Posted to users@spamassassin.apache.org by List Mail User <tr...@Plectere.com> on 2005/01/08 06:02:47 UTC
More URI tests to drive up scores (was Re: Implicit trust of surbl and sbl)
I have used the following rules (which greatly overlap the existing URI
rules) to drive up scores, while not repeating the same tests or increasing the
scores for existing tests. YMMV, but they work for me (v3.0.x).
uridnsbl URIBL_COMPLETEWHOIS combined-HIB.dnsiplists.completewhois.com. A
body URIBL_COMPLETEWHOIS eval:check_uridnsbl('URIBL_COMPLETEWHOIS')
describe URIBL_COMPLETEWHOIS Contains an URL listed in the combined-HIB.dnsiplists.completewhois.com blocklist
tflags URIBL_COMPLETEWHOIS net
urirhssub URIBL_RHS_DSN fulldom.rfc-ignorant.org. A 127.0.0.2
body URIBL_RHS_DSN eval:check_uridnsbl('URIBL_RHS_DSN')
describe URIBL_RHS_DSN Contains an URL listed in the dsn.rfc-ignorant.org blocklist
tflags URIBL_RHS_DSN net
urirhssub URIBL_RHS_POST fulldom.rfc-ignorant.org. A 127.0.0.3
body URIBL_RHS_POST eval:check_uridnsbl('URIBL_RHS_POST')
describe URIBL_RHS_POST Contains an URL listed in the postmaster.rfc-ignorant.org blocklist
tflags URIBL_RHS_POST net
urirhssub URIBL_RHS_ABUSE fulldom.rfc-ignorant.org. A 127.0.0.4
body URIBL_RHS_ABUSE eval:check_uridnsbl('URIBL_RHS_ABUSE')
describe URIBL_RHS_ABUSE Contains an URL listed in the abuse.rfc-ignorant.org blocklist
tflags URIBL_RHS_ABUSE net
urirhssub URIBL_RHS_WHOIS fulldom.rfc-ignorant.org. A 127.0.0.5
body URIBL_RHS_WHOIS eval:check_uridnsbl('URIBL_RHS_WHOIS')
describe URIBL_RHS_WHOIS Contains an URL listed in the whois.rfc-ignorant.org blocklist
tflags URIBL_RHS_WHOIS net
urirhssub URIBL_RHS_BOGUSMX fulldom.rfc-ignorant.org. A 127.0.0.8
body URIBL_RHS_BOGUSMX eval:check_uridnsbl('URIBL_RHS_BOGUSMX')
describe URIBL_RHS_BOGUSMX Contains an URL listed in the bogusmx.rfc-ignorant.org blocklist
tflags URIBL_RHS_BOGUSMX net
With the (completely empirically - almost arbitrarily - chosen) scores of:
score URIBL_COMPLETEWHOIS 1.75
score URIBL_RHS_DSN 0.5
score URIBL_RHS_POST 0.75
score URIBL_RHS_ABUSE 0.25
score URIBL_RHS_WHOIS 1.33
score URIBL_RHS_BOGUSMX 3.75
Note: as might be expected, the "abuse" and "postmaster" tests give a
lot of FPs, particularly from the free (but often abused) services like Hotmail.
Hence the low score assigned to them. On the other hand the "bogusmx" test is
a good candidate for a higher score (I've never seen a false positive for my
admittedly very biased corpus).
The "combined-HIB.dnsiplists.completewhois.com." list can be considered
to be a likely replacement for the now discontinued "ipwhois.rfc-ignorant.org".
I also use similar "RCVD_IN_*" rules to drive up scores (with a
similar low weighting on "abuse" and "postmaster").
The logical rationale behind these is: if you or your ISP either
don't accept complaints, or lie about your contact data, I probably don't
want to hear from you.
The score values are low enough that they don't cause (not for me
at least) FPs for email from mailing lists where the original poster has one
of those appended advertisements at the bottom (like "Sign up now for your
free email at xyz.com" and xyz.com fails the postmaster/abuse tests - so the
"-notfirsthop" option may be appropriate for any similar RCVD_IN_* rules,
though I don't use it myself).
Hope these help someone,
Paul Shupak
hostmaster@plectere.com
Re: More URI tests to drive up scores (was Re: Implicit trust of surbl and sbl)
Posted by Jeff Chan <je...@surbl.org>.
On Friday, January 7, 2005, 9:02:47 PM, List User wrote:
> I have used the following rules (which greatly overlap the existing URI
> rules) to drive up scores, while not repeating the same tests or increasing the
> scores for existing tests. YMMV, but they work for me (v3.0.x).
> uridnsbl URIBL_COMPLETEWHOIS combined-HIB.dnsiplists.completewhois.com. A
> body URIBL_COMPLETEWHOIS eval:check_uridnsbl('URIBL_COMPLETEWHOIS')
> describe URIBL_COMPLETEWHOIS Contains an URL listed in the combined-HIB.dnsiplists.completewhois.com blocklist
> tflags URIBL_COMPLETEWHOIS net
> urirhssub URIBL_RHS_DSN fulldom.rfc-ignorant.org. A 127.0.0.2
> body URIBL_RHS_DSN eval:check_uridnsbl('URIBL_RHS_DSN')
> describe URIBL_RHS_DSN Contains an URL listed in the dsn.rfc-ignorant.org blocklist
> tflags URIBL_RHS_DSN net
> urirhssub URIBL_RHS_POST fulldom.rfc-ignorant.org. A 127.0.0.3
> body URIBL_RHS_POST eval:check_uridnsbl('URIBL_RHS_POST')
> describe URIBL_RHS_POST Contains an URL listed in the postmaster.rfc-ignorant.org blocklist
> tflags URIBL_RHS_POST net
> urirhssub URIBL_RHS_ABUSE fulldom.rfc-ignorant.org. A 127.0.0.4
> body URIBL_RHS_ABUSE eval:check_uridnsbl('URIBL_RHS_ABUSE')
> describe URIBL_RHS_ABUSE Contains an URL listed in the abuse.rfc-ignorant.org blocklist
> tflags URIBL_RHS_ABUSE net
> urirhssub URIBL_RHS_WHOIS fulldom.rfc-ignorant.org. A 127.0.0.5
> body URIBL_RHS_WHOIS eval:check_uridnsbl('URIBL_RHS_WHOIS')
> describe URIBL_RHS_WHOIS Contains an URL listed in the whois.rfc-ignorant.org blocklist
> tflags URIBL_RHS_WHOIS net
> urirhssub URIBL_RHS_BOGUSMX fulldom.rfc-ignorant.org. A 127.0.0.8
> body URIBL_RHS_BOGUSMX eval:check_uridnsbl('URIBL_RHS_BOGUSMX')
> describe URIBL_RHS_BOGUSMX Contains an URL listed in the bogusmx.rfc-ignorant.org blocklist
> tflags URIBL_RHS_BOGUSMX net
Hi Paul,
I'm not sure that this is a correct use of urirhssub, which
may have been more suited towards bitmasked lists such as
multi.surbl.org and CBL. In other words, it may only be
useable with power of two results like 127.0.0.2,4,8,16,32.
To be honest I haven't checked how the urirhssub source
code handles other cases. urirhsbl may be more appropriate
if the result codes are not encoded with bitmask positions.
http://www.surbl.org/lists.html#multi
Jeff C.
--
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/