Re: URIBL false matches

2006-09-07 Thread John D. Hardin
On Thu, 7 Sep 2006, Mark G. Thomas wrote:

> Does anyone have suggestions other than discontinuing use of the
> URIBL or using a much lower score?  Is there some way to fix this
> code to make it more resilient to Lotus Notes text mangling?  Is
> there some easy way I can exclude just the one domain name
> "ng.com" from being looked up at all, but otherwise still use the
> URIBL?

Don't touch the URIBL rules at all.

Create a __LOTUS_NOTES rule that hits for messages processed by Notes -
there is probably something in the headers that you can look for.

Then you can:

(1) add a small negative score for that alone - not recommended, too
easy to forge,

or

(2) combine it with other rules, e.g. the URIBL hits, to offset the
score, e.g.

   meta  LOTUS_URIBL_FP  __LOTUS_NOTES && (URIBL_WS_SURBL || ... )
   score LOTUS_URIBL_FP  -2.00

If it is consistently happening to just one domain then you could also
look for the mangled domain (e.g. "/\bng\.com\b/i") to reduce the
false positives for this adjustment:

   meta  LOTUS_URIBL_FP  __LOTUS_NOTES && __CHOPPED_DOMAIN && (URIBL_WS_SURBL || ... )

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Liberals love sex ed because it teaches kids to be safe around their
  sex organs. Conservatives love gun education because it teaches kids
  to be safe around guns. However, both believe that the other's
  education goals lead to dangers too terrible to contemplate.
---
 10 days until The 219th anniversary of the signing of the U.S. Constitution
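
Option (2) from the message above written out as a full set of rules for local.cf, as an added example that is not part of the original thread. The X-Mailer pattern used for __LOTUS_NOTES is an assumption, and only URIBL_WS_SURBL is listed because it is the one URIBL rule the message names.

```conf
# Added example; rule names follow the message above.
# Assumption: affected mail carries an X-Mailer header naming Lotus Notes.
# Confirm against the headers of a real false positive and adjust the pattern.
header   __LOTUS_NOTES     X-Mailer =~ /\bLotus Notes\b/i

# The fragment left behind when Notes wraps "...imagi" / "ng.com>".
# The \b before "ng" keeps this from matching inside an intact "imaging.com".
body     __CHOPPED_DOMAIN  /\bng\.com\b/i

# Fires only when all three agree: the message was processed by Notes, the
# chopped fragment is present, and a URIBL rule hit. Add the other URIBL
# rules enabled locally next to URIBL_WS_SURBL.
meta     LOTUS_URIBL_FP    __LOTUS_NOTES && __CHOPPED_DOMAIN && URIBL_WS_SURBL
describe LOTUS_URIBL_FP    URIBL hit on a domain fragment chopped by Lotus Notes
score    LOTUS_URIBL_FP    -2.00
```

Check the syntax with `spamassassin --lint` before reloading the rules.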



RE: URIBL false matches

2006-09-07 Thread John D. Hardin
On Thu, 7 Sep 2006, Rosenbaum, Larry M. wrote:

> uridnsbl_skip_domain ng.com

{raspberry}




RE: URIBL false matches

2006-09-07 Thread Rosenbaum, Larry M.
> From: Mark G. Thomas [mailto:[EMAIL PROTECTED]
> 
> Hi,
> 
> I have a problem with incorrect URIBL hits on incoming forwarded messages
> that have been mangled by Lotus Notes.
> 
> I have a customer with the domain name "Yimaging.com".
> (Not really "Y").
> 
> "ng.com" is on the URIBL blacklist.  I think for a while it has been
> removed, but it's there again now.
> ...
> Is there some
> easy way I can exclude just the one domain name "ng.com" from being looked
> up at all, but otherwise still use the URIBL?

uridnsbl_skip_domain ng.com




URIBL false matches

2006-09-07 Thread Mark G. Thomas
Hi,

I have a problem with incorrect URIBL hits on incoming forwarded messages 
that have been mangled by Lotus Notes.

I have a customer with the domain name "Yimaging.com".
(Not really "Y").

"ng.com" is on the URIBL blacklist.  I think for a while it has been
removed, but it's there again now.

Although my customer does not use Notes, when an outside correspondent
does, sometimes the forwarded/replied message comes back containing
ASCII text like this, complete with the "|, +, -, >" symbols, as follows:

|-+>
| |   "Smith, Fred"|
| |   <[EMAIL PROTECTED]|
| |   ng.com>  |
| ||
| |   30/08/2006 09:55 |
|-+>

This unfortunately matches on "ng.com".

In other messages, this mangled forwarded text ends up more like this,
with the same problem.  Sometimes messages are forwarded from one to
another person externally, then eventually back to the original sender,
at which point my system treats them as spam.

=20 >=
--|
=20 |=
=20 |
=20 |   To:   "Smith, Fred" <[EMAIL PROTECTED]
ng.com>@[EMAIL PROTECTED] |
=20 |   cc:  =
=20 |
=20 |   Subject:   Fw: message subject line here but has been removed=
selection   |
=20 >=
--|


Does anyone have suggestions other than discontinuing use of the URIBL 
or using a much lower score?  Is there some way to fix this code to 
make it more resilient to Lotus Notes text mangling?  Is there some
easy way I can exclude just the one domain name "ng.com" from being looked 
up at all, but otherwise still use the URIBL?

Mark


-- 
Mark G. Thomas ([EMAIL PROTECTED])
voice: 215-591-3695
http://www.misty.com/  http://mail-cleaner.com/