Looking at the log, you can see where a hit on the same blacklist yields two different results, possibly dependent upon whether it's a cached hit or not. This causes false positives when a more aggressive blacklist is intermittently and improperly scored the same way as say, Spamhaus. URIBL hits appear to exhibit the same behavior.
I'm hoping that V2 is in better shape now than when we tried it last, which was admittedly quite some time ago. I'm not sure why this behavior was changed in V1 as it worked perfectly before. Looking back, I'm pretty sure that the inconsistent scoring behavior started after the "improvement". :) From: Thomas Eckardt <Thomas.E<ckardt@th...> - 2014-07-04 06:10:02 >added 30 for DNSBLcache: neutral >added 50 for DNSBL: failed >Now tell me what is wrong ? Also, is there a way to still have ASSP score the message based on total DNSBL points like it used to instead of limiting to the neutral/fail scoring dependent upon the number of hits? >use V2 >Thomas _____________________________________________ From: Phil Quesinberry Sent: Friday, July 04, 2014 12:12 AM To: '[email protected]' Subject: RE: Inconsistent DNSBL scoring The same thing appears to be happening with URIBL hits as well. _____________________________________________ From: Phil Quesinberry Sent: Thursday, July 03, 2014 12:08 PM To: '[email protected]' Subject: Inconsistent DNSBL scoring We're seeing some odd behavior when it comes to DNSBL scoring. One of the DNSBLs we use is i2.apews.org. It's useful for weighing in against a message with other problems but it's occasionally prone to false-positives, so we give hits against it a score of 20. Notice the following log entries (hit on apews DNSBL adds 20 which is the correct behavior): Jul-01-14 11:02:45 Connected: 108.12.183.50:31641 -> 10.0.0.15:25 (listenPort) -> 127.0.0.1:125; Jul-01-14 11:02:45 108.12.183.50 MTA offered STARTTLS - converting to SSL; Jul-01-14 11:02:47 m-40422-26873 [SSL-in] [SSL-out] 108.12.183.50 <[email protected]> to: [email protected] Message-Score: added -5 for SSL-TLS-connection-OK, total score fo r this message is now -5; Jul-01-14 11:02:47 m-40422-26873 [SSL-in] [SSL-out] [DNSBL] 108.12.183.50 <[email protected]> to: [email protected] [scoring:20] (108.12.183.50 listed in DNSBLcache by l2.ap ews.org at 2014-07-01/10:54:50); Jul-01-14 11:02:47 m-40422-26873 [SSL-in] [SSL-out] 108.12.183.50 <[email protected]> to: [email protected] Message-Score: added 30 for DNSBLcache: neutral, 108.12.183.50 li sted in l2.apews.org, total score for this message is now 25; This is what we'd expect. Now have a look at the following log entries (hit on apews DNSBL adds 50 which is NOT correct), no configurational changes have been made: Jul-01-14 16:20:36 Connected: 173.67.34.179:54431 -> 10.0.0.15:25 (listenPort) -> 127.0.0.1:125; Jul-01-14 16:20:36 173.67.34.179 MTA offered STARTTLS - converting to SSL; Jul-01-14 16:20:38 m-40424-27323 [SSL-in] [SSL-out] 173.67.34.179 <[email protected]> to: [email protected] Message-Score: added -5 for SSL-TLS-connection-OK, total score for this message is now -5; Jul-01-14 16:20:38 m-40424-27323 [SSL-in] [SSL-out] 173.67.34.179 <[email protected]> to: [email protected] deleting spamming whitelisted tuplet: (173.67.34.0,anothersender.com) age: 2s; Jul-01-14 16:20:38 m-40424-27323 [SSL-in] [SSL-out] 173.67.34.179 <[email protected]> to: [email protected] Message-Score: added 50 for DNSBL: failed, 173.67.34.179 listed in l2.apews.org, total score for this message is now 45; Jul-01-14 16:20:38 m-40424-27323 [SSL-in] [SSL-out] [DNSBL] 173.67.34.179 <[email protected]> to: [email protected] [scoring:50] (DNSBL: failed, 173.67.34.179 listed in (l2.apews.org<-127.0.0.2; )); >From the above, It looks like cached hits are scored correctly but real-time hits are not? If you need additional info, let me know. I can crank up the DNSBL logging to debug/verbose if it will help. Also, is there a way to still have ASSP score the message based on total DNSBL points like it used to instead of limiting to the neutral/fail scoring dependent upon the number of hits? There are a number of DNSBLs which are useful for pushing suspect messages "over the edge" but more prone to false-positives and we'd prefer to have the granularity of just weighting them accordingly, which was the behavior of ASSP until fairly recently. Thanks! Phil Quesinberry Vintage Telecom VoIP Business Telephone Hosting Improve your business telephone services and save money (410) 921-6550 http://www.vintagetelecom.com ------------------------------------------------------------------------------ Open source business process management suite built on Java and Eclipse Turn processes into business applications with Bonita BPM Community Edition Quickly connect people, data, and systems into organized workflows Winner of BOSSIE, CODIE, OW2 and Gartner awards http://p.sf.net/sfu/Bonitasoft _______________________________________________ Assp-user mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/assp-user
