host that would show up in this 
proposed list with a middling score, I think.  I don't think there'd be 
any other need to link the two concepts.



Re: Need a plugin written relating to black/white/yellow lists

Posted by Marc Perkel <ma...@perkel.com>.

John Rudd wrote:
> Loren Wilton wrote:
>>> the last byte of the return is a number from 1-255.  This is the hosts
>>
>>> 1 means "not only have we never seen ham come from this host, it has 
>>> all kinds of danger signals that indicate you shouldn't ever trust 
>>> them to do anything useful".
>>
>> You probably really need one bit somewhere that says "this is a 
>> client PC" or something like that.
>>
>> If you think about it, the average home PC that is a zombie sends 
>> absolutely nothing but spam to everyone but its owning ISP, so 
>> deserves a 1 rating by your posited rule.  But the owning ISP also 
>> see actual legit mail from the clueless owner of the system that has 
>> no idea that the PC is sending zillions of spam messages every second 
>> while he is uploading pictures from his most recent party.  So the 
>> owning ISP will want to rate that PC as somewhere between 255 and 2.
>>
>> There needs to be some way to resolve the fact that one major ISP 
>> sees this as a slightly valid system, but everyone else sees it as 
>> absolute junk.
>
> I think this is already a solved problem.
>
> Most MTAs already have an ability to whitelist local/client IPs.  So, 
> the bit in question wouldn't be necessary.  You tell Sendmail, via the 
> access file, that this is an "OK" block of network addresses, and use 
> delayed checks for RBLs ... now sendmail won't block those addresses. 
> With CGP, you tell CGP that it's a "client" address range, and same 
> thing (or, if you do this via a CGP plugin, then you only submit 
> messages to the CGP plugin if they're "not trusted").
>
> I would imagine that postfix, qmail, etc., all have similar constructs 
> ... otherwise, they're extremely deficient in their RBL handling.
>
>
> For SA, if I were to write a plugin for this type of thing, it 
> wouldn't trigger against IPs that are in my trusted_networks.
>

One feature that would be nice is to take advantage of the yellow 
listing in my hostkarma dns list. Yellow listing means that the source 
is a mixed source that sends some spam. (yahoo, hotmail, gmail) and the 
idea is that if it is yellow listed to stop checking other blacklists. 
This reduces false positives and reduces network calls.

It is my hope that someone steal my idea of doing these lists the way I 
do and do a better job of it than me. I have some really simple ways of 
generating these lists that are extremely accurate.


Re: Need a plugin written relating to black/white/yellow lists

Posted by John Rudd <jr...@ucsc.edu>.
Loren Wilton wrote:
>> the last byte of the return is a number from 1-255.  This is the hosts
> 
>> 1 means "not only have we never seen ham come from this host, it has 
>> all kinds of danger signals that indicate you shouldn't ever trust 
>> them to do anything useful".
> 
> You probably really need one bit somewhere that says "this is a client 
> PC" or something like that.
> 
> If you think about it, the average home PC that is a zombie sends 
> absolutely nothing but spam to everyone but its owning ISP, so deserves 
> a 1 rating by your posited rule.  But the owning ISP also see actual 
> legit mail from the clueless owner of the system that has no idea that 
> the PC is sending zillions of spam messages every second while he is 
> uploading pictures from his most recent party.  So the owning ISP will 
> want to rate that PC as somewhere between 255 and 2.
> 
> There needs to be some way to resolve the fact that one major ISP sees 
> this as a slightly valid system, but everyone else sees it as absolute 
> junk.

I think this is already a solved problem.

Most MTAs already have an ability to whitelist local/client IPs.  So, 
the bit in question wouldn't be necessary.  You tell Sendmail, via the 
access file, that this is an "OK" block of network addresses, and use 
delayed checks for RBLs ... now sendmail won't block those addresses. 
With CGP, you tell CGP that it's a "client" address range, and same 
thing (or, if you do this via a CGP plugin, then you only submit 
messages to the CGP plugin if they're "not trusted").

I would imagine that postfix, qmail, etc., all have similar constructs 
... otherwise, they're extremely deficient in their RBL handling.


For SA, if I were to write a plugin for this type of thing, it wouldn't 
trigger against IPs that are in my trusted_networks.

Re: Need a plugin written relating to black/white/yellow lists

Posted by Loren Wilton <lw...@earthlink.net>.
> the last byte of the return is a number from 1-255.  This is the hosts

> 1 means "not only have we never seen ham come from this host, it has all 
> kinds of danger signals that indicate you shouldn't ever trust them to do 
> anything useful".

You probably really need one bit somewhere that says "this is a client PC" 
or something like that.

If you think about it, the average home PC that is a zombie sends absolutely 
nothing but spam to everyone but its owning ISP, so deserves a 1 rating by 
your posited rule.  But the owning ISP also sees actual legit mail from the 
clueless owner of the system that has no idea that the PC is sending 
zillions of spam messages every second while he is uploading pictures from 
his most recent party.  So the owning ISP will want to rate that PC as 
somewhere between 255 and 2.

There needs to be some way to resolve the fact that one major ISP sees this 
as a slightly valid system, but everyone else sees it as absolute junk.

        Loren



Re: Need a plugin written relating to black/white/yellow lists

Posted by John Rudd <jr...@ucsc.edu>.
Bret Miller wrote:
>> Before you look at this as just another blacklist - the real 
>> power is in the white and yellow lists. First - an overview. 
>> My list returns these codes:
>>
>> * 127.0.0.1 - whitelist - trusted nonspam
>> * 127.0.0.2 - blacklist - block spam
>> * 127.0.0.3 - yellowlist - mix of spam and nonspam
>> * 127.0.0.4 - brownlist - all spam - but not yet enough to blacklist
> 
> And hotmail.com warrants being blacklisted?? Ouch.
> 
> I do like the idea of white and yellow lists. If I could just get
> CommuniGate to add the ability to use it...

CommuniGate has whitelisting, but it has to be a local list.

Though, if you did your whitelist/blacklist/etc. check in a plugin, 
using synchronous rules, then you could do it however you want.


Though, what I really want to see in the DNS-list arena is not another 
blacklist/etc.  I want to see an open reputation list.

Think of it like this:

the last byte of the return is a number from 1-255.  This is the host's 
reputation.   128 means completely neutral.  255 means "perfectly spam 
free, no danger signs, no worries that this host is sending you spam". 
1 means "not only have we never seen ham come from this host, it has all 
kinds of danger signals that indicate you shouldn't ever trust them to 
do anything useful".


From there, it's up to YOU what levels of result you want to use for 
rejecting during SMTP or marking as spam, etc.  Do you want to reject 
messages whose reputation is lower than 64, and assign different levels 
of spam score for reputations from 65-128?  It just becomes config 
options in your MTA and SA checks.


Things that would likely go into the reputation score:

* long term overall message rate (have we NEVER seen any messages from 
this IP before? might be an indication of a fresh zombie)
* short term overall message rate (sudden spike in message throughput 
might be an indication of a spam or joe-job flood from a previously good 
mail relay)
* long term history of spam or viruses coming from this host (percentage 
of spam+viruses/all-messages in the last year or two)
* short term history of spam or viruses coming from this host 
(percentage of spam+viruses/all-messages in the last week)
* DNS A and PTR checks (the stuff Botnet does)
* MX record checks
* DNS TTL checks
* DNS registrar reputation

Perhaps other things.

And, it could be used not just on IP address lookups, but also for URIBL 
lookups (what is the reputation of this URL?), and mail domain lookups 
(so, looking up the sender's mail domain and getting a reputation for 
that mail domain).


The main roadblock here is: exact score generation formula, and 
gathering the data to build the score database.  The closed reputation 
lists get this data by basically having their anti-spam appliances 
aggregate data and report it back to the home office (Ironport, 
Proofpoint, etc., all have reputation list features).  So, you'd have to 
build a network of reporting entities, and each reporting entity would 
ALSO need to have a reputation (so that you can eliminate both the 
spammers trying to artificially give good reputations, and eliminate the 
zealots trying to lower reputations of good but commercial senders).



Re: Need a plugin written relating to black/white/yellow lists

Posted by Matt Kettler <mk...@verizon.net>.
Marc Perkel wrote:
>
>
> Bret Miller wrote:
>> OK... but the rules you supplied for SpamAssassin did exactly that--
>> they looked back at all the received headers and X-Original-IP and
>> tested them against the lists. Add a -lastexternal to the set name to
>> get only the last IP outside your network.
>>  
>> Bret
>>  
>
> Not familiar with -lastexternal - can you give an example?
>
grep lastexternal 20_dnsbl_tests.cf


header RCVD_IN_SORBS_DUL        eval:check_rbl('sorbs-lastexternal', 'dnsbl.sorbs.net.', '127.0.0.10')
header RCVD_IN_XBL              eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.', '127.0.0.[45678]')
header RCVD_IN_PBL              eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.', '127.0.0.1[01]')
header RCVD_IN_WHOIS_INVALID    eval:check_rbl('whois-lastexternal', 'combined-HIB.dnsiplists.completewhois.com.', '127.0.0.4')
header RCVD_IN_DSBL             eval:check_rbl_txt('dsbl-lastexternal', 'list.dsbl.org.', '(?i:dsbl)')
header RCVD_IN_MAPS_DUL         eval:check_rbl('dialup-lastexternal', 'dialups.mail-abuse.org.')
#header RCVD_IN_MAPS_DUL        eval:check_rbl('rblplus-lastexternal', 'rbl-plus.mail-abuse.org.', '2')



Basically, SA takes a cue from the suffix appended to the "set name" of
the RBL. There's a couple different suffixes you can use with different
effects, but only lastexternal is documented in the man
Mail::SpamAssassin::Conf page, so I'd not rely on the others sticking
around. (SA also uses -firsttrusted, and -untrusted, and you can see
them implemented in DNSEval.pm)

RE: Need a plugin written relating to black/white/yellow lists

Posted by Bret Miller <br...@wcg.org>.
From: Marc Perkel [mailto:marc@perkel.com]
> Bret Miller wrote:
>> From: Marc Perkel [mailto:marc@perkel.com]
>> Bret Miller wrote:
>>> Bret Miller wrote:
>>>>> * 127.0.0.1 - whitelist - trusted nonspam
>>>>> * 127.0.0.2 - blacklist - block spam
>>>>> * 127.0.0.3 - yellowlist - mix of spam and nonspam
>>>>> * 127.0.0.4 - brownlist - all spam - but not yet enough to blacklist
>>>>>
>>>>> And hotmail.com warrants being blacklisted?? Ouch.
>>>>>
>>>>> I do like the idea of white and yellow lists. If I could just get
>>>>> CommuniGate to add the ability to use it...
>>>>>
>>>>> Hotmail would be yellow listed.
>>>>
>>>> My headers say RCVD_IN_JMF_BL, the rule says:
>>>>
>>>> header RCVD_IN_JMF_BL eval:check_rbl_sub('JMF', '127.0.0.2')
>>>> describe RCVD_IN_JMF_BL Sender listed in JMF-BLACK
>>>> tflags RCVD_IN_JMF_BL net
>>>> score RCVD_IN_JMF_BL 1.0
>>>>
>>>> And here are the headers:
>>>>
>>>> X-Spam-Tests: tests=AWL=0.782,BAYES_00=-2.599,EXTRA_MPART_TYPE=1,
>>>>   FH_RELAY_NODNS=1.451,HTML_MESSAGE=0.001,PART_CID_STOCK=1.635,RCVD_IN_JMF_BL=1,
>>>>   RCVD_IN_MXRATE_WL=-2,RDNS_NONE=0.1,T_TVD_FW_GRAPHIC_ID1=0.01;autolearn=no
>>>> X-Spam-Score: 1.4
>>>> X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on mail.hq.wcg.org
>>>> X-Spam-Level: +
>>>> X-TFF-CGPSA-Version: 1.6a5
>>>> X-WCG-CGPSA-Filter: Scanned
>>>> Return-Path: <tr...@hotmail.com>
>>>> Received: from [65.54.246.239] (HELO bay0-omc3-s39.bay0.hotmail.com)
>>>>   by mail.wcg.org (CommuniGate Pro SMTP 5.1.11)
>>>>   with ESMTP id 22324864 for xxxx@wcg.org; Mon, 27 Aug 2007 11:29:31 -0700
>>>> Received: from hotmail.com ([65.55.130.13]) by
>>>>   bay0-omc3-s39.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668);
>>>>   Mon, 27 Aug 2007 11:29:16 -0700
>>>> Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
>>>>   Mon, 27 Aug 2007 11:29:15 -0700
>>>> Message-ID: <BA...@phx.gbl>
>>>> Received: from 71.110.94.199 by BAY125-DAV3.phx.gbl with DAV;
>>>>   Mon, 27 Aug 2007 18:29:10 +0000
>>>> X-Originating-IP: [71.110.94.199]
>>>> X-Originating-Email: [trinitycommonground@hotmail.com]
>>>> X-Sender: trinitycommonground@hotmail.com
>>>> From: " Common Ground" <tr...@hotmail.com>
>>>> To: <xxxx>
>>>> Subject: Back to School Blessings
>>>> Date: Mon, 27 Aug 2007 11:29:09 -0700
>>>> MIME-Version: 1.0
>>>> Content-Type: multipart/related;
>>>>   boundary="----=_NextPart_000_0023_01C7E89D.7C72B430";
>>>>   type="multipart/alternative"
>>>> X-Priority: 3
>>>> X-MSMail-Priority: Normal
>>>> X-Mailer: Microsoft Outlook Express 6.00.2900.3138
>>>> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138
>>>> X-OriginalArrivalTime: 27 Aug 2007 18:29:15.0665 (UTC)
>>>>   FILETIME=[2C450810:01C7E8D8]
>>>> Return-Path: trinitycommonground@hotmail.com
>>>>
>>>> To me, this equals hotmail is on the black list.
>>>>
>>>> Bret
>>>
>>> Something is odd. That IP isn't in any of my lists.
>>>
>>> Indeed. The problem is the rule, not the list. The check looks back at
>>> all IPs in the path, including the X-Originating-IP headers. So, "[2860]
>>> dbg: dns: hit <dns:199.94.110.71.hostkarma.junkemailfilter.com> 127.0.0.2"
>>> is what SA says is the problem. I guess I need to look at fixing it so it
>>> scans only the last external...
>>>
>>> Bret
>>
>> I did some experimenting a while back looking at all the received IP
>> addresses and got too many false positives. I had to give up on the idea
>> because it didn't work.
>>
>> OK... but the rules you supplied for SpamAssassin did exactly that-- they
>> looked back at all the received headers and X-Original-IP and tested them
>> against the lists. Add a -lastexternal to the set name to get only the
>> last IP outside your network.
>>
>> Bret
>
> Not familiar with -lastexternal - can you give an example?

I think, as I read in the configuration docs, that you'd do it like this:

header __RCVD_IN_JMF eval:check_rbl('JMF-lastexternal','hostkarma.junkemailfilter.com.')
describe __RCVD_IN_JMF Sender listed in JunkEmailFilter
tflags __RCVD_IN_JMF net

header RCVD_IN_JMF_W eval:check_rbl_sub('JMF-lastexternal', '127.0.0.1')
describe RCVD_IN_JMF_W Sender listed in JMF-WHITE
tflags RCVD_IN_JMF_W net nice
score RCVD_IN_JMF_W -5

header RCVD_IN_JMF_BL eval:check_rbl_sub('JMF-lastexternal', '127.0.0.2')
describe RCVD_IN_JMF_BL Sender listed in JMF-BLACK
tflags RCVD_IN_JMF_BL net
score RCVD_IN_JMF_BL 1.0

header RCVD_IN_JMF_BR eval:check_rbl_sub('JMF-lastexternal', '127.0.0.4')
describe RCVD_IN_JMF_BR Sender listed in JMF-BROWN
tflags RCVD_IN_JMF_BR net
score RCVD_IN_JMF_BR 0.5
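
The difference between checking every relay and checking only the last external one, as an added example that is not code from any poster or from SpamAssassin. It runs over the Received and X-Originating-IP headers quoted in the thread. The function names, the offline answer table and the simplified last-external selection (first Received hop outside `internal_nets`) are assumptions; SpamAssassin itself derives that hop from its trusted and internal network settings.

```python
import email
import ipaddress
import re

ZONE = "hostkarma.junkemailfilter.com"
# Return codes as listed in the first post of the thread.
CODES = {"127.0.0.1": "white", "127.0.0.2": "black",
         "127.0.0.3": "yellow", "127.0.0.4": "brown"}

# Received and X-Originating-IP headers from the message quoted in the thread
# (folding whitespace restored so the parser sees continuation lines).
SAMPLE_HEADERS = """\
Received: from [65.54.246.239] (HELO bay0-omc3-s39.bay0.hotmail.com)
  by mail.wcg.org (CommuniGate Pro SMTP 5.1.11)
  with ESMTP id 22324864 for xxxx@wcg.org; Mon, 27 Aug 2007 11:29:31 -0700
Received: from hotmail.com ([65.55.130.13]) by
 bay0-omc3-s39.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668);
\t Mon, 27 Aug 2007 11:29:16 -0700
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
\t Mon, 27 Aug 2007 11:29:15 -0700
Received: from 71.110.94.199 by BAY125-DAV3.phx.gbl with DAV;
\tMon, 27 Aug 2007 18:29:10 +0000
X-Originating-IP: [71.110.94.199]

"""

# Offline stand-in for DNS: the one answer shown in the thread's debug line.
# Every other name is treated as "not listed" (assumption for this example).
SAMPLE_ANSWERS = {"199.94.110.71." + ZONE: "127.0.0.2"}

IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")


def _ips(text):
    """Return the syntactically valid IPv4 addresses found in text, in order."""
    found = []
    for candidate in IPV4.findall(text):
        try:
            ipaddress.IPv4Address(candidate)
        except ValueError:
            continue
        found.append(candidate)
    return found


def relay_ips(msg):
    """IP from the 'from' clause of each Received header, newest hop first."""
    relays = []
    for value in msg.get_all("Received", []):
        clause = re.match(r"\s*from\s+(.*?)\s+by\s", value, re.S)
        if clause:
            relays.extend(_ips(clause.group(1))[:1])
    return relays


def candidate_ips(raw_headers, mode, internal_nets=()):
    """IPs a DNSBL rule would query: every hop ('all') or one ('lastexternal')."""
    if mode not in ("all", "lastexternal"):
        raise ValueError("mode must be 'all' or 'lastexternal'")
    msg = email.message_from_string(raw_headers)
    relays = relay_ips(msg)
    if mode == "lastexternal":
        nets = [ipaddress.ip_network(n) for n in internal_nets]
        for ip in relays:
            if not any(ipaddress.ip_address(ip) in net for net in nets):
                return [ip]  # first hop that is not one of our own hosts
        return []
    # 'all' also includes the webmail client address, as described in the thread.
    extra = _ips(msg.get("X-Originating-IP", ""))
    return list(dict.fromkeys(relays + extra))


def dnsbl_name(ip, zone=ZONE):
    """Reverse the octets and append the zone, e.g. 1.2.3.4 -> 4.3.2.1.zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def check(raw_headers, mode, lookup=SAMPLE_ANSWERS.get, internal_nets=()):
    """Map each listed IP to its colour; unlisted IPs are left out."""
    hits = {}
    for ip in candidate_ips(raw_headers, mode, internal_nets):
        answer = lookup(dnsbl_name(ip))
        if answer in CODES:
            hits[ip] = CODES[answer]
    return hits


if __name__ == "__main__":
    print("all relays:   ", check(SAMPLE_HEADERS, "all"))
    print("last external:", check(SAMPLE_HEADERS, "lastexternal"))
```

In "all" mode the sender's home address behind Hotmail produces the black hit; in "lastexternal" mode only the Hotmail relay that connected to the receiving server is queried.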


Re: Need a plugin written relating to black/white/yellow lists

Posted by Marc Perkel <ma...@perkel.com>.

Bret Miller wrote:
>  
>
>     *From:* Marc Perkel [mailto:marc@perkel.com]
>     Bret Miller wrote:
>>
>>         Bret Miller wrote:
>>>>         * 127.0.0.1 - whitelist - trusted nonspam
>>>>         * 127.0.0.2 - blacklist - block spam
>>>>         * 127.0.0.3 - yellowlist - mix of spam and nonspam
>>>>         * 127.0.0.4 - brownlist - all spam - but not yet enough to blacklist
>>>>         		    
>>>>
>>>>         	
>>>>         	And hotmail.com warrants being blacklisted?? Ouch.
>>>>         	
>>>>         	I do like the idea of white and yellow lists. If I 
>>>>         could just get
>>>>         	CommuniGate to add the ability to use it...
>>>>
>>>>         Hotmail would be yellow listed.
>>>>             
>>>
>>>         My headers say RCVD_IN_JMF_BL, the rule says:
>>>
>>>         header RCVD_IN_JMF_BL eval:check_rbl_sub('JMF', '127.0.0.2')
>>>         describe RCVD_IN_JMF_BL Sender listed in JMF-BLACK
>>>         tflags RCVD_IN_JMF_BL net
>>>         score RCVD_IN_JMF_BL 1.0
>>>
>>>         And here are the headers:
>>>
>>>         X-Spam-Tests: tests=AWL=0.782,BAYES_00=-2.599,EXTRA_MPART_TYPE=1,
>>>         	
>>>         FH_RELAY_NODNS=1.451,HTML_MESSAGE=0.001,PART_CID_STOCK=1.635,RCVD_IN_JMF_BL=
>>>         1,
>>>         	
>>>         RCVD_IN_MXRATE_WL=-2,RDNS_NONE=0.1,T_TVD_FW_GRAPHIC_ID1=0.01;autolearn=no
>>>         X-Spam-Score: 1.4
>>>         X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on mail.hq.wcg.org
>>>         X-Spam-Level: +
>>>         X-TFF-CGPSA-Version: 1.6a5
>>>         X-WCG-CGPSA-Filter: Scanned
>>>         Return-Path: <tr...@hotmail.com>
>>>         Received: from [65.54.246.239] (HELO bay0-omc3-s39.bay0.hotmail.com)
>>>           by mail.wcg.org (CommuniGate Pro SMTP 5.1.11)
>>>           with ESMTP id 22324864 for xxxx@wcg.org; Mon, 27 Aug 2007 11:29:31 -0700
>>>         Received: from hotmail.com ([65.55.130.13]) by
>>>         bay0-omc3-s39.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668);
>>>         	 Mon, 27 Aug 2007 11:29:16 -0700
>>>         Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
>>>         	 Mon, 27 Aug 2007 11:29:15 -0700
>>>         Message-ID: <BA...@phx.gbl>
>>>         Received: from 71.110.94.199 by BAY125-DAV3.phx.gbl with DAV;
>>>         	Mon, 27 Aug 2007 18:29:10 +0000
>>>         X-Originating-IP: [71.110.94.199]
>>>         X-Originating-Email: [trinitycommonground@hotmail.com]
>>>         X-Sender: trinitycommonground@hotmail.com
>>>         From: " Common Ground" <tr...@hotmail.com>
>>>         To: <xxxx>
>>>         Subject: Back to School Blessings
>>>         Date: Mon, 27 Aug 2007 11:29:09 -0700
>>>         MIME-Version: 1.0
>>>         Content-Type: multipart/related;
>>>         	boundary="----=_NextPart_000_0023_01C7E89D.7C72B430";
>>>         	type="multipart/alternative"
>>>         X-Priority: 3
>>>         X-MSMail-Priority: Normal
>>>         X-Mailer: Microsoft Outlook Express 6.00.2900.3138
>>>         X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138
>>>         X-OriginalArrivalTime: 27 Aug 2007 18:29:15.0665 (UTC)
>>>         FILETIME=[2C450810:01C7E8D8]
>>>         Return-Path: trinitycommonground@hotmail.com
>>>
>>>         To me, this equals hotmail is on the black list.
>>>
>>>         Bret
>>>           
>>
>>         Something is odd. That IP isn't in any of my lists.
>>          
>>
>>      Indeed. The problem is the rule, not the list. The check looks
>>     back at all IPs in the path, including the X-Originating-IP
>>     headers. So, "[2860] dbg: dns: hit
>>     <dns:199.94.110.71.hostkarma.junkemailfilter.com> 127.0.0.2" is
>>     what SA says is the problem. I guess I need to look at fixing it
>>     so it scans only the last external...
>>      
>>     Bret
>>
>
>     I did some experimenting a while back looking at all the received
>     IP addresses and got too many false positives. I had to give up on
>     the idea because it didn't work.  
>
> OK... but the rules you supplied for SpamAssassin did exactly that-- 
> they looked back at all the received headers and X-Original-IP and 
> tested them against the lists. Add a -lastexternal to the set name to 
> get only the last IP outside your network.
>  
> Bret
>  

Not familiar with -lastexternal - can you give an example?


RE: Need a plugin written relating to black/white/yellow lists

Posted by Bret Miller <br...@wcg.org>.

From: Marc Perkel [mailto:marc@perkel.com]
> Bret Miller wrote:
>> Bret Miller wrote:
>>>> * 127.0.0.1 - whitelist - trusted nonspam
>>>> * 127.0.0.2 - blacklist - block spam
>>>> * 127.0.0.3 - yellowlist - mix of spam and nonspam
>>>> * 127.0.0.4 - brownlist - all spam - but not yet enough to blacklist
>>>>
>>>> And hotmail.com warrants being blacklisted?? Ouch.
>>>>
>>>> I do like the idea of white and yellow lists. If I could just get
>>>> CommuniGate to add the ability to use it...
>>>>
>>>> Hotmail would be yellow listed.
>>>
>>> My headers say RCVD_IN_JMF_BL, the rule says:
>>>
>>> header RCVD_IN_JMF_BL eval:check_rbl_sub('JMF', '127.0.0.2')
>>> describe RCVD_IN_JMF_BL Sender listed in JMF-BLACK
>>> tflags RCVD_IN_JMF_BL net
>>> score RCVD_IN_JMF_BL 1.0
>>>
>>> And here are the headers:
>>>
>>> X-Spam-Tests: tests=AWL=0.782,BAYES_00=-2.599,EXTRA_MPART_TYPE=1,
>>>   FH_RELAY_NODNS=1.451,HTML_MESSAGE=0.001,PART_CID_STOCK=1.635,RCVD_IN_JMF_BL=1,
>>>   RCVD_IN_MXRATE_WL=-2,RDNS_NONE=0.1,T_TVD_FW_GRAPHIC_ID1=0.01;autolearn=no
>>> X-Spam-Score: 1.4
>>> X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on mail.hq.wcg.org
>>> X-Spam-Level: +
>>> X-TFF-CGPSA-Version: 1.6a5
>>> X-WCG-CGPSA-Filter: Scanned
>>> Return-Path: <tr...@hotmail.com>
>>> Received: from [65.54.246.239] (HELO bay0-omc3-s39.bay0.hotmail.com)
>>>   by mail.wcg.org (CommuniGate Pro SMTP 5.1.11)
>>>   with ESMTP id 22324864 for xxxx@wcg.org; Mon, 27 Aug 2007 11:29:31 -0700
>>> Received: from hotmail.com ([65.55.130.13]) by
>>>   bay0-omc3-s39.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668);
>>>   Mon, 27 Aug 2007 11:29:16 -0700
>>> Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
>>>   Mon, 27 Aug 2007 11:29:15 -0700
>>> Message-ID: <BA...@phx.gbl>
>>> Received: from 71.110.94.199 by BAY125-DAV3.phx.gbl with DAV;
>>>   Mon, 27 Aug 2007 18:29:10 +0000
>>> X-Originating-IP: [71.110.94.199]
>>> X-Originating-Email: [trinitycommonground@hotmail.com]
>>> X-Sender: trinitycommonground@hotmail.com
>>> From: " Common Ground" <tr...@hotmail.com>
>>> To: <xxxx>
>>> Subject: Back to School Blessings
>>> Date: Mon, 27 Aug 2007 11:29:09 -0700
>>> MIME-Version: 1.0
>>> Content-Type: multipart/related;
>>>   boundary="----=_NextPart_000_0023_01C7E89D.7C72B430";
>>>   type="multipart/alternative"
>>> X-Priority: 3
>>> X-MSMail-Priority: Normal
>>> X-Mailer: Microsoft Outlook Express 6.00.2900.3138
>>> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138
>>> X-OriginalArrivalTime: 27 Aug 2007 18:29:15.0665 (UTC)
>>>   FILETIME=[2C450810:01C7E8D8]
>>> Return-Path: trinitycommonground@hotmail.com
>>>
>>> To me, this equals hotmail is on the black list.
>>>
>>> Bret
>>
>> Something is odd. That IP isn't in any of my lists.
>>
>> Indeed. The problem is the rule, not the list. The check looks back at
>> all IPs in the path, including the X-Originating-IP headers. So, "[2860]
>> dbg: dns: hit <dns:199.94.110.71.hostkarma.junkemailfilter.com> 127.0.0.2"
>> is what SA says is the problem. I guess I need to look at fixing it so it
>> scans only the last external...
>>
>> Bret
>
> I did some experimenting a while back looking at all the received IP
> addresses and got too many false positives. I had to give up on the idea
> because it didn't work.

OK... but the rules you supplied for SpamAssassin did exactly that-- they
looked back at all the received headers and X-Original-IP and tested them
against the lists. Add a -lastexternal to the set name to get only the
last IP outside your network.

Bret
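
Added example, not part of any post in this thread: the lookup behaviour Bret describes, run over the Received and X-Originating-IP lines of the quoted message (continuation lines joined, dates dropped). The `LISTED` table is a constructed stand-in for DNS that holds only the one hit from the debug line, the function names are hypothetical, and the topmost Received header is assumed to have been written by the receiving server, so its "from" address is the last external relay.

```python
import ipaddress
import re

# Relay lines from the message quoted in this thread, newest hop first
# (continuation lines joined, dates dropped).
HEADERS = """\
Received: from [65.54.246.239] (HELO bay0-omc3-s39.bay0.hotmail.com) by mail.wcg.org (CommuniGate Pro SMTP 5.1.11)
Received: from hotmail.com ([65.55.130.13]) by bay0-omc3-s39.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668);
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
Received: from 71.110.94.199 by BAY125-DAV3.phx.gbl with DAV;
X-Originating-IP: [71.110.94.199]
"""

ZONE = "hostkarma.junkemailfilter.com"
# Constructed stand-in for DNS: only the hit shown in the thread's debug line.
LISTED = {"199.94.110.71." + ZONE: "127.0.0.2"}
IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")

def relay_ips(headers):
    """Return (header name, IP) from Received 'from' clauses and X-Originating-IP."""
    found = []
    for line in headers.splitlines():
        name, _, value = line.partition(":")
        if name == "Received":
            value = value.split(" by ", 1)[0]  # the 'from' clause names the sender
        elif name != "X-Originating-IP":
            continue
        found += [(name, ip) for ip in IPV4.findall(value)]
    return found

def dnsbl_name(ip, zone=ZONE):
    """Reverse the octets and append the zone: 71.110.94.199 -> 199.94.110.71.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def hits(headers, last_external_only):
    """Return sorted (ip, code) pairs for every looked-up IP that is listed."""
    relays = relay_ips(headers)
    if last_external_only:
        # Assumption: the topmost Received header was added by our own server.
        relays = [r for r in relays if r[0] == "Received"][:1]
    names = {ip: dnsbl_name(ip) for _, ip in relays}
    return sorted((ip, LISTED[n]) for ip, n in names.items() if n in LISTED)

if __name__ == "__main__":
    print("all relays:   ", hits(HEADERS, False))
    print("last external:", hits(HEADERS, True))
```

Checking every relay blames the message for the address of the Hotmail user's own connection, while checking only the last external relay asks the list about the Hotmail server that actually delivered the mail.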


Re: Need a plugin written relating to black/white/yellow lists

Posted by Marc Perkel <ma...@perkel.com>.

Bret Miller wrote:
>
>     Bret Miller wrote:
>>>     		*	127.0.0.1 - whitelist - trusted nonspam 
>>>     		*	127.0.0.2 - blacklist - block spam 
>>>     		*	127.0.0.3 - yellowlist - mix of spam 
>>>     and nonspam 
>>>     		*	127.0.0.4 - brownlist - all spam - but 
>>>     not yet enough 
>>>     		to blacklist 
>>>     		    
>>>
>>>     	
>>>     	And hotmail.com warrants being blacklisted?? Ouch.
>>>     	
>>>     	I do like the idea of white and yellow lists. If I 
>>>     could just get
>>>     	CommuniGate to add the ability to use it...
>>>
>>>     Hotmail would be yellow listed.
>>>         
>>
>>     My headers say RCVD_IN_JMF_BL, the rule says:
>>
>>     header RCVD_IN_JMF_BL eval:check_rbl_sub('JMF', '127.0.0.2')
>>     describe RCVD_IN_JMF_BL Sender listed in JMF-BLACK
>>     tflags RCVD_IN_JMF_BL net
>>     score RCVD_IN_JMF_BL 1.0
>>
>>     And here are the headers:
>>
>>     X-Spam-Tests: tests=AWL=0.782,BAYES_00=-2.599,EXTRA_MPART_TYPE=1,
>>     	
>>     FH_RELAY_NODNS=1.451,HTML_MESSAGE=0.001,PART_CID_STOCK=1.635,RCVD_IN_JMF_BL=
>>     1,
>>     	
>>     RCVD_IN_MXRATE_WL=-2,RDNS_NONE=0.1,T_TVD_FW_GRAPHIC_ID1=0.01;autolearn=no
>>     X-Spam-Score: 1.4
>>     X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on mail.hq.wcg.org
>>     X-Spam-Level: +
>>     X-TFF-CGPSA-Version: 1.6a5
>>     X-WCG-CGPSA-Filter: Scanned
>>     Return-Path: <tr...@hotmail.com>
>>     Received: from [65.54.246.239] (HELO bay0-omc3-s39.bay0.hotmail.com)
>>       by mail.wcg.org (CommuniGate Pro SMTP 5.1.11)
>>       with ESMTP id 22324864 for xxxx@wcg.org; Mon, 27 Aug 2007 11:29:31 -0700
>>     Received: from hotmail.com ([65.55.130.13]) by
>>     bay0-omc3-s39.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668);
>>     	 Mon, 27 Aug 2007 11:29:16 -0700
>>     Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
>>     	 Mon, 27 Aug 2007 11:29:15 -0700
>>     Message-ID: <BA...@phx.gbl>
>>     Received: from 71.110.94.199 by BAY125-DAV3.phx.gbl with DAV;
>>     	Mon, 27 Aug 2007 18:29:10 +0000
>>     X-Originating-IP: [71.110.94.199]
>>     X-Originating-Email: [trinitycommonground@hotmail.com]
>>     X-Sender: trinitycommonground@hotmail.com
>>     From: " Common Ground" <tr...@hotmail.com>
>>     To: <xxxx>
>>     Subject: Back to School Blessings
>>     Date: Mon, 27 Aug 2007 11:29:09 -0700
>>     MIME-Version: 1.0
>>     Content-Type: multipart/related;
>>     	boundary="----=_NextPart_000_0023_01C7E89D.7C72B430";
>>     	type="multipart/alternative"
>>     X-Priority: 3
>>     X-MSMail-Priority: Normal
>>     X-Mailer: Microsoft Outlook Express 6.00.2900.3138
>>     X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138
>>     X-OriginalArrivalTime: 27 Aug 2007 18:29:15.0665 (UTC)
>>     FILETIME=[2C450810:01C7E8D8]
>>     Return-Path: trinitycommonground@hotmail.com
>>
>>     To me, this equals hotmail is on the black list.
>>
>>     Bret
>>       
>
>     Something is odd. That IP isn't in any of my lists.
>      
>
>  Indeed. The problem is the rule, not the list. The check looks back 
> at all IPs in the path, including the X-Originating-IP headers. So, 
> "[2860] dbg: dns: hit 
> <dns:199.94.110.71.hostkarma.junkemailfilter.com> 127.0.0.2" is what 
> SA says is the problem. I guess I need to look at fixing it so it 
> scans only the last external...
>  
> Bret
>

I did some experimenting a while back looking at all the received IP 
addresses and got too many false positives. I had to give up on the idea 
because it didn't work.


RE: Need a plugin written relating to black/white/yellow lists

Posted by Bret Miller <br...@wcg.org>.
Bret Miller wrote: 

		*	127.0.0.1 - whitelist - trusted nonspam
		*	127.0.0.2 - blacklist - block spam
		*	127.0.0.3 - yellowlist - mix of spam and nonspam
		*	127.0.0.4 - brownlist - all spam - but not yet enough to blacklist

	And hotmail.com warrants being blacklisted?? Ouch.

	I do like the idea of white and yellow lists. If I could just get
	CommuniGate to add the ability to use it...

Hotmail would be yellow listed.

My headers say RCVD_IN_JMF_BL, the rule says:

header RCVD_IN_JMF_BL eval:check_rbl_sub('JMF', '127.0.0.2')
describe RCVD_IN_JMF_BL Sender listed in JMF-BLACK
tflags RCVD_IN_JMF_BL net
score RCVD_IN_JMF_BL 1.0

And here are the headers:

X-Spam-Tests: tests=AWL=0.782,BAYES_00=-2.599,EXTRA_MPART_TYPE=1,
FH_RELAY_NODNS=1.451,HTML_MESSAGE=0.001,PART_CID_STOCK=1.635,RCVD_IN_JMF_BL=
1,
RCVD_IN_MXRATE_WL=-2,RDNS_NONE=0.1,T_TVD_FW_GRAPHIC_ID1=0.01;autolearn=no
X-Spam-Score: 1.4
X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on mail.hq.wcg.org
X-Spam-Level: +
X-TFF-CGPSA-Version: 1.6a5
X-WCG-CGPSA-Filter: Scanned
Return-Path: <tr...@hotmail.com>
Received: from [65.54.246.239] (HELO bay0-omc3-s39.bay0.hotmail.com)
  by mail.wcg.org (CommuniGate Pro SMTP 5.1.11)
  with ESMTP id 22324864 for xxxx@wcg.org; Mon, 27 Aug 2007 11:29:31 -0700
Received: from hotmail.com ([65.55.130.13]) by
bay0-omc3-s39.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668);
	 Mon, 27 Aug 2007 11:29:16 -0700
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
	 Mon, 27 Aug 2007 11:29:15 -0700
Message-ID: <BA...@phx.gbl>
Received: from 71.110.94.199 by BAY125-DAV3.phx.gbl with DAV;
	Mon, 27 Aug 2007 18:29:10 +0000
X-Originating-IP: [71.110.94.199]
X-Originating-Email: [trinitycommonground@hotmail.com]
X-Sender: trinitycommonground@hotmail.com
From: " Common Ground" <tr...@hotmail.com>
To: <xxxx>
Subject: Back to School Blessings
Date: Mon, 27 Aug 2007 11:29:09 -0700
MIME-Version: 1.0
Content-Type: multipart/related;
	boundary="----=_NextPart_000_0023_01C7E89D.7C72B430";
	type="multipart/alternative"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138
X-OriginalArrivalTime: 27 Aug 2007 18:29:15.0665 (UTC)
FILETIME=[2C450810:01C7E8D8]
Return-Path: trinitycommonground@hotmail.com

To me, this equals hotmail is on the black list.

Bret

  


Something is odd. That IP isn't in any of my lists.
 

 Indeed. The problem is the rule, not the list. The check looks back at all
IPs in the path, including the X-Originating-IP headers. So, "[2860] dbg:
dns: hit <dns:199.94.110.71.hostkarma.junkemailfilter.com> 127.0.0.2" is
what SA says is the problem. I guess I need to look at fixing it so it scans
only the last external... 
 
Bret
 

Re: Need a plugin written relating to black/white/yellow lists

Posted by Marc Perkel <ma...@perkel.com>.

Bret Miller wrote:
>> 		*	127.0.0.1 - whitelist - trusted nonspam 
>> 		*	127.0.0.2 - blacklist - block spam 
>> 		*	127.0.0.3 - yellowlist - mix of spam 
>> and nonspam 
>> 		*	127.0.0.4 - brownlist - all spam - but 
>> not yet enough 
>> 		to blacklist 
>> 		    
>>
>> 	
>> 	And hotmail.com warrants being blacklisted?? Ouch.
>> 	
>> 	I do like the idea of white and yellow lists. If I 
>> could just get
>> 	CommuniGate to add the ability to use it...
>>
>> Hotmail would be yellow listed.
>>     
>
> My headers say RCVD_IN_JMF_BL, the rule says:
>
> header RCVD_IN_JMF_BL eval:check_rbl_sub('JMF', '127.0.0.2')
> describe RCVD_IN_JMF_BL Sender listed in JMF-BLACK
> tflags RCVD_IN_JMF_BL net
> score RCVD_IN_JMF_BL 1.0
>
> And here are the headers:
>
> X-Spam-Tests: tests=AWL=0.782,BAYES_00=-2.599,EXTRA_MPART_TYPE=1,
> 	
> FH_RELAY_NODNS=1.451,HTML_MESSAGE=0.001,PART_CID_STOCK=1.635,RCVD_IN_JMF_BL=
> 1,
> 	
> RCVD_IN_MXRATE_WL=-2,RDNS_NONE=0.1,T_TVD_FW_GRAPHIC_ID1=0.01;autolearn=no
> X-Spam-Score: 1.4
> X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on mail.hq.wcg.org
> X-Spam-Level: +
> X-TFF-CGPSA-Version: 1.6a5
> X-WCG-CGPSA-Filter: Scanned
> Return-Path: <tr...@hotmail.com>
> Received: from [65.54.246.239] (HELO bay0-omc3-s39.bay0.hotmail.com)
>   by mail.wcg.org (CommuniGate Pro SMTP 5.1.11)
>   with ESMTP id 22324864 for xxxx@wcg.org; Mon, 27 Aug 2007 11:29:31 -0700
> Received: from hotmail.com ([65.55.130.13]) by
> bay0-omc3-s39.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668);
> 	 Mon, 27 Aug 2007 11:29:16 -0700
> Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
> 	 Mon, 27 Aug 2007 11:29:15 -0700
> Message-ID: <BA...@phx.gbl>
> Received: from 71.110.94.199 by BAY125-DAV3.phx.gbl with DAV;
> 	Mon, 27 Aug 2007 18:29:10 +0000
> X-Originating-IP: [71.110.94.199]
> X-Originating-Email: [trinitycommonground@hotmail.com]
> X-Sender: trinitycommonground@hotmail.com
> From: " Common Ground" <tr...@hotmail.com>
> To: <xxxx>
> Subject: Back to School Blessings
> Date: Mon, 27 Aug 2007 11:29:09 -0700
> MIME-Version: 1.0
> Content-Type: multipart/related;
> 	boundary="----=_NextPart_000_0023_01C7E89D.7C72B430";
> 	type="multipart/alternative"
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2900.3138
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138
> X-OriginalArrivalTime: 27 Aug 2007 18:29:15.0665 (UTC)
> FILETIME=[2C450810:01C7E8D8]
> Return-Path: trinitycommonground@hotmail.com
>
> To me, this equals hotmail is on the black list.
>
> Bret
>   

Something is odd. That IP isn't in any of my lists.

RE: Need a plugin written relating to black/white/yellow lists

Posted by Bret Miller <br...@wcg.org>.
> 		*	127.0.0.1 - whitelist - trusted nonspam 
> 		*	127.0.0.2 - blacklist - block spam 
> 		*	127.0.0.3 - yellowlist - mix of spam 
> and nonspam 
> 		*	127.0.0.4 - brownlist - all spam - but 
> not yet enough 
> 		to blacklist 
> 		    
> 
> 	
> 	And hotmail.com warrants being blacklisted?? Ouch.
> 	
> 	I do like the idea of white and yellow lists. If I 
> could just get
> 	CommuniGate to add the ability to use it...
>
>Hotmail would be yellow listed.

My headers say RCVD_IN_JMF_BL, the rule says:

header RCVD_IN_JMF_BL eval:check_rbl_sub('JMF', '127.0.0.2')
describe RCVD_IN_JMF_BL Sender listed in JMF-BLACK
tflags RCVD_IN_JMF_BL net
score RCVD_IN_JMF_BL 1.0

And here are the headers:

X-Spam-Tests: tests=AWL=0.782,BAYES_00=-2.599,EXTRA_MPART_TYPE=1,
	
FH_RELAY_NODNS=1.451,HTML_MESSAGE=0.001,PART_CID_STOCK=1.635,RCVD_IN_JMF_BL=
1,
	
RCVD_IN_MXRATE_WL=-2,RDNS_NONE=0.1,T_TVD_FW_GRAPHIC_ID1=0.01;autolearn=no
X-Spam-Score: 1.4
X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on mail.hq.wcg.org
X-Spam-Level: +
X-TFF-CGPSA-Version: 1.6a5
X-WCG-CGPSA-Filter: Scanned
Return-Path: <tr...@hotmail.com>
Received: from [65.54.246.239] (HELO bay0-omc3-s39.bay0.hotmail.com)
  by mail.wcg.org (CommuniGate Pro SMTP 5.1.11)
  with ESMTP id 22324864 for xxxx@wcg.org; Mon, 27 Aug 2007 11:29:31 -0700
Received: from hotmail.com ([65.55.130.13]) by
bay0-omc3-s39.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668);
	 Mon, 27 Aug 2007 11:29:16 -0700
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
	 Mon, 27 Aug 2007 11:29:15 -0700
Message-ID: <BA...@phx.gbl>
Received: from 71.110.94.199 by BAY125-DAV3.phx.gbl with DAV;
	Mon, 27 Aug 2007 18:29:10 +0000
X-Originating-IP: [71.110.94.199]
X-Originating-Email: [trinitycommonground@hotmail.com]
X-Sender: trinitycommonground@hotmail.com
From: " Common Ground" <tr...@hotmail.com>
To: <xxxx>
Subject: Back to School Blessings
Date: Mon, 27 Aug 2007 11:29:09 -0700
MIME-Version: 1.0
Content-Type: multipart/related;
	boundary="----=_NextPart_000_0023_01C7E89D.7C72B430";
	type="multipart/alternative"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138
X-OriginalArrivalTime: 27 Aug 2007 18:29:15.0665 (UTC)
FILETIME=[2C450810:01C7E8D8]
Return-Path: trinitycommonground@hotmail.com

To me, this equals hotmail is on the black list.

Bret

Re: Need a plugin written relating to black/white/yellow lists

Posted by Marc Perkel <ma...@perkel.com>.

Bret Miller wrote:
>> Before you look at this as just another blacklist - the real 
>> power is in the white and yellow lists. First - an overview. 
>> My list returns these codes:
>>
>>
>>
>> *	127.0.0.1 - whitelist - trusted nonspam 
>> *	127.0.0.2 - blacklist - block spam 
>> *	127.0.0.3 - yellowlist - mix of spam and nonspam 
>> *	127.0.0.4 - brownlist - all spam - but not yet enough 
>> to blacklist 
>>     
>
> And hotmail.com warrants being blacklisted?? Ouch.
>
> I do like the idea of white and yellow lists. If I could just get
> CommuniGate to add the ability to use it...
>
> Bret
>   

Hotmail would be yellow listed.


RE: Need a plugin written relating to black/white/yellow lists

Posted by Bret Miller <br...@wcg.org>.
> Before you look at this as just another blacklist - the real 
> power is in the white and yellow lists. First - an overview. 
> My list returns these codes:
> 
> 
> 
> *	127.0.0.1 - whitelist - trusted nonspam 
> *	127.0.0.2 - blacklist - block spam 
> *	127.0.0.3 - yellowlist - mix of spam and nonspam 
> *	127.0.0.4 - brownlist - all spam - but not yet enough 
> to blacklist 

And hotmail.com warrants being blacklisted?? Ouch.

I do like the idea of white and yellow lists. If I could just get
CommuniGate to add the ability to use it...

Bret