The various eval:check_rbl() selectors are: -notfirsthop -firsttrusted -untrusted -untrusted
My understanding from the docs:

-notfirsthop examines all IPs except the originating one, useful for ignoring the user's direct IP, which could be a hotel or dialup IP.

-firsttrusted examines the IP address of the relay that connected to the outermost trusted relay (based on trusted_networks). SA can trust that this server exists, but it cannot trust any of the information it provides (specifically, the relays/client it claims to have received mail from). This can be the relay skipped by -notfirsthop.

-untrusted examines all IPs that are not trusted, excluding the -firsttrusted relay but including those beyond it and the relay skipped by -notfirsthop.

-lastexternal examines the external host that connected to the internal network, or at least the last external host with a public IP.

My confusion:

-firsttrusted is "trusted" in that you can trust that the server is valid and not forged. It is /not/ a member of trusted_networks (this is similar to the AWL vs whitelist issue!). A name without the word "trust" (like "-firstseen") would be preferable.

-untrusted is also easily confused with "trust" from trusted_networks though like firsttrusted, it refers to potential forgery (and it took me a while to figure that out). Renaming this to avoid the word "trust" (e.g. "-maybeforged") would make it more clear. Before determining that "trust" referred to potential forgery, I couldn't understand why the -firsttrusted relay wasn't included.

-lastexternal looks the same as -firsttrusted except it discards any private IP (which I have to assume -firsttrusted does not do). I can't otherwise tell the difference. Nice lookups use firsttrusted instead of lastexternal, and I can't determine why. Perhaps lastexternal refers to the relay that connected to the last (outermost) internal_network while firsttrusted refers to the relay that connected to the outermost trusted_network?

There's more name confusion here, too; "last" vs "first" depends on the direction you're looking: firsttrusted looks in the /opposite/ direction as lastexternal.

Why not have a flag for "not in trusted_networks" which would operate like the union of what we currently call -untrusted and -firsttrusted (or can I say 'mybl-untrusted-firsttrusted' ?) ... what would we call such a thing? -foreign perhaps?

Also, "selectors" are never actually named anything; I've named them that because the docs have headers like "selecting ..." for each one. They are described only as "place '-foo' at the end of the set name." This makes it hard to talk about them and harder to search for them in the documentation.

-- 
Adam Katz
khopesh on irc://irc.freenode.net/#spamassassin
http://khopesh.com/Anti-spam