Posted to users@spamassassin.apache.org by Rasmus Haslund <ra...@nowaco.com> on 2009/01/19 15:20:05 UTC

Spamassassin & dnsbl questions

Hi,
 
Sorry if this seems like a stupid question but I am just trying to
understand the config files better.
 
For example these:
 
header __RCVD_IN_NJABL  eval:check_rbl('njabl', 'combined.njabl.org.')
describe __RCVD_IN_NJABL Received via a relay in combined.njabl.org
tflags __RCVD_IN_NJABL  net
 
header RCVD_IN_NJABL_RELAY eval:check_rbl_sub('njabl', '127.0.0.2')
describe RCVD_IN_NJABL_RELAY NJABL: sender is confirmed open relay
tflags RCVD_IN_NJABL_RELAY net

In the header area there is a __ in front of one rule but not the
other... is this just naming or does it have any special meaning?
For example I am thinking this could be a way to check not just the last
hop before our mailserver but I'm not sure and 
http://wiki.apache.org/spamassassin/DnsBlocklists doesn't seem to
provide an explanation on this.
 
Thank you in advance.
 
Best Regards
 
 
Rasmus Haslund
 
NOWACO A/S
Prinsensgade 15
9100 Aalborg, Denmark
 
Phone:	 +45 96 30 80 80	
Direct:	 +45 96 30 80 83	
Mobile:	 +45 40 59 94 94	
Fax:	 +45 96 30 80 90	
www.nowaco.com 
 

Re: Spamassassin & dnsbl questions

Posted by Martin Gregorie <ma...@gregorie.org>.
On Mon, 2009-01-19 at 09:51 -0500, Matt Kettler wrote:
> Rasmus Haslund wrote:
> > Hi,
> >  
> > Sorry if this seems like a stupid question but I am just trying to
> > understand the config files better.
> >  
> > For example these:
> >  
> > header __RCVD_IN_NJABL  eval:check_rbl('njabl', 'combined.njabl.org.')
> > describe __RCVD_IN_NJABL Received via a relay in combined.njabl.org
> > tflags __RCVD_IN_NJABL  net
> >  
> > header RCVD_IN_NJABL_RELAY eval:check_rbl_sub('njabl', '127.0.0.2')
> > describe RCVD_IN_NJABL_RELAY NJABL: sender is confirmed open relay
> > tflags RCVD_IN_NJABL_RELAY net
> > In the header area there is a __ in front of one rule but not the
> > other... is this just naming or does it have any special meaning?
> Yes. The double underscore causes the rule to run with a default score
> of 0. Normally a rule with no score line counts as 1.0. If you
> explicitly declare a score of 0 for any rule, even a double underscore,
> the rule is disabled.
> 
There's another effect as well. The double underscore stops the rule
name from being included in the list of rules that fired on a message.

Because of this, it's often easier to debug a meta rule if you first
write it without underscores and then add them when the rule has been
tested. If you do this, remember to change the subrule names in the meta
when you prefix the subrule names with double underscores.
 

Martin



Re: Spamassassin & dnsbl questions

Posted by Matt Kettler <mk...@verizon.net>.
Rasmus Haslund wrote:
> Hi,
>  
> Sorry if this seems like a stupid question but I am just trying to
> understand the config files better.
>  
> For example these:
>  
> header __RCVD_IN_NJABL  eval:check_rbl('njabl', 'combined.njabl.org.')
> describe __RCVD_IN_NJABL Received via a relay in combined.njabl.org
> tflags __RCVD_IN_NJABL  net
>  
> header RCVD_IN_NJABL_RELAY eval:check_rbl_sub('njabl', '127.0.0.2')
> describe RCVD_IN_NJABL_RELAY NJABL: sender is confirmed open relay
> tflags RCVD_IN_NJABL_RELAY net
> In the header area there is a __ in front of one rule but not the
> other... is this just naming or does it have any special meaning?
Yes. The double underscore causes the rule to run with a default score
of 0. Normally a rule with no score line counts as 1.0. If you
explicitly declare a score of 0 for any rule, even a double underscore,
the rule is disabled.

This is useful in this case as the first rule (with the double
underscore) causes a DNS lookup, but would match if anything but
NXDOMAIN was returned so you really don't want it to be scored. Then the
second rule (and others like it) can do specific checks against the
answer returned so you're only using one NJABL hosted list at a time.

This kind of thing is normally done for all DNSBLs or URIBLs with
multiple lists encoded in the return value of the one lookup. (i.e.:
127.0.0.2 = list 1, 127.0.0.4 = list 2, etc.)

Double underscore is also commonly used in meta rules, where the
individual tests aren't worth scoring, but the combined result is.

> For example I am thinking this could be a way to check not just the
> last hop before our mailserver but I'm not sure and
> http://wiki.apache.org/spamassassin/DnsBlocklists doesn't seem to
> provide an explanation on this.
Yeah, you'd have to look in the Conf docs under "score"

http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html#scoring_options

Or in the writing rules wiki:

http://wiki.apache.org/spamassassin/WritingRules
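
The behaviour described in this thread, as an added example that is not part of the original posts and is not SpamAssassin's own code: a small Python model of one DNSBL lookup per set, sub-rules that test the returned address, and the scoring effect of the double underscore. The resolver table, the 192.0.2.x relay addresses and the function names are constructed for illustration.

```python
import ipaddress

# Constructed stub resolver data: query name -> A records (absent = NXDOMAIN).
FAKE_DNS = {
    "10.2.0.192.combined.njabl.org.": ["127.0.0.2"],
    "20.2.0.192.combined.njabl.org.": ["127.0.0.4"],
}

# Rules as quoted in the thread: one lookup rule per set, sub-rules test the answer.
LOOKUPS = {"__RCVD_IN_NJABL": ("njabl", "combined.njabl.org.")}
SUBRULES = {"RCVD_IN_NJABL_RELAY": ("njabl", "127.0.0.2")}


def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the zone, the usual DNSBL query form."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def evaluate(relay_ip, scores=None, resolver=FAKE_DNS):
    """Return (reported_rules, total_score, dns_queries) for one relay IP."""
    scores = scores or {}

    def enabled(rule):
        return scores.get(rule) != 0            # an explicit score of 0 disables

    answers, fired, queries = {}, [], 0
    for rule, (set_name, zone) in LOOKUPS.items():
        if not enabled(rule):
            continue                            # in this model: no lookup at all
        queries += 1                            # one DNS query per set
        answers[set_name] = resolver.get(dnsbl_query_name(relay_ip, zone), [])
        if answers[set_name]:                   # matches anything but NXDOMAIN
            fired.append(rule)
    for rule, (set_name, wanted) in SUBRULES.items():
        if enabled(rule) and wanted in answers.get(set_name, []):
            fired.append(rule)                  # reuses the answer, no new query
    # "__" rules add nothing to the score and are left out of the report.
    reported = [r for r in fired if not r.startswith("__")]
    total = sum(scores.get(r, 1.0) for r in reported)   # default score is 1.0
    return reported, total, queries


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(ip, evaluate(ip))
```

The second address is listed in the zone with a different return value, so the lookup rule matches but nothing is scored or reported, which is why the lookup rule itself carries the double underscore.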