Re: SA Sorbs Usage/Rules
On Fri, 2011-12-16 at 13:57 -0500, dar...@chaosreigns.com wrote: Basically, without evidence money is not charged to be delisted from any of those three lists, they're going to stay out of the default rule set. On 17.12.11 12:16, Noel Butler wrote: Lastly, I would have thought SA dev team would have liked to see hard evidence that someone was _forced_ to pay the 50 donation to be delisted, because all I here is the web site says it which frankly doesn't cut it with me, we were nobody special to SORBS, so I can't see why they'd remove us for free but forcibly demand payments from others, the only common ground we had with Matt back then was we were both located in the same city, along with 2 million others. afaik, the request for donating $50 to charity (not paying SORBS! some people did have lied about this) was removed some time ago, and delisting is now done upon request. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. You have the right to remain silent. Anything you say will be misquoted, then used against you.
Re: SA Sorbs Usage/Rules
On Mon, 2011-12-19 at 11:20 +0100, Matus UHLAR - fantomas wrote: On Fri, 2011-12-16 at 13:57 -0500, dar...@chaosreigns.com wrote: Basically, without evidence money is not charged to be delisted from any of those three lists, they're going to stay out of the default rule set. On 17.12.11 12:16, Noel Butler wrote: Lastly, I would have thought SA dev team would have liked to see hard evidence that someone was _forced_ to pay the 50 donation to be delisted, because all I here is the web site says it which frankly doesn't cut it with me, we were nobody special to SORBS, so I can't see why they'd remove us for free but forcibly demand payments from others, the only common ground we had with Matt back then was we were both located in the same city, along with 2 million others. afaik, the request for donating $50 to charity (not paying SORBS! some people did have lied about this) was removed some time ago, and delisting is now done upon request. Paying to charities correct, but hey, you know, some people can't let the facts get in the way of a ruining a good whinge, and you're right, it was my understanding also this was being removed from the website some time ago, but haven't been to check it out so can not comment one way or another. Cheers signature.asc Description: This is a digitally signed message part
SA Sorbs Usage/Rules
I know some of the discussions in the past about usage of Sorbs RBLs
in Spamassassin. The scores today are as follows:
score RCVD_IN_SORBS_BLOCK 0 # n=0 n=1 n=2 n=3
score RCVD_IN_SORBS_DUL 0 0.001 0 0.001 # n=0 n=2
score RCVD_IN_SORBS_HTTP 0 2.499 0 0.001 # n=0 n=2
score RCVD_IN_SORBS_MISC 0 # n=0 n=1 n=2 n=3
score RCVD_IN_SORBS_SMTP 0 # n=0 n=1 n=2 n=3
score RCVD_IN_SORBS_SOCKS 0 2.443 0 1.927 # n=0 n=2
score RCVD_IN_SORBS_WEB 0 0.614 0 0.770 # n=0 n=2
score RCVD_IN_SORBS_ZOMBIE 0 # n=0 n=1 n=2 n=3
The 0-Scores for DUL was done because lot of people thought there
were too much false positives within that (I dont see so, but ok).
Another Argument for 0-Scoring or not using sorbs was that the rbl
contains a lot of old (meaning not actual) entries in the spam
section (in mind of the dislist policy). Ok.
But today I take a deeper look at the sorbs rbls and found, that
there is a very simple misconfigration in the SA rules. The rbl
check is done against the big 'dnsbl.sorbs.net' zone:
eval:check_rbl('sorbs', 'dnsbl.sorbs.net.')
And _that_ in my opinion is wrong. The rbl lookup should be done
against the rbl 'safe.dnsbl.sorbs.net' instead. This rbl is a
compilation of most of the sorbs partial lists as dnsbl.sorbs.net
but with a simple difference: In opposite to dnsl.sorbs.net it
does not contain the 'recent.spam' and the 'old.spam' partial
lists, which are contained in 'dnsbl.sorbs.net'. The only spam
listed in this 'safe.dnsbl.sorbs.net' contains spam of the last
24 hours, so the arguments against using sorbs especially because
of its spam delisting policy do not exist. One could simply change
the rbl lookup to the right zone and so also score spams within
that rbl (low).
Description of the different sorbs partial-zones as of the
aggregate zones here: https://www.sorbs.net/using.shtml
Re: SA Sorbs Usage/Rules
Interesting. Will cross-post to dev and see if anyone has some
input.
On 12/16/2011 12:22 PM, Lutz Petersen wrote:
I know some of the discussions in the past about usage of Sorbs RBLs
in Spamassassin. The scores today are as follows:
score RCVD_IN_SORBS_BLOCK 0 # n=0 n=1 n=2 n=3
score RCVD_IN_SORBS_DUL 0 0.001 0 0.001 # n=0 n=2
score RCVD_IN_SORBS_HTTP 0 2.499 0 0.001 # n=0 n=2
score RCVD_IN_SORBS_MISC 0 # n=0 n=1 n=2 n=3
score RCVD_IN_SORBS_SMTP 0 # n=0 n=1 n=2 n=3
score RCVD_IN_SORBS_SOCKS 0 2.443 0 1.927 # n=0 n=2
score RCVD_IN_SORBS_WEB 0 0.614 0 0.770 # n=0 n=2
score RCVD_IN_SORBS_ZOMBIE 0 # n=0 n=1 n=2 n=3
The 0-Scores for DUL was done because lot of people thought there
were too much false positives within that (I dont see so, but ok).
Another Argument for 0-Scoring or not using sorbs was that the rbl
contains a lot of old (meaning not actual) entries in the spam
section (in mind of the dislist policy). Ok.
But today I take a deeper look at the sorbs rbls and found, that
there is a very simple misconfigration in the SA rules. The rbl
check is done against the big 'dnsbl.sorbs.net' zone:
eval:check_rbl('sorbs', 'dnsbl.sorbs.net.')
And _that_ in my opinion is wrong. The rbl lookup should be done
against the rbl 'safe.dnsbl.sorbs.net' instead. This rbl is a
compilation of most of the sorbs partial lists as dnsbl.sorbs.net
but with a simple difference: In opposite to dnsl.sorbs.net it
does not contain the 'recent.spam' and the 'old.spam' partial
lists, which are contained in 'dnsbl.sorbs.net'. The only spam
listed in this 'safe.dnsbl.sorbs.net' contains spam of the last
24 hours, so the arguments against using sorbs especially because
of its spam delisting policy do not exist. One could simply change
the rbl lookup to the right zone and so also score spams within
that rbl (low).
Description of the different sorbs partial-zones as of the
aggregate zones here: https://www.sorbs.net/using.shtml
--
Kevin A. McGrail
President
Peregrine Computer Consultants Corporation
3927 Old Lee Highway, Suite 102-C
Fairfax, VA 22030-2422
http://www.pccc.com/
703-359-9700 x50 / 800-823-8402 (Toll-Free)
703-359-8451 (fax)
kmcgr...@pccc.com
Re: SA Sorbs Usage/Rules
On 12/16, Lutz Petersen wrote:
I know some of the discussions in the past about usage of Sorbs RBLs
in Spamassassin. The scores today are as follows:
score RCVD_IN_SORBS_BLOCK 0 # n=0 n=1 n=2 n=3
score RCVD_IN_SORBS_DUL 0 0.001 0 0.001 # n=0 n=2
score RCVD_IN_SORBS_HTTP 0 2.499 0 0.001 # n=0 n=2
score RCVD_IN_SORBS_MISC 0 # n=0 n=1 n=2 n=3
score RCVD_IN_SORBS_SMTP 0 # n=0 n=1 n=2 n=3
score RCVD_IN_SORBS_SOCKS 0 2.443 0 1.927 # n=0 n=2
score RCVD_IN_SORBS_WEB 0 0.614 0 0.770 # n=0 n=2
score RCVD_IN_SORBS_ZOMBIE 0 # n=0 n=1 n=2 n=3
The 0-Scores for DUL was done because lot of people thought there
were too much false positives within that (I dont see so, but ok).
Another Argument for 0-Scoring or not using sorbs was that the rbl
contains a lot of old (meaning not actual) entries in the spam
section (in mind of the dislist policy). Ok.
But today I take a deeper look at the sorbs rbls and found, that
there is a very simple misconfigration in the SA rules. The rbl
check is done against the big 'dnsbl.sorbs.net' zone:
eval:check_rbl('sorbs', 'dnsbl.sorbs.net.')
And _that_ in my opinion is wrong. The rbl lookup should be done
against the rbl 'safe.dnsbl.sorbs.net' instead. This rbl is a
compilation of most of the sorbs partial lists as dnsbl.sorbs.net
but with a simple difference: In opposite to dnsl.sorbs.net it
does not contain the 'recent.spam' and the 'old.spam' partial
lists, which are contained in 'dnsbl.sorbs.net'. The only spam
listed in this 'safe.dnsbl.sorbs.net' contains spam of the last
24 hours, so the arguments against using sorbs especially because
of its spam delisting policy do not exist. One could simply change
the rbl lookup to the right zone and so also score spams within
that rbl (low).
Description of the different sorbs partial-zones as of the
aggregate zones here: https://www.sorbs.net/using.shtml
After digging into this a bit, I believe your entire objection is to the
default rule set not handling the 127.0.0.6 return code, used by the
following lists?
new.spam.dnsbl.sorbs.net127.0.0.6
recent.spam.dnsbl.sorbs.net127.0.0.6
old.spam.dnsbl.sorbs.net127.0.0.6
spam.dnsbl.sorbs.net127.0.0.6
escalations.dnsbl.sorbs.net127.0.0.6
The rule for that return code is commented out in the default rule set with
this comment:
# delist: $50 fee for RCVD_IN_SORBS_SPAM, others have free retest on request
Which seems likely to have resulted from this bug:
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=2221
Lists returning the 127.0.0.6 code in the safe.dnsbl.sorbs.net agregate
zone are:
new.spam.dnsbl.sorbs.net
recent.spam.dnsbl.sorbs.net
escalations.dnsbl.sorbs.net
new.spam is only hosts from the last 48 hours.
recent.spam is hosts from the last 28 days.
escalations doesn't seem to have a time limit.
So it seems your statement that The only spam listed in this
'safe.dnsbl.sorbs.net' contains spam of the last 24 hours is incorrect.
Basically, without evidence money is not charged to be delisted from any
of those three lists, they're going to stay out of the default rule set.
With the currently enabled default rules, there would be *no* difference
if you changed from dnsbl.sorbs.net to safe.dnsbl.sorbs.net because we're
not using the lists as an aggregate (we don't only have a RCVD_IN_SORBS
rule), but have separate rules for each of the return codes. And there
is no difference in what lists are providing which return codes between
those two aggregate lists other than the 127.0.0.6 (spam) value (which is
disabled).
Also, I wouldn't say the 0 scores were done because lot of people thought
there were too much false positives. The scores are flagged
as mutable, meaning optimal scores are generated daily
using masscheck data. Related statistics can be seen here:
http://ruleqa.spamassassin.org/?daterev=20111210rule=%2Fsorbs
RCVD_IN_SORBS_DUL seems to have a decent hit rate for both spam and ham, so
somehow the score generator just decided the most spams would be caught
without exceeding 1 false positive in 2500 hams with that score. It's not
always clear what exactly it's thinking. It could be, for example,
that almost all of the spam hits from RCVD_IN_SORBS_DUL overlapped with
another blacklist, and the SORBS_DUL list caused more false positives
than that other blacklist, so that other blacklist got a decent score,
and SORBS_DUL didn't. But these scores do not come from the whims
of humans.
--
Anarchy is based on the observation that since few are fit to rule
themselves, even fewer are fit to rule others. -Edward Abbey
http://www.ChaosReigns.com
Re: SA Sorbs Usage/Rules
On Fri, 2011-12-16 at 13:57 -0500, dar...@chaosreigns.com wrote: Basically, without evidence money is not charged to be delisted from any of those three lists, they're going to stay out of the default rule set. Plenty of people can attest to the fact there is no payment taking place, its just a scare tactic to coerce admins to act rather then ignore and hope it sorts itself out. Don't use DNSBL's in SA myself, I use them in MTA (frankly, where they belong). At least under the control of its original owner there wasn't anyway, and yes, we, like most large ISP's, had a couple of times the odd different outbound smtp server listed with them, typically we were alerted of the listing quickly (by use of mon) , a login to the SORBS site for info, and the culprit was identified and we were unlisted in hours, only one time did it take about 24 hours, and, IIRC, that was a holiday season, happy to say not had any my servers listed anywhere that I know of since 2005. Lastly, I would have thought SA dev team would have liked to see hard evidence that someone was _forced_ to pay the 50 donation to be delisted, because all I here is the web site says it which frankly doesn't cut it with me, we were nobody special to SORBS, so I can't see why they'd remove us for free but forcibly demand payments from others, the only common ground we had with Matt back then was we were both located in the same city, along with 2 million others. signature.asc Description: This is a digitally signed message part
