On Fri, 2010-09-24 at 13:03 -0700, njjrdell wrote:
> we have setup on our mailservers.
> sbl-xbl.spamhaus.org
> dnsbl.njable.org
> bl.spamcop.net
> b.barracudacentral.org 

Hmm, that seems to hint checking at SMTP time and outright rejecting
based on the sender's IP. While that certainly is a good idea in
general, what Benny and John have been hinting at is DNSBL tests enabled
in SA.

Point being, SA does a lot more lookups. Including, as John mentioned,
URI DNSBL lookups, which are not covered in the above. Same for Razor,
e.g., which would be part of Benny's broader recommendation.

Besides, the above is missing Spamhaus PBL. Again, SA uses it.


> We are not doing any other network tests. I will look into it. Can you
> please recommend specifics?

So you disabled them in SA, using "skip_rbl_checks 1"? By default, they
are enabled (set to 0, not skip). Same with skip_uribl_checks, if you
are using SA 3.3.


In your other follow-up, you corrected the above, mentioning you have a
custom rule-set defined for URIBL_BLACK.

> I actually take that back in our local.cf we have 

In local.cf? It's default with SA anyway. So if there is any need to
define these locally, there are issues with your installation or DNS.
Why did you add it to local.cf in the first place? Also, do you ever see
URIBL_BLACK hits?

Do you have a local, caching (non-forwarding) nameserver?


> > > Hello, sorry for the newbie question, one of our users is getting slammed
> > > by these. I'm wondering which rules should be stopping these.

Your sample is missing the rules actually triggered, which usually would
be in the X-Spam-Status header.


-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
