RE: uridnsbl only spamhaus in 3.0.4 ?

2005-06-08 Thread Dallas L. Engelken
 
 Dallas L. Engelken wrote:
  I'm running a more recent snapshot and URI's that are dotted-decimal
  are not being reversed and checked properly against uridnsbl lists.
  For example, a test on '202.99.223.139'.
 
 You mean they ARE being looked up, right?  Not are not?
 

Yes, sorry.  All is well in the current trunk as far as I can tell.
D


uridnsbl only spamhaus in 3.0.4 ?

2005-06-07 Thread Niek

Hi,

I just downgraded from a svn version to 3.0.4
I've noticed SA only utilized spamhaus for uridnsbl's.
I check my /usr/share/spamassassin/25_uribl.cf it has all the surbl.org
zones listed + I enabled multi.uribl.com in local.cf.

loadplugin Mail::SpamAssassin::Plugin::URIDNSBL is turned on in init.pre.
Here's the relevant section of spamassassin -D:

debug: URIDNSBL: found domain ebaystatic.com in skip list
debug: URIDNSBL: found domain ebaystatic.com in skip list
debug: URIDNSBL: found domain ebay.com in skip list
debug: URIDNSBL: found domain ebay.com in skip list
debug: URIDNSBL: found domain ebay.com in skip list
debug: URIDNSBL: found domain ebay.com in skip list
debug: URIDNSBL: found domain ebaystatic.com in skip list
debug: URIDNSBL: domains to query: 212.203.31.2

debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x84f7de0) implements 'check_tick'
debug: URIDNSBL: query for 212.203.31.2 took 0 seconds to look up (sbl.spamhaus.org.:2.31.203.212)
debug: URIDNSBL: queries completed: 1 started: 0
debug: URIDNSBL: queries active:  at Tue Jun  7 16:42:30 2005

And that's it, no surbl.org or uribl.com lookups.
At the time of writing this email, the ip was listed in multi.uribl.com.

Is anyone else seeing this too, or is it just me ?

Niek Baakman


RE: uridnsbl only spamhaus in 3.0.4 ?

2005-06-07 Thread Chris Santerre


-Original Message-
From: Niek [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 07, 2005 10:48 AM
To: users@spamassassin.apache.org
Subject: uridnsbl only spamhaus in 3.0.4 ?


Hi,

I just downgraded from a svn version to 3.0.4

*snip*


And that's it, no surbl.org or uribl.com lookups.
At the time of writing this email, the ip was listed in 
multi.uribl.com.

Is anyone else seeing this too, or is it just me ?

Niek Baakman

URIBL has not officially requested to be included yet. We are doing some
behind the scenes beef ups. Our front end seems to be ever improving. :) 

IMHO, I think we will be in the next release.  (Doesn't mean you can't use
it now...s.)

*cough*
OVERALL%   SPAM%     HAM%     S/O    RANK   SCORE  NAME
  26208    23081     3127    0.881   0.00    0.00  (all messages)
100.000  88.0685  11.9315    0.881   0.00    0.00  (all messages as %)
 65.949  74.8754   0.0640    0.999   1.00    3.00  URIBL_BLACK
*cough*

And I've since removed the FP that was hit ;)

(Thank you again, little birdy who gave me that data!)

Chris Santerre 
System Admin and SARE/URIBL Ninja
http://www.rulesemporium.com 
http://www.uribl.com


Re: uridnsbl only spamhaus in 3.0.4 ?

2005-06-07 Thread Niek

On 6/7/2005 5:39 PM +0200, Chris Santerre wrote:

URIBL has not officially requested to be included yet. We are doing some
behind the scenes beef ups. Our front end seems to be ever improving. :) 


I know, but that doesn't matter in this case.
The ip is listed in multi.surbl.org too, but SA seems to be checking
spamhaus only.

Niek Baakman


Re: uridnsbl only spamhaus in 3.0.4 ?

2005-06-07 Thread Theo Van Dinter
On Tue, Jun 07, 2005 at 06:11:18PM +0200, Niek wrote:
 On 6/7/2005 5:39 PM +0200, Chris Santerre wrote:
 URIBL has not officially requested to be included yet. We are doing some
 behind the scenes beef ups. Our front end seems to be ever improving. :) 
 
 I know, but that doesn't matter in this case.
 The ip is listed in multi.surbl.org too, but SA seems to be checking
 spamhaus only.

The debug output specified what happened.  The domains were all in the
skip list, and SURBL and such doesn't have IPs looked up.  SBL does do
IPs, so it was queried.

-- 
Randomly Generated Tagline:
And just what is UNIX' single point of failure, anyway? Should we infer
 then that Windows is better because it offers multiple points of failure?
 - David Wollmann from Linux Today




Re: uridnsbl only spamhaus in 3.0.4 ?

2005-06-07 Thread Niek

On 6/7/2005 6:13 PM +0200, Theo Van Dinter wrote:

The debug output specified what happened.  The domains were all in the
skip list, and SURBL and such doesn't have IPs looked up.  SBL does do
IPs, so it was queried.


debug: uri found: http://pics.ebaystatic.com/aw/pics/x.gif
debug: uri found: http://pics.ebaystatic.com/aw/pics/spacer.gif
debug: uri found: http://pages.ebay.com/help/community/png-priv.html
debug: uri found: http://cgi4.ebay.com/ws1/eBayISAPI.dll?OptinLoginShow
debug: uri found: http://pages.ebay.com/help/account_protection.html
debug: uri found: http://212.203.31.2/.a/.a/Aw-Confirm/update/login/login.html
debug: uri found: http://signin.ebay.com/eBayISAPI.dll?SignInssPageName=h:h:sin:US
debug: uri found: http://pics.ebaystatic.com/aw/pics/aboutme/v3/ebay_logo_39x18.gif
debug: URIDNSBL: found domain ebaystatic.com in skip list
debug: URIDNSBL: found domain ebaystatic.com in skip list
debug: URIDNSBL: found domain ebay.com in skip list
debug: URIDNSBL: found domain ebay.com in skip list
debug: URIDNSBL: found domain ebay.com in skip list
debug: URIDNSBL: found domain ebay.com in skip list
debug: URIDNSBL: found domain ebaystatic.com in skip list
debug: URIDNSBL: domains to query: 212.203.31.2

It wants to query the domain: 212.203.31.2
It does so here:

debug: URIDNSBL: query for 212.203.31.2 took 1 seconds to look up (sbl.spamhaus.org.:2.31.203.212)
debug: URIDNSBL: queries completed: 1 started: 0
debug: URIDNSBL: queries active:  at Tue Jun  7 18:10:32 2005

So, why is URIDNSBL only asking sbl.spamhaus.org ?
If I replace that ip with 127.0.0.2, spamassassin tells me this:
*  0.6 URIBL_SBL Contains an URL listed in the SBL blocklist
*  [URIs: 127.0.0.2]

So it does work, but only for sbl.spamhaus.org.
This is the odd thing, because in 25_uribl.cf all the surbl.org's are enabled 
too.
And in local.cf I added multi.uribl.com as well. Those are not queried.

It only does this with IPs. Urls are checked against all the uridnsbl's.

Niek Baakman




RE: uridnsbl only spamhaus in 3.0.4 ?

2005-06-07 Thread Dallas L. Engelken
 
 It wants to query the domain: 212.203.31.2 It does so here:
 
 debug: URIDNSBL: query for 212.203.31.2 took 1 seconds to 
 look up (sbl.spamhaus.org.:2.31.203.212)
 debug: URIDNSBL: queries completed: 1 started: 0
 debug: URIDNSBL: queries active:  at Tue Jun  7 18:10:32 2005
 
 So, why is URIDNSBL only asking sbl.spamhaus.org ?
 If I replace that ip with 127.0.0.2, spamassassin tells me this:
  *  0.6 URIBL_SBL Contains an URL listed in the SBL blocklist
  *  [URIs: 127.0.0.2]
 
 So it does work, but only for sbl.spamhaus.org.
 This is the odd thing, because in 25_uribl.cf all the 
 surbl.org's are enabled too.
 And in local.cf I added multi.uribl.com as well. Those are 
 not queried.
 
 It only does this with IPs. Urls are checked against all the 
 uridnsbl's.
 

I'm not sure exactly when it was corrected in the trunk, but
dotted-decimal URI's are not scanned against anything but SBL in
versions prior to and including 3.0.4.  I think 3.0.4 still has the NS
lookup issue I reported back in November also
(http://mail-archives.apache.org/mod_mbox/spamassassin-dev/200411.mbox/%
[EMAIL PROTECTED]), but I
haven't checked for a while.

I'm running a more recent snapshot and URI's that are dotted-decimal are
not being reversed and checked properly against uridnsbl lists.  For
example, a test on '202.99.223.139'.

#

x-spam-report shows...

# echo -e From: dallase\n\nhttp://202.99.223.139/help/\n  | spam
X-Spam-Report:
*  0.0 MISSING_DATE Missing Date: header
* -0.0 NO_RELAYS Informational: message was not relayed via SMTP
*  0.1 NORMAL_HTTP_TO_IP URI: Uses a dotted-decimal IP address in URL
*  1.4 DOMAIN_RATIO BODY: Message body mentions many internet domains
*  1.8 URIBL_SBL Contains an URL listed in the SBL blocklist
*  [URIs: 202.99.223.139]
*  2.4 URIBL_BLACK Contains an URL listed in the URIBL blacklist
*  [URIs: 202.99.223.139]
*  3.9 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist
*  [URIs: 202.99.223.139]
*  1.2 URIBL_PH_SURBL Contains an URL listed in the PH SURBL blocklist
*  [URIs: 202.99.223.139]
*  1.0 TO_CC_NONE No To: or Cc: header
*  1.6 MISSING_SUBJECT Missing Subject: header
* -0.0 NO_RECEIVED Informational: message has no Received headers
* -2.6 AWL AWL: From: address is in the auto white-list


tcpdump shows...

21:30:50.992486 dev.nmgi.com.32879 > main.nmgi.com.domain:  32762+ TXT? 139.223.99.202.sbl.spamhaus.org. (49) (DF)
21:30:50.994192 dev.nmgi.com.32879 > main.nmgi.com.domain:  32763+ A? 139.223.99.202.multi.uribl.com. (48) (DF)
21:30:50.995491 dev.nmgi.com.32879 > main.nmgi.com.domain:  32764+ A? 139.223.99.202.multi.surbl.org. (48) (DF)
21:30:51.033813 main.nmgi.com.domain > dev.nmgi.com.32879:  32762 1/0/0 (114)
21:30:51.281404 main.nmgi.com.domain > dev.nmgi.com.32879:  32764 1/0/0 (64)
21:30:53.064747 main.nmgi.com.domain > dev.nmgi.com.32879:  32763 1/4/0 (128)

spamd debug shows...

@400042a6586503d675c4 [4884] dbg: uridnsbl: domain 202.99.223.139 listed (URIBL_SBL): http://www.spamhaus.org/SBL/sbl.lasso?query=SBL27327;
@400042a6586510ea6fcc [4884] dbg: uridnsbl: domain 202.99.223.139 listed (URIBL_PH_SURBL): 127.0.0.10
@400042a6586510f0a98c [4884] dbg: uridnsbl: domain 202.99.223.139 listed (URIBL_SC_SURBL): 127.0.0.10
@400042a65867040eb81c [4884] dbg: uridnsbl: domain 202.99.223.139 listed (URIBL_BLACK): 127.0.0.2
@400042a65867056e3c64 [4884] dbg: check: tests=AWL,DOMAIN_RATIO,MISSING_DATE,MISSING_SUBJECT,NORMAL_HTTP_TO_IP,NO_RECEIVED,NO_RELAYS,TO_CC_NONE,URIBL_BLACK,URIBL_PH_SURBL,URIBL_SBL,URIBL_SC_SURBL
@400042a658670602d374 [4884] info: spamd: result: Y 10 - AWL,DOMAIN_RATIO,MISSING_DATE,MISSING_SUBJECT,NORMAL_HTTP_TO_IP,NO_RECEIVED,NO_RELAYS,TO_CC_NONE,URIBL_BLACK,URIBL_PH_SURBL,URIBL_SBL,URIBL_SC_SURBL scantime=2.2,size=45,user=root,uid=200,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=51712,mid=(unknown),autolearn=no

##

I recommend running the trunk, it handles dotted-decimal Ips now, better
redirect detection, as well as standalone domains that do not have
http:// in front of them, plus numerous other uri detection additions
and fixes.

D
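
Added example, not part of any message in this thread and not SpamAssassin code: a Python script that reads 3.0.4-style `spamassassin -D` output, records which zones each dotted-decimal target was actually sent to, and lists the reversed-octet query names that never went out. The sample log is constructed from the debug lines quoted in the thread (wrapped lines rejoined), and the expected-zone list is an assumption built from the zones the thread names.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample, modelled on the 3.0.4 debug lines quoted in the thread.
SAMPLE_DEBUG = """\
debug: URIDNSBL: found domain ebay.com in skip list
debug: URIDNSBL: domains to query: 212.203.31.2
debug: URIDNSBL: query for 212.203.31.2 took 0 seconds to look up (sbl.spamhaus.org.:2.31.203.212)
debug: URIDNSBL: queries completed: 1 started: 0
"""

# Assumption: zones named in the thread; what your rules enable is site-specific.
EXPECTED_ZONES = ["sbl.spamhaus.org", "multi.surbl.org", "multi.uribl.com"]

QUERY_RE = re.compile(
    r"URIDNSBL: query for (\S+) took \d+ seconds to look up \(([^:()]+):([^()]+)\)")

def reversed_query_name(ip, zone):
    """Build the DNSBL owner name for an IPv4 literal: reversed octets + zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on anything else
    return ".".join(reversed(str(addr).split("."))) + "." + zone.rstrip(".") + "."

def zones_queried(debug_text):
    """Map each looked-up target to the set of zones seen in the debug log."""
    seen = defaultdict(set)
    for line in debug_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            seen[m.group(1)].add(m.group(2).rstrip("."))
    return dict(seen)

def missing_lookups(debug_text, expected=EXPECTED_ZONES):
    """For every IP target, list the expected query names that never appear."""
    report = {}
    for target, zones in zones_queried(debug_text).items():
        try:
            ipaddress.IPv4Address(target)
        except ValueError:
            continue  # a hostname, not a dotted-decimal target
        report[target] = [reversed_query_name(target, z)
                          for z in expected if z not in zones]
    return report

if __name__ == "__main__":
    for ip, names in missing_lookups(SAMPLE_DEBUG).items():
        print(ip, "never queried:", ", ".join(names))
```

The names it reports as missing have the same shape as the three queries in the tcpdump capture above, so they can be compared directly against a capture taken on the scanning host.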


Re: uridnsbl only spamhaus in 3.0.4 ?

2005-06-07 Thread Daryl C. W. O'Shea

Dallas L. Engelken wrote:

I'm running a more recent snapshot and URI's that are dotted-decimal are
not being reversed and checked properly against uridnsbl lists.  For
example, a test on '202.99.223.139'.


You mean they ARE being looked up, right?  Not are not?

Daryl