Martin, I understand that, and that is not my problem. VIRBL ( http://virbl.bit.nl/ ) is a special list of addresses that are known to have a virus (because in the last 24 hours a virus was actually received from that host).
I run SA within MailScanner in the MX mail server (that is actually a gateway to an internal mail server where the mailboxes are)... this server ONLY receives mail from Internet to my domains (outgoing messages go thru other server).

Now, a machine infected by a virus may have a legitimate user sending mail, but also, is probably abused by a spammer to send spam. So, if I want to detect the spammer and allow the legit mail, I'd block _direct_ connections from that IP to my mail server... but if the legit user sent me a message, it should've been properly relayed, so I only want to check the IP that actually connected to my server.

This is easily done by an MTA-level RBL check... but as, for now, I'm not allowed to reject the message, only mark it and deliver it, I check RBL's within SpamAssassin.

Now that I'm writing it, I see that the '-notfirsthop' setting would do... the only drawback is that if the chain of 'Received:' headers is long, it'd be checking all but the first, when checking only the last one would do...

On 17 Jun 2004 at 13:40, Martin Hepworth wrote:

> Mariano
>
> the RBL's will check where the connection initiates, in this email's
> case it will notice when it goes from my email gateway to the email
> server handling your email. It won't check my internal email address
> etc etc.
>
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
>
> Mariano Absatz wrote:
> > Hi,
> >
> > I use SpamAssassin 2.63 within MailScanner and, as I'm not authorized to
> > delete any e-mail (only mark it as spam), I do all my RBL checking from
> > within SpamAssassin.
> >
> > I wanted to start using http://virbl.bit.nl/ but it is only meaningful if
> > the host connecting directly to you (or your trusted_networks if I
> > understand that correctly).
> >
> > That is, if an infected machine is properly relaying thru its ISP's mail
> > server, I don't want to mark it.
> >
> > Can check_rbl() work only on the 'last hop'?
> >
> > If so, how?
> >

--
Mariano Absatz
El Baby
----------------------------------------------------------
Military justice is to justice what military music is to music.
  -- Groucho Marx
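Added example, not part of the original thread and not SpamAssassin's own code: a Python sketch of the difference between checking only the last hop (the host that connected to the receiving MX) and checking every relay except the first one. The sample message, host names, addresses and the zone `dnsbl.example` are constructed placeholders, and treating the oldest (bottom) `Received:` header as the "first hop" is an assumption.

```python
import email
import ipaddress
import re

ZONE = "dnsbl.example"  # placeholder zone, not the real VIRBL zone name

# Constructed message; Received headers are newest first, so the top one was
# written by our own MX (mx.example.org) and names the host that connected.
SAMPLE = (
    "Received: from list.example.com (list.example.com [192.0.2.45])\n"
    "\tby mx.example.org with ESMTP; Thu, 17 Jun 2004 13:40:02 -0300\n"
    "Received: from smtp.isp.example (smtp.isp.example [203.0.113.9])\n"
    "\tby list.example.com with ESMTP; Thu, 17 Jun 2004 13:40:01 -0300\n"
    "Received: from pc (unknown [198.51.100.7])\n"
    "\tby smtp.isp.example with SMTP; Thu, 17 Jun 2004 13:40:00 -0300\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def hop_ip(header):
    """IPv4 address the receiving MTA recorded in one Received header."""
    m = BRACKETED_IP.search(header)
    return m.group(1) if m else None


def received_headers(raw):
    """All Received headers in the order they appear (newest first)."""
    return email.message_from_string(raw).get_all("Received", [])


def last_hop_ip(raw):
    """Only the host that connected to our MX; never fall back to older,
    sender-controlled headers if the top one has no address."""
    headers = received_headers(raw)
    return hop_ip(headers[0]) if headers else None


def notfirsthop_ips(raw):
    """Every relay except the oldest (first) hop."""
    return [ip for ip in map(hop_ip, received_headers(raw)[:-1]) if ip]


def dnsbl_name(ip, zone=ZONE):
    """DNS name to query: octets reversed, then the list's zone."""
    ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
    return ".".join(reversed(ip.split("."))) + "." + zone
```

On the sample, the last-hop check produces one lookup name, while the all-but-first check would also query the ISP relay, which is the extra work the message above describes.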
