Posted to users@spamassassin.apache.org by John Schmerold <sc...@gmail.com> on 2019/03/02 14:45:57 UTC
df.uribl.com
I subscribed to uribl's datafeed service and have read their usage
documentation on http://uribl.com/usage.shtml
I think I understand how it works, but I am confused by how things work
with the default 25_uribl.cf file if I want to change the rhsbl_zone to
_CUSTID.df.uribl.com
We don't want the URIBL rules in 25_uribl and my custom rules to fire
because that would cause 2x the lookup causing inefficient resource
utilization. If I use local.cf to set:
score URIBL_* 0.00
Will this stop the URIBL rules from firing?
OR, using BLACK as an example, if I put this in local.cf , will it
over-ride 25_uribl.cf:
urirhssub URIBL_BLACK _CUSTID.df.uribl.com. A 2
body URIBL_BLACK eval:check_uridnsbl('URIBL_BLACK')
describe URIBL_BLACK Contains an URL listed in the URIBL blacklist
tflags URIBL_BLACK net
score URIBL_BLACK 6.00
reuse URIBL_BLACK
OR: is there some better solution?
Thanks.
--
John Schmerold
Katy Computer Systems, Inc
https://katycomputer.com
St Louis
Re: df.uribl.com
Posted by John Schmerold <sc...@gmail.com>.
On 3/2/2019 9:04 AM, Axb wrote:
> On 3/2/19 3:45 PM, John Schmerold wrote:
>> I subscribed to uribl's datafeed service and have read their usage
>> documentation on http://uribl.com/usage.shtml
>>
>> I think I understand how it works, but I am confused by how things
>> work with the default 25_uribl.cf file if I want to change the
>> rhsbl_zone to _CUSTID.df.uribl.com
>>
>> We don't want the URIBL rules in 25_uribl and my custom rules to fire
>> because that would cause 2x the lookup causing inefficient resource
>> utilization. If I use local.cf to set:
>> score URIBL_* 0.00
>> Will this stop the URIBL rules from firing?
>>
>> OR, using BLACK as an example, if I put this in local.cf , will it
>> over-ride 25_uribl.cf:
>> urirhssub URIBL_BLACK _CUSTID.df.uribl.com. A 2
>> body URIBL_BLACK eval:check_uridnsbl('URIBL_BLACK')
>> describe URIBL_BLACK Contains an URL listed in the URIBL blacklist
>> tflags URIBL_BLACK net
>> score URIBL_BLACK 6.00
>> reuse URIBL_BLACK
>>
>> OR: is there some better solution?
>>
>> Thanks.
>>
>
> where is using a wildcard for rule names documented?
>
I should have said "Using URIBL_BLACK as an example":
We don't want the URIBL rules in 25_uribl and my custom rules to fire
because that would cause 2x the lookup causing inefficient resource
utilization. If I use local.cf to set:
score URIBL_BLACK 0.00
Will this stop the URIBL rules from firing?
Re: df.uribl.com
Posted by Axb <ax...@gmail.com>.
On 3/2/19 3:45 PM, John Schmerold wrote:
> I subscribed to uribl's datafeed service and have read their usage
> documentation on http://uribl.com/usage.shtml
>
> I think I understand how it works, but I am confused by how things work
> with the default 25_uribl.cf file if I want to change the rhsbl_zone to
> _CUSTID.df.uribl.com
>
> We don't want the URIBL rules in 25_uribl and my custom rules to fire
> because that would cause 2x the lookup causing inefficient resource
> utilization. If I use local.cf to set:
> score URIBL_* 0.00
> Will this stop the URIBL rules from firing?
>
> OR, using BLACK as an example, if I put this in local.cf , will it
> over-ride 25_uribl.cf:
> urirhssub URIBL_BLACK _CUSTID.df.uribl.com. A 2
> body URIBL_BLACK eval:check_uridnsbl('URIBL_BLACK')
> describe URIBL_BLACK Contains an URL listed in the URIBL blacklist
> tflags URIBL_BLACK net
> score URIBL_BLACK 6.00
> reuse URIBL_BLACK
>
> OR: is there some better solution?
>
> Thanks.
>
where is using a wildcard for rule names documented?
Re: df.uribl.com
Posted by John Schmerold <sc...@gmail.com>.
On 3/2/2019 10:15 PM, Bill Cole wrote:
> On 2 Mar 2019, at 9:45, John Schmerold wrote:
>
>> I subscribed to uribl's datafeed service and have read their usage
>> documentation on http://uribl.com/usage.shtml
>>
>> I think I understand how it works, but I am confused by how things
>> work with the default 25_uribl.cf file if I want to change the
>> rhsbl_zone to _CUSTID.df.uribl.com
>>
>> We don't want the URIBL rules in 25_uribl and my custom rules to fire
>> because that would cause 2x the lookup causing inefficient resource
>> utilization.
>> If I use local.cf to set:
>> score URIBL_* 0.00
>> Will this stop the URIBL rules from firing?
>
> No. There is no "wildcard" support for rule names. Never has been,
> never will be (unless SA is taken over by lunatics.) The way rules
> operate inside SA would make such a mechanism spectacularly unsafe.
>
>> OR, using BLACK as an example, if I put this in local.cf , will it
>> over-ride 25_uribl.cf:
>> urirhssub URIBL_BLACK _CUSTID.df.uribl.com. A 2
>> body URIBL_BLACK eval:check_uridnsbl('URIBL_BLACK')
>> describe URIBL_BLACK Contains an URL listed in the URIBL blacklist
>> tflags URIBL_BLACK net
>> score URIBL_BLACK 6.00
>> reuse URIBL_BLACK
>>
>> OR: is there some better solution?
>
> You don't need to override all aspects of a rule, just the ones you
> want to change.
> So if you just put an overriding urirhssub line in local.cf, you still
> get whatever is in the default 25_uribl.cf.
>
>
Thanks everyone - I am glad I asked, everyone's responses cleared up a
couple misconceptions.
John Schmerold
Katy Computer Systems, Inc
https://katycomputer.com
St Louis
Re: df.uribl.com
Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 2 Mar 2019, at 9:45, John Schmerold wrote:
> I subscribed to uribl's datafeed service and have read their usage
> documentation on http://uribl.com/usage.shtml
>
> I think I understand how it works, but I am confused by how things
> work with the default 25_uribl.cf file if I want to change the
> rhsbl_zone to _CUSTID.df.uribl.com
>
> We don't want the URIBL rules in 25_uribl and my custom rules to fire
> because that would cause 2x the lookup causing inefficient resource
> utilization.
> If I use local.cf to set:
> score URIBL_* 0.00
> Will this stop the URIBL rules from firing?
No. There is no "wildcard" support for rule names. Never has been, never
will be (unless SA is taken over by lunatics.) The way rules operate
inside SA would make such a mechanism spectacularly unsafe.
> OR, using BLACK as an example, if I put this in local.cf , will it
> over-ride 25_uribl.cf:
> urirhssub URIBL_BLACK _CUSTID.df.uribl.com. A 2
> body URIBL_BLACK eval:check_uridnsbl('URIBL_BLACK')
> describe URIBL_BLACK Contains an URL listed in the URIBL blacklist
> tflags URIBL_BLACK net
> score URIBL_BLACK 6.00
> reuse URIBL_BLACK
>
> OR: is there some better solution?
You don't need to override all aspects of a rule, just the ones you want
to change.
So if you just put an overriding urirhssub line in local.cf, you still
get whatever is in the default 25_uribl.cf.
--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole
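Added example, not part of Bill Cole's message or of SpamAssassin itself: a simplified Python model of the per-directive override described above, run against the three local.cf variants raised in the thread. It assumes config is merged in load order with the last line per (rule, directive) winning and that a rule scored 0 is disabled; the stand-in for 25_uribl.cf and its scores are constructed.

```python
import re

# Constructed stand-in for the stock 25_uribl.cf (scores are illustrative).
DEFAULT_CF = """\
urirhssub URIBL_BLACK multi.uribl.com. A 2
body      URIBL_BLACK eval:check_uridnsbl('URIBL_BLACK')
tflags    URIBL_BLACK net
score     URIBL_BLACK 1.7
urirhssub URIBL_GREY  multi.uribl.com. A 4
body      URIBL_GREY  eval:check_uridnsbl('URIBL_GREY')
tflags    URIBL_GREY  net
score     URIBL_GREY  0.4
"""
# Three candidate local.cf contents from the thread.
LOCAL_WILDCARD = "score URIBL_* 0.00\n"
LOCAL_ZERO = "score URIBL_BLACK 0.00\n"
LOCAL_OVERRIDE = "urirhssub URIBL_BLACK _CUSTID.df.uribl.com. A 2\n"

LINE = re.compile(r"^(urirhssub|body|describe|tflags|score)\s+(\S+)\s+(.+)$")

def effective_rules(*configs):
    """Merge configs in load order; the last line per (rule, directive) wins.
    Rule names are literal strings, so 'URIBL_*' is just an unknown rule."""
    rules = {}
    for text in configs:
        for raw in text.splitlines():
            m = LINE.match(raw.strip())
            if m:
                directive, name, value = m.groups()
                rules.setdefault(name, {})[directive] = " ".join(value.split())
    return rules

def lookup_zones(rules):
    """Zone queried per rule; a rule scored 0 is disabled and does no lookup."""
    zones = {}
    for name, d in rules.items():
        if "urirhssub" in d and float(d.get("score", "1").split()[0]) != 0:
            zones[name] = d["urirhssub"].split()[0]
    return zones

if __name__ == "__main__":
    for label, local in [("wildcard", LOCAL_WILDCARD), ("zero", LOCAL_ZERO),
                         ("override", LOCAL_OVERRIDE)]:
        print(label, lookup_zones(effective_rules(DEFAULT_CF, local)))
```

In this model the wildcard line leaves every lookup on the public zone, and the single urirhssub override moves only URIBL_BLACK, so each rule that should use the datafeed zone needs its own override line.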
Re: df.uribl.com
Posted by John Hardin <jh...@impsec.org>.
On Sat, 2 Mar 2019, Axb wrote:
> On 3/2/19 7:35 PM, John Hardin wrote:
>> On Sat, 2 Mar 2019, John Schmerold wrote:
>>
>>> I subscribed to uribl's datafeed service and have read their usage
>>> documentation on http://uribl.com/usage.shtml
>>>
>>> I think I understand how it works, but I am confused by how things work
>>> with the default 25_uribl.cf file if I want to change the rhsbl_zone to
>>> _CUSTID.df.uribl.com
>>>
>>> We don't want the URIBL rules in 25_uribl and my custom rules to fire
>>> because that would cause 2x the lookup causing inefficient resource
>>> utilization. If I use local.cf to set:
>>> score URIBL_* 0.00
>>> Will this stop the URIBL rules from firing?
>>>
>>> OR, using BLACK as an example, if I put this in local.cf , will it
>>> over-ride 25_uribl.cf:
>>> urirhssub URIBL_BLACK _CUSTID.df.uribl.com. A 2
>>> body URIBL_BLACK eval:check_uridnsbl('URIBL_BLACK')
>>> describe URIBL_BLACK Contains an URL listed in the URIBL blacklist
>>> tflags URIBL_BLACK net
>>> score URIBL_BLACK 6.00
>>> reuse URIBL_BLACK
>>>
>>> OR: is there some better solution?
>>
>> Try addressing it at the DNS resolver level.
>>
>> Your MTA and SA should be using a locally-controlled resolver, they should
>> not be going directly to a public resolver. (You're getting the datafeed so
>> you obviously already know this...)
>>
>> Configure your local resolver as authoritative for multi.uribl.com and
>> point it at your datafeed. No changes needed in MTA/SA at all.
>>
>> Pointing it at your datafeed if you're getting a RSYNC feed (which doesn't
>> look to be your case) would just be using the data file URIBL provides you;
>> pointing it at a URIBL-hosted client domain would probably involve a DNAME
>> record in your local faux-master multi.uribl.com zone.
>>
>> https://www.rfc-editor.org/rfc/rfc6672.txt
>>
>> http://www.informit.com/articles/article.aspx?p=19798
>
> John,
> Your suggestions don't apply to this user's case.
>
> He's using the so called "Datafeed over DNS" and not a local rsync'd version.
I covered both possibilities:
>> pointing it at a URIBL-hosted client domain would probably involve a
>> DNAME record in your local faux-master multi.uribl.com zone.
His local MTA/SA DNS resolver would be configured to claim it is
authoritative for multi.uribl.com, and would publish a DNAME record
redirecting queries to _CUSTID.df.uribl.com (using the appropriate
customer ID, of course).
That local DNS resolver must not answer queries from (or ideally not even
be visible to) the Internet, of course.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Win95: Where do you want to go today?
Vista: Where will Microsoft allow you to go today?
-----------------------------------------------------------------------
11 days until Albert Einstein's 140th Birthday
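Added example, not part of John Hardin's message: the RFC 6672 DNAME substitution that the local faux-master multi.uribl.com zone would apply to each URIBL query, written out in Python. The owner and target names are the ones named in the thread (_CUSTID is the thread's placeholder); the function names are hypothetical.

```python
OWNER = "multi.uribl.com."        # zone the local resolver claims
TARGET = "_CUSTID.df.uribl.com."  # DNAME target (placeholder customer ID)

def labels(name):
    """Split a domain name into its labels, ignoring the trailing dot."""
    return [l for l in name.rstrip(".").split(".") if l]

def lower(seq):
    return [l.lower() for l in seq]

def dname_rewrite(qname, owner=OWNER, target=TARGET):
    """Return the name a query is redirected to, or None when the DNAME
    does not apply. Raises ValueError if the rewritten name exceeds 255
    octets (a real server answers YXDOMAIN in that case)."""
    q, o = labels(qname), labels(owner)
    # Only names strictly below the owner are redirected. The owner name
    # itself is not, and matching is per label, case-insensitively.
    if len(q) <= len(o) or lower(q[-len(o):]) != lower(o):
        return None
    new = q[:-len(o)] + labels(target)
    wire_len = sum(len(l) + 1 for l in new) + 1  # length octets + root label
    if wire_len > 255:
        raise ValueError("YXDOMAIN: rewritten name too long")
    return ".".join(new) + "."

if __name__ == "__main__":
    for name in ("example.com.multi.uribl.com.", "multi.uribl.com.",
                 "example.com.notmulti.uribl.com."):
        print(name, "->", dname_rewrite(name))
```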
Re: df.uribl.com
Posted by Axb <ax...@gmail.com>.
On 3/2/19 7:35 PM, John Hardin wrote:
> On Sat, 2 Mar 2019, John Schmerold wrote:
>
>> I subscribed to uribl's datafeed service and have read their usage
>> documentation on http://uribl.com/usage.shtml
>>
>> I think I understand how it works, but I am confused by how things
>> work with the default 25_uribl.cf file if I want to change the
>> rhsbl_zone to _CUSTID.df.uribl.com
>>
>> We don't want the URIBL rules in 25_uribl and my custom rules to fire
>> because that would cause 2x the lookup causing inefficient resource
>> utilization. If I use local.cf to set:
>> score URIBL_* 0.00
>> Will this stop the URIBL rules from firing?
>>
>> OR, using BLACK as an example, if I put this in local.cf , will it
>> over-ride 25_uribl.cf:
>> urirhssub URIBL_BLACK _CUSTID.df.uribl.com. A 2
>> body URIBL_BLACK eval:check_uridnsbl('URIBL_BLACK')
>> describe URIBL_BLACK Contains an URL listed in the URIBL blacklist
>> tflags URIBL_BLACK net
>> score URIBL_BLACK 6.00
>> reuse URIBL_BLACK
>>
>> OR: is there some better solution?
>
> Try addressing it at the DNS resolver level.
>
> Your MTA and SA should be using a locally-controlled resolver, they
> should not be going directly to a public resolver. (You're getting the
> datafeed so you obviously already know this...)
>
> Configure your local resolver as authoritative for multi.uribl.com and
> point it at your datafeed. No changes needed in MTA/SA at all.
>
> Pointing it at your datafeed if you're getting a RSYNC feed (which
> doesn't look to be your case) would just be using the data file URIBL
> provides you; pointing it at a URIBL-hosted client domain would probably
> involve a DNAME record in your local faux-master multi.uribl.com zone.
>
> https://www.rfc-editor.org/rfc/rfc6672.txt
>
> http://www.informit.com/articles/article.aspx?p=19798
John,
Your suggestions don't apply to this user's case.
He's using the so called "Datafeed over DNS" and not a local rsync'd
version.
--Axb
"Datafeed over DNS
Allows end users to continue to utilize the public DNS system for URIBL
resolution. This will allow high volume end users to continue to query
URIBL without making any changes, or having to maintain additional
hardware which is necessary for Datafeed of RSYNC. As its priced by
queries per day, even small end users can benefit from Datafeed over
DNS, as it provides access over DNS to Gold zone data, as well as the
extra datasets (black_a, black_ns, black_nsip)."
Re: df.uribl.com
Posted by John Hardin <jh...@impsec.org>.
On Sat, 2 Mar 2019, John Schmerold wrote:
> I subscribed to uribl's datafeed service and have read their usage
> documentation on http://uribl.com/usage.shtml
>
> I think I understand how it works, but I am confused by how things work with
> the default 25_uribl.cf file if I want to change the rhsbl_zone to
> _CUSTID.df.uribl.com
>
> We don't want the URIBL rules in 25_uribl and my custom rules to fire because
> that would cause 2x the lookup causing inefficient resource utilization. If
> I use local.cf to set:
> score URIBL_* 0.00
> Will this stop the URIBL rules from firing?
>
> OR, using BLACK as an example, if I put this in local.cf , will it over-ride
> 25_uribl.cf:
> urirhssub URIBL_BLACK _CUSTID.df.uribl.com. A 2
> body URIBL_BLACK eval:check_uridnsbl('URIBL_BLACK')
> describe URIBL_BLACK Contains an URL listed in the URIBL blacklist
> tflags URIBL_BLACK net
> score URIBL_BLACK 6.00
> reuse URIBL_BLACK
>
> OR: is there some better solution?
Try addressing it at the DNS resolver level.
Your MTA and SA should be using a locally-controlled resolver, they should
not be going directly to a public resolver. (You're getting the datafeed
so you obviously already know this...)
Configure your local resolver as authoritative for multi.uribl.com and
point it at your datafeed. No changes needed in MTA/SA at all.
Pointing it at your datafeed if you're getting a RSYNC feed (which doesn't
look to be your case) would just be using the data file URIBL provides
you; pointing it at a URIBL-hosted client domain would probably involve a
DNAME record in your local faux-master multi.uribl.com zone.
https://www.rfc-editor.org/rfc/rfc6672.txt
http://www.informit.com/articles/article.aspx?p=19798
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Maxim IX: Never turn your back on an enemy.
-----------------------------------------------------------------------
11 days until Albert Einstein's 140th Birthday
Re: df.uribl.com
Posted by RW <rw...@googlemail.com>.
On Sat, 2 Mar 2019 15:24:12 +0000
RW wrote:
> Either way should work. Overriding is cleaner if you want to keep the
> default score for one or more rules.
It's also a good idea just in case a URIBL rule ever gets used in a meta
rule.
Re: df.uribl.com
Posted by RW <rw...@googlemail.com>.
On Sat, 2 Mar 2019 08:45:57 -0600
John Schmerold wrote:
> I subscribed to uribl's datafeed service and have read their usage
> documentation on http://uribl.com/usage.shtml
>
> I think I understand how it works, but I am confused by how things
> work with the default 25_uribl.cf file if I want to change the
> rhsbl_zone to _CUSTID.df.uribl.com
>
> We don't want the URIBL rules in 25_uribl and my custom rules to fire
> because that would cause 2x the lookup causing inefficient resource
> utilization. If I use local.cf to set:
> score URIBL_* 0.00
> Will this stop the URIBL rules from firing?
>
> OR, using BLACK as an example, if I put this in local.cf , will it
> over-ride 25_uribl.cf:
> urirhssub URIBL_BLACK _CUSTID.df.uribl.com. A 2
> body URIBL_BLACK eval:check_uridnsbl('URIBL_BLACK')
> describe URIBL_BLACK Contains an URL listed in the URIBL blacklist
> tflags URIBL_BLACK net
> score URIBL_BLACK 6.00
> reuse URIBL_BLACK
>
Either way should work. Overriding is cleaner if you want to keep the
default score for one or more rules. You don't need to override the
describe line.
6.00 seems a bit high to me since it doesn't have a negligible FP rate.