You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Andrea Gelmini <an...@gmail.com> on 2010/08/18 16:47:36 UTC
IP blacklists via Rsync
Hi all,
thanks a lot for the wonderful SpamAssassin.
I'm trying to keep update Wikipedia page about DNS blacklists, also
adding info about blacklists data available via Rsync, for free.
I wrote about UceProtect¹ and Surriel.
I'm checking all of them, but probably you can already point me to
others offering same thing.
Thanks a lot for your time,
Andrea
--------------------------
¹ http://en.wikipedia.org/wiki/Comparison_of_DNS_blacklists
² http://www.uceprotect.net/en/index.php?m=6&s=10
³ http://psbl.surriel.com/howto/
RE: abuse/postmaster lists at RFC-Ignorant.org
Posted by si...@yacc.co.uk.
> here i do
> #
> # meta to hit on both ABUSE and POSTMASTER missing on sending domain
> #
> meta RFC_ABUSE_POST (__DNS_FROM_RFC_ABUSE && __DNS_FROM_RFC_POST &&
> !USER_IN_BLACKLIST && !USER_IN_SPF_WHITELIST && !HAM_LISTED_LOCAL)
> describe RFC_ABUSE_POST Meta: both abuse and postmaster missing on
> sender domain
> score RFC_ABUSE_POST 6.0
Most helpful - thanks.
Re: abuse/postmaster lists at RFC-Ignorant.org
Posted by Benny Pedersen <me...@junc.org>.
On tor 19 aug 2010 02:21:26 CEST, wrote
> A release or two ago, default inclusion of Postmaster and Abuse
> lists at RFC-Ignorant.org were turned off (some will say for good
> reason).
>
> What is easiest way to turn them back on again?
meta it from subrules, both exists as __foo
here i do
#
# meta to hit on both ABUSE and POSTMASTER missing on sending domain
#
meta RFC_ABUSE_POST (__DNS_FROM_RFC_ABUSE && __DNS_FROM_RFC_POST &&
!USER_IN_BLACKLIST && !USER_IN_SPF_WHITELIST && !HAM_LISTED_LOCAL)
describe RFC_ABUSE_POST Meta: both abuse and postmaster missing on
sender domain
score RFC_ABUSE_POST 6.0
--
xpoint http://www.unicom.com/pw/reply-to-harmful.html
RE: abuse/postmaster lists at RFC-Ignorant.org
Posted by si...@yacc.co.uk.
Guys,
Thanks for time and effort on this.
Consider this matter closed.
Mup.
RE: abuse/postmaster lists at RFC-Ignorant.org
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Mon, 2010-08-23 at 18:23 +0100, si@yacc.co.uk wrote:
> I realise that my English isn't that good, but I think what I've
> written is pretty clear.
Not a native English speaker myself, so there's plenty of room for
mis-interpretation...
> I never disputed the fact the rules were there. If you look at my
> original post, I say 'turned off', not 'removed'.
>
> I never said I wanted them for Meta rules, I asked for best way to turn
> then back on again (eventually! :). I am completely open minded re-
> what 'best' may be ... in fact, the whole point of my post was to
> discover what folks consider the best option to be.
OK, so we agree these rules in question have been turned off of sorts.
Turned off in the sense that they do not have a score -- they still
exist and can be used.
Since these rules essentially come for free (no dedicated DNS lookup),
they have been retained as non-scoring sub-rules, so they easily can be
used in meta rules.
> I merely asked for high-level direction/opinion ... call it what you
> will.
In this case the easiest way to (re)enable such a rule is again a meta
rule -- a trivial one, though maybe not immediately obvious, given the
docs are about combining multiple sub-rules.
meta FOO __FOO
score FOO 0.1
> I'm guessing you'll require the last word in this exchange, so maybe
I don't. :) But I prefer any thread to end without any ill-feeling and
a solution to the question.
> you could address one technical issue in the process ... Mr Pederson
> has suggested that META's might be the way to go, rather than
> reinstating individual rules. I tend towards this opinion myself, but
> remain open minded. Do you have a technical view on this subject?
Recent mass-checks have shown that the rules in question are not useful
to identify spam -- on their own, that is.
They might prove more worthwhile together with other rules, as a meta.
If they actually are, however, depends on your particular mail in-stream
and the other parts of the meta you come up with.
A meta rule often is useful to construct a more reliable rule, based on
less reliable parts. Whether this works out for the rules in question to
actually make a difference in detecting spam remains to be shown.
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
RE: abuse/postmaster lists at RFC-Ignorant.org
Posted by si...@yacc.co.uk.
I realise that my English isn't that good, but I think what I've written is pretty clear.
I never disputed the fact the rules were there. If you look at my original post, I say 'turned off', not 'removed'.
I never said I wanted them for Meta rules, I asked for best way to turn then back on again (eventually! :). I am completely open minded re- what 'best' may be ... in fact, the whole point of my post was to discover what folks consider the best option to be.
I agree that simply pasting parts of rule files and manuals into your reply is a waste to the list's time ... the least you can expect folks to do is their own basic research, which I have done. But I never asked you or anyone else to do spoon-feed me in this way.
I merely asked for high-level direction/opinion ... call it what you will.
I think that any confusion that has been created is due to you putting words into my mouth, reading unintended things between the lines, and making too many assumptions about me personally ... like I can't be bothered to look through rule files, and 'one doesn't understand the bad things implied'.
I'm guessing you'll require the last word in this exchange, so maybe you could address one technical issue in the process ... Mr Pederson has suggested that META's might be the way to go, rather than reinstating individual rules. I tend towards this opinion myself, but remain open minded. Do you have a technical view on this subject?
Thanks again for your time sir.
-----Original Message-----
From: Karsten Bräckelmann [mailto:guenther@rudersport.de]
Sent: 23 August 2010 17:11
To: users@spamassassin.apache.org
Subject: RE: abuse/postmaster lists at RFC-Ignorant.org
On Mon, 2010-08-23 at 10:05 +0100, si@yacc.co.uk wrote:
> > So, no, I guess I'd better not post these trivial rules in public. The
> > above hints are a dead give-away already.
>
> Absolutely not - to do so would be patronising beyond words!
Not a dead give-away, you mean? I'm slightly confused. Maybe you
shouldn't have snipped the most important part from my previous post.
"The rules even *do* exist in the latest 3.3 rule-set. They just happen
to not score."
Since you apparently want them for meta rules, that's exactly what they
are there for. As I said, they still do exist. The rule names did not
even change, other than adding the special non-scoring double-underscore
prefix.
So, mind grepping for the rules!?
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
RE: abuse/postmaster lists at RFC-Ignorant.org
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Mon, 2010-08-23 at 10:05 +0100, si@yacc.co.uk wrote:
> > So, no, I guess I'd better not post these trivial rules in public. The
> > above hints are a dead give-away already.
>
> Absolutely not - to do so would be patronising beyond words!
Not a dead give-away, you mean? I'm slightly confused. Maybe you
shouldn't have snipped the most important part from my previous post.
"The rules even *do* exist in the latest 3.3 rule-set. They just happen
to not score."
Since you apparently want them for meta rules, that's exactly what they
are there for. As I said, they still do exist. The rule names did not
even change, other than adding the special non-scoring double-underscore
prefix.
So, mind grepping for the rules!?
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
RE: abuse/postmaster lists at RFC-Ignorant.org
Posted by si...@yacc.co.uk.
> These sub-BL listings still have been used in 3.1.x, no need to dig
into
> the ancient age of 2.5x. As you said yourself, "a release or two ago".
> Why do you now bring up that version?
That's the last version I did anything serious with, and version used to
produce the system I'm presently replacing. Thought it may help from a
'context' pov.
> Uhm, did I really give the impression you'd have been annoying? Nah,
not
> my intention.
> However, I got the impression you do not actually realize the
> suitability of these tests to identify spam.
Like the man says - without smileys, e-mail would lead to even more
fist-fights than it already does :)
> Varying mileage or not. Did
> you have a look at recent mass-check results? Kind of missing spam
hits
> at all.
Yes. FYI - I've always used the rfc-Ignorant stuff to add, shall we say
'texture' to other info. For example, if you hit on missing abuse and
postmaster, and sender DNS is broken, etc, etc, you're probably dealing
with an 'unloved' domain, and thus (in my experience) more likely to
receive spam from it. I repeat - your mileage may vary, but in situation
I'm dealing with, it's helpful.
> So, no, I guess I'd better not post these trivial rules in public. The
> above hints are a dead give-away already.
Absolutely not - to do so would be patronising beyond words!
Thanks for your help
RE: abuse/postmaster lists at RFC-Ignorant.org
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Thu, 2010-08-19 at 09:19 +0100, si@yacc.co.uk wrote:
> RE- 'digging' ... I have, but SA seems to have come along a fair bit
> since SA2.5 days, hence the word 'easiest'. Maybe 'best' would have
> been a better choice of word.
These sub-BL listings still have been used in 3.1.x, no need to dig into
the ancient age of 2.5x. As you said yourself, "a release or two ago".
Why do you now bring up that version?
There is a bug about disabling them in the SA bugzilla, including
discussion, reasoning and code.
The rules even *do* exist in the latest 3.3 rule-set. They just happen
to not score.
> Re- risk. Thing with risk is that 'mileage varies' ... I can live with
> it in context of how I wish to use lists, but thanks for pointing that
> out.
>
> Thanks for your time in replying, and further appols for annoying you
> so much.
Uhm, did I really give the impression you'd have been annoying? Nah, not
my intention.
However, I got the impression you do not actually realize the
suitability of these tests to identify spam. Varying mileage or not. Did
you have a look at recent mass-check results? Kind of missing spam hits
at all.
So, no, I guess I'd better not post these trivial rules in public. The
above hints are a dead give-away already.
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
RE: abuse/postmaster lists at RFC-Ignorant.org
Posted by Benny Pedersen <me...@junc.org>.
On tor 19 aug 2010 10:19:47 CEST, wrote
> Re- hijack - sorry - it was 1:20am when I sent this ... we all make
> mistakes :)
road to hell is paid with good intentions :)
> RE- 'digging' ... I have, but SA seems to have come along a fair bit
> since SA2.5 days, hence the word 'easiest'. Maybe 'best' would have
> been a better choice of word.
yes, but my example is just an example it might not work but it does for me
--
xpoint http://www.unicom.com/pw/reply-to-harmful.html
RE: abuse/postmaster lists at RFC-Ignorant.org
Posted by si...@yacc.co.uk.
Re- hijack - sorry - it was 1:20am when I sent this ... we all make mistakes :)
RE- 'digging' ... I have, but SA seems to have come along a fair bit since SA2.5 days, hence the word 'easiest'. Maybe 'best' would have been a better choice of word.
Re- risk. Thing with risk is that 'mileage varies' ... I can live with it in context of how I wish to use lists, but thanks for pointing that out.
Thanks for your time in replying, and further appols for annoying you so much.
Si.
-----Original Message-----
From: Karsten Bräckelmann [mailto:guenther@rudersport.de]
Sent: 19 August 2010 01:45
To: users@spamassassin.apache.org
Subject: Re: abuse/postmaster lists at RFC-Ignorant.org
Please do NOT reply to an unrelated message, if you actually intend to
start a new thread. In-Reply-To and References headers make your post
appear as a reply to another post. You just hi-jacked a thread.
On Thu, 2010-08-19 at 01:21 +0100, si@yacc.co.uk wrote:
> A release or two ago, default inclusion of Postmaster and Abuse lists
> at RFC-Ignorant.org were turned off (some will say for good reason).
>
> What is easiest way to turn them back on again?
I would agree with the assessment of "for good reason".
Moreover, I have a very strong gut feeling, that if finding out the
answer to this question is too hard to get by digging through old list
posts or rule-sets where it still was used -- one better should not add
them, because one doesn't understand the bad things implied.
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: abuse/postmaster lists at RFC-Ignorant.org
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
Please do NOT reply to an unrelated message, if you actually intend to
start a new thread. In-Reply-To and References headers make your post
appear as a reply to another post. You just hi-jacked a thread.
On Thu, 2010-08-19 at 01:21 +0100, si@yacc.co.uk wrote:
> A release or two ago, default inclusion of Postmaster and Abuse lists
> at RFC-Ignorant.org were turned off (some will say for good reason).
>
> What is easiest way to turn them back on again?
I would agree with the assessment of "for good reason".
Moreover, I have a very strong gut feeling, that if finding out the
answer to this question is too hard to get by digging through old list
posts or rule-sets where it still was used -- one better should not add
them, because one doesn't understand the bad things implied.
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
abuse/postmaster lists at RFC-Ignorant.org
Posted by si...@yacc.co.uk.
Guys,
A release or two ago, default inclusion of Postmaster and Abuse lists at RFC-Ignorant.org were turned off (some will say for good reason).
What is easiest way to turn them back on again?
Thanks
Mup.
Re: IP blacklists via Rsync
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 18.08.10 16:47, Andrea Gelmini wrote:
> Hi all,
> thanks a lot for the wonderful SpamAssassin.
>
> I'm trying to keep update Wikipedia page about DNS blacklists, also
> adding info about blacklists data available via Rsync, for free.
> I wrote about UceProtect¹ and Surriel.
> I'm checking all of them, but probably you can already point me to
> others offering same thing.
afaik sorbs and njabl do support that on request. rfc-ignorant is also
available. I guess you are having many customers, aren't you?
otherwise it's not worth doing this
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
On the other hand, you have different fingers.