Hi,

>>> Well, I find this quite useful with very few false positives:
>>>
>>> uridnsbl        URIBL_SBLXBL    sbl-xbl.spamhaus.org.   TXT
>>> body            URIBL_SBLXBL    eval:check_uridnsbl('URIBL_SBLXBL')
>>> describe        URIBL_SBLXBL    Contains a URL listed in the SBL/XBL blocklist
>>> tflags          URIBL_SBLXBL    net
>>> score           URIBL_SBLXBL    7
>>>
>>> This check will FP after a fashion when a nominally legitimate webserver
>>> lands on the CBL because it is infected with something. I see that as not
>>> a FP at all but some may disagree.
>>>
>>> Your sample directs recipients to an URL whose domain name resolves to an
>>> IP that has been on the CBL for over 30 hours straight.
>>
>> Is this not already in 25_uribl.cf?
>
> Not in the one sa-update fetched for me today... It is however given as an
> example in the Mail::SpamAssassin::Plugin::URIDNSBL pod/man with the
> explicit 'ns' tflag, which is a bit of a surprise to me. My local.cf
> comments imply that I added it at the suggestion of a wise colleague many
> years ago (circa SA 3.2.)

This is the one I was referring to, although it doesn't include
XBL/CBL after all.

uridnssub       URIBL_SBL        zen.spamhaus.org.       A   127.0.0.2
body            URIBL_SBL        eval:check_uridnsbl('URIBL_SBL')
describe        URIBL_SBL        Contains an URL's NS IP listed in the SBL blocklist
tflags          URIBL_SBL        net
reuse           URIBL_SBL

>> You believe this is more effective, and safer than a check_rbl_sub()
>> SBLXBL call on the header?
>
> I believe it is entirely orthogonal to that test, although I don't expect
> there's many SBL/XBL listees in headers unless one does not use Zen ahead of
> SA (which I suppose some people probably do not...)

I've had to lower the score on my header XBL check because it was
triggering on so many dynamic IPs that were clearly reassigned to new
users, then being blacklisted. I'd appreciate it if anyone could
provide additional input on how they might use something like this.

header   RCVD_IN_XBL_ALL    eval:check_rbl_sub('zen', '127.0.0.[45678]')
describe RCVD_IN_XBL_ALL    Received via a relay in Spamhaus SBL-XBL
tflags   RCVD_IN_XBL_ALL    net
score    RCVD_IN_XBL_ALL    0.01
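As an added illustration (not code from anyone in this thread, and not SpamAssassin's own implementation), the following script models offline how a check_rbl_sub() sub-test such as '127.0.0.[45678]' is applied to the return codes a Zen lookup hands back: the relay IP is reversed into a query name, the answers are matched against each rule's sub-test, and the per-rule scores are summed. The resolver answers in FAKE_ZONE are constructed samples in documentation address ranges, and RCVD_IN_SBL_LOCAL is a hypothetical companion rule added for contrast with the RCVD_IN_XBL_ALL rule quoted above.

```python
"""Offline model of SpamAssassin-style check_rbl_sub() sub-test matching.

Added example for this thread; FAKE_ZONE holds constructed answers, not
real Spamhaus list data, so the script runs without network access.
"""
import ipaddress
import re

# Constructed answers a lookup against zen.spamhaus.org. might return.
# Key: reversed-octet query name; value: A records (Zen return codes).
FAKE_ZONE = {
    "9.113.0.203.zen.spamhaus.org.": ["127.0.0.2"],                # SBL-style code
    "55.2.0.192.zen.spamhaus.org.": ["127.0.0.4", "127.0.0.10"],   # XBL-style + PBL-style codes
    "1.100.51.198.zen.spamhaus.org.": [],                          # not listed (NXDOMAIN)
}


def query_name(ip: str, zone: str = "zen.spamhaus.org.") -> str:
    """Build the reversed-octet DNSBL query name for an IPv4 address."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def fake_lookup(name: str) -> list:
    """Stand-in for the DNS resolver: returns the constructed A records."""
    return FAKE_ZONE.get(name, [])


def subtest_matches(subtest: str, answer: str) -> bool:
    """Approximation of a check_rbl_sub() sub-test: a purely numeric sub-test
    is a bitmask applied to the last octet of the return code; anything else
    is treated as a regular expression matched against the whole code."""
    if subtest.isdigit():
        return int(answer.rsplit(".", 1)[1]) & int(subtest) != 0
    return re.fullmatch(subtest, answer) is not None


# (rule name, sub-test, score). The first line mirrors the local.cf rule in
# the thread; the second is a hypothetical companion rule for the SBL code.
RULES = [
    ("RCVD_IN_XBL_ALL", r"127.0.0.[45678]", 0.01),
    ("RCVD_IN_SBL_LOCAL", r"127.0.0.2", 2.0),
]


def check_relay(ip: str, rules=RULES, lookup=fake_lookup):
    """Return (names of rules that fire for this relay IP, summed score)."""
    answers = lookup(query_name(ip))
    hits = [(name, score) for name, sub, score in rules
            if any(subtest_matches(sub, a) for a in answers)]
    return [name for name, _ in hits], round(sum(score for _, score in hits), 2)


if __name__ == "__main__":
    for relay in ("203.0.113.9", "192.0.2.55", "198.51.100.1"):
        print(relay, "->", check_relay(relay))
```

Because the sub-test only sees the return code, a rule like RCVD_IN_XBL_ALL fires identically for a freshly reassigned dynamic address and for an actively compromised host; that is why keeping its score low, as the message above describes, is the usual way to keep it informative without letting it decide a verdict on its own.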
