Hi Adam,

Some time ago you posted that you were investigating the stats and
effectiveness of a few rules in your masschecks sandbox, and thought I
would see if you had made any progress, and found anything helpful?

Posted below...

Thanks,
Alex

On Mon, Nov 23, 2009 at 8:34 PM, Adam Katz <antis...@khopis.com> wrote:
> Unless there are objections, I'm going to add two tests to my sandbox:
>
> RCVD_IN_NIX_SPAM, a new (to us) DNSBL populated by the same source as
> the original [N]iXhash zone, with results on intra2net that look quite
> promising:  72.98:0.12 spam:ham (PSBL has 48.69:0.36),
> http://www.intra2net.com/en/support/antispam/blacklist.php_dnsbl=RCVD_IN_NIX_SPAM.html
>
> RCVD_IN_SPAMCOP, a fix-up of SpamCop to limit it to the last external
> relay (just like every other DNSBL used by SpamAssassin).
>
> While digging around there, I noticed that SpamCop and ham rule
> RCVD_IN_BSP_TRUSTED are the only rules to use check_rbl_txt(), which
> affords it a nicer explanation of what triggered the spam.  For a
> fully apples-to-apples comparison, my fix-up reverts back to plain-old
> check_rbl() ... which unfortunately means a second DNS lookup (since
> we're looking for an A record rather than a TXT record).
>
> Both will be marked "nopublish" until we have stats to motivate us.
>
>
> check_rbl_txt() gives quite informative data, and it's supported by
> every DNSBL I've tried (all below).  RCVD_IN_NIX_SPAM supports it
> (though my test will avoid it until we can determine there isn't a bug
> in lookups here), as do BRBL and others.  Assuming a lack of bugs or
> efficiency, we should probably use it for any index that doesn't
> contain multiple indices (like zen).
>
> Examples:
>
> $ host -t txt 11.70.132.91.ix.dnsbl.manitu.net.
> 11.70.132.91.ix.dnsbl.manitu.net descriptive text "Spam sent to the
> mailhost mx.selfip.biz was detected by NiX Spam at Mon, 23 Nov 2009
> 23:31:24 +0100, see
> http://www.dnsbl.manitu.net/lookup.php?value=91.132.70.11"
> $ host -t txt 11.70.132.91.bb.barracudacentral.org
> 11.70.132.91.bb.barracudacentral.org descriptive text
> "http://www.barracudanetworks.com/reputation/?pr=1&ip=91.132.70.11"
> $ host -t txt 11.70.132.91.bl.spamcop.net.    Mon 23 19:24:48
> 11.70.132.91.bl.spamcop.net descriptive text "Blocked - see
> http://www.spamcop.net/bl.shtml?91.132.70.11"
> $ host -t txt 11.70.132.91.psbl.surriel.com.     [1] 19:32:04
> 11.70.132.91.psbl.surriel.com descriptive text "Listed in PSBL, see
> http://psbl.surriel.com/listing?ip=91.132.70.11"
> $ host -t txt 11.70.132.91.bl.spameatingmonkey.net.
> 11.70.132.91.bl.spameatingmonkey.net descriptive text "listed, see
> http://spameatingmonkey.com/lookup/91.132.70.11"
>
> (If you're wondering, that IP is listed as the #1 offender by spamcop,
> so it hits all of them.  127.0.0.2 gives inaccurate responses since it
> is a test and often is called that.)
>
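
An added example, not part of the original thread or of SpamAssassin's code: it shows how the query names in the `host` lookups above are formed and what a TXT lookup returns that an A lookup does not. The function names are hypothetical, and the check that a listed address answers inside 127.0.0.0/8 is the usual DNSBL convention, assumed here rather than taken from the message.

```python
import ipaddress
import re

def dnsbl_qname(ip, zone):
    """Build the name a DNSBL client queries: reversed IPv4 octets + zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    octets = str(addr).split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".")

def a_answer_means_listed(answer):
    """A-record style result: a yes/no flag, with no reason attached."""
    # Assumption: listed entries answer inside 127.0.0.0/8 (DNSBL convention).
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")

# Matches one unwrapped line of `host -t txt` output.
_TXT = re.compile(r'^(\S+?)\.? descriptive text "(.*)"$')

def parse_host_txt(output):
    """Return {query name: TXT explanation} from `host -t txt` output."""
    found = {}
    for line in output.splitlines():
        m = _TXT.match(line.strip())
        if m:
            found[m.group(1)] = m.group(2)
    return found

def explain(ip, zone, host_output):
    """TXT-style result: the listing reason for ip in zone, or None."""
    return parse_host_txt(host_output).get(dnsbl_qname(ip, zone))

# Constructed sample: two answers from the message, with the e-mail line
# wrapping undone so each record sits on one line.
SAMPLE = """\
11.70.132.91.bl.spamcop.net descriptive text "Blocked - see http://www.spamcop.net/bl.shtml?91.132.70.11"
11.70.132.91.psbl.surriel.com descriptive text "Listed in PSBL, see http://psbl.surriel.com/listing?ip=91.132.70.11"
"""

if __name__ == "__main__":
    for zone in ("bl.spamcop.net", "psbl.surriel.com", "ix.dnsbl.manitu.net"):
        print(dnsbl_qname("91.132.70.11", zone), "->",
              explain("91.132.70.11", zone, SAMPLE))
```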
