Matt,
 
I think there is a misunderstanding (possibly on MY side).
 
>> DUL/DYNA/DUHL tests from hitting your own local users when they are sending E-mail (only one hop and typically dynamic/residential), Declude disables any dnsbl, ip4r or rhsbl test when they have one of those strings in the name <<
 
I was aware that DUL/DYNA/DUHL only checks the LAST hop (the server connecting to you) - but doesn't check the prior hops.  The idea is, of course, that ANY valid dial-up user will eventually appear in the first hop - the one to his provider's mail server.  But a dial-up user should never be contacting YOUR mail server directly - so the LAST hop should not come from a dial-up user.
 
What you are saying sounds almost like the reverse?
 
 
>> I found that on locally hosted E-mail, this test would be defeated if the spammer forged a local address. <<
 
You mean forging an IP address?  Or forging a FROM address?  I don't believe Declude "trusts" the from address - of course it will be forged for spam!?
 
>> Every user on my system uses AUTH and I'm on IMail 8 so I can take advantage of WHITELIST AUTH.  The issue now is that when a spammer forges a locally hosted address in the Mail From, Declude is still disabling all dnsbl, ip4r and rhsbl tests that contain either DUL, DYNA or DUHL in the name, and this now represents a weakness instead of a benefit. <<
 
I use AUTH as well without problems. If you don't want the DUL/DYNA/DUHL, then why are you using those strings?

Best Regards
Andy Schmidt

H&M Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846

Phone:  +1 201 934-3414 x20 (Business)
Fax:    +1 201 934-9206

http://www.HM-Software.com/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Friday, May 14, 2004 02:41 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] DUL skipping was ISBLANK is blank

Don,

Since I started this thread, I'll try to answer what's at issue here.

Declude has functionality to only scan the last hop on any dnsbl, ip4r and rhsbl test when it has either DUL, DYNA or DUHL in the name of the test.  This is done in order to protect you from scoring hits on dial-up or residential IPs when they weren't the connecting server and when you are using Declude to score on multiple hops (I believe this is version restricted).

In order to keep these DUL/DYNA/DUHL tests from hitting your own local users when they are sending E-mail (only one hop and typically dynamic/residential), Declude disables any dnsbl, ip4r or rhsbl test when they have one of those strings in the name.  This was very useful until IMail 8 came along and they started providing an indication of whether or not AUTH was used in the Q*.SMD file.  When IMail 8 did that, Scott introduced a function called WHITELIST AUTH that will whitelist any E-mail that is AUTH'd.

Every user on my system uses AUTH and I'm on IMail 8 so I can take advantage of WHITELIST AUTH.  The issue now is that when a spammer forges a locally hosted address in the Mail From, Declude is still disabling all dnsbl, ip4r and rhsbl tests that contain either DUL, DYNA or DUHL in the name, and this now represents a weakness instead of a benefit.  So for users that have IMail 8, where all of their users are whitelisted either by IP or by AUTH, it would be nice to turn this functionality off.

Something that seemed to confuse you was the fact that I am using several tests twice like so:

XBL(LAST)    dnsbl    %IP4R%.sbl-xbl.spamhaus.org    127.0.0.4    6    0
XBL(ALL)     ip4r     sbl-xbl.spamhaus.org           127.0.0.4    2    0

The reason why I do this is because I score on multiple hops, and instead of having XBL score exactly the same on every hop, I created a work around so that it would score higher on the last hop, and lower if it only hit one of the prior hops.  The prior hop functionality helps with catching spam that is relayed from one open relay to another open relay, or worse yet, from an open relay to a legitimate mail server.  At the same time there are lots of IPs in some of these lists that have long since been fixed/closed and are sending only legitimate E-mail through legitimate servers, and only adding a few points helps protect from false positives.

The former kludge that I used was to use (DYNA) in the name of the test that I only wanted to score on the last hop, but this morning, I found that on locally hosted E-mail, this test would be defeated if the spammer forged a local address.  By changing the test to how it appears as XBL(LAST) in the above example, I'm creating a way to score only the last hop without it being defeated when a local address is forged and DUL/DYNA/DUHL appears in the name.

The short answer is that in the example above for XBL(LAST), using the dnsbl/%IP4R% hack, you can construct a test that only hits the last hop (if you are scoring on multiple hops like I am).

It's convoluted, but it works, and I do recommend doing it, but only if you understand how it works and why it is useful.

Matt




Don Brown wrote:
Friday, May 14, 2004, 11:36:22 AM, R. Scott Perry <[EMAIL PROTECTED]> wrote:

I seem to have broken things worse :)  Is there any reason why the 
following wouldn't work?

XBL(LAST)    dnsbl    %REMOTEIP%.sbl-xbl.spamhaus.org    127.0.0.4    6    0

I tested the DUL lists using this format and it seemed to be 
working.  Here are the headers from a single hop test that tripped on the
ip4r version of XBL and returned the proper %REMOTEIP% in the headers:

RSP> The problem here is that the remote IP is 192.0.2.25, so Declude JunkMail
RSP> will create "192.0.2.25.sbl-xbl.spamhaus.org".  But, you really want
RSP> "25.2.0.192.sbl-xbl.spamhaus.org".  Fortunately, you can use:

RSP> XBL(LAST)    dnsbl    %IP4R%.sbl-xbl.spamhaus.org    127.0.0.4    6    0

RSP> which should do what you want.

RSP>                                                     -Scott

Since sbl-xbl.spamhaus.org is an ip4r list, doesn't the below do the
same thing as using %IP4R% as shown above? If not, what is the
difference?

     SBL-ALL ip4r sbl-xbl.spamhaus.org

Thanks,


----
Don Brown - Dallas, Texas USA     Internet Concepts, Inc.
[EMAIL PROTECTED]       http://www.inetconcepts.net
(972) 788-2364                    Fax: (972) 788-5049
----

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.



-- 
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
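A worked model of the hop handling discussed in this thread, added here as an example; it is not Declude's code and was not written by any of the thread's participants. It implements the behaviour the messages describe: %IP4R% reversing the connecting IP's octets (and %REMOTEIP% not doing so), a dnsbl test seeing only the last hop while an ip4r test sees every hop, DUL/DYNA/DUHL-named tests restricted to the last hop, and the two exemption policies (skipping those tests when MAIL FROM is a local address, versus only when the session used AUTH). The sbl-xbl.spamhaus.org zone and the 127.0.0.4 answer come from the thread; the IP addresses, the dul.example.test zone, the listings, the example.com local domain, the test weights for DUL and the Received: headers are constructed, and the FAKE_DNS dictionary stands in for real DNS so the script runs offline.

```python
"""Added example, not Declude code: a model of the DNSBL hop handling discussed
in this thread.  sbl-xbl.spamhaus.org and the 127.0.0.4 answer come from the
thread; every IP address, the dul.example.test zone, the listings, the local
domain and the Received: headers are constructed for the example."""
import ipaddress
import re

# Stand-in for DNS so the example runs offline: query name -> A-record answer.
FAKE_DNS = {
    "25.2.0.192.sbl-xbl.spamhaus.org": "127.0.0.4",    # 192.0.2.25 listed in XBL
    "17.113.0.203.sbl-xbl.spamhaus.org": "127.0.0.4",  # 203.0.113.17 listed in XBL
    "200.113.0.203.dul.example.test": "127.0.0.2",     # 203.0.113.200 is a dial-up address
}
LOCAL_DOMAINS = {"example.com"}                        # assumed locally hosted domain
DUL_RE = re.compile(r"DUL|DYNA|DUHL")                  # test names the thread says are special-cased
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# (name, type, zone, answer that counts as a hit, weight), as in the config lines in the thread.
TESTS = [
    ("XBL(LAST)", "dnsbl", "%IP4R%.sbl-xbl.spamhaus.org", "127.0.0.4", 6),
    ("XBL(ALL)", "ip4r", "sbl-xbl.spamhaus.org", "127.0.0.4", 2),
    ("DUL", "ip4r", "dul.example.test", "127.0.0.2", 5),   # assumed dial-up list and weight
]

def ip4r(ip):
    """Reverse the octets the way %IP4R% does: 192.0.2.25 -> 25.2.0.192."""
    return ".".join(reversed(str(ipaddress.IPv4Address(ip)).split(".")))

def expand(zone, remote_ip):
    """Expand the macros of a dnsbl-type test.  %REMOTEIP% inserts the address
    as-is, the wrong order for an ip4r-style list (Scott's point); %IP4R%
    inserts the reversed address, which is what the list expects."""
    return zone.replace("%IP4R%", ip4r(remote_ip)).replace("%REMOTEIP%", remote_ip)

def hops_from_headers(headers):
    """Connecting IPs taken from Received: lines, last hop (topmost header) first."""
    hops = []
    for line in headers.splitlines():
        m = RECEIVED_IP_RE.search(line)
        if line.lower().startswith("received:") and m:
            hops.append(m.group(1))
    return hops

def dul_tests_skipped(mail_from, authenticated, trust_mail_from, local_domains=LOCAL_DOMAINS):
    """Whether DUL/DYNA/DUHL tests are exempted for this message.
    trust_mail_from=True models the behaviour Matt describes: exempt whenever
    MAIL FROM is a locally hosted address, so a forged local sender defeats the
    tests.  trust_mail_from=False models WHITELIST AUTH: exempt only an AUTH'd
    session, which a forged envelope cannot produce."""
    if trust_mail_from:
        return mail_from.rsplit("@", 1)[-1].lower() in local_domains
    return authenticated

def score(hops, skip_dul, tests=TESTS, resolver=FAKE_DNS):
    """Return (total weight, names of tests that hit).  A dnsbl test with
    %IP4R% only ever sees the connecting IP; an ip4r test sees every hop but
    fires once; a DUL/DYNA/DUHL-named test is restricted to the last hop."""
    total, hits = 0, []
    if not hops:
        return total, hits
    for name, kind, zone, answer, weight in tests:
        if skip_dul and DUL_RE.search(name):
            continue
        seen = hops[:1] if kind == "dnsbl" or DUL_RE.search(name) else hops
        if kind == "dnsbl":
            listed = resolver.get(expand(zone, hops[0])) == answer
        else:
            listed = any(resolver.get(f"{ip4r(h)}.{zone}") == answer for h in seen)
        if listed:
            total += weight
            hits.append(name)
    return total, hits

def evaluate(headers, mail_from, authenticated, trust_mail_from):
    skip = dul_tests_skipped(mail_from, authenticated, trust_mail_from)
    return score(hops_from_headers(headers), skip)

def received(ip, by):  # builds one constructed Received: header
    return f"Received: from host.example.org [{ip}] by {by}; Fri, 14 May 2004 14:41:00 -0400\n"

# Constructed messages.  The first line is the server that connected to us (last hop).
MSG_LAST_HOP_LISTED = received("192.0.2.25", "mail.example.com") + received("198.51.100.7", "mx.example.net")
MSG_PRIOR_HOP_LISTED = received("198.51.100.7", "mail.example.com") + received("203.0.113.17", "mx.example.net")
MSG_DIALUP_ORIGIN = received("198.51.100.7", "mail.example.com") + received("203.0.113.200", "mx.example.net")
MSG_DIALUP_DIRECT = received("203.0.113.200", "mail.example.com")

if __name__ == "__main__":
    print(expand("%REMOTEIP%.sbl-xbl.spamhaus.org", "192.0.2.25"))   # wrong octet order
    print(score(hops_from_headers(MSG_LAST_HOP_LISTED), skip_dul=False))
    print(score(hops_from_headers(MSG_PRIOR_HOP_LISTED), skip_dul=False))
    print(score(hops_from_headers(MSG_DIALUP_ORIGIN), skip_dul=False))
    # A spammer on a dial-up IP forging a local MAIL FROM: exempt under the
    # MAIL FROM policy, caught under the AUTH policy.
    print(evaluate(MSG_DIALUP_DIRECT, "victim@example.com", False, trust_mail_from=True))
    print(evaluate(MSG_DIALUP_DIRECT, "victim@example.com", False, trust_mail_from=False))
```

Running it shows a listed connecting server scoring 8 (both XBL tests), a listing on an earlier relay scoring only 2, a dial-up address one hop back scoring nothing because the DUL test never looks past the last hop, and a direct dial-up connection with a forged local sender scoring 0 under the MAIL FROM policy but 5 under the AUTH policy.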
