-------- Original Message --------
Date: Fri, 18 May 2007 23:50:18 +0200
From: Robert Felber <[EMAIL PROTECTED]>
To: policyd-weight-list@ek-muc.de
Subject: Re: Strange scoring with 0.1.14 beta-5

> On Fri, May 18, 2007 at 11:19:45PM +0200, [EMAIL PROTECTED] wrote:
> > 
> > -------- Original Message --------
> > Date: Fri, 18 May 2007 22:47:56 +0200
> > From: Robert Felber <[EMAIL PROTECTED]>
> > To: policyd-weight-list@ek-muc.de
> > Subject: Re: Strange scoring with 0.1.14 beta-5
> > 
> > > On Fri, May 18, 2007 at 10:18:41PM +0200, [EMAIL PROTECTED] wrote:
> > > >    @dnsbl_score = (
> > > >     'sa-hil.habeas.com',              8.00,       0,        'HIL-HABEAS',
> > > >     'sa-hul.habeas.com',             -1.00,       0,        'HUL-HABEAS',
> > > >     'sa-trusted.bondedsender.org',   -4.25,       0,        'TRUSTED-BONDESENDER',
> > > >     'sa-other.bondedsender.org',     -4.25,       0,        'OTHER-BONDESENDER',
> > > >     'wl.trusted-forwarder.org',      -0.50,       0,        'T-FWL-DNSWL',
> > > >     'list.dnswl.org',                -0.50,       0,        'DNSWL',
> > > >     'white.dnsbl.securityplanet.nl', -0.70,       0,        'SECURITYPLANETWL',
> > > >     'exemptions.ahbl.org',           -1.00,       0,        'EXEMPTIONS-AHBL',
> > > >     'ch.countries.nerd.dk',          -1.00,       0,        'NERD-CH',
> > > >     'se.countries.nerd.dk',          -1.00,       0,        'NERD-SE',
> > > >     'us.countries.nerd.dk',          2.044,       0,        'NERD-US',
> > > 
> > > 
> > > This has a hit.
> > > And - the client meets ~ 4 conditions for
> > > 
> > > CLIENT_NOT_MX/A_FROM_DOMAIN
> > > CLIENT/24_NOT_MX/A_FROM_DOMAIN
> > > 
> > > From the code:
> > > 
> > > ## client == MX/A FROM domain
> > > #################################################
> > > 
> > >     if( 
> > >         ($mx_ok != 1)               &&
> > >         (   
> > >             ($do_client_from_check) &&
> > >             ($dnsbl_hits > 0)
> > >         )
> > >       )
> > > 
> > > $mx_ok wasn't 1
> > > $do_client_from_check was 1 because the helo (domains) didn't appear
> > > to be responsible for the sender domain (arguments and sender MX results)
> > > $dnsbl_hits was greater than 0
> > > Subnets of the client didn't match the sender A/MX subnets
> > > 
> > > 
> > > Solution, lower the score for us.countries.nerd.dk
> > > 
> > > With 1.044 the client passes here with -0.732
> > > 
> > Okay. Thanks for explaining.
> > 
> > It is strange that the SUN newsletter does not pass but the HP alert
> > passes:
> 
> Ok, another piece:
> 
> senderA = your .hp. com
> heloA   = mh   .hp. m0.net
> 
> The sender, or rather the MX, matches 'hp' against the helo
> 
> 
> senderB = mail.communications.sun.com
> heloB   = mh.sunmicrosystemsinc.m0.net
> 
> the sender, or rather the MXes of sun.com, do not match stringwise with
> 'sunmicrosystemsinc'
> 

I think I understand now:
mail ~ # dig +short in mx your.hp.com
10 imh.merchantmail.net.
mail ~ # dig +short in mx hp.m0.net
10 imh.merchantmail.net.


mail ~ # dig +short in mx mail.communications.sun.com
10 imh.delivery.net.
mail ~ # dig +short in mx sunmicrosystemsinc.m0.net
mail ~ #


Is that right? The first one has the proper MX record for the sender domain and 
for the used HELO/EHLO, while the second one has no MX record on the HELO/EHLO.


> Usually this has not much effect - unless the client is also
> RBL listed. Which is the case. Thus, decrease the according RBL
> score, as suggested in the previous mail.
> 
Yes. I understand that. I changed my script to treat the top one as 100% (i.e. 1)
and calculate the other values relative to that. Now my RBL list looks like this:
## THE 10 WORST SPAM ORIGIN COUNTRIES: START
## http://www.spamhaus.org/statistics/countries.lasso
    'us.countries.nerd.dk',          1.000,       0,        'NERD-US',
    'cn.countries.nerd.dk',          0.212,       0,        'NERD-CN',
    'ru.countries.nerd.dk',          0.123,       0,        'NERD-RU',
    'uk.countries.nerd.dk',          0.101,       0,        'NERD-UK',
    'kr.countries.nerd.dk',          0.087,       0,        'NERD-KR',
    'de.countries.nerd.dk',          0.083,       0,        'NERD-DE',
    'jp.countries.nerd.dk',          0.081,       0,        'NERD-JP',
    'nl.countries.nerd.dk',          0.069,       0,        'NERD-NL',
    'ca.countries.nerd.dk',          0.066,       0,        'NERD-CA',
    'ar.countries.nerd.dk',          0.057,       0,        'NERD-AR',
## THE 10 WORST SPAM ORIGIN COUNTRIES: END


The check now produces:
00:20:07 info: weighted check:  IN_DNSWL=-0.5 IN_NERD-US=1 NOT_IN_SPAMCOP=-1.5 
NOT_IN_ZEN_SPAMHAUS=-1.5 NOT_IN_BL_NJABL=-1.5 CL_IP_EQ_HELO_IP=-2 (check from: 
.sun. - helo: .mh.sunmicrosystemsinc.m0. - helo-domain: .m0.)  
FROM/MX_MATCHES_NOT_HELO(DOMAIN)=1.125 CLIENT_NOT_MX/A_FROM_DOMAIN=2 
CLIENT/24_NOT_MX/A_FROM_DOMAIN=2 <client=209.11.164.54> 
<helo=mh.sunmicrosystemsinc.m0.net> <[EMAIL PROTECTED]> <to=> <helo_ips:  
209.11.136.89 209.11.136.89 209.11.137.36 88.221.21.195 192.18.98.36 
192.18.43.25 192.18.98.34 150.143.103.14 150.143.103.24 150.143.103.54 
150.143.103.74 150.143.60.6 192.12.251.34 192.12.251.54 192.12.251.74 
192.12.251.14 192.5.209.6 192.18.98.43 192.18.43.24 192.18.98.31 72.5.124.61 
209.11.164.54>, rate: -0.875
00:20:07 info: decided action=PREPEND X-policyd-weight:  IN_DNSWL=-0.5 
IN_NERD-US=1 NOT_IN_SPAMCOP=-1.5 NOT_IN_ZEN_SPAMHAUS=-1.5 NOT_IN_BL_NJABL=-1.5 
CL_IP_EQ_HELO_IP=-2 (check from: .sun. - helo: .mh.sunmicrosystemsinc.m0. - 
helo-domain: .m0.)  FROM/MX_MATCHES_NOT_HELO(DOMAIN)=1.125 
CLIENT_NOT_MX/A_FROM_DOMAIN=2 CLIENT/24_NOT_MX/A_FROM_DOMAIN=2 
<client=209.11.164.54> <helo=mh.sunmicrosystemsinc.m0.net> <[EMAIL PROTECTED]> 
<to=> <helo_ips:  209.11.136.89 209.11.136.89 209.11.137.36 88.221.21.195 
192.18.98.36 192.18.43.25 192.18.98.34 150.143.103.14 150.143.103.24 
150.143.103.54 150.143.103.74 150.143.60.6 192.12.251.34 192.12.251.54 
192.12.251.74 192.12.251.14 192.5.209.6 192.18.98.43 192.18.43.24 192.18.98.31 
72.5.124.61 209.11.164.54>, rate: -0.875; delay: 6s
action=PREPEND X-policyd-weight:  IN_DNSWL=-0.5 IN_NERD-US=1 
NOT_IN_SPAMCOP=-1.5 NOT_IN_ZEN_SPAMHAUS=-1.5 NOT_IN_BL_NJABL=-1.5 
CL_IP_EQ_HELO_IP=-2 (check from: .sun. - helo: .mh.sunmicrosystemsinc.m0. - 
helo-domain: .m0.)  FROM/MX_MATCHES_NOT_HELO(DOMAIN)=1.125 
CLIENT_NOT_MX/A_FROM_DOMAIN=2 CLIENT/24_NOT_MX/A_FROM_DOMAIN=2 
<client=209.11.164.54> <helo=mh.sunmicrosystemsinc.m0.net> <[EMAIL PROTECTED]> 
<to=> <helo_ips:  209.11.136.89 209.11.136.89 209.11.137.36 88.221.21.195 
192.18.98.36 192.18.43.25 192.18.98.34 150.143.103.14 150.143.103.24 
150.143.103.54 150.143.103.74 150.143.60.6 192.12.251.34 192.12.251.54 
192.12.251.74 192.12.251.14 192.5.209.6 192.18.98.43 192.18.43.24 192.18.98.31 
72.5.124.61 209.11.164.54>, rate: -0.875


They now don't get rejected. In reality they would get an even lower value, since
p0f would probably subtract 1 or 1.5 from the total score. But anyway.... at
least now they go below 0.

Maybe it is better not to punish the US servers so much. A value of 2 was just
too much. Further back, on the content filter, I still have the possibility to flag
them as spam, and if the mail gets flagged as spam it will automatically go into my
RABL (http://www.zdziarski.com/projects/rabl/).

I just like to kill as much as possible with policyd-weight since this means 
that the mail will not be spooled/queued. Policyd-weight is my cheapest 
processing stage. Everything after policyd-weight is much more expensive.


> (Sidenote: this check was introduced because it was the only
> way to reject sober/sobig without breaking forwarding per se).
> 
Interesting.

> 
> 
> 
> 
> -- 
>     Robert Felber (PGP: 896CF30B)
>     Munich, Germany
> 
// SteveB




____________________________________________________________
Policyd-weight Mailinglist - http://www.policyd-weight.org/