Posted to users@spamassassin.apache.org by Rasmus Haslund <ra...@nowaco.com> on 2009/01/19 15:20:05 UTC
Spamassassin & dnsbl questions
Hi,
Sorry if this seems like a stupid question but I am just trying to
understand the config files better.
For example these:
header __RCVD_IN_NJABL eval:check_rbl('njabl', 'combined.njabl.org.')
describe __RCVD_IN_NJABL Received via a relay in combined.njabl.org
tflags __RCVD_IN_NJABL net
header RCVD_IN_NJABL_RELAY eval:check_rbl_sub('njabl', '127.0.0.2')
describe RCVD_IN_NJABL_RELAY NJABL: sender is confirmed open relay
tflags RCVD_IN_NJABL_RELAY net
In the header area there is a __ in front of one rule but not the
other... is this just naming or does it have any special meaning?
For example I am thinking this could be a way to check not just the last
hop before our mailserver but I'm not sure and
http://wiki.apache.org/spamassassin/DnsBlocklists doesn't seem to
provide an explanation on this.
Thank you in advance.
Best Regards
Rasmus Haslund
NOWACO A/S
Prinsensgade 15
9100 Aalborg, Denmark
Phone: +45 96 30 80 80
Direct: +45 96 30 80 83
Mobile: +45 40 59 94 94
Fax: +45 96 30 80 90
www.nowaco.com
Re: Spamassassin & dnsbl questions
Posted by Martin Gregorie <ma...@gregorie.org>.
On Mon, 2009-01-19 at 09:51 -0500, Matt Kettler wrote:
> Rasmus Haslund wrote:
> > Hi,
> >
> > Sorry if this seems like a stupid question but I am just trying to
> > understand the config files better.
> >
> > For example these:
> >
> > header __RCVD_IN_NJABL eval:check_rbl('njabl', 'combined.njabl.org.')
> > describe __RCVD_IN_NJABL Received via a relay in combined.njabl.org
> > tflags __RCVD_IN_NJABL net
> >
> > header RCVD_IN_NJABL_RELAY eval:check_rbl_sub('njabl', '127.0.0.2')
> > describe RCVD_IN_NJABL_RELAY NJABL: sender is confirmed open relay
> > tflags RCVD_IN_NJABL_RELAY net
> > In the header area there is a __ in front of one rule but not the
> > other... is this just naming or does it have any special meaning?
> Yes. The double underscore causes the rule to run with a default score
> of 0. Normally a rule with no score line counts as 1.0. If you
> explicitly declare a score of 0 for any rule, even a double underscore,
> the rule is disabled.
>
There's another effect as well. The double underscore stops the rule
name from being included in the list of rules that fired on a message.
Because of this, it's often easier to debug a meta rule if you first
write it without underscores and then add them when the rule has been
tested. If you do this, remember to change the subrule names in the meta
when you prefix the subrule names with double underscores.
Martin
Re: Spamassassin & dnsbl questions
Posted by Matt Kettler <mk...@verizon.net>.
Rasmus Haslund wrote:
> Hi,
>
> Sorry if this seems like a stupid question but I am just trying to
> understand the config files better.
>
> For example these:
>
> header __RCVD_IN_NJABL eval:check_rbl('njabl', 'combined.njabl.org.')
> describe __RCVD_IN_NJABL Received via a relay in combined.njabl.org
> tflags __RCVD_IN_NJABL net
>
> header RCVD_IN_NJABL_RELAY eval:check_rbl_sub('njabl', '127.0.0.2')
> describe RCVD_IN_NJABL_RELAY NJABL: sender is confirmed open relay
> tflags RCVD_IN_NJABL_RELAY net
> In the header area there is a __ in front of one rule but not the
> other... is this just naming or does it have any special meaning?
Yes. The double underscore causes the rule to run with a default score
of 0. Normally a rule with no score line counts as 1.0. If you
explicitly declare a score of 0 for any rule, even a double underscore,
the rule is disabled.
This is useful in this case as the first rule (with the double
underscore) causes a DNS lookup, but would match if anything but
NXDOMAIN was returned so you really don't want it to be scored. Then the
second rule (and others like it) can do specific checks against the
answer returned so you're only using one NJABL hosted list at a time.
This kind of thing is normally done for all DNSBLs or URIBLs with
multiple lists encoded in the return value of the one lookup. (i.e.:
127.0.0.2 = list 1, 127.0.0.4 = list 2, etc.)
Double underscore is also commonly used in meta rules, where the
individual tests aren't worth scoring, but the combined result is.
> For example I am thinking this could be a way to check not just the
> last hop before our mailserver but I'm not sure and
> http://wiki.apache.org/spamassassin/DnsBlocklists doesn't seem to
> provide an explanation on this.
Yeah, you'd have to look in the Conf docs under "score"
http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html#scoring_options
Or in the writing rules wiki:
http://wiki.apache.org/spamassassin/WritingRules
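
Added example (not part of the original thread and not SpamAssassin's own code): a small Python model of the rule pair discussed above, showing one DNS lookup feeding both rules, the sub-rule matching on the returned address, and the double-underscore rule adding no score and no reported name. The relay IPs, the DNS answers and the 127.0.0.9 return code are constructed sample values, and the function names are hypothetical.

```python
# Added illustration: a small model of the rule pair discussed in this thread.
# The zone data, relay IPs and the 127.0.0.9 code are constructed sample values.
ZONE = "combined.njabl.org."

# Constructed stand-in for DNS: query name -> A records (missing key = NXDOMAIN)
FAKE_DNS = {
    "10.2.0.192.combined.njabl.org.": ["127.0.0.2"],
    "20.100.51.198.combined.njabl.org.": ["127.0.0.9"],
}

# (rule name, kind, argument) mirroring the two rules quoted in the thread
RULES = [
    ("__RCVD_IN_NJABL", "rbl", ZONE),
    ("RCVD_IN_NJABL_RELAY", "rbl_sub", "127.0.0.2"),
]
SCORES = {}  # no explicit score lines, so the defaults described above apply


def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the zone: 192.0.2.10 -> 10.2.0.192.zone"""
    return ".".join(reversed(ip.split("."))) + "." + zone


def default_score(name):
    """Double-underscore rules default to 0, other unscored rules to 1.0."""
    return 0.0 if name.startswith("__") else 1.0


def evaluate(relay_ip, dns=FAKE_DNS):
    """Return (total score, reported rule names, lookups made) for one relay."""
    lookups = 0
    answers = []  # answer of the single lookup, shared with the sub-rules
    hits = []
    for name, kind, arg in RULES:
        if kind == "rbl":
            # The only rule that queries DNS; it matches on any answer at all.
            answers = dns.get(dnsbl_query_name(relay_ip, arg), [])
            lookups += 1
            matched = bool(answers)
        else:
            # Sub-rule: no new query, just compare against the stored answer.
            matched = arg in answers
        if matched:
            hits.append(name)
    total = sum(SCORES.get(n, default_score(n)) for n in hits)
    reported = [n for n in hits if not n.startswith("__")]
    return total, reported, lookups
```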