>...
>Quin Parker wrote:
>> Hello
>> 
>> I was wondering if somebody could answer a question I have about SA's use of
>> external blacklists which filter e-mail addresses. 
>> 
>> As I understand it (please correct me if I'm wrong), SA can be configured to
>> look up lists such as those held on rfc-ignorant.org, match the email address
>> and award points accordingly.
>
>Generally speaking, SA doesn't do this based on email addresses. It does it
>based on server names and IPs.
>
>However, RFCI is a bit different, it uses the envelope from address. Currently
>in 3.1.0 there are only 3 RBLs which use envelope from: RFCI, AHBL, and
>securitysage.
>
>> 
>> If only a fragment of the address is listed on the blacklist, will SA still add
>> points to the e-mail? eg. '.de' is marked on rfc-ignorant.org as having a duff
>> WHOIS listing. Will SA award points for any e-mail from Germany?
>
>No, it will never query the fragment ".de" against RFCI. SA queries the whole
>domain following the @ sign. (see EvalTests.pm, sub check_rbl_envfrom)
>
>It also requires at least 1 . in the "domain" part, and at least 1
>non-whitespace character on each side of it. So SA will never query "localhost",
>but it would query "localhost.localdomain" if they appeared in an envelope from.
>
>So RFCI would have to return a positive hit for "domain.de" not ".de".
>
>
>
>> 
>> If, theoretically, 'gov.uk' were listed on a blacklist, would it pickup
>> addresses such as [EMAIL PROTECTED]
>
>This is only possible for blacklists that work on email addresses (i.e. RFCI). As
>above, SA does a query of the whole domain, not fragments.
>
        Having watched this thread, and being a user/contributor to the
rfci lists, there is a bit of confusion here.  Yes, SA does query the full
domain, but rfci returns all matches on the domain queried *and* all parent
domains, so a query on example.de will indeed return a 127.0.0.7 code because
the TLD ".de" is not RFC compliant.  However SA currently only checks for
whois compliance at the SLD level - i.e. a return code of 127.0.0.5.  RFCI
distinguishes TLDs which are non-conformant with a different code, which by
default SA ignores.  Personally I add at my site 0.166 points for TLDs and
the test and codes work just fine - the shipped rules do not check for this
case (but my thresholds are all higher than the default level of 5 points).

        All this said, I know I have said this before, but the RFCI rules
are much more useful when also used as URI rules, not merely as DSN and RCVD
checks.  The same is true for the AHBL too.

        Simply, Matt's description is correct, except for the implementation
detail that queries to fulldom.rfc-ignorant.org do include matches on parent
domains (e.g. the example.de case above).

        This can easily be demonstrated by hand:

% nslookup -type=any denic.de.fulldom.rfc-ignorant.org rfci.bl.xs4all.nl
Server:         rfci.bl.xs4all.nl
Address:        194.109.9.6#53

Name:   denic.de.fulldom.rfc-ignorant.org
Address: 127.0.0.7
denic.de.fulldom.rfc-ignorant.org       text = "TLD has no WHOIS server or incomplete data in server"

        Also a change (I believe) was made in SA a while ago to "relax" the
URI rules to check mainly just URLs - the RFC for URIs specifies not just
URLs, but email addresses, Message IDs and a great many other things that
SA doesn't check (though I'd like it to).  The primary effect of this that I
see (there are many others, and it was argued on the list and the developers
have their reasons) is that dropbox emails in 419s don't get scored at all.


        Paul Shupak
        [EMAIL PROTECTED]

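The behaviour described in this thread, as an added example that is not code from SpamAssassin or from either poster: the envelope-from domain is extracted using the rule Matt describes (everything after the "@", accepted only if it has at least one "." with non-whitespace on both sides), the whole domain is queried against fulldom.rfc-ignorant.org, and the answer is scored using the two return codes Paul mentions (127.0.0.5 for an SLD whois listing, which the shipped rules check, and 127.0.0.7 for a TLD listing, which they ignore). The DNS zone is a constructed in-memory stand-in that reproduces the parent-domain matching Paul demonstrates with nslookup, not real rfc-ignorant.org data beyond the ".de" case quoted above; the ".example" listing, the 1.0 SLD score and the function names are assumptions for illustration, and the 0.166 TLD score is simply the value Paul says he uses.

```python
"""Model of SpamAssassin-style envelope-from checks against the RFCI fulldom zone.

Added example: the zone contents, the SLD score and all function names are
assumptions made for illustration, not SpamAssassin or rfc-ignorant.org code.
"""
import re

RFCI_FULLDOM_ZONE = "fulldom.rfc-ignorant.org"

# Return codes as described in the thread.
RFCI_SLD_WHOIS = "127.0.0.5"   # SLD has a non-compliant whois entry (checked by shipped rules)
RFCI_TLD_WHOIS = "127.0.0.7"   # TLD has no WHOIS server (ignored by shipped rules)

# Scores: 0.166 is what the post's author adds for TLD hits at his site;
# the 1.0 for the SLD code is an assumed placeholder, not a shipped SA score.
SCORES = {RFCI_SLD_WHOIS: 1.0, RFCI_TLD_WHOIS: 0.166}

# Constructed zone data (assumption): listed names -> return codes. The "de"
# entry reproduces the denic.de / example.de case shown by hand in the post.
CONSTRUCTED_ZONE = {
    "de": [RFCI_TLD_WHOIS],
    "badwhois.example": [RFCI_SLD_WHOIS],   # hypothetical SLD listing
}


def envfrom_domain(envelope_from):
    """Extract the domain SA would query from an envelope-from address.

    Rule from the thread: take the part after the last '@' and require at
    least one '.' with a non-whitespace character on each side of it.
    Returns None when the address yields nothing worth querying.
    """
    if "@" not in envelope_from:
        return None
    domain = envelope_from.rsplit("@", 1)[1].strip().lower().rstrip(".")
    if not re.search(r"\S\.\S", domain):
        return None   # e.g. "localhost" is never queried
    return domain


def rbl_query_name(domain, zone=RFCI_FULLDOM_ZONE):
    """Build the DNSBL query name: the whole domain, never a fragment."""
    return f"{domain}.{zone}"


def resolve_fulldom(qname, zone_data=CONSTRUCTED_ZONE):
    """Stand-in resolver mimicking RFCI fulldom semantics.

    Matches on the queried domain *and* on every parent domain are returned
    together, which is why example.de comes back with 127.0.0.7 even though
    only the TLD is listed.
    """
    suffix = "." + RFCI_FULLDOM_ZONE
    if not qname.endswith(suffix):
        return []
    labels = qname[: -len(suffix)].split(".")
    answers = []
    for i in range(len(labels)):
        parent = ".".join(labels[i:])
        answers.extend(zone_data.get(parent, []))
    return answers


def score_envfrom(envelope_from, scores=SCORES, include_tld=False,
                  resolver=resolve_fulldom):
    """Return (hits, total_score) for one envelope sender.

    include_tld=False models the shipped rules, which only act on 127.0.0.5;
    include_tld=True models adding a local rule for the 127.0.0.7 TLD code.
    """
    domain = envfrom_domain(envelope_from)
    if domain is None:
        return ([], 0.0)
    hits = []
    for answer in resolver(rbl_query_name(domain)):
        if answer == RFCI_TLD_WHOIS and not include_tld:
            continue
        if answer in scores:
            hits.append(answer)
    return (hits, round(sum(scores[h] for h in hits), 3))


if __name__ == "__main__":
    # Constructed sample senders for a quick demonstration run.
    for sender in ("user@localhost", "user@example.de", "user@mail.badwhois.example"):
        for tld in (False, True):
            print(f"{sender:30} include_tld={tld!s:5} -> {score_envfrom(sender, include_tld=tld)}")
```

The two `score_envfrom` modes make Paul's point concrete: with the shipped behaviour a sender under ".de" scores nothing even though the query does return 127.0.0.7, and only a site-local rule that acts on that code adds his 0.166 points.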