On Sat, 2009-07-11 at 20:10 -0700, an anonymous Nabble user wrote: > > > The problem is have is that sometimes I get RBL hits eventhrough the > > > sender > > > is using a valid smarthost.
BTW, using that relay is not being punished in any way, and actually entirely irrelevant to this NJABL PROXY hit. > > Some DNSBLs are *meant* to do deep parsing. PBL style ones are not, [...] > > Well, if I take a look at http://combined.njabl.org/listing.html it says > that "Being a dial-up port IP or other dynamic address" is reason enough to > become listed. So therefore I don't want the last IPs to score on that list > because they are almost always dynamic... That's a different list than the PROXY hit -- and that particular NJABL list is deprecated in favor of Spamhaus PBL anyway. See NJABL usage info. > > Apparently it's an open proxy, ready and willing to relay ANY spam to > > ANYone. That *is* worth scoring. Fix the open proxy. > > What are you talking about? The web.de server is definitely not an open > proxy and the other IP doesn't even have port 25 open (OK, since it's a I am talking about the first hop being an open proxy. I am not talking about the web.de relay, neither any relay at all. Open port 25 ready to relay mail unconditionally would be OPEN RELAY, which is NOT the same as PROXY. Again, see the usage info. > dynamic IP that could have been different in the past but that is exactly > the reason why I don't want these first ips to be checked...) Frankly, it does appear to be a dynamic end-user IP. Listed years ago, so I jut went ahead and requested de-listing of that IP. Probably an outdated listing. If it still does open proxying, though, it will be re-listed very shortly. However, see NJABL FAQ 11. Spam sent via a proxy means, that it is the very first hop, completely masking the original source. Thus, this test MUST include the first hop. > > Nope. You're understanding wrong, some tests are deliberately meant to > > do deep-parsing. > > My question again: Is it possible to change this default behaviour somehow > and just have the Yes, it is possible to change this, by overriding the rule similar to other rules found in the *sigh* > > Score -0.4. What do you feel like "fixing"? > > As I mentioned this problem often leads to emails with scores around 3 and > if this problem woudn't be there I could lower the the threshold to 1.5 I agree with Henrik here -- that does not make sense Actually, it is harmful. All scores have been evaluated according to a threshold of 5 -- lowering it that drastically is just begging for FPs. Instead, raise some good performing rule's scores, or add third-party rule-sets. -- char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4"; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1: (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
