On 2022-05-07 at 10:42:59 UTC-0400 (Sat, 07 May 2022 07:42:59 -0700) Paul Pace <p...@mostlybsd.com> is rumored to have said:
> I have set up SpamAssassin with the following in
> /etc/spamassassin/mycustomscores.cf:
>
> score RCVD_IN_SBL 10.0
> score RCVD_IN_XBL 10.0
> score RCVD_IN_PBL 10.0
> score RCVD_IN_SBL_CSS 10.0

Not entirely unreasonable. Cheaper to do most of that in the MTA, unless you have complex whitelisting needs.

> score URIBL_SBL 10.0
> score URIBL_CSS 10.0
> score URIBL_CSS_A 10.0
> score URIBL_SBL_A 10.0

I'm surprised that this is anywhere near usable.

> I do not otherwise block using Spamhaus at the MTA or elsewhere.
>
> I occasionally see false positives because of these scores and it is when a
> domain is in the body of a message.

So: the URIBL_* rules.

> When I check the Spamhaus website[1], the domain is not there. Each time this
> has occurred, it has been for a website currently in the news and usually
> something to do with politics.
>
> A few days ago I happened to be on my computer exactly when one of these
> false positives came in[2]. I immediately went and checked the Spamhaus site
> and the domain was not listed. I checked several times throughout the day and
> never saw the domain there.

The Spamhaus SBL will never show any domain name as listed because it does not list domain names. It lists IP addresses.

> So I am trying to figure out why there is a disparity between what
> SpamAssassin reports and the Spamhaus website reports, but I'm not clear how
> SpamAssassin checks Spamhaus, and since these are usually domains I rarely
> have in a message any place, I don't have a good feel for whether or not this
> is some regular problem.
>
> If anyone can point me to how this check is performed, that would be very
> helpful.
>
> Thank you,
>
>
> Paul
>
> [1] https://check.spamhaus.org/
> [2] Scores:
> * 10 URIBL_SBL_A Contains URL's A record listed in the Spamhaus SBL
> *    blocklist
> *    [URIs: wikileaksdotorg]
> * 10 URIBL_SBL Contains an URL's NS IP listed in the Spamhaus SBL
> *    blocklist
> *    [URIs: wikileaksdotorg]

Read the rule descriptions carefully. Also see the rule definitions and `perldoc Mail::SpamAssassin::Plugin::URIDNSBL`.

SBL, including its CSS component, lists IP addresses, NOT domain names. In these cases, as documented, SA looks up a specific record type (A, NS, or MX) for a name extracted from an URL to get one or more IP addresses, and then those IP addresses are checked against the DNSBL.

-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
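
The lookup chain described in the reply above, as an added example that is not part of the original message and is not SpamAssassin's own code: a URI host is resolved to IP addresses through its A, NS, or MX records, and each IP is then queried against an IP-based DNSBL. The zone name, the "listed" answer value, the host names, and the stub resolver with its records are all assumptions constructed for illustration.

```python
import ipaddress

ZONE = "zen.spamhaus.org"  # assumption: zone queried; confirm in your rule files
SBL_CODE = "127.0.0.2"     # assumption: answer value meaning "listed in SBL"

# Constructed DNS data (reserved documentation names and ranges), standing in
# for real DNS so the example runs offline.
FAKE_DNS = {
    ("news-site.example", "A"): ["192.0.2.10"],
    ("news-site.example", "NS"): ["ns1.shared-host.example"],
    ("ns1.shared-host.example", "A"): ["198.51.100.53"],
    # Only the name server's IP is listed; the site's own IP is not.
    ("53.100.51.198.zen.spamhaus.org", "A"): ["127.0.0.2"],
}

def stub_resolve(name, rtype):
    """Return constructed records for (name, rtype); an empty list means no data."""
    return FAKE_DNS.get((name.rstrip(".").lower(), rtype), [])

def dnsbl_qname(ip, zone=ZONE):
    """Build the DNSBL query name: IPv4 octets reversed, followed by the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def host_ips(host, rtype, resolve):
    """Map a URI host to IPs: its A records, or the A records of its NS/MX targets."""
    if rtype == "A":
        return resolve(host, "A")
    ips = []
    for target in resolve(host, rtype):  # NS or MX target host names
        ips.extend(resolve(target, "A"))
    return ips

def sbl_hits(host, rtype, resolve=stub_resolve):
    """Return the IPs behind `host` (via record type `rtype`) that the DNSBL lists."""
    return [ip for ip in host_ips(host, rtype, resolve)
            if SBL_CODE in resolve(dnsbl_qname(ip), "A")]

if __name__ == "__main__":
    for rtype in ("A", "NS", "MX"):
        print(rtype, sbl_hits("news-site.example", rtype))
```

In the constructed data the site's own address is clean but its name server's address is listed, so the NS-based check fires while a lookup of the domain name itself finds nothing.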