On Mon, 31 Oct 2016 21:11:06 -0400
Bill Cole wrote:
> Well, I find this quite useful with very few false positives:
>
> uridnsbl URIBL_SBLXBL sbl-xbl.spamhaus.org. TXT
> body URIBL_SBLXBL eval:check_uridnsbl('URIBL_SBLXBL')
> describe URIBL_SBLXBL Contains a URL listed in the SBL/XBL
> >blocklist
> tflags URIBL_SBLXBL net
> score URIBL_SBLXBL 7
>
> This check will FP after a fashion when a nominally legitimate
> webserver lands on the CBL because it is infected with something.
In theory this shouldn't work. According to the documentation, by
default, that rule checks the webserver's nameservers.
It seems to be relying on a bug, see:
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7242
http://www.gossamer-threads.com/lists/spamassassin/users/194944
It's probably firing on either kind of lookup, but in case it ever gets
fixed you should have:
tflags URIBL_SBLXBL net a
