More URI tests to drive up scores (was Re: Implicit trust of surbl and sbl)

2005-01-08 Thread List Mail User

I have used the following rules (which greatly overlap the existing URI
rules) to drive up scores, while not repeating the same tests or increasing the
scores for existing tests. YMMV, but they work for me (v3.0.x).


uridnsbl    URIBL_COMPLETEWHOIS  combined-HIB.dnsiplists.completewhois.com.  A
body        URIBL_COMPLETEWHOIS  eval:check_uridnsbl('URIBL_COMPLETEWHOIS')
describe    URIBL_COMPLETEWHOIS  Contains an URL listed in the combined-HIB.dnsiplists.completewhois.com blocklist
tflags      URIBL_COMPLETEWHOIS  net

urirhssub   URIBL_RHS_DSN        fulldom.rfc-ignorant.org.  A  127.0.0.2
body        URIBL_RHS_DSN        eval:check_uridnsbl('URIBL_RHS_DSN')
describe    URIBL_RHS_DSN        Contains an URL listed in the dsn.rfc-ignorant.org blocklist
tflags      URIBL_RHS_DSN        net

urirhssub   URIBL_RHS_POST       fulldom.rfc-ignorant.org.  A  127.0.0.3
body        URIBL_RHS_POST       eval:check_uridnsbl('URIBL_RHS_POST')
describe    URIBL_RHS_POST       Contains an URL listed in the postmaster.rfc-ignorant.org blocklist
tflags      URIBL_RHS_POST       net

urirhssub   URIBL_RHS_ABUSE      fulldom.rfc-ignorant.org.  A  127.0.0.4
body        URIBL_RHS_ABUSE      eval:check_uridnsbl('URIBL_RHS_ABUSE')
describe    URIBL_RHS_ABUSE      Contains an URL listed in the abuse.rfc-ignorant.org blocklist
tflags      URIBL_RHS_ABUSE      net

urirhssub   URIBL_RHS_WHOIS      fulldom.rfc-ignorant.org.  A  127.0.0.5
body        URIBL_RHS_WHOIS      eval:check_uridnsbl('URIBL_RHS_WHOIS')
describe    URIBL_RHS_WHOIS      Contains an URL listed in the whois.rfc-ignorant.org blocklist
tflags      URIBL_RHS_WHOIS      net

urirhssub   URIBL_RHS_BOGUSMX    fulldom.rfc-ignorant.org.  A  127.0.0.8
body        URIBL_RHS_BOGUSMX    eval:check_uridnsbl('URIBL_RHS_BOGUSMX')
describe    URIBL_RHS_BOGUSMX    Contains an URL listed in the bogusmx.rfc-ignorant.org blocklist
tflags      URIBL_RHS_BOGUSMX    net

With the (completely empirically - almost arbitrarily - chosen) scores of:

score URIBL_COMPLETEWHOIS   1.75
score URIBL_RHS_DSN         0.5
score URIBL_RHS_POST        0.75
score URIBL_RHS_ABUSE       0.25
score URIBL_RHS_WHOIS       1.33
score URIBL_RHS_BOGUSMX     3.75

Note: as might be expected, the abuse and postmaster tests give a
lot of FPs, particularly from the free (but often abused) services like Hotmail.
Hence the low score assigned to them.  On the other hand the bogusmx test is
a good candidate for a higher score (I've never seen a false positive for my
admittedly very biased corpus).

The combined-HIB.dnsiplists.completewhois.com. list can be considered
to be a likely replacement for the now discontinued ipwhois.rfc-ignorant.org.

I also use similar RCVD_IN_* rules to drive up scores (with a
similar low weighting on abuse and postmaster).

The logical rationale behind these is: if you or your ISP either
don't accept complaints, or lie about your contact data, I probably don't
want to hear from you.

The score values are low enough that they don't cause (not for me
at least) FPs for email from mailing lists where the original poster has one
of those appended advertisements at the bottom (like "Sign up now for your
free email at xyz.com" where xyz.com fails the postmaster/abuse tests - so the
-notfirsthop option may be appropriate for any similar RCVD_IN_* rules,
though I don't use it myself).

Hope these help someone,

Paul Shupak
[EMAIL PROTECTED]



Re: More URI tests to drive up scores (was Re: Implicit trust of surbl and sbl)

2005-01-08 Thread Jeff Chan
On Friday, January 7, 2005, 9:02:47 PM, List User wrote:

> I have used the following rules (which greatly overlap the existing URI
> rules) to drive up scores, while not repeating the same tests or increasing
> the scores for existing tests. YMMV, but they work for me (v3.0.x).
>
> uridnsbl    URIBL_COMPLETEWHOIS  combined-HIB.dnsiplists.completewhois.com.  A
> body        URIBL_COMPLETEWHOIS  eval:check_uridnsbl('URIBL_COMPLETEWHOIS')
> describe    URIBL_COMPLETEWHOIS  Contains an URL listed in the combined-HIB.dnsiplists.completewhois.com blocklist
> tflags      URIBL_COMPLETEWHOIS  net
>
> urirhssub   URIBL_RHS_DSN        fulldom.rfc-ignorant.org.  A  127.0.0.2
> body        URIBL_RHS_DSN        eval:check_uridnsbl('URIBL_RHS_DSN')
> describe    URIBL_RHS_DSN        Contains an URL listed in the dsn.rfc-ignorant.org blocklist
> tflags      URIBL_RHS_DSN        net
>
> urirhssub   URIBL_RHS_POST       fulldom.rfc-ignorant.org.  A  127.0.0.3
> body        URIBL_RHS_POST       eval:check_uridnsbl('URIBL_RHS_POST')
> describe    URIBL_RHS_POST       Contains an URL listed in the postmaster.rfc-ignorant.org blocklist
> tflags      URIBL_RHS_POST       net
>
> urirhssub   URIBL_RHS_ABUSE      fulldom.rfc-ignorant.org.  A  127.0.0.4
> body        URIBL_RHS_ABUSE      eval:check_uridnsbl('URIBL_RHS_ABUSE')
> describe    URIBL_RHS_ABUSE      Contains an URL listed in the abuse.rfc-ignorant.org blocklist
> tflags      URIBL_RHS_ABUSE      net
>
> urirhssub   URIBL_RHS_WHOIS      fulldom.rfc-ignorant.org.  A  127.0.0.5
> body        URIBL_RHS_WHOIS      eval:check_uridnsbl('URIBL_RHS_WHOIS')
> describe    URIBL_RHS_WHOIS      Contains an URL listed in the whois.rfc-ignorant.org blocklist
> tflags      URIBL_RHS_WHOIS      net
>
> urirhssub   URIBL_RHS_BOGUSMX    fulldom.rfc-ignorant.org.  A  127.0.0.8
> body        URIBL_RHS_BOGUSMX    eval:check_uridnsbl('URIBL_RHS_BOGUSMX')
> describe    URIBL_RHS_BOGUSMX    Contains an URL listed in the bogusmx.rfc-ignorant.org blocklist
> tflags      URIBL_RHS_BOGUSMX    net

Hi Paul,
I'm not sure that this is a correct use of urirhssub, which
may have been more suited towards bitmasked lists such as
multi.surbl.org and CBL.  In other words, it may only be
usable with power of two results like 127.0.0.2,4,8,16,32.
To be honest I haven't checked how the urirhssub source
code handles other cases.   urirhsbl may be more appropriate
if the result codes are not encoded with bitmask positions.

  http://www.surbl.org/lists.html#multi

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/
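The following is an added example, not code from either poster or from SpamAssassin: it takes the rfc-ignorant subtest codes and scores from Paul's message and evaluates constructed DNSBL answers under two illustrative matching modes (exact address match versus multi.surbl.org-style bitmask), to make Jeff's point concrete: codes like 127.0.0.3 and 127.0.0.5 are not powers of two, so a bitmask interpretation would fire extra rules and inflate the score. The two matchers are simplifications written for this example and are not SpamAssassin's actual urirhssub logic.

```python
# Added example (not from this thread or from SpamAssassin): scores the
# rfc-ignorant subtests against constructed DNS answers under two
# hypothetical return-code matching modes, to show why the bitmask
# question matters for codes that are not powers of two.

# (rule name, subtest code, score) as posted in the thread
RFCI_RULES = [
    ("URIBL_RHS_DSN",     "127.0.0.2", 0.5),
    ("URIBL_RHS_POST",    "127.0.0.3", 0.75),
    ("URIBL_RHS_ABUSE",   "127.0.0.4", 0.25),
    ("URIBL_RHS_WHOIS",   "127.0.0.5", 1.33),
    ("URIBL_RHS_BOGUSMX", "127.0.0.8", 3.75),
]


def last_octet(addr):
    """Return the final octet of a dotted-quad DNSBL answer as an int."""
    return int(addr.rsplit(".", 1)[1])


def matches(answer, subtest, mode):
    """Illustrative matchers, NOT SpamAssassin's own urirhssub logic.

    exact   - the A record must equal the subtest address.
    bitmask - any bit shared between the answer's last octet and the
              subtest's last octet counts as a hit (multi.surbl.org style).
    """
    if mode == "exact":
        return answer == subtest
    if mode == "bitmask":
        return (last_octet(answer) & last_octet(subtest)) != 0
    raise ValueError("unknown mode: %s" % mode)


def fired_rules(answers, mode):
    """Names of the rules that fire for the given list of A answers."""
    return [name for name, code, _ in RFCI_RULES
            if any(matches(a, code, mode) for a in answers)]


def total_score(answers, mode):
    """Sum of the posted scores for the rules that fire, rounded to 2 places."""
    fired = set(fired_rules(answers, mode))
    return round(sum(s for name, _, s in RFCI_RULES if name in fired), 2)


if __name__ == "__main__":
    # Constructed answers: a domain listed only for the whois test (127.0.0.5)
    # and one listed only for bogusmx (127.0.0.8).
    for answers in (["127.0.0.5"], ["127.0.0.8"]):
        for mode in ("exact", "bitmask"):
            print(answers, mode, fired_rules(answers, mode),
                  total_score(answers, mode))
```

Under the bitmask reading a whois-only listing (127.0.0.5) also fires the postmaster and abuse rules, raising the score from 1.33 to 2.33, while the power-of-two bogusmx code (127.0.0.8) behaves the same either way.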