On 10/17/2013 04:51 PM, Kai Schaetzl wrote:
Neil Schwartzman wrote on 17 Oct 2013 07:01:00 -0700:

incorrect, not false, which implies maliciousness. I believe Spamhaus
only recently, for some value of recently, started doing NS listings
with deeper dives that show up on an SBL listing.

They didn't list any "NS IP". If you look at the record there was spam
sent from 151.1.141.150 in August and nobody bothered to have it removed
since then (easy enough). That's why it was included. It looks very much
like collateral damage that errebian.it was caught. It's a web server also
acting as DNS for some sites.

15 live SBL listings aren't collateral damage:

http://www.spamhaus.org/sbl/listings/it.net

Obvious that ISP doesn't care - I would take my business somewhere else.


The "deeper dive" comes from SA. I'm not yet sure if I appreciate this,
but I would fully agree that this should be reflected in the description
of the rule.

be patient - till next sa-update :)

After a second thought I think the current combination is not a good
thing. I understand that URIBL is not the same as a black list of mail
servers, it hits on spammed sites. Nevertheless in all other regards I
expected from URIBL_SBL to work like the original SBL. e.g. get IP
address, look it up, hit or not. I did not expect it to do any fancy stuff
like getting the nameserver and flagging the hostname if the nameserver is
listed in SBL. I think I would like to see a second rule like
URIBL_ADVANCED_SBL that does fancy stuff like this.

It doesn't get the nameserver, it gets the NS IP
name server lookups require a urifullnsrhssub eval rule.

This rule has been around for +5 years and all of a sudden, when it gets good teeth ppl are surprised?

Since it was born, there have been many changes/additions in the URIBL.pm plugin.
See the SVN log for that module for details, etc.
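
The distinction discussed in this thread (a URI domain flagged because the IP of its name server is listed, not its own address), as an added example that is not part of the original messages and not SpamAssassin's code. All host names, addresses and the listing data are constructed; DNS answers are stubbed with dictionaries so it runs offline.

```python
import ipaddress

ZONE = "sbl.spamhaus.org"  # DNSBL zone name; lookups below use constructed data only

# Constructed stand-ins for live DNS answers (documentation names and ranges).
NS = {"shop.example": ["ns1.hoster.example"], "blog.example": ["ns1.clean.example"]}
A = {
    "shop.example": ["198.51.100.20"],
    "blog.example": ["198.51.100.30"],
    "ns1.hoster.example": ["192.0.2.150"],
    "ns1.clean.example": ["203.0.113.53"],
}
# Constructed DNSBL contents: only the hoster's name server address is listed.
DNSBL = {"150.2.0.192." + ZONE: "127.0.0.2"}


def dnsbl_qname(ip, zone=ZONE):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(ip):
    """True if the stubbed DNSBL has a record for this address."""
    return dnsbl_qname(ip) in DNSBL


def check_uri_domain(domain):
    """Separate hits on the domain's own A records from hits on its NS IPs."""
    a_hits = [ip for ip in A.get(domain, []) if is_listed(ip)]
    ns_ip_hits = [
        (ns, ip)
        for ns in NS.get(domain, [])
        for ip in A.get(ns, [])
        if is_listed(ip)
    ]
    return {"a_hits": a_hits, "ns_ip_hits": ns_ip_hits}


if __name__ == "__main__":
    for d in ("shop.example", "blog.example"):
        print(d, check_uri_domain(d))
```

Reporting the two hit types separately shows whether a match came from the site's own address or from shared DNS hosting.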

