More URI tests to drive up scores (was Re: Implicit trust of surbl and sbl)
I have used the following rules (which greatly overlap the existing URI rules) to drive up scores, while not repeating the same tests or increasing the scores for existing tests. YMMV, but they work for me (v3.0.x).

uridnsbl   URIBL_COMPLETEWHOIS  combined-HIB.dnsiplists.completewhois.com.  A
body       URIBL_COMPLETEWHOIS  eval:check_uridnsbl('URIBL_COMPLETEWHOIS')
describe   URIBL_COMPLETEWHOIS  Contains an URL listed in the combined-HIB.dnsiplists.completewhois.com blocklist
tflags     URIBL_COMPLETEWHOIS  net

urirhssub  URIBL_RHS_DSN  fulldom.rfc-ignorant.org.  A  127.0.0.2
body       URIBL_RHS_DSN  eval:check_uridnsbl('URIBL_RHS_DSN')
describe   URIBL_RHS_DSN  Contains an URL listed in the dsn.rfc-ignorant.org blocklist
tflags     URIBL_RHS_DSN  net

urirhssub  URIBL_RHS_POST  fulldom.rfc-ignorant.org.  A  127.0.0.3
body       URIBL_RHS_POST  eval:check_uridnsbl('URIBL_RHS_POST')
describe   URIBL_RHS_POST  Contains an URL listed in the postmaster.rfc-ignorant.org blocklist
tflags     URIBL_RHS_POST  net

urirhssub  URIBL_RHS_ABUSE  fulldom.rfc-ignorant.org.  A  127.0.0.4
body       URIBL_RHS_ABUSE  eval:check_uridnsbl('URIBL_RHS_ABUSE')
describe   URIBL_RHS_ABUSE  Contains an URL listed in the abuse.rfc-ignorant.org blocklist
tflags     URIBL_RHS_ABUSE  net

urirhssub  URIBL_RHS_WHOIS  fulldom.rfc-ignorant.org.  A  127.0.0.5
body       URIBL_RHS_WHOIS  eval:check_uridnsbl('URIBL_RHS_WHOIS')
describe   URIBL_RHS_WHOIS  Contains an URL listed in the whois.rfc-ignorant.org blocklist
tflags     URIBL_RHS_WHOIS  net

urirhssub  URIBL_RHS_BOGUSMX  fulldom.rfc-ignorant.org.  A  127.0.0.8
body       URIBL_RHS_BOGUSMX  eval:check_uridnsbl('URIBL_RHS_BOGUSMX')
describe   URIBL_RHS_BOGUSMX  Contains an URL listed in the bogusmx.rfc-ignorant.org blocklist
tflags     URIBL_RHS_BOGUSMX  net

With the (completely empirically - almost arbitrarily - chosen) scores of:

score URIBL_COMPLETEWHOIS 1.75
score URIBL_RHS_DSN 0.5
score URIBL_RHS_POST 0.75
score URIBL_RHS_ABUSE 0.25
score URIBL_RHS_WHOIS 1.33
score URIBL_RHS_BOGUSMX 3.75

Note: as might be expected, the abuse and postmaster tests give a lot of FPs, particularly from the free (but often abused) services like Hotmail. Hence the low score assigned to them. On the other hand, the bogusmx test is a good candidate for a higher score (I've never seen a false positive for my admittedly very biased corpus).

The combined-HIB.dnsiplists.completewhois.com. list can be considered to be a likely replacement for the now discontinued ipwhois.rfc-ignorant.org.

I also use similar RCVD_IN_* rules to drive up scores (with a similar low weighting on abuse and postmaster). The logical rationale behind these is: if you or your ISP either don't accept complaints, or lie about your contact data, I probably don't want to hear from you. The score values are low enough that they don't cause (not for me at least) FPs for email from mailing lists where the original poster has one of those appended advertisements at the bottom (like "Sign up now for your free email at xyz.com" and xyz.com fails the postmaster/abuse tests - so the -notfirsthop option may be appropriate for any similar RCVD_IN_* rules, though I don't use it myself).

Hope these help someone,
Paul Shupak
[EMAIL PROTECTED]
Re: More URI tests to drive up scores (was Re: Implicit trust of surbl and sbl)
On Friday, January 7, 2005, 9:02:47 PM, List User wrote:

> I have used the following rules (which greatly overlap the existing URI rules) to drive up scores, while not repeating the same tests or increasing the scores for existing tests. YMMV, but they work for me (v3.0.x).
>
> uridnsbl   URIBL_COMPLETEWHOIS  combined-HIB.dnsiplists.completewhois.com.  A
> body       URIBL_COMPLETEWHOIS  eval:check_uridnsbl('URIBL_COMPLETEWHOIS')
> describe   URIBL_COMPLETEWHOIS  Contains an URL listed in the combined-HIB.dnsiplists.completewhois.com blocklist
> tflags     URIBL_COMPLETEWHOIS  net
>
> urirhssub  URIBL_RHS_DSN  fulldom.rfc-ignorant.org.  A  127.0.0.2
> body       URIBL_RHS_DSN  eval:check_uridnsbl('URIBL_RHS_DSN')
> describe   URIBL_RHS_DSN  Contains an URL listed in the dsn.rfc-ignorant.org blocklist
> tflags     URIBL_RHS_DSN  net
>
> urirhssub  URIBL_RHS_POST  fulldom.rfc-ignorant.org.  A  127.0.0.3
> body       URIBL_RHS_POST  eval:check_uridnsbl('URIBL_RHS_POST')
> describe   URIBL_RHS_POST  Contains an URL listed in the postmaster.rfc-ignorant.org blocklist
> tflags     URIBL_RHS_POST  net
>
> urirhssub  URIBL_RHS_ABUSE  fulldom.rfc-ignorant.org.  A  127.0.0.4
> body       URIBL_RHS_ABUSE  eval:check_uridnsbl('URIBL_RHS_ABUSE')
> describe   URIBL_RHS_ABUSE  Contains an URL listed in the abuse.rfc-ignorant.org blocklist
> tflags     URIBL_RHS_ABUSE  net
>
> urirhssub  URIBL_RHS_WHOIS  fulldom.rfc-ignorant.org.  A  127.0.0.5
> body       URIBL_RHS_WHOIS  eval:check_uridnsbl('URIBL_RHS_WHOIS')
> describe   URIBL_RHS_WHOIS  Contains an URL listed in the whois.rfc-ignorant.org blocklist
> tflags     URIBL_RHS_WHOIS  net
>
> urirhssub  URIBL_RHS_BOGUSMX  fulldom.rfc-ignorant.org.  A  127.0.0.8
> body       URIBL_RHS_BOGUSMX  eval:check_uridnsbl('URIBL_RHS_BOGUSMX')
> describe   URIBL_RHS_BOGUSMX  Contains an URL listed in the bogusmx.rfc-ignorant.org blocklist
> tflags     URIBL_RHS_BOGUSMX  net

Hi Paul,

I'm not sure that this is a correct use of urirhssub, which may have been more suited towards bitmasked lists such as multi.surbl.org and CBL. In other words, it may only be usable with power-of-two results like 127.0.0.2, 4, 8, 16, 32.

To be honest I haven't checked how the urirhssub source code handles other cases. urirhsbl may be more appropriate if the result codes are not encoded with bitmask positions.

http://www.surbl.org/lists.html#multi

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/
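The point Jeff raises, worked through in code: this is an added example, not code from the thread or from SpamAssassin, that reads Paul's rfc-ignorant return codes first as exact-match subtests and then as multi.surbl.org-style bitmasks, and sums his scores either way. The example domains and DNS answers are constructed, and the assumption that the zone is queried as <domain>.<zone> is the example's own.

```python
# Added example (not from the thread): how an RHSBL answer such as 127.0.0.3
# is read under an exact-match subtest versus a bitmask subtest. A constructed
# in-memory table stands in for real DNS.
import ipaddress

ZONE = "fulldom.rfc-ignorant.org"

# rule -> (subtest address, score), as given in Paul's rules.
RULES = {
    "URIBL_RHS_DSN": ("127.0.0.2", 0.5),
    "URIBL_RHS_POST": ("127.0.0.3", 0.75),
    "URIBL_RHS_ABUSE": ("127.0.0.4", 0.25),
    "URIBL_RHS_WHOIS": ("127.0.0.5", 1.33),
    "URIBL_RHS_BOGUSMX": ("127.0.0.8", 3.75),
}

# Constructed answers (assumption: the zone is queried as <domain>.<zone>).
FAKE_DNS = {
    f"example-post.test.{ZONE}": ["127.0.0.3"],
    f"example-whois.test.{ZONE}": ["127.0.0.5"],
    f"example-bogusmx.test.{ZONE}": ["127.0.0.8"],
}


def last_octet(ip):
    return int(ipaddress.IPv4Address(ip)) & 0xFF


def lookup(domain, resolver=FAKE_DNS):
    """A records for domain.ZONE; an empty list means not listed."""
    return resolver.get(f"{domain}.{ZONE}", [])


def exact_match_hits(answers):
    """Rules whose subtest address equals a returned address."""
    return sorted(n for n, (ip, _) in RULES.items() if ip in answers)


def bitmask_hits(answers):
    """Rules whose subtest, read as a bitmask over the last octet, shares a
    bit with a returned address (the multi.surbl.org convention Jeff cites)."""
    return sorted(n for n, (ip, _) in RULES.items()
                  if any(last_octet(a) & last_octet(ip) for a in answers))


def total_score(hits):
    """Sum of the post's scores for the rules that fired."""
    return round(sum(RULES[n][1] for n in hits), 2)
```

A single 127.0.0.3 listing fires one rule under exact matching but three under bitmask matching (3 = bits 1 and 2, so 127.0.0.2 and 127.0.0.5 also match), while 127.0.0.8 behaves the same either way because it is a power of two.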