Re: Central and common rules

2009-01-29 Thread Nigel Frankcom
On Tue, 27 Jan 2009 21:51:13 +, Nigel Frankcom wrote:

>Hi All,
>
>Is there a central point for links or dissemination of 'best
>practice' rules?
>
>I freely admit this is my 1st port of call.
>
>I'm wondering if there is a simple (i.e. works for a muppet like me)
>page that lists details of how to synch non sa-update rules. The
>question is based on the sad and slow demise of the ninjas.
>
>If no such central repository exists I'd be interested in setting up
>one; hopefully with some info for new users.
>
>Kind regards
>
>Nigel


Many thanks to all for your replies. Also to those that have taken the
time and trouble to set up channels.

Kind regards

Nigel


RE: Central and common rules

2009-01-29 Thread Bowie Bailey
Karsten Bräckelmann wrote:
> On Wed, 2009-01-28 at 16:55 -0500, Bowie Bailey wrote:
> > Yet Another Ninja wrote:
> > > On 1/28/2009 10:22 PM, Bowie Bailey wrote:
> 
> > > > > 90_2tld.cf.sare.sa-update.dostech.net (from SARE)
> > > > 
> > > > I haven't seen this rule set before.  Is there any information
> > > > out there about it?  There doesn't seem to be anything on the
> > > > SARE rules page.
> > > 
> > > http://www.rulesemporium.com/rules/90_2tld.cf
> 
> > This file doesn't have any actual rules in it.  Do these settings
> > affect the standard rules or do I need something else?
> 
> They are settings, not rules.
>  
> http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html

The reason I asked this question was because I searched the man page and
didn't find the "util_rb_2tld" setting listed.  I guess I was looking at
the Mail::SpamAssassin man page rather than the config page.

Thanks for the info!  I'll add this to my config.

-- 
Bowie


Re: Central and common rules

2009-01-28 Thread mouss
Karsten Bräckelmann wrote:
> On Wed, 2009-01-28 at 23:29 +0100, mouss wrote:
> [...]
>> you want to lookup "spammer.geocities.com" instead. for this, the domain
>> "geocities.com" must be included in a list of such "exceptional" domains
>> (domains for which 3 labels are kept instead of just 2. [The "2" in
>> util_rb_2tld is because the TLD is not counted]).
> 
> Hmm. Actually, the "2" translates to "the TLD consists of 2 labels",
> including and counting the real TLD. Thus, the BL lookup needs to be
> done for 2+1, since the logical TLD is an exception to the general .com
> TLD. ;)

indeed. silly me (it's clear now that I open my eyes on the "2tld" part!)

> 
>   guenther  -- nitpicker having a beer
> 


mouss, in a need for a franciskaner ;-p




Re: Central and common rules

2009-01-28 Thread Karsten Bräckelmann
On Wed, 2009-01-28 at 23:29 +0100, mouss wrote:
[...]
> you want to lookup "spammer.geocities.com" instead. for this, the domain
> "geocities.com" must be included in a list of such "exceptional" domains
> (domains for which 3 labels are kept instead of just 2. [The "2" in
> util_rb_2tld is because the TLD is not counted]).

Hmm. Actually, the "2" translates to "the TLD consists of 2 labels",
including and counting the real TLD. Thus, the BL lookup needs to be
done for 2+1, since the logical TLD is an exception to the general .com
TLD. ;)

  guenther  -- nitpicker having a beer


-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: Central and common rules

2009-01-28 Thread mouss
Bowie Bailey wrote:
> Yet Another Ninja wrote:
>> On 1/28/2009 10:22 PM, Bowie Bailey wrote:
>>> mouss wrote:
>>>> 90_2tld.cf.sare.sa-update.dostech.net (from SARE)
>>> I haven't seen this rule set before.  Is there any information out
>>> there about it?  There doesn't seem to be anything on the SARE
>>> rules page. 
>>>
>> http://www.rulesemporium.com/rules/90_2tld.cf
> 
> Yes, I found the file itself, but it doesn't give much information about
> it.
> 
> What is it for?
> 

let's say you get a url like http://spammer.geocities.com/... by
default, SA will lookup "geocities.com" (in uribl, ...). but this will
not be listed (uribl won't list such domains for obvious reasons). so
you want to lookup "spammer.geocities.com" instead. for this, the domain
"geocities.com" must be included in a list of such "exceptional" domains
(domains for which 3 labels are kept instead of just 2. [The "2" in
util_rb_2tld is because the TLD is not counted]).

this list needs to be updated. if you don't use an external file (such
as 90_2tld.cf), you would need to wait for an SA upgrade.

> What is "the RegistrarBoundaries code" and why should I update it?
> 

to catch more spam.

> This file doesn't have any actual rules in it.  Do these settings affect
> the standard rules or do I need something else?
> 
> Any possibilities of false positives or negatives here?
> 

no false anything.


RE: Central and common rules

2009-01-28 Thread Karsten Bräckelmann
On Wed, 2009-01-28 at 16:55 -0500, Bowie Bailey wrote:
> Yet Another Ninja wrote:
> > On 1/28/2009 10:22 PM, Bowie Bailey wrote:

> > > > 90_2tld.cf.sare.sa-update.dostech.net (from SARE)
> > > 
> > > I haven't seen this rule set before.  Is there any information out
> > > there about it?  There doesn't seem to be anything on the SARE
> > > rules page. 
> > 
> > http://www.rulesemporium.com/rules/90_2tld.cf
> 
> Yes, I found the file itself, but it doesn't give much information about
> it.
> 
> What is it for?

It lists free and abused sub-domain hosters.

The reason is, that because e.g. blogspot.com itself will never be
listed by BLs, the network tests instead will be done for the second
level TLD domain:  spammer-abused.blogspot.com

This is useful with blacklists actually listing those domains by using
the 2nd level TLD as registrar boundaries -- currently that's URIBL only
for the stuff you find in that file.

It is used by other BLs for "real" 2nd level TLDs, like co.uk, which are
defined in SA.


> What is "the RegistrarBoundaries code" and why should I update it?

$ locate RegistrarBoundaries

You don't update the code. ;)


> This file doesn't have any actual rules in it.  Do these settings affect
> the standard rules or do I need something else?

They are settings, not rules.
  http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html

They do affect some URIs to check against BLs. See above. It's a self
contained cf file (actually, an entire sa-update channel has been
mentioned), so you do not need anything -- other than SA >= 3.2.4. ;)


> Any possibilities of false positives or negatives here?

Possibility? Yes, just like with any other BL match. Though IMHO, the
odds are about zero for FPs.

Unless another BL rightfully blacklists an entire domain listed in that
file, there is no possibility for FNs.

  guenther


-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
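
The trimming discussed in this thread (keep 1+1 labels by default, 2+1 when the last two labels are a listed "logical TLD"), shown as an added example that is not part of any poster's message and is not SpamAssassin's RegistrarBoundaries code. The function names, the sample lists and the sample .cf excerpt are constructed assumptions.

```python
# Added illustration: a simplified model of the label-trimming described in
# this thread. It is not SpamAssassin's RegistrarBoundaries code.
from urllib.parse import urlsplit

# Constructed sample list (assumption); the real ones ship with SA / 90_2tld.cf.
REAL_2TLDS = {"co.uk"}

SAMPLE_CF = """\
# constructed excerpt in the style of 90_2tld.cf
util_rb_2tld geocities.com blogspot.com
"""


def parse_util_rb_2tld(cf_text):
    """Collect the domains named on 'util_rb_2tld' lines of a .cf file."""
    domains = set()
    for line in cf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts and parts[0] == "util_rb_2tld":
            domains.update(p.lower() for p in parts[1:])
    return domains


def lookup_domain(host, two_label_tlds):
    """Return the name that would be queried against a URI blacklist."""
    labels = host.lower().rstrip(".").split(".")
    if all(label.isdigit() for label in labels):
        return host  # IP literal: nothing to trim
    # A listed 2-label "logical TLD" means keeping 2+1 labels, else 1+1.
    keep = 3 if ".".join(labels[-2:]) in two_label_tlds else 2
    return ".".join(labels[-keep:])


def lookup_for_url(url, two_label_tlds):
    """Extract the host from a URL and apply lookup_domain to it."""
    return lookup_domain(urlsplit(url).hostname or "", two_label_tlds)


if __name__ == "__main__":
    url = "http://spammer.geocities.com/page"
    print(lookup_for_url(url, REAL_2TLDS))  # without the extra entries
    print(lookup_for_url(url, REAL_2TLDS | parse_util_rb_2tld(SAMPLE_CF)))
```
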



RE: Central and common rules

2009-01-28 Thread Bowie Bailey
Yet Another Ninja wrote:
> On 1/28/2009 10:22 PM, Bowie Bailey wrote:
> > mouss wrote:
> > > 90_2tld.cf.sare.sa-update.dostech.net (from SARE)
> > 
> > I haven't seen this rule set before.  Is there any information out
> > there about it?  There doesn't seem to be anything on the SARE
> > rules page. 
> > 
> 
> http://www.rulesemporium.com/rules/90_2tld.cf

Yes, I found the file itself, but it doesn't give much information about
it.

What is it for?

What is "the RegistrarBoundaries code" and why should I update it?

This file doesn't have any actual rules in it.  Do these settings affect
the standard rules or do I need something else?

Any possibilities of false positives or negatives here?

-- 
Bowie


Re: Central and common rules

2009-01-28 Thread Yet Another Ninja

On 1/28/2009 10:22 PM, Bowie Bailey wrote:
> mouss wrote:
>> 90_2tld.cf.sare.sa-update.dostech.net (from SARE)
>
> I haven't seen this rule set before.  Is there any information out there
> about it?  There doesn't seem to be anything on the SARE rules page.

http://www.rulesemporium.com/rules/90_2tld.cf


RE: Central and common rules

2009-01-28 Thread Bowie Bailey
mouss wrote:
> 
> 90_2tld.cf.sare.sa-update.dostech.net (from SARE)

I haven't seen this rule set before.  Is there any information out there
about it?  There doesn't seem to be anything on the SARE rules page.

-- 
Bowie


Re: Central and common rules

2009-01-28 Thread mouss
Nigel Frankcom wrote:
> Hi All,
> 
> Is there a central point for links or dissemination of 'best
> practice' rules?
> 
> I freely admit this is my 1st port of call.
> 
> I'm wondering if there is a simple (i.e. works for a muppet like me)
> page that lists details of how to synch non sa-update rules. The
> question is based on the sad and slow demise of the ninjas.
> 
> If no such central repository exists I'd be interested in setting up
> one; hopefully with some info for new users.
> 
> Kind regards
> 
> Nigel

here are the only channels I use at this time:

updates.spamassassin.org
sought.rules.yerp.org
90_2tld.cf.sare.sa-update.dostech.net (from SARE)