I have used the following rules (which greatly overlap the existing URI
rules) to drive up scores, while not repeating the same tests or increasing the
scores for existing tests. YMMV, but they work for me (v3.0.x).


uridnsbl        URIBL_COMPLETEWHOIS     combined-HIB.dnsiplists.completewhois.com.      A
body            URIBL_COMPLETEWHOIS     eval:check_uridnsbl('URIBL_COMPLETEWHOIS')
describe        URIBL_COMPLETEWHOIS     Contains an URL listed in the combined-HIB.dnsiplists.completewhois.com blocklist
tflags          URIBL_COMPLETEWHOIS     net

urirhssub       URIBL_RHS_DSN   fulldom.rfc-ignorant.org.       A       127.0.0.2
body            URIBL_RHS_DSN   eval:check_uridnsbl('URIBL_RHS_DSN')
describe        URIBL_RHS_DSN   Contains an URL listed in the dsn.rfc-ignorant.org blocklist
tflags          URIBL_RHS_DSN   net

urirhssub       URIBL_RHS_POST  fulldom.rfc-ignorant.org.       A       127.0.0.3
body            URIBL_RHS_POST  eval:check_uridnsbl('URIBL_RHS_POST')
describe        URIBL_RHS_POST  Contains an URL listed in the postmaster.rfc-ignorant.org blocklist
tflags          URIBL_RHS_POST  net

urirhssub       URIBL_RHS_ABUSE fulldom.rfc-ignorant.org.       A       127.0.0.4
body            URIBL_RHS_ABUSE eval:check_uridnsbl('URIBL_RHS_ABUSE')
describe        URIBL_RHS_ABUSE Contains an URL listed in the abuse.rfc-ignorant.org blocklist
tflags          URIBL_RHS_ABUSE net

urirhssub       URIBL_RHS_WHOIS fulldom.rfc-ignorant.org.       A       127.0.0.5
body            URIBL_RHS_WHOIS eval:check_uridnsbl('URIBL_RHS_WHOIS')
describe        URIBL_RHS_WHOIS Contains an URL listed in the whois.rfc-ignorant.org blocklist
tflags          URIBL_RHS_WHOIS net

urirhssub       URIBL_RHS_BOGUSMX       fulldom.rfc-ignorant.org.       A       127.0.0.8
body            URIBL_RHS_BOGUSMX       eval:check_uridnsbl('URIBL_RHS_BOGUSMX')
describe        URIBL_RHS_BOGUSMX       Contains an URL listed in the bogusmx.rfc-ignorant.org blocklist
tflags          URIBL_RHS_BOGUSMX       net

  With the (completely empirically - almost arbitrarily - chosen) scores of:

score URIBL_COMPLETEWHOIS       1.75
score URIBL_RHS_DSN             0.5
score URIBL_RHS_POST            0.75
score URIBL_RHS_ABUSE           0.25
score URIBL_RHS_WHOIS           1.33
score URIBL_RHS_BOGUSMX         3.75

        Note: as might be expected, the "abuse" and "postmaster" tests give a
lot of FPs, particularly from the free (but often abused) services like Hotmail.
Hence the low score assigned to them.  On the other hand the "bogusmx" test is
a good candidate for a higher score (I've never seen a false positive for my
admittedly very biased corpus).

        The "combined-HIB.dnsiplists.completewhois.com." list can be considered
to be a likely replacement for the now discontinued "ipwhois.rfc-ignorant.org".

        I also use similar "RCVD_IN_*" rules to drive up scores (with a
similar low weighting on "abuse" and "postmaster").

        The logical rationale behind these is: if you or your ISP either
don't accept complaints, or lie about your contact data, I probably don't
want to hear from you.

        The score values are low enough that they don't cause (not for me
at least) FPs for email from mailing lists where the original poster has one
of those appended advertisements at the bottom (like "Sign up now for your
free email at xyz.com" and xyz.com fails the postmaster/abuse tests - so the
"-notfirsthop" option may be appropriate for any similar RCVD_IN_* rules,
though I don't use it myself).

        Hope these help someone,

        Paul Shupak
        [EMAIL PROTECTED]
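An added example, not part of the post above and not SpamAssassin code: an offline simulation of how the urirhssub rules and scores listed in the post combine on a message. It extracts hostnames from URLs in a body, reduces each to a registrable domain (simplified to the last two labels; SpamAssassin uses a TLD table), queries a constructed stub resolver instead of real DNS (the hostnames and answers are hypothetical), and fires each rule whose expected A-record value appears in the answer. It illustrates the post's point that the low-weighted "postmaster"/"abuse" hits from a mailing-list footer add only 1.0 on their own, while the "bogusmx"/"whois" hits carry the weight.

```python
import re
from urllib.parse import urlparse

# Rule table taken from the post: name -> (zone, expected A record, score).
# SpamAssassin matches an IP-form fourth argument exactly, which is what the post uses.
RULES = {
    "URIBL_RHS_DSN":     ("fulldom.rfc-ignorant.org", "127.0.0.2", 0.5),
    "URIBL_RHS_POST":    ("fulldom.rfc-ignorant.org", "127.0.0.3", 0.75),
    "URIBL_RHS_ABUSE":   ("fulldom.rfc-ignorant.org", "127.0.0.4", 0.25),
    "URIBL_RHS_WHOIS":   ("fulldom.rfc-ignorant.org", "127.0.0.5", 1.33),
    "URIBL_RHS_BOGUSMX": ("fulldom.rfc-ignorant.org", "127.0.0.8", 3.75),
}

# Constructed stub resolver (hypothetical names and answers): query name -> A records.
# No network lookups are performed.
STUB_DNS = {
    "freemail.test.fulldom.rfc-ignorant.org": ["127.0.0.3", "127.0.0.4"],
    "badhost.test.fulldom.rfc-ignorant.org": ["127.0.0.5", "127.0.0.8"],
}

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def extract_hosts(body):
    """Return the set of lower-cased hostnames found in http(s) URLs in the body."""
    hosts = set()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def registrable_domain(host):
    """Reduce a hostname to its last two labels.

    Simplification: SpamAssassin consults a TLD table so that names such as
    example.co.uk are handled correctly; this toy version does not.
    """
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookup(qname, resolver):
    """Stub DNS A-record lookup against the constructed resolver table."""
    return resolver.get(qname, [])


def score_body(body, rules=RULES, resolver=STUB_DNS):
    """Apply the urirhssub-style rules to a message body.

    For every registrable domain found in a URL, query <domain>.<zone> and fire
    each rule whose expected A-record value is among the answers. As in
    SpamAssassin, a rule scores at most once per message no matter how many
    URLs trigger it. Returns (total_score, {rule_name: score}).
    """
    hits = {}
    zones = {zone for zone, _, _ in rules.values()}
    for host in extract_hosts(body):
        domain = registrable_domain(host)
        for zone in zones:
            answers = set(lookup(f"{domain}.{zone}", resolver))
            for name, (rule_zone, expected, score) in rules.items():
                if rule_zone == zone and expected in answers:
                    hits[name] = score
    return sum(hits.values()), hits


# Constructed sample bodies.
LIST_FOOTER = (
    "Thanks for the patch, merged.\n"
    "--\nSign up now for your free email at http://www.freemail.test/\n"
)
SPAMMY = (
    "Limited offer at http://badhost.test/offer and "
    "reply via http://freemail.test/\n"
)

if __name__ == "__main__":
    for label, body in (("list footer", LIST_FOOTER), ("spammy", SPAMMY)):
        total, hits = score_body(body)
        print(f"{label}: total={total:.2f} hits={sorted(hits)}")
```

The footer-only body scores 1.0 (URIBL_RHS_POST plus URIBL_RHS_ABUSE), well under a default 5.0 threshold, which is the post's argument for keeping those two scores low; the second body adds URIBL_RHS_WHOIS and URIBL_RHS_BOGUSMX and reaches 6.08.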
