Benny, Maybe I don't see your point clearly ;-) But I don't want to whitelist URIHOSTS. Have this two rules now
urirhssub URIBL_DOMAIN my.rbl.tld. A 127.0.0.16 body URIBL_DOMAIN eval:check_uridnsbl('MY_URIBL_DOMAIN') askdns URIBL_HOST _URIHOSTS_.my.rbl.tld. A 127.0.0.24 my.rbl.tld is based on mysql data which gets feeded more or less automatically from different sources (like my own traps or external data like phishtank etc ppt). And I have a third rule urirhssub URIBL_DOMAIN_FU my.rbl.tld. A 127.0.0.32 body URIBL_DOMAIN_FU eval:check_uridnsbl('URIBL_DOMAIN_FU') score URIBL_DOMAIN_FU 200 where domains will be listed after too many entries in fullhost table. Cheers tobi Am 19.02.2018 um 16:14 schrieb Benny Pedersen: > Tobi skrev den 2018-02-19 14:43: > >> no need for this as that case is covered by sa urirhssub queries. >> I needed a way to perform www.sub.domain.tld AND domain.tld queries of >> the uri www.sub.domain.tld > > would you like to test? > > blacklist _URIDOMAINS_ > whitelist _URIHOSTS_ > > :=) > > if you score whitelist 50% of blacklist score there could be nice > > that way spammers have higther burdon to jump over > > and you dont need random listning of next subdomain spammer