I was hoping that someone would correct my mistakes on this instead of me needing to do another famous reply to my own post :)

In this case you are correct, but there is a little problem in the details.  Adding DUL, DYNA or DUHL to the name of any dnsbl test in Declude will result in not only restricting the test to the last hop only, but it will also disable the test for any E-mail that contains a local Mail From address, regardless of AUTH.  This would include both legitimate users as well as zombies that forge local addresses when sending spam.  This was originally a trick that Scott used before WHITELIST AUTH existed that protected local users from getting tagged by dnsbl's, but it also would result in some leaked spam from forging zombies.

If this was IMail/Declude, adding DUL, DYNA or DUHL to the test name for CBL would definitely prevent CBL from hitting local users when WHITELIST AUTH wasn't available.  I can't however vouch for this working with SmarterMail installations.

So it would be possibly useful in this case, but again, solving the issue that created the CBL listing is the most direct route, and less dependency on any particular test by adding something like Sniffer and reducing weights on such things I think is still the best overall solution.

Matt



Colbeck, Andrew wrote:
That's a good point, Matt.

I glossed over analyzing the hops, but wouldn't Declude skip running any
test with DYNA in the name if the message was received via AUTH?  I
remember that you wrote a Master's Thesis on this over in the
Declude.Support mailing list.

Naturally, this would only count with Declude running on IMail, and not
on SmarterMail.

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Monday, June 13, 2005 6:14 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Declude using CBL to block users sending
mail?????


Andrew,

Just to clear up any confusion, this message was sent by Doug through
his own SmarterMail/Declude server, so his IP was the connecting hop and
the DYNA/hop limiting tricks won't have an effect here.

I think it might be valuable if people resisted the temptation of
removing IP's from headers when shared because those that might help out
would often benefit from this information.  Sometimes it doesn't really
matter of course, and Doug did give enough information to figure this
out, but the three received headers were confusing without a careful
read.

Matt



Colbeck, Andrew wrote:

  
Doug, you're probably scoring on multiple hops by setting your HOPHIGH
in global.cfg ...

If you don't want RBLs to score on multiple hops, just comment out that
HOPHIGH line.

Alternatively, rename your CBL test to CBL-DYNA (don't forget to change
the global.cfg definition plus the action line wherever it appears in
your configuration files, e.g. CBL WARN to CBL-DYNA WARN).

Andrew 8)

p.s. Is your own machine's address on the Internet, or was CBL listing 
an internal, non-routable IP address like 192.168.1.1 ?


-----Original Message-----
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] On Behalf Of Douglas Cohn
Sent: Monday, June 13, 2005 5:03 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Declude using CBL to block users sending 
mail?????


My desktop IP was erroneously listed on CBL.  It seems that declude is
checking authenticated users sending mail for CBL and according to CBL
this is wrong.  SEE below

Here is the header showing what went on with the actual IPs removed to
protect the innocent  (ME). But it sure seems that my desktop machine is
the one being checked and shown as on CBL.  Had 10 points been enough I
would not have been able to send mail.  The ONLY address within the
below HEADER that was actually listed in the CBL is the HOST machine
sending the email. NOT the MAIL servers but MY DESKTOP of which I am an
authenticated sender.

Why would declude check an authenticated sender on the CBL list?

This all started because SmarterMail's SPAM does NOT check the
authenticated senders and this is what confused me initially.  IE I
thought SmarterMail's SPAM was not working properly on another server
where I do NOT have declude ANTISPAM installed.  BUT as you see
according to CBL it should NOT detect CBL on an authenticated sender's
IP.

According to CBL this is not how the list is designed.


Return-Path: <[EMAIL PROTECTED]> Sun Jun 12 18:35:56 2005
Received: from forwardeddestinationmailserver [123.123.123.123] by 
forwardeddestinationmailserver with SMTP;
  Sun, 12 Jun 2005 18:35:56 -0400
Received: from decludesmtpserver [456.456.456.456] by 
destinationmailserver with SMTP;
  Sun, 12 Jun 2005 18:35:20 -0400
Received: from UnknownHost [IP-in-CBL=MY DESKTOP] by decludesmtpserver 
with SMTP;
  Sun, 12 Jun 2005 18:34:59 -0400
From: "douglas cohn" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Subject: Test cbl
Date: Sun, 12 Jun 2005 18:34:52 -0400
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
Thread-Index: AcVvnvNNt9F+fMW3RTWO2wS4w3LH6A==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Declude-Sender: [EMAIL PROTECTED] [IPinCBL=MY DESKTOP]
X-Declude-Spoolname: 37296653.EML
X-Declude-Scan: Score [10] at 18:35:09 on 12 Jun 2005
X-Declude-Fail: CBL, WEIGHT10
X-Country-Chain: UNITED STATES->destination
X-SmarterMail-Spam: SPF_None
X-Rcpt-To: <[EMAIL PROTECTED]>


http://cbl.abuseat.org/

We're getting a lot of reports of spurious blocking caused by sites 
using the CBL to block authenticated access to smarthosts / outgoing 
mail servers. THE CBL is only designed to be used on INCOMING mail, 
i.e. on the hosts that your MX records point to.

If you use the same hosts for incoming mail and smarthosting, then you 
should always ensure that you exempt authenticated clients from CBL 
checks, just as you would for dynamic/dialup blocklists.

Another way of putting this is: "Do not use the CBL to block your own 
users".

---
[This E-mail scanned for viruses by Declude Virus]


---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, 
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.
-- 
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
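
The skip rules described in the reply at the top of this thread, modelled as an added Python example (not Declude code and not written by anyone on the list). The domain example.com, the IP addresses, and the reading of HOPHIGH as "extra hops scanned beyond the connecting one" are assumptions made for the illustration.

```python
from dataclasses import dataclass

LOCAL_DOMAINS = {"example.com"}          # constructed: domains hosted on this server
NAME_TRIGGERS = ("DUL", "DYNA", "DUHL")  # substrings named in the thread

@dataclass
class Message:
    hops: list            # Received-header IPs, connecting hop first
    mail_from: str
    authenticated: bool   # sender used SMTP AUTH

def ips_to_test(test_name, msg, hophigh=0, whitelist_auth=False):
    """IPs a dnsbl test would look up, per the behaviour described in the thread.

    hophigh is modelled as the number of extra hops scanned beyond the
    connecting one (an assumption; the thread does not define it).
    """
    if whitelist_auth and msg.authenticated:
        return []                       # WHITELIST AUTH: authenticated mail is exempt
    if any(t in test_name.upper() for t in NAME_TRIGGERS):
        domain = msg.mail_from.rsplit("@", 1)[-1].lower()
        if domain in LOCAL_DOMAINS:
            return []                   # skipped for any local Mail From, AUTH or not
        return msg.hops[:1]             # otherwise restricted to the last hop
    return msg.hops[:hophigh + 1]

# Constructed senders (documentation IP ranges, not taken from the thread).
local_user = Message(["192.0.2.10"], "doug@example.com", authenticated=True)
zombie = Message(["203.0.113.5"], "forged@example.com", authenticated=False)
relayed = Message(["198.51.100.7", "203.0.113.5"], "a@remote.test", authenticated=False)

def compare():
    """Return {(sender, setup): IPs tested} for the three setups discussed."""
    setups = {
        "CBL": dict(test_name="CBL", hophigh=1),
        "CBL-DYNA": dict(test_name="CBL-DYNA", hophigh=1),
        "CBL+WHITELIST AUTH": dict(test_name="CBL", whitelist_auth=True),
    }
    senders = {"local_user": local_user, "zombie": zombie, "relayed": relayed}
    return {(s, n): ips_to_test(msg=m, **kw)
            for s, m in senders.items() for n, kw in setups.items()}

if __name__ == "__main__":
    for key, ips in compare().items():
        print(key, ips)
```

An empty list means the test never runs for that sender: the renamed test spares the authenticated local user but also the zombie forging a local address, while the WHITELIST AUTH setup spares only the authenticated user.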
