Thomas,

The %IP4R% is a variable in Declude that contains the IP address of the last mail server that connected to your mail server. It does not appear that this variable is listed in the manual though.

When you see some tests defined as

XBL(LAST) dnsbl %IP4R%.sbl-xbl.spamhaus.org 127.0.0.4 9 0
XBL(ALL) ip4r sbl-xbl.spamhaus.org 127.0.0.4 2 0


What it accomplishes is that it allows you to score the test differently depending on which hop was listed in the RBL. For example, I score the test higher if the last hop is listed in XBL than if one of the hops was in XBL. Normally zombie computers will directly connect to your mail server. Now it is possible that an end user may be using a computer that is a zombie, but sends a piece of legit mail through their ISP's mail server. In this case the IP would still hit on XBL but on a lower HOP (assuming you are scanning multiple HOPS).

The other thing to know is that if the last hop is listed in XBL then both of those tests will be hit and the weight will be combined. However, if a hop hits in the RBL that is not the last hop, the message will only carry a weight of 2. It is more likely that if you hit in XBL on a HOP other than the last HOP that the odds of the message being legit increase and should not be penalized as heavily as a last hop hit.

Hope this makes sense.
Darrell
------------------------------------------------------------------------
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.




Fox, Thomas writes:

I've been following the beginner config thread, trying to improve my setup, and am curious about the %IP4R% tag on some of the tests. What does this do/mean?
> It depends on how you want to score.
> You are currently referencing the sbl-xbl with only a return code of
> 127.0.0.4 and running blitzedall, cbl and sbl:
>
> XBL(LAST) dnsbl %IP4R%.sbl-xbl.spamhaus.org 127.0.0.4 9 0
> XBL(ALL) ip4r sbl-xbl.spamhaus.org 127.0.0.4 2 0
> BLITZEDALL ip4r opm.blitzed.org * 7 0
> CBL ip4r cbl.abuseat.org 127.0.0.2 6 0 (Duplicate of XBL-ALL)
> SBL ip4r sbl.spamhaus.org * 7 0
>
> This would score the entire xbl list the same: (one DNS call)
>
> XBL(LAST) dnsbl %IP4R%.sbl-xbl.spamhaus.org * 9 0
> XBL(ALL) ip4r sbl-xbl.spamhaus.org * 2 0
>
> This would score the results of the sbl-xbl differently depending on which list they are on (one DNS call)
>
> SBL dnsbl %IP4R%.sbl-xbl.spamhaus.org 127.0.0.2 7 0
> CBL dnsbl %IP4R%.sbl-xbl.spamhaus.org 127.0.0.4 6 0
> BLITZEDALL dnsbl %IP4R%.sbl-xbl.spamhaus.org 127.0.0.5 7 0
>



---
[This E-mail scanned for viruses by Declude Virus]




---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
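
The last-hop versus all-hops scoring described in the reply above, as an added example that is not part of the original thread and is not Declude's code. It assumes the usual DNSBL query form (octets of the checked IP reversed and prepended to the zone); the function names, the in-memory stand-in for DNS and the documentation-range sample addresses are all constructed for illustration.

```python
import ipaddress

ZONE = "sbl-xbl.spamhaus.org"

# Constructed sample data standing in for DNS: query name -> A record returned.
# 192.0.2.10 and 198.51.100.7 are documentation addresses, not real listings.
FAKE_DNS = {
    "10.2.0.192.sbl-xbl.spamhaus.org": "127.0.0.4",
}


def ip4r(ip):
    """Reverse the octets of an IPv4 address, the form DNSBL queries use."""
    return ".".join(reversed(str(ipaddress.IPv4Address(ip)).split(".")))


def lookup(ip, resolver=FAKE_DNS.get):
    """Return the DNSBL answer for ip, or None when it is not listed."""
    return resolver(f"{ip4r(ip)}.{ZONE}")


def score(hops, expected="127.0.0.4", last_weight=9, all_weight=2):
    """Score a message; hops lists relay IPs with the connecting server first.

    Mirrors the two test lines in the message: XBL(LAST) checks only the
    connecting server, XBL(ALL) fires once if any scanned hop is listed.
    """
    fired = {}
    if lookup(hops[0]) == expected:
        fired["XBL(LAST)"] = last_weight
    if any(lookup(h) == expected for h in hops):
        fired["XBL(ALL)"] = all_weight
    return fired, sum(fired.values())


if __name__ == "__main__":
    # Zombie connects directly: both tests fire and the weights combine.
    print(score(["192.0.2.10"]))
    # Zombie's mail relayed through the ISP's server: only XBL(ALL) fires.
    print(score(["198.51.100.7", "192.0.2.10"]))
```
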

