> ...
> Quin Parker wrote:
>> Hello
>>
>> I was wondering if somebody could answer a question I have about SA's use of
>> external blacklists which filter e-mail addresses.
>>
>> As I understand it (please correct me if I'm wrong), SA can be configured to
>> look up lists such as those held on rfc-ignorant.org, match the email address
>> and award points accordingly.
>
> Generally speaking, SA doesn't do this based on email addresses. It does it
> based on server names and IPs.
>
> However, RFCI is a bit different, it uses the envelope from address. Currently
> in 3.1.0 there are only 3 RBLs which use envelope from: RFCI, AHBL, and
> securitysage.
>
>>
>> If only a fragment of the address is listed on the blacklist, will SA still
>> add points to the e-mail? eg. '.de' is marked on rfc-ignorant.org as having a
>> duff WHOIS listing. Will SA award points for any e-mail from Germany?
>
> No, it will never query the fragment ".de" against RFCI. SA queries the whole
> domain following the @ sign. (see EvalTests.pm, sub check_rbl_envfrom)
>
> It also requires at least 1 . in the "domain" part, and at least 1
> non-whitespace character on each side of it. So SA will never query
> "localhost", but it would query "localhost.localdomain" if they appeared in
> an envelope from.
>
> So RFCI would have to return a positive hit for "domain.de" not ".de".
>
>>
>> If, theoretically, 'gov.uk' were listed on a blacklist, would it pickup
>> addresses such as [EMAIL PROTECTED]
>
> This is only possible for blacklists that work on email addresses (ie: RFCI).
> As above, SA does a query of the whole domain, not fragments.

Having watched this thread, and being a user/contributor to the rfci lists,
there is a bit of confusion here. Yes, SA does query the full domain, but rfci
returns all matches on the domain queried *and* all parent domains, so a query
on example.de will indeed return a 127.0.0.7 code because the TLD ".de" is not
RFC compliant.
However, SA currently only checks for whois compliance at the SLD level, i.e. a
return code of 127.0.0.5; RFCI distinguishes TLDs which are non-conformant with
a different code, which by default SA ignores. Personally, I add at my site
0.166 points for TLDs and the test and codes work just fine; the shipped rules
do not check for this case (but my thresholds are all higher than the default
level of 5 points).

All this said, I know I have said this before, but the RFCI rules are much more
useful when also used as URI rules, not merely as DSN and RCVD checks. The same
is true for the AHBL too.

Simply, Matt's description is correct, except for the implementation detail
that queries to fulldom.rfc-ignorant.org do include matches on parent domains
(e.g. the example.de case above). This can easily be demonstrated by hand:

    % nslookup -type=any denic.de.fulldom.rfc-ignorant.org rfci.bl.xs4all.nl
    Server:         rfci.bl.xs4all.nl
    Address:        194.109.9.6#53

    Name:   denic.de.fulldom.rfc-ignorant.org
    Address: 127.0.0.7
    denic.de.fulldom.rfc-ignorant.org       text = "TLD has no WHOIS server or incomplete data in server"

Also a change (I believe) was made in SA a while ago to "relax" the URI rules
to check mainly just URLs; the RFC for URIs specifies not just URLs, but email
addresses, Message-IDs and a great many other things that SA doesn't check
(though I'd like it to). The primary effect of this that I see (there are many
others, and it was argued on the list, and the developers have their reasons)
is that dropbox emails in 419s don't get scored at all.

Paul Shupak
[EMAIL PROTECTED]
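The following is an added worked example, not code from the thread or from SpamAssassin itself. It models, in Python, the two behaviours the thread describes: the envelope-from domain extraction rule attributed to check_rbl_envfrom (whole domain after the @, at least one dot with a non-whitespace character on each side, so "localhost" is never queried but "localhost.localdomain" is), and RFCI's habit of answering a query on a subdomain with the listings of all its parent domains, so that example.de picks up the 127.0.0.7 TLD listing of "de". The DNS answers are a constructed in-memory table rather than live lookups: the "de" entry reproduces the 127.0.0.7 result from the nslookup above, while the "example.com" 127.0.0.5 entry is invented for illustration. The score for 127.0.0.5 is a placeholder parameter, not SA's shipped score; the 0.166 for 127.0.0.7 is the local addition mentioned in the thread, and the 0.0 default reproduces the shipped behaviour of ignoring TLD hits.

```python
import re

# Zone the thread discusses; the query name is <envelope-from domain>.<zone>.
RFCI_ZONE = "fulldom.rfc-ignorant.org"

# Return codes as described in the thread. Other codes RFCI may return are
# deliberately not modelled here.
RFCI_CODES = {
    "127.0.0.5": "domain (SLD level) has non-conformant WHOIS data",
    "127.0.0.7": "TLD has no WHOIS server or incomplete data in server",
}

# Constructed stand-in for DNS answers. Keys are names in the zone; a query
# collects the answers of the queried name and of every parent name.
MOCK_ZONE = {
    "de": ["127.0.0.7"],            # matches the nslookup result in the thread
    "example.com": ["127.0.0.5"],   # constructed SLD listing for illustration
}


def envfrom_query_domain(envfrom):
    """Derive the name SA would query from an envelope-from address.

    Follows the rule the thread attributes to check_rbl_envfrom: take the
    whole domain after the '@' (never a fragment such as '.de'), and only
    query it if it has at least one '.' with a non-whitespace character on
    each side. Returns None when no query would be made.
    """
    addr = envfrom.strip().strip("<>")
    if "@" not in addr:
        return None
    domain = addr.rsplit("@", 1)[1].strip().lower()
    if not re.search(r"\S\.\S", domain):
        return None        # e.g. "localhost": no dot, never queried
    return domain


def rfci_lookup(domain, zone=MOCK_ZONE):
    """Simulate a query of <domain>.fulldom.rfc-ignorant.org.

    RFCI answers with matches for the queried domain *and* every parent
    domain, so example.de inherits the 127.0.0.7 listing of 'de'.
    """
    labels = domain.split(".")
    answers = set()
    for i in range(len(labels)):
        answers.update(zone.get(".".join(labels[i:]), []))
    return sorted(answers)


def score_envfrom(envfrom, zone=MOCK_ZONE, sld_points=1.0, tld_points=0.0):
    """Turn RFCI answers into points.

    sld_points applies to 127.0.0.5 (the case the shipped rules check; the
    1.0 default is an assumed placeholder, not SA's shipped score).
    tld_points applies to 127.0.0.7; 0.0 reproduces the default behaviour of
    ignoring TLD listings, 0.166 is the local rule from the thread.
    """
    domain = envfrom_query_domain(envfrom)
    if domain is None:
        return {"query": None, "answers": [], "points": 0.0}
    answers = rfci_lookup(domain, zone)
    points = 0.0
    if "127.0.0.5" in answers:
        points += sld_points
    if "127.0.0.7" in answers:
        points += tld_points
    return {"query": f"{domain}.{RFCI_ZONE}", "answers": answers, "points": points}


if __name__ == "__main__":
    for sender in ("bob@localhost", "bob@localhost.localdomain",
                   "bob@example.de", "bob@example.com"):
        print(sender, score_envfrom(sender), score_envfrom(sender, tld_points=0.166))
```

Running it shows the point of the thread: bob@example.de is queried as example.de.fulldom.rfc-ignorant.org (never as ".de"), the answer carries 127.0.0.7 because the parent "de" is listed, and with the default tld_points of 0.0 that answer adds nothing, which is why mail from every .de address is not penalised out of the box even though RFCI does flag the TLD.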