Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2006/11/26 19:27:20 UTC

[Bug 5209] New: Suggest checking all untrusted addresses against XBL.

http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5209

           Summary: Suggest checking all untrusted addresses against XBL.
           Product: Spamassassin
           Version: 3.1.7
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P5
         Component: Rules (Eval Tests)
        AssignedTo: dev@spamassassin.apache.org
        ReportedBy: vectro@vectro.org


Today I received a piece of spam with the following routing:
Spammer -> Open Proxy (XBL listed) -> Open Relay (unlisted) -> My host

Because spamassassin does not check the XBL except with -lastexternal, and
because the open relay was unlisted, the spam was falsely marked as ham.

Is there a good reason why we only check the XBL against the last connecting
machine? Even if you assume all open relays are listed somewhere, the spammer
can still connect to a closed relay (that is open to the spammer).



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
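
The routing in the report above, worked through as an added example (not code from the thread or from SpamAssassin): it compares a DNSBL check of only the last external hop with a check of every untrusted hop. The zone name, networks, header lines and the fake resolver are constructed assumptions, and the trusted/internal distinction is simplified to one list of internal networks.

```python
import ipaddress
import re

XBL_ZONE = "xbl.spamhaus.org"      # assumed zone name for this sketch
INTERNAL_NETS = ["192.0.2.0/24"]   # constructed: the receiving site's own hosts

# Constructed Received headers, newest first, for the routing in the report:
# spammer -> open proxy (listed) -> open relay (unlisted) -> my host
RECEIVED = [
    "from mx.myhost.example (mx.myhost.example [192.0.2.10]) by mail.myhost.example",
    "from relay.example.net (relay.example.net [198.51.100.7]) by mx.myhost.example",
    "from proxy.example.org (unknown [203.0.113.25]) by relay.example.net",
]
# Constructed stand-in for the DNSBL: only the open proxy is listed.
FAKE_LISTED = {"25.113.0.203.xbl.spamhaus.org"}


def relay_ips(headers):
    """Return the bracketed IPv4 address of each hop, newest first."""
    found = (re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", h) for h in headers)
    return [ipaddress.IPv4Address(m.group(1)) for m in found if m]


def dnsbl_name(ip, zone=XBL_ZONE):
    """DNSBL query name: the address octets reversed, followed by the zone."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def xbl_hits(headers, is_listed, last_external_only):
    """Hops that are listed, checking either only the last external hop or
    every hop from the last external one back towards the sender."""
    nets = [ipaddress.ip_network(n) for n in INTERNAL_NETS]
    ips = relay_ips(headers)
    # Skip our own hops; the first address outside them handed us the mail.
    start = 0
    while start < len(ips) and any(ips[start] in n for n in nets):
        start += 1
    untrusted = ips[start:]
    checked = untrusted[:1] if last_external_only else untrusted
    return [str(ip) for ip in checked if is_listed(dnsbl_name(ip))]


def fake_is_listed(name):
    # A live check would resolve `name` in DNS and treat an A record as a hit.
    return name in FAKE_LISTED


if __name__ == "__main__":
    print(xbl_hits(RECEIVED, fake_is_listed, last_external_only=True))
    print(xbl_hits(RECEIVED, fake_is_listed, last_external_only=False))
```

With these inputs the last-external check finds nothing, while the all-untrusted check reports the proxy address recorded by the relay.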

[Bug 5209] Suggest checking all untrusted addresses against XBL.

Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5209





------- Additional Comments From jm@jmason.org  2006-11-27 08:31 -------
actually, something along those lines appears to be going on here:

http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4728




[Bug 5209] Suggest checking all untrusted addresses against XBL.

Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5209





------- Additional Comments From vectro@vectro.org  2006-11-27 08:20 -------
(In reply to comment #1)
> yes, the measured FP rate was lower.

I suppose that that's because of machines that are infected with rootkits but
are also used by authors of genuine ham.

What if we allowed the perceptron to score XBL-lastexternal and XBL-untrusted
separately? Just because -lastexternal has greater predictive power doesn't mean
that -untrusted has none.




[Bug 5209] Suggest checking all untrusted addresses against XBL.

Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5209


jm@jmason.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID




------- Additional Comments From jm@jmason.org  2006-11-26 14:59 -------
'Is there a good reason why we only check the XBL against the last connecting
machine?'

yes, the measured FP rate was lower.


