On Thu, 03 Nov 2016 13:38:30 -0400 Kris Deugau wrote:
> header RCVD_IN_XBL eval:check_rbl('zen-lastexternal',
>                    'zen.spamhaus.org.', '^127\.0\.0\.[45678]$')
>
> Why are you (re)defining a near-duplicate of this? Was the stock rule
> as above also misbehaving?
>
> Note that the Spamhaus rules are split up somewhat as they're intended
> for different IPs:
>
> header __RCVD_IN_ZEN eval:check_rbl('zen', 'zen.spamhaus.org.')
> header RCVD_IN_SBL eval:check_rbl_sub('zen', '127.0.0.2')
> header RCVD_IN_SBL_CSS eval:check_rbl_sub('zen', '127.0.0.3')
>
> These are explicitly designed to look up all Received: IPs as "places
> you probably don't want to accept mail from, period, even if it takes
> a hop through a non-listed innocent server". They're scored to
> match, so that legitimate senders on dynamic IPs who happen to
> inherit a "dirty" IP don't get blocked just on this basis.

There are good arguments for not discarding or rejecting based on a deep XBL test, but the only way of knowing whether it's worth scoring is to try it. I score a deep XBL rule at 1 point. It would stand more because the rule FPs are on very low scoring emails. OTOH I would expect a rule like that to vary a lot in performance.
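
Added example, not part of the original message and not SpamAssassin's own code: a small offline model of the difference between a 'zen-lastexternal' XBL lookup and a deep one that checks every Received: hop, using the XBL return-code pattern quoted above. The relay IPs, the fake DNS answers, the 0.3 base score and the helper names are constructed for illustration.

```python
import re

ZONE = "zen.spamhaus.org."
XBL_CODES = re.compile(r"^127\.0\.0\.[45678]$")  # sub-test quoted in the thread

def query_name(ip, zone=ZONE):
    """Build the DNSBL query name: reversed IPv4 octets followed by the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def xbl_listed(relays, resolve, deep):
    """Return the relay IPs whose zen answer matches the XBL return codes.

    relays:  external relay IPs, last external hop first.
    resolve: callable(query_name) -> list of A-record strings.
    deep=False models a '-lastexternal' lookup; deep=True checks every hop.
    """
    checked = relays if deep else relays[:1]
    return [ip for ip in checked
            if any(XBL_CODES.match(a) for a in resolve(query_name(ip)))]

def total_score(base, relays, resolve, deep, xbl_score=1.0):
    """Add xbl_score to the message's other rule points when XBL matches."""
    return base + (xbl_score if xbl_listed(relays, resolve, deep) else 0.0)

# Constructed data: documentation-range IPs and fake DNS answers, no network.
FAKE_DNS = {query_name("198.51.100.7"): ["127.0.0.4"]}  # listed dynamic client IP

def resolve(name):
    """Stand-in resolver: look the query name up in the constructed table."""
    return FAKE_DNS.get(name, [])

# Mail submitted from the dynamic IP through an unlisted smarthost.
RELAYS = ["192.0.2.10", "198.51.100.7"]

if __name__ == "__main__":
    for deep in (False, True):
        mode = "deep" if deep else "lastexternal"
        print(mode, xbl_listed(RELAYS, resolve, deep),
              total_score(0.3, RELAYS, resolve, deep))
```

With the deep rule at 1 point, the constructed message stays well under SpamAssassin's default required_score of 5.0 even though the originating hop is listed.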