Re: Strange URIBL_SBL false positive?

Thu, 17 Oct 2013 12:07:47 -0700 

On 10/17/2013 08:27 PM, Stan Hoeppner wrote:

On 10/17/2013 10:55 AM, Axb wrote:

On 10/17/2013 05:41 PM, Stan Hoeppner wrote:

This is what Neil meant by the "deeper dive".  Again, the URIBL_SBL test
isn't responsible for this behavior.  Spamhaus is.  Thus you can't
create a separate rule to do this "deeper diving".  Spamhaus is doing
it, automagically, and it will continue to do so with the current
URIBL_SBL rule, whether you like it or not (or until enough customers
complain I guess).

Stan,

Spamhaus did nothing other than publishinh an IP with a karma

elts get the termis right
SA did a a query using eval:check_uridnsbl, which means:

Is the domain's NS IP listed in SBL?
sbl.spamhaus.org replied with yes...
rule hit


I may be misreading it, but it seems to suggest that's only true if
version < 3.004.  If greater, then the check is for the A record, not
the NS IPs.  Or is this version of 25_uribl.cf out of date?


check_uridnsbl has always been about NS IPs

as from SA  3.4 check_uridnsbl also does A lookups

by adding  "a" to the tflags




http://svn.apache.org/repos/asf/spamassassin/trunk/rules/25_uribl.cf


###########################################################################
## Spamhaus

uridnssub       URIBL_SBL        zen.spamhaus.org.       A   127.0.0.2
body            URIBL_SBL        eval:check_uridnsbl('URIBL_SBL')
describe        URIBL_SBL        Contains an URL's NS IP listed in the
SBL blocklist
tflags          URIBL_SBL        net
reuse           URIBL_SBL

if (version >= 3.004000)
   ifplugin Mail::SpamAssassin::Plugin::URIDNSBL

     uridnsbl        URIBL_SBL_A    sbl.spamhaus.org.   A
     body            URIBL_SBL_A    eval:check_uridnsbl('URIBL_SBL_A')
     describe        URIBL_SBL_A    Contains URL's A record listed in the
SBL blocklist
     tflags          URIBL_SBL_A    net a
   endif
endif


Spamhaus' FAQ is incorrect:

http://www.spamhaus.org/faq/section/Spamhaus%20SBL#270

I hear the SBL can also block domains, how? What is "URIBL_SBL"?
     Yes, the SBL can also be used as a URI Blocklist and is particularly
effective in this role. In tests, over 60% of spam was found to contain
URIs (links to web sites) whose webserver IPs were listed on the SBL.
SpamAssassin, for example, includes a feature called URIBL_SBL for this
purpose. The technique involves resolving the URI's domain to and IP
address and checking that against the SBL zone.

I'll try to get this corrected...

h2h

Reply via email to