Re: Barracuda Reputation Block List (BRBL) removal from the SA ruleset

On 11 Feb 2018, at 9:54 (-0500), Benny Pedersen wrote: first query would be valid for 300 secs, but that is imho still not free, problem is that keeping low ttls does not change how dns works, any auth dns servers will upate on soa serial anyway, the crime comes in when sa using remote dns

Re: Barracuda Reputation Block List (BRBL) removal from the SA ruleset

Dave Warren skrev den 2018-02-06 20:39: How low are the TTLs? I'm seeing 300 seconds on 127.0.0.2 which is more than sufficient time for a single message to finish processing, such that multiple queries from one message would absolutely be cached (or more likely, the first would still be

Re: Barracuda Reputation Block List (BRBL) removal from the SA ruleset

On Tue, 6 Feb 2018 11:38:42 -0500 Alex wrote: > On Tue, Feb 6, 2018 at 8:44 AM, David Jones wrote: ustomer's compromised accounts. > > > > Leave out the RCVD_IN_BRBL rule above and change the > > RCVD_IN_BRBL_LASTEXT score to 1.4 to keep things the same. > > If you think the

Re: Barracuda Reputation Block List (BRBL) removal from the SA ruleset

Hi, >>> whitelist_auth *@bounce.mail.salesforce.com >>> whitelist_auth *@sendgrid.net >>> whitelist_auth *@*.mcdlv.net >> >> >> I've seen enough spam sent through all three - both by way of whole >> apparently spammer-owned accounts and cracked-but-otherwise-legitimate >> accounts - that I would

Re: Barracuda Reputation Block List (BRBL) removal from the SA ruleset

On Tue, 6 Feb 2018, Kris Deugau wrote: Alex wrote: These phishes we've received were all from otherwise trusted sources like salesforce, amazonses and sendgrid. These are examples that I believe were previously whitelisted because of having received a phish through these systems but have no

Re: Barracuda Reputation Block List (BRBL) removal from the SA ruleset

On 02/06/2018 01:28 PM, Alex wrote: Hi, ifplugin Mail::SpamAssassin::Plugin::DNSEval header __RCVD_IN_BRBL eval:check_rbl('brbl', 'bb.barracudacentral.org') tflags __RCVD_IN_BRBL net header __RCVD_IN_BRBL_2eval:check_rbl_sub('brbl', '127.0.0.2') meta

Re: Barracuda Reputation Block List (BRBL) removal from the SA ruleset

Alex wrote: These phishes we've received were all from otherwise trusted sources like salesforce, amazonses and sendgrid. These are examples that I believe were previously whitelisted because of having received a phish through these systems but have no been disabled. whitelist_auth

Re: Barracuda Reputation Block List (BRBL) removal from the SA ruleset

On 2018-02-05 09:12, Benny Pedersen wrote: Kevin A. McGrail skrev den 2018-02-05 16:53: I don't think that will apply will it because it will be looking up something like 1.2.3.4.bb.barracuda.blah which isn't cached. the first qurry can make a qurry with very low ttl, so it would not be

Re: Barracuda Reputation Block List (BRBL) removal from the SA ruleset

Hi, > ifplugin Mail::SpamAssassin::Plugin::DNSEval > > header __RCVD_IN_BRBL eval:check_rbl('brbl', > 'bb.barracudacentral.org') > tflags __RCVD_IN_BRBL net > > header __RCVD_IN_BRBL_2eval:check_rbl_sub('brbl', > '127.0.0.2')

Re: Barracuda Reputation Block List (BRBL) removal from the SA ruleset

On 02/06/2018 10:38 AM, Alex wrote: Hi, On Tue, Feb 6, 2018 at 8:44 AM, David Jones wrote: On 02/05/2018 09:07 PM, Alex wrote: Hi, ifplugin Mail::SpamAssassin::Plugin::DNSEval header __RCVD_IN_BRBL eval:check_rbl('brbl', 'bb.barracudacentral.org') tflags

Re: Barracuda Reputation Block List (BRBL) removal from the SA ruleset

Hi, On Tue, Feb 6, 2018 at 8:44 AM, David Jones wrote: > On 02/05/2018 09:07 PM, Alex wrote: >> >> Hi, >> >>> ifplugin Mail::SpamAssassin::Plugin::DNSEval >>> >>> header __RCVD_IN_BRBL eval:check_rbl('brbl', >>> 'bb.barracudacentral.org') >>> tflags

Re: Barracuda Reputation Block List (BRBL) removal from the SA ruleset

On 02/05/2018 09:07 PM, Alex wrote: Hi, ifplugin Mail::SpamAssassin::Plugin::DNSEval header __RCVD_IN_BRBL eval:check_rbl('brbl', 'bb.barracudacentral.org') tflags __RCVD_IN_BRBL net header __RCVD_IN_BRBL_2eval:check_rbl_sub('brbl', '127.0.0.2') meta

Re: Barracuda Reputation Block List (BRBL) removal from the SA ruleset

David Jones skrev den 2018-02-05 15:09: ifplugin Mail::SpamAssassin::Plugin::DNSEval header __RCVD_IN_BRBL eval:check_rbl('brbl', 'bb.barracudacentral.org') tflags __RCVD_IN_BRBL net header __RCVD_IN_BRBL_2eval:check_rbl_sub('brbl', '127.0.0.2') meta

Re: Barracuda Reputation Block List (BRBL) removal from the SA ruleset

Hi, > ifplugin Mail::SpamAssassin::Plugin::DNSEval > > header __RCVD_IN_BRBL eval:check_rbl('brbl', > 'bb.barracudacentral.org') > tflags __RCVD_IN_BRBL net > > header __RCVD_IN_BRBL_2eval:check_rbl_sub('brbl', > '127.0.0.2') > metaRCVD_IN_BRBL

Re: Barracuda Reputation Block List (BRBL) removal from the SA ruleset

On Mon, 05 Feb 2018 17:12:08 +0100 Benny Pedersen wrote: > Kevin A. McGrail skrev den 2018-02-05 16:53: > > > I don't think that will apply will it because it will be looking up > > something like 1.2.3.4.bb.barracuda.blah which isn't cached. > > the first qurry can make a qurry with very low

Re: Barracuda Reputation Block List (BRBL) removal from the SA ruleset

On 2/5/2018 11:32 AM, RW wrote: Just to clarify, there is no legal or moral obligation to do this, the 'bb' subdomain was created specifically so SA users wouldn't need to register. Anything you may read on the Barracuda site applies to the 'b' version. Barracuda has given no indication that

Re: Barracuda Reputation Block List (BRBL) removal from the SA ruleset

On Mon, 5 Feb 2018 08:09:55 -0600 David Jones wrote: > Heads up! This RBL has been removed from the core SA ruleset. In 36 > to 48 hours sa-update will remove the RCVD_IN_BRBL_LASTEXT rule after > it has gone through the masscheck and rule promotion process. > > Details can be found here: > >

Re: Barracuda Reputation Block List (BRBL) removal from the SA ruleset

Kevin A. McGrail skrev den 2018-02-05 16:53: I don't think that will apply will it because it will be looking up something like 1.2.3.4.bb.barracuda.blah which isn't cached. the first qurry can make a qurry with very low ttl, so it would not be cached, that means number 2 query still mkae

Re: Barracuda Reputation Block List (BRBL) removal from the SA ruleset

On 02/05/2018 09:44 AM, Reindl Harald wrote: Am 05.02.2018 um 16:36 schrieb David Jones: On 02/05/2018 09:26 AM, Benny Pedersen wrote: David Jones skrev den 2018-02-05 15:09: ifplugin Mail::SpamAssassin::Plugin::DNSEval header  __RCVD_IN_BRBL  eval:check_rbl('brbl',

Re: Barracuda Reputation Block List (BRBL) removal from the SA ruleset

On 2/5/2018 10:36 AM, David Jones wrote: If you are running a local DNS cache like this list and the SA documention recommends, does this really matter?  My MTA should have already queried this before SA does it so it should be in the local DNS cache and not require a full recursive lookup

Re: Barracuda Reputation Block List (BRBL) removal from the SA ruleset

David Jones skrev den 2018-02-05 16:36: If you are running a local DNS cache like this list and the SA documention recommends, does this really matter? My MTA should have already queried this before SA does it so it should be in the local DNS cache and not require a full recursive lookup from

Re: Barracuda Reputation Block List (BRBL) removal from the SA ruleset

On 02/05/2018 09:26 AM, Benny Pedersen wrote: David Jones skrev den 2018-02-05 15:09: ifplugin Mail::SpamAssassin::Plugin::DNSEval header  __RCVD_IN_BRBL  eval:check_rbl('brbl', 'bb.barracudacentral.org') tflags  __RCVD_IN_BRBL  net header  __RCVD_IN_BRBL_2   

Re: Barracuda Reputation Block List (BRBL) removal from the SA ruleset

David Jones skrev den 2018-02-05 15:09: ifplugin Mail::SpamAssassin::Plugin::DNSEval header __RCVD_IN_BRBL eval:check_rbl('brbl', 'bb.barracudacentral.org') tflags __RCVD_IN_BRBL net header __RCVD_IN_BRBL_2eval:check_rbl_sub('brbl', '127.0.0.2') meta

Barracuda Reputation Block List (BRBL) removal from the SA ruleset

Heads up! This RBL has been removed from the core SA ruleset. In 36 to 48 hours sa-update will remove the RCVD_IN_BRBL_LASTEXT rule after it has gone through the masscheck and rule promotion process. Details can be found here: https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7417 To add