Hi, guys

Thanks a lot for replies!! First of all, sorry for long mail! Let me try to detail a bit, as this has been confusing for us to understand.

Can you detail when you say to check util_rb_2tld and util_rb_3tld directives? I have to manually add all 2tld in this file...? Sorry, we have very little SA experience.

But this is basically about a Brazilian DNSBL (www.spfbl.net, currently site only in Portuguese but they promise one in English) that has helped many systems in Brazil to catch a lot of spam other DNSBLs and SA don't catch. They list IPs as other DNSBLs do, but also started testing to add URIs. So we adapted the check_uridnsbl check and look for result code 127.0.0.1.

Subdomains would be nice to be supported, as it's a way we have to block spams that are spamvertised, when we can't block the IP since it's some mailer company that also sends legit mails. So we try to find a URL that we can block. Sometimes, many times, it's a subdomain. For example, a company that sends email marketing called sendmarketing.com might have a customer that sends spam and there are URLs in the body of the email such as spammer123.domain.com.sendmarketing.com...

What is strange is, testing the rule just like the one I posted, but checking the Brazilian DNSBL, it does work, but sometimes strange things happen or it doesn't catch subdomains, but sometimes it does. Some examples, testing on a qmail and also on an icewarp mail server.

1) conteudo.nibo.com.br in a URL of a spam body. It does not catch it, but it's blacklisted in the DNSBL.

2) A certain legit email has this in the body: https://cdn-lojaglobo.s3.amazonaws.com/emailmarketing
It causes a false positive, since it considers amazonaws.com (which for some reason is listed on the DNSBL blacklist), but what we want to block is the subdomain only, not the domain...

I have some DNS logging that shows a hit to amazonaws.com, it splits the request, see:

    SYSTEM [28BC] 11:08:43 multirequest (2)-> res=1, 15 ms
    amazonaws.com.dnsbl.spfbl.net(A)-> res=1, responsecode=0, ancount=1, length=100, cache=0
    com.br.dnsbl.spfbl.net(A)-> res=1, responsecode=3, ancount=0, length=76, cache=1

responsecode=0 means a hit.

3) A certain legit email has this in body
It hits. But strangely, it checked cloudflare.p on the DNSBL (which is listed there). But we want it to check entire URLs (so cloudfare.pw) and not part of it.

    SYSTEM [0D74] 09:40:16 multirequest (2)-> res=1, 202 ms
    cloudflare.p.dnsbl.spfbl.net(A)-> res=1, responsecode=0, ancount=1, length=99, cache=0
    org.br.dnsbl.spfbl.net(A)-> res=1, responsecode=3, ancount=0, length=76, cache=0

This is not even a subdomain case, just a strange suffix. But strange it considers cloudflare.p instead of .pw as we wanted it to (as that's what the URL is...)

4) What is strange is many times it works fine even with subdomains. Example, this URL is listed in the DNSBL: http://d-click.contato.emktpme.com.br and it does detect it just fine, even being a subdomain. Why? Because "click" (regex) is defined in that file 20_aux_tlds.cf you guys mentioned?

All we wanted is to be able to consistently check a full URI, not just base domain. I saw someone suggesting that for URIBL PH list also, for similar reason, sometimes you can't block a root domain, but you can block a subdomain...

Thanks a lot!
Rob

--
View this message in context: http://spamassassin.1065346.n5.nabble.com/eval-check-uridnsbl-to-check-subdomains-tp121922p121991.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
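
The registrar-boundary trimming that the util_rb_2tld / util_rb_3tld question is about, as an added example that is not part of the original post and not SpamAssassin's own code. It assumes the lookup keeps the longest known suffix plus one label to its left; the suffix tables and function names are constructed for illustration.

```python
# Simplified model (an assumption, not SpamAssassin's implementation) of how a
# hostname is trimmed to its registrar boundary before the RHSBL query is built.

ZONE = "dnsbl.spfbl.net"  # zone named in the post

# Constructed suffix table: every entry is treated as a "TLD".
BASE_SUFFIXES = {"com", "net", "pw", "br", "com.br", "org.br"}

# Same table plus one extra multi-level suffix, the kind of entry a
# util_rb_3tld-style directive would contribute (constructed example).
EXTENDED_SUFFIXES = BASE_SUFFIXES | {"s3.amazonaws.com"}


def trim_domain(host, suffixes):
    """Return the longest known suffix plus one label to its left."""
    labels = host.lower().rstrip(".").split(".")
    # i = 1 is the longest candidate suffix, so the first match wins.
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in suffixes:
            return ".".join(labels[i - 1:])
    return ".".join(labels)  # no known suffix: query the name unchanged


def query_name(host, suffixes, zone=ZONE):
    """Build the DNS name that would be sent to the blocklist zone."""
    return f"{trim_domain(host, suffixes)}.{zone}"


if __name__ == "__main__":
    hosts = [
        "conteudo.nibo.com.br",
        "cdn-lojaglobo.s3.amazonaws.com",
        "d-click.contato.emktpme.com.br",
    ]
    for h in hosts:
        print(f"{h:34} base:     {query_name(h, BASE_SUFFIXES)}")
        print(f"{'':34} extended: {query_name(h, EXTENDED_SUFFIXES)}")
```

In this model a subdomain-only listing is never queried unless its parent is registered as a suffix, which matches the amazonaws.com lookup in the log above.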