Posted to users@spamassassin.apache.org by Juan Miscaro <jm...@gmail.com> on 2008/04/07 02:00:00 UTC

URIDNSBL recommended?

Hi, I recently activated URIDNSBL and my scores went through the roof.

I'm a little worried about it.

So first, is this method recommended in the SA community?

And secondly, how can I mod down the (high) scores I'm seeing?  I
tried this in my local.cf file but it was ignored:

score URIBL_SBL 1.0

/juan

Re: URIDNSBL recommended?

Posted by Matt Kettler <mk...@verizon.net>.
Juan Miscaro wrote:
>
>>  Do you use spamd? Did you restart it? (spamd only reads .cf and .pre files
>> on startup)
>>     
>
> I use SA in conjunction with amavisd-new.  So the answer to your
> question is, I'm not sure.  :)
>   
Amavis (well, amavisd-new) caches its own Mail::SpamAssassin instance, 
so in essence it is its own spamd. Thus, Amavis must be restarted after 
editing your .cf files.
>   
>>  Are you sure you've got the right directory local.cf?
>>     
>
> Yes, I have other stuff in there.
>
> /juan
>
>   


Re: URIDNSBL recommended?

Posted by Juan Miscaro <jm...@gmail.com>.
On 06/04/2008, Matt Kettler <mk...@verizon.net> wrote:
> Juan Miscaro wrote:
>
> > Hi, I recently activated URIDNSBL and my scores went through the roof.
> >
> > I'm a little worried about it.
> >
> > So first, is this method recommended in the SA community?
> >
> >
>  Given that it is on by default in all versions of spamassassin from 3.0.0
> onward, calling it recommended would be an understatement. Yes, it's
> recommended.

OK, nice.

>  You seem concerned about scores, but is it just jacking up your average
> spam score, or are you having false positive problems?

I never get FP.  ;)

> > And secondly, how can I mod down the (high) scores I'm seeing?  I
> > tried this in my local.cf file but it was ignored:
> >
> > score URIBL_SBL 1.0
> >
> >
>  Do you use spamd? Did you restart it? (spamd only reads .cf and .pre files
> on startup)

I use SA in conjunction with amavisd-new.  So the answer to your
question is, I'm not sure.  :)

>  Are you sure you've got the right directory local.cf?

Yes, I have other stuff in there.

/juan

Re: URIDNSBL recommended?

Posted by Matt Kettler <mk...@verizon.net>.
Juan Miscaro wrote:
> Hi, I recently activated URIDNSBL and my scores went through the roof.
>
> I'm a little worried about it.
>
> So first, is this method recommended in the SA community?
>   
Given that it is on by default in all versions of spamassassin from 
3.0.0 onward, calling it recommended would be an understatement. Yes, 
it's recommended. IMO the URIBLs are p the second most useful part of  
SpamAssassin, surpassed only by bayes. I give bayes higher props because 
it works on all messages, and it can (and should) be custom trained to 
your personal ideas of what is and is not spam. That's a really powerful 
system that's really hard to top, so coming in second to it is no shame 
on the URIBLs.

You seem concerned about scores, but is it just jacking up your average 
spam score, or are you having false positive problems? Elevated spam 
scores aren't really much of a problem, but when you start having false 
positives, that's an issue to be looking at.

In my experience, the FP rate of all the URIBL_* rules (well, except 
URIBL_GREY) is pretty low. I have occasional problems with URIBL_BLACK, 
URIBL_WS_SURBL and URIBL_OB_SURBL hitting nonspam email, but this rarely 
causes false positives at a threshold of 5.0, and I generally report the 
FPs to the appropriate list maintainers when I've got time available to 
do so.

> And secondly, how can I mod down the (high) scores I'm seeing?  I
> tried this in my local.cf file but it was ignored:
>
> score URIBL_SBL 1.0
>   
Do you use spamd? Did you restart it? (spamd only reads .cf and .pre 
files on startup)

Are you sure you've got the right directory local.cf? (try a 
spamassassin -D --lint and see what SA is using as a "site rules dir")





Re: URIDNSBL recommended?

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Mon, 2008-04-07 at 03:09 +0200, Karsten Bräckelmann wrote:
> Sorry for quoting myself, just elaborating some more...

> (c) Coming up with a new rule, that triggers on 30%+ of my low scoring
> spam (aka <10).  ;)

Eep -- I did mean to say "<15" there. It's been a long day...

  guenther


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: URIDNSBL recommended?

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
Sorry for quoting myself, just elaborating some more...

On Mon, 2008-04-07 at 02:52 +0200, Karsten Bräckelmann wrote:
> On Sun, 2008-04-06 at 20:00 -0400, Juan Miscaro wrote:
> > Hi, I recently activated URIDNSBL and my scores went through the roof.
> 
> You mean you activated the plugin? What's your SA version? These checks
> are enabled by default and actually are quite effective. As you noticed.
> And as the plugin doc [1] states. ;)

Literally, btw. ;)

> > I'm a little worried about it.
> 
> Don't. :)
> 
> Seriously, I know that feeling -- changing your mail processing
> "slightly", and noticing some massive changes. However...

I was referring to things like these -- neither has been a major change
to SA, but just some additional love or better evaluation of SA's answer
to the spam.

(a) Enabling some additional plugins, giving moderate scores. May easily
turn out to help a lot of spam jump the barrier of "dumping" somewhere
else.

(b) Adding a bunch of custom, funky procmail recipes, investigating the
triggered rules. Even with a safety net of constraints like high Bayes
scores, at least one of a few carefully chosen blacklists and a total
score of above 16, I currently merely *log* the headers of about 96% of
my spam. Throwing away hundreds of MByte per month of useless payload
for a single user...

(c) Coming up with a new rule, that triggers on 30%+ of my low scoring
spam (aka <10).  ;)

  guenther


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: URIDNSBL recommended?

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Sun, 2008-04-06 at 20:00 -0400, Juan Miscaro wrote:
> Hi, I recently activated URIDNSBL and my scores went through the roof.

You mean you activated the plugin? What's your SA version? These checks
are enabled by default and actually are quite effective. As you noticed.
And as the plugin doc [1] states. ;)

> I'm a little worried about it.

Don't. :)

Seriously, I know that feeling -- changing your mail processing
"slightly", and noticing some massive changes. However...

> So first, is this method recommended in the SA community?

Yes. It is enabled by default.

> And secondly, how can I mod down the (high) scores I'm seeing?  I
> tried this in my local.cf file but it was ignored:
> 
> score URIBL_SBL 1.0

That will *only* change the score for the URIBL_SBL test, the URI
Blacklist by Spamhaus, which defaults to a score of about 1.5 in SA.
This indeed doesn't make much of a difference -- even more so, since
there are other blacklists queried [2]. URIBL_BLACK for example is
highly efficient, and will trigger on a lot of (read: most) spam
containing URIs.

If you really want to lower the scores for the tests you just enabled,
you will need to do so in your local.cf for other rules, too. See
25_uribl.cf and 50_scores.cf for the default score. Lint check and
restart spamd after modifying anything in local.cf.


IMHO, the high scores are justified. ;)  The scoring process prior to a
release carefully set these scores, based on the reliability and
effectiveness of the various BLs, while minimizing FPs.

  guenther


[1] http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Plugin_URIDNSBL.html
[2] see 25_uribl.cf

-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
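
The point made in the last reply above, that a `score` line in local.cf changes only the one rule it names, shown as an added example that is not part of the original thread: the function resolves the effective score per rule across .cf files read in order, with the last definition winning. The function name, the sample file contents and the score values are constructed for illustration; the real defaults are in 25_uribl.cf and 50_scores.cf.

```shell
#!/bin/sh
# Added example; file contents below are constructed, not SpamAssassin's real defaults.

# effective_score RULE SCORESET FILE...
# Reads FILEs in order and prints "<score> <file>" for the last "score RULE ..."
# line seen, or "unset". SCORESET 0-3 picks the column of a four-value line
# (3 = Bayes and network tests both on); a one-value line covers all four sets.
effective_score() {
    rule=$1; idx=$2; shift 2
    awk -v rule="$rule" -v idx="$idx" '
        { sub(/#.*/, "") }                       # drop trailing comments
        $1 == "score" && $2 == rule {
            if (NF >= 6) val = $(3 + idx); else val = $3
            src = FILENAME                       # remember which file won
        }
        END {
            if (src == "") { print "unset"; exit }
            n = split(src, p, "/"); print val, p[n]
        }
    ' "$@"
}

# Constructed stand-ins for the shipped score file and a site local.cf.
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/50_scores.cf" <<'EOF'
# constructed values for the demo
score URIBL_SBL 0 1.5 0 1.6
score URIBL_BLACK 0 2.0 0 2.0
score URIBL_WS_SURBL 0 1.5 0 1.5
EOF
    cat > "$dir/local.cf" <<'EOF'
score URIBL_SBL 1.0   # the single override from the thread
EOF
    echo "$dir"
}

# Print the effective score of each rule: only URIBL_SBL moves to local.cf.
report() {
    for r in URIBL_SBL URIBL_BLACK URIBL_WS_SURBL; do
        printf '%-16s %s\n' "$r" \
            "$(effective_score "$r" 3 "$1/50_scores.cf" "$1/local.cf")"
    done
}

d=$(make_sample); report "$d"; rm -rf "$d"
```

On a real installation, pass the actual rule files in the order SpamAssassin reads them, then run `spamassassin --lint` and restart amavisd-new (or spamd) so the edited local.cf is loaded.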