Mailspike IP Reputation (was: Re: Fwd: DNSBL mirrors)

[Karsten Bräckelmann <gu...@rudersport.de>]

On Sun, 2010-02-28 at 01:40 +0000, João Gouveia wrote:
> http://mailspike.org/anubis/implementation_sa.html

I guess the rule definitions are slightly broken. After all, the ZBI
meta especially is meant to counter multiple hits. However, since the
plain Z eval() rule does not have a score assigned, it still *does* get
a default score of 1.0.

I'm also slightly irritated by the meta logic. A Z listed "spam wave
participant" only hits ZBI and thus its 4.1, if they are NOT also listed
with a poor reputation. That applies to senders with no previous
reputation data, as well as ones with a *good* reputation otherwise.

On the other hand, a L3 "low reputation" listing prevents ZBI hits, and
scores the 2.9 of L3 only. Compare that to the above with a good sender,
both currently listed in Z. Is that actually intended?

Ah, well, the default 1.0 for Z in this case makes up for that -- turns
the 2.9 into a 3.9 almost equal to 4.1...


What listing and scoring logic did you actually mean? Feel free to give
a verbal rather than logic expression. :)

Also, what I wondered about, can a single IP really have multiple,
different listing results? I should go dig into the code on this.


On a side note, the very brief "Bad" comment on your actual base
check_rbl() eval rule is quite irritating on a first look. Kind of gives
the impression of a bad example, with better rules following...

  guenther


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}