On Tue, 05 May 2015 21:21:58 +0200 Marcin Miros?aw wrote: > > So it's not important for my if address 31.61.129.221 is on any rbl > because I'm not getting email directly from this ip. It's important > for me if server 89.161.182.208 (which directly connects to my mta) > is in any RBL. I'd like SA to check only ip which diectly connects to > my server against RBL.
Mostly that's what happens because most lists contain compromised hosts on dynamic addresses. A deep hit could be a dynamic address transferred to another machine, but a hit on the last external is either compromised or a dynamic address delivering direct to MX - which is also suspicious. RCVD_IN_SORBS_WEB contains servers that could be abused, and RCVD_IN_SBL_CSS contains addresses controlled by spammers and used for snowshoe spam. In neither case should these be dynamic addresses, so the risk of doing deep scans is much smaller. If it's causing you a problem you could redefine them in your local rules them to be "last-external" - take a look at how RCVD_IN_XBL is defined.
