Posted to dev@spamassassin.apache.org by Jeff Chan <je...@surbl.org> on 2004/04/22 07:29:14 UTC

ANNOUNCE: BigEvil.cf and MidEvil.cf are now available in SURBL form as be.surbl.org

BigEvil.cf and MidEvil.cf are now available in SURBL form as
be.surbl.org, for use with SpamCopURI SpamAssassin 2.63 and
URIDNSBL SpamAssassin 3.0 plugins.  Thanks Chris, Paul and
Gary Funck!

Here's an excerpt about the new list from the Quick Start
section: 


  http://www.surbl.org/

Chris Santerre and Paul Barbeau's BigEvil and MidEvil
SpamAssassin rules are now available as an SURBL for use with
plugins and programs such as those mentioned above which can
extract message body URI domains and compare them against
name-based RBLs. The name of the list is be.surbl.org, and some
sample rules and scores to use it appear below. The well-known
and popular BigEvil and MidEvil SA rulesets are used to block
messages based on domains that have occurred in spam message body
URIs. Using this as an SURBL instead allows you to remove this
relatively large ruleset from SA memory and lets DNS cache the
data in a zone file instead, querying SURBL hits from DNS as
needed. 

An SA 2.63 rule and score using SpamCopURI (but not the SpamCop
data!) looks like this: 

uri       BE_URI_RBL  eval:check_spamcop_uri_rbl('be.surbl.org','127.0.0.2')
describe  BE_URI_RBL  URI's domain appears in BigEvil
tflags    BE_URI_RBL  net

score     BE_URI_RBL  3.0

An SA 3.0 rule and score using URIBL's urirhsbl looks like this:

urirhsbl  URIBL_BE_SURBL  be.surbl.org.   A
header    URIBL_BE_SURBL  eval:check_uridnsbl('URIBL_BE_SURBL')
describe  URIBL_BE_SURBL  Contains a URL listed BigEvil
tflags    URIBL_BE_SURBL  net

score     URIBL_BE_SURBL  3.0

be.surbl.org can be used alone or with other SURBL lists; all
that's needed are different rule and score names, as we've shown
in the samples. More information about be.surbl.org can be found
in the Additional SURBLs section.

  http://www.surbl.org/additional.html


be.surbl.org joins Bill Stearns' sa-blacklist-based ws.surbl.org
and my own SpamCop URI-based sc.surbl.org SURBLs.  All are
described more at the site.

Please send me any questions, comments, corrections, updates,
etc.

Cheers,

Jeff C.

P.S. We will probably offer a combined list at some point.
We're still working out the details of that.  Until then it's
quite possible to use one or more of the lists simply by using
separate SA rules for each one that you want to use, as shown
in the Quick Start samples.

P.P.S. The sample rules have been updated to mention "SpamCop"
only in the descriptions of rules that actually use SpamCop data.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/


BigEvil.cf and SURBL

Posted by Andy Jezierski <aj...@stepan.com>.
I noticed that be.surbl.org doesn't catch the domains referenced by the 
BigEvilList_RX rule.  Are there other rules in bigevil that surbl won't 
catch?  I'd like to strip those out and create a LittleEvil   :-)  Or is 
that the only rule?

Thanks.
Andy

Re: ANNOUNCE: BigEvil.cf and MidEvil.cf are now available in SURBL

Posted by Matthias Fuhrmann <Ma...@stud.uni-hannover.de>.
On Thu, 22 Apr 2004, Mark wrote:

> Matthias Fuhrmann wrote:
>
> > On Wed, 21 Apr 2004, Jeff Chan wrote:
> >
> > Hi,
> >
> >> BigEvil.cf and MidEvil.cf are now available in SURBL form as
> >> be.surbl.org, for use with SpamCopURI SpamAssassin 2.63 and
> >> URIDNSBL SpamAssassin 3.0 plugins.
> >
> > just installed SpamCopURI and added ws and be.surbl to my local.cf.
> > things are really fast now after removing text-based rulesets. i only
> > can recommend them.
>
> Are you saying an RBL lookup is faster than executing a local regex?? I find
> that difficult to imagine. Please, explain.

spoken for our weak equipment. due to lag of ram and massive usage of
vmem, things are slow down here. after removing 200+ kb of textbased regex
the amount of mem usage per spamd child decreased by nearly 15% per
child, assuming it gives a speed benefit.

regards,
Matthias

Re: ANNOUNCE: BigEvil.cf and MidEvil.cf are now available in SURBL

Posted by Mark <ad...@asarian-host.net>.
Matthias Fuhrmann wrote:

> On Wed, 21 Apr 2004, Jeff Chan wrote:
>
> Hi,
>
>> BigEvil.cf and MidEvil.cf are now available in SURBL form as
>> be.surbl.org, for use with SpamCopURI SpamAssassin 2.63 and
>> URIDNSBL SpamAssassin 3.0 plugins.
>
> just installed SpamCopURI and added ws and be.surbl to my local.cf.
> things are really fast now after removing text-based rulesets. i only
> can recommend them.

Are you saying an RBL lookup is faster than executing a local regex?? I find
that difficult to imagine. Please, explain.

Thanks,

- Mark

        System Administrator Asarian-host.org

---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx



Re: ANNOUNCE: BigEvil.cf and MidEvil.cf are now available in SURBL

Posted by Jeff Chan <je...@surbl.org>.
On Thursday, April 22, 2004, 6:17:45 AM, Matthias Fuhrmann wrote:
> On Thu, 22 Apr 2004, Jeff Chan wrote:
>> BTW Now that you have SpamCopURI installed, please consider
>> giving sc.surbl.org a try also.  You may be pleasantly surprised
>> at the results.

> already did. installing SpamCopURI implies using sc.surbl, i thought at
> least :)

Aha, I've got it now....  :-)  (Since you mentioned BigEvil and
sa-blacklist, I thought perhaps that you were installing just to
replace those, which could be a popular thing to do to save
memory, etc.)

>> I hope our web site is clear that there are three lists now
>> and not just one or two.  :-)

> the website is just fine. quickstart got all information for adding all
> _three_ rules/lists :)

Thanks!

Jeff C.


Re: ANNOUNCE: BigEvil.cf and MidEvil.cf are now available in SURBL

Posted by Matthias Fuhrmann <Ma...@stud.uni-hannover.de>.
On Thu, 22 Apr 2004, Jeff Chan wrote:

[...]
> > are really fast now after removing text-based rulesets. i only can
> > recommend them.
> > and thanks for all your effort!
>
> Thanks for the feedback!  It's been fun to help put these
> good works into a new form.
>
> BTW Now that you have SpamCopURI installed, please consider
> giving sc.surbl.org a try also.  You may be pleasantly surprised
> at the results.

already did. installing SpamCopURI implies using sc.surbl, i thought at
least :)

> I hope our web site is clear that there are three lists now
> and not just one or two.  :-)

the website is just fine. quickstart got all information for adding all
_three_ rules/lists :)

cheers,
Matthias

Re: ANNOUNCE: BigEvil.cf and MidEvil.cf are now available in SURBL

Posted by Jeff Chan <je...@surbl.org>.
On Thursday, April 22, 2004, 6:00:36 AM, Matthias Fuhrmann wrote:
> On Wed, 21 Apr 2004, Jeff Chan wrote:
>> BigEvil.cf and MidEvil.cf are now available in SURBL form as
>> be.surbl.org, for use with SpamCopURI SpamAssassin 2.63 and
>> URIDNSBL SpamAssassin 3.0 plugins.

> just installed SpamCopURI and added ws and be.surbl to my local.cf. things
> are really fast now after removing text-based rulesets. i only can
> recommend them.
> and thanks for all your effort!

Thanks for the feedback!  It's been fun to help put these
good works into a new form.

BTW Now that you have SpamCopURI installed, please consider
giving sc.surbl.org a try also.  You may be pleasantly surprised
at the results.

I hope our web site is clear that there are three lists now
and not just one or two.  :-)

Cheers,

Jeff C.


Re: ANNOUNCE: BigEvil.cf and MidEvil.cf are now available in SURBL

Posted by Matthias Fuhrmann <Ma...@stud.uni-hannover.de>.
On Wed, 21 Apr 2004, Jeff Chan wrote:

Hi,

> BigEvil.cf and MidEvil.cf are now available in SURBL form as
> be.surbl.org, for use with SpamCopURI SpamAssassin 2.63 and
> URIDNSBL SpamAssassin 3.0 plugins.

just installed SpamCopURI and added ws and be.surbl to my local.cf. things
are really fast now after removing text-based rulesets. i only can
recommend them.
and thanks for all your effort!

regards,
Matthias

Re: ANNOUNCE: BigEvil.cf and MidEvil.cf are now available in SURBL form as be.surbl.org

Posted by Jeff Chan <je...@surbl.org>.
On Thursday, April 22, 2004, 8:30:42 AM, Mark Mark wrote:
> Jeff Chan wrote:
>> BigEvil.cf and MidEvil.cf are now available in SURBL form as
>> be.surbl.org, for use with SpamCopURI SpamAssassin 2.63 and
>> URIDNSBL SpamAssassin 3.0 plugins.  Thanks Chris, Paul and
>> Gary Funck!

> I thought the traditional BigEvil regex rules are done on the entire URL,
> right? (I pretty much always assumed that; I'm probably wrong about this
> then). So, what prefix are we to pass to be.surbl.org? Also a single, 2-3
> level domain name?

We are extracting the domains from BigEvil + MidEvil, doing some
minor processing on them, and putting them into be.surbl.org.
These are domains from spam URIs, but we're only using the domain
part. 

Similarly clients that use be.surbl.org such as SpamCopURI and
urirhsbl extract the domains from the URIs in incoming messages
and compare them *as domain names* against the be.surbl.org.

Generally speaking, the domain to pass is the base, registrar
domain, such as foo.com or foo.co.uk.  There are some additional
subdomains/hostnames getting into some of the SURBL data, but
they generally won't/shouldn't be checked by client programs.

Check out the Implementation Guidelines and Data description
for more info:

  http://www.surbl.org/

then let us know if you have any questions.

Jeff C.
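
The lookup described in the reply above (reduce each body URI to its base domain, then query it as a name under be.surbl.org), as an added example that is not part of the thread and is not SpamCopURI or urirhsbl code. The function names, the short two-level suffix set, and the sample zone and message are constructed assumptions; the zone name and the 127.0.0.2 answer come from the sample rule in the announcement.

```python
import re
import socket
from urllib.parse import urlsplit

ZONE = "be.surbl.org"   # list name from the announcement
LISTED = "127.0.0.2"    # A record value used in the sample SA 2.63 rule
# Assumption: small constructed suffix set; a real client carries a longer list.
TWO_LEVEL = {"co.uk", "org.uk", "com.au", "co.jp"}
URI_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def base_domain(host):
    """Reduce a hostname to its base domain (foo.com, foo.co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1].isdigit():  # single label or IPv4 literal
        return None
    keep = 3 if ".".join(labels[-2:]) in TWO_LEVEL else 2
    if len(labels) < keep:                       # bare suffix such as "co.uk"
        return None
    return ".".join(labels[-keep:])

def body_domains(body):
    """Unique base domains of the http(s) URIs found in a message body."""
    found = []
    for uri in URI_RE.findall(body):
        try:
            host = urlsplit(uri).hostname
        except ValueError:                       # malformed URI, nothing to query
            continue
        dom = base_domain(host) if host else None
        if dom and dom not in found:
            found.append(dom)
    return found

def dns_lookup(name):
    """Live A lookup; None when the name does not resolve (not listed)."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def surbl_hits(body, lookup=dns_lookup, zone=ZONE):
    """Body domains whose <domain>.<zone> name resolves to LISTED."""
    return [d for d in body_domains(body) if lookup(f"{d}.{zone}") == LISTED]

# Constructed sample zone and message so the example runs offline.
FAKE_ZONE = {"spamvertised.example.be.surbl.org": LISTED,
             "pills.co.uk.be.surbl.org": LISTED}
SAMPLE = ("Buy http://www.spamvertised.example/offer?id=1 or "
          "http://cheap.shop.pills.co.uk/ see http://www.apache.org/ "
          "http://192.0.2.10/x")
```

Calling `surbl_hits(SAMPLE, lookup=FAKE_ZONE.get)` checks the constructed message against the constructed zone; leaving `lookup` at its default sends real DNS queries, which the local resolver then caches.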


Re: ANNOUNCE: BigEvil.cf and MidEvil.cf are now available in SURBL form as be.surbl.org

Posted by Mark <ad...@asarian-host.net>.
Jeff Chan wrote:

> BigEvil.cf and MidEvil.cf are now available in SURBL form as
> be.surbl.org, for use with SpamCopURI SpamAssassin 2.63 and
> URIDNSBL SpamAssassin 3.0 plugins.  Thanks Chris, Paul and
> Gary Funck!

Please, enlighten me, once more. :)

I thought the traditional BigEvil regex rules are done on the entire URL,
right? (I pretty much always assumed that; I'm probably wrong about this
then). So, what prefix are we to pass to be.surbl.org? Also a single, 2-3
level domain name?

Thanks,

- Mark