On Aug 7, 2014, at 11:00 AM, Axb <axb.li...@gmail.com> wrote: > On 08/07/2014 06:55 PM, Philip Prindeville wrote: >> >> On Aug 6, 2014, at 11:20 PM, Axb <axb.li...@gmail.com> wrote: >> >>> On 08/07/2014 07:01 AM, Philip Prindeville wrote: >>>> >>>> On Aug 6, 2014, at 1:23 PM, Paul Stead <paul.st...@zeninternet.co.uk> >>>> wrote: >>>> >>>>> >>>>> On 06/08/14 20:00, John Hardin wrote: >>>>>> Can some fresh samples be posted to pastebin? >>>>>> >>>>> http://pastebin.com/yHiT2s3t >>>>> http://pastebin.com/DpxpJhtA >>>>> http://pastebin.com/DYx1ap31 >>>>> >>>>> :) >>>> >>>> >>>> Uh… the hostname in all of these URL’s always resolves to 98.124.199.1. >>>> >>>> I just use: >>>> >>>> uri_block_cidr L_BLOCK_CIDR 98.124.199.1 >>>> body L_BLOCK_CIDR eval:check_uri_local_bl() >>>> describe L_BLOCK_CIDR Block URI's pointing to bad CIDR's >>>> score L_BLOCK_CIDR 7.5 >>>> >>>> and this nails it. See: >>>> >>>> https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7060 >>> >>> Suggesting to list any IP in the 98.124.192.0/18 net with a score of 7 is >>> not very wise advice. >> >> >> I’m listing a /32. Where do you get a /18 prefix? > > listing *anything* in that /18 will hit a zillion of legit sites... > including your /32 > > For a man and his dog setup it may be ok, but I wouldn't advise ppl to do > this without a *warning*
What is your basis for saying this? This example filters a SINGLE (/32) IP. Please don’t propagate misinformation. -Philip
