Posted to users@spamassassin.apache.org by Fabio Sangiovanni <sa...@nweb.it> on 2013/01/04 11:48:21 UTC

URIDNSBL: how to query certain lists only?

Hello list,

I'm a relatively new user of Spamassassin.
My setup is a postfix + amavisd-new + spamassassin stack, with amavisd-new acting as before-queue filter. My use case is filtering submissions by untrusted users (customers of the company I work for); sasl authentication is mandatory.
I'm trying to set URIDNSBL rules in such a way that only certain dns lists are queried (Spamhaus DBL and SURBL; we have a datafeed subscription with them).
What I did was to look at /var/lib/spamassassin/3.003002/updates_spamassassin_org/25_uribl.cf and set my local.cf as follows:

[...]
score URIBL_SBL 0
score URIBL_SBL_A 0
score URIBL_DBL_SPAM 0
score URIBL_DBL_REDIR 0
score URIBL_DBL_ERROR 0
score URIBL_SC_SURBL 0
score URIBL_WS_SURBL 0
score URIBL_PH_SURBL 0
score URIBL_AB_SURBL 0
score URIBL_JP_SURBL 0
score URIBL_BLACK 0
score URIBL_GREY 0
score URIBL_RED 0
score URIBL_BLOCKED 0

urirhsbl        URIBL_SURBL     multi.surbl.org.        A
body            URIBL_SURBL     eval:check_uridnsbl('URIBL_SURBL')
describe        URIBL_SURBL     Contains an URL listed in the SURBL blocklist
tflags          URIBL_SURBL     net
reuse           URIBL_SURBL
score           URIBL_SURBL     3

urirhsbl        URIBL_DBL_SPAM  dbl.spamhaus.org.       A
body            URIBL_DBL_SPAM  eval:check_uridnsbl('URIBL_DBL_SPAM')
describe        URIBL_DBL_SPAM  Contains an URL listed in the DBL blocklist
tflags          URIBL_DBL_SPAM  net domains_only
score           URIBL_DBL_SPAM  3
[...]

I *intentionally* want to check aggregate lists instead of single ones and reassign scores.

Everything works ok, except for the fact that queries are performed to dob.sibl.support-intelligence.net as well. The matching rule is obviously URIBL_RHS_DOB in 72_active.cf, and adding "score URIBL_RHS_DOB 0" to local.cf solved the issue.

So my problem is: if I understand correctly the process of 72_active.cf rule generation, new URIBL_* rules could end up appearing in 72_active.cf at any time through sa-update.
How can I configure Spamassassin to permanently use just the URIBL_* rules I want? Do I have to check from time to time 72_active.cf and see if something has been added? That would be quite painful!

Thanks a lot for your support!

Fabio
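To make the difference between the aggregate rules in the post (urirhsbl ... A, "any answer hits") and the per-sublist urirhssub rules in 25_uribl.cf concrete, and to show why "score RULE 0" also stops the DNS query, here is an offline model of the URIDNSBL evaluation. This is an added example, not code from the thread or from SpamAssassin: the DNS answers are constructed, the registrable-domain reduction is a two-label simplification of what SpamAssassin's own TLD handling does, and the SURBL bit values and the DBL 127.0.1.2 code are taken from the public list documentation (check them against your copy of 25_uribl.cf).

```python
"""Offline model of how SpamAssassin's URIDNSBL plugin turns rule lines like
the ones in the post into DNS lookups and rule hits.  Added example; DNS data
is constructed, domain reduction is simplified."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed stub DNS: query name -> A record.  Absent = NXDOMAIN (not listed).
STUB_DNS: Dict[str, str] = {
    "evil-example.test.multi.surbl.org.": "127.0.0.66",  # bits 2 (sc) + 64 (jp) set
    "evil-example.test.dbl.spamhaus.org.": "127.0.1.2",  # DBL "spam domain" code
    # constructed listing in the DOB zone, to show a score-0 rule never asks for it
    "evil-example.test.dob.sibl.support-intelligence.net.": "127.0.0.2",
}

# (directive, rule, zone, subtest); subtest None = urirhsbl, any answer hits
Rule = Tuple[str, str, str, Optional[str]]
RULES: List[Rule] = [
    ("urirhsbl",  "URIBL_SURBL",    "multi.surbl.org.",  None),
    ("urirhssub", "URIBL_SC_SURBL", "multi.surbl.org.",  "2"),
    ("urirhssub", "URIBL_WS_SURBL", "multi.surbl.org.",  "4"),
    ("urirhssub", "URIBL_JP_SURBL", "multi.surbl.org.",  "64"),
    ("urirhssub", "URIBL_DBL_SPAM", "dbl.spamhaus.org.", "127.0.1.2"),
    ("urirhsbl",  "URIBL_RHS_DOB",  "dob.sibl.support-intelligence.net.", None),
]

# local.cf scores as in the post: 0 disables a rule, so its zone is never queried.
SCORES: Dict[str, float] = {
    "URIBL_SURBL": 3.0, "URIBL_SC_SURBL": 0.0, "URIBL_WS_SURBL": 0.0,
    "URIBL_JP_SURBL": 0.0, "URIBL_DBL_SPAM": 3.0, "URIBL_RHS_DOB": 0.0,
}

URI_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Simplification: keep the last two labels (SA consults a TLD table)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def extract_domains(body: str) -> Set[str]:
    """Hosts of http(s) URIs in the body, reduced to registrable domains."""
    return {registrable_domain(h) for h in URI_HOST_RE.findall(body)}


def subtest_matches(answer: str, subtest: Optional[str]) -> bool:
    """urirhsbl (None): any A answer hits.  urirhssub: a plain integer is a
    bitmask over the last octet (SURBL multi style); a dotted quad must match
    the answer exactly (Spamhaus DBL style)."""
    if subtest is None:
        return True
    if subtest.isdigit():
        return (int(answer.rsplit(".", 1)[1]) & int(subtest)) != 0
    return answer == subtest


def evaluate(body: str, rules: List[Rule] = RULES,
             scores: Dict[str, float] = SCORES,
             dns: Dict[str, str] = STUB_DNS):
    """Return (hits, total_score, queried_names) for one message body."""
    domains = extract_domains(body)
    queried: Set[str] = set()
    hits: Dict[str, float] = {}
    for _directive, name, zone, subtest in rules:
        score = scores.get(name, 1.0)
        if score == 0:
            continue  # disabled rule: no lookup is issued for its zone
        for dom in sorted(domains):
            qname = f"{dom}.{zone}"
            queried.add(qname)
            answer = dns.get(qname)
            if answer is not None and subtest_matches(answer, subtest):
                hits[name] = score
                break
    return hits, sum(hits.values()), queried


if __name__ == "__main__":
    # Constructed message body with one listed and one clean domain.
    body = "Offer: http://www.evil-example.test/x and http://clean-example.test/"
    hits, total, queried = evaluate(body)
    print("hits:", hits, "total:", total)
    print("names queried:", sorted(queried))
```

Running it shows URIBL_SURBL and URIBL_DBL_SPAM hitting for a total of 6.0 while nothing is ever asked of the DOB zone, which is the effect "score URIBL_RHS_DOB 0" has in the real setup. One simplification to keep in mind: SpamAssassin issues a single lookup per domain and zone and fans the answer out to every sub-rule on that zone, whereas the model above loops per rule; the hit logic is the same.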


Re: URIDNSBL: how to query certain lists only?

Posted by Alexandre Boyer <bi...@gmail.com>.
Alex, from prypiat.
Yes, I recycle.


On 13-01-07 04:18 AM, Fabio Sangiovanni wrote:
> Hi,
>
> thanks to everybody for your answers.
>
> Il giorno 04/gen/2013, alle ore 18:12, Kris Deugau <kd...@vianet.ca> ha scritto:
>> Mmmm, the problem the OP was asking about is "how do I make sure that
>> only the specific URIBLs I want are active, no matter what may be added
>> upstream?".
>>
>> IIRC this was asked a while ago but I don't recall any answer better
>> than "watch the updates closely and disable any new ones when you see
>> them".  I think the reasoning was that new DNSBLs are not casually added
>> the way new regex or non-DNS rules are, and there's usually some warning on
>> the users and/or dev lists, so you can preemptively add "score NEW_URIBL
>> 0" to your local.cf or local rules channel.
> Yes, that's exactly my problem, and unfortunately this is the only solution I came up with, too.
> The introduction of symbolic name wildcards here would be of great help. Has this ever been considered?
> One could set one line as:
>
> score URIBL_* 0
>
> and add specific scores for desired lists after that.
> This would imply the definition of a standard naming for rules, but as far as I can see that's quite in place already.
>
>
>> If you're redefining the tests anyway (to use local datafeed versions of
>> any given URIBL) I would recommend putting them in a custom local TLD
>> that won't resolve globally, to make sure you really *are* using your
>> local copies.
>>
>> -kgd
> I have a local bind on each mta, which acts as a cache and forwards queries to another bind on our LAN, which in turn forwards to rbldnsd (updated daily from datafeed services).
> We'll consider the local tld as further measure.
>
> One slightly OT question: as far as postfix is concerned, how could it help with checks against URIDNSBLs? I'm not aware of any method to make postfix scan the body of the message and look for URIs. At best, postfix can query DNSBLs using client IPs and envelope sender/recipient domains, but that's out of the scope of my need…am I missing something?

PF is not good at handling content of emails, especially on systems with
a lot of traffic (use body_checks and regexes). This belongs to content
filters.

I use (zen|dbl).spamhaus.org at the pre-data level, cutting *a lot* of
treatment for so few fps. As you have your own dns, you could rsync the
spamhaus zone and use your dns for queries. It's a lot faster, and your
SA instance will also appreciate :-)

>
> Thanks to everyone for your help!
>
> Fabio
>


Re: URIDNSBL: how to query certain lists only?

Posted by Fabio Sangiovanni <sa...@nweb.it>.
Hi,

thanks to everybody for your answers.

Il giorno 04/gen/2013, alle ore 18:12, Kris Deugau <kd...@vianet.ca> ha scritto:
> 
> Mmmm, the problem the OP was asking about is "how do I make sure that
> only the specific URIBLs I want are active, no matter what may be added
> upstream?".
> 
> IIRC this was asked a while ago but I don't recall any answer better
> than "watch the updates closely and disable any new ones when you see
> them".  I think the reasoning was that new DNSBLs are not casually added
> the way new regex or non-DNS rules are, and there's usually some warning on
> the users and/or dev lists, so you can preemptively add "score NEW_URIBL
> 0" to your local.cf or local rules channel.

Yes, that's exactly my problem, and unfortunately this is the only solution I came up with, too.
The introduction of symbolic name wildcards here would be of great help. Has this ever been considered?
One could set one line as:

score URIBL_* 0

and add specific scores for desired lists after that.
This would imply the definition of a standard naming for rules, but as far as I can see that's quite in place already.


> If you're redefining the tests anyway (to use local datafeed versions of
> any given URIBL) I would recommend putting them in a custom local TLD
> that won't resolve globally, to make sure you really *are* using your
> local copies.
> 
> -kgd

I have a local bind on each mta, which acts as a cache and forwards queries to another bind on our LAN, which in turn forwards to rbldnsd (updated daily from datafeed services).
We'll consider the local tld as further measure.

One slightly OT question: as far as postfix is concerned, how could it help with checks against URIDNSBLs? I'm not aware of any method to make postfix scan the body of the message and look for URIs. At best, postfix can query DNSBLs using client IPs and envelope sender/recipient domains, but that's out of the scope of my need…am I missing something?

Thanks to everyone for your help!

Fabio
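The question in the original post ("how can I configure Spamassassin to permanently use just the URIBL_* rules I want?") and the "score URIBL_* 0" wildcard wished for in this reply can both be covered by auditing the installed rule files by zone rather than by rule name: every URIBL lookup directive names the zone it queries, so a script can list every rule that points at a zone you have not approved and emit the "score RULE 0" lines for them. The following is an added example, not code from the thread or from SpamAssassin; the directive names are the URIDNSBL plugin's own, the .cf text in SAMPLE_FILES is constructed, and newlist.example / URIBL_NEWLIST_EXAMPLE are hypothetical stand-ins for a rule a future sa-update might add.

```python
"""Audit SpamAssassin rule files for URIBL lookup directives that use zones you
did not approve, and emit the 'score RULE 0' overrides that disable them.
Added example; sample .cf text is constructed."""
import glob
import re
import sys
from typing import Dict, List, Set, Tuple

URIBL_DIRECTIVES = (
    "uridnsbl", "uridnssub", "urirhsbl", "urirhssub",
    "urinsrhsbl", "urinsrhssub", "urifullnsrhsbl", "urifullnsrhssub",
)
# directive  RULE_NAME  zone  [lookup type] [subtest]
DIRECTIVE_RE = re.compile(r"^\s*(%s)\s+(\S+)\s+(\S+)" % "|".join(URIBL_DIRECTIVES))

# Zones the operator has approved: the two named in the thread.
ALLOWED_ZONES: Set[str] = {"multi.surbl.org", "dbl.spamhaus.org"}


def norm_zone(zone: str) -> str:
    return zone.lower().rstrip(".")


def parse_uribl_rules(text: str) -> List[Tuple[str, str]]:
    """(rule_name, zone) for every URIBL lookup directive in one .cf file."""
    found = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop comments
        m = DIRECTIVE_RE.match(line)
        if m:
            found.append((m.group(2), norm_zone(m.group(3))))
    return found


def audit(files: Dict[str, str], allowed: Set[str] = ALLOWED_ZONES):
    """Return (kept, overrides): rule names whose zones are all approved, and
    'score NAME 0' lines for every rule that queries any other zone."""
    rule_zones: Dict[str, Set[str]] = {}
    for text in files.values():
        for rule, zone in parse_uribl_rules(text):
            rule_zones.setdefault(rule, set()).add(zone)
    kept: List[str] = []
    overrides: List[str] = []
    for rule in sorted(rule_zones):
        if rule_zones[rule] <= allowed:
            kept.append(rule)
        else:
            overrides.append(f"score {rule} 0")
    return kept, overrides


def load_rule_files(pattern: str) -> Dict[str, str]:
    """Read every file matching a glob such as
    /var/lib/spamassassin/*/updates_spamassassin_org/*.cf"""
    files = {}
    for path in sorted(glob.glob(pattern)):
        with open(path, encoding="utf-8", errors="replace") as fh:
            files[path] = fh.read()
    return files


# Constructed stand-ins for 25_uribl.cf and 72_active.cf.
SAMPLE_FILES: Dict[str, str] = {
    "25_uribl.cf": """
urirhssub   URIBL_SC_SURBL  multi.surbl.org.    A   2
body        URIBL_SC_SURBL  eval:check_uridnsbl('URIBL_SC_SURBL')
urirhssub   URIBL_DBL_SPAM  dbl.spamhaus.org.   A   127.0.1.2
uridnsbl    URIBL_SBL       sbl.spamhaus.org.   TXT
""",
    "72_active.cf": """
urirhsbl    URIBL_RHS_DOB   dob.sibl.support-intelligence.net.  A
body        URIBL_RHS_DOB   eval:check_uridnsbl('URIBL_RHS_DOB')
# hypothetical rule that a future sa-update might add:
urirhsbl    URIBL_NEWLIST_EXAMPLE   newlist.example.  A
""",
}


if __name__ == "__main__":
    files = load_rule_files(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FILES
    kept, overrides = audit(files)
    print("# rules whose zones are all approved; set their scores in local.cf:")
    for rule in kept:
        print("#   " + rule)
    print("# overrides for everything else; regenerate after each sa-update run")
    print("\n".join(overrides))
```

Run it with a glob over the update directory from the post (/var/lib/spamassassin/3.003002/updates_spamassassin_org/*.cf) and write its output to a file in the site rules directory that sorts after local.cf (for instance one starting with zz_), then check with spamassassin --lint; re-run it from the same cron job or hook that runs sa-update, so a newly added URIBL rule is zeroed before the next restart rather than noticed after the fact. If you follow Kris's suggestion and point your own rules at a local TLD served by rbldnsd, add that zone to ALLOWED_ZONES; since the audit keys on the zone, a renamed upstream rule that still points at a public zone is caught too. Two caveats: a rule scored 0 is still evaluated (and its zone still queried) when a meta rule depends on it, so also grep the rule set for meta rules that reference the overridden names; and the script does not track ifplugin/if blocks, so it may emit an override for a rule that is never loaded, which is harmless.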


Re: URIDNSBL: how to query certain lists only?

Posted by Kris Deugau <kd...@vianet.ca>.
Daniel McDonald wrote:
> And, uridnsbls look at body text for uris embedded inside the message,
> something that postfix doesn't do terribly well (which is why you need to
> test these sorts of things after normalizing the text, which SpamAssassin
> does very well..)

*nod*  Yeah, that too;  I've been getting annoyed at the number of
messages I see that are base64-encoded for no reason I can see, which
makes it hard to eyeball the raw message for rules, or to see what might
have triggered a rule on a false positive.

> The tack I would probably want to take would be to convince bind that the
> public domains are, in fact, local, and then allow the standard rules to
> query the "public" addresses, but respond to those queries from your local
> rbldnsd...

Mmmm, the problem the OP was asking about is "how do I make sure that
only the specific URIBLs I want are active, no matter what may be added
upstream?".

IIRC this was asked a while ago but I don't recall any answer better
than "watch the updates closely and disable any new ones when you see
them".  I think the reasoning was that new DNSBLs are not casually added
the way new regex or non-DNS rules are, and there's usually some warning on
the users and/or dev lists, so you can preemptively add "score NEW_URIBL
0" to your local.cf or local rules channel.

If you're redefining the tests anyway (to use local datafeed versions of
any given URIBL) I would recommend putting them in a custom local TLD
that won't resolve globally, to make sure you really *are* using your
local copies.

-kgd

Re: URIDNSBL: how to query certain lists only?

Posted by Daniel McDonald <da...@austinenergy.com>.
On 1/4/13 8:38 AM, "Kris Deugau" <kd...@vianet.ca> wrote:

> Alexandre Boyer wrote:
>> Hi there,
>> 
>> Why don't you perform those checks at the pre-data level, within postfix?
> 
> Because you don't absolutely trust the DNSBL as a one-shot
> "this-is-spam" test, but you want to use its data to influence the
> spam/not-spam decision.

And, uridnsbls look at body text for uris embedded inside the message,
something that postfix doesn't do terribly well (which is why you need to
test these sorts of things after normalizing the text, which SpamAssassin
does very well..)


The tack I would probably want to take would be to convince bind that the
public domains are, in fact, local, and then allow the standard rules to
query the "public" addresses, but respond to those queries from your local
rbldnsd...


-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281




Re: URIDNSBL: how to query certain lists only?

Posted by Kris Deugau <kd...@vianet.ca>.
Alexandre Boyer wrote:
> Hi there,
> 
> Why don't you perform those checks at the pre-data level, within postfix?

Because you don't absolutely trust the DNSBL as a one-shot
"this-is-spam" test, but you want to use its data to influence the
spam/not-spam decision.

-kgd

Re: URIDNSBL: how to query certain lists only?

Posted by Alexandre Boyer <bi...@gmail.com>.
Hi there,

Why don't you perform those checks at the pre-data level, within postfix?

It's faster and cuts a lot of treatment for the data analysis.

The way you are doing is the way I would do, but someone on the list might
have a better way.

Alex, from N7.